The isAuthAllowed() method for license checking is used by code that wants to ensure security is both enabled and available. The enabled state is dynamic and provided by isSecurityEnabled(). But since security is available with all license types, a check on the license level is not necessary. Thus, this change replaces isAuthAllowed() with calling isSecurityEnabled().
parent
d32f6fed1d
commit
ae14d1661e
|
@ -72,7 +72,7 @@ public class CcrLicenseChecker {
|
|||
* Constructs a CCR license checker with the default rule based on the license state for checking if CCR is allowed.
|
||||
*/
|
||||
CcrLicenseChecker() {
|
||||
this(XPackPlugin.getSharedLicenseState()::isCcrAllowed, XPackPlugin.getSharedLicenseState()::isAuthAllowed);
|
||||
this(XPackPlugin.getSharedLicenseState()::isCcrAllowed, XPackPlugin.getSharedLicenseState()::isSecurityEnabled);
|
||||
}
|
||||
|
||||
/**
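Review bot: The Javadoc on the no-arg constructor still describes only the CCR rule, although the second argument now passes `isSecurityEnabled` instead of a license-level check. A reader of the constructor cannot tell that the second supplier reports a dynamic enabled state rather than a license entitlement. Consider adding a line such as `* The second supplier reports whether security is currently enabled; it does not depend on the license level.`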
|
||||
|
|
|
@ -401,13 +401,6 @@ public class XPackLicenseState {
|
|||
return checkAgainstStatus(status -> status.active);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return true if authentication and authorization should be enabled.
|
||||
*/
|
||||
public boolean isAuthAllowed() {
|
||||
return isAllowedBySecurityAndLicense(OperationMode.BASIC, false);
|
||||
}
|
||||
|
||||
public boolean isIpFilteringAllowed() {
|
||||
return isAllowedBySecurityAndLicense(OperationMode.GOLD, false);
|
||||
}
|
||||
|
|
|
@ -77,7 +77,7 @@ public class XPackLicenseStateTests extends ESTestCase {
|
|||
public void testSecurityDefaults() {
|
||||
XPackLicenseState licenseState =
|
||||
new XPackLicenseState(Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build());
|
||||
assertThat(licenseState.isAuthAllowed(), is(true));
|
||||
assertThat(licenseState.isSecurityEnabled(), is(true));
|
||||
assertThat(licenseState.isIpFilteringAllowed(), is(true));
|
||||
assertThat(licenseState.isAuditingAllowed(), is(true));
|
||||
assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
|
||||
|
@ -100,7 +100,7 @@ public class XPackLicenseStateTests extends ESTestCase {
|
|||
XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY);
|
||||
licenseState.update(BASIC, true, null);
|
||||
|
||||
assertThat(licenseState.isAuthAllowed(), is(false));
|
||||
assertThat(licenseState.isSecurityEnabled(), is(false));
|
||||
assertThat(licenseState.isIpFilteringAllowed(), is(false));
|
||||
assertThat(licenseState.isAuditingAllowed(), is(false));
|
||||
assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
|
||||
|
@ -118,7 +118,7 @@ public class XPackLicenseStateTests extends ESTestCase {
|
|||
XPackLicenseState licenseState = new XPackLicenseState(settings);
|
||||
licenseState.update(BASIC, true, null);
|
||||
|
||||
assertThat(licenseState.isAuthAllowed(), is(true));
|
||||
assertThat(licenseState.isSecurityEnabled(), is(true));
|
||||
assertThat(licenseState.isIpFilteringAllowed(), is(false));
|
||||
assertThat(licenseState.isAuditingAllowed(), is(false));
|
||||
assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
|
||||
|
@ -135,7 +135,7 @@ public class XPackLicenseStateTests extends ESTestCase {
|
|||
XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY);
|
||||
licenseState.update(BASIC, false, null);
|
||||
|
||||
assertThat(licenseState.isAuthAllowed(), is(false));
|
||||
assertThat(licenseState.isSecurityEnabled(), is(false));
|
||||
assertThat(licenseState.isIpFilteringAllowed(), is(false));
|
||||
assertThat(licenseState.isAuditingAllowed(), is(false));
|
||||
assertThat(licenseState.isStatsAndHealthAllowed(), is(false));
|
||||
|
@ -150,7 +150,7 @@ public class XPackLicenseStateTests extends ESTestCase {
|
|||
Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build());
|
||||
licenseState.update(BASIC, false, null);
|
||||
|
||||
assertThat(licenseState.isAuthAllowed(), is(true));
|
||||
assertThat(licenseState.isSecurityEnabled(), is(true));
|
||||
assertThat(licenseState.isIpFilteringAllowed(), is(false));
|
||||
assertThat(licenseState.isAuditingAllowed(), is(false));
|
||||
assertThat(licenseState.isStatsAndHealthAllowed(), is(false));
|
||||
|
@ -165,7 +165,7 @@ public class XPackLicenseStateTests extends ESTestCase {
|
|||
Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build()));
|
||||
licenseState.update(STANDARD, true, null);
|
||||
|
||||
assertThat(licenseState.isAuthAllowed(), is(true));
|
||||
assertThat(licenseState.isSecurityEnabled(), is(true));
|
||||
assertThat(licenseState.isIpFilteringAllowed(), is(false));
|
||||
assertThat(licenseState.isAuditingAllowed(), is(false));
|
||||
assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
|
||||
|
@ -178,7 +178,7 @@ public class XPackLicenseStateTests extends ESTestCase {
|
|||
Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build()));
|
||||
licenseState.update(STANDARD, false, null);
|
||||
|
||||
assertThat(licenseState.isAuthAllowed(), is(true));
|
||||
assertThat(licenseState.isSecurityEnabled(), is(true));
|
||||
assertThat(licenseState.isIpFilteringAllowed(), is(false));
|
||||
assertThat(licenseState.isAuditingAllowed(), is(false));
|
||||
assertThat(licenseState.isStatsAndHealthAllowed(), is(false));
|
||||
|
@ -191,7 +191,7 @@ public class XPackLicenseStateTests extends ESTestCase {
|
|||
Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build()));
|
||||
licenseState.update(GOLD, true, null);
|
||||
|
||||
assertThat(licenseState.isAuthAllowed(), is(true));
|
||||
assertThat(licenseState.isSecurityEnabled(), is(true));
|
||||
assertThat(licenseState.isIpFilteringAllowed(), is(true));
|
||||
assertThat(licenseState.isAuditingAllowed(), is(true));
|
||||
assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
|
||||
|
@ -207,7 +207,7 @@ public class XPackLicenseStateTests extends ESTestCase {
|
|||
Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build()));
|
||||
licenseState.update(GOLD, false, null);
|
||||
|
||||
assertThat(licenseState.isAuthAllowed(), is(true));
|
||||
assertThat(licenseState.isSecurityEnabled(), is(true));
|
||||
assertThat(licenseState.isIpFilteringAllowed(), is(true));
|
||||
assertThat(licenseState.isAuditingAllowed(), is(true));
|
||||
assertThat(licenseState.isStatsAndHealthAllowed(), is(false));
|
||||
|
@ -223,7 +223,7 @@ public class XPackLicenseStateTests extends ESTestCase {
|
|||
Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build()));
|
||||
licenseState.update(PLATINUM, true, null);
|
||||
|
||||
assertThat(licenseState.isAuthAllowed(), is(true));
|
||||
assertThat(licenseState.isSecurityEnabled(), is(true));
|
||||
assertThat(licenseState.isIpFilteringAllowed(), is(true));
|
||||
assertThat(licenseState.isAuditingAllowed(), is(true));
|
||||
assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
|
||||
|
@ -239,7 +239,7 @@ public class XPackLicenseStateTests extends ESTestCase {
|
|||
Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build()));
|
||||
licenseState.update(PLATINUM, false, null);
|
||||
|
||||
assertThat(licenseState.isAuthAllowed(), is(true));
|
||||
assertThat(licenseState.isSecurityEnabled(), is(true));
|
||||
assertThat(licenseState.isIpFilteringAllowed(), is(true));
|
||||
assertThat(licenseState.isAuditingAllowed(), is(true));
|
||||
assertThat(licenseState.isStatsAndHealthAllowed(), is(false));
|
||||
|
@ -259,7 +259,7 @@ public class XPackLicenseStateTests extends ESTestCase {
|
|||
}
|
||||
|
||||
private void assertSecurityNotAllowed(XPackLicenseState licenseState) {
|
||||
assertThat(licenseState.isAuthAllowed(), is(false));
|
||||
assertThat(licenseState.isSecurityEnabled(), is(false));
|
||||
assertThat(licenseState.isIpFilteringAllowed(), is(false));
|
||||
assertThat(licenseState.isAuditingAllowed(), is(false));
|
||||
assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
|
||||
|
|
|
@ -88,7 +88,7 @@ public class TransportPutEnrichPolicyAction extends TransportMasterNodeAction<Pu
|
|||
ActionListener<AcknowledgedResponse> listener
|
||||
) {
|
||||
|
||||
if (licenseState.isAuthAllowed()) {
|
||||
if (licenseState.isSecurityEnabled()) {
|
||||
RoleDescriptor.IndicesPrivileges privileges = RoleDescriptor.IndicesPrivileges.builder()
|
||||
.indices(request.getPolicy().getIndices())
|
||||
.privileges("read")
|
||||
|
|
|
@ -141,7 +141,7 @@ public class TransportPutDataFrameAnalyticsAction
|
|||
.setVersion(Version.CURRENT)
|
||||
.build();
|
||||
|
||||
if (licenseState.isAuthAllowed()) {
|
||||
if (licenseState.isSecurityEnabled()) {
|
||||
useSecondaryAuthIfAvailable(securityContext, () -> {
|
||||
final String username = securityContext.getUser().principal();
|
||||
RoleDescriptor.IndicesPrivileges sourceIndexPrivileges = RoleDescriptor.IndicesPrivileges.builder()
|
||||
|
|
|
@ -106,7 +106,7 @@ public class TransportPutDatafeedAction extends TransportMasterNodeAction<PutDat
|
|||
ActionListener<PutDatafeedAction.Response> listener) {
|
||||
// If security is enabled only create the datafeed if the user requesting creation has
|
||||
// permission to read the indices the datafeed is going to read from
|
||||
if (licenseState.isAuthAllowed()) {
|
||||
if (licenseState.isSecurityEnabled()) {
|
||||
useSecondaryAuthIfAvailable(securityContext, () -> {
|
||||
final String[] indices = request.getDatafeed().getIndices().toArray(new String[0]);
|
||||
|
||||
|
|
|
@ -79,7 +79,7 @@ public class SecurityActionFilter implements ActionFilter {
|
|||
throw LicenseUtils.newComplianceException(XPackField.SECURITY);
|
||||
}
|
||||
|
||||
if (licenseState.isAuthAllowed()) {
|
||||
if (licenseState.isSecurityEnabled()) {
|
||||
final ActionListener<Response> contextPreservingListener =
|
||||
ContextPreservingActionListener.wrapPreservingContext(listener, threadContext);
|
||||
ActionListener<Void> authenticatedListener = ActionListener.wrap(
|
||||
|
@ -156,7 +156,7 @@ public class SecurityActionFilter implements ActionFilter {
|
|||
ActionListener.wrap((authc) -> {
|
||||
if (authc != null) {
|
||||
authorizeRequest(authc, securityAction, request, listener);
|
||||
} else if (licenseState.isAuthAllowed() == false) {
|
||||
} else if (licenseState.isSecurityEnabled() == false) {
|
||||
listener.onResponse(null);
|
||||
} else {
|
||||
listener.onFailure(new IllegalStateException("no authentication present but auth is allowed"));
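Review bot: The security-enabled state is read from the live `licenseState` twice for one request, once at `if (licenseState.isSecurityEnabled())` and again in the `authc == null` branch of the callback, and the commit description says this state is dynamic. If it changes to disabled between the two reads, `else if (licenseState.isSecurityEnabled() == false)` answers `listener.onResponse(null)`, which appears to let the request proceed without an authentication. Other classes on this page (`Realms`, the request interceptors) call `licenseState.copyCurrentLicenseState()` once and decide from that snapshot; doing the same here, or passing the first decision into the callback, would keep the outcome consistent within one request. Both enclosing methods start and end outside the hunks, so this rests only on the visible lines.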
|
||||
|
|
|
@ -113,7 +113,7 @@ public class Realms implements Iterable<Realm> {
|
|||
public List<Realm> getUnlicensedRealms() {
|
||||
final XPackLicenseState licenseStateSnapshot = licenseState.copyCurrentLicenseState();
|
||||
// If auth is not allowed, then everything is unlicensed
|
||||
if (licenseStateSnapshot.isAuthAllowed() == false) {
|
||||
if (licenseStateSnapshot.isSecurityEnabled() == false) {
|
||||
return Collections.unmodifiableList(realms);
|
||||
}
|
||||
|
||||
|
@ -139,7 +139,7 @@ public class Realms implements Iterable<Realm> {
|
|||
|
||||
public List<Realm> asList() {
|
||||
final XPackLicenseState licenseStateSnapshot = licenseState.copyCurrentLicenseState();
|
||||
if (licenseStateSnapshot.isAuthAllowed() == false) {
|
||||
if (licenseStateSnapshot.isSecurityEnabled() == false) {
|
||||
return Collections.emptyList();
|
||||
}
|
||||
if (licenseStateSnapshot.areAllRealmsAllowed()) {
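Review bot: The comment `// If auth is not allowed, then everything is unlicensed` in `getUnlicensedRealms()` no longer matches the condition, which now tests whether security is enabled rather than whether the license allows authentication; `// If security is not enabled, every realm is reported as unlicensed` would fit. The same leftover wording is visible in the `"no authentication present but auth is allowed"` messages in `SecurityActionFilter` and `ServerTransportFilter`, the `"authorization is not allowed"` debug message in `OptOutQueryCache`, and the `iff the current license allows authentication` comment in `SecurityServerTransportInterceptor`. Someone reading those logs may go looking at the license when the state now comes from `isSecurityEnabled()`.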
|
||||
|
|
|
@ -49,7 +49,7 @@ public final class SecuritySearchOperationListener implements SearchOperationLis
|
|||
*/
|
||||
@Override
|
||||
public void onNewScrollContext(SearchContext searchContext) {
|
||||
if (licenseState.isAuthAllowed()) {
|
||||
if (licenseState.isSecurityEnabled()) {
|
||||
searchContext.scrollContext().putInContext(AuthenticationField.AUTHENTICATION_KEY, securityContext.getAuthentication());
|
||||
}
|
||||
}
|
||||
|
@ -60,7 +60,7 @@ public final class SecuritySearchOperationListener implements SearchOperationLis
|
|||
*/
|
||||
@Override
|
||||
public void validateSearchContext(SearchContext searchContext, TransportRequest request) {
|
||||
if (licenseState.isAuthAllowed()) {
|
||||
if (licenseState.isSecurityEnabled()) {
|
||||
if (searchContext.scrollContext() != null) {
|
||||
final Authentication originalAuth = searchContext.scrollContext().getFromContext(AuthenticationField.AUTHENTICATION_KEY);
|
||||
final Authentication current = securityContext.getAuthentication();
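Review bot: `onNewScrollContext` stores the authentication only when `isSecurityEnabled()` is true, and `validateSearchContext` reads it back under a separate, later call to the same dynamic check. A scroll context created while security was disabled would carry no stored authentication if security is enabled before the next scroll request, so `originalAuth` can be null after `getFromContext(AuthenticationField.AUTHENTICATION_KEY)`. How that null is handled lies outside the hunk; it should be rejected explicitly rather than treated as a match, and covered by a test if it is not already.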
|
||||
|
|
|
@ -86,7 +86,7 @@ public final class OptOutQueryCache extends AbstractIndexComponent implements Li
|
|||
@Override
|
||||
public Weight doCache(Weight weight, QueryCachingPolicy policy) {
|
||||
assert licenseStateListenerRegistered;
|
||||
if (licenseState.isAuthAllowed() == false) {
|
||||
if (licenseState.isSecurityEnabled() == false) {
|
||||
logger.debug("not opting out of the query cache; authorization is not allowed");
|
||||
return indicesQueryCache.doCache(weight, policy);
|
||||
}
|
||||
|
|
|
@ -50,7 +50,7 @@ public final class IndicesAliasesRequestInterceptor implements RequestIntercepto
|
|||
final IndicesAliasesRequest request = (IndicesAliasesRequest) requestInfo.getRequest();
|
||||
final XPackLicenseState frozenLicenseState = licenseState.copyCurrentLicenseState();
|
||||
final AuditTrail auditTrail = auditTrailService.get();
|
||||
if (frozenLicenseState.isAuthAllowed()) {
|
||||
if (frozenLicenseState.isSecurityEnabled()) {
|
||||
if (frozenLicenseState.isDocumentAndFieldLevelSecurityAllowed()) {
|
||||
IndicesAccessControl indicesAccessControl =
|
||||
threadContext.getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY);
|
||||
|
|
|
@ -46,7 +46,7 @@ public final class ResizeRequestInterceptor implements RequestInterceptor {
|
|||
final ResizeRequest request = (ResizeRequest) requestInfo.getRequest();
|
||||
final XPackLicenseState frozenLicenseState = licenseState.copyCurrentLicenseState();
|
||||
final AuditTrail auditTrail = auditTrailService.get();
|
||||
if (frozenLicenseState.isAuthAllowed()) {
|
||||
if (frozenLicenseState.isSecurityEnabled()) {
|
||||
if (frozenLicenseState.isDocumentAndFieldLevelSecurityAllowed()) {
|
||||
IndicesAccessControl indicesAccessControl =
|
||||
threadContext.getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY);
|
||||
|
|
|
@ -49,7 +49,7 @@ public final class SetSecurityUserProcessor extends AbstractProcessor {
|
|||
super(tag);
|
||||
this.securityContext = securityContext;
|
||||
this.licenseState = Objects.requireNonNull(licenseState, "license state cannot be null");
|
||||
if (licenseState.isAuthAllowed() == false) {
|
||||
if (licenseState.isSecurityEnabled() == false) {
|
||||
logger.warn("Creating processor [{}] (tag [{}]) on field [{}] but authentication is not currently enabled on this cluster " +
|
||||
" - this processor is likely to fail at runtime if it is used", TYPE, tag, field);
|
||||
} else if (this.securityContext == null) {
|
||||
|
@ -73,7 +73,7 @@ public final class SetSecurityUserProcessor extends AbstractProcessor {
|
|||
if (user == null) {
|
||||
logger.debug(
|
||||
"Failed to find active user. SecurityContext=[{}] Authentication=[{}] User=[{}]", securityContext, authentication, user);
|
||||
if (licenseState.isAuthAllowed()) {
|
||||
if (licenseState.isSecurityEnabled()) {
|
||||
// This shouldn't happen. If authentication is allowed (and active), then there _should_ always be an authenticated user.
|
||||
// If we ever see this error message, then one of our assumptions are wrong.
|
||||
throw new IllegalStateException("There is no authenticated user - the [" + TYPE
|
||||
|
|
|
@ -50,7 +50,7 @@ public class SecurityRestFilter implements RestHandler {
|
|||
|
||||
@Override
|
||||
public void handleRequest(RestRequest request, RestChannel channel, NodeClient client) throws Exception {
|
||||
if (licenseState.isAuthAllowed() && request.method() != Method.OPTIONS) {
|
||||
if (licenseState.isSecurityEnabled() && request.method() != Method.OPTIONS) {
|
||||
// CORS - allow for preflight unauthenticated OPTIONS request
|
||||
if (extractClientCertificate) {
|
||||
HttpChannel httpChannel = request.getHttpChannel();
|
||||
|
|
|
@ -145,7 +145,7 @@ public class SecurityServerTransportInterceptor implements TransportInterceptor
|
|||
// So, we always send authentication headers for actions that have an implied user (system-user or explicit-origin)
|
||||
// and then for other (user originated) actions we enforce that there is an authentication header that we can send, iff the
|
||||
// current license allows authentication.
|
||||
return licenseState.isAuthAllowed() && isStateNotRecovered == false;
|
||||
return licenseState.isSecurityEnabled() && isStateNotRecovered == false;
|
||||
}
|
||||
|
||||
private <T extends TransportResponse> void sendWithUser(Transport.Connection connection, String action, TransportRequest request,
|
||||
|
@ -272,7 +272,7 @@ public class SecurityServerTransportInterceptor implements TransportInterceptor
|
|||
public void messageReceived(T request, TransportChannel channel, Task task) throws Exception {
|
||||
final AbstractRunnable receiveMessage = getReceiveRunnable(request, channel, task);
|
||||
try (ThreadContext.StoredContext ctx = threadContext.newStoredContext(true)) {
|
||||
if (licenseState.isAuthAllowed()) {
|
||||
if (licenseState.isSecurityEnabled()) {
|
||||
String profile = channel.getProfileName();
|
||||
ServerTransportFilter filter = profileFilters.get(profile);
|
||||
|
||||
|
|
|
@ -128,7 +128,7 @@ public interface ServerTransportFilter {
|
|||
} else {
|
||||
authzService.authorize(authentication, securityAction, request, listener);
|
||||
}
|
||||
} else if (licenseState.isAuthAllowed() == false) {
|
||||
} else if (licenseState.isSecurityEnabled() == false) {
|
||||
listener.onResponse(null);
|
||||
} else {
|
||||
listener.onFailure(new IllegalStateException("no authentication present but auth is allowed"));
|
||||
|
|
|
@ -15,15 +15,7 @@ import org.elasticsearch.action.admin.cluster.stats.ClusterStatsResponse;
|
|||
import org.elasticsearch.action.admin.indices.stats.IndicesStatsResponse;
|
||||
import org.elasticsearch.action.index.IndexResponse;
|
||||
import org.elasticsearch.client.Client;
|
||||
import org.elasticsearch.client.Request;
|
||||
import org.elasticsearch.client.RequestOptions;
|
||||
import org.elasticsearch.client.Response;
|
||||
import org.elasticsearch.client.ResponseException;
|
||||
import org.elasticsearch.client.transport.NoNodeAvailableException;
|
||||
import org.elasticsearch.client.transport.TransportClient;
|
||||
import org.elasticsearch.common.settings.SecureString;
|
||||
import org.elasticsearch.common.settings.Settings;
|
||||
import org.elasticsearch.common.util.concurrent.ThreadContext;
|
||||
import org.elasticsearch.discovery.DiscoveryModule;
|
||||
import org.elasticsearch.license.License.OperationMode;
|
||||
import org.elasticsearch.node.MockNode;
|
||||
|
@ -33,16 +25,8 @@ import org.elasticsearch.rest.RestStatus;
|
|||
import org.elasticsearch.test.MockHttpTransport;
|
||||
import org.elasticsearch.test.SecurityIntegTestCase;
|
||||
import org.elasticsearch.test.SecuritySettingsSource;
|
||||
import org.elasticsearch.test.SecuritySettingsSourceField;
|
||||
import org.elasticsearch.transport.Netty4Plugin;
|
||||
import org.elasticsearch.transport.Transport;
|
||||
import org.elasticsearch.xpack.core.TestXPackTransportClient;
|
||||
import org.elasticsearch.xpack.core.XPackField;
|
||||
import org.elasticsearch.xpack.core.security.SecurityField;
|
||||
import org.elasticsearch.xpack.core.security.action.user.PutUserResponse;
|
||||
import org.elasticsearch.xpack.core.security.authc.support.Hasher;
|
||||
import org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken;
|
||||
import org.elasticsearch.xpack.core.security.client.SecurityClient;
|
||||
import org.elasticsearch.xpack.security.LocalStateSecurity;
|
||||
import org.junit.After;
|
||||
import org.junit.Before;
|
||||
|
@ -59,7 +43,6 @@ import java.util.stream.Collectors;
|
|||
import static org.elasticsearch.common.xcontent.XContentFactory.jsonBuilder;
|
||||
import static org.elasticsearch.discovery.SettingsBasedSeedHostsProvider.DISCOVERY_SEED_HOSTS_SETTING;
|
||||
import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertNoFailures;
|
||||
import static org.hamcrest.Matchers.containsString;
|
||||
import static org.hamcrest.Matchers.greaterThanOrEqualTo;
|
||||
import static org.hamcrest.Matchers.hasItem;
|
||||
import static org.hamcrest.Matchers.is;
|
||||
|
@ -130,7 +113,7 @@ public class LicensingTests extends SecurityIntegTestCase {
|
|||
|
||||
@Before
|
||||
public void resetLicensing() throws Exception {
|
||||
enableLicensing(OperationMode.MISSING);
|
||||
enableLicensing(OperationMode.BASIC);
|
||||
}
|
||||
|
||||
@After
|
||||
|
@ -180,90 +163,6 @@ public class LicensingTests extends SecurityIntegTestCase {
|
|||
assertThat(nodeStats, notNullValue());
|
||||
}
|
||||
|
||||
public void testRestAuthenticationByLicenseType() throws Exception {
|
||||
Response unauthorizedRootResponse = getRestClient().performRequest(new Request("GET", "/"));
|
||||
// the default of the licensing tests is basic
|
||||
assertThat(unauthorizedRootResponse.getStatusLine().getStatusCode(), is(200));
|
||||
ResponseException e = expectThrows(ResponseException.class,
|
||||
() -> getRestClient().performRequest(new Request("GET", "/_security/_authenticate")));
|
||||
assertThat(e.getResponse().getStatusLine().getStatusCode(), is(403));
|
||||
|
||||
// generate a new license with a mode that enables auth
|
||||
License.OperationMode mode = randomFrom(License.OperationMode.GOLD, License.OperationMode.TRIAL,
|
||||
License.OperationMode.PLATINUM, License.OperationMode.STANDARD, License.OperationMode.ENTERPRISE);
|
||||
enableLicensing(mode);
|
||||
e = expectThrows(ResponseException.class, () -> getRestClient().performRequest(new Request("GET", "/")));
|
||||
assertThat(e.getResponse().getStatusLine().getStatusCode(), is(401));
|
||||
e = expectThrows(ResponseException.class,
|
||||
() -> getRestClient().performRequest(new Request("GET", "/_security/_authenticate")));
|
||||
assertThat(e.getResponse().getStatusLine().getStatusCode(), is(401));
|
||||
|
||||
RequestOptions.Builder optionsBuilder = RequestOptions.DEFAULT.toBuilder();
|
||||
optionsBuilder.addHeader("Authorization", UsernamePasswordToken.basicAuthHeaderValue(SecuritySettingsSource.TEST_USER_NAME,
|
||||
new SecureString(SecuritySettingsSourceField.TEST_PASSWORD.toCharArray())));
|
||||
RequestOptions options = optionsBuilder.build();
|
||||
|
||||
Request rootRequest = new Request("GET", "/");
|
||||
rootRequest.setOptions(options);
|
||||
Response authorizedRootResponse = getRestClient().performRequest(rootRequest);
|
||||
assertThat(authorizedRootResponse.getStatusLine().getStatusCode(), is(200));
|
||||
Request authenticateRequest = new Request("GET", "/_security/_authenticate");
|
||||
authenticateRequest.setOptions(options);
|
||||
Response authorizedAuthenticateResponse = getRestClient().performRequest(authenticateRequest);
|
||||
assertThat(authorizedAuthenticateResponse.getStatusLine().getStatusCode(), is(200));
|
||||
}
|
||||
|
||||
public void testSecurityActionsByLicenseType() throws Exception {
|
||||
// security actions should not work!
|
||||
Settings settings = internalCluster().transportClient().settings();
|
||||
try (TransportClient client = new TestXPackTransportClient(settings, LocalStateSecurity.class)) {
|
||||
client.addTransportAddress(internalCluster().getDataNodeInstance(Transport.class).boundAddress().publishAddress());
|
||||
new SecurityClient(client).preparePutUser("john", "password".toCharArray(), Hasher.BCRYPT).get();
|
||||
fail("security actions should not be enabled!");
|
||||
} catch (ElasticsearchSecurityException e) {
|
||||
assertThat(e.status(), is(RestStatus.FORBIDDEN));
|
||||
assertThat(e.getMessage(), containsString("non-compliant"));
|
||||
}
|
||||
|
||||
// enable a license that enables security
|
||||
License.OperationMode mode = randomFrom(License.OperationMode.GOLD, License.OperationMode.TRIAL,
|
||||
License.OperationMode.PLATINUM, License.OperationMode.STANDARD, OperationMode.BASIC);
|
||||
enableLicensing(mode);
|
||||
// security actions should work!
|
||||
try (TransportClient client = new TestXPackTransportClient(settings, LocalStateSecurity.class)) {
|
||||
client.addTransportAddress(internalCluster().getDataNodeInstance(Transport.class).boundAddress().publishAddress());
|
||||
PutUserResponse response = new SecurityClient(client).preparePutUser("john", "password".toCharArray(), Hasher.BCRYPT).get();
|
||||
assertNotNull(response);
|
||||
}
|
||||
}
|
||||
|
||||
public void testTransportClientAuthenticationByLicenseType() throws Exception {
|
||||
Settings.Builder builder = Settings.builder()
|
||||
.put(internalCluster().transportClient().settings());
|
||||
// remove user info
|
||||
builder.remove(SecurityField.USER_SETTING.getKey());
|
||||
builder.remove(ThreadContext.PREFIX + "." + UsernamePasswordToken.BASIC_AUTH_HEADER);
|
||||
|
||||
// basic has no auth
|
||||
try (TransportClient client = new TestXPackTransportClient(builder.build(), LocalStateSecurity.class)) {
|
||||
client.addTransportAddress(internalCluster().getDataNodeInstance(Transport.class).boundAddress().publishAddress());
|
||||
assertGreenClusterState(client);
|
||||
}
|
||||
|
||||
// enable a license that enables security
|
||||
License.OperationMode mode = randomFrom(License.OperationMode.GOLD, License.OperationMode.TRIAL,
|
||||
License.OperationMode.PLATINUM, License.OperationMode.STANDARD);
|
||||
enableLicensing(mode);
|
||||
|
||||
try (TransportClient client = new TestXPackTransportClient(builder.build(), LocalStateSecurity.class)) {
|
||||
client.addTransportAddress(internalCluster().getDataNodeInstance(Transport.class).boundAddress().publishAddress());
|
||||
client.admin().cluster().prepareHealth().get();
|
||||
fail("should not have been able to connect to a node!");
|
||||
} catch (NoNodeAvailableException e) {
|
||||
// expected
|
||||
}
|
||||
}
|
||||
|
||||
public void testNodeJoinWithoutSecurityExplicitlyEnabled() throws Exception {
|
||||
License.OperationMode mode = randomFrom(License.OperationMode.GOLD, License.OperationMode.PLATINUM,
|
||||
License.OperationMode.ENTERPRISE, License.OperationMode.STANDARD);
|
||||
|
@ -305,12 +204,7 @@ public class LicensingTests extends SecurityIntegTestCase {
|
|||
// is overwritten by some other cluster activity and the node throws an exception while we
|
||||
// wait for things to stabilize!
|
||||
assertBusy(() -> {
|
||||
for (XPackLicenseState licenseState : internalCluster().getInstances(XPackLicenseState.class)) {
|
||||
if (licenseState.isAuthAllowed() == false) {
|
||||
enableLicensing(OperationMode.BASIC);
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
ensureGreen();
|
||||
ensureClusterSizeConsistency();
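Review bot: The three removed tests (`testRestAuthenticationByLicenseType`, `testSecurityActionsByLicenseType`, `testTransportClientAuthenticationByLicenseType`) held the assertions in this file that unauthenticated access is rejected: a 401 on `/` and `/_security/_authenticate`, and `NoNodeAvailableException` for a transport client without credentials. Their license-type framing is obsolete, but the negative assertions still apply when security is enabled; if no other suite covers them, keep a reduced version that asserts the 401 without switching license modes. The change in `resetLicensing()` from `OperationMode.MISSING` to `OperationMode.BASIC` would also benefit from a short comment saying why basic is now the baseline.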
|
||||
|
|
|
@ -65,7 +65,7 @@ public class SecurityActionFilterTests extends ESTestCase {
|
|||
authcService = mock(AuthenticationService.class);
|
||||
authzService = mock(AuthorizationService.class);
|
||||
licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.isAuthAllowed()).thenReturn(true);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
when(licenseState.isStatsAndHealthAllowed()).thenReturn(true);
|
||||
ThreadPool threadPool = mock(ThreadPool.class);
|
||||
threadContext = new ThreadContext(Settings.EMPTY);
|
||||
|
@ -250,7 +250,7 @@ public class SecurityActionFilterTests extends ESTestCase {
|
|||
ActionListener listener = mock(ActionListener.class);
|
||||
ActionFilterChain chain = mock(ActionFilterChain.class);
|
||||
Task task = mock(Task.class);
|
||||
when(licenseState.isAuthAllowed()).thenReturn(false);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(false);
|
||||
filter.apply(task, "_action", request, listener, chain);
|
||||
verifyZeroInteractions(authcService);
|
||||
verifyZeroInteractions(authzService);
|
||||
|
|
|
@ -189,7 +189,7 @@ public class AuthenticationServiceTests extends ESTestCase {
|
|||
.build();
|
||||
XPackLicenseState licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.areAllRealmsAllowed()).thenReturn(true);
|
||||
when(licenseState.isAuthAllowed()).thenReturn(true);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
when(licenseState.isApiKeyServiceAllowed()).thenReturn(true);
|
||||
when(licenseState.isTokenServiceAllowed()).thenReturn(true);
|
||||
when(licenseState.copyCurrentLicenseState()).thenReturn(licenseState);
|
||||
|
|
|
@ -74,7 +74,7 @@ public class RealmsTests extends ESTestCase {
|
|||
when(licenseState.copyCurrentLicenseState()).thenReturn(licenseState);
|
||||
threadContext = new ThreadContext(Settings.EMPTY);
|
||||
reservedRealm = mock(ReservedRealm.class);
|
||||
when(licenseState.isAuthAllowed()).thenReturn(true);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
allowAllRealms();
|
||||
when(reservedRealm.type()).thenReturn(ReservedRealm.TYPE);
|
||||
when(reservedRealm.name()).thenReturn("reserved");
|
||||
|
@ -550,7 +550,7 @@ public class RealmsTests extends ESTestCase {
|
|||
|
||||
assertThat(realms.iterator().hasNext(), is(true));
|
||||
|
||||
when(licenseState.isAuthAllowed()).thenReturn(false);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(false);
|
||||
assertThat(realms.iterator().hasNext(), is(false));
|
||||
}
|
||||
|
||||
|
@ -590,7 +590,7 @@ public class RealmsTests extends ESTestCase {
|
|||
}
|
||||
|
||||
// check standard realms include native
|
||||
when(licenseState.isAuthAllowed()).thenReturn(true);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
allowOnlyStandardRealms();
|
||||
future = new PlainActionFuture<>();
|
||||
realms.usageStats(future);
|
||||
|
|
|
@ -49,7 +49,7 @@ public class SecuritySearchOperationListenerTests extends ESTestCase {
|
|||
|
||||
public void testUnlicensed() {
|
||||
XPackLicenseState licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.isAuthAllowed()).thenReturn(false);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(false);
|
||||
ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
|
||||
final SecurityContext securityContext = new SecurityContext(Settings.EMPTY, threadContext);
|
||||
AuditTrailService auditTrailService = mock(AuditTrailService.class);
|
||||
|
@ -59,7 +59,7 @@ public class SecuritySearchOperationListenerTests extends ESTestCase {
|
|||
SecuritySearchOperationListener listener = new SecuritySearchOperationListener(securityContext, licenseState, auditTrailService);
|
||||
listener.onNewScrollContext(searchContext);
|
||||
listener.validateSearchContext(searchContext, Empty.INSTANCE);
|
||||
verify(licenseState, times(2)).isAuthAllowed();
|
||||
verify(licenseState, times(2)).isSecurityEnabled();
|
||||
verifyZeroInteractions(auditTrailService, searchContext);
|
||||
}
|
||||
|
||||
|
@ -69,7 +69,7 @@ public class SecuritySearchOperationListenerTests extends ESTestCase {
|
|||
final Scroll scroll = new Scroll(TimeValue.timeValueSeconds(2L));
|
||||
testSearchContext.scrollContext().scroll = scroll;
|
||||
XPackLicenseState licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.isAuthAllowed()).thenReturn(true);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
|
||||
final SecurityContext securityContext = new SecurityContext(Settings.EMPTY, threadContext);
|
||||
AuditTrailService auditTrailService = mock(AuditTrailService.class);
|
||||
|
@ -83,7 +83,7 @@ public class SecuritySearchOperationListenerTests extends ESTestCase {
|
|||
assertEquals(authentication, contextAuth);
|
||||
assertEquals(scroll, testSearchContext.scrollContext().scroll);
|
||||
|
||||
verify(licenseState).isAuthAllowed();
|
||||
verify(licenseState).isSecurityEnabled();
|
||||
verifyZeroInteractions(auditTrailService);
|
||||
}
|
||||
|
||||
|
@ -94,7 +94,7 @@ public class SecuritySearchOperationListenerTests extends ESTestCase {
|
|||
new Authentication(new User("test", "role"), new RealmRef("realm", "file", "node"), null));
|
||||
testSearchContext.scrollContext().scroll = new Scroll(TimeValue.timeValueSeconds(2L));
|
||||
XPackLicenseState licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.isAuthAllowed()).thenReturn(true);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
when(licenseState.isAuditingAllowed()).thenReturn(true);
|
||||
ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
|
||||
final SecurityContext securityContext = new SecurityContext(Settings.EMPTY, threadContext);
|
||||
|
@ -106,7 +106,7 @@ public class SecuritySearchOperationListenerTests extends ESTestCase {
|
|||
Authentication authentication = new Authentication(new User("test", "role"), new RealmRef("realm", "file", "node"), null);
|
||||
authentication.writeToContext(threadContext);
|
||||
listener.validateSearchContext(testSearchContext, Empty.INSTANCE);
|
||||
verify(licenseState).isAuthAllowed();
|
||||
verify(licenseState).isSecurityEnabled();
|
||||
verifyZeroInteractions(auditTrail);
|
||||
}
|
||||
|
||||
|
@ -116,7 +116,7 @@ public class SecuritySearchOperationListenerTests extends ESTestCase {
|
|||
Authentication authentication = new Authentication(new User("test", "role"), new RealmRef(realmName, "file", nodeName), null);
|
||||
authentication.writeToContext(threadContext);
|
||||
listener.validateSearchContext(testSearchContext, Empty.INSTANCE);
|
||||
verify(licenseState, times(2)).isAuthAllowed();
|
||||
verify(licenseState, times(2)).isSecurityEnabled();
|
||||
verifyZeroInteractions(auditTrail);
|
||||
}
|
||||
|
||||
|
@ -133,7 +133,7 @@ public class SecuritySearchOperationListenerTests extends ESTestCase {
|
|||
SearchContextMissingException expected =
|
||||
expectThrows(SearchContextMissingException.class, () -> listener.validateSearchContext(testSearchContext, request));
|
||||
assertEquals(testSearchContext.id(), expected.contextId());
|
||||
verify(licenseState, times(3)).isAuthAllowed();
|
||||
verify(licenseState, times(3)).isSecurityEnabled();
|
||||
verify(auditTrail).accessDenied(eq(null), eq(authentication), eq("action"), eq(request),
|
||||
authzInfoRoles(authentication.getUser().roles()));
|
||||
}
|
||||
|
@ -150,7 +150,7 @@ public class SecuritySearchOperationListenerTests extends ESTestCase {
|
|||
threadContext.putTransient(ORIGINATING_ACTION_KEY, "action");
|
||||
final InternalScrollSearchRequest request = new InternalScrollSearchRequest();
|
||||
listener.validateSearchContext(testSearchContext, request);
|
||||
verify(licenseState, times(4)).isAuthAllowed();
|
||||
verify(licenseState, times(4)).isSecurityEnabled();
|
||||
verifyNoMoreInteractions(auditTrail);
|
||||
}
|
||||
|
||||
|
@ -169,7 +169,7 @@ public class SecuritySearchOperationListenerTests extends ESTestCase {
|
|||
SearchContextMissingException expected =
|
||||
expectThrows(SearchContextMissingException.class, () -> listener.validateSearchContext(testSearchContext, request));
|
||||
assertEquals(testSearchContext.id(), expected.contextId());
|
||||
verify(licenseState, times(5)).isAuthAllowed();
|
||||
verify(licenseState, times(5)).isSecurityEnabled();
|
||||
verify(auditTrail).accessDenied(eq(null), eq(authentication), eq("action"), eq(request),
|
||||
authzInfoRoles(authentication.getUser().roles()));
|
||||
}
|
||||
|
@ -183,7 +183,7 @@ public class SecuritySearchOperationListenerTests extends ESTestCase {
|
|||
final String action = randomAlphaOfLength(4);
|
||||
TransportRequest request = Empty.INSTANCE;
|
||||
XPackLicenseState licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.isAuthAllowed()).thenReturn(true);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
when(licenseState.isAuditingAllowed()).thenReturn(true);
|
||||
AuditTrail auditTrail = mock(AuditTrail.class);
|
||||
AuditTrailService auditTrailService = new AuditTrailService(Collections.singletonList(auditTrail), licenseState);
|
||||
|
|
|
@ -134,7 +134,7 @@ public class OptOutQueryCacheTests extends ESTestCase {
|
|||
final IndicesQueryCache indicesQueryCache = mock(IndicesQueryCache.class);
|
||||
final ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
|
||||
final XPackLicenseState licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.isAuthAllowed()).thenReturn(false);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(false);
|
||||
final OptOutQueryCache cache = new OptOutQueryCache(indexSettings, indicesQueryCache, threadContext, licenseState);
|
||||
cache.listenForLicenseStateChanges();
|
||||
final Weight weight = mock(Weight.class);
|
||||
|
@ -153,7 +153,7 @@ public class OptOutQueryCacheTests extends ESTestCase {
|
|||
final IndicesQueryCache indicesQueryCache = mock(IndicesQueryCache.class);
|
||||
final ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
|
||||
final XPackLicenseState licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.isAuthAllowed()).thenReturn(true);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
final OptOutQueryCache cache = new OptOutQueryCache(indexSettings, indicesQueryCache, threadContext, licenseState);
|
||||
cache.listenForLicenseStateChanges();
|
||||
final Weight weight = mock(Weight.class);
|
||||
|
@ -178,7 +178,7 @@ public class OptOutQueryCacheTests extends ESTestCase {
|
|||
when(indicesAccessControl.getIndexPermissions("index")).thenReturn(indexAccessControl);
|
||||
threadContext.putTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY, indicesAccessControl);
|
||||
final XPackLicenseState licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.isAuthAllowed()).thenReturn(true);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
final OptOutQueryCache cache = new OptOutQueryCache(indexSettings, indicesQueryCache, threadContext, licenseState);
|
||||
cache.listenForLicenseStateChanges();
|
||||
final Weight weight = mock(Weight.class);
|
||||
|
|
|
@ -45,7 +45,7 @@ public class IndicesAliasesRequestInterceptorTests extends ESTestCase {
|
|||
public void testInterceptorThrowsWhenFLSDLSEnabled() {
|
||||
XPackLicenseState licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.copyCurrentLicenseState()).thenReturn(licenseState);
|
||||
when(licenseState.isAuthAllowed()).thenReturn(true);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
when(licenseState.isAuditingAllowed()).thenReturn(true);
|
||||
when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(true);
|
||||
ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
|
||||
|
@ -104,7 +104,7 @@ public class IndicesAliasesRequestInterceptorTests extends ESTestCase {
|
|||
public void testInterceptorThrowsWhenTargetHasGreaterPermissions() throws Exception {
|
||||
XPackLicenseState licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.copyCurrentLicenseState()).thenReturn(licenseState);
|
||||
when(licenseState.isAuthAllowed()).thenReturn(true);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
when(licenseState.isAuditingAllowed()).thenReturn(true);
|
||||
when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(randomBoolean());
|
||||
ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
|
||||
|
|
|
@ -49,7 +49,7 @@ public class ResizeRequestInterceptorTests extends ESTestCase {
|
|||
public void testResizeRequestInterceptorThrowsWhenFLSDLSEnabled() {
|
||||
XPackLicenseState licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.copyCurrentLicenseState()).thenReturn(licenseState);
|
||||
when(licenseState.isAuthAllowed()).thenReturn(true);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
when(licenseState.isAuditingAllowed()).thenReturn(true);
|
||||
when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(true);
|
||||
ThreadPool threadPool = mock(ThreadPool.class);
|
||||
|
@ -101,7 +101,7 @@ public class ResizeRequestInterceptorTests extends ESTestCase {
|
|||
public void testResizeRequestInterceptorThrowsWhenTargetHasGreaterPermissions() throws Exception {
|
||||
XPackLicenseState licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.copyCurrentLicenseState()).thenReturn(licenseState);
|
||||
when(licenseState.isAuthAllowed()).thenReturn(true);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
when(licenseState.isAuditingAllowed()).thenReturn(true);
|
||||
when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(true);
|
||||
ThreadPool threadPool = mock(ThreadPool.class);
|
||||
|
|
|
@ -33,7 +33,7 @@ public class SetSecurityUserProcessorFactoryTests extends ESTestCase {
|
|||
public void setupContext() {
|
||||
securityContext = new SecurityContext(Settings.EMPTY, new ThreadContext(Settings.EMPTY));
|
||||
licenseState = Mockito.mock(XPackLicenseState.class);
|
||||
when(licenseState.isAuthAllowed()).thenReturn(true);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
}
|
||||
|
||||
public void testProcessor() throws Exception {
|
||||
|
@ -76,7 +76,7 @@ public class SetSecurityUserProcessorFactoryTests extends ESTestCase {
|
|||
}
|
||||
|
||||
public void testCanConstructorProcessorWithoutSecurityEnabled() throws Exception {
|
||||
when(licenseState.isAuthAllowed()).thenReturn(false);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(false);
|
||||
SetSecurityUserProcessor.Factory factory = new SetSecurityUserProcessor.Factory(() -> null, () -> licenseState);
|
||||
Map<String, Object> config = new HashMap<>();
|
||||
config.put("field", "_field");
|
||||
|
|
|
@ -42,7 +42,7 @@ public class SetSecurityUserProcessorTests extends ESTestCase {
|
|||
threadContext = new ThreadContext(Settings.EMPTY);
|
||||
securityContext = new SecurityContext(Settings.EMPTY, threadContext);
|
||||
licenseState = Mockito.mock(XPackLicenseState.class);
|
||||
when(licenseState.isAuthAllowed()).thenReturn(true);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
}
|
||||
|
||||
public void testProcessorWithData() throws Exception {
|
||||
|
@ -103,7 +103,7 @@ public class SetSecurityUserProcessorTests extends ESTestCase {
|
|||
}
|
||||
|
||||
public void testSecurityDisabled() throws Exception {
|
||||
when(licenseState.isAuthAllowed()).thenReturn(false);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(false);
|
||||
IngestDocument ingestDocument = new IngestDocument(new HashMap<>(), new HashMap<>());
|
||||
SetSecurityUserProcessor processor = new SetSecurityUserProcessor(
|
||||
"_tag", securityContext, licenseState, "_field", EnumSet.allOf(Property.class));
|
||||
|
|
|
@ -69,7 +69,7 @@ public class SecurityRestFilterTests extends ESTestCase {
|
|||
authcService = mock(AuthenticationService.class);
|
||||
channel = mock(RestChannel.class);
|
||||
licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.isAuthAllowed()).thenReturn(true);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
restHandler = mock(RestHandler.class);
|
||||
threadContext = new ThreadContext(Settings.EMPTY);
|
||||
secondaryAuthenticator = new SecondaryAuthenticator(Settings.EMPTY, threadContext, authcService);
|
||||
|
@ -135,7 +135,7 @@ public class SecurityRestFilterTests extends ESTestCase {
|
|||
|
||||
public void testProcessBasicLicense() throws Exception {
|
||||
RestRequest request = mock(RestRequest.class);
|
||||
when(licenseState.isAuthAllowed()).thenReturn(false);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(false);
|
||||
filter.handleRequest(request, channel, null);
|
||||
verify(restHandler).handleRequest(request, channel, null);
|
||||
verifyZeroInteractions(channel, authcService);
|
||||
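Review bot: The test name `testProcessBasicLicense` no longer matches what the test sets up, since the stub is now `when(licenseState.isSecurityEnabled()).thenReturn(false)` and the commit message states that security is available on every license level. What the test pins is that the REST filter hands the request straight to `restHandler` without touching `authcService` when security is disabled. A name such as `testProcessWithSecurityDisabled` would say that, so a reader does not take it for a license-tier bypass. The method body continues past the end of this hunk.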
|
|
|
@ -75,7 +75,7 @@ public class SecurityServerTransportInterceptorTests extends ESTestCase {
|
|||
threadContext = threadPool.getThreadContext();
|
||||
securityContext = spy(new SecurityContext(settings, threadPool.getThreadContext()));
|
||||
xPackLicenseState = mock(XPackLicenseState.class);
|
||||
when(xPackLicenseState.isAuthAllowed()).thenReturn(true);
|
||||
when(xPackLicenseState.isSecurityEnabled()).thenReturn(true);
|
||||
}
|
||||
|
||||
@After
|
||||
|
@ -90,7 +90,7 @@ public class SecurityServerTransportInterceptorTests extends ESTestCase {
|
|||
securityContext, new DestructiveOperations(Settings.EMPTY, new ClusterSettings(Settings.EMPTY,
|
||||
Collections.singleton(DestructiveOperations.REQUIRES_NAME_SETTING))), clusterService);
|
||||
ClusterServiceUtils.setState(clusterService, clusterService.state()); // force state update to trigger listener
|
||||
when(xPackLicenseState.isAuthAllowed()).thenReturn(false);
|
||||
when(xPackLicenseState.isSecurityEnabled()).thenReturn(false);
|
||||
AtomicBoolean calledWrappedSender = new AtomicBoolean(false);
|
||||
AtomicReference<User> sendingUser = new AtomicReference<>();
|
||||
AsyncSender sender = interceptor.interceptSender(new AsyncSender() {
|
||||
|
@ -108,7 +108,7 @@ public class SecurityServerTransportInterceptorTests extends ESTestCase {
|
|||
sender.sendRequest(connection, MainAction.NAME, null, null, null);
|
||||
assertTrue(calledWrappedSender.get());
|
||||
assertThat(sendingUser.get(), nullValue());
|
||||
verify(xPackLicenseState).isAuthAllowed();
|
||||
verify(xPackLicenseState).isSecurityEnabled();
|
||||
verifyNoMoreInteractions(xPackLicenseState);
|
||||
}
|
||||
|
||||
|
@ -118,7 +118,7 @@ public class SecurityServerTransportInterceptorTests extends ESTestCase {
|
|||
securityContext, new DestructiveOperations(Settings.EMPTY, new ClusterSettings(Settings.EMPTY,
|
||||
Collections.singleton(DestructiveOperations.REQUIRES_NAME_SETTING))), clusterService);
|
||||
ClusterServiceUtils.setState(clusterService, clusterService.state()); // force state update to trigger listener
|
||||
when(xPackLicenseState.isAuthAllowed()).thenReturn(false);
|
||||
when(xPackLicenseState.isSecurityEnabled()).thenReturn(false);
|
||||
AtomicBoolean calledWrappedSender = new AtomicBoolean(false);
|
||||
AtomicReference<User> sendingUser = new AtomicReference<>();
|
||||
AsyncSender sender = interceptor.interceptSender(new AsyncSender() {
|
||||
|
@ -136,7 +136,7 @@ public class SecurityServerTransportInterceptorTests extends ESTestCase {
|
|||
sender.sendRequest(connection, "internal:foo", null, null, null);
|
||||
assertTrue(calledWrappedSender.get());
|
||||
assertThat(sendingUser.get(), is(SystemUser.INSTANCE));
|
||||
verify(xPackLicenseState).isAuthAllowed();
|
||||
verify(xPackLicenseState).isSecurityEnabled();
|
||||
verify(securityContext).executeAsUser(any(User.class), any(Consumer.class), eq(Version.CURRENT));
|
||||
verifyNoMoreInteractions(xPackLicenseState);
|
||||
}
|
||||
|
@ -147,7 +147,7 @@ public class SecurityServerTransportInterceptorTests extends ESTestCase {
|
|||
securityContext, new DestructiveOperations(Settings.EMPTY, new ClusterSettings(Settings.EMPTY,
|
||||
Collections.singleton(DestructiveOperations.REQUIRES_NAME_SETTING))), clusterService);
|
||||
final boolean authAllowed = randomBoolean();
|
||||
when(xPackLicenseState.isAuthAllowed()).thenReturn(authAllowed);
|
||||
when(xPackLicenseState.isSecurityEnabled()).thenReturn(authAllowed);
|
||||
ClusterState notRecovered = ClusterState.builder(clusterService.state())
|
||||
.blocks(ClusterBlocks.builder().addGlobalBlock(GatewayService.STATE_NOT_RECOVERED_BLOCK).build())
|
||||
.build();
|
||||
|
@ -171,7 +171,7 @@ public class SecurityServerTransportInterceptorTests extends ESTestCase {
|
|||
sender.sendRequest(connection, "internal:foo", null, null, null);
|
||||
assertTrue(calledWrappedSender.get());
|
||||
assertEquals(SystemUser.INSTANCE, sendingUser.get());
|
||||
verify(xPackLicenseState).isAuthAllowed();
|
||||
verify(xPackLicenseState).isSecurityEnabled();
|
||||
verify(securityContext).executeAsUser(any(User.class), any(Consumer.class), eq(Version.CURRENT));
|
||||
verifyNoMoreInteractions(xPackLicenseState);
|
||||
}
|
||||
|
@ -205,7 +205,7 @@ public class SecurityServerTransportInterceptorTests extends ESTestCase {
|
|||
assertTrue(calledWrappedSender.get());
|
||||
assertEquals(user, sendingUser.get());
|
||||
assertEquals(user, securityContext.getUser());
|
||||
verify(xPackLicenseState).isAuthAllowed();
|
||||
verify(xPackLicenseState).isSecurityEnabled();
|
||||
verify(securityContext, never()).executeAsUser(any(User.class), any(Consumer.class), any(Version.class));
|
||||
verifyNoMoreInteractions(xPackLicenseState);
|
||||
}
|
||||
|
@ -242,7 +242,7 @@ public class SecurityServerTransportInterceptorTests extends ESTestCase {
|
|||
assertNotEquals(user, sendingUser.get());
|
||||
assertEquals(SystemUser.INSTANCE, sendingUser.get());
|
||||
assertEquals(user, securityContext.getUser());
|
||||
verify(xPackLicenseState).isAuthAllowed();
|
||||
verify(xPackLicenseState).isSecurityEnabled();
|
||||
verify(securityContext).executeAsUser(any(User.class), any(Consumer.class), eq(Version.CURRENT));
|
||||
verifyNoMoreInteractions(xPackLicenseState);
|
||||
}
|
||||
|
@ -272,7 +272,7 @@ public class SecurityServerTransportInterceptorTests extends ESTestCase {
|
|||
expectThrows(IllegalStateException.class, () -> sender.sendRequest(connection, "indices:foo", null, null, null));
|
||||
assertEquals("there should always be a user when sending a message for action [indices:foo]", e.getMessage());
|
||||
assertNull(securityContext.getUser());
|
||||
verify(xPackLicenseState).isAuthAllowed();
|
||||
verify(xPackLicenseState).isSecurityEnabled();
|
||||
verify(securityContext, never()).executeAsUser(any(User.class), any(Consumer.class), any(Version.class));
|
||||
verifyNoMoreInteractions(xPackLicenseState);
|
||||
}
|
||||
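Review bot: In the hunk at -147,7 the local is still called `authAllowed` although it now feeds `when(xPackLicenseState.isSecurityEnabled()).thenReturn(authAllowed)`. Renaming it, `final boolean securityEnabled = randomBoolean();`, keeps the test readable now that `isAuthAllowed()` is gone. A one-line comment there would also help, for example `// the system user must be used for internal actions whether or not security is enabled`, which is what the later `assertEquals(SystemUser.INSTANCE, sendingUser.get())` appears to pin. The test method starts before this hunk, so the rest of its setup is not visible here.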
|
|
|
@ -237,7 +237,7 @@ public class TransportPutTransformAction extends TransportMasterNodeAction<Reque
|
|||
ActionListener.wrap(
|
||||
validationResponse -> {
|
||||
// Early check to verify that the user can create the destination index and can read from the source
|
||||
if (licenseState.isAuthAllowed() && request.isDeferValidation() == false) {
|
||||
if (licenseState.isSecurityEnabled() && request.isDeferValidation() == false) {
|
||||
final String username = securityContext.getUser().principal();
|
||||
HasPrivilegesRequest privRequest = buildPrivilegeCheck(config, indexNameExpressionResolver, clusterState, username);
|
||||
ActionListener<HasPrivilegesResponse> privResponseListener = ActionListener.wrap(
|
||||
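Review bot: The privilege pre-check in `if (licenseState.isSecurityEnabled() && request.isDeferValidation() == false)` is skipped whenever the caller sets the defer-validation flag, and the existing comment does not say where privileges are enforced in that case. Because that flag comes from the request, the comment should name the authoritative check, along the lines of `// Early check only: skipped when validation is deferred; source/destination privileges must still be enforced when the transform runs`, after confirming that this is where enforcement actually happens. It would also help to note that `securityContext.getUser()` is assumed non-null whenever security is enabled, since the branch dereferences it directly. The same condition and comment appear in TransportUpdateTransformAction, and both enclosing methods extend beyond the visible hunks.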
|
|
|
@ -231,7 +231,7 @@ public class TransportUpdateTransformAction extends TransportMasterNodeAction<Re
|
|||
ActionListener<Response> listener
|
||||
) {
|
||||
// Early check to verify that the user can create the destination index and can read from the source
|
||||
if (licenseState.isAuthAllowed() && request.isDeferValidation() == false) {
|
||||
if (licenseState.isSecurityEnabled() && request.isDeferValidation() == false) {
|
||||
final String username = securityContext.getUser().principal();
|
||||
HasPrivilegesRequest privRequest = buildPrivilegeCheck(config, indexNameExpressionResolver, clusterState, username);
|
||||
ActionListener<HasPrivilegesResponse> privResponseListener = ActionListener.wrap(
|
||||
|
|