Adds JNA as a test time dependency to work around it being required on
windows in elasticsearch core.
Original commit: elastic/x-pack-elasticsearch@b8fc70a051
This commit is a squashed commit of work done in conjunction with @rmuir to make
shield work properly with elasticsearch 2.0. This includes ensuring all tests
pass when running with the security manager and updating the code to be compatible
with the latest core forbidden apis.
Shield is now a child project of elasticsearch-parent and inherits a lot of common
build, test, and static coverage functionality from that project resulting in a much
smaller and simpler pom.xml for shield. As part of this work, Shield can now read
rest tests from the elasticsearch jar so the rest tests are run automatically when
running the slow tests.
Original commit: elastic/x-pack-elasticsearch@2ebbf4284a
The system user needs to be able to execute a reroute action to support the
DiskThresholdDecider. The DiskThresholdDecider executes an empty reroute
request when a high disk watermark has been exceeded.
Relates to elastic/elasticsearch#816
Original commit: elastic/x-pack-elasticsearch@890b44d79e
The testChangingAByte method was requesting a random length byte array ranging
from 0-1000. The issue is that a byte array with length of 0 cannot be changed and
therefore this test is not valid in this case. It now requests a range of 1-1000.
Original commit: elastic/x-pack-elasticsearch@88edf535f4
This changes the SignatureService into a CryptoService that now supports encryption
operations in addition to the signing operations. The encryption leverages the existing
system key and uses it with AES.
Closeselastic/elasticsearch#805
Original commit: elastic/x-pack-elasticsearch@a792ed4a54
For the CLI tools in Shield we create a new temp file and replace the existing file
to prevent issues with reloading a half written file. This has a potential side effect
of changing the user and group that own the file. Many times the commands are
run with root privileges (sudo) and when run with root privileges we can actually
reset the owner and group correctly.
Closeselastic/elasticsearch#812
Original commit: elastic/x-pack-elasticsearch@1ee3715376
For HMAC and password hash comparisons we need to use a time
constant comparison that always compares the whole value in order
to protect against timing attacks.
Original commit: elastic/x-pack-elasticsearch@f6082c76b9
Elasticsearch version 1.5.1 was released today, so move to testing against
the release version and add 1.5.2-SNAPSHOT.
Original commit: elastic/x-pack-elasticsearch@36b502dbb1
The contentUnsafe field was removed and this caused a compilation error
with two implementations of RestRequest in test code. This fixes the compilation
error and only uses a single implementation of RestRequest.
Original commit: elastic/x-pack-elasticsearch@d4d8a6ba6b
Adds randomization.yml file that contains the versions of elasticsearch
and lucene to test the current branch against. This allows us to control
the versions we test against in the repo vs having to continually modify
the randomization scripts.
Closeselastic/elasticsearch#773
Original commit: elastic/x-pack-elasticsearch@5e5645a627
- Added an option for other plugins to define reserved roles. These roles will be reserved for the plugins and will be used by the plugin when executing actions. The reserved roles cannot be overridden by the `roles.yml` file. While at it, also made sure the system role cannot be defined in the `roles.yml` file. The roles can be registered via the `AuthorizationModule.registerReservedRole` method.
- Enable plugins to add their own (new) cluster & index privileges. The can be done by simply calling `Cluster.addCustom` and `Index.addCustom` static methods.
Original commit: elastic/x-pack-elasticsearch@11f795bebd
The timeout test times an operation that involves much more than a simple
socket connect. There is overheard from the UnboundID library and its
asynchronous nature that could cause delay in a response. This removes
the assertion that the call to session took less than one second and adds
an assertion about the exceptions cause.
Closeselastic/elasticsearch#740
Original commit: elastic/x-pack-elasticsearch@45577626b6
- Introduced `ssha256` hashing (salted sha-256) which is now the default in-mem hashing algorithm (instead of bcrypt4)
- changed the `md5` to be a real MD5 algorithm (used to be md5crypt.
- introduced `apr1` hashing algo. which is the old md5crypt algorithm.
Also updated the relevant docs & tests
Original commit: elastic/x-pack-elasticsearch@c8c0be5b95
Enables filtering out sensitive settings from the nodes info API rest endpoint. Also provide a mechanism to filter out additional settings via a new `shield.hide_settings` setting.
Original commit: elastic/x-pack-elasticsearch@9bab5049e7
On Windows, ensureGreen times out due to some shards not being initialized so
this increases allocation logging.
Original commit: elastic/x-pack-elasticsearch@e3777a8e89
After the switch from elasticsearch.com to elastic.co, these tests started failing
due to socket connect errors. Now we will just connect to the OpenLDAP server
which should be a different machines than the ones running tests.
Original commit: elastic/x-pack-elasticsearch@7bf713a313
The resolved anonymous user was not added to the REST request context. This resulted in that when the request was "translated" to a transport request, the fallback was the `system user`. The commit fixes that.
Original commit: elastic/x-pack-elasticsearch@acea6becf1
Any exception caught during authentication is only logged if DEBUG is enabled.
This changes the behavior to log these exceptions are WARN with the exception
message only or at DEBUG with the full exception.
The user template ldap implementation could potentially cause a lot of
logging to be generated because it always prints the full exception at WARN
level. This changes it to print the message at WARN level and the exception
at DEBUG.
Original commit: elastic/x-pack-elasticsearch@c607567d88
This change filters out unsupported ciphers before setting the ciphers on the
SSLEngine. The unsupported ciphers are logged in a message at the error
level. If none of the specified ciphers are supported, then an exception will
be thrown.
Closeselastic/elasticsearch#698
Original commit: elastic/x-pack-elasticsearch@68cf47ec19
In order to be able to configure ip filtering in a dynamic way, all
the ip filter related settings have been made dynamic.
This commit also fixed a bug, as the setting shield.http.filter.enabled
was not working, but mentioned in the documentation.
Documentation has been updated along the way.
Closeselastic/elasticsearch#697
Original commit: elastic/x-pack-elasticsearch@2760c47b5b
tableizing means evaluation is strictly linear time O(inputLength),
but costs #states * alphabet in ram. alphabet here is unicode (64k) so it blows up huge.
With tableize=false, it just means evaluation is O(inputLength * log(numIntervals)).
This is plenty fast for our purposes.
For these same reasons lucene only tableizes ByteRunAutomaton (alphabet size=256)
by default, for CharRunAutomaton it defaults to false.
Ban the trappy RunAutomaton ctor that tableizes. Fix tests using it.
Closeselastic/elasticsearch#739.
Original commit: elastic/x-pack-elasticsearch@28ab66b0ee
A large number of recent test failures have been caused by failure to bind
a port in the range 32900 to 32999. The ports are now tested to see if they
can be bound by this JVM and if not tries to bind another port. This will
decrease the likelihood of a port bind failure but another application could
still bind a port before the node starts up.
Closeselastic/elasticsearch#737
Original commit: elastic/x-pack-elasticsearch@aaf098758f
REST tests that use expressions as the script language requires the
lucene-expressions library to be loaded.
Original commit: elastic/x-pack-elasticsearch@c0f2b8a4b2
This adds a second mode of operation to the ldap realm. This mode of operation
allows for single bind user to be specified. This bind user will be used to
search for user DNs starting from a base DN. The user DN will then be used to
authenticate via a bind operation. The bind user will then search for the user's
groups.
Closeselastic/elasticsearch#552Closeselastic/elasticsearch#323
Original commit: elastic/x-pack-elasticsearch@3338730a64
jaymode
uboness
Alexander Reelsen
Robert Muir