diff --git a/docs/reference/settings/security-settings.asciidoc b/docs/reference/settings/security-settings.asciidoc index 767dde7a8ca30..cfd28309474ab 100644 --- a/docs/reference/settings/security-settings.asciidoc +++ b/docs/reference/settings/security-settings.asciidoc @@ -1213,6 +1213,10 @@ through the list of URLs will continue until a successful connection is made. [[ssl-tls-settings]] ==== Default TLS/SSL settings +deprecated[6.7.0, fallback to the default TLS/SSL settings is deprecated as it +leads to ambiguity in what configuration is used. Fully configure each components' +TLS/SSL settings as the default settings will be removed in 7.0] + You can configure the following TLS/SSL settings in `elasticsearch.yml`. For more information, see {stack-ov}/encrypting-communications.html[Encrypting communications]. These diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/DefaultJDKTrustConfig.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/DefaultJDKTrustConfig.java index 4b5055a9e86fd..e9cb0da6e71ff 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/DefaultJDKTrustConfig.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/DefaultJDKTrustConfig.java @@ -25,6 +25,7 @@ import java.util.Collection; import java.util.Collections; import java.util.List; +import java.util.Objects; /** * This class represents a trust configuration that corresponds to the default trusted certificates of the JDK @@ -69,16 +70,6 @@ public String toString() { return "JDK trusted certs"; } - @Override - public boolean equals(Object o) { - return o == this; - } - - @Override - public int hashCode() { - return System.identityHashCode(this); - } - /** * Merges the default trust configuration with the provided {@link TrustConfig} * @param trustConfig the trust configuration to merge with @@ -109,4 +100,17 @@ private KeyStore getSystemTrustStore() throws KeyStoreException, CertificateExce } return null; } + + @Override + public boolean equals(Object o) { + if (this == o) return true; + if (o == null || getClass() != o.getClass()) return false; + DefaultJDKTrustConfig that = (DefaultJDKTrustConfig) o; + return Objects.equals(trustStorePassword, that.trustStorePassword); + } + + @Override + public int hashCode() { + return Objects.hash(trustStorePassword); + } } diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLConfiguration.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLConfiguration.java index 0862cb929ef98..466240f427e75 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLConfiguration.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLConfiguration.java @@ -256,7 +256,9 @@ private static SecureString getDefaultTrustStorePassword(Settings settings) { return trustStorePassword; } } - return systemTrustStorePassword; + // since we are in a try with resources block, we need to clone the value so it doesn't get + // cleared! + return systemTrustStorePassword.clone(); } } return null; diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationSettings.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationSettings.java index 0cc01270ced53..d2c809d3ded7e 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationSettings.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationSettings.java @@ -11,6 +11,7 @@ import org.elasticsearch.common.settings.Setting.Property; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.util.CollectionUtils; +import org.elasticsearch.xpack.core.XPackSettings; import javax.net.ssl.TrustManagerFactory; @@ -57,12 +58,12 @@ public class SSLConfigurationSettings { private static final String PKCS12_KEYSTORE_TYPE = "PKCS12"; private static final Function>> CIPHERS_SETTING_TEMPLATE = key -> Setting.listSetting(key, Collections - .emptyList(), Function.identity(), Property.NodeScope, Property.Filtered); + .emptyList(), Function.identity(), propertiesFromKey(key)); public static final Setting> CIPHERS_SETTING_PROFILES = Setting.affixKeySetting("transport.profiles.", "xpack.security.ssl.cipher_suites", CIPHERS_SETTING_TEMPLATE); private static final Function>> SUPPORTED_PROTOCOLS_TEMPLATE = key -> Setting.listSetting(key, - Collections.emptyList(), Function.identity(), Property.NodeScope, Property.Filtered); + Collections.emptyList(), Function.identity(), propertiesFromKey(key)); public static final Setting> SUPPORTED_PROTOCOLS_PROFILES = Setting.affixKeySetting("transport.profiles.", "xpack.security.ssl.supported_protocols", SUPPORTED_PROTOCOLS_TEMPLATE) ; @@ -82,7 +83,7 @@ public class SSLConfigurationSettings { "xpack.security.ssl.keystore.secure_key_password", X509KeyPairSettings.KEYSTORE_KEY_PASSWORD_TEMPLATE); private static final Function>> TRUST_STORE_PATH_TEMPLATE = key -> new Setting<>(key, s -> null, - Optional::ofNullable, Property.NodeScope, Property.Filtered); + Optional::ofNullable, propertiesFromKey(key)); public static final Setting> TRUST_STORE_PATH_PROFILES = Setting.affixKeySetting("transport.profiles.", "xpack.security.ssl.truststore.path", TRUST_STORE_PATH_TEMPLATE); @@ -96,7 +97,8 @@ public class SSLConfigurationSettings { private static final Function> TRUSTSTORE_PASSWORD_TEMPLATE = key -> SecureSetting.secureString(key, LEGACY_TRUSTSTORE_PASSWORD_TEMPLATE.apply(key.replace("truststore.secure_password", - "truststore.password"))); + "truststore.password")), + key.startsWith(XPackSettings.GLOBAL_SSL_PREFIX) ? new Property[] { Property.Deprecated } : new Property[0]); public static final Setting TRUSTSTORE_PASSWORD_PROFILES = Setting.affixKeySetting("transport.profiles.", "xpack.security.ssl.truststore.secure_password", TRUSTSTORE_PASSWORD_TEMPLATE); @@ -105,7 +107,7 @@ public class SSLConfigurationSettings { private static final Function> TRUST_STORE_ALGORITHM_TEMPLATE = key -> new Setting<>(key, s -> TrustManagerFactory.getDefaultAlgorithm(), - Function.identity(), Property.NodeScope, Property.Filtered); + Function.identity(), propertiesFromKey(key)); public static final Setting TRUST_STORE_ALGORITHM_PROFILES = Setting.affixKeySetting("transport.profiles.", "xpack.security.ssl.truststore.algorithm", TRUST_STORE_ALGORITHM_TEMPLATE); @@ -118,7 +120,7 @@ public class SSLConfigurationSettings { "xpack.security.ssl.truststore.type", TRUST_STORE_TYPE_TEMPLATE); private static final Function>> TRUST_RESTRICTIONS_TEMPLATE = key -> new Setting<>(key, s -> null, - Optional::ofNullable, Property.NodeScope, Property.Filtered); + Optional::ofNullable, propertiesFromKey(key)); public static final Setting> TRUST_RESTRICTIONS_PROFILES = Setting.affixKeySetting("transport.profiles.", "xpack.security.ssl.trust_restrictions", TRUST_RESTRICTIONS_TEMPLATE); @@ -132,19 +134,19 @@ public class SSLConfigurationSettings { "xpack.security.ssl.certificate", X509KeyPairSettings.CERT_TEMPLATE); private static final Function>> CAPATH_SETTING_TEMPLATE = key -> Setting.listSetting(key, Collections - .emptyList(), Function.identity(), Property.NodeScope, Property.Filtered); + .emptyList(), Function.identity(), propertiesFromKey(key)); public static final Setting> CAPATH_SETTING_PROFILES = Setting.affixKeySetting("transport.profiles.", "xpack.security.ssl.certificate_authorities", CAPATH_SETTING_TEMPLATE); private static final Function>> CLIENT_AUTH_SETTING_TEMPLATE = key -> new Setting<>(key, (String) null, s -> s == null ? Optional.empty() : Optional.of(SSLClientAuth.parse(s)), - Property.NodeScope, Property.Filtered); + propertiesFromKey(key)); public static final Setting> CLIENT_AUTH_SETTING_PROFILES = Setting.affixKeySetting("transport.profiles.", "xpack.security.ssl.client_authentication", CLIENT_AUTH_SETTING_TEMPLATE); private static final Function>> VERIFICATION_MODE_SETTING_TEMPLATE = key -> new Setting<>(key, (String) null, s -> s == null ? Optional.empty() : Optional.of(VerificationMode.parse(s)), - Property.NodeScope, Property.Filtered); + propertiesFromKey(key)); public static final Setting> VERIFICATION_MODE_SETTING_PROFILES = Setting.affixKeySetting( "transport.profiles.", "xpack.security.ssl.verification_mode", VERIFICATION_MODE_SETTING_TEMPLATE); @@ -190,6 +192,14 @@ private static String inferKeyStoreType(String path) { } } + static Property[] propertiesFromKey(String key) { + if (key.startsWith(XPackSettings.GLOBAL_SSL_PREFIX)) { + return new Property[] { Property.NodeScope, Property.Filtered, Property.Deprecated }; + } else { + return new Property[] { Property.NodeScope, Property.Filtered }; + } + } + public List> getAllSettings() { return allSettings; } diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLService.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLService.java index a7377bf410882..e8e5f602ebf31 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLService.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLService.java @@ -7,16 +7,21 @@ import org.apache.http.conn.ssl.NoopHostnameVerifier; import org.apache.http.nio.conn.ssl.SSLIOSessionStrategy; +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; import org.apache.lucene.util.SetOnce; import org.elasticsearch.ElasticsearchException; import org.elasticsearch.common.CheckedSupplier; import org.elasticsearch.common.Strings; import org.elasticsearch.common.component.AbstractComponent; +import org.elasticsearch.common.logging.DeprecationLogger; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.env.Environment; import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.common.socket.SocketAccess; import org.elasticsearch.xpack.core.security.SecurityField; +import org.elasticsearch.xpack.core.security.authc.ldap.LdapRealmSettings; +import org.elasticsearch.xpack.core.security.authc.saml.SamlRealmSettings; import org.elasticsearch.xpack.core.ssl.cert.CertificateInfo; import javax.net.ssl.HostnameVerifier; @@ -61,7 +66,8 @@ */ public class SSLService extends AbstractComponent { - private final Settings settings; + private static final Logger logger = LogManager.getLogger(SSLService.class); + private static final DeprecationLogger deprecationLogger = new DeprecationLogger(logger); /** * This is a mapping from "context name" (in general use, the name of a setting key) @@ -83,6 +89,7 @@ public class SSLService extends AbstractComponent { private final SSLConfiguration globalSSLConfiguration; private final SetOnce transportSSLConfiguration = new SetOnce<>(); private final Environment env; + private final Settings settings; /** * Create a new SSLService that parses the settings for the ssl contexts that need to be created, creates them, and then caches them @@ -119,6 +126,13 @@ Map loadSSLConfigurations() { return Collections.emptyMap(); } + @Override + SSLConfiguration sslConfiguration(Settings settings) { + SSLConfiguration sslConfiguration = super.sslConfiguration(settings); + SSLService.this.checkSSLConfigurationForFallback("monitoring.exporters", settings, sslConfiguration); + return sslConfiguration; + } + /** * Returns the existing {@link SSLContextHolder} for the configuration * @throws IllegalArgumentException if not found @@ -405,9 +419,15 @@ Map loadSSLConfigurations() { sslSettingsMap.forEach((key, sslSettings) -> { if (sslSettings.isEmpty()) { + if (shouldCheckForFallbackDeprecation(key)) { + checkSSLConfigurationForFallback(key, sslSettings, new SSLConfiguration(sslSettings, globalSSLConfiguration)); + } storeSslConfiguration(key, globalSSLConfiguration); } else { final SSLConfiguration configuration = new SSLConfiguration(sslSettings, globalSSLConfiguration); + if (shouldCheckForFallbackDeprecation(key)) { + checkSSLConfigurationForFallback(key, sslSettings, configuration); + } storeSslConfiguration(key, configuration); sslContextHolders.computeIfAbsent(configuration, this::createSslContext); } @@ -415,12 +435,19 @@ Map loadSSLConfigurations() { final Settings transportSSLSettings = settings.getByPrefix(XPackSettings.TRANSPORT_SSL_PREFIX); final SSLConfiguration transportSSLConfiguration = new SSLConfiguration(transportSSLSettings, globalSSLConfiguration); + final boolean transportSSLEnabled = XPackSettings.TRANSPORT_SSL_ENABLED.get(settings); + if (transportSSLEnabled) { + checkSSLConfigurationForFallback(XPackSettings.TRANSPORT_SSL_PREFIX, transportSSLSettings, transportSSLConfiguration); + } this.transportSSLConfiguration.set(transportSSLConfiguration); storeSslConfiguration(XPackSettings.TRANSPORT_SSL_PREFIX, transportSSLConfiguration); Map profileSettings = getTransportProfileSSLSettings(settings); sslContextHolders.computeIfAbsent(transportSSLConfiguration, this::createSslContext); profileSettings.forEach((key, profileSetting) -> { final SSLConfiguration configuration = new SSLConfiguration(profileSetting, transportSSLConfiguration); + if (transportSSLEnabled && key.equals("transport.profiles.default.xpack.security.ssl") == false) { + checkSSLConfigurationForFallback(key, profileSetting, configuration); + } storeSslConfiguration(key, configuration); sslContextHolders.computeIfAbsent(configuration, this::createSslContext); }); @@ -435,6 +462,57 @@ private void storeSslConfiguration(String key, SSLConfiguration configuration) { sslConfigurations.put(key, configuration); } + private boolean shouldCheckForFallbackDeprecation(String name) { + if (name.startsWith("xpack.security.authc.realms.")) { + // try to see if this is actually using TLS + Settings realm = settings.getByPrefix(name.substring(0, name.indexOf(".ssl"))); + String type = realm.get("type"); + // only check the types we know use ssl. custom realms may but we don't want to cause confusion + if (LdapRealmSettings.LDAP_TYPE.equals(type) || LdapRealmSettings.AD_TYPE.equals(type)) { + List urls = realm.getAsList("url"); + return urls.isEmpty() == false && urls.stream().anyMatch(s -> s.startsWith("ldaps://")); + } else if (SamlRealmSettings.TYPE.equals(type)) { + final String idpMetadataPath = SamlRealmSettings.IDP_METADATA_PATH.get(realm); + return Strings.hasText(idpMetadataPath) && idpMetadataPath.startsWith("https://"); + } + } else if (name.startsWith("xpack.monitoring.exporters.")) { + Settings exporterSettings = settings.getByPrefix(name.substring(0, name.indexOf(".ssl"))); + List hosts = exporterSettings.getAsList("host"); + return hosts.stream().anyMatch(s -> s.startsWith("https")); + } else if (name.equals(XPackSettings.HTTP_SSL_PREFIX) && XPackSettings.HTTP_SSL_ENABLED.get(settings)) { + return true; + } else if (name.equals("xpack.http.ssl") && XPackSettings.WATCHER_ENABLED.get(settings)) { + return true; + } + return false; + } + + private void checkSSLConfigurationForFallback(String name, Settings settings, SSLConfiguration config) { + final SSLConfiguration noFallBackConfig = new SSLConfiguration(settings); + if (config.equals(noFallBackConfig) == false) { + List fallbackReliers = new ArrayList<>(); + if (config.keyConfig().equals(noFallBackConfig.keyConfig()) == false) { + fallbackReliers.add("key configuration"); + } + if (config.trustConfig().equals(noFallBackConfig.trustConfig()) == false) { + fallbackReliers.add("trust configuration"); + } + if (config.cipherSuites().equals(noFallBackConfig.cipherSuites()) == false) { + fallbackReliers.add("enabled cipher suites"); + } + if (config.sslClientAuth() != noFallBackConfig.sslClientAuth()) { + fallbackReliers.add("client authentication"); + } + if (config.supportedProtocols().equals(noFallBackConfig.supportedProtocols()) == false) { + fallbackReliers.add("supported protocols"); + } + if (config.verificationMode() != noFallBackConfig.verificationMode()) { + fallbackReliers.add("certificate verification mode"); + } + deprecationLogger.deprecated("SSL configuration [{}] relies upon fallback to another configuration for {}, which is " + + "deprecated.", name, fallbackReliers); + } + } /** * Returns information about each certificate that is referenced by any SSL configuration. diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/X509KeyPairSettings.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/X509KeyPairSettings.java index 33b78b2da8609..9a45a7e71f569 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/X509KeyPairSettings.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/X509KeyPairSettings.java @@ -8,7 +8,9 @@ import org.elasticsearch.common.settings.SecureSetting; import org.elasticsearch.common.settings.SecureString; import org.elasticsearch.common.settings.Setting; +import org.elasticsearch.common.settings.Setting.Property; import org.elasticsearch.common.util.CollectionUtils; +import org.elasticsearch.xpack.core.XPackSettings; import javax.net.ssl.KeyManagerFactory; @@ -19,6 +21,8 @@ import java.util.Optional; import java.util.function.Function; +import static org.elasticsearch.xpack.core.ssl.SSLConfigurationSettings.propertiesFromKey; + /** * An encapsulation of the configuration options for X.509 Key Pair support in X-Pack security. * The most common use is as the private key and associated certificate for SSL/TLS support, but it can also be used for providing @@ -28,58 +32,59 @@ public class X509KeyPairSettings { static final Function>> KEYSTORE_PATH_TEMPLATE = key -> new Setting<>(key, s -> null, - Optional::ofNullable, Setting.Property.NodeScope, Setting.Property.Filtered); + Optional::ofNullable, propertiesFromKey(key)); static final Function> LEGACY_KEYSTORE_PASSWORD_TEMPLATE = key -> new Setting<>(key, "", SecureString::new, Setting.Property.Deprecated, Setting.Property.Filtered, Setting.Property.NodeScope); static final Function> KEYSTORE_PASSWORD_TEMPLATE = key -> SecureSetting.secureString(key, - LEGACY_KEYSTORE_PASSWORD_TEMPLATE.apply(key.replace("keystore.secure_password", "keystore.password"))); + LEGACY_KEYSTORE_PASSWORD_TEMPLATE.apply(key.replace("keystore.secure_password", "keystore.password")), + key.startsWith(XPackSettings.GLOBAL_SSL_PREFIX) ? new Property[] { Property.Deprecated } : new Property[0]); static final Function> KEY_STORE_ALGORITHM_TEMPLATE = key -> new Setting<>(key, s -> KeyManagerFactory.getDefaultAlgorithm(), - Function.identity(), Setting.Property.NodeScope, Setting.Property.Filtered); + Function.identity(), propertiesFromKey(key)); static final Function>> KEY_STORE_TYPE_TEMPLATE = key -> - new Setting<>(key, s -> null, Optional::ofNullable, Setting.Property.NodeScope, Setting.Property.Filtered); + new Setting<>(key, s -> null, Optional::ofNullable, propertiesFromKey(key)); static final Function> LEGACY_KEYSTORE_KEY_PASSWORD_TEMPLATE = key -> new Setting<>(key, "", SecureString::new, Setting.Property.Deprecated, Setting.Property.Filtered, Setting.Property.NodeScope); static final Function> KEYSTORE_KEY_PASSWORD_TEMPLATE = key -> SecureSetting.secureString(key, LEGACY_KEYSTORE_KEY_PASSWORD_TEMPLATE.apply(key.replace("keystore.secure_key_password", - "keystore.key_password"))); + "keystore.key_password")), + key.startsWith(XPackSettings.GLOBAL_SSL_PREFIX) ? new Property[] { Property.Deprecated } : new Property[0]); static final Function>> KEY_PATH_TEMPLATE = key -> new Setting<>(key, s -> null, - Optional::ofNullable, Setting.Property.NodeScope, Setting.Property.Filtered); + Optional::ofNullable, propertiesFromKey(key)); static final Function>> CERT_TEMPLATE = key -> new Setting<>(key, s -> null, - Optional::ofNullable, Setting.Property.NodeScope, Setting.Property.Filtered); + Optional::ofNullable, propertiesFromKey(key)); static final Function> LEGACY_KEY_PASSWORD_TEMPLATE = key -> new Setting<>(key, "", SecureString::new, Setting.Property.Deprecated, Setting.Property.Filtered, Setting.Property.NodeScope); static final Function> KEY_PASSWORD_TEMPLATE = key -> - SecureSetting.secureString(key, LEGACY_KEY_PASSWORD_TEMPLATE.apply(key.replace("secure_key_passphrase", - "key_passphrase"))); + SecureSetting.secureString(key, LEGACY_KEY_PASSWORD_TEMPLATE.apply(key.replace("secure_key_passphrase", "key_passphrase")), + key.startsWith(XPackSettings.GLOBAL_SSL_PREFIX) ? new Property[] { Property.Deprecated } : new Property[0]); private final String prefix; // Specify private cert/key pair via keystore - final Setting> keystorePath; - final Setting keystorePassword; - final Setting keystoreAlgorithm; - final Setting> keystoreType; - final Setting keystoreKeyPassword; + public final Setting> keystorePath; + public final Setting keystorePassword; + public final Setting keystoreAlgorithm; + public final Setting> keystoreType; + public final Setting keystoreKeyPassword; // Specify private cert/key pair via key and certificate files - final Setting> keyPath; - final Setting keyPassword; - final Setting> certificatePath; + public final Setting> keyPath; + public final Setting keyPassword; + public final Setting> certificatePath; // Optional support for legacy (non secure) passwords - // pkg private for tests - final Setting legacyKeystorePassword; - final Setting legacyKeystoreKeyPassword; - final Setting legacyKeyPassword; + public final Setting legacyKeystorePassword; + public final Setting legacyKeystoreKeyPassword; + public final Setting legacyKeyPassword; private final List> allSettings; diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationReloaderTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationReloaderTests.java index cb9996ac90db5..3136fba568d4f 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationReloaderTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationReloaderTests.java @@ -91,6 +91,7 @@ public void testReloadingKeyStore() throws Exception { secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode"); final Settings settings = Settings.builder() .put("path.home", createTempDir()) + .put("xpack.watcher.enabled", false) // to avoid warnings about http.ssl fallback .put("xpack.ssl.keystore.path", keystorePath) .setSecureSettings(secureSettings) .build(); @@ -147,6 +148,7 @@ public void testPEMKeyConfigReloading() throws Exception { secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode"); final Settings settings = Settings.builder() .put("path.home", createTempDir()) + .put("xpack.watcher.enabled", false) // to avoid warnings about http.ssl fallback .put("xpack.ssl.key", keyPath) .put("xpack.ssl.certificate", certPath) .setSecureSettings(secureSettings) @@ -204,6 +206,7 @@ public void testReloadingTrustStore() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.ssl.truststore.secure_password", "testnode"); Settings settings = Settings.builder() + .put("xpack.watcher.enabled", false) // to avoid warnings about http.ssl fallback .put("xpack.ssl.truststore.path", trustStorePath) .put("path.home", createTempDir()) .setSecureSettings(secureSettings) @@ -254,6 +257,7 @@ public void testReloadingPEMTrustConfig() throws Exception { Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem"), serverKeyPath); Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_updated.crt"), updatedCert); Settings settings = Settings.builder() + .put("xpack.watcher.enabled", false) // to avoid warnings about http.ssl fallback .put("xpack.ssl.certificate_authorities", serverCertPath) .put("path.home", createTempDir()) .build(); @@ -302,6 +306,7 @@ public void testReloadingKeyStoreException() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode"); Settings settings = Settings.builder() + .put("xpack.watcher.enabled", false) // to avoid warnings about http.ssl fallback .put("xpack.ssl.keystore.path", keystorePath) .setSecureSettings(secureSettings) .put("path.home", createTempDir()) @@ -341,6 +346,7 @@ public void testReloadingPEMKeyConfigException() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode"); Settings settings = Settings.builder() + .put("xpack.watcher.enabled", false) // to avoid warnings about http.ssl fallback .put("xpack.ssl.key", keyPath) .put("xpack.ssl.certificate", certPath) .putList("xpack.ssl.certificate_authorities", certPath.toString(), clientCertPath.toString()) @@ -378,6 +384,7 @@ public void testTrustStoreReloadException() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.ssl.truststore.secure_password", "testnode"); Settings settings = Settings.builder() + .put("xpack.watcher.enabled", false) // to avoid warnings about http.ssl fallback .put("xpack.ssl.truststore.path", trustStorePath) .put("path.home", createTempDir()) .setSecureSettings(secureSettings) @@ -411,6 +418,7 @@ public void testPEMTrustReloadException() throws Exception { Path clientCertPath = tempDir.resolve("testclient.crt"); Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt"), clientCertPath); Settings settings = Settings.builder() + .put("xpack.watcher.enabled", false) // to avoid warnings about http.ssl fallback .putList("xpack.ssl.certificate_authorities", clientCertPath.toString()) .put("path.home", createTempDir()) .build(); diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLServiceTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLServiceTests.java index 88d10071e8543..0185da5967084 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLServiceTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLServiceTests.java @@ -138,6 +138,8 @@ public void testThatCustomTruststoreCanBeSpecified() throws Exception { assertThat(profileConfiguration, notNullValue()); assertThat(profileConfiguration.trustConfig(), instanceOf(StoreTrustConfig.class)); assertThat(((StoreTrustConfig) profileConfiguration.trustConfig()).trustStorePath, equalTo(testClientStore.toString())); + assertWarnings("SSL configuration [xpack.http.ssl] relies upon fallback to another configuration for [" + + "trust configuration], which is deprecated."); } public void testThatSslContextCachingWorks() throws Exception { @@ -158,6 +160,8 @@ public void testThatSslContextCachingWorks() throws Exception { final SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.ssl"); final SSLContext configContext = sslService.sslContext(configuration); assertThat(configContext, is(sameInstance(sslContext))); + assertWarnings("SSL configuration [xpack.http.ssl] relies upon fallback to another configuration for [key configuration, " + + "trust configuration], which is deprecated."); } public void testThatKeyStoreAndKeyCanHaveDifferentPasswords() throws Exception { @@ -174,6 +178,8 @@ public void testThatKeyStoreAndKeyCanHaveDifferentPasswords() throws Exception { final SSLService sslService = new SSLService(settings, env); SSLConfiguration configuration = globalConfiguration(sslService); sslService.createSSLEngine(configuration, null, -1); + assertWarnings("SSL configuration [xpack.http.ssl] relies upon fallback to another configuration for [key configuration, " + + "trust configuration], which is deprecated."); } public void testIncorrectKeyPasswordThrowsException() throws Exception { @@ -208,6 +214,8 @@ public void testThatSSLv3IsNotEnabled() throws Exception { SSLConfiguration configuration = globalConfiguration(sslService); SSLEngine engine = sslService.createSSLEngine(configuration, null, -1); assertThat(Arrays.asList(engine.getEnabledProtocols()), not(hasItem("SSLv3"))); + assertWarnings("SSL configuration [xpack.http.ssl] relies upon fallback to another configuration for [key configuration, " + + "trust configuration], which is deprecated."); } public void testThatCreateClientSSLEngineWithoutAnySettingsWorks() throws Exception { @@ -228,6 +236,8 @@ public void testThatCreateSSLEngineWithOnlyTruststoreWorks() throws Exception { SSLConfiguration configuration = globalConfiguration(sslService); SSLEngine sslEngine = sslService.createSSLEngine(configuration, null, -1); assertThat(sslEngine, notNullValue()); + assertWarnings("SSL configuration [xpack.http.ssl] relies upon fallback to another configuration for [" + + "trust configuration], which is deprecated."); } @@ -243,6 +253,8 @@ public void testCreateWithKeystoreIsValidForServer() throws Exception { SSLService sslService = new SSLService(settings, env); assertTrue(sslService.isConfigurationValidForServerUsage(globalConfiguration(sslService))); + assertWarnings("SSL configuration [xpack.http.ssl] relies upon fallback to another configuration for [key configuration, " + + "trust configuration], which is deprecated."); } public void testValidForServerWithFallback() throws Exception { @@ -268,6 +280,8 @@ public void testValidForServerWithFallback() throws Exception { sslService = new SSLService(settings, env); assertFalse(sslService.isConfigurationValidForServerUsage(globalConfiguration(sslService))); assertTrue(sslService.isConfigurationValidForServerUsage(sslService.getSSLConfiguration("xpack.security.transport.ssl"))); + assertWarnings("SSL configuration [xpack.http.ssl] relies upon fallback to another configuration for [" + + "trust configuration], which is deprecated."); } public void testGetVerificationMode() throws Exception { @@ -285,6 +299,8 @@ public void testGetVerificationMode() throws Exception { assertThat(sslService.getSSLConfiguration("xpack.security.transport.ssl.").verificationMode(), is(VerificationMode.CERTIFICATE)); assertThat(sslService.getSSLConfiguration("transport.profiles.foo.xpack.security.ssl.").verificationMode(), is(VerificationMode.FULL)); + assertWarnings("SSL configuration [xpack.http.ssl] relies upon fallback to another configuration for [trust configuration, " + + "certificate verification mode], which is deprecated."); } public void testIsSSLClientAuthEnabled() throws Exception { @@ -300,6 +316,8 @@ public void testIsSSLClientAuthEnabled() throws Exception { assertFalse(sslService.isSSLClientAuthEnabled(globalConfiguration(sslService))); assertTrue(sslService.isSSLClientAuthEnabled(sslService.getSSLConfiguration("xpack.security.transport.ssl"))); assertTrue(sslService.isSSLClientAuthEnabled(sslService.getSSLConfiguration("transport.profiles.foo.xpack.security.ssl"))); + assertWarnings("SSL configuration [xpack.http.ssl] relies upon fallback to another configuration for [" + + "client authentication], which is deprecated."); } public void testThatHttpClientAuthDefaultsToNone() throws Exception { @@ -314,6 +332,8 @@ public void testThatHttpClientAuthDefaultsToNone() throws Exception { final SSLConfiguration httpConfig = sslService.getHttpTransportSSLConfiguration(); assertThat(httpConfig.sslClientAuth(), is(SSLClientAuth.NONE)); + assertWarnings("SSL configuration [xpack.http.ssl] relies upon fallback to another configuration for [client authentication" + + "], which is deprecated."); } public void testThatTruststorePasswordIsRequired() throws Exception { @@ -342,9 +362,6 @@ public void testThatKeystorePasswordIsRequired() throws Exception { } public void testCiphersAndInvalidCiphersWork() throws Exception { - List ciphers = new ArrayList<>(XPackSettings.DEFAULT_CIPHERS); - ciphers.add("foo"); - ciphers.add("bar"); MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode"); Settings settings = Settings.builder() @@ -358,6 +375,8 @@ public void testCiphersAndInvalidCiphersWork() throws Exception { assertThat(engine, is(notNullValue())); String[] enabledCiphers = engine.getEnabledCipherSuites(); assertThat(Arrays.asList(enabledCiphers), not(contains("foo", "bar"))); + assertWarnings("SSL configuration [xpack.http.ssl] relies upon fallback to another configuration for [key configuration, " + + "trust configuration], which is deprecated."); } public void testInvalidCiphersOnlyThrowsException() throws Exception { @@ -388,6 +407,8 @@ public void testThatSSLEngineHasCipherSuitesOrderSet() throws Exception { SSLEngine engine = sslService.createSSLEngine(configuration, null, -1); assertThat(engine, is(notNullValue())); assertTrue(engine.getSSLParameters().getUseCipherSuitesOrder()); + assertWarnings("SSL configuration [xpack.http.ssl] relies upon fallback to another configuration for [key configuration, " + + "trust configuration], which is deprecated."); } public void testThatSSLSocketFactoryHasProperCiphersAndProtocols() throws Exception { @@ -413,6 +434,8 @@ public void testThatSSLSocketFactoryHasProperCiphersAndProtocols() throws Except assertThat(socket.getSSLParameters().getProtocols(), arrayContainingInAnyOrder(supportedProtocols)); assertTrue(socket.getSSLParameters().getUseCipherSuitesOrder()); } + assertWarnings("SSL configuration [xpack.http.ssl] relies upon fallback to another configuration for [key configuration, " + + "trust configuration], which is deprecated."); } public void testThatSSLEngineHasProperCiphersAndProtocols() throws Exception { @@ -433,6 +456,8 @@ public void testThatSSLEngineHasProperCiphersAndProtocols() throws Exception { // the order we set the protocols in is not going to be what is returned as internally the JDK may sort the versions assertThat(engine.getEnabledProtocols(), arrayContainingInAnyOrder(supportedProtocols)); assertThat(engine.getSSLParameters().getProtocols(), arrayContainingInAnyOrder(supportedProtocols)); + assertWarnings("SSL configuration [xpack.http.ssl] relies upon fallback to another configuration for [key configuration, " + + "trust configuration], which is deprecated."); } public void testSSLStrategy() { diff --git a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/DeprecationChecks.java b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/DeprecationChecks.java index a0596e740085e..ff94eea7945da 100644 --- a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/DeprecationChecks.java +++ b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/DeprecationChecks.java @@ -48,7 +48,8 @@ private DeprecationChecks() { NodeDeprecationChecks::discoveryConfigurationCheck, NodeDeprecationChecks::azureRepositoryChanges, NodeDeprecationChecks::gcsRepositoryChanges, - NodeDeprecationChecks::fileDiscoveryPluginRemoved + NodeDeprecationChecks::fileDiscoveryPluginRemoved, + NodeDeprecationChecks::defaultSSLSettingsRemoved )); static List> INDEX_SETTINGS_CHECKS = diff --git a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java index 1895424e6ce21..ccb5ef0cceefc 100644 --- a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java +++ b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java @@ -197,4 +197,19 @@ static DeprecationIssue fileDiscoveryPluginRemoved(List nodeInfos, Lis } return null; } + + static DeprecationIssue defaultSSLSettingsRemoved(List nodeInfos, List nodeStats) { + List nodesFound = nodeInfos.stream() + .filter(nodeInfo -> nodeInfo.getSettings().getByPrefix("xpack.ssl").isEmpty() == false) + .map(nodeInfo -> nodeInfo.getNode().getName()) + .collect(Collectors.toList()); + if (nodesFound.size() > 0) { + return new DeprecationIssue(DeprecationIssue.Level.CRITICAL, + "Default TLS/SSL settings have been removed", + "https://www.elastic.co/guide/en/elasticsearch/reference/master/breaking-changes-7.0.html" + + "#tls-setting-fallback", + "Nodes with default TLS/SSL settings: " + nodesFound); + } + return null; + } } diff --git a/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java b/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java index a791a9e930f76..ede6351c8c88f 100644 --- a/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java +++ b/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java @@ -11,6 +11,7 @@ import org.elasticsearch.action.admin.cluster.node.info.PluginsAndModules; import org.elasticsearch.action.admin.cluster.node.stats.NodeStats; import org.elasticsearch.cluster.node.DiscoveryNode; +import org.elasticsearch.common.Strings; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.transport.TransportAddress; import org.elasticsearch.monitor.fs.FsInfo; @@ -229,4 +230,16 @@ public void testFileDiscoveryPluginCheck() { "nodes with discovery-file installed: [node_check]"); assertSettingsAndIssue("foo", "bar", expected); } + + public void testDefaultSSLSettingsCheck() { + DeprecationIssue expected = new DeprecationIssue(DeprecationIssue.Level.CRITICAL, + "Default TLS/SSL settings have been removed", + "https://www.elastic.co/guide/en/elasticsearch/reference/master/breaking-changes-7.0.html" + + "#tls-setting-fallback", + "Nodes with default TLS/SSL settings: [node_check]"); + assertSettingsAndIssue("xpack.ssl.keystore.path", randomAlphaOfLength(8), expected); + assertSettingsAndIssue("xpack.ssl.truststore.password", randomAlphaOfLengthBetween(2, 12), expected); + assertSettingsAndIssue("xpack.ssl.certificate_authorities", + Strings.arrayToCommaDelimitedString(randomArray(1, 4, String[]::new, () -> randomAlphaOfLengthBetween(4, 16))), expected); + } } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySettingsSource.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySettingsSource.java index 216d8e44148f7..883cf23bec6b6 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySettingsSource.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySettingsSource.java @@ -149,7 +149,7 @@ public Path nodeConfigPath(int nodeOrdinal) { @Override public Settings transportClientSettings() { Settings.Builder builder = Settings.builder(); - addClientSSLSettings(builder, ""); + addClientSSLSettings(builder, "xpack.security.transport."); addDefaultSecurityTransportType(builder, Settings.EMPTY); if (randomBoolean()) { @@ -168,7 +168,6 @@ protected void addDefaultSecurityTransportType(Settings.Builder builder, Setting } } - @Override public Collection> nodePlugins() { return Arrays.asList(LocalStateSecurity.class, Netty4Plugin.class, ReindexPlugin.class, CommonAnalysisPlugin.class, @@ -208,22 +207,27 @@ protected SecureString transportClientPassword() { return new SecureString(SecuritySettingsSourceField.TEST_PASSWORD.toCharArray()); } + public static void addSSLSettingsForNodePEMFiles(Settings.Builder builder, String prefix, boolean hostnameVerificationEnabled) { + addSSLSettingsForPEMFiles(builder, prefix, + "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem", "testnode", + "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt", + Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-client-profile.crt", + "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/active-directory-ca.crt", + "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt", + "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/openldap.crt", + "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"), + hostnameVerificationEnabled, false); + } + private void addNodeSSLSettings(Settings.Builder builder) { if (sslEnabled) { if (usePEM) { - addSSLSettingsForPEMFiles(builder, "", - "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem", "testnode", - "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt", - Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-client-profile.crt", - "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/active-directory-ca.crt", - "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt", - "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/openldap.crt", - "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"), - sslEnabled, hostnameVerificationEnabled, false); - + addSSLSettingsForNodePEMFiles(builder, "xpack.security.transport.", hostnameVerificationEnabled); + builder.put(XPackSettings.TRANSPORT_SSL_ENABLED.getKey(), true); } else { - addSSLSettingsForStore(builder, "", "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks", - "testnode", sslEnabled, hostnameVerificationEnabled, false); + addSSLSettingsForStore(builder, "xpack.security.transport.", + "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks", "testnode", sslEnabled, + hostnameVerificationEnabled, false); } } else if (randomBoolean()) { builder.put(XPackSettings.TRANSPORT_SSL_ENABLED.getKey(), false); @@ -237,51 +241,38 @@ public void addClientSSLSettings(Settings.Builder builder, String prefix) { "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt", Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt", "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt"), - sslEnabled, hostnameVerificationEnabled, true); + hostnameVerificationEnabled, true); + builder.put(XPackSettings.TRANSPORT_SSL_ENABLED.getKey(), sslEnabled); } else { addSSLSettingsForStore(builder, prefix, "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.jks", "testclient", sslEnabled, hostnameVerificationEnabled, true); } } - /** - * Returns the configuration settings given the location of a certificate and its password - * - * @param resourcePathToStore the location of the keystore or truststore - * @param password the password - */ - public static void addSSLSettingsForStore(Settings.Builder builder, String resourcePathToStore, String password) { - addSSLSettingsForStore(builder, "", resourcePathToStore, password, true, true, true); - } - private static void addSSLSettingsForStore(Settings.Builder builder, String prefix, String resourcePathToStore, String password, boolean sslEnabled, boolean hostnameVerificationEnabled, boolean transportClient) { Path store = resolveResourcePath(resourcePathToStore); - - if (transportClient == false) { - builder.put(prefix + "xpack.security.http.ssl.enabled", false); - } builder.put(XPackSettings.TRANSPORT_SSL_ENABLED.getKey(), sslEnabled); - builder.put(prefix + "xpack.ssl.verification_mode", hostnameVerificationEnabled ? "full" : "certificate"); - builder.put(prefix + "xpack.ssl.keystore.path", store); + builder.put(prefix + "ssl.verification_mode", hostnameVerificationEnabled ? "full" : "certificate"); + builder.put(prefix + "ssl.keystore.path", store); if (transportClient) { // continue using insecure settings for clients until we figure out what to do there... - builder.put(prefix + "xpack.ssl.keystore.password", password); + builder.put(prefix + "ssl.keystore.password", password); } else { addSecureSettings(builder, secureSettings -> - secureSettings.setString(prefix + "xpack.ssl.keystore.secure_password", password)); + secureSettings.setString(prefix + "ssl.keystore.secure_password", password)); } if (randomBoolean()) { - builder.put(prefix + "xpack.ssl.truststore.path", store); + builder.put(prefix + "ssl.truststore.path", store); if (transportClient) { // continue using insecure settings for clients until we figure out what to do there... - builder.put(prefix + "xpack.ssl.truststore.password", password); + builder.put(prefix + "ssl.truststore.password", password); } else { addSecureSettings(builder, secureSettings -> - secureSettings.setString(prefix + "xpack.ssl.truststore.secure_password", password)); + secureSettings.setString(prefix + "ssl.truststore.secure_password", password)); } } } @@ -299,31 +290,26 @@ private static void addSSLSettingsForStore(Settings.Builder builder, String pref */ public static void addSSLSettingsForPEMFiles(Settings.Builder builder, String keyPath, String password, String certificatePath, List trustedCertificates) { - addSSLSettingsForPEMFiles(builder, "", keyPath, password, certificatePath, trustedCertificates, true, true, true); + addSSLSettingsForPEMFiles(builder, "xpack.security.transport.", keyPath, password, certificatePath, trustedCertificates, true, + true); } private static void addSSLSettingsForPEMFiles(Settings.Builder builder, String prefix, String keyPath, String password, - String certificatePath, List trustedCertificates, boolean sslEnabled, + String certificatePath, List trustedCertificates, boolean hostnameVerificationEnabled, boolean transportClient) { - - if (transportClient == false) { - builder.put(prefix + "xpack.security.http.ssl.enabled", false); - } - builder.put(XPackSettings.TRANSPORT_SSL_ENABLED.getKey(), sslEnabled); - - builder.put(prefix + "xpack.ssl.verification_mode", hostnameVerificationEnabled ? "full" : "certificate"); - builder.put(prefix + "xpack.ssl.key", resolveResourcePath(keyPath)) - .put(prefix + "xpack.ssl.certificate", resolveResourcePath(certificatePath)); + builder.put(prefix + "ssl.verification_mode", hostnameVerificationEnabled ? "full" : "certificate"); + builder.put(prefix + "ssl.key", resolveResourcePath(keyPath)) + .put(prefix + "ssl.certificate", resolveResourcePath(certificatePath)); if (transportClient) { // continue using insecure settings for clients until we figure out what to do there... - builder.put(prefix + "xpack.ssl.key_passphrase", password); + builder.put(prefix + "ssl.key_passphrase", password); } else { addSecureSettings(builder, secureSettings -> - secureSettings.setString(prefix + "xpack.ssl.secure_key_passphrase", password)); + secureSettings.setString(prefix + "ssl.secure_key_passphrase", password)); } if (trustedCertificates.isEmpty() == false) { - builder.put(prefix + "xpack.ssl.certificate_authorities", + builder.put(prefix + "ssl.certificate_authorities", Strings.arrayToCommaDelimitedString(resolvePathsToString(trustedCertificates))); } } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SettingsFilterTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SettingsFilterTests.java index 3bf3bb4dc8641..c2cd739fa9cbd 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SettingsFilterTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SettingsFilterTests.java @@ -15,6 +15,8 @@ import org.elasticsearch.common.settings.SettingsModule; import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.authc.ldap.PoolingSessionFactorySettings; +import org.elasticsearch.xpack.core.ssl.SSLConfigurationSettings; +import org.elasticsearch.xpack.core.ssl.X509KeyPairSettings; import org.elasticsearch.xpack.security.LocalStateSecurity; import org.hamcrest.Matcher; @@ -22,6 +24,7 @@ import javax.net.ssl.TrustManagerFactory; import java.util.ArrayList; +import java.util.Arrays; import java.util.Collections; import java.util.HashMap; import java.util.List; @@ -71,7 +74,6 @@ public void testFiltering() throws Exception { configureSecureSetting("xpack.security.authc.realms.pki1.truststore.secure_password", "truststore-testnode-only"); configureFilteredSetting("xpack.security.authc.realms.pki1.truststore.algorithm", "SunX509"); - configureFilteredSetting("xpack.ssl.cipher_suites", Strings.arrayToCommaDelimitedString(XPackSettings.DEFAULT_CIPHERS.toArray())); configureFilteredSetting("xpack.ssl.supported_protocols", randomFrom("TLSv1", "TLSv1.1", "TLSv1.2")); @@ -133,9 +135,20 @@ public void testFiltering() throws Exception { assertThat(filteredSettings.get(entry.getKey()), entry.getValue()); } + final SSLConfigurationSettings globalSSLSettings = SSLConfigurationSettings.withPrefix(XPackSettings.GLOBAL_SSL_PREFIX); + final X509KeyPairSettings keyPairSettings = new X509KeyPairSettings(XPackSettings.GLOBAL_SSL_PREFIX, true); + List> deprecatedSettings = new ArrayList<>(Arrays.asList(globalSSLSettings.ciphers, globalSSLSettings.supportedProtocols, + globalSSLSettings.truststoreAlgorithm, globalSSLSettings.truststorePassword, + keyPairSettings.keystoreKeyPassword, keyPairSettings.keystorePassword, keyPairSettings.keystoreAlgorithm)); + if (inFipsJvm() == false) { + deprecatedSettings.add(keyPairSettings.keystorePath); + } if (useLegacyLdapBindPassword) { - assertSettingDeprecationsAndWarnings(new Setting[]{PoolingSessionFactorySettings.LEGACY_BIND_PASSWORD}); + deprecatedSettings.add(PoolingSessionFactorySettings.LEGACY_BIND_PASSWORD); } + assertSettingDeprecationsAndWarnings(deprecatedSettings.toArray(new Setting[0]), "SSL configuration [xpack.http.ssl] relies " + + "upon fallback to another configuration for [key configuration, trust configuration, supported protocols], " + + "which is deprecated."); } private void configureUnfilteredSetting(String settingName, String value) { diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheckTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheckTests.java index 1e30f1b9ee07a..d92a10f305304 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheckTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheckTests.java @@ -39,8 +39,9 @@ public void testBootstrapCheckWithPkiRealm() throws Exception { // disable client auth default settings = Settings.builder().put(settings) - .put("xpack.ssl.client_authentication", "none") - .build(); + .put("xpack.watcher.enabled", false) // avoid deprecation warning for xpack.http.ssl + .put("xpack.ssl.client_authentication", "none") + .build(); env = TestEnvironment.newEnvironment(settings); assertTrue(runCheck(settings, env).isFailure()); @@ -79,6 +80,9 @@ public void testBootstrapCheckWithPkiRealm() throws Exception { .build(); env = TestEnvironment.newEnvironment(settings); assertFalse(runCheck(settings, env).isFailure()); + + assertWarnings("SSL configuration [xpack.security.transport.ssl.] relies upon fallback to another configuration for " + + "[client authentication], which is deprecated."); } private BootstrapCheck.BootstrapCheckResult runCheck(Settings settings, Environment env) throws Exception { @@ -87,11 +91,12 @@ private BootstrapCheck.BootstrapCheckResult runCheck(Settings settings, Environm public void testBootstrapCheckWithDisabledRealm() throws Exception { Settings settings = Settings.builder() - .put("xpack.security.authc.realms.test_pki.type", PkiRealmSettings.TYPE) - .put("xpack.security.authc.realms.test_pki.enabled", false) - .put("xpack.ssl.client_authentication", "none") - .put("path.home", createTempDir()) - .build(); + .put("xpack.security.authc.realms.test_pki.type", PkiRealmSettings.TYPE) + .put("xpack.security.authc.realms.test_pki.enabled", false) + .put("xpack.ssl.client_authentication", "none") + .put("xpack.watcher.enabled", false) // avoid deprecation warning for xpack.http.ssl + .put("path.home", createTempDir()) + .build(); Environment env = TestEnvironment.newEnvironment(settings); assertFalse(runCheck(settings, env).isFailure()); } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/index/IndexAuditTrailTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/index/IndexAuditTrailTests.java index 32a2be9d5a711..74d0390320db1 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/index/IndexAuditTrailTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/index/IndexAuditTrailTests.java @@ -236,7 +236,7 @@ protected void addDefaultSecurityTransportType(Settings.Builder builder, Setting SecuritySettingsSourceField.TEST_PASSWORD); if (remoteUseSSL) { - cluster2SettingsSource.addClientSSLSettings(builder, "xpack.security.audit.index.client."); + cluster2SettingsSource.addClientSSLSettings(builder, "xpack.security.audit.index.client.xpack.security.transport."); builder.put("xpack.security.audit.index.client.xpack.security.transport.ssl.enabled", true); } if (useSecurity == false && builder.get(NetworkModule.TRANSPORT_TYPE_KEY) == null) { diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/index/RemoteIndexAuditTrailStartingTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/index/RemoteIndexAuditTrailStartingTests.java index 12ff9de4a5f5f..9f679309a73c6 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/index/RemoteIndexAuditTrailStartingTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/index/RemoteIndexAuditTrailStartingTests.java @@ -111,7 +111,7 @@ public Settings nodeSettings(int nodeOrdinal) { .put("xpack.security.audit.index.settings.index.number_of_shards", 1) .put("xpack.security.audit.index.settings.index.number_of_replicas", 0); - addClientSSLSettings(builder, "xpack.security.audit.index.client."); + addClientSSLSettings(builder, "xpack.security.audit.index.client.xpack.security.transport."); builder.put("xpack.security.audit.index.client.xpack.security.transport.ssl.enabled", sslEnabled); return builder.build(); } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/ESNativeMigrateToolTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/ESNativeMigrateToolTests.java index 27f6ff69b7f3e..0bba0902abb37 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/ESNativeMigrateToolTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/ESNativeMigrateToolTests.java @@ -16,17 +16,16 @@ import org.elasticsearch.common.settings.Settings; import org.elasticsearch.env.Environment; import org.elasticsearch.test.NativeRealmIntegTestCase; -import org.elasticsearch.test.SecuritySettingsSource; import org.elasticsearch.xpack.core.security.client.SecurityClient; import org.elasticsearch.xpack.security.support.SecurityIndexManager; import org.junit.BeforeClass; import java.nio.charset.StandardCharsets; import java.nio.file.Path; -import java.util.Arrays; import java.util.HashSet; import java.util.Set; +import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForNodePEMFiles; import static org.hamcrest.Matchers.containsString; import static org.hamcrest.Matchers.is; @@ -46,12 +45,11 @@ public static void setSSL() { @Override public Settings nodeSettings(int nodeOrdinal) { logger.info("--> use SSL? {}", useSSL); - Settings s = Settings.builder() - .put(super.nodeSettings(nodeOrdinal)) - .put(NetworkModule.HTTP_ENABLED.getKey(), true) - .put("xpack.security.http.ssl.enabled", useSSL) - .build(); - return s; + Settings.Builder builder = Settings.builder().put(super.nodeSettings(nodeOrdinal)); + addSSLSettingsForNodePEMFiles(builder, "xpack.security.http.", true); + return builder.put(NetworkModule.HTTP_ENABLED.getKey(), true) + .put("xpack.security.http.ssl.enabled", useSSL) + .build(); } @Override @@ -75,7 +73,7 @@ public void testRetrieveUsers() throws Exception { SecurityClient c = new SecurityClient(client()); logger.error("--> creating users"); int numToAdd = randomIntBetween(1,10); - Set addedUsers = new HashSet(numToAdd); + Set addedUsers = new HashSet<>(numToAdd); for (int i = 0; i < numToAdd; i++) { String uname = randomAlphaOfLength(5); c.preparePutUser(uname, "s3kirt".toCharArray(), getFastStoredHashAlgoForTests(), "role1", "user").get(); @@ -93,12 +91,7 @@ public void testRetrieveUsers() throws Exception { Settings.Builder builder = Settings.builder() .put("path.home", home) .put("path.conf", conf.toString()); - SecuritySettingsSource.addSSLSettingsForPEMFiles( - builder, - "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem", - "testnode", - "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt", - Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt")); + addSSLSettingsForNodePEMFiles(builder, "xpack.security.http.", true); Settings settings = builder.build(); logger.error("--> retrieving users using URL: {}, home: {}", url, home); @@ -139,11 +132,7 @@ public void testRetrieveRoles() throws Exception { String url = getHttpURL(); ESNativeRealmMigrateTool.MigrateUserOrRoles muor = new ESNativeRealmMigrateTool.MigrateUserOrRoles(); Settings.Builder builder = Settings.builder().put("path.home", home); - SecuritySettingsSource.addSSLSettingsForPEMFiles(builder, - "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.pem", - "testclient", - "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt", - Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt")); + addSSLSettingsForNodePEMFiles(builder, "xpack.security.http.", true); Settings settings = builder.build(); logger.error("--> retrieving roles using URL: {}, home: {}", url, home); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/tool/CommandLineHttpClientTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/tool/CommandLineHttpClientTests.java index 9b8c3878a038d..256bd749eb135 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/tool/CommandLineHttpClientTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/tool/CommandLineHttpClientTests.java @@ -62,6 +62,7 @@ public void testCommandLineHttpClientCanExecuteAndReturnCorrectResultUsingSSLSet // with global settings secureSettings.setString("xpack.ssl.truststore.secure_password", "testnode"); settings = Settings.builder() + .put("xpack.watcher.enabled", false) // to avoid xpack.http.ssl deprecation warnings .put("xpack.ssl.certificate_authorities", certPath.toString()) .put("xpack.ssl.verification_mode", VerificationMode.CERTIFICATE) .setSecureSettings(secureSettings) @@ -82,6 +83,7 @@ private MockWebServer createMockWebServer() { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode"); Settings settings = Settings.builder() + .put("xpack.watcher.enabled", false) // to avoid xpack.http.ssl deprecation warnings .put("xpack.ssl.key", keyPath.toString()) .put("xpack.ssl.certificate", certPath.toString()) .setSecureSettings(secureSettings) diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapTestUtils.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapTestUtils.java index 966f2e3f5492d..0906d1ac3f762 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapTestUtils.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapTestUtils.java @@ -13,7 +13,6 @@ import org.elasticsearch.common.settings.Settings; import org.elasticsearch.env.Environment; import org.elasticsearch.env.TestEnvironment; -import org.elasticsearch.test.ESTestCase; import org.elasticsearch.xpack.core.security.authc.ldap.support.SessionFactorySettings; import org.elasticsearch.xpack.core.ssl.SSLConfiguration; import org.elasticsearch.xpack.core.ssl.SSLService; @@ -29,26 +28,16 @@ private LdapTestUtils() { } public static LDAPConnection openConnection(String url, String bindDN, String bindPassword, Path truststore) throws Exception { - boolean useGlobalSSL = ESTestCase.randomBoolean(); Settings.Builder builder = Settings.builder().put("path.home", LuceneTestCase.createTempDir()); MockSecureSettings secureSettings = new MockSecureSettings(); builder.setSecureSettings(secureSettings); - if (useGlobalSSL) { - builder.put("xpack.ssl.truststore.path", truststore); - // fake realm to load config with certificate verification mode - builder.put("xpack.security.authc.realms.bar.ssl.truststore.path", truststore); - builder.put("xpack.security.authc.realms.bar.ssl.verification_mode", VerificationMode.CERTIFICATE); - secureSettings.setString("xpack.ssl.truststore.secure_password", "changeit"); - secureSettings.setString("xpack.security.authc.realms.bar.ssl.truststore.secure_password", "changeit"); - } else { - // fake realms so ssl will get loaded - builder.put("xpack.security.authc.realms.foo.ssl.truststore.path", truststore); - builder.put("xpack.security.authc.realms.foo.ssl.verification_mode", VerificationMode.FULL); - builder.put("xpack.security.authc.realms.bar.ssl.truststore.path", truststore); - builder.put("xpack.security.authc.realms.bar.ssl.verification_mode", VerificationMode.CERTIFICATE); - secureSettings.setString("xpack.security.authc.realms.foo.ssl.truststore.secure_password", "changeit"); - secureSettings.setString("xpack.security.authc.realms.bar.ssl.truststore.secure_password", "changeit"); - } + // fake realms so ssl will get loaded + builder.put("xpack.security.authc.realms.foo.ssl.truststore.path", truststore); + builder.put("xpack.security.authc.realms.foo.ssl.verification_mode", VerificationMode.FULL); + builder.put("xpack.security.authc.realms.bar.ssl.truststore.path", truststore); + builder.put("xpack.security.authc.realms.bar.ssl.verification_mode", VerificationMode.CERTIFICATE); + secureSettings.setString("xpack.security.authc.realms.foo.ssl.truststore.secure_password", "changeit"); + secureSettings.setString("xpack.security.authc.realms.bar.ssl.truststore.secure_password", "changeit"); Settings settings = builder.build(); Environment env = TestEnvironment.newEnvironment(settings); SSLService sslService = new SSLService(settings, env); @@ -60,12 +49,7 @@ public static LDAPConnection openConnection(String url, String bindDN, String bi options.setConnectTimeoutMillis(Math.toIntExact(SessionFactorySettings.TIMEOUT_DEFAULT.millis())); options.setResponseTimeoutMillis(SessionFactorySettings.TIMEOUT_DEFAULT.millis()); - final SSLConfiguration sslConfiguration; - if (useGlobalSSL) { - sslConfiguration = sslService.getSSLConfiguration("xpack.ssl"); - } else { - sslConfiguration = sslService.getSSLConfiguration("xpack.security.authc.realms.foo.ssl"); - } + final SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.security.authc.realms.foo.ssl"); return LdapUtils.privilegedConnect(() -> new LDAPConnection(sslService.sslSocketFactory(sslConfiguration), options, ldapurl.getHost(), ldapurl.getPort(), bindDN, bindPassword)); } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapUserSearchSessionFactoryTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapUserSearchSessionFactoryTests.java index 19b0d4e71bb8a..1f3f34fba4ba0 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapUserSearchSessionFactoryTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapUserSearchSessionFactoryTests.java @@ -65,6 +65,7 @@ public void init() throws Exception { globalSettings = Settings.builder() .put("path.home", createTempDir()) .put("xpack.ssl.certificate_authorities", certPath) + .put("xpack.watcher.enabled", false) // to avoid xpack.http.ssl deprecation warnings .build(); sslService = new SSLService(globalSettings, env); threadPool = new TestThreadPool("LdapUserSearchSessionFactoryTests"); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiAuthenticationTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiAuthenticationTests.java index 1f6e8cdeca600..ab3679b804a10 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiAuthenticationTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiAuthenticationTests.java @@ -58,8 +58,9 @@ protected Settings nodeSettings() { SSLClientAuth sslClientAuth = randomBoolean() ? SSLClientAuth.REQUIRED : SSLClientAuth.OPTIONAL; Settings.Builder builder = Settings.builder() - .put(super.nodeSettings()) - .put(NetworkModule.HTTP_ENABLED.getKey(), true) + .put(super.nodeSettings()); + SecuritySettingsSource.addSSLSettingsForNodePEMFiles(builder, "xpack.security.http.", true); + builder.put(NetworkModule.HTTP_ENABLED.getKey(), true) .put("xpack.security.http.ssl.enabled", true) .put("xpack.security.http.ssl.client_authentication", sslClientAuth) .put("xpack.security.authc.realms.file.type", FileRealmSettings.TYPE) @@ -94,8 +95,7 @@ public void testTransportClientCanAuthenticateViaPki() { "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem", "testnode", "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt", - Arrays.asList - ("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt")); + Collections.singletonList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt")); try (TransportClient client = createTransportClient(builder.build())) { client.addTransportAddress(randomFrom(node().injector().getInstance(Transport.class).boundAddress().boundAddresses())); IndexResponse response = client.prepareIndex("foo", "bar").setSource("pki", "auth").get(); @@ -159,13 +159,14 @@ private SSLContext getRestSSLContext(String keyPath, String password, String cer private TransportClient createTransportClient(Settings additionalSettings) { Settings clientSettings = transportClientSettings(); - if (additionalSettings.getByPrefix("xpack.ssl.").isEmpty() == false) { - clientSettings = clientSettings.filter(k -> k.startsWith("xpack.ssl.") == false); + if (additionalSettings.getByPrefix("xpack.security.transport.ssl.").isEmpty() == false) { + clientSettings = clientSettings.filter(k -> k.startsWith("xpack.security.transport.ssl.") == false); } Settings.Builder builder = Settings.builder().put(clientSettings, false) - .put(additionalSettings) - .put("cluster.name", node().settings().get("cluster.name")); + .put("xpack.security.transport.ssl.enabled", true) + .put(additionalSettings) + .put("cluster.name", node().settings().get("cluster.name")); builder.remove(SecurityField.USER_SETTING.getKey()); builder.remove("request.headers.Authorization"); return new TestXPackTransportClient(builder.build(), LocalStateSecurity.class); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiOptionalClientAuthTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiOptionalClientAuthTests.java index a2f15539ec64f..679ef23f327f9 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiOptionalClientAuthTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiOptionalClientAuthTests.java @@ -30,6 +30,7 @@ import java.security.KeyStore; import java.security.SecureRandom; +import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForNodePEMFiles; import static org.hamcrest.Matchers.is; public class PkiOptionalClientAuthTests extends SecuritySingleNodeTestCase { @@ -46,20 +47,21 @@ protected Settings nodeSettings() { String randomClientPortRange = randomClientPort + "-" + (randomClientPort+100); Settings.Builder builder = Settings.builder() - .put(super.nodeSettings()) - .put(NetworkModule.HTTP_ENABLED.getKey(), true) - .put("xpack.security.http.ssl.enabled", true) - .put("xpack.security.http.ssl.client_authentication", SSLClientAuth.OPTIONAL) - .put("xpack.security.authc.realms.file.type", "file") - .put("xpack.security.authc.realms.file.order", "0") - .put("xpack.security.authc.realms.pki1.type", "pki") - .put("xpack.security.authc.realms.pki1.order", "1") - .put("xpack.security.authc.realms.pki1.truststore.path", - getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/truststore-testnode-only.jks")) - .put("xpack.security.authc.realms.pki1.files.role_mapping", getDataPath("role_mapping.yml")) - .put("transport.profiles.want_client_auth.port", randomClientPortRange) - .put("transport.profiles.want_client_auth.bind_host", "localhost") - .put("transport.profiles.want_client_auth.xpack.security.ssl.client_authentication", SSLClientAuth.OPTIONAL); + .put(super.nodeSettings()); + addSSLSettingsForNodePEMFiles(builder, "xpack.security.http.", true); + builder.put(NetworkModule.HTTP_ENABLED.getKey(), true) + .put("xpack.security.http.ssl.enabled", true) + .put("xpack.security.http.ssl.client_authentication", SSLClientAuth.OPTIONAL) + .put("xpack.security.authc.realms.file.type", "file") + .put("xpack.security.authc.realms.file.order", "0") + .put("xpack.security.authc.realms.pki1.type", "pki") + .put("xpack.security.authc.realms.pki1.order", "1") + .put("xpack.security.authc.realms.pki1.truststore.path", + getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/truststore-testnode-only.jks")) + .put("xpack.security.authc.realms.pki1.files.role_mapping", getDataPath("role_mapping.yml")) + .put("transport.profiles.want_client_auth.port", randomClientPortRange) + .put("transport.profiles.want_client_auth.bind_host", "localhost") + .put("transport.profiles.want_client_auth.xpack.security.ssl.client_authentication", SSLClientAuth.OPTIONAL); SecuritySettingsSource.addSecureSettings(builder, secureSettings -> secureSettings.setString("xpack.security.authc.realms.pki1.truststore.secure_password", "truststore-testnode-only")); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java index 80bfdc03da482..22b13f8330752 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java @@ -123,6 +123,7 @@ public void testReadIdpMetadataFromHttps() throws Exception { final MockSecureSettings mockSecureSettings = new MockSecureSettings(); mockSecureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode"); final Settings settings = Settings.builder() + .put("xpack.watcher.enabled", false) // disable watcher to avoid xpack.http.ssl deprecation warning .put("xpack.ssl.key", getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem")) .put("xpack.ssl.certificate", diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/AbstractSimpleSecurityTransportTestCase.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/AbstractSimpleSecurityTransportTestCase.java index 83b9899f72aa0..f07cc3d58e915 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/AbstractSimpleSecurityTransportTestCase.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/AbstractSimpleSecurityTransportTestCase.java @@ -55,12 +55,20 @@ protected SSLService createSSLService(Settings settings) { Path testnodeCert = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"); Path testnodeKey = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem"); MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode"); + secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); + secureSettings.setString("transport.profiles.some_profile.xpack.security.ssl.secure_key_passphrase", "testnode"); + secureSettings.setString("transport.profiles.some_other_profile.xpack.security.ssl.secure_key_passphrase", "testnode"); Settings settings1 = Settings.builder() .put(settings) .put("xpack.security.transport.ssl.enabled", true) - .put("xpack.ssl.key", testnodeKey) - .put("xpack.ssl.certificate", testnodeCert) + .put("xpack.security.transport.ssl.key", testnodeKey) + .put("xpack.security.transport.ssl.certificate", testnodeCert) + .put("transport.profiles.some_profile.xpack.security.ssl.enabled", true) + .put("transport.profiles.some_profile.xpack.security.ssl.key", testnodeKey) + .put("transport.profiles.some_profile.xpack.security.ssl.certificate", testnodeCert) + .put("transport.profiles.some_other_profile.xpack.security.ssl.enabled", true) + .put("transport.profiles.some_other_profile.xpack.security.ssl.key", testnodeKey) + .put("transport.profiles.some_other_profile.xpack.security.ssl.certificate", testnodeCert) .put("path.home", createTempDir()) .setSecureSettings(secureSettings) .build(); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ServerTransportFilterIntegrationTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ServerTransportFilterIntegrationTests.java index 4b4d0a37ab66a..d3c90dab54bc2 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ServerTransportFilterIntegrationTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ServerTransportFilterIntegrationTests.java @@ -40,6 +40,7 @@ import java.nio.file.Files; import java.nio.file.Path; import java.util.Arrays; +import java.util.Collections; import java.util.concurrent.CountDownLatch; import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForPEMFiles; @@ -67,7 +68,7 @@ protected Settings nodeSettings(int nodeOrdinal) { Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"); settingsBuilder.put(super.nodeSettings(nodeOrdinal)) .putList("transport.profiles.client.xpack.security.ssl.certificate_authorities", - Arrays.asList(certPath.toString())) // settings for client truststore + Collections.singletonList(certPath.toString())) // settings for client truststore .put("xpack.ssl.client_authentication", SSLClientAuth.REQUIRED) .put("transport.profiles.client.xpack.security.type", "client") .put("transport.profiles.client.port", randomClientPortRange) @@ -104,6 +105,7 @@ public void testThatConnectionToServerTypeConnectionWorks() throws IOException, internalCluster().getInstance(Settings.class).get("discovery.zen.minimum_master_nodes")) .put("xpack.security.enabled", true) .put("xpack.security.audit.enabled", false) + .put("xpack.security.transport.ssl.enabled", true) .put(XPackSettings.WATCHER_ENABLED.getKey(), false) .put("path.home", home) .put(NetworkModule.HTTP_ENABLED.getKey(), false) @@ -115,7 +117,7 @@ public void testThatConnectionToServerTypeConnectionWorks() throws IOException, "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem", "testnode", "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt", - Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt")); + Collections.singletonList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt")); try (Node node = new MockNode(nodeSettings.build(), Arrays.asList(LocalStateSecurity.class, TestZenDiscovery.TestPlugin.class))) { node.start(); ensureStableCluster(cluster().size() + 1); @@ -146,6 +148,7 @@ public void testThatConnectionToClientTypeConnectionIsRejected() throws IOExcept internalCluster().getInstance(Settings.class).get("discovery.zen.minimum_master_nodes")) .put("xpack.security.enabled", true) .put("xpack.security.audit.enabled", false) + .put("xpack.security.transport.ssl.enabled", true) .put(XPackSettings.WATCHER_ENABLED.getKey(), false) .put(NetworkModule.HTTP_ENABLED.getKey(), false) .put("discovery.initial_state_timeout", "0s") @@ -158,7 +161,7 @@ public void testThatConnectionToClientTypeConnectionIsRejected() throws IOExcept "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem", "testnode", "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt", - Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt")); + Collections.singletonList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt")); try (Node node = new MockNode(nodeSettings.build(), Arrays.asList(LocalStateSecurity.class, TestZenDiscovery.TestPlugin.class))) { node.start(); TransportService instance = node.injector().getInstance(TransportService.class); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/IPHostnameVerificationTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/IPHostnameVerificationTests.java index 130fa22603940..a8de5e7ed5b40 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/IPHostnameVerificationTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/IPHostnameVerificationTests.java @@ -33,7 +33,8 @@ protected boolean transportSSLEnabled() { protected Settings nodeSettings(int nodeOrdinal) { Settings settings = super.nodeSettings(nodeOrdinal); Settings.Builder builder = Settings.builder() - .put(settings.filter((s) -> s.startsWith("xpack.ssl.") == false), false); + .put(settings.filter((s) -> s.startsWith("xpack.security.transport.ssl.") == false || + s.equals("xpack.security.transport.ssl.enabled")), false); settings = builder.build(); // The default Unicast test behavior is to use 'localhost' with the port number. For this test we need to use IP @@ -56,27 +57,29 @@ protected Settings nodeSettings(int nodeOrdinal) { } SecuritySettingsSource.addSecureSettings(settingsBuilder, secureSettings -> { - secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode-ip-only"); + secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode-ip-only"); }); - return settingsBuilder.put("xpack.ssl.key", keyPath.toAbsolutePath()) - .put("xpack.ssl.certificate", certPath.toAbsolutePath()) - .put("xpack.ssl.certificate_authorities", certPath.toAbsolutePath()) + return settingsBuilder.put("xpack.security.transport.ssl.key", keyPath.toAbsolutePath()) + .put("xpack.security.transport.ssl.certificate", certPath.toAbsolutePath()) + .put("xpack.security.transport.ssl.certificate_authorities", certPath.toAbsolutePath()) .put(TransportSettings.BIND_HOST.getKey(), "127.0.0.1") .put("network.host", "127.0.0.1") - .put("xpack.ssl.client_authentication", SSLClientAuth.NONE) - .put("xpack.ssl.verification_mode", "full") + .put("xpack.security.transport.ssl.client_authentication", SSLClientAuth.NONE) + .put("xpack.security.transport.ssl.verification_mode", "full") .build(); } @Override protected Settings transportClientSettings() { Settings clientSettings = super.transportClientSettings(); - return Settings.builder().put(clientSettings.filter(k -> k.startsWith("xpack.ssl.") == false)) - .put("xpack.ssl.verification_mode", "certificate") - .put("xpack.ssl.key", keyPath.toAbsolutePath()) - .put("xpack.ssl.certificate", certPath.toAbsolutePath()) - .put("xpack.ssl.key_passphrase", "testnode-ip-only") - .put("xpack.ssl.certificate_authorities", certPath) + return Settings.builder() + .put(clientSettings + .filter(k -> k.startsWith("xpack.security.transport.ssl.") == false || k.equals("xpack.security.transport.ssl.enabled"))) + .put("xpack.security.transport.ssl.verification_mode", "certificate") + .put("xpack.security.transport.ssl.key", keyPath.toAbsolutePath()) + .put("xpack.security.transport.ssl.certificate", certPath.toAbsolutePath()) + .put("xpack.security.transport.ssl.key_passphrase", "testnode-ip-only") + .put("xpack.security.transport.ssl.certificate_authorities", certPath) .build(); } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SecurityNetty4HttpServerTransportTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SecurityNetty4HttpServerTransportTests.java index c57ea34bc9738..0bba72584d9d1 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SecurityNetty4HttpServerTransportTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SecurityNetty4HttpServerTransportTests.java @@ -50,10 +50,10 @@ public void createSSLService() throws Exception { testnodeKey = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem"); MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode"); + secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode"); Settings settings = Settings.builder() - .put("xpack.ssl.key", testnodeKey) - .put("xpack.ssl.certificate", testnodeCert) + .put("xpack.security.http.ssl.key", testnodeKey) + .put("xpack.security.http.ssl.certificate", testnodeCert) .put("path.home", createTempDir()) .setSecureSettings(secureSettings) .build(); @@ -186,7 +186,7 @@ public void testDoesNotChangeExplicitlySetCompression() throws Exception { public void testThatExceptionIsThrownWhenConfiguredWithoutSslKey() throws Exception { Settings settings = Settings.builder() - .put("xpack.ssl.certificate_authorities", testnodeCert) + .put("xpack.security.http.ssl.certificate_authorities", testnodeCert) .put(XPackSettings.HTTP_SSL_ENABLED.getKey(), true) .put("path.home", createTempDir()) .build(); @@ -199,12 +199,8 @@ public void testThatExceptionIsThrownWhenConfiguredWithoutSslKey() throws Except } public void testNoExceptionWhenConfiguredWithoutSslKeySSLDisabled() throws Exception { - MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode"); Settings settings = Settings.builder() - .put("xpack.ssl.key", testnodeKey) - .put("xpack.ssl.certificate", testnodeCert) - .setSecureSettings(secureSettings) + .put("xpack.security.http.ssl.certificate", testnodeCert) .put("path.home", createTempDir()) .build(); env = TestEnvironment.newEnvironment(settings); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SecurityNetty4ServerTransportTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SecurityNetty4ServerTransportTests.java index 32f9828011849..54f9c90cc37f9 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SecurityNetty4ServerTransportTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SecurityNetty4ServerTransportTests.java @@ -44,11 +44,11 @@ public void createSSLService() throws Exception { Path testnodeCert = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"); Path testnodeKey = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem"); MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode"); + secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); Settings settings = Settings.builder() .put("xpack.security.transport.ssl.enabled", true) - .put("xpack.ssl.key", testnodeKey) - .put("xpack.ssl.certificate", testnodeCert) + .put("xpack.security.transport.ssl.key", testnodeKey) + .put("xpack.security.transport.ssl.certificate", testnodeCert) .setSecureSettings(secureSettings) .put("path.home", createTempDir()) .build(); @@ -97,7 +97,7 @@ public void testRequiredClientAuth() throws Exception { String value = randomFrom(SSLClientAuth.REQUIRED.name(), SSLClientAuth.REQUIRED.name().toLowerCase(Locale.ROOT)); Settings settings = Settings.builder() .put(env.settings()) - .put("xpack.ssl.client_authentication", value) + .put("xpack.security.transport.ssl.client_authentication", value) .build(); sslService = new SSLService(settings, env); SecurityNetty4Transport transport = createTransport(settings); @@ -111,7 +111,7 @@ public void testNoClientAuth() throws Exception { String value = randomFrom(SSLClientAuth.NONE.name(), SSLClientAuth.NONE.name().toLowerCase(Locale.ROOT)); Settings settings = Settings.builder() .put(env.settings()) - .put("xpack.ssl.client_authentication", value) + .put("xpack.security.transport.ssl.client_authentication", value) .build(); sslService = new SSLService(settings, env); SecurityNetty4Transport transport = createTransport(settings); @@ -125,7 +125,7 @@ public void testOptionalClientAuth() throws Exception { String value = randomFrom(SSLClientAuth.OPTIONAL.name(), SSLClientAuth.OPTIONAL.name().toLowerCase(Locale.ROOT)); Settings settings = Settings.builder() .put(env.settings()) - .put("xpack.ssl.client_authentication", value) + .put("xpack.security.transport.ssl.client_authentication", value) .build(); sslService = new SSLService(settings, env); SecurityNetty4Transport transport = createTransport(settings); @@ -148,6 +148,8 @@ public void testProfileRequiredClientAuth() throws Exception { final EmbeddedChannel ch = new EmbeddedChannel(handler); assertThat(ch.pipeline().get(SslHandler.class).engine().getNeedClientAuth(), is(true)); assertThat(ch.pipeline().get(SslHandler.class).engine().getWantClientAuth(), is(false)); + assertWarnings("SSL configuration [transport.profiles.client.xpack.security.ssl] relies upon fallback to another configuration " + + "for [key configuration, trust configuration], which is deprecated."); } public void testProfileNoClientAuth() throws Exception { @@ -163,6 +165,8 @@ public void testProfileNoClientAuth() throws Exception { final EmbeddedChannel ch = new EmbeddedChannel(handler); assertThat(ch.pipeline().get(SslHandler.class).engine().getNeedClientAuth(), is(false)); assertThat(ch.pipeline().get(SslHandler.class).engine().getWantClientAuth(), is(false)); + assertWarnings("SSL configuration [transport.profiles.client.xpack.security.ssl] relies upon fallback to another configuration " + + "for [key configuration, trust configuration], which is deprecated."); } public void testProfileOptionalClientAuth() throws Exception { @@ -178,12 +182,15 @@ public void testProfileOptionalClientAuth() throws Exception { final EmbeddedChannel ch = new EmbeddedChannel(handler); assertThat(ch.pipeline().get(SslHandler.class).engine().getNeedClientAuth(), is(false)); assertThat(ch.pipeline().get(SslHandler.class).engine().getWantClientAuth(), is(true)); + assertWarnings("SSL configuration [transport.profiles.client.xpack.security.ssl] relies upon fallback to another configuration " + + "for [key configuration, trust configuration], which is deprecated."); } public void testTransportSSLOverridesGlobalSSL() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); Settings.Builder builder = Settings.builder() + .put("xpack.watcher.enabled", false) // to avoid warnings for xpack.http.ssl .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.key", getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem")) diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SslHostnameVerificationTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SslHostnameVerificationTests.java index c61b5782f75c4..1dbe6a2186b51 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SslHostnameVerificationTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SslHostnameVerificationTests.java @@ -35,7 +35,8 @@ protected boolean transportSSLEnabled() { protected Settings nodeSettings(int nodeOrdinal) { Settings settings = super.nodeSettings(nodeOrdinal); Settings.Builder settingsBuilder = Settings.builder(); - settingsBuilder.put(settings.filter(k -> k.startsWith("xpack.ssl.") == false), false); + settingsBuilder.put(settings.filter( + k -> k.startsWith("xpack.security.transport.ssl.") == false || k.equals("xpack.security.transport.ssl.enabled")), false); Path keyPath; Path certPath; Path nodeCertPath; @@ -89,7 +90,8 @@ protected Settings transportClientSettings() { Settings settings = super.transportClientSettings(); // remove all ssl settings Settings.Builder builder = Settings.builder(); - builder.put(settings.filter( k -> k.startsWith("xpack.ssl.") == false), false); + builder.put(settings.filter( + k -> k.startsWith("xpack.security.transport.ssl.") == false || k.equals("xpack.security.transport.ssl.enabled")), false); builder.put("xpack.ssl.verification_mode", "certificate") .put("xpack.ssl.key", keyPath.toAbsolutePath()) diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/EllipticCurveSSLTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/EllipticCurveSSLTests.java index df49103a25999..60607a6bc7634 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/EllipticCurveSSLTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/EllipticCurveSSLTests.java @@ -42,12 +42,14 @@ protected Settings nodeSettings(int nodeOrdinal) { final Path keyPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/prime256v1-key.pem"); final Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/prime256v1-cert.pem"); return Settings.builder() - .put(super.nodeSettings(nodeOrdinal).filter(s -> s.startsWith("xpack.ssl") == false)) - .put("xpack.ssl.key", keyPath) - .put("xpack.ssl.certificate", certPath) - .put("xpack.ssl.certificate_authorities", certPath) - .put("xpack.ssl.verification_mode", "certificate") // disable hostname verificate since these certs aren't setup for that - .build(); + .put(super.nodeSettings(nodeOrdinal) + .filter(s -> s.startsWith("xpack.security.transport.ssl") == false || s.equals("xpack.security.transport.ssl.enabled"))) + .put("xpack.security.transport.ssl.key", keyPath) + .put("xpack.security.transport.ssl.certificate", certPath) + .put("xpack.security.transport.ssl.certificate_authorities", certPath) + // disable hostname verification since these certs aren't setup for that + .put("xpack.security.transport.ssl.verification_mode", "certificate") + .build(); } @Override @@ -55,12 +57,14 @@ protected Settings transportClientSettings() { final Path keyPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/prime256v1-key.pem"); final Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/prime256v1-cert.pem"); return Settings.builder() - .put(super.transportClientSettings().filter(s -> s.startsWith("xpack.ssl") == false)) - .put("xpack.ssl.key", keyPath) - .put("xpack.ssl.certificate", certPath) - .put("xpack.ssl.certificate_authorities", certPath) - .put("xpack.ssl.verification_mode", "certificate") // disable hostname verification since these certs aren't setup for that - .build(); + .put(super.transportClientSettings() + .filter(s -> s.startsWith("xpack.security.transport.ssl") == false || s.equals("xpack.security.transport.ssl.enabled"))) + .put("xpack.security.transport.ssl.key", keyPath) + .put("xpack.security.transport.ssl.certificate", certPath) + .put("xpack.security.transport.ssl.certificate_authorities", certPath) + // disable hostname verification since these certs aren't setup for that + .put("xpack.security.transport.ssl.verification_mode", "certificate") + .build(); } @Override diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/SslIntegrationTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/SslIntegrationTests.java index 21ff46e34fd1f..6fda7d4c950bc 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/SslIntegrationTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/SslIntegrationTests.java @@ -43,12 +43,12 @@ import java.security.KeyStore; import java.security.SecureRandom; import java.util.ArrayList; -import java.util.Arrays; import java.util.Collections; import java.util.List; import java.util.Locale; import java.util.Set; +import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForNodePEMFiles; import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForPEMFiles; import static org.hamcrest.CoreMatchers.is; import static org.hamcrest.Matchers.containsString; @@ -57,9 +57,11 @@ public class SslIntegrationTests extends SecurityIntegTestCase { @Override protected Settings nodeSettings(int nodeOrdinal) { - return Settings.builder().put(super.nodeSettings(nodeOrdinal)) - .put(NetworkModule.HTTP_ENABLED.getKey(), true) - .put("xpack.security.http.ssl.enabled", true).build(); + Settings.Builder builder = Settings.builder().put(super.nodeSettings(nodeOrdinal)); + addSSLSettingsForNodePEMFiles(builder, "xpack.security.http.", true); + return builder.put(NetworkModule.HTTP_ENABLED.getKey(), true) + .put("xpack.security.http.ssl.enabled", true) + .build(); } @Override @@ -98,7 +100,7 @@ public void testThatTransportClientUsingSSLv3ProtocolIsRejected() { .put(transportClientSettings()) .put("node.name", "programmatic_transport_client") .put("cluster.name", internalCluster().getClusterName()) - .putList("xpack.ssl.supported_protocols", new String[]{"SSLv3"}) + .putList("xpack.security.transport.ssl.supported_protocols", new String[]{"SSLv3"}) .build(), LocalStateSecurity.class)) { TransportAddress transportAddress = randomFrom(internalCluster().getInstance(Transport.class).boundAddress().boundAddresses()); @@ -117,13 +119,13 @@ public void testThatConnectionToHTTPWorks() throws Exception { builder, "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.pem", "testclient", "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt", - Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt")); + Collections.singletonList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt")); SSLService service = new SSLService(builder.build(), null); CredentialsProvider provider = new BasicCredentialsProvider(); provider.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials(nodeClientUsername(), new String(nodeClientPassword().getChars()))); - SSLConfiguration sslConfiguration = service.getSSLConfiguration("xpack.ssl"); + SSLConfiguration sslConfiguration = service.getSSLConfiguration("xpack.security.transport.ssl"); try (CloseableHttpClient client = HttpClients.custom() .setSSLSocketFactory(new SSLConnectionSocketFactory(service.sslSocketFactory(sslConfiguration), SSLConnectionSocketFactory.getDefaultHostnameVerifier())) diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/SslMultiPortTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/SslMultiPortTests.java index d3ab5d092ab5b..79bd972c69bb6 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/SslMultiPortTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/SslMultiPortTests.java @@ -83,7 +83,8 @@ protected boolean transportSSLEnabled() { private TransportClient createTransportClient(Settings additionalSettings) { Settings settings = Settings.builder() - .put(transportClientSettings().filter(s -> s.startsWith("xpack.ssl") == false)) + .put(transportClientSettings() + .filter(s -> s.startsWith("xpack.ssl") == false && s.startsWith("xpack.security.transport.ssl") == false)) .put("node.name", "programmatic_transport_client") .put("cluster.name", internalCluster().getClusterName()) .put("xpack.security.transport.ssl.enabled", true) @@ -192,7 +193,7 @@ public void testThatProfileTransportClientCannotConnectToDefaultProfile() throws "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient-client-profile.pem", "testclient-client-profile", "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient-client-profile.crt", - Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt")); + Collections.singletonList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt")); try (TransportClient transportClient = createTransportClient(builder.build())) { TransportAddress transportAddress = randomFrom(internalCluster().getInstance(Transport.class).boundAddress().boundAddresses()); transportClient.addTransportAddress(transportAddress); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLClientAuthTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLClientAuthTests.java index 448331f4db255..46fedc8826ae4 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLClientAuthTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLClientAuthTests.java @@ -21,6 +21,7 @@ import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.transport.TransportAddress; import org.elasticsearch.test.SecurityIntegTestCase; +import org.elasticsearch.test.SecuritySettingsSource; import org.elasticsearch.transport.Transport; import org.elasticsearch.xpack.core.TestXPackTransportClient; import org.elasticsearch.xpack.core.security.SecurityField; @@ -50,15 +51,16 @@ public class SSLClientAuthTests extends SecurityIntegTestCase { @Override protected Settings nodeSettings(int nodeOrdinal) { - return Settings.builder() + Settings.Builder builder = Settings.builder() .put(super.nodeSettings(nodeOrdinal)) // invert the require auth settings .put("xpack.ssl.client_authentication", SSLClientAuth.REQUIRED) - .put("xpack.security.http.ssl.enabled", true) - .put("xpack.security.http.ssl.client_authentication", SSLClientAuth.REQUIRED) .put("transport.profiles.default.xpack.security.ssl.client_authentication", SSLClientAuth.NONE) - .put(NetworkModule.HTTP_ENABLED.getKey(), true) - .build(); + .put(NetworkModule.HTTP_ENABLED.getKey(), true); + SecuritySettingsSource.addSSLSettingsForNodePEMFiles(builder, "xpack.security.http.", true); + builder.put("xpack.security.http.ssl.enabled", true) + .put("xpack.security.http.ssl.client_authentication", SSLClientAuth.REQUIRED); + return builder.build(); } @Override diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLReloadIntegTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLReloadIntegTests.java index 1097764ab1c29..2190d51ce5889 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLReloadIntegTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLReloadIntegTests.java @@ -71,14 +71,15 @@ public Settings nodeSettings(int nodeOrdinal) { Settings settings = super.nodeSettings(nodeOrdinal); Settings.Builder builder = Settings.builder() - .put(settings.filter((s) -> s.startsWith("xpack.ssl.") == false)); + .put(settings.filter((s) -> s.startsWith("xpack.security.transport.ssl.") == false)); builder.put("path.home", createTempDir()) - .put("xpack.ssl.key", nodeKeyPath) - .put("xpack.ssl.key_passphrase", "testnode") - .put("xpack.ssl.certificate", nodeCertPath) - .putList("xpack.ssl.certificate_authorities", Arrays.asList(nodeCertPath.toString(), clientCertPath.toString(), - updateableCertPath.toString())) + .put("xpack.security.transport.ssl.enabled", true) + .put("xpack.security.transport.ssl.key", nodeKeyPath) + .put("xpack.security.transport.ssl.key_passphrase", "testnode") + .put("xpack.security.transport.ssl.certificate", nodeCertPath) + .putList("xpack.security.transport.ssl.certificate_authorities", + Arrays.asList(nodeCertPath.toString(), clientCertPath.toString(), updateableCertPath.toString())) .put("resource.reload.interval.high", "1s"); return builder.build(); @@ -95,18 +96,18 @@ public void testThatSSLConfigurationReloadsOnModification() throws Exception { Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_updated.pem"), keyPath); Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_updated.crt"), certPath); MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode"); + secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); Settings settings = Settings.builder() .put("path.home", createTempDir()) - .put("xpack.ssl.key", keyPath) - .put("xpack.ssl.certificate", certPath) - .putList("xpack.ssl.certificate_authorities", Arrays.asList(nodeCertPath.toString(), clientCertPath.toString(), - updateableCertPath.toString())) + .put("xpack.security.transport.ssl.key", keyPath) + .put("xpack.security.transport.ssl.certificate", certPath) + .putList("xpack.security.transport.ssl.certificate_authorities", + Arrays.asList(nodeCertPath.toString(), clientCertPath.toString(), updateableCertPath.toString())) .setSecureSettings(secureSettings) .build(); String node = randomFrom(internalCluster().getNodeNames()); SSLService sslService = new SSLService(settings, TestEnvironment.newEnvironment(settings)); - SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.ssl"); + SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.security.transport.ssl"); SSLSocketFactory sslSocketFactory = sslService.sslSocketFactory(sslConfiguration); TransportAddress address = internalCluster() .getInstance(Transport.class, node).boundAddress().publishAddress(); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLTrustRestrictionsTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLTrustRestrictionsTests.java index 22e4a6d4d96f5..990b1c6413e9c 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLTrustRestrictionsTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLTrustRestrictionsTests.java @@ -102,9 +102,9 @@ public static void setupCertificates() throws Exception { nodeSSL = Settings.builder() .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.verification_mode", "certificate") - .putList("xpack.ssl.certificate_authorities", ca.getCertPath().toString()) - .put("xpack.ssl.key", trustedCert.getKeyPath()) - .put("xpack.ssl.certificate", trustedCert.getCertPath()) + .putList("xpack.security.transport.ssl.certificate_authorities", ca.getCertPath().toString()) + .put("xpack.security.transport.ssl.key", trustedCert.getKeyPath()) + .put("xpack.security.transport.ssl.certificate", trustedCert.getCertPath()) .build(); } @@ -122,14 +122,15 @@ public Settings nodeSettings(int nodeOrdinal) { Settings parentSettings = super.nodeSettings(nodeOrdinal); Settings.Builder builder = Settings.builder() - .put(parentSettings.filter((s) -> s.startsWith("xpack.ssl.") == false)) + .put(parentSettings + .filter((s) -> s.startsWith("xpack.ssl.") == false && s.startsWith("xpack.security.transport.ssl.") == false)) .put(nodeSSL); restrictionsPath = configPath.resolve("trust_restrictions.yml"); restrictionsTmpPath = configPath.resolve("trust_restrictions.tmp"); writeRestrictions("*.trusted"); - builder.put("xpack.ssl.trust_restrictions.path", restrictionsPath); + builder.put("xpack.security.transport.ssl.trust_restrictions.path", restrictionsPath); return builder.build(); } @@ -152,8 +153,9 @@ private void writeRestrictions(String trustedPattern) { protected Settings transportClientSettings() { Settings parentSettings = super.transportClientSettings(); Settings.Builder builder = Settings.builder() - .put(parentSettings.filter((s) -> s.startsWith("xpack.ssl.") == false)) - .put(nodeSSL); + .put(parentSettings + .filter((s) -> s.startsWith("xpack.ssl.") == false && s.startsWith("xpack.security.transport.ssl.") == false)) + .put(nodeSSL); return builder.build(); } diff --git a/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpClientTests.java b/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpClientTests.java index 519dbbeee8685..bb66b7a6a9fb8 100644 --- a/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpClientTests.java +++ b/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpClientTests.java @@ -167,8 +167,9 @@ public void testHttps() throws Exception { Path certPath = getDataPath("/org/elasticsearch/xpack/security/keystore/testnode.crt"); Path keyPath = getDataPath("/org/elasticsearch/xpack/security/keystore/testnode.pem"); MockSecureSettings secureSettings = new MockSecureSettings(); + final boolean noFallback = randomBoolean(); Settings settings; - if (randomBoolean()) { + if (noFallback) { settings = Settings.builder() .put("xpack.http.ssl.certificate_authorities", trustedCertPath) .setSecureSettings(secureSettings) @@ -186,20 +187,26 @@ public void testHttps() throws Exception { Settings settings2 = Settings.builder() .put("xpack.ssl.key", keyPath) .put("xpack.ssl.certificate", certPath) + .put("xpack.watcher.enabled", false) // avoid deprecation warning since this is used for the server .setSecureSettings(secureSettings) .build(); TestsSSLService sslService = new TestsSSLService(settings2, environment); testSslMockWebserver(client, sslService.sslContext(), false); } + + if (noFallback == false) { + assertWarnings("SSL configuration [xpack.http.ssl] relies upon fallback to another configuration for [" + + "trust configuration], which is deprecated."); + } } public void testHttpsDisableHostnameVerification() throws Exception { Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-no-subjaltname.crt"); Path keyPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-no-subjaltname.pem"); + final boolean useHttpSslSettings = randomBoolean(); Settings settings; - if (randomBoolean()) { - MockSecureSettings secureSettings = new MockSecureSettings(); + if (useHttpSslSettings) { Settings.Builder builder = Settings.builder() .put("xpack.http.ssl.certificate_authorities", certPath); if (inFipsJvm()) { @@ -227,12 +234,18 @@ public void testHttpsDisableHostnameVerification() throws Exception { Settings settings2 = Settings.builder() .put("xpack.ssl.key", keyPath) .put("xpack.ssl.certificate", certPath) + .put("xpack.watcher.enabled", false) // avoid deprecation warning since this is used for the server .setSecureSettings(secureSettings) .build(); TestsSSLService sslService = new TestsSSLService(settings2, environment); testSslMockWebserver(client, sslService.sslContext(), false); } + + if (useHttpSslSettings == false) { + assertWarnings("SSL configuration [xpack.http.ssl] relies upon fallback to another configuration for [" + + "trust configuration, certificate verification mode], which is deprecated."); + } } public void testHttpsClientAuth() throws Exception { @@ -240,9 +253,12 @@ public void testHttpsClientAuth() throws Exception { Path keyPath = getDataPath("/org/elasticsearch/xpack/security/keystore/testnode.pem"); MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode"); + secureSettings.setString("xpack.http.ssl.secure_key_passphrase", "testnode"); Settings settings = Settings.builder() .put("xpack.ssl.key", keyPath) .put("xpack.ssl.certificate", certPath) + .put("xpack.http.ssl.key", keyPath) + .put("xpack.http.ssl.certificate", certPath) .setSecureSettings(secureSettings) .build(); @@ -379,6 +395,7 @@ public void testProxyCanHaveDifferentSchemeThanRequest() throws Exception { Settings serverSettings = Settings.builder() .put("xpack.ssl.key", keyPath) .put("xpack.ssl.certificate", certPath) + .put("xpack.watcher.enabled", false) // avoid deprecation warning since this is used for the server .setSecureSettings(serverSecureSettings) .build(); TestsSSLService sslService = new TestsSSLService(serverSettings, environment); @@ -388,12 +405,16 @@ public void testProxyCanHaveDifferentSchemeThanRequest() throws Exception { proxyServer.start(); MockSecureSettings secureSettings = new MockSecureSettings(); + secureSettings.setString("xpack.http.ssl.secure_key_passphrase", "testnode"); Settings settings = Settings.builder() - .put(HttpSettings.PROXY_HOST.getKey(), "localhost") - .put(HttpSettings.PROXY_PORT.getKey(), proxyServer.getPort()) - .put(HttpSettings.PROXY_SCHEME.getKey(), "https") + .put(HttpSettings.PROXY_HOST.getKey(), "localhost") + .put(HttpSettings.PROXY_PORT.getKey(), proxyServer.getPort()) + .put(HttpSettings.PROXY_SCHEME.getKey(), "https") + .put("xpack.http.ssl.key", keyPath) + .put("xpack.http.ssl.certificate", certPath) .put("xpack.http.ssl.certificate_authorities", trustedCertPath) - .build(); + .setSecureSettings(secureSettings) + .build(); HttpRequest.Builder requestBuilder = HttpRequest.builder("localhost", webServer.getPort()) .method(HttpMethod.GET) diff --git a/x-pack/qa/full-cluster-restart/build.gradle b/x-pack/qa/full-cluster-restart/build.gradle index 71f4c87d271bc..8c260ea15f877 100644 --- a/x-pack/qa/full-cluster-restart/build.gradle +++ b/x-pack/qa/full-cluster-restart/build.gradle @@ -177,8 +177,8 @@ subprojects { setting 'xpack.security.enabled', 'true' setting 'xpack.security.transport.ssl.enabled', version.onOrAfter("5.2.0").toString() - setting 'xpack.ssl.keystore.path', 'testnode.jks' - setting 'xpack.ssl.keystore.password', 'testnode' + setting 'xpack.security.transport.ssl.keystore.path', 'testnode.jks' + setting 'xpack.security.transport.ssl.keystore.password', 'testnode' if (version.onOrAfter('6.3.0')) { setting 'xpack.license.self_generated.type', 'trial' } @@ -229,8 +229,8 @@ subprojects { // some tests rely on the translog not being flushed setting 'indices.memory.shard_inactive_time', '20m' setting 'xpack.security.enabled', 'true' - setting 'xpack.ssl.keystore.path', 'testnode.jks' - keystoreSetting 'xpack.ssl.keystore.secure_password', 'testnode' + setting 'xpack.security.transport.ssl.keystore.path', 'testnode.jks' + keystoreSetting 'xpack.security.transport.ssl.keystore.secure_password', 'testnode' setting 'xpack.license.self_generated.type', 'trial' dependsOn copyTestNodeKeystore extraConfigFile 'testnode.jks', new File(outputDir + '/testnode.jks') diff --git a/x-pack/qa/rolling-upgrade/build.gradle b/x-pack/qa/rolling-upgrade/build.gradle index f93443f95f09f..78d3eb4cae3e6 100644 --- a/x-pack/qa/rolling-upgrade/build.gradle +++ b/x-pack/qa/rolling-upgrade/build.gradle @@ -155,8 +155,8 @@ subprojects { setting 'xpack.security.authc.token.enabled', 'true' setting 'xpack.security.audit.enabled', 'true' setting 'xpack.security.audit.outputs', 'index' - setting 'xpack.ssl.keystore.path', 'testnode.jks' - setting 'xpack.ssl.keystore.password', 'testnode' + setting 'xpack.security.transport.ssl.keystore.path', 'testnode.jks' + setting 'xpack.security.transport.ssl.keystore.password', 'testnode' if (version.onOrAfter('6.0.0') == false) { // this is needed since in 5.6 we don't bootstrap the token service if there is no explicit initial password keystoreSetting 'xpack.security.authc.token.passphrase', 'xpack_token_passphrase' @@ -212,8 +212,8 @@ subprojects { setting 'xpack.license.self_generated.type', 'trial' setting 'xpack.security.enabled', 'true' setting 'xpack.security.transport.ssl.enabled', 'true' - setting 'xpack.ssl.keystore.path', 'testnode.jks' - keystoreSetting 'xpack.ssl.keystore.secure_password', 'testnode' + setting 'xpack.security.transport.ssl.keystore.path', 'testnode.jks' + keystoreSetting 'xpack.security.transport.ssl.keystore.secure_password', 'testnode' if (version.onOrAfter('6.0.0') == false) { // this is needed since in 5.6 we don't bootstrap the token service if there is no explicit initial password keystoreSetting 'xpack.security.authc.token.passphrase', 'xpack_token_passphrase' diff --git a/x-pack/qa/smoke-test-plugins-ssl/build.gradle b/x-pack/qa/smoke-test-plugins-ssl/build.gradle index 8fb7bfde9d9dc..4407dc28a7c96 100644 --- a/x-pack/qa/smoke-test-plugins-ssl/build.gradle +++ b/x-pack/qa/smoke-test-plugins-ssl/build.gradle @@ -57,7 +57,7 @@ integTestCluster { setting 'xpack.monitoring.collection.interval', '1s' setting 'xpack.monitoring.exporters._http.type', 'http' setting 'xpack.monitoring.exporters._http.enabled', 'false' - setting 'xpack.ssl.certificate_authorities', 'testnode.crt' + setting 'xpack.monitoring.exporters._http.ssl.certificate_authorities', 'testnode.crt' setting 'xpack.monitoring.exporters._http.auth.username', 'monitoring_agent' setting 'xpack.monitoring.exporters._http.auth.password', 'x-pack-test-password' setting 'xpack.monitoring.exporters._http.ssl.verification_mode', 'full' @@ -68,6 +68,7 @@ integTestCluster { setting 'xpack.security.http.ssl.enabled', 'true' setting 'xpack.security.http.ssl.key', 'testnode.pem' setting 'xpack.security.http.ssl.certificate', 'testnode.crt' + setting 'xpack.security.http.ssl.certificate_authorities', 'testnode.crt' keystoreSetting 'xpack.security.http.ssl.secure_key_passphrase', 'testnode' setting 'xpack.ilm.enabled', 'false' diff --git a/x-pack/qa/tribe-tests-with-security/src/test/java/org/elasticsearch/xpack/security/SecurityTribeTests.java b/x-pack/qa/tribe-tests-with-security/src/test/java/org/elasticsearch/xpack/security/SecurityTribeTests.java index 31ad43987dfca..4f4bb09590cc1 100644 --- a/x-pack/qa/tribe-tests-with-security/src/test/java/org/elasticsearch/xpack/security/SecurityTribeTests.java +++ b/x-pack/qa/tribe-tests-with-security/src/test/java/org/elasticsearch/xpack/security/SecurityTribeTests.java @@ -50,6 +50,7 @@ import java.io.UncheckedIOException; import java.nio.file.Path; import java.util.ArrayList; +import java.util.Arrays; import java.util.Collection; import java.util.Collections; import java.util.HashSet; @@ -258,9 +259,25 @@ public Settings nodeSettings(int nodeOrdinal) { return false; } else if (k.equals("transport.tcp.port")) { return false; + } else if (k.startsWith("xpack.security.transport.ssl.")) { + return false; } return true; }); + if (useSSL) { + Settings.Builder addSSLBuilder = Settings.builder().put(tribeSettings, false); + SecuritySettingsSource.addSSLSettingsForPEMFiles(addSSLBuilder, + "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem", + "testnode", + "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt", + Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-client-profile.crt", + "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/active-directory-ca.crt", + "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt", + "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/openldap.crt", + "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt")); + addSSLBuilder.put("xpack.security.transport.ssl.enabled", true); + tribeSettings = addSSLBuilder.build(); + } tribe1Defaults.put(tribeSettings, false); tribe1Defaults.normalizePrefix("tribe.t1."); tribe2Defaults.put(tribeSettings, false); @@ -271,6 +288,9 @@ public Settings nodeSettings(int nodeOrdinal) { MockSecureSettings secureSettings = new MockSecureSettings(); if (secureSettingsTemplate != null) { for (String settingName : secureSettingsTemplate.getSettingNames()) { + if (settingName.startsWith("xpack.security.transport.ssl.")) { + continue; + } String settingValue = secureSettingsTemplate.getString(settingName).toString(); secureSettings.setString(settingName, settingValue); secureSettings.setString("tribe.t1." + settingName, settingValue);