diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/license/XPackLicenseState.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/license/XPackLicenseState.java index 30bc47cbf5040..7f8fd2ebfe52f 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/license/XPackLicenseState.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/license/XPackLicenseState.java @@ -41,7 +41,6 @@ public class XPackLicenseState { * Each value defines the licensed state necessary for the feature to be allowed. */ public enum Feature { - SECURITY_TOKEN_SERVICE(OperationMode.STANDARD, false), OPERATOR_PRIVILEGES(OperationMode.ENTERPRISE, true); diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java index ecf8c11fc4d47..7b52832889d1c 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java @@ -8,7 +8,6 @@ import org.elasticsearch.common.util.iterable.Iterables; import org.elasticsearch.license.License.OperationMode; -import org.elasticsearch.license.XPackLicenseState.Feature; import org.elasticsearch.test.ESTestCase; import org.elasticsearch.xpack.core.XPackField; 
@@ -86,55 +85,6 @@ public static OperationMode randomBasicStandardOrGold() { return randomFrom(BASIC, STANDARD, GOLD); } - public void testSecurityStandard() { - XPackLicenseState licenseState = new XPackLicenseState(() -> 0); - licenseState.update(STANDARD, true, null); - - assertThat(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE), is(true)); - } - - public void testSecurityStandardExpired() { - XPackLicenseState licenseState = new XPackLicenseState( () -> 0); - licenseState.update(STANDARD, false, null); - - assertThat(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE), is(true)); - } - - public void testSecurityBasic() { - XPackLicenseState licenseState = new XPackLicenseState( () -> 0); - licenseState.update(BASIC, true, null); - - assertThat(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE), is(false)); - } - - public void testSecurityGold() { - XPackLicenseState licenseState = new XPackLicenseState(() -> 0); - licenseState.update(GOLD, true, null); - - assertThat(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE), is(true)); - } - - public void testSecurityGoldExpired() { - XPackLicenseState licenseState = new XPackLicenseState(() -> 0); - licenseState.update(GOLD, false, null); - - assertThat(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE), is(true)); - } - - public void testSecurityPlatinum() { - XPackLicenseState licenseState = new XPackLicenseState(() -> 0); - licenseState.update(PLATINUM, true, null); - - assertThat(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE), is(true)); - } - - public void testSecurityPlatinumExpired() { - XPackLicenseState licenseState = new XPackLicenseState(() -> 0); - licenseState.update(PLATINUM, false, null); - - assertThat(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE), is(true)); - } - public void testSecurityAckBasicToNotGoldOrStandard() { OperationMode toMode = randomFrom(OperationMode.values(), mode -> mode != GOLD && mode != STANDARD); 
assertAckMessages(XPackField.SECURITY, BASIC, toMode, 0); diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java index 9dc7c7065fb6a..e7d0189d48a5c 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java @@ -43,8 +43,6 @@ import org.elasticsearch.common.util.concurrent.EsExecutors; import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.common.util.set.Sets; -import org.elasticsearch.xcontent.NamedXContentRegistry; -import org.elasticsearch.xcontent.XContentBuilder; import org.elasticsearch.env.Environment; import org.elasticsearch.env.NodeEnvironment; import org.elasticsearch.http.HttpServerTransport; @@ -75,13 +73,15 @@ import org.elasticsearch.threadpool.ExecutorBuilder; import org.elasticsearch.threadpool.FixedExecutorBuilder; import org.elasticsearch.threadpool.ThreadPool; -import org.elasticsearch.transport.netty4.SharedGroupFactory; import org.elasticsearch.transport.Transport; import org.elasticsearch.transport.TransportInterceptor; import org.elasticsearch.transport.TransportRequest; import org.elasticsearch.transport.TransportRequestHandler; +import org.elasticsearch.transport.netty4.SharedGroupFactory; import org.elasticsearch.transport.nio.NioGroupFactory; import org.elasticsearch.watcher.ResourceWatcherService; +import org.elasticsearch.xcontent.NamedXContentRegistry; +import org.elasticsearch.xcontent.XContentBuilder; import org.elasticsearch.xpack.core.XPackField; import org.elasticsearch.xpack.core.XPackPlugin; import org.elasticsearch.xpack.core.XPackSettings; 
@@ -98,8 +98,8 @@ import org.elasticsearch.xpack.core.security.action.GrantApiKeyAction; import org.elasticsearch.xpack.core.security.action.InvalidateApiKeyAction; import org.elasticsearch.xpack.core.security.action.apikey.QueryApiKeyAction; -import org.elasticsearch.xpack.core.security.action.enrollment.NodeEnrollmentAction; import org.elasticsearch.xpack.core.security.action.enrollment.KibanaEnrollmentAction; +import org.elasticsearch.xpack.core.security.action.enrollment.NodeEnrollmentAction; import org.elasticsearch.xpack.core.security.action.oidc.OpenIdConnectAuthenticateAction; import org.elasticsearch.xpack.core.security.action.oidc.OpenIdConnectLogoutAction; import org.elasticsearch.xpack.core.security.action.oidc.OpenIdConnectPrepareAuthenticationAction; @@ -171,8 +171,8 @@ import org.elasticsearch.xpack.security.action.TransportGrantApiKeyAction; import org.elasticsearch.xpack.security.action.TransportInvalidateApiKeyAction; import org.elasticsearch.xpack.security.action.apikey.TransportQueryApiKeyAction; -import org.elasticsearch.xpack.security.action.enrollment.TransportNodeEnrollmentAction; import org.elasticsearch.xpack.security.action.enrollment.TransportKibanaEnrollmentAction; +import org.elasticsearch.xpack.security.action.enrollment.TransportNodeEnrollmentAction; import org.elasticsearch.xpack.security.action.filter.SecurityActionFilter; import org.elasticsearch.xpack.security.action.oidc.TransportOpenIdConnectAuthenticateAction; import org.elasticsearch.xpack.security.action.oidc.TransportOpenIdConnectLogoutAction; 
@@ -233,8 +233,8 @@ import org.elasticsearch.xpack.security.authz.SecuritySearchOperationListener; import org.elasticsearch.xpack.security.authz.accesscontrol.OptOutQueryCache; import org.elasticsearch.xpack.security.authz.interceptor.BulkShardRequestInterceptor; -import org.elasticsearch.xpack.security.authz.interceptor.IndicesAliasesRequestInterceptor; import org.elasticsearch.xpack.security.authz.interceptor.DlsFlsLicenseRequestInterceptor; +import org.elasticsearch.xpack.security.authz.interceptor.IndicesAliasesRequestInterceptor; import org.elasticsearch.xpack.security.authz.interceptor.RequestInterceptor; import org.elasticsearch.xpack.security.authz.interceptor.ResizeRequestInterceptor; import org.elasticsearch.xpack.security.authz.interceptor.SearchRequestInterceptor; @@ -260,8 +260,8 @@ import org.elasticsearch.xpack.security.rest.action.apikey.RestGrantApiKeyAction; import org.elasticsearch.xpack.security.rest.action.apikey.RestInvalidateApiKeyAction; import org.elasticsearch.xpack.security.rest.action.apikey.RestQueryApiKeyAction; -import org.elasticsearch.xpack.security.rest.action.enrollment.RestNodeEnrollmentAction; import org.elasticsearch.xpack.security.rest.action.enrollment.RestKibanaEnrollAction; +import org.elasticsearch.xpack.security.rest.action.enrollment.RestNodeEnrollmentAction; import org.elasticsearch.xpack.security.rest.action.oauth2.RestGetTokenAction; import org.elasticsearch.xpack.security.rest.action.oauth2.RestInvalidateTokenAction; import org.elasticsearch.xpack.security.rest.action.oidc.RestOpenIdConnectAuthenticateAction; 
@@ -357,6 +357,8 @@ public class Security extends Plugin implements SystemIndexPlugin, IngestPlugin,
 LicensedFeature.momentaryLenient(null, "security-ip-filtering", License.OperationMode.GOLD);
 public static final LicensedFeature.Momentary AUDITING_FEATURE =
 LicensedFeature.momentaryLenient(null, "security-auditing", License.OperationMode.GOLD);
+ public static final LicensedFeature.Momentary TOKEN_SERVICE_FEATURE =
+ LicensedFeature.momentaryLenient(null, "security-token-service", License.OperationMode.STANDARD);
 private static final String REALMS_FEATURE_FAMILY = "security-realms";
 // Builtin realms (file/native) realms are Basic licensed, so don't need to be checked or tracked
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/TokenService.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/TokenService.java
index 190961d5e6b8d..c65d71de58275 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/TokenService.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/TokenService.java
@@ -93,6 +93,7 @@
 import org.elasticsearch.xpack.core.security.authc.TokenMetadata;
 import org.elasticsearch.xpack.core.security.authc.support.Hasher;
 import org.elasticsearch.xpack.core.security.authc.support.TokensInvalidationResult;
+import org.elasticsearch.xpack.security.Security;
 import org.elasticsearch.xpack.security.support.FeatureNotEnabledException;
 import org.elasticsearch.xpack.security.support.FeatureNotEnabledException.Feature;
 import org.elasticsearch.xpack.security.support.SecurityIndexManager;
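Review bot: `TOKEN_SERVICE_FEATURE` in Security.java has no comment explaining why it is declared with `momentaryLenient`, and nothing visible in this commit re-asserts the levels that the deleted `XPackLicenseStateTests` cases pinned for the old enum value (BASIC denied; STANDARD, GOLD and PLATINUM allowed, including when expired). Because this constant now decides whether `TokenService.isEnabled()` accepts tokens, I would add above it `// Lenient: stays allowed after license expiry, as Feature.SECURITY_TOKEN_SERVICE(STANDARD, false) did`, plus a security-module test that builds `new XPackLicenseState(() -> 0)`, calls `update(BASIC, true, null)` and expects `Security.TOKEN_SERVICE_FEATURE.check(licenseState)` to be false. Equivalent coverage may already exist in a file this diff does not touch; if so, a pointer in the commit message would be enough.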
@@ -1586,11 +1587,11 @@ private static String getTokenIdFromDocumentId(String docId) {
 }
 private boolean isEnabled() {
- return enabled && licenseState.checkFeature(XPackLicenseState.Feature.SECURITY_TOKEN_SERVICE);
+ return enabled && Security.TOKEN_SERVICE_FEATURE.check(licenseState);
 }
 private void ensureEnabled() {
- if (licenseState.checkFeature(XPackLicenseState.Feature.SECURITY_TOKEN_SERVICE) == false) {
+ if (Security.TOKEN_SERVICE_FEATURE.check(licenseState) == false) {
 throw LicenseUtils.newComplianceException("security tokens");
 }
 if (enabled == false) {
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/action/oauth2/TokenBaseRestHandler.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/action/oauth2/TokenBaseRestHandler.java
index 3a7cdac342a76..5fce69e7e2fc3 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/action/oauth2/TokenBaseRestHandler.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/action/oauth2/TokenBaseRestHandler.java
@@ -12,8 +12,8 @@
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.license.LicenseUtils;
 import org.elasticsearch.license.XPackLicenseState;
-import org.elasticsearch.license.XPackLicenseState.Feature;
 import org.elasticsearch.rest.RestRequest;
+import org.elasticsearch.xpack.security.Security;
 import org.elasticsearch.xpack.security.rest.action.SecurityBaseRestHandler;
 /**
@@ -32,7 +32,7 @@ protected Exception checkFeatureAvailable(RestRequest request) {
 Exception failedFeature = super.checkFeatureAvailable(request);
 if (failedFeature != null) {
 return failedFeature;
- } else if (licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE)) {
+ } else if (Security.TOKEN_SERVICE_FEATURE.check(licenseState)) {
 return null;
 } else {
 logger.info("Security tokens are not available under the current [{}] license", licenseState.getOperationMode().description());
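Review bot: In `ensureEnabled()` (TokenService.java) the license gate `Security.TOKEN_SERVICE_FEATURE.check(licenseState)` runs before the `enabled == false` test. As far as I know, `check` on a momentary feature also records the feature as used when the license allows it, so a node with the token service disabled by setting would still report `security-token-service` usage before rejecting the call. `isEnabled()` avoids this by short-circuiting on `enabled` first; consider testing `enabled` first here too, or using the tracking-free `checkWithoutTracking(licenseState)` for the gate if it exists on this branch, keeping in mind that reordering changes which exception a caller sees when both conditions fail. The `check` call added to `TokenBaseRestHandler.checkFeatureAvailable` runs before the request reaches `TokenService`, so usage may be recorded there as well regardless of the setting. The body of `ensureEnabled()` continues past the end of the hunk, so the `enabled` branch is not fully visible.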
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/oidc/TransportOpenIdConnectLogoutActionTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/oidc/TransportOpenIdConnectLogoutActionTests.java index 778b9d069b399..87b24d0eaed9f 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/oidc/TransportOpenIdConnectLogoutActionTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/oidc/TransportOpenIdConnectLogoutActionTests.java @@ -7,6 +7,7 @@ package org.elasticsearch.xpack.security.action.oidc; import com.nimbusds.jwt.JWT; + import org.elasticsearch.action.ActionListener; import org.elasticsearch.action.bulk.BulkAction; import org.elasticsearch.action.bulk.BulkItemResponse; @@ -32,8 +33,7 @@ import org.elasticsearch.env.Environment; import org.elasticsearch.env.TestEnvironment; import org.elasticsearch.index.shard.ShardId; -import org.elasticsearch.license.XPackLicenseState; -import org.elasticsearch.license.XPackLicenseState.Feature; +import org.elasticsearch.license.MockLicenseState; import org.elasticsearch.tasks.Task; import org.elasticsearch.test.ClusterServiceUtils; import org.elasticsearch.threadpool.ThreadPool; 
@@ -48,13 +48,14 @@ import org.elasticsearch.xpack.core.security.authc.RealmConfig; import org.elasticsearch.xpack.core.security.authc.RealmSettings; import org.elasticsearch.xpack.core.security.authc.oidc.OpenIdConnectRealmSettings; +import org.elasticsearch.xpack.core.security.authc.support.UserRoleMapper; import org.elasticsearch.xpack.core.security.user.User; import org.elasticsearch.xpack.core.ssl.SSLService; +import org.elasticsearch.xpack.security.Security; import org.elasticsearch.xpack.security.authc.Realms; import org.elasticsearch.xpack.security.authc.TokenService; import org.elasticsearch.xpack.security.authc.oidc.OpenIdConnectRealm; import org.elasticsearch.xpack.security.authc.oidc.OpenIdConnectTestCase; -import org.elasticsearch.xpack.core.security.authc.support.UserRoleMapper; import org.elasticsearch.xpack.security.support.SecurityIndexManager; import org.junit.After; import org.junit.Before; @@ -176,8 +177,8 @@ public void setup() throws Exception { final ClusterService clusterService = ClusterServiceUtils.createClusterService(threadPool); - final XPackLicenseState licenseState = mock(XPackLicenseState.class); - when(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE)).thenReturn(true); + final MockLicenseState licenseState = mock(MockLicenseState.class); + when(licenseState.isAllowed(Security.TOKEN_SERVICE_FEATURE)).thenReturn(true); tokenService = new TokenService(settings, Clock.systemUTC(), client, licenseState, new SecurityContext(settings, threadContext), securityIndex, securityIndex, clusterService); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/saml/TransportSamlInvalidateSessionActionTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/saml/TransportSamlInvalidateSessionActionTests.java index 26b9cd8e8a096..294a0de17ffef 100644 
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/saml/TransportSamlInvalidateSessionActionTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/saml/TransportSamlInvalidateSessionActionTests.java @@ -8,10 +8,10 @@ import org.apache.lucene.search.TotalHits; import org.elasticsearch.ExceptionsHelper; -import org.elasticsearch.action.ActionType; import org.elasticsearch.action.ActionListener; import org.elasticsearch.action.ActionRequest; import org.elasticsearch.action.ActionResponse; +import org.elasticsearch.action.ActionType; import org.elasticsearch.action.bulk.BulkAction; import org.elasticsearch.action.bulk.BulkItemResponse; import org.elasticsearch.action.bulk.BulkRequest; @@ -35,20 +35,16 @@ import org.elasticsearch.cluster.service.ClusterService; import org.elasticsearch.common.UUIDs; import org.elasticsearch.common.bytes.BytesReference; -import org.elasticsearch.core.PathUtils; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.util.concurrent.ThreadContext; -import org.elasticsearch.xcontent.DeprecationHandler; -import org.elasticsearch.xcontent.NamedXContentRegistry; -import org.elasticsearch.xcontent.XContentType; +import org.elasticsearch.core.PathUtils; import org.elasticsearch.env.Environment; import org.elasticsearch.env.TestEnvironment; import org.elasticsearch.index.query.BoolQueryBuilder; import org.elasticsearch.index.query.QueryBuilder; import org.elasticsearch.index.query.TermQueryBuilder; import org.elasticsearch.index.shard.ShardId; -import org.elasticsearch.license.XPackLicenseState; -import org.elasticsearch.license.XPackLicenseState.Feature; +import org.elasticsearch.license.MockLicenseState; import org.elasticsearch.search.SearchHit; import org.elasticsearch.search.SearchHits; import org.elasticsearch.tasks.Task; 
@@ -57,6 +53,9 @@ import org.elasticsearch.threadpool.ThreadPool; import org.elasticsearch.transport.Transport; import org.elasticsearch.transport.TransportService; +import org.elasticsearch.xcontent.DeprecationHandler; +import org.elasticsearch.xcontent.NamedXContentRegistry; +import org.elasticsearch.xcontent.XContentType; import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.SecurityContext; import org.elasticsearch.xpack.core.security.action.saml.SamlInvalidateSessionRequest; @@ -69,6 +68,7 @@ import org.elasticsearch.xpack.core.security.authc.esnative.NativeRealmSettings; import org.elasticsearch.xpack.core.security.authc.saml.SamlRealmSettings; import org.elasticsearch.xpack.core.security.user.User; +import org.elasticsearch.xpack.security.Security; import org.elasticsearch.xpack.security.authc.Realms; import org.elasticsearch.xpack.security.authc.TokenService; import org.elasticsearch.xpack.security.authc.saml.SamlLogoutRequestHandler; @@ -209,8 +209,8 @@ void doExecute(ActionType action, Request request, ActionListener idxReqReference; private AuthenticationService authenticationService; - private XPackLicenseState license; + private MockLicenseState license; private SecurityContext securityContext; @Before @@ -177,8 +177,8 @@ && new String((byte[]) token.credentials(), StandardCharsets.UTF_8).equals("fail this.clusterService = ClusterServiceUtils.createClusterService(threadPool); - this.license = mock(XPackLicenseState.class); - when(license.checkFeature(Feature.SECURITY_TOKEN_SERVICE)).thenReturn(true); + this.license = mock(MockLicenseState.class); + when(license.isAllowed(Security.TOKEN_SERVICE_FEATURE)).thenReturn(true); } @After 
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/token/TransportInvalidateTokenActionTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/token/TransportInvalidateTokenActionTests.java index 154d240fff068..b845e2c0c1e9a 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/token/TransportInvalidateTokenActionTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/token/TransportInvalidateTokenActionTests.java @@ -19,8 +19,7 @@ import org.elasticsearch.common.settings.Settings; import org.elasticsearch.index.Index; import org.elasticsearch.indices.IndexClosedException; -import org.elasticsearch.license.XPackLicenseState; -import org.elasticsearch.license.XPackLicenseState.Feature; +import org.elasticsearch.license.MockLicenseState; import org.elasticsearch.node.Node; import org.elasticsearch.rest.RestStatus; import org.elasticsearch.test.ClusterServiceUtils; @@ -32,6 +31,7 @@ import org.elasticsearch.xpack.core.security.SecurityContext; import org.elasticsearch.xpack.core.security.action.token.InvalidateTokenRequest; import org.elasticsearch.xpack.core.security.action.token.InvalidateTokenResponse; +import org.elasticsearch.xpack.security.Security; import org.elasticsearch.xpack.security.authc.TokenService; import org.elasticsearch.xpack.security.support.SecurityIndexManager; import org.junit.After; @@ -58,7 +58,7 @@ public class TransportInvalidateTokenActionTests extends ESTestCase { private Client client; private SecurityIndexManager securityIndex; private ClusterService clusterService; - private XPackLicenseState license; + private MockLicenseState license; private SecurityContext securityContext; @Before 
@@ -70,8 +70,8 @@ public void setup() { when(client.settings()).thenReturn(SETTINGS); securityIndex = mock(SecurityIndexManager.class); this.clusterService = ClusterServiceUtils.createClusterService(threadPool); - this.license = mock(XPackLicenseState.class); - when(license.checkFeature(Feature.SECURITY_TOKEN_SERVICE)).thenReturn(true); + this.license = mock(MockLicenseState.class); + when(license.isAllowed(Security.TOKEN_SERVICE_FEATURE)).thenReturn(true); } public void testInvalidateTokensWhenIndexUnavailable() throws Exception { diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/AuthenticationServiceTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/AuthenticationServiceTests.java index 9dc8c97bb898b..00eac5e47a4ac 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/AuthenticationServiceTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/AuthenticationServiceTests.java @@ -32,10 +32,8 @@ import org.elasticsearch.cluster.health.ClusterHealthStatus; import org.elasticsearch.cluster.metadata.IndexMetadata; import org.elasticsearch.cluster.service.ClusterService; -import org.elasticsearch.core.SuppressForbidden; import org.elasticsearch.common.UUIDs; import org.elasticsearch.common.bytes.BytesReference; -import org.elasticsearch.core.Tuple; import org.elasticsearch.common.io.stream.BytesStreamOutput; import org.elasticsearch.common.io.stream.StreamInput; import org.elasticsearch.common.io.stream.StreamOutput; 
@@ -44,8 +42,8 @@ import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.transport.TransportAddress; import org.elasticsearch.common.util.concurrent.ThreadContext; -import org.elasticsearch.xcontent.NamedXContentRegistry; -import org.elasticsearch.xcontent.json.JsonXContent; +import org.elasticsearch.core.SuppressForbidden; +import org.elasticsearch.core.Tuple; import org.elasticsearch.env.Environment; import org.elasticsearch.env.TestEnvironment; import org.elasticsearch.index.get.GetResult; @@ -55,7 +53,6 @@ import org.elasticsearch.license.LicensedFeature; import org.elasticsearch.license.MockLicenseState; import org.elasticsearch.license.XPackLicenseState; -import org.elasticsearch.license.XPackLicenseState.Feature; import org.elasticsearch.rest.RestRequest; import org.elasticsearch.rest.RestStatus; import org.elasticsearch.test.ClusterServiceUtils; @@ -66,6 +63,8 @@ import org.elasticsearch.threadpool.TestThreadPool; import org.elasticsearch.threadpool.ThreadPool; import org.elasticsearch.transport.TransportRequest; +import org.elasticsearch.xcontent.NamedXContentRegistry; +import org.elasticsearch.xcontent.json.JsonXContent; import org.elasticsearch.xpack.core.XPackField; import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.SecurityContext; @@ -231,7 +230,7 @@ public void init() throws Exception { } } when(licenseState.isAllowed(Security.CUSTOM_REALMS_FEATURE)).thenReturn(true); - when(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE)).thenReturn(true); + when(licenseState.isAllowed(Security.TOKEN_SERVICE_FEATURE)).thenReturn(true); when(licenseState.copyCurrentLicenseState()).thenReturn(licenseState); when(licenseState.isAllowed(Security.AUDITING_FEATURE)).thenReturn(true); when(licenseState.getOperationMode()).thenReturn(randomFrom(License.OperationMode.ENTERPRISE, License.OperationMode.PLATINUM)); 
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/TokenServiceTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/TokenServiceTests.java index 10f20a94f2ea3..f14a3b0bd3326 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/TokenServiceTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/TokenServiceTests.java @@ -47,10 +47,7 @@ import org.elasticsearch.common.settings.SecureString; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.util.concurrent.ThreadContext; -import org.elasticsearch.xcontent.ToXContent; -import org.elasticsearch.xcontent.XContentBuilder; import org.elasticsearch.common.xcontent.XContentHelper; -import org.elasticsearch.xcontent.XContentType; import org.elasticsearch.core.Nullable; import org.elasticsearch.core.TimeValue; import org.elasticsearch.core.Tuple; @@ -59,8 +56,7 @@ import org.elasticsearch.index.query.BoolQueryBuilder; import org.elasticsearch.index.query.TermQueryBuilder; import org.elasticsearch.index.shard.ShardId; -import org.elasticsearch.license.XPackLicenseState; -import org.elasticsearch.license.XPackLicenseState.Feature; +import org.elasticsearch.license.MockLicenseState; import org.elasticsearch.node.Node; import org.elasticsearch.search.SearchHit; import org.elasticsearch.search.SearchHits; @@ -70,6 +66,9 @@ import org.elasticsearch.test.XContentTestUtils; import org.elasticsearch.threadpool.FixedExecutorBuilder; import org.elasticsearch.threadpool.ThreadPool; +import org.elasticsearch.xcontent.ToXContent; +import org.elasticsearch.xcontent.XContentBuilder; +import org.elasticsearch.xcontent.XContentType; import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.SecurityContext; import org.elasticsearch.xpack.core.security.authc.Authentication; 
@@ -79,6 +78,7 @@ import org.elasticsearch.xpack.core.security.authc.support.TokensInvalidationResult; import org.elasticsearch.xpack.core.security.user.User; import org.elasticsearch.xpack.core.watcher.watch.ClockMock; +import org.elasticsearch.xpack.security.Security; import org.elasticsearch.xpack.security.authc.TokenService.RefreshTokenStatus; import org.elasticsearch.xpack.security.support.FeatureNotEnabledException; import org.elasticsearch.xpack.security.support.SecurityIndexManager; @@ -136,7 +136,7 @@ public class TokenServiceTests extends ESTestCase { private DiscoveryNode oldNode; private Settings tokenServiceEnabledSettings = Settings.builder() .put(XPackSettings.TOKEN_SERVICE_ENABLED_SETTING.getKey(), true).build(); - private XPackLicenseState licenseState; + private MockLicenseState licenseState; private SecurityContext securityContext; @Before @@ -195,8 +195,8 @@ public void setupClient() { this.clusterService = ClusterServiceUtils.createClusterService(threadPool); // License state (enabled by default) - licenseState = mock(XPackLicenseState.class); - when(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE)).thenReturn(true); + licenseState = mock(MockLicenseState.class); + when(licenseState.isAllowed(Security.TOKEN_SERVICE_FEATURE)).thenReturn(true); // version 7.2 was an "inflection" point in the Token Service development (access_tokens as UUIDS, multiple concurrent refreshes, // tokens docs on a separate index), let's test the TokenService works in a mixed cluster with nodes with versions prior to these 
@@ -891,7 +891,7 @@ public void testSupercedingTokenEncryption() throws Exception { } public void testCannotValidateTokenIfLicenseDoesNotAllowTokens() throws Exception { - when(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE)).thenReturn(true); + when(licenseState.isAllowed(Security.TOKEN_SERVICE_FEATURE)).thenReturn(true); TokenService tokenService = createTokenService(tokenServiceEnabledSettings, Clock.systemUTC()); Authentication authentication = new Authentication(new User("joe", "admin"), new RealmRef("native_realm", "native", "node1"), null); final String userTokenId = UUIDs.randomBase64UUID(); @@ -904,7 +904,7 @@ public void testCannotValidateTokenIfLicenseDoesNotAllowTokens() throws Exceptio storeTokenHeader(threadContext, tokenService.prependVersionAndEncodeAccessToken(token.getVersion(), accessToken)); PlainActionFuture authFuture = new PlainActionFuture<>(); - when(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE)).thenReturn(false); + when(licenseState.isAllowed(Security.TOKEN_SERVICE_FEATURE)).thenReturn(false); final SecureString bearerToken = Authenticator.extractBearerTokenFromHeader(threadContext); tokenService.tryAuthenticateToken(bearerToken, authFuture); UserToken authToken = authFuture.actionGet(); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/test/SecurityMocks.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/test/SecurityMocks.java index 5fd697962ee17..1b31cdddb5988 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/test/SecurityMocks.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/test/SecurityMocks.java 
@@ -23,12 +23,12 @@ import org.elasticsearch.common.settings.Settings; import org.elasticsearch.index.get.GetResult; import org.elasticsearch.index.shard.ShardId; -import org.elasticsearch.license.XPackLicenseState; -import org.elasticsearch.license.XPackLicenseState.Feature; +import org.elasticsearch.license.MockLicenseState; import org.elasticsearch.test.ESTestCase; import org.elasticsearch.threadpool.ThreadPool; import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.SecurityContext; +import org.elasticsearch.xpack.security.Security; import org.elasticsearch.xpack.security.authc.TokenService; import org.elasticsearch.xpack.security.authc.TokenServiceMock; import org.elasticsearch.xpack.security.support.SecurityIndexManager; @@ -164,8 +164,8 @@ public static TokenServiceMock tokenService(boolean enabled, ThreadPool threadPo final Clock clock = Clock.fixed(now, ESTestCase.randomZone()); final Client client = mock(Client.class); when(client.threadPool()).thenReturn(threadPool); - final XPackLicenseState licenseState = mock(XPackLicenseState.class); - when(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE)).thenReturn(true); + final MockLicenseState licenseState = mock(MockLicenseState.class); + when(licenseState.isAllowed(Security.TOKEN_SERVICE_FEATURE)).thenReturn(true); final ClusterService clusterService = mock(ClusterService.class); final SecurityContext securityContext = new SecurityContext(settings, threadPool.getThreadContext());