mirror of
https://github.com/honeymoose/OpenSearch.git
synced 2025-02-07 05:28:34 +00:00
fe9442b05b
This commit adds an OpenID Connect authentication realm to elasticsearch. Elasticsearch (with the assistance of kibana or another web component) acts as an OpenID Connect Relying Party and supports the Authorization Code Grant and Implicit flows as described in http://ela.st/oidc-spec. It adds support for consuming and verifying signed ID Tokens, both RP initiated and 3rd party initiated Single Sign on and RP initiated signle logout. It also adds an OpenID Connect Provider in the idp-fixture to be used for the associated integration tests. This is a backport of #40674
331 lines
15 KiB
Groovy
331 lines
15 KiB
Groovy
evaluationDependsOn(xpackModule('core'))
|
|
|
|
apply plugin: 'elasticsearch.esplugin'
|
|
apply plugin: 'nebula.maven-scm'
|
|
esplugin {
|
|
name 'x-pack-security'
|
|
description 'Elasticsearch Expanded Pack Plugin - Security'
|
|
classname 'org.elasticsearch.xpack.security.Security'
|
|
requiresKeystore true
|
|
extendedPlugins = ['x-pack-core']
|
|
}
|
|
|
|
archivesBaseName = 'x-pack-security'
|
|
|
|
dependencies {
|
|
// "org.elasticsearch.plugin:x-pack-core:${version}" doesn't work with idea because the testArtifacts are also here
|
|
compileOnly project(path: xpackModule('core'), configuration: 'default')
|
|
compileOnly project(path: ':modules:transport-netty4', configuration: 'runtime')
|
|
compileOnly project(path: ':plugins:transport-nio', configuration: 'runtime')
|
|
|
|
testCompile project(path: xpackModule('monitoring'))
|
|
testCompile project(path: xpackModule('sql:sql-action'))
|
|
|
|
testCompile project(path: xpackModule('core'), configuration: 'testArtifacts')
|
|
|
|
compile 'com.unboundid:unboundid-ldapsdk:4.0.8'
|
|
compileOnly 'org.bouncycastle:bcprov-jdk15on:1.59'
|
|
compileOnly 'org.bouncycastle:bcpkix-jdk15on:1.59'
|
|
|
|
// the following are all SAML dependencies - might as well download the whole internet
|
|
compile "org.opensaml:opensaml-core:3.3.0"
|
|
compile "org.opensaml:opensaml-saml-api:3.3.0"
|
|
compile "org.opensaml:opensaml-saml-impl:3.3.0"
|
|
compile "org.opensaml:opensaml-messaging-api:3.3.0"
|
|
compile "org.opensaml:opensaml-messaging-impl:3.3.0"
|
|
compile "org.opensaml:opensaml-security-api:3.3.0"
|
|
compile "org.opensaml:opensaml-security-impl:3.3.0"
|
|
compile "org.opensaml:opensaml-profile-api:3.3.0"
|
|
compile "org.opensaml:opensaml-profile-impl:3.3.0"
|
|
compile "org.opensaml:opensaml-xmlsec-api:3.3.0"
|
|
compile "org.opensaml:opensaml-xmlsec-impl:3.3.0"
|
|
compile "org.opensaml:opensaml-soap-api:3.3.0"
|
|
compile "org.opensaml:opensaml-soap-impl:3.3.0"
|
|
compile "org.opensaml:opensaml-storage-api:3.3.0"
|
|
compile "org.opensaml:opensaml-storage-impl:3.3.0"
|
|
compile "net.shibboleth.utilities:java-support:7.3.0"
|
|
compile "org.apache.santuario:xmlsec:2.0.8"
|
|
compile "io.dropwizard.metrics:metrics-core:3.2.2"
|
|
compile "org.cryptacular:cryptacular:1.2.0"
|
|
compile "org.slf4j:slf4j-api:${versions.slf4j}"
|
|
compile "org.apache.logging.log4j:log4j-slf4j-impl:${versions.log4j}"
|
|
compile "org.apache.httpcomponents:httpclient:${versions.httpclient}"
|
|
compile "org.apache.httpcomponents:httpcore:${versions.httpcore}"
|
|
compile "org.apache.httpcomponents:httpasyncclient:${versions.httpasyncclient}"
|
|
compile "org.apache.httpcomponents:httpcore-nio:${versions.httpcore}"
|
|
compile "org.apache.httpcomponents:httpclient-cache:${versions.httpclient}"
|
|
compile 'com.google.guava:guava:19.0'
|
|
|
|
// Dependencies for oidc
|
|
compile "com.nimbusds:oauth2-oidc-sdk:6.5"
|
|
compile "com.nimbusds:nimbus-jose-jwt:4.41.2"
|
|
compile "com.nimbusds:lang-tag:1.4.4"
|
|
compile "com.sun.mail:jakarta.mail:1.6.3"
|
|
compile "net.jcip:jcip-annotations:1.0"
|
|
compile "net.minidev:json-smart:2.3"
|
|
compile "net.minidev:accessors-smart:1.2"
|
|
compile "org.ow2.asm:asm:7.1"
|
|
|
|
testCompile 'org.elasticsearch:securemock:1.2'
|
|
testCompile "org.elasticsearch:mocksocket:${versions.mocksocket}"
|
|
//testCompile "org.yaml:snakeyaml:${versions.snakeyaml}"
|
|
|
|
// Test dependencies for Kerberos (MiniKdc)
|
|
testCompile('commons-io:commons-io:2.5')
|
|
testCompile('org.apache.kerby:kerb-simplekdc:1.1.1')
|
|
testCompile('org.apache.kerby:kerb-client:1.1.1')
|
|
testCompile('org.apache.kerby:kerby-config:1.1.1')
|
|
testCompile('org.apache.kerby:kerb-core:1.1.1')
|
|
testCompile('org.apache.kerby:kerby-pkix:1.1.1')
|
|
testCompile('org.apache.kerby:kerby-asn1:1.1.1')
|
|
testCompile('org.apache.kerby:kerby-util:1.1.1')
|
|
testCompile('org.apache.kerby:kerb-common:1.1.1')
|
|
testCompile('org.apache.kerby:kerb-crypto:1.1.1')
|
|
testCompile('org.apache.kerby:kerb-util:1.1.1')
|
|
testCompile('org.apache.kerby:token-provider:1.1.1')
|
|
testCompile('com.nimbusds:nimbus-jose-jwt:4.41.2')
|
|
testCompile('net.jcip:jcip-annotations:1.0')
|
|
testCompile('org.apache.kerby:kerb-admin:1.1.1')
|
|
testCompile('org.apache.kerby:kerb-server:1.1.1')
|
|
testCompile('org.apache.kerby:kerb-identity:1.1.1')
|
|
testCompile('org.apache.kerby:kerby-xdr:1.1.1')
|
|
|
|
// LDAP backend support for SimpleKdcServer
|
|
testCompile('org.apache.kerby:kerby-backend:1.1.1')
|
|
testCompile('org.apache.kerby:ldap-backend:1.1.1')
|
|
testCompile('org.apache.kerby:kerb-identity:1.1.1')
|
|
testCompile('org.apache.directory.api:api-ldap-client-api:1.0.0')
|
|
testCompile('org.apache.directory.api:api-ldap-schema-data:1.0.0')
|
|
testCompile('org.apache.directory.api:api-ldap-codec-core:1.0.0')
|
|
testCompile('org.apache.directory.api:api-ldap-extras-aci:1.0.0')
|
|
testCompile('org.apache.directory.api:api-ldap-extras-codec:1.0.0')
|
|
testCompile('org.apache.directory.api:api-ldap-extras-codec-api:1.0.0')
|
|
testCompile('commons-pool:commons-pool:1.6')
|
|
testCompile('commons-collections:commons-collections:3.2')
|
|
testCompile('org.apache.mina:mina-core:2.0.17')
|
|
testCompile('org.apache.directory.api:api-util:1.0.1')
|
|
testCompile('org.apache.directory.api:api-i18n:1.0.1')
|
|
testCompile('org.apache.directory.api:api-ldap-model:1.0.1')
|
|
testCompile('org.apache.directory.api:api-asn1-api:1.0.1')
|
|
testCompile('org.apache.directory.api:api-asn1-ber:1.0.1')
|
|
testCompile('org.apache.servicemix.bundles:org.apache.servicemix.bundles.antlr:2.7.7_5')
|
|
testCompile('org.apache.directory.server:apacheds-core-api:2.0.0-M24')
|
|
testCompile('org.apache.directory.server:apacheds-i18n:2.0.0-M24')
|
|
testCompile('org.apache.directory.api:api-ldap-extras-util:1.0.0')
|
|
testCompile('net.sf.ehcache:ehcache:2.10.4')
|
|
testCompile('org.apache.directory.server:apacheds-kerberos-codec:2.0.0-M24')
|
|
testCompile('org.apache.directory.server:apacheds-protocol-ldap:2.0.0-M24')
|
|
testCompile('org.apache.directory.server:apacheds-protocol-shared:2.0.0-M24')
|
|
testCompile('org.apache.directory.jdbm:apacheds-jdbm1:2.0.0-M3')
|
|
testCompile('org.apache.directory.server:apacheds-jdbm-partition:2.0.0-M24')
|
|
testCompile('org.apache.directory.server:apacheds-xdbm-partition:2.0.0-M24')
|
|
testCompile('org.apache.directory.api:api-ldap-extras-sp:1.0.0')
|
|
testCompile('org.apache.directory.server:apacheds-test-framework:2.0.0-M24')
|
|
testCompile('org.apache.directory.server:apacheds-core-annotations:2.0.0-M24')
|
|
testCompile('org.apache.directory.server:apacheds-ldif-partition:2.0.0-M24')
|
|
testCompile('org.apache.directory.server:apacheds-mavibot-partition:2.0.0-M24')
|
|
testCompile('org.apache.directory.server:apacheds-protocol-kerberos:2.0.0-M24')
|
|
testCompile('org.apache.directory.server:apacheds-server-annotations:2.0.0-M24')
|
|
testCompile('org.apache.directory.api:api-ldap-codec-standalone:1.0.0')
|
|
testCompile('org.apache.directory.api:api-ldap-net-mina:1.0.0')
|
|
testCompile('org.apache.directory.server:ldap-client-test:2.0.0-M24')
|
|
testCompile('org.apache.directory.server:apacheds-interceptor-kerberos:2.0.0-M24')
|
|
testCompile('org.apache.directory.mavibot:mavibot:1.0.0-M8')
|
|
}
|
|
|
|
compileJava.options.compilerArgs << "-Xlint:-rawtypes,-unchecked"
|
|
compileTestJava.options.compilerArgs << "-Xlint:-rawtypes,-unchecked"
|
|
|
|
processTestResources {
|
|
from(project(xpackModule('core')).file('src/main/config'))
|
|
from(project(xpackModule('core')).file('src/test/resources'))
|
|
}
|
|
|
|
configurations {
|
|
testArtifacts.extendsFrom testRuntime
|
|
}
|
|
task testJar(type: Jar) {
|
|
appendix 'test'
|
|
from sourceSets.test.output
|
|
}
|
|
artifacts {
|
|
// normal es plugins do not publish the jar but we need to since users need it for Transport Clients and extensions
|
|
archives jar
|
|
testArtifacts testJar
|
|
}
|
|
|
|
dependencyLicenses {
|
|
mapping from: /java-support|opensaml-.*/, to: 'shibboleth'
|
|
mapping from: /http.*/, to: 'httpclient'
|
|
}
|
|
|
|
licenseHeaders {
|
|
// This class was sourced from apache directory studio for some microsoft-specific logic
|
|
excludes << 'org/elasticsearch/xpack/security/authc/ldap/ActiveDirectorySIDUtil.java'
|
|
}
|
|
|
|
forbiddenPatterns {
|
|
exclude '**/*.key'
|
|
exclude '**/*.p12'
|
|
exclude '**/*.der'
|
|
exclude '**/*.zip'
|
|
}
|
|
|
|
forbiddenApisMain {
|
|
signaturesFiles += files('forbidden/ldap-signatures.txt', 'forbidden/xml-signatures.txt', 'forbidden/oidc-signatures.txt')
|
|
}
|
|
|
|
// classes are missing, e.g. com.ibm.icu.lang.UCharacter
|
|
thirdPartyAudit {
|
|
ignoreMissingClasses (
|
|
// SAML dependencies
|
|
// [missing classes] Some cli utilities that we don't use depend on these missing JCommander classes
|
|
'com.beust.jcommander.JCommander',
|
|
'com.beust.jcommander.converters.BaseConverter',
|
|
// [missing classes] Shibboleth + OpenSAML have servlet support that we don't use
|
|
'javax.servlet.AsyncContext',
|
|
'javax.servlet.DispatcherType',
|
|
'javax.servlet.Filter',
|
|
'javax.servlet.FilterChain',
|
|
'javax.servlet.FilterConfig',
|
|
'javax.servlet.RequestDispatcher',
|
|
'javax.servlet.ServletContext',
|
|
'javax.servlet.ServletException',
|
|
'javax.servlet.ServletInputStream',
|
|
'javax.servlet.ServletOutputStream',
|
|
'javax.servlet.ServletRequest',
|
|
'javax.servlet.ServletResponse',
|
|
'javax.servlet.http.Cookie',
|
|
'javax.servlet.http.HttpServletRequest',
|
|
'javax.servlet.http.HttpServletResponse',
|
|
'javax.servlet.http.HttpServletResponseWrapper',
|
|
'javax.servlet.http.HttpSession',
|
|
'javax.servlet.http.Part',
|
|
// [missing classes] Shibboleth + OpenSAML have velocity support that we don't use
|
|
'org.apache.velocity.VelocityContext',
|
|
'org.apache.velocity.app.VelocityEngine',
|
|
'org.apache.velocity.context.Context',
|
|
'org.apache.velocity.exception.VelocityException',
|
|
'org.apache.velocity.runtime.RuntimeServices',
|
|
'org.apache.velocity.runtime.log.LogChute',
|
|
'org.apache.velocity.runtime.resource.loader.StringResourceLoader',
|
|
'org.apache.velocity.runtime.resource.util.StringResourceRepository',
|
|
// [missing classes] OpenSAML depends on Apache XML security which depends on Xalan, but only for functionality that OpenSAML doesn't use
|
|
'org.apache.xml.dtm.DTM',
|
|
'org.apache.xml.utils.PrefixResolver',
|
|
'org.apache.xml.utils.PrefixResolverDefault',
|
|
'org.apache.xpath.Expression',
|
|
'org.apache.xpath.NodeSetDTM',
|
|
'org.apache.xpath.XPath',
|
|
'org.apache.xpath.XPathContext',
|
|
'org.apache.xpath.compiler.FunctionTable',
|
|
'org.apache.xpath.functions.Function',
|
|
'org.apache.xpath.objects.XNodeSet',
|
|
'org.apache.xpath.objects.XObject',
|
|
// [missing classes] OpenSAML storage has an optional LDAP storage impl
|
|
'org.ldaptive.AttributeModification',
|
|
'org.ldaptive.AttributeModificationType',
|
|
'org.ldaptive.Connection',
|
|
'org.ldaptive.DeleteOperation',
|
|
'org.ldaptive.DeleteRequest',
|
|
'org.ldaptive.LdapAttribute',
|
|
'org.ldaptive.LdapEntry',
|
|
'org.ldaptive.LdapException',
|
|
'org.ldaptive.ModifyOperation',
|
|
'org.ldaptive.ModifyRequest',
|
|
'org.ldaptive.Response',
|
|
'org.ldaptive.ResultCode',
|
|
'org.ldaptive.SearchOperation',
|
|
'org.ldaptive.SearchRequest',
|
|
'org.ldaptive.SearchResult',
|
|
'org.ldaptive.ext.MergeOperation',
|
|
'org.ldaptive.ext.MergeRequest',
|
|
'org.ldaptive.pool.ConnectionPool',
|
|
'org.ldaptive.pool.PooledConnectionFactory',
|
|
// [missing classes] OpenSAML storage has an optional JSON-backed storage impl
|
|
'javax.json.Json',
|
|
'javax.json.JsonException',
|
|
'javax.json.JsonNumber',
|
|
'javax.json.JsonObject',
|
|
'javax.json.JsonReader',
|
|
'javax.json.JsonValue$ValueType',
|
|
'javax.json.JsonValue',
|
|
'javax.json.stream.JsonGenerator',
|
|
// [missing classes] OpenSAML storage has an optional JPA storage impl
|
|
'javax.persistence.EntityManager',
|
|
'javax.persistence.EntityManagerFactory',
|
|
'javax.persistence.EntityTransaction',
|
|
'javax.persistence.LockModeType',
|
|
'javax.persistence.Query',
|
|
// [missing classes] OpenSAML storage and HttpClient cache have optional memcache support
|
|
'net.spy.memcached.CASResponse',
|
|
'net.spy.memcached.CASValue',
|
|
'net.spy.memcached.MemcachedClient',
|
|
'net.spy.memcached.MemcachedClientIF',
|
|
'net.spy.memcached.CachedData',
|
|
'net.spy.memcached.internal.OperationFuture',
|
|
'net.spy.memcached.transcoders.Transcoder',
|
|
// [missing classes] Http Client cache has optional ehcache support
|
|
'net.sf.ehcache.Ehcache',
|
|
'net.sf.ehcache.Element',
|
|
// [missing classes] SLF4j includes an optional class that depends on an extension class (!)
|
|
'org.slf4j.ext.EventData',
|
|
// Optional dependency of oauth2-oidc-sdk that we don't need since we do not support AES-SIV for JWE
|
|
'org.cryptomator.siv.SivMode'
|
|
)
|
|
|
|
ignoreViolations (
|
|
// Guava uses internal java api: sun.misc.Unsafe
|
|
'com.google.common.cache.Striped64',
|
|
'com.google.common.cache.Striped64$1',
|
|
'com.google.common.cache.Striped64$Cell',
|
|
'com.google.common.primitives.UnsignedBytes$LexicographicalComparatorHolder$UnsafeComparator',
|
|
'com.google.common.primitives.UnsignedBytes$LexicographicalComparatorHolder$UnsafeComparator$1',
|
|
'com.google.common.util.concurrent.AbstractFuture$UnsafeAtomicHelper',
|
|
'com.google.common.util.concurrent.AbstractFuture$UnsafeAtomicHelper$1',
|
|
)
|
|
}
|
|
|
|
if (project.runtimeJavaVersion > JavaVersion.VERSION_1_8) {
|
|
thirdPartyAudit.ignoreMissingClasses(
|
|
'javax.xml.bind.JAXBContext',
|
|
'javax.xml.bind.JAXBElement',
|
|
'javax.xml.bind.JAXBException',
|
|
'javax.xml.bind.Unmarshaller',
|
|
'javax.xml.bind.UnmarshallerHandler',
|
|
'javax.activation.ActivationDataFlavor',
|
|
'javax.activation.DataContentHandler',
|
|
'javax.activation.DataHandler',
|
|
'javax.activation.DataSource',
|
|
'javax.activation.FileDataSource',
|
|
'javax.activation.FileTypeMap'
|
|
)
|
|
}
|
|
|
|
run {
|
|
plugin xpackModule('core')
|
|
}
|
|
|
|
test {
|
|
/*
|
|
* We have to disable setting the number of available processors as tests in the same JVM randomize processors and will step on each
|
|
* other if we allow them to set the number of available processors as it's set-once in Netty.
|
|
*/
|
|
systemProperty 'es.set.netty.runtime.available.processors', 'false'
|
|
}
|
|
|
|
// xpack modules are installed in real clusters as the meta plugin, so
|
|
// installing them as individual plugins for integ tests doesn't make sense,
|
|
// so we disable integ tests
|
|
integTest.enabled = false
|
|
|
|
// add all sub-projects of the qa sub-project
|
|
gradle.projectsEvaluated {
|
|
project.subprojects
|
|
.find { it.path == project.path + ":qa" }
|
|
.subprojects
|
|
.findAll { it.path.startsWith(project.path + ":qa") }
|
|
.each { check.dependsOn it.check }
|
|
}
|
|
|