OpenSearch/x-pack/qa/reindex-tests-with-security/build.gradle

import javax.net.ssl.HttpsURLConnection
import javax.net.ssl.KeyManager
import javax.net.ssl.SSLContext
import javax.net.ssl.TrustManagerFactory
import java.nio.charset.StandardCharsets
import java.security.KeyStore
import java.security.SecureRandom

apply plugin: 'elasticsearch.standalone-rest-test'
apply plugin: 'elasticsearch.rest-test'

dependencies {
  // "org.elasticsearch.plugin:x-pack-core:${version}" doesn't work with idea because the testArtifacts are also here
  testCompile project(path: xpackModule('core'), configuration: 'default')
  testCompile project(path: xpackModule('security'), configuration: 'testArtifacts')
  testCompile project(path: xpackModule('core'), configuration: 'testArtifacts')
  testCompile project(path: ':modules:reindex')
}

forbiddenPatterns {
    exclude '**/*.key'
    exclude '**/*.pem'
    exclude '**/*.p12'
    exclude '**/*.jks'
}

File caFile = project.file('src/test/resources/ssl/ca.p12')

integTestCluster {
  // Whitelist reindexing from the local node so we can test it.
  extraConfigFile 'http.key', project.projectDir.toPath().resolve('src/test/resources/ssl/http.key')
  extraConfigFile 'http.crt', project.projectDir.toPath().resolve('src/test/resources/ssl/http.crt')
  extraConfigFile 'ca.p12', caFile
  setting 'reindex.remote.whitelist', '127.0.0.1:*'
  setting 'xpack.ilm.enabled', 'false'
  setting 'xpack.security.enabled', 'true'
  setting 'xpack.ml.enabled', 'false'
  setting 'xpack.license.self_generated.type', 'trial'
  setting 'xpack.security.http.ssl.enabled', 'true'
  setting 'xpack.security.http.ssl.certificate', 'http.crt'
  setting 'xpack.security.http.ssl.key', 'http.key'
  setting 'xpack.security.http.ssl.key_passphrase', 'http-password'
  setting 'reindex.ssl.truststore.path', 'ca.p12'
  setting 'reindex.ssl.truststore.password', 'password'
  extraConfigFile 'roles.yml', 'roles.yml'
  [
    test_admin: 'superuser',
    powerful_user: 'superuser',
    minimal_user: 'minimal',
    minimal_with_task_user: 'minimal_with_task',
    readonly_user: 'readonly',
    dest_only_user: 'dest_only',
    can_not_see_hidden_docs_user: 'can_not_see_hidden_docs',
    can_not_see_hidden_fields_user: 'can_not_see_hidden_fields',
  ].each { String user, String role ->
    setupCommand 'setupUser#' + user,
                 'bin/elasticsearch-users', 'useradd', user, '-p', 'x-pack-test-password', '-r', role
  }
  waitCondition = { node, ant ->
    // Load the CA PKCS#12 file as a truststore
    KeyStore ks = KeyStore.getInstance("PKCS12");
    ks.load(caFile.newInputStream(), 'password'.toCharArray());
    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(ks);

    // Configre a SSL context for TLS1.2 using our CA trust manager
    SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
    sslContext.init(new KeyManager[0], tmf.getTrustManagers(), new SecureRandom());

    // Check whether the cluster has started
    URL url = new URL("https://${node.httpUri()}/_cluster/health?wait_for_nodes=${numNodes}&wait_for_status=yellow");
    for (int i = 20; i >= 0; i--) {
      // we use custom wait logic here for HTTPS
      HttpsURLConnection httpURLConnection = null;
      try {
        logger.info("Trying ${url}");
        httpURLConnection = (HttpsURLConnection) url.openConnection();
        httpURLConnection.setSSLSocketFactory(sslContext.getSocketFactory());
        httpURLConnection.setRequestProperty("Authorization",
          "Basic " + Base64.getEncoder().encodeToString("test_admin:x-pack-test-password".getBytes(StandardCharsets.UTF_8)));
        httpURLConnection.setRequestMethod("GET");
        httpURLConnection.connect();
        if (httpURLConnection.getResponseCode() == 200) {
          logger.info("Cluster has started");
          return true;
        } else {
          logger.debug("HTTP response was [{}]", httpURLConnection.getResponseCode());
        }
      } catch (IOException e) {
          if (i == 0) {
              logger.error("Failed to call cluster health - " + e)
          }
          logger.debug("Call to [{}] threw an exception", url, e)
      } finally {
        if (httpURLConnection != null) {
          httpURLConnection.disconnect();
        }
      }
      // did not start, so wait a bit before trying again
      Thread.sleep(750L);
    }
    return false;
  }
}
Enable SSL in reindex with security QA tests (#37600) Update the x-pack/qa/reindex-tests-with-security integration tests to run with TLS enabled on the Rest interface. Relates: #37527 2019-01-31 04:59:50 -05:00			`import javax.net.ssl.HttpsURLConnection`
			`import javax.net.ssl.KeyManager`
			`import javax.net.ssl.SSLContext`
			`import javax.net.ssl.TrustManagerFactory`
			`import java.nio.charset.StandardCharsets`
			`import java.security.KeyStore`
			`import java.security.SecureRandom`

Switch from standalone-test to standalone-rest-test standalone-rest-test doesn't configure unit tests and for these integTest only projects that is what we want. Original commit: elastic/x-pack-elasticsearch@f576dfdfbbe8ddb901311ed94c03d84f9bf1bdd5 2017-01-04 14:27:53 -05:00			`apply plugin: 'elasticsearch.standalone-rest-test'`
Add reindex tests to shield Original commit: elastic/x-pack-elasticsearch@fe00f317b3c366fe43a44417dab88ea070ff6dc0 2016-03-08 17:15:40 -05:00			`apply plugin: 'elasticsearch.rest-test'`

			`dependencies {`
Build: Rework shadow plugin configuration (#32409) This reworks how we configure the `shadow` plugin in the build. The major change is that we no longer bundle dependencies in the `compile` configuration, instead we bundle dependencies in the new `bundle` configuration. This feels more right because it is a little more "opt in" rather than "opt out" and the name of the `bundle` configuration is a little more obvious. As an neat side effect of this, the `runtimeElements` configuration used when one project depends on another now contains exactly the dependencies needed to run the project so you no longer need to reference projects that use the shadow plugin like this: ``` testCompile project(path: ':client:rest-high-level', configuration: 'shadow') ``` You can instead use the much more normal: ``` testCompile "org.elasticsearch.client:elasticsearch-rest-high-level-client:${version}" ``` 2018-08-21 20:03:28 -04:00			`// "org.elasticsearch.plugin:x-pack-core:${version}" doesn't work with idea because the testArtifacts are also here`
			`testCompile project(path: xpackModule('core'), configuration: 'default')`
Build: Replace references to x-pack-elasticsearch paths with helper methods (elastic/x-pack-elasticsearch#3748) In order to more easily integrate xpack once it moves into the elasticsearch repo, references to the existing x-pack-elasticsearch need to be reduced. This commit introduces a few helper "methods" available to any project within xpack (through gradle project extension properties, as closures). All refeerences to project paths now use these helper methods, except for those pertaining to bwc, which will be handled in a followup. Original commit: elastic/x-pack-elasticsearch@850668744c7188f3ca8d6ff561c99fbd8995288e 2018-01-27 00:48:30 -05:00			`testCompile project(path: xpackModule('security'), configuration: 'testArtifacts')`
			`testCompile project(path: xpackModule('core'), configuration: 'testArtifacts')`
Security: add tests for delete and update by query Original commit: elastic/x-pack-elasticsearch@e85877d03f4ed9148cd9931e942653138e31fe48 2016-08-11 13:28:36 -04:00			`testCompile project(path: ':modules:reindex')`
Add reindex tests to shield Original commit: elastic/x-pack-elasticsearch@fe00f317b3c366fe43a44417dab88ea070ff6dc0 2016-03-08 17:15:40 -05:00			`}`

Enable SSL in reindex with security QA tests (#37600) Update the x-pack/qa/reindex-tests-with-security integration tests to run with TLS enabled on the Rest interface. Relates: #37527 2019-01-31 04:59:50 -05:00			`forbiddenPatterns {`
			`exclude '*/.key'`
			`exclude '*/.pem'`
			`exclude '*/.p12'`
			`exclude '*/.jks'`
			`}`

			`File caFile = project.file('src/test/resources/ssl/ca.p12')`

Build: Convert integ test dsl to new split cluster/runner dsl This is the xpack side of elastic/elasticsearch#23304 Original commit: elastic/x-pack-elasticsearch@8eddd7fb0d5caca252a49662fc91ce5de36b15f5 2017-02-22 03:56:52 -05:00			`integTestCluster {`
			`// Whitelist reindexing from the local node so we can test it.`
Enable SSL in reindex with security QA tests (#37600) Update the x-pack/qa/reindex-tests-with-security integration tests to run with TLS enabled on the Rest interface. Relates: #37527 2019-01-31 04:59:50 -05:00			`extraConfigFile 'http.key', project.projectDir.toPath().resolve('src/test/resources/ssl/http.key')`
			`extraConfigFile 'http.crt', project.projectDir.toPath().resolve('src/test/resources/ssl/http.crt')`
			`extraConfigFile 'ca.p12', caFile`
Build: Convert integ test dsl to new split cluster/runner dsl This is the xpack side of elastic/elasticsearch#23304 Original commit: elastic/x-pack-elasticsearch@8eddd7fb0d5caca252a49662fc91ce5de36b15f5 2017-02-22 03:56:52 -05:00			`setting 'reindex.remote.whitelist', '127.0.0.1:*'`
Rename ILM, ILM endpoints and drop _xpack (#32564) This commit does the following: - renames index-lifecycle plugin to ilm - modifies the endpoints to ilm instead of index_lifecycle - drops _xpack from the endpoints - drops a few duplicate endpoints 2018-08-02 13:05:11 -04:00			`setting 'xpack.ilm.enabled', 'false'`
Disable security for trial licenses by default (elastic/x-pack-elasticsearch#4120) This change disables security for trial licenses unless security is explicitly enabled in the settings. This is done to facilitate users getting started and not having to deal with some of the complexities involved in getting security configured. In order to do this and avoid disabling security for existing users that have gold or platinum licenses, we have to disable security after cluster formation so that the license can be retrieved. relates elastic/x-pack-elasticsearch#4078 Original commit: elastic/x-pack-elasticsearch@96bdb889fc74d4871c43df71354a21549cc53a3e 2018-03-21 23:09:44 -04:00			`setting 'xpack.security.enabled', 'true'`
[TEST] Disable ml in qa modules where necessary Original commit: elastic/x-pack-elasticsearch@bb311b44d7289ec94b62a1f10d64a51c20d40b49 2017-03-02 12:01:05 -05:00			`setting 'xpack.ml.enabled', 'false'`
Default to basic license at startup (elastic/x-pack-elasticsearch#3878) This is related to elastic/x-pack-elasticsearch#3877. This commit modifies the license settings to default to self generating a basic license. Original commit: elastic/x-pack-elasticsearch@cd6ee8e06f17c213544ae1c06cfe8ebfa85b9f68 2018-02-12 14:57:04 -05:00			`setting 'xpack.license.self_generated.type', 'trial'`
Enable SSL in reindex with security QA tests (#37600) Update the x-pack/qa/reindex-tests-with-security integration tests to run with TLS enabled on the Rest interface. Relates: #37527 2019-01-31 04:59:50 -05:00			`setting 'xpack.security.http.ssl.enabled', 'true'`
			`setting 'xpack.security.http.ssl.certificate', 'http.crt'`
			`setting 'xpack.security.http.ssl.key', 'http.key'`
			`setting 'xpack.security.http.ssl.key_passphrase', 'http-password'`
			`setting 'reindex.ssl.truststore.path', 'ca.p12'`
			`setting 'reindex.ssl.truststore.password', 'password'`
Build: Split distributions into oss and default This commit makes x-pack a module and adds it to the default distrubtion. It also creates distributions for zip, tar, deb and rpm which contain only oss code. 2018-02-23 11:03:17 -05:00			`extraConfigFile 'roles.yml', 'roles.yml'`
Build: Convert integ test dsl to new split cluster/runner dsl This is the xpack side of elastic/elasticsearch#23304 Original commit: elastic/x-pack-elasticsearch@8eddd7fb0d5caca252a49662fc91ce5de36b15f5 2017-02-22 03:56:52 -05:00			`[`
			`test_admin: 'superuser',`
			`powerful_user: 'superuser',`
			`minimal_user: 'minimal',`
Tasks: Only require task permissions (#35667) Right now using the `GET /_tasks/<taskid>` API and causing a task to opt in to saving its result after being completed requires permissions on the `.tasks` index. When we built this we thought that that was fine, but we've since moved towards not leaking details like "persisting task results after the task is completed is done by saving them into an index named `.tasks`." A more modern way of doing this would be to save the tasks into the index "under the hood" and to have APIs to manage the saved tasks. This is the first step down that road: it drops the requirement to have permissions to interact with the `.tasks` index when fetching task statuses and when persisting statuses beyond the lifetime of the task. In particular, this moves the concept of the "origin" of an action into a more prominent place in the Elasticsearch server. The origin of an action is ignored by the server, but the security plugin uses the origin to make requests on behalf of a user in such a way that the user need not have permissions to perform these actions. It can be made to be fairly precise. More specifically, we can create an internal user just for the tasks API that just has permission to interact with the `.tasks` index. This change doesn't do that, instead, it uses the ubiquitus "xpack" user which has most permissions because it is simpler. Adding the tasks user is something I'd like to get to in a follow up change. Instead, the majority of this change is about moving the "origin" concept from the security portion of x-pack into the server. This should allow any code to use the origin. To keep the change managable I've also opted to deprecate rather than remove the "origin" helpers in the security code. Removing them is almost entirely mechanical and I'd like to that in a follow up as well. Relates to #35573 2018-11-28 09:28:27 -05:00			`minimal_with_task_user: 'minimal_with_task',`
Build: Convert integ test dsl to new split cluster/runner dsl This is the xpack side of elastic/elasticsearch#23304 Original commit: elastic/x-pack-elasticsearch@8eddd7fb0d5caca252a49662fc91ce5de36b15f5 2017-02-22 03:56:52 -05:00			`readonly_user: 'readonly',`
			`dest_only_user: 'dest_only',`
			`can_not_see_hidden_docs_user: 'can_not_see_hidden_docs',`
			`can_not_see_hidden_fields_user: 'can_not_see_hidden_fields',`
			`].each { String user, String role ->`
			`setupCommand 'setupUser#' + user,`
Rename users This commit renames users to elasticsearch-users. 2018-04-11 11:36:12 -04:00			`'bin/elasticsearch-users', 'useradd', user, '-p', 'x-pack-test-password', '-r', role`
Build: Convert integ test dsl to new split cluster/runner dsl This is the xpack side of elastic/elasticsearch#23304 Original commit: elastic/x-pack-elasticsearch@8eddd7fb0d5caca252a49662fc91ce5de36b15f5 2017-02-22 03:56:52 -05:00			`}`
			`waitCondition = { node, ant ->`
Enable SSL in reindex with security QA tests (#37600) Update the x-pack/qa/reindex-tests-with-security integration tests to run with TLS enabled on the Rest interface. Relates: #37527 2019-01-31 04:59:50 -05:00			`// Load the CA PKCS#12 file as a truststore`
			`KeyStore ks = KeyStore.getInstance("PKCS12");`
			`ks.load(caFile.newInputStream(), 'password'.toCharArray());`
			`TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());`
			`tmf.init(ks);`

			`// Configre a SSL context for TLS1.2 using our CA trust manager`
			`SSLContext sslContext = SSLContext.getInstance("TLSv1.2");`
			`sslContext.init(new KeyManager[0], tmf.getTrustManagers(), new SecureRandom());`

			`// Check whether the cluster has started`
			`URL url = new URL("https://${node.httpUri()}/_cluster/health?wait_for_nodes=${numNodes}&wait_for_status=yellow");`
			`for (int i = 20; i >= 0; i--) {`
			`// we use custom wait logic here for HTTPS`
			`HttpsURLConnection httpURLConnection = null;`
			`try {`
			`logger.info("Trying ${url}");`
			`httpURLConnection = (HttpsURLConnection) url.openConnection();`
			`httpURLConnection.setSSLSocketFactory(sslContext.getSocketFactory());`
			`httpURLConnection.setRequestProperty("Authorization",`
			`"Basic " + Base64.getEncoder().encodeToString("test_admin:x-pack-test-password".getBytes(StandardCharsets.UTF_8)));`
			`httpURLConnection.setRequestMethod("GET");`
			`httpURLConnection.connect();`
			`if (httpURLConnection.getResponseCode() == 200) {`
			`logger.info("Cluster has started");`
			`return true;`
			`} else {`
			`logger.debug("HTTP response was [{}]", httpURLConnection.getResponseCode());`
			`}`
			`} catch (IOException e) {`
			`if (i == 0) {`
			`logger.error("Failed to call cluster health - " + e)`
			`}`
			`logger.debug("Call to [{}] threw an exception", url, e)`
			`} finally {`
			`if (httpURLConnection != null) {`
			`httpURLConnection.disconnect();`
			`}`
			`}`
			`// did not start, so wait a bit before trying again`
			`Thread.sleep(750L);`
			`}`
			`return false;`
Add reindex tests to shield Original commit: elastic/x-pack-elasticsearch@fe00f317b3c366fe43a44417dab88ea070ff6dc0 2016-03-08 17:15:40 -05:00			`}`
			`}`