Revert "Fix Active Directory tests (#47266)"

This reverts commit b917b57dfe45148917232fe13dd2b6c791f34c3f.

x-pack/plugin/security/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/samba4.crt

@@ -1,22 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDoDCCAoigAwIBAgIUMVGoHuyNTjTFaoRmqFELz75jzDEwDQYJKoZIhvcNAQEL
-BQAwNDEyMDAGA1UEAxMpRWxhc3RpYyBDZXJ0aWZpY2F0ZSBUb29sIEF1dG9nZW5l
-cmF0ZWQgQ0EwHhcNMTgwMjE1MTc0OTExWhcNMjEwMjE0MTc0OTExWjARMQ8wDQYD
-VQQDEwZzYW1iYTQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtGBwa
-n+7JN2vweSUsYh4zPmh8RPIE+nEVjK1lx/rADUBY7UVjfTYC+MVKKiezZe7gYCNT
-7JNKazPpgVI9e3ZFKw/UxomLqRuuvn5bTh+1tMs3afY5+GGzi7oPmEbBO3ceg0Hi
-rNSTDa1rfroZnRYK8uIeSZacQnAW90plITI7rBBt9jq+W9albFbDybfDgNv+yS/C
-rzIsofm4rbFC3SMRYfrT6HvwDhjOmmYKZci5x7tsn0T+3tSiR44Bw5/DgiN5kX3m
-/kl9qg1eoYWbCUy1dKmQlb4Nb4uNcxrIugLB3zjBkfhMZ0OHoveKh/lJASTWik9k
-xQ9rEYbpsRbuXpsHAgMBAAGjgcwwgckwHQYDVR0OBBYEFJOLa7UXKtLPibgKeFh7
-Kq1+rS0/MG8GA1UdIwRoMGaAFGaNmN5mi9jaMW25MEWYgt+5OkDBoTikNjA0MTIw
-MAYDVQQDEylFbGFzdGljIENlcnRpZmljYXRlIFRvb2wgQXV0b2dlbmVyYXRlZCBD
-QYIUdwsnIxjgSneHNVKT6JNCCsrQ3T0wLAYDVR0RBCUwI4IJbG9jYWxob3N0hwR/
-AAABhxAAAAAAAAAAAAAAAAAAAAABMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQAD
-ggEBAEHqT1WHkcF8DuOgyIBx7wKcUVQ5H1qYYlJ1xgMGrKFFZLUzouLcON7oadEu
-HLIJ4Z3AKD3bqWpcls5XJ9MTECGR48tou67x9cXqTV7jR3Rh0H/VGwzwhR85vbpu
-o8ielOPL8XAQOfnAFESJii5sfCU4ZwLg+3evmGZdKfhU6rqQtLimgG/Gm96vOJne
-y0a/TZTWrfAarithkOHHXSSAhEI5SdW5SlZAytF4AmYqFvafwxe1+NyFwfCRy0Xl
-H40WgVsq+z84psU+WyORb3THX5rgB4au9nuMXOqFKAtrJSI/uApncYraaqU28rqB
-gYd8XrtjhKOLw+6viqAKu8l7/cs=
------END CERTIFICATE-----

x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ADLdapUserSearchSessionFactoryTests.java

@@ -6,6 +6,7 @@
 package org.elasticsearch.xpack.security.authc.ldap;
 
 import org.elasticsearch.action.support.PlainActionFuture;
+import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.settings.SecureString;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
@@ -14,8 +15,10 @@ import org.elasticsearch.env.TestEnvironment;
 import org.elasticsearch.threadpool.TestThreadPool;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.xpack.core.security.authc.RealmConfig;
+import org.elasticsearch.xpack.core.security.authc.ldap.support.LdapSearchScope;
 import org.elasticsearch.xpack.core.ssl.SSLService;
 import org.elasticsearch.xpack.security.authc.ldap.support.LdapSession;
+import org.elasticsearch.xpack.security.authc.ldap.support.LdapTestCase;
 import org.elasticsearch.xpack.security.authc.ldap.support.SessionFactory;
 import org.junit.After;
 import org.junit.Before;
@@ -46,7 +49,7 @@ public class ADLdapUserSearchSessionFactoryTests extends AbstractActiveDirectory
 
         globalSettings = Settings.builder()
             .put("path.home", createTempDir())
-            .put("xpack.security.authc.realms.ldap.ad-as-ldap-test.ssl.certificate_authorities", certPath)
+            .put("xpack.security.authc.realms.active_directory.ad.ssl.certificate_authorities", certPath)
             .build();
         sslService = new SSLService(globalSettings, env);
         threadPool = new TestThreadPool("ADLdapUserSearchSessionFactoryTests");
@@ -57,12 +60,15 @@ public class ADLdapUserSearchSessionFactoryTests extends AbstractActiveDirectory
         terminate(threadPool);
     }
 
+    @AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/issues/35738")
     public void testUserSearchWithActiveDirectory() throws Exception {
         String groupSearchBase = "DC=ad,DC=test,DC=elasticsearch,DC=com";
         String userSearchBase = "CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com";
         Settings settings = Settings.builder()
-                .put("url", ActiveDirectorySessionFactoryTests.AD_LDAP_URL)
-                .put("group_search.base_dn", groupSearchBase)
+                .put(LdapTestCase.buildLdapSettings(
+                        new String[] { ActiveDirectorySessionFactoryTests.AD_LDAP_URL },
+                        Strings.EMPTY_ARRAY, groupSearchBase, LdapSearchScope.SUB_TREE, null,
+                        true))
                 .put("user_search.base_dn", userSearchBase)
                 .put("bind_dn", "ironman@ad.test.elasticsearch.com")
                 .put("bind_password", ActiveDirectorySessionFactoryTests.PASSWORD)
@@ -73,13 +79,13 @@ public class ADLdapUserSearchSessionFactoryTests extends AbstractActiveDirectory
         Settings.Builder builder = Settings.builder()
                 .put(globalSettings);
         settings.keySet().forEach(k -> {
-            builder.copy("xpack.security.authc.realms.ldap.ad-as-ldap-test." + k, k, settings);
+            builder.copy("xpack.security.authc.realms.ad-as-ldap-test." + k, k, settings);
 
         });
         Settings fullSettings = builder.build();
         sslService = new SSLService(fullSettings, TestEnvironment.newEnvironment(fullSettings));
-        RealmConfig config = new RealmConfig(new RealmConfig.RealmIdentifier("ldap", "ad-as-ldap-test"), fullSettings,
-                TestEnvironment.newEnvironment(fullSettings), new ThreadContext(fullSettings));
+        RealmConfig config = new RealmConfig(new RealmConfig.RealmIdentifier("ad", "ad-as-ldap-test"), globalSettings,
+                TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings));
         LdapUserSearchSessionFactory sessionFactory = getLdapUserSearchSessionFactory(config, sslService, threadPool);
 
         String user = "Bruce Banner";

x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/AbstractActiveDirectoryTestCase.java

@@ -84,10 +84,10 @@ public abstract class AbstractActiveDirectoryTestCase extends ESTestCase {
         Settings.Builder builder = Settings.builder().put("path.home", createTempDir());
 
         // fake realms so ssl will get loaded
-        builder.putList("xpack.security.authc.realms.active_directory.foo.ssl.certificate_authorities", certificatePaths);
-        builder.put("xpack.security.authc.realms.active_directory.foo.ssl.verification_mode", VerificationMode.FULL);
-        builder.putList("xpack.security.authc.realms.active_directory.bar.ssl.certificate_authorities", certificatePaths);
-        builder.put("xpack.security.authc.realms.active_directory.bar.ssl.verification_mode", VerificationMode.CERTIFICATE);
+        builder.putList("xpack.security.authc.realms.foo.ssl.certificate_authorities", certificatePaths);
+        builder.put("xpack.security.authc.realms.foo.ssl.verification_mode", VerificationMode.FULL);
+        builder.putList("xpack.security.authc.realms.bar.ssl.certificate_authorities", certificatePaths);
+        builder.put("xpack.security.authc.realms.bar.ssl.verification_mode", VerificationMode.CERTIFICATE);
         globalSettings = builder.build();
         Environment environment = TestEnvironment.newEnvironment(globalSettings);
         sslService = new SSLService(globalSettings, environment);

x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/AbstractAdLdapRealmTestCase.java

@@ -24,6 +24,7 @@ import org.elasticsearch.test.SecurityIntegTestCase;
 import org.elasticsearch.xpack.core.security.action.rolemapping.PutRoleMappingRequestBuilder;
 import org.elasticsearch.xpack.core.security.action.rolemapping.PutRoleMappingResponse;
 import org.elasticsearch.xpack.core.security.authc.ldap.ActiveDirectorySessionFactorySettings;
+import org.elasticsearch.xpack.core.security.authc.ldap.LdapRealmSettings;
 import org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken;
 import org.elasticsearch.xpack.security.support.SecurityIndexManager;
 import org.junit.After;
@@ -48,7 +49,6 @@ import java.util.function.Supplier;
 import java.util.stream.Collectors;
 
 import static org.elasticsearch.common.xcontent.XContentFactory.jsonBuilder;
-import static org.elasticsearch.xpack.core.security.authc.RealmSettings.getFullSettingKey;
 import static org.elasticsearch.xpack.core.security.authc.ldap.support.LdapSearchScope.ONE_LEVEL;
 import static org.elasticsearch.xpack.core.security.authc.ldap.support.LdapSearchScope.SUB_TREE;
 import static org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken.BASIC_AUTH_HEADER;
@@ -65,8 +65,7 @@ import static org.hamcrest.Matchers.equalTo;
  */
 public abstract class AbstractAdLdapRealmTestCase extends SecurityIntegTestCase {
 
-    public static final String XPACK_SECURITY_AUTHC_REALMS_AD_EXTERNAL = "xpack.security.authc.realms.active_directory.external";
-    public static final String XPACK_SECURITY_AUTHC_REALMS_LDAP_EXTERNAL = "xpack.security.authc.realms.ldap.external";
+    public static final String XPACK_SECURITY_AUTHC_REALMS_EXTERNAL = "xpack.security.authc.realms.external";
     public static final String PASSWORD = AbstractActiveDirectoryTestCase.PASSWORD;
     public static final String ASGARDIAN_INDEX = "gods";
     public static final String PHILANTHROPISTS_INDEX = "philanthropists";
@@ -126,13 +125,13 @@ public abstract class AbstractAdLdapRealmTestCase extends SecurityIntegTestCase
         Settings.Builder builder = Settings.builder();
         // don't use filter since it returns a prefixed secure setting instead of mock!
         Settings settingsToAdd = super.nodeSettings(nodeOrdinal);
-        builder.put(settingsToAdd.filter(k -> k.startsWith("xpack.security.transport.ssl.") == false), false);
+        builder.put(settingsToAdd.filter(k -> k.startsWith("xpack.transport.security.ssl.") == false), false);
         MockSecureSettings mockSecureSettings = (MockSecureSettings) Settings.builder().put(settingsToAdd).getSecureSettings();
         if (mockSecureSettings != null) {
             MockSecureSettings filteredSecureSettings = new MockSecureSettings();
             builder.setSecureSettings(filteredSecureSettings);
             for (String secureSetting : mockSecureSettings.getSettingNames()) {
-                if (secureSetting.startsWith("xpack.security.transport.ssl.") == false) {
+                if (secureSetting.startsWith("xpack.transport.security.ssl.") == false) {
                     SecureString secureString = mockSecureSettings.getString(secureSetting);
                     if (secureString == null) {
                         final byte[] fileBytes;
@@ -165,7 +164,7 @@ public abstract class AbstractAdLdapRealmTestCase extends SecurityIntegTestCase
         certificateAuthorities) {
         Settings.Builder builder = Settings.builder();
         builder.put(realm.buildSettings(certificateAuthorities));
-        configureFileRoleMappings(builder, realm.type, roleMappingEntries);
+        configureFileRoleMappings(builder, roleMappingEntries);
         return builder.build();
     }
 
@@ -213,11 +212,11 @@ public abstract class AbstractAdLdapRealmTestCase extends SecurityIntegTestCase
                 .collect(Collectors.toList());
     }
 
-    protected final void configureFileRoleMappings(Settings.Builder builder, String realmType, List<RoleMappingEntry> mappings) {
+    protected final void configureFileRoleMappings(Settings.Builder builder, List<RoleMappingEntry> mappings) {
         String content = getRoleMappingContent(RoleMappingEntry::getFileContent, mappings).stream().collect(Collectors.joining("\n"));
         Path nodeFiles = createTempDir();
         String file = writeFile(nodeFiles, "role_mapping.yml", content);
-        builder.put("xpack.security.authc.realms." + realmType + ".external.files.role_mapping", file);
+        builder.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".files.role_mapping", file);
     }
 
     @Override
@@ -288,11 +287,11 @@ public abstract class AbstractAdLdapRealmTestCase extends SecurityIntegTestCase
 
     private void addSslSettingsForKeyPair(Settings.Builder builder, Path key, String keyPassphrase, Path cert,
                                           List<String> certificateAuthorities) {
-        builder.put("xpack.security.transport.ssl.key", key)
-            .put("xpack.security.transport.ssl.key_passphrase", keyPassphrase)
-            .put("xpack.security.transport.ssl.verification_mode", "certificate")
-            .put("xpack.security.transport.ssl.certificate", cert)
-            .putList("xpack.security.transport.ssl.certificate_authorities", certificateAuthorities);
+        builder.put("xpack.transport.security.ssl.key", key)
+            .put("xpack.transport.security.ssl.key_passphrase", keyPassphrase)
+            .put("xpack.transport.security.ssl.verification_mode", "certificate")
+            .put("xpack.transport.security.ssl.certificate", cert)
+            .putList("xpack.transport.security.ssl.certificate_authorities", certificateAuthorities);
     }
 
     /**
@@ -377,55 +376,57 @@ public abstract class AbstractAdLdapRealmTestCase extends SecurityIntegTestCase
 
         AD(false, AD_ROLE_MAPPING,
                 Settings.builder()
-                    .put(XPACK_SECURITY_AUTHC_REALMS_AD_EXTERNAL + ".domain_name", ActiveDirectorySessionFactoryTests.AD_DOMAIN)
-                    .put(XPACK_SECURITY_AUTHC_REALMS_AD_EXTERNAL
+                        .put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".type", LdapRealmSettings.AD_TYPE)
+                        .put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".domain_name", ActiveDirectorySessionFactoryTests.AD_DOMAIN)
+                        .put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL
                                 + ".group_search.base_dn", "CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com")
-                    .put(XPACK_SECURITY_AUTHC_REALMS_AD_EXTERNAL + ".group_search.scope", randomBoolean() ? SUB_TREE : ONE_LEVEL)
-                    .put(XPACK_SECURITY_AUTHC_REALMS_AD_EXTERNAL + ".url", ActiveDirectorySessionFactoryTests.AD_LDAP_URL)
-                    .put(XPACK_SECURITY_AUTHC_REALMS_AD_EXTERNAL + ".follow_referrals",
+                        .put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".group_search.scope", randomBoolean() ? SUB_TREE : ONE_LEVEL)
+                        .put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".url", ActiveDirectorySessionFactoryTests.AD_LDAP_URL)
+                        .put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".follow_referrals",
                                 ActiveDirectorySessionFactoryTests.FOLLOW_REFERRALS)
-                    .put(getFullSettingKey("external",ActiveDirectorySessionFactorySettings.AD_LDAP_PORT_SETTING), AD_LDAP_PORT)
-                    .put(getFullSettingKey("external",ActiveDirectorySessionFactorySettings.AD_LDAPS_PORT_SETTING), AD_LDAPS_PORT)
-                    .put(getFullSettingKey("external",ActiveDirectorySessionFactorySettings.AD_GC_LDAP_PORT_SETTING), AD_GC_LDAP_PORT)
-                    .put(getFullSettingKey("external",ActiveDirectorySessionFactorySettings.AD_GC_LDAPS_PORT_SETTING), AD_GC_LDAPS_PORT)
-                    .build(),
-            "active_directory"),
+                        .put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + "." +
+                                ActiveDirectorySessionFactorySettings.AD_LDAP_PORT_SETTING.getKey(), AD_LDAP_PORT)
+                        .put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + "." +
+                                ActiveDirectorySessionFactorySettings.AD_LDAPS_PORT_SETTING.getKey(), AD_LDAPS_PORT)
+                        .put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + "." +
+                                ActiveDirectorySessionFactorySettings.AD_GC_LDAP_PORT_SETTING.getKey(), AD_GC_LDAP_PORT)
+                        .put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + "." +
+                                ActiveDirectorySessionFactorySettings.AD_GC_LDAPS_PORT_SETTING.getKey(), AD_GC_LDAPS_PORT)
+                        .build()),
 
         AD_LDAP_GROUPS_FROM_SEARCH(true, AD_ROLE_MAPPING,
                 Settings.builder()
-                    .put(XPACK_SECURITY_AUTHC_REALMS_LDAP_EXTERNAL + ".url", ActiveDirectorySessionFactoryTests.AD_LDAP_URL)
-                    .put(XPACK_SECURITY_AUTHC_REALMS_LDAP_EXTERNAL
+                        .put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".type", LdapRealmSettings.LDAP_TYPE)
+                        .put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".url", ActiveDirectorySessionFactoryTests.AD_LDAP_URL)
+                        .put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL
                                 + ".group_search.base_dn", "CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com")
-                    .put(XPACK_SECURITY_AUTHC_REALMS_LDAP_EXTERNAL + ".group_search.scope", randomBoolean() ? SUB_TREE : ONE_LEVEL)
-                    .putList(XPACK_SECURITY_AUTHC_REALMS_LDAP_EXTERNAL + ".user_dn_templates",
+                        .put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".group_search.scope", randomBoolean() ? SUB_TREE : ONE_LEVEL)
+                        .putList(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".user_dn_templates",
                                 "cn={0},CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com")
-                    .put(XPACK_SECURITY_AUTHC_REALMS_LDAP_EXTERNAL + ".follow_referrals",
+                        .put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".follow_referrals",
                                 ActiveDirectorySessionFactoryTests.FOLLOW_REFERRALS)
-                    .build(),
-            "ldap"),
+                        .build()),
 
         AD_LDAP_GROUPS_FROM_ATTRIBUTE(true, AD_ROLE_MAPPING,
                 Settings.builder()
-                    .put(XPACK_SECURITY_AUTHC_REALMS_LDAP_EXTERNAL + ".url", ActiveDirectorySessionFactoryTests.AD_LDAP_URL)
-                    .putList(XPACK_SECURITY_AUTHC_REALMS_LDAP_EXTERNAL + ".user_dn_templates",
+                        .put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".type", LdapRealmSettings.LDAP_TYPE)
+                        .put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".url", ActiveDirectorySessionFactoryTests.AD_LDAP_URL)
+                        .putList(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".user_dn_templates",
                                 "cn={0},CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com")
-                    .put(XPACK_SECURITY_AUTHC_REALMS_LDAP_EXTERNAL + ".follow_referrals",
+                        .put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".follow_referrals",
                                 ActiveDirectorySessionFactoryTests.FOLLOW_REFERRALS)
-                    .build(),
-            "ldap");
+                        .build());
 
-        final String type;
         final boolean mapGroupsAsRoles;
         final boolean loginWithCommonName;
         private final RoleMappingEntry[] roleMappings;
         final Settings settings;
 
-        RealmConfig(boolean loginWithCommonName, RoleMappingEntry[] roleMappings, Settings settings, String type) {
+        RealmConfig(boolean loginWithCommonName, RoleMappingEntry[] roleMappings, Settings settings) {
             this.settings = settings;
             this.loginWithCommonName = loginWithCommonName;
             this.roleMappings = roleMappings;
             this.mapGroupsAsRoles = randomBoolean();
-            this.type = type;
         }
 
         public Settings buildSettings(List<String> certificateAuthorities) {
@@ -435,11 +436,11 @@ public abstract class AbstractAdLdapRealmTestCase extends SecurityIntegTestCase
 
         protected Settings buildSettings(List<String> certificateAuthorities, int order) {
             Settings.Builder builder = Settings.builder()
-                .put("xpack.security.authc.realms." + type + ".external.order", order)
-                .put("xpack.security.authc.realms." + type + ".external.hostname_verification", false)
-                .put("xpack.security.authc.realms." + type + ".external.unmapped_groups_as_roles", mapGroupsAsRoles)
+                .put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".order", order)
+                .put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".hostname_verification", false)
+                .put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".unmapped_groups_as_roles", mapGroupsAsRoles)
                 .put(this.settings)
-                .putList("xpack.security.authc.realms." + type + ".external.ssl.certificate_authorities", certificateAuthorities);
+                .putList(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".ssl.certificate_authorities", certificateAuthorities);
             return builder.build();
         }
 

x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectoryGroupsResolverTests.java

@@ -34,6 +34,7 @@ public class ActiveDirectoryGroupsResolverTests extends GroupsResolverTestCase {
         ldapConnection.getConnectionOptions().setFollowReferrals(AbstractActiveDirectoryTestCase.FOLLOW_REFERRALS);
     }
 
+    @AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/issues/35738")
     public void testResolveSubTree() throws Exception {
         Settings settings = Settings.builder()
                 .put("xpack.security.authc.realms.active_directory.ad.group_search.scope", LdapSearchScope.SUB_TREE)

x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectoryRunAsIT.java

@@ -43,13 +43,13 @@ public class ActiveDirectoryRunAsIT extends AbstractAdLdapRealmTestCase {
         final Settings.Builder builder = Settings.builder().put(super.nodeSettings(nodeOrdinal));
         switch (realmConfig) {
             case AD:
-                builder.put(XPACK_SECURITY_AUTHC_REALMS_AD_EXTERNAL + ".bind_dn", "ironman@ad.test.elasticsearch.com")
-                        .put(XPACK_SECURITY_AUTHC_REALMS_AD_EXTERNAL + ".user_search.pool.enabled", false);
+                builder.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".bind_dn", "ironman@ad.test.elasticsearch.com")
+                        .put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".user_search.pool.enabled", false);
                 if (useLegacyBindPassword) {
-                    builder.put(XPACK_SECURITY_AUTHC_REALMS_AD_EXTERNAL + ".bind_password", ActiveDirectorySessionFactoryTests.PASSWORD);
+                    builder.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".bind_password", ActiveDirectorySessionFactoryTests.PASSWORD);
                 } else {
                     SecuritySettingsSource.addSecureSettings(builder, secureSettings -> {
-                        secureSettings.setString(XPACK_SECURITY_AUTHC_REALMS_AD_EXTERNAL + ".secure_bind_password",
+                        secureSettings.setString(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".secure_bind_password",
                                 ActiveDirectorySessionFactoryTests.PASSWORD);
                     });
                 }
@@ -60,6 +60,7 @@ public class ActiveDirectoryRunAsIT extends AbstractAdLdapRealmTestCase {
         return builder.build();
     }
 
+    @AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/issues/35738")
     public void testRunAs() throws Exception {
         String avenger = realmConfig.loginWithCommonName ? "Natasha Romanoff" : "blackwidow";
         final AuthenticateRequest request = new AuthenticateRequest(avenger);

x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectorySessionFactoryTests.java

@@ -7,6 +7,7 @@ package org.elasticsearch.xpack.security.authc.ldap;
 
 import com.unboundid.ldap.sdk.LDAPException;
 import com.unboundid.ldap.sdk.ResultCode;
+import org.apache.lucene.util.LuceneTestCase;
 import org.elasticsearch.action.support.PlainActionFuture;
 import org.elasticsearch.common.settings.SecureString;
 import org.elasticsearch.common.settings.Settings;
@@ -42,10 +43,11 @@ import static org.hamcrest.Matchers.hasItem;
 import static org.hamcrest.Matchers.instanceOf;
 import static org.hamcrest.Matchers.is;
 
+@LuceneTestCase.AwaitsFix(bugUrl = "ActiveDirectorySessionFactoryTests")
 public class ActiveDirectorySessionFactoryTests extends AbstractActiveDirectoryTestCase {
 
     private static final String REALM_NAME = "ad-test";
-    private static final RealmConfig.RealmIdentifier REALM_ID = new RealmConfig.RealmIdentifier("active_directory", REALM_NAME);
+    private static final RealmConfig.RealmIdentifier REALM_ID = new RealmConfig.RealmIdentifier("ad", REALM_NAME);
     private final SecureString SECURED_PASSWORD = new SecureString(PASSWORD);
     private ThreadPool threadPool;
 
@@ -65,7 +67,7 @@ public class ActiveDirectorySessionFactoryTests extends AbstractActiveDirectoryT
     }
 
     public void testAdAuth() throws Exception {
-        RealmConfig config = configureRealm("ad-test", LdapRealmSettings.AD_TYPE, buildAdSettings(AD_LDAP_URL, AD_DOMAIN, false));
+        RealmConfig config = configureRealm("ad-test", buildAdSettings(AD_LDAP_URL, AD_DOMAIN, false));
         try (ActiveDirectorySessionFactory sessionFactory = getActiveDirectorySessionFactory(config, sslService, threadPool)) {
 
             String userName = "ironman";
@@ -86,21 +88,21 @@ public class ActiveDirectorySessionFactoryTests extends AbstractActiveDirectoryT
         }
     }
 
-    private RealmConfig configureRealm(String name, String type, Settings settings) {
+    private RealmConfig configureRealm(String name, Settings settings) {
         final Environment env = TestEnvironment.newEnvironment(globalSettings);
         final Settings mergedSettings = Settings.builder()
             .put(settings)
-            .normalizePrefix("xpack.security.authc.realms." + type + "." + name + ".")
+            .normalizePrefix("xpack.security.authc.realms." + name + ".")
             .put(globalSettings)
             .build();
         this.sslService = new SSLService(mergedSettings, env);
-        final RealmConfig.RealmIdentifier identifier = new RealmConfig.RealmIdentifier(type, name);
+        final RealmConfig.RealmIdentifier identifier = new RealmConfig.RealmIdentifier(LdapRealmSettings.AD_TYPE, name);
         return new RealmConfig(identifier, mergedSettings, env, new ThreadContext(globalSettings));
     }
 
     public void testNetbiosAuth() throws Exception {
         final String adUrl = randomFrom(AD_LDAP_URL, AD_LDAP_GC_URL);
-        RealmConfig config = configureRealm("ad-test", LdapRealmSettings.AD_TYPE, buildAdSettings(adUrl, AD_DOMAIN, false));
+        RealmConfig config = configureRealm("ad-test", buildAdSettings(adUrl, AD_DOMAIN, false));
         try (ActiveDirectorySessionFactory sessionFactory = getActiveDirectorySessionFactory(config, sslService, threadPool)) {
 
             String userName = "ades\\ironman";
@@ -122,7 +124,7 @@ public class ActiveDirectorySessionFactoryTests extends AbstractActiveDirectoryT
     }
 
     public void testAdAuthAvengers() throws Exception {
-        RealmConfig config = configureRealm("ad-test", LdapRealmSettings.AD_TYPE, buildAdSettings(AD_LDAP_URL, AD_DOMAIN, false));
+        RealmConfig config = configureRealm("ad-test", buildAdSettings(AD_LDAP_URL, AD_DOMAIN, false));
         try (ActiveDirectorySessionFactory sessionFactory = getActiveDirectorySessionFactory(config, sslService, threadPool)) {
 
             String[] users = new String[]{"cap", "hawkeye", "hulk", "ironman", "thor", "blackwidow"};
@@ -138,7 +140,7 @@ public class ActiveDirectorySessionFactoryTests extends AbstractActiveDirectoryT
     public void testAuthenticate() throws Exception {
         Settings settings = buildAdSettings(REALM_ID, AD_LDAP_URL, AD_DOMAIN, "CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com",
                 LdapSearchScope.ONE_LEVEL, false);
-        RealmConfig config = configureRealm("ad-test", LdapRealmSettings.AD_TYPE, settings);
+        RealmConfig config = configureRealm("ad-test", settings);
         try (ActiveDirectorySessionFactory sessionFactory = getActiveDirectorySessionFactory(config, sslService, threadPool)) {
 
             String userName = "hulk";
@@ -161,7 +163,7 @@ public class ActiveDirectorySessionFactoryTests extends AbstractActiveDirectoryT
     public void testAuthenticateBaseUserSearch() throws Exception {
         Settings settings = buildAdSettings(REALM_ID, AD_LDAP_URL, AD_DOMAIN,
                 "CN=Bruce Banner, CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com", LdapSearchScope.BASE, false);
-        RealmConfig config = configureRealm("ad-test", LdapRealmSettings.AD_TYPE, settings);
+        RealmConfig config = configureRealm("ad-test", settings);
         try (ActiveDirectorySessionFactory sessionFactory = getActiveDirectorySessionFactory(config, sslService, threadPool)) {
 
             String userName = "hulk";
@@ -189,7 +191,7 @@ public class ActiveDirectorySessionFactoryTests extends AbstractActiveDirectoryT
                         "CN=Avengers,CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com")
                 .put(ActiveDirectorySessionFactorySettings.AD_GROUP_SEARCH_SCOPE_SETTING, LdapSearchScope.BASE)
                 .build();
-        RealmConfig config = configureRealm("ad-test", LdapRealmSettings.AD_TYPE, settings);
+        RealmConfig config = configureRealm("ad-test", settings);
         try (ActiveDirectorySessionFactory sessionFactory = getActiveDirectorySessionFactory(config, sslService, threadPool)) {
 
             String userName = "hulk";
@@ -205,7 +207,7 @@ public class ActiveDirectorySessionFactoryTests extends AbstractActiveDirectoryT
     public void testAuthenticateWithUserPrincipalName() throws Exception {
         Settings settings = buildAdSettings(REALM_ID, AD_LDAP_URL, AD_DOMAIN, "CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com",
                 LdapSearchScope.ONE_LEVEL, false);
-        RealmConfig config = configureRealm("ad-test", LdapRealmSettings.AD_TYPE, settings);
+        RealmConfig config = configureRealm("ad-test", settings);
         try (ActiveDirectorySessionFactory sessionFactory = getActiveDirectorySessionFactory(config, sslService, threadPool)) {
 
             //Login with the UserPrincipalName
@@ -225,7 +227,7 @@ public class ActiveDirectorySessionFactoryTests extends AbstractActiveDirectoryT
     public void testAuthenticateWithSAMAccountName() throws Exception {
         Settings settings = buildAdSettings(REALM_ID, AD_LDAP_URL, AD_DOMAIN, "CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com",
                 LdapSearchScope.ONE_LEVEL, false);
-        RealmConfig config = configureRealm("ad-test", LdapRealmSettings.AD_TYPE, settings);
+        RealmConfig config = configureRealm("ad-test", settings);
         try (ActiveDirectorySessionFactory sessionFactory = getActiveDirectorySessionFactory(config, sslService, threadPool)) {
 
             //login with sAMAccountName
@@ -250,7 +252,7 @@ public class ActiveDirectorySessionFactoryTests extends AbstractActiveDirectoryT
                 .put(getFullSettingKey(REALM_ID.getName(), ActiveDirectorySessionFactorySettings.AD_USER_SEARCH_FILTER_SETTING),
                         "(&(objectclass=user)(userPrincipalName={0}@ad.test.elasticsearch.com))")
                 .build();
-        RealmConfig config = configureRealm("ad-test", LdapRealmSettings.AD_TYPE, settings);
+        RealmConfig config = configureRealm("ad-test", settings);
         try (ActiveDirectorySessionFactory sessionFactory = getActiveDirectorySessionFactory(config, sslService, threadPool)) {
 
             //Login with the UserPrincipalName
@@ -269,14 +271,18 @@ public class ActiveDirectorySessionFactoryTests extends AbstractActiveDirectoryT
     public void testStandardLdapConnection() throws Exception {
         String groupSearchBase = "DC=ad,DC=test,DC=elasticsearch,DC=com";
         String userTemplate = "CN={0},CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com";
-        final RealmConfig.RealmIdentifier realmId = new RealmConfig.RealmIdentifier(LdapRealmSettings.LDAP_TYPE, "ad-as-ldap-test");
-        final Settings settings = Settings.builder()
-            .put(LdapTestCase.buildLdapSettings(realmId, new String[]{AD_LDAP_URL}, new String[]{userTemplate}, groupSearchBase,
-                LdapSearchScope.SUB_TREE, null, false))
-            .putList(RealmSettings.realmSslPrefix(realmId) + "certificate_authorities", certificatePaths)
-            .put(getFullSettingKey(realmId, SessionFactorySettings.FOLLOW_REFERRALS_SETTING), FOLLOW_REFERRALS)
+        Settings settings = Settings.builder()
+            .put(LdapTestCase.buildLdapSettings(
+                    new String[]{AD_LDAP_URL},
+                    new String[]{userTemplate},
+                    groupSearchBase,
+                    LdapSearchScope.SUB_TREE,
+                    null,
+                    true))
+            .put("follow_referrals", FOLLOW_REFERRALS)
+            .putList("ssl.certificate_authorities", certificatePaths)
             .build();
-        RealmConfig config = configureRealm("ad-as-ldap-test", LdapRealmSettings.LDAP_TYPE, settings);
+        RealmConfig config = configureRealm("ad-as-ldap-test", settings);
         LdapSessionFactory sessionFactory = new LdapSessionFactory(config, sslService, threadPool);
 
         String user = "Bruce Banner";
@@ -296,15 +302,21 @@ public class ActiveDirectorySessionFactoryTests extends AbstractActiveDirectoryT
     public void testHandlingLdapReferralErrors() throws Exception {
         String groupSearchBase = "DC=ad,DC=test,DC=elasticsearch,DC=com";
         String userTemplate = "CN={0},CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com";
-        final RealmConfig.RealmIdentifier realmId = new RealmConfig.RealmIdentifier(LdapRealmSettings.LDAP_TYPE, "ad-as-ldap-test");
-        Settings settings = Settings.builder()
-            .put(LdapTestCase.buildLdapSettings(realmId, new String[]{AD_LDAP_URL}, new String[]{userTemplate}, groupSearchBase,
-                LdapSearchScope.SUB_TREE, null, false))
-            .putList(RealmSettings.realmSslPrefix(realmId) + "certificate_authorities", certificatePaths)
-            .put(getFullSettingKey(realmId, SessionFactorySettings.FOLLOW_REFERRALS_SETTING), FOLLOW_REFERRALS)
-            .build();
-
-        RealmConfig config = configureRealm("ad-as-ldap-test", LdapRealmSettings.LDAP_TYPE, settings);
+        final boolean ignoreReferralErrors = false;
+        final RealmConfig.RealmIdentifier realmId = new RealmConfig.RealmIdentifier("ad", "ad-as-ldap-test");
+        Settings settings = LdapTestCase.buildLdapSettings(realmId,
+            new String[]{AD_LDAP_URL},
+            new String[]{userTemplate},
+            groupSearchBase,
+            LdapSearchScope.SUB_TREE,
+            null,
+            ignoreReferralErrors);
+        final Settings.Builder builder = Settings.builder().put(settings).put(globalSettings);
+        builder.putList(RealmSettings.realmSslPrefix(realmId) + "certificate_authorities", certificatePaths);
+        settings = builder.build();
+        RealmConfig config = new RealmConfig(realmId,
+                settings, TestEnvironment.newEnvironment(globalSettings),
+                new ThreadContext(globalSettings));
         LdapSessionFactory sessionFactory = new LdapSessionFactory(config, sslService, threadPool);
 
         String user = "Bruce Banner";
@@ -323,16 +335,12 @@ public class ActiveDirectorySessionFactoryTests extends AbstractActiveDirectoryT
 
     public void testStandardLdapWithAttributeGroups() throws Exception {
         String userTemplate = "CN={0},CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com";
-        String groupSearchBase = "DC=ad,DC=test,DC=elasticsearch,DC=com";
-        final RealmConfig.RealmIdentifier realmId = new RealmConfig.RealmIdentifier(LdapRealmSettings.LDAP_TYPE, "ad-as-ldap-test");
-        Settings settings = Settings.builder()
-            .put(LdapTestCase.buildLdapSettings(realmId, new String[]{AD_LDAP_URL}, new String[]{userTemplate}, groupSearchBase,
-                LdapSearchScope.SUB_TREE, null, false))
+        Settings settings = LdapTestCase.buildLdapSettings(new String[]{AD_LDAP_URL}, userTemplate, false);
+        settings = Settings.builder()
+            .put(settings)
             .putList("ssl.certificate_authorities", certificatePaths)
-            .putList(RealmSettings.realmSslPrefix(realmId) + "certificate_authorities", certificatePaths)
-            .put(getFullSettingKey(realmId, SessionFactorySettings.FOLLOW_REFERRALS_SETTING), FOLLOW_REFERRALS)
             .build();
-        RealmConfig config = configureRealm("ad-as-ldap-test", LdapRealmSettings.LDAP_TYPE, settings);
+        RealmConfig config = configureRealm("ad-as-ldap-test", settings);
         LdapSessionFactory sessionFactory = new LdapSessionFactory(config, sslService, threadPool);
 
         String user = "Bruce Banner";
@@ -349,7 +357,7 @@ public class ActiveDirectorySessionFactoryTests extends AbstractActiveDirectoryT
     }
 
     public void testADLookup() throws Exception {
-        RealmConfig config = configureRealm("ad-test", LdapRealmSettings.AD_TYPE, buildAdSettings(AD_LDAP_URL, AD_DOMAIN, false, true));
+        RealmConfig config = configureRealm("ad-test", buildAdSettings(AD_LDAP_URL, AD_DOMAIN, false, true));
         try (ActiveDirectorySessionFactory sessionFactory = getActiveDirectorySessionFactory(config, sslService, threadPool)) {
 
             List<String> users = randomSubsetOf(Arrays.asList("cap", "hawkeye", "hulk", "ironman", "thor", "blackwidow",

x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/GroupMappingIT.java

@@ -5,12 +5,15 @@
  */
 package org.elasticsearch.xpack.security.authc.ldap;
 
+import org.apache.lucene.util.LuceneTestCase;
+
 import java.io.IOException;
 
 /**
  * This tests the group to role mappings from LDAP sources provided by the super class - available from super.realmConfig.
  * The super class will provide appropriate group mappings via configGroupMappings()
  */
+@LuceneTestCase.AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/issues/35738")
 public class GroupMappingIT extends AbstractAdLdapRealmTestCase {
 
     public void testAuthcAuthz() throws IOException {

x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/MultiGroupMappingIT.java

@@ -41,6 +41,7 @@ public class MultiGroupMappingIT extends AbstractAdLdapRealmTestCase {
                 "      privileges: [ all ]\n";
     }
 
+    @AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/issues/35738")
     public void testGroupMapping() throws IOException {
         String asgardian = "odin";
         String securityPhilanthropist = realmConfig.loginWithCommonName ? "Bruce Banner" : "hulk";

x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/MultipleAdRealmIT.java

@@ -49,7 +49,7 @@ public class MultipleAdRealmIT extends AbstractAdLdapRealmTestCase {
         final Settings secondarySettings = super.buildRealmSettings(secondaryRealmConfig, secondaryRoleMappings,
             getNodeTrustedCertificates());
         secondarySettings.keySet().forEach(name -> {
-            String newName = name.replace(XPACK_SECURITY_AUTHC_REALMS_AD_EXTERNAL, XPACK_SECURITY_AUTHC_REALMS_AD_EXTERNAL + "2");
+            String newName = name.replace(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL, XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + "2");
             builder.copy(newName, name, secondarySettings);
         });
 
@@ -62,6 +62,7 @@ public class MultipleAdRealmIT extends AbstractAdLdapRealmTestCase {
      * Because one realm is using "common name" (cn) for login, and the other uses the "userid" (sAMAccountName) [see
      * {@link #setupSecondaryRealm()}], this is simply a matter of checking that we can authenticate with both identifiers.
      */
+    @AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/issues/35738")
     public void testCanAuthenticateAgainstBothRealms() throws IOException {
         assertAccessAllowed("Natasha Romanoff", "avengers");
         assertAccessAllowed("blackwidow", "avengers");

x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/UserAttributeGroupsResolverTests.java

@@ -8,22 +8,22 @@ package org.elasticsearch.xpack.security.authc.ldap;
 import com.unboundid.ldap.sdk.Attribute;
 import com.unboundid.ldap.sdk.SearchRequest;
 import com.unboundid.ldap.sdk.SearchScope;
+import org.apache.lucene.util.LuceneTestCase;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.unit.TimeValue;
 import org.elasticsearch.xpack.core.security.authc.RealmConfig;
-import org.elasticsearch.xpack.core.security.authc.ldap.UserAttributeGroupsResolverSettings;
 import org.elasticsearch.xpack.core.security.support.NoOpLogger;
 import org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils;
 
 import java.util.Collection;
 import java.util.List;
 
-import static org.elasticsearch.xpack.core.security.authc.RealmSettings.getFullSettingKey;
 import static org.hamcrest.Matchers.containsInAnyOrder;
 import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.empty;
-import static org.hamcrest.Matchers.hasSize;
+import static org.hamcrest.Matchers.hasItems;
 
+@LuceneTestCase.AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/issues/35738")
 public class UserAttributeGroupsResolverTests extends GroupsResolverTestCase {
 
     public static final String BRUCE_BANNER_DN = "cn=Bruce Banner,CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com";
@@ -57,19 +57,18 @@ public class UserAttributeGroupsResolverTests extends GroupsResolverTestCase {
 
     public void testResolveCustomGroupAttribute() throws Exception {
         Settings settings = Settings.builder()
-            .put(getFullSettingKey("realm1", UserAttributeGroupsResolverSettings.ATTRIBUTE), "seeAlso")
-            .build();
+                .put("user_group_attribute", "seeAlso")
+                .build();
         UserAttributeGroupsResolver resolver = new UserAttributeGroupsResolver(config(REALM_ID, settings));
         List<String> groups =
                 resolveBlocking(resolver, ldapConnection, BRUCE_BANNER_DN, TimeValue.timeValueSeconds(20), NoOpLogger.INSTANCE, null);
-        assertThat(groups, hasSize(1));
-        assertThat(groups.get(0), containsString("Avengers"));  //seeAlso only has Avengers
+        assertThat(groups, hasItems(containsString("Avengers")));  //seeAlso only has Avengers
     }
 
     public void testResolveInvalidGroupAttribute() throws Exception {
         Settings settings = Settings.builder()
-            .put(getFullSettingKey("realm1", UserAttributeGroupsResolverSettings.ATTRIBUTE), "doesntExist")
-            .build();
+                .put("user_group_attribute", "doesntExist")
+                .build();
         UserAttributeGroupsResolver resolver = new UserAttributeGroupsResolver(config(REALM_ID, settings));
         List<String> groups =
                 resolveBlocking(resolver, ldapConnection, BRUCE_BANNER_DN, TimeValue.timeValueSeconds(20), NoOpLogger.INSTANCE, null);