From 8d84b57941c389ee15a8237e0f055c8e4b1ee8df Mon Sep 17 00:00:00 2001
From: Dale McDiarmid
Date: Mon, 16 Jan 2017 15:17:18 +0000
Subject: [PATCH] Xpack tests + protection against reserved roles and users
---
 filter_plugins/custom.py | 9 ++++-
 .../elasticsearch-security-native.yml | 19 ++++-----
 .../helpers/serverspec/xpack_spec.rb | 39 +++++++------------
 .../xpack-5x/serverspec/default_spec.rb | 2 +-
 4 files changed, 30 insertions(+), 39 deletions(-)
diff --git a/filter_plugins/custom.py b/filter_plugins/custom.py
index 96570ec..82b0efa 100644
--- a/filter_plugins/custom.py
+++ b/filter_plugins/custom.py
@@ -28,10 +28,16 @@ def extract_role_users(users={}):
 role_users.append(role+":"+user)
 return role_users
-
 def filename(filename=''):
 return os.path.splitext(os.path.basename(filename))[0]
+def filter_reserved(user_roles={}):
+ not_reserved = []
+ for user_role,details in user_roles.items():
+ if not "metadata" in details or not "_reserved" in details["metadata"] or not details["metadata"]["_reserved"]:
+ not_reserved.append(user_role)
+ return not_reserved
+
 class FilterModule(object):
 def filters(self):
@@ -39,5 +45,6 @@ class FilterModule(object):
 'append_to_list':append_to_list,
 'array_to_str':array_to_str,
 'extract_role_users':extract_role_users,
+ 'filter_reserved':filter_reserved,
 'filename':filename}
diff --git a/handlers/security/elasticsearch-security-native.yml b/handlers/security/elasticsearch-security-native.yml
index df0546d..80546ce 100644
--- a/handlers/security/elasticsearch-security-native.yml
+++ b/handlers/security/elasticsearch-security-native.yml
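Review bot: filter_reserved in the first hunk chains three negated `in` tests to decide that an entry is not reserved, and the middle test dereferences `details["metadata"]` directly, so if the API ever returns a `metadata` of `null` for an entry the `"_reserved" in details["metadata"]` check raises TypeError instead of treating the entry as unreserved; the same rule reads more clearly and defensively with `dict.get` defaults, and `user_roles={}` is a mutable default argument that should be `None`. The result feeds `users_to_remove` and `roles_to_remove` in the handler, so the function deserves a docstring saying that it returns the names that are not reserved and that the caller passes the raw `_xpack/security/user` or `_xpack/security/role` response body. The second hunk, which only registers the filter, needs no change.
```python
def filter_reserved(user_roles=None):
    """Return the names in *user_roles* whose metadata does not mark them reserved.

    *user_roles* is the JSON body of a GET on _xpack/security/user or
    _xpack/security/role (name -> definition).  Entries without a truthy
    metadata._reserved flag are the ones the playbook may delete or overwrite.
    """
    user_roles = user_roles or {}
    not_reserved = []
    for name, details in user_roles.items():
        metadata = details.get("metadata") or {}
        if not metadata.get("_reserved", False):
            not_reserved.append(name)
    return not_reserved
```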
@@ -28,8 +28,8 @@
 register: user_list_response
 when: manage_native_users
-#Current users not inc. the elastic user which is reserved and cannot be deleted
-- set_fact: current_users={{user_list_response.json.keys() | list | difference(['elastic'] )}}
+#Current users not inc. those reserved
+- set_fact: current_users={{ user_list_response.json | filter_reserved }}
 when: manage_native_users
 #Identify non declared users
@@ -48,11 +48,10 @@
 when: manage_native_users and users_to_remove | length > 0
 with_items: "{{users_to_remove}}"
-
 #Overwrite all other users
 - name: Update Native Users
 uri:
- url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/{{item.key}}
+ url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/user/{{item.key}}
 method: POST
 body_format: json
 body: "{{item.value | to_json}}"
@@ -61,11 +60,10 @@
 password: "{{es_api_basic_auth_password}}"
 force_basic_auth: yes
 when: manage_native_users and es_users.native.keys() > 0
- no_log: True
+ #no_log: True
 with_dict: "{{es_users.native}}"
-#List current roles
-
+#List current roles not. inc those reserved
 - name: List Native Roles
 uri:
 url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/role
@@ -78,11 +76,8 @@
 register: role_list_response
 when: manage_native_roles
-#Identify undeclared roles
-
-- set_fact: current_roles={{role_list_response.json.keys() | list}}
- when: manage_native_users
-
+- set_fact: current_roles={{ role_list_response.json | filter_reserved }}
+ when: manage_native_roles
 - debug: msg="{{current_roles}}"
 - set_fact: roles_to_remove={{ current_roles | difference ( es_roles.native.keys() ) }}
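Review bot: Replacing `no_log: True` with `#no_log: True` on the `Update Native Users` task (third hunk) leaks credentials into the Ansible output and log: the task POSTs `body: "{{item.value | to_json}}"`, which is the full per-user definition from `es_users.native` (the object that carries a native user's password when it is created), and the uri module also holds `password: "{{es_api_basic_auth_password}}"`, so with `no_log` disabled every `with_dict` iteration prints the request and its response. Keep `no_log: True` in the committed handler; if it was disabled while debugging the endpoint fix in the second hunk, that is done now that the path is `/_xpack/security/user/{{item.key}}`. The other hunks (switching the current-user and current-role facts to `filter_reserved` and correcting the `when: manage_native_roles` guard) look right as written.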
@@ -1,6 +1,6 @@
 require 'spec_helper'
-shared_examples 'xpack::init' do |es_version|
+shared_examples 'xpack::init' do |es_version,plugins|
 describe user('elasticsearch') do
 it { should exist }
@@ -19,7 +19,7 @@ shared_examples 'xpack::init' do |es_version|
 it { should be_owned_by 'elasticsearch' }
 end
- describe file('/etc/elasticsearch/security_node/logging.yml') do
+ describe file('/etc/elasticsearch/security_node/log4j2.properties') do
 it { should be_file }
 it { should be_owned_by 'elasticsearch' }
 end
@@ -29,7 +29,6 @@ shared_examples 'xpack::init' do |es_version|
 it { should contain 'cluster.name: elasticsearch' }
 it { should contain 'path.conf: /etc/elasticsearch/security_node' }
 it { should contain 'path.data: /var/lib/elasticsearch/localhost-security_node' }
- it { should contain 'path.work: /tmp/elasticsearch/localhost-security_node' }
 it { should contain 'path.logs: /var/log/elasticsearch/localhost-security_node' }
 end
@@ -77,17 +76,6 @@ shared_examples 'xpack::init' do |es_version|
 it { should be_owned_by 'elasticsearch' }
 end
-
- #Check x-pack and license plugins are installed
- describe file('/usr/share/elasticsearch/plugins/license') do
- it { should be_directory }
- it { should be_owned_by 'elasticsearch' }
- end
-
- describe command('curl -s localhost:9200/_nodes/plugins?pretty=true -u es_admin:changeMe | grep license') do
- its(:exit_status) { should eq 0 }
- end
-
 #Test if x-pack is activated
 describe 'x-pack activation' do
 it 'should be activated and valid' do
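Review bot: The new `plugins` block parameter in the first hunk has no default, so any spec that still does `include_examples 'xpack::init', "<version>"` with a single argument receives `plugins == nil`, and the plugin loop this commit adds further down the file then raises NoMethodError for the whole example group; declare it as `shared_examples 'xpack::init' do |es_version, plugins = []|` so older callers keep passing. The remaining hunks on this line (log4j2.properties, dropping `path.work`, dropping the license plugin checks) are straightforward removals for 5.x and raise nothing. The shared_examples body continues well past these hunks.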
@@ -116,16 +104,17 @@ shared_examples 'xpack::init' do |es_version|
 it { should be_owned_by 'elasticsearch' }
 end
- describe file('/usr/share/elasticsearch/plugins/kopf') do
- it { should be_directory }
- it { should be_owned_by 'elasticsearch' }
- end
+ for plugin in plugins
+ describe file('/usr/share/elasticsearch/plugins/'+plugin) do
+ it { should be_directory }
+ it { should be_owned_by 'elasticsearch' }
+ end
- describe command('curl -s localhost:9200/_nodes/plugins?pretty=true -u es_admin:changeMe | grep kopf') do
- its(:exit_status) { should eq 0 }
+ describe command('curl -s -u es_admin:changeMe localhost:9200/_nodes/plugins?pretty=true | grep '+plugin) do
+ its(:exit_status) { should eq 0 }
+ end
 end
- #Test users file, users_roles and roles.yml
 describe file('/etc/elasticsearch/security_node/x-pack/users_roles') do
 it { should be_owned_by 'elasticsearch' }
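Review bot: `for plugin in plugins` is the one non-block construct in a file that otherwise nests everything with `describe ... do`; a Ruby `for` loop does not open a new scope, so `plugin` stays defined in the example group after the loop, and the idiomatic form here is `plugins.each do |plugin|` with a matching `end`, which also keeps the indentation consistent with the surrounding blocks. The generated `grep '+plugin` is an unanchored substring match against the whole `_nodes/plugins` document, so a plugin name that is a prefix of another installed plugin's name would pass; `grep -w` or quoting the name in the pattern makes the check exact. The enclosing shared_examples block starts and ends outside this hunk.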
@@ -148,19 +137,19 @@ shared_examples 'xpack::init' do |es_version|
 #Test native roles and users are loaded
- describe command('curl -s localhost:9200/_xpack/security/user -u es_admin:changeMe | md5sum | grep 557a730df7136694131b5b7012a5ffad') do
+ describe command('curl -s localhost:9200/_xpack/security/user -u es_admin:changeMe | md5sum | grep 243b362bd47623c0b91a1fafbce2b6f5') do
 its(:exit_status) { should eq 0 }
 end
- describe command('curl -s localhost:9200/_xpack/security/user -u es_admin:changeMe | grep "{\"kibana4_server\":{\"username\":\"kibana4_server\",\"roles\":\[\"kibana4_server\"\],\"full_name\":null,\"email\":null,\"metadata\":{}}}"') do
+ describe command('curl -s localhost:9200/_xpack/security/user -u es_admin:changeMe | grep "{\"elastic\":{\"username\":\"elastic\",\"roles\":\[\"superuser\"\],\"full_name\":null,\"email\":null,\"metadata\":{\"_reserved\":true},\"enabled\":true},\"kibana\":{\"username\":\"kibana\",\"roles\":\[\"kibana\"\],\"full_name\":null,\"email\":null,\"metadata\":{\"_reserved\":true},\"enabled\":true},\"kibana4_server\":{\"username\":\"kibana4_server\",\"roles\":\[\"kibana4_server\"\],\"full_name\":null,\"email\":null,\"metadata\":{},\"enabled\":true}}"') do
 its(:exit_status) { should eq 0 }
 end
- describe command('curl -s localhost:9200/_xpack/security/role -u es_admin:changeMe | grep "{\"logstash\":{\"cluster\":\[\"manage_index_templates\"\],\"indices\":\[{\"names\":\[\"logstash-\*\"\],\"privileges\":\[\"write\",\"delete\",\"create_index\"\]}\],\"run_as\":\[\]}}"') do
+ describe command('curl -s localhost:9200/_xpack/security/role -u es_admin:changeMe | grep 
"{\"superuser\":{\"cluster\":\[\"all\"\],\"indices\":\[{\"names\":\[\"\*\"\],\"privileges\":\[\"all\"\]}\],\"run_as\":\[\"\*\"\],\"metadata\":{\"_reserved\":true}},\"transport_client\":{\"cluster\":\[\"transport_client\"\],\"indices\":\[\],\"run_as\":\[\],\"metadata\":{\"_reserved\":true}},\"kibana_user\":{\"cluster\":\[\"monitor\"\],\"indices\":\[{\"names\":\[\".kibana\*\"\],\"privileges\":\[\"manage\",\"read\",\"index\",\"delete\"\]}\],\"run_as\":\[\],\"metadata\":{\"_reserved\":true}},\"monitoring_user\":{\"cluster\":\[\],\"indices\":\[{\"names\":\[\"\.marvel-es-\*\",\".monitoring-\*\"\],\"privileges\":\[\"read\"\]}\],\"run_as\":\[\],\"metadata\":{\"_reserved\":true}},\"remote_monitoring_agent\":{\"cluster\":\[\"manage_index_templates\",\"manage_ingest_pipelines\",\"monitor\"\],\"indices\":\[{\"names\":\[\"\.marvel-es-\*\",\"\.monitoring-\*\"\],\"privileges\":\[\"all\"\]}\],\"run_as\":\[\],\"metadata\":{\"_reserved\":true}},\"ingest_admin\":{\"cluster\":\[\"manage_index_templates\",\"manage_pipeline\"\],\"indices\":\[\],\"run_as\":\[\],\"metadata\":{\"_reserved\":true}},\"reporting_user\":{\"cluster\":\[\],\"indices\":\[{\"names\":\[\"\.reporting-\*\"\],\"privileges\":\[\"read\",\"write\"\]}\],\"run_as\":\[\],\"metadata\":{\"_reserved\":true}},\"logstash\":{\"cluster\":\[\"manage_index_templates\"\],\"indices\":\[{\"names\":\[\"logstash-\*\"\],\"privileges\":\[\"write\",\"delete\",\"create_index\"\]}\],\"run_as\":\[\],\"metadata\":{}}}"') do its(:exit_status) { should eq 0 } end - describe command('curl -s localhost:9200/_xpack/security/role -u es_admin:changeMe | md5sum | grep 6d14f09ef1eea64adf4d4a9c04229629') do + describe command('curl -s localhost:9200/_xpack/security/role -u es_admin:changeMe | md5sum | grep 78a0696c9c9690042cec2c1f16860cfc') do its(:exit_status) { should eq 0 } end diff --git a/test/integration/xpack-5x/serverspec/default_spec.rb b/test/integration/xpack-5x/serverspec/default_spec.rb index eb9bef2..bbf646c 100644 
--- a/test/integration/xpack-5x/serverspec/default_spec.rb
+++ b/test/integration/xpack-5x/serverspec/default_spec.rb
@@ -1,5 +1,5 @@
 require 'xpack_spec'
 describe 'Xpack Tests v 5.x' do
- include_examples 'xpack::init', "5.1.2"
+ include_examples 'xpack::init', "5.1.2", ["ingest-geoip"]
 end