/**
 * Assembles the plain Elasticsearch (non-Search-Guard) settings for one node of the test cluster.
 *
 * @param nodenum     index of the node; only used to derive a unique {@code node.name}
 * @param masterNode  whether the node is master-eligible
 * @param dataNode    whether the node holds data
 * @param tribeNode   accepted for signature compatibility; no setting is derived from it
 * @param nodeCount   total number of local nodes, used for {@code node.max_local_storage_nodes}
 * @param masterCount number of master-eligible nodes, fed to {@link #minMasterNodes}
 * @param tcpPorts    transport ports of all nodes; every one becomes a {@code 127.0.0.1:<port>} unicast host
 * @param tcpPort     transport port of this node
 * @param httpPort    HTTP port of this node
 * @return a builder the caller can extend further before calling {@code build()}
 */
private Settings.Builder getMinimumNonSgNodeSettingsBuilder(final int nodenum, final boolean masterNode, final boolean dataNode, final boolean tribeNode, int nodeCount, int masterCount, SortedSet<Integer> tcpPorts, int tcpPort, int httpPort) {
    final String clusterDataRoot = "data/" + clustername;
    final Settings.Builder nodeSettings = Settings.builder();

    // Identity and roles of the node within the cluster.
    nodeSettings.put("node.name", "node_" + clustername + "_num" + nodenum);
    nodeSettings.put("node.data", dataNode);
    nodeSettings.put("node.master", masterNode);
    nodeSettings.put("cluster.name", clustername);

    // On-disk layout is namespaced per cluster so parallel test clusters do not collide.
    nodeSettings.put("path.data", clusterDataRoot + "/data");
    nodeSettings.put("path.logs", clusterDataRoot + "/logs");
    nodeSettings.put("node.max_local_storage_nodes", nodeCount);

    // Discovery: quorum derived from the master count; unicast hosts are loopback only,
    // so no node of the test cluster is ever announced on a non-local address.
    nodeSettings.put("discovery.zen.minimum_master_nodes", minMasterNodes(masterCount));
    nodeSettings.put("discovery.zen.no_master_block", "all");
    nodeSettings.put("discovery.zen.fd.ping_timeout", "5s");
    nodeSettings.put("discovery.initial_state_timeout", "8s");
    nodeSettings.putList("discovery.zen.ping.unicast.hosts",
            tcpPorts.stream().map(port -> "127.0.0.1:" + port).collect(Collectors.toList()));

    // Network endpoints of this node.
    nodeSettings.put("transport.tcp.port", tcpPort);
    nodeSettings.put("http.port", httpPort);
    nodeSettings.put("http.enabled", true);

    // Test conveniences: no disk watermark checks, CORS switched on for the test harness.
    nodeSettings.put("cluster.routing.allocation.disk.threshold_enabled", false);
    nodeSettings.put("http.cors.enabled", true);
    nodeSettings.put("path.home", ".");

    return nodeSettings;
}
// @formatter:on
/**
 * Builds the minimal Search Guard settings a test node needs: transport TLS material loaded
 * from the classpath and, unless {@code sslOnly} is set, the admin DN the tests authenticate with.
 *
 * @param node    node index; accepted for signature compatibility, no setting depends on it
 * @param sslOnly when {@code true} only the TLS settings are emitted and no admin DN is configured
 * @return a builder the caller can extend further before calling {@code build()}
 */
protected Settings.Builder minimumSearchGuardSettingsBuilder(int node, boolean sslOnly) {
    final String resourceFolder = getResourceFolder();
    final String prefix = resourceFolder == null ? "" : resourceFolder + "/";

    final Settings.Builder builder = Settings.builder()
            .put(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
            .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
            // Every test node presents the same node-0 certificate, which is presumably why
            // hostname verification is switched off below; this is test-only configuration.
            .put("searchguard.ssl.transport.keystore_alias", "node-0")
            .put("searchguard.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath(prefix + "node-0-keystore.jks"))
            .put("searchguard.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath(prefix + "truststore.jks"))
            .put("searchguard.ssl.transport.enforce_hostname_verification", false);

    if (sslOnly) {
        return builder;
    }

    // The kirk client certificate DN is granted admin rights for the test cluster.
    builder.putList("searchguard.authcz.admin_dn", "CN=kirk,OU=client,O=client,l=tEst, C=De");
    return builder;
}
/**
 * With user injection enabled but admin-user injection NOT enabled, an injected user whose name
 * is listed under {@code admin_dn} must still be denied access to the Search Guard index: the
 * request has to come back 403 and none of the configuration documents may appear in the body.
 */
@Test
public void testInjectedAdminUserAdminInjectionDisabled() throws Exception {
    final Settings settings = Settings.builder()
            .put(ConfigConstants.SEARCHGUARD_UNSUPPORTED_INJECT_USER_ENABLED, true)
            .putList(ConfigConstants.SEARCHGUARD_AUTHCZ_ADMIN_DN, "CN=kirk,OU=client,O=client,L=Test,C=DE", "injectedadmin")
            .put("http.type", "com.floragunn.searchguard.http.UserInjectingServerTransport")
            .build();
    setup(settings, ClusterConfiguration.USERINJECTOR);

    final RestHelper rh = nonSslRestHelper();
    // Header value layout appears to be user|roles|remote address|attributes — confirm against the transport.
    final BasicHeader injectedAdmin = new BasicHeader(ConfigConstants.SG_INJECTED_USER, "injectedadmin|role1|127.0.0:80|key1,value1");

    // Admin injection is disabled, so the injected "admin" is an ordinary user: SG index stays closed.
    final HttpResponse response = rh.executeGetRequest("searchguard/_search?pretty", injectedAdmin);
    Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode());

    final String body = response.getBody();
    final String[] configDocuments = {
            "\"_id\" : \"config\"",
            "\"_id\" : \"roles\"",
            "\"_id\" : \"internalusers\"",
            "\"_id\" : \"tattr\"",
            "\"total\" : 6"
    };
    for (String marker : configDocuments) {
        Assert.assertFalse(body.contains(marker));
    }
}
.putList(ConfigConstants.SEARCHGUARD_AUTHCZ_REST_IMPERSONATION_USERS+".worf", "knuddel","nonexists") .build(); setup(settings);
.putList("path.repo", repositoryPath.getRoot().getAbsolutePath()) .put("searchguard.enable_snapshot_restore_privilege", true) .put("searchguard.check_snapshot_restore_write_privileges", false)
.put("searchguard.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks")) .put("searchguard.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks")) .putList(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_ENABLED_PROTOCOLS, "TLSv1.1","TLSv1.2") .putList(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_ENABLED_CIPHERS, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256") .putList(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_ENABLED_PROTOCOLS, "TLSv1.1","TLSv1.2") .putList(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_ENABLED_CIPHERS, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256") .build();
.putList(ConfigConstants.SEARCHGUARD_AUTHCZ_REST_IMPERSONATION_USERS+".worf", "knuddel","nonexists") .build(); setup(settings);
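/**
 * Indexes a few documents and verifies that an authenticated user can open a scroll and then
 * continue it via {@code /_search/scroll}.
 *
 * The default uncaught-exception handler is installed only for the duration of the test and the
 * previous one is restored afterwards, so this test no longer leaks JVM-global state into the
 * rest of the suite. The scroll id is located by its JSON key rather than by a fixed character
 * offset, and the test fails with a readable message if the response carries no scroll id.
 */
@Test
public void testSearchScroll() throws Exception {
    final Thread.UncaughtExceptionHandler previousHandler = Thread.getDefaultUncaughtExceptionHandler();
    // Surface failures from background threads on the console while this test runs.
    Thread.setDefaultUncaughtExceptionHandler((t, e) -> e.printStackTrace());
    try {
        final Settings settings = Settings.builder()
                .putList(ConfigConstants.SEARCHGUARD_AUTHCZ_REST_IMPERSONATION_USERS + ".worf", "knuddel", "nonexists")
                .build();
        setup(settings);
        final RestHelper rh = nonSslRestHelper();

        try (TransportClient tc = getInternalTransportClient()) {
            for (int i = 0; i < 3; i++) {
                tc.index(new IndexRequest("vulcangov").type("kolinahr")
                        .setRefreshPolicy(RefreshPolicy.IMMEDIATE)
                        .source("{\"content\":1}", XContentType.JSON)).actionGet();
            }
        }

        System.out.println("########search");
        HttpResponse res = rh.executeGetRequest("vulcangov/_search?scroll=1m&pretty=true", encodeBasicHeader("nagilum", "nagilum"));
        Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode());
        System.out.println(res.getBody());

        final String scrollid = extractScrollId(res.getBody());
        System.out.println(scrollid);

        System.out.println("########search scroll");
        res = rh.executePostRequest("/_search/scroll?pretty=true", "{\"scroll_id\" : \"" + scrollid + "\"}", encodeBasicHeader("nagilum", "nagilum"));
        Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode());
        System.out.println("########search done");
    } finally {
        Thread.setDefaultUncaughtExceptionHandler(previousHandler);
    }
}

/**
 * Extracts the value of the {@code _scroll_id} field from a (pretty-printed) search response body.
 *
 * @param body raw JSON response body
 * @return the scroll id without surrounding quotes
 * @throws AssertionError if the body contains no well-formed {@code _scroll_id} entry
 */
private static String extractScrollId(String body) {
    final int keyPos = body.indexOf("\"_scroll_id\"");
    Assert.assertTrue("response carries no _scroll_id: " + body, keyPos >= 0);
    // Skip past the key and the colon, then take everything between the next pair of quotes.
    final int colonPos = body.indexOf(':', keyPos + "\"_scroll_id\"".length());
    Assert.assertTrue("malformed _scroll_id entry: " + body, colonPos >= 0);
    final int openQuote = body.indexOf('"', colonPos + 1);
    final int closeQuote = openQuote < 0 ? -1 : body.indexOf('"', openQuote + 1);
    Assert.assertTrue("malformed _scroll_id entry: " + body, openQuote >= 0 && closeQuote > openQuote);
    return body.substring(openQuote + 1, closeQuote);
}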
/**
 * Transport-client impersonation with the username-attribute based configuration: the spock
 * certificate DN is allowed to impersonate {@code worf} and {@code nagilum}. After seeding an index
 * and pushing the config as admin, a client authenticating as spock with
 * {@code sg_impersonate_as=worf} must be able to query node info from every node.
 */
@Test
public void testTransportClientImpersonationUsernameAttribute() throws Exception {
    final Settings settings = Settings.builder()
            .putList("searchguard.authcz.impersonation_dn.CN=spock,OU=client,O=client,L=Test,C=DE", "worf", "nagilum")
            .build();
    final DynamicSgConfig sgConfig = new DynamicSgConfig()
            .setSgConfig("sg_config_transport_username.yml")
            .setSgRolesMapping("sg_roles_mapping_transport_username.yml")
            .setSgInternalUsers("sg_internal_users_transport_username.yml");
    setup(Settings.EMPTY, sgConfig, settings);

    // Seed data and distribute the configuration using the admin transport client.
    try (TransportClient adminClient = getInternalTransportClient()) {
        final IndexRequest seed = new IndexRequest("starfleet").type("ships")
                .setRefreshPolicy(RefreshPolicy.IMMEDIATE)
                .source("{\"content\":1}", XContentType.JSON);
        adminClient.index(seed).actionGet();

        final String[] configTypes = {"config", "roles", "rolesmapping", "internalusers", "actiongroups"};
        final ConfigUpdateResponse updateResponse = adminClient.execute(ConfigUpdateAction.INSTANCE, new ConfigUpdateRequest(configTypes)).actionGet();
        Assert.assertEquals(clusterInfo.numNodes, updateResponse.getNodes().size());
    }

    // Authenticate with the spock client certificate and ask to act as worf.
    final Settings spockAsWorfSettings = Settings.builder()
            .put("searchguard.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("spock-keystore.jks"))
            .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_ALIAS, "spock")
            .put("path.home", ".")
            .put("request.headers.sg_impersonate_as", "worf")
            .build();
    try (TransportClient spockAsWorf = getInternalTransportClient(clusterInfo, spockAsWorfSettings)) {
        final int visibleNodes = spockAsWorf.admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet().getNodes().size();
        Assert.assertEquals(clusterInfo.numNodes, visibleNodes);
    }
}
/**
 * Transport-client impersonation with the default configuration: the spock certificate DN is
 * allowed to impersonate {@code worf} and {@code nagilum}. After seeding an index and pushing the
 * config as admin, a client authenticating as spock with {@code sg_impersonate_as=worf} must be
 * able to query node info from every node.
 */
@Test
public void testTransportClientImpersonation() throws Exception {
    final Settings settings = Settings.builder()
            .putList("searchguard.authcz.impersonation_dn.CN=spock,OU=client,O=client,L=Test,C=DE", "worf", "nagilum")
            .build();
    setup(settings);

    // Seed data and distribute the configuration using the admin transport client.
    try (TransportClient adminClient = getInternalTransportClient()) {
        final IndexRequest seed = new IndexRequest("starfleet").type("ships")
                .setRefreshPolicy(RefreshPolicy.IMMEDIATE)
                .source("{\"content\":1}", XContentType.JSON);
        adminClient.index(seed).actionGet();

        final String[] configTypes = {"config", "roles", "rolesmapping", "internalusers", "actiongroups"};
        final ConfigUpdateResponse updateResponse = adminClient.execute(ConfigUpdateAction.INSTANCE, new ConfigUpdateRequest(configTypes)).actionGet();
        Assert.assertEquals(clusterInfo.numNodes, updateResponse.getNodes().size());
    }

    // Authenticate with the spock client certificate and ask to act as worf.
    final Settings spockAsWorfSettings = Settings.builder()
            .put("searchguard.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("spock-keystore.jks"))
            .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_ALIAS, "spock")
            .put("path.home", ".")
            .put("request.headers.sg_impersonate_as", "worf")
            .build();
    try (TransportClient spockAsWorf = getInternalTransportClient(clusterInfo, spockAsWorfSettings)) {
        final int visibleNodes = spockAsWorf.admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet().getNodes().size();
        Assert.assertEquals(clusterInfo.numNodes, visibleNodes);
    }
}
/**
 * A coordinating-only node started with the server (node-0) certificate must be allowed to join
 * the cluster: after it starts, node info has to report one node more than the base cluster.
 * The cluster is first checked to be green with the expected node count.
 */
@SuppressWarnings("resource")
@Test
public void testNodeClientAllowedWithServerCertificate() throws Exception {
    setup();

    final int healthyNodes = clusterHelper.nodeClient().admin().cluster()
            .health(new ClusterHealthRequest().waitForGreenStatus()).actionGet().getNumberOfNodes();
    Assert.assertEquals(clusterInfo.numNodes, healthyNodes);
    final ClusterHealthStatus status = clusterHelper.nodeClient().admin().cluster()
            .health(new ClusterHealthRequest().waitForGreenStatus()).actionGet().getStatus();
    Assert.assertEquals(ClusterHealthStatus.GREEN, status);

    // Joining node: no data/master/ingest role, same cluster name, discovers the cluster through the first node.
    final Settings joiningNodeSettings = Settings.builder()
            .put(minimumSearchGuardSettings(Settings.EMPTY).get(0))
            .put("cluster.name", clusterInfo.clustername)
            .put("node.data", false)
            .put("node.master", false)
            .put("node.ingest", false)
            .put("path.home", ".")
            .put("discovery.initial_state_timeout", "8s")
            .putList("discovery.zen.ping.unicast.hosts", clusterInfo.nodeHost + ":" + clusterInfo.nodePort)
            .build();

    log.debug("Start node client");
    try (Node joiningNode = new PluginAwareNode(false, joiningNodeSettings, Netty4Plugin.class, SearchGuardPlugin.class).start()) {
        Thread.sleep(50);
        final int visibleNodes = joiningNode.client().admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet().getNodes().size();
        Assert.assertEquals(clusterInfo.numNodes + 1, visibleNodes);
    }
}
/**
 * With both user injection and admin-user injection enabled, an injected user whose name is listed
 * under {@code admin_dn} gets admin access to the Search Guard index (all configuration documents are
 * returned), while an injected user that is not listed there is rejected with 403.
 */
@Test
public void testInjectedAdminUser() throws Exception {
    final Settings settings = Settings.builder()
            .put(ConfigConstants.SEARCHGUARD_UNSUPPORTED_INJECT_USER_ENABLED, true)
            .put(ConfigConstants.SEARCHGUARD_UNSUPPORTED_INJECT_ADMIN_USER_ENABLED, true)
            .putList(ConfigConstants.SEARCHGUARD_AUTHCZ_ADMIN_DN, "CN=kirk,OU=client,O=client,L=Test,C=DE", "injectedadmin")
            .put("http.type", "com.floragunn.searchguard.http.UserInjectingServerTransport")
            .build();
    setup(settings, ClusterConfiguration.USERINJECTOR);

    final RestHelper rh = nonSslRestHelper();
    // Header value layout appears to be user|roles|remote address|attributes — confirm against the transport.
    final BasicHeader injectedAdmin = new BasicHeader(ConfigConstants.SG_INJECTED_USER, "injectedadmin|role1|127.0.0:80|key1,value1");
    final BasicHeader injectedNonAdmin = new BasicHeader(ConfigConstants.SG_INJECTED_USER, "wrongadmin|role1|127.0.0:80|key1,value1");

    // Listed admin: full read access to the SG index, every config document present.
    HttpResponse response = rh.executeGetRequest("searchguard/_search?pretty", injectedAdmin);
    Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode());
    final String body = response.getBody();
    final String[] configDocuments = {
            "\"_id\" : \"config\"",
            "\"_id\" : \"roles\"",
            "\"_id\" : \"internalusers\"",
            "\"_id\" : \"tattr\"",
            "\"total\" : 6"
    };
    for (String marker : configDocuments) {
        Assert.assertTrue(body.contains(marker));
    }

    // Unlisted user: admin injection must not elevate it.
    response = rh.executeGetRequest("searchguard/_search?pretty", injectedNonAdmin);
    Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode());
}
/**
 * REST impersonation via the {@code sg_impersonate_as} header. Only {@code spock} is allowed to
 * impersonate, and only {@code knuddel} and {@code userwhonotexists}:
 * <ul>
 *   <li>worf impersonating knuddel: 403 (worf is not an allowed impersonator)</li>
 *   <li>spock impersonating knuddel: 200, authinfo reports knuddel and does not mention spock</li>
 *   <li>spock impersonating a user that does not exist: 403</li>
 *   <li>spock impersonating a user that is not on its list: 403</li>
 * </ul>
 */
@Test
public void testRestImpersonation() throws Exception {
    final Settings settings = Settings.builder()
            .putList(ConfigConstants.SEARCHGUARD_AUTHCZ_REST_IMPERSONATION_USERS + ".spock", "knuddel", "userwhonotexists")
            .build();
    setup(settings);
    final RestHelper rh = nonSslRestHelper();
    // knuddel's internal-user hash is "_rest_impersonation_only_".

    final BasicHeader asKnuddel = new BasicHeader("sg_impersonate_as", "knuddel");

    // Not an allowed impersonator.
    HttpResponse response = rh.executeGetRequest("/_searchguard/authinfo", asKnuddel, encodeBasicHeader("worf", "worf"));
    Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode());

    // Allowed impersonator and allowed target.
    response = rh.executeGetRequest("/_searchguard/authinfo", asKnuddel, encodeBasicHeader("spock", "spock"));
    Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode());
    final String impersonatedInfo = response.getBody();
    Assert.assertTrue(impersonatedInfo.contains("name=knuddel"));
    Assert.assertFalse(impersonatedInfo.contains("spock"));

    // Allowed impersonator, target listed but unknown to the backend.
    response = rh.executeGetRequest("/_searchguard/authinfo", new BasicHeader("sg_impersonate_as", "userwhonotexists"), encodeBasicHeader("spock", "spock"));
    System.out.println(response.getBody());
    Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode());

    // Allowed impersonator, target not on its list.
    response = rh.executeGetRequest("/_searchguard/authinfo", new BasicHeader("sg_impersonate_as", "invalid"), encodeBasicHeader("spock", "spock"));
    Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode());
}
/**
 * Transport-client impersonation with a wildcard ({@code *}) grant and the username-attribute based
 * configuration: a client authenticating with the spock certificate and asking to act as
 * {@code worf} must be able to query node info from every node.
 */
@Test
public void testTransportClientImpersonationWildcardUsernameAttribute() throws Exception {
    final Settings settings = Settings.builder()
            .putList("searchguard.authcz.impersonation_dn.CN=spock,OU=client,O=client,L=Test,C=DE", "*")
            .build();
    final DynamicSgConfig sgConfig = new DynamicSgConfig()
            .setSgConfig("sg_config_transport_username.yml")
            .setSgRolesMapping("sg_roles_mapping_transport_username.yml")
            .setSgInternalUsers("sg_internal_users_transport_username.yml");
    setup(Settings.EMPTY, sgConfig, settings);

    // Authenticate with the spock client certificate and ask to act as worf.
    final Settings spockAsWorfSettings = Settings.builder()
            .put("searchguard.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("spock-keystore.jks"))
            .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_ALIAS, "spock")
            .put("path.home", ".")
            .put("request.headers.sg_impersonate_as", "worf")
            .build();
    try (TransportClient spockAsWorf = getInternalTransportClient(clusterInfo, spockAsWorfSettings)) {
        final int visibleNodes = spockAsWorf.admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet().getNodes().size();
        Assert.assertEquals(clusterInfo.numNodes, visibleNodes);
    }
}
/**
 * Node and admin DNs containing an escaped comma ({@code O=Te\, st}) and an EMAILADDRESS component,
 * with the certificate OID overridden. The cluster must come up with these DNs, reject an
 * unauthenticated request with 401 and accept basic-auth credentials with 200.
 */
@Test
public void testDNSpecials() throws Exception {
    final Settings settings = Settings.builder()
            .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_FILEPATH, FileHelper.getAbsoluteFilePathFromClassPath("node-untspec5-keystore.p12"))
            .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_ALIAS, "1")
            .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_TYPE, "PKCS12")
            // Both DNs carry an escaped comma inside the O component.
            .putList("searchguard.nodes_dn", "EMAILADDRESS=unt@tst.com,CN=node-untspec5.example.com,OU=SSL,O=Te\\, st,L=Test,C=DE")
            .putList("searchguard.authcz.admin_dn", "EMAILADDRESS=unt@xxx.com,CN=node-untspec6.example.com,OU=SSL,O=Te\\, st,L=Test,C=DE")
            .put("searchguard.cert.oid", "1.2.3.4.5.6")
            .build();

    // Transport client presents the untspec6 certificate, i.e. the configured admin DN.
    final Settings transportClientSettings = Settings.builder()
            .put("searchguard.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-untspec6-keystore.p12"))
            .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_TYPE, "PKCS12")
            .build();
    setup(transportClientSettings, new DynamicSgConfig(), settings, true);

    final RestHelper rh = nonSslRestHelper();
    final int anonymousStatus = rh.executeGetRequest("").getStatusCode();
    Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, anonymousStatus);
    final int authenticatedStatus = rh.executeGetRequest("", encodeBasicHeader("worf", "worf")).getStatusCode();
    Assert.assertEquals(HttpStatus.SC_OK, authenticatedStatus);
}
/**
 * Variant of {@code testDNSpecials} where the configured admin DN differs from the certificate's DN
 * in attribute-name case and in whitespace around the separators ({@code EMAILADDREss=..., cn=...,
 * c=DE}); the cluster must still come up with the untspec6 certificate as admin, reject an
 * unauthenticated request with 401 and accept basic-auth credentials with 200.
 */
@Test
public void testDNSpecials1() throws Exception {
    final Settings settings = Settings.builder()
            .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_FILEPATH, FileHelper.getAbsoluteFilePathFromClassPath("node-untspec5-keystore.p12"))
            .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_ALIAS, "1")
            .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_TYPE, "PKCS12")
            .putList("searchguard.nodes_dn", "EMAILADDRESS=unt@tst.com,CN=node-untspec5.example.com,OU=SSL,O=Te\\, st,L=Test,C=DE")
            // Deliberately mixed case and extra spaces: the DN is expected to match after normalisation.
            .putList("searchguard.authcz.admin_dn", "EMAILADDREss=unt@xxx.com, cn=node-untspec6.example.com, OU=SSL,O=Te\\, st,L=Test, c=DE")
            .put("searchguard.cert.oid", "1.2.3.4.5.6")
            .build();

    // Transport client presents the untspec6 certificate, i.e. the configured admin DN.
    final Settings transportClientSettings = Settings.builder()
            .put("searchguard.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-untspec6-keystore.p12"))
            .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_TYPE, "PKCS12")
            .build();
    setup(transportClientSettings, new DynamicSgConfig(), settings, true);

    final RestHelper rh = nonSslRestHelper();
    final int anonymousStatus = rh.executeGetRequest("").getStatusCode();
    Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, anonymousStatus);
    final int authenticatedStatus = rh.executeGetRequest("", encodeBasicHeader("worf", "worf")).getStatusCode();
    Assert.assertEquals(HttpStatus.SC_OK, authenticatedStatus);
}
/**
 * Transport-client impersonation with a wildcard ({@code *}) grant for the spock certificate DN:
 * a client authenticating as spock and asking to act as {@code worf} must be able to query node
 * info from every node.
 */
@Test
public void testTransportClientImpersonationWildcard() throws Exception {
    final Settings settings = Settings.builder()
            .putList("searchguard.authcz.impersonation_dn.CN=spock,OU=client,O=client,L=Test,C=DE", "*")
            .build();
    setup(settings);

    // Authenticate with the spock client certificate and ask to act as worf.
    final Settings spockAsWorfSettings = Settings.builder()
            .put("searchguard.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("spock-keystore.jks"))
            .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_ALIAS, "spock")
            .put("path.home", ".")
            .put("request.headers.sg_impersonate_as", "worf")
            .build();
    try (TransportClient spockAsWorf = getInternalTransportClient(clusterInfo, spockAsWorfSettings)) {
        final int visibleNodes = spockAsWorf.admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet().getNodes().size();
        Assert.assertEquals(clusterInfo.numNodes, visibleNodes);
    }
}
/**
 * REST impersonation of a user that is not present in the internal users file, using the
 * {@code sg_config_rest_impersonation.yml} configuration. worf is allowed to impersonate
 * {@code someotherusernotininternalusersfile}; the authinfo response must name the impersonated
 * user and must not mention worf.
 */
@Test
public void testRestImpersonation() throws Exception {
    final Settings settings = Settings.builder()
            .putList(ConfigConstants.SEARCHGUARD_AUTHCZ_REST_IMPERSONATION_USERS + ".worf", "someotherusernotininternalusersfile")
            .build();
    setup(Settings.EMPTY, new DynamicSgConfig().setSgConfig("sg_config_rest_impersonation.yml"), settings);
    final RestHelper rh = nonSslRestHelper();

    final BasicHeader impersonateHeader = new BasicHeader("sg_impersonate_as", "someotherusernotininternalusersfile");
    final HttpResponse response = rh.executeGetRequest("/_searchguard/authinfo", impersonateHeader, encodeBasicHeader("worf", "worf"));
    Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode());

    final String authInfo = response.getBody();
    Assert.assertTrue(authInfo.contains("name=someotherusernotininternalusersfile"));
    Assert.assertFalse(authInfo.contains("worf"));
}
/**
 * Settings that register the given cluster as the cross-cluster-search remote
 * {@code cross_cluster_two}, seeded with its transport endpoint.
 *
 * @param remote the cluster to connect to; its {@code nodeHost} and {@code nodePort} form the seed
 * @return settings containing only the {@code search.remote.cross_cluster_two.seeds} entry
 */
private Settings crossClusterNodeSettings(ClusterInfo remote) {
    final String seed = remote.nodeHost + ":" + remote.nodePort;
    return Settings.builder()
            .putList("search.remote.cross_cluster_two.seeds", seed)
            .build();
}
/**
 * Settings that allow reindex-from-remote against the given cluster by whitelisting its HTTP
 * endpoint; only that single host:port is permitted.
 *
 * @param remote the cluster to allow; its {@code httpHost} and {@code httpPort} form the entry
 * @return settings containing only the {@code reindex.remote.whitelist} entry
 */
private Settings crossClusterNodeSettings(ClusterInfo remote) {
    final String remoteHttpEndpoint = remote.httpHost + ":" + remote.httpPort;
    return Settings.builder()
            .putList("reindex.remote.whitelist", remoteHttpEndpoint)
            .build();
}