security: remove auto ssl and disable transport ssl by default
This commit removes the code to auto generate a ssl certificate on startup and disables ssl on the transport layer by default. Original commit: elastic/x-pack-elasticsearch@1dc9b17842
This commit is contained in:
parent
eec4ed90d2
commit
c248d7b5da
|
@ -1,222 +0,0 @@
|
|||
/*
|
||||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
|
||||
* or more contributor license agreements. Licensed under the Elastic License;
|
||||
* you may not use this file except in compliance with the Elastic License.
|
||||
*/
|
||||
package org.elasticsearch.shield.ssl;
|
||||
|
||||
import org.elasticsearch.ElasticsearchException;
|
||||
import org.elasticsearch.common.Nullable;
|
||||
import org.elasticsearch.common.logging.ESLogger;
|
||||
import org.elasticsearch.common.util.set.Sets;
|
||||
import org.elasticsearch.env.Environment;
|
||||
|
||||
import javax.net.ssl.SSLEngine;
|
||||
import javax.net.ssl.X509ExtendedKeyManager;
|
||||
import javax.net.ssl.X509ExtendedTrustManager;
|
||||
import java.io.InputStream;
|
||||
import java.io.InputStreamReader;
|
||||
import java.io.Reader;
|
||||
import java.net.InetAddress;
|
||||
import java.net.Socket;
|
||||
import java.nio.charset.StandardCharsets;
|
||||
import java.nio.file.Path;
|
||||
import java.security.KeyPair;
|
||||
import java.security.Principal;
|
||||
import java.security.PrivateKey;
|
||||
import java.security.cert.Certificate;
|
||||
import java.security.cert.CertificateException;
|
||||
import java.security.cert.CertificateFactory;
|
||||
import java.security.cert.X509Certificate;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Collections;
|
||||
import java.util.HashSet;
|
||||
import java.util.List;
|
||||
import java.util.Set;
|
||||
|
||||
/**
|
||||
*/
|
||||
class AutoGeneratedKeyConfig extends KeyConfig {
|
||||
|
||||
private static final char[] PASSWORD = "changeme".toCharArray();
|
||||
|
||||
private final Set<InetAddress> certificateAddresses = new HashSet<>();
|
||||
private final X509ExtendedKeyManager[] keyManagers;
|
||||
private final X509ExtendedTrustManager[] trustManagers;
|
||||
private final KeyPair keyPair;
|
||||
private final Certificate caCert;
|
||||
private final Exception failure;
|
||||
|
||||
private boolean certGenerated = false;
|
||||
|
||||
AutoGeneratedKeyConfig(boolean includeSystem) {
|
||||
super(includeSystem, false);
|
||||
Exception thrown = null;
|
||||
X509ExtendedTrustManager trustManager;
|
||||
Certificate caCert = null;
|
||||
KeyPair keyPair = null;
|
||||
try {
|
||||
keyPair = CertUtils.generateKeyPair();
|
||||
caCert = readCACert();
|
||||
X509ExtendedTrustManager[] managers = CertUtils.trustManagers(new Certificate[] { caCert });
|
||||
trustManager = managers[0];
|
||||
} catch (Exception e) {
|
||||
thrown = e;
|
||||
trustManager = new EmptyX509TrustManager();
|
||||
}
|
||||
|
||||
this.failure = thrown;
|
||||
this.caCert = caCert;
|
||||
this.keyPair = keyPair;
|
||||
this.keyManagers = new X509ExtendedKeyManager[] { new ReloadableX509KeyManager(new EmptyX509KeyManager(), null) };
|
||||
this.trustManagers = new X509ExtendedTrustManager[] { new ReloadableTrustManager(trustManager, null) };
|
||||
}
|
||||
|
||||
@Override
|
||||
X509ExtendedKeyManager[] loadKeyManagers(@Nullable Environment environment) {
|
||||
return keyManagers;
|
||||
}
|
||||
|
||||
@Override
|
||||
X509ExtendedTrustManager[] nonSystemTrustManagers(@Nullable Environment environment) {
|
||||
return trustManagers;
|
||||
}
|
||||
|
||||
@Override
|
||||
void validate() {
|
||||
if (failure != null) {
|
||||
throw new ElasticsearchException("failed to auto generate keypair and read CA cert", failure);
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
List<Path> filesToMonitor(@Nullable Environment environment) {
|
||||
return Collections.emptyList();
|
||||
}
|
||||
|
||||
@Override
|
||||
public String toString() {
|
||||
return "AutoGeneratedKeyConfig";
|
||||
}
|
||||
|
||||
synchronized void generateCertIfNecessary(boolean resolveHostnames, String nodeName, Set<InetAddress> addresses, ESLogger logger)
|
||||
throws Exception {
|
||||
if (failure != null) {
|
||||
throw new ElasticsearchException("failed to auto generate keypair and read CA cert", failure);
|
||||
}
|
||||
|
||||
// we shouldn't regenerate if we have no new addresses
|
||||
if (certGenerated && Sets.difference(addresses, certificateAddresses).isEmpty()) {
|
||||
return;
|
||||
}
|
||||
|
||||
this.certificateAddresses.addAll(addresses);
|
||||
final PrivateKey caPrivateKey = readCAPrivateKey();
|
||||
final X509Certificate signedCert =
|
||||
CertUtils.generateSignedCertificate(resolveHostnames, nodeName, certificateAddresses, keyPair, caCert, caPrivateKey);
|
||||
Certificate[] certChain = new Certificate[] { signedCert, caCert };
|
||||
X509ExtendedKeyManager[] keyManagers = CertUtils.keyManagers(certChain, keyPair.getPrivate(), PASSWORD);
|
||||
X509ExtendedTrustManager[] trustManagers = CertUtils.trustManagers(certChain);
|
||||
((ReloadableX509KeyManager) this.keyManagers[0]).setKeyManager(keyManagers[0]);
|
||||
((ReloadableTrustManager) this.trustManagers[0]).setTrustManager(trustManagers[0]);
|
||||
this.certGenerated = true;
|
||||
logMessages(signedCert, logger);
|
||||
}
|
||||
|
||||
static Certificate readCACert() throws Exception {
|
||||
try (InputStream inputStream = AutoGeneratedKeyConfig.class.getResourceAsStream("/cacert.pem");
|
||||
Reader reader = new InputStreamReader(inputStream, StandardCharsets.UTF_8)) {
|
||||
CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
|
||||
List<Certificate> certificateList = new ArrayList<>(1);
|
||||
CertUtils.readCertificates(reader, certificateList, certificateFactory);
|
||||
if (certificateList.size() != 1) {
|
||||
throw new IllegalStateException("expected [1] default CA certificate but found [" + certificateList.size() + "]");
|
||||
}
|
||||
return certificateList.get(0);
|
||||
}
|
||||
}
|
||||
|
||||
static PrivateKey readCAPrivateKey() throws Exception {
|
||||
try (InputStream inputStream = AutoGeneratedKeyConfig.class.getResourceAsStream("/cakey.pem");
|
||||
Reader reader = new InputStreamReader(inputStream, StandardCharsets.UTF_8)) {
|
||||
return CertUtils.readPrivateKey(reader, PASSWORD);
|
||||
}
|
||||
}
|
||||
|
||||
static void logMessages(X509Certificate signedCert, ESLogger logger) {
|
||||
logger.info("auto generated a X.509 certificate and private/public key pair for SSL use. this should never be used in production " +
|
||||
"as the signing certificate authority is the same for every installation of X-Pack.{}generated certificate:{}{}",
|
||||
System.lineSeparator(), System.lineSeparator(), signedCert.toString());
|
||||
}
|
||||
|
||||
private static class EmptyX509KeyManager extends X509ExtendedKeyManager {
|
||||
|
||||
@Override
|
||||
public String[] getClientAliases(String s, Principal[] principals) {
|
||||
return null;
|
||||
}
|
||||
|
||||
@Override
|
||||
public String chooseClientAlias(String[] strings, Principal[] principals, Socket socket) {
|
||||
return null;
|
||||
}
|
||||
|
||||
@Override
|
||||
public String[] getServerAliases(String s, Principal[] principals) {
|
||||
return null;
|
||||
}
|
||||
|
||||
@Override
|
||||
public String chooseServerAlias(String s, Principal[] principals, Socket socket) {
|
||||
return null;
|
||||
}
|
||||
|
||||
@Override
|
||||
public X509Certificate[] getCertificateChain(String s) {
|
||||
return null;
|
||||
}
|
||||
|
||||
@Override
|
||||
public PrivateKey getPrivateKey(String s) {
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
||||
private static class EmptyX509TrustManager extends X509ExtendedTrustManager {
|
||||
|
||||
@Override
|
||||
public void checkClientTrusted(X509Certificate[] x509Certificates, String s, Socket socket) throws CertificateException {
|
||||
throw new CertificateException("trust nothing");
|
||||
}
|
||||
|
||||
@Override
|
||||
public void checkServerTrusted(X509Certificate[] x509Certificates, String s, Socket socket) throws CertificateException {
|
||||
throw new CertificateException("trust nothing");
|
||||
}
|
||||
|
||||
@Override
|
||||
public void checkClientTrusted(X509Certificate[] x509Certificates, String s, SSLEngine sslEngine) throws CertificateException {
|
||||
throw new CertificateException("trust nothing");
|
||||
}
|
||||
|
||||
@Override
|
||||
public void checkServerTrusted(X509Certificate[] x509Certificates, String s, SSLEngine sslEngine) throws CertificateException {
|
||||
throw new CertificateException("trust nothing");
|
||||
}
|
||||
|
||||
@Override
|
||||
public void checkClientTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
|
||||
throw new CertificateException("trust nothing");
|
||||
}
|
||||
|
||||
@Override
|
||||
public void checkServerTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
|
||||
throw new CertificateException("trust nothing");
|
||||
}
|
||||
|
||||
@Override
|
||||
public X509Certificate[] getAcceptedIssuers() {
|
||||
return null;
|
||||
}
|
||||
}
|
||||
}
|
|
@ -64,6 +64,7 @@ abstract class KeyConfig extends TrustConfig {
|
|||
if (reloadEnabled && resourceWatcherService != null && listener != null) {
|
||||
ReloadableX509KeyManager reloadableX509KeyManager = new ReloadableX509KeyManager(keyManagers[0], environment);
|
||||
List<Path> filesToMonitor = filesToMonitor(environment);
|
||||
if (filesToMonitor.isEmpty() == false) {
|
||||
ChangeListener changeListener = new ChangeListener(filesToMonitor, reloadableX509KeyManager, listener);
|
||||
try {
|
||||
for (Path dir : directoriesToMonitor(filesToMonitor)) {
|
||||
|
@ -71,11 +72,12 @@ abstract class KeyConfig extends TrustConfig {
|
|||
fileWatcher.addListener(changeListener);
|
||||
resourceWatcherService.add(fileWatcher, Frequency.HIGH);
|
||||
}
|
||||
return new X509ExtendedKeyManager[] { reloadableX509KeyManager };
|
||||
return new X509ExtendedKeyManager[]{reloadableX509KeyManager};
|
||||
} catch (IOException e) {
|
||||
throw new ElasticsearchException("failed to add file watcher", e);
|
||||
}
|
||||
}
|
||||
}
|
||||
return keyManagers;
|
||||
}
|
||||
|
||||
|
|
|
@ -5,37 +5,22 @@
|
|||
*/
|
||||
package org.elasticsearch.shield.ssl;
|
||||
|
||||
import org.elasticsearch.ElasticsearchException;
|
||||
import org.elasticsearch.common.inject.Inject;
|
||||
import org.elasticsearch.common.logging.ESLogger;
|
||||
import org.elasticsearch.common.logging.Loggers;
|
||||
import org.elasticsearch.common.settings.Setting;
|
||||
import org.elasticsearch.common.settings.Setting.Property;
|
||||
import org.elasticsearch.common.settings.Settings;
|
||||
import org.elasticsearch.common.settings.SettingsModule;
|
||||
import org.elasticsearch.common.transport.BoundTransportAddress;
|
||||
import org.elasticsearch.common.transport.InetSocketTransportAddress;
|
||||
import org.elasticsearch.common.transport.TransportAddress;
|
||||
import org.elasticsearch.common.unit.TimeValue;
|
||||
import org.elasticsearch.node.Node;
|
||||
import org.elasticsearch.shield.transport.netty.ShieldNettyHttpServerTransport;
|
||||
import org.elasticsearch.shield.transport.netty.ShieldNettyTransport;
|
||||
import org.elasticsearch.transport.TransportSettings;
|
||||
|
||||
import javax.net.ssl.KeyManagerFactory;
|
||||
import javax.net.ssl.TrustManagerFactory;
|
||||
import java.net.InetAddress;
|
||||
import java.util.Arrays;
|
||||
import java.util.Collections;
|
||||
import java.util.HashSet;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.Objects;
|
||||
import java.util.Optional;
|
||||
import java.util.Set;
|
||||
import java.util.function.Function;
|
||||
|
||||
import static org.elasticsearch.shield.Security.featureEnabledSetting;
|
||||
import static org.elasticsearch.shield.Security.setting;
|
||||
import static org.elasticsearch.shield.support.OptionalSettings.createInt;
|
||||
import static org.elasticsearch.shield.support.OptionalSettings.createString;
|
||||
|
@ -111,11 +96,6 @@ public abstract class SSLConfiguration {
|
|||
public static final int DEFAULT_SESSION_CACHE_SIZE = 1000;
|
||||
public static final String DEFAULT_PROTOCOL = "TLSv1.2";
|
||||
|
||||
public static final Setting<Boolean> AUTO_GENERATE_SSL_SETTING =
|
||||
Setting.boolSetting(featureEnabledSetting("ssl.auto_generate"), true, Property.NodeScope, Property.Filtered);
|
||||
static final Setting<Boolean> AUTO_GEN_RESOLVE_HOST_SETTING =
|
||||
Setting.boolSetting(setting("ssl.auto_generate.resolve_name"), true, Property.NodeScope, Property.Filtered);
|
||||
|
||||
// common settings
|
||||
static final Setting<List<String>> CIPHERS_SETTING = Setting.listSetting(globalKey(Custom.CIPHERS_SETTING), DEFAULT_CIPHERS,
|
||||
Function.identity(), Property.NodeScope, Property.Filtered);
|
||||
|
@ -184,14 +164,10 @@ public abstract class SSLConfiguration {
|
|||
settingsModule.registerSetting(Global.SESSION_CACHE_SIZE_SETTING);
|
||||
settingsModule.registerSetting(Global.SESSION_CACHE_TIMEOUT_SETTING);
|
||||
settingsModule.registerSetting(Global.CA_PATHS_SETTING);
|
||||
settingsModule.registerSetting(Global.AUTO_GENERATE_SSL_SETTING);
|
||||
settingsModule.registerSetting(Global.AUTO_GEN_RESOLVE_HOST_SETTING);
|
||||
settingsModule.registerSetting(Global.INCLUDE_JDK_CERTS_SETTING);
|
||||
settingsModule.registerSetting(Global.RELOAD_ENABLED_SETTING);
|
||||
}
|
||||
|
||||
private final ESLogger logger;
|
||||
private final Settings settings;
|
||||
private final KeyConfig keyConfig;
|
||||
private final TrustConfig trustConfig;
|
||||
private final String sslProtocol;
|
||||
|
@ -207,8 +183,6 @@ public abstract class SSLConfiguration {
|
|||
*/
|
||||
@Inject
|
||||
public Global(Settings settings) {
|
||||
this.settings = settings;
|
||||
this.logger = Loggers.getLogger(getClass(), settings);
|
||||
this.keyConfig = createGlobalKeyConfig(settings);
|
||||
this.trustConfig = createGlobalTrustConfig(settings, keyConfig);
|
||||
this.sslProtocol = PROTOCOL_SETTING.get(settings);
|
||||
|
@ -266,79 +240,11 @@ public abstract class SSLConfiguration {
|
|||
"]}";
|
||||
}
|
||||
|
||||
public void onTransportStart(BoundTransportAddress boundAddress, Map<String, BoundTransportAddress> profileBoundAddresses) {
|
||||
if (shouldAutoGenerateKeyAndCertificate(settings) == false) {
|
||||
return;
|
||||
}
|
||||
|
||||
Set<InetAddress> uniqueAddresses = new HashSet<>();
|
||||
if (boundAddress != null) {
|
||||
// this could be null if we came from a transport client
|
||||
addInetAddresses(uniqueAddresses, boundAddress.boundAddresses());
|
||||
addInetAddresses(uniqueAddresses, boundAddress.publishAddress());
|
||||
}
|
||||
|
||||
for (BoundTransportAddress profileAddress : profileBoundAddresses.values()) {
|
||||
addInetAddresses(uniqueAddresses, profileAddress.boundAddresses());
|
||||
addInetAddresses(uniqueAddresses, profileAddress.publishAddress());
|
||||
}
|
||||
|
||||
try {
|
||||
((AutoGeneratedKeyConfig) keyConfig).generateCertIfNecessary(AUTO_GEN_RESOLVE_HOST_SETTING.get(settings),
|
||||
Node.NODE_NAME_SETTING.get(settings), uniqueAddresses, logger);
|
||||
} catch (Exception e) {
|
||||
throw new ElasticsearchException("failed to initialize auto generated certificate and key");
|
||||
}
|
||||
}
|
||||
|
||||
private static String globalKey(Setting setting) {
|
||||
return setting("ssl." + setting.getKey());
|
||||
}
|
||||
|
||||
static void addInetAddresses(Set<InetAddress> addresses, TransportAddress... transportAddresses) {
|
||||
for (TransportAddress transportAddress : transportAddresses) {
|
||||
addresses.add(((InetSocketTransportAddress)transportAddress).address().getAddress());
|
||||
}
|
||||
}
|
||||
|
||||
static boolean shouldAutoGenerateKeyAndCertificate(Settings settings) {
|
||||
if (AUTO_GENERATE_SSL_SETTING.get(settings) == false) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// did they configure some SSL settings other than auto generate
|
||||
Settings.Builder builder = Settings.builder().put(settings);
|
||||
builder.remove(AUTO_GEN_RESOLVE_HOST_SETTING.getKey());
|
||||
builder.remove(AUTO_GENERATE_SSL_SETTING.getKey());
|
||||
builder.remove(INCLUDE_JDK_CERTS_SETTING.getKey());
|
||||
Settings nonAutoGen = builder.build();
|
||||
if (nonAutoGen.getByPrefix(setting("ssl.")).isEmpty() == false) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// SSL needs to be enabled somewhere
|
||||
final boolean transportEnabled = ShieldNettyTransport.SSL_SETTING.get(settings);
|
||||
final boolean httpEnabled = ShieldNettyHttpServerTransport.SSL_SETTING.get(settings);
|
||||
if (transportEnabled || httpEnabled) {
|
||||
return true;
|
||||
}
|
||||
|
||||
// check the profiles... maybe disabled SSL on default transport and enabled on a profile
|
||||
Map<String, Settings> profiles = TransportSettings.TRANSPORT_PROFILES_SETTING.get(settings).getAsGroups(true);
|
||||
for (Settings profileSettings : profiles.values()) {
|
||||
if (ShieldNettyTransport.profileSsl(profileSettings, settings)) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
static KeyConfig createGlobalKeyConfig(Settings settings) {
|
||||
if (shouldAutoGenerateKeyAndCertificate(settings)) {
|
||||
return new AutoGeneratedKeyConfig(INCLUDE_JDK_CERTS_SETTING.get(settings));
|
||||
}
|
||||
|
||||
String keyStorePath = KEYSTORE_PATH_SETTING.get(settings).orElse(null);
|
||||
String keyPath = KEY_PATH_SETTING.get(settings).orElse(null);
|
||||
if (keyPath != null && keyStorePath != null) {
|
||||
|
@ -368,11 +274,6 @@ public abstract class SSLConfiguration {
|
|||
}
|
||||
|
||||
static TrustConfig createGlobalTrustConfig(Settings settings, KeyConfig keyInfo) {
|
||||
if (keyInfo instanceof AutoGeneratedKeyConfig) {
|
||||
assert shouldAutoGenerateKeyAndCertificate(settings);
|
||||
return keyInfo;
|
||||
}
|
||||
|
||||
String trustStorePath = TRUSTSTORE_PATH_SETTING.get(settings).orElse(null);
|
||||
List<String> caPaths = getListOrNull(CA_PATHS_SETTING, settings);
|
||||
boolean includeSystem = INCLUDE_JDK_CERTS_SETTING.get(settings);
|
||||
|
|
|
@ -58,6 +58,9 @@ class StoreTrustConfig extends TrustConfig {
|
|||
|
||||
@Override
|
||||
List<Path> filesToMonitor(@Nullable Environment environment) {
|
||||
if (trustStorePath == null) {
|
||||
return Collections.emptyList();
|
||||
}
|
||||
return Collections.singletonList(CertUtils.resolvePath(trustStorePath, environment));
|
||||
}
|
||||
|
||||
|
|
|
@ -52,21 +52,16 @@ public class ShieldNettyHttpServerTransport extends NettyHttpServerTransport {
|
|||
private final ServerSSLService sslService;
|
||||
private final boolean ssl;
|
||||
private final Settings sslSettings;
|
||||
private final Global globalSSLConfiguration;
|
||||
|
||||
@Inject
|
||||
public ShieldNettyHttpServerTransport(Settings settings, NetworkService networkService, BigArrays bigArrays, IPFilter ipFilter,
|
||||
ServerSSLService sslService, ThreadPool threadPool, Global sslConfig) {
|
||||
ServerSSLService sslService, ThreadPool threadPool) {
|
||||
super(settings, networkService, bigArrays, threadPool);
|
||||
this.ipFilter = ipFilter;
|
||||
this.ssl = SSL_SETTING.get(settings);
|
||||
this.sslService = sslService;
|
||||
this.globalSSLConfiguration = sslConfig;
|
||||
if (ssl) {
|
||||
Settings.Builder builder = Settings.builder().put(settings.getByPrefix(setting("http.ssl.")));
|
||||
builder.remove("client.auth");
|
||||
builder.remove("enabled");
|
||||
sslSettings = builder.build();
|
||||
sslSettings = settings.getByPrefix(setting("http.ssl."));
|
||||
} else {
|
||||
sslSettings = Settings.EMPTY;
|
||||
}
|
||||
|
@ -101,7 +96,6 @@ public class ShieldNettyHttpServerTransport extends NettyHttpServerTransport {
|
|||
@Override
|
||||
protected void doStart() {
|
||||
super.doStart();
|
||||
globalSSLConfiguration.onTransportStart(this.boundAddress(), Collections.emptyMap());
|
||||
ipFilter.setBoundHttpTransportAddress(this.boundAddress());
|
||||
}
|
||||
|
||||
|
|
|
@ -18,7 +18,6 @@ import org.elasticsearch.common.settings.SettingsModule;
|
|||
import org.elasticsearch.common.util.BigArrays;
|
||||
import org.elasticsearch.indices.breaker.CircuitBreakerService;
|
||||
import org.elasticsearch.shield.ssl.ClientSSLService;
|
||||
import org.elasticsearch.shield.ssl.SSLConfiguration.Global;
|
||||
import org.elasticsearch.shield.ssl.ServerSSLService;
|
||||
import org.elasticsearch.shield.transport.SSLClientAuth;
|
||||
import org.elasticsearch.shield.transport.filter.IPFilter;
|
||||
|
@ -48,7 +47,7 @@ import static org.elasticsearch.shield.transport.SSLExceptionHelper.isNotSslReco
|
|||
public class ShieldNettyTransport extends NettyTransport {
|
||||
|
||||
public static final String CLIENT_AUTH_DEFAULT = SSLClientAuth.REQUIRED.name();
|
||||
public static final boolean SSL_DEFAULT = true;
|
||||
public static final boolean SSL_DEFAULT = false;
|
||||
|
||||
public static final Setting<Boolean> DEPRECATED_HOSTNAME_VERIFICATION_SETTING =
|
||||
Setting.boolSetting(setting("ssl.hostname_verification"), true, Property.NodeScope, Property.Filtered, Property.Deprecated);
|
||||
|
@ -79,7 +78,6 @@ public class ShieldNettyTransport extends NettyTransport {
|
|||
|
||||
private final ServerSSLService serverSslService;
|
||||
private final ClientSSLService clientSSLService;
|
||||
private final Global globalSSLConfiguration;
|
||||
private final @Nullable IPFilter authenticator;
|
||||
private final boolean ssl;
|
||||
|
||||
|
@ -87,21 +85,19 @@ public class ShieldNettyTransport extends NettyTransport {
|
|||
public ShieldNettyTransport(Settings settings, ThreadPool threadPool, NetworkService networkService, BigArrays bigArrays,
|
||||
Version version, @Nullable IPFilter authenticator, @Nullable ServerSSLService serverSSLService,
|
||||
ClientSSLService clientSSLService, NamedWriteableRegistry namedWriteableRegistry,
|
||||
CircuitBreakerService circuitBreakerService, Global globalSSLConfiguration) {
|
||||
CircuitBreakerService circuitBreakerService) {
|
||||
super(settings, threadPool, networkService, bigArrays, version, namedWriteableRegistry, circuitBreakerService);
|
||||
this.authenticator = authenticator;
|
||||
this.ssl = SSL_SETTING.get(settings);
|
||||
this.serverSslService = serverSSLService;
|
||||
this.clientSSLService = clientSSLService;
|
||||
this.globalSSLConfiguration = globalSSLConfiguration;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected void doStart() {
|
||||
super.doStart();
|
||||
globalSSLConfiguration.onTransportStart(boundAddress, profileBoundAddresses);
|
||||
if (authenticator != null) {
|
||||
authenticator.setBoundTransportAddress(this.boundAddress(), profileBoundAddresses());
|
||||
authenticator.setBoundTransportAddress(boundAddress(), profileBoundAddresses());
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -1,22 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDsjCCApqgAwIBAgIJAKGDffMf8r51MA0GCSqGSIb3DQEBCwUAMEQxGTAXBgNV
|
||||
BAoTEEVsYXN0aWNzZWFyY2ggQlYxCzAJBgNVBAYTAk5MMRowGAYDVQQDExFYLVBh
|
||||
Y2sgRGVmYXVsdCBDQTAeFw0xNjA0MTkxNDQ1NDdaFw0yMTA0MTgxNDQ1NDdaMEQx
|
||||
GTAXBgNVBAoTEEVsYXN0aWNzZWFyY2ggQlYxCzAJBgNVBAYTAk5MMRowGAYDVQQD
|
||||
ExFYLVBhY2sgRGVmYXVsdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
|
||||
ggEBAMEtxhGU9TNgfaYFYFTehSkI1tCxPoe9WdvLd6Ag1DggN2Sp65xhDuWLNX4R
|
||||
mAo7PyXvic+shqfLDjca6R7OgisubldFN3qiw8IwXzjMey/MC0pThsPJS9TQFc6i
|
||||
a4oNmd4QpvoctqAW8qCOqB+PEUNMx6B54sjqX1/CBGuCB4HZJud//RRbANAf8WKN
|
||||
nf4z9vM4nk4m6UF0hShCuKdlU+zlDp0/LdkuYn+fn6JmWVNmwMR4Ym9M1i0RKaBI
|
||||
OE0pgPVIYTRhuU+VyCRGg4ue7tdPlWpps25EihgwEWoieS0lLSGPqEVPC7Msk+HA
|
||||
kOs4DwJahs0RAep+PJNNrcdSB/0CAwEAAaOBpjCBozAMBgNVHRMEBTADAQH/MB0G
|
||||
A1UdDgQWBBR5tSUNfOVoB2DrCDjFIauzzxsP+DB0BgNVHSMEbTBrgBR5tSUNfOVo
|
||||
B2DrCDjFIauzzxsP+KFIpEYwRDEZMBcGA1UEChMQRWxhc3RpY3NlYXJjaCBCVjEL
|
||||
MAkGA1UEBhMCTkwxGjAYBgNVBAMTEVgtUGFjayBEZWZhdWx0IENBggkAoYN98x/y
|
||||
vnUwDQYJKoZIhvcNAQELBQADggEBAIv6mt9qW93Y8ZKD7neiYvS6lzN6/yTCRDZ0
|
||||
sPMYX1BV4dgwIfa3Nc5Iz7fl9MJRQMUaQg1yDmQzoavtRtw8K2Rd1GHtF1pRBwz6
|
||||
y2th20gVGKXtIyaS5l8oxJ5nlV+GX439In8ovM8Q0CqRN/3X36v77OTTt/FCt24w
|
||||
8cA6igo9DMfLylfhIU6R3rcImMMPPE/cgXSE6lPCBX0zK2m1h3Bsp9cNAgndUsI6
|
||||
1xSfnDoO+DuOrze6NX9gzFvy6IwgcTF9vlQ55eXAgy263+k7IhBQydFscNrIFpM5
|
||||
enqQIqgzcEs5FZcq/V1RWlI5phxsOYaImoN9MJMSO9D3avWOtcE=
|
||||
-----END CERTIFICATE-----
|
|
@ -1,30 +0,0 @@
|
|||
-----BEGIN RSA PRIVATE KEY-----
|
||||
Proc-Type: 4,ENCRYPTED
|
||||
DEK-Info: DES-EDE3-CBC,BF10B2B7AF64C239
|
||||
|
||||
xWhoEPwuO8I2qXRG5nSVSPXLltxmzmTxK3VvZPxaf++PTMt+r3F414px763NWigr
|
||||
Wka3f6p2EJI3huafk47mth02OS268A6hCx3wrp9pq0SrzZVTHqML0OqyNyLJNK8j
|
||||
azu6IdCFNaFsh6Z5y2PSJ8SWAX11QcYF6g8IRBwGcGr4pmMdJmKEoliuxJ0oGJIy
|
||||
0hEdeeqiiwEMP2I97CH3g+CtD8eh3+XyNapzSWe7j2Y3wU9lrVUdicUPDOibLVbU
|
||||
xiLz+HJ0BmNbHF3ND8JiDAZUAYQVjvENHP3VIqm68kzRiHcxsHzVhW6iNz1QTwmR
|
||||
vugODGkOoYCV0Yfap1Fjawt7bT0emGU7Lbv/E80X43t4kgoeIOGxX96XYIfwJT9C
|
||||
VVYwtmn85Fr8FmmPRIUYJlMlqm+mvwcRdBxYXKyaamvN7cj8G5pj5A7dgXlSAz7z
|
||||
JaywteP3GzXdzXAS+ehYrZCkBkdIaMbtNIBFV9ZChDvKWJidGkpajDQtSTNixEnS
|
||||
42+qMmg4b0AWEcPtlJJJuYZmgl3XXLkfgiyiQ6dnATyq5tE5PxSzHorUCBIv4Bp3
|
||||
sJCcgsP7TTy3dhr+dyQdsWCVyM9HxUeUzxVj4ULfB6wTAd6duMNHxiIkh3bsxdni
|
||||
xRm2vNQraW64K/xDTsccbp2emhKpJT3KAU2+ZFAEQUJDMejoQv0b1klOcGZGFKh3
|
||||
IMmwaSdZfRfh3pIDyRJARHkQ5fPv19SKwtUmwL1ygqR0iRcK7kN9D+lvhzL7RYcP
|
||||
bKkndgr5jwHdqdGZvrFz2NshcqOwKzKr1tTkXRL8BN6s1s4Az1NQBWyK+bjotF+D
|
||||
zf3HDUGa94xYF5KFbZCKMUenL4OV+K4qqUvbwqBE/s4rsUkB6p9SSySFc9M8Obmm
|
||||
U6ZP4hr7/WZpO0AZr6OUX6HMXCeIex0tanINVijDR8Qq7zwa0Nt1t4bnfGbEqPo+
|
||||
ew5MWjxqEWOb7cJogIjTKokcLqlp4OyVYkP5XdXNqKrnNE23xQNeTeD+W1zZxuJo
|
||||
KdYQA82NC8vW1uHeEfCiJx4Giziqg6zEhNtF6t0wHebGfLORDICvNsb0Df2tYunj
|
||||
rtduSaQRVGTT8YRheJFl0B+n8xrLTOqtbFL6PPb/eU4O3C0La8h8VZNSmXBTY/0A
|
||||
UfeHsxmO7SoAdz8cSiXjvlwVwkt0gbPCbFBTSwALTS0vMas71xI62Dl53EsEup0K
|
||||
oV9agBfEZyVlse8VC/Js8sZi7cICmCrHcvhKWnju3QB47vPti00/aj6MgE0oLHC4
|
||||
8CicYeFCyREaxzF+HnOriuG3f82wUfJhtejwefE4xytvJTBTz+5f2j+FI2CL4OGp
|
||||
R6ix+r/JoygSSIssmxnpcUZQpCxbthfvfBQEvQKq6YDgwgSDfhWAFvLTx45HFDz5
|
||||
if/wgMDTlL9BP+PcNY4xY73qU9Za1AYdDdS9nWSD3pRz9SZc4gRrLLdLmRzUsCU+
|
||||
t2Lrvy0AAFVBzf1RZYN0kVArUdgFGiUQyvsyGyFu8FYww23VZuxglIniHVD5JBa+
|
||||
gymaHiWlKadGciVT552SuYFz89c8nkRFiSEwz/1aLNHP/fFqfVCD2A==
|
||||
-----END RSA PRIVATE KEY-----
|
|
@ -92,11 +92,6 @@ abstract public class AbstractAdLdapRealmTestCase extends ShieldIntegTestCase {
|
|||
return sslEnabled;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected boolean autoSSLEnabled() {
|
||||
return sslEnabled && (useGlobalSSL == false);
|
||||
}
|
||||
|
||||
protected String configRoleMappings() {
|
||||
return realmConfig.configRoleMappings();
|
||||
}
|
||||
|
|
|
@ -131,7 +131,7 @@ public class IndexAuditTrailTests extends ShieldIntegTestCase {
|
|||
final boolean useSSL = useShield && randomBoolean();
|
||||
logger.info("--> remote indexing enabled. shield enabled: [{}], SSL enabled: [{}], nodes: [{}]", useShield, useSSL, numNodes);
|
||||
ShieldSettingsSource cluster2SettingsSource =
|
||||
new ShieldSettingsSource(numNodes, useSSL, randomBoolean(), systemKey(), createTempDir(), Scope.SUITE) {
|
||||
new ShieldSettingsSource(numNodes, useSSL, systemKey(), createTempDir(), Scope.SUITE) {
|
||||
@Override
|
||||
public Settings nodeSettings(int nodeOrdinal) {
|
||||
Settings.Builder builder = Settings.builder()
|
||||
|
|
|
@ -42,7 +42,6 @@ public class RemoteIndexAuditTrailStartingTests extends ShieldIntegTestCase {
|
|||
private InternalTestCluster remoteCluster;
|
||||
|
||||
private final boolean useSSL = randomBoolean();
|
||||
private final boolean autoSSL = randomBoolean();
|
||||
private final boolean localAudit = randomBoolean();
|
||||
private final String outputs = randomFrom("index", "logfile", "index,logfile");
|
||||
|
||||
|
@ -51,11 +50,6 @@ public class RemoteIndexAuditTrailStartingTests extends ShieldIntegTestCase {
|
|||
return useSSL;
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean autoSSLEnabled() {
|
||||
return autoSSL;
|
||||
}
|
||||
|
||||
@Override
|
||||
public Settings nodeSettings(int nodeOrdinal) {
|
||||
return Settings.builder()
|
||||
|
@ -93,8 +87,7 @@ public class RemoteIndexAuditTrailStartingTests extends ShieldIntegTestCase {
|
|||
|
||||
// Setup a second test cluster with randomization for number of nodes, shield enabled, and SSL
|
||||
final int numNodes = randomIntBetween(2, 3);
|
||||
ShieldSettingsSource cluster2SettingsSource = new ShieldSettingsSource(numNodes, useSSL, autoSSL, systemKey(), createTempDir(),
|
||||
Scope.TEST) {
|
||||
ShieldSettingsSource cluster2SettingsSource = new ShieldSettingsSource(numNodes, useSSL, systemKey(), createTempDir(), Scope.TEST) {
|
||||
@Override
|
||||
public Settings nodeSettings(int nodeOrdinal) {
|
||||
Settings.Builder builder = Settings.builder()
|
||||
|
|
|
@ -25,25 +25,19 @@ public class AbstractActiveDirectoryIntegTests extends ESTestCase {
|
|||
|
||||
protected ClientSSLService clientSSLService;
|
||||
protected Settings globalSettings;
|
||||
protected boolean useGlobalSSL;
|
||||
|
||||
@Before
|
||||
public void initializeSslSocketFactory() throws Exception {
|
||||
useGlobalSSL = randomBoolean();
|
||||
Path keystore = getDataPath("../ldap/support/ldaptrust.jks");
|
||||
/*
|
||||
* Prior to each test we reinitialize the socket factory with a new SSLService so that we get a new SSLContext.
|
||||
* If we re-use a SSLContext, previously connected sessions can get re-established which breaks hostname
|
||||
* verification tests since a re-established connection does not perform hostname verification.
|
||||
*/
|
||||
Settings.Builder builder = Settings.builder().put("path.home", createTempDir());
|
||||
if (useGlobalSSL) {
|
||||
builder.put("xpack.security.ssl.keystore.path", keystore)
|
||||
.put("xpack.security.ssl.keystore.password", "changeit");
|
||||
} else {
|
||||
builder.put(Global.AUTO_GENERATE_SSL_SETTING.getKey(), false);
|
||||
}
|
||||
globalSettings = builder.build();
|
||||
globalSettings = Settings.builder().put("path.home", createTempDir())
|
||||
.put("xpack.security.ssl.keystore.path", keystore)
|
||||
.put("xpack.security.ssl.keystore.password", "changeit")
|
||||
.build();
|
||||
Environment environment = new Environment(globalSettings);
|
||||
clientSSLService = new ClientSSLService(globalSettings, new Global(globalSettings));
|
||||
clientSSLService.setEnvironment(environment);
|
||||
|
@ -56,11 +50,9 @@ public class AbstractActiveDirectoryIntegTests extends ESTestCase {
|
|||
.put(ActiveDirectorySessionFactory.AD_DOMAIN_NAME_SETTING, adDomainName)
|
||||
.put(ActiveDirectorySessionFactory.AD_USER_SEARCH_BASEDN_SETTING, userSearchDN)
|
||||
.put(ActiveDirectorySessionFactory.AD_USER_SEARCH_SCOPE_SETTING, scope)
|
||||
.put(ActiveDirectorySessionFactory.HOSTNAME_VERIFICATION_SETTING, hostnameVerification);
|
||||
if (useGlobalSSL == false) {
|
||||
builder.put("ssl.truststore.path", getDataPath("../ldap/support/ldaptrust.jks"))
|
||||
.put(ActiveDirectorySessionFactory.HOSTNAME_VERIFICATION_SETTING, hostnameVerification)
|
||||
.put("ssl.truststore.path", getDataPath("../ldap/support/ldaptrust.jks"))
|
||||
.put("ssl.truststore.password", "changeit");
|
||||
}
|
||||
return builder.build();
|
||||
}
|
||||
}
|
||||
|
|
|
@ -208,14 +208,11 @@ public class ActiveDirectorySessionFactoryTests extends AbstractActiveDirectoryI
|
|||
public void testStandardLdapConnection() throws Exception {
|
||||
String groupSearchBase = "DC=ad,DC=test,DC=elasticsearch,DC=com";
|
||||
String userTemplate = "CN={0},CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com";
|
||||
Settings settings = LdapTestCase.buildLdapSettings(AD_LDAP_URL, userTemplate, groupSearchBase, LdapSearchScope.SUB_TREE);
|
||||
if (useGlobalSSL == false) {
|
||||
settings = Settings.builder()
|
||||
.put(settings)
|
||||
Settings settings = Settings.builder()
|
||||
.put(LdapTestCase.buildLdapSettings(AD_LDAP_URL, userTemplate, groupSearchBase, LdapSearchScope.SUB_TREE))
|
||||
.put("ssl.truststore.path", getDataPath("../ldap/support/ldaptrust.jks"))
|
||||
.put("ssl.truststore.password", "changeit")
|
||||
.build();
|
||||
}
|
||||
RealmConfig config = new RealmConfig("ad-as-ldap-test", settings, globalSettings);
|
||||
LdapSessionFactory sessionFactory = new LdapSessionFactory(config, clientSSLService).init();
|
||||
|
||||
|
@ -234,14 +231,11 @@ public class ActiveDirectorySessionFactoryTests extends AbstractActiveDirectoryI
|
|||
@SuppressWarnings("unchecked")
|
||||
public void testStandardLdapWithAttributeGroups() throws Exception {
|
||||
String userTemplate = "CN={0},CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com";
|
||||
Settings settings = LdapTestCase.buildLdapSettings(new String[] { AD_LDAP_URL }, userTemplate, false);
|
||||
if (useGlobalSSL == false) {
|
||||
settings = Settings.builder()
|
||||
.put(settings)
|
||||
Settings settings = Settings.builder()
|
||||
.put(LdapTestCase.buildLdapSettings(new String[] { AD_LDAP_URL }, userTemplate, false))
|
||||
.put("ssl.truststore.path", getDataPath("../ldap/support/ldaptrust.jks"))
|
||||
.put("ssl.truststore.password", "changeit")
|
||||
.build();
|
||||
}
|
||||
RealmConfig config = new RealmConfig("ad-as-ldap-test", settings, globalSettings);
|
||||
LdapSessionFactory sessionFactory = new LdapSessionFactory(config, clientSSLService).init();
|
||||
|
||||
|
@ -291,11 +285,9 @@ public class ActiveDirectorySessionFactoryTests extends AbstractActiveDirectoryI
|
|||
Settings.Builder builder = Settings.builder()
|
||||
.put(ActiveDirectorySessionFactory.URLS_SETTING, ldapUrl)
|
||||
.put(ActiveDirectorySessionFactory.AD_DOMAIN_NAME_SETTING, adDomainName)
|
||||
.put(ActiveDirectorySessionFactory.HOSTNAME_VERIFICATION_SETTING, hostnameVerification);
|
||||
if (useGlobalSSL == false) {
|
||||
builder.put("ssl.truststore.path", getDataPath("../ldap/support/ldaptrust.jks"))
|
||||
.put(ActiveDirectorySessionFactory.HOSTNAME_VERIFICATION_SETTING, hostnameVerification)
|
||||
.put("ssl.truststore.path", getDataPath("../ldap/support/ldaptrust.jks"))
|
||||
.put("ssl.truststore.password", "changeit");
|
||||
}
|
||||
return builder.build();
|
||||
}
|
||||
}
|
||||
|
|
|
@ -33,14 +33,10 @@ public abstract class GroupsResolverTestCase extends ESTestCase {
|
|||
public void setUpLdapConnection() throws Exception {
|
||||
Path keystore = getDataPath("../ldap/support/ldaptrust.jks");
|
||||
boolean useGlobalSSL = randomBoolean();
|
||||
Settings.Builder builder = Settings.builder().put("path.home", createTempDir());
|
||||
if (useGlobalSSL) {
|
||||
builder.put("xpack.security.ssl.keystore.path", keystore)
|
||||
.put("xpack.security.ssl.keystore.password", "changeit");
|
||||
} else {
|
||||
builder.put(Global.AUTO_GENERATE_SSL_SETTING.getKey(), false);
|
||||
}
|
||||
Settings settings = builder.build();
|
||||
Settings settings = Settings.builder().put("path.home", createTempDir())
|
||||
.put("xpack.security.ssl.keystore.path", keystore)
|
||||
.put("xpack.security.ssl.keystore.password", "changeit")
|
||||
.build();
|
||||
Environment env = new Environment(settings);
|
||||
ClientSSLService clientSSLService = new ClientSSLService(settings, new Global(settings));
|
||||
clientSSLService.setEnvironment(env);
|
||||
|
|
|
@ -38,27 +38,21 @@ public class OpenLdapTests extends ESTestCase {
|
|||
public static final String OPEN_LDAP_URL = "ldaps://54.200.235.244:636";
|
||||
public static final String PASSWORD = "NickFuryHeartsES";
|
||||
|
||||
private boolean useGlobalSSL;
|
||||
private ClientSSLService clientSSLService;
|
||||
private Settings globalSettings;
|
||||
|
||||
@Before
|
||||
public void initializeSslSocketFactory() throws Exception {
|
||||
useGlobalSSL = randomBoolean();
|
||||
Path keystore = getDataPath("../ldap/support/ldaptrust.jks");
|
||||
/*
|
||||
* Prior to each test we reinitialize the socket factory with a new SSLService so that we get a new SSLContext.
|
||||
* If we re-use a SSLContext, previously connected sessions can get re-established which breaks hostname
|
||||
* verification tests since a re-established connection does not perform hostname verification.
|
||||
*/
|
||||
Settings.Builder builder = Settings.builder().put("path.home", createTempDir());
|
||||
if (useGlobalSSL) {
|
||||
builder.put("xpack.security.ssl.keystore.path", keystore)
|
||||
.put("xpack.security.ssl.keystore.password", "changeit");
|
||||
} else {
|
||||
builder.put(Global.AUTO_GENERATE_SSL_SETTING.getKey(), false);
|
||||
}
|
||||
globalSettings = builder.build();
|
||||
globalSettings = Settings.builder().put("path.home", createTempDir())
|
||||
.put("xpack.security.ssl.keystore.path", keystore)
|
||||
.put("xpack.security.ssl.keystore.password", "changeit")
|
||||
.build();
|
||||
Environment environment = new Environment(globalSettings);
|
||||
clientSSLService = new ClientSSLService(globalSettings, new Global(globalSettings));
|
||||
clientSSLService.setEnvironment(environment);
|
||||
|
@ -186,9 +180,6 @@ public class OpenLdapTests extends ESTestCase {
|
|||
|
||||
Settings buildLdapSettings(String ldapUrl, String userTemplate, String groupSearchBase, LdapSearchScope scope) {
|
||||
Settings baseSettings = LdapTestCase.buildLdapSettings(ldapUrl, userTemplate, groupSearchBase, scope);
|
||||
if (useGlobalSSL) {
|
||||
return baseSettings;
|
||||
}
|
||||
return Settings.builder()
|
||||
.put(baseSettings)
|
||||
.put("ssl.truststore.path", getDataPath("../ldap/support/ldaptrust.jks"))
|
||||
|
|
|
@ -74,11 +74,6 @@ public class PkiAuthenticationTests extends ShieldIntegTestCase {
|
|||
return true;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected boolean autoSSLEnabled() {
|
||||
return false;
|
||||
}
|
||||
|
||||
public void testTransportClientCanAuthenticateViaPki() {
|
||||
Settings settings = getSSLSettingsForStore("/org/elasticsearch/shield/transport/ssl/certs/simple/testnode.jks", "testnode");
|
||||
try (TransportClient client = createTransportClient(settings)) {
|
||||
|
|
|
@ -77,11 +77,6 @@ public class PkiOptionalClientAuthTests extends ShieldIntegTestCase {
|
|||
return true;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected boolean autoSSLEnabled() {
|
||||
return false;
|
||||
}
|
||||
|
||||
public void testRestClientWithoutClientCertificate() throws Exception {
|
||||
HttpServerTransport httpServerTransport = internalCluster().getDataNodeInstance(HttpServerTransport.class);
|
||||
|
||||
|
|
|
@ -57,11 +57,6 @@ public class PkiWithoutClientAuthenticationTests extends ShieldIntegTestCase {
|
|||
return true;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected boolean autoSSLEnabled() {
|
||||
return false;
|
||||
}
|
||||
|
||||
@Override
|
||||
public Settings nodeSettings(int nodeOrdinal) {
|
||||
return Settings.builder()
|
||||
|
|
|
@ -1,60 +0,0 @@
|
|||
/*
|
||||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
|
||||
* or more contributor license agreements. Licensed under the Elastic License;
|
||||
* you may not use this file except in compliance with the Elastic License.
|
||||
*/
|
||||
package org.elasticsearch.shield.ssl;
|
||||
|
||||
import org.elasticsearch.client.transport.NoNodeAvailableException;
|
||||
import org.elasticsearch.client.transport.TransportClient;
|
||||
import org.elasticsearch.common.settings.Settings;
|
||||
import org.elasticsearch.common.transport.TransportAddress;
|
||||
import org.elasticsearch.shield.Security;
|
||||
import org.elasticsearch.shield.transport.netty.ShieldNettyTransport;
|
||||
import org.elasticsearch.test.ShieldIntegTestCase;
|
||||
import org.elasticsearch.transport.Transport;
|
||||
import org.elasticsearch.xpack.XPackPlugin;
|
||||
|
||||
import static org.elasticsearch.test.ShieldSettingsSource.DEFAULT_PASSWORD;
|
||||
import static org.elasticsearch.test.ShieldSettingsSource.DEFAULT_USER_NAME;
|
||||
import static org.hamcrest.Matchers.containsString;
|
||||
|
||||
public class AutoSSLIntegTests extends ShieldIntegTestCase {
|
||||
|
||||
@Override
|
||||
public boolean sslTransportEnabled() {
|
||||
return true;
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean autoSSLEnabled() {
|
||||
return true;
|
||||
}
|
||||
|
||||
public void testTransportClient() {
|
||||
String clusterName = internalCluster().getClusterName();
|
||||
TransportAddress transportAddress = randomFrom(internalCluster().getInstance(Transport.class).boundAddress().boundAddresses());
|
||||
try (TransportClient transportClient = TransportClient.builder().addPlugin(XPackPlugin.class)
|
||||
.settings(Settings.builder()
|
||||
.put("cluster.name", clusterName)
|
||||
.put(Security.USER_SETTING.getKey(), DEFAULT_USER_NAME + ":" + DEFAULT_PASSWORD))
|
||||
.build()) {
|
||||
transportClient.addTransportAddress(transportAddress);
|
||||
assertGreenClusterState(transportClient);
|
||||
}
|
||||
|
||||
// now try with SSL disabled and it should fail
|
||||
try (TransportClient transportClient = TransportClient.builder().addPlugin(XPackPlugin.class)
|
||||
.settings(Settings.builder()
|
||||
.put("cluster.name", clusterName)
|
||||
.put(ShieldNettyTransport.SSL_SETTING.getKey(), false)
|
||||
.put(Security.USER_SETTING.getKey(), DEFAULT_USER_NAME + ":" + DEFAULT_PASSWORD))
|
||||
.build()) {
|
||||
transportClient.addTransportAddress(transportAddress);
|
||||
assertGreenClusterState(transportClient);
|
||||
fail("should not have been able to connect");
|
||||
} catch (NoNodeAvailableException e) {
|
||||
assertThat(e.getMessage(), containsString("None of the configured nodes are available"));
|
||||
}
|
||||
}
|
||||
}
|
|
@ -152,9 +152,7 @@ public class ClientSSLServiceTests extends ESTestCase {
|
|||
}
|
||||
|
||||
public void testThatCreateClientSSLEngineWithoutAnySettingsWorks() throws Exception {
|
||||
ClientSSLService sslService = createClientSSLService(Settings.builder()
|
||||
.put(Global.AUTO_GENERATE_SSL_SETTING.getKey(), false)
|
||||
.build());
|
||||
ClientSSLService sslService = createClientSSLService(Settings.EMPTY);
|
||||
SSLEngine sslEngine = sslService.createSSLEngine();
|
||||
assertThat(sslEngine, notNullValue());
|
||||
}
|
||||
|
@ -179,8 +177,7 @@ public class ClientSSLServiceTests extends ESTestCase {
|
|||
|
||||
@Network
|
||||
public void testThatSSLContextWithoutSettingsWorks() throws Exception {
|
||||
ClientSSLService sslService = createClientSSLService(Settings.builder()
|
||||
.put(Global.AUTO_GENERATE_SSL_SETTING.getKey(), false).build());
|
||||
ClientSSLService sslService = createClientSSLService(Settings.EMPTY);
|
||||
SSLContext sslContext = sslService.sslContext();
|
||||
try (CloseableHttpClient client = HttpClients.custom().setSslcontext(sslContext).build()) {
|
||||
// Execute a GET on a site known to have a valid certificate signed by a trusted public CA
|
||||
|
|
|
@ -53,14 +53,11 @@ import static org.hamcrest.Matchers.sameInstance;
|
|||
|
||||
public class SSLConfigurationTests extends ESTestCase {
|
||||
|
||||
private static final Settings NO_AUTO_GEN = Settings.builder()
|
||||
.put(Global.AUTO_GENERATE_SSL_SETTING.getKey(), false)
|
||||
.build();
|
||||
|
||||
public void testThatSSLConfigurationHasCorrectDefaults() {
|
||||
SSLConfiguration globalConfig = new Global(Settings.EMPTY);
|
||||
assertThat(globalConfig.keyConfig(), instanceOf(AutoGeneratedKeyConfig.class));
|
||||
assertThat(globalConfig.trustConfig(), sameInstance(globalConfig.keyConfig()));
|
||||
assertThat(globalConfig.keyConfig(), sameInstance(KeyConfig.NONE));
|
||||
assertThat(globalConfig.trustConfig(), is(not((globalConfig.keyConfig()))));
|
||||
assertThat(globalConfig.trustConfig(), instanceOf(StoreTrustConfig.class));
|
||||
assertThat(globalConfig.sessionCacheSize(), is(equalTo(Global.DEFAULT_SESSION_CACHE_SIZE)));
|
||||
assertThat(globalConfig.sessionCacheTimeout(), is(equalTo(Global.DEFAULT_SESSION_CACHE_TIMEOUT)));
|
||||
assertThat(globalConfig.protocol(), is(equalTo(Global.DEFAULT_PROTOCOL)));
|
||||
|
@ -74,7 +71,7 @@ public class SSLConfigurationTests extends ESTestCase {
|
|||
}
|
||||
|
||||
public void testThatSSLConfigurationWithoutAutoGenHasCorrectDefaults() {
|
||||
SSLConfiguration globalSettings = new Global(NO_AUTO_GEN);
|
||||
SSLConfiguration globalSettings = new Global(Settings.EMPTY);
|
||||
SSLConfiguration scopedSettings = new Custom(Settings.EMPTY, globalSettings);
|
||||
for (SSLConfiguration sslConfiguration : Arrays.asList(globalSettings, scopedSettings)) {
|
||||
assertThat(sslConfiguration.keyConfig(), sameInstance(KeyConfig.NONE));
|
||||
|
@ -101,7 +98,7 @@ public class SSLConfigurationTests extends ESTestCase {
|
|||
SSLConfiguration globalSettings = new Global(settings);
|
||||
SSLConfiguration scopedSettings = new Custom(profileSettings, globalSettings);
|
||||
SSLConfiguration scopedEmptyGlobalSettings =
|
||||
new Custom(profileSettings, new Global(NO_AUTO_GEN));
|
||||
new Custom(profileSettings, new Global(Settings.EMPTY));
|
||||
for (SSLConfiguration sslConfiguration : Arrays.asList(globalSettings, scopedSettings, scopedEmptyGlobalSettings)) {
|
||||
assertThat(sslConfiguration.keyConfig(), instanceOf(StoreKeyConfig.class));
|
||||
StoreKeyConfig ksKeyInfo = (StoreKeyConfig) sslConfiguration.keyConfig();
|
||||
|
@ -129,7 +126,7 @@ public class SSLConfigurationTests extends ESTestCase {
|
|||
// Pass settings in as profile settings
|
||||
Settings profileSettings = settings.getByPrefix("xpack.security.ssl.");
|
||||
SSLConfiguration sslConfiguration1 = new Custom(profileSettings,
|
||||
randomBoolean() ? sslConfiguration : new Global(NO_AUTO_GEN));
|
||||
randomBoolean() ? sslConfiguration : new Global(Settings.EMPTY));
|
||||
assertThat(sslConfiguration1.keyConfig(), instanceOf(StoreKeyConfig.class));
|
||||
ksKeyInfo = (StoreKeyConfig) sslConfiguration1.keyConfig();
|
||||
assertThat(ksKeyInfo.keyStorePassword, is(equalTo("password")));
|
||||
|
@ -183,8 +180,8 @@ public class SSLConfigurationTests extends ESTestCase {
|
|||
}
|
||||
|
||||
public void testThatEmptySettingsAreEqual() {
|
||||
SSLConfiguration sslConfiguration = new Global(NO_AUTO_GEN);
|
||||
SSLConfiguration sslConfiguration1 = new Global(NO_AUTO_GEN);
|
||||
SSLConfiguration sslConfiguration = new Global(Settings.EMPTY);
|
||||
SSLConfiguration sslConfiguration1 = new Global(Settings.EMPTY);
|
||||
assertThat(sslConfiguration.equals(sslConfiguration1), is(equalTo(true)));
|
||||
assertThat(sslConfiguration1.equals(sslConfiguration), is(equalTo(true)));
|
||||
assertThat(sslConfiguration.equals(sslConfiguration), is(equalTo(true)));
|
||||
|
@ -230,8 +227,8 @@ public class SSLConfigurationTests extends ESTestCase {
|
|||
}
|
||||
|
||||
public void testThatEmptySettingsHaveSameHashCode() {
|
||||
SSLConfiguration sslConfiguration = new Global(NO_AUTO_GEN);
|
||||
SSLConfiguration sslConfiguration1 = new Global(NO_AUTO_GEN);
|
||||
SSLConfiguration sslConfiguration = new Global(Settings.EMPTY);
|
||||
SSLConfiguration sslConfiguration1 = new Global(Settings.EMPTY);
|
||||
assertThat(sslConfiguration.hashCode(), is(equalTo(sslConfiguration1.hashCode())));
|
||||
|
||||
SSLConfiguration profileSettings = new Custom(Settings.EMPTY, sslConfiguration);
|
||||
|
|
|
@ -90,11 +90,6 @@ public class SSLReloadIntegTests extends ShieldIntegTestCase {
|
|||
return true;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected boolean autoSSLEnabled() {
|
||||
return false;
|
||||
}
|
||||
|
||||
public void testThatSSLConfigurationReloadsOnModification() throws Exception {
|
||||
KeyPair keyPair = CertUtils.generateKeyPair();
|
||||
X509Certificate certificate = getCertificate(keyPair);
|
||||
|
|
|
@ -152,8 +152,7 @@ public class ServerSSLServiceTests extends ESTestCase {
|
|||
}
|
||||
|
||||
public void testThatCreateSSLEngineWithoutAnySettingsDoesNotWork() throws Exception {
|
||||
ServerSSLService sslService = new ServerSSLService(Settings.EMPTY, env, new Global(Settings.builder()
|
||||
.put(Global.AUTO_GENERATE_SSL_SETTING.getKey(), false).build()), null);
|
||||
ServerSSLService sslService = new ServerSSLService(Settings.EMPTY, env, new Global(Settings.EMPTY), null);
|
||||
try {
|
||||
sslService.createSSLEngine();
|
||||
fail("Expected IllegalArgumentException");
|
||||
|
|
|
@ -51,11 +51,6 @@ public class ServerTransportFilterIntegrationTests extends ShieldIntegTestCase {
|
|||
return true;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected boolean autoSSLEnabled() {
|
||||
return false;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected Settings nodeSettings(int nodeOrdinal) {
|
||||
Settings.Builder settingsBuilder = Settings.builder();
|
||||
|
|
|
@ -24,11 +24,6 @@ public class IPHostnameVerificationTests extends ShieldIntegTestCase {
|
|||
return true;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected boolean autoSSLEnabled() {
|
||||
return false;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected Settings nodeSettings(int nodeOrdinal) {
|
||||
Settings settings = super.nodeSettings(nodeOrdinal);
|
||||
|
|
|
@ -49,7 +49,7 @@ public class ShieldNettyHttpServerTransportTests extends ESTestCase {
|
|||
public void testDefaultClientAuth() throws Exception {
|
||||
Settings settings = Settings.builder().put(ShieldNettyHttpServerTransport.SSL_SETTING.getKey(), true).build();
|
||||
ShieldNettyHttpServerTransport transport = new ShieldNettyHttpServerTransport(settings, mock(NetworkService.class),
|
||||
mock(BigArrays.class), mock(IPFilter.class), serverSSLService, mock(ThreadPool.class), mock(Global.class));
|
||||
mock(BigArrays.class), mock(IPFilter.class), serverSSLService, mock(ThreadPool.class));
|
||||
NettyHttpMockUtil.setOpenChannelsHandlerToMock(transport);
|
||||
ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory();
|
||||
assertThat(factory.getPipeline().get(SslHandler.class).getEngine().getNeedClientAuth(), is(false));
|
||||
|
@ -62,7 +62,7 @@ public class ShieldNettyHttpServerTransportTests extends ESTestCase {
|
|||
.put(ShieldNettyHttpServerTransport.SSL_SETTING.getKey(), true)
|
||||
.put(ShieldNettyHttpServerTransport.CLIENT_AUTH_SETTING.getKey(), value).build();
|
||||
ShieldNettyHttpServerTransport transport = new ShieldNettyHttpServerTransport(settings, mock(NetworkService.class),
|
||||
mock(BigArrays.class), mock(IPFilter.class), serverSSLService, mock(ThreadPool.class), mock(Global.class));
|
||||
mock(BigArrays.class), mock(IPFilter.class), serverSSLService, mock(ThreadPool.class));
|
||||
NettyHttpMockUtil.setOpenChannelsHandlerToMock(transport);
|
||||
ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory();
|
||||
assertThat(factory.getPipeline().get(SslHandler.class).getEngine().getNeedClientAuth(), is(false));
|
||||
|
@ -75,7 +75,7 @@ public class ShieldNettyHttpServerTransportTests extends ESTestCase {
|
|||
.put(ShieldNettyHttpServerTransport.SSL_SETTING.getKey(), true)
|
||||
.put(ShieldNettyHttpServerTransport.CLIENT_AUTH_SETTING.getKey(), value).build();
|
||||
ShieldNettyHttpServerTransport transport = new ShieldNettyHttpServerTransport(settings, mock(NetworkService.class),
|
||||
mock(BigArrays.class), mock(IPFilter.class), serverSSLService, mock(ThreadPool.class), mock(Global.class));
|
||||
mock(BigArrays.class), mock(IPFilter.class), serverSSLService, mock(ThreadPool.class));
|
||||
NettyHttpMockUtil.setOpenChannelsHandlerToMock(transport);
|
||||
ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory();
|
||||
assertThat(factory.getPipeline().get(SslHandler.class).getEngine().getNeedClientAuth(), is(true));
|
||||
|
@ -88,7 +88,7 @@ public class ShieldNettyHttpServerTransportTests extends ESTestCase {
|
|||
.put(ShieldNettyHttpServerTransport.SSL_SETTING.getKey(), true)
|
||||
.put(ShieldNettyHttpServerTransport.CLIENT_AUTH_SETTING.getKey(), value).build();
|
||||
ShieldNettyHttpServerTransport transport = new ShieldNettyHttpServerTransport(settings, mock(NetworkService.class),
|
||||
mock(BigArrays.class), mock(IPFilter.class), serverSSLService, mock(ThreadPool.class), mock(Global.class));
|
||||
mock(BigArrays.class), mock(IPFilter.class), serverSSLService, mock(ThreadPool.class));
|
||||
NettyHttpMockUtil.setOpenChannelsHandlerToMock(transport);
|
||||
ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory();
|
||||
assertThat(factory.getPipeline().get(SslHandler.class).getEngine().getNeedClientAuth(), is(false));
|
||||
|
@ -99,7 +99,7 @@ public class ShieldNettyHttpServerTransportTests extends ESTestCase {
|
|||
Settings settings = Settings.builder()
|
||||
.put(ShieldNettyHttpServerTransport.SSL_SETTING.getKey(), true).build();
|
||||
ShieldNettyHttpServerTransport transport = new ShieldNettyHttpServerTransport(settings, mock(NetworkService.class),
|
||||
mock(BigArrays.class), mock(IPFilter.class), serverSSLService, mock(ThreadPool.class), mock(Global.class));
|
||||
mock(BigArrays.class), mock(IPFilter.class), serverSSLService, mock(ThreadPool.class));
|
||||
NettyHttpMockUtil.setOpenChannelsHandlerToMock(transport);
|
||||
ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory();
|
||||
SSLEngine defaultEngine = factory.getPipeline().get(SslHandler.class).getEngine();
|
||||
|
@ -109,7 +109,7 @@ public class ShieldNettyHttpServerTransportTests extends ESTestCase {
|
|||
.put("xpack.security.http.ssl.supported_protocols", "TLSv1.2")
|
||||
.build();
|
||||
transport = new ShieldNettyHttpServerTransport(settings, mock(NetworkService.class),
|
||||
mock(BigArrays.class), mock(IPFilter.class), serverSSLService, mock(ThreadPool.class), mock(Global.class));
|
||||
mock(BigArrays.class), mock(IPFilter.class), serverSSLService, mock(ThreadPool.class));
|
||||
NettyHttpMockUtil.setOpenChannelsHandlerToMock(transport);
|
||||
factory = transport.configureServerChannelPipelineFactory();
|
||||
SSLEngine customEngine = factory.getPipeline().get(SslHandler.class).getEngine();
|
||||
|
|
|
@ -53,7 +53,7 @@ public class ShieldNettyTransportTests extends ESTestCase {
|
|||
Settings settings = Settings.builder().put(ShieldNettyTransport.SSL_SETTING.getKey(), true).build();
|
||||
ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class), mock(NetworkService.class),
|
||||
mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService, mock(NamedWriteableRegistry.class),
|
||||
mock(CircuitBreakerService.class), mock(Global.class));
|
||||
mock(CircuitBreakerService.class));
|
||||
NettyMockUtil.setOpenChannelsHandlerToMock(transport);
|
||||
ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory("client",
|
||||
Settings.builder().put("xpack.security.ssl", false).build());
|
||||
|
@ -64,7 +64,7 @@ public class ShieldNettyTransportTests extends ESTestCase {
|
|||
Settings settings = Settings.builder().put(ShieldNettyTransport.SSL_SETTING.getKey(), false).build();
|
||||
ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class), mock(NetworkService.class),
|
||||
mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService, mock(NamedWriteableRegistry.class),
|
||||
mock(CircuitBreakerService.class), mock(Global.class));
|
||||
mock(CircuitBreakerService.class));
|
||||
NettyMockUtil.setOpenChannelsHandlerToMock(transport);
|
||||
ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory("client",
|
||||
Settings.builder().put("xpack.security.ssl", true).build());
|
||||
|
@ -75,7 +75,7 @@ public class ShieldNettyTransportTests extends ESTestCase {
|
|||
Settings settings = Settings.builder().put(ShieldNettyTransport.SSL_SETTING.getKey(), true).build();
|
||||
ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class), mock(NetworkService.class),
|
||||
mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService, mock(NamedWriteableRegistry.class),
|
||||
mock(CircuitBreakerService.class), mock(Global.class));
|
||||
mock(CircuitBreakerService.class));
|
||||
NettyMockUtil.setOpenChannelsHandlerToMock(transport);
|
||||
ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory("client", Settings.EMPTY);
|
||||
assertThat(factory.getPipeline().get(SslHandler.class).getEngine(), notNullValue());
|
||||
|
@ -85,7 +85,7 @@ public class ShieldNettyTransportTests extends ESTestCase {
|
|||
Settings settings = Settings.builder().put(ShieldNettyTransport.SSL_SETTING.getKey(), true).build();
|
||||
ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class), mock(NetworkService.class),
|
||||
mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService, mock(NamedWriteableRegistry.class),
|
||||
mock(CircuitBreakerService.class), mock(Global.class));
|
||||
mock(CircuitBreakerService.class));
|
||||
NettyMockUtil.setOpenChannelsHandlerToMock(transport);
|
||||
ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory("client", Settings.EMPTY);
|
||||
assertThat(factory.getPipeline().get(SslHandler.class).getEngine().getNeedClientAuth(), is(true));
|
||||
|
@ -99,7 +99,7 @@ public class ShieldNettyTransportTests extends ESTestCase {
|
|||
.put(ShieldNettyTransport.CLIENT_AUTH_SETTING.getKey(), value).build();
|
||||
ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class), mock(NetworkService.class),
|
||||
mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService, mock(NamedWriteableRegistry.class),
|
||||
mock(CircuitBreakerService.class), mock(Global.class));
|
||||
mock(CircuitBreakerService.class));
|
||||
NettyMockUtil.setOpenChannelsHandlerToMock(transport);
|
||||
ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory("client", Settings.EMPTY);
|
||||
assertThat(factory.getPipeline().get(SslHandler.class).getEngine().getNeedClientAuth(), is(true));
|
||||
|
@ -113,7 +113,7 @@ public class ShieldNettyTransportTests extends ESTestCase {
|
|||
.put(ShieldNettyTransport.CLIENT_AUTH_SETTING.getKey(), value).build();
|
||||
ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class), mock(NetworkService.class),
|
||||
mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService, mock(NamedWriteableRegistry.class),
|
||||
mock(CircuitBreakerService.class), mock(Global.class));
|
||||
mock(CircuitBreakerService.class));
|
||||
NettyMockUtil.setOpenChannelsHandlerToMock(transport);
|
||||
ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory("client", Settings.EMPTY);
|
||||
assertThat(factory.getPipeline().get(SslHandler.class).getEngine().getNeedClientAuth(), is(false));
|
||||
|
@ -127,7 +127,7 @@ public class ShieldNettyTransportTests extends ESTestCase {
|
|||
.put(ShieldNettyTransport.CLIENT_AUTH_SETTING.getKey(), value).build();
|
||||
ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class), mock(NetworkService.class),
|
||||
mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService, mock(NamedWriteableRegistry.class),
|
||||
mock(CircuitBreakerService.class), mock(Global.class));
|
||||
mock(CircuitBreakerService.class));
|
||||
NettyMockUtil.setOpenChannelsHandlerToMock(transport);
|
||||
ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory("client", Settings.EMPTY);
|
||||
assertThat(factory.getPipeline().get(SslHandler.class).getEngine().getNeedClientAuth(), is(false));
|
||||
|
@ -139,7 +139,7 @@ public class ShieldNettyTransportTests extends ESTestCase {
|
|||
Settings settings = Settings.builder().put(ShieldNettyTransport.SSL_SETTING.getKey(), true).build();
|
||||
ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class), mock(NetworkService.class),
|
||||
mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService, mock(NamedWriteableRegistry.class),
|
||||
mock(CircuitBreakerService.class), mock(Global.class));
|
||||
mock(CircuitBreakerService.class));
|
||||
NettyMockUtil.setOpenChannelsHandlerToMock(transport);
|
||||
ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory("client",
|
||||
Settings.builder().put(ShieldNettyTransport.PROFILE_CLIENT_AUTH_SETTING, value).build());
|
||||
|
@ -152,7 +152,7 @@ public class ShieldNettyTransportTests extends ESTestCase {
|
|||
Settings settings = Settings.builder().put(ShieldNettyTransport.SSL_SETTING.getKey(), true).build();
|
||||
ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class), mock(NetworkService.class),
|
||||
mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService, mock(NamedWriteableRegistry.class),
|
||||
mock(CircuitBreakerService.class), mock(Global.class));
|
||||
mock(CircuitBreakerService.class));
|
||||
NettyMockUtil.setOpenChannelsHandlerToMock(transport);
|
||||
ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory("client",
|
||||
Settings.builder().put(ShieldNettyTransport.PROFILE_CLIENT_AUTH_SETTING.getKey(), value).build());
|
||||
|
@ -165,7 +165,7 @@ public class ShieldNettyTransportTests extends ESTestCase {
|
|||
Settings settings = Settings.builder().put(ShieldNettyTransport.SSL_SETTING.getKey(), true).build();
|
||||
ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class),
|
||||
mock(NetworkService.class), mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService,
|
||||
mock(NamedWriteableRegistry.class), mock(CircuitBreakerService.class), mock(Global.class));
|
||||
mock(NamedWriteableRegistry.class), mock(CircuitBreakerService.class));
|
||||
NettyMockUtil.setOpenChannelsHandlerToMock(transport);
|
||||
ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory("client",
|
||||
Settings.builder().put(ShieldNettyTransport.PROFILE_CLIENT_AUTH_SETTING.getKey(), value).build());
|
||||
|
|
|
@ -32,11 +32,6 @@ public class SslHostnameVerificationTests extends ShieldIntegTestCase {
|
|||
return true;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected boolean autoSSLEnabled() {
|
||||
return false;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected Settings nodeSettings(int nodeOrdinal) {
|
||||
Settings settings = super.nodeSettings(nodeOrdinal);
|
||||
|
|
|
@ -54,11 +54,6 @@ public class SslClientAuthTests extends ShieldIntegTestCase {
|
|||
return true;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected boolean autoSSLEnabled() {
|
||||
return false;
|
||||
}
|
||||
|
||||
public void testThatHttpFailsWithoutSslClientAuth() throws IOException {
|
||||
SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(
|
||||
SSLContexts.createDefault(),
|
||||
|
|
|
@ -56,11 +56,6 @@ public class SslIntegrationTests extends ShieldIntegTestCase {
|
|||
return true;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected boolean autoSSLEnabled() {
|
||||
return false;
|
||||
}
|
||||
|
||||
// no SSL exception as this is the exception is returned when connecting
|
||||
public void testThatUnconfiguredCiphersAreRejected() {
|
||||
try (TransportClient transportClient = TransportClient.builder().addPlugin(XPackPlugin.class).settings(Settings.builder()
|
||||
|
|
|
@ -87,11 +87,6 @@ public class SslMultiPortTests extends ShieldIntegTestCase {
|
|||
return true;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected boolean autoSSLEnabled() {
|
||||
return false;
|
||||
}
|
||||
|
||||
private TransportClient createTransportClient(Settings additionalSettings) {
|
||||
Settings clientSettings = transportClientSettings();
|
||||
if (additionalSettings.getByPrefix("xpack.security.ssl.").isEmpty() == false) {
|
||||
|
|
|
@ -100,8 +100,7 @@ public abstract class ShieldIntegTestCase extends ESIntegTestCase {
|
|||
@BeforeClass
|
||||
public static void initDefaultSettings() {
|
||||
if (SHIELD_DEFAULT_SETTINGS == null) {
|
||||
SHIELD_DEFAULT_SETTINGS = new ShieldSettingsSource(maxNumberOfNodes(), randomBoolean(), randomBoolean(), createTempDir(),
|
||||
Scope.SUITE);
|
||||
SHIELD_DEFAULT_SETTINGS = new ShieldSettingsSource(maxNumberOfNodes(), randomBoolean(), createTempDir(), Scope.SUITE);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -124,13 +123,13 @@ public abstract class ShieldIntegTestCase extends ESIntegTestCase {
|
|||
switch (currentClusterScope) {
|
||||
case SUITE:
|
||||
if (customShieldSettingsSource == null) {
|
||||
customShieldSettingsSource = new CustomShieldSettingsSource(sslTransportEnabled(), autoSSLEnabled(),
|
||||
createTempDir(), currentClusterScope);
|
||||
customShieldSettingsSource =
|
||||
new CustomShieldSettingsSource(sslTransportEnabled(), createTempDir(), currentClusterScope);
|
||||
}
|
||||
break;
|
||||
case TEST:
|
||||
customShieldSettingsSource = new CustomShieldSettingsSource(sslTransportEnabled(), autoSSLEnabled(), createTempDir(),
|
||||
currentClusterScope);
|
||||
customShieldSettingsSource =
|
||||
new CustomShieldSettingsSource(sslTransportEnabled(), createTempDir(), currentClusterScope);
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
@ -266,18 +265,14 @@ public abstract class ShieldIntegTestCase extends ESIntegTestCase {
|
|||
return randomBoolean();
|
||||
}
|
||||
|
||||
protected boolean autoSSLEnabled() {
|
||||
return randomBoolean();
|
||||
}
|
||||
|
||||
protected Class<? extends XPackPlugin> xpackPluginClass() {
|
||||
return SHIELD_DEFAULT_SETTINGS.xpackPluginClass();
|
||||
}
|
||||
|
||||
private class CustomShieldSettingsSource extends ShieldSettingsSource {
|
||||
|
||||
private CustomShieldSettingsSource(boolean sslTransportEnabled, boolean autoSSLEnabled, Path configDir, Scope scope) {
|
||||
super(maxNumberOfNodes(), sslTransportEnabled, autoSSLEnabled, configDir, scope);
|
||||
private CustomShieldSettingsSource(boolean sslTransportEnabled, Path configDir, Scope scope) {
|
||||
super(maxNumberOfNodes(), sslTransportEnabled, configDir, scope);
|
||||
}
|
||||
|
||||
@Override
|
||||
|
|
|
@ -12,6 +12,7 @@ import org.elasticsearch.common.settings.Settings;
|
|||
import org.elasticsearch.common.util.concurrent.ThreadContext;
|
||||
import org.elasticsearch.marvel.Monitoring;
|
||||
import org.elasticsearch.plugins.Plugin;
|
||||
import org.elasticsearch.test.ESIntegTestCase.Scope;
|
||||
import org.elasticsearch.shield.authc.file.FileRealm;
|
||||
import org.elasticsearch.shield.authc.esnative.NativeRealm;
|
||||
import org.elasticsearch.shield.Security;
|
||||
|
@ -84,7 +85,6 @@ public class ShieldSettingsSource extends ClusterDiscoveryConfiguration.UnicastZ
|
|||
private final String subfolderPrefix;
|
||||
private final byte[] systemKey;
|
||||
private final boolean sslTransportEnabled;
|
||||
private final boolean autoSSLEnabled;
|
||||
private final boolean hostnameVerificationEnabled;
|
||||
private final boolean hostnameVerificationResolveNameEnabled;
|
||||
|
||||
|
@ -96,9 +96,8 @@ public class ShieldSettingsSource extends ClusterDiscoveryConfiguration.UnicastZ
|
|||
* @param parentFolder the parent folder that will contain all of the configuration files that need to be created
|
||||
* @param scope the scope of the test that is requiring an instance of ShieldSettingsSource
|
||||
*/
|
||||
public ShieldSettingsSource(int numOfNodes, boolean sslTransportEnabled, boolean autoSSLEnabled, Path parentFolder,
|
||||
ESIntegTestCase.Scope scope) {
|
||||
this(numOfNodes, sslTransportEnabled, autoSSLEnabled, generateKey(), parentFolder, scope);
|
||||
public ShieldSettingsSource(int numOfNodes, boolean sslTransportEnabled, Path parentFolder, Scope scope) {
|
||||
this(numOfNodes, sslTransportEnabled, generateKey(), parentFolder, scope);
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -110,14 +109,12 @@ public class ShieldSettingsSource extends ClusterDiscoveryConfiguration.UnicastZ
|
|||
* @param parentFolder the parent folder that will contain all of the configuration files that need to be created
|
||||
* @param scope the scope of the test that is requiring an instance of ShieldSettingsSource
|
||||
*/
|
||||
public ShieldSettingsSource(int numOfNodes, boolean sslTransportEnabled, boolean autoSSLEnabled, byte[] systemKey, Path parentFolder,
|
||||
ESIntegTestCase.Scope scope) {
|
||||
public ShieldSettingsSource(int numOfNodes, boolean sslTransportEnabled, byte[] systemKey, Path parentFolder, Scope scope) {
|
||||
super(numOfNodes, DEFAULT_SETTINGS);
|
||||
this.systemKey = systemKey;
|
||||
this.parentFolder = parentFolder;
|
||||
this.subfolderPrefix = scope.name();
|
||||
this.sslTransportEnabled = sslTransportEnabled;
|
||||
this.autoSSLEnabled = autoSSLEnabled;
|
||||
this.hostnameVerificationEnabled = randomBoolean();
|
||||
this.hostnameVerificationResolveNameEnabled = randomBoolean();
|
||||
}
|
||||
|
@ -216,10 +213,6 @@ public class ShieldSettingsSource extends ClusterDiscoveryConfiguration.UnicastZ
|
|||
}
|
||||
|
||||
public Settings getNodeSSLSettings() {
|
||||
if (sslTransportEnabled && autoSSLEnabled) {
|
||||
return Settings.EMPTY;
|
||||
}
|
||||
|
||||
if (randomBoolean()) {
|
||||
return getSSLSettingsForPEMFiles("/org/elasticsearch/shield/transport/ssl/certs/simple/testnode.pem", "testnode",
|
||||
Collections.singletonList("/org/elasticsearch/shield/transport/ssl/certs/simple/testnode.crt"),
|
||||
|
@ -235,10 +228,6 @@ public class ShieldSettingsSource extends ClusterDiscoveryConfiguration.UnicastZ
|
|||
}
|
||||
|
||||
public Settings getClientSSLSettings() {
|
||||
if (sslTransportEnabled && autoSSLEnabled) {
|
||||
return Settings.EMPTY;
|
||||
}
|
||||
|
||||
if (randomBoolean()) {
|
||||
return getSSLSettingsForPEMFiles("/org/elasticsearch/shield/transport/ssl/certs/simple/testclient.pem", "testclient",
|
||||
Collections.singletonList("/org/elasticsearch/shield/transport/ssl/certs/simple/testclient.crt"),
|
||||
|
|
Loading…
Reference in New Issue