Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[WIP] OIDC Realm JWT+JWS related functionality #37272

Closed

Conversation

jkakavas
Copy link
Member

@jkakavas jkakavas commented Jan 9, 2019

This is smaller than it looks as it contains the changes from #37009 , it will be easier to review this one once 37009 is merged.

Introduces necessary functionality for parsing JSON Web Tokens and validating their signatures. This is heavily geared towards parsing OpenID Connect ID Tokens

  • Supports all signing algorithms defined in JWA apart from PS384 and PS512 that require JDK11 or the use of BouncyCastle Security Provider.
  • Offers functionality for signing JWT with the aforementioned algorithms mainly for testing purposes, as an OpenID connect RP doesn't usually need to sign any JWT
  • Adds functionality to PemUtils for reading public key files from disk
  • Encryption ( decryption ) - JWE is not handled in this PR

Depends on: #37009
Relates: #35339

@jkakavas jkakavas added >feature v7.0.0 :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) labels Jan 9, 2019
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-security

@albertzaharovits
Copy link
Contributor

Why aren't we using https://connect2id.com/products/nimbus-jose-jwt I noticed it is already pulled in as a transitive dependency prob for kerberos ./gradlew :x-pack:plugin:security:dependencies

@jkakavas
Copy link
Member Author

Why aren't we using https://connect2id.com/products/nimbus-jose-jwt

To be honest, I don't have a perfectly valid excuse. I didn't come across it in the beginning when looking through candidate libraries and as such evaluated only jjwt which lacks support for JDK9+ and java-jwt whis is only tested with java 8. Also, we have been traditionally reluctant to bringing in dependencies and the scope of this work seemed to be just not large enough to justify the effort. Finally, there will not be any need to implement cryptographic primitives here, so I evaluated the risk of a significant implementation error to be low enough.

Still, I will not object too much if we feel like nimbus-jose-jwt is a better option. I've come across the implementation lately, when looking into JWE implementations and I think it's a solid one. The only "issue" I see is that it depends on json-smart which we would need to bring in also. Can I elicit additional opinions here: @jaymode , @tvernum ?

I noticed it is already pulled in as a transitive dependency prob for kerberos ./gradlew :x-pack:plugin:security:dependencies

We use it as a test dependency only, for Kerberos tests, we don't ship it with Elasticsearch.

pgomulka and others added 3 commits January 17, 2019 09:10
…ic#37523)

Adding the migration guide and removing the deprecated in 6.x
constructor

relates elastic#35560
relates elastic#34488
* SQL: Rename SQL data type DATE to DATETIME

SQL data type DATE has only the date part (e.g.: 2019-01-14)
without any time information. Previously the SQL type DATE was
referring to the ES DATE which contains also the time part along
with TZ information. To conform with SQL data types the data type
`DATE` is renamed to `DATETIME`, since it includes also the time,
as a new runtime SQL `DATE` data type will be introduced down the road,
which only contains the date part and meets the SQL standard.

Closes: elastic#36440

* Address comments
ywelsch and others added 23 commits January 18, 2019 16:36
Some tests (e.g. testRestoreIndexWithShardsMissingInLocalGateway) were split-braining since
being switched to Zen2 because the bootstrap setting was left around when nodes got restarted
with data folders wiped.

The test in question here was starting one node (which autobootstrapped to that single node), then
another node. The first node was then shut down (after excluding it from the voting configuration),
its data folder wiped, and restarted. After restart, the node had an empty data folder yet
initial_master_nodes set to itself (i.e. same name). This made the node sometimes form a cluster of
its own, and not rejoin the existing cluster with the other node.
* Add ccr follow info api

This api returns all follower indices and per follower index
the provided parameters at put follow / resume follow time and
whether index following is paused or active.

Closes elastic#37127

* iter

* [DOCS] Edits the get follower info API

* [DOCS] Fixes link to remote cluster

* [DOCS] Clarifies descriptions for configured parameters
This adds deprecation to _type in the script contexts for ingest and update. 
This adds a DeprecationMap that wraps the ctx Map containing _type for these 
specific contexts.
Fixes ``./gradlew eclipse` failure introduced in 6d99e79
Throws an exception if hit extractor tries to retrieve unsupported
object. For example, selecting "a" from `{"a": {"b": "c"}}` now throws
an exception instead of returning null.

Relates to elastic#37364
This commit updates the contribution docs to include java11 as a requirement for building and testing Elasticsearch.
This change fixes the setup of the SSL configuration for the test
openldap realm. The configuration was missing the realm identifier so
the SSL settings being used were just the default JDK ones that do not
trust the certificate of the idp fixture.

See elastic#37591
This commit updates the file docker's entrypoint script looks for when
deciding to process the ELASTIC_PASSWORD env var. The x-pack subdir
of bin no longer exists in 7.0, where the backcompat layer for x-pack
script locations was removed.

closes elastic#37240
This change adds the unfollow action for CCR follower indices.

This is needed for the shrink action in case an index is a follower index.
This will give the follower index the opportunity to fully catch up with
the leader index, pause index following and unfollow the leader index.
After this the shrink action can safely perform the ilm shrink.

The unfollow action needs to be added to the hot phase and acts as
barrier for going to the next phase (warm or delete phases), so that
follower indices are being unfollowed properly before indices are expected
to go in read-only mode. This allows the force merge action to execute
its steps safely.

The unfollow action has three steps:
* `wait-for-indexing-complete` step: waits for the index in question
  to get the `index.lifecycle.indexing_complete` setting be set to `true`
* `wait-for-follow-shard-tasks` step: waits for all the shard follow tasks
  for the index being handled to report that the leader shard global checkpoint
  is equal to the follower shard global checkpoint.
* `pause-follower-index` step: Pauses index following, necessary to unfollow
* `close-follower-index` step: Closes the index, necessary to unfollow
* `unfollow-follower-index` step: Actually unfollows the index using 
  the CCR Unfollow API
* `open-follower-index` step: Reopens the index now that it is a normal index
* `wait-for-yellow` step: Waits for primary shards to be allocated after
  reopening the index to ensure the index is ready for the next step

In the case of the last two steps, if the index in being handled is
a regular index then the steps acts as a no-op.

Relates to elastic#34648

Co-authored-by: Martijn van Groningen <martijn.v.groningen@gmail.com>
Co-authored-by: Gordon Brown <gordon.brown@elastic.co>
From elastic#29453 and elastic#37285, the `include_type_name` parameter was already present and defaulted to false. This PR makes the following updates:
- Add deprecation warnings to `RestPutMappingAction`, plus tests in `RestPutMappingActionTests`.
- Add a typeless 'put mappings' method to the Java HLRC, and deprecate the old typed version. To do this cleanly, I opted to create a new `PutMappingRequest` object that differs from the existing server one.
…37483)

* ML: creating ML State write alias and pointing writes there

* Moving alias check to openJob method

* adjusting concrete index lookup for ml-state
Single bucket aggs are now supported in datafeed aggregation configurations.
* Remove obsolete deprecation checks

This also updates the old-indices check to be appropriate for the 7.x
series of releases, and leaves it as the only deprecation check in
place.

* Add toString to DeprecationIssue

* Bring filterChecks across from 6.x

* License headers
To make further refactoring of GeoGrid aggregations
easier (related: elastic#30320), splitting out these inner
class dependencies into their own files makes it
easier to map the relationship between classes
This commit optimizes some of the performance issues from using
deprecation logging:
 - we optimize encoding the deprecation value
 - we optimize formatting the deprecation string
 - we optimize away getting the current time (by using cached startup
   time)
This is related to elastic#35975. This commit adds timeout functionality to
the local session on a leader node. When a session is started, a timeout
is scheduled using a repeatable runnable. If the session is not accessed
in between two runs the session is closed. When the sssion is closed,
the repeating task is cancelled.

Additionally, this commit moves session uuid generation to the leader
cluster. And renames the PutCcrRestoreSessionRequest to
StartCcrRestoreSessionRequest to reflect that change.
Currently we add the CcrRestoreSourceService as a index event
listener. However, if ccr is disabled, this service is null and we
attempt to add a null listener throwing an exception. This commit only
adds the listener if ccr is enabled.
The subparser in get users allows for unknown fields. This commit sets
the value to true for the parser and modifies the test such that it
accurately tests it.

Relates elastic#36938
With the release of 11.0.2, the old URLs no longer work. This exposed a
few small bugs in the gradle config. One was that --no-cache was not
present in the docker build command, so it was not failing at
first. Then once only the ext.expansions was changed and the docker
build task was not, it was not executing it.
The ML subproject of xpack has a cache for the cpp artifact snapshots
which is checked on each build. The cache is outside of the build dir so
that it is not wiped on a typical clean, as the artifacts can be large
and do not change often. This commit adds a cleanCache task which will
wipe the cache dir, as over time the size of the directory can become
bloated.
Removes all sensitive settings (passwords, auth tokens, urls, etc...) for
watcher notifications accounts. These settings were deprecated (and
herein removed) in favor of their secure sibling that is set inside the
elasticsearch keystore. For example:
`xpack.notification.email.account.<id>.smtp.password`
is no longer a valid setting, and it is replaced by
`xpack.notification.email.account.<id>.smtp.secure_password`
@jkakavas jkakavas changed the title OIDC Realm JWT+JWS related functionality [WIP] OIDC Realm JWT+JWS related functionality Jan 20, 2019
@jkakavas jkakavas added the WIP label Jan 20, 2019
This commit adds

* An OpenID Connect Realm definition
* Necessary OpenID Connect Realm settings to support Authorization code
 grant and Implicit grant flows
* Rest and Transport Action and Request/Response objects for initiating and
 completing the authentication flow
* Functionality for generating OIDC Authentication Request URIs Unit tests

Notably missing (to be handled in subsequent PRs):
* The actual implementation of the authentication flows
* Necessary JW{T,S,E} functionality

Relates: elastic#35339
@jkakavas
Copy link
Member Author

Closing in favor of #37787

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
>feature :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) v7.0.0-beta1 WIP
Projects
None yet
Development

Successfully merging this pull request may close these issues.