Fix settings prefix for realm truststore password

As part of elastic#30241 realm settings were changed to be true affix settings. In the process of this change, the "ssl." prefix was lost from the realm truststore password. It should be: xpack.security.authc.realms.<type>.<name>.ssl.truststore.password Due to a mismatch between the way we define SSL settings and load SSL contexts, there was no way to define this legacy password setting in a realm config. The settings validation would reject "ssl.truststore.password" but the SSL service would ignore "truststore.password" Resolves: elastic#41663 Backport of: elastic#42336
tvernum · May 23, 2019 · 290f0da · 290f0da
1 parent 4a5b329
commit 290f0da
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 2 deletions.
diff --git a/.../plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationSettings.java b/.../plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationSettings.java
@@ -117,7 +117,7 @@ public class SSLConfigurationSettings {
     public static final Setting<SecureString> LEGACY_TRUSTSTORE_PASSWORD_PROFILES = Setting.affixKeySetting("transport.profiles.",
             "xpack.security.ssl.truststore.password", LEGACY_TRUSTSTORE_PASSWORD_TEMPLATE);
     public static final Function<String, Setting.AffixSetting<SecureString>> LEGACY_TRUST_STORE_PASSWORD_REALM = realmType ->
-            Setting.affixKeySetting("xpack.security.authc.realms." + realmType + ".", "truststore.password",
+            Setting.affixKeySetting("xpack.security.authc.realms." + realmType + ".", "ssl.truststore.password",
                     LEGACY_TRUSTSTORE_PASSWORD_TEMPLATE);
 
     public static final Function<String, Setting<SecureString>> TRUSTSTORE_PASSWORD_TEMPLATE = key ->

diff --git a/...in/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationSettingsTests.java b/...in/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationSettingsTests.java
@@ -5,15 +5,17 @@
  */
 package org.elasticsearch.xpack.core.ssl;
 
+import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.test.ESTestCase;
 
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.TrustManagerFactory;
-
 import java.util.Arrays;
 
+import static org.hamcrest.Matchers.instanceOf;
 import static org.hamcrest.Matchers.is;
+import static org.hamcrest.Matchers.startsWith;
 
 public class SSLConfigurationSettingsTests extends ESTestCase {
 
@@ -91,4 +93,19 @@ public void testEmptySettingsParsesToDefaults() {
         assertThat(SSLConfigurationSettings.getKeyStoreType(ssl.truststoreType, settings, null), is("jks"));
     }
 
+    public void testRealmSettingPrefixes() {
+        SSLConfigurationSettings.getRealmSettings("_type").forEach(affix -> {
+            final String key = affix.getConcreteSettingForNamespace("_name").getKey();
+            assertThat(key, startsWith("xpack.security.authc.realms._type._name.ssl."));
+        });
+    }
+
+    public void testProfileSettingPrefixes() {
+        SSLConfigurationSettings.getProfileSettings().forEach(affix -> {
+            assertThat(affix, instanceOf(Setting.AffixSetting.class));
+            final String key = ((Setting.AffixSetting) affix).getConcreteSettingForNamespace("_name").getKey();
+            assertThat(key, startsWith("transport.profiles._name.xpack.security.ssl."));
+        });
+    }
+
 }