honeymoose/OpenSearch
1
0
Fork 0
mirror of https://github.com/honeymoose/OpenSearch.git synced 2025-03-01 00:19:11 +00:00
Code Issues Packages Projects Releases Wiki Activity

Security: remove SSL settings fallback (#36846)

Browse Source 
This commit removes the fallback for SSL settings. While this may be
seen as a non user friendly change, the intention behind this change
is to simplify the reasoning needed to understand what is actually
being used for a given SSL configuration. Each configuration now needs
to be explicitly specified as there is no global configuration or
fallback to some other configuration.

Closes #29797
This commit is contained in:
Jay Modi 2019-01-14 14:06:22 -07:00 committed by GitHub
parent b86621c157
commit f3edbe2911
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
63 changed files with 783 additions and 1075 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
client/rest-high-level/build.gradle
View File

@ -105,7 +105,7 @@ integTestCluster {
setting 'xpack.security.enabled', 'true' setting 'xpack.security.enabled', 'true'
setting 'xpack.security.authc.token.enabled', 'true' setting 'xpack.security.authc.token.enabled', 'true'
// Truststore settings are not used since TLS is not enabled. Included for testing the get certificates API // Truststore settings are not used since TLS is not enabled. Included for testing the get certificates API
setting 'xpack.ssl.certificate_authorities', 'testnode.crt' setting 'xpack.security.http.ssl.certificate_authorities', 'testnode.crt'
setting 'xpack.security.transport.ssl.truststore.path', 'testnode.jks' setting 'xpack.security.transport.ssl.truststore.path', 'testnode.jks'
keystoreSetting 'xpack.security.transport.ssl.truststore.secure_password', 'testnode' keystoreSetting 'xpack.security.transport.ssl.truststore.secure_password', 'testnode'
setupCommand 'setupDummyUser', setupCommand 'setupDummyUser',

10
docs/reference/migration/migrate_7_0/settings.asciidoc
View File

@ -121,3 +121,13 @@ xpack.security.authc.realms:
Any realm specific secure settings that have been stored in the elasticsearch Any realm specific secure settings that have been stored in the elasticsearch
keystore (such as ldap bind passwords, or passwords for ssl keys) must be updated keystore (such as ldap bind passwords, or passwords for ssl keys) must be updated
in a similar way. in a similar way.
[float]
[[tls-setting-fallback]]
==== TLS/SSL settings
The default TLS/SSL settings, which were prefixed by `xpack.ssl`, have been removed.
The removal of these default settings also removes the ability for a component to
fallback to a default configuration when using TLS. Each component (realm, transport, http,
http client, etc) must now be configured with their own settings for TLS if it is being
used.

26
docs/reference/security/securing-communications/configuring-tls-docker.asciidoc
View File

@ -114,11 +114,14 @@ services:
- xpack.license.self_generated.type=trial <2> - xpack.license.self_generated.type=trial <2>
- xpack.security.enabled=true - xpack.security.enabled=true
- xpack.security.http.ssl.enabled=true - xpack.security.http.ssl.enabled=true
- xpack.security.http.ssl.key=$CERTS_DIR/es01/es01.key
- xpack.security.http.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
- xpack.security.http.ssl.certificate=$CERTS_DIR/es01/es01.crt
- xpack.security.transport.ssl.enabled=true - xpack.security.transport.ssl.enabled=true
- xpack.security.transport.ssl.verification_mode=certificate <3> - xpack.security.transport.ssl.verification_mode=certificate <3>
- xpack.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt - xpack.security.transport.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
- xpack.ssl.certificate=$CERTS_DIR/es01/es01.crt - xpack.security.transport.ssl.certificate=$CERTS_DIR/es01/es01.crt
- xpack.ssl.key=$CERTS_DIR/es01/es01.key - xpack.security.transport.ssl.key=$CERTS_DIR/es01/es01.key
volumes: ['esdata_01:/usr/share/elasticsearch/data', './certs:$CERTS_DIR'] volumes: ['esdata_01:/usr/share/elasticsearch/data', './certs:$CERTS_DIR']
ports: ports:
- 9200:9200 - 9200:9200
@ -140,11 +143,14 @@ services:
- xpack.license.self_generated.type=trial - xpack.license.self_generated.type=trial
- xpack.security.enabled=true - xpack.security.enabled=true
- xpack.security.http.ssl.enabled=true - xpack.security.http.ssl.enabled=true
- xpack.security.http.ssl.key=$CERTS_DIR/es02/es02.key
- xpack.security.http.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
- xpack.security.http.ssl.certificate=$CERTS_DIR/es02/es02.crt
- xpack.security.transport.ssl.enabled=true - xpack.security.transport.ssl.enabled=true
- xpack.security.transport.ssl.verification_mode=certificate - xpack.security.transport.ssl.verification_mode=certificate <3>
- xpack.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt - xpack.security.transport.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
- xpack.ssl.certificate=$CERTS_DIR/es02/es02.crt - xpack.security.transport.ssl.certificate=$CERTS_DIR/es02/es02.crt
- xpack.ssl.key=$CERTS_DIR/es02/es02.key - xpack.security.transport.ssl.key=$CERTS_DIR/es02/es02.key
volumes: ['esdata_02:/usr/share/elasticsearch/data', './certs:$CERTS_DIR'] volumes: ['esdata_02:/usr/share/elasticsearch/data', './certs:$CERTS_DIR']
wait_until_ready: wait_until_ready:
@ -199,9 +205,9 @@ WARNING: Windows users not running PowerShell will need to remove `\` and join l
---- ----
docker exec es01 /bin/bash -c "bin/elasticsearch-setup-passwords \ docker exec es01 /bin/bash -c "bin/elasticsearch-setup-passwords \
auto --batch \ auto --batch \
-Expack.ssl.certificate=certificates/es01/es01.crt \ -Expack.security.http.ssl.certificate=certificates/es01/es01.crt \
-Expack.ssl.certificate_authorities=certificates/ca/ca.crt \ -Expack.security.http.ssl.certificate_authorities=certificates/ca/ca.crt \
-Expack.ssl.key=certificates/es01/es01.key \ -Expack.security.http.ssl.key=certificates/es01/es01.key \
--url https://localhost:9200" --url https://localhost:9200"
---- ----
-- --

4
docs/reference/security/securing-communications/tls-transport.asciidoc
View File

@ -25,7 +25,7 @@ xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12 <3>
<1> If you used the `--dns` or `--ip` options with the `elasticsearch-certutil cert` command <1> If you used the `--dns` or `--ip` options with the `elasticsearch-certutil cert` command
and you want to enable strict hostname checking, set the verification mode to and you want to enable strict hostname checking, set the verification mode to
`full`. `full`.
See <<ssl-tls-settings, `xpack.ssl.verification_mode`>> for a description of these values. See <<ssl-tls-settings, `xpack.security.transport.ssl.verification_mode`>> for a description of these values.
<2> If you created a separate certificate for each node, then you might need to <2> If you created a separate certificate for each node, then you might need to
customize this path on each node. If the filename matches the node name, you can customize this path on each node. If the filename matches the node name, you can
@ -54,7 +54,7 @@ xpack.security.transport.ssl.certificate_authorities: [ "/home/es/config/ca.crt"
<1> If you used the `--dns` or `--ip` options with the `elasticsearch-certutil cert` command <1> If you used the `--dns` or `--ip` options with the `elasticsearch-certutil cert` command
and you want to enable strict hostname checking, set the verification mode to and you want to enable strict hostname checking, set the verification mode to
`full`. `full`.
See <<ssl-tls-settings, `xpack.ssl.verification_mode`>> for a description of these values. See <<ssl-tls-settings, `xpack.security.transport.ssl.verification_mode`>> for a description of these values.
<2> The full path to the node key file. This must be a location within the <2> The full path to the node key file. This must be a location within the
{es} configuration directory. {es} configuration directory.
<3> The full path to the node certificate. This must be a location within the <3> The full path to the node certificate. This must be a location within the

187
docs/reference/settings/security-settings.asciidoc
View File

@ -475,20 +475,18 @@ The default is `jks`.
`ssl.verification_mode`:: `ssl.verification_mode`::
Indicates the type of verification when using `ldaps` to protect against man Indicates the type of verification when using `ldaps` to protect against man
in the middle attacks and certificate forgery. Values are `none`, `certificate`, in the middle attacks and certificate forgery. Values are `none`, `certificate`,
and `full`. Defaults to the value of `xpack.ssl.verification_mode`. and `full`. Defaults to `full`.
+ +
See <<ssl-tls-settings,`xpack.ssl.verification_mode`>> for an explanation of See <<ssl-tls-settings,`ssl.verification_mode`>> for an explanation of these values.
these values.
`ssl.supported_protocols`:: `ssl.supported_protocols`::
Supported protocols for TLS/SSL (with versions). Defaults to the value of Supported protocols for TLS/SSL (with versions). Defaults to `TLSv1.2,TLSv1.1,TLSv1`.
`xpack.ssl.supported_protocols`.
`ssl.cipher_suites`:: Specifies the cipher suites that should be supported when `ssl.cipher_suites`:: Specifies the cipher suites that should be supported when
communicating with the LDAP server. communicating with the LDAP server.
Supported cipher suites can be found in Oracle's http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html[ Supported cipher suites can be found in Oracle's http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html[
Java Cryptography Architecture documentation]. Defaults to the value of Java Cryptography Architecture documentation]. See <<ssl-tls-settings,`ssl.cipher_suites`>>
`xpack.ssl.cipher_suites`. for the default value.
`cache.ttl`:: `cache.ttl`::
Specifies the time-to-live for cached user entries. A user and a hash of its Specifies the time-to-live for cached user entries. A user and a hash of its
@ -721,20 +719,18 @@ The default is `jks`.
`ssl.verification_mode`:: `ssl.verification_mode`::
Indicates the type of verification when using `ldaps` to protect against man Indicates the type of verification when using `ldaps` to protect against man
in the middle attacks and certificate forgery. Values are `none`, `certificate`, in the middle attacks and certificate forgery. Values are `none`, `certificate`,
and `full`. Defaults to the value of `xpack.ssl.verification_mode`. and `full`. Defaults to `full`.
+ +
See <<ssl-tls-settings,`xpack.ssl.verification_mode`>> for an explanation of See <<ssl-tls-settings,`ssl.verification_mode`>> for an explanation of these values.
these values.
`ssl.supported_protocols`:: `ssl.supported_protocols`::
Supported protocols for TLS/SSL (with versions). Defaults to the value of Supported protocols for TLS/SSL (with versions). Defaults to `TLSv1.2, TLSv1.1, TLSv1`.
`xpack.ssl.supported_protocols`.
`ssl.cipher_suites`:: Specifies the cipher suites that should be supported when `ssl.cipher_suites`:: Specifies the cipher suites that should be supported when
communicating with the Active Directory server. communicating with the Active Directory server.
Supported cipher suites can be found in Oracle's http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html[ Supported cipher suites can be found in Oracle's http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html[
Java Cryptography Architecture documentation]. Defaults to the value of Java Cryptography Architecture documentation]. See <<ssl-tls-settings,`ssl.cipher_suites`>> for
`xpack.ssl.cipher_suites`. the default values.
`cache.ttl`:: `cache.ttl`::
Specifies the time-to-live for cached user entries. A user and a hash of its Specifies the time-to-live for cached user entries. A user and a hash of its
@ -1133,8 +1129,7 @@ One of `full`
certificate path, but not the hostname) or `none` (perform no verification). certificate path, but not the hostname) or `none` (perform no verification).
Defaults to `full`. Defaults to `full`.
+ +
See <<ssl-tls-settings,`xpack.ssl.verification_mode`>> for a more detailed See <<ssl-tls-settings,`ssl.verification_mode`>> for a more detailed explanation of these values.
explanation of these values.
`ssl.supported_protocols`:: `ssl.supported_protocols`::
Specifies the supported protocols for TLS/SSL. Specifies the supported protocols for TLS/SSL.
@ -1204,14 +1199,12 @@ through the list of URLs will continue until a successful connection is made.
[float] [float]
[[ssl-tls-settings]] [[ssl-tls-settings]]
==== Default TLS/SSL settings ==== Default values for TLS/SSL settings
You can configure the following TLS/SSL settings in In general, the values below represent the default values for the various TLS
`elasticsearch.yml`. For more information, see settings. For more information, see
{stack-ov}/encrypting-communications.html[Encrypting communications]. These {stack-ov}/encrypting-communications.html[Encrypting communications].
settings are used unless they have been overridden by more specific
settings such as those for HTTP or Transport.
`xpack.ssl.supported_protocols`:: `ssl.supported_protocols`::
Supported protocols with versions. Valid protocols: `SSLv2Hello`, Supported protocols with versions. Valid protocols: `SSLv2Hello`,
`SSLv3`, `TLSv1`, `TLSv1.1`, `TLSv1.2`. Defaults to `TLSv1.2`, `TLSv1.1`, `SSLv3`, `TLSv1`, `TLSv1.1`, `TLSv1.2`. Defaults to `TLSv1.2`, `TLSv1.1`,
`TLSv1`. `TLSv1`.
@ -1221,15 +1214,15 @@ NOTE: If `xpack.security.fips_mode.enabled` is `true`, you cannot use `SSLv2Hell
or `SSLv3`. See <<fips-140-compliance>>. or `SSLv3`. See <<fips-140-compliance>>.
-- --
`xpack.ssl.client_authentication`:: `ssl.client_authentication`::
Controls the server's behavior in regard to requesting a certificate Controls the server's behavior in regard to requesting a certificate
from client connections. Valid values are `required`, `optional`, and `none`. from client connections. Valid values are `required`, `optional`, and `none`.
`required` forces a client to present a certificate, while `optional` `required` forces a client to present a certificate, while `optional`
requests a client certificate but the client is not required to present one. requests a client certificate but the client is not required to present one.
Defaults to `required`. This global setting is not applicable for HTTP, see Defaults to `required`, except for HTTP, which defaults to `none`. See
<<http-tls-ssl-settings>>. <<http-tls-ssl-settings>>.
`xpack.ssl.verification_mode`:: `ssl.verification_mode`::
Controls the verification of certificates. Valid values are: Controls the verification of certificates. Valid values are:
- `full`, which verifies that the provided certificate is signed by a trusted - `full`, which verifies that the provided certificate is signed by a trusted
authority (CA) and also verifies that the server's hostname (or IP authority (CA) and also verifies that the server's hostname (or IP
@ -1244,7 +1237,7 @@ Controls the verification of certificates. Valid values are:
+ +
The default value is `full`. The default value is `full`.
`xpack.ssl.cipher_suites`:: `ssl.cipher_suites`::
Supported cipher suites can be found in Oracle's http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html[ Supported cipher suites can be found in Oracle's http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html[
Java Cryptography Architecture documentation]. Defaults to `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`, Java Cryptography Architecture documentation]. Defaults to `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`,
`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`,
@ -1255,112 +1248,15 @@ Jurisdiction Policy Files_ has been installed, the default value also includes `
[float] [float]
[[tls-ssl-key-settings]] [[tls-ssl-key-settings]]
===== Default TLS/SSL key and trusted certificate settings ===== TLS/SSL key and trusted certificate settings
The following settings are used to specify a private key, certificate, and the The following settings are used to specify a private key, certificate, and the
trusted certificates that should be used when communicating over an SSL/TLS connection. trusted certificates that should be used when communicating over an SSL/TLS
If none of the settings below are specified, the connection. If no trusted certificates are configured, the default certificates
<<ssl-tls-settings,default settings>> are used. If no trusted certificates are configured, the default certificates that are trusted by the JVM will be that are trusted by the JVM will be trusted along with the certificate(s)
trusted along with the certificate(s) from the <<tls-ssl-key-settings, key settings>>. The key and certificate must be in place associated with a key in the same context. The key and certificate must be in
for connections that require client authentication or when acting as a SSL enabled server. place for connections that require client authentication or when acting as a
SSL enabled server.
[float]
===== PEM encoded files
When using PEM encoded files, use the following settings:
`xpack.ssl.key`::
Path to the PEM encoded file containing the private key.
`xpack.ssl.key_passphrase`::
The passphrase that is used to decrypt the private key. This value is
optional as the key might not be encrypted.
`xpack.ssl.secure_key_passphrase` (<<secure-settings,Secure>>)::
The passphrase that is used to decrypt the private key. This value is
optional as the key might not be encrypted.
`xpack.ssl.certificate`::
Path to a PEM encoded file containing the certificate (or certificate chain)
that will be presented to clients when they connect.
`xpack.ssl.certificate_authorities`::
List of paths to the PEM encoded certificate files that should be trusted.
[float]
===== Java keystore files
When using Java keystore files (JKS), which contain the private key, certificate
and certificates that should be trusted, use the following settings:
`xpack.ssl.keystore.path`::
Path to the keystore that holds the private key and certificate.
`xpack.ssl.keystore.password`::
Password to the keystore.
`xpack.ssl.keystore.secure_password` (<<secure-settings,Secure>>)::
Password to the keystore.
`xpack.ssl.keystore.key_password`::
Password for the private key in the keystore. Defaults to the
same value as `xpack.ssl.keystore.password`.
`xpack.ssl.keystore.secure_key_password` (<<secure-settings,Secure>>)::
Password for the private key in the keystore.
`xpack.ssl.truststore.path`::
Path to the truststore file.
`xpack.ssl.truststore.password`::
Password to the truststore.
`xpack.ssl.truststore.secure_password` (<<secure-settings,Secure>>)::
Password to the truststore.
WARNING: If `xpack.security.fips_mode.enabled` is `true`, you cannot use Java
keystore files. See <<fips-140-compliance>>.
[float]
===== PKCS#12 files
When using PKCS#12 container files (`.p12` or `.pfx`), which contain the
private key, certificate, and certificates that should be trusted, use
the following settings:
`xpack.ssl.keystore.path`::
Path to the PKCS#12 file that holds the private key and certificate.
`xpack.ssl.keystore.type`::
Set this to `PKCS12`.
`xpack.ssl.keystore.password`::
Password to the PKCS#12 file.
`xpack.ssl.keystore.secure_password` (<<secure-settings,Secure>>)::
Password to the PKCS#12 file.
`xpack.ssl.keystore.key_password`::
Password for the private key in the PKCS12 file.
Defaults to the same value as `xpack.ssl.keystore.password`.
`xpack.ssl.keystore.secure_key_password` (<<secure-settings,Secure>>)::
Password for the private key in the PKCS12 file.
`xpack.ssl.truststore.path`::
Path to the truststore file.
`xpack.ssl.truststore.type`::
Set this to `PKCS12`.
`xpack.ssl.truststore.password`::
Password to the truststore.
`xpack.ssl.truststore.secure_password` (<<secure-settings,Secure>>)::
Password to the truststore.
WARNING: If `xpack.security.fips_mode.enabled` is `true`, you cannot use PKCS#12
keystore files. See <<fips-140-compliance>>.
[[pkcs12-truststore-note]] [[pkcs12-truststore-note]]
[NOTE] [NOTE]
@ -1375,33 +1271,6 @@ a PKCS#12 container includes trusted certificate ("anchor") entries look for
`openssl pkcs12 -info` output, or `trustedCertEntry` in the `openssl pkcs12 -info` output, or `trustedCertEntry` in the
`keytool -list` output. `keytool -list` output.
[float]
===== PKCS#11 tokens
When using a PKCS#11 cryptographic token, which contains the
private key, certificate, and certificates that should be trusted, use
the following settings:
`xpack.ssl.keystore.type`::
Set this to `PKCS11`.
`xpack.ssl.truststore.type`::
Set this to `PKCS11`.
[[pkcs11-truststore-note]]
[NOTE]
When configuring the PKCS#11 token that your JVM is configured to use as
a keystore or a truststore for Elasticsearch, the PIN for the token can be
configured by setting the appropriate value to `xpack.ssl.truststore.password`
or `xpack.ssl.truststore.secure_password`. In the absence of the above, {es} will
fallback to use he appropriate JVM setting (`-Djavax.net.ssl.trustStorePassword`)
if that is set.
Since there can only be one PKCS#11 token configured, only one keystore and
truststore will be usable for configuration in {es}. This in turn means
that only one certificate can be used for TLS both in the transport and the
http layer.
[[http-tls-ssl-settings]] [[http-tls-ssl-settings]]
:ssl-prefix: xpack.security.http :ssl-prefix: xpack.security.http
:component: HTTP :component: HTTP
@ -1435,7 +1304,7 @@ append the portion of the setting after `xpack.security.transport.`. For the key
setting, this would be `transport.profiles.$PROFILE.xpack.security.ssl.key`. setting, this would be `transport.profiles.$PROFILE.xpack.security.ssl.key`.
[[auditing-tls-ssl-settings]] [[auditing-tls-ssl-settings]]
:ssl-prefix: xpack.security.audit.index.client.xpack :ssl-prefix: xpack.security.audit.index.client.xpack.security.transport
:component: Auditing :component: Auditing
:client-auth-default!: :client-auth-default!:
:server!: :server!:

21
docs/reference/settings/ssl-settings.asciidoc
View File

@ -12,7 +12,7 @@ endif::server[]
+{ssl-prefix}.ssl.supported_protocols+:: +{ssl-prefix}.ssl.supported_protocols+::
Supported protocols with versions. Valid protocols: `SSLv2Hello`, Supported protocols with versions. Valid protocols: `SSLv2Hello`,
`SSLv3`, `TLSv1`, `TLSv1.1`, `TLSv1.2`. Defaults to `TLSv1.2`, `TLSv1.1`, `SSLv3`, `TLSv1`, `TLSv1.1`, `TLSv1.2`. Defaults to `TLSv1.2`, `TLSv1.1`,
`TLSv1`. Defaults to the value of `xpack.ssl.supported_protocols`. `TLSv1`.
ifdef::server[] ifdef::server[]
+{ssl-prefix}.ssl.client_authentication+:: +{ssl-prefix}.ssl.client_authentication+::
@ -21,7 +21,7 @@ from client connections. Valid values are `required`, `optional`, and `none`.
`required` forces a client to present a certificate, while `optional` `required` forces a client to present a certificate, while `optional`
requests a client certificate but the client is not required to present one. requests a client certificate but the client is not required to present one.
ifndef::client-auth-default[] ifndef::client-auth-default[]
Defaults to the value of `xpack.ssl.client_authentication`. Defaults to `none``.
endif::client-auth-default[] endif::client-auth-default[]
ifdef::client-auth-default[] ifdef::client-auth-default[]
Defaults to +{client-auth-default}+. Defaults to +{client-auth-default}+.
@ -31,15 +31,12 @@ endif::server[]
ifdef::verifies[] ifdef::verifies[]
+{ssl-prefix}.ssl.verification_mode+:: +{ssl-prefix}.ssl.verification_mode+::
Controls the verification of certificates. Valid values are `none`, Controls the verification of certificates. Valid values are `none`,
`certificate`, and `full`. `certificate`, and `full`. Defaults to `full`.
See <<ssl-tls-settings, `xpack.ssl.verification_mode`>> for a description of these values.
Defaults to the value of `xpack.ssl.verification_mode`.
endif::verifies[] endif::verifies[]
+{ssl-prefix}.ssl.cipher_suites+:: +{ssl-prefix}.ssl.cipher_suites+::
Supported cipher suites can be found in Oracle's http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html[ Supported cipher suites can be found in Oracle's http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html[
Java Cryptography Architecture documentation]. Defaults to the value of Java Cryptography Architecture documentation]. Defaults to ``.
`xpack.ssl.cipher_suites`.
===== {component} TLS/SSL Key and Trusted Certificate Settings ===== {component} TLS/SSL Key and Trusted Certificate Settings
@ -159,3 +156,13 @@ Set this to `PKCS11` to indicate that the PKCS#11 token should be used as a keys
+{ssl-prefix}.truststore.type+:: +{ssl-prefix}.truststore.type+::
Set this to `PKCS11` to indicate that the PKCS#11 token should be used as a truststore. Set this to `PKCS11` to indicate that the PKCS#11 token should be used as a truststore.
[NOTE]
When configuring the PKCS#11 token that your JVM is configured to use as
a keystore or a truststore for Elasticsearch, the PIN for the token can be
configured by setting the appropriate value to `ssl.truststore.password`
or `ssl.truststore.secure_password` in the context that you are configuring.
Since there can only be one PKCS#11 token configured, only one keystore and
truststore will be usable for configuration in {es}. This in turn means
that only one certificate can be used for TLS both in the transport and the
http layer.

10
x-pack/docs/en/rest-api/security/ssl.asciidoc
View File

@ -22,16 +22,16 @@ Transport Layer Security (TLS), see
The API returns a list that includes certificates from all TLS contexts The API returns a list that includes certificates from all TLS contexts
including: including:
* Default {es} TLS settings
* Settings for transport and HTTP interfaces * Settings for transport and HTTP interfaces
* TLS settings that are used within authentication realms * TLS settings that are used within authentication realms
* TLS settings for remote monitoring exporters * TLS settings for remote monitoring exporters
The list includes certificates that are used for configuring trust, such as The list includes certificates that are used for configuring trust, such as
those configured in the `xpack.ssl.truststore` and those configured in the `xpack.security.transport.ssl.truststore` and
`xpack.ssl.certificate_authorities` settings. It also includes certificates that `xpack.security.transport.ssl.certificate_authorities` settings. It also
that are used for configuring server identity, such as `xpack.ssl.keystore` and includes certificates that are used for configuring server identity, such as
`xpack.ssl.certificate` settings. `xpack.security.http.ssl.keystore` and
`xpack.security.http.ssl.certificate` settings.
The list does not include certificates that are sourced from the default SSL The list does not include certificates that are sourced from the default SSL
context of the Java Runtime Environment (JRE), even if those certificates are in context of the Java Runtime Environment (JRE), even if those certificates are in

16
x-pack/docs/en/security/auditing/forwarding-logs.asciidoc
View File

@ -46,8 +46,8 @@ to the `elasticsearch.yml` file:
[source,yaml] [source,yaml]
----------------------------------------------------------- -----------------------------------------------------------
xpack.security.audit.index.client.xpack.security.transport.ssl.enabled: true xpack.security.audit.index.client.xpack.security.transport.ssl.enabled: true
xpack.security.audit.index.client.xpack.ssl.keystore.path: certs/remote-elastic-certificates.p12 xpack.security.audit.index.client.xpack.security.transport.ssl.keystore.path: certs/remote-elastic-certificates.p12
xpack.security.audit.index.client.xpack.ssl.truststore.path: certs/remote-elastic-certificates.p12 xpack.security.audit.index.client.xpack.security.transport.ssl.truststore.path: certs/remote-elastic-certificates.p12
----------------------------------------------------------- -----------------------------------------------------------
For more information about these settings, see For more information about these settings, see
@ -61,9 +61,9 @@ For more information about these settings, see
[source, yaml] [source, yaml]
-------------------------------------------------- --------------------------------------------------
xpack.security.audit.index.client.xpack.security.transport.ssl.enabled: true xpack.security.audit.index.client.xpack.security.transport.ssl.enabled: true
xpack.security.audit.index.client.xpack.ssl.key: /home/es/config/audit-client.key xpack.security.audit.index.client.xpack.security.transport.ssl.key: /home/es/config/audit-client.key
xpack.security.audit.index.client.xpack.ssl.certificate: /home/es/config/audit-client.crt xpack.security.audit.index.client.xpack.security.transport.ssl.certificate: /home/es/config/audit-client.crt
xpack.security.audit.index.client.xpack.ssl.certificate_authorities: [ "/home/es/config/remote-ca.crt" ] xpack.security.audit.index.client.xpack.security.transport.ssl.certificate_authorities: [ "/home/es/config/remote-ca.crt" ]
-------------------------------------------------- --------------------------------------------------
For more information about these settings, see For more information about these settings, see
@ -78,9 +78,9 @@ your {es} keystore:
-- --
[source,shell] [source,shell]
----------------------------------------------------------- -----------------------------------------------------------
bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.ssl.keystore.secure_password bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.security.transport.ssl.keystore.secure_password
bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.ssl.truststore.secure_password bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.security.transport.ssl.truststore.secure_password
----------------------------------------------------------- -----------------------------------------------------------
-- --
@ -89,7 +89,7 @@ bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.ssl.trust
-- --
[source,shell] [source,shell]
----------------------------------------------------------- -----------------------------------------------------------
bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.ssl.secure_key_passphrase bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.security.transport.ssl.secure_key_passphrase
----------------------------------------------------------- -----------------------------------------------------------
-- --

2
x-pack/docs/en/security/authentication/configuring-pki-realm.asciidoc
View File

@ -90,7 +90,7 @@ In particular this means:
* The interface must _trust_ the certificate that is presented by the client * The interface must _trust_ the certificate that is presented by the client
by configuring either the `truststore` or `certificate_authorities` paths, by configuring either the `truststore` or `certificate_authorities` paths,
or by setting `verification_mode` to `none`. See or by setting `verification_mode` to `none`. See
<<ssl-tls-settings,`xpack.ssl.verification_mode`>> for an explanation of this <<ssl-tls-settings,`ssl.verification_mode`>> for an explanation of this
setting. setting.
* The _protocols_ supported by the interface must be compatible with those * The _protocols_ supported by the interface must be compatible with those
used by the client. used by the client.

18
x-pack/docs/en/security/ccs-clients-integrations/java.asciidoc
View File

@ -105,9 +105,10 @@ import org.elasticsearch.xpack.client.PreBuiltXPackTransportClient;
TransportClient client = new PreBuiltXPackTransportClient(Settings.builder() TransportClient client = new PreBuiltXPackTransportClient(Settings.builder()
.put("cluster.name", "myClusterName") .put("cluster.name", "myClusterName")
.put("xpack.security.user", "transport_client_user:x-pack-test-password") .put("xpack.security.user", "transport_client_user:x-pack-test-password")
.put("xpack.ssl.key", "/path/to/client.key") .put("xpack.security.transport.ssl.enabled", true)
.put("xpack.ssl.certificate", "/path/to/client.crt") .put("xpack.security.transport.ssl.key", "/path/to/client.key")
.put("xpack.ssl.certificate_authorities", "/path/to/ca.crt") .put("xpack.security.transport.ssl.certificate", "/path/to/client.crt")
.put("xpack.security.transport.ssl.certificate_authorities", "/path/to/ca.crt")
... ...
.build()); .build());
-------------------------------------------------------------------------------------------------- --------------------------------------------------------------------------------------------------
@ -125,9 +126,10 @@ import org.elasticsearch.xpack.client.PreBuiltXPackTransportClient;
TransportClient client = new PreBuiltXPackTransportClient(Settings.builder() TransportClient client = new PreBuiltXPackTransportClient(Settings.builder()
.put("cluster.name", "myClusterName") .put("cluster.name", "myClusterName")
.put("xpack.security.user", "transport_client_user:x-pack-test-password") .put("xpack.security.user", "transport_client_user:x-pack-test-password")
.put("xpack.ssl.key", "/path/to/client.key") .put("xpack.security.transport.ssl.enabled", true)
.put("xpack.ssl.certificate", "/path/to/client.crt") .put("xpack.security.transport.ssl.key", "/path/to/client.key")
.put("xpack.ssl.certificate_authorities", "/path/to/ca.crt") .put("xpack.security.transport.ssl.certificate", "/path/to/client.crt")
.put("xpack.security.transport.ssl.certificate_authorities", "/path/to/ca.crt")
.put("xpack.security.transport.ssl.enabled", "true") .put("xpack.security.transport.ssl.enabled", "true")
... ...
.build()) .build())
@ -155,7 +157,7 @@ import org.elasticsearch.xpack.client.PreBuiltXPackTransportClient;
TransportClient client = new PreBuiltXPackTransportClient(Settings.builder() TransportClient client = new PreBuiltXPackTransportClient(Settings.builder()
.put("cluster.name", "myClusterName") .put("cluster.name", "myClusterName")
.put("xpack.security.user", "test_user:x-pack-test-password") .put("xpack.security.user", "test_user:x-pack-test-password")
.put("xpack.ssl.certificate_authorities", "/path/to/ca.crt") .put("xpack.security.transport.ssl.certificate_authorities", "/path/to/ca.crt")
.put("xpack.security.transport.ssl.enabled", "true") .put("xpack.security.transport.ssl.enabled", "true")
... ...
.build()) .build())
@ -164,7 +166,7 @@ TransportClient client = new PreBuiltXPackTransportClient(Settings.builder()
------------------------------------------------------------------------------------------------------ ------------------------------------------------------------------------------------------------------
NOTE: If you are using a public CA that is already trusted by the Java runtime, NOTE: If you are using a public CA that is already trusted by the Java runtime,
you do not need to set the `xpack.ssl.certificate_authorities`. you do not need to set the `xpack.security.transport.ssl.certificate_authorities`.
[float] [float]
[[connecting-anonymously]] [[connecting-anonymously]]

6
x-pack/docs/en/security/fips-140-compliance.asciidoc
View File

@ -50,12 +50,12 @@ and able to run {es} successfully in a FIPS 140-2 enabled JVM.
==== TLS ==== TLS
SSLv2 and SSLv3 are not allowed by FIPS 140-2, so `SSLv2Hello` and `SSLv3` cannot SSLv2 and SSLv3 are not allowed by FIPS 140-2, so `SSLv2Hello` and `SSLv3` cannot
be used for <<ssl-tls-settings, xpack.ssl.supported_protocols>> be used for <<ssl-tls-settings, `ssl.supported_protocols`>>
NOTE: The use of TLS ciphers is mainly governed by the relevant crypto module NOTE: The use of TLS ciphers is mainly governed by the relevant crypto module
(the FIPS Approved Security Provider that your JVM uses). All the ciphers that (the FIPS Approved Security Provider that your JVM uses). All the ciphers that
are configured by default in {es} are FIPS 140-2 compliant and as such can be are configured by default in {es} are FIPS 140-2 compliant and as such can be
used in a FIPS 140-2 JVM. (see <<ssl-tls-settings, xpack.ssl.cipher_suites>>) used in a FIPS 140-2 JVM. (see <<ssl-tls-settings, `ssl.cipher_suites`>>)
[float] [float]
==== TLS Keystores and keys ==== TLS Keystores and keys
@ -71,7 +71,7 @@ options, and for trust material you can use `*.certificate_authorities`.
FIPS 140-2 compliance dictates that the length of the public keys used for TLS FIPS 140-2 compliance dictates that the length of the public keys used for TLS
must correspond to the strength of the symmetric key algorithm in use in TLS. must correspond to the strength of the symmetric key algorithm in use in TLS.
Depending on the value of <<ssl-tls-settings, xpack.ssl.cipher_suites>> that Depending on the value of <<ssl-tls-settings, `ssl.cipher_suites`>> that
you select to use, the TLS keys must have corresponding length according to you select to use, the TLS keys must have corresponding length according to
the following table: the following table:

5
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/XPackSettings.java
View File

@ -159,10 +159,6 @@ public class XPackSettings {
public static final SSLClientAuth HTTP_CLIENT_AUTH_DEFAULT = SSLClientAuth.NONE; public static final SSLClientAuth HTTP_CLIENT_AUTH_DEFAULT = SSLClientAuth.NONE;
public static final VerificationMode VERIFICATION_MODE_DEFAULT = VerificationMode.FULL; public static final VerificationMode VERIFICATION_MODE_DEFAULT = VerificationMode.FULL;
// global settings that apply to everything!
public static final String GLOBAL_SSL_PREFIX = "xpack.ssl.";
private static final SSLConfigurationSettings GLOBAL_SSL = SSLConfigurationSettings.withPrefix(GLOBAL_SSL_PREFIX);
// http specific settings // http specific settings
public static final String HTTP_SSL_PREFIX = SecurityField.setting("http.ssl."); public static final String HTTP_SSL_PREFIX = SecurityField.setting("http.ssl.");
private static final SSLConfigurationSettings HTTP_SSL = SSLConfigurationSettings.withPrefix(HTTP_SSL_PREFIX); private static final SSLConfigurationSettings HTTP_SSL = SSLConfigurationSettings.withPrefix(HTTP_SSL_PREFIX);
@ -174,7 +170,6 @@ public class XPackSettings {
/** Returns all settings created in {@link XPackSettings}. */ /** Returns all settings created in {@link XPackSettings}. */
public static List<Setting<?>> getAllSettings() { public static List<Setting<?>> getAllSettings() {
ArrayList<Setting<?>> settings = new ArrayList<>(); ArrayList<Setting<?>> settings = new ArrayList<>();
settings.addAll(GLOBAL_SSL.getAllSettings());
settings.addAll(HTTP_SSL.getAllSettings()); settings.addAll(HTTP_SSL.getAllSettings());
settings.addAll(TRANSPORT_SSL.getAllSettings()); settings.addAll(TRANSPORT_SSL.getAllSettings());
settings.add(SECURITY_ENABLED); settings.add(SECURITY_ENABLED);

15
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/transport/netty4/SecurityNetty4Transport.java
View File

@ -83,13 +83,22 @@ public class SecurityNetty4Transport extends Netty4Transport {
Set<String> profileNames = settings.getGroups("transport.profiles.", true).keySet(); Set<String> profileNames = settings.getGroups("transport.profiles.", true).keySet();
Map<String, SSLConfiguration> profileConfiguration = new HashMap<>(profileNames.size() + 1); Map<String, SSLConfiguration> profileConfiguration = new HashMap<>(profileNames.size() + 1);
for (String profileName : profileNames) { for (String profileName : profileNames) {
if (profileName.equals(TransportSettings.DEFAULT_PROFILE)) {
// don't attempt to parse ssl settings from the profile;
// profiles need to be killed with fire
if (settings.getByPrefix("transport.profiles.default.xpack.security.ssl.").isEmpty()) {
continue;
} else {
throw new IllegalArgumentException("SSL settings should not be configured for the default profile. " +
"Use the [xpack.security.transport.ssl] settings instead.");
}
}
SSLConfiguration configuration = sslService.getSSLConfiguration("transport.profiles." + profileName + "." + setting("ssl")); SSLConfiguration configuration = sslService.getSSLConfiguration("transport.profiles." + profileName + "." + setting("ssl"));
profileConfiguration.put(profileName, configuration); profileConfiguration.put(profileName, configuration);
} }
if (profileConfiguration.containsKey(TransportSettings.DEFAULT_PROFILE) == false) { assert profileConfiguration.containsKey(TransportSettings.DEFAULT_PROFILE) == false;
profileConfiguration.put(TransportSettings.DEFAULT_PROFILE, defaultConfiguration); profileConfiguration.put(TransportSettings.DEFAULT_PROFILE, defaultConfiguration);
}
return profileConfiguration; return profileConfiguration;
} }

8
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/DefaultJDKTrustConfig.java
View File

@ -25,6 +25,7 @@ import java.util.Arrays;
import java.util.Collection; import java.util.Collection;
import java.util.Collections; import java.util.Collections;
import java.util.List; import java.util.List;
import java.util.Objects;
/** /**
* This class represents a trust configuration that corresponds to the default trusted certificates of the JDK * This class represents a trust configuration that corresponds to the default trusted certificates of the JDK
@ -71,12 +72,15 @@ class DefaultJDKTrustConfig extends TrustConfig {
@Override @Override
public boolean equals(Object o) { public boolean equals(Object o) {
return o == this; if (this == o) return true;
if (o == null || getClass() != o.getClass()) return false;
DefaultJDKTrustConfig that = (DefaultJDKTrustConfig) o;
return Objects.equals(trustStorePassword, that.trustStorePassword);
} }
@Override @Override
public int hashCode() { public int hashCode() {
return System.identityHashCode(this); return Objects.hash(trustStorePassword);
} }
/** /**

67
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLConfiguration.java
View File

@ -13,16 +13,11 @@ import org.elasticsearch.env.Environment;
import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.XPackSettings;
import org.elasticsearch.xpack.core.ssl.cert.CertificateInfo; import org.elasticsearch.xpack.core.ssl.cert.CertificateInfo;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;
import java.io.IOException; import java.io.IOException;
import java.nio.file.Path; import java.nio.file.Path;
import java.security.GeneralSecurityException; import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.List; import java.util.List;
import java.util.Objects;
import static org.elasticsearch.xpack.core.ssl.SSLConfigurationSettings.getKeyStoreType; import static org.elasticsearch.xpack.core.ssl.SSLConfigurationSettings.getKeyStoreType;
@ -51,32 +46,14 @@ public final class SSLConfiguration {
* @param settings the SSL specific settings; only the settings under a *.ssl. prefix * @param settings the SSL specific settings; only the settings under a *.ssl. prefix
*/ */
SSLConfiguration(Settings settings) { SSLConfiguration(Settings settings) {
this.keyConfig = createKeyConfig(settings, (SSLConfiguration) null); this.keyConfig = createKeyConfig(settings);
this.trustConfig = createTrustConfig(settings, keyConfig, null); this.trustConfig = createTrustConfig(settings, keyConfig);
this.ciphers = getListOrDefault(SETTINGS_PARSER.ciphers, settings, XPackSettings.DEFAULT_CIPHERS); this.ciphers = getListOrDefault(SETTINGS_PARSER.ciphers, settings, XPackSettings.DEFAULT_CIPHERS);
this.supportedProtocols = getListOrDefault(SETTINGS_PARSER.supportedProtocols, settings, XPackSettings.DEFAULT_SUPPORTED_PROTOCOLS); this.supportedProtocols = getListOrDefault(SETTINGS_PARSER.supportedProtocols, settings, XPackSettings.DEFAULT_SUPPORTED_PROTOCOLS);
this.sslClientAuth = SETTINGS_PARSER.clientAuth.get(settings).orElse(XPackSettings.CLIENT_AUTH_DEFAULT); this.sslClientAuth = SETTINGS_PARSER.clientAuth.get(settings).orElse(XPackSettings.CLIENT_AUTH_DEFAULT);
this.verificationMode = SETTINGS_PARSER.verificationMode.get(settings).orElse(XPackSettings.VERIFICATION_MODE_DEFAULT); this.verificationMode = SETTINGS_PARSER.verificationMode.get(settings).orElse(XPackSettings.VERIFICATION_MODE_DEFAULT);
} }
/**
* Creates a new SSLConfiguration from the given settings and global/default SSLConfiguration. If the settings do not contain a value
* for a given aspect, the value from the global configuration will be used.
*
* @param settings the SSL specific settings; only the settings under a *.ssl. prefix
* @param globalSSLConfiguration the default configuration that is used as a fallback
*/
SSLConfiguration(Settings settings, SSLConfiguration globalSSLConfiguration) {
Objects.requireNonNull(globalSSLConfiguration);
this.keyConfig = createKeyConfig(settings, globalSSLConfiguration);
this.trustConfig = createTrustConfig(settings, keyConfig, globalSSLConfiguration);
this.ciphers = getListOrDefault(SETTINGS_PARSER.ciphers, settings, globalSSLConfiguration.cipherSuites());
this.supportedProtocols = getListOrDefault(SETTINGS_PARSER.supportedProtocols, settings,
globalSSLConfiguration.supportedProtocols());
this.sslClientAuth = SETTINGS_PARSER.clientAuth.get(settings).orElse(globalSSLConfiguration.sslClientAuth());
this.verificationMode = SETTINGS_PARSER.verificationMode.get(settings).orElse(globalSSLConfiguration.verificationMode());
}
/** /**
* The configuration for the key, if any, that will be used as part of this ssl configuration * The configuration for the key, if any, that will be used as part of this ssl configuration
*/ */
@ -183,46 +160,28 @@ public final class SSLConfiguration {
return result; return result;
} }
private static KeyConfig createKeyConfig(Settings settings, SSLConfiguration global) { private static KeyConfig createKeyConfig(Settings settings) {
final String trustStoreAlgorithm = SETTINGS_PARSER.truststoreAlgorithm.get(settings); final String trustStoreAlgorithm = SETTINGS_PARSER.truststoreAlgorithm.get(settings);
final KeyConfig config = CertParsingUtils.createKeyConfig(SETTINGS_PARSER.x509KeyPair, settings, trustStoreAlgorithm); final KeyConfig config = CertParsingUtils.createKeyConfig(SETTINGS_PARSER.x509KeyPair, settings, trustStoreAlgorithm);
if (config != null) { return config == null ? KeyConfig.NONE : config;
return config;
}
if (global != null) {
return global.keyConfig();
}
if (System.getProperty("javax.net.ssl.keyStore") != null && System.getProperty("javax.net.ssl.keyStore").equals("NONE") == false) {
// TODO: we should not support loading a keystore from sysprops...
try (SecureString keystorePassword = new SecureString(System.getProperty("javax.net.ssl.keyStorePassword", ""))) {
return new StoreKeyConfig(System.getProperty("javax.net.ssl.keyStore"), KeyStore.getDefaultType(), keystorePassword,
keystorePassword, System.getProperty("ssl.KeyManagerFactory.algorithm", KeyManagerFactory.getDefaultAlgorithm()),
System.getProperty("ssl.TrustManagerFactory.algorithm", TrustManagerFactory.getDefaultAlgorithm()));
}
}
return KeyConfig.NONE;
} }
private static TrustConfig createTrustConfig(Settings settings, KeyConfig keyConfig, SSLConfiguration global) { private static TrustConfig createTrustConfig(Settings settings, KeyConfig keyConfig) {
final TrustConfig trustConfig = createCertChainTrustConfig(settings, keyConfig, global); final TrustConfig trustConfig = createCertChainTrustConfig(settings, keyConfig);
return SETTINGS_PARSER.trustRestrictionsPath.get(settings) return SETTINGS_PARSER.trustRestrictionsPath.get(settings)
.map(path -> (TrustConfig) new RestrictedTrustConfig(path, trustConfig)) .map(path -> (TrustConfig) new RestrictedTrustConfig(path, trustConfig))
.orElse(trustConfig); .orElse(trustConfig);
} }
private static TrustConfig createCertChainTrustConfig(Settings settings, KeyConfig keyConfig, SSLConfiguration global) { private static TrustConfig createCertChainTrustConfig(Settings settings, KeyConfig keyConfig) {
String trustStorePath = SETTINGS_PARSER.truststorePath.get(settings).orElse(null); String trustStorePath = SETTINGS_PARSER.truststorePath.get(settings).orElse(null);
String trustStoreType = getKeyStoreType(SETTINGS_PARSER.truststoreType, settings, trustStorePath); String trustStoreType = getKeyStoreType(SETTINGS_PARSER.truststoreType, settings, trustStorePath);
List<String> caPaths = getListOrNull(SETTINGS_PARSER.caPaths, settings); List<String> caPaths = getListOrNull(SETTINGS_PARSER.caPaths, settings);
if (trustStorePath != null && caPaths != null) { if (trustStorePath != null && caPaths != null) {
throw new IllegalArgumentException("you cannot specify a truststore and ca files"); throw new IllegalArgumentException("you cannot specify a truststore and ca files");
} }
VerificationMode verificationMode = SETTINGS_PARSER.verificationMode.get(settings).orElseGet(() -> {
if (global != null) { VerificationMode verificationMode = SETTINGS_PARSER.verificationMode.get(settings).orElse(XPackSettings.VERIFICATION_MODE_DEFAULT);
return global.verificationMode();
}
return XPackSettings.VERIFICATION_MODE_DEFAULT;
});
if (verificationMode.isCertificateVerificationEnabled() == false) { if (verificationMode.isCertificateVerificationEnabled() == false) {
return TrustAllConfig.INSTANCE; return TrustAllConfig.INSTANCE;
} else if (caPaths != null) { } else if (caPaths != null) {
@ -231,14 +190,6 @@ public final class SSLConfiguration {
String trustStoreAlgorithm = SETTINGS_PARSER.truststoreAlgorithm.get(settings); String trustStoreAlgorithm = SETTINGS_PARSER.truststoreAlgorithm.get(settings);
SecureString trustStorePassword = SETTINGS_PARSER.truststorePassword.get(settings); SecureString trustStorePassword = SETTINGS_PARSER.truststorePassword.get(settings);
return new StoreTrustConfig(trustStorePath, trustStoreType, trustStorePassword, trustStoreAlgorithm); return new StoreTrustConfig(trustStorePath, trustStoreType, trustStorePassword, trustStoreAlgorithm);
} else if (global == null && System.getProperty("javax.net.ssl.trustStore") != null
&& System.getProperty("javax.net.ssl.trustStore").equals("NONE") == false) {
try (SecureString truststorePassword = new SecureString(System.getProperty("javax.net.ssl.trustStorePassword", ""))) {
return new StoreTrustConfig(System.getProperty("javax.net.ssl.trustStore"), KeyStore.getDefaultType(), truststorePassword,
System.getProperty("ssl.TrustManagerFactory.algorithm", TrustManagerFactory.getDefaultAlgorithm()));
}
} else if (global != null && keyConfig == global.keyConfig()) {
return global.trustConfig();
} else if (keyConfig != KeyConfig.NONE) { } else if (keyConfig != KeyConfig.NONE) {
return DefaultJDKTrustConfig.merge(keyConfig, getDefaultTrustStorePassword(settings)); return DefaultJDKTrustConfig.merge(keyConfig, getDefaultTrustStorePassword(settings));
} else { } else {

45
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLService.java
View File

@ -31,13 +31,14 @@ import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory; import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedKeyManager; import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509ExtendedTrustManager; import javax.net.ssl.X509ExtendedTrustManager;
import java.io.IOException; import java.io.IOException;
import java.net.InetAddress; import java.net.InetAddress;
import java.net.Socket; import java.net.Socket;
import java.security.GeneralSecurityException; import java.security.GeneralSecurityException;
import java.security.KeyManagementException; import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException; import java.security.NoSuchAlgorithmException;
import java.security.KeyStore;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Arrays; import java.util.Arrays;
import java.util.Collection; import java.util.Collection;
@ -81,8 +82,6 @@ public class SSLService {
* always maps to the same {@link SSLContextHolder}, even if it is being used within a different context-name. * always maps to the same {@link SSLContextHolder}, even if it is being used within a different context-name.
*/ */
private final Map<SSLConfiguration, SSLContextHolder> sslContexts; private final Map<SSLConfiguration, SSLContextHolder> sslContexts;
private final SSLConfiguration globalSSLConfiguration;
private final SetOnce<SSLConfiguration> transportSSLConfiguration = new SetOnce<>(); private final SetOnce<SSLConfiguration> transportSSLConfiguration = new SetOnce<>();
private final Environment env; private final Environment env;
@ -93,16 +92,14 @@ public class SSLService {
public SSLService(Settings settings, Environment environment) { public SSLService(Settings settings, Environment environment) {
this.settings = settings; this.settings = settings;
this.env = environment; this.env = environment;
this.globalSSLConfiguration = new SSLConfiguration(settings.getByPrefix(XPackSettings.GLOBAL_SSL_PREFIX));
this.sslConfigurations = new HashMap<>(); this.sslConfigurations = new HashMap<>();
this.sslContexts = loadSSLConfigurations(); this.sslContexts = loadSSLConfigurations();
} }
private SSLService(Settings settings, Environment environment, SSLConfiguration globalSSLConfiguration, private SSLService(Settings settings, Environment environment, Map<String, SSLConfiguration> sslConfigurations,
Map<String, SSLConfiguration> sslConfigurations, Map<SSLConfiguration, SSLContextHolder> sslContexts) { Map<SSLConfiguration, SSLContextHolder> sslContexts) {
this.settings = settings; this.settings = settings;
this.env = environment; this.env = environment;
this.globalSSLConfiguration = globalSSLConfiguration;
this.sslConfigurations = sslConfigurations; this.sslConfigurations = sslConfigurations;
this.sslContexts = sslContexts; this.sslContexts = sslContexts;
} }
@ -113,7 +110,7 @@ public class SSLService {
* have been created during initialization * have been created during initialization
*/ */
public SSLService createDynamicSSLService() { public SSLService createDynamicSSLService() {
return new SSLService(settings, env, globalSSLConfiguration, sslConfigurations, sslContexts) { return new SSLService(settings, env, sslConfigurations, sslContexts) {
@Override @Override
Map<SSLConfiguration, SSLContextHolder> loadSSLConfigurations() { Map<SSLConfiguration, SSLContextHolder> loadSSLConfigurations() {
@ -265,13 +262,6 @@ public class SSLService {
return sslConfiguration.sslClientAuth().enabled(); return sslConfiguration.sslClientAuth().enabled();
} }
/**
* Returns the {@link SSLContext} for the global configuration. Mainly used for testing
*/
public SSLContext sslContext() {
return sslContextHolder(globalSSLConfiguration).sslContext();
}
/** /**
* Returns the {@link SSLContext} for the configuration. Mainly used for testing * Returns the {@link SSLContext} for the configuration. Mainly used for testing
*/ */
@ -297,13 +287,10 @@ public class SSLService {
* Returns the existing {@link SSLConfiguration} for the given settings * Returns the existing {@link SSLConfiguration} for the given settings
* *
* @param settings the settings for the ssl configuration * @param settings the settings for the ssl configuration
* @return the ssl configuration for the provided settings. If the settings are empty, the global configuration is returned * @return the ssl configuration for the provided settings
*/ */
SSLConfiguration sslConfiguration(Settings settings) { public SSLConfiguration sslConfiguration(Settings settings) {
if (settings.isEmpty()) { return new SSLConfiguration(settings);
return globalSSLConfiguration;
}
return new SSLConfiguration(settings, globalSSLConfiguration);
} }
public Set<String> getTransportProfileContextNames() { public Set<String> getTransportProfileContextNames() {
@ -403,8 +390,6 @@ public class SSLService {
*/ */
Map<SSLConfiguration, SSLContextHolder> loadSSLConfigurations() { Map<SSLConfiguration, SSLContextHolder> loadSSLConfigurations() {
Map<SSLConfiguration, SSLContextHolder> sslContextHolders = new HashMap<>(); Map<SSLConfiguration, SSLContextHolder> sslContextHolders = new HashMap<>();
sslContextHolders.put(globalSSLConfiguration, createSslContext(globalSSLConfiguration));
this.sslConfigurations.put("xpack.ssl", globalSSLConfiguration);
Map<String, Settings> sslSettingsMap = new HashMap<>(); Map<String, Settings> sslSettingsMap = new HashMap<>();
sslSettingsMap.put(XPackSettings.HTTP_SSL_PREFIX, getHttpTransportSSLSettings(settings)); sslSettingsMap.put(XPackSettings.HTTP_SSL_PREFIX, getHttpTransportSSLSettings(settings));
@ -413,23 +398,19 @@ public class SSLService {
sslSettingsMap.putAll(getMonitoringExporterSettings(settings)); sslSettingsMap.putAll(getMonitoringExporterSettings(settings));
sslSettingsMap.forEach((key, sslSettings) -> { sslSettingsMap.forEach((key, sslSettings) -> {
if (sslSettings.isEmpty()) { final SSLConfiguration configuration = new SSLConfiguration(sslSettings);
storeSslConfiguration(key, globalSSLConfiguration); storeSslConfiguration(key, configuration);
} else { sslContextHolders.computeIfAbsent(configuration, this::createSslContext);
final SSLConfiguration configuration = new SSLConfiguration(sslSettings, globalSSLConfiguration);
storeSslConfiguration(key, configuration);
sslContextHolders.computeIfAbsent(configuration, this::createSslContext);
}
}); });
final Settings transportSSLSettings = settings.getByPrefix(XPackSettings.TRANSPORT_SSL_PREFIX); final Settings transportSSLSettings = settings.getByPrefix(XPackSettings.TRANSPORT_SSL_PREFIX);
final SSLConfiguration transportSSLConfiguration = new SSLConfiguration(transportSSLSettings, globalSSLConfiguration); final SSLConfiguration transportSSLConfiguration = new SSLConfiguration(transportSSLSettings);
this.transportSSLConfiguration.set(transportSSLConfiguration); this.transportSSLConfiguration.set(transportSSLConfiguration);
storeSslConfiguration(XPackSettings.TRANSPORT_SSL_PREFIX, transportSSLConfiguration); storeSslConfiguration(XPackSettings.TRANSPORT_SSL_PREFIX, transportSSLConfiguration);
Map<String, Settings> profileSettings = getTransportProfileSSLSettings(settings); Map<String, Settings> profileSettings = getTransportProfileSSLSettings(settings);
sslContextHolders.computeIfAbsent(transportSSLConfiguration, this::createSslContext); sslContextHolders.computeIfAbsent(transportSSLConfiguration, this::createSslContext);
profileSettings.forEach((key, profileSetting) -> { profileSettings.forEach((key, profileSetting) -> {
final SSLConfiguration configuration = new SSLConfiguration(profileSetting, transportSSLConfiguration); final SSLConfiguration configuration = new SSLConfiguration(profileSetting);
storeSslConfiguration(key, configuration); storeSslConfiguration(key, configuration);
sslContextHolders.computeIfAbsent(configuration, this::createSslContext); sslContextHolders.computeIfAbsent(configuration, this::createSslContext);
}); });

47
x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationReloaderTests.java
View File

@ -71,7 +71,7 @@ public class SSLConfigurationReloaderTests extends ESTestCase {
} }
@After @After
public void cleanup() throws Exception { public void cleanup() {
if (threadPool != null) { if (threadPool != null) {
terminate(threadPool); terminate(threadPool);
} }
@ -88,10 +88,10 @@ public class SSLConfigurationReloaderTests extends ESTestCase {
Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"), keystorePath); Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"), keystorePath);
Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_updated.jks"), updatedKeystorePath); Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_updated.jks"), updatedKeystorePath);
MockSecureSettings secureSettings = new MockSecureSettings(); MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode"); secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode");
final Settings settings = Settings.builder() final Settings settings = Settings.builder()
.put("path.home", createTempDir()) .put("path.home", createTempDir())
.put("xpack.ssl.keystore.path", keystorePath) .put("xpack.security.transport.ssl.keystore.path", keystorePath)
.setSecureSettings(secureSettings) .setSecureSettings(secureSettings)
.build(); .build();
final Environment env = randomBoolean() ? null : TestEnvironment.newEnvironment(settings); final Environment env = randomBoolean() ? null : TestEnvironment.newEnvironment(settings);
@ -144,11 +144,12 @@ public class SSLConfigurationReloaderTests extends ESTestCase {
Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_updated.crt"), updatedCertPath); Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_updated.crt"), updatedCertPath);
Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"), certPath); Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"), certPath);
MockSecureSettings secureSettings = new MockSecureSettings(); MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode"); secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
final Settings settings = Settings.builder() final Settings settings = Settings.builder()
.put("path.home", createTempDir()) .put("path.home", createTempDir())
.put("xpack.ssl.key", keyPath) .put("xpack.security.transport.ssl.key", keyPath)
.put("xpack.ssl.certificate", certPath) .put("xpack.security.transport.ssl.certificate", certPath)
.putList("xpack.security.transport.ssl.certificate_authorities", certPath.toString())
.setSecureSettings(secureSettings) .setSecureSettings(secureSettings)
.build(); .build();
final Environment env = randomBoolean() ? null : final Environment env = randomBoolean() ? null :
@ -202,9 +203,9 @@ public class SSLConfigurationReloaderTests extends ESTestCase {
Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_updated.jks"), Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_updated.jks"),
updatedTruststorePath); updatedTruststorePath);
MockSecureSettings secureSettings = new MockSecureSettings(); MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.truststore.secure_password", "testnode"); secureSettings.setString("xpack.security.transport.ssl.truststore.secure_password", "testnode");
Settings settings = Settings.builder() Settings settings = Settings.builder()
.put("xpack.ssl.truststore.path", trustStorePath) .put("xpack.security.transport.ssl.truststore.path", trustStorePath)
.put("path.home", createTempDir()) .put("path.home", createTempDir())
.setSecureSettings(secureSettings) .setSecureSettings(secureSettings)
.build(); .build();
@ -254,7 +255,7 @@ public class SSLConfigurationReloaderTests extends ESTestCase {
Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem"), serverKeyPath); Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem"), serverKeyPath);
Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_updated.crt"), updatedCert); Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_updated.crt"), updatedCert);
Settings settings = Settings.builder() Settings settings = Settings.builder()
.put("xpack.ssl.certificate_authorities", serverCertPath) .putList("xpack.security.transport.ssl.certificate_authorities", serverCertPath.toString())
.put("path.home", createTempDir()) .put("path.home", createTempDir())
.build(); .build();
Environment env = randomBoolean() ? null : TestEnvironment.newEnvironment(settings); Environment env = randomBoolean() ? null : TestEnvironment.newEnvironment(settings);
@ -300,15 +301,15 @@ public class SSLConfigurationReloaderTests extends ESTestCase {
Path keystorePath = tempDir.resolve("testnode.jks"); Path keystorePath = tempDir.resolve("testnode.jks");
Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"), keystorePath); Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"), keystorePath);
MockSecureSettings secureSettings = new MockSecureSettings(); MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode"); secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode");
Settings settings = Settings.builder() Settings settings = Settings.builder()
.put("xpack.ssl.keystore.path", keystorePath) .put("xpack.security.transport.ssl.keystore.path", keystorePath)
.setSecureSettings(secureSettings) .setSecureSettings(secureSettings)
.put("path.home", createTempDir()) .put("path.home", createTempDir())
.build(); .build();
Environment env = randomBoolean() ? null : TestEnvironment.newEnvironment(settings); Environment env = randomBoolean() ? null : TestEnvironment.newEnvironment(settings);
final SSLService sslService = new SSLService(settings, env); final SSLService sslService = new SSLService(settings, env);
final SSLConfiguration config = sslService.getSSLConfiguration("xpack.ssl"); final SSLConfiguration config = sslService.getSSLConfiguration("xpack.security.transport.ssl.");
new SSLConfigurationReloader(env, sslService, resourceWatcherService) { new SSLConfigurationReloader(env, sslService, resourceWatcherService) {
@Override @Override
void reloadSSLContext(SSLConfiguration configuration) { void reloadSSLContext(SSLConfiguration configuration) {
@ -339,17 +340,17 @@ public class SSLConfigurationReloaderTests extends ESTestCase {
Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"), certPath); Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"), certPath);
Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt"), clientCertPath); Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt"), clientCertPath);
MockSecureSettings secureSettings = new MockSecureSettings(); MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode"); secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
Settings settings = Settings.builder() Settings settings = Settings.builder()
.put("xpack.ssl.key", keyPath) .put("xpack.security.transport.ssl.key", keyPath)
.put("xpack.ssl.certificate", certPath) .put("xpack.security.transport.ssl.certificate", certPath)
.putList("xpack.ssl.certificate_authorities", certPath.toString(), clientCertPath.toString()) .putList("xpack.security.transport.ssl.certificate_authorities", certPath.toString(), clientCertPath.toString())
.put("path.home", createTempDir()) .put("path.home", createTempDir())
.setSecureSettings(secureSettings) .setSecureSettings(secureSettings)
.build(); .build();
Environment env = randomBoolean() ? null : TestEnvironment.newEnvironment(settings); Environment env = randomBoolean() ? null : TestEnvironment.newEnvironment(settings);
final SSLService sslService = new SSLService(settings, env); final SSLService sslService = new SSLService(settings, env);
final SSLConfiguration config = sslService.getSSLConfiguration("xpack.ssl"); final SSLConfiguration config = sslService.getSSLConfiguration("xpack.security.transport.ssl.");
new SSLConfigurationReloader(env, sslService, resourceWatcherService) { new SSLConfigurationReloader(env, sslService, resourceWatcherService) {
@Override @Override
void reloadSSLContext(SSLConfiguration configuration) { void reloadSSLContext(SSLConfiguration configuration) {
@ -376,15 +377,15 @@ public class SSLConfigurationReloaderTests extends ESTestCase {
Path trustStorePath = tempDir.resolve("testnode.jks"); Path trustStorePath = tempDir.resolve("testnode.jks");
Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"), trustStorePath); Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"), trustStorePath);
MockSecureSettings secureSettings = new MockSecureSettings(); MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.truststore.secure_password", "testnode"); secureSettings.setString("xpack.security.transport.ssl.truststore.secure_password", "testnode");
Settings settings = Settings.builder() Settings settings = Settings.builder()
.put("xpack.ssl.truststore.path", trustStorePath) .put("xpack.security.transport.ssl.truststore.path", trustStorePath)
.put("path.home", createTempDir()) .put("path.home", createTempDir())
.setSecureSettings(secureSettings) .setSecureSettings(secureSettings)
.build(); .build();
Environment env = randomBoolean() ? null : TestEnvironment.newEnvironment(settings); Environment env = randomBoolean() ? null : TestEnvironment.newEnvironment(settings);
final SSLService sslService = new SSLService(settings, env); final SSLService sslService = new SSLService(settings, env);
final SSLConfiguration config = sslService.getSSLConfiguration("xpack.ssl"); final SSLConfiguration config = sslService.getSSLConfiguration("xpack.security.transport.ssl.");
new SSLConfigurationReloader(env, sslService, resourceWatcherService) { new SSLConfigurationReloader(env, sslService, resourceWatcherService) {
@Override @Override
void reloadSSLContext(SSLConfiguration configuration) { void reloadSSLContext(SSLConfiguration configuration) {
@ -411,12 +412,12 @@ public class SSLConfigurationReloaderTests extends ESTestCase {
Path clientCertPath = tempDir.resolve("testclient.crt"); Path clientCertPath = tempDir.resolve("testclient.crt");
Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt"), clientCertPath); Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt"), clientCertPath);
Settings settings = Settings.builder() Settings settings = Settings.builder()
.putList("xpack.ssl.certificate_authorities", clientCertPath.toString()) .putList("xpack.security.transport.ssl.certificate_authorities", clientCertPath.toString())
.put("path.home", createTempDir()) .put("path.home", createTempDir())
.build(); .build();
Environment env = randomBoolean() ? null : TestEnvironment.newEnvironment(settings); Environment env = randomBoolean() ? null : TestEnvironment.newEnvironment(settings);
final SSLService sslService = new SSLService(settings, env); final SSLService sslService = new SSLService(settings, env);
final SSLConfiguration config = sslService.getSSLConfiguration("xpack.ssl"); final SSLConfiguration config = sslService.sslConfiguration(settings.getByPrefix("xpack.security.transport.ssl."));
new SSLConfigurationReloader(env, sslService, resourceWatcherService) { new SSLConfigurationReloader(env, sslService, resourceWatcherService) {
@Override @Override
void reloadSSLContext(SSLConfiguration configuration) { void reloadSSLContext(SSLConfiguration configuration) {
@ -442,7 +443,7 @@ public class SSLConfigurationReloaderTests extends ESTestCase {
Runnable modificationFunction, Consumer<SSLContext> postChecks) throws Exception { Runnable modificationFunction, Consumer<SSLContext> postChecks) throws Exception {
final CountDownLatch reloadLatch = new CountDownLatch(1); final CountDownLatch reloadLatch = new CountDownLatch(1);
final SSLService sslService = new SSLService(settings, env); final SSLService sslService = new SSLService(settings, env);
final SSLConfiguration config = sslService.getSSLConfiguration("xpack.ssl"); final SSLConfiguration config = sslService.getSSLConfiguration("xpack.security.transport.ssl");
new SSLConfigurationReloader(env, sslService, resourceWatcherService) { new SSLConfigurationReloader(env, sslService, resourceWatcherService) {
@Override @Override
void reloadSSLContext(SSLConfiguration configuration) { void reloadSSLContext(SSLConfiguration configuration) {

2
x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationSettingsTests.java
View File

@ -21,7 +21,7 @@ public class SSLConfigurationSettingsTests extends ESTestCase {
final SSLConfigurationSettings ssl = SSLConfigurationSettings.withoutPrefix(); final SSLConfigurationSettings ssl = SSLConfigurationSettings.withoutPrefix();
assertThat(ssl.ciphers.match("cipher_suites"), is(true)); assertThat(ssl.ciphers.match("cipher_suites"), is(true));
assertThat(ssl.ciphers.match("ssl.cipher_suites"), is(false)); assertThat(ssl.ciphers.match("ssl.cipher_suites"), is(false));
assertThat(ssl.ciphers.match("xpack.ssl.cipher_suites"), is(false)); assertThat(ssl.ciphers.match("xpack.transport.security.ssl.cipher_suites"), is(false));
final Settings settings = Settings.builder() final Settings settings = Settings.builder()
.put("cipher_suites.0", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256") .put("cipher_suites.0", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256")

80
x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationTests.java
View File

@ -35,10 +35,6 @@ public class SSLConfigurationTests extends ESTestCase {
assertThat(globalConfig.keyConfig(), sameInstance(KeyConfig.NONE)); assertThat(globalConfig.keyConfig(), sameInstance(KeyConfig.NONE));
assertThat(globalConfig.trustConfig(), is(not((globalConfig.keyConfig())))); assertThat(globalConfig.trustConfig(), is(not((globalConfig.keyConfig()))));
assertThat(globalConfig.trustConfig(), instanceOf(DefaultJDKTrustConfig.class)); assertThat(globalConfig.trustConfig(), instanceOf(DefaultJDKTrustConfig.class));
SSLConfiguration scopedConfig = new SSLConfiguration(Settings.EMPTY, globalConfig);
assertThat(scopedConfig.keyConfig(), sameInstance(globalConfig.keyConfig()));
assertThat(scopedConfig.trustConfig(), sameInstance(globalConfig.trustConfig()));
} }
public void testThatOnlyKeystoreInSettingsSetsTruststoreSettings() { public void testThatOnlyKeystoreInSettingsSetsTruststoreSettings() {
@ -50,22 +46,17 @@ public class SSLConfigurationTests extends ESTestCase {
.setSecureSettings(secureSettings) .setSecureSettings(secureSettings)
.build(); .build();
// Pass settings in as component settings // Pass settings in as component settings
SSLConfiguration globalSettings = new SSLConfiguration(settings); SSLConfiguration sslConfiguration = new SSLConfiguration(settings);
SSLConfiguration scopedSettings = new SSLConfiguration(settings, globalSettings); assertThat(sslConfiguration.keyConfig(), instanceOf(StoreKeyConfig.class));
SSLConfiguration scopedEmptyGlobalSettings = StoreKeyConfig ksKeyInfo = (StoreKeyConfig) sslConfiguration.keyConfig();
new SSLConfiguration(settings, new SSLConfiguration(Settings.EMPTY));
for (SSLConfiguration sslConfiguration : Arrays.asList(globalSettings, scopedSettings, scopedEmptyGlobalSettings)) {
assertThat(sslConfiguration.keyConfig(), instanceOf(StoreKeyConfig.class));
StoreKeyConfig ksKeyInfo = (StoreKeyConfig) sslConfiguration.keyConfig();
assertThat(ksKeyInfo.keyStorePath, is(equalTo(path))); assertThat(ksKeyInfo.keyStorePath, is(equalTo(path)));
assertThat(ksKeyInfo.keyStorePassword, is(equalTo("testnode"))); assertThat(ksKeyInfo.keyStorePassword, is(equalTo("testnode")));
assertThat(ksKeyInfo.keyStoreType, is(equalTo("jks"))); assertThat(ksKeyInfo.keyStoreType, is(equalTo("jks")));
assertThat(ksKeyInfo.keyPassword, is(equalTo(ksKeyInfo.keyStorePassword))); assertThat(ksKeyInfo.keyPassword, is(equalTo(ksKeyInfo.keyStorePassword)));
assertThat(ksKeyInfo.keyStoreAlgorithm, is(KeyManagerFactory.getDefaultAlgorithm())); assertThat(ksKeyInfo.keyStoreAlgorithm, is(KeyManagerFactory.getDefaultAlgorithm()));
assertThat(sslConfiguration.trustConfig(), is(instanceOf(CombiningTrustConfig.class))); assertThat(sslConfiguration.trustConfig(), is(instanceOf(CombiningTrustConfig.class)));
assertCombiningTrustConfigContainsCorrectIssuers(sslConfiguration); assertCombiningTrustConfigContainsCorrectIssuers(sslConfiguration);
}
} }
public void testKeystorePassword() { public void testKeystorePassword() {
@ -188,44 +179,13 @@ public class SSLConfigurationTests extends ESTestCase {
assertThat(ksKeyInfo.keyStoreType, is(equalTo(type))); assertThat(ksKeyInfo.keyStoreType, is(equalTo(type)));
} }
public void testThatProfileSettingsOverrideServiceSettings() { public void testThatEmptySettingsAreEqual() {
MockSecureSettings profileSecureSettings = new MockSecureSettings(); SSLConfiguration sslConfiguration = new SSLConfiguration(Settings.EMPTY);
profileSecureSettings.setString("keystore.secure_password", "password"); SSLConfiguration sslConfiguration1 = new SSLConfiguration(Settings.EMPTY);
profileSecureSettings.setString("keystore.secure_key_password", "key"); assertThat(sslConfiguration.equals(sslConfiguration1), is(equalTo(true)));
profileSecureSettings.setString("truststore.secure_password", "password for trust"); assertThat(sslConfiguration1.equals(sslConfiguration), is(equalTo(true)));
Settings profileSettings = Settings.builder() assertThat(sslConfiguration.equals(sslConfiguration), is(equalTo(true)));
.put("keystore.path", "path") assertThat(sslConfiguration1.equals(sslConfiguration1), is(equalTo(true)));
.put("keystore.algorithm", "algo")
.put("truststore.path", "trust path")
.put("truststore.algorithm", "trusted")
.setSecureSettings(profileSecureSettings)
.build();
MockSecureSettings serviceSecureSettings = new MockSecureSettings();
serviceSecureSettings.setString("xpack.ssl.keystore.secure_password", "comp password");
serviceSecureSettings.setString("xpack.ssl.keystore.secure_key_password", "comp key");
serviceSecureSettings.setString("xpack.ssl.truststore.secure_password", "comp password for trust");
Settings serviceSettings = Settings.builder()
.put("xpack.ssl.keystore.path", "comp path")
.put("xpack.ssl.keystore.algorithm", "comp algo")
.put("xpack.ssl.truststore.path", "comp trust path")
.put("xpack.ssl.truststore.algorithm", "comp trusted")
.setSecureSettings(serviceSecureSettings)
.build();
SSLConfiguration globalSettings = new SSLConfiguration(serviceSettings);
SSLConfiguration sslConfiguration = new SSLConfiguration(profileSettings, globalSettings);
assertThat(sslConfiguration.keyConfig(), instanceOf(StoreKeyConfig.class));
StoreKeyConfig ksKeyInfo = (StoreKeyConfig) sslConfiguration.keyConfig();
assertThat(ksKeyInfo.keyStorePath, is(equalTo("path")));
assertThat(ksKeyInfo.keyStorePassword, is(equalTo("password")));
assertThat(ksKeyInfo.keyPassword, is(equalTo("key")));
assertThat(ksKeyInfo.keyStoreAlgorithm, is(equalTo("algo")));
assertThat(sslConfiguration.trustConfig(), instanceOf(StoreTrustConfig.class));
StoreTrustConfig ksTrustInfo = (StoreTrustConfig) sslConfiguration.trustConfig();
assertThat(ksTrustInfo.trustStorePath, is(equalTo("trust path")));
assertThat(ksTrustInfo.trustStorePassword, is(equalTo("password for trust")));
assertThat(ksTrustInfo.trustStoreAlgorithm, is(equalTo("trusted")));
} }
public void testThatSettingsWithDifferentKeystoresAreNotEqual() { public void testThatSettingsWithDifferentKeystoresAreNotEqual() {
@ -254,6 +214,12 @@ public class SSLConfigurationTests extends ESTestCase {
assertThat(sslConfiguration1.equals(sslConfiguration1), is(equalTo(true))); assertThat(sslConfiguration1.equals(sslConfiguration1), is(equalTo(true)));
} }
public void testThatEmptySettingsHaveSameHashCode() {
SSLConfiguration sslConfiguration = new SSLConfiguration(Settings.EMPTY);
SSLConfiguration sslConfiguration1 = new SSLConfiguration(Settings.EMPTY);
assertThat(sslConfiguration.hashCode(), is(equalTo(sslConfiguration1.hashCode())));
}
public void testThatSettingsWithDifferentKeystoresHaveDifferentHashCode() { public void testThatSettingsWithDifferentKeystoresHaveDifferentHashCode() {
SSLConfiguration sslConfiguration = new SSLConfiguration(Settings.builder() SSLConfiguration sslConfiguration = new SSLConfiguration(Settings.builder()
.put("keystore.path", "path") .put("keystore.path", "path")

247
x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLServiceTests.java
View File

@ -109,11 +109,11 @@ public class SSLServiceTests extends ESTestCase {
assumeFalse("Can't run in a FIPS JVM", inFipsJvm()); assumeFalse("Can't run in a FIPS JVM", inFipsJvm());
Path testClientStore = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.jks"); Path testClientStore = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.jks");
MockSecureSettings secureSettings = new MockSecureSettings(); MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.truststore.secure_password", "testnode"); secureSettings.setString("xpack.security.transport.ssl.truststore.secure_password", "testnode");
secureSettings.setString("transport.profiles.foo.xpack.security.ssl.truststore.secure_password", "testclient"); secureSettings.setString("transport.profiles.foo.xpack.security.ssl.truststore.secure_password", "testclient");
Settings settings = Settings.builder() Settings settings = Settings.builder()
.put("xpack.ssl.truststore.path", testnodeStore) .put("xpack.security.transport.ssl.truststore.path", testnodeStore)
.put("xpack.ssl.truststore.type", testnodeStoreType) .put("xpack.security.transport.ssl.truststore.type", testnodeStoreType)
.setSecureSettings(secureSettings) .setSecureSettings(secureSettings)
.put("transport.profiles.foo.xpack.security.ssl.truststore.path", testClientStore) .put("transport.profiles.foo.xpack.security.ssl.truststore.path", testClientStore)
.build(); .build();
@ -126,12 +126,12 @@ public class SSLServiceTests extends ESTestCase {
.setSecureSettings(secureCustomSettings) .setSecureSettings(secureCustomSettings)
.build(); .build();
SSLConfiguration configuration = new SSLConfiguration(customTruststoreSettings, globalConfiguration(sslService)); SSLConfiguration configuration = new SSLConfiguration(customTruststoreSettings);
SSLEngine sslEngineWithTruststore = sslService.createSSLEngine(configuration, null, -1); SSLEngine sslEngineWithTruststore = sslService.createSSLEngine(configuration, null, -1);
assertThat(sslEngineWithTruststore, is(not(nullValue()))); assertThat(sslEngineWithTruststore, is(not(nullValue())));
SSLConfiguration globalConfig = globalConfiguration(sslService); SSLConfiguration defaultConfig = sslService.getSSLConfiguration("xpack.security.transport.ssl");
SSLEngine sslEngine = sslService.createSSLEngine(globalConfig, null, -1); SSLEngine sslEngine = sslService.createSSLEngine(defaultConfig, null, -1);
assertThat(sslEngineWithTruststore, is(not(sameInstance(sslEngine)))); assertThat(sslEngineWithTruststore, is(not(sameInstance(sslEngine))));
final SSLConfiguration profileConfiguration = sslService.getSSLConfiguration("transport.profiles.foo.xpack.security.ssl"); final SSLConfiguration profileConfiguration = sslService.getSSLConfiguration("transport.profiles.foo.xpack.security.ssl");
@ -142,20 +142,21 @@ public class SSLServiceTests extends ESTestCase {
public void testThatSslContextCachingWorks() throws Exception { public void testThatSslContextCachingWorks() throws Exception {
MockSecureSettings secureSettings = new MockSecureSettings(); MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode"); secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
Settings settings = Settings.builder() Settings settings = Settings.builder()
.put("xpack.ssl.certificate", testnodeCert) .put("xpack.security.transport.ssl.certificate", testnodeCert)
.put("xpack.ssl.key", testnodeKey) .put("xpack.security.transport.ssl.key", testnodeKey)
.setSecureSettings(secureSettings) .setSecureSettings(secureSettings)
.build(); .build();
SSLService sslService = new SSLService(settings, env); SSLService sslService = new SSLService(settings, env);
SSLContext sslContext = sslService.sslContext(); final Settings transportSSLSettings = settings.getByPrefix("xpack.security.transport.ssl.");
SSLContext cachedSslContext = sslService.sslContext(); SSLContext sslContext = sslService.sslContext(sslService.sslConfiguration(transportSSLSettings));
SSLContext cachedSslContext = sslService.sslContext(sslService.sslConfiguration(transportSSLSettings));
assertThat(sslContext, is(sameInstance(cachedSslContext))); assertThat(sslContext, is(sameInstance(cachedSslContext)));
final SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.ssl"); final SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
final SSLContext configContext = sslService.sslContext(configuration); final SSLContext configContext = sslService.sslContext(configuration);
assertThat(configContext, is(sameInstance(sslContext))); assertThat(configContext, is(sameInstance(sslContext)));
} }
@ -165,14 +166,15 @@ public class SSLServiceTests extends ESTestCase {
Path differentPasswordsStore = Path differentPasswordsStore =
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-different-passwords.jks"); getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-different-passwords.jks");
MockSecureSettings secureSettings = new MockSecureSettings(); MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode"); secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode");
secureSettings.setString("xpack.ssl.keystore.secure_key_password", "testnode1"); secureSettings.setString("xpack.security.transport.ssl.keystore.secure_key_password", "testnode1");
Settings settings = Settings.builder() Settings settings = Settings.builder()
.put("xpack.ssl.keystore.path", differentPasswordsStore) .put("xpack.security.transport.ssl.keystore.path", differentPasswordsStore)
.setSecureSettings(secureSettings) .setSecureSettings(secureSettings)
.build(); .build();
final SSLService sslService = new SSLService(settings, env); final SSLService sslService = new SSLService(settings, env);
SSLConfiguration configuration = globalConfiguration(sslService); SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
sslService.createSSLEngine(configuration, null, -1); sslService.createSSLEngine(configuration, null, -1);
} }
@ -182,13 +184,13 @@ public class SSLServiceTests extends ESTestCase {
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-different-passwords.jks"); getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-different-passwords.jks");
try { try {
MockSecureSettings secureSettings = new MockSecureSettings(); MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode"); secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode");
Settings settings = Settings.builder() Settings settings = Settings.builder()
.put("xpack.ssl.keystore.path", differentPasswordsStore) .put("xpack.security.transport.ssl.keystore.path", differentPasswordsStore)
.setSecureSettings(secureSettings) .setSecureSettings(secureSettings)
.build(); .build();
final SSLService sslService = new SSLService(settings, env); final SSLService sslService = new SSLService(settings, env);
SSLConfiguration configuration = globalConfiguration(sslService); SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
sslService.createSSLEngine(configuration, null, -1); sslService.createSSLEngine(configuration, null, -1);
fail("expected an exception"); fail("expected an exception");
} catch (ElasticsearchException e) { } catch (ElasticsearchException e) {
@ -198,34 +200,34 @@ public class SSLServiceTests extends ESTestCase {
public void testThatSSLv3IsNotEnabled() throws Exception { public void testThatSSLv3IsNotEnabled() throws Exception {
MockSecureSettings secureSettings = new MockSecureSettings(); MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode"); secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
Settings settings = Settings.builder() Settings settings = Settings.builder()
.put("xpack.ssl.certificate", testnodeCert) .put("xpack.security.transport.ssl.certificate", testnodeCert)
.put("xpack.ssl.key", testnodeKey) .put("xpack.security.transport.ssl.key", testnodeKey)
.setSecureSettings(secureSettings) .setSecureSettings(secureSettings)
.build(); .build();
SSLService sslService = new SSLService(settings, env); SSLService sslService = new SSLService(settings, env);
SSLConfiguration configuration = globalConfiguration(sslService); SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
SSLEngine engine = sslService.createSSLEngine(configuration, null, -1); SSLEngine engine = sslService.createSSLEngine(configuration, null, -1);
assertThat(Arrays.asList(engine.getEnabledProtocols()), not(hasItem("SSLv3"))); assertThat(Arrays.asList(engine.getEnabledProtocols()), not(hasItem("SSLv3")));
} }
public void testThatCreateClientSSLEngineWithoutAnySettingsWorks() throws Exception { public void testThatCreateClientSSLEngineWithoutAnySettingsWorks() throws Exception {
SSLService sslService = new SSLService(Settings.EMPTY, env); SSLService sslService = new SSLService(Settings.EMPTY, env);
SSLConfiguration configuration = globalConfiguration(sslService); SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
SSLEngine sslEngine = sslService.createSSLEngine(configuration, null, -1); SSLEngine sslEngine = sslService.createSSLEngine(configuration, null, -1);
assertThat(sslEngine, notNullValue()); assertThat(sslEngine, notNullValue());
} }
public void testThatCreateSSLEngineWithOnlyTruststoreWorks() throws Exception { public void testThatCreateSSLEngineWithOnlyTruststoreWorks() throws Exception {
MockSecureSettings secureSettings = new MockSecureSettings(); MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.truststore.secure_password", "testclient"); secureSettings.setString("xpack.security.transport.ssl.truststore.secure_password", "testclient");
Settings settings = Settings.builder() Settings settings = Settings.builder()
.put("xpack.ssl.truststore.path", testclientStore) .put("xpack.security.transport.ssl.truststore.path", testclientStore)
.setSecureSettings(secureSettings) .setSecureSettings(secureSettings)
.build(); .build();
SSLService sslService = new SSLService(settings, env); SSLService sslService = new SSLService(settings, env);
SSLConfiguration configuration = globalConfiguration(sslService); SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
SSLEngine sslEngine = sslService.createSSLEngine(configuration, null, -1); SSLEngine sslEngine = sslService.createSSLEngine(configuration, null, -1);
assertThat(sslEngine, notNullValue()); assertThat(sslEngine, notNullValue());
} }
@ -234,54 +236,52 @@ public class SSLServiceTests extends ESTestCase {
public void testCreateWithKeystoreIsValidForServer() throws Exception { public void testCreateWithKeystoreIsValidForServer() throws Exception {
assumeFalse("Can't run in a FIPS JVM, JKS keystores can't be used", inFipsJvm()); assumeFalse("Can't run in a FIPS JVM, JKS keystores can't be used", inFipsJvm());
MockSecureSettings secureSettings = new MockSecureSettings(); MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode"); secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode");
Settings settings = Settings.builder() Settings settings = Settings.builder()
.put("xpack.ssl.keystore.path", testnodeStore) .put("xpack.security.transport.ssl.keystore.path", testnodeStore)
.put("xpack.ssl.keystore.type", testnodeStoreType) .put("xpack.security.transport.ssl.keystore.type", testnodeStoreType)
.setSecureSettings(secureSettings) .setSecureSettings(secureSettings)
.build(); .build();
SSLService sslService = new SSLService(settings, env); SSLService sslService = new SSLService(settings, env);
assertTrue(sslService.isConfigurationValidForServerUsage(globalConfiguration(sslService))); assertTrue(sslService.isConfigurationValidForServerUsage(sslService.getSSLConfiguration("xpack.security.transport.ssl")));
} }
public void testValidForServerWithFallback() throws Exception { public void testValidForServer() throws Exception {
assumeFalse("Can't run in a FIPS JVM, JKS keystores can't be used", inFipsJvm()); assumeFalse("Can't run in a FIPS JVM, JKS keystores can't be used", inFipsJvm());
MockSecureSettings secureSettings = new MockSecureSettings(); MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.truststore.secure_password", "testnode"); secureSettings.setString("xpack.security.transport.ssl.truststore.secure_password", "testnode");
Settings settings = Settings.builder() Settings settings = Settings.builder()
.put("xpack.ssl.truststore.path", testnodeStore) .put("xpack.security.transport.ssl.truststore.path", testnodeStore)
.put("xpack.ssl.truststore.type", testnodeStoreType) .put("xpack.security.transport.ssl.truststore.type", testnodeStoreType)
.setSecureSettings(secureSettings) .setSecureSettings(secureSettings)
.build(); .build();
SSLService sslService = new SSLService(settings, env); SSLService sslService = new SSLService(settings, env);
assertFalse(sslService.isConfigurationValidForServerUsage(globalConfiguration(sslService))); assertFalse(sslService.isConfigurationValidForServerUsage(sslService.getSSLConfiguration("xpack.security.transport.ssl")));
secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode");
settings = Settings.builder() settings = Settings.builder()
.put("xpack.ssl.truststore.path", testnodeStore) .put("xpack.security.transport.ssl.truststore.path", testnodeStore)
.put("xpack.ssl.truststore.type", testnodeStoreType) .put("xpack.security.transport.ssl.truststore.type", testnodeStoreType)
.setSecureSettings(secureSettings) .setSecureSettings(secureSettings)
.put("xpack.security.transport.ssl.keystore.path", testnodeStore) .put("xpack.security.transport.ssl.keystore.path", testnodeStore)
.put("xpack.security.transport.ssl.keystore.type", testnodeStoreType) .put("xpack.security.transport.ssl.keystore.type", testnodeStoreType)
.build(); .build();
sslService = new SSLService(settings, env); sslService = new SSLService(settings, env);
assertFalse(sslService.isConfigurationValidForServerUsage(globalConfiguration(sslService)));
assertTrue(sslService.isConfigurationValidForServerUsage(sslService.getSSLConfiguration("xpack.security.transport.ssl"))); assertTrue(sslService.isConfigurationValidForServerUsage(sslService.getSSLConfiguration("xpack.security.transport.ssl")));
} }
public void testGetVerificationMode() throws Exception { public void testGetVerificationMode() throws Exception {
assumeFalse("Can't run in a FIPS JVM, TrustAllConfig is not a SunJSSE TrustManagers", inFipsJvm()); assumeFalse("Can't run in a FIPS JVM, TrustAllConfig is not a SunJSSE TrustManagers", inFipsJvm());
SSLService sslService = new SSLService(Settings.EMPTY, env); SSLService sslService = new SSLService(Settings.EMPTY, env);
assertThat(globalConfiguration(sslService).verificationMode(), is(XPackSettings.VERIFICATION_MODE_DEFAULT)); assertThat(sslService.getSSLConfiguration("xpack.security.transport.ssl").verificationMode(),
is(XPackSettings.VERIFICATION_MODE_DEFAULT));
Settings settings = Settings.builder() Settings settings = Settings.builder()
.put("xpack.ssl.verification_mode", "none") .put("xpack.security.transport.ssl.verification_mode", "certificate")
.put("xpack.security.transport.ssl.verification_mode", "certificate") .put("transport.profiles.foo.xpack.security.ssl.verification_mode", "full")
.put("transport.profiles.foo.xpack.security.ssl.verification_mode", "full") .build();
.build();
sslService = new SSLService(settings, env); sslService = new SSLService(settings, env);
assertThat(globalConfiguration(sslService).verificationMode(), is(VerificationMode.NONE));
assertThat(sslService.getSSLConfiguration("xpack.security.transport.ssl.").verificationMode(), is(VerificationMode.CERTIFICATE)); assertThat(sslService.getSSLConfiguration("xpack.security.transport.ssl.").verificationMode(), is(VerificationMode.CERTIFICATE));
assertThat(sslService.getSSLConfiguration("transport.profiles.foo.xpack.security.ssl.").verificationMode(), assertThat(sslService.getSSLConfiguration("transport.profiles.foo.xpack.security.ssl.").verificationMode(),
is(VerificationMode.FULL)); is(VerificationMode.FULL));
@ -289,27 +289,25 @@ public class SSLServiceTests extends ESTestCase {
public void testIsSSLClientAuthEnabled() throws Exception { public void testIsSSLClientAuthEnabled() throws Exception {
SSLService sslService = new SSLService(Settings.EMPTY, env); SSLService sslService = new SSLService(Settings.EMPTY, env);
assertTrue(globalConfiguration(sslService).sslClientAuth().enabled()); assertTrue(sslService.getSSLConfiguration("xpack.security.transport.ssl").sslClientAuth().enabled());
Settings settings = Settings.builder() Settings settings = Settings.builder()
.put("xpack.ssl.client_authentication", "none") .put("xpack.security.transport.ssl.client_authentication", "optional")
.put("xpack.security.transport.ssl.client_authentication", "optional")
.put("transport.profiles.foo.port", "9400-9410") .put("transport.profiles.foo.port", "9400-9410")
.build(); .build();
sslService = new SSLService(settings, env); sslService = new SSLService(settings, env);
assertFalse(sslService.isSSLClientAuthEnabled(globalConfiguration(sslService)));
assertTrue(sslService.isSSLClientAuthEnabled(sslService.getSSLConfiguration("xpack.security.transport.ssl"))); assertTrue(sslService.isSSLClientAuthEnabled(sslService.getSSLConfiguration("xpack.security.transport.ssl")));
assertTrue(sslService.isSSLClientAuthEnabled(sslService.getSSLConfiguration("transport.profiles.foo.xpack.security.ssl"))); assertTrue(sslService.isSSLClientAuthEnabled(sslService.getSSLConfiguration("transport.profiles.foo.xpack.security.ssl")));
} }
public void testThatHttpClientAuthDefaultsToNone() throws Exception { public void testThatHttpClientAuthDefaultsToNone() throws Exception {
final Settings globalSettings = Settings.builder() final Settings globalSettings = Settings.builder()
.put("xpack.security.http.ssl.enabled", true) .put("xpack.security.http.ssl.enabled", true)
.put("xpack.ssl.client_authentication", SSLClientAuth.OPTIONAL.name()) .put("xpack.security.transport.ssl.client_authentication", SSLClientAuth.OPTIONAL.name())
.build(); .build();
final SSLService sslService = new SSLService(globalSettings, env); final SSLService sslService = new SSLService(globalSettings, env);
final SSLConfiguration globalConfig = globalConfiguration(sslService); final SSLConfiguration globalConfig = sslService.getSSLConfiguration("xpack.security.transport.ssl");
assertThat(globalConfig.sslClientAuth(), is(SSLClientAuth.OPTIONAL)); assertThat(globalConfig.sslClientAuth(), is(SSLClientAuth.OPTIONAL));
final SSLConfiguration httpConfig = sslService.getHttpTransportSSLConfiguration(); final SSLConfiguration httpConfig = sslService.getHttpTransportSSLConfiguration();
@ -318,14 +316,14 @@ public class SSLServiceTests extends ESTestCase {
public void testThatTruststorePasswordIsRequired() throws Exception { public void testThatTruststorePasswordIsRequired() throws Exception {
MockSecureSettings secureSettings = new MockSecureSettings(); MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode"); secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode");
Settings settings = Settings.builder() Settings settings = Settings.builder()
.put("xpack.ssl.keystore.path", testnodeStore) .put("xpack.security.transport.ssl.keystore.path", testnodeStore)
.put("xpack.ssl.keystore.type", testnodeStoreType) .put("xpack.security.transport.ssl.keystore.type", testnodeStoreType)
.setSecureSettings(secureSettings) .setSecureSettings(secureSettings)
.put("xpack.ssl.truststore.path", testnodeStore) .put("xpack.security.transport.ssl.truststore.path", testnodeStore)
.put("xpack.ssl.truststore.type", testnodeStoreType) .put("xpack.security.transport.ssl.truststore.type", testnodeStoreType)
.build(); .build();
ElasticsearchException e = ElasticsearchException e =
expectThrows(ElasticsearchException.class, () -> new SSLService(settings, env)); expectThrows(ElasticsearchException.class, () -> new SSLService(settings, env));
assertThat(e.getMessage(), is("failed to initialize a TrustManagerFactory")); assertThat(e.getMessage(), is("failed to initialize a TrustManagerFactory"));
@ -333,9 +331,9 @@ public class SSLServiceTests extends ESTestCase {
public void testThatKeystorePasswordIsRequired() throws Exception { public void testThatKeystorePasswordIsRequired() throws Exception {
Settings settings = Settings.builder() Settings settings = Settings.builder()
.put("xpack.ssl.keystore.path", testnodeStore) .put("xpack.security.transport.ssl.keystore.path", testnodeStore)
.put("xpack.ssl.keystore.type", testnodeStoreType) .put("xpack.security.transport.ssl.keystore.type", testnodeStoreType)
.build(); .build();
ElasticsearchException e = ElasticsearchException e =
expectThrows(ElasticsearchException.class, () -> new SSLService(settings, env)); expectThrows(ElasticsearchException.class, () -> new SSLService(settings, env));
assertThat(e.getMessage(), is("failed to create trust manager")); assertThat(e.getMessage(), is("failed to create trust manager"));
@ -346,14 +344,15 @@ public class SSLServiceTests extends ESTestCase {
ciphers.add("foo"); ciphers.add("foo");
ciphers.add("bar"); ciphers.add("bar");
MockSecureSettings secureSettings = new MockSecureSettings(); MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode"); secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
Settings settings = Settings.builder() Settings settings = Settings.builder()
.put("xpack.ssl.certificate", testnodeCert) .put("xpack.security.transport.ssl.certificate", testnodeCert)
.put("xpack.ssl.key", testnodeKey) .put("xpack.security.transport.ssl.key", testnodeKey)
.setSecureSettings(secureSettings) .setSecureSettings(secureSettings)
.putList("xpack.security.transport.ssl.ciphers", ciphers.toArray(new String[ciphers.size()]))
.build(); .build();
SSLService sslService = new SSLService(settings, env); SSLService sslService = new SSLService(settings, env);
SSLConfiguration configuration = globalConfiguration(sslService); SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
SSLEngine engine = sslService.createSSLEngine(configuration, null, -1); SSLEngine engine = sslService.createSSLEngine(configuration, null, -1);
assertThat(engine, is(notNullValue())); assertThat(engine, is(notNullValue()));
String[] enabledCiphers = engine.getEnabledCipherSuites(); String[] enabledCiphers = engine.getEnabledCipherSuites();
@ -362,14 +361,14 @@ public class SSLServiceTests extends ESTestCase {
public void testInvalidCiphersOnlyThrowsException() throws Exception { public void testInvalidCiphersOnlyThrowsException() throws Exception {
MockSecureSettings secureSettings = new MockSecureSettings(); MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode"); secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
Settings settings = Settings.builder()
.put("xpack.ssl.certificate", testnodeCert)
.put("xpack.ssl.key", testnodeKey)
.putList("xpack.ssl.cipher_suites", new String[]{"foo", "bar"})
.setSecureSettings(secureSettings)
.build();
Settings settings = Settings.builder()
.put("xpack.security.transport.ssl.certificate", testnodeCert)
.put("xpack.security.transport.ssl.key", testnodeKey)
.setSecureSettings(secureSettings)
.putList("xpack.security.transport.ssl.cipher_suites", new String[] { "foo", "bar" })
.build();
IllegalArgumentException e = IllegalArgumentException e =
expectThrows(IllegalArgumentException.class, () -> new SSLService(settings, env)); expectThrows(IllegalArgumentException.class, () -> new SSLService(settings, env));
assertThat(e.getMessage(), is("none of the ciphers [foo, bar] are supported by this JVM")); assertThat(e.getMessage(), is("none of the ciphers [foo, bar] are supported by this JVM"));
@ -377,14 +376,14 @@ public class SSLServiceTests extends ESTestCase {
public void testThatSSLEngineHasCipherSuitesOrderSet() throws Exception { public void testThatSSLEngineHasCipherSuitesOrderSet() throws Exception {
MockSecureSettings secureSettings = new MockSecureSettings(); MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode"); secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
Settings settings = Settings.builder() Settings settings = Settings.builder()
.put("xpack.ssl.certificate", testnodeCert) .put("xpack.security.transport.ssl.certificate", testnodeCert)
.put("xpack.ssl.key", testnodeKey) .put("xpack.security.transport.ssl.key", testnodeKey)
.setSecureSettings(secureSettings) .setSecureSettings(secureSettings)
.build(); .build();
SSLService sslService = new SSLService(settings, env); SSLService sslService = new SSLService(settings, env);
SSLConfiguration configuration = globalConfiguration(sslService); SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
SSLEngine engine = sslService.createSSLEngine(configuration, null, -1); SSLEngine engine = sslService.createSSLEngine(configuration, null, -1);
assertThat(engine, is(notNullValue())); assertThat(engine, is(notNullValue()));
assertTrue(engine.getSSLParameters().getUseCipherSuitesOrder()); assertTrue(engine.getSSLParameters().getUseCipherSuitesOrder());
@ -392,14 +391,14 @@ public class SSLServiceTests extends ESTestCase {
public void testThatSSLSocketFactoryHasProperCiphersAndProtocols() throws Exception { public void testThatSSLSocketFactoryHasProperCiphersAndProtocols() throws Exception {
MockSecureSettings secureSettings = new MockSecureSettings(); MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode"); secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
Settings settings = Settings.builder() Settings settings = Settings.builder()
.put("xpack.ssl.certificate", testnodeCert) .put("xpack.security.transport.ssl.certificate", testnodeCert)
.put("xpack.ssl.key", testnodeKey) .put("xpack.security.transport.ssl.key", testnodeKey)
.setSecureSettings(secureSettings) .setSecureSettings(secureSettings)
.build(); .build();
SSLService sslService = new SSLService(settings, env); SSLService sslService = new SSLService(settings, env);
SSLConfiguration config = globalConfiguration(sslService); SSLConfiguration config = sslService.getSSLConfiguration("xpack.security.transport.ssl");
final SSLSocketFactory factory = sslService.sslSocketFactory(config); final SSLSocketFactory factory = sslService.sslSocketFactory(config);
final String[] ciphers = sslService.supportedCiphers(factory.getSupportedCipherSuites(), config.cipherSuites(), false); final String[] ciphers = sslService.supportedCiphers(factory.getSupportedCipherSuites(), config.cipherSuites(), false);
assertThat(factory.getDefaultCipherSuites(), is(ciphers)); assertThat(factory.getDefaultCipherSuites(), is(ciphers));
@ -417,14 +416,14 @@ public class SSLServiceTests extends ESTestCase {
public void testThatSSLEngineHasProperCiphersAndProtocols() throws Exception { public void testThatSSLEngineHasProperCiphersAndProtocols() throws Exception {
MockSecureSettings secureSettings = new MockSecureSettings(); MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode"); secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
Settings settings = Settings.builder() Settings settings = Settings.builder()
.put("xpack.ssl.certificate", testnodeCert) .put("xpack.security.transport.ssl.certificate", testnodeCert)
.put("xpack.ssl.key", testnodeKey) .put("xpack.security.transport.ssl.key", testnodeKey)
.setSecureSettings(secureSettings) .setSecureSettings(secureSettings)
.build(); .build();
SSLService sslService = new SSLService(settings, env); SSLService sslService = new SSLService(settings, env);
SSLConfiguration configuration = globalConfiguration(sslService); SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
SSLEngine engine = sslService.createSSLEngine(configuration, null, -1); SSLEngine engine = sslService.createSSLEngine(configuration, null, -1);
final String[] ciphers = sslService.supportedCiphers(engine.getSupportedCipherSuites(), configuration.cipherSuites(), false); final String[] ciphers = sslService.supportedCiphers(engine.getSupportedCipherSuites(), configuration.cipherSuites(), false);
final String[] supportedProtocols = configuration.supportedProtocols().toArray(Strings.EMPTY_ARRAY); final String[] supportedProtocols = configuration.supportedProtocols().toArray(Strings.EMPTY_ARRAY);
@ -475,9 +474,9 @@ public class SSLServiceTests extends ESTestCase {
} }
public void testEmptyTrustManager() throws Exception { public void testEmptyTrustManager() throws Exception {
Settings settings = Settings.builder().build(); Settings settings = Settings.EMPTY;
final SSLService sslService = new SSLService(settings, env); final SSLService sslService = new SSLService(settings, env);
X509ExtendedTrustManager trustManager = sslService.sslContextHolder(sslService.getSSLConfiguration("xpack.ssl")) X509ExtendedTrustManager trustManager = sslService.sslContextHolder(sslService.getSSLConfiguration("xpack.security.transport.ssl"))
.getEmptyTrustManager(); .getEmptyTrustManager();
assertThat(trustManager.getAcceptedIssuers(), emptyArray()); assertThat(trustManager.getAcceptedIssuers(), emptyArray());
} }
@ -489,7 +488,6 @@ public class SSLServiceTests extends ESTestCase {
final String[] cipherSuites = sslContext.getSupportedSSLParameters().getCipherSuites(); final String[] cipherSuites = sslContext.getSupportedSSLParameters().getCipherSuites();
final String[] contextNames = { final String[] contextNames = {
"xpack.ssl",
"xpack.http.ssl", "xpack.http.ssl",
"xpack.security.http.ssl", "xpack.security.http.ssl",
"xpack.security.transport.ssl", "xpack.security.transport.ssl",
@ -517,10 +515,6 @@ public class SSLServiceTests extends ESTestCase {
} }
final Settings settings = builder final Settings settings = builder
// Add a realm without SSL settings. This context name should be mapped to the global configuration
.put("xpack.security.authc.realms.file.realm3.order", 4)
// Add an exporter without SSL settings. This context name should be mapped to the global configuration
.put("xpack.monitoring.exporters.mon3.type", "http")
.setSecureSettings(secureSettings) .setSecureSettings(secureSettings)
.build(); .build();
SSLService sslService = new SSLService(settings, env); SSLService sslService = new SSLService(settings, env);
@ -535,14 +529,6 @@ public class SSLServiceTests extends ESTestCase {
assertThat("Cipher for " + name, configuration.cipherSuites(), contains(cipherSuites[i])); assertThat("Cipher for " + name, configuration.cipherSuites(), contains(cipherSuites[i]));
assertThat("Configuration for " + name + ".", sslService.getSSLConfiguration(name + "."), sameInstance(configuration)); assertThat("Configuration for " + name + ".", sslService.getSSLConfiguration(name + "."), sameInstance(configuration));
} }
// These contexts have no SSL settings, but for convenience we want those components to be able to access their context
// by name, and get back the global configuration
final SSLConfiguration realm3Config = sslService.getSSLConfiguration("xpack.security.authc.realms.file.realm3.ssl");
final SSLConfiguration mon3Config = sslService.getSSLConfiguration("xpack.monitoring.exporters.mon3.ssl.");
final SSLConfiguration global = globalConfiguration(sslService);
assertThat(realm3Config, sameInstance(global));
assertThat(mon3Config, sameInstance(global));
} }
public void testReadCertificateInformation() throws Exception { public void testReadCertificateInformation() throws Exception {
@ -552,13 +538,13 @@ public class SSLServiceTests extends ESTestCase {
final Path pemPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/active-directory-ca.crt"); final Path pemPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/active-directory-ca.crt");
final MockSecureSettings secureSettings = new MockSecureSettings(); final MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode"); secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode");
secureSettings.setString("xpack.ssl.truststore.secure_password", "testnode"); secureSettings.setString("xpack.security.transport.ssl.truststore.secure_password", "testnode");
secureSettings.setString("xpack.http.ssl.keystore.secure_password", "testnode"); secureSettings.setString("xpack.http.ssl.keystore.secure_password", "testnode");
final Settings settings = Settings.builder() final Settings settings = Settings.builder()
.put("xpack.ssl.keystore.path", jksPath) .put("xpack.security.transport.ssl.keystore.path", jksPath)
.put("xpack.ssl.truststore.path", jksPath) .put("xpack.security.transport.ssl.truststore.path", jksPath)
.put("xpack.http.ssl.keystore.path", p12Path) .put("xpack.http.ssl.keystore.path", p12Path)
.put("xpack.security.authc.realms.active_directory.ad.ssl.certificate_authorities", pemPath) .put("xpack.security.authc.realms.active_directory.ad.ssl.certificate_authorities", pemPath)
.setSecureSettings(secureSettings) .setSecureSettings(secureSettings)
@ -718,7 +704,7 @@ public class SSLServiceTests extends ESTestCase {
@Network @Network
public void testThatSSLContextWithoutSettingsWorks() throws Exception { public void testThatSSLContextWithoutSettingsWorks() throws Exception {
SSLService sslService = new SSLService(Settings.EMPTY, env); SSLService sslService = new SSLService(Settings.EMPTY, env);
SSLContext sslContext = sslService.sslContext(); SSLContext sslContext = sslService.sslContext(sslService.sslConfiguration(Settings.EMPTY));
try (CloseableHttpClient client = HttpClients.custom().setSSLContext(sslContext).build()) { try (CloseableHttpClient client = HttpClients.custom().setSSLContext(sslContext).build()) {
// Execute a GET on a site known to have a valid certificate signed by a trusted public CA // Execute a GET on a site known to have a valid certificate signed by a trusted public CA
// This will result in a SSLHandshakeException if the SSLContext does not trust the CA, but the default // This will result in a SSLHandshakeException if the SSLContext does not trust the CA, but the default
@ -730,12 +716,13 @@ public class SSLServiceTests extends ESTestCase {
@Network @Network
public void testThatSSLContextTrustsJDKTrustedCAs() throws Exception { public void testThatSSLContextTrustsJDKTrustedCAs() throws Exception {
MockSecureSettings secureSettings = new MockSecureSettings(); MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.keystore.secure_password", "testclient"); secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testclient");
Settings settings = Settings.builder() Settings settings = Settings.builder()
.put("xpack.ssl.keystore.path", testclientStore) .put("xpack.security.transport.ssl.keystore.path", testclientStore)
.setSecureSettings(secureSettings) .setSecureSettings(secureSettings)
.build(); .build();
SSLContext sslContext = new SSLService(settings, env).sslContext(); SSLService sslService = new SSLService(settings, env);
SSLContext sslContext = sslService.sslContext(sslService.sslConfiguration(settings.getByPrefix("xpack.security.transport.ssl.")));
try (CloseableHttpClient client = HttpClients.custom().setSSLContext(sslContext).build()) { try (CloseableHttpClient client = HttpClients.custom().setSSLContext(sslContext).build()) {
// Execute a GET on a site known to have a valid certificate signed by a trusted public CA which will succeed because the JDK // Execute a GET on a site known to have a valid certificate signed by a trusted public CA which will succeed because the JDK
// certs are trusted by default // certs are trusted by default
@ -746,7 +733,7 @@ public class SSLServiceTests extends ESTestCase {
@Network @Network
public void testThatSSLIOSessionStrategyWithoutSettingsWorks() throws Exception { public void testThatSSLIOSessionStrategyWithoutSettingsWorks() throws Exception {
SSLService sslService = new SSLService(Settings.EMPTY, env); SSLService sslService = new SSLService(Settings.EMPTY, env);
SSLConfiguration sslConfiguration = globalConfiguration(sslService); SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
logger.info("SSL Configuration: {}", sslConfiguration); logger.info("SSL Configuration: {}", sslConfiguration);
SSLIOSessionStrategy sslStrategy = sslService.sslIOSessionStrategy(sslConfiguration); SSLIOSessionStrategy sslStrategy = sslService.sslIOSessionStrategy(sslConfiguration);
try (CloseableHttpAsyncClient client = getAsyncHttpClient(sslStrategy)) { try (CloseableHttpAsyncClient client = getAsyncHttpClient(sslStrategy)) {
@ -762,13 +749,13 @@ public class SSLServiceTests extends ESTestCase {
@Network @Network
public void testThatSSLIOSessionStrategyTrustsJDKTrustedCAs() throws Exception { public void testThatSSLIOSessionStrategyTrustsJDKTrustedCAs() throws Exception {
MockSecureSettings secureSettings = new MockSecureSettings(); MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.keystore.secure_password", "testclient"); secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testclient");
Settings settings = Settings.builder() Settings settings = Settings.builder()
.put("xpack.ssl.keystore.path", testclientStore) .put("xpack.security.transport.ssl.keystore.path", testclientStore)
.setSecureSettings(secureSettings) .setSecureSettings(secureSettings)
.build(); .build();
final SSLService sslService = new SSLService(settings, env); final SSLService sslService = new SSLService(settings, env);
SSLIOSessionStrategy sslStrategy = sslService.sslIOSessionStrategy(globalConfiguration(sslService)); SSLIOSessionStrategy sslStrategy = sslService.sslIOSessionStrategy(sslService.getSSLConfiguration("xpack.security.transport.ssl"));
try (CloseableHttpAsyncClient client = getAsyncHttpClient(sslStrategy)) { try (CloseableHttpAsyncClient client = getAsyncHttpClient(sslStrategy)) {
client.start(); client.start();
@ -778,10 +765,6 @@ public class SSLServiceTests extends ESTestCase {
} }
} }
private static SSLConfiguration globalConfiguration(SSLService sslService) {
return sslService.getSSLConfiguration("xpack.ssl");
}
class AssertionCallback implements FutureCallback<HttpResponse> { class AssertionCallback implements FutureCallback<HttpResponse> {
@Override @Override

5
x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/TestsSSLService.java
View File

@ -19,11 +19,6 @@ public class TestsSSLService extends SSLService {
super(settings, environment); super(settings, environment);
} }
@Override
public SSLContext sslContext() {
return super.sslContext();
}
/** /**
* Allows to get alternative ssl context, like for the http client * Allows to get alternative ssl context, like for the http client
*/ */

8
x-pack/plugin/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/exporter/http/HttpExporterSslIT.java
View File

@ -95,14 +95,14 @@ public class HttpExporterSslIT extends MonitoringIntegTestCase {
final Path key = getDataPath("/org/elasticsearch/xpack/monitoring/exporter/http/testnode.pem"); final Path key = getDataPath("/org/elasticsearch/xpack/monitoring/exporter/http/testnode.pem");
final Settings sslSettings = Settings.builder() final Settings sslSettings = Settings.builder()
.put("xpack.ssl.certificate", cert) .put("xpack.transport.security.ssl.certificate", cert)
.put("xpack.ssl.key", key) .put("xpack.transport.security.ssl.key", key)
.put("xpack.ssl.key_passphrase", "testnode") .put("xpack.transport.security.ssl.key_passphrase", "testnode")
.put(globalSettings) .put(globalSettings)
.build(); .build();
TestsSSLService sslService = new TestsSSLService(sslSettings, environment); TestsSSLService sslService = new TestsSSLService(sslSettings, environment);
final SSLContext sslContext = sslService.sslContext(Settings.EMPTY); final SSLContext sslContext = sslService.sslContext("xpack.security.transport.ssl");
MockWebServer server = new MockWebServer(sslContext, false); MockWebServer server = new MockWebServer(sslContext, false);
server.start(); server.start();
return server; return server;

5
x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheck.java
View File

@ -9,7 +9,7 @@ import org.elasticsearch.bootstrap.BootstrapCheck;
import org.elasticsearch.bootstrap.BootstrapContext; import org.elasticsearch.bootstrap.BootstrapContext;
import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.XPackSettings;
import org.elasticsearch.xpack.core.security.authc.RealmConfig; import org.elasticsearch.xpack.core.security.authc.RealmConfig.RealmIdentifier;
import org.elasticsearch.xpack.core.security.authc.RealmSettings; import org.elasticsearch.xpack.core.security.authc.RealmSettings;
import org.elasticsearch.xpack.core.security.authc.pki.PkiRealmSettings; import org.elasticsearch.xpack.core.security.authc.pki.PkiRealmSettings;
import org.elasticsearch.xpack.core.ssl.SSLConfiguration; import org.elasticsearch.xpack.core.ssl.SSLConfiguration;
@ -37,7 +37,7 @@ class PkiRealmBootstrapCheck implements BootstrapCheck {
@Override @Override
public BootstrapCheckResult check(BootstrapContext context) { public BootstrapCheckResult check(BootstrapContext context) {
final Settings settings = context.settings(); final Settings settings = context.settings();
final Map<RealmConfig.RealmIdentifier, Settings> realms = RealmSettings.getRealmSettings(settings); final Map<RealmIdentifier, Settings> realms = RealmSettings.getRealmSettings(settings);
final boolean pkiRealmEnabled = realms.entrySet().stream() final boolean pkiRealmEnabled = realms.entrySet().stream()
.filter(e -> PkiRealmSettings.TYPE.equals(e.getKey().getType())) .filter(e -> PkiRealmSettings.TYPE.equals(e.getKey().getType()))
.map(Map.Entry::getValue) .map(Map.Entry::getValue)
@ -70,6 +70,7 @@ class PkiRealmBootstrapCheck implements BootstrapCheck {
return list; return list;
} }
// FIXME this is an antipattern move this out of a bootstrap check!
@Override @Override
public boolean alwaysEnforce() { public boolean alwaysEnforce() {
return true; return true;

3
x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/esnative/ESNativeRealmMigrateTool.java
View File

@ -67,7 +67,6 @@ import java.util.Map;
import java.util.Set; import java.util.Set;
import static org.elasticsearch.common.xcontent.XContentFactory.jsonBuilder; import static org.elasticsearch.common.xcontent.XContentFactory.jsonBuilder;
import static org.elasticsearch.xpack.core.security.SecurityField.setting;
/** /**
* This is the command-line tool used for migrating users and roles from the file-based realm into the new native realm using the API for * This is the command-line tool used for migrating users and roles from the file-based realm into the new native realm using the API for
@ -149,7 +148,7 @@ public class ESNativeRealmMigrateTool extends LoggingAwareMultiCommand {
// If using SSL, need a custom service because it's likely a self-signed certificate // If using SSL, need a custom service because it's likely a self-signed certificate
if ("https".equalsIgnoreCase(uri.getScheme())) { if ("https".equalsIgnoreCase(uri.getScheme())) {
final SSLService sslService = new SSLService(settings, env); final SSLService sslService = new SSLService(settings, env);
final SSLConfiguration sslConfiguration = sslService.getSSLConfiguration(setting("http.ssl")); final SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.security.http.ssl");
final HttpsURLConnection httpsConn = (HttpsURLConnection) url.openConnection(); final HttpsURLConnection httpsConn = (HttpsURLConnection) url.openConnection();
AccessController.doPrivileged((PrivilegedAction<Void>) () -> { AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
// Requires permission java.lang.RuntimePermission "setFactory"; // Requires permission java.lang.RuntimePermission "setFactory";

1
x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/nio/SecurityNioTransport.java
View File

@ -86,7 +86,6 @@ public class SecurityNioTransport extends NioTransport {
Map<String, SSLConfiguration> profileConfiguration = SecurityNetty4Transport.getTransportProfileConfigurations(settings, Map<String, SSLConfiguration> profileConfiguration = SecurityNetty4Transport.getTransportProfileConfigurations(settings,
sslService, transportConfiguration); sslService, transportConfiguration);
this.profileConfiguration = Collections.unmodifiableMap(profileConfiguration); this.profileConfiguration = Collections.unmodifiableMap(profileConfiguration);
} else { } else {
profileConfiguration = Collections.emptyMap(); profileConfiguration = Collections.emptyMap();
} }

112
x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySettingsSource.java
View File

@ -149,7 +149,7 @@ public class SecuritySettingsSource extends NodeConfigurationSource {
@Override @Override
public Settings transportClientSettings() { public Settings transportClientSettings() {
Settings.Builder builder = Settings.builder(); Settings.Builder builder = Settings.builder();
addClientSSLSettings(builder, ""); addClientSSLSettings(builder, "xpack.security.transport.");
addDefaultSecurityTransportType(builder, Settings.EMPTY); addDefaultSecurityTransportType(builder, Settings.EMPTY);
if (randomBoolean()) { if (randomBoolean()) {
@ -208,22 +208,27 @@ public class SecuritySettingsSource extends NodeConfigurationSource {
return new SecureString(SecuritySettingsSourceField.TEST_PASSWORD.toCharArray()); return new SecureString(SecuritySettingsSourceField.TEST_PASSWORD.toCharArray());
} }
public static void addSSLSettingsForNodePEMFiles(Settings.Builder builder, String prefix, boolean hostnameVerificationEnabled) {
addSSLSettingsForPEMFiles(builder, prefix,
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem", "testnode",
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt",
Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-client-profile.crt",
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/active-directory-ca.crt",
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt",
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/openldap.crt",
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"),
hostnameVerificationEnabled, false);
}
private void addNodeSSLSettings(Settings.Builder builder) { private void addNodeSSLSettings(Settings.Builder builder) {
if (sslEnabled) { if (sslEnabled) {
builder.put("xpack.security.transport.ssl.enabled", true);
if (usePEM) { if (usePEM) {
addSSLSettingsForPEMFiles(builder, "", addSSLSettingsForNodePEMFiles(builder, "xpack.security.transport.", hostnameVerificationEnabled);
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem", "testnode",
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt",
Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-client-profile.crt",
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/active-directory-ca.crt",
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt",
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/openldap.crt",
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"),
sslEnabled, hostnameVerificationEnabled, false);
} else { } else {
addSSLSettingsForStore(builder, "", "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks", addSSLSettingsForStore(builder, "xpack.security.transport.",
"testnode", sslEnabled, hostnameVerificationEnabled, false); "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks", "testnode",
hostnameVerificationEnabled, false);
} }
} else if (randomBoolean()) { } else if (randomBoolean()) {
builder.put(XPackSettings.TRANSPORT_SSL_ENABLED.getKey(), false); builder.put(XPackSettings.TRANSPORT_SSL_ENABLED.getKey(), false);
@ -231,47 +236,53 @@ public class SecuritySettingsSource extends NodeConfigurationSource {
} }
public void addClientSSLSettings(Settings.Builder builder, String prefix) { public void addClientSSLSettings(Settings.Builder builder, String prefix) {
builder.put("xpack.security.transport.ssl.enabled", sslEnabled);
if (usePEM) { if (usePEM) {
addSSLSettingsForPEMFiles(builder, prefix, addSSLSettingsForPEMFiles(builder, prefix,
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.pem", "testclient", "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.pem", "testclient",
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt", "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt",
Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt", Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt",
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt"), "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt"),
sslEnabled, hostnameVerificationEnabled, true); hostnameVerificationEnabled, true);
} else { } else {
addSSLSettingsForStore(builder, prefix, "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.jks", addSSLSettingsForStore(builder, prefix, "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.jks",
"testclient", sslEnabled, hostnameVerificationEnabled, true); "testclient", hostnameVerificationEnabled, true);
} }
} }
/**
* Returns the configuration settings given the location of a certificate and its password
*
* @param resourcePathToStore the location of the keystore or truststore
* @param password the password
*/
public static void addSSLSettingsForStore(Settings.Builder builder, String resourcePathToStore, String password, String prefix) {
addSSLSettingsForStore(builder, prefix, resourcePathToStore, password, true, true);
}
private static void addSSLSettingsForStore(Settings.Builder builder, String prefix, String resourcePathToStore, String password, private static void addSSLSettingsForStore(Settings.Builder builder, String prefix, String resourcePathToStore, String password,
boolean sslEnabled, boolean hostnameVerificationEnabled, boolean hostnameVerificationEnabled, boolean transportClient) {
boolean transportClient) {
Path store = resolveResourcePath(resourcePathToStore); Path store = resolveResourcePath(resourcePathToStore);
builder.put(prefix + "ssl.verification_mode", hostnameVerificationEnabled ? "full" : "certificate");
if (transportClient == false) { builder.put(prefix + "ssl.keystore.path", store);
builder.put(prefix + "xpack.security.http.ssl.enabled", false);
}
builder.put(XPackSettings.TRANSPORT_SSL_ENABLED.getKey(), sslEnabled);
builder.put(prefix + "xpack.ssl.verification_mode", hostnameVerificationEnabled ? "full" : "certificate");
builder.put(prefix + "xpack.ssl.keystore.path", store);
if (transportClient) { if (transportClient) {
// continue using insecure settings for clients until we figure out what to do there... // continue using insecure settings for clients until we figure out what to do there...
builder.put(prefix + "xpack.ssl.keystore.password", password); builder.put(prefix + "ssl.keystore.password", password);
} else { } else {
final String finalPrefix = prefix;
addSecureSettings(builder, secureSettings -> addSecureSettings(builder, secureSettings ->
secureSettings.setString(prefix + "xpack.ssl.keystore.secure_password", password)); secureSettings.setString(finalPrefix + "ssl.keystore.secure_password", password));
} }
if (randomBoolean()) { if (randomBoolean()) {
builder.put(prefix + "xpack.ssl.truststore.path", store); builder.put(prefix + "ssl.truststore.path", store);
if (transportClient) { if (transportClient) {
// continue using insecure settings for clients until we figure out what to do there... // continue using insecure settings for clients until we figure out what to do there...
builder.put(prefix + "xpack.ssl.truststore.password", password); builder.put(prefix + "ssl.truststore.password", password);
} else { } else {
final String finalPrefix = prefix;
addSecureSettings(builder, secureSettings -> addSecureSettings(builder, secureSettings ->
secureSettings.setString(prefix + "xpack.ssl.truststore.secure_password", password)); secureSettings.setString(finalPrefix + "ssl.truststore.secure_password", password));
} }
} }
} }
@ -289,31 +300,46 @@ public class SecuritySettingsSource extends NodeConfigurationSource {
*/ */
public static void addSSLSettingsForPEMFiles(Settings.Builder builder, String keyPath, String password, public static void addSSLSettingsForPEMFiles(Settings.Builder builder, String keyPath, String password,
String certificatePath, List<String> trustedCertificates) { String certificatePath, List<String> trustedCertificates) {
addSSLSettingsForPEMFiles(builder, "", keyPath, password, certificatePath, trustedCertificates, true, true, true); addSSLSettingsForPEMFiles(builder, "", keyPath, password, certificatePath, trustedCertificates, true, true);
}
/**
* Returns the SSL related configuration settings given the location of a key and certificate and the location
* of the PEM certificates to be trusted
*
* @param keyPath The path to the Private key to be used for SSL
* @param password The password with which the private key is protected
* @param certificatePath The path to the PEM formatted Certificate encapsulating the public key that corresponds
* to the Private Key specified in {@code keyPath}. Will be presented to incoming
* SSL connections.
* @param prefix The settings prefix to use before ssl setting names
* @param trustedCertificates A list of PEM formatted certificates that will be trusted.
*/
public static void addSSLSettingsForPEMFiles(Settings.Builder builder, String keyPath, String password,
String certificatePath, String prefix, List<String> trustedCertificates) {
addSSLSettingsForPEMFiles(builder, prefix, keyPath, password, certificatePath, trustedCertificates, true, true);
} }
private static void addSSLSettingsForPEMFiles(Settings.Builder builder, String prefix, String keyPath, String password, private static void addSSLSettingsForPEMFiles(Settings.Builder builder, String prefix, String keyPath, String password,
String certificatePath, List<String> trustedCertificates, boolean sslEnabled, String certificatePath, List<String> trustedCertificates,
boolean hostnameVerificationEnabled, boolean transportClient) { boolean hostnameVerificationEnabled, boolean transportClient) {
if (prefix.equals("")) {
if (transportClient == false) { prefix = "xpack.security.transport.";
builder.put(prefix + "xpack.security.http.ssl.enabled", false);
} }
builder.put(XPackSettings.TRANSPORT_SSL_ENABLED.getKey(), sslEnabled); builder.put(prefix + "ssl.verification_mode", hostnameVerificationEnabled ? "full" : "certificate");
builder.put(prefix + "ssl.key", resolveResourcePath(keyPath))
builder.put(prefix + "xpack.ssl.verification_mode", hostnameVerificationEnabled ? "full" : "certificate"); .put(prefix + "ssl.certificate", resolveResourcePath(certificatePath));
builder.put(prefix + "xpack.ssl.key", resolveResourcePath(keyPath))
.put(prefix + "xpack.ssl.certificate", resolveResourcePath(certificatePath));
if (transportClient) { if (transportClient) {
// continue using insecure settings for clients until we figure out what to do there... // continue using insecure settings for clients until we figure out what to do there...
builder.put(prefix + "xpack.ssl.key_passphrase", password); builder.put(prefix + "ssl.key_passphrase", password);
} else { } else {
final String finalPrefix = prefix;
addSecureSettings(builder, secureSettings -> addSecureSettings(builder, secureSettings ->
secureSettings.setString(prefix + "xpack.ssl.secure_key_passphrase", password)); secureSettings.setString(finalPrefix + "ssl.secure_key_passphrase", password));
} }
if (trustedCertificates.isEmpty() == false) { if (trustedCertificates.isEmpty() == false) {
builder.put(prefix + "xpack.ssl.certificate_authorities", builder.put(prefix + "ssl.certificate_authorities",
Strings.arrayToCommaDelimitedString(resolvePathsToString(trustedCertificates))); Strings.arrayToCommaDelimitedString(resolvePathsToString(trustedCertificates)));
} }
} }

16
x-pack/plugin/security/src/test/java/org/elasticsearch/test/SettingsFilterTests.java
View File

@ -64,21 +64,21 @@ public class SettingsFilterTests extends ESTestCase {
if (inFipsJvm() == false) { if (inFipsJvm() == false) {
configureFilteredSetting("xpack.security.authc.realms.pki.pki1.truststore.path", configureFilteredSetting("xpack.security.authc.realms.pki.pki1.truststore.path",
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/truststore-testnode-only.jks").toString()); getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/truststore-testnode-only.jks").toString());
configureFilteredSetting("xpack.ssl.keystore.path", configureFilteredSetting("xpack.security.transport.ssl.keystore.path",
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks").toString()); getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks").toString());
} }
configureSecureSetting("xpack.security.authc.realms.pki.pki1.truststore.secure_password", "truststore-testnode-only"); configureSecureSetting("xpack.security.authc.realms.pki.pki1.truststore.secure_password", "truststore-testnode-only");
configureFilteredSetting("xpack.security.authc.realms.pki.pki1.truststore.algorithm", "SunX509"); configureFilteredSetting("xpack.security.authc.realms.pki.pki1.truststore.algorithm", "SunX509");
configureFilteredSetting("xpack.ssl.cipher_suites", configureFilteredSetting("xpack.security.transport.ssl.cipher_suites",
Strings.arrayToCommaDelimitedString(XPackSettings.DEFAULT_CIPHERS.toArray())); Strings.arrayToCommaDelimitedString(XPackSettings.DEFAULT_CIPHERS.toArray()));
configureFilteredSetting("xpack.ssl.supported_protocols", randomFrom("TLSv1", "TLSv1.1", "TLSv1.2")); configureFilteredSetting("xpack.security.transport.ssl.supported_protocols", randomFrom("TLSv1", "TLSv1.1", "TLSv1.2"));
configureSecureSetting("xpack.ssl.keystore.secure_password", "testnode"); configureSecureSetting("xpack.security.transport.ssl.keystore.secure_password", "testnode");
configureFilteredSetting("xpack.ssl.keystore.algorithm", KeyManagerFactory.getDefaultAlgorithm()); configureFilteredSetting("xpack.security.transport.ssl.keystore.algorithm", KeyManagerFactory.getDefaultAlgorithm());
configureSecureSetting("xpack.ssl.keystore.secure_key_password", "testnode"); configureSecureSetting("xpack.security.transport.ssl.keystore.secure_key_password", "testnode");
configureSecureSetting("xpack.ssl.truststore.secure_password", randomAlphaOfLength(5)); configureSecureSetting("xpack.security.transport.ssl.truststore.secure_password", randomAlphaOfLength(5));
configureFilteredSetting("xpack.ssl.truststore.algorithm", TrustManagerFactory.getDefaultAlgorithm()); configureFilteredSetting("xpack.security.transport.ssl.truststore.algorithm", TrustManagerFactory.getDefaultAlgorithm());
// client profile // client profile
configureUnfilteredSetting("transport.profiles.client.port", "9500-9600"); configureUnfilteredSetting("transport.profiles.client.port", "9500-9600");

16
x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/FIPS140JKSKeystoreBootstrapCheckTests.java
View File

@ -16,22 +16,6 @@ public class FIPS140JKSKeystoreBootstrapCheckTests extends AbstractBootstrapChec
assertFalse(new FIPS140JKSKeystoreBootstrapCheck().check(createTestContext(settings.build(), null)).isFailure()); assertFalse(new FIPS140JKSKeystoreBootstrapCheck().check(createTestContext(settings.build(), null)).isFailure());
} }
public void testSSLKeystoreTypeIsNotAllowed() {
final Settings.Builder settings = Settings.builder()
.put("xpack.security.fips_mode.enabled", "true")
.put("xpack.ssl.keystore.path", "/this/is/the/path")
.put("xpack.ssl.keystore.type", "JKS");
assertTrue(new FIPS140JKSKeystoreBootstrapCheck().check(createTestContext(settings.build(), null)).isFailure());
}
public void testSSLImplicitKeystoreTypeIsNotAllowed() {
final Settings.Builder settings = Settings.builder()
.put("xpack.security.fips_mode.enabled", "true")
.put("xpack.ssl.keystore.path", "/this/is/the/path")
.put("xpack.ssl.keystore.type", "JKS");
assertTrue(new FIPS140JKSKeystoreBootstrapCheck().check(createTestContext(settings.build(), null)).isFailure());
}
public void testTransportSSLKeystoreTypeIsNotAllowed() { public void testTransportSSLKeystoreTypeIsNotAllowed() {
final Settings.Builder settings = Settings.builder() final Settings.Builder settings = Settings.builder()
.put("xpack.security.fips_mode.enabled", "true") .put("xpack.security.fips_mode.enabled", "true")

11
x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheckTests.java
View File

@ -36,15 +36,9 @@ public class PkiRealmBootstrapCheckTests extends AbstractBootstrapCheckTestCase
.build(); .build();
assertFalse(runCheck(settings, env).isFailure()); assertFalse(runCheck(settings, env).isFailure());
// disable client auth default
settings = Settings.builder().put(settings)
.put("xpack.ssl.client_authentication", "none")
.build();
env = TestEnvironment.newEnvironment(settings);
assertTrue(runCheck(settings, env).isFailure());
// enable ssl for http // enable ssl for http
settings = Settings.builder().put(settings) settings = Settings.builder().put(settings)
.put("xpack.security.transport.ssl.enabled", false)
.put("xpack.security.http.ssl.enabled", true) .put("xpack.security.http.ssl.enabled", true)
.build(); .build();
env = TestEnvironment.newEnvironment(settings); env = TestEnvironment.newEnvironment(settings);
@ -73,6 +67,7 @@ public class PkiRealmBootstrapCheckTests extends AbstractBootstrapCheckTestCase
// test with transport profile // test with transport profile
settings = Settings.builder().put(settings) settings = Settings.builder().put(settings)
.put("xpack.security.transport.ssl.enabled", true)
.put("xpack.security.transport.client_authentication", "none") .put("xpack.security.transport.client_authentication", "none")
.put("transport.profiles.foo.xpack.security.ssl.client_authentication", randomFrom("required", "optional")) .put("transport.profiles.foo.xpack.security.ssl.client_authentication", randomFrom("required", "optional"))
.build(); .build();
@ -87,7 +82,7 @@ public class PkiRealmBootstrapCheckTests extends AbstractBootstrapCheckTestCase
public void testBootstrapCheckWithDisabledRealm() throws Exception { public void testBootstrapCheckWithDisabledRealm() throws Exception {
Settings settings = Settings.builder() Settings settings = Settings.builder()
.put("xpack.security.authc.realms.pki.test_pki.enabled", false) .put("xpack.security.authc.realms.pki.test_pki.enabled", false)
.put("xpack.ssl.client_authentication", "none") .put("xpack.security.transport.ssl.client_authentication", "none")
.put("path.home", createTempDir()) .put("path.home", createTempDir())
.build(); .build();
Environment env = TestEnvironment.newEnvironment(settings); Environment env = TestEnvironment.newEnvironment(settings);

2
x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/index/IndexAuditTrailTests.java
View File

@ -246,7 +246,7 @@ public class IndexAuditTrailTests extends SecurityIntegTestCase {
SecuritySettingsSourceField.TEST_PASSWORD); SecuritySettingsSourceField.TEST_PASSWORD);
if (remoteUseSSL) { if (remoteUseSSL) {
cluster2SettingsSource.addClientSSLSettings(builder, "xpack.security.audit.index.client."); cluster2SettingsSource.addClientSSLSettings(builder, "xpack.security.audit.index.client.xpack.security.transport.");
builder.put("xpack.security.audit.index.client.xpack.security.transport.ssl.enabled", true); builder.put("xpack.security.audit.index.client.xpack.security.transport.ssl.enabled", true);
} }
if (useSecurity == false && builder.get(NetworkModule.TRANSPORT_TYPE_KEY) == null) { if (useSecurity == false && builder.get(NetworkModule.TRANSPORT_TYPE_KEY) == null) {

2
x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/index/RemoteIndexAuditTrailStartingTests.java
View File

@ -111,7 +111,7 @@ public class RemoteIndexAuditTrailStartingTests extends SecurityIntegTestCase {
.put("xpack.security.audit.index.settings.index.number_of_shards", 1) .put("xpack.security.audit.index.settings.index.number_of_shards", 1)
.put("xpack.security.audit.index.settings.index.number_of_replicas", 0); .put("xpack.security.audit.index.settings.index.number_of_replicas", 0);
addClientSSLSettings(builder, "xpack.security.audit.index.client."); addClientSSLSettings(builder, "xpack.security.audit.index.client.xpack.security.transport.");
builder.put("xpack.security.audit.index.client.xpack.security.transport.ssl.enabled", sslEnabled); builder.put("xpack.security.audit.index.client.xpack.security.transport.ssl.enabled", sslEnabled);
return builder.build(); return builder.build();
} }

34
x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/ESNativeMigrateToolTests.java
View File

@ -13,7 +13,6 @@ import org.elasticsearch.common.bytes.BytesArray;
import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.env.Environment; import org.elasticsearch.env.Environment;
import org.elasticsearch.test.NativeRealmIntegTestCase; import org.elasticsearch.test.NativeRealmIntegTestCase;
import org.elasticsearch.test.SecuritySettingsSource;
import org.elasticsearch.common.CharArrays; import org.elasticsearch.common.CharArrays;
import org.elasticsearch.xpack.core.security.client.SecurityClient; import org.elasticsearch.xpack.core.security.client.SecurityClient;
import org.elasticsearch.xpack.security.support.SecurityIndexManager; import org.elasticsearch.xpack.security.support.SecurityIndexManager;
@ -21,10 +20,12 @@ import org.junit.BeforeClass;
import java.nio.charset.StandardCharsets; import java.nio.charset.StandardCharsets;
import java.nio.file.Path; import java.nio.file.Path;
import java.util.Arrays; import java.util.Collections;
import java.util.HashSet; import java.util.HashSet;
import java.util.Set; import java.util.Set;
import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForNodePEMFiles;
import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForPEMFiles;
import static org.hamcrest.Matchers.containsString; import static org.hamcrest.Matchers.containsString;
import static org.hamcrest.Matchers.is; import static org.hamcrest.Matchers.is;
@ -49,11 +50,11 @@ public class ESNativeMigrateToolTests extends NativeRealmIntegTestCase {
@Override @Override
public Settings nodeSettings(int nodeOrdinal) { public Settings nodeSettings(int nodeOrdinal) {
logger.info("--> use SSL? {}", useSSL); logger.info("--> use SSL? {}", useSSL);
Settings s = Settings.builder() Settings.Builder builder = Settings.builder()
.put(super.nodeSettings(nodeOrdinal)) .put(super.nodeSettings(nodeOrdinal));
.put("xpack.security.http.ssl.enabled", useSSL) addSSLSettingsForNodePEMFiles(builder, "xpack.security.http.", true);
.build(); builder.put("xpack.security.http.ssl.enabled", useSSL);
return s; return builder.build();
} }
@Override @Override
@ -77,7 +78,7 @@ public class ESNativeMigrateToolTests extends NativeRealmIntegTestCase {
SecurityClient c = new SecurityClient(client()); SecurityClient c = new SecurityClient(client());
logger.error("--> creating users"); logger.error("--> creating users");
int numToAdd = randomIntBetween(1,10); int numToAdd = randomIntBetween(1,10);
Set<String> addedUsers = new HashSet(numToAdd); Set<String> addedUsers = new HashSet<>(numToAdd);
for (int i = 0; i < numToAdd; i++) { for (int i = 0; i < numToAdd; i++) {
String uname = randomAlphaOfLength(5); String uname = randomAlphaOfLength(5);
c.preparePutUser(uname, "s3kirt".toCharArray(), getFastStoredHashAlgoForTests(), "role1", "user").get(); c.preparePutUser(uname, "s3kirt".toCharArray(), getFastStoredHashAlgoForTests(), "role1", "user").get();
@ -94,13 +95,15 @@ public class ESNativeMigrateToolTests extends NativeRealmIntegTestCase {
Settings.Builder builder = Settings.builder() Settings.Builder builder = Settings.builder()
.put("path.home", home) .put("path.home", home)
.put("path.conf", conf.toString()); .put("path.conf", conf.toString())
SecuritySettingsSource.addSSLSettingsForPEMFiles( .put("xpack.security.http.ssl.client_authentication", "none");
addSSLSettingsForPEMFiles(
builder, builder,
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem", "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem",
"testnode", "testnode",
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt", "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt",
Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt")); "xpack.security.http.",
Collections.singletonList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"));
Settings settings = builder.build(); Settings settings = builder.build();
logger.error("--> retrieving users using URL: {}, home: {}", url, home); logger.error("--> retrieving users using URL: {}, home: {}", url, home);
@ -140,12 +143,15 @@ public class ESNativeMigrateToolTests extends NativeRealmIntegTestCase {
String password = new String(CharArrays.toUtf8Bytes(nodeClientPassword().getChars()), StandardCharsets.UTF_8); String password = new String(CharArrays.toUtf8Bytes(nodeClientPassword().getChars()), StandardCharsets.UTF_8);
String url = getHttpURL(); String url = getHttpURL();
ESNativeRealmMigrateTool.MigrateUserOrRoles muor = new ESNativeRealmMigrateTool.MigrateUserOrRoles(); ESNativeRealmMigrateTool.MigrateUserOrRoles muor = new ESNativeRealmMigrateTool.MigrateUserOrRoles();
Settings.Builder builder = Settings.builder().put("path.home", home); Settings.Builder builder = Settings.builder()
SecuritySettingsSource.addSSLSettingsForPEMFiles(builder, .put("path.home", home)
.put("xpack.security.http.ssl.client_authentication", "none");
addSSLSettingsForPEMFiles(builder,
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.pem", "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.pem",
"testclient", "testclient",
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt", "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt",
Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt")); "xpack.security.http.",
Collections.singletonList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"));
Settings settings = builder.build(); Settings settings = builder.build();
logger.error("--> retrieving roles using URL: {}, home: {}", url, home); logger.error("--> retrieving roles using URL: {}, home: {}", url, home);

31
x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/tool/CommandLineHttpClientTests.java
View File

@ -44,29 +44,16 @@ public class CommandLineHttpClientTests extends ESTestCase {
} }
@After @After
public void shutdown() throws Exception { public void shutdown() {
webServer.close(); webServer.close();
} }
public void testCommandLineHttpClientCanExecuteAndReturnCorrectResultUsingSSLSettings() throws Exception { public void testCommandLineHttpClientCanExecuteAndReturnCorrectResultUsingSSLSettings() throws Exception {
Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"); Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt");
MockSecureSettings secureSettings = new MockSecureSettings(); Settings settings = Settings.builder()
Settings settings; .put("xpack.security.http.ssl.certificate_authorities", certPath.toString())
if (randomBoolean()) { .put("xpack.security.http.ssl.verification_mode", VerificationMode.CERTIFICATE)
// with http ssl settings .build();
secureSettings.setString("xpack.security.http.ssl.truststore.secure_password", "testnode");
settings = Settings.builder().put("xpack.security.http.ssl.certificate_authorities", certPath.toString())
.put("xpack.security.http.ssl.verification_mode", VerificationMode.CERTIFICATE).setSecureSettings(secureSettings)
.build();
} else {
// with global settings
secureSettings.setString("xpack.ssl.truststore.secure_password", "testnode");
settings = Settings.builder()
.put("xpack.ssl.certificate_authorities", certPath.toString())
.put("xpack.ssl.verification_mode", VerificationMode.CERTIFICATE)
.setSecureSettings(secureSettings)
.build();
}
CommandLineHttpClient client = new CommandLineHttpClient(settings, environment); CommandLineHttpClient client = new CommandLineHttpClient(settings, environment);
HttpResponse httpResponse = client.execute("GET", new URL("https://localhost:" + webServer.getPort() + "/test"), "u1", HttpResponse httpResponse = client.execute("GET", new URL("https://localhost:" + webServer.getPort() + "/test"), "u1",
new SecureString(new char[]{'p'}), () -> null, is -> responseBuilder(is)); new SecureString(new char[]{'p'}), () -> null, is -> responseBuilder(is));
@ -80,14 +67,14 @@ public class CommandLineHttpClientTests extends ESTestCase {
Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"); Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt");
Path keyPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem"); Path keyPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem");
MockSecureSettings secureSettings = new MockSecureSettings(); MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode"); secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode");
Settings settings = Settings.builder() Settings settings = Settings.builder()
.put("xpack.ssl.key", keyPath.toString()) .put("xpack.security.http.ssl.key", keyPath.toString())
.put("xpack.ssl.certificate", certPath.toString()) .put("xpack.security.http.ssl.certificate", certPath.toString())
.setSecureSettings(secureSettings) .setSecureSettings(secureSettings)
.build(); .build();
TestsSSLService sslService = new TestsSSLService(settings, environment); TestsSSLService sslService = new TestsSSLService(settings, environment);
return new MockWebServer(sslService.sslContext(), false); return new MockWebServer(sslService.sslContext("xpack.security.http.ssl."), false);
} }
private HttpResponseBuilder responseBuilder(final InputStream is) throws IOException { private HttpResponseBuilder responseBuilder(final InputStream is) throws IOException {

32
x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapTestUtils.java
View File

@ -13,7 +13,6 @@ import org.elasticsearch.common.settings.MockSecureSettings;
import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.env.Environment; import org.elasticsearch.env.Environment;
import org.elasticsearch.env.TestEnvironment; import org.elasticsearch.env.TestEnvironment;
import org.elasticsearch.test.ESTestCase;
import org.elasticsearch.xpack.core.security.authc.ldap.support.SessionFactorySettings; import org.elasticsearch.xpack.core.security.authc.ldap.support.SessionFactorySettings;
import org.elasticsearch.xpack.core.ssl.SSLConfiguration; import org.elasticsearch.xpack.core.ssl.SSLConfiguration;
import org.elasticsearch.xpack.core.ssl.SSLService; import org.elasticsearch.xpack.core.ssl.SSLService;
@ -29,26 +28,16 @@ public class LdapTestUtils {
} }
public static LDAPConnection openConnection(String url, String bindDN, String bindPassword, Path truststore) throws Exception { public static LDAPConnection openConnection(String url, String bindDN, String bindPassword, Path truststore) throws Exception {
boolean useGlobalSSL = ESTestCase.randomBoolean();
Settings.Builder builder = Settings.builder().put("path.home", LuceneTestCase.createTempDir()); Settings.Builder builder = Settings.builder().put("path.home", LuceneTestCase.createTempDir());
MockSecureSettings secureSettings = new MockSecureSettings(); MockSecureSettings secureSettings = new MockSecureSettings();
builder.setSecureSettings(secureSettings); builder.setSecureSettings(secureSettings);
if (useGlobalSSL) { // fake realms so ssl will get loaded
builder.put("xpack.ssl.truststore.path", truststore); builder.put("xpack.security.authc.realms.ldap.foo.ssl.truststore.path", truststore);
// fake realm to load config with certificate verification mode builder.put("xpack.security.authc.realms.ldap.foo.ssl.verification_mode", VerificationMode.FULL);
builder.put("xpack.security.authc.realms.ldap.bar.ssl.truststore.path", truststore); builder.put("xpack.security.authc.realms.ldap.bar.ssl.truststore.path", truststore);
builder.put("xpack.security.authc.realms.ldap.bar.ssl.verification_mode", VerificationMode.CERTIFICATE); builder.put("xpack.security.authc.realms.ldap.bar.ssl.verification_mode", VerificationMode.CERTIFICATE);
secureSettings.setString("xpack.ssl.truststore.secure_password", "changeit"); secureSettings.setString("xpack.security.authc.realms.ldap.foo.ssl.truststore.secure_password", "changeit");
secureSettings.setString("xpack.security.authc.realms.ldap.bar.ssl.truststore.secure_password", "changeit"); secureSettings.setString("xpack.security.authc.realms.ldap.bar.ssl.truststore.secure_password", "changeit");
} else {
// fake realms so ssl will get loaded
builder.put("xpack.security.authc.realms.ldap.foo.ssl.truststore.path", truststore);
builder.put("xpack.security.authc.realms.ldap.foo.ssl.verification_mode", VerificationMode.FULL);
builder.put("xpack.security.authc.realms.ldap.bar.ssl.truststore.path", truststore);
builder.put("xpack.security.authc.realms.ldap.bar.ssl.verification_mode", VerificationMode.CERTIFICATE);
secureSettings.setString("xpack.security.authc.realms.ldap.foo.ssl.truststore.secure_password", "changeit");
secureSettings.setString("xpack.security.authc.realms.ldap.bar.ssl.truststore.secure_password", "changeit");
}
Settings settings = builder.build(); Settings settings = builder.build();
Environment env = TestEnvironment.newEnvironment(settings); Environment env = TestEnvironment.newEnvironment(settings);
SSLService sslService = new SSLService(settings, env); SSLService sslService = new SSLService(settings, env);
@ -60,12 +49,7 @@ public class LdapTestUtils {
options.setConnectTimeoutMillis(Math.toIntExact(SessionFactorySettings.TIMEOUT_DEFAULT.millis())); options.setConnectTimeoutMillis(Math.toIntExact(SessionFactorySettings.TIMEOUT_DEFAULT.millis()));
options.setResponseTimeoutMillis(SessionFactorySettings.TIMEOUT_DEFAULT.millis()); options.setResponseTimeoutMillis(SessionFactorySettings.TIMEOUT_DEFAULT.millis());
final SSLConfiguration sslConfiguration; final SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.security.authc.realms.ldap.foo.ssl");
if (useGlobalSSL) {
sslConfiguration = sslService.getSSLConfiguration("xpack.ssl");
} else {
sslConfiguration = sslService.getSSLConfiguration("xpack.security.authc.realms.ldap.foo.ssl");
}
return LdapUtils.privilegedConnect(() -> new LDAPConnection(sslService.sslSocketFactory(sslConfiguration), options, return LdapUtils.privilegedConnect(() -> new LDAPConnection(sslService.sslSocketFactory(sslConfiguration), options,
ldapurl.getHost(), ldapurl.getPort(), bindDN, bindPassword)); ldapurl.getHost(), ldapurl.getPort(), bindDN, bindPassword));
} }

2
x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapUserSearchSessionFactoryTests.java
View File

@ -65,7 +65,7 @@ public class LdapUserSearchSessionFactoryTests extends LdapTestCase {
globalSettings = Settings.builder() globalSettings = Settings.builder()
.put("path.home", createTempDir()) .put("path.home", createTempDir())
.put("xpack.ssl.certificate_authorities", certPath) .put("xpack.security.transport.ssl.certificate_authorities", certPath)
.build(); .build();
sslService = new SSLService(globalSettings, env); sslService = new SSLService(globalSettings, env);
threadPool = new TestThreadPool("LdapUserSearchSessionFactoryTests"); threadPool = new TestThreadPool("LdapUserSearchSessionFactoryTests");

22
x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiAuthenticationTests.java
View File

@ -18,7 +18,6 @@ import org.elasticsearch.common.network.NetworkAddress;
import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.transport.TransportAddress; import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.http.HttpServerTransport; import org.elasticsearch.http.HttpServerTransport;
import org.elasticsearch.test.SecuritySettingsSource;
import org.elasticsearch.test.SecuritySingleNodeTestCase; import org.elasticsearch.test.SecuritySingleNodeTestCase;
import org.elasticsearch.transport.Transport; import org.elasticsearch.transport.Transport;
import org.elasticsearch.xpack.core.TestXPackTransportClient; import org.elasticsearch.xpack.core.TestXPackTransportClient;
@ -41,6 +40,7 @@ import java.util.List;
import java.util.Locale; import java.util.Locale;
import java.util.stream.Collectors; import java.util.stream.Collectors;
import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForNodePEMFiles;
import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForPEMFiles; import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForPEMFiles;
import static org.hamcrest.Matchers.containsString; import static org.hamcrest.Matchers.containsString;
import static org.hamcrest.Matchers.is; import static org.hamcrest.Matchers.is;
@ -60,17 +60,15 @@ public class PkiAuthenticationTests extends SecuritySingleNodeTestCase {
SSLClientAuth sslClientAuth = randomBoolean() ? SSLClientAuth.REQUIRED : SSLClientAuth.OPTIONAL; SSLClientAuth sslClientAuth = randomBoolean() ? SSLClientAuth.REQUIRED : SSLClientAuth.OPTIONAL;
Settings.Builder builder = Settings.builder() Settings.Builder builder = Settings.builder()
.put(super.nodeSettings()) .put(super.nodeSettings());
.put("xpack.security.http.ssl.enabled", true) addSSLSettingsForNodePEMFiles(builder, "xpack.security.http.", true);
builder.put("xpack.security.http.ssl.enabled", true)
.put("xpack.security.http.ssl.client_authentication", sslClientAuth) .put("xpack.security.http.ssl.client_authentication", sslClientAuth)
.put("xpack.security.authc.realms.file.file.order", "0") .put("xpack.security.authc.realms.file.file.order", "0")
.put("xpack.security.authc.realms.pki.pki1.order", "1") .put("xpack.security.authc.realms.pki.pki1.order", "1")
.put("xpack.security.authc.realms.pki.pki1.certificate_authorities", .put("xpack.security.authc.realms.pki.pki1.certificate_authorities",
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt")) getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"))
.put("xpack.security.authc.realms.pki.pki1.files.role_mapping", getDataPath("role_mapping.yml")); .put("xpack.security.authc.realms.pki.pki1.files.role_mapping", getDataPath("role_mapping.yml"));
SecuritySettingsSource.addSecureSettings(builder, secureSettings ->
secureSettings.setString("xpack.security.authc.realms.pki.pki1.truststore.secure_password", "truststore-testnode-only"));
return builder.build(); return builder.build();
} }
@ -158,13 +156,15 @@ public class PkiAuthenticationTests extends SecuritySingleNodeTestCase {
private TransportClient createTransportClient(Settings additionalSettings) { private TransportClient createTransportClient(Settings additionalSettings) {
Settings clientSettings = transportClientSettings(); Settings clientSettings = transportClientSettings();
if (additionalSettings.getByPrefix("xpack.ssl.").isEmpty() == false) { if (additionalSettings.getByPrefix("xpack.security.transport.ssl.").isEmpty() == false) {
clientSettings = clientSettings.filter(k -> k.startsWith("xpack.ssl.") == false); clientSettings = clientSettings.filter(k -> k.startsWith("xpack.security.transport.ssl.") == false);
} }
Settings.Builder builder = Settings.builder().put(clientSettings, false) Settings.Builder builder = Settings.builder()
.put(additionalSettings) .put("xpack.security.transport.ssl.enabled", true)
.put("cluster.name", node().settings().get("cluster.name")); .put(clientSettings, false)
.put(additionalSettings)
.put("cluster.name", node().settings().get("cluster.name"));
builder.remove(SecurityField.USER_SETTING.getKey()); builder.remove(SecurityField.USER_SETTING.getKey());
builder.remove("request.headers.Authorization"); builder.remove("request.headers.Authorization");
return new TestXPackTransportClient(builder.build(), LocalStateSecurity.class); return new TestXPackTransportClient(builder.build(), LocalStateSecurity.class);

12
x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiOptionalClientAuthTests.java
View File

@ -52,6 +52,9 @@ public class PkiOptionalClientAuthTests extends SecuritySingleNodeTestCase {
.put(super.nodeSettings()) .put(super.nodeSettings())
.put("xpack.security.http.ssl.enabled", true) .put("xpack.security.http.ssl.enabled", true)
.put("xpack.security.http.ssl.client_authentication", SSLClientAuth.OPTIONAL) .put("xpack.security.http.ssl.client_authentication", SSLClientAuth.OPTIONAL)
.put("xpack.security.http.ssl.keystore.path",
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"))
.put("xpack.security.http.ssl.keystore.password", "testnode")
.put("xpack.security.authc.realms.file.file.order", "0") .put("xpack.security.authc.realms.file.file.order", "0")
.put("xpack.security.authc.realms.pki.pki1.order", "1") .put("xpack.security.authc.realms.pki.pki1.order", "1")
.put("xpack.security.authc.realms.pki.pki1.truststore.path", .put("xpack.security.authc.realms.pki.pki1.truststore.path",
@ -59,10 +62,15 @@ public class PkiOptionalClientAuthTests extends SecuritySingleNodeTestCase {
.put("xpack.security.authc.realms.pki.pki1.files.role_mapping", getDataPath("role_mapping.yml")) .put("xpack.security.authc.realms.pki.pki1.files.role_mapping", getDataPath("role_mapping.yml"))
.put("transport.profiles.want_client_auth.port", randomClientPortRange) .put("transport.profiles.want_client_auth.port", randomClientPortRange)
.put("transport.profiles.want_client_auth.bind_host", "localhost") .put("transport.profiles.want_client_auth.bind_host", "localhost")
.put("transport.profiles.want_client_auth.xpack.security.ssl.keystore.path",
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"))
.put("transport.profiles.want_client_auth.xpack.security.ssl.keystore.password", "testnode")
.put("transport.profiles.want_client_auth.xpack.security.ssl.client_authentication", SSLClientAuth.OPTIONAL); .put("transport.profiles.want_client_auth.xpack.security.ssl.client_authentication", SSLClientAuth.OPTIONAL);
SecuritySettingsSource.addSecureSettings(builder, secureSettings -> SecuritySettingsSource.addSecureSettings(builder, secureSettings -> {
secureSettings.setString("xpack.security.authc.realms.pki.pki1.truststore.secure_password", "truststore-testnode-only")); secureSettings.setString("xpack.security.authc.realms.pki.pki1.truststore.secure_password", "truststore-testnode-only");
secureSettings.setString("xpack.security.http.ssl.keystore.secure_password", "testnode");
});
return builder.build(); return builder.build();
} }

11
x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java
View File

@ -123,19 +123,20 @@ public class SamlRealmTests extends SamlTestCase {
final Path path = getDataPath("idp1.xml"); final Path path = getDataPath("idp1.xml");
final String body = new String(Files.readAllBytes(path), StandardCharsets.UTF_8); final String body = new String(Files.readAllBytes(path), StandardCharsets.UTF_8);
final MockSecureSettings mockSecureSettings = new MockSecureSettings(); final MockSecureSettings mockSecureSettings = new MockSecureSettings();
mockSecureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode"); mockSecureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode");
final Settings settings = Settings.builder() final Settings settings = Settings.builder()
.put("xpack.ssl.key", .put("xpack.security.http.ssl.key",
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem")) getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem"))
.put("xpack.ssl.certificate", .put("xpack.security.http.ssl.certificate",
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt")) getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"))
.put("xpack.ssl.certificate_authorities", .put("xpack.security.http.ssl.certificate_authorities",
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt")) getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"))
.put("path.home", createTempDir()) .put("path.home", createTempDir())
.setSecureSettings(mockSecureSettings) .setSecureSettings(mockSecureSettings)
.build(); .build();
TestsSSLService sslService = new TestsSSLService(settings, TestEnvironment.newEnvironment(settings)); TestsSSLService sslService = new TestsSSLService(settings, TestEnvironment.newEnvironment(settings));
try (MockWebServer proxyServer = new MockWebServer(sslService.sslContext(Settings.EMPTY), false)) { try (MockWebServer proxyServer =
new MockWebServer(sslService.sslContext("xpack.security.http.ssl"), false)) {
proxyServer.start(); proxyServer.start();
proxyServer.enqueue(new MockResponse().setResponseCode(200).setBody(body).addHeader("Content-Type", "application/xml")); proxyServer.enqueue(new MockResponse().setResponseCode(200).setBody(body).addHeader("Content-Type", "application/xml"));
proxyServer.enqueue(new MockResponse().setResponseCode(200).setBody(body).addHeader("Content-Type", "application/xml")); proxyServer.enqueue(new MockResponse().setResponseCode(200).setBody(body).addHeader("Content-Type", "application/xml"));

20
x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/AbstractSimpleSecurityTransportTestCase.java
View File

@ -82,11 +82,11 @@ public abstract class AbstractSimpleSecurityTransportTestCase extends AbstractSi
Path testnodeCert = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"); Path testnodeCert = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt");
Path testnodeKey = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem"); Path testnodeKey = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem");
MockSecureSettings secureSettings = new MockSecureSettings(); MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode"); secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
Settings settings1 = Settings.builder() Settings settings1 = Settings.builder()
.put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.enabled", true)
.put("xpack.ssl.key", testnodeKey) .put("xpack.security.transport.ssl.key", testnodeKey)
.put("xpack.ssl.certificate", testnodeCert) .put("xpack.security.transport.ssl.certificate", testnodeCert)
.put("path.home", createTempDir()) .put("path.home", createTempDir())
.put(settings) .put(settings)
.setSecureSettings(secureSettings) .setSecureSettings(secureSettings)
@ -153,7 +153,7 @@ public abstract class AbstractSimpleSecurityTransportTestCase extends AbstractSi
@SuppressForbidden(reason = "Need to open socket connection") @SuppressForbidden(reason = "Need to open socket connection")
public void testRenegotiation() throws Exception { public void testRenegotiation() throws Exception {
SSLService sslService = createSSLService(); SSLService sslService = createSSLService();
final SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.ssl"); final SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
SocketFactory factory = sslService.sslSocketFactory(sslConfiguration); SocketFactory factory = sslService.sslSocketFactory(sslConfiguration);
try (SSLSocket socket = (SSLSocket) factory.createSocket()) { try (SSLSocket socket = (SSLSocket) factory.createSocket()) {
SocketAccess.doPrivileged(() -> socket.connect(serviceA.boundAddress().publishAddress().address())); SocketAccess.doPrivileged(() -> socket.connect(serviceA.boundAddress().publishAddress().address()));
@ -205,7 +205,7 @@ public abstract class AbstractSimpleSecurityTransportTestCase extends AbstractSi
assumeFalse("Can't run in a FIPS JVM, TrustAllConfig is not a SunJSSE TrustManagers", inFipsJvm()); assumeFalse("Can't run in a FIPS JVM, TrustAllConfig is not a SunJSSE TrustManagers", inFipsJvm());
SSLService sslService = createSSLService(); SSLService sslService = createSSLService();
final SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.ssl"); final SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
SSLContext sslContext = sslService.sslContext(sslConfiguration); SSLContext sslContext = sslService.sslContext(sslConfiguration);
final SSLServerSocketFactory serverSocketFactory = sslContext.getServerSocketFactory(); final SSLServerSocketFactory serverSocketFactory = sslContext.getServerSocketFactory();
final String sniIp = "sni-hostname"; final String sniIp = "sni-hostname";
@ -245,7 +245,9 @@ public abstract class AbstractSimpleSecurityTransportTestCase extends AbstractSi
InetSocketAddress serverAddress = (InetSocketAddress) SocketAccess.doPrivileged(sslServerSocket::getLocalSocketAddress); InetSocketAddress serverAddress = (InetSocketAddress) SocketAccess.doPrivileged(sslServerSocket::getLocalSocketAddress);
Settings settings = Settings.builder().put("name", "TS_TEST").put("xpack.ssl.verification_mode", "none").build(); Settings settings = Settings.builder().put("name", "TS_TEST")
.put("xpack.security.transport.ssl.verification_mode", "none")
.build();
try (MockTransportService serviceC = build(settings, version0, null, true)) { try (MockTransportService serviceC = build(settings, version0, null, true)) {
serviceC.acceptIncomingRequests(); serviceC.acceptIncomingRequests();
@ -271,7 +273,7 @@ public abstract class AbstractSimpleSecurityTransportTestCase extends AbstractSi
assumeFalse("Can't run in a FIPS JVM, TrustAllConfig is not a SunJSSE TrustManagers", inFipsJvm()); assumeFalse("Can't run in a FIPS JVM, TrustAllConfig is not a SunJSSE TrustManagers", inFipsJvm());
SSLService sslService = createSSLService(); SSLService sslService = createSSLService();
final SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.ssl"); final SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
SSLContext sslContext = sslService.sslContext(sslConfiguration); SSLContext sslContext = sslService.sslContext(sslConfiguration);
final SSLServerSocketFactory serverSocketFactory = sslContext.getServerSocketFactory(); final SSLServerSocketFactory serverSocketFactory = sslContext.getServerSocketFactory();
final String sniIp = "invalid_hostname"; final String sniIp = "invalid_hostname";
@ -290,7 +292,9 @@ public abstract class AbstractSimpleSecurityTransportTestCase extends AbstractSi
InetSocketAddress serverAddress = (InetSocketAddress) SocketAccess.doPrivileged(sslServerSocket::getLocalSocketAddress); InetSocketAddress serverAddress = (InetSocketAddress) SocketAccess.doPrivileged(sslServerSocket::getLocalSocketAddress);
Settings settings = Settings.builder().put("name", "TS_TEST").put("xpack.ssl.verification_mode", "none").build(); Settings settings = Settings.builder().put("name", "TS_TEST")
.put("xpack.security.transport.ssl.verification_mode", "none")
.build();
try (MockTransportService serviceC = build(settings, version0, null, true)) { try (MockTransportService serviceC = build(settings, version0, null, true)) {
serviceC.acceptIncomingRequests(); serviceC.acceptIncomingRequests();

76
x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ServerTransportFilterIntegrationTests.java
View File

@ -32,7 +32,6 @@ import org.elasticsearch.transport.TransportResponseHandler;
import org.elasticsearch.transport.TransportService; import org.elasticsearch.transport.TransportService;
import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.XPackSettings;
import org.elasticsearch.xpack.core.security.SecurityField; import org.elasticsearch.xpack.core.security.SecurityField;
import org.elasticsearch.xpack.core.ssl.SSLClientAuth;
import org.elasticsearch.xpack.security.LocalStateSecurity; import org.elasticsearch.xpack.security.LocalStateSecurity;
import org.junit.BeforeClass; import org.junit.BeforeClass;
@ -41,8 +40,10 @@ import java.nio.file.Files;
import java.nio.file.Path; import java.nio.file.Path;
import java.util.Arrays; import java.util.Arrays;
import java.util.Collection; import java.util.Collection;
import java.util.Collections;
import java.util.concurrent.CountDownLatch; import java.util.concurrent.CountDownLatch;
import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForNodePEMFiles;
import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForPEMFiles; import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForPEMFiles;
import static org.elasticsearch.xpack.security.test.SecurityTestUtils.writeFile; import static org.elasticsearch.xpack.security.test.SecurityTestUtils.writeFile;
import static org.hamcrest.CoreMatchers.equalTo; import static org.hamcrest.CoreMatchers.equalTo;
@ -63,13 +64,12 @@ public class ServerTransportFilterIntegrationTests extends SecurityIntegTestCase
@Override @Override
protected Settings nodeSettings(int nodeOrdinal) { protected Settings nodeSettings(int nodeOrdinal) {
Settings.Builder settingsBuilder = Settings.builder(); Settings.Builder settingsBuilder = Settings.builder().put(super.nodeSettings(nodeOrdinal));
String randomClientPortRange = randomClientPort + "-" + (randomClientPort+100); String randomClientPortRange = randomClientPort + "-" + (randomClientPort+100);
addSSLSettingsForNodePEMFiles(settingsBuilder, "transport.profiles.client.xpack.security.", true);
Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"); Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt");
settingsBuilder.put(super.nodeSettings(nodeOrdinal)) settingsBuilder.putList("transport.profiles.client.xpack.security.ssl.certificate_authorities",
.putList("transport.profiles.client.xpack.security.ssl.certificate_authorities", Collections.singletonList(certPath.toString())) // settings for client truststore
Arrays.asList(certPath.toString())) // settings for client truststore
.put("xpack.ssl.client_authentication", SSLClientAuth.REQUIRED)
.put("transport.profiles.client.xpack.security.type", "client") .put("transport.profiles.client.xpack.security.type", "client")
.put("transport.profiles.client.port", randomClientPortRange) .put("transport.profiles.client.port", randomClientPortRange)
// make sure this is "localhost", no matter if ipv4 or ipv6, but be consistent // make sure this is "localhost", no matter if ipv4 or ipv6, but be consistent
@ -82,7 +82,7 @@ public class ServerTransportFilterIntegrationTests extends SecurityIntegTestCase
} }
SecuritySettingsSource.addSecureSettings(settingsBuilder, secureSettings -> SecuritySettingsSource.addSecureSettings(settingsBuilder, secureSettings ->
secureSettings.setString("transport.profiles.client.xpack.security.ssl.truststore.secure_password", "testnode")); secureSettings.setString("transport.profiles.client.xpack.security.ssl.keystore.secure_password", "testnode"));
return settingsBuilder.build(); return settingsBuilder.build();
} }
@ -97,20 +97,20 @@ public class ServerTransportFilterIntegrationTests extends SecurityIntegTestCase
// test that starting up a node works // test that starting up a node works
Settings.Builder nodeSettings = Settings.builder() Settings.Builder nodeSettings = Settings.builder()
.put("node.name", "my-test-node") .put("node.name", "my-test-node")
.put("network.host", "localhost") .put("network.host", "localhost")
.put("cluster.name", internalCluster().getClusterName()) .put("cluster.name", internalCluster().getClusterName())
.put("discovery.zen.ping.unicast.hosts", unicastHost) .put("discovery.zen.ping.unicast.hosts", unicastHost)
.put("discovery.zen.minimum_master_nodes", .put("discovery.zen.minimum_master_nodes",
internalCluster().getInstance(Settings.class).get("discovery.zen.minimum_master_nodes")) internalCluster().getInstance(Settings.class).get("discovery.zen.minimum_master_nodes"))
.put("xpack.security.enabled", true) .put("xpack.security.enabled", true)
.put("xpack.security.audit.enabled", false) .put("xpack.security.audit.enabled", false)
.put(XPackSettings.WATCHER_ENABLED.getKey(), false) .put("xpack.security.transport.ssl.enabled", true)
.put("path.home", home) .put(XPackSettings.WATCHER_ENABLED.getKey(), false)
.put(Node.NODE_MASTER_SETTING.getKey(), false) .put("path.home", home)
.put(TestZenDiscovery.USE_ZEN2.getKey(), getUseZen2()) .put(Node.NODE_MASTER_SETTING.getKey(), false)
.put(TestZenDiscovery.USE_MOCK_PINGS.getKey(), false); .put(TestZenDiscovery.USE_ZEN2.getKey(), getUseZen2())
//.put("xpack.ml.autodetect_process", false); .put(TestZenDiscovery.USE_MOCK_PINGS.getKey(), false);
Collection<Class<? extends Plugin>> mockPlugins = Arrays.asList( Collection<Class<? extends Plugin>> mockPlugins = Arrays.asList(
LocalStateSecurity.class, TestZenDiscovery.TestPlugin.class, MockHttpTransport.TestPlugin.class); LocalStateSecurity.class, TestZenDiscovery.TestPlugin.class, MockHttpTransport.TestPlugin.class);
addSSLSettingsForPEMFiles( addSSLSettingsForPEMFiles(
@ -139,22 +139,22 @@ public class ServerTransportFilterIntegrationTests extends SecurityIntegTestCase
// test that starting up a node works // test that starting up a node works
Settings.Builder nodeSettings = Settings.builder() Settings.Builder nodeSettings = Settings.builder()
.put("xpack.security.authc.realms.file.file.order", 0) .put("xpack.security.authc.realms.file.file.order", 0)
.put("node.name", "my-test-node") .put("node.name", "my-test-node")
.put(SecurityField.USER_SETTING.getKey(), "test_user:" + SecuritySettingsSourceField.TEST_PASSWORD) .put(SecurityField.USER_SETTING.getKey(), "test_user:" + SecuritySettingsSourceField.TEST_PASSWORD)
.put("cluster.name", internalCluster().getClusterName()) .put("cluster.name", internalCluster().getClusterName())
.put("discovery.zen.ping.unicast.hosts", unicastHost) .put("discovery.zen.ping.unicast.hosts", unicastHost)
.put("discovery.zen.minimum_master_nodes", .put("discovery.zen.minimum_master_nodes",
internalCluster().getInstance(Settings.class).get("discovery.zen.minimum_master_nodes")) internalCluster().getInstance(Settings.class).get("discovery.zen.minimum_master_nodes"))
.put("xpack.security.enabled", true) .put("xpack.security.enabled", true)
.put("xpack.security.audit.enabled", false) .put("xpack.security.audit.enabled", false)
.put(XPackSettings.WATCHER_ENABLED.getKey(), false) .put("xpack.security.transport.ssl.enabled", true)
.put("discovery.initial_state_timeout", "0s") .put(XPackSettings.WATCHER_ENABLED.getKey(), false)
.put("path.home", home) .put("discovery.initial_state_timeout", "0s")
.put(Node.NODE_MASTER_SETTING.getKey(), false) .put("path.home", home)
.put(TestZenDiscovery.USE_ZEN2.getKey(), getUseZen2()) .put(Node.NODE_MASTER_SETTING.getKey(), false)
.put(TestZenDiscovery.USE_MOCK_PINGS.getKey(), false); .put(TestZenDiscovery.USE_ZEN2.getKey(), getUseZen2())
//.put("xpack.ml.autodetect_process", false); .put(TestZenDiscovery.USE_MOCK_PINGS.getKey(), false);
Collection<Class<? extends Plugin>> mockPlugins = Arrays.asList( Collection<Class<? extends Plugin>> mockPlugins = Arrays.asList(
LocalStateSecurity.class, TestZenDiscovery.TestPlugin.class, MockHttpTransport.TestPlugin.class); LocalStateSecurity.class, TestZenDiscovery.TestPlugin.class, MockHttpTransport.TestPlugin.class);
addSSLSettingsForPEMFiles( addSSLSettingsForPEMFiles(
@ -162,7 +162,7 @@ public class ServerTransportFilterIntegrationTests extends SecurityIntegTestCase
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem", "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem",
"testnode", "testnode",
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt", "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt",
Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt")); Collections.singletonList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"));
try (Node node = new MockNode(nodeSettings.build(), mockPlugins)) { try (Node node = new MockNode(nodeSettings.build(), mockPlugins)) {
node.start(); node.start();
TransportService instance = node.injector().getInstance(TransportService.class); TransportService instance = node.injector().getInstance(TransportService.class);

26
x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/IPHostnameVerificationTests.java
View File

@ -33,7 +33,7 @@ public class IPHostnameVerificationTests extends SecurityIntegTestCase {
protected Settings nodeSettings(int nodeOrdinal) { protected Settings nodeSettings(int nodeOrdinal) {
Settings settings = super.nodeSettings(nodeOrdinal); Settings settings = super.nodeSettings(nodeOrdinal);
Settings.Builder builder = Settings.builder() Settings.Builder builder = Settings.builder()
.put(settings.filter((s) -> s.startsWith("xpack.ssl.") == false), false); .put(settings.filter((s) -> s.startsWith("xpack.security.transport.ssl.") == false), false);
settings = builder.build(); settings = builder.build();
// The default Unicast test behavior is to use 'localhost' with the port number. For this test we need to use IP // The default Unicast test behavior is to use 'localhost' with the port number. For this test we need to use IP
@ -56,27 +56,27 @@ public class IPHostnameVerificationTests extends SecurityIntegTestCase {
} }
SecuritySettingsSource.addSecureSettings(settingsBuilder, secureSettings -> { SecuritySettingsSource.addSecureSettings(settingsBuilder, secureSettings -> {
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode-ip-only"); secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode-ip-only");
}); });
return settingsBuilder.put("xpack.ssl.key", keyPath.toAbsolutePath()) return settingsBuilder.put("xpack.security.transport.ssl.key", keyPath.toAbsolutePath())
.put("xpack.ssl.certificate", certPath.toAbsolutePath()) .put("xpack.security.transport.ssl.certificate", certPath.toAbsolutePath())
.put("xpack.ssl.certificate_authorities", certPath.toAbsolutePath()) .put("xpack.security.transport.ssl.certificate_authorities", certPath.toAbsolutePath())
.put(TransportSettings.BIND_HOST.getKey(), "127.0.0.1") .put(TransportSettings.BIND_HOST.getKey(), "127.0.0.1")
.put("network.host", "127.0.0.1") .put("network.host", "127.0.0.1")
.put("xpack.ssl.client_authentication", SSLClientAuth.NONE) .put("xpack.security.transport.ssl.client_authentication", SSLClientAuth.NONE)
.put("xpack.ssl.verification_mode", "full") .put("xpack.security.transport.ssl.verification_mode", "full")
.build(); .build();
} }
@Override @Override
protected Settings transportClientSettings() { protected Settings transportClientSettings() {
Settings clientSettings = super.transportClientSettings(); Settings clientSettings = super.transportClientSettings();
return Settings.builder().put(clientSettings.filter(k -> k.startsWith("xpack.ssl.") == false)) return Settings.builder().put(clientSettings.filter(k -> k.startsWith("xpack.security.transport.ssl.") == false))
.put("xpack.ssl.verification_mode", "certificate") .put("xpack.security.transport.ssl.verification_mode", "certificate")
.put("xpack.ssl.key", keyPath.toAbsolutePath()) .put("xpack.security.transport.ssl.key", keyPath.toAbsolutePath())
.put("xpack.ssl.certificate", certPath.toAbsolutePath()) .put("xpack.security.transport.ssl.certificate", certPath.toAbsolutePath())
.put("xpack.ssl.key_passphrase", "testnode-ip-only") .put("xpack.security.transport.ssl.key_passphrase", "testnode-ip-only")
.put("xpack.ssl.certificate_authorities", certPath) .put("xpack.security.transport.ssl.certificate_authorities", certPath)
.build(); .build();
} }

16
x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SecurityNetty4HttpServerTransportTests.java
View File

@ -42,15 +42,15 @@ public class SecurityNetty4HttpServerTransportTests extends ESTestCase {
private Path testnodeCert; private Path testnodeCert;
private Path testnodeKey; private Path testnodeKey;
@Before @Before
public void createSSLService() throws Exception { public void createSSLService() {
testnodeCert = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"); testnodeCert = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt");
testnodeKey = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem"); testnodeKey = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem");
MockSecureSettings secureSettings = new MockSecureSettings(); MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode"); secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode");
Settings settings = Settings.builder() Settings settings = Settings.builder()
.put("xpack.ssl.key", testnodeKey) .put("xpack.security.http.ssl.key", testnodeKey)
.put("xpack.ssl.certificate", testnodeCert) .put("xpack.security.http.ssl.certificate", testnodeCert)
.put("path.home", createTempDir()) .put("path.home", createTempDir())
.setSecureSettings(secureSettings) .setSecureSettings(secureSettings)
.build(); .build();
@ -149,7 +149,7 @@ public class SecurityNetty4HttpServerTransportTests extends ESTestCase {
public void testThatExceptionIsThrownWhenConfiguredWithoutSslKey() throws Exception { public void testThatExceptionIsThrownWhenConfiguredWithoutSslKey() throws Exception {
Settings settings = Settings.builder() Settings settings = Settings.builder()
.put("xpack.ssl.certificate_authorities", testnodeCert) .put("xpack.security.http.ssl.certificate_authorities", testnodeCert)
.put(XPackSettings.HTTP_SSL_ENABLED.getKey(), true) .put(XPackSettings.HTTP_SSL_ENABLED.getKey(), true)
.put("path.home", createTempDir()) .put("path.home", createTempDir())
.build(); .build();
@ -163,10 +163,10 @@ public class SecurityNetty4HttpServerTransportTests extends ESTestCase {
public void testNoExceptionWhenConfiguredWithoutSslKeySSLDisabled() throws Exception { public void testNoExceptionWhenConfiguredWithoutSslKeySSLDisabled() throws Exception {
MockSecureSettings secureSettings = new MockSecureSettings(); MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode"); secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode");
Settings settings = Settings.builder() Settings settings = Settings.builder()
.put("xpack.ssl.key", testnodeKey) .put("xpack.security.http.ssl.key", testnodeKey)
.put("xpack.ssl.certificate", testnodeCert) .put("xpack.security.http.ssl.certificate", testnodeCert)
.setSecureSettings(secureSettings) .setSecureSettings(secureSettings)
.put("path.home", createTempDir()) .put("path.home", createTempDir())
.build(); .build();

46
x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SecurityNetty4ServerTransportTests.java
View File

@ -21,11 +21,9 @@ import org.elasticsearch.test.ESTestCase;
import org.elasticsearch.threadpool.ThreadPool; import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.xpack.core.security.transport.netty4.SecurityNetty4Transport; import org.elasticsearch.xpack.core.security.transport.netty4.SecurityNetty4Transport;
import org.elasticsearch.xpack.core.ssl.SSLClientAuth; import org.elasticsearch.xpack.core.ssl.SSLClientAuth;
import org.elasticsearch.xpack.core.ssl.SSLConfiguration;
import org.elasticsearch.xpack.core.ssl.SSLService; import org.elasticsearch.xpack.core.ssl.SSLService;
import org.junit.Before; import org.junit.Before;
import javax.net.ssl.SSLEngine;
import java.nio.file.Path; import java.nio.file.Path;
import java.util.Collections; import java.util.Collections;
import java.util.Locale; import java.util.Locale;
@ -44,11 +42,11 @@ public class SecurityNetty4ServerTransportTests extends ESTestCase {
Path testnodeCert = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"); Path testnodeCert = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt");
Path testnodeKey = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem"); Path testnodeKey = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem");
MockSecureSettings secureSettings = new MockSecureSettings(); MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode"); secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
Settings settings = Settings.builder() Settings settings = Settings.builder()
.put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.enabled", true)
.put("xpack.ssl.key", testnodeKey) .put("xpack.security.transport.ssl.key", testnodeKey)
.put("xpack.ssl.certificate", testnodeCert) .put("xpack.security.transport.ssl.certificate", testnodeCert)
.setSecureSettings(secureSettings) .setSecureSettings(secureSettings)
.put("path.home", createTempDir()) .put("path.home", createTempDir())
.build(); .build();
@ -97,7 +95,7 @@ public class SecurityNetty4ServerTransportTests extends ESTestCase {
String value = randomFrom(SSLClientAuth.REQUIRED.name(), SSLClientAuth.REQUIRED.name().toLowerCase(Locale.ROOT)); String value = randomFrom(SSLClientAuth.REQUIRED.name(), SSLClientAuth.REQUIRED.name().toLowerCase(Locale.ROOT));
Settings settings = Settings.builder() Settings settings = Settings.builder()
.put(env.settings()) .put(env.settings())
.put("xpack.ssl.client_authentication", value) .put("xpack.security.transport.ssl.client_authentication", value)
.build(); .build();
sslService = new SSLService(settings, env); sslService = new SSLService(settings, env);
SecurityNetty4Transport transport = createTransport(settings); SecurityNetty4Transport transport = createTransport(settings);
@ -111,7 +109,7 @@ public class SecurityNetty4ServerTransportTests extends ESTestCase {
String value = randomFrom(SSLClientAuth.NONE.name(), SSLClientAuth.NONE.name().toLowerCase(Locale.ROOT)); String value = randomFrom(SSLClientAuth.NONE.name(), SSLClientAuth.NONE.name().toLowerCase(Locale.ROOT));
Settings settings = Settings.builder() Settings settings = Settings.builder()
.put(env.settings()) .put(env.settings())
.put("xpack.ssl.client_authentication", value) .put("xpack.security.transport.ssl.client_authentication", value)
.build(); .build();
sslService = new SSLService(settings, env); sslService = new SSLService(settings, env);
SecurityNetty4Transport transport = createTransport(settings); SecurityNetty4Transport transport = createTransport(settings);
@ -125,7 +123,7 @@ public class SecurityNetty4ServerTransportTests extends ESTestCase {
String value = randomFrom(SSLClientAuth.OPTIONAL.name(), SSLClientAuth.OPTIONAL.name().toLowerCase(Locale.ROOT)); String value = randomFrom(SSLClientAuth.OPTIONAL.name(), SSLClientAuth.OPTIONAL.name().toLowerCase(Locale.ROOT));
Settings settings = Settings.builder() Settings settings = Settings.builder()
.put(env.settings()) .put(env.settings())
.put("xpack.ssl.client_authentication", value) .put("xpack.security.transport.ssl.client_authentication", value)
.build(); .build();
sslService = new SSLService(settings, env); sslService = new SSLService(settings, env);
SecurityNetty4Transport transport = createTransport(settings); SecurityNetty4Transport transport = createTransport(settings);
@ -179,36 +177,4 @@ public class SecurityNetty4ServerTransportTests extends ESTestCase {
assertThat(ch.pipeline().get(SslHandler.class).engine().getNeedClientAuth(), is(false)); assertThat(ch.pipeline().get(SslHandler.class).engine().getNeedClientAuth(), is(false));
assertThat(ch.pipeline().get(SslHandler.class).engine().getWantClientAuth(), is(true)); assertThat(ch.pipeline().get(SslHandler.class).engine().getWantClientAuth(), is(true));
} }
public void testTransportSSLOverridesGlobalSSL() throws Exception {
MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
Settings.Builder builder = Settings.builder()
.put("xpack.security.transport.ssl.enabled", true)
.put("xpack.security.transport.ssl.key",
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem"))
.put("xpack.security.transport.ssl.certificate",
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"))
.put("xpack.security.transport.ssl.client_authentication", "none")
.put("xpack.ssl.certificate_authorities",
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"))
.setSecureSettings(secureSettings)
.put("path.home", createTempDir());
Settings settings = builder.build();
env = TestEnvironment.newEnvironment(settings);
sslService = new SSLService(settings, env);
SecurityNetty4Transport transport = createTransport(settings);
final ChannelHandler handler = transport.getServerChannelInitializer("default");
final EmbeddedChannel ch = new EmbeddedChannel(handler);
final SSLEngine engine = ch.pipeline().get(SslHandler.class).engine();
assertFalse(engine.getNeedClientAuth());
assertFalse(engine.getWantClientAuth());
// get the global and verify that it is different in that it requires client auth
SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.ssl");
assertNotNull(configuration);
final SSLEngine globalEngine = sslService.createSSLEngine(configuration, null, -1);
assertTrue(globalEngine.getNeedClientAuth());
assertFalse(globalEngine.getWantClientAuth());
}
} }

31
x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SslHostnameVerificationTests.java
View File

@ -35,7 +35,7 @@ public class SslHostnameVerificationTests extends SecurityIntegTestCase {
protected Settings nodeSettings(int nodeOrdinal) { protected Settings nodeSettings(int nodeOrdinal) {
Settings settings = super.nodeSettings(nodeOrdinal); Settings settings = super.nodeSettings(nodeOrdinal);
Settings.Builder settingsBuilder = Settings.builder(); Settings.Builder settingsBuilder = Settings.builder();
settingsBuilder.put(settings.filter(k -> k.startsWith("xpack.ssl.") == false), false); settingsBuilder.put(settings.filter(k -> k.startsWith("xpack.security.transport.ssl.") == false), false);
Path keyPath; Path keyPath;
Path certPath; Path certPath;
Path nodeCertPath; Path nodeCertPath;
@ -58,14 +58,15 @@ public class SslHostnameVerificationTests extends SecurityIntegTestCase {
} }
SecuritySettingsSource.addSecureSettings(settingsBuilder, secureSettings -> { SecuritySettingsSource.addSecureSettings(settingsBuilder, secureSettings -> {
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode-no-subjaltname"); secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode-no-subjaltname");
}); });
return settingsBuilder.put("xpack.ssl.key", keyPath.toAbsolutePath()) return settingsBuilder.put("xpack.security.transport.ssl.key", keyPath.toAbsolutePath())
.put("xpack.ssl.certificate", certPath.toAbsolutePath()) .put("xpack.security.transport.ssl.certificate", certPath.toAbsolutePath())
.putList("xpack.ssl.certificate_authorities", Arrays.asList(certPath.toString(), nodeCertPath.toString())) .putList("xpack.security.transport.ssl.certificate_authorities",
// disable hostname verification as this test uses certs without a valid SAN or DNS in the CN Arrays.asList(certPath.toString(), nodeCertPath.toString()))
.put("xpack.ssl.verification_mode", "certificate") // disable hostname verification as this test uses certs without a valid SAN or DNS in the CN
.build(); .put("xpack.security.transport.ssl.verification_mode", "certificate")
.build();
} }
@Override @Override
@ -89,13 +90,13 @@ public class SslHostnameVerificationTests extends SecurityIntegTestCase {
Settings settings = super.transportClientSettings(); Settings settings = super.transportClientSettings();
// remove all ssl settings // remove all ssl settings
Settings.Builder builder = Settings.builder(); Settings.Builder builder = Settings.builder();
builder.put(settings.filter( k -> k.startsWith("xpack.ssl.") == false), false); builder.put(settings.filter(k -> k.startsWith("xpack.security.transport.ssl.") == false), false);
builder.put("xpack.ssl.verification_mode", "certificate") builder.put("xpack.security.transport.ssl.verification_mode", "certificate")
.put("xpack.ssl.key", keyPath.toAbsolutePath()) .put("xpack.security.transport.ssl.key", keyPath.toAbsolutePath())
.put("xpack.ssl.key_passphrase", "testnode-no-subjaltname") .put("xpack.security.transport.ssl.key_passphrase", "testnode-no-subjaltname")
.put("xpack.ssl.certificate", certPath.toAbsolutePath()) .put("xpack.security.transport.ssl.certificate", certPath.toAbsolutePath())
.putList("xpack.ssl.certificate_authorities", Arrays.asList(certPath.toString(), nodeCertPath.toString())); .putList("xpack.security.transport.ssl.certificate_authorities", Arrays.asList(certPath.toString(), nodeCertPath.toString()));
return builder.build(); return builder.build();
} }
@ -105,7 +106,7 @@ public class SslHostnameVerificationTests extends SecurityIntegTestCase {
InetSocketAddress inetSocketAddress = transportAddress.address(); InetSocketAddress inetSocketAddress = transportAddress.address();
Settings settings = Settings.builder().put(transportClientSettings()) Settings settings = Settings.builder().put(transportClientSettings())
.put("xpack.ssl.verification_mode", "full") .put("xpack.security.transport.ssl.verification_mode", "full")
.build(); .build();
try (TransportClient client = new TestXPackTransportClient(settings, LocalStateSecurity.class)) { try (TransportClient client = new TestXPackTransportClient(settings, LocalStateSecurity.class)) {

14
x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/nio/SecurityNioHttpServerTransportTests.java
View File

@ -52,10 +52,10 @@ public class SecurityNioHttpServerTransportTests extends ESTestCase {
Path testNodeKey = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem"); Path testNodeKey = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem");
Path testNodeCert = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"); Path testNodeCert = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt");
MockSecureSettings secureSettings = new MockSecureSettings(); MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode"); secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode");
Settings settings = Settings.builder() Settings settings = Settings.builder()
.put("xpack.ssl.key", testNodeKey) .put("xpack.security.http.ssl.key", testNodeKey)
.put("xpack.ssl.certificate", testNodeCert) .put("xpack.security.http.ssl.certificate", testNodeCert)
.put("path.home", createTempDir()) .put("path.home", createTempDir())
.setSecureSettings(secureSettings) .setSecureSettings(secureSettings)
.build(); .build();
@ -173,9 +173,9 @@ public class SecurityNioHttpServerTransportTests extends ESTestCase {
public void testThatExceptionIsThrownWhenConfiguredWithoutSslKey() { public void testThatExceptionIsThrownWhenConfiguredWithoutSslKey() {
MockSecureSettings secureSettings = new MockSecureSettings(); MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.truststore.secure_password", "testnode"); secureSettings.setString("xpack.security.http.ssl.truststore.secure_password", "testnode");
Settings settings = Settings.builder() Settings settings = Settings.builder()
.put("xpack.ssl.truststore.path", .put("xpack.security.http.ssl.truststore.path",
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks")) getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"))
.setSecureSettings(secureSettings) .setSecureSettings(secureSettings)
.put(XPackSettings.HTTP_SSL_ENABLED.getKey(), true) .put(XPackSettings.HTTP_SSL_ENABLED.getKey(), true)
@ -193,9 +193,9 @@ public class SecurityNioHttpServerTransportTests extends ESTestCase {
public void testNoExceptionWhenConfiguredWithoutSslKeySSLDisabled() { public void testNoExceptionWhenConfiguredWithoutSslKeySSLDisabled() {
MockSecureSettings secureSettings = new MockSecureSettings(); MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.truststore.secure_password", "testnode"); secureSettings.setString("xpack.security.http.ssl.truststore.secure_password", "testnode");
Settings settings = Settings.builder() Settings settings = Settings.builder()
.put("xpack.ssl.truststore.path", .put("xpack.security.http.ssl.truststore.path",
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks")) getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"))
.setSecureSettings(secureSettings) .setSecureSettings(secureSettings)
.put("path.home", createTempDir()) .put("path.home", createTempDir())

24
x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/EllipticCurveSSLTests.java
View File

@ -42,11 +42,13 @@ public class EllipticCurveSSLTests extends SecurityIntegTestCase {
final Path keyPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/prime256v1-key.pem"); final Path keyPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/prime256v1-key.pem");
final Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/prime256v1-cert.pem"); final Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/prime256v1-cert.pem");
return Settings.builder() return Settings.builder()
.put(super.nodeSettings(nodeOrdinal).filter(s -> s.startsWith("xpack.ssl") == false)) .put(super.nodeSettings(nodeOrdinal).filter(s -> s.startsWith("xpack.security.transport.ssl") == false))
.put("xpack.ssl.key", keyPath) .put("xpack.security.transport.ssl.enabled", true)
.put("xpack.ssl.certificate", certPath) .put("xpack.security.transport.ssl.key", keyPath)
.put("xpack.ssl.certificate_authorities", certPath) .put("xpack.security.transport.ssl.certificate", certPath)
.put("xpack.ssl.verification_mode", "certificate") // disable hostname verificate since these certs aren't setup for that .put("xpack.security.transport.ssl.certificate_authorities", certPath)
// disable hostname verificate since these certs aren't setup for that
.put("xpack.security.transport.ssl.verification_mode", "certificate")
.build(); .build();
} }
@ -55,11 +57,13 @@ public class EllipticCurveSSLTests extends SecurityIntegTestCase {
final Path keyPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/prime256v1-key.pem"); final Path keyPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/prime256v1-key.pem");
final Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/prime256v1-cert.pem"); final Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/prime256v1-cert.pem");
return Settings.builder() return Settings.builder()
.put(super.transportClientSettings().filter(s -> s.startsWith("xpack.ssl") == false)) .put(super.transportClientSettings().filter(s -> s.startsWith("xpack.security.transport.ssl") == false))
.put("xpack.ssl.key", keyPath) .put("xpack.security.transport.ssl.enabled", true)
.put("xpack.ssl.certificate", certPath) .put("xpack.security.transport.ssl.key", keyPath)
.put("xpack.ssl.certificate_authorities", certPath) .put("xpack.security.transport.ssl.certificate", certPath)
.put("xpack.ssl.verification_mode", "certificate") // disable hostname verification since these certs aren't setup for that .put("xpack.security.transport.ssl.certificate_authorities", certPath)
// disable hostname verificate since these certs aren't setup for that
.put("xpack.security.transport.ssl.verification_mode", "certificate")
.build(); .build();
} }

13
x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/SslIntegrationTests.java
View File

@ -48,6 +48,7 @@ import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException; import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory; import javax.net.ssl.TrustManagerFactory;
import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForNodePEMFiles;
import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForPEMFiles; import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForPEMFiles;
import static org.hamcrest.CoreMatchers.is; import static org.hamcrest.CoreMatchers.is;
import static org.hamcrest.Matchers.containsString; import static org.hamcrest.Matchers.containsString;
@ -61,8 +62,9 @@ public class SslIntegrationTests extends SecurityIntegTestCase {
@Override @Override
protected Settings nodeSettings(int nodeOrdinal) { protected Settings nodeSettings(int nodeOrdinal) {
return Settings.builder().put(super.nodeSettings(nodeOrdinal)) final Settings.Builder builder = Settings.builder().put(super.nodeSettings(nodeOrdinal));
.put("xpack.security.http.ssl.enabled", true).build(); addSSLSettingsForNodePEMFiles(builder, "xpack.security.http.", randomBoolean());
return builder.put("xpack.security.http.ssl.enabled", true).build();
} }
@Override @Override
@ -82,7 +84,7 @@ public class SslIntegrationTests extends SecurityIntegTestCase {
.put(transportClientSettings()) .put(transportClientSettings())
.put("node.name", "programmatic_transport_client") .put("node.name", "programmatic_transport_client")
.put("cluster.name", internalCluster().getClusterName()) .put("cluster.name", internalCluster().getClusterName())
.putList("xpack.ssl.cipher_suites", unconfiguredCiphers) .putList("xpack.security.transport.ssl.cipher_suites", unconfiguredCiphers)
.build(), LocalStateSecurity.class)) { .build(), LocalStateSecurity.class)) {
TransportAddress transportAddress = randomFrom(internalCluster().getInstance(Transport.class).boundAddress().boundAddresses()); TransportAddress transportAddress = randomFrom(internalCluster().getInstance(Transport.class).boundAddress().boundAddresses());
@ -101,7 +103,7 @@ public class SslIntegrationTests extends SecurityIntegTestCase {
.put(transportClientSettings()) .put(transportClientSettings())
.put("node.name", "programmatic_transport_client") .put("node.name", "programmatic_transport_client")
.put("cluster.name", internalCluster().getClusterName()) .put("cluster.name", internalCluster().getClusterName())
.putList("xpack.ssl.supported_protocols", new String[]{"SSLv3"}) .putList("xpack.security.transport.ssl.supported_protocols", new String[]{"SSLv3"})
.build(), LocalStateSecurity.class)) { .build(), LocalStateSecurity.class)) {
TransportAddress transportAddress = randomFrom(internalCluster().getInstance(Transport.class).boundAddress().boundAddresses()); TransportAddress transportAddress = randomFrom(internalCluster().getInstance(Transport.class).boundAddress().boundAddresses());
@ -120,13 +122,14 @@ public class SslIntegrationTests extends SecurityIntegTestCase {
builder, "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.pem", builder, "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.pem",
"testclient", "testclient",
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt", "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt",
"xpack.security.http.",
Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt")); Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"));
SSLService service = new SSLService(builder.build(), null); SSLService service = new SSLService(builder.build(), null);
CredentialsProvider provider = new BasicCredentialsProvider(); CredentialsProvider provider = new BasicCredentialsProvider();
provider.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials(nodeClientUsername(), provider.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials(nodeClientUsername(),
new String(nodeClientPassword().getChars()))); new String(nodeClientPassword().getChars())));
SSLConfiguration sslConfiguration = service.getSSLConfiguration("xpack.ssl"); SSLConfiguration sslConfiguration = service.getSSLConfiguration("xpack.security.http.ssl");
try (CloseableHttpClient client = HttpClients.custom() try (CloseableHttpClient client = HttpClients.custom()
.setSSLSocketFactory(new SSLConnectionSocketFactory(service.sslSocketFactory(sslConfiguration), .setSSLSocketFactory(new SSLConnectionSocketFactory(service.sslSocketFactory(sslConfiguration),
SSLConnectionSocketFactory.getDefaultHostnameVerifier())) SSLConnectionSocketFactory.getDefaultHostnameVerifier()))

35
x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/SslMultiPortTests.java
View File

@ -24,6 +24,7 @@ import java.util.Arrays;
import java.util.Collections; import java.util.Collections;
import static org.elasticsearch.test.SecuritySettingsSource.TEST_USER_NAME; import static org.elasticsearch.test.SecuritySettingsSource.TEST_USER_NAME;
import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForNodePEMFiles;
import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForPEMFiles; import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForPEMFiles;
import static org.elasticsearch.test.SecuritySettingsSourceField.TEST_PASSWORD; import static org.elasticsearch.test.SecuritySettingsSourceField.TEST_PASSWORD;
import static org.hamcrest.CoreMatchers.is; import static org.hamcrest.CoreMatchers.is;
@ -61,17 +62,17 @@ public class SslMultiPortTests extends SecurityIntegTestCase {
throw new RuntimeException(e); throw new RuntimeException(e);
} }
Settings settings = Settings.builder() Settings.Builder builder = Settings.builder().put(super.nodeSettings(nodeOrdinal));
.put(super.nodeSettings(nodeOrdinal)) addSSLSettingsForNodePEMFiles(builder, "transport.profiles.client.xpack.security.", true);
// client set up here builder.put("transport.profiles.client.port", randomClientPortRange)
.put("transport.profiles.client.port", randomClientPortRange)
// make sure this is "localhost", no matter if ipv4 or ipv6, but be consistent // make sure this is "localhost", no matter if ipv4 or ipv6, but be consistent
.put("transport.profiles.client.bind_host", "localhost") .put("transport.profiles.client.bind_host", "localhost")
.put("transport.profiles.client.xpack.security.ssl.certificate_authorities", trustCert.toAbsolutePath()) .put("transport.profiles.client.xpack.security.ssl.certificate_authorities", trustCert.toAbsolutePath());
.put("transport.profiles.no_client_auth.port", randomNoClientAuthPortRange) addSSLSettingsForNodePEMFiles(builder, "transport.profiles.no_client_auth.xpack.security.", true);
builder.put("transport.profiles.no_client_auth.port", randomNoClientAuthPortRange)
.put("transport.profiles.no_client_auth.bind_host", "localhost") .put("transport.profiles.no_client_auth.bind_host", "localhost")
.put("transport.profiles.no_client_auth.xpack.security.ssl.client_authentication", SSLClientAuth.NONE) .put("transport.profiles.no_client_auth.xpack.security.ssl.client_authentication", SSLClientAuth.NONE);
.build(); final Settings settings = builder.build();
logger.info("node {} settings:\n{}", nodeOrdinal, settings); logger.info("node {} settings:\n{}", nodeOrdinal, settings);
return settings; return settings;
} }
@ -83,7 +84,7 @@ public class SslMultiPortTests extends SecurityIntegTestCase {
private TransportClient createTransportClient(Settings additionalSettings) { private TransportClient createTransportClient(Settings additionalSettings) {
Settings settings = Settings.builder() Settings settings = Settings.builder()
.put(transportClientSettings().filter(s -> s.startsWith("xpack.ssl") == false)) .put(transportClientSettings().filter(s -> s.startsWith("xpack.security.transport.ssl") == false))
.put("node.name", "programmatic_transport_client") .put("node.name", "programmatic_transport_client")
.put("cluster.name", internalCluster().getClusterName()) .put("cluster.name", internalCluster().getClusterName())
.put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.enabled", true)
@ -270,7 +271,7 @@ public class SslMultiPortTests extends SecurityIntegTestCase {
.put(SecurityField.USER_SETTING.getKey(), TEST_USER_NAME + ":" + TEST_PASSWORD) .put(SecurityField.USER_SETTING.getKey(), TEST_USER_NAME + ":" + TEST_PASSWORD)
.put("cluster.name", internalCluster().getClusterName()) .put("cluster.name", internalCluster().getClusterName())
.put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.enabled", true)
.put("xpack.ssl.certificate_authorities", .put("xpack.security.transport.ssl.certificate_authorities",
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt")) getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"))
.build(); .build();
try (TransportClient transportClient = new TestXPackTransportClient(settings, try (TransportClient transportClient = new TestXPackTransportClient(settings,
@ -290,8 +291,8 @@ public class SslMultiPortTests extends SecurityIntegTestCase {
.put(SecurityField.USER_SETTING.getKey(), TEST_USER_NAME + ":" + TEST_PASSWORD) .put(SecurityField.USER_SETTING.getKey(), TEST_USER_NAME + ":" + TEST_PASSWORD)
.put("cluster.name", internalCluster().getClusterName()) .put("cluster.name", internalCluster().getClusterName())
.put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.enabled", true)
.put("xpack.ssl.client_authentication", SSLClientAuth.REQUIRED) .put("xpack.security.transport.ssl.client_authentication", SSLClientAuth.REQUIRED)
.put("xpack.ssl.certificate_authorities", .put("xpack.security.transport.ssl.certificate_authorities",
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt")) getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"))
.build(); .build();
try (TransportClient transportClient = new TestXPackTransportClient(settings, try (TransportClient transportClient = new TestXPackTransportClient(settings,
@ -314,8 +315,8 @@ public class SslMultiPortTests extends SecurityIntegTestCase {
.put(SecurityField.USER_SETTING.getKey(), TEST_USER_NAME + ":" + TEST_PASSWORD) .put(SecurityField.USER_SETTING.getKey(), TEST_USER_NAME + ":" + TEST_PASSWORD)
.put("cluster.name", internalCluster().getClusterName()) .put("cluster.name", internalCluster().getClusterName())
.put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.enabled", true)
.put("xpack.ssl.client_authentication", SSLClientAuth.REQUIRED) .put("xpack.security.transport.ssl.client_authentication", SSLClientAuth.REQUIRED)
.put("xpack.ssl.certificate_authorities", .put("xpack.security.transport.ssl.certificate_authorities",
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt")) getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"))
.build(); .build();
try (TransportClient transportClient = new TestXPackTransportClient(settings, try (TransportClient transportClient = new TestXPackTransportClient(settings,
@ -337,7 +338,7 @@ public class SslMultiPortTests extends SecurityIntegTestCase {
Settings settings = Settings.builder() Settings settings = Settings.builder()
.put(SecurityField.USER_SETTING.getKey(), TEST_USER_NAME + ":" + TEST_PASSWORD) .put(SecurityField.USER_SETTING.getKey(), TEST_USER_NAME + ":" + TEST_PASSWORD)
.put("cluster.name", internalCluster().getClusterName()) .put("cluster.name", internalCluster().getClusterName())
.put("xpack.ssl.client_authentication", SSLClientAuth.REQUIRED) .put("xpack.security.transport.ssl.client_authentication", SSLClientAuth.REQUIRED)
.put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.enabled", true)
.build(); .build();
try (TransportClient transportClient = new TestXPackTransportClient(settings, try (TransportClient transportClient = new TestXPackTransportClient(settings,
@ -359,7 +360,7 @@ public class SslMultiPortTests extends SecurityIntegTestCase {
Settings settings = Settings.builder() Settings settings = Settings.builder()
.put(SecurityField.USER_SETTING.getKey(), TEST_USER_NAME + ":" + TEST_PASSWORD) .put(SecurityField.USER_SETTING.getKey(), TEST_USER_NAME + ":" + TEST_PASSWORD)
.put("cluster.name", internalCluster().getClusterName()) .put("cluster.name", internalCluster().getClusterName())
.put("xpack.ssl.client_authentication", SSLClientAuth.REQUIRED) .put("xpack.security.transport.ssl.client_authentication", SSLClientAuth.REQUIRED)
.put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.enabled", true)
.build(); .build();
try (TransportClient transportClient = new TestXPackTransportClient(settings, try (TransportClient transportClient = new TestXPackTransportClient(settings,
@ -381,7 +382,7 @@ public class SslMultiPortTests extends SecurityIntegTestCase {
Settings settings = Settings.builder() Settings settings = Settings.builder()
.put(SecurityField.USER_SETTING.getKey(), TEST_USER_NAME + ":" + TEST_PASSWORD) .put(SecurityField.USER_SETTING.getKey(), TEST_USER_NAME + ":" + TEST_PASSWORD)
.put("cluster.name", internalCluster().getClusterName()) .put("cluster.name", internalCluster().getClusterName())
.put("xpack.ssl.client_authentication", SSLClientAuth.REQUIRED) .put("xpack.security.transport.ssl.client_authentication", SSLClientAuth.REQUIRED)
.put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.enabled", true)
.build(); .build();
try (TransportClient transportClient = new TestXPackTransportClient(settings, try (TransportClient transportClient = new TestXPackTransportClient(settings,

63
x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLClientAuthTests.java
View File

@ -17,6 +17,7 @@ import org.elasticsearch.client.Response;
import org.elasticsearch.client.RestClient; import org.elasticsearch.client.RestClient;
import org.elasticsearch.client.transport.TransportClient; import org.elasticsearch.client.transport.TransportClient;
import org.elasticsearch.common.settings.MockSecureSettings; import org.elasticsearch.common.settings.MockSecureSettings;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.transport.TransportAddress; import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.test.SecurityIntegTestCase; import org.elasticsearch.test.SecurityIntegTestCase;
@ -31,14 +32,17 @@ import org.elasticsearch.xpack.security.LocalStateSecurity;
import javax.net.ssl.KeyManager; import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext; import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager; import javax.net.ssl.TrustManager;
import java.io.ByteArrayOutputStream;
import java.io.IOException; import java.io.IOException;
import java.io.InputStream;
import java.io.UncheckedIOException;
import java.nio.file.Files; import java.nio.file.Files;
import java.nio.file.Path; import java.nio.file.Path;
import java.security.SecureRandom; import java.security.SecureRandom;
import java.security.cert.CertPathBuilderException; import java.security.cert.CertPathBuilderException;
import java.util.Arrays; import java.util.Arrays;
import java.util.Collections; import java.util.Collections;
import java.util.HashSet;
import static org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue; import static org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
import static org.hamcrest.Matchers.containsString; import static org.hamcrest.Matchers.containsString;
@ -54,13 +58,41 @@ public class SSLClientAuthTests extends SecurityIntegTestCase {
@Override @Override
protected Settings nodeSettings(int nodeOrdinal) { protected Settings nodeSettings(int nodeOrdinal) {
return Settings.builder() Settings baseSettings = super.nodeSettings(nodeOrdinal);
.put(super.nodeSettings(nodeOrdinal))
Settings.Builder builder = Settings.builder().put(baseSettings);
baseSettings.getByPrefix("xpack.security.transport.ssl.")
.keySet()
.forEach(k -> {
String httpKey = "xpack.security.http.ssl." + k;
String value = baseSettings.get("xpack.security.transport.ssl." + k);
if (value != null) {
builder.put(httpKey, baseSettings.get("xpack.security.transport.ssl." + k));
}
});
MockSecureSettings secureSettings = (MockSecureSettings) builder.getSecureSettings();
for (String key : new HashSet<>(secureSettings.getSettingNames())) {
SecureString value = secureSettings.getString(key);
if (value == null) {
try {
if (key.startsWith("xpack.security.transport.ssl.")) {
byte[] file = toByteArray(secureSettings.getFile(key));
secureSettings.setFile(key.replace("xpack.security.transport.ssl.", "xpack.security.http.ssl."), file);
}
} catch (IOException e) {
throw new UncheckedIOException(e);
}
} else if (key.startsWith("xpack.security.transport.ssl.")) {
secureSettings.setString(key.replace("xpack.security.transport.ssl.", "xpack.security.http.ssl."), value.toString());
}
}
return builder
// invert the require auth settings // invert the require auth settings
.put("xpack.ssl.client_authentication", SSLClientAuth.REQUIRED) .put("xpack.security.transport.ssl.client_authentication", SSLClientAuth.NONE)
.put("xpack.security.http.ssl.enabled", true) .put("xpack.security.http.ssl.enabled", true)
.put("xpack.security.http.ssl.client_authentication", SSLClientAuth.REQUIRED) .put("xpack.security.http.ssl.client_authentication", SSLClientAuth.REQUIRED)
.put("transport.profiles.default.xpack.security.ssl.client_authentication", SSLClientAuth.NONE)
.build(); .build();
} }
@ -109,13 +141,13 @@ public class SSLClientAuthTests extends SecurityIntegTestCase {
} }
MockSecureSettings secureSettings = new MockSecureSettings(); MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testclient-client-profile"); secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testclient-client-profile");
Settings settings = Settings.builder() Settings settings = Settings.builder()
.put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.enabled", true)
.put("xpack.ssl.client_authentication", SSLClientAuth.NONE) .put("xpack.security.transport.ssl.client_authentication", SSLClientAuth.NONE)
.put("xpack.ssl.key", keyPath) .put("xpack.security.transport.ssl.key", keyPath)
.put("xpack.ssl.certificate", certPath) .put("xpack.security.transport.ssl.certificate", certPath)
.put("xpack.ssl.certificate_authorities", nodeCertPath) .put("xpack.security.transport.ssl.certificate_authorities", nodeCertPath)
.setSecureSettings(secureSettings) .setSecureSettings(secureSettings)
.put("cluster.name", internalCluster().getClusterName()) .put("cluster.name", internalCluster().getClusterName())
.put(SecurityField.USER_SETTING.getKey(), transportClientUsername() + ":" + new String(transportClientPassword().getChars())) .put(SecurityField.USER_SETTING.getKey(), transportClientUsername() + ":" + new String(transportClientPassword().getChars()))
@ -145,4 +177,15 @@ public class SSLClientAuthTests extends SecurityIntegTestCase {
throw new ElasticsearchException("failed to initialize SSLContext", e); throw new ElasticsearchException("failed to initialize SSLContext", e);
} }
} }
private byte[] toByteArray(InputStream is) throws IOException {
ByteArrayOutputStream baos = new ByteArrayOutputStream();
byte[] internalBuffer = new byte[1024];
int read = is.read(internalBuffer);
while (read != -1) {
baos.write(internalBuffer, 0, read);
read = is.read(internalBuffer);
}
return baos.toByteArray();
}
} }

26
x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLReloadIntegTests.java
View File

@ -72,16 +72,16 @@ public class SSLReloadIntegTests extends SecurityIntegTestCase {
Settings settings = super.nodeSettings(nodeOrdinal); Settings settings = super.nodeSettings(nodeOrdinal);
Settings.Builder builder = Settings.builder() Settings.Builder builder = Settings.builder()
.put(settings.filter((s) -> s.startsWith("xpack.ssl.") == false)); .put(settings.filter((s) -> s.startsWith("xpack.security.transport.ssl.") == false));
builder.put("path.home", createTempDir()) builder.put("path.home", createTempDir())
.put("xpack.ssl.key", nodeKeyPath) .put("xpack.security.transport.ssl.key", nodeKeyPath)
.put("xpack.ssl.key_passphrase", "testnode") .put("xpack.security.transport.ssl.key_passphrase", "testnode")
.put("xpack.ssl.certificate", nodeCertPath) .put("xpack.security.transport.ssl.certificate", nodeCertPath)
.putList("xpack.ssl.certificate_authorities", Arrays.asList(nodeCertPath.toString(), clientCertPath.toString(), .putList("xpack.security.transport.ssl.certificate_authorities",
updateableCertPath.toString())) Arrays.asList(nodeCertPath.toString(), clientCertPath.toString(), updateableCertPath.toString()))
.put("resource.reload.interval.high", "1s"); .put("resource.reload.interval.high", "1s");
builder.put("xpack.security.transport.ssl.enabled", true);
return builder.build(); return builder.build();
} }
@ -96,18 +96,18 @@ public class SSLReloadIntegTests extends SecurityIntegTestCase {
Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_updated.pem"), keyPath); Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_updated.pem"), keyPath);
Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_updated.crt"), certPath); Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_updated.crt"), certPath);
MockSecureSettings secureSettings = new MockSecureSettings(); MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode"); secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
Settings settings = Settings.builder() Settings settings = Settings.builder()
.put("path.home", createTempDir()) .put("path.home", createTempDir())
.put("xpack.ssl.key", keyPath) .put("xpack.security.transport.ssl.key", keyPath)
.put("xpack.ssl.certificate", certPath) .put("xpack.security.transport.ssl.certificate", certPath)
.putList("xpack.ssl.certificate_authorities", Arrays.asList(nodeCertPath.toString(), clientCertPath.toString(), .putList("xpack.security.transport.ssl.certificate_authorities",
updateableCertPath.toString())) Arrays.asList(nodeCertPath.toString(), clientCertPath.toString(), updateableCertPath.toString()))
.setSecureSettings(secureSettings) .setSecureSettings(secureSettings)
.build(); .build();
String node = randomFrom(internalCluster().getNodeNames()); String node = randomFrom(internalCluster().getNodeNames());
SSLService sslService = new SSLService(settings, TestEnvironment.newEnvironment(settings)); SSLService sslService = new SSLService(settings, TestEnvironment.newEnvironment(settings));
SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.ssl"); SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
SSLSocketFactory sslSocketFactory = sslService.sslSocketFactory(sslConfiguration); SSLSocketFactory sslSocketFactory = sslService.sslSocketFactory(sslConfiguration);
TransportAddress address = internalCluster() TransportAddress address = internalCluster()
.getInstance(Transport.class, node).boundAddress().publishAddress(); .getInstance(Transport.class, node).boundAddress().publishAddress();

22
x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLTrustRestrictionsTests.java
View File

@ -102,9 +102,9 @@ public class SSLTrustRestrictionsTests extends SecurityIntegTestCase {
nodeSSL = Settings.builder() nodeSSL = Settings.builder()
.put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.enabled", true)
.put("xpack.security.transport.ssl.verification_mode", "certificate") .put("xpack.security.transport.ssl.verification_mode", "certificate")
.putList("xpack.ssl.certificate_authorities", ca.getCertPath().toString()) .putList("xpack.security.transport.ssl.certificate_authorities", ca.getCertPath().toString())
.put("xpack.ssl.key", trustedCert.getKeyPath()) .put("xpack.security.transport.ssl.key", trustedCert.getKeyPath())
.put("xpack.ssl.certificate", trustedCert.getCertPath()) .put("xpack.security.transport.ssl.certificate", trustedCert.getCertPath())
.build(); .build();
} }
@ -122,14 +122,14 @@ public class SSLTrustRestrictionsTests extends SecurityIntegTestCase {
Settings parentSettings = super.nodeSettings(nodeOrdinal); Settings parentSettings = super.nodeSettings(nodeOrdinal);
Settings.Builder builder = Settings.builder() Settings.Builder builder = Settings.builder()
.put(parentSettings.filter((s) -> s.startsWith("xpack.ssl.") == false)) .put(parentSettings.filter((s) -> s.startsWith("xpack.security.transport.ssl.") == false))
.put(nodeSSL); .put(nodeSSL);
restrictionsPath = configPath.resolve("trust_restrictions.yml"); restrictionsPath = configPath.resolve("trust_restrictions.yml");
restrictionsTmpPath = configPath.resolve("trust_restrictions.tmp"); restrictionsTmpPath = configPath.resolve("trust_restrictions.tmp");
writeRestrictions("*.trusted"); writeRestrictions("*.trusted");
builder.put("xpack.ssl.trust_restrictions.path", restrictionsPath); builder.put("xpack.security.transport.ssl.trust_restrictions.path", restrictionsPath);
return builder.build(); return builder.build();
} }
@ -152,7 +152,7 @@ public class SSLTrustRestrictionsTests extends SecurityIntegTestCase {
protected Settings transportClientSettings() { protected Settings transportClientSettings() {
Settings parentSettings = super.transportClientSettings(); Settings parentSettings = super.transportClientSettings();
Settings.Builder builder = Settings.builder() Settings.Builder builder = Settings.builder()
.put(parentSettings.filter((s) -> s.startsWith("xpack.ssl.") == false)) .put(parentSettings.filter((s) -> s.startsWith("xpack.security.transport.ssl.") == false))
.put(nodeSSL); .put(nodeSSL);
return builder.build(); return builder.build();
} }
@ -224,15 +224,15 @@ public class SSLTrustRestrictionsTests extends SecurityIntegTestCase {
private void tryConnect(CertificateInfo certificate) throws Exception { private void tryConnect(CertificateInfo certificate) throws Exception {
Settings settings = Settings.builder() Settings settings = Settings.builder()
.put("path.home", createTempDir()) .put("path.home", createTempDir())
.put("xpack.ssl.key", certificate.getKeyPath()) .put("xpack.security.transport.ssl.key", certificate.getKeyPath())
.put("xpack.ssl.certificate", certificate.getCertPath()) .put("xpack.security.transport.ssl.certificate", certificate.getCertPath())
.putList("xpack.ssl.certificate_authorities", ca.getCertPath().toString()) .putList("xpack.security.transport.ssl.certificate_authorities", ca.getCertPath().toString())
.put("xpack.ssl.verification_mode", "certificate") .put("xpack.security.transport.ssl.verification_mode", "certificate")
.build(); .build();
String node = randomFrom(internalCluster().getNodeNames()); String node = randomFrom(internalCluster().getNodeNames());
SSLService sslService = new SSLService(settings, TestEnvironment.newEnvironment(settings)); SSLService sslService = new SSLService(settings, TestEnvironment.newEnvironment(settings));
SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.ssl"); SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
SSLSocketFactory sslSocketFactory = sslService.sslSocketFactory(sslConfiguration); SSLSocketFactory sslSocketFactory = sslService.sslSocketFactory(sslConfiguration);
TransportAddress address = internalCluster().getInstance(Transport.class, node).boundAddress().publishAddress(); TransportAddress address = internalCluster().getInstance(Transport.class, node).boundAddress().publishAddress();
try (SSLSocket socket = (SSLSocket) sslSocketFactory.createSocket(address.getAddress(), address.getPort())) { try (SSLSocket socket = (SSLSocket) sslSocketFactory.createSocket(address.getAddress(), address.getPort())) {

6
x-pack/plugin/sql/qa/security/with-ssl/build.gradle
View File

@ -151,8 +151,10 @@ integTestCluster {
setting 'xpack.security.transport.ssl.enabled', 'true' setting 'xpack.security.transport.ssl.enabled', 'true'
// ceremony to set up ssl // ceremony to set up ssl
setting 'xpack.ssl.keystore.path', 'test-node.jks' setting 'xpack.security.transport.ssl.keystore.path', 'test-node.jks'
keystoreSetting 'xpack.ssl.keystore.secure_password', 'keypass' keystoreSetting 'xpack.security.transport.ssl.keystore.secure_password', 'keypass'
setting 'xpack.security.http.ssl.keystore.path', 'test-node.jks'
keystoreSetting 'xpack.security.http.ssl.keystore.secure_password', 'keypass'
setting 'xpack.license.self_generated.type', 'trial' setting 'xpack.license.self_generated.type', 'trial'

78
x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpClientTests.java
View File

@ -81,7 +81,7 @@ public class HttpClientTests extends ESTestCase {
} }
@After @After
public void shutdown() throws Exception { public void shutdown() throws IOException {
webServer.close(); webServer.close();
httpClient.close(); httpClient.close();
} }
@ -179,30 +179,22 @@ public class HttpClientTests extends ESTestCase {
Path certPath = getDataPath("/org/elasticsearch/xpack/security/keystore/testnode.crt"); Path certPath = getDataPath("/org/elasticsearch/xpack/security/keystore/testnode.crt");
Path keyPath = getDataPath("/org/elasticsearch/xpack/security/keystore/testnode.pem"); Path keyPath = getDataPath("/org/elasticsearch/xpack/security/keystore/testnode.pem");
MockSecureSettings secureSettings = new MockSecureSettings(); MockSecureSettings secureSettings = new MockSecureSettings();
Settings settings; Settings settings = Settings.builder()
if (randomBoolean()) { .put("xpack.http.ssl.certificate_authorities", trustedCertPath)
settings = Settings.builder() .setSecureSettings(secureSettings)
.put("xpack.http.ssl.certificate_authorities", trustedCertPath) .build();
.setSecureSettings(secureSettings)
.build();
} else {
settings = Settings.builder()
.put("xpack.ssl.certificate_authorities", trustedCertPath)
.setSecureSettings(secureSettings)
.build();
}
try (HttpClient client = new HttpClient(settings, new SSLService(settings, environment), null, mockClusterService())) { try (HttpClient client = new HttpClient(settings, new SSLService(settings, environment), null, mockClusterService())) {
secureSettings = new MockSecureSettings(); secureSettings = new MockSecureSettings();
// We can't use the client created above for the server since it is only a truststore // We can't use the client created above for the server since it is only a truststore
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode"); secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode");
Settings settings2 = Settings.builder() Settings settings2 = Settings.builder()
.put("xpack.ssl.key", keyPath) .put("xpack.security.http.ssl.key", keyPath)
.put("xpack.ssl.certificate", certPath) .put("xpack.security.http.ssl.certificate", certPath)
.setSecureSettings(secureSettings) .setSecureSettings(secureSettings)
.build(); .build();
TestsSSLService sslService = new TestsSSLService(settings2, environment); TestsSSLService sslService = new TestsSSLService(settings2, environment);
testSslMockWebserver(client, sslService.sslContext(), false); testSslMockWebserver(client, sslService.sslContext("xpack.security.http.ssl"), false);
} }
} }
@ -210,40 +202,27 @@ public class HttpClientTests extends ESTestCase {
Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-no-subjaltname.crt"); Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-no-subjaltname.crt");
Path keyPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-no-subjaltname.pem"); Path keyPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-no-subjaltname.pem");
Settings settings; Settings settings;
if (randomBoolean()) { Settings.Builder builder = Settings.builder()
MockSecureSettings secureSettings = new MockSecureSettings(); .put("xpack.http.ssl.certificate_authorities", certPath);
Settings.Builder builder = Settings.builder() if (inFipsJvm()) {
.put("xpack.http.ssl.certificate_authorities", certPath); //Can't use TrustAllConfig in FIPS mode
if (inFipsJvm()) { builder.put("xpack.http.ssl.verification_mode", VerificationMode.CERTIFICATE);
//Can't use TrustAllConfig in FIPS mode
builder.put("xpack.http.ssl.verification_mode", VerificationMode.CERTIFICATE);
} else {
builder.put("xpack.http.ssl.verification_mode", randomFrom(VerificationMode.NONE, VerificationMode.CERTIFICATE));
}
settings = builder.build();
} else { } else {
Settings.Builder builder = Settings.builder() builder.put("xpack.http.ssl.verification_mode", randomFrom(VerificationMode.NONE, VerificationMode.CERTIFICATE));
.put("xpack.ssl.certificate_authorities", certPath);
if (inFipsJvm()) {
//Can't use TrustAllConfig in FIPS mode
builder.put("xpack.ssl.verification_mode", VerificationMode.CERTIFICATE);
} else {
builder.put("xpack.ssl.verification_mode", randomFrom(VerificationMode.NONE, VerificationMode.CERTIFICATE));
}
settings = builder.build();
} }
settings = builder.build();
try (HttpClient client = new HttpClient(settings, new SSLService(settings, environment), null, mockClusterService())) { try (HttpClient client = new HttpClient(settings, new SSLService(settings, environment), null, mockClusterService())) {
MockSecureSettings secureSettings = new MockSecureSettings(); MockSecureSettings secureSettings = new MockSecureSettings();
// We can't use the client created above for the server since it only defines a truststore // We can't use the client created above for the server since it only defines a truststore
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode-no-subjaltname"); secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode-no-subjaltname");
Settings settings2 = Settings.builder() Settings settings2 = Settings.builder()
.put("xpack.ssl.key", keyPath) .put("xpack.security.http.ssl.key", keyPath)
.put("xpack.ssl.certificate", certPath) .put("xpack.security.http.ssl.certificate", certPath)
.setSecureSettings(secureSettings) .setSecureSettings(secureSettings)
.build(); .build();
TestsSSLService sslService = new TestsSSLService(settings2, environment); TestsSSLService sslService = new TestsSSLService(settings2, environment);
testSslMockWebserver(client, sslService.sslContext(), false); testSslMockWebserver(client, sslService.sslContext("xpack.security.http.ssl"), false);
} }
} }
@ -251,16 +230,16 @@ public class HttpClientTests extends ESTestCase {
Path certPath = getDataPath("/org/elasticsearch/xpack/security/keystore/testnode.crt"); Path certPath = getDataPath("/org/elasticsearch/xpack/security/keystore/testnode.crt");
Path keyPath = getDataPath("/org/elasticsearch/xpack/security/keystore/testnode.pem"); Path keyPath = getDataPath("/org/elasticsearch/xpack/security/keystore/testnode.pem");
MockSecureSettings secureSettings = new MockSecureSettings(); MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode"); secureSettings.setString("xpack.http.ssl.secure_key_passphrase", "testnode");
Settings settings = Settings.builder() Settings settings = Settings.builder()
.put("xpack.ssl.key", keyPath) .put("xpack.http.ssl.key", keyPath)
.put("xpack.ssl.certificate", certPath) .put("xpack.http.ssl.certificate", certPath)
.setSecureSettings(secureSettings) .setSecureSettings(secureSettings)
.build(); .build();
TestsSSLService sslService = new TestsSSLService(settings, environment); TestsSSLService sslService = new TestsSSLService(settings, environment);
try (HttpClient client = new HttpClient(settings, sslService, null, mockClusterService())) { try (HttpClient client = new HttpClient(settings, sslService, null, mockClusterService())) {
testSslMockWebserver(client, sslService.sslContext(), true); testSslMockWebserver(client, sslService.sslContext("xpack.http.ssl"), true);
} }
} }
@ -387,19 +366,18 @@ public class HttpClientTests extends ESTestCase {
// on top of that the proxy request is HTTPS but the real request is HTTP only // on top of that the proxy request is HTTPS but the real request is HTTP only
MockSecureSettings serverSecureSettings = new MockSecureSettings(); MockSecureSettings serverSecureSettings = new MockSecureSettings();
// We can't use the client created above for the server since it is only a truststore // We can't use the client created above for the server since it is only a truststore
serverSecureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode"); serverSecureSettings.setString("xpack.http.ssl.secure_key_passphrase", "testnode");
Settings serverSettings = Settings.builder() Settings serverSettings = Settings.builder()
.put("xpack.ssl.key", keyPath) .put("xpack.http.ssl.key", keyPath)
.put("xpack.ssl.certificate", certPath) .put("xpack.http.ssl.certificate", certPath)
.setSecureSettings(serverSecureSettings) .setSecureSettings(serverSecureSettings)
.build(); .build();
TestsSSLService sslService = new TestsSSLService(serverSettings, environment); TestsSSLService sslService = new TestsSSLService(serverSettings, environment);
try (MockWebServer proxyServer = new MockWebServer(sslService.sslContext(), false)) { try (MockWebServer proxyServer = new MockWebServer(sslService.sslContext(serverSettings.getByPrefix("xpack.http.ssl.")), false)) {
proxyServer.enqueue(new MockResponse().setResponseCode(200).setBody("fullProxiedContent")); proxyServer.enqueue(new MockResponse().setResponseCode(200).setBody("fullProxiedContent"));
proxyServer.start(); proxyServer.start();
MockSecureSettings secureSettings = new MockSecureSettings();
Settings settings = Settings.builder() Settings settings = Settings.builder()
.put(HttpSettings.PROXY_HOST.getKey(), "localhost") .put(HttpSettings.PROXY_HOST.getKey(), "localhost")
.put(HttpSettings.PROXY_PORT.getKey(), proxyServer.getPort()) .put(HttpSettings.PROXY_PORT.getKey(), proxyServer.getPort())

8
x-pack/qa/full-cluster-restart/build.gradle
View File

@ -172,8 +172,8 @@ subprojects {
setting 'xpack.security.enabled', 'true' setting 'xpack.security.enabled', 'true'
setting 'xpack.security.transport.ssl.enabled', 'true' setting 'xpack.security.transport.ssl.enabled', 'true'
setting 'xpack.ssl.keystore.path', 'testnode.jks' setting 'xpack.security.transport.ssl.keystore.path', 'testnode.jks'
setting 'xpack.ssl.keystore.password', 'testnode' setting 'xpack.security.transport.ssl.keystore.password', 'testnode'
setting 'xpack.license.self_generated.type', 'trial' setting 'xpack.license.self_generated.type', 'trial'
dependsOn copyTestNodeKeystore dependsOn copyTestNodeKeystore
extraConfigFile 'testnode.jks', new File(outputDir + '/testnode.jks') extraConfigFile 'testnode.jks', new File(outputDir + '/testnode.jks')
@ -217,8 +217,8 @@ subprojects {
// some tests rely on the translog not being flushed // some tests rely on the translog not being flushed
setting 'indices.memory.shard_inactive_time', '20m' setting 'indices.memory.shard_inactive_time', '20m'
setting 'xpack.security.enabled', 'true' setting 'xpack.security.enabled', 'true'
setting 'xpack.ssl.keystore.path', 'testnode.jks' setting 'xpack.security.transport.ssl.keystore.path', 'testnode.jks'
keystoreSetting 'xpack.ssl.keystore.secure_password', 'testnode' keystoreSetting 'xpack.security.transport.ssl.keystore.secure_password', 'testnode'
setting 'xpack.license.self_generated.type', 'trial' setting 'xpack.license.self_generated.type', 'trial'
dependsOn copyTestNodeKeystore dependsOn copyTestNodeKeystore
extraConfigFile 'testnode.jks', new File(outputDir + '/testnode.jks') extraConfigFile 'testnode.jks', new File(outputDir + '/testnode.jks')

39
x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/test/OpenLdapTests.java
View File

@ -61,13 +61,12 @@ public class OpenLdapTests extends ESTestCase {
private static final SecureString PASSWORD_SECURE_STRING = new SecureString(PASSWORD.toCharArray()); private static final SecureString PASSWORD_SECURE_STRING = new SecureString(PASSWORD.toCharArray());
public static final String REALM_NAME = "oldap-test"; public static final String REALM_NAME = "oldap-test";
private boolean useGlobalSSL;
private SSLService sslService; private SSLService sslService;
private ThreadPool threadPool; private ThreadPool threadPool;
private Settings globalSettings; private Settings globalSettings;
@Before @Before
public void init() throws Exception { public void init() {
threadPool = new TestThreadPool("OpenLdapTests thread pool"); threadPool = new TestThreadPool("OpenLdapTests thread pool");
} }
@ -89,32 +88,19 @@ public class OpenLdapTests extends ESTestCase {
* If we re-use a SSLContext, previously connected sessions can get re-established which breaks hostname * If we re-use a SSLContext, previously connected sessions can get re-established which breaks hostname
* verification tests since a re-established connection does not perform hostname verification. * verification tests since a re-established connection does not perform hostname verification.
*/ */
useGlobalSSL = randomBoolean();
MockSecureSettings mockSecureSettings = new MockSecureSettings(); MockSecureSettings mockSecureSettings = new MockSecureSettings();
Settings.Builder builder = Settings.builder().put("path.home", createTempDir()); Settings.Builder builder = Settings.builder().put("path.home", createTempDir());
if (useGlobalSSL) { // fake realms so ssl will get loaded
builder.put("xpack.ssl.truststore.path", truststore); builder.put("xpack.security.authc.realms.ldap.foo.ssl.truststore.path", truststore);
mockSecureSettings.setString("xpack.ssl.truststore.secure_password", "changeit"); mockSecureSettings.setString("xpack.security.authc.realms.ldap.foo.ssl.truststore.secure_password", "changeit");
builder.put("xpack.security.authc.realms.ldap.foo.ssl.verification_mode", VerificationMode.FULL);
builder.put("xpack.security.authc.realms.ldap." + REALM_NAME + ".ssl.truststore.path", truststore);
mockSecureSettings.setString("xpack.security.authc.realms.ldap." + REALM_NAME + ".ssl.truststore.secure_password", "changeit");
builder.put("xpack.security.authc.realms.ldap." + REALM_NAME + ".ssl.verification_mode", VerificationMode.CERTIFICATE);
// configure realm to load config with certificate verification mode builder.put("xpack.security.authc.realms.ldap.vmode_full.ssl.truststore.path", truststore);
builder.put("xpack.security.authc.realms.ldap." + REALM_NAME + ".ssl.truststore.path", truststore); mockSecureSettings.setString("xpack.security.authc.realms.ldap.vmode_full.ssl.truststore.secure_password", "changeit");
mockSecureSettings.setString("xpack.security.authc.realms.ldap." + REALM_NAME + ".ssl.truststore.secure_password", "changeit");
builder.put("xpack.security.authc.realms.ldap." + REALM_NAME + ".ssl.verification_mode", VerificationMode.CERTIFICATE);
} else {
// fake realms so ssl will get loaded
builder.put("xpack.security.authc.realms.ldap.foo.ssl.truststore.path", truststore);
mockSecureSettings.setString("xpack.security.authc.realms.ldap.foo.ssl.truststore.secure_password", "changeit");
builder.put("xpack.security.authc.realms.ldap.foo.ssl.verification_mode", VerificationMode.FULL);
builder.put("xpack.security.authc.realms.ldap." + REALM_NAME + ".ssl.truststore.path", truststore);
mockSecureSettings.setString("xpack.security.authc.realms.ldap." + REALM_NAME + ".ssl.truststore.secure_password", "changeit");
builder.put("xpack.security.authc.realms.ldap." + REALM_NAME + ".ssl.verification_mode", VerificationMode.CERTIFICATE);
// If not using global ssl, need to set the truststore for the "full verification" realm
builder.put("xpack.security.authc.realms.ldap.vmode_full.ssl.truststore.path", truststore);
mockSecureSettings.setString("xpack.security.authc.realms.ldap.vmode_full.ssl.truststore.secure_password", "changeit");
}
builder.put("xpack.security.authc.realms.ldap.vmode_full.ssl.verification_mode", VerificationMode.FULL); builder.put("xpack.security.authc.realms.ldap.vmode_full.ssl.verification_mode", VerificationMode.FULL);
globalSettings = builder.setSecureSettings(mockSecureSettings).build(); globalSettings = builder.setSecureSettings(mockSecureSettings).build();
Environment environment = TestEnvironment.newEnvironment(globalSettings); Environment environment = TestEnvironment.newEnvironment(globalSettings);
sslService = new SSLService(globalSettings, environment); sslService = new SSLService(globalSettings, environment);
@ -290,11 +276,8 @@ public class OpenLdapTests extends ESTestCase {
final String[] urls = {ldapUrl}; final String[] urls = {ldapUrl};
final String[] templates = {userTemplate}; final String[] templates = {userTemplate};
Settings.Builder builder = Settings.builder() Settings.Builder builder = Settings.builder()
.put(LdapTestCase.buildLdapSettings(realmId, urls, templates, groupSearchBase, scope, null, false)); .put(LdapTestCase.buildLdapSettings(realmId, urls, templates, groupSearchBase, scope, null, false));
builder.put(getFullSettingKey(realmId.getName(), SearchGroupsResolverSettings.USER_ATTRIBUTE), "uid"); builder.put(getFullSettingKey(realmId.getName(), SearchGroupsResolverSettings.USER_ATTRIBUTE), "uid");
if (useGlobalSSL) {
return builder.build();
}
return builder return builder
.put(getFullSettingKey(realmId, SSLConfigurationSettings.TRUST_STORE_PATH_REALM), getDataPath(LDAPTRUST_PATH)) .put(getFullSettingKey(realmId, SSLConfigurationSettings.TRUST_STORE_PATH_REALM), getDataPath(LDAPTRUST_PATH))
.put(getFullSettingKey(realmId, SSLConfigurationSettings.LEGACY_TRUST_STORE_PASSWORD_REALM), "changeit") .put(getFullSettingKey(realmId, SSLConfigurationSettings.LEGACY_TRUST_STORE_PASSWORD_REALM), "changeit")

4
x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/xpack/security/authc/ldap/OpenLdapUserSearchSessionFactoryTests.java
View File

@ -60,13 +60,13 @@ public class OpenLdapUserSearchSessionFactoryTests extends ESTestCase {
*/ */
globalSettings = Settings.builder() globalSettings = Settings.builder()
.put("path.home", createTempDir()) .put("path.home", createTempDir())
.put("xpack.ssl.certificate_authorities", caPath) .put("xpack.security.authc.realms.ldap.ssl.certificate_authorities", caPath)
.build(); .build();
threadPool = new TestThreadPool("LdapUserSearchSessionFactoryTests"); threadPool = new TestThreadPool("LdapUserSearchSessionFactoryTests");
} }
@After @After
public void shutdown() throws InterruptedException { public void shutdown() {
terminate(threadPool); terminate(threadPool);
} }

8
x-pack/qa/rolling-upgrade/build.gradle
View File

@ -157,8 +157,8 @@ subprojects {
setting 'xpack.security.authc.token.enabled', 'true' setting 'xpack.security.authc.token.enabled', 'true'
setting 'xpack.security.audit.enabled', 'true' setting 'xpack.security.audit.enabled', 'true'
setting 'xpack.security.audit.outputs', 'index' setting 'xpack.security.audit.outputs', 'index'
setting 'xpack.ssl.keystore.path', 'testnode.jks' setting 'xpack.security.transport.ssl.keystore.path', 'testnode.jks'
setting 'xpack.ssl.keystore.password', 'testnode' setting 'xpack.security.transport.ssl.keystore.password', 'testnode'
dependsOn copyTestNodeKeystore dependsOn copyTestNodeKeystore
extraConfigFile 'testnode.jks', new File(outputDir + '/testnode.jks') extraConfigFile 'testnode.jks', new File(outputDir + '/testnode.jks')
if (version.onOrAfter('7.0.0')) { if (version.onOrAfter('7.0.0')) {
@ -226,8 +226,8 @@ subprojects {
setting 'xpack.license.self_generated.type', 'trial' setting 'xpack.license.self_generated.type', 'trial'
setting 'xpack.security.enabled', 'true' setting 'xpack.security.enabled', 'true'
setting 'xpack.security.transport.ssl.enabled', 'true' setting 'xpack.security.transport.ssl.enabled', 'true'
setting 'xpack.ssl.keystore.path', 'testnode.jks' setting 'xpack.security.transport.ssl.keystore.path', 'testnode.jks'
keystoreSetting 'xpack.ssl.keystore.secure_password', 'testnode' keystoreSetting 'xpack.security.transport.ssl.keystore.secure_password', 'testnode'
setting 'node.attr.upgraded', 'true' setting 'node.attr.upgraded', 'true'
setting 'xpack.security.authc.token.enabled', 'true' setting 'xpack.security.authc.token.enabled', 'true'
setting 'xpack.security.audit.enabled', 'true' setting 'xpack.security.audit.enabled', 'true'

3
x-pack/qa/smoke-test-plugins-ssl/build.gradle
View File

@ -57,16 +57,17 @@ integTestCluster {
setting 'xpack.monitoring.collection.interval', '1s' setting 'xpack.monitoring.collection.interval', '1s'
setting 'xpack.monitoring.exporters._http.type', 'http' setting 'xpack.monitoring.exporters._http.type', 'http'
setting 'xpack.monitoring.exporters._http.enabled', 'false' setting 'xpack.monitoring.exporters._http.enabled', 'false'
setting 'xpack.ssl.certificate_authorities', 'testnode.crt'
setting 'xpack.monitoring.exporters._http.auth.username', 'monitoring_agent' setting 'xpack.monitoring.exporters._http.auth.username', 'monitoring_agent'
setting 'xpack.monitoring.exporters._http.auth.password', 'x-pack-test-password' setting 'xpack.monitoring.exporters._http.auth.password', 'x-pack-test-password'
setting 'xpack.monitoring.exporters._http.ssl.verification_mode', 'full' setting 'xpack.monitoring.exporters._http.ssl.verification_mode', 'full'
setting 'xpack.monitoring.exporters._http.ssl.certificate_authorities', 'testnode.crt'
setting 'xpack.license.self_generated.type', 'trial' setting 'xpack.license.self_generated.type', 'trial'
setting 'xpack.security.enabled', 'true' setting 'xpack.security.enabled', 'true'
setting 'xpack.security.http.ssl.enabled', 'true' setting 'xpack.security.http.ssl.enabled', 'true'
setting 'xpack.security.http.ssl.key', 'testnode.pem' setting 'xpack.security.http.ssl.key', 'testnode.pem'
setting 'xpack.security.http.ssl.certificate', 'testnode.crt' setting 'xpack.security.http.ssl.certificate', 'testnode.crt'
setting 'xpack.security.http.ssl.certificate_authorities', 'testnode.crt'
keystoreSetting 'xpack.security.http.ssl.secure_key_passphrase', 'testnode' keystoreSetting 'xpack.security.http.ssl.secure_key_passphrase', 'testnode'
setting 'xpack.ilm.enabled', 'false' setting 'xpack.ilm.enabled', 'false'

11
x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ADLdapUserSearchSessionFactoryTests.java vendored
View File

@ -7,7 +7,6 @@ package org.elasticsearch.xpack.security.authc.ldap;
import org.elasticsearch.action.support.PlainActionFuture; import org.elasticsearch.action.support.PlainActionFuture;
import org.elasticsearch.common.Strings; import org.elasticsearch.common.Strings;
import org.elasticsearch.common.settings.MockSecureSettings;
import org.elasticsearch.common.settings.SecureString; import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.common.util.concurrent.ThreadContext;
@ -50,23 +49,17 @@ public class ADLdapUserSearchSessionFactoryTests extends AbstractActiveDirectory
globalSettings = Settings.builder() globalSettings = Settings.builder()
.put("path.home", createTempDir()) .put("path.home", createTempDir())
.put("xpack.ssl.certificate_authorities", certPath) .put("xpack.security.authc.realms.active_directory.ad.ssl.certificate_authorities", certPath)
.build(); .build();
sslService = new SSLService(globalSettings, env); sslService = new SSLService(globalSettings, env);
threadPool = new TestThreadPool("ADLdapUserSearchSessionFactoryTests"); threadPool = new TestThreadPool("ADLdapUserSearchSessionFactoryTests");
} }
@After @After
public void shutdown() throws InterruptedException { public void shutdown() {
terminate(threadPool); terminate(threadPool);
} }
private MockSecureSettings newSecureSettings(String key, String value) {
MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString(key, value);
return secureSettings;
}
@AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/issues/35738") @AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/issues/35738")
public void testUserSearchWithActiveDirectory() throws Exception { public void testUserSearchWithActiveDirectory() throws Exception {
String groupSearchBase = "DC=ad,DC=test,DC=elasticsearch,DC=com"; String groupSearchBase = "DC=ad,DC=test,DC=elasticsearch,DC=com";

41
x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/AbstractActiveDirectoryTestCase.java vendored
View File

@ -58,12 +58,10 @@ public abstract class AbstractActiveDirectoryTestCase extends ESTestCase {
protected SSLService sslService; protected SSLService sslService;
protected Settings globalSettings; protected Settings globalSettings;
protected boolean useGlobalSSL;
protected List<String> certificatePaths; protected List<String> certificatePaths;
@Before @Before
public void initializeSslSocketFactory() throws Exception { public void initializeSslSocketFactory() throws Exception {
useGlobalSSL = randomBoolean();
// We use certificates in PEM format and `ssl.certificate_authorities` instead of ssl.trustore // We use certificates in PEM format and `ssl.certificate_authorities` instead of ssl.trustore
// so that these tests can also run in a FIPS JVM where JKS keystores can't be used. // so that these tests can also run in a FIPS JVM where JKS keystores can't be used.
certificatePaths = new ArrayList<>(); certificatePaths = new ArrayList<>();
@ -84,19 +82,12 @@ public abstract class AbstractActiveDirectoryTestCase extends ESTestCase {
* verification tests since a re-established connection does not perform hostname verification. * verification tests since a re-established connection does not perform hostname verification.
*/ */
Settings.Builder builder = Settings.builder().put("path.home", createTempDir()); Settings.Builder builder = Settings.builder().put("path.home", createTempDir());
if (useGlobalSSL) {
builder.putList("xpack.ssl.certificate_authorities", certificatePaths);
// fake realm to load config with certificate verification mode // fake realms so ssl will get loaded
builder.putList("xpack.security.authc.realms.bar.ssl.certificate_authorities", certificatePaths); builder.putList("xpack.security.authc.realms.foo.ssl.certificate_authorities", certificatePaths);
builder.put("xpack.security.authc.realms.bar.ssl.verification_mode", VerificationMode.CERTIFICATE); builder.put("xpack.security.authc.realms.foo.ssl.verification_mode", VerificationMode.FULL);
} else { builder.putList("xpack.security.authc.realms.bar.ssl.certificate_authorities", certificatePaths);
// fake realms so ssl will get loaded builder.put("xpack.security.authc.realms.bar.ssl.verification_mode", VerificationMode.CERTIFICATE);
builder.putList("xpack.security.authc.realms.foo.ssl.certificate_authorities", certificatePaths);
builder.put("xpack.security.authc.realms.foo.ssl.verification_mode", VerificationMode.FULL);
builder.putList("xpack.security.authc.realms.bar.ssl.certificate_authorities", certificatePaths);
builder.put("xpack.security.authc.realms.bar.ssl.verification_mode", VerificationMode.CERTIFICATE);
}
globalSettings = builder.build(); globalSettings = builder.build();
Environment environment = TestEnvironment.newEnvironment(globalSettings); Environment environment = TestEnvironment.newEnvironment(globalSettings);
sslService = new SSLService(globalSettings, environment); sslService = new SSLService(globalSettings, environment);
@ -106,24 +97,22 @@ public abstract class AbstractActiveDirectoryTestCase extends ESTestCase {
LdapSearchScope scope, boolean hostnameVerification) { LdapSearchScope scope, boolean hostnameVerification) {
final String realmName = realmId.getName(); final String realmName = realmId.getName();
Settings.Builder builder = Settings.builder() Settings.Builder builder = Settings.builder()
.putList(getFullSettingKey(realmId, SessionFactorySettings.URLS_SETTING), ldapUrl) .putList(getFullSettingKey(realmId, SessionFactorySettings.URLS_SETTING), ldapUrl)
.put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_DOMAIN_NAME_SETTING), adDomainName) .put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_DOMAIN_NAME_SETTING), adDomainName)
.put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_USER_SEARCH_BASEDN_SETTING), userSearchDN) .put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_USER_SEARCH_BASEDN_SETTING), userSearchDN)
.put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_USER_SEARCH_SCOPE_SETTING), scope) .put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_USER_SEARCH_SCOPE_SETTING), scope)
.put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_LDAP_PORT_SETTING), AD_LDAP_PORT) .put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_LDAP_PORT_SETTING), AD_LDAP_PORT)
.put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_LDAPS_PORT_SETTING), AD_LDAPS_PORT) .put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_LDAPS_PORT_SETTING), AD_LDAPS_PORT)
.put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_GC_LDAP_PORT_SETTING), AD_GC_LDAP_PORT) .put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_GC_LDAP_PORT_SETTING), AD_GC_LDAP_PORT)
.put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_GC_LDAPS_PORT_SETTING), AD_GC_LDAPS_PORT) .put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_GC_LDAPS_PORT_SETTING), AD_GC_LDAPS_PORT)
.put(getFullSettingKey(realmId, SessionFactorySettings.FOLLOW_REFERRALS_SETTING), FOLLOW_REFERRALS); .put(getFullSettingKey(realmId, SessionFactorySettings.FOLLOW_REFERRALS_SETTING), FOLLOW_REFERRALS)
.putList(getFullSettingKey(realmId, SSLConfigurationSettings.CAPATH_SETTING_REALM), certificatePaths);
if (randomBoolean()) { if (randomBoolean()) {
builder.put(getFullSettingKey(realmId, SSLConfigurationSettings.VERIFICATION_MODE_SETTING_REALM), builder.put(getFullSettingKey(realmId, SSLConfigurationSettings.VERIFICATION_MODE_SETTING_REALM),
hostnameVerification ? VerificationMode.FULL : VerificationMode.CERTIFICATE); hostnameVerification ? VerificationMode.FULL : VerificationMode.CERTIFICATE);
} else { } else {
builder.put(getFullSettingKey(realmId, SessionFactorySettings.HOSTNAME_VERIFICATION_SETTING), hostnameVerification); builder.put(getFullSettingKey(realmId, SessionFactorySettings.HOSTNAME_VERIFICATION_SETTING), hostnameVerification);
} }
if (useGlobalSSL == false) {
builder.putList(getFullSettingKey(realmId, SSLConfigurationSettings.CAPATH_SETTING_REALM), certificatePaths);
}
return builder.build(); return builder.build();
} }

42
x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/AbstractAdLdapRealmTestCase.java vendored
View File

@ -103,13 +103,11 @@ public abstract class AbstractAdLdapRealmTestCase extends SecurityIntegTestCase
protected static final String TESTNODE_CERT = "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"; protected static final String TESTNODE_CERT = "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt";
protected static RealmConfig realmConfig; protected static RealmConfig realmConfig;
protected static List<RoleMappingEntry> roleMappings; protected static List<RoleMappingEntry> roleMappings;
protected static boolean useGlobalSSL;
@BeforeClass @BeforeClass
public static void setupRealm() { public static void setupRealm() {
realmConfig = randomFrom(RealmConfig.values()); realmConfig = randomFrom(RealmConfig.values());
roleMappings = realmConfig.selectRoleMappings(ESTestCase::randomBoolean); roleMappings = realmConfig.selectRoleMappings(ESTestCase::randomBoolean);
useGlobalSSL = randomBoolean();
LogManager.getLogger(AbstractAdLdapRealmTestCase.class).info( LogManager.getLogger(AbstractAdLdapRealmTestCase.class).info(
"running test with realm configuration [{}], with direct group to role mapping [{}]. Settings [{}]", "running test with realm configuration [{}], with direct group to role mapping [{}]. Settings [{}]",
realmConfig, realmConfig.mapGroupsAsRoles, realmConfig.settings); realmConfig, realmConfig.mapGroupsAsRoles, realmConfig.settings);
@ -128,13 +126,13 @@ public abstract class AbstractAdLdapRealmTestCase extends SecurityIntegTestCase
Settings.Builder builder = Settings.builder(); Settings.Builder builder = Settings.builder();
// don't use filter since it returns a prefixed secure setting instead of mock! // don't use filter since it returns a prefixed secure setting instead of mock!
Settings settingsToAdd = super.nodeSettings(nodeOrdinal); Settings settingsToAdd = super.nodeSettings(nodeOrdinal);
builder.put(settingsToAdd.filter(k -> k.startsWith("xpack.ssl.") == false), false); builder.put(settingsToAdd.filter(k -> k.startsWith("xpack.transport.security.ssl.") == false), false);
MockSecureSettings mockSecureSettings = (MockSecureSettings) Settings.builder().put(settingsToAdd).getSecureSettings(); MockSecureSettings mockSecureSettings = (MockSecureSettings) Settings.builder().put(settingsToAdd).getSecureSettings();
if (mockSecureSettings != null) { if (mockSecureSettings != null) {
MockSecureSettings filteredSecureSettings = new MockSecureSettings(); MockSecureSettings filteredSecureSettings = new MockSecureSettings();
builder.setSecureSettings(filteredSecureSettings); builder.setSecureSettings(filteredSecureSettings);
for (String secureSetting : mockSecureSettings.getSettingNames()) { for (String secureSetting : mockSecureSettings.getSettingNames()) {
if (secureSetting.startsWith("xpack.ssl.") == false) { if (secureSetting.startsWith("xpack.transport.security.ssl.") == false) {
SecureString secureString = mockSecureSettings.getString(secureSetting); SecureString secureString = mockSecureSettings.getString(secureSetting);
if (secureString == null) { if (secureString == null) {
final byte[] fileBytes; final byte[] fileBytes;
@ -216,25 +214,6 @@ public abstract class AbstractAdLdapRealmTestCase extends SecurityIntegTestCase
.collect(Collectors.toList()); .collect(Collectors.toList());
} }
@Override
protected Settings transportClientSettings() {
if (useGlobalSSL) {
Path key = getDataPath(TESTNODE_KEY);
Path cert = getDataPath(TESTNODE_CERT);
Settings.Builder builder = Settings.builder()
.put(super.transportClientSettings().filter((s) -> s.startsWith("xpack.ssl.") == false));
addSslSettingsForKeyPair(builder, key, "testnode", cert, getNodeTrustedCertificates());
return builder.build();
} else {
return super.transportClientSettings();
}
}
@Override
protected boolean transportSSLEnabled() {
return useGlobalSSL;
}
protected final void configureFileRoleMappings(Settings.Builder builder, List<RoleMappingEntry> mappings) { protected final void configureFileRoleMappings(Settings.Builder builder, List<RoleMappingEntry> mappings) {
String content = getRoleMappingContent(RoleMappingEntry::getFileContent, mappings).stream().collect(Collectors.joining("\n")); String content = getRoleMappingContent(RoleMappingEntry::getFileContent, mappings).stream().collect(Collectors.joining("\n"));
Path nodeFiles = createTempDir(); Path nodeFiles = createTempDir();
@ -310,11 +289,11 @@ public abstract class AbstractAdLdapRealmTestCase extends SecurityIntegTestCase
private void addSslSettingsForKeyPair(Settings.Builder builder, Path key, String keyPassphrase, Path cert, private void addSslSettingsForKeyPair(Settings.Builder builder, Path key, String keyPassphrase, Path cert,
List<String> certificateAuthorities) { List<String> certificateAuthorities) {
builder.put("xpack.ssl.key", key) builder.put("xpack.transport.security.ssl.key", key)
.put("xpack.ssl.key_passphrase", keyPassphrase) .put("xpack.transport.security.ssl.key_passphrase", keyPassphrase)
.put("xpack.ssl.verification_mode", "certificate") .put("xpack.transport.security.ssl.verification_mode", "certificate")
.put("xpack.ssl.certificate", cert) .put("xpack.transport.security.ssl.certificate", cert)
.putList("xpack.ssl.certificate_authorities", certificateAuthorities); .putList("xpack.transport.security.ssl.certificate_authorities", certificateAuthorities);
} }
/** /**
@ -462,11 +441,8 @@ public abstract class AbstractAdLdapRealmTestCase extends SecurityIntegTestCase
.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".order", order) .put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".order", order)
.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".hostname_verification", false) .put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".hostname_verification", false)
.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".unmapped_groups_as_roles", mapGroupsAsRoles) .put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".unmapped_groups_as_roles", mapGroupsAsRoles)
.put(this.settings); .put(this.settings)
if (useGlobalSSL == false) { .putList(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".ssl.certificate_authorities", certificateAuthorities);
builder.putList(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".ssl.certificate_authorities", certificateAuthorities);
}
return builder.build(); return builder.build();
} }

43
x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectorySessionFactoryTests.java vendored
View File

@ -280,21 +280,16 @@ public class ActiveDirectorySessionFactoryTests extends AbstractActiveDirectoryT
String groupSearchBase = "DC=ad,DC=test,DC=elasticsearch,DC=com"; String groupSearchBase = "DC=ad,DC=test,DC=elasticsearch,DC=com";
String userTemplate = "CN={0},CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com"; String userTemplate = "CN={0},CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com";
Settings settings = Settings.builder() Settings settings = Settings.builder()
.put(LdapTestCase.buildLdapSettings( .put(LdapTestCase.buildLdapSettings(
new String[]{AD_LDAP_URL}, new String[]{AD_LDAP_URL},
new String[]{userTemplate}, new String[]{userTemplate},
groupSearchBase, groupSearchBase,
LdapSearchScope.SUB_TREE, LdapSearchScope.SUB_TREE,
null, null,
true)) true))
.put("follow_referrals", FOLLOW_REFERRALS) .put("follow_referrals", FOLLOW_REFERRALS)
.build(); .putList("ssl.certificate_authorities", certificatePaths)
if (useGlobalSSL == false) { .build();
settings = Settings.builder()
.put(settings)
.putList("ssl.certificate_authorities", certificatePaths)
.build();
}
RealmConfig config = configureRealm("ad-as-ldap-test", settings); RealmConfig config = configureRealm("ad-as-ldap-test", settings);
LdapSessionFactory sessionFactory = new LdapSessionFactory(config, sslService, threadPool); LdapSessionFactory sessionFactory = new LdapSessionFactory(config, sslService, threadPool);
@ -325,9 +320,7 @@ public class ActiveDirectorySessionFactoryTests extends AbstractActiveDirectoryT
null, null,
ignoreReferralErrors); ignoreReferralErrors);
final Settings.Builder builder = Settings.builder().put(settings).put(globalSettings); final Settings.Builder builder = Settings.builder().put(settings).put(globalSettings);
if (useGlobalSSL == false) { builder.putList(RealmSettings.realmSslPrefix(realmId) + "certificate_authorities", certificatePaths);
builder.putList(RealmSettings.realmSslPrefix(realmId) + "certificate_authorities", certificatePaths);
}
settings = builder.build(); settings = builder.build();
RealmConfig config = new RealmConfig(realmId, RealmConfig config = new RealmConfig(realmId,
settings, TestEnvironment.newEnvironment(globalSettings), settings, TestEnvironment.newEnvironment(globalSettings),
@ -352,12 +345,10 @@ public class ActiveDirectorySessionFactoryTests extends AbstractActiveDirectoryT
public void testStandardLdapWithAttributeGroups() throws Exception { public void testStandardLdapWithAttributeGroups() throws Exception {
String userTemplate = "CN={0},CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com"; String userTemplate = "CN={0},CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com";
Settings settings = LdapTestCase.buildLdapSettings(new String[]{AD_LDAP_URL}, userTemplate, false); Settings settings = LdapTestCase.buildLdapSettings(new String[]{AD_LDAP_URL}, userTemplate, false);
if (useGlobalSSL == false) { settings = Settings.builder()
settings = Settings.builder() .put(settings)
.put(settings) .putList("ssl.certificate_authorities", certificatePaths)
.putList("ssl.certificate_authorities", certificatePaths) .build();
.build();
}
RealmConfig config = configureRealm("ad-as-ldap-test", settings); RealmConfig config = configureRealm("ad-as-ldap-test", settings);
LdapSessionFactory sessionFactory = new LdapSessionFactory(config, sslService, threadPool); LdapSessionFactory sessionFactory = new LdapSessionFactory(config, sslService, threadPool);
@ -412,9 +403,7 @@ public class ActiveDirectorySessionFactoryTests extends AbstractActiveDirectoryT
builder.put(getFullSettingKey(REALM_ID, SessionFactorySettings.HOSTNAME_VERIFICATION_SETTING), hostnameVerification); builder.put(getFullSettingKey(REALM_ID, SessionFactorySettings.HOSTNAME_VERIFICATION_SETTING), hostnameVerification);
} }
if (useGlobalSSL == false) { builder.putList(getFullSettingKey(REALM_ID, SSLConfigurationSettings.CAPATH_SETTING_REALM), certificatePaths);
builder.putList(getFullSettingKey(REALM_ID, SSLConfigurationSettings.CAPATH_SETTING_REALM), certificatePaths);
}
if (useBindUser) { if (useBindUser) {
final String user = randomFrom("cap", "hawkeye", "hulk", "ironman", "thor", "blackwidow", "cap@ad.test.elasticsearch.com", final String user = randomFrom("cap", "hawkeye", "hulk", "ironman", "thor", "blackwidow", "cap@ad.test.elasticsearch.com",

18
x-pack/qa/vagrant/src/test/resources/packaging/tests/certgen.bash
View File

@ -251,9 +251,12 @@ node.data: false
discovery.zen.ping.unicast.hosts: ["127.0.0.1:9301"] discovery.zen.ping.unicast.hosts: ["127.0.0.1:9301"]
cluster.initial_master_nodes: ["node-master"] cluster.initial_master_nodes: ["node-master"]
xpack.ssl.key: $ESCONFIG/certs/node-master/node-master.key xpack.security.transport.ssl.key: $ESCONFIG/certs/node-master/node-master.key
xpack.ssl.certificate: $ESCONFIG/certs/node-master/node-master.crt xpack.security.transport.ssl.certificate: $ESCONFIG/certs/node-master/node-master.crt
xpack.ssl.certificate_authorities: ["$ESCONFIG/certs/ca/ca.crt"] xpack.security.transport.ssl.certificate_authorities: ["$ESCONFIG/certs/ca/ca.crt"]
xpack.security.http.ssl.key: $ESCONFIG/certs/node-master/node-master.key
xpack.security.http.ssl.certificate: $ESCONFIG/certs/node-master/node-master.crt
xpack.security.http.ssl.certificate_authorities: ["$ESCONFIG/certs/ca/ca.crt"]
xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.enabled: true
transport.tcp.port: 9300 transport.tcp.port: 9300
@ -334,9 +337,12 @@ node.master: false
node.data: true node.data: true
discovery.zen.ping.unicast.hosts: ["127.0.0.1:9300"] discovery.zen.ping.unicast.hosts: ["127.0.0.1:9300"]
xpack.ssl.key: $ESCONFIG/certs/node-data/node-data.key xpack.security.transport.ssl.key: $ESCONFIG/certs/node-data/node-data.key
xpack.ssl.certificate: $ESCONFIG/certs/node-data/node-data.crt xpack.security.transport.ssl.certificate: $ESCONFIG/certs/node-data/node-data.crt
xpack.ssl.certificate_authorities: ["$ESCONFIG/certs/ca/ca.crt"] xpack.security.transport.ssl.certificate_authorities: ["$ESCONFIG/certs/ca/ca.crt"]
xpack.security.http.ssl.key: $ESCONFIG/certs/node-data/node-data.key
xpack.security.http.ssl.certificate: $ESCONFIG/certs//node-data/node-data.crt
xpack.security.http.ssl.certificate_authorities: ["$ESCONFIG/certs/ca/ca.crt"]
xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.enabled: true
transport.tcp.port: 9301 transport.tcp.port: 9301