diff --git a/plugin/src/main/java/org/elasticsearch/xpack/security/authc/pki/PkiRealm.java b/plugin/src/main/java/org/elasticsearch/xpack/security/authc/pki/PkiRealm.java
index 78f9b9e9766..c4c948ef168 100644
--- a/plugin/src/main/java/org/elasticsearch/xpack/security/authc/pki/PkiRealm.java
+++ b/plugin/src/main/java/org/elasticsearch/xpack/security/authc/pki/PkiRealm.java
@@ -209,6 +209,7 @@ public class PkiRealm extends Realm {
 settings.add(SSL_SETTINGS.truststorePath);
 settings.add(SSL_SETTINGS.truststorePassword);
+ settings.add(SSL_SETTINGS.legacyTruststorePassword);
 settings.add(SSL_SETTINGS.truststoreAlgorithm);
 settings.add(SSL_SETTINGS.caPaths);
diff --git a/plugin/src/main/java/org/elasticsearch/xpack/ssl/SSLConfigurationSettings.java b/plugin/src/main/java/org/elasticsearch/xpack/ssl/SSLConfigurationSettings.java
index 248181b9b23..03a9b244137 100644
--- a/plugin/src/main/java/org/elasticsearch/xpack/ssl/SSLConfigurationSettings.java
+++ b/plugin/src/main/java/org/elasticsearch/xpack/ssl/SSLConfigurationSettings.java
@@ -47,10 +47,12 @@ public class SSLConfigurationSettings {
 public final Setting> clientAuth;
 public final Setting> verificationMode;
+ // public for PKI realm
+ public final Setting legacyTruststorePassword;
+ // pkg private for tests
 final Setting legacyKeystorePassword;
 final Setting legacyKeystoreKeyPassword;
- final Setting legacyTruststorePassword;
 final Setting legacyKeyPassword;
 private final List> allSettings;
diff --git a/plugin/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiRealmTests.java b/plugin/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiRealmTests.java
index a68f0806bc0..12869ff3104 100644
--- a/plugin/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiRealmTests.java
+++ b/plugin/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiRealmTests.java
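Review bot: The new `settings.add(SSL_SETTINGS.legacyTruststorePassword);` line registers a setting that, judging by the `assertSettingDeprecationsAndWarnings` call in the new test, is deprecated, yet nothing at the call site says why a deprecated setting is being added to the realm's setting set, so a later cleanup is likely to drop it and break validation of existing configs again. A one-line comment would pin the intent: `// deprecated non-secure truststore password; registered so existing realm configs still validate (with a deprecation warning)`. Because the new test supplies this password through ordinary node settings rather than secure settings, it is worth confirming (not visible here) that the legacy setting is declared as a filtered setting so the value is not returned by settings-exposing APIs. The enclosing method of PkiRealm starts and ends outside the hunk.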
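Review bot: `legacyTruststorePassword` is widened to a public field with only `// public for PKI realm` above it, which records who reads it but not what it is; with its three sibling legacy fields staying package-private, the asymmetry will read as accidental to the next maintainer. Replace that comment with a Javadoc such as `/** Deprecated non-secure counterpart of {@link #truststorePassword}; public so PkiRealm can register it for settings validation. */` (the deprecation is established by the new test, the pairing with `truststorePassword` is inferred from the naming and should be confirmed). The `// pkg private for tests` comment correctly moves with the remaining group, but those three fields are still undocumented. The class declaration and the rest of its members are outside the hunk.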
@@ -11,25 +11,31 @@ import java.nio.file.Files;
 import java.nio.file.Path;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
+import java.util.ArrayList;
 import java.util.Collections;
 import java.util.HashSet;
+import java.util.List;
 import java.util.Set;
 import java.util.regex.Pattern;
 import org.elasticsearch.action.ActionListener;
 import org.elasticsearch.action.support.PlainActionFuture;
+import org.elasticsearch.common.settings.ClusterSettings;
 import org.elasticsearch.common.settings.MockSecureSettings;
 import org.elasticsearch.common.settings.SecureString;
+import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
 import org.elasticsearch.env.Environment;
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.xpack.security.authc.AuthenticationResult;
 import org.elasticsearch.xpack.security.authc.RealmConfig;
+import org.elasticsearch.xpack.security.authc.RealmSettings;
 import org.elasticsearch.xpack.security.authc.support.UserRoleMapper;
 import org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken;
 import org.elasticsearch.xpack.security.support.NoOpLogger;
 import org.elasticsearch.xpack.security.user.User;
+import org.elasticsearch.xpack.ssl.SSLConfigurationSettings;
 import org.junit.Before;
 import org.mockito.Mockito;
@@ -248,6 +254,20 @@ public class PkiRealmTests extends ESTestCase {
 assertThat(token.dn(), is("EMAILADDRESS=pki@elastic.co, CN=PKI Client, OU=Security"));
 }
+ public void testPKIRealmSettingsPassValidation() throws Exception {
+ Settings settings = Settings.builder()
+ .put("xpack.security.authc.realms.pki1.type", "pki")
+ .put("xpack.security.authc.realms.pki1.truststore.path", "/foo/bar")
+ .put("xpack.security.authc.realms.pki1.truststore.password", "supersecret")
+ .build();
+ List> settingList = new ArrayList<>();
+ RealmSettings.addSettings(settingList, Collections.emptyList());
+ ClusterSettings clusterSettings = new ClusterSettings(settings, new HashSet<>(settingList));
+ clusterSettings.validate(settings);
+
+ assertSettingDeprecationsAndWarnings(new Setting[] { SSLConfigurationSettings.withoutPrefix().legacyTruststorePassword });
+ }
+
 static X509Certificate readCert(Path path) throws Exception {
 try (InputStream in = Files.newInputStream(path)) {
 CertificateFactory factory = CertificateFactory.getInstance("X.509");
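Review bot: `testPKIRealmSettingsPassValidation` only exercises the deprecated path, supplying `truststore.password` as a plain setting and asserting the deprecation warning for `legacyTruststorePassword`; the configuration the realm is meant to steer users towards, the secure counterpart registered as `SSL_SETTINGS.truststorePassword`, is never shown to validate without a warning. A sibling test that feeds the password through `MockSecureSettings` (already imported in this file) and runs the same `RealmSettings.addSettings` / `ClusterSettings.validate` sequence with no deprecated setting expected would close that gap. The method name is also ambiguous ("Pass" as in password or as in passes?) and `PKI` should be camel-cased to match the class's own `PkiRealmTests`; `public void testPkiRealmLegacyTruststorePasswordValidatesWithDeprecationWarning() throws Exception {` states what is asserted. Generic type arguments in this hunk appear stripped by the page rendering, so the `List>` and `new Setting[]` forms should be read against the actual file.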