security: fix initialization of server sets in ldap session factories

The SessionFactory construction was calling the `ldapServers` method in the constructor,
which was fine for all of the session factories except for the ActiveDirectorySessionFactory.
The ActiveDirectorySessionFactory overrides the ldapServers method and use class variables
that are initialized in its constructor so the value was always null.

This change moves setup to an init method for objects that depend on variables set during
construction.

Closes elastic/elasticsearch#2011

Original commit: elastic/x-pack-elasticsearch@07c15ce171

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/activedirectory/ActiveDirectoryRealm.java

@@ -41,7 +41,7 @@ public class ActiveDirectoryRealm extends AbstractLdapRealm {
 
         @Override
         public ActiveDirectoryRealm create(RealmConfig config) {
-            ActiveDirectorySessionFactory connectionFactory = new ActiveDirectorySessionFactory(config, clientSSLService);
+            ActiveDirectorySessionFactory connectionFactory = new ActiveDirectorySessionFactory(config, clientSSLService).init();
             DnRoleMapper roleMapper = new DnRoleMapper(TYPE, config, watcherService, null);
             return new ActiveDirectoryRealm(config, connectionFactory, roleMapper);
         }

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/activedirectory/ActiveDirectorySessionFactory.java

@@ -76,7 +76,7 @@ public class ActiveDirectorySessionFactory extends SessionFactory {
      * @return An authenticated
      */
     @Override
-    public LdapSession session(String userName, SecuredString password) throws Exception {
+    protected LdapSession getSession(String userName, SecuredString password) throws Exception {
         LDAPConnection connection;
 
         try {

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/ldap/LdapRealm.java

@@ -60,9 +60,9 @@ public class LdapRealm extends AbstractLdapRealm {
                             "Please remove the settings for the mode you do not wish to use. For more details refer to the ldap " +
                             "authentication section of the Shield guide.");
                 }
-                return new LdapUserSearchSessionFactory(config, clientSSLService);
+                return new LdapUserSearchSessionFactory(config, clientSSLService).init();
             }
-            return new LdapSessionFactory(config, clientSSLService);
+            return new LdapSessionFactory(config, clientSSLService).init();
         }
     }
 }

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/ldap/LdapSessionFactory.java

@@ -53,7 +53,7 @@ public class LdapSessionFactory extends SessionFactory {
      * @return authenticated exception
      */
     @Override
-    public LdapSession session(String username, SecuredString password) throws Exception {
+    protected LdapSession getSession(String username, SecuredString password) throws Exception {
         LDAPConnection connection;
 
         try {

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/ldap/LdapUserSearchSessionFactory.java

@@ -40,12 +40,12 @@ public class LdapUserSearchSessionFactory extends SessionFactory {
     static final String DEFAULT_USERNAME_ATTRIBUTE = "uid";
     static final TimeValue DEFAULT_HEALTH_CHECK_INTERVAL = TimeValue.timeValueSeconds(60L);
 
-    private final GroupsResolver groupResolver;
     private final String userSearchBaseDn;
     private final LdapSearchScope scope;
     private final String userAttribute;
 
     private LDAPConnectionPool connectionPool;
+    private GroupsResolver groupResolver;
 
     public LdapUserSearchSessionFactory(RealmConfig config, ClientSSLService sslService) {
         super(config, sslService);
@@ -56,8 +56,14 @@ public class LdapUserSearchSessionFactory extends SessionFactory {
         }
         scope = LdapSearchScope.resolve(settings.get("user_search.scope"), LdapSearchScope.SUB_TREE);
         userAttribute = settings.get("user_search.attribute", DEFAULT_USERNAME_ATTRIBUTE);
+    }
+
+    @Override
+    public LdapUserSearchSessionFactory init() {
+        super.init();
         connectionPool = createConnectionPool(config, serverSet, timeout, logger);
-        groupResolver = groupResolver(settings);
+        groupResolver = groupResolver(config.settings());
+        return this;
     }
 
     private synchronized LDAPConnectionPool connectionPool() throws IOException {
@@ -119,7 +125,7 @@ public class LdapUserSearchSessionFactory extends SessionFactory {
     }
 
     @Override
-    public LdapSession session(String user, SecuredString password) throws Exception {
+    protected LdapSession getSession(String user, SecuredString password) throws Exception {
         try {
             String dn = findUserDN(user);
             tryBind(dn, password);

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/ldap/support/SessionFactory.java

@@ -51,7 +51,8 @@ public abstract class SessionFactory {
     protected final ESLogger connectionLogger;
     protected final RealmConfig config;
     protected final TimeValue timeout;
-    protected final ServerSet serverSet;
+    protected final ClientSSLService sslService;
+    protected ServerSet serverSet;
 
     protected SessionFactory(RealmConfig config, ClientSSLService sslService) {
         this.config = config;
@@ -64,7 +65,7 @@ public abstract class SessionFactory {
             searchTimeout = TimeValue.timeValueSeconds(1L);
         }
         this.timeout = searchTimeout;
-        this.serverSet = serverSet(config.settings(), sslService, ldapServers(config.settings()));
+        this.sslService = sslService;
     }
 
     /**
@@ -76,7 +77,24 @@ public abstract class SessionFactory {
      * @return LdapSession representing a connection to LDAP as the provided user
      * @throws Exception if an error occurred when creating the session
      */
-    public abstract LdapSession session(String user, SecuredString password) throws Exception;
+    public final LdapSession session(String user, SecuredString password) throws Exception {
+        if (serverSet == null) {
+            throw new IllegalStateException("session factory is not initialized");
+        }
+        return getSession(user, password);
+    }
+
+    /**
+     * Implementors should create a {@link LdapSession} that will be used to Authenticates the given user. This connection
+     * should be bound to the user (meaning, all operations under the returned connection will be executed on behalf of the authenticated
+     * user.
+     *
+     * @param user     The name of the user to authenticate the connection with.
+     * @param password The password of the user
+     * @return LdapSession representing a connection to LDAP as the provided user
+     * @throws Exception if an error occurred when creating the session
+     */
+    protected abstract LdapSession getSession(String user, SecuredString password) throws Exception;
 
     /**
      * Returns a flag to indicate if this session factory supports unauthenticated sessions. This means that a session can
@@ -99,6 +117,11 @@ public abstract class SessionFactory {
         throw new UnsupportedOperationException("unauthenticated sessions are not supported");
     }
 
+    public <T extends SessionFactory> T init() {
+        this.serverSet = serverSet(config.settings(), sslService, ldapServers(config.settings()));
+        return (T) this;
+    }
+
     protected static LDAPConnectionOptions connectionOptions(Settings settings) {
         LDAPConnectionOptions options = new LDAPConnectionOptions();
         options.setConnectTimeoutMillis(Math.toIntExact(settings.getAsTime(TIMEOUT_TCP_CONNECTION_SETTING, TIMEOUT_DEFAULT).millis()));

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/ldap/AbstractAdLdapRealmTestCase.java

@@ -178,7 +178,15 @@ abstract public class AbstractAdLdapRealmTestCase extends ShieldIntegTestCase {
                         .put(SHIELD_AUTHC_REALMS_EXTERNAL + ".domain_name", "ad.test.elasticsearch.com")
                         .put(SHIELD_AUTHC_REALMS_EXTERNAL + ".group_search.base_dn", "CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com")
                         .put(SHIELD_AUTHC_REALMS_EXTERNAL + ".group_search.scope", randomBoolean() ? SUB_TREE : ONE_LEVEL)
-                        .put(SHIELD_AUTHC_REALMS_EXTERNAL + ".url", "ldaps://ad.test.elasticsearch.com:636")
+                        .build()),
+
+        AD_SSL(false, AD_ROLE_MAPPING,
+                Settings.builder()
+                        .put(SHIELD_AUTHC_REALMS_EXTERNAL + ".type", ActiveDirectoryRealm.TYPE)
+                        .put(SHIELD_AUTHC_REALMS_EXTERNAL + ".domain_name", "ad.test.elasticsearch.com")
+                        .put(SHIELD_AUTHC_REALMS_EXTERNAL + ".group_search.base_dn", "CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com")
+                        .put(SHIELD_AUTHC_REALMS_EXTERNAL + ".group_search.scope", randomBoolean() ? SUB_TREE : ONE_LEVEL)
+                        .put(SHIELD_AUTHC_REALMS_EXTERNAL + ".url", "ldap://ad.test.elasticsearch.com:389")
                         .build()),
 
         AD_LDAP_GROUPS_FROM_SEARCH(true, AD_ROLE_MAPPING,

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/activedirectory/ActiveDirectoryRealmTests.java

@@ -108,7 +108,7 @@ public class ActiveDirectoryRealmTests extends ESTestCase {
     public void testAuthenticateUserPrincipleName() throws Exception {
         Settings settings = settings();
         RealmConfig config = new RealmConfig("testAuthenticateUserPrincipleName", settings, globalSettings);
-        ActiveDirectorySessionFactory sessionFactory = new ActiveDirectorySessionFactory(config, null);
+        ActiveDirectorySessionFactory sessionFactory = new ActiveDirectorySessionFactory(config, null).init();
         DnRoleMapper roleMapper = new DnRoleMapper(ActiveDirectoryRealm.TYPE, config, resourceWatcherService, null);
         ActiveDirectoryRealm realm = new ActiveDirectoryRealm(config, sessionFactory, roleMapper);
 
@@ -120,7 +120,7 @@ public class ActiveDirectoryRealmTests extends ESTestCase {
     public void testAuthenticateSAMAccountName() throws Exception {
         Settings settings = settings();
         RealmConfig config = new RealmConfig("testAuthenticateSAMAccountName", settings, globalSettings);
-        ActiveDirectorySessionFactory sessionFactory = new ActiveDirectorySessionFactory(config, null);
+        ActiveDirectorySessionFactory sessionFactory = new ActiveDirectorySessionFactory(config, null).init();
         DnRoleMapper roleMapper = new DnRoleMapper(ActiveDirectoryRealm.TYPE, config, resourceWatcherService, null);
         ActiveDirectoryRealm realm = new ActiveDirectoryRealm(config, sessionFactory, roleMapper);
 
@@ -142,7 +142,7 @@ public class ActiveDirectoryRealmTests extends ESTestCase {
     public void testAuthenticateCachesSuccesfulAuthentications() throws Exception {
         Settings settings = settings();
         RealmConfig config = new RealmConfig("testAuthenticateCachesSuccesfulAuthentications", settings, globalSettings);
-        ActiveDirectorySessionFactory sessionFactory = spy(new ActiveDirectorySessionFactory(config, null));
+        ActiveDirectorySessionFactory sessionFactory = spy(new ActiveDirectorySessionFactory(config, null).init());
         DnRoleMapper roleMapper = new DnRoleMapper(ActiveDirectoryRealm.TYPE, config, resourceWatcherService, null);
         ActiveDirectoryRealm realm = new ActiveDirectoryRealm(config, sessionFactory, roleMapper);
 
@@ -158,7 +158,7 @@ public class ActiveDirectoryRealmTests extends ESTestCase {
     public void testAuthenticateCachingCanBeDisabled() throws Exception {
         Settings settings = settings(Settings.builder().put(CachingUsernamePasswordRealm.CACHE_TTL_SETTING, -1).build());
         RealmConfig config = new RealmConfig("testAuthenticateCachingCanBeDisabled", settings, globalSettings);
-        ActiveDirectorySessionFactory sessionFactory = spy(new ActiveDirectorySessionFactory(config, null));
+        ActiveDirectorySessionFactory sessionFactory = spy(new ActiveDirectorySessionFactory(config, null).init());
         DnRoleMapper roleMapper = new DnRoleMapper(ActiveDirectoryRealm.TYPE, config, resourceWatcherService, null);
         ActiveDirectoryRealm realm = new ActiveDirectoryRealm(config, sessionFactory, roleMapper);
 
@@ -174,7 +174,7 @@ public class ActiveDirectoryRealmTests extends ESTestCase {
     public void testAuthenticateCachingClearsCacheOnRoleMapperRefresh() throws Exception {
         Settings settings = settings();
         RealmConfig config = new RealmConfig("testAuthenticateCachingClearsCacheOnRoleMapperRefresh", settings, globalSettings);
-        ActiveDirectorySessionFactory sessionFactory = spy(new ActiveDirectorySessionFactory(config, null));
+        ActiveDirectorySessionFactory sessionFactory = spy(new ActiveDirectorySessionFactory(config, null).init());
         DnRoleMapper roleMapper = new DnRoleMapper(ActiveDirectoryRealm.TYPE, config, resourceWatcherService, null);
         ActiveDirectoryRealm realm = new ActiveDirectoryRealm(config, sessionFactory, roleMapper);
 
@@ -201,7 +201,7 @@ public class ActiveDirectoryRealmTests extends ESTestCase {
                 .put(DnRoleMapper.ROLE_MAPPING_FILE_SETTING, getDataPath("role_mapping.yml"))
                 .build());
         RealmConfig config = new RealmConfig("testRealmMapsGroupsToRoles", settings, globalSettings);
-        ActiveDirectorySessionFactory sessionFactory = new ActiveDirectorySessionFactory(config, null);
+        ActiveDirectorySessionFactory sessionFactory = new ActiveDirectorySessionFactory(config, null).init();
         DnRoleMapper roleMapper = new DnRoleMapper(ActiveDirectoryRealm.TYPE, config, resourceWatcherService, null);
         ActiveDirectoryRealm realm = new ActiveDirectoryRealm(config, sessionFactory, roleMapper);
 
@@ -215,7 +215,7 @@ public class ActiveDirectoryRealmTests extends ESTestCase {
                 .put(DnRoleMapper.ROLE_MAPPING_FILE_SETTING, getDataPath("role_mapping.yml"))
                 .build());
         RealmConfig config = new RealmConfig("testRealmMapsGroupsToRoles", settings, globalSettings);
-        ActiveDirectorySessionFactory sessionFactory = new ActiveDirectorySessionFactory(config, null);
+        ActiveDirectorySessionFactory sessionFactory = new ActiveDirectorySessionFactory(config, null).init();
         DnRoleMapper roleMapper = new DnRoleMapper(ActiveDirectoryRealm.TYPE, config, resourceWatcherService, null);
         ActiveDirectoryRealm realm = new ActiveDirectoryRealm(config, sessionFactory, roleMapper);
 

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/activedirectory/ActiveDirectorySessionFactoryTests.java

@@ -60,7 +60,7 @@ public class ActiveDirectorySessionFactoryTests extends ESTestCase {
     @SuppressWarnings("unchecked")
     public void testAdAuth() throws Exception {
         RealmConfig config = new RealmConfig("ad-test", buildAdSettings(AD_LDAP_URL, AD_DOMAIN, false), globalSettings);
-        ActiveDirectorySessionFactory sessionFactory = new ActiveDirectorySessionFactory(config, clientSSLService);
+        ActiveDirectorySessionFactory sessionFactory = new ActiveDirectorySessionFactory(config, clientSSLService).init();
 
         String userName = "ironman";
         try (LdapSession ldap = sessionFactory.session(userName, SecuredStringTests.build(PASSWORD))) {
@@ -86,7 +86,7 @@ public class ActiveDirectorySessionFactoryTests extends ESTestCase {
                 .put(SessionFactory.TIMEOUT_TCP_READ_SETTING, "1ms")
                 .build();
         RealmConfig config = new RealmConfig("ad-test", settings, globalSettings);
-        ActiveDirectorySessionFactory sessionFactory = new ActiveDirectorySessionFactory(config, clientSSLService);
+        ActiveDirectorySessionFactory sessionFactory = new ActiveDirectorySessionFactory(config, clientSSLService).init();
 
         try (LdapSession ldap = sessionFactory.session("ironman", SecuredStringTests.build(PASSWORD))) {
             // In certain cases we may have a successful bind, but a search should take longer and cause a timeout
@@ -100,7 +100,7 @@ public class ActiveDirectorySessionFactoryTests extends ESTestCase {
 
     public void testAdAuthAvengers() throws Exception {
         RealmConfig config = new RealmConfig("ad-test", buildAdSettings(AD_LDAP_URL, AD_DOMAIN, false), globalSettings);
-        ActiveDirectorySessionFactory sessionFactory = new ActiveDirectorySessionFactory(config, clientSSLService);
+        ActiveDirectorySessionFactory sessionFactory = new ActiveDirectorySessionFactory(config, clientSSLService).init();
 
         String[] users = new String[]{"cap", "hawkeye", "hulk", "ironman", "thor", "blackwidow", };
         for(String user: users) {
@@ -115,7 +115,7 @@ public class ActiveDirectorySessionFactoryTests extends ESTestCase {
         Settings settings = buildAdSettings(AD_LDAP_URL, AD_DOMAIN, "CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com",
                 LdapSearchScope.ONE_LEVEL, false);
         RealmConfig config = new RealmConfig("ad-test", settings, globalSettings);
-        ActiveDirectorySessionFactory sessionFactory = new ActiveDirectorySessionFactory(config, clientSSLService);
+        ActiveDirectorySessionFactory sessionFactory = new ActiveDirectorySessionFactory(config, clientSSLService).init();
 
         String userName = "hulk";
         try (LdapSession ldap = sessionFactory.session(userName, SecuredStringTests.build(PASSWORD))) {
@@ -137,7 +137,7 @@ public class ActiveDirectorySessionFactoryTests extends ESTestCase {
         Settings settings = buildAdSettings(AD_LDAP_URL, AD_DOMAIN, "CN=Bruce Banner, CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com",
                 LdapSearchScope.BASE, false);
         RealmConfig config = new RealmConfig("ad-test", settings, globalSettings);
-        ActiveDirectorySessionFactory sessionFactory = new ActiveDirectorySessionFactory(config, clientSSLService);
+        ActiveDirectorySessionFactory sessionFactory = new ActiveDirectorySessionFactory(config, clientSSLService).init();
 
         String userName = "hulk";
         try (LdapSession ldap = sessionFactory.session(userName, SecuredStringTests.build(PASSWORD))) {
@@ -163,7 +163,7 @@ public class ActiveDirectorySessionFactoryTests extends ESTestCase {
                 .put(ActiveDirectorySessionFactory.AD_GROUP_SEARCH_SCOPE_SETTING, LdapSearchScope.BASE)
                 .build();
         RealmConfig config = new RealmConfig("ad-test", settings, globalSettings);
-        ActiveDirectorySessionFactory sessionFactory = new ActiveDirectorySessionFactory(config, clientSSLService);
+        ActiveDirectorySessionFactory sessionFactory = new ActiveDirectorySessionFactory(config, clientSSLService).init();
 
         String userName = "hulk";
         try (LdapSession ldap = sessionFactory.session(userName, SecuredStringTests.build(PASSWORD))) {
@@ -178,7 +178,7 @@ public class ActiveDirectorySessionFactoryTests extends ESTestCase {
         Settings settings = buildAdSettings(AD_LDAP_URL, AD_DOMAIN, "CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com",
                 LdapSearchScope.ONE_LEVEL, false);
         RealmConfig config = new RealmConfig("ad-test", settings, globalSettings);
-        ActiveDirectorySessionFactory sessionFactory = new ActiveDirectorySessionFactory(config, clientSSLService);
+        ActiveDirectorySessionFactory sessionFactory = new ActiveDirectorySessionFactory(config, clientSSLService).init();
 
         //Login with the UserPrincipalName
         String userDN = "CN=Erik Selvig,CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com";
@@ -196,7 +196,7 @@ public class ActiveDirectorySessionFactoryTests extends ESTestCase {
         Settings settings = buildAdSettings(AD_LDAP_URL, AD_DOMAIN, "CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com",
                 LdapSearchScope.ONE_LEVEL, false);
         RealmConfig config = new RealmConfig("ad-test", settings, globalSettings);
-        ActiveDirectorySessionFactory sessionFactory = new ActiveDirectorySessionFactory(config, clientSSLService);
+        ActiveDirectorySessionFactory sessionFactory = new ActiveDirectorySessionFactory(config, clientSSLService).init();
 
         //login with sAMAccountName
         String userDN = "CN=Erik Selvig,CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com";
@@ -220,7 +220,7 @@ public class ActiveDirectorySessionFactoryTests extends ESTestCase {
                         "(&(objectclass=user)(userPrincipalName={0}@ad.test.elasticsearch.com))")
                 .build();
         RealmConfig config = new RealmConfig("ad-test", settings, globalSettings);
-        ActiveDirectorySessionFactory sessionFactory = new ActiveDirectorySessionFactory(config, clientSSLService);
+        ActiveDirectorySessionFactory sessionFactory = new ActiveDirectorySessionFactory(config, clientSSLService).init();
 
         //Login with the UserPrincipalName
         try (LdapSession ldap = sessionFactory.session("erik.selvig", SecuredStringTests.build(PASSWORD))) {
@@ -239,7 +239,7 @@ public class ActiveDirectorySessionFactoryTests extends ESTestCase {
         String userTemplate = "CN={0},CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com";
         Settings settings = LdapTestCase.buildLdapSettings(AD_LDAP_URL, userTemplate, groupSearchBase, LdapSearchScope.SUB_TREE);
         RealmConfig config = new RealmConfig("ad-as-ldap-test", settings, globalSettings);
-        LdapSessionFactory sessionFactory = new LdapSessionFactory(config, clientSSLService);
+        LdapSessionFactory sessionFactory = new LdapSessionFactory(config, clientSSLService).init();
 
         String user = "Bruce Banner";
         try (LdapSession ldap = sessionFactory.session(user, SecuredStringTests.build(PASSWORD))) {
@@ -258,7 +258,7 @@ public class ActiveDirectorySessionFactoryTests extends ESTestCase {
         String userTemplate = "CN={0},CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com";
         Settings settings = LdapTestCase.buildLdapSettings(new String[] { AD_LDAP_URL }, userTemplate, false);
         RealmConfig config = new RealmConfig("ad-as-ldap-test", settings, globalSettings);
-        LdapSessionFactory sessionFactory = new LdapSessionFactory(config, clientSSLService);
+        LdapSessionFactory sessionFactory = new LdapSessionFactory(config, clientSSLService).init();
 
         String user = "Bruce Banner";
         try (LdapSession ldap = sessionFactory.session(user, SecuredStringTests.build(PASSWORD))) {
@@ -274,7 +274,7 @@ public class ActiveDirectorySessionFactoryTests extends ESTestCase {
 
     public void testAdAuthWithHostnameVerification() throws Exception {
         RealmConfig config = new RealmConfig("ad-test", buildAdSettings(AD_LDAP_URL, AD_DOMAIN, true), globalSettings);
-        ActiveDirectorySessionFactory sessionFactory = new ActiveDirectorySessionFactory(config, clientSSLService);
+        ActiveDirectorySessionFactory sessionFactory = new ActiveDirectorySessionFactory(config, clientSSLService).init();
 
         String userName = "ironman";
         try (LdapSession ldap = sessionFactory.session(userName, SecuredStringTests.build(PASSWORD))) {
@@ -292,7 +292,7 @@ public class ActiveDirectorySessionFactoryTests extends ESTestCase {
                 .put(LdapSessionFactory.HOSTNAME_VERIFICATION_SETTING, true)
                 .build();
         RealmConfig config = new RealmConfig("ad-test", settings, globalSettings);
-        LdapSessionFactory sessionFactory = new LdapSessionFactory(config, clientSSLService);
+        LdapSessionFactory sessionFactory = new LdapSessionFactory(config, clientSSLService).init();
 
         String user = "Bruce Banner";
         try (LdapSession ldap = sessionFactory.session(user, SecuredStringTests.build(PASSWORD))) {

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/ldap/LdapRealmTests.java

@@ -61,7 +61,7 @@ public class LdapRealmTests extends LdapTestCase {
         String userTemplate = VALID_USER_TEMPLATE;
         Settings settings = buildLdapSettings(ldapUrls(), userTemplate, groupSearchBase, LdapSearchScope.SUB_TREE);
         RealmConfig config = new RealmConfig("test-ldap-realm", settings, globalSettings);
-        LdapSessionFactory ldapFactory = new LdapSessionFactory(config, null);
+        LdapSessionFactory ldapFactory = new LdapSessionFactory(config, null).init();
         LdapRealm ldap = new LdapRealm(config, ldapFactory, buildGroupAsRoleMapper(resourceWatcherService));
 
         User user = ldap.authenticate(new UsernamePasswordToken(VALID_USERNAME, SecuredStringTests.build(PASSWORD)));
@@ -77,7 +77,7 @@ public class LdapRealmTests extends LdapTestCase {
                 .build();
         RealmConfig config = new RealmConfig("test-ldap-realm", settings, globalSettings);
 
-        LdapSessionFactory ldapFactory = new LdapSessionFactory(config, null);
+        LdapSessionFactory ldapFactory = new LdapSessionFactory(config, null).init();
         LdapRealm ldap = new LdapRealm(config, ldapFactory, buildGroupAsRoleMapper(resourceWatcherService));
 
         User user = ldap.authenticate(new UsernamePasswordToken(VALID_USERNAME, SecuredStringTests.build(PASSWORD)));
@@ -93,7 +93,7 @@ public class LdapRealmTests extends LdapTestCase {
                 .build();
         RealmConfig config = new RealmConfig("test-ldap-realm", settings, globalSettings);
 
-        LdapSessionFactory ldapFactory = new LdapSessionFactory(config, null);
+        LdapSessionFactory ldapFactory = new LdapSessionFactory(config, null).init();
         ldapFactory = spy(ldapFactory);
         LdapRealm ldap = new LdapRealm(config, ldapFactory, buildGroupAsRoleMapper(resourceWatcherService));
         ldap.authenticate(new UsernamePasswordToken(VALID_USERNAME, SecuredStringTests.build(PASSWORD)));
@@ -111,7 +111,7 @@ public class LdapRealmTests extends LdapTestCase {
                 .build();
         RealmConfig config = new RealmConfig("test-ldap-realm", settings, globalSettings);
 
-        LdapSessionFactory ldapFactory = new LdapSessionFactory(config, null);
+        LdapSessionFactory ldapFactory = new LdapSessionFactory(config, null).init();
         DnRoleMapper roleMapper = buildGroupAsRoleMapper(resourceWatcherService);
         ldapFactory = spy(ldapFactory);
         LdapRealm ldap = new LdapRealm(config, ldapFactory, roleMapper);
@@ -138,7 +138,7 @@ public class LdapRealmTests extends LdapTestCase {
                 .build();
         RealmConfig config = new RealmConfig("test-ldap-realm", settings, globalSettings);
 
-        LdapSessionFactory ldapFactory = new LdapSessionFactory(config, null);
+        LdapSessionFactory ldapFactory = new LdapSessionFactory(config, null).init();
         ldapFactory = spy(ldapFactory);
         LdapRealm ldap = new LdapRealm(config, ldapFactory, buildGroupAsRoleMapper(resourceWatcherService));
         ldap.authenticate(new UsernamePasswordToken(VALID_USERNAME, SecuredStringTests.build(PASSWORD)));
@@ -210,7 +210,7 @@ public class LdapRealmTests extends LdapTestCase {
                 .build();
         RealmConfig config = new RealmConfig("test-ldap-realm-userdn", settings, globalSettings);
 
-        LdapSessionFactory ldapFactory = new LdapSessionFactory(config, null);
+        LdapSessionFactory ldapFactory = new LdapSessionFactory(config, null).init();
         LdapRealm ldap = new LdapRealm(config, ldapFactory, new DnRoleMapper(LdapRealm.TYPE, config, resourceWatcherService, null));
 
         User user = ldap.authenticate(new UsernamePasswordToken("Horatio Hornblower", SecuredStringTests.build(PASSWORD)));

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/ldap/LdapSessionFactoryTests.java

@@ -49,7 +49,7 @@ public class LdapSessionFactoryTests extends LdapTestCase {
                 .build();
 
         RealmConfig config = new RealmConfig("ldap_realm", settings, globalSettings);
-        LdapSessionFactory sessionFactory = new LdapSessionFactory(config, null);
+        LdapSessionFactory sessionFactory = new LdapSessionFactory(config, null).init();
         String user = "Horatio Hornblower";
         SecuredString userPass = SecuredStringTests.build("pass");
 
@@ -78,7 +78,7 @@ public class LdapSessionFactoryTests extends LdapTestCase {
                 .build();
 
         RealmConfig config = new RealmConfig("ldap_realm", settings, globalSettings);
-        LdapSessionFactory sessionFactory = new LdapSessionFactory(config, null);
+        LdapSessionFactory sessionFactory = new LdapSessionFactory(config, null).init();
         String user = "Horatio Hornblower";
         SecuredString userPass = SecuredStringTests.build("pass");
 
@@ -103,7 +103,7 @@ public class LdapSessionFactoryTests extends LdapTestCase {
         RealmConfig config = new RealmConfig("ldap_realm", buildLdapSettings(ldapUrls(), userTemplates, groupSearchBase,
                 LdapSearchScope.SUB_TREE), globalSettings);
 
-        LdapSessionFactory sessionFactory = new LdapSessionFactory(config, null);
+        LdapSessionFactory sessionFactory = new LdapSessionFactory(config, null).init();
 
         String user = "Horatio Hornblower";
         SecuredString userPass = SecuredStringTests.build("pass");
@@ -124,7 +124,7 @@ public class LdapSessionFactoryTests extends LdapTestCase {
         RealmConfig config = new RealmConfig("ldap_realm", buildLdapSettings(ldapUrls(), userTemplates, groupSearchBase,
                 LdapSearchScope.SUB_TREE), globalSettings);
 
-        LdapSessionFactory ldapFac = new LdapSessionFactory(config, null);
+        LdapSessionFactory ldapFac = new LdapSessionFactory(config, null).init();
 
         String user = "Horatio Hornblower";
         SecuredString userPass = SecuredStringTests.build("pass");
@@ -141,7 +141,7 @@ public class LdapSessionFactoryTests extends LdapTestCase {
         RealmConfig config = new RealmConfig("ldap_realm", buildLdapSettings(ldapUrls(), userTemplate, groupSearchBase,
                 LdapSearchScope.SUB_TREE), globalSettings);
 
-        LdapSessionFactory ldapFac = new LdapSessionFactory(config, null);
+        LdapSessionFactory ldapFac = new LdapSessionFactory(config, null).init();
 
         String user = "Horatio Hornblower";
         SecuredString userPass = SecuredStringTests.build("pass");
@@ -158,7 +158,7 @@ public class LdapSessionFactoryTests extends LdapTestCase {
         RealmConfig config = new RealmConfig("ldap_realm", buildLdapSettings(ldapUrls(), userTemplate, groupSearchBase,
                 LdapSearchScope.ONE_LEVEL), globalSettings);
 
-        LdapSessionFactory ldapFac = new LdapSessionFactory(config, null);
+        LdapSessionFactory ldapFac = new LdapSessionFactory(config, null).init();
 
         String user = "Horatio Hornblower";
         try (LdapSession ldap = ldapFac.session(user, SecuredStringTests.build("pass"))) {
@@ -173,7 +173,7 @@ public class LdapSessionFactoryTests extends LdapTestCase {
         RealmConfig config = new RealmConfig("ldap_realm", buildLdapSettings(ldapUrls(), userTemplate, groupSearchBase,
                 LdapSearchScope.BASE), globalSettings);
 
-        LdapSessionFactory ldapFac = new LdapSessionFactory(config, null);
+        LdapSessionFactory ldapFac = new LdapSessionFactory(config, null).init();
 
         String user = "Horatio Hornblower";
         SecuredString userPass = SecuredStringTests.build("pass");

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/ldap/LdapUserSearchSessionFactoryTests.java

@@ -88,7 +88,7 @@ public class LdapUserSearchSessionFactoryTests extends LdapTestCase {
                 .put("user_search.attribute", "cn")
                 .build(), globalSettings);
 
-        LdapUserSearchSessionFactory sessionFactory = new LdapUserSearchSessionFactory(config, null);
+        LdapUserSearchSessionFactory sessionFactory = new LdapUserSearchSessionFactory(config, null).init();
         try {
             assertThat(sessionFactory.supportsUnauthenticatedSession(), is(true));
         } finally {
@@ -108,7 +108,7 @@ public class LdapUserSearchSessionFactoryTests extends LdapTestCase {
                 .put("user_search.attribute", "cn")
                 .build(), globalSettings);
 
-        LdapUserSearchSessionFactory sessionFactory = new LdapUserSearchSessionFactory(config, null);
+        LdapUserSearchSessionFactory sessionFactory = new LdapUserSearchSessionFactory(config, null).init();
 
         String user = "William Bush";
         SecuredString userPass = SecuredStringTests.build("pass");
@@ -143,7 +143,7 @@ public class LdapUserSearchSessionFactoryTests extends LdapTestCase {
                 .put("user_search.attribute", "cn")
                 .build(), globalSettings);
 
-        LdapUserSearchSessionFactory sessionFactory = new LdapUserSearchSessionFactory(config, null);
+        LdapUserSearchSessionFactory sessionFactory = new LdapUserSearchSessionFactory(config, null).init();
 
         String user = "William Bush";
         SecuredString userPass = SecuredStringTests.build("pass");
@@ -182,7 +182,7 @@ public class LdapUserSearchSessionFactoryTests extends LdapTestCase {
                 .put("user_search.attribute", "cn")
                 .build(), globalSettings);
 
-        LdapUserSearchSessionFactory sessionFactory = new LdapUserSearchSessionFactory(config, null);
+        LdapUserSearchSessionFactory sessionFactory = new LdapUserSearchSessionFactory(config, null).init();
 
         String user = "William Bush";
         SecuredString userPass = SecuredStringTests.build("pass");
@@ -217,7 +217,7 @@ public class LdapUserSearchSessionFactoryTests extends LdapTestCase {
                 .put("user_search.attribute", "cn")
                 .build(), globalSettings);
 
-        LdapUserSearchSessionFactory sessionFactory = new LdapUserSearchSessionFactory(config, null);
+        LdapUserSearchSessionFactory sessionFactory = new LdapUserSearchSessionFactory(config, null).init();
 
         String user = "William Bush";
         SecuredString userPass = SecuredStringTests.build("pass");
@@ -256,7 +256,7 @@ public class LdapUserSearchSessionFactoryTests extends LdapTestCase {
                 .put("user_search.attribute", "cn")
                 .build(), globalSettings);
 
-        LdapUserSearchSessionFactory sessionFactory = new LdapUserSearchSessionFactory(config, null);
+        LdapUserSearchSessionFactory sessionFactory = new LdapUserSearchSessionFactory(config, null).init();
 
         String user = "William Bush";
         SecuredString userPass = SecuredStringTests.build("pass");
@@ -290,7 +290,7 @@ public class LdapUserSearchSessionFactoryTests extends LdapTestCase {
                 .put("user_search.attribute", "uid1")
                 .build(), globalSettings);
 
-        LdapUserSearchSessionFactory sessionFactory = new LdapUserSearchSessionFactory(config, null);
+        LdapUserSearchSessionFactory sessionFactory = new LdapUserSearchSessionFactory(config, null).init();
 
         String user = "William Bush";
         SecuredString userPass = SecuredStringTests.build("pass");
@@ -327,7 +327,7 @@ public class LdapUserSearchSessionFactoryTests extends LdapTestCase {
                 .put("bind_password", "pass")
                 .build(), globalSettings);
 
-        LdapUserSearchSessionFactory sessionFactory = new LdapUserSearchSessionFactory(config, null);
+        LdapUserSearchSessionFactory sessionFactory = new LdapUserSearchSessionFactory(config, null).init();
 
         String user = "wbush";
         SecuredString userPass = SecuredStringTests.build("pass");
@@ -362,7 +362,7 @@ public class LdapUserSearchSessionFactoryTests extends LdapTestCase {
                 .put("user_search.attribute", "cn")
                 .build();
         RealmConfig config = new RealmConfig("ad-as-ldap-test", settings, globalSettings);
-        LdapUserSearchSessionFactory sessionFactory = new LdapUserSearchSessionFactory(config, clientSSLService);
+        LdapUserSearchSessionFactory sessionFactory = new LdapUserSearchSessionFactory(config, clientSSLService).init();
 
         String user = "Bruce Banner";
         try {
@@ -403,7 +403,7 @@ public class LdapUserSearchSessionFactoryTests extends LdapTestCase {
                 .put("bind_dn", "uid=blackwidow,ou=people,dc=oldap,dc=test,dc=elasticsearch,dc=com")
                 .put("bind_password", OpenLdapTests.PASSWORD)
                 .build(), globalSettings);
-        LdapUserSearchSessionFactory sessionFactory = new LdapUserSearchSessionFactory(config, clientSSLService);
+        LdapUserSearchSessionFactory sessionFactory = new LdapUserSearchSessionFactory(config, clientSSLService).init();
 
         String[] users = new String[] { "cap", "hawkeye", "hulk", "ironman", "thor" };
         try {
@@ -488,7 +488,8 @@ public class LdapUserSearchSessionFactoryTests extends LdapTestCase {
                 .build(), globalSettings);
 
         try {
-            new LdapUserSearchSessionFactory(config, null);
+            new LdapUserSearchSessionFactory(config, null).init();
+            fail("expected an exception");
         } catch (IllegalArgumentException e) {
             assertThat(e.getMessage(), containsString("[bind_dn] has not been specified so a value must be specified for [user_search" +
                     ".pool.health_check.dn] or [user_search.pool.health_check.enabled] must be set to false"));

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/ldap/OpenLdapTests.java

@@ -58,7 +58,7 @@ public class OpenLdapTests extends ESTestCase {
         String userTemplate = "uid={0},ou=people,dc=oldap,dc=test,dc=elasticsearch,dc=com";
         RealmConfig config = new RealmConfig("oldap-test", LdapTestCase.buildLdapSettings(OPEN_LDAP_URL, userTemplate, groupSearchBase,
                 LdapSearchScope.ONE_LEVEL), globalSettings);
-        LdapSessionFactory sessionFactory = new LdapSessionFactory(config, clientSSLService);
+        LdapSessionFactory sessionFactory = new LdapSessionFactory(config, clientSSLService).init();
 
         String[] users = new String[] { "blackwidow", "cap", "hawkeye", "hulk", "ironman", "thor" };
         for (String user : users) {
@@ -75,7 +75,7 @@ public class OpenLdapTests extends ESTestCase {
         String userTemplate = "uid={0},ou=people,dc=oldap,dc=test,dc=elasticsearch,dc=com";
         RealmConfig config = new RealmConfig("oldap-test", LdapTestCase.buildLdapSettings(OPEN_LDAP_URL, userTemplate, groupSearchBase,
                 LdapSearchScope.BASE), globalSettings);
-        LdapSessionFactory sessionFactory = new LdapSessionFactory(config, clientSSLService);
+        LdapSessionFactory sessionFactory = new LdapSessionFactory(config, clientSSLService).init();
 
         String[] users = new String[] { "blackwidow", "cap", "hawkeye", "hulk", "ironman", "thor" };
         for (String user : users) {
@@ -94,7 +94,7 @@ public class OpenLdapTests extends ESTestCase {
                 .put("group_search.user_attribute", "uid")
                 .build();
         RealmConfig config = new RealmConfig("oldap-test", settings, globalSettings);
-        LdapSessionFactory sessionFactory = new LdapSessionFactory(config, clientSSLService);
+        LdapSessionFactory sessionFactory = new LdapSessionFactory(config, clientSSLService).init();
 
         try (LdapSession ldap = sessionFactory.session("selvig", SecuredStringTests.build(PASSWORD))){
             assertThat(ldap.groups(), hasItem(containsString("Geniuses")));
@@ -111,7 +111,7 @@ public class OpenLdapTests extends ESTestCase {
                 .put(SessionFactory.TIMEOUT_TCP_READ_SETTING, "1ms") //1 millisecond
                 .build();
         RealmConfig config = new RealmConfig("oldap-test", settings, globalSettings);
-        LdapSessionFactory sessionFactory = new LdapSessionFactory(config, clientSSLService);
+        LdapSessionFactory sessionFactory = new LdapSessionFactory(config, clientSSLService).init();
 
         try (LdapSession ldap = sessionFactory.session("thor", SecuredStringTests.build(PASSWORD))) {
             // In certain cases we may have a successful bind, but a search should take longer and cause a timeout
@@ -132,7 +132,7 @@ public class OpenLdapTests extends ESTestCase {
                 .build();
 
         RealmConfig config = new RealmConfig("oldap-test", settings, globalSettings);
-        LdapSessionFactory sessionFactory = new LdapSessionFactory(config, clientSSLService);
+        LdapSessionFactory sessionFactory = new LdapSessionFactory(config, clientSSLService).init();
 
         String user = "blackwidow";
         try (LdapSession ldap = sessionFactory.session(user, SecuredStringTests.build(PASSWORD))) {

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/ldap/support/SessionFactoryLoadBalancingTests.java

@@ -166,7 +166,7 @@ public class SessionFactoryLoadBalancingTests extends LdapTestCase {
                 LdapSearchScope.SUB_TREE, loadBalancing);
         RealmConfig config = new RealmConfig("test-session-factory", settings, Settings.builder().put("path.home",
                 createTempDir()).build());
-        return new TestSessionFactory(config, null);
+        return new TestSessionFactory(config, null).init();
     }
 
     static class TestSessionFactory extends SessionFactory {
@@ -176,7 +176,7 @@ public class SessionFactoryLoadBalancingTests extends LdapTestCase {
         }
 
         @Override
-        public LdapSession session(String user, SecuredString password) throws Exception {
+        protected LdapSession getSession(String user, SecuredString password) throws Exception {
             return null;
         }
     }

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/ldap/support/SessionFactoryTests.java

@@ -60,9 +60,9 @@ public class SessionFactoryTests extends ESTestCase {
         return new SessionFactory(new RealmConfig("_name", Settings.builder().put("url", "ldap://localhost:389").build(), global), null) {
 
             @Override
-            public LdapSession session(String user, SecuredString password) {
+            protected LdapSession getSession(String user, SecuredString password) {
                 return null;
             }
-        };
+        }.init();
     }
 }