Feature/ldap support (#180)

LDAP support
sscarduzio · Feb 22, 2017 · 68a5f63 · 68a5f63
1 parent a8fc1c0
commit 68a5f63
Show file tree

Hide file tree

Showing 96 changed files with 3,354 additions and 1,403 deletions.
diff --git a/.gitignore b/.gitignore
@@ -30,3 +30,4 @@ eclipse-build
 docker/*
 src/test/eshome/plugins/readonlyrest/plugin-descriptor.properties
 src/main/resources/plugin-descriptor.properties
+src/test/eshome/*
diff --git a/.travis.yml b/.travis.yml
@@ -1,5 +1,10 @@
 language: java
 
+sudo: required
+
+services:
+  - docker
+
 jdk:
 - oraclejdk8
 

diff --git a/LICENSE.md b/LICENSE.md
@@ -606,7 +606,7 @@ pointer to where the full notice is found.
 	GNU General Public License for more details.
 
 	You should have received a copy of the GNU General Public License
-	along with this program.  If not, see <http://www.gnu.org/licenses/>.
+	along with this program.  If not, see http://www.gnu.org/licenses/
 
 Also add information on how to contact you by electronic and paper mail.
 

diff --git a/README.md b/README.md
@@ -166,6 +166,59 @@ readonlyrest:
 
 ```
 
+### USE CASE 4: LDAP authentication and group-based authorization
+```yml
+readonlyrest:
+    enable: true
+    response_if_req_forbidden: Forbidden by ReadonlyREST ES plugin
+
+    access_control_rules:
+
+    - name: Accept requests from users in group team1 on index1
+      type: allow
+      ldap_auth:
+          - name: "ldap1"                                       # ldap name from 'ldaps' section
+            groups: ["g1", "g2"]                                # group within 'ou=Groups,dc=example,dc=com'
+          - name: "ldap2"
+            groups: ["g3", "g4"]
+      uri_re: ^/index1/.*
+
+    - name: Accept requests from users in group team2 on index2
+      type: allow
+      ldap_auth:
+          - name: "ldap2"
+            groups: ["g3"]
+      uri_re: ^/index2/.*
+
+    ldaps:
+
+    - name: ldap1
+      host: "ldap1.example.com"
+      port: 389                                                 # default 389
+      ssl_enabled: false                                        # default true
+      ssl_trust_all_certs: true                                 # default false
+      bind_dn: "cn=admin,dc=example,dc=com"                     # skip for anonymous bind
+      bind_password: "password"                                 # skip for anonymous bind
+      search_user_base_DN: "ou=People,dc=example,dc=com"
+      search_groups_base_DN: "ou=Groups,dc=example,dc=com"
+      connection_pool_size: 10                                  # default 30
+      connection_timeout_in_sec: 10                             # default 1
+      request_timeout_in_sec: 10                                # default 1
+      cache_ttl_in_sec: 60                                      # default 0 - cache disabled
+
+    - name: ldap2
+      host: "ldap2.example2.com"
+      port: 636
+      search_user_base_DN: "ou=People,dc=example2,dc=com"
+      search_groups_base_DN: "ou=Groups,dc=example2,dc=com"
+```
+
+LDAP configuration requirements:
+- user from `search_user_base_DN` should have `uid` attribute
+- groups from `search_groups_base_DN` should have `uniqueMember` attribute
+
+(example LDAP config can be found in test /resources/test_example.ldif)
+
 ### 3. Restart Elasticsearch
 
 **For other use cases and finer access control** have a look at [the full list of supported rules](https://github.com/sscarduzio/elasticsearch-readonlyrest-plugin/wiki/Supported-Rules)

diff --git a/ReadonlyRESTLicenceHeader.txt b/ReadonlyRESTLicenceHeader.txt
@@ -0,0 +1,14 @@
+   This file is part of ReadonlyREST.
+
+   ReadonlyREST is free software: you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation, either version 3 of the License, or
+   (at your option) any later version.
+
+   ReadonlyREST is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with ReadonlyREST.  If not, see http://www.gnu.org/licenses/
diff --git a/bin/build.sh b/bin/build.sh
@@ -1,2 +1,3 @@
-./gradlew updateSHAs check assemble 
+#!/bin/sh
+./gradlew updateSHAs assemble
 # -x test 
diff --git a/build.gradle b/build.gradle
@@ -1,20 +1,4 @@
-/*
- * This file is part of ReadonlyREST.
- *
- *     ReadonlyREST is free software: you can redistribute it and/or modify
- *     it under the terms of the GNU General Public License as published by
- *     the Free Software Foundation, either version 3 of the License, or
- *     (at your option) any later version.
- *
- *     ReadonlyREST is distributed in the hope that it will be useful,
- *     but WITHOUT ANY WARRANTY; without even the implied warranty of
- *     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *     GNU General Public License for more details.
- *
- *     You should have received a copy of the GNU General Public License
- *     along with ReadonlyREST.  If not, see <http://www.gnu.org/licenses/>.
- *
- */
+
 
 buildscript {
     ext {
@@ -30,6 +14,7 @@ buildscript {
 
     dependencies {
         classpath 'org.elasticsearch.gradle:build-tools:' + esVersion
+        classpath 'nl.javadude.gradle.plugins:license-gradle-plugin:0.10.0'
     }
 }
 
@@ -40,16 +25,47 @@ apply plugin: 'java'
 apply plugin: 'elasticsearch.esplugin'
 apply plugin: 'idea'
 apply plugin: 'maven'
+apply plugin: 'license'
 
 esplugin {
     name 'readonlyrest'
     description 'Safely expose Elasticsearch REST API'
     classname 'org.elasticsearch.plugin.readonlyrest.wiring.ReadonlyRestPlugin'
 }
 
+license {
+    header rootProject.file('ReadonlyRESTLicenceHeader.txt')
+    skipExistingHeaders true
+    useDefaultMappings = false
+    mapping {
+        java='SLASHSTAR_STYLE'
+    }
+}
+
+configurations.getByName("testRuntime") {
+    resolutionStrategy {
+        force "commons-logging:commons-logging:1.1.3"
+        force "junit:junit:4.12"
+        force "org.slf4j:slf4j-api:1.7.21"
+        force "commons-io:commons-io:2.5"
+    }
+}
+configurations {
+    all*.exclude group: "org.elasticsearch.test", module: "framework"
+}
+
 dependencies {
-    compile 'com.google.guava:guava:20.0'
+    compile 'com.google.guava:guava:21.0'
     compile 'org.elasticsearch.plugin:transport-netty4-client:' + esVersion
+    compile 'com.unboundid:unboundid-ldapsdk:3.2.0'
+    testCompile 'org.mockito:mockito-all:1.10.19'
+    testCompile 'junit:junit:4.12'
+    testCompile('org.testcontainers:testcontainers:1.1.9')
+    testRuntime('org.testcontainers:testcontainers:1.1.9')
+}
+
+task showFiles << {
+    configurations.compile.each { println it.name }
 }
 
 run {

diff --git a/classes/test/readonlyrest/plugin-security.policy b/classes/test/readonlyrest/plugin-security.policy
@@ -1,4 +1,5 @@
 grant {
   permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
   permission java.lang.RuntimePermission "accessDeclaredMembers";
+  permission java.util.PropertyPermission "*", "read,write";
 };
diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties
@@ -1,23 +1,6 @@
-#
-# This file is part of ReadonlyREST.
-#
-#     ReadonlyREST is free software: you can redistribute it and/or modify
-#     it under the terms of the GNU General Public License as published by
-#     the Free Software Foundation, either version 3 of the License, or
-#     (at your option) any later version.
-#
-#     ReadonlyREST is distributed in the hope that it will be useful,
-#     but WITHOUT ANY WARRANTY; without even the implied warranty of
-#     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-#     GNU General Public License for more details.
-#
-#     You should have received a copy of the GNU General Public License
-#     along with ReadonlyREST.  If not, see <http://www.gnu.org/licenses/>.
-#
-#
-#Sun Nov 27 14:21:00 WITA 2016
+#Wed Feb 15 12:57:26 CET 2017
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-2.13-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-2.13-all.zip
diff --git a/licenses/guava-20.0.jar.sha1 b/licenses/guava-20.0.jar.sha1
diff --git a/licenses/guava-21.0.jar.sha1 b/licenses/guava-21.0.jar.sha1
@@ -0,0 +1 @@
+3a3d111be1be1b745edfa7d91678a12d7ed38709
diff --git a/licenses/unboundid-ldapsdk-3.2.0.jar.sha1 b/licenses/unboundid-ldapsdk-3.2.0.jar.sha1
@@ -0,0 +1 @@
+f76725e5a215ea468ecda06a8d66a809281e685f
diff --git a/src/test/eshome/data/nodes/0/node.lock → licenses/unboundid-ldapsdk-LICENSE.txt b/src/test/eshome/data/nodes/0/node.lock → licenses/unboundid-ldapsdk-LICENSE.txt
diff --git a/licenses/unboundid-ldapsdk-NOTICE.txt b/licenses/unboundid-ldapsdk-NOTICE.txt
diff --git a/settings.gradle b/settings.gradle
@@ -1,19 +1,3 @@
-/*
- * This file is part of ReadonlyREST.
- *
- *     ReadonlyREST is free software: you can redistribute it and/or modify
- *     it under the terms of the GNU General Public License as published by
- *     the Free Software Foundation, either version 3 of the License, or
- *     (at your option) any later version.
- *
- *     ReadonlyREST is distributed in the hope that it will be useful,
- *     but WITHOUT ANY WARRANTY; without even the implied warranty of
- *     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *     GNU General Public License for more details.
- *
- *     You should have received a copy of the GNU General Public License
- *     along with ReadonlyREST.  If not, see <http://www.gnu.org/licenses/>.
- *
- */
+
 
 rootProject.name = 'readonlyrest'
diff --git a/src/main/java/org/elasticsearch/plugin/readonlyrest/ConfigurationHelper.java b/src/main/java/org/elasticsearch/plugin/readonlyrest/ConfigurationHelper.java
@@ -1,19 +1,18 @@
 /*
- * This file is part of ReadonlyREST.
+ *    This file is part of ReadonlyREST.
  *
- *     ReadonlyREST is free software: you can redistribute it and/or modify
- *     it under the terms of the GNU General Public License as published by
- *     the Free Software Foundation, either version 3 of the License, or
- *     (at your option) any later version.
+ *    ReadonlyREST is free software: you can redistribute it and/or modify
+ *    it under the terms of the GNU General Public License as published by
+ *    the Free Software Foundation, either version 3 of the License, or
+ *    (at your option) any later version.
  *
- *     ReadonlyREST is distributed in the hope that it will be useful,
- *     but WITHOUT ANY WARRANTY; without even the implied warranty of
- *     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *     GNU General Public License for more details.
- *
- *     You should have received a copy of the GNU General Public License
- *     along with ReadonlyREST.  If not, see <http://www.gnu.org/licenses/>.
+ *    ReadonlyREST is distributed in the hope that it will be useful,
+ *    but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *    GNU General Public License for more details.
  *
+ *    You should have received a copy of the GNU General Public License
+ *    along with ReadonlyREST.  If not, see http://www.gnu.org/licenses/
  */
 
 package org.elasticsearch.plugin.readonlyrest;
@@ -120,6 +119,7 @@ public static List<Setting<?>> allowedSettings() {
     String prefix = "readonlyrest.";
     String rule_prefix = prefix + "access_control_rules.";
     String users_prefix = prefix + "users.";
+    String ldaps_prefix = prefix + "ldaps.";
 
     return Arrays.asList(
       bool(prefix + "enable"),
@@ -135,7 +135,8 @@ public static List<Setting<?>> allowedSettings() {
       str(prefix + "ssl.certchain_pem"),
 
       grp(rule_prefix),
-      grp(users_prefix)
+      grp(users_prefix),
+      grp(ldaps_prefix)
       // Rules
 //        str(rule_prefix + "name"),
 //        str(rule_prefix + "accept_x-forwarded-for_header"),