Merge pull request #9 from NihalHarish/migration_branch

Support for Elasticsearch 6.7.1

.gitignore

@@ -30,3 +30,5 @@ data/
 puppet/.vagrant
 test.sh
 .vagrant/
+.idea/
+*.iml

pom.xml

@@ -20,11 +20,11 @@
   <parent>
     <groupId>com.amazon.opendistroforelasticsearch</groupId>
     <artifactId>opendistro_security_parent</artifactId>
-    <version>0.8.0.0</version>
+    <version>0.9.0.0</version>
   </parent>
 
   <artifactId>opendistro_security_advanced_modules</artifactId>
-  <version>0.8.0.0</version>
+  <version>0.9.0.0</version>
   <packaging>jar</packaging>
 
   <name>Open Distro For Elasticsearch Advanced Modules</name>
@@ -33,8 +33,8 @@
   <inceptionYear>2016</inceptionYear>
 
   <properties>
-    <security.version>0.8.0.0</security.version>
-    <elasticsearch.version>6.6.2</elasticsearch.version>
+    <security.version>0.9.0.0</security.version>
+    <elasticsearch.version>6.7.1</elasticsearch.version>
 
     <!-- deps -->
     <log4j.version>2.11.1</log4j.version>
@@ -54,7 +54,7 @@
     <url>https://github.com/opendistro-for-elasticsearch/security-advanced-modules</url>
     <connection>scm:git:[email protected]:opendistro-for-elasticsearch/security-advanced-modules.git</connection>
     <developerConnection>scm:git:[email protected]:opendistro-for-elasticsearch/security-advanced-modules.git</developerConnection>
-    <tag>v0.8.0.0</tag>
+    <tag>v0.9.0.0</tag>
   </scm>
 
   <issueManagement>
@@ -367,8 +367,9 @@
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-surefire-plugin</artifactId>
-        <version>3.0.0-M2</version>
+        <version>3.0.0-M3</version>
         <configuration>
+          <argLine>-Xmx3072m</argLine>
           <rerunFailingTestsCount>3</rerunFailingTestsCount>
           <forkCount>3</forkCount>
           <reuseForks>true</reuseForks>

src/main/java/com/amazon/dlic/auth/http/jwt/HTTPJwtAuthenticator.java

@@ -152,7 +152,9 @@ private AuthCredentials extractCredentials0(final RestRequest request) {
         if((index = jwtToken.toLowerCase().indexOf(BEARER)) > -1) { //detect Bearer
             jwtToken = jwtToken.substring(index+BEARER.length());
         } else {
-        	log.warn("No Bearer scheme found in header");
+            if(log.isDebugEnabled()) {
+                log.debug("No Bearer scheme found in header");
+            }
         }
 
         try {

src/main/java/com/amazon/dlic/auth/http/kerberos/HTTPSpnegoAuthenticator.java

@@ -25,6 +25,10 @@
 import java.security.PrivilegedActionException;
 import java.security.PrivilegedExceptionAction;
 import java.util.Base64;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Set;
+
 
 import javax.security.auth.Subject;
 import javax.security.auth.login.LoginException;
@@ -48,6 +52,7 @@
 import org.ietf.jgss.GSSException;
 import org.ietf.jgss.GSSManager;
 import org.ietf.jgss.GSSName;
+import org.ietf.jgss.Oid;
 
 import com.amazon.dlic.auth.http.kerberos.util.JaasKrbUtil;
 import com.amazon.dlic.auth.http.kerberos.util.KrbConstants;
@@ -58,11 +63,12 @@
 public class HTTPSpnegoAuthenticator implements HTTPAuthenticator {
 
     private static final String EMPTY_STRING = "";
+    private static final Oid[] KRB_OIDS = new Oid[] {KrbConstants.SPNEGO, KrbConstants.KRB5MECH};
 
     protected final Logger log = LogManager.getLogger(this.getClass());
 
     private boolean stripRealmFromPrincipalName;
-    private String acceptorPrincipal;
+    private Set<String> acceptorPrincipal;
     private Path acceptorKeyTabPath;
 
     public HTTPSpnegoAuthenticator(final Settings settings, final Path configPath) {
@@ -123,10 +129,10 @@ public Void run() {
                     }
 
                     stripRealmFromPrincipalName = settings.getAsBoolean("strip_realm_from_principal", true);
-                    acceptorPrincipal = settings.get("opendistro_security.kerberos.acceptor_principal");
+                    acceptorPrincipal = new HashSet<>(settings.getAsList("opendistro_security.kerberos.acceptor_principal", Collections.emptyList()));
                     final String _acceptorKeyTabPath = settings.get("opendistro_security.kerberos.acceptor_keytab_filepath");
 
-                    if(acceptorPrincipal == null || acceptorPrincipal.length() == 0) {
+                    if(acceptorPrincipal == null || acceptorPrincipal.size() == 0) {
                         log.error("acceptor_principal must not be null or empty. Kerberos authentication will not work");
                         acceptorPrincipal = null;
                     }
@@ -207,7 +213,7 @@ private AuthCredentials extractCredentials0(final RestRequest request) {
                     final PrivilegedExceptionAction<GSSCredential> action = new PrivilegedExceptionAction<GSSCredential>() {
                         @Override
                         public GSSCredential run() throws GSSException {
-                            return manager.createCredential(null, credentialLifetime, KrbConstants.SPNEGO, GSSCredential.ACCEPT_ONLY);
+                            return manager.createCredential(null, credentialLifetime, KRB_OIDS, GSSCredential.ACCEPT_ONLY);
                         }
                     };
                     gssContext = manager.createContext(Subject.doAs(subject, action));

src/main/java/com/amazon/dlic/auth/http/kerberos/util/JaasKrbUtil.java

@@ -78,13 +78,17 @@ public static Subject loginUsingTicketCache(final String principal, final Path c
      return loginContext.getSubject();
  }
 
- public static Subject loginUsingKeytab(final String principal, final Path keytabPath, final boolean initiator) throws LoginException {
+ public static Subject loginUsingKeytab(final Set<String> principalAsStrings, final Path keytabPath, final boolean initiator) throws LoginException {
      final Set<Principal> principals = new HashSet<Principal>();
-     principals.add(new KerberosPrincipal(principal));
+
+     for(String p: principalAsStrings) {
+         principals.add(new KerberosPrincipal(p));
+     }
+
 
      final Subject subject = new Subject(false, principals, new HashSet<Object>(), new HashSet<Object>());
 
-     final Configuration conf = useKeytab(principal, keytabPath, initiator);
+     final Configuration conf = useKeytab("*", keytabPath, initiator);
      final String confName = "KeytabConf";
      final LoginContext loginContext = new LoginContext(confName, subject, null, conf);
      loginContext.login();

src/main/java/com/amazon/dlic/auth/http/kerberos/util/KrbConstants.java

@@ -22,15 +22,19 @@ public final class KrbConstants {
 
  static {
      Oid spnegoTmp = null;
+     Oid krbTmp = null;
      try {
          spnegoTmp = new Oid("1.3.6.1.5.5.2");
+         krbTmp = new Oid("1.2.840.113554.1.2.2");
      } catch (final GSSException e) {
 
      }
      SPNEGO = spnegoTmp;
+     KRB5MECH = krbTmp;
  }
 
  public static final Oid SPNEGO;
+ public static final Oid KRB5MECH;
  public static final String KRB5_CONF_PROP = "java.security.krb5.conf";
  public static final String JAAS_LOGIN_CONF_PROP = "java.security.auth.login.config";
  public static final String USE_SUBJECT_CREDS_ONLY_PROP = "javax.security.auth.useSubjectCredsOnly";

src/main/java/com/amazon/dlic/auth/ldap/LdapUser.java

@@ -21,6 +21,7 @@
 import org.ldaptive.LdapAttribute;
 import org.ldaptive.LdapEntry;
 
+import com.amazon.dlic.auth.ldap.util.Utils;
 import com.amazon.opendistroforelasticsearch.security.support.WildcardMatcher;
 import com.amazon.opendistroforelasticsearch.security.user.AuthCredentials;
 import com.amazon.opendistroforelasticsearch.security.user.User;
@@ -43,7 +44,7 @@ public LdapUser(final String name, String originalUsername, final LdapEntry user
         if (customAttrMaxValueLen > 0) {
             for (LdapAttribute attr : userEntry.getAttributes()) {
                 if (attr != null && !attr.isBinary() && !attr.getName().toLowerCase().contains("password")) {
-                    final String val = attr.getStringValue();
+                    final String val = Utils.getSingleStringValue(attr);
                     // only consider attributes which are not binary and where its value is not
                     // longer than customAttrMaxValueLen characters
                     if (val != null && val.length() > 0 && val.length() <= customAttrMaxValueLen) {

src/main/java/com/amazon/dlic/auth/ldap/backend/LDAPAuthenticationBackend.java

@@ -41,6 +41,7 @@
 import org.ldaptive.LdapEntry;
 import org.ldaptive.LdapException;
 import org.ldaptive.Response;
+import org.ldaptive.SearchFilter;
 import org.ldaptive.SearchScope;
 
 import com.amazon.dlic.auth.ldap.LdapUser;
@@ -53,14 +54,10 @@
 
 public class LDAPAuthenticationBackend implements AuthenticationBackend {
 
-    static final String ZERO_PLACEHOLDER = "{0}";
+    static final int ZERO_PLACEHOLDER = 0;
     static final String DEFAULT_USERBASE = "";
     static final String DEFAULT_USERSEARCH_PATTERN = "(sAMAccountName={0})";
 
-    static {
-        Utils.init();
-    }
-
     protected static final Logger log = LogManager.getLogger(LDAPAuthenticationBackend.class);
 
     private final Settings settings;
@@ -77,7 +74,7 @@ public LDAPAuthenticationBackend(final Settings settings, final Path configPath)
     public User authenticate(final AuthCredentials credentials) throws ElasticsearchSecurityException {
 
         Connection ldapConnection = null;
-        final String user = Utils.escapeStringRfc2254(credentials.getUsername());
+        final String user =credentials.getUsername();
         byte[] password = credentials.getPassword();
 
         try {
@@ -129,7 +126,7 @@ public Response<Void> run() throws LdapException {
             String username = dn;
 
             if (usernameAttribute != null && entry.getAttribute(usernameAttribute) != null) {
-                username = entry.getAttribute(usernameAttribute).getStringValue();
+                username = Utils.getSingleStringValue(entry.getAttribute(usernameAttribute));
             }
 
             if (log.isDebugEnabled()) {
@@ -225,15 +222,18 @@ static LdapEntry exists(final String user, Connection ldapConnection, Settings s
 
     private static LdapEntry existsSearchingUntilFirstHit(final String user, Connection ldapConnection,
             List<Map.Entry<String, Settings>> userBaseSettings) throws Exception {
-        final String username = Utils.escapeStringRfc2254(user);
+        final String username = user;
 
         for (Map.Entry<String, Settings> entry : userBaseSettings) {
             Settings baseSettings = entry.getValue();
 
+            SearchFilter f = new SearchFilter();
+            f.setFilter(baseSettings.get(ConfigConstants.LDAP_AUTHCZ_SEARCH, DEFAULT_USERSEARCH_PATTERN));
+            f.setParameter(ZERO_PLACEHOLDER, username);
+
             List<LdapEntry> result = LdapHelper.search(ldapConnection,
                     baseSettings.get(ConfigConstants.LDAP_AUTHCZ_BASE, DEFAULT_USERBASE),
-                    baseSettings.get(ConfigConstants.LDAP_AUTHCZ_SEARCH, DEFAULT_USERSEARCH_PATTERN)
-                            .replace(ZERO_PLACEHOLDER, username),
+                    f,
                     SearchScope.SUBTREE);
 
             if (log.isDebugEnabled()) {
@@ -250,16 +250,19 @@ private static LdapEntry existsSearchingUntilFirstHit(final String user, Connect
 
     private static LdapEntry existsSearchingAllBases(final String user, Connection ldapConnection,
             List<Map.Entry<String, Settings>> userBaseSettings) throws Exception {
-        final String username = Utils.escapeStringRfc2254(user);
+        final String username = user;
         Set<LdapEntry> result = new HashSet<>();
 
         for (Map.Entry<String, Settings> entry : userBaseSettings) {
             Settings baseSettings = entry.getValue();
 
+            SearchFilter f = new SearchFilter();
+            f.setFilter(baseSettings.get(ConfigConstants.LDAP_AUTHCZ_SEARCH, DEFAULT_USERSEARCH_PATTERN));
+            f.setParameter(ZERO_PLACEHOLDER, username);
+
             List<LdapEntry> foundEntries = LdapHelper.search(ldapConnection,
                     baseSettings.get(ConfigConstants.LDAP_AUTHCZ_BASE, DEFAULT_USERBASE),
-                    baseSettings.get(ConfigConstants.LDAP_AUTHCZ_SEARCH, DEFAULT_USERSEARCH_PATTERN)
-                            .replace(ZERO_PLACEHOLDER, username),
+                    f,
                     SearchScope.SUBTREE);
 
             if (log.isDebugEnabled()) {