Use settings from the context in BootstrapChecks (#32908)

Use settings from the context in BootstrapChecks instead of passing them in the constructor
elastic · Aug 20, 2018 · 6905ca9 · 6905ca9
1 parent a883e7d
commit 6905ca9
Show file tree

Hide file tree

Showing 7 changed files with 29 additions and 45 deletions.
diff --git a/...rity/src/main/java/org/elasticsearch/xpack/security/FIPS140JKSKeystoreBootstrapCheck.java b/...rity/src/main/java/org/elasticsearch/xpack/security/FIPS140JKSKeystoreBootstrapCheck.java
@@ -13,12 +13,6 @@
 
 public class FIPS140JKSKeystoreBootstrapCheck implements BootstrapCheck {
 
- private final boolean fipsModeEnabled;
-
- FIPS140JKSKeystoreBootstrapCheck(Settings settings) {
- this.fipsModeEnabled = XPackSettings.FIPS_MODE_ENABLED.get(settings);
- }
-
  /**
  * Test if the node fails the check.
  *
@@ -28,7 +22,7 @@ public class FIPS140JKSKeystoreBootstrapCheck implements BootstrapCheck {
  @Override
  public BootstrapCheckResult check(BootstrapContext context) {
 
- if (fipsModeEnabled) {
+ if (XPackSettings.FIPS_MODE_ENABLED.get(context.settings)) {
  final Settings settings = context.settings;
  Settings keystoreTypeSettings = settings.filter(k -> k.endsWith("keystore.type"))
  .filter(k -> settings.get(k).equalsIgnoreCase("jks"));
@@ -50,6 +44,6 @@ public BootstrapCheckResult check(BootstrapContext context) {
 
  @Override
  public boolean alwaysEnforce() {
- return fipsModeEnabled;
+ return true;
  }
 }
diff --git a/...security/src/main/java/org/elasticsearch/xpack/security/FIPS140LicenseBootstrapCheck.java b/...security/src/main/java/org/elasticsearch/xpack/security/FIPS140LicenseBootstrapCheck.java
@@ -10,6 +10,7 @@
 import org.elasticsearch.bootstrap.BootstrapContext;
 import org.elasticsearch.license.License;
 import org.elasticsearch.license.LicenseService;
+import org.elasticsearch.xpack.core.XPackSettings;
 
 import java.util.EnumSet;
 
@@ -21,15 +22,9 @@ final class FIPS140LicenseBootstrapCheck implements BootstrapCheck {
  static final EnumSet<License.OperationMode> ALLOWED_LICENSE_OPERATION_MODES =
  EnumSet.of(License.OperationMode.PLATINUM, License.OperationMode.TRIAL);
 
- private final boolean isInFipsMode;
-
- FIPS140LicenseBootstrapCheck(boolean isInFipsMode) {
- this.isInFipsMode = isInFipsMode;
- }
-
  @Override
  public BootstrapCheckResult check(BootstrapContext context) {
- if (isInFipsMode) {
+ if (XPackSettings.FIPS_MODE_ENABLED.get(context.settings)) {
  License license = LicenseService.getLicense(context.metaData);
  if (license != null && ALLOWED_LICENSE_OPERATION_MODES.contains(license.operationMode()) == false) {
  return BootstrapCheckResult.failure("FIPS mode is only allowed with a Platinum or Trial license");

diff --git a/.../java/org/elasticsearch/xpack/security/FIPS140PasswordHashingAlgorithmBootstrapCheck.java b/.../java/org/elasticsearch/xpack/security/FIPS140PasswordHashingAlgorithmBootstrapCheck.java
@@ -7,19 +7,12 @@
 
 import org.elasticsearch.bootstrap.BootstrapCheck;
 import org.elasticsearch.bootstrap.BootstrapContext;
-import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.xpack.core.XPackSettings;
 
 import java.util.Locale;
 
 public class FIPS140PasswordHashingAlgorithmBootstrapCheck implements BootstrapCheck {
 
- private final boolean fipsModeEnabled;
-
- FIPS140PasswordHashingAlgorithmBootstrapCheck(final Settings settings) {
- this.fipsModeEnabled = XPackSettings.FIPS_MODE_ENABLED.get(settings);
- }
-
  /**
  * Test if the node fails the check.
  *
@@ -28,7 +21,7 @@ public class FIPS140PasswordHashingAlgorithmBootstrapCheck implements BootstrapC
  */
  @Override
  public BootstrapCheckResult check(final BootstrapContext context) {
- if (fipsModeEnabled) {
+ if (XPackSettings.FIPS_MODE_ENABLED.get(context.settings)) {
  final String selectedAlgorithm = XPackSettings.PASSWORD_HASHING_ALGORITHM.get(context.settings);
  if (selectedAlgorithm.toLowerCase(Locale.ROOT).startsWith("pbkdf2") == false) {
  return BootstrapCheckResult.failure("Only PBKDF2 is allowed for password hashing in a FIPS-140 JVM. Please set the " +

diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java
@@ -300,9 +300,9 @@ public Security(Settings settings, final Path configPath) {
  new PkiRealmBootstrapCheck(getSslService()),
  new TLSLicenseBootstrapCheck(),
  new FIPS140SecureSettingsBootstrapCheck(settings, env),
- new FIPS140JKSKeystoreBootstrapCheck(settings),
- new FIPS140PasswordHashingAlgorithmBootstrapCheck(settings),
- new FIPS140LicenseBootstrapCheck(XPackSettings.FIPS_MODE_ENABLED.get(settings))));
+ new FIPS140JKSKeystoreBootstrapCheck(),
+ new FIPS140PasswordHashingAlgorithmBootstrapCheck(),
+ new FIPS140LicenseBootstrapCheck()));
  checks.addAll(InternalRealms.getBootstrapChecks(settings, env));
  this.bootstrapChecks = Collections.unmodifiableList(checks);
  Automatons.updateMaxDeterminizedStates(settings);

diff --git a/...src/test/java/org/elasticsearch/xpack/security/FIPS140JKSKeystoreBootstrapCheckTests.java b/...src/test/java/org/elasticsearch/xpack/security/FIPS140JKSKeystoreBootstrapCheckTests.java
@@ -14,53 +14,53 @@ public class FIPS140JKSKeystoreBootstrapCheckTests extends ESTestCase {
  public void testNoKeystoreIsAllowed() {
  final Settings.Builder settings = Settings.builder()
  .put("xpack.security.fips_mode.enabled", "true");
- assertFalse(new FIPS140JKSKeystoreBootstrapCheck(settings.build()).check(new BootstrapContext(settings.build(), null)).isFailure());
+ assertFalse(new FIPS140JKSKeystoreBootstrapCheck().check(new BootstrapContext(settings.build(), null)).isFailure());
  }
 
  public void testSSLKeystoreTypeIsNotAllowed() {
  final Settings.Builder settings = Settings.builder()
  .put("xpack.security.fips_mode.enabled", "true")
  .put("xpack.ssl.keystore.path", "/this/is/the/path")
  .put("xpack.ssl.keystore.type", "JKS");
- assertTrue(new FIPS140JKSKeystoreBootstrapCheck(settings.build()).check(new BootstrapContext(settings.build(), null)).isFailure());
+ assertTrue(new FIPS140JKSKeystoreBootstrapCheck().check(new BootstrapContext(settings.build(), null)).isFailure());
  }
 
  public void testSSLImplicitKeystoreTypeIsNotAllowed() {
  final Settings.Builder settings = Settings.builder()
  .put("xpack.security.fips_mode.enabled", "true")
  .put("xpack.ssl.keystore.path", "/this/is/the/path")
  .put("xpack.ssl.keystore.type", "JKS");
- assertTrue(new FIPS140JKSKeystoreBootstrapCheck(settings.build()).check(new BootstrapContext(settings.build(), null)).isFailure());
+ assertTrue(new FIPS140JKSKeystoreBootstrapCheck().check(new BootstrapContext(settings.build(), null)).isFailure());
  }
 
  public void testTransportSSLKeystoreTypeIsNotAllowed() {
  final Settings.Builder settings = Settings.builder()
  .put("xpack.security.fips_mode.enabled", "true")
  .put("xpack.security.transport.ssl.keystore.path", "/this/is/the/path")
  .put("xpack.security.transport.ssl.keystore.type", "JKS");
- assertTrue(new FIPS140JKSKeystoreBootstrapCheck(settings.build()).check(new BootstrapContext(settings.build(), null)).isFailure());
+ assertTrue(new FIPS140JKSKeystoreBootstrapCheck().check(new BootstrapContext(settings.build(), null)).isFailure());
  }
 
  public void testHttpSSLKeystoreTypeIsNotAllowed() {
  final Settings.Builder settings = Settings.builder()
  .put("xpack.security.fips_mode.enabled", "true")
  .put("xpack.security.http.ssl.keystore.path", "/this/is/the/path")
  .put("xpack.security.http.ssl.keystore.type", "JKS");
- assertTrue(new FIPS140JKSKeystoreBootstrapCheck(settings.build()).check(new BootstrapContext(settings.build(), null)).isFailure());
+ assertTrue(new FIPS140JKSKeystoreBootstrapCheck().check(new BootstrapContext(settings.build(), null)).isFailure());
  }
 
  public void testRealmKeystoreTypeIsNotAllowed() {
  final Settings.Builder settings = Settings.builder()
  .put("xpack.security.fips_mode.enabled", "true")
  .put("xpack.security.authc.realms.ldap.ssl.keystore.path", "/this/is/the/path")
  .put("xpack.security.authc.realms.ldap.ssl.keystore.type", "JKS");
- assertTrue(new FIPS140JKSKeystoreBootstrapCheck(settings.build()).check(new BootstrapContext(settings.build(), null)).isFailure());
+ assertTrue(new FIPS140JKSKeystoreBootstrapCheck().check(new BootstrapContext(settings.build(), null)).isFailure());
  }
 
  public void testImplicitRealmKeystoreTypeIsNotAllowed() {
  final Settings.Builder settings = Settings.builder()
  .put("xpack.security.fips_mode.enabled", "true")
  .put("xpack.security.authc.realms.ldap.ssl.keystore.path", "/this/is/the/path");
- assertTrue(new FIPS140JKSKeystoreBootstrapCheck(settings.build()).check(new BootstrapContext(settings.build(), null)).isFailure());
+ assertTrue(new FIPS140JKSKeystoreBootstrapCheck().check(new BootstrapContext(settings.build(), null)).isFailure());
  }
 }
diff --git a/...ity/src/test/java/org/elasticsearch/xpack/security/FIPS140LicenseBootstrapCheckTests.java b/...ity/src/test/java/org/elasticsearch/xpack/security/FIPS140LicenseBootstrapCheckTests.java
@@ -17,27 +17,29 @@
 public class FIPS140LicenseBootstrapCheckTests extends ESTestCase {
 
  public void testBootstrapCheck() throws Exception {
- assertTrue(new FIPS140LicenseBootstrapCheck(false)
- .check(new BootstrapContext(Settings.EMPTY, MetaData.EMPTY_META_DATA)).isSuccess());
- assertTrue(new FIPS140LicenseBootstrapCheck(randomBoolean())
+ assertTrue(new FIPS140LicenseBootstrapCheck()
  .check(new BootstrapContext(Settings.EMPTY, MetaData.EMPTY_META_DATA)).isSuccess());
+ assertTrue(new FIPS140LicenseBootstrapCheck()
+ .check(new BootstrapContext(Settings.builder().put("xpack.security.fips_mode.enabled", randomBoolean()).build(), MetaData
+ .EMPTY_META_DATA)).isSuccess());
 
- License license = TestUtils.generateSignedLicense(TimeValue.timeValueHours(24));
  MetaData.Builder builder = MetaData.builder();
+ License license = TestUtils.generateSignedLicense(TimeValue.timeValueHours(24));
  TestUtils.putLicense(builder, license);
  MetaData metaData = builder.build();
+
  if (FIPS140LicenseBootstrapCheck.ALLOWED_LICENSE_OPERATION_MODES.contains(license.operationMode())) {
- assertTrue(new FIPS140LicenseBootstrapCheck(true).check(new BootstrapContext(
+ assertTrue(new FIPS140LicenseBootstrapCheck().check(new BootstrapContext(
  Settings.builder().put("xpack.security.fips_mode.enabled", true).build(), metaData)).isSuccess());
- assertTrue(new FIPS140LicenseBootstrapCheck(false).check(new BootstrapContext(
+ assertTrue(new FIPS140LicenseBootstrapCheck().check(new BootstrapContext(
  Settings.builder().put("xpack.security.fips_mode.enabled", false).build(), metaData)).isSuccess());
  } else {
- assertTrue(new FIPS140LicenseBootstrapCheck(false).check(new BootstrapContext(
+ assertTrue(new FIPS140LicenseBootstrapCheck().check(new BootstrapContext(
  Settings.builder().put("xpack.security.fips_mode.enabled", false).build(), metaData)).isSuccess());
- assertTrue(new FIPS140LicenseBootstrapCheck(true).check(new BootstrapContext(
+ assertTrue(new FIPS140LicenseBootstrapCheck().check(new BootstrapContext(
  Settings.builder().put("xpack.security.fips_mode.enabled", true).build(), metaData)).isFailure());
  assertEquals("FIPS mode is only allowed with a Platinum or Trial license",
- new FIPS140LicenseBootstrapCheck(true).check(new BootstrapContext(
+ new FIPS140LicenseBootstrapCheck().check(new BootstrapContext(
  Settings.builder().put("xpack.security.fips_mode.enabled", true).build(), metaData)).getMessage());
  }
  }

diff --git a/.../org/elasticsearch/xpack/security/FIPS140PasswordHashingAlgorithmBootstrapCheckTests.java b/.../org/elasticsearch/xpack/security/FIPS140PasswordHashingAlgorithmBootstrapCheckTests.java
@@ -25,7 +25,7 @@ public void testPBKDF2AlgorithmIsAllowed() {
  .put(XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey(), "PBKDF2_10000")
  .build();
  final BootstrapCheck.BootstrapCheckResult result =
- new FIPS140PasswordHashingAlgorithmBootstrapCheck(settings).check(new BootstrapContext(settings, null));
+ new FIPS140PasswordHashingAlgorithmBootstrapCheck().check(new BootstrapContext(settings, null));
  assertFalse(result.isFailure());
  }
 
@@ -35,7 +35,7 @@ public void testPBKDF2AlgorithmIsAllowed() {
  .put(XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey(), "PBKDF2")
  .build();
  final BootstrapCheck.BootstrapCheckResult result =
- new FIPS140PasswordHashingAlgorithmBootstrapCheck(settings).check(new BootstrapContext(settings, null));
+ new FIPS140PasswordHashingAlgorithmBootstrapCheck().check(new BootstrapContext(settings, null));
  assertFalse(result.isFailure());
  }
  }
@@ -55,7 +55,7 @@ private void runBCRYPTTest(final boolean fipsModeEnabled, final String passwordH
  }
  final Settings settings = builder.build();
  final BootstrapCheck.BootstrapCheckResult result =
- new FIPS140PasswordHashingAlgorithmBootstrapCheck(settings).check(new BootstrapContext(settings, null));
+ new FIPS140PasswordHashingAlgorithmBootstrapCheck().check(new BootstrapContext(settings, null));
  assertThat(result.isFailure(), equalTo(fipsModeEnabled));
  }