private String sha256(Path p) { if(!Files.isRegularFile(p, LinkOption.NOFOLLOW_LINKS)) { return ""; } if(!Files.isReadable(p)) { log.debug("Unreadable file "+p+" found"); return ""; } try { MessageDigest digester = MessageDigest.getInstance("SHA256"); final String hash = org.bouncycastle.util.encoders.Hex.toHexString(digester.digest(Files.readAllBytes(p))); log.debug(hash +" :: "+p); return hash; } catch (Exception e) { throw new ElasticsearchSecurityException("Unable to digest file "+p, e); } }
private AuthCredentials(final String username, byte[] password, Object nativeCredentials, String... backendRoles) { super(); if (username == null || username.isEmpty()) { throw new IllegalArgumentException("username must not be null or empty"); } this.username = username; // make defensive copy this.password = password == null ? null : Arrays.copyOf(password, password.length); if(this.password != null) { try { MessageDigest digester = MessageDigest.getInstance(DIGEST_ALGORITHM); internalPasswordHash = digester.digest(this.password); } catch (NoSuchAlgorithmException e) { throw new ElasticsearchSecurityException("Unable to digest password", e); } } else { internalPasswordHash = null; } if(password != null) { Arrays.fill(password, (byte) '\0'); password = null; } this.nativeCredentials = nativeCredentials; nativeCredentials = null; if(backendRoles != null && backendRoles.length > 0) { this.backendRoles.addAll(Arrays.asList(backendRoles)); } }
@Override public void fillRoles(User user, AuthCredentials credentials) throws ElasticsearchSecurityException { final Settings cfg = getConfigSettings(); if (cfg == null) { throw new ElasticsearchSecurityException("Internal authentication backend not configured. May be Search Guard is not initialized. See http://docs.search-guard.com/v6/sgadmin"); } final List<String> roles = cfg.getAsList(credentials.getUsername() + ".roles", Collections.emptyList()); if(roles != null && !roles.isEmpty() && user != null) { user.addRoles(roles); } } }
private User impersonate(final TransportRequest tr, final User origPKIuser) throws ElasticsearchSecurityException { final String impersonatedUser = threadPool.getThreadContext().getHeader("sg_impersonate_as"); if(Strings.isNullOrEmpty(impersonatedUser)) { return null; //nothing to do } if (!isInitialized()) { throw new ElasticsearchSecurityException("Could not check for impersonation because Search Guard is not yet initialized"); } if (origPKIuser == null) { throw new ElasticsearchSecurityException("no original PKI user found"); } User aU = origPKIuser; if (adminDns.isAdminDN(impersonatedUser)) { throw new ElasticsearchSecurityException("'"+origPKIuser.getName() + "' is not allowed to impersonate as an adminuser '" + impersonatedUser+"'"); } try { if (impersonatedUser != null && !adminDns.isTransportImpersonationAllowed(new LdapName(origPKIuser.getName()), impersonatedUser)) { throw new ElasticsearchSecurityException("'"+origPKIuser.getName() + "' is not allowed to impersonate as '" + impersonatedUser+"'"); } else if (impersonatedUser != null) { aU = new User(impersonatedUser); if(log.isDebugEnabled()) { log.debug("Impersonate from '{}' to '{}'",origPKIuser.getName(), impersonatedUser); } } } catch (final InvalidNameException e1) { throw new ElasticsearchSecurityException("PKI does not have a valid name ('" + origPKIuser.getName() + "'), should never happen", e1); } return aU; }
throw new ElasticsearchSecurityException("Cannot resolve address "+isa.getHostString()); throw new ElasticsearchSecurityException("Cannot handle this request. Remote address is "+request.getRemoteAddress()+" with request class "+request.getClass());
throw new ElasticsearchSecurityException("Could not check for impersonation because Search Guard is not yet initialized"); throw new ElasticsearchSecurityException("It is not allowed to impersonate as an adminuser '" + impersonatedUserHeader + "'", RestStatus.FORBIDDEN); throw new ElasticsearchSecurityException("'" + originalUser.getName() + "' is not allowed to impersonate as '" + impersonatedUserHeader + "'", RestStatus.FORBIDDEN); } else { throw new ElasticsearchSecurityException("No such user:" + impersonatedUserHeader, RestStatus.FORBIDDEN);
throw new ElasticsearchSecurityException("Internal authentication backend not configured. May be Search Guard is not initialized. See http://docs.search-guard.com/v6/sgadmin"); throw new ElasticsearchSecurityException(credentials.getUsername() + " not found"); throw new ElasticsearchSecurityException("empty passwords not supported"); throw new ElasticsearchSecurityException("password does not match");
if (threadContext.getHeader(ConfigConstants.SG_MASKED_FIELD_HEADER) != null) { if (!maskedFieldsMap.equals(Base64Helper.deserializeObject(threadContext.getHeader(ConfigConstants.SG_MASKED_FIELD_HEADER)))) { throw new ElasticsearchSecurityException(ConfigConstants.SG_MASKED_FIELD_HEADER + " does not match (SG 901D)"); } else { if (log.isDebugEnabled()) { throw new ElasticsearchSecurityException(ConfigConstants.SG_DLS_QUERY_HEADER + " does not match (SG 900D)"); throw new ElasticsearchSecurityException(ConfigConstants.SG_FLS_FIELDS_HEADER + " does not match (SG 901D)"); } else { if (log.isDebugEnabled()) {
listener.onFailure(new ElasticsearchSecurityException("Index is immutable", RestStatus.FORBIDDEN)); return true;
public PrivilegesEvaluatorResponse evaluate(final User user, String action0, final ActionRequest request, Task task) { throw new ElasticsearchSecurityException("Search Guard is not initialized.");
@Override public AuthCredentials extractCredentials(final RestRequest request, ThreadContext context) { if(context.getTransient(ConfigConstants.SG_XFF_DONE) != Boolean.TRUE) { throw new ElasticsearchSecurityException("xff not done"); } final String userHeader = settings.get("user_header"); final String rolesHeader = settings.get("roles_header"); final String rolesSeparator = settings.get("roles_separator", ","); if(log.isDebugEnabled()) { log.debug("headers {}", request.getHeaders()); log.debug("userHeader {}, value {}", userHeader, userHeader == null?null:request.header(userHeader)); log.debug("rolesHeader {}, value {}", rolesHeader, rolesHeader == null?null:request.header(rolesHeader)); } if (!Strings.isNullOrEmpty(userHeader) && !Strings.isNullOrEmpty((String) request.header(userHeader))) { String[] backendRoles = null; if (!Strings.isNullOrEmpty(rolesHeader) && !Strings.isNullOrEmpty((String) request.header(rolesHeader))) { backendRoles = ((String) request.header(rolesHeader)).split(rolesSeparator); } return new AuthCredentials((String) request.header(userHeader), backendRoles).markComplete(); } else { if(log.isTraceEnabled()) { log.trace("No '{}' header, send 401", userHeader); } return null; } }
auditLog.logMissingPrivileges(SearchScrollAction.NAME, transportRequest, context.getTask()); log.error("Wrong user {} in scroll context, expected {}", scrollUser, currentUser); throw new ElasticsearchSecurityException("Wrong user in scroll context", RestStatus.FORBIDDEN); throw new ElasticsearchSecurityException("No user in scroll context", RestStatus.FORBIDDEN);
listener.onFailure(new ElasticsearchSecurityException("No user found for "+action, RestStatus.INTERNAL_SERVER_ERROR)); return; listener.onFailure(new ElasticsearchSecurityException("Search Guard not initialized (SG11) for " + action+". See http://docs.search-guard.com/v6/sgadmin", RestStatus.SERVICE_UNAVAILABLE)); return; auditLog.logMissingPrivileges(action, request, task); log.debug("no permissions for {}", pres.getMissingPrivileges()); listener.onFailure(new ElasticsearchSecurityException("no permissions for " + pres.getMissingPrivileges()+" and "+user, RestStatus.FORBIDDEN)); return; listener.onFailure(new ElasticsearchSecurityException("Unexpected exception " + action, RestStatus.INTERNAL_SERVER_ERROR)); return;
transportChannel.sendResponse(new ElasticsearchSecurityException( "Internal or shard requests not allowed from a non-server node for transport type "+transportChannel.getChannelType())); return; Exception ex = new ElasticsearchSecurityException( "No SSL client certificates found for transport type "+transportChannel.getChannelType()+". Search Guard needs the Search Guard SSL plugin to be installed"); auditLog.logSSLException(request, ex, task.getAction(), task); transportChannel.sendResponse(new ElasticsearchSecurityException("Cannot authenticate "+getThreadContext().getTransient(ConfigConstants.SG_USER))); return; } else {
private String sha256(Path p) { if(!Files.isRegularFile(p, LinkOption.NOFOLLOW_LINKS)) { return ""; } if(!Files.isReadable(p)) { log.debug("Unreadable file "+p+" found"); return ""; } try { MessageDigest digester = MessageDigest.getInstance("SHA256"); final String hash = org.bouncycastle.util.encoders.Hex.toHexString(digester.digest(Files.readAllBytes(p))); log.debug(hash +" :: "+p); return hash; } catch (Exception e) { throw new ElasticsearchSecurityException("Unable to digest file "+p, e); } }
private AuthCredentials(final String username, byte[] password, Object nativeCredentials, String... backendRoles) { super(); if (username == null || username.isEmpty()) { throw new IllegalArgumentException("username must not be null or empty"); } this.username = username; // make defensive copy this.password = password == null ? null : Arrays.copyOf(password, password.length); if(this.password != null) { try { MessageDigest digester = MessageDigest.getInstance(DIGEST_ALGORITHM); internalPasswordHash = digester.digest(this.password); } catch (NoSuchAlgorithmException e) { throw new ElasticsearchSecurityException("Unable to digest password", e); } } else { internalPasswordHash = null; } if(password != null) { Arrays.fill(password, (byte) '\0'); password = null; } this.nativeCredentials = nativeCredentials; nativeCredentials = null; if(backendRoles != null && backendRoles.length > 0) { this.backendRoles.addAll(Arrays.asList(backendRoles)); } }
@Override public void fillRoles(User user, AuthCredentials credentials) throws ElasticsearchSecurityException { final Settings cfg = getConfigSettings(); if (cfg == null) { throw new ElasticsearchSecurityException("Internal authentication backend not configured. May be Search Guard is not initialized. See http://docs.search-guard.com/v6/sgadmin"); } final List<String> roles = cfg.getAsList(credentials.getUsername() + ".roles", Collections.emptyList()); if(roles != null && !roles.isEmpty() && user != null) { user.addRoles(roles); } } }
throw new ElasticsearchSecurityException("Cannot resolve address "+isa.getHostString()); throw new ElasticsearchSecurityException("Cannot handle this request. Remote address is "+request.getRemoteAddress()+" with request class "+request.getClass());
protected void checkRequest(final RestRequest request, final RestChannel channel) { if(SSLRequestHelper.containsBadHeader(threadContext, "_sg_ssl_")) { final ElasticsearchException exception = ExceptionUtils.createBadHeaderException(); errorHandler.logError(exception, request, 1); throw exception; } try { if(SSLRequestHelper.getSSLInfo(settings, configPath, request, null) == null) { logger.error("Not an SSL request"); throw new ElasticsearchSecurityException("Not an SSL request", RestStatus.INTERNAL_SERVER_ERROR); } } catch (SSLPeerUnverifiedException e) { logger.error("No client certificates found but such are needed (SG 8)."); errorHandler.logError(e, request, 0); throw ExceptionsHelper.convertToElastic(e); } } }
@Override public AuthCredentials extractCredentials(final RestRequest request, ThreadContext context) { if(context.getTransient(ConfigConstants.SG_XFF_DONE) != Boolean.TRUE) { throw new ElasticsearchSecurityException("xff not done"); } final String userHeader = settings.get("user_header"); final String rolesHeader = settings.get("roles_header"); final String rolesSeparator = settings.get("roles_separator", ","); if(log.isDebugEnabled()) { log.debug("headers {}", request.getHeaders()); log.debug("userHeader {}, value {}", userHeader, userHeader == null?null:request.header(userHeader)); log.debug("rolesHeader {}, value {}", rolesHeader, rolesHeader == null?null:request.header(rolesHeader)); } if (!Strings.isNullOrEmpty(userHeader) && !Strings.isNullOrEmpty((String) request.header(userHeader))) { String[] backendRoles = null; if (!Strings.isNullOrEmpty(rolesHeader) && !Strings.isNullOrEmpty((String) request.header(rolesHeader))) { backendRoles = ((String) request.header(rolesHeader)).split(rolesSeparator); } return new AuthCredentials((String) request.header(userHeader), backendRoles).markComplete(); } else { if(log.isTraceEnabled()) { log.trace("No '{}' header, send 401", userHeader); } return null; } }