apply plugin: 'elasticsearch.internal-es-plugin' apply plugin: 'elasticsearch.publish' apply plugin: 'elasticsearch.internal-cluster-test' apply plugin: 'elasticsearch.internal-test-artifact' esplugin { name = 'x-pack-security' description = 'Elasticsearch Expanded Pack Plugin - Security' classname = 'org.elasticsearch.xpack.security.Security' requiresKeystore =true extendedPlugins = ['x-pack-core'] } base { archivesName = 'x-pack-security' } dependencies { compileOnly project(path: xpackModule('core')) api project(path: ':modules:transport-netty4') testImplementation project(path: xpackModule('ilm')) testImplementation project(path: xpackModule('downsample')) testImplementation project(path: xpackModule('mapper-aggregate-metric')) testImplementation project(path: xpackModule('monitoring')) testImplementation project(path: xpackModule('spatial')) testImplementation project(path: xpackModule('wildcard')) testImplementation project(path: ':modules:legacy-geo') testImplementation project(path: ':modules:percolator') testImplementation project(path: xpackModule('sql:sql-action')) testImplementation project(path: ':modules:analysis-common') testImplementation project(path: ':modules:reindex') testImplementation project(':modules:data-streams') testImplementation project(':modules:lang-mustache') testImplementation project(':modules:mapper-extras') testImplementation project(':modules:parent-join') testImplementation project(':modules:rest-root') testImplementation(testArtifact(project(xpackModule('core')))) internalClusterTestImplementation(testArtifact(project(xpackModule('core')))) api 'com.unboundid:unboundid-ldapsdk:6.0.3' // the following are all SAML dependencies - might as well download the whole internet api "org.opensaml:opensaml-core:${versions.opensaml}" api "org.opensaml:opensaml-saml-api:${versions.opensaml}" api "org.opensaml:opensaml-saml-impl:${versions.opensaml}" api "org.opensaml:opensaml-messaging-api:${versions.opensaml}" api "org.opensaml:opensaml-messaging-impl:${versions.opensaml}" api project(path: ':x-pack:libs:es-opensaml-security-api', configuration: 'shadow') // api "org.opensaml:opensaml-security-api:${versions.opensaml}" api "org.opensaml:opensaml-security-impl:${versions.opensaml}" api "org.opensaml:opensaml-profile-api:${versions.opensaml}" api "org.opensaml:opensaml-profile-impl:${versions.opensaml}" api "org.opensaml:opensaml-xmlsec-api:${versions.opensaml}" api "org.opensaml:opensaml-xmlsec-impl:${versions.opensaml}" api "org.opensaml:opensaml-soap-api:${versions.opensaml}" api "org.opensaml:opensaml-soap-impl:${versions.opensaml}" api "org.opensaml:opensaml-storage-api:${versions.opensaml}" api "org.opensaml:opensaml-storage-impl:${versions.opensaml}" api "net.shibboleth.utilities:java-support:8.4.0" api "com.google.code.findbugs:jsr305:3.0.2" api "org.apache.santuario:xmlsec:2.3.4" api "io.dropwizard.metrics:metrics-core:4.1.4" api ( "org.cryptacular:cryptacular:1.2.5") { exclude group: 'org.bouncycastle' } api "org.slf4j:slf4j-api:${versions.slf4j}" runtimeOnly "org.slf4j:slf4j-nop:${versions.slf4j}" // workaround for https://github.com/elastic/elasticsearch/issues/93714 // api "org.apache.logging.log4j:log4j-slf4j-impl:${versions.log4j}" see above api "org.apache.httpcomponents:httpclient:${versions.httpclient}" api "org.apache.httpcomponents:httpcore:${versions.httpcore}" api "org.apache.httpcomponents:httpasyncclient:${versions.httpasyncclient}" api "org.apache.httpcomponents:httpcore-nio:${versions.httpcore}" api "org.apache.httpcomponents:httpclient-cache:${versions.httpclient}" runtimeOnly 'com.google.guava:guava:32.0.1-jre' runtimeOnly 'com.google.guava:failureaccess:1.0.1' runtimeOnly "commons-codec:commons-codec:${versions.commonscodec}" runtimeOnly "joda-time:joda-time:2.10.10" // Dependencies for oidc api "com.nimbusds:oauth2-oidc-sdk:11.22.2" runtimeOnly "com.nimbusds:content-type:2.3" api project(path: xpackModule('security:lib:nimbus-jose-jwt-modified'), configuration: 'shadow') if (isEclipse) { /* * Eclipse can't pick up the shadow dependency so we point it at the unmodified version of the library * so it can compile things. */ api "com.nimbusds:nimbus-jose-jwt:10.0.2" } api "com.nimbusds:lang-tag:1.7" api "com.sun.mail:jakarta.mail:1.6.3" api "net.jcip:jcip-annotations:1.0" api "net.minidev:json-smart:2.5.2" api "net.minidev:accessors-smart:2.5.2" api "org.ow2.asm:asm:9.7.1" testImplementation "org.elasticsearch:mocksocket:${versions.mocksocket}" // Test dependencies for Kerberos (MiniKdc) testImplementation('commons-io:commons-io:2.5') testImplementation('org.apache.kerby:kerb-simplekdc:1.1.1') testImplementation('org.apache.kerby:kerb-client:1.1.1') testImplementation('org.apache.kerby:kerby-config:1.1.1') testImplementation('org.apache.kerby:kerb-core:1.1.1') testImplementation('org.apache.kerby:kerby-pkix:1.1.1') testImplementation('org.apache.kerby:kerby-asn1:1.1.1') testImplementation('org.apache.kerby:kerby-util:1.1.1') testImplementation('org.apache.kerby:kerb-common:1.1.1') testImplementation('org.apache.kerby:kerb-crypto:1.1.1') testImplementation('org.apache.kerby:kerb-util:1.1.1') testImplementation('org.apache.kerby:token-provider:1.1.1') testImplementation('net.jcip:jcip-annotations:1.0') testImplementation('org.apache.kerby:kerb-admin:1.1.1') testImplementation('org.apache.kerby:kerb-server:1.1.1') testImplementation('org.apache.kerby:kerb-identity:1.1.1') testImplementation('org.apache.kerby:kerby-xdr:1.1.1') // LDAP backend support for SimpleKdcServer testImplementation('org.apache.kerby:kerby-backend:1.1.1') testImplementation('org.apache.kerby:ldap-backend:1.1.1') testImplementation('org.apache.kerby:kerb-identity:1.1.1') testImplementation('org.apache.directory.api:api-ldap-client-api:1.0.0') testImplementation('org.apache.directory.api:api-ldap-schema-data:1.0.0') testImplementation('org.apache.directory.api:api-ldap-codec-core:1.0.0') testImplementation('org.apache.directory.api:api-ldap-extras-aci:1.0.0') testImplementation('org.apache.directory.api:api-ldap-extras-codec:1.0.0') testImplementation('org.apache.directory.api:api-ldap-extras-codec-api:1.0.0') testImplementation('commons-pool:commons-pool:1.6') testImplementation('commons-collections:commons-collections:3.2.2') testImplementation("org.apache.mina:mina-core:${versions.apache_mina}") testImplementation('org.apache.directory.api:api-util:1.0.1') testImplementation('org.apache.directory.api:api-i18n:1.0.1') testImplementation('org.apache.directory.api:api-ldap-model:1.0.1') testImplementation('org.apache.directory.api:api-asn1-api:1.0.1') testImplementation('org.apache.directory.api:api-asn1-ber:1.0.1') testImplementation('org.apache.servicemix.bundles:org.apache.servicemix.bundles.antlr:2.7.7_5') testImplementation('org.apache.directory.server:apacheds-core-api:2.0.0-M24') testImplementation('org.apache.directory.server:apacheds-i18n:2.0.0-M24') testImplementation('org.apache.directory.api:api-ldap-extras-util:1.0.0') testImplementation('net.sf.ehcache:ehcache:2.10.4') testImplementation('org.apache.directory.server:apacheds-kerberos-codec:2.0.0-M24') testImplementation('org.apache.directory.server:apacheds-protocol-ldap:2.0.0-M24') testImplementation('org.apache.directory.server:apacheds-protocol-shared:2.0.0-M24') testImplementation('org.apache.directory.jdbm:apacheds-jdbm1:2.0.0-M3') testImplementation('org.apache.directory.server:apacheds-jdbm-partition:2.0.0-M24') testImplementation('org.apache.directory.server:apacheds-xdbm-partition:2.0.0-M24') testImplementation('org.apache.directory.api:api-ldap-extras-sp:1.0.0') testImplementation('org.apache.directory.server:apacheds-test-framework:2.0.0-M24') testImplementation('org.apache.directory.server:apacheds-core-annotations:2.0.0-M24') testImplementation('org.apache.directory.server:apacheds-ldif-partition:2.0.0-M24') testImplementation('org.apache.directory.server:apacheds-mavibot-partition:2.0.0-M24') testImplementation('org.apache.directory.server:apacheds-protocol-kerberos:2.0.0-M24') testImplementation('org.apache.directory.server:apacheds-server-annotations:2.0.0-M24') testImplementation('org.apache.directory.api:api-ldap-codec-standalone:1.0.0') testImplementation('org.apache.directory.api:api-ldap-net-mina:1.0.0') testImplementation('org.apache.directory.server:ldap-client-test:2.0.0-M24') testImplementation('org.apache.directory.server:apacheds-interceptor-kerberos:2.0.0-M24') testImplementation('org.apache.directory.mavibot:mavibot:1.0.0-M8') } tasks.named("test").configure { systemProperty 'es.insecure_network_trace_enabled', 'true' } tasks.named("processInternalClusterTestResources").configure { from(project(xpackModule('core')).file('src/main/config')) from(project(xpackModule('core')).file('src/test/resources')) } tasks.named("processTestResources").configure { from(project(xpackModule('core')).file('src/main/config')) from(project(xpackModule('core')).file('src/test/resources')) } artifacts { // normal es plugins do not publish the jar but we need to since users need it for extensions archives tasks.named("jar") } tasks.named("dependencyLicenses").configure { mapping from: /java-support|opensaml-.*/, to: 'shibboleth' mapping from: /http.*/, to: 'httpclient' mapping from: /bc.*/, to: 'bouncycastle' mapping from: /failureaccess.*/, to: 'guava' mapping from: 'content-type', to: 'nimbus' } tasks.named("forbiddenPatterns").configure { exclude '**/*.key' exclude '**/*.p12' exclude '**/*.der' exclude '**/*.zip' } tasks.named('forbiddenApisMain').configure { signaturesFiles += files( 'forbidden/ldap-signatures.txt', 'forbidden/xml-signatures.txt', 'forbidden/oidc-signatures.txt', project(':modules:transport-netty4').file('forbidden/netty-signatures.txt') ) } tasks.named('forbiddenApisTest').configure { //we are using jdk-internal instead of jdk-non-portable to allow for com.sun.net.httpserver.* usage modifyBundledSignatures { bundledSignatures -> bundledSignatures -= 'jdk-non-portable' bundledSignatures += 'jdk-internal' bundledSignatures } } // classes are missing, e.g. com.ibm.icu.lang.UCharacter tasks.named("thirdPartyAudit").configure { ignoreMissingClasses( // SAML dependencies // [missing classes] Some cli utilities that we don't use depend on these missing JCommander classes 'com.beust.jcommander.JCommander', 'com.beust.jcommander.converters.BaseConverter', // [missing classes] Shibboleth + OpenSAML have servlet support that we don't use 'javax.servlet.AsyncContext', 'javax.servlet.DispatcherType', 'javax.servlet.Filter', 'javax.servlet.FilterChain', 'javax.servlet.FilterConfig', 'javax.servlet.RequestDispatcher', 'javax.servlet.ServletContext', 'javax.servlet.ServletInputStream', 'javax.servlet.ServletOutputStream', 'javax.servlet.ServletRequest', 'javax.servlet.ServletResponse', 'javax.servlet.http.Cookie', 'javax.servlet.http.HttpServletRequest', 'javax.servlet.http.HttpServletResponse', 'javax.servlet.http.HttpServletResponseWrapper', 'javax.servlet.http.HttpSession', 'javax.servlet.http.HttpUpgradeHandler', 'javax.servlet.http.Part', 'jakarta.servlet.ServletRequest', 'jakarta.servlet.http.HttpServletRequest', 'jakarta.servlet.http.HttpServletResponse', // [missing classes] Shibboleth + OpenSAML have velocity support that we don't use 'org.apache.velocity.VelocityContext', 'org.apache.velocity.app.VelocityEngine', 'org.apache.velocity.context.Context', 'org.apache.velocity.runtime.resource.loader.StringResourceLoader', 'org.apache.velocity.runtime.resource.util.StringResourceRepository', // [missing classes] OpenSAML storage has an optional LDAP storage impl 'org.ldaptive.AttributeModification', 'org.ldaptive.AttributeModificationType', 'org.ldaptive.Connection', 'org.ldaptive.DeleteOperation', 'org.ldaptive.LdapAttribute', 'org.ldaptive.LdapEntry', 'org.ldaptive.LdapException', 'org.ldaptive.ModifyOperation', 'org.ldaptive.Response', 'org.ldaptive.ResultCode', 'org.ldaptive.SearchOperation', 'org.ldaptive.SearchRequest', 'org.ldaptive.SearchResult', 'org.ldaptive.ext.MergeOperation', 'org.ldaptive.ext.MergeRequest', 'org.ldaptive.pool.ConnectionPool', 'org.ldaptive.pool.PooledConnectionFactory', // [missing classes] OpenSAML storage has an optional JSON-backed storage impl 'javax.json.Json', 'javax.json.JsonNumber', 'javax.json.JsonObject', 'javax.json.JsonReader', 'javax.json.JsonValue$ValueType', 'javax.json.JsonValue', 'javax.json.stream.JsonGenerator', // [missing classes] OpenSAML storage has an optional JPA storage impl 'javax.persistence.EntityManager', 'javax.persistence.EntityManagerFactory', 'javax.persistence.EntityTransaction', 'javax.persistence.LockModeType', 'javax.persistence.Query', // [missing classes] OpenSAML storage and HttpClient cache have optional memcache support 'net.spy.memcached.CASResponse', 'net.spy.memcached.CASValue', 'net.spy.memcached.MemcachedClient', 'net.spy.memcached.MemcachedClientIF', 'net.spy.memcached.CachedData', 'net.spy.memcached.internal.OperationFuture', 'net.spy.memcached.transcoders.Transcoder', // [missing classes] Http Client cache has optional ehcache support 'net.sf.ehcache.Ehcache', 'net.sf.ehcache.Element', // Bouncycastle is an optional dependency for apache directory, cryptacular and opensaml packages. We // acknowledge them here instead of adding bouncy castle as a compileOnly dependency 'org.bouncycastle.asn1.ASN1Encodable', 'org.bouncycastle.asn1.ASN1InputStream', 'org.bouncycastle.asn1.ASN1Integer', 'org.bouncycastle.asn1.ASN1ObjectIdentifier', 'org.bouncycastle.asn1.ASN1OctetString', 'org.bouncycastle.asn1.ASN1Primitive', 'org.bouncycastle.asn1.ASN1Sequence', 'org.bouncycastle.asn1.ASN1TaggedObject', // 'org.bouncycastle.asn1.DEROctetString', 'org.bouncycastle.asn1.pkcs.EncryptedPrivateKeyInfo', 'org.bouncycastle.asn1.pkcs.EncryptionScheme', 'org.bouncycastle.asn1.pkcs.KeyDerivationFunc', 'org.bouncycastle.asn1.pkcs.PBEParameter', 'org.bouncycastle.asn1.pkcs.PBES2Parameters', 'org.bouncycastle.asn1.pkcs.PBKDF2Params', 'org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers', 'org.bouncycastle.asn1.pkcs.PrivateKeyInfo', 'org.bouncycastle.asn1.x500.AttributeTypeAndValue', 'org.bouncycastle.asn1.x500.RDN', 'org.bouncycastle.asn1.x500.X500Name', 'org.bouncycastle.asn1.x509.AccessDescription', 'org.bouncycastle.asn1.x509.AlgorithmIdentifier', 'org.bouncycastle.asn1.x509.AuthorityKeyIdentifier', 'org.bouncycastle.asn1.x509.BasicConstraints', 'org.bouncycastle.asn1.x509.DistributionPoint', 'org.bouncycastle.asn1.x509.Extension', 'org.bouncycastle.asn1.x509.GeneralName', 'org.bouncycastle.asn1.x509.GeneralNames', 'org.bouncycastle.asn1.x509.GeneralNamesBuilder', 'org.bouncycastle.asn1.x509.KeyPurposeId', 'org.bouncycastle.asn1.x509.KeyUsage', 'org.bouncycastle.asn1.x509.PolicyInformation', 'org.bouncycastle.asn1.x509.SubjectKeyIdentifier', 'org.bouncycastle.asn1.x509.SubjectPublicKeyInfo', // 'org.bouncycastle.asn1.x9.DomainParameters', // 'org.bouncycastle.asn1.x9.ECNamedCurveTable', 'org.bouncycastle.asn1.x9.X9ECParameters', 'org.bouncycastle.cert.X509v3CertificateBuilder', 'org.bouncycastle.cert.jcajce.JcaX509CertificateConverter', 'org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils', 'org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder', 'org.bouncycastle.crypto.BlockCipher', 'org.bouncycastle.crypto.BufferedBlockCipher', 'org.bouncycastle.crypto.CipherParameters', 'org.bouncycastle.crypto.Digest', 'org.bouncycastle.crypto.PBEParametersGenerator', 'org.bouncycastle.crypto.StreamCipher', 'org.bouncycastle.crypto.agreement.kdf.ConcatenationKDFGenerator', // 'org.bouncycastle.crypto.ec.CustomNamedCurves', 'org.bouncycastle.crypto.generators.BCrypt', 'org.bouncycastle.crypto.generators.OpenSSLPBEParametersGenerator', 'org.bouncycastle.crypto.generators.PKCS5S1ParametersGenerator', 'org.bouncycastle.crypto.generators.PKCS5S2ParametersGenerator', 'org.bouncycastle.crypto.macs.HMac', 'org.bouncycastle.crypto.modes.AEADBlockCipher', 'org.bouncycastle.crypto.paddings.BlockCipherPadding', 'org.bouncycastle.crypto.paddings.PaddedBufferedBlockCipher', 'org.bouncycastle.crypto.params.AsymmetricKeyParameter', 'org.bouncycastle.crypto.params.DSAKeyParameters', 'org.bouncycastle.crypto.params.DSAParameters', 'org.bouncycastle.crypto.params.DSAPrivateKeyParameters', 'org.bouncycastle.crypto.params.DSAPublicKeyParameters', 'org.bouncycastle.crypto.params.ECDomainParameters', 'org.bouncycastle.crypto.params.ECKeyParameters', 'org.bouncycastle.crypto.params.ECPrivateKeyParameters', 'org.bouncycastle.crypto.params.ECPublicKeyParameters', // 'org.bouncycastle.crypto.params.KDFParameters', 'org.bouncycastle.crypto.params.KeyParameter', 'org.bouncycastle.crypto.params.RSAKeyParameters', 'org.bouncycastle.crypto.params.RSAPrivateCrtKeyParameters', 'org.bouncycastle.crypto.prng.EntropySource', 'org.bouncycastle.crypto.prng.SP800SecureRandom', 'org.bouncycastle.crypto.prng.SP800SecureRandomBuilder', 'org.bouncycastle.crypto.prng.drbg.SP80090DRBG', 'org.bouncycastle.crypto.signers.DSASigner', 'org.bouncycastle.crypto.signers.ECDSASigner', 'org.bouncycastle.crypto.signers.RSADigestSigner', 'org.bouncycastle.crypto.util.PrivateKeyFactory', 'org.bouncycastle.crypto.util.PrivateKeyInfoFactory', 'org.bouncycastle.crypto.util.PublicKeyFactory', 'org.bouncycastle.crypto.util.SubjectPublicKeyInfoFactory', 'org.bouncycastle.jcajce.provider.asymmetric.dsa.KeyPairGeneratorSpi', 'org.bouncycastle.jcajce.provider.asymmetric.ec.KeyPairGeneratorSpi$EC', 'org.bouncycastle.jcajce.provider.asymmetric.rsa.KeyPairGeneratorSpi', 'org.bouncycastle.jcajce.provider.asymmetric.util.EC5Util', 'org.bouncycastle.jcajce.provider.asymmetric.util.ECUtil', // 'org.bouncycastle.jce.ECNamedCurveTable', // 'org.bouncycastle.jce.spec.ECNamedCurveParameterSpec', 'org.bouncycastle.math.ec.ECFieldElement', 'org.bouncycastle.math.ec.ECPoint', 'org.bouncycastle.openssl.jcajce.JcaPEMWriter', 'org.bouncycastle.operator.jcajce.JcaContentSignerBuilder', 'org.bouncycastle.util.Arrays', 'org.bouncycastle.util.io.Streams', 'org.bouncycastle.cert.X509CertificateHolder', ) ignoreViolations( // Guava uses internal java api: sun.misc.Unsafe 'com.google.common.hash.LittleEndianByteArray$UnsafeByteArray', 'com.google.common.hash.LittleEndianByteArray$UnsafeByteArray$1', 'com.google.common.hash.LittleEndianByteArray$UnsafeByteArray$2', 'com.google.common.hash.Striped64', 'com.google.common.hash.Striped64$1', 'com.google.common.hash.Striped64$Cell', 'com.google.common.cache.Striped64', 'com.google.common.cache.Striped64$1', 'com.google.common.cache.Striped64$Cell', 'com.google.common.primitives.UnsignedBytes$LexicographicalComparatorHolder$UnsafeComparator', 'com.google.common.primitives.UnsignedBytes$LexicographicalComparatorHolder$UnsafeComparator$1', 'com.google.common.util.concurrent.AbstractFuture$UnsafeAtomicHelper', 'com.google.common.util.concurrent.AbstractFuture$UnsafeAtomicHelper$1', ) } tasks.named("thirdPartyAudit").configure { ignoreMissingClasses( 'javax.xml.bind.JAXBContext', 'javax.xml.bind.JAXBElement', 'javax.xml.bind.JAXBException', 'javax.xml.bind.Unmarshaller', 'javax.xml.bind.UnmarshallerHandler', // Optional dependency of oauth2-oidc-sdk that we don't need since we do not support AES-SIV for JWE 'org.cryptomator.siv.SivMode', 'javax.activation.ActivationDataFlavor', 'javax.activation.DataContentHandler', 'javax.activation.DataHandler', 'javax.activation.DataSource', 'javax.activation.FileDataSource', 'javax.activation.FileTypeMap' ) } tasks.named("internalClusterTest").configure { /* * Some tests in this module set up a lot of transport threads so we reduce the buffer size per transport thread from the 1M default * to keep direct memory usage under control. */ systemProperty 'es.transport.buffer.size', '256k' systemProperty 'es.dlm_feature_flag_enabled', 'true' } addQaCheckDependencies(project)