From f3edbe291146d92888087c6458a08d2e4cbb602d Mon Sep 17 00:00:00 2001 
From: Jay Modi Date: Mon, 14 Jan 2019 14:06:22 -0700 Subject: [PATCH] Security: remove SSL settings fallback (#36846) This commit removes the fallback for SSL settings. While this may be seen as a non user friendly change, the intention behind this change is to simplify the reasoning needed to understand what is actually being used for a given SSL configuration. Each configuration now needs to be explicitly specified as there is no global configuration or fallback to some other configuration. Closes #29797 --- client/rest-high-level/build.gradle | 2 +- .../migration/migrate_7_0/settings.asciidoc | 10 + .../configuring-tls-docker.asciidoc | 26 +- .../tls-transport.asciidoc | 4 +- .../settings/security-settings.asciidoc | 189 +++----------- docs/reference/settings/ssl-settings.asciidoc | 23 +- x-pack/docs/en/rest-api/security/ssl.asciidoc | 10 +- .../auditing/forwarding-logs.asciidoc | 16 +- .../configuring-pki-realm.asciidoc | 2 +- .../ccs-clients-integrations/java.asciidoc | 18 +- .../en/security/fips-140-compliance.asciidoc | 6 +- .../xpack/core/XPackSettings.java | 5 - .../netty4/SecurityNetty4Transport.java | 15 +- .../xpack/core/ssl/DefaultJDKTrustConfig.java | 8 +- .../xpack/core/ssl/SSLConfiguration.java | 67 +---- .../xpack/core/ssl/SSLService.java | 45 +--- .../ssl/SSLConfigurationReloaderTests.java | 47 ++-- .../ssl/SSLConfigurationSettingsTests.java | 2 +- .../xpack/core/ssl/SSLConfigurationTests.java | 80 ++---- .../xpack/core/ssl/SSLServiceTests.java | 243 ++++++++---------- .../xpack/core/ssl/TestsSSLService.java | 5 - .../exporter/http/HttpExporterSslIT.java | 8 +- .../security/PkiRealmBootstrapCheck.java | 5 +- .../esnative/ESNativeRealmMigrateTool.java | 3 +- .../transport/nio/SecurityNioTransport.java | 1 - .../test/SecuritySettingsSource.java | 112 ++++---- .../test/SettingsFilterTests.java | 16 +- ...FIPS140JKSKeystoreBootstrapCheckTests.java | 16 -- .../security/PkiRealmBootstrapCheckTests.java | 11 +- .../audit/index/IndexAuditTrailTests.java | 
2 +- .../RemoteIndexAuditTrailStartingTests.java | 2 +- .../esnative/ESNativeMigrateToolTests.java | 34 ++- .../tool/CommandLineHttpClientTests.java | 31 +-- .../security/authc/ldap/LdapTestUtils.java | 32 +-- .../LdapUserSearchSessionFactoryTests.java | 2 +- .../authc/pki/PkiAuthenticationTests.java | 22 +- .../authc/pki/PkiOptionalClientAuthTests.java | 12 +- .../security/authc/saml/SamlRealmTests.java | 11 +- ...stractSimpleSecurityTransportTestCase.java | 20 +- ...ServerTransportFilterIntegrationTests.java | 76 +++--- .../netty4/IPHostnameVerificationTests.java | 26 +- ...ecurityNetty4HttpServerTransportTests.java | 16 +- .../SecurityNetty4ServerTransportTests.java | 46 +--- .../netty4/SslHostnameVerificationTests.java | 31 +-- .../SecurityNioHttpServerTransportTests.java | 14 +- .../transport/ssl/EllipticCurveSSLTests.java | 24 +- .../transport/ssl/SslIntegrationTests.java | 13 +- .../transport/ssl/SslMultiPortTests.java | 35 +-- .../xpack/ssl/SSLClientAuthTests.java | 63 ++++- .../xpack/ssl/SSLReloadIntegTests.java | 26 +- .../xpack/ssl/SSLTrustRestrictionsTests.java | 22 +- .../sql/qa/security/with-ssl/build.gradle | 6 +- .../watcher/common/http/HttpClientTests.java | 78 ++---- x-pack/qa/full-cluster-restart/build.gradle | 8 +- .../org/elasticsearch/test/OpenLdapTests.java | 41 +-- ...OpenLdapUserSearchSessionFactoryTests.java | 4 +- x-pack/qa/rolling-upgrade/build.gradle | 8 +- x-pack/qa/smoke-test-plugins-ssl/build.gradle | 3 +- .../ADLdapUserSearchSessionFactoryTests.java | 11 +- .../ldap/AbstractActiveDirectoryTestCase.java | 41 ++- .../ldap/AbstractAdLdapRealmTestCase.java | 42 +-- .../ActiveDirectorySessionFactoryTests.java | 43 ++-- .../resources/packaging/tests/certgen.bash | 18 +- 63 files changed, 783 insertions(+), 1075 deletions(-) diff --git a/client/rest-high-level/build.gradle b/client/rest-high-level/build.gradle index ed9b4451db350..b71ca82c7d094 100644 --- a/client/rest-high-level/build.gradle +++ b/client/rest-high-level/build.gradle 
@@ -105,7 +105,7 @@ integTestCluster { setting 'xpack.security.enabled', 'true' setting 'xpack.security.authc.token.enabled', 'true' // Truststore settings are not used since TLS is not enabled. Included for testing the get certificates API - setting 'xpack.ssl.certificate_authorities', 'testnode.crt' + setting 'xpack.security.http.ssl.certificate_authorities', 'testnode.crt' setting 'xpack.security.transport.ssl.truststore.path', 'testnode.jks' keystoreSetting 'xpack.security.transport.ssl.truststore.secure_password', 'testnode' setupCommand 'setupDummyUser', diff --git a/docs/reference/migration/migrate_7_0/settings.asciidoc b/docs/reference/migration/migrate_7_0/settings.asciidoc index 6144888fb545d..9a271c65271a3 100644 --- a/docs/reference/migration/migrate_7_0/settings.asciidoc +++ b/docs/reference/migration/migrate_7_0/settings.asciidoc @@ -121,3 +121,13 @@ xpack.security.authc.realms: Any realm specific secure settings that have been stored in the elasticsearch keystore (such as ldap bind passwords, or passwords for ssl keys) must be updated in a similar way. + +[float] +[[tls-setting-fallback]] +==== TLS/SSL settings + +The default TLS/SSL settings, which were prefixed by `xpack.ssl`, have been removed. +The removal of these default settings also removes the ability for a component to +fallback to a default configuration when using TLS. Each component (realm, transport, http, +http client, etc) must now be configured with their own settings for TLS if it is being +used. diff --git a/docs/reference/security/securing-communications/configuring-tls-docker.asciidoc b/docs/reference/security/securing-communications/configuring-tls-docker.asciidoc index c9d645e4fa234..50c63de4b4fef 100644 --- a/docs/reference/security/securing-communications/configuring-tls-docker.asciidoc +++ b/docs/reference/security/securing-communications/configuring-tls-docker.asciidoc 
@@ -114,11 +114,14 @@ services: - xpack.license.self_generated.type=trial <2> - xpack.security.enabled=true - xpack.security.http.ssl.enabled=true + - xpack.security.http.ssl.key=$CERTS_DIR/es01/es01.key + - xpack.security.http.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt + - xpack.security.http.ssl.certificate=$CERTS_DIR/es01/es01.crt - xpack.security.transport.ssl.enabled=true - xpack.security.transport.ssl.verification_mode=certificate <3> - - xpack.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt - - xpack.ssl.certificate=$CERTS_DIR/es01/es01.crt - - xpack.ssl.key=$CERTS_DIR/es01/es01.key + - xpack.security.transport.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt + - xpack.security.transport.ssl.certificate=$CERTS_DIR/es01/es01.crt + - xpack.security.transport.ssl.key=$CERTS_DIR/es01/es01.key volumes: ['esdata_01:/usr/share/elasticsearch/data', './certs:$CERTS_DIR'] ports: - 9200:9200 @@ -140,11 +143,14 @@ services: - xpack.license.self_generated.type=trial - xpack.security.enabled=true - xpack.security.http.ssl.enabled=true + - xpack.security.http.ssl.key=$CERTS_DIR/es02/es02.key + - xpack.security.http.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt + - xpack.security.http.ssl.certificate=$CERTS_DIR/es02/es02.crt - xpack.security.transport.ssl.enabled=true - - xpack.security.transport.ssl.verification_mode=certificate - - xpack.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt - - xpack.ssl.certificate=$CERTS_DIR/es02/es02.crt - - xpack.ssl.key=$CERTS_DIR/es02/es02.key + - xpack.security.transport.ssl.verification_mode=certificate <3> + - xpack.security.transport.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt + - xpack.security.transport.ssl.certificate=$CERTS_DIR/es02/es02.crt + - xpack.security.transport.ssl.key=$CERTS_DIR/es02/es02.key volumes: ['esdata_02:/usr/share/elasticsearch/data', './certs:$CERTS_DIR'] wait_until_ready: 
@@ -199,9 +205,9 @@ WARNING: Windows users not running PowerShell will need to remove `\` and join l ---- docker exec es01 /bin/bash -c "bin/elasticsearch-setup-passwords \ auto --batch \ --Expack.ssl.certificate=certificates/es01/es01.crt \ --Expack.ssl.certificate_authorities=certificates/ca/ca.crt \ --Expack.ssl.key=certificates/es01/es01.key \ +-Expack.security.http.ssl.certificate=certificates/es01/es01.crt \ +-Expack.security.http.ssl.certificate_authorities=certificates/ca/ca.crt \ +-Expack.security.http.ssl.key=certificates/es01/es01.key \ --url https://localhost:9200" ---- -- diff --git a/docs/reference/security/securing-communications/tls-transport.asciidoc b/docs/reference/security/securing-communications/tls-transport.asciidoc index fee775078d6a2..e32d123140a65 100644 --- a/docs/reference/security/securing-communications/tls-transport.asciidoc +++ b/docs/reference/security/securing-communications/tls-transport.asciidoc @@ -25,7 +25,7 @@ xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12 <3> <1> If you used the `--dns` or `--ip` options with the `elasticsearch-certutil cert` command and you want to enable strict hostname checking, set the verification mode to `full`. -See <> for a description of these values. +See <> for a description of these values. <2> If you created a separate certificate for each node, then you might need to customize this path on each node. If the filename matches the node name, you can 
@@ -54,7 +54,7 @@ xpack.security.transport.ssl.certificate_authorities: [ "/home/es/config/ca.crt" <1> If you used the `--dns` or `--ip` options with the `elasticsearch-certutil cert` command and you want to enable strict hostname checking, set the verification mode to `full`. -See <> for a description of these values. +See <> for a description of these values. <2> The full path to the node key file. This must be a location within the {es} configuration directory. <3> The full path to the node certificate. This must be a location within the diff --git a/docs/reference/settings/security-settings.asciidoc b/docs/reference/settings/security-settings.asciidoc index 28c30bf665cf2..0a88a19f6f050 100644 --- a/docs/reference/settings/security-settings.asciidoc +++ b/docs/reference/settings/security-settings.asciidoc @@ -475,20 +475,18 @@ The default is `jks`. `ssl.verification_mode`:: Indicates the type of verification when using `ldaps` to protect against man in the middle attacks and certificate forgery. Values are `none`, `certificate`, -and `full`. Defaults to the value of `xpack.ssl.verification_mode`. +and `full`. Defaults to `full`. + -See <> for an explanation of -these values. +See <> for an explanation of these values. `ssl.supported_protocols`:: -Supported protocols for TLS/SSL (with versions). Defaults to the value of -`xpack.ssl.supported_protocols`. +Supported protocols for TLS/SSL (with versions). Defaults to `TLSv1.2,TLSv1.1,TLSv1`. `ssl.cipher_suites`:: Specifies the cipher suites that should be supported when communicating with the LDAP server. Supported cipher suites can be found in Oracle's http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html[ -Java Cryptography Architecture documentation]. Defaults to the value of -`xpack.ssl.cipher_suites`. +Java Cryptography Architecture documentation]. See <> +for the default value. `cache.ttl`:: Specifies the time-to-live for cached user entries. A user and a hash of its 
@@ -721,20 +719,18 @@ The default is `jks`. `ssl.verification_mode`:: Indicates the type of verification when using `ldaps` to protect against man in the middle attacks and certificate forgery. Values are `none`, `certificate`, -and `full`. Defaults to the value of `xpack.ssl.verification_mode`. +and `full`. Defaults to `full`. + -See <> for an explanation of -these values. +See <> for an explanation of these values. `ssl.supported_protocols`:: -Supported protocols for TLS/SSL (with versions). Defaults to the value of -`xpack.ssl.supported_protocols`. +Supported protocols for TLS/SSL (with versions). Defaults to `TLSv1.2, TLSv1.1, TLSv1`. `ssl.cipher_suites`:: Specifies the cipher suites that should be supported when communicating with the Active Directory server. Supported cipher suites can be found in Oracle's http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html[ -Java Cryptography Architecture documentation]. Defaults to the value of -`xpack.ssl.cipher_suites`. +Java Cryptography Architecture documentation]. See <> for +the default values. `cache.ttl`:: Specifies the time-to-live for cached user entries. A user and a hash of its @@ -1133,8 +1129,7 @@ One of `full` certificate path, but not the hostname) or `none` (perform no verification). Defaults to `full`. + -See <> for a more detailed -explanation of these values. +See <> for a more detailed explanation of these values. `ssl.supported_protocols`:: Specifies the supported protocols for TLS/SSL. 
@@ -1204,14 +1199,12 @@ through the list of URLs will continue until a successful connection is made. [float] [[ssl-tls-settings]] -==== Default TLS/SSL settings -You can configure the following TLS/SSL settings in -`elasticsearch.yml`. For more information, see -{stack-ov}/encrypting-communications.html[Encrypting communications]. These -settings are used unless they have been overridden by more specific -settings such as those for HTTP or Transport. - -`xpack.ssl.supported_protocols`:: +==== Default values for TLS/SSL settings +In general, the values below represent the default values for the various TLS +settings. For more information, see +{stack-ov}/encrypting-communications.html[Encrypting communications]. + +`ssl.supported_protocols`:: Supported protocols with versions. Valid protocols: `SSLv2Hello`, `SSLv3`, `TLSv1`, `TLSv1.1`, `TLSv1.2`. Defaults to `TLSv1.2`, `TLSv1.1`, `TLSv1`. @@ -1221,15 +1214,15 @@ NOTE: If `xpack.security.fips_mode.enabled` is `true`, you cannot use `SSLv2Hell or `SSLv3`. See <>. -- -`xpack.ssl.client_authentication`:: +`ssl.client_authentication`:: Controls the server's behavior in regard to requesting a certificate from client connections. Valid values are `required`, `optional`, and `none`. `required` forces a client to present a certificate, while `optional` requests a client certificate but the client is not required to present one. -Defaults to `required`. This global setting is not applicable for HTTP, see +Defaults to `required`, except for HTTP, which defaults to `none`. See <>. -`xpack.ssl.verification_mode`:: +`ssl.verification_mode`:: Controls the verification of certificates. Valid values are: - `full`, which verifies that the provided certificate is signed by a trusted authority (CA) and also verifies that the server's hostname (or IP 
@@ -1244,7 +1237,7 @@ Controls the verification of certificates. Valid values are: + The default value is `full`. -`xpack.ssl.cipher_suites`:: +`ssl.cipher_suites`:: Supported cipher suites can be found in Oracle's http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html[ Java Cryptography Architecture documentation]. Defaults to `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`, 
@@ -1255,112 +1248,15 @@ Jurisdiction Policy Files_ has been installed, the default value also includes ` [float] [[tls-ssl-key-settings]] -===== Default TLS/SSL key and trusted certificate settings +===== TLS/SSL key and trusted certificate settings The following settings are used to specify a private key, certificate, and the -trusted certificates that should be used when communicating over an SSL/TLS connection. -If none of the settings below are specified, the -<> are used. If no trusted certificates are configured, the default certificates that are trusted by the JVM will be -trusted along with the certificate(s) from the <>. The key and certificate must be in place -for connections that require client authentication or when acting as a SSL enabled server. - -[float] -===== PEM encoded files - -When using PEM encoded files, use the following settings: - -`xpack.ssl.key`:: -Path to the PEM encoded file containing the private key. - -`xpack.ssl.key_passphrase`:: -The passphrase that is used to decrypt the private key. This value is -optional as the key might not be encrypted. - -`xpack.ssl.secure_key_passphrase` (<>):: -The passphrase that is used to decrypt the private key. This value is -optional as the key might not be encrypted. - -`xpack.ssl.certificate`:: -Path to a PEM encoded file containing the certificate (or certificate chain) -that will be presented to clients when they connect. - -`xpack.ssl.certificate_authorities`:: -List of paths to the PEM encoded certificate files that should be trusted. - -[float] -===== Java keystore files - -When using Java keystore files (JKS), which contain the private key, certificate -and certificates that should be trusted, use the following settings: - -`xpack.ssl.keystore.path`:: -Path to the keystore that holds the private key and certificate. - -`xpack.ssl.keystore.password`:: -Password to the keystore. - -`xpack.ssl.keystore.secure_password` (<>):: -Password to the keystore. 
- -`xpack.ssl.keystore.key_password`:: -Password for the private key in the keystore. Defaults to the -same value as `xpack.ssl.keystore.password`. - -`xpack.ssl.keystore.secure_key_password` (<>):: -Password for the private key in the keystore. - -`xpack.ssl.truststore.path`:: -Path to the truststore file. - -`xpack.ssl.truststore.password`:: -Password to the truststore. - -`xpack.ssl.truststore.secure_password` (<>):: -Password to the truststore. - -WARNING: If `xpack.security.fips_mode.enabled` is `true`, you cannot use Java -keystore files. See <>. - -[float] -===== PKCS#12 files - -When using PKCS#12 container files (`.p12` or `.pfx`), which contain the -private key, certificate, and certificates that should be trusted, use -the following settings: - -`xpack.ssl.keystore.path`:: -Path to the PKCS#12 file that holds the private key and certificate. - -`xpack.ssl.keystore.type`:: -Set this to `PKCS12`. - -`xpack.ssl.keystore.password`:: -Password to the PKCS#12 file. - -`xpack.ssl.keystore.secure_password` (<>):: -Password to the PKCS#12 file. - -`xpack.ssl.keystore.key_password`:: -Password for the private key in the PKCS12 file. -Defaults to the same value as `xpack.ssl.keystore.password`. - -`xpack.ssl.keystore.secure_key_password` (<>):: -Password for the private key in the PKCS12 file. - -`xpack.ssl.truststore.path`:: -Path to the truststore file. - -`xpack.ssl.truststore.type`:: -Set this to `PKCS12`. - -`xpack.ssl.truststore.password`:: -Password to the truststore. - -`xpack.ssl.truststore.secure_password` (<>):: -Password to the truststore. - -WARNING: If `xpack.security.fips_mode.enabled` is `true`, you cannot use PKCS#12 -keystore files. See <>. +trusted certificates that should be used when communicating over an SSL/TLS +connection. If no trusted certificates are configured, the default certificates +that are trusted by the JVM will be trusted along with the certificate(s) +associated with a key in the same context. 
The key and certificate must be in +place for connections that require client authentication or when acting as a +SSL enabled server. [[pkcs12-truststore-note]] [NOTE] @@ -1375,33 +1271,6 @@ a PKCS#12 container includes trusted certificate ("anchor") entries look for `openssl pkcs12 -info` output, or `trustedCertEntry` in the `keytool -list` output. -[float] -===== PKCS#11 tokens - -When using a PKCS#11 cryptographic token, which contains the -private key, certificate, and certificates that should be trusted, use -the following settings: - -`xpack.ssl.keystore.type`:: -Set this to `PKCS11`. - -`xpack.ssl.truststore.type`:: -Set this to `PKCS11`. - - -[[pkcs11-truststore-note]] -[NOTE] -When configuring the PKCS#11 token that your JVM is configured to use as -a keystore or a truststore for Elasticsearch, the PIN for the token can be -configured by setting the appropriate value to `xpack.ssl.truststore.password` -or `xpack.ssl.truststore.secure_password`. In the absence of the above, {es} will -fallback to use he appropriate JVM setting (`-Djavax.net.ssl.trustStorePassword`) -if that is set. -Since there can only be one PKCS#11 token configured, only one keystore and -truststore will be usable for configuration in {es}. This in turn means -that only one certificate can be used for TLS both in the transport and the -http layer. - [[http-tls-ssl-settings]] :ssl-prefix: xpack.security.http :component: HTTP @@ -1435,7 +1304,7 @@ append the portion of the setting after `xpack.security.transport.`. For the key setting, this would be `transport.profiles.$PROFILE.xpack.security.ssl.key`. [[auditing-tls-ssl-settings]] -:ssl-prefix: xpack.security.audit.index.client.xpack +:ssl-prefix: xpack.security.audit.index.client.xpack.security.transport :component: Auditing :client-auth-default!: :server!: diff --git a/docs/reference/settings/ssl-settings.asciidoc b/docs/reference/settings/ssl-settings.asciidoc index 1757cc481c3fe..1ff9ebc03ae8d 100644 
--- a/docs/reference/settings/ssl-settings.asciidoc +++ b/docs/reference/settings/ssl-settings.asciidoc @@ -12,7 +12,7 @@ endif::server[] +{ssl-prefix}.ssl.supported_protocols+:: Supported protocols with versions. Valid protocols: `SSLv2Hello`, `SSLv3`, `TLSv1`, `TLSv1.1`, `TLSv1.2`. Defaults to `TLSv1.2`, `TLSv1.1`, -`TLSv1`. Defaults to the value of `xpack.ssl.supported_protocols`. +`TLSv1`. ifdef::server[] +{ssl-prefix}.ssl.client_authentication+:: @@ -21,7 +21,7 @@ from client connections. Valid values are `required`, `optional`, and `none`. `required` forces a client to present a certificate, while `optional` requests a client certificate but the client is not required to present one. ifndef::client-auth-default[] -Defaults to the value of `xpack.ssl.client_authentication`. +Defaults to `none``. endif::client-auth-default[] ifdef::client-auth-default[] Defaults to +{client-auth-default}+. @@ -31,15 +31,12 @@ endif::server[] ifdef::verifies[] +{ssl-prefix}.ssl.verification_mode+:: Controls the verification of certificates. Valid values are `none`, -`certificate`, and `full`. -See <> for a description of these values. -Defaults to the value of `xpack.ssl.verification_mode`. +`certificate`, and `full`. Defaults to `full`. endif::verifies[] +{ssl-prefix}.ssl.cipher_suites+:: Supported cipher suites can be found in Oracle's http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html[ -Java Cryptography Architecture documentation]. Defaults to the value of -`xpack.ssl.cipher_suites`. +Java Cryptography Architecture documentation]. Defaults to ``. ===== {component} TLS/SSL Key and Trusted Certificate Settings 
@@ -158,4 +155,14 @@ via the following settings: Set this to `PKCS11` to indicate that the PKCS#11 token should be used as a keystore. +{ssl-prefix}.truststore.type+:: -Set this to `PKCS11` to indicate that the PKCS#11 token should be used as a truststore. \ No newline at end of file +Set this to `PKCS11` to indicate that the PKCS#11 token should be used as a truststore. + +[NOTE] +When configuring the PKCS#11 token that your JVM is configured to use as +a keystore or a truststore for Elasticsearch, the PIN for the token can be +configured by setting the appropriate value to `ssl.truststore.password` +or `ssl.truststore.secure_password` in the context that you are configuring. +Since there can only be one PKCS#11 token configured, only one keystore and +truststore will be usable for configuration in {es}. This in turn means +that only one certificate can be used for TLS both in the transport and the +http layer. diff --git a/x-pack/docs/en/rest-api/security/ssl.asciidoc b/x-pack/docs/en/rest-api/security/ssl.asciidoc index de73407355b17..d3480ac8bc006 100644 --- a/x-pack/docs/en/rest-api/security/ssl.asciidoc +++ b/x-pack/docs/en/rest-api/security/ssl.asciidoc 
@@ -22,16 +22,16 @@ Transport Layer Security (TLS), see The API returns a list that includes certificates from all TLS contexts including: -* Default {es} TLS settings * Settings for transport and HTTP interfaces * TLS settings that are used within authentication realms * TLS settings for remote monitoring exporters The list includes certificates that are used for configuring trust, such as -those configured in the `xpack.ssl.truststore` and -`xpack.ssl.certificate_authorities` settings. It also includes certificates that -that are used for configuring server identity, such as `xpack.ssl.keystore` and -`xpack.ssl.certificate` settings. +those configured in the `xpack.security.transport.ssl.truststore` and +`xpack.security.transport.ssl.certificate_authorities` settings. It also +includes certificates that are used for configuring server identity, such as +`xpack.security.http.ssl.keystore` and +`xpack.security.http.ssl.certificate` settings. The list does not include certificates that are sourced from the default SSL context of the Java Runtime Environment (JRE), even if those certificates are in diff --git a/x-pack/docs/en/security/auditing/forwarding-logs.asciidoc b/x-pack/docs/en/security/auditing/forwarding-logs.asciidoc index f08945a6f8a0d..5bdc25238ad2e 100644 --- a/x-pack/docs/en/security/auditing/forwarding-logs.asciidoc +++ b/x-pack/docs/en/security/auditing/forwarding-logs.asciidoc 
@@ -46,8 +46,8 @@ to the `elasticsearch.yml` file: [source,yaml] ----------------------------------------------------------- xpack.security.audit.index.client.xpack.security.transport.ssl.enabled: true -xpack.security.audit.index.client.xpack.ssl.keystore.path: certs/remote-elastic-certificates.p12 -xpack.security.audit.index.client.xpack.ssl.truststore.path: certs/remote-elastic-certificates.p12 +xpack.security.audit.index.client.xpack.security.transport.ssl.keystore.path: certs/remote-elastic-certificates.p12 +xpack.security.audit.index.client.xpack.security.transport.ssl.truststore.path: certs/remote-elastic-certificates.p12 ----------------------------------------------------------- For more information about these settings, see @@ -61,9 +61,9 @@ For more information about these settings, see [source, yaml] -------------------------------------------------- xpack.security.audit.index.client.xpack.security.transport.ssl.enabled: true -xpack.security.audit.index.client.xpack.ssl.key: /home/es/config/audit-client.key -xpack.security.audit.index.client.xpack.ssl.certificate: /home/es/config/audit-client.crt -xpack.security.audit.index.client.xpack.ssl.certificate_authorities: [ "/home/es/config/remote-ca.crt" ] +xpack.security.audit.index.client.xpack.security.transport.ssl.key: /home/es/config/audit-client.key +xpack.security.audit.index.client.xpack.security.transport.ssl.certificate: /home/es/config/audit-client.crt +xpack.security.audit.index.client.xpack.security.transport.ssl.certificate_authorities: [ "/home/es/config/remote-ca.crt" ] -------------------------------------------------- For more information about these settings, see 
@@ -78,9 +78,9 @@ your {es} keystore: -- [source,shell] ----------------------------------------------------------- -bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.ssl.keystore.secure_password +bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.security.transport.ssl.keystore.secure_password -bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.ssl.truststore.secure_password +bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.security.transport.ssl.truststore.secure_password ----------------------------------------------------------- -- @@ -89,7 +89,7 @@ bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.ssl.trust -- [source,shell] ----------------------------------------------------------- -bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.ssl.secure_key_passphrase +bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.security.transport.ssl.secure_key_passphrase ----------------------------------------------------------- -- diff --git a/x-pack/docs/en/security/authentication/configuring-pki-realm.asciidoc b/x-pack/docs/en/security/authentication/configuring-pki-realm.asciidoc index 0554be2f87286..58144d0b23c1a 100644 --- a/x-pack/docs/en/security/authentication/configuring-pki-realm.asciidoc +++ b/x-pack/docs/en/security/authentication/configuring-pki-realm.asciidoc @@ -90,7 +90,7 @@ In particular this means: * The interface must _trust_ the certificate that is presented by the client by configuring either the `truststore` or `certificate_authorities` paths, or by setting `verification_mode` to `none`. See - <> for an explanation of this + <> for an explanation of this setting. * The _protocols_ supported by the interface must be compatible with those used by the client. 
diff --git a/x-pack/docs/en/security/ccs-clients-integrations/java.asciidoc b/x-pack/docs/en/security/ccs-clients-integrations/java.asciidoc index 8166f5cff9bcb..a19532bdb67c5 100644 --- a/x-pack/docs/en/security/ccs-clients-integrations/java.asciidoc +++ b/x-pack/docs/en/security/ccs-clients-integrations/java.asciidoc @@ -105,9 +105,10 @@ import org.elasticsearch.xpack.client.PreBuiltXPackTransportClient; TransportClient client = new PreBuiltXPackTransportClient(Settings.builder() .put("cluster.name", "myClusterName") .put("xpack.security.user", "transport_client_user:x-pack-test-password") - .put("xpack.ssl.key", "/path/to/client.key") - .put("xpack.ssl.certificate", "/path/to/client.crt") - .put("xpack.ssl.certificate_authorities", "/path/to/ca.crt") + .put("xpack.security.transport.ssl.enabled", true) + .put("xpack.security.transport.ssl.key", "/path/to/client.key") + .put("xpack.security.transport.ssl.certificate", "/path/to/client.crt") + .put("xpack.security.transport.ssl.certificate_authorities", "/path/to/ca.crt") ... .build()); -------------------------------------------------------------------------------------------------- @@ -125,9 +126,10 @@ import org.elasticsearch.xpack.client.PreBuiltXPackTransportClient; TransportClient client = new PreBuiltXPackTransportClient(Settings.builder() .put("cluster.name", "myClusterName") .put("xpack.security.user", "transport_client_user:x-pack-test-password") - .put("xpack.ssl.key", "/path/to/client.key") - .put("xpack.ssl.certificate", "/path/to/client.crt") - .put("xpack.ssl.certificate_authorities", "/path/to/ca.crt") + .put("xpack.security.transport.ssl.enabled", true) + .put("xpack.security.transport.ssl.key", "/path/to/client.key") + .put("xpack.security.transport.ssl.certificate", "/path/to/client.crt") + .put("xpack.security.transport.ssl.certificate_authorities", "/path/to/ca.crt") .put("xpack.security.transport.ssl.enabled", "true") ... .build()) 
@@ -155,7 +157,7 @@ import org.elasticsearch.xpack.client.PreBuiltXPackTransportClient; TransportClient client = new PreBuiltXPackTransportClient(Settings.builder() .put("cluster.name", "myClusterName") .put("xpack.security.user", "test_user:x-pack-test-password") - .put("xpack.ssl.certificate_authorities", "/path/to/ca.crt") + .put("xpack.security.transport.ssl.certificate_authorities", "/path/to/ca.crt") .put("xpack.security.transport.ssl.enabled", "true") ... .build()) @@ -164,7 +166,7 @@ TransportClient client = new PreBuiltXPackTransportClient(Settings.builder() ------------------------------------------------------------------------------------------------------ NOTE: If you are using a public CA that is already trusted by the Java runtime, - you do not need to set the `xpack.ssl.certificate_authorities`. + you do not need to set the `xpack.security.transport.ssl.certificate_authorities`. [float] [[connecting-anonymously]] diff --git a/x-pack/docs/en/security/fips-140-compliance.asciidoc b/x-pack/docs/en/security/fips-140-compliance.asciidoc index 0216e61784cdb..6bc9be512db4e 100644 --- a/x-pack/docs/en/security/fips-140-compliance.asciidoc +++ b/x-pack/docs/en/security/fips-140-compliance.asciidoc @@ -50,12 +50,12 @@ and able to run {es} successfully in a FIPS 140-2 enabled JVM. ==== TLS SSLv2 and SSLv3 are not allowed by FIPS 140-2, so `SSLv2Hello` and `SSLv3` cannot -be used for <> +be used for <> NOTE: The use of TLS ciphers is mainly governed by the relevant crypto module (the FIPS Approved Security Provider that your JVM uses). All the ciphers that are configured by default in {es} are FIPS 140-2 compliant and as such can be -used in a FIPS 140-2 JVM. (see <>) +used in a FIPS 140-2 JVM. (see <>) [float] ==== TLS Keystores and keys 
@@ -71,7 +71,7 @@ options, and for trust material you can use `*.certificate_authorities`.
 FIPS 140-2 compliance dictates that the length of the public keys used for TLS must correspond to the strength of the symmetric key algorithm in use in TLS.
-Depending on the value of <> that
+Depending on the value of <> that
 you select to use, the TLS keys must have corresponding length according to the following table:
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/XPackSettings.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/XPackSettings.java
index 13cc4c121daf6..22bc6f4b29482 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/XPackSettings.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/XPackSettings.java
@@ -159,10 +159,6 @@ private XPackSettings() {
 public static final SSLClientAuth HTTP_CLIENT_AUTH_DEFAULT = SSLClientAuth.NONE;
 public static final VerificationMode VERIFICATION_MODE_DEFAULT = VerificationMode.FULL;
- // global settings that apply to everything!
- public static final String GLOBAL_SSL_PREFIX = "xpack.ssl.";
- private static final SSLConfigurationSettings GLOBAL_SSL = SSLConfigurationSettings.withPrefix(GLOBAL_SSL_PREFIX);
-
 // http specific settings
 public static final String HTTP_SSL_PREFIX = SecurityField.setting("http.ssl.");
 private static final SSLConfigurationSettings HTTP_SSL = SSLConfigurationSettings.withPrefix(HTTP_SSL_PREFIX);
@@ -174,7 +170,6 @@ private XPackSettings() {
 /** Returns all settings created in {@link XPackSettings}. */
 public static List> getAllSettings() {
 ArrayList> settings = new ArrayList<>();
- settings.addAll(GLOBAL_SSL.getAllSettings());
 settings.addAll(HTTP_SSL.getAllSettings());
 settings.addAll(TRANSPORT_SSL.getAllSettings());
 settings.add(SECURITY_ENABLED);
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/transport/netty4/SecurityNetty4Transport.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/transport/netty4/SecurityNetty4Transport.java
index 4ed4246597bb5..9c32dd1e80b34 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/transport/netty4/SecurityNetty4Transport.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/transport/netty4/SecurityNetty4Transport.java
@@ -83,13 +83,22 @@ public static Map getTransportProfileConfigurations(Se
 Set profileNames = settings.getGroups("transport.profiles.", true).keySet();
 Map profileConfiguration = new HashMap<>(profileNames.size() + 1);
 for (String profileName : profileNames) {
+ if (profileName.equals(TransportSettings.DEFAULT_PROFILE)) {
+ // don't attempt to parse ssl settings from the profile;
+ // profiles need to be killed with fire
+ if (settings.getByPrefix("transport.profiles.default.xpack.security.ssl.").isEmpty()) {
+ continue;
+ } else {
+ throw new IllegalArgumentException("SSL settings should not be configured for the default profile. " + "Use the [xpack.security.transport.ssl] settings instead.");
+ }
+ }
 SSLConfiguration configuration = sslService.getSSLConfiguration("transport.profiles." + profileName + "." + setting("ssl"));
 profileConfiguration.put(profileName, configuration);
 }
- if (profileConfiguration.containsKey(TransportSettings.DEFAULT_PROFILE) == false) {
- profileConfiguration.put(TransportSettings.DEFAULT_PROFILE, defaultConfiguration);
- }
+ assert profileConfiguration.containsKey(TransportSettings.DEFAULT_PROFILE) == false;
+ profileConfiguration.put(TransportSettings.DEFAULT_PROFILE, defaultConfiguration);
 return profileConfiguration;
 }
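Review bot: The default-profile guard hard-codes the prefix `"transport.profiles.default.xpack.security.ssl."`, while the lookup a few lines below builds the equivalent key from `TransportSettings.DEFAULT_PROFILE` and `setting("ssl")`; if either of those changes, the guard silently stops matching and SSL settings under the default profile would be accepted again instead of rejected. Build it from the same pieces: `if (settings.getByPrefix("transport.profiles." + TransportSettings.DEFAULT_PROFILE + "." + setting("ssl") + ".").isEmpty()) {`. The `// profiles need to be killed with fire` comment does not tell a reader why the settings are rejected; `// the default profile's SSL is configured via xpack.security.transport.ssl, so a profile-scoped SSL setting here can only be a misconfiguration` would. The method signature of `getTransportProfileConfigurations` lies above the hunk.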
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/DefaultJDKTrustConfig.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/DefaultJDKTrustConfig.java
index 4b5055a9e86fd..25076937f5a96 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/DefaultJDKTrustConfig.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/DefaultJDKTrustConfig.java
@@ -25,6 +25,7 @@
 import java.util.Collection;
 import java.util.Collections;
 import java.util.List;
+import java.util.Objects;
 /**
 * This class represents a trust configuration that corresponds to the default trusted certificates of the JDK
@@ -71,12 +72,15 @@ public String toString() {
 @Override
 public boolean equals(Object o) {
- return o == this;
+ if (this == o) return true;
+ if (o == null || getClass() != o.getClass()) return false;
+ DefaultJDKTrustConfig that = (DefaultJDKTrustConfig) o;
+ return Objects.equals(trustStorePassword, that.trustStorePassword);
 }
 @Override
 public int hashCode() {
- return System.identityHashCode(this);
+ return Objects.hash(trustStorePassword);
 }
 /**
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLConfiguration.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLConfiguration.java
index 0862cb929ef98..5857f9a6edd11 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLConfiguration.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLConfiguration.java
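Review bot: `equals` and `hashCode` now key on `trustStorePassword`, but the hunk says nothing about what that field is or why two instances with the same password are interchangeable; if it is a `SecureString` (its declaration is outside the hunk), value comparison is only meaningful while the string is open, and comparing a closed one may throw, which matters because `SSLService` uses configurations holding this object as map keys for `sslContexts`. Add above `equals`: `// two default-JDK trust configs are interchangeable iff they would open the JDK trust store with the same password` and confirm the password is not closed while the configuration is reachable from the context map. Since this replaces identity equality, two `SSLConfiguration`s built from empty settings now compare equal, which is what lets `loadSSLConfigurations` in `SSLService` share one context between them.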
@@ -13,16 +13,11 @@
 import org.elasticsearch.xpack.core.XPackSettings;
 import org.elasticsearch.xpack.core.ssl.cert.CertificateInfo;
-import javax.net.ssl.KeyManagerFactory;
-import javax.net.ssl.TrustManagerFactory;
-
 import java.io.IOException;
 import java.nio.file.Path;
 import java.security.GeneralSecurityException;
-import java.security.KeyStore;
 import java.util.ArrayList;
 import java.util.List;
-import java.util.Objects;
 import static org.elasticsearch.xpack.core.ssl.SSLConfigurationSettings.getKeyStoreType;
@@ -51,32 +46,14 @@ public final class SSLConfiguration {
 * @param settings the SSL specific settings; only the settings under a *.ssl. prefix
 */
 SSLConfiguration(Settings settings) {
- this.keyConfig = createKeyConfig(settings, (SSLConfiguration) null);
- this.trustConfig = createTrustConfig(settings, keyConfig, null);
+ this.keyConfig = createKeyConfig(settings);
+ this.trustConfig = createTrustConfig(settings, keyConfig);
 this.ciphers = getListOrDefault(SETTINGS_PARSER.ciphers, settings, XPackSettings.DEFAULT_CIPHERS);
 this.supportedProtocols = getListOrDefault(SETTINGS_PARSER.supportedProtocols, settings, XPackSettings.DEFAULT_SUPPORTED_PROTOCOLS);
 this.sslClientAuth = SETTINGS_PARSER.clientAuth.get(settings).orElse(XPackSettings.CLIENT_AUTH_DEFAULT);
 this.verificationMode = SETTINGS_PARSER.verificationMode.get(settings).orElse(XPackSettings.VERIFICATION_MODE_DEFAULT);
 }
- /**
- * Creates a new SSLConfiguration from the given settings and global/default SSLConfiguration. If the settings do not contain a value
- * for a given aspect, the value from the global configuration will be used.
- *
- * @param settings the SSL specific settings; only the settings under a *.ssl.
prefix
- * @param globalSSLConfiguration the default configuration that is used as a fallback
- */
- SSLConfiguration(Settings settings, SSLConfiguration globalSSLConfiguration) {
- Objects.requireNonNull(globalSSLConfiguration);
- this.keyConfig = createKeyConfig(settings, globalSSLConfiguration);
- this.trustConfig = createTrustConfig(settings, keyConfig, globalSSLConfiguration);
- this.ciphers = getListOrDefault(SETTINGS_PARSER.ciphers, settings, globalSSLConfiguration.cipherSuites());
- this.supportedProtocols = getListOrDefault(SETTINGS_PARSER.supportedProtocols, settings,
- globalSSLConfiguration.supportedProtocols());
- this.sslClientAuth = SETTINGS_PARSER.clientAuth.get(settings).orElse(globalSSLConfiguration.sslClientAuth());
- this.verificationMode = SETTINGS_PARSER.verificationMode.get(settings).orElse(globalSSLConfiguration.verificationMode());
- }
-
 /**
 * The configuration for the key, if any, that will be used as part of this ssl configuration
 */
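Review bot: The surviving constructor's javadoc still only names its input; now that the fallback constructor is gone, what an absent setting resolves to is the security-relevant part and should be stated, e.g. after the `@param settings` line: `* Absent settings take the defaults from {@link XPackSettings}; there is no fallback to any other SSL configuration, so empty settings yield {@link KeyConfig#NONE} and the JDK default trust store.` (the latter is what `testThatSSLConfigurationHasCorrectDefaults` asserts). The `this.verificationMode` assignment parses the same setting that `createCertChainTrustConfig` parses again for the trust decision; a short comment that the two must stay in agreement, or passing the parsed value down, would prevent them drifting. The opening lines of this javadoc are above the hunk.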
@@ -183,46 +160,28 @@ public int hashCode() {
 return result;
 }
- private static KeyConfig createKeyConfig(Settings settings, SSLConfiguration global) {
+ private static KeyConfig createKeyConfig(Settings settings) {
 final String trustStoreAlgorithm = SETTINGS_PARSER.truststoreAlgorithm.get(settings);
 final KeyConfig config = CertParsingUtils.createKeyConfig(SETTINGS_PARSER.x509KeyPair, settings, trustStoreAlgorithm);
- if (config != null) {
- return config;
- }
- if (global != null) {
- return global.keyConfig();
- }
- if (System.getProperty("javax.net.ssl.keyStore") != null && System.getProperty("javax.net.ssl.keyStore").equals("NONE") == false) {
- // TODO: we should not support loading a keystore from sysprops...
- try (SecureString keystorePassword = new SecureString(System.getProperty("javax.net.ssl.keyStorePassword", ""))) {
- return new StoreKeyConfig(System.getProperty("javax.net.ssl.keyStore"), KeyStore.getDefaultType(), keystorePassword,
- keystorePassword, System.getProperty("ssl.KeyManagerFactory.algorithm", KeyManagerFactory.getDefaultAlgorithm()),
- System.getProperty("ssl.TrustManagerFactory.algorithm", TrustManagerFactory.getDefaultAlgorithm()));
- }
- }
- return KeyConfig.NONE;
+ return config == null ?
KeyConfig.NONE : config;
 }
- private static TrustConfig createTrustConfig(Settings settings, KeyConfig keyConfig, SSLConfiguration global) {
- final TrustConfig trustConfig = createCertChainTrustConfig(settings, keyConfig, global);
+ private static TrustConfig createTrustConfig(Settings settings, KeyConfig keyConfig) {
+ final TrustConfig trustConfig = createCertChainTrustConfig(settings, keyConfig);
 return SETTINGS_PARSER.trustRestrictionsPath.get(settings) .map(path -> (TrustConfig) new RestrictedTrustConfig(path, trustConfig)) .orElse(trustConfig);
 }
- private static TrustConfig createCertChainTrustConfig(Settings settings, KeyConfig keyConfig, SSLConfiguration global) {
+ private static TrustConfig createCertChainTrustConfig(Settings settings, KeyConfig keyConfig) {
 String trustStorePath = SETTINGS_PARSER.truststorePath.get(settings).orElse(null);
 String trustStoreType = getKeyStoreType(SETTINGS_PARSER.truststoreType, settings, trustStorePath);
 List caPaths = getListOrNull(SETTINGS_PARSER.caPaths, settings);
 if (trustStorePath != null && caPaths != null) {
 throw new IllegalArgumentException("you cannot specify a truststore and ca files");
 }
- VerificationMode verificationMode = SETTINGS_PARSER.verificationMode.get(settings).orElseGet(() -> {
- if (global != null) {
- return global.verificationMode();
- }
- return XPackSettings.VERIFICATION_MODE_DEFAULT;
- });
+
+ VerificationMode verificationMode = SETTINGS_PARSER.verificationMode.get(settings).orElse(XPackSettings.VERIFICATION_MODE_DEFAULT);
 if (verificationMode.isCertificateVerificationEnabled() == false) {
 return TrustAllConfig.INSTANCE;
 } else if (caPaths != null) {
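Review bot: `createCertChainTrustConfig` re-parses `verificationMode` from the settings although the constructor computes the very same value; if the two defaults ever diverge, the trust config (which switches to `TrustAllConfig.INSTANCE` when verification is off) and the `verificationMode()` accessor would disagree about whether certificates are checked. Parse it once and pass it down, `private static TrustConfig createCertChainTrustConfig(Settings settings, KeyConfig keyConfig, VerificationMode verificationMode)`, with `createTrustConfig` forwarding it and the constructor assigning `this.verificationMode` before `this.trustConfig`. `createKeyConfig` has no javadoc; `/** Key material from the configured key pair or keystore, or {@link KeyConfig#NONE} when none is set; system properties are no longer consulted. */` would record the behaviour this commit removes. The rest of `createCertChainTrustConfig` continues in the next hunk.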
@@ -231,14 +190,6 @@ private static TrustConfig createCertChainTrustConfig(Settings settings, KeyConf
 String trustStoreAlgorithm = SETTINGS_PARSER.truststoreAlgorithm.get(settings);
 SecureString trustStorePassword = SETTINGS_PARSER.truststorePassword.get(settings);
 return new StoreTrustConfig(trustStorePath, trustStoreType, trustStorePassword, trustStoreAlgorithm);
- } else if (global == null && System.getProperty("javax.net.ssl.trustStore") != null
- && System.getProperty("javax.net.ssl.trustStore").equals("NONE") == false) {
- try (SecureString truststorePassword = new SecureString(System.getProperty("javax.net.ssl.trustStorePassword", ""))) {
- return new StoreTrustConfig(System.getProperty("javax.net.ssl.trustStore"), KeyStore.getDefaultType(), truststorePassword,
- System.getProperty("ssl.TrustManagerFactory.algorithm", TrustManagerFactory.getDefaultAlgorithm()));
- }
- } else if (global != null && keyConfig == global.keyConfig()) {
- return global.trustConfig();
 } else if (keyConfig != KeyConfig.NONE) {
 return DefaultJDKTrustConfig.merge(keyConfig, getDefaultTrustStorePassword(settings));
 } else {
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLService.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLService.java
index 900d9468e2aa8..e832de629359a 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLService.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLService.java
@@ -31,13 +31,14 @@
 import javax.net.ssl.TrustManagerFactory;
 import javax.net.ssl.X509ExtendedKeyManager;
 import javax.net.ssl.X509ExtendedTrustManager;
+
 import java.io.IOException;
 import java.net.InetAddress;
 import java.net.Socket;
 import java.security.GeneralSecurityException;
 import java.security.KeyManagementException;
-import java.security.KeyStore;
 import java.security.NoSuchAlgorithmException;
+import java.security.KeyStore;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
@@ -81,8 +82,6 @@ public class SSLService {
 * always maps to the same {@link SSLContextHolder}, even if it is being used within a different context-name.
 */
 private final Map sslContexts;
-
- private final SSLConfiguration globalSSLConfiguration;
 private final SetOnce transportSSLConfiguration = new SetOnce<>();
 private final Environment env;
@@ -93,16 +92,14 @@ public class SSLService {
 public SSLService(Settings settings, Environment environment) {
 this.settings = settings;
 this.env = environment;
- this.globalSSLConfiguration = new SSLConfiguration(settings.getByPrefix(XPackSettings.GLOBAL_SSL_PREFIX));
 this.sslConfigurations = new HashMap<>();
 this.sslContexts = loadSSLConfigurations();
 }
- private SSLService(Settings settings, Environment environment, SSLConfiguration globalSSLConfiguration,
- Map sslConfigurations, Map sslContexts) {
+ private SSLService(Settings settings, Environment environment, Map sslConfigurations,
+ Map sslContexts) {
 this.settings = settings;
 this.env = environment;
- this.globalSSLConfiguration = globalSSLConfiguration;
 this.sslConfigurations = sslConfigurations;
 this.sslContexts = sslContexts;
 }
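Review bot: The import hunk removes `java.security.KeyStore` and re-adds it below `java.security.NoSuchAlgorithmException`, breaking the alphabetical order the rest of the `java.security` group keeps; since the import is still needed, the simplest fix is to drop both the `-` and `+` lines so it stays in its original position. The two constructor hunks are otherwise mechanical removals of `globalSSLConfiguration`; the field and class javadoc on `sslContexts` above the hunk may still be read as implying a global entry, which no longer exists.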
@@ -113,7 +110,7 @@ private SSLService(Settings settings, Environment environment, SSLConfiguration
 * have been created during initialization
 */
 public SSLService createDynamicSSLService() {
- return new SSLService(settings, env, globalSSLConfiguration, sslConfigurations, sslContexts) {
+ return new SSLService(settings, env, sslConfigurations, sslContexts) {
 @Override
 Map loadSSLConfigurations() {
@@ -265,13 +262,6 @@ public boolean isSSLClientAuthEnabled(SSLConfiguration sslConfiguration) {
 return sslConfiguration.sslClientAuth().enabled();
 }
- /**
- * Returns the {@link SSLContext} for the global configuration. Mainly used for testing
- */
- public SSLContext sslContext() {
- return sslContextHolder(globalSSLConfiguration).sslContext();
- }
-
 /**
 * Returns the {@link SSLContext} for the configuration. Mainly used for testing
 */
@@ -297,13 +287,10 @@ SSLContextHolder sslContextHolder(SSLConfiguration sslConfiguration) {
 * Returns the existing {@link SSLConfiguration} for the given settings
 *
 * @param settings the settings for the ssl configuration
- * @return the ssl configuration for the provided settings. If the settings are empty, the global configuration is returned
+ * @return the ssl configuration for the provided settings
 */
- SSLConfiguration sslConfiguration(Settings settings) {
- if (settings.isEmpty()) {
- return globalSSLConfiguration;
- }
- return new SSLConfiguration(settings, globalSSLConfiguration);
+ public SSLConfiguration sslConfiguration(Settings settings) {
+ return new SSLConfiguration(settings);
 }
 public Set getTransportProfileContextNames() {
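Review bot: `sslConfiguration(Settings)` is widened to `public` while its javadoc still says it returns the "existing" configuration, but the body now builds a fresh `SSLConfiguration` on every call and never consults `sslConfigurations` or `sslContexts`; the name and the doc promise a lookup that does not happen, and a caller that later asks for the context of that object will not find one registered. Either rewrite the javadoc to `* Creates a new {@link SSLConfiguration} from the given settings (those under a *.ssl. prefix); the result is not registered with this service` or keep the method package-private and route external callers through `getSSLConfiguration(String)`, which does the lookup. The only new caller visible in this commit is `SSLConfigurationReloaderTests`, which does not need `public`.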
@@ -403,8 +390,6 @@ private SSLContextHolder createSslContext(X509ExtendedKeyManager keyManager, X50
 */
 Map loadSSLConfigurations() {
 Map sslContextHolders = new HashMap<>();
- sslContextHolders.put(globalSSLConfiguration, createSslContext(globalSSLConfiguration));
- this.sslConfigurations.put("xpack.ssl", globalSSLConfiguration);
 Map sslSettingsMap = new HashMap<>();
 sslSettingsMap.put(XPackSettings.HTTP_SSL_PREFIX, getHttpTransportSSLSettings(settings));
@@ -413,23 +398,19 @@ Map loadSSLConfigurations() {
 sslSettingsMap.putAll(getMonitoringExporterSettings(settings));
 sslSettingsMap.forEach((key, sslSettings) -> {
- if (sslSettings.isEmpty()) {
- storeSslConfiguration(key, globalSSLConfiguration);
- } else {
- final SSLConfiguration configuration = new SSLConfiguration(sslSettings, globalSSLConfiguration);
- storeSslConfiguration(key, configuration);
- sslContextHolders.computeIfAbsent(configuration, this::createSslContext);
- }
+ final SSLConfiguration configuration = new SSLConfiguration(sslSettings);
+ storeSslConfiguration(key, configuration);
+ sslContextHolders.computeIfAbsent(configuration, this::createSslContext);
 });
 final Settings transportSSLSettings = settings.getByPrefix(XPackSettings.TRANSPORT_SSL_PREFIX);
- final SSLConfiguration transportSSLConfiguration = new SSLConfiguration(transportSSLSettings, globalSSLConfiguration);
+ final SSLConfiguration transportSSLConfiguration = new SSLConfiguration(transportSSLSettings);
 this.transportSSLConfiguration.set(transportSSLConfiguration);
 storeSslConfiguration(XPackSettings.TRANSPORT_SSL_PREFIX, transportSSLConfiguration);
 Map profileSettings = getTransportProfileSSLSettings(settings);
 sslContextHolders.computeIfAbsent(transportSSLConfiguration, this::createSslContext);
 profileSettings.forEach((key, profileSetting) -> {
- final SSLConfiguration configuration = new SSLConfiguration(profileSetting, transportSSLConfiguration);
+ final SSLConfiguration configuration = new SSLConfiguration(profileSetting);
 storeSslConfiguration(key, configuration);
 sslContextHolders.computeIfAbsent(configuration, this::createSslContext);
 });
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationReloaderTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationReloaderTests.java
index cb9996ac90db5..318d8e4150a1d 100644
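Review bot: With the `isEmpty()` branch gone, every entry of `sslSettingsMap` now gets its own `SSLConfiguration` and SSL context even when its settings group is empty, so a context such as HTTP or a monitoring exporter that used to inherit the global configuration is now registered with no key material (`KeyConfig.NONE` from `createKeyConfig`) and, per `testThatSSLConfigurationHasCorrectDefaults`, the JDK default trust store; that is presumably the intent of removing the fallback, but nothing in the code says so. Add above the `forEach`: `// no global fallback any more: an empty settings group yields a configuration with no key and the JDK default trust store, and it is still registered under its context name`. The transport profile loop at the end of the hunk has the same property, since profiles no longer inherit `transportSSLConfiguration`. The `loadSSLConfigurations` javadoc above the hunk should mention it too.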
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationReloaderTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationReloaderTests.java
@@ -71,7 +71,7 @@ public void setup() {
 }
 @After
- public void cleanup() throws Exception {
+ public void cleanup() {
 if (threadPool != null) {
 terminate(threadPool);
 }
@@ -88,10 +88,10 @@ public void testReloadingKeyStore() throws Exception {
 Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"), keystorePath);
 Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_updated.jks"), updatedKeystorePath);
 MockSecureSettings secureSettings = new MockSecureSettings();
- secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode");
+ secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode");
 final Settings settings = Settings.builder()
 .put("path.home", createTempDir())
- .put("xpack.ssl.keystore.path", keystorePath)
+ .put("xpack.security.transport.ssl.keystore.path", keystorePath)
 .setSecureSettings(secureSettings)
 .build();
 final Environment env = randomBoolean() ? null : TestEnvironment.newEnvironment(settings);
@@ -144,11 +144,12 @@ public void testPEMKeyConfigReloading() throws Exception {
 Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_updated.crt"), updatedCertPath);
 Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"), certPath);
 MockSecureSettings secureSettings = new MockSecureSettings();
- secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
+ secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
 final Settings settings = Settings.builder()
 .put("path.home", createTempDir())
- .put("xpack.ssl.key", keyPath)
- .put("xpack.ssl.certificate", certPath)
+ .put("xpack.security.transport.ssl.key", keyPath)
+ .put("xpack.security.transport.ssl.certificate", certPath)
+ .putList("xpack.security.transport.ssl.certificate_authorities", certPath.toString())
 .setSecureSettings(secureSettings)
 .build();
 final Environment env = randomBoolean() ? null :
@@ -202,9 +203,9 @@ public void testReloadingTrustStore() throws Exception {
 Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_updated.jks"), updatedTruststorePath);
 MockSecureSettings secureSettings = new MockSecureSettings();
- secureSettings.setString("xpack.ssl.truststore.secure_password", "testnode");
+ secureSettings.setString("xpack.security.transport.ssl.truststore.secure_password", "testnode");
 Settings settings = Settings.builder()
- .put("xpack.ssl.truststore.path", trustStorePath)
+ .put("xpack.security.transport.ssl.truststore.path", trustStorePath)
 .put("path.home", createTempDir())
 .setSecureSettings(secureSettings)
 .build();
@@ -254,7 +255,7 @@ public void testReloadingPEMTrustConfig() throws Exception {
 Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem"), serverKeyPath);
 Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_updated.crt"), updatedCert);
 Settings settings = Settings.builder()
- .put("xpack.ssl.certificate_authorities", serverCertPath)
+ .putList("xpack.security.transport.ssl.certificate_authorities", serverCertPath.toString())
 .put("path.home", createTempDir())
 .build();
 Environment env = randomBoolean() ? null : TestEnvironment.newEnvironment(settings);
@@ -300,15 +301,15 @@ public void testReloadingKeyStoreException() throws Exception {
 Path keystorePath = tempDir.resolve("testnode.jks");
 Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"), keystorePath);
 MockSecureSettings secureSettings = new MockSecureSettings();
- secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode");
+ secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode");
 Settings settings = Settings.builder()
- .put("xpack.ssl.keystore.path", keystorePath)
+ .put("xpack.security.transport.ssl.keystore.path", keystorePath)
 .setSecureSettings(secureSettings)
 .put("path.home", createTempDir())
 .build();
 Environment env = randomBoolean() ? null : TestEnvironment.newEnvironment(settings);
 final SSLService sslService = new SSLService(settings, env);
- final SSLConfiguration config = sslService.getSSLConfiguration("xpack.ssl");
+ final SSLConfiguration config = sslService.getSSLConfiguration("xpack.security.transport.ssl.");
 new SSLConfigurationReloader(env, sslService, resourceWatcherService) {
 @Override
 void reloadSSLContext(SSLConfiguration configuration) {
@@ -339,17 +340,17 @@ public void testReloadingPEMKeyConfigException() throws Exception {
 Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"), certPath);
 Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt"), clientCertPath);
 MockSecureSettings secureSettings = new MockSecureSettings();
- secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode");
+ secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
 Settings settings = Settings.builder()
- .put("xpack.ssl.key", keyPath)
- .put("xpack.ssl.certificate", certPath)
- .putList("xpack.ssl.certificate_authorities", certPath.toString(), clientCertPath.toString())
+ .put("xpack.security.transport.ssl.key", keyPath)
+ .put("xpack.security.transport.ssl.certificate", certPath)
+ .putList("xpack.security.transport.ssl.certificate_authorities", certPath.toString(), clientCertPath.toString())
 .put("path.home", createTempDir())
 .setSecureSettings(secureSettings)
 .build();
 Environment env = randomBoolean() ? null : TestEnvironment.newEnvironment(settings);
 final SSLService sslService = new SSLService(settings, env);
- final SSLConfiguration config = sslService.getSSLConfiguration("xpack.ssl");
+ final SSLConfiguration config = sslService.getSSLConfiguration("xpack.security.transport.ssl.");
 new SSLConfigurationReloader(env, sslService, resourceWatcherService) {
 @Override
 void reloadSSLContext(SSLConfiguration configuration) {
@@ -376,15 +377,15 @@ public void testTrustStoreReloadException() throws Exception {
 Path trustStorePath = tempDir.resolve("testnode.jks");
 Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"), trustStorePath);
 MockSecureSettings secureSettings = new MockSecureSettings();
- secureSettings.setString("xpack.ssl.truststore.secure_password", "testnode");
+ secureSettings.setString("xpack.security.transport.ssl.truststore.secure_password", "testnode");
 Settings settings = Settings.builder()
- .put("xpack.ssl.truststore.path", trustStorePath)
+ .put("xpack.security.transport.ssl.truststore.path", trustStorePath)
 .put("path.home", createTempDir())
 .setSecureSettings(secureSettings)
 .build();
 Environment env = randomBoolean() ? null : TestEnvironment.newEnvironment(settings);
 final SSLService sslService = new SSLService(settings, env);
- final SSLConfiguration config = sslService.getSSLConfiguration("xpack.ssl");
+ final SSLConfiguration config = sslService.getSSLConfiguration("xpack.security.transport.ssl.");
 new SSLConfigurationReloader(env, sslService, resourceWatcherService) {
 @Override
 void reloadSSLContext(SSLConfiguration configuration) {
@@ -411,12 +412,12 @@ public void testPEMTrustReloadException() throws Exception {
 Path clientCertPath = tempDir.resolve("testclient.crt");
 Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt"), clientCertPath);
 Settings settings = Settings.builder()
- .putList("xpack.ssl.certificate_authorities", clientCertPath.toString())
+ .putList("xpack.security.transport.ssl.certificate_authorities", clientCertPath.toString())
 .put("path.home", createTempDir())
 .build();
 Environment env = randomBoolean() ? null : TestEnvironment.newEnvironment(settings);
 final SSLService sslService = new SSLService(settings, env);
- final SSLConfiguration config = sslService.getSSLConfiguration("xpack.ssl");
+ final SSLConfiguration config = sslService.sslConfiguration(settings.getByPrefix("xpack.security.transport.ssl."));
 new SSLConfigurationReloader(env, sslService, resourceWatcherService) {
 @Override
 void reloadSSLContext(SSLConfiguration configuration) {
@@ -442,7 +443,7 @@ private void validateSSLConfigurationIsReloaded(Settings settings, Environment e
 Runnable modificationFunction, Consumer postChecks) throws Exception {
 final CountDownLatch reloadLatch = new CountDownLatch(1);
 final SSLService sslService = new SSLService(settings, env);
- final SSLConfiguration config = sslService.getSSLConfiguration("xpack.ssl");
+ final SSLConfiguration config = sslService.getSSLConfiguration("xpack.security.transport.ssl");
 new SSLConfigurationReloader(env, sslService, resourceWatcherService) {
 @Override
 void reloadSSLContext(SSLConfiguration configuration) {
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationSettingsTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationSettingsTests.java
index 4b045951d6658..072f7d0d57da7 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationSettingsTests.java
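Review bot: The reloader tests now fetch the transport configuration three different ways: `getSSLConfiguration("xpack.security.transport.ssl.")` with a trailing dot in `testReloadingKeyStoreException`, `testReloadingPEMKeyConfigException` and `testTrustStoreReloadException`, `getSSLConfiguration("xpack.security.transport.ssl")` without one in `validateSSLConfigurationIsReloaded`, and `sslService.sslConfiguration(settings.getByPrefix(...))` in `testPEMTrustReloadException`, which constructs a fresh object rather than fetching the one the service registered. Unless `getSSLConfiguration` normalises the trailing dot (its body is not in this diff), one of the two string forms does not match the key `SSLService` stores under, `XPackSettings.TRANSPORT_SSL_PREFIX`; using that constant in all of them, `sslService.getSSLConfiguration(XPackSettings.TRANSPORT_SSL_PREFIX)`, removes the guesswork and makes the reloader act on the same instance the service holds. If the fresh-object form in `testPEMTrustReloadException` is deliberate, a one-line comment saying why would help.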
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationSettingsTests.java
@@ -21,7 +21,7 @@ public void testParseCipherSettingsWithoutPrefix() {
 final SSLConfigurationSettings ssl = SSLConfigurationSettings.withoutPrefix();
 assertThat(ssl.ciphers.match("cipher_suites"), is(true));
 assertThat(ssl.ciphers.match("ssl.cipher_suites"), is(false));
- assertThat(ssl.ciphers.match("xpack.ssl.cipher_suites"), is(false));
+ assertThat(ssl.ciphers.match("xpack.transport.security.ssl.cipher_suites"), is(false));
 final Settings settings = Settings.builder()
 .put("cipher_suites.0", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256")
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationTests.java
index e0b70c09add0b..74ae2ae55c126 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationTests.java
@@ -35,10 +35,6 @@ public void testThatSSLConfigurationHasCorrectDefaults() {
 assertThat(globalConfig.keyConfig(), sameInstance(KeyConfig.NONE));
 assertThat(globalConfig.trustConfig(), is(not((globalConfig.keyConfig()))));
 assertThat(globalConfig.trustConfig(), instanceOf(DefaultJDKTrustConfig.class));
-
- SSLConfiguration scopedConfig = new SSLConfiguration(Settings.EMPTY, globalConfig);
- assertThat(scopedConfig.keyConfig(), sameInstance(globalConfig.keyConfig()));
- assertThat(scopedConfig.trustConfig(), sameInstance(globalConfig.trustConfig()));
 }
 public void testThatOnlyKeystoreInSettingsSetsTruststoreSettings() {
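Review bot: The replacement key `xpack.transport.security.ssl.cipher_suites` transposes two segments; the prefix this commit introduces everywhere else is `xpack.security.transport.ssl.`, so the assertion no longer probes the name users will actually write (it passes either way, since neither string matches the unprefixed `cipher_suites`). Use `assertThat(ssl.ciphers.match("xpack.security.transport.ssl.cipher_suites"), is(false));`.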
@@ -50,22 +46,17 @@ public void testThatOnlyKeystoreInSettingsSetsTruststoreSettings() {
 .setSecureSettings(secureSettings)
 .build();
 // Pass settings in as component settings
- SSLConfiguration globalSettings = new SSLConfiguration(settings);
- SSLConfiguration scopedSettings = new SSLConfiguration(settings, globalSettings);
- SSLConfiguration scopedEmptyGlobalSettings =
- new SSLConfiguration(settings, new SSLConfiguration(Settings.EMPTY));
- for (SSLConfiguration sslConfiguration : Arrays.asList(globalSettings, scopedSettings, scopedEmptyGlobalSettings)) {
- assertThat(sslConfiguration.keyConfig(), instanceOf(StoreKeyConfig.class));
- StoreKeyConfig ksKeyInfo = (StoreKeyConfig) sslConfiguration.keyConfig();
+ SSLConfiguration sslConfiguration = new SSLConfiguration(settings);
+ assertThat(sslConfiguration.keyConfig(), instanceOf(StoreKeyConfig.class));
+ StoreKeyConfig ksKeyInfo = (StoreKeyConfig) sslConfiguration.keyConfig();
- assertThat(ksKeyInfo.keyStorePath, is(equalTo(path)));
- assertThat(ksKeyInfo.keyStorePassword, is(equalTo("testnode")));
- assertThat(ksKeyInfo.keyStoreType, is(equalTo("jks")));
- assertThat(ksKeyInfo.keyPassword, is(equalTo(ksKeyInfo.keyStorePassword)));
- assertThat(ksKeyInfo.keyStoreAlgorithm, is(KeyManagerFactory.getDefaultAlgorithm()));
- assertThat(sslConfiguration.trustConfig(), is(instanceOf(CombiningTrustConfig.class)));
- assertCombiningTrustConfigContainsCorrectIssuers(sslConfiguration);
- }
+ assertThat(ksKeyInfo.keyStorePath, is(equalTo(path)));
+ assertThat(ksKeyInfo.keyStorePassword, is(equalTo("testnode")));
+ assertThat(ksKeyInfo.keyStoreType, is(equalTo("jks")));
+ assertThat(ksKeyInfo.keyPassword, is(equalTo(ksKeyInfo.keyStorePassword)));
+ assertThat(ksKeyInfo.keyStoreAlgorithm, is(KeyManagerFactory.getDefaultAlgorithm()));
+ assertThat(sslConfiguration.trustConfig(), is(instanceOf(CombiningTrustConfig.class)));
+ assertCombiningTrustConfigContainsCorrectIssuers(sslConfiguration);
 }
 public void
testKeystorePassword() { 
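Review bot: The context comment `// Pass settings in as component settings` described the removed loop that compared a global, a scoped and a scoped-with-empty-global configuration; above a single `new SSLConfiguration(settings)` it no longer explains anything. Drop it, or replace it with what the assertions now establish, e.g. `// with only a keystore configured, its certificates also serve as the trust material (CombiningTrustConfig)`, hedged to whatever `assertCombiningTrustConfigContainsCorrectIssuers` (outside the hunk) checks. The import of `Arrays` used by the removed loop may now be unused in this file; the import block is not in the diff.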
@@ -188,44 +179,13 @@ public void testExplicitKeystoreType() { assertThat(ksKeyInfo.keyStoreType, is(equalTo(type))); } - public void testThatProfileSettingsOverrideServiceSettings() { - MockSecureSettings profileSecureSettings = new MockSecureSettings(); - profileSecureSettings.setString("keystore.secure_password", "password"); - profileSecureSettings.setString("keystore.secure_key_password", "key"); - profileSecureSettings.setString("truststore.secure_password", "password for trust"); - Settings profileSettings = Settings.builder() - .put("keystore.path", "path") - .put("keystore.algorithm", "algo") - .put("truststore.path", "trust path") - .put("truststore.algorithm", "trusted") - .setSecureSettings(profileSecureSettings) - .build(); - - MockSecureSettings serviceSecureSettings = new MockSecureSettings(); - serviceSecureSettings.setString("xpack.ssl.keystore.secure_password", "comp password"); - serviceSecureSettings.setString("xpack.ssl.keystore.secure_key_password", "comp key"); - serviceSecureSettings.setString("xpack.ssl.truststore.secure_password", "comp password for trust"); - Settings serviceSettings = Settings.builder() - .put("xpack.ssl.keystore.path", "comp path") - .put("xpack.ssl.keystore.algorithm", "comp algo") - .put("xpack.ssl.truststore.path", "comp trust path") - .put("xpack.ssl.truststore.algorithm", "comp trusted") - .setSecureSettings(serviceSecureSettings) - .build(); - - SSLConfiguration globalSettings = new SSLConfiguration(serviceSettings); - SSLConfiguration sslConfiguration = new SSLConfiguration(profileSettings, globalSettings); - assertThat(sslConfiguration.keyConfig(), instanceOf(StoreKeyConfig.class)); - StoreKeyConfig ksKeyInfo = (StoreKeyConfig) sslConfiguration.keyConfig(); - assertThat(ksKeyInfo.keyStorePath, is(equalTo("path"))); - assertThat(ksKeyInfo.keyStorePassword, is(equalTo("password"))); - assertThat(ksKeyInfo.keyPassword, is(equalTo("key"))); - assertThat(ksKeyInfo.keyStoreAlgorithm, is(equalTo("algo"))); - 
assertThat(sslConfiguration.trustConfig(), instanceOf(StoreTrustConfig.class)); - StoreTrustConfig ksTrustInfo = (StoreTrustConfig) sslConfiguration.trustConfig(); - assertThat(ksTrustInfo.trustStorePath, is(equalTo("trust path"))); - assertThat(ksTrustInfo.trustStorePassword, is(equalTo("password for trust"))); - assertThat(ksTrustInfo.trustStoreAlgorithm, is(equalTo("trusted"))); + public void testThatEmptySettingsAreEqual() { + SSLConfiguration sslConfiguration = new SSLConfiguration(Settings.EMPTY); + SSLConfiguration sslConfiguration1 = new SSLConfiguration(Settings.EMPTY); + assertThat(sslConfiguration.equals(sslConfiguration1), is(equalTo(true))); + assertThat(sslConfiguration1.equals(sslConfiguration), is(equalTo(true))); + assertThat(sslConfiguration.equals(sslConfiguration), is(equalTo(true))); + assertThat(sslConfiguration1.equals(sslConfiguration1), is(equalTo(true))); } public void testThatSettingsWithDifferentKeystoresAreNotEqual() { @@ -254,6 +214,12 @@ public void testThatSettingsWithDifferentTruststoresAreNotEqual() { assertThat(sslConfiguration1.equals(sslConfiguration1), is(equalTo(true))); } + public void testThatEmptySettingsHaveSameHashCode() { + SSLConfiguration sslConfiguration = new SSLConfiguration(Settings.EMPTY); + SSLConfiguration sslConfiguration1 = new SSLConfiguration(Settings.EMPTY); + assertThat(sslConfiguration.hashCode(), is(equalTo(sslConfiguration1.hashCode()))); + } + public void testThatSettingsWithDifferentKeystoresHaveDifferentHashCode() { SSLConfiguration sslConfiguration = new SSLConfiguration(Settings.builder() .put("keystore.path", "path") diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLServiceTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLServiceTests.java index 545a8f91574a7..9b697e9f08f01 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLServiceTests.java 
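Review bot: testThatEmptySettingsAreEqual, and testThatEmptySettingsHaveSameHashCode in the following hunk, only establish equals() and hashCode() for two configurations built from `Settings.EMPTY`, while the neighbouring tests cover only the inequality direction for differing keystores and truststores. A sibling test asserting that two configurations built from identical non-empty keystore and truststore settings are equal and share a hash code would close that gap, which matters because testThatSslContextCachingWorks in SSLServiceTests builds two configurations from the same settings and expects the same cached context back. The removed profile-override test is not missed now that the scoped constructor is gone, but equality of populated configurations is otherwise untested.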
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLServiceTests.java @@ -109,11 +109,11 @@ public void testThatCustomTruststoreCanBeSpecified() throws Exception { assumeFalse("Can't run in a FIPS JVM", inFipsJvm()); Path testClientStore = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.jks"); MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.truststore.secure_password", "testnode"); + secureSettings.setString("xpack.security.transport.ssl.truststore.secure_password", "testnode"); secureSettings.setString("transport.profiles.foo.xpack.security.ssl.truststore.secure_password", "testclient"); Settings settings = Settings.builder() - .put("xpack.ssl.truststore.path", testnodeStore) - .put("xpack.ssl.truststore.type", testnodeStoreType) + .put("xpack.security.transport.ssl.truststore.path", testnodeStore) + .put("xpack.security.transport.ssl.truststore.type", testnodeStoreType) .setSecureSettings(secureSettings) .put("transport.profiles.foo.xpack.security.ssl.truststore.path", testClientStore) .build(); 
@@ -126,12 +126,12 @@ public void testThatCustomTruststoreCanBeSpecified() throws Exception { .setSecureSettings(secureCustomSettings) .build(); - SSLConfiguration configuration = new SSLConfiguration(customTruststoreSettings, globalConfiguration(sslService)); + SSLConfiguration configuration = new SSLConfiguration(customTruststoreSettings); SSLEngine sslEngineWithTruststore = sslService.createSSLEngine(configuration, null, -1); assertThat(sslEngineWithTruststore, is(not(nullValue()))); - SSLConfiguration globalConfig = globalConfiguration(sslService); - SSLEngine sslEngine = sslService.createSSLEngine(globalConfig, null, -1); + SSLConfiguration defaultConfig = sslService.getSSLConfiguration("xpack.security.transport.ssl"); + SSLEngine sslEngine = sslService.createSSLEngine(defaultConfig, null, -1); assertThat(sslEngineWithTruststore, is(not(sameInstance(sslEngine)))); final SSLConfiguration profileConfiguration = sslService.getSSLConfiguration("transport.profiles.foo.xpack.security.ssl"); 
@@ -142,20 +142,21 @@ public void testThatCustomTruststoreCanBeSpecified() throws Exception { public void testThatSslContextCachingWorks() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode"); + secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); Settings settings = Settings.builder() - .put("xpack.ssl.certificate", testnodeCert) - .put("xpack.ssl.key", testnodeKey) + .put("xpack.security.transport.ssl.certificate", testnodeCert) + .put("xpack.security.transport.ssl.key", testnodeKey) .setSecureSettings(secureSettings) .build(); SSLService sslService = new SSLService(settings, env); - SSLContext sslContext = sslService.sslContext(); - SSLContext cachedSslContext = sslService.sslContext(); + final Settings transportSSLSettings = settings.getByPrefix("xpack.security.transport.ssl."); + SSLContext sslContext = sslService.sslContext(sslService.sslConfiguration(transportSSLSettings)); + SSLContext cachedSslContext = sslService.sslContext(sslService.sslConfiguration(transportSSLSettings)); assertThat(sslContext, is(sameInstance(cachedSslContext))); - final SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.ssl"); + final SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl"); final SSLContext configContext = sslService.sslContext(configuration); assertThat(configContext, is(sameInstance(sslContext))); } 
@@ -165,14 +166,15 @@ public void testThatKeyStoreAndKeyCanHaveDifferentPasswords() throws Exception { Path differentPasswordsStore = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-different-passwords.jks"); MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode"); - secureSettings.setString("xpack.ssl.keystore.secure_key_password", "testnode1"); + secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); + secureSettings.setString("xpack.security.transport.ssl.keystore.secure_key_password", "testnode1"); Settings settings = Settings.builder() - .put("xpack.ssl.keystore.path", differentPasswordsStore) - .setSecureSettings(secureSettings) - .build(); + .put("xpack.security.transport.ssl.keystore.path", differentPasswordsStore) + .setSecureSettings(secureSettings) + .build(); + final SSLService sslService = new SSLService(settings, env); - SSLConfiguration configuration = globalConfiguration(sslService); + SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl"); sslService.createSSLEngine(configuration, null, -1); } 
@@ -182,13 +184,13 @@ public void testIncorrectKeyPasswordThrowsException() throws Exception { getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-different-passwords.jks"); try { MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode"); + secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); Settings settings = Settings.builder() - .put("xpack.ssl.keystore.path", differentPasswordsStore) - .setSecureSettings(secureSettings) - .build(); + .put("xpack.security.transport.ssl.keystore.path", differentPasswordsStore) + .setSecureSettings(secureSettings) + .build(); final SSLService sslService = new SSLService(settings, env); - SSLConfiguration configuration = globalConfiguration(sslService); + SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl"); sslService.createSSLEngine(configuration, null, -1); fail("expected an exception"); } catch (ElasticsearchException e) { 
@@ -198,34 +200,34 @@ public void testIncorrectKeyPasswordThrowsException() throws Exception { public void testThatSSLv3IsNotEnabled() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode"); + secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); Settings settings = Settings.builder() - .put("xpack.ssl.certificate", testnodeCert) - .put("xpack.ssl.key", testnodeKey) + .put("xpack.security.transport.ssl.certificate", testnodeCert) + .put("xpack.security.transport.ssl.key", testnodeKey) .setSecureSettings(secureSettings) .build(); SSLService sslService = new SSLService(settings, env); - SSLConfiguration configuration = globalConfiguration(sslService); + SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl"); SSLEngine engine = sslService.createSSLEngine(configuration, null, -1); assertThat(Arrays.asList(engine.getEnabledProtocols()), not(hasItem("SSLv3"))); } public void testThatCreateClientSSLEngineWithoutAnySettingsWorks() throws Exception { SSLService sslService = new SSLService(Settings.EMPTY, env); - SSLConfiguration configuration = globalConfiguration(sslService); + SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl"); SSLEngine sslEngine = sslService.createSSLEngine(configuration, null, -1); assertThat(sslEngine, notNullValue()); } public void testThatCreateSSLEngineWithOnlyTruststoreWorks() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.truststore.secure_password", "testclient"); + secureSettings.setString("xpack.security.transport.ssl.truststore.secure_password", "testclient"); Settings settings = Settings.builder() - .put("xpack.ssl.truststore.path", testclientStore) - .setSecureSettings(secureSettings) - .build(); + .put("xpack.security.transport.ssl.truststore.path", 
testclientStore) + .setSecureSettings(secureSettings) + .build(); SSLService sslService = new SSLService(settings, env); - SSLConfiguration configuration = globalConfiguration(sslService); + SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl"); SSLEngine sslEngine = sslService.createSSLEngine(configuration, null, -1); assertThat(sslEngine, notNullValue()); } 
@@ -234,54 +236,52 @@ public void testThatCreateSSLEngineWithOnlyTruststoreWorks() throws Exception { public void testCreateWithKeystoreIsValidForServer() throws Exception { assumeFalse("Can't run in a FIPS JVM, JKS keystores can't be used", inFipsJvm()); MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode"); + secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); Settings settings = Settings.builder() - .put("xpack.ssl.keystore.path", testnodeStore) - .put("xpack.ssl.keystore.type", testnodeStoreType) - .setSecureSettings(secureSettings) - .build(); + .put("xpack.security.transport.ssl.keystore.path", testnodeStore) + .put("xpack.security.transport.ssl.keystore.type", testnodeStoreType) + .setSecureSettings(secureSettings) + .build(); SSLService sslService = new SSLService(settings, env); - assertTrue(sslService.isConfigurationValidForServerUsage(globalConfiguration(sslService))); + assertTrue(sslService.isConfigurationValidForServerUsage(sslService.getSSLConfiguration("xpack.security.transport.ssl"))); } - public void testValidForServerWithFallback() throws Exception { + public void testValidForServer() throws Exception { assumeFalse("Can't run in a FIPS JVM, JKS keystores can't be used", inFipsJvm()); MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.truststore.secure_password", "testnode"); + secureSettings.setString("xpack.security.transport.ssl.truststore.secure_password", "testnode"); Settings settings = Settings.builder() - .put("xpack.ssl.truststore.path", testnodeStore) - .put("xpack.ssl.truststore.type", testnodeStoreType) - .setSecureSettings(secureSettings) - .build(); + .put("xpack.security.transport.ssl.truststore.path", testnodeStore) + .put("xpack.security.transport.ssl.truststore.type", testnodeStoreType) + .setSecureSettings(secureSettings) + .build(); SSLService sslService 
= new SSLService(settings, env); - assertFalse(sslService.isConfigurationValidForServerUsage(globalConfiguration(sslService))); + assertFalse(sslService.isConfigurationValidForServerUsage(sslService.getSSLConfiguration("xpack.security.transport.ssl"))); secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); settings = Settings.builder() - .put("xpack.ssl.truststore.path", testnodeStore) - .put("xpack.ssl.truststore.type", testnodeStoreType) - .setSecureSettings(secureSettings) - .put("xpack.security.transport.ssl.keystore.path", testnodeStore) - .put("xpack.security.transport.ssl.keystore.type", testnodeStoreType) - .build(); + .put("xpack.security.transport.ssl.truststore.path", testnodeStore) + .put("xpack.security.transport.ssl.truststore.type", testnodeStoreType) + .setSecureSettings(secureSettings) + .put("xpack.security.transport.ssl.keystore.path", testnodeStore) + .put("xpack.security.transport.ssl.keystore.type", testnodeStoreType) + .build(); sslService = new SSLService(settings, env); - assertFalse(sslService.isConfigurationValidForServerUsage(globalConfiguration(sslService))); assertTrue(sslService.isConfigurationValidForServerUsage(sslService.getSSLConfiguration("xpack.security.transport.ssl"))); } public void testGetVerificationMode() throws Exception { assumeFalse("Can't run in a FIPS JVM, TrustAllConfig is not a SunJSSE TrustManagers", inFipsJvm()); SSLService sslService = new SSLService(Settings.EMPTY, env); - assertThat(globalConfiguration(sslService).verificationMode(), is(XPackSettings.VERIFICATION_MODE_DEFAULT)); + assertThat(sslService.getSSLConfiguration("xpack.security.transport.ssl").verificationMode(), + is(XPackSettings.VERIFICATION_MODE_DEFAULT)); Settings settings = Settings.builder() - .put("xpack.ssl.verification_mode", "none") - .put("xpack.security.transport.ssl.verification_mode", "certificate") - .put("transport.profiles.foo.xpack.security.ssl.verification_mode", "full") - .build(); + 
.put("xpack.security.transport.ssl.verification_mode", "certificate") + .put("transport.profiles.foo.xpack.security.ssl.verification_mode", "full") + .build(); sslService = new SSLService(settings, env); - assertThat(globalConfiguration(sslService).verificationMode(), is(VerificationMode.NONE)); assertThat(sslService.getSSLConfiguration("xpack.security.transport.ssl.").verificationMode(), is(VerificationMode.CERTIFICATE)); assertThat(sslService.getSSLConfiguration("transport.profiles.foo.xpack.security.ssl.").verificationMode(), is(VerificationMode.FULL)); 
@@ -289,27 +289,25 @@ public void testGetVerificationMode() throws Exception { public void testIsSSLClientAuthEnabled() throws Exception { SSLService sslService = new SSLService(Settings.EMPTY, env); - assertTrue(globalConfiguration(sslService).sslClientAuth().enabled()); + assertTrue(sslService.getSSLConfiguration("xpack.security.transport.ssl").sslClientAuth().enabled()); Settings settings = Settings.builder() - .put("xpack.ssl.client_authentication", "none") - .put("xpack.security.transport.ssl.client_authentication", "optional") + .put("xpack.security.transport.ssl.client_authentication", "optional") .put("transport.profiles.foo.port", "9400-9410") - .build(); + .build(); sslService = new SSLService(settings, env); - assertFalse(sslService.isSSLClientAuthEnabled(globalConfiguration(sslService))); assertTrue(sslService.isSSLClientAuthEnabled(sslService.getSSLConfiguration("xpack.security.transport.ssl"))); assertTrue(sslService.isSSLClientAuthEnabled(sslService.getSSLConfiguration("transport.profiles.foo.xpack.security.ssl"))); } public void testThatHttpClientAuthDefaultsToNone() throws Exception { final Settings globalSettings = Settings.builder() - .put("xpack.security.http.ssl.enabled", true) - .put("xpack.ssl.client_authentication", SSLClientAuth.OPTIONAL.name()) - .build(); + .put("xpack.security.http.ssl.enabled", true) + .put("xpack.security.transport.ssl.client_authentication", SSLClientAuth.OPTIONAL.name()) + .build(); final SSLService sslService = new SSLService(globalSettings, env); - final SSLConfiguration globalConfig = globalConfiguration(sslService); + final SSLConfiguration globalConfig = sslService.getSSLConfiguration("xpack.security.transport.ssl"); assertThat(globalConfig.sslClientAuth(), is(SSLClientAuth.OPTIONAL)); final SSLConfiguration httpConfig = sslService.getHttpTransportSSLConfiguration(); 
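Review bot: In testThatHttpClientAuthDefaultsToNone the local is still named `globalConfig` (and its settings `globalSettings`) although it now holds the transport configuration and, per this commit, there is no global configuration any more, so the name suggests the very fallback being removed. Renaming it to `final SSLConfiguration transportConfig = sslService.getSSLConfiguration("xpack.security.transport.ssl");` and updating the assertion on the next line would make the test read as intended. The rest of the method continues below the hunk.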
@@ -318,14 +316,14 @@ public void testThatHttpClientAuthDefaultsToNone() throws Exception { public void testThatTruststorePasswordIsRequired() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode"); + secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); Settings settings = Settings.builder() - .put("xpack.ssl.keystore.path", testnodeStore) - .put("xpack.ssl.keystore.type", testnodeStoreType) - .setSecureSettings(secureSettings) - .put("xpack.ssl.truststore.path", testnodeStore) - .put("xpack.ssl.truststore.type", testnodeStoreType) - .build(); + .put("xpack.security.transport.ssl.keystore.path", testnodeStore) + .put("xpack.security.transport.ssl.keystore.type", testnodeStoreType) + .setSecureSettings(secureSettings) + .put("xpack.security.transport.ssl.truststore.path", testnodeStore) + .put("xpack.security.transport.ssl.truststore.type", testnodeStoreType) + .build(); ElasticsearchException e = expectThrows(ElasticsearchException.class, () -> new SSLService(settings, env)); assertThat(e.getMessage(), is("failed to initialize a TrustManagerFactory")); @@ -333,9 +331,9 @@ public void testThatTruststorePasswordIsRequired() throws Exception { public void testThatKeystorePasswordIsRequired() throws Exception { Settings settings = Settings.builder() - .put("xpack.ssl.keystore.path", testnodeStore) - .put("xpack.ssl.keystore.type", testnodeStoreType) - .build(); + .put("xpack.security.transport.ssl.keystore.path", testnodeStore) + .put("xpack.security.transport.ssl.keystore.type", testnodeStoreType) + .build(); ElasticsearchException e = expectThrows(ElasticsearchException.class, () -> new SSLService(settings, env)); assertThat(e.getMessage(), is("failed to create trust manager")); 
@@ -346,14 +344,15 @@ public void testCiphersAndInvalidCiphersWork() throws Exception { ciphers.add("foo"); ciphers.add("bar"); MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode"); + secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); Settings settings = Settings.builder() - .put("xpack.ssl.certificate", testnodeCert) - .put("xpack.ssl.key", testnodeKey) + .put("xpack.security.transport.ssl.certificate", testnodeCert) + .put("xpack.security.transport.ssl.key", testnodeKey) .setSecureSettings(secureSettings) + .putList("xpack.security.transport.ssl.ciphers", ciphers.toArray(new String[ciphers.size()])) .build(); SSLService sslService = new SSLService(settings, env); - SSLConfiguration configuration = globalConfiguration(sslService); + SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl"); SSLEngine engine = sslService.createSSLEngine(configuration, null, -1); assertThat(engine, is(notNullValue())); String[] enabledCiphers = engine.getEnabledCipherSuites(); 
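Review bot: The added `.putList` in testCiphersAndInvalidCiphersWork writes the list under `xpack.security.transport.ssl.ciphers`, whereas testInvalidCiphersOnlyThrowsException in the next hunk configures `xpack.security.transport.ssl.cipher_suites`. If `ciphers` is not a recognised SSL setting key, the list is silently ignored and the assertion that foo and bar are absent from the enabled suites passes without ever exercising the filtering. Unless `ciphers` is an alias the service honours, the line should read `.putList("xpack.security.transport.ssl.cipher_suites", ciphers.toArray(new String[ciphers.size()]))`. testCiphersAndInvalidCiphersWork begins before the hunk.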
@@ -362,14 +361,14 @@ public void testCiphersAndInvalidCiphersWork() throws Exception { public void testInvalidCiphersOnlyThrowsException() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode"); + secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); + Settings settings = Settings.builder() - .put("xpack.ssl.certificate", testnodeCert) - .put("xpack.ssl.key", testnodeKey) - .putList("xpack.ssl.cipher_suites", new String[]{"foo", "bar"}) + .put("xpack.security.transport.ssl.certificate", testnodeCert) + .put("xpack.security.transport.ssl.key", testnodeKey) .setSecureSettings(secureSettings) + .putList("xpack.security.transport.ssl.cipher_suites", new String[] { "foo", "bar" }) .build(); - IllegalArgumentException e = expectThrows(IllegalArgumentException.class, () -> new SSLService(settings, env)); assertThat(e.getMessage(), is("none of the ciphers [foo, bar] are supported by this JVM")); 
@@ -377,14 +376,14 @@ public void testInvalidCiphersOnlyThrowsException() throws Exception { public void testThatSSLEngineHasCipherSuitesOrderSet() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode"); + secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); Settings settings = Settings.builder() - .put("xpack.ssl.certificate", testnodeCert) - .put("xpack.ssl.key", testnodeKey) + .put("xpack.security.transport.ssl.certificate", testnodeCert) + .put("xpack.security.transport.ssl.key", testnodeKey) .setSecureSettings(secureSettings) .build(); SSLService sslService = new SSLService(settings, env); - SSLConfiguration configuration = globalConfiguration(sslService); + SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl"); SSLEngine engine = sslService.createSSLEngine(configuration, null, -1); assertThat(engine, is(notNullValue())); assertTrue(engine.getSSLParameters().getUseCipherSuitesOrder()); 
@@ -392,14 +391,14 @@ public void testThatSSLEngineHasCipherSuitesOrderSet() throws Exception { public void testThatSSLSocketFactoryHasProperCiphersAndProtocols() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode"); + secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); Settings settings = Settings.builder() - .put("xpack.ssl.certificate", testnodeCert) - .put("xpack.ssl.key", testnodeKey) + .put("xpack.security.transport.ssl.certificate", testnodeCert) + .put("xpack.security.transport.ssl.key", testnodeKey) .setSecureSettings(secureSettings) .build(); SSLService sslService = new SSLService(settings, env); - SSLConfiguration config = globalConfiguration(sslService); + SSLConfiguration config = sslService.getSSLConfiguration("xpack.security.transport.ssl"); final SSLSocketFactory factory = sslService.sslSocketFactory(config); final String[] ciphers = sslService.supportedCiphers(factory.getSupportedCipherSuites(), config.cipherSuites(), false); assertThat(factory.getDefaultCipherSuites(), is(ciphers)); 
@@ -417,14 +416,14 @@ public void testThatSSLSocketFactoryHasProperCiphersAndProtocols() throws Except public void testThatSSLEngineHasProperCiphersAndProtocols() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode"); + secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); Settings settings = Settings.builder() - .put("xpack.ssl.certificate", testnodeCert) - .put("xpack.ssl.key", testnodeKey) + .put("xpack.security.transport.ssl.certificate", testnodeCert) + .put("xpack.security.transport.ssl.key", testnodeKey) .setSecureSettings(secureSettings) .build(); SSLService sslService = new SSLService(settings, env); - SSLConfiguration configuration = globalConfiguration(sslService); + SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl"); SSLEngine engine = sslService.createSSLEngine(configuration, null, -1); final String[] ciphers = sslService.supportedCiphers(engine.getSupportedCipherSuites(), configuration.cipherSuites(), false); final String[] supportedProtocols = configuration.supportedProtocols().toArray(Strings.EMPTY_ARRAY); @@ -475,9 +474,9 @@ public void testSSLStrategy() { } public void testEmptyTrustManager() throws Exception { - Settings settings = Settings.builder().build(); + Settings settings = Settings.EMPTY; final SSLService sslService = new SSLService(settings, env); - X509ExtendedTrustManager trustManager = sslService.sslContextHolder(sslService.getSSLConfiguration("xpack.ssl")) + X509ExtendedTrustManager trustManager = sslService.sslContextHolder(sslService.getSSLConfiguration("xpack.security.transport.ssl")) .getEmptyTrustManager(); assertThat(trustManager.getAcceptedIssuers(), emptyArray()); } 
@@ -489,7 +488,6 @@ public void testGetConfigurationByContextName() throws Exception { final String[] cipherSuites = sslContext.getSupportedSSLParameters().getCipherSuites(); final String[] contextNames = { - "xpack.ssl", "xpack.http.ssl", "xpack.security.http.ssl", "xpack.security.transport.ssl", @@ -517,10 +515,6 @@ public void testGetConfigurationByContextName() throws Exception { } final Settings settings = builder - // Add a realm without SSL settings. This context name should be mapped to the global configuration - .put("xpack.security.authc.realms.file.realm3.order", 4) - // Add an exporter without SSL settings. This context name should be mapped to the global configuration - .put("xpack.monitoring.exporters.mon3.type", "http") .setSecureSettings(secureSettings) .build(); SSLService sslService = new SSLService(settings, env); @@ -535,14 +529,6 @@ public void testGetConfigurationByContextName() throws Exception { assertThat("Cipher for " + name, configuration.cipherSuites(), contains(cipherSuites[i])); assertThat("Configuration for " + name + ".", sslService.getSSLConfiguration(name + "."), sameInstance(configuration)); } - - // These contexts have no SSL settings, but for convenience we want those components to be able to access their context - // by name, and get back the global configuration - final SSLConfiguration realm3Config = sslService.getSSLConfiguration("xpack.security.authc.realms.file.realm3.ssl"); - final SSLConfiguration mon3Config = sslService.getSSLConfiguration("xpack.monitoring.exporters.mon3.ssl."); - final SSLConfiguration global = globalConfiguration(sslService); - assertThat(realm3Config, sameInstance(global)); - assertThat(mon3Config, sameInstance(global)); } public void testReadCertificateInformation() throws Exception { 
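Review bot: With the realm3 and mon3 assertions removed, testGetConfigurationByContextName no longer states what getSSLConfiguration returns for a context name that has no SSL settings, which is exactly the contract this commit changes. A replacement assertion pinning the new behaviour, for example requesting `xpack.security.authc.realms.file.realm3.ssl` and asserting the exception type or a null result, whichever SSLService now does, would keep that documented for the next reader. The enclosing method starts outside the hunk.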
@@ -552,13 +538,13 @@ public void testReadCertificateInformation() throws Exception { final Path pemPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/active-directory-ca.crt"); final MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode"); - secureSettings.setString("xpack.ssl.truststore.secure_password", "testnode"); + secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); + secureSettings.setString("xpack.security.transport.ssl.truststore.secure_password", "testnode"); secureSettings.setString("xpack.http.ssl.keystore.secure_password", "testnode"); final Settings settings = Settings.builder() - .put("xpack.ssl.keystore.path", jksPath) - .put("xpack.ssl.truststore.path", jksPath) + .put("xpack.security.transport.ssl.keystore.path", jksPath) + .put("xpack.security.transport.ssl.truststore.path", jksPath) .put("xpack.http.ssl.keystore.path", p12Path) .put("xpack.security.authc.realms.active_directory.ad.ssl.certificate_authorities", pemPath) .setSecureSettings(secureSettings) @@ -718,7 +704,7 @@ public int getSessionCacheSize() { @Network public void testThatSSLContextWithoutSettingsWorks() throws Exception { SSLService sslService = new SSLService(Settings.EMPTY, env); - SSLContext sslContext = sslService.sslContext(); + SSLContext sslContext = sslService.sslContext(sslService.sslConfiguration(Settings.EMPTY)); try (CloseableHttpClient client = HttpClients.custom().setSSLContext(sslContext).build()) { // Execute a GET on a site known to have a valid certificate signed by a trusted public CA // This will result in a SSLHandshakeException if the SSLContext does not trust the CA, but the default 
@@ -730,12 +716,13 @@ public void testThatSSLContextWithoutSettingsWorks() throws Exception { @Network public void testThatSSLContextTrustsJDKTrustedCAs() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.keystore.secure_password", "testclient"); + secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testclient"); Settings settings = Settings.builder() - .put("xpack.ssl.keystore.path", testclientStore) + .put("xpack.security.transport.ssl.keystore.path", testclientStore) .setSecureSettings(secureSettings) .build(); - SSLContext sslContext = new SSLService(settings, env).sslContext(); + SSLService sslService = new SSLService(settings, env); + SSLContext sslContext = sslService.sslContext(sslService.sslConfiguration(settings.getByPrefix("xpack.security.transport.ssl."))); try (CloseableHttpClient client = HttpClients.custom().setSSLContext(sslContext).build()) { // Execute a GET on a site known to have a valid certificate signed by a trusted public CA which will succeed because the JDK // certs are trusted by default @@ -746,7 +733,7 @@ public void testThatSSLContextTrustsJDKTrustedCAs() throws Exception { @Network public void testThatSSLIOSessionStrategyWithoutSettingsWorks() throws Exception { SSLService sslService = new SSLService(Settings.EMPTY, env); - SSLConfiguration sslConfiguration = globalConfiguration(sslService); + SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.security.transport.ssl"); logger.info("SSL Configuration: {}", sslConfiguration); SSLIOSessionStrategy sslStrategy = sslService.sslIOSessionStrategy(sslConfiguration); try (CloseableHttpAsyncClient client = getAsyncHttpClient(sslStrategy)) { 
@@ -762,13 +749,13 @@ public void testThatSSLIOSessionStrategyWithoutSettingsWorks() throws Exception @Network public void testThatSSLIOSessionStrategyTrustsJDKTrustedCAs() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.keystore.secure_password", "testclient"); + secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testclient"); Settings settings = Settings.builder() - .put("xpack.ssl.keystore.path", testclientStore) + .put("xpack.security.transport.ssl.keystore.path", testclientStore) .setSecureSettings(secureSettings) .build(); final SSLService sslService = new SSLService(settings, env); - SSLIOSessionStrategy sslStrategy = sslService.sslIOSessionStrategy(globalConfiguration(sslService)); + SSLIOSessionStrategy sslStrategy = sslService.sslIOSessionStrategy(sslService.getSSLConfiguration("xpack.security.transport.ssl")); try (CloseableHttpAsyncClient client = getAsyncHttpClient(sslStrategy)) { client.start(); @@ -778,10 +765,6 @@ public void testThatSSLIOSessionStrategyTrustsJDKTrustedCAs() throws Exception { } } - private static SSLConfiguration globalConfiguration(SSLService sslService) { - return sslService.getSSLConfiguration("xpack.ssl"); - } - class AssertionCallback implements FutureCallback { @Override diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/TestsSSLService.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/TestsSSLService.java index 25dc017261819..e8766225a7a92 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/TestsSSLService.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/TestsSSLService.java 
@@ -19,11 +19,6 @@ public TestsSSLService(Settings settings, Environment environment) { super(settings, environment); } - @Override - public SSLContext sslContext() { - return super.sslContext(); - } - /** * Allows to get alternative ssl context, like for the http client */ diff --git a/x-pack/plugin/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/exporter/http/HttpExporterSslIT.java b/x-pack/plugin/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/exporter/http/HttpExporterSslIT.java index 9b108d4f8c69f..ae363cd3c8258 100644 --- a/x-pack/plugin/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/exporter/http/HttpExporterSslIT.java +++ b/x-pack/plugin/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/exporter/http/HttpExporterSslIT.java @@ -95,14 +95,14 @@ private MockWebServer buildWebServer() throws IOException { final Path key = getDataPath("/org/elasticsearch/xpack/monitoring/exporter/http/testnode.pem"); final Settings sslSettings = Settings.builder() - .put("xpack.ssl.certificate", cert) - .put("xpack.ssl.key", key) - .put("xpack.ssl.key_passphrase", "testnode") + .put("xpack.transport.security.ssl.certificate", cert) + .put("xpack.transport.security.ssl.key", key) + .put("xpack.transport.security.ssl.key_passphrase", "testnode") .put(globalSettings) .build(); TestsSSLService sslService = new TestsSSLService(sslSettings, environment); - final SSLContext sslContext = sslService.sslContext(Settings.EMPTY); + final SSLContext sslContext = sslService.sslContext("xpack.security.transport.ssl"); MockWebServer server = new MockWebServer(sslContext, false); server.start(); return server; diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheck.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheck.java index d4b05b1772e27..8f5012e1ecaf1 100644 
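Review bot: In HttpExporterSslIT.buildWebServer the key material is written under `xpack.transport.security.ssl.*` but the context is then requested with `sslService.sslContext("xpack.security.transport.ssl")`; the two prefixes are transposed, so the certificate, key and passphrase added here are not part of the configuration that is looked up. Whether the test still passes depends on how SSLService treats a configuration with no key material, which is not visible in this hunk, but if it does pass it is exercising a mock server without the intended certificate. Change the three puts to `.put("xpack.security.transport.ssl.certificate", cert)`, `.put("xpack.security.transport.ssl.key", key)` and `.put("xpack.security.transport.ssl.key_passphrase", "testnode")`.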
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheck.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheck.java @@ -9,7 +9,7 @@ import org.elasticsearch.bootstrap.BootstrapContext; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.xpack.core.XPackSettings; -import org.elasticsearch.xpack.core.security.authc.RealmConfig; +import org.elasticsearch.xpack.core.security.authc.RealmConfig.RealmIdentifier; import org.elasticsearch.xpack.core.security.authc.RealmSettings; import org.elasticsearch.xpack.core.security.authc.pki.PkiRealmSettings; import org.elasticsearch.xpack.core.ssl.SSLConfiguration; @@ -37,7 +37,7 @@ class PkiRealmBootstrapCheck implements BootstrapCheck { @Override public BootstrapCheckResult check(BootstrapContext context) { final Settings settings = context.settings(); - final Map realms = RealmSettings.getRealmSettings(settings); + final Map realms = RealmSettings.getRealmSettings(settings); final boolean pkiRealmEnabled = realms.entrySet().stream() .filter(e -> PkiRealmSettings.TYPE.equals(e.getKey().getType())) .map(Map.Entry::getValue) @@ -70,6 +70,7 @@ private List getSslContextNames(Settings settings) { return list; } + // FIXME this is an antipattern move this out of a bootstrap check! @Override public boolean alwaysEnforce() { return true; diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/esnative/ESNativeRealmMigrateTool.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/esnative/ESNativeRealmMigrateTool.java index 3cc6c997f282f..6368f4a7510c9 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/esnative/ESNativeRealmMigrateTool.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/esnative/ESNativeRealmMigrateTool.java 
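Review bot: The new `// FIXME this is an antipattern move this out of a bootstrap check!` above alwaysEnforce() names a problem without saying what it is or where the logic should live, which makes it unactionable for whoever picks it up. Since the method returns true, the concern is presumably that this check is forced on every startup regardless of the gating that applies to other bootstrap checks, and that validating a realm's client_authentication requirement belongs with realm/SSL configuration loading — confirm that is the intent. Suggest `// FIXME(security): alwaysEnforce() forces this check on every startup; the PKI client_authentication validation belongs where realm and SSL configuration are loaded, not in a bootstrap check.`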
@@ -67,7 +67,6 @@ import java.util.Set; import static org.elasticsearch.common.xcontent.XContentFactory.jsonBuilder; -import static org.elasticsearch.xpack.core.security.SecurityField.setting; /** * This is the command-line tool used for migrating users and roles from the file-based realm into the new native realm using the API for @@ -149,7 +148,7 @@ private String postURL(Settings settings, Environment env, String method, String // If using SSL, need a custom service because it's likely a self-signed certificate if ("https".equalsIgnoreCase(uri.getScheme())) { final SSLService sslService = new SSLService(settings, env); - final SSLConfiguration sslConfiguration = sslService.getSSLConfiguration(setting("http.ssl")); + final SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.security.http.ssl"); final HttpsURLConnection httpsConn = (HttpsURLConnection) url.openConnection(); AccessController.doPrivileged((PrivilegedAction) () -> { // Requires permission java.lang.RuntimePermission "setFactory"; diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/nio/SecurityNioTransport.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/nio/SecurityNioTransport.java index b536644ad6121..7fdf946675ffd 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/nio/SecurityNioTransport.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/nio/SecurityNioTransport.java @@ -86,7 +86,6 @@ public SecurityNioTransport(Settings settings, Version version, ThreadPool threa Map profileConfiguration = SecurityNetty4Transport.getTransportProfileConfigurations(settings, sslService, transportConfiguration); this.profileConfiguration = Collections.unmodifiableMap(profileConfiguration); - } else { profileConfiguration = Collections.emptyMap(); } 
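Review bot: postURL now reads the tool's client TLS settings exclusively from `xpack.security.http.ssl`, and with the fallback gone a tool configuration that still carries its trust anchors under the old `xpack.ssl.*` keys will silently build an SSLService without them; against the self-signed node the comment above anticipates, the user gets a bare handshake failure with no hint that the settings were ignored. A comment at the lookup would at least make this explicit for maintainers: `// no fallback to xpack.ssl.* any more: the tool's trust/key material must be configured under xpack.security.http.ssl.*`. The tool's help text or migration notes should say the same, since this is the first place a user with an old config will hit it. postURL continues outside the hunk.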
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySettingsSource.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySettingsSource.java index fa1cfbcba9993..adeb4a7f86569 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySettingsSource.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySettingsSource.java @@ -149,7 +149,7 @@ public Path nodeConfigPath(int nodeOrdinal) { @Override public Settings transportClientSettings() { Settings.Builder builder = Settings.builder(); - addClientSSLSettings(builder, ""); + addClientSSLSettings(builder, "xpack.security.transport."); addDefaultSecurityTransportType(builder, Settings.EMPTY); if (randomBoolean()) { 
@@ -208,22 +208,27 @@ protected SecureString transportClientPassword() { return new SecureString(SecuritySettingsSourceField.TEST_PASSWORD.toCharArray()); } + public static void addSSLSettingsForNodePEMFiles(Settings.Builder builder, String prefix, boolean hostnameVerificationEnabled) { + addSSLSettingsForPEMFiles(builder, prefix, + "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem", "testnode", + "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt", + Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-client-profile.crt", + "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/active-directory-ca.crt", + "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt", + "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/openldap.crt", + "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"), + hostnameVerificationEnabled, false); + } + private void addNodeSSLSettings(Settings.Builder builder) { if (sslEnabled) { + builder.put("xpack.security.transport.ssl.enabled", true); if (usePEM) { - addSSLSettingsForPEMFiles(builder, "", - "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem", "testnode", - "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt", - Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-client-profile.crt", - "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/active-directory-ca.crt", - "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt", - "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/openldap.crt", - "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"), - sslEnabled, hostnameVerificationEnabled, false); - + addSSLSettingsForNodePEMFiles(builder, "xpack.security.transport.", hostnameVerificationEnabled); } else { - addSSLSettingsForStore(builder, "", 
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks", - "testnode", sslEnabled, hostnameVerificationEnabled, false); + addSSLSettingsForStore(builder, "xpack.security.transport.", + "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks", "testnode", + hostnameVerificationEnabled, false); } } else if (randomBoolean()) { builder.put(XPackSettings.TRANSPORT_SSL_ENABLED.getKey(), false); 
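Review bot: addNodeSSLSettings enables transport TLS with the string literal `"xpack.security.transport.ssl.enabled"` while the else-branch just below disables it through `XPackSettings.TRANSPORT_SSL_ENABLED.getKey()`; both branches should use the constant so a future key change cannot leave them pointing at different settings. The new public helper addSSLSettingsForNodePEMFiles also has no javadoc although it is now called from other test classes with a different prefix (ESNativeMigrateToolTests passes `xpack.security.http.`); document that it registers the node key/cert and, regardless of prefix, trusts the whole set of test CAs including active-directory-ca.crt and openldap.crt, so callers wiring it to the HTTP layer know what they are trusting. The closing lines of addNodeSSLSettings are outside the hunk.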
@@ -231,47 +236,53 @@ private void addNodeSSLSettings(Settings.Builder builder) { } public void addClientSSLSettings(Settings.Builder builder, String prefix) { + builder.put("xpack.security.transport.ssl.enabled", sslEnabled); if (usePEM) { addSSLSettingsForPEMFiles(builder, prefix, "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.pem", "testclient", "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt", Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt", "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt"), - sslEnabled, hostnameVerificationEnabled, true); + hostnameVerificationEnabled, true); } else { addSSLSettingsForStore(builder, prefix, "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.jks", - "testclient", sslEnabled, hostnameVerificationEnabled, true); + "testclient", hostnameVerificationEnabled, true); } } + /** + * Returns the configuration settings given the location of a certificate and its password + * + * @param resourcePathToStore the location of the keystore or truststore + * @param password the password + */ + public static void addSSLSettingsForStore(Settings.Builder builder, String resourcePathToStore, String password, String prefix) { + addSSLSettingsForStore(builder, prefix, resourcePathToStore, password, true, true); + } + private static void addSSLSettingsForStore(Settings.Builder builder, String prefix, String resourcePathToStore, String password, - boolean sslEnabled, boolean hostnameVerificationEnabled, - boolean transportClient) { + boolean hostnameVerificationEnabled, boolean transportClient) { Path store = resolveResourcePath(resourcePathToStore); - - if (transportClient == false) { - builder.put(prefix + "xpack.security.http.ssl.enabled", false); - } - builder.put(XPackSettings.TRANSPORT_SSL_ENABLED.getKey(), sslEnabled); - - builder.put(prefix + "xpack.ssl.verification_mode", 
hostnameVerificationEnabled ? "full" : "certificate"); - builder.put(prefix + "xpack.ssl.keystore.path", store); + builder.put(prefix + "ssl.verification_mode", hostnameVerificationEnabled ? "full" : "certificate"); + builder.put(prefix + "ssl.keystore.path", store); if (transportClient) { // continue using insecure settings for clients until we figure out what to do there... - builder.put(prefix + "xpack.ssl.keystore.password", password); + builder.put(prefix + "ssl.keystore.password", password); } else { + final String finalPrefix = prefix; addSecureSettings(builder, secureSettings -> - secureSettings.setString(prefix + "xpack.ssl.keystore.secure_password", password)); + secureSettings.setString(finalPrefix + "ssl.keystore.secure_password", password)); } if (randomBoolean()) { - builder.put(prefix + "xpack.ssl.truststore.path", store); + builder.put(prefix + "ssl.truststore.path", store); if (transportClient) { // continue using insecure settings for clients until we figure out what to do there... - builder.put(prefix + "xpack.ssl.truststore.password", password); + builder.put(prefix + "ssl.truststore.password", password); } else { + final String finalPrefix = prefix; addSecureSettings(builder, secureSettings -> - secureSettings.setString(prefix + "xpack.ssl.truststore.secure_password", password)); + secureSettings.setString(finalPrefix + "ssl.truststore.secure_password", password)); } } } 
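Review bot: addClientSSLSettings writes `xpack.security.transport.ssl.enabled` as a hard-coded key while every other setting it adds goes under the caller's `prefix`; for the remote-audit callers in this change, which pass `xpack.security.audit.index.client.xpack.security.transport.`, the call therefore also toggles the node's own transport TLS to this source's `sslEnabled` as a side effect (those callers then set the prefixed `ssl.enabled` themselves anyway). Use `builder.put(prefix + "ssl.enabled", sslEnabled);` so the method only touches the configuration it was asked to populate. Two smaller points in the same hunk: the private addSSLSettingsForStore has no empty-prefix default, unlike the PEM variant, so `prefix == ""` produces bare `ssl.keystore.path` keys; and the new public overload's javadoc opens with "Returns the configuration settings" although the method is void and mutates builder — reword to "Adds the keystore/truststore settings for the given store to builder", and consider matching its (store, password, prefix) order to the private method's (prefix, store, password), since three consecutive String parameters in reversed order invite silent swaps.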
@@ -289,31 +300,46 @@ private static void addSSLSettingsForStore(Settings.Builder builder, String pref */ public static void addSSLSettingsForPEMFiles(Settings.Builder builder, String keyPath, String password, String certificatePath, List trustedCertificates) { - addSSLSettingsForPEMFiles(builder, "", keyPath, password, certificatePath, trustedCertificates, true, true, true); + addSSLSettingsForPEMFiles(builder, "", keyPath, password, certificatePath, trustedCertificates, true, true); + } + + /** + * Returns the SSL related configuration settings given the location of a key and certificate and the location + * of the PEM certificates to be trusted + * + * @param keyPath The path to the Private key to be used for SSL + * @param password The password with which the private key is protected + * @param certificatePath The path to the PEM formatted Certificate encapsulating the public key that corresponds + * to the Private Key specified in {@code keyPath}. Will be presented to incoming + * SSL connections. + * @param prefix The settings prefix to use before ssl setting names + * @param trustedCertificates A list of PEM formatted certificates that will be trusted. 
+ */ + public static void addSSLSettingsForPEMFiles(Settings.Builder builder, String keyPath, String password, + String certificatePath, String prefix, List trustedCertificates) { + addSSLSettingsForPEMFiles(builder, prefix, keyPath, password, certificatePath, trustedCertificates, true, true); } private static void addSSLSettingsForPEMFiles(Settings.Builder builder, String prefix, String keyPath, String password, - String certificatePath, List trustedCertificates, boolean sslEnabled, + String certificatePath, List trustedCertificates, boolean hostnameVerificationEnabled, boolean transportClient) { - - if (transportClient == false) { - builder.put(prefix + "xpack.security.http.ssl.enabled", false); + if (prefix.equals("")) { + prefix = "xpack.security.transport."; } - builder.put(XPackSettings.TRANSPORT_SSL_ENABLED.getKey(), sslEnabled); - - builder.put(prefix + "xpack.ssl.verification_mode", hostnameVerificationEnabled ? "full" : "certificate"); - builder.put(prefix + "xpack.ssl.key", resolveResourcePath(keyPath)) - .put(prefix + "xpack.ssl.certificate", resolveResourcePath(certificatePath)); + builder.put(prefix + "ssl.verification_mode", hostnameVerificationEnabled ? "full" : "certificate"); + builder.put(prefix + "ssl.key", resolveResourcePath(keyPath)) + .put(prefix + "ssl.certificate", resolveResourcePath(certificatePath)); if (transportClient) { // continue using insecure settings for clients until we figure out what to do there... 
- builder.put(prefix + "xpack.ssl.key_passphrase", password); + builder.put(prefix + "ssl.key_passphrase", password); } else { + final String finalPrefix = prefix; addSecureSettings(builder, secureSettings -> - secureSettings.setString(prefix + "xpack.ssl.secure_key_passphrase", password)); + secureSettings.setString(finalPrefix + "ssl.secure_key_passphrase", password)); } if (trustedCertificates.isEmpty() == false) { - builder.put(prefix + "xpack.ssl.certificate_authorities", + builder.put(prefix + "ssl.certificate_authorities", Strings.arrayToCommaDelimitedString(resolvePathsToString(trustedCertificates))); } } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SettingsFilterTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SettingsFilterTests.java index b4584200a4a33..014ebc72a982b 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SettingsFilterTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SettingsFilterTests.java 
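Review bot: The new public addSSLSettingsForPEMFiles overload takes four consecutive String parameters with `prefix` in fourth position (`keyPath, password, certificatePath, prefix`), so a caller that swaps certificatePath and prefix compiles cleanly and only fails at runtime with a missing-file or unknown-setting error; placing `prefix` immediately after `builder`, as the private method already does, removes that hazard. Its javadoc also says "Returns the SSL related configuration settings" for a void method that mutates builder — "Adds the PEM key, certificate and trusted-CA settings under prefix to builder" is accurate. The silent empty-prefix default in the private method deserves a why-comment as well, e.g. `// legacy callers passed "" when these settings lived under the global xpack.ssl prefix; map them to the transport configuration`.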
@@ -64,21 +64,21 @@ public void testFiltering() throws Exception { if (inFipsJvm() == false) { configureFilteredSetting("xpack.security.authc.realms.pki.pki1.truststore.path", getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/truststore-testnode-only.jks").toString()); - configureFilteredSetting("xpack.ssl.keystore.path", + configureFilteredSetting("xpack.security.transport.ssl.keystore.path", getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks").toString()); } configureSecureSetting("xpack.security.authc.realms.pki.pki1.truststore.secure_password", "truststore-testnode-only"); configureFilteredSetting("xpack.security.authc.realms.pki.pki1.truststore.algorithm", "SunX509"); - configureFilteredSetting("xpack.ssl.cipher_suites", + configureFilteredSetting("xpack.security.transport.ssl.cipher_suites", Strings.arrayToCommaDelimitedString(XPackSettings.DEFAULT_CIPHERS.toArray())); - configureFilteredSetting("xpack.ssl.supported_protocols", randomFrom("TLSv1", "TLSv1.1", "TLSv1.2")); - configureSecureSetting("xpack.ssl.keystore.secure_password", "testnode"); - configureFilteredSetting("xpack.ssl.keystore.algorithm", KeyManagerFactory.getDefaultAlgorithm()); - configureSecureSetting("xpack.ssl.keystore.secure_key_password", "testnode"); - configureSecureSetting("xpack.ssl.truststore.secure_password", randomAlphaOfLength(5)); - configureFilteredSetting("xpack.ssl.truststore.algorithm", TrustManagerFactory.getDefaultAlgorithm()); + configureFilteredSetting("xpack.security.transport.ssl.supported_protocols", randomFrom("TLSv1", "TLSv1.1", "TLSv1.2")); + configureSecureSetting("xpack.security.transport.ssl.keystore.secure_password", "testnode"); + configureFilteredSetting("xpack.security.transport.ssl.keystore.algorithm", KeyManagerFactory.getDefaultAlgorithm()); + configureSecureSetting("xpack.security.transport.ssl.keystore.secure_key_password", "testnode"); + 
configureSecureSetting("xpack.security.transport.ssl.truststore.secure_password", randomAlphaOfLength(5)); + configureFilteredSetting("xpack.security.transport.ssl.truststore.algorithm", TrustManagerFactory.getDefaultAlgorithm()); // client profile configureUnfilteredSetting("transport.profiles.client.port", "9500-9600"); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/FIPS140JKSKeystoreBootstrapCheckTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/FIPS140JKSKeystoreBootstrapCheckTests.java index 53554c9fad09f..b35b8009f12ee 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/FIPS140JKSKeystoreBootstrapCheckTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/FIPS140JKSKeystoreBootstrapCheckTests.java @@ -16,22 +16,6 @@ public void testNoKeystoreIsAllowed() { assertFalse(new FIPS140JKSKeystoreBootstrapCheck().check(createTestContext(settings.build(), null)).isFailure()); } - public void testSSLKeystoreTypeIsNotAllowed() { - final Settings.Builder settings = Settings.builder() - .put("xpack.security.fips_mode.enabled", "true") - .put("xpack.ssl.keystore.path", "/this/is/the/path") - .put("xpack.ssl.keystore.type", "JKS"); - assertTrue(new FIPS140JKSKeystoreBootstrapCheck().check(createTestContext(settings.build(), null)).isFailure()); - } - - public void testSSLImplicitKeystoreTypeIsNotAllowed() { - final Settings.Builder settings = Settings.builder() - .put("xpack.security.fips_mode.enabled", "true") - .put("xpack.ssl.keystore.path", "/this/is/the/path") - .put("xpack.ssl.keystore.type", "JKS"); - assertTrue(new FIPS140JKSKeystoreBootstrapCheck().check(createTestContext(settings.build(), null)).isFailure()); - } - public void testTransportSSLKeystoreTypeIsNotAllowed() { final Settings.Builder settings = Settings.builder() .put("xpack.security.fips_mode.enabled", "true") 
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheckTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheckTests.java index 2bfa560ff13e8..2c62ce71d45a9 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheckTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheckTests.java @@ -36,15 +36,9 @@ public void testBootstrapCheckWithPkiRealm() throws Exception { .build(); assertFalse(runCheck(settings, env).isFailure()); - // disable client auth default - settings = Settings.builder().put(settings) - .put("xpack.ssl.client_authentication", "none") - .build(); - env = TestEnvironment.newEnvironment(settings); - assertTrue(runCheck(settings, env).isFailure()); - // enable ssl for http settings = Settings.builder().put(settings) + .put("xpack.security.transport.ssl.enabled", false) .put("xpack.security.http.ssl.enabled", true) .build(); env = TestEnvironment.newEnvironment(settings); @@ -73,6 +67,7 @@ public void testBootstrapCheckWithPkiRealm() throws Exception { // test with transport profile settings = Settings.builder().put(settings) + .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.client_authentication", "none") .put("transport.profiles.foo.xpack.security.ssl.client_authentication", randomFrom("required", "optional")) .build(); @@ -87,7 +82,7 @@ private BootstrapCheck.BootstrapCheckResult runCheck(Settings settings, Environm public void testBootstrapCheckWithDisabledRealm() throws Exception { Settings settings = Settings.builder() .put("xpack.security.authc.realms.pki.test_pki.enabled", false) - .put("xpack.ssl.client_authentication", "none") + .put("xpack.security.transport.ssl.client_authentication", "none") .put("path.home", createTempDir()) .build(); Environment env = TestEnvironment.newEnvironment(settings); 
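Review bot: Removing the "disable client auth default" block leaves testBootstrapCheckWithPkiRealm with no negative case for the transport layer: nothing now asserts that an enabled PKI realm with transport client authentication set to none fails the check, which is presumably the failure mode the check exists for (testBootstrapCheckWithDisabledRealm only covers the disabled-realm path). Reinstate it against the new key: `settings = Settings.builder().put(settings).put("xpack.security.transport.ssl.client_authentication", "none").build();` / `env = TestEnvironment.newEnvironment(settings);` / `assertTrue(runCheck(settings, env).isFailure());`. Separately, the unchanged context line `.put("xpack.security.transport.client_authentication", "none")` in the transport-profile case appears to be missing the `.ssl.` segment, so it may not be disabling default client auth at all — worth checking that this case still exercises what its comment claims. The rest of the test method is outside the hunk.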
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/index/IndexAuditTrailTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/index/IndexAuditTrailTests.java index 9fe510435c5ab..2f910658b3569 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/index/IndexAuditTrailTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/index/IndexAuditTrailTests.java @@ -246,7 +246,7 @@ protected void addDefaultSecurityTransportType(Settings.Builder builder, Setting SecuritySettingsSourceField.TEST_PASSWORD); if (remoteUseSSL) { - cluster2SettingsSource.addClientSSLSettings(builder, "xpack.security.audit.index.client."); + cluster2SettingsSource.addClientSSLSettings(builder, "xpack.security.audit.index.client.xpack.security.transport."); builder.put("xpack.security.audit.index.client.xpack.security.transport.ssl.enabled", true); } if (useSecurity == false && builder.get(NetworkModule.TRANSPORT_TYPE_KEY) == null) { diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/index/RemoteIndexAuditTrailStartingTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/index/RemoteIndexAuditTrailStartingTests.java index ba62e5b52c40e..bc893538642d0 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/index/RemoteIndexAuditTrailStartingTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/index/RemoteIndexAuditTrailStartingTests.java 
@@ -111,7 +111,7 @@ public Settings nodeSettings(int nodeOrdinal) { .put("xpack.security.audit.index.settings.index.number_of_shards", 1) .put("xpack.security.audit.index.settings.index.number_of_replicas", 0); - addClientSSLSettings(builder, "xpack.security.audit.index.client."); + addClientSSLSettings(builder, "xpack.security.audit.index.client.xpack.security.transport."); builder.put("xpack.security.audit.index.client.xpack.security.transport.ssl.enabled", sslEnabled); return builder.build(); } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/ESNativeMigrateToolTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/ESNativeMigrateToolTests.java index 7f3e2cfce9854..66bff81e5dd56 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/ESNativeMigrateToolTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/ESNativeMigrateToolTests.java @@ -13,7 +13,6 @@ import org.elasticsearch.common.settings.Settings; import org.elasticsearch.env.Environment; import org.elasticsearch.test.NativeRealmIntegTestCase; -import org.elasticsearch.test.SecuritySettingsSource; import org.elasticsearch.common.CharArrays; import org.elasticsearch.xpack.core.security.client.SecurityClient; import org.elasticsearch.xpack.security.support.SecurityIndexManager; @@ -21,10 +20,12 @@ import java.nio.charset.StandardCharsets; import java.nio.file.Path; -import java.util.Arrays; +import java.util.Collections; import java.util.HashSet; import java.util.Set; +import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForNodePEMFiles; +import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForPEMFiles; import static org.hamcrest.Matchers.containsString; import static org.hamcrest.Matchers.is; 
@@ -49,11 +50,11 @@ protected boolean addMockHttpTransport() { @Override public Settings nodeSettings(int nodeOrdinal) { logger.info("--> use SSL? {}", useSSL); - Settings s = Settings.builder() - .put(super.nodeSettings(nodeOrdinal)) - .put("xpack.security.http.ssl.enabled", useSSL) - .build(); - return s; + Settings.Builder builder = Settings.builder() + .put(super.nodeSettings(nodeOrdinal)); + addSSLSettingsForNodePEMFiles(builder, "xpack.security.http.", true); + builder.put("xpack.security.http.ssl.enabled", useSSL); + return builder.build(); } @Override @@ -77,7 +78,7 @@ public void testRetrieveUsers() throws Exception { SecurityClient c = new SecurityClient(client()); logger.error("--> creating users"); int numToAdd = randomIntBetween(1,10); - Set addedUsers = new HashSet(numToAdd); + Set addedUsers = new HashSet<>(numToAdd); for (int i = 0; i < numToAdd; i++) { String uname = randomAlphaOfLength(5); c.preparePutUser(uname, "s3kirt".toCharArray(), getFastStoredHashAlgoForTests(), "role1", "user").get(); @@ -94,13 +95,15 @@ public void testRetrieveUsers() throws Exception { Settings.Builder builder = Settings.builder() .put("path.home", home) - .put("path.conf", conf.toString()); - SecuritySettingsSource.addSSLSettingsForPEMFiles( + .put("path.conf", conf.toString()) + .put("xpack.security.http.ssl.client_authentication", "none"); + addSSLSettingsForPEMFiles( builder, "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem", "testnode", "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt", - Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt")); + "xpack.security.http.", + Collections.singletonList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt")); Settings settings = builder.build(); logger.error("--> retrieving users using URL: {}, home: {}", url, home); 
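Review bot: testRetrieveUsers adds `xpack.security.http.ssl.client_authentication` = none to the migrate tool's own, client-side settings, but client_authentication governs what a server demands from its peers and the tool only opens outbound HttpsURLConnections, so the setting looks to have no effect unless SSLService rejects the configuration without it — which is not visible from this hunk. If it is needed to satisfy validation, say so with a comment (`// client_authentication is irrelevant for an outbound client; set only because the http.ssl configuration is validated as a whole`), otherwise drop it, since a server-side knob copied into a client config is exactly the kind of line that gets cargo-culted into real deployments. The same line and PEM wiring are duplicated in testRetrieveRoles; a small private helper building the tool's Settings for both tests would keep them in step.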
@@ -140,12 +143,15 @@ public void testRetrieveRoles() throws Exception { String password = new String(CharArrays.toUtf8Bytes(nodeClientPassword().getChars()), StandardCharsets.UTF_8); String url = getHttpURL(); ESNativeRealmMigrateTool.MigrateUserOrRoles muor = new ESNativeRealmMigrateTool.MigrateUserOrRoles(); - Settings.Builder builder = Settings.builder().put("path.home", home); - SecuritySettingsSource.addSSLSettingsForPEMFiles(builder, + Settings.Builder builder = Settings.builder() + .put("path.home", home) + .put("xpack.security.http.ssl.client_authentication", "none"); + addSSLSettingsForPEMFiles(builder, "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.pem", "testclient", "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt", - Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt")); + "xpack.security.http.", + Collections.singletonList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt")); Settings settings = builder.build(); logger.error("--> retrieving roles using URL: {}, home: {}", url, home); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/tool/CommandLineHttpClientTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/tool/CommandLineHttpClientTests.java index 9b8c3878a038d..dd4b747c5b19b 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/tool/CommandLineHttpClientTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/tool/CommandLineHttpClientTests.java 
@@ -44,29 +44,16 @@ public void setup() throws Exception { } @After - public void shutdown() throws Exception { + public void shutdown() { webServer.close(); } public void testCommandLineHttpClientCanExecuteAndReturnCorrectResultUsingSSLSettings() throws Exception { Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"); - MockSecureSettings secureSettings = new MockSecureSettings(); - Settings settings; - if (randomBoolean()) { - // with http ssl settings - secureSettings.setString("xpack.security.http.ssl.truststore.secure_password", "testnode"); - settings = Settings.builder().put("xpack.security.http.ssl.certificate_authorities", certPath.toString()) - .put("xpack.security.http.ssl.verification_mode", VerificationMode.CERTIFICATE).setSecureSettings(secureSettings) - .build(); - } else { - // with global settings - secureSettings.setString("xpack.ssl.truststore.secure_password", "testnode"); - settings = Settings.builder() - .put("xpack.ssl.certificate_authorities", certPath.toString()) - .put("xpack.ssl.verification_mode", VerificationMode.CERTIFICATE) - .setSecureSettings(secureSettings) - .build(); - } + Settings settings = Settings.builder() + .put("xpack.security.http.ssl.certificate_authorities", certPath.toString()) + .put("xpack.security.http.ssl.verification_mode", VerificationMode.CERTIFICATE) + .build(); CommandLineHttpClient client = new CommandLineHttpClient(settings, environment); HttpResponse httpResponse = client.execute("GET", new URL("https://localhost:" + webServer.getPort() + "/test"), "u1", new SecureString(new char[]{'p'}), () -> null, is -> responseBuilder(is)); 
@@ -80,14 +67,14 @@ private MockWebServer createMockWebServer() { Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"); Path keyPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem"); MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode"); + secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode"); Settings settings = Settings.builder() - .put("xpack.ssl.key", keyPath.toString()) - .put("xpack.ssl.certificate", certPath.toString()) + .put("xpack.security.http.ssl.key", keyPath.toString()) + .put("xpack.security.http.ssl.certificate", certPath.toString()) .setSecureSettings(secureSettings) .build(); TestsSSLService sslService = new TestsSSLService(settings, environment); - return new MockWebServer(sslService.sslContext(), false); + return new MockWebServer(sslService.sslContext("xpack.security.http.ssl."), false); } private HttpResponseBuilder responseBuilder(final InputStream is) throws IOException { diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapTestUtils.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapTestUtils.java index c91f634c1a786..65eb36aeba73b 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapTestUtils.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapTestUtils.java @@ -13,7 +13,6 @@ import org.elasticsearch.common.settings.Settings; import org.elasticsearch.env.Environment; import org.elasticsearch.env.TestEnvironment; -import org.elasticsearch.test.ESTestCase; import org.elasticsearch.xpack.core.security.authc.ldap.support.SessionFactorySettings; import org.elasticsearch.xpack.core.ssl.SSLConfiguration; import org.elasticsearch.xpack.core.ssl.SSLService; 
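Review bot: The context name on the new `return` line carries a trailing dot (`"xpack.security.http.ssl."`), while the SamlRealmTests hunk later in this patch passes `"xpack.security.http.ssl"` without one to the same `TestsSSLService.sslContext(String)`. Unless that method normalises the trailing dot (its change is not in this chunk), the two spellings resolve different keys and one of the tests is relying on a lookup that the other does not; use one form at both call sites, e.g. `return new MockWebServer(sslService.sslContext("xpack.security.http.ssl"), false);`. The same prefix is repeated four times in this hunk as string literals, so a `private static final String HTTP_SSL_PREFIX = "xpack.security.http.ssl."` in the test class would keep the key and context name from drifting apart.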
@@ -29,26 +28,16 @@ private LdapTestUtils() { } public static LDAPConnection openConnection(String url, String bindDN, String bindPassword, Path truststore) throws Exception { - boolean useGlobalSSL = ESTestCase.randomBoolean(); Settings.Builder builder = Settings.builder().put("path.home", LuceneTestCase.createTempDir()); MockSecureSettings secureSettings = new MockSecureSettings(); builder.setSecureSettings(secureSettings); - if (useGlobalSSL) { - builder.put("xpack.ssl.truststore.path", truststore); - // fake realm to load config with certificate verification mode - builder.put("xpack.security.authc.realms.ldap.bar.ssl.truststore.path", truststore); - builder.put("xpack.security.authc.realms.ldap.bar.ssl.verification_mode", VerificationMode.CERTIFICATE); - secureSettings.setString("xpack.ssl.truststore.secure_password", "changeit"); - secureSettings.setString("xpack.security.authc.realms.ldap.bar.ssl.truststore.secure_password", "changeit"); - } else { - // fake realms so ssl will get loaded - builder.put("xpack.security.authc.realms.ldap.foo.ssl.truststore.path", truststore); - builder.put("xpack.security.authc.realms.ldap.foo.ssl.verification_mode", VerificationMode.FULL); - builder.put("xpack.security.authc.realms.ldap.bar.ssl.truststore.path", truststore); - builder.put("xpack.security.authc.realms.ldap.bar.ssl.verification_mode", VerificationMode.CERTIFICATE); - secureSettings.setString("xpack.security.authc.realms.ldap.foo.ssl.truststore.secure_password", "changeit"); - secureSettings.setString("xpack.security.authc.realms.ldap.bar.ssl.truststore.secure_password", "changeit"); - } + // fake realms so ssl will get loaded + builder.put("xpack.security.authc.realms.ldap.foo.ssl.truststore.path", truststore); + builder.put("xpack.security.authc.realms.ldap.foo.ssl.verification_mode", VerificationMode.FULL); + builder.put("xpack.security.authc.realms.ldap.bar.ssl.truststore.path", truststore); + 
builder.put("xpack.security.authc.realms.ldap.bar.ssl.verification_mode", VerificationMode.CERTIFICATE); + secureSettings.setString("xpack.security.authc.realms.ldap.foo.ssl.truststore.secure_password", "changeit"); + secureSettings.setString("xpack.security.authc.realms.ldap.bar.ssl.truststore.secure_password", "changeit"); Settings settings = builder.build(); Environment env = TestEnvironment.newEnvironment(settings); SSLService sslService = new SSLService(settings, env); @@ -60,12 +49,7 @@ public static LDAPConnection openConnection(String url, String bindDN, String bi options.setConnectTimeoutMillis(Math.toIntExact(SessionFactorySettings.TIMEOUT_DEFAULT.millis())); options.setResponseTimeoutMillis(SessionFactorySettings.TIMEOUT_DEFAULT.millis()); - final SSLConfiguration sslConfiguration; - if (useGlobalSSL) { - sslConfiguration = sslService.getSSLConfiguration("xpack.ssl"); - } else { - sslConfiguration = sslService.getSSLConfiguration("xpack.security.authc.realms.ldap.foo.ssl"); - } + final SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.security.authc.realms.ldap.foo.ssl"); return LdapUtils.privilegedConnect(() -> new LDAPConnection(sslService.sslSocketFactory(sslConfiguration), options, ldapurl.getHost(), ldapurl.getPort(), bindDN, bindPassword)); } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapUserSearchSessionFactoryTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapUserSearchSessionFactoryTests.java index 29a96f11060e3..2598b9da5507f 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapUserSearchSessionFactoryTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapUserSearchSessionFactoryTests.java 
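Review bot: The `bar` realm configured on the new lines of the first LdapTestUtils hunk is no longer read anywhere: the second hunk on this line now fetches only `xpack.security.authc.realms.ldap.foo.ssl`, and the branch in which `bar` stood in for the removed global context is gone. Unless `SSLService` needs a second realm configuration to exist (nothing in this chunk suggests it), the four `bar` lines and their secure password can be dropped; if they are kept deliberately, the surviving comment `// fake realms so ssl will get loaded` should say what `bar` is still for. `openConnection` starts inside the first hunk and ends inside the second.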
@@ -65,7 +65,7 @@ public void init() throws Exception { globalSettings = Settings.builder() .put("path.home", createTempDir()) - .put("xpack.ssl.certificate_authorities", certPath) + .put("xpack.security.transport.ssl.certificate_authorities", certPath) .build(); sslService = new SSLService(globalSettings, env); threadPool = new TestThreadPool("LdapUserSearchSessionFactoryTests"); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiAuthenticationTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiAuthenticationTests.java index 7cd6833260ac4..52c87c75a13a7 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiAuthenticationTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiAuthenticationTests.java @@ -18,7 +18,6 @@ import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.transport.TransportAddress; import org.elasticsearch.http.HttpServerTransport; -import org.elasticsearch.test.SecuritySettingsSource; import org.elasticsearch.test.SecuritySingleNodeTestCase; import org.elasticsearch.transport.Transport; import org.elasticsearch.xpack.core.TestXPackTransportClient; @@ -41,6 +40,7 @@ import java.util.Locale; import java.util.stream.Collectors; +import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForNodePEMFiles; import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForPEMFiles; import static org.hamcrest.Matchers.containsString; import static org.hamcrest.Matchers.is; 
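Review bot: The CA file is now registered under `xpack.security.transport.ssl.certificate_authorities`, but the `sslService` built on the following line is what the LDAP session factory under test consults, and with the fallback this patch removes the LDAP realm's SSL configuration no longer inherits anything from the transport context. If any test in this class expects an LDAPS connection to trust `certPath`, the CA has to be configured on the realm's own prefix (`xpack.security.authc.realms.ldap.<realm>.ssl.certificate_authorities`); if the tests only need a constructible `SSLService`, a comment such as `// transport context only; realm SSL is configured per test` would stop a reader from assuming this CA reaches the realm. `init()` continues outside the hunk.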
@@ -60,17 +60,15 @@ protected Settings nodeSettings() { SSLClientAuth sslClientAuth = randomBoolean() ? SSLClientAuth.REQUIRED : SSLClientAuth.OPTIONAL; Settings.Builder builder = Settings.builder() - .put(super.nodeSettings()) - .put("xpack.security.http.ssl.enabled", true) + .put(super.nodeSettings()); + addSSLSettingsForNodePEMFiles(builder, "xpack.security.http.", true); + builder.put("xpack.security.http.ssl.enabled", true) .put("xpack.security.http.ssl.client_authentication", sslClientAuth) .put("xpack.security.authc.realms.file.file.order", "0") .put("xpack.security.authc.realms.pki.pki1.order", "1") .put("xpack.security.authc.realms.pki.pki1.certificate_authorities", getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt")) .put("xpack.security.authc.realms.pki.pki1.files.role_mapping", getDataPath("role_mapping.yml")); - - SecuritySettingsSource.addSecureSettings(builder, secureSettings -> - secureSettings.setString("xpack.security.authc.realms.pki.pki1.truststore.secure_password", "truststore-testnode-only")); return builder.build(); } 
@@ -158,13 +156,15 @@ private SSLContext getRestSSLContext(String keyPath, String password, String cer private TransportClient createTransportClient(Settings additionalSettings) { Settings clientSettings = transportClientSettings(); - if (additionalSettings.getByPrefix("xpack.ssl.").isEmpty() == false) { - clientSettings = clientSettings.filter(k -> k.startsWith("xpack.ssl.") == false); + if (additionalSettings.getByPrefix("xpack.security.transport.ssl.").isEmpty() == false) { + clientSettings = clientSettings.filter(k -> k.startsWith("xpack.security.transport.ssl.") == false); } - Settings.Builder builder = Settings.builder().put(clientSettings, false) - .put(additionalSettings) - .put("cluster.name", node().settings().get("cluster.name")); + Settings.Builder builder = Settings.builder() + .put("xpack.security.transport.ssl.enabled", true) + .put(clientSettings, false) + .put(additionalSettings) + .put("cluster.name", node().settings().get("cluster.name")); builder.remove(SecurityField.USER_SETTING.getKey()); builder.remove("request.headers.Authorization"); return new TestXPackTransportClient(builder.build(), LocalStateSecurity.class); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiOptionalClientAuthTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiOptionalClientAuthTests.java index 6e1a2480d2bcb..f2a6212107307 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiOptionalClientAuthTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiOptionalClientAuthTests.java 
@@ -52,6 +52,9 @@ protected Settings nodeSettings() { .put(super.nodeSettings()) .put("xpack.security.http.ssl.enabled", true) .put("xpack.security.http.ssl.client_authentication", SSLClientAuth.OPTIONAL) + .put("xpack.security.http.ssl.keystore.path", + getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks")) + .put("xpack.security.http.ssl.keystore.password", "testnode") .put("xpack.security.authc.realms.file.file.order", "0") .put("xpack.security.authc.realms.pki.pki1.order", "1") .put("xpack.security.authc.realms.pki.pki1.truststore.path", @@ -59,10 +62,15 @@ protected Settings nodeSettings() { .put("xpack.security.authc.realms.pki.pki1.files.role_mapping", getDataPath("role_mapping.yml")) .put("transport.profiles.want_client_auth.port", randomClientPortRange) .put("transport.profiles.want_client_auth.bind_host", "localhost") + .put("transport.profiles.want_client_auth.xpack.security.ssl.keystore.path", + getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks")) + .put("transport.profiles.want_client_auth.xpack.security.ssl.keystore.password", "testnode") .put("transport.profiles.want_client_auth.xpack.security.ssl.client_authentication", SSLClientAuth.OPTIONAL); - SecuritySettingsSource.addSecureSettings(builder, secureSettings -> - secureSettings.setString("xpack.security.authc.realms.pki.pki1.truststore.secure_password", "truststore-testnode-only")); + SecuritySettingsSource.addSecureSettings(builder, secureSettings -> { + secureSettings.setString("xpack.security.authc.realms.pki.pki1.truststore.secure_password", "truststore-testnode-only"); + secureSettings.setString("xpack.security.http.ssl.keystore.secure_password", "testnode"); + }); return builder.build(); } 
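Review bot: The HTTP keystore password is supplied twice — as the plain setting `xpack.security.http.ssl.keystore.password` in the first hunk and again as `xpack.security.http.ssl.keystore.secure_password` in the secure-settings consumer of the second hunk — while the `transport.profiles.want_client_auth` keystore gets only the plain `keystore.password`. Carrying the password in plain settings defeats the purpose of the secure setting, and the duplicated value means the two can silently diverge. If the profile code path accepts secure settings, drop both `keystore.password` entries and add `secureSettings.setString("transport.profiles.want_client_auth.xpack.security.ssl.keystore.secure_password", "testnode");` beside the http one; if the plain form is required somewhere, a comment on that line saying which consumer needs it would justify keeping it.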
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java
index b528008273779..d139d99bf9ce2 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java
@@ -123,19 +123,20 @@ public void testReadIdpMetadataFromHttps() throws Exception { final Path path = getDataPath("idp1.xml"); final String body = new String(Files.readAllBytes(path), StandardCharsets.UTF_8); final MockSecureSettings mockSecureSettings = new MockSecureSettings(); - mockSecureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode"); + mockSecureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode"); final Settings settings = Settings.builder() - .put("xpack.ssl.key", + .put("xpack.security.http.ssl.key", getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem")) - .put("xpack.ssl.certificate", + .put("xpack.security.http.ssl.certificate", getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt")) - .put("xpack.ssl.certificate_authorities", + .put("xpack.security.http.ssl.certificate_authorities", getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt")) .put("path.home", createTempDir()) .setSecureSettings(mockSecureSettings) .build(); TestsSSLService sslService = new TestsSSLService(settings, TestEnvironment.newEnvironment(settings)); - try (MockWebServer proxyServer = new MockWebServer(sslService.sslContext(Settings.EMPTY), false)) { + try (MockWebServer proxyServer = + new MockWebServer(sslService.sslContext("xpack.security.http.ssl"), false)) { proxyServer.start(); proxyServer.enqueue(new MockResponse().setResponseCode(200).setBody(body).addHeader("Content-Type", "application/xml")); proxyServer.enqueue(new MockResponse().setResponseCode(200).setBody(body).addHeader("Content-Type", "application/xml")); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/AbstractSimpleSecurityTransportTestCase.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/AbstractSimpleSecurityTransportTestCase.java index e01fecf97e1b3..bd7030f22e50b 100644 
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/AbstractSimpleSecurityTransportTestCase.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/AbstractSimpleSecurityTransportTestCase.java @@ -82,11 +82,11 @@ protected SSLService createSSLService(Settings settings) { Path testnodeCert = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"); Path testnodeKey = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem"); MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode"); + secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); Settings settings1 = Settings.builder() .put("xpack.security.transport.ssl.enabled", true) - .put("xpack.ssl.key", testnodeKey) - .put("xpack.ssl.certificate", testnodeCert) + .put("xpack.security.transport.ssl.key", testnodeKey) + .put("xpack.security.transport.ssl.certificate", testnodeCert) .put("path.home", createTempDir()) .put(settings) .setSecureSettings(secureSettings) @@ -153,7 +153,7 @@ public void testTcpHandshake() { @SuppressForbidden(reason = "Need to open socket connection") public void testRenegotiation() throws Exception { SSLService sslService = createSSLService(); - final SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.ssl"); + final SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.security.transport.ssl"); SocketFactory factory = sslService.sslSocketFactory(sslConfiguration); try (SSLSocket socket = (SSLSocket) factory.createSocket()) { SocketAccess.doPrivileged(() -> socket.connect(serviceA.boundAddress().publishAddress().address())); 
@@ -205,7 +205,7 @@ public void testSNIServerNameIsPropagated() throws Exception { assumeFalse("Can't run in a FIPS JVM, TrustAllConfig is not a SunJSSE TrustManagers", inFipsJvm()); SSLService sslService = createSSLService(); - final SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.ssl"); + final SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.security.transport.ssl"); SSLContext sslContext = sslService.sslContext(sslConfiguration); final SSLServerSocketFactory serverSocketFactory = sslContext.getServerSocketFactory(); final String sniIp = "sni-hostname"; @@ -245,7 +245,9 @@ public boolean matches(SNIServerName sniServerName) { InetSocketAddress serverAddress = (InetSocketAddress) SocketAccess.doPrivileged(sslServerSocket::getLocalSocketAddress); - Settings settings = Settings.builder().put("name", "TS_TEST").put("xpack.ssl.verification_mode", "none").build(); + Settings settings = Settings.builder().put("name", "TS_TEST") + .put("xpack.security.transport.ssl.verification_mode", "none") + .build(); try (MockTransportService serviceC = build(settings, version0, null, true)) { serviceC.acceptIncomingRequests(); @@ -271,7 +273,7 @@ public void testInvalidSNIServerName() throws Exception { assumeFalse("Can't run in a FIPS JVM, TrustAllConfig is not a SunJSSE TrustManagers", inFipsJvm()); SSLService sslService = createSSLService(); - final SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.ssl"); + final SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.security.transport.ssl"); SSLContext sslContext = sslService.sslContext(sslConfiguration); final SSLServerSocketFactory serverSocketFactory = sslContext.getServerSocketFactory(); final String sniIp = "invalid_hostname"; 
@@ -290,7 +292,9 @@ public void testInvalidSNIServerName() throws Exception { InetSocketAddress serverAddress = (InetSocketAddress) SocketAccess.doPrivileged(sslServerSocket::getLocalSocketAddress); - Settings settings = Settings.builder().put("name", "TS_TEST").put("xpack.ssl.verification_mode", "none").build(); + Settings settings = Settings.builder().put("name", "TS_TEST") + .put("xpack.security.transport.ssl.verification_mode", "none") + .build(); try (MockTransportService serviceC = build(settings, version0, null, true)) { serviceC.acceptIncomingRequests(); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ServerTransportFilterIntegrationTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ServerTransportFilterIntegrationTests.java index 6e95fd6aed170..2383f3b3ac739 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ServerTransportFilterIntegrationTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ServerTransportFilterIntegrationTests.java @@ -32,7 +32,6 @@ import org.elasticsearch.transport.TransportService; import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.SecurityField; -import org.elasticsearch.xpack.core.ssl.SSLClientAuth; import org.elasticsearch.xpack.security.LocalStateSecurity; import org.junit.BeforeClass; @@ -41,8 +40,10 @@ import java.nio.file.Path; import java.util.Arrays; import java.util.Collection; +import java.util.Collections; import java.util.concurrent.CountDownLatch; +import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForNodePEMFiles; import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForPEMFiles; import static org.elasticsearch.xpack.security.test.SecurityTestUtils.writeFile; import static org.hamcrest.CoreMatchers.equalTo; 
@@ -63,13 +64,12 @@ public boolean transportSSLEnabled() { @Override protected Settings nodeSettings(int nodeOrdinal) { - Settings.Builder settingsBuilder = Settings.builder(); + Settings.Builder settingsBuilder = Settings.builder().put(super.nodeSettings(nodeOrdinal)); String randomClientPortRange = randomClientPort + "-" + (randomClientPort+100); + addSSLSettingsForNodePEMFiles(settingsBuilder, "transport.profiles.client.xpack.security.", true); Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"); - settingsBuilder.put(super.nodeSettings(nodeOrdinal)) - .putList("transport.profiles.client.xpack.security.ssl.certificate_authorities", - Arrays.asList(certPath.toString())) // settings for client truststore - .put("xpack.ssl.client_authentication", SSLClientAuth.REQUIRED) + settingsBuilder.putList("transport.profiles.client.xpack.security.ssl.certificate_authorities", + Collections.singletonList(certPath.toString())) // settings for client truststore .put("transport.profiles.client.xpack.security.type", "client") .put("transport.profiles.client.port", randomClientPortRange) // make sure this is "localhost", no matter if ipv4 or ipv6, but be consistent @@ -82,7 +82,7 @@ protected Settings nodeSettings(int nodeOrdinal) { } SecuritySettingsSource.addSecureSettings(settingsBuilder, secureSettings -> - secureSettings.setString("transport.profiles.client.xpack.security.ssl.truststore.secure_password", "testnode")); + secureSettings.setString("transport.profiles.client.xpack.security.ssl.keystore.secure_password", "testnode")); return settingsBuilder.build(); } 
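Review bot: The secure setting in the second hunk is changed to `transport.profiles.client.xpack.security.ssl.keystore.secure_password`, yet the profile is now configured from PEM files by `addSSLSettingsForNodePEMFiles(...)` in the first hunk, so a keystore password is most likely unused; if the helper does not add a keystore (its body is not in this chunk), the line can be removed, otherwise the helper's third argument `true` deserves a comment saying what it enables. Separately, the `putList(...certificate_authorities...)` that follows the helper call will override any CA list the helper already set for the same prefix; if that override is intentional, the existing `// settings for client truststore` comment should say it replaces the helper's CAs. `nodeSettings` starts inside the first hunk and ends inside the second.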
@@ -97,20 +97,20 @@ public void testThatConnectionToServerTypeConnectionWorks() throws IOException, // test that starting up a node works Settings.Builder nodeSettings = Settings.builder() - .put("node.name", "my-test-node") - .put("network.host", "localhost") - .put("cluster.name", internalCluster().getClusterName()) - .put("discovery.zen.ping.unicast.hosts", unicastHost) - .put("discovery.zen.minimum_master_nodes", - internalCluster().getInstance(Settings.class).get("discovery.zen.minimum_master_nodes")) - .put("xpack.security.enabled", true) - .put("xpack.security.audit.enabled", false) - .put(XPackSettings.WATCHER_ENABLED.getKey(), false) - .put("path.home", home) - .put(Node.NODE_MASTER_SETTING.getKey(), false) - .put(TestZenDiscovery.USE_ZEN2.getKey(), getUseZen2()) - .put(TestZenDiscovery.USE_MOCK_PINGS.getKey(), false); - //.put("xpack.ml.autodetect_process", false); + .put("node.name", "my-test-node") + .put("network.host", "localhost") + .put("cluster.name", internalCluster().getClusterName()) + .put("discovery.zen.ping.unicast.hosts", unicastHost) + .put("discovery.zen.minimum_master_nodes", + internalCluster().getInstance(Settings.class).get("discovery.zen.minimum_master_nodes")) + .put("xpack.security.enabled", true) + .put("xpack.security.audit.enabled", false) + .put("xpack.security.transport.ssl.enabled", true) + .put(XPackSettings.WATCHER_ENABLED.getKey(), false) + .put("path.home", home) + .put(Node.NODE_MASTER_SETTING.getKey(), false) + .put(TestZenDiscovery.USE_ZEN2.getKey(), getUseZen2()) + .put(TestZenDiscovery.USE_MOCK_PINGS.getKey(), false); Collection> mockPlugins = Arrays.asList( LocalStateSecurity.class, TestZenDiscovery.TestPlugin.class, MockHttpTransport.TestPlugin.class); addSSLSettingsForPEMFiles( 
@@ -139,22 +139,22 @@ public void testThatConnectionToClientTypeConnectionIsRejected() throws IOExcept // test that starting up a node works Settings.Builder nodeSettings = Settings.builder() - .put("xpack.security.authc.realms.file.file.order", 0) - .put("node.name", "my-test-node") - .put(SecurityField.USER_SETTING.getKey(), "test_user:" + SecuritySettingsSourceField.TEST_PASSWORD) - .put("cluster.name", internalCluster().getClusterName()) - .put("discovery.zen.ping.unicast.hosts", unicastHost) - .put("discovery.zen.minimum_master_nodes", - internalCluster().getInstance(Settings.class).get("discovery.zen.minimum_master_nodes")) - .put("xpack.security.enabled", true) - .put("xpack.security.audit.enabled", false) - .put(XPackSettings.WATCHER_ENABLED.getKey(), false) - .put("discovery.initial_state_timeout", "0s") - .put("path.home", home) - .put(Node.NODE_MASTER_SETTING.getKey(), false) - .put(TestZenDiscovery.USE_ZEN2.getKey(), getUseZen2()) - .put(TestZenDiscovery.USE_MOCK_PINGS.getKey(), false); - //.put("xpack.ml.autodetect_process", false); + .put("xpack.security.authc.realms.file.file.order", 0) + .put("node.name", "my-test-node") + .put(SecurityField.USER_SETTING.getKey(), "test_user:" + SecuritySettingsSourceField.TEST_PASSWORD) + .put("cluster.name", internalCluster().getClusterName()) + .put("discovery.zen.ping.unicast.hosts", unicastHost) + .put("discovery.zen.minimum_master_nodes", + internalCluster().getInstance(Settings.class).get("discovery.zen.minimum_master_nodes")) + .put("xpack.security.enabled", true) + .put("xpack.security.audit.enabled", false) + .put("xpack.security.transport.ssl.enabled", true) + .put(XPackSettings.WATCHER_ENABLED.getKey(), false) + .put("discovery.initial_state_timeout", "0s") + .put("path.home", home) + .put(Node.NODE_MASTER_SETTING.getKey(), false) + .put(TestZenDiscovery.USE_ZEN2.getKey(), getUseZen2()) + .put(TestZenDiscovery.USE_MOCK_PINGS.getKey(), false); Collection> mockPlugins = Arrays.asList( 
LocalStateSecurity.class, TestZenDiscovery.TestPlugin.class, MockHttpTransport.TestPlugin.class); addSSLSettingsForPEMFiles( @@ -162,7 +162,7 @@ public void testThatConnectionToClientTypeConnectionIsRejected() throws IOExcept "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem", "testnode", "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt", - Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt")); + Collections.singletonList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt")); try (Node node = new MockNode(nodeSettings.build(), mockPlugins)) { node.start(); TransportService instance = node.injector().getInstance(TransportService.class); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/IPHostnameVerificationTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/IPHostnameVerificationTests.java index 130fa22603940..b1ecad0e4b4a5 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/IPHostnameVerificationTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/IPHostnameVerificationTests.java @@ -33,7 +33,7 @@ protected boolean transportSSLEnabled() { protected Settings nodeSettings(int nodeOrdinal) { Settings settings = super.nodeSettings(nodeOrdinal); Settings.Builder builder = Settings.builder() - .put(settings.filter((s) -> s.startsWith("xpack.ssl.") == false), false); + .put(settings.filter((s) -> s.startsWith("xpack.security.transport.ssl.") == false), false); settings = builder.build(); // The default Unicast test behavior is to use 'localhost' with the port number. For this test we need to use IP 
@@ -56,27 +56,27 @@ protected Settings nodeSettings(int nodeOrdinal) { } SecuritySettingsSource.addSecureSettings(settingsBuilder, secureSettings -> { - secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode-ip-only"); + secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode-ip-only"); }); - return settingsBuilder.put("xpack.ssl.key", keyPath.toAbsolutePath()) - .put("xpack.ssl.certificate", certPath.toAbsolutePath()) - .put("xpack.ssl.certificate_authorities", certPath.toAbsolutePath()) + return settingsBuilder.put("xpack.security.transport.ssl.key", keyPath.toAbsolutePath()) + .put("xpack.security.transport.ssl.certificate", certPath.toAbsolutePath()) + .put("xpack.security.transport.ssl.certificate_authorities", certPath.toAbsolutePath()) .put(TransportSettings.BIND_HOST.getKey(), "127.0.0.1") .put("network.host", "127.0.0.1") - .put("xpack.ssl.client_authentication", SSLClientAuth.NONE) - .put("xpack.ssl.verification_mode", "full") + .put("xpack.security.transport.ssl.client_authentication", SSLClientAuth.NONE) + .put("xpack.security.transport.ssl.verification_mode", "full") .build(); } @Override protected Settings transportClientSettings() { Settings clientSettings = super.transportClientSettings(); - return Settings.builder().put(clientSettings.filter(k -> k.startsWith("xpack.ssl.") == false)) - .put("xpack.ssl.verification_mode", "certificate") - .put("xpack.ssl.key", keyPath.toAbsolutePath()) - .put("xpack.ssl.certificate", certPath.toAbsolutePath()) - .put("xpack.ssl.key_passphrase", "testnode-ip-only") - .put("xpack.ssl.certificate_authorities", certPath) + return Settings.builder().put(clientSettings.filter(k -> k.startsWith("xpack.security.transport.ssl.") == false)) + .put("xpack.security.transport.ssl.verification_mode", "certificate") + .put("xpack.security.transport.ssl.key", keyPath.toAbsolutePath()) + .put("xpack.security.transport.ssl.certificate", certPath.toAbsolutePath()) + 
.put("xpack.security.transport.ssl.key_passphrase", "testnode-ip-only") + .put("xpack.security.transport.ssl.certificate_authorities", certPath) .build(); } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SecurityNetty4HttpServerTransportTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SecurityNetty4HttpServerTransportTests.java index 23ca3c1fe9fe4..20ceee5d52e92 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SecurityNetty4HttpServerTransportTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SecurityNetty4HttpServerTransportTests.java @@ -42,15 +42,15 @@ public class SecurityNetty4HttpServerTransportTests extends ESTestCase { private Path testnodeCert; private Path testnodeKey; @Before - public void createSSLService() throws Exception { + public void createSSLService() { testnodeCert = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"); testnodeKey = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem"); MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode"); + secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode"); Settings settings = Settings.builder() - .put("xpack.ssl.key", testnodeKey) - .put("xpack.ssl.certificate", testnodeCert) + .put("xpack.security.http.ssl.key", testnodeKey) + .put("xpack.security.http.ssl.certificate", testnodeCert) .put("path.home", createTempDir()) .setSecureSettings(secureSettings) .build(); 
@@ -149,7 +149,7 @@ public void testCustomSSLConfiguration() throws Exception { public void testThatExceptionIsThrownWhenConfiguredWithoutSslKey() throws Exception { Settings settings = Settings.builder() - .put("xpack.ssl.certificate_authorities", testnodeCert) + .put("xpack.security.http.ssl.certificate_authorities", testnodeCert) .put(XPackSettings.HTTP_SSL_ENABLED.getKey(), true) .put("path.home", createTempDir()) .build(); @@ -163,10 +163,10 @@ public void testThatExceptionIsThrownWhenConfiguredWithoutSslKey() throws Except public void testNoExceptionWhenConfiguredWithoutSslKeySSLDisabled() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode"); + secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode"); Settings settings = Settings.builder() - .put("xpack.ssl.key", testnodeKey) - .put("xpack.ssl.certificate", testnodeCert) + .put("xpack.security.http.ssl.key", testnodeKey) + .put("xpack.security.http.ssl.certificate", testnodeCert) .setSecureSettings(secureSettings) .put("path.home", createTempDir()) .build(); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SecurityNetty4ServerTransportTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SecurityNetty4ServerTransportTests.java index 32f9828011849..f552c586409e9 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SecurityNetty4ServerTransportTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SecurityNetty4ServerTransportTests.java 
@@ -21,11 +21,9 @@ import org.elasticsearch.threadpool.ThreadPool; import org.elasticsearch.xpack.core.security.transport.netty4.SecurityNetty4Transport; import org.elasticsearch.xpack.core.ssl.SSLClientAuth; -import org.elasticsearch.xpack.core.ssl.SSLConfiguration; import org.elasticsearch.xpack.core.ssl.SSLService; import org.junit.Before; -import javax.net.ssl.SSLEngine; import java.nio.file.Path; import java.util.Collections; import java.util.Locale; @@ -44,11 +42,11 @@ public void createSSLService() throws Exception { Path testnodeCert = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"); Path testnodeKey = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem"); MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode"); + secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); Settings settings = Settings.builder() .put("xpack.security.transport.ssl.enabled", true) - .put("xpack.ssl.key", testnodeKey) - .put("xpack.ssl.certificate", testnodeCert) + .put("xpack.security.transport.ssl.key", testnodeKey) + .put("xpack.security.transport.ssl.certificate", testnodeCert) .setSecureSettings(secureSettings) .put("path.home", createTempDir()) .build(); @@ -97,7 +95,7 @@ public void testRequiredClientAuth() throws Exception { String value = randomFrom(SSLClientAuth.REQUIRED.name(), SSLClientAuth.REQUIRED.name().toLowerCase(Locale.ROOT)); Settings settings = Settings.builder() .put(env.settings()) - .put("xpack.ssl.client_authentication", value) + .put("xpack.security.transport.ssl.client_authentication", value) .build(); sslService = new SSLService(settings, env); SecurityNetty4Transport transport = createTransport(settings); 
@@ -111,7 +109,7 @@ public void testNoClientAuth() throws Exception { String value = randomFrom(SSLClientAuth.NONE.name(), SSLClientAuth.NONE.name().toLowerCase(Locale.ROOT)); Settings settings = Settings.builder() .put(env.settings()) - .put("xpack.ssl.client_authentication", value) + .put("xpack.security.transport.ssl.client_authentication", value) .build(); sslService = new SSLService(settings, env); SecurityNetty4Transport transport = createTransport(settings); @@ -125,7 +123,7 @@ public void testOptionalClientAuth() throws Exception { String value = randomFrom(SSLClientAuth.OPTIONAL.name(), SSLClientAuth.OPTIONAL.name().toLowerCase(Locale.ROOT)); Settings settings = Settings.builder() .put(env.settings()) - .put("xpack.ssl.client_authentication", value) + .put("xpack.security.transport.ssl.client_authentication", value) .build(); sslService = new SSLService(settings, env); SecurityNetty4Transport transport = createTransport(settings); 
@@ -179,36 +177,4 @@ public void testProfileOptionalClientAuth() throws Exception { assertThat(ch.pipeline().get(SslHandler.class).engine().getNeedClientAuth(), is(false)); assertThat(ch.pipeline().get(SslHandler.class).engine().getWantClientAuth(), is(true)); } - - public void testTransportSSLOverridesGlobalSSL() throws Exception { - MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); - Settings.Builder builder = Settings.builder() - .put("xpack.security.transport.ssl.enabled", true) - .put("xpack.security.transport.ssl.key", - getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem")) - .put("xpack.security.transport.ssl.certificate", - getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt")) - .put("xpack.security.transport.ssl.client_authentication", "none") - .put("xpack.ssl.certificate_authorities", - getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt")) - .setSecureSettings(secureSettings) - .put("path.home", createTempDir()); - Settings settings = builder.build(); - env = TestEnvironment.newEnvironment(settings); - sslService = new SSLService(settings, env); - SecurityNetty4Transport transport = createTransport(settings); - final ChannelHandler handler = transport.getServerChannelInitializer("default"); - final EmbeddedChannel ch = new EmbeddedChannel(handler); - final SSLEngine engine = ch.pipeline().get(SslHandler.class).engine(); - assertFalse(engine.getNeedClientAuth()); - assertFalse(engine.getWantClientAuth()); - - // get the global and verify that it is different in that it requires client auth - SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.ssl"); - assertNotNull(configuration); - final SSLEngine globalEngine = sslService.createSSLEngine(configuration, null, -1); - assertTrue(globalEngine.getNeedClientAuth()); - 
assertFalse(globalEngine.getWantClientAuth()); - } } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SslHostnameVerificationTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SslHostnameVerificationTests.java index c61b5782f75c4..30208a1158075 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SslHostnameVerificationTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SslHostnameVerificationTests.java @@ -35,7 +35,7 @@ protected boolean transportSSLEnabled() { protected Settings nodeSettings(int nodeOrdinal) { Settings settings = super.nodeSettings(nodeOrdinal); Settings.Builder settingsBuilder = Settings.builder(); - settingsBuilder.put(settings.filter(k -> k.startsWith("xpack.ssl.") == false), false); + settingsBuilder.put(settings.filter(k -> k.startsWith("xpack.security.transport.ssl.") == false), false); Path keyPath; Path certPath; Path nodeCertPath; 
@@ -58,14 +58,15 @@ protected Settings nodeSettings(int nodeOrdinal) { } SecuritySettingsSource.addSecureSettings(settingsBuilder, secureSettings -> { - secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode-no-subjaltname"); + secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode-no-subjaltname"); }); - return settingsBuilder.put("xpack.ssl.key", keyPath.toAbsolutePath()) - .put("xpack.ssl.certificate", certPath.toAbsolutePath()) - .putList("xpack.ssl.certificate_authorities", Arrays.asList(certPath.toString(), nodeCertPath.toString())) - // disable hostname verification as this test uses certs without a valid SAN or DNS in the CN - .put("xpack.ssl.verification_mode", "certificate") - .build(); + return settingsBuilder.put("xpack.security.transport.ssl.key", keyPath.toAbsolutePath()) + .put("xpack.security.transport.ssl.certificate", certPath.toAbsolutePath()) + .putList("xpack.security.transport.ssl.certificate_authorities", + Arrays.asList(certPath.toString(), nodeCertPath.toString())) + // disable hostname verification as this test uses certs without a valid SAN or DNS in the CN + .put("xpack.security.transport.ssl.verification_mode", "certificate") + .build(); } @Override 
@@ -89,13 +90,13 @@ protected Settings transportClientSettings() { Settings settings = super.transportClientSettings(); // remove all ssl settings Settings.Builder builder = Settings.builder(); - builder.put(settings.filter( k -> k.startsWith("xpack.ssl.") == false), false); + builder.put(settings.filter(k -> k.startsWith("xpack.security.transport.ssl.") == false), false); - builder.put("xpack.ssl.verification_mode", "certificate") - .put("xpack.ssl.key", keyPath.toAbsolutePath()) - .put("xpack.ssl.key_passphrase", "testnode-no-subjaltname") - .put("xpack.ssl.certificate", certPath.toAbsolutePath()) - .putList("xpack.ssl.certificate_authorities", Arrays.asList(certPath.toString(), nodeCertPath.toString())); + builder.put("xpack.security.transport.ssl.verification_mode", "certificate") + .put("xpack.security.transport.ssl.key", keyPath.toAbsolutePath()) + .put("xpack.security.transport.ssl.key_passphrase", "testnode-no-subjaltname") + .put("xpack.security.transport.ssl.certificate", certPath.toAbsolutePath()) + .putList("xpack.security.transport.ssl.certificate_authorities", Arrays.asList(certPath.toString(), nodeCertPath.toString())); return builder.build(); } @@ -105,7 +106,7 @@ public void testThatHostnameMismatchDeniesTransportClientConnection() throws Exc InetSocketAddress inetSocketAddress = transportAddress.address(); Settings settings = Settings.builder().put(transportClientSettings()) - .put("xpack.ssl.verification_mode", "full") + .put("xpack.security.transport.ssl.verification_mode", "full") .build(); try (TransportClient client = new TestXPackTransportClient(settings, LocalStateSecurity.class)) { diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/nio/SecurityNioHttpServerTransportTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/nio/SecurityNioHttpServerTransportTests.java index 9c490176eccdb..2f26456112a67 100644 
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/nio/SecurityNioHttpServerTransportTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/nio/SecurityNioHttpServerTransportTests.java @@ -52,10 +52,10 @@ public void createSSLService() { Path testNodeKey = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem"); Path testNodeCert = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"); MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode"); + secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode"); Settings settings = Settings.builder() - .put("xpack.ssl.key", testNodeKey) - .put("xpack.ssl.certificate", testNodeCert) + .put("xpack.security.http.ssl.key", testNodeKey) + .put("xpack.security.http.ssl.certificate", testNodeCert) .put("path.home", createTempDir()) .setSecureSettings(secureSettings) .build(); @@ -173,9 +173,9 @@ public void testCustomSSLConfiguration() throws IOException { public void testThatExceptionIsThrownWhenConfiguredWithoutSslKey() { MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.truststore.secure_password", "testnode"); + secureSettings.setString("xpack.security.http.ssl.truststore.secure_password", "testnode"); Settings settings = Settings.builder() - .put("xpack.ssl.truststore.path", + .put("xpack.security.http.ssl.truststore.path", getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks")) .setSecureSettings(secureSettings) .put(XPackSettings.HTTP_SSL_ENABLED.getKey(), true) 
@@ -193,9 +193,9 @@ public void testThatExceptionIsThrownWhenConfiguredWithoutSslKey() { public void testNoExceptionWhenConfiguredWithoutSslKeySSLDisabled() { MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.truststore.secure_password", "testnode"); + secureSettings.setString("xpack.security.http.ssl.truststore.secure_password", "testnode"); Settings settings = Settings.builder() - .put("xpack.ssl.truststore.path", + .put("xpack.security.http.ssl.truststore.path", getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks")) .setSecureSettings(secureSettings) .put("path.home", createTempDir()) diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/EllipticCurveSSLTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/EllipticCurveSSLTests.java index df49103a25999..5f0f3c94e36e8 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/EllipticCurveSSLTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/EllipticCurveSSLTests.java 
@@ -42,11 +42,13 @@ protected Settings nodeSettings(int nodeOrdinal) { final Path keyPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/prime256v1-key.pem"); final Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/prime256v1-cert.pem"); return Settings.builder() - .put(super.nodeSettings(nodeOrdinal).filter(s -> s.startsWith("xpack.ssl") == false)) - .put("xpack.ssl.key", keyPath) - .put("xpack.ssl.certificate", certPath) - .put("xpack.ssl.certificate_authorities", certPath) - .put("xpack.ssl.verification_mode", "certificate") // disable hostname verificate since these certs aren't setup for that + .put(super.nodeSettings(nodeOrdinal).filter(s -> s.startsWith("xpack.security.transport.ssl") == false)) + .put("xpack.security.transport.ssl.enabled", true) + .put("xpack.security.transport.ssl.key", keyPath) + .put("xpack.security.transport.ssl.certificate", certPath) + .put("xpack.security.transport.ssl.certificate_authorities", certPath) + // disable hostname verificate since these certs aren't setup for that + .put("xpack.security.transport.ssl.verification_mode", "certificate") .build(); } 
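Review bot: The new comment line `// disable hostname verificate since these certs aren't setup for that` carries a typo that the rewrite had the chance to fix; `// disable hostname verification since these certs aren't set up for that` reads cleanly and matches the wording used in SslHostnameVerificationTests. The same misspelled comment is repeated in the transportClientSettings hunk of this file. Since `verification_mode=certificate` is a deliberate relaxation of the check and this comment is the only place that justifies it, it is worth getting right in both places.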
@@ -55,11 +57,13 @@ protected Settings transportClientSettings() { final Path keyPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/prime256v1-key.pem"); final Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/prime256v1-cert.pem"); return Settings.builder() - .put(super.transportClientSettings().filter(s -> s.startsWith("xpack.ssl") == false)) - .put("xpack.ssl.key", keyPath) - .put("xpack.ssl.certificate", certPath) - .put("xpack.ssl.certificate_authorities", certPath) - .put("xpack.ssl.verification_mode", "certificate") // disable hostname verification since these certs aren't setup for that + .put(super.transportClientSettings().filter(s -> s.startsWith("xpack.security.transport.ssl") == false)) + .put("xpack.security.transport.ssl.enabled", true) + .put("xpack.security.transport.ssl.key", keyPath) + .put("xpack.security.transport.ssl.certificate", certPath) + .put("xpack.security.transport.ssl.certificate_authorities", certPath) + // disable hostname verificate since these certs aren't setup for that + .put("xpack.security.transport.ssl.verification_mode", "certificate") .build(); } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/SslIntegrationTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/SslIntegrationTests.java index c147c660b74a4..5f25213beefa1 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/SslIntegrationTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/SslIntegrationTests.java 
@@ -48,6 +48,7 @@ import javax.net.ssl.SSLHandshakeException; import javax.net.ssl.TrustManagerFactory; +import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForNodePEMFiles; import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForPEMFiles; import static org.hamcrest.CoreMatchers.is; import static org.hamcrest.Matchers.containsString; @@ -61,8 +62,9 @@ protected boolean addMockHttpTransport() { @Override protected Settings nodeSettings(int nodeOrdinal) { - return Settings.builder().put(super.nodeSettings(nodeOrdinal)) - .put("xpack.security.http.ssl.enabled", true).build(); + final Settings.Builder builder = Settings.builder().put(super.nodeSettings(nodeOrdinal)); + addSSLSettingsForNodePEMFiles(builder, "xpack.security.http.", randomBoolean()); + return builder.put("xpack.security.http.ssl.enabled", true).build(); } @Override @@ -82,7 +84,7 @@ public void testThatUnconfiguredCiphersAreRejected() throws Exception { .put(transportClientSettings()) .put("node.name", "programmatic_transport_client") .put("cluster.name", internalCluster().getClusterName()) - .putList("xpack.ssl.cipher_suites", unconfiguredCiphers) + .putList("xpack.security.transport.ssl.cipher_suites", unconfiguredCiphers) .build(), LocalStateSecurity.class)) { TransportAddress transportAddress = randomFrom(internalCluster().getInstance(Transport.class).boundAddress().boundAddresses()); @@ -101,7 +103,7 @@ public void testThatTransportClientUsingSSLv3ProtocolIsRejected() { .put(transportClientSettings()) .put("node.name", "programmatic_transport_client") .put("cluster.name", internalCluster().getClusterName()) - .putList("xpack.ssl.supported_protocols", new String[]{"SSLv3"}) + .putList("xpack.security.transport.ssl.supported_protocols", new String[]{"SSLv3"}) .build(), LocalStateSecurity.class)) { TransportAddress transportAddress = randomFrom(internalCluster().getInstance(Transport.class).boundAddress().boundAddresses()); 
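Review bot: In nodeSettings, `addSSLSettingsForNodePEMFiles(builder, "xpack.security.http.", randomBoolean())` passes an anonymous boolean, so someone reproducing a failing seed cannot tell from the call site what was randomized. Binding it first, named after the parameter it feeds (its definition in SecuritySettingsSource is outside this hunk), e.g. `final boolean hostnameVerification = randomBoolean();`, and passing that variable documents the intent at no cost. The other call sites in this patch pass a literal `true`, so the randomization here is presumably deliberate and deserves a one-line comment saying why.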
@@ -120,13 +122,14 @@ public void testThatConnectionToHTTPWorks() throws Exception { builder, "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.pem", "testclient", "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt", + "xpack.security.http.", Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt")); SSLService service = new SSLService(builder.build(), null); CredentialsProvider provider = new BasicCredentialsProvider(); provider.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials(nodeClientUsername(), new String(nodeClientPassword().getChars()))); - SSLConfiguration sslConfiguration = service.getSSLConfiguration("xpack.ssl"); + SSLConfiguration sslConfiguration = service.getSSLConfiguration("xpack.security.http.ssl"); try (CloseableHttpClient client = HttpClients.custom() .setSSLSocketFactory(new SSLConnectionSocketFactory(service.sslSocketFactory(sslConfiguration), SSLConnectionSocketFactory.getDefaultHostnameVerifier())) diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/SslMultiPortTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/SslMultiPortTests.java index d3ab5d092ab5b..a948fafb77a52 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/SslMultiPortTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/SslMultiPortTests.java @@ -24,6 +24,7 @@ import java.util.Collections; import static org.elasticsearch.test.SecuritySettingsSource.TEST_USER_NAME; +import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForNodePEMFiles; import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForPEMFiles; import static org.elasticsearch.test.SecuritySettingsSourceField.TEST_PASSWORD; import static org.hamcrest.CoreMatchers.is; 
@@ -61,17 +62,17 @@ protected Settings nodeSettings(int nodeOrdinal) { throw new RuntimeException(e); } - Settings settings = Settings.builder() - .put(super.nodeSettings(nodeOrdinal)) - // client set up here - .put("transport.profiles.client.port", randomClientPortRange) + Settings.Builder builder = Settings.builder().put(super.nodeSettings(nodeOrdinal)); + addSSLSettingsForNodePEMFiles(builder, "transport.profiles.client.xpack.security.", true); + builder.put("transport.profiles.client.port", randomClientPortRange) // make sure this is "localhost", no matter if ipv4 or ipv6, but be consistent .put("transport.profiles.client.bind_host", "localhost") - .put("transport.profiles.client.xpack.security.ssl.certificate_authorities", trustCert.toAbsolutePath()) - .put("transport.profiles.no_client_auth.port", randomNoClientAuthPortRange) + .put("transport.profiles.client.xpack.security.ssl.certificate_authorities", trustCert.toAbsolutePath()); + addSSLSettingsForNodePEMFiles(builder, "transport.profiles.no_client_auth.xpack.security.", true); + builder.put("transport.profiles.no_client_auth.port", randomNoClientAuthPortRange) .put("transport.profiles.no_client_auth.bind_host", "localhost") - .put("transport.profiles.no_client_auth.xpack.security.ssl.client_authentication", SSLClientAuth.NONE) - .build(); + .put("transport.profiles.no_client_auth.xpack.security.ssl.client_authentication", SSLClientAuth.NONE); + final Settings settings = builder.build(); logger.info("node {} settings:\n{}", nodeOrdinal, settings); return settings; } 
@@ -83,7 +84,7 @@ protected boolean transportSSLEnabled() { private TransportClient createTransportClient(Settings additionalSettings) { Settings settings = Settings.builder() - .put(transportClientSettings().filter(s -> s.startsWith("xpack.ssl") == false)) + .put(transportClientSettings().filter(s -> s.startsWith("xpack.security.transport.ssl") == false)) .put("node.name", "programmatic_transport_client") .put("cluster.name", internalCluster().getClusterName()) .put("xpack.security.transport.ssl.enabled", true) @@ -270,7 +271,7 @@ public void testThatTransportClientWithOnlyTruststoreCanConnectToNoClientAuthPro .put(SecurityField.USER_SETTING.getKey(), TEST_USER_NAME + ":" + TEST_PASSWORD) .put("cluster.name", internalCluster().getClusterName()) .put("xpack.security.transport.ssl.enabled", true) - .put("xpack.ssl.certificate_authorities", + .put("xpack.security.transport.ssl.certificate_authorities", getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt")) .build(); try (TransportClient transportClient = new TestXPackTransportClient(settings, @@ -290,8 +291,8 @@ public void testThatTransportClientWithOnlyTruststoreCannotConnectToClientProfil .put(SecurityField.USER_SETTING.getKey(), TEST_USER_NAME + ":" + TEST_PASSWORD) .put("cluster.name", internalCluster().getClusterName()) .put("xpack.security.transport.ssl.enabled", true) - .put("xpack.ssl.client_authentication", SSLClientAuth.REQUIRED) - .put("xpack.ssl.certificate_authorities", + .put("xpack.security.transport.ssl.client_authentication", SSLClientAuth.REQUIRED) + .put("xpack.security.transport.ssl.certificate_authorities", getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt")) .build(); try (TransportClient transportClient = new TestXPackTransportClient(settings, 
@@ -314,8 +315,8 @@ public void testThatTransportClientWithOnlyTruststoreCannotConnectToDefaultProfi .put(SecurityField.USER_SETTING.getKey(), TEST_USER_NAME + ":" + TEST_PASSWORD) .put("cluster.name", internalCluster().getClusterName()) .put("xpack.security.transport.ssl.enabled", true) - .put("xpack.ssl.client_authentication", SSLClientAuth.REQUIRED) - .put("xpack.ssl.certificate_authorities", + .put("xpack.security.transport.ssl.client_authentication", SSLClientAuth.REQUIRED) + .put("xpack.security.transport.ssl.certificate_authorities", getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt")) .build(); try (TransportClient transportClient = new TestXPackTransportClient(settings, @@ -337,7 +338,7 @@ public void testThatSSLTransportClientWithNoTruststoreCannotConnectToDefaultProf Settings settings = Settings.builder() .put(SecurityField.USER_SETTING.getKey(), TEST_USER_NAME + ":" + TEST_PASSWORD) .put("cluster.name", internalCluster().getClusterName()) - .put("xpack.ssl.client_authentication", SSLClientAuth.REQUIRED) + .put("xpack.security.transport.ssl.client_authentication", SSLClientAuth.REQUIRED) .put("xpack.security.transport.ssl.enabled", true) .build(); try (TransportClient transportClient = new TestXPackTransportClient(settings, @@ -359,7 +360,7 @@ public void testThatSSLTransportClientWithNoTruststoreCannotConnectToClientProfi Settings settings = Settings.builder() .put(SecurityField.USER_SETTING.getKey(), TEST_USER_NAME + ":" + TEST_PASSWORD) .put("cluster.name", internalCluster().getClusterName()) - .put("xpack.ssl.client_authentication", SSLClientAuth.REQUIRED) + .put("xpack.security.transport.ssl.client_authentication", SSLClientAuth.REQUIRED) .put("xpack.security.transport.ssl.enabled", true) .build(); try (TransportClient transportClient = new TestXPackTransportClient(settings, 
@@ -381,7 +382,7 @@ public void testThatSSLTransportClientWithNoTruststoreCannotConnectToNoClientAut Settings settings = Settings.builder() .put(SecurityField.USER_SETTING.getKey(), TEST_USER_NAME + ":" + TEST_PASSWORD) .put("cluster.name", internalCluster().getClusterName()) - .put("xpack.ssl.client_authentication", SSLClientAuth.REQUIRED) + .put("xpack.security.transport.ssl.client_authentication", SSLClientAuth.REQUIRED) .put("xpack.security.transport.ssl.enabled", true) .build(); try (TransportClient transportClient = new TestXPackTransportClient(settings, diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLClientAuthTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLClientAuthTests.java index 21da604374f7a..7075a677a26ce 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLClientAuthTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLClientAuthTests.java @@ -17,6 +17,7 @@ import org.elasticsearch.client.RestClient; import org.elasticsearch.client.transport.TransportClient; import org.elasticsearch.common.settings.MockSecureSettings; +import org.elasticsearch.common.settings.SecureString; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.transport.TransportAddress; import org.elasticsearch.test.SecurityIntegTestCase; 
@@ -31,14 +32,17 @@ import javax.net.ssl.KeyManager; import javax.net.ssl.SSLContext; import javax.net.ssl.TrustManager; - +import java.io.ByteArrayOutputStream; import java.io.IOException; +import java.io.InputStream; +import java.io.UncheckedIOException; import java.nio.file.Files; import java.nio.file.Path; import java.security.SecureRandom; import java.security.cert.CertPathBuilderException; import java.util.Arrays; import java.util.Collections; +import java.util.HashSet; import static org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue; import static org.hamcrest.Matchers.containsString; 
@@ -54,13 +58,41 @@ protected boolean addMockHttpTransport() { @Override protected Settings nodeSettings(int nodeOrdinal) { - return Settings.builder() - .put(super.nodeSettings(nodeOrdinal)) + Settings baseSettings = super.nodeSettings(nodeOrdinal); + + Settings.Builder builder = Settings.builder().put(baseSettings); + baseSettings.getByPrefix("xpack.security.transport.ssl.") + .keySet() + .forEach(k -> { + String httpKey = "xpack.security.http.ssl." + k; + String value = baseSettings.get("xpack.security.transport.ssl." + k); + if (value != null) { + builder.put(httpKey, baseSettings.get("xpack.security.transport.ssl." + k)); + } + }); + + MockSecureSettings secureSettings = (MockSecureSettings) builder.getSecureSettings(); + for (String key : new HashSet<>(secureSettings.getSettingNames())) { + SecureString value = secureSettings.getString(key); + if (value == null) { + try { + if (key.startsWith("xpack.security.transport.ssl.")) { + byte[] file = toByteArray(secureSettings.getFile(key)); + secureSettings.setFile(key.replace("xpack.security.transport.ssl.", "xpack.security.http.ssl."), file); + } + } catch (IOException e) { + throw new UncheckedIOException(e); + } + } else if (key.startsWith("xpack.security.transport.ssl.")) { + secureSettings.setString(key.replace("xpack.security.transport.ssl.", "xpack.security.http.ssl."), value.toString()); + } + } + + return builder // invert the require auth settings - .put("xpack.ssl.client_authentication", SSLClientAuth.REQUIRED) + .put("xpack.security.transport.ssl.client_authentication", SSLClientAuth.NONE) .put("xpack.security.http.ssl.enabled", true) .put("xpack.security.http.ssl.client_authentication", SSLClientAuth.REQUIRED) - .put("transport.profiles.default.xpack.security.ssl.client_authentication", SSLClientAuth.NONE) .build(); } 
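Review bot: The forEach that mirrors `xpack.security.transport.ssl.*` into `xpack.security.http.ssl.*` copies each value through `baseSettings.get(...)`, which yields a single String, so a list-valued key under the transport prefix (for example `certificate_authorities` written with `putList`, as other tests in this patch do) would land under the http prefix as its `toString()` form. If `Settings.Builder.copy(String, String, Settings)` exists in this tree, `builder.copy("xpack.security.http.ssl." + k, "xpack.security.transport.ssl." + k, baseSettings)` keeps the value type and also drops the second `baseSettings.get(...)` that repeats the `value` just fetched. Whether the base settings actually hold a list here is decided in SecuritySettingsSource, outside this hunk, so this may be latent rather than failing today. Separately, the `InputStream` returned by `secureSettings.getFile(key)` is never closed; a try-with-resources around the `toByteArray` call costs one line. The unchecked cast `(MockSecureSettings) builder.getSecureSettings()` also assumes the parent always installed secure settings, which a short comment should state.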
@@ -109,13 +141,13 @@ public void testThatTransportWorksWithoutSslClientAuth() throws IOException { } MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.secure_key_passphrase", "testclient-client-profile"); + secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testclient-client-profile"); Settings settings = Settings.builder() .put("xpack.security.transport.ssl.enabled", true) - .put("xpack.ssl.client_authentication", SSLClientAuth.NONE) - .put("xpack.ssl.key", keyPath) - .put("xpack.ssl.certificate", certPath) - .put("xpack.ssl.certificate_authorities", nodeCertPath) + .put("xpack.security.transport.ssl.client_authentication", SSLClientAuth.NONE) + .put("xpack.security.transport.ssl.key", keyPath) + .put("xpack.security.transport.ssl.certificate", certPath) + .put("xpack.security.transport.ssl.certificate_authorities", nodeCertPath) .setSecureSettings(secureSettings) .put("cluster.name", internalCluster().getClusterName()) .put(SecurityField.USER_SETTING.getKey(), transportClientUsername() + ":" + new String(transportClientPassword().getChars())) @@ -145,4 +177,15 @@ private SSLContext getSSLContext() { throw new ElasticsearchException("failed to initialize SSLContext", e); } } + + private byte[] toByteArray(InputStream is) throws IOException { + ByteArrayOutputStream baos = new ByteArrayOutputStream(); + byte[] internalBuffer = new byte[1024]; + int read = is.read(internalBuffer); + while (read != -1) { + baos.write(internalBuffer, 0, read); + read = is.read(internalBuffer); + } + return baos.toByteArray(); + } } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLReloadIntegTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLReloadIntegTests.java index 2928353269823..dd6985889d7ee 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLReloadIntegTests.java 
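Review bot: `toByteArray` hand-rolls a drain loop and leaves closing the stream to the caller, which nothing in this file does. If the build targets Java 9 or later, `InputStream.readAllBytes()` does the same in one call and the helper can be dropped, with the call site becoming `try (InputStream in = secureSettings.getFile(key)) { secureSettings.setFile(httpKey, in.readAllBytes()); }`. If an older target is required, at least document the ownership on the helper: `/** Drains {@code is} fully; the caller is responsible for closing it. */`.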
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLReloadIntegTests.java @@ -72,16 +72,16 @@ public Settings nodeSettings(int nodeOrdinal) { Settings settings = super.nodeSettings(nodeOrdinal); Settings.Builder builder = Settings.builder() - .put(settings.filter((s) -> s.startsWith("xpack.ssl.") == false)); - + .put(settings.filter((s) -> s.startsWith("xpack.security.transport.ssl.") == false)); builder.put("path.home", createTempDir()) - .put("xpack.ssl.key", nodeKeyPath) - .put("xpack.ssl.key_passphrase", "testnode") - .put("xpack.ssl.certificate", nodeCertPath) - .putList("xpack.ssl.certificate_authorities", Arrays.asList(nodeCertPath.toString(), clientCertPath.toString(), - updateableCertPath.toString())) + .put("xpack.security.transport.ssl.key", nodeKeyPath) + .put("xpack.security.transport.ssl.key_passphrase", "testnode") + .put("xpack.security.transport.ssl.certificate", nodeCertPath) + .putList("xpack.security.transport.ssl.certificate_authorities", + Arrays.asList(nodeCertPath.toString(), clientCertPath.toString(), updateableCertPath.toString())) .put("resource.reload.interval.high", "1s"); + builder.put("xpack.security.transport.ssl.enabled", true); return builder.build(); } 
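Review bot: This hunk configures the node key with the plain `xpack.security.transport.ssl.key_passphrase` setting, while the next hunk of the same file (and the hostname-verification and Netty tests in this patch) supply the same passphrase through `MockSecureSettings` as `xpack.security.transport.ssl.secure_key_passphrase`. Since the patch is explicitly about making SSL configuration unambiguous, the node settings should use the secure form too, e.g. `SecuritySettingsSource.addSecureSettings(builder, s -> s.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"))`, the same helper SslHostnameVerificationTests uses. If the plain setting is deprecated in this tree, the current form also emits a deprecation warning on every node start in this suite.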
@@ -96,18 +96,18 @@ public void testThatSSLConfigurationReloadsOnModification() throws Exception { Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_updated.pem"), keyPath); Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_updated.crt"), certPath); MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode"); + secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); Settings settings = Settings.builder() .put("path.home", createTempDir()) - .put("xpack.ssl.key", keyPath) - .put("xpack.ssl.certificate", certPath) - .putList("xpack.ssl.certificate_authorities", Arrays.asList(nodeCertPath.toString(), clientCertPath.toString(), - updateableCertPath.toString())) + .put("xpack.security.transport.ssl.key", keyPath) + .put("xpack.security.transport.ssl.certificate", certPath) + .putList("xpack.security.transport.ssl.certificate_authorities", + Arrays.asList(nodeCertPath.toString(), clientCertPath.toString(), updateableCertPath.toString())) .setSecureSettings(secureSettings) .build(); String node = randomFrom(internalCluster().getNodeNames()); SSLService sslService = new SSLService(settings, TestEnvironment.newEnvironment(settings)); - SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.ssl"); + SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.security.transport.ssl"); SSLSocketFactory sslSocketFactory = sslService.sslSocketFactory(sslConfiguration); TransportAddress address = internalCluster() .getInstance(Transport.class, node).boundAddress().publishAddress(); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLTrustRestrictionsTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLTrustRestrictionsTests.java index f513d70e881ae..a89b8fcdd6981 100644 
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLTrustRestrictionsTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLTrustRestrictionsTests.java @@ -102,9 +102,9 @@ public static void setupCertificates() throws Exception { nodeSSL = Settings.builder() .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.verification_mode", "certificate") - .putList("xpack.ssl.certificate_authorities", ca.getCertPath().toString()) - .put("xpack.ssl.key", trustedCert.getKeyPath()) - .put("xpack.ssl.certificate", trustedCert.getCertPath()) + .putList("xpack.security.transport.ssl.certificate_authorities", ca.getCertPath().toString()) + .put("xpack.security.transport.ssl.key", trustedCert.getKeyPath()) + .put("xpack.security.transport.ssl.certificate", trustedCert.getCertPath()) .build(); } @@ -122,14 +122,14 @@ public Settings nodeSettings(int nodeOrdinal) { Settings parentSettings = super.nodeSettings(nodeOrdinal); Settings.Builder builder = Settings.builder() - .put(parentSettings.filter((s) -> s.startsWith("xpack.ssl.") == false)) + .put(parentSettings.filter((s) -> s.startsWith("xpack.security.transport.ssl.") == false)) .put(nodeSSL); restrictionsPath = configPath.resolve("trust_restrictions.yml"); restrictionsTmpPath = configPath.resolve("trust_restrictions.tmp"); writeRestrictions("*.trusted"); - builder.put("xpack.ssl.trust_restrictions.path", restrictionsPath); + builder.put("xpack.security.transport.ssl.trust_restrictions.path", restrictionsPath); return builder.build(); } 
@@ -152,7 +152,7 @@ private void writeRestrictions(String trustedPattern) { protected Settings transportClientSettings() { Settings parentSettings = super.transportClientSettings(); Settings.Builder builder = Settings.builder() - .put(parentSettings.filter((s) -> s.startsWith("xpack.ssl.") == false)) + .put(parentSettings.filter((s) -> s.startsWith("xpack.security.transport.ssl.") == false)) .put(nodeSSL); return builder.build(); } @@ -224,15 +224,15 @@ private void runResourceWatcher() { private void tryConnect(CertificateInfo certificate) throws Exception { Settings settings = Settings.builder() .put("path.home", createTempDir()) - .put("xpack.ssl.key", certificate.getKeyPath()) - .put("xpack.ssl.certificate", certificate.getCertPath()) - .putList("xpack.ssl.certificate_authorities", ca.getCertPath().toString()) - .put("xpack.ssl.verification_mode", "certificate") + .put("xpack.security.transport.ssl.key", certificate.getKeyPath()) + .put("xpack.security.transport.ssl.certificate", certificate.getCertPath()) + .putList("xpack.security.transport.ssl.certificate_authorities", ca.getCertPath().toString()) + .put("xpack.security.transport.ssl.verification_mode", "certificate") .build(); String node = randomFrom(internalCluster().getNodeNames()); SSLService sslService = new SSLService(settings, TestEnvironment.newEnvironment(settings)); - SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.ssl"); + SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.security.transport.ssl"); SSLSocketFactory sslSocketFactory = sslService.sslSocketFactory(sslConfiguration); TransportAddress address = internalCluster().getInstance(Transport.class, node).boundAddress().publishAddress(); try (SSLSocket socket = (SSLSocket) sslSocketFactory.createSocket(address.getAddress(), address.getPort())) { 
diff --git a/x-pack/plugin/sql/qa/security/with-ssl/build.gradle b/x-pack/plugin/sql/qa/security/with-ssl/build.gradle index cfc04f97188a4..483ba513b5fa1 100644 --- a/x-pack/plugin/sql/qa/security/with-ssl/build.gradle +++ b/x-pack/plugin/sql/qa/security/with-ssl/build.gradle @@ -151,8 +151,10 @@ integTestCluster { setting 'xpack.security.transport.ssl.enabled', 'true' // ceremony to set up ssl - setting 'xpack.ssl.keystore.path', 'test-node.jks' - keystoreSetting 'xpack.ssl.keystore.secure_password', 'keypass' + setting 'xpack.security.transport.ssl.keystore.path', 'test-node.jks' + keystoreSetting 'xpack.security.transport.ssl.keystore.secure_password', 'keypass' + setting 'xpack.security.http.ssl.keystore.path', 'test-node.jks' + keystoreSetting 'xpack.security.http.ssl.keystore.secure_password', 'keypass' setting 'xpack.license.self_generated.type', 'trial' diff --git a/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpClientTests.java b/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpClientTests.java index 88225efba466a..6bb607d6805a3 100644 --- a/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpClientTests.java +++ b/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpClientTests.java @@ -81,7 +81,7 @@ public void init() throws Exception { } @After - public void shutdown() throws Exception { + public void shutdown() throws IOException { webServer.close(); httpClient.close(); } 
@@ -179,30 +179,22 @@ public void testHttps() throws Exception { Path certPath = getDataPath("/org/elasticsearch/xpack/security/keystore/testnode.crt"); Path keyPath = getDataPath("/org/elasticsearch/xpack/security/keystore/testnode.pem"); MockSecureSettings secureSettings = new MockSecureSettings(); - Settings settings; - if (randomBoolean()) { - settings = Settings.builder() - .put("xpack.http.ssl.certificate_authorities", trustedCertPath) - .setSecureSettings(secureSettings) - .build(); - } else { - settings = Settings.builder() - .put("xpack.ssl.certificate_authorities", trustedCertPath) - .setSecureSettings(secureSettings) - .build(); - } + Settings settings = Settings.builder() + .put("xpack.http.ssl.certificate_authorities", trustedCertPath) + .setSecureSettings(secureSettings) + .build(); try (HttpClient client = new HttpClient(settings, new SSLService(settings, environment), null, mockClusterService())) { secureSettings = new MockSecureSettings(); // We can't use the client created above for the server since it is only a truststore - secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode"); + secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode"); Settings settings2 = Settings.builder() - .put("xpack.ssl.key", keyPath) - .put("xpack.ssl.certificate", certPath) + .put("xpack.security.http.ssl.key", keyPath) + .put("xpack.security.http.ssl.certificate", certPath) .setSecureSettings(secureSettings) .build(); TestsSSLService sslService = new TestsSSLService(settings2, environment); - testSslMockWebserver(client, sslService.sslContext(), false); + testSslMockWebserver(client, sslService.sslContext("xpack.security.http.ssl"), false); } } 
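Review bot: The server-side keys in testHttps (`xpack.security.http.ssl.key`, `xpack.security.http.ssl.certificate`, `xpack.security.http.ssl.secure_key_passphrase`, and `sslService.sslContext("xpack.security.http.ssl")`) use a different prefix from the server-side keys in testHttpsClientAuth and testProxyCanHaveDifferentSchemeThanRequest later in this file, which use `xpack.http.ssl.*`; testHttpsDisableHostnameVerification follows the first form. Both prefixes presumably name a context TestsSSLService can build, but mixing them in one class makes a reader check that each one is recognised, and the proxy test additionally switches to the `Settings` overload via `serverSettings.getByPrefix("xpack.http.ssl.")` while the others pass a String. Since this class exercises the watcher HttpClient, the `xpack.http.ssl` prefix and the String overload already used in testHttpsClientAuth look like the natural common choice, e.g. `secureSettings.setString("xpack.http.ssl.secure_key_passphrase", "testnode");` and `testSslMockWebserver(client, sslService.sslContext("xpack.http.ssl"), false);`.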
@@ -210,40 +202,27 @@ public void testHttpsDisableHostnameVerification() throws Exception { Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-no-subjaltname.crt"); Path keyPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-no-subjaltname.pem"); Settings settings; - if (randomBoolean()) { - MockSecureSettings secureSettings = new MockSecureSettings(); - Settings.Builder builder = Settings.builder() - .put("xpack.http.ssl.certificate_authorities", certPath); - if (inFipsJvm()) { - //Can't use TrustAllConfig in FIPS mode - builder.put("xpack.http.ssl.verification_mode", VerificationMode.CERTIFICATE); - } else { - builder.put("xpack.http.ssl.verification_mode", randomFrom(VerificationMode.NONE, VerificationMode.CERTIFICATE)); - } - settings = builder.build(); + Settings.Builder builder = Settings.builder() + .put("xpack.http.ssl.certificate_authorities", certPath); + if (inFipsJvm()) { + //Can't use TrustAllConfig in FIPS mode + builder.put("xpack.http.ssl.verification_mode", VerificationMode.CERTIFICATE); } else { - Settings.Builder builder = Settings.builder() - .put("xpack.ssl.certificate_authorities", certPath); - if (inFipsJvm()) { - //Can't use TrustAllConfig in FIPS mode - builder.put("xpack.ssl.verification_mode", VerificationMode.CERTIFICATE); - } else { - builder.put("xpack.ssl.verification_mode", randomFrom(VerificationMode.NONE, VerificationMode.CERTIFICATE)); - } - settings = builder.build(); + builder.put("xpack.http.ssl.verification_mode", randomFrom(VerificationMode.NONE, VerificationMode.CERTIFICATE)); } + settings = builder.build(); try (HttpClient client = new HttpClient(settings, new SSLService(settings, environment), null, mockClusterService())) { MockSecureSettings secureSettings = new MockSecureSettings(); // We can't use the client created above for the server since it only defines a truststore - secureSettings.setString("xpack.ssl.secure_key_passphrase", 
"testnode-no-subjaltname"); + secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode-no-subjaltname"); Settings settings2 = Settings.builder() - .put("xpack.ssl.key", keyPath) - .put("xpack.ssl.certificate", certPath) + .put("xpack.security.http.ssl.key", keyPath) + .put("xpack.security.http.ssl.certificate", certPath) .setSecureSettings(secureSettings) .build(); TestsSSLService sslService = new TestsSSLService(settings2, environment); - testSslMockWebserver(client, sslService.sslContext(), false); + testSslMockWebserver(client, sslService.sslContext("xpack.security.http.ssl"), false); } } @@ -251,16 +230,16 @@ public void testHttpsClientAuth() throws Exception { Path certPath = getDataPath("/org/elasticsearch/xpack/security/keystore/testnode.crt"); Path keyPath = getDataPath("/org/elasticsearch/xpack/security/keystore/testnode.pem"); MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode"); + secureSettings.setString("xpack.http.ssl.secure_key_passphrase", "testnode"); Settings settings = Settings.builder() - .put("xpack.ssl.key", keyPath) - .put("xpack.ssl.certificate", certPath) + .put("xpack.http.ssl.key", keyPath) + .put("xpack.http.ssl.certificate", certPath) .setSecureSettings(secureSettings) .build(); TestsSSLService sslService = new TestsSSLService(settings, environment); try (HttpClient client = new HttpClient(settings, sslService, null, mockClusterService())) { - testSslMockWebserver(client, sslService.sslContext(), true); + testSslMockWebserver(client, sslService.sslContext("xpack.http.ssl"), true); } } 
@@ -387,19 +366,18 @@ public void testProxyCanHaveDifferentSchemeThanRequest() throws Exception { // on top of that the proxy request is HTTPS but the real request is HTTP only MockSecureSettings serverSecureSettings = new MockSecureSettings(); // We can't use the client created above for the server since it is only a truststore - serverSecureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode"); + serverSecureSettings.setString("xpack.http.ssl.secure_key_passphrase", "testnode"); Settings serverSettings = Settings.builder() - .put("xpack.ssl.key", keyPath) - .put("xpack.ssl.certificate", certPath) + .put("xpack.http.ssl.key", keyPath) + .put("xpack.http.ssl.certificate", certPath) .setSecureSettings(serverSecureSettings) .build(); TestsSSLService sslService = new TestsSSLService(serverSettings, environment); - try (MockWebServer proxyServer = new MockWebServer(sslService.sslContext(), false)) { + try (MockWebServer proxyServer = new MockWebServer(sslService.sslContext(serverSettings.getByPrefix("xpack.http.ssl.")), false)) { proxyServer.enqueue(new MockResponse().setResponseCode(200).setBody("fullProxiedContent")); proxyServer.start(); - MockSecureSettings secureSettings = new MockSecureSettings(); Settings settings = Settings.builder() .put(HttpSettings.PROXY_HOST.getKey(), "localhost") .put(HttpSettings.PROXY_PORT.getKey(), proxyServer.getPort()) diff --git a/x-pack/qa/full-cluster-restart/build.gradle b/x-pack/qa/full-cluster-restart/build.gradle index 716289359faa2..fe7d4e9974cb7 100644 --- a/x-pack/qa/full-cluster-restart/build.gradle +++ b/x-pack/qa/full-cluster-restart/build.gradle 
@@ -172,8 +172,8 @@ subprojects { setting 'xpack.security.enabled', 'true' setting 'xpack.security.transport.ssl.enabled', 'true' - setting 'xpack.ssl.keystore.path', 'testnode.jks' - setting 'xpack.ssl.keystore.password', 'testnode' + setting 'xpack.security.transport.ssl.keystore.path', 'testnode.jks' + setting 'xpack.security.transport.ssl.keystore.password', 'testnode' setting 'xpack.license.self_generated.type', 'trial' dependsOn copyTestNodeKeystore extraConfigFile 'testnode.jks', new File(outputDir + '/testnode.jks') @@ -217,8 +217,8 @@ subprojects { // some tests rely on the translog not being flushed setting 'indices.memory.shard_inactive_time', '20m' setting 'xpack.security.enabled', 'true' - setting 'xpack.ssl.keystore.path', 'testnode.jks' - keystoreSetting 'xpack.ssl.keystore.secure_password', 'testnode' + setting 'xpack.security.transport.ssl.keystore.path', 'testnode.jks' + keystoreSetting 'xpack.security.transport.ssl.keystore.secure_password', 'testnode' setting 'xpack.license.self_generated.type', 'trial' dependsOn copyTestNodeKeystore extraConfigFile 'testnode.jks', new File(outputDir + '/testnode.jks') diff --git a/x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/test/OpenLdapTests.java b/x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/test/OpenLdapTests.java index 9abac404cea14..bb88103048a40 100644 --- a/x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/test/OpenLdapTests.java +++ b/x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/test/OpenLdapTests.java 
@@ -61,13 +61,12 @@ public class OpenLdapTests extends ESTestCase { private static final SecureString PASSWORD_SECURE_STRING = new SecureString(PASSWORD.toCharArray()); public static final String REALM_NAME = "oldap-test"; - private boolean useGlobalSSL; private SSLService sslService; private ThreadPool threadPool; private Settings globalSettings; @Before - public void init() throws Exception { + public void init() { threadPool = new TestThreadPool("OpenLdapTests thread pool"); } 
@@ -89,32 +88,19 @@ public void initializeSslSocketFactory() throws Exception { * If we re-use a SSLContext, previously connected sessions can get re-established which breaks hostname * verification tests since a re-established connection does not perform hostname verification. */ - useGlobalSSL = randomBoolean(); MockSecureSettings mockSecureSettings = new MockSecureSettings(); Settings.Builder builder = Settings.builder().put("path.home", createTempDir()); - if (useGlobalSSL) { - builder.put("xpack.ssl.truststore.path", truststore); - mockSecureSettings.setString("xpack.ssl.truststore.secure_password", "changeit"); - - // configure realm to load config with certificate verification mode - builder.put("xpack.security.authc.realms.ldap." + REALM_NAME + ".ssl.truststore.path", truststore); - mockSecureSettings.setString("xpack.security.authc.realms.ldap." + REALM_NAME + ".ssl.truststore.secure_password", "changeit"); - builder.put("xpack.security.authc.realms.ldap." + REALM_NAME + ".ssl.verification_mode", VerificationMode.CERTIFICATE); - } else { - // fake realms so ssl will get loaded - builder.put("xpack.security.authc.realms.ldap.foo.ssl.truststore.path", truststore); - mockSecureSettings.setString("xpack.security.authc.realms.ldap.foo.ssl.truststore.secure_password", "changeit"); - builder.put("xpack.security.authc.realms.ldap.foo.ssl.verification_mode", VerificationMode.FULL); - builder.put("xpack.security.authc.realms.ldap." + REALM_NAME + ".ssl.truststore.path", truststore); - mockSecureSettings.setString("xpack.security.authc.realms.ldap." + REALM_NAME + ".ssl.truststore.secure_password", "changeit"); - builder.put("xpack.security.authc.realms.ldap." 
+ REALM_NAME + ".ssl.verification_mode", VerificationMode.CERTIFICATE); - - // If not using global ssl, need to set the truststore for the "full verification" realm - builder.put("xpack.security.authc.realms.ldap.vmode_full.ssl.truststore.path", truststore); - mockSecureSettings.setString("xpack.security.authc.realms.ldap.vmode_full.ssl.truststore.secure_password", "changeit"); - } + // fake realms so ssl will get loaded + builder.put("xpack.security.authc.realms.ldap.foo.ssl.truststore.path", truststore); + mockSecureSettings.setString("xpack.security.authc.realms.ldap.foo.ssl.truststore.secure_password", "changeit"); + builder.put("xpack.security.authc.realms.ldap.foo.ssl.verification_mode", VerificationMode.FULL); + builder.put("xpack.security.authc.realms.ldap." + REALM_NAME + ".ssl.truststore.path", truststore); + mockSecureSettings.setString("xpack.security.authc.realms.ldap." + REALM_NAME + ".ssl.truststore.secure_password", "changeit"); + builder.put("xpack.security.authc.realms.ldap." + REALM_NAME + ".ssl.verification_mode", VerificationMode.CERTIFICATE); + + builder.put("xpack.security.authc.realms.ldap.vmode_full.ssl.truststore.path", truststore); + mockSecureSettings.setString("xpack.security.authc.realms.ldap.vmode_full.ssl.truststore.secure_password", "changeit"); builder.put("xpack.security.authc.realms.ldap.vmode_full.ssl.verification_mode", VerificationMode.FULL); - globalSettings = builder.setSecureSettings(mockSecureSettings).build(); Environment environment = TestEnvironment.newEnvironment(globalSettings); sslService = new SSLService(globalSettings, environment); 
@@ -290,11 +276,8 @@ private Settings buildLdapSettings(RealmConfig.RealmIdentifier realmId, String l final String[] urls = {ldapUrl}; final String[] templates = {userTemplate}; Settings.Builder builder = Settings.builder() - .put(LdapTestCase.buildLdapSettings(realmId, urls, templates, groupSearchBase, scope, null, false)); + .put(LdapTestCase.buildLdapSettings(realmId, urls, templates, groupSearchBase, scope, null, false)); builder.put(getFullSettingKey(realmId.getName(), SearchGroupsResolverSettings.USER_ATTRIBUTE), "uid"); - if (useGlobalSSL) { - return builder.build(); - } return builder .put(getFullSettingKey(realmId, SSLConfigurationSettings.TRUST_STORE_PATH_REALM), getDataPath(LDAPTRUST_PATH)) .put(getFullSettingKey(realmId, SSLConfigurationSettings.LEGACY_TRUST_STORE_PASSWORD_REALM), "changeit") diff --git a/x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/xpack/security/authc/ldap/OpenLdapUserSearchSessionFactoryTests.java b/x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/xpack/security/authc/ldap/OpenLdapUserSearchSessionFactoryTests.java index 5030fdecadf64..ae73c140d9eef 100644 --- a/x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/xpack/security/authc/ldap/OpenLdapUserSearchSessionFactoryTests.java +++ b/x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/xpack/security/authc/ldap/OpenLdapUserSearchSessionFactoryTests.java @@ -60,13 +60,13 @@ public void init() throws Exception { */ globalSettings = Settings.builder() .put("path.home", createTempDir()) - .put("xpack.ssl.certificate_authorities", caPath) + .put("xpack.security.authc.realms.ldap.ssl.certificate_authorities", caPath) .build(); threadPool = new TestThreadPool("LdapUserSearchSessionFactoryTests"); } @After - public void shutdown() throws InterruptedException { + public void shutdown() { terminate(threadPool); } diff --git a/x-pack/qa/rolling-upgrade/build.gradle b/x-pack/qa/rolling-upgrade/build.gradle index 0636f943c6d32..d154a1e248633 100644 
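Review bot: The new key `xpack.security.authc.realms.ldap.ssl.certificate_authorities` in OpenLdapUserSearchSessionFactoryTests appears to be missing the realm-name segment: realm SSL settings elsewhere in this patch take the form `xpack.security.authc.realms.<type>.<name>.ssl.*` (compare `xpack.security.authc.realms.active_directory.ad.ssl.certificate_authorities` in ADLdapUserSearchSessionFactoryTests), so this entry would likely be read as a setting of a realm named `ssl` rather than as trust material for the realm under test. If that realm receives its own `ssl.certificate_authorities` from settings built outside this hunk, the key is merely inert; otherwise the session factory will run without the CA path the test intends to provide. Suggested form, with the realm name this test uses in place of the placeholder: `.put("xpack.security.authc.realms.ldap.<REALM_NAME>.ssl.certificate_authorities", caPath)`.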
--- a/x-pack/qa/rolling-upgrade/build.gradle +++ b/x-pack/qa/rolling-upgrade/build.gradle @@ -157,8 +157,8 @@ subprojects { setting 'xpack.security.authc.token.enabled', 'true' setting 'xpack.security.audit.enabled', 'true' setting 'xpack.security.audit.outputs', 'index' - setting 'xpack.ssl.keystore.path', 'testnode.jks' - setting 'xpack.ssl.keystore.password', 'testnode' + setting 'xpack.security.transport.ssl.keystore.path', 'testnode.jks' + setting 'xpack.security.transport.ssl.keystore.password', 'testnode' dependsOn copyTestNodeKeystore extraConfigFile 'testnode.jks', new File(outputDir + '/testnode.jks') if (version.onOrAfter('7.0.0')) { @@ -226,8 +226,8 @@ subprojects { setting 'xpack.license.self_generated.type', 'trial' setting 'xpack.security.enabled', 'true' setting 'xpack.security.transport.ssl.enabled', 'true' - setting 'xpack.ssl.keystore.path', 'testnode.jks' - keystoreSetting 'xpack.ssl.keystore.secure_password', 'testnode' + setting 'xpack.security.transport.ssl.keystore.path', 'testnode.jks' + keystoreSetting 'xpack.security.transport.ssl.keystore.secure_password', 'testnode' setting 'node.attr.upgraded', 'true' setting 'xpack.security.authc.token.enabled', 'true' setting 'xpack.security.audit.enabled', 'true' diff --git a/x-pack/qa/smoke-test-plugins-ssl/build.gradle b/x-pack/qa/smoke-test-plugins-ssl/build.gradle index 5d1bccd10a6fe..5721815f07856 100644 --- a/x-pack/qa/smoke-test-plugins-ssl/build.gradle +++ b/x-pack/qa/smoke-test-plugins-ssl/build.gradle 
@@ -57,16 +57,17 @@ integTestCluster { setting 'xpack.monitoring.collection.interval', '1s' setting 'xpack.monitoring.exporters._http.type', 'http' setting 'xpack.monitoring.exporters._http.enabled', 'false' - setting 'xpack.ssl.certificate_authorities', 'testnode.crt' setting 'xpack.monitoring.exporters._http.auth.username', 'monitoring_agent' setting 'xpack.monitoring.exporters._http.auth.password', 'x-pack-test-password' setting 'xpack.monitoring.exporters._http.ssl.verification_mode', 'full' + setting 'xpack.monitoring.exporters._http.ssl.certificate_authorities', 'testnode.crt' setting 'xpack.license.self_generated.type', 'trial' setting 'xpack.security.enabled', 'true' setting 'xpack.security.http.ssl.enabled', 'true' setting 'xpack.security.http.ssl.key', 'testnode.pem' setting 'xpack.security.http.ssl.certificate', 'testnode.crt' + setting 'xpack.security.http.ssl.certificate_authorities', 'testnode.crt' keystoreSetting 'xpack.security.http.ssl.secure_key_passphrase', 'testnode' setting 'xpack.ilm.enabled', 'false' diff --git a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ADLdapUserSearchSessionFactoryTests.java b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ADLdapUserSearchSessionFactoryTests.java index 63a0acb1b03e0..85d4955cc7f87 100644 --- a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ADLdapUserSearchSessionFactoryTests.java +++ b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ADLdapUserSearchSessionFactoryTests.java 
@@ -7,7 +7,6 @@ import org.elasticsearch.action.support.PlainActionFuture; import org.elasticsearch.common.Strings; -import org.elasticsearch.common.settings.MockSecureSettings; import org.elasticsearch.common.settings.SecureString; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.util.concurrent.ThreadContext; @@ -50,23 +49,17 @@ public void init() throws Exception { globalSettings = Settings.builder() .put("path.home", createTempDir()) - .put("xpack.ssl.certificate_authorities", certPath) + .put("xpack.security.authc.realms.active_directory.ad.ssl.certificate_authorities", certPath) .build(); sslService = new SSLService(globalSettings, env); threadPool = new TestThreadPool("ADLdapUserSearchSessionFactoryTests"); } @After - public void shutdown() throws InterruptedException { + public void shutdown() { terminate(threadPool); } - private MockSecureSettings newSecureSettings(String key, String value) { - MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString(key, value); - return secureSettings; - } - @AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/issues/35738") public void testUserSearchWithActiveDirectory() throws Exception { String groupSearchBase = "DC=ad,DC=test,DC=elasticsearch,DC=com"; diff --git a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/AbstractActiveDirectoryTestCase.java b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/AbstractActiveDirectoryTestCase.java index 5c4df3eedb812..faf225668e198 100644 --- a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/AbstractActiveDirectoryTestCase.java +++ b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/AbstractActiveDirectoryTestCase.java 
@@ -58,12 +58,10 @@ public abstract class AbstractActiveDirectoryTestCase extends ESTestCase { protected SSLService sslService; protected Settings globalSettings; - protected boolean useGlobalSSL; protected List certificatePaths; @Before public void initializeSslSocketFactory() throws Exception { - useGlobalSSL = randomBoolean(); // We use certificates in PEM format and `ssl.certificate_authorities` instead of ssl.trustore // so that these tests can also run in a FIPS JVM where JKS keystores can't be used. certificatePaths = new ArrayList<>(); 
@@ -84,19 +82,12 @@ public FileVisitResult visitFile(Path file, BasicFileAttributes attrs) throws IO * verification tests since a re-established connection does not perform hostname verification. */ Settings.Builder builder = Settings.builder().put("path.home", createTempDir()); - if (useGlobalSSL) { - builder.putList("xpack.ssl.certificate_authorities", certificatePaths); - // fake realm to load config with certificate verification mode - builder.putList("xpack.security.authc.realms.bar.ssl.certificate_authorities", certificatePaths); - builder.put("xpack.security.authc.realms.bar.ssl.verification_mode", VerificationMode.CERTIFICATE); - } else { - // fake realms so ssl will get loaded - builder.putList("xpack.security.authc.realms.foo.ssl.certificate_authorities", certificatePaths); - builder.put("xpack.security.authc.realms.foo.ssl.verification_mode", VerificationMode.FULL); - builder.putList("xpack.security.authc.realms.bar.ssl.certificate_authorities", certificatePaths); - builder.put("xpack.security.authc.realms.bar.ssl.verification_mode", VerificationMode.CERTIFICATE); - } + // fake realms so ssl will get loaded + builder.putList("xpack.security.authc.realms.foo.ssl.certificate_authorities", certificatePaths); + builder.put("xpack.security.authc.realms.foo.ssl.verification_mode", VerificationMode.FULL); + builder.putList("xpack.security.authc.realms.bar.ssl.certificate_authorities", certificatePaths); + builder.put("xpack.security.authc.realms.bar.ssl.verification_mode", VerificationMode.CERTIFICATE); globalSettings = builder.build(); Environment environment = TestEnvironment.newEnvironment(globalSettings); sslService = new SSLService(globalSettings, environment); 
@@ -106,24 +97,22 @@ Settings buildAdSettings(RealmConfig.RealmIdentifier realmId, String ldapUrl, St LdapSearchScope scope, boolean hostnameVerification) { final String realmName = realmId.getName(); Settings.Builder builder = Settings.builder() - .putList(getFullSettingKey(realmId, SessionFactorySettings.URLS_SETTING), ldapUrl) - .put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_DOMAIN_NAME_SETTING), adDomainName) - .put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_USER_SEARCH_BASEDN_SETTING), userSearchDN) - .put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_USER_SEARCH_SCOPE_SETTING), scope) - .put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_LDAP_PORT_SETTING), AD_LDAP_PORT) - .put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_LDAPS_PORT_SETTING), AD_LDAPS_PORT) - .put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_GC_LDAP_PORT_SETTING), AD_GC_LDAP_PORT) - .put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_GC_LDAPS_PORT_SETTING), AD_GC_LDAPS_PORT) - .put(getFullSettingKey(realmId, SessionFactorySettings.FOLLOW_REFERRALS_SETTING), FOLLOW_REFERRALS); + .putList(getFullSettingKey(realmId, SessionFactorySettings.URLS_SETTING), ldapUrl) + .put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_DOMAIN_NAME_SETTING), adDomainName) + .put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_USER_SEARCH_BASEDN_SETTING), userSearchDN) + .put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_USER_SEARCH_SCOPE_SETTING), scope) + .put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_LDAP_PORT_SETTING), AD_LDAP_PORT) + .put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_LDAPS_PORT_SETTING), AD_LDAPS_PORT) + .put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_GC_LDAP_PORT_SETTING), 
AD_GC_LDAP_PORT) + .put(getFullSettingKey(realmName, ActiveDirectorySessionFactorySettings.AD_GC_LDAPS_PORT_SETTING), AD_GC_LDAPS_PORT) + .put(getFullSettingKey(realmId, SessionFactorySettings.FOLLOW_REFERRALS_SETTING), FOLLOW_REFERRALS) + .putList(getFullSettingKey(realmId, SSLConfigurationSettings.CAPATH_SETTING_REALM), certificatePaths); if (randomBoolean()) { builder.put(getFullSettingKey(realmId, SSLConfigurationSettings.VERIFICATION_MODE_SETTING_REALM), hostnameVerification ? VerificationMode.FULL : VerificationMode.CERTIFICATE); } else { builder.put(getFullSettingKey(realmId, SessionFactorySettings.HOSTNAME_VERIFICATION_SETTING), hostnameVerification); } - if (useGlobalSSL == false) { - builder.putList(getFullSettingKey(realmId, SSLConfigurationSettings.CAPATH_SETTING_REALM), certificatePaths); - } return builder.build(); } diff --git a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/AbstractAdLdapRealmTestCase.java b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/AbstractAdLdapRealmTestCase.java index 135ae14b9c85b..bfec6d100a984 100644 --- a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/AbstractAdLdapRealmTestCase.java +++ b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/AbstractAdLdapRealmTestCase.java 
@@ -103,13 +103,11 @@ public abstract class AbstractAdLdapRealmTestCase extends SecurityIntegTestCase protected static final String TESTNODE_CERT = "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"; protected static RealmConfig realmConfig; protected static List roleMappings; - protected static boolean useGlobalSSL; @BeforeClass public static void setupRealm() { realmConfig = randomFrom(RealmConfig.values()); roleMappings = realmConfig.selectRoleMappings(ESTestCase::randomBoolean); - useGlobalSSL = randomBoolean(); LogManager.getLogger(AbstractAdLdapRealmTestCase.class).info( "running test with realm configuration [{}], with direct group to role mapping [{}]. Settings [{}]", realmConfig, realmConfig.mapGroupsAsRoles, realmConfig.settings); @@ -128,13 +126,13 @@ protected Settings nodeSettings(int nodeOrdinal) { Settings.Builder builder = Settings.builder(); // don't use filter since it returns a prefixed secure setting instead of mock! Settings settingsToAdd = super.nodeSettings(nodeOrdinal); - builder.put(settingsToAdd.filter(k -> k.startsWith("xpack.ssl.") == false), false); + builder.put(settingsToAdd.filter(k -> k.startsWith("xpack.transport.security.ssl.") == false), false); MockSecureSettings mockSecureSettings = (MockSecureSettings) Settings.builder().put(settingsToAdd).getSecureSettings(); if (mockSecureSettings != null) { MockSecureSettings filteredSecureSettings = new MockSecureSettings(); builder.setSecureSettings(filteredSecureSettings); for (String secureSetting : mockSecureSettings.getSettingNames()) { - if (secureSetting.startsWith("xpack.ssl.") == false) { + if (secureSetting.startsWith("xpack.transport.security.ssl.") == false) { SecureString secureString = mockSecureSettings.getString(secureSetting); if (secureString == null) { final byte[] fileBytes; 
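Review bot: The prefix `"xpack.transport.security.ssl."` in the two `startsWith` filters of nodeSettings looks like a transposition of `"xpack.security.transport.ssl."`, which is the prefix used everywhere else in this patch (for example in SSLReloadIntegTests and SSLTrustRestrictionsTests). As written, neither filter strips the parent's transport SSL settings, so the realm test nodes keep whatever super.nodeSettings configured, and the secure-setting loop below copies those entries as well. The same misspelled prefix is written by addSslSettingsForKeyPair in the following hunk, whose keys would then not be read by any SSL configuration; the only caller of that helper visible in this diff is the removed transportClientSettings override, so it may be dead code after this change. Suggested lines: `builder.put(settingsToAdd.filter(k -> k.startsWith("xpack.security.transport.ssl.") == false), false);` and `if (secureSetting.startsWith("xpack.security.transport.ssl.") == false) {`.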
@@ -216,25 +214,6 @@ private List getRoleMappingContent(Function co
 .collect(Collectors.toList());
 }
- @Override
- protected Settings transportClientSettings() {
- if (useGlobalSSL) {
- Path key = getDataPath(TESTNODE_KEY);
- Path cert = getDataPath(TESTNODE_CERT);
- Settings.Builder builder = Settings.builder()
- .put(super.transportClientSettings().filter((s) -> s.startsWith("xpack.ssl.") == false));
- addSslSettingsForKeyPair(builder, key, "testnode", cert, getNodeTrustedCertificates());
- return builder.build();
- } else {
- return super.transportClientSettings();
- }
- }
-
- @Override
- protected boolean transportSSLEnabled() {
- return useGlobalSSL;
- }
-
 protected final void configureFileRoleMappings(Settings.Builder builder, List mappings) {
 String content = getRoleMappingContent(RoleMappingEntry::getFileContent, mappings).stream().collect(Collectors.joining("\n"));
 Path nodeFiles = createTempDir();
@@ -310,11 +289,11 @@ protected static String userHeader(String username, String password) {
 private void addSslSettingsForKeyPair(Settings.Builder builder, Path key, String keyPassphrase, Path cert, List certificateAuthorities) {
- builder.put("xpack.ssl.key", key)
- .put("xpack.ssl.key_passphrase", keyPassphrase)
- .put("xpack.ssl.verification_mode", "certificate")
- .put("xpack.ssl.certificate", cert)
- .putList("xpack.ssl.certificate_authorities", certificateAuthorities);
+ builder.put("xpack.transport.security.ssl.key", key)
+ .put("xpack.transport.security.ssl.key_passphrase", keyPassphrase)
+ .put("xpack.transport.security.ssl.verification_mode", "certificate")
+ .put("xpack.transport.security.ssl.certificate", cert)
+ .putList("xpack.transport.security.ssl.certificate_authorities", certificateAuthorities);
 }
 /**
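Review bot: Deleting the `transportClientSettings()` override removes the only call to `addSslSettingsForKeyPair` visible on this page, yet the helper is kept and rewritten in the `@@ -310` hunk below. If no other caller remains in the part of the file outside this diff, the helper and its five SSL keys are dead code and should be removed rather than migrated to a new prefix. If a caller does remain, the removed `transportSSLEnabled()` override means transport SSL now follows the superclass default, so whether the key pair installed by the helper is ever used depends on that default and deserves a one-line comment at the helper saying which caller relies on it. `configureFileRoleMappings` continues past the end of the hunk.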
@@ -462,11 +441,8 @@ protected Settings buildSettings(List certificateAuthorities, int order)
 .put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".order", order)
 .put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".hostname_verification", false)
 .put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".unmapped_groups_as_roles", mapGroupsAsRoles)
- .put(this.settings);
- if (useGlobalSSL == false) {
- builder.putList(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".ssl.certificate_authorities", certificateAuthorities);
- }
-
+ .put(this.settings)
+ .putList(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".ssl.certificate_authorities", certificateAuthorities);
 return builder.build();
 }
diff --git a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectorySessionFactoryTests.java b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectorySessionFactoryTests.java
index aecee76f81831..73e1df5dd08bd 100644
--- a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectorySessionFactoryTests.java
+++ b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectorySessionFactoryTests.java
@@ -280,21 +280,16 @@ public void testStandardLdapConnection() throws Exception {
 String groupSearchBase = "DC=ad,DC=test,DC=elasticsearch,DC=com";
 String userTemplate = "CN={0},CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com";
 Settings settings = Settings.builder()
- .put(LdapTestCase.buildLdapSettings(
- new String[]{AD_LDAP_URL},
- new String[]{userTemplate},
- groupSearchBase,
- LdapSearchScope.SUB_TREE,
- null,
- true))
- .put("follow_referrals", FOLLOW_REFERRALS)
- .build();
- if (useGlobalSSL == false) {
- settings = Settings.builder()
- .put(settings)
- .putList("ssl.certificate_authorities", certificatePaths)
- .build();
- }
+ .put(LdapTestCase.buildLdapSettings(
+ new String[]{AD_LDAP_URL},
+ new String[]{userTemplate},
+ groupSearchBase,
+ LdapSearchScope.SUB_TREE,
+ null,
+ true))
+ .put("follow_referrals", FOLLOW_REFERRALS)
+ .putList("ssl.certificate_authorities", certificatePaths)
+ .build();
 RealmConfig config = configureRealm("ad-as-ldap-test", settings);
 LdapSessionFactory sessionFactory = new LdapSessionFactory(config, sslService, threadPool);
@@ -325,9 +320,7 @@ public void testHandlingLdapReferralErrors() throws Exception {
 null, ignoreReferralErrors);
 final Settings.Builder builder = Settings.builder().put(settings).put(globalSettings);
- if (useGlobalSSL == false) {
- builder.putList(RealmSettings.realmSslPrefix(realmId) + "certificate_authorities", certificatePaths);
- }
+ builder.putList(RealmSettings.realmSslPrefix(realmId) + "certificate_authorities", certificatePaths);
 settings = builder.build();
 RealmConfig config = new RealmConfig(realmId, settings, TestEnvironment.newEnvironment(globalSettings),
@@ -352,12 +345,10 @@ public void testHandlingLdapReferralErrors() throws Exception {
 public void testStandardLdapWithAttributeGroups() throws Exception {
 String userTemplate = "CN={0},CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com";
 Settings settings = LdapTestCase.buildLdapSettings(new String[]{AD_LDAP_URL}, userTemplate, false);
- if (useGlobalSSL == false) {
- settings = Settings.builder()
- .put(settings)
- .putList("ssl.certificate_authorities", certificatePaths)
- .build();
- }
+ settings = Settings.builder()
+ .put(settings)
+ .putList("ssl.certificate_authorities", certificatePaths)
+ .build();
 RealmConfig config = configureRealm("ad-as-ldap-test", settings);
 LdapSessionFactory sessionFactory = new LdapSessionFactory(config, sslService, threadPool);
@@ -412,9 +403,7 @@ private Settings buildAdSettings(String ldapUrl, String adDomainName, boolean ho
 builder.put(getFullSettingKey(REALM_ID, SessionFactorySettings.HOSTNAME_VERIFICATION_SETTING), hostnameVerification);
 }
- if (useGlobalSSL == false) {
- builder.putList(getFullSettingKey(REALM_ID, SSLConfigurationSettings.CAPATH_SETTING_REALM), certificatePaths);
- }
+ builder.putList(getFullSettingKey(REALM_ID, SSLConfigurationSettings.CAPATH_SETTING_REALM), certificatePaths);
 if (useBindUser) {
 final String user = randomFrom("cap", "hawkeye", "hulk", "ironman", "thor", "blackwidow", "cap@ad.test.elasticsearch.com",
diff --git a/x-pack/qa/vagrant/src/test/resources/packaging/tests/certgen.bash b/x-pack/qa/vagrant/src/test/resources/packaging/tests/certgen.bash
index 1f81bfcbd490a..dd41b93ea6b28 100644
--- a/x-pack/qa/vagrant/src/test/resources/packaging/tests/certgen.bash
+++ b/x-pack/qa/vagrant/src/test/resources/packaging/tests/certgen.bash
@@ -251,9 +251,12 @@ node.data: false
 discovery.zen.ping.unicast.hosts: ["127.0.0.1:9301"]
 cluster.initial_master_nodes: ["node-master"]
-xpack.ssl.key: $ESCONFIG/certs/node-master/node-master.key
-xpack.ssl.certificate: $ESCONFIG/certs/node-master/node-master.crt
-xpack.ssl.certificate_authorities: ["$ESCONFIG/certs/ca/ca.crt"]
+xpack.security.transport.ssl.key: $ESCONFIG/certs/node-master/node-master.key
+xpack.security.transport.ssl.certificate: $ESCONFIG/certs/node-master/node-master.crt
+xpack.security.transport.ssl.certificate_authorities: ["$ESCONFIG/certs/ca/ca.crt"]
+xpack.security.http.ssl.key: $ESCONFIG/certs/node-master/node-master.key
+xpack.security.http.ssl.certificate: $ESCONFIG/certs/node-master/node-master.crt
+xpack.security.http.ssl.certificate_authorities: ["$ESCONFIG/certs/ca/ca.crt"]
 xpack.security.transport.ssl.enabled: true
 transport.tcp.port: 9300
@@ -334,9 +337,12 @@ node.master: false
 node.data: true
 discovery.zen.ping.unicast.hosts: ["127.0.0.1:9300"]
-xpack.ssl.key: $ESCONFIG/certs/node-data/node-data.key
-xpack.ssl.certificate: $ESCONFIG/certs/node-data/node-data.crt
-xpack.ssl.certificate_authorities: ["$ESCONFIG/certs/ca/ca.crt"]
+xpack.security.transport.ssl.key: $ESCONFIG/certs/node-data/node-data.key
+xpack.security.transport.ssl.certificate: $ESCONFIG/certs/node-data/node-data.crt
+xpack.security.transport.ssl.certificate_authorities: ["$ESCONFIG/certs/ca/ca.crt"]
+xpack.security.http.ssl.key: $ESCONFIG/certs/node-data/node-data.key
+xpack.security.http.ssl.certificate: $ESCONFIG/certs//node-data/node-data.crt
+xpack.security.http.ssl.certificate_authorities: ["$ESCONFIG/certs/ca/ca.crt"]
 xpack.security.transport.ssl.enabled: true
 transport.tcp.port: 9301
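Review bot: `xpack.security.http.ssl.certificate: $ESCONFIG/certs//node-data/node-data.crt` in the node-data block carries a doubled path separator that the neighbouring key and CA lines, and the node-master block, do not; it should read `xpack.security.http.ssl.certificate: $ESCONFIG/certs/node-data/node-data.crt`. The shell and the node will tolerate the extra slash, but the inconsistency reads as a copy-paste slip and a later search for the certificate path will miss this line. In both hunks a complete `xpack.security.http.ssl.*` key/cert/CA block is added while the only enable flag visible is `xpack.security.transport.ssl.enabled: true`; if HTTP TLS is meant to be on for these nodes, `xpack.security.http.ssl.enabled: true` is still missing, and if it is deliberately off, a short comment above the HTTP block explaining why the settings are present would save the next reader the same question.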