Convert auditing license object to LicensedFeature

x-pack/plugin/core/src/main/java/org/elasticsearch/license/XPackLicenseState.java

@@ -41,7 +41,6 @@ public class XPackLicenseState {
      * Each value defines the licensed state necessary for the feature to be allowed.
      */
     public enum Feature {
-        SECURITY_AUDITING(OperationMode.GOLD, false),
         SECURITY_TOKEN_SERVICE(OperationMode.STANDARD, false),
 
         OPERATOR_PRIVILEGES(OperationMode.ENTERPRISE, true);

x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java

@@ -86,64 +86,52 @@ public static OperationMode randomBasicStandardOrGold() {
         return randomFrom(BASIC, STANDARD, GOLD);
     }
 
-    public void testSecurityDefaults() {
-        XPackLicenseState licenseState = new XPackLicenseState(() -> 0);
-        assertThat(licenseState.checkFeature(Feature.SECURITY_AUDITING), is(true));
-    }
-
     public void testSecurityStandard() {
         XPackLicenseState licenseState = new XPackLicenseState(() -> 0);
         licenseState.update(STANDARD, true, null);
 
-        assertThat(licenseState.checkFeature(Feature.SECURITY_AUDITING), is(false));
         assertThat(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE), is(true));
     }
 
     public void testSecurityStandardExpired() {
         XPackLicenseState licenseState = new XPackLicenseState( () -> 0);
         licenseState.update(STANDARD, false, null);
 
-        assertThat(licenseState.checkFeature(Feature.SECURITY_AUDITING), is(false));
         assertThat(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE), is(true));
     }
 
     public void testSecurityBasic() {
         XPackLicenseState licenseState = new XPackLicenseState( () -> 0);
         licenseState.update(BASIC, true, null);
 
-        assertThat(licenseState.checkFeature(Feature.SECURITY_AUDITING), is(false));
         assertThat(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE), is(false));
     }
 
     public void testSecurityGold() {
         XPackLicenseState licenseState = new XPackLicenseState(() -> 0);
         licenseState.update(GOLD, true, null);
 
-        assertThat(licenseState.checkFeature(Feature.SECURITY_AUDITING), is(true));
         assertThat(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE), is(true));
     }
 
     public void testSecurityGoldExpired() {
         XPackLicenseState licenseState = new XPackLicenseState(() -> 0);
         licenseState.update(GOLD, false, null);
 
-        assertThat(licenseState.checkFeature(Feature.SECURITY_AUDITING), is(true));
         assertThat(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE), is(true));
     }
 
     public void testSecurityPlatinum() {
         XPackLicenseState licenseState = new XPackLicenseState(() -> 0);
         licenseState.update(PLATINUM, true, null);
 
-        assertThat(licenseState.checkFeature(Feature.SECURITY_AUDITING), is(true));
         assertThat(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE), is(true));
     }
 
     public void testSecurityPlatinumExpired() {
         XPackLicenseState licenseState = new XPackLicenseState(() -> 0);
         licenseState.update(PLATINUM, false, null);
 
-        assertThat(licenseState.checkFeature(Feature.SECURITY_AUDITING), is(true));
         assertThat(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE), is(true));
     }
 

x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authz/SecuritySearchOperationListenerTests.java

@@ -8,13 +8,12 @@
 
 import org.elasticsearch.common.UUIDs;
 import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.core.TimeValue;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
 import org.elasticsearch.common.util.concurrent.ThreadContext.StoredContext;
+import org.elasticsearch.core.TimeValue;
 import org.elasticsearch.index.IndexService;
 import org.elasticsearch.index.shard.IndexShard;
-import org.elasticsearch.license.XPackLicenseState;
-import org.elasticsearch.license.XPackLicenseState.Feature;
+import org.elasticsearch.license.MockLicenseState;
 import org.elasticsearch.search.Scroll;
 import org.elasticsearch.search.SearchContextMissingException;
 import org.elasticsearch.search.internal.InternalScrollSearchRequest;
@@ -32,15 +31,16 @@
 import org.elasticsearch.xpack.core.security.authz.AuthorizationServiceField;
 import org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl;
 import org.elasticsearch.xpack.core.security.user.User;
+import org.elasticsearch.xpack.security.Security;
 import org.elasticsearch.xpack.security.audit.AuditTrail;
 import org.elasticsearch.xpack.security.audit.AuditTrailService;
 import org.junit.Before;
 
 import java.util.Collections;
 
-import static org.elasticsearch.xpack.security.audit.logfile.LoggingAuditTrail.PRINCIPAL_ROLES_FIELD_NAME;
 import static org.elasticsearch.xpack.core.security.authz.AuthorizationServiceField.AUTHORIZATION_INFO_KEY;
 import static org.elasticsearch.xpack.core.security.authz.AuthorizationServiceField.ORIGINATING_ACTION_KEY;
+import static org.elasticsearch.xpack.security.audit.logfile.LoggingAuditTrail.PRINCIPAL_ROLES_FIELD_NAME;
 import static org.elasticsearch.xpack.security.authz.AuthorizationServiceTests.authzInfoRoles;
 import static org.elasticsearch.xpack.security.authz.SecuritySearchOperationListener.ensureAuthenticatedUserIsSame;
 import static org.hamcrest.Matchers.is;
@@ -98,8 +98,8 @@ public void testValidateSearchContext() throws Exception {
                 new Authentication(new User("test", "role"), new RealmRef("realm", "file", "node"), null));
             final IndicesAccessControl indicesAccessControl = mock(IndicesAccessControl.class);
             readerContext.putInContext(AuthorizationServiceField.INDICES_PERMISSIONS_KEY, indicesAccessControl);
-            XPackLicenseState licenseState = mock(XPackLicenseState.class);
-            when(licenseState.checkFeature(Feature.SECURITY_AUDITING)).thenReturn(true);
+            MockLicenseState licenseState = mock(MockLicenseState.class);
+            when(licenseState.isAllowed(Security.AUDITING_FEATURE)).thenReturn(true);
             ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
             final SecurityContext securityContext = new SecurityContext(Settings.EMPTY, threadContext);
             AuditTrail auditTrail = mock(AuditTrail.class);
@@ -191,8 +191,8 @@ public void testEnsuredAuthenticatedUserIsSame() {
         ShardSearchContextId contextId = new ShardSearchContextId(UUIDs.randomBase64UUID(), randomLong());
         final String action = randomAlphaOfLength(4);
         TransportRequest request = Empty.INSTANCE;
-        XPackLicenseState licenseState = mock(XPackLicenseState.class);
-        when(licenseState.checkFeature(Feature.SECURITY_AUDITING)).thenReturn(true);
+        MockLicenseState licenseState = mock(MockLicenseState.class);
+        when(licenseState.isAllowed(Security.AUDITING_FEATURE)).thenReturn(true);
         AuditTrail auditTrail = mock(AuditTrail.class);
         AuditTrailService auditTrailService = new AuditTrailService(Collections.singletonList(auditTrail), licenseState);
 

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java

@@ -354,9 +354,9 @@ public class Security extends Plugin implements SystemIndexPlugin, IngestPlugin,
 
     // TODO: ip filtering does not actually track license usage yet
     public static final LicensedFeature.Momentary IP_FILTERING_FEATURE =
-        LicensedFeature.momentaryLenient(null, "security_ip_filtering", License.OperationMode.GOLD);
+        LicensedFeature.momentaryLenient(null, "security-ip-filtering", License.OperationMode.GOLD);
     public static final LicensedFeature.Momentary AUDITING_FEATURE =
-        LicensedFeature.momentaryLenient(null, "security_auditing", License.OperationMode.GOLD);
+        LicensedFeature.momentaryLenient(null, "security-auditing", License.OperationMode.GOLD);
 
     private static final String REALMS_FEATURE_FAMILY = "security-realms";
     // Builtin realms (file/native) realms are Basic licensed, so don't need to be checked or tracked

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/AuditTrailService.java

@@ -10,13 +10,13 @@
 import org.apache.logging.log4j.Logger;
 import org.elasticsearch.common.transport.TransportAddress;
 import org.elasticsearch.license.XPackLicenseState;
-import org.elasticsearch.license.XPackLicenseState.Feature;
 import org.elasticsearch.rest.RestRequest;
 import org.elasticsearch.transport.TransportRequest;
 import org.elasticsearch.transport.TransportResponse;
 import org.elasticsearch.xpack.core.security.authc.Authentication;
 import org.elasticsearch.xpack.core.security.authc.AuthenticationToken;
 import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine.AuthorizationInfo;
+import org.elasticsearch.xpack.security.Security;
 import org.elasticsearch.xpack.security.transport.filter.SecurityIpFilterRule;
 
 import java.net.InetAddress;
@@ -43,7 +43,7 @@ public AuditTrailService(List<AuditTrail> auditTrails, XPackLicenseState license
 
     public AuditTrail get() {
         if (compositeAuditTrail.isEmpty() == false) {
-            if (licenseState.checkFeature(Feature.SECURITY_AUDITING)) {
+            if (Security.AUDITING_FEATURE.check(licenseState)) {
                 return compositeAuditTrail;
             } else {
                 maybeLogAuditingDisabled();

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/AuditTrailServiceTests.java

@@ -11,8 +11,7 @@
 import org.apache.logging.log4j.Logger;
 import org.elasticsearch.common.logging.Loggers;
 import org.elasticsearch.license.License;
-import org.elasticsearch.license.XPackLicenseState;
-import org.elasticsearch.license.XPackLicenseState.Feature;
+import org.elasticsearch.license.MockLicenseState;
 import org.elasticsearch.rest.RestRequest;
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.test.MockLogAppender;
@@ -22,6 +21,7 @@
 import org.elasticsearch.xpack.core.security.authc.AuthenticationToken;
 import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine.AuthorizationInfo;
 import org.elasticsearch.xpack.core.security.user.User;
+import org.elasticsearch.xpack.security.Security;
 import org.elasticsearch.xpack.security.transport.filter.IPFilter;
 import org.elasticsearch.xpack.security.transport.filter.SecurityIpFilterRule;
 import org.junit.Before;
@@ -47,7 +47,7 @@ public class AuditTrailServiceTests extends ESTestCase {
     private AuthenticationToken token;
     private TransportRequest request;
     private RestRequest restRequest;
-    private XPackLicenseState licenseState;
+    private MockLicenseState licenseState;
     private boolean isAuditingAllowed;
 
     @Before
@@ -57,10 +57,10 @@ public void init() throws Exception {
             auditTrailsBuilder.add(mock(AuditTrail.class));
         }
         auditTrails = unmodifiableList(auditTrailsBuilder);
-        licenseState = mock(XPackLicenseState.class);
+        licenseState = mock(MockLicenseState.class);
         service = new AuditTrailService(auditTrails, licenseState);
         isAuditingAllowed = randomBoolean();
-        when(licenseState.checkFeature(Feature.SECURITY_AUDITING)).thenReturn(isAuditingAllowed);
+        when(licenseState.isAllowed(Security.AUDITING_FEATURE)).thenReturn(isAuditingAllowed);
         token = mock(AuthenticationToken.class);
         request = mock(TransportRequest.class);
         restRequest = mock(RestRequest.class);
@@ -118,7 +118,7 @@ public void testNoLogRecentlyWhenLicenseProhibitsAuditing() throws Exception {
     public void testAuthenticationFailed() throws Exception {
         final String requestId = randomAlphaOfLengthBetween(6, 12);
         service.get().authenticationFailed(requestId, token, "_action", request);
-        verify(licenseState).checkFeature(Feature.SECURITY_AUDITING);
+        verify(licenseState).isAllowed(Security.AUDITING_FEATURE);
         if (isAuditingAllowed) {
             for (AuditTrail auditTrail : auditTrails) {
                 verify(auditTrail).authenticationFailed(requestId, token, "_action", request);
@@ -131,7 +131,7 @@ public void testAuthenticationFailed() throws Exception {
     public void testAuthenticationFailedNoToken() throws Exception {
         final String requestId = randomAlphaOfLengthBetween(6, 12);
         service.get().authenticationFailed(requestId, "_action", request);
-        verify(licenseState).checkFeature(Feature.SECURITY_AUDITING);
+        verify(licenseState).isAllowed(Security.AUDITING_FEATURE);
         if (isAuditingAllowed) {
             for (AuditTrail auditTrail : auditTrails) {
                 verify(auditTrail).authenticationFailed(requestId, "_action", request);
@@ -144,7 +144,7 @@ public void testAuthenticationFailedNoToken() throws Exception {
     public void testAuthenticationFailedRestNoToken() throws Exception {
         final String requestId = randomAlphaOfLengthBetween(6, 12);
         service.get().authenticationFailed(requestId, restRequest);
-        verify(licenseState).checkFeature(Feature.SECURITY_AUDITING);
+        verify(licenseState).isAllowed(Security.AUDITING_FEATURE);
         if (isAuditingAllowed) {
             for (AuditTrail auditTrail : auditTrails) {
                 verify(auditTrail).authenticationFailed(requestId, restRequest);
@@ -157,7 +157,7 @@ public void testAuthenticationFailedRestNoToken() throws Exception {
     public void testAuthenticationFailedRest() throws Exception {
         final String requestId = randomAlphaOfLengthBetween(6, 12);
         service.get().authenticationFailed(requestId, token, restRequest);
-        verify(licenseState).checkFeature(Feature.SECURITY_AUDITING);
+        verify(licenseState).isAllowed(Security.AUDITING_FEATURE);
         if (isAuditingAllowed) {
             for (AuditTrail auditTrail : auditTrails) {
                 verify(auditTrail).authenticationFailed(requestId, token, restRequest);
@@ -170,7 +170,7 @@ public void testAuthenticationFailedRest() throws Exception {
     public void testAuthenticationFailedRealm() throws Exception {
         final String requestId = randomAlphaOfLengthBetween(6, 12);
         service.get().authenticationFailed(requestId, "_realm", token, "_action", request);
-        verify(licenseState).checkFeature(Feature.SECURITY_AUDITING);
+        verify(licenseState).isAllowed(Security.AUDITING_FEATURE);
         if (isAuditingAllowed) {
             for (AuditTrail auditTrail : auditTrails) {
                 verify(auditTrail).authenticationFailed(requestId, "_realm", token, "_action", request);
@@ -183,7 +183,7 @@ public void testAuthenticationFailedRealm() throws Exception {
     public void testAuthenticationFailedRestRealm() throws Exception {
         final String requestId = randomAlphaOfLengthBetween(6, 12);
         service.get().authenticationFailed(requestId, "_realm", token, restRequest);
-        verify(licenseState).checkFeature(Feature.SECURITY_AUDITING);
+        verify(licenseState).isAllowed(Security.AUDITING_FEATURE);
         if (isAuditingAllowed) {
             for (AuditTrail auditTrail : auditTrails) {
                 verify(auditTrail).authenticationFailed(requestId, "_realm", token, restRequest);
@@ -196,7 +196,7 @@ public void testAuthenticationFailedRestRealm() throws Exception {
     public void testAnonymousAccess() throws Exception {
         final String requestId = randomAlphaOfLengthBetween(6, 12);
         service.get().anonymousAccessDenied(requestId, "_action", request);
-        verify(licenseState).checkFeature(Feature.SECURITY_AUDITING);
+        verify(licenseState).isAllowed(Security.AUDITING_FEATURE);
         if (isAuditingAllowed) {
             for (AuditTrail auditTrail : auditTrails) {
                 verify(auditTrail).anonymousAccessDenied(requestId, "_action", request);
@@ -213,7 +213,7 @@ public void testAccessGranted() throws Exception {
             () -> Collections.singletonMap(PRINCIPAL_ROLES_FIELD_NAME, new String[] { randomAlphaOfLengthBetween(1, 6) });
         final String requestId = randomAlphaOfLengthBetween(6, 12);
         service.get().accessGranted(requestId, authentication, "_action", request, authzInfo);
-        verify(licenseState).checkFeature(Feature.SECURITY_AUDITING);
+        verify(licenseState).isAllowed(Security.AUDITING_FEATURE);
         if (isAuditingAllowed) {
             for (AuditTrail auditTrail : auditTrails) {
                 verify(auditTrail).accessGranted(requestId, authentication, "_action", request, authzInfo);
@@ -230,7 +230,7 @@ public void testAccessDenied() throws Exception {
             () -> Collections.singletonMap(PRINCIPAL_ROLES_FIELD_NAME, new String[] { randomAlphaOfLengthBetween(1, 6) });
         final String requestId = randomAlphaOfLengthBetween(6, 12);
         service.get().accessDenied(requestId, authentication, "_action", request, authzInfo);
-        verify(licenseState).checkFeature(Feature.SECURITY_AUDITING);
+        verify(licenseState).isAllowed(Security.AUDITING_FEATURE);
         if (isAuditingAllowed) {
             for (AuditTrail auditTrail : auditTrails) {
                 verify(auditTrail).accessDenied(requestId, authentication, "_action", request, authzInfo);
@@ -244,7 +244,7 @@ public void testConnectionGranted() throws Exception {
         InetAddress inetAddress = InetAddress.getLoopbackAddress();
         SecurityIpFilterRule rule = randomBoolean() ? SecurityIpFilterRule.ACCEPT_ALL : IPFilter.DEFAULT_PROFILE_ACCEPT_ALL;
         service.get().connectionGranted(inetAddress, "client", rule);
-        verify(licenseState).checkFeature(Feature.SECURITY_AUDITING);
+        verify(licenseState).isAllowed(Security.AUDITING_FEATURE);
         if (isAuditingAllowed) {
             for (AuditTrail auditTrail : auditTrails) {
                 verify(auditTrail).connectionGranted(inetAddress, "client", rule);
@@ -258,7 +258,7 @@ public void testConnectionDenied() throws Exception {
         InetAddress inetAddress = InetAddress.getLoopbackAddress();
         SecurityIpFilterRule rule = new SecurityIpFilterRule(false, "_all");
         service.get().connectionDenied(inetAddress, "client", rule);
-        verify(licenseState).checkFeature(Feature.SECURITY_AUDITING);
+        verify(licenseState).isAllowed(Security.AUDITING_FEATURE);
         if (isAuditingAllowed) {
             for (AuditTrail auditTrail : auditTrails) {
                 verify(auditTrail).connectionDenied(inetAddress, "client", rule);
@@ -273,7 +273,7 @@ public void testAuthenticationSuccessRest() throws Exception {
                 new RealmRef(null, null, null));
         final String requestId = randomAlphaOfLengthBetween(6, 12);
         service.get().authenticationSuccess(requestId, authentication, restRequest);
-        verify(licenseState).checkFeature(Feature.SECURITY_AUDITING);
+        verify(licenseState).isAllowed(Security.AUDITING_FEATURE);
         if (isAuditingAllowed) {
             for (AuditTrail auditTrail : auditTrails) {
                 verify(auditTrail).authenticationSuccess(requestId, authentication, restRequest);
@@ -288,7 +288,7 @@ public void testAuthenticationSuccessTransport() throws Exception {
                 new RealmRef(null, null, null));
         final String requestId = randomAlphaOfLengthBetween(6, 12);
         service.get().authenticationSuccess(requestId, authentication, "_action", request);
-        verify(licenseState).checkFeature(Feature.SECURITY_AUDITING);
+        verify(licenseState).isAllowed(Security.AUDITING_FEATURE);
         if (isAuditingAllowed) {
             for (AuditTrail auditTrail : auditTrails) {
                 verify(auditTrail).authenticationSuccess(requestId, authentication, "_action", request);

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/AuthenticationServiceTests.java

@@ -233,7 +233,7 @@ public void init() throws Exception {
         when(licenseState.isAllowed(Security.CUSTOM_REALMS_FEATURE)).thenReturn(true);
         when(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE)).thenReturn(true);
         when(licenseState.copyCurrentLicenseState()).thenReturn(licenseState);
-        when(licenseState.checkFeature(Feature.SECURITY_AUDITING)).thenReturn(true);
+        when(licenseState.isAllowed(Security.AUDITING_FEATURE)).thenReturn(true);
         when(licenseState.getOperationMode()).thenReturn(randomFrom(License.OperationMode.ENTERPRISE, License.OperationMode.PLATINUM));
 
         ReservedRealm reservedRealm = mock(ReservedRealm.class);