commit
a2a014ae53
@ -22,4 +22,4 @@ java.version=1.8
|
||||
# elasticsearch release. This version is checked when the plugin
|
||||
# is loaded so Elasticsearch will refuse to start in the presence of
|
||||
# plugins with the incorrect elasticsearch.version.
|
||||
elasticsearch.version=6.5.4
|
||||
elasticsearch.version=6.6.1
|
||||
|
8
pom.xml
8
pom.xml
@ -56,10 +56,10 @@
|
||||
</licenses>
|
||||
|
||||
<properties>
|
||||
<elasticsearch.version>6.5.4</elasticsearch.version>
|
||||
<elasticsearch.version>6.6.1</elasticsearch.version>
|
||||
|
||||
<!-- deps -->
|
||||
<netty-native.version>2.0.15.Final</netty-native.version>
|
||||
<netty-native.version>2.0.20.Final</netty-native.version>
|
||||
<log4j.version>2.11.1</log4j.version>
|
||||
</properties>
|
||||
|
||||
@ -172,7 +172,7 @@
|
||||
<dependency>
|
||||
<groupId>com.floragunn</groupId>
|
||||
<artifactId>search-guard-static-tcnative-beta</artifactId>
|
||||
<version>1.1.0j-${netty-native.version}-non-fedora-linux-x86_64</version>
|
||||
<version>1.1.1a-${netty-native.version}-non-fedora-linux-x86_64</version>
|
||||
<scope>provided</scope>
|
||||
</dependency>
|
||||
</dependencies>
|
||||
@ -183,7 +183,7 @@
|
||||
<dependency>
|
||||
<groupId>com.floragunn</groupId>
|
||||
<artifactId>search-guard-static-tcnative-beta</artifactId>
|
||||
<version>1.1.0j-${netty-native.version}-fedora-linux-x86_64</version>
|
||||
<version>1.1.1a-${netty-native.version}-fedora-linux-x86_64</version>
|
||||
<scope>provided</scope>
|
||||
</dependency>
|
||||
</dependencies>
|
||||
|
@ -50,6 +50,7 @@ import org.apache.logging.log4j.LogManager;
|
||||
import org.apache.logging.log4j.Logger;
|
||||
import org.elasticsearch.ElasticsearchException;
|
||||
import org.elasticsearch.SpecialPermission;
|
||||
import org.elasticsearch.Version;
|
||||
import org.elasticsearch.client.Client;
|
||||
import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
|
||||
import org.elasticsearch.cluster.node.DiscoveryNodes;
|
||||
@ -255,14 +256,14 @@ public class OpenDistroSecuritySSLPlugin extends Plugin implements ActionPlugin,
|
||||
|
||||
|
||||
@Override
|
||||
public Map<String, Supplier<Transport>> getTransports(Settings settings, ThreadPool threadPool, BigArrays bigArrays,
|
||||
public Map<String, Supplier<Transport>> getTransports(Settings settings, ThreadPool threadPool,
|
||||
PageCacheRecycler pageCacheRecycler, CircuitBreakerService circuitBreakerService,
|
||||
NamedWriteableRegistry namedWriteableRegistry, NetworkService networkService) {
|
||||
|
||||
Map<String, Supplier<Transport>> transports = new HashMap<String, Supplier<Transport>>();
|
||||
if (transportSSLEnabled) {
|
||||
transports.put("com.amazon.opendistroforelasticsearch.security.ssl.http.netty.OpenDistroSecuritySSLNettyTransport",
|
||||
() -> new OpenDistroSecuritySSLNettyTransport(settings, threadPool, networkService, bigArrays, namedWriteableRegistry, circuitBreakerService, odsks, NOOP_SSL_EXCEPTION_HANDLER));
|
||||
() -> new OpenDistroSecuritySSLNettyTransport(settings, Version.CURRENT, threadPool, networkService, pageCacheRecycler, namedWriteableRegistry, circuitBreakerService, odsks, NOOP_SSL_EXCEPTION_HANDLER));
|
||||
}
|
||||
return transports;
|
||||
|
||||
|
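Review bot: The new `OpenDistroSecuritySSLNettyTransport(...)` call hard-codes `Version.CURRENT` as the transport version with nothing in the hunk saying why the running node's version is the right value to pin the wire protocol to; a one-line comment such as `// same value Netty4Plugin passes for its own transport, so the wire version matches this node` would save the next reader a trip to the Elasticsearch source. That upstream does exactly this is inferred from the new constructor signature, not visible here. A smaller style point: `new HashMap<String, Supplier<Transport>>()` can be `new HashMap<>()`, and since the map holds a single entry `Collections.singletonMap(...)` would read more directly. The closing brace of `getTransports` lies outside this hunk.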
@ -40,6 +40,8 @@ import io.netty.handler.ssl.SslHandler;
|
||||
import javax.net.ssl.SSLException;
|
||||
import javax.net.ssl.SSLHandshakeException;
|
||||
|
||||
import org.apache.logging.log4j.LogManager;
|
||||
import org.apache.logging.log4j.Logger;
|
||||
import org.elasticsearch.common.network.NetworkService;
|
||||
import org.elasticsearch.common.settings.Settings;
|
||||
import org.elasticsearch.common.util.BigArrays;
|
||||
@ -53,6 +55,7 @@ import com.amazon.opendistroforelasticsearch.security.ssl.SslExceptionHandler;
|
||||
|
||||
public class OpenDistroSecuritySSLNettyHttpServerTransport extends Netty4HttpServerTransport {
|
||||
|
||||
private static final Logger logger = LogManager.getLogger(OpenDistroSecuritySSLNettyHttpServerTransport.class);
|
||||
private final OpenDistroSecurityKeyStore sgks;
|
||||
private final ThreadContext threadContext;
|
||||
private final SslExceptionHandler errorHandler;
|
||||
|
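Review bot: The `logger` field added to `OpenDistroSecuritySSLNettyHttpServerTransport` has no use inside this hunk, and the matching `LogManager`/`Logger` imports are the only other change to the file shown; if the rest of the class, which continues outside this view, does not log through it, it is a dead static that Error Prone would flag. The `private final Settings settings` field stored by the `OpenDistroSecuritySSLInfoAction` constructor in the next section has the same shape: assigned in the hunk, read nowhere visible. If both are consumed later in their classes, a brief comment at the declaration naming what they are kept for (`// used by ... to ...`) would make that clear at the point of review.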
@ -59,6 +59,7 @@ public class OpenDistroSecuritySSLInfoAction extends BaseRestHandler {
|
||||
private final OpenDistroSecurityKeyStore sgks;
|
||||
final PrincipalExtractor principalExtractor;
|
||||
private final Path configPath;
|
||||
private final Settings settings;
|
||||
|
||||
public OpenDistroSecuritySSLInfoAction(final Settings settings, final Path configPath, final RestController controller,
|
||||
final OpenDistroSecurityKeyStore sgks, final PrincipalExtractor principalExtractor) {
|
||||
@ -66,6 +67,7 @@ public class OpenDistroSecuritySSLInfoAction extends BaseRestHandler {
|
||||
this.sgks = sgks;
|
||||
this.principalExtractor = principalExtractor;
|
||||
this.configPath = configPath;
|
||||
this.settings = settings;
|
||||
controller.registerHandler(GET, "/_opendistro/_security/sslinfo", this);
|
||||
}
|
||||
|
||||
|
@ -30,15 +30,6 @@
|
||||
|
||||
package com.amazon.opendistroforelasticsearch.security.ssl.transport;
|
||||
|
||||
import io.netty.channel.Channel;
|
||||
import io.netty.channel.ChannelHandler;
|
||||
import io.netty.channel.ChannelHandlerContext;
|
||||
import io.netty.channel.ChannelOutboundHandlerAdapter;
|
||||
import io.netty.channel.ChannelPromise;
|
||||
import io.netty.handler.codec.DecoderException;
|
||||
import io.netty.handler.ssl.NotSslRecordException;
|
||||
import io.netty.handler.ssl.SslHandler;
|
||||
|
||||
import java.net.InetSocketAddress;
|
||||
import java.net.SocketAddress;
|
||||
|
||||
@ -49,11 +40,13 @@ import javax.net.ssl.SSLHandshakeException;
|
||||
import org.apache.logging.log4j.LogManager;
|
||||
import org.apache.logging.log4j.Logger;
|
||||
import org.elasticsearch.ExceptionsHelper;
|
||||
import org.elasticsearch.Version;
|
||||
import org.elasticsearch.cluster.node.DiscoveryNode;
|
||||
import org.elasticsearch.common.io.stream.NamedWriteableRegistry;
|
||||
import org.elasticsearch.common.network.CloseableChannel;
|
||||
import org.elasticsearch.common.network.NetworkService;
|
||||
import org.elasticsearch.common.settings.Settings;
|
||||
import org.elasticsearch.common.util.BigArrays;
|
||||
import org.elasticsearch.common.util.PageCacheRecycler;
|
||||
import org.elasticsearch.indices.breaker.CircuitBreakerService;
|
||||
import org.elasticsearch.threadpool.ThreadPool;
|
||||
import org.elasticsearch.transport.TcpChannel;
|
||||
@ -63,21 +56,31 @@ import com.amazon.opendistroforelasticsearch.security.ssl.OpenDistroSecurityKeyS
|
||||
import com.amazon.opendistroforelasticsearch.security.ssl.SslExceptionHandler;
|
||||
import com.amazon.opendistroforelasticsearch.security.ssl.util.SSLConfigConstants;
|
||||
|
||||
import io.netty.channel.Channel;
|
||||
import io.netty.channel.ChannelHandler;
|
||||
import io.netty.channel.ChannelHandlerContext;
|
||||
import io.netty.channel.ChannelOutboundHandlerAdapter;
|
||||
import io.netty.channel.ChannelPromise;
|
||||
import io.netty.handler.codec.DecoderException;
|
||||
import io.netty.handler.ssl.NotSslRecordException;
|
||||
import io.netty.handler.ssl.SslHandler;
|
||||
|
||||
public class OpenDistroSecuritySSLNettyTransport extends Netty4Transport {
|
||||
|
||||
private static final Logger logger = LogManager.getLogger(OpenDistroSecuritySSLNettyTransport.class);
|
||||
private final OpenDistroSecurityKeyStore sgks;
|
||||
private final SslExceptionHandler errorHandler;
|
||||
|
||||
public OpenDistroSecuritySSLNettyTransport(final Settings settings, final ThreadPool threadPool, final NetworkService networkService,
|
||||
final BigArrays bigArrays, final NamedWriteableRegistry namedWriteableRegistry,
|
||||
public OpenDistroSecuritySSLNettyTransport(final Settings settings, final Version version, final ThreadPool threadPool, final NetworkService networkService,
|
||||
final PageCacheRecycler pageCacheRecycler, final NamedWriteableRegistry namedWriteableRegistry,
|
||||
final CircuitBreakerService circuitBreakerService, final OpenDistroSecurityKeyStore sgks, final SslExceptionHandler errorHandler) {
|
||||
super(settings, threadPool, networkService, bigArrays, namedWriteableRegistry, circuitBreakerService);
|
||||
super(settings, version, threadPool, networkService, pageCacheRecycler, namedWriteableRegistry, circuitBreakerService);
|
||||
this.sgks = sgks;
|
||||
this.errorHandler = errorHandler;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected void onException(TcpChannel channel, Exception e) {
|
||||
public void onException(TcpChannel channel, Exception e) {
|
||||
|
||||
|
||||
if (lifecycle.started()) {
|
||||
@ -92,15 +95,15 @@ public class OpenDistroSecuritySSLNettyTransport extends Netty4Transport {
|
||||
|
||||
if(cause instanceof NotSslRecordException) {
|
||||
logger.warn("Someone ({}) speaks transport plaintext instead of ssl, will close the channel", channel.getLocalAddress());
|
||||
TcpChannel.closeChannel(channel, false);
|
||||
CloseableChannel.closeChannel(channel, false);
|
||||
return;
|
||||
} else if (cause instanceof SSLException) {
|
||||
logger.error("SSL Problem "+cause.getMessage(),cause);
|
||||
TcpChannel.closeChannel(channel, false);
|
||||
CloseableChannel.closeChannel(channel, false);
|
||||
return;
|
||||
} else if (cause instanceof SSLHandshakeException) {
|
||||
logger.error("Problem during handshake "+cause.getMessage());
|
||||
TcpChannel.closeChannel(channel, false);
|
||||
CloseableChannel.closeChannel(channel, false);
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
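Review bot: The `SSLHandshakeException` branch in this hunk is unreachable: `javax.net.ssl.SSLHandshakeException` is a subclass of `SSLException`, so the preceding `cause instanceof SSLException` test already matches it and every handshake failure is logged with a full stack trace under "SSL Problem" instead of the shorter "Problem during handshake" line the author wrote for it. Moving the `SSLHandshakeException` branch above the `SSLException` one restores the distinction; the commit's swap of `TcpChannel.closeChannel` for `CloseableChannel.closeChannel` is fine as written. The plaintext warning on the first branch logs `channel.getLocalAddress()`, which is the same for every peer; for an operator trying to find which node or client is misconfigured the remote side is the useful value, i.e. `logger.warn("Someone ({}) speaks transport plaintext instead of ssl, will close the channel", channel.getRemoteAddress());`. `onException` and the `cause` variable begin in the hunk above, outside this one.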
@ -30,9 +30,6 @@
|
||||
|
||||
package com.amazon.opendistroforelasticsearch.security.ssl.transport;
|
||||
|
||||
import io.netty.channel.Channel;
|
||||
import io.netty.handler.ssl.SslHandler;
|
||||
|
||||
import java.lang.reflect.Method;
|
||||
import java.security.cert.Certificate;
|
||||
import java.security.cert.X509Certificate;
|
||||
@ -53,12 +50,14 @@ import org.elasticsearch.transport.TcpTransportChannel;
|
||||
import org.elasticsearch.transport.TransportChannel;
|
||||
import org.elasticsearch.transport.TransportRequest;
|
||||
import org.elasticsearch.transport.TransportRequestHandler;
|
||||
import org.elasticsearch.transport.netty4.NettyTcpChannel;
|
||||
import org.elasticsearch.transport.netty4.Netty4TcpChannel;
|
||||
|
||||
import com.amazon.opendistroforelasticsearch.security.ssl.SslExceptionHandler;
|
||||
import com.amazon.opendistroforelasticsearch.security.ssl.util.ExceptionUtils;
|
||||
import com.amazon.opendistroforelasticsearch.security.ssl.util.SSLRequestHelper;
|
||||
|
||||
import io.netty.handler.ssl.SslHandler;
|
||||
|
||||
public class OpenDistroSecuritySSLRequestHandler<T extends TransportRequest>
|
||||
implements TransportRequestHandler<T> {
|
||||
|
||||
@ -120,15 +119,15 @@ implements TransportRequestHandler<T> {
|
||||
|
||||
try {
|
||||
|
||||
NettyTcpChannel nettyChannel = null;
|
||||
Netty4TcpChannel nettyChannel = null;
|
||||
|
||||
if (innerChannel instanceof TaskTransportChannel) {
|
||||
final TransportChannel inner = ((TaskTransportChannel) innerChannel).getChannel();
|
||||
nettyChannel = (NettyTcpChannel) ((TcpTransportChannel) inner).getChannel();
|
||||
nettyChannel = (Netty4TcpChannel ) ((TcpTransportChannel) inner).getChannel();
|
||||
} else
|
||||
if (innerChannel instanceof TcpTransportChannel) {
|
||||
final TcpChannel inner = ((TcpTransportChannel) innerChannel).getChannel();
|
||||
nettyChannel = (NettyTcpChannel) inner;
|
||||
nettyChannel = (Netty4TcpChannel) inner;
|
||||
} else {
|
||||
throw new Exception("Invalid channel of type "+innerChannel.getClass()+ " ("+innerChannel.getChannelType()+")");
|
||||
}
|
||||
|
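Review bot: The two `(Netty4TcpChannel)` casts in this hunk assume the Netty transport is the one in use; with another `transport.type` implementation the cast fails with a `ClassCastException` whose message names neither the channel type nor the request, while the `else` branch below it already builds a descriptive `Exception` for exactly that situation. Guarding the cast with `if (!(inner instanceof Netty4TcpChannel)) throw new Exception("Invalid channel of type " + inner.getClass());` in both branches keeps the failure mode uniform; what the enclosing `catch` does with it starts outside this hunk. Minor: `(Netty4TcpChannel )` on the first cast carries a stray space that the second cast does not.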
@ -187,6 +187,8 @@ public final class SSLConfigConstants {
|
||||
|
||||
//TLS 1.3 OpenSSL
|
||||
"TLS_CHACHA20_POLY1305_SHA256",
|
||||
"TLS_AES_128_CCM_8_SHA256",
|
||||
"TLS_AES_128_CCM_SHA256",
|
||||
|
||||
//IBM
|
||||
"SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
|
||||
|
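Review bot: `TLS_AES_128_CCM_8_SHA256` is added to the OpenSSL cipher list alongside `TLS_AES_128_CCM_SHA256` without a comment explaining why the 8-byte-tag CCM variant is wanted; RFC 8446 makes both CCM suites optional (only `TLS_AES_128_GCM_SHA256` is mandatory and the 256-bit GCM and ChaCha20 suites are recommended), and the truncated-tag suite is the one hardening guides typically leave out of a default set. If the list is a deliberately permissive "everything OpenSSL can negotiate" enumeration, a comment such as `// CCM/CCM_8 are optional in RFC 8446; listed for completeness, not preference` next to the two entries would record that. The enclosing array begins and ends outside this hunk.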
@ -30,12 +30,18 @@
|
||||
|
||||
package com.amazon.opendistroforelasticsearch.security.ssl;
|
||||
|
||||
import io.netty.handler.ssl.OpenSsl;
|
||||
|
||||
import java.util.HashSet;
|
||||
import java.util.Random;
|
||||
import java.util.Set;
|
||||
|
||||
import org.elasticsearch.action.admin.cluster.health.ClusterHealthRequest;
|
||||
import org.elasticsearch.action.admin.cluster.health.ClusterHealthResponse;
|
||||
import org.elasticsearch.action.admin.cluster.node.info.NodesInfoRequest;
|
||||
import org.elasticsearch.common.settings.Settings;
|
||||
import org.elasticsearch.common.unit.TimeValue;
|
||||
import org.elasticsearch.node.Node;
|
||||
import org.elasticsearch.node.PluginAwareNode;
|
||||
import org.elasticsearch.transport.Netty4Plugin;
|
||||
import org.junit.Assert;
|
||||
import org.junit.Assume;
|
||||
import org.junit.Before;
|
||||
@ -43,6 +49,8 @@ import org.junit.Test;
|
||||
|
||||
import com.amazon.opendistroforelasticsearch.security.ssl.util.SSLConfigConstants;
|
||||
|
||||
import io.netty.handler.ssl.OpenSsl;
|
||||
|
||||
public class OpenSSLTest extends SSLTest {
|
||||
|
||||
@Before
|
||||
|