import org.elasticsearch.gradle.info.BuildParams evaluationDependsOn(xpackModule('core')) apply plugin: 'elasticsearch.esplugin' apply plugin: 'nebula.maven-scm' esplugin { name 'x-pack-security' description 'Elasticsearch Expanded Pack Plugin - Security' classname 'org.elasticsearch.xpack.security.Security' requiresKeystore true extendedPlugins = ['x-pack-core'] } archivesBaseName = 'x-pack-security' dependencies { compileOnly project(path: xpackModule('core'), configuration: 'default') compileOnly project(path: ':modules:transport-netty4', configuration: 'runtime') compileOnly project(path: ':plugins:transport-nio', configuration: 'runtime') testCompile project(path: xpackModule('monitoring')) testCompile project(path: xpackModule('sql:sql-action')) testCompile project(path: xpackModule('core'), configuration: 'testArtifacts') compile 'com.unboundid:unboundid-ldapsdk:4.0.8' compileOnly 'org.bouncycastle:bcprov-jdk15on:1.59' compileOnly 'org.bouncycastle:bcpkix-jdk15on:1.59' // the following are all SAML dependencies - might as well download the whole internet compile "org.opensaml:opensaml-core:3.4.5" compile "org.opensaml:opensaml-saml-api:3.4.5" compile "org.opensaml:opensaml-saml-impl:3.4.5" compile "org.opensaml:opensaml-messaging-api:3.4.5" compile "org.opensaml:opensaml-messaging-impl:3.4.5" compile "org.opensaml:opensaml-security-api:3.4.5" compile "org.opensaml:opensaml-security-impl:3.4.5" compile "org.opensaml:opensaml-profile-api:3.4.5" compile "org.opensaml:opensaml-profile-impl:3.4.5" compile "org.opensaml:opensaml-xmlsec-api:3.4.5" compile "org.opensaml:opensaml-xmlsec-impl:3.4.5" compile "org.opensaml:opensaml-soap-api:3.4.5" compile "org.opensaml:opensaml-soap-impl:3.4.5" compile "org.opensaml:opensaml-storage-api:3.4.5" compile "org.opensaml:opensaml-storage-impl:3.4.5" compile "net.shibboleth.utilities:java-support:7.5.1" compile "org.apache.santuario:xmlsec:2.1.4" compile "io.dropwizard.metrics:metrics-core:3.2.2" compile "org.cryptacular:cryptacular:1.2.3" compile "org.slf4j:slf4j-api:${versions.slf4j}" compile "org.apache.logging.log4j:log4j-slf4j-impl:${versions.log4j}" compile "org.apache.httpcomponents:httpclient:${versions.httpclient}" compile "org.apache.httpcomponents:httpcore:${versions.httpcore}" compile "org.apache.httpcomponents:httpasyncclient:${versions.httpasyncclient}" compile "org.apache.httpcomponents:httpcore-nio:${versions.httpcore}" compile "org.apache.httpcomponents:httpclient-cache:${versions.httpclient}" compile 'com.google.guava:guava:19.0' // Dependencies for oidc compile "com.nimbusds:oauth2-oidc-sdk:6.16.5" compile "com.nimbusds:nimbus-jose-jwt:8.2" compile "com.nimbusds:lang-tag:1.4.4" compile "com.sun.mail:jakarta.mail:1.6.3" compile "net.jcip:jcip-annotations:1.0" compile "net.minidev:json-smart:2.3" compile "net.minidev:accessors-smart:1.2" compile "org.ow2.asm:asm:7.1" testCompile 'org.elasticsearch:securemock:1.2' testCompile "org.elasticsearch:mocksocket:${versions.mocksocket}" //testCompile "org.yaml:snakeyaml:${versions.snakeyaml}" // Test dependencies for Kerberos (MiniKdc) testCompile('commons-io:commons-io:2.5') testCompile('org.apache.kerby:kerb-simplekdc:1.1.1') testCompile('org.apache.kerby:kerb-client:1.1.1') testCompile('org.apache.kerby:kerby-config:1.1.1') testCompile('org.apache.kerby:kerb-core:1.1.1') testCompile('org.apache.kerby:kerby-pkix:1.1.1') testCompile('org.apache.kerby:kerby-asn1:1.1.1') testCompile('org.apache.kerby:kerby-util:1.1.1') testCompile('org.apache.kerby:kerb-common:1.1.1') testCompile('org.apache.kerby:kerb-crypto:1.1.1') testCompile('org.apache.kerby:kerb-util:1.1.1') testCompile('org.apache.kerby:token-provider:1.1.1') testCompile('com.nimbusds:nimbus-jose-jwt:8.2') testCompile('net.jcip:jcip-annotations:1.0') testCompile('org.apache.kerby:kerb-admin:1.1.1') testCompile('org.apache.kerby:kerb-server:1.1.1') testCompile('org.apache.kerby:kerb-identity:1.1.1') testCompile('org.apache.kerby:kerby-xdr:1.1.1') // LDAP backend support for SimpleKdcServer testCompile('org.apache.kerby:kerby-backend:1.1.1') testCompile('org.apache.kerby:ldap-backend:1.1.1') testCompile('org.apache.kerby:kerb-identity:1.1.1') testCompile('org.apache.directory.api:api-ldap-client-api:1.0.0') testCompile('org.apache.directory.api:api-ldap-schema-data:1.0.0') testCompile('org.apache.directory.api:api-ldap-codec-core:1.0.0') testCompile('org.apache.directory.api:api-ldap-extras-aci:1.0.0') testCompile('org.apache.directory.api:api-ldap-extras-codec:1.0.0') testCompile('org.apache.directory.api:api-ldap-extras-codec-api:1.0.0') testCompile('commons-pool:commons-pool:1.6') testCompile('commons-collections:commons-collections:3.2') testCompile('org.apache.mina:mina-core:2.0.17') testCompile('org.apache.directory.api:api-util:1.0.1') testCompile('org.apache.directory.api:api-i18n:1.0.1') testCompile('org.apache.directory.api:api-ldap-model:1.0.1') testCompile('org.apache.directory.api:api-asn1-api:1.0.1') testCompile('org.apache.directory.api:api-asn1-ber:1.0.1') testCompile('org.apache.servicemix.bundles:org.apache.servicemix.bundles.antlr:2.7.7_5') testCompile('org.apache.directory.server:apacheds-core-api:2.0.0-M24') testCompile('org.apache.directory.server:apacheds-i18n:2.0.0-M24') testCompile('org.apache.directory.api:api-ldap-extras-util:1.0.0') testCompile('net.sf.ehcache:ehcache:2.10.4') testCompile('org.apache.directory.server:apacheds-kerberos-codec:2.0.0-M24') testCompile('org.apache.directory.server:apacheds-protocol-ldap:2.0.0-M24') testCompile('org.apache.directory.server:apacheds-protocol-shared:2.0.0-M24') testCompile('org.apache.directory.jdbm:apacheds-jdbm1:2.0.0-M3') testCompile('org.apache.directory.server:apacheds-jdbm-partition:2.0.0-M24') testCompile('org.apache.directory.server:apacheds-xdbm-partition:2.0.0-M24') testCompile('org.apache.directory.api:api-ldap-extras-sp:1.0.0') testCompile('org.apache.directory.server:apacheds-test-framework:2.0.0-M24') testCompile('org.apache.directory.server:apacheds-core-annotations:2.0.0-M24') testCompile('org.apache.directory.server:apacheds-ldif-partition:2.0.0-M24') testCompile('org.apache.directory.server:apacheds-mavibot-partition:2.0.0-M24') testCompile('org.apache.directory.server:apacheds-protocol-kerberos:2.0.0-M24') testCompile('org.apache.directory.server:apacheds-server-annotations:2.0.0-M24') testCompile('org.apache.directory.api:api-ldap-codec-standalone:1.0.0') testCompile('org.apache.directory.api:api-ldap-net-mina:1.0.0') testCompile('org.apache.directory.server:ldap-client-test:2.0.0-M24') testCompile('org.apache.directory.server:apacheds-interceptor-kerberos:2.0.0-M24') testCompile('org.apache.directory.mavibot:mavibot:1.0.0-M8') } compileJava.options.compilerArgs << "-Xlint:-rawtypes,-unchecked" compileTestJava.options.compilerArgs << "-Xlint:-rawtypes,-unchecked" processTestResources { from(project(xpackModule('core')).file('src/main/config')) from(project(xpackModule('core')).file('src/test/resources')) } configurations { testArtifacts.extendsFrom testRuntime } task testJar(type: Jar) { appendix 'test' from sourceSets.test.output } artifacts { // normal es plugins do not publish the jar but we need to since users need it for Transport Clients and extensions archives jar testArtifacts testJar } dependencyLicenses { mapping from: /java-support|opensaml-.*/, to: 'shibboleth' mapping from: /http.*/, to: 'httpclient' } licenseHeaders { // This class was sourced from apache directory studio for some microsoft-specific logic excludes << 'org/elasticsearch/xpack/security/authc/ldap/ActiveDirectorySIDUtil.java' } forbiddenPatterns { exclude '**/*.key' exclude '**/*.p12' exclude '**/*.der' exclude '**/*.zip' } forbiddenApisMain { signaturesFiles += files('forbidden/ldap-signatures.txt', 'forbidden/xml-signatures.txt', 'forbidden/oidc-signatures.txt') } // classes are missing, e.g. com.ibm.icu.lang.UCharacter thirdPartyAudit { ignoreMissingClasses ( // SAML dependencies // [missing classes] Some cli utilities that we don't use depend on these missing JCommander classes 'com.beust.jcommander.JCommander', 'com.beust.jcommander.converters.BaseConverter', // [missing classes] Shibboleth + OpenSAML have servlet support that we don't use 'javax.servlet.AsyncContext', 'javax.servlet.DispatcherType', 'javax.servlet.Filter', 'javax.servlet.FilterChain', 'javax.servlet.FilterConfig', 'javax.servlet.RequestDispatcher', 'javax.servlet.ServletContext', 'javax.servlet.ServletException', 'javax.servlet.ServletInputStream', 'javax.servlet.ServletOutputStream', 'javax.servlet.ServletRequest', 'javax.servlet.ServletResponse', 'javax.servlet.http.Cookie', 'javax.servlet.http.HttpServletRequest', 'javax.servlet.http.HttpServletResponse', 'javax.servlet.http.HttpServletResponseWrapper', 'javax.servlet.http.HttpSession', 'javax.servlet.http.Part', // [missing classes] Shibboleth + OpenSAML have velocity support that we don't use 'org.apache.velocity.VelocityContext', 'org.apache.velocity.app.VelocityEngine', 'org.apache.velocity.context.Context', 'org.apache.velocity.exception.VelocityException', 'org.apache.velocity.runtime.RuntimeServices', 'org.apache.velocity.runtime.log.LogChute', 'org.apache.velocity.runtime.resource.loader.StringResourceLoader', 'org.apache.velocity.runtime.resource.util.StringResourceRepository', // [missing classes] OpenSAML depends on Apache XML security which depends on Xalan, but only for functionality that OpenSAML doesn't use 'org.apache.xml.dtm.DTM', 'org.apache.xml.utils.PrefixResolver', 'org.apache.xml.utils.PrefixResolverDefault', 'org.apache.xpath.Expression', 'org.apache.xpath.NodeSetDTM', 'org.apache.xpath.XPath', 'org.apache.xpath.XPathContext', 'org.apache.xpath.compiler.FunctionTable', 'org.apache.xpath.functions.Function', 'org.apache.xpath.objects.XNodeSet', 'org.apache.xpath.objects.XObject', // [missing classes] OpenSAML storage has an optional LDAP storage impl 'org.ldaptive.AttributeModification', 'org.ldaptive.AttributeModificationType', 'org.ldaptive.Connection', 'org.ldaptive.DeleteOperation', 'org.ldaptive.DeleteRequest', 'org.ldaptive.LdapAttribute', 'org.ldaptive.LdapEntry', 'org.ldaptive.LdapException', 'org.ldaptive.ModifyOperation', 'org.ldaptive.ModifyRequest', 'org.ldaptive.Response', 'org.ldaptive.ResultCode', 'org.ldaptive.SearchOperation', 'org.ldaptive.SearchRequest', 'org.ldaptive.SearchResult', 'org.ldaptive.ext.MergeOperation', 'org.ldaptive.ext.MergeRequest', 'org.ldaptive.pool.ConnectionPool', 'org.ldaptive.pool.PooledConnectionFactory', // [missing classes] OpenSAML storage has an optional JSON-backed storage impl 'javax.json.Json', 'javax.json.JsonException', 'javax.json.JsonNumber', 'javax.json.JsonObject', 'javax.json.JsonReader', 'javax.json.JsonValue$ValueType', 'javax.json.JsonValue', 'javax.json.stream.JsonGenerator', // [missing classes] OpenSAML storage has an optional JPA storage impl 'javax.persistence.EntityManager', 'javax.persistence.EntityManagerFactory', 'javax.persistence.EntityTransaction', 'javax.persistence.LockModeType', 'javax.persistence.Query', // [missing classes] OpenSAML storage and HttpClient cache have optional memcache support 'net.spy.memcached.CASResponse', 'net.spy.memcached.CASValue', 'net.spy.memcached.MemcachedClient', 'net.spy.memcached.MemcachedClientIF', 'net.spy.memcached.CachedData', 'net.spy.memcached.internal.OperationFuture', 'net.spy.memcached.transcoders.Transcoder', // [missing classes] Http Client cache has optional ehcache support 'net.sf.ehcache.Ehcache', 'net.sf.ehcache.Element', // [missing classes] SLF4j includes an optional class that depends on an extension class (!) 'org.slf4j.ext.EventData', // Optional dependency of oauth2-oidc-sdk that we don't need since we do not support AES-SIV for JWE 'org.cryptomator.siv.SivMode', // Optional dependency of nimbus-jose-jwt for handling Ed25519 signatures and ECDH with X25519 (RFC 8037) 'com.google.crypto.tink.subtle.Ed25519Sign', 'com.google.crypto.tink.subtle.Ed25519Sign$KeyPair', 'com.google.crypto.tink.subtle.Ed25519Verify', 'com.google.crypto.tink.subtle.X25519' ) ignoreViolations( // Guava uses internal java api: sun.misc.Unsafe 'com.google.common.cache.Striped64', 'com.google.common.cache.Striped64$1', 'com.google.common.cache.Striped64$Cell', 'com.google.common.primitives.UnsignedBytes$LexicographicalComparatorHolder$UnsafeComparator', 'com.google.common.primitives.UnsignedBytes$LexicographicalComparatorHolder$UnsafeComparator$1', 'com.google.common.util.concurrent.AbstractFuture$UnsafeAtomicHelper', 'com.google.common.util.concurrent.AbstractFuture$UnsafeAtomicHelper$1', ) } rootProject.globalInfo.ready { if (BuildParams.runtimeJavaVersion > JavaVersion.VERSION_1_8) { thirdPartyAudit.ignoreMissingClasses( 'javax.xml.bind.JAXBContext', 'javax.xml.bind.JAXBElement', 'javax.xml.bind.JAXBException', 'javax.xml.bind.Unmarshaller', 'javax.xml.bind.UnmarshallerHandler', 'javax.activation.ActivationDataFlavor', 'javax.activation.DataContentHandler', 'javax.activation.DataHandler', 'javax.activation.DataSource', 'javax.activation.FileDataSource', 'javax.activation.FileTypeMap' ) } } test { /* * We have to disable setting the number of available processors as tests in the same JVM randomize processors and will step on each * other if we allow them to set the number of available processors as it's set-once in Netty. */ systemProperty 'es.set.netty.runtime.available.processors', 'false' /* * Some tests in this module set up a lot of transport threads so we reduce the buffer size per transport thread from the 1M default * to keep direct memory usage under control. */ systemProperty 'es.transport.buffer.size', '256k' } // xpack modules are installed in real clusters as the meta plugin, so // installing them as individual plugins for integ tests doesn't make sense, // so we disable integ tests integTest.enabled = false // add all sub-projects of the qa sub-project gradle.projectsEvaluated { project.subprojects .find { it.path == project.path + ":qa" } .subprojects .findAll { it.path.startsWith(project.path + ":qa") } .each { check.dependsOn it.check } }