
Commit c593c8b

authored
Use boolean methods for allowed realm types in license state (#53456)
In xpack the license state contains methods to determine whether a particular feature is allowed to be used. The one exception is allowsRealmTypes() which returns an enum of the types of realms allowed. This change converts the enum values to boolean methods. There are 2 notable changes: NONE is removed as we always fall back to basic license behavior, and NATIVE is not needed because it would always return true since we should always have a basic license.
1 parent 7485b72 commit c593c8b


8 files changed

+66
-123
lines changed


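--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/license/XPackLicenseState.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/license/XPackLicenseState.java
@@ -402,8 +402,7 @@ public boolean isActive() {
 }
 
 /**
-* @return true if authentication and authorization should be enabled. this does not indicate what realms are available
-* @see #allowedRealmType() for the enabled realms
+* @return true if authentication and authorization should be enabled.
 */
 public boolean isAuthAllowed() {
 return isAllowedBySecurityAndLicense(OperationMode.BASIC, false, true);
@@ -438,38 +437,12 @@ public boolean isDocumentAndFieldLevelSecurityAllowed() {
 return isAllowedBySecurityAndLicense(OperationMode.PLATINUM, false, true);
 }
 
-/** Classes of realms that may be available based on the license type. */
-public enum AllowedRealmType {
-NONE,
-NATIVE,
-DEFAULT,
-ALL
+public boolean areAllRealmsAllowed() {
+return isAllowedBySecurityAndLicense(OperationMode.PLATINUM, false, true);
 }
 
-/**
-* @return the type of realms that are enabled based on the license {@link OperationMode}
-*/
-public AllowedRealmType allowedRealmType() {
-return executeAgainstStatus(status -> {
-final boolean isSecurityCurrentlyEnabled = isSecurityEnabled(status.mode, isSecurityExplicitlyEnabled, isSecurityEnabled);
-if (isSecurityCurrentlyEnabled) {
-switch (status.mode) {
-case PLATINUM:
-case ENTERPRISE:
-case TRIAL:
-return AllowedRealmType.ALL;
-case GOLD:
-return AllowedRealmType.DEFAULT;
-case BASIC:
-case STANDARD:
-return AllowedRealmType.NATIVE;
-default:
-return AllowedRealmType.NONE;
-}
-} else {
-return AllowedRealmType.NONE;
-}
-});
+public boolean areStandardRealmsAllowed() {
+return isAllowedBySecurityAndLicense(OperationMode.GOLD, false, true);
 }
 
 public boolean isCustomRoleProvidersAllowed() {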
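Review bot: The new public methods `areAllRealmsAllowed()` and `areStandardRealmsAllowed()` carry no Javadoc, while this commit deletes the only documentation of realm licensing (the `AllowedRealmType` comment and the `@see` on `isAuthAllowed()`). Because these two booleans now decide which authentication realms are consulted, each should state its contract, for example `/** @return true if every configured realm type may be used under the current license; when false, callers fall back to standard or native realms */`. The Javadoc should also say that the result stays true for an expired license, which the updated tests assert for Gold and Platinum. The removed switch listed ENTERPRISE and TRIAL explicitly; it is worth confirming that `isAllowedBySecurityAndLicense(OperationMode.PLATINUM, false, true)` still covers both, since that helper is outside the hunk.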

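--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java
@@ -82,7 +82,7 @@ public void testSecurityDefaults() {
 assertThat(licenseState.isAuditingAllowed(), is(true));
 assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
 assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(true));
-assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.ALL));
+assertThat(licenseState.areAllRealmsAllowed(), is(true));
 assertThat(licenseState.isCustomRoleProvidersAllowed(), is(true));
 
 licenseState = new XPackLicenseState(Settings.EMPTY);
@@ -105,7 +105,6 @@ public void testSecurityBasicWithoutExplicitSecurityEnabled() {
 assertThat(licenseState.isAuditingAllowed(), is(false));
 assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
 assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
-assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.NONE));
 assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
 assertThat(licenseState.isTokenServiceAllowed(), is(false));
 assertThat(licenseState.isApiKeyServiceAllowed(), is(false));
@@ -124,7 +123,6 @@ public void testSecurityBasicWithExplicitSecurityEnabled() {
 assertThat(licenseState.isAuditingAllowed(), is(false));
 assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
 assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
-assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.NATIVE));
 assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
 assertThat(licenseState.isTokenServiceAllowed(), is(false));
 assertThat(licenseState.isApiKeyServiceAllowed(), is(true));
@@ -142,7 +140,6 @@ public void testSecurityDefaultBasicExpired() {
 assertThat(licenseState.isAuditingAllowed(), is(false));
 assertThat(licenseState.isStatsAndHealthAllowed(), is(false));
 assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
-assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.NONE));
 assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
 assertThat(licenseState.isTokenServiceAllowed(), is(false));
 assertThat(licenseState.isApiKeyServiceAllowed(), is(false));
@@ -158,7 +155,6 @@ public void testSecurityEnabledBasicExpired() {
 assertThat(licenseState.isAuditingAllowed(), is(false));
 assertThat(licenseState.isStatsAndHealthAllowed(), is(false));
 assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
-assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.NATIVE));
 assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
 assertThat(licenseState.isTokenServiceAllowed(), is(false));
 assertThat(licenseState.isApiKeyServiceAllowed(), is(true));
@@ -174,7 +170,6 @@ public void testSecurityStandard() {
 assertThat(licenseState.isAuditingAllowed(), is(false));
 assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
 assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
-assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.NATIVE));
 assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
 }
 
@@ -188,7 +183,6 @@ public void testSecurityStandardExpired() {
 assertThat(licenseState.isAuditingAllowed(), is(false));
 assertThat(licenseState.isStatsAndHealthAllowed(), is(false));
 assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
-assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.NATIVE));
 assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
 }
 
@@ -202,7 +196,7 @@ public void testSecurityGold() {
 assertThat(licenseState.isAuditingAllowed(), is(true));
 assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
 assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
-assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.DEFAULT));
+assertThat(licenseState.areStandardRealmsAllowed(), is(true));
 assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
 assertThat(licenseState.isTokenServiceAllowed(), is(true));
 assertThat(licenseState.isApiKeyServiceAllowed(), is(true));
@@ -218,7 +212,7 @@ public void testSecurityGoldExpired() {
 assertThat(licenseState.isAuditingAllowed(), is(true));
 assertThat(licenseState.isStatsAndHealthAllowed(), is(false));
 assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
-assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.DEFAULT));
+assertThat(licenseState.areStandardRealmsAllowed(), is(true));
 assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
 assertThat(licenseState.isTokenServiceAllowed(), is(true));
 assertThat(licenseState.isApiKeyServiceAllowed(), is(true));
@@ -234,7 +228,7 @@ public void testSecurityPlatinum() {
 assertThat(licenseState.isAuditingAllowed(), is(true));
 assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
 assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(true));
-assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.ALL));
+assertThat(licenseState.areAllRealmsAllowed(), is(true));
 assertThat(licenseState.isCustomRoleProvidersAllowed(), is(true));
 assertThat(licenseState.isTokenServiceAllowed(), is(true));
 assertThat(licenseState.isApiKeyServiceAllowed(), is(true));
@@ -250,7 +244,7 @@ public void testSecurityPlatinumExpired() {
 assertThat(licenseState.isAuditingAllowed(), is(true));
 assertThat(licenseState.isStatsAndHealthAllowed(), is(false));
 assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(true));
-assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.ALL));
+assertThat(licenseState.areAllRealmsAllowed(), is(true));
 assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
 assertThat(licenseState.isTokenServiceAllowed(), is(true));
 assertThat(licenseState.isApiKeyServiceAllowed(), is(true));
@@ -270,7 +264,6 @@ private void assertSecurityNotAllowed(XPackLicenseState licenseState) {
 assertThat(licenseState.isAuditingAllowed(), is(false));
 assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
 assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
-assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.NONE));
 assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
 }
 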
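Review bot: The Basic, Standard and security-disabled tests drop their realm assertion outright instead of replacing it with a negative one, so nothing here fails if a lower-tier license starts permitting standard or all realms. Where the old test expected `NATIVE` or `NONE` (for example `testSecurityBasicWithExplicitSecurityEnabled`, `testSecurityStandard` and `assertSecurityNotAllowed`), add `assertThat(licenseState.areStandardRealmsAllowed(), is(false));` and `assertThat(licenseState.areAllRealmsAllowed(), is(false));`. In `testSecurityGold` and `testSecurityGoldExpired`, which used to expect `DEFAULT`, also add `assertThat(licenseState.areAllRealmsAllowed(), is(false));`. The expected values are inferred from the removed assertions, and the test bodies start outside these hunks, so check them against the license each test sets up.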

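--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/Realms.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/Realms.java
@@ -15,7 +15,6 @@
 import org.elasticsearch.common.util.concurrent.ThreadContext;
 import org.elasticsearch.env.Environment;
 import org.elasticsearch.license.XPackLicenseState;
-import org.elasticsearch.license.XPackLicenseState.AllowedRealmType;
 import org.elasticsearch.xpack.core.security.authc.Realm;
 import org.elasticsearch.xpack.core.security.authc.RealmConfig;
 import org.elasticsearch.xpack.core.security.authc.RealmSettings;
@@ -102,35 +101,21 @@ public Realms(Settings settings, Environment env, Map<String, Realm.Factory> fac
 
 @Override
 public Iterator<Realm> iterator() {
-if (licenseState.isAuthAllowed() == false) {
-return Collections.emptyIterator();
-}
-
-AllowedRealmType allowedRealmType = licenseState.allowedRealmType();
-switch (allowedRealmType) {
-case ALL:
-return realms.iterator();
-case DEFAULT:
-return standardRealmsOnly.iterator();
-case NATIVE:
-return nativeRealmsOnly.iterator();
-default:
-throw new IllegalStateException("authentication should not be enabled");
-}
+return asList().iterator();
 }
 
 /**
 * Returns a list of realms that are configured, but are not permitted under the current license.
 */
 public List<Realm> getUnlicensedRealms() {
+final XPackLicenseState licenseStateSnapshot = licenseState.copyCurrentLicenseState();
 // If auth is not allowed, then everything is unlicensed
-if (licenseState.isAuthAllowed() == false) {
+if (licenseStateSnapshot.isAuthAllowed() == false) {
 return Collections.unmodifiableList(realms);
 }
 
-AllowedRealmType allowedRealmType = licenseState.allowedRealmType();
 // If all realms are allowed, then nothing is unlicensed
-if (allowedRealmType == AllowedRealmType.ALL) {
+if (licenseStateSnapshot.areAllRealmsAllowed()) {
 return Collections.emptyList();
 }
 
@@ -150,20 +135,17 @@ public Stream<Realm> stream() {
 }
 
 public List<Realm> asList() {
-if (licenseState.isAuthAllowed() == false) {
+final XPackLicenseState licenseStateSnapshot = licenseState.copyCurrentLicenseState();
+if (licenseStateSnapshot.isAuthAllowed() == false) {
 return Collections.emptyList();
 }
-
-AllowedRealmType allowedRealmType = licenseState.allowedRealmType();
-switch (allowedRealmType) {
-case ALL:
-return Collections.unmodifiableList(realms);
-case DEFAULT:
-return Collections.unmodifiableList(standardRealmsOnly);
-case NATIVE:
-return Collections.unmodifiableList(nativeRealmsOnly);
-default:
-throw new IllegalStateException("authentication should not be enabled");
+if (licenseStateSnapshot.areAllRealmsAllowed()) {
+return realms;
+} else if (licenseStateSnapshot.areStandardRealmsAllowed()) {
+return standardRealmsOnly;
+} else {
+// native realms are basic licensed, and always allowed, even for an expired license
+return nativeRealmsOnly;
 }
 }
 
@@ -241,35 +223,34 @@ protected List<Realm> initRealms() throws Exception {
 if (Strings.hasText(duplicateRealms)) {
 throw new IllegalArgumentException("Found multiple realms configured with the same name: " + duplicateRealms + "");
 }
-return realms;
+return Collections.unmodifiableList(realms);
 }
 
 public void usageStats(ActionListener<Map<String, Object>> listener) {
+final XPackLicenseState licenseStateSnapshot = licenseState.copyCurrentLicenseState();
 Map<String, Object> realmMap = new HashMap<>();
 final AtomicBoolean failed = new AtomicBoolean(false);
 final List<Realm> realmList = asList().stream()
 .filter(r -> ReservedRealm.TYPE.equals(r.type()) == false)
 .collect(Collectors.toList());
+final Set<String> realmTypes = realmList.stream().map(Realm::type).collect(Collectors.toSet());
 final CountDown countDown = new CountDown(realmList.size());
 final Runnable doCountDown = () -> {
 if ((realmList.isEmpty() || countDown.countDown()) && failed.get() == false) {
-final AllowedRealmType allowedRealmType = licenseState.allowedRealmType();
 // iterate over the factories so we can add enabled & available info
 for (String type : factories.keySet()) {
 assert ReservedRealm.TYPE.equals(type) == false;
 realmMap.compute(type, (key, value) -> {
 if (value == null) {
 return MapBuilder.<String, Object>newMapBuilder()
 .put("enabled", false)
-.put("available", isRealmTypeAvailable(allowedRealmType, type))
+.put("available", isRealmTypeAvailable(licenseStateSnapshot, type))
 .map();
 }
 
 assert value instanceof Map;
 Map<String, Object> realmTypeUsage = (Map<String, Object>) value;
 realmTypeUsage.put("enabled", true);
-// the realms iterator returned this type so it must be enabled
-assert isRealmTypeAvailable(allowedRealmType, type);
 realmTypeUsage.put("available", true);
 return value;
 });
@@ -363,18 +344,13 @@ private static Map<String, Object> convertToMapOfLists(Map<String, Object> map)
 return converted;
 }
 
-public static boolean isRealmTypeAvailable(AllowedRealmType enabledRealmType, String type) {
-switch (enabledRealmType) {
-case ALL:
-return true;
-case NONE:
-return false;
-case NATIVE:
-return FileRealmSettings.TYPE.equals(type) || NativeRealmSettings.TYPE.equals(type);
-case DEFAULT:
-return InternalRealms.isStandardRealm(type) || ReservedRealm.TYPE.equals(type);
-default:
-throw new IllegalStateException("unknown enabled realm type [" + enabledRealmType + "]");
+public static boolean isRealmTypeAvailable(XPackLicenseState licenseState, String type) {
+if (licenseState.areAllRealmsAllowed()) {
+return true;
+} else if (licenseState.areStandardRealmsAllowed()) {
+return InternalRealms.isStandardRealm(type) || ReservedRealm.TYPE.equals(type);
+} else {
+return FileRealmSettings.TYPE.equals(type) || NativeRealmSettings.TYPE.equals(type);
 }
 }
 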
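Review bot: `isRealmTypeAvailable` no longer has a branch that returns false for every type: with the `NONE` case gone, the final `else` returns true for the file and native types without this method ever consulting `isAuthAllowed()`. The commit message presents the fallback to basic behaviour as intended, but the method is public and static, so it needs a Javadoc saying that callers must check `isAuthAllowed()` themselves and should pass a snapshot from `copyCurrentLicenseState()`, because the method reads the state twice. In `usageStats` the snapshot is separate from the one `asList()` takes internally, so `realmList` and the `available` flag can reflect different license states. Separately, `asList()` now returns `standardRealmsOnly` and `nativeRealmsOnly` without `Collections.unmodifiableList`; unless the constructor (outside these hunks) already wraps them, keep `return Collections.unmodifiableList(standardRealmsOnly);` and the native equivalent so callers cannot alter the realm chain.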

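--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/action/RestDelegatePkiAuthenticationAction.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/action/RestDelegatePkiAuthenticationAction.java
@@ -24,7 +24,6 @@
 import org.elasticsearch.xpack.core.security.action.DelegatePkiAuthenticationResponse;
 import org.elasticsearch.xpack.core.security.authc.pki.PkiRealmSettings;
 import org.elasticsearch.xpack.security.action.TransportDelegatePkiAuthenticationAction;
-import org.elasticsearch.xpack.security.authc.Realms;
 
 import java.io.IOException;
 import java.util.List;
@@ -54,7 +53,7 @@ protected Exception checkFeatureAvailable(RestRequest request) {
 Exception failedFeature = super.checkFeatureAvailable(request);
 if (failedFeature != null) {
 return failedFeature;
-} else if (Realms.isRealmTypeAvailable(licenseState.allowedRealmType(), PkiRealmSettings.TYPE)) {
+} else if (licenseState.areStandardRealmsAllowed()) {
 return null;
 } else {
 logger.info("The '{}' realm is not available under the current license", PkiRealmSettings.TYPE);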
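Review bot: The PKI license check in `checkFeatureAvailable` now calls `licenseState.areStandardRealmsAllowed()` directly, while the OIDC and SAML handlers changed in the same commit still go through `Realms.isRealmTypeAvailable(licenseState, TYPE)`. The two forms agree only while `InternalRealms.isStandardRealm` classifies PKI as a standard realm, and that classification is not visible on this page. Either keep `Realms.isRealmTypeAvailable(licenseState, PkiRealmSettings.TYPE)` so all three handlers share one source of truth, or record the assumption next to the check with `// PKI is a standard realm, so the standard-realm license check is sufficient`. The method body continues past the end of the hunk.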

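--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/action/oidc/OpenIdConnectBaseRestHandler.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/action/oidc/OpenIdConnectBaseRestHandler.java
@@ -33,7 +33,7 @@ protected Exception checkFeatureAvailable(RestRequest request) {
 Exception failedFeature = super.checkFeatureAvailable(request);
 if (failedFeature != null) {
 return failedFeature;
-} else if (Realms.isRealmTypeAvailable(licenseState.allowedRealmType(), OIDC_REALM_TYPE)) {
+} else if (Realms.isRealmTypeAvailable(licenseState, OIDC_REALM_TYPE)) {
 return null;
 } else {
 logger.info("The '{}' realm is not available under the current license", OIDC_REALM_TYPE);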

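--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/action/saml/SamlBaseRestHandler.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/action/saml/SamlBaseRestHandler.java
@@ -32,7 +32,7 @@ protected Exception checkFeatureAvailable(RestRequest request) {
 Exception failedFeature = super.checkFeatureAvailable(request);
 if (failedFeature != null) {
 return failedFeature;
-} else if (Realms.isRealmTypeAvailable(licenseState.allowedRealmType(), SAML_REALM_TYPE)) {
+} else if (Realms.isRealmTypeAvailable(licenseState, SAML_REALM_TYPE)) {
 return null;
 } else {
 logger.info("The '{}' realm is not available under the current license", SAML_REALM_TYPE);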

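--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/AuthenticationServiceTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/AuthenticationServiceTests.java
@@ -188,10 +188,11 @@ public void init() throws Exception {
 .put(XPackSettings.API_KEY_SERVICE_ENABLED_SETTING.getKey(), true)
 .build();
 XPackLicenseState licenseState = mock(XPackLicenseState.class);
-when(licenseState.allowedRealmType()).thenReturn(XPackLicenseState.AllowedRealmType.ALL);
+when(licenseState.areAllRealmsAllowed()).thenReturn(true);
 when(licenseState.isAuthAllowed()).thenReturn(true);
 when(licenseState.isApiKeyServiceAllowed()).thenReturn(true);
 when(licenseState.isTokenServiceAllowed()).thenReturn(true);
+when(licenseState.copyCurrentLicenseState()).thenReturn(licenseState);
 when(licenseState.isAuditingAllowed()).thenReturn(true);
 ReservedRealm reservedRealm = mock(ReservedRealm.class);
 when(reservedRealm.type()).thenReturn("reserved");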
