From f30e5c3fee2746d95b0011b51b85d50f30a0c1a6 Mon Sep 17 00:00:00 2001
From: Jay Modi
Date: Wed, 13 Sep 2017 13:11:54 -0600
Subject: [PATCH] Register the legacy truststore password setting for the PKI realm (elastic/x-pack-elasticsearch#2487)

After the addition of the secure settings in 5.6, the truststore.password setting for the PKI realm was no longer registered. This would cause new nodes to fail for customers that were upgrading and had configured a PKI realm with a truststore. This change registers the setting and adds a test to ensure a realm configuration with the old setting passes validation.

Relates elastic/support-dev-help#2505

Original commit: elastic/x-pack-elasticsearch@54da044a27d87f093a65bbf75fb15f835e004ac3
---
 .../xpack/security/authc/pki/PkiRealm.java | 1 +
 .../xpack/ssl/SSLConfigurationSettings.java | 4 +++-
 .../security/authc/pki/PkiRealmTests.java | 20 +++++++++++++++++++
 3 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/plugin/src/main/java/org/elasticsearch/xpack/security/authc/pki/PkiRealm.java b/plugin/src/main/java/org/elasticsearch/xpack/security/authc/pki/PkiRealm.java
index 78f9b9e9766..c4c948ef168 100644
--- a/plugin/src/main/java/org/elasticsearch/xpack/security/authc/pki/PkiRealm.java
+++ b/plugin/src/main/java/org/elasticsearch/xpack/security/authc/pki/PkiRealm.java
@@ -209,6 +209,7 @@ public class PkiRealm extends Realm {
         settings.add(SSL_SETTINGS.truststorePath);
         settings.add(SSL_SETTINGS.truststorePassword);
+        settings.add(SSL_SETTINGS.legacyTruststorePassword);
         settings.add(SSL_SETTINGS.truststoreAlgorithm);
         settings.add(SSL_SETTINGS.caPaths);
diff --git a/plugin/src/main/java/org/elasticsearch/xpack/ssl/SSLConfigurationSettings.java b/plugin/src/main/java/org/elasticsearch/xpack/ssl/SSLConfigurationSettings.java
index 248181b9b23..03a9b244137 100644
--- a/plugin/src/main/java/org/elasticsearch/xpack/ssl/SSLConfigurationSettings.java
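Review bot: The new `settings.add(SSL_SETTINGS.legacyTruststorePassword);` line sits directly under `truststorePassword` with nothing explaining why two password settings are registered for the same truststore, so a future cleanup is likely to treat one as redundant and reintroduce the regression this commit fixes. A comment on the added line such as `// deprecated plaintext truststore.password; kept registered so realms configured before secure settings still pass validation on upgraded nodes` would pin the intent. The enclosing method starts and ends outside the hunk.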
+++ b/plugin/src/main/java/org/elasticsearch/xpack/ssl/SSLConfigurationSettings.java
@@ -47,10 +47,12 @@ public class SSLConfigurationSettings {
     public final Setting> clientAuth;
     public final Setting> verificationMode;
+    // public for PKI realm
+    public final Setting legacyTruststorePassword;
+    // pkg private for tests
     final Setting legacyKeystorePassword;
     final Setting legacyKeystoreKeyPassword;
-    final Setting legacyTruststorePassword;
     final Setting legacyKeyPassword;
     private final List> allSettings;
diff --git a/plugin/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiRealmTests.java b/plugin/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiRealmTests.java
index a68f0806bc0..12869ff3104 100644
--- a/plugin/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiRealmTests.java
+++ b/plugin/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiRealmTests.java
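Review bot: `legacyTruststorePassword` is widened to public with only `// public for PKI realm` as justification, while the sibling legacy keystore settings a few lines below stay package-private, so the asymmetry reads as an accident rather than a deliberate boundary. The declaration also carries no deprecation note, although it is the plaintext predecessor of `truststorePassword`; a comment such as `// Deprecated plaintext counterpart of truststorePassword; public only so PkiRealm can keep registering it for configs written before secure settings` would tell the next maintainer both why it is exposed and that it is not for new configuration. If registration is the only need, an accessor returning the legacy settings would be a narrower surface than a public field, though that would touch PkiRealm as well. The enclosing class declaration is outside the hunk.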
@@ -11,25 +11,31 @@
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
+import java.util.ArrayList;
 import java.util.Collections;
 import java.util.HashSet;
+import java.util.List;
 import java.util.Set;
 import java.util.regex.Pattern;
 import org.elasticsearch.action.ActionListener;
 import org.elasticsearch.action.support.PlainActionFuture;
+import org.elasticsearch.common.settings.ClusterSettings;
 import org.elasticsearch.common.settings.MockSecureSettings;
 import org.elasticsearch.common.settings.SecureString;
+import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
 import org.elasticsearch.env.Environment;
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.xpack.security.authc.AuthenticationResult;
 import org.elasticsearch.xpack.security.authc.RealmConfig;
+import org.elasticsearch.xpack.security.authc.RealmSettings;
 import org.elasticsearch.xpack.security.authc.support.UserRoleMapper;
 import org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken;
 import org.elasticsearch.xpack.security.support.NoOpLogger;
 import org.elasticsearch.xpack.security.user.User;
+import org.elasticsearch.xpack.ssl.SSLConfigurationSettings;
 import org.junit.Before;
 import org.mockito.Mockito;
@@ -248,6 +254,20 @@ public class PkiRealmTests extends ESTestCase {
         assertThat(token.dn(), is("EMAILADDRESS=pki@elastic.co, CN=PKI Client, OU=Security"));
     }
 
+    public void testPKIRealmSettingsPassValidation() throws Exception {
+        Settings settings = Settings.builder()
+                .put("xpack.security.authc.realms.pki1.type", "pki")
+                .put("xpack.security.authc.realms.pki1.truststore.path", "/foo/bar")
+                .put("xpack.security.authc.realms.pki1.truststore.password", "supersecret")
+                .build();
+        List> settingList = new ArrayList<>();
+        RealmSettings.addSettings(settingList, Collections.emptyList());
+        ClusterSettings clusterSettings = new ClusterSettings(settings, new HashSet<>(settingList));
+        clusterSettings.validate(settings);
+
+        assertSettingDeprecationsAndWarnings(new Setting[] { SSLConfigurationSettings.withoutPrefix().legacyTruststorePassword });
+    }
+
     static X509Certificate readCert(Path path) throws Exception {
         try (InputStream in = Files.newInputStream(path)) {
             CertificateFactory factory = CertificateFactory.getInstance("X.509");
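Review bot: `testPKIRealmSettingsPassValidation` exercises settings-level validation only: `/foo/bar` is never opened and `supersecret` is never used to unlock anything, so the test proves the legacy key is registered and emits its deprecation warning, but not that the value is still honoured when the realm builds its trust configuration, which is what an upgrading customer actually depends on. A companion test that constructs the realm with a real truststore fixture configured under the legacy key would close that gap; the class already carries certificate fixtures (`readCert`). A one-line comment above the method, e.g. `// regression test: truststore.password (pre-secure-settings form) must still be a known realm setting`, would make the purpose clear without reading the commit message. Consider `testPkiRealmSettingsPassValidation` to match the `PkiRealm` class naming.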