From 65cf24cde3ad90794487983a6b4bc74857fe631c Mon Sep 17 00:00:00 2001 From: Yang Wang Date: Sat, 18 Jan 2020 00:02:38 +1100 Subject: [PATCH 01/24] WIP: making realm order config mandatory --- .../xpack/core/security/authc/RealmConfig.java | 6 ++++++ .../xpack/security/authc/esnative/NativeRealmTests.java | 4 +++- .../xpack/security/authc/file/FileRealmTests.java | 5 +++-- 3 files changed, 12 insertions(+), 3 deletions(-) diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/RealmConfig.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/RealmConfig.java index 5de1cf3b38e03..3ce810a7ae17b 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/RealmConfig.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/RealmConfig.java @@ -28,6 +28,12 @@ public RealmConfig(RealmIdentifier identifier, Settings settings, Environment en this.settings = settings; this.env = env; this.enabled = getSetting(RealmSettings.ENABLED_SETTING); + if (hasSetting(RealmSettings.ORDER_SETTING.apply(type())) == false) { + throw new IllegalArgumentException("'order' is a mandatory parameter for realm config. " + + "Found invalid realm config: '" + identifier.name + "'\n" + + "Please see the breaking changes documentation." + ); + } this.order = getSetting(RealmSettings.ORDER_SETTING); this.threadContext = threadContext; } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/NativeRealmTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/NativeRealmTests.java index a8682c4e21d84..ba3f80e04158a 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/NativeRealmTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/NativeRealmTests.java 
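Review bot: The new guard throws when `order` is absent but the message names only `identifier.name`, so an operator still has to work out which key is missing; spell out the setting key instead, e.g. `"Found invalid realm config: '" + identifier.name + "'. Set " + RealmSettings.realmSettingPrefix(identifier) + "order"` (the prefix helper is the one the test hunks below already use). The check runs inside the constructor, so a realm without `order` presumably fails at node startup, which is the intended breaking change but is not stated anywhere in the code; a short comment above the `if` saying so would help the next maintainer. The diffstat shows only test fixups, so nothing in this patch exercises the new failure path; a test that builds a RealmConfig without `order` and expects `IllegalArgumentException` would pin it. The constructor's signature line is above the hunk.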
@@ -13,6 +13,7 @@ import org.elasticsearch.test.ESTestCase; import org.elasticsearch.threadpool.ThreadPool; import org.elasticsearch.xpack.core.security.authc.RealmConfig; +import org.elasticsearch.xpack.core.security.authc.RealmSettings; import org.elasticsearch.xpack.core.security.index.RestrictedIndicesNames; import org.elasticsearch.xpack.security.support.SecurityIndexManager; @@ -38,8 +39,9 @@ public void testCacheClearOnIndexHealthChange() { when(threadPool.getThreadContext()).thenReturn(threadContext); final AtomicInteger numInvalidation = new AtomicInteger(0); int expectedInvalidation = 0; - Settings settings = Settings.builder().put("path.home", createTempDir()).build(); RealmConfig.RealmIdentifier realmId = new RealmConfig.RealmIdentifier("native", "native"); + Settings settings = Settings.builder().put("path.home", createTempDir()) + .put(RealmSettings.realmSettingPrefix(realmId) + "order", 0).build(); RealmConfig config = new RealmConfig(realmId, settings, TestEnvironment.newEnvironment(settings), new ThreadContext(settings)); final NativeRealm nativeRealm = new NativeRealm(config, mock(NativeUsersStore.class), threadPool) { @Override diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/file/FileRealmTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/file/FileRealmTests.java index d2ab879d4d4ff..6e994869a9512 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/file/FileRealmTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/file/FileRealmTests.java 
@@ -61,7 +61,8 @@ public void init() throws Exception { userPasswdStore = mock(FileUserPasswdStore.class); userRolesStore = mock(FileUserRolesStore.class); globalSettings = Settings.builder().put("path.home", createTempDir()).put("xpack.security.authc.password_hashing.algorithm", - randomFrom("bcrypt9", "pbkdf2")).build(); + randomFrom("bcrypt9", "pbkdf2")). + put(RealmSettings.realmSettingPrefix(REALM_IDENTIFIER) + "order", 0).build(); threadPool = mock(ThreadPool.class); threadContext = new ThreadContext(globalSettings); when(threadPool.getThreadContext()).thenReturn(threadContext); @@ -243,8 +244,8 @@ public void testUsageStats() throws Exception { final int order = randomIntBetween(0, 10); Settings settings = Settings.builder() - .put(RealmSettings.realmSettingPrefix(REALM_IDENTIFIER) + "order", order) .put(globalSettings) + .put(RealmSettings.realmSettingPrefix(REALM_IDENTIFIER) + "order", order) .build(); RealmConfig config = getRealmConfig(settings); From d186b0a40c8a3c2d60f1a63b76aa3626d61f64c3 Mon Sep 17 00:00:00 2001 From: Yang Wang Date: Sun, 19 Jan 2020 22:54:12 +1100 Subject: [PATCH 02/24] Support explicit order parameter for RealmConfig Reserved realm and default native realms now use the new constructor to specifiy order explicitly --- .../xpack/core/security/authc/RealmConfig.java | 11 +++++++++-- .../elasticsearch/xpack/security/authc/Realms.java | 4 ++-- .../xpack/security/authc/esnative/ReservedRealm.java | 3 ++- 3 files changed, 13 insertions(+), 5 deletions(-) diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/RealmConfig.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/RealmConfig.java index 3ce810a7ae17b..ef65ae0464d37 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/RealmConfig.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/RealmConfig.java 
@@ -24,17 +24,24 @@ public class RealmConfig { private final ThreadContext threadContext; public RealmConfig(RealmIdentifier identifier, Settings settings, Environment env, ThreadContext threadContext) { + this(identifier, settings, env, threadContext, null); + } + + public RealmConfig(RealmIdentifier identifier, Settings settings, Environment env, ThreadContext threadContext, Integer order) { this.identifier = identifier; this.settings = settings; this.env = env; this.enabled = getSetting(RealmSettings.ENABLED_SETTING); - if (hasSetting(RealmSettings.ORDER_SETTING.apply(type())) == false) { + if (order != null) { + this.order = order; + } else if (order == null && hasSetting(RealmSettings.ORDER_SETTING.apply(type())) == false) { throw new IllegalArgumentException("'order' is a mandatory parameter for realm config. " + "Found invalid realm config: '" + identifier.name + "'\n" + "Please see the breaking changes documentation." ); + } else { + this.order = getSetting(RealmSettings.ORDER_SETTING); } - this.order = getSetting(RealmSettings.ORDER_SETTING); this.threadContext = threadContext; } diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/Realms.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/Realms.java index c783842ba6faf..66e275358debb 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/Realms.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/Realms.java 
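Review bot: The condition `else if (order == null && hasSetting(...) == false)` re-tests `order == null`, which the preceding `if (order != null)` already excludes; it can be `} else if (hasSetting(RealmSettings.ORDER_SETTING.apply(type())) == false) {`. More significant: when a caller passes an explicit `order`, any `...order` value that `settings` carries for the same realm is ignored without a word, so a configured value would appear to be honoured but is not; consider rejecting that combination with an `IllegalArgumentException` naming `RealmSettings.realmSettingPrefix(identifier) + "order"`, or at least logging it, unless Realms already filters such settings out (that code is outside this hunk). Since the four-arg constructor is kept and just delegates with `null`, nothing forces call sites to choose; a Javadoc line on the five-arg constructor stating that `null` means "read order from settings, which is then mandatory" would make the contract explicit. The opening of the class is above the hunk.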
@@ -307,13 +307,13 @@ private void addNativeRealms(List realms) throws Exception { if (fileRealm != null) { realms.add(fileRealm.create(new RealmConfig( new RealmConfig.RealmIdentifier(FileRealmSettings.TYPE, "default_" + FileRealmSettings.TYPE), - settings, env, threadContext))); + settings, env, threadContext, Integer.MIN_VALUE))); } Realm.Factory indexRealmFactory = factories.get(NativeRealmSettings.TYPE); if (indexRealmFactory != null) { realms.add(indexRealmFactory.create(new RealmConfig( new RealmConfig.RealmIdentifier(NativeRealmSettings.TYPE, "default_" + NativeRealmSettings.TYPE), - settings, env, threadContext))); + settings, env, threadContext, Integer.MIN_VALUE))); } } diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/esnative/ReservedRealm.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/esnative/ReservedRealm.java index ac6248f4f30d6..efab5f8f73242 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/esnative/ReservedRealm.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/esnative/ReservedRealm.java @@ -63,7 +63,8 @@ public class ReservedRealm extends CachingUsernamePasswordRealm { public ReservedRealm(Environment env, Settings settings, NativeUsersStore nativeUsersStore, AnonymousUser anonymousUser, SecurityIndexManager securityIndex, ThreadPool threadPool) { - super(new RealmConfig(new RealmConfig.RealmIdentifier(TYPE, TYPE), settings, env, threadPool.getThreadContext()), threadPool); + super(new RealmConfig(new RealmConfig.RealmIdentifier(TYPE, TYPE), settings, env, threadPool.getThreadContext(), + Integer.MIN_VALUE), threadPool); this.nativeUsersStore = nativeUsersStore; this.realmEnabled = XPackSettings.RESERVED_REALM_ENABLED_SETTING.get(settings); this.anonymousUser = anonymousUser; From 82e08d27356bc1c37e3f9040fbfdb94c5d174e7a Mon Sep 17 00:00:00 2001 
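Review bot: Both default realms now get `Integer.MIN_VALUE`, so their relative position, and their position relative to the reserved realm that receives the same value in the next hunk, is decided entirely by whatever tie-break the realm comparator applies, which is outside this hunk. If that tie-break is by name then `default_file` sorts before `default_native`, preserving file-before-native, but that is an accident of naming rather than stated intent; a comment on these lines should record what is relied on, e.g. `// lowest possible order: default realms are tried before any configured realm; ties are broken by the realm comparator`. A user-configured realm could itself be given `order: -2147483648` and would then collide with the defaults, which is worth rejecting in realm validation if the rest of the series does not. The enclosing addNativeRealms method starts above the hunk.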
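Review bot: The reserved realm is given `Integer.MIN_VALUE`, the same value the previous hunk assigns to the default file and native realms, so nothing in this patch makes it sort ahead of them. If Realms consults the reserved realm before the ordered chain regardless (not visible here) the value is nominal and a comment should say so, e.g. `// order is nominal: the reserved realm is consulted ahead of the realm chain`; if not, its precedence now rests on a name tie-break that nobody wrote down. The constructor's remaining body continues past the hunk.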
From: Yang Wang Date: Sun, 19 Jan 2020 23:39:43 +1100 Subject: [PATCH 03/24] Fix security plugin tests for required order param --- ...ansportOpenIdConnectLogoutActionTests.java | 2 +- ...sportSamlInvalidateSessionActionTests.java | 2 +- .../saml/TransportSamlLogoutActionTests.java | 2 +- .../security/authc/InternalRealmsTests.java | 4 +-- .../authc/file/FileUserPasswdStoreTests.java | 2 +- .../authc/file/FileUserRolesStoreTests.java | 8 +++--- .../KerberosRealmAuthenticateFailedTests.java | 2 +- .../kerberos/KerberosRealmSettingsTests.java | 2 +- .../authc/kerberos/KerberosRealmTestCase.java | 2 +- .../authc/kerberos/KerberosRealmTests.java | 4 +-- .../authc/ldap/ActiveDirectoryRealmTests.java | 3 ++- .../security/authc/ldap/LdapRealmTests.java | 6 ++--- .../authc/ldap/LdapSessionFactoryTests.java | 14 +++++------ .../LdapUserSearchSessionFactoryTests.java | 7 +++--- .../SearchGroupsResolverInMemoryTests.java | 3 ++- .../ldap/support/LdapLoadBalancingTests.java | 3 ++- .../support/LdapMetaDataResolverTests.java | 2 +- .../authc/ldap/support/LdapTestCase.java | 2 +- .../SessionFactoryLoadBalancingTests.java | 2 +- .../ldap/support/SessionFactoryTests.java | 12 ++++----- .../oidc/OpenIdConnectRealmSettingsTests.java | 2 +- .../authc/oidc/OpenIdConnectRealmTests.java | 2 +- .../authc/oidc/OpenIdConnectTestCase.java | 2 +- .../security/authc/pki/PkiRealmTests.java | 17 +++++++------ .../authc/saml/SamlMetadataCommandTests.java | 4 +++ .../security/authc/saml/SamlRealmTests.java | 7 +++--- .../CachingUsernamePasswordRealmTests.java | 25 ++++++++++--------- .../DelegatedAuthorizationSupportTests.java | 2 +- .../authc/support/DnRoleMapperTests.java | 8 +++--- .../authc/support/RealmUserLookupTests.java | 6 +++-- .../RoleMappingFileBootstrapCheckTests.java | 3 ++- .../mapper/ExpressionRoleMappingTests.java | 2 +- .../mapper/NativeRoleMappingStoreTests.java | 4 +-- 33 files changed, 91 insertions(+), 77 deletions(-) 
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/oidc/TransportOpenIdConnectLogoutActionTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/oidc/TransportOpenIdConnectLogoutActionTests.java index 9a750409e9aeb..1cf393c02c1a1 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/oidc/TransportOpenIdConnectLogoutActionTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/oidc/TransportOpenIdConnectLogoutActionTests.java @@ -181,7 +181,7 @@ public void setup() throws Exception { final RealmConfig.RealmIdentifier realmIdentifier = new RealmConfig.RealmIdentifier("oidc", REALM_NAME); - final RealmConfig realmConfig = new RealmConfig(realmIdentifier, settings, env, threadContext); + final RealmConfig realmConfig = new RealmConfig(realmIdentifier, settings, env, threadContext, Integer.MAX_VALUE); oidcRealm = new OpenIdConnectRealm(realmConfig, new SSLService(TestEnvironment.newEnvironment(sslSettings)), mock(UserRoleMapper.class), mock(ResourceWatcherService.class)); when(realms.realm(realmConfig.name())).thenReturn(oidcRealm); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/saml/TransportSamlInvalidateSessionActionTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/saml/TransportSamlInvalidateSessionActionTests.java index 810428e3c0a50..36c7908a4780b 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/saml/TransportSamlInvalidateSessionActionTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/saml/TransportSamlInvalidateSessionActionTests.java @@ -219,7 +219,7 @@ void doExecute(ActionType action, Request request, ActionListener Stream.of(samlRealm)); 
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/saml/TransportSamlLogoutActionTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/saml/TransportSamlLogoutActionTests.java index e24f38824adc8..53807da03b034 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/saml/TransportSamlLogoutActionTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/saml/TransportSamlLogoutActionTests.java @@ -214,7 +214,7 @@ public void setup() throws Exception { final RealmIdentifier realmIdentifier = new RealmIdentifier("saml", REALM_NAME); - final RealmConfig realmConfig = new RealmConfig(realmIdentifier, settings, env, threadContext); + final RealmConfig realmConfig = new RealmConfig(realmIdentifier, settings, env, threadContext, Integer.MAX_VALUE); samlRealm = SamlRealm.create(realmConfig, mock(SSLService.class), mock(ResourceWatcherService.class), mock(UserRoleMapper.class)); when(realms.realm(realmConfig.name())).thenReturn(samlRealm); } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/InternalRealmsTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/InternalRealmsTests.java index e3298e5103772..e83d98230e026 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/InternalRealmsTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/InternalRealmsTests.java 
@@ -51,10 +51,10 @@ public void testNativeRealmRegistersIndexHealthChangeListener() throws Exception final RealmConfig.RealmIdentifier realmId = new RealmConfig.RealmIdentifier(NativeRealmSettings.TYPE, "test"); final Environment env = TestEnvironment.newEnvironment(settings); final ThreadContext threadContext = new ThreadContext(settings); - factories.get(NativeRealmSettings.TYPE).create(new RealmConfig(realmId, settings, env, threadContext)); + factories.get(NativeRealmSettings.TYPE).create(new RealmConfig(realmId, settings, env, threadContext, Integer.MAX_VALUE)); verify(securityIndex).addIndexStateListener(isA(BiConsumer.class)); - factories.get(NativeRealmSettings.TYPE).create(new RealmConfig(realmId, settings, env, threadContext)); + factories.get(NativeRealmSettings.TYPE).create(new RealmConfig(realmId, settings, env, threadContext, Integer.MAX_VALUE)); verify(securityIndex, times(2)).addIndexStateListener(isA(BiConsumer.class)); } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/file/FileUserPasswdStoreTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/file/FileUserPasswdStoreTests.java index 42cd5530f306d..0c9546e6ac08b 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/file/FileUserPasswdStoreTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/file/FileUserPasswdStoreTests.java @@ -134,7 +134,7 @@ public void testStore_AutoReload() throws Exception { private RealmConfig getRealmConfig() { final RealmConfig.RealmIdentifier identifier = new RealmConfig.RealmIdentifier("file", "file-test"); - return new RealmConfig(identifier, settings, env, threadPool.getThreadContext()); + return new RealmConfig(identifier, settings, env, threadPool.getThreadContext(), Integer.MAX_VALUE); } public void testStore_AutoReload_WithParseFailures() throws Exception { 
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/file/FileUserRolesStoreTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/file/FileUserRolesStoreTests.java index 4e1dd0644911c..aea6bb3df905b 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/file/FileUserRolesStoreTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/file/FileUserRolesStoreTests.java @@ -75,7 +75,7 @@ public void testStore_ConfiguredWithUnreadableFile() throws Exception { Files.write(file, lines, StandardCharsets.UTF_16); RealmConfig.RealmIdentifier realmId = new RealmConfig.RealmIdentifier("file", "file-test"); - RealmConfig config = new RealmConfig(realmId, settings, env, new ThreadContext(Settings.EMPTY)); + RealmConfig config = new RealmConfig(realmId, settings, env, new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE); ResourceWatcherService watcherService = new ResourceWatcherService(settings, threadPool); FileUserRolesStore store = new FileUserRolesStore(config, watcherService); assertThat(store.entriesCount(), is(0)); @@ -88,7 +88,7 @@ public void testStoreAutoReload() throws Exception { final RealmConfig.RealmIdentifier realmId = new RealmConfig.RealmIdentifier("file", "file-test"); - RealmConfig config = new RealmConfig(realmId, settings, env, new ThreadContext(Settings.EMPTY)); + RealmConfig config = new RealmConfig(realmId, settings, env, new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE); ResourceWatcherService watcherService = new ResourceWatcherService(settings, threadPool); final CountDownLatch latch = new CountDownLatch(1); 
@@ -134,7 +134,7 @@ public void testStoreAutoReloadWithParseFailure() throws Exception { Files.copy(users, tmp, StandardCopyOption.REPLACE_EXISTING); final RealmConfig.RealmIdentifier realmId = new RealmConfig.RealmIdentifier("file", "file-test"); - RealmConfig config = new RealmConfig(realmId, settings, env, new ThreadContext(Settings.EMPTY)); + RealmConfig config = new RealmConfig(realmId, settings, env, new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE); ResourceWatcherService watcherService = new ResourceWatcherService(settings, threadPool); final CountDownLatch latch = new CountDownLatch(1); @@ -224,7 +224,7 @@ public void testParseFileEmptyRolesDoesNotCauseNPE() throws Exception { Environment env = TestEnvironment.newEnvironment(settings); final RealmConfig.RealmIdentifier realmId = new RealmConfig.RealmIdentifier("file", "file-test"); - RealmConfig config = new RealmConfig(realmId, settings, env, new ThreadContext(Settings.EMPTY)); + RealmConfig config = new RealmConfig(realmId, settings, env, new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE); ResourceWatcherService watcherService = new ResourceWatcherService(settings, threadPool); FileUserRolesStore store = new FileUserRolesStore(config, watcherService); assertThat(store.roles("user"), equalTo(Strings.EMPTY_ARRAY)); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmAuthenticateFailedTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmAuthenticateFailedTests.java index e2aafc98e65e2..8b2e51bf15364 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmAuthenticateFailedTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmAuthenticateFailedTests.java 
@@ -122,7 +122,7 @@ public void testAuthenticateDifferentFailureScenarios() throws LoginException, G public void testDelegatedAuthorizationFailedToResolve() throws Exception { final String username = randomPrincipalName(); final MockLookupRealm otherRealm = new MockLookupRealm(new RealmConfig(new RealmConfig.RealmIdentifier("mock", "other_realm"), - globalSettings, TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings))); + globalSettings, TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings), Integer.MAX_VALUE)); final User lookupUser = new User(randomAlphaOfLength(5)); otherRealm.registerUser(lookupUser); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmSettingsTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmSettingsTests.java index eb1e32037d5ef..10907ee3aeb49 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmSettingsTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmSettingsTests.java @@ -40,7 +40,7 @@ public void testKerberosRealmSettings() throws IOException { keytabPathConfig, maxUsers, cacheTTL, enableDebugLogs, removeRealmName); final RealmIdentifier identifier = new RealmIdentifier(KerberosRealmSettings.TYPE, KerberosRealmTestCase.REALM_NAME); final RealmConfig config = new RealmConfig(identifier, - settings, TestEnvironment.newEnvironment(settings), new ThreadContext(settings)); + settings, TestEnvironment.newEnvironment(settings), new ThreadContext(settings), Integer.MAX_VALUE); assertThat(config.getSetting(KerberosRealmSettings.HTTP_SERVICE_KEYTAB_PATH), equalTo(keytabPathConfig)); assertThat(config.getSetting(KerberosRealmSettings.CACHE_TTL_SETTING), 
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmTestCase.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmTestCase.java index aa09db07d20ad..571573569574f 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmTestCase.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmTestCase.java @@ -123,7 +123,7 @@ protected KerberosRealm createKerberosRealm(final String... userForRoleMapping) protected KerberosRealm createKerberosRealm(final List delegatedRealms, final String... userForRoleMapping) { final RealmConfig.RealmIdentifier id = new RealmConfig.RealmIdentifier(KerberosRealmSettings.TYPE, REALM_NAME); config = new RealmConfig(id, merge(id, settings, globalSettings), - TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings)); + TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings), Integer.MAX_VALUE); mockNativeRoleMappingStore = roleMappingStore(Arrays.asList(userForRoleMapping)); mockKerberosTicketValidator = mock(KerberosTicketValidator.class); final KerberosRealm kerberosRealm = diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmTests.java index 3e4d69a2f7f3f..b4365fe054474 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmTests.java 
@@ -163,7 +163,7 @@ private void assertKerberosRealmConstructorFails(final String keytabPath, final final String realmName = "test-kerb-realm"; settings = buildKerberosRealmSettings(realmName, keytabPath, 100, "10m", true, randomBoolean(), globalSettings); config = new RealmConfig(new RealmConfig.RealmIdentifier(KerberosRealmSettings.TYPE, realmName), settings, - TestEnvironment.newEnvironment(settings), new ThreadContext(settings)); + TestEnvironment.newEnvironment(settings), new ThreadContext(settings), Integer.MAX_VALUE); mockNativeRoleMappingStore = roleMappingStore(Arrays.asList("user")); mockKerberosTicketValidator = mock(KerberosTicketValidator.class); final IllegalArgumentException iae = expectThrows(IllegalArgumentException.class, @@ -175,7 +175,7 @@ public void testDelegatedAuthorization() throws Exception { final String username = randomPrincipalName(); final String expectedUsername = maybeRemoveRealmName(username); final MockLookupRealm otherRealm = spy(new MockLookupRealm(new RealmConfig(new RealmConfig.RealmIdentifier("mock", "other_realm"), - globalSettings, TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings)))); + globalSettings, TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings), Integer.MAX_VALUE))); final User lookupUser = new User(expectedUsername, new String[] { "admin-role" }, expectedUsername, expectedUsername + "@example.com", Collections.singletonMap("k1", "v1"), true); otherRealm.registerUser(lookupUser); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectoryRealmTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectoryRealmTests.java index fea74c5d660be..17278859ce419 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectoryRealmTests.java 
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectoryRealmTests.java @@ -172,7 +172,8 @@ private RealmConfig setupRealm(RealmConfig.RealmIdentifier realmIdentifier, Sett return new RealmConfig( realmIdentifier, mergedSettings, - env, new ThreadContext(mergedSettings) + env, new ThreadContext(mergedSettings), + Integer.MAX_VALUE ); } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapRealmTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapRealmTests.java index 39268be35a8db..8d5a824f0604d 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapRealmTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapRealmTests.java @@ -138,7 +138,7 @@ public void testAuthenticateSubTreeGroupSearch() throws Exception { private RealmConfig getRealmConfig(RealmConfig.RealmIdentifier identifier, Settings settings) { final Environment env = TestEnvironment.newEnvironment(settings); - return new RealmConfig(identifier, settings, env, new ThreadContext(settings)); + return new RealmConfig(identifier, settings, env, new ThreadContext(settings), Integer.MAX_VALUE); } public void testAuthenticateOneLevelGroupSearch() throws Exception { 
@@ -271,14 +271,14 @@ public void testDelegatedAuthorization() throws Exception { final Settings realmSettings = builder.build(); final Environment env = TestEnvironment.newEnvironment(defaultGlobalSettings); - RealmConfig config = new RealmConfig(REALM_IDENTIFIER, realmSettings, env, threadPool.getThreadContext()); + RealmConfig config = new RealmConfig(REALM_IDENTIFIER, realmSettings, env, threadPool.getThreadContext(), Integer.MAX_VALUE); final LdapSessionFactory ldapFactory = new LdapSessionFactory(config, sslService, threadPool); final DnRoleMapper roleMapper = buildGroupAsRoleMapper(resourceWatcherService); final LdapRealm ldap = new LdapRealm(config, ldapFactory, roleMapper, threadPool); final MockLookupRealm mockLookup = new MockLookupRealm(new RealmConfig(new RealmConfig.RealmIdentifier("mock", "mock_lookup"), - defaultGlobalSettings, env, threadPool.getThreadContext())); + defaultGlobalSettings, env, threadPool.getThreadContext(), Integer.MAX_VALUE)); ldap.initialize(Arrays.asList(ldap, mockLookup), licenseState); mockLookup.initialize(Arrays.asList(ldap, mockLookup), licenseState); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapSessionFactoryTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapSessionFactoryTests.java index 3ba6d0da34824..ef2f78bc96ab4 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapSessionFactoryTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapSessionFactoryTests.java 
@@ -92,7 +92,7 @@ public void testBindWithReadTimeout() throws Exception { .build(); RealmConfig config = new RealmConfig(REALM_IDENTIFIER, settings, - TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings)); + TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings), Integer.MAX_VALUE); LdapSessionFactory sessionFactory = new LdapSessionFactory(config, sslService, threadPool); String user = "Horatio Hornblower"; SecureString userPass = new SecureString("pass"); @@ -121,7 +121,7 @@ public void testBindWithTemplates() throws Exception { .put(buildLdapSettings(ldapUrls(), userTemplates, groupSearchBase, LdapSearchScope.SUB_TREE)) .build(); RealmConfig config = new RealmConfig(REALM_IDENTIFIER, settings, - TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings)); + TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings), Integer.MAX_VALUE); LdapSessionFactory sessionFactory = new LdapSessionFactory(config, sslService, threadPool); @@ -148,7 +148,7 @@ public void testBindWithBogusTemplates() throws Exception { .put(buildLdapSettings(ldapUrls(), userTemplates, groupSearchBase, LdapSearchScope.SUB_TREE)) .build(); RealmConfig config = new RealmConfig(REALM_IDENTIFIER, settings, - TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings)); + TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings), Integer.MAX_VALUE); LdapSessionFactory ldapFac = new LdapSessionFactory(config, sslService, threadPool); 
@@ -170,7 +170,7 @@ public void testGroupLookupSubtree() throws Exception { .put(buildLdapSettings(ldapUrls(), userTemplate, groupSearchBase, LdapSearchScope.SUB_TREE)) .build(); RealmConfig config = new RealmConfig(REALM_IDENTIFIER, settings, - TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings)); + TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings), Integer.MAX_VALUE); LdapSessionFactory ldapFac = new LdapSessionFactory(config, sslService, threadPool); @@ -193,7 +193,7 @@ public void testGroupLookupOneLevel() throws Exception { .put(buildLdapSettings(ldapUrls(), userTemplate, groupSearchBase, LdapSearchScope.ONE_LEVEL)) .build(); RealmConfig config = new RealmConfig(REALM_IDENTIFIER, settings, - TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings)); + TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings), Integer.MAX_VALUE); LdapSessionFactory ldapFac = new LdapSessionFactory(config, sslService, threadPool); @@ -215,7 +215,7 @@ public void testGroupLookupBase() throws Exception { .put(buildLdapSettings(ldapUrls(), userTemplate, groupSearchBase, LdapSearchScope.BASE)) .build(); RealmConfig config = new RealmConfig(REALM_IDENTIFIER, settings, - TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings)); + TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings), Integer.MAX_VALUE); LdapSessionFactory ldapFac = new LdapSessionFactory(config, sslService, threadPool); 
@@ -262,7 +262,7 @@ public void testSslTrustIsReloaded() throws Exception { final Environment environment = TestEnvironment.newEnvironment(settings); RealmConfig config = new RealmConfig(REALM_IDENTIFIER, settings, - environment, new ThreadContext(settings)); + environment, new ThreadContext(settings), Integer.MAX_VALUE); LdapSessionFactory sessionFactory = new LdapSessionFactory(config, sslService, threadPool); String user = "Horatio Hornblower"; SecureString userPass = new SecureString("pass"); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapUserSearchSessionFactoryTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapUserSearchSessionFactoryTests.java index b59d95cb7a9da..30c8018ed536c 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapUserSearchSessionFactoryTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapUserSearchSessionFactoryTests.java @@ -110,7 +110,8 @@ public void testSupportsUnauthenticatedSessions() throws Exception { } private RealmConfig getRealmConfig(Settings settings) { - return new RealmConfig(REALM_IDENTIFIER, settings, TestEnvironment.newEnvironment(settings), new ThreadContext(settings)); + return new RealmConfig(REALM_IDENTIFIER, settings, TestEnvironment.newEnvironment(settings), new ThreadContext(settings), + Integer.MAX_VALUE); } public void testUserSearchSubTree() throws Exception { 
@@ -520,7 +521,7 @@ public void testEmptyBindDNReturnsAnonymousBindRequest() throws LDAPException { .put(getFullSettingKey(REALM_IDENTIFIER.getName(), LdapUserSearchSessionFactorySettings.SEARCH_BASE_DN), userSearchBase); final boolean useLegacyBindPassword = configureBindPassword(realmSettings); RealmConfig config = new RealmConfig(REALM_IDENTIFIER, realmSettings.build(), - TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings)); + TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings), Integer.MAX_VALUE); try (LdapUserSearchSessionFactory searchSessionFactory = getLdapUserSearchSessionFactory(config, sslService, threadPool)) { assertThat(searchSessionFactory.bindCredentials, notNullValue()); assertThat(searchSessionFactory.bindCredentials.getBindDN(), isEmptyString()); @@ -538,7 +539,7 @@ public void testThatBindRequestReturnsSimpleBindRequest() throws LDAPException { .put(getFullSettingKey(REALM_IDENTIFIER.getName(), LdapUserSearchSessionFactorySettings.SEARCH_BASE_DN), userSearchBase); final boolean useLegacyBindPassword = configureBindPassword(realmSettings); RealmConfig config = new RealmConfig(REALM_IDENTIFIER, realmSettings.build(), - TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings)); + TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings), Integer.MAX_VALUE); try (LdapUserSearchSessionFactory searchSessionFactory = getLdapUserSearchSessionFactory(config, sslService, threadPool)) { assertThat(searchSessionFactory.bindCredentials, notNullValue()); assertThat(searchSessionFactory.bindCredentials.getBindDN(), is("cn=ironman")); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/SearchGroupsResolverInMemoryTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/SearchGroupsResolverInMemoryTests.java index a1bd0d59d6f89..95b7f4907b97f 100644 
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/SearchGroupsResolverInMemoryTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/SearchGroupsResolverInMemoryTests.java
@@ -167,7 +167,8 @@ private RealmConfig getConfig(Settings settings) {
 if (settings.hasValue("path.home") == false) {
 settings = Settings.builder().put(settings).put("path.home", createTempDir()).build();
 }
- return new RealmConfig(REALM_IDENTIFIER, settings, TestEnvironment.newEnvironment(settings), new ThreadContext(settings));
+ return new RealmConfig(REALM_IDENTIFIER, settings, TestEnvironment.newEnvironment(settings), new ThreadContext(settings),
+ Integer.MAX_VALUE);
 }
 }
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/LdapLoadBalancingTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/LdapLoadBalancingTests.java
index f0420339dc75c..84b16df01b247 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/LdapLoadBalancingTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/LdapLoadBalancingTests.java
@@ -121,6 +121,7 @@ public void testDnsRoundRobinBadArgs() {
 }
 public RealmConfig getConfig(Settings settings) {
- return new RealmConfig(REALM_IDENTIFIER, settings, TestEnvironment.newEnvironment(settings), new ThreadContext(settings));
+ return new RealmConfig(REALM_IDENTIFIER, settings, TestEnvironment.newEnvironment(settings), new ThreadContext(settings),
+ Integer.MAX_VALUE);
 }
 }
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/LdapMetaDataResolverTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/LdapMetaDataResolverTests.java
index e2c2ae4aa2c04..8036e9ef9a2c8 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/LdapMetaDataResolverTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/LdapMetaDataResolverTests.java @@ -44,7 +44,7 @@ public void testParseSettings() throws Exception { "cn", "uid") .build(); RealmConfig config = new RealmConfig(realmId, - settings, TestEnvironment.newEnvironment(settings), new ThreadContext(settings)); + settings, TestEnvironment.newEnvironment(settings), new ThreadContext(settings), Integer.MAX_VALUE); resolver = new LdapMetaDataResolver(config, false); assertThat(resolver.attributeNames(), arrayContaining("cn", "uid")); } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/LdapTestCase.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/LdapTestCase.java index 957167e60d281..6e95d546b19d3 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/LdapTestCase.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/LdapTestCase.java @@ -194,7 +194,7 @@ protected DnRoleMapper buildGroupAsRoleMapper(ResourceWatcherService resourceWat .put("path.home", createTempDir()) .build(); RealmConfig config = new RealmConfig(REALM_IDENTIFIER, settings, - TestEnvironment.newEnvironment(settings), new ThreadContext(Settings.EMPTY)); + TestEnvironment.newEnvironment(settings), new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE); return new DnRoleMapper(config, resourceWatcherService); } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/SessionFactoryLoadBalancingTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/SessionFactoryLoadBalancingTests.java index f0ace87cd6990..10699edd54dd6 100644 
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/SessionFactoryLoadBalancingTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/SessionFactoryLoadBalancingTests.java @@ -291,7 +291,7 @@ private TestSessionFactory createSessionFactory(LdapLoadBalancing loadBalancing) LdapSearchScope.SUB_TREE, loadBalancing); Settings globalSettings = Settings.builder().put("path.home", createTempDir()).put(settings).build(); RealmConfig config = new RealmConfig(REALM_IDENTIFIER, globalSettings, - TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY)); + TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE); return new TestSessionFactory(config, new SSLService(TestEnvironment.newEnvironment(config.settings())), threadPool); } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/SessionFactoryTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/SessionFactoryTests.java index 313cd943f19a3..672eca8c903a5 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/SessionFactoryTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/SessionFactoryTests.java 
@@ -51,7 +51,7 @@ public void shutdown() throws InterruptedException { public void testConnectionFactoryReturnsCorrectLDAPConnectionOptionsWithDefaultSettings() throws Exception { final Environment environment = TestEnvironment.newEnvironment(Settings.builder().put("path.home", createTempDir()).build()); RealmConfig realmConfig = new RealmConfig(new RealmConfig.RealmIdentifier("ldap", "conn_settings"), - environment.settings(), environment, new ThreadContext(Settings.EMPTY)); + environment.settings(), environment, new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE); LDAPConnectionOptions options = SessionFactory.connectionOptions(realmConfig, new SSLService(environment), logger); assertThat(options.followReferrals(), is(equalTo(true))); @@ -73,7 +73,7 @@ public void testConnectionFactoryReturnsCorrectLDAPConnectionOptions() throws Ex .build(); Environment environment = TestEnvironment.newEnvironment(settings); - RealmConfig realmConfig = new RealmConfig(realmId, settings, environment, new ThreadContext(settings)); + RealmConfig realmConfig = new RealmConfig(realmId, settings, environment, new ThreadContext(settings), Integer.MAX_VALUE); LDAPConnectionOptions options = SessionFactory.connectionOptions(realmConfig, new SSLService(environment), logger); assertThat(options.followReferrals(), is(equalTo(false))); assertThat(options.allowConcurrentSocketFactoryUse(), is(equalTo(true))); 
@@ -87,7 +87,7 @@ public void testConnectionFactoryReturnsCorrectLDAPConnectionOptions() throws Ex .put(getFullSettingKey(realmId, SSLConfigurationSettings.VERIFICATION_MODE_SETTING_REALM), VerificationMode.CERTIFICATE) .put("path.home", pathHome) .build(); - realmConfig = new RealmConfig(realmId, settings, environment, new ThreadContext(settings)); + realmConfig = new RealmConfig(realmId, settings, environment, new ThreadContext(settings), Integer.MAX_VALUE); options = SessionFactory.connectionOptions(realmConfig, new SSLService(TestEnvironment.newEnvironment(settings)), logger); assertThat(options.getSSLSocketVerifier(), is(instanceOf(TrustAllSSLSocketVerifier.class))); @@ -98,7 +98,7 @@ public void testConnectionFactoryReturnsCorrectLDAPConnectionOptions() throws Ex .put("path.home", pathHome) .build(); environment = TestEnvironment.newEnvironment(settings); - realmConfig = new RealmConfig(realmId, settings, environment, new ThreadContext(settings)); + realmConfig = new RealmConfig(realmId, settings, environment, new ThreadContext(settings), Integer.MAX_VALUE); options = SessionFactory.connectionOptions(realmConfig, new SSLService(environment), logger); assertThat(options.getSSLSocketVerifier(), is(instanceOf(TrustAllSSLSocketVerifier.class))); } @@ -108,7 +108,7 @@ public void testConnectionFactoryReturnsCorrectLDAPConnectionOptions() throws Ex .put("path.home", pathHome) .build(); environment = TestEnvironment.newEnvironment(settings); - realmConfig = new RealmConfig(realmId, settings, environment, new ThreadContext(settings)); + realmConfig = new RealmConfig(realmId, settings, environment, new ThreadContext(settings), Integer.MAX_VALUE); options = SessionFactory.connectionOptions(realmConfig, new SSLService(environment), logger); assertThat(options.getSSLSocketVerifier(), is(instanceOf(HostNameSSLSocketVerifier.class))); } 
@@ -131,7 +131,7 @@ private SessionFactory createSessionFactory() { .put(getFullSettingKey(realmIdentifier, SessionFactorySettings.URLS_SETTING), "ldap://localhost:389") .put(global) .build(), - TestEnvironment.newEnvironment(global), new ThreadContext(Settings.EMPTY)); + TestEnvironment.newEnvironment(global), new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE); return new SessionFactory(realmConfig, null, threadPool) { @Override diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealmSettingsTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealmSettingsTests.java index e8b02c815c964..d8280d887c4cb 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealmSettingsTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealmSettingsTests.java @@ -275,6 +275,6 @@ private RealmConfig buildConfig(Settings realmSettings) { .put("path.home", createTempDir()) .put(realmSettings).build(); final Environment env = TestEnvironment.newEnvironment(settings); - return new RealmConfig(new RealmConfig.RealmIdentifier("oidc", REALM_NAME), settings, env, threadContext); + return new RealmConfig(new RealmConfig.RealmIdentifier("oidc", REALM_NAME), settings, env, threadContext, Integer.MAX_VALUE); } } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealmTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealmTests.java index 61177719679b8..d7d4bea1bb201 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealmTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealmTests.java 
@@ -309,7 +309,7 @@ private AuthenticationResult authenticateWithOidc(String principal, UserRoleMapp ,String authenticatingRealm) throws Exception { final MockLookupRealm lookupRealm = new MockLookupRealm( - new RealmConfig(new RealmConfig.RealmIdentifier("mock", "mock_lookup"), globalSettings, env, threadContext)); + new RealmConfig(new RealmConfig.RealmIdentifier("mock", "mock_lookup"), globalSettings, env, threadContext, Integer.MAX_VALUE)); final OpenIdConnectAuthenticator authenticator = mock(OpenIdConnectAuthenticator.class); final Settings.Builder builder = getBasicRealmSettings(); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectTestCase.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectTestCase.java index 63071a3d1cb40..eb5f0857f4723 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectTestCase.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectTestCase.java @@ -91,7 +91,7 @@ protected RealmConfig buildConfig(Settings realmSettings, ThreadContext threadCo .put("path.home", createTempDir()) .put(realmSettings).build(); final Environment env = TestEnvironment.newEnvironment(settings); - return new RealmConfig(new RealmConfig.RealmIdentifier("oidc", REALM_NAME), settings, env, threadContext); + return new RealmConfig(new RealmConfig.RealmIdentifier("oidc", REALM_NAME), settings, env, threadContext, Integer.MAX_VALUE); } public static void writeJwkSetToFile(Path file) throws IOException { diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiRealmTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiRealmTests.java index f9123c231cd9a..bab1dc9f92c6a 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiRealmTests.java 
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiRealmTests.java @@ -79,7 +79,7 @@ public void setup() throws Exception { public void testTokenSupport() throws Exception { RealmConfig config = new RealmConfig(new RealmConfig.RealmIdentifier("pki", "my_pki"), globalSettings, - TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings)); + TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings), Integer.MAX_VALUE); PkiRealm realm = new PkiRealm(config, mock(UserRoleMapper.class)); assertRealmUsageStats(realm, false, false, true, false); @@ -96,7 +96,7 @@ public void testExtractToken() throws Exception { ThreadContext threadContext = new ThreadContext(Settings.EMPTY); threadContext.putTransient(PkiRealm.PKI_CERT_HEADER_NAME, new X509Certificate[]{certificate}); PkiRealm realm = new PkiRealm(new RealmConfig(new RealmConfig.RealmIdentifier("pki", "my_pki"), globalSettings, - TestEnvironment.newEnvironment(globalSettings), threadContext), mock(UserRoleMapper.class)); + TestEnvironment.newEnvironment(globalSettings), threadContext, Integer.MAX_VALUE), mock(UserRoleMapper.class)); X509AuthenticationToken token = realm.token(threadContext); assertThat(token, is(notNullValue())); @@ -179,7 +179,7 @@ private UserRoleMapper buildRoleMapper(Set roles, String dn) { private PkiRealm buildRealm(UserRoleMapper roleMapper, Settings settings, Realm... otherRealms) { final RealmConfig config = new RealmConfig(new RealmConfig.RealmIdentifier("pki", REALM_NAME), settings, - TestEnvironment.newEnvironment(settings), new ThreadContext(settings)); + TestEnvironment.newEnvironment(settings), new ThreadContext(settings), Integer.MAX_VALUE); PkiRealm realm = new PkiRealm(config, roleMapper); List allRealms = CollectionUtils.arrayAsArrayList(otherRealms); allRealms.add(realm); 
@@ -270,7 +270,7 @@ public void testAuthenticationDelegationFailsWithoutTokenServiceAndTruststore() .build(); IllegalStateException e = expectThrows(IllegalStateException.class, () -> new PkiRealm(new RealmConfig(new RealmConfig.RealmIdentifier("pki", "my_pki"), settings, - TestEnvironment.newEnvironment(globalSettings), threadContext), mock(UserRoleMapper.class))); + TestEnvironment.newEnvironment(globalSettings), threadContext, Integer.MAX_VALUE), mock(UserRoleMapper.class))); assertThat(e.getMessage(), is("PKI realms with delegation enabled require a trust configuration " + "(xpack.security.authc.realms.pki.my_pki.certificate_authorities or " @@ -287,7 +287,7 @@ public void testAuthenticationDelegationFailsWithoutTruststore() throws Exceptio .build(); IllegalStateException e = expectThrows(IllegalStateException.class, () -> new PkiRealm(new RealmConfig(new RealmConfig.RealmIdentifier("pki", "my_pki"), settings, - TestEnvironment.newEnvironment(globalSettings), threadContext), mock(UserRoleMapper.class))); + TestEnvironment.newEnvironment(globalSettings), threadContext, Integer.MAX_VALUE), mock(UserRoleMapper.class))); assertThat(e.getMessage(), is("PKI realms with delegation enabled require a trust configuration " + "(xpack.security.authc.realms.pki.my_pki.certificate_authorities " 
@@ -389,7 +389,8 @@ public void testTruststorePathWithoutPasswordThrowsException() throws Exception .build(); IllegalArgumentException e = expectThrows(IllegalArgumentException.class, () -> new PkiRealm(new RealmConfig(new RealmConfig.RealmIdentifier("pki", "mypki"), settings, - TestEnvironment.newEnvironment(settings), new ThreadContext(settings)), mock(UserRoleMapper.class)) + TestEnvironment.newEnvironment(settings), new ThreadContext(settings), Integer.MAX_VALUE), + mock(UserRoleMapper.class)) ); assertThat(e.getMessage(), containsString("Neither [xpack.security.authc.realms.pki.mypki.truststore.secure_password] or [" + "xpack.security.authc.realms.pki.mypki.truststore.password] is configured")); @@ -404,7 +405,7 @@ public void testTruststorePathWithLegacyPasswordDoesNotThrow() throws Exception .put("xpack.security.authc.realms.pki.mypki.truststore.password", "testnode-client-profile") .build(); new PkiRealm(new RealmConfig(new RealmConfig.RealmIdentifier("pki", "mypki"), settings, - TestEnvironment.newEnvironment(settings), new ThreadContext(settings)), mock(UserRoleMapper.class)); + TestEnvironment.newEnvironment(settings), new ThreadContext(settings), Integer.MAX_VALUE), mock(UserRoleMapper.class)); assertSettingDeprecationsAndWarnings(new Setting[]{ PkiRealmSettings.LEGACY_TRUST_STORE_PASSWORD.getConcreteSettingForNamespace("mypki") }); @@ -474,7 +475,7 @@ public void testDelegatedAuthorization() throws Exception { NoOpLogger.INSTANCE); final MockLookupRealm otherRealm = new MockLookupRealm(new RealmConfig(new RealmConfig.RealmIdentifier("mock", "other_realm"), - globalSettings, TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings))); + globalSettings, TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings), Integer.MAX_VALUE)); final User lookupUser = new User(parsedPrincipal); otherRealm.registerUser(lookupUser); 
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlMetadataCommandTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlMetadataCommandTests.java index fc0eb25e3a49d..3ce3db6792796 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlMetadataCommandTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlMetadataCommandTests.java @@ -173,9 +173,11 @@ public void testFailIfMultipleRealmsExist() throws Exception { public void testSpecifyRealmNameAsParameter() throws Exception { final Settings settings = Settings.builder() .put("path.home", createTempDir()) + .put(RealmSettings.PREFIX + "saml.saml_a.order", 1) .put(RealmSettings.PREFIX + "saml.saml_a.type", "saml") .put(RealmSettings.PREFIX + "saml.saml_a.sp.entity_id", "https://saml.a/") .put(RealmSettings.PREFIX + "saml.saml_a.sp.acs", "https://saml.a/acs") + .put(RealmSettings.PREFIX + "saml.saml_b.order", 2) .put(RealmSettings.PREFIX + "saml.saml_b.type", "saml") .put(RealmSettings.PREFIX + "saml.saml_b.sp.entity_id", "https://saml.b/") .put(RealmSettings.PREFIX + "saml.saml_b.sp.acs", "https://saml.b/acs") @@ -204,6 +206,7 @@ public void testSpecifyRealmNameAsParameter() throws Exception { public void testHandleAttributes() throws Exception { final Settings settings = Settings.builder() .put("path.home", createTempDir()) + .put(RealmSettings.PREFIX + "saml.saml1.order", 1) .put(RealmSettings.PREFIX + "saml.saml1.type", "saml") .put(RealmSettings.PREFIX + "saml.saml1.sp.entity_id", "https://saml.example.com/") .put(RealmSettings.PREFIX + "saml.saml1.sp.acs", "https://saml.example.com/") 
@@ -258,6 +261,7 @@ public void testHandleAttributes() throws Exception { public void testHandleAttributesInBatchMode() throws Exception { final Settings settings = Settings.builder() .put("path.home", createTempDir()) + .put(RealmSettings.PREFIX + "saml.saml1.order", 1) .put(RealmSettings.PREFIX + "saml.saml1.type", "saml") .put(RealmSettings.PREFIX + "saml.saml1.sp.entity_id", "https://saml.example.com/") .put(RealmSettings.PREFIX + "saml.saml1.sp.acs", "https://saml.example.com/") diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java index 020b58422f13f..1bb8677631d3b 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java @@ -247,7 +247,7 @@ private AuthenticationResult performAuthentication(UserRoleMapper roleMapper, bo final String uidValue = principalIsEmailAddress ? "cbarton@shield.gov" : "cbarton"; final MockLookupRealm lookupRealm = new MockLookupRealm( - new RealmConfig(new RealmConfig.RealmIdentifier("mock","mock_lookup"), globalSettings, env, threadContext)); + new RealmConfig(new RealmConfig.RealmIdentifier("mock","mock_lookup"), globalSettings, env, threadContext, Integer.MAX_VALUE)); final Settings.Builder settingsBuilder = Settings.builder() .put(getFullSettingKey(REALM_NAME, SamlRealmSettings.PRINCIPAL_ATTRIBUTE.getAttribute()), useNameId ? "nameid" : "uid") 
@@ -718,12 +718,13 @@ private RealmConfig buildConfig(Settings realmSettings) { .put("path.home", createTempDir()) .put(realmSettings).build(); final Environment env = TestEnvironment.newEnvironment(settings); - return new RealmConfig(new RealmConfig.RealmIdentifier("saml", REALM_NAME), settings, env, threadContext); + return new RealmConfig(new RealmConfig.RealmIdentifier("saml", REALM_NAME), settings, env, threadContext, Integer.MAX_VALUE); } private RealmConfig realmConfigFromGlobalSettings(Settings globalSettings) { final Environment env = TestEnvironment.newEnvironment(globalSettings); - return new RealmConfig(new RealmConfig.RealmIdentifier("saml", REALM_NAME), globalSettings, env, new ThreadContext(globalSettings)); + return new RealmConfig(new RealmConfig.RealmIdentifier("saml", REALM_NAME), globalSettings, env, + new ThreadContext(globalSettings), Integer.MAX_VALUE); } private void assertIdp1MetadataParsedCorrectly(EntityDescriptor descriptor) { diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/CachingUsernamePasswordRealmTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/CachingUsernamePasswordRealmTests.java index 91a0fc9d94e2e..871704ccf3d40 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/CachingUsernamePasswordRealmTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/CachingUsernamePasswordRealmTests.java 
@@ -76,7 +76,7 @@ public void testCacheSettings() { .build(); RealmConfig config = new RealmConfig(identifier, settings, - TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY)); + TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE); CachingUsernamePasswordRealm realm = new CachingUsernamePasswordRealm(config, threadPool) { @Override protected void doAuthenticate(UsernamePasswordToken token, ActionListener listener) { @@ -99,7 +99,8 @@ public void testCacheSizeWhenCacheDisabled() { .build(); final RealmConfig config = - new RealmConfig(identifier, settings, TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY)); + new RealmConfig(identifier, settings, TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY), + Integer.MAX_VALUE); final CachingUsernamePasswordRealm realm = new CachingUsernamePasswordRealm(config, threadPool) { @Override protected void doAuthenticate(UsernamePasswordToken token, ActionListener listener) { @@ -278,7 +279,7 @@ public void testCacheWithVeryLowTtlExpiresBetweenAuthenticateCalls() throws Inte .put(RealmSettings.getFullSettingKey(identifier, CachingUsernamePasswordRealmSettings.CACHE_TTL_SETTING), ttl) .build(); RealmConfig config = new RealmConfig(identifier, settings, - TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY)); + TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE); AlwaysAuthenticateCachingRealm realm = new AlwaysAuthenticateCachingRealm(config, threadPool); final UsernamePasswordToken authToken = new UsernamePasswordToken("the-user", new SecureString("the-password")); 
@@ -309,7 +310,7 @@ public void testReadsDoNotPreventCacheExpiry() throws InterruptedException { .put(RealmSettings.getFullSettingKey(identifier, CachingUsernamePasswordRealmSettings.CACHE_TTL_SETTING), ttl) .build(); RealmConfig config = new RealmConfig(identifier, settings, - TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY)); + TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE); AlwaysAuthenticateCachingRealm realm = new AlwaysAuthenticateCachingRealm(config, threadPool); final UsernamePasswordToken authToken = new UsernamePasswordToken("the-user", new SecureString("the-password")); @@ -413,7 +414,7 @@ public void testSingleAuthPerUserLimit() throws Exception { final Hasher pwdHasher = Hasher.resolve(randomFrom("pbkdf2", "pbkdf2_1000", "bcrypt", "bcrypt9")); final String passwordHash = new String(pwdHasher.hash(password)); RealmConfig config = new RealmConfig(new RealmConfig.RealmIdentifier("caching", "test_realm"), globalSettings, - TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY)); + TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE); final CachingUsernamePasswordRealm realm = new CachingUsernamePasswordRealm(config, threadPool) { @Override protected void doAuthenticate(UsernamePasswordToken token, ActionListener listener) { 
@@ -479,7 +480,7 @@ public void testUnauthenticatedResultPropagatesWithSameCreds() throws Exception final Hasher pwdHasher = Hasher.resolve(randomFrom("pbkdf2", "pbkdf2_1000", "bcrypt", "bcrypt9")); final String passwordHash = new String(pwdHasher.hash(password)); RealmConfig config = new RealmConfig(new RealmConfig.RealmIdentifier("caching", "test_realm"), globalSettings, - TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY)); + TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE); final int numberOfProcessors = Runtime.getRuntime().availableProcessors(); final int numberOfThreads = scaledRandomIntBetween((numberOfProcessors + 1) / 2, numberOfProcessors * 3); @@ -562,7 +563,7 @@ public void testCacheConcurrency() throws Exception { final Hasher localHasher = Hasher.resolve(randomFrom("pbkdf2", "pbkdf2_1000", "bcrypt", "bcrypt9")); final String passwordHash = new String(localHasher.hash(password)); RealmConfig config = new RealmConfig(new RealmConfig.RealmIdentifier("caching", "test_realm"), globalSettings, - TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY)); + TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE); final CachingUsernamePasswordRealm realm = new CachingUsernamePasswordRealm(config, threadPool) { @Override protected void doAuthenticate(UsernamePasswordToken token, ActionListener listener) { 
@@ -630,7 +631,7 @@ public void testUserLookupConcurrency() throws Exception { final AtomicInteger lookupCounter = new AtomicInteger(0); RealmConfig config = new RealmConfig(new RealmConfig.RealmIdentifier("caching", "test_realm"), globalSettings, - TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY)); + TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE); final CachingUsernamePasswordRealm realm = new CachingUsernamePasswordRealm(config, threadPool) { @Override protected void doAuthenticate(UsernamePasswordToken token, ActionListener listener) { @@ -693,7 +694,7 @@ public void testAuthenticateDisabled() throws Exception { .build(); final Environment env = TestEnvironment.newEnvironment(settings); final ThreadContext threadContext = new ThreadContext(settings); - final RealmConfig config = new RealmConfig(realmId, settings, env, threadContext); + final RealmConfig config = new RealmConfig(realmId, settings, env, threadContext, Integer.MAX_VALUE); final AlwaysAuthenticateCachingRealm realm = new AlwaysAuthenticateCachingRealm(config, threadPool); final UsernamePasswordToken token = new UsernamePasswordToken("phil", new SecureString("tahiti")); @@ -719,7 +720,7 @@ static class FailingAuthenticationRealm extends CachingUsernamePasswordRealm { FailingAuthenticationRealm(Settings global, ThreadPool threadPool) { super(new RealmConfig(new RealmConfig.RealmIdentifier("caching", "failing-test"), global, TestEnvironment.newEnvironment(global), - threadPool.getThreadContext()), threadPool); + threadPool.getThreadContext(), Integer.MAX_VALUE), threadPool); } @Override 
@@ -738,7 +739,7 @@ static class ThrowingAuthenticationRealm extends CachingUsernamePasswordRealm { ThrowingAuthenticationRealm(Settings globalSettings, ThreadPool threadPool) { super(new RealmConfig(new RealmConfig.RealmIdentifier("caching", "throwing-test"), globalSettings, TestEnvironment.newEnvironment(globalSettings), - threadPool.getThreadContext()), threadPool); + threadPool.getThreadContext(), Integer.MAX_VALUE), threadPool); } @Override @@ -762,7 +763,7 @@ static class AlwaysAuthenticateCachingRealm extends CachingUsernamePasswordRealm AlwaysAuthenticateCachingRealm(Settings globalSettings, ThreadPool threadPool) { this(new RealmConfig(new RealmConfig.RealmIdentifier("caching", "always-test"), globalSettings, TestEnvironment.newEnvironment(globalSettings), - threadPool.getThreadContext()), threadPool); + threadPool.getThreadContext(), Integer.MAX_VALUE), threadPool); } AlwaysAuthenticateCachingRealm(RealmConfig config, ThreadPool threadPool) { diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/DelegatedAuthorizationSupportTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/DelegatedAuthorizationSupportTests.java index 20a8d8b27c3d1..9c82b826c3b22 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/DelegatedAuthorizationSupportTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/DelegatedAuthorizationSupportTests.java @@ -68,7 +68,7 @@ private RealmConfig buildRealmConfig(String name, Settings settings) { .normalizePrefix("xpack.security.authc.realms.test." + name + ".") .put(globalSettings) .build(), - env, threadContext); + env, threadContext, Integer.MAX_VALUE); } public void testEmptyDelegationList() throws ExecutionException, InterruptedException { 
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/DnRoleMapperTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/DnRoleMapperTests.java index 2f62c35ba1130..f2dd0ff6f1b40 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/DnRoleMapperTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/DnRoleMapperTests.java @@ -298,7 +298,7 @@ public void testYaml() throws Exception { .put(getFullSettingKey(realmIdentifier, DnRoleMapperSettings.ROLE_MAPPING_FILE_SETTING), file.toAbsolutePath()) .build(); RealmConfig config = new RealmConfig(realmIdentifier, ldapSettings, - TestEnvironment.newEnvironment(settings), new ThreadContext(Settings.EMPTY)); + TestEnvironment.newEnvironment(settings), new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE); DnRoleMapper mapper = new DnRoleMapper(config, new ResourceWatcherService(settings, threadPool)); @@ -315,7 +315,7 @@ public void testRelativeDN() { .put(getFullSettingKey(realmIdentifier, DnRoleMapperSettings.USE_UNMAPPED_GROUPS_AS_ROLES_SETTING), true) .build(); RealmConfig config = new RealmConfig(realmIdentifier, ldapSettings, - TestEnvironment.newEnvironment(settings), new ThreadContext(Settings.EMPTY)); + TestEnvironment.newEnvironment(settings), new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE); DnRoleMapper mapper = new DnRoleMapper(config, new ResourceWatcherService(settings, threadPool)); 
@@ -332,7 +332,7 @@ public void testUserDNMapping() throws Exception { .put(getFullSettingKey(realmIdentifier, DnRoleMapperSettings.USE_UNMAPPED_GROUPS_AS_ROLES_SETTING), false) .build(); RealmConfig config = new RealmConfig(realmIdentifier, ldapSettings, - TestEnvironment.newEnvironment(settings), new ThreadContext(Settings.EMPTY)); + TestEnvironment.newEnvironment(settings), new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE); DnRoleMapper mapper = new DnRoleMapper(config, new ResourceWatcherService(settings, threadPool)); @@ -346,7 +346,7 @@ protected DnRoleMapper createMapper(Path file, ResourceWatcherService watcherSer .put(settings) .put(getFullSettingKey(identifier, DnRoleMapperSettings.ROLE_MAPPING_FILE_SETTING), file.toAbsolutePath()) .build(); - RealmConfig config = new RealmConfig(identifier, mergedSettings, env, new ThreadContext(Settings.EMPTY)); + RealmConfig config = new RealmConfig(identifier, mergedSettings, env, new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE); return new DnRoleMapper(config, watcherService); } } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/RealmUserLookupTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/RealmUserLookupTests.java index 7e0ade512bf5f..83e2d8a943ad9 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/RealmUserLookupTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/RealmUserLookupTests.java 
@@ -85,7 +85,8 @@ public void testUserNotFound() throws Exception { } public void testRealmException() { - final Realm realm = new Realm(new RealmConfig(new RealmIdentifier("test", "test"), globalSettings, env, threadContext)) { + final Realm realm = new Realm(new RealmConfig(new RealmIdentifier("test", "test"), globalSettings, env, threadContext, + Integer.MAX_VALUE)) { @Override public boolean supports(AuthenticationToken token) { return false; @@ -116,7 +117,8 @@ public void lookupUser(String username, ActionListener listener) { private List buildRealms(int realmCount) { final List realms = new ArrayList<>(realmCount); for (int i = 1; i <= realmCount; i++) { - final RealmConfig config = new RealmConfig(new RealmIdentifier("mock","lookup-" + i), globalSettings, env, threadContext); + final RealmConfig config = new RealmConfig(new RealmIdentifier("mock","lookup-" + i), globalSettings, env, + threadContext, Integer.MAX_VALUE); final MockLookupRealm realm = new MockLookupRealm(config); for (int j = 0; j < 5; j++) { realm.registerUser(new User(randomAlphaOfLengthBetween(6, 12))); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/RoleMappingFileBootstrapCheckTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/RoleMappingFileBootstrapCheckTests.java index 823ac5c02dae9..063ef37879af2 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/RoleMappingFileBootstrapCheckTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/RoleMappingFileBootstrapCheckTests.java 
@@ -55,7 +55,8 @@ public void testBootstrapCheckOfValidFile() { } private static RealmConfig getRealmConfig(Settings settings) { - return new RealmConfig(REALM_ID, settings, TestEnvironment.newEnvironment(settings), new ThreadContext(Settings.EMPTY)); + return new RealmConfig(REALM_ID, settings, TestEnvironment.newEnvironment(settings), new ThreadContext(Settings.EMPTY), + Integer.MAX_VALUE); } public void testBootstrapCheckOfMissingFile() { diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/mapper/ExpressionRoleMappingTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/mapper/ExpressionRoleMappingTests.java index 3b67fb1954c2e..a0f09e8054b45 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/mapper/ExpressionRoleMappingTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/mapper/ExpressionRoleMappingTests.java @@ -58,7 +58,7 @@ public class ExpressionRoleMappingTests extends ESTestCase { @Before public void setupMapping() throws Exception { realm = new RealmConfig(new RealmConfig.RealmIdentifier("ldap", "ldap1"), - Settings.EMPTY, Mockito.mock(Environment.class), new ThreadContext(Settings.EMPTY)); + Settings.EMPTY, Mockito.mock(Environment.class), new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE); } public void testValidExpressionWithFixedRoleNames() throws Exception { diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/mapper/NativeRoleMappingStoreTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/mapper/NativeRoleMappingStoreTests.java index a7af38a05379a..665dccac9cfdc 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/mapper/NativeRoleMappingStoreTests.java 
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/mapper/NativeRoleMappingStoreTests.java @@ -101,7 +101,7 @@ protected void loadMappings(ActionListener> listener }; final RealmConfig realm = new RealmConfig(new RealmConfig.RealmIdentifier("ldap", "ldap1"), Settings.EMPTY, - mock(Environment.class), new ThreadContext(Settings.EMPTY)); + mock(Environment.class), new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE); final PlainActionFuture> future = new PlainActionFuture<>(); final UserRoleMapper.UserData user = new UserRoleMapper.UserData("sasquatch", @@ -235,7 +235,7 @@ private NativeRoleMappingStore buildRoleMappingStoreForInvalidationTesting(Atomi if (attachRealm) { final Environment env = TestEnvironment.newEnvironment(settings); final RealmConfig.RealmIdentifier identifier = new RealmConfig.RealmIdentifier("ldap", realmName); - final RealmConfig realmConfig = new RealmConfig(identifier, settings, env, threadContext); + final RealmConfig realmConfig = new RealmConfig(identifier, settings, env, threadContext, Integer.MAX_VALUE); final CachingUsernamePasswordRealm mockRealm = new CachingUsernamePasswordRealm(realmConfig, threadPool) { @Override protected void doAuthenticate(UsernamePasswordToken token, ActionListener listener) { From 71bfb3e4a851386fddda7803900fa3c8e6da970c Mon Sep 17 00:00:00 2001 From: Yang Wang Date: Mon, 20 Jan 2020 00:47:35 +1100 Subject: [PATCH 04/24] Fix more tests for required order param --- .../org/elasticsearch/example/realm/CustomRealmTests.java | 4 ++-- .../example/realm/CustomRoleMappingRealmTests.java | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/x-pack/qa/security-example-spi-extension/src/test/java/org/elasticsearch/example/realm/CustomRealmTests.java b/x-pack/qa/security-example-spi-extension/src/test/java/org/elasticsearch/example/realm/CustomRealmTests.java index cc7579df27fb3..0553e80db0e8c 100644 
--- a/x-pack/qa/security-example-spi-extension/src/test/java/org/elasticsearch/example/realm/CustomRealmTests.java +++ b/x-pack/qa/security-example-spi-extension/src/test/java/org/elasticsearch/example/realm/CustomRealmTests.java @@ -23,7 +23,7 @@ public class CustomRealmTests extends ESTestCase { public void testAuthenticate() { Settings globalSettings = Settings.builder().put("path.home", createTempDir()).build(); CustomRealm realm = new CustomRealm(new RealmConfig(new RealmConfig.RealmIdentifier(CustomRealm.TYPE, "test"), - globalSettings, TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings))); + globalSettings, TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings), Integer.MAX_VALUE)); SecureString password = CustomRealm.KNOWN_PW.clone(); UsernamePasswordToken token = new UsernamePasswordToken(CustomRealm.KNOWN_USER, password); PlainActionFuture plainActionFuture = new PlainActionFuture<>(); @@ -37,7 +37,7 @@ public void testAuthenticate() { public void testAuthenticateBadUser() { Settings globalSettings = Settings.builder().put("path.home", createTempDir()).build(); CustomRealm realm = new CustomRealm(new RealmConfig(new RealmConfig.RealmIdentifier(CustomRealm.TYPE, "test"), - globalSettings, TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings))); + globalSettings, TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings), Integer.MAX_VALUE)); SecureString password = CustomRealm.KNOWN_PW.clone(); UsernamePasswordToken token = new UsernamePasswordToken(CustomRealm.KNOWN_USER + "1", password); PlainActionFuture plainActionFuture = new PlainActionFuture<>(); diff --git a/x-pack/qa/security-example-spi-extension/src/test/java/org/elasticsearch/example/realm/CustomRoleMappingRealmTests.java b/x-pack/qa/security-example-spi-extension/src/test/java/org/elasticsearch/example/realm/CustomRoleMappingRealmTests.java index 4057f2636d08f..7a61201ca754a 100644 
--- a/x-pack/qa/security-example-spi-extension/src/test/java/org/elasticsearch/example/realm/CustomRoleMappingRealmTests.java +++ b/x-pack/qa/security-example-spi-extension/src/test/java/org/elasticsearch/example/realm/CustomRoleMappingRealmTests.java @@ -32,7 +32,7 @@ public void testCachingOfUserLookup() throws Exception { final UserRoleMapper roleMapper = mock(UserRoleMapper.class); final RealmConfig realmConfig = new RealmConfig( new RealmConfig.RealmIdentifier(CustomRoleMappingRealm.TYPE, "test"), - env.settings(), env, new ThreadContext(env.settings()) + env.settings(), env, new ThreadContext(env.settings()), Integer.MAX_VALUE ); CustomRoleMappingRealm realm = new CustomRoleMappingRealm(realmConfig, roleMapper); From 53701636b31b521b736007d1367645ad5643683b Mon Sep 17 00:00:00 2001 From: Yang Wang Date: Mon, 20 Jan 2020 08:56:09 +1100 Subject: [PATCH 05/24] Fix ci/2 failures --- .../authc/ldap/GroupsResolverTestCase.java | 3 ++- .../org/elasticsearch/test/OpenLdapTests.java | 16 ++++++++-------- .../OpenLdapUserSearchSessionFactoryTests.java | 2 +- 3 files changed, 11 insertions(+), 10 deletions(-) diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/GroupsResolverTestCase.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/GroupsResolverTestCase.java index a4557171fe48b..a7727fb8b1fb4 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/GroupsResolverTestCase.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/GroupsResolverTestCase.java 
@@ -32,7 +32,8 @@ protected static RealmConfig config(RealmConfig.RealmIdentifier realmId, Setting if (settings.hasValue("path.home") == false) { settings = Settings.builder().put(settings).put("path.home", createTempDir()).build(); } - return new RealmConfig(realmId, settings, TestEnvironment.newEnvironment(settings), new ThreadContext(Settings.EMPTY)); + return new RealmConfig(realmId, settings, TestEnvironment.newEnvironment(settings), new ThreadContext(Settings.EMPTY), + Integer.MAX_VALUE); } protected abstract String ldapUrl(); diff --git a/x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/test/OpenLdapTests.java b/x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/test/OpenLdapTests.java index 2e9ecdfbc67f4..b020869c0698b 100644 --- a/x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/test/OpenLdapTests.java +++ b/x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/test/OpenLdapTests.java @@ -112,7 +112,7 @@ public void testConnect() throws Exception { final RealmConfig.RealmIdentifier realmId = new RealmConfig.RealmIdentifier("ldap", "oldap-test"); RealmConfig config = new RealmConfig(realmId, buildLdapSettings(realmId, OPEN_LDAP_DNS_URL, userTemplate, groupSearchBase, LdapSearchScope.ONE_LEVEL), - TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY)); + TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE); LdapSessionFactory sessionFactory = new LdapSessionFactory(config, sslService, threadPool); String[] users = new String[]{"blackwidow", "cap", "hawkeye", "hulk", "ironman", "thor"}; 
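Review bot: `Integer.MAX_VALUE` is passed as a bare literal in this shared `config(...)` helper, and the same literal is repeated in every other test fixup in this series, with nothing saying why that value was chosen. A named constant in this base class, e.g. `private static final int TEST_REALM_ORDER = Integer.MAX_VALUE; // order is irrelevant to these tests, but the constructor requires one`, would state the intent and give the other test classes one place to reference. If a future change makes the explicit-order constructor validate its argument, a single constant is also far easier to adjust than dozens of literals.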
@@ -132,7 +132,7 @@ public void testGroupSearchScopeBase() throws Exception { final RealmConfig.RealmIdentifier realmId = new RealmConfig.RealmIdentifier("ldap", REALM_NAME); RealmConfig config = new RealmConfig(realmId, buildLdapSettings(realmId, OPEN_LDAP_DNS_URL, userTemplate, groupSearchBase, LdapSearchScope.BASE), - TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY)); + TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE); LdapSessionFactory sessionFactory = new LdapSessionFactory(config, sslService, threadPool); String[] users = new String[]{"blackwidow", "cap", "hawkeye", "hulk", "ironman", "thor"}; @@ -153,7 +153,7 @@ public void testCustomFilter() throws Exception { .put(getFullSettingKey(realmId.getName(), SearchGroupsResolverSettings.USER_ATTRIBUTE), "uid") .build(); RealmConfig config = new RealmConfig(realmId, settings, - TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY)); + TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE); LdapSessionFactory sessionFactory = new LdapSessionFactory(config, sslService, threadPool); try (LdapSession ldap = session(sessionFactory, "selvig", PASSWORD_SECURE_STRING)) { @@ -171,7 +171,7 @@ public void testStandardLdapConnectionHostnameVerificationFailure() throws Excep .put(buildLdapSettings(realmId, OPEN_LDAP_IP_URL, userTemplate, groupSearchBase, LdapSearchScope.ONE_LEVEL)) .build(); final Environment env = TestEnvironment.newEnvironment(globalSettings); - RealmConfig config = new RealmConfig(realmId, settings, env, new ThreadContext(Settings.EMPTY)); + RealmConfig config = new RealmConfig(realmId, settings, env, new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE); LdapSessionFactory sessionFactory = new LdapSessionFactory(config, sslService, threadPool); String user = "blackwidow"; 
@@ -194,7 +194,7 @@ public void testStandardLdapConnectionHostnameVerificationSuccess() throws Excep .build(); RealmConfig config = new RealmConfig(realmId, settings, - TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY)); + TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE); LdapSessionFactory sessionFactory = new LdapSessionFactory(config, sslService, threadPool); final String user = "blackwidow"; @@ -211,7 +211,7 @@ public void testResolveSingleValuedAttributeFromConnection() throws Exception { "cn", "sn") .build(); final RealmConfig config = new RealmConfig(realmId, settings, - TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY)); + TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE); LdapMetaDataResolver resolver = new LdapMetaDataResolver(config, true); try (LDAPConnection ldapConnection = setupOpenLdapConnection()) { final Map map = resolve(ldapConnection, resolver); @@ -228,7 +228,7 @@ public void testResolveMultiValuedAttributeFromConnection() throws Exception { "objectClass") .build(); final RealmConfig config = new RealmConfig(realmId, settings, - TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY)); + TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE); LdapMetaDataResolver resolver = new LdapMetaDataResolver(config, true); try (LDAPConnection ldapConnection = setupOpenLdapConnection()) { final Map map = resolve(ldapConnection, resolver); 
@@ -245,7 +245,7 @@ public void testResolveMissingAttributeFromConnection() throws Exception { "alias") .build(); final RealmConfig config = new RealmConfig(realmId, settings, - TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY)); + TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE); LdapMetaDataResolver resolver = new LdapMetaDataResolver(config, true); try (LDAPConnection ldapConnection = setupOpenLdapConnection()) { final Map map = resolve(ldapConnection, resolver); diff --git a/x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/xpack/security/authc/ldap/OpenLdapUserSearchSessionFactoryTests.java b/x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/xpack/security/authc/ldap/OpenLdapUserSearchSessionFactoryTests.java index 74396e3ff9837..7ab5b60936c61 100644 --- a/x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/xpack/security/authc/ldap/OpenLdapUserSearchSessionFactoryTests.java +++ b/x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/xpack/security/authc/ldap/OpenLdapUserSearchSessionFactoryTests.java @@ -92,7 +92,7 @@ public void testUserSearchWithBindUserOpenLDAP() throws Exception { } final Settings settings = realmSettings.put(globalSettings).build(); RealmConfig config = new RealmConfig(realmId, settings, - TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings)); + TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings), Integer.MAX_VALUE); SSLService sslService = new SSLService(TestEnvironment.newEnvironment(settings)); From 7fa20a3d6d42d21b252b0279bf576d55db76b4b2 Mon Sep 17 00:00:00 2001 From: Yang Wang Date: Mon, 20 Jan 2020 09:59:57 +1100 Subject: [PATCH 06/24] Fix more require order parameter failure --- .../authc/ldap/ADLdapUserSearchSessionFactoryTests.java | 2 +- .../security/authc/ldap/ActiveDirectorySessionFactoryTests.java | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ADLdapUserSearchSessionFactoryTests.java b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ADLdapUserSearchSessionFactoryTests.java index 54e6cd1e0ed0b..2e0e604935b16 100644 --- a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ADLdapUserSearchSessionFactoryTests.java +++ b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ADLdapUserSearchSessionFactoryTests.java @@ -79,7 +79,7 @@ public void testUserSearchWithActiveDirectory() throws Exception { Settings fullSettings = builder.build(); sslService = new SSLService(TestEnvironment.newEnvironment(fullSettings)); RealmConfig config = new RealmConfig(new RealmConfig.RealmIdentifier("ldap", "ad-as-ldap-test"), fullSettings, - TestEnvironment.newEnvironment(fullSettings), new ThreadContext(fullSettings)); + TestEnvironment.newEnvironment(fullSettings), new ThreadContext(fullSettings), Integer.MAX_VALUE); LdapUserSearchSessionFactory sessionFactory = getLdapUserSearchSessionFactory(config, sslService, threadPool); String user = "Bruce Banner"; diff --git a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectorySessionFactoryTests.java b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectorySessionFactoryTests.java index 65936248b4db5..ef3a2eb50d5ae 100644 --- a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectorySessionFactoryTests.java +++ b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectorySessionFactoryTests.java 
@@ -95,7 +95,7 @@ private RealmConfig configureRealm(String name, String type, Settings settings) final Environment env = TestEnvironment.newEnvironment(mergedSettings); this.sslService = new SSLService(env); final RealmConfig.RealmIdentifier identifier = new RealmConfig.RealmIdentifier(type, name); - return new RealmConfig(identifier, mergedSettings, env, new ThreadContext(globalSettings)); + return new RealmConfig(identifier, mergedSettings, env, new ThreadContext(globalSettings), Integer.MAX_VALUE); } public void testNetbiosAuth() throws Exception { From 3d724e84eb91c87f7ed3a9387fb0232b088be289 Mon Sep 17 00:00:00 2001 From: Yang Wang Date: Mon, 20 Jan 2020 22:41:07 +1100 Subject: [PATCH 07/24] Enforce no same order for realms. Add tests for mandatory order setting of RealmConfig. Fix broken tests due to unique order setting requirement. --- .../core/security/authc/RealmConfig.java | 20 ++++---- .../core/security/authc/RealmConfigTests.java | 51 +++++++++++++++++++ .../xpack/security/authc/Realms.java | 17 ++++++- .../test/SecuritySettingsSource.java | 6 +-- .../xpack/security/authc/RealmsTests.java | 26 ++-------- 5 files changed, 86 insertions(+), 34 deletions(-) create mode 100644 x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/RealmConfigTests.java diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/RealmConfig.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/RealmConfig.java index ef65ae0464d37..f9e93212b8091 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/RealmConfig.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/RealmConfig.java 
@@ -24,25 +24,27 @@ public class RealmConfig {
 private final ThreadContext threadContext;
 
 public RealmConfig(RealmIdentifier identifier, Settings settings, Environment env, ThreadContext threadContext) {
- this(identifier, settings, env, threadContext, null);
- }
-
- public RealmConfig(RealmIdentifier identifier, Settings settings, Environment env, ThreadContext threadContext, Integer order) {
 this.identifier = identifier;
 this.settings = settings;
 this.env = env;
+ this.threadContext = threadContext;
 this.enabled = getSetting(RealmSettings.ENABLED_SETTING);
- if (order != null) {
- this.order = order;
- } else if (order == null && hasSetting(RealmSettings.ORDER_SETTING.apply(type())) == false) {
+ if (hasSetting(RealmSettings.ORDER_SETTING.apply(type())) == false) {
 throw new IllegalArgumentException("'order' is a mandatory parameter for realm config. " +
 "Found invalid realm config: '" + identifier.name + "'\n" +
 "Please see the breaking changes documentation."
 );
- } else {
- this.order = getSetting(RealmSettings.ORDER_SETTING);
 }
+ this.order = getSetting(RealmSettings.ORDER_SETTING);
+ }
+
+ public RealmConfig(RealmIdentifier identifier, Settings settings, Environment env, ThreadContext threadContext, int order) {
+ this.identifier = identifier;
+ this.settings = settings;
+ this.env = env;
 this.threadContext = threadContext;
+ this.enabled = getSetting(RealmSettings.ENABLED_SETTING);
+ this.order = order;
 }
 
 public RealmIdentifier identifier() {
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/RealmConfigTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/RealmConfigTests.java
new file mode 100644
index 0000000000000..5bc1e28471d39
--- /dev/null
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/RealmConfigTests.java
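Review bot: The new `int order` constructor never consults the `order` setting, so a realm built through it with settings that also carry `xpack.security.authc.realms.<type>.<name>.order` silently uses the caller's value and the configured one is ignored, and nothing in the hunk documents that or guards against it. I would add a Javadoc on the five-argument constructor along the lines of `Creates a config whose order is supplied by the caller instead of being read from settings; intended for realms the node creates itself (see Realms.addNativeRealms). Any configured order setting is ignored.`, and consider rejecting or at least logging a conflicting setting so an operator's value cannot vanish unnoticed. The two constructors also now duplicate four field assignments; a private static helper that resolves the order from settings would let the four-argument constructor chain to the five-argument one. The exception in the four-argument path names only `identifier.name`; including the full setting key the operator must add would make the message actionable. The rest of `RealmConfig` lies outside the hunk.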
@@ -0,0 +1,51 @@
+/*
+ *
+ * * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * * or more contributor license agreements. Licensed under the Elastic License;
+ * * you may not use this file except in compliance with the Elastic License.
+ *
+ */
+
+package org.elasticsearch.xpack.core.security.authc;
+
+import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.common.util.concurrent.ThreadContext;
+import org.elasticsearch.env.Environment;
+import org.elasticsearch.test.ESTestCase;
+import org.junit.Before;
+import org.mockito.Mockito;
+
+import static org.hamcrest.Matchers.containsString;
+
+public class RealmConfigTests extends ESTestCase {
+
+ private RealmConfig.RealmIdentifier realmIdentifier;
+ private Settings globalSettings;
+ private Environment environment;
+ private ThreadContext threadContext;
+
+ @Before
+ public void setUp() throws Exception {
+ realmIdentifier = new RealmConfig.RealmIdentifier(randomAlphaOfLengthBetween(4, 12), randomAlphaOfLengthBetween(4,12));
+ environment = Mockito.mock(Environment.class);
+ globalSettings = Settings.builder().put("path.home", createTempDir()).build();
+ threadContext = new ThreadContext(globalSettings);
+ super.setUp();
+ }
+
+ public void testWillPassWhenOrderSettingIsConfigured() {
+ Settings settings = Settings.builder()
+ .put(globalSettings)
+ .put(RealmSettings.realmSettingPrefix(realmIdentifier) + "order", 0)
+ .build();
+
+ RealmConfig realmConfig = new RealmConfig(realmIdentifier, settings, environment, threadContext);
+ assertEquals(0, realmConfig.order);
+ }
+
+ public void testWillFailWhenOrderSettingIsMissing() {
+ Settings settings = Settings.builder().put(globalSettings).build();
+ var e = expectThrows(IllegalArgumentException.class, () -> new RealmConfig(realmIdentifier, settings, environment, threadContext));
+ assertThat(e.getMessage(), containsString("'order' is a mandatory parameter for realm config"));
+ }
+}
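Review bot: Neither test exercises the five-argument constructor introduced in the same commit, so the contract between an explicit order and an `order` setting (explicit wins, or the setting must be absent) is unpinned; a test such as `RealmConfig config = new RealmConfig(realmIdentifier, settings, environment, threadContext, 7); assertEquals(7, config.order);` with `settings` carrying `order` 0 would fix whichever behaviour is intended. `setUp` does its own work before calling `super.setUp()`; the usual ordering is superclass first so framework state is initialised before `createTempDir()` and the random helpers run, and if the reverse is deliberate a one-line comment should say so. The license header carries a doubled ` * *` prefix on its three text lines, which looks like a paste artefact, and `randomAlphaOfLengthBetween(4,12)` is missing the space after the comma.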
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/Realms.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/Realms.java
index 66e275358debb..86cc21496bc74 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/Realms.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/Realms.java
@@ -186,6 +186,7 @@ protected List initRealms() throws Exception {
 List realms = new ArrayList<>();
 List kerberosRealmNames = new ArrayList<>();
 Map> nameToRealmIdentifier = new HashMap<>();
+ Map> orderToRealmIdentifier = new HashMap<>();
 for (RealmConfig.RealmIdentifier identifier: realmsSettings.keySet()) {
 Realm.Factory factory = factories.get(identifier.getType());
 if (factory == null) {
@@ -218,9 +219,13 @@ protected List initRealms() throws Exception {
 Realm realm = factory.create(config);
 nameToRealmIdentifier.computeIfAbsent(realm.name(), k -> new HashSet<>())
 .add(RealmSettings.realmSettingPrefix(realm.type()) + realm.name());
+ orderToRealmIdentifier.computeIfAbsent(realm.order(), k -> new HashSet<>())
+ .add(RealmSettings.realmSettingPrefix(realm.type()) + realm.name());
 realms.add(realm);
 }
 
+ ensureNoDuplicateOrders(orderToRealmIdentifier);
+
 if (!realms.isEmpty()) {
 Collections.sort(realms);
 } else {
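Review bot: `orderToRealmIdentifier` is only populated after `factory.create(config)` has run for every configured realm, so every realm — including types whose constructors may open connections or start file watchers — is fully built before `ensureNoDuplicateOrders` rejects the configuration. The order is already known from `config` before the factory call, so the map can be filled and the check run ahead of realm creation, failing fast without constructing anything; if realm construction is known to be side-effect free this is moot, but the hunk does not show that. Whether disabled realms are skipped earlier in this loop is outside the hunk; if they are, two disabled realms sharing an order will pass silently, which should be stated in a comment or covered by a test. `initRealms` starts and ends outside the hunk.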
@@ -313,7 +318,17 @@ private void addNativeRealms(List realms) throws Exception {
 if (indexRealmFactory != null) {
 realms.add(indexRealmFactory.create(new RealmConfig(
 new RealmConfig.RealmIdentifier(NativeRealmSettings.TYPE, "default_" + NativeRealmSettings.TYPE),
- settings, env, threadContext, Integer.MIN_VALUE)));
+ settings, env, threadContext, Integer.MIN_VALUE + 1)));
+ }
+ }
+
+ private void ensureNoDuplicateOrders(Map> orderToRealmIdentifier) {
+ String duplicateOrders = orderToRealmIdentifier.entrySet().stream()
+ .filter(entry -> entry.getValue().size() > 1)
+ .map(entry -> entry.getKey() + ": " + entry.getValue())
+ .collect(Collectors.joining("; "));
+ if (Strings.hasText(duplicateOrders)) {
+ throw new IllegalArgumentException("Found multiple realms configured with the same order: " + duplicateOrders + "");
 }
 }
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySettingsSource.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySettingsSource.java
index 973eadcc3c846..d71eba9b56c14 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySettingsSource.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySettingsSource.java
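Review bot: `Integer.MIN_VALUE + 1` for the default native realm is an unexplained magic value; presumably the default file realm takes `Integer.MIN_VALUE` (that part of `addNativeRealms` is not visible here), so both should become named constants with a comment, e.g. `private static final int DEFAULT_FILE_REALM_ORDER = Integer.MIN_VALUE; private static final int DEFAULT_NATIVE_REALM_ORDER = Integer.MIN_VALUE + 1;`. As far as the hunks show, `ensureNoDuplicateOrders` only sees the realms collected in `initRealms`, not the ones appended here, so a user-configured realm at one of these orders would not be reported; either document that the defaults are exempt or include them in the check. In `ensureNoDuplicateOrders` the trailing `+ ""` is a no-op that should be dropped, and iterating a `HashMap` makes the order of reported collisions vary between runs — a `TreeMap` or a sorted stream would make the message deterministic and easier to assert on.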
@@ -141,8 +141,8 @@ public Settings nodeSettings(int nodeOrdinal) {
 .put(LoggingAuditTrail.EMIT_HOST_NAME_SETTING.getKey(), randomBoolean())
 .put(LoggingAuditTrail.EMIT_NODE_NAME_SETTING.getKey(), randomBoolean())
 .put(LoggingAuditTrail.EMIT_NODE_ID_SETTING.getKey(), randomBoolean())
- .put("xpack.security.authc.realms." + FileRealmSettings.TYPE + ".file.order", 0)
- .put("xpack.security.authc.realms." + NativeRealmSettings.TYPE + ".index.order", "1")
+ .put("xpack.security.authc.realms." + FileRealmSettings.TYPE + ".file.order", Integer.MIN_VALUE)
+ .put("xpack.security.authc.realms." + NativeRealmSettings.TYPE + ".index.order", String.valueOf(Integer.MIN_VALUE + 1))
 .put("xpack.license.self_generated.type", "trial");
 addNodeSSLSettings(builder);
 return builder.build();
@@ -185,7 +185,7 @@ protected String nodeClientUsername() {
 protected SecureString nodeClientPassword() {
 return new SecureString(TEST_PASSWORD.toCharArray());
 }
-
+
 public static void addSSLSettingsForNodePEMFiles(Settings.Builder builder, String prefix, boolean hostnameVerificationEnabled) {
 addSSLSettingsForPEMFiles(builder, prefix, "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem", "testnode",
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/RealmsTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/RealmsTests.java
index bce2e96bffd34..2a6891ab5dedc 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/RealmsTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/RealmsTests.java
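Review bot: The two new values are written inconsistently — the file order is passed as the int `Integer.MIN_VALUE` while the native order goes through `String.valueOf(Integer.MIN_VALUE + 1)`; `Settings.Builder.put` accepts either form, so use the same one for both. These numbers also restate the defaults that `Realms.addNativeRealms` hard-codes for the node-created realms (the native one is visible in this series); if those are extracted to named constants, this test source should reference them rather than repeat the arithmetic so the two cannot silently diverge. The second hunk only swaps a whitespace-only line and needs nothing further.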
@@ -65,7 +65,7 @@ public void init() throws Exception {
factories.put(FileRealmSettings.TYPE, config -> new DummyRealm(FileRealmSettings.TYPE, config));
factories.put(NativeRealmSettings.TYPE, config -> new DummyRealm(NativeRealmSettings.TYPE, config));
factories.put(KerberosRealmSettings.TYPE, config -> new DummyRealm(KerberosRealmSettings.TYPE, config));
- randomRealmTypesCount = randomIntBetween(1, 5);
+ randomRealmTypesCount = randomIntBetween(2, 5);
for (int i = 0; i < randomRealmTypesCount; i++) {
String name = "type_" + i;
factories.put(name, config -> new DummyRealm(name, config));
@@ -134,26 +134,10 @@ public void testWithSettingsWhereDifferentRealmsHaveSameOrder() throws Exception
}
Settings settings = builder.build();
Environment env = TestEnvironment.newEnvironment(settings);
- Realms realms = new Realms(settings, env, factories, licenseState, threadContext, reservedRealm);
-
- Iterator iterator = realms.iterator();
- assertThat(iterator.hasNext(), is(true));
- Realm realm = iterator.next();
- assertThat(realm, is(reservedRealm));
-
- // As order is same for all realms, it should fall back secondary comparison on name
- // Verify that realms are iterated in order based on name
- Iterator expectedSortedOrderNames = nameToRealmId.keySet().iterator();
- while (iterator.hasNext()) {
- realm = iterator.next();
- String expectedRealmName = expectedSortedOrderNames.next();
- assertThat(realm.order(), equalTo(1));
- assertThat(realm.type(), equalTo("type_" + nameToRealmId.get(expectedRealmName)));
- assertThat(realm.name(), equalTo(expectedRealmName));
- }
-
- assertThat(realms.getUnlicensedRealms(), empty());
- assertThat(realms.getUnlicensedRealms(), sameInstance(realms.getUnlicensedRealms()));
+ IllegalArgumentException e = expectThrows(IllegalArgumentException.class, () ->{
+ new Realms(settings, env, factories, licenseState, threadContext, reservedRealm);
+ });
+ assertThat(e.getMessage(), containsString("Found multiple realms configured with the same order"));
}
public void testWithSettingsWithMultipleInternalRealmsOfSameType() throws Exception {
From adca1bf64a18fbabb4f3f5f90b82d88d3bb8b5b0 Mon Sep 17 00:00:00 2001
From: Yang Wang
Date: Mon, 20 Jan 2020 23:41:48 +1100
Subject: [PATCH 08/24] Fix duplicate order for tests
---
.../xpack/security/authc/ldap/AbstractAdLdapRealmTestCase.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
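Review bot: The new assertion only checks the message prefix, so the test no longer proves which realms collided. Since every realm here is configured with order `1` (the removed `assertThat(realm.order(), equalTo(1))` shows this) and `ensureNoDuplicateOrders` formats each entry as `order: [names]`, asserting `containsString("1: ")` plus `containsString(name)` for each key of `nameToRealmId` would pin the check's output. As a point of style, the block lambda `() ->{ new Realms(...); }` can be the expression lambda `() -> new Realms(settings, env, factories, licenseState, threadContext, reservedRealm)`, and `->{` is missing the space used elsewhere in the hunk. The setup of `builder` and `nameToRealmId` is outside the hunk.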
diff --git a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/AbstractAdLdapRealmTestCase.java b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/AbstractAdLdapRealmTestCase.java index f7e35a1fdff82..6eeb16a615c7b 100644 --- a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/AbstractAdLdapRealmTestCase.java +++ b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/AbstractAdLdapRealmTestCase.java @@ -381,7 +381,7 @@ enum RealmConfig { } public Settings buildSettings(List certificateAuthorities) { - return buildSettings(certificateAuthorities, 1); + return buildSettings(certificateAuthorities, randomInt()); } From 0f60b225757fa08ed3c2082d38dd23b1123ca0cb Mon Sep 17 00:00:00 2001 From: Yang Wang Date: Mon, 20 Jan 2020 23:41:58 +1100 Subject: [PATCH 09/24] Add realm order to breaking change doc --- .../migration/migrate_8_0/security.asciidoc | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/docs/reference/migration/migrate_8_0/security.asciidoc b/docs/reference/migration/migrate_8_0/security.asciidoc index 7433250a6cbad..8771e0f78b964 100644 --- a/docs/reference/migration/migrate_8_0/security.asciidoc +++ b/docs/reference/migration/migrate_8_0/security.asciidoc @@ -6,6 +6,12 @@ //Installation and Upgrade Guide //tag::notable-breaking-changes[] +[float] +==== Mandatory realm order configuration + +The `order` setting is now mandatory and must be specified for each explicitly +configured realms. Their values must be unique. The cluster will fail to start if +the requirements are not met. // end::notable-breaking-changes[] 
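Review bot: `randomInt()` in `buildSettings` draws from the full `int` range, which includes `Integer.MIN_VALUE` and the values just above it that this series pins for the reserved realm and the default file/native realms (see the `ReservedRealm` and `Realms` changes in PATCH 18), as well as the `0` and `1` that `SecuritySettingsSource` assigns to the file and native realms. The collision probability is negligible, but the intent is a value distinct from those fixed orders, so a bounded draw such as `return buildSettings(certificateAuthorities, randomIntBetween(2, Integer.MAX_VALUE));` with a comment naming the reserved values makes that explicit and keeps the new duplicate-order check from ever tripping here. Whether this realm actually shares a node with those other realms depends on the rest of `AbstractAdLdapRealmTestCase`, which is outside the hunk.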
@@ -79,8 +85,8 @@ It is now an error to configure any SSL settings for For example, the following configuration is invalid: [source,yaml] -------------------------------------------------- -xpack.security.http.ssl.certificate: elasticsearch.crt -xpack.security.http.ssl.key: elasticsearch.key +xpack.security.http.ssl.certificate: elasticsearch.crt +xpack.security.http.ssl.key: elasticsearch.key xpack.security.http.ssl.certificate_authorities: [ "corporate-ca.crt" ] -------------------------------------------------- @@ -88,8 +94,8 @@ And must be configured as either: [source,yaml] -------------------------------------------------- xpack.security.http.ssl.enabled: true <1> -xpack.security.http.ssl.certificate: elasticsearch.crt -xpack.security.http.ssl.key: elasticsearch.key +xpack.security.http.ssl.certificate: elasticsearch.crt +xpack.security.http.ssl.key: elasticsearch.key xpack.security.http.ssl.certificate_authorities: [ "corporate-ca.crt" ] -------------------------------------------------- <1> or `false`. From 3cb7a83301c9574de80a204c0ef24a0de64f3e27 Mon Sep 17 00:00:00 2001 From: Yang Wang Date: Mon, 20 Jan 2020 23:54:41 +1100 Subject: [PATCH 10/24] Start updating docs for realm order --- docs/reference/settings/security-settings.asciidoc | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/docs/reference/settings/security-settings.asciidoc b/docs/reference/settings/security-settings.asciidoc index e5fc39ea9036a..3ec8420ba2a95 100644 --- a/docs/reference/settings/security-settings.asciidoc +++ b/docs/reference/settings/security-settings.asciidoc @@ -189,7 +189,7 @@ namespace in `elasticsearch.yml`. For example: xpack.security.authc.realms: native.realm1: <1> - order: 0 + order: 0 <2> ... ldap.realm2: 
@@ -204,6 +204,8 @@ xpack.security.authc.realms: <1> Specifies the type of realm (for example, `native`, `ldap`, `active_directory`, `pki`, `file`, `kerberos`, `saml`) and the realm name. This information is required. +<2> Specifies priority of a realm in the realm chain. This information +is required. The valid settings vary depending on the realm type. For more information, see <>. @@ -214,8 +216,7 @@ information, see <>. `order`:: The priority of the realm within the realm chain. Realms with a lower order are -consulted first. Although not required, use of this setting is strongly -recommended when you configure multiple realms. Defaults to `Integer.MAX_VALUE`. +consulted first. This setting is required. `enabled`:: Indicates whether a realm is enabled. You can use this setting to disable a From 22399cee002903d51c2d9a7b2edf66e801cc4b0c Mon Sep 17 00:00:00 2001 From: Yang Wang Date: Tue, 21 Jan 2020 15:56:32 +1100 Subject: [PATCH 11/24] Add missing order config in docs Also update descriptions --- .../migration/migrate_8_0/security.asciidoc | 25 ++++++++++++++++--- .../settings/security-settings.asciidoc | 2 +- .../configuring-ldap-realm.asciidoc | 1 + .../configuring-pki-realm.asciidoc | 2 ++ 4 files changed, 25 insertions(+), 5 deletions(-) diff --git a/docs/reference/migration/migrate_8_0/security.asciidoc b/docs/reference/migration/migrate_8_0/security.asciidoc index 8771e0f78b964..98b015c50f71e 100644 --- a/docs/reference/migration/migrate_8_0/security.asciidoc +++ b/docs/reference/migration/migrate_8_0/security.asciidoc 
@@ -7,11 +7,28 @@ //tag::notable-breaking-changes[] [float] -==== Mandatory realm order configuration +==== The realm `order` setting is required -The `order` setting is now mandatory and must be specified for each explicitly -configured realms. Their values must be unique. The cluster will fail to start if -the requirements are not met. +The `xpack.security.authc.realms.*.*.order` setting is now required and must be +specified for each explicitly configured realms. Their values must be unique. +The cluster will fail to start if the requirements are not met. + +For example, the following configuration is invalid: +[source,yaml] +-------------------------------------------------- +xpack.security.authc.relams.kerberos.kerb1: + keytab.path: es.keytab + remove_realm_name: false +-------------------------------------------------- + +And must be configured as: +[source,yaml] +-------------------------------------------------- +xpack.security.authc.relams.kerberos.kerb1: + order: 0 + keytab.path: es.keytab + remove_realm_name: false +-------------------------------------------------- // end::notable-breaking-changes[] diff --git a/docs/reference/settings/security-settings.asciidoc b/docs/reference/settings/security-settings.asciidoc index 3ec8420ba2a95..9400c9a921d2a 100644 --- a/docs/reference/settings/security-settings.asciidoc +++ b/docs/reference/settings/security-settings.asciidoc @@ -216,7 +216,7 @@ information, see <>. `order`:: The priority of the realm within the realm chain. Realms with a lower order are -consulted first. This setting is required. +consulted first. The value must be unique for each realm. This setting is required. `enabled`:: Indicates whether a realm is enabled. You can use this setting to disable a diff --git a/x-pack/docs/en/security/authentication/configuring-ldap-realm.asciidoc b/x-pack/docs/en/security/authentication/configuring-ldap-realm.asciidoc index 6dc67e4acdc75..edc80786f3add 100644 
--- a/x-pack/docs/en/security/authentication/configuring-ldap-realm.asciidoc +++ b/x-pack/docs/en/security/authentication/configuring-ldap-realm.asciidoc @@ -206,6 +206,7 @@ xpack: realms: ldap: ldap1: + order: 0 metadata: cn -------------------------------------------------- -- diff --git a/x-pack/docs/en/security/authentication/configuring-pki-realm.asciidoc b/x-pack/docs/en/security/authentication/configuring-pki-realm.asciidoc index 96dbf2a6eec44..0537b8a1bed87 100644 --- a/x-pack/docs/en/security/authentication/configuring-pki-realm.asciidoc +++ b/x-pack/docs/en/security/authentication/configuring-pki-realm.asciidoc @@ -61,6 +61,7 @@ xpack: realms: pki: pki1: + order: 1 username_pattern: "EMAILADDRESS=(.*?)(?:,|$)" ------------------------------------------------------------ @@ -118,6 +119,7 @@ xpack: realms: pki: pki1: + order: 1 truststore: path: "pki1_truststore.jks" ------------------------------------------------------------ From b439a49c8a68cf6dad8823261db77c44b7361326 Mon Sep 17 00:00:00 2001 From: Yang Wang Date: Wed, 22 Jan 2020 10:03:06 +1100 Subject: [PATCH 12/24] Update docs/reference/migration/migrate_8_0/security.asciidoc Co-Authored-By: Lisa Cawley --- docs/reference/migration/migrate_8_0/security.asciidoc | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/reference/migration/migrate_8_0/security.asciidoc b/docs/reference/migration/migrate_8_0/security.asciidoc index 98b015c50f71e..2c3d946d6bfa5 100644 --- a/docs/reference/migration/migrate_8_0/security.asciidoc +++ b/docs/reference/migration/migrate_8_0/security.asciidoc 
@@ -10,7 +10,7 @@ ==== The realm `order` setting is required The `xpack.security.authc.realms.*.*.order` setting is now required and must be -specified for each explicitly configured realms. Their values must be unique. +specified for each explicitly configured realm. Each value must be unique. The cluster will fail to start if the requirements are not met. For example, the following configuration is invalid: @@ -133,4 +133,3 @@ a certificate and key through use of the `xpack.security.http.ssl.keystore.path` setting or the `xpack.security.http.ssl.certificate` and `xpack.security.http.ssl.key` settings. - From a74482efa5defac9be29c193e7bc60a0426a9f31 Mon Sep 17 00:00:00 2001 From: Yang Wang Date: Wed, 22 Jan 2020 10:34:45 +1100 Subject: [PATCH 13/24] Update for docs feedback --- .../en/security/authentication/configuring-ldap-realm.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/docs/en/security/authentication/configuring-ldap-realm.asciidoc b/x-pack/docs/en/security/authentication/configuring-ldap-realm.asciidoc index edc80786f3add..a5ffd4fd77947 100644 --- a/x-pack/docs/en/security/authentication/configuring-ldap-realm.asciidoc +++ b/x-pack/docs/en/security/authentication/configuring-ldap-realm.asciidoc @@ -23,7 +23,7 @@ However, multiple bind operations might be needed to find the correct user DN. `xpack.security.authc.realms.ldap` namespace. At a minimum, you must specify the `url` of the LDAP server, and set `user_search.base_dn` to the container DN where the users are searched for. -If you are configuring multiple realms, you should also explicitly set the +If you are configuring multiple realms, you must also explicitly set the `order` attribute to control the order in which the realms are consulted during authentication. See <> for all of the options you can set for an `ldap` realm. From e0aa65bfb200d97013ada5a308a7f120e3f34a3f Mon Sep 17 00:00:00 2001 
From: Yang Wang Date: Wed, 22 Jan 2020 13:56:59 +1100 Subject: [PATCH 14/24] Update doc to address feedback --- .../en/security/authentication/configuring-pki-realm.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/docs/en/security/authentication/configuring-pki-realm.asciidoc b/x-pack/docs/en/security/authentication/configuring-pki-realm.asciidoc index 0537b8a1bed87..2bda15b6158ad 100644 --- a/x-pack/docs/en/security/authentication/configuring-pki-realm.asciidoc +++ b/x-pack/docs/en/security/authentication/configuring-pki-realm.asciidoc @@ -21,7 +21,7 @@ clients connect directly to {es}. . Add a realm configuration for a `pki` realm to `elasticsearch.yml` under the `xpack.security.authc.realms.pki` namespace. -If you are configuring multiple realms, you should +If you are configuring multiple realms, you must explicitly set the `order` attribute. See <> for all of the options you can set for a `pki` realm. + From 994c0af8d053c683eaca306770beaf3207c16dc5 Mon Sep 17 00:00:00 2001 From: Yang Wang Date: Wed, 22 Jan 2020 14:09:05 +1100 Subject: [PATCH 15/24] More wording changes based on feedback --- .../configuring-active-directory-realm.asciidoc | 2 +- .../security/authentication/configuring-ldap-realm.asciidoc | 2 +- .../docs/en/security/authentication/custom-realm.asciidoc | 6 +++--- .../docs/en/security/authentication/realm-chains.asciidoc | 4 ++-- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/x-pack/docs/en/security/authentication/configuring-active-directory-realm.asciidoc b/x-pack/docs/en/security/authentication/configuring-active-directory-realm.asciidoc index 6c76623dd4ea2..98de847bb4f42 100644 --- a/x-pack/docs/en/security/authentication/configuring-active-directory-realm.asciidoc +++ b/x-pack/docs/en/security/authentication/configuring-active-directory-realm.asciidoc 
@@ -4,7 +4,7 @@ realm and map Active Directory users and groups to roles in the role mapping fil . Add a realm configuration of type `active_directory` to `elasticsearch.yml` under the `xpack.security.authc.realms.active_directory` namespace. At a minimum, you must specify the Active Directory `domain_name`. -If you are configuring multiple realms, you should also +If you are configuring multiple realms, you must also explicitly set the `order` attribute to control the order in which the realms are consulted during authentication. + diff --git a/x-pack/docs/en/security/authentication/configuring-ldap-realm.asciidoc b/x-pack/docs/en/security/authentication/configuring-ldap-realm.asciidoc index a5ffd4fd77947..944db20e7b845 100644 --- a/x-pack/docs/en/security/authentication/configuring-ldap-realm.asciidoc +++ b/x-pack/docs/en/security/authentication/configuring-ldap-realm.asciidoc @@ -73,7 +73,7 @@ realms you specify are used for authentication. If you also want to use the .. Add a realm configuration to `elasticsearch.yml` in the `xpack.security.authc.realms.ldap` namespace. At a minimum, you must specify the `url` of the LDAP server, and specify at least one template with the -`user_dn_templates` option. If you are configuring multiple realms, you should +`user_dn_templates` option. If you are configuring multiple realms, you must also explicitly set the `order` attribute to control the order in which the realms are consulted during authentication. See <> for all of the options you can set for an `ldap` realm. diff --git a/x-pack/docs/en/security/authentication/custom-realm.asciidoc b/x-pack/docs/en/security/authentication/custom-realm.asciidoc index 3985e7457045f..336fba3f90683 100644 --- a/x-pack/docs/en/security/authentication/custom-realm.asciidoc +++ b/x-pack/docs/en/security/authentication/custom-realm.asciidoc 
@@ -89,11 +89,11 @@ under the `xpack.security.authc.realms` namespace. You must define your realm within the namespace that matchesto the type defined by the extension. The options you can set depend on the settings exposed by the custom realm. -If you are configuring multiple realms, you should also explicitly set the +If you are configuring multiple realms, you must also explicitly set the `order` attribute to control the order in which the realms are consulted during -authentication. You should make sure each configured realm has a distinct +authentication. You must make sure each configured realm has a distinct `order` setting. In the event that two or more realms have the same `order`, -they will be processed in realm `name` order. +the cluster will fail to start. + IMPORTANT: When you configure realms in `elasticsearch.yml`, only the realms you specify are used for authentication. If you also want to use the diff --git a/x-pack/docs/en/security/authentication/realm-chains.asciidoc b/x-pack/docs/en/security/authentication/realm-chains.asciidoc index a7d7166239aac..2bf9a97f3ff7c 100644 --- a/x-pack/docs/en/security/authentication/realm-chains.asciidoc +++ b/x-pack/docs/en/security/authentication/realm-chains.asciidoc @@ -5,9 +5,9 @@ <> live within a _realm chain_. It is essentially a prioritized list of configured realms (typically of various types). Realms are consulted in ascending order (that is to say, the realm with the lowest `order` value is -consulted first). You should make sure each configured realm has a distinct +consulted first). You must make sure each configured realm has a distinct `order` setting. In the event that two or more realms have the same `order`, -they are processed in `name` order. +the cluster will fail to start. During the authentication process, {stack} {security-features} consult and try to authenticate the request one realm at a time. Once one of the realms From da8e7e3bc0ab71c63ae7132cd4958c86e9d75167 Mon Sep 17 00:00:00 2001 
From: Yang Wang Date: Fri, 24 Jan 2020 11:26:24 +1100 Subject: [PATCH 16/24] Address feedback for docs --- docs/reference/migration/migrate_8_0/security.asciidoc | 4 ++-- .../configuring-active-directory-realm.asciidoc | 5 +---- .../authentication/configuring-ldap-realm.asciidoc | 7 +++---- .../authentication/configuring-pki-realm.asciidoc | 5 ++--- .../en/security/authentication/custom-realm.asciidoc | 9 ++++----- 5 files changed, 12 insertions(+), 18 deletions(-) diff --git a/docs/reference/migration/migrate_8_0/security.asciidoc b/docs/reference/migration/migrate_8_0/security.asciidoc index 2c3d946d6bfa5..7b1a698f3b974 100644 --- a/docs/reference/migration/migrate_8_0/security.asciidoc +++ b/docs/reference/migration/migrate_8_0/security.asciidoc @@ -16,7 +16,7 @@ The cluster will fail to start if the requirements are not met. For example, the following configuration is invalid: [source,yaml] -------------------------------------------------- -xpack.security.authc.relams.kerberos.kerb1: +xpack.security.authc.realms.kerberos.kerb1: keytab.path: es.keytab remove_realm_name: false -------------------------------------------------- @@ -24,7 +24,7 @@ xpack.security.authc.relams.kerberos.kerb1: And must be configured as: [source,yaml] -------------------------------------------------- -xpack.security.authc.relams.kerberos.kerb1: +xpack.security.authc.realms.kerberos.kerb1: order: 0 keytab.path: es.keytab remove_realm_name: false diff --git a/x-pack/docs/en/security/authentication/configuring-active-directory-realm.asciidoc b/x-pack/docs/en/security/authentication/configuring-active-directory-realm.asciidoc index 98de847bb4f42..57d4c46374df7 100644 --- a/x-pack/docs/en/security/authentication/configuring-active-directory-realm.asciidoc +++ b/x-pack/docs/en/security/authentication/configuring-active-directory-realm.asciidoc 
@@ -3,10 +3,7 @@ realm and map Active Directory users and groups to roles in the role mapping fil . Add a realm configuration of type `active_directory` to `elasticsearch.yml` under the `xpack.security.authc.realms.active_directory` namespace. -At a minimum, you must specify the Active Directory `domain_name`. -If you are configuring multiple realms, you must also -explicitly set the `order` attribute to control the order in which the realms -are consulted during authentication. +At a minimum, you must specify the Active Directory `domain_name` and `order`. + -- See <> for all of the options you can set for an diff --git a/x-pack/docs/en/security/authentication/configuring-ldap-realm.asciidoc b/x-pack/docs/en/security/authentication/configuring-ldap-realm.asciidoc index 944db20e7b845..5456e290d0ece 100644 --- a/x-pack/docs/en/security/authentication/configuring-ldap-realm.asciidoc +++ b/x-pack/docs/en/security/authentication/configuring-ldap-realm.asciidoc @@ -21,10 +21,9 @@ However, multiple bind operations might be needed to find the correct user DN. .. Add a realm configuration of to `elasticsearch.yml` under the `xpack.security.authc.realms.ldap` namespace. At a minimum, you must specify -the `url` of the LDAP server, and set `user_search.base_dn` to the container DN -where the users are searched for. -If you are configuring multiple realms, you must also explicitly set the -`order` attribute to control the order in which the realms are consulted during +the `url` and `order` of the LDAP server, and set `user_search.base_dn` to the +container DN where the users are searched for. +The `order` attribute to control the order in which the realms are consulted during authentication. See <> for all of the options you can set for an `ldap` realm. + diff --git a/x-pack/docs/en/security/authentication/configuring-pki-realm.asciidoc b/x-pack/docs/en/security/authentication/configuring-pki-realm.asciidoc index 2bda15b6158ad..b31383dd2e033 100644 
--- a/x-pack/docs/en/security/authentication/configuring-pki-realm.asciidoc +++ b/x-pack/docs/en/security/authentication/configuring-pki-realm.asciidoc @@ -21,9 +21,8 @@ clients connect directly to {es}. . Add a realm configuration for a `pki` realm to `elasticsearch.yml` under the `xpack.security.authc.realms.pki` namespace. -If you are configuring multiple realms, you must -explicitly set the `order` attribute. See <> for all of the -options you can set for a `pki` realm. +You must explicitly set the `order` attribute. See <> for all +of the options you can set for a `pki` realm. + -- For example, the following snippet shows the most basic `pki` realm configuration: diff --git a/x-pack/docs/en/security/authentication/custom-realm.asciidoc b/x-pack/docs/en/security/authentication/custom-realm.asciidoc index 336fba3f90683..0c6c07945e6d9 100644 --- a/x-pack/docs/en/security/authentication/custom-realm.asciidoc +++ b/x-pack/docs/en/security/authentication/custom-realm.asciidoc 
@@ -89,11 +89,10 @@ under the `xpack.security.authc.realms` namespace. You must define your realm within the namespace that matchesto the type defined by the extension. The options you can set depend on the settings exposed by the custom realm. -If you are configuring multiple realms, you must also explicitly set the -`order` attribute to control the order in which the realms are consulted during -authentication. You must make sure each configured realm has a distinct -`order` setting. In the event that two or more realms have the same `order`, -the cluster will fail to start. +At a minimum, you must explicitly set the `order` attribute to control the +order in which the realms are consulted during authentication. You must also +make sure each configured realm has a distinct `order` setting. In the event +that two or more realms have the same `order`, the cluster will fail to start. + IMPORTANT: When you configure realms in `elasticsearch.yml`, only the realms you specify are used for authentication. If you also want to use the From 7fbf06159a029a925ef5303cc624d3e3b3b519c6 Mon Sep 17 00:00:00 2001 From: Yang Wang Date: Fri, 24 Jan 2020 11:33:46 +1100 Subject: [PATCH 17/24] Address feedback to revert accident change --- .../java/org/elasticsearch/test/SecuritySettingsSource.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySettingsSource.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySettingsSource.java index d71eba9b56c14..ed5c9b743226f 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySettingsSource.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySettingsSource.java 
@@ -141,8 +141,8 @@ public Settings nodeSettings(int nodeOrdinal) { .put(LoggingAuditTrail.EMIT_HOST_NAME_SETTING.getKey(), randomBoolean()) .put(LoggingAuditTrail.EMIT_NODE_NAME_SETTING.getKey(), randomBoolean()) .put(LoggingAuditTrail.EMIT_NODE_ID_SETTING.getKey(), randomBoolean()) - .put("xpack.security.authc.realms." + FileRealmSettings.TYPE + ".file.order", Integer.MIN_VALUE) - .put("xpack.security.authc.realms." + NativeRealmSettings.TYPE + ".index.order", String.valueOf(Integer.MIN_VALUE + 1)) + .put("xpack.security.authc.realms." + FileRealmSettings.TYPE + ".file.order", 0) + .put("xpack.security.authc.realms." + NativeRealmSettings.TYPE + ".index.order", "1") .put("xpack.license.self_generated.type", "trial"); addNodeSSLSettings(builder); return builder.build(); From 64d0292fc33d26a27199392dbaccb6afc1dfe89d Mon Sep 17 00:00:00 2001 
From: Yang Wang Date: Fri, 24 Jan 2020 14:51:23 +1100 Subject: [PATCH 18/24] Update based on discussion with Tim. --- .../core/security/authc/RealmConfig.java | 13 +-- .../xpack/security/authc/Realms.java | 21 ++-- .../authc/esnative/ReservedRealm.java | 8 +- ...ansportOpenIdConnectLogoutActionTests.java | 7 +- ...sportSamlInvalidateSessionActionTests.java | 6 +- .../saml/TransportSamlLogoutActionTests.java | 7 +- .../security/authc/InternalRealmsTests.java | 8 +- .../authc/file/FileUserPasswdStoreTests.java | 5 +- .../authc/file/FileUserRolesStoreTests.java | 18 +++- .../KerberosRealmAuthenticateFailedTests.java | 8 +- .../kerberos/KerberosRealmSettingsTests.java | 2 +- .../authc/kerberos/KerberosRealmTestCase.java | 4 +- .../authc/kerberos/KerberosRealmTests.java | 11 ++- .../authc/ldap/ActiveDirectoryRealmTests.java | 7 +- .../authc/ldap/GroupsResolverTestCase.java | 10 +- .../security/authc/ldap/LdapRealmTests.java | 23 ++++- .../authc/ldap/LdapSessionFactoryTests.java | 14 +-- .../LdapUserSearchSessionFactoryTests.java | 7 +- .../SearchGroupsResolverInMemoryTests.java | 6 +- .../ldap/support/LdapLoadBalancingTests.java | 5 +- .../support/LdapMetaDataResolverTests.java | 3 +- .../authc/ldap/support/LdapTestCase.java | 5 +- .../SessionFactoryLoadBalancingTests.java | 2 +- .../ldap/support/SessionFactoryTests.java | 26 +++-- .../oidc/OpenIdConnectRealmSettingsTests.java | 8 +- .../authc/oidc/OpenIdConnectRealmTests.java | 7 +- .../authc/oidc/OpenIdConnectTestCase.java | 10 +- .../pki/PkiAuthDelegationIntegTests.java | 6 +- .../authc/pki/PkiAuthenticationTests.java | 4 +- .../authc/pki/PkiOptionalClientAuthTests.java | 2 +- .../security/authc/pki/PkiRealmTests.java | 52 +++++----- .../security/authc/saml/SamlRealmTests.java | 17 +++- .../CachingUsernamePasswordRealmTests.java | 96 +++++++++++++------ .../DelegatedAuthorizationSupportTests.java | 8 +- .../authc/support/DnRoleMapperTests.java | 13 ++- .../authc/support/RealmUserLookupTests.java | 16 +++- 
.../RoleMappingFileBootstrapCheckTests.java | 5 +- .../mapper/ExpressionRoleMappingTests.java | 8 +- .../mapper/NativeRoleMappingStoreTests.java | 13 ++- .../org/elasticsearch/test/OpenLdapTests.java | 21 ++-- ...OpenLdapUserSearchSessionFactoryTests.java | 6 +- .../example/realm/CustomRealmTests.java | 16 +++- .../realm/CustomRoleMappingRealmTests.java | 9 +- .../ADLdapUserSearchSessionFactoryTests.java | 7 +- .../ActiveDirectorySessionFactoryTests.java | 5 +- 45 files changed, 371 insertions(+), 184 deletions(-) diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/RealmConfig.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/RealmConfig.java index f9e93212b8091..29f48ea0cc1e6 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/RealmConfig.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/RealmConfig.java 
@@ -29,24 +29,15 @@ public RealmConfig(RealmIdentifier identifier, Settings settings, Environment en
this.env = env;
this.threadContext = threadContext;
this.enabled = getSetting(RealmSettings.ENABLED_SETTING);
- if (hasSetting(RealmSettings.ORDER_SETTING.apply(type())) == false) {
+ if (false == hasSetting(RealmSettings.ORDER_SETTING.apply(type()))) {
throw new IllegalArgumentException("'order' is a mandatory parameter for realm config. " +
- "Found invalid realm config: '" + identifier.name + "'\n" +
+ "Found invalid config for realm: '" + identifier.name + "'\n" +
"Please see the breaking changes documentation."
);
}
this.order = getSetting(RealmSettings.ORDER_SETTING);
}
- public RealmConfig(RealmIdentifier identifier, Settings settings, Environment env, ThreadContext threadContext, int order) {
- this.identifier = identifier;
- this.settings = settings;
- this.env = env;
- this.threadContext = threadContext;
- this.enabled = getSetting(RealmSettings.ENABLED_SETTING);
- this.order = order;
- }
-
public RealmIdentifier identifier() {
return identifier;
}
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/Realms.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/Realms.java
index 86cc21496bc74..c4bee1ac689eb 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/Realms.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/Realms.java
@@ -224,7 +224,7 @@ protected List initRealms() throws Exception {
realms.add(realm);
}
- ensureNoDuplicateOrders(orderToRealmIdentifier);
+ checkUniqueOrders(orderToRealmIdentifier);
if (!realms.isEmpty()) {
Collections.sort(realms);
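Review bot: The exception thrown when `order` is missing names the realm but not the setting key the operator has to add, and a bare realm name is ambiguous when the same name exists under two types; including the key, e.g. `"Found invalid config for realm: '" + identifier.name + "'. Please set '" + RealmSettings.realmSettingPrefix(identifier) + "order' and see the breaking changes documentation."`, makes the start-up failure actionable (`RealmSettings.realmSettingPrefix(RealmIdentifier)` is the helper the `Realms` hunk in this same patch uses). The check runs regardless of `enabled`, so a realm with `enabled: false` and no `order` also refuses to start; if that is intended, a one-line comment `// 'order' is required even for disabled realms (see migration docs)` above the `if` would save the next reader a question. As a point of style, `false == hasSetting(...)` flips the `== false` form used by the line it replaces with no functional difference; keeping one form across the file is preferable. The `RealmConfig` constructor begins before the hunk.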
@@ -310,19 +310,28 @@ public void usageStats(ActionListener> listener) { private void addNativeRealms(List realms) throws Exception { Realm.Factory fileRealm = factories.get(FileRealmSettings.TYPE); if (fileRealm != null) { + var realmIdentifier = new RealmConfig.RealmIdentifier(FileRealmSettings.TYPE, "default_" + FileRealmSettings.TYPE); realms.add(fileRealm.create(new RealmConfig( - new RealmConfig.RealmIdentifier(FileRealmSettings.TYPE, "default_" + FileRealmSettings.TYPE), - settings, env, threadContext, Integer.MIN_VALUE))); + realmIdentifier, + ensureOrderSetting(settings, realmIdentifier, Integer.MIN_VALUE + 1), + env, threadContext))); } Realm.Factory indexRealmFactory = factories.get(NativeRealmSettings.TYPE); if (indexRealmFactory != null) { + var realmIdentifier = new RealmConfig.RealmIdentifier(NativeRealmSettings.TYPE, "default_" + NativeRealmSettings.TYPE); realms.add(indexRealmFactory.create(new RealmConfig( - new RealmConfig.RealmIdentifier(NativeRealmSettings.TYPE, "default_" + NativeRealmSettings.TYPE), - settings, env, threadContext, Integer.MIN_VALUE + 1))); + realmIdentifier, + ensureOrderSetting(settings, realmIdentifier, Integer.MIN_VALUE + 2), + env, threadContext))); } } - private void ensureNoDuplicateOrders(Map> orderToRealmIdentifier) { + private Settings ensureOrderSetting(Settings settings, RealmConfig.RealmIdentifier realmIdentifier, int order) { + String orderSettingKey = RealmSettings.realmSettingPrefix(realmIdentifier) + "order"; + return Settings.builder().put(settings).put(orderSettingKey, order).build(); + } + + private void checkUniqueOrders(Map> orderToRealmIdentifier) { String duplicateOrders = orderToRealmIdentifier.entrySet().stream() .filter(entry -> entry.getValue().size() > 1) .map(entry -> entry.getKey() + ": " + entry.getValue()) 
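Review bot: `ensureOrderSetting` unconditionally overwrites the order key with `Settings.builder().put(settings).put(orderSettingKey, order)`, so the name overpromises: "ensure" reads as set-if-absent, but any value already present for `default_file`/`default_native` is silently replaced. Either rename it to something like `withOrderSetting`, or make it honour an existing value with `if (settings.hasValue(orderSettingKey)) { return settings; }` before the builder; which one is right depends on whether addNativeRealms can be reached with a user-configured realm of the same name, which is decided outside this hunk. Separately, the literals `Integer.MIN_VALUE + 1` and `Integer.MIN_VALUE + 2` are chosen to sort after the reserved realm's `Integer.MIN_VALUE` in ReservedRealm.java, yet nothing in the code ties the three values together; a shared named constant (or a comment on each site naming the other) would keep the reserved-first ordering guarantee, which `checkUniqueOrders` now also relies on, in one place.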
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/esnative/ReservedRealm.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/esnative/ReservedRealm.java index efab5f8f73242..3b356e8373f33 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/esnative/ReservedRealm.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/esnative/ReservedRealm.java @@ -18,6 +18,7 @@ import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.authc.AuthenticationResult; import org.elasticsearch.xpack.core.security.authc.RealmConfig; +import org.elasticsearch.xpack.core.security.authc.RealmSettings; import org.elasticsearch.xpack.core.security.authc.esnative.ClientReservedRealm; import org.elasticsearch.xpack.core.security.authc.support.Hasher; import org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken; @@ -63,8 +64,11 @@ public class ReservedRealm extends CachingUsernamePasswordRealm { public ReservedRealm(Environment env, Settings settings, NativeUsersStore nativeUsersStore, AnonymousUser anonymousUser, SecurityIndexManager securityIndex, ThreadPool threadPool) { - super(new RealmConfig(new RealmConfig.RealmIdentifier(TYPE, TYPE), settings, env, threadPool.getThreadContext(), - Integer.MIN_VALUE), threadPool); + super(new RealmConfig(new RealmConfig.RealmIdentifier(TYPE, TYPE), + Settings.builder() + .put(settings) + .put(RealmSettings.realmSettingPrefix(new RealmConfig.RealmIdentifier(TYPE, TYPE)) + "order", Integer.MIN_VALUE) + .build(), env, threadPool.getThreadContext()), threadPool); this.nativeUsersStore = nativeUsersStore; this.realmEnabled = XPackSettings.RESERVED_REALM_ENABLED_SETTING.get(settings); this.anonymousUser = anonymousUser; 
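Review bot: The `super(...)` call builds `new RealmConfig.RealmIdentifier(TYPE, TYPE)` twice and inlines a five-line settings override, which makes the security-relevant intent — the reserved realm is pinned to `Integer.MIN_VALUE` so it is consulted before every other realm, and any user-supplied value for that key is deliberately discarded — hard to see. Because `super(...)` must be the first statement, the clean way is a private static factory that builds the identifier once, carries a comment stating that the override is intentional, and returns the RealmConfig; the constructor then reduces to `super(reservedRealmConfig(env, settings, threadPool), threadPool);`. Whether `TYPE` is a constant usable from a static method is not visible in the hunk, but the existing code already reads it from a static context in the super call.
```java
    public ReservedRealm(Environment env, Settings settings, NativeUsersStore nativeUsersStore, AnonymousUser anonymousUser,
                         SecurityIndexManager securityIndex, ThreadPool threadPool) {
        super(reservedRealmConfig(env, settings, threadPool), threadPool);
        // … unchanged: field assignments …
    }

    /**
     * Builds the config for the reserved realm. Its order is pinned to {@code Integer.MIN_VALUE} so that it is
     * always consulted before any other realm; a user-supplied value for this key is intentionally overridden.
     */
    private static RealmConfig reservedRealmConfig(Environment env, Settings settings, ThreadPool threadPool) {
        final RealmConfig.RealmIdentifier id = new RealmConfig.RealmIdentifier(TYPE, TYPE);
        final Settings withOrder = Settings.builder()
            .put(settings)
            .put(RealmSettings.getFullSettingKey(id, RealmSettings.ORDER_SETTING), Integer.MIN_VALUE)
            .build();
        return new RealmConfig(id, withOrder, env, threadPool.getThreadContext());
    }
```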
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/oidc/TransportOpenIdConnectLogoutActionTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/oidc/TransportOpenIdConnectLogoutActionTests.java index 1cf393c02c1a1..70665111ded36 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/oidc/TransportOpenIdConnectLogoutActionTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/oidc/TransportOpenIdConnectLogoutActionTests.java @@ -44,6 +44,7 @@ import org.elasticsearch.xpack.core.security.action.oidc.OpenIdConnectLogoutResponse; import org.elasticsearch.xpack.core.security.authc.Authentication; import org.elasticsearch.xpack.core.security.authc.RealmConfig; +import org.elasticsearch.xpack.core.security.authc.RealmSettings; import org.elasticsearch.xpack.core.security.authc.oidc.OpenIdConnectRealmSettings; import org.elasticsearch.xpack.core.security.user.User; import org.elasticsearch.xpack.core.ssl.SSLService; @@ -88,9 +89,11 @@ public class TransportOpenIdConnectLogoutActionTests extends OpenIdConnectTestCa @Before public void setup() throws Exception { + final RealmConfig.RealmIdentifier realmIdentifier = new RealmConfig.RealmIdentifier("oidc", REALM_NAME); final Settings settings = getBasicRealmSettings() .put(XPackSettings.TOKEN_SERVICE_ENABLED_SETTING.getKey(), true) .put("path.home", createTempDir()) + .put(RealmSettings.getFullSettingKey(realmIdentifier, RealmSettings.ORDER_SETTING), 0) .build(); final Settings sslSettings = Settings.builder() .put("xpack.security.authc.realms.oidc.oidc-realm.ssl.verification_mode", "certificate") 
@@ -179,9 +182,7 @@ public void setup() throws Exception { final Environment env = TestEnvironment.newEnvironment(settings); - final RealmConfig.RealmIdentifier realmIdentifier = new RealmConfig.RealmIdentifier("oidc", REALM_NAME); - - final RealmConfig realmConfig = new RealmConfig(realmIdentifier, settings, env, threadContext, Integer.MAX_VALUE); + final RealmConfig realmConfig = new RealmConfig(realmIdentifier, settings, env, threadContext); oidcRealm = new OpenIdConnectRealm(realmConfig, new SSLService(TestEnvironment.newEnvironment(sslSettings)), mock(UserRoleMapper.class), mock(ResourceWatcherService.class)); when(realms.realm(realmConfig.name())).thenReturn(oidcRealm); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/saml/TransportSamlInvalidateSessionActionTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/saml/TransportSamlInvalidateSessionActionTests.java index 36c7908a4780b..4c27f2da5422d 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/saml/TransportSamlInvalidateSessionActionTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/saml/TransportSamlInvalidateSessionActionTests.java @@ -63,6 +63,7 @@ import org.elasticsearch.xpack.core.security.authc.Authentication.RealmRef; import org.elasticsearch.xpack.core.security.authc.RealmConfig; import org.elasticsearch.xpack.core.security.authc.RealmConfig.RealmIdentifier; +import org.elasticsearch.xpack.core.security.authc.RealmSettings; import org.elasticsearch.xpack.core.security.authc.esnative.NativeRealmSettings; import org.elasticsearch.xpack.core.security.authc.saml.SamlRealmSettings; import org.elasticsearch.xpack.core.security.user.User; 
@@ -121,6 +122,7 @@ public class TransportSamlInvalidateSessionActionTests extends SamlTestCase { @Before public void setup() throws Exception { + final RealmIdentifier realmId = new RealmIdentifier("saml", REALM_NAME); final Path metadata = PathUtils.get(SamlRealm.class.getResource("idp1.xml").toURI()); final Settings settings = Settings.builder() .put(XPackSettings.TOKEN_SERVICE_ENABLED_SETTING.getKey(), true) @@ -131,6 +133,7 @@ public void setup() throws Exception { .put(getFullSettingKey(REALM_NAME, SamlRealmSettings.SP_ACS), SamlRealmTestHelper.SP_ACS_URL) .put(getFullSettingKey(REALM_NAME, SamlRealmSettings.SP_LOGOUT), SamlRealmTestHelper.SP_LOGOUT_URL) .put(getFullSettingKey(REALM_NAME, SamlRealmSettings.PRINCIPAL_ATTRIBUTE.getAttribute()), "uid") + .put(getFullSettingKey(realmId, RealmSettings.ORDER_SETTING), 0) .build(); final ThreadContext threadContext = new ThreadContext(settings); @@ -215,11 +218,10 @@ void doExecute(ActionType action, Request request, ActionListener Stream.of(samlRealm)); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/saml/TransportSamlLogoutActionTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/saml/TransportSamlLogoutActionTests.java index 53807da03b034..f95eeeb13063e 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/saml/TransportSamlLogoutActionTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/saml/TransportSamlLogoutActionTests.java 
@@ -52,6 +52,7 @@ import org.elasticsearch.xpack.core.security.authc.Authentication; import org.elasticsearch.xpack.core.security.authc.RealmConfig; import org.elasticsearch.xpack.core.security.authc.RealmConfig.RealmIdentifier; +import org.elasticsearch.xpack.core.security.authc.RealmSettings; import org.elasticsearch.xpack.core.security.authc.saml.SamlRealmSettings; import org.elasticsearch.xpack.core.security.user.User; import org.elasticsearch.xpack.core.ssl.SSLService; @@ -103,6 +104,7 @@ public class TransportSamlLogoutActionTests extends SamlTestCase { @Before public void setup() throws Exception { + final RealmIdentifier realmIdentifier = new RealmIdentifier("saml", REALM_NAME); final Path metadata = PathUtils.get(SamlRealm.class.getResource("idp1.xml").toURI()); final Settings settings = Settings.builder() .put(XPackSettings.TOKEN_SERVICE_ENABLED_SETTING.getKey(), true) @@ -112,6 +114,7 @@ public void setup() throws Exception { .put(getFullSettingKey(REALM_NAME, SamlRealmSettings.SP_ENTITY_ID), SP_URL) .put(getFullSettingKey(REALM_NAME, SamlRealmSettings.SP_ACS), SP_URL) .put(getFullSettingKey(REALM_NAME, SamlRealmSettings.PRINCIPAL_ATTRIBUTE.getAttribute()), "uid") + .put(getFullSettingKey(realmIdentifier, RealmSettings.ORDER_SETTING), 0) .build(); final ThreadContext threadContext = new ThreadContext(settings); @@ -212,9 +215,7 @@ public void setup() throws Exception { final Environment env = TestEnvironment.newEnvironment(settings); - final RealmIdentifier realmIdentifier = new RealmIdentifier("saml", REALM_NAME); - - final RealmConfig realmConfig = new RealmConfig(realmIdentifier, settings, env, threadContext, Integer.MAX_VALUE); + final RealmConfig realmConfig = new RealmConfig(realmIdentifier, settings, env, threadContext); samlRealm = SamlRealm.create(realmConfig, mock(SSLService.class), mock(ResourceWatcherService.class), mock(UserRoleMapper.class)); when(realms.realm(realmConfig.name())).thenReturn(samlRealm); } 
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/InternalRealmsTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/InternalRealmsTests.java index e83d98230e026..03b355497ec31 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/InternalRealmsTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/InternalRealmsTests.java @@ -14,6 +14,7 @@ import org.elasticsearch.watcher.ResourceWatcherService; import org.elasticsearch.xpack.core.security.authc.Realm; import org.elasticsearch.xpack.core.security.authc.RealmConfig; +import org.elasticsearch.xpack.core.security.authc.RealmSettings; import org.elasticsearch.xpack.core.security.authc.esnative.NativeRealmSettings; import org.elasticsearch.xpack.core.security.authc.file.FileRealmSettings; import org.elasticsearch.xpack.core.security.authc.kerberos.KerberosRealmSettings; 
@@ -47,14 +48,15 @@ public void testNativeRealmRegistersIndexHealthChangeListener() throws Exception assertThat(factories, hasEntry(is(NativeRealmSettings.TYPE), any(Realm.Factory.class))); verifyZeroInteractions(securityIndex); - Settings settings = Settings.builder().put("path.home", createTempDir()).build(); final RealmConfig.RealmIdentifier realmId = new RealmConfig.RealmIdentifier(NativeRealmSettings.TYPE, "test"); + Settings settings = Settings.builder().put("path.home", createTempDir()) + .put(RealmSettings.getFullSettingKey(realmId, RealmSettings.ORDER_SETTING), 0).build(); final Environment env = TestEnvironment.newEnvironment(settings); final ThreadContext threadContext = new ThreadContext(settings); - factories.get(NativeRealmSettings.TYPE).create(new RealmConfig(realmId, settings, env, threadContext, Integer.MAX_VALUE)); + factories.get(NativeRealmSettings.TYPE).create(new RealmConfig(realmId, settings, env, threadContext)); verify(securityIndex).addIndexStateListener(isA(BiConsumer.class)); - factories.get(NativeRealmSettings.TYPE).create(new RealmConfig(realmId, settings, env, threadContext, Integer.MAX_VALUE)); + factories.get(NativeRealmSettings.TYPE).create(new RealmConfig(realmId, settings, env, threadContext)); verify(securityIndex, times(2)).addIndexStateListener(isA(BiConsumer.class)); } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/file/FileUserPasswdStoreTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/file/FileUserPasswdStoreTests.java index 0c9546e6ac08b..bff3be436b16f 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/file/FileUserPasswdStoreTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/file/FileUserPasswdStoreTests.java 
@@ -18,6 +18,7 @@ import org.elasticsearch.xpack.core.security.audit.logfile.CapturingLogger; import org.elasticsearch.xpack.core.security.authc.AuthenticationResult; import org.elasticsearch.xpack.core.security.authc.RealmConfig; +import org.elasticsearch.xpack.core.security.authc.RealmSettings; import org.elasticsearch.xpack.core.security.authc.support.Hasher; import org.elasticsearch.xpack.core.security.user.User; import org.junit.After; @@ -134,7 +135,9 @@ public void testStore_AutoReload() throws Exception { private RealmConfig getRealmConfig() { final RealmConfig.RealmIdentifier identifier = new RealmConfig.RealmIdentifier("file", "file-test"); - return new RealmConfig(identifier, settings, env, threadPool.getThreadContext(), Integer.MAX_VALUE); + return new RealmConfig(identifier, + Settings.builder().put(settings).put(RealmSettings.getFullSettingKey(identifier, RealmSettings.ORDER_SETTING), 0).build(), + env, threadPool.getThreadContext()); } public void testStore_AutoReload_WithParseFailures() throws Exception { diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/file/FileUserRolesStoreTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/file/FileUserRolesStoreTests.java index aea6bb3df905b..559c0005f460c 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/file/FileUserRolesStoreTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/file/FileUserRolesStoreTests.java @@ -19,6 +19,7 @@ import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.audit.logfile.CapturingLogger; import org.elasticsearch.xpack.core.security.authc.RealmConfig; +import org.elasticsearch.xpack.core.security.authc.RealmSettings; import org.junit.After; import org.junit.Before; 
@@ -75,7 +76,9 @@ public void testStore_ConfiguredWithUnreadableFile() throws Exception { Files.write(file, lines, StandardCharsets.UTF_16); RealmConfig.RealmIdentifier realmId = new RealmConfig.RealmIdentifier("file", "file-test"); - RealmConfig config = new RealmConfig(realmId, settings, env, new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE); + RealmConfig config = new RealmConfig(realmId, + Settings.builder().put(settings).put(RealmSettings.getFullSettingKey(realmId, RealmSettings.ORDER_SETTING), 0).build(), + env, new ThreadContext(Settings.EMPTY)); ResourceWatcherService watcherService = new ResourceWatcherService(settings, threadPool); FileUserRolesStore store = new FileUserRolesStore(config, watcherService); assertThat(store.entriesCount(), is(0)); @@ -88,7 +91,9 @@ public void testStoreAutoReload() throws Exception { final RealmConfig.RealmIdentifier realmId = new RealmConfig.RealmIdentifier("file", "file-test"); - RealmConfig config = new RealmConfig(realmId, settings, env, new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE); + RealmConfig config = new RealmConfig(realmId, + Settings.builder().put(settings).put(RealmSettings.getFullSettingKey(realmId, RealmSettings.ORDER_SETTING), 0).build(), + env, new ThreadContext(Settings.EMPTY)); ResourceWatcherService watcherService = new ResourceWatcherService(settings, threadPool); final CountDownLatch latch = new CountDownLatch(1); 
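Review bot: The three-line `Settings.builder().put(settings).put(RealmSettings.getFullSettingKey(realmId, RealmSettings.ORDER_SETTING), 0).build()` block is now pasted verbatim into testStore_ConfiguredWithUnreadableFile, testStoreAutoReload (both in this hunk pair) and testStoreAutoReloadWithParseFailure on the following line, each time for the same `("file", "file-test")` identifier. FileUserPasswdStoreTests on the previous line already does this once behind a `getRealmConfig()` helper; the same shape here, e.g. `private RealmConfig getRealmConfig(RealmConfig.RealmIdentifier realmId)` wrapping the builder and the `new RealmConfig(realmId, ..., env, new ThreadContext(Settings.EMPTY))` call, would leave a single place to touch the next time the mandatory settings change.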
@@ -134,7 +139,9 @@ public void testStoreAutoReloadWithParseFailure() throws Exception { Files.copy(users, tmp, StandardCopyOption.REPLACE_EXISTING); final RealmConfig.RealmIdentifier realmId = new RealmConfig.RealmIdentifier("file", "file-test"); - RealmConfig config = new RealmConfig(realmId, settings, env, new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE); + RealmConfig config = new RealmConfig(realmId, + Settings.builder().put(settings).put(RealmSettings.getFullSettingKey(realmId, RealmSettings.ORDER_SETTING), 0).build(), + env, new ThreadContext(Settings.EMPTY)); ResourceWatcherService watcherService = new ResourceWatcherService(settings, threadPool); final CountDownLatch latch = new CountDownLatch(1); @@ -217,14 +224,15 @@ public void testParseFileEmptyRolesDoesNotCauseNPE() throws Exception { threadPool = new TestThreadPool("test"); Path usersRoles = writeUsersRoles("role1:admin"); + final RealmConfig.RealmIdentifier realmId = new RealmConfig.RealmIdentifier("file", "file-test"); Settings settings = Settings.builder() .put(XPackSettings.WATCHER_ENABLED.getKey(), "false") .put("path.home", createTempDir()) + .put(RealmSettings.getFullSettingKey(realmId, RealmSettings.ORDER_SETTING), 0) .build(); Environment env = TestEnvironment.newEnvironment(settings); - final RealmConfig.RealmIdentifier realmId = new RealmConfig.RealmIdentifier("file", "file-test"); - RealmConfig config = new RealmConfig(realmId, settings, env, new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE); + RealmConfig config = new RealmConfig(realmId, settings, env, new ThreadContext(Settings.EMPTY)); ResourceWatcherService watcherService = new ResourceWatcherService(settings, threadPool); FileUserRolesStore store = new FileUserRolesStore(config, watcherService); assertThat(store.roles("user"), equalTo(Strings.EMPTY_ARRAY)); 
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmAuthenticateFailedTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmAuthenticateFailedTests.java index 8b2e51bf15364..c829aec188f79 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmAuthenticateFailedTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmAuthenticateFailedTests.java @@ -16,6 +16,7 @@ import org.elasticsearch.env.TestEnvironment; import org.elasticsearch.xpack.core.security.authc.AuthenticationResult; import org.elasticsearch.xpack.core.security.authc.RealmConfig; +import org.elasticsearch.xpack.core.security.authc.RealmSettings; import org.elasticsearch.xpack.core.security.authc.kerberos.KerberosRealmSettings; import org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken; import org.elasticsearch.xpack.core.security.user.User; 
@@ -121,8 +122,11 @@ public void testAuthenticateDifferentFailureScenarios() throws LoginException, G public void testDelegatedAuthorizationFailedToResolve() throws Exception { final String username = randomPrincipalName(); - final MockLookupRealm otherRealm = new MockLookupRealm(new RealmConfig(new RealmConfig.RealmIdentifier("mock", "other_realm"), - globalSettings, TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings), Integer.MAX_VALUE)); + RealmConfig.RealmIdentifier realmIdentifier = new RealmConfig.RealmIdentifier("mock", "other_realm"); + final MockLookupRealm otherRealm = new MockLookupRealm(new RealmConfig(realmIdentifier, + Settings.builder().put(globalSettings) + .put(RealmSettings.getFullSettingKey(realmIdentifier, RealmSettings.ORDER_SETTING), 0).build(), + TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings))); final User lookupUser = new User(randomAlphaOfLength(5)); otherRealm.registerUser(lookupUser); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmSettingsTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmSettingsTests.java index 10907ee3aeb49..eb1e32037d5ef 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmSettingsTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmSettingsTests.java 
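Review bot: The new `MockLookupRealm` setup — identifier, `Settings.builder().put(globalSettings).put(...ORDER_SETTING...)`, environment, thread context — is duplicated almost character for character in KerberosRealmTests.testDelegatedAuthorization (three lines below) and again for `mock_lookup` in LdapRealmTests.testDelegatedAuthorization at the end of this patch. A small shared test helper taking the realm name and the global settings, e.g. `static RealmConfig mockRealmConfig(String name, Settings globalSettings)` next to MockLookupRealm, would remove the repetition; whether MockLookupRealm already offers such a factory is not visible in the patch. Note also that `realmIdentifier` here is not `final`, unlike every other local in the method.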
@@ -40,7 +40,7 @@ public void testKerberosRealmSettings() throws IOException { keytabPathConfig, maxUsers, cacheTTL, enableDebugLogs, removeRealmName); final RealmIdentifier identifier = new RealmIdentifier(KerberosRealmSettings.TYPE, KerberosRealmTestCase.REALM_NAME); final RealmConfig config = new RealmConfig(identifier, - settings, TestEnvironment.newEnvironment(settings), new ThreadContext(settings), Integer.MAX_VALUE); + settings, TestEnvironment.newEnvironment(settings), new ThreadContext(settings)); assertThat(config.getSetting(KerberosRealmSettings.HTTP_SERVICE_KEYTAB_PATH), equalTo(keytabPathConfig)); assertThat(config.getSetting(KerberosRealmSettings.CACHE_TTL_SETTING), diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmTestCase.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmTestCase.java index 571573569574f..a856b24ce67b2 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmTestCase.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmTestCase.java @@ -123,7 +123,7 @@ protected KerberosRealm createKerberosRealm(final String... userForRoleMapping) protected KerberosRealm createKerberosRealm(final List delegatedRealms, final String... userForRoleMapping) { final RealmConfig.RealmIdentifier id = new RealmConfig.RealmIdentifier(KerberosRealmSettings.TYPE, REALM_NAME); config = new RealmConfig(id, merge(id, settings, globalSettings), - TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings), Integer.MAX_VALUE); + TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings)); mockNativeRoleMappingStore = roleMappingStore(Arrays.asList(userForRoleMapping)); mockKerberosTicketValidator = mock(KerberosTicketValidator.class); final KerberosRealm kerberosRealm = 
@@ -137,6 +137,7 @@ private Settings merge(RealmConfig.RealmIdentifier identifier, Settings realmSet return Settings.builder().put(realmSettings) .normalizePrefix(RealmSettings.realmSettingPrefix(identifier)) .put(globalSettings) + .put(RealmSettings.getFullSettingKey(identifier, RealmSettings.ORDER_SETTING), 0) .build(); } @@ -266,6 +267,7 @@ public static Settings buildKerberosRealmSettings(String realmName, String keyta .put(RealmSettings.getFullSettingKey(realmName, KerberosRealmSettings.CACHE_TTL_SETTING), cacheTTL) .put(RealmSettings.getFullSettingKey(realmName, KerberosRealmSettings.SETTING_KRB_DEBUG_ENABLE), enableDebugging) .put(RealmSettings.getFullSettingKey(realmName, KerberosRealmSettings.SETTING_REMOVE_REALM_NAME), removeRealmName) + .put(RealmSettings.getFullSettingKey(realmName, RealmSettings.ORDER_SETTING.apply(KerberosRealmSettings.TYPE)), 0) .put(globalSettings); return builder.build(); } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmTests.java index b4365fe054474..037af8a7b51ce 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmTests.java @@ -18,6 +18,7 @@ import org.elasticsearch.rest.RestStatus; import org.elasticsearch.xpack.core.security.authc.AuthenticationResult; import org.elasticsearch.xpack.core.security.authc.RealmConfig; +import org.elasticsearch.xpack.core.security.authc.RealmSettings; import org.elasticsearch.xpack.core.security.authc.kerberos.KerberosRealmSettings; import org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken; import org.elasticsearch.xpack.core.security.user.User; 
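Review bot: The two hunks spell the same key two different ways: `merge()` uses `RealmSettings.getFullSettingKey(identifier, RealmSettings.ORDER_SETTING)` while `buildKerberosRealmSettings` uses `RealmSettings.getFullSettingKey(realmName, RealmSettings.ORDER_SETTING.apply(KerberosRealmSettings.TYPE))`. Both resolve to the same string, but the second form hard-codes the type separately from the name and is the only site in the whole patch written that way; using the identifier-based overload in both places keeps the kerberos tests consistent with the rest. Also, in `merge()` the order is put after `.put(globalSettings)`, so a test that deliberately supplies an order through `globalSettings` would have it overwritten; if that is not intended, put the default before `.put(globalSettings)` so the caller's value wins.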
@@ -163,7 +164,7 @@ private void assertKerberosRealmConstructorFails(final String keytabPath, final final String realmName = "test-kerb-realm"; settings = buildKerberosRealmSettings(realmName, keytabPath, 100, "10m", true, randomBoolean(), globalSettings); config = new RealmConfig(new RealmConfig.RealmIdentifier(KerberosRealmSettings.TYPE, realmName), settings, - TestEnvironment.newEnvironment(settings), new ThreadContext(settings), Integer.MAX_VALUE); + TestEnvironment.newEnvironment(settings), new ThreadContext(settings)); mockNativeRoleMappingStore = roleMappingStore(Arrays.asList("user")); mockKerberosTicketValidator = mock(KerberosTicketValidator.class); final IllegalArgumentException iae = expectThrows(IllegalArgumentException.class, @@ -174,8 +175,12 @@ private void assertKerberosRealmConstructorFails(final String keytabPath, final public void testDelegatedAuthorization() throws Exception { final String username = randomPrincipalName(); final String expectedUsername = maybeRemoveRealmName(username); - final MockLookupRealm otherRealm = spy(new MockLookupRealm(new RealmConfig(new RealmConfig.RealmIdentifier("mock", "other_realm"), - globalSettings, TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings), Integer.MAX_VALUE))); + RealmConfig.RealmIdentifier realmIdentifier = new RealmConfig.RealmIdentifier("mock", "other_realm"); + final MockLookupRealm otherRealm = spy(new MockLookupRealm(new RealmConfig( + realmIdentifier, + Settings.builder().put(globalSettings) + .put(RealmSettings.getFullSettingKey(realmIdentifier, RealmSettings.ORDER_SETTING), 0).build(), + TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings)))); final User lookupUser = new User(expectedUsername, new String[] { "admin-role" }, expectedUsername, expectedUsername + "@example.com", Collections.singletonMap("k1", "v1"), true); otherRealm.registerUser(lookupUser); 
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectoryRealmTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectoryRealmTests.java index 17278859ce419..146b6d11986dd 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectoryRealmTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectoryRealmTests.java @@ -35,6 +35,7 @@ import org.elasticsearch.watcher.ResourceWatcherService; import org.elasticsearch.xpack.core.security.authc.AuthenticationResult; import org.elasticsearch.xpack.core.security.authc.RealmConfig; +import org.elasticsearch.xpack.core.security.authc.RealmSettings; import org.elasticsearch.xpack.core.security.authc.ldap.ActiveDirectorySessionFactorySettings; import org.elasticsearch.xpack.core.security.authc.ldap.LdapRealmSettings; import org.elasticsearch.xpack.core.security.authc.ldap.PoolingSessionFactorySettings; @@ -166,14 +167,14 @@ public boolean enableWarningsCheck() { * the RealmConfig */ private RealmConfig setupRealm(RealmConfig.RealmIdentifier realmIdentifier, Settings localSettings) { - final Settings mergedSettings = Settings.builder().put(globalSettings).put(localSettings).build(); + final Settings mergedSettings = Settings.builder().put(globalSettings).put(localSettings) + .put(getFullSettingKey(realmIdentifier, RealmSettings.ORDER_SETTING), "0").build(); final Environment env = TestEnvironment.newEnvironment(mergedSettings); this.sslService = new SSLService(env); return new RealmConfig( realmIdentifier, mergedSettings, - env, new ThreadContext(mergedSettings), - Integer.MAX_VALUE + env, new ThreadContext(mergedSettings) ); } 
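Review bot: `setupRealm` appends the order setting after `localSettings`, so a test that passes its own order via `localSettings` has it silently replaced by `"0"`; putting the default first keeps it a default: `Settings.builder().put(globalSettings).put(getFullSettingKey(realmIdentifier, RealmSettings.ORDER_SETTING), 0).put(localSettings).build()`. The value is also the only place in the patch that writes the order as the string `"0"` rather than the int `0`; Settings will parse either, but the int form matches every other site. The Javadoc fragment visible above the method ("the RealmConfig") suggests the helper is documented; the new mandatory-order behaviour is worth a sentence there.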
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/GroupsResolverTestCase.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/GroupsResolverTestCase.java index a7727fb8b1fb4..466a572ece939 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/GroupsResolverTestCase.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/GroupsResolverTestCase.java @@ -15,6 +15,7 @@ import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.env.TestEnvironment; import org.elasticsearch.xpack.core.security.authc.RealmConfig; +import org.elasticsearch.xpack.core.security.authc.RealmSettings; import org.elasticsearch.xpack.security.authc.ldap.support.LdapSession.GroupsResolver; import org.elasticsearch.test.ESTestCase; import org.junit.After; @@ -24,16 +25,19 @@ import java.util.Collection; import java.util.List; +import static org.elasticsearch.xpack.core.security.authc.RealmSettings.getFullSettingKey; + public abstract class GroupsResolverTestCase extends ESTestCase { LDAPConnection ldapConnection; protected static RealmConfig config(RealmConfig.RealmIdentifier realmId, Settings settings) { if (settings.hasValue("path.home") == false) { - settings = Settings.builder().put(settings).put("path.home", createTempDir()).build(); + settings = Settings.builder().put(settings).put("path.home", createTempDir()) + .put(getFullSettingKey(realmId, RealmSettings.ORDER_SETTING), 0) + .build(); } - return new RealmConfig(realmId, settings, TestEnvironment.newEnvironment(settings), new ThreadContext(Settings.EMPTY), - Integer.MAX_VALUE); + return new RealmConfig(realmId, settings, TestEnvironment.newEnvironment(settings), new ThreadContext(Settings.EMPTY)); } protected abstract String ldapUrl(); 
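Review bot: The order default in `config()` is added only inside the `if (settings.hasValue("path.home") == false)` branch, so any caller that already supplies `path.home` but no order now gets the new IllegalArgumentException from the RealmConfig constructor instead of a usable config. The two defaults are independent and should be applied independently, each only when the caller has not set it. The rewrite below keeps the signature and the `new RealmConfig(...)` call unchanged.
```java
    protected static RealmConfig config(RealmConfig.RealmIdentifier realmId, Settings settings) {
        final Settings.Builder builder = Settings.builder().put(settings);
        if (settings.hasValue("path.home") == false) {
            builder.put("path.home", createTempDir());
        }
        // 'order' is mandatory for every realm; default it only when the caller has not chosen one.
        final String orderKey = getFullSettingKey(realmId, RealmSettings.ORDER_SETTING);
        if (settings.hasValue(orderKey) == false) {
            builder.put(orderKey, 0);
        }
        settings = builder.build();
        return new RealmConfig(realmId, settings, TestEnvironment.newEnvironment(settings), new ThreadContext(Settings.EMPTY));
    }
```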
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapRealmTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapRealmTests.java index 8d5a824f0604d..c9b787e82663e 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapRealmTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapRealmTests.java @@ -116,6 +116,7 @@ public void testAuthenticateSubTreeGroupSearch() throws Exception { Settings settings = Settings.builder() .put(defaultGlobalSettings) .put(buildLdapSettings(ldapUrls(), userTemplate, groupSearchBase, LdapSearchScope.SUB_TREE)) + .put(getFullSettingKey(REALM_IDENTIFIER, RealmSettings.ORDER_SETTING), 0) .build(); RealmConfig config = getRealmConfig(REALM_IDENTIFIER, settings); LdapSessionFactory ldapFactory = new LdapSessionFactory(config, sslService, threadPool); @@ -138,7 +139,7 @@ public void testAuthenticateSubTreeGroupSearch() throws Exception { private RealmConfig getRealmConfig(RealmConfig.RealmIdentifier identifier, Settings settings) { final Environment env = TestEnvironment.newEnvironment(settings); - return new RealmConfig(identifier, settings, env, new ThreadContext(settings), Integer.MAX_VALUE); + return new RealmConfig(identifier, settings, env, new ThreadContext(settings)); } public void testAuthenticateOneLevelGroupSearch() throws Exception { @@ -147,6 +148,7 @@ public void testAuthenticateOneLevelGroupSearch() throws Exception { Settings settings = Settings.builder() .put(defaultGlobalSettings) .put(buildLdapSettings(ldapUrls(), userTemplate, groupSearchBase, LdapSearchScope.ONE_LEVEL)) + .put(getFullSettingKey(REALM_IDENTIFIER, RealmSettings.ORDER_SETTING), 0) .build(); RealmConfig config = getRealmConfig(REALM_IDENTIFIER, settings); 
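Review bot: The line `.put(getFullSettingKey(REALM_IDENTIFIER, RealmSettings.ORDER_SETTING), 0)` is added to every test's settings builder in this file (this hunk, the three hunks on the next line, and testDelegatedAuthorization after that), while the `getRealmConfig(identifier, settings)` helper that all of them feed is also in this hunk and is the natural single place for the default. Having the helper add the key when `settings.hasValue(...)` is false — or folding it into `defaultGlobalSettings`, whose construction is outside the patch — would leave the individual tests untouched and make a future change to the mandatory settings a one-line edit. Tests that construct RealmConfig directly, like testDelegatedAuthorization, would still need the explicit key unless they are routed through the helper too.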
@@ -174,6 +176,7 @@ public void testAuthenticateCaching() throws Exception { Settings settings = Settings.builder() .put(defaultGlobalSettings) .put(buildLdapSettings(ldapUrls(), userTemplate, groupSearchBase, LdapSearchScope.SUB_TREE)) + .put(getFullSettingKey(REALM_IDENTIFIER, RealmSettings.ORDER_SETTING), 0) .build(); RealmConfig config = getRealmConfig(REALM_IDENTIFIER, settings); @@ -201,6 +204,7 @@ public void testAuthenticateCachingRefresh() throws Exception { Settings settings = Settings.builder() .put(buildLdapSettings(ldapUrls(), userTemplate, groupSearchBase, LdapSearchScope.SUB_TREE)) .put(defaultGlobalSettings) + .put(getFullSettingKey(REALM_IDENTIFIER, RealmSettings.ORDER_SETTING), 0) .build(); RealmConfig config = getRealmConfig(REALM_IDENTIFIER, settings); @@ -237,6 +241,7 @@ public void testAuthenticateNoncaching() throws Exception { .put(defaultGlobalSettings) .put(buildLdapSettings(ldapUrls(), userTemplate, groupSearchBase, LdapSearchScope.SUB_TREE)) .put(getFullSettingKey(REALM_IDENTIFIER, CachingUsernamePasswordRealmSettings.CACHE_TTL_SETTING), -1) + .put(getFullSettingKey(REALM_IDENTIFIER, RealmSettings.ORDER_SETTING), 0) .build(); RealmConfig config = getRealmConfig(REALM_IDENTIFIER, settings); 
@@ -268,17 +273,22 @@ public void testDelegatedAuthorization() throws Exception { // maybe disable caching builder.put(getFullSettingKey(REALM_IDENTIFIER, CachingUsernamePasswordRealmSettings.CACHE_TTL_SETTING), -1); } + builder.put(getFullSettingKey(REALM_IDENTIFIER, RealmSettings.ORDER_SETTING), 0); final Settings realmSettings = builder.build(); final Environment env = TestEnvironment.newEnvironment(defaultGlobalSettings); - RealmConfig config = new RealmConfig(REALM_IDENTIFIER, realmSettings, env, threadPool.getThreadContext(), Integer.MAX_VALUE); + RealmConfig config = new RealmConfig(REALM_IDENTIFIER, realmSettings, env, threadPool.getThreadContext()); final LdapSessionFactory ldapFactory = new LdapSessionFactory(config, sslService, threadPool); final DnRoleMapper roleMapper = buildGroupAsRoleMapper(resourceWatcherService); final LdapRealm ldap = new LdapRealm(config, ldapFactory, roleMapper, threadPool); - final MockLookupRealm mockLookup = new MockLookupRealm(new RealmConfig(new RealmConfig.RealmIdentifier("mock", "mock_lookup"), - defaultGlobalSettings, env, threadPool.getThreadContext(), Integer.MAX_VALUE)); + RealmConfig.RealmIdentifier realmIdentifier = new RealmConfig.RealmIdentifier("mock", "mock_lookup"); + final MockLookupRealm mockLookup = new MockLookupRealm(new RealmConfig( + realmIdentifier, + Settings.builder().put(defaultGlobalSettings) + .put(getFullSettingKey(realmIdentifier, RealmSettings.ORDER_SETTING), 0).build(), + env, threadPool.getThreadContext())); ldap.initialize(Arrays.asList(ldap, mockLookup), licenseState); mockLookup.initialize(Arrays.asList(ldap, mockLookup), licenseState); 
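Review bot: The delegated-authorization fixture now gives both the ldap realm and the `mock_lookup` realm order 0. Since order is what ranks realms in the authentication chain, two realms sharing a value is not a configuration a deployment should run with, and if the order validation this series is tightening ever rejects duplicates this test will start failing for an unrelated reason; give the lookup realm a distinct value, e.g. `.put(getFullSettingKey(realmIdentifier, RealmSettings.ORDER_SETTING), 1)`. `testDelegatedAuthorization` begins before this hunk.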
@@ -311,6 +321,7 @@ public void testLdapRealmSelectsLdapSessionFactory() throws Exception { .put(getFullSettingKey(identifier, SearchGroupsResolverSettings.BASE_DN), groupSearchBase) .put(getFullSettingKey(identifier, SearchGroupsResolverSettings.SCOPE), LdapSearchScope.SUB_TREE) .put(getFullSettingKey(identifier, SSLConfigurationSettings.VERIFICATION_MODE_SETTING_REALM), VerificationMode.CERTIFICATE) + .put(getFullSettingKey(identifier, RealmSettings.ORDER_SETTING), 0) .build(); RealmConfig config = getRealmConfig(identifier, settings); final SSLService ssl = new SSLService(config.env()); @@ -332,6 +343,7 @@ public void testLdapRealmSelectsLdapUserSearchSessionFactory() throws Exception .put(getFullSettingKey(identifier, SearchGroupsResolverSettings.BASE_DN), groupSearchBase) .put(getFullSettingKey(identifier, SearchGroupsResolverSettings.SCOPE), LdapSearchScope.SUB_TREE) .put(getFullSettingKey(identifier, SSLConfigurationSettings.VERIFICATION_MODE_SETTING_REALM), VerificationMode.CERTIFICATE) + .put(getFullSettingKey(identifier, RealmSettings.ORDER_SETTING), 0) .build(); final RealmConfig config = getRealmConfig(identifier, settings); SessionFactory sessionFactory = LdapRealm.sessionFactory(config, new SSLService(config.env()), threadPool); @@ -353,6 +365,7 @@ public void testLdapRealmThrowsExceptionForUserTemplateAndSearchSettings() throw .put(getFullSettingKey(identifier, SearchGroupsResolverSettings.BASE_DN), "") .put(getFullSettingKey(identifier, SearchGroupsResolverSettings.SCOPE), LdapSearchScope.SUB_TREE) .put(getFullSettingKey(identifier, SSLConfigurationSettings.VERIFICATION_MODE_SETTING_REALM), VerificationMode.CERTIFICATE) + .put(getFullSettingKey(identifier, RealmSettings.ORDER_SETTING), 0) .build(); RealmConfig config = getRealmConfig(identifier, settings); IllegalArgumentException e = expectThrows(IllegalArgumentException.class, 
@@ -372,6 +385,7 @@ public void testLdapRealmThrowsExceptionWhenNeitherUserTemplateNorSearchSettings .put(getFullSettingKey(identifier, SearchGroupsResolverSettings.BASE_DN), "") .put(getFullSettingKey(identifier, SearchGroupsResolverSettings.SCOPE), LdapSearchScope.SUB_TREE) .put(getFullSettingKey(identifier, SSLConfigurationSettings.VERIFICATION_MODE_SETTING_REALM), VerificationMode.CERTIFICATE) + .put(getFullSettingKey(identifier, RealmSettings.ORDER_SETTING), 0) .build(); RealmConfig config = getRealmConfig(identifier, settings); IllegalArgumentException e = expectThrows(IllegalArgumentException.class, @@ -491,6 +505,7 @@ public void testLdapConnectionFailureIsTreatedAsAuthenticationFailure() throws E Settings settings = Settings.builder() .put(defaultGlobalSettings) .put(buildLdapSettings(new String[]{url.toString()}, userTemplate, groupSearchBase, LdapSearchScope.SUB_TREE)) + .put(getFullSettingKey(REALM_IDENTIFIER, RealmSettings.ORDER_SETTING), 0) .build(); RealmConfig config = getRealmConfig(REALM_IDENTIFIER, settings); LdapSessionFactory ldapFactory = new LdapSessionFactory(config, sslService, threadPool); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapSessionFactoryTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapSessionFactoryTests.java index ef2f78bc96ab4..3ba6d0da34824 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapSessionFactoryTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapSessionFactoryTests.java 
@@ -92,7 +92,7 @@ public void testBindWithReadTimeout() throws Exception { .build(); RealmConfig config = new RealmConfig(REALM_IDENTIFIER, settings, - TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings), Integer.MAX_VALUE); + TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings)); LdapSessionFactory sessionFactory = new LdapSessionFactory(config, sslService, threadPool); String user = "Horatio Hornblower"; SecureString userPass = new SecureString("pass"); @@ -121,7 +121,7 @@ public void testBindWithTemplates() throws Exception { .put(buildLdapSettings(ldapUrls(), userTemplates, groupSearchBase, LdapSearchScope.SUB_TREE)) .build(); RealmConfig config = new RealmConfig(REALM_IDENTIFIER, settings, - TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings), Integer.MAX_VALUE); + TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings)); LdapSessionFactory sessionFactory = new LdapSessionFactory(config, sslService, threadPool); @@ -148,7 +148,7 @@ public void testBindWithBogusTemplates() throws Exception { .put(buildLdapSettings(ldapUrls(), userTemplates, groupSearchBase, LdapSearchScope.SUB_TREE)) .build(); RealmConfig config = new RealmConfig(REALM_IDENTIFIER, settings, - TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings), Integer.MAX_VALUE); + TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings)); LdapSessionFactory ldapFac = new LdapSessionFactory(config, sslService, threadPool); 
@@ -170,7 +170,7 @@ public void testGroupLookupSubtree() throws Exception { .put(buildLdapSettings(ldapUrls(), userTemplate, groupSearchBase, LdapSearchScope.SUB_TREE)) .build(); RealmConfig config = new RealmConfig(REALM_IDENTIFIER, settings, - TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings), Integer.MAX_VALUE); + TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings)); LdapSessionFactory ldapFac = new LdapSessionFactory(config, sslService, threadPool); @@ -193,7 +193,7 @@ public void testGroupLookupOneLevel() throws Exception { .put(buildLdapSettings(ldapUrls(), userTemplate, groupSearchBase, LdapSearchScope.ONE_LEVEL)) .build(); RealmConfig config = new RealmConfig(REALM_IDENTIFIER, settings, - TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings), Integer.MAX_VALUE); + TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings)); LdapSessionFactory ldapFac = new LdapSessionFactory(config, sslService, threadPool); @@ -215,7 +215,7 @@ public void testGroupLookupBase() throws Exception { .put(buildLdapSettings(ldapUrls(), userTemplate, groupSearchBase, LdapSearchScope.BASE)) .build(); RealmConfig config = new RealmConfig(REALM_IDENTIFIER, settings, - TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings), Integer.MAX_VALUE); + TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings)); LdapSessionFactory ldapFac = new LdapSessionFactory(config, sslService, threadPool); 
@@ -262,7 +262,7 @@ public void testSslTrustIsReloaded() throws Exception { final Environment environment = TestEnvironment.newEnvironment(settings); RealmConfig config = new RealmConfig(REALM_IDENTIFIER, settings, - environment, new ThreadContext(settings), Integer.MAX_VALUE); + environment, new ThreadContext(settings)); LdapSessionFactory sessionFactory = new LdapSessionFactory(config, sslService, threadPool); String user = "Horatio Hornblower"; SecureString userPass = new SecureString("pass"); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapUserSearchSessionFactoryTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapUserSearchSessionFactoryTests.java index 30c8018ed536c..b59d95cb7a9da 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapUserSearchSessionFactoryTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapUserSearchSessionFactoryTests.java @@ -110,8 +110,7 @@ public void testSupportsUnauthenticatedSessions() throws Exception { } private RealmConfig getRealmConfig(Settings settings) { - return new RealmConfig(REALM_IDENTIFIER, settings, TestEnvironment.newEnvironment(settings), new ThreadContext(settings), - Integer.MAX_VALUE); + return new RealmConfig(REALM_IDENTIFIER, settings, TestEnvironment.newEnvironment(settings), new ThreadContext(settings)); } public void testUserSearchSubTree() throws Exception { 
@@ -521,7 +520,7 @@ public void testEmptyBindDNReturnsAnonymousBindRequest() throws LDAPException { .put(getFullSettingKey(REALM_IDENTIFIER.getName(), LdapUserSearchSessionFactorySettings.SEARCH_BASE_DN), userSearchBase); final boolean useLegacyBindPassword = configureBindPassword(realmSettings); RealmConfig config = new RealmConfig(REALM_IDENTIFIER, realmSettings.build(), - TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings), Integer.MAX_VALUE); + TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings)); try (LdapUserSearchSessionFactory searchSessionFactory = getLdapUserSearchSessionFactory(config, sslService, threadPool)) { assertThat(searchSessionFactory.bindCredentials, notNullValue()); assertThat(searchSessionFactory.bindCredentials.getBindDN(), isEmptyString()); @@ -539,7 +538,7 @@ public void testThatBindRequestReturnsSimpleBindRequest() throws LDAPException { .put(getFullSettingKey(REALM_IDENTIFIER.getName(), LdapUserSearchSessionFactorySettings.SEARCH_BASE_DN), userSearchBase); final boolean useLegacyBindPassword = configureBindPassword(realmSettings); RealmConfig config = new RealmConfig(REALM_IDENTIFIER, realmSettings.build(), - TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings), Integer.MAX_VALUE); + TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings)); try (LdapUserSearchSessionFactory searchSessionFactory = getLdapUserSearchSessionFactory(config, sslService, threadPool)) { assertThat(searchSessionFactory.bindCredentials, notNullValue()); assertThat(searchSessionFactory.bindCredentials.getBindDN(), is("cn=ironman")); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/SearchGroupsResolverInMemoryTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/SearchGroupsResolverInMemoryTests.java index 95b7f4907b97f..b5ac29c36dd62 100644 
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/SearchGroupsResolverInMemoryTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/SearchGroupsResolverInMemoryTests.java @@ -19,6 +19,7 @@ import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.env.TestEnvironment; import org.elasticsearch.xpack.core.security.authc.RealmConfig; +import org.elasticsearch.xpack.core.security.authc.RealmSettings; import org.elasticsearch.xpack.core.security.authc.ldap.PoolingSessionFactorySettings; import org.elasticsearch.xpack.core.security.authc.ldap.SearchGroupsResolverSettings; import org.elasticsearch.xpack.core.security.authc.ldap.support.LdapSearchScope; @@ -167,8 +168,9 @@ private RealmConfig getConfig(Settings settings) { if (settings.hasValue("path.home") == false) { settings = Settings.builder().put(settings).put("path.home", createTempDir()).build(); } - return new RealmConfig(REALM_IDENTIFIER, settings, TestEnvironment.newEnvironment(settings), new ThreadContext(settings), - Integer.MAX_VALUE); + return new RealmConfig(REALM_IDENTIFIER, + Settings.builder().put(settings).put(getFullSettingKey(REALM_IDENTIFIER, RealmSettings.ORDER_SETTING), 0).build(), + TestEnvironment.newEnvironment(settings), new ThreadContext(settings)); } } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/LdapLoadBalancingTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/LdapLoadBalancingTests.java index 84b16df01b247..5b741f67481ea 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/LdapLoadBalancingTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/LdapLoadBalancingTests.java 
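Review bot: In `getConfig`, the order key is added only to the Settings handed to `RealmConfig`, while `TestEnvironment.newEnvironment(settings)` and `new ThreadContext(settings)` are still built from the un-augmented `settings`, so `config.settings()` and `config.env().settings()` no longer agree. Fold the order key into `settings` first, next to the `path.home` default, e.g. `settings = Settings.builder().put(settings).put(getFullSettingKey(REALM_IDENTIFIER, RealmSettings.ORDER_SETTING), 0).build();`, and pass that single `settings` to all three constructor arguments. The `getConfig` signature is outside the hunk.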
@@ -14,6 +14,7 @@ import org.elasticsearch.env.TestEnvironment; import org.elasticsearch.test.ESTestCase; import org.elasticsearch.xpack.core.security.authc.RealmConfig; +import org.elasticsearch.xpack.core.security.authc.RealmSettings; import org.elasticsearch.xpack.core.security.authc.ldap.support.LdapLoadBalancingSettings; import static org.elasticsearch.xpack.core.security.authc.RealmSettings.getFullSettingKey; @@ -40,6 +41,7 @@ public Settings getSettings(String loadBalancerType) { return Settings.builder() .put(getFullSettingKey(REALM_IDENTIFIER, LdapLoadBalancingSettings.LOAD_BALANCE_TYPE_SETTING), loadBalancerType) .put("path.home", createTempDir()) + .put(getFullSettingKey(REALM_IDENTIFIER, RealmSettings.ORDER_SETTING), 0) .build(); } @@ -121,7 +123,6 @@ public void testDnsRoundRobinBadArgs() { } public RealmConfig getConfig(Settings settings) { - return new RealmConfig(REALM_IDENTIFIER, settings, TestEnvironment.newEnvironment(settings), new ThreadContext(settings), - Integer.MAX_VALUE); + return new RealmConfig(REALM_IDENTIFIER, settings, TestEnvironment.newEnvironment(settings), new ThreadContext(settings)); } } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/LdapMetaDataResolverTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/LdapMetaDataResolverTests.java index 8036e9ef9a2c8..67671a96de69e 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/LdapMetaDataResolverTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/LdapMetaDataResolverTests.java 
@@ -42,9 +42,10 @@ public void testParseSettings() throws Exception { .putList(RealmSettings.getFullSettingKey(realmId.getName(), LdapMetaDataResolverSettings.ADDITIONAL_META_DATA_SETTING.apply(LdapRealmSettings.LDAP_TYPE)), "cn", "uid") + .put(RealmSettings.getFullSettingKey(realmId, RealmSettings.ORDER_SETTING), 0) .build(); RealmConfig config = new RealmConfig(realmId, - settings, TestEnvironment.newEnvironment(settings), new ThreadContext(settings), Integer.MAX_VALUE); + settings, TestEnvironment.newEnvironment(settings), new ThreadContext(settings)); resolver = new LdapMetaDataResolver(config, false); assertThat(resolver.attributeNames(), arrayContaining("cn", "uid")); } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/LdapTestCase.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/LdapTestCase.java index 6e95d546b19d3..a9ac1817bd2b9 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/LdapTestCase.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/LdapTestCase.java @@ -28,6 +28,7 @@ import org.elasticsearch.watcher.ResourceWatcherService; import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.authc.RealmConfig; +import org.elasticsearch.xpack.core.security.authc.RealmSettings; import org.elasticsearch.xpack.core.security.authc.ldap.LdapSessionFactorySettings; import org.elasticsearch.xpack.core.security.authc.ldap.SearchGroupsResolverSettings; import org.elasticsearch.xpack.core.security.authc.ldap.support.LdapLoadBalancingSettings; 
@@ -172,6 +173,7 @@ public static Settings buildLdapSettings(RealmConfig.RealmIdentifier realmId, St if (serverSetType != null) { builder.put(getFullSettingKey(realmId, LdapLoadBalancingSettings.LOAD_BALANCE_TYPE_SETTING), serverSetType.toString()); } + builder.put(getFullSettingKey(realmId, RealmSettings.ORDER_SETTING), 0); return builder.build(); } @@ -192,9 +194,10 @@ protected DnRoleMapper buildGroupAsRoleMapper(ResourceWatcherService resourceWat Settings settings = Settings.builder() .put(getFullSettingKey(REALM_IDENTIFIER, DnRoleMapperSettings.USE_UNMAPPED_GROUPS_AS_ROLES_SETTING), true) .put("path.home", createTempDir()) + .put(getFullSettingKey(REALM_IDENTIFIER, RealmSettings.ORDER_SETTING), 0) .build(); RealmConfig config = new RealmConfig(REALM_IDENTIFIER, settings, - TestEnvironment.newEnvironment(settings), new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE); + TestEnvironment.newEnvironment(settings), new ThreadContext(Settings.EMPTY)); return new DnRoleMapper(config, resourceWatcherService); } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/SessionFactoryLoadBalancingTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/SessionFactoryLoadBalancingTests.java index 10699edd54dd6..f0ace87cd6990 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/SessionFactoryLoadBalancingTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/SessionFactoryLoadBalancingTests.java 
@@ -291,7 +291,7 @@ private TestSessionFactory createSessionFactory(LdapLoadBalancing loadBalancing) LdapSearchScope.SUB_TREE, loadBalancing); Settings globalSettings = Settings.builder().put("path.home", createTempDir()).put(settings).build(); RealmConfig config = new RealmConfig(REALM_IDENTIFIER, globalSettings, - TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE); + TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY)); return new TestSessionFactory(config, new SSLService(TestEnvironment.newEnvironment(config.settings())), threadPool); } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/SessionFactoryTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/SessionFactoryTests.java index 672eca8c903a5..15ae60907bb35 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/SessionFactoryTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/SessionFactoryTests.java @@ -19,6 +19,7 @@ import org.elasticsearch.threadpool.TestThreadPool; import org.elasticsearch.threadpool.ThreadPool; import org.elasticsearch.xpack.core.security.authc.RealmConfig; +import org.elasticsearch.xpack.core.security.authc.RealmSettings; import org.elasticsearch.xpack.core.security.authc.ldap.support.SessionFactorySettings; import org.elasticsearch.xpack.core.ssl.SSLConfigurationSettings; import org.elasticsearch.xpack.core.ssl.SSLService; 
@@ -49,9 +50,13 @@ public void shutdown() throws InterruptedException { } public void testConnectionFactoryReturnsCorrectLDAPConnectionOptionsWithDefaultSettings() throws Exception { - final Environment environment = TestEnvironment.newEnvironment(Settings.builder().put("path.home", createTempDir()).build()); - RealmConfig realmConfig = new RealmConfig(new RealmConfig.RealmIdentifier("ldap", "conn_settings"), - environment.settings(), environment, new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE); + final RealmConfig.RealmIdentifier realmIdentifier = new RealmConfig.RealmIdentifier("ldap", "conn_settings"); + final Environment environment = TestEnvironment.newEnvironment( + Settings.builder().put("path.home", createTempDir()) + .put(getFullSettingKey(realmIdentifier, RealmSettings.ORDER_SETTING), 0).build()); + RealmConfig realmConfig = new RealmConfig( + realmIdentifier, + environment.settings(), environment, new ThreadContext(Settings.EMPTY)); LDAPConnectionOptions options = SessionFactory.connectionOptions(realmConfig, new SSLService(environment), logger); assertThat(options.followReferrals(), is(equalTo(true))); 
@@ -69,11 +74,12 @@ public void testConnectionFactoryReturnsCorrectLDAPConnectionOptions() throws Ex .put(getFullSettingKey(realmId, SessionFactorySettings.HOSTNAME_VERIFICATION_SETTING), "false") .put(getFullSettingKey(realmId, SessionFactorySettings.TIMEOUT_TCP_READ_SETTING), "20ms") .put(getFullSettingKey(realmId, SessionFactorySettings.FOLLOW_REFERRALS_SETTING), "false") + .put(getFullSettingKey(realmId, RealmSettings.ORDER_SETTING), 0) .put("path.home", pathHome) .build(); Environment environment = TestEnvironment.newEnvironment(settings); - RealmConfig realmConfig = new RealmConfig(realmId, settings, environment, new ThreadContext(settings), Integer.MAX_VALUE); + RealmConfig realmConfig = new RealmConfig(realmId, settings, environment, new ThreadContext(settings)); LDAPConnectionOptions options = SessionFactory.connectionOptions(realmConfig, new SSLService(environment), logger); assertThat(options.followReferrals(), is(equalTo(false))); assertThat(options.allowConcurrentSocketFactoryUse(), is(equalTo(true))); @@ -86,8 +92,9 @@ public void testConnectionFactoryReturnsCorrectLDAPConnectionOptions() throws Ex settings = Settings.builder() .put(getFullSettingKey(realmId, SSLConfigurationSettings.VERIFICATION_MODE_SETTING_REALM), VerificationMode.CERTIFICATE) .put("path.home", pathHome) + .put(getFullSettingKey(realmId, RealmSettings.ORDER_SETTING), 0) .build(); - realmConfig = new RealmConfig(realmId, settings, environment, new ThreadContext(settings), Integer.MAX_VALUE); + realmConfig = new RealmConfig(realmId, settings, environment, new ThreadContext(settings)); options = SessionFactory.connectionOptions(realmConfig, new SSLService(TestEnvironment.newEnvironment(settings)), logger); assertThat(options.getSSLSocketVerifier(), is(instanceOf(TrustAllSSLSocketVerifier.class))); 
@@ -96,9 +103,10 @@ public void testConnectionFactoryReturnsCorrectLDAPConnectionOptions() throws Ex settings = Settings.builder() .put(getFullSettingKey(realmId, SSLConfigurationSettings.VERIFICATION_MODE_SETTING_REALM), VerificationMode.NONE) .put("path.home", pathHome) + .put(getFullSettingKey(realmId, RealmSettings.ORDER_SETTING), 0) .build(); environment = TestEnvironment.newEnvironment(settings); - realmConfig = new RealmConfig(realmId, settings, environment, new ThreadContext(settings), Integer.MAX_VALUE); + realmConfig = new RealmConfig(realmId, settings, environment, new ThreadContext(settings)); options = SessionFactory.connectionOptions(realmConfig, new SSLService(environment), logger); assertThat(options.getSSLSocketVerifier(), is(instanceOf(TrustAllSSLSocketVerifier.class))); } @@ -106,9 +114,10 @@ public void testConnectionFactoryReturnsCorrectLDAPConnectionOptions() throws Ex settings = Settings.builder() .put(getFullSettingKey(realmId, SSLConfigurationSettings.VERIFICATION_MODE_SETTING_REALM), VerificationMode.FULL) .put("path.home", pathHome) + .put(getFullSettingKey(realmId, RealmSettings.ORDER_SETTING), 0) .build(); environment = TestEnvironment.newEnvironment(settings); - realmConfig = new RealmConfig(realmId, settings, environment, new ThreadContext(settings), Integer.MAX_VALUE); + realmConfig = new RealmConfig(realmId, settings, environment, new ThreadContext(settings)); options = SessionFactory.connectionOptions(realmConfig, new SSLService(environment), logger); assertThat(options.getSSLSocketVerifier(), is(instanceOf(HostNameSSLSocketVerifier.class))); } 
@@ -130,8 +139,9 @@ private SessionFactory createSessionFactory() { Settings.builder() .put(getFullSettingKey(realmIdentifier, SessionFactorySettings.URLS_SETTING), "ldap://localhost:389") .put(global) + .put(getFullSettingKey(realmIdentifier, RealmSettings.ORDER_SETTING), 0) .build(), - TestEnvironment.newEnvironment(global), new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE); + TestEnvironment.newEnvironment(global), new ThreadContext(Settings.EMPTY)); return new SessionFactory(realmConfig, null, threadPool) { @Override diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealmSettingsTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealmSettingsTests.java index d8280d887c4cb..cdeb59b79533c 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealmSettingsTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealmSettingsTests.java @@ -14,6 +14,7 @@ import org.elasticsearch.env.TestEnvironment; import org.elasticsearch.test.ESTestCase; import org.elasticsearch.xpack.core.security.authc.RealmConfig; +import org.elasticsearch.xpack.core.security.authc.RealmSettings; import org.elasticsearch.xpack.core.security.authc.oidc.OpenIdConnectRealmSettings; import org.hamcrest.Matchers; import org.junit.Before; 
@@ -271,10 +272,13 @@ private MockSecureSettings getSecureSettings() { } private RealmConfig buildConfig(Settings realmSettings) { + RealmConfig.RealmIdentifier realmIdentifier = new RealmConfig.RealmIdentifier("oidc", REALM_NAME); final Settings settings = Settings.builder() .put("path.home", createTempDir()) - .put(realmSettings).build(); + .put(realmSettings) + .put(getFullSettingKey(realmIdentifier, RealmSettings.ORDER_SETTING), 0) + .build(); final Environment env = TestEnvironment.newEnvironment(settings); - return new RealmConfig(new RealmConfig.RealmIdentifier("oidc", REALM_NAME), settings, env, threadContext, Integer.MAX_VALUE); + return new RealmConfig(realmIdentifier, settings, env, threadContext); } } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealmTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealmTests.java index d7d4bea1bb201..41de06c9afeb0 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealmTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealmTests.java @@ -21,6 +21,7 @@ import org.elasticsearch.xpack.core.security.authc.AuthenticationResult; import org.elasticsearch.xpack.core.security.authc.Realm; import org.elasticsearch.xpack.core.security.authc.RealmConfig; +import org.elasticsearch.xpack.core.security.authc.RealmSettings; import org.elasticsearch.xpack.core.security.authc.oidc.OpenIdConnectRealmSettings; import org.elasticsearch.xpack.core.security.authc.support.DelegatedAuthorizationSettings; import org.elasticsearch.xpack.core.security.user.User; 
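Review bot: `buildConfig` puts order 0 after `.put(realmSettings)`, so it silently overrides any order a test supplies, and in a settings-validation test class this also prevents exercising the new mandatory-order check through the shared helper. Put the default before the caller's settings so the caller wins: `.put(getFullSettingKey(realmIdentifier, RealmSettings.ORDER_SETTING), 0)` followed by `.put(realmSettings)`. The identifier is also built from the literal `"oidc"` while `OpenIdConnectTestCase.getBasicRealmSettings` uses `OpenIdConnectRealmSettings.TYPE`; using the constant here keeps the two fixtures in step.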
@@ -308,8 +309,12 @@ private AuthenticationResult authenticateWithOidc(String principal, UserRoleMapp boolean useAuthorizingRealm ,String authenticatingRealm) throws Exception { + RealmConfig.RealmIdentifier realmIdentifier = new RealmConfig.RealmIdentifier("mock", "mock_lookup"); final MockLookupRealm lookupRealm = new MockLookupRealm( - new RealmConfig(new RealmConfig.RealmIdentifier("mock", "mock_lookup"), globalSettings, env, threadContext, Integer.MAX_VALUE)); + new RealmConfig(realmIdentifier, + Settings.builder().put(globalSettings) + .put(getFullSettingKey(realmIdentifier, RealmSettings.ORDER_SETTING), 0).build(), + env, threadContext)); final OpenIdConnectAuthenticator authenticator = mock(OpenIdConnectAuthenticator.class); final Settings.Builder builder = getBasicRealmSettings(); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectTestCase.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectTestCase.java index eb5f0857f4723..409881db58157 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectTestCase.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectTestCase.java @@ -19,6 +19,7 @@ import org.elasticsearch.env.TestEnvironment; import org.elasticsearch.test.ESTestCase; import org.elasticsearch.xpack.core.security.authc.RealmConfig; +import org.elasticsearch.xpack.core.security.authc.RealmSettings; import org.elasticsearch.xpack.core.security.authc.oidc.OpenIdConnectRealmSettings; import java.io.IOException; 
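Review bot: The `mock_lookup` realm is given order 0, the same value `getBasicRealmSettings` assigns to the oidc realm under test, so the two realms in this fixture share an order. Since order ranks realms in the authentication chain, use a distinct value for the lookup realm, e.g. `.put(getFullSettingKey(realmIdentifier, RealmSettings.ORDER_SETTING), 1)`, so the test does not depend on duplicate orders staying permitted. `authenticateWithOidc` begins before this hunk.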
@@ -37,6 +38,7 @@ public abstract class OpenIdConnectTestCase extends ESTestCase { protected static final String REALM_NAME = "oidc-realm"; protected static Settings.Builder getBasicRealmSettings() { + final RealmConfig.RealmIdentifier realmIdentifier = new RealmConfig.RealmIdentifier(OpenIdConnectRealmSettings.TYPE, REALM_NAME); return Settings.builder() .put(getFullSettingKey(REALM_NAME, OpenIdConnectRealmSettings.OP_AUTHORIZATION_ENDPOINT), "https://op.example.org/login") .put(getFullSettingKey(REALM_NAME, OpenIdConnectRealmSettings.OP_TOKEN_ENDPOINT), "https://op.example.org/token") @@ -52,6 +54,7 @@ protected static Settings.Builder getBasicRealmSettings() { .put(getFullSettingKey(REALM_NAME, OpenIdConnectRealmSettings.GROUPS_CLAIM.getClaim()), "groups") .put(getFullSettingKey(REALM_NAME, OpenIdConnectRealmSettings.MAIL_CLAIM.getClaim()), "mail") .put(getFullSettingKey(REALM_NAME, OpenIdConnectRealmSettings.NAME_CLAIM.getClaim()), "name") + .put(getFullSettingKey(realmIdentifier, RealmSettings.ORDER_SETTING), 0) .setSecureSettings(getSecureSettings()); } @@ -87,11 +90,14 @@ protected JWT generateIdToken(String subject, String audience, String issuer) th } protected RealmConfig buildConfig(Settings realmSettings, ThreadContext threadContext) { + RealmConfig.RealmIdentifier realmIdentifier = new RealmConfig.RealmIdentifier("oidc", REALM_NAME); final Settings settings = Settings.builder() .put("path.home", createTempDir()) - .put(realmSettings).build(); + .put(realmSettings) + .put(getFullSettingKey(realmIdentifier, RealmSettings.ORDER_SETTING), 0) + .build(); final Environment env = TestEnvironment.newEnvironment(settings); - return new RealmConfig(new RealmConfig.RealmIdentifier("oidc", REALM_NAME), settings, env, threadContext, Integer.MAX_VALUE); + return new RealmConfig(realmIdentifier, settings, env, threadContext); } public static void writeJwkSetToFile(Path file) throws IOException { 
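Review bot: `buildConfig` in the third hunk still builds its identifier from the literal `"oidc"` while `getBasicRealmSettings()` in the first hunk now uses `OpenIdConnectRealmSettings.TYPE` for the same realm, so the order keys written by the two helpers agree only as long as the constant equals the literal. Using `new RealmConfig.RealmIdentifier(OpenIdConnectRealmSettings.TYPE, REALM_NAME)` in `buildConfig` as well removes that hidden dependency. Since both helpers need the identifier, it could be hoisted to a `static final` field next to `REALM_NAME` instead of being rebuilt in each method.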
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiAuthDelegationIntegTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiAuthDelegationIntegTests.java
index fd84e71b91e0a..d707e9dee5be2 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiAuthDelegationIntegTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiAuthDelegationIntegTests.java
@@ -54,19 +54,19 @@ public Settings nodeSettings(int nodeOrdinal) {
 .put(super.nodeSettings(nodeOrdinal))
 .put(XPackSettings.TOKEN_SERVICE_ENABLED_SETTING.getKey(), true)
 // pki1 does not allow delegation
- .put("xpack.security.authc.realms.pki.pki1.order", "1")
+ .put("xpack.security.authc.realms.pki.pki1.order", "2")
 .putList("xpack.security.authc.realms.pki.pki1.certificate_authorities",
 getDataPath("/org/elasticsearch/xpack/security/action/pki_delegation/testRootCA.crt").toString())
 .put("xpack.security.authc.realms.pki.pki1.files.role_mapping", getDataPath("role_mapping.yml"))
 // pki2 allows delegation but has a non-matching username pattern
- .put("xpack.security.authc.realms.pki.pki2.order", "2")
+ .put("xpack.security.authc.realms.pki.pki2.order", "3")
 .putList("xpack.security.authc.realms.pki.pki2.certificate_authorities",
 getDataPath("/org/elasticsearch/xpack/security/action/pki_delegation/testRootCA.crt").toString())
 .put("xpack.security.authc.realms.pki.pki2.username_pattern", "CN=MISMATCH(.*?)(?:,|$)")
 .put("xpack.security.authc.realms.pki.pki2.delegation.enabled", true)
 .put("xpack.security.authc.realms.pki.pki2.files.role_mapping", getDataPath("role_mapping.yml"))
 // pki3 allows delegation and the username pattern (default) matches
- .put("xpack.security.authc.realms.pki.pki3.order", "3")
+ .put("xpack.security.authc.realms.pki.pki3.order", "4")
 .putList("xpack.security.authc.realms.pki.pki3.certificate_authorities",
 getDataPath("/org/elasticsearch/xpack/security/action/pki_delegation/testRootCA.crt").toString())
 .put("xpack.security.authc.realms.pki.pki3.delegation.enabled", true)
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiAuthenticationTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiAuthenticationTests.java
index 1e5b188160ce2..bbb3b1d3c6684 100644
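Review bot: The three `order` values in `nodeSettings` are shifted up by one with no comment saying why, so a reader cannot tell whether order 1 is now taken by a realm configured elsewhere (presumably the reason, given that `order` becomes mandatory in this series) or the renumbering is incidental; PkiAuthenticationTests (`@@ -55,14 +55,14 @@`) and PkiOptionalClientAuthTests (`@@ -57,7 +57,7 @@`) make the same shift. A one-line comment above the first changed `.put`, `// orders start at 2: lower values are used by realms the test cluster configures itself — TODO confirm`, records the reason where the numbers live. In PkiAuthenticationTests the `pki1.files.role_mapping` setting is also put twice on consecutive context lines; the duplicate is harmless but should be dropped while the block is being touched.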
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiAuthenticationTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiAuthenticationTests.java
@@ -55,14 +55,14 @@ protected Settings nodeSettings() {
 builder.put("xpack.security.http.ssl.enabled", true)
 .put("xpack.security.http.ssl.client_authentication", sslClientAuth)
 .put("xpack.security.authc.realms.file.file.order", "0")
- .put("xpack.security.authc.realms.pki.pki1.order", "1")
+ .put("xpack.security.authc.realms.pki.pki1.order", "2")
 .putList("xpack.security.authc.realms.pki.pki1.certificate_authorities",
 getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt").toString())
 .put("xpack.security.authc.realms.pki.pki1.files.role_mapping", getDataPath("role_mapping.yml"))
 .put("xpack.security.authc.realms.pki.pki1.files.role_mapping", getDataPath("role_mapping.yml"))
 // pki1 never authenticates because of the principal pattern
 .put("xpack.security.authc.realms.pki.pki1.username_pattern", "CN=(MISMATCH.*?)(?:,|$)")
- .put("xpack.security.authc.realms.pki.pki2.order", "2")
+ .put("xpack.security.authc.realms.pki.pki2.order", "3")
 .putList("xpack.security.authc.realms.pki.pki2.certificate_authorities",
 getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt").toString(),
 getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_ec.crt").toString())
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiOptionalClientAuthTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiOptionalClientAuthTests.java
index 3dd749c86705a..066fd797203f7 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiOptionalClientAuthTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiOptionalClientAuthTests.java @@ -57,7 +57,7 @@ protected Settings nodeSettings() { .put("xpack.security.http.ssl.certificate", getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt")) .put("xpack.security.authc.realms.file.file.order", "0") - .put("xpack.security.authc.realms.pki.pki1.order", "1") + .put("xpack.security.authc.realms.pki.pki1.order", "2") .put("xpack.security.authc.realms.pki.pki1.truststore.path", getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/truststore-testnode-only.jks")) .put("xpack.security.authc.realms.pki.pki1.files.role_mapping", getDataPath("role_mapping.yml")) diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiRealmTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiRealmTests.java index bab1dc9f92c6a..5073391e666af 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiRealmTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiRealmTests.java @@ -23,6 +23,7 @@ import org.elasticsearch.xpack.core.security.authc.InternalRealmsSettings; import org.elasticsearch.xpack.core.security.authc.Realm; import org.elasticsearch.xpack.core.security.authc.RealmConfig; +import org.elasticsearch.xpack.core.security.authc.RealmSettings; import org.elasticsearch.xpack.core.security.authc.pki.PkiRealmSettings; import org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken; import org.elasticsearch.xpack.core.security.support.NoOpLogger; 
@@ -70,16 +71,19 @@ public class PkiRealmTests extends ESTestCase { @Before public void setup() throws Exception { + RealmConfig.RealmIdentifier realmIdentifier = new RealmConfig.RealmIdentifier(PkiRealmSettings.TYPE, REALM_NAME); globalSettings = Settings.builder() .put("path.home", createTempDir()) + .put(RealmSettings.getFullSettingKey(realmIdentifier, RealmSettings.ORDER_SETTING), 0) .build(); licenseState = mock(XPackLicenseState.class); when(licenseState.isAuthorizationRealmAllowed()).thenReturn(true); } public void testTokenSupport() throws Exception { - RealmConfig config = new RealmConfig(new RealmConfig.RealmIdentifier("pki", "my_pki"), globalSettings, - TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings), Integer.MAX_VALUE); + RealmConfig config = new RealmConfig(new RealmConfig.RealmIdentifier(PkiRealmSettings.TYPE, REALM_NAME), + globalSettings, + TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings)); PkiRealm realm = new PkiRealm(config, mock(UserRoleMapper.class)); assertRealmUsageStats(realm, false, false, true, false); 
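Review bot: `setup()` now writes the mandatory `order` into `globalSettings` for the single identifier `(PkiRealmSettings.TYPE, REALM_NAME)`, which is why every `RealmConfig` in this file is switched from `"pki", "my_pki"` to `REALM_NAME`; that coupling is stated nowhere, and a future test that builds a config from `globalSettings` under any other name will fail inside the `RealmConfig` constructor with a message about a missing `order` rather than anything that points back here. A comment on the added `.put` line, `// 'order' is mandatory and is only configured for REALM_NAME, so every RealmConfig built from globalSettings must use that identifier`, makes the contract visible. The identifier created in `setup()` could also be kept as a field so `testTokenSupport` and the tests in the later hunks reuse it instead of rebuilding it at each call site.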
@@ -95,8 +99,8 @@ public void testExtractToken() throws Exception { X509Certificate certificate = readCert(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt")); ThreadContext threadContext = new ThreadContext(Settings.EMPTY); threadContext.putTransient(PkiRealm.PKI_CERT_HEADER_NAME, new X509Certificate[]{certificate}); - PkiRealm realm = new PkiRealm(new RealmConfig(new RealmConfig.RealmIdentifier("pki", "my_pki"), globalSettings, - TestEnvironment.newEnvironment(globalSettings), threadContext, Integer.MAX_VALUE), mock(UserRoleMapper.class)); + PkiRealm realm = new PkiRealm(new RealmConfig(new RealmConfig.RealmIdentifier(PkiRealmSettings.TYPE, REALM_NAME), globalSettings, + TestEnvironment.newEnvironment(globalSettings), threadContext), mock(UserRoleMapper.class)); X509AuthenticationToken token = realm.token(threadContext); assertThat(token, is(notNullValue())); @@ -178,8 +182,8 @@ private UserRoleMapper buildRoleMapper(Set roles, String dn) { } private PkiRealm buildRealm(UserRoleMapper roleMapper, Settings settings, Realm... otherRealms) { - final RealmConfig config = new RealmConfig(new RealmConfig.RealmIdentifier("pki", REALM_NAME), settings, - TestEnvironment.newEnvironment(settings), new ThreadContext(settings), Integer.MAX_VALUE); + final RealmConfig config = new RealmConfig(new RealmConfig.RealmIdentifier(PkiRealmSettings.TYPE, REALM_NAME), settings, + TestEnvironment.newEnvironment(settings), new ThreadContext(settings)); PkiRealm realm = new PkiRealm(config, roleMapper); List allRealms = CollectionUtils.arrayAsArrayList(otherRealms); allRealms.add(realm); 
@@ -269,8 +273,8 @@ public void testAuthenticationDelegationFailsWithoutTokenServiceAndTruststore() .put("xpack.security.authc.realms.pki.my_pki.delegation.enabled", true) .build(); IllegalStateException e = expectThrows(IllegalStateException.class, - () -> new PkiRealm(new RealmConfig(new RealmConfig.RealmIdentifier("pki", "my_pki"), settings, - TestEnvironment.newEnvironment(globalSettings), threadContext, Integer.MAX_VALUE), mock(UserRoleMapper.class))); + () -> new PkiRealm(new RealmConfig(new RealmConfig.RealmIdentifier(PkiRealmSettings.TYPE, REALM_NAME), settings, + TestEnvironment.newEnvironment(globalSettings), threadContext), mock(UserRoleMapper.class))); assertThat(e.getMessage(), is("PKI realms with delegation enabled require a trust configuration " + "(xpack.security.authc.realms.pki.my_pki.certificate_authorities or " @@ -286,8 +290,8 @@ public void testAuthenticationDelegationFailsWithoutTruststore() throws Exceptio .put("xpack.security.authc.token.enabled", true) .build(); IllegalStateException e = expectThrows(IllegalStateException.class, - () -> new PkiRealm(new RealmConfig(new RealmConfig.RealmIdentifier("pki", "my_pki"), settings, - TestEnvironment.newEnvironment(globalSettings), threadContext, Integer.MAX_VALUE), mock(UserRoleMapper.class))); + () -> new PkiRealm(new RealmConfig(new RealmConfig.RealmIdentifier(PkiRealmSettings.TYPE, REALM_NAME), settings, + TestEnvironment.newEnvironment(globalSettings), threadContext), mock(UserRoleMapper.class))); assertThat(e.getMessage(), is("PKI realms with delegation enabled require a trust configuration " + "(xpack.security.authc.realms.pki.my_pki.certificate_authorities " 
@@ -384,30 +388,30 @@ public void testTruststorePathWithoutPasswordThrowsException() throws Exception assumeFalse("Can't run in a FIPS JVM, JKS keystores can't be used", inFipsJvm()); Settings settings = Settings.builder() .put(globalSettings) - .put("xpack.security.authc.realms.pki.mypki.truststore.path", + .put("xpack.security.authc.realms.pki.my_pki.truststore.path", getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-client-profile.jks")) .build(); IllegalArgumentException e = expectThrows(IllegalArgumentException.class, () -> - new PkiRealm(new RealmConfig(new RealmConfig.RealmIdentifier("pki", "mypki"), settings, - TestEnvironment.newEnvironment(settings), new ThreadContext(settings), Integer.MAX_VALUE), + new PkiRealm(new RealmConfig(new RealmConfig.RealmIdentifier(PkiRealmSettings.TYPE, REALM_NAME), settings, + TestEnvironment.newEnvironment(settings), new ThreadContext(settings)), mock(UserRoleMapper.class)) ); - assertThat(e.getMessage(), containsString("Neither [xpack.security.authc.realms.pki.mypki.truststore.secure_password] or [" + - "xpack.security.authc.realms.pki.mypki.truststore.password] is configured")); + assertThat(e.getMessage(), containsString("Neither [xpack.security.authc.realms.pki.my_pki.truststore.secure_password] or [" + + "xpack.security.authc.realms.pki.my_pki.truststore.password] is configured")); } public void testTruststorePathWithLegacyPasswordDoesNotThrow() throws Exception { assumeFalse("Can't run in a FIPS JVM, JKS keystores can't be used", inFipsJvm()); Settings settings = Settings.builder() .put(globalSettings) - .put("xpack.security.authc.realms.pki.mypki.truststore.path", + .put("xpack.security.authc.realms.pki.my_pki.truststore.path", getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-client-profile.jks")) - .put("xpack.security.authc.realms.pki.mypki.truststore.password", "testnode-client-profile") + 
.put("xpack.security.authc.realms.pki.my_pki.truststore.password", "testnode-client-profile") .build(); - new PkiRealm(new RealmConfig(new RealmConfig.RealmIdentifier("pki", "mypki"), settings, - TestEnvironment.newEnvironment(settings), new ThreadContext(settings), Integer.MAX_VALUE), mock(UserRoleMapper.class)); + new PkiRealm(new RealmConfig(new RealmConfig.RealmIdentifier(PkiRealmSettings.TYPE, REALM_NAME), settings, + TestEnvironment.newEnvironment(settings), new ThreadContext(settings)), mock(UserRoleMapper.class)); assertSettingDeprecationsAndWarnings(new Setting[]{ - PkiRealmSettings.LEGACY_TRUST_STORE_PASSWORD.getConcreteSettingForNamespace("mypki") + PkiRealmSettings.LEGACY_TRUST_STORE_PASSWORD.getConcreteSettingForNamespace(REALM_NAME) }); } @@ -474,8 +478,12 @@ public void testDelegatedAuthorization() throws Exception { String parsedPrincipal = PkiRealm.getPrincipalFromSubjectDN(Pattern.compile(PkiRealmSettings.DEFAULT_USERNAME_PATTERN), token, NoOpLogger.INSTANCE); - final MockLookupRealm otherRealm = new MockLookupRealm(new RealmConfig(new RealmConfig.RealmIdentifier("mock", "other_realm"), - globalSettings, TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings), Integer.MAX_VALUE)); + RealmConfig.RealmIdentifier realmIdentifier = new RealmConfig.RealmIdentifier("mock", "other_realm"); + final MockLookupRealm otherRealm = new MockLookupRealm(new RealmConfig( + realmIdentifier, + Settings.builder().put(globalSettings) + .put(RealmSettings.getFullSettingKey(realmIdentifier, RealmSettings.ORDER_SETTING), 0).build(), + TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings))); final User lookupUser = new User(parsedPrincipal); otherRealm.registerUser(lookupUser); 
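Review bot: In `testTruststorePathWithoutPasswordThrowsException` and `testTruststorePathWithLegacyPasswordDoesNotThrow` the realm identifier now comes from `REALM_NAME`, but the `truststore.path`/`truststore.password` keys and the expected error message still hard-code `my_pki`, so the tests pass only while the constant equals that literal and a rename would break them with an unrelated-looking mismatch. Building the strings from the constant keeps them in step, e.g. `"xpack.security.authc.realms.pki." + REALM_NAME + ".truststore.path"` and `containsString("Neither [xpack.security.authc.realms.pki." + REALM_NAME + ".truststore.secure_password] or [")`. The delegation assertions in `@@ -269,8 +273,8 @@` and `@@ -286,8 +290,8 @@` carry the same hard-coded `my_pki`.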
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java index 1bb8677631d3b..8959b4ae29a54 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java @@ -246,8 +246,11 @@ private AuthenticationResult performAuthentication(UserRoleMapper roleMapper, bo final String nameIdValue = principalIsEmailAddress ? "clint.barton@shield.gov" : "clint.barton"; final String uidValue = principalIsEmailAddress ? "cbarton@shield.gov" : "cbarton"; + final RealmConfig.RealmIdentifier realmIdentifier = new RealmConfig.RealmIdentifier("mock", "mock_lookup"); final MockLookupRealm lookupRealm = new MockLookupRealm( - new RealmConfig(new RealmConfig.RealmIdentifier("mock","mock_lookup"), globalSettings, env, threadContext, Integer.MAX_VALUE)); + new RealmConfig(realmIdentifier, + Settings.builder().put(globalSettings).put(getFullSettingKey(realmIdentifier, RealmSettings.ORDER_SETTING), 0).build(), + env, threadContext)); final Settings.Builder settingsBuilder = Settings.builder() .put(getFullSettingKey(REALM_NAME, SamlRealmSettings.PRINCIPAL_ATTRIBUTE.getAttribute()), useNameId ? "nameid" : "uid") 
@@ -718,13 +721,19 @@ private RealmConfig buildConfig(Settings realmSettings) { .put("path.home", createTempDir()) .put(realmSettings).build(); final Environment env = TestEnvironment.newEnvironment(settings); - return new RealmConfig(new RealmConfig.RealmIdentifier("saml", REALM_NAME), settings, env, threadContext, Integer.MAX_VALUE); + final RealmConfig.RealmIdentifier realmIdentifier = new RealmConfig.RealmIdentifier("saml", REALM_NAME); + return new RealmConfig(realmIdentifier, + Settings.builder().put(settings).put(getFullSettingKey(realmIdentifier, RealmSettings.ORDER_SETTING), 0).build(), + env, threadContext); } private RealmConfig realmConfigFromGlobalSettings(Settings globalSettings) { final Environment env = TestEnvironment.newEnvironment(globalSettings); - return new RealmConfig(new RealmConfig.RealmIdentifier("saml", REALM_NAME), globalSettings, env, - new ThreadContext(globalSettings), Integer.MAX_VALUE); + final RealmConfig.RealmIdentifier realmIdentifier = new RealmConfig.RealmIdentifier("saml", REALM_NAME); + return new RealmConfig(realmIdentifier, + Settings.builder().put(globalSettings).put(getFullSettingKey(realmIdentifier, RealmSettings.ORDER_SETTING), 0).build(), + env, + new ThreadContext(globalSettings)); } private void assertIdp1MetadataParsedCorrectly(EntityDescriptor descriptor) { diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/CachingUsernamePasswordRealmTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/CachingUsernamePasswordRealmTests.java index 871704ccf3d40..3390f4280ebf6 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/CachingUsernamePasswordRealmTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/CachingUsernamePasswordRealmTests.java 
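Review bot: In `buildConfig` and `realmConfigFromGlobalSettings` the `Environment` is built from the settings without `order` while the `RealmConfig` receives a second, re-wrapped `Settings` that has it, so the two objects handed to the same config no longer agree; the OIDC counterparts in this commit add the order to the one builder before creating the environment. Adding the order to the existing builder (before `.put(realmSettings)`, so a test-supplied order wins) and passing that single `settings` to both calls removes the duplication and the drift. `buildConfig` starts outside the hunk; the rewritten body is below, and `realmConfigFromGlobalSettings` can follow the same shape.
```java
    private RealmConfig buildConfig(Settings realmSettings) {
        final RealmConfig.RealmIdentifier realmIdentifier = new RealmConfig.RealmIdentifier("saml", REALM_NAME);
        // 'order' is mandatory; it is set first so realmSettings may override it
        final Settings settings = Settings.builder()
                .put("path.home", createTempDir())
                .put(getFullSettingKey(realmIdentifier, RealmSettings.ORDER_SETTING), 0)
                .put(realmSettings)
                .build();
        final Environment env = TestEnvironment.newEnvironment(settings);
        return new RealmConfig(realmIdentifier, settings, env, threadContext);
    }
    // … unchanged: realmConfigFromGlobalSettings (apply the same single-builder shape) …
```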
@@ -35,6 +35,7 @@ import java.util.concurrent.atomic.AtomicReference; import static java.util.Collections.emptyMap; +import static org.elasticsearch.xpack.core.security.authc.RealmSettings.getFullSettingKey; import static org.hamcrest.Matchers.arrayContaining; import static org.hamcrest.Matchers.containsString; import static org.hamcrest.Matchers.equalTo; @@ -70,13 +71,14 @@ public void testCacheSettings() { final RealmConfig.RealmIdentifier identifier = new RealmConfig.RealmIdentifier("caching", "test_realm"); Settings settings = Settings.builder() .put(globalSettings) - .put(RealmSettings.getFullSettingKey(identifier, CachingUsernamePasswordRealmSettings.CACHE_HASH_ALGO_SETTING), cachingHashAlgo) - .put(RealmSettings.getFullSettingKey(identifier, CachingUsernamePasswordRealmSettings.CACHE_MAX_USERS_SETTING), maxUsers) - .put(RealmSettings.getFullSettingKey(identifier, CachingUsernamePasswordRealmSettings.CACHE_TTL_SETTING), ttl) + .put(getFullSettingKey(identifier, CachingUsernamePasswordRealmSettings.CACHE_HASH_ALGO_SETTING), cachingHashAlgo) + .put(getFullSettingKey(identifier, CachingUsernamePasswordRealmSettings.CACHE_MAX_USERS_SETTING), maxUsers) + .put(getFullSettingKey(identifier, CachingUsernamePasswordRealmSettings.CACHE_TTL_SETTING), ttl) + .put(getFullSettingKey(identifier, RealmSettings.ORDER_SETTING), 0) .build(); RealmConfig config = new RealmConfig(identifier, settings, - TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE); + TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY)); CachingUsernamePasswordRealm realm = new CachingUsernamePasswordRealm(config, threadPool) { @Override protected void doAuthenticate(UsernamePasswordToken token, ActionListener listener) { 
@@ -95,12 +97,12 @@ public void testCacheSizeWhenCacheDisabled() { final RealmConfig.RealmIdentifier identifier = new RealmConfig.RealmIdentifier("caching", "test_realm"); final Settings settings = Settings.builder() .put(globalSettings) - .put(RealmSettings.getFullSettingKey(identifier, CachingUsernamePasswordRealmSettings.CACHE_TTL_SETTING), -1) + .put(getFullSettingKey(identifier, CachingUsernamePasswordRealmSettings.CACHE_TTL_SETTING), -1) + .put(getFullSettingKey(identifier, RealmSettings.ORDER_SETTING), 0) .build(); final RealmConfig config = - new RealmConfig(identifier, settings, TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY), - Integer.MAX_VALUE); + new RealmConfig(identifier, settings, TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY)); final CachingUsernamePasswordRealm realm = new CachingUsernamePasswordRealm(config, threadPool) { @Override protected void doAuthenticate(UsernamePasswordToken token, ActionListener listener) { 
@@ -276,10 +278,11 @@ public void testCacheWithVeryLowTtlExpiresBetweenAuthenticateCalls() throws Inte final RealmConfig.RealmIdentifier identifier = new RealmConfig.RealmIdentifier("caching", "test_cache_ttl"); Settings settings = Settings.builder() .put(globalSettings) - .put(RealmSettings.getFullSettingKey(identifier, CachingUsernamePasswordRealmSettings.CACHE_TTL_SETTING), ttl) + .put(getFullSettingKey(identifier, CachingUsernamePasswordRealmSettings.CACHE_TTL_SETTING), ttl) + .put(getFullSettingKey(identifier, RealmSettings.ORDER_SETTING), 0) .build(); RealmConfig config = new RealmConfig(identifier, settings, - TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE); + TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY)); AlwaysAuthenticateCachingRealm realm = new AlwaysAuthenticateCachingRealm(config, threadPool); final UsernamePasswordToken authToken = new UsernamePasswordToken("the-user", new SecureString("the-password")); 
@@ -307,10 +310,11 @@ public void testReadsDoNotPreventCacheExpiry() throws InterruptedException { final RealmConfig.RealmIdentifier identifier = new RealmConfig.RealmIdentifier("caching", "test_cache_ttl"); Settings settings = Settings.builder() .put(globalSettings) - .put(RealmSettings.getFullSettingKey(identifier, CachingUsernamePasswordRealmSettings.CACHE_TTL_SETTING), ttl) + .put(getFullSettingKey(identifier, CachingUsernamePasswordRealmSettings.CACHE_TTL_SETTING), ttl) + .put(getFullSettingKey(identifier, RealmSettings.ORDER_SETTING), 0) .build(); RealmConfig config = new RealmConfig(identifier, settings, - TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE); + TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY)); AlwaysAuthenticateCachingRealm realm = new AlwaysAuthenticateCachingRealm(config, threadPool); final UsernamePasswordToken authToken = new UsernamePasswordToken("the-user", new SecureString("the-password")); 
@@ -413,8 +417,12 @@ public void testSingleAuthPerUserLimit() throws Exception {
 final AtomicInteger authCounter = new AtomicInteger(0);
 final Hasher pwdHasher = Hasher.resolve(randomFrom("pbkdf2", "pbkdf2_1000", "bcrypt", "bcrypt9"));
 final String passwordHash = new String(pwdHasher.hash(password));
- RealmConfig config = new RealmConfig(new RealmConfig.RealmIdentifier("caching", "test_realm"), globalSettings,
- TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE);
+ final RealmConfig.RealmIdentifier realmIdentifier = new RealmConfig.RealmIdentifier("caching", "test_realm");
+ RealmConfig config = new RealmConfig(
+ realmIdentifier,
+ Settings.builder().put(globalSettings)
+ .put(getFullSettingKey(realmIdentifier, RealmSettings.ORDER_SETTING), 0).build(),
+ TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY));
 final CachingUsernamePasswordRealm realm = new CachingUsernamePasswordRealm(config, threadPool) {
 @Override
 protected void doAuthenticate(UsernamePasswordToken token, ActionListener listener) {
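Review bot: The six-line `Settings.builder().put(globalSettings).put(getFullSettingKey(realmIdentifier, RealmSettings.ORDER_SETTING), 0).build()` construction in `testSingleAuthPerUserLimit` is repeated verbatim in `@@ -479,8 +487,12 @@`, `@@ -562,8 +574,11 @@`, `@@ -630,8 +645,11 @@` and in the three inner realm classes (`@@ -718,9 +737,16 @@`, `@@ -737,9 +763,14 @@`, `@@ -761,9 +792,14 @@`), where the same `RealmIdentifier` is additionally constructed twice inside one expression. A private static helper that takes the identifier, the base settings and the thread context would make each call site one line and leave a single place to change when the value or the key of `order` moves. The helper below can live anywhere in the test class; the call site shown replaces the six added lines of this hunk.
```java
    // Builds a RealmConfig whose settings carry the now-mandatory 'order' (0) for the given realm.
    private static RealmConfig configWithOrder(RealmConfig.RealmIdentifier id, Settings base, ThreadContext threadContext) {
        final Settings settings = Settings.builder()
            .put(base)
            .put(getFullSettingKey(id, RealmSettings.ORDER_SETTING), 0)
            .build();
        return new RealmConfig(id, settings, TestEnvironment.newEnvironment(base), threadContext);
    }

    // call site in testSingleAuthPerUserLimit
    RealmConfig config = configWithOrder(new RealmConfig.RealmIdentifier("caching", "test_realm"),
        globalSettings, new ThreadContext(Settings.EMPTY));
```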
@@ -479,8 +487,12 @@ public void testUnauthenticatedResultPropagatesWithSameCreds() throws Exception final AtomicInteger authCounter = new AtomicInteger(0); final Hasher pwdHasher = Hasher.resolve(randomFrom("pbkdf2", "pbkdf2_1000", "bcrypt", "bcrypt9")); final String passwordHash = new String(pwdHasher.hash(password)); - RealmConfig config = new RealmConfig(new RealmConfig.RealmIdentifier("caching", "test_realm"), globalSettings, - TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE); + final RealmConfig.RealmIdentifier realmIdentifier = new RealmConfig.RealmIdentifier("caching", "test_realm"); + RealmConfig config = new RealmConfig( + realmIdentifier, + Settings.builder().put(globalSettings) + .put(getFullSettingKey(realmIdentifier, RealmSettings.ORDER_SETTING), 0).build(), + TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY)); final int numberOfProcessors = Runtime.getRuntime().availableProcessors(); final int numberOfThreads = scaledRandomIntBetween((numberOfProcessors + 1) / 2, numberOfProcessors * 3); 
@@ -562,8 +574,11 @@ public void testCacheConcurrency() throws Exception {
 final SecureString randomPassword = new SecureString(randomAlphaOfLength(password.length()).toCharArray());
 final Hasher localHasher = Hasher.resolve(randomFrom("pbkdf2", "pbkdf2_1000", "bcrypt", "bcrypt9"));
 final String passwordHash = new String(localHasher.hash(password));
- RealmConfig config = new RealmConfig(new RealmConfig.RealmIdentifier("caching", "test_realm"), globalSettings,
- TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE);
+ final RealmConfig.RealmIdentifier realmIdentifier = new RealmConfig.RealmIdentifier("caching", "test_realm");
+ RealmConfig config = new RealmConfig(realmIdentifier,
+ Settings.builder().put(globalSettings)
+ .put(getFullSettingKey(realmIdentifier, RealmSettings.ORDER_SETTING), 0).build(),
+ TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY));
 final CachingUsernamePasswordRealm realm = new CachingUsernamePasswordRealm(config, threadPool) {
 @Override
 protected void doAuthenticate(UsernamePasswordToken token, ActionListener listener) {
@@ -630,8 +645,11 @@ public void testUserLookupConcurrency() throws Exception { final String username = "username"; final AtomicInteger lookupCounter = new AtomicInteger(0); - RealmConfig config = new RealmConfig(new RealmConfig.RealmIdentifier("caching", "test_realm"), globalSettings, - TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE); + final RealmConfig.RealmIdentifier realmIdentifier = new RealmConfig.RealmIdentifier("caching", "test_realm"); + RealmConfig config = new RealmConfig(realmIdentifier, + Settings.builder().put(globalSettings) + .put(getFullSettingKey(realmIdentifier, RealmSettings.ORDER_SETTING), 0).build(), + TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY)); final CachingUsernamePasswordRealm realm = new CachingUsernamePasswordRealm(config, threadPool) { @Override protected void doAuthenticate(UsernamePasswordToken token, ActionListener listener) { 
@@ -689,12 +707,13 @@ protected void doLookupUser(String username, ActionListener listener) { public void testAuthenticateDisabled() throws Exception { final RealmConfig.RealmIdentifier realmId = new RealmConfig.RealmIdentifier("caching", "test_authentication_disabled"); final Settings settings = Settings.builder() - .put(RealmSettings.getFullSettingKey(realmId, CachingUsernamePasswordRealmSettings.AUTHC_ENABLED_SETTING), false) + .put(getFullSettingKey(realmId, CachingUsernamePasswordRealmSettings.AUTHC_ENABLED_SETTING), false) .put(globalSettings) + .put(getFullSettingKey(realmId, RealmSettings.ORDER_SETTING), 0) .build(); final Environment env = TestEnvironment.newEnvironment(settings); final ThreadContext threadContext = new ThreadContext(settings); - final RealmConfig config = new RealmConfig(realmId, settings, env, threadContext, Integer.MAX_VALUE); + final RealmConfig config = new RealmConfig(realmId, settings, env, threadContext); final AlwaysAuthenticateCachingRealm realm = new AlwaysAuthenticateCachingRealm(config, threadPool); final UsernamePasswordToken token = new UsernamePasswordToken("phil", new SecureString("tahiti")); @@ -718,9 +737,16 @@ public void testAuthenticateDisabled() throws Exception { static class FailingAuthenticationRealm extends CachingUsernamePasswordRealm { FailingAuthenticationRealm(Settings global, ThreadPool threadPool) { - super(new RealmConfig(new RealmConfig.RealmIdentifier("caching", "failing-test"), global, - TestEnvironment.newEnvironment(global), - threadPool.getThreadContext(), Integer.MAX_VALUE), threadPool); + super(new RealmConfig( + new RealmConfig.RealmIdentifier("caching", "failing-test"), + Settings.builder() + .put(global) + .put(getFullSettingKey( + new RealmConfig.RealmIdentifier("caching", "failing-test"), + RealmSettings.ORDER_SETTING), 0) + .build(), + TestEnvironment.newEnvironment(global), + threadPool.getThreadContext()), threadPool); } @Override 
@@ -737,9 +763,14 @@ protected void doLookupUser(String username, ActionListener listener) { static class ThrowingAuthenticationRealm extends CachingUsernamePasswordRealm { ThrowingAuthenticationRealm(Settings globalSettings, ThreadPool threadPool) { - super(new RealmConfig(new RealmConfig.RealmIdentifier("caching", "throwing-test"), globalSettings, - TestEnvironment.newEnvironment(globalSettings), - threadPool.getThreadContext(), Integer.MAX_VALUE), threadPool); + super(new RealmConfig( + new RealmConfig.RealmIdentifier("caching", "throwing-test"), + Settings.builder() + .put(globalSettings) + .put(getFullSettingKey(new RealmConfig.RealmIdentifier("caching", "throwing-test"), RealmSettings.ORDER_SETTING), 0) + .build(), + TestEnvironment.newEnvironment(globalSettings), + threadPool.getThreadContext()), threadPool); } @Override @@ -761,9 +792,14 @@ static class AlwaysAuthenticateCachingRealm extends CachingUsernamePasswordRealm private boolean usersEnabled = true; AlwaysAuthenticateCachingRealm(Settings globalSettings, ThreadPool threadPool) { - this(new RealmConfig(new RealmConfig.RealmIdentifier("caching", "always-test"), globalSettings, - TestEnvironment.newEnvironment(globalSettings), - threadPool.getThreadContext(), Integer.MAX_VALUE), threadPool); + this(new RealmConfig( + new RealmConfig.RealmIdentifier("caching", "always-test"), + Settings.builder() + .put(globalSettings) + .put(getFullSettingKey(new RealmConfig.RealmIdentifier("caching", "always-test"), RealmSettings.ORDER_SETTING), 0) + .build(), + TestEnvironment.newEnvironment(globalSettings), + threadPool.getThreadContext()), threadPool); } AlwaysAuthenticateCachingRealm(RealmConfig config, ThreadPool threadPool) { 
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/DelegatedAuthorizationSupportTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/DelegatedAuthorizationSupportTests.java index 9c82b826c3b22..0e562b4365edc 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/DelegatedAuthorizationSupportTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/DelegatedAuthorizationSupportTests.java @@ -16,6 +16,7 @@ import org.elasticsearch.xpack.core.security.authc.AuthenticationResult; import org.elasticsearch.xpack.core.security.authc.Realm; import org.elasticsearch.xpack.core.security.authc.RealmConfig; +import org.elasticsearch.xpack.core.security.authc.RealmSettings; import org.elasticsearch.xpack.core.security.user.User; import org.junit.Before; @@ -63,12 +64,15 @@ private List shuffle(List list) { } private RealmConfig buildRealmConfig(String name, Settings settings) { - return new RealmConfig(new RealmConfig.RealmIdentifier("test", name), + RealmConfig.RealmIdentifier realmIdentifier = new RealmConfig.RealmIdentifier("test", name); + return new RealmConfig( + realmIdentifier, Settings.builder().put(settings) .normalizePrefix("xpack.security.authc.realms.test." + name + ".") .put(globalSettings) + .put(RealmSettings.getFullSettingKey(realmIdentifier, RealmSettings.ORDER_SETTING), 0) .build(), - env, threadContext, Integer.MAX_VALUE); + env, threadContext); } public void testEmptyDelegationList() throws ExecutionException, InterruptedException { diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/DnRoleMapperTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/DnRoleMapperTests.java index f2dd0ff6f1b40..f15679498fe14 100644 
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/DnRoleMapperTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/DnRoleMapperTests.java @@ -19,6 +19,7 @@ import org.elasticsearch.watcher.ResourceWatcherService; import org.elasticsearch.xpack.core.security.audit.logfile.CapturingLogger; import org.elasticsearch.xpack.core.security.authc.RealmConfig; +import org.elasticsearch.xpack.core.security.authc.RealmSettings; import org.elasticsearch.xpack.core.security.authc.support.DnRoleMapperSettings; import org.junit.After; import org.junit.Before; @@ -296,9 +297,10 @@ public void testYaml() throws Exception { Settings ldapSettings = Settings.builder() .put(settings) .put(getFullSettingKey(realmIdentifier, DnRoleMapperSettings.ROLE_MAPPING_FILE_SETTING), file.toAbsolutePath()) + .put(getFullSettingKey(realmIdentifier, RealmSettings.ORDER_SETTING), 0) .build(); RealmConfig config = new RealmConfig(realmIdentifier, ldapSettings, - TestEnvironment.newEnvironment(settings), new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE); + TestEnvironment.newEnvironment(settings), new ThreadContext(Settings.EMPTY)); DnRoleMapper mapper = new DnRoleMapper(config, new ResourceWatcherService(settings, threadPool)); @@ -313,9 +315,10 @@ public void testRelativeDN() { Settings ldapSettings = Settings.builder() .put(settings) .put(getFullSettingKey(realmIdentifier, DnRoleMapperSettings.USE_UNMAPPED_GROUPS_AS_ROLES_SETTING), true) + .put(getFullSettingKey(realmIdentifier, RealmSettings.ORDER_SETTING), 0) .build(); RealmConfig config = new RealmConfig(realmIdentifier, ldapSettings, - TestEnvironment.newEnvironment(settings), new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE); + TestEnvironment.newEnvironment(settings), new ThreadContext(Settings.EMPTY)); DnRoleMapper mapper = new DnRoleMapper(config, new ResourceWatcherService(settings, threadPool)); 
@@ -330,9 +333,10 @@ public void testUserDNMapping() throws Exception { .put(settings) .put(getFullSettingKey(realmIdentifier, DnRoleMapperSettings.ROLE_MAPPING_FILE_SETTING), file.toAbsolutePath()) .put(getFullSettingKey(realmIdentifier, DnRoleMapperSettings.USE_UNMAPPED_GROUPS_AS_ROLES_SETTING), false) + .put(getFullSettingKey(realmIdentifier, RealmSettings.ORDER_SETTING), 0) .build(); RealmConfig config = new RealmConfig(realmIdentifier, ldapSettings, - TestEnvironment.newEnvironment(settings), new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE); + TestEnvironment.newEnvironment(settings), new ThreadContext(Settings.EMPTY)); DnRoleMapper mapper = new DnRoleMapper(config, new ResourceWatcherService(settings, threadPool)); @@ -345,8 +349,9 @@ protected DnRoleMapper createMapper(Path file, ResourceWatcherService watcherSer Settings mergedSettings = Settings.builder() .put(settings) .put(getFullSettingKey(identifier, DnRoleMapperSettings.ROLE_MAPPING_FILE_SETTING), file.toAbsolutePath()) + .put(getFullSettingKey(identifier, RealmSettings.ORDER_SETTING), 0) .build(); - RealmConfig config = new RealmConfig(identifier, mergedSettings, env, new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE); + RealmConfig config = new RealmConfig(identifier, mergedSettings, env, new ThreadContext(Settings.EMPTY)); return new DnRoleMapper(config, watcherService); } } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/RealmUserLookupTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/RealmUserLookupTests.java index 83e2d8a943ad9..3fbd90642d4bc 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/RealmUserLookupTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/RealmUserLookupTests.java 
@@ -19,6 +19,7 @@ import org.elasticsearch.xpack.core.security.authc.Realm; import org.elasticsearch.xpack.core.security.authc.RealmConfig; import org.elasticsearch.xpack.core.security.authc.RealmConfig.RealmIdentifier; +import org.elasticsearch.xpack.core.security.authc.RealmSettings; import org.elasticsearch.xpack.core.security.user.User; import org.junit.Before; @@ -85,8 +86,11 @@ public void testUserNotFound() throws Exception { } public void testRealmException() { - final Realm realm = new Realm(new RealmConfig(new RealmIdentifier("test", "test"), globalSettings, env, threadContext, - Integer.MAX_VALUE)) { + RealmIdentifier realmIdentifier = new RealmIdentifier("test", "test"); + final Realm realm = new Realm(new RealmConfig(realmIdentifier, + Settings.builder().put(globalSettings) + .put(RealmSettings.getFullSettingKey(realmIdentifier, RealmSettings.ORDER_SETTING), 0).build(), + env, threadContext)) { @Override public boolean supports(AuthenticationToken token) { return false; @@ -117,8 +121,12 @@ public void lookupUser(String username, ActionListener listener) { private List buildRealms(int realmCount) { final List realms = new ArrayList<>(realmCount); for (int i = 1; i <= realmCount; i++) { - final RealmConfig config = new RealmConfig(new RealmIdentifier("mock","lookup-" + i), globalSettings, env, - threadContext, Integer.MAX_VALUE); + RealmIdentifier realmIdentifier = new RealmIdentifier("mock", "lookup-" + i); + final RealmConfig config = new RealmConfig(realmIdentifier, + Settings.builder().put(globalSettings) + .put(RealmSettings.getFullSettingKey(realmIdentifier, RealmSettings.ORDER_SETTING), 0).build(), + env, + threadContext); final MockLookupRealm realm = new MockLookupRealm(config); for (int j = 0; j < 5; j++) { realm.registerUser(new User(randomAlphaOfLengthBetween(6, 12))); 
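Review bot: In buildRealms every generated realm `lookup-i` is given order 0, so the returned list holds realms with identical orders, which is exactly the configuration that Realms.initRealms rejects through checkUniqueOrders; using the loop index, `.put(RealmSettings.getFullSettingKey(realmIdentifier, RealmSettings.ORDER_SETTING), i)`, keeps the fixture representative of a valid realm chain at no cost. These tests construct RealmConfig directly rather than through Realms, so the duplicate orders do not fail today; this is a fixture-quality point only. buildRealms continues outside the hunk.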
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/RoleMappingFileBootstrapCheckTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/RoleMappingFileBootstrapCheckTests.java index 063ef37879af2..933b4035bfe6e 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/RoleMappingFileBootstrapCheckTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/RoleMappingFileBootstrapCheckTests.java @@ -55,8 +55,9 @@ public void testBootstrapCheckOfValidFile() { } private static RealmConfig getRealmConfig(Settings settings) { - return new RealmConfig(REALM_ID, settings, TestEnvironment.newEnvironment(settings), new ThreadContext(Settings.EMPTY), - Integer.MAX_VALUE); + return new RealmConfig(REALM_ID, + Settings.builder().put(settings).put(RealmSettings.getFullSettingKey(REALM_ID, RealmSettings.ORDER_SETTING), 0).build(), + TestEnvironment.newEnvironment(settings), new ThreadContext(Settings.EMPTY)); } public void testBootstrapCheckOfMissingFile() { diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/mapper/ExpressionRoleMappingTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/mapper/ExpressionRoleMappingTests.java index a0f09e8054b45..dfb62b4e73bb4 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/mapper/ExpressionRoleMappingTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/mapper/ExpressionRoleMappingTests.java 
@@ -28,6 +28,7 @@ import org.elasticsearch.test.VersionUtils; import org.elasticsearch.xpack.core.XPackClientPlugin; import org.elasticsearch.xpack.core.security.authc.RealmConfig; +import org.elasticsearch.xpack.core.security.authc.RealmSettings; import org.elasticsearch.xpack.core.security.authc.support.mapper.ExpressionRoleMapping; import org.elasticsearch.xpack.core.security.authc.support.mapper.TemplateRoleName; import org.elasticsearch.xpack.core.security.authc.support.mapper.expressiondsl.AllExpression; @@ -57,8 +58,11 @@ public class ExpressionRoleMappingTests extends ESTestCase { @Before public void setupMapping() throws Exception { - realm = new RealmConfig(new RealmConfig.RealmIdentifier("ldap", "ldap1"), - Settings.EMPTY, Mockito.mock(Environment.class), new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE); + RealmConfig.RealmIdentifier realmIdentifier = new RealmConfig.RealmIdentifier("ldap", "ldap1"); + realm = new RealmConfig( + realmIdentifier, + Settings.builder().put(RealmSettings.getFullSettingKey(realmIdentifier, RealmSettings.ORDER_SETTING), 0).build(), + Mockito.mock(Environment.class), new ThreadContext(Settings.EMPTY)); } public void testValidExpressionWithFixedRoleNames() throws Exception { diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/mapper/NativeRoleMappingStoreTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/mapper/NativeRoleMappingStoreTests.java index 665dccac9cfdc..9d96f1e115869 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/mapper/NativeRoleMappingStoreTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/mapper/NativeRoleMappingStoreTests.java 
@@ -26,6 +26,7 @@ import org.elasticsearch.xpack.core.security.action.realm.ClearRealmCacheResponse; import org.elasticsearch.xpack.core.security.authc.AuthenticationResult; import org.elasticsearch.xpack.core.security.authc.RealmConfig; +import org.elasticsearch.xpack.core.security.authc.RealmSettings; import org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken; import org.elasticsearch.xpack.core.security.authc.support.mapper.ExpressionRoleMapping; import org.elasticsearch.xpack.core.security.authc.support.mapper.TemplateRoleName; @@ -100,8 +101,11 @@ protected void loadMappings(ActionListener> listener } }; - final RealmConfig realm = new RealmConfig(new RealmConfig.RealmIdentifier("ldap", "ldap1"), Settings.EMPTY, - mock(Environment.class), new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE); + RealmConfig.RealmIdentifier realmIdentifier = new RealmConfig.RealmIdentifier("ldap", "ldap1"); + final Settings settings = Settings.builder() + .put(RealmSettings.getFullSettingKey(realmIdentifier, RealmSettings.ORDER_SETTING), 0).build(); + final RealmConfig realm = new RealmConfig(realmIdentifier, settings, + mock(Environment.class), new ThreadContext(settings)); final PlainActionFuture> future = new PlainActionFuture<>(); final UserRoleMapper.UserData user = new UserRoleMapper.UserData("sasquatch", 
@@ -235,7 +239,10 @@ private NativeRoleMappingStore buildRoleMappingStoreForInvalidationTesting(Atomi if (attachRealm) { final Environment env = TestEnvironment.newEnvironment(settings); final RealmConfig.RealmIdentifier identifier = new RealmConfig.RealmIdentifier("ldap", realmName); - final RealmConfig realmConfig = new RealmConfig(identifier, settings, env, threadContext, Integer.MAX_VALUE); + final RealmConfig realmConfig = new RealmConfig(identifier, + Settings.builder().put(settings) + .put(RealmSettings.getFullSettingKey(identifier, RealmSettings.ORDER_SETTING), 0).build(), + env, threadContext); final CachingUsernamePasswordRealm mockRealm = new CachingUsernamePasswordRealm(realmConfig, threadPool) { @Override protected void doAuthenticate(UsernamePasswordToken token, ActionListener listener) { diff --git a/x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/test/OpenLdapTests.java b/x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/test/OpenLdapTests.java index b020869c0698b..e5db31f09afe6 100644 --- a/x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/test/OpenLdapTests.java +++ b/x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/test/OpenLdapTests.java @@ -19,6 +19,7 @@ import org.elasticsearch.threadpool.TestThreadPool; import org.elasticsearch.threadpool.ThreadPool; import org.elasticsearch.xpack.core.security.authc.RealmConfig; +import org.elasticsearch.xpack.core.security.authc.RealmSettings; import org.elasticsearch.xpack.core.security.authc.ldap.SearchGroupsResolverSettings; import org.elasticsearch.xpack.core.security.authc.ldap.support.LdapMetaDataResolverSettings; import org.elasticsearch.xpack.core.security.authc.ldap.support.LdapSearchScope; 
@@ -112,7 +113,7 @@ public void testConnect() throws Exception { final RealmConfig.RealmIdentifier realmId = new RealmConfig.RealmIdentifier("ldap", "oldap-test"); RealmConfig config = new RealmConfig(realmId, buildLdapSettings(realmId, OPEN_LDAP_DNS_URL, userTemplate, groupSearchBase, LdapSearchScope.ONE_LEVEL), - TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE); + TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY)); LdapSessionFactory sessionFactory = new LdapSessionFactory(config, sslService, threadPool); String[] users = new String[]{"blackwidow", "cap", "hawkeye", "hulk", "ironman", "thor"}; @@ -132,7 +133,7 @@ public void testGroupSearchScopeBase() throws Exception { final RealmConfig.RealmIdentifier realmId = new RealmConfig.RealmIdentifier("ldap", REALM_NAME); RealmConfig config = new RealmConfig(realmId, buildLdapSettings(realmId, OPEN_LDAP_DNS_URL, userTemplate, groupSearchBase, LdapSearchScope.BASE), - TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE); + TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY)); LdapSessionFactory sessionFactory = new LdapSessionFactory(config, sslService, threadPool); String[] users = new String[]{"blackwidow", "cap", "hawkeye", "hulk", "ironman", "thor"}; @@ -153,7 +154,7 @@ public void testCustomFilter() throws Exception { .put(getFullSettingKey(realmId.getName(), SearchGroupsResolverSettings.USER_ATTRIBUTE), "uid") .build(); RealmConfig config = new RealmConfig(realmId, settings, - TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE); + TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY)); LdapSessionFactory sessionFactory = new LdapSessionFactory(config, sslService, threadPool); try (LdapSession ldap = session(sessionFactory, "selvig", PASSWORD_SECURE_STRING)) { 
@@ -171,7 +172,7 @@ public void testStandardLdapConnectionHostnameVerificationFailure() throws Excep .put(buildLdapSettings(realmId, OPEN_LDAP_IP_URL, userTemplate, groupSearchBase, LdapSearchScope.ONE_LEVEL)) .build(); final Environment env = TestEnvironment.newEnvironment(globalSettings); - RealmConfig config = new RealmConfig(realmId, settings, env, new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE); + RealmConfig config = new RealmConfig(realmId, settings, env, new ThreadContext(Settings.EMPTY)); LdapSessionFactory sessionFactory = new LdapSessionFactory(config, sslService, threadPool); String user = "blackwidow"; @@ -194,7 +195,7 @@ public void testStandardLdapConnectionHostnameVerificationSuccess() throws Excep .build(); RealmConfig config = new RealmConfig(realmId, settings, - TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE); + TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY)); LdapSessionFactory sessionFactory = new LdapSessionFactory(config, sslService, threadPool); final String user = "blackwidow"; @@ -209,9 +210,10 @@ public void testResolveSingleValuedAttributeFromConnection() throws Exception { final Settings settings = Settings.builder() .putList(getFullSettingKey(realmId.getName(), LdapMetaDataResolverSettings.ADDITIONAL_META_DATA_SETTING.apply("ldap")), "cn", "sn") + .put(getFullSettingKey(realmId, RealmSettings.ORDER_SETTING), 0) .build(); final RealmConfig config = new RealmConfig(realmId, settings, - TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE); + TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY)); LdapMetaDataResolver resolver = new LdapMetaDataResolver(config, true); try (LDAPConnection ldapConnection = setupOpenLdapConnection()) { final Map map = resolve(ldapConnection, resolver); 
@@ -226,9 +228,10 @@ public void testResolveMultiValuedAttributeFromConnection() throws Exception { final Settings settings = Settings.builder() .putList(getFullSettingKey(realmId.getName(), LdapMetaDataResolverSettings.ADDITIONAL_META_DATA_SETTING.apply("ldap")), "objectClass") + .put(getFullSettingKey(realmId, RealmSettings.ORDER_SETTING), 0) .build(); final RealmConfig config = new RealmConfig(realmId, settings, - TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE); + TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY)); LdapMetaDataResolver resolver = new LdapMetaDataResolver(config, true); try (LDAPConnection ldapConnection = setupOpenLdapConnection()) { final Map map = resolve(ldapConnection, resolver); @@ -243,9 +246,10 @@ public void testResolveMissingAttributeFromConnection() throws Exception { final Settings settings = Settings.builder() .putList(getFullSettingKey(realmId.getName(), LdapMetaDataResolverSettings.ADDITIONAL_META_DATA_SETTING.apply("ldap")), "alias") + .put(getFullSettingKey(realmId, RealmSettings.ORDER_SETTING), 0) .build(); final RealmConfig config = new RealmConfig(realmId, settings, - TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE); + TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY)); LdapMetaDataResolver resolver = new LdapMetaDataResolver(config, true); try (LDAPConnection ldapConnection = setupOpenLdapConnection()) { final Map map = resolve(ldapConnection, resolver); 
@@ -264,6 +268,7 @@ private Settings buildLdapSettings(RealmConfig.RealmIdentifier realmId, String l .put(getFullSettingKey(realmId, SSLConfigurationSettings.TRUST_STORE_PATH_REALM), getDataPath(LDAPTRUST_PATH)) .put(getFullSettingKey(realmId, SSLConfigurationSettings.LEGACY_TRUST_STORE_PASSWORD_REALM), "changeit") .put(globalSettings) + .put(getFullSettingKey(realmId, RealmSettings.ORDER_SETTING), 0) .build(); } diff --git a/x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/xpack/security/authc/ldap/OpenLdapUserSearchSessionFactoryTests.java b/x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/xpack/security/authc/ldap/OpenLdapUserSearchSessionFactoryTests.java index 7ab5b60936c61..17c9275dafd35 100644 --- a/x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/xpack/security/authc/ldap/OpenLdapUserSearchSessionFactoryTests.java +++ b/x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/xpack/security/authc/ldap/OpenLdapUserSearchSessionFactoryTests.java @@ -18,6 +18,7 @@ import org.elasticsearch.threadpool.TestThreadPool; import org.elasticsearch.threadpool.ThreadPool; import org.elasticsearch.xpack.core.security.authc.RealmConfig; +import org.elasticsearch.xpack.core.security.authc.RealmSettings; import org.elasticsearch.xpack.core.security.authc.ldap.LdapUserSearchSessionFactorySettings; import org.elasticsearch.xpack.core.security.authc.ldap.PoolingSessionFactorySettings; import org.elasticsearch.xpack.core.security.authc.ldap.SearchGroupsResolverSettings; 
@@ -90,9 +91,10 @@ public void testUserSearchWithBindUserOpenLDAP() throws Exception { } else { realmSettings.put(getFullSettingKey(realmId, PoolingSessionFactorySettings.LEGACY_BIND_PASSWORD), OpenLdapTests.PASSWORD); } - final Settings settings = realmSettings.put(globalSettings).build(); + final Settings settings = realmSettings.put(globalSettings) + .put(getFullSettingKey(realmId, RealmSettings.ORDER_SETTING), 0).build(); RealmConfig config = new RealmConfig(realmId, settings, - TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings), Integer.MAX_VALUE); + TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings)); SSLService sslService = new SSLService(TestEnvironment.newEnvironment(settings)); diff --git a/x-pack/qa/security-example-spi-extension/src/test/java/org/elasticsearch/example/realm/CustomRealmTests.java b/x-pack/qa/security-example-spi-extension/src/test/java/org/elasticsearch/example/realm/CustomRealmTests.java index 0553e80db0e8c..cbf714346e30f 100644 --- a/x-pack/qa/security-example-spi-extension/src/test/java/org/elasticsearch/example/realm/CustomRealmTests.java +++ b/x-pack/qa/security-example-spi-extension/src/test/java/org/elasticsearch/example/realm/CustomRealmTests.java 
@@ -13,17 +13,22 @@ import org.elasticsearch.test.ESTestCase; import org.elasticsearch.xpack.core.security.authc.AuthenticationResult; import org.elasticsearch.xpack.core.security.authc.RealmConfig; +import org.elasticsearch.xpack.core.security.authc.RealmSettings; import org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken; import org.elasticsearch.xpack.core.security.user.User; +import static org.elasticsearch.xpack.core.security.authc.RealmSettings.getFullSettingKey; import static org.hamcrest.Matchers.equalTo; import static org.hamcrest.Matchers.notNullValue; public class CustomRealmTests extends ESTestCase { public void testAuthenticate() { Settings globalSettings = Settings.builder().put("path.home", createTempDir()).build(); - CustomRealm realm = new CustomRealm(new RealmConfig(new RealmConfig.RealmIdentifier(CustomRealm.TYPE, "test"), - globalSettings, TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings), Integer.MAX_VALUE)); + final RealmConfig.RealmIdentifier realmIdentifier = new RealmConfig.RealmIdentifier(CustomRealm.TYPE, "test"); + CustomRealm realm = new CustomRealm(new RealmConfig( + realmIdentifier, + Settings.builder().put(globalSettings).put(getFullSettingKey(realmIdentifier, RealmSettings.ORDER_SETTING), 0).build(), + TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings))); SecureString password = CustomRealm.KNOWN_PW.clone(); UsernamePasswordToken token = new UsernamePasswordToken(CustomRealm.KNOWN_USER, password); PlainActionFuture plainActionFuture = new PlainActionFuture<>(); 
@@ -36,8 +41,11 @@ public void testAuthenticate() { public void testAuthenticateBadUser() { Settings globalSettings = Settings.builder().put("path.home", createTempDir()).build(); - CustomRealm realm = new CustomRealm(new RealmConfig(new RealmConfig.RealmIdentifier(CustomRealm.TYPE, "test"), - globalSettings, TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings), Integer.MAX_VALUE)); + final RealmConfig.RealmIdentifier realmIdentifier = new RealmConfig.RealmIdentifier(CustomRealm.TYPE, "test"); + CustomRealm realm = new CustomRealm(new RealmConfig( + realmIdentifier, + Settings.builder().put(globalSettings).put(getFullSettingKey(realmIdentifier, RealmSettings.ORDER_SETTING), 0).build(), + TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings))); SecureString password = CustomRealm.KNOWN_PW.clone(); UsernamePasswordToken token = new UsernamePasswordToken(CustomRealm.KNOWN_USER + "1", password); PlainActionFuture plainActionFuture = new PlainActionFuture<>(); diff --git a/x-pack/qa/security-example-spi-extension/src/test/java/org/elasticsearch/example/realm/CustomRoleMappingRealmTests.java b/x-pack/qa/security-example-spi-extension/src/test/java/org/elasticsearch/example/realm/CustomRoleMappingRealmTests.java index 7a61201ca754a..d50acb04e6966 100644 --- a/x-pack/qa/security-example-spi-extension/src/test/java/org/elasticsearch/example/realm/CustomRoleMappingRealmTests.java +++ b/x-pack/qa/security-example-spi-extension/src/test/java/org/elasticsearch/example/realm/CustomRoleMappingRealmTests.java 
@@ -7,10 +7,12 @@ import org.elasticsearch.action.ActionListener; import org.elasticsearch.action.support.PlainActionFuture; +import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.env.Environment; import org.elasticsearch.test.ESTestCase; import org.elasticsearch.xpack.core.security.authc.RealmConfig; +import org.elasticsearch.xpack.core.security.authc.RealmSettings; import org.elasticsearch.xpack.core.security.authc.support.UserRoleMapper; import org.elasticsearch.xpack.core.security.user.User; @@ -18,6 +20,7 @@ import java.util.concurrent.atomic.AtomicInteger; import java.util.function.Supplier; +import static org.elasticsearch.xpack.core.security.authc.RealmSettings.getFullSettingKey; import static org.hamcrest.Matchers.arrayContainingInAnyOrder; import static org.hamcrest.Matchers.is; import static org.hamcrest.Matchers.sameInstance; @@ -30,9 +33,11 @@ public class CustomRoleMappingRealmTests extends ESTestCase { public void testCachingOfUserLookup() throws Exception { final Environment env = super.newEnvironment(); final UserRoleMapper roleMapper = mock(UserRoleMapper.class); + final RealmConfig.RealmIdentifier realmIdentifier = new RealmConfig.RealmIdentifier(CustomRoleMappingRealm.TYPE, "test"); final RealmConfig realmConfig = new RealmConfig( - new RealmConfig.RealmIdentifier(CustomRoleMappingRealm.TYPE, "test"), - env.settings(), env, new ThreadContext(env.settings()), Integer.MAX_VALUE + realmIdentifier, + Settings.builder().put(env.settings()).put(getFullSettingKey(realmIdentifier, RealmSettings.ORDER_SETTING), 0).build(), + env, new ThreadContext(env.settings()) ); CustomRoleMappingRealm realm = new CustomRoleMappingRealm(realmConfig, roleMapper); 
diff --git a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ADLdapUserSearchSessionFactoryTests.java b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ADLdapUserSearchSessionFactoryTests.java index 2e0e604935b16..a6b21720a6e77 100644 --- a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ADLdapUserSearchSessionFactoryTests.java +++ b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ADLdapUserSearchSessionFactoryTests.java @@ -58,6 +58,7 @@ public void shutdown() { } public void testUserSearchWithActiveDirectory() throws Exception { + final RealmConfig.RealmIdentifier realmIdentifier = new RealmConfig.RealmIdentifier("ldap", "ad-as-ldap-test"); String groupSearchBase = "DC=ad,DC=test,DC=elasticsearch,DC=com"; String userSearchBase = "CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com"; Settings settings = Settings.builder() 
@@ -69,17 +70,17 @@ public void testUserSearchWithActiveDirectory() throws Exception { .put("user_search.filter", "(cn={0})") .put("user_search.pool.enabled", randomBoolean()) .put("follow_referrals", ActiveDirectorySessionFactoryTests.FOLLOW_REFERRALS) + .put("order", 0) .build(); Settings.Builder builder = Settings.builder() .put(globalSettings); settings.keySet().forEach(k -> { builder.copy("xpack.security.authc.realms.ldap.ad-as-ldap-test." + k, k, settings); - }); Settings fullSettings = builder.build(); sslService = new SSLService(TestEnvironment.newEnvironment(fullSettings)); - RealmConfig config = new RealmConfig(new RealmConfig.RealmIdentifier("ldap", "ad-as-ldap-test"), fullSettings, - TestEnvironment.newEnvironment(fullSettings), new ThreadContext(fullSettings), Integer.MAX_VALUE); + RealmConfig config = new RealmConfig(realmIdentifier, fullSettings, + TestEnvironment.newEnvironment(fullSettings), new ThreadContext(fullSettings)); LdapUserSearchSessionFactory sessionFactory = getLdapUserSearchSessionFactory(config, sslService, threadPool); String user = "Bruce Banner"; diff --git a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectorySessionFactoryTests.java b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectorySessionFactoryTests.java index ef3a2eb50d5ae..e24de9345ab33 100644 --- a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectorySessionFactoryTests.java +++ b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectorySessionFactoryTests.java 
@@ -87,15 +87,16 @@ public void testAdAuth() throws Exception { } private RealmConfig configureRealm(String name, String type, Settings settings) { + final RealmConfig.RealmIdentifier identifier = new RealmConfig.RealmIdentifier(type, name); final Settings mergedSettings = Settings.builder() .put(settings) .normalizePrefix("xpack.security.authc.realms." + type + "." + name + ".") .put(globalSettings) + .put(getFullSettingKey(identifier, RealmSettings.ORDER_SETTING), 0) .build(); final Environment env = TestEnvironment.newEnvironment(mergedSettings); this.sslService = new SSLService(env); - final RealmConfig.RealmIdentifier identifier = new RealmConfig.RealmIdentifier(type, name); - return new RealmConfig(identifier, mergedSettings, env, new ThreadContext(globalSettings), Integer.MAX_VALUE); + return new RealmConfig(identifier, mergedSettings, env, new ThreadContext(globalSettings)); } public void testNetbiosAuth() throws Exception { From aad6d19bea5e08c816a5c3ca8bc7478927ab33a7 Mon Sep 17 00:00:00 2001 From: Yang Wang Date: Fri, 24 Jan 2020 19:43:02 +1100 Subject: [PATCH 19/24] Address feedback for consistent err msg --- .../elasticsearch/xpack/security/authc/Realms.java | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/Realms.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/Realms.java index c4bee1ac689eb..aefb8aac4905e 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/Realms.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/Realms.java 
@@ -186,7 +186,7 @@ protected List initRealms() throws Exception {
 List realms = new ArrayList<>();
 List kerberosRealmNames = new ArrayList<>();
 Map> nameToRealmIdentifier = new HashMap<>();
- Map> orderToRealmIdentifier = new HashMap<>();
+ Map> orderToRealmName = new HashMap<>();
 for (RealmConfig.RealmIdentifier identifier: realmsSettings.keySet()) {
 Realm.Factory factory = factories.get(identifier.getType());
 if (factory == null) {
@@ -219,12 +219,12 @@ protected List initRealms() throws Exception {
 Realm realm = factory.create(config);
 nameToRealmIdentifier.computeIfAbsent(realm.name(), k -> new HashSet<>())
 .add(RealmSettings.realmSettingPrefix(realm.type()) + realm.name());
- orderToRealmIdentifier.computeIfAbsent(realm.order(), k -> new HashSet<>())
- .add(RealmSettings.realmSettingPrefix(realm.type()) + realm.name());
+ orderToRealmName.computeIfAbsent(realm.order(), k -> new HashSet<>())
+ .add(realm.name());
 realms.add(realm);
 }
 
- checkUniqueOrders(orderToRealmIdentifier);
+ checkUniqueOrders(orderToRealmName);
 
 if (!realms.isEmpty()) {
 Collections.sort(realms);
@@ -331,8 +331,8 @@ private Settings ensureOrderSetting(Settings settings, RealmConfig.RealmIdentifi
 return Settings.builder().put(settings).put(orderSettingKey, order).build();
 }
 
- private void checkUniqueOrders(Map> orderToRealmIdentifier) {
- String duplicateOrders = orderToRealmIdentifier.entrySet().stream()
+ private void checkUniqueOrders(Map> orderToRealmName) {
+ String duplicateOrders = orderToRealmName.entrySet().stream()
 .filter(entry -> entry.getValue().size() > 1)
 .map(entry -> entry.getKey() + ": " + entry.getValue())
 .collect(Collectors.joining("; "));
From 84cb684a91b5ae51c1fa01712e1c528811f620df Mon Sep 17 00:00:00 2001
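Review bot: Collecting bare `realm.name()` values into a `Set<String>` in `orderToRealmName` means two realms of different types that share both a name and an order collapse into a single entry and slip past the `size() > 1` filter in `checkUniqueOrders`, so the order collision would go unreported. That is harmless only if duplicate names are already rejected earlier in `initRealms`, whose body starts before the first hunk, which is worth confirming; if they are not, keep the per-type identifier in the set and shorten only the message text. Separately, a `HashSet` makes the listing order inside the message nondeterministic, so `k -> new TreeSet<>()` (import permitting) would give users and any test matching on the text a stable string; the same applies to the message line touched in the final patch of this series.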
From: Yang Wang
Date: Tue, 28 Jan 2020 09:39:19 +1100
Subject: [PATCH 20/24] Update x-pack/docs/en/security/authentication/custom-realm.asciidoc

Co-Authored-By: Albert Zaharovits
---
 x-pack/docs/en/security/authentication/custom-realm.asciidoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/x-pack/docs/en/security/authentication/custom-realm.asciidoc b/x-pack/docs/en/security/authentication/custom-realm.asciidoc
index 0c6c07945e6d9..857444c0836d7 100644
--- a/x-pack/docs/en/security/authentication/custom-realm.asciidoc
+++ b/x-pack/docs/en/security/authentication/custom-realm.asciidoc
@@ -92,7 +92,7 @@ The options you can set depend on the settings exposed by the custom realm. At a
 minimum, you must explicitly set the `order` attribute to control the order in which the realms are consulted during authentication. You must also make sure each configured realm has a distinct `order` setting. In the event
-that two or more realms have the same `order`, the cluster will fail to start.
+that two or more realms have the same `order`, the node will fail to start.
 +
 IMPORTANT: When you configure realms in `elasticsearch.yml`, only the realms you specify are used for authentication. If you also want to use the
From 4c61828c0a49a28372b95b249afe217505549f64 Mon Sep 17 00:00:00 2001
From: Yang Wang
Date: Tue, 28 Jan 2020 09:39:42 +1100
Subject: [PATCH 21/24] Update x-pack/docs/en/security/authentication/realm-chains.asciidoc

Co-Authored-By: Albert Zaharovits
---
 x-pack/docs/en/security/authentication/realm-chains.asciidoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/x-pack/docs/en/security/authentication/realm-chains.asciidoc b/x-pack/docs/en/security/authentication/realm-chains.asciidoc
index 2bf9a97f3ff7c..b130baa45a553 100644
--- a/x-pack/docs/en/security/authentication/realm-chains.asciidoc
+++ b/x-pack/docs/en/security/authentication/realm-chains.asciidoc
@@ -7,7 +7,7 @@ list of configured realms (typically of various types). Realms are consulted in
 ascending order (that is to say, the realm with the lowest `order` value is consulted first). You must make sure each configured realm has a distinct `order` setting. In the event that two or more realms have the same `order`,
-the cluster will fail to start.
+the node will fail to start.
 During the authentication process, {stack} {security-features} consult and try to authenticate the request one realm at a time. Once one of the realms
From c264e31ca5ffbf048e478cfb0ba1edc03a9c54f0 Mon Sep 17 00:00:00 2001
From: Yang Wang
Date: Tue, 28 Jan 2020 09:41:30 +1100
Subject: [PATCH 22/24] Address feedback for docs

---
 .../authentication/configuring-ldap-realm.asciidoc | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/x-pack/docs/en/security/authentication/configuring-ldap-realm.asciidoc b/x-pack/docs/en/security/authentication/configuring-ldap-realm.asciidoc
index 5456e290d0ece..cf91e602ad46d 100644
--- a/x-pack/docs/en/security/authentication/configuring-ldap-realm.asciidoc
+++ b/x-pack/docs/en/security/authentication/configuring-ldap-realm.asciidoc
@@ -23,8 +23,7 @@ However, multiple bind operations might be needed to find the correct user DN.
 `xpack.security.authc.realms.ldap` namespace. At a minimum, you must specify the `url` and `order` of the LDAP server, and set `user_search.base_dn` to the container DN where the users are searched for.
-The `order` attribute to control the order in which the realms are consulted during
-authentication. See <> for all of the options you can set for
+See <> for all of the options you can set for
 an `ldap` realm.
 +
 --
@@ -71,10 +70,8 @@ realms you specify are used for authentication. If you also want to use the
 .. Add a realm configuration to `elasticsearch.yml` in the `xpack.security.authc.realms.ldap` namespace. At a minimum, you must specify
-the `url` of the LDAP server, and specify at least one template with the
-`user_dn_templates` option. If you are configuring multiple realms, you must
-also explicitly set the `order` attribute to control the order in which the
-realms are consulted during authentication.
+the `url` and `order` of the LDAP server, and specify at least one template
+with the `user_dn_templates` option.
 See <> for all of the options you can set for an `ldap` realm.
 +
 --
From 0614cbc0ef2c82f7b52904d2bf96e82a9f93463b Mon Sep 17 00:00:00 2001
From: Yang Wang
Date: Tue, 28 Jan 2020 16:47:22 +1100
Subject: [PATCH 23/24] Update docs/reference/migration/migrate_8_0/security.asciidoc

Co-Authored-By: Tim Vernum
---
 docs/reference/migration/migrate_8_0/security.asciidoc | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/docs/reference/migration/migrate_8_0/security.asciidoc b/docs/reference/migration/migrate_8_0/security.asciidoc
index 7b1a698f3b974..80e5a27534e47 100644
--- a/docs/reference/migration/migrate_8_0/security.asciidoc
+++ b/docs/reference/migration/migrate_8_0/security.asciidoc
@@ -9,7 +9,7 @@
 [float]
 ==== The realm `order` setting is required
-The `xpack.security.authc.realms.*.*.order` setting is now required and must be
+The `xpack.security.authc.realms.{type}.{name}.order` setting is now required and must be
 specified for each explicitly configured realm. Each value must be unique. The cluster will fail to start if the requirements are not met.
@@ -132,4 +132,3 @@ It is now an error to enable SSL for the HTTP (Rest) server without also configu
 a certificate and key through use of the `xpack.security.http.ssl.keystore.path` setting or the `xpack.security.http.ssl.certificate` and `xpack.security.http.ssl.key` settings.
-
From fe13c71c8630380817ddfb2635db20c2127455ea Mon Sep 17 00:00:00 2001
From: Yang Wang
Date: Tue, 28 Jan 2020 16:47:43 +1100
Subject: [PATCH 24/24] Update x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/Realms.java

Co-Authored-By: Tim Vernum
---
 .../java/org/elasticsearch/xpack/security/authc/Realms.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/Realms.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/Realms.java
index aefb8aac4905e..482775cf5b613 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/Realms.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/Realms.java
@@ -337,7 +337,7 @@ private void checkUniqueOrders(Map> orderToRealmName) {
 .map(entry -> entry.getKey() + ": " + entry.getValue())
 .collect(Collectors.joining("; "));
 if (Strings.hasText(duplicateOrders)) {
- throw new IllegalArgumentException("Found multiple realms configured with the same order: " + duplicateOrders + "");
+ throw new IllegalArgumentException("Found multiple realms configured with the same order: " + duplicateOrders);
 }
 }