From 35531f73ca6623a9f233459b1b80dbe6837915c2 Mon Sep 17 00:00:00 2001
From: Ioannis Kakavas
Date: Wed, 2 Oct 2019 15:50:25 +0300
Subject: [PATCH] Fix Active Directory tests (#47358)

Fixes multiple Active Directory related tests that run against the samba fixture. Some were failing since we changed the realm settings format in 7.0 and a few were slightly broken in other ways. We can move to cleanup the tests in a follow up but this work fits better to be done with or after we move the tests from a Samba based fixture to a real(-ish) Microsoft Active Directory based fixture.

Resolves: #33425, #35738
---
 .../transport/ssl/certs/simple/samba4.crt | 22 +++
 .../ADLdapUserSearchSessionFactoryTests.java | 18 +--
 .../ldap/AbstractActiveDirectoryTestCase.java | 8 +-
 .../ldap/AbstractAdLdapRealmTestCase.java | 125 ++++++------------
 .../ActiveDirectoryGroupsResolverTests.java | 1 -
 .../authc/ldap/ActiveDirectoryRunAsIT.java | 9 +-
 .../ActiveDirectorySessionFactoryTests.java | 84 ++++++------
 .../security/authc/ldap/GroupMappingIT.java | 3 -
 .../authc/ldap/MultiGroupMappingIT.java | 1 -
 .../authc/ldap/MultipleAdRealmIT.java | 11 +-
 .../UserAttributeGroupsResolverTests.java | 17 +--
 11 files changed, 129 insertions(+), 170 deletions(-)
 create mode 100644 x-pack/plugin/security/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/samba4.crt

diff --git a/x-pack/plugin/security/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/samba4.crt b/x-pack/plugin/security/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/samba4.crt
new file mode 100644
index 0000000000000..59ecbd22e8b23
--- /dev/null
+++ b/x-pack/plugin/security/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/samba4.crt
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDoDCCAoigAwIBAgIUMVGoHuyNTjTFaoRmqFELz75jzDEwDQYJKoZIhvcNAQEL
+BQAwNDEyMDAGA1UEAxMpRWxhc3RpYyBDZXJ0aWZpY2F0ZSBUb29sIEF1dG9nZW5l
+cmF0ZWQgQ0EwHhcNMTgwMjE1MTc0OTExWhcNMjEwMjE0MTc0OTExWjARMQ8wDQYD
+VQQDEwZzYW1iYTQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtGBwa
+n+7JN2vweSUsYh4zPmh8RPIE+nEVjK1lx/rADUBY7UVjfTYC+MVKKiezZe7gYCNT
+7JNKazPpgVI9e3ZFKw/UxomLqRuuvn5bTh+1tMs3afY5+GGzi7oPmEbBO3ceg0Hi
+rNSTDa1rfroZnRYK8uIeSZacQnAW90plITI7rBBt9jq+W9albFbDybfDgNv+yS/C
+rzIsofm4rbFC3SMRYfrT6HvwDhjOmmYKZci5x7tsn0T+3tSiR44Bw5/DgiN5kX3m
+/kl9qg1eoYWbCUy1dKmQlb4Nb4uNcxrIugLB3zjBkfhMZ0OHoveKh/lJASTWik9k
+xQ9rEYbpsRbuXpsHAgMBAAGjgcwwgckwHQYDVR0OBBYEFJOLa7UXKtLPibgKeFh7
+Kq1+rS0/MG8GA1UdIwRoMGaAFGaNmN5mi9jaMW25MEWYgt+5OkDBoTikNjA0MTIw
+MAYDVQQDEylFbGFzdGljIENlcnRpZmljYXRlIFRvb2wgQXV0b2dlbmVyYXRlZCBD
+QYIUdwsnIxjgSneHNVKT6JNCCsrQ3T0wLAYDVR0RBCUwI4IJbG9jYWxob3N0hwR/
+AAABhxAAAAAAAAAAAAAAAAAAAAABMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQAD
+ggEBAEHqT1WHkcF8DuOgyIBx7wKcUVQ5H1qYYlJ1xgMGrKFFZLUzouLcON7oadEu
+HLIJ4Z3AKD3bqWpcls5XJ9MTECGR48tou67x9cXqTV7jR3Rh0H/VGwzwhR85vbpu
+o8ielOPL8XAQOfnAFESJii5sfCU4ZwLg+3evmGZdKfhU6rqQtLimgG/Gm96vOJne
+y0a/TZTWrfAarithkOHHXSSAhEI5SdW5SlZAytF4AmYqFvafwxe1+NyFwfCRy0Xl
+H40WgVsq+z84psU+WyORb3THX5rgB4au9nuMXOqFKAtrJSI/uApncYraaqU28rqB
+gYd8XrtjhKOLw+6viqAKu8l7/cs=
+-----END CERTIFICATE-----
diff --git a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ADLdapUserSearchSessionFactoryTests.java b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ADLdapUserSearchSessionFactoryTests.java
index c9306eaf8477f..d2c79d8882f46 100644
--- a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ADLdapUserSearchSessionFactoryTests.java
+++ b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ADLdapUserSearchSessionFactoryTests.java
@@ -6,7 +6,6 @@
 package org.elasticsearch.xpack.security.authc.ldap;
 import org.elasticsearch.action.support.PlainActionFuture;
-import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.settings.SecureString;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
@@ -15,10 +14,8 @@
 import org.elasticsearch.threadpool.TestThreadPool;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.xpack.core.security.authc.RealmConfig;
-import org.elasticsearch.xpack.core.security.authc.ldap.support.LdapSearchScope;
 import org.elasticsearch.xpack.core.ssl.SSLService;
 import org.elasticsearch.xpack.security.authc.ldap.support.LdapSession;
-import org.elasticsearch.xpack.security.authc.ldap.support.LdapTestCase;
 import org.elasticsearch.xpack.security.authc.ldap.support.SessionFactory;
 import org.junit.After;
 import org.junit.Before;
@@ -49,7 +46,7 @@ public void init() throws Exception {
 globalSettings = Settings.builder()
 .put("path.home", createTempDir())
-.put("xpack.security.authc.realms.active_directory.ad.ssl.certificate_authorities", certPath)
+.put("xpack.security.authc.realms.ldap.ad-as-ldap-test.ssl.certificate_authorities", certPath)
 .build();
 sslService = new SSLService(globalSettings, env);
 threadPool = new TestThreadPool("ADLdapUserSearchSessionFactoryTests");
@@ -60,15 +57,12 @@ public void shutdown() {
 terminate(threadPool);
 }
-@AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/issues/35738")
 public void testUserSearchWithActiveDirectory() throws Exception {
 String groupSearchBase = "DC=ad,DC=test,DC=elasticsearch,DC=com";
 String userSearchBase = "CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com";
 Settings settings = Settings.builder()
-.put(LdapTestCase.buildLdapSettings(
-new String[] { ActiveDirectorySessionFactoryTests.AD_LDAP_URL },
-Strings.EMPTY_ARRAY, groupSearchBase, LdapSearchScope.SUB_TREE, null,
-true))
+.put("url", ActiveDirectorySessionFactoryTests.AD_LDAP_URL)
+.put("group_search.base_dn", groupSearchBase)
 .put("user_search.base_dn", userSearchBase)
 .put("bind_dn", "ironman@ad.test.elasticsearch.com")
 .put("bind_password", ActiveDirectorySessionFactoryTests.PASSWORD)
@@ -79,13 +73,13 @@ public void testUserSearchWithActiveDirectory() throws Exception {
 Settings.Builder builder = Settings.builder()
 .put(globalSettings);
 settings.keySet().forEach(k -> {
-builder.copy("xpack.security.authc.realms.ad-as-ldap-test." + k, k, settings);
+builder.copy("xpack.security.authc.realms.ldap.ad-as-ldap-test." + k, k, settings);
 });
 Settings fullSettings = builder.build();
 sslService = new SSLService(fullSettings, TestEnvironment.newEnvironment(fullSettings));
-RealmConfig config = new RealmConfig(new RealmConfig.RealmIdentifier("ad", "ad-as-ldap-test"), globalSettings,
-TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings));
+RealmConfig config = new RealmConfig(new RealmConfig.RealmIdentifier("ldap", "ad-as-ldap-test"), fullSettings,
+TestEnvironment.newEnvironment(fullSettings), new ThreadContext(fullSettings));
 LdapUserSearchSessionFactory sessionFactory = getLdapUserSearchSessionFactory(config, sslService, threadPool);
 String user = "Bruce Banner";
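Review bot: The rewritten settings block in testUserSearchWithActiveDirectory no longer sets `group_search.scope` (the removed buildLdapSettings call passed `LdapSearchScope.SUB_TREE`) nor the trailing boolean that the same helper's other caller on this page names `ignoreReferralErrors` (previously `true`), so the test now relies on the realm defaults for both. If that is intended, a comment such as `// group_search.scope and ignore_referral_errors are deliberately left at the realm defaults` makes it explicit; otherwise add `.put("group_search.scope", LdapSearchScope.SUB_TREE)`, which needs the LdapSearchScope import this commit removes. The test also keeps the plain-text `bind_password` setting while ActiveDirectoryRunAsIT in the same patch exercises `secure_bind_password`; aligning the two would be worth doing in the planned clean-up. The method body continues past the hunk.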
diff --git a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/AbstractActiveDirectoryTestCase.java b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/AbstractActiveDirectoryTestCase.java
index b3e470a05fcd2..df8b23d9381a1 100644
--- a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/AbstractActiveDirectoryTestCase.java
+++ b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/AbstractActiveDirectoryTestCase.java
@@ -84,10 +84,10 @@ public FileVisitResult visitFile(Path file, BasicFileAttributes attrs) throws IO
 Settings.Builder builder = Settings.builder().put("path.home", createTempDir());
 // fake realms so ssl will get loaded
-builder.putList("xpack.security.authc.realms.foo.ssl.certificate_authorities", certificatePaths);
-builder.put("xpack.security.authc.realms.foo.ssl.verification_mode", VerificationMode.FULL);
-builder.putList("xpack.security.authc.realms.bar.ssl.certificate_authorities", certificatePaths);
-builder.put("xpack.security.authc.realms.bar.ssl.verification_mode", VerificationMode.CERTIFICATE);
+builder.putList("xpack.security.authc.realms.active_directory.foo.ssl.certificate_authorities", certificatePaths);
+builder.put("xpack.security.authc.realms.active_directory.foo.ssl.verification_mode", VerificationMode.FULL);
+builder.putList("xpack.security.authc.realms.active_directory.bar.ssl.certificate_authorities", certificatePaths);
+builder.put("xpack.security.authc.realms.active_directory.bar.ssl.verification_mode", VerificationMode.CERTIFICATE);
 globalSettings = builder.build();
 Environment environment = TestEnvironment.newEnvironment(globalSettings);
 sslService = new SSLService(globalSettings, environment);
diff --git a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/AbstractAdLdapRealmTestCase.java b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/AbstractAdLdapRealmTestCase.java
index 86d411053afe9..e879c227aaa5d 100644
--- a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/AbstractAdLdapRealmTestCase.java
+++ b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/AbstractAdLdapRealmTestCase.java
@@ -14,7 +14,6 @@
 import org.elasticsearch.client.Client;
 import org.elasticsearch.common.Nullable;
 import org.elasticsearch.common.bytes.BytesArray;
-import org.elasticsearch.common.settings.MockSecureSettings;
 import org.elasticsearch.common.settings.SecureString;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.set.Sets;
@@ -24,19 +23,16 @@
 import org.elasticsearch.xpack.core.security.action.rolemapping.PutRoleMappingRequestBuilder;
 import org.elasticsearch.xpack.core.security.action.rolemapping.PutRoleMappingResponse;
 import org.elasticsearch.xpack.core.security.authc.ldap.ActiveDirectorySessionFactorySettings;
-import org.elasticsearch.xpack.core.security.authc.ldap.LdapRealmSettings;
 import org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken;
 import org.elasticsearch.xpack.core.security.client.SecurityClient;
+import org.elasticsearch.xpack.core.ssl.VerificationMode;
 import org.elasticsearch.xpack.security.support.SecurityIndexManager;
 import org.junit.After;
 import org.junit.AfterClass;
 import org.junit.Before;
 import org.junit.BeforeClass;
-import java.io.ByteArrayOutputStream;
 import java.io.IOException;
-import java.io.InputStream;
-import java.io.UncheckedIOException;
 import java.nio.file.Path;
 import java.util.Arrays;
 import java.util.Collections;
@@ -50,6 +46,7 @@
 import java.util.stream.Collectors;
 import static org.elasticsearch.common.xcontent.XContentFactory.jsonBuilder;
+import static org.elasticsearch.xpack.core.security.authc.RealmSettings.getFullSettingKey;
 import static org.elasticsearch.xpack.core.security.authc.ldap.support.LdapSearchScope.ONE_LEVEL;
 import static org.elasticsearch.xpack.core.security.authc.ldap.support.LdapSearchScope.SUB_TREE;
 import static org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken.BASIC_AUTH_HEADER;
@@ -66,7 +63,8 @@
 */
 public abstract class AbstractAdLdapRealmTestCase extends SecurityIntegTestCase {
-public static final String XPACK_SECURITY_AUTHC_REALMS_EXTERNAL = "xpack.security.authc.realms.external";
+public static final String XPACK_SECURITY_AUTHC_REALMS_AD_EXTERNAL = "xpack.security.authc.realms.active_directory.external";
+public static final String XPACK_SECURITY_AUTHC_REALMS_LDAP_EXTERNAL = "xpack.security.authc.realms.ldap.external";
 public static final String PASSWORD = AbstractActiveDirectoryTestCase.PASSWORD;
 public static final String ASGARDIAN_INDEX = "gods";
 public static final String PHILANTHROPISTS_INDEX = "philanthropists";
@@ -99,8 +97,6 @@ public abstract class AbstractAdLdapRealmTestCase extends SecurityIntegTestCase
 )
 };
-protected static final String TESTNODE_KEY = "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem";
-protected static final String TESTNODE_CERT = "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt";
 protected static RealmConfig realmConfig;
 protected static List roleMappings;
@@ -121,42 +117,8 @@ public static void cleanupRealm() {
 @Override
 protected Settings nodeSettings(int nodeOrdinal) {
 final RealmConfig realm = AbstractAdLdapRealmTestCase.realmConfig;
-final Path nodeCert = getDataPath(TESTNODE_CERT);
-final Path nodeKey = getDataPath(TESTNODE_KEY);
 Settings.Builder builder = Settings.builder();
-// don't use filter since it returns a prefixed secure setting instead of mock!
-Settings settingsToAdd = super.nodeSettings(nodeOrdinal);
-builder.put(settingsToAdd.filter(k -> k.startsWith("xpack.transport.security.ssl.") == false), false);
-MockSecureSettings mockSecureSettings = (MockSecureSettings) Settings.builder().put(settingsToAdd).getSecureSettings();
-if (mockSecureSettings != null) {
-MockSecureSettings filteredSecureSettings = new MockSecureSettings();
-builder.setSecureSettings(filteredSecureSettings);
-for (String secureSetting : mockSecureSettings.getSettingNames()) {
-if (secureSetting.startsWith("xpack.transport.security.ssl.") == false) {
-SecureString secureString = mockSecureSettings.getString(secureSetting);
-if (secureString == null) {
-final byte[] fileBytes;
-try (InputStream in = mockSecureSettings.getFile(secureSetting);
-ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream()) {
-int numRead;
-byte[] bytes = new byte[1024];
-while ((numRead = in.read(bytes)) != -1) {
-byteArrayOutputStream.write(bytes, 0, numRead);
-}
-byteArrayOutputStream.flush();
-fileBytes = byteArrayOutputStream.toByteArray();
-} catch (IOException e) {
-throw new UncheckedIOException(e);
-}
-
-filteredSecureSettings.setFile(secureSetting, fileBytes);
-} else {
-filteredSecureSettings.setString(secureSetting, new String(secureString.getChars()));
-}
-}
-}
-}
-addSslSettingsForKeyPair(builder, nodeKey, "testnode", nodeCert, getNodeTrustedCertificates());
+builder.put(super.nodeSettings(nodeOrdinal), true);
 builder.put(buildRealmSettings(realm, roleMappings, getNodeTrustedCertificates()));
 return builder.build();
 }
@@ -165,7 +127,7 @@ protected Settings buildRealmSettings(RealmConfig realm, List certificateAuthorities) {
 Settings.Builder builder = Settings.builder();
 builder.put(realm.buildSettings(certificateAuthorities));
-configureFileRoleMappings(builder, roleMappingEntries);
+configureFileRoleMappings(builder, realm.type, roleMappingEntries);
 return builder.build();
 }
@@ -214,11 +176,11 @@ private List getRoleMappingContent(Function co
 .collect(Collectors.toList());
 }
-protected final void configureFileRoleMappings(Settings.Builder builder, List mappings) {
+protected final void configureFileRoleMappings(Settings.Builder builder, String realmType, List mappings) {
 String content = getRoleMappingContent(RoleMappingEntry::getFileContent, mappings).stream().collect(Collectors.joining("\n"));
 Path nodeFiles = createTempDir();
 String file = writeFile(nodeFiles, "role_mapping.yml", content);
-builder.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".files.role_mapping", file);
+builder.put("xpack.security.authc.realms." + realmType + ".external.files.role_mapping", file);
 }
 @Override
@@ -287,15 +249,6 @@ protected static String userHeader(String username, String password) {
 return UsernamePasswordToken.basicAuthHeaderValue(username, new SecureString(password.toCharArray()));
 }
-private void addSslSettingsForKeyPair(Settings.Builder builder, Path key, String keyPassphrase, Path cert,
-List certificateAuthorities) {
-builder.put("xpack.transport.security.ssl.key", key)
-.put("xpack.transport.security.ssl.key_passphrase", keyPassphrase)
-.put("xpack.transport.security.ssl.verification_mode", "certificate")
-.put("xpack.transport.security.ssl.certificate", cert)
-.putList("xpack.transport.security.ssl.certificate_authorities", certificateAuthorities);
-}
-
 /**
 * Collects all the certificates that are normally trusted by the node ( contained in testnode.jks )
 */
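Review bot: `builder.put(super.nodeSettings(nodeOrdinal), true)` replaces the hand-rolled MockSecureSettings filtering with a bare boolean literal whose meaning is invisible at the call site; if the second argument is the copy-secure-settings flag, as the removed block's concern about mock secure settings suggests, a comment such as `// true: copy the parent's (mock) secure settings too, otherwise the realm's secure_bind_password is lost` would preserve that intent. The parent's `xpack.transport.security.ssl.*` settings are also no longer stripped and replaced by the testnode key pair, so the node's transport TLS identity now comes entirely from super.nodeSettings while getNodeTrustedCertificates() only feeds the realms' `certificate_authorities`; if that is the intended outcome, it deserves a sentence in the method's Javadoc. The enclosing class continues outside the hunk.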
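Review bot: configureFileRoleMappings now rebuilds the realm prefix by string concatenation, `"xpack.security.authc.realms." + realmType + ".external.files.role_mapping"`, while the class still exposes XPACK_SECURITY_AUTHC_REALMS_AD_EXTERNAL and XPACK_SECURITY_AUTHC_REALMS_LDAP_EXTERNAL for the same two prefixes, and RealmConfig.buildSettings (hunk at -438) repeats the concatenation four more times. A single helper, e.g. `private static String externalRealmPrefix(String type) { return "xpack.security.authc.realms." + type + ".external."; }`, used by both sites keeps the prefix in one place and lets the two constants be derived from it. The new `realmType` parameter is unchecked; `Objects.requireNonNull(realmType, "realmType")` would turn a bad caller into an immediate failure instead of a setting silently registered under the key `...realms.null.external...`.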
@@ -378,57 +331,55 @@ enum RealmConfig {
 AD(false, AD_ROLE_MAPPING, Settings.builder()
-.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".type", LdapRealmSettings.AD_TYPE)
-.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".domain_name", ActiveDirectorySessionFactoryTests.AD_DOMAIN)
-.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL
+.put(XPACK_SECURITY_AUTHC_REALMS_AD_EXTERNAL + ".domain_name", ActiveDirectorySessionFactoryTests.AD_DOMAIN)
+.put(XPACK_SECURITY_AUTHC_REALMS_AD_EXTERNAL
 + ".group_search.base_dn", "CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com")
-.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".group_search.scope", randomBoolean() ? SUB_TREE : ONE_LEVEL)
-.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".url", ActiveDirectorySessionFactoryTests.AD_LDAP_URL)
-.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".follow_referrals",
+.put(XPACK_SECURITY_AUTHC_REALMS_AD_EXTERNAL + ".group_search.scope", randomBoolean() ? SUB_TREE : ONE_LEVEL)
+.put(XPACK_SECURITY_AUTHC_REALMS_AD_EXTERNAL + ".url", ActiveDirectorySessionFactoryTests.AD_LDAP_URL)
+.put(XPACK_SECURITY_AUTHC_REALMS_AD_EXTERNAL + ".follow_referrals",
 ActiveDirectorySessionFactoryTests.FOLLOW_REFERRALS)
-.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + "." +
-ActiveDirectorySessionFactorySettings.AD_LDAP_PORT_SETTING.getKey(), AD_LDAP_PORT)
-.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + "." +
-ActiveDirectorySessionFactorySettings.AD_LDAPS_PORT_SETTING.getKey(), AD_LDAPS_PORT)
-.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + "." +
-ActiveDirectorySessionFactorySettings.AD_GC_LDAP_PORT_SETTING.getKey(), AD_GC_LDAP_PORT)
-.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + "." +
-ActiveDirectorySessionFactorySettings.AD_GC_LDAPS_PORT_SETTING.getKey(), AD_GC_LDAPS_PORT)
-.build()),
+.put(getFullSettingKey("external",ActiveDirectorySessionFactorySettings.AD_LDAP_PORT_SETTING), AD_LDAP_PORT)
+.put(getFullSettingKey("external",ActiveDirectorySessionFactorySettings.AD_LDAPS_PORT_SETTING), AD_LDAPS_PORT)
+.put(getFullSettingKey("external",ActiveDirectorySessionFactorySettings.AD_GC_LDAP_PORT_SETTING), AD_GC_LDAP_PORT)
+.put(getFullSettingKey("external",ActiveDirectorySessionFactorySettings.AD_GC_LDAPS_PORT_SETTING), AD_GC_LDAPS_PORT)
+.build(),
+"active_directory"),
 AD_LDAP_GROUPS_FROM_SEARCH(true, AD_ROLE_MAPPING, Settings.builder()
-.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".type", LdapRealmSettings.LDAP_TYPE)
-.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".url", ActiveDirectorySessionFactoryTests.AD_LDAP_URL)
-.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL
+.put(XPACK_SECURITY_AUTHC_REALMS_LDAP_EXTERNAL + ".url", ActiveDirectorySessionFactoryTests.AD_LDAP_URL)
+.put(XPACK_SECURITY_AUTHC_REALMS_LDAP_EXTERNAL
 + ".group_search.base_dn", "CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com")
-.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".group_search.scope", randomBoolean() ? SUB_TREE : ONE_LEVEL)
-.putList(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".user_dn_templates",
+.put(XPACK_SECURITY_AUTHC_REALMS_LDAP_EXTERNAL + ".group_search.scope", randomBoolean() ? SUB_TREE : ONE_LEVEL)
+.putList(XPACK_SECURITY_AUTHC_REALMS_LDAP_EXTERNAL + ".user_dn_templates",
 "cn={0},CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com")
-.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".follow_referrals",
+.put(XPACK_SECURITY_AUTHC_REALMS_LDAP_EXTERNAL + ".follow_referrals",
 ActiveDirectorySessionFactoryTests.FOLLOW_REFERRALS)
-.build()),
+.build(),
+"ldap"),
 AD_LDAP_GROUPS_FROM_ATTRIBUTE(true, AD_ROLE_MAPPING, Settings.builder()
-.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".type", LdapRealmSettings.LDAP_TYPE)
-.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".url", ActiveDirectorySessionFactoryTests.AD_LDAP_URL)
-.putList(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".user_dn_templates",
+.put(XPACK_SECURITY_AUTHC_REALMS_LDAP_EXTERNAL + ".url", ActiveDirectorySessionFactoryTests.AD_LDAP_URL)
+.putList(XPACK_SECURITY_AUTHC_REALMS_LDAP_EXTERNAL + ".user_dn_templates",
 "cn={0},CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com")
-.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".follow_referrals",
+.put(XPACK_SECURITY_AUTHC_REALMS_LDAP_EXTERNAL + ".follow_referrals",
 ActiveDirectorySessionFactoryTests.FOLLOW_REFERRALS)
-.build());
+.build(),
+"ldap");
+final String type;
 final boolean mapGroupsAsRoles;
 final boolean loginWithCommonName;
 private final RoleMappingEntry[] roleMappings;
 final Settings settings;
-RealmConfig(boolean loginWithCommonName, RoleMappingEntry[] roleMappings, Settings settings) {
+RealmConfig(boolean loginWithCommonName, RoleMappingEntry[] roleMappings, Settings settings, String type) {
 this.settings = settings;
 this.loginWithCommonName = loginWithCommonName;
 this.roleMappings = roleMappings;
 this.mapGroupsAsRoles = randomBoolean();
+this.type = type;
 }
 public Settings buildSettings(List certificateAuthorities) {
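Review bot: The realm types are passed to the three enum constants as string literals `"active_directory"` and `"ldap"`, although this same commit removes the `LdapRealmSettings` import whose `AD_TYPE`/`LDAP_TYPE` constants the old `.type` lines used and which ActiveDirectorySessionFactoryTests still uses elsewhere in the patch; re-importing it and writing `LdapRealmSettings.AD_TYPE` / `LdapRealmSettings.LDAP_TYPE` keeps the type names in one place. Style: the four `getFullSettingKey("external",ActiveDirectorySessionFactorySettings...)` calls are missing the space after the comma. The new `final String type;` field would also benefit from a one-line comment, e.g. `// realm type segment of the settings prefix: xpack.security.authc.realms.<type>.external`. The enum's buildSettings methods continue past the hunk.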
@@ -438,11 +389,11 @@ public Settings buildSettings(List certificateAuthorities) {
 protected Settings buildSettings(List certificateAuthorities, int order) {
 Settings.Builder builder = Settings.builder()
-.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".order", order)
-.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".hostname_verification", false)
-.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".unmapped_groups_as_roles", mapGroupsAsRoles)
+.put("xpack.security.authc.realms." + type + ".external.order", order)
+.put("xpack.security.authc.realms." + type + ".external.ssl.verification_mode", VerificationMode.CERTIFICATE)
+.put("xpack.security.authc.realms." + type + ".external.unmapped_groups_as_roles", mapGroupsAsRoles)
 .put(this.settings)
-.putList(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".ssl.certificate_authorities", certificateAuthorities);
+.putList("xpack.security.authc.realms." + type + ".external.ssl.certificate_authorities", certificateAuthorities);
 return builder.build();
 }
diff --git a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectoryGroupsResolverTests.java b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectoryGroupsResolverTests.java
index 7fbbd217ae90b..73b929a705da9 100644
--- a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectoryGroupsResolverTests.java
+++ b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectoryGroupsResolverTests.java
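Review bot: `.put("xpack.security.authc.realms." + type + ".external.ssl.verification_mode", VerificationMode.CERTIFICATE)` silently takes over from the removed `hostname_verification=false` without saying so; since CERTIFICATE mode still validates the chain and validity period against `certificate_authorities` but skips the hostname check, a comment such as `// CERTIFICATE replaces the pre-7.0 hostname_verification=false: the fixture certificate must chain to a trusted CA but need not match the host name` would save the next reader a lookup and makes it obvious that an expired or untrusted fixture certificate, not a hostname mismatch, is what will break these tests. The explicit defaults are placed before `.put(this.settings)`, so per-constant settings can override them; that ordering is worth a short comment too because it is easy to invert by accident.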
@@ -34,7 +34,6 @@ public void setReferralFollowing() {
 ldapConnection.getConnectionOptions().setFollowReferrals(AbstractActiveDirectoryTestCase.FOLLOW_REFERRALS);
 }
-@AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/issues/35738")
 public void testResolveSubTree() throws Exception {
 Settings settings = Settings.builder()
 .put("xpack.security.authc.realms.active_directory.ad.group_search.scope", LdapSearchScope.SUB_TREE)
diff --git a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectoryRunAsIT.java b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectoryRunAsIT.java
index 68b8ee4bb5765..01afac5da5bf4 100644
--- a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectoryRunAsIT.java
+++ b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectoryRunAsIT.java
@@ -43,13 +43,13 @@ protected Settings nodeSettings(int nodeOrdinal) {
 final Settings.Builder builder = Settings.builder().put(super.nodeSettings(nodeOrdinal));
 switch (realmConfig) {
 case AD:
-builder.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".bind_dn", "ironman@ad.test.elasticsearch.com")
-.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".user_search.pool.enabled", false);
+builder.put(XPACK_SECURITY_AUTHC_REALMS_AD_EXTERNAL + ".bind_dn", "ironman@ad.test.elasticsearch.com")
+.put(XPACK_SECURITY_AUTHC_REALMS_AD_EXTERNAL + ".user_search.pool.enabled", false);
 if (useLegacyBindPassword) {
-builder.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".bind_password", ActiveDirectorySessionFactoryTests.PASSWORD);
+builder.put(XPACK_SECURITY_AUTHC_REALMS_AD_EXTERNAL + ".bind_password", ActiveDirectorySessionFactoryTests.PASSWORD);
 } else {
 SecuritySettingsSource.addSecureSettings(builder, secureSettings -> {
-secureSettings.setString(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".secure_bind_password",
+secureSettings.setString(XPACK_SECURITY_AUTHC_REALMS_AD_EXTERNAL + ".secure_bind_password",
 ActiveDirectorySessionFactoryTests.PASSWORD);
 });
 }
@@ -60,7 +60,6 @@ protected Settings nodeSettings(int nodeOrdinal) {
 return builder.build();
 }
-@AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/issues/35738")
 public void testRunAs() throws Exception {
 String avenger = realmConfig.loginWithCommonName ? "Natasha Romanoff" : "blackwidow";
 final AuthenticateRequest request = new AuthenticateRequest(avenger);
diff --git a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectorySessionFactoryTests.java b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectorySessionFactoryTests.java
index 3dc432b482bd6..b122404507bc6 100644
--- a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectorySessionFactoryTests.java
+++ b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectorySessionFactoryTests.java
@@ -7,7 +7,6 @@
 import com.unboundid.ldap.sdk.LDAPException;
 import com.unboundid.ldap.sdk.ResultCode;
-import org.apache.lucene.util.LuceneTestCase;
 import org.elasticsearch.action.support.PlainActionFuture;
 import org.elasticsearch.common.settings.SecureString;
 import org.elasticsearch.common.settings.Settings;
@@ -43,11 +42,10 @@
 import static org.hamcrest.Matchers.instanceOf;
 import static org.hamcrest.Matchers.is;
-@LuceneTestCase.AwaitsFix(bugUrl = "ActiveDirectorySessionFactoryTests")
 public class ActiveDirectorySessionFactoryTests extends AbstractActiveDirectoryTestCase {
 private static final String REALM_NAME = "ad-test";
-private static final RealmConfig.RealmIdentifier REALM_ID = new RealmConfig.RealmIdentifier("ad", REALM_NAME);
+private static final RealmConfig.RealmIdentifier REALM_ID = new RealmConfig.RealmIdentifier("active_directory", REALM_NAME);
 private final SecureString SECURED_PASSWORD = new SecureString(PASSWORD);
 private ThreadPool threadPool;
@@ -67,7 +65,7 @@ public boolean enableWarningsCheck() {
 }
 public void testAdAuth() throws Exception {
-RealmConfig config = configureRealm("ad-test", buildAdSettings(AD_LDAP_URL, AD_DOMAIN, false));
+RealmConfig config = configureRealm("ad-test", LdapRealmSettings.AD_TYPE, buildAdSettings(AD_LDAP_URL, AD_DOMAIN, false));
 try (ActiveDirectorySessionFactory sessionFactory = getActiveDirectorySessionFactory(config, sslService, threadPool)) {
 String userName = "ironman";
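Review bot: Every `configureRealm("ad-test", LdapRealmSettings.AD_TYPE, ...)` call in this file (here in testAdAuth and again in the hunks at -88, -124, -140, -163, -191, -207, -227 and -252) spells the realm name as a literal although `REALM_NAME = "ad-test"` and `REALM_ID` are declared a few lines above; `configureRealm(REALM_NAME, LdapRealmSettings.AD_TYPE, ...)` keeps the name in one place, and since configureRealm only needs the name and type to build a RealmIdentifier it could take `REALM_ID` directly. The literal `"active_directory"` in the new REALM_ID declaration should likewise be `LdapRealmSettings.AD_TYPE`, which this file already imports and uses on the very next hunk. testAdAuth's body continues past the hunk.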
@@ -88,21 +86,21 @@ public void testAdAuth() throws Exception {
 }
 }
-private RealmConfig configureRealm(String name, Settings settings) {
+private RealmConfig configureRealm(String name, String type, Settings settings) {
 final Environment env = TestEnvironment.newEnvironment(globalSettings);
 final Settings mergedSettings = Settings.builder()
 .put(settings)
-.normalizePrefix("xpack.security.authc.realms." + name + ".")
+.normalizePrefix("xpack.security.authc.realms." + type + "." + name + ".")
 .put(globalSettings)
 .build();
 this.sslService = new SSLService(mergedSettings, env);
-final RealmConfig.RealmIdentifier identifier = new RealmConfig.RealmIdentifier(LdapRealmSettings.AD_TYPE, name);
+final RealmConfig.RealmIdentifier identifier = new RealmConfig.RealmIdentifier(type, name);
 return new RealmConfig(identifier, mergedSettings, env, new ThreadContext(globalSettings));
 }
 public void testNetbiosAuth() throws Exception {
 final String adUrl = randomFrom(AD_LDAP_URL, AD_LDAP_GC_URL);
-RealmConfig config = configureRealm("ad-test", buildAdSettings(adUrl, AD_DOMAIN, false));
+RealmConfig config = configureRealm("ad-test", LdapRealmSettings.AD_TYPE, buildAdSettings(adUrl, AD_DOMAIN, false));
 try (ActiveDirectorySessionFactory sessionFactory = getActiveDirectorySessionFactory(config, sslService, threadPool)) {
 String userName = "ades\\ironman";
@@ -124,7 +122,7 @@ public void testNetbiosAuth() throws Exception {
 }
 public void testAdAuthAvengers() throws Exception {
-RealmConfig config = configureRealm("ad-test", buildAdSettings(AD_LDAP_URL, AD_DOMAIN, false));
+RealmConfig config = configureRealm("ad-test", LdapRealmSettings.AD_TYPE, buildAdSettings(AD_LDAP_URL, AD_DOMAIN, false));
 try (ActiveDirectorySessionFactory sessionFactory = getActiveDirectorySessionFactory(config, sslService, threadPool)) {
 String[] users = new String[]{"cap", "hawkeye", "hulk", "ironman", "thor", "blackwidow"};
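Review bot: configureRealm now serves two kinds of callers: the AD tests pass keys relative to the realm that it qualifies with `normalizePrefix("xpack.security.authc.realms." + type + "." + name + ".")`, while testStandardLdapConnection and testHandlingLdapReferralErrors pass keys that are already fully qualified via `RealmSettings.realmSslPrefix(realmId)` and `getFullSettingKey(realmId, ...)`; that only works if normalizePrefix leaves keys that already carry the prefix untouched, which the method has no Javadoc to promise. A Javadoc along the lines of "Builds a RealmConfig for realm {@code name} of {@code type}; {@code settings} may use keys relative to the realm prefix or fully-qualified keys, both are merged with globalSettings, and the test's sslService is replaced by one built from the merged settings" states the contract. The replacement of `this.sslService` is the side effect most likely to surprise a reader of the call sites, so it is worth naming explicitly.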
@@ -140,7 +138,7 @@ public void testAdAuthAvengers() throws Exception {
 public void testAuthenticate() throws Exception {
 Settings settings = buildAdSettings(REALM_ID, AD_LDAP_URL, AD_DOMAIN, "CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com", LdapSearchScope.ONE_LEVEL, false);
-RealmConfig config = configureRealm("ad-test", settings);
+RealmConfig config = configureRealm("ad-test", LdapRealmSettings.AD_TYPE, settings);
 try (ActiveDirectorySessionFactory sessionFactory = getActiveDirectorySessionFactory(config, sslService, threadPool)) {
 String userName = "hulk";
@@ -163,7 +161,7 @@ public void testAuthenticate() throws Exception {
 public void testAuthenticateBaseUserSearch() throws Exception {
 Settings settings = buildAdSettings(REALM_ID, AD_LDAP_URL, AD_DOMAIN, "CN=Bruce Banner, CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com", LdapSearchScope.BASE, false);
-RealmConfig config = configureRealm("ad-test", settings);
+RealmConfig config = configureRealm("ad-test", LdapRealmSettings.AD_TYPE, settings);
 try (ActiveDirectorySessionFactory sessionFactory = getActiveDirectorySessionFactory(config, sslService, threadPool)) {
 String userName = "hulk";
@@ -191,7 +189,7 @@ public void testAuthenticateBaseGroupSearch() throws Exception {
 "CN=Avengers,CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com")
 .put(ActiveDirectorySessionFactorySettings.AD_GROUP_SEARCH_SCOPE_SETTING, LdapSearchScope.BASE)
 .build();
-RealmConfig config = configureRealm("ad-test", settings);
+RealmConfig config = configureRealm("ad-test", LdapRealmSettings.AD_TYPE, settings);
 try (ActiveDirectorySessionFactory sessionFactory = getActiveDirectorySessionFactory(config, sslService, threadPool)) {
 String userName = "hulk";
@@ -207,7 +205,7 @@ public void testAuthenticateBaseGroupSearch() throws Exception {
 public void testAuthenticateWithUserPrincipalName() throws Exception {
 Settings settings = buildAdSettings(REALM_ID, AD_LDAP_URL, AD_DOMAIN, "CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com", LdapSearchScope.ONE_LEVEL, false);
-RealmConfig config = configureRealm("ad-test", settings);
+RealmConfig config = configureRealm("ad-test", LdapRealmSettings.AD_TYPE, settings);
 try (ActiveDirectorySessionFactory sessionFactory = getActiveDirectorySessionFactory(config, sslService, threadPool)) {
 //Login with the UserPrincipalName
@@ -227,7 +225,7 @@ public void testAuthenticateWithUserPrincipalName() throws Exception {
 public void testAuthenticateWithSAMAccountName() throws Exception {
 Settings settings = buildAdSettings(REALM_ID, AD_LDAP_URL, AD_DOMAIN, "CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com", LdapSearchScope.ONE_LEVEL, false);
-RealmConfig config = configureRealm("ad-test", settings);
+RealmConfig config = configureRealm("ad-test", LdapRealmSettings.AD_TYPE, settings);
 try (ActiveDirectorySessionFactory sessionFactory = getActiveDirectorySessionFactory(config, sslService, threadPool)) {
 //login with sAMAccountName
@@ -252,7 +250,7 @@ public void testCustomUserFilter() throws Exception {
 .put(getFullSettingKey(REALM_ID.getName(), ActiveDirectorySessionFactorySettings.AD_USER_SEARCH_FILTER_SETTING), "(&(objectclass=user)(userPrincipalName={0}@ad.test.elasticsearch.com))")
 .build();
-RealmConfig config = configureRealm("ad-test", settings);
+RealmConfig config = configureRealm("ad-test", LdapRealmSettings.AD_TYPE, settings);
 try (ActiveDirectorySessionFactory sessionFactory = getActiveDirectorySessionFactory(config, sslService, threadPool)) {
 //Login with the UserPrincipalName
@@ -271,18 +269,14 @@ public void testCustomUserFilter() throws Exception {
 public void testStandardLdapConnection() throws Exception {
 String groupSearchBase = "DC=ad,DC=test,DC=elasticsearch,DC=com";
 String userTemplate = "CN={0},CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com";
- Settings settings = Settings.builder()
- .put(LdapTestCase.buildLdapSettings(
- new String[]{AD_LDAP_URL},
- new String[]{userTemplate},
- groupSearchBase,
- LdapSearchScope.SUB_TREE,
- null,
- true))
- .put("follow_referrals", FOLLOW_REFERRALS)
- .putList("ssl.certificate_authorities", certificatePaths)
+ final RealmConfig.RealmIdentifier realmId = new RealmConfig.RealmIdentifier(LdapRealmSettings.LDAP_TYPE, "ad-as-ldap-test");
+ final Settings settings = Settings.builder()
+ .put(LdapTestCase.buildLdapSettings(realmId, new String[]{AD_LDAP_URL}, new String[]{userTemplate}, groupSearchBase,
+ LdapSearchScope.SUB_TREE, null, false))
+ .putList(RealmSettings.realmSslPrefix(realmId) + "certificate_authorities", certificatePaths)
+ .put(getFullSettingKey(realmId, SessionFactorySettings.FOLLOW_REFERRALS_SETTING), FOLLOW_REFERRALS)
 .build();
- RealmConfig config = configureRealm("ad-as-ldap-test", settings);
+ RealmConfig config = configureRealm("ad-as-ldap-test", LdapRealmSettings.LDAP_TYPE, settings);
 LdapSessionFactory sessionFactory = new LdapSessionFactory(config, sslService, threadPool);
 String user = "Bruce Banner";
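Review bot: The last argument to `LdapTestCase.buildLdapSettings(...)` flips from `true` to `false` in this hunk — the removed lines passed `true)` in that position, and the old testHandlingLdapReferralErrors in the next hunk named that same trailing parameter `ignoreReferralErrors` — so testStandardLdapConnection now fails on referral errors it previously ignored, a behaviour change the commit message does not mention. If that is intended, a short comment on the line, `LdapSearchScope.SUB_TREE, null, false)) // do not ignore referral errors`, would keep the next reader from "fixing" it back; if it is not, the `true` should be restored. The rest of testStandardLdapConnection continues outside the hunk.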
@@ -302,21 +296,15 @@ public void testStandardLdapConnection() throws Exception {
 public void testHandlingLdapReferralErrors() throws Exception {
 String groupSearchBase = "DC=ad,DC=test,DC=elasticsearch,DC=com";
 String userTemplate = "CN={0},CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com";
- final boolean ignoreReferralErrors = false;
- final RealmConfig.RealmIdentifier realmId = new RealmConfig.RealmIdentifier("ad", "ad-as-ldap-test");
- Settings settings = LdapTestCase.buildLdapSettings(realmId,
- new String[]{AD_LDAP_URL},
- new String[]{userTemplate},
- groupSearchBase,
- LdapSearchScope.SUB_TREE,
- null,
- ignoreReferralErrors);
- final Settings.Builder builder = Settings.builder().put(settings).put(globalSettings);
- builder.putList(RealmSettings.realmSslPrefix(realmId) + "certificate_authorities", certificatePaths);
- settings = builder.build();
- RealmConfig config = new RealmConfig(realmId,
- settings, TestEnvironment.newEnvironment(globalSettings),
- new ThreadContext(globalSettings));
+ final RealmConfig.RealmIdentifier realmId = new RealmConfig.RealmIdentifier(LdapRealmSettings.LDAP_TYPE, "ad-as-ldap-test");
+ Settings settings = Settings.builder()
+ .put(LdapTestCase.buildLdapSettings(realmId, new String[]{AD_LDAP_URL}, new String[]{userTemplate}, groupSearchBase,
+ LdapSearchScope.SUB_TREE, null, false))
+ .putList(RealmSettings.realmSslPrefix(realmId) + "certificate_authorities", certificatePaths)
+ .put(getFullSettingKey(realmId, SessionFactorySettings.FOLLOW_REFERRALS_SETTING), FOLLOW_REFERRALS)
+ .build();
+
+ RealmConfig config = configureRealm("ad-as-ldap-test", LdapRealmSettings.LDAP_TYPE, settings);
 LdapSessionFactory sessionFactory = new LdapSessionFactory(config, sslService, threadPool);
 String user = "Bruce Banner";
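Review bot: The intent that the removed `final boolean ignoreReferralErrors = false;` made explicit is lost: in a test named testHandlingLdapReferralErrors the new call now ends in a bare `LdapSearchScope.SUB_TREE, null, false))`, and a reader has to look up the parameter list to learn that the literal means referral errors are not ignored. The same six-line Settings builder now appears verbatim in testStandardLdapConnection (previous hunk) and testStandardLdapWithAttributeGroups (next hunk), differing only in that literal, so a small private helper in this test class would keep the three in step and name the flag at each call site; a sketch follows. The method body after `String user = "Bruce Banner";` continues outside the hunk.
```java
    // … unchanged: groupSearchBase / userTemplate locals …
    final RealmConfig.RealmIdentifier realmId = new RealmConfig.RealmIdentifier(LdapRealmSettings.LDAP_TYPE, "ad-as-ldap-test");
    final boolean ignoreReferralErrors = false;
    Settings settings = buildAdAsLdapSettings(realmId, userTemplate, groupSearchBase, ignoreReferralErrors);
    RealmConfig config = configureRealm("ad-as-ldap-test", LdapRealmSettings.LDAP_TYPE, settings);
    // … unchanged: LdapSessionFactory creation and the rest of the test …

/**
 * Realm-prefixed settings shared by the tests that query the AD fixture as a plain LDAP realm.
 *
 * @param ignoreReferralErrors forwarded as the last argument of LdapTestCase.buildLdapSettings
 */
private Settings buildAdAsLdapSettings(RealmConfig.RealmIdentifier realmId, String userTemplate, String groupSearchBase,
                                       boolean ignoreReferralErrors) {
    return Settings.builder()
        .put(LdapTestCase.buildLdapSettings(realmId, new String[]{AD_LDAP_URL}, new String[]{userTemplate}, groupSearchBase,
            LdapSearchScope.SUB_TREE, null, ignoreReferralErrors))
        .putList(RealmSettings.realmSslPrefix(realmId) + "certificate_authorities", certificatePaths)
        .put(getFullSettingKey(realmId, SessionFactorySettings.FOLLOW_REFERRALS_SETTING), FOLLOW_REFERRALS)
        .build();
}
```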
@@ -335,12 +323,16 @@ public void testHandlingLdapReferralErrors() throws Exception {
 public void testStandardLdapWithAttributeGroups() throws Exception {
 String userTemplate = "CN={0},CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com";
- Settings settings = LdapTestCase.buildLdapSettings(new String[]{AD_LDAP_URL}, userTemplate, false);
- settings = Settings.builder()
- .put(settings)
+ String groupSearchBase = "DC=ad,DC=test,DC=elasticsearch,DC=com";
+ final RealmConfig.RealmIdentifier realmId = new RealmConfig.RealmIdentifier(LdapRealmSettings.LDAP_TYPE, "ad-as-ldap-test");
+ Settings settings = Settings.builder()
+ .put(LdapTestCase.buildLdapSettings(realmId, new String[]{AD_LDAP_URL}, new String[]{userTemplate}, groupSearchBase,
+ LdapSearchScope.SUB_TREE, null, false))
 .putList("ssl.certificate_authorities", certificatePaths)
+ .putList(RealmSettings.realmSslPrefix(realmId) + "certificate_authorities", certificatePaths)
+ .put(getFullSettingKey(realmId, SessionFactorySettings.FOLLOW_REFERRALS_SETTING), FOLLOW_REFERRALS)
 .build();
- RealmConfig config = configureRealm("ad-as-ldap-test", settings);
+ RealmConfig config = configureRealm("ad-as-ldap-test", LdapRealmSettings.LDAP_TYPE, settings);
 LdapSessionFactory sessionFactory = new LdapSessionFactory(config, sslService, threadPool);
 String user = "Bruce Banner";
@@ -357,7 +349,7 @@ public void testStandardLdapWithAttributeGroups() throws Exception {
 }
 public void testADLookup() throws Exception {
- RealmConfig config = configureRealm("ad-test", buildAdSettings(AD_LDAP_URL, AD_DOMAIN, false, true));
+ RealmConfig config = configureRealm("ad-test", LdapRealmSettings.AD_TYPE, buildAdSettings(AD_LDAP_URL, AD_DOMAIN, false, true));
 try (ActiveDirectorySessionFactory sessionFactory = getActiveDirectorySessionFactory(config, sslService, threadPool)) {
 List users = randomSubsetOf(Arrays.asList("cap", "hawkeye", "hulk", "ironman", "thor", "blackwidow",
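Review bot: The context line `.putList("ssl.certificate_authorities", certificatePaths)` survives next to the new `.putList(RealmSettings.realmSslPrefix(realmId) + "certificate_authorities", certificatePaths)`, so the CA list is now set twice in testStandardLdapWithAttributeGroups, once under the pre-7.0 flat key and once under the realm-prefixed key this commit migrates to. The flat key is exactly what the testStandardLdapConnection hunk removed (`- .putList("ssl.certificate_authorities", certificatePaths)`), so here it is presumably a leftover; dropping the line keeps the three LDAP tests consistent and avoids carrying a stale key that settings validation could reject as unknown. The assertions after `String user = "Bruce Banner";` are outside the hunk.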
diff --git a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/GroupMappingIT.java b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/GroupMappingIT.java
index 22d3734742085..6a90f1c8d82b1 100644
--- a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/GroupMappingIT.java
+++ b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/GroupMappingIT.java
@@ -5,15 +5,12 @@
 */
 package org.elasticsearch.xpack.security.authc.ldap;
-import org.apache.lucene.util.LuceneTestCase;
-
 import java.io.IOException;
 /**
 * This tests the group to role mappings from LDAP sources provided by the super class - available from super.realmConfig.
 * The super class will provide appropriate group mappings via configGroupMappings()
 */
-@LuceneTestCase.AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/issues/35738")
 public class GroupMappingIT extends AbstractAdLdapRealmTestCase {
 public void testAuthcAuthz() throws IOException {
diff --git a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/MultiGroupMappingIT.java b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/MultiGroupMappingIT.java
index 120ed26b714f8..5e0dda8fe2da5 100644
--- a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/MultiGroupMappingIT.java
+++ b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/MultiGroupMappingIT.java
@@ -41,7 +41,6 @@ protected String configRoles() {
 " privileges: [ all ]\n";
 }
- @AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/issues/35738")
 public void testGroupMapping() throws IOException {
 String asgardian = "odin";
 String securityPhilanthropist = realmConfig.loginWithCommonName ? "Bruce Banner" : "hulk";
diff --git a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/MultipleAdRealmIT.java b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/MultipleAdRealmIT.java
index 90a64d5794d31..5e43c0d6b9b52 100644
--- a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/MultipleAdRealmIT.java
+++ b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/MultipleAdRealmIT.java
@@ -7,6 +7,7 @@
 import org.apache.logging.log4j.LogManager;
 import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.xpack.core.security.authc.ldap.LdapRealmSettings;
 import org.junit.BeforeClass;
 import java.io.IOException;
@@ -49,8 +50,13 @@ protected Settings nodeSettings(int nodeOrdinal) {
 final Settings secondarySettings = super.buildRealmSettings(secondaryRealmConfig, secondaryRoleMappings, getNodeTrustedCertificates());
 secondarySettings.keySet().forEach(name -> {
- String newName = name.replace(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL, XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + "2");
- builder.copy(newName, name, secondarySettings);
+ final String newname;
+ if (name.contains(LdapRealmSettings.AD_TYPE)) {
+ newname = name.replace(XPACK_SECURITY_AUTHC_REALMS_AD_EXTERNAL, XPACK_SECURITY_AUTHC_REALMS_AD_EXTERNAL + "2");
+ } else {
+ newname = name.replace(XPACK_SECURITY_AUTHC_REALMS_LDAP_EXTERNAL, XPACK_SECURITY_AUTHC_REALMS_LDAP_EXTERNAL + "2");
+ }
+ builder.copy(newname, name, secondarySettings);
 });
 return builder.build();
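Review bot: `name.contains(LdapRealmSettings.AD_TYPE)` selects the prefix to rewrite by a substring match anywhere in the setting key, which is looser than the replacement on the next line actually relies on; matching the prefix being rewritten, `if (name.startsWith(XPACK_SECURITY_AUTHC_REALMS_AD_EXTERNAL)) {`, ties the branch to what it does. The else branch also has no guard: a key carrying neither prefix comes back from `replace` unchanged, and `builder.copy(newname, name, secondarySettings)` then presumably overwrites the primary realm's entry under the same key instead of creating the "2" copy, which deserves an explicit failure rather than a silent overwrite. The local is spelled `newname` where the removed line and the rest of the file use lowerCamelCase (`newName`).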
@@ -62,7 +68,6 @@ protected Settings nodeSettings(int nodeOrdinal) {
 * Because one realm is using "common name" (cn) for login, and the other uses the "userid" (sAMAccountName) [see
 * {@link #setupSecondaryRealm()}], this is simply a matter of checking that we can authenticate with both identifiers.
 */
- @AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/issues/35738")
 public void testCanAuthenticateAgainstBothRealms() throws IOException {
 assertAccessAllowed("Natasha Romanoff", "avengers");
 assertAccessAllowed("blackwidow", "avengers");
diff --git a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/UserAttributeGroupsResolverTests.java b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/UserAttributeGroupsResolverTests.java
index 38adbbe019048..34e43f26b4b40 100644
--- a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/UserAttributeGroupsResolverTests.java
+++ b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/UserAttributeGroupsResolverTests.java
@@ -8,22 +8,22 @@
 import com.unboundid.ldap.sdk.Attribute;
 import com.unboundid.ldap.sdk.SearchRequest;
 import com.unboundid.ldap.sdk.SearchScope;
-import org.apache.lucene.util.LuceneTestCase;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.unit.TimeValue;
 import org.elasticsearch.xpack.core.security.authc.RealmConfig;
+import org.elasticsearch.xpack.core.security.authc.ldap.UserAttributeGroupsResolverSettings;
 import org.elasticsearch.xpack.core.security.support.NoOpLogger;
 import org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils;
 import java.util.Collection;
 import java.util.List;
+import static org.elasticsearch.xpack.core.security.authc.RealmSettings.getFullSettingKey;
 import static org.hamcrest.Matchers.containsInAnyOrder;
 import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.empty;
-import static org.hamcrest.Matchers.hasItems;
+import static org.hamcrest.Matchers.hasSize;
-@LuceneTestCase.AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/issues/35738")
 public class UserAttributeGroupsResolverTests extends GroupsResolverTestCase {
 public static final String BRUCE_BANNER_DN = "cn=Bruce Banner,CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com";
@@ -57,18 +57,19 @@ public void testResolveFromPreloadedAttributes() throws Exception {
 public void testResolveCustomGroupAttribute() throws Exception {
 Settings settings = Settings.builder()
- .put("user_group_attribute", "seeAlso")
- .build();
+ .put(getFullSettingKey("realm1", UserAttributeGroupsResolverSettings.ATTRIBUTE), "seeAlso")
+ .build();
 UserAttributeGroupsResolver resolver = new UserAttributeGroupsResolver(config(REALM_ID, settings));
 List groups = resolveBlocking(resolver, ldapConnection, BRUCE_BANNER_DN, TimeValue.timeValueSeconds(20), NoOpLogger.INSTANCE, null);
- assertThat(groups, hasItems(containsString("Avengers"))); //seeAlso only has Avengers
+ assertThat(groups, hasSize(1));
+ assertThat(groups.get(0), containsString("Avengers")); //seeAlso only has Avengers
 }
 public void testResolveInvalidGroupAttribute() throws Exception {
 Settings settings = Settings.builder()
- .put("user_group_attribute", "doesntExist")
- .build();
+ .put(getFullSettingKey("realm1", UserAttributeGroupsResolverSettings.ATTRIBUTE), "doesntExist")
+ .build();
 UserAttributeGroupsResolver resolver = new UserAttributeGroupsResolver(config(REALM_ID, settings));
 List groups = resolveBlocking(resolver, ldapConnection, BRUCE_BANNER_DN, TimeValue.timeValueSeconds(20), NoOpLogger.INSTANCE, null);
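Review bot: The setting key is built from the literal `"realm1"` in `getFullSettingKey("realm1", UserAttributeGroupsResolverSettings.ATTRIBUTE)` while the resolver two lines later is configured from `config(REALM_ID, settings)`; the two must name the same realm for the attribute override to be seen at all, and nothing in the hunk ties them together. Using the identifier the config is built from, `.put(getFullSettingKey(REALM_ID, UserAttributeGroupsResolverSettings.ATTRIBUTE), "seeAlso")` — the RealmIdentifier overload is already used in ActiveDirectorySessionFactoryTests, assuming REALM_ID is a RealmIdentifier as `config(REALM_ID, settings)` suggests — removes the hidden coupling; the same applies to the `"doesntExist"` line in testResolveInvalidGroupAttribute. testResolveInvalidGroupAttribute's assertions continue past the end of the hunk.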