http proxy support in JWT realm#127337
Conversation
richard-dennehy
added
>enhancement
:Security/Authentication
|
Hi @richard-dennehy, I've created a changelog YAML for you. |
...gin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/jwt/JwtRealmSettings.java
Show resolved
Hide resolved
...gin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/jwt/JwtRealmSettings.java
Outdated
Show resolved
Hide resolved
...ests/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/jwt/JwtWithOidcAuthIT.java
Show resolved
Hide resolved
|
|
||
| public static final String DOCKER_BASE_IMAGE = "nginx:latest"; | ||
| private static final Integer PORT = 8888; | ||
| private static final Integer TLS_PORT = 8889; |
There was a problem hiding this comment.
Names are hard 😞
This isn't an SSL port, but it proxies to the C2ID SSL port 🤔
There was a problem hiding this comment.
I'm blanking on a better name as well. Will have to think about it.
...idp-fixture/src/main/java/org/elasticsearch/test/fixtures/idp/OidcProviderTestContainer.java
Show resolved
Hide resolved
| FROM c2id/c2id-server-demo:16.1.1 AS c2id | ||
| FROM openjdk:21-jdk-buster |
There was a problem hiding this comment.
JDK 11 doesn't run properly on my kernel; C2ID 12 doesn't run properly on JDK 21
richard-dennehy
force-pushed
the
jwt-proxy-support
branch
from
7347efa to
9c2bafc
Compare
|
Pinging @elastic/es-security (Team:Security) |
...gin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/jwt/JwtRealmSettings.java
Show resolved
Hide resolved
...gin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/jwt/JwtRealmSettings.java
Outdated
Show resolved
Hide resolved
...gin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/jwt/JwtRealmSettings.java
Show resolved
Hide resolved
| key -> Setting.simpleString(key, "http", value -> { | ||
| if (value.equals("http") == false && value.equals("https") == false) { | ||
| throw new IllegalArgumentException("Invalid value [" + value + "] for [" + key + "]. Only `http` or `https` are allowed."); | ||
| } | ||
| }, Setting.Property.NodeScope) | ||
| ); |
There was a problem hiding this comment.
optional: This can be simplified by calling SecuritySettingsUtil#verifyNonNullNotEmpty, for example:
| key -> Setting.simpleString(key, "http", value -> { | |
| if (value.equals("http") == false && value.equals("https") == false) { | |
| throw new IllegalArgumentException("Invalid value [" + value + "] for [" + key + "]. Only `http` or `https` are allowed."); | |
| } | |
| }, Setting.Property.NodeScope) | |
| ); | |
| key -> Setting.simpleString( | |
| key, | |
| "http", | |
| value -> verifyNonNullNotEmpty(key, value, List.of("http", "https")), | |
| Setting.Property.NodeScope | |
| ) | |
| ); |
| HTTP_MAX_ENDPOINT_CONNECTIONS, | ||
| HTTP_PROXY_SCHEME, | ||
| HTTP_PROXY_HOST, | ||
| HTTP_PROXY_PORT |
There was a problem hiding this comment.
We also have to document these new settings. I'm fine if you prefer to do documentation update in a followup PR.
There was a problem hiding this comment.
Do we want to backport this? 9.0 docs are in a different repo, so I need to raise a different PR regardless
There was a problem hiding this comment.
Yes, we should backport this to 8.18 at least. Makes total sense to handle the docs in a followup. The docs for 9.x are in different repo, but docs for 8.x are still in elastricsearch repo.
...idp-fixture/src/main/java/org/elasticsearch/test/fixtures/idp/OidcProviderTestContainer.java
Show resolved
Hide resolved
|
|
||
| public static final String DOCKER_BASE_IMAGE = "nginx:latest"; | ||
| private static final Integer PORT = 8888; | ||
| private static final Integer TLS_PORT = 8889; |
There was a problem hiding this comment.
I'm blanking on a better name as well. Will have to think about it.
richard-dennehy
force-pushed
the
jwt-proxy-support
branch
from
020564a to
d06d2cd
Compare
richard-dennehy
added
auto-backport
| <scope name="Production" level="ERROR" enabled="false" /> | ||
| <scope name="Production minus fixtures" level="ERROR" enabled="true" /> | ||
| </inspection_tool> | ||
| <inspection_tool class="MalformedFormatString" enabled="true" level="WARNING" enabled_by_default="true"> |
There was a problem hiding this comment.
Was this change intentional?
There was a problem hiding this comment.
I was messing with Intellij settings; I'm used to these project files being in the .gitignore - I'll remove it
richard-dennehy
force-pushed
the
jwt-proxy-support
branch
from
9c3b8b9 to
a8b028d
Compare
slobodanadamovic
left a comment
slobodanadamovic
left a comment
There was a problem hiding this comment.
LGTM 👍
Thanks for the persistence on this one. Nice job!
http proxy support in JWT realm
http proxy support in JWT realm
http proxy support in JWT realm (cherry picked from commit e75e45b)
💚 All backports created successfully
Questions ?Please refer to the Backport tool documentation |
3 participants
Resolves #114956
Adds
http.proxy.*settings to JWT realm configuration, to enable JWKS lookup to use a HTTP proxy.It's worth stressing that this proxy must use HTTP rather than HTTPS, due to #100264