elastic · rjernst · May 14, 2019 · May 11, 2019 · May 12, 2019
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/TestXPackTransportClient.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/TestXPackTransportClient.java
diff --git a/x-pack/plugin/ml/src/test/java/org/elasticsearch/license/MachineLearningLicensingTests.java b/x-pack/plugin/ml/src/test/java/org/elasticsearch/license/MachineLearningLicensingTests.java
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/license/LicensingTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/license/LicensingTests.java
@@ -19,11 +19,8 @@
 import org.elasticsearch.client.RequestOptions;
 import org.elasticsearch.client.Response;
 import org.elasticsearch.client.ResponseException;
-import org.elasticsearch.client.transport.NoNodeAvailableException;
-import org.elasticsearch.client.transport.TransportClient;
 import org.elasticsearch.common.settings.SecureString;
 import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.common.util.concurrent.ThreadContext;
 import org.elasticsearch.discovery.DiscoveryModule;
 import org.elasticsearch.license.License.OperationMode;
 import org.elasticsearch.node.MockNode;
@@ -36,14 +33,8 @@
 import org.elasticsearch.test.SecuritySettingsSourceField;
 import org.elasticsearch.test.junit.annotations.TestLogging;
 import org.elasticsearch.transport.Netty4Plugin;
-import org.elasticsearch.transport.Transport;
-import org.elasticsearch.xpack.core.TestXPackTransportClient;
 import org.elasticsearch.xpack.core.XPackField;
-import org.elasticsearch.xpack.core.security.SecurityField;
-import org.elasticsearch.xpack.core.security.action.user.PutUserResponse;
-import org.elasticsearch.xpack.core.security.authc.support.Hasher;
 import org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken;
-import org.elasticsearch.xpack.core.security.client.SecurityClient;
 import org.elasticsearch.xpack.security.LocalStateSecurity;
 import org.junit.After;
 import org.junit.Before;
@@ -60,7 +51,6 @@
 import static org.elasticsearch.common.xcontent.XContentFactory.jsonBuilder;
 import static org.elasticsearch.discovery.SettingsBasedSeedHostsProvider.DISCOVERY_SEED_HOSTS_SETTING;
 import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertNoFailures;
-import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.greaterThanOrEqualTo;
 import static org.hamcrest.Matchers.hasItem;
 import static org.hamcrest.Matchers.is;
@@ -156,7 +146,7 @@ public void testEnableDisableBehaviour() throws Exception {
         assertEquals(DocWriteResponse.Result.CREATED, indexResponse.getResult());
 
         refresh();
-        final Client client = internalCluster().transportClient();
+        final Client client = internalCluster().client();
 
         disableLicensing();
 
@@ -216,57 +206,6 @@ public void testRestAuthenticationByLicenseType() throws Exception {
         assertThat(authorizedAuthenticateResponse.getStatusLine().getStatusCode(), is(200));
     }
 
-    public void testSecurityActionsByLicenseType() throws Exception {
-        // security actions should not work!
-        Settings settings = internalCluster().transportClient().settings();
-        try (TransportClient client = new TestXPackTransportClient(settings, LocalStateSecurity.class)) {
-            client.addTransportAddress(internalCluster().getDataNodeInstance(Transport.class).boundAddress().publishAddress());
-            new SecurityClient(client).preparePutUser("john", "password".toCharArray(), Hasher.BCRYPT).get();
-            fail("security actions should not be enabled!");
-        } catch (ElasticsearchSecurityException e) {
-            assertThat(e.status(), is(RestStatus.FORBIDDEN));
-            assertThat(e.getMessage(), containsString("non-compliant"));
-        }
-
-        // enable a license that enables security
-        License.OperationMode mode = randomFrom(License.OperationMode.GOLD, License.OperationMode.TRIAL,
-                License.OperationMode.PLATINUM, License.OperationMode.STANDARD, OperationMode.BASIC);
-        enableLicensing(mode);
-        // security actions should work!
-        try (TransportClient client = new TestXPackTransportClient(settings, LocalStateSecurity.class)) {
-            client.addTransportAddress(internalCluster().getDataNodeInstance(Transport.class).boundAddress().publishAddress());
-            PutUserResponse response = new SecurityClient(client).preparePutUser("john", "password".toCharArray(), Hasher.BCRYPT).get();
-            assertNotNull(response);
-        }
-    }
-
-    public void testTransportClientAuthenticationByLicenseType() throws Exception {
-        Settings.Builder builder = Settings.builder()
-                .put(internalCluster().transportClient().settings());
-        // remove user info
-        builder.remove(SecurityField.USER_SETTING.getKey());
-        builder.remove(ThreadContext.PREFIX + "." + UsernamePasswordToken.BASIC_AUTH_HEADER);
-
-        // basic has no auth
-        try (TransportClient client = new TestXPackTransportClient(builder.build(), LocalStateSecurity.class)) {
-            client.addTransportAddress(internalCluster().getDataNodeInstance(Transport.class).boundAddress().publishAddress());
-            assertGreenClusterState(client);
-        }
-
-        // enable a license that enables security
-        License.OperationMode mode = randomFrom(License.OperationMode.GOLD, License.OperationMode.TRIAL,
-                License.OperationMode.PLATINUM, License.OperationMode.STANDARD);
-        enableLicensing(mode);
-
-        try (TransportClient client = new TestXPackTransportClient(builder.build(), LocalStateSecurity.class)) {
-            client.addTransportAddress(internalCluster().getDataNodeInstance(Transport.class).boundAddress().publishAddress());
-            client.admin().cluster().prepareHealth().get();
-            fail("should not have been able to connect to a node!");
-        } catch (NoNodeAvailableException e) {
-            // expected
-        }
-    }
-
     public void testNodeJoinWithoutSecurityExplicitlyEnabled() throws Exception {
         License.OperationMode mode = randomFrom(License.OperationMode.GOLD, License.OperationMode.PLATINUM, License.OperationMode.STANDARD);
         enableLicensing(mode);

diff --git a/...plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/RunAsIntegTests.java b/...plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/RunAsIntegTests.java
@@ -5,35 +5,16 @@
  */
 package org.elasticsearch.xpack.security.authc;
 
-import org.elasticsearch.ElasticsearchSecurityException;
-import org.elasticsearch.action.admin.cluster.health.ClusterHealthResponse;
-import org.elasticsearch.action.admin.cluster.node.info.NodeInfo;
-import org.elasticsearch.action.admin.cluster.node.info.NodesInfoResponse;
 import org.elasticsearch.client.Request;
 import org.elasticsearch.client.RequestOptions;
 import org.elasticsearch.client.ResponseException;
-import org.elasticsearch.client.transport.TransportClient;
-import org.elasticsearch.common.settings.SecureString;
-import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.common.transport.TransportAddress;
 import org.elasticsearch.test.SecurityIntegTestCase;
 import org.elasticsearch.test.SecuritySettingsSource;
-import org.elasticsearch.test.SecuritySettingsSourceField;
-import org.elasticsearch.xpack.core.TestXPackTransportClient;
 import org.elasticsearch.xpack.core.security.authc.AuthenticationServiceField;
-import org.elasticsearch.xpack.security.LocalStateSecurity;
-import org.elasticsearch.xpack.core.security.SecurityField;
 import org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken;
 import org.junit.BeforeClass;
 
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-
 import static org.elasticsearch.test.SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING;
-import static org.hamcrest.Matchers.containsString;
-import static org.hamcrest.Matchers.greaterThan;
 import static org.hamcrest.Matchers.is;
 
 public class RunAsIntegTests extends SecurityIntegTestCase {
@@ -86,43 +67,6 @@ protected boolean transportSSLEnabled() {
         return false;
     }
 
-    public void testUserImpersonation() throws Exception {
-        try (TransportClient client = getTransportClient(Settings.builder()
-                .put(SecurityField.USER_SETTING.getKey(), TRANSPORT_CLIENT_USER + ":" +
-                     SecuritySettingsSourceField.TEST_PASSWORD).build())) {
-            //ensure the client can connect
-            assertBusy(() -> assertThat(client.connectedNodes().size(), greaterThan(0)));
-
-            // make sure the client can't get health
-            try {
-                client.admin().cluster().prepareHealth().get();
-                fail("the client user should not have privileges to get the health");
-            } catch (ElasticsearchSecurityException e) {
-                assertThat(e.getMessage(), containsString("unauthorized"));
-            }
-
-            // let's run as without authorization
-            try {
-                Map<String, String> headers = Collections.singletonMap(AuthenticationServiceField.RUN_AS_USER_HEADER,
-                        SecuritySettingsSource.TEST_USER_NAME);
-                client.filterWithHeader(headers)
-                        .admin().cluster().prepareHealth().get();
-                fail("run as should be unauthorized for the transport client user");
-            } catch (ElasticsearchSecurityException e) {
-                assertThat(e.getMessage(), containsString("unauthorized"));
-                assertThat(e.getMessage(), containsString("run as"));
-            }
-
-            Map<String, String> headers = new HashMap<>();
-            headers.put("Authorization", UsernamePasswordToken.basicAuthHeaderValue(RUN_AS_USER,
-                    new SecureString(SecuritySettingsSourceField.TEST_PASSWORD.toCharArray())));
-            headers.put(AuthenticationServiceField.RUN_AS_USER_HEADER, SecuritySettingsSource.TEST_USER_NAME);
-            // lets set the user
-            ClusterHealthResponse response = client.filterWithHeader(headers).admin().cluster().prepareHealth().get();
-            assertThat(response.isTimedOut(), is(false));
-        }
-    }
-
     public void testUserImpersonationUsingHttp() throws Exception {
         // use the transport client user and try to run as
         try {
@@ -156,29 +100,6 @@ public void testUserImpersonationUsingHttp() throws Exception {
         getRestClient().performRequest(requestForUserRunAsUser(SecuritySettingsSource.TEST_USER_NAME));
     }
 
-    public void testEmptyUserImpersonationHeader() throws Exception {
-        try (TransportClient client = getTransportClient(Settings.builder()
-                .put(SecurityField.USER_SETTING.getKey(), TRANSPORT_CLIENT_USER + ":"
-                     + SecuritySettingsSourceField.TEST_PASSWORD).build())) {
-            //ensure the client can connect
-            awaitBusy(() -> {
-                return client.connectedNodes().size() > 0;
-            });
-
-            try {
-                Map<String, String> headers = new HashMap<>();
-                headers.put("Authorization", UsernamePasswordToken.basicAuthHeaderValue(RUN_AS_USER,
-                        new SecureString(SecuritySettingsSourceField.TEST_PASSWORD.toCharArray())));
-                headers.put(AuthenticationServiceField.RUN_AS_USER_HEADER, "");
-
-                client.filterWithHeader(headers).admin().cluster().prepareHealth().get();
-                fail("run as header should not be allowed to be empty");
-            } catch (ElasticsearchSecurityException e) {
-                assertThat(e.getMessage(), containsString("unable to authenticate"));
-            }
-        }
-    }
-
     public void testEmptyHeaderUsingHttp() throws Exception {
         try {
             getRestClient().performRequest(requestForUserRunAsUser(""));
@@ -188,29 +109,6 @@ public void testEmptyHeaderUsingHttp() throws Exception {
         }
     }
 
-    public void testNonExistentRunAsUser() throws Exception {
-        try (TransportClient client = getTransportClient(Settings.builder()
-                .put(SecurityField.USER_SETTING.getKey(), TRANSPORT_CLIENT_USER + ":" +
-                     SecuritySettingsSourceField.TEST_PASSWORD).build())) {
-            //ensure the client can connect
-            awaitBusy(() -> {
-                return client.connectedNodes().size() > 0;
-            });
-
-            try {
-                Map<String, String> headers = new HashMap<>();
-                headers.put("Authorization", UsernamePasswordToken.basicAuthHeaderValue(RUN_AS_USER,
-                        new SecureString(SecuritySettingsSourceField.TEST_PASSWORD.toCharArray())));
-                headers.put(AuthenticationServiceField.RUN_AS_USER_HEADER, "idontexist");
-
-                client.filterWithHeader(headers).admin().cluster().prepareHealth().get();
-                fail("run as header should not accept non-existent users");
-            } catch (ElasticsearchSecurityException e) {
-                assertThat(e.getMessage(), containsString("unauthorized"));
-            }
-        }
-    }
-
     public void testNonExistentRunAsUserUsingHttp() throws Exception {
         try {
             getRestClient().performRequest(requestForUserRunAsUser("idontexist"));
@@ -228,21 +126,4 @@ private static Request requestForUserRunAsUser(String user) {
         request.setOptions(options);
         return request;
     }
-
-    // build our own here to better mimic an actual client...
-    TransportClient getTransportClient(Settings extraSettings) {
-        NodesInfoResponse nodeInfos = client().admin().cluster().prepareNodesInfo().get();
-        List<NodeInfo> nodes = nodeInfos.getNodes();
-        assertTrue(nodes.isEmpty() == false);
-        TransportAddress publishAddress = randomFrom(nodes).getTransport().address().publishAddress();
-        String clusterName = nodeInfos.getClusterName().value();
-
-        Settings settings = Settings.builder()
-                .put(extraSettings)
-                .put("cluster.name", clusterName)
-                .build();
-
-        return new TestXPackTransportClient(settings, LocalStateSecurity.class)
-                .addTransportAddress(publishAddress);
-    }
 }