elastic · elasticsearchmachine · Oct 19, 2021 · Oct 18, 2021 · Oct 19, 2021
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/license/XPackLicenseState.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/license/XPackLicenseState.java
@@ -41,7 +41,6 @@ public class XPackLicenseState {
      * Each value defines the licensed state necessary for the feature to be allowed.
      */
     public enum Feature {
-        SECURITY_AUDITING(OperationMode.GOLD, false),
         SECURITY_TOKEN_SERVICE(OperationMode.STANDARD, false),
 
         MACHINE_LEARNING(OperationMode.PLATINUM, true),

diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java
@@ -9,10 +9,8 @@
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.iterable.Iterables;
 import org.elasticsearch.license.License.OperationMode;
-import org.elasticsearch.license.XPackLicenseState.Feature;
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.xpack.core.XPackField;
-import org.elasticsearch.xpack.core.XPackSettings;
 
 import java.util.Arrays;
 import java.util.Map;
@@ -88,110 +86,6 @@ public static OperationMode randomBasicStandardOrGold() {
         return randomFrom(BASIC, STANDARD, GOLD);
     }
 
-    public void testSecurityDefaults() {
-        Settings settings = Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build();
-        XPackLicenseState licenseState = new XPackLicenseState(settings, () -> 0);
-        assertThat(licenseState.isSecurityEnabled(), is(true));
-        assertThat(licenseState.checkFeature(Feature.SECURITY_AUDITING), is(true));
-
-        licenseState = TestUtils.newTestLicenseState();
-        assertSecurityNotAllowed(licenseState);
-    }
-
-    public void testTransportSslDoesNotAutomaticallyEnableSecurityOnTrialLicense() {
-        Settings settings = Settings.builder().put(XPackSettings.TRANSPORT_SSL_ENABLED.getKey(), true).build();
-        final XPackLicenseState licenseState= new XPackLicenseState(settings, () -> 0);
-        assertSecurityNotAllowed(licenseState);
-    }
-
-    public void testSecurityBasicWithoutExplicitSecurityEnabled() {
-        XPackLicenseState licenseState = TestUtils.newTestLicenseState();
-        licenseState.update(BASIC, true, null);
-
-        assertThat(licenseState.isSecurityEnabled(), is(false));
-        assertThat(licenseState.checkFeature(Feature.SECURITY_AUDITING), is(false));
-        assertThat(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE), is(false));
-
-        assertThat(licenseState.isSecurityEnabled(), is(false));
-    }
-
-    public void testSecurityBasicWithExplicitSecurityEnabled() {
-        final Settings settings = Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build();
-        XPackLicenseState licenseState = new XPackLicenseState(settings, () -> 0);
-        licenseState.update(BASIC, true, null);
-        assertThat(licenseState.isSecurityEnabled(), is(true));
-        assertThat(licenseState.checkFeature(Feature.SECURITY_AUDITING), is(false));
-        assertThat(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE), is(false));
-
-        assertThat(licenseState.isSecurityEnabled(), is(true));
-    }
-
-    public void testSecurityStandard() {
-        Settings settings = randomFrom(Settings.EMPTY,
-            Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build());
-        XPackLicenseState licenseState = new XPackLicenseState(settings, () -> 0);
-        licenseState.update(STANDARD, true, null);
-
-        assertThat(licenseState.isSecurityEnabled(), is(true));
-        assertThat(licenseState.checkFeature(Feature.SECURITY_AUDITING), is(false));
-        assertThat(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE), is(true));
-    }
-
-    public void testSecurityStandardExpired() {
-        Settings settings = randomFrom(Settings.EMPTY,
-            Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build());
-        XPackLicenseState licenseState = new XPackLicenseState(settings, () -> 0);
-        licenseState.update(STANDARD, false, null);
-
-        assertThat(licenseState.isSecurityEnabled(), is(true));
-        assertThat(licenseState.checkFeature(Feature.SECURITY_AUDITING), is(false));
-        assertThat(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE), is(true));
-    }
-
-    public void testSecurityGold() {
-        Settings settings = randomFrom(Settings.EMPTY,
-            Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build());
-        XPackLicenseState licenseState = new XPackLicenseState(settings, () -> 0);
-        licenseState.update(GOLD, true, null);
-
-        assertThat(licenseState.isSecurityEnabled(), is(true));
-        assertThat(licenseState.checkFeature(Feature.SECURITY_AUDITING), is(true));
-        assertThat(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE), is(true));
-    }
-
-    public void testSecurityGoldExpired() {
-        Settings settings = randomFrom(Settings.EMPTY,
-            Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build());
-        XPackLicenseState licenseState = new XPackLicenseState(settings, () -> 0);
-        licenseState.update(GOLD, false, null);
-
-        assertThat(licenseState.isSecurityEnabled(), is(true));
-        assertThat(licenseState.checkFeature(Feature.SECURITY_AUDITING), is(true));
-        assertThat(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE), is(true));
-    }
-
-    public void testSecurityPlatinum() {
-        Settings settings = randomFrom(Settings.EMPTY,
-            Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build());
-        XPackLicenseState licenseState = new XPackLicenseState(settings, () -> 0);
-        licenseState.update(PLATINUM, true, null);
-
-        assertThat(licenseState.isSecurityEnabled(), is(true));
-        assertThat(licenseState.checkFeature(Feature.SECURITY_AUDITING), is(true));
-        assertThat(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE), is(true));
-    }
-
-    public void testSecurityPlatinumExpired() {
-        Settings settings = randomFrom(Settings.EMPTY,
-            Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build());
-        XPackLicenseState licenseState = new XPackLicenseState(settings, () -> 0);
-        licenseState.update(PLATINUM, false, null);
-
-        assertThat(licenseState.isSecurityEnabled(), is(true));
-        assertThat(licenseState.checkFeature(Feature.SECURITY_AUDITING), is(true));
-        assertThat(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE), is(true));
-    }
-
     public void testNewTrialDefaultsSecurityOff() {
         XPackLicenseState licenseState = TestUtils.newTestLicenseState();
         licenseState.update(TRIAL, true, null);

diff --git a/...est/java/org/elasticsearch/xpack/security/authz/SecuritySearchOperationListenerTests.java b/...est/java/org/elasticsearch/xpack/security/authz/SecuritySearchOperationListenerTests.java
@@ -8,13 +8,12 @@
 
 import org.elasticsearch.common.UUIDs;
 import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.core.TimeValue;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
 import org.elasticsearch.common.util.concurrent.ThreadContext.StoredContext;
+import org.elasticsearch.core.TimeValue;
 import org.elasticsearch.index.IndexService;
 import org.elasticsearch.index.shard.IndexShard;
-import org.elasticsearch.license.XPackLicenseState;
-import org.elasticsearch.license.XPackLicenseState.Feature;
+import org.elasticsearch.license.MockLicenseState;
 import org.elasticsearch.search.Scroll;
 import org.elasticsearch.search.SearchContextMissingException;
 import org.elasticsearch.search.internal.InternalScrollSearchRequest;
@@ -33,16 +32,17 @@
 import org.elasticsearch.xpack.core.security.authz.AuthorizationServiceField;
 import org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl;
 import org.elasticsearch.xpack.core.security.user.User;
+import org.elasticsearch.xpack.security.Security;
 import org.elasticsearch.xpack.security.audit.AuditTrail;
 import org.elasticsearch.xpack.security.audit.AuditTrailService;
 import org.junit.Before;
 import org.mockito.Mockito;
 
 import java.util.Collections;
 
-import static org.elasticsearch.xpack.security.audit.logfile.LoggingAuditTrail.PRINCIPAL_ROLES_FIELD_NAME;
 import static org.elasticsearch.xpack.core.security.authz.AuthorizationServiceField.AUTHORIZATION_INFO_KEY;
 import static org.elasticsearch.xpack.core.security.authz.AuthorizationServiceField.ORIGINATING_ACTION_KEY;
+import static org.elasticsearch.xpack.security.audit.logfile.LoggingAuditTrail.PRINCIPAL_ROLES_FIELD_NAME;
 import static org.elasticsearch.xpack.security.authz.AuthorizationServiceTests.authzInfoRoles;
 import static org.elasticsearch.xpack.security.authz.SecuritySearchOperationListener.ensureAuthenticatedUserIsSame;
 import static org.hamcrest.Matchers.is;
@@ -71,7 +71,7 @@ public void testUnlicensed() {
         try (LegacyReaderContext readerContext =
                  new LegacyReaderContext(new ShardSearchContextId(UUIDs.randomBase64UUID(), 0L), indexService, shard,
                      shard.acquireSearcherSupplier(), shardSearchRequest, Long.MAX_VALUE)) {
-            XPackLicenseState licenseState = mock(XPackLicenseState.class);
+            MockLicenseState licenseState = mock(MockLicenseState.class);
             when(licenseState.isSecurityEnabled()).thenReturn(false);
             ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
             final SecurityContext securityContext = new SecurityContext(Settings.EMPTY, threadContext);
@@ -93,7 +93,7 @@ public void testOnNewContextSetsAuthentication() throws Exception {
         try (LegacyReaderContext readerContext =
                  new LegacyReaderContext(new ShardSearchContextId(UUIDs.randomBase64UUID(), 0L),
                      indexService, shard, shard.acquireSearcherSupplier(), shardSearchRequest, Long.MAX_VALUE)) {
-            XPackLicenseState licenseState = mock(XPackLicenseState.class);
+            MockLicenseState licenseState = mock(MockLicenseState.class);
             when(licenseState.isSecurityEnabled()).thenReturn(true);
             ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
             final SecurityContext securityContext = new SecurityContext(Settings.EMPTY, threadContext);
@@ -126,9 +126,9 @@ public void testValidateSearchContext() throws Exception {
                 new Authentication(new User("test", "role"), new RealmRef("realm", "file", "node"), null));
             final IndicesAccessControl indicesAccessControl = mock(IndicesAccessControl.class);
             readerContext.putInContext(AuthorizationServiceField.INDICES_PERMISSIONS_KEY, indicesAccessControl);
-            XPackLicenseState licenseState = mock(XPackLicenseState.class);
+            MockLicenseState licenseState = mock(MockLicenseState.class);
             when(licenseState.isSecurityEnabled()).thenReturn(true);
-            when(licenseState.checkFeature(Feature.SECURITY_AUDITING)).thenReturn(true);
+            when(licenseState.isAllowed(Security.AUDITING_FEATURE)).thenReturn(true);
             ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
             final SecurityContext securityContext = new SecurityContext(Settings.EMPTY, threadContext);
             AuditTrail auditTrail = mock(AuditTrail.class);
@@ -225,9 +225,9 @@ public void testEnsuredAuthenticatedUserIsSame() {
         ShardSearchContextId contextId = new ShardSearchContextId(UUIDs.randomBase64UUID(), randomLong());
         final String action = randomAlphaOfLength(4);
         TransportRequest request = Empty.INSTANCE;
-        XPackLicenseState licenseState = mock(XPackLicenseState.class);
+        MockLicenseState licenseState = mock(MockLicenseState.class);
         when(licenseState.isSecurityEnabled()).thenReturn(true);
-        when(licenseState.checkFeature(Feature.SECURITY_AUDITING)).thenReturn(true);
+        when(licenseState.isAllowed(Security.AUDITING_FEATURE)).thenReturn(true);
         AuditTrail auditTrail = mock(AuditTrail.class);
         AuditTrailService auditTrailService = new AuditTrailService(Collections.singletonList(auditTrail), licenseState);
 

diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java
@@ -349,9 +349,9 @@ public class Security extends Plugin implements SystemIndexPlugin, IngestPlugin,
 
     // TODO: ip filtering does not actually track license usage yet
     public static final LicensedFeature.Momentary IP_FILTERING_FEATURE =
-        LicensedFeature.momentaryLenient(null, "security_ip_filtering", License.OperationMode.GOLD);
+        LicensedFeature.momentaryLenient(null, "security-ip-filtering", License.OperationMode.GOLD);
     public static final LicensedFeature.Momentary AUDITING_FEATURE =
-        LicensedFeature.momentaryLenient(null, "security_auditing", License.OperationMode.GOLD);
+        LicensedFeature.momentaryLenient(null, "security-auditing", License.OperationMode.GOLD);
 
     private static final String REALMS_FEATURE_FAMILY = "security-realms";
     // Builtin realms (file/native) realms are Basic licensed, so don't need to be checked or tracked

diff --git a/...ugin/security/src/main/java/org/elasticsearch/xpack/security/audit/AuditTrailService.java b/...ugin/security/src/main/java/org/elasticsearch/xpack/security/audit/AuditTrailService.java
@@ -10,13 +10,13 @@
 import org.apache.logging.log4j.Logger;
 import org.elasticsearch.common.transport.TransportAddress;
 import org.elasticsearch.license.XPackLicenseState;
-import org.elasticsearch.license.XPackLicenseState.Feature;
 import org.elasticsearch.rest.RestRequest;
 import org.elasticsearch.transport.TransportRequest;
 import org.elasticsearch.transport.TransportResponse;
 import org.elasticsearch.xpack.core.security.authc.Authentication;
 import org.elasticsearch.xpack.core.security.authc.AuthenticationToken;
 import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine.AuthorizationInfo;
+import org.elasticsearch.xpack.security.Security;
 import org.elasticsearch.xpack.security.transport.filter.SecurityIpFilterRule;
 
 import java.net.InetAddress;
@@ -43,7 +43,7 @@ public AuditTrailService(List<AuditTrail> auditTrails, XPackLicenseState license
 
     public AuditTrail get() {
         if (compositeAuditTrail.isEmpty() == false && licenseState.isSecurityEnabled()) {
-            if (licenseState.checkFeature(Feature.SECURITY_AUDITING)) {
+            if (Security.AUDITING_FEATURE.check(licenseState)) {
                 return compositeAuditTrail;
             } else {
                 maybeLogAuditingDisabled();