From 336db1748fd02f7338c2b85f6266a6647a2dd849 Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Thu, 20 Dec 2018 21:11:21 +0200 Subject: [PATCH 1/4] Done! --- .../xpack/deprecation/DeprecationChecks.java | 3 +- .../deprecation/NodeDeprecationChecks.java | 64 +++++++++++++++++++ .../NodeDeprecationChecksTests.java | 38 +++++++++++ 3 files changed, 104 insertions(+), 1 deletion(-) diff --git a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/DeprecationChecks.java b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/DeprecationChecks.java index 4ba5e5a2b58e2..7d6fde8a1d816 100644 --- a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/DeprecationChecks.java +++ b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/DeprecationChecks.java @@ -47,7 +47,8 @@ private DeprecationChecks() { NodeDeprecationChecks::discoveryConfigurationCheck, NodeDeprecationChecks::azureRepositoryChanges, NodeDeprecationChecks::gcsRepositoryChanges, - NodeDeprecationChecks::fileDiscoveryPluginRemoved + NodeDeprecationChecks::fileDiscoveryPluginRemoved, + NodeDeprecationChecks::watcherNotificationsSecureSettingsCheck )); static List> INDEX_SETTINGS_CHECKS = diff --git a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java index ab0b4329d50d3..d09580307e05e 100644 --- a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java +++ b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java @@ -134,6 +134,70 @@ static DeprecationIssue discoveryConfigurationCheck(List nodeInfos, Li return null; } + static DeprecationIssue watcherNotificationsSecureSettingsCheck(List nodeInfos, List nodeStats) { + List nodesFound = nodeInfos.stream() + .filter(nodeInfo -> false == nodeInfo.getSettings().getByPrefix("xpack.notification.email.account.") + .filter(s -> s.endsWith(".smtp.password")).isEmpty()) + .map(nodeInfo -> nodeInfo.getNode().getName()) + .collect(Collectors.toList()); + if (nodesFound.size() > 0) { + return new DeprecationIssue(DeprecationIssue.Level.CRITICAL, + "Watcher email notifications' password settings has to be defined securely", + "https://www.elastic.co/guide/en/elasticsearch/reference/master/breaking-changes-7.0.html" + + "#watcher-notifications-account-settings", + "nodes which have the un-secure setting are: " + nodesFound); + } + nodesFound = nodeInfos.stream() + .filter(nodeInfo -> false == nodeInfo.getSettings().getByPrefix("xpack.notification.hipchat.account.") + .filter(s -> s.endsWith(".auth_token")).isEmpty()) + .map(nodeInfo -> nodeInfo.getNode().getName()) + .collect(Collectors.toList()); + if (nodesFound.size() > 0) { + return new DeprecationIssue(DeprecationIssue.Level.CRITICAL, + "Watcher hipchat notifications' auth token settings has to be defined securely", + "https://www.elastic.co/guide/en/elasticsearch/reference/master/breaking-changes-7.0.html" + + "#watcher-notifications-account-settings", + "nodes which have the un-secure setting are: " + nodesFound); + } + nodesFound = nodeInfos.stream() + .filter(nodeInfo -> false == nodeInfo.getSettings().getByPrefix("xpack.notification.jira.account.") + .filter(s -> s.endsWith(".url") || s.endsWith(".user") || s.endsWith(".password")).isEmpty()) + .map(nodeInfo -> nodeInfo.getNode().getName()) + .collect(Collectors.toList()); + if (nodesFound.size() > 0) { + return new DeprecationIssue(DeprecationIssue.Level.CRITICAL, + "Watcher jira notifications' url, user and password settings have to be defined securely", + "https://www.elastic.co/guide/en/elasticsearch/reference/master/breaking-changes-7.0.html" + + "#watcher-notifications-account-settings", + "nodes which have the un-secure settings are: " + nodesFound); + } + nodesFound = nodeInfos.stream() + .filter(nodeInfo -> false == nodeInfo.getSettings().getByPrefix("xpack.notification.pagerduty.account.") + .filter(s -> s.endsWith(".service_api_key")).isEmpty()) + .map(nodeInfo -> nodeInfo.getNode().getName()) + .collect(Collectors.toList()); + if (nodesFound.size() > 0) { + return new DeprecationIssue(DeprecationIssue.Level.CRITICAL, + "Watcher pagerduty notifications' service api key setting has to be defined securely", + "https://www.elastic.co/guide/en/elasticsearch/reference/master/breaking-changes-7.0.html" + + "#watcher-notifications-account-settings", + "nodes which have the un-secure setting are: " + nodesFound); + } + nodesFound = nodeInfos.stream() + .filter(nodeInfo -> false == nodeInfo.getSettings().getByPrefix("xpack.notification.slack.account.") + .filter(s -> s.endsWith(".url")).isEmpty()) + .map(nodeInfo -> nodeInfo.getNode().getName()) + .collect(Collectors.toList()); + if (nodesFound.size() > 0) { + return new DeprecationIssue(DeprecationIssue.Level.CRITICAL, + "Watcher slack notifications' url setting has to be defined securely", + "https://www.elastic.co/guide/en/elasticsearch/reference/master/breaking-changes-7.0.html" + + "#watcher-notifications-account-settings", + "nodes which have the un-secure setting are: " + nodesFound); + } + return null; + } + static DeprecationIssue azureRepositoryChanges(List nodeInfos, List nodeStats) { List nodesFound = nodeInfos.stream() .filter(nodeInfo -> diff --git a/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java b/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java index 05ee019bac3cb..346006567dcb2 100644 --- a/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java +++ b/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java @@ -104,6 +104,44 @@ public void testBulkThreadPoolCheck() { assertSettingsAndIssue("thread_pool.bulk.queue_size", Integer.toString(randomIntBetween(1, 20000)), expected); } + public void testWatcherNotificationsSecureSettings() { + DeprecationIssue expected = new DeprecationIssue(DeprecationIssue.Level.CRITICAL, + "Watcher email notifications' password settings has to be defined securely", + "https://www.elastic.co/guide/en/elasticsearch/reference/master/breaking-changes-7.0.html" + + "#watcher-notifications-account-settings", + "nodes which have the un-secure setting are: [node_check]"); + assertSettingsAndIssue("xpack.notification.email.account." + randomAlphaOfLength(4) + ".smtp.password", randomAlphaOfLength(4), + expected); + expected = new DeprecationIssue(DeprecationIssue.Level.CRITICAL, + "Watcher hipchat notifications' auth token settings has to be defined securely", + "https://www.elastic.co/guide/en/elasticsearch/reference/master/breaking-changes-7.0.html" + + "#watcher-notifications-account-settings", + "nodes which have the un-secure setting are: [node_check]"); + assertSettingsAndIssue("xpack.notification.hipchat.account." + randomAlphaOfLength(4) + ".auth_token", randomAlphaOfLength(4), + expected); + expected = new DeprecationIssue(DeprecationIssue.Level.CRITICAL, + "Watcher jira notifications' url, user and password settings have to be defined securely", + "https://www.elastic.co/guide/en/elasticsearch/reference/master/breaking-changes-7.0.html" + + "#watcher-notifications-account-settings", + "nodes which have the un-secure settings are: [node_check]"); + assertSettingsAndIssue("xpack.notification.jira.account." + randomAlphaOfLength(4) + ".url", randomAlphaOfLength(4), expected); + assertSettingsAndIssue("xpack.notification.jira.account." + randomAlphaOfLength(4) + ".user", randomAlphaOfLength(4), expected); + assertSettingsAndIssue("xpack.notification.jira.account." + randomAlphaOfLength(4) + ".password", randomAlphaOfLength(4), expected); + expected = new DeprecationIssue(DeprecationIssue.Level.CRITICAL, + "Watcher pagerduty notifications' service api key setting has to be defined securely", + "https://www.elastic.co/guide/en/elasticsearch/reference/master/breaking-changes-7.0.html" + + "#watcher-notifications-account-settings", + "nodes which have the un-secure setting are: [node_check]"); + assertSettingsAndIssue("xpack.notification.pagerduty.account." + randomAlphaOfLength(4) + ".service_api_key", + randomAlphaOfLength(4), expected); + expected = new DeprecationIssue(DeprecationIssue.Level.CRITICAL, + "Watcher slack notifications' url setting has to be defined securely", + "https://www.elastic.co/guide/en/elasticsearch/reference/master/breaking-changes-7.0.html" + + "#watcher-notifications-account-settings", + "nodes which have the un-secure setting are: [node_check]"); + assertSettingsAndIssue("xpack.notification.slack.account." + randomAlphaOfLength(4) + ".url", randomAlphaOfLength(4), expected); + } + public void testTribeNodeCheck() { String tribeSetting = "tribe." + randomAlphaOfLengthBetween(1, 20) + ".cluster.name"; DeprecationIssue expected = new DeprecationIssue(DeprecationIssue.Level.CRITICAL, From 41080fd37fa073cba385b0822eda46e371c626a6 Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Fri, 18 Jan 2019 20:09:08 +0200 Subject: [PATCH 2/4] Address feedback --- .../deprecation/NodeDeprecationChecks.java | 69 ++++--------------- 1 file changed, 14 insertions(+), 55 deletions(-) diff --git a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java index 22897fcf01750..4d66609b1fcf4 100644 --- a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java +++ b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java @@ -151,65 +151,24 @@ static DeprecationIssue discoveryConfigurationCheck(List nodeInfos, Li } static DeprecationIssue watcherNotificationsSecureSettingsCheck(List nodeInfos, List nodeStats) { - List nodesFound = nodeInfos.stream() - .filter(nodeInfo -> false == nodeInfo.getSettings().getByPrefix("xpack.notification.email.account.") - .filter(s -> s.endsWith(".smtp.password")).isEmpty()) - .map(nodeInfo -> nodeInfo.getNode().getName()) - .collect(Collectors.toList()); - if (nodesFound.size() > 0) { - return new DeprecationIssue(DeprecationIssue.Level.CRITICAL, - "Watcher email notifications' password settings has to be defined securely", - "https://www.elastic.co/guide/en/elasticsearch/reference/master/breaking-changes-7.0.html" + - "#watcher-notifications-account-settings", - "nodes which have the un-secure setting are: " + nodesFound); - } - nodesFound = nodeInfos.stream() - .filter(nodeInfo -> false == nodeInfo.getSettings().getByPrefix("xpack.notification.hipchat.account.") - .filter(s -> s.endsWith(".auth_token")).isEmpty()) - .map(nodeInfo -> nodeInfo.getNode().getName()) - .collect(Collectors.toList()); - if (nodesFound.size() > 0) { - return new DeprecationIssue(DeprecationIssue.Level.CRITICAL, - "Watcher hipchat notifications' auth token settings has to be defined securely", - "https://www.elastic.co/guide/en/elasticsearch/reference/master/breaking-changes-7.0.html" + - "#watcher-notifications-account-settings", - "nodes which have the un-secure setting are: " + nodesFound); - } - nodesFound = nodeInfos.stream() - .filter(nodeInfo -> false == nodeInfo.getSettings().getByPrefix("xpack.notification.jira.account.") - .filter(s -> s.endsWith(".url") || s.endsWith(".user") || s.endsWith(".password")).isEmpty()) - .map(nodeInfo -> nodeInfo.getNode().getName()) - .collect(Collectors.toList()); - if (nodesFound.size() > 0) { - return new DeprecationIssue(DeprecationIssue.Level.CRITICAL, - "Watcher jira notifications' url, user and password settings have to be defined securely", - "https://www.elastic.co/guide/en/elasticsearch/reference/master/breaking-changes-7.0.html" + - "#watcher-notifications-account-settings", - "nodes which have the un-secure settings are: " + nodesFound); - } - nodesFound = nodeInfos.stream() - .filter(nodeInfo -> false == nodeInfo.getSettings().getByPrefix("xpack.notification.pagerduty.account.") - .filter(s -> s.endsWith(".service_api_key")).isEmpty()) - .map(nodeInfo -> nodeInfo.getNode().getName()) - .collect(Collectors.toList()); - if (nodesFound.size() > 0) { - return new DeprecationIssue(DeprecationIssue.Level.CRITICAL, - "Watcher pagerduty notifications' service api key setting has to be defined securely", - "https://www.elastic.co/guide/en/elasticsearch/reference/master/breaking-changes-7.0.html" + - "#watcher-notifications-account-settings", - "nodes which have the un-secure setting are: " + nodesFound); - } - nodesFound = nodeInfos.stream() - .filter(nodeInfo -> false == nodeInfo.getSettings().getByPrefix("xpack.notification.slack.account.") - .filter(s -> s.endsWith(".url")).isEmpty()) - .map(nodeInfo -> nodeInfo.getNode().getName()) - .collect(Collectors.toList()); + List nodesFound = nodeInfos.stream().filter(nodeInfo -> + (false == nodeInfo.getSettings().getByPrefix("xpack.notification.email.account.") + .filter(s -> s.endsWith(".smtp.password")).isEmpty()) + || (false == nodeInfo.getSettings().getByPrefix("xpack.notification.hipchat.account.") + .filter(s -> s.endsWith(".auth_token")).isEmpty()) + || (false == nodeInfo.getSettings().getByPrefix("xpack.notification.jira.account.") + .filter(s -> s.endsWith(".url") || s.endsWith(".user") || s.endsWith(".password")).isEmpty()) + || (false == nodeInfo.getSettings().getByPrefix("xpack.notification.pagerduty.account.") + .filter(s -> s.endsWith(".service_api_key")).isEmpty()) + || (false == nodeInfo.getSettings().getByPrefix("xpack.notification.slack.account.").filter(s -> s.endsWith(".url")) + .isEmpty())) + .map(nodeInfo -> nodeInfo.getNode().getName()).collect(Collectors.toList()); if (nodesFound.size() > 0) { return new DeprecationIssue(DeprecationIssue.Level.CRITICAL, - "Watcher slack notifications' url setting has to be defined securely", + "Watcher notification accounts' authentication settings must be defined securely", "https://www.elastic.co/guide/en/elasticsearch/reference/master/breaking-changes-7.0.html" + "#watcher-notifications-account-settings", - "nodes which have the un-secure setting are: " + nodesFound); + "nodes which have insecure notification account settings are: " + nodesFound); } return null; } From dbaad167a11e768f2312ff38fea25cc9dab86e36 Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Sun, 20 Jan 2019 01:18:14 +0200 Subject: [PATCH 3/4] Missing comma --- .../org/elasticsearch/xpack/deprecation/DeprecationChecks.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/DeprecationChecks.java b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/DeprecationChecks.java index a4e5dc7d84f54..84515fb84d235 100644 --- a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/DeprecationChecks.java +++ b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/DeprecationChecks.java @@ -49,7 +49,7 @@ private DeprecationChecks() { NodeDeprecationChecks::azureRepositoryChanges, NodeDeprecationChecks::gcsRepositoryChanges, NodeDeprecationChecks::fileDiscoveryPluginRemoved, - NodeDeprecationChecks::defaultSSLSettingsRemoved + NodeDeprecationChecks::defaultSSLSettingsRemoved, NodeDeprecationChecks::watcherNotificationsSecureSettingsCheck )); From 622708bebdca1030c641276f6f625cb4f82dc912 Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Sun, 20 Jan 2019 11:16:33 +0200 Subject: [PATCH 4/4] NodeDeprecationChecksTests --- .../NodeDeprecationChecksTests.java | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java b/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java index 0869e7d9a451b..3d40489ad0b85 100644 --- a/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java +++ b/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java @@ -107,39 +107,39 @@ public void testBulkThreadPoolCheck() { public void testWatcherNotificationsSecureSettings() { DeprecationIssue expected = new DeprecationIssue(DeprecationIssue.Level.CRITICAL, - "Watcher email notifications' password settings has to be defined securely", + "Watcher notification accounts' authentication settings must be defined securely", "https://www.elastic.co/guide/en/elasticsearch/reference/master/breaking-changes-7.0.html" + "#watcher-notifications-account-settings", - "nodes which have the un-secure setting are: [node_check]"); + "nodes which have insecure notification account settings are: [node_check]"); assertSettingsAndIssue("xpack.notification.email.account." + randomAlphaOfLength(4) + ".smtp.password", randomAlphaOfLength(4), expected); expected = new DeprecationIssue(DeprecationIssue.Level.CRITICAL, - "Watcher hipchat notifications' auth token settings has to be defined securely", + "Watcher notification accounts' authentication settings must be defined securely", "https://www.elastic.co/guide/en/elasticsearch/reference/master/breaking-changes-7.0.html" + "#watcher-notifications-account-settings", - "nodes which have the un-secure setting are: [node_check]"); + "nodes which have insecure notification account settings are: [node_check]"); assertSettingsAndIssue("xpack.notification.hipchat.account." + randomAlphaOfLength(4) + ".auth_token", randomAlphaOfLength(4), expected); expected = new DeprecationIssue(DeprecationIssue.Level.CRITICAL, - "Watcher jira notifications' url, user and password settings have to be defined securely", + "Watcher notification accounts' authentication settings must be defined securely", "https://www.elastic.co/guide/en/elasticsearch/reference/master/breaking-changes-7.0.html" + "#watcher-notifications-account-settings", - "nodes which have the un-secure settings are: [node_check]"); + "nodes which have insecure notification account settings are: [node_check]"); assertSettingsAndIssue("xpack.notification.jira.account." + randomAlphaOfLength(4) + ".url", randomAlphaOfLength(4), expected); assertSettingsAndIssue("xpack.notification.jira.account." + randomAlphaOfLength(4) + ".user", randomAlphaOfLength(4), expected); assertSettingsAndIssue("xpack.notification.jira.account." + randomAlphaOfLength(4) + ".password", randomAlphaOfLength(4), expected); expected = new DeprecationIssue(DeprecationIssue.Level.CRITICAL, - "Watcher pagerduty notifications' service api key setting has to be defined securely", + "Watcher notification accounts' authentication settings must be defined securely", "https://www.elastic.co/guide/en/elasticsearch/reference/master/breaking-changes-7.0.html" + "#watcher-notifications-account-settings", - "nodes which have the un-secure setting are: [node_check]"); + "nodes which have insecure notification account settings are: [node_check]"); assertSettingsAndIssue("xpack.notification.pagerduty.account." + randomAlphaOfLength(4) + ".service_api_key", randomAlphaOfLength(4), expected); expected = new DeprecationIssue(DeprecationIssue.Level.CRITICAL, - "Watcher slack notifications' url setting has to be defined securely", + "Watcher notification accounts' authentication settings must be defined securely", "https://www.elastic.co/guide/en/elasticsearch/reference/master/breaking-changes-7.0.html" + "#watcher-notifications-account-settings", - "nodes which have the un-secure setting are: [node_check]"); + "nodes which have insecure notification account settings are: [node_check]"); assertSettingsAndIssue("xpack.notification.slack.account." + randomAlphaOfLength(4) + ".url", randomAlphaOfLength(4), expected); }