Commit Graph

1456 Commits

Author SHA1 Message Date
jaymode 166514651a SSL/TLS: Add option to disable reverse DNS resolution of hostname
This change adds the option to disable reverse DNS lookup of a hostname from
an IP address. This is needed if only an IP address is found in a SSL certificate
and hostname verification is enabled.

Closes elastic/elasticsearch#575

Original commit: elastic/x-pack-elasticsearch@07356bc885
2015-01-20 07:07:10 -05:00
Luca Cavanna 02682ff4ec Indices resolution: special treatment for IndicesAliasesRequest
IndicesAliasesRequest needs to be authorized against both indices and aliases. That means that the following request

curl -XPOST 'http://localhost:9200/_aliases' -d '
{
"actions" : [
{ "add" : { "index" : "test1", "alias" : "alias1" } }
]
}'

requires now indices:admin/aliases privileges for both test1 and alias1.

Added manage_aliases shortcut privilege that points to indices:admin/aliases.

Also, IndicesAliasesRequest used to not support replacing its indices (request doesn't implement IndicesRequest.Replaceable in es core). That can be worked around as well through the special treatment that we are introducing in shield for this specific request. Given that it is a composite action, every single operation has now its wildcards replaced with authorized indices (supported among aliases as well in case of remove operations). If any of the operation ends up relating to no indices after wildcards expansion, the whole request fails.

The DefaultIndicesResolver#explodeWildcards method, which used to expand wildcards as es core would do it, is not needed anymore, as all of the requests that support wildcards have now their indices properly replaced.

Added also special authorization pass for create index, if the request body contains aliases. The index can only be created if the current user has permission to create the index and to create the aliases that are part of the same request.

Closes elastic/elasticsearch#112
Closes elastic/elasticsearch#557
Closes elastic/elasticsearch#529

Original commit: elastic/x-pack-elasticsearch@d7201e8a8b
2015-01-20 12:23:52 +01:00
Luca Cavanna 16c7cfa50f review
Original commit: elastic/x-pack-elasticsearch@4f45b2de79
2015-01-20 11:01:03 +01:00
Luca Cavanna 58c5f95402 converted version check into a regular test class
Original commit: elastic/x-pack-elasticsearch@cefd362b70
2015-01-20 10:50:50 +01:00
javanna e04f4e2395 Track changes to be made once dependencies are upgraded
Added a class under test that is used to keep track of changes that we might have to make once we upgrade versions of dependencies, especially elasticsearch core.
 Every change is listed as a specific assert that trips with a future version of es core, with a meaningful description that explains what needs to be done.

 NOTE: changes suggested by asserts descriptions may break backwards compatibility. The same shield jar is supposed to work against multiple es core versions,
 thus if we make a change in shield that requires e.g. es core 1.4.1 it means that the next shield release won't support es core 1.4.0 anymore.
 In many cases we will just have to bump the version of the assert then, unless we want to break backwards compatibility, but the idea is that this class
 helps keeping track of this and eventually making changes when needed.

Closes elastic/elasticsearch#560

Original commit: elastic/x-pack-elasticsearch@fabe3858c1
2015-01-20 10:50:50 +01:00
javanna 1e2cea48d0 Authorization: enforced some assumptions through asserts
- made sure that clear_scroll all gets converted to the correspoinding shield cluster action in both action filter and transport filter (used to happen only on the action filter before): introduced the context of ShieldActionMapper that allows to convert action names based on an incoming request and its action name (will be useful for analyze api too)
- made sure that potential clear_scroll all errors contain the shield action name rather than the es core original one
- made it clearer that the only indices actions known not to be indices requests are scroll related ones, which we assert on and grant. Everything else gets denied.
- made it clearer that the only indices request whose indices might end up being resolved to an empty set is analyze request, as its index is optional
- simplified permissions check in Permission.Group by asserting on index argument not null

Original commit: elastic/x-pack-elasticsearch@7c01159b03
2015-01-20 10:45:21 +01:00
uboness 910d7c6372 Aligned users, users_roles and role_mapping file stores to behave like roles.yml
All three files are auto loaded by shield when modified. The behaviour that we agreed on is that when there's a parse failure in any of these files, we don't prevent the node from starting. Instead we skip the records that we failed to parse as if they don't exist. This is how `roles.yml` is handled today, and this commit makes sure that `users`,  `users_roles` and `role_mapping.yml` are aligned with this behaviour.

Also, the same behaviour is applied when the file is modified at runtime (so it's consistent with node start up).

This commit also adds a lot of missing tests for both `LdapGroupToRoleMapper` and `ActiveDirectoryGroupToRoleMapper` classes.

Original commit: elastic/x-pack-elasticsearch@7fdd6bb5cc
2015-01-20 02:20:25 +01:00
uboness d7d96d866e [Fix] removed null hosts in the audit logs
Some request are created locally by elasticsearch and therefore are not associated with a remote address (we only associate the remote address with a request that arrives remotely from via the transport layer). An example of such request is the periodic nodes info that is collected by elasticsearch. Also, requests that originate from the REST layer also create transport requests locally.

  This commit takes this behaviour into account and makes sure that we'll always log the host in the audit logs. We do that in the following way:

   - `host` is replaced by two attributes: `origin_type` and `origin_address`. `origin_type` can be either `rest`, `remote_node` or `local_node`. `origin_address` holds the host address of the origin
   - when no remote address is associated with the request, it's safe to assume it was created locally. We'll then output `origin_type=[local_node] origin_address=[<the localhost address>]`
   - when a rest request gets in, we'll copy and place its remote address in the context of the request (the context of the rest request is copied to the context of the transport request)
   - . in the audit logs, we'll inspect the transport request and look for a `rest_host` in its context. if we find it, we'll log the log entry under `origin_type=[rest], origin_address=[<the remote rest address>]` attributes. This way, the origin of the request won't get "lost" and we'll still differentiate between transport hosts and rest hosts.
   - if the request is holds a remote address, it can only come from the transport layer, so we'll output "origin_type=[transport] origin_address=[<remote address]"

 While at it, also changed the format of the log entries:

  - lowercased the whole message (e.g. `ANONYMOUS_ACCESS` to `[anonymous_access]` (for consistency sake)
  - introduced layer categorization for every entry to indicate whether its `[transport]`, `[rest]` or `[ip_filter]` related. I reckon this will make it easier to parse the logs if one wishes to do so.

Fixes elastic/elasticsearch#550

Original commit: elastic/x-pack-elasticsearch@b84f0c5548
2015-01-20 02:06:48 +01:00
javanna 98c3531bf9 move to es core 1.4.2
This commit moves the es core dependency to 1.4.2, which becomes the minimum version required from now on.

Changes made accordingly to this decision since we can break backwards compatibility and assume es core>=1.4.2

Closes elastic/elasticsearch#562

Original commit: elastic/x-pack-elasticsearch@484b4a2528
2015-01-19 08:24:18 +01:00
uboness 82c9b4fc61 [Cleanup] lowercased all log messages and exception messages
This to keep consistent with es core.

Also, where applicable, rephrased log messages to make it clearer.

Original commit: elastic/x-pack-elasticsearch@fae3188b17
2015-01-16 22:00:34 +01:00
Martijn van Groningen 2892154ace Merge pull request elastic/elasticsearch#64 from joehillen/fix-email-port
Fix email port setting

Original commit: elastic/x-pack-elasticsearch@ee669b55d8
2015-01-16 21:24:43 +01:00
uboness e3cb07132a [Fix] added the missing NoOpLogger
Original commit: elastic/x-pack-elasticsearch@2882baf8f9
2015-01-16 18:56:22 +01:00
uboness 66b4d5e6f8 Skip invalid roles in roles.yml
Today we require that the `roles.yml` file will be a valid yaml and all the role definitions there must be valid as well. If we can't fully parse this file, we simply throw an exception and ignore its content. After al long discussion, we decided that it would be much better to try and parse whatever we can out of this file and load the valid roles. Those invalid roles will be skipped and immediately removed from the system.

 This commit changes the way we parse the `roles.yml`. We first break it down to mini single-role yml constructs and then parse each separately from the others. This way, failing to parse one role, won't impact the others.

 Fixes elastic/elasticsearch#313

Original commit: elastic/x-pack-elasticsearch@31e3624594
2015-01-16 18:38:13 +01:00
uboness 9e078f4924 [Fix] a bug in ClearRealmCacheTests
Original commit: elastic/x-pack-elasticsearch@8d8fdf4c2a
2015-01-16 18:36:58 +01:00
uboness 56957f98bc [Fix] All loggers are not contextual
Meaning, all loggers are now settings aware, so all shield logs are now consistent with the rest of elasticsearch and will follow elasticsearch configuration and output format (printing out the node name by default).

Also:

- Changed the audit log to **not** be based on the elasticsearch settings as it needs to define its own format.
- Added the node name as a prefix to the audit logs by default (can be disabled but setting `shield.audit.logfile.prefix.node_name` to `false`
- As part of this change, the realms now changed and now created with a `RealmConfig`. This construct holds the realm settings, the environment and is served as a logger factory for all realm constructs.
- The only exceptions to the logs are the ssl socket factories.. the logs there are only used for tests by calling `clear`. This behaviour will change in the future such that `clear` will be removed and then there'll be no need for loggers in there.

 Fixes elastic/elasticsearch#446

Original commit: elastic/x-pack-elasticsearch@7a1058a54e
2015-01-16 17:55:25 +01:00
uboness 1d040c4c23 [Cleanup] - removed redundant overridden methods in esusers realm
Original commit: elastic/x-pack-elasticsearch@98ef6a9953
2015-01-16 02:53:23 +01:00
Brian Murphy c81a37a2ee Fix the email template test to be a lightweight unit test case and not start any unneeded services.
Original commit: elastic/x-pack-elasticsearch@93fc61d61a
2015-01-15 16:54:48 -05:00
Brian Murphy cef0976a6c Change the version to 1.0.0-beta2i
Original commit: elastic/x-pack-elasticsearch@aace18a423
2015-01-15 16:54:25 -05:00
Joe Hillenbrand 5c904dfafa Fix email port setting
The setting was mistyped as 'smpt' when it should have been 'smtp', but
it is better to change it to 'email' to be consistent with the other settings.

Original commit: elastic/x-pack-elasticsearch@0e610d89b5
2015-01-15 12:55:30 -08:00
uboness 2f373f692f Introduced an API to clear realms caches
Since both LDAP and AD realms are caching users. If the groups of the users change on the LDAP side, these changes will not be visible in shield until the relevant cached users will be evicted from cache. This poses a problem, specially when degrading users in terms of their permission (e.g. after degrading them on LDAP, they still have higher privileges until they're evicted from cache). The default cache timeout today is 1 hour. For this reason, a new API is introduced which will enable administrators to force cache evictions.

- Changed the default cache timeout to 20 minute
- `ClearRealmCacheAction was introduced (along with the relevant request and response constructs). This is a cluster action
- the corresponding rest action was introduced as well, under the `_shield/realm/{realm}/cache/clear` URI (where `{realm}` enables clearing specific realms, or all realms when passing `_all`.
- With the introduction of an action, the `ActionModule` now is no longer a node module - it's bound on both node and transport client.
- Added a new Cluster permission - `manage_shield`
- Also cleaned up the `Permission` and `AuthorizationService` class

Original commit: elastic/x-pack-elasticsearch@c59e244435
2015-01-15 19:13:02 +01:00
Brian Murphy a458e2df1d Register the ack handler again.
Original commit: elastic/x-pack-elasticsearch@b229c52f78
2015-01-15 10:31:59 -05:00
Brian Murphy cdd222aad5 Add email templating.
This commit adds support for email templating to alerting.

Original commit: elastic/x-pack-elasticsearch@6280801ce5
2015-01-15 09:34:17 -05:00
Brian Murphy f90d600a22 Add webhook action
This action can be added to an alert as :
      "webhook" : {
        "url" : "http://localhost:8080/alert/{{alert_name}}",
        "method" : "GET"
      }

Original commit: elastic/x-pack-elasticsearch@34e04229ab
2015-01-15 09:31:23 -05:00
Martijn van Groningen 30506ef41d Only primary shards are now required to be available during alerting initialization.
Original commit: elastic/x-pack-elasticsearch@4ef5fd87dc
2015-01-15 10:43:07 +01:00
Martijn van Groningen fc5cbd5d08 Fixed typo
Original commit: elastic/x-pack-elasticsearch@a549bd9e18
2015-01-15 10:15:49 +01:00
c-a-m be768d5a44 AD: Fixed user search lookup
The user search is using the wrong user attribute name, userPrincipalName which in most cases is correct.  But for the case of LA county, it isn't.  We now search for sAMAccountName and UserPrincipalName.

Fixes https://github.com/elasticsearch/elasticsearch-shield/issues/548

Original commit: elastic/x-pack-elasticsearch@7dd7d05f44
2015-01-13 17:18:34 -07:00
c-a-m 01c2016c49 ldap: closes NamingEnumerations
This checkin ensures all objects allocated by jndi requests are freed up.  It does this by wrapping NamingEnumerations with a ClosableNamingEnumeration that is placed in a try-with-resources block.

Original commit: elastic/x-pack-elasticsearch@8bed9585bd
2015-01-13 16:52:30 -07:00
jaymode be60f68367 Test: Add AwaitsFix to failing HandshakeWaitingHandler test
testWriteBeforeHandshakePassesWithHandshakeWaitingHandler is failing continually
on Windows.

See elastic/elasticsearch#533

Original commit: elastic/x-pack-elasticsearch@0d81cb99cd
2015-01-13 15:03:26 -05:00
jaymode 67928a57cb [Test] Ensure IpFilteringIntegrationTests connects to the port that is bound
A range is provided for the client profile and the test assumes that the first
port in the range is the port that the transport is bound to, which is not always
true. This change makes the test use the actual port that the client profile is
bound to.

Closes elastic/elasticsearch#531

Original commit: elastic/x-pack-elasticsearch@05962702ed
2015-01-13 06:37:11 -05:00
jaymode 6908f6f155 [Test] Make hostname verification a cluster wide setting
Hostname verification was previously randomized on a per node level, when it really
should have been a cluster level setting. This change makes hostname verification
randomization a cluster level settings.

Original commit: elastic/x-pack-elasticsearch@2a7da8aaf1
2015-01-12 08:51:33 -05:00
uboness 6a95a0d17e [Fix] - access granted on internal calls should be logged on trace
Since the system privilege also mapped to cluster/index monitoring actions, the access granted on those was only logged in `TRACE` level. This commit makes sure that these actions will be treated as any of the other actions, and only keep the *internal* system calls under `TRACE`

Fixes elastic/elasticsearch#554

Original commit: elastic/x-pack-elasticsearch@ffb719f547
2015-01-12 13:44:51 +01:00
uboness 8b38fde21d Provide better error messages for syskey cli tool
Output clearer error messages for different possibilities of an IO error

Original commit: elastic/x-pack-elasticsearch@47553e5eca
2015-01-12 13:42:08 +01:00
Alexander Reelsen 7020d1a9b4 Functional Testing: Check Cluster Privileges
Adds a functional test to check for cluster level privileges

Closes elasticsearch/elasticsearch-shield-qaelastic/elasticsearch#11

Original commit: elastic/x-pack-elasticsearch@dd79614c24
2015-01-12 10:50:22 +01:00
uboness 982a83943c [Cleanup] - moved LDAP integration tests to ldap package
Original commit: elastic/x-pack-elasticsearch@35627d6e24
2015-01-11 13:41:25 +01:00
javanna 6df767790f Indices resolution: don't go over the indices for requests that don't contain wildcards, just return them as they are
We have two ways of resolving wildcards in shield:
1) expanding them to matching authorized indices for the current user, which is used for every request that implements `IndicesRequest.Replaceable`, giving to wildcards a different meaning in the context of shield, abnd replacing the resolved names to the request on the coordinating node.
2) resolving them as es core would by default: we do this only for `IndicesAliasesRequest` since it's the only request that supports wildcards but doesn't allow to replace its indices. This is done on every node that processes the request, no replacement to the request takes place.

Shard/node level requests are a bit of a special case though since they could potentially contain wildcards. They hold the original indices and indices options, thus they effectively support wildcards, but given that wildcards always get replaced on the coordinating node even before shard/node level requests get created, we are sure they will never contain wildcards. Hence we should never even try to explode their wildcards, since they can't contain any.

We should make the above distinctions clearer in code by:
1) having an assert that verifies the IndicesAliasesRequest special case
2) making sure that we explode wildcards as core would only for IndicesAliasesRequest, not touching shard/node level requests
3) adding an assert that verifies that shard/node level requests never contain wildcards
i

Also, the process of going over the indices by using MetaData#convertFromWildcards (what option 2 does) has one side effect other than wildcards resolution: it causes unnecessary exceptions in shield, exceptions that would be thrown by core anyway when needed after the authorization process. This happens because we try and reuse code taken from es core that does wildcards resolution plus indices validation at once (even if there were no wildcards among indices).

In general all of the user requests that support wildcards (based on their indices options) should have their indices replaced on the coordinating node (the only exception being IndicesAliasesRequest, see elastic/elasticsearch#112), using shield specific code. Their subsequent (internal) shard level requests will never contain wildcards. That's why there is no need to go over all of the indices when there's no wildcards, which would cause some needless validation to happen as well.

Side note: the additional validation step caused tribe node failures with requests against indices belonging to multiple tribes (the exact purpose of the tribe node). Each tribe complained because it didn't have all of the indices in its own cluster state, which is perfectly fine (think of `tribe1` that holds `index1` and `tribe2` that holds `index2`, when searching against both indices from a tribe node). Although this commit makes sure that we don't throw any index missing exception for indices that are not available, all of the tribes will still need to authorize the action on all of the indices (`tribe1` requires privileges for `index2` so does `tribe2` for `index1`, otherwise the shard level requests will get rejected.

Closes elastic/elasticsearch#541

Original commit: elastic/x-pack-elasticsearch@dd81ec0177
2015-01-10 11:50:25 +01:00
uboness 95f125deda [Audit] - change the output for the requests/messages
As es core requests don't implement `toString` at the moment, we can't just render them as they are. Instead, for transport messages we'll only render the class name, and for rest requests we'll render the content if there is one (a rest request without a content will be rendered as an empty string)

Original commit: elastic/x-pack-elasticsearch@fb14b41a28
2015-01-09 13:52:32 +01:00
c-a-m 00e17aabec Test: Functional tests for LDAP and Group Mappings
This adds a framework class for setting up random LDAP realms.  Two implementations test group mapping.

Fixes https://github.com/elasticsearch/elasticsearch-shield-qa/issues/15

Original commit: elastic/x-pack-elasticsearch@2bdc25e306
2015-01-08 08:40:42 -07:00
Alexander Reelsen 112b6a0e57 Tests: Fix test to not collide on same ports
The build at https://build.elasticsearch.com/job/es_shield_plugin/5302/ failed
due to both tests running on the same port.
This cleans up a the test a bit to not have any static components and more independent behaviour.

Original commit: elastic/x-pack-elasticsearch@89db247d3d
2015-01-05 10:30:16 +01:00
Alexander Reelsen 4efe6f1640 Cleanup: Ensure no logic is executed in the constructor
The SignatureService tried to access the system key file in
the constructor, which could lead to endless loops. This PR
moves the service into a AbstractLifecycleComponent to keep
the constructor dumb.

Relates elastic/elasticsearch#517

Original commit: elastic/x-pack-elasticsearch@b1e5bfe98c
2015-01-02 17:33:46 +01:00
jaymode 7106d41315 [Test] invalidate any existing sessions prior to testing hostname verification
For LDAP hostname verification, we use the "default" SSLContext, which is cached in a map
and re-used. If a secure connection is established then the session is cached for use later. In
the tests, we sometimes run a test that connects without hostname verification and a SSL session
is cached. Then when the hostname verification test runs, it uses the cached session and does
not perform hostname verification causing the test to fail. This fix changes the test to always
use a new SSLContext for each test.

Closes elastic/elasticsearch#521

Original commit: elastic/x-pack-elasticsearch@46ffed34bb
2015-01-02 10:47:37 -05:00
Alexander Reelsen c2493f98d7 System key: Set permissions to owner read/write only
When generating the sysemkey, the permissions are set to owner read/write
only in order to protect the system key. This only works, if the underlying
filesystem supports posix permissions.

Closes elastic/elasticsearch#516

Original commit: elastic/x-pack-elasticsearch@32d6e1d745
2015-01-02 09:35:32 +01:00
jaymode b4b3101b63 Fix compilation error by removing use of SecureRandom.getInstanceStrong()
Original commit: elastic/x-pack-elasticsearch@3a5d1c0e89
2014-12-31 14:21:49 -05:00
jaymode 0a9f51f3f5 SSL/TLS: Do not allow writes before handshake is complete
SSLEngine will throw various SSLExceptions when the application initiates a write prior
to the handshake being completed. The NettySecuredTransport marks a channel as ready
for use once it is connected, even though the handshake has not completed. A handler
has been added that performs the handshake and queues writes until the handshake has
completed. Additionally, fix SslMultiPortTests to always connect to the proper client
profile port.

Closes elastic/elasticsearch#390. Closes elastic/elasticsearch#393. Closes elastic/elasticsearch#394. Closes elastic/elasticsearch#395. Closes elastic/elasticsearch#414

Original commit: elastic/x-pack-elasticsearch@1bb3218373
2014-12-31 14:04:03 -05:00
Alexander Reelsen 76735579d1 Scroll API: Allow to clear all scroll requests
Because elasticsearch core does not have a possibility to retrieve the
currently open search contexts across the cluster, there is no possiblity
to check if a user is allowed to close a context, when `_all` is
specified.

This commit introduces a new cluster privilege called
cluster:scroll/clear/_all
which allows to clear all scroll requests.

Closes elastic/elasticsearch#502

Original commit: elastic/x-pack-elasticsearch@5f5ce5de36
2014-12-24 13:48:54 +01:00
jaymode cc9568d1bb Add hostname verification support for transport and ldaps connections
SSL and TLS do not require hostname verification, but without it they are susceptible
to man in the middle attacks. This adds support for hostname verification for
transport client connections and for ldaps connections.

Closes elastic/elasticsearch#489

Original commit: elastic/x-pack-elasticsearch@c9380f0319
2014-12-23 14:22:00 -05:00
c-a-m c052a8ca95 Disable TCP read timeout tests
Added AwaitsFix(bugUrl = "https://github.com/elasticsearch/elasticsearch-shield/issues/499") to each test to ignore them to get CI working.

Original commit: elastic/x-pack-elasticsearch@2b0b1f0f21
2014-12-23 09:27:36 -07:00
Martijn van Groningen 9f014a9bf9 slightly improved logging.
Original commit: elastic/x-pack-elasticsearch@7a131bc4d8
2014-12-23 16:41:16 +01:00
Martijn van Groningen df7fc714e7 Ensure that the refresh has ran on all shards.
Original commit: elastic/x-pack-elasticsearch@6214514956
2014-12-23 16:30:04 +01:00
c-a-m cd9edbc75a Fixed AD leaked thread bug
The AD connection leaks a thread from the initial user search.  This fixes the issue.

Original commit: elastic/x-pack-elasticsearch@f8a3e4fa35
2014-12-23 08:26:58 -07:00
c-a-m 661b755639 test: ldap timeout test failing on windows
This extends the connect timeout on windows to give it enought time to complete.  It moves the ldap read timeout test to openldap and active directory.

We now have three timeouts configurable.  The timeout tests on active directory only work for TCP connect, and TCP read, but not LDAP Search.

Original commit: elastic/x-pack-elasticsearch@ff97396f60
2014-12-22 10:03:17 -07:00