首页 发现 帮助
注册 登录
lqb
/
elasticsearch
镜像自地址 https://gitee.com/mirrors/elasticsearch.git
1
0
派生 0
文件 工单管理 0 Wiki
浏览代码

Fix NPE on disabled API key auth cache (#120483) (#121008)

Currently, when `xpack.security.authc.api_key.cache.ttl` is set to `0d`
API key creation (and invalidation) fail with NPEs. This PR adds null
checks to fix this.
Nikolaj Volgushev 8 月之前
父节点
1a4ceb4711
当前提交
f146691fc3
共有 3 个文件被更改,包括 60 次插入5 次删除
分列视图 显示文件统计
  1. 5 0
      docs/changelog/120483.yaml
  2. 11 5
      x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java
  3. 44 0
      x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyServiceTests.java

+ 5 - 0
docs/changelog/120483.yaml
查看文件 

@@ -0,0 +1,5 @@
 
+pr: 120483
 
+summary: Fix NPE on disabled API auth key cache
 
+area: Authentication
 
+type: bug
 
+issues: []

+ 11 - 5
x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java
查看文件 

@@ -266,7 +266,9 @@ public class ApiKeyService implements Closeable {
 
                     if (apiKeyDocCache != null) {
 
                         apiKeyDocCache.invalidate(keys);
 
                     }
 
-                    keys.forEach(apiKeyAuthCache::invalidate);
 
+                    if (apiKeyAuthCache != null) {
 
+                        keys.forEach(apiKeyAuthCache::invalidate);
 
+                    }
 
                 }
 
 
                 @Override
 
@@ -274,7 +276,9 @@ public class ApiKeyService implements Closeable {
 
                     if (apiKeyDocCache != null) {
 
                         apiKeyDocCache.invalidateAll();
 
                     }
 
-                    apiKeyAuthCache.invalidateAll();
 
+                    if (apiKeyAuthCache != null) {
 
+                        apiKeyAuthCache.invalidateAll();
 
+                    }
 
                 }
 
             });
 
             cacheInvalidatorRegistry.registerCacheInvalidator("api_key_doc", new CacheInvalidatorRegistry.CacheInvalidator() {
 
@@ -589,9 +593,11 @@ public class ApiKeyService implements Closeable {
 
                                     + "])";
 
                             assert indexResponse.getResult() == DocWriteResponse.Result.CREATED
 
                                 : "Index response was [" + indexResponse.getResult() + "]";
 
-                            final ListenableFuture<CachedApiKeyHashResult> listenableFuture = new ListenableFuture<>();
 
-                            listenableFuture.onResponse(new CachedApiKeyHashResult(true, apiKey));
 
-                            apiKeyAuthCache.put(request.getId(), listenableFuture);
 
+                            if (apiKeyAuthCache != null) {
 
+                                final ListenableFuture<CachedApiKeyHashResult> listenableFuture = new ListenableFuture<>();
 
+                                listenableFuture.onResponse(new CachedApiKeyHashResult(true, apiKey));
 
+                                apiKeyAuthCache.put(request.getId(), listenableFuture);
 
+                            }
 
                             listener.onResponse(new CreateApiKeyResponse(request.getName(), request.getId(), apiKey, expiration));
 
                         }, listener::onFailure))
 
                     )

+ 44 - 0
x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyServiceTests.java
查看文件 

@@ -2367,6 +2367,50 @@ public class ApiKeyServiceTests extends ESTestCase {
 
         assertNull(service.getApiKeyAuthCache().get(docId));
 
     }
 
 
+    public void testCanCreateApiKeyWithAuthCacheDisabled() {
 
+        final ApiKeyService service = createApiKeyService(
 
+            Settings.builder()
 
+                .put(XPackSettings.API_KEY_SERVICE_ENABLED_SETTING.getKey(), true)
 
+                .put("xpack.security.authc.api_key.cache.ttl", "0s")
 
+                .build()
 
+        );
 
+        final Authentication authentication = AuthenticationTestHelper.builder()
 
+            .user(new User(randomAlphaOfLengthBetween(8, 16), "superuser"))
 
+            .realmRef(new RealmRef(randomAlphaOfLengthBetween(3, 8), randomAlphaOfLengthBetween(3, 8), randomAlphaOfLengthBetween(3, 8)))
 
+            .build(false);
 
+        final CreateApiKeyRequest createApiKeyRequest = new CreateApiKeyRequest(randomAlphaOfLengthBetween(3, 8), null, null);
 
+        when(client.prepareIndex(anyString())).thenReturn(new IndexRequestBuilder(client));
 
+        when(client.prepareBulk()).thenReturn(new BulkRequestBuilder(client));
 
+        when(client.threadPool()).thenReturn(threadPool);
 
+        doAnswer(inv -> {
 
+            final Object[] args = inv.getArguments();
 
+            @SuppressWarnings("unchecked")
 
+            final ActionListener<BulkResponse> listener = (ActionListener<BulkResponse>) args[2];
 
+            final IndexResponse indexResponse = new IndexResponse(
 
+                new ShardId(INTERNAL_SECURITY_MAIN_INDEX_7, randomAlphaOfLength(22), randomIntBetween(0, 1)),
 
+                createApiKeyRequest.getId(),
 
+                randomLongBetween(1, 99),
 
+                randomLongBetween(1, 99),
 
+                randomIntBetween(1, 99),
 
+                true
 
+            );
 
+            listener.onResponse(
 
+                new BulkResponse(
 
+                    new BulkItemResponse[] { BulkItemResponse.success(randomInt(), DocWriteRequest.OpType.INDEX, indexResponse) },
 
+                    randomLongBetween(0, 100)
 
+                )
 
+            );
 
+            return null;
 
+        }).when(client).execute(eq(TransportBulkAction.TYPE), any(BulkRequest.class), any());
 
+
 
+        assertThat(service.getFromCache(createApiKeyRequest.getId()), is(nullValue()));
 
+        final PlainActionFuture<CreateApiKeyResponse> listener = new PlainActionFuture<>();
 
+        service.createApiKey(authentication, createApiKeyRequest, Set.of(), listener);
 
+        final CreateApiKeyResponse createApiKeyResponse = listener.actionGet();
 
+        assertThat(createApiKeyResponse.getId(), equalTo(createApiKeyRequest.getId()));
 
+        assertThat(service.getFromCache(createApiKeyResponse.getId()), is(nullValue()));
 
+    }
 
+
 
     public void testGetCreatorRealm() {
 
         final User user = AuthenticationTests.randomUser();