
Commit 6161b72

Convert auditing license object to LicensedFeature (#79280)
This commit moves the auditing license checks to use the new LicensedFeature class.
1 parent 906e163 commit 6161b72


10 files changed

+48
-62
lines changed


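--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/license/XPackLicenseState.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/license/XPackLicenseState.java
@@ -41,7 +41,6 @@ public class XPackLicenseState {
 * Each value defines the licensed state necessary for the feature to be allowed.
 */
 public enum Feature {
-SECURITY_AUDITING(OperationMode.GOLD, false),
 SECURITY_TOKEN_SERVICE(OperationMode.STANDARD, false),
 
 OPERATOR_PRIVILEGES(OperationMode.ENTERPRISE, true);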

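--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java
@@ -86,64 +86,52 @@ public static OperationMode randomBasicStandardOrGold() {
 return randomFrom(BASIC, STANDARD, GOLD);
 }
 
-public void testSecurityDefaults() {
-XPackLicenseState licenseState = new XPackLicenseState(() -> 0);
-assertThat(licenseState.checkFeature(Feature.SECURITY_AUDITING), is(true));
-}
-
 public void testSecurityStandard() {
 XPackLicenseState licenseState = new XPackLicenseState(() -> 0);
 licenseState.update(STANDARD, true, null);
 
-assertThat(licenseState.checkFeature(Feature.SECURITY_AUDITING), is(false));
 assertThat(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE), is(true));
 }
 
 public void testSecurityStandardExpired() {
 XPackLicenseState licenseState = new XPackLicenseState( () -> 0);
 licenseState.update(STANDARD, false, null);
 
-assertThat(licenseState.checkFeature(Feature.SECURITY_AUDITING), is(false));
 assertThat(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE), is(true));
 }
 
 public void testSecurityBasic() {
 XPackLicenseState licenseState = new XPackLicenseState( () -> 0);
 licenseState.update(BASIC, true, null);
 
-assertThat(licenseState.checkFeature(Feature.SECURITY_AUDITING), is(false));
 assertThat(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE), is(false));
 }
 
 public void testSecurityGold() {
 XPackLicenseState licenseState = new XPackLicenseState(() -> 0);
 licenseState.update(GOLD, true, null);
 
-assertThat(licenseState.checkFeature(Feature.SECURITY_AUDITING), is(true));
 assertThat(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE), is(true));
 }
 
 public void testSecurityGoldExpired() {
 XPackLicenseState licenseState = new XPackLicenseState(() -> 0);
 licenseState.update(GOLD, false, null);
 
-assertThat(licenseState.checkFeature(Feature.SECURITY_AUDITING), is(true));
 assertThat(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE), is(true));
 }
 
 public void testSecurityPlatinum() {
 XPackLicenseState licenseState = new XPackLicenseState(() -> 0);
 licenseState.update(PLATINUM, true, null);
 
-assertThat(licenseState.checkFeature(Feature.SECURITY_AUDITING), is(true));
 assertThat(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE), is(true));
 }
 
 public void testSecurityPlatinumExpired() {
 XPackLicenseState licenseState = new XPackLicenseState(() -> 0);
 licenseState.update(PLATINUM, false, null);
 
-assertThat(licenseState.checkFeature(Feature.SECURITY_AUDITING), is(true));
 assertThat(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE), is(true));
 }
 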

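--- a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authz/SecuritySearchOperationListenerTests.java
+++ b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authz/SecuritySearchOperationListenerTests.java
@@ -8,13 +8,12 @@
 
 import org.elasticsearch.common.UUIDs;
 import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.core.TimeValue;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
 import org.elasticsearch.common.util.concurrent.ThreadContext.StoredContext;
+import org.elasticsearch.core.TimeValue;
 import org.elasticsearch.index.IndexService;
 import org.elasticsearch.index.shard.IndexShard;
-import org.elasticsearch.license.XPackLicenseState;
-import org.elasticsearch.license.XPackLicenseState.Feature;
+import org.elasticsearch.license.MockLicenseState;
 import org.elasticsearch.search.Scroll;
 import org.elasticsearch.search.SearchContextMissingException;
 import org.elasticsearch.search.internal.InternalScrollSearchRequest;
@@ -32,15 +31,16 @@
 import org.elasticsearch.xpack.core.security.authz.AuthorizationServiceField;
 import org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl;
 import org.elasticsearch.xpack.core.security.user.User;
+import org.elasticsearch.xpack.security.Security;
 import org.elasticsearch.xpack.security.audit.AuditTrail;
 import org.elasticsearch.xpack.security.audit.AuditTrailService;
 import org.junit.Before;
 
 import java.util.Collections;
 
-import static org.elasticsearch.xpack.security.audit.logfile.LoggingAuditTrail.PRINCIPAL_ROLES_FIELD_NAME;
 import static org.elasticsearch.xpack.core.security.authz.AuthorizationServiceField.AUTHORIZATION_INFO_KEY;
 import static org.elasticsearch.xpack.core.security.authz.AuthorizationServiceField.ORIGINATING_ACTION_KEY;
+import static org.elasticsearch.xpack.security.audit.logfile.LoggingAuditTrail.PRINCIPAL_ROLES_FIELD_NAME;
 import static org.elasticsearch.xpack.security.authz.AuthorizationServiceTests.authzInfoRoles;
 import static org.elasticsearch.xpack.security.authz.SecuritySearchOperationListener.ensureAuthenticatedUserIsSame;
 import static org.hamcrest.Matchers.is;
@@ -98,8 +98,8 @@ public void testValidateSearchContext() throws Exception {
 new Authentication(new User("test", "role"), new RealmRef("realm", "file", "node"), null));
 final IndicesAccessControl indicesAccessControl = mock(IndicesAccessControl.class);
 readerContext.putInContext(AuthorizationServiceField.INDICES_PERMISSIONS_KEY, indicesAccessControl);
-XPackLicenseState licenseState = mock(XPackLicenseState.class);
-when(licenseState.checkFeature(Feature.SECURITY_AUDITING)).thenReturn(true);
+MockLicenseState licenseState = mock(MockLicenseState.class);
+when(licenseState.isAllowed(Security.AUDITING_FEATURE)).thenReturn(true);
 ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
 final SecurityContext securityContext = new SecurityContext(Settings.EMPTY, threadContext);
 AuditTrail auditTrail = mock(AuditTrail.class);
@@ -191,8 +191,8 @@ public void testEnsuredAuthenticatedUserIsSame() {
 ShardSearchContextId contextId = new ShardSearchContextId(UUIDs.randomBase64UUID(), randomLong());
 final String action = randomAlphaOfLength(4);
 TransportRequest request = Empty.INSTANCE;
-XPackLicenseState licenseState = mock(XPackLicenseState.class);
-when(licenseState.checkFeature(Feature.SECURITY_AUDITING)).thenReturn(true);
+MockLicenseState licenseState = mock(MockLicenseState.class);
+when(licenseState.isAllowed(Security.AUDITING_FEATURE)).thenReturn(true);
 AuditTrail auditTrail = mock(AuditTrail.class);
 AuditTrailService auditTrailService = new AuditTrailService(Collections.singletonList(auditTrail), licenseState);
 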
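Review bot: The stubs at new lines 102 and 195 set `licenseState.isAllowed(Security.AUDITING_FEATURE)`, while the production gate shown in AuditTrailService.java calls `Security.AUDITING_FEATURE.check(licenseState)`, so these tests only work if `check` resolves through `isAllowed` on the mocked state. That linkage is not visible in this file, and if `check` ever stopped going through `isAllowed` the stub would become inert and the mock would presumably fall back to Mockito's default `false`. A short comment above each stub, for example `// AUDITING_FEATURE.check(licenseState) is assumed to delegate to isAllowed(); MockLicenseState makes that call stubbable`, would record the assumption; the same pattern recurs in AuditTrailServiceTests.java and AuthenticationServiceTests.java. Both test methods extend beyond their hunks.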

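--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java
@@ -354,9 +354,9 @@ public class Security extends Plugin implements SystemIndexPlugin, IngestPlugin,
 
 // TODO: ip filtering does not actually track license usage yet
 public static final LicensedFeature.Momentary IP_FILTERING_FEATURE =
-LicensedFeature.momentaryLenient(null, "security_ip_filtering", License.OperationMode.GOLD);
+LicensedFeature.momentaryLenient(null, "security-ip-filtering", License.OperationMode.GOLD);
 public static final LicensedFeature.Momentary AUDITING_FEATURE =
-LicensedFeature.momentaryLenient(null, "security_auditing", License.OperationMode.GOLD);
+LicensedFeature.momentaryLenient(null, "security-auditing", License.OperationMode.GOLD);
 
 private static final String REALMS_FEATURE_FAMILY = "security-realms";
 // Builtin realms (file/native) realms are Basic licensed, so don't need to be checked or tracked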
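Review bot: `AUDITING_FEATURE` now gates the whole audit trail but has no comment saying what `momentaryLenient` with `License.OperationMode.GOLD` means for it. The auditing cases removed from XPackLicenseStateTests expected the check to pass on expired Gold and Platinum licenses and fail on Basic and Standard, so presumably the lenient variant keeps that behaviour; a comment such as `// Gold and above; lenient so that auditing keeps recording after the license expires` would make it explicit. The switch of both feature names from underscores to hyphens, including `security-ip-filtering`, is not mentioned in the commit description, and if these names are reported externally (usage tracking is hinted at by the TODO above) the rename deserves a line there.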

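--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/AuditTrailService.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/AuditTrailService.java
@@ -10,13 +10,13 @@
 import org.apache.logging.log4j.Logger;
 import org.elasticsearch.common.transport.TransportAddress;
 import org.elasticsearch.license.XPackLicenseState;
-import org.elasticsearch.license.XPackLicenseState.Feature;
 import org.elasticsearch.rest.RestRequest;
 import org.elasticsearch.transport.TransportRequest;
 import org.elasticsearch.transport.TransportResponse;
 import org.elasticsearch.xpack.core.security.authc.Authentication;
 import org.elasticsearch.xpack.core.security.authc.AuthenticationToken;
 import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine.AuthorizationInfo;
+import org.elasticsearch.xpack.security.Security;
 import org.elasticsearch.xpack.security.transport.filter.SecurityIpFilterRule;
 
 import java.net.InetAddress;
@@ -43,7 +43,7 @@ public AuditTrailService(List<AuditTrail> auditTrails, XPackLicenseState license
 
 public AuditTrail get() {
 if (compositeAuditTrail.isEmpty() == false) {
-if (licenseState.checkFeature(Feature.SECURITY_AUDITING)) {
+if (Security.AUDITING_FEATURE.check(licenseState)) {
 return compositeAuditTrail;
 } else {
 maybeLogAuditingDisabled();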
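Review bot: `get()` has no Javadoc describing what callers receive when `Security.AUDITING_FEATURE.check(licenseState)` fails; the visible else branch only calls `maybeLogAuditingDisabled()` and the rest of the method is outside the hunk. A failed check presumably means security events stop being recorded, and operators need to know that this is a licensing outcome rather than a fault. I would add a Javadoc along the lines of `/** Returns the configured audit trails when auditing is licensed; otherwise logs that auditing is disabled and returns a trail that records nothing. */`, adjusted to whatever the hidden part of the branch actually returns. The new import also makes the audit package depend on the plugin entry class `Security` for one constant, which is worth a second look if the constant could live closer to the audit code.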

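--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/AuditTrailServiceTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/AuditTrailServiceTests.java
@@ -11,8 +11,7 @@
 import org.apache.logging.log4j.Logger;
 import org.elasticsearch.common.logging.Loggers;
 import org.elasticsearch.license.License;
-import org.elasticsearch.license.XPackLicenseState;
-import org.elasticsearch.license.XPackLicenseState.Feature;
+import org.elasticsearch.license.MockLicenseState;
 import org.elasticsearch.rest.RestRequest;
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.test.MockLogAppender;
@@ -22,6 +21,7 @@
 import org.elasticsearch.xpack.core.security.authc.AuthenticationToken;
 import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine.AuthorizationInfo;
 import org.elasticsearch.xpack.core.security.user.User;
+import org.elasticsearch.xpack.security.Security;
 import org.elasticsearch.xpack.security.transport.filter.IPFilter;
 import org.elasticsearch.xpack.security.transport.filter.SecurityIpFilterRule;
 import org.junit.Before;
@@ -47,7 +47,7 @@ public class AuditTrailServiceTests extends ESTestCase {
 private AuthenticationToken token;
 private TransportRequest request;
 private RestRequest restRequest;
-private XPackLicenseState licenseState;
+private MockLicenseState licenseState;
 private boolean isAuditingAllowed;
 
 @Before
@@ -57,10 +57,10 @@ public void init() throws Exception {
 auditTrailsBuilder.add(mock(AuditTrail.class));
 }
 auditTrails = unmodifiableList(auditTrailsBuilder);
-licenseState = mock(XPackLicenseState.class);
+licenseState = mock(MockLicenseState.class);
 service = new AuditTrailService(auditTrails, licenseState);
 isAuditingAllowed = randomBoolean();
-when(licenseState.checkFeature(Feature.SECURITY_AUDITING)).thenReturn(isAuditingAllowed);
+when(licenseState.isAllowed(Security.AUDITING_FEATURE)).thenReturn(isAuditingAllowed);
 token = mock(AuthenticationToken.class);
 request = mock(TransportRequest.class);
 restRequest = mock(RestRequest.class);
@@ -118,7 +118,7 @@ public void testNoLogRecentlyWhenLicenseProhibitsAuditing() throws Exception {
 public void testAuthenticationFailed() throws Exception {
 final String requestId = randomAlphaOfLengthBetween(6, 12);
 service.get().authenticationFailed(requestId, token, "_action", request);
-verify(licenseState).checkFeature(Feature.SECURITY_AUDITING);
+verify(licenseState).isAllowed(Security.AUDITING_FEATURE);
 if (isAuditingAllowed) {
 for (AuditTrail auditTrail : auditTrails) {
 verify(auditTrail).authenticationFailed(requestId, token, "_action", request);
@@ -131,7 +131,7 @@ public void testAuthenticationFailed() throws Exception {
 public void testAuthenticationFailedNoToken() throws Exception {
 final String requestId = randomAlphaOfLengthBetween(6, 12);
 service.get().authenticationFailed(requestId, "_action", request);
-verify(licenseState).checkFeature(Feature.SECURITY_AUDITING);
+verify(licenseState).isAllowed(Security.AUDITING_FEATURE);
 if (isAuditingAllowed) {
 for (AuditTrail auditTrail : auditTrails) {
 verify(auditTrail).authenticationFailed(requestId, "_action", request);
@@ -144,7 +144,7 @@ public void testAuthenticationFailedNoToken() throws Exception {
 public void testAuthenticationFailedRestNoToken() throws Exception {
 final String requestId = randomAlphaOfLengthBetween(6, 12);
 service.get().authenticationFailed(requestId, restRequest);
-verify(licenseState).checkFeature(Feature.SECURITY_AUDITING);
+verify(licenseState).isAllowed(Security.AUDITING_FEATURE);
 if (isAuditingAllowed) {
 for (AuditTrail auditTrail : auditTrails) {
 verify(auditTrail).authenticationFailed(requestId, restRequest);
@@ -157,7 +157,7 @@ public void testAuthenticationFailedRestNoToken() throws Exception {
 public void testAuthenticationFailedRest() throws Exception {
 final String requestId = randomAlphaOfLengthBetween(6, 12);
 service.get().authenticationFailed(requestId, token, restRequest);
-verify(licenseState).checkFeature(Feature.SECURITY_AUDITING);
+verify(licenseState).isAllowed(Security.AUDITING_FEATURE);
 if (isAuditingAllowed) {
 for (AuditTrail auditTrail : auditTrails) {
 verify(auditTrail).authenticationFailed(requestId, token, restRequest);
@@ -170,7 +170,7 @@ public void testAuthenticationFailedRest() throws Exception {
 public void testAuthenticationFailedRealm() throws Exception {
 final String requestId = randomAlphaOfLengthBetween(6, 12);
 service.get().authenticationFailed(requestId, "_realm", token, "_action", request);
-verify(licenseState).checkFeature(Feature.SECURITY_AUDITING);
+verify(licenseState).isAllowed(Security.AUDITING_FEATURE);
 if (isAuditingAllowed) {
 for (AuditTrail auditTrail : auditTrails) {
 verify(auditTrail).authenticationFailed(requestId, "_realm", token, "_action", request);
@@ -183,7 +183,7 @@ public void testAuthenticationFailedRealm() throws Exception {
 public void testAuthenticationFailedRestRealm() throws Exception {
 final String requestId = randomAlphaOfLengthBetween(6, 12);
 service.get().authenticationFailed(requestId, "_realm", token, restRequest);
-verify(licenseState).checkFeature(Feature.SECURITY_AUDITING);
+verify(licenseState).isAllowed(Security.AUDITING_FEATURE);
 if (isAuditingAllowed) {
 for (AuditTrail auditTrail : auditTrails) {
 verify(auditTrail).authenticationFailed(requestId, "_realm", token, restRequest);
@@ -196,7 +196,7 @@ public void testAuthenticationFailedRestRealm() throws Exception {
 public void testAnonymousAccess() throws Exception {
 final String requestId = randomAlphaOfLengthBetween(6, 12);
 service.get().anonymousAccessDenied(requestId, "_action", request);
-verify(licenseState).checkFeature(Feature.SECURITY_AUDITING);
+verify(licenseState).isAllowed(Security.AUDITING_FEATURE);
 if (isAuditingAllowed) {
 for (AuditTrail auditTrail : auditTrails) {
 verify(auditTrail).anonymousAccessDenied(requestId, "_action", request);
@@ -213,7 +213,7 @@ public void testAccessGranted() throws Exception {
 () -> Collections.singletonMap(PRINCIPAL_ROLES_FIELD_NAME, new String[] { randomAlphaOfLengthBetween(1, 6) });
 final String requestId = randomAlphaOfLengthBetween(6, 12);
 service.get().accessGranted(requestId, authentication, "_action", request, authzInfo);
-verify(licenseState).checkFeature(Feature.SECURITY_AUDITING);
+verify(licenseState).isAllowed(Security.AUDITING_FEATURE);
 if (isAuditingAllowed) {
 for (AuditTrail auditTrail : auditTrails) {
 verify(auditTrail).accessGranted(requestId, authentication, "_action", request, authzInfo);
@@ -230,7 +230,7 @@ public void testAccessDenied() throws Exception {
 () -> Collections.singletonMap(PRINCIPAL_ROLES_FIELD_NAME, new String[] { randomAlphaOfLengthBetween(1, 6) });
 final String requestId = randomAlphaOfLengthBetween(6, 12);
 service.get().accessDenied(requestId, authentication, "_action", request, authzInfo);
-verify(licenseState).checkFeature(Feature.SECURITY_AUDITING);
+verify(licenseState).isAllowed(Security.AUDITING_FEATURE);
 if (isAuditingAllowed) {
 for (AuditTrail auditTrail : auditTrails) {
 verify(auditTrail).accessDenied(requestId, authentication, "_action", request, authzInfo);
@@ -244,7 +244,7 @@ public void testConnectionGranted() throws Exception {
 InetAddress inetAddress = InetAddress.getLoopbackAddress();
 SecurityIpFilterRule rule = randomBoolean() ? SecurityIpFilterRule.ACCEPT_ALL : IPFilter.DEFAULT_PROFILE_ACCEPT_ALL;
 service.get().connectionGranted(inetAddress, "client", rule);
-verify(licenseState).checkFeature(Feature.SECURITY_AUDITING);
+verify(licenseState).isAllowed(Security.AUDITING_FEATURE);
 if (isAuditingAllowed) {
 for (AuditTrail auditTrail : auditTrails) {
 verify(auditTrail).connectionGranted(inetAddress, "client", rule);
@@ -258,7 +258,7 @@ public void testConnectionDenied() throws Exception {
 InetAddress inetAddress = InetAddress.getLoopbackAddress();
 SecurityIpFilterRule rule = new SecurityIpFilterRule(false, "_all");
 service.get().connectionDenied(inetAddress, "client", rule);
-verify(licenseState).checkFeature(Feature.SECURITY_AUDITING);
+verify(licenseState).isAllowed(Security.AUDITING_FEATURE);
 if (isAuditingAllowed) {
 for (AuditTrail auditTrail : auditTrails) {
 verify(auditTrail).connectionDenied(inetAddress, "client", rule);
@@ -273,7 +273,7 @@ public void testAuthenticationSuccessRest() throws Exception {
 new RealmRef(null, null, null));
 final String requestId = randomAlphaOfLengthBetween(6, 12);
 service.get().authenticationSuccess(requestId, authentication, restRequest);
-verify(licenseState).checkFeature(Feature.SECURITY_AUDITING);
+verify(licenseState).isAllowed(Security.AUDITING_FEATURE);
 if (isAuditingAllowed) {
 for (AuditTrail auditTrail : auditTrails) {
 verify(auditTrail).authenticationSuccess(requestId, authentication, restRequest);
@@ -288,7 +288,7 @@ public void testAuthenticationSuccessTransport() throws Exception {
 new RealmRef(null, null, null));
 final String requestId = randomAlphaOfLengthBetween(6, 12);
 service.get().authenticationSuccess(requestId, authentication, "_action", request);
-verify(licenseState).checkFeature(Feature.SECURITY_AUDITING);
+verify(licenseState).isAllowed(Security.AUDITING_FEATURE);
 if (isAuditingAllowed) {
 for (AuditTrail auditTrail : auditTrails) {
 verify(auditTrail).authenticationSuccess(requestId, authentication, "_action", request);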
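Review bot: Every test here stubs `isAllowed(Security.AUDITING_FEATURE)` with a random boolean in `init()`, so none of them exercises the license levels at which auditing is actually permitted. The cases deleted from XPackLicenseStateTests in this commit pinned exactly that (denied on Basic and Standard, allowed on Gold and Platinum, including expired), and no replacement is visible in the files shown, though three of the ten changed files are not on this page. A small test that evaluates `Security.AUDITING_FEATURE` against a real license state at those levels would restore the coverage for a control that decides whether security events are logged.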

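--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/AuthenticationServiceTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/AuthenticationServiceTests.java
@@ -233,7 +233,7 @@ public void init() throws Exception {
 when(licenseState.isAllowed(Security.CUSTOM_REALMS_FEATURE)).thenReturn(true);
 when(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE)).thenReturn(true);
 when(licenseState.copyCurrentLicenseState()).thenReturn(licenseState);
-when(licenseState.checkFeature(Feature.SECURITY_AUDITING)).thenReturn(true);
+when(licenseState.isAllowed(Security.AUDITING_FEATURE)).thenReturn(true);
 when(licenseState.getOperationMode()).thenReturn(randomFrom(License.OperationMode.ENTERPRISE, License.OperationMode.PLATINUM));
 
 ReservedRealm reservedRealm = mock(ReservedRealm.class);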
