security: remove auto ssl and disable transport ssl by default

This commit removes the code that auto-generated an SSL certificate on startup and disables SSL
on the transport layer by default.

Original commit: elastic/x-pack-elasticsearch@1dc9b17842
jaymode 2016-05-25 07:54:06 -04:00
parent eec4ed90d2
commit c248d7b5da
33 changed files with 89 additions and 641 deletions


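--- a/org/elasticsearch/shield/ssl/AutoGeneratedKeyConfig.java
+++ /dev/null
@@ -1,222 +0,0 @@
-/*
-* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-* or more contributor license agreements. Licensed under the Elastic License;
-* you may not use this file except in compliance with the Elastic License.
-*/
-package org.elasticsearch.shield.ssl;
-import org.elasticsearch.ElasticsearchException;
-import org.elasticsearch.common.Nullable;
-import org.elasticsearch.common.logging.ESLogger;
-import org.elasticsearch.common.util.set.Sets;
-import org.elasticsearch.env.Environment;
-import javax.net.ssl.SSLEngine;
-import javax.net.ssl.X509ExtendedKeyManager;
-import javax.net.ssl.X509ExtendedTrustManager;
-import java.io.InputStream;
-import java.io.InputStreamReader;
-import java.io.Reader;
-import java.net.InetAddress;
-import java.net.Socket;
-import java.nio.charset.StandardCharsets;
-import java.nio.file.Path;
-import java.security.KeyPair;
-import java.security.Principal;
-import java.security.PrivateKey;
-import java.security.cert.Certificate;
-import java.security.cert.CertificateException;
-import java.security.cert.CertificateFactory;
-import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Set;
-/**
-*/
-class AutoGeneratedKeyConfig extends KeyConfig {
-private static final char[] PASSWORD = "changeme".toCharArray();
-private final Set<InetAddress> certificateAddresses = new HashSet<>();
-private final X509ExtendedKeyManager[] keyManagers;
-private final X509ExtendedTrustManager[] trustManagers;
-private final KeyPair keyPair;
-private final Certificate caCert;
-private final Exception failure;
-private boolean certGenerated = false;
-AutoGeneratedKeyConfig(boolean includeSystem) {
-super(includeSystem, false);
-Exception thrown = null;
-X509ExtendedTrustManager trustManager;
-Certificate caCert = null;
-KeyPair keyPair = null;
-try {
-keyPair = CertUtils.generateKeyPair();
-caCert = readCACert();
-X509ExtendedTrustManager[] managers = CertUtils.trustManagers(new Certificate[] { caCert });
-trustManager = managers[0];
-} catch (Exception e) {
-thrown = e;
-trustManager = new EmptyX509TrustManager();
-}
-this.failure = thrown;
-this.caCert = caCert;
-this.keyPair = keyPair;
-this.keyManagers = new X509ExtendedKeyManager[] { new ReloadableX509KeyManager(new EmptyX509KeyManager(), null) };
-this.trustManagers = new X509ExtendedTrustManager[] { new ReloadableTrustManager(trustManager, null) };
-}
-@Override
-X509ExtendedKeyManager[] loadKeyManagers(@Nullable Environment environment) {
-return keyManagers;
-}
-@Override
-X509ExtendedTrustManager[] nonSystemTrustManagers(@Nullable Environment environment) {
-return trustManagers;
-}
-@Override
-void validate() {
-if (failure != null) {
-throw new ElasticsearchException("failed to auto generate keypair and read CA cert", failure);
-}
-}
-@Override
-List<Path> filesToMonitor(@Nullable Environment environment) {
-return Collections.emptyList();
-}
-@Override
-public String toString() {
-return "AutoGeneratedKeyConfig";
-}
-synchronized void generateCertIfNecessary(boolean resolveHostnames, String nodeName, Set<InetAddress> addresses, ESLogger logger)
-throws Exception {
-if (failure != null) {
-throw new ElasticsearchException("failed to auto generate keypair and read CA cert", failure);
-}
-// we shouldn't regenerate if we have no new addresses
-if (certGenerated && Sets.difference(addresses, certificateAddresses).isEmpty()) {
-return;
-}
-this.certificateAddresses.addAll(addresses);
-final PrivateKey caPrivateKey = readCAPrivateKey();
-final X509Certificate signedCert =
-CertUtils.generateSignedCertificate(resolveHostnames, nodeName, certificateAddresses, keyPair, caCert, caPrivateKey);
-Certificate[] certChain = new Certificate[] { signedCert, caCert };
-X509ExtendedKeyManager[] keyManagers = CertUtils.keyManagers(certChain, keyPair.getPrivate(), PASSWORD);
-X509ExtendedTrustManager[] trustManagers = CertUtils.trustManagers(certChain);
-((ReloadableX509KeyManager) this.keyManagers[0]).setKeyManager(keyManagers[0]);
-((ReloadableTrustManager) this.trustManagers[0]).setTrustManager(trustManagers[0]);
-this.certGenerated = true;
-logMessages(signedCert, logger);
-}
-static Certificate readCACert() throws Exception {
-try (InputStream inputStream = AutoGeneratedKeyConfig.class.getResourceAsStream("/cacert.pem");
-Reader reader = new InputStreamReader(inputStream, StandardCharsets.UTF_8)) {
-CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
-List<Certificate> certificateList = new ArrayList<>(1);
-CertUtils.readCertificates(reader, certificateList, certificateFactory);
-if (certificateList.size() != 1) {
-throw new IllegalStateException("expected [1] default CA certificate but found [" + certificateList.size() + "]");
-}
-return certificateList.get(0);
-}
-}
-static PrivateKey readCAPrivateKey() throws Exception {
-try (InputStream inputStream = AutoGeneratedKeyConfig.class.getResourceAsStream("/cakey.pem");
-Reader reader = new InputStreamReader(inputStream, StandardCharsets.UTF_8)) {
-return CertUtils.readPrivateKey(reader, PASSWORD);
-}
-}
-static void logMessages(X509Certificate signedCert, ESLogger logger) {
-logger.info("auto generated a X.509 certificate and private/public key pair for SSL use. this should never be used in production " +
-"as the signing certificate authority is the same for every installation of X-Pack.{}generated certificate:{}{}",
-System.lineSeparator(), System.lineSeparator(), signedCert.toString());
-}
-private static class EmptyX509KeyManager extends X509ExtendedKeyManager {
-@Override
-public String[] getClientAliases(String s, Principal[] principals) {
-return null;
-}
-@Override
-public String chooseClientAlias(String[] strings, Principal[] principals, Socket socket) {
-return null;
-}
-@Override
-public String[] getServerAliases(String s, Principal[] principals) {
-return null;
-}
-@Override
-public String chooseServerAlias(String s, Principal[] principals, Socket socket) {
-return null;
-}
-@Override
-public X509Certificate[] getCertificateChain(String s) {
-return null;
-}
-@Override
-public PrivateKey getPrivateKey(String s) {
-return null;
-}
-}
-private static class EmptyX509TrustManager extends X509ExtendedTrustManager {
-@Override
-public void checkClientTrusted(X509Certificate[] x509Certificates, String s, Socket socket) throws CertificateException {
-throw new CertificateException("trust nothing");
-}
-@Override
-public void checkServerTrusted(X509Certificate[] x509Certificates, String s, Socket socket) throws CertificateException {
-throw new CertificateException("trust nothing");
-}
-@Override
-public void checkClientTrusted(X509Certificate[] x509Certificates, String s, SSLEngine sslEngine) throws CertificateException {
-throw new CertificateException("trust nothing");
-}
-@Override
-public void checkServerTrusted(X509Certificate[] x509Certificates, String s, SSLEngine sslEngine) throws CertificateException {
-throw new CertificateException("trust nothing");
-}
-@Override
-public void checkClientTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
-throw new CertificateException("trust nothing");
-}
-@Override
-public void checkServerTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
-throw new CertificateException("trust nothing");
-}
-@Override
-public X509Certificate[] getAcceptedIssuers() {
-return null;
-}
-}
-}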


@ -64,6 +64,7 @@ abstract class KeyConfig extends TrustConfig {
if (reloadEnabled && resourceWatcherService != null && listener != null) {
ReloadableX509KeyManager reloadableX509KeyManager = new ReloadableX509KeyManager(keyManagers[0], environment);
List<Path> filesToMonitor = filesToMonitor(environment);
if (filesToMonitor.isEmpty() == false) {
ChangeListener changeListener = new ChangeListener(filesToMonitor, reloadableX509KeyManager, listener);
try {
for (Path dir : directoriesToMonitor(filesToMonitor)) {
@ -76,6 +77,7 @@ abstract class KeyConfig extends TrustConfig {
throw new ElasticsearchException("failed to add file watcher", e);
}
}
}
return keyManagers;
}
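Review bot: The `ReloadableX509KeyManager` on the second line of the first hunk is still built before the new `filesToMonitor.isEmpty() == false` guard, so for a key config with nothing to watch it is constructed and then discarded; moving `ReloadableX509KeyManager reloadableX509KeyManager = new ReloadableX509KeyManager(keyManagers[0], environment);` inside the guard makes the intent obvious. When the list is empty the method falls through to `return keyManagers;` with reloading silently off even though `reloadEnabled` is true, which operators who turned reloading on will not notice; a debug line such as `logger.debug("no files to monitor for [{}], key reloading is disabled", this);` at the start of the else path would surface that, assuming a logger is available in this class, which the hunk does not show. The enclosing method starts before the first hunk.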


@ -5,37 +5,22 @@
*/
package org.elasticsearch.shield.ssl;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.common.inject.Inject;
import org.elasticsearch.common.logging.ESLogger;
import org.elasticsearch.common.logging.Loggers;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.Setting.Property;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.settings.SettingsModule;
import org.elasticsearch.common.transport.BoundTransportAddress;
import org.elasticsearch.common.transport.InetSocketTransportAddress;
import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.common.unit.TimeValue;
import org.elasticsearch.node.Node;
import org.elasticsearch.shield.transport.netty.ShieldNettyHttpServerTransport;
import org.elasticsearch.shield.transport.netty.ShieldNettyTransport;
import org.elasticsearch.transport.TransportSettings;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;
import java.net.InetAddress;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.function.Function;
import static org.elasticsearch.shield.Security.featureEnabledSetting;
import static org.elasticsearch.shield.Security.setting;
import static org.elasticsearch.shield.support.OptionalSettings.createInt;
import static org.elasticsearch.shield.support.OptionalSettings.createString;
@ -111,11 +96,6 @@ public abstract class SSLConfiguration {
public static final int DEFAULT_SESSION_CACHE_SIZE = 1000;
public static final String DEFAULT_PROTOCOL = "TLSv1.2";
public static final Setting<Boolean> AUTO_GENERATE_SSL_SETTING =
Setting.boolSetting(featureEnabledSetting("ssl.auto_generate"), true, Property.NodeScope, Property.Filtered);
static final Setting<Boolean> AUTO_GEN_RESOLVE_HOST_SETTING =
Setting.boolSetting(setting("ssl.auto_generate.resolve_name"), true, Property.NodeScope, Property.Filtered);
// common settings
static final Setting<List<String>> CIPHERS_SETTING = Setting.listSetting(globalKey(Custom.CIPHERS_SETTING), DEFAULT_CIPHERS,
Function.identity(), Property.NodeScope, Property.Filtered);
@ -184,14 +164,10 @@ public abstract class SSLConfiguration {
settingsModule.registerSetting(Global.SESSION_CACHE_SIZE_SETTING);
settingsModule.registerSetting(Global.SESSION_CACHE_TIMEOUT_SETTING);
settingsModule.registerSetting(Global.CA_PATHS_SETTING);
settingsModule.registerSetting(Global.AUTO_GENERATE_SSL_SETTING);
settingsModule.registerSetting(Global.AUTO_GEN_RESOLVE_HOST_SETTING);
settingsModule.registerSetting(Global.INCLUDE_JDK_CERTS_SETTING);
settingsModule.registerSetting(Global.RELOAD_ENABLED_SETTING);
}
private final ESLogger logger;
private final Settings settings;
private final KeyConfig keyConfig;
private final TrustConfig trustConfig;
private final String sslProtocol;
@ -207,8 +183,6 @@ public abstract class SSLConfiguration {
*/
@Inject
public Global(Settings settings) {
this.settings = settings;
this.logger = Loggers.getLogger(getClass(), settings);
this.keyConfig = createGlobalKeyConfig(settings);
this.trustConfig = createGlobalTrustConfig(settings, keyConfig);
this.sslProtocol = PROTOCOL_SETTING.get(settings);
@ -266,79 +240,11 @@ public abstract class SSLConfiguration {
"]}";
}
public void onTransportStart(BoundTransportAddress boundAddress, Map<String, BoundTransportAddress> profileBoundAddresses) {
if (shouldAutoGenerateKeyAndCertificate(settings) == false) {
return;
}
Set<InetAddress> uniqueAddresses = new HashSet<>();
if (boundAddress != null) {
// this could be null if we came from a transport client
addInetAddresses(uniqueAddresses, boundAddress.boundAddresses());
addInetAddresses(uniqueAddresses, boundAddress.publishAddress());
}
for (BoundTransportAddress profileAddress : profileBoundAddresses.values()) {
addInetAddresses(uniqueAddresses, profileAddress.boundAddresses());
addInetAddresses(uniqueAddresses, profileAddress.publishAddress());
}
try {
((AutoGeneratedKeyConfig) keyConfig).generateCertIfNecessary(AUTO_GEN_RESOLVE_HOST_SETTING.get(settings),
Node.NODE_NAME_SETTING.get(settings), uniqueAddresses, logger);
} catch (Exception e) {
throw new ElasticsearchException("failed to initialize auto generated certificate and key");
}
}
private static String globalKey(Setting setting) {
return setting("ssl." + setting.getKey());
}
static void addInetAddresses(Set<InetAddress> addresses, TransportAddress... transportAddresses) {
for (TransportAddress transportAddress : transportAddresses) {
addresses.add(((InetSocketTransportAddress)transportAddress).address().getAddress());
}
}
static boolean shouldAutoGenerateKeyAndCertificate(Settings settings) {
if (AUTO_GENERATE_SSL_SETTING.get(settings) == false) {
return false;
}
// did they configure some SSL settings other than auto generate
Settings.Builder builder = Settings.builder().put(settings);
builder.remove(AUTO_GEN_RESOLVE_HOST_SETTING.getKey());
builder.remove(AUTO_GENERATE_SSL_SETTING.getKey());
builder.remove(INCLUDE_JDK_CERTS_SETTING.getKey());
Settings nonAutoGen = builder.build();
if (nonAutoGen.getByPrefix(setting("ssl.")).isEmpty() == false) {
return false;
}
// SSL needs to be enabled somewhere
final boolean transportEnabled = ShieldNettyTransport.SSL_SETTING.get(settings);
final boolean httpEnabled = ShieldNettyHttpServerTransport.SSL_SETTING.get(settings);
if (transportEnabled || httpEnabled) {
return true;
}
// check the profiles... maybe disabled SSL on default transport and enabled on a profile
Map<String, Settings> profiles = TransportSettings.TRANSPORT_PROFILES_SETTING.get(settings).getAsGroups(true);
for (Settings profileSettings : profiles.values()) {
if (ShieldNettyTransport.profileSsl(profileSettings, settings)) {
return true;
}
}
return false;
}
static KeyConfig createGlobalKeyConfig(Settings settings) {
if (shouldAutoGenerateKeyAndCertificate(settings)) {
return new AutoGeneratedKeyConfig(INCLUDE_JDK_CERTS_SETTING.get(settings));
}
String keyStorePath = KEYSTORE_PATH_SETTING.get(settings).orElse(null);
String keyPath = KEY_PATH_SETTING.get(settings).orElse(null);
if (keyPath != null && keyStorePath != null) {
@ -368,11 +274,6 @@ public abstract class SSLConfiguration {
}
static TrustConfig createGlobalTrustConfig(Settings settings, KeyConfig keyInfo) {
if (keyInfo instanceof AutoGeneratedKeyConfig) {
assert shouldAutoGenerateKeyAndCertificate(settings);
return keyInfo;
}
String trustStorePath = TRUSTSTORE_PATH_SETTING.get(settings).orElse(null);
List<String> caPaths = getListOrNull(CA_PATHS_SETTING, settings);
boolean includeSystem = INCLUDE_JDK_CERTS_SETTING.get(settings);
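Review bot: The hunk that drops `settingsModule.registerSetting(Global.AUTO_GENERATE_SSL_SETTING)` and the `AUTO_GEN_RESOLVE_HOST_SETTING` registration removes the `ssl.auto_generate` and `ssl.auto_generate.resolve_name` keys outright; if this settings infrastructure rejects unregistered keys at node start, as the `Property.NodeScope` registration model suggests, any existing config that set `xpack.security.ssl.auto_generate: false` (exactly what this commit's own tests used to do) will now fail to boot with an unknown-setting error instead of a message saying the feature was removed. Consider keeping the two keys registered as deprecated no-ops for one release, e.g. `Setting.boolSetting(featureEnabledSetting("ssl.auto_generate"), true, Property.NodeScope, Property.Filtered, Property.Deprecated)`, or call the removal out in the migration notes. Separately, `createGlobalKeyConfig` now goes straight to the keystore/key-path lookup; its tail is outside the hunk, so I cannot confirm that a node with transport SSL explicitly enabled but neither path set fails fast rather than starting with an empty key manager — worth a unit test now that the auto-generated fallback is gone.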


@ -58,6 +58,9 @@ class StoreTrustConfig extends TrustConfig {
@Override
List<Path> filesToMonitor(@Nullable Environment environment) {
if (trustStorePath == null) {
return Collections.emptyList();
}
return Collections.singletonList(CertUtils.resolvePath(trustStorePath, environment));
}


@ -52,21 +52,16 @@ public class ShieldNettyHttpServerTransport extends NettyHttpServerTransport {
private final ServerSSLService sslService;
private final boolean ssl;
private final Settings sslSettings;
private final Global globalSSLConfiguration;
@Inject
public ShieldNettyHttpServerTransport(Settings settings, NetworkService networkService, BigArrays bigArrays, IPFilter ipFilter,
ServerSSLService sslService, ThreadPool threadPool, Global sslConfig) {
ServerSSLService sslService, ThreadPool threadPool) {
super(settings, networkService, bigArrays, threadPool);
this.ipFilter = ipFilter;
this.ssl = SSL_SETTING.get(settings);
this.sslService = sslService;
this.globalSSLConfiguration = sslConfig;
if (ssl) {
Settings.Builder builder = Settings.builder().put(settings.getByPrefix(setting("http.ssl.")));
builder.remove("client.auth");
builder.remove("enabled");
sslSettings = builder.build();
sslSettings = settings.getByPrefix(setting("http.ssl."));
} else {
sslSettings = Settings.EMPTY;
}
@ -101,7 +96,6 @@ public class ShieldNettyHttpServerTransport extends NettyHttpServerTransport {
@Override
protected void doStart() {
super.doStart();
globalSSLConfiguration.onTransportStart(this.boundAddress(), Collections.emptyMap());
ipFilter.setBoundHttpTransportAddress(this.boundAddress());
}


@ -18,7 +18,6 @@ import org.elasticsearch.common.settings.SettingsModule;
import org.elasticsearch.common.util.BigArrays;
import org.elasticsearch.indices.breaker.CircuitBreakerService;
import org.elasticsearch.shield.ssl.ClientSSLService;
import org.elasticsearch.shield.ssl.SSLConfiguration.Global;
import org.elasticsearch.shield.ssl.ServerSSLService;
import org.elasticsearch.shield.transport.SSLClientAuth;
import org.elasticsearch.shield.transport.filter.IPFilter;
@ -48,7 +47,7 @@ import static org.elasticsearch.shield.transport.SSLExceptionHelper.isNotSslReco
public class ShieldNettyTransport extends NettyTransport {
public static final String CLIENT_AUTH_DEFAULT = SSLClientAuth.REQUIRED.name();
public static final boolean SSL_DEFAULT = true;
public static final boolean SSL_DEFAULT = false;
public static final Setting<Boolean> DEPRECATED_HOSTNAME_VERIFICATION_SETTING =
Setting.boolSetting(setting("ssl.hostname_verification"), true, Property.NodeScope, Property.Filtered, Property.Deprecated);
@ -79,7 +78,6 @@ public class ShieldNettyTransport extends NettyTransport {
private final ServerSSLService serverSslService;
private final ClientSSLService clientSSLService;
private final Global globalSSLConfiguration;
private final @Nullable IPFilter authenticator;
private final boolean ssl;
@ -87,21 +85,19 @@ public class ShieldNettyTransport extends NettyTransport {
public ShieldNettyTransport(Settings settings, ThreadPool threadPool, NetworkService networkService, BigArrays bigArrays,
Version version, @Nullable IPFilter authenticator, @Nullable ServerSSLService serverSSLService,
ClientSSLService clientSSLService, NamedWriteableRegistry namedWriteableRegistry,
CircuitBreakerService circuitBreakerService, Global globalSSLConfiguration) {
CircuitBreakerService circuitBreakerService) {
super(settings, threadPool, networkService, bigArrays, version, namedWriteableRegistry, circuitBreakerService);
this.authenticator = authenticator;
this.ssl = SSL_SETTING.get(settings);
this.serverSslService = serverSSLService;
this.clientSSLService = clientSSLService;
this.globalSSLConfiguration = globalSSLConfiguration;
}
@Override
protected void doStart() {
super.doStart();
globalSSLConfiguration.onTransportStart(boundAddress, profileBoundAddresses);
if (authenticator != null) {
authenticator.setBoundTransportAddress(this.boundAddress(), profileBoundAddresses());
authenticator.setBoundTransportAddress(boundAddress(), profileBoundAddresses());
}
}
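Review bot: Flipping `SSL_DEFAULT` to `false` means a node whose configuration says nothing about transport SSL now sends node-to-node traffic, presumably including the authentication headers Shield attaches to internal requests, in cleartext, and the only signal is the absence of a setting. Since the constructor already computes `this.ssl = SSL_SETTING.get(settings);`, log the downgrade once at startup, e.g. `if (ssl == false) { logger.warn("transport SSL is disabled; inter-node traffic is not encrypted"); }`, assuming the logger inherited from NettyTransport is in scope, so a cluster upgraded across this change does not lose encryption silently. A mixed cluster in which some nodes set `ssl: true` explicitly and others rely on the new default will also be unable to talk to each other; that deserves a line in the migration notes alongside the default change.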


@ -1,22 +0,0 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -1,30 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,BF10B2B7AF64C239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-----END RSA PRIVATE KEY-----


@ -92,11 +92,6 @@ abstract public class AbstractAdLdapRealmTestCase extends ShieldIntegTestCase {
return sslEnabled;
}
@Override
protected boolean autoSSLEnabled() {
return sslEnabled && (useGlobalSSL == false);
}
protected String configRoleMappings() {
return realmConfig.configRoleMappings();
}


@ -131,7 +131,7 @@ public class IndexAuditTrailTests extends ShieldIntegTestCase {
final boolean useSSL = useShield && randomBoolean();
logger.info("--> remote indexing enabled. shield enabled: [{}], SSL enabled: [{}], nodes: [{}]", useShield, useSSL, numNodes);
ShieldSettingsSource cluster2SettingsSource =
new ShieldSettingsSource(numNodes, useSSL, randomBoolean(), systemKey(), createTempDir(), Scope.SUITE) {
new ShieldSettingsSource(numNodes, useSSL, systemKey(), createTempDir(), Scope.SUITE) {
@Override
public Settings nodeSettings(int nodeOrdinal) {
Settings.Builder builder = Settings.builder()


@ -42,7 +42,6 @@ public class RemoteIndexAuditTrailStartingTests extends ShieldIntegTestCase {
private InternalTestCluster remoteCluster;
private final boolean useSSL = randomBoolean();
private final boolean autoSSL = randomBoolean();
private final boolean localAudit = randomBoolean();
private final String outputs = randomFrom("index", "logfile", "index,logfile");
@ -51,11 +50,6 @@ public class RemoteIndexAuditTrailStartingTests extends ShieldIntegTestCase {
return useSSL;
}
@Override
public boolean autoSSLEnabled() {
return autoSSL;
}
@Override
public Settings nodeSettings(int nodeOrdinal) {
return Settings.builder()
@ -93,8 +87,7 @@ public class RemoteIndexAuditTrailStartingTests extends ShieldIntegTestCase {
// Setup a second test cluster with randomization for number of nodes, shield enabled, and SSL
final int numNodes = randomIntBetween(2, 3);
ShieldSettingsSource cluster2SettingsSource = new ShieldSettingsSource(numNodes, useSSL, autoSSL, systemKey(), createTempDir(),
Scope.TEST) {
ShieldSettingsSource cluster2SettingsSource = new ShieldSettingsSource(numNodes, useSSL, systemKey(), createTempDir(), Scope.TEST) {
@Override
public Settings nodeSettings(int nodeOrdinal) {
Settings.Builder builder = Settings.builder()


@ -25,25 +25,19 @@ public class AbstractActiveDirectoryIntegTests extends ESTestCase {
protected ClientSSLService clientSSLService;
protected Settings globalSettings;
protected boolean useGlobalSSL;
@Before
public void initializeSslSocketFactory() throws Exception {
useGlobalSSL = randomBoolean();
Path keystore = getDataPath("../ldap/support/ldaptrust.jks");
/*
* Prior to each test we reinitialize the socket factory with a new SSLService so that we get a new SSLContext.
* If we re-use a SSLContext, previously connected sessions can get re-established which breaks hostname
* verification tests since a re-established connection does not perform hostname verification.
*/
Settings.Builder builder = Settings.builder().put("path.home", createTempDir());
if (useGlobalSSL) {
builder.put("xpack.security.ssl.keystore.path", keystore)
.put("xpack.security.ssl.keystore.password", "changeit");
} else {
builder.put(Global.AUTO_GENERATE_SSL_SETTING.getKey(), false);
}
globalSettings = builder.build();
globalSettings = Settings.builder().put("path.home", createTempDir())
.put("xpack.security.ssl.keystore.path", keystore)
.put("xpack.security.ssl.keystore.password", "changeit")
.build();
Environment environment = new Environment(globalSettings);
clientSSLService = new ClientSSLService(globalSettings, new Global(globalSettings));
clientSSLService.setEnvironment(environment);
@ -56,11 +50,9 @@ public class AbstractActiveDirectoryIntegTests extends ESTestCase {
.put(ActiveDirectorySessionFactory.AD_DOMAIN_NAME_SETTING, adDomainName)
.put(ActiveDirectorySessionFactory.AD_USER_SEARCH_BASEDN_SETTING, userSearchDN)
.put(ActiveDirectorySessionFactory.AD_USER_SEARCH_SCOPE_SETTING, scope)
.put(ActiveDirectorySessionFactory.HOSTNAME_VERIFICATION_SETTING, hostnameVerification);
if (useGlobalSSL == false) {
builder.put("ssl.truststore.path", getDataPath("../ldap/support/ldaptrust.jks"))
.put(ActiveDirectorySessionFactory.HOSTNAME_VERIFICATION_SETTING, hostnameVerification)
.put("ssl.truststore.path", getDataPath("../ldap/support/ldaptrust.jks"))
.put("ssl.truststore.password", "changeit");
}
return builder.build();
}
}
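Review bot: Dropping the `useGlobalSSL` randomisation in `initializeSslSocketFactory` removes the only configuration these tests had for a realm that supplies its own `ssl.truststore.*` with no global keystore; after this change every run also sets `xpack.security.ssl.keystore.path`, so a regression in which the realm truststore is ignored in favour of the global one would still pass. Now that the `auto_generate` knob that motivated the branch is gone, a variant where `globalSettings` holds only `path.home` is cheap to keep (`ClientSSLServiceTests` already shows `createClientSSLService(Settings.EMPTY)` works), either as a second `@Before`-built settings object or a parameterised subclass. The method containing the second hunk starts outside it.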


@ -208,14 +208,11 @@ public class ActiveDirectorySessionFactoryTests extends AbstractActiveDirectoryI
public void testStandardLdapConnection() throws Exception {
String groupSearchBase = "DC=ad,DC=test,DC=elasticsearch,DC=com";
String userTemplate = "CN={0},CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com";
Settings settings = LdapTestCase.buildLdapSettings(AD_LDAP_URL, userTemplate, groupSearchBase, LdapSearchScope.SUB_TREE);
if (useGlobalSSL == false) {
settings = Settings.builder()
.put(settings)
Settings settings = Settings.builder()
.put(LdapTestCase.buildLdapSettings(AD_LDAP_URL, userTemplate, groupSearchBase, LdapSearchScope.SUB_TREE))
.put("ssl.truststore.path", getDataPath("../ldap/support/ldaptrust.jks"))
.put("ssl.truststore.password", "changeit")
.build();
}
RealmConfig config = new RealmConfig("ad-as-ldap-test", settings, globalSettings);
LdapSessionFactory sessionFactory = new LdapSessionFactory(config, clientSSLService).init();
@ -234,14 +231,11 @@ public class ActiveDirectorySessionFactoryTests extends AbstractActiveDirectoryI
@SuppressWarnings("unchecked")
public void testStandardLdapWithAttributeGroups() throws Exception {
String userTemplate = "CN={0},CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com";
Settings settings = LdapTestCase.buildLdapSettings(new String[] { AD_LDAP_URL }, userTemplate, false);
if (useGlobalSSL == false) {
settings = Settings.builder()
.put(settings)
Settings settings = Settings.builder()
.put(LdapTestCase.buildLdapSettings(new String[] { AD_LDAP_URL }, userTemplate, false))
.put("ssl.truststore.path", getDataPath("../ldap/support/ldaptrust.jks"))
.put("ssl.truststore.password", "changeit")
.build();
}
RealmConfig config = new RealmConfig("ad-as-ldap-test", settings, globalSettings);
LdapSessionFactory sessionFactory = new LdapSessionFactory(config, clientSSLService).init();
@ -291,11 +285,9 @@ public class ActiveDirectorySessionFactoryTests extends AbstractActiveDirectoryI
Settings.Builder builder = Settings.builder()
.put(ActiveDirectorySessionFactory.URLS_SETTING, ldapUrl)
.put(ActiveDirectorySessionFactory.AD_DOMAIN_NAME_SETTING, adDomainName)
.put(ActiveDirectorySessionFactory.HOSTNAME_VERIFICATION_SETTING, hostnameVerification);
if (useGlobalSSL == false) {
builder.put("ssl.truststore.path", getDataPath("../ldap/support/ldaptrust.jks"))
.put(ActiveDirectorySessionFactory.HOSTNAME_VERIFICATION_SETTING, hostnameVerification)
.put("ssl.truststore.path", getDataPath("../ldap/support/ldaptrust.jks"))
.put("ssl.truststore.password", "changeit");
}
return builder.build();
}
}


@ -33,14 +33,10 @@ public abstract class GroupsResolverTestCase extends ESTestCase {
public void setUpLdapConnection() throws Exception {
Path keystore = getDataPath("../ldap/support/ldaptrust.jks");
boolean useGlobalSSL = randomBoolean();
Settings.Builder builder = Settings.builder().put("path.home", createTempDir());
if (useGlobalSSL) {
builder.put("xpack.security.ssl.keystore.path", keystore)
.put("xpack.security.ssl.keystore.password", "changeit");
} else {
builder.put(Global.AUTO_GENERATE_SSL_SETTING.getKey(), false);
}
Settings settings = builder.build();
Settings settings = Settings.builder().put("path.home", createTempDir())
.put("xpack.security.ssl.keystore.path", keystore)
.put("xpack.security.ssl.keystore.password", "changeit")
.build();
Environment env = new Environment(settings);
ClientSSLService clientSSLService = new ClientSSLService(settings, new Global(settings));
clientSSLService.setEnvironment(env);


@ -38,27 +38,21 @@ public class OpenLdapTests extends ESTestCase {
public static final String OPEN_LDAP_URL = "ldaps://54.200.235.244:636";
public static final String PASSWORD = "NickFuryHeartsES";
private boolean useGlobalSSL;
private ClientSSLService clientSSLService;
private Settings globalSettings;
@Before
public void initializeSslSocketFactory() throws Exception {
useGlobalSSL = randomBoolean();
Path keystore = getDataPath("../ldap/support/ldaptrust.jks");
/*
* Prior to each test we reinitialize the socket factory with a new SSLService so that we get a new SSLContext.
* If we re-use a SSLContext, previously connected sessions can get re-established which breaks hostname
* verification tests since a re-established connection does not perform hostname verification.
*/
Settings.Builder builder = Settings.builder().put("path.home", createTempDir());
if (useGlobalSSL) {
builder.put("xpack.security.ssl.keystore.path", keystore)
.put("xpack.security.ssl.keystore.password", "changeit");
} else {
builder.put(Global.AUTO_GENERATE_SSL_SETTING.getKey(), false);
}
globalSettings = builder.build();
globalSettings = Settings.builder().put("path.home", createTempDir())
.put("xpack.security.ssl.keystore.path", keystore)
.put("xpack.security.ssl.keystore.password", "changeit")
.build();
Environment environment = new Environment(globalSettings);
clientSSLService = new ClientSSLService(globalSettings, new Global(globalSettings));
clientSSLService.setEnvironment(environment);
@ -186,9 +180,6 @@ public class OpenLdapTests extends ESTestCase {
Settings buildLdapSettings(String ldapUrl, String userTemplate, String groupSearchBase, LdapSearchScope scope) {
Settings baseSettings = LdapTestCase.buildLdapSettings(ldapUrl, userTemplate, groupSearchBase, scope);
if (useGlobalSSL) {
return baseSettings;
}
return Settings.builder()
.put(baseSettings)
.put("ssl.truststore.path", getDataPath("../ldap/support/ldaptrust.jks"))


@ -74,11 +74,6 @@ public class PkiAuthenticationTests extends ShieldIntegTestCase {
return true;
}
@Override
protected boolean autoSSLEnabled() {
return false;
}
public void testTransportClientCanAuthenticateViaPki() {
Settings settings = getSSLSettingsForStore("/org/elasticsearch/shield/transport/ssl/certs/simple/testnode.jks", "testnode");
try (TransportClient client = createTransportClient(settings)) {


@ -77,11 +77,6 @@ public class PkiOptionalClientAuthTests extends ShieldIntegTestCase {
return true;
}
@Override
protected boolean autoSSLEnabled() {
return false;
}
public void testRestClientWithoutClientCertificate() throws Exception {
HttpServerTransport httpServerTransport = internalCluster().getDataNodeInstance(HttpServerTransport.class);


@ -57,11 +57,6 @@ public class PkiWithoutClientAuthenticationTests extends ShieldIntegTestCase {
return true;
}
@Override
protected boolean autoSSLEnabled() {
return false;
}
@Override
public Settings nodeSettings(int nodeOrdinal) {
return Settings.builder()


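--- a/org/elasticsearch/shield/ssl/AutoSSLIntegTests.java
+++ /dev/null
@@ -1,60 +0,0 @@
-/*
-* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-* or more contributor license agreements. Licensed under the Elastic License;
-* you may not use this file except in compliance with the Elastic License.
-*/
-package org.elasticsearch.shield.ssl;
-import org.elasticsearch.client.transport.NoNodeAvailableException;
-import org.elasticsearch.client.transport.TransportClient;
-import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.common.transport.TransportAddress;
-import org.elasticsearch.shield.Security;
-import org.elasticsearch.shield.transport.netty.ShieldNettyTransport;
-import org.elasticsearch.test.ShieldIntegTestCase;
-import org.elasticsearch.transport.Transport;
-import org.elasticsearch.xpack.XPackPlugin;
-import static org.elasticsearch.test.ShieldSettingsSource.DEFAULT_PASSWORD;
-import static org.elasticsearch.test.ShieldSettingsSource.DEFAULT_USER_NAME;
-import static org.hamcrest.Matchers.containsString;
-public class AutoSSLIntegTests extends ShieldIntegTestCase {
-@Override
-public boolean sslTransportEnabled() {
-return true;
-}
-@Override
-public boolean autoSSLEnabled() {
-return true;
-}
-public void testTransportClient() {
-String clusterName = internalCluster().getClusterName();
-TransportAddress transportAddress = randomFrom(internalCluster().getInstance(Transport.class).boundAddress().boundAddresses());
-try (TransportClient transportClient = TransportClient.builder().addPlugin(XPackPlugin.class)
-.settings(Settings.builder()
-.put("cluster.name", clusterName)
-.put(Security.USER_SETTING.getKey(), DEFAULT_USER_NAME + ":" + DEFAULT_PASSWORD))
-.build()) {
-transportClient.addTransportAddress(transportAddress);
-assertGreenClusterState(transportClient);
-}
-// now try with SSL disabled and it should fail
-try (TransportClient transportClient = TransportClient.builder().addPlugin(XPackPlugin.class)
-.settings(Settings.builder()
-.put("cluster.name", clusterName)
-.put(ShieldNettyTransport.SSL_SETTING.getKey(), false)
-.put(Security.USER_SETTING.getKey(), DEFAULT_USER_NAME + ":" + DEFAULT_PASSWORD))
-.build()) {
-transportClient.addTransportAddress(transportAddress);
-assertGreenClusterState(transportClient);
-fail("should not have been able to connect");
-} catch (NoNodeAvailableException e) {
-assertThat(e.getMessage(), containsString("None of the configured nodes are available"));
-}
-}
-}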


@ -152,9 +152,7 @@ public class ClientSSLServiceTests extends ESTestCase {
}
public void testThatCreateClientSSLEngineWithoutAnySettingsWorks() throws Exception {
ClientSSLService sslService = createClientSSLService(Settings.builder()
.put(Global.AUTO_GENERATE_SSL_SETTING.getKey(), false)
.build());
ClientSSLService sslService = createClientSSLService(Settings.EMPTY);
SSLEngine sslEngine = sslService.createSSLEngine();
assertThat(sslEngine, notNullValue());
}
@ -179,8 +177,7 @@ public class ClientSSLServiceTests extends ESTestCase {
@Network
public void testThatSSLContextWithoutSettingsWorks() throws Exception {
ClientSSLService sslService = createClientSSLService(Settings.builder()
.put(Global.AUTO_GENERATE_SSL_SETTING.getKey(), false).build());
ClientSSLService sslService = createClientSSLService(Settings.EMPTY);
SSLContext sslContext = sslService.sslContext();
try (CloseableHttpClient client = HttpClients.custom().setSslcontext(sslContext).build()) {
// Execute a GET on a site known to have a valid certificate signed by a trusted public CA
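Review bot: testThatCreateClientSSLEngineWithoutAnySettingsWorks keeps only a `notNullValue()` check after the switch to `Settings.EMPTY` on line 787, so it no longer says why an unconfigured client engine is expected to succeed now that no certificate is generated at startup. A one-line comment above that construction would make the intent explicit, e.g. `// no key material is configured any more; the client engine must come from the default trust configuration alone`. If the default trust configuration is indeed store-backed (as the SSLConfigurationTests defaults in this commit suggest), an additional assertion on the engine's client mode, `assertThat(sslEngine.getUseClientMode(), is(true));`, would pin the client-side contract, but confirm first that the service sets client mode before adding it. The second hunk's test body continues outside the hunk.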


@ -53,14 +53,11 @@ import static org.hamcrest.Matchers.sameInstance;
public class SSLConfigurationTests extends ESTestCase {
private static final Settings NO_AUTO_GEN = Settings.builder()
.put(Global.AUTO_GENERATE_SSL_SETTING.getKey(), false)
.build();
public void testThatSSLConfigurationHasCorrectDefaults() {
SSLConfiguration globalConfig = new Global(Settings.EMPTY);
assertThat(globalConfig.keyConfig(), instanceOf(AutoGeneratedKeyConfig.class));
assertThat(globalConfig.trustConfig(), sameInstance(globalConfig.keyConfig()));
assertThat(globalConfig.keyConfig(), sameInstance(KeyConfig.NONE));
assertThat(globalConfig.trustConfig(), is(not((globalConfig.keyConfig()))));
assertThat(globalConfig.trustConfig(), instanceOf(StoreTrustConfig.class));
assertThat(globalConfig.sessionCacheSize(), is(equalTo(Global.DEFAULT_SESSION_CACHE_SIZE)));
assertThat(globalConfig.sessionCacheTimeout(), is(equalTo(Global.DEFAULT_SESSION_CACHE_TIMEOUT)));
assertThat(globalConfig.protocol(), is(equalTo(Global.DEFAULT_PROTOCOL)));
@ -74,7 +71,7 @@ public class SSLConfigurationTests extends ESTestCase {
}
public void testThatSSLConfigurationWithoutAutoGenHasCorrectDefaults() {
SSLConfiguration globalSettings = new Global(NO_AUTO_GEN);
SSLConfiguration globalSettings = new Global(Settings.EMPTY);
SSLConfiguration scopedSettings = new Custom(Settings.EMPTY, globalSettings);
for (SSLConfiguration sslConfiguration : Arrays.asList(globalSettings, scopedSettings)) {
assertThat(sslConfiguration.keyConfig(), sameInstance(KeyConfig.NONE));
@ -101,7 +98,7 @@ public class SSLConfigurationTests extends ESTestCase {
SSLConfiguration globalSettings = new Global(settings);
SSLConfiguration scopedSettings = new Custom(profileSettings, globalSettings);
SSLConfiguration scopedEmptyGlobalSettings =
new Custom(profileSettings, new Global(NO_AUTO_GEN));
new Custom(profileSettings, new Global(Settings.EMPTY));
for (SSLConfiguration sslConfiguration : Arrays.asList(globalSettings, scopedSettings, scopedEmptyGlobalSettings)) {
assertThat(sslConfiguration.keyConfig(), instanceOf(StoreKeyConfig.class));
StoreKeyConfig ksKeyInfo = (StoreKeyConfig) sslConfiguration.keyConfig();
@ -129,7 +126,7 @@ public class SSLConfigurationTests extends ESTestCase {
// Pass settings in as profile settings
Settings profileSettings = settings.getByPrefix("xpack.security.ssl.");
SSLConfiguration sslConfiguration1 = new Custom(profileSettings,
randomBoolean() ? sslConfiguration : new Global(NO_AUTO_GEN));
randomBoolean() ? sslConfiguration : new Global(Settings.EMPTY));
assertThat(sslConfiguration1.keyConfig(), instanceOf(StoreKeyConfig.class));
ksKeyInfo = (StoreKeyConfig) sslConfiguration1.keyConfig();
assertThat(ksKeyInfo.keyStorePassword, is(equalTo("password")));
@ -183,8 +180,8 @@ public class SSLConfigurationTests extends ESTestCase {
}
public void testThatEmptySettingsAreEqual() {
SSLConfiguration sslConfiguration = new Global(NO_AUTO_GEN);
SSLConfiguration sslConfiguration1 = new Global(NO_AUTO_GEN);
SSLConfiguration sslConfiguration = new Global(Settings.EMPTY);
SSLConfiguration sslConfiguration1 = new Global(Settings.EMPTY);
assertThat(sslConfiguration.equals(sslConfiguration1), is(equalTo(true)));
assertThat(sslConfiguration1.equals(sslConfiguration), is(equalTo(true)));
assertThat(sslConfiguration.equals(sslConfiguration), is(equalTo(true)));
@ -230,8 +227,8 @@ public class SSLConfigurationTests extends ESTestCase {
}
public void testThatEmptySettingsHaveSameHashCode() {
SSLConfiguration sslConfiguration = new Global(NO_AUTO_GEN);
SSLConfiguration sslConfiguration1 = new Global(NO_AUTO_GEN);
SSLConfiguration sslConfiguration = new Global(Settings.EMPTY);
SSLConfiguration sslConfiguration1 = new Global(Settings.EMPTY);
assertThat(sslConfiguration.hashCode(), is(equalTo(sslConfiguration1.hashCode())));
SSLConfiguration profileSettings = new Custom(Settings.EMPTY, sslConfiguration);
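Review bot: testThatSSLConfigurationWithoutAutoGenHasCorrectDefaults (line 820) now builds its global configuration with `new Global(Settings.EMPTY)`, exactly as testThatSSLConfigurationHasCorrectDefaults does a few lines above, so its name refers to a mode that no longer exists and the two tests partly overlap. Renaming it to state what it still uniquely checks, that a `Custom` scoped configuration inherits the global defaults, e.g. `public void testThatScopedConfigurationInheritsGlobalDefaults() {`, keeps the suite readable once the auto-generation code is gone. The new assertion on line 813 also carries a redundant pair of parentheses: `assertThat(globalConfig.trustConfig(), is(not(globalConfig.keyConfig())));`. The bodies of the later test methods in this section continue outside their hunks.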


@ -90,11 +90,6 @@ public class SSLReloadIntegTests extends ShieldIntegTestCase {
return true;
}
@Override
protected boolean autoSSLEnabled() {
return false;
}
public void testThatSSLConfigurationReloadsOnModification() throws Exception {
KeyPair keyPair = CertUtils.generateKeyPair();
X509Certificate certificate = getCertificate(keyPair);


@ -152,8 +152,7 @@ public class ServerSSLServiceTests extends ESTestCase {
}
public void testThatCreateSSLEngineWithoutAnySettingsDoesNotWork() throws Exception {
ServerSSLService sslService = new ServerSSLService(Settings.EMPTY, env, new Global(Settings.builder()
.put(Global.AUTO_GENERATE_SSL_SETTING.getKey(), false).build()), null);
ServerSSLService sslService = new ServerSSLService(Settings.EMPTY, env, new Global(Settings.EMPTY), null);
try {
sslService.createSSLEngine();
fail("Expected IllegalArgumentException");
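Review bot: The rewritten construction on line 884 is the only place that pins the new server-side default, refusing to build an engine when no key material is configured instead of generating a certificate, yet nothing in the test says so. A comment above line 884 such as `// an unconfigured Global carries no key material; the server side must refuse to create an engine rather than fall back to a generated certificate` would document that intent for the next reader. The `try`/`fail` block and its `catch` continue outside the hunk.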


@ -51,11 +51,6 @@ public class ServerTransportFilterIntegrationTests extends ShieldIntegTestCase {
return true;
}
@Override
protected boolean autoSSLEnabled() {
return false;
}
@Override
protected Settings nodeSettings(int nodeOrdinal) {
Settings.Builder settingsBuilder = Settings.builder();


@ -24,11 +24,6 @@ public class IPHostnameVerificationTests extends ShieldIntegTestCase {
return true;
}
@Override
protected boolean autoSSLEnabled() {
return false;
}
@Override
protected Settings nodeSettings(int nodeOrdinal) {
Settings settings = super.nodeSettings(nodeOrdinal);


@ -49,7 +49,7 @@ public class ShieldNettyHttpServerTransportTests extends ESTestCase {
public void testDefaultClientAuth() throws Exception {
Settings settings = Settings.builder().put(ShieldNettyHttpServerTransport.SSL_SETTING.getKey(), true).build();
ShieldNettyHttpServerTransport transport = new ShieldNettyHttpServerTransport(settings, mock(NetworkService.class),
mock(BigArrays.class), mock(IPFilter.class), serverSSLService, mock(ThreadPool.class), mock(Global.class));
mock(BigArrays.class), mock(IPFilter.class), serverSSLService, mock(ThreadPool.class));
NettyHttpMockUtil.setOpenChannelsHandlerToMock(transport);
ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory();
assertThat(factory.getPipeline().get(SslHandler.class).getEngine().getNeedClientAuth(), is(false));
@ -62,7 +62,7 @@ public class ShieldNettyHttpServerTransportTests extends ESTestCase {
.put(ShieldNettyHttpServerTransport.SSL_SETTING.getKey(), true)
.put(ShieldNettyHttpServerTransport.CLIENT_AUTH_SETTING.getKey(), value).build();
ShieldNettyHttpServerTransport transport = new ShieldNettyHttpServerTransport(settings, mock(NetworkService.class),
mock(BigArrays.class), mock(IPFilter.class), serverSSLService, mock(ThreadPool.class), mock(Global.class));
mock(BigArrays.class), mock(IPFilter.class), serverSSLService, mock(ThreadPool.class));
NettyHttpMockUtil.setOpenChannelsHandlerToMock(transport);
ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory();
assertThat(factory.getPipeline().get(SslHandler.class).getEngine().getNeedClientAuth(), is(false));
@ -75,7 +75,7 @@ public class ShieldNettyHttpServerTransportTests extends ESTestCase {
.put(ShieldNettyHttpServerTransport.SSL_SETTING.getKey(), true)
.put(ShieldNettyHttpServerTransport.CLIENT_AUTH_SETTING.getKey(), value).build();
ShieldNettyHttpServerTransport transport = new ShieldNettyHttpServerTransport(settings, mock(NetworkService.class),
mock(BigArrays.class), mock(IPFilter.class), serverSSLService, mock(ThreadPool.class), mock(Global.class));
mock(BigArrays.class), mock(IPFilter.class), serverSSLService, mock(ThreadPool.class));
NettyHttpMockUtil.setOpenChannelsHandlerToMock(transport);
ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory();
assertThat(factory.getPipeline().get(SslHandler.class).getEngine().getNeedClientAuth(), is(true));
@ -88,7 +88,7 @@ public class ShieldNettyHttpServerTransportTests extends ESTestCase {
.put(ShieldNettyHttpServerTransport.SSL_SETTING.getKey(), true)
.put(ShieldNettyHttpServerTransport.CLIENT_AUTH_SETTING.getKey(), value).build();
ShieldNettyHttpServerTransport transport = new ShieldNettyHttpServerTransport(settings, mock(NetworkService.class),
mock(BigArrays.class), mock(IPFilter.class), serverSSLService, mock(ThreadPool.class), mock(Global.class));
mock(BigArrays.class), mock(IPFilter.class), serverSSLService, mock(ThreadPool.class));
NettyHttpMockUtil.setOpenChannelsHandlerToMock(transport);
ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory();
assertThat(factory.getPipeline().get(SslHandler.class).getEngine().getNeedClientAuth(), is(false));
@ -99,7 +99,7 @@ public class ShieldNettyHttpServerTransportTests extends ESTestCase {
Settings settings = Settings.builder()
.put(ShieldNettyHttpServerTransport.SSL_SETTING.getKey(), true).build();
ShieldNettyHttpServerTransport transport = new ShieldNettyHttpServerTransport(settings, mock(NetworkService.class),
mock(BigArrays.class), mock(IPFilter.class), serverSSLService, mock(ThreadPool.class), mock(Global.class));
mock(BigArrays.class), mock(IPFilter.class), serverSSLService, mock(ThreadPool.class));
NettyHttpMockUtil.setOpenChannelsHandlerToMock(transport);
ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory();
SSLEngine defaultEngine = factory.getPipeline().get(SslHandler.class).getEngine();
@ -109,7 +109,7 @@ public class ShieldNettyHttpServerTransportTests extends ESTestCase {
.put("xpack.security.http.ssl.supported_protocols", "TLSv1.2")
.build();
transport = new ShieldNettyHttpServerTransport(settings, mock(NetworkService.class),
mock(BigArrays.class), mock(IPFilter.class), serverSSLService, mock(ThreadPool.class), mock(Global.class));
mock(BigArrays.class), mock(IPFilter.class), serverSSLService, mock(ThreadPool.class));
NettyHttpMockUtil.setOpenChannelsHandlerToMock(transport);
factory = transport.configureServerChannelPipelineFactory();
SSLEngine customEngine = factory.getPipeline().get(SslHandler.class).getEngine();
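Review bot: All six `new ShieldNettyHttpServerTransport(...)` calls in this section (lines 920-921, 929-930, 938-939, 947-948, 956-957 and 965-966) repeat the same mock-heavy argument list, so dropping the `Global` parameter had to be done six times and the next constructor change will again touch every test. A private factory in the test class, `private ShieldNettyHttpServerTransport newTransport(Settings settings) { return new ShieldNettyHttpServerTransport(settings, mock(NetworkService.class), mock(BigArrays.class), mock(IPFilter.class), serverSSLService, mock(ThreadPool.class)); }`, would reduce each site to `ShieldNettyHttpServerTransport transport = newTransport(settings);`. The same applies to the ten `new ShieldNettyTransport(...)` calls in the ShieldNettyTransportTests section that follows. The test method bodies continue outside their hunks.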


@ -53,7 +53,7 @@ public class ShieldNettyTransportTests extends ESTestCase {
Settings settings = Settings.builder().put(ShieldNettyTransport.SSL_SETTING.getKey(), true).build();
ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class), mock(NetworkService.class),
mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService, mock(NamedWriteableRegistry.class),
mock(CircuitBreakerService.class), mock(Global.class));
mock(CircuitBreakerService.class));
NettyMockUtil.setOpenChannelsHandlerToMock(transport);
ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory("client",
Settings.builder().put("xpack.security.ssl", false).build());
@ -64,7 +64,7 @@ public class ShieldNettyTransportTests extends ESTestCase {
Settings settings = Settings.builder().put(ShieldNettyTransport.SSL_SETTING.getKey(), false).build();
ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class), mock(NetworkService.class),
mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService, mock(NamedWriteableRegistry.class),
mock(CircuitBreakerService.class), mock(Global.class));
mock(CircuitBreakerService.class));
NettyMockUtil.setOpenChannelsHandlerToMock(transport);
ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory("client",
Settings.builder().put("xpack.security.ssl", true).build());
@ -75,7 +75,7 @@ public class ShieldNettyTransportTests extends ESTestCase {
Settings settings = Settings.builder().put(ShieldNettyTransport.SSL_SETTING.getKey(), true).build();
ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class), mock(NetworkService.class),
mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService, mock(NamedWriteableRegistry.class),
mock(CircuitBreakerService.class), mock(Global.class));
mock(CircuitBreakerService.class));
NettyMockUtil.setOpenChannelsHandlerToMock(transport);
ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory("client", Settings.EMPTY);
assertThat(factory.getPipeline().get(SslHandler.class).getEngine(), notNullValue());
@ -85,7 +85,7 @@ public class ShieldNettyTransportTests extends ESTestCase {
Settings settings = Settings.builder().put(ShieldNettyTransport.SSL_SETTING.getKey(), true).build();
ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class), mock(NetworkService.class),
mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService, mock(NamedWriteableRegistry.class),
mock(CircuitBreakerService.class), mock(Global.class));
mock(CircuitBreakerService.class));
NettyMockUtil.setOpenChannelsHandlerToMock(transport);
ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory("client", Settings.EMPTY);
assertThat(factory.getPipeline().get(SslHandler.class).getEngine().getNeedClientAuth(), is(true));
@ -99,7 +99,7 @@ public class ShieldNettyTransportTests extends ESTestCase {
.put(ShieldNettyTransport.CLIENT_AUTH_SETTING.getKey(), value).build();
ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class), mock(NetworkService.class),
mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService, mock(NamedWriteableRegistry.class),
mock(CircuitBreakerService.class), mock(Global.class));
mock(CircuitBreakerService.class));
NettyMockUtil.setOpenChannelsHandlerToMock(transport);
ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory("client", Settings.EMPTY);
assertThat(factory.getPipeline().get(SslHandler.class).getEngine().getNeedClientAuth(), is(true));
@ -113,7 +113,7 @@ public class ShieldNettyTransportTests extends ESTestCase {
.put(ShieldNettyTransport.CLIENT_AUTH_SETTING.getKey(), value).build();
ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class), mock(NetworkService.class),
mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService, mock(NamedWriteableRegistry.class),
mock(CircuitBreakerService.class), mock(Global.class));
mock(CircuitBreakerService.class));
NettyMockUtil.setOpenChannelsHandlerToMock(transport);
ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory("client", Settings.EMPTY);
assertThat(factory.getPipeline().get(SslHandler.class).getEngine().getNeedClientAuth(), is(false));
@ -127,7 +127,7 @@ public class ShieldNettyTransportTests extends ESTestCase {
.put(ShieldNettyTransport.CLIENT_AUTH_SETTING.getKey(), value).build();
ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class), mock(NetworkService.class),
mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService, mock(NamedWriteableRegistry.class),
mock(CircuitBreakerService.class), mock(Global.class));
mock(CircuitBreakerService.class));
NettyMockUtil.setOpenChannelsHandlerToMock(transport);
ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory("client", Settings.EMPTY);
assertThat(factory.getPipeline().get(SslHandler.class).getEngine().getNeedClientAuth(), is(false));
@ -139,7 +139,7 @@ public class ShieldNettyTransportTests extends ESTestCase {
Settings settings = Settings.builder().put(ShieldNettyTransport.SSL_SETTING.getKey(), true).build();
ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class), mock(NetworkService.class),
mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService, mock(NamedWriteableRegistry.class),
mock(CircuitBreakerService.class), mock(Global.class));
mock(CircuitBreakerService.class));
NettyMockUtil.setOpenChannelsHandlerToMock(transport);
ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory("client",
Settings.builder().put(ShieldNettyTransport.PROFILE_CLIENT_AUTH_SETTING, value).build());
@ -152,7 +152,7 @@ public class ShieldNettyTransportTests extends ESTestCase {
Settings settings = Settings.builder().put(ShieldNettyTransport.SSL_SETTING.getKey(), true).build();
ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class), mock(NetworkService.class),
mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService, mock(NamedWriteableRegistry.class),
mock(CircuitBreakerService.class), mock(Global.class));
mock(CircuitBreakerService.class));
NettyMockUtil.setOpenChannelsHandlerToMock(transport);
ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory("client",
Settings.builder().put(ShieldNettyTransport.PROFILE_CLIENT_AUTH_SETTING.getKey(), value).build());
@ -165,7 +165,7 @@ public class ShieldNettyTransportTests extends ESTestCase {
Settings settings = Settings.builder().put(ShieldNettyTransport.SSL_SETTING.getKey(), true).build();
ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class),
mock(NetworkService.class), mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService,
mock(NamedWriteableRegistry.class), mock(CircuitBreakerService.class), mock(Global.class));
mock(NamedWriteableRegistry.class), mock(CircuitBreakerService.class));
NettyMockUtil.setOpenChannelsHandlerToMock(transport);
ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory("client",
Settings.builder().put(ShieldNettyTransport.PROFILE_CLIENT_AUTH_SETTING.getKey(), value).build());


@ -32,11 +32,6 @@ public class SslHostnameVerificationTests extends ShieldIntegTestCase {
return true;
}
@Override
protected boolean autoSSLEnabled() {
return false;
}
@Override
protected Settings nodeSettings(int nodeOrdinal) {
Settings settings = super.nodeSettings(nodeOrdinal);


@ -54,11 +54,6 @@ public class SslClientAuthTests extends ShieldIntegTestCase {
return true;
}
@Override
protected boolean autoSSLEnabled() {
return false;
}
public void testThatHttpFailsWithoutSslClientAuth() throws IOException {
SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(
SSLContexts.createDefault(),


@ -56,11 +56,6 @@ public class SslIntegrationTests extends ShieldIntegTestCase {
return true;
}
@Override
protected boolean autoSSLEnabled() {
return false;
}
// no SSL exception as this is the exception is returned when connecting
public void testThatUnconfiguredCiphersAreRejected() {
try (TransportClient transportClient = TransportClient.builder().addPlugin(XPackPlugin.class).settings(Settings.builder()


@ -87,11 +87,6 @@ public class SslMultiPortTests extends ShieldIntegTestCase {
return true;
}
@Override
protected boolean autoSSLEnabled() {
return false;
}
private TransportClient createTransportClient(Settings additionalSettings) {
Settings clientSettings = transportClientSettings();
if (additionalSettings.getByPrefix("xpack.security.ssl.").isEmpty() == false) {


@ -100,8 +100,7 @@ public abstract class ShieldIntegTestCase extends ESIntegTestCase {
@BeforeClass
public static void initDefaultSettings() {
if (SHIELD_DEFAULT_SETTINGS == null) {
SHIELD_DEFAULT_SETTINGS = new ShieldSettingsSource(maxNumberOfNodes(), randomBoolean(), randomBoolean(), createTempDir(),
Scope.SUITE);
SHIELD_DEFAULT_SETTINGS = new ShieldSettingsSource(maxNumberOfNodes(), randomBoolean(), createTempDir(), Scope.SUITE);
}
}
@ -124,13 +123,13 @@ public abstract class ShieldIntegTestCase extends ESIntegTestCase {
switch (currentClusterScope) {
case SUITE:
if (customShieldSettingsSource == null) {
customShieldSettingsSource = new CustomShieldSettingsSource(sslTransportEnabled(), autoSSLEnabled(),
createTempDir(), currentClusterScope);
customShieldSettingsSource =
new CustomShieldSettingsSource(sslTransportEnabled(), createTempDir(), currentClusterScope);
}
break;
case TEST:
customShieldSettingsSource = new CustomShieldSettingsSource(sslTransportEnabled(), autoSSLEnabled(), createTempDir(),
currentClusterScope);
customShieldSettingsSource =
new CustomShieldSettingsSource(sslTransportEnabled(), createTempDir(), currentClusterScope);
break;
}
}
@ -266,18 +265,14 @@ public abstract class ShieldIntegTestCase extends ESIntegTestCase {
return randomBoolean();
}
protected boolean autoSSLEnabled() {
return randomBoolean();
}
protected Class<? extends XPackPlugin> xpackPluginClass() {
return SHIELD_DEFAULT_SETTINGS.xpackPluginClass();
}
private class CustomShieldSettingsSource extends ShieldSettingsSource {
private CustomShieldSettingsSource(boolean sslTransportEnabled, boolean autoSSLEnabled, Path configDir, Scope scope) {
super(maxNumberOfNodes(), sslTransportEnabled, autoSSLEnabled, configDir, scope);
private CustomShieldSettingsSource(boolean sslTransportEnabled, Path configDir, Scope scope) {
super(maxNumberOfNodes(), sslTransportEnabled, configDir, scope);
}
@Override
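Review bot: The `SUITE` and `TEST` branches of the switch (lines 1134-1135 and 1141-1142) now construct `CustomShieldSettingsSource` with an identical argument list, so both call sites could share one small factory and the next constructor change would be made in one place: `private CustomShieldSettingsSource newSettingsSource() { return new CustomShieldSettingsSource(sslTransportEnabled(), createTempDir(), currentClusterScope); }`. In initDefaultSettings (line 1125) the bare `randomBoolean()` argument reads as an anonymous flag; a named local such as `boolean sslTransportEnabled = randomBoolean();` passed in its place would make clear which behaviour the suite still randomizes now that only the transport-SSL switch is left. The method enclosing the switch starts before its hunk.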


@ -12,6 +12,7 @@ import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.marvel.Monitoring;
import org.elasticsearch.plugins.Plugin;
import org.elasticsearch.test.ESIntegTestCase.Scope;
import org.elasticsearch.shield.authc.file.FileRealm;
import org.elasticsearch.shield.authc.esnative.NativeRealm;
import org.elasticsearch.shield.Security;
@ -84,7 +85,6 @@ public class ShieldSettingsSource extends ClusterDiscoveryConfiguration.UnicastZ
private final String subfolderPrefix;
private final byte[] systemKey;
private final boolean sslTransportEnabled;
private final boolean autoSSLEnabled;
private final boolean hostnameVerificationEnabled;
private final boolean hostnameVerificationResolveNameEnabled;
@ -96,9 +96,8 @@ public class ShieldSettingsSource extends ClusterDiscoveryConfiguration.UnicastZ
* @param parentFolder the parent folder that will contain all of the configuration files that need to be created
* @param scope the scope of the test that is requiring an instance of ShieldSettingsSource
*/
public ShieldSettingsSource(int numOfNodes, boolean sslTransportEnabled, boolean autoSSLEnabled, Path parentFolder,
ESIntegTestCase.Scope scope) {
this(numOfNodes, sslTransportEnabled, autoSSLEnabled, generateKey(), parentFolder, scope);
public ShieldSettingsSource(int numOfNodes, boolean sslTransportEnabled, Path parentFolder, Scope scope) {
this(numOfNodes, sslTransportEnabled, generateKey(), parentFolder, scope);
}
/**
@ -110,14 +109,12 @@ public class ShieldSettingsSource extends ClusterDiscoveryConfiguration.UnicastZ
* @param parentFolder the parent folder that will contain all of the configuration files that need to be created
* @param scope the scope of the test that is requiring an instance of ShieldSettingsSource
*/
public ShieldSettingsSource(int numOfNodes, boolean sslTransportEnabled, boolean autoSSLEnabled, byte[] systemKey, Path parentFolder,
ESIntegTestCase.Scope scope) {
public ShieldSettingsSource(int numOfNodes, boolean sslTransportEnabled, byte[] systemKey, Path parentFolder, Scope scope) {
super(numOfNodes, DEFAULT_SETTINGS);
this.systemKey = systemKey;
this.parentFolder = parentFolder;
this.subfolderPrefix = scope.name();
this.sslTransportEnabled = sslTransportEnabled;
this.autoSSLEnabled = autoSSLEnabled;
this.hostnameVerificationEnabled = randomBoolean();
this.hostnameVerificationResolveNameEnabled = randomBoolean();
}
@ -216,10 +213,6 @@ public class ShieldSettingsSource extends ClusterDiscoveryConfiguration.UnicastZ
}
public Settings getNodeSSLSettings() {
if (sslTransportEnabled && autoSSLEnabled) {
return Settings.EMPTY;
}
if (randomBoolean()) {
return getSSLSettingsForPEMFiles("/org/elasticsearch/shield/transport/ssl/certs/simple/testnode.pem", "testnode",
Collections.singletonList("/org/elasticsearch/shield/transport/ssl/certs/simple/testnode.crt"),
@ -235,10 +228,6 @@ public class ShieldSettingsSource extends ClusterDiscoveryConfiguration.UnicastZ
}
public Settings getClientSSLSettings() {
if (sslTransportEnabled && autoSSLEnabled) {
return Settings.EMPTY;
}
if (randomBoolean()) {
return getSSLSettingsForPEMFiles("/org/elasticsearch/shield/transport/ssl/certs/simple/testclient.pem", "testclient",
Collections.singletonList("/org/elasticsearch/shield/transport/ssl/certs/simple/testclient.crt"),