Commit Graph

107 Commits

Author SHA1 Message Date
Lee Hinman 637301beca Adjust to Nullable moving into core (elastic/x-pack-elasticsearch#4275)
This is the x-pack side of https://github.com/elastic/elasticsearch/pull/29341

Original commit: elastic/x-pack-elasticsearch@08b6220009
2018-04-03 07:56:21 -06:00
Tim Brooks 383cadaee7 Fix SSL renegoation test (elastic/x-pack-elasticsearch#4273)
This commit fixes an issue in the security nio transport tests where
renegotiation was not actually being tested. We were not waiting on the
handshake complete latches. This commit fixes this issue.

Original commit: elastic/x-pack-elasticsearch@47bebc5c13
2018-04-02 21:35:35 -04:00
Andy Bristol 0144d20213 [test] remove Streamable serde assertions (elastic/x-pack-elasticsearch#4261)
Serialization assertions in ElasticsearchAssertions, a transport
interceptor that used them, and a plugin that added that interceptor
were removed from the test framework. This test case no longer needs to
exclude them from its plugins.

Original commit: elastic/x-pack-elasticsearch@07e5c58983
2018-03-30 14:09:36 -07:00
Tim Vernum e69c5d4d48 Add secure_bind_password to LDAP realm (elastic/x-pack-elasticsearch#4192)
Adds a SecureSetting option for the "bind_password" in LDAP/AD realms
and deprecates the non-secure version.

LDAP bind passwords should now be configured with the setting
`xpack.security.authc.realms.REALM_NAME.secure_bind_password`
in the elasticsearch keystore.

Original commit: elastic/x-pack-elasticsearch@1a0cebd77e
2018-03-29 16:31:45 +10:00
Yogesh Gaikwad 01ab4782a1 SAML: Enhance tests to randomly select crypto algorithms (elastic/x-pack-elasticsearch#4217)
- Changes in CertUtils to add algorithm parameter to
  generateSignedCertificates
- Changes in Tests to randomly pick signature algorithms
- Changes in Tests to randomly pick encryption algorithms

relates elastic/x-pack-elasticsearch#3983

Original commit: elastic/x-pack-elasticsearch@d1b5f3a166
2018-03-29 12:36:40 +11:00
Tim Vernum 94b6f637a6 Improve error if Indices Permission is too complex (elastic/x-pack-elasticsearch#4239)
If a user has roles that grant access to a large number of disparate
index patterns, then the resulting Automaton can become large and
too costly to determinise. This happens rarely, and is usually a sign
of a poorly implemented security model, so we have no immediate plans
to change the implementation. However the resulting error message is
not clear and does not provide sufficient information for users to
resolve the underlying problem.

This commit catches the underlying exception and provides a more
specific error message, with DEBUG logging of the offending index
patterns.

Original commit: elastic/x-pack-elasticsearch@532be70efc
2018-03-29 10:55:48 +10:00
Albert Zaharovits 53436450c4 All logging audit settings updateable (elastic/x-pack-elasticsearch#4227)
All logging audit settings are update-able via cluster settings
update API (prefix.emit_node_host_address,
prefix.emit_node_host_name, prefix.emit_node_name, events.include,
events.exclude).

Original commit: elastic/x-pack-elasticsearch@96adbd0ae2
2018-03-28 21:46:28 +03:00
Ioannis Kakavas febb46b702 [SAML] Saml metadata signing (elastic/x-pack-elasticsearch#4184)
Adds option to sign generated Service Provider SAML metadata
- Using a (possibly password protected) PEM encoded keypair
- Using a keypair stored in a (possibly password protected) PKCSelastic/x-pack-elasticsearch#12 keystore

Resolves elastic/x-pack-elasticsearch#3982


Original commit: elastic/x-pack-elasticsearch@7b806d76f8
2018-03-28 13:43:29 +03:00
Albert Zaharovits b7515f03cf LdapUserSearch rebind with bind DN after user bind (elastic/x-pack-elasticsearch#4209)
Fixes an inconsistency bug in which `LdapSession`s built by
`LdapUserSearchSessionFactory` are different if the factory is
configured to use a connection pool or not. The bind status of the
connection, or the connection(s) from the pool, passed through to
the newly minted `LdapSession` are now identical. Connections are
bind to the bind_dn configuration entry in the realm config.

Original commit: elastic/x-pack-elasticsearch@094af063ea
2018-03-28 09:36:02 +03:00
Lee Hinman b646abd12c Adjust to XContentBuilder decoupling (elastic/x-pack-elasticsearch#4212)
This is the x-pack side of https://github.com/elastic/elasticsearch/pull/29225
where some methods were renamed or take different arguments.

Original commit: elastic/x-pack-elasticsearch@525e118381
2018-03-27 12:58:26 -06:00
Lee Hinman cd4a073bb5 Decouple XContentBuilder classes for strict building (elastic/x-pack-elasticsearch#4188)
This is the x-pack side of https://github.com/elastic/elasticsearch/pull/29197

Original commit: elastic/x-pack-elasticsearch@7237622dee
2018-03-22 08:19:08 -06:00
Jay Modi b0cc5afe8b Disable security for trial licenses by default (elastic/x-pack-elasticsearch#4120)
This change disables security for trial licenses unless security is
explicitly enabled in the settings. This is done to facilitate users
getting started and not having to deal with some of the complexities
involved in getting security configured. In order to do this and avoid
disabling security for existing users that have gold or platinum
licenses, we have to disable security after cluster formation so that
the license can be retrieved.

relates elastic/x-pack-elasticsearch#4078

Original commit: elastic/x-pack-elasticsearch@96bdb889fc
2018-03-21 21:09:44 -06:00
Yogesh Gaikwad 57946a97df X-Pack-Security: Making setup-passwords work with protected keystores (elastic/x-pack-elasticsearch#3918)
Changes are done in SetupPasswordTool to load the keystore
and set security settings to load password protected keys in SSL configuration.
Check for the verification mode and appropriately use hostname verifier.
Close the keystore after setup-password is complete.
Unit test for CommandLineHttpClient

TODO: TLS documentation needs to be fixed, which will be taken up as a separate
fix due to documentation refactoring in progress.

relates elastic/x-pack-elasticsearch#3760 

Original commit: elastic/x-pack-elasticsearch@72e8666e21
2018-03-21 09:48:01 +11:00
Tim Vernum 063ed78c42 Provide clearer errors if SAML is not licensed (elastic/x-pack-elasticsearch#4096)
SAML is only available on a Platinum license. If you try and use SAML
on a Gold license, then the error message is misleading - it gives the
equivalent of "cannot find saml realm".

This change adds a standard license error of
    "current license is non-compliant for [saml]"
if SAML rest actions are used when SAML is not licensed.

Original commit: elastic/x-pack-elasticsearch@7c0e26d58e
2018-03-20 18:54:51 +10:00
Tim Vernum 7cd5e1d516 Check cluster heath before setup-passwords (elastic/x-pack-elasticsearch#4104)
Trying to setup passwords on a red cluster (or a cluster that cannot
reach a quorum) is generally not a good idea.

This commit:
- Adds a check for RED cluster status
- Prompts to confirm execution if the cluster is red
- Prints out the reason/type is an error response is received
- Increases the HTTP read timeout so that master election failures are
  reported correctly.

Original commit: elastic/x-pack-elasticsearch@4ffbda23db
2018-03-20 17:03:17 +10:00
Tim Vernum bc95ad80ce Add beats_system user to security (elastic/x-pack-elasticsearch#4103)
This creates a new "beats_system" user and role with the same
privileges as the existing "logstash_system" user/role.

The "beat_system" user is also added as a managed user within
the "setup-passwords" command.

Users who upgrade from an earlier version of Elasticsearch/X-Pack
will need to manually set a password for the beats_system user via
the change password API (or Kibana UI)

Original commit: elastic/x-pack-elasticsearch@6087d3a18e
2018-03-20 17:01:53 +10:00
Albert Zaharovits 7ea79c88ab Realm along the principal in audit authz events (elastic/x-pack-elasticsearch#3260)
Add realm name to all authz audit events: accessDenied, accessGranted,
runAsDenied and runAsGranted.
These event types receive the following attributes: realm,
run_by_realm and run_as_realm to go along with with the existing
attributes: principal, run_by_principal and run_as_principal. The
'effective realm name' (run_as_realm or run_by_realm) is certainly
filterable by ignore policies.

Original commit: elastic/x-pack-elasticsearch@cb3801e197
2018-03-18 11:27:28 +02:00
Albert Zaharovits 14acdcb4f7 Fix test after elastic/x-pack-elasticsearch#28919
After elastic/x-pack-elasticsearch#28919 some rest client exceptions are wrapped by the
IOException.

Original commit: elastic/x-pack-elasticsearch@6c658ae5b7
2018-03-17 16:58:12 +02:00
Albert Zaharovits 891013a17b Update audit trail filter policy settings (elastic/x-pack-elasticsearch#3984)
Audit trail filter policies can now be updated by the cluster update
settings API. Previously, policies were static inside the conf file.
This is helpful because, in practice, coming up with a reasonable
policy set is an iterative process, adding and changing policies to
shave off yet another pesky audit event.

Original commit: elastic/x-pack-elasticsearch@e8a670c427
2018-03-17 11:30:11 +02:00
Jay Modi bccf988e9d Run active directory tests against a samba4 fixture (elastic/x-pack-elasticsearch#4067)
This commit adds a Samba4 test fixture that acts as a domain controller
and has the same contents as the cloud active directory instance that
we previously used for tests.

The tests also support reading information from environment variables
so that they can be run against a real active directory instance in our
CI builds.

In addition, this commit also fixes a few issues that surfaced when
making this change. The first is a change in the base DN that is
searched when performing down-level authentication. The base DN is
now the configuration object instead of the domain DN. This change was
required due to the original producing unnecessary referrals, which we
cannot easily follow when running against this test figure. Referrals
cannot easily be followed as they are returned by the ldap server with
an unresolvable DNS name unless the host points to the samba4 instance
for DNS. The port returned in the referral url is the one samba is bound
to, which differs from the port that is forwarded to the host by the
test fixture.

The other issue that is resolved by this change is the addition of
settings that allow specifying non-standard ports for active directory.
This is needed for down-level authentication as we may need to query
the regular port of active directory instead of the global catalog
port as the configuration object is not replicated to the global
catalog.

relates elastic/x-pack-elasticsearch#185
Relates elastic/x-pack-elasticsearch#3800

Original commit: elastic/x-pack-elasticsearch@883c742fba
2018-03-16 10:44:23 -06:00
Lee Hinman b14baf4a6f Decouple XContentBuilder from BytesReference (elastic/x-pack-elasticsearch#4119)
* Decouple XContentBuilder from BytesReference

This commit handles the removal of all mentions of BytesReference from
XContentBuilder. This is needed so that we can completely decouple the XContent
code and move it into its own dependency.

This is the x-pack side of https://github.com/elastic/elasticsearch/pull/28972

Original commit: elastic/x-pack-elasticsearch@8ba2e97b26
2018-03-14 13:48:05 -06:00
Jason Tedor fbb752c273 Use Elasticsearch IOUtils (elastic/x-pack-elasticsearch#4105)
This commit replaces the usage of Lucene IOUtils with Elasticsearch
IOUtils, the former of which is now forbidden.

Original commit: elastic/x-pack-elasticsearch@8e0554001f
2018-03-13 12:49:52 -04:00
Yannick Welsch 4bce53a1ad Disallow logger methods with Object parameter
Relates to elastic/elasticsearch#28969

Original commit: elastic/x-pack-elasticsearch@1eff5eecd9
2018-03-12 11:03:23 +01:00
Tim Vernum 41af46688a Make PKI BootstrapCheck work with SecureSettings (elastic/x-pack-elasticsearch#3993)
SslConfiguration can depend on SecureSettings, so it must be
constructed during the correct lifecycle phase.
For PkiRealmBootstrapCheck, moved the construction of SslConfiguration
objets into the constructor rather than the check method

Original commit: elastic/x-pack-elasticsearch@1a4d147216
2018-03-12 10:48:35 +10:00
Albert Zaharovits d31d90d378 Auditing requests with null indices (elastic/x-pack-elasticsearch#4016)
Adds null check.

relates elastic/x-pack-elasticsearch#3988

Original commit: elastic/x-pack-elasticsearch@64bab62ca6
2018-03-11 13:13:14 +02:00
Ioannis Kakavas 558679f997 Disregard comments in XML documents (elastic/x-pack-elasticsearch#4047)
* Disregard comments in XML documents
* Add tests to verify comments in XML are ignored

Original commit: elastic/x-pack-elasticsearch@8b2d8d32ef
2018-03-08 22:32:33 -08:00
Tim Vernum 3a4fa16f03 [SAML] Handle ACS URL with existing query params (elastic/x-pack-elasticsearch#4060)
If the Assertion Consumer Service URL already contained query
parameters, we would incorrectly append an addtional '?' rather than
adding the SAML parameters to the end with '&'

Original commit: elastic/x-pack-elasticsearch@60b6a977d8
2018-03-09 17:15:55 +11:00
Lee Hinman 2147d217df Wrap stream passed to createParser in try-with-resources (elastic/x-pack-elasticsearch#4055)
This wraps the stream (`.streamInput()`) that is passed to many of the
`createParser` instances in the enclosing (or a new) try-with-resources block.
This ensures the `BytesReference.streamInput()` is closed.

Relates to elastic/x-pack-elasticsearch#28504

Original commit: elastic/x-pack-elasticsearch@7546e3b4d4
2018-03-04 16:48:15 -07:00
Lee Hinman c763a14132 Pass InputStream when creating XContent parser (elastic/x-pack-elasticsearch#4001)
* Pass InputStream when creating XContent parser

Rather than passing the raw `BytesReference` in when creating the xcontent
parser, this passes the StreamInput (which is an InputStream), this allows us to
decouple XContent from BytesReference.

This is the x-pack side of https://github.com/elastic/elasticsearch/pull/28754

* Use the streamInput variant, not sourceAsString

Original commit: elastic/x-pack-elasticsearch@dd5d8b1654
2018-02-23 15:22:28 -07:00
Zachary Tong bf1550a0b2 Rollups for Elasticsearch (elastic/x-pack-elasticsearch#4002)
This adds a new Rollup module to XPack, which allows users to configure periodic "rollup jobs" to pre-aggregate data.  That data is then available later for search through a special RollupSearch API, which mimics the DSL and functionality of regular search.

Rollups are used to drastically reduce the on-disk footprint of metric-based data (e.g. timestamped document with numeric and keyword fields).  It can also be used to speed up aggregations over large datasets, since the rolled data will be considerably smaller and fewer documents to search.

The PR adds seven new endpoints to interact with Rollups; create/get/delete job, start/stop job, a capabilities API similar to field-caps, and a Rollup-enabled search.

Original commit: elastic/x-pack-elasticsearch@dcde91aacf
2018-02-23 17:10:37 -05:00
Alexander Reelsen 7f166e1927 Cleanup: Move tests calling external services into QA projects (elastic/x-pack-elasticsearch#3869)
This also moves the hipchat/pagerduty/slack tests to REST tests which put real watches and also check the history.

Relates elastic/x-pack-elasticsearch#3800


Original commit: elastic/x-pack-elasticsearch@fce08d9cb7
2018-02-23 13:31:28 +01:00
Tim Brooks 33ae455e6c Selectors operate on channel contexts (elastic/x-pack-elasticsearch#3803)
This is related to elastic/elasticsearch#28468. It is a compatibility
commit to ensure that x-pack is compatible with those changes.

Original commit: elastic/x-pack-elasticsearch@3ddf719adc
2018-02-22 09:45:07 -07:00
Tim Vernum 828387a25a Add more info logging when loading roles.yml (elastic/x-pack-elasticsearch#3992)
Although not frequently used in production, we make heavy use of the
FileRolesStore within integration tests. This change adds a little bit
more logging at INFO level when the roles.yml file is (re)loaded.

Original commit: elastic/x-pack-elasticsearch@bbacd46e28
2018-02-22 11:10:27 +11:00
Jay Modi e3e82ccb2d Security: IndexAuditTrail updates mappings when indexing locally (elastic/x-pack-elasticsearch#3944)
This change makes the IndexAuditTrail update mappings for the current
index even when indexing locally. This is needed in a couple of
scenarios; the first being upgrades from 5x to 6x where the document
type was changed and the second is when upgrading minor versions and
a new field has been introduced. A new field was introduced in 6.2.

Additionally, writing tests for the rolling upgrade revealed a bug
where the actual node name was never being set as it was using the name
key instead of the node.name key.

relates elastic/x-pack-elasticsearch#3901
relates elastic/x-pack-elasticsearch#3718

Original commit: elastic/x-pack-elasticsearch@7374a62ff1
2018-02-20 11:09:56 -07:00
Jay Modi 0fc0034509 Test: remove outdated logic for file writing in security tests (elastic/x-pack-elasticsearch#3947)
This commit removes some outdated logic in the SecurityTestUtils class
for writing files and creating directories. A long, long time ago there
was a global cluster for tests that was used across suites and because
of this there were calls to delete files if they already existed. The
global cluster has been removed, so we no longer need the code that
deletes the content of a directory if it already exists.

Additionally, the file writing used in SecurityTestUtils did not use
atomic moves when possible and this commit changes the code such that a
temp file is written and we try to atomically move it to the correct
path; if atomic moves are not supported a regular move is performed.

relates elastic/x-pack-elasticsearch#3912

Original commit: elastic/x-pack-elasticsearch@973fcfe2e1
2018-02-20 09:34:17 -07:00
Lee Hinman 6728912c87 Handle removing log4j dependency from elasticsearch-core jar (elastic/x-pack-elasticsearch#3976)
This handles the removal of the log4j dependency from our elasticsearch-core
project. It was originally necessary only for our jar classpath checking. It is
now replaced by a `Consumer<String>`.

This is the x-pack side of https://github.com/elastic/elasticsearch/pull/28705

Original commit: elastic/x-pack-elasticsearch@1186a7eaf6
2018-02-20 09:15:56 -07:00
Tim Vernum 56c761f241 Log roles.yml changes in TokenAuthIntegTests
This test recently failed and it appears that the cause was that
roles.yml was deleted while the cluster was still running.
This turns on logging for the FileRolesStore so that changes to file
based roles can traced more easily.

Original commit: elastic/x-pack-elasticsearch@fbce5a8027
2018-02-20 17:19:39 +11:00
Tim Vernum c4582cdcd0 Additional settings for SAML NameID policy (elastic/x-pack-elasticsearch#3969)
* Additional settings for SAML NameID policy

We should not be populating SPNameQualifier by default as it is
intended to be used to specify an alternate SP EntityID rather than
our own. Some IdPs (ADFS) fail when presented with this value.

This commit
- makes the SPNameQualifier a setting that defaults to blank
- adds a setting for "AllowCreate"
- documents the above

Original commit: elastic/x-pack-elasticsearch@093557e88f
2018-02-20 13:51:42 +11:00
Albert Zaharovits 5833ed296e Fix embarrassing NPE in audit trail.
relates elastic/x-pack-elasticsearch#3988

Original commit: elastic/x-pack-elasticsearch@72c16ea50f
2018-02-19 20:14:37 +02:00
Lee Hinman affc9e3563 Move more XContent.createParser calls to non-deprecated version (elastic/x-pack-elasticsearch#3928)
Part 2

This moves more of the callers to pass in the DeprecationHandler.

Relates to elastic/x-pack-elasticsearch#28504

Original commit: elastic/x-pack-elasticsearch@e0b52bf050
2018-02-14 09:41:26 -07:00
Lee Hinman e8ef20b219 Move more XContent.createParser calls to non-deprecated version (elastic/x-pack-elasticsearch#3927)
* Move more XContent.createParser calls to non-deprecated version

This moves more of the callers to pass in the DeprecationHandler.

Relates to https://github.com/elastic/elasticsearch/issues/28504

* Mockito ಠ_ಠ

Original commit: elastic/x-pack-elasticsearch@81cb99ba52
2018-02-14 09:24:47 -07:00
Yogesh Gaikwad 20503a997f X-Pack-Security: Improve error messaging during setup password (elastic/x-pack-elasticsearch#3809)
* X-Pack-Security: Improve error messaging during setup password

Changes are done to improve logging and exception messages when
setup passwords. Now it checks whether
- X-Pack plugin is available
- X-Pack Security is available 
- X-Pack Security is enabled
by invoking /_xpack query and throws a specific error message.
1. Modifications to simple http client to return http response.
2. Changes in SetupPasswordTool for throwing appropriate exceptions.
2. Unit tests

relates elastic/x-pack-elasticsearch#3476

Original commit: elastic/x-pack-elasticsearch@eb0c5a19c5
2018-02-14 13:11:00 +11:00
Tim Brooks 5dbbe8fef8 Default to basic license at startup (elastic/x-pack-elasticsearch#3878)
This is related to elastic/x-pack-elasticsearch#3877. This commit modifies the license settings to
default to self generating a basic license.

Original commit: elastic/x-pack-elasticsearch@cd6ee8e06f
2018-02-12 12:57:04 -07:00
Ryan Ernst 4e578fe7cc Build: Replace provided configuration with compileOnly (elastic/x-pack-elasticsearch#3868)
This is the xpack side of elastic/elasticsearch#28564

Original commit: elastic/x-pack-elasticsearch@60033824a4
2018-02-09 11:30:43 -08:00
Ioannis Kakavas 7504e33da7 Change value of METADATA_REFRESH for the tests (elastic/x-pack-elasticsearch#3879)
Ensure that the next triggered metadata refresh is always in the
future. relates elastic/x-pack-elasticsearch#3815

Original commit: elastic/x-pack-elasticsearch@edd9ba911d
2018-02-09 18:22:26 +01:00
Albert Zaharovits fb8adb4a1c [Security][Tests] Azeri(Turkish) locale tripps opensaml dependency
Original commit: elastic/x-pack-elasticsearch@9c4ecabe48
2018-02-09 13:57:09 +02:00
Albert Zaharovits a57999e1e1 [Security][Tests] Print LDAP reconnect stacktrace on fail
Original commit: elastic/x-pack-elasticsearch@18f235197c
2018-02-08 13:41:02 +02:00
Alexander Reelsen 064a0819d9 Cleanup: Remove HaltedClock (elastic/x-pack-elasticsearch#3731)
java.time features it's own halted clock, called a fixed clock, we can
use that one.

On top of that the watcher xcontent parser does not need a clock at all,
just a timestamp when parsing happened.

Original commit: elastic/x-pack-elasticsearch@2061aeffe1
2018-02-08 09:24:08 +01:00
Tim Vernum 3102b94946 [TEST] Don't fail IndexAuditTrailTests if the test runs very fast
Relates: elastic/x-pack-elasticsearch#3472

Original commit: elastic/x-pack-elasticsearch@00fde8973f
2018-02-08 16:44:58 +11:00
Ryan Ernst f360d2d8d7 Build: Cleanup gradle files (elastic/x-pack-elasticsearch#3867)
There were a number of leftover unnecessary elements in the module
build.gradle files that were holdovers from copying the original plugin
build.gradle. This commit removes these elements.

Original commit: elastic/x-pack-elasticsearch@08babbd520
2018-02-07 16:58:09 -08:00