114 Commits

Author SHA1 Message Date
c-a-m 7f77627396 Merge branch 'mrsolo-enhance/static'
Original commit: elastic/x-pack-elasticsearch@c62fc1e081
2014-10-07 11:07:59 -06:00
Bill Hwang 0cb46872cf [CI] Added custom pmd xml file
Add missing file

Original commit: elastic/x-pack-elasticsearch@2939191b32
2014-10-07 11:06:35 -06:00
Bill Hwang 2a1ce81960 [CI] Added static analysis dependencies
Modified pom.xml to do static analysis without Jenkins

'mvn -DskipTests=true -Pstatic clean compile site' to start analysis
The reports are at target/site/project-reports.html.

Original commit: elastic/x-pack-elasticsearch@ddec28e8d0
2014-10-07 11:06:35 -06:00
Alexander Reelsen aec86a060e incorporated review comments
Original commit: elastic/x-pack-elasticsearch@f4c8ed918f
2014-10-07 18:10:08 +02:00
Alexander Reelsen 994f785715 Logging: Stop logging closed channel exceptions by default
Original commit: elastic/x-pack-elasticsearch@c563ecaafb
2014-10-07 18:10:08 +02:00
javanna 11ff005dc3 Internal: replace wildcard expressions and _all with matching indices that the current user is authorized for
Two reasons for this:
1) automatically convert the _all to its matching indices, in the context of the current user is authorized for, instead of resolving wildcards and then throwing authorization exception because the wildcard exp matches indices that the user is not authorized for
2) this makes the wildcards resolution secure, meaning that there is a single place that resolves wildcards. If it happened in shield while authorizing and in core while actually executing the operation, there would be mismatches which would allow to execute operation on indices that the user is not authorized for, if they get created with the "right" timing.

Closes elastic/elasticsearch#54
Closes elastic/elasticsearch#105

Original commit: elastic/x-pack-elasticsearch@a02c6fbccf
2014-10-07 17:16:55 +02:00
Alexander Reelsen c02277283c Add .esvmrc file to start SSL configured cluster fast
esvm is a small commandline tool to start different clusters in a fast way.
This commit adds a preconfigured .esvmrc for starting an SSL enabled cluster
in no time.

All you need to do is to build the package and run

esvm shield

This starts a two node cluster with SSL enabled on HTTP and transport

Original commit: elastic/x-pack-elasticsearch@f701fd1134
2014-10-07 17:08:53 +02:00
javanna 6f4acfa93b [TEST] customize test global cluster for REST tests only if REST tests are enabled
Closes elastic/elasticsearch#107

Original commit: elastic/x-pack-elasticsearch@55eea46460
2014-10-06 12:22:23 +02:00
Alexander Reelsen 0d702c2fbc HTTPS: Do not require client auth by default
Original commit: elastic/x-pack-elasticsearch@795d40a705
2014-10-06 09:11:53 +02:00
Alexander Reelsen fe7d79384f CLI: Fix esusers tool to not create bogus role entry
If a user was created, but the user was not supplied roles on the commandline,
a bogus 'user:' was added to the roles file. This fix checks, if roles were
supplied when creating a user and only changes the roles file in that case.

Original commit: elastic/x-pack-elasticsearch@286951c016
2014-10-06 09:09:55 +02:00
javanna 14fed747fb Restore indices authorization for composite indices requests
Original commit: elastic/x-pack-elasticsearch@64ae3bf5c1
2014-10-02 16:43:09 +02:00
javanna 5b1dd41f23 Move to elasticsearch-1.4.0.Beta1 (no snapshot)
Original commit: elastic/x-pack-elasticsearch@18c93bcae2
2014-10-02 15:42:21 +02:00
Alexander Reelsen 2e6a8e0db8 IP filtering: Removing error messages claiming to reject all connections
Original commit: elastic/x-pack-elasticsearch@2fe77515e7
2014-10-02 11:06:32 +02:00
Alexander Reelsen 464bc0a752 Ip Filtering: Change default rule to allow
In order to prevent confusion when starting up nodes (so they can join easily together)
and adding some usability connections are not denied by default on the server side.

Original commit: elastic/x-pack-elasticsearch@6ffe3a7df2
2014-10-02 09:17:00 +02:00
c-a-m a47de7539c ldap: Changed LdapSslSocketFactory method of setting the static factory, plus miscellaneous cleanup
Original commit: elastic/x-pack-elasticsearch@1e1ba2aa7d
2014-10-01 15:11:26 -06:00
c-a-m 2ed4dd7fb6 ldap: Adds OpenLdap and Active Directory tests, and refactors SSLConfig
SSLConfig is split into SSLConfig and SSLTrustConfig.

OpenLdapTests and ActiveDirectory tests connect via TLS to EC2 instances.

Original commit: elastic/x-pack-elasticsearch@ea38e58dea
2014-10-01 15:11:26 -06:00
Paul Echeverri 7788c833e0 Merge branch 'doc-draft'
Merging Issue elastic/elasticsearch#99

Original commit: elastic/x-pack-elasticsearch@4ddbcb6e30
2014-10-01 13:00:05 -07:00
Paul Echeverri a0a7b9b7ff Merge branch 'master' into doc-draft
Merging PR elastic/elasticsearch#99 per Uri

Original commit: elastic/x-pack-elasticsearch@022a898a9f
2014-10-01 12:59:20 -07:00
Paul Echeverri 5137b21742 Merge pull request elastic/elasticsearch#72 from elasticsearch/doc-draft
Draft docs for Shield

Original commit: elastic/x-pack-elasticsearch@91492a4cf6
2014-10-01 11:55:19 -07:00
Michael McCandless 3b1ae0b593 Upgrade to Lucene 4.10.1
Original commit: elastic/x-pack-elasticsearch@31273b6769
2014-10-01 05:15:49 -04:00
Alexander Reelsen 2fbf4436aa Dependencies: Updating to elasticsearch 1.4.0.Beta1
Original commit: elastic/x-pack-elasticsearch@66cc907790
2014-10-01 11:11:33 +02:00
Alexander Reelsen f5589cffb2 SSL: Added more default ciphers
Original commit: elastic/x-pack-elasticsearch@c419eccec2
2014-10-01 11:03:08 +02:00
uboness 637a9e773c Added user authentication on rest requests
The authc service will now authenticate the user on the rest layer as well, meaning there will only be a single authentication process no matter what is the entry point to ES (for example, if a rest handler executes two internal requests... like some of the _cat APIs, there'll still be a single authentication process)

In addition, the audit logs will now log REST authentication failures such that the remote address and the rest endpoint will show up in the logs as well.

Original commit: elastic/x-pack-elasticsearch@07af440147
2014-09-30 16:51:27 +02:00
c-a-m bd38b5237c Revert "passwordfix: This removes the password clearing from the authentication service"
This reverts commit elastic/x-pack@29462b494f.

Original commit: elastic/x-pack-elasticsearch@50e42933f0
2014-09-29 10:27:16 -06:00
javanna a57eae4f1f Internal: return better error message in SecurityFilter and InternalKeyService & share signing code
Closes elastic/elasticsearch#89

Original commit: elastic/x-pack-elasticsearch@a1dcd9c5aa
2014-09-29 11:50:38 +02:00
c-a-m 402749e12b passwordfix: This removes the password clearing from the authentication service
This fixes a bug when the UsernamePasswordToken is cached in the userContext and reused after it's cleared.

Original commit: elastic/x-pack-elasticsearch@9aab1d8530
2014-09-27 11:23:38 -06:00
c-a-m da3aacf107 Passwords: SecuredString to lock down and clear password usage.
SecuredString encapsulates handling of passwords and clearing them when done.  This change
includes changing everywhere passwords are used.  After authentication the authentication service will
clear the token - which will clear the password.  This avoids using any passwords in String objects.

This also adds commentary to BCrypt to show how it changed from the original external resource.  It moves utility methods to CharArrays.

Original commit: elastic/x-pack-elasticsearch@d0ffbae5c8
2014-09-26 10:39:04 -06:00
javanna f3164f1d24 [TEST] add system key to node settings in ShieldRestTests
Original commit: elastic/x-pack-elasticsearch@76be4c240a
2014-09-26 08:44:50 +02:00
uboness b3472bf3dc Changed the base64 encoding of the signatures to be URL safe
In InternalKeyService, we encode the signatures with base64. For things like scroll id, that need to be placed in URLs it's important that the signature will be URL safe.

Original commit: elastic/x-pack-elasticsearch@138d02d966
2014-09-25 13:52:55 +02:00
javanna b99f7be199 [TEST] add docs check to ScrollIdSigningTests
Original commit: elastic/x-pack-elasticsearch@30c026ac92
2014-09-25 11:58:13 +02:00
Michael McCandless d9d5cbeb32 upgrade to Lucene 4.10.1 snapshot
Original commit: elastic/x-pack-elasticsearch@d41ba71039
2014-09-24 16:35:42 -04:00
uboness 2482750435 Added a cli tool to generate the system_key file
Original commit: elastic/x-pack-elasticsearch@8c344ded6b
2014-09-23 12:24:05 +02:00
javanna f1b0c88bd4 [TEST] introduce base class for ldap tests that starts apache ds up and cleans it up afterwards
ApacheDSRule has been moved to `ExternalResource` which requires less code and implements `TestRule` instead of `MethodRule`. `TestRule` supports `ClassRule`s as well as ordinary `Rule`s. A class rule is exactly what we need for the ldap tests since we want to start the ldap server once before class and shut it down after all tests (after class). Also made sure that the static fields are cleaned up, otherwise `StaticFieldsInvariantRule` barfs.

Added `extends ElasticsearchTestsCase` where missing also.

Closes elastic/elasticsearch#80

Original commit: elastic/x-pack-elasticsearch@2143a2dcc6
2014-09-20 10:26:42 +02:00
javanna 723725753a [TEST] Make it possible to run REST tests against es+shield
Added `ShieldRestTests` that extends `ElasticsearchRestTests` allowing to run REST tests against es+shield. Tests won't be run by default as they require additional configuration (e.g. rest tests and spec location on file system). They can be activated via `-Dtests.rest=true`. Rest tests and spec location can be provided as follows:

```
-Dtests.rest.spec=/path/to/elasticsearch/rest-api-spec/api -Dtests.rest.suite=/path/to/elasticsearch/master/rest-api-spec/test
```

Some tests need to be blacklisted at this moment as follows:

```
-Dtests.rest.blacklist=scroll/*/*,mpercolate/*/*,msearch/*/*
```

Closes elastic/elasticsearch#79

Original commit: elastic/x-pack-elasticsearch@6f3e72dd87
2014-09-19 17:08:17 +02:00
javanna 932cfd9a33 [TEST] fix apache ds cleanup issues
Original commit: elastic/x-pack-elasticsearch@235a5de900
2014-09-19 15:01:19 +02:00
javanna d5d4be018d [TEST] fixed ScrollIdSigningTests to never use the signed scroll ids as tampered one
`randomInt` includes 0, thus the tampered id could stay the same as the signed scroll ids in some cases which would make everything work and the test fail.

Also cleared the scroll from a finally block, otherwise when the test fails the scroll stays around which might make after test checks fail.

Original commit: elastic/x-pack-elasticsearch@6f6b0d844d
2014-09-19 14:45:50 +02:00
uboness de893c544a Added key service
- Key service provides un/signing functionality
- will initially be used to un/sign scroll ids (for the scroll api)

Original commit: elastic/x-pack-elasticsearch@256e0e3c5d
2014-09-18 15:09:10 +02:00
javanna a313879f49 [TEST] enabled http where needed as it was disabled by default in es core
Original commit: elastic/x-pack-elasticsearch@3a56726c65
2014-09-16 17:08:54 +02:00
javanna 99c41997d9 Update es core version to 1.4.0.Beta1-SNAPSHOT
Original commit: elastic/x-pack-elasticsearch@07a12d3c58
2014-09-16 15:34:09 +02:00
javanna fee5a30f7f Update es core version to 1.4.0.Beta-SNAPSHOT
Original commit: elastic/x-pack-elasticsearch@acd0ab0292
2014-09-15 15:46:24 +02:00
Alexander Reelsen d604c63527 Netty: Move n2n filter in pipeline to first place
The current IP filter kicks in after the SSL handler, which only
makes sense, if you check things like the SSL certificate. For
now it makes most sense to really put this at the first place.

Original commit: elastic/x-pack-elasticsearch@bbaed67a3c
2014-09-12 08:32:38 +02:00
Alexander Reelsen 176517ba7e Testing: Changing ApacheDsRule to not use the same workdir for LDAP server
Original commit: elastic/x-pack-elasticsearch@532d02b014
2014-09-11 16:30:26 +02:00
uboness 1588c761ea Cleanup
- Formalized the notion of a client vs. node mode. Introduced an `AbstractShieldModule` that takes care of that
- For now, standardized on the `Shield` name across the board (e.g. change `SecurityModule` to `ShieldModule`)
- Introduces static methods to `ShieldPlugin` to resolve shield specific config files (on the way fixed the file resolving of the ldap group mapper)
- The n2n ip filtering is now resolved at the module level. If not enabled, null is injected and the netty handler is then not injected to the pipeline
- updated code base with the latest changes in es-core around how relevant http headers are registered and copied over to the transport request
- Added new known action in es-core  `indices:admin/get`

Original commit: elastic/x-pack-elasticsearch@ca8d85dc81
2014-09-11 15:21:57 +03:00
Alexander Reelsen 787a415c27 FileRolesStore: Make sure default path is loaded correctly on startup
The wrong path was used as default path. Also added logging information
for all files, so one can at least check the paths.

Original commit: elastic/x-pack-elasticsearch@893493fd17
2014-09-10 12:07:16 +02:00
Alexander Reelsen f15d5c4aa3 Testing: Create rule for starting/stopping ApacheDS
This ensures, that resources are cleaned up appropriately.

Original commit: elastic/x-pack-elasticsearch@d881562a3e
2014-09-09 21:28:40 +02:00
Alexander Reelsen 954ea51ef3 Test: Ensure that security plugin is not loaded via classpath
Original commit: elastic/x-pack-elasticsearch@765a3d5115
2014-09-09 16:26:23 +02:00
uboness 263ebfbbf2 Have AuthenticationService resolve the auth token from rest request
- Also made sure that we fallback on system token only if the system has permission to the action.
- While at it, change the binding of the different services to run as singletons

Closes elastic/elasticsearch#64

Original commit: elastic/x-pack-elasticsearch@3705b7365a
2014-09-09 14:31:17 +03:00
uboness 5cc210bc9a Bug Fix: LdapModule now reports whether it's enabled/disabled correctly
- Also fixed a bug where if ldap/esusers module is disabled, injection failed (now injecting the appropriate `null` values to `Realms`)
- Also updated `SecurityFilter` with latest changes in es core (action filters API changed)

Original commit: elastic/x-pack-elasticsearch@71de64e6ad
2014-09-07 01:07:24 +02:00
uboness f4b4075cfa Upgraded to Lucene 4.10 and fixed the build
The automaton support changed quite a bit in 4.10 which required determinizing all the automatons used in the Privilege

Original commit: elastic/x-pack-elasticsearch@96a82f0f5d
2014-09-06 15:41:22 +02:00
uboness 5cc7d55568 cleaned up UsernamePasswordToken
Removed the caching of the token on the request context. Caching is now handled by the InternalAuthenticationService

Original commit: elastic/x-pack-elasticsearch@d60bc7af67
2014-09-05 15:24:43 +02:00