Commit 9d77fcaf authored by Nils Bandener

Fixed auth token revocation for non-special-privs case

parent d9692871
......@@ -39,6 +39,10 @@ public class AuthTokenAuthenticationBackend implements AuthenticationBackend {
public void authenticate(AuthCredentials credentials, Consumer<User> onSuccess, Consumer<Exception> onFailure) {
try {
authTokenService.getByClaims(credentials.getClaims(), (authToken) -> {
if (authToken.isRevoked()) {
onFailure.accept(new ElasticsearchSecurityException("Auth token " + authToken.getId() + " has been revoked"));
}
if (authToken.getBase().getConfigVersions() == null && authToken.getRequestedPrivileges().isTotalWildcard()) {
// This auth token has no restrictions and no snapshotted base. We can use the current roles. Thus, we can completely initialize the user
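Review bot: The revocation branch on lines 11-13 calls `onFailure.accept(...)` but never returns, so execution falls through to the `if` on line 14 and, for a revoked token whose base has no config versions and whose requested privileges are a total wildcard, the same callback apparently continues into the path that builds and hands over the user — which would fire both callbacks and defeat the check for exactly the case this commit targets. Add `return;` directly after the `onFailure.accept(...)` call (or make line 14 an `else if`) so a revoked token can never reach the success path. The remainder of the `getByClaims` callback and of `authenticate` lies outside the hunk, so I cannot rule out a later guard, but a failure callback followed by further processing is worth closing at the source. A comment stating whether `isRevoked()` reflects cluster-wide state synchronously would also help, given that the integration test sleeps 100 ms before asserting rejection on the other nodes.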
......@@ -15,10 +15,12 @@
package com.floragunn.searchguard.authtoken;
import java.io.IOException;
import java.util.Collections;
import java.util.Map;
import org.apache.http.HttpStatus;
import org.apache.http.message.BasicHeader;
import org.elasticsearch.ElasticsearchStatusException;
import org.elasticsearch.action.index.IndexRequest;
import org.elasticsearch.action.search.SearchRequest;
import org.elasticsearch.action.search.SearchResponse;
......@@ -28,6 +30,7 @@ import org.elasticsearch.client.RequestOptions;
import org.elasticsearch.client.RestHighLevelClient;
import org.elasticsearch.common.xcontent.XContentType;
import org.elasticsearch.index.query.QueryBuilders;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.search.builder.SearchSourceBuilder;
import org.junit.Assert;
import org.junit.BeforeClass;
......@@ -445,6 +448,61 @@ public class AuthTokenIntegrationTest {
for (LocalEsCluster.Node node : cluster.nodes()) {
try (RestHighLevelClient client = node.getRestHighLevelClient(new BasicHeader("Authorization", "Bearer " + token))) {
SearchResponse searchResponse = client.search(new SearchRequest("pub_test_allow_because_from_token")
.source(SearchSourceBuilder.searchSource().query(QueryBuilders.matchAllQuery())), RequestOptions.DEFAULT);
Assert.fail(searchResponse.toString());
} catch (ElasticsearchStatusException e) {
Assert.assertEquals(e.getMessage(), RestStatus.UNAUTHORIZED, e.status());
}
}
}
}
@Test
public void revocationWithoutSpecialPrivsTest() throws Exception {
TestSgConfig sgConfig = AuthTokenIntegrationTest.sgConfig.clone()
.sgConfigSettings("sg_config.dynamic.auth_token_provider.exclude_cluster_permissions", Collections.emptyList());
try (LocalCluster cluster = new LocalCluster.Builder().nodeSettings("searchguard.restapi.roles_enabled.0", "sg_admin").resources("authtoken")
.sslEnabled().sgConfig(sgConfig).build(); GenericRestClient restClient = cluster.getRestClient("spock", "spock")) {
try (Client client = cluster.getInternalNodeClient()) {
client.index(new IndexRequest("pub_test_allow_because_from_token").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source(XContentType.JSON,
"this_is", "allowed")).actionGet();
}
CreateAuthTokenRequest request = new CreateAuthTokenRequest(RequestedPrivileges.totalWildcard());
request.setTokenName("my_new_token_without_special_privs");
request.setFreezePrivileges(false);
HttpResponse response = restClient.postJson("/_searchguard/authtoken", request.toJson());
Assert.assertEquals(200, response.getStatusCode());
String token = response.toJsonNode().get("token").asText();
String id = response.toJsonNode().get("id").asText();
Assert.assertNotNull(token);
Assert.assertNotNull(id);
for (LocalEsCluster.Node node : cluster.nodes()) {
try (RestHighLevelClient client = node.getRestHighLevelClient(new BasicHeader("Authorization", "Bearer " + token))) {
SearchResponse searchResponse = client.search(new SearchRequest("pub_test_allow_because_from_token")
.source(SearchSourceBuilder.searchSource().query(QueryBuilders.matchAllQuery())), RequestOptions.DEFAULT);
Assert.assertEquals(1, searchResponse.getHits().getTotalHits().value);
Assert.assertEquals("allowed", searchResponse.getHits().getAt(0).getSourceAsMap().get("this_is"));
}
}
response = restClient.delete("/_searchguard/authtoken/" + id);
Assert.assertEquals(response.getBody(), 200, response.getStatusCode());
Thread.sleep(100);
for (LocalEsCluster.Node node : cluster.nodes()) {
try (RestHighLevelClient client = node.getRestHighLevelClient(new BasicHeader("Authorization", "Bearer " + token))) {
try {
......@@ -452,11 +510,12 @@ public class AuthTokenIntegrationTest {
.source(SearchSourceBuilder.searchSource().query(QueryBuilders.matchAllQuery())), RequestOptions.DEFAULT);
Assert.fail(searchResponse.toString());
} catch (Exception e) {
Assert.assertTrue(e.getMessage(), e.getMessage().contains("no permissions for [indices:data/read/search]"));
} catch (ElasticsearchStatusException e) {
Assert.assertEquals(e.getMessage(), RestStatus.UNAUTHORIZED, e.status());
}
}
}
}
}
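Review bot: The fixed `Thread.sleep(100)` on line 77 before the post-revocation loop on lines 78-90 makes the test timing-dependent: if revocation of token `id` reaches the other nodes asynchronously (the sleep suggests it does), a slow node produces a spurious failure, while a fast one says nothing about how long a revoked token actually remains usable. Polling each node until it answers 401, with a deadline, removes the race and keeps the assertion meaningful; the catch narrowed to `ElasticsearchStatusException` on lines 86-87 fits into that loop unchanged. If revocation is in fact applied synchronously on the DELETE, the sleep should be dropped and a comment such as `// revocation takes effect immediately on all nodes` should say so instead. The `SearchRequest` line that opens the statement continued on line 82 falls between the two hunks and is not shown.
```java
// … unchanged: token creation, positive search on every node, DELETE /_searchguard/authtoken/{id} …
// Revocation may propagate to the other nodes asynchronously; poll with a deadline instead of a fixed sleep.
long deadline = System.currentTimeMillis() + 5000;
for (LocalEsCluster.Node node : cluster.nodes()) {
    try (RestHighLevelClient client = node.getRestHighLevelClient(new BasicHeader("Authorization", "Bearer " + token))) {
        while (true) {
            try {
                SearchResponse searchResponse = client.search(new SearchRequest("pub_test_allow_because_from_token")
                        .source(SearchSourceBuilder.searchSource().query(QueryBuilders.matchAllQuery())), RequestOptions.DEFAULT);
                if (System.currentTimeMillis() > deadline) {
                    Assert.fail("Revoked token " + id + " still accepted on " + node + ": " + searchResponse);
                }
                Thread.sleep(50);
            } catch (ElasticsearchStatusException e) {
                Assert.assertEquals(e.getMessage(), RestStatus.UNAUTHORIZED, e.status());
                break;
            }
        }
    }
}
```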