├── .github └── workflows │ └── ci.yml ├── .gitignore ├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── LICENSE ├── NOTICE.txt ├── README.md ├── THIRD-PARTY.txt ├── opendistro-elasticsearch-security-advanced-modules.release-notes ├── output.txt ├── pom.xml └── src ├── main └── java │ └── com │ └── amazon │ ├── dlic │ ├── auth │ │ ├── http │ │ │ ├── jwt │ │ │ │ ├── AbstractHTTPJwtAuthenticator.java │ │ │ │ ├── HTTPJwtAuthenticator.java │ │ │ │ ├── keybyoidc │ │ │ │ │ ├── AuthenticatorUnavailableException.java │ │ │ │ │ ├── BadCredentialsException.java │ │ │ │ │ ├── HTTPJwtKeyByOpenIdConnectAuthenticator.java │ │ │ │ │ ├── JwtVerifier.java │ │ │ │ │ ├── KeyProvider.java │ │ │ │ │ ├── KeySetProvider.java │ │ │ │ │ ├── KeySetRetriever.java │ │ │ │ │ └── SelfRefreshingKeySet.java │ │ │ │ └── oidc │ │ │ │ │ └── json │ │ │ │ │ └── OpenIdProviderConfiguration.java │ │ │ ├── kerberos │ │ │ │ ├── HTTPSpnegoAuthenticator.java │ │ │ │ └── util │ │ │ │ │ ├── JaasKrbUtil.java │ │ │ │ │ └── KrbConstants.java │ │ │ └── saml │ │ │ │ ├── AuthTokenProcessorHandler.java │ │ │ │ ├── HTTPSamlAuthenticator.java │ │ │ │ ├── Saml2SettingsProvider.java │ │ │ │ ├── SamlConfigException.java │ │ │ │ ├── SamlFilesystemMetadataResolver.java │ │ │ │ ├── SamlHTTPMetadataResolver.java │ │ │ │ └── SamlNameIdFormat.java │ │ ├── ldap │ │ │ ├── LdapUser.java │ │ │ ├── backend │ │ │ │ ├── LDAPAuthenticationBackend.java │ │ │ │ └── LDAPAuthorizationBackend.java │ │ │ └── util │ │ │ │ ├── ConfigConstants.java │ │ │ │ ├── LdapHelper.java │ │ │ │ └── Utils.java │ │ └── ldap2 │ │ │ ├── LDAPAuthenticationBackend2.java │ │ │ ├── LDAPAuthorizationBackend2.java │ │ │ ├── LDAPConnectionFactoryFactory.java │ │ │ ├── LDAPUserSearcher.java │ │ │ ├── MakeJava9Happy.java │ │ │ └── PrivilegedProvider.java │ └── util │ │ └── SettingsBasedSSLConfigurator.java │ └── opendistroforelasticsearch │ └── security │ ├── auditlog │ ├── impl │ │ ├── AbstractAuditLog.java │ │ ├── AuditLogImpl.java │ │ ├── AuditMessage.java │ │ └── 
RequestResolver.java │ ├── routing │ │ ├── AsyncStoragePool.java │ │ └── AuditMessageRouter.java │ └── sink │ │ ├── AuditLogSink.java │ │ ├── DebugSink.java │ │ ├── ExternalESSink.java │ │ ├── InternalESSink.java │ │ ├── KafkaSink.java │ │ ├── Log4JSink.java │ │ ├── NoopSink.java │ │ ├── SinkProvider.java │ │ └── WebhookSink.java │ ├── compliance │ ├── ComplianceIndexingOperationListenerImpl.java │ └── FieldReadCallback.java │ ├── configuration │ ├── DlsFlsFilterLeafReader.java │ ├── DlsFlsValveImpl.java │ ├── DlsQueryParser.java │ ├── MaskedField.java │ ├── OpenDistroSecurityFlsDlsIndexSearcherWrapper.java │ └── PrivilegesInterceptorImpl.java │ ├── dlic │ └── rest │ │ ├── api │ │ ├── AbstractApiAction.java │ │ ├── ActionGroupsApiAction.java │ │ ├── AuthTokenProcessorAction.java │ │ ├── Endpoint.java │ │ ├── FlushCacheApiAction.java │ │ ├── InternalUsersApiAction.java │ │ ├── OpenDistroSecurityConfigAction.java │ │ ├── OpenDistroSecurityRestApiActions.java │ │ ├── PatchableResourceApiAction.java │ │ ├── PermissionsInfoAction.java │ │ ├── RestApiPrivilegesEvaluator.java │ │ ├── RolesApiAction.java │ │ ├── RolesMappingApiAction.java │ │ └── TenantsApiAction.java │ │ ├── support │ │ └── Utils.java │ │ └── validation │ │ ├── AbstractConfigurationValidator.java │ │ ├── ActionGroupValidator.java │ │ ├── InternalUsersValidator.java │ │ ├── NoOpValidator.java │ │ ├── RolesMappingValidator.java │ │ ├── RolesValidator.java │ │ ├── SecurityConfigValidator.java │ │ └── TenantValidator.java │ └── httpclient │ └── HttpClient.java └── test ├── java └── com │ └── amazon │ ├── dlic │ └── auth │ │ ├── http │ │ ├── jwt │ │ │ ├── HTTPJwtAuthenticatorTest.java │ │ │ └── keybyoidc │ │ │ │ ├── CxfTestTools.java │ │ │ │ ├── HTTPJwtKeyByOpenIdConnectAuthenticatorTest.java │ │ │ │ ├── KeySetRetrieverTest.java │ │ │ │ ├── MockIpdServer.java │ │ │ │ ├── SelfRefreshingKeySetTest.java │ │ │ │ ├── SingleKeyHTTPJwtKeyByOpenIdConnectAuthenticatorTest.java │ │ │ │ ├── TestJwk.java │ │ │ │ └── 
TestJwts.java │ │ └── saml │ │ │ ├── HTTPSamlAuthenticatorTest.java │ │ │ └── MockSamlIdpServer.java │ │ ├── ldap │ │ ├── LdapBackendIntegTest.java │ │ ├── LdapBackendTest.java │ │ ├── LdapBackendTestClientCert.java │ │ ├── LdapBackendTestNewStyleConfig.java │ │ ├── UtilsTest.java │ │ └── srv │ │ │ ├── EmbeddedLDAPServer.java │ │ │ └── LdapServer.java │ │ └── ldap2 │ │ ├── LdapBackendIntegTest2.java │ │ ├── LdapBackendTestClientCert2.java │ │ ├── LdapBackendTestNewStyleConfig2.java │ │ └── LdapBackendTestOldStyleConfig2.java │ └── opendistroforelasticsearch │ └── security │ ├── auditlog │ ├── AbstractAuditlogiUnitTest.java │ ├── AuditLogTestSuite.java │ ├── compliance │ │ ├── ComplianceAuditlogTest.java │ │ └── RestApiComplianceAuditlogTest.java │ ├── helper │ │ ├── ErroneousHttpHandler.java │ │ ├── FailingSink.java │ │ ├── LoggingSink.java │ │ ├── MockAuditMessageFactory.java │ │ ├── MockRestRequest.java │ │ ├── MyOwnAuditLog.java │ │ ├── RetrySink.java │ │ ├── SlowSink.java │ │ └── TestHttpHandler.java │ ├── impl │ │ ├── AuditlogTest.java │ │ ├── DelegateTest.java │ │ ├── DisabledCategoriesTest.java │ │ ├── IgnoreAuditUsersTest.java │ │ └── TracingTests.java │ ├── integration │ │ ├── BasicAuditlogTest.java │ │ ├── SSLAuditlogTest.java │ │ └── TestAuditlogImpl.java │ ├── routing │ │ ├── FallbackTest.java │ │ ├── PerfTest.java │ │ ├── RouterTest.java │ │ ├── RoutingConfigurationTest.java │ │ └── ThreadPoolSettingsTest.java │ └── sink │ │ ├── KafkaSinkTest.java │ │ ├── MockWebhookAuditLog.java │ │ ├── SinkProviderTLSTest.java │ │ ├── SinkProviderTest.java │ │ └── WebhookAuditLogTest.java │ ├── cache │ ├── CachingTest.java │ ├── DummyAuthenticationBackend.java │ ├── DummyAuthorizer.java │ └── DummyHTTPAuthenticator.java │ ├── dlic │ ├── dlsfls │ │ ├── AbstractDlsFlsTest.java │ │ ├── CustomFieldMaskedComplexMappingTest.java │ │ ├── CustomFieldMaskedTest.java │ │ ├── DateMathTest.java │ │ ├── DlsDateMathTest.java │ │ ├── DlsFlsCrossClusterSearchTest.java │ │ ├── 
DlsNestedTest.java │ │ ├── DlsPropsReplaceTest.java │ │ ├── DlsScrollTest.java │ │ ├── DlsTest.java │ │ ├── FieldMaskedTest.java │ │ ├── Fls983Test.java │ │ ├── FlsDlsTestAB.java │ │ ├── FlsDlsTestForbiddenField.java │ │ ├── FlsDlsTestMulti.java │ │ ├── FlsExistsFieldsTest.java │ │ ├── FlsFieldsTest.java │ │ ├── FlsFieldsWcTest.java │ │ ├── FlsPerfTest.java │ │ ├── FlsTest.java │ │ ├── IndexPatternTest.java │ │ └── MFlsTest.java │ └── rest │ │ └── api │ │ ├── AbstractRestApiUnitTest.java │ │ ├── ActionGroupsApiTest.java │ │ ├── FlushCacheApiTest.java │ │ ├── GetConfigurationApiTest.java │ │ ├── IndexMissingTest.java │ │ ├── OpenDistroSecurityApiAccessTest.java │ │ ├── RoleBasedAccessTest.java │ │ ├── RolesApiTest.java │ │ ├── RolesMappingApiTest.java │ │ ├── SecurityConfigApiTest.java │ │ └── UserApiTest.java │ ├── httpclient │ └── HttpClientTest.java │ ├── multitenancy │ └── test │ │ └── MultitenancyTests.java │ └── util │ ├── FakeRestRequest.java │ └── SettingsBasedSSLConfiguratorTest.java └── resources ├── auditlog ├── action_groups.yml ├── chain-ca.pem ├── config.yml ├── data1.json ├── data1mod.json ├── data2.json ├── data3.json ├── endpoints │ ├── configuration_wrong_endpoint_names.yml │ ├── routing │ │ ├── configuration_no_default.yml │ │ ├── configuration_valid.yml │ │ ├── configuration_wrong_categories.yml │ │ ├── configuration_wrong_endpoint_names.yml │ │ ├── configuration_wrong_endpoint_types.yml │ │ ├── fallback.yml │ │ ├── perftest.yml │ │ └── routing.yml │ └── sink │ │ ├── configuration_all_variants.yml │ │ ├── configuration_kafka.yml │ │ ├── configuration_no_default.yml │ │ ├── configuration_no_multiple_endpoints.yml │ │ └── configuration_tls.yml ├── internal_users.yml ├── kirk-keystore.jks ├── kirk-keystore.p12 ├── kirk.all.pem ├── kirk.crt.pem ├── kirk.crtfull.pem ├── kirk.key.pem ├── mapping1.json ├── mapping2.json ├── mapping3.json ├── mapping4.json ├── messageasjson.json ├── node-0-keystore.jks ├── node-0-keystore.p12 ├── node-0.crt.pem ├── 
node-0.key.pem ├── roles.yml ├── roles_2.yml ├── roles_2_tenants.yml ├── roles_mapping.yml ├── roles_tenants.yml ├── root-ca.pem ├── signing-ca.pem ├── spock-keystore.jks ├── spock-keystore.p12 ├── spock.all.pem ├── spock.crt.pem ├── spock.crtfull.pem ├── spock.key.pem ├── truststore.jks └── truststore_fail.jks ├── cache ├── action_groups.yml ├── config.yml ├── internal_users.yml ├── kirk-keystore.jks ├── node-0-keystore.jks ├── roles.yml ├── roles_mapping.yml ├── roles_tenants.yml ├── spock-keystore.jks └── truststore.jks ├── dlsfls ├── action_groups.yml ├── config.yml ├── doc1.json ├── flsquery.json ├── flsquery2.json ├── internal_users.yml ├── kirk-keystore.jks ├── logs_bulk_data.json ├── masked_field_mapping.json ├── node-0-keystore.jks ├── roles.yml ├── roles_983.yml ├── roles_983_tenants.yml ├── roles_ccs2.yml ├── roles_ccs2_tenants.yml ├── roles_mapping.yml ├── roles_tenants.yml ├── scenarios.txt ├── spock-keystore.jks └── truststore.jks ├── jwt ├── kirk-keystore.jks ├── node-0-keystore.jks ├── spock-keystore.jks └── truststore.jks ├── ldap ├── action_groups.yml ├── base.ldif ├── base2.ldif ├── chain-ca.pem ├── config.yml ├── config_ldap2.yml ├── internal_users.yml ├── kirk-keystore.jks ├── kirk.key.pem ├── node-0-keystore.jks ├── node-0.crt.pem ├── node-0.key.pem ├── roles.yml ├── roles_mapping.yml ├── roles_tenants.yml ├── root-ca.pem ├── spock-keystore.jks ├── spock.crt.pem ├── spock.crtfull.pem ├── spock.key.pem ├── test1.yml └── truststore.jks ├── log4j2-test.properties ├── multitenancy ├── action_groups.yml ├── config.yml ├── config_basic_auth.yml ├── config_nodnfof.yml ├── internal_users.yml ├── kirk-keystore.jks ├── node-0-keystore.jks ├── roles.yml ├── roles_mapping.yml ├── roles_tenants.yml ├── spock-keystore.jks └── truststore.jks ├── restapi ├── action_groups.yml ├── actiongroup_crud.json ├── actiongroup_not_parseable.json ├── actiongroup_read.json ├── actiongroup_readonly.json ├── config.yml ├── internal_users.yml ├── invalid_config.json ├── 
kirk-keystore.jks ├── kirk.key.pem ├── node-0-keystore.jks ├── roles.yml ├── roles_captains.json ├── roles_captains_different_content.json ├── roles_captains_no_tenants.json ├── roles_captains_tenants.json ├── roles_captains_tenants2.json ├── roles_captains_tenants_malformed.json ├── roles_complete_invalid.json ├── roles_field_masks_invalid.json ├── roles_field_masks_valid.json ├── roles_invalid_keys.json ├── roles_mapping.yml ├── roles_multiple.json ├── roles_multiple_2.json ├── roles_not_parseable.json ├── roles_starfleet.json ├── roles_tenants.yml ├── roles_wrong_datatype.json ├── rolesmapping_all_access.json ├── rolesmapping_all_noaccess.json ├── rolesmapping_backendroles_captains_list.json ├── rolesmapping_backendroles_captains_single.json ├── rolesmapping_backendroles_captains_single_wrong_datatype.json ├── rolesmapping_hosts_list.json ├── rolesmapping_hosts_single.json ├── rolesmapping_hosts_single_wrong_datatype.json ├── rolesmapping_invalid_keys.json ├── rolesmapping_not_parseable.json ├── rolesmapping_users_picard_list.json ├── rolesmapping_users_picard_single.json ├── rolesmapping_users_picard_single_wrong_datatype.json ├── security_config.json ├── securityconfig.json ├── simple_role.json ├── spock-keystore.jks ├── truststore.jks ├── users_key_not_quoted.json ├── users_wrong_datatypes.json ├── users_wrong_datatypes2.json └── users_wrong_datatypes3.json ├── saml ├── kirk-keystore.jks └── spock-keystore.jks └── sslConfigurator ├── jks ├── node1-keystore.jks ├── other-root-ca.jks ├── other-root-ca.pem └── truststore.jks └── pem ├── kirk.key ├── kirk.pem ├── node-wrong-hostname-keystore.jks ├── node-wrong-hostname.key ├── node-wrong-hostname.pem ├── node1-keystore.jks ├── node1.key ├── node1.pem ├── other-root-ca.pem ├── root-ca.pem ├── signing-ca.pem ├── spock.key ├── spock.pem ├── truststore.jks ├── wrong-kirk.key └── wrong-kirk.pem /.github/workflows/ci.yml: -------------------------------------------------------------------------------- 1 | name: CI 2 | 
on:
  # `pull_request` (not `pull_request_target`): for PRs from forks GitHub runs
  # this event with a read-only token and without repository secrets. The Maven
  # steps below execute code from the PR (pom plugins, tests), so keep secrets
  # out of this job.
  pull_request:
    branches:
      - '*'
  push:
    branches:
      - master

# NOTE(review): no `permissions:` block is declared, so the job token gets the
# repository/organisation default scopes; a build-only job needs no more than
# `contents: read`.
jobs:
  build:
    runs-on: ubuntu-latest
    # NOTE(review): the build image is referenced by a mutable tag (`v1`);
    # pinning it by digest (image@sha256:DIGEST) fixes the toolchain that runs.
    container: opendistroforelasticsearch/security-maven:v1

    steps:

    # NOTE(review): actions are referenced by tag (`@v1`), which the action
    # owner can move; pinning to a full commit SHA fixes the code that runs.
    # security-parent and security are built from the head of `master`, so the
    # produced artifacts depend on whatever those branches contain at build time.
    - name: Checkout security-parent
      uses: actions/checkout@v1
      with:
        repository: opendistro-for-elasticsearch/security-parent
        ref: refs/heads/master
    - name: Install security-parent
      run: mvn clean install -DskipTests --file ../security-parent/pom.xml

    - name: Checkout security
      uses: actions/checkout@v1
      with:
        repository: opendistro-for-elasticsearch/security
        ref: refs/heads/master
    - name: Install security
      run: mvn clean install -DskipTests --file ../security/pom.xml

    # Checks out this repository at the commit that triggered the workflow.
    - name: Checkout security-advanced-modules
      uses: actions/checkout@v1

    - name: Checkstyle
      run: mvn checkstyle:checkstyle

    - name: Test
      run: mvn test

    - name: Install
      run: mvn clean install -DskipTests

    - name: Package
      run: mvn clean package -Padvanced -DskipTests --file ../security/pom.xml

    # The uploaded release bundle is built from PR-controlled sources on
    # pull_request runs; treat those artifacts as untrusted.
    - name: Upload Artifacts
      uses: actions/upload-artifact@v1
      with:
        name: artifacts
        path: ../security/target/releases/

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
target/
test-output/

/build.gradle
*.log
.externalToolBuilders
maven-eclipse.xml

## eclipse ignores (use 'mvn eclipse:eclipse' to build eclipse projects)
## The only configuration files which are not ignored are certain files in
## .settings (as listed below) since these files ensure common coding
## style across Eclipse and IDEA.
## Other files (.project, .classpath) should be generated through Maven which
## will correctly set the classpath based on the declared dependencies.
15 | .project 16 | .classpath 17 | eclipse-build 18 | */.project 19 | */.classpath 20 | */eclipse-build 21 | /.settings/ 22 | !/.settings/org.eclipse.core.resources.prefs 23 | !/.settings/org.eclipse.jdt.core.prefs 24 | !/.settings/org.eclipse.jdt.ui.prefs 25 | !/.settings/org.eclipse.jdt.groovy.core.prefs 26 | bin 27 | elasticsearch-*/ 28 | .DS_Store 29 | data/ 30 | puppet/.vagrant 31 | test.sh 32 | .vagrant/ 33 | .idea/ 34 | *.iml 35 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | ## Code of Conduct 2 | This project has adopted an [Open Source Code of Conduct](https://opendistro.github.io/for-elasticsearch/codeofconduct.html). 3 | -------------------------------------------------------------------------------- /NOTICE.txt: -------------------------------------------------------------------------------- 1 | Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. 2 | 3 | This product includes software developed by The Apache Software 4 | Foundation (http://www.apache.org/). 5 | 6 | This product includes software developed by The Legion of the Bouncy Castle Inc. 7 | (http://www.bouncycastle.org) 8 | 9 | See THIRD-PARTY.txt for additional third party licenses used by this product. -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | [![CI](https://github.com/opendistro-for-elasticsearch/security-advanced-modules/workflows/CI/badge.svg?branch=master)](https://github.com/opendistro-for-elasticsearch/security-advanced-modules/actions) 2 | 3 | # Open Distro For Elasticsearch Security Advanced Modules 4 | 5 | The Open Distro For Elasticsearch Security Advanced Modules builds on Open Distro for Elasticsearch Security to provide additional advanced features for securing your cluster. 
6 | 7 | ## Deprecated as of Opendistro version 1.4: 8 | 9 | * Security-advanced-modules and security-parent have been merged into security. 10 | 11 | ## Highlights 12 | 13 | * Active Directory and LDAP Authentication/Authorization 14 | * Kerberos/SPNEGO Authentication/Authorization 15 | * JSON Web Token (JWT) Authentication/Authorization 16 | * Document level security 17 | * Field level security 18 | * Audit logging with multiple audit log storage types 19 | * Security configuration REST API 20 | * Kibana multi tenancy 21 | 22 | # Technical documentation 23 | 24 | Please see our [technical documentation](https://opendistro.github.io/for-elasticsearch-docs/) for installation and configuration instructions. 25 | 26 | # Developer setup, build, and run steps 27 | 28 | 29 | ## Setup 30 | 31 | 1. Check out this package from version control. 32 | 1. Launch Intellij IDEA, choose **Import Project**, select the root of this package and import it as maven project. 33 | 1. To build from the command line, set `JAVA_HOME` to point to a JDK >=11 before running `mvn`. 34 | 35 | 36 | ## Build 37 | 38 | * Source build instructions can be found here : 39 | 40 | https://github.com/opendistro-for-elasticsearch/security-parent/blob/master/README.md 41 | 42 | ## Custom CI build for testing 43 | 44 | This project is dependent on [security-parent](https://github.com/opendistro-for-elasticsearch/security-parent) repository and [security](https://github.com/opendistro-for-elasticsearch/security) repository. 45 | By default the Github Actions CI workflow checks out the master branch of both the repos. 46 | In order to point to a different repository/fork/branch/tag for testing a pull request, please update `repository` and `ref` inputs of the respective checkout actions in the [ci.yml](.github/workflows/ci.yml) file. Here is a sample which uses `opendistro-1.3` branch of `security-parent` project during building. 
47 | 48 | ``` 49 | - name: Checkout security-parent 50 | uses: actions/checkout@v1 51 | with: 52 | repository: opendistro-for-elasticsearch/security-parent 53 | ref: refs/heads/opendistro-1.3 54 | ``` 55 | 56 | ## Debugging 57 | 58 | Please refer to the well-documented instructions provided by popular IDEs like IntelliJ and Eclipse on how to set up a debugger to debug code/test failures. 59 | 60 | 61 | ## License 62 | 63 | This code is licensed under the Apache 2.0 License. 64 | 65 | ## Copyright 66 | 67 | Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. 68 | 69 | -------------------------------------------------------------------------------- /opendistro-elasticsearch-security-advanced-modules.release-notes: -------------------------------------------------------------------------------- 1 | ## 2019-11-18 Version 1.3.0.0 (Current) 2 | 3 | - Support for Elasticsearch 7.3.2 4 | - Fixed leaked ldap connection 5 | - Use combine bitset for DLS 6 | - Fixed FLS exists query on fields without norms and doc values 7 | - Fixed field masking with aggregations 8 | - Introduced MaskedTermsEnum to fix field anonymization with aggregations 9 | - Added _seq_no and _primary_term to meta fields for FLS 10 | - Fixed rest API validator to accept opendistro_security_roles for internal users 11 | - Exception handling for SAML IdP at startup 12 | - Updated Jackson databind dependency to 2.9.9 13 | - Updated Kafka client dependency to 2.0.1 14 | - Fixed access control exception for ldap2 15 | - Upgraded CXF to 2.3.9 16 | - Bumped jackson-databind from 2.9.9.2 to 2.9.10.1 17 | - Other minor fixes for detailed error logging 18 | 19 | ## 2019-10-10, Version 1.2.1.0 20 | 21 | - Support for Elasticsearch 7.2.1 22 | 23 | ## 2019-08-07, Version 1.2.0.0 24 | 25 | - Support for Elasticsearch 7.2.0 26 | 27 | ## 2019-06-21, Version 1.1.0.0 28 | 29 | - Support for Elasticsearch 7.1 30 | 31 | ## 2019-06-21, Version 1.0.0.0 32 | 33 | - New configuration syntax 34 | - Streamlined 
the YAML configuration file syntax and added a migration feature to `securityadmin.sh` to help you move from the old file format to the new format. 35 | - Request bodies for calls to the REST API are also slightly different. 36 | 37 | - Static default roles 38 | - Previously, all roles were dynamically configured and stored in the Security plugin configuration index, including default roles such as `kibana_read_only` and `logstash` 39 | - Now, all default roles are static, so permission changes to these roles are automatically applied when you upgrade Open Distro for Elasticsearch. 40 | 41 | - New LDAP/Active Directory module 42 | - We’ve added a new version of the LDAP/Active Directory module that supports querying multiple userbases/rolebases and more sophisticated connection pooling. 43 | - It replaces the existing module and is fully backward-compatible. 44 | 45 | 46 | PRs: 47 | https://github.com/opendistro-for-elasticsearch/security-advanced-modules/pull/11 48 | Algorithm is not mandatory for the key material, so we set it to the same as the JWT. Thanks MichelZ@ for contribution. 
49 | 50 | https://github.com/opendistro-for-elasticsearch/security-advanced-modules/pull/16 51 | Allow KID of JWK's to contain forward slashes 52 | 53 | ## 2019-04-23, Version 0.9.0.0 54 | 55 | - Support For Elasticsearch 6.7 56 | 57 | ## 2019-04-04, Version 0.8.0.0 58 | 59 | - Support For Elasticsearch 6.6 60 | 61 | ## 2019-03-19, Version 0.7.0.1 62 | 63 | - Fixed git repo URLs in pom.xml 64 | - Minor config fixes 65 | 66 | ## 2019-03-12, Version 0.7.0.0 67 | 68 | - Initial launch of security-advanced-modules for opendistro-for-elasticsearch 69 | -------------------------------------------------------------------------------- /output.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opendistro-for-elasticsearch/deprecated-security-advanced-modules/040bd24e1d99070abad1394a4166aa9a215514ec/output.txt -------------------------------------------------------------------------------- /src/main/java/com/amazon/dlic/auth/http/jwt/keybyoidc/AuthenticatorUnavailableException.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"). 5 | * You may not use this file except in compliance with the License. 6 | * A copy of the License is located at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * or in the "license" file accompanying this file. This file is distributed 11 | * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either 12 | * express or implied. See the License for the specific language governing 13 | * permissions and limitations under the License. 
 */

package com.amazon.dlic.auth.http.jwt.keybyoidc;

/**
 * Unchecked exception declared by {@code KeyProvider} and {@code KeySetProvider}
 * in this package. It is a separate type from {@code BadCredentialsException},
 * so callers can tell the two failure kinds apart.
 *
 * NOTE(review): the name suggests "the identity provider / key source could not
 * be reached"; a caller handling it should reject the request rather than treat
 * the token as valid. Confirm against the authenticator that catches it.
 */
public class AuthenticatorUnavailableException extends RuntimeException {
    private static final long serialVersionUID = -7007025852090301416L;

    /** Creates the exception with neither message nor cause. */
    public AuthenticatorUnavailableException() {
    }

    /** Creates the exception with a detail message only. */
    public AuthenticatorUnavailableException(String message) {
        super(message);
    }

    /** Creates the exception wrapping {@code cause}. */
    public AuthenticatorUnavailableException(Throwable cause) {
        super(cause);
    }

    /** Creates the exception with a detail message and the underlying cause. */
    public AuthenticatorUnavailableException(String message, Throwable cause) {
        super(message, cause);
    }

    /** Full-control constructor; all four arguments are forwarded to {@link RuntimeException}. */
    public AuthenticatorUnavailableException(String message, Throwable cause, boolean enableSuppression,
            boolean writableStackTrace) {
        super(message, cause, enableSuppression, writableStackTrace);
    }

}
--------------------------------------------------------------------------------
/src/main/java/com/amazon/dlic/auth/http/jwt/keybyoidc/BadCredentialsException.java:
--------------------------------------------------------------------------------
/*
 * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License").
 * You may not use this file except in compliance with the License.
 * A copy of the License is located at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * or in the "license" file accompanying this file. This file is distributed
 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
 * express or implied. See the License for the specific language governing
 * permissions and limitations under the License.
 */

package com.amazon.dlic.auth.http.jwt.keybyoidc;

/**
 * Checked exception declared by both methods of {@code KeyProvider} in this
 * package, next to the unchecked {@code AuthenticatorUnavailableException}.
 *
 * NOTE(review): presumably signals that the presented token or its key id is
 * not acceptable (as opposed to the key source being unreachable) - confirm
 * against the code that throws it.
 */
public class BadCredentialsException extends Exception {

    private static final long serialVersionUID = 9092575587366580869L;

    /** Creates the exception with neither message nor cause. */
    public BadCredentialsException() {
    }

    /** Creates the exception with a detail message only. */
    public BadCredentialsException(String message) {
        super(message);
    }

    /** Creates the exception wrapping {@code cause}. */
    public BadCredentialsException(Throwable cause) {
        super(cause);
    }

    /** Creates the exception with a detail message and the underlying cause. */
    public BadCredentialsException(String message, Throwable cause) {
        super(message, cause);
    }

    /** Full-control constructor; all four arguments are forwarded to {@link Exception}. */
    public BadCredentialsException(String message, Throwable cause, boolean enableSuppression,
            boolean writableStackTrace) {
        super(message, cause, enableSuppression, writableStackTrace);
    }
}
--------------------------------------------------------------------------------
/src/main/java/com/amazon/dlic/auth/http/jwt/keybyoidc/HTTPJwtKeyByOpenIdConnectAuthenticator.java:
--------------------------------------------------------------------------------
/*
 * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License").
 * You may not use this file except in compliance with the License.
 * A copy of the License is located at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * or in the "license" file accompanying this file. This file is distributed
 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
 * express or implied. See the License for the specific language governing
 * permissions and limitations under the License.
 */

package com.amazon.dlic.auth.http.jwt.keybyoidc;

import java.nio.file.Path;

import org.elasticsearch.common.settings.Settings;

import com.amazon.dlic.auth.http.jwt.AbstractHTTPJwtAuthenticator;
import com.amazon.dlic.util.SettingsBasedSSLConfigurator;

/**
 * JWT authenticator of type {@code jwt-key-by-oidc}: its key provider is a
 * {@link SelfRefreshingKeySet} fed by a {@link KeySetRetriever} that is pointed
 * at the configured {@code openid_connect_url}.
 */
public class HTTPJwtKeyByOpenIdConnectAuthenticator extends AbstractHTTPJwtAuthenticator {

    //private final static Logger log = LogManager.getLogger(HTTPJwtKeyByOpenIdConnectAuthenticator.class);

    public HTTPJwtKeyByOpenIdConnectAuthenticator(Settings settings, Path configPath) {
        super(settings, configPath);
    }

    /**
     * Builds the key provider from the authenticator settings.
     *
     * Settings read here, with the defaults used when a key is absent:
     * idp_request_timeout_ms (5000), idp_queued_thread_timeout_ms (2500),
     * refresh_rate_limit_time_window_ms (10000), refresh_rate_limit_count (10),
     * cache_jwks_endpoint (false) and openid_connect_url (no default).
     *
     * NOTE(review): openid_connect_url is handed to KeySetRetriever as read - a
     * missing key yields null and the scheme is not checked here. The keys used
     * to verify token signatures come from this endpoint, so it should be an
     * https URL and the "openid_connect_idp" TLS settings should verify the
     * provider's certificate; confirm where (or whether) that is enforced.
     *
     * NOTE(review): the refresh rate limit presumably bounds how often tokens
     * carrying unknown key ids can trigger a key fetch from the provider -
     * verify in SelfRefreshingKeySet before raising the defaults.
     */
    protected KeyProvider initKeyProvider(Settings settings, Path configPath) throws Exception {
        final int requestTimeoutMs = settings.getAsInt("idp_request_timeout_ms", 5000);
        final int queuedThreadTimeoutMs = settings.getAsInt("idp_queued_thread_timeout_ms", 2500);
        final int rateLimitWindowMs = settings.getAsInt("refresh_rate_limit_time_window_ms", 10000);
        final int rateLimitCount = settings.getAsInt("refresh_rate_limit_count", 10);

        // Same evaluation order as the constructor arguments: URL, TLS config, cache flag.
        final String openIdConnectUrl = settings.get("openid_connect_url");
        final SettingsBasedSSLConfigurator.SSLConfig idpTls = getSSLConfig(settings, configPath);
        final Boolean cacheJwksEndpoint = settings.getAsBoolean("cache_jwks_endpoint", false);

        final KeySetRetriever retriever = new KeySetRetriever(openIdConnectUrl, idpTls, cacheJwksEndpoint);
        retriever.setRequestTimeoutMs(requestTimeoutMs);

        final SelfRefreshingKeySet keySet = new SelfRefreshingKeySet(retriever);
        keySet.setRequestTimeoutMs(requestTimeoutMs);
        keySet.setQueuedThreadTimeoutMs(queuedThreadTimeoutMs);
        keySet.setRefreshRateLimitTimeWindowMs(rateLimitWindowMs);
        keySet.setRefreshRateLimitCount(rateLimitCount);

        return keySet;
    }

    /** Builds the TLS configuration for provider connections from the "openid_connect_idp" settings. */
    private static SettingsBasedSSLConfigurator.SSLConfig getSSLConfig(Settings settings, Path configPath)
            throws Exception {
        final SettingsBasedSSLConfigurator configurator =
                new SettingsBasedSSLConfigurator(settings, configPath, "openid_connect_idp");
        return configurator.buildSSLConfig();
    }

    @Override
    public String getType() {
        return "jwt-key-by-oidc";
    }

}
--------------------------------------------------------------------------------
/src/main/java/com/amazon/dlic/auth/http/jwt/keybyoidc/KeyProvider.java:
--------------------------------------------------------------------------------
/*
 * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License").
 * You may not use this file except in compliance with the License.
 * A copy of the License is located at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * or in the "license" file accompanying this file. This file is distributed
 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
 * express or implied. See the License for the specific language governing
 * permissions and limitations under the License.
 */

package com.amazon.dlic.auth.http.jwt.keybyoidc;

import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;

/**
 * Source of JSON Web Keys looked up by key id ({@code kid}).
 *
 * Both methods declare the unchecked AuthenticatorUnavailableException and the
 * checked BadCredentialsException.
 */
public interface KeyProvider {
    /** Returns the key for {@code kid}. */
    JsonWebKey getKey(String kid) throws AuthenticatorUnavailableException, BadCredentialsException;

    /**
     * Returns the key for {@code kid}; judging by the name, after the key set
     * has been refreshed (verify against the implementation).
     */
    JsonWebKey getKeyAfterRefresh(String kid) throws AuthenticatorUnavailableException, BadCredentialsException;
}
--------------------------------------------------------------------------------
/src/main/java/com/amazon/dlic/auth/http/jwt/keybyoidc/KeySetProvider.java:
--------------------------------------------------------------------------------
/*
 * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License").
 * You may not use this file except in compliance with the License.
 * A copy of the License is located at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * or in the "license" file accompanying this file. This file is distributed
 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
 * express or implied. See the License for the specific language governing
 * permissions and limitations under the License.
 */

package com.amazon.dlic.auth.http.jwt.keybyoidc;

import org.apache.cxf.rs.security.jose.jwk.JsonWebKeys;

/**
 * Supplier of a complete JSON Web Key set.
 *
 * Single-method interface, so it can be implemented with a lambda or method
 * reference.
 */
@FunctionalInterface
public interface KeySetProvider {
    /**
     * Returns the current key set.
     *
     * @throws AuthenticatorUnavailableException unchecked; presumably raised when
     *         the key set cannot be obtained (confirm against implementations)
     */
    JsonWebKeys get() throws AuthenticatorUnavailableException;
}
--------------------------------------------------------------------------------
/src/main/java/com/amazon/dlic/auth/http/jwt/oidc/json/OpenIdProviderConfiguration.java:
--------------------------------------------------------------------------------
/*
 * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License").
 * You may not use this file except in compliance with the License.
 * A copy of the License is located at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * or in the "license" file accompanying this file. This file is distributed
 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
 * express or implied. See the License for the specific language governing
 * permissions and limitations under the License.
 */

package com.amazon.dlic.auth.http.jwt.oidc.json;

import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.annotation.JsonProperty;

/**
 * Jackson binding for an OpenID provider configuration document.
 *
 * Only the jwks_uri property is mapped; every other property of the document
 * is dropped because of ignoreUnknown = true.
 *
 * NOTE(review): "issuer" is not mapped, so this class gives a caller no way to
 * compare the document's issuer with the configured provider URL, and jwks_uri
 * is returned exactly as received (no scheme or host check here). Confirm that
 * the consumer validates the value before fetching signing keys from it.
 */
@JsonIgnoreProperties(ignoreUnknown = true)
public class OpenIdProviderConfiguration {

    // Bound to the "jwks_uri" property; stays null when the document omits it.
    @JsonProperty("jwks_uri")
    private String jwksUri;

    /** Returns the jwks_uri value as read from the document, or null if none was set. */
    public String getJwksUri() {
        return jwksUri;
    }

    /** Stores the jwks_uri value without any validation. */
    public void setJwksUri(String jwksUri) {
        this.jwksUri = jwksUri;
    }

}
--------------------------------------------------------------------------------
/src/main/java/com/amazon/dlic/auth/http/kerberos/util/KrbConstants.java:
--------------------------------------------------------------------------------
/*
 * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License").
 * You may not use this file except in compliance with the License.
 * A copy of the License is located at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * or in the "license" file accompanying this file. This file is distributed
 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
 * express or implied. See the License for the specific language governing
 * permissions and limitations under the License.
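 */

package com.amazon.dlic.auth.http.kerberos.util;

import org.ietf.jgss.GSSException;
import org.ietf.jgss.Oid;

/**
 * Constants shared by the Kerberos/SPNEGO HTTP authentication code: the two
 * GSS-API mechanism OIDs, the JVM system property names that configure
 * Kerberos and JAAS, and the HTTP header name and scheme.
 */
public final class KrbConstants {

    /** Mechanism OID 1.3.6.1.5.5.2 (SPNEGO). */
    public static final Oid SPNEGO;
    /** Mechanism OID 1.2.840.113554.1.2.2 (Kerberos V5). */
    public static final Oid KRB5MECH;
    public static final String KRB5_CONF_PROP = "java.security.krb5.conf";
    public static final String JAAS_LOGIN_CONF_PROP = "java.security.auth.login.config";
    public static final String USE_SUBJECT_CREDS_ONLY_PROP = "javax.security.auth.useSubjectCredsOnly";
    public static final String NEGOTIATE = "Negotiate";
    public static final String WWW_AUTHENTICATE = "WWW-Authenticate";

    static {
        try {
            SPNEGO = new Oid("1.3.6.1.5.5.2");
            KRB5MECH = new Oid("1.2.840.113554.1.2.2");
        } catch (final GSSException e) {
            // The previous version swallowed this exception and left both OIDs
            // null, which would only surface later as a NullPointerException
            // in the middle of an authentication attempt. Both strings are
            // fixed and well-formed, so this branch is not expected to run;
            // if it ever does, fail class initialisation loudly instead.
            throw new ExceptionInInitializerError(e);
        }
    }

    private KrbConstants() {
        // constants holder, not instantiable
    }

}
--------------------------------------------------------------------------------
/src/main/java/com/amazon/dlic/auth/http/saml/SamlConfigException.java:
--------------------------------------------------------------------------------
/*
 * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License").
 * You may not use this file except in compliance with the License.
 * A copy of the License is located at
 *
 *  http://www.apache.org/licenses/LICENSE-2.0
 *
 * or in the "license" file accompanying this file. This file is distributed
 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
 * express or implied. See the License for the specific language governing
 * permissions and limitations under the License.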
 */

package com.amazon.dlic.auth.http.saml;

/**
 * Checked exception for problems with the SAML configuration. It adds nothing
 * to {@link Exception}; every constructor forwards to the matching superclass
 * constructor.
 */
public class SamlConfigException extends Exception {

    private static final long serialVersionUID = 6888715101647475455L;

    /** Creates an exception without message or cause. */
    public SamlConfigException() {
    }

    /** @param message description of the configuration problem */
    public SamlConfigException(String message) {
        super(message);
    }

    /** @param cause the underlying failure */
    public SamlConfigException(Throwable cause) {
        super(cause);
    }

    /**
     * @param message description of the configuration problem
     * @param cause   the underlying failure
     */
    public SamlConfigException(String message, Throwable cause) {
        super(message, cause);
    }

    /**
     * @param message            description of the configuration problem
     * @param cause              the underlying failure
     * @param enableSuppression  passed through to {@link Exception}
     * @param writableStackTrace passed through to {@link Exception}
     */
    public SamlConfigException(String message, Throwable cause, boolean enableSuppression,
            boolean writableStackTrace) {
        super(message, cause, enableSuppression, writableStackTrace);
    }

}
--------------------------------------------------------------------------------
/src/main/java/com/amazon/dlic/auth/http/saml/SamlFilesystemMetadataResolver.java:
--------------------------------------------------------------------------------
/*
 * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License").
 * You may not use this file except in compliance with the License.
 * A copy of the License is located at
 *
 *  http://www.apache.org/licenses/LICENSE-2.0
 *
 * or in the "license" file accompanying this file. This file is distributed
 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
 * express or implied. See the License for the specific language governing
 * permissions and limitations under the License.
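 */

package com.amazon.dlic.auth.http.saml;

import java.io.File;
import java.nio.file.Path;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.env.Environment;
import org.opensaml.saml.metadata.resolver.impl.FilesystemMetadataResolver;

import net.shibboleth.utilities.java.support.resolver.ResolverException;
import net.shibboleth.utilities.java.support.xml.BasicParserPool;

/**
 * {@link FilesystemMetadataResolver} that takes the metadata file location from
 * the {@code idp.metadata_file} setting and reads the file inside a
 * {@code doPrivileged} block.
 */
public class SamlFilesystemMetadataResolver extends FilesystemMetadataResolver {
    // Used only to give every resolver instance a distinct component id.
    private static int componentIdCounter = 0;

    /**
     * @param esSettings settings that contain {@code idp.metadata_file}
     * @param configPath config path handed to {@link Environment}
     * @throws IllegalArgumentException if {@code idp.metadata_file} is not set
     * @throws Exception                whatever the superclass constructor or
     *                                  the parser pool initialisation throws
     */
    SamlFilesystemMetadataResolver(Settings esSettings, Path configPath) throws Exception {
        super(getMetadataFile(esSettings, configPath));
        setId(SamlFilesystemMetadataResolver.class.getName() + "_" + (++componentIdCounter));
        // Metadata that fails validity checks is rejected rather than used.
        setRequireValidMetadata(true);
        BasicParserPool basicParserPool = new BasicParserPool();
        basicParserPool.initialize();
        setParserPool(basicParserPool);
    }

    /**
     * Reads the metadata file with this class's own permissions, so that the
     * read does not depend on the permissions of the calling code.
     *
     * @return the raw metadata bytes
     * @throws ResolverException if the superclass fails to read the file
     */
    @Override
    protected byte[] fetchMetadata() throws ResolverException {
        try {
            return AccessController.doPrivileged(new PrivilegedExceptionAction<byte[]>() {
                @Override
                public byte[] run() throws ResolverException {
                    return SamlFilesystemMetadataResolver.super.fetchMetadata();
                }
            });
        } catch (PrivilegedActionException e) {
            // doPrivileged wraps checked exceptions; hand the original one back.
            if (e.getCause() instanceof ResolverException) {
                throw (ResolverException) e.getCause();
            } else {
                throw new RuntimeException(e);
            }
        }
    }

    /**
     * Resolves {@code idp.metadata_file} against the config directory.
     *
     * NOTE(review): {@code Path.resolve} returns an absolute argument
     * unchanged and does not normalise {@code ..}, so the setting can name a
     * file outside the config directory. The setting is operator-supplied;
     * what the process may actually read is then limited only by its file
     * permissions.
     */
    private static File getMetadataFile(Settings settings, Path configPath) {

        String originalPath = settings.get("idp.metadata_file", null);

        if (originalPath == null) {
            // Without this check Path.resolve(null) fails with a bare
            // NullPointerException that does not name the missing setting.
            throw new IllegalArgumentException("idp.metadata_file is not configured");
        }

        Environment env = new Environment(settings, configPath);

        return env.configFile().resolve(originalPath).toAbsolutePath().toFile();
    }
}
--------------------------------------------------------------------------------
/src/main/java/com/amazon/dlic/auth/http/saml/SamlNameIdFormat.java:
--------------------------------------------------------------------------------
/*
 * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License").
 * You may not use this file except in compliance with the License.
 * A copy of the License is located at
 *
 *  http://www.apache.org/licenses/LICENSE-2.0
 *
 * or in the "license" file accompanying this file. This file is distributed
 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
 * express or implied. See the License for the specific language governing
 * permissions and limitations under the License.
 */

package com.amazon.dlic.auth.http.saml;

import java.util.HashMap;
import java.util.Map;

/**
 * A SAML NameID format, identified by its URI and by a short name. The static
 * tables below hold the known formats; they are filled once in the static
 * initialiser.
 */
public class SamlNameIdFormat {
    // Element types restored: the lookups further down assign the result of
    // get() to a SamlNameIdFormat, which a raw Map does not allow.
    private static Map<String, SamlNameIdFormat> KNOWN_NAME_ID_FORMATS_BY_URI = new HashMap<>();
    private static Map<String, SamlNameIdFormat> KNOWN_NAME_ID_FORMATS_BY_SHORT_NAME = new HashMap<>();

    static {
        add("urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", "u");
        add("urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", "email");
        add("urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName", "sn");
        add("urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos", "ker");
        add("urn:oasis:names:tc:SAML:2.0:nameid-format:entity", "ent");
        add("urn:oasis:names:tc:SAML:2.0:nameid-format:persistent", "p");
        add("urn:oasis:names:tc:SAML:2.0:nameid-format:transient", "t");
    }

    private final String uri;
    private final String shortName;

    SamlNameIdFormat(String uri, String shortName) {
        this.uri = uri;
        this.shortName = shortName;
    }
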
    /** @return the format URI */
    public String getUri() {
        return uri;
    }

    /** @return the short name of the format */
    public String getShortName() {
        return shortName;
    }

    /**
     * Looks a format up by URI.
     *
     * @param uri format URI
     * @return the known format for that URI; for an unknown URI a new instance
     *         whose URI and short name are both the given value
     */
    static SamlNameIdFormat getByUri(String uri) {
        SamlNameIdFormat known = KNOWN_NAME_ID_FORMATS_BY_URI.get(uri);
        return known != null ? known : new SamlNameIdFormat(uri, uri);
    }

    /**
     * Looks a format up by short name.
     *
     * @param shortNameOrUri short name of a known format, or any other string
     * @return the known format for that short name; otherwise a new instance
     *         whose URI and short name are both the given value
     */
    static SamlNameIdFormat getByShortName(String shortNameOrUri) {
        SamlNameIdFormat known = KNOWN_NAME_ID_FORMATS_BY_SHORT_NAME.get(shortNameOrUri);
        return known != null ? known : new SamlNameIdFormat(shortNameOrUri, shortNameOrUri);
    }

    // Registers one format in both lookup tables.
    private static void add(String uri, String shortName) {
        SamlNameIdFormat format = new SamlNameIdFormat(uri, shortName);
        KNOWN_NAME_ID_FORMATS_BY_SHORT_NAME.put(shortName, format);
        KNOWN_NAME_ID_FORMATS_BY_URI.put(uri, format);
    }

}
--------------------------------------------------------------------------------
/src/main/java/com/amazon/opendistroforelasticsearch/security/auditlog/sink/DebugSink.java:
--------------------------------------------------------------------------------
/*
 * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License").
 * You may not use this file except in compliance with the License.
 * A copy of the License is located at
 *
 *  http://www.apache.org/licenses/LICENSE-2.0
 *
 * or in the "license" file accompanying this file. This file is distributed
 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
 * express or implied. See the License for the specific language governing
 * permissions and limitations under the License.
 */

package com.amazon.opendistroforelasticsearch.security.auditlog.sink;

import org.elasticsearch.common.settings.Settings;

import com.amazon.opendistroforelasticsearch.security.auditlog.impl.AuditMessage;

/**
 * Audit sink that prints every message to standard output.
 *
 * The output is the pretty-printed audit message, written with
 * {@code System.out} and not through the logging framework, so it ends up
 * wherever the process's stdout goes and is not covered by log rotation or
 * log access controls. Intended for debugging, as the name says.
 */
public final class DebugSink extends AuditLogSink {

    /**
     * @param name         sink name, passed to the superclass
     * @param settings     settings, passed to the superclass
     * @param fallbackSink fallback sink, passed to the superclass
     */
    public DebugSink(String name, Settings settings, AuditLogSink fallbackSink) {
        // no settings prefix is passed on (null)
        super(name, settings, null, fallbackSink);
    }

    /** @return always {@code true} */
    @Override
    public boolean isHandlingBackpressure() {
        return true;
    }

    /**
     * Prints the message, prefixed with {@code AUDIT_LOG: }.
     *
     * @param msg the audit message
     * @return always {@code true}
     */
    @Override
    public boolean doStore(final AuditMessage msg) {
        System.out.println("AUDIT_LOG: " + msg.toPrettyString());
        return true;
    }

}
--------------------------------------------------------------------------------
/src/main/java/com/amazon/opendistroforelasticsearch/security/auditlog/sink/Log4JSink.java:
--------------------------------------------------------------------------------
/*
 * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License").
 * You may not use this file except in compliance with the License.
 * A copy of the License is located at
 *
 *  http://www.apache.org/licenses/LICENSE-2.0
 *
 * or in the "license" file accompanying this file. This file is distributed
 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
 * express or implied. See the License for the specific language governing
 * permissions and limitations under the License.
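 */

package com.amazon.opendistroforelasticsearch.security.auditlog.sink;

import org.apache.logging.log4j.Level;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.common.settings.Settings;

import com.amazon.opendistroforelasticsearch.security.auditlog.impl.AuditMessage;

/**
 * Audit sink that writes each message as JSON to a Log4j logger.
 *
 * Logger name and level come from the settings below the sink's prefix
 * ({@code .log4j.logger_name}, default {@code sgaudit}, and
 * {@code .log4j.level}, default {@code INFO}). Whether that level is enabled
 * for the logger is checked once, in the constructor; if it is not, the sink
 * drops every message while still reporting success, so a logger configured
 * above the audit level silently yields no audit trail.
 */
public final class Log4JSink extends AuditLogSink {

    final Logger auditLogger;
    final String loggerName;
    final Level logLevel;
    final boolean enabled;

    /**
     * @param name           sink name, passed to the superclass
     * @param settings       settings holding the logger name and level
     * @param settingsPrefix prefix under which this sink's settings live
     * @param fallbackSink   fallback sink, passed to the superclass
     */
    public Log4JSink(final String name, final Settings settings, final String settingsPrefix, AuditLogSink fallbackSink) {
        super(name, settings, settingsPrefix, fallbackSink);
        loggerName = settings.get( settingsPrefix + ".log4j.logger_name","sgaudit");
        auditLogger = LogManager.getLogger(loggerName);
        // Upper-case with a fixed locale. With the JVM default locale a value
        // such as "info" becomes "İNFO" under a Turkish locale; Level.toLevel
        // does not know that name and falls back to its default level, so the
        // audit log would be written at a level nobody configured.
        logLevel = Level.toLevel(settings.get(settingsPrefix + ".log4j.level","INFO").toUpperCase(java.util.Locale.ROOT));
        enabled = auditLogger.isEnabled(logLevel);
    }

    /** @return {@code true} when the sink is disabled, so nothing is queued for it */
    @Override
    public boolean isHandlingBackpressure() {
        return !enabled; //no submit to thread pool if not enabled
    }

    /**
     * Logs the message as JSON when the sink is enabled.
     *
     * @param msg the audit message
     * @return always {@code true}, also when the message was dropped
     */
    @Override
    public boolean doStore(final AuditMessage msg) {
        if(enabled) {
            auditLogger.log(logLevel, msg.toJson());
        }
        return true;
    }

}
--------------------------------------------------------------------------------
/src/main/java/com/amazon/opendistroforelasticsearch/security/auditlog/sink/NoopSink.java:
--------------------------------------------------------------------------------
/*
 * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License").
 * You may not use this file except in compliance with the License.
 * A copy of the License is located at
 *
 *  http://www.apache.org/licenses/LICENSE-2.0
 *
 * or in the "license" file accompanying this file.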
This file is distributed
 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
 * express or implied. See the License for the specific language governing
 * permissions and limitations under the License.
 */

package com.amazon.opendistroforelasticsearch.security.auditlog.sink;

import org.elasticsearch.common.settings.Settings;

import com.amazon.opendistroforelasticsearch.security.auditlog.impl.AuditMessage;

/**
 * Audit sink that discards every message and reports success.
 *
 * Because {@link #doStore} returns {@code true}, a caller cannot tell a
 * discarded message from a stored one; with this sink there is no audit trail.
 */
public final class NoopSink extends AuditLogSink {

    /**
     * @param name         sink name, passed to the superclass
     * @param settings     settings, passed to the superclass
     * @param fallbackSink fallback sink, passed to the superclass
     */
    public NoopSink(String name, Settings settings, AuditLogSink fallbackSink) {
        // no settings prefix is passed on (null)
        super(name, settings, null, fallbackSink);
    }

    /** @return always {@code true} */
    @Override
    public boolean isHandlingBackpressure() {
        return true;
    }

    /**
     * Does nothing with the message.
     *
     * @param msg the audit message, ignored
     * @return always {@code true}
     */
    @Override
    public boolean doStore(final AuditMessage msg) {
        //do nothing
        return true;
    }

}
--------------------------------------------------------------------------------
/src/main/java/com/amazon/opendistroforelasticsearch/security/dlic/rest/api/Endpoint.java:
--------------------------------------------------------------------------------
/*
 * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License").
 * You may not use this file except in compliance with the License.
 * A copy of the License is located at
 *
 *  http://www.apache.org/licenses/LICENSE-2.0
 *
 * or in the "license" file accompanying this file. This file is distributed
 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
 * express or implied. See the License for the specific language governing
 * permissions and limitations under the License.
 */

package com.amazon.opendistroforelasticsearch.security.dlic.rest.api;

/**
 * Names of the endpoints of the security REST API.
 */
public enum Endpoint {
    ACTIONGROUPS,
    CACHE,
    CONFIG,
    ROLES,
    ROLESMAPPING,
    INTERNALUSERS,
    SYSTEMINFO,
    PERMISSIONSINFO,
    AUTHTOKEN,
    TENANTS;
}
--------------------------------------------------------------------------------
/src/main/java/com/amazon/opendistroforelasticsearch/security/dlic/rest/validation/ActionGroupValidator.java:
--------------------------------------------------------------------------------
/*
 * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License").
 * You may not use this file except in compliance with the License.
 * A copy of the License is located at
 *
 *  http://www.apache.org/licenses/LICENSE-2.0
 *
 * or in the "license" file accompanying this file. This file is distributed
 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
 * express or implied. See the License for the specific language governing
 * permissions and limitations under the License.
 */

package com.amazon.opendistroforelasticsearch.security.dlic.rest.validation;

import org.elasticsearch.common.bytes.BytesReference;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.rest.RestRequest.Method;

import com.amazon.opendistroforelasticsearch.security.dlic.rest.validation.AbstractConfigurationValidator.DataType;

/**
 * Validator for action group payloads. A payload is required; it may contain
 * {@code allowed_actions} (array), {@code description} (string) and
 * {@code type} (string), and {@code allowed_actions} must be present. How the
 * key tables are enforced is defined in the superclass.
 */
public class ActionGroupValidator extends AbstractConfigurationValidator {

    public ActionGroupValidator(final RestRequest request, BytesReference ref, final Settings esSettings, Object... param) {
        super(request, ref, esSettings, param);
        this.payloadMandatory = true;
        allowedKeys.put("allowed_actions", DataType.ARRAY);
        allowedKeys.put("description", DataType.STRING);
        allowedKeys.put("type", DataType.STRING);

        mandatoryKeys.add("allowed_actions");
    }

}
--------------------------------------------------------------------------------
/src/main/java/com/amazon/opendistroforelasticsearch/security/dlic/rest/validation/NoOpValidator.java:
--------------------------------------------------------------------------------
/*
 * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License").
 * You may not use this file except in compliance with the License.
 * A copy of the License is located at
 *
 *  http://www.apache.org/licenses/LICENSE-2.0
 *
 * or in the "license" file accompanying this file. This file is distributed
 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
 * express or implied. See the License for the specific language governing
 * permissions and limitations under the License.
 */

package com.amazon.opendistroforelasticsearch.security.dlic.rest.validation;

import org.elasticsearch.common.bytes.BytesReference;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.rest.RestRequest;

/**
 * Validator that registers no allowed or mandatory keys of its own; it only
 * passes its arguments to the superclass, so whatever checks apply are the
 * superclass defaults.
 */
public class NoOpValidator extends AbstractConfigurationValidator {

    public NoOpValidator(final RestRequest request, BytesReference ref, final Settings esSettings, Object... param) {
        super(request, ref, esSettings, param);
    }

}
--------------------------------------------------------------------------------
/src/main/java/com/amazon/opendistroforelasticsearch/security/dlic/rest/validation/RolesMappingValidator.java:
--------------------------------------------------------------------------------
/*
 * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License").
 * You may not use this file except in compliance with the License.
 * A copy of the License is located at
 *
 *  http://www.apache.org/licenses/LICENSE-2.0
 *
 * or in the "license" file accompanying this file. This file is distributed
 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
 * express or implied. See the License for the specific language governing
 * permissions and limitations under the License.
 */

package com.amazon.opendistroforelasticsearch.security.dlic.rest.validation;

import org.elasticsearch.common.bytes.BytesReference;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.rest.RestRequest;

/**
 * Validator for role mapping payloads. A payload is required; it may contain
 * the arrays {@code backend_roles}, {@code and_backend_roles}, {@code hosts}
 * and {@code users} plus a {@code description} string. The four arrays are
 * registered in {@code mandatoryOrKeys} (presumably "at least one of them must
 * be present" — the rule itself lives in the superclass).
 */
public class RolesMappingValidator extends AbstractConfigurationValidator {

    public RolesMappingValidator(final RestRequest request, final BytesReference ref, final Settings esSettings, Object... param) {
        super(request, ref, esSettings, param);
        this.payloadMandatory = true;
        allowedKeys.put("backend_roles", DataType.ARRAY);
        allowedKeys.put("and_backend_roles", DataType.ARRAY);
        allowedKeys.put("hosts", DataType.ARRAY);
        allowedKeys.put("users", DataType.ARRAY);
        allowedKeys.put("description", DataType.STRING);

        mandatoryOrKeys.add("backend_roles");
        mandatoryOrKeys.add("and_backend_roles");
        mandatoryOrKeys.add("hosts");
        mandatoryOrKeys.add("users");
    }
}
--------------------------------------------------------------------------------
/src/main/java/com/amazon/opendistroforelasticsearch/security/dlic/rest/validation/RolesValidator.java:
--------------------------------------------------------------------------------
/*
 * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License").
 * You may not use this file except in compliance with the License.
 * A copy of the License is located at
 *
 *  http://www.apache.org/licenses/LICENSE-2.0
 *
 * or in the "license" file accompanying this file. This file is distributed
 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
 * express or implied. See the License for the specific language governing
 * permissions and limitations under the License.
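 */

package com.amazon.opendistroforelasticsearch.security.dlic.rest.validation;

import java.util.List;

import org.elasticsearch.common.bytes.BytesReference;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.rest.RestRequest;

import com.amazon.opendistroforelasticsearch.security.configuration.MaskedField;
import com.jayway.jsonpath.JsonPath;
import com.jayway.jsonpath.ReadContext;

/**
 * Validator for role payloads. A payload is required; it may contain the
 * arrays {@code cluster_permissions}, {@code tenant_permissions} and
 * {@code index_permissions} plus a {@code description} string. On top of the
 * superclass checks, every {@code masked_fields} entry found anywhere in the
 * payload must be accepted by {@link MaskedField}.
 */
public class RolesValidator extends AbstractConfigurationValidator {

    public RolesValidator(final RestRequest request, final BytesReference ref, final Settings esSettings, Object... param) {
        super(request, ref, esSettings, param);
        this.payloadMandatory = true;
        allowedKeys.put("cluster_permissions", DataType.ARRAY);
        allowedKeys.put("tenant_permissions", DataType.ARRAY);
        allowedKeys.put("index_permissions", DataType.ARRAY);
        allowedKeys.put("description", DataType.STRING);
    }

    /**
     * Runs the superclass validation and then checks the masked field entries.
     *
     * @return {@code false} if the superclass validation fails or at least one
     *         masked field entry is rejected; in the latter case the error type
     *         is set to {@code WRONG_DATATYPE}
     */
    @Override
    public boolean validate() {

        if (!super.validate()) {
            return false;
        }

        boolean valid=true;

        if (this.content != null && this.content.length() > 0) {

            final ReadContext ctx = JsonPath.parse(this.content.utf8ToString());
            // "$.." matches masked_fields at any depth of the document. The
            // element type is stated so that the loop below can read strings.
            final List<String> maskedFields = ctx.read("$..masked_fields[*]");

            if (maskedFields != null) {

                // No early exit: every bad entry is recorded, not only the first.
                for (String mf : maskedFields) {
                    if (!validateMaskedFieldSyntax(mf)) {
                        valid = false;
                    }
                }
            }
        }

        if(!valid) {
            this.errorType = ErrorType.WRONG_DATATYPE;
        }

        return valid;
    }

    /**
     * Checks one masked field expression by constructing a {@link MaskedField}
     * from it.
     *
     * @param mf the masked field expression from the payload
     * @return {@code true} unless construction or {@code isValid()} throws
     */
    private boolean validateMaskedFieldSyntax(String mf) {
        try {
            // The 16 bytes are a fixed dummy value passed only so that the
            // object can be built for this check (presumably the salt slot;
            // confirm against MaskedField). They must not be taken for the
            // salt used when real data is masked.
            // NOTE(review): the boolean returned by isValid() is discarded, so
            // only an exception marks an entry as invalid — confirm that
            // isValid() never signals a problem by returning false.
            new MaskedField(mf, new byte[] {1,2,3,4,5,1,2,3,4,5,1,2,3,4,5,6}).isValid();
        } catch (Exception e) {
            wrongDatatypes.put("Masked field not valid: "+mf, e.getMessage());
            return false;
        }
        return true;
    }
}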
--------------------------------------------------------------------------------
/src/main/java/com/amazon/opendistroforelasticsearch/security/dlic/rest/validation/SecurityConfigValidator.java:
--------------------------------------------------------------------------------
/*
 * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License").
 * You may not use this file except in compliance with the License.
 * A copy of the License is located at
 *
 *  http://www.apache.org/licenses/LICENSE-2.0
 *
 * or in the "license" file accompanying this file. This file is distributed
 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
 * express or implied. See the License for the specific language governing
 * permissions and limitations under the License.
 */

package com.amazon.opendistroforelasticsearch.security.dlic.rest.validation;

import org.elasticsearch.common.bytes.BytesReference;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.rest.RestRequest;

/**
 * Validator for security configuration payloads. A payload is required and the
 * only registered key is {@code dynamic}, which must be an object. The content
 * of that object is not described here, so this class does not check it.
 */
public class SecurityConfigValidator extends AbstractConfigurationValidator {

    public SecurityConfigValidator(final RestRequest request, BytesReference ref, final Settings esSettings, Object... param) {
        super(request, ref, esSettings, param);
        this.payloadMandatory = true;
        allowedKeys.put("dynamic", DataType.OBJECT);
    }

}
--------------------------------------------------------------------------------
/src/main/java/com/amazon/opendistroforelasticsearch/security/dlic/rest/validation/TenantValidator.java:
--------------------------------------------------------------------------------
package com.amazon.opendistroforelasticsearch.security.dlic.rest.validation;



import org.elasticsearch.common.bytes.BytesReference;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.rest.RestRequest;

/**
 * Validator for tenant payloads. The payload is optional; if present it may
 * contain a {@code description} string.
 */
public class TenantValidator extends AbstractConfigurationValidator {

    public TenantValidator(final RestRequest request, BytesReference ref, final Settings esSettings, Object... param) {
        super(request, ref, esSettings, param);
        this.payloadMandatory = false;
        allowedKeys.put("description", DataType.STRING);
    }

}
--------------------------------------------------------------------------------
/src/test/java/com/amazon/dlic/auth/http/jwt/keybyoidc/CxfTestTools.java:
--------------------------------------------------------------------------------
/*
 * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License").
 * You may not use this file except in compliance with the License.
 * A copy of the License is located at
 *
 *  http://www.apache.org/licenses/LICENSE-2.0
 *
 * or in the "license" file accompanying this file. This file is distributed
 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
 * express or implied. See the License for the specific language governing
 * permissions and limitations under the License.
 */

package com.amazon.dlic.auth.http.jwt.keybyoidc;

import org.apache.cxf.jaxrs.json.basic.JsonMapObject;
import org.apache.cxf.jaxrs.json.basic.JsonMapObjectReaderWriter;

/**
 * Test helper for CXF JSON objects.
 */
class CxfTestTools {

    /**
     * Serialises a CXF JSON map object with a fresh
     * {@link JsonMapObjectReaderWriter}.
     *
     * @param jsonMapObject the object to serialise
     * @return its JSON text
     */
    static String toJson(JsonMapObject jsonMapObject) {
        return new JsonMapObjectReaderWriter().toJson(jsonMapObject);
    }
}
--------------------------------------------------------------------------------
/src/test/java/com/amazon/dlic/auth/ldap/UtilsTest.java:
--------------------------------------------------------------------------------
/*
 * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License").
 * You may not use this file except in compliance with the License.
 * A copy of the License is located at
 *
 *  http://www.apache.org/licenses/LICENSE-2.0
 *
 * or in the "license" file accompanying this file. This file is distributed
 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
 * express or implied. See the License for the specific language governing
 * permissions and limitations under the License.
 */

package com.amazon.dlic.auth.ldap;

import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;

import org.junit.Assert;
import org.junit.Test;

import com.amazon.dlic.auth.ldap.util.Utils;

/**
 * Pins down how {@link LdapName} compares distinguished names. Only
 * {@code javax.naming.ldap.LdapName} is exercised; the imported {@code Utils}
 * class is not called by this test.
 */
public class UtilsTest {


    /**
     * Equality of {@link LdapName} ignores case and surrounding spaces, but
     * depends on the order and the number of components; a component without
     * {@code =} is rejected when parsing.
     */
    @Test
    public void testLDAPName() throws Exception {
        //identical names
        Assert.assertEquals(new LdapName("CN=1,OU=2,O=3,C=4"),new LdapName("CN=1,OU=2,O=3,C=4"));

        //attribute types differ in case
        Assert.assertEquals(new LdapName("CN=1,OU=2,O=3,C=4".toLowerCase()),new LdapName("CN=1,OU=2,O=3,C=4".toUpperCase()));

        //attribute types and values differ in case
        Assert.assertEquals(new LdapName("CN=abc,OU=xyz,O=3,C=4".toLowerCase()),new LdapName("CN=abc,OU=xyz,O=3,C=4".toUpperCase()));

        //only the values differ in case
        Assert.assertEquals(new LdapName("CN=a,OU=2,O=3,C=xxx"),new LdapName("CN=A,OU=2,O=3,C=XxX"));

        //case differs and extra spaces
        Assert.assertEquals(new LdapName("Cn =1 ,OU=2, O = 3,C=4"),new LdapName("CN= 1,Ou=2,O=3,c=4"));

        //same components, different order
        Assert.assertNotEquals(new LdapName("CN=1,OU=2,C=4,O=3"),new LdapName("CN=1,OU=2,O=3,C=4"));

        //last component missing
        Assert.assertNotEquals(new LdapName("CN=1,OU=2,O=3"),new LdapName("CN=1,OU=2,O=3,C=4"));

        //first component missing
        Assert.assertNotEquals(new LdapName("OU=2,O=3,C=4"),new LdapName("CN=1,OU=2,O=3,C=4"));

        //parse exception
        try {
            new LdapName("OU2,O=3,C=4");
            Assert.fail();
        } catch (InvalidNameException e) {
            //expected
        }
    }
}
--------------------------------------------------------------------------------
/src/test/java/com/amazon/dlic/auth/ldap/srv/EmbeddedLDAPServer.java:
--------------------------------------------------------------------------------
/*
 * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License").
 * You may not use this file except in compliance with the License.
 * A copy of the License is located at
 *
 *  http://www.apache.org/licenses/LICENSE-2.0
 *
 * or in the "license" file accompanying this file. This file is distributed
 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
 * express or implied. See the License for the specific language governing
 * permissions and limitations under the License.
 */

package com.amazon.dlic.auth.ldap.srv;


/**
 * Thin test wrapper around {@code LdapServer}; every method except
 * {@link #start()} delegates to it.
 */
public class EmbeddedLDAPServer {

    LdapServer s = new LdapServer();

    /**
     * Starts the wrapped server with the given LDIF files.
     *
     * @param ldifFile LDIF files handed to {@code LdapServer.start}
     * @return the value returned by {@code LdapServer.start}
     */
    public int applyLdif(final String... ldifFile) throws Exception {
        return s.start(ldifFile);
    }

    /** Does nothing; the wrapped server is started by {@link #applyLdif}. */
    public void start() throws Exception {

    }

    /** Stops the wrapped server. */
    public void stop() throws Exception {
        s.stop();
    }

    /** @return the LDAP port reported by the wrapped server */
    public int getLdapPort() {
        return s.getLdapPort();
    }

    /** @return the LDAPS port reported by the wrapped server */
    public int getLdapsPort() {
        return s.getLdapsPort();
    }
}
--------------------------------------------------------------------------------
/src/test/java/com/amazon/opendistroforelasticsearch/security/auditlog/helper/ErroneousHttpHandler.java:
--------------------------------------------------------------------------------
/*
 * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License").
 * You may not use this file except in compliance with the License.
 * A copy of the License is located at
 *
 *  http://www.apache.org/licenses/LICENSE-2.0
 *
 * or in the "license" file accompanying this file. This file is distributed
 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
 * express or implied. See the License for the specific language governing
 * permissions and limitations under the License.
 */

package com.amazon.opendistroforelasticsearch.security.auditlog.helper;

import java.io.IOException;

import org.apache.http.HttpException;
import org.apache.http.HttpRequest;
import org.apache.http.HttpResponse;
import org.apache.http.protocol.HttpContext;
import org.apache.http.protocol.HttpRequestHandler;

/**
 * Test HTTP handler that answers every request with status 404, for tests that
 * need an endpoint which always fails.
 */
public class ErroneousHttpHandler implements HttpRequestHandler{

    /**
     * Sets the response status to 404 without looking at the request.
     */
    @Override
    public void handle(HttpRequest request, HttpResponse response, HttpContext context) throws HttpException, IOException {
        response.setStatusCode(404);
    }
}
--------------------------------------------------------------------------------
/src/test/java/com/amazon/opendistroforelasticsearch/security/auditlog/helper/FailingSink.java:
--------------------------------------------------------------------------------
/*
 * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License").
 * You may not use this file except in compliance with the License.
 * A copy of the License is located at
 *
 *  http://www.apache.org/licenses/LICENSE-2.0
 *
 * or in the "license" file accompanying this file. This file is distributed
 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
 * express or implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

package com.amazon.opendistroforelasticsearch.security.auditlog.helper;

import org.elasticsearch.common.settings.Settings;

import com.amazon.opendistroforelasticsearch.security.auditlog.impl.AuditMessage;
import com.amazon.opendistroforelasticsearch.security.auditlog.sink.AuditLogSink;

/**
 * Audit sink for tests whose {@link #doStore} always reports failure, which
 * lets a test observe what happens to a message the primary sink cannot store.
 */
public class FailingSink extends AuditLogSink {

    /**
     * @param name         sink name, passed to the superclass
     * @param settings     settings, passed to the superclass
     * @param sinkPrefix   not used: {@code null} is passed to the superclass instead
     * @param fallbackSink fallback sink, passed to the superclass
     */
    public FailingSink(String name, Settings settings, String sinkPrefix, AuditLogSink fallbackSink) {
        super(name, settings, null, fallbackSink);
    }

    /**
     * Never stores anything.
     *
     * @return always {@code false}
     */
    @Override
    protected boolean doStore(AuditMessage msg) {
        final boolean stored = false;
        return stored;
    }

    /**
     * @return always {@code true}
     */
    @Override
    public boolean isHandlingBackpressure() {
        return true;
    }

}

--------------------------------------------------------------------------------
/src/test/java/com/amazon/opendistroforelasticsearch/security/auditlog/helper/LoggingSink.java:
--------------------------------------------------------------------------------
/*
 * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License").
 * You may not use this file except in compliance with the License.
 * A copy of the License is located at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * or in the "license" file accompanying this file. This file is distributed
 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
 * express or implied. See the License for the specific language governing
 * permissions and limitations under the License.
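*/

package com.amazon.opendistroforelasticsearch.security.auditlog.helper;

import java.util.ArrayList;
import java.util.List;

import org.elasticsearch.common.settings.Settings;

import com.amazon.opendistroforelasticsearch.security.auditlog.impl.AuditMessage;
import com.amazon.opendistroforelasticsearch.security.auditlog.sink.AuditLogSink;

/**
 * Audit sink for tests that keeps every stored message in memory: the message
 * objects in {@link #messages} and their pretty-printed form in {@link #sb}.
 */
public class LoggingSink extends AuditLogSink {

    // Raw types are kept because both fields are public and read by tests.
    public List messages = new ArrayList(100);
    public StringBuffer sb = new StringBuffer();

    /**
     * @param name           sink name, passed to the superclass
     * @param settings       settings, passed to the superclass
     * @param settingsPrefix not used: {@code null} is passed to the superclass instead
     * @param fallbackSink   fallback sink, passed to the superclass
     */
    public LoggingSink(String name, Settings settings, String settingsPrefix, AuditLogSink fallbackSink) {
        super(name, settings, null, fallbackSink);
    }


    /**
     * Appends the pretty-printed message plus a line separator to {@link #sb}
     * and adds the message to {@link #messages}.
     *
     * Synchronized on the same monitor as {@link #clear()}: both methods
     * mutate the same ArrayList, which is not safe for concurrent use, so a
     * store racing with a clear could otherwise corrupt the list or lose an
     * audit record the test expects to see.
     *
     * @return always {@code true}
     */
    @Override
    public synchronized boolean doStore(AuditMessage msg) {
        sb.append(msg.toPrettyString()).append(System.lineSeparator());
        messages.add(msg);
        return true;
    }

    /**
     * Empties both the text buffer and the message list.
     */
    public synchronized void clear() {
        sb.setLength(0);
        messages.clear();
    }

    /**
     * @return always {@code true}
     */
    @Override
    public boolean isHandlingBackpressure() {
        return true;
    }

}

--------------------------------------------------------------------------------
/src/test/java/com/amazon/opendistroforelasticsearch/security/auditlog/helper/MockAuditMessageFactory.java:
--------------------------------------------------------------------------------
/*
 * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License").
 * You may not use this file except in compliance with the License.
 * A copy of the License is located at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * or in the "license" file accompanying this file. This file is distributed
 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
 * express or implied. See the License for the specific language governing
 * permissions and limitations under the License.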
*/

package com.amazon.opendistroforelasticsearch.security.auditlog.helper;

import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.when;

import java.net.InetSocketAddress;

import org.elasticsearch.cluster.ClusterName;
import org.elasticsearch.cluster.node.DiscoveryNode;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.transport.TransportAddress;

import com.amazon.opendistroforelasticsearch.security.auditlog.AuditLog.Origin;
import com.amazon.opendistroforelasticsearch.security.auditlog.impl.AuditMessage;
import com.amazon.opendistroforelasticsearch.security.auditlog.impl.AuditMessage.Category;

/**
 * Builds fully populated {@link AuditMessage} fixtures backed by Mockito
 * mocks of the cluster service and the local node.
 */
public class MockAuditMessageFactory {

    /**
     * @return a fixture message of category {@code FAILED_LOGIN}
     */
    public static AuditMessage validAuditMessage() {
        return validAuditMessage(Category.FAILED_LOGIN);
    }

    /**
     * Creates a fixture message of the given category with a fixed effective
     * user, remote address and request type.
     *
     * @param category audit category of the message
     * @return the populated message
     */
    public static AuditMessage validAuditMessage(Category category) {

        // Local node: host address, id and host name all answer "hostaddress".
        final DiscoveryNode localNode = mock(DiscoveryNode.class);
        when(localNode.getHostAddress()).thenReturn("hostaddress");
        when(localNode.getId()).thenReturn("hostaddress");
        when(localNode.getHostName()).thenReturn("hostaddress");

        final ClusterService clusterService = mock(ClusterService.class);
        when(clusterService.localNode()).thenReturn(localNode);
        when(clusterService.getClusterName()).thenReturn(new ClusterName("testcluster"));

        // An IP literal, so building the address needs no name lookup; the
        // value is only attached to the message below.
        final TransportAddress remoteAddress = new TransportAddress(new InetSocketAddress("8.8.8.8", 80));

        final AuditMessage auditMessage =
                new AuditMessage(category, clusterService, Origin.TRANSPORT, Origin.TRANSPORT);
        auditMessage.addEffectiveUser("John Doe");
        auditMessage.addRemoteAddress(remoteAddress);
        auditMessage.addRequestType("IndexRequest");
        return auditMessage;
    }

}

--------------------------------------------------------------------------------
/src/test/java/com/amazon/opendistroforelasticsearch/security/auditlog/helper/MockRestRequest.java:
--------------------------------------------------------------------------------
/*
 *
Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License").
 * You may not use this file except in compliance with the License.
 * A copy of the License is located at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * or in the "license" file accompanying this file. This file is distributed
 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
 * express or implied. See the License for the specific language governing
 * permissions and limitations under the License.
 */

package com.amazon.opendistroforelasticsearch.security.auditlog.helper;

import java.util.Collections;

import org.elasticsearch.common.bytes.BytesReference;
import org.elasticsearch.common.xcontent.NamedXContentRegistry;
import org.elasticsearch.rest.RestRequest;

/**
 * Minimal {@link RestRequest} for tests: a GET with an empty URI, no
 * parameters, no headers and no body.
 */
public class MockRestRequest extends RestRequest {

    /**
     * Calls the superclass constructor with, in order: an empty content
     * registry, empty params, an empty path, empty headers, and {@code null}
     * for both the HTTP request and the HTTP channel.
     */
    public MockRestRequest() {
        super(NamedXContentRegistry.EMPTY,
                Collections.emptyMap(),
                "",
                Collections.emptyMap(),
                null,
                null);
    }

    /**
     * @return always {@code Method.GET}
     */
    @Override
    public Method method() {
        return Method.GET;
    }

    /**
     * @return always the empty string
     */
    @Override
    public String uri() {
        return "";
    }

    /**
     * @return always {@code false}
     */
    @Override
    public boolean hasContent() {
        return false;
    }

    /**
     * @return always {@code null}; callers must check {@link #hasContent()} first
     */
    @Override
    public BytesReference content() {
        return null;
    }
}
--------------------------------------------------------------------------------
/src/test/java/com/amazon/opendistroforelasticsearch/security/auditlog/helper/MyOwnAuditLog.java:
--------------------------------------------------------------------------------
/*
 * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
 * Licensed under the Apache License, Version 2.0 (the "License").
 * You may not use this file except in compliance with the License.
 * A copy of the License is located at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * or in the "license" file accompanying this file. This file is distributed
 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
 * express or implied. See the License for the specific language governing
 * permissions and limitations under the License.
 */

package com.amazon.opendistroforelasticsearch.security.auditlog.helper;

import java.io.IOException;
import java.nio.file.Path;

import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.threadpool.ThreadPool;

import com.amazon.opendistroforelasticsearch.security.auditlog.impl.AuditMessage;
import com.amazon.opendistroforelasticsearch.security.auditlog.sink.AuditLogSink;

/**
 * Custom audit sink used by tests. It accepts every message without keeping
 * it and releases nothing on close.
 */
public class MyOwnAuditLog extends AuditLogSink {

    /**
     * Only {@code name}, {@code settings}, {@code settingsPrefix} and
     * {@code fallbackSink} reach the superclass; {@code configPath},
     * {@code threadPool}, {@code resolver} and {@code clusterService} are
     * accepted and ignored.
     */
    public MyOwnAuditLog(final String name,
            final Settings settings,
            final String settingsPrefix,
            final Path configPath,
            final ThreadPool threadPool,
            final IndexNameExpressionResolver resolver,
            final ClusterService clusterService,
            AuditLogSink fallbackSink) {
        super(name, settings, settingsPrefix, fallbackSink);
    }

    /**
     * No resources are held, so there is nothing to close.
     */
    @Override
    public void close() throws IOException {
        // intentionally empty
    }


    /**
     * Discards the message.
     *
     * @return always {@code true}
     */
    public boolean doStore(AuditMessage msg) {
        final boolean stored = true;
        return stored;
    }

}

--------------------------------------------------------------------------------
/src/test/java/com/amazon/opendistroforelasticsearch/security/auditlog/helper/RetrySink.java:
--------------------------------------------------------------------------------
/*
 * Copyright 2019
Amazon.com, Inc. or its affiliates. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License").
 * You may not use this file except in compliance with the License.
 * A copy of the License is located at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * or in the "license" file accompanying this file. This file is distributed
 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
 * express or implied. See the License for the specific language governing
 * permissions and limitations under the License.
 */

package com.amazon.opendistroforelasticsearch.security.auditlog.helper;

import org.elasticsearch.common.settings.Settings;

import com.amazon.opendistroforelasticsearch.security.auditlog.impl.AuditMessage;
import com.amazon.opendistroforelasticsearch.security.auditlog.sink.AuditLogSink;

/**
 * Audit sink for retry tests: the first five {@link #doStore} calls after a
 * reset fail, the next one succeeds and remembers its message.
 *
 * NOTE(review): the counter and the remembered message are static, while
 * {@link #doStore} locks the instance and {@link #init()} / {@link #getMsg()}
 * take no lock. That is only safe if a test uses one instance and reads the
 * result from the storing thread; confirm against the callers.
 */
public class RetrySink extends AuditLogSink {

    private static int failCount = 0;
    private static AuditMessage msg = null;

    /**
     * Resets the failure counter. The {@code sinkPrefix} and
     * {@code fallbackSink} arguments are ignored: the superclass receives
     * {@code null} as prefix and a fresh {@link FailingSink} as fallback.
     */
    public RetrySink(String name, Settings settings, String sinkPrefix, AuditLogSink fallbackSink) {
        super(name, settings, null, new FailingSink("", settings, "", null));
        failCount = 0;
        log.debug("init");
    }

    /**
     * @return {@code false} while fewer than five calls have been counted,
     *         {@code true} afterwards
     */
    @Override
    protected synchronized boolean doStore(AuditMessage msg) {
        // The counter is bumped on every call, successful or not.
        final boolean stillFailing = failCount++ < 5;
        if (!stillFailing) {
            log.debug("doStore ok");
            RetrySink.msg = msg;
            return true;
        }
        log.debug("Fail "+failCount);
        return false;
    }

    /**
     * @return always {@code true}
     */
    @Override
    public boolean isHandlingBackpressure() {
        return true;
    }

    /**
     * Clears the failure counter and the remembered message.
     */
    public static void init() {
        msg = null;
        RetrySink.failCount = 0;
    }

    /**
     * @return the message of the last successful store, or {@code null}
     */
    public static AuditMessage getMsg() {
        return msg;
    }

}

--------------------------------------------------------------------------------
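/src/test/java/com/amazon/opendistroforelasticsearch/security/auditlog/helper/SlowSink.java:
--------------------------------------------------------------------------------
/*
 * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License").
 * You may not use this file except in compliance with the License.
 * A copy of the License is located at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * or in the "license" file accompanying this file. This file is distributed
 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
 * express or implied. See the License for the specific language governing
 * permissions and limitations under the License.
 */

package com.amazon.opendistroforelasticsearch.security.auditlog.helper;

import org.elasticsearch.common.settings.Settings;

import com.amazon.opendistroforelasticsearch.security.auditlog.impl.AuditMessage;
import com.amazon.opendistroforelasticsearch.security.auditlog.sink.AuditLogSink;

/**
 * Audit sink for tests that takes three seconds per message, to exercise the
 * behaviour of the audit pipeline when a sink is slow.
 */
public class SlowSink extends AuditLogSink {

    /**
     * @param name         sink name, passed to the superclass
     * @param settings     settings, passed to the superclass
     * @param sinkSetting  not used: {@code null} is passed to the superclass instead
     * @param fallbackSink fallback sink, passed to the superclass
     */
    public SlowSink(String name, Settings settings, Settings sinkSetting, AuditLogSink fallbackSink) {
        super(name, settings, null, fallbackSink);
    }


    /**
     * Sleeps for 3000 ms and then reports success.
     *
     * If the sleep is interrupted, the interrupt flag is set again before
     * returning. Catching InterruptedException clears the flag, and without
     * restoring it the calling thread (for example a pool worker being shut
     * down) would never learn that it was asked to stop.
     *
     * @return always {@code true}, also after an interruption
     */
    @Override
    public boolean doStore(AuditMessage msg) {
        try {
            Thread.sleep(3000);
        } catch (InterruptedException e) {
            e.printStackTrace();
            Thread.currentThread().interrupt();
        }

        return true;
    }
}

--------------------------------------------------------------------------------
/src/test/java/com/amazon/opendistroforelasticsearch/security/auditlog/helper/TestHttpHandler.java:
--------------------------------------------------------------------------------
/*
 * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License").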
* You may not use this file except in compliance with the License.
 * A copy of the License is located at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * or in the "license" file accompanying this file. This file is distributed
 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
 * express or implied. See the License for the specific language governing
 * permissions and limitations under the License.
 */

package com.amazon.opendistroforelasticsearch.security.auditlog.helper;

import java.io.IOException;
import java.nio.charset.StandardCharsets;

import org.apache.http.HttpEntity;
import org.apache.http.HttpEntityEnclosingRequest;
import org.apache.http.HttpException;
import org.apache.http.HttpRequest;
import org.apache.http.HttpResponse;
import org.apache.http.RequestLine;
import org.apache.http.protocol.HttpContext;
import org.apache.http.protocol.HttpRequestHandler;
import org.apache.http.util.EntityUtils;

/**
 * Test HTTP handler that records the method, URI and body of the last request
 * it received so a test can assert on what a client sent.
 */
public class TestHttpHandler implements HttpRequestHandler {
    public String method;
    public String uri;
    public String body;

    /**
     * Stores the request line's method and URI and, when the request carries
     * an entity, its content decoded as UTF-8.
     *
     * A request without an entity leaves {@link #body} as it was, so the body
     * of an earlier request stays visible until {@link #reset()} is called.
     * The response is not modified.
     */
    @Override
    public void handle(HttpRequest request, HttpResponse response, HttpContext context)
            throws HttpException, IOException {
        final RequestLine line = request.getRequestLine();
        this.method = line.getMethod();
        this.uri = line.getUri();

        if (!(request instanceof HttpEntityEnclosingRequest)) {
            return;
        }
        // The whole entity is read into memory.
        final HttpEntity payload = ((HttpEntityEnclosingRequest) request).getEntity();
        this.body = EntityUtils.toString(payload, StandardCharsets.UTF_8);
    }

    /**
     * Forgets the recorded method, URI and body.
     */
    public void reset() {
        this.method = null;
        this.uri = null;
        this.body = null;
    }
}

--------------------------------------------------------------------------------
/src/test/java/com/amazon/opendistroforelasticsearch/security/auditlog/impl/DelegateTest.java:
--------------------------------------------------------------------------------
/*
 * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License").
 * You may not use this file except in compliance with the License.
 * A copy of the License is located at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * or in the "license" file accompanying this file. This file is distributed
 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
 * express or implied. See the License for the specific language governing
 * permissions and limitations under the License.
 */

package com.amazon.opendistroforelasticsearch.security.auditlog.impl;

import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.settings.Settings.Builder;
import org.junit.Assert;
import org.junit.Test;

import com.amazon.opendistroforelasticsearch.security.auditlog.helper.MyOwnAuditLog;
import com.amazon.opendistroforelasticsearch.security.auditlog.impl.AuditLogImpl;
import com.amazon.opendistroforelasticsearch.security.auditlog.sink.AuditLogSink;
import com.amazon.opendistroforelasticsearch.security.auditlog.sink.DebugSink;
import com.amazon.opendistroforelasticsearch.security.auditlog.sink.ExternalESSink;
import com.amazon.opendistroforelasticsearch.security.auditlog.sink.InternalESSink;

/**
 * Builds an {@link AuditLogImpl} for several values of
 * {@code opendistro_security.audit.type} and closes it again.
 *
 * NOTE(review): the assertions in {@link #testAuditType} are commented out,
 * so this test only proves that construction and close do not throw; it does
 * not check which sink a type resolves to. In addition, MyOwnAuditLog is
 * imported from the {@code auditlog.helper} package while the type strings
 * below name {@code auditlog.sink.MyOwnAuditLog}; with the assertions off,
 * nothing would notice if that name fails to resolve.
 */
public class DelegateTest {

    /**
     * Runs {@link #testAuditType} for built-in type names in mixed case, a
     * fully qualified class name, and a name that does not exist.
     */
    @Test
    public void auditLogTypeTest() throws Exception {
        testAuditType("DeBUg", DebugSink.class);
        testAuditType("intERnal_Elasticsearch", InternalESSink.class);
        testAuditType("EXTERnal_Elasticsearch", ExternalESSink.class);
        testAuditType("com.amazon.opendistroforelasticsearch.security.auditlog.sink.MyOwnAuditLog", MyOwnAuditLog.class);
        testAuditType("com.amazon.opendistroforelasticsearch.security.auditlog.sink.MyOwnAuditLog", null);
        testAuditType("idonotexist", null);
    }

    /**
     * Creates an audit log configured with the given type and closes it.
     *
     * @param type          value for {@code opendistro_security.audit.type}
     * @param expectedClass sink class the type should resolve to, or
     *                      {@code null}; currently unused because the
     *                      assertions are disabled
     */
    private void testAuditType(String type, Class expectedClass) throws Exception {
        final Settings auditSettings = Settings.builder()
                .put("opendistro_security.audit.type", type)
                .put("path.home", ".")
                .build();
        final AuditLogImpl auditLog = new AuditLogImpl(auditSettings, null, null, null, null, null);
        auditLog.close();
//        if (expectedClass != null) {
//            Assert.assertNotNull("delegate is null for type: "+type,auditLog.delegate);
//            Assert.assertEquals(expectedClass, auditLog.delegate.getClass());
//        } else {
//            Assert.assertNull(auditLog.delegate);
//        }

    }
}

--------------------------------------------------------------------------------
/src/test/java/com/amazon/opendistroforelasticsearch/security/auditlog/integration/TestAuditlogImpl.java:
--------------------------------------------------------------------------------
/*
 * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License").
 * You may not use this file except in compliance with the License.
 * A copy of the License is located at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * or in the "license" file accompanying this file. This file is distributed
 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
 * express or implied. See the License for the specific language governing
 * permissions and limitations under the License.
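*/

package com.amazon.opendistroforelasticsearch.security.auditlog.integration;

import java.util.ArrayList;
import java.util.List;

import org.elasticsearch.common.settings.Settings;

import com.amazon.opendistroforelasticsearch.security.auditlog.impl.AuditMessage;
import com.amazon.opendistroforelasticsearch.security.auditlog.sink.AuditLogSink;

/**
 * Audit sink for integration tests that collects every stored message in
 * static, process-wide state: the message objects in {@link #messages} and
 * their pretty-printed form in {@link #sb}.
 */
public class TestAuditlogImpl extends AuditLogSink {

    // Raw types are kept because both fields are public and read by tests.
    public static List messages = new ArrayList(100);
    public static StringBuffer sb = new StringBuffer();

    /**
     * @param name           sink name, passed to the superclass
     * @param settings       settings, passed to the superclass
     * @param settingsPrefix not used: {@code null} is passed to the superclass instead
     * @param fallbackSink   fallback sink, passed to the superclass
     */
    public TestAuditlogImpl(String name, Settings settings, String settingsPrefix, AuditLogSink fallbackSink) {
        super(name, settings, null, fallbackSink);
    }


    /**
     * Appends the pretty-printed message plus a line separator to {@link #sb}
     * and adds the message to {@link #messages}.
     *
     * The shared state is static, so it is guarded by the class monitor, the
     * same one the static {@link #clear()} takes. The method-level
     * {@code synchronized} only locks this instance; on its own it excludes
     * neither {@code clear()} nor a second sink instance, and a store racing
     * with either could corrupt the list or drop an audit record a test is
     * waiting for.
     *
     * @return always {@code true}
     */
    public synchronized boolean doStore(AuditMessage msg) {
        synchronized (TestAuditlogImpl.class) {
            sb.append(msg.toPrettyString()).append(System.lineSeparator());
            messages.add(msg);
        }
        return true;
    }

    /**
     * Empties both the text buffer and the message list.
     */
    public static synchronized void clear() {
        sb.setLength(0);
        messages.clear();
    }

    /**
     * @return always {@code true}
     */
    @Override
    public boolean isHandlingBackpressure() {
        return true;
    }


}

--------------------------------------------------------------------------------
/src/test/java/com/amazon/opendistroforelasticsearch/security/auditlog/routing/PerfTest.java:
--------------------------------------------------------------------------------
/*
 * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License").
 * You may not use this file except in compliance with the License.
 * A copy of the License is located at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * or in the "license" file accompanying this file. This file is distributed
 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
 * express or implied.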
See the License for the specific language governing
 * permissions and limitations under the License.
 */

package com.amazon.opendistroforelasticsearch.security.auditlog.routing;

import org.elasticsearch.common.settings.Settings;
import org.junit.Assert;
import org.junit.Ignore;
import org.junit.Test;

import com.amazon.opendistroforelasticsearch.security.auditlog.AbstractAuditlogiUnitTest;
import com.amazon.opendistroforelasticsearch.security.auditlog.helper.LoggingSink;
import com.amazon.opendistroforelasticsearch.security.auditlog.helper.MockAuditMessageFactory;
import com.amazon.opendistroforelasticsearch.security.auditlog.impl.AuditMessage;
import com.amazon.opendistroforelasticsearch.security.auditlog.impl.AuditMessage.Category;
import com.amazon.opendistroforelasticsearch.security.auditlog.routing.AuditMessageRouter;
import com.amazon.opendistroforelasticsearch.security.support.ConfigConstants;
import com.amazon.opendistroforelasticsearch.security.test.helper.file.FileHelper;



/**
 * Load test for {@link AuditMessageRouter}: routes 150000 messages and checks
 * that the fallback sink received at least one of them. Currently ignored.
 */
public class PerfTest extends AbstractAuditlogiUnitTest {

    /**
     * Loads {@code perftest.yml}, sets the audit thread pool size to 0, routes
     * 150000 {@code MISSING_PRIVILEGES} messages and asserts that the
     * {@link LoggingSink} returned as the default sink's fallback holds at
     * least one message.
     */
    @Test
    @Ignore(value="jvm crash on cci")
    public void testPerf() throws Exception {
        final Settings settings = Settings.builder()
                .loadFromPath(FileHelper.getAbsoluteFilePathFromClassPath("auditlog/endpoints/routing/perftest.yml"))
                .put("path.home", ".")
                .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE")
                .put("opendistro_security.audit.threadpool.size", 0)
                .build();

        final AuditMessageRouter router = createMessageRouterComplianceEnabled(settings);
        for (int remaining = 150000; remaining > 0; remaining--) {
            router.route(MockAuditMessageFactory.validAuditMessage(Category.MISSING_PRIVILEGES));
        }

        final LoggingSink fallback = (LoggingSink) router.defaultSink.getFallbackSink();
        final int stored = fallback.messages.size();
        Assert.assertTrue(stored > 0);
    }

}

--------------------------------------------------------------------------------
/src/test/java/com/amazon/opendistroforelasticsearch/security/auditlog/routing/ThreadPoolSettingsTest.java:
--------------------------------------------------------------------------------
/*
 * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License").
 * You may not use this file except in compliance with the License.
 * A copy of the License is located at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * or in the "license" file accompanying this file. This file is distributed
 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
 * express or implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

package com.amazon.opendistroforelasticsearch.security.auditlog.routing;

import org.elasticsearch.common.settings.Settings;
import org.junit.Assert;
import org.junit.Test;

import com.amazon.opendistroforelasticsearch.security.auditlog.AbstractAuditlogiUnitTest;
import com.amazon.opendistroforelasticsearch.security.auditlog.routing.AuditMessageRouter;
import com.amazon.opendistroforelasticsearch.security.test.helper.file.FileHelper;

/**
 * Checks that the audit storage pool picks up its thread count and queue
 * length from the loaded configuration file.
 */
public class ThreadPoolSettingsTest extends AbstractAuditlogiUnitTest {

    /**
     * Loads {@code configuration_no_multiple_endpoints.yml} and expects a pool
     * size of 5 and a maximum queue length of 200000.
     */
    @Test
    public void testNoMultipleEndpointsConfiguration() throws Exception {
        final Settings settings = Settings.builder()
                .loadFromPath(FileHelper.getAbsoluteFilePathFromClassPath("auditlog/endpoints/sink/configuration_no_multiple_endpoints.yml"))
                .build();
        final AuditMessageRouter router = createMessageRouterComplianceEnabled(settings);

        Assert.assertEquals(5, router.storagePool.threadPoolSize);
        Assert.assertEquals(200000, router.storagePool.threadPoolMaxQueueLen);
    }
}

--------------------------------------------------------------------------------
/src/test/java/com/amazon/opendistroforelasticsearch/security/auditlog/sink/MockWebhookAuditLog.java:
--------------------------------------------------------------------------------
/*
 * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License").
 * You may not use this file except in compliance with the License.
 * A copy of the License is located at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * or in the "license" file accompanying this file. This file is distributed
 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
 * express or implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

package com.amazon.opendistroforelasticsearch.security.auditlog.sink;

import org.elasticsearch.common.settings.Settings;

import com.amazon.opendistroforelasticsearch.security.auditlog.sink.AuditLogSink;
import com.amazon.opendistroforelasticsearch.security.auditlog.sink.WebhookSink;

/**
 * {@link WebhookSink} for tests that records what would have been sent
 * instead of performing the request: {@link #doPost} and {@link #doGet} are
 * replaced by methods that only store their argument.
 */
public class MockWebhookAuditLog extends WebhookSink {

    // Payload of the last doPost call, or null.
    public String payload = null;
    // URL of the last doGet call, or null.
    public String url = null;

    /**
     * Creates the sink under the fixed name "test"; the fourth superclass
     * argument is {@code null}.
     */
    public MockWebhookAuditLog(Settings settings, String settingsPrefix, AuditLogSink fallback) throws Exception {
        super("test", settings, settingsPrefix, null, fallback);
    }

    /**
     * Records the payload; the {@code url} argument is not stored.
     *
     * @return always {@code true}
     */
    @Override
    protected boolean doPost(String url, String payload) {
        this.payload = payload;
        final boolean delivered = true;
        return delivered;
    }


    /**
     * Records the URL.
     *
     * @return always {@code true}
     */
    @Override
    protected boolean doGet(String url) {
        this.url = url;
        final boolean delivered = true;
        return delivered;
    }
}

--------------------------------------------------------------------------------
/src/test/java/com/amazon/opendistroforelasticsearch/security/cache/DummyAuthenticationBackend.java:
--------------------------------------------------------------------------------
/*
 * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License").
 * You may not use this file except in compliance with the License.
 * A copy of the License is located at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * or in the "license" file accompanying this file. This file is distributed
 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
 * express or implied. See the License for the specific language governing
 * permissions and limitations under the License.
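*/

package com.amazon.opendistroforelasticsearch.security.cache;

import java.nio.file.Path;

import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.common.settings.Settings;

import com.amazon.opendistroforelasticsearch.security.auth.AuthenticationBackend;
import com.amazon.opendistroforelasticsearch.security.auth.AuthorizationBackend;
import com.amazon.opendistroforelasticsearch.security.user.AuthCredentials;
import com.amazon.opendistroforelasticsearch.security.user.User;


/**
 * Authentication backend for cache tests that counts how often it is asked.
 *
 * It performs no verification at all: {@link #authenticate} accepts any
 * credentials and {@link #exists} confirms any user. It must stay on the test
 * classpath only; configured on a real node it would let every caller in
 * under whatever user name they supply.
 */
public class DummyAuthenticationBackend implements AuthenticationBackend {

    // Atomic counters: the previous "volatile long" fields were incremented
    // with ++, which is a read-modify-write and loses updates when several
    // request threads authenticate at once, making the call counts the tests
    // read unreliable.
    private static final java.util.concurrent.atomic.AtomicLong authCount =
            new java.util.concurrent.atomic.AtomicLong();
    private static final java.util.concurrent.atomic.AtomicLong existsCount =
            new java.util.concurrent.atomic.AtomicLong();

    /**
     * Both arguments are ignored.
     */
    public DummyAuthenticationBackend(final Settings settings, final Path configPath) {
    }

    /**
     * @return always {@code "dummy"}
     */
    @Override
    public String getType() {
        return "dummy";
    }

    /**
     * Counts the call and returns a user named after the supplied credentials
     * without checking them.
     *
     * @param credentials credentials whose user name is copied into the result
     * @return a new {@link User} with {@code credentials.getUsername()}
     */
    @Override
    public User authenticate(AuthCredentials credentials) throws ElasticsearchSecurityException {
        authCount.incrementAndGet();
        return new User(credentials.getUsername());
    }

    /**
     * Counts the call.
     *
     * @return always {@code true}
     */
    @Override
    public boolean exists(User user) {
        existsCount.incrementAndGet();
        return true;
    }

    /**
     * @return number of {@link #authenticate} calls since the last {@link #reset()}
     */
    public static long getAuthCount() {
        return authCount.get();
    }

    /**
     * @return number of {@link #exists} calls since the last {@link #reset()}
     */
    public static long getExistsCount() {
        return existsCount.get();
    }

    /**
     * Sets both counters back to zero.
     */
    public static void reset() {
        authCount.set(0);
        existsCount.set(0);
    }
}
--------------------------------------------------------------------------------
/src/test/java/com/amazon/opendistroforelasticsearch/security/cache/DummyAuthorizer.java:
--------------------------------------------------------------------------------
/*
 * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License").
 * You may not use this file except in compliance with the License.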
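* A copy of the License is located at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * or in the "license" file accompanying this file. This file is distributed
 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
 * express or implied. See the License for the specific language governing
 * permissions and limitations under the License.
 */

package com.amazon.opendistroforelasticsearch.security.cache;

import java.nio.file.Path;

import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.common.settings.Settings;

import com.amazon.opendistroforelasticsearch.security.auth.AuthorizationBackend;
import com.amazon.opendistroforelasticsearch.security.user.AuthCredentials;
import com.amazon.opendistroforelasticsearch.security.user.User;


/**
 * Authorization backend for cache tests. Every {@link #fillRoles} call adds a
 * role whose name differs from call to call, so a test can tell a cached user
 * from a freshly authorized one, and counts the call.
 *
 * Test classpath only: the roles it assigns are synthetic and derived from
 * the user name, not from any directory or policy.
 */
public class DummyAuthorizer implements AuthorizationBackend {

    // Atomic counter: the previous "volatile long" field was incremented with
    // ++, which loses updates under concurrent calls and could hand two
    // callers the same sequence number.
    private static final java.util.concurrent.atomic.AtomicLong count =
            new java.util.concurrent.atomic.AtomicLong();

    /**
     * Both arguments are ignored.
     */
    public DummyAuthorizer(final Settings settings, final Path configPath) {
    }

    /**
     * @return always {@code "dummy"}
     */
    @Override
    public String getType() {
        return "dummy";
    }

    /**
     * Adds the role {@code role_<user name>_<current millis>_<call number>} to
     * the user. The credentials are not read.
     */
    @Override
    public void fillRoles(User user, AuthCredentials credentials) throws ElasticsearchSecurityException {
        // The value returned by the increment is this call's own number.
        final long callNumber = count.incrementAndGet();
        user.addRole("role_" + user.getName() + "_" + System.currentTimeMillis() + "_" + callNumber);

    }

    /**
     * @return number of {@link #fillRoles} calls since the last {@link #reset()}
     */
    public static long getCount() {
        return count.get();
    }

    /**
     * Sets the counter back to zero.
     */
    public static void reset() {
        count.set(0);
    }

}

--------------------------------------------------------------------------------
/src/test/java/com/amazon/opendistroforelasticsearch/security/cache/DummyHTTPAuthenticator.java:
--------------------------------------------------------------------------------
/*
 * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License").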
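* You may not use this file except in compliance with the License.
 * A copy of the License is located at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * or in the "license" file accompanying this file. This file is distributed
 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
 * express or implied. See the License for the specific language governing
 * permissions and limitations under the License.
 */

package com.amazon.opendistroforelasticsearch.security.cache;

import java.nio.file.Path;

import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.rest.RestChannel;
import org.elasticsearch.rest.RestRequest;

import com.amazon.opendistroforelasticsearch.security.auth.HTTPAuthenticator;
import com.amazon.opendistroforelasticsearch.security.user.AuthCredentials;

/**
 * HTTP authenticator for cache tests that counts how often credentials are
 * extracted.
 *
 * It never looks at the request: every call yields complete credentials for
 * the user "dummy". It must stay on the test classpath only; configured on a
 * real node it would present every HTTP request as that user.
 */
public class DummyHTTPAuthenticator implements HTTPAuthenticator {

    // Atomic counter: the previous "volatile long" field was incremented with
    // ++, which loses updates when several request threads call in at once.
    private static final java.util.concurrent.atomic.AtomicLong count =
            new java.util.concurrent.atomic.AtomicLong();

    /**
     * Both arguments are ignored.
     */
    public DummyHTTPAuthenticator(final Settings settings, final Path configPath) {
    }

    /**
     * @return always {@code "dummy"}
     */
    @Override
    public String getType() {
        return "dummy";
    }

    /**
     * Counts the call and returns credentials for "dummy", marked complete.
     * Neither the request nor the thread context is read.
     */
    @Override
    public AuthCredentials extractCredentials(RestRequest request, ThreadContext context) throws ElasticsearchSecurityException {
        count.incrementAndGet();
        return new AuthCredentials("dummy").markComplete();
    }

    /**
     * @return always {@code false}
     */
    @Override
    public boolean reRequestAuthentication(RestChannel channel, AuthCredentials credentials) {
        return false;
    }

    /**
     * @return number of {@link #extractCredentials} calls since the last {@link #reset()}
     */
    public static long getCount() {
        return count.get();
    }

    /**
     * Sets the counter back to zero.
     */
    public static void reset() {
        count.set(0);
    }
}

--------------------------------------------------------------------------------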
/src/test/java/com/amazon/opendistroforelasticsearch/security/dlic/dlsfls/AbstractDlsFlsTest.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"). 5 | * You may not use this file except in compliance with the License. 6 | * A copy of the License is located at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * or in the "license" file accompanying this file. This file is distributed 11 | * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either 12 | * express or implied. See the License for the specific language governing 13 | * permissions and limitations under the License. 14 | */ 15 | 16 | package com.amazon.opendistroforelasticsearch.security.dlic.dlsfls; 17 | 18 | import com.amazon.opendistroforelasticsearch.security.action.configupdate.ConfigUpdateAction; 19 | import com.amazon.opendistroforelasticsearch.security.action.configupdate.ConfigUpdateRequest; 20 | import com.amazon.opendistroforelasticsearch.security.action.configupdate.ConfigUpdateResponse; 21 | import org.elasticsearch.client.transport.TransportClient; 22 | import org.elasticsearch.common.settings.Settings; 23 | 24 | import com.amazon.opendistroforelasticsearch.security.support.ConfigConstants; 25 | import com.amazon.opendistroforelasticsearch.security.test.DynamicSecurityConfig; 26 | import com.amazon.opendistroforelasticsearch.security.test.SingleClusterTest; 27 | import com.amazon.opendistroforelasticsearch.security.test.helper.rest.RestHelper; 28 | import org.junit.Assert; 29 |
/**
 * Base class for the DLS/FLS tests: starts the cluster, lets the subclass index its fixture
 * documents, and leaves a REST helper in {@link #rh} for the test to issue requests with.
 */
public abstract class AbstractDlsFlsTest extends SingleClusterTest {

    // Assigned at the end of setup(Settings, DynamicSecurityConfig); null until then.
    protected RestHelper rh = null;

    /** @return {@code "dlsfls"}, the resource folder name for these tests */
    @Override
    protected String getResourceFolder() {
        return "dlsfls";
    }

    /** Starts the cluster with no setting overrides and a default DynamicSecurityConfig. */
    protected final void setup() throws Exception {
        setup(Settings.EMPTY, new DynamicSecurityConfig());
    }

    /** Starts the cluster with {@code override} applied and a default DynamicSecurityConfig. */
    protected final void setup(Settings override) throws Exception {
        setup(override, new DynamicSecurityConfig());
    }

    /** Starts the cluster with no setting overrides and the given security configuration. */
    protected final void setup(DynamicSecurityConfig dynamicSecurityConfig) throws Exception {
        setup(Settings.EMPTY, dynamicSecurityConfig);
    }

    /**
     * Common setup path used by all other overloads.
     *
     * @param override              settings added after the defaults, so a key present here
     *                              replaces the default audit type set below
     * @param dynamicSecurityConfig security configuration handed to the inherited setup
     */
    protected final void setup(Settings override, DynamicSecurityConfig dynamicSecurityConfig) throws Exception {
        final Settings.Builder nodeSettings = Settings.builder();
        // Default audit sink type for these tests; override is put afterwards and wins on conflict.
        nodeSettings.put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_TYPE_DEFAULT, "debug");
        nodeSettings.put(override);

        // Inherited four-argument setup; its parameter meanings are not visible in this file.
        setup(Settings.EMPTY, dynamicSecurityConfig, nodeSettings.build(), true);

        // The client is closed as soon as the fixture data has been written.
        try (TransportClient client = getInternalTransportClient(this.clusterInfo, Settings.EMPTY)) {
            populateData(client);
        }

        rh = nonSslRestHelper();
    }

    /**
     * Indexes the documents a concrete test needs.
     *
     * @param tc internal transport client, valid only for the duration of the call
     */
    abstract void populateData(TransportClient tc);
}
-------------------------------------------------------------------------------- /src/test/java/com/amazon/opendistroforelasticsearch/security/dlic/dlsfls/Fls983Test.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"). 5 | * You may not use this file except in compliance with the License. 6 | * A copy of the License is located at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * or in the "license" file accompanying this file. This file is distributed 11 | * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either 12 | * express or implied. See the License for the specific language governing 13 | * permissions and limitations under the License.
14 | */ 15 | 16 | package com.amazon.opendistroforelasticsearch.security.dlic.dlsfls; 17 | 18 | import org.apache.http.HttpStatus; 19 | import org.elasticsearch.action.index.IndexRequest; 20 | import org.elasticsearch.action.support.WriteRequest.RefreshPolicy; 21 | import org.elasticsearch.client.transport.TransportClient; 22 | import org.elasticsearch.common.xcontent.XContentType; 23 | import org.junit.Assert; 24 | import org.junit.Test; 25 | 26 | import com.amazon.opendistroforelasticsearch.security.test.DynamicSecurityConfig; 27 | import com.amazon.opendistroforelasticsearch.security.test.helper.rest.RestHelper.HttpResponse; 28 |
/**
 * Checks that a partial-document update on the {@code .kibana} index succeeds for the user
 * {@code human_resources_trainee} when the roles from {@code roles_983.yml} are loaded.
 *
 * <p>NOTE(review): roles_983.yml is not part of this excerpt; presumably it gives that user
 * field-level restrictions and "983" refers to an issue number - confirm.
 */
public class Fls983Test extends AbstractDlsFlsTest {

    /** Indexes one empty document with id {@code 0} and type {@code config} into {@code .kibana}. */
    protected void populateData(TransportClient tc) {
        final IndexRequest emptyConfigDoc = new IndexRequest(".kibana")
                .type("config")
                .id("0")
                .setRefreshPolicy(RefreshPolicy.IMMEDIATE) // visible to the test without a separate refresh
                .source("{}", XContentType.JSON);
        tc.index(emptyConfigDoc).actionGet();
    }

    @Test
    public void test() throws Exception {

        setup(new DynamicSecurityConfig().setSecurityRoles("roles_983.yml"));

        // Partial update body: sets field x to "y".
        final String updateBody = "{\"doc\" : {\"x\" : \"y\"}}";

        final HttpResponse res = rh.executePostRequest(
                "/.kibana/config/0/_update?pretty",
                updateBody,
                encodeBasicHeader("human_resources_trainee", "password"));

        Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode());
        System.out.println(res.getBody());

        // The update must be reported as applied, with no failed shard.
        final String body = res.getBody();
        Assert.assertTrue(body.contains("updated"));
        Assert.assertTrue(body.contains("\"failed\" : 0"));
    }
}
-------------------------------------------------------------------------------- /src/test/java/com/amazon/opendistroforelasticsearch/security/dlic/rest/api/FlushCacheApiTest.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License").
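5 | * You may not use this file except in compliance with the License. 6 | * A copy of the License is located at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * or in the "license" file accompanying this file. This file is distributed 11 | * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either 12 | * express or implied. See the License for the specific language governing 13 | * permissions and limitations under the License. 14 | */ 15 | 16 | package com.amazon.opendistroforelasticsearch.security.dlic.rest.api; 17 | 18 | import org.apache.http.Header; 19 | import org.apache.http.HttpStatus; 20 | import org.elasticsearch.common.settings.Settings; 21 | import org.elasticsearch.common.xcontent.XContentType; 22 | import org.junit.Assert; 23 | import org.junit.Test; 24 | 25 | import com.amazon.opendistroforelasticsearch.security.test.helper.rest.RestHelper.HttpResponse; 26 |
/**
 * Verifies the HTTP method handling of the cache endpoint of the security REST API:
 * GET, PUT and POST are answered with 501 and a "not supported" message, DELETE flushes
 * the cache and returns 200.
 */
public class FlushCacheApiTest extends AbstractRestApiUnitTest {

    private static final String CACHE_ENDPOINT = "/_opendistro/_security/api/cache";

    @Test
    public void testFlushCache() throws Exception {

        setup();

        // All requests below present the client certificate from this keystore
        // (presumably the admin certificate - confirm against the test cluster setup).
        rh.keystore = "restapi/kirk-keystore.jks";
        rh.sendHTTPClientCertificate = true;

        // Only DELETE is allowed for flush cache.
        // assertEquals takes (expected, actual); the message checks below follow that order
        // so a failure reports the two values the right way round.

        // GET
        HttpResponse response = rh.executeGetRequest(CACHE_ENDPOINT);
        Assert.assertEquals(HttpStatus.SC_NOT_IMPLEMENTED, response.getStatusCode());
        Assert.assertEquals("Method GET not supported for this action.", messageOf(response));

        // PUT
        response = rh.executePutRequest(CACHE_ENDPOINT, "{}", new Header[0]);
        Assert.assertEquals(HttpStatus.SC_NOT_IMPLEMENTED, response.getStatusCode());
        Assert.assertEquals("Method PUT not supported for this action.", messageOf(response));

        // POST
        response = rh.executePostRequest(CACHE_ENDPOINT, "{}", new Header[0]);
        Assert.assertEquals(HttpStatus.SC_NOT_IMPLEMENTED, response.getStatusCode());
        Assert.assertEquals("Method POST not supported for this action.", messageOf(response));

        // DELETE
        response = rh.executeDeleteRequest(CACHE_ENDPOINT, new Header[0]);
        Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode());
        Assert.assertEquals("Cache flushed successfully.", messageOf(response));

    }

    /** Parses the JSON response body and returns its top-level {@code message} value. */
    private static String messageOf(HttpResponse response) throws Exception {
        final Settings parsed = Settings.builder().loadFromSource(response.getBody(), XContentType.JSON).build();
        return parsed.get("message");
    }
}
64 | -------------------------------------------------------------------------------- /src/test/java/com/amazon/opendistroforelasticsearch/security/dlic/rest/api/OpenDistroSecurityApiAccessTest.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"). 5 | * You may not use this file except in compliance with the License. 6 | * A copy of the License is located at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * or in the "license" file accompanying this file. This file is distributed 11 | * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either 12 | * express or implied. See the License for the specific language governing 13 | * permissions and limitations under the License.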
14 | */ 15 | 16 | package com.amazon.opendistroforelasticsearch.security.dlic.rest.api; 17 | 18 | import org.apache.http.HttpStatus; 19 | import org.junit.Assert; 20 | import org.junit.Test; 21 |
/**
 * Negative access test for the security REST API: the internal-users endpoint must stay
 * closed both without a client certificate and with a certificate that is not an admin one.
 *
 * <p>In each case the test expects 401 when no credentials are sent and 403 when valid
 * basic credentials for {@code admin} are sent, i.e. a password login alone does not open
 * the management API in this test configuration.
 */
public class OpenDistroSecurityApiAccessTest extends AbstractRestApiUnitTest {

    @Test
    public void testRestApi() throws Exception {

        setup();

        final String internalUsers = "_opendistro/_security/api/internalusers";

        // No client certificate: unauthenticated request is rejected with 401 ...
        final int noCertNoCredentials = rh.executeGetRequest(internalUsers).getStatusCode();
        Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, noCertNoCredentials);

        // ... and basic auth as admin authenticates but is still forbidden (403).
        final int noCertBasicAuth = rh
                .executeGetRequest(internalUsers, encodeBasicHeader("admin", "admin"))
                .getStatusCode();
        Assert.assertEquals(HttpStatus.SC_FORBIDDEN, noCertBasicAuth);

        // Non-admin certificate (the node-0 keystore): same two outcomes are expected.
        rh.keystore = "restapi/node-0-keystore.jks";
        rh.sendHTTPClientCertificate = true;

        final int nodeCertNoCredentials = rh.executeGetRequest(internalUsers).getStatusCode();
        Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, nodeCertNoCredentials);

        final int nodeCertBasicAuth = rh
                .executeGetRequest(internalUsers, encodeBasicHeader("admin", "admin"))
                .getStatusCode();
        Assert.assertEquals(HttpStatus.SC_FORBIDDEN, nodeCertBasicAuth);

    }

}
50 | -------------------------------------------------------------------------------- /src/test/resources/auditlog/config.yml: -------------------------------------------------------------------------------- 1 | --- 2 | _meta: 3 | type: "config" 4 | config_version: 2 5 | config: 6 | dynamic: 7 | filtered_alias_mode: "warn" 8 | disable_rest_auth: false 9 | disable_intertransport_auth: false 10 | respect_request_indices_options: false 11 | license: null 12 | kibana: 13 | multitenancy_enabled: true 14 | server_username: "kibanaserver" 15 | index: ".kibana" 16 | http: 17 | anonymous_auth_enabled: false 18 | xff: 19 | enabled: false 20 | internalProxies: "10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|192\\.168\\.\\d{1,3}\\\ 21 |
.\\d{1,3}|169\\.254\\.\\d{1,3}\\.\\d{1,3}|127\\.\\d{1,3}\\.\\d{1,3}\\.\\\ 22 | d{1,3}|172\\.1[6-9]{1}\\.\\d{1,3}\\.\\d{1,3}|172\\.2[0-9]{1}\\.\\d{1,3}\\\ 23 | .\\d{1,3}|172\\.3[0-1]{1}\\.\\d{1,3}\\.\\d{1,3}" 24 | remoteIpHeader: "X-Forwarded-For" 25 | authc: 26 | authentication_domain_clientcert: 27 | http_enabled: true 28 | transport_enabled: true 29 | order: 1 30 | http_authenticator: 31 | challenge: true 32 | type: "clientcert" 33 | config: {} 34 | authentication_backend: 35 | type: "noop" 36 | config: {} 37 | description: "Migrated from v6" 38 | authentication_domain_basic_internal: 39 | http_enabled: true 40 | transport_enabled: true 41 | order: 2 42 | http_authenticator: 43 | challenge: true 44 | type: "basic" 45 | config: {} 46 | authentication_backend: 47 | type: "intern" 48 | config: {} 49 | description: "Migrated from v6" 50 | authz: {} 51 | do_not_fail_on_forbidden: false 52 | multi_rolespan_enabled: false 53 | hosts_resolver_mode: "ip-only" 54 | transport_userrname_attribute: null -------------------------------------------------------------------------------- /src/test/resources/auditlog/data1.json: -------------------------------------------------------------------------------- 1 | { 2 | "title": "title value", 3 | "name": "name value", 4 | "age": 121, 5 | "created": "2017-11-11", 6 | "session_data": "session data value", 7 | "manager": { 8 | "age": 77, 9 | "name": "manager name value", 10 | "inner": { 11 | "a": 1, 12 | "b": "b value" 13 | } 14 | }, 15 | "employees": [ 16 | { 17 | "age": 1, 18 | "name": "emp1 name value" 19 | }, 20 | { 21 | "age": 2, 22 | "name": "emp2 name value" 23 | } 24 | ] 25 | } -------------------------------------------------------------------------------- /src/test/resources/auditlog/data1mod.json: -------------------------------------------------------------------------------- 1 | { 2 | "title": "title value", 3 | "name": "name value", 4 | "age": 121, 5 | "created": "2017-11-11", 6 | "session_data": "session data value", 7 | 
"manager": { 8 | "age": 77, 9 | "name": "manager name value" 10 | }, 11 | "employees": [ 12 | { 13 | "age": 1, 14 | "name": "emp1 name value" 15 | }, 16 | { 17 | "age": 2, 18 | "name": "emp2 name value" 19 | }, 20 | { 21 | "age": 3, 22 | "name": "emp3 name value" 23 | } 24 | ], 25 | "city": "city value" 26 | } -------------------------------------------------------------------------------- /src/test/resources/auditlog/data2.json: -------------------------------------------------------------------------------- 1 | { 2 | "text": "text question value", 3 | "joinfield": { 4 | "name": "question" 5 | } 6 | } -------------------------------------------------------------------------------- /src/test/resources/auditlog/data3.json: -------------------------------------------------------------------------------- 1 | { 2 | "text": "text answer value", 3 | "joinfield": { 4 | "name": "answer", 5 | "parent": "1" 6 | } 7 | } -------------------------------------------------------------------------------- /src/test/resources/auditlog/endpoints/configuration_wrong_endpoint_names.yml: -------------------------------------------------------------------------------- 1 | opendistro_security: 2 | audit: 3 | endpoints: 4 | endpoint1: 5 | type: internal_elasticsearch 6 | endpoint2: 7 | type: external_elasticsearch 8 | config: 9 | http_endpoints: ['localhost:9200','localhost:9201','localhost:9202'] 10 | index: auditlog 11 | username: auditloguser 12 | password: auditlogpassword 13 | enable_ssl: false 14 | verify_hostnames: false 15 | enable_ssl_client_auth: false 16 | endpoint3: 17 | type: debug 18 | routes: 19 | MISSING_PRIVILEGEs: 20 | endpoints: 21 | - default 22 | COMPLIANCE_DOC_READ: 23 | endpoints: 24 | - endpoint3 -------------------------------------------------------------------------------- /src/test/resources/auditlog/endpoints/routing/configuration_no_default.yml: -------------------------------------------------------------------------------- 1 | opendistro_security: 2 | audit: 
3 | endpoints: 4 | endpoint1: 5 | type: internal_elasticsearch 6 | endpoint2: 7 | type: external_elasticsearch 8 | endpoint3: 9 | type: debug 10 | routes: 11 | MISSING_PRIVILEGEs: 12 | endpoints: 13 | - default 14 | - endpoint1 15 | - endpoint2 16 | COMPLIANCE_DOC_READ: 17 | endpoints: 18 | - endpoint3 19 | - default -------------------------------------------------------------------------------- /src/test/resources/auditlog/endpoints/routing/configuration_valid.yml: -------------------------------------------------------------------------------- 1 | opendistro_security: 2 | audit: 3 | type: external_elasticsearch 4 | config: 5 | http_endpoints: ['localhost:9200','localhost:9201','localhost:9202'] 6 | index: auditlog 7 | username: auditloguser 8 | password: auditlogpassword 9 | enable_ssl: false 10 | verify_hostnames: false 11 | enable_ssl_client_auth: false 12 | endpoints: 13 | endpoint1: 14 | type: internal_elasticsearch 15 | endpoint2: 16 | type: external_elasticsearch 17 | config: 18 | http_endpoints: ['localhost:9200','localhost:9201','localhost:9202'] 19 | index: auditlog 20 | username: auditloguser 21 | password: auditlogpassword 22 | enable_ssl: false 23 | verify_hostnames: false 24 | enable_ssl_client_auth: false 25 | endpoint3: 26 | type: debug 27 | routes: 28 | MISSING_PRIVILEGEs: 29 | endpoints: 30 | - endpoint1 31 | - endpoint2 32 | - default 33 | COMPLIANCE_DOC_READ: 34 | endpoints: 35 | - endpoint3 -------------------------------------------------------------------------------- /src/test/resources/auditlog/endpoints/routing/configuration_wrong_categories.yml: -------------------------------------------------------------------------------- 1 | opendistro_security: 2 | audit: 3 | type: debug 4 | endpoints: 5 | ENDPOINT1: 6 | type: internal_elasticsearch 7 | endpoint2: 8 | type: external_elasticsearch 9 | endPoint3: 10 | type: debug 11 | routes: 12 | MissIng_PrIVILEGEs: 13 | endpoints: 14 | - default 15 | - endpoint1 16 | - endpoint2 17 | COMPLIANCE: 18 
| endpoints: 19 | - endpoint3 20 | - default 21 | WRONG: 22 | endpoints: 23 | - endpoint3 24 | - default 25 | granted_PrIVILEGEs: 26 | endpoints: 27 | - EndPoint1 28 | - Endpoint3 29 | - DeFault 30 | authenticated: 31 | endpoints: 32 | - EndPoint1 33 | BAD_HEADERS: 34 | endpoints: 35 | - endpoint4 -------------------------------------------------------------------------------- /src/test/resources/auditlog/endpoints/routing/configuration_wrong_endpoint_names.yml: -------------------------------------------------------------------------------- 1 | opendistro_security: 2 | audit: 3 | type: internal_elasticsearch 4 | endpoints: 5 | endpoint1: 6 | type: internal_elasticsearch 7 | endpoint2: 8 | type: external_elasticsearch 9 | config: 10 | http_endpoints: ['localhost:9200','localhost:9201','localhost:9202'] 11 | index: auditlog 12 | username: auditloguser 13 | password: auditlogpassword 14 | enable_ssl: false 15 | verify_hostnames: false 16 | enable_ssl_client_auth: false 17 | endpoint3: 18 | type: debug 19 | routes: 20 | MISSING_PRIVILEGEs: 21 | endpoints: 22 | - endpoint1 23 | - nonexisting 24 | - endpoint1 25 | - endpoint1 26 | - wrong 27 | - endpoint3 28 | COMPLIANCE_DOC_READ: 29 | endpoints: 30 | - nothinghere 31 | COMPLIANCE_DOC_WRITE: 32 | endpoints: 33 | - default -------------------------------------------------------------------------------- /src/test/resources/auditlog/endpoints/routing/configuration_wrong_endpoint_types.yml: -------------------------------------------------------------------------------- 1 | opendistro_security: 2 | audit: 3 | type: debug 4 | endpoints: 5 | endpoint1: 6 | type: interrrrnal_elasticsearch 7 | endpoint2: 8 | type: external_elasticsearch 9 | config: 10 | http_endpoints: ['localhost:9200','localhost:9201','localhost:9202'] 11 | index: auditlog 12 | username: auditloguser 13 | password: auditlogpassword 14 | enable_ssl: false 15 | verify_hostnames: false 16 | enable_ssl_client_auth: false 17 | endpoint3: 18 | type: debug 19 | 
routes: 20 | MISSInG_PRIVILEGEs: 21 | endpoints: 22 | - endpoint1 23 | - endpoint2 24 | - endpoint3 25 | - default 26 | COMPLIANCE_DOC_READ: 27 | endpoints: 28 | - nothinghere 29 | COMPLIANCE_DOC_WRITE: 30 | endpoints: 31 | - default -------------------------------------------------------------------------------- /src/test/resources/auditlog/endpoints/routing/fallback.yml: -------------------------------------------------------------------------------- 1 | opendistro_security: 2 | audit: 3 | type: com.amazon.opendistroforelasticsearch.security.auditlog.helper.LoggingSink 4 | endpoints: 5 | endpoint1: 6 | type: com.amazon.opendistroforelasticsearch.security.auditlog.helper.FailingSink 7 | endpoint2: 8 | type: com.amazon.opendistroforelasticsearch.security.auditlog.helper.LoggingSink 9 | endpoint3: 10 | type: com.amazon.opendistroforelasticsearch.security.auditlog.helper.FailingSink 11 | endpoint4: 12 | type: com.amazon.opendistroforelasticsearch.security.auditlog.helper.LoggingSink 13 | endpoint5: 14 | type: com.amazon.opendistroforelasticsearch.security.auditlog.helper.LoggingSink 15 | fallback: 16 | type: com.amazon.opendistroforelasticsearch.security.auditlog.helper.LoggingSink 17 | routes: 18 | MISSING_PRIVILEGEs: 19 | endpoints: 20 | - endpoint1 21 | - endpoint2 22 | - default 23 | COMPLIANCE_DOC_READ: 24 | endpoints: 25 | - endpoint3 26 | COMPLIANCE_DOC_WRITE: 27 | endpoints: 28 | - default 29 | bad_Headers: 30 | endpoints: 31 | - endpoint4 32 | - endpoint5 33 | fallback: 34 | type: com.amazon.opendistroforelasticsearch.security.auditlog.helper.LoggingSink -------------------------------------------------------------------------------- /src/test/resources/auditlog/endpoints/routing/perftest.yml: -------------------------------------------------------------------------------- 1 | opendistro_security: 2 | audit: 3 | type: com.amazon.opendistroforelasticsearch.security.auditlog.helper.SlowSink 4 | endpoints: 5 | endpoint1: 6 | type: 
com.amazon.opendistroforelasticsearch.security.auditlog.helper.SlowSink 7 | routes: 8 | MISSING_PRIVILEGEs: 9 | endpoints: 10 | - endpoint1 11 | fallback: 12 | type: com.amazon.opendistroforelasticsearch.security.auditlog.helper.LoggingSink -------------------------------------------------------------------------------- /src/test/resources/auditlog/endpoints/routing/routing.yml: -------------------------------------------------------------------------------- 1 | opendistro_security: 2 | audit: 3 | type: com.amazon.opendistroforelasticsearch.security.auditlog.helper.LoggingSink 4 | endpoints: 5 | endpoint1: 6 | type: com.amazon.opendistroforelasticsearch.security.auditlog.helper.LoggingSink 7 | endpoint2: 8 | type: com.amazon.opendistroforelasticsearch.security.auditlog.helper.LoggingSink 9 | endpoint3: 10 | type: com.amazon.opendistroforelasticsearch.security.auditlog.helper.LoggingSink 11 | routes: 12 | MISSING_PRIVILEGEs: 13 | endpoints: 14 | - endpoint1 15 | - endpoint2 16 | - default 17 | COMPLIANCE_DOC_READ: 18 | endpoints: 19 | - endpoint3 20 | COMPLIANCE_DOC_WRITE: 21 | endpoints: 22 | - default -------------------------------------------------------------------------------- /src/test/resources/auditlog/endpoints/sink/configuration_all_variants.yml: -------------------------------------------------------------------------------- 1 | opendistro_security: 2 | audit: 3 | type: debug 4 | endpoints: 5 | eNDpoint1: 6 | type: internal_elasticsearch 7 | config: 8 | key: value 9 | wedontneed: anyconfigforinternal 10 | endpoint2: 11 | type: external_elasticsearch 12 | endPOINT3: 13 | type: debug 14 | endpoint4: 15 | type: idonotexist 16 | endpoint5: 17 | type: external_elasticsearch 18 | something: 19 | key: value 20 | endpoint6: 21 | something: 22 | key: value 23 | endpoint7: 24 | config: 25 | key: value 26 | endpoint8: 27 | type: DeBug 28 | config: 29 | key: value 30 | endpoint9: 31 | type: external_elasticsearch 32 | config: 33 | endpoints: stringhere 34 | 
endpoint10: 35 | type: log4j 36 | config: 37 | log4j.logger_name: loggername 38 | log4j.level: WaRn 39 | endpoint11: 40 | type: log4j 41 | config: 42 | log4j.logger_name: loggername 43 | endpoint12: 44 | type: log4j 45 | config: 46 | log4j.logger_name: loggername 47 | log4j.level: invalid 48 | -------------------------------------------------------------------------------- /src/test/resources/auditlog/endpoints/sink/configuration_kafka.yml: -------------------------------------------------------------------------------- 1 | opendistro_security: 2 | audit: 3 | type: kafka 4 | config: 5 | bootstrap_servers: _RPLC_BOOTSTRAP_SERVERS_ 6 | topic_name: compliance 7 | client_id: elasticsearch_cluster_1 -------------------------------------------------------------------------------- /src/test/resources/auditlog/endpoints/sink/configuration_no_default.yml: -------------------------------------------------------------------------------- 1 | opendistro_security: 2 | audit: 3 | endpoints: 4 | eNDpoint1: 5 | type: iNternaL_elasticsearch 6 | config: 7 | key: value 8 | wedontneed: anyconfigforinternal 9 | endpoint2: 10 | type: external_elasticsearch 11 | endPOINT3: 12 | type: debug 13 | endpoint4: 14 | type: idonotexist 15 | endpoint5: 16 | type: external_elasticsearch 17 | something: 18 | key: value 19 | endpoint6: 20 | something: 21 | key: value 22 | endpoint7: 23 | config: 24 | key: value 25 | endpoint8: 26 | type: DeBug 27 | config: 28 | key: value 29 | endpoint9: 30 | type: external_elasticsearch 31 | config: 32 | endpoints: stringhere -------------------------------------------------------------------------------- /src/test/resources/auditlog/endpoints/sink/configuration_no_multiple_endpoints.yml: -------------------------------------------------------------------------------- 1 | opendistro_security.audit.type: internal_elasticsearch 2 | opendistro_security.audit.config.index: "myownindex" 3 | opendistro_security.audit.config.type: "auditevents" 4 | 
opendistro_security.audit.threadpool.size: 5 5 | opendistro_security.audit.threadpool.max_queue_len: 200000 -------------------------------------------------------------------------------- /src/test/resources/auditlog/endpoints/sink/configuration_tls.yml: -------------------------------------------------------------------------------- 1 | opendistro_security.ssl.transport.enabled: true 2 | opendistro_security.ssl.transport.keystore_filepath: "transport.keystore_filepath" 3 | opendistro_security.ssl.transport.truststore_filepath: "transport.truststore_filepath" 4 | opendistro_security.ssl.transport.enforce_hostname_verification: true 5 | opendistro_security.ssl.transport.resolve_hostname: true 6 | opendistro_security.ssl.transport.enable_openssl_if_available: true 7 | opendistro_security.ssl.http.enabled: true 8 | opendistro_security.ssl.http.keystore_filepath: "http.keystore_filepath" 9 | opendistro_security.ssl.http.truststore_filepath: "http.truststore_filepath" 10 | opendistro_security.ssl.http.enable_openssl_if_available: true 11 | opendistro_security.ssl.http.clientauth_mode: OPTIONAL 12 | 13 | opendistro_security: 14 | audit: 15 | type: webhook 16 | config: 17 | webhook: 18 | url: https://localhost:8083 19 | format: JSON 20 | ssl: 21 | verify: true 22 | pemtrustedcas_filepath: dyn 23 | endpoints: 24 | endpoint1: 25 | type: webhook 26 | config: 27 | webhook: 28 | url: https://localhost:8083 29 | format: JSON 30 | ssl: 31 | verify: true 32 | pemtrustedcas_filepath: dyn 33 | endpoint2: 34 | type: webhook 35 | config: 36 | webhook: 37 | url: https://localhost:8083 38 | format: JSON 39 | ssl: 40 | verify: true 41 | pemtrustedcas_content: dyn 42 | fallback: 43 | type: com.amazon.opendistroforelasticsearch.security.auditlog.helper.LoggingSink 44 | -------------------------------------------------------------------------------- /src/test/resources/auditlog/internal_users.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 
_meta: 3 | type: "internalusers" 4 | config_version: 2 5 | admin: 6 | hash: "$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG" 7 | reserved: false 8 | hidden: false 9 | backend_roles: [] 10 | attributes: {} 11 | description: "Migrated from v6" 12 | admin2: 13 | hash: "$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG" 14 | reserved: false 15 | hidden: false 16 | backend_roles: [] 17 | attributes: {} 18 | description: "Migrated from v6" 19 | worf: 20 | hash: "$2a$12$A41IxPXV1/Dx46C6i1ufGubv.p3qYX7xVcY46q33sylYbIqQVwTMu" 21 | reserved: false 22 | hidden: false 23 | backend_roles: [] 24 | attributes: {} 25 | description: "Migrated from v6" -------------------------------------------------------------------------------- /src/test/resources/auditlog/kirk-keystore.jks: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opendistro-for-elasticsearch/deprecated-security-advanced-modules/040bd24e1d99070abad1394a4166aa9a215514ec/src/test/resources/auditlog/kirk-keystore.jks -------------------------------------------------------------------------------- /src/test/resources/auditlog/kirk-keystore.p12: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opendistro-for-elasticsearch/deprecated-security-advanced-modules/040bd24e1d99070abad1394a4166aa9a215514ec/src/test/resources/auditlog/kirk-keystore.p12 -------------------------------------------------------------------------------- /src/test/resources/auditlog/kirk.crt.pem: -------------------------------------------------------------------------------- 1 | Bag Attributes 2 | friendlyName: kirk 3 | localKeyID: 54 69 6D 65 20 31 35 32 35 35 33 31 30 33 36 39 34 34 4 | subject=/C=DE/L=Test/O=client/OU=client/CN=kirk 5 | issuer=/DC=com/DC=example/O=Example Com Inc./OU=Example Com Inc. Signing CA/CN=Example Com Inc. 
Signing CA 6 | -----BEGIN CERTIFICATE----- 7 | MIIEQDCCAyigAwIBAgIBCDANBgkqhkiG9w0BAQsFADCBlTETMBEGCgmSJomT8ixk 8 | ARkWA2NvbTEXMBUGCgmSJomT8ixkARkWB2V4YW1wbGUxGTAXBgNVBAoMEEV4YW1w 9 | bGUgQ29tIEluYy4xJDAiBgNVBAsMG0V4YW1wbGUgQ29tIEluYy4gU2lnbmluZyBD 10 | QTEkMCIGA1UEAwwbRXhhbXBsZSBDb20gSW5jLiBTaWduaW5nIENBMB4XDTE4MDUw 11 | NTE0MzcxNloXDTI4MDUwMjE0MzcxNlowTTELMAkGA1UEBhMCREUxDTALBgNVBAcT 12 | BFRlc3QxDzANBgNVBAoTBmNsaWVudDEPMA0GA1UECxMGY2xpZW50MQ0wCwYDVQQD 13 | EwRraXJrMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt7iBnBLbkmCK 14 | MEkc9meRsLmtrYeKKbkPL/CNogjP5fhIH5vSWd2+vSzgENAXtaHkhLrDiqi6vnny 15 | +r0KaluCsuYGZkisMMcPku3sODGtHakuWts4YYLqHtZWvsR4F8ioHJ1E+gdG+ACj 16 | df4MvWR+MkG5tswceqwfltpZti0xzUOTCowFdtZ6NaCoWPMgmg85T3hjWGe7SSSI 17 | gJDAWpJAETCb4RIKrSS26dlESdgU6zj4QowEV+/gKdLKO9pVo5mOKKuDNYLMzN6m 18 | 1Q7abUQFeTAgIq6MX9YSJ40Qj7fWWq2OB/hJNTHN9LfTra9/ZMKPt5ecyBCTRpr+ 19 | KmXlMEg+BwIDAQABo4HhMIHeMA4GA1UdDwEB/wQEAwIFoDAJBgNVHRMEAjAAMB0G 20 | A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQUOXz2tftJLgWX 21 | +hwbtJmItC0nJ8cwHwYDVR0jBBgwFoAUlHfikzELP7bny+WOakSkxOMEweAwYgYD 22 | VR0fBFswWTBXoFWgU4ZRaHR0cHM6Ly9yYXcuZ2l0aHVidXNlcmNvbnRlbnQuY29t 23 | L2Zsb3JhZ3VubmNvbS91bml0dGVzdC1hc3NldHMvbWFzdGVyL3Jldm9rZWQuY3Js 24 | MA0GCSqGSIb3DQEBCwUAA4IBAQAORNkM6q4j1ELFStU3CVI0AJIepZQ4JoBPLOUN 25 | K0tvnnzRuTEM57kaydg2PmbG1YUY6XS3S/IFyUZic95rPMxUUL8gGGCs1lJLq3i9 26 | Kt7aN0oyrnL00N2h8EDgi1WFjTYF0l/L52zKrxIOc7fAo1M0HLOHiPUq21A6hCrS 27 | VsBOeXB8GBgpKIqMLtx0wYDIwK3ItadGZ8B/rwH8rimMZHSSXvjd2RUQtaEHw5yj 28 | 7zSE+0CogoMWuBjiSWl5WzQ0RWHnYQVunzuCnMZVRTk04yO4L2ctPWqlRVUlXM7A 29 | y/YZiBL/k1uu28QVRcP1XzH63XE4MAQMcShvTbAZAoSWAJkV 30 | -----END CERTIFICATE----- 31 | -------------------------------------------------------------------------------- /src/test/resources/auditlog/kirk.key.pem: -------------------------------------------------------------------------------- 1 | Bag Attributes 2 | friendlyName: kirk 3 | localKeyID: 54 69 6D 65 20 31 35 32 35 35 33 31 30 33 36 39 34 34 4 | Key 
Attributes: 5 | -----BEGIN PRIVATE KEY----- 6 | MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC3uIGcEtuSYIow 7 | SRz2Z5Gwua2th4opuQ8v8I2iCM/l+Egfm9JZ3b69LOAQ0Be1oeSEusOKqLq+efL6 8 | vQpqW4Ky5gZmSKwwxw+S7ew4Ma0dqS5a2zhhguoe1la+xHgXyKgcnUT6B0b4AKN1 9 | /gy9ZH4yQbm2zBx6rB+W2lm2LTHNQ5MKjAV21no1oKhY8yCaDzlPeGNYZ7tJJIiA 10 | kMBakkARMJvhEgqtJLbp2URJ2BTrOPhCjARX7+Ap0so72lWjmY4oq4M1gszM3qbV 11 | DtptRAV5MCAiroxf1hInjRCPt9ZarY4H+Ek1Mc30t9Otr39kwo+3l5zIEJNGmv4q 12 | ZeUwSD4HAgMBAAECggEBAKvAJhKVIoW2EJnRT+0ep3mSK8YlBsm4gnUrqgyHtmtj 13 | 73D1R/HRNiY+FH5DO1cGsM5QlstCr8mv0bIMFfeV8xpxphvq5mZ3QZz3JbTm49Lt 14 | vTMc65llPJ91ewS+QRLi+B4//CLNuM/SMP32cUyA7OTowsgcCqe3z5RELkf7+inL 15 | 4b4VhB2xI3f/g7QaZgVI2felL0g/kXZuZTycoYVcmHeuPeYqUiJoO9ctB3MGwHwj 16 | y0cYYTy5czXKn4QhJRGXYk3gzoL2RK0K/8TsopqrWhcAMyJD6jjPwhhcihM1n+tx 17 | vGCxH6HsFaPwz6Uko8cLjpvbAumltsstkusliSU86UkCgYEA8HG8PxI3NKANO6qo 18 | PnBh58q0DajEaMN4mIwsVZKSPonmySBcNWePXOFNd5sUk4Ccxtym/uRj46ee+Q/G 19 | wMhYbxU1yGlX+h0L9TR14Zl6Lqa2jueUpkgZC2m1PlKHS1E4XqUpOVkGd5TWwWYj 20 | 89PNOteQeGHXhmLL7SOJd1B2+A0CgYEAw5tPKop08H+QYCJ06NukIypKa8AlyFZU 21 | oWACIaihzc6Czmjg9AjZLdyJA5uhO12QW58dkQ53ubT98GgwVz4OQf1p/JVvVpgs 22 | qRQd8bbeo/Ce/SDqK7POnR5g/1I4jorYJuoc29v4S6X8udsOGtRL6g5ShJRzTeCi 23 | yYoHS2USVWMCgYAtMGL9w5GmjVIPXbKDEaIE6z7NtmM7gUk/+lA2wPZFVKuQL0nF 24 | K7Jw9VMW4ImMc0aDxWKJUylG1vD0xDdJch3UurrB8LJ9KkpeCj8BaFPjQqfa0cFJ 25 | QxGZ6IMMtHwC9r/OYeIOiiHCBbIa5PRq1eqjXXIkfdcAxb6n0d77Ep9ZXQKBgDlM 26 | v64YjRT+aU6gCVtFLBnZA5/405iSIYx8UWOGwI9HVW4drvgNt4EFv2U9K8f2KpmM 27 | TN73O/88k77e5npIBWkzUN7a75iQT1TgPb1W8nVXwVspTy+qJnZENenVLhgjeBo+ 28 | LmIBWAThBN102/bkBbD0rRuFWRmRGl6rfmOJogs9AoGAJU68m2cC+mPTljUwFWlA 29 | CKf8iNkgrDkD9U2iFbnidVcXYzMsktTNvgJQsQFUxZKTW88jN5HLSZP5arO6vUBL 30 | IaOcCgDlA8y86+3ENAb+ZOyXKyDOGnKD7sBxip9zxR0p9Tc2zIyFzydnP7hxw2aw 31 | sXgy1G9RBFM0QDKAv7bxdBE= 32 | -----END PRIVATE KEY----- 33 | -------------------------------------------------------------------------------- /src/test/resources/auditlog/mapping1.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "dynamic": "strict", 3 | "properties":{ 4 | "title":{ 5 | "type":"text", 6 | "term_vector":"with_positions_offsets", 7 | "store":true 8 | }, 9 | "name":{ 10 | "type":"text", 11 | "term_vector":"with_positions_offsets" 12 | }, 13 | "age":{ 14 | "type":"integer" 15 | }, 16 | "created":{ 17 | "type":"date", 18 | "format":"strict_date_optional_time||epoch_millis" 19 | }, 20 | "session_data":{ 21 | "enabled":false 22 | }, 23 | "manager":{ 24 | "properties":{ 25 | "age":{ 26 | "type":"integer", 27 | "store":true 28 | }, 29 | "name":{ 30 | "type":"text", 31 | "store":true 32 | }, 33 | "inner":{ 34 | "properties":{ 35 | "a":{ 36 | "type":"integer", 37 | "store":true 38 | }, 39 | "b":{ 40 | "type":"text", 41 | "store":true 42 | } 43 | } 44 | } 45 | } 46 | }, 47 | "employees":{ 48 | "type":"nested", 49 | "properties":{ 50 | "age":{ 51 | "type":"integer" 52 | }, 53 | "name":{ 54 | "type":"text", 55 | "store": true 56 | } 57 | } 58 | }, 59 | "city":{ 60 | "type":"text", 61 | "fields":{ 62 | "raw":{ 63 | "type":"keyword" 64 | }, 65 | "stored":{ 66 | "type":"keyword", 67 | "store":true 68 | }, 69 | "disa":{ 70 | "type":"text", 71 | "term_vector":"with_positions_offsets" 72 | } 73 | } 74 | } 75 | } 76 | } -------------------------------------------------------------------------------- /src/test/resources/auditlog/mapping2.json: -------------------------------------------------------------------------------- 1 | { 2 | "_source":{ 3 | "enabled":false 4 | }, 5 | "dynamic": "strict", 6 | "properties":{ 7 | "title":{ 8 | "type":"text", 9 | "term_vector":"with_positions_offsets", 10 | "store":true 11 | }, 12 | "name":{ 13 | "type":"text", 14 | "term_vector":"with_positions_offsets" 15 | }, 16 | "age":{ 17 | "type":"integer" 18 | }, 19 | "created":{ 20 | "type":"date", 21 | "format":"strict_date_optional_time||epoch_millis" 22 | }, 23 | "session_data":{ 24 | "enabled":false 25 | }, 26 | 
"manager":{ 27 | "properties":{ 28 | "age":{ 29 | "type":"integer", 30 | "store":true 31 | }, 32 | "name":{ 33 | "type":"text", 34 | "store":true 35 | }, 36 | "inner":{ 37 | "properties":{ 38 | "a":{ 39 | "type":"integer", 40 | "store":true 41 | }, 42 | "b":{ 43 | "type":"text", 44 | "store":true 45 | } 46 | } 47 | } 48 | } 49 | }, 50 | "employees":{ 51 | "type":"nested", 52 | "properties":{ 53 | "age":{ 54 | "type":"integer" 55 | }, 56 | "name":{ 57 | "type":"text", 58 | "store": true 59 | } 60 | } 61 | }, 62 | "city":{ 63 | "type":"text", 64 | "fields":{ 65 | "raw":{ 66 | "type":"keyword" 67 | }, 68 | "stored":{ 69 | "type":"keyword", 70 | "store":true 71 | }, 72 | "disa":{ 73 | "type":"text", 74 | "term_vector":"with_positions_offsets" 75 | } 76 | } 77 | } 78 | } 79 | } -------------------------------------------------------------------------------- /src/test/resources/auditlog/mapping3.json: -------------------------------------------------------------------------------- 1 | { 2 | "dynamic":"strict", 3 | "properties":{ 4 | "joinfield":{ 5 | "type":"join", 6 | "relations":{ 7 | "question":"answer" 8 | } 9 | }, 10 | "text":{ 11 | "type":"text", 12 | "term_vector":"with_positions_offsets", 13 | "store":true 14 | } 15 | } 16 | } -------------------------------------------------------------------------------- /src/test/resources/auditlog/mapping4.json: -------------------------------------------------------------------------------- 1 | { 2 | "_source":{ 3 | "enabled":false 4 | }, 5 | "dynamic":"strict", 6 | "properties":{ 7 | "joinfield":{ 8 | "type":"join", 9 | "relations":{ 10 | "question":"answer" 11 | } 12 | }, 13 | "text":{ 14 | "type":"text", 15 | "term_vector":"with_positions_offsets", 16 | "store":true 17 | } 18 | } 19 | } -------------------------------------------------------------------------------- /src/test/resources/auditlog/messageasjson.json: -------------------------------------------------------------------------------- 1 | { 2 | "Headers": "[]", 3 
| "Request User": "John Doe", 4 | "Category": "FAILED_LOGIN", 5 | "Context": "[_opendistro_security_user=>User [name=John Doe, roles=[]], _opendistro_security_ssl_transport_principal=>CN=kirk,OU=client,O=client,L=test,C=DE, _opendistro_security_remote_address=>8.8.8.8]", 6 | "Date": "Sat Nov 19 11:30:26 EET 2016", 7 | "Request class": "class org.elasticsearch.common.ContextAndHeaderHolder", 8 | "Details": "Details", 9 | "Remote Address": "8.8.8.8", 10 | "TLS Principal": "CN=kirk,OU=client,O=client,L=test,C=DE", 11 | "Reason": "Forbidden" 12 | } -------------------------------------------------------------------------------- /src/test/resources/auditlog/node-0-keystore.jks: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opendistro-for-elasticsearch/deprecated-security-advanced-modules/040bd24e1d99070abad1394a4166aa9a215514ec/src/test/resources/auditlog/node-0-keystore.jks -------------------------------------------------------------------------------- /src/test/resources/auditlog/node-0-keystore.p12: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opendistro-for-elasticsearch/deprecated-security-advanced-modules/040bd24e1d99070abad1394a4166aa9a215514ec/src/test/resources/auditlog/node-0-keystore.p12 -------------------------------------------------------------------------------- /src/test/resources/auditlog/node-0.key.pem: -------------------------------------------------------------------------------- 1 | Bag Attributes 2 | friendlyName: node-0 3 | localKeyID: 54 69 6D 65 20 31 35 32 35 35 33 31 30 33 30 31 36 38 4 | Key Attributes: 5 | -----BEGIN PRIVATE KEY----- 6 | MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCHmPoPLQepo/kx 7 | l74ouRvLjalQmfs5pB9nsBgclezxdDRoH7d4d+Xnu5sYOWxvFlz2zzwu6E+jVjcW 8 | uCPtJsf8pV4PSdzTi5JYO+EWXFsvbtz5Oik+DvlhMLwpxfLiYr4G3Wh3bzLGejrP 9 | 
Xxeug6ioER/vTzoxjszIOd264un8HWfAaKNgzfaT4o/0cltG70kwy3XoZBiZtC0Y 10 | kSqjkTxYA/92hOIfV/9wBJJKhqIBHgvOOGNt/oES+0RArnUEW+qEb+o3bb2OjKI4 11 | 57GItlv9sJ1F0Z5s46k5v24GOojUWVVzhOAh/IIqb9ABOKdkwsJxKXo1xRMWBwmR 12 | TFmf0NoTAgMBAAECggEARFPRrdQDCHiYGWVdbSfZ2biImRT+gw0wxg72F3F09Daa 13 | Md3JlerU7vCaNpq5CUE7lyLWMMzfVG8dU1V2xQnFvImX3BxcKj0qgUurIJlpWX2D 14 | 3BJytdLV1yO3rVUSDwGyv8LR4V0nONxexiAkzsuJMSdv8Cb8K/zJNBv0nze4sFFd 15 | 9Mb3rlHTm+gVXk6Qa+2j5hQkfwCQ0HQnyyXnFb99YZIBVMaBkn6oUkdbbwn2BdH+ 16 | BxypwbDRgB/FoRhwMIah9CBLyuqZt26KiVKUnscemvuI/H3sH1H1veH2shpqWIeD 17 | JcNWs2IbS8kbGW7wDc5lrzRpTLSiVs6g7gIk7KRQAQKBgQD1uIT8+3QnWZpr1i+1 18 | coYJzgFWlghJVEj9SqVVFsC82aLDYaTd2S84anCYV9yDnO85se5qA7z+DE+jBF6S 19 | uy1u5iFsUOyrEXeSXK46Os0sg8V93ez4mcCfDamrXTq95QZxWVeIcWjB9mwzoCj9 20 | gLtFkd74tVHBgLhYqYE4x1a5yQKBgQCNRR9WG1rJanBw98e+LriBN7A97ti11j+W 21 | geh30PsEMtmFtBHztUoO1BeXSy5L6ZQADjDKDEhPDLzzFt6iN2RqynG3nKf7ZzBV 22 | YXTE0C0suzRFLE4B4IwOBLUa0I50teIOav67+o4t/KmCzx93T7M+YRLAATXuRQ1E 23 | R8UHLjwi+wKBgDd/b3n8CSYCFOCaRbhDn4aDYsX9qO12/e1HeMQZGXsN5LcgTK5W 24 | qVWipL+jyIhpX5a2W1TSd1Mh0LLO/9VANWjAzXe7Z1jT3x/NkwRP15tgP7DH+QfF 25 | Ij5KRbIQon3VRnk/ZofIpZJ5Z8LZP6jR9HooEiY2PbroqbpMvoTmcO4RAoGAIW/y 26 | 8taWroXbB2IejQ1R7oPX21DlSmTjuCQXegSk5WGDyvnMJfsLBGd/DfhlhOJMfZbe 27 | RXSSyOMi9ga7u3mQ8xXnxKX3vLG35v2iPdNoXeYRgS3zaM5VWBwVIburfERwtSju 28 | EmBDtu7O0H9l2z+qFWG0pm2i7jq54Sd7oy92XHECgYEAs+ke0hR19C0bGPrcGr9U 29 | o5JSsMIcqESYtrkJ3YR62k+guzDc6t3KRIFDzLv9I4s4Dpssn46QKnMYW/KUBxv7 30 | pHkdZUtJagYPqeMIKPWR+UnwsmDDFJ9R/9U7Pf/9MMaQf7U64ffh3Qxdod/MEyI8 31 | uUwbul3fmSa4OAjHhSNPoSk= 32 | -----END PRIVATE KEY----- 33 | -------------------------------------------------------------------------------- /src/test/resources/auditlog/roles.yml: -------------------------------------------------------------------------------- 1 | --- 2 | _meta: 3 | type: "roles" 4 | config_version: 2 5 | opendistro_security_all_access: 6 | reserved: false 7 | hidden: false 8 | description: "Migrated from v6 (all types mapped)" 9 | 
cluster_permissions:  # "*" below matches every cluster-level action; this file sits under src/test/resources and is a test fixture
10 | - "*"
11 | index_permissions:
12 | - index_patterns:
13 | - "*"
14 | dls: null
15 | fls: null
16 | masked_fields: null
17 | allowed_actions:
18 | - "*"
19 | tenant_permissions: []
20 | opendistro_security_worf:  # all cluster actions, and all index actions on indices matching "worf*"
21 | reserved: false
22 | hidden: false
23 | description: "Migrated from v6 (all types mapped)"
24 | cluster_permissions:
25 | - "*"
26 | index_permissions:
27 | - index_patterns:
28 | - "worf*"
29 | dls: null
30 | fls: null
31 | masked_fields: null
32 | allowed_actions:
33 | - "*"
34 | tenant_permissions: []
35 | opendistro_security_dls_without_field_perm:  # dls (a query held in a string) limits the visible "deals" documents to amount 1000..20000
36 | reserved: false
37 | hidden: false
38 | description: "Migrated from v6 (all types mapped)"
39 | cluster_permissions:
40 | - "*"
41 | index_permissions:
42 | - index_patterns:
43 | - "deals"
44 | dls: "{\n \"range\" : {\n \"amount\" : {\n \"gte\" : 1000,\n \
45 | \ \"lte\" : 20000\n }\n }\n}\n"
46 | fls:  # no "~" prefix, so the entries act as an include list; "amount", which the dls query filters on, is not in it
47 | - "customer.*"
48 | - "zip"
49 | masked_fields: null
50 | allowed_actions:
51 | - "OPENDISTRO_SECURITY_READ"
52 | tenant_permissions: []
53 | opendistro_security_dls_without_field_perm3:  # same shape as the role above, with a term query on "msgid" as the document filter
54 | reserved: false
55 | hidden: false
56 | description: "Migrated from v6 (all types mapped)"
57 | cluster_permissions:
58 | - "*"
59 | index_permissions:
60 | - index_patterns:
61 | - "deals"
62 | dls: "{\"term\" : {\"msgid\" : \"12\"}}"
63 | fls:  # include list again; "msgid" is used by the dls query but not listed here
64 | - "customer.*"
65 | - "zip"
66 | masked_fields: null
67 | allowed_actions:
68 | - "OPENDISTRO_SECURITY_READ"
69 | tenant_permissions: []
70 | 
--------------------------------------------------------------------------------
/src/test/resources/auditlog/roles_2.yml:
--------------------------------------------------------------------------------
1 | ---
2 | _meta:
3 | type: "roles"
4 | config_version: 2
5 | opendistro_security_all_access:
6 | reserved: false
7 | hidden: false
8 | description: "Migrated from v6 (all types mapped)"
9 | cluster_permissions:
10 | - "*"
11 | index_permissions:
12 | - index_patterns:
13 | - "*"
14 | dls: null
15 | fls: null
16 | masked_fields: null
17 | allowed_actions:  # unlike roles.yml above, this "all_access" carries only the READ action group on every index
18 | - "OPENDISTRO_SECURITY_READ"
19 | tenant_permissions: []
20 | opendistro_security_dls_without_field_perm:
21 | reserved: false
22 | hidden: false
23 | description: "Migrated from v6 (all types mapped)"
24 | cluster_permissions:
25 | - "*"
26 | index_permissions:
27 | - index_patterns:
28 | - "deals"
29 | dls: "{\n \"range\" : {\n \"amount\" : {\n \"gte\" : 1000,\n \
30 | \ \"lte\" : 20000\n }\n }\n}\n"
31 | fls:
32 | - "customer.*"
33 | - "zip"
34 | masked_fields: null
35 | allowed_actions:
36 | - "OPENDISTRO_SECURITY_READ"
37 | tenant_permissions: []
38 | opendistro_security_dls_without_field_perm3:
39 | reserved: false
40 | hidden: false
41 | description: "Migrated from v6 (all types mapped)"
42 | cluster_permissions:
43 | - "*"
44 | index_permissions:
45 | - index_patterns:
46 | - "deals"
47 | dls: "{\"term\" : {\"msgid\" : \"12\"}}"
48 | fls:
49 | - "customer.*"
50 | - "zip"
51 | masked_fields: null
52 | allowed_actions:
53 | - "OPENDISTRO_SECURITY_READ"
54 | tenant_permissions: []
55 | opendistro_security_picard:
56 | reserved: false
57 | hidden: false
58 | description: "Migrated from v6 (all types mapped)"
59 | cluster_permissions:  # NOTE(review): "**" here versus "*" in the other roles; presumably deliberate test input, confirm with the test that loads this file
60 | - "**"
61 | index_permissions:
62 | - index_patterns:
63 | - "pica*"
64 | dls: null
65 | fls: null
66 | masked_fields: null
67 | allowed_actions:
68 | - "OPENDISTRO_SECURITY_READ"
69 | tenant_permissions: []
70 | 
--------------------------------------------------------------------------------
/src/test/resources/auditlog/roles_2_tenants.yml:
--------------------------------------------------------------------------------
1 | ---
2 | _meta:
3 | type: "tenants"
4 | config_version: 2
--------------------------------------------------------------------------------
/src/test/resources/auditlog/roles_mapping.yml:
--------------------------------------------------------------------------------
1 | ---
2 | _meta:
3 | type: "rolesmapping"
4 | config_version: 2
5 | 
opendistro_security_all_access: 6 | reserved: false 7 | hidden: false 8 | backend_roles: [] 9 | hosts: [] 10 | users: 11 | - "admin" 12 | - "admin2" 13 | - "CN=spock,OU=client,O=client,L=Test,C=DE" 14 | and_backend_roles: [] 15 | description: "Migrated from v6" 16 | opendistro_security_public: 17 | reserved: false 18 | hidden: false 19 | backend_roles: [] 20 | hosts: [] 21 | users: 22 | - "*" 23 | and_backend_roles: [] 24 | description: "Migrated from v6" 25 | opendistro_security_worf: 26 | reserved: false 27 | hidden: false 28 | backend_roles: [] 29 | hosts: [] 30 | users: 31 | - "worf" 32 | and_backend_roles: [] 33 | description: "Migrated from v6" -------------------------------------------------------------------------------- /src/test/resources/auditlog/roles_tenants.yml: -------------------------------------------------------------------------------- 1 | --- 2 | _meta: 3 | type: "tenants" 4 | config_version: 2 -------------------------------------------------------------------------------- /src/test/resources/auditlog/root-ca.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIID/jCCAuagAwIBAgIBATANBgkqhkiG9w0BAQsFADCBjzETMBEGCgmSJomT8ixk 3 | ARkWA2NvbTEXMBUGCgmSJomT8ixkARkWB2V4YW1wbGUxGTAXBgNVBAoMEEV4YW1w 4 | bGUgQ29tIEluYy4xITAfBgNVBAsMGEV4YW1wbGUgQ29tIEluYy4gUm9vdCBDQTEh 5 | MB8GA1UEAwwYRXhhbXBsZSBDb20gSW5jLiBSb290IENBMB4XDTE4MDUwNTE0Mzcw 6 | OFoXDTI4MDUwNDE0MzcwOFowgY8xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJ 7 | kiaJk/IsZAEZFgdleGFtcGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEw 8 | HwYDVQQLDBhFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0ExITAfBgNVBAMMGEV4YW1w 9 | bGUgQ29tIEluYy4gUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC 10 | ggEBAKYR4V2qdDbh2EMyNxQrXj4ucmA7b058s1zqiNwYQYRmQuZSp2hCmNcZuOa2 11 | 4yt0fXHSDLYNDdVKgC0K9nm25Tyw/ZxScKdiGyYAmzK+0mhaT5gZsovpHMSc8tco 12 | 10r6floxCkazLHaUgCAFv1uaNvIKK88KKHjXm5i0NPmx/4VW9IkJuYmi/ECdea5R 13 | 76LAB21ih8kroVI0eRhHB1VzbYE9izneMJ5UBfLHF2iMR/RTilgs5IAkpdlj6guh 
14 | CvSJsbOj0fmmcESUrPwKAEfhGVGfiE7b15Ho5ECQR6yn1CDiulpOLmthp7zcZ2jx 15 | BzevtTNeWzPom021hKG0nryoH5UCAwEAAaNjMGEwDgYDVR0PAQH/BAQDAgEGMA8G 16 | A1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFFvHubBG7v/2QuZe5M8S+FdMajAVMB8G 17 | A1UdIwQYMBaAFFvHubBG7v/2QuZe5M8S+FdMajAVMA0GCSqGSIb3DQEBCwUAA4IB 18 | AQAqW6C1XKJZH6GQydHFcUToLpm4YSypqZvD0Wf39dXNygih8szydtxtKEYjFivx 19 | O3oOa4v3J/52y4oNc2ksFyhXRAJhKEE58NHDGtb6eqUWWt9k2YrnsvD8k0hibjzt 20 | TmAWTYxYIMdF+4E0hfNUxkFmXXtThOoMhdcEqUYVXrVdrUOF9tVm49BCsQrrCkQw 21 | Q0vWvgTaik0sgsz4yaKI+iORt9qF74/Wf7KjLPpZR3OkkE1srfWhCszNzUB0CMD4 22 | 34v9bIRWtjzvVQTCNNm9PaB2tMkQmeK+jOR7ywItO0+mij0vDSK3bWGqTrfgAXUn 23 | pTIIfrQcZ1vrDg0lYzVgQ1iT 24 | -----END CERTIFICATE----- 25 | -------------------------------------------------------------------------------- /src/test/resources/auditlog/signing-ca.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIEBzCCAu+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBjzETMBEGCgmSJomT8ixk 3 | ARkWA2NvbTEXMBUGCgmSJomT8ixkARkWB2V4YW1wbGUxGTAXBgNVBAoMEEV4YW1w 4 | bGUgQ29tIEluYy4xITAfBgNVBAsMGEV4YW1wbGUgQ29tIEluYy4gUm9vdCBDQTEh 5 | MB8GA1UEAwwYRXhhbXBsZSBDb20gSW5jLiBSb290IENBMB4XDTE4MDUwNTE0Mzcw 6 | OFoXDTI4MDUwNDE0MzcwOFowgZUxEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJ 7 | kiaJk/IsZAEZFgdleGFtcGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSQw 8 | IgYDVQQLDBtFeGFtcGxlIENvbSBJbmMuIFNpZ25pbmcgQ0ExJDAiBgNVBAMMG0V4 9 | YW1wbGUgQ29tIEluYy4gU2lnbmluZyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP 10 | ADCCAQoCggEBANWsMh2EWiqH2eZmaiHreWG4NlhLZGcUbwzRIZT0HmeeBolQygGq 11 | cJE1MpzCMYdezjTRaws/FVA2dkrtcox2xGT6YG7sKqr+4VlIt3Pd0Sah/5dEdRJv 12 | RsN2mj8V8xNUZdduD6NnrIGW/wAoF4isDNJ3QlGFhPM0f0Of5TVFIyholgrevNLT 13 | 7D5rdUupIW192zQbOOuOxOmeXkunl8u35wq/VI/ZyJ4/mutCLR5sqd6/kOSDKQTU 14 | gQ+xIrs7LiuF1xZbCtRT3/PWnnD/GJulUsuJ0xOeEHkQaJuwRwYzqFkyVrEea2Wf 15 | U6XmSRZK9L0q5jy8TpCgzULlxb92POZd9ssCAwEAAaNmMGQwDgYDVR0PAQH/BAQD 16 | AgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFJR34pMxCz+258vljmpE 17 | 
pMTjBMHgMB8GA1UdIwQYMBaAFFvHubBG7v/2QuZe5M8S+FdMajAVMA0GCSqGSIb3 18 | DQEBCwUAA4IBAQAY22ahhmYBdYUpPwQEyEUexyTWal29sbV+R44qVKM6FDEEd/8Q 19 | cFe5cnguDqmLBwHDLey4eSsAHI5tBUtslPJMqobWbwzswxdZ9WCOaLBWlvZdK4XU 20 | hkrq919wENMT6DVagNdpNRmDA47G4eRha4oD1ZO2YCFM0H8rEWDRSlaAHsGHLR59 21 | cJ5AgPqAVrEMfP6WzxXW2ThY6HD1LsE69T20/CfR8/k826BkcYVHKR/MQ/YZOWXb 22 | ccfb7D5o/oMop0E4+huCdF7ZDOt7/f5+BAfJZ08GCMLy5GSxU9gf8WiT/yNBYETS 23 | DAj+BAKhzlzvsaC3E2lAeyUepIMN0B8YHjqV 24 | -----END CERTIFICATE----- 25 | -------------------------------------------------------------------------------- /src/test/resources/auditlog/spock-keystore.jks: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opendistro-for-elasticsearch/deprecated-security-advanced-modules/040bd24e1d99070abad1394a4166aa9a215514ec/src/test/resources/auditlog/spock-keystore.jks -------------------------------------------------------------------------------- /src/test/resources/auditlog/spock-keystore.p12: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opendistro-for-elasticsearch/deprecated-security-advanced-modules/040bd24e1d99070abad1394a4166aa9a215514ec/src/test/resources/auditlog/spock-keystore.p12 -------------------------------------------------------------------------------- /src/test/resources/auditlog/spock.crt.pem: -------------------------------------------------------------------------------- 1 | Bag Attributes 2 | friendlyName: spock 3 | localKeyID: 54 69 6D 65 20 31 35 32 35 35 33 31 30 33 35 36 38 39 4 | subject=/C=DE/L=Test/O=client/OU=client/CN=spock 5 | issuer=/DC=com/DC=example/O=Example Com Inc./OU=Example Com Inc. Signing CA/CN=Example Com Inc. 
Signing CA 6 | -----BEGIN CERTIFICATE----- 7 | MIIEQTCCAymgAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBlTETMBEGCgmSJomT8ixk 8 | ARkWA2NvbTEXMBUGCgmSJomT8ixkARkWB2V4YW1wbGUxGTAXBgNVBAoMEEV4YW1w 9 | bGUgQ29tIEluYy4xJDAiBgNVBAsMG0V4YW1wbGUgQ29tIEluYy4gU2lnbmluZyBD 10 | QTEkMCIGA1UEAwwbRXhhbXBsZSBDb20gSW5jLiBTaWduaW5nIENBMB4XDTE4MDUw 11 | NTE0MzcxNVoXDTI4MDUwMjE0MzcxNVowTjELMAkGA1UEBhMCREUxDTALBgNVBAcT 12 | BFRlc3QxDzANBgNVBAoTBmNsaWVudDEPMA0GA1UECxMGY2xpZW50MQ4wDAYDVQQD 13 | EwVzcG9jazCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOtJCa7B8MJ3 14 | 5PjnZ6OQbXtwt8bWHQgHiGKoIEqKGKRHzZZeTLvA/u++ihuHWQlSSeGF5flRiLW3 15 | 5wZlSykcyabIC1rxV32SuJ/6ebxOHLnGhLagJ+ZS1+ehd9ksDu+y3bWQnJFLec6n 16 | 4dThQAdNT6blqDcq5m/p7p/q/tJfNFLt6YMSrvxhopn5kC1tc5k5t6MbyLraXe7b 17 | u4ZaNNPsxho6ArJc5IktSwxgW1iqVxR2zC/5BghKFt3RKmZltVInX8IOZcWxSWvZ 18 | zdhBJonw/RGvBnvsXFW3NQ7v4yfAce4gWnZwvzKW6kXg1BZAh5vWcPnNzTkkl48n 19 | rMdfGP5tpF8CAwEAAaOB4TCB3jAOBgNVHQ8BAf8EBAMCBaAwCQYDVR0TBAIwADAd 20 | BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0OBBYEFPUR3m9eT6lZ 21 | 4rz7qj8hhxVe2VibMB8GA1UdIwQYMBaAFJR34pMxCz+258vljmpEpMTjBMHgMGIG 22 | A1UdHwRbMFkwV6BVoFOGUWh0dHBzOi8vcmF3LmdpdGh1YnVzZXJjb250ZW50LmNv 23 | bS9mbG9yYWd1bm5jb20vdW5pdHRlc3QtYXNzZXRzL21hc3Rlci9yZXZva2VkLmNy 24 | bDANBgkqhkiG9w0BAQsFAAOCAQEAL3COeHo9Dg1x78vhFmio0Nmfk46SmQz8n4vI 25 | qxWp0e+OoKdIZXpbVPV7SU4TEoXRG0tzOTd37kvDcMv95YUiYCuXbM23c7Y44JL2 26 | LHF0jIdUAuWFR/lchBB0rQiJshs6n0EqonAE/48zzSt7Vq6q+y8Q5sh4Eh1uyWMw 27 | vgH85r4+iRVQdnadPc3dv3clSkFhDgbAqyYPr27z9z92leqsyoP3Um4C3vX3bNXP 28 | /DxQE9YgT8E9AjAKoogyFGovG7RMZK9eh9FtnbwvGYGTBG6DE32l1xqrUfnMdSCs 29 | OzXIwhyhXaB/vafIZrOpFxZWRkyAsmsqlhTVHNf/QJy3CaEG4w== 30 | -----END CERTIFICATE----- 31 | -------------------------------------------------------------------------------- /src/test/resources/auditlog/spock.key.pem: -------------------------------------------------------------------------------- 1 | Bag Attributes 2 | friendlyName: spock 3 | localKeyID: 54 69 6D 65 20 31 35 32 35 35 33 31 30 33 35 36 38 39 4 | 
Key Attributes: 5 | -----BEGIN PRIVATE KEY----- 6 | MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDrSQmuwfDCd+T4 7 | 52ejkG17cLfG1h0IB4hiqCBKihikR82WXky7wP7vvoobh1kJUknhheX5UYi1t+cG 8 | ZUspHMmmyAta8Vd9krif+nm8Thy5xoS2oCfmUtfnoXfZLA7vst21kJyRS3nOp+HU 9 | 4UAHTU+m5ag3KuZv6e6f6v7SXzRS7emDEq78YaKZ+ZAtbXOZObejG8i62l3u27uG 10 | WjTT7MYaOgKyXOSJLUsMYFtYqlcUdswv+QYIShbd0SpmZbVSJ1/CDmXFsUlr2c3Y 11 | QSaJ8P0RrwZ77FxVtzUO7+MnwHHuIFp2cL8ylupF4NQWQIeb1nD5zc05JJePJ6zH 12 | Xxj+baRfAgMBAAECggEAWqD7ldEmiAHetPGNvjc3tMCqSXDYJeug4T+ZkJy4+S6f 13 | Rjh0ni2tBXQDhq8P4MNNqg0FlI+PdU+tMY168g8grZmIpjMoXDpT22uD0MDV18lb 14 | /WybceCfQZ20qHaMGlBvjixx4pWMCcoo9vL80tM4xzTXIsjnklwtinPeS/JYGUjF 15 | /DNhlEaZsIPd44CNDE7V9J8dTvqzQ1D6MRhjKGFYGDh+/CKT9wjOYXfBuUlqkDqj 16 | i7slfRIjfkg2qTWpd+EXZPRYci9vSBA5hCR+c2UmWJBJ8I8rrnjQwTnNNGdURsuD 17 | Uhnxwa/cDwnSS6kdSFKfrTbmgQaeU9u5Ks4i7nOSYQKBgQD5tRiLiGh57QLCR5zU 18 | q42Gobya3ujh30ErCtyRRB8+ZGOKhxJnxstIAx0jo1Mhae/sibeAGO7GLx9Zza6l 19 | TnrHl+q+HnegNZj5B9C0h6I5PKknb8hn0DEy1GOEyrHstuWwzI15HvbUOEWtHp+/ 20 | mEgCML0SYr8lWDveN0i1nB1lIwKBgQDxNucOKQyw27f8l+g5ObtCIQA9VVn+3BW+ 21 | A8zwbEN8ViQd/Rz5MY+sNLnBDDzYMJQ4tEOJ/TvAJfS8a/g4zmM4p+5hShdelD7J 22 | fjxqdxiDW8AI+2qyTeex5B7xTgrnPNRB7MPg6d5VlnNDoY6ZWcGLJC/OBmmr3x6f 23 | kGDjCIUNlQKBgQDxvYZTnu02DGO9XcLQiHxsuCt06xQdhxr55nv+DisJJfrP40/I 24 | M8YcoxcUp0sVcA+buP9y/bA7IOeC8wJ+emmWzNWu1KQO75R2kkBUZXKBYt6HlUo4 25 | Zm8avE7UAb8aYT4gWQclGPrwHMInhRw2SeB8bl68a+iM6Mycpny3hLlYbQKBgE+G 26 | wWDaydNZbWx7DNYpIYLo7HJMPJKZLxXpnNy7ZPiOUfQNKktCOtMUwxVRmpHQWl3j 27 | mMzaz6NHIEwq8LiR2wan3yD2U4QcLiMyWmrjfxJ34nVTptbIdpYg1s7J4zBfzr85 28 | d08k6+ed5byrfB81B2l/cb9kP9ypgCgtarQPcAaNAoGBAPP1QmafOEN60Zhdyqns 29 | IuagWpFtfVMBfqOMa06wUeJFqOdtXfwV46GabgeY1hccQ+82TpFJoJwyNb4Izs44 30 | EpMQ/UEU1BNj9SVjzsdIS5aA76bY8MPXQkabFPFueldS1rNfbETeugc36zZ+HRKe 31 | lYXJKjzIt3/carpCqctqPflH 32 | -----END PRIVATE KEY----- 33 | -------------------------------------------------------------------------------- /src/test/resources/auditlog/truststore.jks: 
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/opendistro-for-elasticsearch/deprecated-security-advanced-modules/040bd24e1d99070abad1394a4166aa9a215514ec/src/test/resources/auditlog/truststore.jks
--------------------------------------------------------------------------------
/src/test/resources/auditlog/truststore_fail.jks:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/opendistro-for-elasticsearch/deprecated-security-advanced-modules/040bd24e1d99070abad1394a4166aa9a215514ec/src/test/resources/auditlog/truststore_fail.jks
--------------------------------------------------------------------------------
/src/test/resources/cache/config.yml:
--------------------------------------------------------------------------------
1 | ---
2 | _meta:
3 | type: "config"
4 | config_version: 2
5 | config:
6 | dynamic:
7 | filtered_alias_mode: "warn"
8 | disable_rest_auth: false
9 | disable_intertransport_auth: false
10 | respect_request_indices_options: false
11 | license: null
12 | kibana:
13 | multitenancy_enabled: true
14 | server_username: "kibanaserver"
15 | index: ".kibana"
16 | http:
17 | anonymous_auth_enabled: false
18 | xff:  # X-Forwarded-For handling is switched off here; the internalProxies regex below covers private, link-local and loopback IPv4 ranges
19 | enabled: false
20 | internalProxies: "10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|192\\.168\\.\\d{1,3}\\\
21 | .\\d{1,3}|169\\.254\\.\\d{1,3}\\.\\d{1,3}|127\\.\\d{1,3}\\.\\d{1,3}\\.\\\
22 | d{1,3}|172\\.1[6-9]{1}\\.\\d{1,3}\\.\\d{1,3}|172\\.2[0-9]{1}\\.\\d{1,3}\\\
23 | .\\d{1,3}|172\\.3[0-1]{1}\\.\\d{1,3}\\.\\d{1,3}"
24 | remoteIpHeader: "X-Forwarded-For"
25 | authc:
26 | dummy_c_domain:  # authenticator and backend are Dummy* classes in the ...security.cache package, presumably test doubles; confirm they exist only under src/test
27 | http_enabled: true
28 | transport_enabled: true
29 | order: 0
30 | http_authenticator:
31 | challenge: false
32 | type: "com.amazon.opendistroforelasticsearch.security.cache.DummyHTTPAuthenticator"
33 | config: {}
34 | authentication_backend:
35 | type: "com.amazon.opendistroforelasticsearch.security.cache.DummyAuthenticationBackend"
36 | config: {}
37 | description: "Migrated from v6"
38 | authz:
39 | dummy_z_domain:  # authorization backend is likewise a Dummy* class from the same package
40 | http_enabled: true
41 | transport_enabled: true
42 | authorization_backend:
43 | type: "com.amazon.opendistroforelasticsearch.security.cache.DummyAuthorizer"
44 | config: {}
45 | description: "Migrated from v6"
46 | do_not_fail_on_forbidden: false
47 | multi_rolespan_enabled: false
48 | hosts_resolver_mode: "ip-only"
49 | transport_userrname_attribute: null  # NOTE(review): the key is spelled with a double "r" in this file; check the config parser before changing it
50 | 
51 | 
--------------------------------------------------------------------------------
/src/test/resources/cache/kirk-keystore.jks:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/opendistro-for-elasticsearch/deprecated-security-advanced-modules/040bd24e1d99070abad1394a4166aa9a215514ec/src/test/resources/cache/kirk-keystore.jks
--------------------------------------------------------------------------------
/src/test/resources/cache/node-0-keystore.jks:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/opendistro-for-elasticsearch/deprecated-security-advanced-modules/040bd24e1d99070abad1394a4166aa9a215514ec/src/test/resources/cache/node-0-keystore.jks
--------------------------------------------------------------------------------
/src/test/resources/cache/roles_tenants.yml:
--------------------------------------------------------------------------------
1 | ---
2 | _meta:
3 | type: "tenants"
4 | config_version: 2
5 | performance_data:
6 | reserved: false
7 | hidden: false
8 | description: "Migrated from v6"
9 | enterprise_tenant:
10 | reserved: false
11 | hidden: false
12 | description: "Migrated from v6"
13 | adm_tenant:
14 | reserved: false
15 | hidden: false
16 | description: "Migrated from v6"
17 | PerFormance ___Reviews/&%%/&&/:  # tenant name with spaces and punctuation, presumably there to exercise name handling; confirm against the test
18 | reserved: false
19 | hidden: false
20 | description: "Migrated from
v6" 21 | business_intelligence: 22 | reserved: false 23 | hidden: false 24 | description: "Migrated from v6" 25 | command_tenant: 26 | reserved: false 27 | hidden: false 28 | description: "Migrated from v6" 29 | test_tenant_ro: 30 | reserved: false 31 | hidden: false 32 | description: "Migrated from v6" 33 | management: 34 | reserved: false 35 | hidden: false 36 | description: "Migrated from v6" 37 | finance_management: 38 | reserved: false 39 | hidden: false 40 | description: "Migrated from v6" 41 | test_tenant_rw: 42 | reserved: false 43 | hidden: false 44 | description: "Migrated from v6" 45 | PerFormance ___Reviews%%%!!!: 46 | reserved: false 47 | hidden: false 48 | description: "Migrated from v6" 49 | finance: 50 | reserved: false 51 | hidden: false 52 | description: "Migrated from v6" 53 | human_resources: 54 | reserved: false 55 | hidden: false 56 | description: "Migrated from v6" 57 | -------------------------------------------------------------------------------- /src/test/resources/cache/spock-keystore.jks: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opendistro-for-elasticsearch/deprecated-security-advanced-modules/040bd24e1d99070abad1394a4166aa9a215514ec/src/test/resources/cache/spock-keystore.jks -------------------------------------------------------------------------------- /src/test/resources/cache/truststore.jks: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opendistro-for-elasticsearch/deprecated-security-advanced-modules/040bd24e1d99070abad1394a4166aa9a215514ec/src/test/resources/cache/truststore.jks -------------------------------------------------------------------------------- /src/test/resources/dlsfls/doc1.json: -------------------------------------------------------------------------------- 1 | { 2 | 3 | "customer": { 4 | "name": "", 5 | "type": "normal", 6 | "xnum": 2000, 7 | "employees": , 8 | 
"address": { 9 | "street": "street1", 10 | "zip": "12345", 11 | "city": "mycity" 12 | 13 | } 14 | }, 15 | 16 | "secret": "a secret value", 17 | "num": 0, 18 | "field1": "field1val", 19 | "field2": "field2val", 20 | "field3": "field3val", 21 | "field4": "field4val", 22 | "field5": "field5val", 23 | "field6": "field6val", 24 | "numfield1": 1, 25 | "numfield2": 2, 26 | "numfield3": 3, 27 | "numfield4": 4, 28 | "numfield5": 5, 29 | "numfield6": 6, 30 | "boolfield1": true, 31 | "boolfield2": true, 32 | "boolfield3": false, 33 | "boolfield4": true, 34 | "boolfield5": true, 35 | "boolfield6": false, 36 | "nullfield": null, 37 | 38 | "@timestamp": "", 39 | "timestamp": "" 40 | 41 | 42 | } -------------------------------------------------------------------------------- /src/test/resources/dlsfls/flsquery.json: -------------------------------------------------------------------------------- 1 | { 2 | "size":500, 3 | "sort":[ 4 | { 5 | "@timestamp":{ 6 | "order":"desc", 7 | "unmapped_type":"boolean" 8 | } 9 | } 10 | ], 11 | "highlight":{ 12 | "pre_tags":[ 13 | "@kibana-highlighted-field@" 14 | ], 15 | "post_tags":[ 16 | "@/kibana-highlighted-field@" 17 | ], 18 | "fields":{ 19 | "*":{ 20 | 21 | } 22 | }, 23 | "require_field_match":false, 24 | "fragment_size":2147483647 25 | }, 26 | "aggs":{ 27 | "2":{ 28 | "date_histogram":{ 29 | "field":"@timestamp", 30 | "interval":"30s", 31 | "time_zone":"America/New_York", 32 | "min_doc_count":0 33 | } 34 | } 35 | }, 36 | "query":{ 37 | 38 | 39 | 40 | "bool":{ 41 | "must":[ 42 | { 43 | "range":{ 44 | "@timestamp":{ 45 | "gte":0, 46 | "lte":1481310993204, 47 | "format":"epoch_millis" 48 | } 49 | } 50 | } 51 | ], 52 | "must_not":[ 53 | 54 | ] 55 | } 56 | 57 | 58 | }, 59 | "stored_fields":[ 60 | "*", 61 | "_source" 62 | ], 63 | "script_fields":{ 64 | 65 | } 66 | } -------------------------------------------------------------------------------- /src/test/resources/dlsfls/flsquery2.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "size":500, 3 | "sort":[ 4 | { 5 | "@timestamp":{ 6 | "order":"desc", 7 | "unmapped_type":"boolean" 8 | } 9 | } 10 | ], 11 | "highlight":{ 12 | "pre_tags":[ 13 | "@kibana-highlighted-field@" 14 | ], 15 | "post_tags":[ 16 | "@/kibana-highlighted-field@" 17 | ], 18 | "fields":{ 19 | "*":{ 20 | 21 | } 22 | }, 23 | "require_field_match":false, 24 | "fragment_size":2147483647 25 | }, 26 | "aggs":{ 27 | "2":{ 28 | "date_histogram":{ 29 | "field":"@timestamp", 30 | "interval":"30s", 31 | "time_zone":"America/New_York", 32 | "min_doc_count":0 33 | } 34 | } 35 | }, 36 | "query":{ 37 | 38 | 39 | "match_all":{ 40 | 41 | 42 | 43 | } 44 | }, 45 | "stored_fields":[ 46 | "*", 47 | "_source" 48 | ], 49 | "script_fields":{ 50 | 51 | } 52 | } -------------------------------------------------------------------------------- /src/test/resources/dlsfls/kirk-keystore.jks: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opendistro-for-elasticsearch/deprecated-security-advanced-modules/040bd24e1d99070abad1394a4166aa9a215514ec/src/test/resources/dlsfls/kirk-keystore.jks -------------------------------------------------------------------------------- /src/test/resources/dlsfls/node-0-keystore.jks: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opendistro-for-elasticsearch/deprecated-security-advanced-modules/040bd24e1d99070abad1394a4166aa9a215514ec/src/test/resources/dlsfls/node-0-keystore.jks -------------------------------------------------------------------------------- /src/test/resources/dlsfls/roles_983.yml: -------------------------------------------------------------------------------- 1 | --- 2 | _meta: 3 | type: "roles" 4 | config_version: 2 5 | opendistro_security_human_resources_trainee: 6 | reserved: false 7 | hidden: false 8 | description: "Migrated from 
v6 (all types mapped)"
9 | cluster_permissions:  # "*" below matches every cluster-level action; test fixture under src/test/resources
10 | - "*"
11 | index_permissions:
12 | - index_patterns:
13 | - "humanresources"
14 | dls: "{ \"bool\": { \"must_not\": { \"match\": { \"Designation\": \"CEO\" }}}}"
15 | fls:  # include list (no "~" prefix) for "humanresources"; the dls query on the previous line hides documents whose Designation matches CEO
16 | - "Designation"
17 | - "FirstName"
18 | - "LastName"
19 | - "Salary"
20 | - "LocalRules"
21 | masked_fields: null
22 | allowed_actions:
23 | - "OPENDISTRO_SECURITY_READ"
24 | - "indices:admin/shards/search_shards"
25 | - index_patterns:  # presumably "?" stands for one character, so "?kibana" covers ".kibana"; confirm against the pattern matcher
26 | - "?kibana"
27 | dls: null
28 | fls: null
29 | masked_fields: null
30 | allowed_actions:
31 | - "ALL"
32 | - index_patterns:
33 | - "*"
34 | dls: null
35 | fls: null
36 | masked_fields: null
37 | allowed_actions:
38 | - "indices:data/read/field_caps"
39 | tenant_permissions:
40 | - tenant_patterns:
41 | - "human_resources"
42 | - "performance_data"
43 | allowed_actions:
44 | - "kibana_all_read"
45 | - tenant_patterns:  # wildcard inside the tenant name; presumably meant to match a "global" tenant, confirm with the test
46 | - "gl*al_te*ant"
47 | allowed_actions:
48 | - "kibana_all_write"
49 | 
--------------------------------------------------------------------------------
/src/test/resources/dlsfls/roles_983_tenants.yml:
--------------------------------------------------------------------------------
1 | ---
2 | _meta:
3 | type: "tenants"
4 | config_version: 2
5 | performance_data:
6 | reserved: false
7 | hidden: false
8 | description: "Migrated from v6"
9 | human_resources:
10 | reserved: false
11 | hidden: false
12 | description: "Migrated from v6"
--------------------------------------------------------------------------------
/src/test/resources/dlsfls/roles_ccs2.yml:
--------------------------------------------------------------------------------
1 | ---
2 | _meta:
3 | type: "roles"
4 | config_version: 2
5 | opendistro_security_human_resources_trainee:
6 | reserved: false
7 | hidden: false
8 | description: "Migrated from v6 (all types mapped)"
9 | cluster_permissions:
10 | - "*"
11 | index_permissions:
12 | - index_patterns:
13 | - "humanresources"
14 | dls: "{ \"bool\": { \"must_not\": { \"match\": { \"Salary\": \"salary1\" }}}}"
15 | fls:  # include list with trailing wildcards ("LastName*", "Salary*"); the dls query on the previous line hides documents whose Salary matches salary1
16 | - "FirstName"
17 | - "LastName*"
18 | - "Salary*"
19 | - "XXX"
20 | - "CCSRules"
21 | masked_fields: null
22 | allowed_actions:
23 | - "OPENDISTRO_SECURITY_READ"
24 | - "indices:admin/shards/search_shards"
25 | - index_patterns:
26 | - "?kibana"
27 | dls: null
28 | fls: null
29 | masked_fields: null
30 | allowed_actions:
31 | - "ALL"
32 | - index_patterns:
33 | - "*"
34 | dls: null
35 | fls: null
36 | masked_fields: null
37 | allowed_actions:
38 | - "indices:data/read/field_caps"
39 | tenant_permissions:
40 | - tenant_patterns:
41 | - "human_resources"
42 | - "performance_data"
43 | allowed_actions:
44 | - "kibana_all_read"
45 | 
--------------------------------------------------------------------------------
/src/test/resources/dlsfls/roles_ccs2_tenants.yml:
--------------------------------------------------------------------------------
1 | ---
2 | _meta:
3 | type: "tenants"
4 | config_version: 2
5 | performance_data:
6 | reserved: false
7 | hidden: false
8 | description: "Migrated from v6"
9 | human_resources:
10 | reserved: false
11 | hidden: false
12 | description: "Migrated from v6"
--------------------------------------------------------------------------------
/src/test/resources/dlsfls/roles_tenants.yml:
--------------------------------------------------------------------------------
1 | ---
2 | _meta:
3 | type: "tenants"
4 | config_version: 2
--------------------------------------------------------------------------------
/src/test/resources/dlsfls/scenarios.txt:
--------------------------------------------------------------------------------
1 | Marketing
2 | 
3 | Finance
4 | 
5 | Logfiles
6 | 
7 | Own Documents
8 | 
--------------------------------------------------------------------------------
/src/test/resources/dlsfls/spock-keystore.jks:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/opendistro-for-elasticsearch/deprecated-security-advanced-modules/040bd24e1d99070abad1394a4166aa9a215514ec/src/test/resources/dlsfls/spock-keystore.jks -------------------------------------------------------------------------------- /src/test/resources/dlsfls/truststore.jks: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opendistro-for-elasticsearch/deprecated-security-advanced-modules/040bd24e1d99070abad1394a4166aa9a215514ec/src/test/resources/dlsfls/truststore.jks -------------------------------------------------------------------------------- /src/test/resources/jwt/kirk-keystore.jks: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opendistro-for-elasticsearch/deprecated-security-advanced-modules/040bd24e1d99070abad1394a4166aa9a215514ec/src/test/resources/jwt/kirk-keystore.jks -------------------------------------------------------------------------------- /src/test/resources/jwt/node-0-keystore.jks: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opendistro-for-elasticsearch/deprecated-security-advanced-modules/040bd24e1d99070abad1394a4166aa9a215514ec/src/test/resources/jwt/node-0-keystore.jks -------------------------------------------------------------------------------- /src/test/resources/jwt/spock-keystore.jks: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opendistro-for-elasticsearch/deprecated-security-advanced-modules/040bd24e1d99070abad1394a4166aa9a215514ec/src/test/resources/jwt/spock-keystore.jks -------------------------------------------------------------------------------- /src/test/resources/jwt/truststore.jks: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/opendistro-for-elasticsearch/deprecated-security-advanced-modules/040bd24e1d99070abad1394a4166aa9a215514ec/src/test/resources/jwt/truststore.jks -------------------------------------------------------------------------------- /src/test/resources/ldap/base2.ldif: -------------------------------------------------------------------------------- 1 | #dc=TEST 2 | 3 | dn: ou=people2,o=TEST 4 | objectclass: organizationalUnit 5 | objectclass: top 6 | ou: people2 7 | 8 | dn: ou=groups2,o=TEST 9 | objectclass: organizationalUnit 10 | objectclass: top 11 | ou: groups2 12 | 13 | dn: cn=Michael Jackson2,ou=people2,o=TEST 14 | objectclass: inetOrgPerson 15 | cn: Michael Jackson 16 | sn: jackson 17 | uid: jacksonm 18 | userpassword: secret 19 | mail: jacksonm@example.com 20 | ou: Human Resources 21 | 22 | dn: cn=Elvis Presley,ou=people2,o=TEST 23 | objectclass: inetOrgPerson 24 | cn: Elvis Presley 25 | sn: presley 26 | uid: presleye 27 | userpassword: secret 28 | mail: presleye@example.com 29 | ou: Human Resources 30 | 31 | dn: cn=Freddy Mercury,ou=people2,o=TEST 32 | objectclass: inetOrgPerson 33 | cn: Freddy Mercury 34 | sn: mercury 35 | uid: mercuryf 36 | userpassword: secret 37 | mail: mercuryf@example.com 38 | ou: Human Resources 39 | 40 | dn: cn=king,ou=groups2,o=TEST 41 | objectClass: groupOfUniqueNames 42 | cn: king 43 | uniqueMember: cn=Michael Jackson,ou=people,o=TEST 44 | uniqueMember: cn=Elvis Presley,ou=people,o=TEST 45 | 46 | dn: cn=crossnested1,ou=groups,o=TEST 47 | objectClass: groupOfUniqueNames 48 | cn: crossnested1 49 | uniqueMember: cn=crossnested2,ou=groups2,o=TEST 50 | 51 | dn: cn=crossnested2,ou=groups2,o=TEST 52 | objectClass: groupOfUniqueNames 53 | cn: crossnested2 54 | uniqueMember: cn=Freddy Mercury,ou=people2,o=TEST -------------------------------------------------------------------------------- /src/test/resources/ldap/config.yml: -------------------------------------------------------------------------------- 1 | 
--- 2 | _meta: 3 | type: "config" 4 | config_version: 2 5 | config: 6 | dynamic: 7 | filtered_alias_mode: "warn" 8 | disable_rest_auth: false 9 | disable_intertransport_auth: false 10 | respect_request_indices_options: false 11 | license: null 12 | kibana: 13 | multitenancy_enabled: true 14 | server_username: "kibanaserver" 15 | index: ".kibana" 16 | http: 17 | anonymous_auth_enabled: false 18 | xff: 19 | enabled: false 20 | internalProxies: "10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|192\\.168\\.\\d{1,3}\\\ 21 | .\\d{1,3}|169\\.254\\.\\d{1,3}\\.\\d{1,3}|127\\.\\d{1,3}\\.\\d{1,3}\\.\\\ 22 | d{1,3}|172\\.1[6-9]{1}\\.\\d{1,3}\\.\\d{1,3}|172\\.2[0-9]{1}\\.\\d{1,3}\\\ 23 | .\\d{1,3}|172\\.3[0-1]{1}\\.\\d{1,3}\\.\\d{1,3}" 24 | remoteIpHeader: "X-Forwarded-For" 25 | authc: 26 | authentication_ldap: 27 | http_enabled: true 28 | transport_enabled: true 29 | order: 0 30 | http_authenticator: 31 | challenge: true 32 | type: "basic" 33 | config: {} 34 | authentication_backend: 35 | type: "ldap" 36 | config: 37 | hosts: "localhost:${ldapsPort}" 38 | usersearch: "(uid={0})" 39 | enable_ssl: true 40 | verify_hostnames: false # test fixture talking to localhost: TLS stays on (enable_ssl) but the certificate name is not matched to the host; keep hostname verification on for a real LDAP server 41 | description: "Migrated from v6" 42 | authz: {} 43 | do_not_fail_on_forbidden: false 44 | multi_rolespan_enabled: false 45 | hosts_resolver_mode: "ip-only" 46 | transport_userrname_attribute: null -------------------------------------------------------------------------------- /src/test/resources/ldap/config_ldap2.yml: -------------------------------------------------------------------------------- 1 | --- 2 | _meta: 3 | type: "config" 4 | config_version: 2 5 | config: 6 | dynamic: 7 | filtered_alias_mode: "warn" 8 | disable_rest_auth: false 9 | disable_intertransport_auth: false 10 | respect_request_indices_options: false 11 | license: null 12 | kibana: 13 | multitenancy_enabled: true 14 | server_username: "kibanaserver" 15 | index: ".kibana" 16 | http: 17 | anonymous_auth_enabled: false 18 | xff: 19 | enabled: false 20 | internalProxies: 
"10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|192\\.168\\.\\d{1,3}\\\ 21 | .\\d{1,3}|169\\.254\\.\\d{1,3}\\.\\d{1,3}|127\\.\\d{1,3}\\.\\d{1,3}\\.\\\ 22 | d{1,3}|172\\.1[6-9]{1}\\.\\d{1,3}\\.\\d{1,3}|172\\.2[0-9]{1}\\.\\d{1,3}\\\ 23 | .\\d{1,3}|172\\.3[0-1]{1}\\.\\d{1,3}\\.\\d{1,3}" 24 | remoteIpHeader: "X-Forwarded-For" 25 | authc: 26 | authentication_ldap: 27 | http_enabled: true 28 | transport_enabled: true 29 | order: 0 30 | http_authenticator: 31 | challenge: true 32 | type: "basic" 33 | config: {} 34 | authentication_backend: 35 | type: "com.amazon.dlic.auth.ldap2.LDAPAuthenticationBackend2" 36 | config: 37 | hosts: "localhost:${ldapsPort}" 38 | usersearch: "(uid={0})" 39 | enable_ssl: true 40 | verify_hostnames: false # test fixture talking to localhost: TLS stays on (enable_ssl) but the certificate name is not matched to the host; keep hostname verification on for a real LDAP server 41 | description: "Migrated from v6" 42 | authz: {} 43 | do_not_fail_on_forbidden: false 44 | multi_rolespan_enabled: false 45 | hosts_resolver_mode: "ip-only" 46 | transport_userrname_attribute: null -------------------------------------------------------------------------------- /src/test/resources/ldap/internal_users.yml: -------------------------------------------------------------------------------- 1 | admin: 2 | hash: $2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG 3 | #password is: admin -------------------------------------------------------------------------------- /src/test/resources/ldap/kirk-keystore.jks: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opendistro-for-elasticsearch/deprecated-security-advanced-modules/040bd24e1d99070abad1394a4166aa9a215514ec/src/test/resources/ldap/kirk-keystore.jks -------------------------------------------------------------------------------- /src/test/resources/ldap/kirk.key.pem: -------------------------------------------------------------------------------- 1 | Bag Attributes 2 | friendlyName: kirk 3 | localKeyID: 54 69 6D 65 20 31 35 32 35 35 33 31 30 33 36 39 34 34 4 | Key Attributes: 5 | -----BEGIN PRIVATE KEY----- 6 | 
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC3uIGcEtuSYIow 7 | SRz2Z5Gwua2th4opuQ8v8I2iCM/l+Egfm9JZ3b69LOAQ0Be1oeSEusOKqLq+efL6 8 | vQpqW4Ky5gZmSKwwxw+S7ew4Ma0dqS5a2zhhguoe1la+xHgXyKgcnUT6B0b4AKN1 9 | /gy9ZH4yQbm2zBx6rB+W2lm2LTHNQ5MKjAV21no1oKhY8yCaDzlPeGNYZ7tJJIiA 10 | kMBakkARMJvhEgqtJLbp2URJ2BTrOPhCjARX7+Ap0so72lWjmY4oq4M1gszM3qbV 11 | DtptRAV5MCAiroxf1hInjRCPt9ZarY4H+Ek1Mc30t9Otr39kwo+3l5zIEJNGmv4q 12 | ZeUwSD4HAgMBAAECggEBAKvAJhKVIoW2EJnRT+0ep3mSK8YlBsm4gnUrqgyHtmtj 13 | 73D1R/HRNiY+FH5DO1cGsM5QlstCr8mv0bIMFfeV8xpxphvq5mZ3QZz3JbTm49Lt 14 | vTMc65llPJ91ewS+QRLi+B4//CLNuM/SMP32cUyA7OTowsgcCqe3z5RELkf7+inL 15 | 4b4VhB2xI3f/g7QaZgVI2felL0g/kXZuZTycoYVcmHeuPeYqUiJoO9ctB3MGwHwj 16 | y0cYYTy5czXKn4QhJRGXYk3gzoL2RK0K/8TsopqrWhcAMyJD6jjPwhhcihM1n+tx 17 | vGCxH6HsFaPwz6Uko8cLjpvbAumltsstkusliSU86UkCgYEA8HG8PxI3NKANO6qo 18 | PnBh58q0DajEaMN4mIwsVZKSPonmySBcNWePXOFNd5sUk4Ccxtym/uRj46ee+Q/G 19 | wMhYbxU1yGlX+h0L9TR14Zl6Lqa2jueUpkgZC2m1PlKHS1E4XqUpOVkGd5TWwWYj 20 | 89PNOteQeGHXhmLL7SOJd1B2+A0CgYEAw5tPKop08H+QYCJ06NukIypKa8AlyFZU 21 | oWACIaihzc6Czmjg9AjZLdyJA5uhO12QW58dkQ53ubT98GgwVz4OQf1p/JVvVpgs 22 | qRQd8bbeo/Ce/SDqK7POnR5g/1I4jorYJuoc29v4S6X8udsOGtRL6g5ShJRzTeCi 23 | yYoHS2USVWMCgYAtMGL9w5GmjVIPXbKDEaIE6z7NtmM7gUk/+lA2wPZFVKuQL0nF 24 | K7Jw9VMW4ImMc0aDxWKJUylG1vD0xDdJch3UurrB8LJ9KkpeCj8BaFPjQqfa0cFJ 25 | QxGZ6IMMtHwC9r/OYeIOiiHCBbIa5PRq1eqjXXIkfdcAxb6n0d77Ep9ZXQKBgDlM 26 | v64YjRT+aU6gCVtFLBnZA5/405iSIYx8UWOGwI9HVW4drvgNt4EFv2U9K8f2KpmM 27 | TN73O/88k77e5npIBWkzUN7a75iQT1TgPb1W8nVXwVspTy+qJnZENenVLhgjeBo+ 28 | LmIBWAThBN102/bkBbD0rRuFWRmRGl6rfmOJogs9AoGAJU68m2cC+mPTljUwFWlA 29 | CKf8iNkgrDkD9U2iFbnidVcXYzMsktTNvgJQsQFUxZKTW88jN5HLSZP5arO6vUBL 30 | IaOcCgDlA8y86+3ENAb+ZOyXKyDOGnKD7sBxip9zxR0p9Tc2zIyFzydnP7hxw2aw 31 | sXgy1G9RBFM0QDKAv7bxdBE= 32 | -----END PRIVATE KEY----- 33 | -------------------------------------------------------------------------------- /src/test/resources/ldap/node-0-keystore.jks: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/opendistro-for-elasticsearch/deprecated-security-advanced-modules/040bd24e1d99070abad1394a4166aa9a215514ec/src/test/resources/ldap/node-0-keystore.jks -------------------------------------------------------------------------------- /src/test/resources/ldap/node-0.key.pem: -------------------------------------------------------------------------------- 1 | Bag Attributes 2 | friendlyName: node-0 3 | localKeyID: 54 69 6D 65 20 31 35 32 35 35 33 31 30 33 30 31 36 38 4 | Key Attributes: 5 | -----BEGIN PRIVATE KEY----- 6 | MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCHmPoPLQepo/kx 7 | l74ouRvLjalQmfs5pB9nsBgclezxdDRoH7d4d+Xnu5sYOWxvFlz2zzwu6E+jVjcW 8 | uCPtJsf8pV4PSdzTi5JYO+EWXFsvbtz5Oik+DvlhMLwpxfLiYr4G3Wh3bzLGejrP 9 | Xxeug6ioER/vTzoxjszIOd264un8HWfAaKNgzfaT4o/0cltG70kwy3XoZBiZtC0Y 10 | kSqjkTxYA/92hOIfV/9wBJJKhqIBHgvOOGNt/oES+0RArnUEW+qEb+o3bb2OjKI4 11 | 57GItlv9sJ1F0Z5s46k5v24GOojUWVVzhOAh/IIqb9ABOKdkwsJxKXo1xRMWBwmR 12 | TFmf0NoTAgMBAAECggEARFPRrdQDCHiYGWVdbSfZ2biImRT+gw0wxg72F3F09Daa 13 | Md3JlerU7vCaNpq5CUE7lyLWMMzfVG8dU1V2xQnFvImX3BxcKj0qgUurIJlpWX2D 14 | 3BJytdLV1yO3rVUSDwGyv8LR4V0nONxexiAkzsuJMSdv8Cb8K/zJNBv0nze4sFFd 15 | 9Mb3rlHTm+gVXk6Qa+2j5hQkfwCQ0HQnyyXnFb99YZIBVMaBkn6oUkdbbwn2BdH+ 16 | BxypwbDRgB/FoRhwMIah9CBLyuqZt26KiVKUnscemvuI/H3sH1H1veH2shpqWIeD 17 | JcNWs2IbS8kbGW7wDc5lrzRpTLSiVs6g7gIk7KRQAQKBgQD1uIT8+3QnWZpr1i+1 18 | coYJzgFWlghJVEj9SqVVFsC82aLDYaTd2S84anCYV9yDnO85se5qA7z+DE+jBF6S 19 | uy1u5iFsUOyrEXeSXK46Os0sg8V93ez4mcCfDamrXTq95QZxWVeIcWjB9mwzoCj9 20 | gLtFkd74tVHBgLhYqYE4x1a5yQKBgQCNRR9WG1rJanBw98e+LriBN7A97ti11j+W 21 | geh30PsEMtmFtBHztUoO1BeXSy5L6ZQADjDKDEhPDLzzFt6iN2RqynG3nKf7ZzBV 22 | YXTE0C0suzRFLE4B4IwOBLUa0I50teIOav67+o4t/KmCzx93T7M+YRLAATXuRQ1E 23 | R8UHLjwi+wKBgDd/b3n8CSYCFOCaRbhDn4aDYsX9qO12/e1HeMQZGXsN5LcgTK5W 24 | qVWipL+jyIhpX5a2W1TSd1Mh0LLO/9VANWjAzXe7Z1jT3x/NkwRP15tgP7DH+QfF 25 | 
Ij5KRbIQon3VRnk/ZofIpZJ5Z8LZP6jR9HooEiY2PbroqbpMvoTmcO4RAoGAIW/y 26 | 8taWroXbB2IejQ1R7oPX21DlSmTjuCQXegSk5WGDyvnMJfsLBGd/DfhlhOJMfZbe 27 | RXSSyOMi9ga7u3mQ8xXnxKX3vLG35v2iPdNoXeYRgS3zaM5VWBwVIburfERwtSju 28 | EmBDtu7O0H9l2z+qFWG0pm2i7jq54Sd7oy92XHECgYEAs+ke0hR19C0bGPrcGr9U 29 | o5JSsMIcqESYtrkJ3YR62k+guzDc6t3KRIFDzLv9I4s4Dpssn46QKnMYW/KUBxv7 30 | pHkdZUtJagYPqeMIKPWR+UnwsmDDFJ9R/9U7Pf/9MMaQf7U64ffh3Qxdod/MEyI8 31 | uUwbul3fmSa4OAjHhSNPoSk= 32 | -----END PRIVATE KEY----- 33 | -------------------------------------------------------------------------------- /src/test/resources/ldap/roles.yml: -------------------------------------------------------------------------------- 1 | --- 2 | _meta: 3 | type: "roles" 4 | config_version: 2 5 | opendistro_security_all_access: 6 | reserved: false 7 | hidden: false 8 | description: "Migrated from v6 (all types mapped)" 9 | cluster_permissions: 10 | - "*" 11 | index_permissions: 12 | - index_patterns: 13 | - "*" 14 | dls: null 15 | fls: null 16 | masked_fields: null 17 | allowed_actions: 18 | - "*" 19 | tenant_permissions: [] -------------------------------------------------------------------------------- /src/test/resources/ldap/roles_mapping.yml: -------------------------------------------------------------------------------- 1 | --- 2 | _meta: 3 | type: "rolesmapping" 4 | config_version: 2 5 | opendistro_security_all_access: 6 | reserved: false 7 | hidden: false 8 | backend_roles: [] 9 | hosts: [] 10 | users: 11 | - "admin" 12 | - "cn=Michael Jackson,ou=people,o=TEST" 13 | and_backend_roles: [] 14 | description: "Migrated from v6" 15 | -------------------------------------------------------------------------------- /src/test/resources/ldap/roles_tenants.yml: -------------------------------------------------------------------------------- 1 | --- 2 | _meta: 3 | type: "tenants" 4 | config_version: 2 -------------------------------------------------------------------------------- /src/test/resources/ldap/root-ca.pem: 
-------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIID/jCCAuagAwIBAgIBATANBgkqhkiG9w0BAQsFADCBjzETMBEGCgmSJomT8ixk 3 | ARkWA2NvbTEXMBUGCgmSJomT8ixkARkWB2V4YW1wbGUxGTAXBgNVBAoMEEV4YW1w 4 | bGUgQ29tIEluYy4xITAfBgNVBAsMGEV4YW1wbGUgQ29tIEluYy4gUm9vdCBDQTEh 5 | MB8GA1UEAwwYRXhhbXBsZSBDb20gSW5jLiBSb290IENBMB4XDTE4MDUwNTE0Mzcw 6 | OFoXDTI4MDUwNDE0MzcwOFowgY8xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJ 7 | kiaJk/IsZAEZFgdleGFtcGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEw 8 | HwYDVQQLDBhFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0ExITAfBgNVBAMMGEV4YW1w 9 | bGUgQ29tIEluYy4gUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC 10 | ggEBAKYR4V2qdDbh2EMyNxQrXj4ucmA7b058s1zqiNwYQYRmQuZSp2hCmNcZuOa2 11 | 4yt0fXHSDLYNDdVKgC0K9nm25Tyw/ZxScKdiGyYAmzK+0mhaT5gZsovpHMSc8tco 12 | 10r6floxCkazLHaUgCAFv1uaNvIKK88KKHjXm5i0NPmx/4VW9IkJuYmi/ECdea5R 13 | 76LAB21ih8kroVI0eRhHB1VzbYE9izneMJ5UBfLHF2iMR/RTilgs5IAkpdlj6guh 14 | CvSJsbOj0fmmcESUrPwKAEfhGVGfiE7b15Ho5ECQR6yn1CDiulpOLmthp7zcZ2jx 15 | BzevtTNeWzPom021hKG0nryoH5UCAwEAAaNjMGEwDgYDVR0PAQH/BAQDAgEGMA8G 16 | A1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFFvHubBG7v/2QuZe5M8S+FdMajAVMB8G 17 | A1UdIwQYMBaAFFvHubBG7v/2QuZe5M8S+FdMajAVMA0GCSqGSIb3DQEBCwUAA4IB 18 | AQAqW6C1XKJZH6GQydHFcUToLpm4YSypqZvD0Wf39dXNygih8szydtxtKEYjFivx 19 | O3oOa4v3J/52y4oNc2ksFyhXRAJhKEE58NHDGtb6eqUWWt9k2YrnsvD8k0hibjzt 20 | TmAWTYxYIMdF+4E0hfNUxkFmXXtThOoMhdcEqUYVXrVdrUOF9tVm49BCsQrrCkQw 21 | Q0vWvgTaik0sgsz4yaKI+iORt9qF74/Wf7KjLPpZR3OkkE1srfWhCszNzUB0CMD4 22 | 34v9bIRWtjzvVQTCNNm9PaB2tMkQmeK+jOR7ywItO0+mij0vDSK3bWGqTrfgAXUn 23 | pTIIfrQcZ1vrDg0lYzVgQ1iT 24 | -----END CERTIFICATE----- 25 | -------------------------------------------------------------------------------- /src/test/resources/ldap/spock-keystore.jks: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/opendistro-for-elasticsearch/deprecated-security-advanced-modules/040bd24e1d99070abad1394a4166aa9a215514ec/src/test/resources/ldap/spock-keystore.jks -------------------------------------------------------------------------------- /src/test/resources/ldap/spock.crt.pem: -------------------------------------------------------------------------------- 1 | Bag Attributes 2 | friendlyName: spock 3 | localKeyID: 54 69 6D 65 20 31 35 32 35 35 33 31 30 33 35 36 38 39 4 | subject=/C=DE/L=Test/O=client/OU=client/CN=spock 5 | issuer=/DC=com/DC=example/O=Example Com Inc./OU=Example Com Inc. Signing CA/CN=Example Com Inc. Signing CA 6 | -----BEGIN CERTIFICATE----- 7 | MIIEQTCCAymgAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBlTETMBEGCgmSJomT8ixk 8 | ARkWA2NvbTEXMBUGCgmSJomT8ixkARkWB2V4YW1wbGUxGTAXBgNVBAoMEEV4YW1w 9 | bGUgQ29tIEluYy4xJDAiBgNVBAsMG0V4YW1wbGUgQ29tIEluYy4gU2lnbmluZyBD 10 | QTEkMCIGA1UEAwwbRXhhbXBsZSBDb20gSW5jLiBTaWduaW5nIENBMB4XDTE4MDUw 11 | NTE0MzcxNVoXDTI4MDUwMjE0MzcxNVowTjELMAkGA1UEBhMCREUxDTALBgNVBAcT 12 | BFRlc3QxDzANBgNVBAoTBmNsaWVudDEPMA0GA1UECxMGY2xpZW50MQ4wDAYDVQQD 13 | EwVzcG9jazCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOtJCa7B8MJ3 14 | 5PjnZ6OQbXtwt8bWHQgHiGKoIEqKGKRHzZZeTLvA/u++ihuHWQlSSeGF5flRiLW3 15 | 5wZlSykcyabIC1rxV32SuJ/6ebxOHLnGhLagJ+ZS1+ehd9ksDu+y3bWQnJFLec6n 16 | 4dThQAdNT6blqDcq5m/p7p/q/tJfNFLt6YMSrvxhopn5kC1tc5k5t6MbyLraXe7b 17 | u4ZaNNPsxho6ArJc5IktSwxgW1iqVxR2zC/5BghKFt3RKmZltVInX8IOZcWxSWvZ 18 | zdhBJonw/RGvBnvsXFW3NQ7v4yfAce4gWnZwvzKW6kXg1BZAh5vWcPnNzTkkl48n 19 | rMdfGP5tpF8CAwEAAaOB4TCB3jAOBgNVHQ8BAf8EBAMCBaAwCQYDVR0TBAIwADAd 20 | BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0OBBYEFPUR3m9eT6lZ 21 | 4rz7qj8hhxVe2VibMB8GA1UdIwQYMBaAFJR34pMxCz+258vljmpEpMTjBMHgMGIG 22 | A1UdHwRbMFkwV6BVoFOGUWh0dHBzOi8vcmF3LmdpdGh1YnVzZXJjb250ZW50LmNv 23 | bS9mbG9yYWd1bm5jb20vdW5pdHRlc3QtYXNzZXRzL21hc3Rlci9yZXZva2VkLmNy 24 | bDANBgkqhkiG9w0BAQsFAAOCAQEAL3COeHo9Dg1x78vhFmio0Nmfk46SmQz8n4vI 25 | 
qxWp0e+OoKdIZXpbVPV7SU4TEoXRG0tzOTd37kvDcMv95YUiYCuXbM23c7Y44JL2 26 | LHF0jIdUAuWFR/lchBB0rQiJshs6n0EqonAE/48zzSt7Vq6q+y8Q5sh4Eh1uyWMw 27 | vgH85r4+iRVQdnadPc3dv3clSkFhDgbAqyYPr27z9z92leqsyoP3Um4C3vX3bNXP 28 | /DxQE9YgT8E9AjAKoogyFGovG7RMZK9eh9FtnbwvGYGTBG6DE32l1xqrUfnMdSCs 29 | OzXIwhyhXaB/vafIZrOpFxZWRkyAsmsqlhTVHNf/QJy3CaEG4w== 30 | -----END CERTIFICATE----- 31 | -------------------------------------------------------------------------------- /src/test/resources/ldap/spock.key.pem: -------------------------------------------------------------------------------- 1 | Bag Attributes 2 | friendlyName: spock 3 | localKeyID: 54 69 6D 65 20 31 35 32 35 35 33 31 30 33 35 36 38 39 4 | Key Attributes: 5 | -----BEGIN PRIVATE KEY----- 6 | MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDrSQmuwfDCd+T4 7 | 52ejkG17cLfG1h0IB4hiqCBKihikR82WXky7wP7vvoobh1kJUknhheX5UYi1t+cG 8 | ZUspHMmmyAta8Vd9krif+nm8Thy5xoS2oCfmUtfnoXfZLA7vst21kJyRS3nOp+HU 9 | 4UAHTU+m5ag3KuZv6e6f6v7SXzRS7emDEq78YaKZ+ZAtbXOZObejG8i62l3u27uG 10 | WjTT7MYaOgKyXOSJLUsMYFtYqlcUdswv+QYIShbd0SpmZbVSJ1/CDmXFsUlr2c3Y 11 | QSaJ8P0RrwZ77FxVtzUO7+MnwHHuIFp2cL8ylupF4NQWQIeb1nD5zc05JJePJ6zH 12 | Xxj+baRfAgMBAAECggEAWqD7ldEmiAHetPGNvjc3tMCqSXDYJeug4T+ZkJy4+S6f 13 | Rjh0ni2tBXQDhq8P4MNNqg0FlI+PdU+tMY168g8grZmIpjMoXDpT22uD0MDV18lb 14 | /WybceCfQZ20qHaMGlBvjixx4pWMCcoo9vL80tM4xzTXIsjnklwtinPeS/JYGUjF 15 | /DNhlEaZsIPd44CNDE7V9J8dTvqzQ1D6MRhjKGFYGDh+/CKT9wjOYXfBuUlqkDqj 16 | i7slfRIjfkg2qTWpd+EXZPRYci9vSBA5hCR+c2UmWJBJ8I8rrnjQwTnNNGdURsuD 17 | Uhnxwa/cDwnSS6kdSFKfrTbmgQaeU9u5Ks4i7nOSYQKBgQD5tRiLiGh57QLCR5zU 18 | q42Gobya3ujh30ErCtyRRB8+ZGOKhxJnxstIAx0jo1Mhae/sibeAGO7GLx9Zza6l 19 | TnrHl+q+HnegNZj5B9C0h6I5PKknb8hn0DEy1GOEyrHstuWwzI15HvbUOEWtHp+/ 20 | mEgCML0SYr8lWDveN0i1nB1lIwKBgQDxNucOKQyw27f8l+g5ObtCIQA9VVn+3BW+ 21 | A8zwbEN8ViQd/Rz5MY+sNLnBDDzYMJQ4tEOJ/TvAJfS8a/g4zmM4p+5hShdelD7J 22 | fjxqdxiDW8AI+2qyTeex5B7xTgrnPNRB7MPg6d5VlnNDoY6ZWcGLJC/OBmmr3x6f 23 | kGDjCIUNlQKBgQDxvYZTnu02DGO9XcLQiHxsuCt06xQdhxr55nv+DisJJfrP40/I 24 | 
M8YcoxcUp0sVcA+buP9y/bA7IOeC8wJ+emmWzNWu1KQO75R2kkBUZXKBYt6HlUo4 25 | Zm8avE7UAb8aYT4gWQclGPrwHMInhRw2SeB8bl68a+iM6Mycpny3hLlYbQKBgE+G 26 | wWDaydNZbWx7DNYpIYLo7HJMPJKZLxXpnNy7ZPiOUfQNKktCOtMUwxVRmpHQWl3j 27 | mMzaz6NHIEwq8LiR2wan3yD2U4QcLiMyWmrjfxJ34nVTptbIdpYg1s7J4zBfzr85 28 | d08k6+ed5byrfB81B2l/cb9kP9ypgCgtarQPcAaNAoGBAPP1QmafOEN60Zhdyqns 29 | IuagWpFtfVMBfqOMa06wUeJFqOdtXfwV46GabgeY1hccQ+82TpFJoJwyNb4Izs44 30 | EpMQ/UEU1BNj9SVjzsdIS5aA76bY8MPXQkabFPFueldS1rNfbETeugc36zZ+HRKe 31 | lYXJKjzIt3/carpCqctqPflH 32 | -----END PRIVATE KEY----- 33 | -------------------------------------------------------------------------------- /src/test/resources/ldap/truststore.jks: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opendistro-for-elasticsearch/deprecated-security-advanced-modules/040bd24e1d99070abad1394a4166aa9a215514ec/src/test/resources/ldap/truststore.jks -------------------------------------------------------------------------------- /src/test/resources/log4j2-test.properties: -------------------------------------------------------------------------------- 1 | status = error 2 | 3 | appender.console.type = Console 4 | appender.console.name = console 5 | appender.console.layout.type = PatternLayout 6 | appender.console.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] %marker%m%n 7 | 8 | rootLogger.level = warn 9 | rootLogger.appenderRef.console.ref = console 10 | 11 | #logger.resolver.name = com.amazon.opendistroforelasticsearch.security.resolver 12 | #logger.resolver.level = trace 13 | 14 | #logger.pe.name = com.amazon.opendistroforelasticsearch.security.configuration.PrivilegesEvaluator 15 | #logger.pe.level = trace 16 | 17 | #logger.comp.name = com.amazon.opendistroforelasticsearch.security.compliance 18 | #logger.comp.level = trace 19 | 20 | logger.zen.name = org.elasticsearch.discovery 21 | logger.zen.level = off 22 | 23 | logger.ncs.name = org.elasticsearch.cluster.NodeConnectionsService 24 | 
logger.ncs.level = off 25 | logger.ssl.name = com.amazon.opendistroforelasticsearch.security.ssl.transport.OpenDistroSecuritySSLNettyTransport 26 | logger.ssl.level = off 27 | 28 | logger.ld.name = org.ldaptive 29 | logger.ld.level = info 30 | 31 | logger.cas.name = org.elasticsearch.cluster.service.ClusterApplierService 32 | logger.cas.level = error -------------------------------------------------------------------------------- /src/test/resources/multitenancy/config_basic_auth.yml: -------------------------------------------------------------------------------- 1 | --- 2 | _meta: 3 | type: "config" 4 | config_version: 2 5 | config: 6 | dynamic: 7 | filtered_alias_mode: "warn" 8 | disable_rest_auth: false 9 | disable_intertransport_auth: false 10 | respect_request_indices_options: false 11 | license: null 12 | kibana: 13 | multitenancy_enabled: true 14 | server_username: "kibanaserver" 15 | index: ".kibana" 16 | http: 17 | anonymous_auth_enabled: false 18 | xff: 19 | enabled: true 20 | internalProxies: ".*" # test-only: this pattern matches every source address, so any client is treated as a trusted proxy and its x-forwarded-for value is believed; list only real proxy addresses in a deployment 21 | remoteIpHeader: "x-forwarded-for" 22 | authc: 23 | basic_internal_auth_domain: 24 | http_enabled: true 25 | transport_enabled: true 26 | order: 0 27 | http_authenticator: 28 | challenge: true 29 | type: "basic" 30 | config: {} 31 | authentication_backend: 32 | type: "intern" 33 | config: {} 34 | description: "Migrated from v6" 35 | authz: {} 36 | do_not_fail_on_forbidden: true 37 | multi_rolespan_enabled: false 38 | hosts_resolver_mode: "ip-only" 39 | transport_userrname_attribute: null 40 | -------------------------------------------------------------------------------- /src/test/resources/multitenancy/kirk-keystore.jks: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opendistro-for-elasticsearch/deprecated-security-advanced-modules/040bd24e1d99070abad1394a4166aa9a215514ec/src/test/resources/multitenancy/kirk-keystore.jks
-------------------------------------------------------------------------------- /src/test/resources/multitenancy/node-0-keystore.jks: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opendistro-for-elasticsearch/deprecated-security-advanced-modules/040bd24e1d99070abad1394a4166aa9a215514ec/src/test/resources/multitenancy/node-0-keystore.jks -------------------------------------------------------------------------------- /src/test/resources/multitenancy/roles_tenants.yml: -------------------------------------------------------------------------------- 1 | --- 2 | _meta: 3 | type: "tenants" 4 | config_version: 2 5 | performance_data: 6 | reserved: false 7 | hidden: false 8 | description: "Migrated from v6" 9 | enterprise_tenant: 10 | reserved: false 11 | hidden: false 12 | description: "Migrated from v6" 13 | adm_tenant: 14 | reserved: false 15 | hidden: false 16 | description: "Migrated from v6" 17 | PerFormance ___Reviews/&%%/&&/: 18 | reserved: false 19 | hidden: false 20 | description: "Migrated from v6" 21 | business_intelligence: 22 | reserved: false 23 | hidden: false 24 | description: "Migrated from v6" 25 | command_tenant: 26 | reserved: false 27 | hidden: false 28 | description: "Migrated from v6" 29 | test_tenant_ro: 30 | reserved: false 31 | hidden: false 32 | description: "Migrated from v6" 33 | management: 34 | reserved: false 35 | hidden: false 36 | description: "Migrated from v6" 37 | finance_management: 38 | reserved: false 39 | hidden: false 40 | description: "Migrated from v6" 41 | test_tenant_rw: 42 | reserved: false 43 | hidden: false 44 | description: "Migrated from v6" 45 | PerFormance ___Reviews%%%!!!: 46 | reserved: false 47 | hidden: false 48 | description: "Migrated from v6" 49 | finance: 50 | reserved: false 51 | hidden: false 52 | description: "Migrated from v6" 53 | human_resources: 54 | reserved: false 55 | hidden: false 56 | description: "Migrated from v6" 57 | 
-------------------------------------------------------------------------------- /src/test/resources/multitenancy/spock-keystore.jks: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opendistro-for-elasticsearch/deprecated-security-advanced-modules/040bd24e1d99070abad1394a4166aa9a215514ec/src/test/resources/multitenancy/spock-keystore.jks -------------------------------------------------------------------------------- /src/test/resources/multitenancy/truststore.jks: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opendistro-for-elasticsearch/deprecated-security-advanced-modules/040bd24e1d99070abad1394a4166aa9a215514ec/src/test/resources/multitenancy/truststore.jks -------------------------------------------------------------------------------- /src/test/resources/restapi/actiongroup_crud.json: -------------------------------------------------------------------------------- 1 | { 2 | "allowed_actions": ["READ_UT", "OPENDISTRO_SECURITY_WRITE"] 3 | } 4 | -------------------------------------------------------------------------------- /src/test/resources/restapi/actiongroup_not_parseable.json: -------------------------------------------------------------------------------- 1 | { 2 | ["OPENDISTRO_SECURITY_READ", "OPENDISTRO_SECURITY_WRITE"] 3 | } 4 | -------------------------------------------------------------------------------- /src/test/resources/restapi/actiongroup_read.json: -------------------------------------------------------------------------------- 1 | { 2 | "allowed_actions": ["indices:data/read*"] 3 | } -------------------------------------------------------------------------------- /src/test/resources/restapi/actiongroup_readonly.json: -------------------------------------------------------------------------------- 1 | { 2 | "allowed_actions": ["READ_UT", "OPENDISTRO_SECURITY_WRITE"], 3 | "reserved": "true" 4 | } 5 | 
-------------------------------------------------------------------------------- /src/test/resources/restapi/config.yml: -------------------------------------------------------------------------------- 1 | _meta: 2 | type: "config" 3 | config_version: 2 4 | config: 5 | dynamic: 6 | filtered_alias_mode: "warn" 7 | disable_rest_auth: false 8 | disable_intertransport_auth: false 9 | respect_request_indices_options: false 10 | license: null 11 | kibana: 12 | multitenancy_enabled: true 13 | server_username: "kibanaserver" 14 | index: ".kibana" 15 | http: 16 | anonymous_auth_enabled: false 17 | xff: 18 | enabled: false 19 | internalProxies: "192\\.168\\.0\\.10|192\\.168\\.0\\.11" 20 | remoteIpHeader: "x-forwarded-for" 21 | authc: 22 | authentication_domain_kerb: 23 | http_enabled: false 24 | transport_enabled: false 25 | order: 3 26 | http_authenticator: 27 | challenge: true 28 | type: "kerberos" 29 | config: {} 30 | authentication_backend: 31 | type: "noop" 32 | config: {} 33 | description: "Migrated from v6" 34 | authentication_domain_proxy: 35 | http_enabled: false 36 | transport_enabled: false 37 | order: 2 38 | http_authenticator: 39 | challenge: true 40 | type: "proxy" 41 | config: 42 | user_header: "x-proxy-user" 43 | roles_header: "x-proxy-roles" 44 | authentication_backend: 45 | type: "noop" 46 | config: {} 47 | description: "Migrated from v6" 48 | authentication_domain_clientcert: 49 | http_enabled: false 50 | transport_enabled: false 51 | order: 1 52 | http_authenticator: 53 | challenge: true 54 | type: "clientcert" 55 | config: {} 56 | authentication_backend: 57 | type: "noop" 58 | config: {} 59 | description: "Migrated from v6" 60 | authentication_domain_basic_internal: 61 | http_enabled: true 62 | transport_enabled: true 63 | order: 0 64 | http_authenticator: 65 | challenge: true 66 | type: "basic" 67 | config: {} 68 | authentication_backend: 69 | type: "intern" 70 | config: {} 71 | description: "Migrated from v6" 72 | authz: 73 | roles_from_xxx: 74 | 
http_enabled: false 75 | transport_enabled: false 76 | authorization_backend: 77 | type: "xxx" 78 | config: {} 79 | description: "Migrated from v6" 80 | roles_from_myldap: 81 | http_enabled: false 82 | transport_enabled: false 83 | authorization_backend: 84 | type: "ldap" 85 | config: 86 | rolesearch: "(uniqueMember={0})" 87 | resolve_nested_roles: true 88 | rolebase: "ou=groups,o=TEST" 89 | rolename: "cn" 90 | description: "Migrated from v6" 91 | do_not_fail_on_forbidden: false 92 | multi_rolespan_enabled: false 93 | hosts_resolver_mode: "ip-only" 94 | transport_userrname_attribute: null 95 | -------------------------------------------------------------------------------- /src/test/resources/restapi/internal_users.yml: -------------------------------------------------------------------------------- 1 | --- 2 | _meta: 3 | type: "internalusers" 4 | config_version: 2 5 | q: 6 | hash: "$2a$12$Ioo1uXmH.Nq/lS5dUVBEsePSmZ5pSIpVO/xKHaquU/Jvq97I7nAgG" 7 | reserved: false 8 | hidden: true 9 | backend_roles: [] 10 | attributes: {} 11 | description: "Migrated from v6" 12 | other: 13 | hash: "someotherhash" 14 | reserved: false 15 | hidden: false 16 | backend_roles: [] 17 | attributes: {} 18 | description: "Migrated from v6" 19 | test: 20 | hash: "$2a$12$1HqHxm3QTfzwkse7vwzhFOV4gDv787cZ8BwmCwNEyJhn0CZoo8VVu" 21 | reserved: false 22 | hidden: false 23 | backend_roles: [] 24 | attributes: {} 25 | description: "Migrated from v6" 26 | sarek: 27 | hash: "$2a$12$Ioo1uXmH.Nq/lS5dUVBEsePSmZ5pSIpVO/xKHaquU/Jvq97I7nAgG" 28 | reserved: true 29 | hidden: false 30 | backend_roles: 31 | - "vulcan" 32 | attributes: {} 33 | description: "Migrated from v6" 34 | admin: 35 | hash: "$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG" 36 | reserved: false 37 | hidden: false 38 | backend_roles: [] 39 | attributes: {} 40 | description: "Migrated from v6" 41 | worf: 42 | hash: "$2a$12$A41IxPXV1/Dx46C6i1ufGubv.p3qYX7xVcY46q33sylYbIqQVwTMu" 43 | reserved: false 44 | hidden: false 45 | 
backend_roles: 46 | - "klingon" 47 | attributes: {} 48 | description: "Migrated from v6" 49 | -------------------------------------------------------------------------------- /src/test/resources/restapi/kirk-keystore.jks: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opendistro-for-elasticsearch/deprecated-security-advanced-modules/040bd24e1d99070abad1394a4166aa9a215514ec/src/test/resources/restapi/kirk-keystore.jks -------------------------------------------------------------------------------- /src/test/resources/restapi/kirk.key.pem: -------------------------------------------------------------------------------- 1 | Bag Attributes 2 | friendlyName: kirk 3 | localKeyID: 54 69 6D 65 20 31 35 32 35 35 33 31 30 33 36 39 34 34 4 | Key Attributes: 5 | -----BEGIN PRIVATE KEY----- 6 | MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC3uIGcEtuSYIow 7 | SRz2Z5Gwua2th4opuQ8v8I2iCM/l+Egfm9JZ3b69LOAQ0Be1oeSEusOKqLq+efL6 8 | vQpqW4Ky5gZmSKwwxw+S7ew4Ma0dqS5a2zhhguoe1la+xHgXyKgcnUT6B0b4AKN1 9 | /gy9ZH4yQbm2zBx6rB+W2lm2LTHNQ5MKjAV21no1oKhY8yCaDzlPeGNYZ7tJJIiA 10 | kMBakkARMJvhEgqtJLbp2URJ2BTrOPhCjARX7+Ap0so72lWjmY4oq4M1gszM3qbV 11 | DtptRAV5MCAiroxf1hInjRCPt9ZarY4H+Ek1Mc30t9Otr39kwo+3l5zIEJNGmv4q 12 | ZeUwSD4HAgMBAAECggEBAKvAJhKVIoW2EJnRT+0ep3mSK8YlBsm4gnUrqgyHtmtj 13 | 73D1R/HRNiY+FH5DO1cGsM5QlstCr8mv0bIMFfeV8xpxphvq5mZ3QZz3JbTm49Lt 14 | vTMc65llPJ91ewS+QRLi+B4//CLNuM/SMP32cUyA7OTowsgcCqe3z5RELkf7+inL 15 | 4b4VhB2xI3f/g7QaZgVI2felL0g/kXZuZTycoYVcmHeuPeYqUiJoO9ctB3MGwHwj 16 | y0cYYTy5czXKn4QhJRGXYk3gzoL2RK0K/8TsopqrWhcAMyJD6jjPwhhcihM1n+tx 17 | vGCxH6HsFaPwz6Uko8cLjpvbAumltsstkusliSU86UkCgYEA8HG8PxI3NKANO6qo 18 | PnBh58q0DajEaMN4mIwsVZKSPonmySBcNWePXOFNd5sUk4Ccxtym/uRj46ee+Q/G 19 | wMhYbxU1yGlX+h0L9TR14Zl6Lqa2jueUpkgZC2m1PlKHS1E4XqUpOVkGd5TWwWYj 20 | 89PNOteQeGHXhmLL7SOJd1B2+A0CgYEAw5tPKop08H+QYCJ06NukIypKa8AlyFZU 21 | oWACIaihzc6Czmjg9AjZLdyJA5uhO12QW58dkQ53ubT98GgwVz4OQf1p/JVvVpgs 22 | 
qRQd8bbeo/Ce/SDqK7POnR5g/1I4jorYJuoc29v4S6X8udsOGtRL6g5ShJRzTeCi 23 | yYoHS2USVWMCgYAtMGL9w5GmjVIPXbKDEaIE6z7NtmM7gUk/+lA2wPZFVKuQL0nF 24 | K7Jw9VMW4ImMc0aDxWKJUylG1vD0xDdJch3UurrB8LJ9KkpeCj8BaFPjQqfa0cFJ 25 | QxGZ6IMMtHwC9r/OYeIOiiHCBbIa5PRq1eqjXXIkfdcAxb6n0d77Ep9ZXQKBgDlM 26 | v64YjRT+aU6gCVtFLBnZA5/405iSIYx8UWOGwI9HVW4drvgNt4EFv2U9K8f2KpmM 27 | TN73O/88k77e5npIBWkzUN7a75iQT1TgPb1W8nVXwVspTy+qJnZENenVLhgjeBo+ 28 | LmIBWAThBN102/bkBbD0rRuFWRmRGl6rfmOJogs9AoGAJU68m2cC+mPTljUwFWlA 29 | CKf8iNkgrDkD9U2iFbnidVcXYzMsktTNvgJQsQFUxZKTW88jN5HLSZP5arO6vUBL 30 | IaOcCgDlA8y86+3ENAb+ZOyXKyDOGnKD7sBxip9zxR0p9Tc2zIyFzydnP7hxw2aw 31 | sXgy1G9RBFM0QDKAv7bxdBE= 32 | -----END PRIVATE KEY----- 33 | -------------------------------------------------------------------------------- /src/test/resources/restapi/node-0-keystore.jks: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opendistro-for-elasticsearch/deprecated-security-advanced-modules/040bd24e1d99070abad1394a4166aa9a215514ec/src/test/resources/restapi/node-0-keystore.jks -------------------------------------------------------------------------------- /src/test/resources/restapi/roles_captains.json: -------------------------------------------------------------------------------- 1 | { 2 | "cluster_permissions" : [ "cluster:monitor*" ], 3 | "index_permissions" : [ { 4 | "index_patterns" : [ "sf" ], 5 | "allowed_actions" : [ "OPENDISTRO_SECURITY_CRUD" ] 6 | }, { 7 | "index_patterns" : [ "pub" ], 8 | "allowed_actions" : [ "OPENDISTRO_SECURITY_CRUD" ] 9 | } ], 10 | "tenant_permissions" : [ ] 11 | } 12 | -------------------------------------------------------------------------------- /src/test/resources/restapi/roles_captains_different_content.json: -------------------------------------------------------------------------------- 1 | { 2 | "cluster_permissions" : [ "cluster:monitor*" ], 3 | "index_permissions" : [ { 4 | "index_patterns" : [ "hulla" ], 5 | 
"allowed_actions" : [ "blafasel" ] 6 | }, { 7 | "index_patterns" : [ "pub" ], 8 | "allowed_actions" : [ "OPENDISTRO_SECURITY_CRUD" ] 9 | } ], 10 | "tenant_permissions" : [ { 11 | "tenant_patterns" : [ "tenant2" ], 12 | "allowed_actions" : [ "kibana_all_write" ] 13 | }, { 14 | "tenant_patterns" : [ "tenant1" ], 15 | "allowed_actions" : [ "kibana_all_write" ] 16 | } ] 17 | } 18 | -------------------------------------------------------------------------------- /src/test/resources/restapi/roles_captains_no_tenants.json: -------------------------------------------------------------------------------- 1 | { 2 | "cluster_permissions" : [ "cluster:monitor*" ], 3 | "index_permissions" : [ { 4 | "index_patterns" : [ "sf" ], 5 | "allowed_actions" : [ "OPENDISTRO_SECURITY_CRUD" ] 6 | }, { 7 | "index_patterns" : [ "pub" ], 8 | "allowed_actions" : [ "OPENDISTRO_SECURITY_CRUD" ] 9 | } ], 10 | "tenant_permissions" : [ ] 11 | } 12 | -------------------------------------------------------------------------------- /src/test/resources/restapi/roles_captains_tenants.json: -------------------------------------------------------------------------------- 1 | { 2 | "cluster_permissions" : [ "cluster:monitor*" ], 3 | "index_permissions" : [ { 4 | "index_patterns" : [ "sf" ], 5 | "allowed_actions" : [ "OPENDISTRO_SECURITY_CRUD" ] 6 | }, { 7 | "index_patterns" : [ "pub" ], 8 | "allowed_actions" : [ "OPENDISTRO_SECURITY_CRUD" ] 9 | } ], 10 | "tenant_permissions" : [ { 11 | "tenant_patterns" : [ "tenant2" ], 12 | "allowed_actions" : [ "kibana_all_write" ] 13 | }, { 14 | "tenant_patterns" : [ "tenant1" ], 15 | "allowed_actions" : [ "kibana_all_read" ] 16 | } ] 17 | } 18 | -------------------------------------------------------------------------------- /src/test/resources/restapi/roles_captains_tenants2.json: -------------------------------------------------------------------------------- 1 | { 2 | "cluster_permissions" : [ "cluster:monitor*" ], 3 | "index_permissions" : [ { 4 | "index_patterns" 
: [ "sf" ], 5 | "allowed_actions" : [ "OPENDISTRO_SECURITY_CRUD" ] 6 | }, { 7 | "index_patterns" : [ "pub" ], 8 | "allowed_actions" : [ "OPENDISTRO_SECURITY_CRUD" ] 9 | } ], 10 | "tenant_permissions" : [ { 11 | "tenant_patterns" : [ "tenant2", "tenant4" ], 12 | "allowed_actions" : [ "kibana_all_write" ] 13 | }, { 14 | "tenant_patterns" : [ "tenant1", "tenant3" ], 15 | "allowed_actions" : [ "kibana_all_read" ] 16 | } ] 17 | } 18 | -------------------------------------------------------------------------------- /src/test/resources/restapi/roles_captains_tenants_malformed.json: -------------------------------------------------------------------------------- 1 | { 2 | "cluster_permissions" : [ "cluster:monitor*" ], 3 | "index_permissions" : [ { 4 | "index_patterns" : [ "sf" ], 5 | "allowed_actions" : [ "OPENDISTRO_SECURITY_CRUD" ] 6 | }, { 7 | "index_patterns" : [ "pub" ], 8 | "allowed_actions" : [ "OPENDISTRO_SECURITY_CRUD" ] 9 | } ], 10 | "tenantz_permissions" : [ { 11 | "tenant_patterns" : [ "tenant2", "tenant4" ], 12 | "allowed_actions" : [ "kibana_all_write" ] 13 | }, { 14 | "tenant_patterns" : [ "tenant1", "tenant3" ], 15 | "allowed_actions" : [ "kibana_all_read" ] 16 | } ] 17 | } 18 | -------------------------------------------------------------------------------- /src/test/resources/restapi/roles_complete_invalid.json: -------------------------------------------------------------------------------- 1 | { 2 | "cluster_permissions" : [ "cluster:monitor*" ], 3 | "index_permissions" : [ { 4 | "index_patterns" : [ "sf" ], 5 | "allowed_actions" : [ "OPENDISTRO_SECURITY_CRUD" ] 6 | }, { 7 | "index_patterns" : [ "pub" ], 8 | "allowed_actions" : [ "OPENDISTRO_SECURITY_CRUD" ] 9 | } ], 10 | "tenant_permissions" : [ ] 11 | {[} 12 | -------------------------------------------------------------------------------- /src/test/resources/restapi/roles_field_masks_invalid.json: -------------------------------------------------------------------------------- 1 | { 2 | "cluster": [ 
3 | "*" 4 | ], 5 | "indices": { 6 | "*": { 7 | "*": [ 8 | "indices:data/read/*" 9 | ], 10 | "_masked_fields_": [ 11 | "abvfg", 12 | "*ip_dest*::[0-9]{1,3::XXX", 13 | "*ip_source*::[0-9]{1,3}$::XXX::/^[0-9]{1,3}/::***", 14 | "customer.name::SHA-513", 15 | "abc::" 16 | ], 17 | "abc": [ 18 | 123 19 | ] 20 | } 21 | } 22 | } -------------------------------------------------------------------------------- /src/test/resources/restapi/roles_field_masks_valid.json: -------------------------------------------------------------------------------- 1 | { 2 | "cluster_permissions" : [ "*" ], 3 | "index_permissions" : [ { 4 | "index_patterns" : [ "*" ], 5 | "masked_fields" : [ "abvfg", "*ip_dest*::/[0-9]{1,3}$/::XXX", "*ip_source*::/[0-9]{1,3}$/::XXX::/^[0-9]{1,3}/::***", "customer.name::SHA-512", "/[0-9]{1,3}/::SHA-512" ], 6 | "allowed_actions" : [ "123", "indices:data/read/*" ] 7 | } ], 8 | "tenant_permissions" : [ ] 9 | } -------------------------------------------------------------------------------- /src/test/resources/restapi/roles_invalid_keys.json: -------------------------------------------------------------------------------- 1 | { 2 | "kluster_permissions" : [ "cluster:monitor*", "indices:data/read/scroll" ], 3 | "indexx_permissions" : [ { 4 | "index_patterns" : [ "sf" ], 5 | "allowed_actions" : [ "OPENDISTRO_SECURITY_READ", "indices:*" ] 6 | }, { 7 | "index_patterns" : [ "pub" ], 8 | "allowed_actions" : [ "OPENDISTRO_SECURITY_READ" ] 9 | } ], 10 | "tenant_permissions" : [ ] 11 | } 12 | -------------------------------------------------------------------------------- /src/test/resources/restapi/roles_multiple.json: -------------------------------------------------------------------------------- 1 | { 2 | "cluster_permissions" : [ "cluster:monitor1*" ], 3 | "index_permissions" : [ { 4 | "index_patterns" : [ "sf1" ], 5 | "allowed_actions" : [ "OPENDISTRO_SECURITY_CRUD" ] 6 | }, { 7 | "index_patterns" : [ "pub1" ], 8 | "allowed_actions" : [ "OPENDISTRO_SECURITY_CRUD" ] 9 | 
} ], 10 | "tenant_permissions" : [ ] 11 | } 12 | { 13 | "cluster_permissions" : [ "cluster:monitor2*" ], 14 | "index_permissions" : [ { 15 | "index_patterns" : [ "sf2" ], 16 | "allowed_actions" : [ "OPENDISTRO_SECURITY_CRUD" ] 17 | }, { 18 | "index_patterns" : [ "pub2" ], 19 | "allowed_actions" : [ "OPENDISTRO_SECURITY_CRUD" ] 20 | } ], 21 | "tenant_permissions" : [ ] 22 | } 23 | -------------------------------------------------------------------------------- /src/test/resources/restapi/roles_multiple_2.json: -------------------------------------------------------------------------------- 1 | { 2 | "cluster_permissions" : [ "cluster:monitor*" ], 3 | "cluster_permissions" : [ "cluster:monitor*" ], 4 | "index_permissions" : [ { 5 | "index_patterns" : [ "sf" ], 6 | "allowed_actions" : [ "OPENDISTRO_SECURITY_CRUD" ] 7 | }, { 8 | "index_patterns" : [ "pub" ], 9 | "allowed_actions" : [ "OPENDISTRO_SECURITY_CRUD" ] 10 | } ], 11 | "tenant_permissions" : [ ] 12 | } 13 | -------------------------------------------------------------------------------- /src/test/resources/restapi/roles_not_parseable.json: -------------------------------------------------------------------------------- 1 | { 2 | "cluster_permissions" : [ "*" ], 3 | "index_permissions" : [ , 4 | "index_patterns" : [ "*" ], 5 | "masked_fields" : [ "abvfg", "*ip_dest*::/[0-9]{1,3}$/::XXX", "*ip_source*::/[0-9]{1,3}$/::XXX::/^[0-9]{1,3}/::***", "customer.name::SHA-512", "/[0-9]{1,3}/::SHA-512" ], 6 | "allowed_actions" [ "123", "indices:data/read/*" ] 7 | } ], 8 | "tenant_permissions" : [ ] 9 | } -------------------------------------------------------------------------------- /src/test/resources/restapi/roles_starfleet.json: -------------------------------------------------------------------------------- 1 | { 2 | "cluster_permissions" : [ "cluster:monitor*", "indices:data/read/scroll", "*bulk*" ], 3 | "index_permissions" : [ { 4 | "index_patterns" : [ "sf" ], 5 | "allowed_actions" : [ "OPENDISTRO_SECURITY_READ", 
"indices:*", "*bulk*" ] 6 | }, { 7 | "index_patterns" : [ "pub" ], 8 | "allowed_actions" : [ "OPENDISTRO_SECURITY_READ" ] 9 | } ], 10 | "tenant_permissions" : [ ] 11 | } 12 | -------------------------------------------------------------------------------- /src/test/resources/restapi/roles_tenants.yml: -------------------------------------------------------------------------------- 1 | --- 2 | _meta: 3 | type: "tenants" 4 | config_version: 2 5 | -------------------------------------------------------------------------------- /src/test/resources/restapi/roles_wrong_datatype.json: -------------------------------------------------------------------------------- 1 | { 2 | "cluster_permissions" : 123, 3 | "index_permissions" : [ { 4 | "index_patterns" : [ "*" ], 5 | "masked_fields" : [ "abvfg", "*ip_dest*::/[0-9]{1,3}$/::XXX", "*ip_source*::/[0-9]{1,3}$/::XXX::/^[0-9]{1,3}/::***", "customer.name::SHA-512", "/[0-9]{1,3}/::SHA-512" ], 6 | "allowed_actions" : [ "123", "indices:data/read/*" ] 7 | } ], 8 | "tenant_permissions" : [ ] 9 | } -------------------------------------------------------------------------------- /src/test/resources/restapi/rolesmapping_all_access.json: -------------------------------------------------------------------------------- 1 | { 2 | "users": [ 3 | "sisko", 4 | "janeway", 5 | "kirk" 6 | ], 7 | "backend_roles": [ 8 | "captains", 9 | "role2", 10 | "role3" 11 | ], 12 | "hosts": [ 13 | "8.8.8.8", 14 | "8.8.4.4" 15 | ] 16 | } -------------------------------------------------------------------------------- /src/test/resources/restapi/rolesmapping_all_noaccess.json: -------------------------------------------------------------------------------- 1 | { 2 | "users": [ 3 | "sisko", 4 | "janeway", 5 | "kirk" 6 | ], 7 | "backend_roles": [ 8 | "role1", 9 | "role2", 10 | "role3" 11 | ], 12 | "hosts": [ 13 | "8.8.8.8", 14 | "8.8.4.4" 15 | ] 16 | } -------------------------------------------------------------------------------- 
/src/test/resources/restapi/rolesmapping_backendroles_captains_list.json: -------------------------------------------------------------------------------- 1 | { 2 | "backend_roles": [ 3 | "captains", 4 | "otherrole" 5 | ] 6 | } -------------------------------------------------------------------------------- /src/test/resources/restapi/rolesmapping_backendroles_captains_single.json: -------------------------------------------------------------------------------- 1 | { 2 | "backend_roles": [ 3 | "captains" 4 | ] 5 | } -------------------------------------------------------------------------------- /src/test/resources/restapi/rolesmapping_backendroles_captains_single_wrong_datatype.json: -------------------------------------------------------------------------------- 1 | { 2 | "backend_roles": "captains" 3 | } -------------------------------------------------------------------------------- /src/test/resources/restapi/rolesmapping_hosts_list.json: -------------------------------------------------------------------------------- 1 | { 2 | "hosts": [ 3 | "127.0.0.1", 4 | "127.0.0.2", 5 | "localhost" 6 | ] 7 | } -------------------------------------------------------------------------------- /src/test/resources/restapi/rolesmapping_hosts_single.json: -------------------------------------------------------------------------------- 1 | { 2 | "hosts": [ 3 | "127.0.0.1" 4 | ] 5 | } -------------------------------------------------------------------------------- /src/test/resources/restapi/rolesmapping_hosts_single_wrong_datatype.json: -------------------------------------------------------------------------------- 1 | { 2 | "hosts": "127.0.0.1", 3 | "backend_roles": [ 4 | "a", 5 | "b" 6 | ], 7 | "users": [ 8 | "a", 9 | "b" 10 | ] 11 | } -------------------------------------------------------------------------------- /src/test/resources/restapi/rolesmapping_invalid_keys.json: -------------------------------------------------------------------------------- 1 | { 2 | "theusers": 
[ 3 | "sisko", 4 | "janeway", 5 | "kirk" 6 | ], 7 | "thebackendroles": [ 8 | "captains", 9 | "role2", 10 | "role3" 11 | ], 12 | "thehosts": [ 13 | "8.8.8.8", 14 | "8.8.4.4" 15 | ] 16 | } -------------------------------------------------------------------------------- /src/test/resources/restapi/rolesmapping_not_parseable.json: -------------------------------------------------------------------------------- 1 | { 2 | "users": [ 3 | "sisko", 4 | "janeway", 5 | "kirk" 6 | ] 7 | "backend_roles": [ 8 | "captains", 9 | "role2", 10 | "role3" 11 | ] 12 | "hosts": [ 13 | "8.8.8.8", 14 | "8.8.4.4" 15 | ] 16 | } -------------------------------------------------------------------------------- /src/test/resources/restapi/rolesmapping_users_picard_list.json: -------------------------------------------------------------------------------- 1 | { 2 | "users": [ 3 | "picard", 4 | "sisko" 5 | ] 6 | } -------------------------------------------------------------------------------- /src/test/resources/restapi/rolesmapping_users_picard_single.json: -------------------------------------------------------------------------------- 1 | { 2 | "users": [ 3 | "picard" 4 | ] 5 | } -------------------------------------------------------------------------------- /src/test/resources/restapi/rolesmapping_users_picard_single_wrong_datatype.json: -------------------------------------------------------------------------------- 1 | { 2 | "users": "picard", 3 | "hosts": "1.2.3.4", 4 | "backend_roles": "role" 5 | } -------------------------------------------------------------------------------- /src/test/resources/restapi/simple_role.json: -------------------------------------------------------------------------------- 1 | { 2 | "cluster_permissions": [ 3 | "OPENDISTRO_SECURITY_UNLIMITED" 4 | ], 5 | "index_permissions": [{ 6 | "index_patterns": [ 7 | "*" 8 | ], 9 | "fls": [], 10 | "masked_fields": [], 11 | "allowed_actions": [ 12 | "OPENDISTRO_SECURITY_UNLIMITED" 13 | ] 14 | }], 15 | 
"tenant_permissions": [{ 16 | "tenant_patterns": [ 17 | "admin_tenant" 18 | ], 19 | "allowed_actions": [ 20 | "kibana_all_write" 21 | ] 22 | }] 23 | } 24 | -------------------------------------------------------------------------------- /src/test/resources/restapi/spock-keystore.jks: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opendistro-for-elasticsearch/deprecated-security-advanced-modules/040bd24e1d99070abad1394a4166aa9a215514ec/src/test/resources/restapi/spock-keystore.jks -------------------------------------------------------------------------------- /src/test/resources/restapi/truststore.jks: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opendistro-for-elasticsearch/deprecated-security-advanced-modules/040bd24e1d99070abad1394a4166aa9a215514ec/src/test/resources/restapi/truststore.jks -------------------------------------------------------------------------------- /src/test/resources/restapi/users_key_not_quoted.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opendistro-for-elasticsearch/deprecated-security-advanced-modules/040bd24e1d99070abad1394a4166aa9a215514ec/src/test/resources/restapi/users_key_not_quoted.json -------------------------------------------------------------------------------- /src/test/resources/restapi/users_wrong_datatypes.json: -------------------------------------------------------------------------------- 1 | { 2 | "password": "password", 3 | "backend_roles": "role" 4 | } -------------------------------------------------------------------------------- /src/test/resources/restapi/users_wrong_datatypes2.json: -------------------------------------------------------------------------------- 1 | { 2 | "password": 123, 3 | "backend_roles": [ 4 | "role1", 5 | "role2" 6 | ] 7 | } 
-------------------------------------------------------------------------------- /src/test/resources/restapi/users_wrong_datatypes3.json: -------------------------------------------------------------------------------- 1 | { 2 | "password": "password", 3 | "backend_roles": true 4 | } -------------------------------------------------------------------------------- /src/test/resources/saml/kirk-keystore.jks: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opendistro-for-elasticsearch/deprecated-security-advanced-modules/040bd24e1d99070abad1394a4166aa9a215514ec/src/test/resources/saml/kirk-keystore.jks -------------------------------------------------------------------------------- /src/test/resources/saml/spock-keystore.jks: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opendistro-for-elasticsearch/deprecated-security-advanced-modules/040bd24e1d99070abad1394a4166aa9a215514ec/src/test/resources/saml/spock-keystore.jks -------------------------------------------------------------------------------- /src/test/resources/sslConfigurator/jks/node1-keystore.jks: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opendistro-for-elasticsearch/deprecated-security-advanced-modules/040bd24e1d99070abad1394a4166aa9a215514ec/src/test/resources/sslConfigurator/jks/node1-keystore.jks -------------------------------------------------------------------------------- /src/test/resources/sslConfigurator/jks/other-root-ca.jks: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opendistro-for-elasticsearch/deprecated-security-advanced-modules/040bd24e1d99070abad1394a4166aa9a215514ec/src/test/resources/sslConfigurator/jks/other-root-ca.jks -------------------------------------------------------------------------------- 
/src/test/resources/sslConfigurator/jks/other-root-ca.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIDyDCCArCgAwIBAgIBATANBgkqhkiG9w0BAQsFADB1MRMwEQYKCZImiZPyLGQB 3 | GRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTEaMBgGA1UECgwRRXhhbXBs 4 | ZSBDb20sIEluYy4xCzAJBgNVBAsMAkNBMRwwGgYDVQQDDBNyb290LmNhLmV4YW1w 5 | bGUuY29tMB4XDTE4MDIyMDEyMTQ1OFoXDTI4MDIxODEyMTQ1OFowdTETMBEGCgmS 6 | JomT8ixkARkWA2NvbTEXMBUGCgmSJomT8ixkARkWB2V4YW1wbGUxGjAYBgNVBAoM 7 | EUV4YW1wbGUgQ29tLCBJbmMuMQswCQYDVQQLDAJDQTEcMBoGA1UEAwwTcm9vdC5j 8 | YS5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJON 9 | BjXK6+4FEgQN9L/FXjIYv9G/ZCEv9JpFTugURGdPY3lY7jRdejCyPgkFf8Dl8KIO 10 | h1XGrxYOgsWbpmG6Mvfwhf5zL7S+WTJRcKLHkzgGpylOWkH4c1AtJz65F8LRzWiM 11 | YCWii8+8fQZ0Hi7BEFGGXBgdJACaa7252wb3/HJSQICzsbFh1WtTDzxwhhW+SbbO 12 | l8zYqyZN7/gtX6NpmtGEztjEorhop9MWUJG531k8d7Udml6lqwFH7PP7GfVcOoUj 13 | WYHMebVrRKa/M+mPKUgyCbb3SvNshAIUz9Q8jBsYknHFBgt3hIRYXHEfmCMEESI6 14 | J7StMHDfaQUt7DFvdpkCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSME 15 | GDAWgBQuBXn0bHZ5r/GlVGjbPoLYiv1GJDAdBgNVHQ4EFgQULgV59Gx2ea/xpVRo 16 | 2z6C2Ir9RiQwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4IBAQB95yPb 17 | NlpxvmTZL/8kyUAXRJyGO+8hMwBz60Dav2IHlqnt534a/eMtaoafkkPxRqZp1NQX 18 | g1+oVnRZhv7s/NJChmZ/oby8s8aZaHRoK+vCiPNPrwnOxjbAIQFi8bv3C3b8qXt3 19 | dGccYB/NIlhvQKKSosLKcvYm4M06O3snfbyHEVhYUo2anKUPB0YZmy/BBVaMv7/p 20 | sj6BhrBOqOMqq36pO+svlM9Ng2v+5RlTjR/33gG7wU/25xmQ7f03O7ohfqm1Tb84 21 | 8QwWYhSslr2sUmOWmiRKQsd29kSZ3V57NBzEaOjj3bHORxhG2+xuFxu/z8TBQimG 22 | O02+zOIl/+HPvhQN 23 | -----END CERTIFICATE----- 24 | -------------------------------------------------------------------------------- /src/test/resources/sslConfigurator/jks/truststore.jks: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/opendistro-for-elasticsearch/deprecated-security-advanced-modules/040bd24e1d99070abad1394a4166aa9a215514ec/src/test/resources/sslConfigurator/jks/truststore.jks -------------------------------------------------------------------------------- /src/test/resources/sslConfigurator/pem/kirk.key: -------------------------------------------------------------------------------- 1 | -----BEGIN ENCRYPTED PRIVATE KEY----- 2 | MIIE9jAoBgoqhkiG9w0BDAEDMBoEFJXPhgGfl3qpK2ps9gqNUx35uHCaAgIIAASC 3 | BMjmI3bvVJNwKmLDaj2z4MRqn4h99ktK8mAd3rFH65QRHP0VrbTJ7ymLTsWCEwXr 4 | QUjR87tDsgtsEFoazXv0HATPVLkAwQzHwDkps1WSaphh2MG/05QSpdMYqP8yxKVg 5 | HdSOabKlwh8IQIA3QDCefCYwM+jRx1hw1B1hMXabUtqN1EENdNp6bZ76qxoiPyFm 6 | zq3yruaBS0CjexYbdF1wOjIAtoTkD2v/B+kiVUlz+k12nK9Wk3uf4OHL26gMI/o5 7 | J2tRJ5xCGHfOQaz/VCp8QV3qnpjUp/sBMNRL6O64flmbamwN5/8y1D1xP900ZSWS 8 | LjrfvQAaSh52O8orcaFXSoPNRYyOsLMZ4/L7ysJP6RPLGI/MwQE/XF5p/JNcFM0X 9 | n1DR6UJGWl7KfJy7LT2EEM3ztiH87OvSsnrYeoBTJUE5MSmhxeiWHoPus8OsxA8v 10 | DNHKAMMiiaxL2Wmt+et4zpZJM7wRyRNVGqHKgCYudpCB2Del8RKm4zjF1i60EVc3 11 | Nm9ngw3veZRhiNUrIwNqJ2dx/ZUzPQ13wUAJ9H+GKSl5SrL4JXxs1yQYClbL5TBU 12 | luPUhzlgSHVMzl9UCevI6j6AbGCi1DkppUelR5LN7lTgiBcCMc8XoFGzhriepobX 13 | tZeUM+HJtjLGcq1yGLApM775JIl8LgrpkpuACMPs6dFSqwp5612hFtbaOqFmQn2P 14 | SC6Kk4LcV7UahCehXtLr/S5QMoJvE7HfW92/+7Ln4tc1KCBE0+7KDq5PtjQgFybo 15 | UoGUvXtva0m0Ff6gt1fdyoK2/y+V91fwMc/sCrlfNIA8bz9Lk98mrppOs4vfbKlq 16 | 9BFoZwuAebO/nuXOqn4U4gKxDabDkcxuMqgxquqtpePEH583FDNKxBvVVuZpDAbb 17 | KTEOxXEDZvvMJeD0P99C1L6XPhpj0olCLgiC51P8/2aoLQC9YLm5I0ne+j/La7qN 18 | i89+0FvnaoS75VtIlIj+kbrYOzWrnGIWHsB4k1kiSfwjdOBgbb4fc3tq9xpO9Vya 19 | VWecagNlNvIz6Oqi8HXX9HT73kZ0GL95DB+FZsKKy03Bvys3tPEnl/R5mJlZslfr 20 | 0rsknLRM39Kty2W577IhRY/OypLIUppfa/R1x+yE/zN3cAAiMFyQi9BQpcEF/66x 21 | zjGoYanv6unKojMQJ1KOgxWRgdhZfRcUomZJdgoU6/+ZzvftHQ2/KmaGOHiVdk6E 22 | ARnYUTwTBHoIpS8d7SfZYAjj0I51ICHWpNU2ecZ7bCJEFjRdwbOHqQOV25rpAjM9 23 | JdUwfi/yuw+LwjmRFFe4wqn/Je15/DM+3fNIYYwSZ2tYMjeDJFvFDcqX7m/j0DLf 24 | 
G1Q65pz3hiOedkxKobHvmEygbqaAXX7gxUXKQf7NuooBfIgGiiMv0RMYZxqxYAwy 25 | MVG2C1+SjlhdQgkUgFfXikku4A+3b2I+UEaJ/Jot03WCzIpJ7KIFJo5Q/56dhK7e 26 | lRWBjhGupivqlvgWdUYGwsfd0OVpSaUChOKnO2mGPZmnyoig2F2VaE9yX8KopWkk 27 | k+4D/wGJWWkW0NJN/7bGVkq5nXORzCMvN3r/UcovhEbDKAiMfIZz4eGw76xpqCmR 28 | puulRd0958X0/eOUE8jLSHCJsdGmwfOoJ0U= 29 | -----END ENCRYPTED PRIVATE KEY----- 30 | -------------------------------------------------------------------------------- /src/test/resources/sslConfigurator/pem/node-wrong-hostname-keystore.jks: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opendistro-for-elasticsearch/deprecated-security-advanced-modules/040bd24e1d99070abad1394a4166aa9a215514ec/src/test/resources/sslConfigurator/pem/node-wrong-hostname-keystore.jks -------------------------------------------------------------------------------- /src/test/resources/sslConfigurator/pem/node-wrong-hostname.key: -------------------------------------------------------------------------------- 1 | -----BEGIN ENCRYPTED PRIVATE KEY----- 2 | MIIE9jAoBgoqhkiG9w0BDAEDMBoEFDRTWJyprJG1K9vLRXlXhi5PZOn1AgIIAASC 3 | BMja61zKBRP8A2BF5N2AZtv+t/Ml0sRxM7lPRYzJG0PYI65jg6PYzOBH9CR21iY9 4 | fo7iYkmSX1r5SPxt8x1Hck2fDva1Xlf8+SrEzACoiBCjDNkQMr/CVKrSdzRiHG5M 5 | KuYM7cxbxMs5tLBWEz9++TaMQS9gD2Q7NhZg4MWt11tjm0qAVHQuBSmYCqu8WCpL 6 | GMEKRbUHpgpMzj2FWtLq53QvMxvG4sZnOUSmUcglYl3apLa22MBaJZIfQe8UdZDz 7 | /jc0Le3NJit6Hu8+s/hILHY0wSZzocLgNUUlkPk7clE/iZJjQ2hBTC8auKHqOgN/ 8 | 8bAN3CAShlaBkg2gF88oufwJSDyOSvABYUBlhR4Ivyiy/0pW33JM5YgEKwQek7E3 9 | rBjqfa3NltCVPTQ+QXd7JzIRuMKEF+hdO9T83G6yFgWRqtNfNdY+Pqn09FygQcCV 10 | PTOs+OIrb5mCe1cVmxEaLVgHpNsZqe6YFWdbkmD0VGV1LDL6haR3VS2RSzlsZVzm 11 | VmfuRIYm2H3IjdkqXZIPyZDwRkTHomhXy7HbEEK9T8AAZy4510ASHV8ms9sXL84H 12 | R8dVEDme63w/UkwAI9TT0TObCjlL2ltpeLuhfPSE4qBrBHKvBFjNlTDXdT7fyVyN 13 | pS3uU6tbndL04bhKn1OPtGp8995PX7CxD/AZOdWKLvqV3ra/JfsmMUkYRiYufkUm 14 | 1Rmzrapv1W34MMLMNm6dLhsv6cwcvStizB8QJ85d2v7QODv0uaA+83+V94gtHSIZ 15 | 
dEkNsWePQoJO/rUFRp06XPYAlk9As7eMyCbkEmrsF1ATJG1/nawKHiNu/rlZrZxP 16 | K+mQ8YXuPlxzkO1EzwF6rlN/g+1B6hzoHjNvpvzB3hDeN7DjLFWf0ATcB+vGORhR 17 | ODly/LUpn+ZVxR7hkCLIQvIwFmdQmPRc3i+C8QITC36KVMiDGttLqhwNCW9ZKssc 18 | m+F4pKq1KuZRzWxaJIpppkNxvr6IQJLm9ItCTRasoA2NQEhXX2ufSfYAX4ed3qxW 19 | acW4OS/Oh8rqkXj2ek+9cQFGVQXcHSF5kmSY3kNCbHvFJ1a5XwMP/cyhgAtwZmDi 20 | WQoAK6lqtLKCY8SkE3i+vPXguzLB7SMoM4pw1CBITKWSF2BY9n68/WWAj1ZBIXif 21 | HrYAcmjz6Qm31pLFlerqp36CSpBNCM7zXPQHNUYd/qKOXS5p1gyLqhMF3NYpYc9V 22 | Fs+j77R3YDhZU41LY9CbkSmGszN87JVeuWPZ0MasahKkSBmPa7IDAzr6pkgRJLfh 23 | R2QDxS3CJ9pMjoiS0gS4DBQ6pnic2HywfR1Ir+EjAqXfFl3g9aOVXsI5Kt3Cn4jU 24 | Bk5wspLR6YSoHTIgbfDDxeA8pOwvXTdo7wBB+Tqyw29Y73oEeAYO2xtW/TUue0nY 25 | iBFcGLwQsysi1J0s95mE/XHkHbAkWkRUrl5JgovjxzIsndwRd/kjqFHW1iQ2FAeE 26 | ToF8Hd8MDgPv7KJg6s+cSWwcnxdHTlitadcLZ62uf8U+4l02es2cQcHJg+tE1/aY 27 | oH5yGX49JF9LoL/8xR6uzpK4Mi+Q073dgiXqKVU05ATNWdyUVScYiUgjlmPho78x 28 | cRaiXXMda/sM3IQ1NyCDGrzoOl/eZfk1VtA= 29 | -----END ENCRYPTED PRIVATE KEY----- 30 | -------------------------------------------------------------------------------- /src/test/resources/sslConfigurator/pem/node1-keystore.jks: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opendistro-for-elasticsearch/deprecated-security-advanced-modules/040bd24e1d99070abad1394a4166aa9a215514ec/src/test/resources/sslConfigurator/pem/node1-keystore.jks -------------------------------------------------------------------------------- /src/test/resources/sslConfigurator/pem/node1.key: -------------------------------------------------------------------------------- 1 | -----BEGIN ENCRYPTED PRIVATE KEY----- 2 | MIIE9jAoBgoqhkiG9w0BDAEDMBoEFJ6p9dY7jHTojOnY9leCGwDCQ3fqAgIIAASC 3 | BMgZG2tOZSJ6E3Y0u54xoPHHpx6RrTuoqPP50jNt8ldVhRc2PKsBrkwZdqGG79wi 4 | yBncw51zqBFFrYqTBCBe957UodJjfP1SKPRlNXn61TxcS7wHJ6PngcY1dLKGQn5Q 5 | kH5XC3LefYdr1vS4TYi5uzO192cKVy8G3OOg612SmbKKsxDntBE9LUFm+VREqqPC 6 | 
3KmzV4mR+iW11OvdGJ2ZnoqVQahaWkFG93MAoDLINqiP0nTsUQncoUmL+qvGv5oP 7 | 8O+e8TR2N/Yvaw/gykfaiyFYuU4WMuTuRirbCbOfRYUR/lqh5y/5rCF6qKYXfdPz 8 | +RtwLvgz9wofV5wlCAwYRjYyvS4e5K559ZHE83QX5OTj66swo25L0sAiccfkfHWt 9 | GmQOAqUPeo1aMjyZbtogTAVes1DWXlqUdl1mL5ykfbYsCbFqBoZtKtd14GBOhfLt 10 | 86ovuWVq8udWUF/ByLEfHNb0e+fi1TUpjvXl3LpN5b2DXJFXbB0iiN2pnvT81Cq6 11 | QemmDW1IHCxOQZOzryK/JsBtiat0QkwiJgioWquPajzdqXfgUv417Yy90wU1g5yl 12 | XKoKmkroSAX01M79CTdxLz8puQOuAw8UecGP3hJizTbYXs56pKjcqrChyZ8/Sf1x 13 | 5qrA6+NMvhs/F0qMlERxWfctNgxM1HfIXVwmGM0TvvuVnCQSdQ00iELNK1EiRWLx 14 | brAMXSZgF3zp9lrVx660Zmbj4SmN6SVBRoAGw1RDB7J05/dGgKD8YM8BU7v/5HFC 15 | moJe0E7iiZVmN+LAchVVkL4trTcMlmBJd+deTmaUN9oLcyDWfMA/2xbYg0XoNy8U 16 | vFCEZag0jnUchvxw5yyxEULGbqLk13m/JxbBLpkjC1rm5ZFns31ncctDywONLo37 17 | BK0dA0vUPHjzDY8GmKaq4GpDN1ByQwpmSwTpCulgZD9qhI0AKrPRPLWq18vwwx7/ 18 | QWphvq+1aiGW2wygC+wNQqHr+hb+KFli9mAX+kNNmo3LWfJhKGtLOYJKsCU8Tmf2 19 | fcZ+Dh+e6dZeXFLlM2JkY65YWyeB8XivKj5eR+StCSB4fgl/etW3ikz/7eTlC99e 20 | bKT1tbCJQ1X/rVDtBTqKbGhn5p2yuNbQKUwidk/w3Fdo1CFxLMKvk6xZszUKCmIz 21 | iA4uRuyROk+/uLcLo2EIxg4BJ3hMf/QgiUvUk3B1b5VT/34bFbB2ChPmUUCZTfBn 22 | NG1LHHMQqzlF+39dd5WkPhyw00fA6/s/J5nobn8aaj4LOMYRwsaZOvYSDNgKxY4F 23 | CpUZCNum5rFPY8zzlwybJ+6riL2YQIV1Osu+0DjBmzhKyxFUm4yDudEafiMNKfbH 24 | atLfk8wSSKtv3NID4shMgRdLFp0+ens9Jma8St30Imd/6sUefwVfa6S+bUXXYwey 25 | WSlMqco8eay0AVP+tmqif7zfX8ZYobeuyCF5/VpqFRwTM+CeWuXGChsGiK9cS3Qn 26 | 51nYfS6Polize9JuvouIU3gt0eiIVkuL3oIJFivXuMuUeb8nU4XYOv5n9La85JKn 27 | YI5OIT96u+jdNcAbEF0mBKPI35hG3jmSmiYziCApiOJXuMVGXJ5qXQOWmByElHzs 28 | V74y8ChX1+Ne/V/lkz5U0Jb7EIZyy4lqBSk= 29 | -----END ENCRYPTED PRIVATE KEY----- 30 | -------------------------------------------------------------------------------- /src/test/resources/sslConfigurator/pem/other-root-ca.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIDyDCCArCgAwIBAgIBATANBgkqhkiG9w0BAQsFADB1MRMwEQYKCZImiZPyLGQB 3 | 
GRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTEaMBgGA1UECgwRRXhhbXBs 4 | ZSBDb20sIEluYy4xCzAJBgNVBAsMAkNBMRwwGgYDVQQDDBNyb290LmNhLmV4YW1w 5 | bGUuY29tMB4XDTE4MDIyMDEyMTQ1OFoXDTI4MDIxODEyMTQ1OFowdTETMBEGCgmS 6 | JomT8ixkARkWA2NvbTEXMBUGCgmSJomT8ixkARkWB2V4YW1wbGUxGjAYBgNVBAoM 7 | EUV4YW1wbGUgQ29tLCBJbmMuMQswCQYDVQQLDAJDQTEcMBoGA1UEAwwTcm9vdC5j 8 | YS5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJON 9 | BjXK6+4FEgQN9L/FXjIYv9G/ZCEv9JpFTugURGdPY3lY7jRdejCyPgkFf8Dl8KIO 10 | h1XGrxYOgsWbpmG6Mvfwhf5zL7S+WTJRcKLHkzgGpylOWkH4c1AtJz65F8LRzWiM 11 | YCWii8+8fQZ0Hi7BEFGGXBgdJACaa7252wb3/HJSQICzsbFh1WtTDzxwhhW+SbbO 12 | l8zYqyZN7/gtX6NpmtGEztjEorhop9MWUJG531k8d7Udml6lqwFH7PP7GfVcOoUj 13 | WYHMebVrRKa/M+mPKUgyCbb3SvNshAIUz9Q8jBsYknHFBgt3hIRYXHEfmCMEESI6 14 | J7StMHDfaQUt7DFvdpkCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSME 15 | GDAWgBQuBXn0bHZ5r/GlVGjbPoLYiv1GJDAdBgNVHQ4EFgQULgV59Gx2ea/xpVRo 16 | 2z6C2Ir9RiQwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4IBAQB95yPb 17 | NlpxvmTZL/8kyUAXRJyGO+8hMwBz60Dav2IHlqnt534a/eMtaoafkkPxRqZp1NQX 18 | g1+oVnRZhv7s/NJChmZ/oby8s8aZaHRoK+vCiPNPrwnOxjbAIQFi8bv3C3b8qXt3 19 | dGccYB/NIlhvQKKSosLKcvYm4M06O3snfbyHEVhYUo2anKUPB0YZmy/BBVaMv7/p 20 | sj6BhrBOqOMqq36pO+svlM9Ng2v+5RlTjR/33gG7wU/25xmQ7f03O7ohfqm1Tb84 21 | 8QwWYhSslr2sUmOWmiRKQsd29kSZ3V57NBzEaOjj3bHORxhG2+xuFxu/z8TBQimG 22 | O02+zOIl/+HPvhQN 23 | -----END CERTIFICATE----- 24 | -------------------------------------------------------------------------------- /src/test/resources/sslConfigurator/pem/root-ca.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIDyDCCArCgAwIBAgIBATANBgkqhkiG9w0BAQsFADB1MRMwEQYKCZImiZPyLGQB 3 | GRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTEaMBgGA1UECgwRRXhhbXBs 4 | ZSBDb20sIEluYy4xCzAJBgNVBAsMAkNBMRwwGgYDVQQDDBNyb290LmNhLmV4YW1w 5 | bGUuY29tMB4XDTE4MDcyMjA4MzIxNloXDTI4MDcxOTA4MzIxNlowdTETMBEGCgmS 6 | JomT8ixkARkWA2NvbTEXMBUGCgmSJomT8ixkARkWB2V4YW1wbGUxGjAYBgNVBAoM 7 | 
EUV4YW1wbGUgQ29tLCBJbmMuMQswCQYDVQQLDAJDQTEcMBoGA1UEAwwTcm9vdC5j 8 | YS5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJC0 9 | QIvdszKl5IMDurJdaFnWTW7Kcmoos91dDjrD3WxdnEnDTgXskX7UuW7VPc1uuXyU 10 | cK1eqYq0XJWqqxtU+ufW/BUb8wZr5I5gm0RdnQQUfBj+qDR4ACKE3XbG2hC/G+iN 11 | Lz70EHQFukGMQkdMtnday9t5K2FN0rEs1H/B1G3C6ynlR9437gYRvwsS9WrJJ+Yj 12 | D8pN277oQ23px9R3OjCVstV0cCmlVkjHncI4b6NGrscG4baOcGOlmzVuTf9orzFs 13 | eg81B2ZiGE4uTyMnbbO3uYKhP/8bw4001Tx1VdDEHwTIDIYzkgGR+RWZFcKRKwSk 14 | Vfvm8oRb+VakdpTeniECAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSME 15 | GDAWgBQ2TT9qHHGaxBJWtwnEixPl+xE7SzAdBgNVHQ4EFgQUNk0/ahxxmsQSVrcJ 16 | xIsT5fsRO0swDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4IBAQB3JoH4 17 | PPM/49C5PuyUR6lh9+L7T38cEW5fOzwj3qFTD5P3N9ZpM87ivMgykOKYEVTnqFyL 18 | RG5KIlEUQ0/6oSRKgdBa9G+ahaW3dbJ0Z7INkk4PJKnwG8+XDJIr3Gi8zDPrsYy/ 19 | WwCSQMlZ7bc04PDkvl8c4cETQWcVYJGWH0Fd/y35ATvO43V9KcXv8Fs4Pzx6S/Ma 20 | zA0bO/sKwCb1ZI1wUHdGyk83k/ONgcdBMlta37piVdeLXv02w+gWhg0kvZY5UZjm 21 | kS+ZGrFX+2Txu4N/JWHTBIEOD768G0aWR9pspgAEg+eiLRxY/qHqorCMmfHuXKz7 22 | H7j2LXdTXQ6Aduk6 23 | -----END CERTIFICATE----- 24 | -------------------------------------------------------------------------------- /src/test/resources/sslConfigurator/pem/signing-ca.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIEUTCCAzmgAwIBAgIBAjANBgkqhkiG9w0BAQsFADB1MRMwEQYKCZImiZPyLGQB 3 | GRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTEaMBgGA1UECgwRRXhhbXBs 4 | ZSBDb20sIEluYy4xCzAJBgNVBAsMAkNBMRwwGgYDVQQDDBNyb290LmNhLmV4YW1w 5 | bGUuY29tMB4XDTE4MDcyMjA4MzIxNloXDTI4MDcxOTA4MzIxNloweDETMBEGCgmS 6 | JomT8ixkARkWA2NvbTEXMBUGCgmSJomT8ixkARkWB2V4YW1wbGUxGjAYBgNVBAoM 7 | EUV4YW1wbGUgQ29tLCBJbmMuMQswCQYDVQQLDAJDQTEfMB0GA1UEAwwWc2lnbmlu 8 | Zy5jYS5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB 9 | AK7YSOq+e6VdPmfh7CH4PoJ1Oy4bhtAwLReuT+BEzOfo5FGUoGhJ3TAhG//92BwL 10 | sDem89BfxDnpUmkL2mO/lO969yjVGfd+wb5/PjIao0v5B+9tFTwZnezf5RISjJc8 11 | 
qR55HeATt+xaRYmj7Wcdhe361p4GcnVgtNdslxzULW7+aRUZz7dkGtuxUHWALZWd 12 | Um4owpZPcVbC0CF642CuxkGYLh8uolFPowrGuL39KdtWohiQOUi0nfoYWFpzhUn/ 13 | etLnyLmjEq41a2rykgiFC7qDW6wtvSbUbXg/DqPKiq5AIMR/R4HJ6bNEQJixsGqf 14 | VC9NG2v5+hCeTJdRTyFOBNcCAwEAAaOB6DCB5TASBgNVHRMBAf8ECDAGAQH/AgEA 15 | MIGfBgNVHSMEgZcwgZSAFDZNP2occZrEEla3CcSLE+X7ETtLoXmkdzB1MRMwEQYK 16 | CZImiZPyLGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTEaMBgGA1UE 17 | CgwRRXhhbXBsZSBDb20sIEluYy4xCzAJBgNVBAsMAkNBMRwwGgYDVQQDDBNyb290 18 | LmNhLmV4YW1wbGUuY29tggEBMB0GA1UdDgQWBBQF4IV2bYTghGOHzsbkqwZcTWu/ 19 | vDAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggEBADfPaMOnKpTLQPGW 20 | vCvuAXvXnKUS2sI1l59mcVuMcVQnwND2viKQ92irL0jxyNLvnqC7S8ad135GvGVs 21 | iFUWKEANg7EsSjKREuAKQYD2GmsYwIJjw2GMp0gpIJxocrzUfCDgXyDy2fZouvvw 22 | M4UWds3G6zwWJWtCksRrzUTe8FoUdLW/+1HA4aaK3Y+6cQfYcgMvJZvJa9hGPuqm 23 | uXvw6qfsmzNM+7EFEfJW70BoyuWWbo+/ft7wsZnOhQzVnbsMHHdOHnT4Ylr+fcvf 24 | ONKfJy8w2D+YGQXdHXdDGZlcGfwykoTLjjS+SnOShqoCUiAngFNCoIOzxct9ViW5 25 | pDGaM90= 26 | -----END CERTIFICATE----- 27 | -------------------------------------------------------------------------------- /src/test/resources/sslConfigurator/pem/spock.key: -------------------------------------------------------------------------------- 1 | -----BEGIN ENCRYPTED PRIVATE KEY----- 2 | MIIE9jAoBgoqhkiG9w0BDAEDMBoEFI6iRRqz22ZL+Dn/Z1b6FwkD3VH+AgIIAASC 3 | BMgfz0clDkniI0jAFMfni4yzjxHiW0bkMR78Ct0gY8mSJIpnfMQyzkh0gghRI6rP 4 | zPNRebTpy2cVugMmMby+ceDYl3vn/WzTEMpMKLi/nEktRpzgnZeUn2HxMT4yH39z 5 | WJGMKGeIu8u1wYAdNBuCJce4AEsrywkeGkSwA2/CJS2ps/8zoRT2a3O3jPNw5Q+J 6 | Rb8jlc7ioQLWkjqIMeXEuRsRA6NO1yM9N8szRPGRO7tGxeR/+0V+PB5pX0fTn9w1 7 | nalc8MEbGttGTOKiA893XQcFCC14W6jkEyu3U/QO9/0w1kQHp3wOHQA4PtVzNPsI 8 | Mwb32J/xU9b1pl7LT7Q5g9gytWTRbBI/jpTt4NFSQy2EVFpgYpJ1uf2qmWxTnvBf 9 | 14Cle2LKkFJQX8X5iatOYsMqxHQKKlgQ+LeaPJJOEEUAmlbihQK9BZPvRi9GoG1I 10 | krzxaOwwlglA6Cwa+ktHTsxKzC6Kr9NGO+WJaerbNanTzixspoww9iusWjR9FnSl 11 | J0vXa3eiNSXzsKMBvo1WTf7+7PftCZSjbhtbUP34VxYdSnrCwBnmBBclK33Ybw+H 12 | 
fSjNQD3QOZChNtMUU8sELIi3WwWSbYSNLUQgHx7AwN0c6jsKrlOdCWfn2x3c5smI 13 | yTHMw8QT/Mcf+PMm5rU/flBlJYnLZf4U1oBUb5HW+RMmeR5rgnxaeGnB2tKlj2SA 14 | 10Ht1DhparsJeyYpadnRNFd7fq7tCulhUsuLRx8vWA6gg0jCddBQ0eMC7svlj3y5 15 | aZek+nqajDK1Ur/Du6pSidkR4NXUa/oyN0AXEgUze1ffI8BjLwkkI6JExa8Z62iy 16 | pPmfk0zmHDvuU5x6hnCgsfZ4Xo7r8s+rLtoxUOVRsBQ4/el6b7FkEmp0pQHuKy4V 17 | jhpR419emxfSIfba1PwHmlt/pW34DVTnlYOgJcl+ft9+tpeDyLgyrkhifiBBg73S 18 | YtfmV0rXpL73rGT5+zhoKT131MCPQR/1zrb2ULPv5+9ySLfQdqnM06Xysb/r22Zh 19 | XUIVcTZ0u+xgfMzQdrqSCP3z0bdyfP4wahOPrzgFbLIoq18kGNd+StkwcUeGMGvA 20 | nIEwVggMC9+cMsC6HYcuve4giCGzV7BA4v+YYufMfJkRriK7+ENLJYGaN/WJVuzC 21 | oiknEGEe+EXNxH562sFqLZMf8gLm4aFoPC3J5h/m01Su9ppeVmupeBHysW9Kc8ah 22 | tTLMpCEs27Yi7ptJuXNaXfU5maN8YUZk8N1evaQvL4QWVjR8MsX3eCogi+vWOBGC 23 | DzYLYfXZhAeueZCaToupMMcJkiAX84A0liToE3h9Re83M4yCjslFxCCoPnSnaIQj 24 | h8MgAcHW3KOL+xpVIFmwQu+tOoi8Cjuc7K/s90aC3xkL4ksz6Tuw3Xavt/sthLFt 25 | mteI5EtGtRKNIt2ERCL8vTbrtrpWQAOgR2vqiRZZ7SESV5aa+sVxd8gYrMlDzIN3 26 | mXJ2LBrwJKKM2Prm5skLS16cp0Id8ghj0RMHFGoV3xSMJkWCF2QYeENBFKfyG4rk 27 | hxHy1Cp0xQAedQ9dNC0L8DrBe6nbd9D2MkNl6YnTvTRncnU9QjL/QtELsizMWLrN 28 | et9PP3tdETdLKpMnoZTmMF4fxJctf++E0u8= 29 | -----END ENCRYPTED PRIVATE KEY----- 30 | -------------------------------------------------------------------------------- /src/test/resources/sslConfigurator/pem/truststore.jks: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opendistro-for-elasticsearch/deprecated-security-advanced-modules/040bd24e1d99070abad1394a4166aa9a215514ec/src/test/resources/sslConfigurator/pem/truststore.jks -------------------------------------------------------------------------------- /src/test/resources/sslConfigurator/pem/wrong-kirk.key: -------------------------------------------------------------------------------- 1 | -----BEGIN ENCRYPTED PRIVATE KEY----- 2 | MIIE9jAoBgoqhkiG9w0BDAEDMBoEFB6EqCstahSd0lALqXY+Qe32U/FtAgIIAASC 3 | 
BMjcdNjt9qQnTvwlnI0OudBSnY1vOnMVXlZGKAzDkkOeVciDGiyq3N/dch7ICKRU 4 | /IrJa4z81YbZGalGDjqSEwhR0PNAmmmKRRi7pXnQ2VPDKNPQ7At8FQ4pPwPc2W4w 5 | 6NE54P9IaU+EBphG7Yln2s0h75p7tGuX8Lr6VBiNIgaOhAzEIupvOgJoSQvAv6QS 6 | 0Oe+n4a/oR99eOizKijN+YrxWvP+ejRexV9ABsHbEMtm4rU031lOt9wQybJmdsqO 7 | Jh9UoGRPYeYTToum/jgfhXu0QkY5hwK1IOQjinERarjHbvsMRiyS3UlY5hz/F0Gy 8 | 7qpep6kNNJ6zHb+2Hup9QIdt0Fl2nN+kTqmvEBXdZ/ldfCxjqU97vq92M0uP5GH/ 9 | KV3XN8neYwr/i0W4o5mJPiHho8/azBHdkefaEOPzLGfwwoj0W+1E0FZUj8DAU2r/ 10 | QQNQ4E+iTVDvBQefIHcJM80voeOk0ZhWDBXNo2lblSjat3L5PHjThav0sHPpyreN 11 | 3+4caP0SxinBLn3PzKxbuMv7fnPjKntCBuF7WsL8gx5Y8tTpNvtu/PYo/LowgX89 12 | SZN2kS7F/zV7PaNpDXMhe/h7Ribv1zpAliy6DYRW8GE2kYSz06zaabGfHrTwowuO 13 | tFla4z4xh8N0bBiK7pUN085uOV5UsNogv2pWOYh0mo7MAzXatW+zdwsFx79R9gBT 14 | sMeImSRqYuyBvczfbRyebJAU6er3+IXITj+Ii/Z0LHCZ8p+ZXy9iVwb2+bfjr21r 15 | t/9nGYVC4XQvzO+HQ4N8teFsUhCvG/3tgAMOeOBKwsIs+5V8ae52PwnrW0IzTtmj 16 | S2OLc7IkYLlKtPZRYPft5+XOXvNUWUPjV3Ky9miN3eCi4kM3082sZk1wCphd3gjg 17 | fYtUX7qQQmaq90Aep9b6AH+u5lP1a5Oh9leLayh+w7gA/hqKBA5b9j3PmPVkZM4J 18 | NHe9owsuReenFHID0kS1h+X6fbEYqjNNv6xDHxe8FpWDfm5kXpozl4N5J8/7syDa 19 | ntRO5SzVSCOO8zCIsKATE9C7ZP82mukyiRPfQFLKaeQf4BGJ65pFTGb+2Msc4ZXw 20 | 1P5yFGIOVhLYbzhF9tlSTucuOPf9E5IFiIJJjgA/d2McU90+wYXMP2GCUNH6d2H/ 21 | /M/dB8g3dj393wMrQwGEyQ5Dwch8iCkmTVl5i7GgNVdAY3KXA6m16nHH5NXjtFa9 22 | 0YFIV+RT6fMCGBpoYdAEA8Pvu7DLah3aX8kWNXlg95Z09LriyBzkcm1lcTZWgP1k 23 | uwFF1F2/y0zSY+Xbl+A8PqkdJIL8ox1qsERYU2fEaDAK5xKPhVjnDU/s+KkXmb0w 24 | OBcVt2HNwAHDRyIzslG9JCQdThr/ygaK1+vtFAktLcnHApBouHo/OV74ufQqJq6m 25 | XHdTIs5gwfhFLuVRtGLKYcqUaiF1L2QkMBDwWW3cbXaut7RgfjIFatQe5SdcG8ap 26 | 7Bnx25MCqxNVghMVV9NRE88MWhEgrK0bHxD3yRiIcVEB/HOxbb8W68LaQLw0Q7sl 27 | ijIjz7z/im/N9owgkiFvHI4qg3ubbLaIE4MoazU+as8knKcROuLTIsDY91UPywaa 28 | /dD4xRqAsSmqEbD26z34vtstE5mBnqL4ha4= 29 | -----END ENCRYPTED PRIVATE KEY----- 30 | --------------------------------------------------------------------------------