GitLab

Introduces a new REST API which allows users to create auth tokens. These tokens can be used for authenticating the user at Search Guard without having to use the normal user credentials. This is typically used by external tools which authenticate ob behalf of the user.

Auth tokens can have restricted permissions and a restricted lifetime.

This allows providing alternative tenant permission data via the SpecialPrivilegesEvaluationContextProvider interface.

This changes the authcz process from synchronous operation to callback-based async operation. This allows to perform ES operations during the authcz process.

This introduces a new mechanism for providing privileges in other ways than standard role definitions.

This is used for the `InternalAuthTokenProvider` (used by Signals) and will be used by the new API auth token feature.

This reverts commit e0941d4c.

Revert "Merge branch 'pkcs1-support' into 'master'"

See merge request search-guard/search-guard-suite!82

This reverts merge request !73

Add support for PKCS#1 keys

See merge request search-guard/search-guard-suite!73

Bump BC to 1.67 because of issues with OpenBSDBcrypt handling nested BER data

See merge request search-guard/search-guard-suite!80

* master:
  CIDR nets were not correctly covered. Fixed.
  Bumped Guava version
  Lowered unit test log levels
  Check and disable keystore type BKS-V1
  Implemented enabled_only_for_hosts for authc domains
  Lowered log level
  Removed debug output
  Fixed test
  Let selected thread context headers pass. WIP.
  Only use single node for BksTest to avoid thread interferences
  Moved testBksUnsupported to own class to avoid multithreading inference
  Make sure that the BKS-V1 keystore format is not supported

# Conflicts:
#	security/src/test/java/com/floragunn/searchguard/ssl/SSLTest.java

CIDR nets were not correctly covered. Fixed.

See merge request search-guard/search-guard-suite!79

Make sure that the BKS-V1 keystore format is not supported

See merge request search-guard/search-guard-suite!70

This type is unsecure and should not be used for this reason

Introduced searchguard.allow_custom_headers setting

See merge request search-guard/search-guard-suite!72

Lowered log level for No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic' message

See merge request search-guard/search-guard-suite!75

Implemented enabled_only_for_hosts for authc domains

See merge request search-guard/search-guard-suite!76

- Address https://git.floragunn.com/search-guard/search-guard-suite/-/issues/3
- General cleanup of DefaultSearchGuardKeystore (var names, docs added, unused code removed)
- Add new new Parameter "show_full_server_certs" to SSLInfoAction so that the full chain can be retrieved
- General cleanup of PemKeyReader (unused code removed, parse keys with BC only)
- Tests for reading pem keys added (RSA, EC, DSA, PKCS1, PCKS8 with and without passwords)
- Tests fixed

Additionally, some minor optimizations for IP-based blocking