Security: remove SSL settings fallback (#36846)

This commit removes the fallback for SSL settings. While this may be
seen as a non user friendly change, the intention behind this change
is to simplify the reasoning needed to understand what is actually
being used for a given SSL configuration. Each configuration now needs
to be explicitly specified as there is no global configuration or
fallback to some other configuration.

Closes #29797
This commit is contained in:
Jay Modi 2019-01-14 14:06:22 -07:00 committed by GitHub
parent b86621c157
commit f3edbe2911
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
63 changed files with 783 additions and 1075 deletions

View File

@ -105,7 +105,7 @@ integTestCluster {
setting 'xpack.security.enabled', 'true'
setting 'xpack.security.authc.token.enabled', 'true'
// Truststore settings are not used since TLS is not enabled. Included for testing the get certificates API
setting 'xpack.ssl.certificate_authorities', 'testnode.crt'
setting 'xpack.security.http.ssl.certificate_authorities', 'testnode.crt'
setting 'xpack.security.transport.ssl.truststore.path', 'testnode.jks'
keystoreSetting 'xpack.security.transport.ssl.truststore.secure_password', 'testnode'
setupCommand 'setupDummyUser',

View File

@ -121,3 +121,13 @@ xpack.security.authc.realms:
Any realm specific secure settings that have been stored in the elasticsearch
keystore (such as ldap bind passwords, or passwords for ssl keys) must be updated
in a similar way.
[float]
[[tls-setting-fallback]]
==== TLS/SSL settings
The default TLS/SSL settings, which were prefixed by `xpack.ssl`, have been removed.
The removal of these default settings also removes the ability for a component to
fallback to a default configuration when using TLS. Each component (realm, transport, http,
http client, etc) must now be configured with their own settings for TLS if it is being
used.

View File

@ -114,11 +114,14 @@ services:
- xpack.license.self_generated.type=trial <2>
- xpack.security.enabled=true
- xpack.security.http.ssl.enabled=true
- xpack.security.http.ssl.key=$CERTS_DIR/es01/es01.key
- xpack.security.http.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
- xpack.security.http.ssl.certificate=$CERTS_DIR/es01/es01.crt
- xpack.security.transport.ssl.enabled=true
- xpack.security.transport.ssl.verification_mode=certificate <3>
- xpack.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
- xpack.ssl.certificate=$CERTS_DIR/es01/es01.crt
- xpack.ssl.key=$CERTS_DIR/es01/es01.key
- xpack.security.transport.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
- xpack.security.transport.ssl.certificate=$CERTS_DIR/es01/es01.crt
- xpack.security.transport.ssl.key=$CERTS_DIR/es01/es01.key
volumes: ['esdata_01:/usr/share/elasticsearch/data', './certs:$CERTS_DIR']
ports:
- 9200:9200
@ -140,11 +143,14 @@ services:
- xpack.license.self_generated.type=trial
- xpack.security.enabled=true
- xpack.security.http.ssl.enabled=true
- xpack.security.http.ssl.key=$CERTS_DIR/es02/es02.key
- xpack.security.http.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
- xpack.security.http.ssl.certificate=$CERTS_DIR/es02/es02.crt
- xpack.security.transport.ssl.enabled=true
- xpack.security.transport.ssl.verification_mode=certificate
- xpack.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
- xpack.ssl.certificate=$CERTS_DIR/es02/es02.crt
- xpack.ssl.key=$CERTS_DIR/es02/es02.key
- xpack.security.transport.ssl.verification_mode=certificate <3>
- xpack.security.transport.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
- xpack.security.transport.ssl.certificate=$CERTS_DIR/es02/es02.crt
- xpack.security.transport.ssl.key=$CERTS_DIR/es02/es02.key
volumes: ['esdata_02:/usr/share/elasticsearch/data', './certs:$CERTS_DIR']
wait_until_ready:
@ -199,9 +205,9 @@ WARNING: Windows users not running PowerShell will need to remove `\` and join l
----
docker exec es01 /bin/bash -c "bin/elasticsearch-setup-passwords \
auto --batch \
-Expack.ssl.certificate=certificates/es01/es01.crt \
-Expack.ssl.certificate_authorities=certificates/ca/ca.crt \
-Expack.ssl.key=certificates/es01/es01.key \
-Expack.security.http.ssl.certificate=certificates/es01/es01.crt \
-Expack.security.http.ssl.certificate_authorities=certificates/ca/ca.crt \
-Expack.security.http.ssl.key=certificates/es01/es01.key \
--url https://localhost:9200"
----
--

View File

@ -25,7 +25,7 @@ xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12 <3>
<1> If you used the `--dns` or `--ip` options with the `elasticsearch-certutil cert` command
and you want to enable strict hostname checking, set the verification mode to
`full`.
See <<ssl-tls-settings, `xpack.ssl.verification_mode`>> for a description of these values.
See <<ssl-tls-settings, `xpack.security.transport.ssl.verification_mode`>> for a description of these values.
<2> If you created a separate certificate for each node, then you might need to
customize this path on each node. If the filename matches the node name, you can
@ -54,7 +54,7 @@ xpack.security.transport.ssl.certificate_authorities: [ "/home/es/config/ca.crt"
<1> If you used the `--dns` or `--ip` options with the `elasticsearch-certutil cert` command
and you want to enable strict hostname checking, set the verification mode to
`full`.
See <<ssl-tls-settings, `xpack.ssl.verification_mode`>> for a description of these values.
See <<ssl-tls-settings, `xpack.security.transport.ssl.verification_mode`>> for a description of these values.
<2> The full path to the node key file. This must be a location within the
{es} configuration directory.
<3> The full path to the node certificate. This must be a location within the

View File

@ -475,20 +475,18 @@ The default is `jks`.
`ssl.verification_mode`::
Indicates the type of verification when using `ldaps` to protect against man
in the middle attacks and certificate forgery. Values are `none`, `certificate`,
and `full`. Defaults to the value of `xpack.ssl.verification_mode`.
and `full`. Defaults to `full`.
+
See <<ssl-tls-settings,`xpack.ssl.verification_mode`>> for an explanation of
these values.
See <<ssl-tls-settings,`ssl.verification_mode`>> for an explanation of these values.
`ssl.supported_protocols`::
Supported protocols for TLS/SSL (with versions). Defaults to the value of
`xpack.ssl.supported_protocols`.
Supported protocols for TLS/SSL (with versions). Defaults to `TLSv1.2,TLSv1.1,TLSv1`.
`ssl.cipher_suites`:: Specifies the cipher suites that should be supported when
communicating with the LDAP server.
Supported cipher suites can be found in Oracle's http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html[
Java Cryptography Architecture documentation]. Defaults to the value of
`xpack.ssl.cipher_suites`.
Java Cryptography Architecture documentation]. See <<ssl-tls-settings,`ssl.cipher_suites`>>
for the default value.
`cache.ttl`::
Specifies the time-to-live for cached user entries. A user and a hash of its
@ -721,20 +719,18 @@ The default is `jks`.
`ssl.verification_mode`::
Indicates the type of verification when using `ldaps` to protect against man
in the middle attacks and certificate forgery. Values are `none`, `certificate`,
and `full`. Defaults to the value of `xpack.ssl.verification_mode`.
and `full`. Defaults to `full`.
+
See <<ssl-tls-settings,`xpack.ssl.verification_mode`>> for an explanation of
these values.
See <<ssl-tls-settings,`ssl.verification_mode`>> for an explanation of these values.
`ssl.supported_protocols`::
Supported protocols for TLS/SSL (with versions). Defaults to the value of
`xpack.ssl.supported_protocols`.
Supported protocols for TLS/SSL (with versions). Defaults to `TLSv1.2, TLSv1.1, TLSv1`.
`ssl.cipher_suites`:: Specifies the cipher suites that should be supported when
communicating with the Active Directory server.
Supported cipher suites can be found in Oracle's http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html[
Java Cryptography Architecture documentation]. Defaults to the value of
`xpack.ssl.cipher_suites`.
Java Cryptography Architecture documentation]. See <<ssl-tls-settings,`ssl.cipher_suites`>> for
the default values.
`cache.ttl`::
Specifies the time-to-live for cached user entries. A user and a hash of its
@ -1133,8 +1129,7 @@ One of `full`
certificate path, but not the hostname) or `none` (perform no verification).
Defaults to `full`.
+
See <<ssl-tls-settings,`xpack.ssl.verification_mode`>> for a more detailed
explanation of these values.
See <<ssl-tls-settings,`ssl.verification_mode`>> for a more detailed explanation of these values.
`ssl.supported_protocols`::
Specifies the supported protocols for TLS/SSL.
@ -1204,14 +1199,12 @@ through the list of URLs will continue until a successful connection is made.
[float]
[[ssl-tls-settings]]
==== Default TLS/SSL settings
You can configure the following TLS/SSL settings in
`elasticsearch.yml`. For more information, see
{stack-ov}/encrypting-communications.html[Encrypting communications]. These
settings are used unless they have been overridden by more specific
settings such as those for HTTP or Transport.
==== Default values for TLS/SSL settings
In general, the values below represent the default values for the various TLS
settings. For more information, see
{stack-ov}/encrypting-communications.html[Encrypting communications].
`xpack.ssl.supported_protocols`::
`ssl.supported_protocols`::
Supported protocols with versions. Valid protocols: `SSLv2Hello`,
`SSLv3`, `TLSv1`, `TLSv1.1`, `TLSv1.2`. Defaults to `TLSv1.2`, `TLSv1.1`,
`TLSv1`.
@ -1221,15 +1214,15 @@ NOTE: If `xpack.security.fips_mode.enabled` is `true`, you cannot use `SSLv2Hell
or `SSLv3`. See <<fips-140-compliance>>.
--
`xpack.ssl.client_authentication`::
`ssl.client_authentication`::
Controls the server's behavior in regard to requesting a certificate
from client connections. Valid values are `required`, `optional`, and `none`.
`required` forces a client to present a certificate, while `optional`
requests a client certificate but the client is not required to present one.
Defaults to `required`. This global setting is not applicable for HTTP, see
Defaults to `required`, except for HTTP, which defaults to `none`. See
<<http-tls-ssl-settings>>.
`xpack.ssl.verification_mode`::
`ssl.verification_mode`::
Controls the verification of certificates. Valid values are:
- `full`, which verifies that the provided certificate is signed by a trusted
authority (CA) and also verifies that the server's hostname (or IP
@ -1244,7 +1237,7 @@ Controls the verification of certificates. Valid values are:
+
The default value is `full`.
`xpack.ssl.cipher_suites`::
`ssl.cipher_suites`::
Supported cipher suites can be found in Oracle's http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html[
Java Cryptography Architecture documentation]. Defaults to `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`,
`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`,
@ -1255,112 +1248,15 @@ Jurisdiction Policy Files_ has been installed, the default value also includes `
[float]
[[tls-ssl-key-settings]]
===== Default TLS/SSL key and trusted certificate settings
===== TLS/SSL key and trusted certificate settings
The following settings are used to specify a private key, certificate, and the
trusted certificates that should be used when communicating over an SSL/TLS connection.
If none of the settings below are specified, the
<<ssl-tls-settings,default settings>> are used. If no trusted certificates are configured, the default certificates that are trusted by the JVM will be
trusted along with the certificate(s) from the <<tls-ssl-key-settings, key settings>>. The key and certificate must be in place
for connections that require client authentication or when acting as a SSL enabled server.
[float]
===== PEM encoded files
When using PEM encoded files, use the following settings:
`xpack.ssl.key`::
Path to the PEM encoded file containing the private key.
`xpack.ssl.key_passphrase`::
The passphrase that is used to decrypt the private key. This value is
optional as the key might not be encrypted.
`xpack.ssl.secure_key_passphrase` (<<secure-settings,Secure>>)::
The passphrase that is used to decrypt the private key. This value is
optional as the key might not be encrypted.
`xpack.ssl.certificate`::
Path to a PEM encoded file containing the certificate (or certificate chain)
that will be presented to clients when they connect.
`xpack.ssl.certificate_authorities`::
List of paths to the PEM encoded certificate files that should be trusted.
[float]
===== Java keystore files
When using Java keystore files (JKS), which contain the private key, certificate
and certificates that should be trusted, use the following settings:
`xpack.ssl.keystore.path`::
Path to the keystore that holds the private key and certificate.
`xpack.ssl.keystore.password`::
Password to the keystore.
`xpack.ssl.keystore.secure_password` (<<secure-settings,Secure>>)::
Password to the keystore.
`xpack.ssl.keystore.key_password`::
Password for the private key in the keystore. Defaults to the
same value as `xpack.ssl.keystore.password`.
`xpack.ssl.keystore.secure_key_password` (<<secure-settings,Secure>>)::
Password for the private key in the keystore.
`xpack.ssl.truststore.path`::
Path to the truststore file.
`xpack.ssl.truststore.password`::
Password to the truststore.
`xpack.ssl.truststore.secure_password` (<<secure-settings,Secure>>)::
Password to the truststore.
WARNING: If `xpack.security.fips_mode.enabled` is `true`, you cannot use Java
keystore files. See <<fips-140-compliance>>.
[float]
===== PKCS#12 files
When using PKCS#12 container files (`.p12` or `.pfx`), which contain the
private key, certificate, and certificates that should be trusted, use
the following settings:
`xpack.ssl.keystore.path`::
Path to the PKCS#12 file that holds the private key and certificate.
`xpack.ssl.keystore.type`::
Set this to `PKCS12`.
`xpack.ssl.keystore.password`::
Password to the PKCS#12 file.
`xpack.ssl.keystore.secure_password` (<<secure-settings,Secure>>)::
Password to the PKCS#12 file.
`xpack.ssl.keystore.key_password`::
Password for the private key in the PKCS12 file.
Defaults to the same value as `xpack.ssl.keystore.password`.
`xpack.ssl.keystore.secure_key_password` (<<secure-settings,Secure>>)::
Password for the private key in the PKCS12 file.
`xpack.ssl.truststore.path`::
Path to the truststore file.
`xpack.ssl.truststore.type`::
Set this to `PKCS12`.
`xpack.ssl.truststore.password`::
Password to the truststore.
`xpack.ssl.truststore.secure_password` (<<secure-settings,Secure>>)::
Password to the truststore.
WARNING: If `xpack.security.fips_mode.enabled` is `true`, you cannot use PKCS#12
keystore files. See <<fips-140-compliance>>.
trusted certificates that should be used when communicating over an SSL/TLS
connection. If no trusted certificates are configured, the default certificates
that are trusted by the JVM will be trusted along with the certificate(s)
associated with a key in the same context. The key and certificate must be in
place for connections that require client authentication or when acting as a
SSL enabled server.
[[pkcs12-truststore-note]]
[NOTE]
@ -1375,33 +1271,6 @@ a PKCS#12 container includes trusted certificate ("anchor") entries look for
`openssl pkcs12 -info` output, or `trustedCertEntry` in the
`keytool -list` output.
[float]
===== PKCS#11 tokens
When using a PKCS#11 cryptographic token, which contains the
private key, certificate, and certificates that should be trusted, use
the following settings:
`xpack.ssl.keystore.type`::
Set this to `PKCS11`.
`xpack.ssl.truststore.type`::
Set this to `PKCS11`.
[[pkcs11-truststore-note]]
[NOTE]
When configuring the PKCS#11 token that your JVM is configured to use as
a keystore or a truststore for Elasticsearch, the PIN for the token can be
configured by setting the appropriate value to `xpack.ssl.truststore.password`
or `xpack.ssl.truststore.secure_password`. In the absence of the above, {es} will
fallback to use he appropriate JVM setting (`-Djavax.net.ssl.trustStorePassword`)
if that is set.
Since there can only be one PKCS#11 token configured, only one keystore and
truststore will be usable for configuration in {es}. This in turn means
that only one certificate can be used for TLS both in the transport and the
http layer.
[[http-tls-ssl-settings]]
:ssl-prefix: xpack.security.http
:component: HTTP
@ -1435,7 +1304,7 @@ append the portion of the setting after `xpack.security.transport.`. For the key
setting, this would be `transport.profiles.$PROFILE.xpack.security.ssl.key`.
[[auditing-tls-ssl-settings]]
:ssl-prefix: xpack.security.audit.index.client.xpack
:ssl-prefix: xpack.security.audit.index.client.xpack.security.transport
:component: Auditing
:client-auth-default!:
:server!:

View File

@ -12,7 +12,7 @@ endif::server[]
+{ssl-prefix}.ssl.supported_protocols+::
Supported protocols with versions. Valid protocols: `SSLv2Hello`,
`SSLv3`, `TLSv1`, `TLSv1.1`, `TLSv1.2`. Defaults to `TLSv1.2`, `TLSv1.1`,
`TLSv1`. Defaults to the value of `xpack.ssl.supported_protocols`.
`TLSv1`.
ifdef::server[]
+{ssl-prefix}.ssl.client_authentication+::
@ -21,7 +21,7 @@ from client connections. Valid values are `required`, `optional`, and `none`.
`required` forces a client to present a certificate, while `optional`
requests a client certificate but the client is not required to present one.
ifndef::client-auth-default[]
Defaults to the value of `xpack.ssl.client_authentication`.
Defaults to `none``.
endif::client-auth-default[]
ifdef::client-auth-default[]
Defaults to +{client-auth-default}+.
@ -31,15 +31,12 @@ endif::server[]
ifdef::verifies[]
+{ssl-prefix}.ssl.verification_mode+::
Controls the verification of certificates. Valid values are `none`,
`certificate`, and `full`.
See <<ssl-tls-settings, `xpack.ssl.verification_mode`>> for a description of these values.
Defaults to the value of `xpack.ssl.verification_mode`.
`certificate`, and `full`. Defaults to `full`.
endif::verifies[]
+{ssl-prefix}.ssl.cipher_suites+::
Supported cipher suites can be found in Oracle's http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html[
Java Cryptography Architecture documentation]. Defaults to the value of
`xpack.ssl.cipher_suites`.
Java Cryptography Architecture documentation]. Defaults to ``.
===== {component} TLS/SSL Key and Trusted Certificate Settings
@ -159,3 +156,13 @@ Set this to `PKCS11` to indicate that the PKCS#11 token should be used as a keys
+{ssl-prefix}.truststore.type+::
Set this to `PKCS11` to indicate that the PKCS#11 token should be used as a truststore.
[NOTE]
When configuring the PKCS#11 token that your JVM is configured to use as
a keystore or a truststore for Elasticsearch, the PIN for the token can be
configured by setting the appropriate value to `ssl.truststore.password`
or `ssl.truststore.secure_password` in the context that you are configuring.
Since there can only be one PKCS#11 token configured, only one keystore and
truststore will be usable for configuration in {es}. This in turn means
that only one certificate can be used for TLS both in the transport and the
http layer.

View File

@ -22,16 +22,16 @@ Transport Layer Security (TLS), see
The API returns a list that includes certificates from all TLS contexts
including:
* Default {es} TLS settings
* Settings for transport and HTTP interfaces
* TLS settings that are used within authentication realms
* TLS settings for remote monitoring exporters
The list includes certificates that are used for configuring trust, such as
those configured in the `xpack.ssl.truststore` and
`xpack.ssl.certificate_authorities` settings. It also includes certificates that
that are used for configuring server identity, such as `xpack.ssl.keystore` and
`xpack.ssl.certificate` settings.
those configured in the `xpack.security.transport.ssl.truststore` and
`xpack.security.transport.ssl.certificate_authorities` settings. It also
includes certificates that are used for configuring server identity, such as
`xpack.security.http.ssl.keystore` and
`xpack.security.http.ssl.certificate` settings.
The list does not include certificates that are sourced from the default SSL
context of the Java Runtime Environment (JRE), even if those certificates are in

View File

@ -46,8 +46,8 @@ to the `elasticsearch.yml` file:
[source,yaml]
-----------------------------------------------------------
xpack.security.audit.index.client.xpack.security.transport.ssl.enabled: true
xpack.security.audit.index.client.xpack.ssl.keystore.path: certs/remote-elastic-certificates.p12
xpack.security.audit.index.client.xpack.ssl.truststore.path: certs/remote-elastic-certificates.p12
xpack.security.audit.index.client.xpack.security.transport.ssl.keystore.path: certs/remote-elastic-certificates.p12
xpack.security.audit.index.client.xpack.security.transport.ssl.truststore.path: certs/remote-elastic-certificates.p12
-----------------------------------------------------------
For more information about these settings, see
@ -61,9 +61,9 @@ For more information about these settings, see
[source, yaml]
--------------------------------------------------
xpack.security.audit.index.client.xpack.security.transport.ssl.enabled: true
xpack.security.audit.index.client.xpack.ssl.key: /home/es/config/audit-client.key
xpack.security.audit.index.client.xpack.ssl.certificate: /home/es/config/audit-client.crt
xpack.security.audit.index.client.xpack.ssl.certificate_authorities: [ "/home/es/config/remote-ca.crt" ]
xpack.security.audit.index.client.xpack.security.transport.ssl.key: /home/es/config/audit-client.key
xpack.security.audit.index.client.xpack.security.transport.ssl.certificate: /home/es/config/audit-client.crt
xpack.security.audit.index.client.xpack.security.transport.ssl.certificate_authorities: [ "/home/es/config/remote-ca.crt" ]
--------------------------------------------------
For more information about these settings, see
@ -78,9 +78,9 @@ your {es} keystore:
--
[source,shell]
-----------------------------------------------------------
bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.ssl.keystore.secure_password
bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.security.transport.ssl.keystore.secure_password
bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.ssl.truststore.secure_password
bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.security.transport.ssl.truststore.secure_password
-----------------------------------------------------------
--
@ -89,7 +89,7 @@ bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.ssl.trust
--
[source,shell]
-----------------------------------------------------------
bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.ssl.secure_key_passphrase
bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.security.transport.ssl.secure_key_passphrase
-----------------------------------------------------------
--

View File

@ -90,7 +90,7 @@ In particular this means:
* The interface must _trust_ the certificate that is presented by the client
by configuring either the `truststore` or `certificate_authorities` paths,
or by setting `verification_mode` to `none`. See
<<ssl-tls-settings,`xpack.ssl.verification_mode`>> for an explanation of this
<<ssl-tls-settings,`ssl.verification_mode`>> for an explanation of this
setting.
* The _protocols_ supported by the interface must be compatible with those
used by the client.

View File

@ -105,9 +105,10 @@ import org.elasticsearch.xpack.client.PreBuiltXPackTransportClient;
TransportClient client = new PreBuiltXPackTransportClient(Settings.builder()
.put("cluster.name", "myClusterName")
.put("xpack.security.user", "transport_client_user:x-pack-test-password")
.put("xpack.ssl.key", "/path/to/client.key")
.put("xpack.ssl.certificate", "/path/to/client.crt")
.put("xpack.ssl.certificate_authorities", "/path/to/ca.crt")
.put("xpack.security.transport.ssl.enabled", true)
.put("xpack.security.transport.ssl.key", "/path/to/client.key")
.put("xpack.security.transport.ssl.certificate", "/path/to/client.crt")
.put("xpack.security.transport.ssl.certificate_authorities", "/path/to/ca.crt")
...
.build());
--------------------------------------------------------------------------------------------------
@ -125,9 +126,10 @@ import org.elasticsearch.xpack.client.PreBuiltXPackTransportClient;
TransportClient client = new PreBuiltXPackTransportClient(Settings.builder()
.put("cluster.name", "myClusterName")
.put("xpack.security.user", "transport_client_user:x-pack-test-password")
.put("xpack.ssl.key", "/path/to/client.key")
.put("xpack.ssl.certificate", "/path/to/client.crt")
.put("xpack.ssl.certificate_authorities", "/path/to/ca.crt")
.put("xpack.security.transport.ssl.enabled", true)
.put("xpack.security.transport.ssl.key", "/path/to/client.key")
.put("xpack.security.transport.ssl.certificate", "/path/to/client.crt")
.put("xpack.security.transport.ssl.certificate_authorities", "/path/to/ca.crt")
.put("xpack.security.transport.ssl.enabled", "true")
...
.build())
@ -155,7 +157,7 @@ import org.elasticsearch.xpack.client.PreBuiltXPackTransportClient;
TransportClient client = new PreBuiltXPackTransportClient(Settings.builder()
.put("cluster.name", "myClusterName")
.put("xpack.security.user", "test_user:x-pack-test-password")
.put("xpack.ssl.certificate_authorities", "/path/to/ca.crt")
.put("xpack.security.transport.ssl.certificate_authorities", "/path/to/ca.crt")
.put("xpack.security.transport.ssl.enabled", "true")
...
.build())
@ -164,7 +166,7 @@ TransportClient client = new PreBuiltXPackTransportClient(Settings.builder()
------------------------------------------------------------------------------------------------------
NOTE: If you are using a public CA that is already trusted by the Java runtime,
you do not need to set the `xpack.ssl.certificate_authorities`.
you do not need to set the `xpack.security.transport.ssl.certificate_authorities`.
[float]
[[connecting-anonymously]]

View File

@ -50,12 +50,12 @@ and able to run {es} successfully in a FIPS 140-2 enabled JVM.
==== TLS
SSLv2 and SSLv3 are not allowed by FIPS 140-2, so `SSLv2Hello` and `SSLv3` cannot
be used for <<ssl-tls-settings, xpack.ssl.supported_protocols>>
be used for <<ssl-tls-settings, `ssl.supported_protocols`>>
NOTE: The use of TLS ciphers is mainly governed by the relevant crypto module
(the FIPS Approved Security Provider that your JVM uses). All the ciphers that
are configured by default in {es} are FIPS 140-2 compliant and as such can be
used in a FIPS 140-2 JVM. (see <<ssl-tls-settings, xpack.ssl.cipher_suites>>)
used in a FIPS 140-2 JVM. (see <<ssl-tls-settings, `ssl.cipher_suites`>>)
[float]
==== TLS Keystores and keys
@ -71,7 +71,7 @@ options, and for trust material you can use `*.certificate_authorities`.
FIPS 140-2 compliance dictates that the length of the public keys used for TLS
must correspond to the strength of the symmetric key algorithm in use in TLS.
Depending on the value of <<ssl-tls-settings, xpack.ssl.cipher_suites>> that
Depending on the value of <<ssl-tls-settings, `ssl.cipher_suites`>> that
you select to use, the TLS keys must have corresponding length according to
the following table:

View File

@ -159,10 +159,6 @@ public class XPackSettings {
public static final SSLClientAuth HTTP_CLIENT_AUTH_DEFAULT = SSLClientAuth.NONE;
public static final VerificationMode VERIFICATION_MODE_DEFAULT = VerificationMode.FULL;
// global settings that apply to everything!
public static final String GLOBAL_SSL_PREFIX = "xpack.ssl.";
private static final SSLConfigurationSettings GLOBAL_SSL = SSLConfigurationSettings.withPrefix(GLOBAL_SSL_PREFIX);
// http specific settings
public static final String HTTP_SSL_PREFIX = SecurityField.setting("http.ssl.");
private static final SSLConfigurationSettings HTTP_SSL = SSLConfigurationSettings.withPrefix(HTTP_SSL_PREFIX);
@ -174,7 +170,6 @@ public class XPackSettings {
/** Returns all settings created in {@link XPackSettings}. */
public static List<Setting<?>> getAllSettings() {
ArrayList<Setting<?>> settings = new ArrayList<>();
settings.addAll(GLOBAL_SSL.getAllSettings());
settings.addAll(HTTP_SSL.getAllSettings());
settings.addAll(TRANSPORT_SSL.getAllSettings());
settings.add(SECURITY_ENABLED);

View File

@ -83,13 +83,22 @@ public class SecurityNetty4Transport extends Netty4Transport {
Set<String> profileNames = settings.getGroups("transport.profiles.", true).keySet();
Map<String, SSLConfiguration> profileConfiguration = new HashMap<>(profileNames.size() + 1);
for (String profileName : profileNames) {
if (profileName.equals(TransportSettings.DEFAULT_PROFILE)) {
// don't attempt to parse ssl settings from the profile;
// profiles need to be killed with fire
if (settings.getByPrefix("transport.profiles.default.xpack.security.ssl.").isEmpty()) {
continue;
} else {
throw new IllegalArgumentException("SSL settings should not be configured for the default profile. " +
"Use the [xpack.security.transport.ssl] settings instead.");
}
}
SSLConfiguration configuration = sslService.getSSLConfiguration("transport.profiles." + profileName + "." + setting("ssl"));
profileConfiguration.put(profileName, configuration);
}
if (profileConfiguration.containsKey(TransportSettings.DEFAULT_PROFILE) == false) {
profileConfiguration.put(TransportSettings.DEFAULT_PROFILE, defaultConfiguration);
}
assert profileConfiguration.containsKey(TransportSettings.DEFAULT_PROFILE) == false;
profileConfiguration.put(TransportSettings.DEFAULT_PROFILE, defaultConfiguration);
return profileConfiguration;
}

View File

@ -25,6 +25,7 @@ import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
/**
* This class represents a trust configuration that corresponds to the default trusted certificates of the JDK
@ -71,12 +72,15 @@ class DefaultJDKTrustConfig extends TrustConfig {
@Override
public boolean equals(Object o) {
return o == this;
if (this == o) return true;
if (o == null || getClass() != o.getClass()) return false;
DefaultJDKTrustConfig that = (DefaultJDKTrustConfig) o;
return Objects.equals(trustStorePassword, that.trustStorePassword);
}
@Override
public int hashCode() {
return System.identityHashCode(this);
return Objects.hash(trustStorePassword);
}
/**

View File

@ -13,16 +13,11 @@ import org.elasticsearch.env.Environment;
import org.elasticsearch.xpack.core.XPackSettings;
import org.elasticsearch.xpack.core.ssl.cert.CertificateInfo;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;
import java.io.IOException;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;
import static org.elasticsearch.xpack.core.ssl.SSLConfigurationSettings.getKeyStoreType;
@ -51,32 +46,14 @@ public final class SSLConfiguration {
* @param settings the SSL specific settings; only the settings under a *.ssl. prefix
*/
SSLConfiguration(Settings settings) {
this.keyConfig = createKeyConfig(settings, (SSLConfiguration) null);
this.trustConfig = createTrustConfig(settings, keyConfig, null);
this.keyConfig = createKeyConfig(settings);
this.trustConfig = createTrustConfig(settings, keyConfig);
this.ciphers = getListOrDefault(SETTINGS_PARSER.ciphers, settings, XPackSettings.DEFAULT_CIPHERS);
this.supportedProtocols = getListOrDefault(SETTINGS_PARSER.supportedProtocols, settings, XPackSettings.DEFAULT_SUPPORTED_PROTOCOLS);
this.sslClientAuth = SETTINGS_PARSER.clientAuth.get(settings).orElse(XPackSettings.CLIENT_AUTH_DEFAULT);
this.verificationMode = SETTINGS_PARSER.verificationMode.get(settings).orElse(XPackSettings.VERIFICATION_MODE_DEFAULT);
}
/**
* Creates a new SSLConfiguration from the given settings and global/default SSLConfiguration. If the settings do not contain a value
* for a given aspect, the value from the global configuration will be used.
*
* @param settings the SSL specific settings; only the settings under a *.ssl. prefix
* @param globalSSLConfiguration the default configuration that is used as a fallback
*/
SSLConfiguration(Settings settings, SSLConfiguration globalSSLConfiguration) {
Objects.requireNonNull(globalSSLConfiguration);
this.keyConfig = createKeyConfig(settings, globalSSLConfiguration);
this.trustConfig = createTrustConfig(settings, keyConfig, globalSSLConfiguration);
this.ciphers = getListOrDefault(SETTINGS_PARSER.ciphers, settings, globalSSLConfiguration.cipherSuites());
this.supportedProtocols = getListOrDefault(SETTINGS_PARSER.supportedProtocols, settings,
globalSSLConfiguration.supportedProtocols());
this.sslClientAuth = SETTINGS_PARSER.clientAuth.get(settings).orElse(globalSSLConfiguration.sslClientAuth());
this.verificationMode = SETTINGS_PARSER.verificationMode.get(settings).orElse(globalSSLConfiguration.verificationMode());
}
/**
* The configuration for the key, if any, that will be used as part of this ssl configuration
*/
@ -183,46 +160,28 @@ public final class SSLConfiguration {
return result;
}
private static KeyConfig createKeyConfig(Settings settings, SSLConfiguration global) {
private static KeyConfig createKeyConfig(Settings settings) {
final String trustStoreAlgorithm = SETTINGS_PARSER.truststoreAlgorithm.get(settings);
final KeyConfig config = CertParsingUtils.createKeyConfig(SETTINGS_PARSER.x509KeyPair, settings, trustStoreAlgorithm);
if (config != null) {
return config;
}
if (global != null) {
return global.keyConfig();
}
if (System.getProperty("javax.net.ssl.keyStore") != null && System.getProperty("javax.net.ssl.keyStore").equals("NONE") == false) {
// TODO: we should not support loading a keystore from sysprops...
try (SecureString keystorePassword = new SecureString(System.getProperty("javax.net.ssl.keyStorePassword", ""))) {
return new StoreKeyConfig(System.getProperty("javax.net.ssl.keyStore"), KeyStore.getDefaultType(), keystorePassword,
keystorePassword, System.getProperty("ssl.KeyManagerFactory.algorithm", KeyManagerFactory.getDefaultAlgorithm()),
System.getProperty("ssl.TrustManagerFactory.algorithm", TrustManagerFactory.getDefaultAlgorithm()));
}
}
return KeyConfig.NONE;
return config == null ? KeyConfig.NONE : config;
}
private static TrustConfig createTrustConfig(Settings settings, KeyConfig keyConfig, SSLConfiguration global) {
final TrustConfig trustConfig = createCertChainTrustConfig(settings, keyConfig, global);
private static TrustConfig createTrustConfig(Settings settings, KeyConfig keyConfig) {
final TrustConfig trustConfig = createCertChainTrustConfig(settings, keyConfig);
return SETTINGS_PARSER.trustRestrictionsPath.get(settings)
.map(path -> (TrustConfig) new RestrictedTrustConfig(path, trustConfig))
.orElse(trustConfig);
}
private static TrustConfig createCertChainTrustConfig(Settings settings, KeyConfig keyConfig, SSLConfiguration global) {
private static TrustConfig createCertChainTrustConfig(Settings settings, KeyConfig keyConfig) {
String trustStorePath = SETTINGS_PARSER.truststorePath.get(settings).orElse(null);
String trustStoreType = getKeyStoreType(SETTINGS_PARSER.truststoreType, settings, trustStorePath);
List<String> caPaths = getListOrNull(SETTINGS_PARSER.caPaths, settings);
if (trustStorePath != null && caPaths != null) {
throw new IllegalArgumentException("you cannot specify a truststore and ca files");
}
VerificationMode verificationMode = SETTINGS_PARSER.verificationMode.get(settings).orElseGet(() -> {
if (global != null) {
return global.verificationMode();
}
return XPackSettings.VERIFICATION_MODE_DEFAULT;
});
VerificationMode verificationMode = SETTINGS_PARSER.verificationMode.get(settings).orElse(XPackSettings.VERIFICATION_MODE_DEFAULT);
if (verificationMode.isCertificateVerificationEnabled() == false) {
return TrustAllConfig.INSTANCE;
} else if (caPaths != null) {
@ -231,14 +190,6 @@ public final class SSLConfiguration {
String trustStoreAlgorithm = SETTINGS_PARSER.truststoreAlgorithm.get(settings);
SecureString trustStorePassword = SETTINGS_PARSER.truststorePassword.get(settings);
return new StoreTrustConfig(trustStorePath, trustStoreType, trustStorePassword, trustStoreAlgorithm);
} else if (global == null && System.getProperty("javax.net.ssl.trustStore") != null
&& System.getProperty("javax.net.ssl.trustStore").equals("NONE") == false) {
try (SecureString truststorePassword = new SecureString(System.getProperty("javax.net.ssl.trustStorePassword", ""))) {
return new StoreTrustConfig(System.getProperty("javax.net.ssl.trustStore"), KeyStore.getDefaultType(), truststorePassword,
System.getProperty("ssl.TrustManagerFactory.algorithm", TrustManagerFactory.getDefaultAlgorithm()));
}
} else if (global != null && keyConfig == global.keyConfig()) {
return global.trustConfig();
} else if (keyConfig != KeyConfig.NONE) {
return DefaultJDKTrustConfig.merge(keyConfig, getDefaultTrustStorePassword(settings));
} else {

View File

@ -31,13 +31,14 @@ import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509ExtendedTrustManager;
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
@ -81,8 +82,6 @@ public class SSLService {
* always maps to the same {@link SSLContextHolder}, even if it is being used within a different context-name.
*/
private final Map<SSLConfiguration, SSLContextHolder> sslContexts;
private final SSLConfiguration globalSSLConfiguration;
private final SetOnce<SSLConfiguration> transportSSLConfiguration = new SetOnce<>();
private final Environment env;
@ -93,16 +92,14 @@ public class SSLService {
public SSLService(Settings settings, Environment environment) {
this.settings = settings;
this.env = environment;
this.globalSSLConfiguration = new SSLConfiguration(settings.getByPrefix(XPackSettings.GLOBAL_SSL_PREFIX));
this.sslConfigurations = new HashMap<>();
this.sslContexts = loadSSLConfigurations();
}
private SSLService(Settings settings, Environment environment, SSLConfiguration globalSSLConfiguration,
Map<String, SSLConfiguration> sslConfigurations, Map<SSLConfiguration, SSLContextHolder> sslContexts) {
private SSLService(Settings settings, Environment environment, Map<String, SSLConfiguration> sslConfigurations,
Map<SSLConfiguration, SSLContextHolder> sslContexts) {
this.settings = settings;
this.env = environment;
this.globalSSLConfiguration = globalSSLConfiguration;
this.sslConfigurations = sslConfigurations;
this.sslContexts = sslContexts;
}
@ -113,7 +110,7 @@ public class SSLService {
* have been created during initialization
*/
public SSLService createDynamicSSLService() {
return new SSLService(settings, env, globalSSLConfiguration, sslConfigurations, sslContexts) {
return new SSLService(settings, env, sslConfigurations, sslContexts) {
@Override
Map<SSLConfiguration, SSLContextHolder> loadSSLConfigurations() {
@ -265,13 +262,6 @@ public class SSLService {
return sslConfiguration.sslClientAuth().enabled();
}
/**
* Returns the {@link SSLContext} for the global configuration. Mainly used for testing
*/
public SSLContext sslContext() {
return sslContextHolder(globalSSLConfiguration).sslContext();
}
/**
* Returns the {@link SSLContext} for the configuration. Mainly used for testing
*/
@ -297,13 +287,10 @@ public class SSLService {
* Returns the existing {@link SSLConfiguration} for the given settings
*
* @param settings the settings for the ssl configuration
* @return the ssl configuration for the provided settings. If the settings are empty, the global configuration is returned
* @return the ssl configuration for the provided settings
*/
SSLConfiguration sslConfiguration(Settings settings) {
if (settings.isEmpty()) {
return globalSSLConfiguration;
}
return new SSLConfiguration(settings, globalSSLConfiguration);
public SSLConfiguration sslConfiguration(Settings settings) {
return new SSLConfiguration(settings);
}
public Set<String> getTransportProfileContextNames() {
@ -403,8 +390,6 @@ public class SSLService {
*/
Map<SSLConfiguration, SSLContextHolder> loadSSLConfigurations() {
Map<SSLConfiguration, SSLContextHolder> sslContextHolders = new HashMap<>();
sslContextHolders.put(globalSSLConfiguration, createSslContext(globalSSLConfiguration));
this.sslConfigurations.put("xpack.ssl", globalSSLConfiguration);
Map<String, Settings> sslSettingsMap = new HashMap<>();
sslSettingsMap.put(XPackSettings.HTTP_SSL_PREFIX, getHttpTransportSSLSettings(settings));
@ -413,23 +398,19 @@ public class SSLService {
sslSettingsMap.putAll(getMonitoringExporterSettings(settings));
sslSettingsMap.forEach((key, sslSettings) -> {
if (sslSettings.isEmpty()) {
storeSslConfiguration(key, globalSSLConfiguration);
} else {
final SSLConfiguration configuration = new SSLConfiguration(sslSettings, globalSSLConfiguration);
storeSslConfiguration(key, configuration);
sslContextHolders.computeIfAbsent(configuration, this::createSslContext);
}
final SSLConfiguration configuration = new SSLConfiguration(sslSettings);
storeSslConfiguration(key, configuration);
sslContextHolders.computeIfAbsent(configuration, this::createSslContext);
});
final Settings transportSSLSettings = settings.getByPrefix(XPackSettings.TRANSPORT_SSL_PREFIX);
final SSLConfiguration transportSSLConfiguration = new SSLConfiguration(transportSSLSettings, globalSSLConfiguration);
final SSLConfiguration transportSSLConfiguration = new SSLConfiguration(transportSSLSettings);
this.transportSSLConfiguration.set(transportSSLConfiguration);
storeSslConfiguration(XPackSettings.TRANSPORT_SSL_PREFIX, transportSSLConfiguration);
Map<String, Settings> profileSettings = getTransportProfileSSLSettings(settings);
sslContextHolders.computeIfAbsent(transportSSLConfiguration, this::createSslContext);
profileSettings.forEach((key, profileSetting) -> {
final SSLConfiguration configuration = new SSLConfiguration(profileSetting, transportSSLConfiguration);
final SSLConfiguration configuration = new SSLConfiguration(profileSetting);
storeSslConfiguration(key, configuration);
sslContextHolders.computeIfAbsent(configuration, this::createSslContext);
});

View File

@ -71,7 +71,7 @@ public class SSLConfigurationReloaderTests extends ESTestCase {
}
@After
public void cleanup() throws Exception {
public void cleanup() {
if (threadPool != null) {
terminate(threadPool);
}
@ -88,10 +88,10 @@ public class SSLConfigurationReloaderTests extends ESTestCase {
Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"), keystorePath);
Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_updated.jks"), updatedKeystorePath);
MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode");
secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode");
final Settings settings = Settings.builder()
.put("path.home", createTempDir())
.put("xpack.ssl.keystore.path", keystorePath)
.put("xpack.security.transport.ssl.keystore.path", keystorePath)
.setSecureSettings(secureSettings)
.build();
final Environment env = randomBoolean() ? null : TestEnvironment.newEnvironment(settings);
@ -144,11 +144,12 @@ public class SSLConfigurationReloaderTests extends ESTestCase {
Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_updated.crt"), updatedCertPath);
Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"), certPath);
MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
final Settings settings = Settings.builder()
.put("path.home", createTempDir())
.put("xpack.ssl.key", keyPath)
.put("xpack.ssl.certificate", certPath)
.put("xpack.security.transport.ssl.key", keyPath)
.put("xpack.security.transport.ssl.certificate", certPath)
.putList("xpack.security.transport.ssl.certificate_authorities", certPath.toString())
.setSecureSettings(secureSettings)
.build();
final Environment env = randomBoolean() ? null :
@ -202,9 +203,9 @@ public class SSLConfigurationReloaderTests extends ESTestCase {
Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_updated.jks"),
updatedTruststorePath);
MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.truststore.secure_password", "testnode");
secureSettings.setString("xpack.security.transport.ssl.truststore.secure_password", "testnode");
Settings settings = Settings.builder()
.put("xpack.ssl.truststore.path", trustStorePath)
.put("xpack.security.transport.ssl.truststore.path", trustStorePath)
.put("path.home", createTempDir())
.setSecureSettings(secureSettings)
.build();
@ -254,7 +255,7 @@ public class SSLConfigurationReloaderTests extends ESTestCase {
Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem"), serverKeyPath);
Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_updated.crt"), updatedCert);
Settings settings = Settings.builder()
.put("xpack.ssl.certificate_authorities", serverCertPath)
.putList("xpack.security.transport.ssl.certificate_authorities", serverCertPath.toString())
.put("path.home", createTempDir())
.build();
Environment env = randomBoolean() ? null : TestEnvironment.newEnvironment(settings);
@ -300,15 +301,15 @@ public class SSLConfigurationReloaderTests extends ESTestCase {
Path keystorePath = tempDir.resolve("testnode.jks");
Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"), keystorePath);
MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode");
secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode");
Settings settings = Settings.builder()
.put("xpack.ssl.keystore.path", keystorePath)
.put("xpack.security.transport.ssl.keystore.path", keystorePath)
.setSecureSettings(secureSettings)
.put("path.home", createTempDir())
.build();
Environment env = randomBoolean() ? null : TestEnvironment.newEnvironment(settings);
final SSLService sslService = new SSLService(settings, env);
final SSLConfiguration config = sslService.getSSLConfiguration("xpack.ssl");
final SSLConfiguration config = sslService.getSSLConfiguration("xpack.security.transport.ssl.");
new SSLConfigurationReloader(env, sslService, resourceWatcherService) {
@Override
void reloadSSLContext(SSLConfiguration configuration) {
@ -339,17 +340,17 @@ public class SSLConfigurationReloaderTests extends ESTestCase {
Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"), certPath);
Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt"), clientCertPath);
MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
Settings settings = Settings.builder()
.put("xpack.ssl.key", keyPath)
.put("xpack.ssl.certificate", certPath)
.putList("xpack.ssl.certificate_authorities", certPath.toString(), clientCertPath.toString())
.put("xpack.security.transport.ssl.key", keyPath)
.put("xpack.security.transport.ssl.certificate", certPath)
.putList("xpack.security.transport.ssl.certificate_authorities", certPath.toString(), clientCertPath.toString())
.put("path.home", createTempDir())
.setSecureSettings(secureSettings)
.build();
Environment env = randomBoolean() ? null : TestEnvironment.newEnvironment(settings);
final SSLService sslService = new SSLService(settings, env);
final SSLConfiguration config = sslService.getSSLConfiguration("xpack.ssl");
final SSLConfiguration config = sslService.getSSLConfiguration("xpack.security.transport.ssl.");
new SSLConfigurationReloader(env, sslService, resourceWatcherService) {
@Override
void reloadSSLContext(SSLConfiguration configuration) {
@ -376,15 +377,15 @@ public class SSLConfigurationReloaderTests extends ESTestCase {
Path trustStorePath = tempDir.resolve("testnode.jks");
Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"), trustStorePath);
MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.truststore.secure_password", "testnode");
secureSettings.setString("xpack.security.transport.ssl.truststore.secure_password", "testnode");
Settings settings = Settings.builder()
.put("xpack.ssl.truststore.path", trustStorePath)
.put("xpack.security.transport.ssl.truststore.path", trustStorePath)
.put("path.home", createTempDir())
.setSecureSettings(secureSettings)
.build();
Environment env = randomBoolean() ? null : TestEnvironment.newEnvironment(settings);
final SSLService sslService = new SSLService(settings, env);
final SSLConfiguration config = sslService.getSSLConfiguration("xpack.ssl");
final SSLConfiguration config = sslService.getSSLConfiguration("xpack.security.transport.ssl.");
new SSLConfigurationReloader(env, sslService, resourceWatcherService) {
@Override
void reloadSSLContext(SSLConfiguration configuration) {
@ -411,12 +412,12 @@ public class SSLConfigurationReloaderTests extends ESTestCase {
Path clientCertPath = tempDir.resolve("testclient.crt");
Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt"), clientCertPath);
Settings settings = Settings.builder()
.putList("xpack.ssl.certificate_authorities", clientCertPath.toString())
.putList("xpack.security.transport.ssl.certificate_authorities", clientCertPath.toString())
.put("path.home", createTempDir())
.build();
Environment env = randomBoolean() ? null : TestEnvironment.newEnvironment(settings);
final SSLService sslService = new SSLService(settings, env);
final SSLConfiguration config = sslService.getSSLConfiguration("xpack.ssl");
final SSLConfiguration config = sslService.sslConfiguration(settings.getByPrefix("xpack.security.transport.ssl."));
new SSLConfigurationReloader(env, sslService, resourceWatcherService) {
@Override
void reloadSSLContext(SSLConfiguration configuration) {
@ -442,7 +443,7 @@ public class SSLConfigurationReloaderTests extends ESTestCase {
Runnable modificationFunction, Consumer<SSLContext> postChecks) throws Exception {
final CountDownLatch reloadLatch = new CountDownLatch(1);
final SSLService sslService = new SSLService(settings, env);
final SSLConfiguration config = sslService.getSSLConfiguration("xpack.ssl");
final SSLConfiguration config = sslService.getSSLConfiguration("xpack.security.transport.ssl");
new SSLConfigurationReloader(env, sslService, resourceWatcherService) {
@Override
void reloadSSLContext(SSLConfiguration configuration) {

View File

@ -21,7 +21,7 @@ public class SSLConfigurationSettingsTests extends ESTestCase {
final SSLConfigurationSettings ssl = SSLConfigurationSettings.withoutPrefix();
assertThat(ssl.ciphers.match("cipher_suites"), is(true));
assertThat(ssl.ciphers.match("ssl.cipher_suites"), is(false));
assertThat(ssl.ciphers.match("xpack.ssl.cipher_suites"), is(false));
assertThat(ssl.ciphers.match("xpack.transport.security.ssl.cipher_suites"), is(false));
final Settings settings = Settings.builder()
.put("cipher_suites.0", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256")

View File

@ -35,10 +35,6 @@ public class SSLConfigurationTests extends ESTestCase {
assertThat(globalConfig.keyConfig(), sameInstance(KeyConfig.NONE));
assertThat(globalConfig.trustConfig(), is(not((globalConfig.keyConfig()))));
assertThat(globalConfig.trustConfig(), instanceOf(DefaultJDKTrustConfig.class));
SSLConfiguration scopedConfig = new SSLConfiguration(Settings.EMPTY, globalConfig);
assertThat(scopedConfig.keyConfig(), sameInstance(globalConfig.keyConfig()));
assertThat(scopedConfig.trustConfig(), sameInstance(globalConfig.trustConfig()));
}
public void testThatOnlyKeystoreInSettingsSetsTruststoreSettings() {
@ -50,22 +46,17 @@ public class SSLConfigurationTests extends ESTestCase {
.setSecureSettings(secureSettings)
.build();
// Pass settings in as component settings
SSLConfiguration globalSettings = new SSLConfiguration(settings);
SSLConfiguration scopedSettings = new SSLConfiguration(settings, globalSettings);
SSLConfiguration scopedEmptyGlobalSettings =
new SSLConfiguration(settings, new SSLConfiguration(Settings.EMPTY));
for (SSLConfiguration sslConfiguration : Arrays.asList(globalSettings, scopedSettings, scopedEmptyGlobalSettings)) {
assertThat(sslConfiguration.keyConfig(), instanceOf(StoreKeyConfig.class));
StoreKeyConfig ksKeyInfo = (StoreKeyConfig) sslConfiguration.keyConfig();
SSLConfiguration sslConfiguration = new SSLConfiguration(settings);
assertThat(sslConfiguration.keyConfig(), instanceOf(StoreKeyConfig.class));
StoreKeyConfig ksKeyInfo = (StoreKeyConfig) sslConfiguration.keyConfig();
assertThat(ksKeyInfo.keyStorePath, is(equalTo(path)));
assertThat(ksKeyInfo.keyStorePassword, is(equalTo("testnode")));
assertThat(ksKeyInfo.keyStoreType, is(equalTo("jks")));
assertThat(ksKeyInfo.keyPassword, is(equalTo(ksKeyInfo.keyStorePassword)));
assertThat(ksKeyInfo.keyStoreAlgorithm, is(KeyManagerFactory.getDefaultAlgorithm()));
assertThat(sslConfiguration.trustConfig(), is(instanceOf(CombiningTrustConfig.class)));
assertCombiningTrustConfigContainsCorrectIssuers(sslConfiguration);
}
assertThat(ksKeyInfo.keyStorePath, is(equalTo(path)));
assertThat(ksKeyInfo.keyStorePassword, is(equalTo("testnode")));
assertThat(ksKeyInfo.keyStoreType, is(equalTo("jks")));
assertThat(ksKeyInfo.keyPassword, is(equalTo(ksKeyInfo.keyStorePassword)));
assertThat(ksKeyInfo.keyStoreAlgorithm, is(KeyManagerFactory.getDefaultAlgorithm()));
assertThat(sslConfiguration.trustConfig(), is(instanceOf(CombiningTrustConfig.class)));
assertCombiningTrustConfigContainsCorrectIssuers(sslConfiguration);
}
public void testKeystorePassword() {
@ -188,44 +179,13 @@ public class SSLConfigurationTests extends ESTestCase {
assertThat(ksKeyInfo.keyStoreType, is(equalTo(type)));
}
public void testThatProfileSettingsOverrideServiceSettings() {
MockSecureSettings profileSecureSettings = new MockSecureSettings();
profileSecureSettings.setString("keystore.secure_password", "password");
profileSecureSettings.setString("keystore.secure_key_password", "key");
profileSecureSettings.setString("truststore.secure_password", "password for trust");
Settings profileSettings = Settings.builder()
.put("keystore.path", "path")
.put("keystore.algorithm", "algo")
.put("truststore.path", "trust path")
.put("truststore.algorithm", "trusted")
.setSecureSettings(profileSecureSettings)
.build();
MockSecureSettings serviceSecureSettings = new MockSecureSettings();
serviceSecureSettings.setString("xpack.ssl.keystore.secure_password", "comp password");
serviceSecureSettings.setString("xpack.ssl.keystore.secure_key_password", "comp key");
serviceSecureSettings.setString("xpack.ssl.truststore.secure_password", "comp password for trust");
Settings serviceSettings = Settings.builder()
.put("xpack.ssl.keystore.path", "comp path")
.put("xpack.ssl.keystore.algorithm", "comp algo")
.put("xpack.ssl.truststore.path", "comp trust path")
.put("xpack.ssl.truststore.algorithm", "comp trusted")
.setSecureSettings(serviceSecureSettings)
.build();
SSLConfiguration globalSettings = new SSLConfiguration(serviceSettings);
SSLConfiguration sslConfiguration = new SSLConfiguration(profileSettings, globalSettings);
assertThat(sslConfiguration.keyConfig(), instanceOf(StoreKeyConfig.class));
StoreKeyConfig ksKeyInfo = (StoreKeyConfig) sslConfiguration.keyConfig();
assertThat(ksKeyInfo.keyStorePath, is(equalTo("path")));
assertThat(ksKeyInfo.keyStorePassword, is(equalTo("password")));
assertThat(ksKeyInfo.keyPassword, is(equalTo("key")));
assertThat(ksKeyInfo.keyStoreAlgorithm, is(equalTo("algo")));
assertThat(sslConfiguration.trustConfig(), instanceOf(StoreTrustConfig.class));
StoreTrustConfig ksTrustInfo = (StoreTrustConfig) sslConfiguration.trustConfig();
assertThat(ksTrustInfo.trustStorePath, is(equalTo("trust path")));
assertThat(ksTrustInfo.trustStorePassword, is(equalTo("password for trust")));
assertThat(ksTrustInfo.trustStoreAlgorithm, is(equalTo("trusted")));
public void testThatEmptySettingsAreEqual() {
SSLConfiguration sslConfiguration = new SSLConfiguration(Settings.EMPTY);
SSLConfiguration sslConfiguration1 = new SSLConfiguration(Settings.EMPTY);
assertThat(sslConfiguration.equals(sslConfiguration1), is(equalTo(true)));
assertThat(sslConfiguration1.equals(sslConfiguration), is(equalTo(true)));
assertThat(sslConfiguration.equals(sslConfiguration), is(equalTo(true)));
assertThat(sslConfiguration1.equals(sslConfiguration1), is(equalTo(true)));
}
public void testThatSettingsWithDifferentKeystoresAreNotEqual() {
@ -254,6 +214,12 @@ public class SSLConfigurationTests extends ESTestCase {
assertThat(sslConfiguration1.equals(sslConfiguration1), is(equalTo(true)));
}
public void testThatEmptySettingsHaveSameHashCode() {
SSLConfiguration sslConfiguration = new SSLConfiguration(Settings.EMPTY);
SSLConfiguration sslConfiguration1 = new SSLConfiguration(Settings.EMPTY);
assertThat(sslConfiguration.hashCode(), is(equalTo(sslConfiguration1.hashCode())));
}
public void testThatSettingsWithDifferentKeystoresHaveDifferentHashCode() {
SSLConfiguration sslConfiguration = new SSLConfiguration(Settings.builder()
.put("keystore.path", "path")

View File

@ -109,11 +109,11 @@ public class SSLServiceTests extends ESTestCase {
assumeFalse("Can't run in a FIPS JVM", inFipsJvm());
Path testClientStore = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.jks");
MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.truststore.secure_password", "testnode");
secureSettings.setString("xpack.security.transport.ssl.truststore.secure_password", "testnode");
secureSettings.setString("transport.profiles.foo.xpack.security.ssl.truststore.secure_password", "testclient");
Settings settings = Settings.builder()
.put("xpack.ssl.truststore.path", testnodeStore)
.put("xpack.ssl.truststore.type", testnodeStoreType)
.put("xpack.security.transport.ssl.truststore.path", testnodeStore)
.put("xpack.security.transport.ssl.truststore.type", testnodeStoreType)
.setSecureSettings(secureSettings)
.put("transport.profiles.foo.xpack.security.ssl.truststore.path", testClientStore)
.build();
@ -126,12 +126,12 @@ public class SSLServiceTests extends ESTestCase {
.setSecureSettings(secureCustomSettings)
.build();
SSLConfiguration configuration = new SSLConfiguration(customTruststoreSettings, globalConfiguration(sslService));
SSLConfiguration configuration = new SSLConfiguration(customTruststoreSettings);
SSLEngine sslEngineWithTruststore = sslService.createSSLEngine(configuration, null, -1);
assertThat(sslEngineWithTruststore, is(not(nullValue())));
SSLConfiguration globalConfig = globalConfiguration(sslService);
SSLEngine sslEngine = sslService.createSSLEngine(globalConfig, null, -1);
SSLConfiguration defaultConfig = sslService.getSSLConfiguration("xpack.security.transport.ssl");
SSLEngine sslEngine = sslService.createSSLEngine(defaultConfig, null, -1);
assertThat(sslEngineWithTruststore, is(not(sameInstance(sslEngine))));
final SSLConfiguration profileConfiguration = sslService.getSSLConfiguration("transport.profiles.foo.xpack.security.ssl");
@ -142,20 +142,21 @@ public class SSLServiceTests extends ESTestCase {
public void testThatSslContextCachingWorks() throws Exception {
MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
Settings settings = Settings.builder()
.put("xpack.ssl.certificate", testnodeCert)
.put("xpack.ssl.key", testnodeKey)
.put("xpack.security.transport.ssl.certificate", testnodeCert)
.put("xpack.security.transport.ssl.key", testnodeKey)
.setSecureSettings(secureSettings)
.build();
SSLService sslService = new SSLService(settings, env);
SSLContext sslContext = sslService.sslContext();
SSLContext cachedSslContext = sslService.sslContext();
final Settings transportSSLSettings = settings.getByPrefix("xpack.security.transport.ssl.");
SSLContext sslContext = sslService.sslContext(sslService.sslConfiguration(transportSSLSettings));
SSLContext cachedSslContext = sslService.sslContext(sslService.sslConfiguration(transportSSLSettings));
assertThat(sslContext, is(sameInstance(cachedSslContext)));
final SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.ssl");
final SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
final SSLContext configContext = sslService.sslContext(configuration);
assertThat(configContext, is(sameInstance(sslContext)));
}
@ -165,14 +166,15 @@ public class SSLServiceTests extends ESTestCase {
Path differentPasswordsStore =
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-different-passwords.jks");
MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode");
secureSettings.setString("xpack.ssl.keystore.secure_key_password", "testnode1");
secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode");
secureSettings.setString("xpack.security.transport.ssl.keystore.secure_key_password", "testnode1");
Settings settings = Settings.builder()
.put("xpack.ssl.keystore.path", differentPasswordsStore)
.setSecureSettings(secureSettings)
.build();
.put("xpack.security.transport.ssl.keystore.path", differentPasswordsStore)
.setSecureSettings(secureSettings)
.build();
final SSLService sslService = new SSLService(settings, env);
SSLConfiguration configuration = globalConfiguration(sslService);
SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
sslService.createSSLEngine(configuration, null, -1);
}
@ -182,13 +184,13 @@ public class SSLServiceTests extends ESTestCase {
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-different-passwords.jks");
try {
MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode");
secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode");
Settings settings = Settings.builder()
.put("xpack.ssl.keystore.path", differentPasswordsStore)
.setSecureSettings(secureSettings)
.build();
.put("xpack.security.transport.ssl.keystore.path", differentPasswordsStore)
.setSecureSettings(secureSettings)
.build();
final SSLService sslService = new SSLService(settings, env);
SSLConfiguration configuration = globalConfiguration(sslService);
SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
sslService.createSSLEngine(configuration, null, -1);
fail("expected an exception");
} catch (ElasticsearchException e) {
@ -198,34 +200,34 @@ public class SSLServiceTests extends ESTestCase {
public void testThatSSLv3IsNotEnabled() throws Exception {
MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
Settings settings = Settings.builder()
.put("xpack.ssl.certificate", testnodeCert)
.put("xpack.ssl.key", testnodeKey)
.put("xpack.security.transport.ssl.certificate", testnodeCert)
.put("xpack.security.transport.ssl.key", testnodeKey)
.setSecureSettings(secureSettings)
.build();
SSLService sslService = new SSLService(settings, env);
SSLConfiguration configuration = globalConfiguration(sslService);
SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
SSLEngine engine = sslService.createSSLEngine(configuration, null, -1);
assertThat(Arrays.asList(engine.getEnabledProtocols()), not(hasItem("SSLv3")));
}
public void testThatCreateClientSSLEngineWithoutAnySettingsWorks() throws Exception {
SSLService sslService = new SSLService(Settings.EMPTY, env);
SSLConfiguration configuration = globalConfiguration(sslService);
SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
SSLEngine sslEngine = sslService.createSSLEngine(configuration, null, -1);
assertThat(sslEngine, notNullValue());
}
public void testThatCreateSSLEngineWithOnlyTruststoreWorks() throws Exception {
MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.truststore.secure_password", "testclient");
secureSettings.setString("xpack.security.transport.ssl.truststore.secure_password", "testclient");
Settings settings = Settings.builder()
.put("xpack.ssl.truststore.path", testclientStore)
.setSecureSettings(secureSettings)
.build();
.put("xpack.security.transport.ssl.truststore.path", testclientStore)
.setSecureSettings(secureSettings)
.build();
SSLService sslService = new SSLService(settings, env);
SSLConfiguration configuration = globalConfiguration(sslService);
SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
SSLEngine sslEngine = sslService.createSSLEngine(configuration, null, -1);
assertThat(sslEngine, notNullValue());
}
@ -234,54 +236,52 @@ public class SSLServiceTests extends ESTestCase {
public void testCreateWithKeystoreIsValidForServer() throws Exception {
assumeFalse("Can't run in a FIPS JVM, JKS keystores can't be used", inFipsJvm());
MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode");
secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode");
Settings settings = Settings.builder()
.put("xpack.ssl.keystore.path", testnodeStore)
.put("xpack.ssl.keystore.type", testnodeStoreType)
.setSecureSettings(secureSettings)
.build();
.put("xpack.security.transport.ssl.keystore.path", testnodeStore)
.put("xpack.security.transport.ssl.keystore.type", testnodeStoreType)
.setSecureSettings(secureSettings)
.build();
SSLService sslService = new SSLService(settings, env);
assertTrue(sslService.isConfigurationValidForServerUsage(globalConfiguration(sslService)));
assertTrue(sslService.isConfigurationValidForServerUsage(sslService.getSSLConfiguration("xpack.security.transport.ssl")));
}
public void testValidForServerWithFallback() throws Exception {
public void testValidForServer() throws Exception {
assumeFalse("Can't run in a FIPS JVM, JKS keystores can't be used", inFipsJvm());
MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.truststore.secure_password", "testnode");
secureSettings.setString("xpack.security.transport.ssl.truststore.secure_password", "testnode");
Settings settings = Settings.builder()
.put("xpack.ssl.truststore.path", testnodeStore)
.put("xpack.ssl.truststore.type", testnodeStoreType)
.setSecureSettings(secureSettings)
.build();
.put("xpack.security.transport.ssl.truststore.path", testnodeStore)
.put("xpack.security.transport.ssl.truststore.type", testnodeStoreType)
.setSecureSettings(secureSettings)
.build();
SSLService sslService = new SSLService(settings, env);
assertFalse(sslService.isConfigurationValidForServerUsage(globalConfiguration(sslService)));
assertFalse(sslService.isConfigurationValidForServerUsage(sslService.getSSLConfiguration("xpack.security.transport.ssl")));
secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode");
settings = Settings.builder()
.put("xpack.ssl.truststore.path", testnodeStore)
.put("xpack.ssl.truststore.type", testnodeStoreType)
.setSecureSettings(secureSettings)
.put("xpack.security.transport.ssl.keystore.path", testnodeStore)
.put("xpack.security.transport.ssl.keystore.type", testnodeStoreType)
.build();
.put("xpack.security.transport.ssl.truststore.path", testnodeStore)
.put("xpack.security.transport.ssl.truststore.type", testnodeStoreType)
.setSecureSettings(secureSettings)
.put("xpack.security.transport.ssl.keystore.path", testnodeStore)
.put("xpack.security.transport.ssl.keystore.type", testnodeStoreType)
.build();
sslService = new SSLService(settings, env);
assertFalse(sslService.isConfigurationValidForServerUsage(globalConfiguration(sslService)));
assertTrue(sslService.isConfigurationValidForServerUsage(sslService.getSSLConfiguration("xpack.security.transport.ssl")));
}
public void testGetVerificationMode() throws Exception {
assumeFalse("Can't run in a FIPS JVM, TrustAllConfig is not a SunJSSE TrustManagers", inFipsJvm());
SSLService sslService = new SSLService(Settings.EMPTY, env);
assertThat(globalConfiguration(sslService).verificationMode(), is(XPackSettings.VERIFICATION_MODE_DEFAULT));
assertThat(sslService.getSSLConfiguration("xpack.security.transport.ssl").verificationMode(),
is(XPackSettings.VERIFICATION_MODE_DEFAULT));
Settings settings = Settings.builder()
.put("xpack.ssl.verification_mode", "none")
.put("xpack.security.transport.ssl.verification_mode", "certificate")
.put("transport.profiles.foo.xpack.security.ssl.verification_mode", "full")
.build();
.put("xpack.security.transport.ssl.verification_mode", "certificate")
.put("transport.profiles.foo.xpack.security.ssl.verification_mode", "full")
.build();
sslService = new SSLService(settings, env);
assertThat(globalConfiguration(sslService).verificationMode(), is(VerificationMode.NONE));
assertThat(sslService.getSSLConfiguration("xpack.security.transport.ssl.").verificationMode(), is(VerificationMode.CERTIFICATE));
assertThat(sslService.getSSLConfiguration("transport.profiles.foo.xpack.security.ssl.").verificationMode(),
is(VerificationMode.FULL));
@ -289,27 +289,25 @@ public class SSLServiceTests extends ESTestCase {
public void testIsSSLClientAuthEnabled() throws Exception {
SSLService sslService = new SSLService(Settings.EMPTY, env);
assertTrue(globalConfiguration(sslService).sslClientAuth().enabled());
assertTrue(sslService.getSSLConfiguration("xpack.security.transport.ssl").sslClientAuth().enabled());
Settings settings = Settings.builder()
.put("xpack.ssl.client_authentication", "none")
.put("xpack.security.transport.ssl.client_authentication", "optional")
.put("xpack.security.transport.ssl.client_authentication", "optional")
.put("transport.profiles.foo.port", "9400-9410")
.build();
.build();
sslService = new SSLService(settings, env);
assertFalse(sslService.isSSLClientAuthEnabled(globalConfiguration(sslService)));
assertTrue(sslService.isSSLClientAuthEnabled(sslService.getSSLConfiguration("xpack.security.transport.ssl")));
assertTrue(sslService.isSSLClientAuthEnabled(sslService.getSSLConfiguration("transport.profiles.foo.xpack.security.ssl")));
}
public void testThatHttpClientAuthDefaultsToNone() throws Exception {
final Settings globalSettings = Settings.builder()
.put("xpack.security.http.ssl.enabled", true)
.put("xpack.ssl.client_authentication", SSLClientAuth.OPTIONAL.name())
.build();
.put("xpack.security.http.ssl.enabled", true)
.put("xpack.security.transport.ssl.client_authentication", SSLClientAuth.OPTIONAL.name())
.build();
final SSLService sslService = new SSLService(globalSettings, env);
final SSLConfiguration globalConfig = globalConfiguration(sslService);
final SSLConfiguration globalConfig = sslService.getSSLConfiguration("xpack.security.transport.ssl");
assertThat(globalConfig.sslClientAuth(), is(SSLClientAuth.OPTIONAL));
final SSLConfiguration httpConfig = sslService.getHttpTransportSSLConfiguration();
@ -318,14 +316,14 @@ public class SSLServiceTests extends ESTestCase {
public void testThatTruststorePasswordIsRequired() throws Exception {
MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode");
secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode");
Settings settings = Settings.builder()
.put("xpack.ssl.keystore.path", testnodeStore)
.put("xpack.ssl.keystore.type", testnodeStoreType)
.setSecureSettings(secureSettings)
.put("xpack.ssl.truststore.path", testnodeStore)
.put("xpack.ssl.truststore.type", testnodeStoreType)
.build();
.put("xpack.security.transport.ssl.keystore.path", testnodeStore)
.put("xpack.security.transport.ssl.keystore.type", testnodeStoreType)
.setSecureSettings(secureSettings)
.put("xpack.security.transport.ssl.truststore.path", testnodeStore)
.put("xpack.security.transport.ssl.truststore.type", testnodeStoreType)
.build();
ElasticsearchException e =
expectThrows(ElasticsearchException.class, () -> new SSLService(settings, env));
assertThat(e.getMessage(), is("failed to initialize a TrustManagerFactory"));
@ -333,9 +331,9 @@ public class SSLServiceTests extends ESTestCase {
public void testThatKeystorePasswordIsRequired() throws Exception {
Settings settings = Settings.builder()
.put("xpack.ssl.keystore.path", testnodeStore)
.put("xpack.ssl.keystore.type", testnodeStoreType)
.build();
.put("xpack.security.transport.ssl.keystore.path", testnodeStore)
.put("xpack.security.transport.ssl.keystore.type", testnodeStoreType)
.build();
ElasticsearchException e =
expectThrows(ElasticsearchException.class, () -> new SSLService(settings, env));
assertThat(e.getMessage(), is("failed to create trust manager"));
@ -346,14 +344,15 @@ public class SSLServiceTests extends ESTestCase {
ciphers.add("foo");
ciphers.add("bar");
MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
Settings settings = Settings.builder()
.put("xpack.ssl.certificate", testnodeCert)
.put("xpack.ssl.key", testnodeKey)
.put("xpack.security.transport.ssl.certificate", testnodeCert)
.put("xpack.security.transport.ssl.key", testnodeKey)
.setSecureSettings(secureSettings)
.putList("xpack.security.transport.ssl.ciphers", ciphers.toArray(new String[ciphers.size()]))
.build();
SSLService sslService = new SSLService(settings, env);
SSLConfiguration configuration = globalConfiguration(sslService);
SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
SSLEngine engine = sslService.createSSLEngine(configuration, null, -1);
assertThat(engine, is(notNullValue()));
String[] enabledCiphers = engine.getEnabledCipherSuites();
@ -362,14 +361,14 @@ public class SSLServiceTests extends ESTestCase {
public void testInvalidCiphersOnlyThrowsException() throws Exception {
MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
Settings settings = Settings.builder()
.put("xpack.ssl.certificate", testnodeCert)
.put("xpack.ssl.key", testnodeKey)
.putList("xpack.ssl.cipher_suites", new String[]{"foo", "bar"})
.setSecureSettings(secureSettings)
.build();
secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
Settings settings = Settings.builder()
.put("xpack.security.transport.ssl.certificate", testnodeCert)
.put("xpack.security.transport.ssl.key", testnodeKey)
.setSecureSettings(secureSettings)
.putList("xpack.security.transport.ssl.cipher_suites", new String[] { "foo", "bar" })
.build();
IllegalArgumentException e =
expectThrows(IllegalArgumentException.class, () -> new SSLService(settings, env));
assertThat(e.getMessage(), is("none of the ciphers [foo, bar] are supported by this JVM"));
@ -377,14 +376,14 @@ public class SSLServiceTests extends ESTestCase {
public void testThatSSLEngineHasCipherSuitesOrderSet() throws Exception {
MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
Settings settings = Settings.builder()
.put("xpack.ssl.certificate", testnodeCert)
.put("xpack.ssl.key", testnodeKey)
.put("xpack.security.transport.ssl.certificate", testnodeCert)
.put("xpack.security.transport.ssl.key", testnodeKey)
.setSecureSettings(secureSettings)
.build();
SSLService sslService = new SSLService(settings, env);
SSLConfiguration configuration = globalConfiguration(sslService);
SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
SSLEngine engine = sslService.createSSLEngine(configuration, null, -1);
assertThat(engine, is(notNullValue()));
assertTrue(engine.getSSLParameters().getUseCipherSuitesOrder());
@ -392,14 +391,14 @@ public class SSLServiceTests extends ESTestCase {
public void testThatSSLSocketFactoryHasProperCiphersAndProtocols() throws Exception {
MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
Settings settings = Settings.builder()
.put("xpack.ssl.certificate", testnodeCert)
.put("xpack.ssl.key", testnodeKey)
.put("xpack.security.transport.ssl.certificate", testnodeCert)
.put("xpack.security.transport.ssl.key", testnodeKey)
.setSecureSettings(secureSettings)
.build();
SSLService sslService = new SSLService(settings, env);
SSLConfiguration config = globalConfiguration(sslService);
SSLConfiguration config = sslService.getSSLConfiguration("xpack.security.transport.ssl");
final SSLSocketFactory factory = sslService.sslSocketFactory(config);
final String[] ciphers = sslService.supportedCiphers(factory.getSupportedCipherSuites(), config.cipherSuites(), false);
assertThat(factory.getDefaultCipherSuites(), is(ciphers));
@ -417,14 +416,14 @@ public class SSLServiceTests extends ESTestCase {
public void testThatSSLEngineHasProperCiphersAndProtocols() throws Exception {
MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
Settings settings = Settings.builder()
.put("xpack.ssl.certificate", testnodeCert)
.put("xpack.ssl.key", testnodeKey)
.put("xpack.security.transport.ssl.certificate", testnodeCert)
.put("xpack.security.transport.ssl.key", testnodeKey)
.setSecureSettings(secureSettings)
.build();
SSLService sslService = new SSLService(settings, env);
SSLConfiguration configuration = globalConfiguration(sslService);
SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
SSLEngine engine = sslService.createSSLEngine(configuration, null, -1);
final String[] ciphers = sslService.supportedCiphers(engine.getSupportedCipherSuites(), configuration.cipherSuites(), false);
final String[] supportedProtocols = configuration.supportedProtocols().toArray(Strings.EMPTY_ARRAY);
@ -475,9 +474,9 @@ public class SSLServiceTests extends ESTestCase {
}
public void testEmptyTrustManager() throws Exception {
Settings settings = Settings.builder().build();
Settings settings = Settings.EMPTY;
final SSLService sslService = new SSLService(settings, env);
X509ExtendedTrustManager trustManager = sslService.sslContextHolder(sslService.getSSLConfiguration("xpack.ssl"))
X509ExtendedTrustManager trustManager = sslService.sslContextHolder(sslService.getSSLConfiguration("xpack.security.transport.ssl"))
.getEmptyTrustManager();
assertThat(trustManager.getAcceptedIssuers(), emptyArray());
}
@ -489,7 +488,6 @@ public class SSLServiceTests extends ESTestCase {
final String[] cipherSuites = sslContext.getSupportedSSLParameters().getCipherSuites();
final String[] contextNames = {
"xpack.ssl",
"xpack.http.ssl",
"xpack.security.http.ssl",
"xpack.security.transport.ssl",
@ -517,10 +515,6 @@ public class SSLServiceTests extends ESTestCase {
}
final Settings settings = builder
// Add a realm without SSL settings. This context name should be mapped to the global configuration
.put("xpack.security.authc.realms.file.realm3.order", 4)
// Add an exporter without SSL settings. This context name should be mapped to the global configuration
.put("xpack.monitoring.exporters.mon3.type", "http")
.setSecureSettings(secureSettings)
.build();
SSLService sslService = new SSLService(settings, env);
@ -535,14 +529,6 @@ public class SSLServiceTests extends ESTestCase {
assertThat("Cipher for " + name, configuration.cipherSuites(), contains(cipherSuites[i]));
assertThat("Configuration for " + name + ".", sslService.getSSLConfiguration(name + "."), sameInstance(configuration));
}
// These contexts have no SSL settings, but for convenience we want those components to be able to access their context
// by name, and get back the global configuration
final SSLConfiguration realm3Config = sslService.getSSLConfiguration("xpack.security.authc.realms.file.realm3.ssl");
final SSLConfiguration mon3Config = sslService.getSSLConfiguration("xpack.monitoring.exporters.mon3.ssl.");
final SSLConfiguration global = globalConfiguration(sslService);
assertThat(realm3Config, sameInstance(global));
assertThat(mon3Config, sameInstance(global));
}
public void testReadCertificateInformation() throws Exception {
@ -552,13 +538,13 @@ public class SSLServiceTests extends ESTestCase {
final Path pemPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/active-directory-ca.crt");
final MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode");
secureSettings.setString("xpack.ssl.truststore.secure_password", "testnode");
secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode");
secureSettings.setString("xpack.security.transport.ssl.truststore.secure_password", "testnode");
secureSettings.setString("xpack.http.ssl.keystore.secure_password", "testnode");
final Settings settings = Settings.builder()
.put("xpack.ssl.keystore.path", jksPath)
.put("xpack.ssl.truststore.path", jksPath)
.put("xpack.security.transport.ssl.keystore.path", jksPath)
.put("xpack.security.transport.ssl.truststore.path", jksPath)
.put("xpack.http.ssl.keystore.path", p12Path)
.put("xpack.security.authc.realms.active_directory.ad.ssl.certificate_authorities", pemPath)
.setSecureSettings(secureSettings)
@ -718,7 +704,7 @@ public class SSLServiceTests extends ESTestCase {
@Network
public void testThatSSLContextWithoutSettingsWorks() throws Exception {
SSLService sslService = new SSLService(Settings.EMPTY, env);
SSLContext sslContext = sslService.sslContext();
SSLContext sslContext = sslService.sslContext(sslService.sslConfiguration(Settings.EMPTY));
try (CloseableHttpClient client = HttpClients.custom().setSSLContext(sslContext).build()) {
// Execute a GET on a site known to have a valid certificate signed by a trusted public CA
// This will result in a SSLHandshakeException if the SSLContext does not trust the CA, but the default
@ -730,12 +716,13 @@ public class SSLServiceTests extends ESTestCase {
@Network
public void testThatSSLContextTrustsJDKTrustedCAs() throws Exception {
MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.keystore.secure_password", "testclient");
secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testclient");
Settings settings = Settings.builder()
.put("xpack.ssl.keystore.path", testclientStore)
.put("xpack.security.transport.ssl.keystore.path", testclientStore)
.setSecureSettings(secureSettings)
.build();
SSLContext sslContext = new SSLService(settings, env).sslContext();
SSLService sslService = new SSLService(settings, env);
SSLContext sslContext = sslService.sslContext(sslService.sslConfiguration(settings.getByPrefix("xpack.security.transport.ssl.")));
try (CloseableHttpClient client = HttpClients.custom().setSSLContext(sslContext).build()) {
// Execute a GET on a site known to have a valid certificate signed by a trusted public CA which will succeed because the JDK
// certs are trusted by default
@ -746,7 +733,7 @@ public class SSLServiceTests extends ESTestCase {
@Network
public void testThatSSLIOSessionStrategyWithoutSettingsWorks() throws Exception {
SSLService sslService = new SSLService(Settings.EMPTY, env);
SSLConfiguration sslConfiguration = globalConfiguration(sslService);
SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
logger.info("SSL Configuration: {}", sslConfiguration);
SSLIOSessionStrategy sslStrategy = sslService.sslIOSessionStrategy(sslConfiguration);
try (CloseableHttpAsyncClient client = getAsyncHttpClient(sslStrategy)) {
@ -762,13 +749,13 @@ public class SSLServiceTests extends ESTestCase {
@Network
public void testThatSSLIOSessionStrategyTrustsJDKTrustedCAs() throws Exception {
MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.keystore.secure_password", "testclient");
secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testclient");
Settings settings = Settings.builder()
.put("xpack.ssl.keystore.path", testclientStore)
.put("xpack.security.transport.ssl.keystore.path", testclientStore)
.setSecureSettings(secureSettings)
.build();
final SSLService sslService = new SSLService(settings, env);
SSLIOSessionStrategy sslStrategy = sslService.sslIOSessionStrategy(globalConfiguration(sslService));
SSLIOSessionStrategy sslStrategy = sslService.sslIOSessionStrategy(sslService.getSSLConfiguration("xpack.security.transport.ssl"));
try (CloseableHttpAsyncClient client = getAsyncHttpClient(sslStrategy)) {
client.start();
@ -778,10 +765,6 @@ public class SSLServiceTests extends ESTestCase {
}
}
private static SSLConfiguration globalConfiguration(SSLService sslService) {
return sslService.getSSLConfiguration("xpack.ssl");
}
class AssertionCallback implements FutureCallback<HttpResponse> {
@Override

View File

@ -19,11 +19,6 @@ public class TestsSSLService extends SSLService {
super(settings, environment);
}
@Override
public SSLContext sslContext() {
return super.sslContext();
}
/**
* Allows to get alternative ssl context, like for the http client
*/

View File

@ -95,14 +95,14 @@ public class HttpExporterSslIT extends MonitoringIntegTestCase {
final Path key = getDataPath("/org/elasticsearch/xpack/monitoring/exporter/http/testnode.pem");
final Settings sslSettings = Settings.builder()
.put("xpack.ssl.certificate", cert)
.put("xpack.ssl.key", key)
.put("xpack.ssl.key_passphrase", "testnode")
.put("xpack.transport.security.ssl.certificate", cert)
.put("xpack.transport.security.ssl.key", key)
.put("xpack.transport.security.ssl.key_passphrase", "testnode")
.put(globalSettings)
.build();
TestsSSLService sslService = new TestsSSLService(sslSettings, environment);
final SSLContext sslContext = sslService.sslContext(Settings.EMPTY);
final SSLContext sslContext = sslService.sslContext("xpack.security.transport.ssl");
MockWebServer server = new MockWebServer(sslContext, false);
server.start();
return server;

View File

@ -9,7 +9,7 @@ import org.elasticsearch.bootstrap.BootstrapCheck;
import org.elasticsearch.bootstrap.BootstrapContext;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.xpack.core.XPackSettings;
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
import org.elasticsearch.xpack.core.security.authc.RealmConfig.RealmIdentifier;
import org.elasticsearch.xpack.core.security.authc.RealmSettings;
import org.elasticsearch.xpack.core.security.authc.pki.PkiRealmSettings;
import org.elasticsearch.xpack.core.ssl.SSLConfiguration;
@ -37,7 +37,7 @@ class PkiRealmBootstrapCheck implements BootstrapCheck {
@Override
public BootstrapCheckResult check(BootstrapContext context) {
final Settings settings = context.settings();
final Map<RealmConfig.RealmIdentifier, Settings> realms = RealmSettings.getRealmSettings(settings);
final Map<RealmIdentifier, Settings> realms = RealmSettings.getRealmSettings(settings);
final boolean pkiRealmEnabled = realms.entrySet().stream()
.filter(e -> PkiRealmSettings.TYPE.equals(e.getKey().getType()))
.map(Map.Entry::getValue)
@ -70,6 +70,7 @@ class PkiRealmBootstrapCheck implements BootstrapCheck {
return list;
}
// FIXME this is an antipattern move this out of a bootstrap check!
@Override
public boolean alwaysEnforce() {
return true;

View File

@ -67,7 +67,6 @@ import java.util.Map;
import java.util.Set;
import static org.elasticsearch.common.xcontent.XContentFactory.jsonBuilder;
import static org.elasticsearch.xpack.core.security.SecurityField.setting;
/**
* This is the command-line tool used for migrating users and roles from the file-based realm into the new native realm using the API for
@ -149,7 +148,7 @@ public class ESNativeRealmMigrateTool extends LoggingAwareMultiCommand {
// If using SSL, need a custom service because it's likely a self-signed certificate
if ("https".equalsIgnoreCase(uri.getScheme())) {
final SSLService sslService = new SSLService(settings, env);
final SSLConfiguration sslConfiguration = sslService.getSSLConfiguration(setting("http.ssl"));
final SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.security.http.ssl");
final HttpsURLConnection httpsConn = (HttpsURLConnection) url.openConnection();
AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
// Requires permission java.lang.RuntimePermission "setFactory";

View File

@ -86,7 +86,6 @@ public class SecurityNioTransport extends NioTransport {
Map<String, SSLConfiguration> profileConfiguration = SecurityNetty4Transport.getTransportProfileConfigurations(settings,
sslService, transportConfiguration);
this.profileConfiguration = Collections.unmodifiableMap(profileConfiguration);
} else {
profileConfiguration = Collections.emptyMap();
}

View File

@ -149,7 +149,7 @@ public class SecuritySettingsSource extends NodeConfigurationSource {
@Override
public Settings transportClientSettings() {
Settings.Builder builder = Settings.builder();
addClientSSLSettings(builder, "");
addClientSSLSettings(builder, "xpack.security.transport.");
addDefaultSecurityTransportType(builder, Settings.EMPTY);
if (randomBoolean()) {
@ -208,22 +208,27 @@ public class SecuritySettingsSource extends NodeConfigurationSource {
return new SecureString(SecuritySettingsSourceField.TEST_PASSWORD.toCharArray());
}
public static void addSSLSettingsForNodePEMFiles(Settings.Builder builder, String prefix, boolean hostnameVerificationEnabled) {
addSSLSettingsForPEMFiles(builder, prefix,
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem", "testnode",
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt",
Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-client-profile.crt",
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/active-directory-ca.crt",
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt",
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/openldap.crt",
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"),
hostnameVerificationEnabled, false);
}
private void addNodeSSLSettings(Settings.Builder builder) {
if (sslEnabled) {
builder.put("xpack.security.transport.ssl.enabled", true);
if (usePEM) {
addSSLSettingsForPEMFiles(builder, "",
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem", "testnode",
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt",
Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-client-profile.crt",
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/active-directory-ca.crt",
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt",
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/openldap.crt",
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"),
sslEnabled, hostnameVerificationEnabled, false);
addSSLSettingsForNodePEMFiles(builder, "xpack.security.transport.", hostnameVerificationEnabled);
} else {
addSSLSettingsForStore(builder, "", "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks",
"testnode", sslEnabled, hostnameVerificationEnabled, false);
addSSLSettingsForStore(builder, "xpack.security.transport.",
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks", "testnode",
hostnameVerificationEnabled, false);
}
} else if (randomBoolean()) {
builder.put(XPackSettings.TRANSPORT_SSL_ENABLED.getKey(), false);
@ -231,47 +236,53 @@ public class SecuritySettingsSource extends NodeConfigurationSource {
}
public void addClientSSLSettings(Settings.Builder builder, String prefix) {
builder.put("xpack.security.transport.ssl.enabled", sslEnabled);
if (usePEM) {
addSSLSettingsForPEMFiles(builder, prefix,
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.pem", "testclient",
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt",
Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt",
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt"),
sslEnabled, hostnameVerificationEnabled, true);
hostnameVerificationEnabled, true);
} else {
addSSLSettingsForStore(builder, prefix, "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.jks",
"testclient", sslEnabled, hostnameVerificationEnabled, true);
"testclient", hostnameVerificationEnabled, true);
}
}
/**
* Returns the configuration settings given the location of a certificate and its password
*
* @param resourcePathToStore the location of the keystore or truststore
* @param password the password
*/
public static void addSSLSettingsForStore(Settings.Builder builder, String resourcePathToStore, String password, String prefix) {
addSSLSettingsForStore(builder, prefix, resourcePathToStore, password, true, true);
}
private static void addSSLSettingsForStore(Settings.Builder builder, String prefix, String resourcePathToStore, String password,
boolean sslEnabled, boolean hostnameVerificationEnabled,
boolean transportClient) {
boolean hostnameVerificationEnabled, boolean transportClient) {
Path store = resolveResourcePath(resourcePathToStore);
if (transportClient == false) {
builder.put(prefix + "xpack.security.http.ssl.enabled", false);
}
builder.put(XPackSettings.TRANSPORT_SSL_ENABLED.getKey(), sslEnabled);
builder.put(prefix + "xpack.ssl.verification_mode", hostnameVerificationEnabled ? "full" : "certificate");
builder.put(prefix + "xpack.ssl.keystore.path", store);
builder.put(prefix + "ssl.verification_mode", hostnameVerificationEnabled ? "full" : "certificate");
builder.put(prefix + "ssl.keystore.path", store);
if (transportClient) {
// continue using insecure settings for clients until we figure out what to do there...
builder.put(prefix + "xpack.ssl.keystore.password", password);
builder.put(prefix + "ssl.keystore.password", password);
} else {
final String finalPrefix = prefix;
addSecureSettings(builder, secureSettings ->
secureSettings.setString(prefix + "xpack.ssl.keystore.secure_password", password));
secureSettings.setString(finalPrefix + "ssl.keystore.secure_password", password));
}
if (randomBoolean()) {
builder.put(prefix + "xpack.ssl.truststore.path", store);
builder.put(prefix + "ssl.truststore.path", store);
if (transportClient) {
// continue using insecure settings for clients until we figure out what to do there...
builder.put(prefix + "xpack.ssl.truststore.password", password);
builder.put(prefix + "ssl.truststore.password", password);
} else {
final String finalPrefix = prefix;
addSecureSettings(builder, secureSettings ->
secureSettings.setString(prefix + "xpack.ssl.truststore.secure_password", password));
secureSettings.setString(finalPrefix + "ssl.truststore.secure_password", password));
}
}
}
@ -289,31 +300,46 @@ public class SecuritySettingsSource extends NodeConfigurationSource {
*/
public static void addSSLSettingsForPEMFiles(Settings.Builder builder, String keyPath, String password,
String certificatePath, List<String> trustedCertificates) {
addSSLSettingsForPEMFiles(builder, "", keyPath, password, certificatePath, trustedCertificates, true, true, true);
addSSLSettingsForPEMFiles(builder, "", keyPath, password, certificatePath, trustedCertificates, true, true);
}
/**
* Returns the SSL related configuration settings given the location of a key and certificate and the location
* of the PEM certificates to be trusted
*
* @param keyPath The path to the Private key to be used for SSL
* @param password The password with which the private key is protected
* @param certificatePath The path to the PEM formatted Certificate encapsulating the public key that corresponds
* to the Private Key specified in {@code keyPath}. Will be presented to incoming
* SSL connections.
* @param prefix The settings prefix to use before ssl setting names
* @param trustedCertificates A list of PEM formatted certificates that will be trusted.
*/
public static void addSSLSettingsForPEMFiles(Settings.Builder builder, String keyPath, String password,
String certificatePath, String prefix, List<String> trustedCertificates) {
addSSLSettingsForPEMFiles(builder, prefix, keyPath, password, certificatePath, trustedCertificates, true, true);
}
private static void addSSLSettingsForPEMFiles(Settings.Builder builder, String prefix, String keyPath, String password,
String certificatePath, List<String> trustedCertificates, boolean sslEnabled,
String certificatePath, List<String> trustedCertificates,
boolean hostnameVerificationEnabled, boolean transportClient) {
if (transportClient == false) {
builder.put(prefix + "xpack.security.http.ssl.enabled", false);
if (prefix.equals("")) {
prefix = "xpack.security.transport.";
}
builder.put(XPackSettings.TRANSPORT_SSL_ENABLED.getKey(), sslEnabled);
builder.put(prefix + "xpack.ssl.verification_mode", hostnameVerificationEnabled ? "full" : "certificate");
builder.put(prefix + "xpack.ssl.key", resolveResourcePath(keyPath))
.put(prefix + "xpack.ssl.certificate", resolveResourcePath(certificatePath));
builder.put(prefix + "ssl.verification_mode", hostnameVerificationEnabled ? "full" : "certificate");
builder.put(prefix + "ssl.key", resolveResourcePath(keyPath))
.put(prefix + "ssl.certificate", resolveResourcePath(certificatePath));
if (transportClient) {
// continue using insecure settings for clients until we figure out what to do there...
builder.put(prefix + "xpack.ssl.key_passphrase", password);
builder.put(prefix + "ssl.key_passphrase", password);
} else {
final String finalPrefix = prefix;
addSecureSettings(builder, secureSettings ->
secureSettings.setString(prefix + "xpack.ssl.secure_key_passphrase", password));
secureSettings.setString(finalPrefix + "ssl.secure_key_passphrase", password));
}
if (trustedCertificates.isEmpty() == false) {
builder.put(prefix + "xpack.ssl.certificate_authorities",
builder.put(prefix + "ssl.certificate_authorities",
Strings.arrayToCommaDelimitedString(resolvePathsToString(trustedCertificates)));
}
}

View File

@ -64,21 +64,21 @@ public class SettingsFilterTests extends ESTestCase {
if (inFipsJvm() == false) {
configureFilteredSetting("xpack.security.authc.realms.pki.pki1.truststore.path",
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/truststore-testnode-only.jks").toString());
configureFilteredSetting("xpack.ssl.keystore.path",
configureFilteredSetting("xpack.security.transport.ssl.keystore.path",
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks").toString());
}
configureSecureSetting("xpack.security.authc.realms.pki.pki1.truststore.secure_password", "truststore-testnode-only");
configureFilteredSetting("xpack.security.authc.realms.pki.pki1.truststore.algorithm", "SunX509");
configureFilteredSetting("xpack.ssl.cipher_suites",
configureFilteredSetting("xpack.security.transport.ssl.cipher_suites",
Strings.arrayToCommaDelimitedString(XPackSettings.DEFAULT_CIPHERS.toArray()));
configureFilteredSetting("xpack.ssl.supported_protocols", randomFrom("TLSv1", "TLSv1.1", "TLSv1.2"));
configureSecureSetting("xpack.ssl.keystore.secure_password", "testnode");
configureFilteredSetting("xpack.ssl.keystore.algorithm", KeyManagerFactory.getDefaultAlgorithm());
configureSecureSetting("xpack.ssl.keystore.secure_key_password", "testnode");
configureSecureSetting("xpack.ssl.truststore.secure_password", randomAlphaOfLength(5));
configureFilteredSetting("xpack.ssl.truststore.algorithm", TrustManagerFactory.getDefaultAlgorithm());
configureFilteredSetting("xpack.security.transport.ssl.supported_protocols", randomFrom("TLSv1", "TLSv1.1", "TLSv1.2"));
configureSecureSetting("xpack.security.transport.ssl.keystore.secure_password", "testnode");
configureFilteredSetting("xpack.security.transport.ssl.keystore.algorithm", KeyManagerFactory.getDefaultAlgorithm());
configureSecureSetting("xpack.security.transport.ssl.keystore.secure_key_password", "testnode");
configureSecureSetting("xpack.security.transport.ssl.truststore.secure_password", randomAlphaOfLength(5));
configureFilteredSetting("xpack.security.transport.ssl.truststore.algorithm", TrustManagerFactory.getDefaultAlgorithm());
// client profile
configureUnfilteredSetting("transport.profiles.client.port", "9500-9600");

View File

@ -16,22 +16,6 @@ public class FIPS140JKSKeystoreBootstrapCheckTests extends AbstractBootstrapChec
assertFalse(new FIPS140JKSKeystoreBootstrapCheck().check(createTestContext(settings.build(), null)).isFailure());
}
public void testSSLKeystoreTypeIsNotAllowed() {
final Settings.Builder settings = Settings.builder()
.put("xpack.security.fips_mode.enabled", "true")
.put("xpack.ssl.keystore.path", "/this/is/the/path")
.put("xpack.ssl.keystore.type", "JKS");
assertTrue(new FIPS140JKSKeystoreBootstrapCheck().check(createTestContext(settings.build(), null)).isFailure());
}
public void testSSLImplicitKeystoreTypeIsNotAllowed() {
final Settings.Builder settings = Settings.builder()
.put("xpack.security.fips_mode.enabled", "true")
.put("xpack.ssl.keystore.path", "/this/is/the/path")
.put("xpack.ssl.keystore.type", "JKS");
assertTrue(new FIPS140JKSKeystoreBootstrapCheck().check(createTestContext(settings.build(), null)).isFailure());
}
public void testTransportSSLKeystoreTypeIsNotAllowed() {
final Settings.Builder settings = Settings.builder()
.put("xpack.security.fips_mode.enabled", "true")

View File

@ -36,15 +36,9 @@ public class PkiRealmBootstrapCheckTests extends AbstractBootstrapCheckTestCase
.build();
assertFalse(runCheck(settings, env).isFailure());
// disable client auth default
settings = Settings.builder().put(settings)
.put("xpack.ssl.client_authentication", "none")
.build();
env = TestEnvironment.newEnvironment(settings);
assertTrue(runCheck(settings, env).isFailure());
// enable ssl for http
settings = Settings.builder().put(settings)
.put("xpack.security.transport.ssl.enabled", false)
.put("xpack.security.http.ssl.enabled", true)
.build();
env = TestEnvironment.newEnvironment(settings);
@ -73,6 +67,7 @@ public class PkiRealmBootstrapCheckTests extends AbstractBootstrapCheckTestCase
// test with transport profile
settings = Settings.builder().put(settings)
.put("xpack.security.transport.ssl.enabled", true)
.put("xpack.security.transport.client_authentication", "none")
.put("transport.profiles.foo.xpack.security.ssl.client_authentication", randomFrom("required", "optional"))
.build();
@ -87,7 +82,7 @@ public class PkiRealmBootstrapCheckTests extends AbstractBootstrapCheckTestCase
public void testBootstrapCheckWithDisabledRealm() throws Exception {
Settings settings = Settings.builder()
.put("xpack.security.authc.realms.pki.test_pki.enabled", false)
.put("xpack.ssl.client_authentication", "none")
.put("xpack.security.transport.ssl.client_authentication", "none")
.put("path.home", createTempDir())
.build();
Environment env = TestEnvironment.newEnvironment(settings);

View File

@ -246,7 +246,7 @@ public class IndexAuditTrailTests extends SecurityIntegTestCase {
SecuritySettingsSourceField.TEST_PASSWORD);
if (remoteUseSSL) {
cluster2SettingsSource.addClientSSLSettings(builder, "xpack.security.audit.index.client.");
cluster2SettingsSource.addClientSSLSettings(builder, "xpack.security.audit.index.client.xpack.security.transport.");
builder.put("xpack.security.audit.index.client.xpack.security.transport.ssl.enabled", true);
}
if (useSecurity == false && builder.get(NetworkModule.TRANSPORT_TYPE_KEY) == null) {

View File

@ -111,7 +111,7 @@ public class RemoteIndexAuditTrailStartingTests extends SecurityIntegTestCase {
.put("xpack.security.audit.index.settings.index.number_of_shards", 1)
.put("xpack.security.audit.index.settings.index.number_of_replicas", 0);
addClientSSLSettings(builder, "xpack.security.audit.index.client.");
addClientSSLSettings(builder, "xpack.security.audit.index.client.xpack.security.transport.");
builder.put("xpack.security.audit.index.client.xpack.security.transport.ssl.enabled", sslEnabled);
return builder.build();
}

View File

@ -13,7 +13,6 @@ import org.elasticsearch.common.bytes.BytesArray;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.env.Environment;
import org.elasticsearch.test.NativeRealmIntegTestCase;
import org.elasticsearch.test.SecuritySettingsSource;
import org.elasticsearch.common.CharArrays;
import org.elasticsearch.xpack.core.security.client.SecurityClient;
import org.elasticsearch.xpack.security.support.SecurityIndexManager;
@ -21,10 +20,12 @@ import org.junit.BeforeClass;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForNodePEMFiles;
import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForPEMFiles;
import static org.hamcrest.Matchers.containsString;
import static org.hamcrest.Matchers.is;
@ -49,11 +50,11 @@ public class ESNativeMigrateToolTests extends NativeRealmIntegTestCase {
@Override
public Settings nodeSettings(int nodeOrdinal) {
logger.info("--> use SSL? {}", useSSL);
Settings s = Settings.builder()
.put(super.nodeSettings(nodeOrdinal))
.put("xpack.security.http.ssl.enabled", useSSL)
.build();
return s;
Settings.Builder builder = Settings.builder()
.put(super.nodeSettings(nodeOrdinal));
addSSLSettingsForNodePEMFiles(builder, "xpack.security.http.", true);
builder.put("xpack.security.http.ssl.enabled", useSSL);
return builder.build();
}
@Override
@ -77,7 +78,7 @@ public class ESNativeMigrateToolTests extends NativeRealmIntegTestCase {
SecurityClient c = new SecurityClient(client());
logger.error("--> creating users");
int numToAdd = randomIntBetween(1,10);
Set<String> addedUsers = new HashSet(numToAdd);
Set<String> addedUsers = new HashSet<>(numToAdd);
for (int i = 0; i < numToAdd; i++) {
String uname = randomAlphaOfLength(5);
c.preparePutUser(uname, "s3kirt".toCharArray(), getFastStoredHashAlgoForTests(), "role1", "user").get();
@ -94,13 +95,15 @@ public class ESNativeMigrateToolTests extends NativeRealmIntegTestCase {
Settings.Builder builder = Settings.builder()
.put("path.home", home)
.put("path.conf", conf.toString());
SecuritySettingsSource.addSSLSettingsForPEMFiles(
.put("path.conf", conf.toString())
.put("xpack.security.http.ssl.client_authentication", "none");
addSSLSettingsForPEMFiles(
builder,
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem",
"testnode",
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt",
Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"));
"xpack.security.http.",
Collections.singletonList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"));
Settings settings = builder.build();
logger.error("--> retrieving users using URL: {}, home: {}", url, home);
@ -140,12 +143,15 @@ public class ESNativeMigrateToolTests extends NativeRealmIntegTestCase {
String password = new String(CharArrays.toUtf8Bytes(nodeClientPassword().getChars()), StandardCharsets.UTF_8);
String url = getHttpURL();
ESNativeRealmMigrateTool.MigrateUserOrRoles muor = new ESNativeRealmMigrateTool.MigrateUserOrRoles();
Settings.Builder builder = Settings.builder().put("path.home", home);
SecuritySettingsSource.addSSLSettingsForPEMFiles(builder,
Settings.Builder builder = Settings.builder()
.put("path.home", home)
.put("xpack.security.http.ssl.client_authentication", "none");
addSSLSettingsForPEMFiles(builder,
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.pem",
"testclient",
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt",
Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"));
"xpack.security.http.",
Collections.singletonList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"));
Settings settings = builder.build();
logger.error("--> retrieving roles using URL: {}, home: {}", url, home);

View File

@ -44,29 +44,16 @@ public class CommandLineHttpClientTests extends ESTestCase {
}
@After
public void shutdown() throws Exception {
public void shutdown() {
webServer.close();
}
public void testCommandLineHttpClientCanExecuteAndReturnCorrectResultUsingSSLSettings() throws Exception {
Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt");
MockSecureSettings secureSettings = new MockSecureSettings();
Settings settings;
if (randomBoolean()) {
// with http ssl settings
secureSettings.setString("xpack.security.http.ssl.truststore.secure_password", "testnode");
settings = Settings.builder().put("xpack.security.http.ssl.certificate_authorities", certPath.toString())
.put("xpack.security.http.ssl.verification_mode", VerificationMode.CERTIFICATE).setSecureSettings(secureSettings)
.build();
} else {
// with global settings
secureSettings.setString("xpack.ssl.truststore.secure_password", "testnode");
settings = Settings.builder()
.put("xpack.ssl.certificate_authorities", certPath.toString())
.put("xpack.ssl.verification_mode", VerificationMode.CERTIFICATE)
.setSecureSettings(secureSettings)
.build();
}
Settings settings = Settings.builder()
.put("xpack.security.http.ssl.certificate_authorities", certPath.toString())
.put("xpack.security.http.ssl.verification_mode", VerificationMode.CERTIFICATE)
.build();
CommandLineHttpClient client = new CommandLineHttpClient(settings, environment);
HttpResponse httpResponse = client.execute("GET", new URL("https://localhost:" + webServer.getPort() + "/test"), "u1",
new SecureString(new char[]{'p'}), () -> null, is -> responseBuilder(is));
@ -80,14 +67,14 @@ public class CommandLineHttpClientTests extends ESTestCase {
Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt");
Path keyPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem");
MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode");
Settings settings = Settings.builder()
.put("xpack.ssl.key", keyPath.toString())
.put("xpack.ssl.certificate", certPath.toString())
.put("xpack.security.http.ssl.key", keyPath.toString())
.put("xpack.security.http.ssl.certificate", certPath.toString())
.setSecureSettings(secureSettings)
.build();
TestsSSLService sslService = new TestsSSLService(settings, environment);
return new MockWebServer(sslService.sslContext(), false);
return new MockWebServer(sslService.sslContext("xpack.security.http.ssl."), false);
}
private HttpResponseBuilder responseBuilder(final InputStream is) throws IOException {

View File

@ -13,7 +13,6 @@ import org.elasticsearch.common.settings.MockSecureSettings;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.env.Environment;
import org.elasticsearch.env.TestEnvironment;
import org.elasticsearch.test.ESTestCase;
import org.elasticsearch.xpack.core.security.authc.ldap.support.SessionFactorySettings;
import org.elasticsearch.xpack.core.ssl.SSLConfiguration;
import org.elasticsearch.xpack.core.ssl.SSLService;
@ -29,26 +28,16 @@ public class LdapTestUtils {
}
public static LDAPConnection openConnection(String url, String bindDN, String bindPassword, Path truststore) throws Exception {
boolean useGlobalSSL = ESTestCase.randomBoolean();
Settings.Builder builder = Settings.builder().put("path.home", LuceneTestCase.createTempDir());
MockSecureSettings secureSettings = new MockSecureSettings();
builder.setSecureSettings(secureSettings);
if (useGlobalSSL) {
builder.put("xpack.ssl.truststore.path", truststore);
// fake realm to load config with certificate verification mode
builder.put("xpack.security.authc.realms.ldap.bar.ssl.truststore.path", truststore);
builder.put("xpack.security.authc.realms.ldap.bar.ssl.verification_mode", VerificationMode.CERTIFICATE);
secureSettings.setString("xpack.ssl.truststore.secure_password", "changeit");
secureSettings.setString("xpack.security.authc.realms.ldap.bar.ssl.truststore.secure_password", "changeit");
} else {
// fake realms so ssl will get loaded
builder.put("xpack.security.authc.realms.ldap.foo.ssl.truststore.path", truststore);
builder.put("xpack.security.authc.realms.ldap.foo.ssl.verification_mode", VerificationMode.FULL);
builder.put("xpack.security.authc.realms.ldap.bar.ssl.truststore.path", truststore);
builder.put("xpack.security.authc.realms.ldap.bar.ssl.verification_mode", VerificationMode.CERTIFICATE);
secureSettings.setString("xpack.security.authc.realms.ldap.foo.ssl.truststore.secure_password", "changeit");
secureSettings.setString("xpack.security.authc.realms.ldap.bar.ssl.truststore.secure_password", "changeit");
}
// fake realms so ssl will get loaded
builder.put("xpack.security.authc.realms.ldap.foo.ssl.truststore.path", truststore);
builder.put("xpack.security.authc.realms.ldap.foo.ssl.verification_mode", VerificationMode.FULL);
builder.put("xpack.security.authc.realms.ldap.bar.ssl.truststore.path", truststore);
builder.put("xpack.security.authc.realms.ldap.bar.ssl.verification_mode", VerificationMode.CERTIFICATE);
secureSettings.setString("xpack.security.authc.realms.ldap.foo.ssl.truststore.secure_password", "changeit");
secureSettings.setString("xpack.security.authc.realms.ldap.bar.ssl.truststore.secure_password", "changeit");
Settings settings = builder.build();
Environment env = TestEnvironment.newEnvironment(settings);
SSLService sslService = new SSLService(settings, env);
@ -60,12 +49,7 @@ public class LdapTestUtils {
options.setConnectTimeoutMillis(Math.toIntExact(SessionFactorySettings.TIMEOUT_DEFAULT.millis()));
options.setResponseTimeoutMillis(SessionFactorySettings.TIMEOUT_DEFAULT.millis());
final SSLConfiguration sslConfiguration;
if (useGlobalSSL) {
sslConfiguration = sslService.getSSLConfiguration("xpack.ssl");
} else {
sslConfiguration = sslService.getSSLConfiguration("xpack.security.authc.realms.ldap.foo.ssl");
}
final SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.security.authc.realms.ldap.foo.ssl");
return LdapUtils.privilegedConnect(() -> new LDAPConnection(sslService.sslSocketFactory(sslConfiguration), options,
ldapurl.getHost(), ldapurl.getPort(), bindDN, bindPassword));
}

View File

@ -65,7 +65,7 @@ public class LdapUserSearchSessionFactoryTests extends LdapTestCase {
globalSettings = Settings.builder()
.put("path.home", createTempDir())
.put("xpack.ssl.certificate_authorities", certPath)
.put("xpack.security.transport.ssl.certificate_authorities", certPath)
.build();
sslService = new SSLService(globalSettings, env);
threadPool = new TestThreadPool("LdapUserSearchSessionFactoryTests");

View File

@ -18,7 +18,6 @@ import org.elasticsearch.common.network.NetworkAddress;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.http.HttpServerTransport;
import org.elasticsearch.test.SecuritySettingsSource;
import org.elasticsearch.test.SecuritySingleNodeTestCase;
import org.elasticsearch.transport.Transport;
import org.elasticsearch.xpack.core.TestXPackTransportClient;
@ -41,6 +40,7 @@ import java.util.List;
import java.util.Locale;
import java.util.stream.Collectors;
import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForNodePEMFiles;
import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForPEMFiles;
import static org.hamcrest.Matchers.containsString;
import static org.hamcrest.Matchers.is;
@ -60,17 +60,15 @@ public class PkiAuthenticationTests extends SecuritySingleNodeTestCase {
SSLClientAuth sslClientAuth = randomBoolean() ? SSLClientAuth.REQUIRED : SSLClientAuth.OPTIONAL;
Settings.Builder builder = Settings.builder()
.put(super.nodeSettings())
.put("xpack.security.http.ssl.enabled", true)
.put(super.nodeSettings());
addSSLSettingsForNodePEMFiles(builder, "xpack.security.http.", true);
builder.put("xpack.security.http.ssl.enabled", true)
.put("xpack.security.http.ssl.client_authentication", sslClientAuth)
.put("xpack.security.authc.realms.file.file.order", "0")
.put("xpack.security.authc.realms.pki.pki1.order", "1")
.put("xpack.security.authc.realms.pki.pki1.certificate_authorities",
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"))
.put("xpack.security.authc.realms.pki.pki1.files.role_mapping", getDataPath("role_mapping.yml"));
SecuritySettingsSource.addSecureSettings(builder, secureSettings ->
secureSettings.setString("xpack.security.authc.realms.pki.pki1.truststore.secure_password", "truststore-testnode-only"));
return builder.build();
}
@ -158,13 +156,15 @@ public class PkiAuthenticationTests extends SecuritySingleNodeTestCase {
private TransportClient createTransportClient(Settings additionalSettings) {
Settings clientSettings = transportClientSettings();
if (additionalSettings.getByPrefix("xpack.ssl.").isEmpty() == false) {
clientSettings = clientSettings.filter(k -> k.startsWith("xpack.ssl.") == false);
if (additionalSettings.getByPrefix("xpack.security.transport.ssl.").isEmpty() == false) {
clientSettings = clientSettings.filter(k -> k.startsWith("xpack.security.transport.ssl.") == false);
}
Settings.Builder builder = Settings.builder().put(clientSettings, false)
.put(additionalSettings)
.put("cluster.name", node().settings().get("cluster.name"));
Settings.Builder builder = Settings.builder()
.put("xpack.security.transport.ssl.enabled", true)
.put(clientSettings, false)
.put(additionalSettings)
.put("cluster.name", node().settings().get("cluster.name"));
builder.remove(SecurityField.USER_SETTING.getKey());
builder.remove("request.headers.Authorization");
return new TestXPackTransportClient(builder.build(), LocalStateSecurity.class);

View File

@ -52,6 +52,9 @@ public class PkiOptionalClientAuthTests extends SecuritySingleNodeTestCase {
.put(super.nodeSettings())
.put("xpack.security.http.ssl.enabled", true)
.put("xpack.security.http.ssl.client_authentication", SSLClientAuth.OPTIONAL)
.put("xpack.security.http.ssl.keystore.path",
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"))
.put("xpack.security.http.ssl.keystore.password", "testnode")
.put("xpack.security.authc.realms.file.file.order", "0")
.put("xpack.security.authc.realms.pki.pki1.order", "1")
.put("xpack.security.authc.realms.pki.pki1.truststore.path",
@ -59,10 +62,15 @@ public class PkiOptionalClientAuthTests extends SecuritySingleNodeTestCase {
.put("xpack.security.authc.realms.pki.pki1.files.role_mapping", getDataPath("role_mapping.yml"))
.put("transport.profiles.want_client_auth.port", randomClientPortRange)
.put("transport.profiles.want_client_auth.bind_host", "localhost")
.put("transport.profiles.want_client_auth.xpack.security.ssl.keystore.path",
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"))
.put("transport.profiles.want_client_auth.xpack.security.ssl.keystore.password", "testnode")
.put("transport.profiles.want_client_auth.xpack.security.ssl.client_authentication", SSLClientAuth.OPTIONAL);
SecuritySettingsSource.addSecureSettings(builder, secureSettings ->
secureSettings.setString("xpack.security.authc.realms.pki.pki1.truststore.secure_password", "truststore-testnode-only"));
SecuritySettingsSource.addSecureSettings(builder, secureSettings -> {
secureSettings.setString("xpack.security.authc.realms.pki.pki1.truststore.secure_password", "truststore-testnode-only");
secureSettings.setString("xpack.security.http.ssl.keystore.secure_password", "testnode");
});
return builder.build();
}

View File

@ -123,19 +123,20 @@ public class SamlRealmTests extends SamlTestCase {
final Path path = getDataPath("idp1.xml");
final String body = new String(Files.readAllBytes(path), StandardCharsets.UTF_8);
final MockSecureSettings mockSecureSettings = new MockSecureSettings();
mockSecureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
mockSecureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode");
final Settings settings = Settings.builder()
.put("xpack.ssl.key",
.put("xpack.security.http.ssl.key",
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem"))
.put("xpack.ssl.certificate",
.put("xpack.security.http.ssl.certificate",
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"))
.put("xpack.ssl.certificate_authorities",
.put("xpack.security.http.ssl.certificate_authorities",
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"))
.put("path.home", createTempDir())
.setSecureSettings(mockSecureSettings)
.build();
TestsSSLService sslService = new TestsSSLService(settings, TestEnvironment.newEnvironment(settings));
try (MockWebServer proxyServer = new MockWebServer(sslService.sslContext(Settings.EMPTY), false)) {
try (MockWebServer proxyServer =
new MockWebServer(sslService.sslContext("xpack.security.http.ssl"), false)) {
proxyServer.start();
proxyServer.enqueue(new MockResponse().setResponseCode(200).setBody(body).addHeader("Content-Type", "application/xml"));
proxyServer.enqueue(new MockResponse().setResponseCode(200).setBody(body).addHeader("Content-Type", "application/xml"));

View File

@ -82,11 +82,11 @@ public abstract class AbstractSimpleSecurityTransportTestCase extends AbstractSi
Path testnodeCert = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt");
Path testnodeKey = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem");
MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
Settings settings1 = Settings.builder()
.put("xpack.security.transport.ssl.enabled", true)
.put("xpack.ssl.key", testnodeKey)
.put("xpack.ssl.certificate", testnodeCert)
.put("xpack.security.transport.ssl.key", testnodeKey)
.put("xpack.security.transport.ssl.certificate", testnodeCert)
.put("path.home", createTempDir())
.put(settings)
.setSecureSettings(secureSettings)
@ -153,7 +153,7 @@ public abstract class AbstractSimpleSecurityTransportTestCase extends AbstractSi
@SuppressForbidden(reason = "Need to open socket connection")
public void testRenegotiation() throws Exception {
SSLService sslService = createSSLService();
final SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.ssl");
final SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
SocketFactory factory = sslService.sslSocketFactory(sslConfiguration);
try (SSLSocket socket = (SSLSocket) factory.createSocket()) {
SocketAccess.doPrivileged(() -> socket.connect(serviceA.boundAddress().publishAddress().address()));
@ -205,7 +205,7 @@ public abstract class AbstractSimpleSecurityTransportTestCase extends AbstractSi
assumeFalse("Can't run in a FIPS JVM, TrustAllConfig is not a SunJSSE TrustManagers", inFipsJvm());
SSLService sslService = createSSLService();
final SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.ssl");
final SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
SSLContext sslContext = sslService.sslContext(sslConfiguration);
final SSLServerSocketFactory serverSocketFactory = sslContext.getServerSocketFactory();
final String sniIp = "sni-hostname";
@ -245,7 +245,9 @@ public abstract class AbstractSimpleSecurityTransportTestCase extends AbstractSi
InetSocketAddress serverAddress = (InetSocketAddress) SocketAccess.doPrivileged(sslServerSocket::getLocalSocketAddress);
Settings settings = Settings.builder().put("name", "TS_TEST").put("xpack.ssl.verification_mode", "none").build();
Settings settings = Settings.builder().put("name", "TS_TEST")
.put("xpack.security.transport.ssl.verification_mode", "none")
.build();
try (MockTransportService serviceC = build(settings, version0, null, true)) {
serviceC.acceptIncomingRequests();
@ -271,7 +273,7 @@ public abstract class AbstractSimpleSecurityTransportTestCase extends AbstractSi
assumeFalse("Can't run in a FIPS JVM, TrustAllConfig is not a SunJSSE TrustManagers", inFipsJvm());
SSLService sslService = createSSLService();
final SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.ssl");
final SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
SSLContext sslContext = sslService.sslContext(sslConfiguration);
final SSLServerSocketFactory serverSocketFactory = sslContext.getServerSocketFactory();
final String sniIp = "invalid_hostname";
@ -290,7 +292,9 @@ public abstract class AbstractSimpleSecurityTransportTestCase extends AbstractSi
InetSocketAddress serverAddress = (InetSocketAddress) SocketAccess.doPrivileged(sslServerSocket::getLocalSocketAddress);
Settings settings = Settings.builder().put("name", "TS_TEST").put("xpack.ssl.verification_mode", "none").build();
Settings settings = Settings.builder().put("name", "TS_TEST")
.put("xpack.security.transport.ssl.verification_mode", "none")
.build();
try (MockTransportService serviceC = build(settings, version0, null, true)) {
serviceC.acceptIncomingRequests();

View File

@ -32,7 +32,6 @@ import org.elasticsearch.transport.TransportResponseHandler;
import org.elasticsearch.transport.TransportService;
import org.elasticsearch.xpack.core.XPackSettings;
import org.elasticsearch.xpack.core.security.SecurityField;
import org.elasticsearch.xpack.core.ssl.SSLClientAuth;
import org.elasticsearch.xpack.security.LocalStateSecurity;
import org.junit.BeforeClass;
@ -41,8 +40,10 @@ import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.concurrent.CountDownLatch;
import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForNodePEMFiles;
import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForPEMFiles;
import static org.elasticsearch.xpack.security.test.SecurityTestUtils.writeFile;
import static org.hamcrest.CoreMatchers.equalTo;
@ -63,13 +64,12 @@ public class ServerTransportFilterIntegrationTests extends SecurityIntegTestCase
@Override
protected Settings nodeSettings(int nodeOrdinal) {
Settings.Builder settingsBuilder = Settings.builder();
Settings.Builder settingsBuilder = Settings.builder().put(super.nodeSettings(nodeOrdinal));
String randomClientPortRange = randomClientPort + "-" + (randomClientPort+100);
addSSLSettingsForNodePEMFiles(settingsBuilder, "transport.profiles.client.xpack.security.", true);
Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt");
settingsBuilder.put(super.nodeSettings(nodeOrdinal))
.putList("transport.profiles.client.xpack.security.ssl.certificate_authorities",
Arrays.asList(certPath.toString())) // settings for client truststore
.put("xpack.ssl.client_authentication", SSLClientAuth.REQUIRED)
settingsBuilder.putList("transport.profiles.client.xpack.security.ssl.certificate_authorities",
Collections.singletonList(certPath.toString())) // settings for client truststore
.put("transport.profiles.client.xpack.security.type", "client")
.put("transport.profiles.client.port", randomClientPortRange)
// make sure this is "localhost", no matter if ipv4 or ipv6, but be consistent
@ -82,7 +82,7 @@ public class ServerTransportFilterIntegrationTests extends SecurityIntegTestCase
}
SecuritySettingsSource.addSecureSettings(settingsBuilder, secureSettings ->
secureSettings.setString("transport.profiles.client.xpack.security.ssl.truststore.secure_password", "testnode"));
secureSettings.setString("transport.profiles.client.xpack.security.ssl.keystore.secure_password", "testnode"));
return settingsBuilder.build();
}
@ -97,20 +97,20 @@ public class ServerTransportFilterIntegrationTests extends SecurityIntegTestCase
// test that starting up a node works
Settings.Builder nodeSettings = Settings.builder()
.put("node.name", "my-test-node")
.put("network.host", "localhost")
.put("cluster.name", internalCluster().getClusterName())
.put("discovery.zen.ping.unicast.hosts", unicastHost)
.put("discovery.zen.minimum_master_nodes",
internalCluster().getInstance(Settings.class).get("discovery.zen.minimum_master_nodes"))
.put("xpack.security.enabled", true)
.put("xpack.security.audit.enabled", false)
.put(XPackSettings.WATCHER_ENABLED.getKey(), false)
.put("path.home", home)
.put(Node.NODE_MASTER_SETTING.getKey(), false)
.put(TestZenDiscovery.USE_ZEN2.getKey(), getUseZen2())
.put(TestZenDiscovery.USE_MOCK_PINGS.getKey(), false);
//.put("xpack.ml.autodetect_process", false);
.put("node.name", "my-test-node")
.put("network.host", "localhost")
.put("cluster.name", internalCluster().getClusterName())
.put("discovery.zen.ping.unicast.hosts", unicastHost)
.put("discovery.zen.minimum_master_nodes",
internalCluster().getInstance(Settings.class).get("discovery.zen.minimum_master_nodes"))
.put("xpack.security.enabled", true)
.put("xpack.security.audit.enabled", false)
.put("xpack.security.transport.ssl.enabled", true)
.put(XPackSettings.WATCHER_ENABLED.getKey(), false)
.put("path.home", home)
.put(Node.NODE_MASTER_SETTING.getKey(), false)
.put(TestZenDiscovery.USE_ZEN2.getKey(), getUseZen2())
.put(TestZenDiscovery.USE_MOCK_PINGS.getKey(), false);
Collection<Class<? extends Plugin>> mockPlugins = Arrays.asList(
LocalStateSecurity.class, TestZenDiscovery.TestPlugin.class, MockHttpTransport.TestPlugin.class);
addSSLSettingsForPEMFiles(
@ -139,22 +139,22 @@ public class ServerTransportFilterIntegrationTests extends SecurityIntegTestCase
// test that starting up a node works
Settings.Builder nodeSettings = Settings.builder()
.put("xpack.security.authc.realms.file.file.order", 0)
.put("node.name", "my-test-node")
.put(SecurityField.USER_SETTING.getKey(), "test_user:" + SecuritySettingsSourceField.TEST_PASSWORD)
.put("cluster.name", internalCluster().getClusterName())
.put("discovery.zen.ping.unicast.hosts", unicastHost)
.put("discovery.zen.minimum_master_nodes",
internalCluster().getInstance(Settings.class).get("discovery.zen.minimum_master_nodes"))
.put("xpack.security.enabled", true)
.put("xpack.security.audit.enabled", false)
.put(XPackSettings.WATCHER_ENABLED.getKey(), false)
.put("discovery.initial_state_timeout", "0s")
.put("path.home", home)
.put(Node.NODE_MASTER_SETTING.getKey(), false)
.put(TestZenDiscovery.USE_ZEN2.getKey(), getUseZen2())
.put(TestZenDiscovery.USE_MOCK_PINGS.getKey(), false);
//.put("xpack.ml.autodetect_process", false);
.put("xpack.security.authc.realms.file.file.order", 0)
.put("node.name", "my-test-node")
.put(SecurityField.USER_SETTING.getKey(), "test_user:" + SecuritySettingsSourceField.TEST_PASSWORD)
.put("cluster.name", internalCluster().getClusterName())
.put("discovery.zen.ping.unicast.hosts", unicastHost)
.put("discovery.zen.minimum_master_nodes",
internalCluster().getInstance(Settings.class).get("discovery.zen.minimum_master_nodes"))
.put("xpack.security.enabled", true)
.put("xpack.security.audit.enabled", false)
.put("xpack.security.transport.ssl.enabled", true)
.put(XPackSettings.WATCHER_ENABLED.getKey(), false)
.put("discovery.initial_state_timeout", "0s")
.put("path.home", home)
.put(Node.NODE_MASTER_SETTING.getKey(), false)
.put(TestZenDiscovery.USE_ZEN2.getKey(), getUseZen2())
.put(TestZenDiscovery.USE_MOCK_PINGS.getKey(), false);
Collection<Class<? extends Plugin>> mockPlugins = Arrays.asList(
LocalStateSecurity.class, TestZenDiscovery.TestPlugin.class, MockHttpTransport.TestPlugin.class);
addSSLSettingsForPEMFiles(
@ -162,7 +162,7 @@ public class ServerTransportFilterIntegrationTests extends SecurityIntegTestCase
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem",
"testnode",
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt",
Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"));
Collections.singletonList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"));
try (Node node = new MockNode(nodeSettings.build(), mockPlugins)) {
node.start();
TransportService instance = node.injector().getInstance(TransportService.class);

View File

@ -33,7 +33,7 @@ public class IPHostnameVerificationTests extends SecurityIntegTestCase {
protected Settings nodeSettings(int nodeOrdinal) {
Settings settings = super.nodeSettings(nodeOrdinal);
Settings.Builder builder = Settings.builder()
.put(settings.filter((s) -> s.startsWith("xpack.ssl.") == false), false);
.put(settings.filter((s) -> s.startsWith("xpack.security.transport.ssl.") == false), false);
settings = builder.build();
// The default Unicast test behavior is to use 'localhost' with the port number. For this test we need to use IP
@ -56,27 +56,27 @@ public class IPHostnameVerificationTests extends SecurityIntegTestCase {
}
SecuritySettingsSource.addSecureSettings(settingsBuilder, secureSettings -> {
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode-ip-only");
secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode-ip-only");
});
return settingsBuilder.put("xpack.ssl.key", keyPath.toAbsolutePath())
.put("xpack.ssl.certificate", certPath.toAbsolutePath())
.put("xpack.ssl.certificate_authorities", certPath.toAbsolutePath())
return settingsBuilder.put("xpack.security.transport.ssl.key", keyPath.toAbsolutePath())
.put("xpack.security.transport.ssl.certificate", certPath.toAbsolutePath())
.put("xpack.security.transport.ssl.certificate_authorities", certPath.toAbsolutePath())
.put(TransportSettings.BIND_HOST.getKey(), "127.0.0.1")
.put("network.host", "127.0.0.1")
.put("xpack.ssl.client_authentication", SSLClientAuth.NONE)
.put("xpack.ssl.verification_mode", "full")
.put("xpack.security.transport.ssl.client_authentication", SSLClientAuth.NONE)
.put("xpack.security.transport.ssl.verification_mode", "full")
.build();
}
@Override
protected Settings transportClientSettings() {
Settings clientSettings = super.transportClientSettings();
return Settings.builder().put(clientSettings.filter(k -> k.startsWith("xpack.ssl.") == false))
.put("xpack.ssl.verification_mode", "certificate")
.put("xpack.ssl.key", keyPath.toAbsolutePath())
.put("xpack.ssl.certificate", certPath.toAbsolutePath())
.put("xpack.ssl.key_passphrase", "testnode-ip-only")
.put("xpack.ssl.certificate_authorities", certPath)
return Settings.builder().put(clientSettings.filter(k -> k.startsWith("xpack.security.transport.ssl.") == false))
.put("xpack.security.transport.ssl.verification_mode", "certificate")
.put("xpack.security.transport.ssl.key", keyPath.toAbsolutePath())
.put("xpack.security.transport.ssl.certificate", certPath.toAbsolutePath())
.put("xpack.security.transport.ssl.key_passphrase", "testnode-ip-only")
.put("xpack.security.transport.ssl.certificate_authorities", certPath)
.build();
}

View File

@ -42,15 +42,15 @@ public class SecurityNetty4HttpServerTransportTests extends ESTestCase {
private Path testnodeCert;
private Path testnodeKey;
@Before
public void createSSLService() throws Exception {
public void createSSLService() {
testnodeCert = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt");
testnodeKey = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem");
MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode");
Settings settings = Settings.builder()
.put("xpack.ssl.key", testnodeKey)
.put("xpack.ssl.certificate", testnodeCert)
.put("xpack.security.http.ssl.key", testnodeKey)
.put("xpack.security.http.ssl.certificate", testnodeCert)
.put("path.home", createTempDir())
.setSecureSettings(secureSettings)
.build();
@ -149,7 +149,7 @@ public class SecurityNetty4HttpServerTransportTests extends ESTestCase {
public void testThatExceptionIsThrownWhenConfiguredWithoutSslKey() throws Exception {
Settings settings = Settings.builder()
.put("xpack.ssl.certificate_authorities", testnodeCert)
.put("xpack.security.http.ssl.certificate_authorities", testnodeCert)
.put(XPackSettings.HTTP_SSL_ENABLED.getKey(), true)
.put("path.home", createTempDir())
.build();
@ -163,10 +163,10 @@ public class SecurityNetty4HttpServerTransportTests extends ESTestCase {
public void testNoExceptionWhenConfiguredWithoutSslKeySSLDisabled() throws Exception {
MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode");
Settings settings = Settings.builder()
.put("xpack.ssl.key", testnodeKey)
.put("xpack.ssl.certificate", testnodeCert)
.put("xpack.security.http.ssl.key", testnodeKey)
.put("xpack.security.http.ssl.certificate", testnodeCert)
.setSecureSettings(secureSettings)
.put("path.home", createTempDir())
.build();

View File

@ -21,11 +21,9 @@ import org.elasticsearch.test.ESTestCase;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.xpack.core.security.transport.netty4.SecurityNetty4Transport;
import org.elasticsearch.xpack.core.ssl.SSLClientAuth;
import org.elasticsearch.xpack.core.ssl.SSLConfiguration;
import org.elasticsearch.xpack.core.ssl.SSLService;
import org.junit.Before;
import javax.net.ssl.SSLEngine;
import java.nio.file.Path;
import java.util.Collections;
import java.util.Locale;
@ -44,11 +42,11 @@ public class SecurityNetty4ServerTransportTests extends ESTestCase {
Path testnodeCert = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt");
Path testnodeKey = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem");
MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
Settings settings = Settings.builder()
.put("xpack.security.transport.ssl.enabled", true)
.put("xpack.ssl.key", testnodeKey)
.put("xpack.ssl.certificate", testnodeCert)
.put("xpack.security.transport.ssl.key", testnodeKey)
.put("xpack.security.transport.ssl.certificate", testnodeCert)
.setSecureSettings(secureSettings)
.put("path.home", createTempDir())
.build();
@ -97,7 +95,7 @@ public class SecurityNetty4ServerTransportTests extends ESTestCase {
String value = randomFrom(SSLClientAuth.REQUIRED.name(), SSLClientAuth.REQUIRED.name().toLowerCase(Locale.ROOT));
Settings settings = Settings.builder()
.put(env.settings())
.put("xpack.ssl.client_authentication", value)
.put("xpack.security.transport.ssl.client_authentication", value)
.build();
sslService = new SSLService(settings, env);
SecurityNetty4Transport transport = createTransport(settings);
@ -111,7 +109,7 @@ public class SecurityNetty4ServerTransportTests extends ESTestCase {
String value = randomFrom(SSLClientAuth.NONE.name(), SSLClientAuth.NONE.name().toLowerCase(Locale.ROOT));
Settings settings = Settings.builder()
.put(env.settings())
.put("xpack.ssl.client_authentication", value)
.put("xpack.security.transport.ssl.client_authentication", value)
.build();
sslService = new SSLService(settings, env);
SecurityNetty4Transport transport = createTransport(settings);
@ -125,7 +123,7 @@ public class SecurityNetty4ServerTransportTests extends ESTestCase {
String value = randomFrom(SSLClientAuth.OPTIONAL.name(), SSLClientAuth.OPTIONAL.name().toLowerCase(Locale.ROOT));
Settings settings = Settings.builder()
.put(env.settings())
.put("xpack.ssl.client_authentication", value)
.put("xpack.security.transport.ssl.client_authentication", value)
.build();
sslService = new SSLService(settings, env);
SecurityNetty4Transport transport = createTransport(settings);
@ -179,36 +177,4 @@ public class SecurityNetty4ServerTransportTests extends ESTestCase {
assertThat(ch.pipeline().get(SslHandler.class).engine().getNeedClientAuth(), is(false));
assertThat(ch.pipeline().get(SslHandler.class).engine().getWantClientAuth(), is(true));
}
public void testTransportSSLOverridesGlobalSSL() throws Exception {
MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
Settings.Builder builder = Settings.builder()
.put("xpack.security.transport.ssl.enabled", true)
.put("xpack.security.transport.ssl.key",
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem"))
.put("xpack.security.transport.ssl.certificate",
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"))
.put("xpack.security.transport.ssl.client_authentication", "none")
.put("xpack.ssl.certificate_authorities",
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"))
.setSecureSettings(secureSettings)
.put("path.home", createTempDir());
Settings settings = builder.build();
env = TestEnvironment.newEnvironment(settings);
sslService = new SSLService(settings, env);
SecurityNetty4Transport transport = createTransport(settings);
final ChannelHandler handler = transport.getServerChannelInitializer("default");
final EmbeddedChannel ch = new EmbeddedChannel(handler);
final SSLEngine engine = ch.pipeline().get(SslHandler.class).engine();
assertFalse(engine.getNeedClientAuth());
assertFalse(engine.getWantClientAuth());
// get the global and verify that it is different in that it requires client auth
SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.ssl");
assertNotNull(configuration);
final SSLEngine globalEngine = sslService.createSSLEngine(configuration, null, -1);
assertTrue(globalEngine.getNeedClientAuth());
assertFalse(globalEngine.getWantClientAuth());
}
}

View File

@ -35,7 +35,7 @@ public class SslHostnameVerificationTests extends SecurityIntegTestCase {
protected Settings nodeSettings(int nodeOrdinal) {
Settings settings = super.nodeSettings(nodeOrdinal);
Settings.Builder settingsBuilder = Settings.builder();
settingsBuilder.put(settings.filter(k -> k.startsWith("xpack.ssl.") == false), false);
settingsBuilder.put(settings.filter(k -> k.startsWith("xpack.security.transport.ssl.") == false), false);
Path keyPath;
Path certPath;
Path nodeCertPath;
@ -58,14 +58,15 @@ public class SslHostnameVerificationTests extends SecurityIntegTestCase {
}
SecuritySettingsSource.addSecureSettings(settingsBuilder, secureSettings -> {
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode-no-subjaltname");
secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode-no-subjaltname");
});
return settingsBuilder.put("xpack.ssl.key", keyPath.toAbsolutePath())
.put("xpack.ssl.certificate", certPath.toAbsolutePath())
.putList("xpack.ssl.certificate_authorities", Arrays.asList(certPath.toString(), nodeCertPath.toString()))
// disable hostname verification as this test uses certs without a valid SAN or DNS in the CN
.put("xpack.ssl.verification_mode", "certificate")
.build();
return settingsBuilder.put("xpack.security.transport.ssl.key", keyPath.toAbsolutePath())
.put("xpack.security.transport.ssl.certificate", certPath.toAbsolutePath())
.putList("xpack.security.transport.ssl.certificate_authorities",
Arrays.asList(certPath.toString(), nodeCertPath.toString()))
// disable hostname verification as this test uses certs without a valid SAN or DNS in the CN
.put("xpack.security.transport.ssl.verification_mode", "certificate")
.build();
}
@Override
@ -89,13 +90,13 @@ public class SslHostnameVerificationTests extends SecurityIntegTestCase {
Settings settings = super.transportClientSettings();
// remove all ssl settings
Settings.Builder builder = Settings.builder();
builder.put(settings.filter( k -> k.startsWith("xpack.ssl.") == false), false);
builder.put(settings.filter(k -> k.startsWith("xpack.security.transport.ssl.") == false), false);
builder.put("xpack.ssl.verification_mode", "certificate")
.put("xpack.ssl.key", keyPath.toAbsolutePath())
.put("xpack.ssl.key_passphrase", "testnode-no-subjaltname")
.put("xpack.ssl.certificate", certPath.toAbsolutePath())
.putList("xpack.ssl.certificate_authorities", Arrays.asList(certPath.toString(), nodeCertPath.toString()));
builder.put("xpack.security.transport.ssl.verification_mode", "certificate")
.put("xpack.security.transport.ssl.key", keyPath.toAbsolutePath())
.put("xpack.security.transport.ssl.key_passphrase", "testnode-no-subjaltname")
.put("xpack.security.transport.ssl.certificate", certPath.toAbsolutePath())
.putList("xpack.security.transport.ssl.certificate_authorities", Arrays.asList(certPath.toString(), nodeCertPath.toString()));
return builder.build();
}
@ -105,7 +106,7 @@ public class SslHostnameVerificationTests extends SecurityIntegTestCase {
InetSocketAddress inetSocketAddress = transportAddress.address();
Settings settings = Settings.builder().put(transportClientSettings())
.put("xpack.ssl.verification_mode", "full")
.put("xpack.security.transport.ssl.verification_mode", "full")
.build();
try (TransportClient client = new TestXPackTransportClient(settings, LocalStateSecurity.class)) {

View File

@ -52,10 +52,10 @@ public class SecurityNioHttpServerTransportTests extends ESTestCase {
Path testNodeKey = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem");
Path testNodeCert = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt");
MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode");
Settings settings = Settings.builder()
.put("xpack.ssl.key", testNodeKey)
.put("xpack.ssl.certificate", testNodeCert)
.put("xpack.security.http.ssl.key", testNodeKey)
.put("xpack.security.http.ssl.certificate", testNodeCert)
.put("path.home", createTempDir())
.setSecureSettings(secureSettings)
.build();
@ -173,9 +173,9 @@ public class SecurityNioHttpServerTransportTests extends ESTestCase {
public void testThatExceptionIsThrownWhenConfiguredWithoutSslKey() {
MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.truststore.secure_password", "testnode");
secureSettings.setString("xpack.security.http.ssl.truststore.secure_password", "testnode");
Settings settings = Settings.builder()
.put("xpack.ssl.truststore.path",
.put("xpack.security.http.ssl.truststore.path",
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"))
.setSecureSettings(secureSettings)
.put(XPackSettings.HTTP_SSL_ENABLED.getKey(), true)
@ -193,9 +193,9 @@ public class SecurityNioHttpServerTransportTests extends ESTestCase {
public void testNoExceptionWhenConfiguredWithoutSslKeySSLDisabled() {
MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.truststore.secure_password", "testnode");
secureSettings.setString("xpack.security.http.ssl.truststore.secure_password", "testnode");
Settings settings = Settings.builder()
.put("xpack.ssl.truststore.path",
.put("xpack.security.http.ssl.truststore.path",
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"))
.setSecureSettings(secureSettings)
.put("path.home", createTempDir())

View File

@ -42,11 +42,13 @@ public class EllipticCurveSSLTests extends SecurityIntegTestCase {
final Path keyPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/prime256v1-key.pem");
final Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/prime256v1-cert.pem");
return Settings.builder()
.put(super.nodeSettings(nodeOrdinal).filter(s -> s.startsWith("xpack.ssl") == false))
.put("xpack.ssl.key", keyPath)
.put("xpack.ssl.certificate", certPath)
.put("xpack.ssl.certificate_authorities", certPath)
.put("xpack.ssl.verification_mode", "certificate") // disable hostname verificate since these certs aren't setup for that
.put(super.nodeSettings(nodeOrdinal).filter(s -> s.startsWith("xpack.security.transport.ssl") == false))
.put("xpack.security.transport.ssl.enabled", true)
.put("xpack.security.transport.ssl.key", keyPath)
.put("xpack.security.transport.ssl.certificate", certPath)
.put("xpack.security.transport.ssl.certificate_authorities", certPath)
// disable hostname verificate since these certs aren't setup for that
.put("xpack.security.transport.ssl.verification_mode", "certificate")
.build();
}
@ -55,11 +57,13 @@ public class EllipticCurveSSLTests extends SecurityIntegTestCase {
final Path keyPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/prime256v1-key.pem");
final Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/prime256v1-cert.pem");
return Settings.builder()
.put(super.transportClientSettings().filter(s -> s.startsWith("xpack.ssl") == false))
.put("xpack.ssl.key", keyPath)
.put("xpack.ssl.certificate", certPath)
.put("xpack.ssl.certificate_authorities", certPath)
.put("xpack.ssl.verification_mode", "certificate") // disable hostname verification since these certs aren't setup for that
.put(super.transportClientSettings().filter(s -> s.startsWith("xpack.security.transport.ssl") == false))
.put("xpack.security.transport.ssl.enabled", true)
.put("xpack.security.transport.ssl.key", keyPath)
.put("xpack.security.transport.ssl.certificate", certPath)
.put("xpack.security.transport.ssl.certificate_authorities", certPath)
// disable hostname verificate since these certs aren't setup for that
.put("xpack.security.transport.ssl.verification_mode", "certificate")
.build();
}

View File

@ -48,6 +48,7 @@ import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;
import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForNodePEMFiles;
import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForPEMFiles;
import static org.hamcrest.CoreMatchers.is;
import static org.hamcrest.Matchers.containsString;
@ -61,8 +62,9 @@ public class SslIntegrationTests extends SecurityIntegTestCase {
@Override
protected Settings nodeSettings(int nodeOrdinal) {
return Settings.builder().put(super.nodeSettings(nodeOrdinal))
.put("xpack.security.http.ssl.enabled", true).build();
final Settings.Builder builder = Settings.builder().put(super.nodeSettings(nodeOrdinal));
addSSLSettingsForNodePEMFiles(builder, "xpack.security.http.", randomBoolean());
return builder.put("xpack.security.http.ssl.enabled", true).build();
}
@Override
@ -82,7 +84,7 @@ public class SslIntegrationTests extends SecurityIntegTestCase {
.put(transportClientSettings())
.put("node.name", "programmatic_transport_client")
.put("cluster.name", internalCluster().getClusterName())
.putList("xpack.ssl.cipher_suites", unconfiguredCiphers)
.putList("xpack.security.transport.ssl.cipher_suites", unconfiguredCiphers)
.build(), LocalStateSecurity.class)) {
TransportAddress transportAddress = randomFrom(internalCluster().getInstance(Transport.class).boundAddress().boundAddresses());
@ -101,7 +103,7 @@ public class SslIntegrationTests extends SecurityIntegTestCase {
.put(transportClientSettings())
.put("node.name", "programmatic_transport_client")
.put("cluster.name", internalCluster().getClusterName())
.putList("xpack.ssl.supported_protocols", new String[]{"SSLv3"})
.putList("xpack.security.transport.ssl.supported_protocols", new String[]{"SSLv3"})
.build(), LocalStateSecurity.class)) {
TransportAddress transportAddress = randomFrom(internalCluster().getInstance(Transport.class).boundAddress().boundAddresses());
@ -120,13 +122,14 @@ public class SslIntegrationTests extends SecurityIntegTestCase {
builder, "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.pem",
"testclient",
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt",
"xpack.security.http.",
Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"));
SSLService service = new SSLService(builder.build(), null);
CredentialsProvider provider = new BasicCredentialsProvider();
provider.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials(nodeClientUsername(),
new String(nodeClientPassword().getChars())));
SSLConfiguration sslConfiguration = service.getSSLConfiguration("xpack.ssl");
SSLConfiguration sslConfiguration = service.getSSLConfiguration("xpack.security.http.ssl");
try (CloseableHttpClient client = HttpClients.custom()
.setSSLSocketFactory(new SSLConnectionSocketFactory(service.sslSocketFactory(sslConfiguration),
SSLConnectionSocketFactory.getDefaultHostnameVerifier()))

View File

@ -24,6 +24,7 @@ import java.util.Arrays;
import java.util.Collections;
import static org.elasticsearch.test.SecuritySettingsSource.TEST_USER_NAME;
import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForNodePEMFiles;
import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForPEMFiles;
import static org.elasticsearch.test.SecuritySettingsSourceField.TEST_PASSWORD;
import static org.hamcrest.CoreMatchers.is;
@ -61,17 +62,17 @@ public class SslMultiPortTests extends SecurityIntegTestCase {
throw new RuntimeException(e);
}
Settings settings = Settings.builder()
.put(super.nodeSettings(nodeOrdinal))
// client set up here
.put("transport.profiles.client.port", randomClientPortRange)
Settings.Builder builder = Settings.builder().put(super.nodeSettings(nodeOrdinal));
addSSLSettingsForNodePEMFiles(builder, "transport.profiles.client.xpack.security.", true);
builder.put("transport.profiles.client.port", randomClientPortRange)
// make sure this is "localhost", no matter if ipv4 or ipv6, but be consistent
.put("transport.profiles.client.bind_host", "localhost")
.put("transport.profiles.client.xpack.security.ssl.certificate_authorities", trustCert.toAbsolutePath())
.put("transport.profiles.no_client_auth.port", randomNoClientAuthPortRange)
.put("transport.profiles.client.xpack.security.ssl.certificate_authorities", trustCert.toAbsolutePath());
addSSLSettingsForNodePEMFiles(builder, "transport.profiles.no_client_auth.xpack.security.", true);
builder.put("transport.profiles.no_client_auth.port", randomNoClientAuthPortRange)
.put("transport.profiles.no_client_auth.bind_host", "localhost")
.put("transport.profiles.no_client_auth.xpack.security.ssl.client_authentication", SSLClientAuth.NONE)
.build();
.put("transport.profiles.no_client_auth.xpack.security.ssl.client_authentication", SSLClientAuth.NONE);
final Settings settings = builder.build();
logger.info("node {} settings:\n{}", nodeOrdinal, settings);
return settings;
}
@ -83,7 +84,7 @@ public class SslMultiPortTests extends SecurityIntegTestCase {
private TransportClient createTransportClient(Settings additionalSettings) {
Settings settings = Settings.builder()
.put(transportClientSettings().filter(s -> s.startsWith("xpack.ssl") == false))
.put(transportClientSettings().filter(s -> s.startsWith("xpack.security.transport.ssl") == false))
.put("node.name", "programmatic_transport_client")
.put("cluster.name", internalCluster().getClusterName())
.put("xpack.security.transport.ssl.enabled", true)
@ -270,7 +271,7 @@ public class SslMultiPortTests extends SecurityIntegTestCase {
.put(SecurityField.USER_SETTING.getKey(), TEST_USER_NAME + ":" + TEST_PASSWORD)
.put("cluster.name", internalCluster().getClusterName())
.put("xpack.security.transport.ssl.enabled", true)
.put("xpack.ssl.certificate_authorities",
.put("xpack.security.transport.ssl.certificate_authorities",
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"))
.build();
try (TransportClient transportClient = new TestXPackTransportClient(settings,
@ -290,8 +291,8 @@ public class SslMultiPortTests extends SecurityIntegTestCase {
.put(SecurityField.USER_SETTING.getKey(), TEST_USER_NAME + ":" + TEST_PASSWORD)
.put("cluster.name", internalCluster().getClusterName())
.put("xpack.security.transport.ssl.enabled", true)
.put("xpack.ssl.client_authentication", SSLClientAuth.REQUIRED)
.put("xpack.ssl.certificate_authorities",
.put("xpack.security.transport.ssl.client_authentication", SSLClientAuth.REQUIRED)
.put("xpack.security.transport.ssl.certificate_authorities",
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"))
.build();
try (TransportClient transportClient = new TestXPackTransportClient(settings,
@ -314,8 +315,8 @@ public class SslMultiPortTests extends SecurityIntegTestCase {
.put(SecurityField.USER_SETTING.getKey(), TEST_USER_NAME + ":" + TEST_PASSWORD)
.put("cluster.name", internalCluster().getClusterName())
.put("xpack.security.transport.ssl.enabled", true)
.put("xpack.ssl.client_authentication", SSLClientAuth.REQUIRED)
.put("xpack.ssl.certificate_authorities",
.put("xpack.security.transport.ssl.client_authentication", SSLClientAuth.REQUIRED)
.put("xpack.security.transport.ssl.certificate_authorities",
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"))
.build();
try (TransportClient transportClient = new TestXPackTransportClient(settings,
@ -337,7 +338,7 @@ public class SslMultiPortTests extends SecurityIntegTestCase {
Settings settings = Settings.builder()
.put(SecurityField.USER_SETTING.getKey(), TEST_USER_NAME + ":" + TEST_PASSWORD)
.put("cluster.name", internalCluster().getClusterName())
.put("xpack.ssl.client_authentication", SSLClientAuth.REQUIRED)
.put("xpack.security.transport.ssl.client_authentication", SSLClientAuth.REQUIRED)
.put("xpack.security.transport.ssl.enabled", true)
.build();
try (TransportClient transportClient = new TestXPackTransportClient(settings,
@ -359,7 +360,7 @@ public class SslMultiPortTests extends SecurityIntegTestCase {
Settings settings = Settings.builder()
.put(SecurityField.USER_SETTING.getKey(), TEST_USER_NAME + ":" + TEST_PASSWORD)
.put("cluster.name", internalCluster().getClusterName())
.put("xpack.ssl.client_authentication", SSLClientAuth.REQUIRED)
.put("xpack.security.transport.ssl.client_authentication", SSLClientAuth.REQUIRED)
.put("xpack.security.transport.ssl.enabled", true)
.build();
try (TransportClient transportClient = new TestXPackTransportClient(settings,
@ -381,7 +382,7 @@ public class SslMultiPortTests extends SecurityIntegTestCase {
Settings settings = Settings.builder()
.put(SecurityField.USER_SETTING.getKey(), TEST_USER_NAME + ":" + TEST_PASSWORD)
.put("cluster.name", internalCluster().getClusterName())
.put("xpack.ssl.client_authentication", SSLClientAuth.REQUIRED)
.put("xpack.security.transport.ssl.client_authentication", SSLClientAuth.REQUIRED)
.put("xpack.security.transport.ssl.enabled", true)
.build();
try (TransportClient transportClient = new TestXPackTransportClient(settings,

View File

@ -17,6 +17,7 @@ import org.elasticsearch.client.Response;
import org.elasticsearch.client.RestClient;
import org.elasticsearch.client.transport.TransportClient;
import org.elasticsearch.common.settings.MockSecureSettings;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.test.SecurityIntegTestCase;
@ -31,14 +32,17 @@ import org.elasticsearch.xpack.security.LocalStateSecurity;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.UncheckedIOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.SecureRandom;
import java.security.cert.CertPathBuilderException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import static org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
import static org.hamcrest.Matchers.containsString;
@ -54,13 +58,41 @@ public class SSLClientAuthTests extends SecurityIntegTestCase {
@Override
protected Settings nodeSettings(int nodeOrdinal) {
return Settings.builder()
.put(super.nodeSettings(nodeOrdinal))
Settings baseSettings = super.nodeSettings(nodeOrdinal);
Settings.Builder builder = Settings.builder().put(baseSettings);
baseSettings.getByPrefix("xpack.security.transport.ssl.")
.keySet()
.forEach(k -> {
String httpKey = "xpack.security.http.ssl." + k;
String value = baseSettings.get("xpack.security.transport.ssl." + k);
if (value != null) {
builder.put(httpKey, baseSettings.get("xpack.security.transport.ssl." + k));
}
});
MockSecureSettings secureSettings = (MockSecureSettings) builder.getSecureSettings();
for (String key : new HashSet<>(secureSettings.getSettingNames())) {
SecureString value = secureSettings.getString(key);
if (value == null) {
try {
if (key.startsWith("xpack.security.transport.ssl.")) {
byte[] file = toByteArray(secureSettings.getFile(key));
secureSettings.setFile(key.replace("xpack.security.transport.ssl.", "xpack.security.http.ssl."), file);
}
} catch (IOException e) {
throw new UncheckedIOException(e);
}
} else if (key.startsWith("xpack.security.transport.ssl.")) {
secureSettings.setString(key.replace("xpack.security.transport.ssl.", "xpack.security.http.ssl."), value.toString());
}
}
return builder
// invert the require auth settings
.put("xpack.ssl.client_authentication", SSLClientAuth.REQUIRED)
.put("xpack.security.transport.ssl.client_authentication", SSLClientAuth.NONE)
.put("xpack.security.http.ssl.enabled", true)
.put("xpack.security.http.ssl.client_authentication", SSLClientAuth.REQUIRED)
.put("transport.profiles.default.xpack.security.ssl.client_authentication", SSLClientAuth.NONE)
.build();
}
@ -109,13 +141,13 @@ public class SSLClientAuthTests extends SecurityIntegTestCase {
}
MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testclient-client-profile");
secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testclient-client-profile");
Settings settings = Settings.builder()
.put("xpack.security.transport.ssl.enabled", true)
.put("xpack.ssl.client_authentication", SSLClientAuth.NONE)
.put("xpack.ssl.key", keyPath)
.put("xpack.ssl.certificate", certPath)
.put("xpack.ssl.certificate_authorities", nodeCertPath)
.put("xpack.security.transport.ssl.client_authentication", SSLClientAuth.NONE)
.put("xpack.security.transport.ssl.key", keyPath)
.put("xpack.security.transport.ssl.certificate", certPath)
.put("xpack.security.transport.ssl.certificate_authorities", nodeCertPath)
.setSecureSettings(secureSettings)
.put("cluster.name", internalCluster().getClusterName())
.put(SecurityField.USER_SETTING.getKey(), transportClientUsername() + ":" + new String(transportClientPassword().getChars()))
@ -145,4 +177,15 @@ public class SSLClientAuthTests extends SecurityIntegTestCase {
throw new ElasticsearchException("failed to initialize SSLContext", e);
}
}
private byte[] toByteArray(InputStream is) throws IOException {
ByteArrayOutputStream baos = new ByteArrayOutputStream();
byte[] internalBuffer = new byte[1024];
int read = is.read(internalBuffer);
while (read != -1) {
baos.write(internalBuffer, 0, read);
read = is.read(internalBuffer);
}
return baos.toByteArray();
}
}

View File

@ -72,16 +72,16 @@ public class SSLReloadIntegTests extends SecurityIntegTestCase {
Settings settings = super.nodeSettings(nodeOrdinal);
Settings.Builder builder = Settings.builder()
.put(settings.filter((s) -> s.startsWith("xpack.ssl.") == false));
.put(settings.filter((s) -> s.startsWith("xpack.security.transport.ssl.") == false));
builder.put("path.home", createTempDir())
.put("xpack.ssl.key", nodeKeyPath)
.put("xpack.ssl.key_passphrase", "testnode")
.put("xpack.ssl.certificate", nodeCertPath)
.putList("xpack.ssl.certificate_authorities", Arrays.asList(nodeCertPath.toString(), clientCertPath.toString(),
updateableCertPath.toString()))
.put("xpack.security.transport.ssl.key", nodeKeyPath)
.put("xpack.security.transport.ssl.key_passphrase", "testnode")
.put("xpack.security.transport.ssl.certificate", nodeCertPath)
.putList("xpack.security.transport.ssl.certificate_authorities",
Arrays.asList(nodeCertPath.toString(), clientCertPath.toString(), updateableCertPath.toString()))
.put("resource.reload.interval.high", "1s");
builder.put("xpack.security.transport.ssl.enabled", true);
return builder.build();
}
@ -96,18 +96,18 @@ public class SSLReloadIntegTests extends SecurityIntegTestCase {
Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_updated.pem"), keyPath);
Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_updated.crt"), certPath);
MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
Settings settings = Settings.builder()
.put("path.home", createTempDir())
.put("xpack.ssl.key", keyPath)
.put("xpack.ssl.certificate", certPath)
.putList("xpack.ssl.certificate_authorities", Arrays.asList(nodeCertPath.toString(), clientCertPath.toString(),
updateableCertPath.toString()))
.put("xpack.security.transport.ssl.key", keyPath)
.put("xpack.security.transport.ssl.certificate", certPath)
.putList("xpack.security.transport.ssl.certificate_authorities",
Arrays.asList(nodeCertPath.toString(), clientCertPath.toString(), updateableCertPath.toString()))
.setSecureSettings(secureSettings)
.build();
String node = randomFrom(internalCluster().getNodeNames());
SSLService sslService = new SSLService(settings, TestEnvironment.newEnvironment(settings));
SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.ssl");
SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
SSLSocketFactory sslSocketFactory = sslService.sslSocketFactory(sslConfiguration);
TransportAddress address = internalCluster()
.getInstance(Transport.class, node).boundAddress().publishAddress();

View File

@ -102,9 +102,9 @@ public class SSLTrustRestrictionsTests extends SecurityIntegTestCase {
nodeSSL = Settings.builder()
.put("xpack.security.transport.ssl.enabled", true)
.put("xpack.security.transport.ssl.verification_mode", "certificate")
.putList("xpack.ssl.certificate_authorities", ca.getCertPath().toString())
.put("xpack.ssl.key", trustedCert.getKeyPath())
.put("xpack.ssl.certificate", trustedCert.getCertPath())
.putList("xpack.security.transport.ssl.certificate_authorities", ca.getCertPath().toString())
.put("xpack.security.transport.ssl.key", trustedCert.getKeyPath())
.put("xpack.security.transport.ssl.certificate", trustedCert.getCertPath())
.build();
}
@ -122,14 +122,14 @@ public class SSLTrustRestrictionsTests extends SecurityIntegTestCase {
Settings parentSettings = super.nodeSettings(nodeOrdinal);
Settings.Builder builder = Settings.builder()
.put(parentSettings.filter((s) -> s.startsWith("xpack.ssl.") == false))
.put(parentSettings.filter((s) -> s.startsWith("xpack.security.transport.ssl.") == false))
.put(nodeSSL);
restrictionsPath = configPath.resolve("trust_restrictions.yml");
restrictionsTmpPath = configPath.resolve("trust_restrictions.tmp");
writeRestrictions("*.trusted");
builder.put("xpack.ssl.trust_restrictions.path", restrictionsPath);
builder.put("xpack.security.transport.ssl.trust_restrictions.path", restrictionsPath);
return builder.build();
}
@ -152,7 +152,7 @@ public class SSLTrustRestrictionsTests extends SecurityIntegTestCase {
protected Settings transportClientSettings() {
Settings parentSettings = super.transportClientSettings();
Settings.Builder builder = Settings.builder()
.put(parentSettings.filter((s) -> s.startsWith("xpack.ssl.") == false))
.put(parentSettings.filter((s) -> s.startsWith("xpack.security.transport.ssl.") == false))
.put(nodeSSL);
return builder.build();
}
@ -224,15 +224,15 @@ public class SSLTrustRestrictionsTests extends SecurityIntegTestCase {
private void tryConnect(CertificateInfo certificate) throws Exception {
Settings settings = Settings.builder()
.put("path.home", createTempDir())
.put("xpack.ssl.key", certificate.getKeyPath())
.put("xpack.ssl.certificate", certificate.getCertPath())
.putList("xpack.ssl.certificate_authorities", ca.getCertPath().toString())
.put("xpack.ssl.verification_mode", "certificate")
.put("xpack.security.transport.ssl.key", certificate.getKeyPath())
.put("xpack.security.transport.ssl.certificate", certificate.getCertPath())
.putList("xpack.security.transport.ssl.certificate_authorities", ca.getCertPath().toString())
.put("xpack.security.transport.ssl.verification_mode", "certificate")
.build();
String node = randomFrom(internalCluster().getNodeNames());
SSLService sslService = new SSLService(settings, TestEnvironment.newEnvironment(settings));
SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.ssl");
SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
SSLSocketFactory sslSocketFactory = sslService.sslSocketFactory(sslConfiguration);
TransportAddress address = internalCluster().getInstance(Transport.class, node).boundAddress().publishAddress();
try (SSLSocket socket = (SSLSocket) sslSocketFactory.createSocket(address.getAddress(), address.getPort())) {

View File

@ -151,8 +151,10 @@ integTestCluster {
setting 'xpack.security.transport.ssl.enabled', 'true'
// ceremony to set up ssl
setting 'xpack.ssl.keystore.path', 'test-node.jks'
keystoreSetting 'xpack.ssl.keystore.secure_password', 'keypass'
setting 'xpack.security.transport.ssl.keystore.path', 'test-node.jks'
keystoreSetting 'xpack.security.transport.ssl.keystore.secure_password', 'keypass'
setting 'xpack.security.http.ssl.keystore.path', 'test-node.jks'
keystoreSetting 'xpack.security.http.ssl.keystore.secure_password', 'keypass'
setting 'xpack.license.self_generated.type', 'trial'

View File

@ -81,7 +81,7 @@ public class HttpClientTests extends ESTestCase {
}
@After
public void shutdown() throws Exception {
public void shutdown() throws IOException {
webServer.close();
httpClient.close();
}
@ -179,30 +179,22 @@ public class HttpClientTests extends ESTestCase {
Path certPath = getDataPath("/org/elasticsearch/xpack/security/keystore/testnode.crt");
Path keyPath = getDataPath("/org/elasticsearch/xpack/security/keystore/testnode.pem");
MockSecureSettings secureSettings = new MockSecureSettings();
Settings settings;
if (randomBoolean()) {
settings = Settings.builder()
.put("xpack.http.ssl.certificate_authorities", trustedCertPath)
.setSecureSettings(secureSettings)
.build();
} else {
settings = Settings.builder()
.put("xpack.ssl.certificate_authorities", trustedCertPath)
.setSecureSettings(secureSettings)
.build();
}
Settings settings = Settings.builder()
.put("xpack.http.ssl.certificate_authorities", trustedCertPath)
.setSecureSettings(secureSettings)
.build();
try (HttpClient client = new HttpClient(settings, new SSLService(settings, environment), null, mockClusterService())) {
secureSettings = new MockSecureSettings();
// We can't use the client created above for the server since it is only a truststore
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode");
Settings settings2 = Settings.builder()
.put("xpack.ssl.key", keyPath)
.put("xpack.ssl.certificate", certPath)
.put("xpack.security.http.ssl.key", keyPath)
.put("xpack.security.http.ssl.certificate", certPath)
.setSecureSettings(secureSettings)
.build();
TestsSSLService sslService = new TestsSSLService(settings2, environment);
testSslMockWebserver(client, sslService.sslContext(), false);
testSslMockWebserver(client, sslService.sslContext("xpack.security.http.ssl"), false);
}
}
@ -210,40 +202,27 @@ public class HttpClientTests extends ESTestCase {
Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-no-subjaltname.crt");
Path keyPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-no-subjaltname.pem");
Settings settings;
if (randomBoolean()) {
MockSecureSettings secureSettings = new MockSecureSettings();
Settings.Builder builder = Settings.builder()
.put("xpack.http.ssl.certificate_authorities", certPath);
if (inFipsJvm()) {
//Can't use TrustAllConfig in FIPS mode
builder.put("xpack.http.ssl.verification_mode", VerificationMode.CERTIFICATE);
} else {
builder.put("xpack.http.ssl.verification_mode", randomFrom(VerificationMode.NONE, VerificationMode.CERTIFICATE));
}
settings = builder.build();
Settings.Builder builder = Settings.builder()
.put("xpack.http.ssl.certificate_authorities", certPath);
if (inFipsJvm()) {
//Can't use TrustAllConfig in FIPS mode
builder.put("xpack.http.ssl.verification_mode", VerificationMode.CERTIFICATE);
} else {
Settings.Builder builder = Settings.builder()
.put("xpack.ssl.certificate_authorities", certPath);
if (inFipsJvm()) {
//Can't use TrustAllConfig in FIPS mode
builder.put("xpack.ssl.verification_mode", VerificationMode.CERTIFICATE);
} else {
builder.put("xpack.ssl.verification_mode", randomFrom(VerificationMode.NONE, VerificationMode.CERTIFICATE));
}
settings = builder.build();
builder.put("xpack.http.ssl.verification_mode", randomFrom(VerificationMode.NONE, VerificationMode.CERTIFICATE));
}
settings = builder.build();
try (HttpClient client = new HttpClient(settings, new SSLService(settings, environment), null, mockClusterService())) {
MockSecureSettings secureSettings = new MockSecureSettings();
// We can't use the client created above for the server since it only defines a truststore
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode-no-subjaltname");
secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode-no-subjaltname");
Settings settings2 = Settings.builder()
.put("xpack.ssl.key", keyPath)
.put("xpack.ssl.certificate", certPath)
.put("xpack.security.http.ssl.key", keyPath)
.put("xpack.security.http.ssl.certificate", certPath)
.setSecureSettings(secureSettings)
.build();
TestsSSLService sslService = new TestsSSLService(settings2, environment);
testSslMockWebserver(client, sslService.sslContext(), false);
testSslMockWebserver(client, sslService.sslContext("xpack.security.http.ssl"), false);
}
}
@ -251,16 +230,16 @@ public class HttpClientTests extends ESTestCase {
Path certPath = getDataPath("/org/elasticsearch/xpack/security/keystore/testnode.crt");
Path keyPath = getDataPath("/org/elasticsearch/xpack/security/keystore/testnode.pem");
MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
secureSettings.setString("xpack.http.ssl.secure_key_passphrase", "testnode");
Settings settings = Settings.builder()
.put("xpack.ssl.key", keyPath)
.put("xpack.ssl.certificate", certPath)
.put("xpack.http.ssl.key", keyPath)
.put("xpack.http.ssl.certificate", certPath)
.setSecureSettings(secureSettings)
.build();
TestsSSLService sslService = new TestsSSLService(settings, environment);
try (HttpClient client = new HttpClient(settings, sslService, null, mockClusterService())) {
testSslMockWebserver(client, sslService.sslContext(), true);
testSslMockWebserver(client, sslService.sslContext("xpack.http.ssl"), true);
}
}
@ -387,19 +366,18 @@ public class HttpClientTests extends ESTestCase {
// on top of that the proxy request is HTTPS but the real request is HTTP only
MockSecureSettings serverSecureSettings = new MockSecureSettings();
// We can't use the client created above for the server since it is only a truststore
serverSecureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
serverSecureSettings.setString("xpack.http.ssl.secure_key_passphrase", "testnode");
Settings serverSettings = Settings.builder()
.put("xpack.ssl.key", keyPath)
.put("xpack.ssl.certificate", certPath)
.put("xpack.http.ssl.key", keyPath)
.put("xpack.http.ssl.certificate", certPath)
.setSecureSettings(serverSecureSettings)
.build();
TestsSSLService sslService = new TestsSSLService(serverSettings, environment);
try (MockWebServer proxyServer = new MockWebServer(sslService.sslContext(), false)) {
try (MockWebServer proxyServer = new MockWebServer(sslService.sslContext(serverSettings.getByPrefix("xpack.http.ssl.")), false)) {
proxyServer.enqueue(new MockResponse().setResponseCode(200).setBody("fullProxiedContent"));
proxyServer.start();
MockSecureSettings secureSettings = new MockSecureSettings();
Settings settings = Settings.builder()
.put(HttpSettings.PROXY_HOST.getKey(), "localhost")
.put(HttpSettings.PROXY_PORT.getKey(), proxyServer.getPort())

View File

@ -172,8 +172,8 @@ subprojects {
setting 'xpack.security.enabled', 'true'
setting 'xpack.security.transport.ssl.enabled', 'true'
setting 'xpack.ssl.keystore.path', 'testnode.jks'
setting 'xpack.ssl.keystore.password', 'testnode'
setting 'xpack.security.transport.ssl.keystore.path', 'testnode.jks'
setting 'xpack.security.transport.ssl.keystore.password', 'testnode'
setting 'xpack.license.self_generated.type', 'trial'
dependsOn copyTestNodeKeystore
extraConfigFile 'testnode.jks', new File(outputDir + '/testnode.jks')
@ -217,8 +217,8 @@ subprojects {
// some tests rely on the translog not being flushed
setting 'indices.memory.shard_inactive_time', '20m'
setting 'xpack.security.enabled', 'true'
setting 'xpack.ssl.keystore.path', 'testnode.jks'
keystoreSetting 'xpack.ssl.keystore.secure_password', 'testnode'
setting 'xpack.security.transport.ssl.keystore.path', 'testnode.jks'
keystoreSetting 'xpack.security.transport.ssl.keystore.secure_password', 'testnode'
setting 'xpack.license.self_generated.type', 'trial'
dependsOn copyTestNodeKeystore
extraConfigFile 'testnode.jks', new File(outputDir + '/testnode.jks')

View File

@ -61,13 +61,12 @@ public class OpenLdapTests extends ESTestCase {
private static final SecureString PASSWORD_SECURE_STRING = new SecureString(PASSWORD.toCharArray());
public static final String REALM_NAME = "oldap-test";
private boolean useGlobalSSL;
private SSLService sslService;
private ThreadPool threadPool;
private Settings globalSettings;
@Before
public void init() throws Exception {
public void init() {
threadPool = new TestThreadPool("OpenLdapTests thread pool");
}
@ -89,32 +88,19 @@ public class OpenLdapTests extends ESTestCase {
* If we re-use a SSLContext, previously connected sessions can get re-established which breaks hostname
* verification tests since a re-established connection does not perform hostname verification.
*/
useGlobalSSL = randomBoolean();
MockSecureSettings mockSecureSettings = new MockSecureSettings();
Settings.Builder builder = Settings.builder().put("path.home", createTempDir());
if (useGlobalSSL) {
builder.put("xpack.ssl.truststore.path", truststore);
mockSecureSettings.setString("xpack.ssl.truststore.secure_password", "changeit");
// fake realms so ssl will get loaded
builder.put("xpack.security.authc.realms.ldap.foo.ssl.truststore.path", truststore);
mockSecureSettings.setString("xpack.security.authc.realms.ldap.foo.ssl.truststore.secure_password", "changeit");
builder.put("xpack.security.authc.realms.ldap.foo.ssl.verification_mode", VerificationMode.FULL);
builder.put("xpack.security.authc.realms.ldap." + REALM_NAME + ".ssl.truststore.path", truststore);
mockSecureSettings.setString("xpack.security.authc.realms.ldap." + REALM_NAME + ".ssl.truststore.secure_password", "changeit");
builder.put("xpack.security.authc.realms.ldap." + REALM_NAME + ".ssl.verification_mode", VerificationMode.CERTIFICATE);
// configure realm to load config with certificate verification mode
builder.put("xpack.security.authc.realms.ldap." + REALM_NAME + ".ssl.truststore.path", truststore);
mockSecureSettings.setString("xpack.security.authc.realms.ldap." + REALM_NAME + ".ssl.truststore.secure_password", "changeit");
builder.put("xpack.security.authc.realms.ldap." + REALM_NAME + ".ssl.verification_mode", VerificationMode.CERTIFICATE);
} else {
// fake realms so ssl will get loaded
builder.put("xpack.security.authc.realms.ldap.foo.ssl.truststore.path", truststore);
mockSecureSettings.setString("xpack.security.authc.realms.ldap.foo.ssl.truststore.secure_password", "changeit");
builder.put("xpack.security.authc.realms.ldap.foo.ssl.verification_mode", VerificationMode.FULL);
builder.put("xpack.security.authc.realms.ldap." + REALM_NAME + ".ssl.truststore.path", truststore);
mockSecureSettings.setString("xpack.security.authc.realms.ldap." + REALM_NAME + ".ssl.truststore.secure_password", "changeit");
builder.put("xpack.security.authc.realms.ldap." + REALM_NAME + ".ssl.verification_mode", VerificationMode.CERTIFICATE);
// If not using global ssl, need to set the truststore for the "full verification" realm
builder.put("xpack.security.authc.realms.ldap.vmode_full.ssl.truststore.path", truststore);
mockSecureSettings.setString("xpack.security.authc.realms.ldap.vmode_full.ssl.truststore.secure_password", "changeit");
}
builder.put("xpack.security.authc.realms.ldap.vmode_full.ssl.truststore.path", truststore);
mockSecureSettings.setString("xpack.security.authc.realms.ldap.vmode_full.ssl.truststore.secure_password", "changeit");
builder.put("xpack.security.authc.realms.ldap.vmode_full.ssl.verification_mode", VerificationMode.FULL);
globalSettings = builder.setSecureSettings(mockSecureSettings).build();
Environment environment = TestEnvironment.newEnvironment(globalSettings);
sslService = new SSLService(globalSettings, environment);
@ -290,11 +276,8 @@ public class OpenLdapTests extends ESTestCase {
final String[] urls = {ldapUrl};
final String[] templates = {userTemplate};
Settings.Builder builder = Settings.builder()
.put(LdapTestCase.buildLdapSettings(realmId, urls, templates, groupSearchBase, scope, null, false));
.put(LdapTestCase.buildLdapSettings(realmId, urls, templates, groupSearchBase, scope, null, false));
builder.put(getFullSettingKey(realmId.getName(), SearchGroupsResolverSettings.USER_ATTRIBUTE), "uid");
if (useGlobalSSL) {
return builder.build();
}
return builder
.put(getFullSettingKey(realmId, SSLConfigurationSettings.TRUST_STORE_PATH_REALM), getDataPath(LDAPTRUST_PATH))
.put(getFullSettingKey(realmId, SSLConfigurationSettings.LEGACY_TRUST_STORE_PASSWORD_REALM), "changeit")

View File

@ -60,13 +60,13 @@ public class OpenLdapUserSearchSessionFactoryTests extends ESTestCase {
*/
globalSettings = Settings.builder()
.put("path.home", createTempDir())
.put("xpack.ssl.certificate_authorities", caPath)
.put("xpack.security.authc.realms.ldap.ssl.certificate_authorities", caPath)
.build();
threadPool = new TestThreadPool("LdapUserSearchSessionFactoryTests");
}
@After
public void shutdown() throws InterruptedException {
public void shutdown() {
terminate(threadPool);
}

View File

@ -157,8 +157,8 @@ subprojects {
setting 'xpack.security.authc.token.enabled', 'true'
setting 'xpack.security.audit.enabled', 'true'
setting 'xpack.security.audit.outputs', 'index'
setting 'xpack.ssl.keystore.path', 'testnode.jks'
setting 'xpack.ssl.keystore.password', 'testnode'
setting 'xpack.security.transport.ssl.keystore.path', 'testnode.jks'
setting 'xpack.security.transport.ssl.keystore.password', 'testnode'
dependsOn copyTestNodeKeystore
extraConfigFile 'testnode.jks', new File(outputDir + '/testnode.jks')
if (version.onOrAfter('7.0.0')) {
@ -226,8 +226,8 @@ subprojects {
setting 'xpack.license.self_generated.type', 'trial'
setting 'xpack.security.enabled', 'true'
setting 'xpack.security.transport.ssl.enabled', 'true'
setting 'xpack.ssl.keystore.path', 'testnode.jks'
keystoreSetting 'xpack.ssl.keystore.secure_password', 'testnode'
setting 'xpack.security.transport.ssl.keystore.path', 'testnode.jks'
keystoreSetting 'xpack.security.transport.ssl.keystore.secure_password', 'testnode'
setting 'node.attr.upgraded', 'true'
setting 'xpack.security.authc.token.enabled', 'true'
setting 'xpack.security.audit.enabled', 'true'

View File

@ -57,16 +57,17 @@ integTestCluster {
setting 'xpack.monitoring.collection.interval', '1s'
setting 'xpack.monitoring.exporters._http.type', 'http'
setting 'xpack.monitoring.exporters._http.enabled', 'false'
setting 'xpack.ssl.certificate_authorities', 'testnode.crt'
setting 'xpack.monitoring.exporters._http.auth.username', 'monitoring_agent'
setting 'xpack.monitoring.exporters._http.auth.password', 'x-pack-test-password'
setting 'xpack.monitoring.exporters._http.ssl.verification_mode', 'full'
setting 'xpack.monitoring.exporters._http.ssl.certificate_authorities', 'testnode.crt'
setting 'xpack.license.self_generated.type', 'trial'
setting 'xpack.security.enabled', 'true'
setting 'xpack.security.http.ssl.enabled', 'true'
setting 'xpack.security.http.ssl.key', 'testnode.pem'
setting 'xpack.security.http.ssl.certificate', 'testnode.crt'
setting 'xpack.security.http.ssl.certificate_authorities', 'testnode.crt'
keystoreSetting 'xpack.security.http.ssl.secure_key_passphrase', 'testnode'
setting 'xpack.ilm.enabled', 'false'

View File

@ -7,7 +7,6 @@ package org.elasticsearch.xpack.security.authc.ldap;
import org.elasticsearch.action.support.PlainActionFuture;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.settings.MockSecureSettings;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
@ -50,23 +49,17 @@ public class ADLdapUserSearchSessionFactoryTests extends AbstractActiveDirectory
globalSettings = Settings.builder()
.put("path.home", createTempDir())
.put("xpack.ssl.certificate_authorities", certPath)
.put("xpack.security.authc.realms.active_directory.ad.ssl.certificate_authorities", certPath)
.build();
sslService = new SSLService(globalSettings, env);
threadPool = new TestThreadPool("ADLdapUserSearchSessionFactoryTests");
}
@After
public void shutdown() throws InterruptedException {
public void shutdown() {
terminate(threadPool);
}
private MockSecureSettings newSecureSettings(String key, String value) {
MockSecureSettings secureSettings = new MockSecureSettings();
secureSettings.setString(key, value);
return secureSettings;
}
@AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/issues/35738")
public void testUserSearchWithActiveDirectory() throws Exception {
String groupSearchBase = "DC=ad,DC=test,DC=elasticsearch,DC=com";

View File

@ -58,12 +58,10 @@ public abstract class AbstractActiveDirectoryTestCase extends ESTestCase {
protected SSLService sslService;
protected Settings globalSettings;
protected boolean useGlobalSSL;
protected List<String> certificatePaths;
@Before
public void initializeSslSocketFactory() throws Exception {
useGlobalSSL = randomBoolean();
// We use certificates in PEM format and `ssl.certificate_authorities` instead of ssl.trustore
// so that these tests can also run in a FIPS JVM where JKS keystores can't be used.
certificatePaths = new ArrayList<>();
@ -84,19 +82,12 @@ public abstract class AbstractActiveDirectoryTestCase extends ESTestCase {
* verification tests since a re-established connection does not perform hostname verification.
*/
Settings.Builder builder = Settings.builder().put("path.home", createTempDir());
if (useGlobalSSL) {
builder.putList("xpack.ssl.certificate_authorities", certificatePaths);
// fake realm to load config with certificate verification mode
builder.putList("xpack.security.authc.realms.bar.ssl.certificate_authorities", certificatePaths);
builder.put("xpack.security.authc.realms.bar.ssl.verification_mode", VerificationMode.CERTIFICATE);
} else {
// fake realms so ssl will get loaded
builder.putList("xpack.security.authc.realms.foo.ssl.certificate_authorities", certificatePaths);
builder.put("xpack.security.authc.realms.foo.ssl.verification_mode", VerificationMode.FULL);
builder.putList("xpack.security.authc.realms.bar.ssl.certificate_authorities", certificatePaths);
builder.put("xpack.security.authc.realms.bar.ssl.verification_mode", VerificationMode.CERTIFICATE);
}
// fake realms so ssl will get loaded
builder.putList("xpack.security.authc.realms.foo.ssl.certificate_authorities", certificatePaths);
builder.put("xpack.security.authc.realms.foo.ssl.verification_mode", VerificationMode.FULL);
builder.putList("xpack.security.authc.realms.bar.ssl.certificate_authorities", certificatePaths);
builder.put("xpack.security.authc.realms.bar.ssl.verification_mode", VerificationMode.CERTIFICATE);
globalSettings = builder.build();
Environment environment = TestEnvironment.newEnvironment(globalSettings);
sslService = new SSLService(globalSettings, environment);
@ -106,24 +97,22 @@ public abstract class AbstractActiveDirectoryTestCase extends ESTestCase {
LdapSearchScope scope, boolean hostnameVerification) {
final String realmName = realmId.getName();
Settings.Builder builder = Settings.builder()
.putList(getFullSettingKey(realmId, SessionFactorySettings.URLS_SETTING), ldapUrl)
.put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_DOMAIN_NAME_SETTING), adDomainName)
.put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_USER_SEARCH_BASEDN_SETTING), userSearchDN)
.put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_USER_SEARCH_SCOPE_SETTING), scope)
.put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_LDAP_PORT_SETTING), AD_LDAP_PORT)
.put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_LDAPS_PORT_SETTING), AD_LDAPS_PORT)
.put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_GC_LDAP_PORT_SETTING), AD_GC_LDAP_PORT)
.put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_GC_LDAPS_PORT_SETTING), AD_GC_LDAPS_PORT)
.put(getFullSettingKey(realmId, SessionFactorySettings.FOLLOW_REFERRALS_SETTING), FOLLOW_REFERRALS);
.putList(getFullSettingKey(realmId, SessionFactorySettings.URLS_SETTING), ldapUrl)
.put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_DOMAIN_NAME_SETTING), adDomainName)
.put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_USER_SEARCH_BASEDN_SETTING), userSearchDN)
.put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_USER_SEARCH_SCOPE_SETTING), scope)
.put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_LDAP_PORT_SETTING), AD_LDAP_PORT)
.put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_LDAPS_PORT_SETTING), AD_LDAPS_PORT)
.put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_GC_LDAP_PORT_SETTING), AD_GC_LDAP_PORT)
.put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_GC_LDAPS_PORT_SETTING), AD_GC_LDAPS_PORT)
.put(getFullSettingKey(realmId, SessionFactorySettings.FOLLOW_REFERRALS_SETTING), FOLLOW_REFERRALS)
.putList(getFullSettingKey(realmId, SSLConfigurationSettings.CAPATH_SETTING_REALM), certificatePaths);
if (randomBoolean()) {
builder.put(getFullSettingKey(realmId, SSLConfigurationSettings.VERIFICATION_MODE_SETTING_REALM),
hostnameVerification ? VerificationMode.FULL : VerificationMode.CERTIFICATE);
} else {
builder.put(getFullSettingKey(realmId, SessionFactorySettings.HOSTNAME_VERIFICATION_SETTING), hostnameVerification);
}
if (useGlobalSSL == false) {
builder.putList(getFullSettingKey(realmId, SSLConfigurationSettings.CAPATH_SETTING_REALM), certificatePaths);
}
return builder.build();
}

View File

@ -103,13 +103,11 @@ public abstract class AbstractAdLdapRealmTestCase extends SecurityIntegTestCase
protected static final String TESTNODE_CERT = "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt";
protected static RealmConfig realmConfig;
protected static List<RoleMappingEntry> roleMappings;
protected static boolean useGlobalSSL;
@BeforeClass
public static void setupRealm() {
realmConfig = randomFrom(RealmConfig.values());
roleMappings = realmConfig.selectRoleMappings(ESTestCase::randomBoolean);
useGlobalSSL = randomBoolean();
LogManager.getLogger(AbstractAdLdapRealmTestCase.class).info(
"running test with realm configuration [{}], with direct group to role mapping [{}]. Settings [{}]",
realmConfig, realmConfig.mapGroupsAsRoles, realmConfig.settings);
@ -128,13 +126,13 @@ public abstract class AbstractAdLdapRealmTestCase extends SecurityIntegTestCase
Settings.Builder builder = Settings.builder();
// don't use filter since it returns a prefixed secure setting instead of mock!
Settings settingsToAdd = super.nodeSettings(nodeOrdinal);
builder.put(settingsToAdd.filter(k -> k.startsWith("xpack.ssl.") == false), false);
builder.put(settingsToAdd.filter(k -> k.startsWith("xpack.transport.security.ssl.") == false), false);
MockSecureSettings mockSecureSettings = (MockSecureSettings) Settings.builder().put(settingsToAdd).getSecureSettings();
if (mockSecureSettings != null) {
MockSecureSettings filteredSecureSettings = new MockSecureSettings();
builder.setSecureSettings(filteredSecureSettings);
for (String secureSetting : mockSecureSettings.getSettingNames()) {
if (secureSetting.startsWith("xpack.ssl.") == false) {
if (secureSetting.startsWith("xpack.transport.security.ssl.") == false) {
SecureString secureString = mockSecureSettings.getString(secureSetting);
if (secureString == null) {
final byte[] fileBytes;
@ -216,25 +214,6 @@ public abstract class AbstractAdLdapRealmTestCase extends SecurityIntegTestCase
.collect(Collectors.toList());
}
@Override
protected Settings transportClientSettings() {
if (useGlobalSSL) {
Path key = getDataPath(TESTNODE_KEY);
Path cert = getDataPath(TESTNODE_CERT);
Settings.Builder builder = Settings.builder()
.put(super.transportClientSettings().filter((s) -> s.startsWith("xpack.ssl.") == false));
addSslSettingsForKeyPair(builder, key, "testnode", cert, getNodeTrustedCertificates());
return builder.build();
} else {
return super.transportClientSettings();
}
}
@Override
protected boolean transportSSLEnabled() {
return useGlobalSSL;
}
protected final void configureFileRoleMappings(Settings.Builder builder, List<RoleMappingEntry> mappings) {
String content = getRoleMappingContent(RoleMappingEntry::getFileContent, mappings).stream().collect(Collectors.joining("\n"));
Path nodeFiles = createTempDir();
@ -310,11 +289,11 @@ public abstract class AbstractAdLdapRealmTestCase extends SecurityIntegTestCase
private void addSslSettingsForKeyPair(Settings.Builder builder, Path key, String keyPassphrase, Path cert,
List<String> certificateAuthorities) {
builder.put("xpack.ssl.key", key)
.put("xpack.ssl.key_passphrase", keyPassphrase)
.put("xpack.ssl.verification_mode", "certificate")
.put("xpack.ssl.certificate", cert)
.putList("xpack.ssl.certificate_authorities", certificateAuthorities);
builder.put("xpack.transport.security.ssl.key", key)
.put("xpack.transport.security.ssl.key_passphrase", keyPassphrase)
.put("xpack.transport.security.ssl.verification_mode", "certificate")
.put("xpack.transport.security.ssl.certificate", cert)
.putList("xpack.transport.security.ssl.certificate_authorities", certificateAuthorities);
}
/**
@ -462,11 +441,8 @@ public abstract class AbstractAdLdapRealmTestCase extends SecurityIntegTestCase
.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".order", order)
.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".hostname_verification", false)
.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".unmapped_groups_as_roles", mapGroupsAsRoles)
.put(this.settings);
if (useGlobalSSL == false) {
builder.putList(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".ssl.certificate_authorities", certificateAuthorities);
}
.put(this.settings)
.putList(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".ssl.certificate_authorities", certificateAuthorities);
return builder.build();
}

View File

@ -280,21 +280,16 @@ public class ActiveDirectorySessionFactoryTests extends AbstractActiveDirectoryT
String groupSearchBase = "DC=ad,DC=test,DC=elasticsearch,DC=com";
String userTemplate = "CN={0},CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com";
Settings settings = Settings.builder()
.put(LdapTestCase.buildLdapSettings(
new String[]{AD_LDAP_URL},
new String[]{userTemplate},
groupSearchBase,
LdapSearchScope.SUB_TREE,
null,
true))
.put("follow_referrals", FOLLOW_REFERRALS)
.build();
if (useGlobalSSL == false) {
settings = Settings.builder()
.put(settings)
.putList("ssl.certificate_authorities", certificatePaths)
.build();
}
.put(LdapTestCase.buildLdapSettings(
new String[]{AD_LDAP_URL},
new String[]{userTemplate},
groupSearchBase,
LdapSearchScope.SUB_TREE,
null,
true))
.put("follow_referrals", FOLLOW_REFERRALS)
.putList("ssl.certificate_authorities", certificatePaths)
.build();
RealmConfig config = configureRealm("ad-as-ldap-test", settings);
LdapSessionFactory sessionFactory = new LdapSessionFactory(config, sslService, threadPool);
@ -325,9 +320,7 @@ public class ActiveDirectorySessionFactoryTests extends AbstractActiveDirectoryT
null,
ignoreReferralErrors);
final Settings.Builder builder = Settings.builder().put(settings).put(globalSettings);
if (useGlobalSSL == false) {
builder.putList(RealmSettings.realmSslPrefix(realmId) + "certificate_authorities", certificatePaths);
}
builder.putList(RealmSettings.realmSslPrefix(realmId) + "certificate_authorities", certificatePaths);
settings = builder.build();
RealmConfig config = new RealmConfig(realmId,
settings, TestEnvironment.newEnvironment(globalSettings),
@ -352,12 +345,10 @@ public class ActiveDirectorySessionFactoryTests extends AbstractActiveDirectoryT
public void testStandardLdapWithAttributeGroups() throws Exception {
String userTemplate = "CN={0},CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com";
Settings settings = LdapTestCase.buildLdapSettings(new String[]{AD_LDAP_URL}, userTemplate, false);
if (useGlobalSSL == false) {
settings = Settings.builder()
.put(settings)
.putList("ssl.certificate_authorities", certificatePaths)
.build();
}
settings = Settings.builder()
.put(settings)
.putList("ssl.certificate_authorities", certificatePaths)
.build();
RealmConfig config = configureRealm("ad-as-ldap-test", settings);
LdapSessionFactory sessionFactory = new LdapSessionFactory(config, sslService, threadPool);
@ -412,9 +403,7 @@ public class ActiveDirectorySessionFactoryTests extends AbstractActiveDirectoryT
builder.put(getFullSettingKey(REALM_ID, SessionFactorySettings.HOSTNAME_VERIFICATION_SETTING), hostnameVerification);
}
if (useGlobalSSL == false) {
builder.putList(getFullSettingKey(REALM_ID, SSLConfigurationSettings.CAPATH_SETTING_REALM), certificatePaths);
}
builder.putList(getFullSettingKey(REALM_ID, SSLConfigurationSettings.CAPATH_SETTING_REALM), certificatePaths);
if (useBindUser) {
final String user = randomFrom("cap", "hawkeye", "hulk", "ironman", "thor", "blackwidow", "cap@ad.test.elasticsearch.com",

View File

@ -251,9 +251,12 @@ node.data: false
discovery.zen.ping.unicast.hosts: ["127.0.0.1:9301"]
cluster.initial_master_nodes: ["node-master"]
xpack.ssl.key: $ESCONFIG/certs/node-master/node-master.key
xpack.ssl.certificate: $ESCONFIG/certs/node-master/node-master.crt
xpack.ssl.certificate_authorities: ["$ESCONFIG/certs/ca/ca.crt"]
xpack.security.transport.ssl.key: $ESCONFIG/certs/node-master/node-master.key
xpack.security.transport.ssl.certificate: $ESCONFIG/certs/node-master/node-master.crt
xpack.security.transport.ssl.certificate_authorities: ["$ESCONFIG/certs/ca/ca.crt"]
xpack.security.http.ssl.key: $ESCONFIG/certs/node-master/node-master.key
xpack.security.http.ssl.certificate: $ESCONFIG/certs/node-master/node-master.crt
xpack.security.http.ssl.certificate_authorities: ["$ESCONFIG/certs/ca/ca.crt"]
xpack.security.transport.ssl.enabled: true
transport.tcp.port: 9300
@ -334,9 +337,12 @@ node.master: false
node.data: true
discovery.zen.ping.unicast.hosts: ["127.0.0.1:9300"]
xpack.ssl.key: $ESCONFIG/certs/node-data/node-data.key
xpack.ssl.certificate: $ESCONFIG/certs/node-data/node-data.crt
xpack.ssl.certificate_authorities: ["$ESCONFIG/certs/ca/ca.crt"]
xpack.security.transport.ssl.key: $ESCONFIG/certs/node-data/node-data.key
xpack.security.transport.ssl.certificate: $ESCONFIG/certs/node-data/node-data.crt
xpack.security.transport.ssl.certificate_authorities: ["$ESCONFIG/certs/ca/ca.crt"]
xpack.security.http.ssl.key: $ESCONFIG/certs/node-data/node-data.key
xpack.security.http.ssl.certificate: $ESCONFIG/certs//node-data/node-data.crt
xpack.security.http.ssl.certificate_authorities: ["$ESCONFIG/certs/ca/ca.crt"]
xpack.security.transport.ssl.enabled: true
transport.tcp.port: 9301