Register the legacy truststore password setting for the PKI realm (elastic/x-pack-elasticsearch#2487)
After the addition of the secure settings in 5.6, the truststore.password setting for the PKI realm was no longer registered. This would cause new nodes to fail for customers that were upgrading and had configured a PKI realm with a truststore. This change registers the setting and adds a test to ensure a realm configuration with the old setting passes validation. Relates elastic/support-dev-help#2505 Original commit: elastic/x-pack-elasticsearch@54da044a27
This commit is contained in:
parent
99ffbb1cd6
commit
f30e5c3fee
@ -209,6 +209,7 @@ public class PkiRealm extends Realm {
settings.add(SSL_SETTINGS.truststorePath);
settings.add(SSL_SETTINGS.truststorePassword);
settings.add(SSL_SETTINGS.legacyTruststorePassword);
settings.add(SSL_SETTINGS.truststoreAlgorithm);
settings.add(SSL_SETTINGS.caPaths);
|
|
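Review bot: The newly registered `SSL_SETTINGS.legacyTruststorePassword` is added between the secure `truststorePassword` and `truststoreAlgorithm` with nothing saying why a plaintext password setting is still accepted, so a reader is likely to take it for the preferred form rather than a compatibility shim. Add a why-comment above the new line, e.g. `// deprecated plaintext truststore.password: still registered so realm configs written before the secure settings existed pass validation on upgrade`. The deprecation is only visible from the test hunk's assertSettingDeprecationsAndWarnings call, so the comment is what ties the two together inside PkiRealm. The enclosing method starts and ends outside the hunk.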
@ -47,10 +47,12 @@ public class SSLConfigurationSettings {
public final Setting<Optional<SSLClientAuth>> clientAuth;
public final Setting<Optional<VerificationMode>> verificationMode;
|
// public for PKI realm
public final Setting<SecureString> legacyTruststorePassword;
|
// pkg private for tests
final Setting<SecureString> legacyKeystorePassword;
final Setting<SecureString> legacyKeystoreKeyPassword;
final Setting<SecureString> legacyTruststorePassword;
final Setting<SecureString> legacyKeyPassword;
|
private final List<Setting<?>> allSettings;
|
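Review bot: The `// public for PKI realm` comment on the widened `legacyTruststorePassword` field says who uses it but not why a deprecated plaintext-password setting is the one being exposed, while its three sibling legacy settings stay under `// pkg private for tests`. Rewording it to `// public so PkiRealm can register the deprecated plaintext truststore password for upgraded configs` records the reason the visibility differs from the siblings. If the intent is that no other caller should rely on it, say so in the same comment. The enclosing class continues outside the hunk.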
@ -11,25 +11,31 @@ import java.nio.file.Files;
import java.nio.file.Path;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;
|
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.support.PlainActionFuture;
import org.elasticsearch.common.settings.ClusterSettings;
import org.elasticsearch.common.settings.MockSecureSettings;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.env.Environment;
import org.elasticsearch.test.ESTestCase;
import org.elasticsearch.xpack.security.authc.AuthenticationResult;
import org.elasticsearch.xpack.security.authc.RealmConfig;
import org.elasticsearch.xpack.security.authc.RealmSettings;
import org.elasticsearch.xpack.security.authc.support.UserRoleMapper;
import org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken;
import org.elasticsearch.xpack.security.support.NoOpLogger;
import org.elasticsearch.xpack.security.user.User;
import org.elasticsearch.xpack.ssl.SSLConfigurationSettings;
import org.junit.Before;
import org.mockito.Mockito;
|
@ -248,6 +254,20 @@ public class PkiRealmTests extends ESTestCase {
assertThat(token.dn(), is("EMAILADDRESS=pki@elastic.co, CN=PKI Client, OU=Security"));
}
|
public void testPKIRealmSettingsPassValidation() throws Exception {
Settings settings = Settings.builder()
.put("xpack.security.authc.realms.pki1.type", "pki")
.put("xpack.security.authc.realms.pki1.truststore.path", "/foo/bar")
.put("xpack.security.authc.realms.pki1.truststore.password", "supersecret")
.build();
List<Setting<?>> settingList = new ArrayList<>();
RealmSettings.addSettings(settingList, Collections.emptyList());
ClusterSettings clusterSettings = new ClusterSettings(settings, new HashSet<>(settingList));
clusterSettings.validate(settings);
|
assertSettingDeprecationsAndWarnings(new Setting[] { SSLConfigurationSettings.withoutPrefix().legacyTruststorePassword });
}
|
static X509Certificate readCert(Path path) throws Exception {
try (InputStream in = Files.newInputStream(path)) {
CertificateFactory factory = CertificateFactory.getInstance("X.509");
|
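Review bot: `new Setting[] { ... }` in the assertSettingDeprecationsAndWarnings call of testPKIRealmSettingsPassValidation creates a raw-typed array and so compiles with a rawtypes warning; `new Setting<?>[] { SSLConfigurationSettings.withoutPrefix().legacyTruststorePassword }` passes the same element without the raw type. The method also lacks any statement of intent, and its name does not say that it is an upgrade regression for the plaintext password; a one-line Javadoc such as `/** A realm configured with the deprecated plaintext truststore.password must still pass settings validation and must emit the deprecation warning. */` would record that. The `readCert` helper at the end of the hunk continues outside it.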