diff --git a/elasticsearch/qa/shield-audit-tests/build.gradle b/elasticsearch/qa/shield-audit-tests/build.gradle index 454f3f33d33..228b9ecdce2 100644 --- a/elasticsearch/qa/shield-audit-tests/build.gradle +++ b/elasticsearch/qa/shield-audit-tests/build.gradle @@ -7,8 +7,8 @@ dependencies { integTest { cluster { plugin 'x-pack', project(':x-plugins:elasticsearch:x-pack') - setting 'shield.audit.enabled', 'true' - setting 'shield.audit.outputs', 'index' + setting 'xpack.security.audit.enabled', 'true' + setting 'xpack.security.audit.outputs', 'index' setupCommand 'setupDummyUser', 'bin/x-pack/users', 'useradd', 'test_user', '-p', 'changeme', '-r', 'admin' waitCondition = { node, ant -> diff --git a/elasticsearch/qa/shield-audit-tests/src/test/java/org/elasticsearch/shield/audit/IndexAuditIT.java b/elasticsearch/qa/shield-audit-tests/src/test/java/org/elasticsearch/shield/audit/IndexAuditIT.java index 421460e91f8..1ff6fa0e570 100644 --- a/elasticsearch/qa/shield-audit-tests/src/test/java/org/elasticsearch/shield/audit/IndexAuditIT.java +++ b/elasticsearch/qa/shield-audit-tests/src/test/java/org/elasticsearch/shield/audit/IndexAuditIT.java @@ -12,6 +12,7 @@ import org.elasticsearch.cluster.metadata.IndexTemplateMetaData; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.index.query.QueryBuilders; import org.elasticsearch.plugins.Plugin; +import org.elasticsearch.shield.Security; import org.elasticsearch.shield.audit.index.IndexAuditTrail; import org.elasticsearch.shield.authc.support.SecuredString; import org.elasticsearch.shield.authc.support.UsernamePasswordToken; @@ -85,7 +86,7 @@ public class IndexAuditIT extends ESIntegTestCase { @Override protected Settings externalClusterClientSettings() { return Settings.builder() - .put("shield.user", USER + ":" + PASS) + .put(Security.USER_SETTING.getKey(), USER + ":" + PASS) .build(); } 
diff --git a/elasticsearch/qa/shield-client-tests/src/test/java/org/elasticsearch/shield/qa/ShieldTransportClientIT.java b/elasticsearch/qa/shield-client-tests/src/test/java/org/elasticsearch/shield/qa/ShieldTransportClientIT.java index 3d5e6f289bf..b0522871545 100644 --- a/elasticsearch/qa/shield-client-tests/src/test/java/org/elasticsearch/shield/qa/ShieldTransportClientIT.java +++ b/elasticsearch/qa/shield-client-tests/src/test/java/org/elasticsearch/shield/qa/ShieldTransportClientIT.java @@ -13,6 +13,7 @@ import org.elasticsearch.client.transport.TransportClient; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.transport.TransportAddress; import org.elasticsearch.plugins.Plugin; +import org.elasticsearch.shield.Security; import org.elasticsearch.shield.authc.support.SecuredString; import org.elasticsearch.test.ESIntegTestCase; import org.elasticsearch.xpack.XPackPlugin; @@ -35,7 +36,7 @@ public class ShieldTransportClientIT extends ESIntegTestCase { @Override protected Settings externalClusterClientSettings() { return Settings.builder() - .put("shield.user", ADMIN_USER_PW) + .put(Security.USER_SETTING.getKey(), ADMIN_USER_PW) .build(); } @@ -56,7 +57,7 @@ public class ShieldTransportClientIT extends ESIntegTestCase { public void testThatTransportClientAuthenticationWithTransportClientRole() throws Exception { Settings settings = Settings.builder() - .put("shield.user", TRANSPORT_USER_PW) + .put(Security.USER_SETTING.getKey(), TRANSPORT_USER_PW) .build(); try (TransportClient client = transportClient(settings)) { boolean connected = awaitBusy(() -> { 
@@ -78,7 +79,7 @@ public class ShieldTransportClientIT extends ESIntegTestCase { public void testTransportClientWithAdminUser() throws Exception { final boolean useTransportUser = randomBoolean(); Settings settings = Settings.builder() - .put("shield.user", useTransportUser ? TRANSPORT_USER_PW : ADMIN_USER_PW) + .put(Security.USER_SETTING.getKey(), useTransportUser ? TRANSPORT_USER_PW : ADMIN_USER_PW) .build(); try (TransportClient client = transportClient(settings)) { boolean connected = awaitBusy(() -> { diff --git a/elasticsearch/qa/shield-example-realm/build.gradle b/elasticsearch/qa/shield-example-realm/build.gradle index f0803a3ebf1..3d46493c8ed 100644 --- a/elasticsearch/qa/shield-example-realm/build.gradle +++ b/elasticsearch/qa/shield-example-realm/build.gradle @@ -35,11 +35,10 @@ task buildZip(type:Zip, dependsOn: [jar]) { task integTest(type: org.elasticsearch.gradle.test.RestIntegTestTask, dependsOn: buildZip) { cluster { plugin 'x-pack', project(':x-plugins:elasticsearch:x-pack') - // TODO: these should be settings? - setting 'shield.authc.realms.custom.order', '0' - setting 'shield.authc.realms.custom.type', 'custom' - setting 'shield.authc.realms.esusers.order', '1' - setting 'shield.authc.realms.esusers.type', 'file' + setting 'xpack.security.authc.realms.custom.order', '0' + setting 'xpack.security.authc.realms.custom.type', 'custom' + setting 'xpack.security.authc.realms.esusers.order', '1' + setting 'xpack.security.authc.realms.esusers.type', 'file' setupCommand 'setupDummyUser', 'bin/x-pack/users', 'useradd', 'test_user', '-p', 'changeme', '-r', 'admin' diff --git a/elasticsearch/qa/smoke-test-found-license-with-shield-and-watcher/src/test/java/org/elasticsearch/smoketest/MarvelClusterInfoIT.java b/elasticsearch/qa/smoke-test-found-license-with-shield-and-watcher/src/test/java/org/elasticsearch/smoketest/MarvelClusterInfoIT.java index 6c4fe7c80e1..6c980ba3a13 100644 
--- a/elasticsearch/qa/smoke-test-found-license-with-shield-and-watcher/src/test/java/org/elasticsearch/smoketest/MarvelClusterInfoIT.java +++ b/elasticsearch/qa/smoke-test-found-license-with-shield-and-watcher/src/test/java/org/elasticsearch/smoketest/MarvelClusterInfoIT.java @@ -13,6 +13,7 @@ import org.elasticsearch.index.IndexNotFoundException; import org.elasticsearch.plugins.Plugin; import org.elasticsearch.test.ESIntegTestCase; import org.elasticsearch.xpack.XPackPlugin; +import org.elasticsearch.shield.Shield; import org.hamcrest.Matcher; import java.util.Collection; @@ -31,7 +32,7 @@ public class MarvelClusterInfoIT extends ESIntegTestCase { @Override protected Settings externalClusterClientSettings() { return Settings.builder() - .put("shield.user", ADMIN_USER_PW) + .put(Shield.USER_SETTING.getKey(), ADMIN_USER_PW) .build(); } diff --git a/elasticsearch/qa/smoke-test-found-license-with-shield-and-watcher/src/test/java/org/elasticsearch/smoketest/WatcherWithShieldIT.java b/elasticsearch/qa/smoke-test-found-license-with-shield-and-watcher/src/test/java/org/elasticsearch/smoketest/WatcherWithShieldIT.java index d7d1943d4ec..21aa80f9daf 100644 --- a/elasticsearch/qa/smoke-test-found-license-with-shield-and-watcher/src/test/java/org/elasticsearch/smoketest/WatcherWithShieldIT.java +++ b/elasticsearch/qa/smoke-test-found-license-with-shield-and-watcher/src/test/java/org/elasticsearch/smoketest/WatcherWithShieldIT.java @@ -15,6 +15,7 @@ import org.elasticsearch.client.support.Headers; import org.elasticsearch.common.network.NetworkAddress; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.plugins.Plugin; +import org.elasticsearch.shield.Shield; import org.elasticsearch.shield.authc.support.SecuredString; import org.elasticsearch.shield.authc.support.UsernamePasswordToken; import org.elasticsearch.test.rest.ESRestTestCase; 
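Review bot: MarvelClusterInfoIT imports `org.elasticsearch.shield.Shield` and calls `Shield.USER_SETTING.getKey()`, while every other test in this commit imports `org.elasticsearch.shield.Security`, and the main class's constructor is renamed to `public Security(Settings settings)` further down in the diff. Unless a `Shield` class still exists alongside `Security`, these two lines will not compile; the same pair of lines appears in WatcherWithShieldIT (its import hunk on this line and the use in the next hunk). Suggested change: `import org.elasticsearch.shield.Security;` and `.put(Security.USER_SETTING.getKey(), ADMIN_USER_PW)`.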
@@ -80,7 +81,7 @@ public class WatcherWithShieldIT extends ESRestTestCase { @Override protected Settings externalClusterClientSettings() { return Settings.builder() - .put("shield.user", TEST_ADMIN_USERNAME + ":" + TEST_ADMIN_PASSWORD) + .put(Shield.USER_SETTING.getKey(), TEST_ADMIN_USERNAME + ":" + TEST_ADMIN_PASSWORD) .build(); } diff --git a/elasticsearch/qa/smoke-test-plugins-ssl/build.gradle b/elasticsearch/qa/smoke-test-plugins-ssl/build.gradle index 9e0675beaa0..ede834b2ed7 100644 --- a/elasticsearch/qa/smoke-test-plugins-ssl/build.gradle +++ b/elasticsearch/qa/smoke-test-plugins-ssl/build.gradle @@ -153,10 +153,10 @@ integTest { setting 'xpack.monitoring.agent.exporters._http.auth.username', 'monitoring_agent' setting 'xpack.monitoring.agent.exporters._http.auth.password', 'changeme' - setting 'shield.transport.ssl', 'true' - setting 'shield.http.ssl', 'true' - setting 'shield.ssl.keystore.path', nodeKeystore.name - setting 'shield.ssl.keystore.password', 'keypass' + setting 'xpack.security.transport.ssl.enabled', 'true' + setting 'xpack.security.http.ssl.enabled', 'true' + setting 'xpack.security.ssl.keystore.path', nodeKeystore.name + setting 'xpack.security.ssl.keystore.password', 'keypass' plugin 'x-pack', project(':x-plugins:elasticsearch:x-pack') diff --git a/elasticsearch/qa/smoke-test-plugins-ssl/src/test/java/org/elasticsearch/smoketest/SmokeTestMonitoringWithShieldIT.java b/elasticsearch/qa/smoke-test-plugins-ssl/src/test/java/org/elasticsearch/smoketest/SmokeTestMonitoringWithShieldIT.java index fadd30cbbb4..f4f74d20c3f 100644 --- a/elasticsearch/qa/smoke-test-plugins-ssl/src/test/java/org/elasticsearch/smoketest/SmokeTestMonitoringWithShieldIT.java +++ b/elasticsearch/qa/smoke-test-plugins-ssl/src/test/java/org/elasticsearch/smoketest/SmokeTestMonitoringWithShieldIT.java 
@@ -12,6 +12,7 @@ import org.elasticsearch.common.io.PathUtils; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.transport.InetSocketTransportAddress; import org.elasticsearch.plugins.Plugin; +import org.elasticsearch.shield.Security; import org.elasticsearch.shield.transport.netty.ShieldNettyTransport; import org.elasticsearch.test.ESIntegTestCase; import org.elasticsearch.xpack.XPackPlugin; @@ -58,10 +59,10 @@ public class SmokeTestMonitoringWithShieldIT extends ESIntegTestCase { @Override protected Settings externalClusterClientSettings() { return Settings.builder() - .put("shield.user", USER + ":" + PASS) - .put(ShieldNettyTransport.TRANSPORT_SSL_SETTING, true) - .put("shield.ssl.keystore.path", clientKeyStore) - .put("shield.ssl.keystore.password", KEYSTORE_PASS) + .put(Security.USER_SETTING.getKey(), USER + ":" + PASS) + .put(ShieldNettyTransport.SSL_SETTING.getKey(), true) + .put("xpack.security.ssl.keystore.path", clientKeyStore) + .put("xpack.security.ssl.keystore.password", KEYSTORE_PASS) .build(); } diff --git a/elasticsearch/qa/smoke-test-watcher-with-groovy/build.gradle b/elasticsearch/qa/smoke-test-watcher-with-groovy/build.gradle index 9c2fb304d8d..22b8d482a14 100644 --- a/elasticsearch/qa/smoke-test-watcher-with-groovy/build.gradle +++ b/elasticsearch/qa/smoke-test-watcher-with-groovy/build.gradle @@ -9,7 +9,7 @@ integTest { cluster { plugin 'x-pack', project(':x-plugins:elasticsearch:x-pack') setting 'script.inline', 'true' - setting 'xpack.shield.enabled', 'false' + setting 'xpack.security.enabled', 'false' setting 'xpack.monitoring.enabled', 'false' } } diff --git a/elasticsearch/qa/smoke-test-watcher-with-mustache/build.gradle b/elasticsearch/qa/smoke-test-watcher-with-mustache/build.gradle index 37575d2605b..25831523b34 100644 --- a/elasticsearch/qa/smoke-test-watcher-with-mustache/build.gradle +++ b/elasticsearch/qa/smoke-test-watcher-with-mustache/build.gradle 
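Review bot: In `externalClusterClientSettings` the SSL enable flag now goes through `ShieldNettyTransport.SSL_SETTING.getKey()`, but the keystore path and password keys are still written as the literals `"xpack.security.ssl.keystore.path"` and `"xpack.security.ssl.keystore.password"`. The main class's `onModule` delegates these keys to `SSLSettings.registerSettings`, so if that class exposes `Setting` constants for them, using `.getKey()` here keeps the test from silently drifting if the prefix is renamed again; I cannot see `SSLSettings` in this diff, so this is a suggestion to check rather than a confirmed mismatch.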
@@ -8,7 +8,7 @@ dependencies { integTest { cluster { plugin 'x-pack', project(':x-plugins:elasticsearch:x-pack') - setting 'xpack.shield.enabled', 'false' + setting 'xpack.security.enabled', 'false' setting 'xpack.monitoring.enabled', 'false' setting 'http.port', '9400' } diff --git a/elasticsearch/x-pack/graph/src/test/java/org/elasticsearch/graph/test/GraphTests.java b/elasticsearch/x-pack/graph/src/test/java/org/elasticsearch/graph/test/GraphTests.java index 489b476d664..1c633cdf61a 100644 --- a/elasticsearch/x-pack/graph/src/test/java/org/elasticsearch/graph/test/GraphTests.java +++ b/elasticsearch/x-pack/graph/src/test/java/org/elasticsearch/graph/test/GraphTests.java @@ -27,7 +27,7 @@ import org.elasticsearch.script.NativeScriptFactory; import org.elasticsearch.script.Script; import org.elasticsearch.script.ScriptModule; import org.elasticsearch.script.ScriptService.ScriptType; -import org.elasticsearch.shield.Shield; +import org.elasticsearch.shield.Security; import org.elasticsearch.test.ESSingleNodeTestCase; import org.elasticsearch.watcher.Watcher; import org.elasticsearch.xpack.XPackPlugin; @@ -125,7 +125,7 @@ public class GraphTests extends ESSingleNodeTestCase { public Settings nodeSettings() { // Disable Shield otherwise authentication failures happen creating indices. Builder newSettings = Settings.builder(); - newSettings.put(XPackPlugin.featureEnabledSetting(Shield.NAME), false); + newSettings.put(XPackPlugin.featureEnabledSetting(Security.NAME), false); newSettings.put(XPackPlugin.featureEnabledSetting(Marvel.NAME), false); newSettings.put(XPackPlugin.featureEnabledSetting(Watcher.NAME), false); return newSettings.build(); diff --git a/elasticsearch/x-pack/license-plugin/src/test/java/org/elasticsearch/license/plugin/AbstractLicensesIntegrationTestCase.java b/elasticsearch/x-pack/license-plugin/src/test/java/org/elasticsearch/license/plugin/AbstractLicensesIntegrationTestCase.java index 7f9bd210f13..e46027d642c 100644 
--- a/elasticsearch/x-pack/license-plugin/src/test/java/org/elasticsearch/license/plugin/AbstractLicensesIntegrationTestCase.java +++ b/elasticsearch/x-pack/license-plugin/src/test/java/org/elasticsearch/license/plugin/AbstractLicensesIntegrationTestCase.java @@ -26,7 +26,7 @@ import org.elasticsearch.license.plugin.core.LicensesMetaData; import org.elasticsearch.license.plugin.core.LicensesStatus; import org.elasticsearch.marvel.Marvel; import org.elasticsearch.plugins.Plugin; -import org.elasticsearch.shield.Shield; +import org.elasticsearch.shield.Security; import org.elasticsearch.test.ESIntegTestCase; import org.elasticsearch.test.InternalTestCluster; import org.elasticsearch.watcher.Watcher; @@ -48,7 +48,7 @@ public abstract class AbstractLicensesIntegrationTestCase extends ESIntegTestCas @Override protected Settings nodeSettings(int nodeOrdinal) { return Settings.builder() - .put(XPackPlugin.featureEnabledSetting(Shield.NAME), false) + .put(XPackPlugin.featureEnabledSetting(Security.NAME), false) .put(XPackPlugin.featureEnabledSetting(Marvel.NAME), false) .put(XPackPlugin.featureEnabledSetting(Watcher.NAME), false) .put(XPackPlugin.featureEnabledSetting(Graph.NAME), false) diff --git a/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/agent/collector/indices/IndexRecoveryCollector.java b/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/agent/collector/indices/IndexRecoveryCollector.java index cd120c46ab1..86ea9d2cfe6 100644 --- a/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/agent/collector/indices/IndexRecoveryCollector.java +++ b/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/agent/collector/indices/IndexRecoveryCollector.java 
@@ -18,7 +18,7 @@ import org.elasticsearch.marvel.agent.collector.AbstractCollector; import org.elasticsearch.marvel.agent.exporter.MonitoringDoc; import org.elasticsearch.marvel.license.MarvelLicensee; import org.elasticsearch.shield.InternalClient; -import org.elasticsearch.shield.Shield; +import org.elasticsearch.shield.Security; import java.util.ArrayList; import java.util.Arrays; @@ -69,7 +69,7 @@ public class IndexRecoveryCollector extends AbstractCollector results.add(indexStatsDoc); } } catch (IndexNotFoundException e) { - if (Shield.enabled(settings) && IndexNameExpressionResolver.isAllIndices(Arrays.asList(marvelSettings.indices()))) { + if (Security.enabled(settings) && IndexNameExpressionResolver.isAllIndices(Arrays.asList(marvelSettings.indices()))) { logger.debug("collector [{}] - unable to collect data for missing index [{}]", name(), e.getIndex()); } else { throw e; diff --git a/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/agent/collector/indices/IndicesStatsCollector.java b/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/agent/collector/indices/IndicesStatsCollector.java index cbe2bdaec05..8c56780f640 100644 --- a/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/agent/collector/indices/IndicesStatsCollector.java +++ b/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/agent/collector/indices/IndicesStatsCollector.java @@ -18,7 +18,7 @@ import org.elasticsearch.marvel.agent.collector.AbstractCollector; import org.elasticsearch.marvel.agent.exporter.MonitoringDoc; import org.elasticsearch.marvel.license.MarvelLicensee; import org.elasticsearch.shield.InternalClient; -import org.elasticsearch.shield.Shield; +import org.elasticsearch.shield.Security; import java.util.Arrays; import java.util.Collection; 
@@ -68,7 +68,7 @@ public class IndicesStatsCollector extends AbstractCollector> USER_SETTING = OptionalStringSetting.create(setting("user"), Property.NodeScope); private final Settings settings; private final boolean enabled; private final boolean transportClientMode; private ShieldLicenseState shieldLicenseState; - public Shield(Settings settings) { + public Security(Settings settings) { this.settings = settings; this.transportClientMode = XPackPlugin.transportClientMode(settings); this.enabled = XPackPlugin.featureEnabled(settings, NAME, true); 
@@ -166,57 +173,69 @@ public class Shield { } Settings.Builder settingsBuilder = Settings.settingsBuilder(); - settingsBuilder.put(NetworkModule.TRANSPORT_TYPE_KEY, Shield.NAME); - settingsBuilder.put(NetworkModule.TRANSPORT_SERVICE_TYPE_KEY, Shield.NAME); - settingsBuilder.put(NetworkModule.HTTP_TYPE_SETTING.getKey(), Shield.NAME); + settingsBuilder.put(NetworkModule.TRANSPORT_TYPE_KEY, Security.NAME); + settingsBuilder.put(NetworkModule.TRANSPORT_SERVICE_TYPE_KEY, Security.NAME); + settingsBuilder.put(NetworkModule.HTTP_TYPE_SETTING.getKey(), Security.NAME); addUserSettings(settingsBuilder); addTribeSettings(settingsBuilder); return settingsBuilder.build(); } public void onModule(SettingsModule settingsModule) { - //TODO shouldn't we register these settings only if shield is enabled and we're not in a client mode? - settingsModule.registerSetting(IPFilter.IP_FILTER_ENABLED_SETTING); - settingsModule.registerSetting(IPFilter.IP_FILTER_ENABLED_HTTP_SETTING); - settingsModule.registerSetting(IPFilter.HTTP_FILTER_ALLOW_SETTING); - settingsModule.registerSetting(IPFilter.HTTP_FILTER_DENY_SETTING); - settingsModule.registerSetting(IPFilter.TRANSPORT_FILTER_ALLOW_SETTING); - settingsModule.registerSetting(IPFilter.TRANSPORT_FILTER_DENY_SETTING); + // always register for both client and node modes XPackPlugin.registerFeatureEnabledSettings(settingsModule, NAME, true); - XPackPlugin.registerFeatureEnabledSettings(settingsModule, DLS_FLS_FEATURE, true); - settingsModule.registerSetting(Setting.groupSetting("shield.audit.", Setting.Property.NodeScope)); - settingsModule.registerSetting(Setting.listSetting("shield.hide_settings", Collections.emptyList(), Function.identity(), - Setting.Property.NodeScope)); - settingsModule.registerSetting(Setting.groupSetting("shield.ssl.", Setting.Property.NodeScope)); - settingsModule.registerSetting(Setting.groupSetting("shield.authc.", Setting.Property.NodeScope)); - 
settingsModule.registerSetting(Setting.simpleString("shield.authz.store.files.roles", Setting.Property.NodeScope)); - settingsModule.registerSetting(Setting.simpleString("shield.system_key.file", Setting.Property.NodeScope)); - settingsModule.registerSetting(Setting.boolSetting(ShieldNettyHttpServerTransport.HTTP_SSL_SETTING, - ShieldNettyHttpServerTransport.HTTP_SSL_DEFAULT, Setting.Property.NodeScope)); - // FIXME need to register a real setting with the defaults here - settingsModule.registerSetting(Setting.simpleString(ShieldNettyHttpServerTransport.HTTP_CLIENT_AUTH_SETTING, - Setting.Property.NodeScope)); - settingsModule.registerSetting(Setting.boolSetting(ShieldNettyTransport.TRANSPORT_SSL_SETTING, - ShieldNettyTransport.TRANSPORT_SSL_DEFAULT, Setting.Property.NodeScope)); - settingsModule.registerSetting(Setting.simpleString(ShieldNettyTransport.TRANSPORT_CLIENT_AUTH_SETTING, - Setting.Property.NodeScope)); - settingsModule.registerSetting(Setting.simpleString("shield.user", Setting.Property.NodeScope)); - settingsModule.registerSetting(Setting.simpleString("shield.encryption_key.algorithm", Setting.Property.NodeScope)); - settingsModule.registerSetting(Setting.simpleString("shield.encryption.algorithm", Setting.Property.NodeScope)); + settingsModule.registerSetting(USER_SETTING); - String[] asArray = settings.getAsArray("shield.hide_settings"); + // SSL settings + SSLSettings.registerSettings(settingsModule); + + // transport settings + ShieldNettyTransport.registerSettings(settingsModule); + + if (transportClientMode) { + return; + } + + // The following just apply in node mode + XPackPlugin.registerFeatureEnabledSettings(settingsModule, DLS_FLS_FEATURE, true); + + // IP Filter settings + IPFilter.registerSettings(settingsModule); + + // audit settings + AuditTrailModule.registerSettings(settingsModule); + + // authentication settings + FileRolesStore.registerSettings(settingsModule); + AnonymousService.registerSettings(settingsModule); + 
Realms.registerSettings(settingsModule); + NativeUsersStore.registerSettings(settingsModule); + NativeRolesStore.registerSettings(settingsModule); + InternalAuthenticationService.registerSettings(settingsModule); + + // HTTP settings + ShieldNettyHttpServerTransport.registerSettings(settingsModule); + + // encryption settings + InternalCryptoService.registerSettings(settingsModule); + + // hide settings + settingsModule.registerSetting(Setting.listSetting(setting("hide_settings"), Collections.emptyList(), Function.identity(), + Property.NodeScope, Property.Filtered)); + String[] asArray = settings.getAsArray(setting("hide_settings")); for (String pattern : asArray) { settingsModule.registerSettingsFilter(pattern); } - settingsModule.registerSettingsFilter("shield.hide_settings"); - settingsModule.registerSettingsFilter("shield.ssl.*"); - settingsModule.registerSettingsFilter("shield.authc.realms.*.bind_dn"); - settingsModule.registerSettingsFilter("shield.authc.realms.*.bind_password"); - settingsModule.registerSettingsFilter("shield.authc.realms.*." + SessionFactory.HOSTNAME_VERIFICATION_SETTING); - settingsModule.registerSettingsFilter("shield.authc.realms.*.truststore.password"); - settingsModule.registerSettingsFilter("shield.authc.realms.*.truststore.path"); - settingsModule.registerSettingsFilter("shield.authc.realms.*.truststore.algorithm"); - settingsModule.registerSettingsFilter("transport.profiles.*.shield.*"); + + settingsModule.registerSettingsFilter(setting("authc.realms.*.bind_dn")); + settingsModule.registerSettingsFilter(setting("authc.realms.*.bind_password")); + settingsModule.registerSettingsFilter(setting("authc.realms.*." 
+ SessionFactory.HOSTNAME_VERIFICATION_SETTING)); + settingsModule.registerSettingsFilter(setting("authc.realms.*.truststore.password")); + settingsModule.registerSettingsFilter(setting("authc.realms.*.truststore.path")); + settingsModule.registerSettingsFilter(setting("authc.realms.*.truststore.algorithm")); + + // hide settings where we don't define them - they are part of a group... + settingsModule.registerSettingsFilter("transport.profiles.*." + setting("*")); } public void onIndexModule(IndexModule module) { @@ -232,12 +251,12 @@ public class Shield { shieldLicenseState)); } if (transportClientMode == false) { - module.registerQueryCache(Shield.OPT_OUT_QUERY_CACHE, OptOutQueryCache::new); + module.registerQueryCache(Security.OPT_OUT_QUERY_CACHE, OptOutQueryCache::new); /* We need to forcefully overwrite the query cache implementation to use Shield's opt out query cache implementation. * This impl. disabled the query cache if field level security is used for a particular request. If we wouldn't do * forcefully overwrite the query cache implementation then we leave the system vulnerable to leakages of data to * unauthorized users. */ - module.forceQueryCacheType(Shield.OPT_OUT_QUERY_CACHE); + module.forceQueryCacheType(Security.OPT_OUT_QUERY_CACHE); } } @@ -265,8 +284,8 @@ public class Shield { if (transportClientMode) { if (enabled) { - module.registerTransport(Shield.NAME, ShieldNettyTransport.class); - module.registerTransportService(Shield.NAME, ShieldClientTransportService.class); + module.registerTransport(Security.NAME, ShieldNettyTransport.class); + module.registerTransportService(Security.NAME, ShieldClientTransportService.class); } return; } 
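Review bot: The `shield.ssl.*` settings filter is removed from `onModule` and nothing in the rewritten method replaces it; unless `SSLSettings.registerSettings` (not visible in this diff) declares the keystore and truststore password settings with `Property.Filtered`, `xpack.security.ssl.keystore.password` becomes readable through the node settings API. If it does not, add `settingsModule.registerSettingsFilter(setting("ssl.*"));` next to the realm filters. The same question applies to `USER_SETTING`, registered at the top of the method without a filter even though its value is `user:password` (the old `shield.user` was equally unfiltered, so this is pre-existing). Note that the hunk opens inside the preceding method and that `onIndexModule`, whose signature is the last line here, continues outside it.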
@@ -275,8 +294,8 @@ public class Shield { module.registerRestHandler(RestShieldInfoAction.class); if (enabled) { - module.registerTransport(Shield.NAME, ShieldNettyTransport.class); - module.registerTransportService(Shield.NAME, ShieldServerTransportService.class); + module.registerTransport(Security.NAME, ShieldNettyTransport.class); + module.registerTransportService(Security.NAME, ShieldServerTransportService.class); module.registerRestHandler(RestAuthenticateAction.class); module.registerRestHandler(RestClearRealmCacheAction.class); module.registerRestHandler(RestClearRolesCacheAction.class); @@ -286,7 +305,7 @@ public class Shield { module.registerRestHandler(RestGetRolesAction.class); module.registerRestHandler(RestPutRoleAction.class); module.registerRestHandler(RestDeleteRoleAction.class); - module.registerHttpTransport(Shield.NAME, ShieldNettyHttpServerTransport.class); + module.registerHttpTransport(Security.NAME, ShieldNettyHttpServerTransport.class); } } 
@@ -295,18 +314,18 @@ public class Shield { if (settings.get(authHeaderSettingName) != null) { return; } - String userSetting = settings.get("shield.user"); - if (userSetting == null) { - return; - } - int i = userSetting.indexOf(":"); - if (i < 0 || i == userSetting.length() - 1) { - throw new IllegalArgumentException("invalid [shield.user] setting. must be in the form of \":\""); - } - String username = userSetting.substring(0, i); - String password = userSetting.substring(i + 1); - settingsBuilder.put(authHeaderSettingName, UsernamePasswordToken.basicAuthHeaderValue(username, new SecuredString(password - .toCharArray()))); + Optional userOptional = USER_SETTING.get(settings); + userOptional.ifPresent(userSetting -> { + final int i = userSetting.indexOf(":"); + if (i < 0 || i == userSetting.length() - 1) { + throw new IllegalArgumentException("invalid [" + USER_SETTING.getKey() + "] setting. must be in the form of " + + "\":\""); + } + String username = userSetting.substring(0, i); + String password = userSetting.substring(i + 1); + settingsBuilder.put(authHeaderSettingName, UsernamePasswordToken.basicAuthHeaderValue(username, new SecuredString(password + .toCharArray()))); + }); } /** @@ -357,7 +376,7 @@ public class Shield { // we passed all the checks now we need to copy in all of the shield settings for (Map.Entry entry : settingsMap.entrySet()) { String key = entry.getKey(); - if (key.startsWith("shield.")) { + if (key.startsWith("xpack.security.")) { settingsBuilder.put(tribePrefix + key, entry.getValue()); } } 
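Review bot: The validation inside the `ifPresent` lambda still accepts an empty username: `:secret` passes because only a missing colon (`i < 0`) and a trailing colon are rejected, so an empty-user basic-auth header is built and sent. Changing the guard to `if (i <= 0 || i == userSetting.length() - 1) {` rejects that case with the same exception. The message correctly avoids echoing the setting value, which carries the password. `addUserSettings` begins before this hunk.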
@@ -372,6 +391,23 @@ public class Shield { return XPackPlugin.featureEnabled(settings, DLS_FLS_FEATURE, true); } + public static String enabledSetting() { + return XPackPlugin.featureEnabledSetting(NAME); + } + + public static String settingPrefix() { + return XPackPlugin.featureSettingPrefix(NAME) + "."; + } + + public static String setting(String setting) { + assert setting != null && setting.startsWith(".") == false; + return settingPrefix() + setting; + } + + public static String featureEnabledSetting(String feature) { + assert feature != null && feature.startsWith(".") == false; + return XPackPlugin.featureEnabledSetting("security." + feature); + } static void validateAutoCreateIndex(Settings settings) { String value = settings.get("action.auto_create_index"); diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/ShieldActionFilter.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/ShieldActionFilter.java index 90421c24143..41f75e9769b 100644 --- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/ShieldActionFilter.java +++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/ShieldActionFilter.java @@ -19,7 +19,7 @@ import org.elasticsearch.common.inject.Inject; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.license.plugin.core.LicenseUtils; -import org.elasticsearch.shield.Shield; +import org.elasticsearch.shield.Security; import org.elasticsearch.shield.SystemUser; import org.elasticsearch.shield.User; import org.elasticsearch.shield.action.interceptor.RequestInterceptor; 
@@ -88,7 +88,7 @@ public class ShieldActionFilter extends AbstractComponent implements ActionFilte logger.error("blocking [{}] operation due to expired license. Cluster health, cluster stats and indices stats \n" + "operations are blocked on shield license expiration. All data operations (read and write) continue to work. \n" + "If you have a new license, please update it. Otherwise, please reach out to your support contact.", action); - throw LicenseUtils.newComplianceException(Shield.NAME); + throw LicenseUtils.newComplianceException(Security.NAME); } // only restore the context if it is not empty. This is needed because sometimes a response is sent to the user diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/audit/AuditTrailModule.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/audit/AuditTrailModule.java index a79a0b357d2..f58e0f01b81 100644 --- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/audit/AuditTrailModule.java +++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/audit/AuditTrailModule.java 
@@ -7,24 +7,40 @@ package org.elasticsearch.shield.audit; import org.elasticsearch.ElasticsearchException; import org.elasticsearch.common.inject.multibindings.Multibinder; +import org.elasticsearch.common.settings.Setting; +import org.elasticsearch.common.settings.Setting.Property; import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.common.settings.SettingsModule; import org.elasticsearch.common.util.set.Sets; import org.elasticsearch.shield.audit.index.IndexAuditTrail; import org.elasticsearch.shield.audit.logfile.LoggingAuditTrail; import org.elasticsearch.shield.support.AbstractShieldModule; +import java.util.Collections; +import java.util.List; import java.util.Set; +import java.util.function.Function; + +import static org.elasticsearch.shield.Security.featureEnabledSetting; +import static org.elasticsearch.shield.Security.setting; /** * */ public class AuditTrailModule extends AbstractShieldModule.Node { + public static final Setting ENABLED_SETTING = + Setting.boolSetting(featureEnabledSetting("audit"), false, Property.NodeScope); + public static final Setting> OUTPUTS_SETTING = + Setting.listSetting(setting("audit.outputs"), + s -> s.getAsMap().containsKey(setting("audit.outputs")) ? + Collections.emptyList() : Collections.singletonList(LoggingAuditTrail.NAME), + Function.identity(), Property.NodeScope); private final boolean enabled; public AuditTrailModule(Settings settings) { super(settings); - enabled = auditingEnabled(settings); + enabled = ENABLED_SETTING.get(settings); } @Override @@ -33,8 +49,8 @@ public class AuditTrailModule extends AbstractShieldModule.Node { bind(AuditTrail.class).toInstance(AuditTrail.NOOP); return; } - String[] outputs = settings.getAsArray("shield.audit.outputs", new String[] { LoggingAuditTrail.NAME }); - if (outputs.length == 0) { + List outputs = OUTPUTS_SETTING.get(settings); + if (outputs.isEmpty()) { bind(AuditTrail.class).toInstance(AuditTrail.NOOP); return; } 
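Review bot: The default function of `OUTPUTS_SETTING` has no comment, and its behaviour is not obvious: it returns an empty list when the raw key is present in `s.getAsMap()` and `[logfile]` otherwise, so whether an explicitly configured empty value disables auditing depends on how the list was written in the settings. Add a comment above the lambda such as `// default to the logfile output only when audit.outputs was not configured at all; an explicitly set value (even an empty one) is taken as-is`. It would also be worth confirming that a list given as `outputs.0`, `outputs.1` entries, rather than a single comma-separated string, is still recognised as "configured" by that `containsKey` check.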
@@ -59,12 +75,12 @@ public class AuditTrailModule extends AbstractShieldModule.Node { } public static boolean auditingEnabled(Settings settings) { - return settings.getAsBoolean("shield.audit.enabled", false); + return ENABLED_SETTING.get(settings); } public static boolean indexAuditLoggingEnabled(Settings settings) { if (auditingEnabled(settings)) { - String[] outputs = settings.getAsArray("shield.audit.outputs"); + List outputs = OUTPUTS_SETTING.get(settings); for (String output : outputs) { if (output.equals(IndexAuditTrail.NAME)) { return true; @@ -76,7 +92,7 @@ public class AuditTrailModule extends AbstractShieldModule.Node { public static boolean fileAuditLoggingEnabled(Settings settings) { if (auditingEnabled(settings)) { - String[] outputs = settings.getAsArray("shield.audit.outputs", new String[] { LoggingAuditTrail.NAME }); + List outputs = OUTPUTS_SETTING.get(settings); for (String output : outputs) { if (output.equals(LoggingAuditTrail.NAME)) { return true; @@ -85,4 +101,11 @@ public class AuditTrailModule extends AbstractShieldModule.Node { } return false; } + + public static void registerSettings(SettingsModule settingsModule) { + settingsModule.registerSetting(ENABLED_SETTING); + settingsModule.registerSetting(OUTPUTS_SETTING); + LoggingAuditTrail.registerSettings(settingsModule); + IndexAuditTrail.registerSettings(settingsModule); + } } diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/audit/index/IndexAuditLevel.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/audit/index/IndexAuditLevel.java index ff3c94aca3b..178dabde1a1 100644 --- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/audit/index/IndexAuditLevel.java +++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/audit/index/IndexAuditLevel.java 
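Review bot: Now that `OUTPUTS_SETTING.get(settings)` yields a `List`, the manual `for` loops in `indexAuditLoggingEnabled` and `fileAuditLoggingEnabled` can each collapse to a single expression, e.g. `return auditingEnabled(settings) && OUTPUTS_SETTING.get(settings).contains(IndexAuditTrail.NAME);` (and the `LoggingAuditTrail.NAME` counterpart). Behaviour is unchanged, and the two helpers then read the same way as the new `registerSettings` method below them.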
@@ -7,6 +7,7 @@ package org.elasticsearch.shield.audit.index; import java.util.Arrays; import java.util.EnumSet; +import java.util.List; import java.util.Locale; public enum IndexAuditLevel { @@ -22,7 +23,7 @@ public enum IndexAuditLevel { RUN_AS_GRANTED, RUN_AS_DENIED; - static EnumSet parse(String[] levels) { + static EnumSet parse(List levels) { EnumSet enumSet = EnumSet.noneOf(IndexAuditLevel.class); for (String level : levels) { String lowerCaseLevel = level.trim().toLowerCase(Locale.ROOT); @@ -67,7 +68,7 @@ public enum IndexAuditLevel { return enumSet; } - public static EnumSet parse(String[] includeLevels, String[] excludeLevels) { + public static EnumSet parse(List includeLevels, List excludeLevels) { EnumSet included = parse(includeLevels); EnumSet excluded = parse(excludeLevels); included.removeAll(excluded); diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/audit/index/IndexAuditTrail.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/audit/index/IndexAuditTrail.java index 0e353dae7a7..4d9a5258bc4 100644 --- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/audit/index/IndexAuditTrail.java +++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/audit/index/IndexAuditTrail.java 
@@ -24,14 +24,16 @@ import org.elasticsearch.cluster.ClusterState; import org.elasticsearch.cluster.ClusterStateListener; import org.elasticsearch.cluster.metadata.IndexMetaData; import org.elasticsearch.common.Nullable; -import org.elasticsearch.common.Strings; import org.elasticsearch.common.collect.Tuple; import org.elasticsearch.common.component.AbstractComponent; import org.elasticsearch.common.inject.Inject; import org.elasticsearch.common.inject.Provider; import org.elasticsearch.common.io.Streams; import org.elasticsearch.common.network.NetworkAddress; +import org.elasticsearch.common.settings.Setting; +import org.elasticsearch.common.settings.Setting.Property; import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.common.settings.SettingsModule; import org.elasticsearch.common.transport.InetSocketTransportAddress; import org.elasticsearch.common.transport.TransportAddress; import org.elasticsearch.common.unit.TimeValue; @@ -49,7 +51,6 @@ import org.elasticsearch.shield.SystemUser; import org.elasticsearch.shield.User; import org.elasticsearch.shield.XPackUser; import org.elasticsearch.shield.audit.AuditTrail; -import org.elasticsearch.shield.authc.AuthenticationService; import org.elasticsearch.shield.authc.AuthenticationToken; import org.elasticsearch.shield.authz.privilege.SystemPrivilege; import org.elasticsearch.shield.rest.RemoteHostHeader; @@ -70,6 +71,7 @@ import java.net.SocketAddress; import java.net.UnknownHostException; import java.util.ArrayList; import java.util.Arrays; +import java.util.Collections; import java.util.EnumSet; import java.util.List; import java.util.Locale; 
@@ -78,6 +80,7 @@ import java.util.concurrent.LinkedBlockingQueue; import java.util.concurrent.atomic.AtomicReference; import java.util.concurrent.locks.Lock; import java.util.concurrent.locks.ReentrantLock; +import java.util.function.Function; import static org.elasticsearch.shield.audit.AuditUtil.indices; import static org.elasticsearch.shield.audit.AuditUtil.restRequestContent; @@ -93,6 +96,7 @@ import static org.elasticsearch.shield.audit.index.IndexAuditLevel.SYSTEM_ACCESS import static org.elasticsearch.shield.audit.index.IndexAuditLevel.TAMPERED_REQUEST; import static org.elasticsearch.shield.audit.index.IndexAuditLevel.parse; import static org.elasticsearch.shield.audit.index.IndexNameResolver.resolve; +import static org.elasticsearch.shield.Security.setting; /** * Audit trail implementation that writes events into an index. 
@@ -107,12 +111,15 @@ public class IndexAuditTrail extends AbstractComponent implements AuditTrail, Cl public static final String NAME = "index"; public static final String INDEX_NAME_PREFIX = ".shield_audit_log"; public static final String DOC_TYPE = "event"; - public static final String ROLLOVER_SETTING = "shield.audit.index.rollover"; - public static final String QUEUE_SIZE_SETTING = "shield.audit.index.queue_max_size"; + public static final Setting ROLLOVER_SETTING = + new Setting<>(setting("audit.index.rollover"), (s) -> DEFAULT_ROLLOVER.name(), + s -> IndexNameResolver.Rollover.valueOf(s.toUpperCase(Locale.ENGLISH)), Property.NodeScope); + public static final Setting QUEUE_SIZE_SETTING = + Setting.intSetting(setting("audit.index.queue_max_size"), DEFAULT_MAX_QUEUE_SIZE, 1, Property.NodeScope); public static final String INDEX_TEMPLATE_NAME = "shield_audit_log"; public static final String DEFAULT_CLIENT_NAME = "shield-audit-client"; - static final String[] DEFAULT_EVENT_INCLUDES = new String[]{ + static final List DEFAULT_EVENT_INCLUDES = Arrays.asList( ACCESS_DENIED.toString(), ACCESS_GRANTED.toString(), ANONYMOUS_ACCESS_DENIED.toString(), 
@@ -122,14 +129,29 @@ public class IndexAuditTrail extends AbstractComponent implements AuditTrail, Cl TAMPERED_REQUEST.toString(), RUN_AS_DENIED.toString(), RUN_AS_GRANTED.toString() - }; - + ); private static final String FORBIDDEN_INDEX_SETTING = "index.mapper.dynamic"; + public static final Setting INDEX_SETTINGS = + Setting.groupSetting(setting("audit.index.settings.index."), Property.NodeScope); + public static final Setting> INCLUDE_EVENT_SETTINGS = + Setting.listSetting(setting("audit.index.events.include"), DEFAULT_EVENT_INCLUDES, Function.identity(), + Property.NodeScope); + public static final Setting> EXCLUDE_EVENT_SETTINGS = + Setting.listSetting(setting("audit.index.events.exclude"), Collections.emptyList(), + Function.identity(), Property.NodeScope); + public static final Setting REMOTE_CLIENT_SETTINGS = + Setting.groupSetting(setting("audit.index.client."), Property.NodeScope); + public static final Setting BULK_SIZE_SETTING = + Setting.intSetting(setting("audit.index.bulk_size"), DEFAULT_BULK_SIZE, 1, MAX_BULK_SIZE, Property.NodeScope); + public static final Setting FLUSH_TIMEOUT_SETTING = + Setting.timeSetting(setting("audit.index.flush_interval"), DEFAULT_FLUSH_INTERVAL, + TimeValue.timeValueMillis(1L), Property.NodeScope); + + private final AtomicReference state = new AtomicReference<>(State.INITIALIZED); private final String nodeName; private final Provider clientProvider; - private final AuthenticationService authenticationService; private final LinkedBlockingQueue eventQueue; private final QueueConsumer queueConsumer; private final Transport transport; 
@@ -151,10 +173,9 @@ public class IndexAuditTrail extends AbstractComponent implements AuditTrail, Cl } @Inject - public IndexAuditTrail(Settings settings, AuthenticationService authenticationService, Transport transport, + public IndexAuditTrail(Settings settings, Transport transport, Provider clientProvider, ThreadPool threadPool, ClusterService clusterService) { super(settings); - this.authenticationService = authenticationService; this.clientProvider = clientProvider; this.transport = transport; this.threadPool = threadPool; 
@@ -162,35 +183,23 @@ public class IndexAuditTrail extends AbstractComponent implements AuditTrail, Cl this.nodeName = settings.get("name"); this.queueConsumer = new QueueConsumer(EsExecutors.threadName(settings, "audit-queue-consumer")); - int maxQueueSize = settings.getAsInt(QUEUE_SIZE_SETTING, DEFAULT_MAX_QUEUE_SIZE); - if (maxQueueSize <= 0) { - logger.warn("invalid value [{}] for setting [{}]. using default value [{}]", maxQueueSize, QUEUE_SIZE_SETTING, - DEFAULT_MAX_QUEUE_SIZE); - maxQueueSize = DEFAULT_MAX_QUEUE_SIZE; - } + int maxQueueSize = QUEUE_SIZE_SETTING.get(settings); this.eventQueue = new LinkedBlockingQueue<>(maxQueueSize); // we have to initialize this here since we use rollover in determining if we can start... - try { - rollover = IndexNameResolver.Rollover.valueOf( - settings.get(ROLLOVER_SETTING, DEFAULT_ROLLOVER.name()).toUpperCase(Locale.ENGLISH)); - } catch (IllegalArgumentException e) { - logger.warn("invalid value for setting [shield.audit.index.rollover]; falling back to default [{}]", - DEFAULT_ROLLOVER.name()); - rollover = DEFAULT_ROLLOVER; - } + rollover = ROLLOVER_SETTING.get(settings); // we have to initialize the events here since we can receive events before starting... - String[] includedEvents = settings.getAsArray("shield.audit.index.events.include", DEFAULT_EVENT_INCLUDES); - String[] excludedEvents = settings.getAsArray("shield.audit.index.events.exclude"); + List includedEvents = INCLUDE_EVENT_SETTINGS.get(settings); + List excludedEvents = EXCLUDE_EVENT_SETTINGS.get(settings); try { events = parse(includedEvents, excludedEvents); } catch (IllegalArgumentException e) { logger.warn("invalid event type specified, using default for audit index output. 
include events [{}], exclude events [{}]", e, includedEvents, excludedEvents); - events = parse(DEFAULT_EVENT_INCLUDES, Strings.EMPTY_ARRAY); + events = parse(DEFAULT_EVENT_INCLUDES, Collections.emptyList()); } - this.indexToRemoteCluster = settings.getByPrefix("shield.audit.index.client.").names().size() > 0; + this.indexToRemoteCluster = REMOTE_CLIENT_SETTINGS.get(settings).names().size() > 0; } @@ -684,16 +693,16 @@ public class IndexAuditTrail extends AbstractComponent implements AuditTrail, Cl // in the absence of client settings for remote indexing, fall back to the client that was passed in. this.client = clientProvider.get(); } else { - Settings clientSettings = settings.getByPrefix("shield.audit.index.client."); + Settings clientSettings = REMOTE_CLIENT_SETTINGS.get(settings); String[] hosts = clientSettings.getAsArray("hosts"); if (hosts.length == 0) { throw new ElasticsearchException("missing required setting " + - "[shield.audit.index.client.hosts] for remote audit log indexing"); + "[" + REMOTE_CLIENT_SETTINGS.getKey() + ".hosts] for remote audit log indexing"); } if (clientSettings.get("cluster.name", "").isEmpty()) { throw new ElasticsearchException("missing required setting " + - "[shield.audit.index.client.cluster.name] for remote audit log indexing"); + "[" + REMOTE_CLIENT_SETTINGS.getKey() + ".cluster.name] for remote audit log indexing"); } List> hostPortPairs = new ArrayList<>(); 
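Review bot: Dropping the try/catch around the rollover lookup turns a misconfigured `audit.index.rollover` from a logged warning with fallback to `DEFAULT_ROLLOVER` into an `IllegalArgumentException` from `Rollover.valueOf` inside `ROLLOVER_SETTING.get(settings)` (the parser is declared in the hunk at new line 111), presumably surfacing at settings validation rather than mid-construction. Failing fast on an invalid audit setting is the safer policy, but the events block a few lines below keeps the opposite one: it catches the parse failure and continues with `DEFAULT_EVENT_INCLUDES`, so a typo in `audit.index.events.include` quietly audits the default set instead of what was configured. Either the events fallback should go the same way, or a comment should say why the two differ, e.g. `// rollover is rejected by the Setting parser at startup; event names only warn so that a typo does not take the node down`. The `valueOf` message also names no setting, so a parser that wraps the failure with the key would help whoever reads the startup log. The constructor begins outside this hunk.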
@@ -701,13 +710,14 @@ public class IndexAuditTrail extends AbstractComponent implements AuditTrail, Cl for (String host : hosts) { List hostPort = Arrays.asList(host.trim().split(":")); if (hostPort.size() != 1 && hostPort.size() != 2) { - logger.warn("invalid host:port specified: [{}] for setting [shield.audit.index.client.hosts]", host); + logger.warn("invalid host:port specified: [{}] for setting [" + REMOTE_CLIENT_SETTINGS.getKey() + ".hosts]", host); } hostPortPairs.add(new Tuple<>(hostPort.get(0), hostPort.size() == 2 ? Integer.valueOf(hostPort.get(1)) : 9300)); } if (hostPortPairs.size() == 0) { - throw new ElasticsearchException("no valid host:port pairs specified for setting [shield.audit.index.client.hosts]"); + throw new ElasticsearchException("no valid host:port pairs specified for setting [" + + REMOTE_CLIENT_SETTINGS.getKey() + ".hosts]"); } final Settings theClientSetting = clientSettings.filter((s) -> s.startsWith("hosts") == false); // hosts is not a valid setting final TransportClient transportClient = TransportClient.builder() @@ -732,7 +742,7 @@ public class IndexAuditTrail extends AbstractComponent implements AuditTrail, Cl Settings customAuditIndexSettings(Settings nodeSettings) { Settings newSettings = Settings.builder() - .put(nodeSettings.getAsSettings("shield.audit.index.settings.index")) + .put(INDEX_SETTINGS.get(nodeSettings)) .build(); if (newSettings.names().isEmpty()) { return Settings.EMPTY; 
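Review bot: The rewritten warn call mixes string concatenation with a `{}` placeholder, building the message eagerly on every call; the parameterized form is `logger.warn("invalid host:port specified: [{}] for setting [{}.hosts]", host, REMOTE_CLIENT_SETTINGS.getKey());`. The larger gap is that the entry which triggers the warning is still appended to `hostPortPairs` on the next line via `hostPort.get(0)`, so a host with more than one colon is logged as invalid and then used anyway, and the `hostPortPairs.size() == 0` check below can never fire for that case; a `continue;` after the warning would make the warning and the "no valid host:port pairs" exception agree with each other. On the same line, `Integer.valueOf(hostPort.get(1))` turns a non-numeric port into an uncaught `NumberFormatException` rather than the warning path. The enclosing method starts outside this hunk.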
@@ -801,11 +811,8 @@ public class IndexAuditTrail extends AbstractComponent implements AuditTrail, Cl private void initializeBulkProcessor() { - int bulkSize = Math.min(settings.getAsInt("shield.audit.index.bulk_size", DEFAULT_BULK_SIZE), MAX_BULK_SIZE); - bulkSize = (bulkSize < 1) ? DEFAULT_BULK_SIZE : bulkSize; - - TimeValue interval = settings.getAsTime("shield.audit.index.flush_interval", DEFAULT_FLUSH_INTERVAL); - interval = (interval.millis() < 1) ? DEFAULT_FLUSH_INTERVAL : interval; + final int bulkSize = BULK_SIZE_SETTING.get(settings); + final TimeValue interval = FLUSH_TIMEOUT_SETTING.get(settings); bulkProcessor = BulkProcessor.builder(client, new BulkProcessor.Listener() { @Override @@ -866,6 +873,17 @@ public class IndexAuditTrail extends AbstractComponent implements AuditTrail, Cl } } + public static void registerSettings(SettingsModule settingsModule) { + settingsModule.registerSetting(INDEX_SETTINGS); + settingsModule.registerSetting(EXCLUDE_EVENT_SETTINGS); + settingsModule.registerSetting(INCLUDE_EVENT_SETTINGS); + settingsModule.registerSetting(ROLLOVER_SETTING); + settingsModule.registerSetting(BULK_SIZE_SETTING); + settingsModule.registerSetting(FLUSH_TIMEOUT_SETTING); + settingsModule.registerSetting(QUEUE_SIZE_SETTING); + settingsModule.registerSetting(REMOTE_CLIENT_SETTINGS); + } + private class QueueConsumer extends Thread { volatile boolean running = true; diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/audit/logfile/LoggingAuditTrail.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/audit/logfile/LoggingAuditTrail.java index a21e75121e9..dde6eb2c748 100644 --- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/audit/logfile/LoggingAuditTrail.java +++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/audit/logfile/LoggingAuditTrail.java 
@@ -12,7 +12,10 @@ import org.elasticsearch.common.inject.Inject; import org.elasticsearch.common.logging.ESLogger; import org.elasticsearch.common.logging.Loggers; import org.elasticsearch.common.network.NetworkAddress; +import org.elasticsearch.common.settings.Setting; +import org.elasticsearch.common.settings.Setting.Property; import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.common.settings.SettingsModule; import org.elasticsearch.common.transport.InetSocketTransportAddress; import org.elasticsearch.common.transport.TransportAddress; import org.elasticsearch.common.util.concurrent.ThreadContext; @@ -36,6 +39,7 @@ import java.net.SocketAddress; import static org.elasticsearch.common.Strings.arrayToCommaDelimitedString; import static org.elasticsearch.shield.audit.AuditUtil.indices; import static org.elasticsearch.shield.audit.AuditUtil.restRequestContent; +import static org.elasticsearch.shield.Security.setting; /** * @@ -43,6 +47,12 @@ import static org.elasticsearch.shield.audit.AuditUtil.restRequestContent; public class LoggingAuditTrail extends AbstractLifecycleComponent implements AuditTrail { public static final String NAME = "logfile"; + public static final Setting HOST_ADDRESS_SETTING = + Setting.boolSetting(setting("audit.logfile.prefix.emit_node_host_address"), false, Property.NodeScope); + public static final Setting HOST_NAME_SETTING = + Setting.boolSetting(setting("audit.logfile.prefix.emit_node_host_name"), false, Property.NodeScope); + public static final Setting NODE_NAME_SETTING = + Setting.boolSetting(setting("audit.logfile.prefix.emit_node_name"), true, Property.NodeScope); private final ESLogger logger; private final Transport transport; 
@@ -409,19 +419,19 @@ public class LoggingAuditTrail extends AbstractLifecycleComponent SETTING_AUTHORIZATION_EXCEPTION_ENABLED = + Setting.boolSetting(setting("authc.anonymous.authz_exception"), true, Property.NodeScope); + public static final Setting> ROLES_SETTING = + Setting.listSetting(setting("authc.anonymous.roles"), Collections.emptyList(), s -> s, Property.NodeScope); + public static final Setting USERNAME_SETTING = + new Setting<>(setting("authc.anonymous.username"), ANONYMOUS_USERNAME, s -> s, Property.NodeScope); @Nullable private final User anonymousUser; @@ -23,7 +36,7 @@ public class AnonymousService { @Inject public AnonymousService(Settings settings) { anonymousUser = resolveAnonymousUser(settings); - authzExceptionEnabled = settings.getAsBoolean(SETTING_AUTHORIZATION_EXCEPTION_ENABLED, true); + authzExceptionEnabled = SETTING_AUTHORIZATION_EXCEPTION_ENABLED.get(settings); } public boolean enabled() { @@ -46,11 +59,17 @@ public class AnonymousService { } static User resolveAnonymousUser(Settings settings) { - String[] roles = settings.getAsArray("shield.authc.anonymous.roles", null); - if (roles == null) { + List roles = ROLES_SETTING.get(settings); + if (roles.isEmpty()) { return null; } - String username = settings.get("shield.authc.anonymous.username", ANONYMOUS_USERNAME); - return new User(username, roles); + String username = USERNAME_SETTING.get(settings); + return new User(username, roles.toArray(Strings.EMPTY_ARRAY)); + } + + public static void registerSettings(SettingsModule settingsModule) { + settingsModule.registerSetting(ROLES_SETTING); + settingsModule.registerSetting(USERNAME_SETTING); + settingsModule.registerSetting(SETTING_AUTHORIZATION_EXCEPTION_ENABLED); } } diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/AuthenticationModule.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/AuthenticationModule.java index 144f9f83c7c..963ac42b150 100644 
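Review bot: `resolveAnonymousUser` is the point where anonymous access gets switched on, and neither the method nor `ROLES_SETTING` says so; a Javadoc such as `Returns the anonymous user, or {@code null} when no roles are configured under the authc.anonymous.roles key, in which case anonymous access stays disabled.` would make that contract visible to anyone later adding a default role. The `roles.isEmpty()` check now treats an explicitly empty list the same as an absent setting, which appears to match the old `getAsArray(..., null)` behaviour, but the hunk does not state it, so a one-line comment on the check would save the next reader the comparison.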
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/AuthenticationModule.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/AuthenticationModule.java
@@ -9,6 +9,7 @@ import org.elasticsearch.common.inject.multibindings.MapBinder;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.shield.authc.activedirectory.ActiveDirectoryRealm;
 import org.elasticsearch.shield.authc.esnative.NativeRealm;
+import org.elasticsearch.shield.authc.esnative.NativeUsersStore;
 import org.elasticsearch.shield.authc.file.FileRealm;
 import org.elasticsearch.shield.authc.ldap.LdapRealm;
 import org.elasticsearch.shield.authc.pki.PkiRealm;
@@ -58,6 +59,7 @@ public class AuthenticationModule extends AbstractShieldModule.Node {
 bind(AuthenticationFailureHandler.class).to(authcFailureHandler).asEagerSingleton();
 }
 bind(AuthenticationService.class).to(InternalAuthenticationService.class).asEagerSingleton();
+ bind(NativeUsersStore.class).asEagerSingleton();
 }
 
 /**
diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/InternalAuthenticationService.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/InternalAuthenticationService.java
index d747f89cbf5..efcf84490d6 100644
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/InternalAuthenticationService.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/InternalAuthenticationService.java
@@ -14,7 +14,10 @@ import org.elasticsearch.common.inject.Inject; import org.elasticsearch.common.io.stream.BytesStreamOutput; import org.elasticsearch.common.io.stream.StreamInput; import org.elasticsearch.common.logging.ESLogger; +import org.elasticsearch.common.settings.Setting; +import org.elasticsearch.common.settings.Setting.Property; import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.common.settings.SettingsModule; import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.rest.RestRequest; import org.elasticsearch.shield.User; @@ -25,6 +28,7 @@ import org.elasticsearch.transport.TransportMessage; import java.io.IOException; +import static org.elasticsearch.shield.Security.setting; import static org.elasticsearch.shield.support.Exceptions.authenticationError; /** @@ -34,8 +38,10 @@ import static org.elasticsearch.shield.support.Exceptions.authenticationError; */ public class InternalAuthenticationService extends AbstractComponent implements AuthenticationService { - public static final String SETTING_SIGN_USER_HEADER = "shield.authc.sign_user_header"; - public static final String SETTING_RUN_AS_ENABLED = "shield.authc.run_as.enabled"; + public static final Setting SIGN_USER_HEADER = + Setting.boolSetting(setting("authc.sign_user_header"), true, Property.NodeScope); + public static final Setting RUN_AS_ENABLED = + Setting.boolSetting(setting("authc.run_as.enabled"), true, Property.NodeScope); public static final String RUN_AS_USER_HEADER = "es-shield-runas-user"; static final String TOKEN_KEY = "_shield_token"; 
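Review bot: `SIGN_USER_HEADER` and `RUN_AS_ENABLED` both default to `true` and both gate security behaviour, yet the new constants carry no Javadoc, and the public `String` keys they replace (`SETTING_SIGN_USER_HEADER`, `SETTING_RUN_AS_ENABLED`) are removed outright rather than deprecated, which breaks any out-of-tree caller; nothing in this diff shows such a caller, so this may be acceptable, but it should be a conscious choice. A one-line comment on each declaration, e.g. `/** Enables run-as via the es-shield-runas-user header; on by default. */` on `RUN_AS_ENABLED` (presumably that header, given `RUN_AS_USER_HEADER` just below), would put the default and its meaning at the declaration instead of leaving them implicit in the `boolSetting(..., true, ...)` call.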
@@ -61,8 +67,8 @@ public class InternalAuthenticationService extends AbstractComponent implements
 this.anonymousService = anonymousService;
 this.failureHandler = failureHandler;
 this.threadContext = threadPool.getThreadContext();
- this.signUserHeader = settings.getAsBoolean(SETTING_SIGN_USER_HEADER, true);
- this.runAsEnabled = settings.getAsBoolean(SETTING_RUN_AS_ENABLED, true);
+ this.signUserHeader = SIGN_USER_HEADER.get(settings);
+ this.runAsEnabled = RUN_AS_ENABLED.get(settings);
 }
 
 @Override
@@ -430,4 +436,9 @@ public class InternalAuthenticationService extends AbstractComponent implements
 }
 return null;
 }
+
+ public static void registerSettings(SettingsModule settingsModule) {
+ settingsModule.registerSetting(SIGN_USER_HEADER);
+ settingsModule.registerSetting(RUN_AS_ENABLED);
+ }
 }
diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/Realms.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/Realms.java
index 39905e0ccbf..b9b829c386f 100644
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/Realms.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/Realms.java
@@ -8,7 +8,10 @@ package org.elasticsearch.shield.authc;
 import org.elasticsearch.ElasticsearchException;
 import org.elasticsearch.common.component.AbstractLifecycleComponent;
 import org.elasticsearch.common.inject.Inject;
+import org.elasticsearch.common.settings.Setting;
+import org.elasticsearch.common.settings.Setting.Property;
 import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.common.settings.SettingsModule;
 import org.elasticsearch.env.Environment;
 import org.elasticsearch.shield.authc.esnative.NativeRealm;
 import org.elasticsearch.shield.authc.file.FileRealm;
@@ -22,11 +25,15 @@ import java.util.List;
 import java.util.Map;
 import java.util.Set;
 
+import static org.elasticsearch.shield.Security.setting;
+
 /**
 * Serves as a realms registry (also responsible for ordering the realms appropriately)
 */
 public class Realms extends AbstractLifecycleComponent implements Iterable {
 
+ public static final Setting REALMS_GROUPS_SETTINGS = Setting.groupSetting(setting("authc.realms."), Property.NodeScope);
+
 private final Environment env;
 private final Map factories;
 private final ShieldLicenseState shieldLicenseState;
@@ -92,7 +99,7 @@ public class Realms extends AbstractLifecycleComponent implements Iterab
 }
 
 protected List initRealms() {
- Settings realmsSettings = settings.getAsSettings("shield.authc.realms");
+ Settings realmsSettings = REALMS_GROUPS_SETTINGS.get(settings);
 Set internalTypes = new HashSet<>();
 List realms = new ArrayList<>();
 for (String name : realmsSettings.names()) {
@@ -140,7 +147,7 @@ public class Realms extends AbstractLifecycleComponent implements Iterab
 * configured, there can only be one configured instance.
 */
 public static Settings fileRealmSettings(Settings settings) {
- Settings realmsSettings = settings.getAsSettings("shield.authc.realms");
+ Settings realmsSettings = REALMS_GROUPS_SETTINGS.get(settings);
 Settings result = null;
 for (String name : realmsSettings.names()) {
 Settings realmSettings = realmsSettings.getAsSettings(name);
@@ -164,9 +171,13 @@ public class Realms extends AbstractLifecycleComponent implements Iterab if (indexRealmFactory != null) { realms.add(indexRealmFactory.createDefault("default_" + NativeRealm.TYPE)); } - Realm.Factory esUsersRealm = factories.get(FileRealm.TYPE); - if (esUsersRealm != null) { - realms.add(esUsersRealm.createDefault("default_" + FileRealm.TYPE)); + Realm.Factory fileRealm = factories.get(FileRealm.TYPE); + if (fileRealm != null) { + realms.add(fileRealm.createDefault("default_" + FileRealm.TYPE)); } } + + public static void registerSettings(SettingsModule settingsModule) { + settingsModule.registerSetting(REALMS_GROUPS_SETTINGS); + } } diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/esnative/NativeRealm.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/esnative/NativeRealm.java index ba5277380d7..6106632b833 100644 --- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/esnative/NativeRealm.java +++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/esnative/NativeRealm.java @@ -6,7 +6,10 @@ package org.elasticsearch.shield.authc.esnative; import org.elasticsearch.common.inject.Inject; +import org.elasticsearch.common.settings.Setting; +import org.elasticsearch.common.settings.Setting.Property; import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.common.unit.TimeValue; import org.elasticsearch.env.Environment; import org.elasticsearch.shield.User; import org.elasticsearch.shield.authc.Realm; @@ -81,5 +84,4 @@ public class NativeRealm extends CachingUsernamePasswordRealm { return create(config); } } - } diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/esnative/NativeUsersStore.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/esnative/NativeUsersStore.java index 2444cf7bffd..28a469d5614 100644 
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/esnative/NativeUsersStore.java +++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/esnative/NativeUsersStore.java @@ -36,7 +36,10 @@ import org.elasticsearch.common.ValidationException; import org.elasticsearch.common.component.AbstractComponent; import org.elasticsearch.common.inject.Inject; import org.elasticsearch.common.inject.Provider; +import org.elasticsearch.common.settings.Setting; +import org.elasticsearch.common.settings.Setting.Property; import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.common.settings.SettingsModule; import org.elasticsearch.common.unit.TimeValue; import org.elasticsearch.common.util.concurrent.AbstractRunnable; import org.elasticsearch.gateway.GatewayService; @@ -71,6 +74,8 @@ import java.util.concurrent.CountDownLatch; import java.util.concurrent.TimeUnit; import java.util.concurrent.atomic.AtomicReference; +import static org.elasticsearch.shield.Security.setting; + /** * ESNativeUsersStore is a {@code UserStore} that, instead of reading from a * file, reads from an Elasticsearch index instead. This {@code UserStore} in @@ -82,6 +87,15 @@ import java.util.concurrent.atomic.AtomicReference; */ public class NativeUsersStore extends AbstractComponent implements ClusterStateListener { + public static final Setting SCROLL_SIZE_SETTING = + Setting.intSetting(setting("authc.native.scroll.size"), 1000, Property.NodeScope); + + public static final Setting SCROLL_KEEP_ALIVE_SETTING = + Setting.timeSetting(setting("authc.native.scroll.keep_alive"), TimeValue.timeValueSeconds(10L), Property.NodeScope); + + public static final Setting POLL_INTERVAL_SETTING = + Setting.timeSetting(setting("authc.native.reload.interval"), TimeValue.timeValueSeconds(30L), Property.NodeScope); + public enum State { INITIALIZED, STARTING, 
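Review bot: `SCROLL_SIZE_SETTING` is declared with no lower bound (`Setting.intSetting(setting("authc.native.scroll.size"), 1000, Property.NodeScope)`), unlike `QUEUE_SIZE_SETTING` and `BULK_SIZE_SETTING` in IndexAuditTrail, which the same commit gives a minimum of 1; a zero or negative scroll size would only be rejected, if at all, when the search runs, so `Setting.intSetting(setting("authc.native.scroll.size"), 1000, 1, Property.NodeScope)` keeps validation consistent across the commit. Likewise `SCROLL_KEEP_ALIVE_SETTING` and `POLL_INTERVAL_SETTING` accept any `TimeValue`, whereas `FLUSH_TIMEOUT_SETTING` has a 1 ms floor, and a zero interval for the user-store poller started in the later hunk is presumably never wanted. Each of the three constants would also benefit from a one-line Javadoc saying what it controls, e.g. `/** How often the user store is polled for changes. */` on `POLL_INTERVAL_SETTING`.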
@@ -445,8 +459,8 @@ public class NativeUsersStore extends AbstractComponent implements ClusterStateL try { if (state.compareAndSet(State.INITIALIZED, State.STARTING)) { this.client = clientProvider.get(); - this.scrollSize = settings.getAsInt("shield.authc.native.scroll.size", 1000); - this.scrollKeepAlive = settings.getAsTime("shield.authc.native.scroll.keep_alive", TimeValue.timeValueSeconds(10L)); + this.scrollSize = SCROLL_SIZE_SETTING.get(settings); + this.scrollKeepAlive = SCROLL_KEEP_ALIVE_SETTING.get(settings); // FIXME only start if a realm is using this UserStorePoller poller = new UserStorePoller(); @@ -455,8 +469,7 @@ public class NativeUsersStore extends AbstractComponent implements ClusterStateL } catch (Exception e) { logger.warn("failed to do initial poll of users", e); } - userPoller = new SelfReschedulingRunnable(poller, threadPool, - settings.getAsTime("shield.authc.native.reload.interval", TimeValue.timeValueSeconds(30L)), Names.GENERIC, logger); + userPoller = new SelfReschedulingRunnable(poller, threadPool, POLL_INTERVAL_SETTING.get(settings), Names.GENERIC, logger); userPoller.start(); state.set(State.STARTED); } @@ -727,4 +740,10 @@ public class NativeUsersStore extends AbstractComponent implements ClusterStateL void onUsersChanged(List username); } + + public static void registerSettings(SettingsModule settingsModule) { + settingsModule.registerSetting(SCROLL_SIZE_SETTING); + settingsModule.registerSetting(SCROLL_KEEP_ALIVE_SETTING); + settingsModule.registerSetting(POLL_INTERVAL_SETTING); + } } diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/file/FileUserPasswdStore.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/file/FileUserPasswdStore.java index f8008329650..0086bf39fe5 100644 --- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/file/FileUserPasswdStore.java 
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/file/FileUserPasswdStore.java @@ -172,9 +172,9 @@ public class FileUserPasswdStore { return unmodifiableMap(users); } - public static void writeFile(Map esUsers, Path path) { + public static void writeFile(Map users, Path path) { try (PrintWriter writer = new PrintWriter(openAtomicMoveWriter(path))) { - for (Map.Entry entry : esUsers.entrySet()) { + for (Map.Entry entry : users.entrySet()) { writer.printf(Locale.ROOT, "%s:%s%s", entry.getKey(), new String(entry.getValue()), System.lineSeparator()); } } catch (IOException ioe) { diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/file/tool/UsersTool.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/file/tool/UsersTool.java index 1a64826210c..3959c004f47 100644 --- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/file/tool/UsersTool.java +++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/file/tool/UsersTool.java @@ -96,9 +96,9 @@ public class UsersTool extends MultiCommand { char[] password = parsePassword(terminal, passwordOption.value(options)); String[] roles = parseRoles(terminal, env, rolesOption.value(options)); - Settings esusersSettings = Realms.fileRealmSettings(env.settings()); - Path passwordFile = FileUserPasswdStore.resolveFile(esusersSettings, env); - Path rolesFile = FileUserRolesStore.resolveFile(esusersSettings, env); + Settings fileSettings = Realms.fileRealmSettings(env.settings()); + Path passwordFile = FileUserPasswdStore.resolveFile(fileSettings, env); + Path rolesFile = FileUserRolesStore.resolveFile(fileSettings, env); FileAttributesChecker attributesChecker = new FileAttributesChecker(passwordFile, rolesFile); Map users = new HashMap<>(FileUserPasswdStore.parseFile(passwordFile, null)); 
@@ -144,9 +144,9 @@ public class UsersTool extends MultiCommand { @Override protected void execute(Terminal terminal, OptionSet options) throws Exception { String username = parseUsername(arguments.values(options)); - Settings esusersSettings = Realms.fileRealmSettings(env.settings()); - Path passwordFile = FileUserPasswdStore.resolveFile(esusersSettings, env); - Path rolesFile = FileUserRolesStore.resolveFile(esusersSettings, env); + Settings fileSettings = Realms.fileRealmSettings(env.settings()); + Path passwordFile = FileUserPasswdStore.resolveFile(fileSettings, env); + Path rolesFile = FileUserRolesStore.resolveFile(fileSettings, env); FileAttributesChecker attributesChecker = new FileAttributesChecker(passwordFile, rolesFile); Map users = new HashMap<>(FileUserPasswdStore.parseFile(passwordFile, null)); @@ -203,8 +203,8 @@ public class UsersTool extends MultiCommand { String username = parseUsername(arguments.values(options)); char[] password = parsePassword(terminal, passwordOption.value(options)); - Settings esusersSettings = Realms.fileRealmSettings(env.settings()); - Path file = FileUserPasswdStore.resolveFile(esusersSettings, env); + Settings fileSettings = Realms.fileRealmSettings(env.settings()); + Path file = FileUserPasswdStore.resolveFile(fileSettings, env); FileAttributesChecker attributesChecker = new FileAttributesChecker(file); Map users = new HashMap<>(FileUserPasswdStore.parseFile(file, null)); if (users.containsKey(username) == false) { 
@@ -258,9 +258,9 @@ public class UsersTool extends MultiCommand { return; } - Settings esusersSettings = Realms.fileRealmSettings(env.settings()); - Path usersFile = FileUserPasswdStore.resolveFile(esusersSettings, env); - Path rolesFile = FileUserRolesStore.resolveFile(esusersSettings, env); + Settings fileSettings = Realms.fileRealmSettings(env.settings()); + Path usersFile = FileUserPasswdStore.resolveFile(fileSettings, env); + Path rolesFile = FileUserRolesStore.resolveFile(fileSettings, env); FileAttributesChecker attributesChecker = new FileAttributesChecker(usersFile, rolesFile); Map usersMap = FileUserPasswdStore.parseFile(usersFile, null); @@ -318,11 +318,11 @@ public class UsersTool extends MultiCommand { // pkg private for tests static void listUsersAndRoles(Terminal terminal, Environment env, String username) throws Exception { - Settings esusersSettings = Realms.fileRealmSettings(env.settings()); - Path userRolesFilePath = FileUserRolesStore.resolveFile(esusersSettings, env); + Settings fileSettings = Realms.fileRealmSettings(env.settings()); + Path userRolesFilePath = FileUserRolesStore.resolveFile(fileSettings, env); Map userRoles = FileUserRolesStore.parseFile(userRolesFilePath, null); - Path userFilePath = FileUserPasswdStore.resolveFile(esusersSettings, env); + Path userFilePath = FileUserPasswdStore.resolveFile(fileSettings, env); Set users = FileUserPasswdStore.parseFile(userFilePath, null).keySet(); Path rolesFilePath = FileRolesStore.resolveFile(env.settings(), env); 
@@ -341,7 +341,7 @@ public class UsersTool extends MultiCommand { "-" : s).collect(Collectors.joining(",")))); if (!unknownRoles.isEmpty()) { // at least one role is marked... so printing the legend - Path rolesFile = FileRolesStore.resolveFile(esusersSettings, env).toAbsolutePath(); + Path rolesFile = FileRolesStore.resolveFile(fileSettings, env).toAbsolutePath(); terminal.println(""); terminal.println(" [*] An unknown role. " + "Please check [" + rolesFile.toAbsolutePath() + "] to see available roles"); @@ -375,7 +375,7 @@ public class UsersTool extends MultiCommand { if (unknownRolesFound) { // at least one role is marked... so printing the legend - Path rolesFile = FileRolesStore.resolveFile(esusersSettings, env).toAbsolutePath(); + Path rolesFile = FileRolesStore.resolveFile(fileSettings, env).toAbsolutePath(); terminal.println(""); terminal.println(" [*] An unknown role. " + "Please check [" + rolesFile.toAbsolutePath() + "] to see available roles"); @@ -462,8 +462,8 @@ public class UsersTool extends MultiCommand { } } - Settings esusersSettings = Realms.fileRealmSettings(env.settings()); - verifyRoles(terminal, esusersSettings, env, roles); + Settings fileSettings = Realms.fileRealmSettings(env.settings()); + verifyRoles(terminal, fileSettings, env, roles); return roles; } diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/pki/PkiRealm.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/pki/PkiRealm.java index 4d93af57f6e..dd4492f3e5b 100644 --- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/pki/PkiRealm.java +++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/pki/PkiRealm.java 
@@ -11,6 +11,7 @@ import org.elasticsearch.common.logging.ESLogger;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
 import org.elasticsearch.env.Environment;
+import org.elasticsearch.shield.Security;
 import org.elasticsearch.shield.User;
 import org.elasticsearch.shield.authc.AuthenticationToken;
 import org.elasticsearch.shield.authc.Realm;
@@ -194,17 +195,16 @@ public class PkiRealm extends Realm {
 
     static void checkSSLEnabled(RealmConfig config, ESLogger logger) {
         Settings settings = config.globalSettings();
+        final boolean httpSsl = ShieldNettyHttpServerTransport.SSL_SETTING.get(settings);
+        final boolean httpClientAuth = ShieldNettyHttpServerTransport.CLIENT_AUTH_SETTING.get(settings).enabled();
         // HTTP
-        if (settings.getAsBoolean(ShieldNettyHttpServerTransport.HTTP_SSL_SETTING, ShieldNettyHttpServerTransport.HTTP_SSL_DEFAULT)
-                && SSLClientAuth.parse(settings.get(ShieldNettyHttpServerTransport.HTTP_CLIENT_AUTH_SETTING),
-                ShieldNettyHttpServerTransport.HTTP_CLIENT_AUTH_DEFAULT).enabled()) {
+        if (httpSsl && httpClientAuth) {
             return;
         }
 
         // Default Transport
-        final boolean ssl = settings.getAsBoolean(ShieldNettyTransport.TRANSPORT_SSL_SETTING, ShieldNettyTransport.TRANSPORT_SSL_DEFAULT);
-        final SSLClientAuth clientAuth = SSLClientAuth.parse(settings.get(ShieldNettyTransport.TRANSPORT_CLIENT_AUTH_SETTING),
-                ShieldNettyTransport.TRANSPORT_CLIENT_AUTH_DEFAULT);
+        final boolean ssl = ShieldNettyTransport.SSL_SETTING.get(settings);
+        final SSLClientAuth clientAuth = ShieldNettyTransport.CLIENT_AUTH_SETTING.get(settings);
         if (ssl && clientAuth.enabled()) {
             return;
         }
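Review bot: `httpSsl && httpClientAuth` reproduces the client-certificate decision that ShieldRestFilter's constructor now also assembles from the same two settings (`ssl && ShieldNettyHttpServerTransport.CLIENT_AUTH_SETTING.get(settings).enabled()`), so the realm's "will a certificate be available" check and the filter's "extract the certificate" switch can drift apart if either site is edited alone; a single static helper on ShieldNettyHttpServerTransport, e.g. `static boolean clientAuthEnabled(Settings settings)`, called from both places would keep them identical. Separately, the `// HTTP` heading now sits below the two locals it introduces; moving it above `final boolean httpSsl` keeps it parallel with `// Default Transport`. checkSSLEnabled continues past this hunk into the transport-profile loop.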
@@ -212,9 +212,9 @@ public class PkiRealm extends Realm { // Transport Profiles Map groupedSettings = settings.getGroups("transport.profiles."); for (Map.Entry entry : groupedSettings.entrySet()) { - Settings profileSettings = entry.getValue().getByPrefix("shield.filter."); - if (profileSettings.getAsBoolean(ShieldNettyTransport.TRANSPORT_PROFILE_SSL_SETTING, ssl) - && SSLClientAuth.parse(profileSettings.get(ShieldNettyTransport.TRANSPORT_CLIENT_AUTH_SETTING), clientAuth).enabled()) { + Settings profileSettings = entry.getValue().getByPrefix(Security.settingPrefix()); + if (ShieldNettyTransport.profileSsl(profileSettings, settings) + && ShieldNettyTransport.CLIENT_AUTH_SETTING.get(profileSettings, settings).enabled()) { return; } } diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/AuthorizationModule.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/AuthorizationModule.java index 5fcbf1d079f..0fa920064a2 100644 --- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/AuthorizationModule.java +++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/AuthorizationModule.java @@ -6,7 +6,6 @@ package org.elasticsearch.shield.authz; import org.elasticsearch.common.settings.Settings; -import org.elasticsearch.shield.authc.esnative.NativeUsersStore; import org.elasticsearch.shield.authz.store.CompositeRolesStore; import org.elasticsearch.shield.authz.store.FileRolesStore; import org.elasticsearch.shield.authz.store.NativeRolesStore; @@ -30,7 +29,6 @@ public class AuthorizationModule extends AbstractShieldModule.Node { bind(NativeRolesStore.class).asEagerSingleton(); // Then the composite roles store (which combines both) can be bound bind(RolesStore.class).to(CompositeRolesStore.class).asEagerSingleton(); - bind(NativeUsersStore.class).asEagerSingleton(); bind(AuthorizationService.class).to(InternalAuthorizationService.class).asEagerSingleton(); } 
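Review bot: The profile branch now strips `Security.settingPrefix()` from each `transport.profiles.*` group where the old code stripped `shield.filter.`, and `CLIENT_AUTH_SETTING.get(profileSettings, settings)` presumably falls back to the node-wide value when the profile carries no override; nothing in the method records that the per-profile keys are expected to be the same full names as the global ones, so a reader cannot tell whether an old-style `shield.filter.ssl` profile key is now silently ignored and the profile treated as using the global value. A comment above the loop, `// profile-scoped keys mirror the global Security.settingPrefix() names; a missing profile value falls back to the node-wide setting`, would make that contract explicit. checkSSLEnabled begins in the preceding hunk, outside this one.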
diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/store/FileRolesStore.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/store/FileRolesStore.java index db5a00cd00d..172226ccd3c 100644 --- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/store/FileRolesStore.java +++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/store/FileRolesStore.java @@ -11,11 +11,14 @@ import org.elasticsearch.ElasticsearchParseException; import org.elasticsearch.common.component.AbstractLifecycleComponent; import org.elasticsearch.common.inject.Inject; import org.elasticsearch.common.logging.ESLogger; +import org.elasticsearch.common.settings.Setting; +import org.elasticsearch.common.settings.Setting.Property; import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.common.settings.SettingsModule; import org.elasticsearch.common.xcontent.XContentParser; import org.elasticsearch.common.xcontent.yaml.YamlXContent; import org.elasticsearch.env.Environment; -import org.elasticsearch.shield.Shield; +import org.elasticsearch.shield.Security; import org.elasticsearch.shield.SystemUser; import org.elasticsearch.shield.XPackUser; import org.elasticsearch.shield.authc.support.RefreshListener; @@ -42,12 +45,15 @@ import java.util.regex.Pattern; import static java.util.Collections.emptyMap; import static java.util.Collections.emptySet; import static java.util.Collections.unmodifiableMap; +import static org.elasticsearch.shield.Security.setting; /** * */ public class FileRolesStore extends AbstractLifecycleComponent implements RolesStore { + public static final Setting ROLES_FILE_SETTING = + Setting.simpleString(setting("authz.store.files.roles"), Property.NodeScope); private static final Pattern IN_SEGMENT_LINE = Pattern.compile("^\\s+.+"); private static final Pattern SKIP_LINE = Pattern.compile("(^#.*|^\\s*)"); 
@@ -96,12 +102,12 @@ public class FileRolesStore extends AbstractLifecycleComponent imple } public static Path resolveFile(Settings settings, Environment env) { - String location = settings.get("shield.authz.store.files.roles"); - if (location == null) { + String location = ROLES_FILE_SETTING.get(settings); + if (location.isEmpty()) { return XPackPlugin.resolveConfigFile(env, "roles.yml"); } - return env.binFile().getParent().resolve(location); + return XPackPlugin.resolveConfigFile(env, location); } public static Set parseFileForRoleNames(Path path, ESLogger logger) { @@ -173,10 +179,10 @@ public class FileRolesStore extends AbstractLifecycleComponent imple // first check if FLS/DLS is enabled on the role... for (RoleDescriptor.IndicesPrivileges privilege : descriptor.getIndicesPrivileges()) { if ((privilege.getQuery() != null || privilege.getFields() != null) - && Shield.flsDlsEnabled(settings) == false) { + && Security.flsDlsEnabled(settings) == false) { logger.error("invalid role definition [{}] in roles file [{}]. document and field level security is not " + "enabled. set [{}] to [true] in the configuration file. skipping role...", roleName, path - .toAbsolutePath(), XPackPlugin.featureEnabledSetting(Shield.DLS_FLS_FEATURE)); + .toAbsolutePath(), XPackPlugin.featureEnabledSetting(Security.DLS_FLS_FEATURE)); return null; } } @@ -255,4 +261,8 @@ public class FileRolesStore extends AbstractLifecycleComponent imple } } } + + public static void registerSettings(SettingsModule settingsModule) { + settingsModule.registerSetting(ROLES_FILE_SETTING); + } } diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/store/NativeRolesStore.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/store/NativeRolesStore.java index 948ec4231b9..7d7b59e3a1c 100644 --- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/store/NativeRolesStore.java 
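Review bot: `resolveFile` now resolves a configured relative `authz.store.files.roles` value with `XPackPlugin.resolveConfigFile(env, location)` where it used to resolve against `env.binFile().getParent()`, so an existing relative path that pointed under the Elasticsearch home now designates a different file — and because this file is the source of role definitions, the node would quietly load privileges from elsewhere (or hit the missing-file path) rather than fail loudly. That base-directory change belongs in a Javadoc on `resolveFile`, e.g. "Relative locations are resolved against the x-pack config directory; absolute locations are used as given", assuming `resolveConfigFile` leaves absolute paths untouched. The `location.isEmpty()` test is the right replacement for the old null check, since `Setting.simpleString` yields an empty string when the key is unset.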
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/store/NativeRolesStore.java @@ -27,7 +27,10 @@ import org.elasticsearch.common.bytes.BytesReference; import org.elasticsearch.common.component.AbstractComponent; import org.elasticsearch.common.inject.Inject; import org.elasticsearch.common.inject.Provider; +import org.elasticsearch.common.settings.Setting; +import org.elasticsearch.common.settings.Setting.Property; import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.common.settings.SettingsModule; import org.elasticsearch.common.unit.TimeValue; import org.elasticsearch.common.util.concurrent.AbstractRunnable; import org.elasticsearch.common.xcontent.ToXContent; @@ -64,6 +67,7 @@ import java.util.function.BiFunction; import java.util.function.Function; import static org.elasticsearch.common.xcontent.XContentFactory.jsonBuilder; +import static org.elasticsearch.shield.Security.setting; /** * ESNativeRolesStore is a {@code RolesStore} that, instead of reading from a @@ -75,6 +79,15 @@ import static org.elasticsearch.common.xcontent.XContentFactory.jsonBuilder; */ public class NativeRolesStore extends AbstractComponent implements RolesStore, ClusterStateListener { + public static final Setting SCROLL_SIZE_SETTING = + Setting.intSetting(setting("authz.store.roles.index.scroll.size"), 1000, Property.NodeScope); + + public static final Setting SCROLL_KEEP_ALIVE_SETTING = + Setting.timeSetting(setting("authz.store.roles.index.scroll.keep_alive"), TimeValue.timeValueSeconds(10L), Property.NodeScope); + + public static final Setting POLL_INTERVAL_SETTING = + Setting.timeSetting(setting("authz.store.roles.index.reload.interval"), TimeValue.timeValueSeconds(30L), Property.NodeScope); + public enum State { INITIALIZED, STARTING, 
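Review bot: `SCROLL_SIZE_SETTING` is declared with `Setting.intSetting(..., 1000, Property.NodeScope)` and the two time settings with bare defaults, so a zero or negative scroll size, keep-alive or reload interval is accepted at registration and only surfaces when the poller consumes it in the next hunk (`this.scrollSize = SCROLL_SIZE_SETTING.get(settings)` inside the `State.STARTING` transition); the bounded overloads, `Setting.intSetting(setting("authz.store.roles.index.scroll.size"), 1000, 1, Property.NodeScope)` and the `Setting.timeSetting` variant that takes a minimum `TimeValue`, reject such values at startup instead. The keys also move from the old `shield.authc.native.*` names to `authz.store.roles.index.*` under the security prefix, so an existing configuration of the old keys falls back to these defaults without any warning; a one-line comment on each constant naming the key it replaces would help operators migrating.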
@@ -133,9 +146,9 @@ public class NativeRolesStore extends AbstractComponent implements RolesStore, C
         if (state.compareAndSet(State.INITIALIZED, State.STARTING)) {
             this.client = clientProvider.get();
             this.securityClient = new SecurityClient(client);
-            this.scrollSize = settings.getAsInt("shield.authc.native.scroll.size", 1000);
-            this.scrollKeepAlive = settings.getAsTime("shield.authc.native.scroll.keep_alive", TimeValue.timeValueSeconds(10L));
-            TimeValue pollInterval = settings.getAsTime("shield.authc.native.reload.interval", TimeValue.timeValueSeconds(30L));
+            this.scrollSize = SCROLL_SIZE_SETTING.get(settings);
+            this.scrollKeepAlive = SCROLL_KEEP_ALIVE_SETTING.get(settings);
+            TimeValue pollInterval = POLL_INTERVAL_SETTING.get(settings);
             RolesStorePoller poller = new RolesStorePoller();
             try {
                 poller.doRun();
@@ -589,4 +602,10 @@ public class NativeRolesStore extends AbstractComponent implements RolesStore, C
             return version;
         }
     }
+
+    public static void registerSettings(SettingsModule settingsModule) {
+        settingsModule.registerSetting(SCROLL_SIZE_SETTING);
+        settingsModule.registerSetting(SCROLL_KEEP_ALIVE_SETTING);
+        settingsModule.registerSetting(POLL_INTERVAL_SETTING);
+    }
 }
diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/crypto/InternalCryptoService.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/crypto/InternalCryptoService.java
index df4f28a1965..207c9851a19 100644
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/crypto/InternalCryptoService.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/crypto/InternalCryptoService.java
@@ -10,7 +10,10 @@ import org.elasticsearch.common.Base64; import org.elasticsearch.common.Nullable; import org.elasticsearch.common.component.AbstractLifecycleComponent; import org.elasticsearch.common.inject.Inject; +import org.elasticsearch.common.settings.Setting; +import org.elasticsearch.common.settings.Setting.Property; import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.common.settings.SettingsModule; import org.elasticsearch.env.Environment; import org.elasticsearch.shield.authc.support.CharArrays; import org.elasticsearch.watcher.FileChangesListener; @@ -43,13 +46,13 @@ import java.util.concurrent.CopyOnWriteArrayList; import java.util.regex.Pattern; import static org.elasticsearch.shield.authc.support.SecuredString.constantTimeEquals; +import static org.elasticsearch.shield.Security.setting; /** * */ public class InternalCryptoService extends AbstractLifecycleComponent implements CryptoService { - public static final String FILE_SETTING = "shield.system_key.file"; public static final String KEY_ALGO = "HmacSHA512"; public static final int KEY_SIZE = 1024; @@ -65,6 +68,14 @@ public class InternalCryptoService extends AbstractLifecycleComponent FILE_SETTING = Setting.simpleString(setting("system_key.file"), Property.NodeScope); + public static final Setting ENCRYPTION_ALGO_SETTING = + new Setting<>(setting("encryption.algorithm"), s -> DEFAULT_ENCRYPTION_ALGORITHM, s -> s, Property.NodeScope); + public static final Setting ENCRYPTION_KEY_LENGTH_SETTING = + Setting.intSetting(setting("encryption_key.length"), DEFAULT_KEY_LENGTH, Property.NodeScope); + public static final Setting ENCRYPTION_KEY_ALGO_SETTING = + new Setting<>(setting("encryption_key.algorithm"), DEFAULT_KEY_ALGORITH, s -> s, Property.NodeScope); + private final Environment env; private final ResourceWatcherService watcherService; private final List listeners; 
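Review bot: `FILE_SETTING`, `ENCRYPTION_ALGO_SETTING`, `ENCRYPTION_KEY_LENGTH_SETTING` and `ENCRYPTION_KEY_ALGO_SETTING` are registered with `Property.NodeScope` only, whereas every keystore and truststore setting in the new SSLSettings, including the path ones, also carries `Property.Filtered`; the system key file location points at the node's HMAC/encryption key material and belongs in the same filtered category, so consider `Setting.simpleString(setting("system_key.file"), Property.NodeScope, Property.Filtered)`. The two algorithm settings accept any string (`s -> s`) and the key length has no lower bound, so a typo or an unusable length is presumably only detected when the values are first used after the constructor in the next hunk assigns them and computes `this.ivLength = keyLength / 8`; a parser that rejects an empty string, or a short comment stating that validation is deferred to first use, would document that. The two algorithm constants are also declared inconsistently — one passes a default supplier `s -> DEFAULT_ENCRYPTION_ALGORITHM`, the other the constant `DEFAULT_KEY_ALGORITH` directly — and would read better written the same way.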
@@ -93,10 +104,10 @@ public class InternalCryptoService extends AbstractLifecycleComponent(listeners); - this.encryptionAlgorithm = settings.get("shield.encryption.algorithm", DEFAULT_ENCRYPTION_ALGORITHM); - this.keyLength = settings.getAsInt("shield.encryption_key.length", DEFAULT_KEY_LENGTH); + this.encryptionAlgorithm = ENCRYPTION_ALGO_SETTING.get(settings); + this.keyLength = ENCRYPTION_KEY_LENGTH_SETTING.get(settings); this.ivLength = keyLength / 8; - this.keyAlgorithm = settings.get("shield.encryption_key.algorithm", DEFAULT_KEY_ALGORITH); + this.keyAlgorithm = ENCRYPTION_KEY_ALGO_SETTING.get(settings); } @Override @@ -157,11 +168,11 @@ public class InternalCryptoService extends AbstractLifecycleComponent im @Inject public ShieldLicensee(Settings settings, LicenseeRegistry clientService, ShieldLicenseState shieldLicenseState) { - super(settings, Shield.NAME, clientService); + super(settings, Security.NAME, clientService); this.shieldLicenseState = shieldLicenseState; this.isTribeNode = settings.getGroups("tribe", true).isEmpty() == false; } diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/ShieldRestFilter.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/ShieldRestFilter.java index 7c8a6a5fee9..cb470ffa4d3 100644 --- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/ShieldRestFilter.java +++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/ShieldRestFilter.java @@ -19,7 +19,6 @@ import org.elasticsearch.rest.RestRequest; import org.elasticsearch.shield.authc.AuthenticationService; import org.elasticsearch.shield.authc.pki.PkiRealm; import org.elasticsearch.shield.license.ShieldLicenseState; -import org.elasticsearch.shield.transport.SSLClientAuth; import org.elasticsearch.shield.transport.netty.ShieldNettyHttpServerTransport; import org.elasticsearch.threadpool.ThreadPool; import org.jboss.netty.handler.ssl.SslHandler; 
@@ -46,10 +45,8 @@ public class ShieldRestFilter extends RestFilter {
         this.licenseState = licenseState;
         this.threadContext = threadPool.getThreadContext();
         controller.registerFilter(this);
-        boolean ssl = settings.getAsBoolean(ShieldNettyHttpServerTransport.HTTP_SSL_SETTING,
-                ShieldNettyHttpServerTransport.HTTP_SSL_DEFAULT);
-        extractClientCertificate = ssl && SSLClientAuth.parse(settings.get(ShieldNettyHttpServerTransport.HTTP_CLIENT_AUTH_SETTING),
-                ShieldNettyHttpServerTransport.HTTP_CLIENT_AUTH_DEFAULT).enabled();
+        boolean ssl = ShieldNettyHttpServerTransport.SSL_SETTING.get(settings);
+        extractClientCertificate = ssl && ShieldNettyHttpServerTransport.CLIENT_AUTH_SETTING.get(settings).enabled();
         logger = Loggers.getLogger(getClass(), settings);
     }
 
diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/RestShieldInfoAction.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/RestShieldInfoAction.java
index 34e98ce4c91..b79fbb9e51a 100644
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/RestShieldInfoAction.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/RestShieldInfoAction.java
@@ -20,7 +20,7 @@ import org.elasticsearch.rest.RestController;
 import org.elasticsearch.rest.RestRequest;
 import org.elasticsearch.rest.RestStatus;
 import org.elasticsearch.shield.ShieldBuild;
-import org.elasticsearch.shield.Shield;
+import org.elasticsearch.shield.Security;
 import org.elasticsearch.shield.license.ShieldLicenseState;
 
 import static org.elasticsearch.rest.RestRequest.Method.GET;
@@ -38,7 +38,7 @@ public class RestShieldInfoAction extends BaseRestHandler { super(settings, client); this.clusterName = clusterName; this.shieldLicenseState = licenseState; - this.shieldEnabled = Shield.enabled(settings); + this.shieldEnabled = Security.enabled(settings); controller.registerHandler(GET, "/_shield", this); controller.registerHandler(HEAD, "/_shield", this); } diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/ssl/AbstractSSLService.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/ssl/AbstractSSLService.java index c553c87676a..ee5dd5ff771 100644 --- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/ssl/AbstractSSLService.java +++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/ssl/AbstractSSLService.java @@ -6,9 +6,8 @@ package org.elasticsearch.shield.ssl; import org.elasticsearch.ElasticsearchException; +import org.elasticsearch.common.Strings; import org.elasticsearch.common.component.AbstractComponent; -import org.elasticsearch.common.logging.ESLogger; -import org.elasticsearch.common.logging.Loggers; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.unit.TimeValue; import org.elasticsearch.env.Environment; 
@@ -40,17 +39,6 @@ import java.util.concurrent.ConcurrentHashMap; */ public abstract class AbstractSSLService extends AbstractComponent { - public static final String CIPHERS_SETTING = "shield.ssl.ciphers"; - public static final String SUPPORTED_PROTOCOLS_SETTING = "shield.ssl.supported_protocols"; - - public static final String[] DEFAULT_SUPPORTED_PROTOCOLS = new String[]{"TLSv1", "TLSv1.1", "TLSv1.2"}; - - static final String[] DEFAULT_CIPHERS = new String[]{"TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA", - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"}; - static final TimeValue DEFAULT_SESSION_CACHE_TIMEOUT = TimeValue.timeValueHours(24); - static final int DEFAULT_SESSION_CACHE_SIZE = 1000; - static final String DEFAULT_PROTOCOL = "TLSv1.2"; - private final ConcurrentHashMap sslContexts = new ConcurrentHashMap<>(); private final SSLContextCacheLoader cacheLoader = new SSLContextCacheLoader(); protected Environment env; @@ -70,11 +58,11 @@ public abstract class AbstractSSLService extends AbstractComponent { } public String[] supportedProtocols() { - return settings.getAsArray(SUPPORTED_PROTOCOLS_SETTING, DEFAULT_SUPPORTED_PROTOCOLS); + return SSLSettings.Globals.SUPPORTED_PROTOCOLS_SETTING.get(settings).toArray(Strings.EMPTY_ARRAY); } public String[] ciphers() { - return settings.getAsArray(CIPHERS_SETTING, DEFAULT_CIPHERS); + return SSLSettings.Globals.CIPHERS_SETTING.get(settings).toArray(Strings.EMPTY_ARRAY); } public SSLEngine createSSLEngine() { 
@@ -86,8 +74,9 @@ public abstract class AbstractSSLService extends AbstractComponent { } public SSLEngine createSSLEngine(Settings settings, String host, int port) { - String[] ciphers = settings.getAsArray(CIPHERS_SETTING, ciphers()); - String[] supportedProtocols = settings.getAsArray(SUPPORTED_PROTOCOLS_SETTING, supportedProtocols()); + String[] ciphers = SSLSettings.Globals.CIPHERS_SETTING.get(settings, this.settings).toArray(Strings.EMPTY_ARRAY); + String[] supportedProtocols = SSLSettings.Globals.SUPPORTED_PROTOCOLS_SETTING.get(settings, this.settings) + .toArray(Strings.EMPTY_ARRAY); return createSSLEngine(sslContext(settings), ciphers, supportedProtocols, host, port); } @@ -101,26 +90,6 @@ public abstract class AbstractSSLService extends AbstractComponent { cacheLoader.load(theSettings)); } - /** - * @return The list of sensitive settings. (these settings shouldnot be exposed via rest API for example) - */ - public static String[] sensitiveSettings() { - return new String[]{ - CIPHERS_SETTING, - SUPPORTED_PROTOCOLS_SETTING, - "protocol", - "session.cache_size", - "session.cache_timeout", - "keystore.path", - "keystore.password", - "keystore.algorithm", - "keystore.key_password", - "truststore.path", - "truststore.password", - "truststore.algorithm" - }; - } - protected abstract SSLSettings sslSettings(Settings customSettings); SSLEngine createSSLEngine(SSLContext sslContext, String[] ciphers, String[] supportedProtocols, String host, int port) { 
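Review bot: Removing `sensitiveSettings()` moves responsibility for hiding `keystore.password`, `truststore.password` and friends onto `Property.Filtered`, and the node-wide `SSLSettings.Globals` constants in the new file do carry it, but the unprefixed names in the deleted list correspond to the profile-scoped variants declared after them in SSLSettings (only `create("keystore.path", Globals.KEYSTORE_PATH_SETTING)` is visible here, the rest is cut off); if those lack `Property.Filtered`, a per-profile keystore password becomes visible through the settings API where the old list hid it, so that is worth confirming before merge. In `createSSLEngine(Settings settings, String host, int port)` the override lookup `CIPHERS_SETTING.get(settings, this.settings)` now keys on the `setting("ssl.ciphers")` name instead of `shield.ssl.ciphers`, so a caller still passing custom settings under the old key silently falls through to the node-wide value; a comment on the `settings` parameter stating which key shape it expects would make that fall-through visible.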
@@ -258,87 +227,6 @@ public abstract class AbstractSSLService extends AbstractComponent { } - public static class SSLSettings { - - private static final ESLogger logger = Loggers.getLogger(SSLSettings.class); - - String keyStorePath; - String keyStorePassword; - String keyStoreAlgorithm; - String keyPassword; - String trustStorePath; - String trustStorePassword; - String trustStoreAlgorithm; - String sslProtocol; - int sessionCacheSize; - TimeValue sessionCacheTimeout; - - SSLSettings(Settings settings, Settings sslServiceSettings) { - keyStorePath = settings.get("keystore.path", sslServiceSettings.get("shield.ssl.keystore.path", - System.getProperty("javax.net.ssl.keyStore"))); - keyStorePassword = settings.get("keystore.password", sslServiceSettings.get("shield.ssl.keystore.password", - System.getProperty("javax.net.ssl.keyStorePassword"))); - keyStoreAlgorithm = settings.get("keystore.algorithm", sslServiceSettings.get("shield.ssl.keystore.algorithm", - System.getProperty("ssl.KeyManagerFactory.algorithm", KeyManagerFactory.getDefaultAlgorithm()))); - keyPassword = settings.get("keystore.key_password", - sslServiceSettings.get("shield.ssl.keystore.key_password", keyStorePassword)); - - // Truststore settings - trustStorePath = settings.get("truststore.path", sslServiceSettings.get("shield.ssl.truststore.path", - System.getProperty("javax.net.ssl.trustStore"))); - trustStorePassword = settings.get("truststore.password", sslServiceSettings.get("shield.ssl.truststore.password", - System.getProperty("javax.net.ssl.trustStorePassword"))); - trustStoreAlgorithm = settings.get("truststore.algorithm", sslServiceSettings.get("shield.ssl.truststore.algorithm", - System.getProperty("ssl.TrustManagerFactory.algorithm", TrustManagerFactory.getDefaultAlgorithm()))); - - sslProtocol = settings.get("protocol", sslServiceSettings.get("shield.ssl.protocol", DEFAULT_PROTOCOL)); - sessionCacheSize = settings.getAsInt("session.cache_size", - 
sslServiceSettings.getAsInt("shield.ssl.session.cache_size", DEFAULT_SESSION_CACHE_SIZE)); - sessionCacheTimeout = settings.getAsTime("session.cache_timeout", - sslServiceSettings.getAsTime("shield.ssl.session.cache_timeout", DEFAULT_SESSION_CACHE_TIMEOUT)); - - if (trustStorePath == null) { - if (logger.isDebugEnabled()) { - logger.debug("no truststore defined. using keystore [{}] as truststore", keyStorePath); - } - trustStorePath = keyStorePath; - trustStorePassword = keyStorePassword; - } - } - - @Override - public boolean equals(Object o) { - if (this == o) { - return true; - } - if (o == null || getClass() != o.getClass()) { - return false; - } - - SSLSettings that = (SSLSettings) o; - - if (keyStorePath != null ? !keyStorePath.equals(that.keyStorePath) : that.keyStorePath != null) { - return false; - } - if (sslProtocol != null ? !sslProtocol.equals(that.sslProtocol) : that.sslProtocol != null) { - return false; - } - if (trustStorePath != null ? !trustStorePath.equals(that.trustStorePath) : that.trustStorePath != null) { - return false; - } - - return true; - } - - @Override - public int hashCode() { - int result = keyStorePath != null ? keyStorePath.hashCode() : 0; - result = 31 * result + (trustStorePath != null ? trustStorePath.hashCode() : 0); - result = 31 * result + (sslProtocol != null ? sslProtocol.hashCode() : 0); - return result; - } - } - /** * This socket factory set the protocols and ciphers on each SSLSocket after it is created */ diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/ssl/ClientSSLService.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/ssl/ClientSSLService.java index d754efac3dd..64f18f4022e 100644 --- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/ssl/ClientSSLService.java +++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/ssl/ClientSSLService.java 
@@ -35,6 +35,7 @@ public class ClientSSLService extends AbstractSSLService {
             if (sslSettings.keyStorePassword == null) {
                 throw new IllegalArgumentException("no keystore password configured");
             }
+            assert sslSettings.keyPassword != null;
         }
 
         if (sslSettings.trustStorePath != null) {
diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/ssl/SSLSettings.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/ssl/SSLSettings.java
new file mode 100644
index 00000000000..62fe6d1bb7b
--- /dev/null
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/ssl/SSLSettings.java
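Review bot: `assert sslSettings.keyPassword != null;` only executes under `-ea`, so in production a null key password passes straight through to whatever loads the keystore; the check two lines above uses `throw new IllegalArgumentException(...)` for the keystore password, and if a null key password is equally invalid the same form, `throw new IllegalArgumentException("no key password configured")`, should be used. If the assert instead encodes the invariant that the key password defaults to the keystore password (the new `KEYSTORE_KEY_PASSWORD_SETTING` in SSLSettings is built from `KEYSTORE_PASSWORD_SETTING`), a comment such as `// key_password falls back to the keystore password, so it is non-null once that has been checked` should say so. The enclosing validation method begins before this hunk.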
@@ -0,0 +1,180 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ +package org.elasticsearch.shield.ssl; + +import org.elasticsearch.common.logging.ESLogger; +import org.elasticsearch.common.logging.Loggers; +import org.elasticsearch.common.settings.Setting; +import org.elasticsearch.common.settings.Setting.Property; +import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.common.settings.SettingsModule; +import org.elasticsearch.common.unit.TimeValue; + +import javax.net.ssl.KeyManagerFactory; +import javax.net.ssl.TrustManagerFactory; +import java.util.Arrays; +import java.util.List; +import java.util.Optional; +import java.util.function.Function; + +import static org.elasticsearch.shield.Security.setting; +import static org.elasticsearch.shield.support.OptionalStringSetting.create; + +/** + * Class that contains all settings related to SSL + */ +public class SSLSettings { + + public interface Globals { + List DEFAULT_SUPPORTED_PROTOCOLS = Arrays.asList("TLSv1", "TLSv1.1", "TLSv1.2"); + List DEFAULT_CIPHERS = + Arrays.asList("TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"); + TimeValue DEFAULT_SESSION_CACHE_TIMEOUT = TimeValue.timeValueHours(24); + int DEFAULT_SESSION_CACHE_SIZE = 1000; + String DEFAULT_PROTOCOL = "TLSv1.2"; + + Setting> CIPHERS_SETTING = + Setting.listSetting(setting("ssl.ciphers"), DEFAULT_CIPHERS, Function.identity(), Property.NodeScope, Property.Filtered); + Setting> SUPPORTED_PROTOCOLS_SETTING = + Setting.listSetting(setting("ssl.supported_protocols"), DEFAULT_SUPPORTED_PROTOCOLS, + Function.identity(), Property.NodeScope, Property.Filtered); + Setting> KEYSTORE_PATH_SETTING = create(setting("ssl.keystore.path"), + s -> System.getProperty("javax.net.ssl.keyStore"), 
Property.NodeScope, Property.Filtered); + Setting> KEYSTORE_PASSWORD_SETTING = create(setting("ssl.keystore.password"), + s -> System.getProperty("javax.net.ssl.keyStorePassword"), Property.NodeScope, Property.Filtered); + Setting KEYSTORE_ALGORITHM_SETTING = + new Setting<>(setting("ssl.keystore.algorithm"), + s -> System.getProperty("ssl.KeyManagerFactory.algorithm", KeyManagerFactory.getDefaultAlgorithm()), + Function.identity(), Property.NodeScope, Property.Filtered); + Setting> KEYSTORE_KEY_PASSWORD_SETTING = create(setting("ssl.keystore.key_password"), KEYSTORE_PASSWORD_SETTING, + Property.NodeScope, Property.Filtered); + Setting> TRUSTSTORE_PATH_SETTING = create(setting("ssl.truststore.path"), + s -> System.getProperty("javax.net.ssl.trustStore"), Property.NodeScope, Property.Filtered); + Setting> TRUSTSTORE_PASSWORD_SETTING = create(setting("ssl.truststore.password"), + s -> System.getProperty("javax.net.ssl.trustStorePassword"), Property.NodeScope, Property.Filtered); + Setting TRUSTSTORE_ALGORITHM_SETTING = + new Setting<>(setting("ssl.truststore.algorithm"), + s -> System.getProperty("ssl.TrustManagerFactory.algorithm", TrustManagerFactory.getDefaultAlgorithm()), + Function.identity(), Property.NodeScope, Property.Filtered); + Setting PROTOCOL_SETTING = + new Setting<>(setting("ssl.protocol"), DEFAULT_PROTOCOL, Function.identity(), Property.NodeScope, Property.Filtered); + Setting SESSION_CACHE_SIZE_SETTING = + Setting.intSetting(setting("ssl.session.cache_size"), DEFAULT_SESSION_CACHE_SIZE, Property.NodeScope, Property.Filtered); + Setting SESSION_CACHE_TIMEOUT_SETTING = + Setting.timeSetting(setting("ssl.session.cache_timeout"), DEFAULT_SESSION_CACHE_TIMEOUT, + Property.NodeScope, Property.Filtered); + } + + private static final ESLogger logger = Loggers.getLogger(SSLSettings.class); + + static Setting> KEYSTORE_PATH_SETTING = create("keystore.path", Globals.KEYSTORE_PATH_SETTING); + static Setting> KEYSTORE_PASSWORD_SETTING = 
create("keystore.password", Globals.KEYSTORE_PASSWORD_SETTING); + static Setting KEYSTORE_ALGORITHM_SETTING = + new Setting<>("keystore.algorithm", Globals.KEYSTORE_ALGORITHM_SETTING, s -> s); + + //key password fallback should be keystore.key_password -> keystore.password -> global keystore.key_pasword -> global keystore.password + static Setting> KEY_PASSWORD_FALLBACK = create("keystore.password", Globals.KEYSTORE_KEY_PASSWORD_SETTING); + static Setting> KEY_PASSWORD_SETTING = create("keystore.key_password", KEY_PASSWORD_FALLBACK); + + static Setting> TRUSTSTORE_PATH_SETTING = create("truststore.path", Globals.TRUSTSTORE_PATH_SETTING); + static Setting> TRUSTSTORE_PASSWORD_SETTING = create("truststore.password", Globals.TRUSTSTORE_PASSWORD_SETTING); + static Setting TRUSTSTORE_ALGORITHM_SETTING = + new Setting<>("truststore.algorithm", Globals.TRUSTSTORE_ALGORITHM_SETTING, s -> s); + static Setting PROTOCOL_SETTING = + new Setting<>("protocol", Globals.PROTOCOL_SETTING, s -> s); + static Setting CACHE_SIZE_SETTING = + new Setting<>("session.cache_size", Globals.SESSION_CACHE_SIZE_SETTING, Integer::parseInt); + static Setting CACHE_TIMEOUT_SETTING = + Setting.timeSetting("session.cache_timeout", Globals.SESSION_CACHE_TIMEOUT_SETTING); + + String keyStorePath; + String keyStorePassword; + String keyStoreAlgorithm; + String keyPassword; + String trustStorePath; + String trustStorePassword; + String trustStoreAlgorithm; + String sslProtocol; + int sessionCacheSize; + TimeValue sessionCacheTimeout; + + SSLSettings(Settings settings, Settings sslServiceSettings) { + keyStorePath = getStringOrNull(KEYSTORE_PATH_SETTING, settings, sslServiceSettings); + keyStorePassword = getStringOrNull(KEYSTORE_PASSWORD_SETTING, settings, sslServiceSettings); + keyStoreAlgorithm = KEYSTORE_ALGORITHM_SETTING.get(settings, sslServiceSettings); + keyPassword = getStringOrNull(KEY_PASSWORD_SETTING, settings, sslServiceSettings); + + // Truststore settings + trustStorePath = 
getStringOrNull(TRUSTSTORE_PATH_SETTING, settings, sslServiceSettings); + trustStorePassword = getStringOrNull(TRUSTSTORE_PASSWORD_SETTING, settings, sslServiceSettings); + trustStoreAlgorithm = TRUSTSTORE_ALGORITHM_SETTING.get(settings, sslServiceSettings); + + sslProtocol = PROTOCOL_SETTING.get(settings, sslServiceSettings); + sessionCacheSize = CACHE_SIZE_SETTING.get(settings, sslServiceSettings); + sessionCacheTimeout = CACHE_TIMEOUT_SETTING.get(settings, sslServiceSettings); + + if (trustStorePath == null) { + if (logger.isDebugEnabled()) { + logger.debug("no truststore defined. using keystore [{}] as truststore", keyStorePath); + } + trustStorePath = keyStorePath; + trustStorePassword = keyStorePassword; + } + } + + @Override + public boolean equals(Object o) { + if (this == o) { + return true; + } + if (o == null || getClass() != o.getClass()) { + return false; + } + + SSLSettings that = (SSLSettings) o; + + if (keyStorePath != null ? !keyStorePath.equals(that.keyStorePath) : that.keyStorePath != null) { + return false; + } + if (sslProtocol != null ? !sslProtocol.equals(that.sslProtocol) : that.sslProtocol != null) { + return false; + } + if (trustStorePath != null ? !trustStorePath.equals(that.trustStorePath) : that.trustStorePath != null) { + return false; + } + + return true; + } + + @Override + public int hashCode() { + int result = keyStorePath != null ? keyStorePath.hashCode() : 0; + result = 31 * result + (trustStorePath != null ? trustStorePath.hashCode() : 0); + result = 31 * result + (sslProtocol != null ? 
sslProtocol.hashCode() : 0); + return result; + } + + public static void registerSettings(SettingsModule settingsModule) { + settingsModule.registerSetting(Globals.CIPHERS_SETTING); + settingsModule.registerSetting(Globals.SUPPORTED_PROTOCOLS_SETTING); + settingsModule.registerSetting(Globals.KEYSTORE_PATH_SETTING); + settingsModule.registerSetting(Globals.KEYSTORE_PASSWORD_SETTING); + settingsModule.registerSetting(Globals.KEYSTORE_ALGORITHM_SETTING); + settingsModule.registerSetting(Globals.KEYSTORE_KEY_PASSWORD_SETTING); + settingsModule.registerSetting(Globals.TRUSTSTORE_PATH_SETTING); + settingsModule.registerSetting(Globals.TRUSTSTORE_PASSWORD_SETTING); + settingsModule.registerSetting(Globals.TRUSTSTORE_ALGORITHM_SETTING); + settingsModule.registerSetting(Globals.PROTOCOL_SETTING); + settingsModule.registerSetting(Globals.SESSION_CACHE_SIZE_SETTING); + settingsModule.registerSetting(Globals.SESSION_CACHE_TIMEOUT_SETTING); + } + + private static String getStringOrNull(Setting> setting, Settings settings, Settings fallbackSettings) { + // for settings with complicated fallback we need to try to get it first, if not then try the fallback settings + Optional optional = setting.get(settings); + return optional.orElse(setting.get(fallbackSettings).orElse(null)); + } +} diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/ssl/ServerSSLService.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/ssl/ServerSSLService.java index 7e380dada84..376d70a66d4 100644 --- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/ssl/ServerSSLService.java +++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/ssl/ServerSSLService.java 
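Review bot: The defaults in `Globals` need a justification comment: `DEFAULT_SUPPORTED_PROTOCOLS` still enables TLSv1 and TLSv1.1, and two of the three `DEFAULT_CIPHERS` (`TLS_RSA_WITH_AES_128_CBC_SHA256`, `TLS_RSA_WITH_AES_128_CBC_SHA`) use static RSA key exchange with no forward secrecy, so only the ECDHE suite, listed last, protects recorded traffic against a later key compromise. If these lists are carried over unchanged from AbstractSSLService the change itself is out of scope here, but at minimum the ECDHE suite should come first and the list be annotated, e.g. `// static-RSA suites kept for JDK-default interoperability; they offer no forward secrecy`. Two smaller points: `Globals` is an interface used purely as a constant holder (a final class with a private constructor is the usual form), and the comment above `KEY_PASSWORD_FALLBACK` misspells `key_password`. `getStringOrNull` would also benefit from a Javadoc stating that the whole fallback chain is resolved against `settings` before `fallbackSettings` is consulted at all.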
@@ -26,6 +26,7 @@ public class ServerSSLService extends AbstractSSLService { if (sslSettings.keyStorePassword == null) { throw new IllegalArgumentException("no keystore password configured"); } + assert sslSettings.keyPassword != null; assert sslSettings.trustStorePath != null; if (sslSettings.trustStorePassword == null) { diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/support/AbstractShieldModule.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/support/AbstractShieldModule.java index 9292ef9dfe2..dcad2314452 100644 --- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/support/AbstractShieldModule.java +++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/support/AbstractShieldModule.java @@ -9,7 +9,7 @@ import org.elasticsearch.client.Client; import org.elasticsearch.client.transport.TransportClient; import org.elasticsearch.common.inject.AbstractModule; import org.elasticsearch.common.settings.Settings; -import org.elasticsearch.shield.Shield; +import org.elasticsearch.shield.Security; /** * @@ -23,7 +23,7 @@ public abstract class AbstractShieldModule extends AbstractModule { public AbstractShieldModule(Settings settings) { this.settings = settings; this.clientMode = TransportClient.CLIENT_TYPE.equals(settings.get(Client.CLIENT_TYPE_SETTING_S.getKey())); - this.shieldEnabled = Shield.enabled(settings); + this.shieldEnabled = Security.enabled(settings); } @Override diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/support/Exceptions.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/support/Exceptions.java index bc734d6cf76..caac6700b01 100644 --- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/support/Exceptions.java +++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/support/Exceptions.java 
@@ -7,7 +7,7 @@ package org.elasticsearch.shield.support; import org.elasticsearch.ElasticsearchSecurityException; import org.elasticsearch.rest.RestStatus; -import org.elasticsearch.shield.Shield; +import org.elasticsearch.shield.Security; /** * @@ -19,13 +19,13 @@ public class Exceptions { public static ElasticsearchSecurityException authenticationError(String msg, Throwable cause, Object... args) { ElasticsearchSecurityException e = new ElasticsearchSecurityException(msg, RestStatus.UNAUTHORIZED, cause, args); - e.addHeader("WWW-Authenticate", "Basic realm=\"" + Shield.NAME + "\""); + e.addHeader("WWW-Authenticate", "Basic realm=\"" + Security.NAME + "\""); return e; } public static ElasticsearchSecurityException authenticationError(String msg, Object... args) { ElasticsearchSecurityException e = new ElasticsearchSecurityException(msg, RestStatus.UNAUTHORIZED, args); - e.addHeader("WWW-Authenticate", "Basic realm=\"" + Shield.NAME + "\""); + e.addHeader("WWW-Authenticate", "Basic realm=\"" + Security.NAME + "\""); return e; } diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/support/OptionalStringSetting.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/support/OptionalStringSetting.java new file mode 100644 index 00000000000..f2b0a73616d --- /dev/null +++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/support/OptionalStringSetting.java 
@@ -0,0 +1,30 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ +package org.elasticsearch.shield.support; + +import org.elasticsearch.common.settings.Setting; +import org.elasticsearch.common.settings.Setting.Property; +import org.elasticsearch.common.settings.Settings; + +import java.util.Optional; +import java.util.function.Function; + +public class OptionalStringSetting { + + private OptionalStringSetting() {} + + public static Setting> create(String key, Property... properties) { + return create(key, s -> null, properties); + } + + public static Setting> create(String key, Function defaultValue, Property... properties) { + return new Setting<>(key, defaultValue, Optional::ofNullable, properties); + } + + public static Setting> create(String key, Setting> fallback, Property... properties) { + return new Setting<>(key, fallback, Optional::ofNullable, properties); + } +} diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/transport/SSLClientAuth.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/transport/SSLClientAuth.java index 7ffc4bec8da..f6343d151f9 100644 --- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/transport/SSLClientAuth.java +++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/transport/SSLClientAuth.java @@ -44,10 +44,8 @@ public enum SSLClientAuth { public abstract void configure(SSLEngine engine); - public static SSLClientAuth parse(String value, SSLClientAuth defaultValue) { - if (value == null) { - return defaultValue; - } + public static SSLClientAuth parse(String value) { + assert value != null; switch (value.toLowerCase(Locale.ROOT)) { case "no": case "false": 
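Review bot: `OptionalStringSetting` has no class or method documentation, and its three `create` overloads differ in a way callers need to know: the key-only form yields a setting whose default is `null` wrapped as `Optional.empty()`, while the fallback form delegates to another `Optional<String>` setting. A short class Javadoc ("Factory for `Setting<Optional<String>>` used where a string setting may legitimately be absent, e.g. SSL passwords") plus one line per overload would suffice. Note also that the parser is `Optional::ofNullable`, so an explicitly configured empty string produces `Optional.of("")` rather than an empty Optional; if that is intended it is worth stating in the Javadoc.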
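Review bot: `parse(String)` now guards null only with `assert value != null;`, so with assertions disabled a null reaches `value.toLowerCase(Locale.ROOT)` and surfaces as a bare NullPointerException with no hint of which setting was at fault. Since the method is now the parser for the `Setting<SSLClientAuth>` instances, either replace the assert with `Objects.requireNonNull(value, "ssl client auth value must not be null");` or keep it and add `// callers are Setting parsers whose defaults are non-null`. The switch body continues outside the hunk.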
diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/transport/ShieldServerTransportService.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/transport/ShieldServerTransportService.java index 0e4dad913f7..ee79f6628d0 100644 --- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/transport/ShieldServerTransportService.java +++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/transport/ShieldServerTransportService.java @@ -7,7 +7,6 @@ package org.elasticsearch.shield.transport; import org.elasticsearch.cluster.node.DiscoveryNode; import org.elasticsearch.common.inject.Inject; -import org.elasticsearch.common.io.stream.NamedWriteableRegistry; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.shield.action.ShieldActionMapper; @@ -35,12 +34,9 @@ import java.util.HashMap; import java.util.Map; import java.util.function.Supplier; -import static org.elasticsearch.shield.transport.netty.ShieldNettyTransport.TRANSPORT_CLIENT_AUTH_DEFAULT; -import static org.elasticsearch.shield.transport.netty.ShieldNettyTransport.TRANSPORT_CLIENT_AUTH_SETTING; -import static org.elasticsearch.shield.transport.netty.ShieldNettyTransport.TRANSPORT_PROFILE_CLIENT_AUTH_SETTING; -import static org.elasticsearch.shield.transport.netty.ShieldNettyTransport.TRANSPORT_PROFILE_SSL_SETTING; -import static org.elasticsearch.shield.transport.netty.ShieldNettyTransport.TRANSPORT_SSL_DEFAULT; -import static org.elasticsearch.shield.transport.netty.ShieldNettyTransport.TRANSPORT_SSL_SETTING; +import static org.elasticsearch.shield.transport.netty.ShieldNettyTransport.CLIENT_AUTH_SETTING; +import static org.elasticsearch.shield.transport.netty.ShieldNettyTransport.PROFILE_CLIENT_AUTH_SETTING; +import static org.elasticsearch.shield.transport.netty.ShieldNettyTransport.SSL_SETTING; /** * 
@@ -127,10 +123,8 @@ public class ShieldServerTransportService extends TransportService { for (Map.Entry entry : profileSettingsMap.entrySet()) { Settings profileSettings = entry.getValue(); - final boolean profileSsl = profileSettings.getAsBoolean(TRANSPORT_PROFILE_SSL_SETTING, - settings.getAsBoolean(TRANSPORT_SSL_SETTING, TRANSPORT_SSL_DEFAULT)); - final boolean clientAuth = SSLClientAuth.parse(profileSettings.get(TRANSPORT_PROFILE_CLIENT_AUTH_SETTING, - settings.get(TRANSPORT_CLIENT_AUTH_SETTING)), TRANSPORT_CLIENT_AUTH_DEFAULT).enabled(); + final boolean profileSsl = ShieldNettyTransport.profileSsl(profileSettings, settings); + final boolean clientAuth = PROFILE_CLIENT_AUTH_SETTING.get(profileSettings, settings).enabled(); final boolean extractClientCert = profileSsl && clientAuth; String type = entry.getValue().get(SETTING_NAME, "node"); switch (type) { @@ -145,9 +139,8 @@ public class ShieldServerTransportService extends TransportService { } if (!profileFilters.containsKey(TransportSettings.DEFAULT_PROFILE)) { - final boolean profileSsl = settings.getAsBoolean(TRANSPORT_SSL_SETTING, TRANSPORT_SSL_DEFAULT); - final boolean clientAuth = - SSLClientAuth.parse(settings.get(TRANSPORT_CLIENT_AUTH_SETTING), TRANSPORT_CLIENT_AUTH_DEFAULT).enabled(); + final boolean profileSsl = SSL_SETTING.get(settings); + final boolean clientAuth = CLIENT_AUTH_SETTING.get(settings).enabled(); final boolean extractClientCert = profileSsl && clientAuth; profileFilters.put(TransportSettings.DEFAULT_PROFILE, new ServerTransportFilter.NodeProfile(authcService, authzService, actionMapper, threadPool.getThreadContext(), extractClientCert)); diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/transport/ShieldTransportModule.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/transport/ShieldTransportModule.java index cacbce6a034..c29fc564a28 100644 
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/transport/ShieldTransportModule.java +++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/transport/ShieldTransportModule.java @@ -27,7 +27,7 @@ public class ShieldTransportModule extends AbstractShieldModule { bind(ClientTransportFilter.class).to(ClientTransportFilter.TransportClient.class).asEagerSingleton(); } else { bind(ClientTransportFilter.class).to(ClientTransportFilter.Node.class).asEagerSingleton(); - if (settings.getAsBoolean("shield.transport.filter.enabled", true)) { + if (IPFilter.IP_FILTER_ENABLED_SETTING.get(settings)) { bind(IPFilter.class).asEagerSingleton(); } } diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/transport/filter/IPFilter.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/transport/filter/IPFilter.java index e2ca1e50de4..7a4100c6bd6 100644 --- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/transport/filter/IPFilter.java +++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/transport/filter/IPFilter.java @@ -7,13 +7,14 @@ package org.elasticsearch.shield.transport.filter; import org.apache.lucene.util.SetOnce; -import org.elasticsearch.common.Booleans; import org.elasticsearch.common.inject.Inject; import org.elasticsearch.common.logging.ESLogger; import org.elasticsearch.common.logging.Loggers; import org.elasticsearch.common.settings.ClusterSettings; import org.elasticsearch.common.settings.Setting; +import org.elasticsearch.common.settings.Setting.Property; import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.common.settings.SettingsModule; import org.elasticsearch.common.transport.BoundTransportAddress; import org.elasticsearch.common.transport.TransportAddress; import org.elasticsearch.shield.audit.AuditTrail; 
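Review bot: `IPFilter.IP_FILTER_ENABLED_SETTING.get(settings)` is evaluated once, at module construction, to decide whether `IPFilter` is bound at all, yet the setting is declared `Property.Dynamic` in IPFilter. If the filter starts disabled, a later cluster-settings update that enables it presumably has no bound instance to act on; either document that at the bind site (`// read once at startup: a dynamic enable only takes effect if the filter was bound here`) or bind `IPFilter` unconditionally and let it consult the dynamic flag itself. The enclosing method starts outside the hunk.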
@@ -30,6 +31,7 @@ import java.util.Map; import java.util.function.Function; import static java.util.Collections.unmodifiableMap; +import static org.elasticsearch.shield.Security.setting; public class IPFilter { 
@@ -41,24 +43,32 @@ public class IPFilter { */ public static final String HTTP_PROFILE_NAME = ".http"; - public static final Setting IP_FILTER_ENABLED_HTTP_SETTING = Setting.boolSetting("shield.http.filter.enabled", true, - Setting.Property.Dynamic, Setting.Property.NodeScope); - public static final Setting IP_FILTER_ENABLED_SETTING = new Setting<>("shield.transport.filter.enabled", (s) -> - IP_FILTER_ENABLED_HTTP_SETTING.getDefaultRaw(s), Booleans::parseBooleanExact, Setting.Property.Dynamic, - Setting.Property.NodeScope); - public static final Setting> TRANSPORT_FILTER_ALLOW_SETTING = Setting.listSetting("shield.transport.filter.allow", - Collections.emptyList(), Function.identity(), Setting.Property.Dynamic, Setting.Property.NodeScope); - public static final Setting> TRANSPORT_FILTER_DENY_SETTING = Setting.listSetting("shield.transport.filter.deny", - Collections.emptyList(), Function.identity(), Setting.Property.Dynamic, Setting.Property.NodeScope); + public static final Setting ALLOW_BOUND_ADDRESSES_SETTING = + Setting.boolSetting(setting("filter.always_allow_bound_address"), true, Property.NodeScope); - public static final Setting> HTTP_FILTER_ALLOW_SETTING = Setting.listSetting("shield.http.filter.allow", (s) -> { - return Arrays.asList(s.getAsArray("transport.profiles.default.shield.filter.allow", - TRANSPORT_FILTER_ALLOW_SETTING.get(s).toArray(new String[0]))); - }, Function.identity(), Setting.Property.Dynamic, Setting.Property.NodeScope); - public static final Setting> HTTP_FILTER_DENY_SETTING = Setting.listSetting("shield.http.filter.deny", (s) -> { - return Arrays.asList(s.getAsArray("transport.profiles.default.shield.filter.deny", - TRANSPORT_FILTER_DENY_SETTING.get(s).toArray(new String[0]))); - }, Function.identity(), Setting.Property.Dynamic, Setting.Property.NodeScope); + public static final Setting IP_FILTER_ENABLED_HTTP_SETTING = Setting.boolSetting(setting("http.filter.enabled"), + true, Property.Dynamic, Property.NodeScope); + + public static 
final Setting IP_FILTER_ENABLED_SETTING = Setting.boolSetting(setting("transport.filter.enabled"), + true, Property.Dynamic, Property.NodeScope); + + public static final Setting> TRANSPORT_FILTER_ALLOW_SETTING = Setting.listSetting(setting("transport.filter.allow"), + Collections.emptyList(), Function.identity(), Property.Dynamic, Property.NodeScope); + + public static final Setting> TRANSPORT_FILTER_DENY_SETTING = Setting.listSetting(setting("transport.filter.deny"), + Collections.emptyList(), Function.identity(), Property.Dynamic, Property.NodeScope); + + private static final Setting> HTTP_FILTER_ALLOW_FALLBACK = + Setting.listSetting("transport.profiles.default.xpack.security.filter.allow", TRANSPORT_FILTER_ALLOW_SETTING, s -> s, + Property.NodeScope); + public static final Setting> HTTP_FILTER_ALLOW_SETTING = Setting.listSetting(setting("http.filter.allow"), + HTTP_FILTER_ALLOW_FALLBACK, Function.identity(), Property.Dynamic, Property.NodeScope); + + private static final Setting> HTTP_FILTER_DENY_FALLBACK = + Setting.listSetting("transport.profiles.default.xpack.security.filter.deny", TRANSPORT_FILTER_DENY_SETTING, s -> s, + Property.NodeScope); + public static final Setting> HTTP_FILTER_DENY_SETTING = Setting.listSetting(setting("http.filter.deny"), + HTTP_FILTER_DENY_FALLBACK, Function.identity(), Property.Dynamic, Property.NodeScope); public static final ShieldIpFilterRule DEFAULT_PROFILE_ACCEPT_ALL = new ShieldIpFilterRule(true, "default:accept_all") { 
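Review bot: The allow/deny list settings use `Function.identity()` as their parser, so settings validation accepts any string; because they are also `Property.Dynamic`, a malformed rule submitted via a cluster-settings update is presumably accepted and only rejected later when the rules are rebuilt. Parsing each entry in the setting's parser function, with whatever `createRules` uses to build a `ShieldIpFilterRule`, would reject bad rules before the update is applied. Separately, `HTTP_FILTER_ALLOW_FALLBACK` and `HTTP_FILTER_DENY_FALLBACK` hard-code the `transport.profiles.default.xpack.security.filter.` prefix as a literal while every other key goes through `setting(...)`; building it as `"transport.profiles.default." + setting("filter.allow")` keeps it in step with the prefix helper. The class body continues outside the hunk.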
@@ -101,7 +111,7 @@ public class IPFilter { this.logger = Loggers.getLogger(getClass(), settings); this.auditTrail = auditTrail; this.licenseState = licenseState; - this.alwaysAllowBoundAddresses = settings.getAsBoolean("shield.filter.always_allow_bound_address", true); + this.alwaysAllowBoundAddresses = ALLOW_BOUND_ADDRESSES_SETTING.get(settings); httpDenyFilter = HTTP_FILTER_DENY_SETTING.get(settings); httpAllowFilter = HTTP_FILTER_ALLOW_SETTING.get(settings); transportAllowFilter = TRANSPORT_FILTER_ALLOW_SETTING.get(settings); @@ -205,7 +215,7 @@ public class IPFilter { logger.warn("skipping ip filter rules for profile [{}] since the profile is not bound to any addresses", profile); continue; } - Settings profileSettings = entry.getValue().getByPrefix("shield.filter."); + Settings profileSettings = entry.getValue().getByPrefix(setting("filter.")); profileRules.put(profile, createRules(Arrays.asList(profileSettings.getAsArray("allow")), Arrays.asList(profileSettings.getAsArray("deny")), profileBoundTransportAddress.boundAddresses())); } @@ -249,4 +259,14 @@ public class IPFilter { this.boundHttpTransportAddress.set(boundHttpTransportAddress); updateRules(); } + + public static void registerSettings(SettingsModule settingsModule) { + settingsModule.registerSetting(ALLOW_BOUND_ADDRESSES_SETTING); + settingsModule.registerSetting(IP_FILTER_ENABLED_SETTING); + settingsModule.registerSetting(IP_FILTER_ENABLED_HTTP_SETTING); + settingsModule.registerSetting(HTTP_FILTER_ALLOW_SETTING); + settingsModule.registerSetting(HTTP_FILTER_DENY_SETTING); + settingsModule.registerSetting(TRANSPORT_FILTER_ALLOW_SETTING); + settingsModule.registerSetting(TRANSPORT_FILTER_DENY_SETTING); + } } diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/transport/netty/ShieldNettyHttpServerTransport.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/transport/netty/ShieldNettyHttpServerTransport.java index 89fe349ecfb..d4a049a3228 100644 
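Review bot: `registerSettings` registers the seven public settings but neither the two private fallback settings keyed under `transport.profiles.default.xpack.security.filter.*` nor the per-profile `xpack.security.filter.allow`/`deny` keys that the preceding hunk still reads through raw `getByPrefix`/`getAsArray`. If the `transport.profiles.*` group is not registered elsewhere, the node's strict settings validation would presumably reject such keys at startup; if it is, a comment here saying so (`// transport.profiles.* is a registered group; per-profile filter keys are read raw when rules are rebuilt`) saves the next reader the search.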
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/transport/netty/ShieldNettyHttpServerTransport.java +++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/transport/netty/ShieldNettyHttpServerTransport.java @@ -7,7 +7,10 @@ package org.elasticsearch.shield.transport.netty; import org.elasticsearch.common.inject.Inject; import org.elasticsearch.common.network.NetworkService; +import org.elasticsearch.common.settings.Setting; +import org.elasticsearch.common.settings.Setting.Property; import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.common.settings.SettingsModule; import org.elasticsearch.common.util.BigArrays; import org.elasticsearch.http.netty.NettyHttpServerTransport; import org.elasticsearch.shield.ssl.ServerSSLService; @@ -22,6 +25,7 @@ import org.jboss.netty.handler.ssl.SslHandler; import javax.net.ssl.SSLEngine; +import static org.elasticsearch.shield.Security.setting; import static org.elasticsearch.shield.transport.SSLExceptionHelper.isCloseDuringHandshakeException; import static org.elasticsearch.shield.transport.SSLExceptionHelper.isNotSslRecordException; 
@@ -30,10 +34,16 @@ import static org.elasticsearch.shield.transport.SSLExceptionHelper.isNotSslReco */ public class ShieldNettyHttpServerTransport extends NettyHttpServerTransport { - public static final String HTTP_SSL_SETTING = "shield.http.ssl"; - public static final boolean HTTP_SSL_DEFAULT = false; - public static final String HTTP_CLIENT_AUTH_SETTING = "shield.http.ssl.client.auth"; - public static final SSLClientAuth HTTP_CLIENT_AUTH_DEFAULT = SSLClientAuth.NO; + public static final boolean SSL_DEFAULT = false; + public static final String CLIENT_AUTH_DEFAULT = SSLClientAuth.NO.name(); + + public static final Setting DEPRECATED_SSL_SETTING = + Setting.boolSetting(setting("http.ssl"), SSL_DEFAULT, Property.NodeScope, Property.Deprecated); + public static final Setting SSL_SETTING = + Setting.boolSetting(setting("http.ssl.enabled"), DEPRECATED_SSL_SETTING, Property.NodeScope); + public static final Setting CLIENT_AUTH_SETTING = + new Setting<>(setting("http.ssl.client.auth"), CLIENT_AUTH_DEFAULT, SSLClientAuth::parse, Property.NodeScope); + private final IPFilter ipFilter; private final ServerSSLService sslService; @@ -44,7 +54,7 @@ public class ShieldNettyHttpServerTransport extends NettyHttpServerTransport { IPFilter ipFilter, ServerSSLService sslService, ThreadPool threadPool) { super(settings, networkService, bigArrays, threadPool); this.ipFilter = ipFilter; - this.ssl = settings.getAsBoolean(HTTP_SSL_SETTING, HTTP_SSL_DEFAULT); + this.ssl = SSL_SETTING.get(settings); this.sslService = sslService; } @@ -91,7 +101,7 @@ public class ShieldNettyHttpServerTransport extends NettyHttpServerTransport { public HttpSslChannelPipelineFactory(NettyHttpServerTransport transport) { super(transport, detailedErrorsEnabled, threadPool.getThreadContext()); - clientAuth = SSLClientAuth.parse(settings.get(HTTP_CLIENT_AUTH_SETTING), HTTP_CLIENT_AUTH_DEFAULT); + clientAuth = CLIENT_AUTH_SETTING.get(settings); } @Override 
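Review bot: `SSL_SETTING` and `CLIENT_AUTH_SETTING` here carry only `Property.NodeScope`, whereas their transport counterparts in ShieldNettyTransport add `Property.Filtered`; neither value is secret, so the difference looks accidental and the two files should agree one way or the other. Also, when both the deprecated `xpack.security.http.ssl` and the new `xpack.security.http.ssl.enabled` are configured the new key silently wins because the deprecated one is only a fallback; a comment on `SSL_SETTING` (`// an explicit http.ssl.enabled takes precedence over the deprecated http.ssl flag`) makes that ordering visible. The class body continues outside the hunk.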
@@ -108,4 +118,10 @@ public class ShieldNettyHttpServerTransport extends NettyHttpServerTransport { return pipeline; } } + + public static void registerSettings(SettingsModule settingsModule) { + settingsModule.registerSetting(SSL_SETTING); + settingsModule.registerSetting(CLIENT_AUTH_SETTING); + settingsModule.registerSetting(DEPRECATED_SSL_SETTING); + } } diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/transport/netty/ShieldNettyTransport.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/transport/netty/ShieldNettyTransport.java index ecac5885c4e..1a38d4d3e24 100644 --- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/transport/netty/ShieldNettyTransport.java +++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/transport/netty/ShieldNettyTransport.java @@ -11,7 +11,10 @@ import org.elasticsearch.common.inject.Inject; import org.elasticsearch.common.inject.internal.Nullable; import org.elasticsearch.common.io.stream.NamedWriteableRegistry; import org.elasticsearch.common.network.NetworkService; +import org.elasticsearch.common.settings.Setting; +import org.elasticsearch.common.settings.Setting.Property; import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.common.settings.SettingsModule; import org.elasticsearch.common.util.BigArrays; import org.elasticsearch.shield.ssl.ClientSSLService; import org.elasticsearch.shield.ssl.ServerSSLService; @@ -31,6 +34,8 @@ import javax.net.ssl.SSLEngine; import javax.net.ssl.SSLParameters; import java.net.InetSocketAddress; +import static org.elasticsearch.shield.Security.setting; +import static org.elasticsearch.shield.Security.settingPrefix; import static org.elasticsearch.shield.transport.SSLExceptionHelper.isCloseDuringHandshakeException; import static org.elasticsearch.shield.transport.SSLExceptionHelper.isNotSslRecordException; 
@@ -39,14 +44,32 @@ import static org.elasticsearch.shield.transport.SSLExceptionHelper.isNotSslReco
 */
 public class ShieldNettyTransport extends NettyTransport {
- public static final String HOSTNAME_VERIFICATION_SETTING = "shield.ssl.hostname_verification";
- public static final String HOSTNAME_VERIFICATION_RESOLVE_NAME_SETTING = "shield.ssl.hostname_verification.resolve_name";
- public static final String TRANSPORT_SSL_SETTING = "shield.transport.ssl";
- public static final boolean TRANSPORT_SSL_DEFAULT = false;
- public static final String TRANSPORT_CLIENT_AUTH_SETTING = "shield.transport.ssl.client.auth";
- public static final SSLClientAuth TRANSPORT_CLIENT_AUTH_DEFAULT = SSLClientAuth.REQUIRED;
- public static final String TRANSPORT_PROFILE_SSL_SETTING = "shield.ssl";
- public static final String TRANSPORT_PROFILE_CLIENT_AUTH_SETTING = "shield.ssl.client.auth";
+ public static final String CLIENT_AUTH_DEFAULT = SSLClientAuth.REQUIRED.name();
+ public static final boolean SSL_DEFAULT = false;
+
+ public static final Setting HOSTNAME_VERIFICATION_SETTING =
+ Setting.boolSetting(setting("ssl.hostname_verification"), true, Property.NodeScope, Property.Filtered);
+ public static final Setting HOSTNAME_VERIFICATION_RESOLVE_NAME_SETTING =
+ Setting.boolSetting(setting("ssl.hostname_verification.resolve_name"), true, Property.NodeScope, Property.Filtered);
+
+ public static final Setting DEPRECATED_SSL_SETTING =
+ Setting.boolSetting(setting("transport.ssl"), SSL_DEFAULT,
+ Property.Filtered, Property.NodeScope, Property.Deprecated);
+ public static final Setting SSL_SETTING =
+ Setting.boolSetting(setting("transport.ssl.enabled"), DEPRECATED_SSL_SETTING, Property.Filtered, Property.NodeScope);
+
+ public static final Setting CLIENT_AUTH_SETTING =
+ new Setting<>(setting("transport.ssl.client.auth"), CLIENT_AUTH_DEFAULT,
+ SSLClientAuth::parse, Property.NodeScope, Property.Filtered);
+
+ public static final Setting DEPRECATED_PROFILE_SSL_SETTING =
+ Setting.boolSetting(setting("ssl"), SSL_SETTING, Property.Filtered, Property.NodeScope, Property.Deprecated);
+ public static final Setting PROFILE_SSL_SETTING =
+ Setting.boolSetting(setting("ssl.enabled"), SSL_DEFAULT, Property.Filtered, Property.NodeScope);
+
+ public static final Setting PROFILE_CLIENT_AUTH_SETTING =
+ new Setting<>(setting("ssl.client.auth"), CLIENT_AUTH_SETTING, SSLClientAuth::parse,
+ Property.NodeScope, Property.Filtered);
 private final ServerSSLService serverSslService;
 private final ClientSSLService clientSSLService;
@@ -59,7 +82,7 @@ public class ShieldNettyTransport extends NettyTransport {
 ClientSSLService clientSSLService, NamedWriteableRegistry namedWriteableRegistry) {
 super(settings, threadPool, networkService, bigArrays, version, namedWriteableRegistry);
 this.authenticator = authenticator;
- this.ssl = settings.getAsBoolean(TRANSPORT_SSL_SETTING, TRANSPORT_SSL_DEFAULT);
+ this.ssl = SSL_SETTING.get(settings);
 this.serverSslService = serverSSLService;
 this.clientSSLService = clientSSLService;
 }
@@ -110,6 +133,18 @@ public class ShieldNettyTransport extends NettyTransport {
 }
 }
+ public static boolean profileSsl(Settings profileSettings, Settings settings) {
+ // we can't use the fallback mechanism here since it may not exist in the profile settings and we get the wrong value
+ // for the profile if they use the old setting
+ if (PROFILE_SSL_SETTING.exists(profileSettings)) {
+ return SSL_SETTING.get(profileSettings);
+ } else if (DEPRECATED_PROFILE_SSL_SETTING.exists(profileSettings)) {
+ return DEPRECATED_PROFILE_SSL_SETTING.get(profileSettings);
+ } else {
+ return SSL_SETTING.get(settings);
+ }
+ }
+
 private class SslServerChannelPipelineFactory extends ServerChannelPipelineFactory {
 private final Settings profileSettings;
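Review bot: In `profileSsl`, the first branch tests `PROFILE_SSL_SETTING.exists(profileSettings)` but then reads `SSL_SETTING.get(profileSettings)`, i.e. the `transport.ssl.enabled` key instead of the profile's `ssl.enabled` key; assuming profile settings are keyed relative to the profile prefix (as the `getByPrefix(settingPrefix())` call in getPipeline suggests), that key is absent from the profile, the read falls through to its default of `false`, and a profile that explicitly enables TLS would be served without it. The line should read `return PROFILE_SSL_SETTING.get(profileSettings);`, and a unit test that passes a profile containing only `xpack.security.ssl.enabled: true` and expects `true` would pin the behaviour. The method is public and undocumented; a one-line Javadoc stating the precedence (profile `ssl.enabled`, then the deprecated profile `ssl` key, then the node-level transport setting) would make the explicit-lookup comment easier to follow.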
@@ -122,13 +157,13 @@ public class ShieldNettyTransport extends NettyTransport {
 @Override
 public ChannelPipeline getPipeline() throws Exception {
 ChannelPipeline pipeline = super.getPipeline();
- final boolean profileSsl = profileSettings.getAsBoolean(TRANSPORT_PROFILE_SSL_SETTING, ssl);
- final SSLClientAuth clientAuth = SSLClientAuth.parse(profileSettings.get(TRANSPORT_PROFILE_CLIENT_AUTH_SETTING,
- settings.get(TRANSPORT_CLIENT_AUTH_SETTING)), TRANSPORT_CLIENT_AUTH_DEFAULT);
+ final boolean profileSsl = profileSsl(profileSettings, settings);
+ final SSLClientAuth clientAuth = PROFILE_CLIENT_AUTH_SETTING.get(profileSettings, settings);
 if (profileSsl) {
 SSLEngine serverEngine;
- if (profileSettings.get("shield.truststore.path") != null) {
- serverEngine = serverSslService.createSSLEngine(profileSettings.getByPrefix("shield."));
+ Settings securityProfileSettings = profileSettings.getByPrefix(settingPrefix());
+ if (securityProfileSettings.names().isEmpty() == false) {
+ serverEngine = serverSslService.createSSLEngine(securityProfileSettings);
 } else {
 serverEngine = serverSslService.createSSLEngine();
 }
@@ -168,7 +203,7 @@ public class ShieldNettyTransport extends NettyTransport {
 @Override
 public void connectRequested(ChannelHandlerContext ctx, ChannelStateEvent e) {
 SSLEngine sslEngine;
- if (settings.getAsBoolean(HOSTNAME_VERIFICATION_SETTING, true)) {
+ if (HOSTNAME_VERIFICATION_SETTING.get(settings)) {
 InetSocketAddress inetSocketAddress = (InetSocketAddress) e.getValue();
 sslEngine = clientSSLService.createSSLEngine(Settings.EMPTY, getHostname(inetSocketAddress), inetSocketAddress.getPort());
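Review bot: The new condition `securityProfileSettings.names().isEmpty() == false` selects the profile-specific SSL engine whenever any `xpack.security.*` key is present in the profile, where the old code required a truststore path; a profile that only sets `ssl.enabled` or `ssl.client.auth` now reaches `createSSLEngine(securityProfileSettings)` with no keystore or truststore configuration at all. Whether that is safe depends on `ServerSSLService.createSSLEngine(Settings)` merging missing keys with the node-level configuration, which is not visible here; if it does not, such profiles would fail to come up. Either narrow the check to the keystore/truststore keys that actually drive the engine, or add a comment on the `if` stating that the service is expected to fall back to the global settings for absent keys. getPipeline continues outside the hunk.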
@@ -193,7 +228,7 @@ public class ShieldNettyTransport extends NettyTransport {
 @SuppressForbidden(reason = "need to use getHostName to resolve DNS name for SSL connections and hostname verification")
 private String getHostname(InetSocketAddress inetSocketAddress) {
 String hostname;
- if (settings.getAsBoolean(HOSTNAME_VERIFICATION_RESOLVE_NAME_SETTING, true)) {
+ if (HOSTNAME_VERIFICATION_RESOLVE_NAME_SETTING.get(settings)) {
 hostname = inetSocketAddress.getHostName();
 } else {
 hostname = inetSocketAddress.getHostString();
@@ -207,4 +242,17 @@ public class ShieldNettyTransport extends NettyTransport {
 }
 }
 }
+
+ public static void registerSettings(SettingsModule settingsModule) {
+ settingsModule.registerSetting(SSL_SETTING);
+ settingsModule.registerSetting(HOSTNAME_VERIFICATION_SETTING);
+ settingsModule.registerSetting(HOSTNAME_VERIFICATION_RESOLVE_NAME_SETTING);
+ settingsModule.registerSetting(CLIENT_AUTH_SETTING);
+ settingsModule.registerSetting(PROFILE_SSL_SETTING);
+ settingsModule.registerSetting(PROFILE_CLIENT_AUTH_SETTING);
+
+ // deprecated transport settings
+ settingsModule.registerSetting(DEPRECATED_SSL_SETTING);
+ settingsModule.registerSetting(DEPRECATED_PROFILE_SSL_SETTING);
+ }
 }
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/BulkUpdateTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/BulkUpdateTests.java
index 2f5f0023154..4c0f825a143 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/BulkUpdateTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/BulkUpdateTests.java
@@ -10,7 +10,7 @@ import org.elasticsearch.action.get.GetResponse; import org.elasticsearch.action.update.UpdateResponse; import org.elasticsearch.common.network.NetworkModule; import org.elasticsearch.common.settings.Settings; -import org.elasticsearch.shield.Shield; +import org.elasticsearch.shield.Security; import org.elasticsearch.shield.authc.support.SecuredString; import org.elasticsearch.shield.authc.support.UsernamePasswordToken; import org.elasticsearch.test.ShieldIntegTestCase; @@ -31,7 +31,7 @@ public class BulkUpdateTests extends ShieldIntegTestCase { return Settings.builder() .put(super.nodeSettings(nodeOrdinal)) .put(NetworkModule.HTTP_ENABLED.getKey(), true) - .put(XPackPlugin.featureEnabledSetting(Shield.DLS_FLS_FEATURE), randomBoolean()) + .put(XPackPlugin.featureEnabledSetting(Security.DLS_FLS_FEATURE), randomBoolean()) .build(); } diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/ClearRolesCacheTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/ClearRolesCacheTests.java index 597e9805695..5ba86b58598 100644 --- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/ClearRolesCacheTests.java +++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/ClearRolesCacheTests.java @@ -16,6 +16,7 @@ import org.elasticsearch.rest.RestStatus; import org.elasticsearch.shield.action.role.PutRoleResponse; import org.elasticsearch.shield.action.role.GetRolesResponse; import org.elasticsearch.shield.ShieldTemplateService; +import org.elasticsearch.shield.authc.esnative.NativeRealm; import org.elasticsearch.shield.authc.support.SecuredString; import org.elasticsearch.shield.authc.support.UsernamePasswordToken; import org.elasticsearch.shield.authz.RoleDescriptor; 
@@ -78,7 +79,7 @@ public class ClearRolesCacheTests extends NativeRealmIntegTestCase { logger.debug("using poller interval [{}]", pollerInterval); return Settings.builder() .put(super.nodeSettings(nodeOrdinal)) - .put("shield.authc.native.reload.interval", pollerInterval) + .put(NativeRolesStore.POLL_INTERVAL_SETTING.getKey(), pollerInterval) .put(NetworkModule.HTTP_ENABLED.getKey(), true) .build(); } diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/DocumentAndFieldLevelSecurityTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/DocumentAndFieldLevelSecurityTests.java index 52aa4572907..716b58652e8 100644 --- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/DocumentAndFieldLevelSecurityTests.java +++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/DocumentAndFieldLevelSecurityTests.java @@ -9,7 +9,7 @@ import org.elasticsearch.action.search.SearchResponse; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.index.IndexModule; import org.elasticsearch.search.sort.SortOrder; -import org.elasticsearch.shield.Shield; +import org.elasticsearch.shield.Security; import org.elasticsearch.shield.authc.support.Hasher; import org.elasticsearch.shield.authc.support.SecuredString; import org.elasticsearch.test.ShieldIntegTestCase; @@ -85,7 +85,7 @@ public class DocumentAndFieldLevelSecurityTests extends ShieldIntegTestCase { public Settings nodeSettings(int nodeOrdinal) { return Settings.builder() .put(super.nodeSettings(nodeOrdinal)) - .put(XPackPlugin.featureEnabledSetting(Shield.DLS_FLS_FEATURE), true) + .put(XPackPlugin.featureEnabledSetting(Security.DLS_FLS_FEATURE), true) .build(); } 
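Review bot: This hunk references `NativeRolesStore.POLL_INTERVAL_SETTING`, but the import added in the previous hunk of this file is `org.elasticsearch.shield.authc.esnative.NativeRealm`, which no visible line uses. Unless `NativeRolesStore` is already imported elsewhere in the file and `NativeRealm` is used in a part not shown, this looks like the wrong import was added and the one for `NativeRolesStore` is missing. nodeSettings continues outside the hunk.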
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/DocumentLevelSecurityRandomTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/DocumentLevelSecurityRandomTests.java index 8c99f8e5086..8e160da372d 100644 --- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/DocumentLevelSecurityRandomTests.java +++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/DocumentLevelSecurityRandomTests.java @@ -10,7 +10,7 @@ import org.elasticsearch.action.index.IndexRequestBuilder; import org.elasticsearch.action.search.SearchResponse; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.index.query.QueryBuilders; -import org.elasticsearch.shield.Shield; +import org.elasticsearch.shield.Security; import org.elasticsearch.shield.authc.support.Hasher; import org.elasticsearch.shield.authc.support.SecuredString; import org.elasticsearch.test.ShieldIntegTestCase; @@ -88,7 +88,7 @@ public class DocumentLevelSecurityRandomTests extends ShieldIntegTestCase { public Settings nodeSettings(int nodeOrdinal) { return Settings.builder() .put(super.nodeSettings(nodeOrdinal)) - .put(XPackPlugin.featureEnabledSetting(Shield.DLS_FLS_FEATURE), true) + .put(XPackPlugin.featureEnabledSetting(Security.DLS_FLS_FEATURE), true) .build(); } diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/DocumentLevelSecurityTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/DocumentLevelSecurityTests.java index e414ed83c6d..3ad58bad8ad 100644 --- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/DocumentLevelSecurityTests.java +++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/DocumentLevelSecurityTests.java 
@@ -26,7 +26,7 @@ import org.elasticsearch.search.aggregations.bucket.children.Children; import org.elasticsearch.search.aggregations.bucket.global.Global; import org.elasticsearch.search.aggregations.bucket.terms.Terms; import org.elasticsearch.search.sort.SortOrder; -import org.elasticsearch.shield.Shield; +import org.elasticsearch.shield.Security; import org.elasticsearch.shield.authc.support.Hasher; import org.elasticsearch.shield.authc.support.SecuredString; import org.elasticsearch.test.ShieldIntegTestCase; @@ -100,7 +100,7 @@ public class DocumentLevelSecurityTests extends ShieldIntegTestCase { public Settings nodeSettings(int nodeOrdinal) { return Settings.builder() .put(super.nodeSettings(nodeOrdinal)) - .put(XPackPlugin.featureEnabledSetting(Shield.DLS_FLS_FEATURE), true) + .put(XPackPlugin.featureEnabledSetting(Security.DLS_FLS_FEATURE), true) .build(); } diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/FieldLevelSecurityRandomTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/FieldLevelSecurityRandomTests.java index 8475d8c20ab..fc14ae859a9 100644 --- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/FieldLevelSecurityRandomTests.java +++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/FieldLevelSecurityRandomTests.java @@ -10,7 +10,7 @@ import org.elasticsearch.action.search.SearchResponse; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.index.query.QueryBuilders; import org.elasticsearch.search.sort.SortOrder; -import org.elasticsearch.shield.Shield; +import org.elasticsearch.shield.Security; import org.elasticsearch.shield.authc.support.Hasher; import org.elasticsearch.shield.authc.support.SecuredString; import org.elasticsearch.test.ShieldIntegTestCase; 
@@ -120,7 +120,7 @@ public class FieldLevelSecurityRandomTests extends ShieldIntegTestCase { public Settings nodeSettings(int nodeOrdinal) { return Settings.builder() .put(super.nodeSettings(nodeOrdinal)) - .put(XPackPlugin.featureEnabledSetting(Shield.DLS_FLS_FEATURE), true) + .put(XPackPlugin.featureEnabledSetting(Security.DLS_FLS_FEATURE), true) .build(); } diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/FieldLevelSecurityTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/FieldLevelSecurityTests.java index 5369569b101..23b12fc8563 100644 --- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/FieldLevelSecurityTests.java +++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/FieldLevelSecurityTests.java @@ -24,7 +24,7 @@ import org.elasticsearch.rest.RestStatus; import org.elasticsearch.search.aggregations.AggregationBuilders; import org.elasticsearch.search.aggregations.bucket.terms.Terms; import org.elasticsearch.search.sort.SortOrder; -import org.elasticsearch.shield.Shield; +import org.elasticsearch.shield.Security; import org.elasticsearch.shield.authc.support.Hasher; import org.elasticsearch.shield.authc.support.SecuredString; import org.elasticsearch.test.ESIntegTestCase; @@ -128,7 +128,7 @@ public class FieldLevelSecurityTests extends ShieldIntegTestCase { public Settings nodeSettings(int nodeOrdinal) { return Settings.builder() .put(super.nodeSettings(nodeOrdinal)) - .put(XPackPlugin.featureEnabledSetting(Shield.DLS_FLS_FEATURE), true) + .put(XPackPlugin.featureEnabledSetting(Security.DLS_FLS_FEATURE), true) .build(); } diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/IndicesPermissionsWithAliasesWildcardsAndRegexsTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/IndicesPermissionsWithAliasesWildcardsAndRegexsTests.java index 4134c15bb90..916321f80ba 100644 
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/IndicesPermissionsWithAliasesWildcardsAndRegexsTests.java +++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/IndicesPermissionsWithAliasesWildcardsAndRegexsTests.java @@ -8,7 +8,7 @@ package org.elasticsearch.integration; import org.elasticsearch.action.admin.indices.alias.Alias; import org.elasticsearch.action.get.GetResponse; import org.elasticsearch.common.settings.Settings; -import org.elasticsearch.shield.Shield; +import org.elasticsearch.shield.Security; import org.elasticsearch.shield.authc.support.Hasher; import org.elasticsearch.shield.authc.support.SecuredString; import org.elasticsearch.test.ShieldIntegTestCase; @@ -61,7 +61,7 @@ public class IndicesPermissionsWithAliasesWildcardsAndRegexsTests extends Shield public Settings nodeSettings(int nodeOrdinal) { return Settings.builder() .put(super.nodeSettings(nodeOrdinal)) - .put(XPackPlugin.featureEnabledSetting(Shield.DLS_FLS_FEATURE), true) + .put(XPackPlugin.featureEnabledSetting(Security.DLS_FLS_FEATURE), true) .build(); } diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/LicensingTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/LicensingTests.java index 84c8784fc01..94034255d8f 100644 --- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/LicensingTests.java +++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/LicensingTests.java 
@@ -30,7 +30,7 @@ import org.elasticsearch.license.plugin.core.LicenseState; import org.elasticsearch.license.plugin.core.Licensee; import org.elasticsearch.license.plugin.core.LicenseeRegistry; import org.elasticsearch.rest.RestStatus; -import org.elasticsearch.shield.Shield; +import org.elasticsearch.shield.Security; import org.elasticsearch.shield.authc.support.UsernamePasswordToken; import org.elasticsearch.test.ShieldIntegTestCase; import org.elasticsearch.test.ShieldSettingsSource; @@ -144,7 +144,7 @@ public class LicensingTests extends ShieldIntegTestCase { fail("expected an license expired exception when executing an index stats action"); } catch (ElasticsearchSecurityException ee) { // expected - assertThat(ee.getHeader("es.license.expired.feature"), hasItem(Shield.NAME)); + assertThat(ee.getHeader("es.license.expired.feature"), hasItem(Security.NAME)); assertThat(ee.status(), is(RestStatus.UNAUTHORIZED)); } @@ -153,7 +153,7 @@ public class LicensingTests extends ShieldIntegTestCase { fail("expected an license expired exception when executing cluster stats action"); } catch (ElasticsearchSecurityException ee) { // expected - assertThat(ee.getHeader("es.license.expired.feature"), hasItem(Shield.NAME)); + assertThat(ee.getHeader("es.license.expired.feature"), hasItem(Security.NAME)); assertThat(ee.status(), is(RestStatus.UNAUTHORIZED)); } @@ -162,7 +162,7 @@ public class LicensingTests extends ShieldIntegTestCase { fail("expected an license expired exception when executing cluster health action"); } catch (ElasticsearchSecurityException ee) { // expected - assertThat(ee.getHeader("es.license.expired.feature"), hasItem(Shield.NAME)); + assertThat(ee.getHeader("es.license.expired.feature"), hasItem(Security.NAME)); assertThat(ee.status(), is(RestStatus.UNAUTHORIZED)); } 
@@ -171,7 +171,7 @@ public class LicensingTests extends ShieldIntegTestCase { fail("expected an license expired exception when executing cluster health action"); } catch (ElasticsearchSecurityException ee) { // expected - assertThat(ee.getHeader("es.license.expired.feature"), hasItem(Shield.NAME)); + assertThat(ee.getHeader("es.license.expired.feature"), hasItem(Security.NAME)); assertThat(ee.status(), is(RestStatus.UNAUTHORIZED)); } @@ -207,7 +207,7 @@ public class LicensingTests extends ShieldIntegTestCase { Settings.Builder builder = Settings.builder() .put(internalCluster().transportClient().settings()); // remove user info - builder.remove("shield.user"); + builder.remove(Security.USER_SETTING.getKey()); builder.remove(ThreadContext.PREFIX + "." + UsernamePasswordToken.BASIC_AUTH_HEADER); // basic has no auth diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/SettingsFilterTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/SettingsFilterTests.java index 0f745b25045..3875bc209c5 100644 --- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/SettingsFilterTests.java +++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/SettingsFilterTests.java @@ -9,6 +9,7 @@ import org.apache.http.impl.client.CloseableHttpClient; import org.apache.http.impl.client.HttpClients; import org.elasticsearch.common.network.NetworkModule; import org.elasticsearch.common.settings.Setting; +import org.elasticsearch.common.settings.Setting.Property; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.settings.SettingsModule; import org.elasticsearch.common.xcontent.XContentBuilder; 
@@ -19,6 +20,7 @@ import org.elasticsearch.plugins.Plugin; import org.elasticsearch.shield.authc.support.SecuredString; import org.elasticsearch.shield.authc.support.UsernamePasswordToken; import org.elasticsearch.shield.ssl.AbstractSSLService; +import org.elasticsearch.shield.ssl.SSLSettings; import org.elasticsearch.test.ESIntegTestCase.ClusterScope; import org.elasticsearch.test.ShieldIntegTestCase; import org.elasticsearch.test.ShieldSettingsSource; @@ -71,10 +73,10 @@ public class SettingsFilterTests extends ShieldIntegTestCase { } public void onModule(SettingsModule module) { - module.registerSetting(Setting.simpleString("foo.bar", Setting.Property.NodeScope)); - module.registerSetting(Setting.simpleString("foo.baz", Setting.Property.NodeScope)); - module.registerSetting(Setting.simpleString("bar.baz", Setting.Property.NodeScope)); - module.registerSetting(Setting.simpleString("baz.foo", Setting.Property.NodeScope)); + module.registerSetting(Setting.simpleString("foo.bar", Property.NodeScope)); + module.registerSetting(Setting.simpleString("foo.baz", Property.NodeScope)); + module.registerSetting(Setting.simpleString("bar.baz", Property.NodeScope)); + module.registerSetting(Setting.simpleString("baz.foo", Property.NodeScope)); } } 
@@ -84,56 +86,57 @@ public class SettingsFilterTests extends ShieldIntegTestCase { return Settings.builder().put(super.nodeSettings(nodeOrdinal)) .put(NetworkModule.HTTP_ENABLED.getKey(), true) - .put("shield.authc.realms.file.type", "file") + .put("xpack.security.authc.realms.file.type", "file") // ldap realm filtering - .put("shield.authc.realms.ldap1.type", "ldap") - .put("shield.authc.realms.ldap1.enabled", "false") - .put("shield.authc.realms.ldap1.url", "ldap://host.domain") - .put("shield.authc.realms.ldap1.hostname_verification", randomAsciiOfLength(5)) - .put("shield.authc.realms.ldap1.bind_dn", randomAsciiOfLength(5)) - .put("shield.authc.realms.ldap1.bind_password", randomAsciiOfLength(5)) + .put("xpack.security.authc.realms.ldap1.type", "ldap") + .put("xpack.security.authc.realms.ldap1.enabled", "false") + .put("xpack.security.authc.realms.ldap1.url", "ldap://host.domain") + .put("xpack.security.authc.realms.ldap1.hostname_verification", randomAsciiOfLength(5)) + .put("xpack.security.authc.realms.ldap1.bind_dn", randomAsciiOfLength(5)) + .put("xpack.security.authc.realms.ldap1.bind_password", randomAsciiOfLength(5)) // active directory filtering - .put("shield.authc.realms.ad1.type", "active_directory") - .put("shield.authc.realms.ad1.enabled", "false") - .put("shield.authc.realms.ad1.url", "ldap://host.domain") - .put("shield.authc.realms.ad1.hostname_verification", randomAsciiOfLength(5)) + .put("xpack.security.authc.realms.ad1.type", "active_directory") + .put("xpack.security.authc.realms.ad1.enabled", "false") + .put("xpack.security.authc.realms.ad1.url", "ldap://host.domain") + .put("xpack.security.authc.realms.ad1.hostname_verification", randomAsciiOfLength(5)) // pki filtering - .put("shield.authc.realms.pki1.type", "pki") - .put("shield.authc.realms.pki1.order", "0") - .put("shield.authc.realms.pki1.truststore.path", + .put("xpack.security.authc.realms.pki1.type", "pki") + .put("xpack.security.authc.realms.pki1.order", "0") + 
.put("xpack.security.authc.realms.pki1.truststore.path", getDataPath("/org/elasticsearch/shield/transport/ssl/certs/simple/truststore-testnode-only.jks")) - .put("shield.authc.realms.pki1.truststore.password", "truststore-testnode-only") - .put("shield.authc.realms.pki1.truststore.algorithm", "SunX509") + .put("xpack.security.authc.realms.pki1.truststore.password", "truststore-testnode-only") + .put("xpack.security.authc.realms.pki1.truststore.algorithm", "SunX509") - .put("shield.ssl.keystore.path", "/path/to/keystore") - .put("shield.ssl.ciphers", "_ciphers") - .put("shield.ssl.supported_protocols", randomFrom(AbstractSSLService.DEFAULT_SUPPORTED_PROTOCOLS)) - .put("shield.ssl.keystore.password", randomAsciiOfLength(5)) - .put("shield.ssl.keystore.algorithm", "_algorithm") - .put("shield.ssl.keystore.key_password", randomAsciiOfLength(5)) - .put("shield.ssl.truststore.password", randomAsciiOfLength(5)) - .put("shield.ssl.truststore.algorithm", "_algorithm") + .put("xpack.security.ssl.keystore.path", "/path/to/keystore") + .put("xpack.security.ssl.ciphers", "_ciphers") + .put("xpack.security.ssl.supported_protocols", randomFrom(SSLSettings.Globals.DEFAULT_SUPPORTED_PROTOCOLS)) + .put("xpack.security.ssl.keystore.password", randomAsciiOfLength(5)) + .put("xpack.security.ssl.keystore.algorithm", "_algorithm") + .put("xpack.security.ssl.keystore.key_password", randomAsciiOfLength(5)) + .put("xpack.security.ssl.truststore.password", randomAsciiOfLength(5)) + .put("xpack.security.ssl.truststore.algorithm", "_algorithm") // client profile .put("transport.profiles.client.port", clientProfilePort + "-" + (clientProfilePort + 100)) - .put("transport.profiles.client.shield.keystore.path", "/path/to/keystore") - .put("transport.profiles.client.shield.ciphers", "_ciphers") - .put("transport.profiles.client.shield.supported_protocols", randomFrom(AbstractSSLService.DEFAULT_SUPPORTED_PROTOCOLS)) - .put("transport.profiles.client.shield.keystore.password", 
randomAsciiOfLength(5)) - .put("transport.profiles.client.shield.keystore.algorithm", "_algorithm") - .put("transport.profiles.client.shield.keystore.key_password", randomAsciiOfLength(5)) - .put("transport.profiles.client.shield.truststore.password", randomAsciiOfLength(5)) - .put("transport.profiles.client.shield.truststore.algorithm", "_algorithm") + .put("transport.profiles.client.xpack.security.keystore.path", "/path/to/keystore") + .put("transport.profiles.client.xpack.security.ciphers", "_ciphers") + .put("transport.profiles.client.xpack.security.supported_protocols", + randomFrom(SSLSettings.Globals.DEFAULT_SUPPORTED_PROTOCOLS)) + .put("transport.profiles.client.xpack.security.keystore.password", randomAsciiOfLength(5)) + .put("transport.profiles.client.xpack.security.keystore.algorithm", "_algorithm") + .put("transport.profiles.client.xpack.security.keystore.key_password", randomAsciiOfLength(5)) + .put("transport.profiles.client.xpack.security.truststore.password", randomAsciiOfLength(5)) + .put("transport.profiles.client.xpack.security.truststore.algorithm", "_algorithm") // custom settings .put("foo.bar", "_secret") .put("foo.baz", "_secret") .put("bar.baz", "_secret") .put("baz.foo", "_not_a_secret") // should not be filtered - .put("shield.hide_settings", "foo.*,bar.baz") + .put("xpack.security.hide_settings", "foo.*,bar.baz") .build(); } 
@@ -147,40 +150,40 @@ public class SettingsFilterTests extends ShieldIntegTestCase { List list = extractSettings(response.getBody()); for (Settings settings : list) { - assertThat(settings.get("shield.authc.realms.ldap1.hostname_verification"), nullValue()); - assertThat(settings.get("shield.authc.realms.ldap1.bind_password"), nullValue()); - assertThat(settings.get("shield.authc.realms.ldap1.bind_dn"), nullValue()); - assertThat(settings.get("shield.authc.realms.ldap1.url"), is("ldap://host.domain")); + assertThat(settings.get("xpack.security.authc.realms.ldap1.hostname_verification"), nullValue()); + assertThat(settings.get("xpack.security.authc.realms.ldap1.bind_password"), nullValue()); + assertThat(settings.get("xpack.security.authc.realms.ldap1.bind_dn"), nullValue()); + assertThat(settings.get("xpack.security.authc.realms.ldap1.url"), is("ldap://host.domain")); - assertThat(settings.get("shield.authc.realms.ad1.hostname_verification"), nullValue()); - assertThat(settings.get("shield.authc.realms.ad1.url"), is("ldap://host.domain")); + assertThat(settings.get("xpack.security.authc.realms.ad1.hostname_verification"), nullValue()); + assertThat(settings.get("xpack.security.authc.realms.ad1.url"), is("ldap://host.domain")); - assertThat(settings.get("shield.authc.realms.pki1.truststore.path"), nullValue()); - assertThat(settings.get("shield.authc.realms.pki1.truststore.password"), nullValue()); - assertThat(settings.get("shield.authc.realms.pki1.truststore.algorithm"), nullValue()); - assertThat(settings.get("shield.authc.realms.pki1.type"), is("pki")); + assertThat(settings.get("xpack.security.authc.realms.pki1.truststore.path"), nullValue()); + assertThat(settings.get("xpack.security.authc.realms.pki1.truststore.password"), nullValue()); + assertThat(settings.get("xpack.security.authc.realms.pki1.truststore.algorithm"), nullValue()); + assertThat(settings.get("xpack.security.authc.realms.pki1.type"), is("pki")); - 
assertThat(settings.get("shield.ssl.keystore.path"), nullValue()); - assertThat(settings.get("shield.ssl.ciphers"), nullValue()); - assertThat(settings.get("shield.ssl.supported_protocols"), nullValue()); - assertThat(settings.get("shield.ssl.keystore.password"), nullValue()); - assertThat(settings.get("shield.ssl.keystore.algorithm"), nullValue()); - assertThat(settings.get("shield.ssl.keystore.key_password"), nullValue()); - assertThat(settings.get("shield.ssl.truststore.password"), nullValue()); - assertThat(settings.get("shield.ssl.truststore.algorithm"), nullValue()); + assertThat(settings.get("xpack.security.ssl.keystore.path"), nullValue()); + assertThat(settings.get("xpack.security.ssl.ciphers"), nullValue()); + assertThat(settings.get("xpack.security.ssl.supported_protocols"), nullValue()); + assertThat(settings.get("xpack.security.ssl.keystore.password"), nullValue()); + assertThat(settings.get("xpack.security.ssl.keystore.algorithm"), nullValue()); + assertThat(settings.get("xpack.security.ssl.keystore.key_password"), nullValue()); + assertThat(settings.get("xpack.security.ssl.truststore.password"), nullValue()); + assertThat(settings.get("xpack.security.ssl.truststore.algorithm"), nullValue()); // the client profile settings is also filtered out assertThat(settings.get("transport.profiles.client.port"), notNullValue()); - assertThat(settings.get("transport.profiles.client.shield.keystore.path"), nullValue()); - assertThat(settings.get("transport.profiles.client.shield.ciphers"), nullValue()); - assertThat(settings.get("transport.profiles.client.shield.supported_protocols"), nullValue()); - assertThat(settings.get("transport.profiles.client.shield.keystore.password"), nullValue()); - assertThat(settings.get("transport.profiles.client.shield.keystore.algorithm"), nullValue()); - assertThat(settings.get("transport.profiles.client.shield.keystore.key_password"), nullValue()); - assertThat(settings.get("transport.profiles.client.shield.truststore.password"), 
nullValue()); - assertThat(settings.get("transport.profiles.client.shield.truststore.algorithm"), nullValue()); + assertThat(settings.get("transport.profiles.client.xpack.security.keystore.path"), nullValue()); + assertThat(settings.get("transport.profiles.client.xpack.security.ciphers"), nullValue()); + assertThat(settings.get("transport.profiles.client.xpack.security.supported_protocols"), nullValue()); + assertThat(settings.get("transport.profiles.client.xpack.security.keystore.password"), nullValue()); + assertThat(settings.get("transport.profiles.client.xpack.security.keystore.algorithm"), nullValue()); + assertThat(settings.get("transport.profiles.client.xpack.security.keystore.key_password"), nullValue()); + assertThat(settings.get("transport.profiles.client.xpack.security.truststore.password"), nullValue()); + assertThat(settings.get("transport.profiles.client.xpack.security.truststore.algorithm"), nullValue()); - assertThat(settings.get("shield.hide_settings"), nullValue()); + assertThat(settings.get("xpack.security.hide_settings"), nullValue()); assertThat(settings.get("foo.bar"), nullValue()); assertThat(settings.get("foo.baz"), nullValue()); assertThat(settings.get("bar.baz"), nullValue()); diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/ShieldClearScrollTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/ShieldClearScrollTests.java index 4b8d243fef0..a687ad0b6e7 100644 --- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/ShieldClearScrollTests.java +++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/ShieldClearScrollTests.java 
@@ -12,6 +12,7 @@ import org.elasticsearch.action.search.ClearScrollResponse;
 import org.elasticsearch.action.search.MultiSearchRequestBuilder;
 import org.elasticsearch.action.search.MultiSearchResponse;
 import org.elasticsearch.action.search.SearchPhaseExecutionException;
+import org.elasticsearch.shield.Security;
 import org.elasticsearch.shield.authc.support.Hasher;
 import org.elasticsearch.shield.authc.support.SecuredString;
 import org.elasticsearch.test.ShieldIntegTestCase;
@@ -90,7 +91,7 @@ public class ShieldClearScrollTests extends ShieldIntegTestCase {
 String shieldUser = "allowed_user:change_me";
 String basicAuth = basicAuthHeaderValue("allowed_user", new SecuredString("change_me".toCharArray()));
 Map headers = new HashMap<>();
- headers.put("shield.user", shieldUser);
+ headers.put(Security.USER_SETTING.getKey(), shieldUser);
 headers.put(BASIC_AUTH_HEADER, basicAuth);
 ClearScrollResponse clearScrollResponse = internalCluster().transportClient().filterWithHeader(headers)
 .prepareClearScroll()
@@ -104,7 +105,7 @@ public class ShieldClearScrollTests extends ShieldIntegTestCase {
 String shieldUser = "denied_user:change_me";
 String basicAuth = basicAuthHeaderValue("denied_user", new SecuredString("change_me".toCharArray()));
 Map headers = new HashMap<>();
- headers.put("shield.user", shieldUser);
+ headers.put(Security.USER_SETTING.getKey(), shieldUser);
 headers.put(BASIC_AUTH_HEADER, basicAuth);
 assertThrows(internalCluster().transportClient().filterWithHeader(headers)
 .prepareClearScroll()
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/ldap/AbstractAdLdapRealmTestCase.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/ldap/AbstractAdLdapRealmTestCase.java
index 4b6cd586e2a..e01b20eea08 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/ldap/AbstractAdLdapRealmTestCase.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/ldap/AbstractAdLdapRealmTestCase.java
@@ -42,7 +42,7 @@ import static org.hamcrest.Matchers.is;
 */
 abstract public class AbstractAdLdapRealmTestCase extends ShieldIntegTestCase {
- public static final String SHIELD_AUTHC_REALMS_EXTERNAL = "shield.authc.realms.external";
+ public static final String SHIELD_AUTHC_REALMS_EXTERNAL = "xpack.security.authc.realms.external";
 public static final String PASSWORD = "NickFuryHeartsES";
 public static final String ASGARDIAN_INDEX = "gods";
 public static final String PHILANTHROPISTS_INDEX = "philanthropists";
@@ -161,11 +161,11 @@ abstract public class AbstractAdLdapRealmTestCase extends ShieldIntegTestCase {
 }
 return settingsBuilder()
- .put("shield.ssl.keystore.path", store)
- .put("shield.ssl.keystore.password", password)
- .put(ShieldNettyTransport.HOSTNAME_VERIFICATION_SETTING, false)
- .put("shield.ssl.truststore.path", store)
- .put("shield.ssl.truststore.password", password).build();
+ .put("xpack.security.ssl.keystore.path", store)
+ .put("xpack.security.ssl.keystore.password", password)
+ .put(ShieldNettyTransport.HOSTNAME_VERIFICATION_SETTING.getKey(), false)
+ .put("xpack.security.ssl.truststore.path", store)
+ .put("xpack.security.ssl.truststore.password", password).build();
 }
 /**
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/ldap/GroupMappingTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/ldap/GroupMappingTests.java
index ddaeb8910aa..fc879b46db8 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/ldap/GroupMappingTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/ldap/GroupMappingTests.java
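Review bot: `.put(ShieldNettyTransport.HOSTNAME_VERIFICATION_SETTING.getKey(), false)` switches off hostname verification for the LDAP/AD TLS connection in every test built on this base class, and the hunk gives no reason, so a reader cannot tell whether it is a fixture limitation or a requirement of the realm under test. A one-line comment would keep it from being copied into a non-test configuration: `// hostname verification is off because the test keystore's certificate is presumably not issued for the LDAP host name — confirm`. The same `store`/`password` pair serves as both keystore and truststore, which is reasonable for a fixture but worth stating in the same comment. The enclosing method's signature is outside the hunk.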
@@ -13,7 +13,7 @@ import java.io.IOException;
 * This tests the group to role mappings from LDAP sources provided by the super class - available from super.realmConfig.
 * The super class will provide appropriate group mappings via configGroupMappings()
 */
-//@Network
+@Network
 public class GroupMappingTests extends AbstractAdLdapRealmTestCase {
 public void testAuthcAuthz() throws IOException {
 String avenger = realmConfig.loginWithCommonName ? "Natasha Romanoff" : "blackwidow";
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ShieldPluginSettingsTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/SecuritySettingsTests.java
similarity index 64%
rename from elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ShieldPluginSettingsTests.java
rename to elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/SecuritySettingsTests.java
index 7689bf174bf..9f04443c89b 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ShieldPluginSettingsTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/SecuritySettingsTests.java
@@ -7,6 +7,7 @@ package org.elasticsearch.shield;
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.shield.audit.AuditTrailModule;
 import org.elasticsearch.shield.audit.index.IndexAuditTrail;
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.xpack.XPackPlugin;
@@ -19,18 +20,18 @@ import static org.hamcrest.CoreMatchers.nullValue;
 import static org.hamcrest.Matchers.arrayContaining;
 import static org.hamcrest.Matchers.not;
-public class ShieldPluginSettingsTests extends ESTestCase {
+public class SecuritySettingsTests extends ESTestCase {
- private static final String TRIBE_T1_SHIELD_ENABLED = "tribe.t1." + XPackPlugin.featureEnabledSetting(Shield.NAME);
- private static final String TRIBE_T2_SHIELD_ENABLED = "tribe.t2." + XPackPlugin.featureEnabledSetting(Shield.NAME);
+ private static final String TRIBE_T1_SHIELD_ENABLED = "tribe.t1." + Security.enabledSetting();
+ private static final String TRIBE_T2_SHIELD_ENABLED = "tribe.t2." + Security.enabledSetting();
 public void testShieldIsMandatoryOnTribes() {
 Settings settings = Settings.builder().put("tribe.t1.cluster.name", "non_existing")
 .put("tribe.t2.cluster.name", "non_existing").build();
- Shield shield = new Shield(settings);
+ Security security = new Security(settings);
- Settings additionalSettings = shield.additionalSettings();
+ Settings additionalSettings = security.additionalSettings();
 assertThat(additionalSettings.getAsArray("tribe.t1.plugin.mandatory", null), arrayContaining(XPackPlugin.NAME));
@@ -41,11 +42,11 @@ public class ShieldPluginSettingsTests extends ESTestCase {
 Settings settings = Settings.builder().put("tribe.t1.cluster.name", "non_existing")
 .putArray("tribe.t1.plugin.mandatory", "test_plugin").build();
- Shield shield = new Shield(settings);
+ Security security = new Security(settings);
 //simulate what PluginsService#updatedSettings does to make sure we don't override existing mandatory plugins
 try {
- Settings.builder().put(settings).put(shield.additionalSettings()).build();
+ Settings.builder().put(settings).put(security.additionalSettings()).build();
 fail("shield cannot change the value of a setting that is already defined, so a exception should be thrown");
 } catch (IllegalStateException e) {
 assertThat(e.getMessage(), containsString(XPackPlugin.NAME));
@@ -57,10 +58,10 @@ public class ShieldPluginSettingsTests extends ESTestCase {
 Settings settings = Settings.builder().put("tribe.t1.cluster.name", "non_existing")
 .putArray("tribe.t1.plugin.mandatory", "test_plugin", XPackPlugin.NAME).build();
- Shield shield = new Shield(settings);
+ Security security = new Security(settings);
 //simulate what PluginsService#updatedSettings does to make sure we don't override existing mandatory plugins
- Settings finalSettings = Settings.builder().put(settings).put(shield.additionalSettings()).build();
+ Settings finalSettings = Settings.builder().put(settings).put(security.additionalSettings()).build();
 String[] finalMandatoryPlugins = finalSettings.getAsArray("tribe.t1.plugin.mandatory", null);
 assertThat(finalMandatoryPlugins, notNullValue());
@@ -73,9 +74,9 @@ public class ShieldPluginSettingsTests extends ESTestCase {
 Settings settings = Settings.builder().put("tribe.t1.cluster.name", "non_existing")
 .put("tribe.t2.cluster.name", "non_existing").build();
- Shield shield = new Shield(settings);
+ Security security = new Security(settings);
- Settings additionalSettings = shield.additionalSettings();
+ Settings additionalSettings = security.additionalSettings();
 assertThat(additionalSettings.getAsBoolean(TRIBE_T1_SHIELD_ENABLED, null), equalTo(true));
 assertThat(additionalSettings.getAsBoolean(TRIBE_T2_SHIELD_ENABLED, null), equalTo(true));
@@ -86,10 +87,10 @@ public class ShieldPluginSettingsTests extends ESTestCase {
 .put(TRIBE_T1_SHIELD_ENABLED, false)
 .put("tribe.t2.cluster.name", "non_existing").build();
- Shield shield = new Shield(settings);
+ Security security = new Security(settings);
 try {
- shield.additionalSettings();
+ security.additionalSettings();
 fail("shield cannot change the value of a setting that is already defined, so a exception should be thrown");
 } catch (IllegalStateException e) {
 assertThat(e.getMessage(), containsString(TRIBE_T1_SHIELD_ENABLED));
@@ -102,10 +103,10 @@ public class ShieldPluginSettingsTests extends ESTestCase {
 .put("tribe.t2.cluster.name", "non_existing")
 .putArray("tribe.t1.plugin.mandatory", "test_plugin", XPackPlugin.NAME).build();
- Shield shield = new Shield(settings);
+ Security security = new Security(settings);
 try {
- shield.additionalSettings();
+ security.additionalSettings();
 fail("shield cannot change the value of a setting that is already defined, so a exception should be thrown");
 } catch (IllegalStateException e) {
 assertThat(e.getMessage(), containsString(TRIBE_T1_SHIELD_ENABLED));
@@ -116,43 +117,43 @@ public class ShieldPluginSettingsTests extends ESTestCase {
 Settings settings = Settings.builder()
 .put("tribe.t1.cluster.name", "non_existing")
 .put("tribe.t2.cluster.name", "non_existing")
- .put("shield.foo", "bar")
- .put("shield.bar", "foo")
- .putArray("shield.something.else.here", new String[] { "foo", "bar" })
+ .put("xpack.security.foo", "bar")
+ .put("xpack.security.bar", "foo")
+ .putArray("xpack.security.something.else.here", new String[] { "foo", "bar" })
 .build();
- Shield shield = new Shield(settings);
- Settings additionalSettings = shield.additionalSettings();
+ Security security = new Security(settings);
+ Settings additionalSettings = security.additionalSettings();
- assertThat(additionalSettings.get("shield.foo"), nullValue());
- assertThat(additionalSettings.get("shield.bar"), nullValue());
- assertThat(additionalSettings.getAsArray("shield.something.else.here"), is(Strings.EMPTY_ARRAY));
- assertThat(additionalSettings.get("tribe.t1.shield.foo"), is("bar"));
- assertThat(additionalSettings.get("tribe.t1.shield.bar"), is("foo"));
- assertThat(additionalSettings.getAsArray("tribe.t1.shield.something.else.here"), arrayContaining("foo", "bar"));
- assertThat(additionalSettings.get("tribe.t2.shield.foo"), is("bar"));
- assertThat(additionalSettings.get("tribe.t2.shield.bar"), is("foo"));
- assertThat(additionalSettings.getAsArray("tribe.t2.shield.something.else.here"), arrayContaining("foo", "bar"));
+ assertThat(additionalSettings.get("xpack.security.foo"), nullValue());
+ assertThat(additionalSettings.get("xpack.security.bar"), nullValue());
+ assertThat(additionalSettings.getAsArray("xpack.security.something.else.here"), is(Strings.EMPTY_ARRAY));
+ assertThat(additionalSettings.get("tribe.t1.xpack.security.foo"), is("bar"));
+ assertThat(additionalSettings.get("tribe.t1.xpack.security.bar"), is("foo"));
+ assertThat(additionalSettings.getAsArray("tribe.t1.xpack.security.something.else.here"), arrayContaining("foo", "bar"));
+ assertThat(additionalSettings.get("tribe.t2.xpack.security.foo"), is("bar"));
+ assertThat(additionalSettings.get("tribe.t2.xpack.security.bar"), is("foo"));
+ assertThat(additionalSettings.getAsArray("tribe.t2.xpack.security.something.else.here"), arrayContaining("foo", "bar"));
 }
 public void testValidAutoCreateIndex() {
- Shield.validateAutoCreateIndex(Settings.EMPTY);
- Shield.validateAutoCreateIndex(Settings.builder().put("action.auto_create_index", true).build());
+ Security.validateAutoCreateIndex(Settings.EMPTY);
+ Security.validateAutoCreateIndex(Settings.builder().put("action.auto_create_index", true).build());
 try {
- Shield.validateAutoCreateIndex(Settings.builder().put("action.auto_create_index", false).build());
+ Security.validateAutoCreateIndex(Settings.builder().put("action.auto_create_index", false).build());
 fail("IllegalArgumentException expected");
 } catch (IllegalArgumentException e) {
 assertThat(e.getMessage(), containsString(ShieldTemplateService.SECURITY_INDEX_NAME));
 assertThat(e.getMessage(), not(containsString(IndexAuditTrail.INDEX_NAME_PREFIX)));
 }
- Shield.validateAutoCreateIndex(Settings.builder().put("action.auto_create_index", ".security").build());
- Shield.validateAutoCreateIndex(Settings.builder().put("action.auto_create_index", "*s*").build());
- Shield.validateAutoCreateIndex(Settings.builder().put("action.auto_create_index", ".s*").build());
+ Security.validateAutoCreateIndex(Settings.builder().put("action.auto_create_index", ".security").build());
+ Security.validateAutoCreateIndex(Settings.builder().put("action.auto_create_index", "*s*").build());
+ Security.validateAutoCreateIndex(Settings.builder().put("action.auto_create_index", ".s*").build());
 try {
- Shield.validateAutoCreateIndex(Settings.builder().put("action.auto_create_index", "foo").build());
+ Security.validateAutoCreateIndex(Settings.builder().put("action.auto_create_index", "foo").build());
 fail("IllegalArgumentException expected");
 } catch
(IllegalArgumentException e) {
 assertThat(e.getMessage(), containsString(ShieldTemplateService.SECURITY_INDEX_NAME));
@@ -160,22 +161,22 @@ public class ShieldPluginSettingsTests extends ESTestCase {
 }
 try {
- Shield.validateAutoCreateIndex(Settings.builder().put("action.auto_create_index", ".shield_audit_log*").build());
+ Security.validateAutoCreateIndex(Settings.builder().put("action.auto_create_index", ".shield_audit_log*").build());
 fail("IllegalArgumentException expected");
 } catch (IllegalArgumentException e) {
 assertThat(e.getMessage(), containsString(ShieldTemplateService.SECURITY_INDEX_NAME));
 }
- Shield.validateAutoCreateIndex(Settings.builder()
+ Security.validateAutoCreateIndex(Settings.builder()
 .put("action.auto_create_index", ".security")
- .put("shield.audit.enabled", true)
+ .put(AuditTrailModule.ENABLED_SETTING.getKey(), true)
 .build());
 try {
- Shield.validateAutoCreateIndex(Settings.builder()
+ Security.validateAutoCreateIndex(Settings.builder()
 .put("action.auto_create_index", ".security")
- .put("shield.audit.enabled", true)
- .put("shield.audit.outputs", randomFrom("index", "logfile,index"))
+ .put(AuditTrailModule.ENABLED_SETTING.getKey(), true)
+ .put(AuditTrailModule.OUTPUTS_SETTING.getKey(), randomFrom("index", "logfile,index"))
 .build());
 fail("IllegalArgumentException expected");
 } catch (IllegalArgumentException e) {
@@ -183,10 +184,10 @@ public class ShieldPluginSettingsTests extends ESTestCase {
 assertThat(e.getMessage(), containsString(IndexAuditTrail.INDEX_NAME_PREFIX));
 }
- Shield.validateAutoCreateIndex(Settings.builder()
+ Security.validateAutoCreateIndex(Settings.builder()
 .put("action.auto_create_index", ".shield_audit_log*,.security")
- .put("shield.audit.enabled", true)
- .put("shield.audit.outputs", randomFrom("index", "logfile,index"))
+ .put(AuditTrailModule.ENABLED_SETTING.getKey(), true)
+ .put(AuditTrailModule.OUTPUTS_SETTING.getKey(), randomFrom("index", "logfile,index"))
 .build());
 }
 }
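Review bot: The `.shield_audit_log*` patterns passed to `action.auto_create_index` are still string literals, even though the same hunks now read the audit keys from `AuditTrailModule.ENABLED_SETTING`/`OUTPUTS_SETTING` and assert on `IndexAuditTrail.INDEX_NAME_PREFIX`. If the audit index prefix is renamed in a later pass of this migration, the negative case keeps passing for the wrong reason (any non-matching pattern is rejected) and the positive case at the end of the method starts failing without pointing at the cause. Building the pattern from the constant keeps the check tied to the real index name: `.put("action.auto_create_index", IndexAuditTrail.INDEX_NAME_PREFIX + "*,.security")` here and `IndexAuditTrail.INDEX_NAME_PREFIX + "*"` in the preceding try block; the `".security"` literal could likewise come from `ShieldTemplateService.SECURITY_INDEX_NAME`, which the assertions presumably compare against. The test method starts outside the first of these hunks.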
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ShieldF.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ShieldF.java
index a5dba0b0006..62bf6ff6e99 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ShieldF.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ShieldF.java
@@ -14,6 +14,7 @@ import org.elasticsearch.node.MockNode;
 import org.elasticsearch.node.Node;
 import org.elasticsearch.shield.authc.esnative.NativeRealm;
 import org.elasticsearch.shield.authc.file.FileRealm;
+import org.elasticsearch.shield.authz.store.FileRolesStore;
 import org.elasticsearch.shield.test.ShieldTestUtils;
 import org.elasticsearch.test.ShieldSettingsSource;
 import org.elasticsearch.xpack.XPackPlugin;
@@ -50,14 +51,16 @@ public class ShieldF {
 }
 Path folder = ShieldTestUtils.createFolder(ShieldTestUtils.createFolder(PathUtils.get(homeDir), "config"), "shield");
- settings.put("shield.authc.realms.file.type", FileRealm.TYPE);
- settings.put("shield.authc.realms.file.order", "0");
- settings.put("shield.authc.realms.file.files.users", writeFile(folder, "users", ShieldSettingsSource.CONFIG_STANDARD_USER));
- settings.put("shield.authc.realms.file.files.users_roles", writeFile(folder, "users_roles",
+ settings.put("xpack.security.authc.realms.file.type", FileRealm.TYPE);
+ settings.put("xpack.security.authc.realms.file.order", "0");
+ settings.put("xpack.security.authc.realms.file.files.users",
+ writeFile(folder, "users", ShieldSettingsSource.CONFIG_STANDARD_USER));
+ settings.put("xpack.security.authc.realms.file.files.users_roles", writeFile(folder, "users_roles",
 ShieldSettingsSource.CONFIG_STANDARD_USER_ROLES));
- settings.put("shield.authc.realms.esnative.type", NativeRealm.TYPE);
- settings.put("shield.authc.realms.esnative.order", "1");
- settings.put("shield.authz.store.files.roles", writeFile(folder, "roles.yml", ShieldSettingsSource.CONFIG_ROLE_ALLOW_ALL));
+ settings.put("xpack.security.authc.realms.esnative.type", NativeRealm.TYPE);
+ settings.put("xpack.security.authc.realms.esnative.order", "1");
+ settings.put(FileRolesStore.RO_LES_FILE_SETTING_PLACEHOLDER_DO_NOT_USE.getKey(),
+ writeFile(folder, "roles.yml", ShieldSettingsSource.CONFIG_ROLE_ALLOW_ALL));
 final CountDownLatch latch = new CountDownLatch(1);
 final Node node = new MockNode(settings.build(), Version.CURRENT, Arrays.asList(XPackPlugin.class));
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ShieldPluginEnabledDisabledTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ShieldPluginEnabledDisabledTests.java
index 2e155ca9d8d..5ed62628e57 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ShieldPluginEnabledDisabledTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ShieldPluginEnabledDisabledTests.java
@@ -66,7 +66,7 @@ public class ShieldPluginEnabledDisabledTests extends ShieldIntegTestCase {
 logger.info("******* shield is {}", enabled ? "enabled" : "disabled");
 return Settings.settingsBuilder()
 .put(super.nodeSettings(nodeOrdinal))
- .put(XPackPlugin.featureEnabledSetting(Shield.NAME), enabled)
+ .put(XPackPlugin.featureEnabledSetting(Security.NAME), enabled)
 .put(NetworkModule.HTTP_ENABLED.getKey(), true)
 .build();
 }
@@ -75,7 +75,7 @@ public class ShieldPluginEnabledDisabledTests extends ShieldIntegTestCase {
 protected Settings transportClientSettings() {
 return Settings.settingsBuilder()
 .put(super.transportClientSettings())
- .put(XPackPlugin.featureEnabledSetting(Shield.NAME), enabled)
+ .put(XPackPlugin.featureEnabledSetting(Security.NAME), enabled)
 .build();
 }
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/AuditTrailModuleTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/AuditTrailModuleTests.java
index 3cea12bc6f7..13581354c22 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/AuditTrailModuleTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/AuditTrailModuleTests.java
@@ -33,10 +33,10 @@ public class AuditTrailModuleTests extends ESTestCase {
 public void testEnabled() throws Exception {
 Settings settings = Settings.builder()
 .put("client.type", "node")
- .put("shield.audit.enabled", false)
+ .put(AuditTrailModule.ENABLED_SETTING.getKey(), false)
 .build();
 SettingsModule settingsModule = new SettingsModule(settings);
- settingsModule.registerSetting(Setting.boolSetting("shield.audit.enabled", true, Setting.Property.NodeScope));
+ settingsModule.registerSetting(AuditTrailModule.ENABLED_SETTING);
 Injector injector = Guice.createInjector(settingsModule, new AuditTrailModule(settings));
 AuditTrail auditTrail = injector.getInstance(AuditTrail.class);
 assertThat(auditTrail, is(AuditTrail.NOOP));
@@ -52,13 +52,13 @@ public class AuditTrailModuleTests extends ESTestCase {
 public void testLogfile() throws Exception {
 Settings settings = Settings.builder()
- .put("shield.audit.enabled", true)
+ .put(AuditTrailModule.ENABLED_SETTING.getKey(), true)
 .put("client.type", "node")
 .build();
 ThreadPool pool = new ThreadPool("testLogFile");
 try {
 SettingsModule settingsModule = new SettingsModule(settings);
- settingsModule.registerSetting(Setting.boolSetting("shield.audit.enabled", true, Setting.Property.NodeScope));
+ settingsModule.registerSetting(AuditTrailModule.ENABLED_SETTING);
 Injector injector = Guice.createInjector( settingsModule, new NetworkModule(new NetworkService(settings), settings, false, new NamedWriteableRegistry()) {
@@ -85,13 +85,13 @@ public class AuditTrailModuleTests extends ESTestCase {
 public void testUnknownOutput() throws Exception {
 Settings settings = Settings.builder()
- .put("shield.audit.enabled", true)
- .put("shield.audit.outputs" , "foo")
+ .put(AuditTrailModule.ENABLED_SETTING.getKey(), true)
+ .put(AuditTrailModule.OUTPUTS_SETTING.getKey() , "foo")
 .put("client.type", "node")
 .build();
 SettingsModule settingsModule = new SettingsModule(settings);
- settingsModule.registerSetting(Setting.boolSetting("shield.audit.enabled", true, Setting.Property.NodeScope));
- settingsModule.registerSetting(Setting.simpleString("shield.audit.outputs", Setting.Property.NodeScope));
+ settingsModule.registerSetting(AuditTrailModule.ENABLED_SETTING);
+ settingsModule.registerSetting(AuditTrailModule.OUTPUTS_SETTING);
 try {
 Guice.createInjector(settingsModule, new AuditTrailModule(settings));
 fail("Expect initialization to fail when an unknown audit trail output is configured");
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/index/IndexAuditLevelTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/index/IndexAuditLevelTests.java
index d43cdc56fc3..85ffc3c01a3 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/index/IndexAuditLevelTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/index/IndexAuditLevelTests.java
@@ -7,6 +7,7 @@ package org.elasticsearch.shield.audit.index;
 import org.elasticsearch.test.ESTestCase;
+import java.util.Collections;
 import java.util.EnumSet;
 import java.util.Locale;
@@ -15,7 +16,7 @@ import static org.hamcrest.Matchers.is;
 public class IndexAuditLevelTests extends ESTestCase {
 public void testAllIndexAuditLevel() {
- EnumSet enumSet = IndexAuditLevel.parse(new String[] { "_all" });
+ EnumSet enumSet = IndexAuditLevel.parse(Collections.singletonList("_all"));
 IndexAuditLevel[] levels = IndexAuditLevel.values();
 assertThat(enumSet.size(), is(levels.length));
 for (IndexAuditLevel level : levels) {
@@ -24,13 +25,13 @@ public class IndexAuditLevelTests extends ESTestCase {
 }
 public void testExcludeHasPreference() {
- EnumSet enumSet = IndexAuditLevel.parse(new String[] { "_all" }, new String[] { "_all" });
+ EnumSet enumSet = IndexAuditLevel.parse(Collections.singletonList("_all"), Collections.singletonList("_all"));
 assertThat(enumSet.size(), is(0));
 }
 public void testExcludeHasPreferenceSingle() {
 String excluded = randomFrom(IndexAuditLevel.values()).toString().toLowerCase(Locale.ROOT);
- EnumSet enumSet = IndexAuditLevel.parse(new String[] { "_all" }, new String[] { excluded });
+ EnumSet enumSet = IndexAuditLevel.parse(Collections.singletonList("_all"), Collections.singletonList(excluded));
 EnumSet expected = EnumSet.allOf(IndexAuditLevel.class);
 expected.remove(IndexAuditLevel.valueOf(excluded.toUpperCase(Locale.ROOT)));
 assertThat(enumSet, equalTo(expected));
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/index/IndexAuditTrailTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/index/IndexAuditTrailTests.java
index 46c88beeefc..8d00afc6677 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/index/IndexAuditTrailTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/index/IndexAuditTrailTests.java
@@ -24,11 +24,9 @@ import org.elasticsearch.common.transport.TransportAddress;
 import org.elasticsearch.index.IndexNotFoundException;
 import org.elasticsearch.rest.RestRequest;
 import org.elasticsearch.search.SearchHit;
-import org.elasticsearch.shield.Shield;
+import org.elasticsearch.shield.Security;
 import org.elasticsearch.shield.SystemUser;
 import org.elasticsearch.shield.User;
-import org.elasticsearch.shield.XPackUser;
-import org.elasticsearch.shield.authc.AuthenticationService;
 import org.elasticsearch.shield.authc.AuthenticationToken;
 import org.elasticsearch.shield.transport.filter.IPFilter;
 import org.elasticsearch.shield.transport.filter.ShieldIpFilterRule;
@@ -100,30 +98,30 @@ public class IndexAuditTrailTests extends ShieldIntegTestCase {
 private Settings commonSettings(IndexNameResolver.Rollover rollover) {
 return Settings.builder()
- .put("shield.audit.enabled", true)
- .put("shield.audit.outputs", "index, logfile")
- .put("shield.audit.index.bulk_size", 1)
- .put("shield.audit.index.flush_interval", "1ms")
- .put("shield.audit.index.rollover", rollover.name().toLowerCase(Locale.ENGLISH))
- .put("shield.audit.index.settings.index.number_of_shards", numShards)
- .put("shield.audit.index.settings.index.number_of_replicas", numReplicas)
+ .put("xpack.security.audit.enabled", true)
+ .put("xpack.security.audit.outputs", "index, logfile")
+ .put("xpack.security.audit.index.bulk_size", 1)
+ .put("xpack.security.audit.index.flush_interval", "1ms")
+ .put("xpack.security.audit.index.rollover", rollover.name().toLowerCase(Locale.ENGLISH))
+ .put("xpack.security.audit.index.settings.index.number_of_shards", numShards)
+ .put("xpack.security.audit.index.settings.index.number_of_replicas", numReplicas)
 .build();
 }
 private Settings remoteSettings(String address, int port, String clusterName) {
 return Settings.builder()
- .put("shield.audit.index.client.hosts", address + ":" + port)
- .put("shield.audit.index.client.cluster.name", clusterName)
+ .put("xpack.security.audit.index.client.hosts", address + ":" + port)
+ .put("xpack.security.audit.index.client.cluster.name", clusterName)
 .build();
 }
 private Settings levelSettings(String[] includes, String[] excludes) {
 Settings.Builder builder = Settings.builder();
 if (includes != null) {
- builder.putArray("shield.audit.index.events.include", includes);
+ builder.putArray("xpack.security.audit.index.events.include", includes);
 }
 if (excludes != null) {
- builder.putArray("shield.audit.index.events.exclude", excludes);
+ builder.putArray("xpack.security.audit.index.events.exclude", excludes);
 }
 return builder.build();
 }
@@ -148,7 +146,6 @@ public class IndexAuditTrailTests extends ShieldIntegTestCase {
 numReplicas = numberOfReplicas();
 numShards = numberOfShards();
 Settings settings = settings(rollover, includes, excludes);
- AuthenticationService authService = mock(AuthenticationService.class);
 remoteIndexing = randomBoolean();
 if (remoteIndexing) {
@@ -166,7 +163,7 @@ public class IndexAuditTrailTests extends ShieldIntegTestCase {
 public Settings nodeSettings(int nodeOrdinal) {
 Settings.Builder builder = Settings.builder()
 .put(super.nodeSettings(nodeOrdinal))
- .put(XPackPlugin.featureEnabledSetting(Shield.NAME), useShield);
+ .put(XPackPlugin.featureEnabledSetting(Security.NAME), useShield);
 return builder.build();
 }
 };
@@ -182,34 +179,27 @@ public class IndexAuditTrailTests extends ShieldIntegTestCase {
 Settings.Builder builder = Settings.builder()
 .put(settings)
- .put(XPackPlugin.featureEnabledSetting(Shield.NAME), useShield)
+ .put(XPackPlugin.featureEnabledSetting(Security.NAME), useShield)
 .put(remoteSettings(NetworkAddress.formatAddress(inet.address().getAddress()), inet.address().getPort(), cluster2Name))
- .put("shield.audit.index.client.shield.user", DEFAULT_USER_NAME + ":" + DEFAULT_PASSWORD);
+ .put("xpack.security.audit.index.client." + Security.USER_SETTING.getKey(), DEFAULT_USER_NAME + ":" + DEFAULT_PASSWORD);
 if (useSSL) {
 for (Map.Entry entry : cluster2SettingsSource.getClientSSLSettings().getAsMap().entrySet()) {
- builder.put("shield.audit.index.client." + entry.getKey(), entry.getValue());
+ builder.put("xpack.security.audit.index.client." + entry.getKey(), entry.getValue());
 }
 }
 settings = builder.build();
-
- doThrow(new IllegalStateException("indexing user should not be attached when sending remotely")) .when(authService).attachUserHeaderIfMissing(eq(XPackUser.INSTANCE));
 }
 settings = Settings.builder().put(settings).put("path.home", createTempDir()).build();
 logger.info("--> settings: [{}]", settings.getAsMap().toString());
- when(authService.authenticate(mock(RestRequest.class))).thenThrow(new UnsupportedOperationException(""));
- when(authService.authenticate("_action", new LocalHostMockMessage(), XPackUser.INSTANCE)) .thenThrow(new UnsupportedOperationException(""));
 Transport transport = mock(Transport.class);
 BoundTransportAddress boundTransportAddress = new BoundTransportAddress(new TransportAddress[]{DummyTransportAddress.INSTANCE}, DummyTransportAddress.INSTANCE);
 when(transport.boundAddress()).thenReturn(boundTransportAddress);
 threadPool = new ThreadPool("index audit trail tests");
- auditor = new IndexAuditTrail(settings, authService, transport, Providers.of(internalClient()), threadPool,
- mock(ClusterService.class));
+ auditor = new
IndexAuditTrail(settings, transport, Providers.of(internalClient()), threadPool, mock(ClusterService.class));
 auditor.start(true);
 }
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/index/IndexAuditTrailUpdateMappingTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/index/IndexAuditTrailUpdateMappingTests.java
index 6f817421d88..e87b7026fba 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/index/IndexAuditTrailUpdateMappingTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/index/IndexAuditTrailUpdateMappingTests.java
@@ -12,7 +12,6 @@ import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.transport.BoundTransportAddress;
 import org.elasticsearch.common.transport.DummyTransportAddress;
 import org.elasticsearch.common.transport.TransportAddress;
-import org.elasticsearch.shield.authc.AuthenticationService;
 import org.elasticsearch.test.ShieldIntegTestCase;
 import org.elasticsearch.test.rest.FakeRestRequest;
 import org.elasticsearch.threadpool.ThreadPool;
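Review bot: Dropping the `authService` constructor argument also drops the only assertion in this setup that the remote-indexing path must not carry the local XPack system user (`doThrow(...).when(authService).attachUserHeaderIfMissing(eq(XPackUser.INSTANCE))`), and the remaining `remoteIndexing` branch now only wires the `xpack.security.audit.index.client.` credentials and SSL keys. If `IndexAuditTrail` no longer touches `AuthenticationService` at all, that mock guard is presumably obsolete, but nothing in the hunk shows where the "do not attach the local system user when shipping audit events to another cluster" property is still exercised. A short comment in the `remoteIndexing` branch stating which test now covers it, e.g. `// the remote client authenticates only with the credentials configured above; header propagation is covered by <test>`, or an assertion on the headers the remote client sends, would keep that intent visible. The enclosing setup method starts outside the hunk.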
@@ -46,13 +45,12 @@ public class IndexAuditTrailUpdateMappingTests extends ShieldIntegTestCase {
 public void testMappingIsUpdated() throws Exception {
 // Setup
 IndexNameResolver.Rollover rollover = randomFrom(HOURLY, DAILY, WEEKLY, MONTHLY);
- AuthenticationService authService = mock(AuthenticationService.class);
- Settings settings = Settings.builder().put("shield.audit.index.rollover", rollover.name().toLowerCase(Locale.ENGLISH))
+ Settings settings = Settings.builder().put("xpack.security.audit.index.rollover", rollover.name().toLowerCase(Locale.ENGLISH))
 .put("path.home", createTempDir()).build();
 Transport transport = mock(Transport.class);
 when(transport.boundAddress()).thenReturn(new BoundTransportAddress(new TransportAddress[] { DummyTransportAddress.INSTANCE }, DummyTransportAddress.INSTANCE));
- auditor = new IndexAuditTrail(settings, authService, transport, Providers.of(internalClient()), threadPool,
+ auditor = new IndexAuditTrail(settings, transport, Providers.of(internalClient()), threadPool,
 mock(ClusterService.class));
 // before starting we add an event
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/index/RemoteIndexAuditTrailStartingTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/index/RemoteIndexAuditTrailStartingTests.java
index 1f5c0fbefbc..e0c6fcd61fc 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/index/RemoteIndexAuditTrailStartingTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/index/RemoteIndexAuditTrailStartingTests.java
@@ -54,8 +54,8 @@ public class RemoteIndexAuditTrailStartingTests extends ShieldIntegTestCase {
 public Settings nodeSettings(int nodeOrdinal) {
 return Settings.builder()
 .put(super.nodeSettings(nodeOrdinal))
- .put("shield.audit.enabled", localAudit)
- .put("shield.audit.outputs", outputs)
+ .put("xpack.security.audit.enabled", localAudit)
+ .put("xpack.security.audit.outputs", outputs)
 .build();
 }
@@ -92,15 +92,15 @@ public class RemoteIndexAuditTrailStartingTests extends ShieldIntegTestCase {
 public Settings nodeSettings(int nodeOrdinal) {
 Settings.Builder builder = Settings.builder()
 .put(super.nodeSettings(nodeOrdinal))
- .put("shield.audit.enabled", true)
- .put("shield.audit.outputs", randomFrom("index", "index,logfile"))
- .putArray("shield.audit.index.client.hosts", addresses.toArray(new String[addresses.size()]))
- .put("shield.audit.index.client.cluster.name", clusterName)
- .put("shield.audit.index.client.shield.user", DEFAULT_USER_NAME + ":" + DEFAULT_PASSWORD);
+ .put("xpack.security.audit.enabled", true)
+ .put("xpack.security.audit.outputs", randomFrom("index", "index,logfile"))
+ .putArray("xpack.security.audit.index.client.hosts", addresses.toArray(new String[addresses.size()]))
+ .put("xpack.security.audit.index.client.cluster.name", clusterName)
+ .put("xpack.security.audit.index.client.xpack.security.user", DEFAULT_USER_NAME + ":" + DEFAULT_PASSWORD);
 if (useSSL) {
 for (Map.Entry entry : getClientSSLSettings().getAsMap().entrySet()) {
- builder.put("shield.audit.index.client." + entry.getKey(), entry.getValue());
+ builder.put("xpack.security.audit.index.client." + entry.getKey(), entry.getValue());
 }
 }
 return builder.build();
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/logfile/LoggingAuditTrailTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/logfile/LoggingAuditTrailTests.java
index 55e28313d7e..36b5c854d1d 100644
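Review bot: The nested credential key on the new `.put("xpack.security.audit.index.client.xpack.security.user", DEFAULT_USER_NAME + ":" + DEFAULT_PASSWORD)` line in the second hunk hard-codes the suffix that the rest of this commit reads from `Security.USER_SETTING.getKey()` (RunAsIntegTests, PkiAuthenticationTests), so a later rename of the user setting would surface here as a confusing authentication failure of the remote audit client rather than as a compile error. Building it as `.put("xpack.security.audit.index.client." + Security.USER_SETTING.getKey(), DEFAULT_USER_NAME + ":" + DEFAULT_PASSWORD)` keeps the two in sync, assuming, as the other hunks suggest, that the constant's key is `xpack.security.user`. This needs `import org.elasticsearch.shield.Security;` in the file, which the hunk does not show. The SSL loop below already follows that shape by prefixing `entry.getKey()`.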
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/logfile/LoggingAuditTrailTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/logfile/LoggingAuditTrailTests.java
@@ -109,9 +109,9 @@ public class LoggingAuditTrailTests extends ESTestCase {
 @Before
 public void init() throws Exception {
 settings = Settings.builder()
- .put("shield.audit.logfile.prefix.emit_node_host_address", randomBoolean())
- .put("shield.audit.logfile.prefix.emit_node_host_name", randomBoolean())
- .put("shield.audit.logfile.prefix.emit_node_name", randomBoolean())
+ .put("xpack.security.audit.logfile.prefix.emit_node_host_address", randomBoolean())
+ .put("xpack.security.audit.logfile.prefix.emit_node_host_name", randomBoolean())
+ .put("xpack.security.audit.logfile.prefix.emit_node_name", randomBoolean())
 .build();
 transport = mock(Transport.class);
 when(transport.lifecycleState()).thenReturn(Lifecycle.State.STARTED);
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/AnonymousUserHolderTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/AnonymousUserHolderTests.java
index 9bd723c8066..5c8c155f34a 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/AnonymousUserHolderTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/AnonymousUserHolderTests.java
@@ -22,8 +22,8 @@ import static org.hamcrest.Matchers.nullValue;
 public class AnonymousUserHolderTests extends ESTestCase {
 public void testResolveAnonymousUser() throws Exception {
 Settings settings = Settings.builder()
- .put("shield.authc.anonymous.username", "anonym1")
- .putArray("shield.authc.anonymous.roles", "r1", "r2", "r3")
+ .put(AnonymousService.USERNAME_SETTING.getKey(), "anonym1")
+ .putArray(AnonymousService.ROLES_SETTING.getKey(), "r1", "r2", "r3")
 .build();
 User user = AnonymousService.resolveAnonymousUser(settings);
 assertThat(user, notNullValue());
@@ -31,7 +31,7 @@ public class AnonymousUserHolderTests extends ESTestCase {
 assertThat(user.roles(), arrayContainingInAnyOrder("r1", "r2", "r3"));
 settings = Settings.builder()
- .putArray("shield.authc.anonymous.roles", "r1", "r2", "r3")
+ .putArray(AnonymousService.ROLES_SETTING.getKey(), "r1", "r2", "r3")
 .build();
 user = AnonymousService.resolveAnonymousUser(settings);
 assertThat(user, notNullValue());
@@ -42,7 +42,7 @@ public class AnonymousUserHolderTests extends ESTestCase {
 public void testResolveAnonymousUser_NoSettings() throws Exception {
 Settings settings = randomBoolean() ?
 Settings.EMPTY :
- Settings.builder().put("shield.authc.anonymous.username", "user1").build();
+ Settings.builder().put(AnonymousService.USERNAME_SETTING.getKey(), "user1").build();
 User user = AnonymousService.resolveAnonymousUser(settings);
 assertThat(user, nullValue());
 }
@@ -57,7 +57,7 @@ public class AnonymousUserHolderTests extends ESTestCase {
 public void testWhenAnonymousEnabled() throws Exception {
 Settings settings = Settings.builder()
- .putArray("shield.authc.anonymous.roles", "r1", "r2", "r3")
+ .putArray(AnonymousService.ROLES_SETTING.getKey(), "r1", "r2", "r3")
 .build();
 AnonymousService anonymousService = new AnonymousService(settings);
 assertThat(anonymousService.enabled(), is(true));
@@ -74,8 +74,8 @@ public class AnonymousUserHolderTests extends ESTestCase {
 public void testDisablingAuthorizationExceptions() {
 Settings settings = Settings.builder()
- .putArray("shield.authc.anonymous.roles", "r1", "r2", "r3")
- .put(AnonymousService.SETTING_AUTHORIZATION_EXCEPTION_ENABLED, false)
+ .putArray(AnonymousService.ROLES_SETTING.getKey(), "r1", "r2", "r3")
+ .put(AnonymousService.SETTING_AUTHORIZATION_EXCEPTION_ENABLED.getKey(), false)
 .build();
 AnonymousService holder = new AnonymousService(settings);
 assertThat(holder.authorizationExceptionsEnabled(), is(false));
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/AnonymousUserTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/AnonymousUserTests.java
index fe4c9023427..901bf595d45 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/AnonymousUserTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/AnonymousUserTests.java
@@ -35,8 +35,8 @@ public class AnonymousUserTests extends ShieldIntegTestCase {
 return Settings.builder()
 .put(super.nodeSettings(nodeOrdinal))
 .put(NetworkModule.HTTP_ENABLED.getKey(), true)
- .put("shield.authc.anonymous.roles", "anonymous")
- .put(AnonymousService.SETTING_AUTHORIZATION_EXCEPTION_ENABLED, authorizationExceptionsEnabled)
+ .put(AnonymousService.ROLES_SETTING.getKey(), "anonymous")
+ .put(AnonymousService.SETTING_AUTHORIZATION_EXCEPTION_ENABLED.getKey(), authorizationExceptionsEnabled)
 .build();
 }
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/InternalAuthenticationServiceTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/InternalAuthenticationServiceTests.java
index a77a3d06ff3..3c069eac172 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/InternalAuthenticationServiceTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/InternalAuthenticationServiceTests.java
@@ -378,7 +378,7 @@ public class InternalAuthenticationServiceTests extends ESTestCase {
 }
 public void testAutheticateTransportContextAndHeaderNoSigning() throws Exception {
- Settings settings = Settings.builder().put(InternalAuthenticationService.SETTING_SIGN_USER_HEADER, false).build();
+ Settings settings = Settings.builder().put(InternalAuthenticationService.SIGN_USER_HEADER.getKey(), false).build();
 service = new InternalAuthenticationService(settings, realms, auditTrail, cryptoService, anonymousService, new DefaultAuthenticationFailureHandler(), threadPool);
@@ -472,9 +472,9 @@ public class InternalAuthenticationServiceTests extends ESTestCase {
 public void testAnonymousUserRest() throws Exception {
 String username = randomBoolean() ? AnonymousService.ANONYMOUS_USERNAME : "user1";
 Settings.Builder builder = Settings.builder()
- .putArray("shield.authc.anonymous.roles", "r1", "r2", "r3");
+ .putArray(AnonymousService.ROLES_SETTING.getKey(), "r1", "r2", "r3");
 if (username != AnonymousService.ANONYMOUS_USERNAME) {
- builder.put("shield.authc.anonymous.username", username);
+ builder.put(AnonymousService.USERNAME_SETTING.getKey(), username);
 }
 Settings settings = builder.build();
 AnonymousService holder = new AnonymousService(settings);
@@ -494,7 +494,7 @@ public class InternalAuthenticationServiceTests extends ESTestCase {
 public void testAnonymousUserTransportNoDefaultUser() throws Exception {
 Settings settings = Settings.builder()
- .putArray("shield.authc.anonymous.roles", "r1", "r2", "r3")
+ .putArray(AnonymousService.ROLES_SETTING.getKey(), "r1", "r2", "r3")
 .build();
 service = new InternalAuthenticationService(settings, realms, auditTrail, cryptoService, new AnonymousService(settings), new DefaultAuthenticationFailureHandler(), threadPool);
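Review bot: The context line `if (username != AnonymousService.ANONYMOUS_USERNAME) {` in the testAnonymousUserRest hunk, sitting between the two changed `putArray`/`put` calls, compares strings by reference; it only holds because the ternary above hands back the very same `ANONYMOUS_USERNAME` reference, and would silently flip the moment the value came from anywhere else (a settings read, a concatenation). Since the commit already touches both sides of this block, `if (AnonymousService.ANONYMOUS_USERNAME.equals(username) == false) {` would make the intent explicit and robust. testAnonymousUserRest continues outside the hunk.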
@@ -509,7 +509,7 @@ public class InternalAuthenticationServiceTests extends ESTestCase {
 public void testAnonymousUserTransportWithDefaultUser() throws Exception {
 Settings settings = Settings.builder()
- .putArray("shield.authc.anonymous.roles", "r1", "r2", "r3")
+ .putArray(AnonymousService.ROLES_SETTING.getKey(), "r1", "r2", "r3")
 .build();
 service = new InternalAuthenticationService(settings, realms, auditTrail, cryptoService, new AnonymousService(settings), new DefaultAuthenticationFailureHandler(), threadPool);
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/RealmsTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/RealmsTests.java
index 4a549536ef6..cb8d6f0ab6c 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/RealmsTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/RealmsTests.java
@@ -62,8 +62,8 @@ public class RealmsTests extends ESTestCase {
 Collections.shuffle(orders, random());
 Map orderToIndex = new HashMap<>();
 for (int i = 0; i < factories.size() - 2; i++) {
- builder.put("shield.authc.realms.realm_" + i + ".type", "type_" + i);
- builder.put("shield.authc.realms.realm_" + i + ".order", orders.get(i));
+ builder.put("xpack.security.authc.realms.realm_" + i + ".type", "type_" + i);
+ builder.put("xpack.security.authc.realms.realm_" + i + ".order", orders.get(i));
 orderToIndex.put(orders.get(i), i);
 }
 Settings settings = builder.build();
@@ -82,10 +82,10 @@ public class RealmsTests extends ESTestCase {
 public void testWithSettingsWithMultipleInternalRealmsOfSameType() throws Exception {
 Settings settings = Settings.builder()
- .put("shield.authc.realms.realm_1.type", FileRealm.TYPE)
- .put("shield.authc.realms.realm_1.order", 0)
- .put("shield.authc.realms.realm_2.type", FileRealm.TYPE)
- .put("shield.authc.realms.realm_2.order", 1)
+ .put("xpack.security.authc.realms.realm_1.type", FileRealm.TYPE)
+ .put("xpack.security.authc.realms.realm_1.order", 0)
+ .put("xpack.security.authc.realms.realm_2.type", FileRealm.TYPE)
+ .put("xpack.security.authc.realms.realm_2.order", 1)
 .put("path.home", createTempDir())
 .build();
 Environment env = new Environment(settings);
@@ -124,8 +124,8 @@ public class RealmsTests extends ESTestCase {
 Collections.shuffle(orders, random());
 Map orderToIndex = new HashMap<>();
 for (int i = 0; i < factories.size() - 2; i++) {
- builder.put("shield.authc.realms.realm_" + i + ".type", "type_" + i);
- builder.put("shield.authc.realms.realm_" + i + ".order", orders.get(i));
+ builder.put("xpack.security.authc.realms.realm_" + i + ".type", "type_" + i);
+ builder.put("xpack.security.authc.realms.realm_" + i + ".order", orders.get(i));
 orderToIndex.put(orders.get(i), i);
 }
 Settings settings = builder.build();
@@ -156,10 +156,10 @@ public class RealmsTests extends ESTestCase {
 assertThat(factories.get("type_0"), notNullValue());
 Settings.Builder builder = Settings.builder()
 .put("path.home", createTempDir())
- .put("shield.authc.realms.foo.type", "ldap")
- .put("shield.authc.realms.foo.order", "0")
- .put("shield.authc.realms.custom.type", "type_0")
- .put("shield.authc.realms.custom.order", "1");
+ .put("xpack.security.authc.realms.foo.type", "ldap")
+ .put("xpack.security.authc.realms.foo.order", "0")
+ .put("xpack.security.authc.realms.custom.type", "type_0")
+ .put("xpack.security.authc.realms.custom.order", "1");
 Settings settings = builder.build();
 Environment env = new Environment(settings);
 Realms realms = new Realms(settings, env, factories, shieldLicenseState);
@@ -192,10 +192,10 @@ public class RealmsTests extends ESTestCase {
 Collections.shuffle(orders, random());
 Map orderToIndex = new HashMap<>();
 for (int i = 0; i < factories.size() - 2; i++) {
- builder.put("shield.authc.realms.realm_" + i + ".type", "type_" + i);
- builder.put("shield.authc.realms.realm_" + i + ".order", orders.get(i));
+ builder.put("xpack.security.authc.realms.realm_" + i + ".type", "type_" + i);
+ builder.put("xpack.security.authc.realms.realm_" + i + ".order", orders.get(i));
 boolean enabled = randomBoolean();
- builder.put("shield.authc.realms.realm_" + i + ".enabled", enabled);
+ builder.put("xpack.security.authc.realms.realm_" + i + ".enabled", enabled);
 if (enabled) {
 orderToIndex.put(orders.get(i), i);
 logger.error("put [{}] -> [{}]", orders.get(i), i);
@@ -223,7 +223,7 @@ public class RealmsTests extends ESTestCase {
 } else {
 assertThat(realm.type(), equalTo("type_" + index));
 assertThat(realm.name(), equalTo("realm_" + index));
- assertThat(settings.getAsBoolean("shield.authc.realms.realm_" + index + ".enabled", true), equalTo(Boolean.TRUE));
+ assertThat(settings.getAsBoolean("xpack.security.authc.realms.realm_" + index + ".enabled", true), equalTo(Boolean.TRUE));
 count++;
 }
 }
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/RunAsIntegTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/RunAsIntegTests.java
index f2e899521e6..9e22f20bdba 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/RunAsIntegTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/RunAsIntegTests.java
@@ -13,6 +13,7 @@ import org.elasticsearch.client.transport.TransportClient;
 import org.elasticsearch.common.network.NetworkModule;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.transport.TransportAddress;
+import org.elasticsearch.shield.Security;
 import org.elasticsearch.shield.authc.support.SecuredString;
 import org.elasticsearch.shield.authc.support.SecuredStringTests;
 import org.elasticsearch.shield.authc.support.UsernamePasswordToken;
@@ -73,8 +74,8 @@ public class RunAsIntegTests extends ShieldIntegTestCase {
 }
 public void testUserImpersonation() throws Exception {
- try (TransportClient client = getTransportClient(
- Settings.builder().put("shield.user", TRANSPORT_CLIENT_USER + ":" + ShieldSettingsSource.DEFAULT_PASSWORD).build())) {
+ try (TransportClient client = getTransportClient(Settings.builder()
+ .put(Security.USER_SETTING.getKey(), TRANSPORT_CLIENT_USER + ":" + ShieldSettingsSource.DEFAULT_PASSWORD).build())) {
 //ensure the client can connect
 awaitBusy(() -> {
 return client.connectedNodes().size() > 0;
@@ -139,8 +140,8 @@ public class RunAsIntegTests extends ShieldIntegTestCase {
 }
 public void testEmptyUserImpersonationHeader() throws Exception {
- try (TransportClient client = getTransportClient(Settings.builder().put("shield.user", TRANSPORT_CLIENT_USER + ":" +
- ShieldSettingsSource.DEFAULT_PASSWORD).build())) {
+ try (TransportClient client = getTransportClient(Settings.builder()
+ .put(Security.USER_SETTING.getKey(), TRANSPORT_CLIENT_USER + ":" + ShieldSettingsSource.DEFAULT_PASSWORD).build())) {
 //ensure the client can connect
 awaitBusy(() -> {
 return client.connectedNodes().size() > 0;
@@ -171,8 +172,8 @@ public class RunAsIntegTests extends ShieldIntegTestCase {
 }
 public void testNonExistentRunAsUser() throws Exception {
- try (TransportClient client = getTransportClient(Settings.builder().put("shield.user", TRANSPORT_CLIENT_USER + ":" +
- ShieldSettingsSource.DEFAULT_PASSWORD).build())) {
+ try (TransportClient client = getTransportClient(Settings.builder()
+ .put(Security.USER_SETTING.getKey(), TRANSPORT_CLIENT_USER + ":" + ShieldSettingsSource.DEFAULT_PASSWORD).build())) {
 //ensure the client can connect
 awaitBusy(() -> {
 return client.connectedNodes().size() > 0;
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/activedirectory/ActiveDirectoryGroupsResolverTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/activedirectory/ActiveDirectoryGroupsResolverTests.java
index 5a96110a9eb..bc74b2583bc 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/activedirectory/ActiveDirectoryGroupsResolverTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/activedirectory/ActiveDirectoryGroupsResolverTests.java
@@ -42,8 +42,8 @@ public class ActiveDirectoryGroupsResolverTests extends ESTestCase {
 Path keystore = getDataPath("../ldap/support/ldaptrust.jks");
 Environment env = new Environment(Settings.builder().put("path.home", createTempDir()).build());
 ClientSSLService clientSSLService = new ClientSSLService(Settings.builder()
- .put("shield.ssl.keystore.path", keystore)
- .put("shield.ssl.keystore.password", "changeit")
+ .put("xpack.security.ssl.keystore.path", keystore)
+ .put("xpack.security.ssl.keystore.password", "changeit")
 .build());
 clientSSLService.setEnvironment(env);
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/activedirectory/ActiveDirectorySessionFactoryTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/activedirectory/ActiveDirectorySessionFactoryTests.java
index d26083c40d5..e285857eb04 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/activedirectory/ActiveDirectorySessionFactoryTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/activedirectory/ActiveDirectorySessionFactoryTests.java
@@ -50,8 +50,8 @@ public class ActiveDirectorySessionFactoryTests extends ESTestCase {
 * verification tests since a re-established connection does not perform hostname verification.
 */
 clientSSLService = new ClientSSLService(Settings.builder()
- .put("shield.ssl.keystore.path", keystore)
- .put("shield.ssl.keystore.password", "changeit")
+ .put("xpack.security.ssl.keystore.path", keystore)
+ .put("xpack.security.ssl.keystore.password", "changeit")
 .build());
 clientSSLService.setEnvironment(env);
 globalSettings = Settings.builder().put("path.home", createTempDir()).build();
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/file/FileUserPasswdStoreTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/file/FileUserPasswdStoreTests.java
index de255c6d51f..72c261e0c08 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/file/FileUserPasswdStoreTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/file/FileUserPasswdStoreTests.java
@@ -77,11 +77,11 @@ public class FileUserPasswdStoreTests extends ESTestCase {
 // writing in utf_16 should cause a parsing error as we try to read the file in utf_8
 Files.write(file, Collections.singletonList("aldlfkjldjdflkjd"), StandardCharsets.UTF_16);
- Settings esusersSettings = Settings.builder()
+ Settings fileSettings = Settings.builder()
 .put("files.users", file.toAbsolutePath())
 .build();
- RealmConfig config = new RealmConfig("file-test", esusersSettings, settings, env);
+ RealmConfig config = new RealmConfig("file-test", fileSettings, settings, env);
 ResourceWatcherService watcherService = new ResourceWatcherService(settings, threadPool);
 FileUserPasswdStore store = new FileUserPasswdStore(config, watcherService);
 assertThat(store.usersCount(), is(0));
@@ -92,12 +92,12 @@ public class FileUserPasswdStoreTests extends ESTestCase {
 Path tmp = createTempFile();
 Files.copy(users, tmp, StandardCopyOption.REPLACE_EXISTING);
- Settings esusersSettings = Settings.builder()
+ Settings fileSettings = Settings.builder()
 .put("files.users", tmp.toAbsolutePath())
 .build();
- RealmConfig config = new RealmConfig("file-test", esusersSettings, settings, env);
+ RealmConfig config = new RealmConfig("file-test", fileSettings, settings, env);
 ResourceWatcherService watcherService = new ResourceWatcherService(settings, threadPool);
 final CountDownLatch latch = new CountDownLatch(1);
@@ -131,12 +131,12 @@ public class FileUserPasswdStoreTests extends ESTestCase {
 Path tmp = createTempFile();
 Files.copy(users, tmp, StandardCopyOption.REPLACE_EXISTING);
- Settings esusersSettings = Settings.builder()
+ Settings fileSettings = Settings.builder()
 .put("files.users", tmp.toAbsolutePath())
 .build();
- RealmConfig config = new RealmConfig("file-test", esusersSettings, settings, env);
+ RealmConfig config = new RealmConfig("file-test", fileSettings, settings, env);
 ResourceWatcherService watcherService = new ResourceWatcherService(settings, threadPool);
 final CountDownLatch latch = new CountDownLatch(1);
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/file/FileUserRolesStoreTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/file/FileUserRolesStoreTests.java
index 14b16899d0e..4d07b10a932 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/file/FileUserRolesStoreTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/file/FileUserRolesStoreTests.java
@@ -79,11 +79,11 @@ public class FileUserRolesStoreTests extends ESTestCase {
 // writing in utf_16 should cause a parsing error as we try to read the file in utf_8
 Files.write(file, lines, StandardCharsets.UTF_16);
- Settings esusersSettings = Settings.builder()
+ Settings fileSettings = Settings.builder()
 .put("files.users_roles", file.toAbsolutePath())
 .build();
- RealmConfig config = new RealmConfig("file-test", esusersSettings, settings, env);
+ RealmConfig config = new RealmConfig("file-test", fileSettings, settings, env);
 ResourceWatcherService watcherService = new ResourceWatcherService(settings, threadPool);
 FileUserRolesStore store = new FileUserRolesStore(config, watcherService);
 assertThat(store.entriesCount(), is(0));
@@ -94,11 +94,11 @@ public class FileUserRolesStoreTests extends ESTestCase {
 Path tmp = createTempFile();
 Files.copy(users, tmp, StandardCopyOption.REPLACE_EXISTING);
- Settings esusersSettings = Settings.builder()
+ Settings fileSettings = Settings.builder()
 .put("files.users_roles", tmp.toAbsolutePath())
 .build();
- RealmConfig config = new RealmConfig("file-test", esusersSettings, settings, env);
+ RealmConfig config = new RealmConfig("file-test", fileSettings, settings, env);
 ResourceWatcherService watcherService = new ResourceWatcherService(settings, threadPool);
 final CountDownLatch latch = new CountDownLatch(1);
@@ -137,11 +137,11 @@ public class FileUserRolesStoreTests extends ESTestCase {
 Path tmp = createTempFile();
 Files.copy(users, tmp, StandardCopyOption.REPLACE_EXISTING);
- Settings esusersSettings = Settings.builder()
+ Settings fileSettings = Settings.builder()
 .put("files.users_roles", tmp.toAbsolutePath())
 .build();
- RealmConfig config = new RealmConfig("file-test", esusersSettings, settings, env);
+ RealmConfig config = new RealmConfig("file-test", fileSettings, settings, env);
 ResourceWatcherService watcherService = new ResourceWatcherService(settings, threadPool);
 final CountDownLatch latch = new CountDownLatch(1);
@@ -232,12 +232,12 @@ public class FileUserRolesStoreTests extends ESTestCase {
 .put("path.home", createTempDir())
 .build();
- Settings esusersSettings = Settings.builder()
+ Settings fileSettings = Settings.builder()
 .put("files.users_roles", usersRoles.toAbsolutePath())
 .build();
 Environment env = new Environment(settings);
- RealmConfig config = new RealmConfig("file-test", esusersSettings, settings, env);
+ RealmConfig config = new RealmConfig("file-test", fileSettings, settings, env);
 ResourceWatcherService watcherService = new ResourceWatcherService(settings, threadPool);
 FileUserRolesStore store = new FileUserRolesStore(config, watcherService);
 assertThat(store.roles("user"), equalTo(Strings.EMPTY_ARRAY));
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/file/tool/UsersToolTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/file/tool/UsersToolTests.java
index 5ce65a328cc..73cdb37fe48 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/file/tool/UsersToolTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/file/tool/UsersToolTests.java
@@ -78,7 +78,7 @@ public class UsersToolTests extends CommandTestCase {
 ), StandardCharsets.UTF_8);
 settingsBuilder = Settings.builder()
 .put("path.home", homeDir)
- .put("shield.authc.realms.file.type", "file");
+ .put("xpack.security.authc.realms.file.type", "file");
 }
 @AfterClass
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/ldap/LdapUserSearchSessionFactoryTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/ldap/LdapUserSearchSessionFactoryTests.java
index edb9ea2cb40..76065747ac9 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/ldap/LdapUserSearchSessionFactoryTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/ldap/LdapUserSearchSessionFactoryTests.java
@@ -72,8 +72,8 @@ public class LdapUserSearchSessionFactoryTests extends LdapTestCase {
 * verification tests since a re-established connection does not perform hostname verification.
 */
 clientSSLService = new ClientSSLService(settingsBuilder()
- .put("shield.ssl.keystore.path", keystore)
- .put("shield.ssl.keystore.password", "changeit")
+ .put("xpack.security.ssl.keystore.path", keystore)
+ .put("xpack.security.ssl.keystore.password", "changeit")
 .build());
 clientSSLService.setEnvironment(env);
@@ -528,7 +528,7 @@ public class LdapUserSearchSessionFactoryTests extends LdapTestCase {
 Settings.Builder builder = settingsBuilder();
 for (Map.Entry entry : ldapSettings.getAsMap().entrySet()) {
- builder.put("shield.authc.realms.ldap1." + entry.getKey(), entry.getValue());
+ builder.put("xpack.security.authc.realms.ldap1." + entry.getKey(), entry.getValue());
 }
 builder.put("path.home", createTempDir());
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/ldap/OpenLdapTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/ldap/OpenLdapTests.java
index 031f45f7588..6d7fe30eaa7 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/ldap/OpenLdapTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/ldap/OpenLdapTests.java
@@ -45,8 +45,8 @@ public class OpenLdapTests extends ESTestCase {
 * verification tests since a re-established connection does not perform hostname verification.
 */
 clientSSLService = new ClientSSLService(Settings.builder()
- .put("shield.ssl.keystore.path", keystore)
- .put("shield.ssl.keystore.password", "changeit")
+ .put("xpack.security.ssl.keystore.path", keystore)
+ .put("xpack.security.ssl.keystore.password", "changeit")
 .build());
 clientSSLService.setEnvironment(env);
 globalSettings = Settings.builder().put("path.home", createTempDir()).build();
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/ldap/SearchGroupsResolverTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/ldap/SearchGroupsResolverTests.java
index 96118c966ab..ccd4d952c3b 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/ldap/SearchGroupsResolverTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/ldap/SearchGroupsResolverTests.java
@@ -43,8 +43,8 @@ public class SearchGroupsResolverTests extends ESTestCase {
 Path keystore = getDataPath("../ldap/support/ldaptrust.jks");
 Environment env = new Environment(Settings.builder().put("path.home", createTempDir()).build());
 ClientSSLService clientSSLService = new ClientSSLService(Settings.builder()
- .put("shield.ssl.keystore.path", keystore)
- .put("shield.ssl.keystore.password", "changeit")
+ .put("xpack.security.ssl.keystore.path", keystore)
+ .put("xpack.security.ssl.keystore.password", "changeit")
 .build());
 clientSSLService.setEnvironment(env);
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/ldap/UserAttributeGroupsResolverTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/ldap/UserAttributeGroupsResolverTests.java
index 68ef6c8d825..78fe662cdf3 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/ldap/UserAttributeGroupsResolverTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/ldap/UserAttributeGroupsResolverTests.java
@@ -41,8 +41,8 @@ public class UserAttributeGroupsResolverTests extends ESTestCase {
 Environment env = new Environment(Settings.builder().put("path.home", createTempDir()).build());
 ClientSSLService clientSSLService = new ClientSSLService(Settings.builder()
- .put("shield.ssl.keystore.path", keystore)
- .put("shield.ssl.keystore.password", "changeit")
+ .put("xpack.security.ssl.keystore.path", keystore)
+ .put("xpack.security.ssl.keystore.password", "changeit")
 .build());
 clientSSLService.setEnvironment(env);
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/pki/PkiAuthenticationTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/pki/PkiAuthenticationTests.java
index aa62e055f51..b5356f37cf0 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/pki/PkiAuthenticationTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/pki/PkiAuthenticationTests.java
@@ -18,6 +18,8 @@ import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.transport.InetSocketTransportAddress;
 import org.elasticsearch.common.transport.TransportAddress;
 import org.elasticsearch.http.HttpServerTransport;
+import org.elasticsearch.shield.Security;
+import org.elasticsearch.shield.authc.file.FileRealm;
 import org.elasticsearch.shield.transport.SSLClientAuth;
 import org.elasticsearch.shield.transport.netty.ShieldNettyHttpServerTransport;
 import org.elasticsearch.test.ESIntegTestCase.ClusterScope;
@@ -52,16 +54,17 @@ public class PkiAuthenticationTests extends ShieldIntegTestCase {
 return Settings.builder()
 .put(super.nodeSettings(nodeOrdinal))
 .put(NetworkModule.HTTP_ENABLED.getKey(), true)
- .put(ShieldNettyHttpServerTransport.HTTP_SSL_SETTING, true)
- .put(ShieldNettyHttpServerTransport.HTTP_CLIENT_AUTH_SETTING, sslClientAuth)
- .put("shield.authc.realms.file.type", "file")
- .put("shield.authc.realms.file.order", "0")
- .put("shield.authc.realms.pki1.type", "pki")
- .put("shield.authc.realms.pki1.order", "1")
- .put("shield.authc.realms.pki1.truststore.path",
+
+ .put(ShieldNettyHttpServerTransport.SSL_SETTING.getKey(), true)
+ .put(ShieldNettyHttpServerTransport.CLIENT_AUTH_SETTING.getKey(), sslClientAuth)
+ .put("xpack.security.authc.realms.file.type", FileRealm.TYPE)
+ .put("xpack.security.authc.realms.file.order", "0")
+ .put("xpack.security.authc.realms.pki1.type", PkiRealm.TYPE)
+ .put("xpack.security.authc.realms.pki1.order", "1")
+ .put("xpack.security.authc.realms.pki1.truststore.path",
 getDataPath("/org/elasticsearch/shield/transport/ssl/certs/simple/truststore-testnode-only.jks"))
- .put("shield.authc.realms.pki1.truststore.password", "truststore-testnode-only")
- .put("shield.authc.realms.pki1.files.role_mapping", getDataPath("role_mapping.yml"))
+ .put("xpack.security.authc.realms.pki1.truststore.password", "truststore-testnode-only")
+ .put("xpack.security.authc.realms.pki1.files.role_mapping", getDataPath("role_mapping.yml"))
 .build();
 }
@@ -139,7 +142,7 @@ public class PkiAuthenticationTests extends ShieldIntegTestCase {
 .put(transportClientSettings())
 .put(additionalSettings)
 .put("cluster.name", internalCluster().getClusterName());
- builder.remove("shield.user");
+ builder.remove(Security.USER_SETTING.getKey());
 builder.remove("request.headers.Authorization");
 return TransportClient.builder().settings(builder).addPlugin(XPackPlugin.class).build();
 }
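Review bot: The rewritten builder chain in the `nodeSettings` hunk gains a stray empty `+` line between `.put(NetworkModule.HTTP_ENABLED.getKey(), true)` and `.put(ShieldNettyHttpServerTransport.SSL_SETTING.getKey(), true)`, which is why the new side is one line longer than the old (16 to 17) although the number of settings is unchanged; drop it so the fluent chain stays contiguous. This hunk is also the only PKI test that names the realm types through `FileRealm.TYPE` and `PkiRealm.TYPE`, while the parallel `nodeSettings` hunks in PkiOptionalClientAuthTests, PkiWithoutClientAuthenticationTests and PkiWithoutSSLTests keep the literals `"file"` and `"pki"`; either all four should use the constants or this one should not, since the point of the commit is to stop pinning setting values as loose strings. The `nodeSettings` method begins before the hunk.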
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/pki/PkiOptionalClientAuthTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/pki/PkiOptionalClientAuthTests.java
index fc28a541bb6..4e983854641 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/pki/PkiOptionalClientAuthTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/pki/PkiOptionalClientAuthTests.java
@@ -12,10 +12,12 @@ import org.elasticsearch.common.network.NetworkModule;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.transport.InetSocketTransportAddress;
 import org.elasticsearch.http.HttpServerTransport;
+import org.elasticsearch.shield.Security;
 import org.elasticsearch.shield.authc.support.SecuredString;
 import org.elasticsearch.shield.authc.support.UsernamePasswordToken;
 import org.elasticsearch.shield.transport.SSLClientAuth;
 import org.elasticsearch.shield.transport.netty.ShieldNettyHttpServerTransport;
+import org.elasticsearch.shield.transport.netty.ShieldNettyTransport;
 import org.elasticsearch.test.ShieldIntegTestCase;
 import org.elasticsearch.test.ShieldSettingsSource;
 import org.elasticsearch.test.rest.client.http.HttpRequestBuilder;
@@ -54,19 +56,19 @@ public class PkiOptionalClientAuthTests extends ShieldIntegTestCase {
 return Settings.builder()
 .put(super.nodeSettings(nodeOrdinal))
 .put(NetworkModule.HTTP_ENABLED.getKey(), true)
- .put(ShieldNettyHttpServerTransport.HTTP_SSL_SETTING, true)
- .put(ShieldNettyHttpServerTransport.HTTP_CLIENT_AUTH_SETTING, SSLClientAuth.OPTIONAL)
- .put("shield.authc.realms.file.type", "file")
- .put("shield.authc.realms.file.order", "0")
- .put("shield.authc.realms.pki1.type", "pki")
- .put("shield.authc.realms.pki1.order", "1")
- .put("shield.authc.realms.pki1.truststore.path",
+ .put(ShieldNettyHttpServerTransport.SSL_SETTING.getKey(), true)
+ .put(ShieldNettyHttpServerTransport.CLIENT_AUTH_SETTING.getKey(), SSLClientAuth.OPTIONAL)
+ .put("xpack.security.authc.realms.file.type", "file")
+ .put("xpack.security.authc.realms.file.order", "0")
+ .put("xpack.security.authc.realms.pki1.type", "pki")
+ .put("xpack.security.authc.realms.pki1.order", "1")
+ .put("xpack.security.authc.realms.pki1.truststore.path",
 getDataPath("/org/elasticsearch/shield/transport/ssl/certs/simple/truststore-testnode-only.jks"))
- .put("shield.authc.realms.pki1.truststore.password", "truststore-testnode-only")
- .put("shield.authc.realms.pki1.files.role_mapping", getDataPath("role_mapping.yml"))
+ .put("xpack.security.authc.realms.pki1.truststore.password", "truststore-testnode-only")
+ .put("xpack.security.authc.realms.pki1.files.role_mapping", getDataPath("role_mapping.yml"))
 .put("transport.profiles.want_client_auth.port", randomClientPortRange)
 .put("transport.profiles.want_client_auth.bind_host", "localhost")
- .put("transport.profiles.want_client_auth.shield.ssl.client.auth", SSLClientAuth.OPTIONAL)
+ .put("transport.profiles.want_client_auth.xpack.security.ssl.client.auth", SSLClientAuth.OPTIONAL)
 .build();
 }
@@ -105,9 +107,9 @@ public class PkiOptionalClientAuthTests extends ShieldIntegTestCase {
 ("/org/elasticsearch/shield/transport/ssl/certs/simple/truststore-testnode-only.jks", "truststore-testnode-only");
 Settings settings = Settings.builder()
 .put(sslSettingsForStore)
- .put("shield.user", DEFAULT_USER_NAME + ":" + DEFAULT_PASSWORD)
+ .put(Security.USER_SETTING.getKey(), DEFAULT_USER_NAME + ":" + DEFAULT_PASSWORD)
 .put("cluster.name", internalCluster().getClusterName())
- .put("shield.transport.ssl", true)
+ .put(ShieldNettyTransport.SSL_SETTING.getKey(), true)
 .build();
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/pki/PkiWithoutClientAuthenticationTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/pki/PkiWithoutClientAuthenticationTests.java
index 4f8c027cbbc..bd6c7fc5b94 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/pki/PkiWithoutClientAuthenticationTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/pki/PkiWithoutClientAuthenticationTests.java
@@ -62,12 +62,12 @@ public class PkiWithoutClientAuthenticationTests extends ShieldIntegTestCase {
 return Settings.builder()
 .put(super.nodeSettings(nodeOrdinal))
 .put(NetworkModule.HTTP_ENABLED.getKey(), true)
- .put(ShieldNettyTransport.TRANSPORT_CLIENT_AUTH_SETTING, false)
- .put(ShieldNettyHttpServerTransport.HTTP_SSL_SETTING, true)
- .put(ShieldNettyHttpServerTransport.HTTP_CLIENT_AUTH_SETTING, randomFrom(SSLClientAuth.NO.name(), false, "false", "FALSE",
- SSLClientAuth.NO.name().toLowerCase(Locale.ROOT)))
- .put("shield.authc.realms.pki1.type", "pki")
- .put("shield.authc.realms.pki1.order", "0")
+ .put(ShieldNettyTransport.CLIENT_AUTH_SETTING.getKey(), false)
+ .put(ShieldNettyHttpServerTransport.SSL_SETTING.getKey(), true)
+ .put(ShieldNettyHttpServerTransport.CLIENT_AUTH_SETTING.getKey(),
+ randomFrom(SSLClientAuth.NO.name(), false, "false", "FALSE", SSLClientAuth.NO.name().toLowerCase(Locale.ROOT)))
+ .put("xpack.security.authc.realms.pki1.type", "pki")
+ .put("xpack.security.authc.realms.pki1.order", "0")
 .build();
 }
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/pki/PkiWithoutSSLTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/pki/PkiWithoutSSLTests.java
index bf6ac7ba96f..e1e6d933bc1 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/pki/PkiWithoutSSLTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/pki/PkiWithoutSSLTests.java
@@ -33,8 +33,8 @@ public class PkiWithoutSSLTests extends ShieldIntegTestCase {
 return Settings.builder()
 .put(super.nodeSettings(nodeOrdinal))
 .put(NetworkModule.HTTP_ENABLED.getKey(), true)
- .put("shield.authc.realms.pki1.type", "pki")
- .put("shield.authc.realms.pki1.order", "0")
+ .put("xpack.security.authc.realms.pki1.type", "pki")
+ .put("xpack.security.authc.realms.pki1.order", "0")
 .build();
 }
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/InternalAuthorizationServiceTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/InternalAuthorizationServiceTests.java
index ad05d5b3d5c..e9e1323c755 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/InternalAuthorizationServiceTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/InternalAuthorizationServiceTests.java
@@ -342,7 +342,8 @@ public class InternalAuthorizationServiceTests extends ESTestCase {
 public void testDenialForAnonymousUser() {
 TransportRequest request = new IndicesExistsRequest("b");
 ClusterState state = mock(ClusterState.class);
- AnonymousService anonymousService = new AnonymousService(Settings.builder().put("shield.authc.anonymous.roles", "a_all").build());
+ AnonymousService anonymousService =
+ new AnonymousService(Settings.builder().put(AnonymousService.ROLES_SETTING.getKey(), "a_all").build());
 internalAuthorizationService = new InternalAuthorizationService(Settings.EMPTY, rolesStore, clusterService, auditTrail, anonymousService, new DefaultAuthenticationFailureHandler(), threadPool);
@@ -367,8 +368,8 @@ public class InternalAuthorizationServiceTests extends ESTestCase {
 TransportRequest request = new IndicesExistsRequest("b");
 ClusterState state = mock(ClusterState.class);
 AnonymousService anonymousService = new AnonymousService(Settings.builder()
- .put("shield.authc.anonymous.roles", "a_all")
- .put(AnonymousService.SETTING_AUTHORIZATION_EXCEPTION_ENABLED, false)
+ .put(AnonymousService.ROLES_SETTING.getKey(), "a_all")
+ .put(AnonymousService.SETTING_AUTHORIZATION_EXCEPTION_ENABLED.getKey(), false)
 .build());
 internalAuthorizationService = new InternalAuthorizationService(Settings.EMPTY, rolesStore, clusterService, auditTrail, anonymousService, new DefaultAuthenticationFailureHandler(), threadPool);
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/store/FileRolesStoreTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/store/FileRolesStoreTests.java
index 7a3e498b624..ac1942a140e 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/store/FileRolesStoreTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/store/FileRolesStoreTests.java
@@ -7,7 +7,7 @@ package org.elasticsearch.shield.authz.store;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.env.Environment;
-import org.elasticsearch.shield.Shield;
+import org.elasticsearch.shield.Security;
 import org.elasticsearch.shield.audit.logfile.CapturingLogger;
 import org.elasticsearch.shield.authc.support.RefreshListener;
 import org.elasticsearch.shield.authz.permission.ClusterPermission;
@@ -54,7 +54,7 @@ public class FileRolesStoreTests extends ESTestCase {
 public void testParseFile() throws Exception {
 Path path = getDataPath("roles.yml");
 Map roles = FileRolesStore.parseFile(path, logger, Settings.builder()
- .put(XPackPlugin.featureEnabledSetting(Shield.DLS_FLS_FEATURE), true)
+ .put(XPackPlugin.featureEnabledSetting(Security.DLS_FLS_FEATURE), true)
 .build());
 assertThat(roles, notNullValue());
 assertThat(roles.size(), is(9));
@@ -207,7 +207,7 @@ public class FileRolesStoreTests extends ESTestCase {
 Path path = getDataPath("roles.yml");
 CapturingLogger logger = new CapturingLogger(CapturingLogger.Level.ERROR);
 Map roles = FileRolesStore.parseFile(path, logger, Settings.builder()
- .put(XPackPlugin.featureEnabledSetting(Shield.DLS_FLS_FEATURE), false)
+ .put(XPackPlugin.featureEnabledSetting(Security.DLS_FLS_FEATURE), false)
 .build());
 assertThat(roles, notNullValue());
 assertThat(roles.size(), is(6));
@@ -257,7 +257,7 @@ public class FileRolesStoreTests extends ESTestCase {
 Settings settings = Settings.builder()
 .put("resource.reload.interval.high", "500ms")
- .put("shield.authz.store.files.roles", tmp.toAbsolutePath())
+ .put(FileRolesStore.ROLES_FILE_SETTING.getKey(), tmp.toAbsolutePath())
 .put("path.home", createTempDir())
 .build();
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/crypto/InternalCryptoServiceTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/crypto/InternalCryptoServiceTests.java
index 705a41a4ad6..d97d5fcf095 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/crypto/InternalCryptoServiceTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/crypto/InternalCryptoServiceTests.java
@@ -48,7 +48,7 @@ public class InternalCryptoServiceTests extends ESTestCase {
 keyFile = createTempDir().resolve("system_key");
 Files.write(keyFile, InternalCryptoService.generateKey());
 settings = Settings.builder()
- .put("shield.system_key.file", keyFile.toAbsolutePath())
+ .put(InternalCryptoService.FILE_SETTING.getKey(), keyFile.toAbsolutePath())
 .put("resource.reload.interval.high", "2s")
 .put("path.home", createTempDir())
 .build();
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/crypto/tool/SystemKeyToolTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/crypto/tool/SystemKeyToolTests.java
index 1fb778c7323..8065e097250 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/crypto/tool/SystemKeyToolTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/crypto/tool/SystemKeyToolTests.java
@@ -64,7 +64,7 @@ public class SystemKeyToolTests extends CommandTestCase {
 Path path = jimfs.getPath(randomAsciiOfLength(10)).resolve("key");
 Files.createDirectories(path.getParent());
- settingsBuilder.put("shield.system_key.file", path.toAbsolutePath().toString());
+ settingsBuilder.put(InternalCryptoService.FILE_SETTING.getKey(), path.toAbsolutePath().toString());
 execute();
 byte[] bytes = Files.readAllBytes(path);
 assertEquals(InternalCryptoService.KEY_SIZE / 8, bytes.length);
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/rest/action/RestAuthenticateActionTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/rest/action/RestAuthenticateActionTests.java
index 97b4051c95f..3778d015f37 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/rest/action/RestAuthenticateActionTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/rest/action/RestAuthenticateActionTests.java
@@ -8,6 +8,7 @@ package org.elasticsearch.shield.rest.action;
 import org.elasticsearch.common.network.NetworkModule;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.node.Node;
+import org.elasticsearch.shield.authc.AnonymousService;
 import org.elasticsearch.shield.authc.support.SecuredString;
 import org.elasticsearch.test.ShieldIntegTestCase;
 import org.elasticsearch.test.ShieldSettingsSource;
@@ -38,9 +39,9 @@ public class RestAuthenticateActionTests extends ShieldIntegTestCase {
 .put(NetworkModule.HTTP_ENABLED.getKey(), true);
 if (anonymousEnabled) {
- builder.put("shield.authc.anonymous.username", "anon")
- .putArray("shield.authc.anonymous.roles", ShieldSettingsSource.DEFAULT_ROLE, "foo")
- .put("shield.authc.anonymous.authz_exception", false);
+ builder.put(AnonymousService.USERNAME_SETTING.getKey(), "anon")
+ .putArray(AnonymousService.ROLES_SETTING.getKey(), ShieldSettingsSource.DEFAULT_ROLE, "foo")
+ .put(AnonymousService.SETTING_AUTHORIZATION_EXCEPTION_ENABLED.getKey(), false);
 }
 return builder.build();
 }
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ssl/ClientSSLServiceTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ssl/ClientSSLServiceTests.java
index d3a8b281896..7ab5813474b 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ssl/ClientSSLServiceTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ssl/ClientSSLServiceTests.java
@@ -52,11 +52,11 @@ public class ClientSSLServiceTests extends ESTestCase {
 public void testThatInvalidProtocolThrowsException() throws Exception {
 try {
 new ClientSSLService(settingsBuilder()
- .put("shield.ssl.protocol", "non-existing")
- .put("shield.ssl.keystore.path", testclientStore)
- .put("shield.ssl.keystore.password", "testclient")
- .put("shield.ssl.truststore.path", testclientStore)
- .put("shield.ssl.truststore.password", "testclient")
+ .put("xpack.security.ssl.protocol", "non-existing")
+ .put("xpack.security.ssl.keystore.path", testclientStore)
+ .put("xpack.security.ssl.keystore.password", "testclient")
+ .put("xpack.security.ssl.truststore.path", testclientStore)
+ .put("xpack.security.ssl.truststore.password", "testclient")
 .build()).createSSLEngine();
 fail("expected an exception");
 } catch (ElasticsearchException e) {
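Review bot: In the ClientSSLServiceTests hunk the SSL setting keys are still pinned as repeated string literals (`"xpack.security.ssl.protocol"`, `"xpack.security.ssl.keystore.path"`, `"xpack.security.ssl.keystore.password"`, and so on), whereas the rest of the commit moves tests onto `Setting` constants via `getKey()` (`Security.USER_SETTING`, `AnonymousService.ROLES_SETTING`, `InternalCryptoService.FILE_SETTING`); the same applies to every later ClientSSLServiceTests hunk and to the SSLSettingsTests and ServerSSLServiceTests hunks. This matters more than style here: tests such as `testThatInvalidProtocolThrowsException`, `testThatTruststorePasswordIsRequired` and `testThatKeystorePasswordIsRequired` only assert that an exception is thrown, so if a key string drifts from what the service actually parses they may keep passing for the wrong reason (an unconfigured service failing instead of the intended misconfiguration) without anyone noticing. If `SSLSettings` or `SSLSettings.Globals` exposes the corresponding `Setting` objects — the commit already reaches into `SSLSettings.Globals.DEFAULT_CIPHERS` — the tests should reference them through `getKey()`; if not, a single test-local constant per key (constructed example: `private static final String KEYSTORE_PATH_KEY = "xpack.security.ssl.keystore.path";`) would at least give the next rename one place to change.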
@@ -68,8 +68,8 @@ public class ClientSSLServiceTests extends ESTestCase {
 Path testnodeStore = getDataPath("/org/elasticsearch/shield/transport/ssl/certs/simple/testnode.jks");
 ClientSSLService sslService = createClientSSLService(settingsBuilder()
- .put("shield.ssl.keystore.path", testclientStore)
- .put("shield.ssl.keystore.password", "testclient")
+ .put("xpack.security.ssl.keystore.path", testclientStore)
+ .put("xpack.security.ssl.keystore.password", "testclient")
 .build());
 Settings.Builder settingsBuilder = settingsBuilder()
@@ -85,8 +85,8 @@ public class ClientSSLServiceTests extends ESTestCase {
 public void testThatSslContextCachingWorks() throws Exception {
 ClientSSLService sslService = createClientSSLService(settingsBuilder()
- .put("shield.ssl.keystore.path", testclientStore)
- .put("shield.ssl.keystore.password", "testclient")
+ .put("xpack.security.ssl.keystore.path", testclientStore)
+ .put("xpack.security.ssl.keystore.password", "testclient")
 .build());
 SSLContext sslContext = sslService.sslContext();
@@ -98,9 +98,9 @@ public class ClientSSLServiceTests extends ESTestCase {
 public void testThatKeyStoreAndKeyCanHaveDifferentPasswords() throws Exception {
 Path differentPasswordsStore = getDataPath("/org/elasticsearch/shield/transport/ssl/certs/simple/testnode-different-passwords.jks");
 createClientSSLService(settingsBuilder()
- .put("shield.ssl.keystore.path", differentPasswordsStore)
- .put("shield.ssl.keystore.password", "testnode")
- .put("shield.ssl.keystore.key_password", "testnode1")
+ .put("xpack.security.ssl.keystore.path", differentPasswordsStore)
+ .put("xpack.security.ssl.keystore.password", "testnode")
+ .put("xpack.security.ssl.keystore.key_password", "testnode1")
 .build()).createSSLEngine();
 }
@@ -108,8 +108,8 @@ public class ClientSSLServiceTests extends ESTestCase {
 Path differentPasswordsStore = getDataPath("/org/elasticsearch/shield/transport/ssl/certs/simple/testnode-different-passwords.jks");
 try {
 createClientSSLService(settingsBuilder()
- .put("shield.ssl.keystore.path", differentPasswordsStore)
- .put("shield.ssl.keystore.password", "testnode")
+ .put("xpack.security.ssl.keystore.path", differentPasswordsStore)
+ .put("xpack.security.ssl.keystore.password", "testnode")
 .build()).createSSLEngine();
 fail("expected an exception");
 } catch (ElasticsearchException e) {
@@ -119,8 +119,8 @@ public class ClientSSLServiceTests extends ESTestCase {
 public void testThatSSLv3IsNotEnabled() throws Exception {
 ClientSSLService sslService = createClientSSLService(settingsBuilder()
- .put("shield.ssl.keystore.path", testclientStore)
- .put("shield.ssl.keystore.password", "testclient")
+ .put("xpack.security.ssl.keystore.path", testclientStore)
+ .put("xpack.security.ssl.keystore.password", "testclient")
 .build());
 SSLEngine engine = sslService.createSSLEngine();
 assertThat(Arrays.asList(engine.getEnabledProtocols()), not(hasItem("SSLv3")));
@@ -128,8 +128,8 @@ public class ClientSSLServiceTests extends ESTestCase {
 public void testThatSSLSessionCacheHasDefaultLimits() throws Exception {
 ClientSSLService sslService = createClientSSLService(settingsBuilder()
- .put("shield.ssl.keystore.path", testclientStore)
- .put("shield.ssl.keystore.password", "testclient")
+ .put("xpack.security.ssl.keystore.path", testclientStore)
+ .put("xpack.security.ssl.keystore.password", "testclient")
 .build());
 SSLSessionContext context = sslService.sslContext().getServerSessionContext();
 assertThat(context.getSessionCacheSize(), equalTo(1000));
@@ -138,10 +138,10 @@ public class ClientSSLServiceTests extends ESTestCase {
 public void testThatSettingSSLSessionCacheLimitsWorks() throws Exception {
 ClientSSLService sslService = createClientSSLService(settingsBuilder()
- .put("shield.ssl.keystore.path", testclientStore)
- .put("shield.ssl.keystore.password", "testclient")
- .put("shield.ssl.session.cache_size", "300")
- .put("shield.ssl.session.cache_timeout", "600s")
+ .put("xpack.security.ssl.keystore.path", testclientStore)
+ .put("xpack.security.ssl.keystore.password", "testclient")
+ .put("xpack.security.ssl.session.cache_size", "300")
+ .put("xpack.security.ssl.session.cache_timeout", "600s")
 .build());
 SSLSessionContext context = sslService.sslContext().getServerSessionContext();
 assertThat(context.getSessionCacheSize(), equalTo(300));
@@ -156,8 +156,8 @@ public class ClientSSLServiceTests extends ESTestCase {
 public void testThatCreateSSLEngineWithOnlyTruststoreWorks() throws Exception {
 ClientSSLService sslService = createClientSSLService(settingsBuilder()
- .put("shield.ssl.truststore.path", testclientStore)
- .put("shield.ssl.truststore.password", "testclient")
+ .put("xpack.security.ssl.truststore.path", testclientStore)
+ .put("xpack.security.ssl.truststore.password", "testclient")
 .build());
 SSLEngine sslEngine = sslService.createSSLEngine();
 assertThat(sslEngine, notNullValue());
@@ -165,8 +165,8 @@ public class ClientSSLServiceTests extends ESTestCase {
 public void testThatCreateSSLEngineWithOnlyKeystoreWorks() throws Exception {
 ClientSSLService sslService = createClientSSLService(settingsBuilder()
- .put("shield.ssl.keystore.path", testclientStore)
- .put("shield.ssl.keystore.password", "testclient")
+ .put("xpack.security.ssl.keystore.path", testclientStore)
+ .put("xpack.security.ssl.keystore.password", "testclient")
 .build());
 SSLEngine sslEngine = sslService.createSSLEngine();
 assertThat(sslEngine, notNullValue());
@@ -187,8 +187,8 @@ public class ClientSSLServiceTests extends ESTestCase {
 @Network
 public void testThatSSLContextWithKeystoreDoesNotTrustAllPublicCAs() throws Exception {
 ClientSSLService sslService = createClientSSLService(settingsBuilder()
- .put("shield.ssl.keystore.path", testclientStore)
- .put("shield.ssl.keystore.password", "testclient")
+ .put("xpack.security.ssl.keystore.path", testclientStore)
+ .put("xpack.security.ssl.keystore.password", "testclient")
 .build());
 SSLContext sslContext = sslService.sslContext();
 try (CloseableHttpClient client = HttpClients.custom().setSslcontext(sslContext).build()) {
@@ -204,7 +204,7 @@ public class ClientSSLServiceTests extends ESTestCase {
 public void testThatTruststorePasswordIsRequired() throws Exception {
 ClientSSLService sslService = createClientSSLService(settingsBuilder()
- .put("shield.ssl.truststore.path", testclientStore)
+ .put("xpack.security.ssl.truststore.path", testclientStore)
 .build());
 try {
 sslService.sslContext();
@@ -216,7 +216,7 @@ public class ClientSSLServiceTests extends ESTestCase {
 public void testThatKeystorePasswordIsRequired() throws Exception {
 ClientSSLService sslService = createClientSSLService(settingsBuilder()
- .put("shield.ssl.keystore.path", testclientStore)
+ .put("xpack.security.ssl.keystore.path", testclientStore)
 .build());
 try {
 sslService.sslContext();
@@ -227,11 +227,11 @@ public class ClientSSLServiceTests extends ESTestCase {
 }
 public void testValidCiphersAndInvalidCiphersWork() throws Exception {
- List ciphers = new ArrayList<>(Arrays.asList(AbstractSSLService.DEFAULT_CIPHERS));
+ List ciphers = new ArrayList<>(SSLSettings.Globals.DEFAULT_CIPHERS);
 ciphers.add("foo");
 ciphers.add("bar");
 ClientSSLService sslService = createClientSSLService(settingsBuilder()
- .putArray("shield.ssl.ciphers", ciphers.toArray(new String[ciphers.size()]))
+ .putArray("xpack.security.ssl.ciphers", ciphers.toArray(new String[ciphers.size()]))
 .build());
 SSLEngine engine = sslService.createSSLEngine();
 assertThat(engine, is(notNullValue()));
@@ -241,7 +241,7 @@ public class ClientSSLServiceTests extends ESTestCase {
 public void testInvalidCiphersOnlyThrowsException() throws Exception {
 ClientSSLService sslService = createClientSSLService(settingsBuilder()
- .putArray("shield.ssl.ciphers", new String[] { "foo", "bar" })
+ .putArray("xpack.security.ssl.ciphers", new String[] { "foo", "bar" })
 .build());
 try {
 sslService.createSSLEngine();
@@ -253,8 +253,8 @@ public class ClientSSLServiceTests extends ESTestCase {
 public void testThatSSLSocketFactoryHasProperCiphersAndProtocols() throws Exception {
 ClientSSLService sslService = createClientSSLService(settingsBuilder()
- .put("shield.ssl.keystore.path", testclientStore)
- .put("shield.ssl.keystore.password", "testclient")
+ .put("xpack.security.ssl.keystore.path", testclientStore)
+ .put("xpack.security.ssl.keystore.password", "testclient")
 .build());
 SSLSocketFactory factory = sslService.sslSocketFactory();
 final String[] ciphers = sslService.supportedCiphers(factory.getSupportedCipherSuites(), sslService.ciphers());
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ssl/SSLSettingsTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ssl/SSLSettingsTests.java
index 7bc330e443b..42b8999c7d4 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ssl/SSLSettingsTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ssl/SSLSettingsTests.java
@@ -7,7 +7,6 @@ package org.elasticsearch.shield.ssl;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.unit.TimeValue;
-import org.elasticsearch.shield.ssl.AbstractSSLService.SSLSettings;
 import org.elasticsearch.test.ESTestCase;
 import javax.net.ssl.KeyManagerFactory;
@@ -22,22 +21,22 @@ import static org.hamcrest.Matchers.nullValue;
 public class SSLSettingsTests extends ESTestCase {
 public void testThatSSLSettingsWithEmptySettingsHaveCorrectDefaults() {
 SSLSettings sslSettings = new SSLSettings(Settings.EMPTY, Settings.EMPTY);
- assertThat(sslSettings.keyStorePath, is(nullValue()));
- assertThat(sslSettings.keyStorePassword, is(nullValue()));
- assertThat(sslSettings.keyPassword, is(nullValue()));
+ assertThat(sslSettings.keyStorePath, nullValue());
+ assertThat(sslSettings.keyStorePassword, nullValue());
+ assertThat(sslSettings.keyPassword, nullValue());
 assertThat(sslSettings.keyStoreAlgorithm, is(equalTo(KeyManagerFactory.getDefaultAlgorithm())));
- assertThat(sslSettings.sessionCacheSize, is(equalTo(AbstractSSLService.DEFAULT_SESSION_CACHE_SIZE)));
- assertThat(sslSettings.sessionCacheTimeout, is(equalTo(AbstractSSLService.DEFAULT_SESSION_CACHE_TIMEOUT)));
- assertThat(sslSettings.sslProtocol, is(equalTo(AbstractSSLService.DEFAULT_PROTOCOL)));
+ assertThat(sslSettings.sessionCacheSize, is(equalTo(SSLSettings.Globals.DEFAULT_SESSION_CACHE_SIZE)));
+ assertThat(sslSettings.sessionCacheTimeout, is(equalTo(SSLSettings.Globals.DEFAULT_SESSION_CACHE_TIMEOUT)));
+ assertThat(sslSettings.sslProtocol, is(equalTo(SSLSettings.Globals.DEFAULT_PROTOCOL)));
 assertThat(sslSettings.trustStoreAlgorithm, is(equalTo(TrustManagerFactory.getDefaultAlgorithm())));
- assertThat(sslSettings.trustStorePassword, is(nullValue()));
- assertThat(sslSettings.trustStorePath, is(nullValue()));
+ assertThat(sslSettings.trustStorePassword, nullValue());
+ assertThat(sslSettings.trustStorePath, nullValue());
 }
 public void testThatOnlyKeystoreInSettingsSetsTruststoreSettings() {
 Settings settings = settingsBuilder()
- .put("shield.ssl.keystore.path", "path")
- .put("shield.ssl.keystore.password", "password")
+ .put("xpack.security.ssl.keystore.path", "path")
+ .put("xpack.security.ssl.keystore.password", "password")
 .build();
 // Pass settings in as component settings
 SSLSettings sslSettings = new SSLSettings(Settings.EMPTY, settings);
@@ -60,7 +59,7 @@ public class SSLSettingsTests extends ESTestCase {
 public void testThatKeystorePasswordIsDefaultKeyPassword() {
 Settings settings = settingsBuilder()
- .put("shield.ssl.keystore.password", "password")
+ .put("xpack.security.ssl.keystore.password", "password")
 .build();
 // Pass settings in as component settings
 SSLSettings sslSettings = new SSLSettings(Settings.EMPTY, settings);
@@ -76,8 +75,8 @@ public class SSLSettingsTests extends ESTestCase {
 public void testThatKeyPasswordCanBeSet() {
 Settings settings = settingsBuilder()
- .put("shield.ssl.keystore.password", "password")
- .put("shield.ssl.keystore.key_password", "key")
+ .put("xpack.security.ssl.keystore.password", "password")
+ .put("xpack.security.ssl.keystore.key_password", "key")
 .build();
 // Pass settings in as component settings
 SSLSettings sslSettings = new SSLSettings(Settings.EMPTY, settings);
@@ -109,16 +108,16 @@ public class SSLSettingsTests extends ESTestCase {
 .build();
 Settings serviceSettings = settingsBuilder()
- .put("shield.ssl.keystore.path", "comp path")
- .put("shield.ssl.keystore.password", "comp password")
- .put("shield.ssl.keystore.key_password", "comp key")
- .put("shield.ssl.keystore.algorithm", "comp algo")
- .put("shield.ssl.truststore.path", "comp trust path")
- .put("shield.ssl.truststore.password", "comp password for trust")
- .put("shield.ssl.truststore.algorithm", "comp trusted")
- .put("shield.ssl.protocol", "tls")
- .put("shield.ssl.session.cache_size", "7")
- .put("shield.ssl.session.cache_timeout", "20m")
+ .put("xpack.security.ssl.keystore.path", "comp path")
+ .put("xpack.security.ssl.keystore.password", "comp password")
+ .put("xpack.security.ssl.keystore.key_password", "comp key")
+ .put("xpack.security.ssl.keystore.algorithm", "comp algo")
+ .put("xpack.security.ssl.truststore.path", "comp trust path")
+ .put("xpack.security.ssl.truststore.password", "comp password for trust")
+ .put("xpack.security.ssl.truststore.algorithm", "comp trusted")
+ .put("xpack.security.ssl.protocol", "tls")
+ .put("xpack.security.ssl.session.cache_size", "7")
+ .put("xpack.security.ssl.session.cache_timeout", "20m")
 .build();
 SSLSettings sslSettings = new SSLSettings(profileSettings, serviceSettings);
@@ -145,9 +144,9 @@ public class SSLSettingsTests extends ESTestCase {
 public void testThatSettingsWithDifferentKeystoresAreNotEqual() {
 SSLSettings sslSettings = new SSLSettings(Settings.EMPTY, settingsBuilder()
- .put("shield.ssl.keystore.path", "path").build());
+ .put("xpack.security.ssl.keystore.path", "path").build());
 SSLSettings sslSettings1 = new SSLSettings(Settings.EMPTY, settingsBuilder()
- .put("shield.ssl.keystore.path", "path1").build());
+ .put("xpack.security.ssl.keystore.path", "path1").build());
 assertThat(sslSettings.equals(sslSettings1), is(equalTo(false)));
 assertThat(sslSettings1.equals(sslSettings), is(equalTo(false)));
 assertThat(sslSettings.equals(sslSettings), is(equalTo(true)));
@@ -156,9 +155,9 @@ public class SSLSettingsTests extends ESTestCase {
 public void testThatSettingsWithDifferentProtocolsAreNotEqual() {
 SSLSettings sslSettings = new SSLSettings(Settings.EMPTY, settingsBuilder()
- .put("shield.ssl.protocol", "ssl").build());
+ .put("xpack.security.ssl.protocol", "ssl").build());
 SSLSettings sslSettings1 = new SSLSettings(Settings.EMPTY, settingsBuilder()
- .put("shield.ssl.protocol", "tls").build());
+ .put("xpack.security.ssl.protocol", "tls").build());
 assertThat(sslSettings.equals(sslSettings1), is(equalTo(false)));
 assertThat(sslSettings1.equals(sslSettings), is(equalTo(false)));
 assertThat(sslSettings.equals(sslSettings), is(equalTo(true)));
@@ -167,9 +166,9 @@ public class SSLSettingsTests extends ESTestCase {
 public void testThatSettingsWithDifferentTruststoresAreNotEqual() {
 SSLSettings sslSettings = new SSLSettings(Settings.EMPTY, settingsBuilder()
- .put("shield.ssl.truststore.path", "/trust").build());
+ .put("xpack.security.ssl.truststore.path", "/trust").build());
 SSLSettings sslSettings1 = new SSLSettings(Settings.EMPTY, settingsBuilder()
- .put("shield.ssl.truststore.path", "/truststore").build());
+ .put("xpack.security.ssl.truststore.path", "/truststore").build());
 assertThat(sslSettings.equals(sslSettings1), is(equalTo(false)));
 assertThat(sslSettings1.equals(sslSettings), is(equalTo(false)));
 assertThat(sslSettings.equals(sslSettings), is(equalTo(true)));
@@ -184,25 +183,25 @@ public class SSLSettingsTests extends ESTestCase { public void testThatSettingsWithDifferentKeystoresHaveDifferentHashCode() { SSLSettings sslSettings = new SSLSettings(Settings.EMPTY, settingsBuilder() - .put("shield.ssl.keystore.path", "path").build()); + .put("xpack.security.ssl.keystore.path", "path").build()); SSLSettings sslSettings1 = new SSLSettings(Settings.EMPTY, settingsBuilder() - .put("shield.ssl.keystore.path", "path1").build()); + .put("xpack.security.ssl.keystore.path", "path1").build()); assertThat(sslSettings.hashCode(), is(not(equalTo(sslSettings1.hashCode())))); } public void testThatSettingsWithDifferentProtocolsHaveDifferentHashCode() { SSLSettings sslSettings = new SSLSettings(Settings.EMPTY, settingsBuilder() - .put("shield.ssl.protocol", "ssl").build()); + .put("xpack.security.ssl.protocol", "ssl").build()); SSLSettings sslSettings1 = new SSLSettings(Settings.EMPTY, settingsBuilder() - .put("shield.ssl.protocol", "tls").build()); + .put("xpack.security.ssl.protocol", "tls").build()); assertThat(sslSettings.hashCode(), is(not(equalTo(sslSettings1.hashCode())))); } public void testThatSettingsWithDifferentTruststoresHaveDifferentHashCode() { SSLSettings sslSettings = new SSLSettings(Settings.EMPTY, settingsBuilder() - .put("shield.ssl.truststore.path", "/trust").build()); + .put("xpack.security.ssl.truststore.path", "/trust").build()); SSLSettings sslSettings1 = new SSLSettings(Settings.EMPTY, settingsBuilder() - .put("shield.ssl.truststore.path", "/truststore").build()); + .put("xpack.security.ssl.truststore.path", "/truststore").build()); assertThat(sslSettings.hashCode(), is(not(equalTo(sslSettings1.hashCode())))); } } diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ssl/ServerSSLServiceTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ssl/ServerSSLServiceTests.java index 2eafb33b722..b6202198de5 100644 
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ssl/ServerSSLServiceTests.java +++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ssl/ServerSSLServiceTests.java @@ -45,11 +45,11 @@ public class ServerSSLServiceTests extends ESTestCase { public void testThatInvalidProtocolThrowsException() throws Exception { Settings settings = settingsBuilder() - .put("shield.ssl.protocol", "non-existing") - .put("shield.ssl.keystore.path", testnodeStore) - .put("shield.ssl.keystore.password", "testnode") - .put("shield.ssl.truststore.path", testnodeStore) - .put("shield.ssl.truststore.password", "testnode") + .put("xpack.security.ssl.protocol", "non-existing") + .put("xpack.security.ssl.keystore.path", testnodeStore) + .put("xpack.security.ssl.keystore.password", "testnode") + .put("xpack.security.ssl.truststore.path", testnodeStore) + .put("xpack.security.ssl.truststore.password", "testnode") .build(); try { new ServerSSLService(settings, env).createSSLEngine(); @@ -63,8 +63,8 @@ public class ServerSSLServiceTests extends ESTestCase { Path testClientStore = getDataPath("/org/elasticsearch/shield/transport/ssl/certs/simple/testclient.jks"); Settings settings = settingsBuilder() - .put("shield.ssl.keystore.path", testnodeStore) - .put("shield.ssl.keystore.password", "testnode") + .put("xpack.security.ssl.keystore.path", testnodeStore) + .put("xpack.security.ssl.keystore.password", "testnode") .build(); ServerSSLService sslService = new ServerSSLService(settings, env); 
@@ -81,8 +81,8 @@ public class ServerSSLServiceTests extends ESTestCase { public void testThatSslContextCachingWorks() throws Exception { ServerSSLService sslService = new ServerSSLService(settingsBuilder() - .put("shield.ssl.keystore.path", testnodeStore) - .put("shield.ssl.keystore.password", "testnode") + .put("xpack.security.ssl.keystore.path", testnodeStore) + .put("xpack.security.ssl.keystore.password", "testnode") .build(), env); SSLContext sslContext = sslService.sslContext(); @@ -94,9 +94,9 @@ public class ServerSSLServiceTests extends ESTestCase { public void testThatKeyStoreAndKeyCanHaveDifferentPasswords() throws Exception { Path differentPasswordsStore = getDataPath("/org/elasticsearch/shield/transport/ssl/certs/simple/testnode-different-passwords.jks"); new ServerSSLService(settingsBuilder() - .put("shield.ssl.keystore.path", differentPasswordsStore) - .put("shield.ssl.keystore.password", "testnode") - .put("shield.ssl.keystore.key_password", "testnode1") + .put("xpack.security.ssl.keystore.path", differentPasswordsStore) + .put("xpack.security.ssl.keystore.password", "testnode") + .put("xpack.security.ssl.keystore.key_password", "testnode1") .build(), env).createSSLEngine(); } @@ -104,8 +104,8 @@ public class ServerSSLServiceTests extends ESTestCase { Path differentPasswordsStore = getDataPath("/org/elasticsearch/shield/transport/ssl/certs/simple/testnode-different-passwords.jks"); try { new ServerSSLService(settingsBuilder() - .put("shield.ssl.keystore.path", differentPasswordsStore) - .put("shield.ssl.keystore.password", "testnode") + .put("xpack.security.ssl.keystore.path", differentPasswordsStore) + .put("xpack.security.ssl.keystore.password", "testnode") .build(), env).createSSLEngine(); fail("expected an exception"); } catch (ElasticsearchException e) { 
@@ -115,8 +115,8 @@ public class ServerSSLServiceTests extends ESTestCase { public void testThatSSLv3IsNotEnabled() throws Exception { ServerSSLService sslService = new ServerSSLService(settingsBuilder() - .put("shield.ssl.keystore.path", testnodeStore) - .put("shield.ssl.keystore.password", "testnode") + .put("xpack.security.ssl.keystore.path", testnodeStore) + .put("xpack.security.ssl.keystore.password", "testnode") .build(), env); SSLEngine engine = sslService.createSSLEngine(); assertThat(Arrays.asList(engine.getEnabledProtocols()), not(hasItem("SSLv3"))); @@ -124,8 +124,8 @@ public class ServerSSLServiceTests extends ESTestCase { public void testThatSSLSessionCacheHasDefaultLimits() throws Exception { ServerSSLService sslService = new ServerSSLService(settingsBuilder() - .put("shield.ssl.keystore.path", testnodeStore) - .put("shield.ssl.keystore.password", "testnode") + .put("xpack.security.ssl.keystore.path", testnodeStore) + .put("xpack.security.ssl.keystore.password", "testnode") .build(), env); SSLSessionContext context = sslService.sslContext().getServerSessionContext(); assertThat(context.getSessionCacheSize(), equalTo(1000)); @@ -134,10 +134,10 @@ public class ServerSSLServiceTests extends ESTestCase { public void testThatSettingSSLSessionCacheLimitsWorks() throws Exception { ServerSSLService sslService = new ServerSSLService(settingsBuilder() - .put("shield.ssl.keystore.path", testnodeStore) - .put("shield.ssl.keystore.password", "testnode") - .put("shield.ssl.session.cache_size", "300") - .put("shield.ssl.session.cache_timeout", "600s") + .put("xpack.security.ssl.keystore.path", testnodeStore) + .put("xpack.security.ssl.keystore.password", "testnode") + .put("xpack.security.ssl.session.cache_size", "300") + .put("xpack.security.ssl.session.cache_timeout", "600s") .build(), env); SSLSessionContext context = sslService.sslContext().getServerSessionContext(); assertThat(context.getSessionCacheSize(), equalTo(300)); 
@@ -156,8 +156,8 @@ public class ServerSSLServiceTests extends ESTestCase { public void testThatCreateSSLEngineWithOnlyTruststoreDoesNotWork() throws Exception { ServerSSLService sslService = new ServerSSLService(settingsBuilder() - .put("shield.ssl.truststore.path", testnodeStore) - .put("shield.ssl.truststore.password", "testnode") + .put("xpack.security.ssl.truststore.path", testnodeStore) + .put("xpack.security.ssl.truststore.password", "testnode") .build(), env); try { sslService.createSSLEngine(); @@ -169,9 +169,9 @@ public class ServerSSLServiceTests extends ESTestCase { public void testThatTruststorePasswordIsRequired() throws Exception { ServerSSLService sslService = new ServerSSLService(settingsBuilder() - .put("shield.ssl.keystore.path", testnodeStore) - .put("shield.ssl.keystore.password", "testnode") - .put("shield.ssl.truststore.path", testnodeStore) + .put("xpack.security.ssl.keystore.path", testnodeStore) + .put("xpack.security.ssl.keystore.password", "testnode") + .put("xpack.security.ssl.truststore.path", testnodeStore) .build(), env); try { sslService.sslContext(); @@ -183,7 +183,7 @@ public class ServerSSLServiceTests extends ESTestCase { public void testThatKeystorePasswordIsRequired() throws Exception { ServerSSLService sslService = new ServerSSLService(settingsBuilder() - .put("shield.ssl.keystore.path", testnodeStore) + .put("xpack.security.ssl.keystore.path", testnodeStore) .build(), env); try { sslService.sslContext(); 
@@ -194,13 +194,13 @@ public class ServerSSLServiceTests extends ESTestCase {
 }
 public void testCiphersAndInvalidCiphersWork() throws Exception {
- List ciphers = new ArrayList<>(Arrays.asList(AbstractSSLService.DEFAULT_CIPHERS));
+ List ciphers = new ArrayList<>(SSLSettings.Globals.DEFAULT_CIPHERS);
 ciphers.add("foo");
 ciphers.add("bar");
 ServerSSLService sslService = new ServerSSLService(settingsBuilder()
- .put("shield.ssl.keystore.path", testnodeStore)
- .put("shield.ssl.keystore.password", "testnode")
- .putArray("shield.ssl.ciphers", ciphers.toArray(new String[ciphers.size()]))
+ .put("xpack.security.ssl.keystore.path", testnodeStore)
+ .put("xpack.security.ssl.keystore.password", "testnode")
+ .putArray("xpack.security.ssl.ciphers", ciphers.toArray(new String[ciphers.size()]))
 .build(), env);
 SSLEngine engine = sslService.createSSLEngine();
 assertThat(engine, is(notNullValue()));
@@ -210,9 +210,9 @@ public class ServerSSLServiceTests extends ESTestCase {
 public void testInvalidCiphersOnlyThrowsException() throws Exception {
 ServerSSLService sslService = new ServerSSLService(settingsBuilder()
- .put("shield.ssl.keystore.path", testnodeStore)
- .put("shield.ssl.keystore.password", "testnode")
- .putArray("shield.ssl.ciphers", new String[] { "foo", "bar" })
+ .put("xpack.security.ssl.keystore.path", testnodeStore)
+ .put("xpack.security.ssl.keystore.password", "testnode")
+ .putArray("xpack.security.ssl.ciphers", new String[] { "foo", "bar" })
 .build(), env);
 try {
 sslService.createSSLEngine();
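Review bot: `List ciphers = new ArrayList<>(SSLSettings.Globals.DEFAULT_CIPHERS);` keeps the raw `List` type on a line this commit already rewrites, so the following `ciphers.add("foo")` compiles only with an unchecked-call warning. Since the line is being touched anyway, `List<String> ciphers = new ArrayList<>(SSLSettings.Globals.DEFAULT_CIPHERS);` would type it; this assumes `DEFAULT_CIPHERS` is a `Collection<String>`, which the later `ciphers.toArray(new String[ciphers.size()])` call implies but the hunk does not show.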
@@ -224,8 +224,8 @@ public class ServerSSLServiceTests extends ESTestCase {
 public void testThatSSLSocketFactoryHasProperCiphersAndProtocols() throws Exception {
 ServerSSLService sslService = new ServerSSLService(settingsBuilder()
- .put("shield.ssl.keystore.path", testnodeStore)
- .put("shield.ssl.keystore.password", "testnode")
+ .put("xpack.security.ssl.keystore.path", testnodeStore)
+ .put("xpack.security.ssl.keystore.password", "testnode")
 .build(), env);
 SSLSocketFactory factory = sslService.sslSocketFactory();
 final String[] ciphers = sslService.supportedCiphers(factory.getSupportedCipherSuites(), sslService.ciphers());
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/support/ValidationTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/support/ValidationTests.java
index a3b58547942..6c501e1b966 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/support/ValidationTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/support/ValidationTests.java
@@ -47,13 +47,13 @@ public class ValidationTests extends ESTestCase {
 return newArray;
 }
- public void testESUsersValidateUsername() throws Exception {
+ public void testUsersValidateUsername() throws Exception {
 int length = randomIntBetween(1, 30);
 String name = new String(generateValidName(length));
 assertThat(Users.validateUsername(name), nullValue());
 }
- public void testESUsersValidateUsernameInvalidLength() throws Exception {
+ public void testUsersValidateUsernameInvalidLength() throws Exception {
 int length = frequently() ? randomIntBetween(31, 200) : 0; // invalid length
 char[] name = new char[length];
 if (length > 0) {
@@ -62,13 +62,13 @@ public class ValidationTests extends ESTestCase {
 assertThat(Users.validateUsername(new String(name)), notNullValue());
 }
- public void testESUsersValidateUsernameInvalidCharacters() throws Exception {
+ public void testUsersValidateUsernameInvalidCharacters() throws Exception {
 int length = randomIntBetween(1, 30); // valid length
 String name = new String(generateInvalidName(length));
 assertThat(Users.validateUsername(name), notNullValue());
 }
- public void testESUsersValidatePassword() throws Exception {
+ public void testUsersValidatePassword() throws Exception {
 String passwd = randomAsciiOfLength(randomIntBetween(0, 20));
 logger.info("{}[{}]", passwd, passwd.length());
 if (passwd.length() >= 6) {
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/test/ShieldAssertions.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/test/ShieldAssertions.java
index 374191dbed6..d7c311e12b4 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/test/ShieldAssertions.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/test/ShieldAssertions.java
@@ -7,7 +7,7 @@ package org.elasticsearch.shield.test;
 import org.elasticsearch.ElasticsearchSecurityException;
 import org.elasticsearch.rest.RestStatus;
-import org.elasticsearch.shield.Shield;
+import org.elasticsearch.shield.Security;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.contains;
@@ -21,6 +21,6 @@ public class ShieldAssertions {
 assertThat(e.status(), is(RestStatus.UNAUTHORIZED));
 assertThat(e.getHeaderKeys(), hasSize(1));
 assertThat(e.getHeader("WWW-Authenticate"), notNullValue());
- assertThat(e.getHeader("WWW-Authenticate"), contains("Basic realm=\"" + Shield.NAME + "\""));
+ assertThat(e.getHeader("WWW-Authenticate"), contains("Basic realm=\"" + Security.NAME + "\""));
 }
 }
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/ServerTransportFilterIntegrationTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/ServerTransportFilterIntegrationTests.java
index 15f6636748d..5df0d33e67b 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/ServerTransportFilterIntegrationTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/ServerTransportFilterIntegrationTests.java
@@ -16,7 +16,10 @@ import org.elasticsearch.discovery.MasterNotDiscoveredException;
 import org.elasticsearch.node.MockNode;
 import org.elasticsearch.node.Node;
 import org.elasticsearch.shield.authc.file.FileRealm;
+import org.elasticsearch.shield.Security;
+import org.elasticsearch.shield.authz.store.FileRolesStore;
 import org.elasticsearch.shield.crypto.InternalCryptoService;
+import org.elasticsearch.shield.transport.netty.ShieldNettyTransport;
 import org.elasticsearch.test.ShieldIntegTestCase;
 import org.elasticsearch.transport.Transport;
 import org.elasticsearch.xpack.XPackPlugin;
@@ -65,7 +68,7 @@ public class ServerTransportFilterIntegrationTests extends ShieldIntegTestCase {
 if (sslTransportEnabled()) {
 settingsBuilder.put("transport.profiles.client.shield.truststore.path", store) // settings for client truststore
 .put("transport.profiles.client.shield.truststore.password", "testnode")
- .put("shield.transport.ssl", true);
+ .put(ShieldNettyTransport.SSL_SETTING.getKey(), true);
 }
 return settingsBuilder
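Review bot: The two context lines above the change still use `transport.profiles.client.shield.truststore.path` and `...shield.truststore.password`, while every other profile-scoped key in this diff moves to `transport.profiles.client.xpack.security.*` (see the filter keys in IPFilterTests and IpFilteringUpdateTests). If the profile SSL namespace was renamed along with the filter namespace, these two keys become unread and the client profile silently falls back to the node-wide keystore/truststore, so the test would pass without exercising a per-profile truststore at all. Please confirm the profile SSL key prefix; if it did move, the lines should become `.put("transport.profiles.client.xpack.security.truststore.path", store)` and `.put("transport.profiles.client.xpack.security.truststore.password", "testnode")`. The enclosing settings method starts outside the hunk.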
@@ -75,13 +78,13 @@ public class ServerTransportFilterIntegrationTests extends ShieldIntegTestCase { .put("transport.profiles.client.port", randomClientPortRange) // make sure this is "localhost", no matter if ipv4 or ipv6, but be consistent .put("transport.profiles.client.bind_host", "localhost") - .put("shield.audit.enabled", false) + .put("xpack.security.audit.enabled", false) .build(); } public void testThatConnectionToServerTypeConnectionWorks() throws IOException { Settings dataNodeSettings = internalCluster().getDataNodeInstance(Settings.class); - String systemKeyFile = dataNodeSettings.get(InternalCryptoService.FILE_SETTING); + String systemKeyFile = InternalCryptoService.FILE_SETTING.get(dataNodeSettings); Transport transport = internalCluster().getDataNodeInstance(Transport.class); TransportAddress transportAddress = transport.boundAddress().publishAddress(); @@ -97,11 +100,11 @@ public class ServerTransportFilterIntegrationTests extends ShieldIntegTestCase { .put("network.host", "localhost") .put("cluster.name", internalCluster().getClusterName()) .put("discovery.zen.ping.unicast.hosts", unicastHost) - .put("shield.transport.ssl", sslTransportEnabled()) - .put("shield.audit.enabled", false) + .put(ShieldNettyTransport.SSL_SETTING.getKey(), sslTransportEnabled()) + .put("xpack.security.audit.enabled", false) .put("path.home", createTempDir()) .put(NetworkModule.HTTP_ENABLED.getKey(), false) - .put(InternalCryptoService.FILE_SETTING, systemKeyFile) + .put(InternalCryptoService.FILE_SETTING.getKey(), systemKeyFile) .build(); try (Node node = new MockNode(nodeSettings, Version.CURRENT, Collections.singletonList(XPackPlugin.class))) { node.start(); 
@@ -111,27 +114,27 @@ public class ServerTransportFilterIntegrationTests extends ShieldIntegTestCase { public void testThatConnectionToClientTypeConnectionIsRejected() throws IOException { Settings dataNodeSettings = internalCluster().getDataNodeInstance(Settings.class); - String systemKeyFile = dataNodeSettings.get(InternalCryptoService.FILE_SETTING); + String systemKeyFile = InternalCryptoService.FILE_SETTING.get(dataNodeSettings); Path folder = createFolder(createTempDir(), getClass().getSimpleName() + "-" + randomAsciiOfLength(10)); // test that starting up a node works Settings nodeSettings = settingsBuilder() - .put("shield.authc.realms.file.type", FileRealm.TYPE) - .put("shield.authc.realms.file.order", 0) - .put("shield.authc.realms.file.files.users", writeFile(folder, "users", configUsers())) - .put("shield.authc.realms.file.files.users_roles", writeFile(folder, "users_roles", configUsersRoles())) - .put("shield.authz.store.files.roles", writeFile(folder, "roles.yml", configRoles())) + .put("xpack.security.authc.realms.file.type", FileRealm.TYPE) + .put("xpack.security.authc.realms.file.order", 0) + .put("xpack.security.authc.realms.file.files.users", writeFile(folder, "users", configUsers())) + .put("xpack.security.authc.realms.file.files.users_roles", writeFile(folder, "users_roles", configUsersRoles())) + .put(FileRolesStore.ROLES_FILE_SETTING.getKey(), writeFile(folder, "roles.yml", configRoles())) .put(getSSLSettingsForStore("/org/elasticsearch/shield/transport/ssl/certs/simple/testnode.jks", "testnode")) .put("node.mode", "network") .put("node.name", "my-test-node") - .put("shield.user", "test_user:changeme") + .put(Security.USER_SETTING.getKey(), "test_user:changeme") .put("cluster.name", internalCluster().getClusterName()) .put("discovery.zen.ping.unicast.hosts", "localhost:" + randomClientPort) - .put("shield.transport.ssl", sslTransportEnabled()) - .put("shield.audit.enabled", false) + .put(ShieldNettyTransport.SSL_SETTING.getKey(), 
sslTransportEnabled()) + .put("xpack.security.audit.enabled", false) .put(NetworkModule.HTTP_ENABLED.getKey(), false) - .put(InternalCryptoService.FILE_SETTING, systemKeyFile) + .put(InternalCryptoService.FILE_SETTING.getKey(), systemKeyFile) .put("discovery.initial_state_timeout", "2s") .put("path.home", createTempDir()) .put(Node.NODE_MASTER_SETTING.getKey(), false) diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/filter/IPFilterTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/filter/IPFilterTests.java index bf7bfb5d53d..08329694cf9 100644 --- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/filter/IPFilterTests.java +++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/filter/IPFilterTests.java @@ -83,8 +83,8 @@ public class IPFilterTests extends ESTestCase { public void testThatIpV4AddressesCanBeProcessed() throws Exception { Settings settings = settingsBuilder() - .put("shield.transport.filter.allow", "127.0.0.1") - .put("shield.transport.filter.deny", "10.0.0.0/8") + .put("xpack.security.transport.filter.allow", "127.0.0.1") + .put("xpack.security.transport.filter.deny", "10.0.0.0/8") .build(); ipFilter = new IPFilter(settings, auditTrail, clusterSettings, licenseState); ipFilter.setBoundTransportAddress(transport.boundAddress(), transport.profileBoundAddresses()); 
@@ -96,8 +96,8 @@ public class IPFilterTests extends ESTestCase { // you have to use the shortest possible notation in order to match, so // 1234:0db8:85a3:0000:0000:8a2e:0370:7334 becomes 1234:db8:85a3:0:0:8a2e:370:7334 Settings settings = settingsBuilder() - .put("shield.transport.filter.allow", "2001:0db8:1234::/48") - .putArray("shield.transport.filter.deny", "1234:db8:85a3:0:0:8a2e:370:7334", "4321:db8:1234::/48") + .put("xpack.security.transport.filter.allow", "2001:0db8:1234::/48") + .putArray("xpack.security.transport.filter.deny", "1234:db8:85a3:0:0:8a2e:370:7334", "4321:db8:1234::/48") .build(); ipFilter = new IPFilter(settings, auditTrail, clusterSettings, licenseState); ipFilter.setBoundTransportAddress(transport.boundAddress(), transport.profileBoundAddresses()); @@ -110,8 +110,8 @@ public class IPFilterTests extends ESTestCase { @Network // requires network for name resolution public void testThatHostnamesCanBeProcessed() throws Exception { Settings settings = settingsBuilder() - .put("shield.transport.filter.allow", "127.0.0.1") - .put("shield.transport.filter.deny", "*.google.com") + .put("xpack.security.transport.filter.allow", "127.0.0.1") + .put("xpack.security.transport.filter.deny", "*.google.com") .build(); ipFilter = new IPFilter(settings, auditTrail, clusterSettings, licenseState); ipFilter.setBoundTransportAddress(transport.boundAddress(), transport.profileBoundAddresses()); @@ -122,7 +122,7 @@ public class IPFilterTests extends ESTestCase { public void testThatAnAllowAllAuthenticatorWorks() throws Exception { Settings settings = settingsBuilder() - .put("shield.transport.filter.allow", "_all") + .put("xpack.security.transport.filter.allow", "_all") .build(); ipFilter = new IPFilter(settings, auditTrail, clusterSettings, licenseState); ipFilter.setBoundTransportAddress(transport.boundAddress(), transport.profileBoundAddresses()); 
@@ -132,10 +132,10 @@ public class IPFilterTests extends ESTestCase { public void testThatProfilesAreSupported() throws Exception { Settings settings = settingsBuilder() - .put("shield.transport.filter.allow", "localhost") - .put("shield.transport.filter.deny", "_all") - .put("transport.profiles.client.shield.filter.allow", "192.168.0.1") - .put("transport.profiles.client.shield.filter.deny", "_all") + .put("xpack.security.transport.filter.allow", "localhost") + .put("xpack.security.transport.filter.deny", "_all") + .put("transport.profiles.client.xpack.security.filter.allow", "192.168.0.1") + .put("transport.profiles.client.xpack.security.filter.deny", "_all") .build(); ipFilter = new IPFilter(settings, auditTrail, clusterSettings, licenseState); ipFilter.setBoundTransportAddress(transport.boundAddress(), transport.profileBoundAddresses()); @@ -147,8 +147,8 @@ public class IPFilterTests extends ESTestCase { public void testThatAllowWinsOverDeny() throws Exception { Settings settings = settingsBuilder() - .put("shield.transport.filter.allow", "10.0.0.1") - .put("shield.transport.filter.deny", "10.0.0.0/8") + .put("xpack.security.transport.filter.allow", "10.0.0.1") + .put("xpack.security.transport.filter.deny", "10.0.0.0/8") .build(); ipFilter = new IPFilter(settings, auditTrail, clusterSettings, licenseState); ipFilter.setBoundTransportAddress(transport.boundAddress(), transport.profileBoundAddresses()); 
@@ -166,10 +166,10 @@ public class IPFilterTests extends ESTestCase { public void testThatHttpWorks() throws Exception { Settings settings = settingsBuilder() - .put("shield.transport.filter.allow", "127.0.0.1") - .put("shield.transport.filter.deny", "10.0.0.0/8") - .put("shield.http.filter.allow", "10.0.0.0/8") - .put("shield.http.filter.deny", "192.168.0.1") + .put("xpack.security.transport.filter.allow", "127.0.0.1") + .put("xpack.security.transport.filter.deny", "10.0.0.0/8") + .put("xpack.security.http.filter.allow", "10.0.0.0/8") + .put("xpack.security.http.filter.deny", "192.168.0.1") .build(); ipFilter = new IPFilter(settings, auditTrail, clusterSettings, licenseState); ipFilter.setBoundHttpTransportAddress(httpTransport.boundAddress()); @@ -180,8 +180,8 @@ public class IPFilterTests extends ESTestCase { public void testThatHttpFallsbackToDefault() throws Exception { Settings settings = settingsBuilder() - .put("shield.transport.filter.allow", "127.0.0.1") - .put("shield.transport.filter.deny", "10.0.0.0/8") + .put("xpack.security.transport.filter.allow", "127.0.0.1") + .put("xpack.security.transport.filter.deny", "10.0.0.0/8") .build(); ipFilter = new IPFilter(settings, auditTrail, clusterSettings, licenseState); ipFilter.setBoundHttpTransportAddress(httpTransport.boundAddress()); 
@@ -199,10 +199,10 @@ public class IPFilterTests extends ESTestCase { Settings settings; if (randomBoolean()) { - settings = settingsBuilder().putArray("shield.transport.filter.deny", + settings = settingsBuilder().putArray("xpack.security.transport.filter.deny", addressStrings.toArray(new String[addressStrings.size()])).build(); } else { - settings = settingsBuilder().put("shield.transport.filter.deny", "_all").build(); + settings = settingsBuilder().put("xpack.security.transport.filter.deny", "_all").build(); } ipFilter = new IPFilter(settings, auditTrail, clusterSettings, licenseState); ipFilter.setBoundTransportAddress(transport.boundAddress(), transport.profileBoundAddresses()); @@ -216,7 +216,7 @@ public class IPFilterTests extends ESTestCase { public void testThatAllAddressesAreAllowedWhenLicenseDisablesSecurity() { Settings settings = settingsBuilder() - .put("shield.transport.filter.deny", "_all") + .put("xpack.security.transport.filter.deny", "_all") .build(); when(licenseState.securityEnabled()).thenReturn(false); ipFilter = new IPFilter(settings, auditTrail, clusterSettings, licenseState); diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/filter/IpFilteringIntegrationTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/filter/IpFilteringIntegrationTests.java index a1af71dda89..4ea9bb7d3f5 100644 --- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/filter/IpFilteringIntegrationTests.java +++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/filter/IpFilteringIntegrationTests.java 
@@ -11,7 +11,6 @@ import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.transport.InetSocketTransportAddress;
 import org.elasticsearch.common.transport.TransportAddress;
 import org.elasticsearch.http.HttpServerTransport;
-import org.elasticsearch.node.Node;
 import org.elasticsearch.test.ESIntegTestCase.ClusterScope;
 import org.elasticsearch.test.ESIntegTestCase.Scope;
 import org.elasticsearch.test.ShieldIntegTestCase;
@@ -46,8 +45,9 @@ public class IpFilteringIntegrationTests extends ShieldIntegTestCase {
 .put("transport.profiles.client.port", randomClientPortRange)
 // make sure this is "localhost", no matter if ipv4 or ipv6, but be consistent
 .put("transport.profiles.client.bind_host", "localhost")
- .put("transport.profiles.client.shield.filter.deny", "_all")
- .put("shield.http.filter.deny", "_all").build();
+ .put("transport.profiles.client.xpack.security.filter.deny", "_all")
+ .put(IPFilter.TRANSPORT_FILTER_DENY_SETTING.getKey(), "_all")
+ .build();
 }
 public void testThatIpFilteringIsIntegratedIntoNettyPipelineViaHttp() throws Exception {
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/filter/IpFilteringUpdateTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/filter/IpFilteringUpdateTests.java
index 1def3fde346..238d5f4d0d1 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/filter/IpFilteringUpdateTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/filter/IpFilteringUpdateTests.java
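Review bot: The line that replaces `shield.http.filter.deny` uses `IPFilter.TRANSPORT_FILTER_DENY_SETTING.getKey()`, which by its name is the transport-layer deny list, so this hunk changes which filter the node is configured with instead of only renaming the key. The test right below it (`testThatIpFilteringIsIntegratedIntoNettyPipelineViaHttp`) and the `testThatHttpFallsbackToDefault` case in IPFilterTests suggest HTTP falls back to the transport rules, so the test may keep passing while it no longer asserts an HTTP-specific deny list. If IPFilter exposes an HTTP deny setting it should be used here; otherwise the literal the rest of this diff uses keeps the original intent, `.put("xpack.security.http.filter.deny", "_all")`. The enclosing settings method starts outside the hunk.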
@@ -8,7 +8,6 @@ package org.elasticsearch.shield.transport.filter;
 import org.elasticsearch.cluster.ClusterState;
 import org.elasticsearch.common.network.NetworkModule;
 import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.node.Node;
 import org.elasticsearch.test.ESIntegTestCase.ClusterScope;
 import org.elasticsearch.test.ShieldIntegTestCase;
 import org.junit.BeforeClass;
@@ -40,7 +39,7 @@ public class IpFilteringUpdateTests extends ShieldIntegTestCase {
 return settingsBuilder()
 .put(super.nodeSettings(nodeOrdinal))
 .put(NetworkModule.HTTP_ENABLED.getKey(), httpEnabled)
- .put("shield.transport.filter.deny", "127.0.0.200")
+ .put("xpack.security.transport.filter.deny", "127.0.0.200")
 .put("transport.profiles.client.port", randomClientPortRange)
 .build();
 }
@@ -55,23 +54,23 @@ public class IpFilteringUpdateTests extends ShieldIntegTestCase { assertConnectionAccepted("client", "127.0.0.8"); Settings settings = settingsBuilder() - .put("shield.transport.filter.allow", "127.0.0.1") - .put("shield.transport.filter.deny", "127.0.0.8") + .put("xpack.security.transport.filter.allow", "127.0.0.1") + .put("xpack.security.transport.filter.deny", "127.0.0.8") .build(); updateSettings(settings); assertConnectionRejected("default", "127.0.0.8"); settings = settingsBuilder() - .putArray("shield.http.filter.allow", "127.0.0.1") - .putArray("shield.http.filter.deny", "127.0.0.8") + .putArray("xpack.security.http.filter.allow", "127.0.0.1") + .putArray("xpack.security.http.filter.deny", "127.0.0.8") .build(); updateSettings(settings); assertConnectionRejected("default", "127.0.0.8"); assertConnectionRejected(".http", "127.0.0.8"); settings = settingsBuilder() - .put("transport.profiles.client.shield.filter.allow", "127.0.0.1") - .put("transport.profiles.client.shield.filter.deny", "127.0.0.8") + .put("transport.profiles.client.xpack.security.filter.allow", "127.0.0.1") + .put("transport.profiles.client.xpack.security.filter.deny", "127.0.0.8") .build(); updateSettings(settings); assertConnectionRejected("default", "127.0.0.8"); 
@@ -80,12 +79,12 @@ public class IpFilteringUpdateTests extends ShieldIntegTestCase {
 // check that all is in cluster state
 ClusterState clusterState = client().admin().cluster().prepareState().get().getState();
- assertThat(clusterState.metaData().settings().get("shield.transport.filter.allow"), is("127.0.0.1"));
- assertThat(clusterState.metaData().settings().get("shield.transport.filter.deny"), is("127.0.0.8"));
- assertThat(clusterState.metaData().settings().get("shield.http.filter.allow.0"), is("127.0.0.1"));
- assertThat(clusterState.metaData().settings().get("shield.http.filter.deny.0"), is("127.0.0.8"));
- assertThat(clusterState.metaData().settings().get("transport.profiles.client.shield.filter.allow"), is("127.0.0.1"));
- assertThat(clusterState.metaData().settings().get("transport.profiles.client.shield.filter.deny"), is("127.0.0.8"));
+ assertThat(clusterState.metaData().settings().get("xpack.security.transport.filter.allow"), is("127.0.0.1"));
+ assertThat(clusterState.metaData().settings().get("xpack.security.transport.filter.deny"), is("127.0.0.8"));
+ assertThat(clusterState.metaData().settings().get("xpack.security.http.filter.allow.0"), is("127.0.0.1"));
+ assertThat(clusterState.metaData().settings().get("xpack.security.http.filter.deny.0"), is("127.0.0.8"));
+ assertThat(clusterState.metaData().settings().get("transport.profiles.client.xpack.security.filter.allow"), is("127.0.0.1"));
+ assertThat(clusterState.metaData().settings().get("transport.profiles.client.xpack.security.filter.deny"), is("127.0.0.8"));
 // now disable ip filtering dynamically and make sure nothing is rejected
 settings = settingsBuilder()
@@ -98,12 +97,12 @@ public class IpFilteringUpdateTests extends ShieldIntegTestCase {
 // disabling should not have any effect on the cluster state settings
 clusterState = client().admin().cluster().prepareState().get().getState();
- assertThat(clusterState.metaData().settings().get("shield.transport.filter.allow"), is("127.0.0.1"));
- assertThat(clusterState.metaData().settings().get("shield.transport.filter.deny"), is("127.0.0.8"));
- assertThat(clusterState.metaData().settings().get("shield.http.filter.allow.0"), is("127.0.0.1"));
- assertThat(clusterState.metaData().settings().get("shield.http.filter.deny.0"), is("127.0.0.8"));
- assertThat(clusterState.metaData().settings().get("transport.profiles.client.shield.filter.allow"), is("127.0.0.1"));
- assertThat(clusterState.metaData().settings().get("transport.profiles.client.shield.filter.deny"), is("127.0.0.8"));
+ assertThat(clusterState.metaData().settings().get("xpack.security.transport.filter.allow"), is("127.0.0.1"));
+ assertThat(clusterState.metaData().settings().get("xpack.security.transport.filter.deny"), is("127.0.0.8"));
+ assertThat(clusterState.metaData().settings().get("xpack.security.http.filter.allow.0"), is("127.0.0.1"));
+ assertThat(clusterState.metaData().settings().get("xpack.security.http.filter.deny.0"), is("127.0.0.8"));
+ assertThat(clusterState.metaData().settings().get("transport.profiles.client.xpack.security.filter.allow"), is("127.0.0.1"));
+ assertThat(clusterState.metaData().settings().get("transport.profiles.client.xpack.security.filter.deny"), is("127.0.0.8"));
 // now also disable for HTTP
 if (httpEnabled) {
@@ -121,13 +120,13 @@ public class IpFilteringUpdateTests extends ShieldIntegTestCase { // issue #762, occured because in the above test we use HTTP and transport public void testThatDisablingIpFilterWorksAsExpected() throws Exception { Settings settings = settingsBuilder() - .put("shield.transport.filter.deny", "127.0.0.8") + .put("xpack.security.transport.filter.deny", "127.0.0.8") .build(); updateSettings(settings); assertConnectionRejected("default", "127.0.0.8"); settings = settingsBuilder() - .put("shield.transport.filter.enabled", false) + .put(IPFilter.IP_FILTER_ENABLED_SETTING.getKey(), false) .build(); updateSettings(settings); assertConnectionAccepted("default", "127.0.0.8"); @@ -135,13 +134,13 @@ public class IpFilteringUpdateTests extends ShieldIntegTestCase { public void testThatDisablingIpFilterForProfilesWorksAsExpected() throws Exception { Settings settings = settingsBuilder() - .put("transport.profiles.client.shield.filter.deny", "127.0.0.8") + .put("transport.profiles.client.xpack.security.filter.deny", "127.0.0.8") .build(); updateSettings(settings); assertConnectionRejected("client", "127.0.0.8"); settings = settingsBuilder() - .put("shield.transport.filter.enabled", false) + .put(IPFilter.IP_FILTER_ENABLED_SETTING.getKey(), false) .build(); updateSettings(settings); assertConnectionAccepted("client", "127.0.0.8"); diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/netty/HandshakeWaitingHandlerTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/netty/HandshakeWaitingHandlerTests.java index 15caa8b5c57..506cae73c27 100644 --- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/netty/HandshakeWaitingHandlerTests.java +++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/netty/HandshakeWaitingHandlerTests.java 
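Review bot: The enabled flag is now written through `IPFilter.IP_FILTER_ENABLED_SETTING.getKey()` in both testThatDisablingIpFilterWorksAsExpected and testThatDisablingIpFilterForProfilesWorksAsExpected, while the allow/deny keys in the same builders stay as string literals such as `"xpack.security.transport.filter.deny"`. If IPFilter exposes the allow/deny keys as Setting constants as well, referencing them the same way would keep these tests from drifting the next time a key is renamed; if it does not, a one-line comment on the literal saying so would make the mix deliberate. The same literal-versus-constant mix appears in the three earlier hunks of this file (the filter.allow/deny and cluster-state assertions).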
@@ -72,8 +72,8 @@ public class HandshakeWaitingHandlerTests extends ESTestCase {
 iterations = randomIntBetween(10, 100);
 Settings settings = settingsBuilder()
- .put("shield.ssl.keystore.path", getDataPath("/org/elasticsearch/shield/transport/ssl/certs/simple/testnode.jks"))
- .put("shield.ssl.keystore.password", "testnode")
+ .put("xpack.security.ssl.keystore.path", getDataPath("/org/elasticsearch/shield/transport/ssl/certs/simple/testnode.jks"))
+ .put("xpack.security.ssl.keystore.password", "testnode")
 .build();
 Environment env = new Environment(settingsBuilder().put("path.home", createTempDir()).build());
 ServerSSLService sslService = new ServerSSLService(settings, env);
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/netty/IPFilterNettyUpstreamHandlerTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/netty/IPFilterNettyUpstreamHandlerTests.java
index e3939b8b224..f9d9274180a 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/netty/IPFilterNettyUpstreamHandlerTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/netty/IPFilterNettyUpstreamHandlerTests.java
@@ -50,8 +50,8 @@ public class IPFilterNettyUpstreamHandlerTests extends ESTestCase {
 @Before
 public void init() throws Exception {
 Settings settings = settingsBuilder()
- .put("shield.transport.filter.allow", "127.0.0.1")
- .put("shield.transport.filter.deny", "10.0.0.0/8")
+ .put("xpack.security.transport.filter.allow", "127.0.0.1")
+ .put("xpack.security.transport.filter.deny", "10.0.0.0/8")
 .build();
 boolean isHttpEnabled = randomBoolean();
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/netty/IPHostnameVerificationTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/netty/IPHostnameVerificationTests.java
index 60f43659e72..e4f66fde91d 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/netty/IPHostnameVerificationTests.java +++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/netty/IPHostnameVerificationTests.java 
@@ -46,27 +46,27 @@ public class IPHostnameVerificationTests extends ShieldIntegTestCase { throw new RuntimeException(e); } - return settingsBuilder.put("shield.ssl.keystore.path", keystore.toAbsolutePath()) // settings for client truststore - .put("shield.ssl.keystore.password", "testnode-ip-only") - .put("shield.ssl.truststore.path", keystore.toAbsolutePath()) // settings for client truststore - .put("shield.ssl.truststore.password", "testnode-ip-only") + return settingsBuilder.put("xpack.security.ssl.keystore.path", keystore.toAbsolutePath()) // settings for client truststore + .put("xpack.security.ssl.keystore.password", "testnode-ip-only") + .put("xpack.security.ssl.truststore.path", keystore.toAbsolutePath()) // settings for client truststore + .put("xpack.security.ssl.truststore.password", "testnode-ip-only") .put(TransportSettings.BIND_HOST.getKey(), "127.0.0.1") .put("network.host", "127.0.0.1") - .put("shield.ssl.client.auth", "false") - .put(ShieldNettyTransport.HOSTNAME_VERIFICATION_SETTING, true) - .put(ShieldNettyTransport.HOSTNAME_VERIFICATION_RESOLVE_NAME_SETTING, false) + .put("xpack.security.ssl.client.auth", "false") + .put(ShieldNettyTransport.HOSTNAME_VERIFICATION_SETTING.getKey(), true) + .put(ShieldNettyTransport.HOSTNAME_VERIFICATION_RESOLVE_NAME_SETTING.getKey(), false) .build(); } @Override protected Settings transportClientSettings() { return settingsBuilder().put(super.transportClientSettings()) - .put(ShieldNettyTransport.HOSTNAME_VERIFICATION_SETTING, true) - .put(ShieldNettyTransport.HOSTNAME_VERIFICATION_RESOLVE_NAME_SETTING, false) - .put("shield.ssl.keystore.path", keystore.toAbsolutePath()) - .put("shield.ssl.keystore.password", "testnode-ip-only") - .put("shield.ssl.truststore.path", keystore.toAbsolutePath()) - .put("shield.ssl.truststore.password", "testnode-ip-only") + .put(ShieldNettyTransport.HOSTNAME_VERIFICATION_SETTING.getKey(), true) + .put(ShieldNettyTransport.HOSTNAME_VERIFICATION_RESOLVE_NAME_SETTING.getKey(), false) 
+ .put("xpack.security.ssl.keystore.path", keystore.toAbsolutePath()) + .put("xpack.security.ssl.keystore.password", "testnode-ip-only") + .put("xpack.security.ssl.truststore.path", keystore.toAbsolutePath()) + .put("xpack.security.ssl.truststore.password", "testnode-ip-only") .build(); } diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/netty/ShieldNettyHttpServerTransportTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/netty/ShieldNettyHttpServerTransportTests.java index f0fc150f202..e851ab40005 100644 --- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/netty/ShieldNettyHttpServerTransportTests.java +++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/netty/ShieldNettyHttpServerTransportTests.java @@ -7,7 +7,6 @@ package org.elasticsearch.shield.transport.netty; import org.elasticsearch.common.network.NetworkService; import org.elasticsearch.common.settings.Settings; -import org.elasticsearch.common.settings.SettingsFilter; import org.elasticsearch.common.util.BigArrays; import org.elasticsearch.env.Environment; import org.elasticsearch.http.netty.NettyHttpMockUtil; 
@@ -35,15 +34,15 @@ public class ShieldNettyHttpServerTransportTests extends ESTestCase { public void createSSLService() throws Exception { Path testnodeStore = getDataPath("/org/elasticsearch/shield/transport/ssl/certs/simple/testnode.jks"); Settings settings = settingsBuilder() - .put("shield.ssl.keystore.path", testnodeStore) - .put("shield.ssl.keystore.password", "testnode") + .put("xpack.security.ssl.keystore.path", testnodeStore) + .put("xpack.security.ssl.keystore.password", "testnode") .build(); Environment env = new Environment(settingsBuilder().put("path.home", createTempDir()).build()); serverSSLService = new ServerSSLService(settings, env); } public void testDefaultClientAuth() throws Exception { - Settings settings = Settings.builder().put(ShieldNettyHttpServerTransport.HTTP_SSL_SETTING, true).build(); + Settings settings = Settings.builder().put(ShieldNettyHttpServerTransport.SSL_SETTING.getKey(), true).build(); ShieldNettyHttpServerTransport transport = new ShieldNettyHttpServerTransport(settings, mock(NetworkService.class), mock(BigArrays.class), mock(IPFilter.class), serverSSLService, mock(ThreadPool.class)); NettyHttpMockUtil.setOpenChannelsHandlerToMock(transport); 
@@ -55,8 +54,8 @@ public class ShieldNettyHttpServerTransportTests extends ESTestCase { public void testOptionalClientAuth() throws Exception { String value = randomFrom(SSLClientAuth.OPTIONAL.name(), SSLClientAuth.OPTIONAL.name().toLowerCase(Locale.ROOT)); Settings settings = Settings.builder() - .put(ShieldNettyHttpServerTransport.HTTP_SSL_SETTING, true) - .put(ShieldNettyHttpServerTransport.HTTP_CLIENT_AUTH_SETTING, value).build(); + .put(ShieldNettyHttpServerTransport.SSL_SETTING.getKey(), true) + .put(ShieldNettyHttpServerTransport.CLIENT_AUTH_SETTING.getKey(), value).build(); ShieldNettyHttpServerTransport transport = new ShieldNettyHttpServerTransport(settings, mock(NetworkService.class), mock(BigArrays.class), mock(IPFilter.class), serverSSLService, mock(ThreadPool.class)); NettyHttpMockUtil.setOpenChannelsHandlerToMock(transport); @@ -68,8 +67,8 @@ public class ShieldNettyHttpServerTransportTests extends ESTestCase { public void testRequiredClientAuth() throws Exception { String value = randomFrom(SSLClientAuth.REQUIRED.name(), SSLClientAuth.REQUIRED.name().toLowerCase(Locale.ROOT), "true", "TRUE"); Settings settings = Settings.builder() - .put(ShieldNettyHttpServerTransport.HTTP_SSL_SETTING, true) - .put(ShieldNettyHttpServerTransport.HTTP_CLIENT_AUTH_SETTING, value).build(); + .put(ShieldNettyHttpServerTransport.SSL_SETTING.getKey(), true) + .put(ShieldNettyHttpServerTransport.CLIENT_AUTH_SETTING.getKey(), value).build(); ShieldNettyHttpServerTransport transport = new ShieldNettyHttpServerTransport(settings, mock(NetworkService.class), mock(BigArrays.class), mock(IPFilter.class), serverSSLService, mock(ThreadPool.class)); NettyHttpMockUtil.setOpenChannelsHandlerToMock(transport); 
@@ -81,8 +80,8 @@ public class ShieldNettyHttpServerTransportTests extends ESTestCase { public void testNoClientAuth() throws Exception { String value = randomFrom(SSLClientAuth.NO.name(), SSLClientAuth.NO.name().toLowerCase(Locale.ROOT), "false", "FALSE"); Settings settings = Settings.builder() - .put(ShieldNettyHttpServerTransport.HTTP_SSL_SETTING, true) - .put(ShieldNettyHttpServerTransport.HTTP_CLIENT_AUTH_SETTING, value).build(); + .put(ShieldNettyHttpServerTransport.SSL_SETTING.getKey(), true) + .put(ShieldNettyHttpServerTransport.CLIENT_AUTH_SETTING.getKey(), value).build(); ShieldNettyHttpServerTransport transport = new ShieldNettyHttpServerTransport(settings, mock(NetworkService.class), mock(BigArrays.class), mock(IPFilter.class), serverSSLService, mock(ThreadPool.class)); NettyHttpMockUtil.setOpenChannelsHandlerToMock(transport); diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/netty/ShieldNettyTransportTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/netty/ShieldNettyTransportTests.java index 6eb3b452ec1..1fc85bb1f47 100644 --- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/netty/ShieldNettyTransportTests.java +++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/netty/ShieldNettyTransportTests.java 
@@ -38,8 +38,8 @@ public class ShieldNettyTransportTests extends ESTestCase {
 public void createSSLService() throws Exception {
 Path testnodeStore = getDataPath("/org/elasticsearch/shield/transport/ssl/certs/simple/testnode.jks");
 Settings settings = settingsBuilder()
- .put("shield.ssl.keystore.path", testnodeStore)
- .put("shield.ssl.keystore.password", "testnode")
+ .put("xpack.security.ssl.keystore.path", testnodeStore)
+ .put("xpack.security.ssl.keystore.password", "testnode")
 .build();
 Environment env = new Environment(settingsBuilder().put("path.home", createTempDir()).build());
 serverSSLService = new ServerSSLService(settings, env);
@@ -48,27 +48,27 @@ public class ShieldNettyTransportTests extends ESTestCase { } public void testThatSSLCanBeDisabledByProfile() throws Exception { - Settings settings = settingsBuilder().put("shield.transport.ssl", true).build(); + Settings settings = settingsBuilder().put(ShieldNettyTransport.SSL_SETTING.getKey(), true).build(); ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class), mock(NetworkService.class), mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService, mock(NamedWriteableRegistry.class)); NettyMockUtil.setOpenChannelsHandlerToMock(transport); ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory("client", - settingsBuilder().put("shield.ssl", false).build()); + settingsBuilder().put("xpack.security.ssl", false).build()); assertThat(factory.getPipeline().get(SslHandler.class), nullValue()); } public void testThatSSLCanBeEnabledByProfile() throws Exception { - Settings settings = settingsBuilder().put("shield.transport.ssl", false).build(); + Settings settings = settingsBuilder().put(ShieldNettyTransport.SSL_SETTING.getKey(), false).build(); ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class), mock(NetworkService.class), mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService, mock(NamedWriteableRegistry.class)); NettyMockUtil.setOpenChannelsHandlerToMock(transport); ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory("client", - settingsBuilder().put("shield.ssl", true).build()); + settingsBuilder().put("xpack.security.ssl", true).build()); assertThat(factory.getPipeline().get(SslHandler.class), notNullValue()); } public void testThatProfileTakesDefaultSSLSetting() throws Exception { - Settings settings = settingsBuilder().put("shield.transport.ssl", true).build(); + Settings settings = settingsBuilder().put(ShieldNettyTransport.SSL_SETTING.getKey(), true).build(); 
ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class), mock(NetworkService.class), mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService, mock(NamedWriteableRegistry.class)); NettyMockUtil.setOpenChannelsHandlerToMock(transport); @@ -77,7 +77,7 @@ public class ShieldNettyTransportTests extends ESTestCase { } public void testDefaultClientAuth() throws Exception { - Settings settings = settingsBuilder().put("shield.transport.ssl", true).build(); + Settings settings = settingsBuilder().put(ShieldNettyTransport.SSL_SETTING.getKey(), true).build(); ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class), mock(NetworkService.class), mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService, mock(NamedWriteableRegistry.class)); NettyMockUtil.setOpenChannelsHandlerToMock(transport); @@ -89,8 +89,8 @@ public class ShieldNettyTransportTests extends ESTestCase { public void testRequiredClientAuth() throws Exception { String value = randomFrom(SSLClientAuth.REQUIRED.name(), SSLClientAuth.REQUIRED.name().toLowerCase(Locale.ROOT), "true"); Settings settings = settingsBuilder() - .put("shield.transport.ssl", true) - .put(ShieldNettyTransport.TRANSPORT_CLIENT_AUTH_SETTING, value).build(); + .put(ShieldNettyTransport.SSL_SETTING.getKey(), true) + .put(ShieldNettyTransport.CLIENT_AUTH_SETTING.getKey(), value).build(); ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class), mock(NetworkService.class), mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService, mock(NamedWriteableRegistry.class)); NettyMockUtil.setOpenChannelsHandlerToMock(transport); 
@@ -102,8 +102,8 @@ public class ShieldNettyTransportTests extends ESTestCase { public void testNoClientAuth() throws Exception { String value = randomFrom(SSLClientAuth.NO.name(), "false", "FALSE", SSLClientAuth.NO.name().toLowerCase(Locale.ROOT)); Settings settings = settingsBuilder() - .put("shield.transport.ssl", true) - .put(ShieldNettyTransport.TRANSPORT_CLIENT_AUTH_SETTING, value).build(); + .put(ShieldNettyTransport.SSL_SETTING.getKey(), true) + .put(ShieldNettyTransport.CLIENT_AUTH_SETTING.getKey(), value).build(); ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class), mock(NetworkService.class), mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService, mock(NamedWriteableRegistry.class)); NettyMockUtil.setOpenChannelsHandlerToMock(transport); @@ -115,8 +115,8 @@ public class ShieldNettyTransportTests extends ESTestCase { public void testOptionalClientAuth() throws Exception { String value = randomFrom(SSLClientAuth.OPTIONAL.name(), SSLClientAuth.OPTIONAL.name().toLowerCase(Locale.ROOT)); Settings settings = settingsBuilder() - .put("shield.transport.ssl", true) - .put(ShieldNettyTransport.TRANSPORT_CLIENT_AUTH_SETTING, value).build(); + .put(ShieldNettyTransport.SSL_SETTING.getKey(), true) + .put(ShieldNettyTransport.CLIENT_AUTH_SETTING.getKey(), value).build(); ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class), mock(NetworkService.class), mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService, mock(NamedWriteableRegistry.class)); NettyMockUtil.setOpenChannelsHandlerToMock(transport); 
@@ -127,37 +127,37 @@ public class ShieldNettyTransportTests extends ESTestCase { public void testProfileRequiredClientAuth() throws Exception { String value = randomFrom(SSLClientAuth.REQUIRED.name(), SSLClientAuth.REQUIRED.name().toLowerCase(Locale.ROOT), "true", "TRUE"); - Settings settings = settingsBuilder().put("shield.transport.ssl", true).build(); + Settings settings = settingsBuilder().put(ShieldNettyTransport.SSL_SETTING.getKey(), true).build(); ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class), mock(NetworkService.class), mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService, mock(NamedWriteableRegistry.class)); NettyMockUtil.setOpenChannelsHandlerToMock(transport); ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory("client", - Settings.builder().put(ShieldNettyTransport.TRANSPORT_PROFILE_CLIENT_AUTH_SETTING, value).build()); + Settings.builder().put(ShieldNettyTransport.PROFILE_CLIENT_AUTH_SETTING, value).build()); assertThat(factory.getPipeline().get(SslHandler.class).getEngine().getNeedClientAuth(), is(true)); assertThat(factory.getPipeline().get(SslHandler.class).getEngine().getWantClientAuth(), is(false)); } public void testProfileNoClientAuth() throws Exception { String value = randomFrom(SSLClientAuth.NO.name(), "false", "FALSE", SSLClientAuth.NO.name().toLowerCase(Locale.ROOT)); - Settings settings = settingsBuilder().put("shield.transport.ssl", true).build(); + Settings settings = settingsBuilder().put(ShieldNettyTransport.SSL_SETTING.getKey(), true).build(); ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class), mock(NetworkService.class), mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService, mock(NamedWriteableRegistry.class)); NettyMockUtil.setOpenChannelsHandlerToMock(transport); ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory("client", - 
Settings.builder().put(ShieldNettyTransport.TRANSPORT_PROFILE_CLIENT_AUTH_SETTING, value).build()); + Settings.builder().put(ShieldNettyTransport.PROFILE_CLIENT_AUTH_SETTING.getKey(), value).build()); assertThat(factory.getPipeline().get(SslHandler.class).getEngine().getNeedClientAuth(), is(false)); assertThat(factory.getPipeline().get(SslHandler.class).getEngine().getWantClientAuth(), is(false)); } public void testProfileOptionalClientAuth() throws Exception { String value = randomFrom(SSLClientAuth.OPTIONAL.name(), SSLClientAuth.OPTIONAL.name().toLowerCase(Locale.ROOT)); - Settings settings = settingsBuilder().put("shield.transport.ssl", true).build(); + Settings settings = settingsBuilder().put(ShieldNettyTransport.SSL_SETTING.getKey(), true).build(); ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class), mock(NetworkService.class), mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService, mock(NamedWriteableRegistry.class)); NettyMockUtil.setOpenChannelsHandlerToMock(transport); ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory("client", - Settings.builder().put(ShieldNettyTransport.TRANSPORT_PROFILE_CLIENT_AUTH_SETTING, value).build()); + Settings.builder().put(ShieldNettyTransport.PROFILE_CLIENT_AUTH_SETTING.getKey(), value).build()); assertThat(factory.getPipeline().get(SslHandler.class).getEngine().getNeedClientAuth(), is(false)); assertThat(factory.getPipeline().get(SslHandler.class).getEngine().getWantClientAuth(), is(true)); } diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/netty/SslHostnameVerificationTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/netty/SslHostnameVerificationTests.java index 1df6a9871b8..5e2f222a506 100644 --- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/netty/SslHostnameVerificationTests.java 
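Review bot: In testProfileRequiredClientAuth the profile settings are built with `.put(ShieldNettyTransport.PROFILE_CLIENT_AUTH_SETTING, value)` without `.getKey()`, whereas testProfileNoClientAuth and testProfileOptionalClientAuth in the same hunk use `PROFILE_CLIENT_AUTH_SETTING.getKey()`. If the constant is a Setting object, as the other two call sites imply, this line should read `Settings.builder().put(ShieldNettyTransport.PROFILE_CLIENT_AUTH_SETTING.getKey(), value).build());`. Otherwise it either fails to compile or, if it resolves to an Object-accepting overload, stores the value under whatever the object's toString() yields, and the needClientAuth assertion that follows would then be exercising the profile default rather than the configured value.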
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/netty/SslHostnameVerificationTests.java @@ -46,12 +46,12 @@ public class SslHostnameVerificationTests extends ShieldIntegTestCase { throw new RuntimeException(e); } - return settingsBuilder.put("shield.ssl.keystore.path", keystore.toAbsolutePath()) // settings for client truststore - .put("shield.ssl.keystore.password", "testnode-no-subjaltname") - .put("shield.ssl.truststore.path", keystore.toAbsolutePath()) // settings for client truststore - .put("shield.ssl.truststore.password", "testnode-no-subjaltname") + return settingsBuilder.put("xpack.security.ssl.keystore.path", keystore.toAbsolutePath()) // settings for client truststore + .put("xpack.security.ssl.keystore.password", "testnode-no-subjaltname") + .put("xpack.security.ssl.truststore.path", keystore.toAbsolutePath()) // settings for client truststore + .put("xpack.security.ssl.truststore.password", "testnode-no-subjaltname") // disable hostname verification as this test uses non-localhost addresses - .put(ShieldNettyTransport.HOSTNAME_VERIFICATION_SETTING, false) + .put(ShieldNettyTransport.HOSTNAME_VERIFICATION_SETTING.getKey(), false) .build(); } @@ -60,9 +60,9 @@ public class SslHostnameVerificationTests extends ShieldIntegTestCase { Path keystore = getDataPath("/org/elasticsearch/shield/transport/ssl/certs/simple/testnode-no-subjaltname.jks"); assert keystore != null; return Settings.builder().put(super.transportClientSettings()) - .put(ShieldNettyTransport.HOSTNAME_VERIFICATION_SETTING, false) - .put("shield.ssl.truststore.path", keystore.toAbsolutePath()) // settings for client truststore - .put("shield.ssl.truststore.password", "testnode-no-subjaltname") + .put(ShieldNettyTransport.HOSTNAME_VERIFICATION_SETTING.getKey(), false) + .put("xpack.security.ssl.truststore.path", keystore.toAbsolutePath()) // settings for client truststore + .put("xpack.security.ssl.truststore.password", "testnode-no-subjaltname") .build(); } 
@@ -73,7 +73,7 @@ public class SslHostnameVerificationTests extends ShieldIntegTestCase { InetSocketAddress inetSocketAddress = ((InetSocketTransportAddress) transportAddress).address(); Settings settings = settingsBuilder().put(transportClientSettings()) - .put(ShieldNettyTransport.HOSTNAME_VERIFICATION_SETTING, true) + .put(ShieldNettyTransport.HOSTNAME_VERIFICATION_SETTING.getKey(), true) .build(); try (TransportClient client = TransportClient.builder().addPlugin(XPackPlugin.class).settings(settings).build()) { diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/ssl/SslClientAuthTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/ssl/SslClientAuthTests.java index 7a12a947734..e74af5cb462 100644 --- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/ssl/SslClientAuthTests.java +++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/ssl/SslClientAuthTests.java @@ -15,8 +15,10 @@ import org.elasticsearch.common.network.NetworkModule; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.transport.TransportAddress; import org.elasticsearch.http.HttpServerTransport; +import org.elasticsearch.shield.Security; import org.elasticsearch.shield.ssl.ClientSSLService; import org.elasticsearch.shield.transport.netty.ShieldNettyHttpServerTransport; +import org.elasticsearch.shield.transport.netty.ShieldNettyTransport; import org.elasticsearch.test.ShieldIntegTestCase; import org.elasticsearch.test.rest.client.http.HttpRequestBuilder; import org.elasticsearch.test.rest.client.http.HttpResponse; 
@@ -39,10 +41,10 @@ public class SslClientAuthTests extends ShieldIntegTestCase { return settingsBuilder() .put(super.nodeSettings(nodeOrdinal)) // invert the require auth settings - .put("shield.transport.ssl", true) - .put(ShieldNettyHttpServerTransport.HTTP_SSL_SETTING, true) - .put(ShieldNettyHttpServerTransport.HTTP_CLIENT_AUTH_SETTING, true) - .put("transport.profiles.default.shield.ssl.client.auth", false) + .put(ShieldNettyTransport.SSL_SETTING.getKey(), true) + .put(ShieldNettyHttpServerTransport.SSL_SETTING.getKey(), true) + .put(ShieldNettyHttpServerTransport.CLIENT_AUTH_SETTING.getKey(), true) + .put("transport.profiles.default.xpack.security.ssl.client.auth", false) .put(NetworkModule.HTTP_ENABLED.getKey(), true) .build(); } @@ -101,11 +103,12 @@ public class SslClientAuthTests extends ShieldIntegTestCase { } Settings settings = settingsBuilder() - .put("shield.transport.ssl", true) - .put("shield.ssl.keystore.path", store) - .put("shield.ssl.keystore.password", "testclient-client-profile") + .put(ShieldNettyTransport.SSL_SETTING.getKey(), true) + .put("xpack.security.ssl.keystore.path", store) + .put("xpack.security.ssl.keystore.password", "testclient-client-profile") .put("cluster.name", internalCluster().getClusterName()) - .put("shield.user", transportClientUsername() + ":" + new String(transportClientPassword().internalChars())) + .put(Security.USER_SETTING.getKey(), + transportClientUsername() + ":" + new String(transportClientPassword().internalChars())) .build(); try (TransportClient client = TransportClient.builder().settings(settings).addPlugin(XPackPlugin.class).build()) { Transport transport = internalCluster().getDataNodeInstance(Transport.class); diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/ssl/SslIntegrationTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/ssl/SslIntegrationTests.java index ae01756e0e2..78a5ff5c56f 100644 
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/ssl/SslIntegrationTests.java +++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/ssl/SslIntegrationTests.java @@ -48,7 +48,7 @@ public class SslIntegrationTests extends ShieldIntegTestCase { protected Settings nodeSettings(int nodeOrdinal) { return settingsBuilder().put(super.nodeSettings(nodeOrdinal)) .put(NetworkModule.HTTP_ENABLED.getKey(), true) - .put(ShieldNettyHttpServerTransport.HTTP_SSL_SETTING, true).build(); + .put(ShieldNettyHttpServerTransport.SSL_SETTING.getKey(), true).build(); } @Override @@ -62,7 +62,7 @@ public class SslIntegrationTests extends ShieldIntegTestCase { .put(transportClientSettings()) .put("node.name", "programmatic_transport_client") .put("cluster.name", internalCluster().getClusterName()) - .putArray("shield.ssl.ciphers", new String[]{"TLS_ECDH_anon_WITH_RC4_128_SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA"}) + .putArray("xpack.security.ssl.ciphers", new String[]{"TLS_ECDH_anon_WITH_RC4_128_SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA"}) .build()).build()) { TransportAddress transportAddress = randomFrom(internalCluster().getInstance(Transport.class).boundAddress().boundAddresses()); @@ -81,7 +81,7 @@ public class SslIntegrationTests extends ShieldIntegTestCase { .put(transportClientSettings()) .put("node.name", "programmatic_transport_client") .put("cluster.name", internalCluster().getClusterName()) - .putArray("shield.ssl.supported_protocols", new String[]{"SSLv3"}) + .putArray("xpack.security.ssl.supported_protocols", new String[]{"SSLv3"}) .build()).build()) { TransportAddress transportAddress = randomFrom(internalCluster().getInstance(Transport.class).boundAddress().boundAddresses()); 
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/ssl/SslMultiPortTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/ssl/SslMultiPortTests.java index 6102dffced9..d8828f3dd90 100644 --- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/ssl/SslMultiPortTests.java +++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/ssl/SslMultiPortTests.java @@ -10,6 +10,8 @@ import org.elasticsearch.client.transport.TransportClient; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.transport.InetSocketTransportAddress; import org.elasticsearch.common.transport.TransportAddress; +import org.elasticsearch.shield.Security; +import org.elasticsearch.shield.transport.netty.ShieldNettyTransport; import org.elasticsearch.test.ShieldIntegTestCase; import org.elasticsearch.transport.Transport; import org.elasticsearch.xpack.XPackPlugin; 
@@ -68,14 +70,15 @@ public class SslMultiPortTests extends ShieldIntegTestCase { .put("transport.profiles.client.port", randomClientPortRange) // make sure this is "localhost", no matter if ipv4 or ipv6, but be consistent .put("transport.profiles.client.bind_host", "localhost") - .put("transport.profiles.client.shield.truststore.path", store.toAbsolutePath()) // settings for client truststore - .put("transport.profiles.client.shield.truststore.password", "testnode-client-profile") + .put("transport.profiles.client.xpack.security.truststore.path", store.toAbsolutePath()) // settings for client truststore + .put("transport.profiles.client.xpack.security.truststore.password", "testnode-client-profile") .put("transport.profiles.no_ssl.port", randomNonSslPortRange) .put("transport.profiles.no_ssl.bind_host", "localhost") - .put("transport.profiles.no_ssl.shield.ssl", "false") + .put(randomFrom( + "transport.profiles.no_ssl.xpack.security.ssl.enabled", "transport.profiles.no_ssl.xpack.security.ssl"), "false") .put("transport.profiles.no_client_auth.port", randomNoClientAuthPortRange) .put("transport.profiles.no_client_auth.bind_host", "localhost") - .put("transport.profiles.no_client_auth.shield.ssl.client.auth", false) + .put("transport.profiles.no_client_auth.xpack.security.ssl.client.auth", false) .build(); } @@ -221,7 +224,7 @@ public class SslMultiPortTests extends ShieldIntegTestCase { */ public void testThatTransportClientCanConnectToNoSslProfile() throws Exception { Settings settings = settingsBuilder() - .put("shield.user", DEFAULT_USER_NAME + ":" + DEFAULT_PASSWORD) + .put(Security.USER_SETTING.getKey(), DEFAULT_USER_NAME + ":" + DEFAULT_PASSWORD) .put("cluster.name", internalCluster().getClusterName()) .build(); try (TransportClient transportClient = TransportClient.builder().settings(settings).addPlugin(XPackPlugin.class).build()) { 
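Review bot: The no_ssl profile now chooses its key at random between `transport.profiles.no_ssl.xpack.security.ssl.enabled` and `transport.profiles.no_ssl.xpack.security.ssl`, and nothing in the hunk says why both spellings are expected to work. If the intent is that either key disables SSL on the profile, a comment such as `// both the ".ssl.enabled" and the bare ".ssl" profile key must disable SSL; pick one per run so both forms stay covered` would save the next reader from guessing. Since the choice is random, a failure in the profile tests further down will only reproduce with the test seed, so it may also be worth considering whether the randomness belongs in a shared node-settings method rather than in a dedicated test per key form. The nodeSettings method this builder belongs to starts before the hunk.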
@@ -236,7 +239,7 @@ public class SslMultiPortTests extends ShieldIntegTestCase {
 */
 public void testThatTransportClientCannotConnectToDefaultProfile() throws Exception {
 Settings settings = settingsBuilder()
- .put("shield.user", DEFAULT_USER_NAME + ":" + DEFAULT_PASSWORD)
+ .put(Security.USER_SETTING.getKey(), DEFAULT_USER_NAME + ":" + DEFAULT_PASSWORD)
 .put("cluster.name", internalCluster().getClusterName())
 .build();
 try (TransportClient transportClient = TransportClient.builder().addPlugin(XPackPlugin.class).settings(settings).build()) {
@@ -254,7 +257,7 @@ public class SslMultiPortTests extends ShieldIntegTestCase {
 */
 public void testThatTransportClientCannotConnectToClientProfile() throws Exception {
 Settings settings = settingsBuilder()
- .put("shield.user", DEFAULT_USER_NAME + ":" + DEFAULT_PASSWORD)
+ .put(Security.USER_SETTING.getKey(), DEFAULT_USER_NAME + ":" + DEFAULT_PASSWORD)
 .put("cluster.name", internalCluster().getClusterName())
 .build();
 try (TransportClient transportClient = TransportClient.builder().addPlugin(XPackPlugin.class).settings(settings).build()) {
@@ -272,7 +275,7 @@ public class SslMultiPortTests extends ShieldIntegTestCase {
 */
 public void testThatTransportClientCannotConnectToNoClientAuthProfile() throws Exception {
 Settings settings = settingsBuilder()
- .put("shield.user", DEFAULT_USER_NAME + ":" + DEFAULT_PASSWORD)
+ .put(Security.USER_SETTING.getKey(), DEFAULT_USER_NAME + ":" + DEFAULT_PASSWORD)
 .put("cluster.name", internalCluster().getClusterName())
 .build();
 try (TransportClient transportClient = TransportClient.builder().addPlugin(XPackPlugin.class).settings(settings).build()) {
@@ -292,12 +295,12 @@ public class SslMultiPortTests extends ShieldIntegTestCase {
 */
 public void testThatTransportClientWithOnlyTruststoreCanConnectToNoClientAuthProfile() throws Exception {
 Settings settings = settingsBuilder()
- .put("shield.user", DEFAULT_USER_NAME + ":" + DEFAULT_PASSWORD)
+ .put(Security.USER_SETTING.getKey(), DEFAULT_USER_NAME + ":" + DEFAULT_PASSWORD)
 .put("cluster.name", internalCluster().getClusterName())
- .put("shield.transport.ssl", true)
- .put("shield.ssl.truststore.path",
+ .put(ShieldNettyTransport.SSL_SETTING.getKey(), true)
+ .put("xpack.security.ssl.truststore.path",
 getDataPath("/org/elasticsearch/shield/transport/ssl/certs/simple/truststore-testnode-only.jks"))
- .put("shield.ssl.truststore.password", "truststore-testnode-only")
+ .put("xpack.security.ssl.truststore.password", "truststore-testnode-only")
 .build();
 try (TransportClient transportClient = TransportClient.builder().settings(settings).addPlugin(XPackPlugin.class).build()) {
 transportClient.addTransportAddress(new InetSocketTransportAddress(InetAddress.getLoopbackAddress(),
@@ -314,12 +317,12 @@ public class SslMultiPortTests extends ShieldIntegTestCase {
 */
 public void testThatTransportClientWithOnlyTruststoreCannotConnectToClientProfile() throws Exception {
 Settings settings = settingsBuilder()
- .put("shield.user", DEFAULT_USER_NAME + ":" + DEFAULT_PASSWORD)
+ .put(Security.USER_SETTING.getKey(), DEFAULT_USER_NAME + ":" + DEFAULT_PASSWORD)
 .put("cluster.name", internalCluster().getClusterName())
- .put("shield.transport.ssl", true)
- .put("shield.ssl.truststore.path",
+ .put(ShieldNettyTransport.SSL_SETTING.getKey(), true)
+ .put("xpack.security.ssl.truststore.path",
 getDataPath("/org/elasticsearch/shield/transport/ssl/certs/simple/truststore-testnode-only.jks"))
- .put("shield.ssl.truststore.password", "truststore-testnode-only")
+ .put("xpack.security.ssl.truststore.password", "truststore-testnode-only")
 .build();
 try (TransportClient transportClient = TransportClient.builder().addPlugin(XPackPlugin.class).settings(settings).build()) {
 transportClient.addTransportAddress(new InetSocketTransportAddress(InetAddress.getLoopbackAddress(), getProfilePort("client")));
@@ -338,12 +341,12 @@ public class SslMultiPortTests extends ShieldIntegTestCase {
 */
 public void testThatTransportClientWithOnlyTruststoreCannotConnectToDefaultProfile() throws Exception {
 Settings settings = settingsBuilder()
- .put("shield.user", DEFAULT_USER_NAME + ":" + DEFAULT_PASSWORD)
+ .put(Security.USER_SETTING.getKey(), DEFAULT_USER_NAME + ":" + DEFAULT_PASSWORD)
 .put("cluster.name", internalCluster().getClusterName())
- .put("shield.transport.ssl", true)
- .put("shield.ssl.truststore.path",
+ .put(ShieldNettyTransport.SSL_SETTING.getKey(), true)
+ .put("xpack.security.ssl.truststore.path",
 getDataPath("/org/elasticsearch/shield/transport/ssl/certs/simple/truststore-testnode-only.jks"))
- .put("shield.ssl.truststore.password", "truststore-testnode-only")
+ .put("xpack.security.ssl.truststore.password", "truststore-testnode-only")
 .build();
 try (TransportClient transportClient = TransportClient.builder().addPlugin(XPackPlugin.class).settings(settings).build()) {
 transportClient.addTransportAddress(randomFrom(internalCluster().getInstance(Transport.class).boundAddress().boundAddresses()));
@@ -361,12 +364,12 @@ public class SslMultiPortTests extends ShieldIntegTestCase {
 */
 public void testThatTransportClientWithOnlyTruststoreCannotConnectToNoSslProfile() throws Exception {
 Settings settings = settingsBuilder()
- .put("shield.user", DEFAULT_USER_NAME + ":" + DEFAULT_PASSWORD)
+ .put(Security.USER_SETTING.getKey(), DEFAULT_USER_NAME + ":" + DEFAULT_PASSWORD)
 .put("cluster.name", internalCluster().getClusterName())
- .put("shield.transport.ssl", true)
- .put("shield.ssl.truststore.path",
+ .put(ShieldNettyTransport.SSL_SETTING.getKey(), true)
+ .put("xpack.security.ssl.truststore.path",
 getDataPath("/org/elasticsearch/shield/transport/ssl/certs/simple/truststore-testnode-only.jks"))
- .put("shield.ssl.truststore.password", "truststore-testnode-only")
+ .put("xpack.security.ssl.truststore.password", "truststore-testnode-only")
 .build();
 try (TransportClient transportClient = TransportClient.builder().addPlugin(XPackPlugin.class).settings(settings).build()) {
 transportClient.addTransportAddress(new InetSocketTransportAddress(InetAddress.getLoopbackAddress(), getProfilePort("no_ssl")));
@@ -384,9 +387,9 @@ public class SslMultiPortTests extends ShieldIntegTestCase {
 */
 public void testThatSSLTransportClientWithNoTruststoreCannotConnectToDefaultProfile() throws Exception {
 Settings settings = settingsBuilder()
- .put("shield.user", DEFAULT_USER_NAME + ":" + DEFAULT_PASSWORD)
+ .put(Security.USER_SETTING.getKey(), DEFAULT_USER_NAME + ":" + DEFAULT_PASSWORD)
 .put("cluster.name", internalCluster().getClusterName())
- .put("shield.transport.ssl", true)
+ .put(ShieldNettyTransport.SSL_SETTING.getKey(), true)
 .build();
 try (TransportClient transportClient = TransportClient.builder().addPlugin(XPackPlugin.class).settings(settings).build()) {
 transportClient.addTransportAddress(randomFrom(internalCluster().getInstance(Transport.class).boundAddress().boundAddresses()));
@@ -404,9 +407,9 @@ public class SslMultiPortTests extends ShieldIntegTestCase {
 */
 public void testThatSSLTransportClientWithNoTruststoreCannotConnectToClientProfile() throws Exception {
 Settings settings = settingsBuilder()
- .put("shield.user", DEFAULT_USER_NAME + ":" + DEFAULT_PASSWORD)
+ .put(Security.USER_SETTING.getKey(), DEFAULT_USER_NAME + ":" + DEFAULT_PASSWORD)
 .put("cluster.name", internalCluster().getClusterName())
- .put("shield.transport.ssl", true)
+ .put(ShieldNettyTransport.SSL_SETTING.getKey(), true)
 .build();
 try (TransportClient transportClient = TransportClient.builder().addPlugin(XPackPlugin.class).settings(settings).build()) {
 transportClient.addTransportAddress(new InetSocketTransportAddress(InetAddress.getLoopbackAddress(), getProfilePort("client")));
@@ -424,9 +427,9 @@ public class SslMultiPortTests extends ShieldIntegTestCase {
 */
 public void testThatSSLTransportClientWithNoTruststoreCannotConnectToNoClientAuthProfile() throws Exception {
 Settings settings = settingsBuilder()
- .put("shield.user", DEFAULT_USER_NAME + ":" + DEFAULT_PASSWORD)
+ .put(Security.USER_SETTING.getKey(), DEFAULT_USER_NAME + ":" + DEFAULT_PASSWORD)
 .put("cluster.name", internalCluster().getClusterName())
- .put("shield.transport.ssl", true)
+ .put(ShieldNettyTransport.SSL_SETTING.getKey(), true)
 .build();
 try (TransportClient transportClient = TransportClient.builder().addPlugin(XPackPlugin.class).settings(settings).build()) {
 transportClient.addTransportAddress(new InetSocketTransportAddress(InetAddress.getLoopbackAddress(),
@@ -445,9 +448,9 @@ public class SslMultiPortTests extends ShieldIntegTestCase {
 */
 public void testThatSSLTransportClientWithNoTruststoreCannotConnectToNoSslProfile() throws Exception {
 Settings settings = settingsBuilder()
- .put("shield.user", DEFAULT_USER_NAME + ":" + DEFAULT_PASSWORD)
+ .put(Security.USER_SETTING.getKey(), DEFAULT_USER_NAME + ":" + DEFAULT_PASSWORD)
 .put("cluster.name", internalCluster().getClusterName())
- .put("shield.transport.ssl", true)
+ .put(ShieldNettyTransport.SSL_SETTING.getKey(), true)
 .build();
 try (TransportClient transportClient = TransportClient.builder().addPlugin(XPackPlugin.class).settings(settings).build()) {
 transportClient.addTransportAddress(new InetSocketTransportAddress(InetAddress.getLoopbackAddress(), getProfilePort("no_ssl")));
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/test/ShieldIntegTestCase.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/test/ShieldIntegTestCase.java
index 340c6ab3fd1..5faaefa3f59 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/test/ShieldIntegTestCase.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/test/ShieldIntegTestCase.java
@@ -14,6 +14,7 @@ import org.elasticsearch.cluster.health.ClusterHealthStatus;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.plugins.Plugin;
 import org.elasticsearch.shield.InternalClient;
+import org.elasticsearch.shield.Security;
 import org.elasticsearch.shield.authc.support.SecuredString;
 import org.elasticsearch.shield.client.SecurityClient;
 import org.elasticsearch.test.ESIntegTestCase.SuppressLocalMode;
@@ -182,7 +183,7 @@ public abstract class ShieldIntegTestCase extends ESIntegTestCase {
 @Override
 protected Settings externalClusterClientSettings() {
 return Settings.builder()
- .put("shield.user", ShieldSettingsSource.DEFAULT_USER_NAME + ":" + ShieldSettingsSource.DEFAULT_PASSWORD)
+ .put(Security.USER_SETTING.getKey(), ShieldSettingsSource.DEFAULT_USER_NAME + ":" + ShieldSettingsSource.DEFAULT_PASSWORD)
 .build();
 }
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/test/ShieldSettingsSource.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/test/ShieldSettingsSource.java
index 655b99902c2..90ef8dbe197 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/test/ShieldSettingsSource.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/test/ShieldSettingsSource.java
@@ -13,8 +13,12 @@ import org.elasticsearch.marvel.Marvel;
 import org.elasticsearch.plugins.Plugin;
 import org.elasticsearch.shield.authc.file.FileRealm;
 import org.elasticsearch.shield.authc.esnative.NativeRealm;
+import org.elasticsearch.shield.Security;
+import org.elasticsearch.shield.audit.AuditTrailModule;
+import org.elasticsearch.shield.audit.logfile.LoggingAuditTrail;
 import org.elasticsearch.shield.authc.support.Hasher;
 import org.elasticsearch.shield.authc.support.SecuredString;
+import org.elasticsearch.shield.authz.store.FileRolesStore;
 import org.elasticsearch.shield.crypto.InternalCryptoService;
 import org.elasticsearch.shield.test.ShieldTestUtils;
 import org.elasticsearch.shield.transport.netty.ShieldNettyHttpServerTransport;
@@ -32,6 +36,7 @@ import java.util.Collections;
 import static com.carrotsearch.randomizedtesting.RandomizedTest.randomBoolean;
 import static org.elasticsearch.common.settings.Settings.settingsBuilder;
+import static org.elasticsearch.test.ESTestCase.randomFrom;
 import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
 import static org.elasticsearch.shield.test.ShieldTestUtils.writeFile;
@@ -120,19 +125,18 @@ public class ShieldSettingsSource extends ClusterDiscoveryConfiguration.UnicastZ
 //TODO: for now isolate shield tests from watcher & monitoring (randomize this later)
 .put(XPackPlugin.featureEnabledSetting(Watcher.NAME), false)
 .put(XPackPlugin.featureEnabledSetting(Marvel.NAME), false)
-
- .put("shield.audit.enabled", randomBoolean())
- .put("shield.audit.logfile.prefix.emit_node_host_address", randomBoolean())
- .put("shield.audit.logfile.prefix.emit_node_host_name", randomBoolean())
- .put("shield.audit.logfile.prefix.emit_node_name", randomBoolean())
- .put(InternalCryptoService.FILE_SETTING, writeFile(folder, "system_key", systemKey))
- .put("shield.authc.realms.file.type", FileRealm.TYPE)
- .put("shield.authc.realms.file.order", 0)
- .put("shield.authc.realms.file.files.users", writeFile(folder, "users", configUsers()))
- .put("shield.authc.realms.file.files.users_roles", writeFile(folder, "users_roles", configUsersRoles()))
- .put("shield.authc.realms.index.type", NativeRealm.TYPE)
- .put("shield.authc.realms.index.order", "1")
- .put("shield.authz.store.files.roles", writeFile(folder, "roles.yml", configRoles()))
+ .put(AuditTrailModule.ENABLED_SETTING.getKey(), randomBoolean())
+ .put(LoggingAuditTrail.HOST_ADDRESS_SETTING.getKey(), randomBoolean())
+ .put(LoggingAuditTrail.HOST_NAME_SETTING.getKey(), randomBoolean())
+ .put(LoggingAuditTrail.NODE_NAME_SETTING.getKey(), randomBoolean())
+ .put(InternalCryptoService.FILE_SETTING.getKey(), writeFile(folder, "system_key", systemKey))
+ .put("xpack.security.authc.realms.file.type", FileRealm.TYPE)
+ .put("xpack.security.authc.realms.file.order", 0)
+ .put("xpack.security.authc.realms.file.files.users", writeFile(folder, "users", configUsers()))
+ .put("xpack.security.authc.realms.file.files.users_roles", writeFile(folder, "users_roles", configUsersRoles()))
+ .put("xpack.security.authc.realms.index.type", NativeRealm.TYPE)
+ .put("xpack.security.authc.realms.index.order", "1")
+ .put(FileRolesStore.ROLES_FILE_SETTING.getKey(), writeFile(folder, "roles.yml", configRoles()))
 .put(getNodeSSLSettings());
 return builder.build();
@@ -143,7 +147,8 @@ public class ShieldSettingsSource extends ClusterDiscoveryConfiguration.UnicastZ
 Settings.Builder builder = settingsBuilder().put(super.transportClientSettings())
 .put(getClientSSLSettings());
 if (randomBoolean()) {
- builder.put("shield.user", transportClientUsername() + ":" + new String(transportClientPassword().internalChars()));
+ builder.put(Security.USER_SETTING.getKey(),
+ transportClientUsername() + ":" + new String(transportClientPassword().internalChars()));
 } else {
 builder.put(ThreadContext.PREFIX + ".Authorization", basicAuthHeaderValue(transportClientUsername(), transportClientPassword()));
@@ -207,12 +212,12 @@ public class ShieldSettingsSource extends ClusterDiscoveryConfiguration.UnicastZ
 public Settings getNodeSSLSettings() {
 return getSSLSettingsForStore("/org/elasticsearch/shield/transport/ssl/certs/simple/testnode.jks", "testnode",
- sslTransportEnabled, hostnameVerificationEnabled, hostnameVerificationResolveNameEnabled);
+ sslTransportEnabled, hostnameVerificationEnabled, hostnameVerificationResolveNameEnabled, false);
 }
 public Settings getClientSSLSettings() {
 return getSSLSettingsForStore("/org/elasticsearch/shield/transport/ssl/certs/simple/testclient.jks", "testclient",
- sslTransportEnabled, hostnameVerificationEnabled, hostnameVerificationResolveNameEnabled);
+ sslTransportEnabled, hostnameVerificationEnabled, hostnameVerificationResolveNameEnabled, true);
 }
 /**
@@ -223,11 +228,12 @@ public class ShieldSettingsSource extends ClusterDiscoveryConfiguration.UnicastZ
 * @return the configuration settings
 */
 public static Settings getSSLSettingsForStore(String resourcePathToStore, String password) {
- return getSSLSettingsForStore(resourcePathToStore, password, true, true, true);
+ return getSSLSettingsForStore(resourcePathToStore, password, true, true, true, true);
 }
 private static Settings getSSLSettingsForStore(String resourcePathToStore, String password, boolean sslTransportEnabled,
- boolean hostnameVerificationEnabled, boolean hostnameVerificationResolveNameEnabled) {
+ boolean hostnameVerificationEnabled, boolean hostnameVerificationResolveNameEnabled,
+ boolean transportClient) {
 Path store;
 try {
 store = PathUtils.get(ShieldSettingsSource.class.getResource(resourcePathToStore).toURI());
@@ -239,20 +245,24 @@ public class ShieldSettingsSource extends ClusterDiscoveryConfiguration.UnicastZ
 throw new ElasticsearchException("store path doesn't exist");
 }
- Settings.Builder builder = settingsBuilder()
- .put("shield.transport.ssl", sslTransportEnabled)
- .put(ShieldNettyHttpServerTransport.HTTP_SSL_SETTING, false);
+ final String sslEnabledSetting =
+ randomFrom(ShieldNettyTransport.SSL_SETTING.getKey(), ShieldNettyTransport.DEPRECATED_SSL_SETTING.getKey());
+ Settings.Builder builder = settingsBuilder().put(sslEnabledSetting, sslTransportEnabled);
+
+ if (transportClient == false) {
+ builder.put(ShieldNettyHttpServerTransport.SSL_SETTING.getKey(), false);
+ }
 if (sslTransportEnabled) {
- builder.put("shield.ssl.keystore.path", store)
- .put("shield.ssl.keystore.password", password)
- .put(ShieldNettyTransport.HOSTNAME_VERIFICATION_SETTING, hostnameVerificationEnabled)
- .put(ShieldNettyTransport.HOSTNAME_VERIFICATION_RESOLVE_NAME_SETTING, hostnameVerificationResolveNameEnabled);
+ builder.put("xpack.security.ssl.keystore.path", store)
+ .put("xpack.security.ssl.keystore.password", password)
+ .put(ShieldNettyTransport.HOSTNAME_VERIFICATION_SETTING.getKey(), hostnameVerificationEnabled)
+ .put(ShieldNettyTransport.HOSTNAME_VERIFICATION_RESOLVE_NAME_SETTING.getKey(), hostnameVerificationResolveNameEnabled);
 }
 if (sslTransportEnabled && randomBoolean()) {
- builder.put("shield.ssl.truststore.path", store)
- .put("shield.ssl.truststore.password", password);
+ builder.put("xpack.security.ssl.truststore.path", store)
+ .put("xpack.security.ssl.truststore.password", password);
 }
 return builder.build();
 }
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/transport/ShieldServerTransportServiceTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/transport/ShieldServerTransportServiceTests.java
index 11ad047d857..84b1081c602 100644
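Review bot: The new `transportClient` parameter is undocumented and its effect is easy to miss: when it is `true` the `ShieldNettyHttpServerTransport.SSL_SETTING` line that disables HTTP SSL is skipped, and the public two-argument `getSSLSettingsForStore` in the hunk above now hard-codes `true`, so any caller that used that overload for node settings silently loses the HTTP SSL setting it received before. A Javadoc line on the private overload such as `@param transportClient when true, omit the HTTP SSL setting; presumably it is not registered for transport clients` would make the contract explicit, and the bare `false`/`true` arguments in `getNodeSSLSettings`/`getClientSSLSettings` at `@@ -207` deserve a `/* transportClient */` hint. Choosing the transport SSL key via `randomFrom(SSL_SETTING, DEPRECATED_SSL_SETTING)` also means some runs configure the cluster through the deprecated key; a one-line comment stating that both keys are meant to be honored would record why. The method's signature is in the previous hunk.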
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/transport/ShieldServerTransportServiceTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/transport/ShieldServerTransportServiceTests.java
@@ -6,10 +6,9 @@ package org.elasticsearch.transport;
 import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.shield.Shield;
+import org.elasticsearch.shield.Security;
 import org.elasticsearch.shield.transport.ShieldServerTransportService;
 import org.elasticsearch.test.ShieldIntegTestCase;
-import org.elasticsearch.xpack.XPackPlugin;
 import java.util.Map;
@@ -22,7 +21,7 @@ public class ShieldServerTransportServiceTests extends ShieldIntegTestCase {
 protected Settings transportClientSettings() {
 return Settings.settingsBuilder()
 .put(super.transportClientSettings())
- .put(XPackPlugin.featureEnabledSetting(Shield.NAME), true)
+ .put(Security.enabledSetting(), true)
 .build();
 }
diff --git a/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/XPackPlugin.java b/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/XPackPlugin.java
index b615bc42ef6..c1ffacccdd3 100644
--- a/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/XPackPlugin.java
+++ b/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/XPackPlugin.java
@@ -22,8 +22,8 @@ import org.elasticsearch.license.plugin.Licensing;
 import org.elasticsearch.marvel.Marvel;
 import org.elasticsearch.plugins.Plugin;
 import org.elasticsearch.script.ScriptModule;
-import org.elasticsearch.shield.Shield;
 import org.elasticsearch.shield.authc.AuthenticationModule;
+import org.elasticsearch.shield.Security;
 import org.elasticsearch.watcher.Watcher;
 import org.elasticsearch.xpack.common.init.LazyInitializationModule;
 import org.elasticsearch.xpack.common.init.LazyInitializationService;
@@ -78,7 +78,7 @@ public class XPackPlugin extends Plugin {
 protected final XPackExtensionsService extensionsService;
 protected Licensing licensing;
- protected Shield shield;
+ protected Security security;
 protected Marvel marvel;
 protected Watcher watcher;
 protected Graph graph;
@@ -86,7 +86,7 @@ public class XPackPlugin extends Plugin {
 public XPackPlugin(Settings settings) {
 this.settings = settings;
 this.licensing = new Licensing(settings);
- this.shield = new Shield(settings);
+ this.security = new Security(settings);
 this.marvel = new Marvel(settings);
 this.watcher = new Watcher(settings);
 this.graph = new Graph(settings);
@@ -118,7 +118,7 @@ public class XPackPlugin extends Plugin {
 ArrayList modules = new ArrayList<>();
 modules.add(new LazyInitializationModule());
 modules.addAll(licensing.nodeModules());
- modules.addAll(shield.nodeModules());
+ modules.addAll(security.nodeModules());
 modules.addAll(watcher.nodeModules());
 modules.addAll(marvel.nodeModules());
 modules.addAll(graph.nodeModules());
@@ -133,7 +133,7 @@ public class XPackPlugin extends Plugin {
 // constructs
 services.add(LazyInitializationService.class);
 services.addAll(licensing.nodeServices());
- services.addAll(shield.nodeServices());
+ services.addAll(security.nodeServices());
 services.addAll(watcher.nodeServices());
 services.addAll(marvel.nodeServices());
 services.addAll(graph.nodeServices());
@@ -143,7 +143,7 @@ public class XPackPlugin extends Plugin {
 @Override
 public Settings additionalSettings() {
 Settings.Builder builder = Settings.builder();
- builder.put(shield.additionalSettings());
+ builder.put(security.additionalSettings());
 builder.put(watcher.additionalSettings());
 builder.put(graph.additionalSettings());
 return builder.build();
@@ -158,7 +158,7 @@ public class XPackPlugin extends Plugin {
 // we add the `xpack.version` setting to all internal indices
 module.registerSetting(Setting.simpleString("index.xpack.version", Setting.Property.IndexScope));
- shield.onModule(module);
+ security.onModule(module);
 marvel.onModule(module);
 watcher.onModule(module);
 graph.onModule(module);
@@ -168,7 +168,7 @@ public class XPackPlugin extends Plugin {
 public void onModule(NetworkModule module) {
 licensing.onModule(module);
 marvel.onModule(module);
- shield.onModule(module);
+ security.onModule(module);
 watcher.onModule(module);
 graph.onModule(module);
 }
@@ -176,7 +176,7 @@ public class XPackPlugin extends Plugin {
 public void onModule(ActionModule module) {
 licensing.onModule(module);
 marvel.onModule(module);
- shield.onModule(module);
+ security.onModule(module);
 watcher.onModule(module);
 graph.onModule(module);
 }
@@ -188,7 +188,7 @@ public class XPackPlugin extends Plugin {
 }
 public void onIndexModule(IndexModule module) {
- shield.onIndexModule(module);
+ security.onIndexModule(module);
 graph.onIndexModule(module);
 }
diff --git a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/support/http/HttpClient.java b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/support/http/HttpClient.java
index dc751ee27d2..d340f77755d 100644
--- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/support/http/HttpClient.java
+++ b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/support/http/HttpClient.java
@@ -50,7 +50,7 @@ public class HttpClient extends AbstractLifecycleComponent {
 static final String SETTINGS_SSL_PREFIX = "watcher.http.ssl.";
 static final String SETTINGS_PROXY_PREFIX = "watcher.http.proxy.";
- static final String SETTINGS_SSL_SHIELD_PREFIX = "shield.ssl.";
+ static final String SETTINGS_SSL_SHIELD_PREFIX = "xpack.security.ssl.";
 public static final String SETTINGS_SSL_PROTOCOL = SETTINGS_SSL_PREFIX + "protocol";
 static final String SETTINGS_SSL_SHIELD_PROTOCOL = SETTINGS_SSL_SHIELD_PREFIX + "protocol";
diff --git a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/support/secret/SecretModule.java b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/support/secret/SecretModule.java
index afa077aba89..ced761b293c 100644
--- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/support/secret/SecretModule.java
+++ b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/support/secret/SecretModule.java
@@ -7,22 +7,22 @@ package org.elasticsearch.watcher.support.secret;
 import org.elasticsearch.common.inject.AbstractModule;
 import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.shield.Shield;
+import org.elasticsearch.shield.Security;
 /**
 *
 */
 public class SecretModule extends AbstractModule {
- private final boolean shieldEnabled;
+ private final boolean securityEnabled;
 public SecretModule(Settings settings) {
- shieldEnabled = Shield.enabled(settings);
+ securityEnabled = Security.enabled(settings);
 }
 @Override
 protected void configure() {
- if (shieldEnabled) {
+ if (securityEnabled) {
 bind(SecretService.Secure.class).asEagerSingleton();
 bind(SecretService.class).to(SecretService.Secure.class);
 } else {
diff --git a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/WatcherF.java b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/WatcherF.java
index 1bc9fab8b2f..bcbcb44fb38 100644
--- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/WatcherF.java
+++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/WatcherF.java
@@ -33,7 +33,7 @@ public class WatcherF {
 settings.put("http.cors.enabled", "true");
 settings.put("http.cors.allow-origin", "*");
 settings.put("script.inline", "true");
- settings.put("shield.enabled", "false");
+ settings.put("xpack.security.enabled", "false");
 settings.put("security.manager.enabled", "false");
 settings.put("cluster.name", WatcherF.class.getSimpleName());
diff --git a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/WatcherPluginDisableTests.java b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/WatcherPluginDisableTests.java
index 168c3953968..1101e08a6ab 100644
--- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/WatcherPluginDisableTests.java
+++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/WatcherPluginDisableTests.java
@@ -15,7 +15,7 @@ import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.http.HttpServerTransport;
 import org.elasticsearch.marvel.Marvel;
 import org.elasticsearch.plugins.Plugin;
-import org.elasticsearch.shield.Shield;
+import org.elasticsearch.shield.Security;
 import org.elasticsearch.test.ESIntegTestCase;
 import org.elasticsearch.test.ESIntegTestCase.ClusterScope;
 import org.elasticsearch.test.rest.client.http.HttpRequestBuilder;
@@ -44,7 +44,7 @@ public class WatcherPluginDisableTests extends ESIntegTestCase {
 .put(XPackPlugin.featureEnabledSetting(Watcher.NAME), false)
 // disable shield because of query cache check and authentication/authorization
- .put(XPackPlugin.featureEnabledSetting(Shield.NAME), false)
+ .put(XPackPlugin.featureEnabledSetting(Security.NAME), false)
 .put(XPackPlugin.featureEnabledSetting(Marvel.NAME), false)
 .put(NetworkModule.HTTP_ENABLED.getKey(), true)
diff --git a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/shield/BasicShieldTests.java b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/shield/BasicShieldTests.java
index 72920eceb8c..3d8d707bbb7 100644
--- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/shield/BasicShieldTests.java
+++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/shield/BasicShieldTests.java
@@ -6,6 +6,7 @@ package org.elasticsearch.watcher.shield;
 import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.shield.Security;
 import org.elasticsearch.shield.authc.support.SecuredString;
 import org.elasticsearch.watcher.WatcherState;
 import org.elasticsearch.watcher.test.AbstractWatcherIntegrationTestCase;
@@ -40,7 +41,7 @@ public class BasicShieldTests extends AbstractWatcherIntegrationTestCase {
 return Settings.builder()
 .put("client.transport.sniff", false)
 // Use just the transport user here, so we can test Watcher roles specifically
- .put("shield.user", "transport_client:changeme")
+ .put(Security.USER_SETTING.getKey(), "transport_client:changeme")
 .build();
 }
diff --git a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/test/AbstractWatcherIntegrationTestCase.java b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/test/AbstractWatcherIntegrationTestCase.java
index 042ca0e80f9..614d9c05c5f 100644
--- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/test/AbstractWatcherIntegrationTestCase.java
+++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/test/AbstractWatcherIntegrationTestCase.java
@@ -28,8 +28,10 @@ import org.elasticsearch.script.MockMustacheScriptEngine;
 import org.elasticsearch.search.SearchHit;
 import org.elasticsearch.search.builder.SearchSourceBuilder;
 import org.elasticsearch.shield.authc.file.FileRealm;
+import org.elasticsearch.shield.Security;
 import org.elasticsearch.shield.authc.support.Hasher;
 import org.elasticsearch.shield.authc.support.SecuredString;
+import org.elasticsearch.shield.authz.store.FileRolesStore;
 import org.elasticsearch.shield.crypto.InternalCryptoService;
 import org.elasticsearch.test.ESIntegTestCase;
 import org.elasticsearch.test.ESIntegTestCase.ClusterScope;
@@ -262,7 +264,7 @@ public abstract class AbstractWatcherIntegrationTestCase extends ESIntegTestCase
 return Settings.builder()
 .put("client.transport.sniff", false)
- .put("shield.user", "admin:changeme")
+ .put(Security.USER_SETTING.getKey(), "admin:changeme")
 .build();
 }
@@ -703,20 +705,20 @@ public abstract class AbstractWatcherIntegrationTestCase extends ESIntegTestCase
 public static Settings settings(boolean enabled) {
 Settings.Builder builder = Settings.builder();
 if (!enabled) {
- return builder.put("shield.enabled", false).build();
+ return builder.put("xpack.security.enabled", false).build();
 }
 try {
 Path folder = createTempDir().resolve("watcher_shield");
 Files.createDirectories(folder);
- return builder.put("shield.enabled", true)
- .put("shield.authc.realms.file.type", FileRealm.TYPE)
- .put("shield.authc.realms.file.order", 0)
- .put("shield.authc.realms.file.files.users", writeFile(folder, "users", USERS))
- .put("shield.authc.realms.file.files.users_roles", writeFile(folder, "users_roles", USER_ROLES))
- .put("shield.authz.store.files.roles", writeFile(folder, "roles.yml", ROLES))
- .put("shield.system_key.file", writeFile(folder, "system_key.yml", systemKey))
- .put("shield.authc.sign_user_header", false)
- .put("shield.audit.enabled", auditLogsEnabled)
+ return builder.put("xpack.security.enabled", true)
+ .put("xpack.security.authc.realms.esusers.type", FileRealm.TYPE)
+ .put("xpack.security.authc.realms.esusers.order", 0)
+ .put("xpack.security.authc.realms.esusers.files.users", writeFile(folder, "users", USERS))
+ .put("xpack.security.authc.realms.esusers.files.users_roles", writeFile(folder, "users_roles", USER_ROLES))
+ .put(FileRolesStore.ROLES_FILE_SETTING.getKey(), writeFile(folder, "roles.yml", ROLES))
+ .put(InternalCryptoService.FILE_SETTING.getKey(), writeFile(folder, "system_key.yml", systemKey))
+ .put("xpack.security.authc.sign_user_header", false)
+ .put("xpack.security.audit.enabled", auditLogsEnabled)
 .build();
 } catch (IOException ex) {
 throw new RuntimeException("failed to build settings for shield", ex);
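Review bot: The realm name changes from `file` to `esusers` in the new `xpack.security.authc.realms.esusers.*` keys, which is unrelated to the key-prefix migration this commit performs and diverges from `ShieldSettingsSource`, which keeps `realms.file.*` in the same commit; if the rename is deliberate a short comment saying why would help, otherwise keeping `realms.file` leaves the two test fixtures aligned. The `"xpack.security.enabled"` literal at the top and bottom of this method could use `Security.enabledSetting()` as `ShieldServerTransportServiceTests` does in this commit, since `Security` is now imported here and the compiler would then catch the next rename; the same literal appears in `WatcherF` and in the two benchmark classes at the end of the diff. The method's closing lines are outside the hunk.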
diff --git a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/test/bench/WatcherExecutorServiceBenchmark.java b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/test/bench/WatcherExecutorServiceBenchmark.java
index 91a585d96b8..c0f620dcca9 100644
--- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/test/bench/WatcherExecutorServiceBenchmark.java
+++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/test/bench/WatcherExecutorServiceBenchmark.java
@@ -44,7 +44,7 @@ import static org.elasticsearch.watcher.trigger.schedule.Schedules.interval;
 public class WatcherExecutorServiceBenchmark {
 private final static Settings SETTINGS = Settings.builder()
- .put("shield.enabled", false)
+ .put("xpack.security.enabled", false)
 .put("cluster.name", "bench")
 .put("network.host", "localhost")
 .put("script.disable_dynamic", false)
diff --git a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/test/bench/WatcherScheduleEngineBenchmark.java b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/test/bench/WatcherScheduleEngineBenchmark.java
index 87f324d933e..44747bfd166 100644
--- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/test/bench/WatcherScheduleEngineBenchmark.java
+++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/test/bench/WatcherScheduleEngineBenchmark.java
@@ -59,7 +59,7 @@ import static org.elasticsearch.watcher.trigger.schedule.Schedules.interval;
 public class WatcherScheduleEngineBenchmark {
 private final static Settings SETTINGS = Settings.builder()
- .put("shield.enabled", false)
+ .put("xpack.security.enabled", false)
 .put("cluster.name", "bench")
 .put("script.disable_dynamic", false)
 .put("http.cors.enabled", true)