Internal: Remove guice from audit trail construction
This change removes guice from audit trails. Original commit: elastic/x-pack-elasticsearch@ace1f11dc4
This commit is contained in:
Ryan Ernst
parent
c3a3898da9
commit
f03683fb18
|
|
@ -11,14 +11,19 @@ import java.util.Arrays;
|
|||
import java.util.Collection;
|
||||
import java.util.Collections;
|
||||
import java.util.HashMap;
|
||||
import java.util.HashSet;
|
||||
import java.util.LinkedHashSet;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.Optional;
|
||||
import java.util.Set;
|
||||
import java.util.function.Function;
|
||||
import java.util.stream.Collectors;
|
||||
|
||||
import org.elasticsearch.action.ActionRequest;
|
||||
import org.elasticsearch.action.ActionResponse;
|
||||
import org.elasticsearch.action.support.ActionFilter;
|
||||
import org.elasticsearch.cluster.service.ClusterService;
|
||||
import org.elasticsearch.common.Booleans;
|
||||
import org.elasticsearch.common.Strings;
|
||||
import org.elasticsearch.common.component.LifecycleComponent;
|
||||
|
|
@ -63,12 +68,12 @@ import org.elasticsearch.xpack.security.action.user.TransportChangePasswordActio
|
|||
import org.elasticsearch.xpack.security.action.user.TransportDeleteUserAction;
|
||||
import org.elasticsearch.xpack.security.action.user.TransportGetUsersAction;
|
||||
import org.elasticsearch.xpack.security.action.user.TransportPutUserAction;
|
||||
import org.elasticsearch.xpack.security.audit.AuditTrailModule;
|
||||
import org.elasticsearch.xpack.security.audit.AuditTrail;
|
||||
import org.elasticsearch.xpack.security.audit.AuditTrailService;
|
||||
import org.elasticsearch.xpack.security.audit.index.IndexAuditTrail;
|
||||
import org.elasticsearch.xpack.security.audit.index.IndexNameResolver;
|
||||
import org.elasticsearch.xpack.security.authc.AuthenticationFailureHandler;
|
||||
import org.elasticsearch.xpack.security.audit.logfile.LoggingAuditTrail;
|
||||
import org.elasticsearch.xpack.security.authc.AuthenticationModule;
|
||||
import org.elasticsearch.xpack.security.authc.DefaultAuthenticationFailureHandler;
|
||||
import org.elasticsearch.xpack.security.authc.InternalAuthenticationService;
|
||||
import org.elasticsearch.xpack.security.authc.Realm;
|
||||
import org.elasticsearch.xpack.security.authc.Realms;
|
||||
|
|
@ -128,6 +133,14 @@ public class Security implements ActionPlugin {
|
|||
public static final String DLS_FLS_FEATURE = "security.dls_fls";
|
||||
public static final Setting<Optional<String>> USER_SETTING = OptionalSettings.createString(setting("user"), Property.NodeScope);
|
||||
|
||||
public static final Setting<Boolean> AUDIT_ENABLED_SETTING =
|
||||
Setting.boolSetting(featureEnabledSetting("audit"), false, Property.NodeScope);
|
||||
public static final Setting<List<String>> AUDIT_OUTPUTS_SETTING =
|
||||
Setting.listSetting(setting("audit.outputs"),
|
||||
s -> s.getAsMap().containsKey(setting("audit.outputs")) ?
|
||||
Collections.emptyList() : Collections.singletonList(LoggingAuditTrail.NAME),
|
||||
Function.identity(), Property.NodeScope);
|
||||
|
||||
private final Settings settings;
|
||||
private final Environment env;
|
||||
private final boolean enabled;
|
||||
|
|
@ -182,10 +195,17 @@ public class Security implements ActionPlugin {
|
|||
|
||||
modules.add(new AuthenticationModule(settings));
|
||||
modules.add(new AuthorizationModule(settings));
|
||||
if (enabled == false || auditingEnabled(settings) == false) {
|
||||
modules.add(b -> {
|
||||
b.bind(AuditTrailService.class).toProvider(Providers.of(null));
|
||||
b.bind(AuditTrail.class).toInstance(AuditTrail.NOOP);
|
||||
});
|
||||
}
|
||||
if (enabled == false) {
|
||||
modules.add(b -> b.bind(CryptoService.class).toProvider(Providers.of(null)));
|
||||
modules.add(b -> {
|
||||
b.bind(CryptoService.class).toProvider(Providers.of(null));
|
||||
});
|
||||
modules.add(new SecurityModule(settings));
|
||||
modules.add(new AuditTrailModule(settings));
|
||||
modules.add(new SecurityTransportModule(settings));
|
||||
return modules;
|
||||
}
|
||||
|
|
@ -193,10 +213,16 @@ public class Security implements ActionPlugin {
|
|||
// we can't load that at construction time since the license plugin might not have been loaded at that point
|
||||
// which might not be the case during Plugin class instantiation. Once nodeModules are pulled
|
||||
// everything should have been loaded
|
||||
|
||||
modules.add(b -> b.bind(CryptoService.class).toInstance(cryptoService));
|
||||
modules.add(b -> {
|
||||
b.bind(CryptoService.class).toInstance(cryptoService);
|
||||
if (auditingEnabled(settings)) {
|
||||
b.bind(AuditTrail.class).to(AuditTrailService.class); // interface used by some actions...
|
||||
} else {
|
||||
// TODO: remove this once we can construct SecurityLifecycleService without guice
|
||||
b.bind(IndexAuditTrail.class).toProvider(Providers.of(null));
|
||||
}
|
||||
});
|
||||
modules.add(new SecurityModule(settings));
|
||||
modules.add(new AuditTrailModule(settings));
|
||||
modules.add(new SecurityRestModule(settings));
|
||||
modules.add(new SecurityActionModule(settings));
|
||||
modules.add(new SecurityTransportModule(settings));
|
||||
|
|
@ -212,15 +238,18 @@ public class Security implements ActionPlugin {
|
|||
return list;
|
||||
}
|
||||
|
||||
public Collection<Object> createComponents(InternalClient client, ThreadPool threadPool,
|
||||
public Collection<Object> createComponents(InternalClient client, ThreadPool threadPool, ClusterService clusterService,
|
||||
ResourceWatcherService resourceWatcherService, List<XPackExtension> extensions) {
|
||||
if (enabled == false) {
|
||||
return Collections.emptyList();
|
||||
}
|
||||
List<Object> components = new ArrayList<>();
|
||||
|
||||
final SSLConfiguration.Global globalSslConfig = new SSLConfiguration.Global(settings);
|
||||
final ClientSSLService clientSSLService = new ClientSSLService(settings, env, globalSslConfig, resourceWatcherService);
|
||||
final ServerSSLService serverSSLService = new ServerSSLService(settings, env, globalSslConfig, resourceWatcherService);
|
||||
components.add(clientSSLService);
|
||||
components.add(serverSSLService);
|
||||
|
||||
// realms construction
|
||||
final NativeUsersStore nativeUsersStore = new NativeUsersStore(settings, client, threadPool);
|
||||
|
|
@ -241,8 +270,33 @@ public class Security implements ActionPlugin {
|
|||
}
|
||||
}
|
||||
final Realms realms = new Realms(settings, env, realmFactories, securityLicenseState, reservedRealm);
|
||||
components.add(nativeUsersStore);
|
||||
components.add(realms);
|
||||
|
||||
return Arrays.asList(clientSSLService, serverSSLService, nativeUsersStore, realms);
|
||||
// audit trails construction
|
||||
if (AUDIT_ENABLED_SETTING.get(settings)) {
|
||||
List<String> outputs = AUDIT_OUTPUTS_SETTING.get(settings);
|
||||
if (outputs.isEmpty()) {
|
||||
throw new IllegalArgumentException("Audit logging is enabled but there are zero output types in "
|
||||
+ AUDIT_ENABLED_SETTING.getKey());
|
||||
}
|
||||
Set<AuditTrail> auditTrails = new LinkedHashSet<>();
|
||||
for (String output : outputs) {
|
||||
switch (output) {
|
||||
case LoggingAuditTrail.NAME:
|
||||
auditTrails.add(new LoggingAuditTrail(settings, clusterService, threadPool));
|
||||
break;
|
||||
case IndexAuditTrail.NAME:
|
||||
auditTrails.add(new IndexAuditTrail(settings, client, threadPool, clusterService));
|
||||
break;
|
||||
default:
|
||||
throw new IllegalArgumentException("Unknown audit trail output [" + output + "]");
|
||||
}
|
||||
}
|
||||
components.add(new AuditTrailService(settings, auditTrails.stream().collect(Collectors.toList()), securityLicenseState));
|
||||
}
|
||||
|
||||
return components;
|
||||
}
|
||||
|
||||
public Settings additionalSettings() {
|
||||
|
|
@ -288,7 +342,10 @@ public class Security implements ActionPlugin {
|
|||
IPFilter.addSettings(settingsList);
|
||||
|
||||
// audit settings
|
||||
AuditTrailModule.addSettings(settingsList);
|
||||
settingsList.add(AUDIT_ENABLED_SETTING);
|
||||
settingsList.add(AUDIT_OUTPUTS_SETTING);
|
||||
LoggingAuditTrail.registerSettings(settingsList);
|
||||
IndexAuditTrail.registerSettings(settingsList);
|
||||
|
||||
// authentication settings
|
||||
FileRolesStore.addSettings(settingsList);
|
||||
|
|
@ -515,13 +572,29 @@ public class Security implements ActionPlugin {
|
|||
return XPackPlugin.featureEnabledSetting("security." + feature);
|
||||
}
|
||||
|
||||
public static boolean auditingEnabled(Settings settings) {
|
||||
return AUDIT_ENABLED_SETTING.get(settings);
|
||||
}
|
||||
|
||||
public static boolean indexAuditLoggingEnabled(Settings settings) {
|
||||
if (auditingEnabled(settings)) {
|
||||
List<String> outputs = AUDIT_OUTPUTS_SETTING.get(settings);
|
||||
for (String output : outputs) {
|
||||
if (output.equals(IndexAuditTrail.NAME)) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
static void validateAutoCreateIndex(Settings settings) {
|
||||
String value = settings.get("action.auto_create_index");
|
||||
if (value == null) {
|
||||
return;
|
||||
}
|
||||
|
||||
final boolean indexAuditingEnabled = AuditTrailModule.indexAuditLoggingEnabled(settings);
|
||||
final boolean indexAuditingEnabled = Security.indexAuditLoggingEnabled(settings);
|
||||
final String auditIndex = indexAuditingEnabled ? "," + IndexAuditTrail.INDEX_NAME_PREFIX + "*" : "";
|
||||
String errorMessage = LoggerMessageFormat.format("the [action.auto_create_index] setting value [{}] is too" +
|
||||
" restrictive. disable [action.auto_create_index] or set it to " +
|
||||
|
|
|
|||
|
|
@ -11,10 +11,8 @@ import org.elasticsearch.cluster.ClusterStateListener;
|
|||
import org.elasticsearch.common.component.AbstractComponent;
|
||||
import org.elasticsearch.common.component.LifecycleListener;
|
||||
import org.elasticsearch.common.inject.Inject;
|
||||
import org.elasticsearch.common.inject.Provider;
|
||||
import org.elasticsearch.common.settings.Settings;
|
||||
import org.elasticsearch.common.util.concurrent.AbstractRunnable;
|
||||
import org.elasticsearch.xpack.security.audit.AuditTrailModule;
|
||||
import org.elasticsearch.xpack.security.audit.index.IndexAuditTrail;
|
||||
import org.elasticsearch.xpack.security.authc.esnative.NativeUsersStore;
|
||||
import org.elasticsearch.xpack.security.authz.store.NativeRolesStore;
|
||||
|
|
@ -111,7 +109,7 @@ public class SecurityLifecycleService extends AbstractComponent implements Clust
|
|||
}
|
||||
|
||||
try {
|
||||
if (AuditTrailModule.indexAuditLoggingEnabled(settings) &&
|
||||
if (Security.indexAuditLoggingEnabled(settings) &&
|
||||
indexAuditTrail.state() == IndexAuditTrail.State.INITIALIZED) {
|
||||
if (indexAuditTrail.canStart(event, master)) {
|
||||
threadPool.generic().execute(new AbstractRunnable() {
|
||||
|
|
|
|||
|
|
@ -1,108 +0,0 @@
|
|||
/*
|
||||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
|
||||
* or more contributor license agreements. Licensed under the Elastic License;
|
||||
* you may not use this file except in compliance with the Elastic License.
|
||||
*/
|
||||
package org.elasticsearch.xpack.security.audit;
|
||||
|
||||
import org.elasticsearch.ElasticsearchException;
|
||||
import org.elasticsearch.common.inject.multibindings.Multibinder;
|
||||
import org.elasticsearch.common.inject.util.Providers;
|
||||
import org.elasticsearch.common.settings.Setting;
|
||||
import org.elasticsearch.common.settings.Setting.Property;
|
||||
import org.elasticsearch.common.settings.Settings;
|
||||
import org.elasticsearch.common.util.set.Sets;
|
||||
import org.elasticsearch.xpack.security.audit.index.IndexAuditTrail;
|
||||
import org.elasticsearch.xpack.security.audit.logfile.LoggingAuditTrail;
|
||||
import org.elasticsearch.xpack.security.support.AbstractSecurityModule;
|
||||
|
||||
import java.util.Collections;
|
||||
import java.util.List;
|
||||
import java.util.Set;
|
||||
import java.util.function.Function;
|
||||
|
||||
import static org.elasticsearch.xpack.security.Security.featureEnabledSetting;
|
||||
import static org.elasticsearch.xpack.security.Security.setting;
|
||||
|
||||
/**
|
||||
*
|
||||
*/
|
||||
public class AuditTrailModule extends AbstractSecurityModule.Node {
|
||||
|
||||
public static final Setting<Boolean> ENABLED_SETTING =
|
||||
Setting.boolSetting(featureEnabledSetting("audit"), false, Property.NodeScope);
|
||||
public static final Setting<List<String>> OUTPUTS_SETTING =
|
||||
Setting.listSetting(setting("audit.outputs"),
|
||||
s -> s.getAsMap().containsKey(setting("audit.outputs")) ?
|
||||
Collections.emptyList() : Collections.singletonList(LoggingAuditTrail.NAME),
|
||||
Function.identity(), Property.NodeScope);
|
||||
private final boolean enabled;
|
||||
|
||||
public AuditTrailModule(Settings settings) {
|
||||
super(settings);
|
||||
enabled = ENABLED_SETTING.get(settings);
|
||||
}
|
||||
|
||||
@Override
|
||||
protected void configureNode() {
|
||||
List<String> outputs = OUTPUTS_SETTING.get(settings);
|
||||
if (securityEnabled == false || enabled == false || outputs.isEmpty()) {
|
||||
bind(AuditTrailService.class).toProvider(Providers.of(null));
|
||||
bind(AuditTrail.class).toInstance(AuditTrail.NOOP);
|
||||
return;
|
||||
}
|
||||
|
||||
bind(AuditTrailService.class).asEagerSingleton();
|
||||
bind(AuditTrail.class).to(AuditTrailService.class);
|
||||
Multibinder<AuditTrail> binder = Multibinder.newSetBinder(binder(), AuditTrail.class);
|
||||
for (String output : outputs) {
|
||||
switch (output) {
|
||||
case LoggingAuditTrail.NAME:
|
||||
binder.addBinding().to(LoggingAuditTrail.class);
|
||||
bind(LoggingAuditTrail.class).asEagerSingleton();
|
||||
break;
|
||||
case IndexAuditTrail.NAME:
|
||||
binder.addBinding().to(IndexAuditTrail.class);
|
||||
bind(IndexAuditTrail.class).asEagerSingleton();
|
||||
break;
|
||||
default:
|
||||
throw new IllegalArgumentException("unknown audit trail output [" + output + "]");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
public static boolean auditingEnabled(Settings settings) {
|
||||
return ENABLED_SETTING.get(settings);
|
||||
}
|
||||
|
||||
public static boolean indexAuditLoggingEnabled(Settings settings) {
|
||||
if (auditingEnabled(settings)) {
|
||||
List<String> outputs = OUTPUTS_SETTING.get(settings);
|
||||
for (String output : outputs) {
|
||||
if (output.equals(IndexAuditTrail.NAME)) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
public static boolean fileAuditLoggingEnabled(Settings settings) {
|
||||
if (auditingEnabled(settings)) {
|
||||
List<String> outputs = OUTPUTS_SETTING.get(settings);
|
||||
for (String output : outputs) {
|
||||
if (output.equals(LoggingAuditTrail.NAME)) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
public static void addSettings(List<Setting<?>> settings) {
|
||||
settings.add(ENABLED_SETTING);
|
||||
settings.add(OUTPUTS_SETTING);
|
||||
LoggingAuditTrail.registerSettings(settings);
|
||||
IndexAuditTrail.registerSettings(settings);
|
||||
}
|
||||
}
|
||||
|
|
@ -5,20 +5,23 @@
|
|||
*/
|
||||
package org.elasticsearch.xpack.security.audit;
|
||||
|
||||
import java.net.InetAddress;
|
||||
import java.util.Collections;
|
||||
import java.util.HashMap;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.Set;
|
||||
|
||||
import org.elasticsearch.common.component.AbstractComponent;
|
||||
import org.elasticsearch.common.inject.Inject;
|
||||
import org.elasticsearch.common.settings.Settings;
|
||||
import org.elasticsearch.rest.RestRequest;
|
||||
import org.elasticsearch.transport.TransportMessage;
|
||||
import org.elasticsearch.xpack.security.Security;
|
||||
import org.elasticsearch.xpack.security.SecurityLicenseState;
|
||||
import org.elasticsearch.xpack.security.user.User;
|
||||
import org.elasticsearch.xpack.security.authc.AuthenticationToken;
|
||||
import org.elasticsearch.xpack.security.transport.filter.SecurityIpFilterRule;
|
||||
import org.elasticsearch.transport.TransportMessage;
|
||||
|
||||
import java.net.InetAddress;
|
||||
import java.util.HashMap;
|
||||
import java.util.Map;
|
||||
import java.util.Set;
|
||||
import org.elasticsearch.xpack.security.user.User;
|
||||
|
||||
/**
|
||||
*
|
||||
|
|
@ -26,20 +29,24 @@ import java.util.Set;
|
|||
public class AuditTrailService extends AbstractComponent implements AuditTrail {
|
||||
|
||||
private final SecurityLicenseState securityLicenseState;
|
||||
final AuditTrail[] auditTrails;
|
||||
final List<AuditTrail> auditTrails;
|
||||
|
||||
@Override
|
||||
public String name() {
|
||||
return "service";
|
||||
}
|
||||
|
||||
@Inject
|
||||
public AuditTrailService(Settings settings, Set<AuditTrail> auditTrails, SecurityLicenseState licenseState) {
|
||||
public AuditTrailService(Settings settings, List<AuditTrail> auditTrails, SecurityLicenseState licenseState) {
|
||||
super(settings);
|
||||
this.auditTrails = auditTrails.toArray(new AuditTrail[auditTrails.size()]);
|
||||
this.auditTrails = Collections.unmodifiableList(auditTrails);
|
||||
this.securityLicenseState = licenseState;
|
||||
}
|
||||
|
||||
/** Returns the audit trail implementations that this service delegates to. */
|
||||
public List<AuditTrail> getAuditTrails() {
|
||||
return auditTrails;
|
||||
}
|
||||
|
||||
@Override
|
||||
public void anonymousAccessDenied(String action, TransportMessage message) {
|
||||
if (securityLicenseState.auditingEnabled()) {
|
||||
|
|
@ -202,8 +209,8 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
|
|||
|
||||
public Map<String, Object> usageStats() {
|
||||
Map<String, Object> map = new HashMap<>(2);
|
||||
map.put("enabled", AuditTrailModule.ENABLED_SETTING.get(settings));
|
||||
map.put("outputs", AuditTrailModule.OUTPUTS_SETTING.get(settings));
|
||||
map.put("enabled", Security.AUDIT_ENABLED_SETTING.get(settings));
|
||||
map.put("outputs", Security.AUDIT_OUTPUTS_SETTING.get(settings));
|
||||
return map;
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -169,9 +169,7 @@ public class IndexAuditTrail extends AbstractComponent implements AuditTrail, Cl
|
|||
return NAME;
|
||||
}
|
||||
|
||||
@Inject
|
||||
public IndexAuditTrail(Settings settings, InternalClient client, ThreadPool threadPool,
|
||||
ClusterService clusterService) {
|
||||
public IndexAuditTrail(Settings settings, InternalClient client, ThreadPool threadPool, ClusterService clusterService) {
|
||||
super(settings);
|
||||
this.threadPool = threadPool;
|
||||
this.clusterService = clusterService;
|
||||
|
|
|
|||
|
|
@ -68,7 +68,6 @@ public class LoggingAuditTrail extends AbstractComponent implements AuditTrail {
|
|||
return NAME;
|
||||
}
|
||||
|
||||
@Inject
|
||||
public LoggingAuditTrail(Settings settings, ClusterService clusterService, ThreadPool threadPool) {
|
||||
this(settings, clusterService, Loggers.getLogger(LoggingAuditTrail.class), threadPool.getThreadContext());
|
||||
}
|
||||
|
|
|
|||
|
|
@ -18,7 +18,6 @@ import org.elasticsearch.test.ESIntegTestCase.Scope;
|
|||
import org.elasticsearch.xpack.security.authc.file.FileRealm;
|
||||
import org.elasticsearch.xpack.security.authc.esnative.NativeRealm;
|
||||
import org.elasticsearch.xpack.security.Security;
|
||||
import org.elasticsearch.xpack.security.audit.AuditTrailModule;
|
||||
import org.elasticsearch.xpack.security.audit.logfile.LoggingAuditTrail;
|
||||
import org.elasticsearch.xpack.security.authc.support.Hasher;
|
||||
import org.elasticsearch.xpack.security.authc.support.SecuredString;
|
||||
|
|
@ -129,7 +128,7 @@ public class SecuritySettingsSource extends ClusterDiscoveryConfiguration.Unicas
|
|||
//TODO: for now isolate security tests from watcher & monitoring (randomize this later)
|
||||
.put(XPackPlugin.featureEnabledSetting(Watcher.NAME), false)
|
||||
.put(XPackPlugin.featureEnabledSetting(Monitoring.NAME), false)
|
||||
.put(AuditTrailModule.ENABLED_SETTING.getKey(), randomBoolean())
|
||||
.put(Security.AUDIT_ENABLED_SETTING.getKey(), randomBoolean())
|
||||
.put(LoggingAuditTrail.HOST_ADDRESS_SETTING.getKey(), randomBoolean())
|
||||
.put(LoggingAuditTrail.HOST_NAME_SETTING.getKey(), randomBoolean())
|
||||
.put(LoggingAuditTrail.NODE_NAME_SETTING.getKey(), randomBoolean())
|
||||
|
|
|
|||
|
|
@ -9,8 +9,6 @@ import java.io.IOException;
|
|||
|
||||
import org.elasticsearch.common.Strings;
|
||||
import org.elasticsearch.common.settings.Settings;
|
||||
import org.elasticsearch.env.Environment;
|
||||
import org.elasticsearch.xpack.security.audit.AuditTrailModule;
|
||||
import org.elasticsearch.xpack.security.audit.index.IndexAuditTrail;
|
||||
import org.elasticsearch.test.ESTestCase;
|
||||
import org.elasticsearch.xpack.XPackPlugin;
|
||||
|
|
@ -159,14 +157,14 @@ public class SecuritySettingsTests extends ESTestCase {
|
|||
|
||||
Security.validateAutoCreateIndex(Settings.builder()
|
||||
.put("action.auto_create_index", ".security")
|
||||
.put(AuditTrailModule.ENABLED_SETTING.getKey(), true)
|
||||
.put(Security.AUDIT_ENABLED_SETTING.getKey(), true)
|
||||
.build());
|
||||
|
||||
try {
|
||||
Security.validateAutoCreateIndex(Settings.builder()
|
||||
.put("action.auto_create_index", ".security")
|
||||
.put(AuditTrailModule.ENABLED_SETTING.getKey(), true)
|
||||
.put(AuditTrailModule.OUTPUTS_SETTING.getKey(), randomFrom("index", "logfile,index"))
|
||||
.put(Security.AUDIT_ENABLED_SETTING.getKey(), true)
|
||||
.put(Security.AUDIT_OUTPUTS_SETTING.getKey(), randomFrom("index", "logfile,index"))
|
||||
.build());
|
||||
fail("IllegalArgumentException expected");
|
||||
} catch (IllegalArgumentException e) {
|
||||
|
|
@ -176,8 +174,8 @@ public class SecuritySettingsTests extends ESTestCase {
|
|||
|
||||
Security.validateAutoCreateIndex(Settings.builder()
|
||||
.put("action.auto_create_index", ".security_audit_log*,.security")
|
||||
.put(AuditTrailModule.ENABLED_SETTING.getKey(), true)
|
||||
.put(AuditTrailModule.OUTPUTS_SETTING.getKey(), randomFrom("index", "logfile,index"))
|
||||
.put(Security.AUDIT_ENABLED_SETTING.getKey(), true)
|
||||
.put(Security.AUDIT_OUTPUTS_SETTING.getKey(), randomFrom("index", "logfile,index"))
|
||||
.build());
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ import java.io.IOException;
|
|||
import java.util.Arrays;
|
||||
import java.util.Collection;
|
||||
import java.util.Collections;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
|
||||
import org.elasticsearch.common.settings.Settings;
|
||||
|
|
@ -16,6 +17,10 @@ import org.elasticsearch.env.Environment;
|
|||
import org.elasticsearch.test.ESTestCase;
|
||||
import org.elasticsearch.threadpool.ThreadPool;
|
||||
import org.elasticsearch.xpack.extensions.XPackExtension;
|
||||
import org.elasticsearch.xpack.security.audit.AuditTrail;
|
||||
import org.elasticsearch.xpack.security.audit.AuditTrailService;
|
||||
import org.elasticsearch.xpack.security.audit.index.IndexAuditTrail;
|
||||
import org.elasticsearch.xpack.security.audit.logfile.LoggingAuditTrail;
|
||||
import org.elasticsearch.xpack.security.authc.Realm;
|
||||
import org.elasticsearch.xpack.security.authc.Realms;
|
||||
import org.elasticsearch.xpack.security.authc.file.FileRealm;
|
||||
|
|
@ -49,7 +54,7 @@ public class SecurityTests extends ESTestCase {
|
|||
Environment env = new Environment(settings);
|
||||
Security security = new Security(settings, env);
|
||||
ThreadPool threadPool = mock(ThreadPool.class);
|
||||
return security.createComponents(null, threadPool, null, Arrays.asList(extensions));
|
||||
return security.createComponents(null, threadPool, null, null, Arrays.asList(extensions));
|
||||
}
|
||||
|
||||
private <T> T findComponent(Class<T> type, Collection<Object> components) {
|
||||
|
|
@ -58,12 +63,13 @@ public class SecurityTests extends ESTestCase {
|
|||
return type.cast(obj);
|
||||
}
|
||||
}
|
||||
throw new AssertionError("Could not find component of type " + type + " in components");
|
||||
return null;
|
||||
}
|
||||
|
||||
public void testCustomRealmExtension() throws Exception {
|
||||
Collection<Object> components = createComponents(Settings.EMPTY, new DummyExtension("myrealm"));
|
||||
Realms realms = findComponent(Realms.class, components);
|
||||
assertNotNull(realms);
|
||||
assertNotNull(realms.realmFactory("myrealm"));
|
||||
}
|
||||
|
||||
|
|
@ -72,4 +78,50 @@ public class SecurityTests extends ESTestCase {
|
|||
() -> createComponents(Settings.EMPTY, new DummyExtension(FileRealm.TYPE)));
|
||||
assertEquals("Realm type [" + FileRealm.TYPE + "] is already registered", e.getMessage());
|
||||
}
|
||||
|
||||
|
||||
public void testAuditEnabled() throws Exception {
|
||||
Settings settings = Settings.builder().put(Security.AUDIT_ENABLED_SETTING.getKey(), true).build();
|
||||
Collection<Object> components = createComponents(settings);
|
||||
AuditTrailService service = findComponent(AuditTrailService.class, components);
|
||||
assertNotNull(service);
|
||||
assertEquals(1, service.getAuditTrails().size());
|
||||
assertEquals(LoggingAuditTrail.NAME, service.getAuditTrails().get(0).name());
|
||||
}
|
||||
|
||||
public void testDisabledByDefault() throws Exception {
|
||||
Collection<Object> components = createComponents(Settings.EMPTY);
|
||||
assertNull(findComponent(AuditTrailService.class, components));
|
||||
}
|
||||
|
||||
public void testIndexAuditTrail() throws Exception {
|
||||
Settings settings = Settings.builder()
|
||||
.put(Security.AUDIT_ENABLED_SETTING.getKey(), true)
|
||||
.put(Security.AUDIT_OUTPUTS_SETTING.getKey(), "index").build();
|
||||
Collection<Object> components = createComponents(settings);
|
||||
AuditTrailService service = findComponent(AuditTrailService.class, components);
|
||||
assertNotNull(service);
|
||||
assertEquals(1, service.getAuditTrails().size());
|
||||
assertEquals(IndexAuditTrail.NAME, service.getAuditTrails().get(0).name());
|
||||
}
|
||||
|
||||
public void testIndexAndLoggingAuditTrail() throws Exception {
|
||||
Settings settings = Settings.builder()
|
||||
.put(Security.AUDIT_ENABLED_SETTING.getKey(), true)
|
||||
.put(Security.AUDIT_OUTPUTS_SETTING.getKey(), "index,logfile").build();
|
||||
Collection<Object> components = createComponents(settings);
|
||||
AuditTrailService service = findComponent(AuditTrailService.class, components);
|
||||
assertNotNull(service);
|
||||
assertEquals(2, service.getAuditTrails().size());
|
||||
assertEquals(IndexAuditTrail.NAME, service.getAuditTrails().get(0).name());
|
||||
assertEquals(LoggingAuditTrail.NAME, service.getAuditTrails().get(1).name());
|
||||
}
|
||||
|
||||
public void testUnknownOutput() throws Exception {
|
||||
Settings settings = Settings.builder()
|
||||
.put(Security.AUDIT_ENABLED_SETTING.getKey(), true)
|
||||
.put(Security.AUDIT_OUTPUTS_SETTING.getKey(), "foo").build();
|
||||
IllegalArgumentException e = expectThrows(IllegalArgumentException.class, () -> createComponents(settings));
|
||||
assertEquals("Unknown audit trail output [foo]", e.getMessage());
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,50 +0,0 @@
|
|||
/*
|
||||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
|
||||
* or more contributor license agreements. Licensed under the Elastic License;
|
||||
* you may not use this file except in compliance with the Elastic License.
|
||||
*/
|
||||
package org.elasticsearch.xpack.security.audit;
|
||||
|
||||
import org.elasticsearch.common.inject.ModuleTestCase;
|
||||
import org.elasticsearch.common.settings.Settings;
|
||||
import org.elasticsearch.xpack.security.audit.index.IndexAuditTrail;
|
||||
import org.elasticsearch.xpack.security.audit.logfile.LoggingAuditTrail;
|
||||
|
||||
public class AuditTrailModuleTests extends ModuleTestCase {
|
||||
|
||||
public void testEnabled() throws Exception {
|
||||
Settings settings = Settings.builder().put(AuditTrailModule.ENABLED_SETTING.getKey(), true).build();
|
||||
AuditTrailModule module = new AuditTrailModule(settings);
|
||||
assertBinding(module, AuditTrail.class, AuditTrailService.class);
|
||||
assertSetMultiBinding(module, AuditTrail.class, LoggingAuditTrail.class);
|
||||
}
|
||||
|
||||
public void testDisabledByDefault() throws Exception {
|
||||
AuditTrailModule module = new AuditTrailModule(Settings.EMPTY);
|
||||
assertInstanceBinding(module, AuditTrail.class, x -> x == AuditTrail.NOOP);
|
||||
}
|
||||
|
||||
public void testIndexAuditTrail() throws Exception {
|
||||
Settings settings = Settings.builder()
|
||||
.put(AuditTrailModule.ENABLED_SETTING.getKey(), true)
|
||||
.put(AuditTrailModule.OUTPUTS_SETTING.getKey(), "index").build();
|
||||
AuditTrailModule module = new AuditTrailModule(settings);
|
||||
assertSetMultiBinding(module, AuditTrail.class, IndexAuditTrail.class);
|
||||
}
|
||||
|
||||
public void testIndexAndLoggingAuditTrail() throws Exception {
|
||||
Settings settings = Settings.builder()
|
||||
.put(AuditTrailModule.ENABLED_SETTING.getKey(), true)
|
||||
.put(AuditTrailModule.OUTPUTS_SETTING.getKey(), "index,logfile").build();
|
||||
AuditTrailModule module = new AuditTrailModule(settings);
|
||||
assertSetMultiBinding(module, AuditTrail.class, IndexAuditTrail.class, LoggingAuditTrail.class);
|
||||
}
|
||||
|
||||
public void testUnknownOutput() throws Exception {
|
||||
Settings settings = Settings.builder()
|
||||
.put(AuditTrailModule.ENABLED_SETTING.getKey(), true)
|
||||
.put(AuditTrailModule.OUTPUTS_SETTING.getKey(), "foo").build();
|
||||
AuditTrailModule module = new AuditTrailModule(settings);
|
||||
assertBindingFailure(module, "unknown audit trail output [foo]");
|
||||
}
|
||||
}
|
||||
|
|
@ -17,10 +17,12 @@ import org.elasticsearch.transport.TransportMessage;
|
|||
import org.junit.Before;
|
||||
|
||||
import java.net.InetAddress;
|
||||
import java.util.ArrayList;
|
||||
import java.util.HashSet;
|
||||
import java.util.List;
|
||||
import java.util.Set;
|
||||
|
||||
import static java.util.Collections.unmodifiableSet;
|
||||
import static java.util.Collections.unmodifiableList;
|
||||
import static org.mockito.Mockito.mock;
|
||||
import static org.mockito.Mockito.verify;
|
||||
import static org.mockito.Mockito.verifyZeroInteractions;
|
||||
|
|
@ -30,7 +32,7 @@ import static org.mockito.Mockito.when;
|
|||
*
|
||||
*/
|
||||
public class AuditTrailServiceTests extends ESTestCase {
|
||||
private Set<AuditTrail> auditTrails;
|
||||
private List<AuditTrail> auditTrails;
|
||||
private AuditTrailService service;
|
||||
|
||||
private AuthenticationToken token;
|
||||
|
|
@ -41,11 +43,11 @@ public class AuditTrailServiceTests extends ESTestCase {
|
|||
|
||||
@Before
|
||||
public void init() throws Exception {
|
||||
Set<AuditTrail> auditTrailsBuilder = new HashSet<>();
|
||||
List<AuditTrail> auditTrailsBuilder = new ArrayList<>();
|
||||
for (int i = 0; i < randomIntBetween(1, 4); i++) {
|
||||
auditTrailsBuilder.add(mock(AuditTrail.class));
|
||||
}
|
||||
auditTrails = unmodifiableSet(auditTrailsBuilder);
|
||||
auditTrails = unmodifiableList(auditTrailsBuilder);
|
||||
securityLicenseState = mock(SecurityLicenseState.class);
|
||||
service = new AuditTrailService(Settings.EMPTY, auditTrails, securityLicenseState);
|
||||
auditingEnabled = randomBoolean();
|
||||
|
|
|
|||
|
|
@ -192,7 +192,8 @@ public class XPackPlugin extends Plugin implements ScriptPlugin, ActionPlugin {
|
|||
|
||||
components.addAll(licensing.createComponents(clusterService, getClock(), env, resourceWatcherService,
|
||||
security.getSecurityLicenseState()));
|
||||
components.addAll(security.createComponents(internalClient, threadPool, resourceWatcherService, extensionsService.getExtensions()));
|
||||
components.addAll(security.createComponents(internalClient, threadPool, clusterService, resourceWatcherService,
|
||||
extensionsService.getExtensions()));
|
||||
|
||||
// watcher http stuff
|
||||
Map<String, HttpAuthFactory> httpAuthFactories = new HashMap<>();
|
||||
|
|
|
|||
Loading…
Reference in New Issue