Make order setting mandatory for Realm config

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/RealmConfig.java

@@ -24,11 +24,24 @@ public class RealmConfig {
     private final ThreadContext threadContext;
 
     public RealmConfig(RealmIdentifier identifier, Settings settings, Environment env, ThreadContext threadContext) {
+        this(identifier, settings, env, threadContext, null);
+    }
+
+    public RealmConfig(RealmIdentifier identifier, Settings settings, Environment env, ThreadContext threadContext, Integer order) {
         this.identifier = identifier;
         this.settings = settings;
         this.env = env;
         this.enabled = getSetting(RealmSettings.ENABLED_SETTING);
-        this.order = getSetting(RealmSettings.ORDER_SETTING);
+        if (order != null) {
+            this.order = order;
+        } else if (order == null && hasSetting(RealmSettings.ORDER_SETTING.apply(type())) == false) {
+            throw new IllegalArgumentException("'order' is a mandatory parameter for realm config. " +
+                "Found invalid realm config: '" + identifier.name + "'\n" +
+                "Please see the breaking changes documentation."
+            );
+        } else {
+            this.order = getSetting(RealmSettings.ORDER_SETTING);
+        }
         this.threadContext = threadContext;
     }
 

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/Realms.java

@@ -307,13 +307,13 @@ private void addNativeRealms(List<Realm> realms) throws Exception {
         if (fileRealm != null) {
             realms.add(fileRealm.create(new RealmConfig(
                     new RealmConfig.RealmIdentifier(FileRealmSettings.TYPE, "default_" + FileRealmSettings.TYPE),
-                    settings, env, threadContext)));
+                    settings, env, threadContext, Integer.MIN_VALUE)));
         }
         Realm.Factory indexRealmFactory = factories.get(NativeRealmSettings.TYPE);
         if (indexRealmFactory != null) {
             realms.add(indexRealmFactory.create(new RealmConfig(
                     new RealmConfig.RealmIdentifier(NativeRealmSettings.TYPE, "default_" + NativeRealmSettings.TYPE),
-                    settings, env, threadContext)));
+                    settings, env, threadContext, Integer.MIN_VALUE)));
         }
     }
 

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/esnative/ReservedRealm.java

@@ -63,7 +63,8 @@ public class ReservedRealm extends CachingUsernamePasswordRealm {
 
     public ReservedRealm(Environment env, Settings settings, NativeUsersStore nativeUsersStore, AnonymousUser anonymousUser,
                          SecurityIndexManager securityIndex, ThreadPool threadPool) {
-        super(new RealmConfig(new RealmConfig.RealmIdentifier(TYPE, TYPE), settings, env, threadPool.getThreadContext()), threadPool);
+        super(new RealmConfig(new RealmConfig.RealmIdentifier(TYPE, TYPE), settings, env, threadPool.getThreadContext(),
+            Integer.MIN_VALUE), threadPool);
         this.nativeUsersStore = nativeUsersStore;
         this.realmEnabled = XPackSettings.RESERVED_REALM_ENABLED_SETTING.get(settings);
         this.anonymousUser = anonymousUser;

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/oidc/TransportOpenIdConnectLogoutActionTests.java

@@ -181,7 +181,7 @@ public void setup() throws Exception {
 
         final RealmConfig.RealmIdentifier realmIdentifier = new RealmConfig.RealmIdentifier("oidc", REALM_NAME);
 
-        final RealmConfig realmConfig = new RealmConfig(realmIdentifier, settings, env, threadContext);
+        final RealmConfig realmConfig = new RealmConfig(realmIdentifier, settings, env, threadContext, Integer.MAX_VALUE);
         oidcRealm = new OpenIdConnectRealm(realmConfig, new SSLService(TestEnvironment.newEnvironment(sslSettings)),
             mock(UserRoleMapper.class), mock(ResourceWatcherService.class));
         when(realms.realm(realmConfig.name())).thenReturn(oidcRealm);

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/saml/TransportSamlInvalidateSessionActionTests.java

@@ -219,7 +219,7 @@ void doExecute(ActionType<Response> action, Request request, ActionListener<Resp
         final RealmConfig realmConfig = new RealmConfig(
                 realmId,
             settings,
-                env, threadContext);
+                env, threadContext, Integer.MAX_VALUE);
         samlRealm = SamlRealmTestHelper.buildRealm(realmConfig, null);
         when(realms.realm(realmConfig.name())).thenReturn(samlRealm);
         when(realms.stream()).thenAnswer(i -> Stream.of(samlRealm));

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/saml/TransportSamlLogoutActionTests.java

@@ -214,7 +214,7 @@ public void setup() throws Exception {
 
         final RealmIdentifier realmIdentifier = new RealmIdentifier("saml", REALM_NAME);
 
-        final RealmConfig realmConfig = new RealmConfig(realmIdentifier, settings, env, threadContext);
+        final RealmConfig realmConfig = new RealmConfig(realmIdentifier, settings, env, threadContext, Integer.MAX_VALUE);
         samlRealm = SamlRealm.create(realmConfig, mock(SSLService.class), mock(ResourceWatcherService.class), mock(UserRoleMapper.class));
         when(realms.realm(realmConfig.name())).thenReturn(samlRealm);
     }

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/InternalRealmsTests.java

@@ -51,10 +51,10 @@ public void testNativeRealmRegistersIndexHealthChangeListener() throws Exception
         final RealmConfig.RealmIdentifier realmId = new RealmConfig.RealmIdentifier(NativeRealmSettings.TYPE, "test");
         final Environment env = TestEnvironment.newEnvironment(settings);
         final ThreadContext threadContext = new ThreadContext(settings);
-        factories.get(NativeRealmSettings.TYPE).create(new RealmConfig(realmId, settings, env, threadContext));
+        factories.get(NativeRealmSettings.TYPE).create(new RealmConfig(realmId, settings, env, threadContext, Integer.MAX_VALUE));
         verify(securityIndex).addIndexStateListener(isA(BiConsumer.class));
 
-        factories.get(NativeRealmSettings.TYPE).create(new RealmConfig(realmId, settings, env, threadContext));
+        factories.get(NativeRealmSettings.TYPE).create(new RealmConfig(realmId, settings, env, threadContext, Integer.MAX_VALUE));
         verify(securityIndex, times(2)).addIndexStateListener(isA(BiConsumer.class));
     }
 

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/NativeRealmTests.java

@@ -13,6 +13,7 @@
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.xpack.core.security.authc.RealmConfig;
+import org.elasticsearch.xpack.core.security.authc.RealmSettings;
 import org.elasticsearch.xpack.core.security.index.RestrictedIndicesNames;
 import org.elasticsearch.xpack.security.support.SecurityIndexManager;
 
@@ -38,8 +39,9 @@ public void testCacheClearOnIndexHealthChange() {
         when(threadPool.getThreadContext()).thenReturn(threadContext);
         final AtomicInteger numInvalidation = new AtomicInteger(0);
         int expectedInvalidation = 0;
-        Settings settings = Settings.builder().put("path.home", createTempDir()).build();
         RealmConfig.RealmIdentifier realmId = new RealmConfig.RealmIdentifier("native", "native");
+        Settings settings = Settings.builder().put("path.home", createTempDir())
+            .put(RealmSettings.realmSettingPrefix(realmId) + "order", 0).build();
         RealmConfig config = new RealmConfig(realmId, settings, TestEnvironment.newEnvironment(settings), new ThreadContext(settings));
         final NativeRealm nativeRealm = new NativeRealm(config, mock(NativeUsersStore.class), threadPool) {
             @Override

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/file/FileRealmTests.java

@@ -61,7 +61,8 @@ public void init() throws Exception {
         userPasswdStore = mock(FileUserPasswdStore.class);
         userRolesStore = mock(FileUserRolesStore.class);
         globalSettings = Settings.builder().put("path.home", createTempDir()).put("xpack.security.authc.password_hashing.algorithm",
-            randomFrom("bcrypt9", "pbkdf2")).build();
+            randomFrom("bcrypt9", "pbkdf2")).
+            put(RealmSettings.realmSettingPrefix(REALM_IDENTIFIER) + "order", 0).build();
         threadPool = mock(ThreadPool.class);
         threadContext = new ThreadContext(globalSettings);
         when(threadPool.getThreadContext()).thenReturn(threadContext);
@@ -243,8 +244,8 @@ public void testUsageStats() throws Exception {
 
         final int order = randomIntBetween(0, 10);
         Settings settings = Settings.builder()
-            .put(RealmSettings.realmSettingPrefix(REALM_IDENTIFIER) + "order", order)
             .put(globalSettings)
+            .put(RealmSettings.realmSettingPrefix(REALM_IDENTIFIER) + "order", order)
             .build();
 
         RealmConfig config = getRealmConfig(settings);

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/file/FileUserPasswdStoreTests.java

@@ -134,7 +134,7 @@ public void testStore_AutoReload() throws Exception {
 
     private RealmConfig getRealmConfig() {
         final RealmConfig.RealmIdentifier identifier = new RealmConfig.RealmIdentifier("file", "file-test");
-        return new RealmConfig(identifier, settings, env, threadPool.getThreadContext());
+        return new RealmConfig(identifier, settings, env, threadPool.getThreadContext(), Integer.MAX_VALUE);
     }
 
     public void testStore_AutoReload_WithParseFailures() throws Exception {

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/file/FileUserRolesStoreTests.java

@@ -75,7 +75,7 @@ public void testStore_ConfiguredWithUnreadableFile() throws Exception {
         Files.write(file, lines, StandardCharsets.UTF_16);
 
         RealmConfig.RealmIdentifier realmId = new RealmConfig.RealmIdentifier("file", "file-test");
-        RealmConfig config = new RealmConfig(realmId, settings, env, new ThreadContext(Settings.EMPTY));
+        RealmConfig config = new RealmConfig(realmId, settings, env, new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE);
         ResourceWatcherService watcherService = new ResourceWatcherService(settings, threadPool);
         FileUserRolesStore store = new FileUserRolesStore(config, watcherService);
         assertThat(store.entriesCount(), is(0));
@@ -88,7 +88,7 @@ public void testStoreAutoReload() throws Exception {
 
 
         final RealmConfig.RealmIdentifier realmId = new RealmConfig.RealmIdentifier("file", "file-test");
-        RealmConfig config = new RealmConfig(realmId, settings, env, new ThreadContext(Settings.EMPTY));
+        RealmConfig config = new RealmConfig(realmId, settings, env, new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE);
         ResourceWatcherService watcherService = new ResourceWatcherService(settings, threadPool);
         final CountDownLatch latch = new CountDownLatch(1);
 
@@ -134,7 +134,7 @@ public void testStoreAutoReloadWithParseFailure() throws Exception {
         Files.copy(users, tmp, StandardCopyOption.REPLACE_EXISTING);
 
         final RealmConfig.RealmIdentifier realmId = new RealmConfig.RealmIdentifier("file", "file-test");
-        RealmConfig config = new RealmConfig(realmId, settings, env, new ThreadContext(Settings.EMPTY));
+        RealmConfig config = new RealmConfig(realmId, settings, env, new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE);
         ResourceWatcherService watcherService = new ResourceWatcherService(settings, threadPool);
         final CountDownLatch latch = new CountDownLatch(1);
 
@@ -224,7 +224,7 @@ public void testParseFileEmptyRolesDoesNotCauseNPE() throws Exception {
 
             Environment env = TestEnvironment.newEnvironment(settings);
             final RealmConfig.RealmIdentifier realmId = new RealmConfig.RealmIdentifier("file", "file-test");
-            RealmConfig config = new RealmConfig(realmId, settings, env, new ThreadContext(Settings.EMPTY));
+            RealmConfig config = new RealmConfig(realmId, settings, env, new ThreadContext(Settings.EMPTY), Integer.MAX_VALUE);
             ResourceWatcherService watcherService = new ResourceWatcherService(settings, threadPool);
             FileUserRolesStore store = new FileUserRolesStore(config, watcherService);
             assertThat(store.roles("user"), equalTo(Strings.EMPTY_ARRAY));

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmAuthenticateFailedTests.java

@@ -122,7 +122,7 @@ public void testAuthenticateDifferentFailureScenarios() throws LoginException, G
     public void testDelegatedAuthorizationFailedToResolve() throws Exception {
         final String username = randomPrincipalName();
         final MockLookupRealm otherRealm = new MockLookupRealm(new RealmConfig(new RealmConfig.RealmIdentifier("mock", "other_realm"),
-            globalSettings, TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings)));
+            globalSettings, TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings), Integer.MAX_VALUE));
         final User lookupUser = new User(randomAlphaOfLength(5));
         otherRealm.registerUser(lookupUser);
 

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmSettingsTests.java

@@ -40,7 +40,7 @@ public void testKerberosRealmSettings() throws IOException {
             keytabPathConfig, maxUsers, cacheTTL, enableDebugLogs, removeRealmName);
         final RealmIdentifier identifier = new RealmIdentifier(KerberosRealmSettings.TYPE, KerberosRealmTestCase.REALM_NAME);
         final RealmConfig config = new RealmConfig(identifier,
-            settings, TestEnvironment.newEnvironment(settings), new ThreadContext(settings));
+            settings, TestEnvironment.newEnvironment(settings), new ThreadContext(settings), Integer.MAX_VALUE);
 
         assertThat(config.getSetting(KerberosRealmSettings.HTTP_SERVICE_KEYTAB_PATH), equalTo(keytabPathConfig));
         assertThat(config.getSetting(KerberosRealmSettings.CACHE_TTL_SETTING),

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmTestCase.java

@@ -123,7 +123,7 @@ protected KerberosRealm createKerberosRealm(final String... userForRoleMapping)
     protected KerberosRealm createKerberosRealm(final List<Realm> delegatedRealms, final String... userForRoleMapping) {
         final RealmConfig.RealmIdentifier id = new RealmConfig.RealmIdentifier(KerberosRealmSettings.TYPE, REALM_NAME);
         config = new RealmConfig(id, merge(id, settings, globalSettings),
-            TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings));
+            TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings), Integer.MAX_VALUE);
         mockNativeRoleMappingStore = roleMappingStore(Arrays.asList(userForRoleMapping));
         mockKerberosTicketValidator = mock(KerberosTicketValidator.class);
         final KerberosRealm kerberosRealm =

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmTests.java

@@ -163,7 +163,7 @@ private void assertKerberosRealmConstructorFails(final String keytabPath, final
         final String realmName = "test-kerb-realm";
         settings = buildKerberosRealmSettings(realmName, keytabPath, 100, "10m", true, randomBoolean(), globalSettings);
         config = new RealmConfig(new RealmConfig.RealmIdentifier(KerberosRealmSettings.TYPE, realmName), settings,
-            TestEnvironment.newEnvironment(settings), new ThreadContext(settings));
+            TestEnvironment.newEnvironment(settings), new ThreadContext(settings), Integer.MAX_VALUE);
         mockNativeRoleMappingStore = roleMappingStore(Arrays.asList("user"));
         mockKerberosTicketValidator = mock(KerberosTicketValidator.class);
         final IllegalArgumentException iae = expectThrows(IllegalArgumentException.class,
@@ -175,7 +175,7 @@ public void testDelegatedAuthorization() throws Exception {
         final String username = randomPrincipalName();
         final String expectedUsername = maybeRemoveRealmName(username);
         final MockLookupRealm otherRealm = spy(new MockLookupRealm(new RealmConfig(new RealmConfig.RealmIdentifier("mock", "other_realm"),
-            globalSettings, TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings))));
+            globalSettings, TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings), Integer.MAX_VALUE)));
         final User lookupUser = new User(expectedUsername, new String[] { "admin-role" }, expectedUsername,
                 expectedUsername + "@example.com", Collections.singletonMap("k1", "v1"), true);
         otherRealm.registerUser(lookupUser);

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectoryRealmTests.java

@@ -172,7 +172,8 @@ private RealmConfig setupRealm(RealmConfig.RealmIdentifier realmIdentifier, Sett
         return new RealmConfig(
             realmIdentifier,
             mergedSettings,
-            env, new ThreadContext(mergedSettings)
+            env, new ThreadContext(mergedSettings),
+            Integer.MAX_VALUE
         );
     }
 

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/GroupsResolverTestCase.java

@@ -32,7 +32,8 @@ protected static RealmConfig config(RealmConfig.RealmIdentifier realmId, Setting
         if (settings.hasValue("path.home") == false) {
             settings = Settings.builder().put(settings).put("path.home", createTempDir()).build();
         }
-        return new RealmConfig(realmId, settings, TestEnvironment.newEnvironment(settings), new ThreadContext(Settings.EMPTY));
+        return new RealmConfig(realmId, settings, TestEnvironment.newEnvironment(settings), new ThreadContext(Settings.EMPTY),
+            Integer.MAX_VALUE);
     }
 
     protected abstract String ldapUrl();

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapRealmTests.java

@@ -138,7 +138,7 @@ public void testAuthenticateSubTreeGroupSearch() throws Exception {
 
     private RealmConfig getRealmConfig(RealmConfig.RealmIdentifier identifier, Settings settings) {
         final Environment env = TestEnvironment.newEnvironment(settings);
-        return new RealmConfig(identifier, settings, env, new ThreadContext(settings));
+        return new RealmConfig(identifier, settings, env, new ThreadContext(settings), Integer.MAX_VALUE);
     }
 
     public void testAuthenticateOneLevelGroupSearch() throws Exception {
@@ -271,14 +271,14 @@ public void testDelegatedAuthorization() throws Exception {
 
         final Settings realmSettings = builder.build();
         final Environment env = TestEnvironment.newEnvironment(defaultGlobalSettings);
-        RealmConfig config = new RealmConfig(REALM_IDENTIFIER, realmSettings, env, threadPool.getThreadContext());
+        RealmConfig config = new RealmConfig(REALM_IDENTIFIER, realmSettings, env, threadPool.getThreadContext(), Integer.MAX_VALUE);
 
         final LdapSessionFactory ldapFactory = new LdapSessionFactory(config, sslService, threadPool);
         final DnRoleMapper roleMapper = buildGroupAsRoleMapper(resourceWatcherService);
         final LdapRealm ldap = new LdapRealm(config, ldapFactory, roleMapper, threadPool);
 
         final MockLookupRealm mockLookup = new MockLookupRealm(new RealmConfig(new RealmConfig.RealmIdentifier("mock", "mock_lookup"),
-            defaultGlobalSettings, env, threadPool.getThreadContext()));
+            defaultGlobalSettings, env, threadPool.getThreadContext(), Integer.MAX_VALUE));
 
         ldap.initialize(Arrays.asList(ldap, mockLookup), licenseState);
         mockLookup.initialize(Arrays.asList(ldap, mockLookup), licenseState);