Skip to content

Commit

Permalink
Fix settings prefix for realm truststore password
Browse files Browse the repository at this point in the history
As part of elastic#30241 realm settings were changed to be true affix
settings. In the process of this change, the "ssl." prefix was lost
from the realm truststore password. It should be:

    xpack.security.authc.realms.<type>.<name>.ssl.truststore.password

Due to a mismatch between the way we define SSL settings and  load SSL
contexts, there was no way to define this legacy password setting in a
realm config.

The settings validation would reject "ssl.truststore.password" but the
SSL service would ignore "truststore.password"

Resolves: elastic#41663

Backport of: elastic#42336
  • Loading branch information
tvernum committed May 22, 2019
1 parent a71d19e commit de767d4
Show file tree
Hide file tree
Showing 2 changed files with 19 additions and 2 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -117,7 +117,7 @@ public class SSLConfigurationSettings {
public static final Setting<SecureString> LEGACY_TRUSTSTORE_PASSWORD_PROFILES = Setting.affixKeySetting("transport.profiles.",
"xpack.security.ssl.truststore.password", LEGACY_TRUSTSTORE_PASSWORD_TEMPLATE);
public static final Function<String, Setting.AffixSetting<SecureString>> LEGACY_TRUST_STORE_PASSWORD_REALM = realmType ->
Setting.affixKeySetting("xpack.security.authc.realms." + realmType + ".", "truststore.password",
Setting.affixKeySetting("xpack.security.authc.realms." + realmType + ".", "ssl.truststore.password",
LEGACY_TRUSTSTORE_PASSWORD_TEMPLATE);

public static final Function<String, Setting<SecureString>> TRUSTSTORE_PASSWORD_TEMPLATE = key ->
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -5,15 +5,17 @@
*/
package org.elasticsearch.xpack.core.ssl;

import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.test.ESTestCase;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;

import java.util.Arrays;

import static org.hamcrest.Matchers.instanceOf;
import static org.hamcrest.Matchers.is;
import static org.hamcrest.Matchers.startsWith;

public class SSLConfigurationSettingsTests extends ESTestCase {

Expand Down Expand Up @@ -91,4 +93,19 @@ public void testEmptySettingsParsesToDefaults() {
assertThat(SSLConfigurationSettings.getKeyStoreType(ssl.truststoreType, settings, null), is("jks"));
}

public void testRealmSettingPrefixes() {
SSLConfigurationSettings.getRealmSettings("_type").forEach(affix -> {
final String key = affix.getConcreteSettingForNamespace("_name").getKey();
assertThat(key, startsWith("xpack.security.authc.realms._type._name.ssl."));
});
}

public void testProfileSettingPrefixes() {
SSLConfigurationSettings.getProfileSettings().forEach(affix -> {
assertThat(affix, instanceOf(Setting.AffixSetting.class));
final String key = ((Setting.AffixSetting) affix).getConcreteSettingForNamespace("_name").getKey();
assertThat(key, startsWith("transport.profiles._name.xpack.security.ssl."));
});
}

}

0 comments on commit de767d4

Please sign in to comment.