Replace license check isAuthAllowed with isSecurityEnabled (#54547) (#55082)

The isAuthAllowed() method for license checking is used by code that
wants to ensure security is both enabled and available. The enabled
state is dynamic and provided by isSecurityEnabled(). But since security
is available with all license types, an check on the license level is
not necessary. Thus, this change replaces isAuthAllowed() with calling
isSecurityEnabled().
This commit is contained in:
Ryan Ernst 2020-04-13 12:26:39 -07:00 committed by GitHub
parent d32f6fed1d
commit ae14d1661e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
30 changed files with 76 additions and 189 deletions

View File

@ -72,7 +72,7 @@ public class CcrLicenseChecker {
* Constructs a CCR license checker with the default rule based on the license state for checking if CCR is allowed.
*/
CcrLicenseChecker() {
this(XPackPlugin.getSharedLicenseState()::isCcrAllowed, XPackPlugin.getSharedLicenseState()::isAuthAllowed);
this(XPackPlugin.getSharedLicenseState()::isCcrAllowed, XPackPlugin.getSharedLicenseState()::isSecurityEnabled);
}
/**

View File

@ -401,13 +401,6 @@ public class XPackLicenseState {
return checkAgainstStatus(status -> status.active);
}
/**
* @return true if authentication and authorization should be enabled.
*/
public boolean isAuthAllowed() {
return isAllowedBySecurityAndLicense(OperationMode.BASIC, false);
}
public boolean isIpFilteringAllowed() {
return isAllowedBySecurityAndLicense(OperationMode.GOLD, false);
}

View File

@ -77,7 +77,7 @@ public class XPackLicenseStateTests extends ESTestCase {
public void testSecurityDefaults() {
XPackLicenseState licenseState =
new XPackLicenseState(Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build());
assertThat(licenseState.isAuthAllowed(), is(true));
assertThat(licenseState.isSecurityEnabled(), is(true));
assertThat(licenseState.isIpFilteringAllowed(), is(true));
assertThat(licenseState.isAuditingAllowed(), is(true));
assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
@ -100,7 +100,7 @@ public class XPackLicenseStateTests extends ESTestCase {
XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY);
licenseState.update(BASIC, true, null);
assertThat(licenseState.isAuthAllowed(), is(false));
assertThat(licenseState.isSecurityEnabled(), is(false));
assertThat(licenseState.isIpFilteringAllowed(), is(false));
assertThat(licenseState.isAuditingAllowed(), is(false));
assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
@ -118,7 +118,7 @@ public class XPackLicenseStateTests extends ESTestCase {
XPackLicenseState licenseState = new XPackLicenseState(settings);
licenseState.update(BASIC, true, null);
assertThat(licenseState.isAuthAllowed(), is(true));
assertThat(licenseState.isSecurityEnabled(), is(true));
assertThat(licenseState.isIpFilteringAllowed(), is(false));
assertThat(licenseState.isAuditingAllowed(), is(false));
assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
@ -135,7 +135,7 @@ public class XPackLicenseStateTests extends ESTestCase {
XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY);
licenseState.update(BASIC, false, null);
assertThat(licenseState.isAuthAllowed(), is(false));
assertThat(licenseState.isSecurityEnabled(), is(false));
assertThat(licenseState.isIpFilteringAllowed(), is(false));
assertThat(licenseState.isAuditingAllowed(), is(false));
assertThat(licenseState.isStatsAndHealthAllowed(), is(false));
@ -150,7 +150,7 @@ public class XPackLicenseStateTests extends ESTestCase {
Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build());
licenseState.update(BASIC, false, null);
assertThat(licenseState.isAuthAllowed(), is(true));
assertThat(licenseState.isSecurityEnabled(), is(true));
assertThat(licenseState.isIpFilteringAllowed(), is(false));
assertThat(licenseState.isAuditingAllowed(), is(false));
assertThat(licenseState.isStatsAndHealthAllowed(), is(false));
@ -165,7 +165,7 @@ public class XPackLicenseStateTests extends ESTestCase {
Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build()));
licenseState.update(STANDARD, true, null);
assertThat(licenseState.isAuthAllowed(), is(true));
assertThat(licenseState.isSecurityEnabled(), is(true));
assertThat(licenseState.isIpFilteringAllowed(), is(false));
assertThat(licenseState.isAuditingAllowed(), is(false));
assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
@ -178,7 +178,7 @@ public class XPackLicenseStateTests extends ESTestCase {
Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build()));
licenseState.update(STANDARD, false, null);
assertThat(licenseState.isAuthAllowed(), is(true));
assertThat(licenseState.isSecurityEnabled(), is(true));
assertThat(licenseState.isIpFilteringAllowed(), is(false));
assertThat(licenseState.isAuditingAllowed(), is(false));
assertThat(licenseState.isStatsAndHealthAllowed(), is(false));
@ -191,7 +191,7 @@ public class XPackLicenseStateTests extends ESTestCase {
Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build()));
licenseState.update(GOLD, true, null);
assertThat(licenseState.isAuthAllowed(), is(true));
assertThat(licenseState.isSecurityEnabled(), is(true));
assertThat(licenseState.isIpFilteringAllowed(), is(true));
assertThat(licenseState.isAuditingAllowed(), is(true));
assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
@ -207,7 +207,7 @@ public class XPackLicenseStateTests extends ESTestCase {
Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build()));
licenseState.update(GOLD, false, null);
assertThat(licenseState.isAuthAllowed(), is(true));
assertThat(licenseState.isSecurityEnabled(), is(true));
assertThat(licenseState.isIpFilteringAllowed(), is(true));
assertThat(licenseState.isAuditingAllowed(), is(true));
assertThat(licenseState.isStatsAndHealthAllowed(), is(false));
@ -223,7 +223,7 @@ public class XPackLicenseStateTests extends ESTestCase {
Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build()));
licenseState.update(PLATINUM, true, null);
assertThat(licenseState.isAuthAllowed(), is(true));
assertThat(licenseState.isSecurityEnabled(), is(true));
assertThat(licenseState.isIpFilteringAllowed(), is(true));
assertThat(licenseState.isAuditingAllowed(), is(true));
assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
@ -239,7 +239,7 @@ public class XPackLicenseStateTests extends ESTestCase {
Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build()));
licenseState.update(PLATINUM, false, null);
assertThat(licenseState.isAuthAllowed(), is(true));
assertThat(licenseState.isSecurityEnabled(), is(true));
assertThat(licenseState.isIpFilteringAllowed(), is(true));
assertThat(licenseState.isAuditingAllowed(), is(true));
assertThat(licenseState.isStatsAndHealthAllowed(), is(false));
@ -259,7 +259,7 @@ public class XPackLicenseStateTests extends ESTestCase {
}
private void assertSecurityNotAllowed(XPackLicenseState licenseState) {
assertThat(licenseState.isAuthAllowed(), is(false));
assertThat(licenseState.isSecurityEnabled(), is(false));
assertThat(licenseState.isIpFilteringAllowed(), is(false));
assertThat(licenseState.isAuditingAllowed(), is(false));
assertThat(licenseState.isStatsAndHealthAllowed(), is(true));

View File

@ -88,7 +88,7 @@ public class TransportPutEnrichPolicyAction extends TransportMasterNodeAction<Pu
ActionListener<AcknowledgedResponse> listener
) {
if (licenseState.isAuthAllowed()) {
if (licenseState.isSecurityEnabled()) {
RoleDescriptor.IndicesPrivileges privileges = RoleDescriptor.IndicesPrivileges.builder()
.indices(request.getPolicy().getIndices())
.privileges("read")

View File

@ -141,7 +141,7 @@ public class TransportPutDataFrameAnalyticsAction
.setVersion(Version.CURRENT)
.build();
if (licenseState.isAuthAllowed()) {
if (licenseState.isSecurityEnabled()) {
useSecondaryAuthIfAvailable(securityContext, () -> {
final String username = securityContext.getUser().principal();
RoleDescriptor.IndicesPrivileges sourceIndexPrivileges = RoleDescriptor.IndicesPrivileges.builder()

View File

@ -106,7 +106,7 @@ public class TransportPutDatafeedAction extends TransportMasterNodeAction<PutDat
ActionListener<PutDatafeedAction.Response> listener) {
// If security is enabled only create the datafeed if the user requesting creation has
// permission to read the indices the datafeed is going to read from
if (licenseState.isAuthAllowed()) {
if (licenseState.isSecurityEnabled()) {
useSecondaryAuthIfAvailable(securityContext, () -> {
final String[] indices = request.getDatafeed().getIndices().toArray(new String[0]);

View File

@ -79,7 +79,7 @@ public class SecurityActionFilter implements ActionFilter {
throw LicenseUtils.newComplianceException(XPackField.SECURITY);
}
if (licenseState.isAuthAllowed()) {
if (licenseState.isSecurityEnabled()) {
final ActionListener<Response> contextPreservingListener =
ContextPreservingActionListener.wrapPreservingContext(listener, threadContext);
ActionListener<Void> authenticatedListener = ActionListener.wrap(
@ -156,7 +156,7 @@ public class SecurityActionFilter implements ActionFilter {
ActionListener.wrap((authc) -> {
if (authc != null) {
authorizeRequest(authc, securityAction, request, listener);
} else if (licenseState.isAuthAllowed() == false) {
} else if (licenseState.isSecurityEnabled() == false) {
listener.onResponse(null);
} else {
listener.onFailure(new IllegalStateException("no authentication present but auth is allowed"));

View File

@ -113,7 +113,7 @@ public class Realms implements Iterable<Realm> {
public List<Realm> getUnlicensedRealms() {
final XPackLicenseState licenseStateSnapshot = licenseState.copyCurrentLicenseState();
// If auth is not allowed, then everything is unlicensed
if (licenseStateSnapshot.isAuthAllowed() == false) {
if (licenseStateSnapshot.isSecurityEnabled() == false) {
return Collections.unmodifiableList(realms);
}
@ -139,7 +139,7 @@ public class Realms implements Iterable<Realm> {
public List<Realm> asList() {
final XPackLicenseState licenseStateSnapshot = licenseState.copyCurrentLicenseState();
if (licenseStateSnapshot.isAuthAllowed() == false) {
if (licenseStateSnapshot.isSecurityEnabled() == false) {
return Collections.emptyList();
}
if (licenseStateSnapshot.areAllRealmsAllowed()) {

View File

@ -49,7 +49,7 @@ public final class SecuritySearchOperationListener implements SearchOperationLis
*/
@Override
public void onNewScrollContext(SearchContext searchContext) {
if (licenseState.isAuthAllowed()) {
if (licenseState.isSecurityEnabled()) {
searchContext.scrollContext().putInContext(AuthenticationField.AUTHENTICATION_KEY, securityContext.getAuthentication());
}
}
@ -60,7 +60,7 @@ public final class SecuritySearchOperationListener implements SearchOperationLis
*/
@Override
public void validateSearchContext(SearchContext searchContext, TransportRequest request) {
if (licenseState.isAuthAllowed()) {
if (licenseState.isSecurityEnabled()) {
if (searchContext.scrollContext() != null) {
final Authentication originalAuth = searchContext.scrollContext().getFromContext(AuthenticationField.AUTHENTICATION_KEY);
final Authentication current = securityContext.getAuthentication();

View File

@ -86,7 +86,7 @@ public final class OptOutQueryCache extends AbstractIndexComponent implements Li
@Override
public Weight doCache(Weight weight, QueryCachingPolicy policy) {
assert licenseStateListenerRegistered;
if (licenseState.isAuthAllowed() == false) {
if (licenseState.isSecurityEnabled() == false) {
logger.debug("not opting out of the query cache; authorization is not allowed");
return indicesQueryCache.doCache(weight, policy);
}

View File

@ -50,7 +50,7 @@ public final class IndicesAliasesRequestInterceptor implements RequestIntercepto
final IndicesAliasesRequest request = (IndicesAliasesRequest) requestInfo.getRequest();
final XPackLicenseState frozenLicenseState = licenseState.copyCurrentLicenseState();
final AuditTrail auditTrail = auditTrailService.get();
if (frozenLicenseState.isAuthAllowed()) {
if (frozenLicenseState.isSecurityEnabled()) {
if (frozenLicenseState.isDocumentAndFieldLevelSecurityAllowed()) {
IndicesAccessControl indicesAccessControl =
threadContext.getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY);

View File

@ -46,7 +46,7 @@ public final class ResizeRequestInterceptor implements RequestInterceptor {
final ResizeRequest request = (ResizeRequest) requestInfo.getRequest();
final XPackLicenseState frozenLicenseState = licenseState.copyCurrentLicenseState();
final AuditTrail auditTrail = auditTrailService.get();
if (frozenLicenseState.isAuthAllowed()) {
if (frozenLicenseState.isSecurityEnabled()) {
if (frozenLicenseState.isDocumentAndFieldLevelSecurityAllowed()) {
IndicesAccessControl indicesAccessControl =
threadContext.getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY);

View File

@ -49,7 +49,7 @@ public final class SetSecurityUserProcessor extends AbstractProcessor {
super(tag);
this.securityContext = securityContext;
this.licenseState = Objects.requireNonNull(licenseState, "license state cannot be null");
if (licenseState.isAuthAllowed() == false) {
if (licenseState.isSecurityEnabled() == false) {
logger.warn("Creating processor [{}] (tag [{}]) on field [{}] but authentication is not currently enabled on this cluster " +
" - this processor is likely to fail at runtime if it is used", TYPE, tag, field);
} else if (this.securityContext == null) {
@ -73,7 +73,7 @@ public final class SetSecurityUserProcessor extends AbstractProcessor {
if (user == null) {
logger.debug(
"Failed to find active user. SecurityContext=[{}] Authentication=[{}] User=[{}]", securityContext, authentication, user);
if (licenseState.isAuthAllowed()) {
if (licenseState.isSecurityEnabled()) {
// This shouldn't happen. If authentication is allowed (and active), then there _should_ always be an authenticated user.
// If we ever see this error message, then one of our assumptions are wrong.
throw new IllegalStateException("There is no authenticated user - the [" + TYPE

View File

@ -50,7 +50,7 @@ public class SecurityRestFilter implements RestHandler {
@Override
public void handleRequest(RestRequest request, RestChannel channel, NodeClient client) throws Exception {
if (licenseState.isAuthAllowed() && request.method() != Method.OPTIONS) {
if (licenseState.isSecurityEnabled() && request.method() != Method.OPTIONS) {
// CORS - allow for preflight unauthenticated OPTIONS request
if (extractClientCertificate) {
HttpChannel httpChannel = request.getHttpChannel();

View File

@ -145,7 +145,7 @@ public class SecurityServerTransportInterceptor implements TransportInterceptor
// So, we always send authentication headers for actions that have an implied user (system-user or explicit-origin)
// and then for other (user originated) actions we enforce that there is an authentication header that we can send, iff the
// current license allows authentication.
return licenseState.isAuthAllowed() && isStateNotRecovered == false;
return licenseState.isSecurityEnabled() && isStateNotRecovered == false;
}
private <T extends TransportResponse> void sendWithUser(Transport.Connection connection, String action, TransportRequest request,
@ -272,7 +272,7 @@ public class SecurityServerTransportInterceptor implements TransportInterceptor
public void messageReceived(T request, TransportChannel channel, Task task) throws Exception {
final AbstractRunnable receiveMessage = getReceiveRunnable(request, channel, task);
try (ThreadContext.StoredContext ctx = threadContext.newStoredContext(true)) {
if (licenseState.isAuthAllowed()) {
if (licenseState.isSecurityEnabled()) {
String profile = channel.getProfileName();
ServerTransportFilter filter = profileFilters.get(profile);

View File

@ -128,7 +128,7 @@ public interface ServerTransportFilter {
} else {
authzService.authorize(authentication, securityAction, request, listener);
}
} else if (licenseState.isAuthAllowed() == false) {
} else if (licenseState.isSecurityEnabled() == false) {
listener.onResponse(null);
} else {
listener.onFailure(new IllegalStateException("no authentication present but auth is allowed"));

View File

@ -15,15 +15,7 @@ import org.elasticsearch.action.admin.cluster.stats.ClusterStatsResponse;
import org.elasticsearch.action.admin.indices.stats.IndicesStatsResponse;
import org.elasticsearch.action.index.IndexResponse;
import org.elasticsearch.client.Client;
import org.elasticsearch.client.Request;
import org.elasticsearch.client.RequestOptions;
import org.elasticsearch.client.Response;
import org.elasticsearch.client.ResponseException;
import org.elasticsearch.client.transport.NoNodeAvailableException;
import org.elasticsearch.client.transport.TransportClient;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.discovery.DiscoveryModule;
import org.elasticsearch.license.License.OperationMode;
import org.elasticsearch.node.MockNode;
@ -33,16 +25,8 @@ import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.test.MockHttpTransport;
import org.elasticsearch.test.SecurityIntegTestCase;
import org.elasticsearch.test.SecuritySettingsSource;
import org.elasticsearch.test.SecuritySettingsSourceField;
import org.elasticsearch.transport.Netty4Plugin;
import org.elasticsearch.transport.Transport;
import org.elasticsearch.xpack.core.TestXPackTransportClient;
import org.elasticsearch.xpack.core.XPackField;
import org.elasticsearch.xpack.core.security.SecurityField;
import org.elasticsearch.xpack.core.security.action.user.PutUserResponse;
import org.elasticsearch.xpack.core.security.authc.support.Hasher;
import org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken;
import org.elasticsearch.xpack.core.security.client.SecurityClient;
import org.elasticsearch.xpack.security.LocalStateSecurity;
import org.junit.After;
import org.junit.Before;
@ -59,7 +43,6 @@ import java.util.stream.Collectors;
import static org.elasticsearch.common.xcontent.XContentFactory.jsonBuilder;
import static org.elasticsearch.discovery.SettingsBasedSeedHostsProvider.DISCOVERY_SEED_HOSTS_SETTING;
import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertNoFailures;
import static org.hamcrest.Matchers.containsString;
import static org.hamcrest.Matchers.greaterThanOrEqualTo;
import static org.hamcrest.Matchers.hasItem;
import static org.hamcrest.Matchers.is;
@ -130,7 +113,7 @@ public class LicensingTests extends SecurityIntegTestCase {
@Before
public void resetLicensing() throws Exception {
enableLicensing(OperationMode.MISSING);
enableLicensing(OperationMode.BASIC);
}
@After
@ -180,90 +163,6 @@ public class LicensingTests extends SecurityIntegTestCase {
assertThat(nodeStats, notNullValue());
}
public void testRestAuthenticationByLicenseType() throws Exception {
Response unauthorizedRootResponse = getRestClient().performRequest(new Request("GET", "/"));
// the default of the licensing tests is basic
assertThat(unauthorizedRootResponse.getStatusLine().getStatusCode(), is(200));
ResponseException e = expectThrows(ResponseException.class,
() -> getRestClient().performRequest(new Request("GET", "/_security/_authenticate")));
assertThat(e.getResponse().getStatusLine().getStatusCode(), is(403));
// generate a new license with a mode that enables auth
License.OperationMode mode = randomFrom(License.OperationMode.GOLD, License.OperationMode.TRIAL,
License.OperationMode.PLATINUM, License.OperationMode.STANDARD, License.OperationMode.ENTERPRISE);
enableLicensing(mode);
e = expectThrows(ResponseException.class, () -> getRestClient().performRequest(new Request("GET", "/")));
assertThat(e.getResponse().getStatusLine().getStatusCode(), is(401));
e = expectThrows(ResponseException.class,
() -> getRestClient().performRequest(new Request("GET", "/_security/_authenticate")));
assertThat(e.getResponse().getStatusLine().getStatusCode(), is(401));
RequestOptions.Builder optionsBuilder = RequestOptions.DEFAULT.toBuilder();
optionsBuilder.addHeader("Authorization", UsernamePasswordToken.basicAuthHeaderValue(SecuritySettingsSource.TEST_USER_NAME,
new SecureString(SecuritySettingsSourceField.TEST_PASSWORD.toCharArray())));
RequestOptions options = optionsBuilder.build();
Request rootRequest = new Request("GET", "/");
rootRequest.setOptions(options);
Response authorizedRootResponse = getRestClient().performRequest(rootRequest);
assertThat(authorizedRootResponse.getStatusLine().getStatusCode(), is(200));
Request authenticateRequest = new Request("GET", "/_security/_authenticate");
authenticateRequest.setOptions(options);
Response authorizedAuthenticateResponse = getRestClient().performRequest(authenticateRequest);
assertThat(authorizedAuthenticateResponse.getStatusLine().getStatusCode(), is(200));
}
public void testSecurityActionsByLicenseType() throws Exception {
// security actions should not work!
Settings settings = internalCluster().transportClient().settings();
try (TransportClient client = new TestXPackTransportClient(settings, LocalStateSecurity.class)) {
client.addTransportAddress(internalCluster().getDataNodeInstance(Transport.class).boundAddress().publishAddress());
new SecurityClient(client).preparePutUser("john", "password".toCharArray(), Hasher.BCRYPT).get();
fail("security actions should not be enabled!");
} catch (ElasticsearchSecurityException e) {
assertThat(e.status(), is(RestStatus.FORBIDDEN));
assertThat(e.getMessage(), containsString("non-compliant"));
}
// enable a license that enables security
License.OperationMode mode = randomFrom(License.OperationMode.GOLD, License.OperationMode.TRIAL,
License.OperationMode.PLATINUM, License.OperationMode.STANDARD, OperationMode.BASIC);
enableLicensing(mode);
// security actions should work!
try (TransportClient client = new TestXPackTransportClient(settings, LocalStateSecurity.class)) {
client.addTransportAddress(internalCluster().getDataNodeInstance(Transport.class).boundAddress().publishAddress());
PutUserResponse response = new SecurityClient(client).preparePutUser("john", "password".toCharArray(), Hasher.BCRYPT).get();
assertNotNull(response);
}
}
public void testTransportClientAuthenticationByLicenseType() throws Exception {
Settings.Builder builder = Settings.builder()
.put(internalCluster().transportClient().settings());
// remove user info
builder.remove(SecurityField.USER_SETTING.getKey());
builder.remove(ThreadContext.PREFIX + "." + UsernamePasswordToken.BASIC_AUTH_HEADER);
// basic has no auth
try (TransportClient client = new TestXPackTransportClient(builder.build(), LocalStateSecurity.class)) {
client.addTransportAddress(internalCluster().getDataNodeInstance(Transport.class).boundAddress().publishAddress());
assertGreenClusterState(client);
}
// enable a license that enables security
License.OperationMode mode = randomFrom(License.OperationMode.GOLD, License.OperationMode.TRIAL,
License.OperationMode.PLATINUM, License.OperationMode.STANDARD);
enableLicensing(mode);
try (TransportClient client = new TestXPackTransportClient(builder.build(), LocalStateSecurity.class)) {
client.addTransportAddress(internalCluster().getDataNodeInstance(Transport.class).boundAddress().publishAddress());
client.admin().cluster().prepareHealth().get();
fail("should not have been able to connect to a node!");
} catch (NoNodeAvailableException e) {
// expected
}
}
public void testNodeJoinWithoutSecurityExplicitlyEnabled() throws Exception {
License.OperationMode mode = randomFrom(License.OperationMode.GOLD, License.OperationMode.PLATINUM,
License.OperationMode.ENTERPRISE, License.OperationMode.STANDARD);
@ -305,12 +204,7 @@ public class LicensingTests extends SecurityIntegTestCase {
// is overwritten by some other cluster activity and the node throws an exception while we
// wait for things to stabilize!
assertBusy(() -> {
for (XPackLicenseState licenseState : internalCluster().getInstances(XPackLicenseState.class)) {
if (licenseState.isAuthAllowed() == false) {
enableLicensing(OperationMode.BASIC);
break;
}
}
ensureGreen();
ensureClusterSizeConsistency();

View File

@ -65,7 +65,7 @@ public class SecurityActionFilterTests extends ESTestCase {
authcService = mock(AuthenticationService.class);
authzService = mock(AuthorizationService.class);
licenseState = mock(XPackLicenseState.class);
when(licenseState.isAuthAllowed()).thenReturn(true);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isStatsAndHealthAllowed()).thenReturn(true);
ThreadPool threadPool = mock(ThreadPool.class);
threadContext = new ThreadContext(Settings.EMPTY);
@ -250,7 +250,7 @@ public class SecurityActionFilterTests extends ESTestCase {
ActionListener listener = mock(ActionListener.class);
ActionFilterChain chain = mock(ActionFilterChain.class);
Task task = mock(Task.class);
when(licenseState.isAuthAllowed()).thenReturn(false);
when(licenseState.isSecurityEnabled()).thenReturn(false);
filter.apply(task, "_action", request, listener, chain);
verifyZeroInteractions(authcService);
verifyZeroInteractions(authzService);

View File

@ -189,7 +189,7 @@ public class AuthenticationServiceTests extends ESTestCase {
.build();
XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.areAllRealmsAllowed()).thenReturn(true);
when(licenseState.isAuthAllowed()).thenReturn(true);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isApiKeyServiceAllowed()).thenReturn(true);
when(licenseState.isTokenServiceAllowed()).thenReturn(true);
when(licenseState.copyCurrentLicenseState()).thenReturn(licenseState);

View File

@ -74,7 +74,7 @@ public class RealmsTests extends ESTestCase {
when(licenseState.copyCurrentLicenseState()).thenReturn(licenseState);
threadContext = new ThreadContext(Settings.EMPTY);
reservedRealm = mock(ReservedRealm.class);
when(licenseState.isAuthAllowed()).thenReturn(true);
when(licenseState.isSecurityEnabled()).thenReturn(true);
allowAllRealms();
when(reservedRealm.type()).thenReturn(ReservedRealm.TYPE);
when(reservedRealm.name()).thenReturn("reserved");
@ -550,7 +550,7 @@ public class RealmsTests extends ESTestCase {
assertThat(realms.iterator().hasNext(), is(true));
when(licenseState.isAuthAllowed()).thenReturn(false);
when(licenseState.isSecurityEnabled()).thenReturn(false);
assertThat(realms.iterator().hasNext(), is(false));
}
@ -590,7 +590,7 @@ public class RealmsTests extends ESTestCase {
}
// check standard realms include native
when(licenseState.isAuthAllowed()).thenReturn(true);
when(licenseState.isSecurityEnabled()).thenReturn(true);
allowOnlyStandardRealms();
future = new PlainActionFuture<>();
realms.usageStats(future);

View File

@ -49,7 +49,7 @@ public class SecuritySearchOperationListenerTests extends ESTestCase {
public void testUnlicensed() {
XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.isAuthAllowed()).thenReturn(false);
when(licenseState.isSecurityEnabled()).thenReturn(false);
ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
final SecurityContext securityContext = new SecurityContext(Settings.EMPTY, threadContext);
AuditTrailService auditTrailService = mock(AuditTrailService.class);
@ -59,7 +59,7 @@ public class SecuritySearchOperationListenerTests extends ESTestCase {
SecuritySearchOperationListener listener = new SecuritySearchOperationListener(securityContext, licenseState, auditTrailService);
listener.onNewScrollContext(searchContext);
listener.validateSearchContext(searchContext, Empty.INSTANCE);
verify(licenseState, times(2)).isAuthAllowed();
verify(licenseState, times(2)).isSecurityEnabled();
verifyZeroInteractions(auditTrailService, searchContext);
}
@ -69,7 +69,7 @@ public class SecuritySearchOperationListenerTests extends ESTestCase {
final Scroll scroll = new Scroll(TimeValue.timeValueSeconds(2L));
testSearchContext.scrollContext().scroll = scroll;
XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.isAuthAllowed()).thenReturn(true);
when(licenseState.isSecurityEnabled()).thenReturn(true);
ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
final SecurityContext securityContext = new SecurityContext(Settings.EMPTY, threadContext);
AuditTrailService auditTrailService = mock(AuditTrailService.class);
@ -83,7 +83,7 @@ public class SecuritySearchOperationListenerTests extends ESTestCase {
assertEquals(authentication, contextAuth);
assertEquals(scroll, testSearchContext.scrollContext().scroll);
verify(licenseState).isAuthAllowed();
verify(licenseState).isSecurityEnabled();
verifyZeroInteractions(auditTrailService);
}
@ -94,7 +94,7 @@ public class SecuritySearchOperationListenerTests extends ESTestCase {
new Authentication(new User("test", "role"), new RealmRef("realm", "file", "node"), null));
testSearchContext.scrollContext().scroll = new Scroll(TimeValue.timeValueSeconds(2L));
XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.isAuthAllowed()).thenReturn(true);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isAuditingAllowed()).thenReturn(true);
ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
final SecurityContext securityContext = new SecurityContext(Settings.EMPTY, threadContext);
@ -106,7 +106,7 @@ public class SecuritySearchOperationListenerTests extends ESTestCase {
Authentication authentication = new Authentication(new User("test", "role"), new RealmRef("realm", "file", "node"), null);
authentication.writeToContext(threadContext);
listener.validateSearchContext(testSearchContext, Empty.INSTANCE);
verify(licenseState).isAuthAllowed();
verify(licenseState).isSecurityEnabled();
verifyZeroInteractions(auditTrail);
}
@ -116,7 +116,7 @@ public class SecuritySearchOperationListenerTests extends ESTestCase {
Authentication authentication = new Authentication(new User("test", "role"), new RealmRef(realmName, "file", nodeName), null);
authentication.writeToContext(threadContext);
listener.validateSearchContext(testSearchContext, Empty.INSTANCE);
verify(licenseState, times(2)).isAuthAllowed();
verify(licenseState, times(2)).isSecurityEnabled();
verifyZeroInteractions(auditTrail);
}
@ -133,7 +133,7 @@ public class SecuritySearchOperationListenerTests extends ESTestCase {
SearchContextMissingException expected =
expectThrows(SearchContextMissingException.class, () -> listener.validateSearchContext(testSearchContext, request));
assertEquals(testSearchContext.id(), expected.contextId());
verify(licenseState, times(3)).isAuthAllowed();
verify(licenseState, times(3)).isSecurityEnabled();
verify(auditTrail).accessDenied(eq(null), eq(authentication), eq("action"), eq(request),
authzInfoRoles(authentication.getUser().roles()));
}
@ -150,7 +150,7 @@ public class SecuritySearchOperationListenerTests extends ESTestCase {
threadContext.putTransient(ORIGINATING_ACTION_KEY, "action");
final InternalScrollSearchRequest request = new InternalScrollSearchRequest();
listener.validateSearchContext(testSearchContext, request);
verify(licenseState, times(4)).isAuthAllowed();
verify(licenseState, times(4)).isSecurityEnabled();
verifyNoMoreInteractions(auditTrail);
}
@ -169,7 +169,7 @@ public class SecuritySearchOperationListenerTests extends ESTestCase {
SearchContextMissingException expected =
expectThrows(SearchContextMissingException.class, () -> listener.validateSearchContext(testSearchContext, request));
assertEquals(testSearchContext.id(), expected.contextId());
verify(licenseState, times(5)).isAuthAllowed();
verify(licenseState, times(5)).isSecurityEnabled();
verify(auditTrail).accessDenied(eq(null), eq(authentication), eq("action"), eq(request),
authzInfoRoles(authentication.getUser().roles()));
}
@ -183,7 +183,7 @@ public class SecuritySearchOperationListenerTests extends ESTestCase {
final String action = randomAlphaOfLength(4);
TransportRequest request = Empty.INSTANCE;
XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.isAuthAllowed()).thenReturn(true);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isAuditingAllowed()).thenReturn(true);
AuditTrail auditTrail = mock(AuditTrail.class);
AuditTrailService auditTrailService = new AuditTrailService(Collections.singletonList(auditTrail), licenseState);

View File

@ -134,7 +134,7 @@ public class OptOutQueryCacheTests extends ESTestCase {
final IndicesQueryCache indicesQueryCache = mock(IndicesQueryCache.class);
final ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
final XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.isAuthAllowed()).thenReturn(false);
when(licenseState.isSecurityEnabled()).thenReturn(false);
final OptOutQueryCache cache = new OptOutQueryCache(indexSettings, indicesQueryCache, threadContext, licenseState);
cache.listenForLicenseStateChanges();
final Weight weight = mock(Weight.class);
@ -153,7 +153,7 @@ public class OptOutQueryCacheTests extends ESTestCase {
final IndicesQueryCache indicesQueryCache = mock(IndicesQueryCache.class);
final ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
final XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.isAuthAllowed()).thenReturn(true);
when(licenseState.isSecurityEnabled()).thenReturn(true);
final OptOutQueryCache cache = new OptOutQueryCache(indexSettings, indicesQueryCache, threadContext, licenseState);
cache.listenForLicenseStateChanges();
final Weight weight = mock(Weight.class);
@ -178,7 +178,7 @@ public class OptOutQueryCacheTests extends ESTestCase {
when(indicesAccessControl.getIndexPermissions("index")).thenReturn(indexAccessControl);
threadContext.putTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY, indicesAccessControl);
final XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.isAuthAllowed()).thenReturn(true);
when(licenseState.isSecurityEnabled()).thenReturn(true);
final OptOutQueryCache cache = new OptOutQueryCache(indexSettings, indicesQueryCache, threadContext, licenseState);
cache.listenForLicenseStateChanges();
final Weight weight = mock(Weight.class);

View File

@ -45,7 +45,7 @@ public class IndicesAliasesRequestInterceptorTests extends ESTestCase {
public void testInterceptorThrowsWhenFLSDLSEnabled() {
XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.copyCurrentLicenseState()).thenReturn(licenseState);
when(licenseState.isAuthAllowed()).thenReturn(true);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isAuditingAllowed()).thenReturn(true);
when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(true);
ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
@ -104,7 +104,7 @@ public class IndicesAliasesRequestInterceptorTests extends ESTestCase {
public void testInterceptorThrowsWhenTargetHasGreaterPermissions() throws Exception {
XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.copyCurrentLicenseState()).thenReturn(licenseState);
when(licenseState.isAuthAllowed()).thenReturn(true);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isAuditingAllowed()).thenReturn(true);
when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(randomBoolean());
ThreadContext threadContext = new ThreadContext(Settings.EMPTY);

View File

@ -49,7 +49,7 @@ public class ResizeRequestInterceptorTests extends ESTestCase {
public void testResizeRequestInterceptorThrowsWhenFLSDLSEnabled() {
XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.copyCurrentLicenseState()).thenReturn(licenseState);
when(licenseState.isAuthAllowed()).thenReturn(true);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isAuditingAllowed()).thenReturn(true);
when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(true);
ThreadPool threadPool = mock(ThreadPool.class);
@ -101,7 +101,7 @@ public class ResizeRequestInterceptorTests extends ESTestCase {
public void testResizeRequestInterceptorThrowsWhenTargetHasGreaterPermissions() throws Exception {
XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.copyCurrentLicenseState()).thenReturn(licenseState);
when(licenseState.isAuthAllowed()).thenReturn(true);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isAuditingAllowed()).thenReturn(true);
when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(true);
ThreadPool threadPool = mock(ThreadPool.class);

View File

@ -33,7 +33,7 @@ public class SetSecurityUserProcessorFactoryTests extends ESTestCase {
public void setupContext() {
securityContext = new SecurityContext(Settings.EMPTY, new ThreadContext(Settings.EMPTY));
licenseState = Mockito.mock(XPackLicenseState.class);
when(licenseState.isAuthAllowed()).thenReturn(true);
when(licenseState.isSecurityEnabled()).thenReturn(true);
}
public void testProcessor() throws Exception {
@ -76,7 +76,7 @@ public class SetSecurityUserProcessorFactoryTests extends ESTestCase {
}
public void testCanConstructorProcessorWithoutSecurityEnabled() throws Exception {
when(licenseState.isAuthAllowed()).thenReturn(false);
when(licenseState.isSecurityEnabled()).thenReturn(false);
SetSecurityUserProcessor.Factory factory = new SetSecurityUserProcessor.Factory(() -> null, () -> licenseState);
Map<String, Object> config = new HashMap<>();
config.put("field", "_field");

View File

@ -42,7 +42,7 @@ public class SetSecurityUserProcessorTests extends ESTestCase {
threadContext = new ThreadContext(Settings.EMPTY);
securityContext = new SecurityContext(Settings.EMPTY, threadContext);
licenseState = Mockito.mock(XPackLicenseState.class);
when(licenseState.isAuthAllowed()).thenReturn(true);
when(licenseState.isSecurityEnabled()).thenReturn(true);
}
public void testProcessorWithData() throws Exception {
@ -103,7 +103,7 @@ public class SetSecurityUserProcessorTests extends ESTestCase {
}
public void testSecurityDisabled() throws Exception {
when(licenseState.isAuthAllowed()).thenReturn(false);
when(licenseState.isSecurityEnabled()).thenReturn(false);
IngestDocument ingestDocument = new IngestDocument(new HashMap<>(), new HashMap<>());
SetSecurityUserProcessor processor = new SetSecurityUserProcessor(
"_tag", securityContext, licenseState, "_field", EnumSet.allOf(Property.class));

View File

@ -69,7 +69,7 @@ public class SecurityRestFilterTests extends ESTestCase {
authcService = mock(AuthenticationService.class);
channel = mock(RestChannel.class);
licenseState = mock(XPackLicenseState.class);
when(licenseState.isAuthAllowed()).thenReturn(true);
when(licenseState.isSecurityEnabled()).thenReturn(true);
restHandler = mock(RestHandler.class);
threadContext = new ThreadContext(Settings.EMPTY);
secondaryAuthenticator = new SecondaryAuthenticator(Settings.EMPTY, threadContext, authcService);
@ -135,7 +135,7 @@ public class SecurityRestFilterTests extends ESTestCase {
public void testProcessBasicLicense() throws Exception {
RestRequest request = mock(RestRequest.class);
when(licenseState.isAuthAllowed()).thenReturn(false);
when(licenseState.isSecurityEnabled()).thenReturn(false);
filter.handleRequest(request, channel, null);
verify(restHandler).handleRequest(request, channel, null);
verifyZeroInteractions(channel, authcService);

View File

@ -75,7 +75,7 @@ public class SecurityServerTransportInterceptorTests extends ESTestCase {
threadContext = threadPool.getThreadContext();
securityContext = spy(new SecurityContext(settings, threadPool.getThreadContext()));
xPackLicenseState = mock(XPackLicenseState.class);
when(xPackLicenseState.isAuthAllowed()).thenReturn(true);
when(xPackLicenseState.isSecurityEnabled()).thenReturn(true);
}
@After
@ -90,7 +90,7 @@ public class SecurityServerTransportInterceptorTests extends ESTestCase {
securityContext, new DestructiveOperations(Settings.EMPTY, new ClusterSettings(Settings.EMPTY,
Collections.singleton(DestructiveOperations.REQUIRES_NAME_SETTING))), clusterService);
ClusterServiceUtils.setState(clusterService, clusterService.state()); // force state update to trigger listener
when(xPackLicenseState.isAuthAllowed()).thenReturn(false);
when(xPackLicenseState.isSecurityEnabled()).thenReturn(false);
AtomicBoolean calledWrappedSender = new AtomicBoolean(false);
AtomicReference<User> sendingUser = new AtomicReference<>();
AsyncSender sender = interceptor.interceptSender(new AsyncSender() {
@ -108,7 +108,7 @@ public class SecurityServerTransportInterceptorTests extends ESTestCase {
sender.sendRequest(connection, MainAction.NAME, null, null, null);
assertTrue(calledWrappedSender.get());
assertThat(sendingUser.get(), nullValue());
verify(xPackLicenseState).isAuthAllowed();
verify(xPackLicenseState).isSecurityEnabled();
verifyNoMoreInteractions(xPackLicenseState);
}
@ -118,7 +118,7 @@ public class SecurityServerTransportInterceptorTests extends ESTestCase {
securityContext, new DestructiveOperations(Settings.EMPTY, new ClusterSettings(Settings.EMPTY,
Collections.singleton(DestructiveOperations.REQUIRES_NAME_SETTING))), clusterService);
ClusterServiceUtils.setState(clusterService, clusterService.state()); // force state update to trigger listener
when(xPackLicenseState.isAuthAllowed()).thenReturn(false);
when(xPackLicenseState.isSecurityEnabled()).thenReturn(false);
AtomicBoolean calledWrappedSender = new AtomicBoolean(false);
AtomicReference<User> sendingUser = new AtomicReference<>();
AsyncSender sender = interceptor.interceptSender(new AsyncSender() {
@ -136,7 +136,7 @@ public class SecurityServerTransportInterceptorTests extends ESTestCase {
sender.sendRequest(connection, "internal:foo", null, null, null);
assertTrue(calledWrappedSender.get());
assertThat(sendingUser.get(), is(SystemUser.INSTANCE));
verify(xPackLicenseState).isAuthAllowed();
verify(xPackLicenseState).isSecurityEnabled();
verify(securityContext).executeAsUser(any(User.class), any(Consumer.class), eq(Version.CURRENT));
verifyNoMoreInteractions(xPackLicenseState);
}
@ -147,7 +147,7 @@ public class SecurityServerTransportInterceptorTests extends ESTestCase {
securityContext, new DestructiveOperations(Settings.EMPTY, new ClusterSettings(Settings.EMPTY,
Collections.singleton(DestructiveOperations.REQUIRES_NAME_SETTING))), clusterService);
final boolean authAllowed = randomBoolean();
when(xPackLicenseState.isAuthAllowed()).thenReturn(authAllowed);
when(xPackLicenseState.isSecurityEnabled()).thenReturn(authAllowed);
ClusterState notRecovered = ClusterState.builder(clusterService.state())
.blocks(ClusterBlocks.builder().addGlobalBlock(GatewayService.STATE_NOT_RECOVERED_BLOCK).build())
.build();
@ -171,7 +171,7 @@ public class SecurityServerTransportInterceptorTests extends ESTestCase {
sender.sendRequest(connection, "internal:foo", null, null, null);
assertTrue(calledWrappedSender.get());
assertEquals(SystemUser.INSTANCE, sendingUser.get());
verify(xPackLicenseState).isAuthAllowed();
verify(xPackLicenseState).isSecurityEnabled();
verify(securityContext).executeAsUser(any(User.class), any(Consumer.class), eq(Version.CURRENT));
verifyNoMoreInteractions(xPackLicenseState);
}
@ -205,7 +205,7 @@ public class SecurityServerTransportInterceptorTests extends ESTestCase {
assertTrue(calledWrappedSender.get());
assertEquals(user, sendingUser.get());
assertEquals(user, securityContext.getUser());
verify(xPackLicenseState).isAuthAllowed();
verify(xPackLicenseState).isSecurityEnabled();
verify(securityContext, never()).executeAsUser(any(User.class), any(Consumer.class), any(Version.class));
verifyNoMoreInteractions(xPackLicenseState);
}
@ -242,7 +242,7 @@ public class SecurityServerTransportInterceptorTests extends ESTestCase {
assertNotEquals(user, sendingUser.get());
assertEquals(SystemUser.INSTANCE, sendingUser.get());
assertEquals(user, securityContext.getUser());
verify(xPackLicenseState).isAuthAllowed();
verify(xPackLicenseState).isSecurityEnabled();
verify(securityContext).executeAsUser(any(User.class), any(Consumer.class), eq(Version.CURRENT));
verifyNoMoreInteractions(xPackLicenseState);
}
@ -272,7 +272,7 @@ public class SecurityServerTransportInterceptorTests extends ESTestCase {
expectThrows(IllegalStateException.class, () -> sender.sendRequest(connection, "indices:foo", null, null, null));
assertEquals("there should always be a user when sending a message for action [indices:foo]", e.getMessage());
assertNull(securityContext.getUser());
verify(xPackLicenseState).isAuthAllowed();
verify(xPackLicenseState).isSecurityEnabled();
verify(securityContext, never()).executeAsUser(any(User.class), any(Consumer.class), any(Version.class));
verifyNoMoreInteractions(xPackLicenseState);
}

View File

@ -237,7 +237,7 @@ public class TransportPutTransformAction extends TransportMasterNodeAction<Reque
ActionListener.wrap(
validationResponse -> {
// Early check to verify that the user can create the destination index and can read from the source
if (licenseState.isAuthAllowed() && request.isDeferValidation() == false) {
if (licenseState.isSecurityEnabled() && request.isDeferValidation() == false) {
final String username = securityContext.getUser().principal();
HasPrivilegesRequest privRequest = buildPrivilegeCheck(config, indexNameExpressionResolver, clusterState, username);
ActionListener<HasPrivilegesResponse> privResponseListener = ActionListener.wrap(

View File

@ -231,7 +231,7 @@ public class TransportUpdateTransformAction extends TransportMasterNodeAction<Re
ActionListener<Response> listener
) {
// Early check to verify that the user can create the destination index and can read from the source
if (licenseState.isAuthAllowed() && request.isDeferValidation() == false) {
if (licenseState.isSecurityEnabled() && request.isDeferValidation() == false) {
final String username = securityContext.getUser().principal();
HasPrivilegesRequest privRequest = buildPrivilegeCheck(config, indexNameExpressionResolver, clusterState, username);
ActionListener<HasPrivilegesResponse> privResponseListener = ActionListener.wrap(