Merge pull request #1 from rbkmoney/es-6.6.1

ES 6.6.1
Alexey 2019-03-28 15:00:12 +03:00 committed by GitHub
commit a2a014ae53
9 changed files with 51 additions and 33 deletions


@ -22,4 +22,4 @@ java.version=1.8
# elasticsearch release. This version is checked when the plugin # elasticsearch release. This version is checked when the plugin
# is loaded so Elasticsearch will refuse to start in the presence of # is loaded so Elasticsearch will refuse to start in the presence of
# plugins with the incorrect elasticsearch.version. # plugins with the incorrect elasticsearch.version.
elasticsearch.version=6.5.4 elasticsearch.version=6.6.1


@ -56,10 +56,10 @@
</licenses> </licenses>
<properties> <properties>
<elasticsearch.version>6.5.4</elasticsearch.version> <elasticsearch.version>6.6.1</elasticsearch.version>
<!-- deps --> <!-- deps -->
<netty-native.version>2.0.15.Final</netty-native.version> <netty-native.version>2.0.20.Final</netty-native.version>
<log4j.version>2.11.1</log4j.version> <log4j.version>2.11.1</log4j.version>
</properties> </properties>
@ -172,7 +172,7 @@
<dependency> <dependency>
<groupId>com.floragunn</groupId> <groupId>com.floragunn</groupId>
<artifactId>search-guard-static-tcnative-beta</artifactId> <artifactId>search-guard-static-tcnative-beta</artifactId>
<version>1.1.0j-${netty-native.version}-non-fedora-linux-x86_64</version> <version>1.1.1a-${netty-native.version}-non-fedora-linux-x86_64</version>
<scope>provided</scope> <scope>provided</scope>
</dependency> </dependency>
</dependencies> </dependencies>
@ -183,7 +183,7 @@
<dependency> <dependency>
<groupId>com.floragunn</groupId> <groupId>com.floragunn</groupId>
<artifactId>search-guard-static-tcnative-beta</artifactId> <artifactId>search-guard-static-tcnative-beta</artifactId>
<version>1.1.0j-${netty-native.version}-fedora-linux-x86_64</version> <version>1.1.1a-${netty-native.version}-fedora-linux-x86_64</version>
<scope>provided</scope> <scope>provided</scope>
</dependency> </dependency>
</dependencies> </dependencies>


@ -50,6 +50,7 @@ import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchException; import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.SpecialPermission; import org.elasticsearch.SpecialPermission;
import org.elasticsearch.Version;
import org.elasticsearch.client.Client; import org.elasticsearch.client.Client;
import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver; import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
import org.elasticsearch.cluster.node.DiscoveryNodes; import org.elasticsearch.cluster.node.DiscoveryNodes;
@ -255,14 +256,14 @@ public class OpenDistroSecuritySSLPlugin extends Plugin implements ActionPlugin,
@Override @Override
public Map<String, Supplier<Transport>> getTransports(Settings settings, ThreadPool threadPool, BigArrays bigArrays, public Map<String, Supplier<Transport>> getTransports(Settings settings, ThreadPool threadPool,
PageCacheRecycler pageCacheRecycler, CircuitBreakerService circuitBreakerService, PageCacheRecycler pageCacheRecycler, CircuitBreakerService circuitBreakerService,
NamedWriteableRegistry namedWriteableRegistry, NetworkService networkService) { NamedWriteableRegistry namedWriteableRegistry, NetworkService networkService) {
Map<String, Supplier<Transport>> transports = new HashMap<String, Supplier<Transport>>(); Map<String, Supplier<Transport>> transports = new HashMap<String, Supplier<Transport>>();
if (transportSSLEnabled) { if (transportSSLEnabled) {
transports.put("com.amazon.opendistroforelasticsearch.security.ssl.http.netty.OpenDistroSecuritySSLNettyTransport", transports.put("com.amazon.opendistroforelasticsearch.security.ssl.http.netty.OpenDistroSecuritySSLNettyTransport",
() -> new OpenDistroSecuritySSLNettyTransport(settings, threadPool, networkService, bigArrays, namedWriteableRegistry, circuitBreakerService, odsks, NOOP_SSL_EXCEPTION_HANDLER)); () -> new OpenDistroSecuritySSLNettyTransport(settings, Version.CURRENT, threadPool, networkService, pageCacheRecycler, namedWriteableRegistry, circuitBreakerService, odsks, NOOP_SSL_EXCEPTION_HANDLER));
} }
return transports; return transports;


@ -40,6 +40,8 @@ import io.netty.handler.ssl.SslHandler;
import javax.net.ssl.SSLException; import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException; import javax.net.ssl.SSLHandshakeException;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.common.network.NetworkService; import org.elasticsearch.common.network.NetworkService;
import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.BigArrays; import org.elasticsearch.common.util.BigArrays;
@ -53,6 +55,7 @@ import com.amazon.opendistroforelasticsearch.security.ssl.SslExceptionHandler;
public class OpenDistroSecuritySSLNettyHttpServerTransport extends Netty4HttpServerTransport { public class OpenDistroSecuritySSLNettyHttpServerTransport extends Netty4HttpServerTransport {
private static final Logger logger = LogManager.getLogger(OpenDistroSecuritySSLNettyHttpServerTransport.class);
private final OpenDistroSecurityKeyStore sgks; private final OpenDistroSecurityKeyStore sgks;
private final ThreadContext threadContext; private final ThreadContext threadContext;
private final SslExceptionHandler errorHandler; private final SslExceptionHandler errorHandler;


@ -59,6 +59,7 @@ public class OpenDistroSecuritySSLInfoAction extends BaseRestHandler {
private final OpenDistroSecurityKeyStore sgks; private final OpenDistroSecurityKeyStore sgks;
final PrincipalExtractor principalExtractor; final PrincipalExtractor principalExtractor;
private final Path configPath; private final Path configPath;
private final Settings settings;
public OpenDistroSecuritySSLInfoAction(final Settings settings, final Path configPath, final RestController controller, public OpenDistroSecuritySSLInfoAction(final Settings settings, final Path configPath, final RestController controller,
final OpenDistroSecurityKeyStore sgks, final PrincipalExtractor principalExtractor) { final OpenDistroSecurityKeyStore sgks, final PrincipalExtractor principalExtractor) {
@ -66,6 +67,7 @@ public class OpenDistroSecuritySSLInfoAction extends BaseRestHandler {
this.sgks = sgks; this.sgks = sgks;
this.principalExtractor = principalExtractor; this.principalExtractor = principalExtractor;
this.configPath = configPath; this.configPath = configPath;
this.settings = settings;
controller.registerHandler(GET, "/_opendistro/_security/sslinfo", this); controller.registerHandler(GET, "/_opendistro/_security/sslinfo", this);
} }
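Review bot: The new `settings` field in OpenDistroSecuritySSLInfoAction is assigned in the constructor, but no read of it is visible in this hunk; presumably it stands in for an inherited `settings` field that the 6.6.1 base class no longer exposes, yet if nothing in the class reads it the field should be dropped rather than stored. If it is kept, a short comment on the declaration such as `// kept locally: the 6.6.1 parent no longer exposes settings` would tell the next reader why it exists. The class body continues past the hunk, so a use elsewhere cannot be ruled out from here.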


@ -30,15 +30,6 @@
package com.amazon.opendistroforelasticsearch.security.ssl.transport; package com.amazon.opendistroforelasticsearch.security.ssl.transport;
import io.netty.channel.Channel;
import io.netty.channel.ChannelHandler;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelOutboundHandlerAdapter;
import io.netty.channel.ChannelPromise;
import io.netty.handler.codec.DecoderException;
import io.netty.handler.ssl.NotSslRecordException;
import io.netty.handler.ssl.SslHandler;
import java.net.InetSocketAddress; import java.net.InetSocketAddress;
import java.net.SocketAddress; import java.net.SocketAddress;
@ -49,11 +40,13 @@ import javax.net.ssl.SSLHandshakeException;
import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.Logger;
import org.elasticsearch.ExceptionsHelper; import org.elasticsearch.ExceptionsHelper;
import org.elasticsearch.Version;
import org.elasticsearch.cluster.node.DiscoveryNode; import org.elasticsearch.cluster.node.DiscoveryNode;
import org.elasticsearch.common.io.stream.NamedWriteableRegistry; import org.elasticsearch.common.io.stream.NamedWriteableRegistry;
import org.elasticsearch.common.network.CloseableChannel;
import org.elasticsearch.common.network.NetworkService; import org.elasticsearch.common.network.NetworkService;
import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.BigArrays; import org.elasticsearch.common.util.PageCacheRecycler;
import org.elasticsearch.indices.breaker.CircuitBreakerService; import org.elasticsearch.indices.breaker.CircuitBreakerService;
import org.elasticsearch.threadpool.ThreadPool; import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.TcpChannel; import org.elasticsearch.transport.TcpChannel;
@ -63,21 +56,31 @@ import com.amazon.opendistroforelasticsearch.security.ssl.OpenDistroSecurityKeyS
import com.amazon.opendistroforelasticsearch.security.ssl.SslExceptionHandler; import com.amazon.opendistroforelasticsearch.security.ssl.SslExceptionHandler;
import com.amazon.opendistroforelasticsearch.security.ssl.util.SSLConfigConstants; import com.amazon.opendistroforelasticsearch.security.ssl.util.SSLConfigConstants;
import io.netty.channel.Channel;
import io.netty.channel.ChannelHandler;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelOutboundHandlerAdapter;
import io.netty.channel.ChannelPromise;
import io.netty.handler.codec.DecoderException;
import io.netty.handler.ssl.NotSslRecordException;
import io.netty.handler.ssl.SslHandler;
public class OpenDistroSecuritySSLNettyTransport extends Netty4Transport { public class OpenDistroSecuritySSLNettyTransport extends Netty4Transport {
private static final Logger logger = LogManager.getLogger(OpenDistroSecuritySSLNettyTransport.class);
private final OpenDistroSecurityKeyStore sgks; private final OpenDistroSecurityKeyStore sgks;
private final SslExceptionHandler errorHandler; private final SslExceptionHandler errorHandler;
public OpenDistroSecuritySSLNettyTransport(final Settings settings, final ThreadPool threadPool, final NetworkService networkService, public OpenDistroSecuritySSLNettyTransport(final Settings settings, final Version version, final ThreadPool threadPool, final NetworkService networkService,
final BigArrays bigArrays, final NamedWriteableRegistry namedWriteableRegistry, final PageCacheRecycler pageCacheRecycler, final NamedWriteableRegistry namedWriteableRegistry,
final CircuitBreakerService circuitBreakerService, final OpenDistroSecurityKeyStore sgks, final SslExceptionHandler errorHandler) { final CircuitBreakerService circuitBreakerService, final OpenDistroSecurityKeyStore sgks, final SslExceptionHandler errorHandler) {
super(settings, threadPool, networkService, bigArrays, namedWriteableRegistry, circuitBreakerService); super(settings, version, threadPool, networkService, pageCacheRecycler, namedWriteableRegistry, circuitBreakerService);
this.sgks = sgks; this.sgks = sgks;
this.errorHandler = errorHandler; this.errorHandler = errorHandler;
} }
@Override @Override
protected void onException(TcpChannel channel, Exception e) { public void onException(TcpChannel channel, Exception e) {
if (lifecycle.started()) { if (lifecycle.started()) {
@ -92,15 +95,15 @@ public class OpenDistroSecuritySSLNettyTransport extends Netty4Transport {
if(cause instanceof NotSslRecordException) { if(cause instanceof NotSslRecordException) {
logger.warn("Someone ({}) speaks transport plaintext instead of ssl, will close the channel", channel.getLocalAddress()); logger.warn("Someone ({}) speaks transport plaintext instead of ssl, will close the channel", channel.getLocalAddress());
TcpChannel.closeChannel(channel, false); CloseableChannel.closeChannel(channel, false);
return; return;
} else if (cause instanceof SSLException) { } else if (cause instanceof SSLException) {
logger.error("SSL Problem "+cause.getMessage(),cause); logger.error("SSL Problem "+cause.getMessage(),cause);
TcpChannel.closeChannel(channel, false); CloseableChannel.closeChannel(channel, false);
return; return;
} else if (cause instanceof SSLHandshakeException) { } else if (cause instanceof SSLHandshakeException) {
logger.error("Problem during handshake "+cause.getMessage()); logger.error("Problem during handshake "+cause.getMessage());
TcpChannel.closeChannel(channel, false); CloseableChannel.closeChannel(channel, false);
return; return;
} }
} }
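Review bot: The `cause instanceof SSLHandshakeException` branch in onException is unreachable, because `javax.net.ssl.SSLHandshakeException` extends `SSLException` and the preceding `cause instanceof SSLException` check already matches it, so handshake failures are always logged as `SSL Problem` with a full stack trace instead of the shorter handshake message. Test the subclass first by moving the `SSLHandshakeException` block above the `SSLException` block; this predates the commit, but the same lines are rewritten here for the `CloseableChannel.closeChannel` migration, so it is the right moment to fix it. The string-concatenated calls would also read better in parameterized form, e.g. `logger.error("SSL Problem {}", cause.getMessage(), cause);`. onException begins in the previous hunk and continues past this one.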


@ -30,9 +30,6 @@
package com.amazon.opendistroforelasticsearch.security.ssl.transport; package com.amazon.opendistroforelasticsearch.security.ssl.transport;
import io.netty.channel.Channel;
import io.netty.handler.ssl.SslHandler;
import java.lang.reflect.Method; import java.lang.reflect.Method;
import java.security.cert.Certificate; import java.security.cert.Certificate;
import java.security.cert.X509Certificate; import java.security.cert.X509Certificate;
@ -53,12 +50,14 @@ import org.elasticsearch.transport.TcpTransportChannel;
import org.elasticsearch.transport.TransportChannel; import org.elasticsearch.transport.TransportChannel;
import org.elasticsearch.transport.TransportRequest; import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.transport.TransportRequestHandler; import org.elasticsearch.transport.TransportRequestHandler;
import org.elasticsearch.transport.netty4.NettyTcpChannel; import org.elasticsearch.transport.netty4.Netty4TcpChannel;
import com.amazon.opendistroforelasticsearch.security.ssl.SslExceptionHandler; import com.amazon.opendistroforelasticsearch.security.ssl.SslExceptionHandler;
import com.amazon.opendistroforelasticsearch.security.ssl.util.ExceptionUtils; import com.amazon.opendistroforelasticsearch.security.ssl.util.ExceptionUtils;
import com.amazon.opendistroforelasticsearch.security.ssl.util.SSLRequestHelper; import com.amazon.opendistroforelasticsearch.security.ssl.util.SSLRequestHelper;
import io.netty.handler.ssl.SslHandler;
public class OpenDistroSecuritySSLRequestHandler<T extends TransportRequest> public class OpenDistroSecuritySSLRequestHandler<T extends TransportRequest>
implements TransportRequestHandler<T> { implements TransportRequestHandler<T> {
@ -120,15 +119,15 @@ implements TransportRequestHandler<T> {
try { try {
NettyTcpChannel nettyChannel = null; Netty4TcpChannel nettyChannel = null;
if (innerChannel instanceof TaskTransportChannel) { if (innerChannel instanceof TaskTransportChannel) {
final TransportChannel inner = ((TaskTransportChannel) innerChannel).getChannel(); final TransportChannel inner = ((TaskTransportChannel) innerChannel).getChannel();
nettyChannel = (NettyTcpChannel) ((TcpTransportChannel) inner).getChannel(); nettyChannel = (Netty4TcpChannel ) ((TcpTransportChannel) inner).getChannel();
} else } else
if (innerChannel instanceof TcpTransportChannel) { if (innerChannel instanceof TcpTransportChannel) {
final TcpChannel inner = ((TcpTransportChannel) innerChannel).getChannel(); final TcpChannel inner = ((TcpTransportChannel) innerChannel).getChannel();
nettyChannel = (NettyTcpChannel) inner; nettyChannel = (Netty4TcpChannel) inner;
} else { } else {
throw new Exception("Invalid channel of type "+innerChannel.getClass()+ " ("+innerChannel.getChannelType()+")"); throw new Exception("Invalid channel of type "+innerChannel.getClass()+ " ("+innerChannel.getChannelType()+")");
} }
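Review bot: The renamed cast on the `nettyChannel = (Netty4TcpChannel ) ((TcpTransportChannel) inner).getChannel();` line carries a stray space inside the cast parentheses; write it as `(Netty4TcpChannel)` to match the sibling cast two lines below. Both casts are unguarded, so on a node running a non-Netty transport they fail with a `ClassCastException` rather than the descriptive `Invalid channel of type` exception the else-branch produces; an `instanceof Netty4TcpChannel` check feeding the same message would make that failure easier to diagnose. The `try` that wraps this code and the enclosing method start and end outside the hunk.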


@ -187,6 +187,8 @@ public final class SSLConfigConstants {
//TLS 1.3 OpenSSL //TLS 1.3 OpenSSL
"TLS_CHACHA20_POLY1305_SHA256", "TLS_CHACHA20_POLY1305_SHA256",
"TLS_AES_128_CCM_8_SHA256",
"TLS_AES_128_CCM_SHA256",
//IBM //IBM
"SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
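Review bot: `TLS_AES_128_CCM_8_SHA256` is added to the default TLS 1.3 OpenSSL cipher list without explanation; its 8-byte authentication tag gives weaker integrity protection than the 16-byte tag of the GCM and plain CCM suites, the suite is meant for constrained devices, and RFC 8446 does not list it among the mandatory or recommended TLS 1.3 suites. Consider leaving it out of the default enabled set, or at least annotate it so operators understand the trade-off, e.g. `// CCM_8: truncated 8-byte auth tag, constrained-device suite; review before enabling by default`. The array this hunk extends starts and ends outside the hunk.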


@ -30,12 +30,18 @@
package com.amazon.opendistroforelasticsearch.security.ssl; package com.amazon.opendistroforelasticsearch.security.ssl;
import io.netty.handler.ssl.OpenSsl;
import java.util.HashSet; import java.util.HashSet;
import java.util.Random;
import java.util.Set; import java.util.Set;
import org.elasticsearch.action.admin.cluster.health.ClusterHealthRequest;
import org.elasticsearch.action.admin.cluster.health.ClusterHealthResponse;
import org.elasticsearch.action.admin.cluster.node.info.NodesInfoRequest;
import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.unit.TimeValue;
import org.elasticsearch.node.Node;
import org.elasticsearch.node.PluginAwareNode;
import org.elasticsearch.transport.Netty4Plugin;
import org.junit.Assert; import org.junit.Assert;
import org.junit.Assume; import org.junit.Assume;
import org.junit.Before; import org.junit.Before;
@ -43,6 +49,8 @@ import org.junit.Test;
import com.amazon.opendistroforelasticsearch.security.ssl.util.SSLConfigConstants; import com.amazon.opendistroforelasticsearch.security.ssl.util.SSLConfigConstants;
import io.netty.handler.ssl.OpenSsl;
public class OpenSSLTest extends SSLTest { public class OpenSSLTest extends SSLTest {
@Before @Before