Security: remove SSL settings fallback (#36846)
This commit removes the fallback for SSL settings. While this may be seen as a non user friendly change, the intention behind this change is to simplify the reasoning needed to understand what is actually being used for a given SSL configuration. Each configuration now needs to be explicitly specified as there is no global configuration or fallback to some other configuration. Closes #29797
This commit is contained in:
parent
b86621c157
commit
f3edbe2911
|
@ -105,7 +105,7 @@ integTestCluster {
|
|||
setting 'xpack.security.enabled', 'true'
|
||||
setting 'xpack.security.authc.token.enabled', 'true'
|
||||
// Truststore settings are not used since TLS is not enabled. Included for testing the get certificates API
|
||||
setting 'xpack.ssl.certificate_authorities', 'testnode.crt'
|
||||
setting 'xpack.security.http.ssl.certificate_authorities', 'testnode.crt'
|
||||
setting 'xpack.security.transport.ssl.truststore.path', 'testnode.jks'
|
||||
keystoreSetting 'xpack.security.transport.ssl.truststore.secure_password', 'testnode'
|
||||
setupCommand 'setupDummyUser',
|
||||
|
|
|
@ -121,3 +121,13 @@ xpack.security.authc.realms:
|
|||
Any realm specific secure settings that have been stored in the elasticsearch
|
||||
keystore (such as ldap bind passwords, or passwords for ssl keys) must be updated
|
||||
in a similar way.
|
||||
|
||||
[float]
|
||||
[[tls-setting-fallback]]
|
||||
==== TLS/SSL settings
|
||||
|
||||
The default TLS/SSL settings, which were prefixed by `xpack.ssl`, have been removed.
|
||||
The removal of these default settings also removes the ability for a component to
|
||||
fallback to a default configuration when using TLS. Each component (realm, transport, http,
|
||||
http client, etc) must now be configured with their own settings for TLS if it is being
|
||||
used.
|
||||
|
|
|
@ -114,11 +114,14 @@ services:
|
|||
- xpack.license.self_generated.type=trial <2>
|
||||
- xpack.security.enabled=true
|
||||
- xpack.security.http.ssl.enabled=true
|
||||
- xpack.security.http.ssl.key=$CERTS_DIR/es01/es01.key
|
||||
- xpack.security.http.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
|
||||
- xpack.security.http.ssl.certificate=$CERTS_DIR/es01/es01.crt
|
||||
- xpack.security.transport.ssl.enabled=true
|
||||
- xpack.security.transport.ssl.verification_mode=certificate <3>
|
||||
- xpack.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
|
||||
- xpack.ssl.certificate=$CERTS_DIR/es01/es01.crt
|
||||
- xpack.ssl.key=$CERTS_DIR/es01/es01.key
|
||||
- xpack.security.transport.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
|
||||
- xpack.security.transport.ssl.certificate=$CERTS_DIR/es01/es01.crt
|
||||
- xpack.security.transport.ssl.key=$CERTS_DIR/es01/es01.key
|
||||
volumes: ['esdata_01:/usr/share/elasticsearch/data', './certs:$CERTS_DIR']
|
||||
ports:
|
||||
- 9200:9200
|
||||
|
@ -140,11 +143,14 @@ services:
|
|||
- xpack.license.self_generated.type=trial
|
||||
- xpack.security.enabled=true
|
||||
- xpack.security.http.ssl.enabled=true
|
||||
- xpack.security.http.ssl.key=$CERTS_DIR/es02/es02.key
|
||||
- xpack.security.http.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
|
||||
- xpack.security.http.ssl.certificate=$CERTS_DIR/es02/es02.crt
|
||||
- xpack.security.transport.ssl.enabled=true
|
||||
- xpack.security.transport.ssl.verification_mode=certificate
|
||||
- xpack.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
|
||||
- xpack.ssl.certificate=$CERTS_DIR/es02/es02.crt
|
||||
- xpack.ssl.key=$CERTS_DIR/es02/es02.key
|
||||
- xpack.security.transport.ssl.verification_mode=certificate <3>
|
||||
- xpack.security.transport.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
|
||||
- xpack.security.transport.ssl.certificate=$CERTS_DIR/es02/es02.crt
|
||||
- xpack.security.transport.ssl.key=$CERTS_DIR/es02/es02.key
|
||||
volumes: ['esdata_02:/usr/share/elasticsearch/data', './certs:$CERTS_DIR']
|
||||
|
||||
wait_until_ready:
|
||||
|
@ -199,9 +205,9 @@ WARNING: Windows users not running PowerShell will need to remove `\` and join l
|
|||
----
|
||||
docker exec es01 /bin/bash -c "bin/elasticsearch-setup-passwords \
|
||||
auto --batch \
|
||||
-Expack.ssl.certificate=certificates/es01/es01.crt \
|
||||
-Expack.ssl.certificate_authorities=certificates/ca/ca.crt \
|
||||
-Expack.ssl.key=certificates/es01/es01.key \
|
||||
-Expack.security.http.ssl.certificate=certificates/es01/es01.crt \
|
||||
-Expack.security.http.ssl.certificate_authorities=certificates/ca/ca.crt \
|
||||
-Expack.security.http.ssl.key=certificates/es01/es01.key \
|
||||
--url https://localhost:9200"
|
||||
----
|
||||
--
|
||||
|
|
|
@ -25,7 +25,7 @@ xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12 <3>
|
|||
<1> If you used the `--dns` or `--ip` options with the `elasticsearch-certutil cert` command
|
||||
and you want to enable strict hostname checking, set the verification mode to
|
||||
`full`.
|
||||
See <<ssl-tls-settings, `xpack.ssl.verification_mode`>> for a description of these values.
|
||||
See <<ssl-tls-settings, `xpack.security.transport.ssl.verification_mode`>> for a description of these values.
|
||||
|
||||
<2> If you created a separate certificate for each node, then you might need to
|
||||
customize this path on each node. If the filename matches the node name, you can
|
||||
|
@ -54,7 +54,7 @@ xpack.security.transport.ssl.certificate_authorities: [ "/home/es/config/ca.crt"
|
|||
<1> If you used the `--dns` or `--ip` options with the `elasticsearch-certutil cert` command
|
||||
and you want to enable strict hostname checking, set the verification mode to
|
||||
`full`.
|
||||
See <<ssl-tls-settings, `xpack.ssl.verification_mode`>> for a description of these values.
|
||||
See <<ssl-tls-settings, `xpack.security.transport.ssl.verification_mode`>> for a description of these values.
|
||||
<2> The full path to the node key file. This must be a location within the
|
||||
{es} configuration directory.
|
||||
<3> The full path to the node certificate. This must be a location within the
|
||||
|
|
|
@ -475,20 +475,18 @@ The default is `jks`.
|
|||
`ssl.verification_mode`::
|
||||
Indicates the type of verification when using `ldaps` to protect against man
|
||||
in the middle attacks and certificate forgery. Values are `none`, `certificate`,
|
||||
and `full`. Defaults to the value of `xpack.ssl.verification_mode`.
|
||||
and `full`. Defaults to `full`.
|
||||
+
|
||||
See <<ssl-tls-settings,`xpack.ssl.verification_mode`>> for an explanation of
|
||||
these values.
|
||||
See <<ssl-tls-settings,`ssl.verification_mode`>> for an explanation of these values.
|
||||
|
||||
`ssl.supported_protocols`::
|
||||
Supported protocols for TLS/SSL (with versions). Defaults to the value of
|
||||
`xpack.ssl.supported_protocols`.
|
||||
Supported protocols for TLS/SSL (with versions). Defaults to `TLSv1.2,TLSv1.1,TLSv1`.
|
||||
|
||||
`ssl.cipher_suites`:: Specifies the cipher suites that should be supported when
|
||||
communicating with the LDAP server.
|
||||
Supported cipher suites can be found in Oracle's http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html[
|
||||
Java Cryptography Architecture documentation]. Defaults to the value of
|
||||
`xpack.ssl.cipher_suites`.
|
||||
Java Cryptography Architecture documentation]. See <<ssl-tls-settings,`ssl.cipher_suites`>>
|
||||
for the default value.
|
||||
|
||||
`cache.ttl`::
|
||||
Specifies the time-to-live for cached user entries. A user and a hash of its
|
||||
|
@ -721,20 +719,18 @@ The default is `jks`.
|
|||
`ssl.verification_mode`::
|
||||
Indicates the type of verification when using `ldaps` to protect against man
|
||||
in the middle attacks and certificate forgery. Values are `none`, `certificate`,
|
||||
and `full`. Defaults to the value of `xpack.ssl.verification_mode`.
|
||||
and `full`. Defaults to `full`.
|
||||
+
|
||||
See <<ssl-tls-settings,`xpack.ssl.verification_mode`>> for an explanation of
|
||||
these values.
|
||||
See <<ssl-tls-settings,`ssl.verification_mode`>> for an explanation of these values.
|
||||
|
||||
`ssl.supported_protocols`::
|
||||
Supported protocols for TLS/SSL (with versions). Defaults to the value of
|
||||
`xpack.ssl.supported_protocols`.
|
||||
Supported protocols for TLS/SSL (with versions). Defaults to `TLSv1.2, TLSv1.1, TLSv1`.
|
||||
|
||||
`ssl.cipher_suites`:: Specifies the cipher suites that should be supported when
|
||||
communicating with the Active Directory server.
|
||||
Supported cipher suites can be found in Oracle's http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html[
|
||||
Java Cryptography Architecture documentation]. Defaults to the value of
|
||||
`xpack.ssl.cipher_suites`.
|
||||
Java Cryptography Architecture documentation]. See <<ssl-tls-settings,`ssl.cipher_suites`>> for
|
||||
the default values.
|
||||
|
||||
`cache.ttl`::
|
||||
Specifies the time-to-live for cached user entries. A user and a hash of its
|
||||
|
@ -1133,8 +1129,7 @@ One of `full`
|
|||
certificate path, but not the hostname) or `none` (perform no verification).
|
||||
Defaults to `full`.
|
||||
+
|
||||
See <<ssl-tls-settings,`xpack.ssl.verification_mode`>> for a more detailed
|
||||
explanation of these values.
|
||||
See <<ssl-tls-settings,`ssl.verification_mode`>> for a more detailed explanation of these values.
|
||||
|
||||
`ssl.supported_protocols`::
|
||||
Specifies the supported protocols for TLS/SSL.
|
||||
|
@ -1204,14 +1199,12 @@ through the list of URLs will continue until a successful connection is made.
|
|||
|
||||
[float]
|
||||
[[ssl-tls-settings]]
|
||||
==== Default TLS/SSL settings
|
||||
You can configure the following TLS/SSL settings in
|
||||
`elasticsearch.yml`. For more information, see
|
||||
{stack-ov}/encrypting-communications.html[Encrypting communications]. These
|
||||
settings are used unless they have been overridden by more specific
|
||||
settings such as those for HTTP or Transport.
|
||||
==== Default values for TLS/SSL settings
|
||||
In general, the values below represent the default values for the various TLS
|
||||
settings. For more information, see
|
||||
{stack-ov}/encrypting-communications.html[Encrypting communications].
|
||||
|
||||
`xpack.ssl.supported_protocols`::
|
||||
`ssl.supported_protocols`::
|
||||
Supported protocols with versions. Valid protocols: `SSLv2Hello`,
|
||||
`SSLv3`, `TLSv1`, `TLSv1.1`, `TLSv1.2`. Defaults to `TLSv1.2`, `TLSv1.1`,
|
||||
`TLSv1`.
|
||||
|
@ -1221,15 +1214,15 @@ NOTE: If `xpack.security.fips_mode.enabled` is `true`, you cannot use `SSLv2Hell
|
|||
or `SSLv3`. See <<fips-140-compliance>>.
|
||||
--
|
||||
|
||||
`xpack.ssl.client_authentication`::
|
||||
`ssl.client_authentication`::
|
||||
Controls the server's behavior in regard to requesting a certificate
|
||||
from client connections. Valid values are `required`, `optional`, and `none`.
|
||||
`required` forces a client to present a certificate, while `optional`
|
||||
requests a client certificate but the client is not required to present one.
|
||||
Defaults to `required`. This global setting is not applicable for HTTP, see
|
||||
Defaults to `required`, except for HTTP, which defaults to `none`. See
|
||||
<<http-tls-ssl-settings>>.
|
||||
|
||||
`xpack.ssl.verification_mode`::
|
||||
`ssl.verification_mode`::
|
||||
Controls the verification of certificates. Valid values are:
|
||||
- `full`, which verifies that the provided certificate is signed by a trusted
|
||||
authority (CA) and also verifies that the server's hostname (or IP
|
||||
|
@ -1244,7 +1237,7 @@ Controls the verification of certificates. Valid values are:
|
|||
+
|
||||
The default value is `full`.
|
||||
|
||||
`xpack.ssl.cipher_suites`::
|
||||
`ssl.cipher_suites`::
|
||||
Supported cipher suites can be found in Oracle's http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html[
|
||||
Java Cryptography Architecture documentation]. Defaults to `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`,
|
||||
`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`,
|
||||
|
@ -1255,112 +1248,15 @@ Jurisdiction Policy Files_ has been installed, the default value also includes `
|
|||
|
||||
[float]
|
||||
[[tls-ssl-key-settings]]
|
||||
===== Default TLS/SSL key and trusted certificate settings
|
||||
===== TLS/SSL key and trusted certificate settings
|
||||
|
||||
The following settings are used to specify a private key, certificate, and the
|
||||
trusted certificates that should be used when communicating over an SSL/TLS connection.
|
||||
If none of the settings below are specified, the
|
||||
<<ssl-tls-settings,default settings>> are used. If no trusted certificates are configured, the default certificates that are trusted by the JVM will be
|
||||
trusted along with the certificate(s) from the <<tls-ssl-key-settings, key settings>>. The key and certificate must be in place
|
||||
for connections that require client authentication or when acting as a SSL enabled server.
|
||||
|
||||
[float]
|
||||
===== PEM encoded files
|
||||
|
||||
When using PEM encoded files, use the following settings:
|
||||
|
||||
`xpack.ssl.key`::
|
||||
Path to the PEM encoded file containing the private key.
|
||||
|
||||
`xpack.ssl.key_passphrase`::
|
||||
The passphrase that is used to decrypt the private key. This value is
|
||||
optional as the key might not be encrypted.
|
||||
|
||||
`xpack.ssl.secure_key_passphrase` (<<secure-settings,Secure>>)::
|
||||
The passphrase that is used to decrypt the private key. This value is
|
||||
optional as the key might not be encrypted.
|
||||
|
||||
`xpack.ssl.certificate`::
|
||||
Path to a PEM encoded file containing the certificate (or certificate chain)
|
||||
that will be presented to clients when they connect.
|
||||
|
||||
`xpack.ssl.certificate_authorities`::
|
||||
List of paths to the PEM encoded certificate files that should be trusted.
|
||||
|
||||
[float]
|
||||
===== Java keystore files
|
||||
|
||||
When using Java keystore files (JKS), which contain the private key, certificate
|
||||
and certificates that should be trusted, use the following settings:
|
||||
|
||||
`xpack.ssl.keystore.path`::
|
||||
Path to the keystore that holds the private key and certificate.
|
||||
|
||||
`xpack.ssl.keystore.password`::
|
||||
Password to the keystore.
|
||||
|
||||
`xpack.ssl.keystore.secure_password` (<<secure-settings,Secure>>)::
|
||||
Password to the keystore.
|
||||
|
||||
`xpack.ssl.keystore.key_password`::
|
||||
Password for the private key in the keystore. Defaults to the
|
||||
same value as `xpack.ssl.keystore.password`.
|
||||
|
||||
`xpack.ssl.keystore.secure_key_password` (<<secure-settings,Secure>>)::
|
||||
Password for the private key in the keystore.
|
||||
|
||||
`xpack.ssl.truststore.path`::
|
||||
Path to the truststore file.
|
||||
|
||||
`xpack.ssl.truststore.password`::
|
||||
Password to the truststore.
|
||||
|
||||
`xpack.ssl.truststore.secure_password` (<<secure-settings,Secure>>)::
|
||||
Password to the truststore.
|
||||
|
||||
WARNING: If `xpack.security.fips_mode.enabled` is `true`, you cannot use Java
|
||||
keystore files. See <<fips-140-compliance>>.
|
||||
|
||||
[float]
|
||||
===== PKCS#12 files
|
||||
|
||||
When using PKCS#12 container files (`.p12` or `.pfx`), which contain the
|
||||
private key, certificate, and certificates that should be trusted, use
|
||||
the following settings:
|
||||
|
||||
`xpack.ssl.keystore.path`::
|
||||
Path to the PKCS#12 file that holds the private key and certificate.
|
||||
|
||||
`xpack.ssl.keystore.type`::
|
||||
Set this to `PKCS12`.
|
||||
|
||||
`xpack.ssl.keystore.password`::
|
||||
Password to the PKCS#12 file.
|
||||
|
||||
`xpack.ssl.keystore.secure_password` (<<secure-settings,Secure>>)::
|
||||
Password to the PKCS#12 file.
|
||||
|
||||
`xpack.ssl.keystore.key_password`::
|
||||
Password for the private key in the PKCS12 file.
|
||||
Defaults to the same value as `xpack.ssl.keystore.password`.
|
||||
|
||||
`xpack.ssl.keystore.secure_key_password` (<<secure-settings,Secure>>)::
|
||||
Password for the private key in the PKCS12 file.
|
||||
|
||||
`xpack.ssl.truststore.path`::
|
||||
Path to the truststore file.
|
||||
|
||||
`xpack.ssl.truststore.type`::
|
||||
Set this to `PKCS12`.
|
||||
|
||||
`xpack.ssl.truststore.password`::
|
||||
Password to the truststore.
|
||||
|
||||
`xpack.ssl.truststore.secure_password` (<<secure-settings,Secure>>)::
|
||||
Password to the truststore.
|
||||
|
||||
WARNING: If `xpack.security.fips_mode.enabled` is `true`, you cannot use PKCS#12
|
||||
keystore files. See <<fips-140-compliance>>.
|
||||
trusted certificates that should be used when communicating over an SSL/TLS
|
||||
connection. If no trusted certificates are configured, the default certificates
|
||||
that are trusted by the JVM will be trusted along with the certificate(s)
|
||||
associated with a key in the same context. The key and certificate must be in
|
||||
place for connections that require client authentication or when acting as a
|
||||
SSL enabled server.
|
||||
|
||||
[[pkcs12-truststore-note]]
|
||||
[NOTE]
|
||||
|
@ -1375,33 +1271,6 @@ a PKCS#12 container includes trusted certificate ("anchor") entries look for
|
|||
`openssl pkcs12 -info` output, or `trustedCertEntry` in the
|
||||
`keytool -list` output.
|
||||
|
||||
[float]
|
||||
===== PKCS#11 tokens
|
||||
|
||||
When using a PKCS#11 cryptographic token, which contains the
|
||||
private key, certificate, and certificates that should be trusted, use
|
||||
the following settings:
|
||||
|
||||
`xpack.ssl.keystore.type`::
|
||||
Set this to `PKCS11`.
|
||||
|
||||
`xpack.ssl.truststore.type`::
|
||||
Set this to `PKCS11`.
|
||||
|
||||
|
||||
[[pkcs11-truststore-note]]
|
||||
[NOTE]
|
||||
When configuring the PKCS#11 token that your JVM is configured to use as
|
||||
a keystore or a truststore for Elasticsearch, the PIN for the token can be
|
||||
configured by setting the appropriate value to `xpack.ssl.truststore.password`
|
||||
or `xpack.ssl.truststore.secure_password`. In the absence of the above, {es} will
|
||||
fallback to use he appropriate JVM setting (`-Djavax.net.ssl.trustStorePassword`)
|
||||
if that is set.
|
||||
Since there can only be one PKCS#11 token configured, only one keystore and
|
||||
truststore will be usable for configuration in {es}. This in turn means
|
||||
that only one certificate can be used for TLS both in the transport and the
|
||||
http layer.
|
||||
|
||||
[[http-tls-ssl-settings]]
|
||||
:ssl-prefix: xpack.security.http
|
||||
:component: HTTP
|
||||
|
@ -1435,7 +1304,7 @@ append the portion of the setting after `xpack.security.transport.`. For the key
|
|||
setting, this would be `transport.profiles.$PROFILE.xpack.security.ssl.key`.
|
||||
|
||||
[[auditing-tls-ssl-settings]]
|
||||
:ssl-prefix: xpack.security.audit.index.client.xpack
|
||||
:ssl-prefix: xpack.security.audit.index.client.xpack.security.transport
|
||||
:component: Auditing
|
||||
:client-auth-default!:
|
||||
:server!:
|
||||
|
|
|
@ -12,7 +12,7 @@ endif::server[]
|
|||
+{ssl-prefix}.ssl.supported_protocols+::
|
||||
Supported protocols with versions. Valid protocols: `SSLv2Hello`,
|
||||
`SSLv3`, `TLSv1`, `TLSv1.1`, `TLSv1.2`. Defaults to `TLSv1.2`, `TLSv1.1`,
|
||||
`TLSv1`. Defaults to the value of `xpack.ssl.supported_protocols`.
|
||||
`TLSv1`.
|
||||
|
||||
ifdef::server[]
|
||||
+{ssl-prefix}.ssl.client_authentication+::
|
||||
|
@ -21,7 +21,7 @@ from client connections. Valid values are `required`, `optional`, and `none`.
|
|||
`required` forces a client to present a certificate, while `optional`
|
||||
requests a client certificate but the client is not required to present one.
|
||||
ifndef::client-auth-default[]
|
||||
Defaults to the value of `xpack.ssl.client_authentication`.
|
||||
Defaults to `none``.
|
||||
endif::client-auth-default[]
|
||||
ifdef::client-auth-default[]
|
||||
Defaults to +{client-auth-default}+.
|
||||
|
@ -31,15 +31,12 @@ endif::server[]
|
|||
ifdef::verifies[]
|
||||
+{ssl-prefix}.ssl.verification_mode+::
|
||||
Controls the verification of certificates. Valid values are `none`,
|
||||
`certificate`, and `full`.
|
||||
See <<ssl-tls-settings, `xpack.ssl.verification_mode`>> for a description of these values.
|
||||
Defaults to the value of `xpack.ssl.verification_mode`.
|
||||
`certificate`, and `full`. Defaults to `full`.
|
||||
endif::verifies[]
|
||||
|
||||
+{ssl-prefix}.ssl.cipher_suites+::
|
||||
Supported cipher suites can be found in Oracle's http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html[
|
||||
Java Cryptography Architecture documentation]. Defaults to the value of
|
||||
`xpack.ssl.cipher_suites`.
|
||||
Java Cryptography Architecture documentation]. Defaults to ``.
|
||||
|
||||
|
||||
===== {component} TLS/SSL Key and Trusted Certificate Settings
|
||||
|
@ -159,3 +156,13 @@ Set this to `PKCS11` to indicate that the PKCS#11 token should be used as a keys
|
|||
|
||||
+{ssl-prefix}.truststore.type+::
|
||||
Set this to `PKCS11` to indicate that the PKCS#11 token should be used as a truststore.
|
||||
|
||||
[NOTE]
|
||||
When configuring the PKCS#11 token that your JVM is configured to use as
|
||||
a keystore or a truststore for Elasticsearch, the PIN for the token can be
|
||||
configured by setting the appropriate value to `ssl.truststore.password`
|
||||
or `ssl.truststore.secure_password` in the context that you are configuring.
|
||||
Since there can only be one PKCS#11 token configured, only one keystore and
|
||||
truststore will be usable for configuration in {es}. This in turn means
|
||||
that only one certificate can be used for TLS both in the transport and the
|
||||
http layer.
|
||||
|
|
|
@ -22,16 +22,16 @@ Transport Layer Security (TLS), see
|
|||
The API returns a list that includes certificates from all TLS contexts
|
||||
including:
|
||||
|
||||
* Default {es} TLS settings
|
||||
* Settings for transport and HTTP interfaces
|
||||
* TLS settings that are used within authentication realms
|
||||
* TLS settings for remote monitoring exporters
|
||||
|
||||
The list includes certificates that are used for configuring trust, such as
|
||||
those configured in the `xpack.ssl.truststore` and
|
||||
`xpack.ssl.certificate_authorities` settings. It also includes certificates that
|
||||
that are used for configuring server identity, such as `xpack.ssl.keystore` and
|
||||
`xpack.ssl.certificate` settings.
|
||||
those configured in the `xpack.security.transport.ssl.truststore` and
|
||||
`xpack.security.transport.ssl.certificate_authorities` settings. It also
|
||||
includes certificates that are used for configuring server identity, such as
|
||||
`xpack.security.http.ssl.keystore` and
|
||||
`xpack.security.http.ssl.certificate` settings.
|
||||
|
||||
The list does not include certificates that are sourced from the default SSL
|
||||
context of the Java Runtime Environment (JRE), even if those certificates are in
|
||||
|
|
|
@ -46,8 +46,8 @@ to the `elasticsearch.yml` file:
|
|||
[source,yaml]
|
||||
-----------------------------------------------------------
|
||||
xpack.security.audit.index.client.xpack.security.transport.ssl.enabled: true
|
||||
xpack.security.audit.index.client.xpack.ssl.keystore.path: certs/remote-elastic-certificates.p12
|
||||
xpack.security.audit.index.client.xpack.ssl.truststore.path: certs/remote-elastic-certificates.p12
|
||||
xpack.security.audit.index.client.xpack.security.transport.ssl.keystore.path: certs/remote-elastic-certificates.p12
|
||||
xpack.security.audit.index.client.xpack.security.transport.ssl.truststore.path: certs/remote-elastic-certificates.p12
|
||||
-----------------------------------------------------------
|
||||
|
||||
For more information about these settings, see
|
||||
|
@ -61,9 +61,9 @@ For more information about these settings, see
|
|||
[source, yaml]
|
||||
--------------------------------------------------
|
||||
xpack.security.audit.index.client.xpack.security.transport.ssl.enabled: true
|
||||
xpack.security.audit.index.client.xpack.ssl.key: /home/es/config/audit-client.key
|
||||
xpack.security.audit.index.client.xpack.ssl.certificate: /home/es/config/audit-client.crt
|
||||
xpack.security.audit.index.client.xpack.ssl.certificate_authorities: [ "/home/es/config/remote-ca.crt" ]
|
||||
xpack.security.audit.index.client.xpack.security.transport.ssl.key: /home/es/config/audit-client.key
|
||||
xpack.security.audit.index.client.xpack.security.transport.ssl.certificate: /home/es/config/audit-client.crt
|
||||
xpack.security.audit.index.client.xpack.security.transport.ssl.certificate_authorities: [ "/home/es/config/remote-ca.crt" ]
|
||||
--------------------------------------------------
|
||||
|
||||
For more information about these settings, see
|
||||
|
@ -78,9 +78,9 @@ your {es} keystore:
|
|||
--
|
||||
[source,shell]
|
||||
-----------------------------------------------------------
|
||||
bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.ssl.keystore.secure_password
|
||||
bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.security.transport.ssl.keystore.secure_password
|
||||
|
||||
bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.ssl.truststore.secure_password
|
||||
bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.security.transport.ssl.truststore.secure_password
|
||||
-----------------------------------------------------------
|
||||
--
|
||||
|
||||
|
@ -89,7 +89,7 @@ bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.ssl.trust
|
|||
--
|
||||
[source,shell]
|
||||
-----------------------------------------------------------
|
||||
bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.ssl.secure_key_passphrase
|
||||
bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.security.transport.ssl.secure_key_passphrase
|
||||
-----------------------------------------------------------
|
||||
--
|
||||
|
||||
|
|
|
@ -90,7 +90,7 @@ In particular this means:
|
|||
* The interface must _trust_ the certificate that is presented by the client
|
||||
by configuring either the `truststore` or `certificate_authorities` paths,
|
||||
or by setting `verification_mode` to `none`. See
|
||||
<<ssl-tls-settings,`xpack.ssl.verification_mode`>> for an explanation of this
|
||||
<<ssl-tls-settings,`ssl.verification_mode`>> for an explanation of this
|
||||
setting.
|
||||
* The _protocols_ supported by the interface must be compatible with those
|
||||
used by the client.
|
||||
|
|
|
@ -105,9 +105,10 @@ import org.elasticsearch.xpack.client.PreBuiltXPackTransportClient;
|
|||
TransportClient client = new PreBuiltXPackTransportClient(Settings.builder()
|
||||
.put("cluster.name", "myClusterName")
|
||||
.put("xpack.security.user", "transport_client_user:x-pack-test-password")
|
||||
.put("xpack.ssl.key", "/path/to/client.key")
|
||||
.put("xpack.ssl.certificate", "/path/to/client.crt")
|
||||
.put("xpack.ssl.certificate_authorities", "/path/to/ca.crt")
|
||||
.put("xpack.security.transport.ssl.enabled", true)
|
||||
.put("xpack.security.transport.ssl.key", "/path/to/client.key")
|
||||
.put("xpack.security.transport.ssl.certificate", "/path/to/client.crt")
|
||||
.put("xpack.security.transport.ssl.certificate_authorities", "/path/to/ca.crt")
|
||||
...
|
||||
.build());
|
||||
--------------------------------------------------------------------------------------------------
|
||||
|
@ -125,9 +126,10 @@ import org.elasticsearch.xpack.client.PreBuiltXPackTransportClient;
|
|||
TransportClient client = new PreBuiltXPackTransportClient(Settings.builder()
|
||||
.put("cluster.name", "myClusterName")
|
||||
.put("xpack.security.user", "transport_client_user:x-pack-test-password")
|
||||
.put("xpack.ssl.key", "/path/to/client.key")
|
||||
.put("xpack.ssl.certificate", "/path/to/client.crt")
|
||||
.put("xpack.ssl.certificate_authorities", "/path/to/ca.crt")
|
||||
.put("xpack.security.transport.ssl.enabled", true)
|
||||
.put("xpack.security.transport.ssl.key", "/path/to/client.key")
|
||||
.put("xpack.security.transport.ssl.certificate", "/path/to/client.crt")
|
||||
.put("xpack.security.transport.ssl.certificate_authorities", "/path/to/ca.crt")
|
||||
.put("xpack.security.transport.ssl.enabled", "true")
|
||||
...
|
||||
.build())
|
||||
|
@ -155,7 +157,7 @@ import org.elasticsearch.xpack.client.PreBuiltXPackTransportClient;
|
|||
TransportClient client = new PreBuiltXPackTransportClient(Settings.builder()
|
||||
.put("cluster.name", "myClusterName")
|
||||
.put("xpack.security.user", "test_user:x-pack-test-password")
|
||||
.put("xpack.ssl.certificate_authorities", "/path/to/ca.crt")
|
||||
.put("xpack.security.transport.ssl.certificate_authorities", "/path/to/ca.crt")
|
||||
.put("xpack.security.transport.ssl.enabled", "true")
|
||||
...
|
||||
.build())
|
||||
|
@ -164,7 +166,7 @@ TransportClient client = new PreBuiltXPackTransportClient(Settings.builder()
|
|||
------------------------------------------------------------------------------------------------------
|
||||
|
||||
NOTE: If you are using a public CA that is already trusted by the Java runtime,
|
||||
you do not need to set the `xpack.ssl.certificate_authorities`.
|
||||
you do not need to set the `xpack.security.transport.ssl.certificate_authorities`.
|
||||
|
||||
[float]
|
||||
[[connecting-anonymously]]
|
||||
|
|
|
@ -50,12 +50,12 @@ and able to run {es} successfully in a FIPS 140-2 enabled JVM.
|
|||
==== TLS
|
||||
|
||||
SSLv2 and SSLv3 are not allowed by FIPS 140-2, so `SSLv2Hello` and `SSLv3` cannot
|
||||
be used for <<ssl-tls-settings, xpack.ssl.supported_protocols>>
|
||||
be used for <<ssl-tls-settings, `ssl.supported_protocols`>>
|
||||
|
||||
NOTE: The use of TLS ciphers is mainly governed by the relevant crypto module
|
||||
(the FIPS Approved Security Provider that your JVM uses). All the ciphers that
|
||||
are configured by default in {es} are FIPS 140-2 compliant and as such can be
|
||||
used in a FIPS 140-2 JVM. (see <<ssl-tls-settings, xpack.ssl.cipher_suites>>)
|
||||
used in a FIPS 140-2 JVM. (see <<ssl-tls-settings, `ssl.cipher_suites`>>)
|
||||
|
||||
[float]
|
||||
==== TLS Keystores and keys
|
||||
|
@ -71,7 +71,7 @@ options, and for trust material you can use `*.certificate_authorities`.
|
|||
|
||||
FIPS 140-2 compliance dictates that the length of the public keys used for TLS
|
||||
must correspond to the strength of the symmetric key algorithm in use in TLS.
|
||||
Depending on the value of <<ssl-tls-settings, xpack.ssl.cipher_suites>> that
|
||||
Depending on the value of <<ssl-tls-settings, `ssl.cipher_suites`>> that
|
||||
you select to use, the TLS keys must have corresponding length according to
|
||||
the following table:
|
||||
|
||||
|
|
|
@ -159,10 +159,6 @@ public class XPackSettings {
|
|||
public static final SSLClientAuth HTTP_CLIENT_AUTH_DEFAULT = SSLClientAuth.NONE;
|
||||
public static final VerificationMode VERIFICATION_MODE_DEFAULT = VerificationMode.FULL;
|
||||
|
||||
// global settings that apply to everything!
|
||||
public static final String GLOBAL_SSL_PREFIX = "xpack.ssl.";
|
||||
private static final SSLConfigurationSettings GLOBAL_SSL = SSLConfigurationSettings.withPrefix(GLOBAL_SSL_PREFIX);
|
||||
|
||||
// http specific settings
|
||||
public static final String HTTP_SSL_PREFIX = SecurityField.setting("http.ssl.");
|
||||
private static final SSLConfigurationSettings HTTP_SSL = SSLConfigurationSettings.withPrefix(HTTP_SSL_PREFIX);
|
||||
|
@ -174,7 +170,6 @@ public class XPackSettings {
|
|||
/** Returns all settings created in {@link XPackSettings}. */
|
||||
public static List<Setting<?>> getAllSettings() {
|
||||
ArrayList<Setting<?>> settings = new ArrayList<>();
|
||||
settings.addAll(GLOBAL_SSL.getAllSettings());
|
||||
settings.addAll(HTTP_SSL.getAllSettings());
|
||||
settings.addAll(TRANSPORT_SSL.getAllSettings());
|
||||
settings.add(SECURITY_ENABLED);
|
||||
|
|
|
@ -83,13 +83,22 @@ public class SecurityNetty4Transport extends Netty4Transport {
|
|||
Set<String> profileNames = settings.getGroups("transport.profiles.", true).keySet();
|
||||
Map<String, SSLConfiguration> profileConfiguration = new HashMap<>(profileNames.size() + 1);
|
||||
for (String profileName : profileNames) {
|
||||
if (profileName.equals(TransportSettings.DEFAULT_PROFILE)) {
|
||||
// don't attempt to parse ssl settings from the profile;
|
||||
// profiles need to be killed with fire
|
||||
if (settings.getByPrefix("transport.profiles.default.xpack.security.ssl.").isEmpty()) {
|
||||
continue;
|
||||
} else {
|
||||
throw new IllegalArgumentException("SSL settings should not be configured for the default profile. " +
|
||||
"Use the [xpack.security.transport.ssl] settings instead.");
|
||||
}
|
||||
}
|
||||
SSLConfiguration configuration = sslService.getSSLConfiguration("transport.profiles." + profileName + "." + setting("ssl"));
|
||||
profileConfiguration.put(profileName, configuration);
|
||||
}
|
||||
|
||||
if (profileConfiguration.containsKey(TransportSettings.DEFAULT_PROFILE) == false) {
|
||||
profileConfiguration.put(TransportSettings.DEFAULT_PROFILE, defaultConfiguration);
|
||||
}
|
||||
assert profileConfiguration.containsKey(TransportSettings.DEFAULT_PROFILE) == false;
|
||||
profileConfiguration.put(TransportSettings.DEFAULT_PROFILE, defaultConfiguration);
|
||||
return profileConfiguration;
|
||||
}
|
||||
|
||||
|
|
|
@ -25,6 +25,7 @@ import java.util.Arrays;
|
|||
import java.util.Collection;
|
||||
import java.util.Collections;
|
||||
import java.util.List;
|
||||
import java.util.Objects;
|
||||
|
||||
/**
|
||||
* This class represents a trust configuration that corresponds to the default trusted certificates of the JDK
|
||||
|
@ -71,12 +72,15 @@ class DefaultJDKTrustConfig extends TrustConfig {
|
|||
|
||||
@Override
|
||||
public boolean equals(Object o) {
|
||||
return o == this;
|
||||
if (this == o) return true;
|
||||
if (o == null || getClass() != o.getClass()) return false;
|
||||
DefaultJDKTrustConfig that = (DefaultJDKTrustConfig) o;
|
||||
return Objects.equals(trustStorePassword, that.trustStorePassword);
|
||||
}
|
||||
|
||||
@Override
|
||||
public int hashCode() {
|
||||
return System.identityHashCode(this);
|
||||
return Objects.hash(trustStorePassword);
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
|
@ -13,16 +13,11 @@ import org.elasticsearch.env.Environment;
|
|||
import org.elasticsearch.xpack.core.XPackSettings;
|
||||
import org.elasticsearch.xpack.core.ssl.cert.CertificateInfo;
|
||||
|
||||
import javax.net.ssl.KeyManagerFactory;
|
||||
import javax.net.ssl.TrustManagerFactory;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.nio.file.Path;
|
||||
import java.security.GeneralSecurityException;
|
||||
import java.security.KeyStore;
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
import java.util.Objects;
|
||||
|
||||
import static org.elasticsearch.xpack.core.ssl.SSLConfigurationSettings.getKeyStoreType;
|
||||
|
||||
|
@ -51,32 +46,14 @@ public final class SSLConfiguration {
|
|||
* @param settings the SSL specific settings; only the settings under a *.ssl. prefix
|
||||
*/
|
||||
SSLConfiguration(Settings settings) {
|
||||
this.keyConfig = createKeyConfig(settings, (SSLConfiguration) null);
|
||||
this.trustConfig = createTrustConfig(settings, keyConfig, null);
|
||||
this.keyConfig = createKeyConfig(settings);
|
||||
this.trustConfig = createTrustConfig(settings, keyConfig);
|
||||
this.ciphers = getListOrDefault(SETTINGS_PARSER.ciphers, settings, XPackSettings.DEFAULT_CIPHERS);
|
||||
this.supportedProtocols = getListOrDefault(SETTINGS_PARSER.supportedProtocols, settings, XPackSettings.DEFAULT_SUPPORTED_PROTOCOLS);
|
||||
this.sslClientAuth = SETTINGS_PARSER.clientAuth.get(settings).orElse(XPackSettings.CLIENT_AUTH_DEFAULT);
|
||||
this.verificationMode = SETTINGS_PARSER.verificationMode.get(settings).orElse(XPackSettings.VERIFICATION_MODE_DEFAULT);
|
||||
}
|
||||
|
||||
/**
|
||||
* Creates a new SSLConfiguration from the given settings and global/default SSLConfiguration. If the settings do not contain a value
|
||||
* for a given aspect, the value from the global configuration will be used.
|
||||
*
|
||||
* @param settings the SSL specific settings; only the settings under a *.ssl. prefix
|
||||
* @param globalSSLConfiguration the default configuration that is used as a fallback
|
||||
*/
|
||||
SSLConfiguration(Settings settings, SSLConfiguration globalSSLConfiguration) {
|
||||
Objects.requireNonNull(globalSSLConfiguration);
|
||||
this.keyConfig = createKeyConfig(settings, globalSSLConfiguration);
|
||||
this.trustConfig = createTrustConfig(settings, keyConfig, globalSSLConfiguration);
|
||||
this.ciphers = getListOrDefault(SETTINGS_PARSER.ciphers, settings, globalSSLConfiguration.cipherSuites());
|
||||
this.supportedProtocols = getListOrDefault(SETTINGS_PARSER.supportedProtocols, settings,
|
||||
globalSSLConfiguration.supportedProtocols());
|
||||
this.sslClientAuth = SETTINGS_PARSER.clientAuth.get(settings).orElse(globalSSLConfiguration.sslClientAuth());
|
||||
this.verificationMode = SETTINGS_PARSER.verificationMode.get(settings).orElse(globalSSLConfiguration.verificationMode());
|
||||
}
|
||||
|
||||
/**
|
||||
* The configuration for the key, if any, that will be used as part of this ssl configuration
|
||||
*/
|
||||
|
@ -183,46 +160,28 @@ public final class SSLConfiguration {
|
|||
return result;
|
||||
}
|
||||
|
||||
private static KeyConfig createKeyConfig(Settings settings, SSLConfiguration global) {
|
||||
private static KeyConfig createKeyConfig(Settings settings) {
|
||||
final String trustStoreAlgorithm = SETTINGS_PARSER.truststoreAlgorithm.get(settings);
|
||||
final KeyConfig config = CertParsingUtils.createKeyConfig(SETTINGS_PARSER.x509KeyPair, settings, trustStoreAlgorithm);
|
||||
if (config != null) {
|
||||
return config;
|
||||
}
|
||||
if (global != null) {
|
||||
return global.keyConfig();
|
||||
}
|
||||
if (System.getProperty("javax.net.ssl.keyStore") != null && System.getProperty("javax.net.ssl.keyStore").equals("NONE") == false) {
|
||||
// TODO: we should not support loading a keystore from sysprops...
|
||||
try (SecureString keystorePassword = new SecureString(System.getProperty("javax.net.ssl.keyStorePassword", ""))) {
|
||||
return new StoreKeyConfig(System.getProperty("javax.net.ssl.keyStore"), KeyStore.getDefaultType(), keystorePassword,
|
||||
keystorePassword, System.getProperty("ssl.KeyManagerFactory.algorithm", KeyManagerFactory.getDefaultAlgorithm()),
|
||||
System.getProperty("ssl.TrustManagerFactory.algorithm", TrustManagerFactory.getDefaultAlgorithm()));
|
||||
}
|
||||
}
|
||||
return KeyConfig.NONE;
|
||||
return config == null ? KeyConfig.NONE : config;
|
||||
}
|
||||
|
||||
private static TrustConfig createTrustConfig(Settings settings, KeyConfig keyConfig, SSLConfiguration global) {
|
||||
final TrustConfig trustConfig = createCertChainTrustConfig(settings, keyConfig, global);
|
||||
private static TrustConfig createTrustConfig(Settings settings, KeyConfig keyConfig) {
|
||||
final TrustConfig trustConfig = createCertChainTrustConfig(settings, keyConfig);
|
||||
return SETTINGS_PARSER.trustRestrictionsPath.get(settings)
|
||||
.map(path -> (TrustConfig) new RestrictedTrustConfig(path, trustConfig))
|
||||
.orElse(trustConfig);
|
||||
}
|
||||
|
||||
private static TrustConfig createCertChainTrustConfig(Settings settings, KeyConfig keyConfig, SSLConfiguration global) {
|
||||
private static TrustConfig createCertChainTrustConfig(Settings settings, KeyConfig keyConfig) {
|
||||
String trustStorePath = SETTINGS_PARSER.truststorePath.get(settings).orElse(null);
|
||||
String trustStoreType = getKeyStoreType(SETTINGS_PARSER.truststoreType, settings, trustStorePath);
|
||||
List<String> caPaths = getListOrNull(SETTINGS_PARSER.caPaths, settings);
|
||||
if (trustStorePath != null && caPaths != null) {
|
||||
throw new IllegalArgumentException("you cannot specify a truststore and ca files");
|
||||
}
|
||||
VerificationMode verificationMode = SETTINGS_PARSER.verificationMode.get(settings).orElseGet(() -> {
|
||||
if (global != null) {
|
||||
return global.verificationMode();
|
||||
}
|
||||
return XPackSettings.VERIFICATION_MODE_DEFAULT;
|
||||
});
|
||||
|
||||
VerificationMode verificationMode = SETTINGS_PARSER.verificationMode.get(settings).orElse(XPackSettings.VERIFICATION_MODE_DEFAULT);
|
||||
if (verificationMode.isCertificateVerificationEnabled() == false) {
|
||||
return TrustAllConfig.INSTANCE;
|
||||
} else if (caPaths != null) {
|
||||
|
@ -231,14 +190,6 @@ public final class SSLConfiguration {
|
|||
String trustStoreAlgorithm = SETTINGS_PARSER.truststoreAlgorithm.get(settings);
|
||||
SecureString trustStorePassword = SETTINGS_PARSER.truststorePassword.get(settings);
|
||||
return new StoreTrustConfig(trustStorePath, trustStoreType, trustStorePassword, trustStoreAlgorithm);
|
||||
} else if (global == null && System.getProperty("javax.net.ssl.trustStore") != null
|
||||
&& System.getProperty("javax.net.ssl.trustStore").equals("NONE") == false) {
|
||||
try (SecureString truststorePassword = new SecureString(System.getProperty("javax.net.ssl.trustStorePassword", ""))) {
|
||||
return new StoreTrustConfig(System.getProperty("javax.net.ssl.trustStore"), KeyStore.getDefaultType(), truststorePassword,
|
||||
System.getProperty("ssl.TrustManagerFactory.algorithm", TrustManagerFactory.getDefaultAlgorithm()));
|
||||
}
|
||||
} else if (global != null && keyConfig == global.keyConfig()) {
|
||||
return global.trustConfig();
|
||||
} else if (keyConfig != KeyConfig.NONE) {
|
||||
return DefaultJDKTrustConfig.merge(keyConfig, getDefaultTrustStorePassword(settings));
|
||||
} else {
|
||||
|
|
|
@ -31,13 +31,14 @@ import javax.net.ssl.SSLSocketFactory;
|
|||
import javax.net.ssl.TrustManagerFactory;
|
||||
import javax.net.ssl.X509ExtendedKeyManager;
|
||||
import javax.net.ssl.X509ExtendedTrustManager;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.net.InetAddress;
|
||||
import java.net.Socket;
|
||||
import java.security.GeneralSecurityException;
|
||||
import java.security.KeyManagementException;
|
||||
import java.security.KeyStore;
|
||||
import java.security.NoSuchAlgorithmException;
|
||||
import java.security.KeyStore;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Arrays;
|
||||
import java.util.Collection;
|
||||
|
@ -81,8 +82,6 @@ public class SSLService {
|
|||
* always maps to the same {@link SSLContextHolder}, even if it is being used within a different context-name.
|
||||
*/
|
||||
private final Map<SSLConfiguration, SSLContextHolder> sslContexts;
|
||||
|
||||
private final SSLConfiguration globalSSLConfiguration;
|
||||
private final SetOnce<SSLConfiguration> transportSSLConfiguration = new SetOnce<>();
|
||||
private final Environment env;
|
||||
|
||||
|
@ -93,16 +92,14 @@ public class SSLService {
|
|||
public SSLService(Settings settings, Environment environment) {
|
||||
this.settings = settings;
|
||||
this.env = environment;
|
||||
this.globalSSLConfiguration = new SSLConfiguration(settings.getByPrefix(XPackSettings.GLOBAL_SSL_PREFIX));
|
||||
this.sslConfigurations = new HashMap<>();
|
||||
this.sslContexts = loadSSLConfigurations();
|
||||
}
|
||||
|
||||
private SSLService(Settings settings, Environment environment, SSLConfiguration globalSSLConfiguration,
|
||||
Map<String, SSLConfiguration> sslConfigurations, Map<SSLConfiguration, SSLContextHolder> sslContexts) {
|
||||
private SSLService(Settings settings, Environment environment, Map<String, SSLConfiguration> sslConfigurations,
|
||||
Map<SSLConfiguration, SSLContextHolder> sslContexts) {
|
||||
this.settings = settings;
|
||||
this.env = environment;
|
||||
this.globalSSLConfiguration = globalSSLConfiguration;
|
||||
this.sslConfigurations = sslConfigurations;
|
||||
this.sslContexts = sslContexts;
|
||||
}
|
||||
|
@ -113,7 +110,7 @@ public class SSLService {
|
|||
* have been created during initialization
|
||||
*/
|
||||
public SSLService createDynamicSSLService() {
|
||||
return new SSLService(settings, env, globalSSLConfiguration, sslConfigurations, sslContexts) {
|
||||
return new SSLService(settings, env, sslConfigurations, sslContexts) {
|
||||
|
||||
@Override
|
||||
Map<SSLConfiguration, SSLContextHolder> loadSSLConfigurations() {
|
||||
|
@ -265,13 +262,6 @@ public class SSLService {
|
|||
return sslConfiguration.sslClientAuth().enabled();
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the {@link SSLContext} for the global configuration. Mainly used for testing
|
||||
*/
|
||||
public SSLContext sslContext() {
|
||||
return sslContextHolder(globalSSLConfiguration).sslContext();
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the {@link SSLContext} for the configuration. Mainly used for testing
|
||||
*/
|
||||
|
@ -297,13 +287,10 @@ public class SSLService {
|
|||
* Returns the existing {@link SSLConfiguration} for the given settings
|
||||
*
|
||||
* @param settings the settings for the ssl configuration
|
||||
* @return the ssl configuration for the provided settings. If the settings are empty, the global configuration is returned
|
||||
* @return the ssl configuration for the provided settings
|
||||
*/
|
||||
SSLConfiguration sslConfiguration(Settings settings) {
|
||||
if (settings.isEmpty()) {
|
||||
return globalSSLConfiguration;
|
||||
}
|
||||
return new SSLConfiguration(settings, globalSSLConfiguration);
|
||||
public SSLConfiguration sslConfiguration(Settings settings) {
|
||||
return new SSLConfiguration(settings);
|
||||
}
|
||||
|
||||
public Set<String> getTransportProfileContextNames() {
|
||||
|
@ -403,8 +390,6 @@ public class SSLService {
|
|||
*/
|
||||
Map<SSLConfiguration, SSLContextHolder> loadSSLConfigurations() {
|
||||
Map<SSLConfiguration, SSLContextHolder> sslContextHolders = new HashMap<>();
|
||||
sslContextHolders.put(globalSSLConfiguration, createSslContext(globalSSLConfiguration));
|
||||
this.sslConfigurations.put("xpack.ssl", globalSSLConfiguration);
|
||||
|
||||
Map<String, Settings> sslSettingsMap = new HashMap<>();
|
||||
sslSettingsMap.put(XPackSettings.HTTP_SSL_PREFIX, getHttpTransportSSLSettings(settings));
|
||||
|
@ -413,23 +398,19 @@ public class SSLService {
|
|||
sslSettingsMap.putAll(getMonitoringExporterSettings(settings));
|
||||
|
||||
sslSettingsMap.forEach((key, sslSettings) -> {
|
||||
if (sslSettings.isEmpty()) {
|
||||
storeSslConfiguration(key, globalSSLConfiguration);
|
||||
} else {
|
||||
final SSLConfiguration configuration = new SSLConfiguration(sslSettings, globalSSLConfiguration);
|
||||
storeSslConfiguration(key, configuration);
|
||||
sslContextHolders.computeIfAbsent(configuration, this::createSslContext);
|
||||
}
|
||||
final SSLConfiguration configuration = new SSLConfiguration(sslSettings);
|
||||
storeSslConfiguration(key, configuration);
|
||||
sslContextHolders.computeIfAbsent(configuration, this::createSslContext);
|
||||
});
|
||||
|
||||
final Settings transportSSLSettings = settings.getByPrefix(XPackSettings.TRANSPORT_SSL_PREFIX);
|
||||
final SSLConfiguration transportSSLConfiguration = new SSLConfiguration(transportSSLSettings, globalSSLConfiguration);
|
||||
final SSLConfiguration transportSSLConfiguration = new SSLConfiguration(transportSSLSettings);
|
||||
this.transportSSLConfiguration.set(transportSSLConfiguration);
|
||||
storeSslConfiguration(XPackSettings.TRANSPORT_SSL_PREFIX, transportSSLConfiguration);
|
||||
Map<String, Settings> profileSettings = getTransportProfileSSLSettings(settings);
|
||||
sslContextHolders.computeIfAbsent(transportSSLConfiguration, this::createSslContext);
|
||||
profileSettings.forEach((key, profileSetting) -> {
|
||||
final SSLConfiguration configuration = new SSLConfiguration(profileSetting, transportSSLConfiguration);
|
||||
final SSLConfiguration configuration = new SSLConfiguration(profileSetting);
|
||||
storeSslConfiguration(key, configuration);
|
||||
sslContextHolders.computeIfAbsent(configuration, this::createSslContext);
|
||||
});
|
||||
|
|
|
@ -71,7 +71,7 @@ public class SSLConfigurationReloaderTests extends ESTestCase {
|
|||
}
|
||||
|
||||
@After
|
||||
public void cleanup() throws Exception {
|
||||
public void cleanup() {
|
||||
if (threadPool != null) {
|
||||
terminate(threadPool);
|
||||
}
|
||||
|
@ -88,10 +88,10 @@ public class SSLConfigurationReloaderTests extends ESTestCase {
|
|||
Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"), keystorePath);
|
||||
Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_updated.jks"), updatedKeystorePath);
|
||||
MockSecureSettings secureSettings = new MockSecureSettings();
|
||||
secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode");
|
||||
secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode");
|
||||
final Settings settings = Settings.builder()
|
||||
.put("path.home", createTempDir())
|
||||
.put("xpack.ssl.keystore.path", keystorePath)
|
||||
.put("xpack.security.transport.ssl.keystore.path", keystorePath)
|
||||
.setSecureSettings(secureSettings)
|
||||
.build();
|
||||
final Environment env = randomBoolean() ? null : TestEnvironment.newEnvironment(settings);
|
||||
|
@ -144,11 +144,12 @@ public class SSLConfigurationReloaderTests extends ESTestCase {
|
|||
Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_updated.crt"), updatedCertPath);
|
||||
Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"), certPath);
|
||||
MockSecureSettings secureSettings = new MockSecureSettings();
|
||||
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
|
||||
secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
|
||||
final Settings settings = Settings.builder()
|
||||
.put("path.home", createTempDir())
|
||||
.put("xpack.ssl.key", keyPath)
|
||||
.put("xpack.ssl.certificate", certPath)
|
||||
.put("xpack.security.transport.ssl.key", keyPath)
|
||||
.put("xpack.security.transport.ssl.certificate", certPath)
|
||||
.putList("xpack.security.transport.ssl.certificate_authorities", certPath.toString())
|
||||
.setSecureSettings(secureSettings)
|
||||
.build();
|
||||
final Environment env = randomBoolean() ? null :
|
||||
|
@ -202,9 +203,9 @@ public class SSLConfigurationReloaderTests extends ESTestCase {
|
|||
Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_updated.jks"),
|
||||
updatedTruststorePath);
|
||||
MockSecureSettings secureSettings = new MockSecureSettings();
|
||||
secureSettings.setString("xpack.ssl.truststore.secure_password", "testnode");
|
||||
secureSettings.setString("xpack.security.transport.ssl.truststore.secure_password", "testnode");
|
||||
Settings settings = Settings.builder()
|
||||
.put("xpack.ssl.truststore.path", trustStorePath)
|
||||
.put("xpack.security.transport.ssl.truststore.path", trustStorePath)
|
||||
.put("path.home", createTempDir())
|
||||
.setSecureSettings(secureSettings)
|
||||
.build();
|
||||
|
@ -254,7 +255,7 @@ public class SSLConfigurationReloaderTests extends ESTestCase {
|
|||
Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem"), serverKeyPath);
|
||||
Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_updated.crt"), updatedCert);
|
||||
Settings settings = Settings.builder()
|
||||
.put("xpack.ssl.certificate_authorities", serverCertPath)
|
||||
.putList("xpack.security.transport.ssl.certificate_authorities", serverCertPath.toString())
|
||||
.put("path.home", createTempDir())
|
||||
.build();
|
||||
Environment env = randomBoolean() ? null : TestEnvironment.newEnvironment(settings);
|
||||
|
@ -300,15 +301,15 @@ public class SSLConfigurationReloaderTests extends ESTestCase {
|
|||
Path keystorePath = tempDir.resolve("testnode.jks");
|
||||
Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"), keystorePath);
|
||||
MockSecureSettings secureSettings = new MockSecureSettings();
|
||||
secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode");
|
||||
secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode");
|
||||
Settings settings = Settings.builder()
|
||||
.put("xpack.ssl.keystore.path", keystorePath)
|
||||
.put("xpack.security.transport.ssl.keystore.path", keystorePath)
|
||||
.setSecureSettings(secureSettings)
|
||||
.put("path.home", createTempDir())
|
||||
.build();
|
||||
Environment env = randomBoolean() ? null : TestEnvironment.newEnvironment(settings);
|
||||
final SSLService sslService = new SSLService(settings, env);
|
||||
final SSLConfiguration config = sslService.getSSLConfiguration("xpack.ssl");
|
||||
final SSLConfiguration config = sslService.getSSLConfiguration("xpack.security.transport.ssl.");
|
||||
new SSLConfigurationReloader(env, sslService, resourceWatcherService) {
|
||||
@Override
|
||||
void reloadSSLContext(SSLConfiguration configuration) {
|
||||
|
@ -339,17 +340,17 @@ public class SSLConfigurationReloaderTests extends ESTestCase {
|
|||
Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"), certPath);
|
||||
Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt"), clientCertPath);
|
||||
MockSecureSettings secureSettings = new MockSecureSettings();
|
||||
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
|
||||
secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
|
||||
Settings settings = Settings.builder()
|
||||
.put("xpack.ssl.key", keyPath)
|
||||
.put("xpack.ssl.certificate", certPath)
|
||||
.putList("xpack.ssl.certificate_authorities", certPath.toString(), clientCertPath.toString())
|
||||
.put("xpack.security.transport.ssl.key", keyPath)
|
||||
.put("xpack.security.transport.ssl.certificate", certPath)
|
||||
.putList("xpack.security.transport.ssl.certificate_authorities", certPath.toString(), clientCertPath.toString())
|
||||
.put("path.home", createTempDir())
|
||||
.setSecureSettings(secureSettings)
|
||||
.build();
|
||||
Environment env = randomBoolean() ? null : TestEnvironment.newEnvironment(settings);
|
||||
final SSLService sslService = new SSLService(settings, env);
|
||||
final SSLConfiguration config = sslService.getSSLConfiguration("xpack.ssl");
|
||||
final SSLConfiguration config = sslService.getSSLConfiguration("xpack.security.transport.ssl.");
|
||||
new SSLConfigurationReloader(env, sslService, resourceWatcherService) {
|
||||
@Override
|
||||
void reloadSSLContext(SSLConfiguration configuration) {
|
||||
|
@ -376,15 +377,15 @@ public class SSLConfigurationReloaderTests extends ESTestCase {
|
|||
Path trustStorePath = tempDir.resolve("testnode.jks");
|
||||
Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"), trustStorePath);
|
||||
MockSecureSettings secureSettings = new MockSecureSettings();
|
||||
secureSettings.setString("xpack.ssl.truststore.secure_password", "testnode");
|
||||
secureSettings.setString("xpack.security.transport.ssl.truststore.secure_password", "testnode");
|
||||
Settings settings = Settings.builder()
|
||||
.put("xpack.ssl.truststore.path", trustStorePath)
|
||||
.put("xpack.security.transport.ssl.truststore.path", trustStorePath)
|
||||
.put("path.home", createTempDir())
|
||||
.setSecureSettings(secureSettings)
|
||||
.build();
|
||||
Environment env = randomBoolean() ? null : TestEnvironment.newEnvironment(settings);
|
||||
final SSLService sslService = new SSLService(settings, env);
|
||||
final SSLConfiguration config = sslService.getSSLConfiguration("xpack.ssl");
|
||||
final SSLConfiguration config = sslService.getSSLConfiguration("xpack.security.transport.ssl.");
|
||||
new SSLConfigurationReloader(env, sslService, resourceWatcherService) {
|
||||
@Override
|
||||
void reloadSSLContext(SSLConfiguration configuration) {
|
||||
|
@ -411,12 +412,12 @@ public class SSLConfigurationReloaderTests extends ESTestCase {
|
|||
Path clientCertPath = tempDir.resolve("testclient.crt");
|
||||
Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt"), clientCertPath);
|
||||
Settings settings = Settings.builder()
|
||||
.putList("xpack.ssl.certificate_authorities", clientCertPath.toString())
|
||||
.putList("xpack.security.transport.ssl.certificate_authorities", clientCertPath.toString())
|
||||
.put("path.home", createTempDir())
|
||||
.build();
|
||||
Environment env = randomBoolean() ? null : TestEnvironment.newEnvironment(settings);
|
||||
final SSLService sslService = new SSLService(settings, env);
|
||||
final SSLConfiguration config = sslService.getSSLConfiguration("xpack.ssl");
|
||||
final SSLConfiguration config = sslService.sslConfiguration(settings.getByPrefix("xpack.security.transport.ssl."));
|
||||
new SSLConfigurationReloader(env, sslService, resourceWatcherService) {
|
||||
@Override
|
||||
void reloadSSLContext(SSLConfiguration configuration) {
|
||||
|
@ -442,7 +443,7 @@ public class SSLConfigurationReloaderTests extends ESTestCase {
|
|||
Runnable modificationFunction, Consumer<SSLContext> postChecks) throws Exception {
|
||||
final CountDownLatch reloadLatch = new CountDownLatch(1);
|
||||
final SSLService sslService = new SSLService(settings, env);
|
||||
final SSLConfiguration config = sslService.getSSLConfiguration("xpack.ssl");
|
||||
final SSLConfiguration config = sslService.getSSLConfiguration("xpack.security.transport.ssl");
|
||||
new SSLConfigurationReloader(env, sslService, resourceWatcherService) {
|
||||
@Override
|
||||
void reloadSSLContext(SSLConfiguration configuration) {
|
||||
|
|
|
@ -21,7 +21,7 @@ public class SSLConfigurationSettingsTests extends ESTestCase {
|
|||
final SSLConfigurationSettings ssl = SSLConfigurationSettings.withoutPrefix();
|
||||
assertThat(ssl.ciphers.match("cipher_suites"), is(true));
|
||||
assertThat(ssl.ciphers.match("ssl.cipher_suites"), is(false));
|
||||
assertThat(ssl.ciphers.match("xpack.ssl.cipher_suites"), is(false));
|
||||
assertThat(ssl.ciphers.match("xpack.transport.security.ssl.cipher_suites"), is(false));
|
||||
|
||||
final Settings settings = Settings.builder()
|
||||
.put("cipher_suites.0", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256")
|
||||
|
|
|
@ -35,10 +35,6 @@ public class SSLConfigurationTests extends ESTestCase {
|
|||
assertThat(globalConfig.keyConfig(), sameInstance(KeyConfig.NONE));
|
||||
assertThat(globalConfig.trustConfig(), is(not((globalConfig.keyConfig()))));
|
||||
assertThat(globalConfig.trustConfig(), instanceOf(DefaultJDKTrustConfig.class));
|
||||
|
||||
SSLConfiguration scopedConfig = new SSLConfiguration(Settings.EMPTY, globalConfig);
|
||||
assertThat(scopedConfig.keyConfig(), sameInstance(globalConfig.keyConfig()));
|
||||
assertThat(scopedConfig.trustConfig(), sameInstance(globalConfig.trustConfig()));
|
||||
}
|
||||
|
||||
public void testThatOnlyKeystoreInSettingsSetsTruststoreSettings() {
|
||||
|
@ -50,22 +46,17 @@ public class SSLConfigurationTests extends ESTestCase {
|
|||
.setSecureSettings(secureSettings)
|
||||
.build();
|
||||
// Pass settings in as component settings
|
||||
SSLConfiguration globalSettings = new SSLConfiguration(settings);
|
||||
SSLConfiguration scopedSettings = new SSLConfiguration(settings, globalSettings);
|
||||
SSLConfiguration scopedEmptyGlobalSettings =
|
||||
new SSLConfiguration(settings, new SSLConfiguration(Settings.EMPTY));
|
||||
for (SSLConfiguration sslConfiguration : Arrays.asList(globalSettings, scopedSettings, scopedEmptyGlobalSettings)) {
|
||||
assertThat(sslConfiguration.keyConfig(), instanceOf(StoreKeyConfig.class));
|
||||
StoreKeyConfig ksKeyInfo = (StoreKeyConfig) sslConfiguration.keyConfig();
|
||||
SSLConfiguration sslConfiguration = new SSLConfiguration(settings);
|
||||
assertThat(sslConfiguration.keyConfig(), instanceOf(StoreKeyConfig.class));
|
||||
StoreKeyConfig ksKeyInfo = (StoreKeyConfig) sslConfiguration.keyConfig();
|
||||
|
||||
assertThat(ksKeyInfo.keyStorePath, is(equalTo(path)));
|
||||
assertThat(ksKeyInfo.keyStorePassword, is(equalTo("testnode")));
|
||||
assertThat(ksKeyInfo.keyStoreType, is(equalTo("jks")));
|
||||
assertThat(ksKeyInfo.keyPassword, is(equalTo(ksKeyInfo.keyStorePassword)));
|
||||
assertThat(ksKeyInfo.keyStoreAlgorithm, is(KeyManagerFactory.getDefaultAlgorithm()));
|
||||
assertThat(sslConfiguration.trustConfig(), is(instanceOf(CombiningTrustConfig.class)));
|
||||
assertCombiningTrustConfigContainsCorrectIssuers(sslConfiguration);
|
||||
}
|
||||
assertThat(ksKeyInfo.keyStorePath, is(equalTo(path)));
|
||||
assertThat(ksKeyInfo.keyStorePassword, is(equalTo("testnode")));
|
||||
assertThat(ksKeyInfo.keyStoreType, is(equalTo("jks")));
|
||||
assertThat(ksKeyInfo.keyPassword, is(equalTo(ksKeyInfo.keyStorePassword)));
|
||||
assertThat(ksKeyInfo.keyStoreAlgorithm, is(KeyManagerFactory.getDefaultAlgorithm()));
|
||||
assertThat(sslConfiguration.trustConfig(), is(instanceOf(CombiningTrustConfig.class)));
|
||||
assertCombiningTrustConfigContainsCorrectIssuers(sslConfiguration);
|
||||
}
|
||||
|
||||
public void testKeystorePassword() {
|
||||
|
@ -188,44 +179,13 @@ public class SSLConfigurationTests extends ESTestCase {
|
|||
assertThat(ksKeyInfo.keyStoreType, is(equalTo(type)));
|
||||
}
|
||||
|
||||
public void testThatProfileSettingsOverrideServiceSettings() {
|
||||
MockSecureSettings profileSecureSettings = new MockSecureSettings();
|
||||
profileSecureSettings.setString("keystore.secure_password", "password");
|
||||
profileSecureSettings.setString("keystore.secure_key_password", "key");
|
||||
profileSecureSettings.setString("truststore.secure_password", "password for trust");
|
||||
Settings profileSettings = Settings.builder()
|
||||
.put("keystore.path", "path")
|
||||
.put("keystore.algorithm", "algo")
|
||||
.put("truststore.path", "trust path")
|
||||
.put("truststore.algorithm", "trusted")
|
||||
.setSecureSettings(profileSecureSettings)
|
||||
.build();
|
||||
|
||||
MockSecureSettings serviceSecureSettings = new MockSecureSettings();
|
||||
serviceSecureSettings.setString("xpack.ssl.keystore.secure_password", "comp password");
|
||||
serviceSecureSettings.setString("xpack.ssl.keystore.secure_key_password", "comp key");
|
||||
serviceSecureSettings.setString("xpack.ssl.truststore.secure_password", "comp password for trust");
|
||||
Settings serviceSettings = Settings.builder()
|
||||
.put("xpack.ssl.keystore.path", "comp path")
|
||||
.put("xpack.ssl.keystore.algorithm", "comp algo")
|
||||
.put("xpack.ssl.truststore.path", "comp trust path")
|
||||
.put("xpack.ssl.truststore.algorithm", "comp trusted")
|
||||
.setSecureSettings(serviceSecureSettings)
|
||||
.build();
|
||||
|
||||
SSLConfiguration globalSettings = new SSLConfiguration(serviceSettings);
|
||||
SSLConfiguration sslConfiguration = new SSLConfiguration(profileSettings, globalSettings);
|
||||
assertThat(sslConfiguration.keyConfig(), instanceOf(StoreKeyConfig.class));
|
||||
StoreKeyConfig ksKeyInfo = (StoreKeyConfig) sslConfiguration.keyConfig();
|
||||
assertThat(ksKeyInfo.keyStorePath, is(equalTo("path")));
|
||||
assertThat(ksKeyInfo.keyStorePassword, is(equalTo("password")));
|
||||
assertThat(ksKeyInfo.keyPassword, is(equalTo("key")));
|
||||
assertThat(ksKeyInfo.keyStoreAlgorithm, is(equalTo("algo")));
|
||||
assertThat(sslConfiguration.trustConfig(), instanceOf(StoreTrustConfig.class));
|
||||
StoreTrustConfig ksTrustInfo = (StoreTrustConfig) sslConfiguration.trustConfig();
|
||||
assertThat(ksTrustInfo.trustStorePath, is(equalTo("trust path")));
|
||||
assertThat(ksTrustInfo.trustStorePassword, is(equalTo("password for trust")));
|
||||
assertThat(ksTrustInfo.trustStoreAlgorithm, is(equalTo("trusted")));
|
||||
public void testThatEmptySettingsAreEqual() {
|
||||
SSLConfiguration sslConfiguration = new SSLConfiguration(Settings.EMPTY);
|
||||
SSLConfiguration sslConfiguration1 = new SSLConfiguration(Settings.EMPTY);
|
||||
assertThat(sslConfiguration.equals(sslConfiguration1), is(equalTo(true)));
|
||||
assertThat(sslConfiguration1.equals(sslConfiguration), is(equalTo(true)));
|
||||
assertThat(sslConfiguration.equals(sslConfiguration), is(equalTo(true)));
|
||||
assertThat(sslConfiguration1.equals(sslConfiguration1), is(equalTo(true)));
|
||||
}
|
||||
|
||||
public void testThatSettingsWithDifferentKeystoresAreNotEqual() {
|
||||
|
@ -254,6 +214,12 @@ public class SSLConfigurationTests extends ESTestCase {
|
|||
assertThat(sslConfiguration1.equals(sslConfiguration1), is(equalTo(true)));
|
||||
}
|
||||
|
||||
public void testThatEmptySettingsHaveSameHashCode() {
|
||||
SSLConfiguration sslConfiguration = new SSLConfiguration(Settings.EMPTY);
|
||||
SSLConfiguration sslConfiguration1 = new SSLConfiguration(Settings.EMPTY);
|
||||
assertThat(sslConfiguration.hashCode(), is(equalTo(sslConfiguration1.hashCode())));
|
||||
}
|
||||
|
||||
public void testThatSettingsWithDifferentKeystoresHaveDifferentHashCode() {
|
||||
SSLConfiguration sslConfiguration = new SSLConfiguration(Settings.builder()
|
||||
.put("keystore.path", "path")
|
||||
|
|
|
@ -109,11 +109,11 @@ public class SSLServiceTests extends ESTestCase {
|
|||
assumeFalse("Can't run in a FIPS JVM", inFipsJvm());
|
||||
Path testClientStore = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.jks");
|
||||
MockSecureSettings secureSettings = new MockSecureSettings();
|
||||
secureSettings.setString("xpack.ssl.truststore.secure_password", "testnode");
|
||||
secureSettings.setString("xpack.security.transport.ssl.truststore.secure_password", "testnode");
|
||||
secureSettings.setString("transport.profiles.foo.xpack.security.ssl.truststore.secure_password", "testclient");
|
||||
Settings settings = Settings.builder()
|
||||
.put("xpack.ssl.truststore.path", testnodeStore)
|
||||
.put("xpack.ssl.truststore.type", testnodeStoreType)
|
||||
.put("xpack.security.transport.ssl.truststore.path", testnodeStore)
|
||||
.put("xpack.security.transport.ssl.truststore.type", testnodeStoreType)
|
||||
.setSecureSettings(secureSettings)
|
||||
.put("transport.profiles.foo.xpack.security.ssl.truststore.path", testClientStore)
|
||||
.build();
|
||||
|
@ -126,12 +126,12 @@ public class SSLServiceTests extends ESTestCase {
|
|||
.setSecureSettings(secureCustomSettings)
|
||||
.build();
|
||||
|
||||
SSLConfiguration configuration = new SSLConfiguration(customTruststoreSettings, globalConfiguration(sslService));
|
||||
SSLConfiguration configuration = new SSLConfiguration(customTruststoreSettings);
|
||||
SSLEngine sslEngineWithTruststore = sslService.createSSLEngine(configuration, null, -1);
|
||||
assertThat(sslEngineWithTruststore, is(not(nullValue())));
|
||||
|
||||
SSLConfiguration globalConfig = globalConfiguration(sslService);
|
||||
SSLEngine sslEngine = sslService.createSSLEngine(globalConfig, null, -1);
|
||||
SSLConfiguration defaultConfig = sslService.getSSLConfiguration("xpack.security.transport.ssl");
|
||||
SSLEngine sslEngine = sslService.createSSLEngine(defaultConfig, null, -1);
|
||||
assertThat(sslEngineWithTruststore, is(not(sameInstance(sslEngine))));
|
||||
|
||||
final SSLConfiguration profileConfiguration = sslService.getSSLConfiguration("transport.profiles.foo.xpack.security.ssl");
|
||||
|
@ -142,20 +142,21 @@ public class SSLServiceTests extends ESTestCase {
|
|||
|
||||
public void testThatSslContextCachingWorks() throws Exception {
|
||||
MockSecureSettings secureSettings = new MockSecureSettings();
|
||||
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
|
||||
secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
|
||||
Settings settings = Settings.builder()
|
||||
.put("xpack.ssl.certificate", testnodeCert)
|
||||
.put("xpack.ssl.key", testnodeKey)
|
||||
.put("xpack.security.transport.ssl.certificate", testnodeCert)
|
||||
.put("xpack.security.transport.ssl.key", testnodeKey)
|
||||
.setSecureSettings(secureSettings)
|
||||
.build();
|
||||
SSLService sslService = new SSLService(settings, env);
|
||||
|
||||
SSLContext sslContext = sslService.sslContext();
|
||||
SSLContext cachedSslContext = sslService.sslContext();
|
||||
final Settings transportSSLSettings = settings.getByPrefix("xpack.security.transport.ssl.");
|
||||
SSLContext sslContext = sslService.sslContext(sslService.sslConfiguration(transportSSLSettings));
|
||||
SSLContext cachedSslContext = sslService.sslContext(sslService.sslConfiguration(transportSSLSettings));
|
||||
|
||||
assertThat(sslContext, is(sameInstance(cachedSslContext)));
|
||||
|
||||
final SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.ssl");
|
||||
final SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
|
||||
final SSLContext configContext = sslService.sslContext(configuration);
|
||||
assertThat(configContext, is(sameInstance(sslContext)));
|
||||
}
|
||||
|
@ -165,14 +166,15 @@ public class SSLServiceTests extends ESTestCase {
|
|||
Path differentPasswordsStore =
|
||||
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-different-passwords.jks");
|
||||
MockSecureSettings secureSettings = new MockSecureSettings();
|
||||
secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode");
|
||||
secureSettings.setString("xpack.ssl.keystore.secure_key_password", "testnode1");
|
||||
secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode");
|
||||
secureSettings.setString("xpack.security.transport.ssl.keystore.secure_key_password", "testnode1");
|
||||
Settings settings = Settings.builder()
|
||||
.put("xpack.ssl.keystore.path", differentPasswordsStore)
|
||||
.setSecureSettings(secureSettings)
|
||||
.build();
|
||||
.put("xpack.security.transport.ssl.keystore.path", differentPasswordsStore)
|
||||
.setSecureSettings(secureSettings)
|
||||
.build();
|
||||
|
||||
final SSLService sslService = new SSLService(settings, env);
|
||||
SSLConfiguration configuration = globalConfiguration(sslService);
|
||||
SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
|
||||
sslService.createSSLEngine(configuration, null, -1);
|
||||
}
|
||||
|
||||
|
@ -182,13 +184,13 @@ public class SSLServiceTests extends ESTestCase {
|
|||
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-different-passwords.jks");
|
||||
try {
|
||||
MockSecureSettings secureSettings = new MockSecureSettings();
|
||||
secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode");
|
||||
secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode");
|
||||
Settings settings = Settings.builder()
|
||||
.put("xpack.ssl.keystore.path", differentPasswordsStore)
|
||||
.setSecureSettings(secureSettings)
|
||||
.build();
|
||||
.put("xpack.security.transport.ssl.keystore.path", differentPasswordsStore)
|
||||
.setSecureSettings(secureSettings)
|
||||
.build();
|
||||
final SSLService sslService = new SSLService(settings, env);
|
||||
SSLConfiguration configuration = globalConfiguration(sslService);
|
||||
SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
|
||||
sslService.createSSLEngine(configuration, null, -1);
|
||||
fail("expected an exception");
|
||||
} catch (ElasticsearchException e) {
|
||||
|
@ -198,34 +200,34 @@ public class SSLServiceTests extends ESTestCase {
|
|||
|
||||
public void testThatSSLv3IsNotEnabled() throws Exception {
|
||||
MockSecureSettings secureSettings = new MockSecureSettings();
|
||||
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
|
||||
secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
|
||||
Settings settings = Settings.builder()
|
||||
.put("xpack.ssl.certificate", testnodeCert)
|
||||
.put("xpack.ssl.key", testnodeKey)
|
||||
.put("xpack.security.transport.ssl.certificate", testnodeCert)
|
||||
.put("xpack.security.transport.ssl.key", testnodeKey)
|
||||
.setSecureSettings(secureSettings)
|
||||
.build();
|
||||
SSLService sslService = new SSLService(settings, env);
|
||||
SSLConfiguration configuration = globalConfiguration(sslService);
|
||||
SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
|
||||
SSLEngine engine = sslService.createSSLEngine(configuration, null, -1);
|
||||
assertThat(Arrays.asList(engine.getEnabledProtocols()), not(hasItem("SSLv3")));
|
||||
}
|
||||
|
||||
public void testThatCreateClientSSLEngineWithoutAnySettingsWorks() throws Exception {
|
||||
SSLService sslService = new SSLService(Settings.EMPTY, env);
|
||||
SSLConfiguration configuration = globalConfiguration(sslService);
|
||||
SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
|
||||
SSLEngine sslEngine = sslService.createSSLEngine(configuration, null, -1);
|
||||
assertThat(sslEngine, notNullValue());
|
||||
}
|
||||
|
||||
public void testThatCreateSSLEngineWithOnlyTruststoreWorks() throws Exception {
|
||||
MockSecureSettings secureSettings = new MockSecureSettings();
|
||||
secureSettings.setString("xpack.ssl.truststore.secure_password", "testclient");
|
||||
secureSettings.setString("xpack.security.transport.ssl.truststore.secure_password", "testclient");
|
||||
Settings settings = Settings.builder()
|
||||
.put("xpack.ssl.truststore.path", testclientStore)
|
||||
.setSecureSettings(secureSettings)
|
||||
.build();
|
||||
.put("xpack.security.transport.ssl.truststore.path", testclientStore)
|
||||
.setSecureSettings(secureSettings)
|
||||
.build();
|
||||
SSLService sslService = new SSLService(settings, env);
|
||||
SSLConfiguration configuration = globalConfiguration(sslService);
|
||||
SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
|
||||
SSLEngine sslEngine = sslService.createSSLEngine(configuration, null, -1);
|
||||
assertThat(sslEngine, notNullValue());
|
||||
}
|
||||
|
@ -234,54 +236,52 @@ public class SSLServiceTests extends ESTestCase {
|
|||
public void testCreateWithKeystoreIsValidForServer() throws Exception {
|
||||
assumeFalse("Can't run in a FIPS JVM, JKS keystores can't be used", inFipsJvm());
|
||||
MockSecureSettings secureSettings = new MockSecureSettings();
|
||||
secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode");
|
||||
secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode");
|
||||
Settings settings = Settings.builder()
|
||||
.put("xpack.ssl.keystore.path", testnodeStore)
|
||||
.put("xpack.ssl.keystore.type", testnodeStoreType)
|
||||
.setSecureSettings(secureSettings)
|
||||
.build();
|
||||
.put("xpack.security.transport.ssl.keystore.path", testnodeStore)
|
||||
.put("xpack.security.transport.ssl.keystore.type", testnodeStoreType)
|
||||
.setSecureSettings(secureSettings)
|
||||
.build();
|
||||
SSLService sslService = new SSLService(settings, env);
|
||||
|
||||
assertTrue(sslService.isConfigurationValidForServerUsage(globalConfiguration(sslService)));
|
||||
assertTrue(sslService.isConfigurationValidForServerUsage(sslService.getSSLConfiguration("xpack.security.transport.ssl")));
|
||||
}
|
||||
|
||||
public void testValidForServerWithFallback() throws Exception {
|
||||
public void testValidForServer() throws Exception {
|
||||
assumeFalse("Can't run in a FIPS JVM, JKS keystores can't be used", inFipsJvm());
|
||||
MockSecureSettings secureSettings = new MockSecureSettings();
|
||||
secureSettings.setString("xpack.ssl.truststore.secure_password", "testnode");
|
||||
secureSettings.setString("xpack.security.transport.ssl.truststore.secure_password", "testnode");
|
||||
Settings settings = Settings.builder()
|
||||
.put("xpack.ssl.truststore.path", testnodeStore)
|
||||
.put("xpack.ssl.truststore.type", testnodeStoreType)
|
||||
.setSecureSettings(secureSettings)
|
||||
.build();
|
||||
.put("xpack.security.transport.ssl.truststore.path", testnodeStore)
|
||||
.put("xpack.security.transport.ssl.truststore.type", testnodeStoreType)
|
||||
.setSecureSettings(secureSettings)
|
||||
.build();
|
||||
SSLService sslService = new SSLService(settings, env);
|
||||
assertFalse(sslService.isConfigurationValidForServerUsage(globalConfiguration(sslService)));
|
||||
assertFalse(sslService.isConfigurationValidForServerUsage(sslService.getSSLConfiguration("xpack.security.transport.ssl")));
|
||||
|
||||
secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode");
|
||||
settings = Settings.builder()
|
||||
.put("xpack.ssl.truststore.path", testnodeStore)
|
||||
.put("xpack.ssl.truststore.type", testnodeStoreType)
|
||||
.setSecureSettings(secureSettings)
|
||||
.put("xpack.security.transport.ssl.keystore.path", testnodeStore)
|
||||
.put("xpack.security.transport.ssl.keystore.type", testnodeStoreType)
|
||||
.build();
|
||||
.put("xpack.security.transport.ssl.truststore.path", testnodeStore)
|
||||
.put("xpack.security.transport.ssl.truststore.type", testnodeStoreType)
|
||||
.setSecureSettings(secureSettings)
|
||||
.put("xpack.security.transport.ssl.keystore.path", testnodeStore)
|
||||
.put("xpack.security.transport.ssl.keystore.type", testnodeStoreType)
|
||||
.build();
|
||||
sslService = new SSLService(settings, env);
|
||||
assertFalse(sslService.isConfigurationValidForServerUsage(globalConfiguration(sslService)));
|
||||
assertTrue(sslService.isConfigurationValidForServerUsage(sslService.getSSLConfiguration("xpack.security.transport.ssl")));
|
||||
}
|
||||
|
||||
public void testGetVerificationMode() throws Exception {
|
||||
assumeFalse("Can't run in a FIPS JVM, TrustAllConfig is not a SunJSSE TrustManagers", inFipsJvm());
|
||||
SSLService sslService = new SSLService(Settings.EMPTY, env);
|
||||
assertThat(globalConfiguration(sslService).verificationMode(), is(XPackSettings.VERIFICATION_MODE_DEFAULT));
|
||||
assertThat(sslService.getSSLConfiguration("xpack.security.transport.ssl").verificationMode(),
|
||||
is(XPackSettings.VERIFICATION_MODE_DEFAULT));
|
||||
|
||||
Settings settings = Settings.builder()
|
||||
.put("xpack.ssl.verification_mode", "none")
|
||||
.put("xpack.security.transport.ssl.verification_mode", "certificate")
|
||||
.put("transport.profiles.foo.xpack.security.ssl.verification_mode", "full")
|
||||
.build();
|
||||
.put("xpack.security.transport.ssl.verification_mode", "certificate")
|
||||
.put("transport.profiles.foo.xpack.security.ssl.verification_mode", "full")
|
||||
.build();
|
||||
sslService = new SSLService(settings, env);
|
||||
assertThat(globalConfiguration(sslService).verificationMode(), is(VerificationMode.NONE));
|
||||
assertThat(sslService.getSSLConfiguration("xpack.security.transport.ssl.").verificationMode(), is(VerificationMode.CERTIFICATE));
|
||||
assertThat(sslService.getSSLConfiguration("transport.profiles.foo.xpack.security.ssl.").verificationMode(),
|
||||
is(VerificationMode.FULL));
|
||||
|
@ -289,27 +289,25 @@ public class SSLServiceTests extends ESTestCase {
|
|||
|
||||
public void testIsSSLClientAuthEnabled() throws Exception {
|
||||
SSLService sslService = new SSLService(Settings.EMPTY, env);
|
||||
assertTrue(globalConfiguration(sslService).sslClientAuth().enabled());
|
||||
assertTrue(sslService.getSSLConfiguration("xpack.security.transport.ssl").sslClientAuth().enabled());
|
||||
|
||||
Settings settings = Settings.builder()
|
||||
.put("xpack.ssl.client_authentication", "none")
|
||||
.put("xpack.security.transport.ssl.client_authentication", "optional")
|
||||
.put("xpack.security.transport.ssl.client_authentication", "optional")
|
||||
.put("transport.profiles.foo.port", "9400-9410")
|
||||
.build();
|
||||
.build();
|
||||
sslService = new SSLService(settings, env);
|
||||
assertFalse(sslService.isSSLClientAuthEnabled(globalConfiguration(sslService)));
|
||||
assertTrue(sslService.isSSLClientAuthEnabled(sslService.getSSLConfiguration("xpack.security.transport.ssl")));
|
||||
assertTrue(sslService.isSSLClientAuthEnabled(sslService.getSSLConfiguration("transport.profiles.foo.xpack.security.ssl")));
|
||||
}
|
||||
|
||||
public void testThatHttpClientAuthDefaultsToNone() throws Exception {
|
||||
final Settings globalSettings = Settings.builder()
|
||||
.put("xpack.security.http.ssl.enabled", true)
|
||||
.put("xpack.ssl.client_authentication", SSLClientAuth.OPTIONAL.name())
|
||||
.build();
|
||||
.put("xpack.security.http.ssl.enabled", true)
|
||||
.put("xpack.security.transport.ssl.client_authentication", SSLClientAuth.OPTIONAL.name())
|
||||
.build();
|
||||
final SSLService sslService = new SSLService(globalSettings, env);
|
||||
|
||||
final SSLConfiguration globalConfig = globalConfiguration(sslService);
|
||||
final SSLConfiguration globalConfig = sslService.getSSLConfiguration("xpack.security.transport.ssl");
|
||||
assertThat(globalConfig.sslClientAuth(), is(SSLClientAuth.OPTIONAL));
|
||||
|
||||
final SSLConfiguration httpConfig = sslService.getHttpTransportSSLConfiguration();
|
||||
|
@ -318,14 +316,14 @@ public class SSLServiceTests extends ESTestCase {
|
|||
|
||||
public void testThatTruststorePasswordIsRequired() throws Exception {
|
||||
MockSecureSettings secureSettings = new MockSecureSettings();
|
||||
secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode");
|
||||
secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode");
|
||||
Settings settings = Settings.builder()
|
||||
.put("xpack.ssl.keystore.path", testnodeStore)
|
||||
.put("xpack.ssl.keystore.type", testnodeStoreType)
|
||||
.setSecureSettings(secureSettings)
|
||||
.put("xpack.ssl.truststore.path", testnodeStore)
|
||||
.put("xpack.ssl.truststore.type", testnodeStoreType)
|
||||
.build();
|
||||
.put("xpack.security.transport.ssl.keystore.path", testnodeStore)
|
||||
.put("xpack.security.transport.ssl.keystore.type", testnodeStoreType)
|
||||
.setSecureSettings(secureSettings)
|
||||
.put("xpack.security.transport.ssl.truststore.path", testnodeStore)
|
||||
.put("xpack.security.transport.ssl.truststore.type", testnodeStoreType)
|
||||
.build();
|
||||
ElasticsearchException e =
|
||||
expectThrows(ElasticsearchException.class, () -> new SSLService(settings, env));
|
||||
assertThat(e.getMessage(), is("failed to initialize a TrustManagerFactory"));
|
||||
|
@ -333,9 +331,9 @@ public class SSLServiceTests extends ESTestCase {
|
|||
|
||||
public void testThatKeystorePasswordIsRequired() throws Exception {
|
||||
Settings settings = Settings.builder()
|
||||
.put("xpack.ssl.keystore.path", testnodeStore)
|
||||
.put("xpack.ssl.keystore.type", testnodeStoreType)
|
||||
.build();
|
||||
.put("xpack.security.transport.ssl.keystore.path", testnodeStore)
|
||||
.put("xpack.security.transport.ssl.keystore.type", testnodeStoreType)
|
||||
.build();
|
||||
ElasticsearchException e =
|
||||
expectThrows(ElasticsearchException.class, () -> new SSLService(settings, env));
|
||||
assertThat(e.getMessage(), is("failed to create trust manager"));
|
||||
|
@ -346,14 +344,15 @@ public class SSLServiceTests extends ESTestCase {
|
|||
ciphers.add("foo");
|
||||
ciphers.add("bar");
|
||||
MockSecureSettings secureSettings = new MockSecureSettings();
|
||||
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
|
||||
secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
|
||||
Settings settings = Settings.builder()
|
||||
.put("xpack.ssl.certificate", testnodeCert)
|
||||
.put("xpack.ssl.key", testnodeKey)
|
||||
.put("xpack.security.transport.ssl.certificate", testnodeCert)
|
||||
.put("xpack.security.transport.ssl.key", testnodeKey)
|
||||
.setSecureSettings(secureSettings)
|
||||
.putList("xpack.security.transport.ssl.ciphers", ciphers.toArray(new String[ciphers.size()]))
|
||||
.build();
|
||||
SSLService sslService = new SSLService(settings, env);
|
||||
SSLConfiguration configuration = globalConfiguration(sslService);
|
||||
SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
|
||||
SSLEngine engine = sslService.createSSLEngine(configuration, null, -1);
|
||||
assertThat(engine, is(notNullValue()));
|
||||
String[] enabledCiphers = engine.getEnabledCipherSuites();
|
||||
|
@ -362,14 +361,14 @@ public class SSLServiceTests extends ESTestCase {
|
|||
|
||||
public void testInvalidCiphersOnlyThrowsException() throws Exception {
|
||||
MockSecureSettings secureSettings = new MockSecureSettings();
|
||||
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
|
||||
Settings settings = Settings.builder()
|
||||
.put("xpack.ssl.certificate", testnodeCert)
|
||||
.put("xpack.ssl.key", testnodeKey)
|
||||
.putList("xpack.ssl.cipher_suites", new String[]{"foo", "bar"})
|
||||
.setSecureSettings(secureSettings)
|
||||
.build();
|
||||
secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
|
||||
|
||||
Settings settings = Settings.builder()
|
||||
.put("xpack.security.transport.ssl.certificate", testnodeCert)
|
||||
.put("xpack.security.transport.ssl.key", testnodeKey)
|
||||
.setSecureSettings(secureSettings)
|
||||
.putList("xpack.security.transport.ssl.cipher_suites", new String[] { "foo", "bar" })
|
||||
.build();
|
||||
IllegalArgumentException e =
|
||||
expectThrows(IllegalArgumentException.class, () -> new SSLService(settings, env));
|
||||
assertThat(e.getMessage(), is("none of the ciphers [foo, bar] are supported by this JVM"));
|
||||
|
@ -377,14 +376,14 @@ public class SSLServiceTests extends ESTestCase {
|
|||
|
||||
public void testThatSSLEngineHasCipherSuitesOrderSet() throws Exception {
|
||||
MockSecureSettings secureSettings = new MockSecureSettings();
|
||||
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
|
||||
secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
|
||||
Settings settings = Settings.builder()
|
||||
.put("xpack.ssl.certificate", testnodeCert)
|
||||
.put("xpack.ssl.key", testnodeKey)
|
||||
.put("xpack.security.transport.ssl.certificate", testnodeCert)
|
||||
.put("xpack.security.transport.ssl.key", testnodeKey)
|
||||
.setSecureSettings(secureSettings)
|
||||
.build();
|
||||
SSLService sslService = new SSLService(settings, env);
|
||||
SSLConfiguration configuration = globalConfiguration(sslService);
|
||||
SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
|
||||
SSLEngine engine = sslService.createSSLEngine(configuration, null, -1);
|
||||
assertThat(engine, is(notNullValue()));
|
||||
assertTrue(engine.getSSLParameters().getUseCipherSuitesOrder());
|
||||
|
@ -392,14 +391,14 @@ public class SSLServiceTests extends ESTestCase {
|
|||
|
||||
public void testThatSSLSocketFactoryHasProperCiphersAndProtocols() throws Exception {
|
||||
MockSecureSettings secureSettings = new MockSecureSettings();
|
||||
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
|
||||
secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
|
||||
Settings settings = Settings.builder()
|
||||
.put("xpack.ssl.certificate", testnodeCert)
|
||||
.put("xpack.ssl.key", testnodeKey)
|
||||
.put("xpack.security.transport.ssl.certificate", testnodeCert)
|
||||
.put("xpack.security.transport.ssl.key", testnodeKey)
|
||||
.setSecureSettings(secureSettings)
|
||||
.build();
|
||||
SSLService sslService = new SSLService(settings, env);
|
||||
SSLConfiguration config = globalConfiguration(sslService);
|
||||
SSLConfiguration config = sslService.getSSLConfiguration("xpack.security.transport.ssl");
|
||||
final SSLSocketFactory factory = sslService.sslSocketFactory(config);
|
||||
final String[] ciphers = sslService.supportedCiphers(factory.getSupportedCipherSuites(), config.cipherSuites(), false);
|
||||
assertThat(factory.getDefaultCipherSuites(), is(ciphers));
|
||||
|
@ -417,14 +416,14 @@ public class SSLServiceTests extends ESTestCase {
|
|||
|
||||
public void testThatSSLEngineHasProperCiphersAndProtocols() throws Exception {
|
||||
MockSecureSettings secureSettings = new MockSecureSettings();
|
||||
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
|
||||
secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
|
||||
Settings settings = Settings.builder()
|
||||
.put("xpack.ssl.certificate", testnodeCert)
|
||||
.put("xpack.ssl.key", testnodeKey)
|
||||
.put("xpack.security.transport.ssl.certificate", testnodeCert)
|
||||
.put("xpack.security.transport.ssl.key", testnodeKey)
|
||||
.setSecureSettings(secureSettings)
|
||||
.build();
|
||||
SSLService sslService = new SSLService(settings, env);
|
||||
SSLConfiguration configuration = globalConfiguration(sslService);
|
||||
SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
|
||||
SSLEngine engine = sslService.createSSLEngine(configuration, null, -1);
|
||||
final String[] ciphers = sslService.supportedCiphers(engine.getSupportedCipherSuites(), configuration.cipherSuites(), false);
|
||||
final String[] supportedProtocols = configuration.supportedProtocols().toArray(Strings.EMPTY_ARRAY);
|
||||
|
@ -475,9 +474,9 @@ public class SSLServiceTests extends ESTestCase {
|
|||
}
|
||||
|
||||
public void testEmptyTrustManager() throws Exception {
|
||||
Settings settings = Settings.builder().build();
|
||||
Settings settings = Settings.EMPTY;
|
||||
final SSLService sslService = new SSLService(settings, env);
|
||||
X509ExtendedTrustManager trustManager = sslService.sslContextHolder(sslService.getSSLConfiguration("xpack.ssl"))
|
||||
X509ExtendedTrustManager trustManager = sslService.sslContextHolder(sslService.getSSLConfiguration("xpack.security.transport.ssl"))
|
||||
.getEmptyTrustManager();
|
||||
assertThat(trustManager.getAcceptedIssuers(), emptyArray());
|
||||
}
|
||||
|
@ -489,7 +488,6 @@ public class SSLServiceTests extends ESTestCase {
|
|||
final String[] cipherSuites = sslContext.getSupportedSSLParameters().getCipherSuites();
|
||||
|
||||
final String[] contextNames = {
|
||||
"xpack.ssl",
|
||||
"xpack.http.ssl",
|
||||
"xpack.security.http.ssl",
|
||||
"xpack.security.transport.ssl",
|
||||
|
@ -517,10 +515,6 @@ public class SSLServiceTests extends ESTestCase {
|
|||
}
|
||||
|
||||
final Settings settings = builder
|
||||
// Add a realm without SSL settings. This context name should be mapped to the global configuration
|
||||
.put("xpack.security.authc.realms.file.realm3.order", 4)
|
||||
// Add an exporter without SSL settings. This context name should be mapped to the global configuration
|
||||
.put("xpack.monitoring.exporters.mon3.type", "http")
|
||||
.setSecureSettings(secureSettings)
|
||||
.build();
|
||||
SSLService sslService = new SSLService(settings, env);
|
||||
|
@ -535,14 +529,6 @@ public class SSLServiceTests extends ESTestCase {
|
|||
assertThat("Cipher for " + name, configuration.cipherSuites(), contains(cipherSuites[i]));
|
||||
assertThat("Configuration for " + name + ".", sslService.getSSLConfiguration(name + "."), sameInstance(configuration));
|
||||
}
|
||||
|
||||
// These contexts have no SSL settings, but for convenience we want those components to be able to access their context
|
||||
// by name, and get back the global configuration
|
||||
final SSLConfiguration realm3Config = sslService.getSSLConfiguration("xpack.security.authc.realms.file.realm3.ssl");
|
||||
final SSLConfiguration mon3Config = sslService.getSSLConfiguration("xpack.monitoring.exporters.mon3.ssl.");
|
||||
final SSLConfiguration global = globalConfiguration(sslService);
|
||||
assertThat(realm3Config, sameInstance(global));
|
||||
assertThat(mon3Config, sameInstance(global));
|
||||
}
|
||||
|
||||
public void testReadCertificateInformation() throws Exception {
|
||||
|
@ -552,13 +538,13 @@ public class SSLServiceTests extends ESTestCase {
|
|||
final Path pemPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/active-directory-ca.crt");
|
||||
|
||||
final MockSecureSettings secureSettings = new MockSecureSettings();
|
||||
secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode");
|
||||
secureSettings.setString("xpack.ssl.truststore.secure_password", "testnode");
|
||||
secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode");
|
||||
secureSettings.setString("xpack.security.transport.ssl.truststore.secure_password", "testnode");
|
||||
secureSettings.setString("xpack.http.ssl.keystore.secure_password", "testnode");
|
||||
|
||||
final Settings settings = Settings.builder()
|
||||
.put("xpack.ssl.keystore.path", jksPath)
|
||||
.put("xpack.ssl.truststore.path", jksPath)
|
||||
.put("xpack.security.transport.ssl.keystore.path", jksPath)
|
||||
.put("xpack.security.transport.ssl.truststore.path", jksPath)
|
||||
.put("xpack.http.ssl.keystore.path", p12Path)
|
||||
.put("xpack.security.authc.realms.active_directory.ad.ssl.certificate_authorities", pemPath)
|
||||
.setSecureSettings(secureSettings)
|
||||
|
@ -718,7 +704,7 @@ public class SSLServiceTests extends ESTestCase {
|
|||
@Network
|
||||
public void testThatSSLContextWithoutSettingsWorks() throws Exception {
|
||||
SSLService sslService = new SSLService(Settings.EMPTY, env);
|
||||
SSLContext sslContext = sslService.sslContext();
|
||||
SSLContext sslContext = sslService.sslContext(sslService.sslConfiguration(Settings.EMPTY));
|
||||
try (CloseableHttpClient client = HttpClients.custom().setSSLContext(sslContext).build()) {
|
||||
// Execute a GET on a site known to have a valid certificate signed by a trusted public CA
|
||||
// This will result in a SSLHandshakeException if the SSLContext does not trust the CA, but the default
|
||||
|
@ -730,12 +716,13 @@ public class SSLServiceTests extends ESTestCase {
|
|||
@Network
|
||||
public void testThatSSLContextTrustsJDKTrustedCAs() throws Exception {
|
||||
MockSecureSettings secureSettings = new MockSecureSettings();
|
||||
secureSettings.setString("xpack.ssl.keystore.secure_password", "testclient");
|
||||
secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testclient");
|
||||
Settings settings = Settings.builder()
|
||||
.put("xpack.ssl.keystore.path", testclientStore)
|
||||
.put("xpack.security.transport.ssl.keystore.path", testclientStore)
|
||||
.setSecureSettings(secureSettings)
|
||||
.build();
|
||||
SSLContext sslContext = new SSLService(settings, env).sslContext();
|
||||
SSLService sslService = new SSLService(settings, env);
|
||||
SSLContext sslContext = sslService.sslContext(sslService.sslConfiguration(settings.getByPrefix("xpack.security.transport.ssl.")));
|
||||
try (CloseableHttpClient client = HttpClients.custom().setSSLContext(sslContext).build()) {
|
||||
// Execute a GET on a site known to have a valid certificate signed by a trusted public CA which will succeed because the JDK
|
||||
// certs are trusted by default
|
||||
|
@ -746,7 +733,7 @@ public class SSLServiceTests extends ESTestCase {
|
|||
@Network
|
||||
public void testThatSSLIOSessionStrategyWithoutSettingsWorks() throws Exception {
|
||||
SSLService sslService = new SSLService(Settings.EMPTY, env);
|
||||
SSLConfiguration sslConfiguration = globalConfiguration(sslService);
|
||||
SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
|
||||
logger.info("SSL Configuration: {}", sslConfiguration);
|
||||
SSLIOSessionStrategy sslStrategy = sslService.sslIOSessionStrategy(sslConfiguration);
|
||||
try (CloseableHttpAsyncClient client = getAsyncHttpClient(sslStrategy)) {
|
||||
|
@ -762,13 +749,13 @@ public class SSLServiceTests extends ESTestCase {
|
|||
@Network
|
||||
public void testThatSSLIOSessionStrategyTrustsJDKTrustedCAs() throws Exception {
|
||||
MockSecureSettings secureSettings = new MockSecureSettings();
|
||||
secureSettings.setString("xpack.ssl.keystore.secure_password", "testclient");
|
||||
secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testclient");
|
||||
Settings settings = Settings.builder()
|
||||
.put("xpack.ssl.keystore.path", testclientStore)
|
||||
.put("xpack.security.transport.ssl.keystore.path", testclientStore)
|
||||
.setSecureSettings(secureSettings)
|
||||
.build();
|
||||
final SSLService sslService = new SSLService(settings, env);
|
||||
SSLIOSessionStrategy sslStrategy = sslService.sslIOSessionStrategy(globalConfiguration(sslService));
|
||||
SSLIOSessionStrategy sslStrategy = sslService.sslIOSessionStrategy(sslService.getSSLConfiguration("xpack.security.transport.ssl"));
|
||||
try (CloseableHttpAsyncClient client = getAsyncHttpClient(sslStrategy)) {
|
||||
client.start();
|
||||
|
||||
|
@ -778,10 +765,6 @@ public class SSLServiceTests extends ESTestCase {
|
|||
}
|
||||
}
|
||||
|
||||
private static SSLConfiguration globalConfiguration(SSLService sslService) {
|
||||
return sslService.getSSLConfiguration("xpack.ssl");
|
||||
}
|
||||
|
||||
class AssertionCallback implements FutureCallback<HttpResponse> {
|
||||
|
||||
@Override
|
||||
|
|
|
@ -19,11 +19,6 @@ public class TestsSSLService extends SSLService {
|
|||
super(settings, environment);
|
||||
}
|
||||
|
||||
@Override
|
||||
public SSLContext sslContext() {
|
||||
return super.sslContext();
|
||||
}
|
||||
|
||||
/**
|
||||
* Allows to get alternative ssl context, like for the http client
|
||||
*/
|
||||
|
|
|
@ -95,14 +95,14 @@ public class HttpExporterSslIT extends MonitoringIntegTestCase {
|
|||
final Path key = getDataPath("/org/elasticsearch/xpack/monitoring/exporter/http/testnode.pem");
|
||||
|
||||
final Settings sslSettings = Settings.builder()
|
||||
.put("xpack.ssl.certificate", cert)
|
||||
.put("xpack.ssl.key", key)
|
||||
.put("xpack.ssl.key_passphrase", "testnode")
|
||||
.put("xpack.transport.security.ssl.certificate", cert)
|
||||
.put("xpack.transport.security.ssl.key", key)
|
||||
.put("xpack.transport.security.ssl.key_passphrase", "testnode")
|
||||
.put(globalSettings)
|
||||
.build();
|
||||
|
||||
TestsSSLService sslService = new TestsSSLService(sslSettings, environment);
|
||||
final SSLContext sslContext = sslService.sslContext(Settings.EMPTY);
|
||||
final SSLContext sslContext = sslService.sslContext("xpack.security.transport.ssl");
|
||||
MockWebServer server = new MockWebServer(sslContext, false);
|
||||
server.start();
|
||||
return server;
|
||||
|
|
|
@ -9,7 +9,7 @@ import org.elasticsearch.bootstrap.BootstrapCheck;
|
|||
import org.elasticsearch.bootstrap.BootstrapContext;
|
||||
import org.elasticsearch.common.settings.Settings;
|
||||
import org.elasticsearch.xpack.core.XPackSettings;
|
||||
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
|
||||
import org.elasticsearch.xpack.core.security.authc.RealmConfig.RealmIdentifier;
|
||||
import org.elasticsearch.xpack.core.security.authc.RealmSettings;
|
||||
import org.elasticsearch.xpack.core.security.authc.pki.PkiRealmSettings;
|
||||
import org.elasticsearch.xpack.core.ssl.SSLConfiguration;
|
||||
|
@ -37,7 +37,7 @@ class PkiRealmBootstrapCheck implements BootstrapCheck {
|
|||
@Override
|
||||
public BootstrapCheckResult check(BootstrapContext context) {
|
||||
final Settings settings = context.settings();
|
||||
final Map<RealmConfig.RealmIdentifier, Settings> realms = RealmSettings.getRealmSettings(settings);
|
||||
final Map<RealmIdentifier, Settings> realms = RealmSettings.getRealmSettings(settings);
|
||||
final boolean pkiRealmEnabled = realms.entrySet().stream()
|
||||
.filter(e -> PkiRealmSettings.TYPE.equals(e.getKey().getType()))
|
||||
.map(Map.Entry::getValue)
|
||||
|
@ -70,6 +70,7 @@ class PkiRealmBootstrapCheck implements BootstrapCheck {
|
|||
return list;
|
||||
}
|
||||
|
||||
// FIXME this is an antipattern move this out of a bootstrap check!
|
||||
@Override
|
||||
public boolean alwaysEnforce() {
|
||||
return true;
|
||||
|
|
|
@ -67,7 +67,6 @@ import java.util.Map;
|
|||
import java.util.Set;
|
||||
|
||||
import static org.elasticsearch.common.xcontent.XContentFactory.jsonBuilder;
|
||||
import static org.elasticsearch.xpack.core.security.SecurityField.setting;
|
||||
|
||||
/**
|
||||
* This is the command-line tool used for migrating users and roles from the file-based realm into the new native realm using the API for
|
||||
|
@ -149,7 +148,7 @@ public class ESNativeRealmMigrateTool extends LoggingAwareMultiCommand {
|
|||
// If using SSL, need a custom service because it's likely a self-signed certificate
|
||||
if ("https".equalsIgnoreCase(uri.getScheme())) {
|
||||
final SSLService sslService = new SSLService(settings, env);
|
||||
final SSLConfiguration sslConfiguration = sslService.getSSLConfiguration(setting("http.ssl"));
|
||||
final SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.security.http.ssl");
|
||||
final HttpsURLConnection httpsConn = (HttpsURLConnection) url.openConnection();
|
||||
AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
|
||||
// Requires permission java.lang.RuntimePermission "setFactory";
|
||||
|
|
|
@ -86,7 +86,6 @@ public class SecurityNioTransport extends NioTransport {
|
|||
Map<String, SSLConfiguration> profileConfiguration = SecurityNetty4Transport.getTransportProfileConfigurations(settings,
|
||||
sslService, transportConfiguration);
|
||||
this.profileConfiguration = Collections.unmodifiableMap(profileConfiguration);
|
||||
|
||||
} else {
|
||||
profileConfiguration = Collections.emptyMap();
|
||||
}
|
||||
|
|
|
@ -149,7 +149,7 @@ public class SecuritySettingsSource extends NodeConfigurationSource {
|
|||
@Override
|
||||
public Settings transportClientSettings() {
|
||||
Settings.Builder builder = Settings.builder();
|
||||
addClientSSLSettings(builder, "");
|
||||
addClientSSLSettings(builder, "xpack.security.transport.");
|
||||
addDefaultSecurityTransportType(builder, Settings.EMPTY);
|
||||
|
||||
if (randomBoolean()) {
|
||||
|
@ -208,22 +208,27 @@ public class SecuritySettingsSource extends NodeConfigurationSource {
|
|||
return new SecureString(SecuritySettingsSourceField.TEST_PASSWORD.toCharArray());
|
||||
}
|
||||
|
||||
public static void addSSLSettingsForNodePEMFiles(Settings.Builder builder, String prefix, boolean hostnameVerificationEnabled) {
|
||||
addSSLSettingsForPEMFiles(builder, prefix,
|
||||
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem", "testnode",
|
||||
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt",
|
||||
Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-client-profile.crt",
|
||||
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/active-directory-ca.crt",
|
||||
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt",
|
||||
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/openldap.crt",
|
||||
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"),
|
||||
hostnameVerificationEnabled, false);
|
||||
}
|
||||
|
||||
private void addNodeSSLSettings(Settings.Builder builder) {
|
||||
if (sslEnabled) {
|
||||
builder.put("xpack.security.transport.ssl.enabled", true);
|
||||
if (usePEM) {
|
||||
addSSLSettingsForPEMFiles(builder, "",
|
||||
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem", "testnode",
|
||||
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt",
|
||||
Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-client-profile.crt",
|
||||
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/active-directory-ca.crt",
|
||||
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt",
|
||||
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/openldap.crt",
|
||||
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"),
|
||||
sslEnabled, hostnameVerificationEnabled, false);
|
||||
|
||||
addSSLSettingsForNodePEMFiles(builder, "xpack.security.transport.", hostnameVerificationEnabled);
|
||||
} else {
|
||||
addSSLSettingsForStore(builder, "", "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks",
|
||||
"testnode", sslEnabled, hostnameVerificationEnabled, false);
|
||||
addSSLSettingsForStore(builder, "xpack.security.transport.",
|
||||
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks", "testnode",
|
||||
hostnameVerificationEnabled, false);
|
||||
}
|
||||
} else if (randomBoolean()) {
|
||||
builder.put(XPackSettings.TRANSPORT_SSL_ENABLED.getKey(), false);
|
||||
|
@ -231,47 +236,53 @@ public class SecuritySettingsSource extends NodeConfigurationSource {
|
|||
}
|
||||
|
||||
public void addClientSSLSettings(Settings.Builder builder, String prefix) {
|
||||
builder.put("xpack.security.transport.ssl.enabled", sslEnabled);
|
||||
if (usePEM) {
|
||||
addSSLSettingsForPEMFiles(builder, prefix,
|
||||
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.pem", "testclient",
|
||||
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt",
|
||||
Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt",
|
||||
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt"),
|
||||
sslEnabled, hostnameVerificationEnabled, true);
|
||||
hostnameVerificationEnabled, true);
|
||||
} else {
|
||||
addSSLSettingsForStore(builder, prefix, "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.jks",
|
||||
"testclient", sslEnabled, hostnameVerificationEnabled, true);
|
||||
"testclient", hostnameVerificationEnabled, true);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the configuration settings given the location of a certificate and its password
|
||||
*
|
||||
* @param resourcePathToStore the location of the keystore or truststore
|
||||
* @param password the password
|
||||
*/
|
||||
public static void addSSLSettingsForStore(Settings.Builder builder, String resourcePathToStore, String password, String prefix) {
|
||||
addSSLSettingsForStore(builder, prefix, resourcePathToStore, password, true, true);
|
||||
}
|
||||
|
||||
private static void addSSLSettingsForStore(Settings.Builder builder, String prefix, String resourcePathToStore, String password,
|
||||
boolean sslEnabled, boolean hostnameVerificationEnabled,
|
||||
boolean transportClient) {
|
||||
boolean hostnameVerificationEnabled, boolean transportClient) {
|
||||
Path store = resolveResourcePath(resourcePathToStore);
|
||||
|
||||
if (transportClient == false) {
|
||||
builder.put(prefix + "xpack.security.http.ssl.enabled", false);
|
||||
}
|
||||
builder.put(XPackSettings.TRANSPORT_SSL_ENABLED.getKey(), sslEnabled);
|
||||
|
||||
builder.put(prefix + "xpack.ssl.verification_mode", hostnameVerificationEnabled ? "full" : "certificate");
|
||||
builder.put(prefix + "xpack.ssl.keystore.path", store);
|
||||
builder.put(prefix + "ssl.verification_mode", hostnameVerificationEnabled ? "full" : "certificate");
|
||||
builder.put(prefix + "ssl.keystore.path", store);
|
||||
if (transportClient) {
|
||||
// continue using insecure settings for clients until we figure out what to do there...
|
||||
builder.put(prefix + "xpack.ssl.keystore.password", password);
|
||||
builder.put(prefix + "ssl.keystore.password", password);
|
||||
} else {
|
||||
final String finalPrefix = prefix;
|
||||
addSecureSettings(builder, secureSettings ->
|
||||
secureSettings.setString(prefix + "xpack.ssl.keystore.secure_password", password));
|
||||
secureSettings.setString(finalPrefix + "ssl.keystore.secure_password", password));
|
||||
}
|
||||
|
||||
if (randomBoolean()) {
|
||||
builder.put(prefix + "xpack.ssl.truststore.path", store);
|
||||
builder.put(prefix + "ssl.truststore.path", store);
|
||||
if (transportClient) {
|
||||
// continue using insecure settings for clients until we figure out what to do there...
|
||||
builder.put(prefix + "xpack.ssl.truststore.password", password);
|
||||
builder.put(prefix + "ssl.truststore.password", password);
|
||||
} else {
|
||||
final String finalPrefix = prefix;
|
||||
addSecureSettings(builder, secureSettings ->
|
||||
secureSettings.setString(prefix + "xpack.ssl.truststore.secure_password", password));
|
||||
secureSettings.setString(finalPrefix + "ssl.truststore.secure_password", password));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -289,31 +300,46 @@ public class SecuritySettingsSource extends NodeConfigurationSource {
|
|||
*/
|
||||
public static void addSSLSettingsForPEMFiles(Settings.Builder builder, String keyPath, String password,
|
||||
String certificatePath, List<String> trustedCertificates) {
|
||||
addSSLSettingsForPEMFiles(builder, "", keyPath, password, certificatePath, trustedCertificates, true, true, true);
|
||||
addSSLSettingsForPEMFiles(builder, "", keyPath, password, certificatePath, trustedCertificates, true, true);
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the SSL related configuration settings given the location of a key and certificate and the location
|
||||
* of the PEM certificates to be trusted
|
||||
*
|
||||
* @param keyPath The path to the Private key to be used for SSL
|
||||
* @param password The password with which the private key is protected
|
||||
* @param certificatePath The path to the PEM formatted Certificate encapsulating the public key that corresponds
|
||||
* to the Private Key specified in {@code keyPath}. Will be presented to incoming
|
||||
* SSL connections.
|
||||
* @param prefix The settings prefix to use before ssl setting names
|
||||
* @param trustedCertificates A list of PEM formatted certificates that will be trusted.
|
||||
*/
|
||||
public static void addSSLSettingsForPEMFiles(Settings.Builder builder, String keyPath, String password,
|
||||
String certificatePath, String prefix, List<String> trustedCertificates) {
|
||||
addSSLSettingsForPEMFiles(builder, prefix, keyPath, password, certificatePath, trustedCertificates, true, true);
|
||||
}
|
||||
|
||||
private static void addSSLSettingsForPEMFiles(Settings.Builder builder, String prefix, String keyPath, String password,
|
||||
String certificatePath, List<String> trustedCertificates, boolean sslEnabled,
|
||||
String certificatePath, List<String> trustedCertificates,
|
||||
boolean hostnameVerificationEnabled, boolean transportClient) {
|
||||
|
||||
if (transportClient == false) {
|
||||
builder.put(prefix + "xpack.security.http.ssl.enabled", false);
|
||||
if (prefix.equals("")) {
|
||||
prefix = "xpack.security.transport.";
|
||||
}
|
||||
builder.put(XPackSettings.TRANSPORT_SSL_ENABLED.getKey(), sslEnabled);
|
||||
|
||||
builder.put(prefix + "xpack.ssl.verification_mode", hostnameVerificationEnabled ? "full" : "certificate");
|
||||
builder.put(prefix + "xpack.ssl.key", resolveResourcePath(keyPath))
|
||||
.put(prefix + "xpack.ssl.certificate", resolveResourcePath(certificatePath));
|
||||
builder.put(prefix + "ssl.verification_mode", hostnameVerificationEnabled ? "full" : "certificate");
|
||||
builder.put(prefix + "ssl.key", resolveResourcePath(keyPath))
|
||||
.put(prefix + "ssl.certificate", resolveResourcePath(certificatePath));
|
||||
if (transportClient) {
|
||||
// continue using insecure settings for clients until we figure out what to do there...
|
||||
builder.put(prefix + "xpack.ssl.key_passphrase", password);
|
||||
builder.put(prefix + "ssl.key_passphrase", password);
|
||||
} else {
|
||||
final String finalPrefix = prefix;
|
||||
addSecureSettings(builder, secureSettings ->
|
||||
secureSettings.setString(prefix + "xpack.ssl.secure_key_passphrase", password));
|
||||
secureSettings.setString(finalPrefix + "ssl.secure_key_passphrase", password));
|
||||
}
|
||||
|
||||
if (trustedCertificates.isEmpty() == false) {
|
||||
builder.put(prefix + "xpack.ssl.certificate_authorities",
|
||||
builder.put(prefix + "ssl.certificate_authorities",
|
||||
Strings.arrayToCommaDelimitedString(resolvePathsToString(trustedCertificates)));
|
||||
}
|
||||
}
|
||||
|
|
|
@ -64,21 +64,21 @@ public class SettingsFilterTests extends ESTestCase {
|
|||
if (inFipsJvm() == false) {
|
||||
configureFilteredSetting("xpack.security.authc.realms.pki.pki1.truststore.path",
|
||||
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/truststore-testnode-only.jks").toString());
|
||||
configureFilteredSetting("xpack.ssl.keystore.path",
|
||||
configureFilteredSetting("xpack.security.transport.ssl.keystore.path",
|
||||
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks").toString());
|
||||
}
|
||||
configureSecureSetting("xpack.security.authc.realms.pki.pki1.truststore.secure_password", "truststore-testnode-only");
|
||||
configureFilteredSetting("xpack.security.authc.realms.pki.pki1.truststore.algorithm", "SunX509");
|
||||
|
||||
|
||||
configureFilteredSetting("xpack.ssl.cipher_suites",
|
||||
configureFilteredSetting("xpack.security.transport.ssl.cipher_suites",
|
||||
Strings.arrayToCommaDelimitedString(XPackSettings.DEFAULT_CIPHERS.toArray()));
|
||||
configureFilteredSetting("xpack.ssl.supported_protocols", randomFrom("TLSv1", "TLSv1.1", "TLSv1.2"));
|
||||
configureSecureSetting("xpack.ssl.keystore.secure_password", "testnode");
|
||||
configureFilteredSetting("xpack.ssl.keystore.algorithm", KeyManagerFactory.getDefaultAlgorithm());
|
||||
configureSecureSetting("xpack.ssl.keystore.secure_key_password", "testnode");
|
||||
configureSecureSetting("xpack.ssl.truststore.secure_password", randomAlphaOfLength(5));
|
||||
configureFilteredSetting("xpack.ssl.truststore.algorithm", TrustManagerFactory.getDefaultAlgorithm());
|
||||
configureFilteredSetting("xpack.security.transport.ssl.supported_protocols", randomFrom("TLSv1", "TLSv1.1", "TLSv1.2"));
|
||||
configureSecureSetting("xpack.security.transport.ssl.keystore.secure_password", "testnode");
|
||||
configureFilteredSetting("xpack.security.transport.ssl.keystore.algorithm", KeyManagerFactory.getDefaultAlgorithm());
|
||||
configureSecureSetting("xpack.security.transport.ssl.keystore.secure_key_password", "testnode");
|
||||
configureSecureSetting("xpack.security.transport.ssl.truststore.secure_password", randomAlphaOfLength(5));
|
||||
configureFilteredSetting("xpack.security.transport.ssl.truststore.algorithm", TrustManagerFactory.getDefaultAlgorithm());
|
||||
|
||||
// client profile
|
||||
configureUnfilteredSetting("transport.profiles.client.port", "9500-9600");
|
||||
|
|
|
@ -16,22 +16,6 @@ public class FIPS140JKSKeystoreBootstrapCheckTests extends AbstractBootstrapChec
|
|||
assertFalse(new FIPS140JKSKeystoreBootstrapCheck().check(createTestContext(settings.build(), null)).isFailure());
|
||||
}
|
||||
|
||||
public void testSSLKeystoreTypeIsNotAllowed() {
|
||||
final Settings.Builder settings = Settings.builder()
|
||||
.put("xpack.security.fips_mode.enabled", "true")
|
||||
.put("xpack.ssl.keystore.path", "/this/is/the/path")
|
||||
.put("xpack.ssl.keystore.type", "JKS");
|
||||
assertTrue(new FIPS140JKSKeystoreBootstrapCheck().check(createTestContext(settings.build(), null)).isFailure());
|
||||
}
|
||||
|
||||
public void testSSLImplicitKeystoreTypeIsNotAllowed() {
|
||||
final Settings.Builder settings = Settings.builder()
|
||||
.put("xpack.security.fips_mode.enabled", "true")
|
||||
.put("xpack.ssl.keystore.path", "/this/is/the/path")
|
||||
.put("xpack.ssl.keystore.type", "JKS");
|
||||
assertTrue(new FIPS140JKSKeystoreBootstrapCheck().check(createTestContext(settings.build(), null)).isFailure());
|
||||
}
|
||||
|
||||
public void testTransportSSLKeystoreTypeIsNotAllowed() {
|
||||
final Settings.Builder settings = Settings.builder()
|
||||
.put("xpack.security.fips_mode.enabled", "true")
|
||||
|
|
|
@ -36,15 +36,9 @@ public class PkiRealmBootstrapCheckTests extends AbstractBootstrapCheckTestCase
|
|||
.build();
|
||||
assertFalse(runCheck(settings, env).isFailure());
|
||||
|
||||
// disable client auth default
|
||||
settings = Settings.builder().put(settings)
|
||||
.put("xpack.ssl.client_authentication", "none")
|
||||
.build();
|
||||
env = TestEnvironment.newEnvironment(settings);
|
||||
assertTrue(runCheck(settings, env).isFailure());
|
||||
|
||||
// enable ssl for http
|
||||
settings = Settings.builder().put(settings)
|
||||
.put("xpack.security.transport.ssl.enabled", false)
|
||||
.put("xpack.security.http.ssl.enabled", true)
|
||||
.build();
|
||||
env = TestEnvironment.newEnvironment(settings);
|
||||
|
@ -73,6 +67,7 @@ public class PkiRealmBootstrapCheckTests extends AbstractBootstrapCheckTestCase
|
|||
|
||||
// test with transport profile
|
||||
settings = Settings.builder().put(settings)
|
||||
.put("xpack.security.transport.ssl.enabled", true)
|
||||
.put("xpack.security.transport.client_authentication", "none")
|
||||
.put("transport.profiles.foo.xpack.security.ssl.client_authentication", randomFrom("required", "optional"))
|
||||
.build();
|
||||
|
@ -87,7 +82,7 @@ public class PkiRealmBootstrapCheckTests extends AbstractBootstrapCheckTestCase
|
|||
public void testBootstrapCheckWithDisabledRealm() throws Exception {
|
||||
Settings settings = Settings.builder()
|
||||
.put("xpack.security.authc.realms.pki.test_pki.enabled", false)
|
||||
.put("xpack.ssl.client_authentication", "none")
|
||||
.put("xpack.security.transport.ssl.client_authentication", "none")
|
||||
.put("path.home", createTempDir())
|
||||
.build();
|
||||
Environment env = TestEnvironment.newEnvironment(settings);
|
||||
|
|
|
@ -246,7 +246,7 @@ public class IndexAuditTrailTests extends SecurityIntegTestCase {
|
|||
SecuritySettingsSourceField.TEST_PASSWORD);
|
||||
|
||||
if (remoteUseSSL) {
|
||||
cluster2SettingsSource.addClientSSLSettings(builder, "xpack.security.audit.index.client.");
|
||||
cluster2SettingsSource.addClientSSLSettings(builder, "xpack.security.audit.index.client.xpack.security.transport.");
|
||||
builder.put("xpack.security.audit.index.client.xpack.security.transport.ssl.enabled", true);
|
||||
}
|
||||
if (useSecurity == false && builder.get(NetworkModule.TRANSPORT_TYPE_KEY) == null) {
|
||||
|
|
|
@ -111,7 +111,7 @@ public class RemoteIndexAuditTrailStartingTests extends SecurityIntegTestCase {
|
|||
.put("xpack.security.audit.index.settings.index.number_of_shards", 1)
|
||||
.put("xpack.security.audit.index.settings.index.number_of_replicas", 0);
|
||||
|
||||
addClientSSLSettings(builder, "xpack.security.audit.index.client.");
|
||||
addClientSSLSettings(builder, "xpack.security.audit.index.client.xpack.security.transport.");
|
||||
builder.put("xpack.security.audit.index.client.xpack.security.transport.ssl.enabled", sslEnabled);
|
||||
return builder.build();
|
||||
}
|
||||
|
|
|
@ -13,7 +13,6 @@ import org.elasticsearch.common.bytes.BytesArray;
|
|||
import org.elasticsearch.common.settings.Settings;
|
||||
import org.elasticsearch.env.Environment;
|
||||
import org.elasticsearch.test.NativeRealmIntegTestCase;
|
||||
import org.elasticsearch.test.SecuritySettingsSource;
|
||||
import org.elasticsearch.common.CharArrays;
|
||||
import org.elasticsearch.xpack.core.security.client.SecurityClient;
|
||||
import org.elasticsearch.xpack.security.support.SecurityIndexManager;
|
||||
|
@ -21,10 +20,12 @@ import org.junit.BeforeClass;
|
|||
|
||||
import java.nio.charset.StandardCharsets;
|
||||
import java.nio.file.Path;
|
||||
import java.util.Arrays;
|
||||
import java.util.Collections;
|
||||
import java.util.HashSet;
|
||||
import java.util.Set;
|
||||
|
||||
import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForNodePEMFiles;
|
||||
import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForPEMFiles;
|
||||
import static org.hamcrest.Matchers.containsString;
|
||||
import static org.hamcrest.Matchers.is;
|
||||
|
||||
|
@ -49,11 +50,11 @@ public class ESNativeMigrateToolTests extends NativeRealmIntegTestCase {
|
|||
@Override
|
||||
public Settings nodeSettings(int nodeOrdinal) {
|
||||
logger.info("--> use SSL? {}", useSSL);
|
||||
Settings s = Settings.builder()
|
||||
.put(super.nodeSettings(nodeOrdinal))
|
||||
.put("xpack.security.http.ssl.enabled", useSSL)
|
||||
.build();
|
||||
return s;
|
||||
Settings.Builder builder = Settings.builder()
|
||||
.put(super.nodeSettings(nodeOrdinal));
|
||||
addSSLSettingsForNodePEMFiles(builder, "xpack.security.http.", true);
|
||||
builder.put("xpack.security.http.ssl.enabled", useSSL);
|
||||
return builder.build();
|
||||
}
|
||||
|
||||
@Override
|
||||
|
@ -77,7 +78,7 @@ public class ESNativeMigrateToolTests extends NativeRealmIntegTestCase {
|
|||
SecurityClient c = new SecurityClient(client());
|
||||
logger.error("--> creating users");
|
||||
int numToAdd = randomIntBetween(1,10);
|
||||
Set<String> addedUsers = new HashSet(numToAdd);
|
||||
Set<String> addedUsers = new HashSet<>(numToAdd);
|
||||
for (int i = 0; i < numToAdd; i++) {
|
||||
String uname = randomAlphaOfLength(5);
|
||||
c.preparePutUser(uname, "s3kirt".toCharArray(), getFastStoredHashAlgoForTests(), "role1", "user").get();
|
||||
|
@ -94,13 +95,15 @@ public class ESNativeMigrateToolTests extends NativeRealmIntegTestCase {
|
|||
|
||||
Settings.Builder builder = Settings.builder()
|
||||
.put("path.home", home)
|
||||
.put("path.conf", conf.toString());
|
||||
SecuritySettingsSource.addSSLSettingsForPEMFiles(
|
||||
.put("path.conf", conf.toString())
|
||||
.put("xpack.security.http.ssl.client_authentication", "none");
|
||||
addSSLSettingsForPEMFiles(
|
||||
builder,
|
||||
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem",
|
||||
"testnode",
|
||||
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt",
|
||||
Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"));
|
||||
"xpack.security.http.",
|
||||
Collections.singletonList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"));
|
||||
Settings settings = builder.build();
|
||||
logger.error("--> retrieving users using URL: {}, home: {}", url, home);
|
||||
|
||||
|
@ -140,12 +143,15 @@ public class ESNativeMigrateToolTests extends NativeRealmIntegTestCase {
|
|||
String password = new String(CharArrays.toUtf8Bytes(nodeClientPassword().getChars()), StandardCharsets.UTF_8);
|
||||
String url = getHttpURL();
|
||||
ESNativeRealmMigrateTool.MigrateUserOrRoles muor = new ESNativeRealmMigrateTool.MigrateUserOrRoles();
|
||||
Settings.Builder builder = Settings.builder().put("path.home", home);
|
||||
SecuritySettingsSource.addSSLSettingsForPEMFiles(builder,
|
||||
Settings.Builder builder = Settings.builder()
|
||||
.put("path.home", home)
|
||||
.put("xpack.security.http.ssl.client_authentication", "none");
|
||||
addSSLSettingsForPEMFiles(builder,
|
||||
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.pem",
|
||||
"testclient",
|
||||
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt",
|
||||
Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"));
|
||||
"xpack.security.http.",
|
||||
Collections.singletonList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"));
|
||||
Settings settings = builder.build();
|
||||
logger.error("--> retrieving roles using URL: {}, home: {}", url, home);
|
||||
|
||||
|
|
|
@ -44,29 +44,16 @@ public class CommandLineHttpClientTests extends ESTestCase {
|
|||
}
|
||||
|
||||
@After
|
||||
public void shutdown() throws Exception {
|
||||
public void shutdown() {
|
||||
webServer.close();
|
||||
}
|
||||
|
||||
public void testCommandLineHttpClientCanExecuteAndReturnCorrectResultUsingSSLSettings() throws Exception {
|
||||
Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt");
|
||||
MockSecureSettings secureSettings = new MockSecureSettings();
|
||||
Settings settings;
|
||||
if (randomBoolean()) {
|
||||
// with http ssl settings
|
||||
secureSettings.setString("xpack.security.http.ssl.truststore.secure_password", "testnode");
|
||||
settings = Settings.builder().put("xpack.security.http.ssl.certificate_authorities", certPath.toString())
|
||||
.put("xpack.security.http.ssl.verification_mode", VerificationMode.CERTIFICATE).setSecureSettings(secureSettings)
|
||||
.build();
|
||||
} else {
|
||||
// with global settings
|
||||
secureSettings.setString("xpack.ssl.truststore.secure_password", "testnode");
|
||||
settings = Settings.builder()
|
||||
.put("xpack.ssl.certificate_authorities", certPath.toString())
|
||||
.put("xpack.ssl.verification_mode", VerificationMode.CERTIFICATE)
|
||||
.setSecureSettings(secureSettings)
|
||||
.build();
|
||||
}
|
||||
Settings settings = Settings.builder()
|
||||
.put("xpack.security.http.ssl.certificate_authorities", certPath.toString())
|
||||
.put("xpack.security.http.ssl.verification_mode", VerificationMode.CERTIFICATE)
|
||||
.build();
|
||||
CommandLineHttpClient client = new CommandLineHttpClient(settings, environment);
|
||||
HttpResponse httpResponse = client.execute("GET", new URL("https://localhost:" + webServer.getPort() + "/test"), "u1",
|
||||
new SecureString(new char[]{'p'}), () -> null, is -> responseBuilder(is));
|
||||
|
@ -80,14 +67,14 @@ public class CommandLineHttpClientTests extends ESTestCase {
|
|||
Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt");
|
||||
Path keyPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem");
|
||||
MockSecureSettings secureSettings = new MockSecureSettings();
|
||||
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
|
||||
secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode");
|
||||
Settings settings = Settings.builder()
|
||||
.put("xpack.ssl.key", keyPath.toString())
|
||||
.put("xpack.ssl.certificate", certPath.toString())
|
||||
.put("xpack.security.http.ssl.key", keyPath.toString())
|
||||
.put("xpack.security.http.ssl.certificate", certPath.toString())
|
||||
.setSecureSettings(secureSettings)
|
||||
.build();
|
||||
TestsSSLService sslService = new TestsSSLService(settings, environment);
|
||||
return new MockWebServer(sslService.sslContext(), false);
|
||||
return new MockWebServer(sslService.sslContext("xpack.security.http.ssl."), false);
|
||||
}
|
||||
|
||||
private HttpResponseBuilder responseBuilder(final InputStream is) throws IOException {
|
||||
|
|
|
@ -13,7 +13,6 @@ import org.elasticsearch.common.settings.MockSecureSettings;
|
|||
import org.elasticsearch.common.settings.Settings;
|
||||
import org.elasticsearch.env.Environment;
|
||||
import org.elasticsearch.env.TestEnvironment;
|
||||
import org.elasticsearch.test.ESTestCase;
|
||||
import org.elasticsearch.xpack.core.security.authc.ldap.support.SessionFactorySettings;
|
||||
import org.elasticsearch.xpack.core.ssl.SSLConfiguration;
|
||||
import org.elasticsearch.xpack.core.ssl.SSLService;
|
||||
|
@ -29,26 +28,16 @@ public class LdapTestUtils {
|
|||
}
|
||||
|
||||
public static LDAPConnection openConnection(String url, String bindDN, String bindPassword, Path truststore) throws Exception {
|
||||
boolean useGlobalSSL = ESTestCase.randomBoolean();
|
||||
Settings.Builder builder = Settings.builder().put("path.home", LuceneTestCase.createTempDir());
|
||||
MockSecureSettings secureSettings = new MockSecureSettings();
|
||||
builder.setSecureSettings(secureSettings);
|
||||
if (useGlobalSSL) {
|
||||
builder.put("xpack.ssl.truststore.path", truststore);
|
||||
// fake realm to load config with certificate verification mode
|
||||
builder.put("xpack.security.authc.realms.ldap.bar.ssl.truststore.path", truststore);
|
||||
builder.put("xpack.security.authc.realms.ldap.bar.ssl.verification_mode", VerificationMode.CERTIFICATE);
|
||||
secureSettings.setString("xpack.ssl.truststore.secure_password", "changeit");
|
||||
secureSettings.setString("xpack.security.authc.realms.ldap.bar.ssl.truststore.secure_password", "changeit");
|
||||
} else {
|
||||
// fake realms so ssl will get loaded
|
||||
builder.put("xpack.security.authc.realms.ldap.foo.ssl.truststore.path", truststore);
|
||||
builder.put("xpack.security.authc.realms.ldap.foo.ssl.verification_mode", VerificationMode.FULL);
|
||||
builder.put("xpack.security.authc.realms.ldap.bar.ssl.truststore.path", truststore);
|
||||
builder.put("xpack.security.authc.realms.ldap.bar.ssl.verification_mode", VerificationMode.CERTIFICATE);
|
||||
secureSettings.setString("xpack.security.authc.realms.ldap.foo.ssl.truststore.secure_password", "changeit");
|
||||
secureSettings.setString("xpack.security.authc.realms.ldap.bar.ssl.truststore.secure_password", "changeit");
|
||||
}
|
||||
// fake realms so ssl will get loaded
|
||||
builder.put("xpack.security.authc.realms.ldap.foo.ssl.truststore.path", truststore);
|
||||
builder.put("xpack.security.authc.realms.ldap.foo.ssl.verification_mode", VerificationMode.FULL);
|
||||
builder.put("xpack.security.authc.realms.ldap.bar.ssl.truststore.path", truststore);
|
||||
builder.put("xpack.security.authc.realms.ldap.bar.ssl.verification_mode", VerificationMode.CERTIFICATE);
|
||||
secureSettings.setString("xpack.security.authc.realms.ldap.foo.ssl.truststore.secure_password", "changeit");
|
||||
secureSettings.setString("xpack.security.authc.realms.ldap.bar.ssl.truststore.secure_password", "changeit");
|
||||
Settings settings = builder.build();
|
||||
Environment env = TestEnvironment.newEnvironment(settings);
|
||||
SSLService sslService = new SSLService(settings, env);
|
||||
|
@ -60,12 +49,7 @@ public class LdapTestUtils {
|
|||
options.setConnectTimeoutMillis(Math.toIntExact(SessionFactorySettings.TIMEOUT_DEFAULT.millis()));
|
||||
options.setResponseTimeoutMillis(SessionFactorySettings.TIMEOUT_DEFAULT.millis());
|
||||
|
||||
final SSLConfiguration sslConfiguration;
|
||||
if (useGlobalSSL) {
|
||||
sslConfiguration = sslService.getSSLConfiguration("xpack.ssl");
|
||||
} else {
|
||||
sslConfiguration = sslService.getSSLConfiguration("xpack.security.authc.realms.ldap.foo.ssl");
|
||||
}
|
||||
final SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.security.authc.realms.ldap.foo.ssl");
|
||||
return LdapUtils.privilegedConnect(() -> new LDAPConnection(sslService.sslSocketFactory(sslConfiguration), options,
|
||||
ldapurl.getHost(), ldapurl.getPort(), bindDN, bindPassword));
|
||||
}
|
||||
|
|
|
@ -65,7 +65,7 @@ public class LdapUserSearchSessionFactoryTests extends LdapTestCase {
|
|||
|
||||
globalSettings = Settings.builder()
|
||||
.put("path.home", createTempDir())
|
||||
.put("xpack.ssl.certificate_authorities", certPath)
|
||||
.put("xpack.security.transport.ssl.certificate_authorities", certPath)
|
||||
.build();
|
||||
sslService = new SSLService(globalSettings, env);
|
||||
threadPool = new TestThreadPool("LdapUserSearchSessionFactoryTests");
|
||||
|
|
|
@ -18,7 +18,6 @@ import org.elasticsearch.common.network.NetworkAddress;
|
|||
import org.elasticsearch.common.settings.Settings;
|
||||
import org.elasticsearch.common.transport.TransportAddress;
|
||||
import org.elasticsearch.http.HttpServerTransport;
|
||||
import org.elasticsearch.test.SecuritySettingsSource;
|
||||
import org.elasticsearch.test.SecuritySingleNodeTestCase;
|
||||
import org.elasticsearch.transport.Transport;
|
||||
import org.elasticsearch.xpack.core.TestXPackTransportClient;
|
||||
|
@ -41,6 +40,7 @@ import java.util.List;
|
|||
import java.util.Locale;
|
||||
import java.util.stream.Collectors;
|
||||
|
||||
import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForNodePEMFiles;
|
||||
import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForPEMFiles;
|
||||
import static org.hamcrest.Matchers.containsString;
|
||||
import static org.hamcrest.Matchers.is;
|
||||
|
@ -60,17 +60,15 @@ public class PkiAuthenticationTests extends SecuritySingleNodeTestCase {
|
|||
SSLClientAuth sslClientAuth = randomBoolean() ? SSLClientAuth.REQUIRED : SSLClientAuth.OPTIONAL;
|
||||
|
||||
Settings.Builder builder = Settings.builder()
|
||||
.put(super.nodeSettings())
|
||||
.put("xpack.security.http.ssl.enabled", true)
|
||||
.put(super.nodeSettings());
|
||||
addSSLSettingsForNodePEMFiles(builder, "xpack.security.http.", true);
|
||||
builder.put("xpack.security.http.ssl.enabled", true)
|
||||
.put("xpack.security.http.ssl.client_authentication", sslClientAuth)
|
||||
.put("xpack.security.authc.realms.file.file.order", "0")
|
||||
.put("xpack.security.authc.realms.pki.pki1.order", "1")
|
||||
.put("xpack.security.authc.realms.pki.pki1.certificate_authorities",
|
||||
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"))
|
||||
.put("xpack.security.authc.realms.pki.pki1.files.role_mapping", getDataPath("role_mapping.yml"));
|
||||
|
||||
SecuritySettingsSource.addSecureSettings(builder, secureSettings ->
|
||||
secureSettings.setString("xpack.security.authc.realms.pki.pki1.truststore.secure_password", "truststore-testnode-only"));
|
||||
return builder.build();
|
||||
}
|
||||
|
||||
|
@ -158,13 +156,15 @@ public class PkiAuthenticationTests extends SecuritySingleNodeTestCase {
|
|||
|
||||
private TransportClient createTransportClient(Settings additionalSettings) {
|
||||
Settings clientSettings = transportClientSettings();
|
||||
if (additionalSettings.getByPrefix("xpack.ssl.").isEmpty() == false) {
|
||||
clientSettings = clientSettings.filter(k -> k.startsWith("xpack.ssl.") == false);
|
||||
if (additionalSettings.getByPrefix("xpack.security.transport.ssl.").isEmpty() == false) {
|
||||
clientSettings = clientSettings.filter(k -> k.startsWith("xpack.security.transport.ssl.") == false);
|
||||
}
|
||||
|
||||
Settings.Builder builder = Settings.builder().put(clientSettings, false)
|
||||
.put(additionalSettings)
|
||||
.put("cluster.name", node().settings().get("cluster.name"));
|
||||
Settings.Builder builder = Settings.builder()
|
||||
.put("xpack.security.transport.ssl.enabled", true)
|
||||
.put(clientSettings, false)
|
||||
.put(additionalSettings)
|
||||
.put("cluster.name", node().settings().get("cluster.name"));
|
||||
builder.remove(SecurityField.USER_SETTING.getKey());
|
||||
builder.remove("request.headers.Authorization");
|
||||
return new TestXPackTransportClient(builder.build(), LocalStateSecurity.class);
|
||||
|
|
|
@ -52,6 +52,9 @@ public class PkiOptionalClientAuthTests extends SecuritySingleNodeTestCase {
|
|||
.put(super.nodeSettings())
|
||||
.put("xpack.security.http.ssl.enabled", true)
|
||||
.put("xpack.security.http.ssl.client_authentication", SSLClientAuth.OPTIONAL)
|
||||
.put("xpack.security.http.ssl.keystore.path",
|
||||
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"))
|
||||
.put("xpack.security.http.ssl.keystore.password", "testnode")
|
||||
.put("xpack.security.authc.realms.file.file.order", "0")
|
||||
.put("xpack.security.authc.realms.pki.pki1.order", "1")
|
||||
.put("xpack.security.authc.realms.pki.pki1.truststore.path",
|
||||
|
@ -59,10 +62,15 @@ public class PkiOptionalClientAuthTests extends SecuritySingleNodeTestCase {
|
|||
.put("xpack.security.authc.realms.pki.pki1.files.role_mapping", getDataPath("role_mapping.yml"))
|
||||
.put("transport.profiles.want_client_auth.port", randomClientPortRange)
|
||||
.put("transport.profiles.want_client_auth.bind_host", "localhost")
|
||||
.put("transport.profiles.want_client_auth.xpack.security.ssl.keystore.path",
|
||||
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"))
|
||||
.put("transport.profiles.want_client_auth.xpack.security.ssl.keystore.password", "testnode")
|
||||
.put("transport.profiles.want_client_auth.xpack.security.ssl.client_authentication", SSLClientAuth.OPTIONAL);
|
||||
|
||||
SecuritySettingsSource.addSecureSettings(builder, secureSettings ->
|
||||
secureSettings.setString("xpack.security.authc.realms.pki.pki1.truststore.secure_password", "truststore-testnode-only"));
|
||||
SecuritySettingsSource.addSecureSettings(builder, secureSettings -> {
|
||||
secureSettings.setString("xpack.security.authc.realms.pki.pki1.truststore.secure_password", "truststore-testnode-only");
|
||||
secureSettings.setString("xpack.security.http.ssl.keystore.secure_password", "testnode");
|
||||
});
|
||||
return builder.build();
|
||||
|
||||
}
|
||||
|
|
|
@ -123,19 +123,20 @@ public class SamlRealmTests extends SamlTestCase {
|
|||
final Path path = getDataPath("idp1.xml");
|
||||
final String body = new String(Files.readAllBytes(path), StandardCharsets.UTF_8);
|
||||
final MockSecureSettings mockSecureSettings = new MockSecureSettings();
|
||||
mockSecureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
|
||||
mockSecureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode");
|
||||
final Settings settings = Settings.builder()
|
||||
.put("xpack.ssl.key",
|
||||
.put("xpack.security.http.ssl.key",
|
||||
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem"))
|
||||
.put("xpack.ssl.certificate",
|
||||
.put("xpack.security.http.ssl.certificate",
|
||||
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"))
|
||||
.put("xpack.ssl.certificate_authorities",
|
||||
.put("xpack.security.http.ssl.certificate_authorities",
|
||||
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"))
|
||||
.put("path.home", createTempDir())
|
||||
.setSecureSettings(mockSecureSettings)
|
||||
.build();
|
||||
TestsSSLService sslService = new TestsSSLService(settings, TestEnvironment.newEnvironment(settings));
|
||||
try (MockWebServer proxyServer = new MockWebServer(sslService.sslContext(Settings.EMPTY), false)) {
|
||||
try (MockWebServer proxyServer =
|
||||
new MockWebServer(sslService.sslContext("xpack.security.http.ssl"), false)) {
|
||||
proxyServer.start();
|
||||
proxyServer.enqueue(new MockResponse().setResponseCode(200).setBody(body).addHeader("Content-Type", "application/xml"));
|
||||
proxyServer.enqueue(new MockResponse().setResponseCode(200).setBody(body).addHeader("Content-Type", "application/xml"));
|
||||
|
|
|
@ -82,11 +82,11 @@ public abstract class AbstractSimpleSecurityTransportTestCase extends AbstractSi
|
|||
Path testnodeCert = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt");
|
||||
Path testnodeKey = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem");
|
||||
MockSecureSettings secureSettings = new MockSecureSettings();
|
||||
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
|
||||
secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
|
||||
Settings settings1 = Settings.builder()
|
||||
.put("xpack.security.transport.ssl.enabled", true)
|
||||
.put("xpack.ssl.key", testnodeKey)
|
||||
.put("xpack.ssl.certificate", testnodeCert)
|
||||
.put("xpack.security.transport.ssl.key", testnodeKey)
|
||||
.put("xpack.security.transport.ssl.certificate", testnodeCert)
|
||||
.put("path.home", createTempDir())
|
||||
.put(settings)
|
||||
.setSecureSettings(secureSettings)
|
||||
|
@ -153,7 +153,7 @@ public abstract class AbstractSimpleSecurityTransportTestCase extends AbstractSi
|
|||
@SuppressForbidden(reason = "Need to open socket connection")
|
||||
public void testRenegotiation() throws Exception {
|
||||
SSLService sslService = createSSLService();
|
||||
final SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.ssl");
|
||||
final SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
|
||||
SocketFactory factory = sslService.sslSocketFactory(sslConfiguration);
|
||||
try (SSLSocket socket = (SSLSocket) factory.createSocket()) {
|
||||
SocketAccess.doPrivileged(() -> socket.connect(serviceA.boundAddress().publishAddress().address()));
|
||||
|
@ -205,7 +205,7 @@ public abstract class AbstractSimpleSecurityTransportTestCase extends AbstractSi
|
|||
assumeFalse("Can't run in a FIPS JVM, TrustAllConfig is not a SunJSSE TrustManagers", inFipsJvm());
|
||||
SSLService sslService = createSSLService();
|
||||
|
||||
final SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.ssl");
|
||||
final SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
|
||||
SSLContext sslContext = sslService.sslContext(sslConfiguration);
|
||||
final SSLServerSocketFactory serverSocketFactory = sslContext.getServerSocketFactory();
|
||||
final String sniIp = "sni-hostname";
|
||||
|
@ -245,7 +245,9 @@ public abstract class AbstractSimpleSecurityTransportTestCase extends AbstractSi
|
|||
|
||||
InetSocketAddress serverAddress = (InetSocketAddress) SocketAccess.doPrivileged(sslServerSocket::getLocalSocketAddress);
|
||||
|
||||
Settings settings = Settings.builder().put("name", "TS_TEST").put("xpack.ssl.verification_mode", "none").build();
|
||||
Settings settings = Settings.builder().put("name", "TS_TEST")
|
||||
.put("xpack.security.transport.ssl.verification_mode", "none")
|
||||
.build();
|
||||
try (MockTransportService serviceC = build(settings, version0, null, true)) {
|
||||
serviceC.acceptIncomingRequests();
|
||||
|
||||
|
@ -271,7 +273,7 @@ public abstract class AbstractSimpleSecurityTransportTestCase extends AbstractSi
|
|||
assumeFalse("Can't run in a FIPS JVM, TrustAllConfig is not a SunJSSE TrustManagers", inFipsJvm());
|
||||
SSLService sslService = createSSLService();
|
||||
|
||||
final SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.ssl");
|
||||
final SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
|
||||
SSLContext sslContext = sslService.sslContext(sslConfiguration);
|
||||
final SSLServerSocketFactory serverSocketFactory = sslContext.getServerSocketFactory();
|
||||
final String sniIp = "invalid_hostname";
|
||||
|
@ -290,7 +292,9 @@ public abstract class AbstractSimpleSecurityTransportTestCase extends AbstractSi
|
|||
|
||||
InetSocketAddress serverAddress = (InetSocketAddress) SocketAccess.doPrivileged(sslServerSocket::getLocalSocketAddress);
|
||||
|
||||
Settings settings = Settings.builder().put("name", "TS_TEST").put("xpack.ssl.verification_mode", "none").build();
|
||||
Settings settings = Settings.builder().put("name", "TS_TEST")
|
||||
.put("xpack.security.transport.ssl.verification_mode", "none")
|
||||
.build();
|
||||
try (MockTransportService serviceC = build(settings, version0, null, true)) {
|
||||
serviceC.acceptIncomingRequests();
|
||||
|
||||
|
|
|
@ -32,7 +32,6 @@ import org.elasticsearch.transport.TransportResponseHandler;
|
|||
import org.elasticsearch.transport.TransportService;
|
||||
import org.elasticsearch.xpack.core.XPackSettings;
|
||||
import org.elasticsearch.xpack.core.security.SecurityField;
|
||||
import org.elasticsearch.xpack.core.ssl.SSLClientAuth;
|
||||
import org.elasticsearch.xpack.security.LocalStateSecurity;
|
||||
import org.junit.BeforeClass;
|
||||
|
||||
|
@ -41,8 +40,10 @@ import java.nio.file.Files;
|
|||
import java.nio.file.Path;
|
||||
import java.util.Arrays;
|
||||
import java.util.Collection;
|
||||
import java.util.Collections;
|
||||
import java.util.concurrent.CountDownLatch;
|
||||
|
||||
import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForNodePEMFiles;
|
||||
import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForPEMFiles;
|
||||
import static org.elasticsearch.xpack.security.test.SecurityTestUtils.writeFile;
|
||||
import static org.hamcrest.CoreMatchers.equalTo;
|
||||
|
@ -63,13 +64,12 @@ public class ServerTransportFilterIntegrationTests extends SecurityIntegTestCase
|
|||
|
||||
@Override
|
||||
protected Settings nodeSettings(int nodeOrdinal) {
|
||||
Settings.Builder settingsBuilder = Settings.builder();
|
||||
Settings.Builder settingsBuilder = Settings.builder().put(super.nodeSettings(nodeOrdinal));
|
||||
String randomClientPortRange = randomClientPort + "-" + (randomClientPort+100);
|
||||
addSSLSettingsForNodePEMFiles(settingsBuilder, "transport.profiles.client.xpack.security.", true);
|
||||
Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt");
|
||||
settingsBuilder.put(super.nodeSettings(nodeOrdinal))
|
||||
.putList("transport.profiles.client.xpack.security.ssl.certificate_authorities",
|
||||
Arrays.asList(certPath.toString())) // settings for client truststore
|
||||
.put("xpack.ssl.client_authentication", SSLClientAuth.REQUIRED)
|
||||
settingsBuilder.putList("transport.profiles.client.xpack.security.ssl.certificate_authorities",
|
||||
Collections.singletonList(certPath.toString())) // settings for client truststore
|
||||
.put("transport.profiles.client.xpack.security.type", "client")
|
||||
.put("transport.profiles.client.port", randomClientPortRange)
|
||||
// make sure this is "localhost", no matter if ipv4 or ipv6, but be consistent
|
||||
|
@ -82,7 +82,7 @@ public class ServerTransportFilterIntegrationTests extends SecurityIntegTestCase
|
|||
}
|
||||
|
||||
SecuritySettingsSource.addSecureSettings(settingsBuilder, secureSettings ->
|
||||
secureSettings.setString("transport.profiles.client.xpack.security.ssl.truststore.secure_password", "testnode"));
|
||||
secureSettings.setString("transport.profiles.client.xpack.security.ssl.keystore.secure_password", "testnode"));
|
||||
return settingsBuilder.build();
|
||||
}
|
||||
|
||||
|
@ -97,20 +97,20 @@ public class ServerTransportFilterIntegrationTests extends SecurityIntegTestCase
|
|||
|
||||
// test that starting up a node works
|
||||
Settings.Builder nodeSettings = Settings.builder()
|
||||
.put("node.name", "my-test-node")
|
||||
.put("network.host", "localhost")
|
||||
.put("cluster.name", internalCluster().getClusterName())
|
||||
.put("discovery.zen.ping.unicast.hosts", unicastHost)
|
||||
.put("discovery.zen.minimum_master_nodes",
|
||||
internalCluster().getInstance(Settings.class).get("discovery.zen.minimum_master_nodes"))
|
||||
.put("xpack.security.enabled", true)
|
||||
.put("xpack.security.audit.enabled", false)
|
||||
.put(XPackSettings.WATCHER_ENABLED.getKey(), false)
|
||||
.put("path.home", home)
|
||||
.put(Node.NODE_MASTER_SETTING.getKey(), false)
|
||||
.put(TestZenDiscovery.USE_ZEN2.getKey(), getUseZen2())
|
||||
.put(TestZenDiscovery.USE_MOCK_PINGS.getKey(), false);
|
||||
//.put("xpack.ml.autodetect_process", false);
|
||||
.put("node.name", "my-test-node")
|
||||
.put("network.host", "localhost")
|
||||
.put("cluster.name", internalCluster().getClusterName())
|
||||
.put("discovery.zen.ping.unicast.hosts", unicastHost)
|
||||
.put("discovery.zen.minimum_master_nodes",
|
||||
internalCluster().getInstance(Settings.class).get("discovery.zen.minimum_master_nodes"))
|
||||
.put("xpack.security.enabled", true)
|
||||
.put("xpack.security.audit.enabled", false)
|
||||
.put("xpack.security.transport.ssl.enabled", true)
|
||||
.put(XPackSettings.WATCHER_ENABLED.getKey(), false)
|
||||
.put("path.home", home)
|
||||
.put(Node.NODE_MASTER_SETTING.getKey(), false)
|
||||
.put(TestZenDiscovery.USE_ZEN2.getKey(), getUseZen2())
|
||||
.put(TestZenDiscovery.USE_MOCK_PINGS.getKey(), false);
|
||||
Collection<Class<? extends Plugin>> mockPlugins = Arrays.asList(
|
||||
LocalStateSecurity.class, TestZenDiscovery.TestPlugin.class, MockHttpTransport.TestPlugin.class);
|
||||
addSSLSettingsForPEMFiles(
|
||||
|
@ -139,22 +139,22 @@ public class ServerTransportFilterIntegrationTests extends SecurityIntegTestCase
|
|||
|
||||
// test that starting up a node works
|
||||
Settings.Builder nodeSettings = Settings.builder()
|
||||
.put("xpack.security.authc.realms.file.file.order", 0)
|
||||
.put("node.name", "my-test-node")
|
||||
.put(SecurityField.USER_SETTING.getKey(), "test_user:" + SecuritySettingsSourceField.TEST_PASSWORD)
|
||||
.put("cluster.name", internalCluster().getClusterName())
|
||||
.put("discovery.zen.ping.unicast.hosts", unicastHost)
|
||||
.put("discovery.zen.minimum_master_nodes",
|
||||
internalCluster().getInstance(Settings.class).get("discovery.zen.minimum_master_nodes"))
|
||||
.put("xpack.security.enabled", true)
|
||||
.put("xpack.security.audit.enabled", false)
|
||||
.put(XPackSettings.WATCHER_ENABLED.getKey(), false)
|
||||
.put("discovery.initial_state_timeout", "0s")
|
||||
.put("path.home", home)
|
||||
.put(Node.NODE_MASTER_SETTING.getKey(), false)
|
||||
.put(TestZenDiscovery.USE_ZEN2.getKey(), getUseZen2())
|
||||
.put(TestZenDiscovery.USE_MOCK_PINGS.getKey(), false);
|
||||
//.put("xpack.ml.autodetect_process", false);
|
||||
.put("xpack.security.authc.realms.file.file.order", 0)
|
||||
.put("node.name", "my-test-node")
|
||||
.put(SecurityField.USER_SETTING.getKey(), "test_user:" + SecuritySettingsSourceField.TEST_PASSWORD)
|
||||
.put("cluster.name", internalCluster().getClusterName())
|
||||
.put("discovery.zen.ping.unicast.hosts", unicastHost)
|
||||
.put("discovery.zen.minimum_master_nodes",
|
||||
internalCluster().getInstance(Settings.class).get("discovery.zen.minimum_master_nodes"))
|
||||
.put("xpack.security.enabled", true)
|
||||
.put("xpack.security.audit.enabled", false)
|
||||
.put("xpack.security.transport.ssl.enabled", true)
|
||||
.put(XPackSettings.WATCHER_ENABLED.getKey(), false)
|
||||
.put("discovery.initial_state_timeout", "0s")
|
||||
.put("path.home", home)
|
||||
.put(Node.NODE_MASTER_SETTING.getKey(), false)
|
||||
.put(TestZenDiscovery.USE_ZEN2.getKey(), getUseZen2())
|
||||
.put(TestZenDiscovery.USE_MOCK_PINGS.getKey(), false);
|
||||
Collection<Class<? extends Plugin>> mockPlugins = Arrays.asList(
|
||||
LocalStateSecurity.class, TestZenDiscovery.TestPlugin.class, MockHttpTransport.TestPlugin.class);
|
||||
addSSLSettingsForPEMFiles(
|
||||
|
@ -162,7 +162,7 @@ public class ServerTransportFilterIntegrationTests extends SecurityIntegTestCase
|
|||
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem",
|
||||
"testnode",
|
||||
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt",
|
||||
Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"));
|
||||
Collections.singletonList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"));
|
||||
try (Node node = new MockNode(nodeSettings.build(), mockPlugins)) {
|
||||
node.start();
|
||||
TransportService instance = node.injector().getInstance(TransportService.class);
|
||||
|
|
|
@ -33,7 +33,7 @@ public class IPHostnameVerificationTests extends SecurityIntegTestCase {
|
|||
protected Settings nodeSettings(int nodeOrdinal) {
|
||||
Settings settings = super.nodeSettings(nodeOrdinal);
|
||||
Settings.Builder builder = Settings.builder()
|
||||
.put(settings.filter((s) -> s.startsWith("xpack.ssl.") == false), false);
|
||||
.put(settings.filter((s) -> s.startsWith("xpack.security.transport.ssl.") == false), false);
|
||||
settings = builder.build();
|
||||
|
||||
// The default Unicast test behavior is to use 'localhost' with the port number. For this test we need to use IP
|
||||
|
@ -56,27 +56,27 @@ public class IPHostnameVerificationTests extends SecurityIntegTestCase {
|
|||
}
|
||||
|
||||
SecuritySettingsSource.addSecureSettings(settingsBuilder, secureSettings -> {
|
||||
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode-ip-only");
|
||||
secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode-ip-only");
|
||||
});
|
||||
return settingsBuilder.put("xpack.ssl.key", keyPath.toAbsolutePath())
|
||||
.put("xpack.ssl.certificate", certPath.toAbsolutePath())
|
||||
.put("xpack.ssl.certificate_authorities", certPath.toAbsolutePath())
|
||||
return settingsBuilder.put("xpack.security.transport.ssl.key", keyPath.toAbsolutePath())
|
||||
.put("xpack.security.transport.ssl.certificate", certPath.toAbsolutePath())
|
||||
.put("xpack.security.transport.ssl.certificate_authorities", certPath.toAbsolutePath())
|
||||
.put(TransportSettings.BIND_HOST.getKey(), "127.0.0.1")
|
||||
.put("network.host", "127.0.0.1")
|
||||
.put("xpack.ssl.client_authentication", SSLClientAuth.NONE)
|
||||
.put("xpack.ssl.verification_mode", "full")
|
||||
.put("xpack.security.transport.ssl.client_authentication", SSLClientAuth.NONE)
|
||||
.put("xpack.security.transport.ssl.verification_mode", "full")
|
||||
.build();
|
||||
}
|
||||
|
||||
@Override
|
||||
protected Settings transportClientSettings() {
|
||||
Settings clientSettings = super.transportClientSettings();
|
||||
return Settings.builder().put(clientSettings.filter(k -> k.startsWith("xpack.ssl.") == false))
|
||||
.put("xpack.ssl.verification_mode", "certificate")
|
||||
.put("xpack.ssl.key", keyPath.toAbsolutePath())
|
||||
.put("xpack.ssl.certificate", certPath.toAbsolutePath())
|
||||
.put("xpack.ssl.key_passphrase", "testnode-ip-only")
|
||||
.put("xpack.ssl.certificate_authorities", certPath)
|
||||
return Settings.builder().put(clientSettings.filter(k -> k.startsWith("xpack.security.transport.ssl.") == false))
|
||||
.put("xpack.security.transport.ssl.verification_mode", "certificate")
|
||||
.put("xpack.security.transport.ssl.key", keyPath.toAbsolutePath())
|
||||
.put("xpack.security.transport.ssl.certificate", certPath.toAbsolutePath())
|
||||
.put("xpack.security.transport.ssl.key_passphrase", "testnode-ip-only")
|
||||
.put("xpack.security.transport.ssl.certificate_authorities", certPath)
|
||||
.build();
|
||||
}
|
||||
|
||||
|
|
|
@ -42,15 +42,15 @@ public class SecurityNetty4HttpServerTransportTests extends ESTestCase {
|
|||
private Path testnodeCert;
|
||||
private Path testnodeKey;
|
||||
@Before
|
||||
public void createSSLService() throws Exception {
|
||||
public void createSSLService() {
|
||||
testnodeCert = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt");
|
||||
testnodeKey = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem");
|
||||
|
||||
MockSecureSettings secureSettings = new MockSecureSettings();
|
||||
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
|
||||
secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode");
|
||||
Settings settings = Settings.builder()
|
||||
.put("xpack.ssl.key", testnodeKey)
|
||||
.put("xpack.ssl.certificate", testnodeCert)
|
||||
.put("xpack.security.http.ssl.key", testnodeKey)
|
||||
.put("xpack.security.http.ssl.certificate", testnodeCert)
|
||||
.put("path.home", createTempDir())
|
||||
.setSecureSettings(secureSettings)
|
||||
.build();
|
||||
|
@ -149,7 +149,7 @@ public class SecurityNetty4HttpServerTransportTests extends ESTestCase {
|
|||
|
||||
public void testThatExceptionIsThrownWhenConfiguredWithoutSslKey() throws Exception {
|
||||
Settings settings = Settings.builder()
|
||||
.put("xpack.ssl.certificate_authorities", testnodeCert)
|
||||
.put("xpack.security.http.ssl.certificate_authorities", testnodeCert)
|
||||
.put(XPackSettings.HTTP_SSL_ENABLED.getKey(), true)
|
||||
.put("path.home", createTempDir())
|
||||
.build();
|
||||
|
@ -163,10 +163,10 @@ public class SecurityNetty4HttpServerTransportTests extends ESTestCase {
|
|||
|
||||
public void testNoExceptionWhenConfiguredWithoutSslKeySSLDisabled() throws Exception {
|
||||
MockSecureSettings secureSettings = new MockSecureSettings();
|
||||
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
|
||||
secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode");
|
||||
Settings settings = Settings.builder()
|
||||
.put("xpack.ssl.key", testnodeKey)
|
||||
.put("xpack.ssl.certificate", testnodeCert)
|
||||
.put("xpack.security.http.ssl.key", testnodeKey)
|
||||
.put("xpack.security.http.ssl.certificate", testnodeCert)
|
||||
.setSecureSettings(secureSettings)
|
||||
.put("path.home", createTempDir())
|
||||
.build();
|
||||
|
|
|
@ -21,11 +21,9 @@ import org.elasticsearch.test.ESTestCase;
|
|||
import org.elasticsearch.threadpool.ThreadPool;
|
||||
import org.elasticsearch.xpack.core.security.transport.netty4.SecurityNetty4Transport;
|
||||
import org.elasticsearch.xpack.core.ssl.SSLClientAuth;
|
||||
import org.elasticsearch.xpack.core.ssl.SSLConfiguration;
|
||||
import org.elasticsearch.xpack.core.ssl.SSLService;
|
||||
import org.junit.Before;
|
||||
|
||||
import javax.net.ssl.SSLEngine;
|
||||
import java.nio.file.Path;
|
||||
import java.util.Collections;
|
||||
import java.util.Locale;
|
||||
|
@ -44,11 +42,11 @@ public class SecurityNetty4ServerTransportTests extends ESTestCase {
|
|||
Path testnodeCert = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt");
|
||||
Path testnodeKey = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem");
|
||||
MockSecureSettings secureSettings = new MockSecureSettings();
|
||||
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
|
||||
secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
|
||||
Settings settings = Settings.builder()
|
||||
.put("xpack.security.transport.ssl.enabled", true)
|
||||
.put("xpack.ssl.key", testnodeKey)
|
||||
.put("xpack.ssl.certificate", testnodeCert)
|
||||
.put("xpack.security.transport.ssl.key", testnodeKey)
|
||||
.put("xpack.security.transport.ssl.certificate", testnodeCert)
|
||||
.setSecureSettings(secureSettings)
|
||||
.put("path.home", createTempDir())
|
||||
.build();
|
||||
|
@ -97,7 +95,7 @@ public class SecurityNetty4ServerTransportTests extends ESTestCase {
|
|||
String value = randomFrom(SSLClientAuth.REQUIRED.name(), SSLClientAuth.REQUIRED.name().toLowerCase(Locale.ROOT));
|
||||
Settings settings = Settings.builder()
|
||||
.put(env.settings())
|
||||
.put("xpack.ssl.client_authentication", value)
|
||||
.put("xpack.security.transport.ssl.client_authentication", value)
|
||||
.build();
|
||||
sslService = new SSLService(settings, env);
|
||||
SecurityNetty4Transport transport = createTransport(settings);
|
||||
|
@ -111,7 +109,7 @@ public class SecurityNetty4ServerTransportTests extends ESTestCase {
|
|||
String value = randomFrom(SSLClientAuth.NONE.name(), SSLClientAuth.NONE.name().toLowerCase(Locale.ROOT));
|
||||
Settings settings = Settings.builder()
|
||||
.put(env.settings())
|
||||
.put("xpack.ssl.client_authentication", value)
|
||||
.put("xpack.security.transport.ssl.client_authentication", value)
|
||||
.build();
|
||||
sslService = new SSLService(settings, env);
|
||||
SecurityNetty4Transport transport = createTransport(settings);
|
||||
|
@ -125,7 +123,7 @@ public class SecurityNetty4ServerTransportTests extends ESTestCase {
|
|||
String value = randomFrom(SSLClientAuth.OPTIONAL.name(), SSLClientAuth.OPTIONAL.name().toLowerCase(Locale.ROOT));
|
||||
Settings settings = Settings.builder()
|
||||
.put(env.settings())
|
||||
.put("xpack.ssl.client_authentication", value)
|
||||
.put("xpack.security.transport.ssl.client_authentication", value)
|
||||
.build();
|
||||
sslService = new SSLService(settings, env);
|
||||
SecurityNetty4Transport transport = createTransport(settings);
|
||||
|
@ -179,36 +177,4 @@ public class SecurityNetty4ServerTransportTests extends ESTestCase {
|
|||
assertThat(ch.pipeline().get(SslHandler.class).engine().getNeedClientAuth(), is(false));
|
||||
assertThat(ch.pipeline().get(SslHandler.class).engine().getWantClientAuth(), is(true));
|
||||
}
|
||||
|
||||
public void testTransportSSLOverridesGlobalSSL() throws Exception {
|
||||
MockSecureSettings secureSettings = new MockSecureSettings();
|
||||
secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
|
||||
Settings.Builder builder = Settings.builder()
|
||||
.put("xpack.security.transport.ssl.enabled", true)
|
||||
.put("xpack.security.transport.ssl.key",
|
||||
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem"))
|
||||
.put("xpack.security.transport.ssl.certificate",
|
||||
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"))
|
||||
.put("xpack.security.transport.ssl.client_authentication", "none")
|
||||
.put("xpack.ssl.certificate_authorities",
|
||||
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"))
|
||||
.setSecureSettings(secureSettings)
|
||||
.put("path.home", createTempDir());
|
||||
Settings settings = builder.build();
|
||||
env = TestEnvironment.newEnvironment(settings);
|
||||
sslService = new SSLService(settings, env);
|
||||
SecurityNetty4Transport transport = createTransport(settings);
|
||||
final ChannelHandler handler = transport.getServerChannelInitializer("default");
|
||||
final EmbeddedChannel ch = new EmbeddedChannel(handler);
|
||||
final SSLEngine engine = ch.pipeline().get(SslHandler.class).engine();
|
||||
assertFalse(engine.getNeedClientAuth());
|
||||
assertFalse(engine.getWantClientAuth());
|
||||
|
||||
// get the global and verify that it is different in that it requires client auth
|
||||
SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.ssl");
|
||||
assertNotNull(configuration);
|
||||
final SSLEngine globalEngine = sslService.createSSLEngine(configuration, null, -1);
|
||||
assertTrue(globalEngine.getNeedClientAuth());
|
||||
assertFalse(globalEngine.getWantClientAuth());
|
||||
}
|
||||
}
|
||||
|
|
|
@ -35,7 +35,7 @@ public class SslHostnameVerificationTests extends SecurityIntegTestCase {
|
|||
protected Settings nodeSettings(int nodeOrdinal) {
|
||||
Settings settings = super.nodeSettings(nodeOrdinal);
|
||||
Settings.Builder settingsBuilder = Settings.builder();
|
||||
settingsBuilder.put(settings.filter(k -> k.startsWith("xpack.ssl.") == false), false);
|
||||
settingsBuilder.put(settings.filter(k -> k.startsWith("xpack.security.transport.ssl.") == false), false);
|
||||
Path keyPath;
|
||||
Path certPath;
|
||||
Path nodeCertPath;
|
||||
|
@ -58,14 +58,15 @@ public class SslHostnameVerificationTests extends SecurityIntegTestCase {
|
|||
}
|
||||
|
||||
SecuritySettingsSource.addSecureSettings(settingsBuilder, secureSettings -> {
|
||||
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode-no-subjaltname");
|
||||
secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode-no-subjaltname");
|
||||
});
|
||||
return settingsBuilder.put("xpack.ssl.key", keyPath.toAbsolutePath())
|
||||
.put("xpack.ssl.certificate", certPath.toAbsolutePath())
|
||||
.putList("xpack.ssl.certificate_authorities", Arrays.asList(certPath.toString(), nodeCertPath.toString()))
|
||||
// disable hostname verification as this test uses certs without a valid SAN or DNS in the CN
|
||||
.put("xpack.ssl.verification_mode", "certificate")
|
||||
.build();
|
||||
return settingsBuilder.put("xpack.security.transport.ssl.key", keyPath.toAbsolutePath())
|
||||
.put("xpack.security.transport.ssl.certificate", certPath.toAbsolutePath())
|
||||
.putList("xpack.security.transport.ssl.certificate_authorities",
|
||||
Arrays.asList(certPath.toString(), nodeCertPath.toString()))
|
||||
// disable hostname verification as this test uses certs without a valid SAN or DNS in the CN
|
||||
.put("xpack.security.transport.ssl.verification_mode", "certificate")
|
||||
.build();
|
||||
}
|
||||
|
||||
@Override
|
||||
|
@ -89,13 +90,13 @@ public class SslHostnameVerificationTests extends SecurityIntegTestCase {
|
|||
Settings settings = super.transportClientSettings();
|
||||
// remove all ssl settings
|
||||
Settings.Builder builder = Settings.builder();
|
||||
builder.put(settings.filter( k -> k.startsWith("xpack.ssl.") == false), false);
|
||||
builder.put(settings.filter(k -> k.startsWith("xpack.security.transport.ssl.") == false), false);
|
||||
|
||||
builder.put("xpack.ssl.verification_mode", "certificate")
|
||||
.put("xpack.ssl.key", keyPath.toAbsolutePath())
|
||||
.put("xpack.ssl.key_passphrase", "testnode-no-subjaltname")
|
||||
.put("xpack.ssl.certificate", certPath.toAbsolutePath())
|
||||
.putList("xpack.ssl.certificate_authorities", Arrays.asList(certPath.toString(), nodeCertPath.toString()));
|
||||
builder.put("xpack.security.transport.ssl.verification_mode", "certificate")
|
||||
.put("xpack.security.transport.ssl.key", keyPath.toAbsolutePath())
|
||||
.put("xpack.security.transport.ssl.key_passphrase", "testnode-no-subjaltname")
|
||||
.put("xpack.security.transport.ssl.certificate", certPath.toAbsolutePath())
|
||||
.putList("xpack.security.transport.ssl.certificate_authorities", Arrays.asList(certPath.toString(), nodeCertPath.toString()));
|
||||
return builder.build();
|
||||
}
|
||||
|
||||
|
@ -105,7 +106,7 @@ public class SslHostnameVerificationTests extends SecurityIntegTestCase {
|
|||
InetSocketAddress inetSocketAddress = transportAddress.address();
|
||||
|
||||
Settings settings = Settings.builder().put(transportClientSettings())
|
||||
.put("xpack.ssl.verification_mode", "full")
|
||||
.put("xpack.security.transport.ssl.verification_mode", "full")
|
||||
.build();
|
||||
|
||||
try (TransportClient client = new TestXPackTransportClient(settings, LocalStateSecurity.class)) {
|
||||
|
|
|
@ -52,10 +52,10 @@ public class SecurityNioHttpServerTransportTests extends ESTestCase {
|
|||
Path testNodeKey = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem");
|
||||
Path testNodeCert = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt");
|
||||
MockSecureSettings secureSettings = new MockSecureSettings();
|
||||
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
|
||||
secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode");
|
||||
Settings settings = Settings.builder()
|
||||
.put("xpack.ssl.key", testNodeKey)
|
||||
.put("xpack.ssl.certificate", testNodeCert)
|
||||
.put("xpack.security.http.ssl.key", testNodeKey)
|
||||
.put("xpack.security.http.ssl.certificate", testNodeCert)
|
||||
.put("path.home", createTempDir())
|
||||
.setSecureSettings(secureSettings)
|
||||
.build();
|
||||
|
@ -173,9 +173,9 @@ public class SecurityNioHttpServerTransportTests extends ESTestCase {
|
|||
|
||||
public void testThatExceptionIsThrownWhenConfiguredWithoutSslKey() {
|
||||
MockSecureSettings secureSettings = new MockSecureSettings();
|
||||
secureSettings.setString("xpack.ssl.truststore.secure_password", "testnode");
|
||||
secureSettings.setString("xpack.security.http.ssl.truststore.secure_password", "testnode");
|
||||
Settings settings = Settings.builder()
|
||||
.put("xpack.ssl.truststore.path",
|
||||
.put("xpack.security.http.ssl.truststore.path",
|
||||
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"))
|
||||
.setSecureSettings(secureSettings)
|
||||
.put(XPackSettings.HTTP_SSL_ENABLED.getKey(), true)
|
||||
|
@ -193,9 +193,9 @@ public class SecurityNioHttpServerTransportTests extends ESTestCase {
|
|||
|
||||
public void testNoExceptionWhenConfiguredWithoutSslKeySSLDisabled() {
|
||||
MockSecureSettings secureSettings = new MockSecureSettings();
|
||||
secureSettings.setString("xpack.ssl.truststore.secure_password", "testnode");
|
||||
secureSettings.setString("xpack.security.http.ssl.truststore.secure_password", "testnode");
|
||||
Settings settings = Settings.builder()
|
||||
.put("xpack.ssl.truststore.path",
|
||||
.put("xpack.security.http.ssl.truststore.path",
|
||||
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"))
|
||||
.setSecureSettings(secureSettings)
|
||||
.put("path.home", createTempDir())
|
||||
|
|
|
@ -42,11 +42,13 @@ public class EllipticCurveSSLTests extends SecurityIntegTestCase {
|
|||
final Path keyPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/prime256v1-key.pem");
|
||||
final Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/prime256v1-cert.pem");
|
||||
return Settings.builder()
|
||||
.put(super.nodeSettings(nodeOrdinal).filter(s -> s.startsWith("xpack.ssl") == false))
|
||||
.put("xpack.ssl.key", keyPath)
|
||||
.put("xpack.ssl.certificate", certPath)
|
||||
.put("xpack.ssl.certificate_authorities", certPath)
|
||||
.put("xpack.ssl.verification_mode", "certificate") // disable hostname verificate since these certs aren't setup for that
|
||||
.put(super.nodeSettings(nodeOrdinal).filter(s -> s.startsWith("xpack.security.transport.ssl") == false))
|
||||
.put("xpack.security.transport.ssl.enabled", true)
|
||||
.put("xpack.security.transport.ssl.key", keyPath)
|
||||
.put("xpack.security.transport.ssl.certificate", certPath)
|
||||
.put("xpack.security.transport.ssl.certificate_authorities", certPath)
|
||||
// disable hostname verificate since these certs aren't setup for that
|
||||
.put("xpack.security.transport.ssl.verification_mode", "certificate")
|
||||
.build();
|
||||
}
|
||||
|
||||
|
@ -55,11 +57,13 @@ public class EllipticCurveSSLTests extends SecurityIntegTestCase {
|
|||
final Path keyPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/prime256v1-key.pem");
|
||||
final Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/prime256v1-cert.pem");
|
||||
return Settings.builder()
|
||||
.put(super.transportClientSettings().filter(s -> s.startsWith("xpack.ssl") == false))
|
||||
.put("xpack.ssl.key", keyPath)
|
||||
.put("xpack.ssl.certificate", certPath)
|
||||
.put("xpack.ssl.certificate_authorities", certPath)
|
||||
.put("xpack.ssl.verification_mode", "certificate") // disable hostname verification since these certs aren't setup for that
|
||||
.put(super.transportClientSettings().filter(s -> s.startsWith("xpack.security.transport.ssl") == false))
|
||||
.put("xpack.security.transport.ssl.enabled", true)
|
||||
.put("xpack.security.transport.ssl.key", keyPath)
|
||||
.put("xpack.security.transport.ssl.certificate", certPath)
|
||||
.put("xpack.security.transport.ssl.certificate_authorities", certPath)
|
||||
// disable hostname verificate since these certs aren't setup for that
|
||||
.put("xpack.security.transport.ssl.verification_mode", "certificate")
|
||||
.build();
|
||||
}
|
||||
|
||||
|
|
|
@ -48,6 +48,7 @@ import javax.net.ssl.SSLContext;
|
|||
import javax.net.ssl.SSLHandshakeException;
|
||||
import javax.net.ssl.TrustManagerFactory;
|
||||
|
||||
import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForNodePEMFiles;
|
||||
import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForPEMFiles;
|
||||
import static org.hamcrest.CoreMatchers.is;
|
||||
import static org.hamcrest.Matchers.containsString;
|
||||
|
@ -61,8 +62,9 @@ public class SslIntegrationTests extends SecurityIntegTestCase {
|
|||
|
||||
@Override
|
||||
protected Settings nodeSettings(int nodeOrdinal) {
|
||||
return Settings.builder().put(super.nodeSettings(nodeOrdinal))
|
||||
.put("xpack.security.http.ssl.enabled", true).build();
|
||||
final Settings.Builder builder = Settings.builder().put(super.nodeSettings(nodeOrdinal));
|
||||
addSSLSettingsForNodePEMFiles(builder, "xpack.security.http.", randomBoolean());
|
||||
return builder.put("xpack.security.http.ssl.enabled", true).build();
|
||||
}
|
||||
|
||||
@Override
|
||||
|
@ -82,7 +84,7 @@ public class SslIntegrationTests extends SecurityIntegTestCase {
|
|||
.put(transportClientSettings())
|
||||
.put("node.name", "programmatic_transport_client")
|
||||
.put("cluster.name", internalCluster().getClusterName())
|
||||
.putList("xpack.ssl.cipher_suites", unconfiguredCiphers)
|
||||
.putList("xpack.security.transport.ssl.cipher_suites", unconfiguredCiphers)
|
||||
.build(), LocalStateSecurity.class)) {
|
||||
|
||||
TransportAddress transportAddress = randomFrom(internalCluster().getInstance(Transport.class).boundAddress().boundAddresses());
|
||||
|
@ -101,7 +103,7 @@ public class SslIntegrationTests extends SecurityIntegTestCase {
|
|||
.put(transportClientSettings())
|
||||
.put("node.name", "programmatic_transport_client")
|
||||
.put("cluster.name", internalCluster().getClusterName())
|
||||
.putList("xpack.ssl.supported_protocols", new String[]{"SSLv3"})
|
||||
.putList("xpack.security.transport.ssl.supported_protocols", new String[]{"SSLv3"})
|
||||
.build(), LocalStateSecurity.class)) {
|
||||
|
||||
TransportAddress transportAddress = randomFrom(internalCluster().getInstance(Transport.class).boundAddress().boundAddresses());
|
||||
|
@ -120,13 +122,14 @@ public class SslIntegrationTests extends SecurityIntegTestCase {
|
|||
builder, "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.pem",
|
||||
"testclient",
|
||||
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt",
|
||||
"xpack.security.http.",
|
||||
Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"));
|
||||
SSLService service = new SSLService(builder.build(), null);
|
||||
|
||||
CredentialsProvider provider = new BasicCredentialsProvider();
|
||||
provider.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials(nodeClientUsername(),
|
||||
new String(nodeClientPassword().getChars())));
|
||||
SSLConfiguration sslConfiguration = service.getSSLConfiguration("xpack.ssl");
|
||||
SSLConfiguration sslConfiguration = service.getSSLConfiguration("xpack.security.http.ssl");
|
||||
try (CloseableHttpClient client = HttpClients.custom()
|
||||
.setSSLSocketFactory(new SSLConnectionSocketFactory(service.sslSocketFactory(sslConfiguration),
|
||||
SSLConnectionSocketFactory.getDefaultHostnameVerifier()))
|
||||
|
|
|
@ -24,6 +24,7 @@ import java.util.Arrays;
|
|||
import java.util.Collections;
|
||||
|
||||
import static org.elasticsearch.test.SecuritySettingsSource.TEST_USER_NAME;
|
||||
import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForNodePEMFiles;
|
||||
import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForPEMFiles;
|
||||
import static org.elasticsearch.test.SecuritySettingsSourceField.TEST_PASSWORD;
|
||||
import static org.hamcrest.CoreMatchers.is;
|
||||
|
@ -61,17 +62,17 @@ public class SslMultiPortTests extends SecurityIntegTestCase {
|
|||
throw new RuntimeException(e);
|
||||
}
|
||||
|
||||
Settings settings = Settings.builder()
|
||||
.put(super.nodeSettings(nodeOrdinal))
|
||||
// client set up here
|
||||
.put("transport.profiles.client.port", randomClientPortRange)
|
||||
Settings.Builder builder = Settings.builder().put(super.nodeSettings(nodeOrdinal));
|
||||
addSSLSettingsForNodePEMFiles(builder, "transport.profiles.client.xpack.security.", true);
|
||||
builder.put("transport.profiles.client.port", randomClientPortRange)
|
||||
// make sure this is "localhost", no matter if ipv4 or ipv6, but be consistent
|
||||
.put("transport.profiles.client.bind_host", "localhost")
|
||||
.put("transport.profiles.client.xpack.security.ssl.certificate_authorities", trustCert.toAbsolutePath())
|
||||
.put("transport.profiles.no_client_auth.port", randomNoClientAuthPortRange)
|
||||
.put("transport.profiles.client.xpack.security.ssl.certificate_authorities", trustCert.toAbsolutePath());
|
||||
addSSLSettingsForNodePEMFiles(builder, "transport.profiles.no_client_auth.xpack.security.", true);
|
||||
builder.put("transport.profiles.no_client_auth.port", randomNoClientAuthPortRange)
|
||||
.put("transport.profiles.no_client_auth.bind_host", "localhost")
|
||||
.put("transport.profiles.no_client_auth.xpack.security.ssl.client_authentication", SSLClientAuth.NONE)
|
||||
.build();
|
||||
.put("transport.profiles.no_client_auth.xpack.security.ssl.client_authentication", SSLClientAuth.NONE);
|
||||
final Settings settings = builder.build();
|
||||
logger.info("node {} settings:\n{}", nodeOrdinal, settings);
|
||||
return settings;
|
||||
}
|
||||
|
@ -83,7 +84,7 @@ public class SslMultiPortTests extends SecurityIntegTestCase {
|
|||
|
||||
private TransportClient createTransportClient(Settings additionalSettings) {
|
||||
Settings settings = Settings.builder()
|
||||
.put(transportClientSettings().filter(s -> s.startsWith("xpack.ssl") == false))
|
||||
.put(transportClientSettings().filter(s -> s.startsWith("xpack.security.transport.ssl") == false))
|
||||
.put("node.name", "programmatic_transport_client")
|
||||
.put("cluster.name", internalCluster().getClusterName())
|
||||
.put("xpack.security.transport.ssl.enabled", true)
|
||||
|
@ -270,7 +271,7 @@ public class SslMultiPortTests extends SecurityIntegTestCase {
|
|||
.put(SecurityField.USER_SETTING.getKey(), TEST_USER_NAME + ":" + TEST_PASSWORD)
|
||||
.put("cluster.name", internalCluster().getClusterName())
|
||||
.put("xpack.security.transport.ssl.enabled", true)
|
||||
.put("xpack.ssl.certificate_authorities",
|
||||
.put("xpack.security.transport.ssl.certificate_authorities",
|
||||
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"))
|
||||
.build();
|
||||
try (TransportClient transportClient = new TestXPackTransportClient(settings,
|
||||
|
@ -290,8 +291,8 @@ public class SslMultiPortTests extends SecurityIntegTestCase {
|
|||
.put(SecurityField.USER_SETTING.getKey(), TEST_USER_NAME + ":" + TEST_PASSWORD)
|
||||
.put("cluster.name", internalCluster().getClusterName())
|
||||
.put("xpack.security.transport.ssl.enabled", true)
|
||||
.put("xpack.ssl.client_authentication", SSLClientAuth.REQUIRED)
|
||||
.put("xpack.ssl.certificate_authorities",
|
||||
.put("xpack.security.transport.ssl.client_authentication", SSLClientAuth.REQUIRED)
|
||||
.put("xpack.security.transport.ssl.certificate_authorities",
|
||||
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"))
|
||||
.build();
|
||||
try (TransportClient transportClient = new TestXPackTransportClient(settings,
|
||||
|
@ -314,8 +315,8 @@ public class SslMultiPortTests extends SecurityIntegTestCase {
|
|||
.put(SecurityField.USER_SETTING.getKey(), TEST_USER_NAME + ":" + TEST_PASSWORD)
|
||||
.put("cluster.name", internalCluster().getClusterName())
|
||||
.put("xpack.security.transport.ssl.enabled", true)
|
||||
.put("xpack.ssl.client_authentication", SSLClientAuth.REQUIRED)
|
||||
.put("xpack.ssl.certificate_authorities",
|
||||
.put("xpack.security.transport.ssl.client_authentication", SSLClientAuth.REQUIRED)
|
||||
.put("xpack.security.transport.ssl.certificate_authorities",
|
||||
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"))
|
||||
.build();
|
||||
try (TransportClient transportClient = new TestXPackTransportClient(settings,
|
||||
|
@ -337,7 +338,7 @@ public class SslMultiPortTests extends SecurityIntegTestCase {
|
|||
Settings settings = Settings.builder()
|
||||
.put(SecurityField.USER_SETTING.getKey(), TEST_USER_NAME + ":" + TEST_PASSWORD)
|
||||
.put("cluster.name", internalCluster().getClusterName())
|
||||
.put("xpack.ssl.client_authentication", SSLClientAuth.REQUIRED)
|
||||
.put("xpack.security.transport.ssl.client_authentication", SSLClientAuth.REQUIRED)
|
||||
.put("xpack.security.transport.ssl.enabled", true)
|
||||
.build();
|
||||
try (TransportClient transportClient = new TestXPackTransportClient(settings,
|
||||
|
@ -359,7 +360,7 @@ public class SslMultiPortTests extends SecurityIntegTestCase {
|
|||
Settings settings = Settings.builder()
|
||||
.put(SecurityField.USER_SETTING.getKey(), TEST_USER_NAME + ":" + TEST_PASSWORD)
|
||||
.put("cluster.name", internalCluster().getClusterName())
|
||||
.put("xpack.ssl.client_authentication", SSLClientAuth.REQUIRED)
|
||||
.put("xpack.security.transport.ssl.client_authentication", SSLClientAuth.REQUIRED)
|
||||
.put("xpack.security.transport.ssl.enabled", true)
|
||||
.build();
|
||||
try (TransportClient transportClient = new TestXPackTransportClient(settings,
|
||||
|
@ -381,7 +382,7 @@ public class SslMultiPortTests extends SecurityIntegTestCase {
|
|||
Settings settings = Settings.builder()
|
||||
.put(SecurityField.USER_SETTING.getKey(), TEST_USER_NAME + ":" + TEST_PASSWORD)
|
||||
.put("cluster.name", internalCluster().getClusterName())
|
||||
.put("xpack.ssl.client_authentication", SSLClientAuth.REQUIRED)
|
||||
.put("xpack.security.transport.ssl.client_authentication", SSLClientAuth.REQUIRED)
|
||||
.put("xpack.security.transport.ssl.enabled", true)
|
||||
.build();
|
||||
try (TransportClient transportClient = new TestXPackTransportClient(settings,
|
||||
|
|
|
@ -17,6 +17,7 @@ import org.elasticsearch.client.Response;
|
|||
import org.elasticsearch.client.RestClient;
|
||||
import org.elasticsearch.client.transport.TransportClient;
|
||||
import org.elasticsearch.common.settings.MockSecureSettings;
|
||||
import org.elasticsearch.common.settings.SecureString;
|
||||
import org.elasticsearch.common.settings.Settings;
|
||||
import org.elasticsearch.common.transport.TransportAddress;
|
||||
import org.elasticsearch.test.SecurityIntegTestCase;
|
||||
|
@ -31,14 +32,17 @@ import org.elasticsearch.xpack.security.LocalStateSecurity;
|
|||
import javax.net.ssl.KeyManager;
|
||||
import javax.net.ssl.SSLContext;
|
||||
import javax.net.ssl.TrustManager;
|
||||
|
||||
import java.io.ByteArrayOutputStream;
|
||||
import java.io.IOException;
|
||||
import java.io.InputStream;
|
||||
import java.io.UncheckedIOException;
|
||||
import java.nio.file.Files;
|
||||
import java.nio.file.Path;
|
||||
import java.security.SecureRandom;
|
||||
import java.security.cert.CertPathBuilderException;
|
||||
import java.util.Arrays;
|
||||
import java.util.Collections;
|
||||
import java.util.HashSet;
|
||||
|
||||
import static org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
|
||||
import static org.hamcrest.Matchers.containsString;
|
||||
|
@ -54,13 +58,41 @@ public class SSLClientAuthTests extends SecurityIntegTestCase {
|
|||
|
||||
@Override
|
||||
protected Settings nodeSettings(int nodeOrdinal) {
|
||||
return Settings.builder()
|
||||
.put(super.nodeSettings(nodeOrdinal))
|
||||
Settings baseSettings = super.nodeSettings(nodeOrdinal);
|
||||
|
||||
Settings.Builder builder = Settings.builder().put(baseSettings);
|
||||
baseSettings.getByPrefix("xpack.security.transport.ssl.")
|
||||
.keySet()
|
||||
.forEach(k -> {
|
||||
String httpKey = "xpack.security.http.ssl." + k;
|
||||
String value = baseSettings.get("xpack.security.transport.ssl." + k);
|
||||
if (value != null) {
|
||||
builder.put(httpKey, baseSettings.get("xpack.security.transport.ssl." + k));
|
||||
}
|
||||
});
|
||||
|
||||
MockSecureSettings secureSettings = (MockSecureSettings) builder.getSecureSettings();
|
||||
for (String key : new HashSet<>(secureSettings.getSettingNames())) {
|
||||
SecureString value = secureSettings.getString(key);
|
||||
if (value == null) {
|
||||
try {
|
||||
if (key.startsWith("xpack.security.transport.ssl.")) {
|
||||
byte[] file = toByteArray(secureSettings.getFile(key));
|
||||
secureSettings.setFile(key.replace("xpack.security.transport.ssl.", "xpack.security.http.ssl."), file);
|
||||
}
|
||||
} catch (IOException e) {
|
||||
throw new UncheckedIOException(e);
|
||||
}
|
||||
} else if (key.startsWith("xpack.security.transport.ssl.")) {
|
||||
secureSettings.setString(key.replace("xpack.security.transport.ssl.", "xpack.security.http.ssl."), value.toString());
|
||||
}
|
||||
}
|
||||
|
||||
return builder
|
||||
// invert the require auth settings
|
||||
.put("xpack.ssl.client_authentication", SSLClientAuth.REQUIRED)
|
||||
.put("xpack.security.transport.ssl.client_authentication", SSLClientAuth.NONE)
|
||||
.put("xpack.security.http.ssl.enabled", true)
|
||||
.put("xpack.security.http.ssl.client_authentication", SSLClientAuth.REQUIRED)
|
||||
.put("transport.profiles.default.xpack.security.ssl.client_authentication", SSLClientAuth.NONE)
|
||||
.build();
|
||||
}
|
||||
|
||||
|
@ -109,13 +141,13 @@ public class SSLClientAuthTests extends SecurityIntegTestCase {
|
|||
}
|
||||
|
||||
MockSecureSettings secureSettings = new MockSecureSettings();
|
||||
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testclient-client-profile");
|
||||
secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testclient-client-profile");
|
||||
Settings settings = Settings.builder()
|
||||
.put("xpack.security.transport.ssl.enabled", true)
|
||||
.put("xpack.ssl.client_authentication", SSLClientAuth.NONE)
|
||||
.put("xpack.ssl.key", keyPath)
|
||||
.put("xpack.ssl.certificate", certPath)
|
||||
.put("xpack.ssl.certificate_authorities", nodeCertPath)
|
||||
.put("xpack.security.transport.ssl.client_authentication", SSLClientAuth.NONE)
|
||||
.put("xpack.security.transport.ssl.key", keyPath)
|
||||
.put("xpack.security.transport.ssl.certificate", certPath)
|
||||
.put("xpack.security.transport.ssl.certificate_authorities", nodeCertPath)
|
||||
.setSecureSettings(secureSettings)
|
||||
.put("cluster.name", internalCluster().getClusterName())
|
||||
.put(SecurityField.USER_SETTING.getKey(), transportClientUsername() + ":" + new String(transportClientPassword().getChars()))
|
||||
|
@ -145,4 +177,15 @@ public class SSLClientAuthTests extends SecurityIntegTestCase {
|
|||
throw new ElasticsearchException("failed to initialize SSLContext", e);
|
||||
}
|
||||
}
|
||||
|
||||
private byte[] toByteArray(InputStream is) throws IOException {
|
||||
ByteArrayOutputStream baos = new ByteArrayOutputStream();
|
||||
byte[] internalBuffer = new byte[1024];
|
||||
int read = is.read(internalBuffer);
|
||||
while (read != -1) {
|
||||
baos.write(internalBuffer, 0, read);
|
||||
read = is.read(internalBuffer);
|
||||
}
|
||||
return baos.toByteArray();
|
||||
}
|
||||
}
|
||||
|
|
|
@ -72,16 +72,16 @@ public class SSLReloadIntegTests extends SecurityIntegTestCase {
|
|||
|
||||
Settings settings = super.nodeSettings(nodeOrdinal);
|
||||
Settings.Builder builder = Settings.builder()
|
||||
.put(settings.filter((s) -> s.startsWith("xpack.ssl.") == false));
|
||||
|
||||
.put(settings.filter((s) -> s.startsWith("xpack.security.transport.ssl.") == false));
|
||||
builder.put("path.home", createTempDir())
|
||||
.put("xpack.ssl.key", nodeKeyPath)
|
||||
.put("xpack.ssl.key_passphrase", "testnode")
|
||||
.put("xpack.ssl.certificate", nodeCertPath)
|
||||
.putList("xpack.ssl.certificate_authorities", Arrays.asList(nodeCertPath.toString(), clientCertPath.toString(),
|
||||
updateableCertPath.toString()))
|
||||
.put("xpack.security.transport.ssl.key", nodeKeyPath)
|
||||
.put("xpack.security.transport.ssl.key_passphrase", "testnode")
|
||||
.put("xpack.security.transport.ssl.certificate", nodeCertPath)
|
||||
.putList("xpack.security.transport.ssl.certificate_authorities",
|
||||
Arrays.asList(nodeCertPath.toString(), clientCertPath.toString(), updateableCertPath.toString()))
|
||||
.put("resource.reload.interval.high", "1s");
|
||||
|
||||
builder.put("xpack.security.transport.ssl.enabled", true);
|
||||
return builder.build();
|
||||
}
|
||||
|
||||
|
@ -96,18 +96,18 @@ public class SSLReloadIntegTests extends SecurityIntegTestCase {
|
|||
Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_updated.pem"), keyPath);
|
||||
Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_updated.crt"), certPath);
|
||||
MockSecureSettings secureSettings = new MockSecureSettings();
|
||||
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
|
||||
secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
|
||||
Settings settings = Settings.builder()
|
||||
.put("path.home", createTempDir())
|
||||
.put("xpack.ssl.key", keyPath)
|
||||
.put("xpack.ssl.certificate", certPath)
|
||||
.putList("xpack.ssl.certificate_authorities", Arrays.asList(nodeCertPath.toString(), clientCertPath.toString(),
|
||||
updateableCertPath.toString()))
|
||||
.put("xpack.security.transport.ssl.key", keyPath)
|
||||
.put("xpack.security.transport.ssl.certificate", certPath)
|
||||
.putList("xpack.security.transport.ssl.certificate_authorities",
|
||||
Arrays.asList(nodeCertPath.toString(), clientCertPath.toString(), updateableCertPath.toString()))
|
||||
.setSecureSettings(secureSettings)
|
||||
.build();
|
||||
String node = randomFrom(internalCluster().getNodeNames());
|
||||
SSLService sslService = new SSLService(settings, TestEnvironment.newEnvironment(settings));
|
||||
SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.ssl");
|
||||
SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
|
||||
SSLSocketFactory sslSocketFactory = sslService.sslSocketFactory(sslConfiguration);
|
||||
TransportAddress address = internalCluster()
|
||||
.getInstance(Transport.class, node).boundAddress().publishAddress();
|
||||
|
|
|
@ -102,9 +102,9 @@ public class SSLTrustRestrictionsTests extends SecurityIntegTestCase {
|
|||
nodeSSL = Settings.builder()
|
||||
.put("xpack.security.transport.ssl.enabled", true)
|
||||
.put("xpack.security.transport.ssl.verification_mode", "certificate")
|
||||
.putList("xpack.ssl.certificate_authorities", ca.getCertPath().toString())
|
||||
.put("xpack.ssl.key", trustedCert.getKeyPath())
|
||||
.put("xpack.ssl.certificate", trustedCert.getCertPath())
|
||||
.putList("xpack.security.transport.ssl.certificate_authorities", ca.getCertPath().toString())
|
||||
.put("xpack.security.transport.ssl.key", trustedCert.getKeyPath())
|
||||
.put("xpack.security.transport.ssl.certificate", trustedCert.getCertPath())
|
||||
.build();
|
||||
}
|
||||
|
||||
|
@ -122,14 +122,14 @@ public class SSLTrustRestrictionsTests extends SecurityIntegTestCase {
|
|||
|
||||
Settings parentSettings = super.nodeSettings(nodeOrdinal);
|
||||
Settings.Builder builder = Settings.builder()
|
||||
.put(parentSettings.filter((s) -> s.startsWith("xpack.ssl.") == false))
|
||||
.put(parentSettings.filter((s) -> s.startsWith("xpack.security.transport.ssl.") == false))
|
||||
.put(nodeSSL);
|
||||
|
||||
restrictionsPath = configPath.resolve("trust_restrictions.yml");
|
||||
restrictionsTmpPath = configPath.resolve("trust_restrictions.tmp");
|
||||
|
||||
writeRestrictions("*.trusted");
|
||||
builder.put("xpack.ssl.trust_restrictions.path", restrictionsPath);
|
||||
builder.put("xpack.security.transport.ssl.trust_restrictions.path", restrictionsPath);
|
||||
|
||||
return builder.build();
|
||||
}
|
||||
|
@ -152,7 +152,7 @@ public class SSLTrustRestrictionsTests extends SecurityIntegTestCase {
|
|||
protected Settings transportClientSettings() {
|
||||
Settings parentSettings = super.transportClientSettings();
|
||||
Settings.Builder builder = Settings.builder()
|
||||
.put(parentSettings.filter((s) -> s.startsWith("xpack.ssl.") == false))
|
||||
.put(parentSettings.filter((s) -> s.startsWith("xpack.security.transport.ssl.") == false))
|
||||
.put(nodeSSL);
|
||||
return builder.build();
|
||||
}
|
||||
|
@ -224,15 +224,15 @@ public class SSLTrustRestrictionsTests extends SecurityIntegTestCase {
|
|||
private void tryConnect(CertificateInfo certificate) throws Exception {
|
||||
Settings settings = Settings.builder()
|
||||
.put("path.home", createTempDir())
|
||||
.put("xpack.ssl.key", certificate.getKeyPath())
|
||||
.put("xpack.ssl.certificate", certificate.getCertPath())
|
||||
.putList("xpack.ssl.certificate_authorities", ca.getCertPath().toString())
|
||||
.put("xpack.ssl.verification_mode", "certificate")
|
||||
.put("xpack.security.transport.ssl.key", certificate.getKeyPath())
|
||||
.put("xpack.security.transport.ssl.certificate", certificate.getCertPath())
|
||||
.putList("xpack.security.transport.ssl.certificate_authorities", ca.getCertPath().toString())
|
||||
.put("xpack.security.transport.ssl.verification_mode", "certificate")
|
||||
.build();
|
||||
|
||||
String node = randomFrom(internalCluster().getNodeNames());
|
||||
SSLService sslService = new SSLService(settings, TestEnvironment.newEnvironment(settings));
|
||||
SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.ssl");
|
||||
SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
|
||||
SSLSocketFactory sslSocketFactory = sslService.sslSocketFactory(sslConfiguration);
|
||||
TransportAddress address = internalCluster().getInstance(Transport.class, node).boundAddress().publishAddress();
|
||||
try (SSLSocket socket = (SSLSocket) sslSocketFactory.createSocket(address.getAddress(), address.getPort())) {
|
||||
|
|
|
@ -151,8 +151,10 @@ integTestCluster {
|
|||
setting 'xpack.security.transport.ssl.enabled', 'true'
|
||||
|
||||
// ceremony to set up ssl
|
||||
setting 'xpack.ssl.keystore.path', 'test-node.jks'
|
||||
keystoreSetting 'xpack.ssl.keystore.secure_password', 'keypass'
|
||||
setting 'xpack.security.transport.ssl.keystore.path', 'test-node.jks'
|
||||
keystoreSetting 'xpack.security.transport.ssl.keystore.secure_password', 'keypass'
|
||||
setting 'xpack.security.http.ssl.keystore.path', 'test-node.jks'
|
||||
keystoreSetting 'xpack.security.http.ssl.keystore.secure_password', 'keypass'
|
||||
|
||||
setting 'xpack.license.self_generated.type', 'trial'
|
||||
|
||||
|
|
|
@ -81,7 +81,7 @@ public class HttpClientTests extends ESTestCase {
|
|||
}
|
||||
|
||||
@After
|
||||
public void shutdown() throws Exception {
|
||||
public void shutdown() throws IOException {
|
||||
webServer.close();
|
||||
httpClient.close();
|
||||
}
|
||||
|
@ -179,30 +179,22 @@ public class HttpClientTests extends ESTestCase {
|
|||
Path certPath = getDataPath("/org/elasticsearch/xpack/security/keystore/testnode.crt");
|
||||
Path keyPath = getDataPath("/org/elasticsearch/xpack/security/keystore/testnode.pem");
|
||||
MockSecureSettings secureSettings = new MockSecureSettings();
|
||||
Settings settings;
|
||||
if (randomBoolean()) {
|
||||
settings = Settings.builder()
|
||||
.put("xpack.http.ssl.certificate_authorities", trustedCertPath)
|
||||
.setSecureSettings(secureSettings)
|
||||
.build();
|
||||
} else {
|
||||
settings = Settings.builder()
|
||||
.put("xpack.ssl.certificate_authorities", trustedCertPath)
|
||||
.setSecureSettings(secureSettings)
|
||||
.build();
|
||||
}
|
||||
Settings settings = Settings.builder()
|
||||
.put("xpack.http.ssl.certificate_authorities", trustedCertPath)
|
||||
.setSecureSettings(secureSettings)
|
||||
.build();
|
||||
try (HttpClient client = new HttpClient(settings, new SSLService(settings, environment), null, mockClusterService())) {
|
||||
secureSettings = new MockSecureSettings();
|
||||
// We can't use the client created above for the server since it is only a truststore
|
||||
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
|
||||
secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode");
|
||||
Settings settings2 = Settings.builder()
|
||||
.put("xpack.ssl.key", keyPath)
|
||||
.put("xpack.ssl.certificate", certPath)
|
||||
.put("xpack.security.http.ssl.key", keyPath)
|
||||
.put("xpack.security.http.ssl.certificate", certPath)
|
||||
.setSecureSettings(secureSettings)
|
||||
.build();
|
||||
|
||||
TestsSSLService sslService = new TestsSSLService(settings2, environment);
|
||||
testSslMockWebserver(client, sslService.sslContext(), false);
|
||||
testSslMockWebserver(client, sslService.sslContext("xpack.security.http.ssl"), false);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -210,40 +202,27 @@ public class HttpClientTests extends ESTestCase {
|
|||
Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-no-subjaltname.crt");
|
||||
Path keyPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-no-subjaltname.pem");
|
||||
Settings settings;
|
||||
if (randomBoolean()) {
|
||||
MockSecureSettings secureSettings = new MockSecureSettings();
|
||||
Settings.Builder builder = Settings.builder()
|
||||
.put("xpack.http.ssl.certificate_authorities", certPath);
|
||||
if (inFipsJvm()) {
|
||||
//Can't use TrustAllConfig in FIPS mode
|
||||
builder.put("xpack.http.ssl.verification_mode", VerificationMode.CERTIFICATE);
|
||||
} else {
|
||||
builder.put("xpack.http.ssl.verification_mode", randomFrom(VerificationMode.NONE, VerificationMode.CERTIFICATE));
|
||||
}
|
||||
settings = builder.build();
|
||||
Settings.Builder builder = Settings.builder()
|
||||
.put("xpack.http.ssl.certificate_authorities", certPath);
|
||||
if (inFipsJvm()) {
|
||||
//Can't use TrustAllConfig in FIPS mode
|
||||
builder.put("xpack.http.ssl.verification_mode", VerificationMode.CERTIFICATE);
|
||||
} else {
|
||||
Settings.Builder builder = Settings.builder()
|
||||
.put("xpack.ssl.certificate_authorities", certPath);
|
||||
if (inFipsJvm()) {
|
||||
//Can't use TrustAllConfig in FIPS mode
|
||||
builder.put("xpack.ssl.verification_mode", VerificationMode.CERTIFICATE);
|
||||
} else {
|
||||
builder.put("xpack.ssl.verification_mode", randomFrom(VerificationMode.NONE, VerificationMode.CERTIFICATE));
|
||||
}
|
||||
settings = builder.build();
|
||||
builder.put("xpack.http.ssl.verification_mode", randomFrom(VerificationMode.NONE, VerificationMode.CERTIFICATE));
|
||||
}
|
||||
settings = builder.build();
|
||||
try (HttpClient client = new HttpClient(settings, new SSLService(settings, environment), null, mockClusterService())) {
|
||||
MockSecureSettings secureSettings = new MockSecureSettings();
|
||||
// We can't use the client created above for the server since it only defines a truststore
|
||||
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode-no-subjaltname");
|
||||
secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode-no-subjaltname");
|
||||
Settings settings2 = Settings.builder()
|
||||
.put("xpack.ssl.key", keyPath)
|
||||
.put("xpack.ssl.certificate", certPath)
|
||||
.put("xpack.security.http.ssl.key", keyPath)
|
||||
.put("xpack.security.http.ssl.certificate", certPath)
|
||||
.setSecureSettings(secureSettings)
|
||||
.build();
|
||||
|
||||
TestsSSLService sslService = new TestsSSLService(settings2, environment);
|
||||
testSslMockWebserver(client, sslService.sslContext(), false);
|
||||
testSslMockWebserver(client, sslService.sslContext("xpack.security.http.ssl"), false);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -251,16 +230,16 @@ public class HttpClientTests extends ESTestCase {
|
|||
Path certPath = getDataPath("/org/elasticsearch/xpack/security/keystore/testnode.crt");
|
||||
Path keyPath = getDataPath("/org/elasticsearch/xpack/security/keystore/testnode.pem");
|
||||
MockSecureSettings secureSettings = new MockSecureSettings();
|
||||
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
|
||||
secureSettings.setString("xpack.http.ssl.secure_key_passphrase", "testnode");
|
||||
Settings settings = Settings.builder()
|
||||
.put("xpack.ssl.key", keyPath)
|
||||
.put("xpack.ssl.certificate", certPath)
|
||||
.put("xpack.http.ssl.key", keyPath)
|
||||
.put("xpack.http.ssl.certificate", certPath)
|
||||
.setSecureSettings(secureSettings)
|
||||
.build();
|
||||
|
||||
TestsSSLService sslService = new TestsSSLService(settings, environment);
|
||||
try (HttpClient client = new HttpClient(settings, sslService, null, mockClusterService())) {
|
||||
testSslMockWebserver(client, sslService.sslContext(), true);
|
||||
testSslMockWebserver(client, sslService.sslContext("xpack.http.ssl"), true);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -387,19 +366,18 @@ public class HttpClientTests extends ESTestCase {
|
|||
// on top of that the proxy request is HTTPS but the real request is HTTP only
|
||||
MockSecureSettings serverSecureSettings = new MockSecureSettings();
|
||||
// We can't use the client created above for the server since it is only a truststore
|
||||
serverSecureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
|
||||
serverSecureSettings.setString("xpack.http.ssl.secure_key_passphrase", "testnode");
|
||||
Settings serverSettings = Settings.builder()
|
||||
.put("xpack.ssl.key", keyPath)
|
||||
.put("xpack.ssl.certificate", certPath)
|
||||
.put("xpack.http.ssl.key", keyPath)
|
||||
.put("xpack.http.ssl.certificate", certPath)
|
||||
.setSecureSettings(serverSecureSettings)
|
||||
.build();
|
||||
TestsSSLService sslService = new TestsSSLService(serverSettings, environment);
|
||||
|
||||
try (MockWebServer proxyServer = new MockWebServer(sslService.sslContext(), false)) {
|
||||
try (MockWebServer proxyServer = new MockWebServer(sslService.sslContext(serverSettings.getByPrefix("xpack.http.ssl.")), false)) {
|
||||
proxyServer.enqueue(new MockResponse().setResponseCode(200).setBody("fullProxiedContent"));
|
||||
proxyServer.start();
|
||||
|
||||
MockSecureSettings secureSettings = new MockSecureSettings();
|
||||
Settings settings = Settings.builder()
|
||||
.put(HttpSettings.PROXY_HOST.getKey(), "localhost")
|
||||
.put(HttpSettings.PROXY_PORT.getKey(), proxyServer.getPort())
|
||||
|
|
|
@ -172,8 +172,8 @@ subprojects {
|
|||
|
||||
setting 'xpack.security.enabled', 'true'
|
||||
setting 'xpack.security.transport.ssl.enabled', 'true'
|
||||
setting 'xpack.ssl.keystore.path', 'testnode.jks'
|
||||
setting 'xpack.ssl.keystore.password', 'testnode'
|
||||
setting 'xpack.security.transport.ssl.keystore.path', 'testnode.jks'
|
||||
setting 'xpack.security.transport.ssl.keystore.password', 'testnode'
|
||||
setting 'xpack.license.self_generated.type', 'trial'
|
||||
dependsOn copyTestNodeKeystore
|
||||
extraConfigFile 'testnode.jks', new File(outputDir + '/testnode.jks')
|
||||
|
@ -217,8 +217,8 @@ subprojects {
|
|||
// some tests rely on the translog not being flushed
|
||||
setting 'indices.memory.shard_inactive_time', '20m'
|
||||
setting 'xpack.security.enabled', 'true'
|
||||
setting 'xpack.ssl.keystore.path', 'testnode.jks'
|
||||
keystoreSetting 'xpack.ssl.keystore.secure_password', 'testnode'
|
||||
setting 'xpack.security.transport.ssl.keystore.path', 'testnode.jks'
|
||||
keystoreSetting 'xpack.security.transport.ssl.keystore.secure_password', 'testnode'
|
||||
setting 'xpack.license.self_generated.type', 'trial'
|
||||
dependsOn copyTestNodeKeystore
|
||||
extraConfigFile 'testnode.jks', new File(outputDir + '/testnode.jks')
|
||||
|
|
|
@ -61,13 +61,12 @@ public class OpenLdapTests extends ESTestCase {
|
|||
private static final SecureString PASSWORD_SECURE_STRING = new SecureString(PASSWORD.toCharArray());
|
||||
public static final String REALM_NAME = "oldap-test";
|
||||
|
||||
private boolean useGlobalSSL;
|
||||
private SSLService sslService;
|
||||
private ThreadPool threadPool;
|
||||
private Settings globalSettings;
|
||||
|
||||
@Before
|
||||
public void init() throws Exception {
|
||||
public void init() {
|
||||
threadPool = new TestThreadPool("OpenLdapTests thread pool");
|
||||
}
|
||||
|
||||
|
@ -89,32 +88,19 @@ public class OpenLdapTests extends ESTestCase {
|
|||
* If we re-use a SSLContext, previously connected sessions can get re-established which breaks hostname
|
||||
* verification tests since a re-established connection does not perform hostname verification.
|
||||
*/
|
||||
useGlobalSSL = randomBoolean();
|
||||
MockSecureSettings mockSecureSettings = new MockSecureSettings();
|
||||
Settings.Builder builder = Settings.builder().put("path.home", createTempDir());
|
||||
if (useGlobalSSL) {
|
||||
builder.put("xpack.ssl.truststore.path", truststore);
|
||||
mockSecureSettings.setString("xpack.ssl.truststore.secure_password", "changeit");
|
||||
// fake realms so ssl will get loaded
|
||||
builder.put("xpack.security.authc.realms.ldap.foo.ssl.truststore.path", truststore);
|
||||
mockSecureSettings.setString("xpack.security.authc.realms.ldap.foo.ssl.truststore.secure_password", "changeit");
|
||||
builder.put("xpack.security.authc.realms.ldap.foo.ssl.verification_mode", VerificationMode.FULL);
|
||||
builder.put("xpack.security.authc.realms.ldap." + REALM_NAME + ".ssl.truststore.path", truststore);
|
||||
mockSecureSettings.setString("xpack.security.authc.realms.ldap." + REALM_NAME + ".ssl.truststore.secure_password", "changeit");
|
||||
builder.put("xpack.security.authc.realms.ldap." + REALM_NAME + ".ssl.verification_mode", VerificationMode.CERTIFICATE);
|
||||
|
||||
// configure realm to load config with certificate verification mode
|
||||
builder.put("xpack.security.authc.realms.ldap." + REALM_NAME + ".ssl.truststore.path", truststore);
|
||||
mockSecureSettings.setString("xpack.security.authc.realms.ldap." + REALM_NAME + ".ssl.truststore.secure_password", "changeit");
|
||||
builder.put("xpack.security.authc.realms.ldap." + REALM_NAME + ".ssl.verification_mode", VerificationMode.CERTIFICATE);
|
||||
} else {
|
||||
// fake realms so ssl will get loaded
|
||||
builder.put("xpack.security.authc.realms.ldap.foo.ssl.truststore.path", truststore);
|
||||
mockSecureSettings.setString("xpack.security.authc.realms.ldap.foo.ssl.truststore.secure_password", "changeit");
|
||||
builder.put("xpack.security.authc.realms.ldap.foo.ssl.verification_mode", VerificationMode.FULL);
|
||||
builder.put("xpack.security.authc.realms.ldap." + REALM_NAME + ".ssl.truststore.path", truststore);
|
||||
mockSecureSettings.setString("xpack.security.authc.realms.ldap." + REALM_NAME + ".ssl.truststore.secure_password", "changeit");
|
||||
builder.put("xpack.security.authc.realms.ldap." + REALM_NAME + ".ssl.verification_mode", VerificationMode.CERTIFICATE);
|
||||
|
||||
// If not using global ssl, need to set the truststore for the "full verification" realm
|
||||
builder.put("xpack.security.authc.realms.ldap.vmode_full.ssl.truststore.path", truststore);
|
||||
mockSecureSettings.setString("xpack.security.authc.realms.ldap.vmode_full.ssl.truststore.secure_password", "changeit");
|
||||
}
|
||||
builder.put("xpack.security.authc.realms.ldap.vmode_full.ssl.truststore.path", truststore);
|
||||
mockSecureSettings.setString("xpack.security.authc.realms.ldap.vmode_full.ssl.truststore.secure_password", "changeit");
|
||||
builder.put("xpack.security.authc.realms.ldap.vmode_full.ssl.verification_mode", VerificationMode.FULL);
|
||||
|
||||
globalSettings = builder.setSecureSettings(mockSecureSettings).build();
|
||||
Environment environment = TestEnvironment.newEnvironment(globalSettings);
|
||||
sslService = new SSLService(globalSettings, environment);
|
||||
|
@ -290,11 +276,8 @@ public class OpenLdapTests extends ESTestCase {
|
|||
final String[] urls = {ldapUrl};
|
||||
final String[] templates = {userTemplate};
|
||||
Settings.Builder builder = Settings.builder()
|
||||
.put(LdapTestCase.buildLdapSettings(realmId, urls, templates, groupSearchBase, scope, null, false));
|
||||
.put(LdapTestCase.buildLdapSettings(realmId, urls, templates, groupSearchBase, scope, null, false));
|
||||
builder.put(getFullSettingKey(realmId.getName(), SearchGroupsResolverSettings.USER_ATTRIBUTE), "uid");
|
||||
if (useGlobalSSL) {
|
||||
return builder.build();
|
||||
}
|
||||
return builder
|
||||
.put(getFullSettingKey(realmId, SSLConfigurationSettings.TRUST_STORE_PATH_REALM), getDataPath(LDAPTRUST_PATH))
|
||||
.put(getFullSettingKey(realmId, SSLConfigurationSettings.LEGACY_TRUST_STORE_PASSWORD_REALM), "changeit")
|
||||
|
|
|
@ -60,13 +60,13 @@ public class OpenLdapUserSearchSessionFactoryTests extends ESTestCase {
|
|||
*/
|
||||
globalSettings = Settings.builder()
|
||||
.put("path.home", createTempDir())
|
||||
.put("xpack.ssl.certificate_authorities", caPath)
|
||||
.put("xpack.security.authc.realms.ldap.ssl.certificate_authorities", caPath)
|
||||
.build();
|
||||
threadPool = new TestThreadPool("LdapUserSearchSessionFactoryTests");
|
||||
}
|
||||
|
||||
@After
|
||||
public void shutdown() throws InterruptedException {
|
||||
public void shutdown() {
|
||||
terminate(threadPool);
|
||||
}
|
||||
|
||||
|
|
|
@ -157,8 +157,8 @@ subprojects {
|
|||
setting 'xpack.security.authc.token.enabled', 'true'
|
||||
setting 'xpack.security.audit.enabled', 'true'
|
||||
setting 'xpack.security.audit.outputs', 'index'
|
||||
setting 'xpack.ssl.keystore.path', 'testnode.jks'
|
||||
setting 'xpack.ssl.keystore.password', 'testnode'
|
||||
setting 'xpack.security.transport.ssl.keystore.path', 'testnode.jks'
|
||||
setting 'xpack.security.transport.ssl.keystore.password', 'testnode'
|
||||
dependsOn copyTestNodeKeystore
|
||||
extraConfigFile 'testnode.jks', new File(outputDir + '/testnode.jks')
|
||||
if (version.onOrAfter('7.0.0')) {
|
||||
|
@ -226,8 +226,8 @@ subprojects {
|
|||
setting 'xpack.license.self_generated.type', 'trial'
|
||||
setting 'xpack.security.enabled', 'true'
|
||||
setting 'xpack.security.transport.ssl.enabled', 'true'
|
||||
setting 'xpack.ssl.keystore.path', 'testnode.jks'
|
||||
keystoreSetting 'xpack.ssl.keystore.secure_password', 'testnode'
|
||||
setting 'xpack.security.transport.ssl.keystore.path', 'testnode.jks'
|
||||
keystoreSetting 'xpack.security.transport.ssl.keystore.secure_password', 'testnode'
|
||||
setting 'node.attr.upgraded', 'true'
|
||||
setting 'xpack.security.authc.token.enabled', 'true'
|
||||
setting 'xpack.security.audit.enabled', 'true'
|
||||
|
|
|
@ -57,16 +57,17 @@ integTestCluster {
|
|||
setting 'xpack.monitoring.collection.interval', '1s'
|
||||
setting 'xpack.monitoring.exporters._http.type', 'http'
|
||||
setting 'xpack.monitoring.exporters._http.enabled', 'false'
|
||||
setting 'xpack.ssl.certificate_authorities', 'testnode.crt'
|
||||
setting 'xpack.monitoring.exporters._http.auth.username', 'monitoring_agent'
|
||||
setting 'xpack.monitoring.exporters._http.auth.password', 'x-pack-test-password'
|
||||
setting 'xpack.monitoring.exporters._http.ssl.verification_mode', 'full'
|
||||
setting 'xpack.monitoring.exporters._http.ssl.certificate_authorities', 'testnode.crt'
|
||||
|
||||
setting 'xpack.license.self_generated.type', 'trial'
|
||||
setting 'xpack.security.enabled', 'true'
|
||||
setting 'xpack.security.http.ssl.enabled', 'true'
|
||||
setting 'xpack.security.http.ssl.key', 'testnode.pem'
|
||||
setting 'xpack.security.http.ssl.certificate', 'testnode.crt'
|
||||
setting 'xpack.security.http.ssl.certificate_authorities', 'testnode.crt'
|
||||
keystoreSetting 'xpack.security.http.ssl.secure_key_passphrase', 'testnode'
|
||||
|
||||
setting 'xpack.ilm.enabled', 'false'
|
||||
|
|
|
@ -7,7 +7,6 @@ package org.elasticsearch.xpack.security.authc.ldap;
|
|||
|
||||
import org.elasticsearch.action.support.PlainActionFuture;
|
||||
import org.elasticsearch.common.Strings;
|
||||
import org.elasticsearch.common.settings.MockSecureSettings;
|
||||
import org.elasticsearch.common.settings.SecureString;
|
||||
import org.elasticsearch.common.settings.Settings;
|
||||
import org.elasticsearch.common.util.concurrent.ThreadContext;
|
||||
|
@ -50,23 +49,17 @@ public class ADLdapUserSearchSessionFactoryTests extends AbstractActiveDirectory
|
|||
|
||||
globalSettings = Settings.builder()
|
||||
.put("path.home", createTempDir())
|
||||
.put("xpack.ssl.certificate_authorities", certPath)
|
||||
.put("xpack.security.authc.realms.active_directory.ad.ssl.certificate_authorities", certPath)
|
||||
.build();
|
||||
sslService = new SSLService(globalSettings, env);
|
||||
threadPool = new TestThreadPool("ADLdapUserSearchSessionFactoryTests");
|
||||
}
|
||||
|
||||
@After
|
||||
public void shutdown() throws InterruptedException {
|
||||
public void shutdown() {
|
||||
terminate(threadPool);
|
||||
}
|
||||
|
||||
private MockSecureSettings newSecureSettings(String key, String value) {
|
||||
MockSecureSettings secureSettings = new MockSecureSettings();
|
||||
secureSettings.setString(key, value);
|
||||
return secureSettings;
|
||||
}
|
||||
|
||||
@AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/issues/35738")
|
||||
public void testUserSearchWithActiveDirectory() throws Exception {
|
||||
String groupSearchBase = "DC=ad,DC=test,DC=elasticsearch,DC=com";
|
||||
|
|
|
@ -58,12 +58,10 @@ public abstract class AbstractActiveDirectoryTestCase extends ESTestCase {
|
|||
|
||||
protected SSLService sslService;
|
||||
protected Settings globalSettings;
|
||||
protected boolean useGlobalSSL;
|
||||
protected List<String> certificatePaths;
|
||||
|
||||
@Before
|
||||
public void initializeSslSocketFactory() throws Exception {
|
||||
useGlobalSSL = randomBoolean();
|
||||
// We use certificates in PEM format and `ssl.certificate_authorities` instead of ssl.trustore
|
||||
// so that these tests can also run in a FIPS JVM where JKS keystores can't be used.
|
||||
certificatePaths = new ArrayList<>();
|
||||
|
@ -84,19 +82,12 @@ public abstract class AbstractActiveDirectoryTestCase extends ESTestCase {
|
|||
* verification tests since a re-established connection does not perform hostname verification.
|
||||
*/
|
||||
Settings.Builder builder = Settings.builder().put("path.home", createTempDir());
|
||||
if (useGlobalSSL) {
|
||||
builder.putList("xpack.ssl.certificate_authorities", certificatePaths);
|
||||
|
||||
// fake realm to load config with certificate verification mode
|
||||
builder.putList("xpack.security.authc.realms.bar.ssl.certificate_authorities", certificatePaths);
|
||||
builder.put("xpack.security.authc.realms.bar.ssl.verification_mode", VerificationMode.CERTIFICATE);
|
||||
} else {
|
||||
// fake realms so ssl will get loaded
|
||||
builder.putList("xpack.security.authc.realms.foo.ssl.certificate_authorities", certificatePaths);
|
||||
builder.put("xpack.security.authc.realms.foo.ssl.verification_mode", VerificationMode.FULL);
|
||||
builder.putList("xpack.security.authc.realms.bar.ssl.certificate_authorities", certificatePaths);
|
||||
builder.put("xpack.security.authc.realms.bar.ssl.verification_mode", VerificationMode.CERTIFICATE);
|
||||
}
|
||||
// fake realms so ssl will get loaded
|
||||
builder.putList("xpack.security.authc.realms.foo.ssl.certificate_authorities", certificatePaths);
|
||||
builder.put("xpack.security.authc.realms.foo.ssl.verification_mode", VerificationMode.FULL);
|
||||
builder.putList("xpack.security.authc.realms.bar.ssl.certificate_authorities", certificatePaths);
|
||||
builder.put("xpack.security.authc.realms.bar.ssl.verification_mode", VerificationMode.CERTIFICATE);
|
||||
globalSettings = builder.build();
|
||||
Environment environment = TestEnvironment.newEnvironment(globalSettings);
|
||||
sslService = new SSLService(globalSettings, environment);
|
||||
|
@ -106,24 +97,22 @@ public abstract class AbstractActiveDirectoryTestCase extends ESTestCase {
|
|||
LdapSearchScope scope, boolean hostnameVerification) {
|
||||
final String realmName = realmId.getName();
|
||||
Settings.Builder builder = Settings.builder()
|
||||
.putList(getFullSettingKey(realmId, SessionFactorySettings.URLS_SETTING), ldapUrl)
|
||||
.put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_DOMAIN_NAME_SETTING), adDomainName)
|
||||
.put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_USER_SEARCH_BASEDN_SETTING), userSearchDN)
|
||||
.put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_USER_SEARCH_SCOPE_SETTING), scope)
|
||||
.put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_LDAP_PORT_SETTING), AD_LDAP_PORT)
|
||||
.put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_LDAPS_PORT_SETTING), AD_LDAPS_PORT)
|
||||
.put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_GC_LDAP_PORT_SETTING), AD_GC_LDAP_PORT)
|
||||
.put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_GC_LDAPS_PORT_SETTING), AD_GC_LDAPS_PORT)
|
||||
.put(getFullSettingKey(realmId, SessionFactorySettings.FOLLOW_REFERRALS_SETTING), FOLLOW_REFERRALS);
|
||||
.putList(getFullSettingKey(realmId, SessionFactorySettings.URLS_SETTING), ldapUrl)
|
||||
.put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_DOMAIN_NAME_SETTING), adDomainName)
|
||||
.put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_USER_SEARCH_BASEDN_SETTING), userSearchDN)
|
||||
.put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_USER_SEARCH_SCOPE_SETTING), scope)
|
||||
.put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_LDAP_PORT_SETTING), AD_LDAP_PORT)
|
||||
.put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_LDAPS_PORT_SETTING), AD_LDAPS_PORT)
|
||||
.put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_GC_LDAP_PORT_SETTING), AD_GC_LDAP_PORT)
|
||||
.put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_GC_LDAPS_PORT_SETTING), AD_GC_LDAPS_PORT)
|
||||
.put(getFullSettingKey(realmId, SessionFactorySettings.FOLLOW_REFERRALS_SETTING), FOLLOW_REFERRALS)
|
||||
.putList(getFullSettingKey(realmId, SSLConfigurationSettings.CAPATH_SETTING_REALM), certificatePaths);
|
||||
if (randomBoolean()) {
|
||||
builder.put(getFullSettingKey(realmId, SSLConfigurationSettings.VERIFICATION_MODE_SETTING_REALM),
|
||||
hostnameVerification ? VerificationMode.FULL : VerificationMode.CERTIFICATE);
|
||||
} else {
|
||||
builder.put(getFullSettingKey(realmId, SessionFactorySettings.HOSTNAME_VERIFICATION_SETTING), hostnameVerification);
|
||||
}
|
||||
if (useGlobalSSL == false) {
|
||||
builder.putList(getFullSettingKey(realmId, SSLConfigurationSettings.CAPATH_SETTING_REALM), certificatePaths);
|
||||
}
|
||||
return builder.build();
|
||||
}
|
||||
|
||||
|
|
|
@ -103,13 +103,11 @@ public abstract class AbstractAdLdapRealmTestCase extends SecurityIntegTestCase
|
|||
protected static final String TESTNODE_CERT = "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt";
|
||||
protected static RealmConfig realmConfig;
|
||||
protected static List<RoleMappingEntry> roleMappings;
|
||||
protected static boolean useGlobalSSL;
|
||||
|
||||
@BeforeClass
|
||||
public static void setupRealm() {
|
||||
realmConfig = randomFrom(RealmConfig.values());
|
||||
roleMappings = realmConfig.selectRoleMappings(ESTestCase::randomBoolean);
|
||||
useGlobalSSL = randomBoolean();
|
||||
LogManager.getLogger(AbstractAdLdapRealmTestCase.class).info(
|
||||
"running test with realm configuration [{}], with direct group to role mapping [{}]. Settings [{}]",
|
||||
realmConfig, realmConfig.mapGroupsAsRoles, realmConfig.settings);
|
||||
|
@ -128,13 +126,13 @@ public abstract class AbstractAdLdapRealmTestCase extends SecurityIntegTestCase
|
|||
Settings.Builder builder = Settings.builder();
|
||||
// don't use filter since it returns a prefixed secure setting instead of mock!
|
||||
Settings settingsToAdd = super.nodeSettings(nodeOrdinal);
|
||||
builder.put(settingsToAdd.filter(k -> k.startsWith("xpack.ssl.") == false), false);
|
||||
builder.put(settingsToAdd.filter(k -> k.startsWith("xpack.transport.security.ssl.") == false), false);
|
||||
MockSecureSettings mockSecureSettings = (MockSecureSettings) Settings.builder().put(settingsToAdd).getSecureSettings();
|
||||
if (mockSecureSettings != null) {
|
||||
MockSecureSettings filteredSecureSettings = new MockSecureSettings();
|
||||
builder.setSecureSettings(filteredSecureSettings);
|
||||
for (String secureSetting : mockSecureSettings.getSettingNames()) {
|
||||
if (secureSetting.startsWith("xpack.ssl.") == false) {
|
||||
if (secureSetting.startsWith("xpack.transport.security.ssl.") == false) {
|
||||
SecureString secureString = mockSecureSettings.getString(secureSetting);
|
||||
if (secureString == null) {
|
||||
final byte[] fileBytes;
|
||||
|
@ -216,25 +214,6 @@ public abstract class AbstractAdLdapRealmTestCase extends SecurityIntegTestCase
|
|||
.collect(Collectors.toList());
|
||||
}
|
||||
|
||||
@Override
|
||||
protected Settings transportClientSettings() {
|
||||
if (useGlobalSSL) {
|
||||
Path key = getDataPath(TESTNODE_KEY);
|
||||
Path cert = getDataPath(TESTNODE_CERT);
|
||||
Settings.Builder builder = Settings.builder()
|
||||
.put(super.transportClientSettings().filter((s) -> s.startsWith("xpack.ssl.") == false));
|
||||
addSslSettingsForKeyPair(builder, key, "testnode", cert, getNodeTrustedCertificates());
|
||||
return builder.build();
|
||||
} else {
|
||||
return super.transportClientSettings();
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
protected boolean transportSSLEnabled() {
|
||||
return useGlobalSSL;
|
||||
}
|
||||
|
||||
protected final void configureFileRoleMappings(Settings.Builder builder, List<RoleMappingEntry> mappings) {
|
||||
String content = getRoleMappingContent(RoleMappingEntry::getFileContent, mappings).stream().collect(Collectors.joining("\n"));
|
||||
Path nodeFiles = createTempDir();
|
||||
|
@ -310,11 +289,11 @@ public abstract class AbstractAdLdapRealmTestCase extends SecurityIntegTestCase
|
|||
|
||||
private void addSslSettingsForKeyPair(Settings.Builder builder, Path key, String keyPassphrase, Path cert,
|
||||
List<String> certificateAuthorities) {
|
||||
builder.put("xpack.ssl.key", key)
|
||||
.put("xpack.ssl.key_passphrase", keyPassphrase)
|
||||
.put("xpack.ssl.verification_mode", "certificate")
|
||||
.put("xpack.ssl.certificate", cert)
|
||||
.putList("xpack.ssl.certificate_authorities", certificateAuthorities);
|
||||
builder.put("xpack.transport.security.ssl.key", key)
|
||||
.put("xpack.transport.security.ssl.key_passphrase", keyPassphrase)
|
||||
.put("xpack.transport.security.ssl.verification_mode", "certificate")
|
||||
.put("xpack.transport.security.ssl.certificate", cert)
|
||||
.putList("xpack.transport.security.ssl.certificate_authorities", certificateAuthorities);
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -462,11 +441,8 @@ public abstract class AbstractAdLdapRealmTestCase extends SecurityIntegTestCase
|
|||
.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".order", order)
|
||||
.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".hostname_verification", false)
|
||||
.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".unmapped_groups_as_roles", mapGroupsAsRoles)
|
||||
.put(this.settings);
|
||||
if (useGlobalSSL == false) {
|
||||
builder.putList(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".ssl.certificate_authorities", certificateAuthorities);
|
||||
}
|
||||
|
||||
.put(this.settings)
|
||||
.putList(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".ssl.certificate_authorities", certificateAuthorities);
|
||||
return builder.build();
|
||||
}
|
||||
|
||||
|
|
|
@ -280,21 +280,16 @@ public class ActiveDirectorySessionFactoryTests extends AbstractActiveDirectoryT
|
|||
String groupSearchBase = "DC=ad,DC=test,DC=elasticsearch,DC=com";
|
||||
String userTemplate = "CN={0},CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com";
|
||||
Settings settings = Settings.builder()
|
||||
.put(LdapTestCase.buildLdapSettings(
|
||||
new String[]{AD_LDAP_URL},
|
||||
new String[]{userTemplate},
|
||||
groupSearchBase,
|
||||
LdapSearchScope.SUB_TREE,
|
||||
null,
|
||||
true))
|
||||
.put("follow_referrals", FOLLOW_REFERRALS)
|
||||
.build();
|
||||
if (useGlobalSSL == false) {
|
||||
settings = Settings.builder()
|
||||
.put(settings)
|
||||
.putList("ssl.certificate_authorities", certificatePaths)
|
||||
.build();
|
||||
}
|
||||
.put(LdapTestCase.buildLdapSettings(
|
||||
new String[]{AD_LDAP_URL},
|
||||
new String[]{userTemplate},
|
||||
groupSearchBase,
|
||||
LdapSearchScope.SUB_TREE,
|
||||
null,
|
||||
true))
|
||||
.put("follow_referrals", FOLLOW_REFERRALS)
|
||||
.putList("ssl.certificate_authorities", certificatePaths)
|
||||
.build();
|
||||
RealmConfig config = configureRealm("ad-as-ldap-test", settings);
|
||||
LdapSessionFactory sessionFactory = new LdapSessionFactory(config, sslService, threadPool);
|
||||
|
||||
|
@ -325,9 +320,7 @@ public class ActiveDirectorySessionFactoryTests extends AbstractActiveDirectoryT
|
|||
null,
|
||||
ignoreReferralErrors);
|
||||
final Settings.Builder builder = Settings.builder().put(settings).put(globalSettings);
|
||||
if (useGlobalSSL == false) {
|
||||
builder.putList(RealmSettings.realmSslPrefix(realmId) + "certificate_authorities", certificatePaths);
|
||||
}
|
||||
builder.putList(RealmSettings.realmSslPrefix(realmId) + "certificate_authorities", certificatePaths);
|
||||
settings = builder.build();
|
||||
RealmConfig config = new RealmConfig(realmId,
|
||||
settings, TestEnvironment.newEnvironment(globalSettings),
|
||||
|
@ -352,12 +345,10 @@ public class ActiveDirectorySessionFactoryTests extends AbstractActiveDirectoryT
|
|||
public void testStandardLdapWithAttributeGroups() throws Exception {
|
||||
String userTemplate = "CN={0},CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com";
|
||||
Settings settings = LdapTestCase.buildLdapSettings(new String[]{AD_LDAP_URL}, userTemplate, false);
|
||||
if (useGlobalSSL == false) {
|
||||
settings = Settings.builder()
|
||||
.put(settings)
|
||||
.putList("ssl.certificate_authorities", certificatePaths)
|
||||
.build();
|
||||
}
|
||||
settings = Settings.builder()
|
||||
.put(settings)
|
||||
.putList("ssl.certificate_authorities", certificatePaths)
|
||||
.build();
|
||||
RealmConfig config = configureRealm("ad-as-ldap-test", settings);
|
||||
LdapSessionFactory sessionFactory = new LdapSessionFactory(config, sslService, threadPool);
|
||||
|
||||
|
@ -412,9 +403,7 @@ public class ActiveDirectorySessionFactoryTests extends AbstractActiveDirectoryT
|
|||
builder.put(getFullSettingKey(REALM_ID, SessionFactorySettings.HOSTNAME_VERIFICATION_SETTING), hostnameVerification);
|
||||
}
|
||||
|
||||
if (useGlobalSSL == false) {
|
||||
builder.putList(getFullSettingKey(REALM_ID, SSLConfigurationSettings.CAPATH_SETTING_REALM), certificatePaths);
|
||||
}
|
||||
builder.putList(getFullSettingKey(REALM_ID, SSLConfigurationSettings.CAPATH_SETTING_REALM), certificatePaths);
|
||||
|
||||
if (useBindUser) {
|
||||
final String user = randomFrom("cap", "hawkeye", "hulk", "ironman", "thor", "blackwidow", "cap@ad.test.elasticsearch.com",
|
||||
|
|
|
@ -251,9 +251,12 @@ node.data: false
|
|||
discovery.zen.ping.unicast.hosts: ["127.0.0.1:9301"]
|
||||
cluster.initial_master_nodes: ["node-master"]
|
||||
|
||||
xpack.ssl.key: $ESCONFIG/certs/node-master/node-master.key
|
||||
xpack.ssl.certificate: $ESCONFIG/certs/node-master/node-master.crt
|
||||
xpack.ssl.certificate_authorities: ["$ESCONFIG/certs/ca/ca.crt"]
|
||||
xpack.security.transport.ssl.key: $ESCONFIG/certs/node-master/node-master.key
|
||||
xpack.security.transport.ssl.certificate: $ESCONFIG/certs/node-master/node-master.crt
|
||||
xpack.security.transport.ssl.certificate_authorities: ["$ESCONFIG/certs/ca/ca.crt"]
|
||||
xpack.security.http.ssl.key: $ESCONFIG/certs/node-master/node-master.key
|
||||
xpack.security.http.ssl.certificate: $ESCONFIG/certs/node-master/node-master.crt
|
||||
xpack.security.http.ssl.certificate_authorities: ["$ESCONFIG/certs/ca/ca.crt"]
|
||||
|
||||
xpack.security.transport.ssl.enabled: true
|
||||
transport.tcp.port: 9300
|
||||
|
@ -334,9 +337,12 @@ node.master: false
|
|||
node.data: true
|
||||
discovery.zen.ping.unicast.hosts: ["127.0.0.1:9300"]
|
||||
|
||||
xpack.ssl.key: $ESCONFIG/certs/node-data/node-data.key
|
||||
xpack.ssl.certificate: $ESCONFIG/certs/node-data/node-data.crt
|
||||
xpack.ssl.certificate_authorities: ["$ESCONFIG/certs/ca/ca.crt"]
|
||||
xpack.security.transport.ssl.key: $ESCONFIG/certs/node-data/node-data.key
|
||||
xpack.security.transport.ssl.certificate: $ESCONFIG/certs/node-data/node-data.crt
|
||||
xpack.security.transport.ssl.certificate_authorities: ["$ESCONFIG/certs/ca/ca.crt"]
|
||||
xpack.security.http.ssl.key: $ESCONFIG/certs/node-data/node-data.key
|
||||
xpack.security.http.ssl.certificate: $ESCONFIG/certs//node-data/node-data.crt
|
||||
xpack.security.http.ssl.certificate_authorities: ["$ESCONFIG/certs/ca/ca.crt"]
|
||||
|
||||
xpack.security.transport.ssl.enabled: true
|
||||
transport.tcp.port: 9301
|
||||
|
|
Loading…
Reference in New Issue