OpenSearch/x-pack/qa/reindex-tests-with-security/build.gradle

import org.elasticsearch.gradle.http.WaitForHttpResource

apply plugin: 'elasticsearch.standalone-rest-test'
apply plugin: 'elasticsearch.rest-test'

dependencies {
  // "org.elasticsearch.plugin:x-pack-core:${version}" doesn't work with idea because the testArtifacts are also here
  testCompile project(path: xpackModule('core'), configuration: 'default')
  testCompile project(path: xpackModule('security'), configuration: 'testArtifacts')
  testCompile project(path: xpackModule('core'), configuration: 'testArtifacts')
  testCompile project(path: ':modules:reindex')
}

forbiddenPatterns {
    exclude '**/*.key'
    exclude '**/*.pem'
    exclude '**/*.p12'
    exclude '**/*.jks'
}

File caFile = project.file('src/test/resources/ssl/ca.p12')

integTestCluster {
  // Whitelist reindexing from the local node so we can test it.
  extraConfigFile 'http.key', project.projectDir.toPath().resolve('src/test/resources/ssl/http.key')
  extraConfigFile 'http.crt', project.projectDir.toPath().resolve('src/test/resources/ssl/http.crt')
  extraConfigFile 'ca.p12', caFile
  setting 'reindex.remote.whitelist', '127.0.0.1:*'
  setting 'xpack.ilm.enabled', 'false'
  setting 'xpack.security.enabled', 'true'
  setting 'xpack.ml.enabled', 'false'
  setting 'xpack.license.self_generated.type', 'trial'
  setting 'xpack.security.http.ssl.enabled', 'true'
  setting 'xpack.security.http.ssl.certificate', 'http.crt'
  setting 'xpack.security.http.ssl.key', 'http.key'
  setting 'xpack.security.http.ssl.key_passphrase', 'http-password'
  setting 'reindex.ssl.truststore.path', 'ca.p12'
  setting 'reindex.ssl.truststore.password', 'password'

  // Workaround for JDK-8212885
  if (project.ext.runtimeJavaVersion.isJava12Compatible() == false) {
    setting 'reindex.ssl.supported_protocols', 'TLSv1.2'
  }

  extraConfigFile 'roles.yml', 'roles.yml'
  [
    test_admin: 'superuser',
    powerful_user: 'superuser',
    minimal_user: 'minimal',
    minimal_with_task_user: 'minimal_with_task',
    readonly_user: 'readonly',
    dest_only_user: 'dest_only',
    can_not_see_hidden_docs_user: 'can_not_see_hidden_docs',
    can_not_see_hidden_fields_user: 'can_not_see_hidden_fields',
  ].each { String user, String role ->
    setupCommand 'setupUser#' + user,
                 'bin/elasticsearch-users', 'useradd', user, '-p', 'x-pack-test-password', '-r', role
  }
  waitCondition = { node, ant ->
    WaitForHttpResource http = new WaitForHttpResource("https", node.httpUri(), numNodes)
    http.setTrustStoreFile(caFile)
    http.setTrustStorePassword("password")
    http.setUsername("test_admin")
    http.setPassword("x-pack-test-password")
    return http.wait(5000)
  }
}
Add build utility to check cluster health over ssl (#40713) By default, in integ tests we wait for the standalone cluster to start by using the ant Get task to retrieve the cluster health endpoint. However the ant task has no facilities for customising the trusted CAs for a https resource, so if the integ test cluster has TLS enabled on the http interface (using a custom CA) we need a separate utility for that purpose. Backport of: #40573 2019-04-04 06:44:03 -04:00			`import org.elasticsearch.gradle.http.WaitForHttpResource`
Enable SSL in reindex with security QA tests (#37600) Update the x-pack/qa/reindex-tests-with-security integration tests to run with TLS enabled on the Rest interface. Relates: #37527 2019-01-31 04:59:50 -05:00
Switch from standalone-test to standalone-rest-test standalone-rest-test doesn't configure unit tests and for these integTest only projects that is what we want. Original commit: elastic/x-pack-elasticsearch@f576dfdfbbe8ddb901311ed94c03d84f9bf1bdd5 2017-01-04 14:27:53 -05:00			`apply plugin: 'elasticsearch.standalone-rest-test'`
Add reindex tests to shield Original commit: elastic/x-pack-elasticsearch@fe00f317b3c366fe43a44417dab88ea070ff6dc0 2016-03-08 17:15:40 -05:00			`apply plugin: 'elasticsearch.rest-test'`

			`dependencies {`
Build: Rework shadow plugin configuration (#32409) This reworks how we configure the `shadow` plugin in the build. The major change is that we no longer bundle dependencies in the `compile` configuration, instead we bundle dependencies in the new `bundle` configuration. This feels more right because it is a little more "opt in" rather than "opt out" and the name of the `bundle` configuration is a little more obvious. As an neat side effect of this, the `runtimeElements` configuration used when one project depends on another now contains exactly the dependencies needed to run the project so you no longer need to reference projects that use the shadow plugin like this: ``` testCompile project(path: ':client:rest-high-level', configuration: 'shadow') ``` You can instead use the much more normal: ``` testCompile "org.elasticsearch.client:elasticsearch-rest-high-level-client:${version}" ``` 2018-08-21 20:03:28 -04:00			`// "org.elasticsearch.plugin:x-pack-core:${version}" doesn't work with idea because the testArtifacts are also here`
			`testCompile project(path: xpackModule('core'), configuration: 'default')`
Build: Replace references to x-pack-elasticsearch paths with helper methods (elastic/x-pack-elasticsearch#3748) In order to more easily integrate xpack once it moves into the elasticsearch repo, references to the existing x-pack-elasticsearch need to be reduced. This commit introduces a few helper "methods" available to any project within xpack (through gradle project extension properties, as closures). All refeerences to project paths now use these helper methods, except for those pertaining to bwc, which will be handled in a followup. Original commit: elastic/x-pack-elasticsearch@850668744c7188f3ca8d6ff561c99fbd8995288e 2018-01-27 00:48:30 -05:00			`testCompile project(path: xpackModule('security'), configuration: 'testArtifacts')`
			`testCompile project(path: xpackModule('core'), configuration: 'testArtifacts')`
Security: add tests for delete and update by query Original commit: elastic/x-pack-elasticsearch@e85877d03f4ed9148cd9931e942653138e31fe48 2016-08-11 13:28:36 -04:00			`testCompile project(path: ':modules:reindex')`
Add reindex tests to shield Original commit: elastic/x-pack-elasticsearch@fe00f317b3c366fe43a44417dab88ea070ff6dc0 2016-03-08 17:15:40 -05:00			`}`

Enable SSL in reindex with security QA tests (#37600) Update the x-pack/qa/reindex-tests-with-security integration tests to run with TLS enabled on the Rest interface. Relates: #37527 2019-01-31 04:59:50 -05:00			`forbiddenPatterns {`
			`exclude '*/.key'`
			`exclude '*/.pem'`
			`exclude '*/.p12'`
			`exclude '*/.jks'`
			`}`

			`File caFile = project.file('src/test/resources/ssl/ca.p12')`

Build: Convert integ test dsl to new split cluster/runner dsl This is the xpack side of elastic/elasticsearch#23304 Original commit: elastic/x-pack-elasticsearch@8eddd7fb0d5caca252a49662fc91ce5de36b15f5 2017-02-22 03:56:52 -05:00			`integTestCluster {`
			`// Whitelist reindexing from the local node so we can test it.`
Enable SSL in reindex with security QA tests (#37600) Update the x-pack/qa/reindex-tests-with-security integration tests to run with TLS enabled on the Rest interface. Relates: #37527 2019-01-31 04:59:50 -05:00			`extraConfigFile 'http.key', project.projectDir.toPath().resolve('src/test/resources/ssl/http.key')`
			`extraConfigFile 'http.crt', project.projectDir.toPath().resolve('src/test/resources/ssl/http.crt')`
			`extraConfigFile 'ca.p12', caFile`
Build: Convert integ test dsl to new split cluster/runner dsl This is the xpack side of elastic/elasticsearch#23304 Original commit: elastic/x-pack-elasticsearch@8eddd7fb0d5caca252a49662fc91ce5de36b15f5 2017-02-22 03:56:52 -05:00			`setting 'reindex.remote.whitelist', '127.0.0.1:*'`
Rename ILM, ILM endpoints and drop _xpack (#32564) This commit does the following: - renames index-lifecycle plugin to ilm - modifies the endpoints to ilm instead of index_lifecycle - drops _xpack from the endpoints - drops a few duplicate endpoints 2018-08-02 13:05:11 -04:00			`setting 'xpack.ilm.enabled', 'false'`
Disable security for trial licenses by default (elastic/x-pack-elasticsearch#4120) This change disables security for trial licenses unless security is explicitly enabled in the settings. This is done to facilitate users getting started and not having to deal with some of the complexities involved in getting security configured. In order to do this and avoid disabling security for existing users that have gold or platinum licenses, we have to disable security after cluster formation so that the license can be retrieved. relates elastic/x-pack-elasticsearch#4078 Original commit: elastic/x-pack-elasticsearch@96bdb889fc74d4871c43df71354a21549cc53a3e 2018-03-21 23:09:44 -04:00			`setting 'xpack.security.enabled', 'true'`
[TEST] Disable ml in qa modules where necessary Original commit: elastic/x-pack-elasticsearch@bb311b44d7289ec94b62a1f10d64a51c20d40b49 2017-03-02 12:01:05 -05:00			`setting 'xpack.ml.enabled', 'false'`
Default to basic license at startup (elastic/x-pack-elasticsearch#3878) This is related to elastic/x-pack-elasticsearch#3877. This commit modifies the license settings to default to self generating a basic license. Original commit: elastic/x-pack-elasticsearch@cd6ee8e06f17c213544ae1c06cfe8ebfa85b9f68 2018-02-12 14:57:04 -05:00			`setting 'xpack.license.self_generated.type', 'trial'`
Enable SSL in reindex with security QA tests (#37600) Update the x-pack/qa/reindex-tests-with-security integration tests to run with TLS enabled on the Rest interface. Relates: #37527 2019-01-31 04:59:50 -05:00			`setting 'xpack.security.http.ssl.enabled', 'true'`
			`setting 'xpack.security.http.ssl.certificate', 'http.crt'`
			`setting 'xpack.security.http.ssl.key', 'http.key'`
			`setting 'xpack.security.http.ssl.key_passphrase', 'http-password'`
			`setting 'reindex.ssl.truststore.path', 'ca.p12'`
			`setting 'reindex.ssl.truststore.password', 'password'`
Update ciphers for TLSv1.3 and JDK11 if available (#42082) This commit updates the default ciphers and TLS protocols that are used when the runtime JDK supports them. New cipher support has been introduced in JDK 11 and 12 along with performance fixes for AES GCM. The ciphers are ordered with PFS ciphers being most preferred, then AEAD ciphers, and finally those with mainstream hardware support. When available stronger encryption is preferred for a given cipher. This is a backport of #41385 and #41808. There are known JDK bugs with TLSv1.3 that have been fixed in various versions. These are: 1. The JDK's bundled HttpsServer will endless loop under JDK11 and JDK 12.0 (Fixed in 12.0.1) based on the way the Apache HttpClient performs a close (half close). 2. In all versions of JDK 11 and 12, the HttpsServer will endless loop when certificates are not trusted or another handshake error occurs. An email has been sent to the openjdk security-dev list and #38646 is open to track this. 3. In JDK 11.0.2 and prior there is a race condition with session resumption that leads to handshake errors when multiple concurrent handshakes are going on between the same client and server. This bug does not appear when client authentication is in use. This is JDK-8213202, which was fixed in 11.0.3 and 12.0. 4. In JDK 11.0.2 and prior there is a bug where resumed TLS sessions do not retain peer certificate information. This is JDK-8212885. The way these issues are addressed is that the current java version is checked and used to determine the supported protocols for tests that provoke these issues. 2019-05-20 09:45:36 -04:00
			`// Workaround for JDK-8212885`
			`if (project.ext.runtimeJavaVersion.isJava12Compatible() == false) {`
			`setting 'reindex.ssl.supported_protocols', 'TLSv1.2'`
			`}`

Build: Split distributions into oss and default This commit makes x-pack a module and adds it to the default distrubtion. It also creates distributions for zip, tar, deb and rpm which contain only oss code. 2018-02-23 11:03:17 -05:00			`extraConfigFile 'roles.yml', 'roles.yml'`
Build: Convert integ test dsl to new split cluster/runner dsl This is the xpack side of elastic/elasticsearch#23304 Original commit: elastic/x-pack-elasticsearch@8eddd7fb0d5caca252a49662fc91ce5de36b15f5 2017-02-22 03:56:52 -05:00			`[`
			`test_admin: 'superuser',`
			`powerful_user: 'superuser',`
			`minimal_user: 'minimal',`
Tasks: Only require task permissions (#35667) Right now using the `GET /_tasks/<taskid>` API and causing a task to opt in to saving its result after being completed requires permissions on the `.tasks` index. When we built this we thought that that was fine, but we've since moved towards not leaking details like "persisting task results after the task is completed is done by saving them into an index named `.tasks`." A more modern way of doing this would be to save the tasks into the index "under the hood" and to have APIs to manage the saved tasks. This is the first step down that road: it drops the requirement to have permissions to interact with the `.tasks` index when fetching task statuses and when persisting statuses beyond the lifetime of the task. In particular, this moves the concept of the "origin" of an action into a more prominent place in the Elasticsearch server. The origin of an action is ignored by the server, but the security plugin uses the origin to make requests on behalf of a user in such a way that the user need not have permissions to perform these actions. It can be made to be fairly precise. More specifically, we can create an internal user just for the tasks API that just has permission to interact with the `.tasks` index. This change doesn't do that, instead, it uses the ubiquitus "xpack" user which has most permissions because it is simpler. Adding the tasks user is something I'd like to get to in a follow up change. Instead, the majority of this change is about moving the "origin" concept from the security portion of x-pack into the server. This should allow any code to use the origin. To keep the change managable I've also opted to deprecate rather than remove the "origin" helpers in the security code. Removing them is almost entirely mechanical and I'd like to that in a follow up as well. Relates to #35573 2018-11-28 09:28:27 -05:00			`minimal_with_task_user: 'minimal_with_task',`
Build: Convert integ test dsl to new split cluster/runner dsl This is the xpack side of elastic/elasticsearch#23304 Original commit: elastic/x-pack-elasticsearch@8eddd7fb0d5caca252a49662fc91ce5de36b15f5 2017-02-22 03:56:52 -05:00			`readonly_user: 'readonly',`
			`dest_only_user: 'dest_only',`
			`can_not_see_hidden_docs_user: 'can_not_see_hidden_docs',`
			`can_not_see_hidden_fields_user: 'can_not_see_hidden_fields',`
			`].each { String user, String role ->`
			`setupCommand 'setupUser#' + user,`
Rename users This commit renames users to elasticsearch-users. 2018-04-11 11:36:12 -04:00			`'bin/elasticsearch-users', 'useradd', user, '-p', 'x-pack-test-password', '-r', role`
Build: Convert integ test dsl to new split cluster/runner dsl This is the xpack side of elastic/elasticsearch#23304 Original commit: elastic/x-pack-elasticsearch@8eddd7fb0d5caca252a49662fc91ce5de36b15f5 2017-02-22 03:56:52 -05:00			`}`
			`waitCondition = { node, ant ->`
Add build utility to check cluster health over ssl (#40713) By default, in integ tests we wait for the standalone cluster to start by using the ant Get task to retrieve the cluster health endpoint. However the ant task has no facilities for customising the trusted CAs for a https resource, so if the integ test cluster has TLS enabled on the http interface (using a custom CA) we need a separate utility for that purpose. Backport of: #40573 2019-04-04 06:44:03 -04:00			`WaitForHttpResource http = new WaitForHttpResource("https", node.httpUri(), numNodes)`
			`http.setTrustStoreFile(caFile)`
			`http.setTrustStorePassword("password")`
			`http.setUsername("test_admin")`
			`http.setPassword("x-pack-test-password")`
			`return http.wait(5000)`
Add reindex tests to shield Original commit: elastic/x-pack-elasticsearch@fe00f317b3c366fe43a44417dab88ea070ff6dc0 2016-03-08 17:15:40 -05:00			`}`
			`}`