mirror of
https://github.com/honeymoose/OpenSearch.git
synced 2025-03-02 17:09:18 +00:00
2bee27dd54
This commit allows the Transport Actions for the SSO realms to indicate the realm that should be used to authenticate the constructed AuthenticationToken. This is useful in the case that many authentication realms of the same type have been configured and where the caller of the API(Kibana or a custom web app) already know which realm should be used so there is no need to iterate all the realms of the same type. The realm parameter is added in the relevant REST APIs as optional so as not to introduce any breaking change.
108 lines
5.2 KiB
Groovy
108 lines
5.2 KiB
Groovy
Project idpFixtureProject = xpackProject("test:idp-fixture")
|
|
|
|
apply plugin: 'elasticsearch.testclusters'
|
|
apply plugin: 'elasticsearch.standalone-rest-test'
|
|
apply plugin: 'elasticsearch.rest-test'
|
|
apply plugin: 'elasticsearch.test.fixtures'
|
|
|
|
dependencies {
|
|
testCompile project(path: xpackModule('core'), configuration: 'testArtifacts')
|
|
testCompile 'com.google.jimfs:jimfs:1.1'
|
|
}
|
|
testFixtures.useFixture ":x-pack:test:idp-fixture"
|
|
|
|
|
|
String outputDir = "${project.buildDir}/generated-resources/${project.name}"
|
|
task copyIdpFiles(type: Copy) {
|
|
from idpFixtureProject.files('idp/shibboleth-idp/credentials/idp-browser.pem', 'idp/shibboleth-idp/metadata/idp-metadata.xml');
|
|
into outputDir
|
|
}
|
|
project.sourceSets.test.output.dir(outputDir, builtBy: copyIdpFiles)
|
|
|
|
task setupPorts {
|
|
dependsOn copyIdpFiles, idpFixtureProject.postProcessFixture
|
|
// Don't attempt to get ephemeral ports when Docker is not available
|
|
onlyIf { idpFixtureProject.postProcessFixture.enabled }
|
|
doLast {
|
|
String portString = idpFixtureProject.postProcessFixture.ext."test.fixtures.shibboleth-idp.tcp.4443"
|
|
int ephemeralPort = Integer.valueOf(portString)
|
|
File idpMetaFile = file("$outputDir/idp-metadata.xml")
|
|
List<String> lines = idpMetaFile.readLines("UTF-8")
|
|
StringBuilder content = new StringBuilder()
|
|
for (String line : lines) {
|
|
content.append(line.replace("localhost:4443", "localhost:" + ephemeralPort))
|
|
}
|
|
idpMetaFile.delete()
|
|
idpMetaFile.createNewFile()
|
|
idpMetaFile.write(content.toString(), "UTF-8")
|
|
}
|
|
}
|
|
|
|
|
|
integTest.runner.dependsOn setupPorts
|
|
|
|
testClusters.integTest {
|
|
testDistribution = 'DEFAULT'
|
|
setting 'xpack.license.self_generated.type', 'trial'
|
|
setting 'xpack.security.enabled', 'true'
|
|
setting 'xpack.security.http.ssl.enabled', 'false'
|
|
setting 'xpack.security.authc.token.enabled', 'true'
|
|
setting 'xpack.security.authc.realms.file.file.order', '0'
|
|
// SAML realm 1 (no authorization_realms)
|
|
setting 'xpack.security.authc.realms.saml.shibboleth.order', '1'
|
|
setting 'xpack.security.authc.realms.saml.shibboleth.idp.entity_id', 'https://test.shibboleth.elastic.local/'
|
|
setting 'xpack.security.authc.realms.saml.shibboleth.idp.metadata.path', 'idp-metadata.xml'
|
|
setting 'xpack.security.authc.realms.saml.shibboleth.sp.entity_id', 'http://mock1.http.elastic.local/'
|
|
// The port in the ACS URL is fake - the test will bind the mock webserver
|
|
// to a random port and then whenever it needs to connect to a URL on the
|
|
// mock webserver it will replace 54321 with the real port
|
|
setting 'xpack.security.authc.realms.saml.shibboleth.sp.acs', 'http://localhost:54321/saml/acs1'
|
|
setting 'xpack.security.authc.realms.saml.shibboleth.attributes.principal', 'uid'
|
|
setting 'xpack.security.authc.realms.saml.shibboleth.attributes.name', 'urn:oid:2.5.4.3'
|
|
// SAML realm 2 (uses authorization_realms)
|
|
setting 'xpack.security.authc.realms.saml.shibboleth_native.order', '2'
|
|
setting 'xpack.security.authc.realms.saml.shibboleth_native.idp.entity_id', 'https://test.shibboleth.elastic.local/'
|
|
setting 'xpack.security.authc.realms.saml.shibboleth_native.idp.metadata.path', 'idp-metadata.xml'
|
|
setting 'xpack.security.authc.realms.saml.shibboleth_native.sp.entity_id', 'http://mock2.http.elastic.local/'
|
|
setting 'xpack.security.authc.realms.saml.shibboleth_native.sp.acs', 'http://localhost:54321/saml/acs2'
|
|
setting 'xpack.security.authc.realms.saml.shibboleth_native.attributes.principal', 'uid'
|
|
setting 'xpack.security.authc.realms.saml.shibboleth_native.authorization_realms', 'native'
|
|
// SAML realm 3 (used for negative tests with multiple realms)
|
|
setting 'xpack.security.authc.realms.saml.shibboleth_negative.order', '3'
|
|
setting 'xpack.security.authc.realms.saml.shibboleth_negative.idp.entity_id', 'https://test.shibboleth.elastic.local/'
|
|
setting 'xpack.security.authc.realms.saml.shibboleth_negative.idp.metadata.path', 'idp-metadata.xml'
|
|
setting 'xpack.security.authc.realms.saml.shibboleth_negative.sp.entity_id', 'somethingwronghere'
|
|
setting 'xpack.security.authc.realms.saml.shibboleth_negative.sp.acs', 'http://localhost:54321/saml/acs3'
|
|
setting 'xpack.security.authc.realms.saml.shibboleth_negative.attributes.principal', 'uid'
|
|
setting 'xpack.security.authc.realms.saml.shibboleth_negative.authorization_realms', 'native'
|
|
setting 'xpack.security.authc.realms.native.native.order', '4'
|
|
|
|
setting 'xpack.ml.enabled', 'false'
|
|
setting 'logger.org.elasticsearch.xpack.security', 'TRACE'
|
|
|
|
extraConfigFile 'idp-metadata.xml', file(outputDir + "/idp-metadata.xml")
|
|
|
|
user username: "test_admin", password: 'x-pack-test-password'
|
|
}
|
|
|
|
forbiddenPatterns {
|
|
exclude '**/*.der'
|
|
exclude '**/*.p12'
|
|
exclude '**/*.key'
|
|
}
|
|
|
|
thirdPartyAudit {
|
|
ignoreViolations (
|
|
// uses internal java api: sun.misc.Unsafe
|
|
'com.google.common.cache.Striped64',
|
|
'com.google.common.cache.Striped64$1',
|
|
'com.google.common.cache.Striped64$Cell',
|
|
'com.google.common.primitives.UnsignedBytes$LexicographicalComparatorHolder$UnsafeComparator',
|
|
'com.google.common.primitives.UnsignedBytes$LexicographicalComparatorHolder$UnsafeComparator$1'
|
|
)
|
|
|
|
ignoreMissingClasses (
|
|
'com.ibm.icu.lang.UCharacter'
|
|
)
|
|
}
|