Commit Graph

278 Commits

Author SHA1 Message Date
uboness 982a83943c [Cleanup] - moved LDAP integration tests to ldap package
Original commit: elastic/x-pack-elasticsearch@35627d6e24
2015-01-11 13:41:25 +01:00
javanna 6df767790f Indices resolution: don't go over the indices for requests that don't contain wildcards, just return them as they are
We have two ways of resolving wildcards in shield:
1) expanding them to matching authorized indices for the current user, which is used for every request that implements `IndicesRequest.Replaceable`, giving to wildcards a different meaning in the context of shield, abnd replacing the resolved names to the request on the coordinating node.
2) resolving them as es core would by default: we do this only for `IndicesAliasesRequest` since it's the only request that supports wildcards but doesn't allow to replace its indices. This is done on every node that processes the request, no replacement to the request takes place.

Shard/node level requests are a bit of a special case though since they could potentially contain wildcards. They hold the original indices and indices options, thus they effectively support wildcards, but given that wildcards always get replaced on the coordinating node even before shard/node level requests get created, we are sure they will never contain wildcards. Hence we should never even try to explode their wildcards, since they can't contain any.

We should make the above distinctions clearer in code by:
1) having an assert that verifies the IndicesAliasesRequest special case
2) making sure that we explode wildcards as core would only for IndicesAliasesRequest, not touching shard/node level requests
3) adding an assert that verifies that shard/node level requests never contain wildcards
i

Also, the process of going over the indices by using MetaData#convertFromWildcards (what option 2 does) has one side effect other than wildcards resolution: it causes unnecessary exceptions in shield, exceptions that would be thrown by core anyway when needed after the authorization process. This happens because we try and reuse code taken from es core that does wildcards resolution plus indices validation at once (even if there were no wildcards among indices).

In general all of the user requests that support wildcards (based on their indices options) should have their indices replaced on the coordinating node (the only exception being IndicesAliasesRequest, see elastic/elasticsearch#112), using shield specific code. Their subsequent (internal) shard level requests will never contain wildcards. That's why there is no need to go over all of the indices when there's no wildcards, which would cause some needless validation to happen as well.

Side note: the additional validation step caused tribe node failures with requests against indices belonging to multiple tribes (the exact purpose of the tribe node). Each tribe complained because it didn't have all of the indices in its own cluster state, which is perfectly fine (think of `tribe1` that holds `index1` and `tribe2` that holds `index2`, when searching against both indices from a tribe node). Although this commit makes sure that we don't throw any index missing exception for indices that are not available, all of the tribes will still need to authorize the action on all of the indices (`tribe1` requires privileges for `index2` so does `tribe2` for `index1`, otherwise the shard level requests will get rejected.

Closes elastic/elasticsearch#541

Original commit: elastic/x-pack-elasticsearch@dd81ec0177
2015-01-10 11:50:25 +01:00
uboness 95f125deda [Audit] - change the output for the requests/messages
As es core requests don't implement `toString` at the moment, we can't just render them as they are. Instead, for transport messages we'll only render the class name, and for rest requests we'll render the content if there is one (a rest request without a content will be rendered as an empty string)

Original commit: elastic/x-pack-elasticsearch@fb14b41a28
2015-01-09 13:52:32 +01:00
c-a-m 00e17aabec Test: Functional tests for LDAP and Group Mappings
This adds a framework class for setting up random LDAP realms.  Two implementations test group mapping.

Fixes https://github.com/elasticsearch/elasticsearch-shield-qa/issues/15

Original commit: elastic/x-pack-elasticsearch@2bdc25e306
2015-01-08 08:40:42 -07:00
Alexander Reelsen 112b6a0e57 Tests: Fix test to not collide on same ports
The build at https://build.elasticsearch.com/job/es_shield_plugin/5302/ failed
due to both tests running on the same port.
This cleans up a the test a bit to not have any static components and more independent behaviour.

Original commit: elastic/x-pack-elasticsearch@89db247d3d
2015-01-05 10:30:16 +01:00
Alexander Reelsen 4efe6f1640 Cleanup: Ensure no logic is executed in the constructor
The SignatureService tried to access the system key file in
the constructor, which could lead to endless loops. This PR
moves the service into a AbstractLifecycleComponent to keep
the constructor dumb.

Relates elastic/elasticsearch#517

Original commit: elastic/x-pack-elasticsearch@b1e5bfe98c
2015-01-02 17:33:46 +01:00
jaymode 7106d41315 [Test] invalidate any existing sessions prior to testing hostname verification
For LDAP hostname verification, we use the "default" SSLContext, which is cached in a map
and re-used. If a secure connection is established then the session is cached for use later. In
the tests, we sometimes run a test that connects without hostname verification and a SSL session
is cached. Then when the hostname verification test runs, it uses the cached session and does
not perform hostname verification causing the test to fail. This fix changes the test to always
use a new SSLContext for each test.

Closes elastic/elasticsearch#521

Original commit: elastic/x-pack-elasticsearch@46ffed34bb
2015-01-02 10:47:37 -05:00
Alexander Reelsen c2493f98d7 System key: Set permissions to owner read/write only
When generating the sysemkey, the permissions are set to owner read/write
only in order to protect the system key. This only works, if the underlying
filesystem supports posix permissions.

Closes elastic/elasticsearch#516

Original commit: elastic/x-pack-elasticsearch@32d6e1d745
2015-01-02 09:35:32 +01:00
jaymode b4b3101b63 Fix compilation error by removing use of SecureRandom.getInstanceStrong()
Original commit: elastic/x-pack-elasticsearch@3a5d1c0e89
2014-12-31 14:21:49 -05:00
jaymode 0a9f51f3f5 SSL/TLS: Do not allow writes before handshake is complete
SSLEngine will throw various SSLExceptions when the application initiates a write prior
to the handshake being completed. The NettySecuredTransport marks a channel as ready
for use once it is connected, even though the handshake has not completed. A handler
has been added that performs the handshake and queues writes until the handshake has
completed. Additionally, fix SslMultiPortTests to always connect to the proper client
profile port.

Closes elastic/elasticsearch#390. Closes elastic/elasticsearch#393. Closes elastic/elasticsearch#394. Closes elastic/elasticsearch#395. Closes elastic/elasticsearch#414

Original commit: elastic/x-pack-elasticsearch@1bb3218373
2014-12-31 14:04:03 -05:00
Alexander Reelsen 76735579d1 Scroll API: Allow to clear all scroll requests
Because elasticsearch core does not have a possibility to retrieve the
currently open search contexts across the cluster, there is no possiblity
to check if a user is allowed to close a context, when `_all` is
specified.

This commit introduces a new cluster privilege called
cluster:scroll/clear/_all
which allows to clear all scroll requests.

Closes elastic/elasticsearch#502

Original commit: elastic/x-pack-elasticsearch@5f5ce5de36
2014-12-24 13:48:54 +01:00
jaymode cc9568d1bb Add hostname verification support for transport and ldaps connections
SSL and TLS do not require hostname verification, but without it they are susceptible
to man in the middle attacks. This adds support for hostname verification for
transport client connections and for ldaps connections.

Closes elastic/elasticsearch#489

Original commit: elastic/x-pack-elasticsearch@c9380f0319
2014-12-23 14:22:00 -05:00
c-a-m c052a8ca95 Disable TCP read timeout tests
Added AwaitsFix(bugUrl = "https://github.com/elasticsearch/elasticsearch-shield/issues/499") to each test to ignore them to get CI working.

Original commit: elastic/x-pack-elasticsearch@2b0b1f0f21
2014-12-23 09:27:36 -07:00
c-a-m cd9edbc75a Fixed AD leaked thread bug
The AD connection leaks a thread from the initial user search.  This fixes the issue.

Original commit: elastic/x-pack-elasticsearch@f8a3e4fa35
2014-12-23 08:26:58 -07:00
c-a-m 661b755639 test: ldap timeout test failing on windows
This extends the connect timeout on windows to give it enought time to complete.  It moves the ldap read timeout test to openldap and active directory.

We now have three timeouts configurable.  The timeout tests on active directory only work for TCP connect, and TCP read, but not LDAP Search.

Original commit: elastic/x-pack-elasticsearch@ff97396f60
2014-12-22 10:03:17 -07:00
Alexander Reelsen 38a0ec9c3e Guice: Ensure no exceptions are thrown in constructor
Because this leads to endless loops when starting elasticsearch
some components have been refactored to AbstractLifecycleComponents
so that the exception throwing logic can executed in the
`doStart()` method.

Closes elastic/elasticsearch#505

Original commit: elastic/x-pack-elasticsearch@75d1fd358a
2014-12-20 13:10:57 +01:00
Alexander Reelsen 9d5dc3552b Test: Do not try to do an external network connection in LDAPConnectionTest
As no test has been marked with the @Network annotation, the test should not
try to connect to example.com (which needs to be resolved and thus requires an
internet connection). We can simply bind a local socket and run into the 1ms
timeout there.

Original commit: elastic/x-pack-elasticsearch@2c2da90607
2014-12-17 17:06:22 +01:00
Alexander Reelsen 431f30893f Cleanup: Split service transport service for client & server
In order to be more flexible this clean up commit splits the
TransportService into a client and server one. As part of this
we can safely remove the slightly misused TransportFilters class.

Renamed shield.type from server to node, so we can differentiate between node2node and node2client communication.

Original commit: elastic/x-pack-elasticsearch@a3a2f9bf38
2014-12-16 14:28:32 +01:00
c-a-m 060e17bc91 ldap: Adds configuration for timeouts
This adds configuration for ldap connection timeouts and ldap operation timeouts.  Both default to 5 seconds.

Fixes https://github.com/elasticsearch/elasticsearch-shield/issues/461

Original commit: elastic/x-pack-elasticsearch@3e6ed97d52
2014-12-15 10:45:49 -07:00
jaymode a710deb505 Cleanup logging on automatically reloaded files
Fixes duplicate messages being logged on reload of the user_roles file. Add the realm name
to the logging on reload of the role mappings file since there can be a distinct file per
ldap/ad realm.

Closes elastic/elasticsearch#485

Original commit: elastic/x-pack-elasticsearch@90932fcec7
2014-12-15 08:36:55 -05:00
javanna e3768b6cff [TEST] upgrade randomized runner to 2.1.11
2.1.11 contains the fix for this issue: carrotsearch/randomizedtestingelastic/elasticsearch#179 which will resolve these recurring failures described in elastic/elasticsearch#386.

Closed elastic/elasticsearch#490

Original commit: elastic/x-pack-elasticsearch@3a396d6302
2014-12-15 13:48:04 +01:00
Alexander Reelsen 2b7679ec33 Files: Create temp files first instead of overwriting existing files
Until now the store implementations truncated the existing file and recreated it in-place.
This has problems with bigger files as the files may not yet have finished to be written,
when the WatchService tries to pick them up.

This commit fixes the problem by creating a temp file first to write the new roles or user files
and then moves it over. Also an atomic move is tried first, if the file system supports this.

Closes elastic/elasticsearch#477

Original commit: elastic/x-pack-elasticsearch@75894dd75d
2014-12-12 15:08:19 +01:00
jaymode 88162d142b Add the option to specify both a keystore and key password
Previously, we always used the keystore password as the key password, which does not
work if a user specifies a different password when generating the key with keytool. If the
key password is not specified, the keystore password will be used.

Closes elastic/elasticsearch#473

Original commit: elastic/x-pack-elasticsearch@8a6efdbf21
2014-12-12 08:38:27 -05:00
jaymode 9bfab4d8d5 Do not add a disabled realm to the list of realms
The realm documentation has a 'enabled' parameter to indicate whether the realm
should be used or not. This value is now being honored so that a realm can be disabled.

Closes elastic/elasticsearch#474

Original commit: elastic/x-pack-elasticsearch@3638a14c22
2014-12-12 08:25:16 -05:00
c-a-m 2902ccb5f0 Updates the esvm files to esvm 0.0.10, and latest shield format
This moves the esvm files into dev-tools and collapses the settings with "." This will require the latest version of esvm 0.0.10.  It combines the ldap and ad config into the same file.
Added readme to dev-tools/esvm

Original commit: elastic/x-pack-elasticsearch@dab9fa643d
2014-12-11 12:19:23 -07:00
javanna af0f04ed17 Add more info to _shield info output, align output to core main action
New output looks like this:

```
{
  "status" : "enabled",
  "name" : "Plantman",
  "cluster_name" : "cluster1",
  "version" : {
    "number" : "1.0.0",
    "build_hash" : "3bc25c3c94e494baa55a56f7d459cd4e08b2a362",
    "build_timestamp" : "2014-12-05T11:45:30Z",
    "build_snapshot" : true
  },
  "tagline" : "You know, for security"
}
```

Status can be either enabled, disabled or unlicensed.

Closes elastic/elasticsearch#429

Original commit: elastic/x-pack-elasticsearch@647eb3aea8
2014-12-11 12:06:19 +01:00
c-a-m d17c0f6d83 Bugfix: Any LDAP or AD exceptions are not getting logged.
The AD and LDAP realms now catch and log Throwable.  This changes LDAPException and ActiveDirectoryExceptions to be ShieldExceptions instead of SecurityExceptions

Fixes https://github.com/elasticsearch/elasticsearch-shield/issues/452

Original commit: elastic/x-pack-elasticsearch@aff428e5c1
2014-12-10 17:07:44 -07:00
Alexander Reelsen cf0987a4a0 Cleanup: Fix SSLService design problems
In order to fix various issues with the SSL service, the following cleanups have been done

* Removed SSLServiceProvider and all the lazy loading magic
* Do not try to create an SSLContext in the constructor. According to Guice docs the constructor
  should only be used ever for variable declarations but not business logic. This also fixes a nasty
  OOM, in case an exception was thrown in the constructor, because Guice tried to recreate that class
  in an endless loop
* Get responsibilities right (which resulted in this nasty lazy loading provider design).
  The SSLService allows to create a SSLEngine at the time you need it, but you need to supply
  specific configuration if you want it to instead of using the default configuration
  and creating a SSLContext on startup like we did before.

All changes are internal.

Closes elastic/elasticsearch#454
Closes elastic/elasticsearch#453

Original commit: elastic/x-pack-elasticsearch@7ca49f781c
2014-12-10 15:16:57 +01:00
jaymode b55180f3f8 [TEST] Use operating system specific line ending
The line endings differ between operating systems and the existing test failed
on Windows systems. This change uses the OS specific line ending.

Closes elastic/elasticsearch#443

Original commit: elastic/x-pack-elasticsearch@a458472322
2014-12-08 09:00:17 -05:00
uboness 9a932f8ae8 Fixed typos in validation error message
Original commit: elastic/x-pack-elasticsearch@8164ee18ed
2014-12-08 14:40:12 +01:00
uboness 9970267058 Fixes wrong password validation
Now, minimum length of 6 is properly checked

Closes elastic/elasticsearch#441

Original commit: elastic/x-pack-elasticsearch@d644528570
2014-12-08 14:17:53 +01:00
uboness 87a2a2afc6 Added "no user found" output to esusers tool
for the `list` command and when no users are defined

Original commit: elastic/x-pack-elasticsearch@3ca7b9a62b
2014-12-08 13:41:35 +01:00
javanna cf71f3f05e [TEST] update ShieldPluginTests
The shield test infra already verifies that the plugin is loaded before each test, it makes little sense to check again in this specific test. Left the second part that tests the shield info endpoint and renamed the test method

Closes elastic/elasticsearch#423

Original commit: elastic/x-pack-elasticsearch@ac2d566c42
2014-12-08 13:01:34 +01:00
uboness aa4269ff82 Added info logging for auto-related files
- users
- users_roles
- roles.yml

Original commit: elastic/x-pack-elasticsearch@e3ee647915
2014-12-07 04:57:17 +01:00
javanna 8320be7b09 Build: add scm info to pom.xml
Build number maven plugin requires this info to retrieve the build number and make it available as a variable, which is then published through RestShieldInfoAction, which is currently null. This commit makes sure the build number gets currently published.

Closes elastic/elasticsearch#428

Original commit: elastic/x-pack-elasticsearch@0a2bc7646b
2014-12-05 12:42:44 +01:00
uboness 08b33e8854 Fixed a bug where when shield is disabled it still replaced the transport
Closes elastic/elasticsearch#430

Original commit: elastic/x-pack-elasticsearch@422ba76d81
2014-12-05 11:27:50 +01:00
javanna 02c3601ac5 Build: fix dependencies order in pom
tests-framework.jar must be before lucene-core.jar

Original commit: elastic/x-pack-elasticsearch@7aa48f737a
2014-12-05 08:49:36 +01:00
javanna 093d9a901c Packaging: set es core as provided dependency
Also update the assembly configuration and the commons-codec version

Closes elastic/elasticsearch#423

Original commit: elastic/x-pack-elasticsearch@27e76c5307
2014-12-05 07:41:19 +01:00
uboness d7c54a5d1b Fixes a bug in LicensingTests
- where the licenses were enabled on any cluster event. Instead they should only be enabled either explicitly by the test or at start up.
- also modified `ShieldActionModule` to for `ShieldActionFilter` to be bound as an eager singleton (es core doesn't define the scope for the registered action filters)

Original commit: elastic/x-pack-elasticsearch@47ac0d2e6f
2014-12-05 01:08:04 +01:00
uboness e646fd5edc Integration with license plugin
- Added a `LicenseService` to handle license feature enable/disable events
 - LicenseEventNotifier is responsible for notifying the license events to whatever registered listeners that are interested in them
 - In Shield, when a license is disabled for `shield` feature, we block all read operations (done in the `ShieldActionFilter`)
 - Added initial documentation around licensing

Closes elastic/elasticsearch#347

Original commit: elastic/x-pack-elasticsearch@6ba7a10cd4
2014-12-04 20:49:35 +01:00
javanna 070dbebb7a [TEST] delete unused ip_filter.yml
Original commit: elastic/x-pack-elasticsearch@1ac69ba59f
2014-12-04 16:31:36 +01:00
uboness 970dbaec77 Updated the min es compatibility to 1.4.0
Original commit: elastic/x-pack-elasticsearch@6aa954c3bb
2014-12-04 15:01:47 +01:00
Alexander Reelsen 2aafcf40dd Performance: Only iterate ip filter rules per profile
This is a little cleanup to only iterate IP filter rules for each
profile instead of iterating all of them and check for the profile
inside of the rule.

Original commit: elastic/x-pack-elasticsearch@6774f1f165
2014-12-04 14:16:10 +01:00
uboness 150ac97ffe Reduced audit logs
- Moved ACCESS_GRANTED logging of internal actions to TRACE level

Original commit: elastic/x-pack-elasticsearch@fe9bd3e64d
2014-12-04 10:25:40 +01:00
Alexander Reelsen 347374b56d Cleanup: Removed leftover and unused ip_filter.yml
Also fixed a minor tabbing issue

Original commit: elastic/x-pack-elasticsearch@cc761fd278
2014-12-03 15:39:52 +01:00
uboness 2bd541e40f Added EULA
Original commit: elastic/x-pack-elasticsearch@dd9ebdd082
2014-12-03 14:09:55 +01:00
javanna 847fc21def [TEST] temporarily log the default locale in REST tests
The locale is being randomized but never printed out for now (fixed upstream but we still depend on 1.4.0). We need to temporarily log it out manually to debug some test failures that might be related to the locale randomization (in combination with build machines settings).

Original commit: elastic/x-pack-elasticsearch@6f7e9625d1
2014-12-02 19:24:12 +01:00
uboness eac85eda10 [Cleanup] - FileRolesStore no longer depends on AuthorizationService
It used to be required, but since elastic/x-pack@607fabbade it's no longer needed.

Original commit: elastic/x-pack-elasticsearch@3c60798c2e
2014-12-02 19:04:25 +01:00
javanna 452851be6a [TEST] fixed tests repeatability issue
Every random call should happen all the time on all platforms (unless randomized!), otherwise tests won't reproduce on different platforms.

Original commit: elastic/x-pack-elasticsearch@d5b2d2079c
2014-12-02 18:43:43 +01:00
Alexander Reelsen 1d4422fc79 Profiles: Add client server transport filter
This PR allows to configure different ServerTransportFilters per profile.
By default there is a `server` transport filter, that does authentication
and a `client` on that rejects internal actions and shard actions.

Closes elastic/elasticsearch#312

Original commit: elastic/x-pack-elasticsearch@1ce66495a5
2014-12-02 16:59:20 +01:00