OpenSearch/x-pack/plugin/sql/qa/jdbc/security/with-ssl/build.gradle

import org.elasticsearch.gradle.LoggedExec
import org.elasticsearch.gradle.network.SanEvaluator
import org.elasticsearch.gradle.info.BuildParams
import org.gradle.internal.jvm.Jvm

// Tell the tests we're running with ssl enabled
integTest.runner {
    systemProperty 'tests.ssl.enabled', 'true'
}

// needed to be consistent with ssl host checking
Object san = new SanEvaluator()

// needed to be consistent with ssl host checking
String host = InetAddress.getLoopbackAddress().getHostAddress();

// location of generated keystores and certificates
File keystoreDir = new File(project.buildDir, 'keystore')

// Generate the node's keystore
File nodeKeystore = file("$keystoreDir/test-node.jks")
tasks.register("createNodeKeyStore", LoggedExec) {
    doFirst {
        if (nodeKeystore.parentFile.exists() == false) {
            nodeKeystore.parentFile.mkdirs()
        }
        if (nodeKeystore.exists()) {
            delete nodeKeystore
        }
    }
    executable = "${Jvm.current().javaHome}/bin/keytool"
    standardInput = new ByteArrayInputStream('FirstName LastName\nUnit\nOrganization\nCity\nState\nNL\nyes\n\n'.getBytes('UTF-8'))
    args '-genkey',
            '-alias', 'test-node',
            '-keystore', nodeKeystore,
            '-keyalg', 'RSA',
            '-keysize', '2048',
            '-validity', '712',
            '-dname', 'CN=' + host,
            '-keypass', 'keypass',
            '-storepass', 'keypass',
            '-ext', san.toString()
}

// Generate the client's keystore
File clientKeyStore = file("$keystoreDir/test-client.jks")
tasks.register("createClientKeyStore", LoggedExec) {
    doFirst {
        if (clientKeyStore.parentFile.exists() == false) {
            clientKeyStore.parentFile.mkdirs()
        }
        if (clientKeyStore.exists()) {
            delete clientKeyStore
        }
    }
    executable = "${BuildParams.runtimeJavaHome}/bin/keytool"
    standardInput = new ByteArrayInputStream('FirstName LastName\nUnit\nOrganization\nCity\nState\nNL\nyes\n\n'.getBytes('UTF-8'))
    args '-genkey',
            '-alias', 'test-client',
            '-keystore', clientKeyStore,
            '-keyalg', 'RSA',
            '-keysize', '2048',
            '-validity', '712',
            '-dname', 'CN=' + host,
            '-keypass', 'keypass',
            '-storepass', 'keypass',
            '-ext', san.toString()
}

// Export the node's certificate
File nodeCertificate = file("$keystoreDir/test-node.cert")
tasks.register("exportNodeCertificate", LoggedExec) {
    dependsOn "createNodeKeyStore"
    doFirst {
        if (nodeCertificate.parentFile.exists() == false) {
            nodeCertificate.parentFile.mkdirs()
        }
        if (nodeCertificate.exists()) {
            delete nodeCertificate
        }
    }
    executable = "${BuildParams.runtimeJavaHome}/bin/keytool"
    args '-export',
            '-alias', 'test-node',
            '-keystore', nodeKeystore,
            '-storepass', 'keypass',
            '-file', nodeCertificate
}

// Import the node certificate in the client's keystore
tasks.register("importNodeCertificateInClientKeyStore", LoggedExec) {
    dependsOn "createClientKeyStore", "exportNodeCertificate"
    executable = "${BuildParams.runtimeJavaHome}/bin/keytool"
    args '-import',
            '-alias', 'test-node',
            '-keystore', clientKeyStore,
            '-storepass', 'keypass',
            '-file', nodeCertificate,
            '-noprompt'
}

// Export the client's certificate
File clientCertificate = file("$keystoreDir/test-client.cert")
tasks.register("exportClientCertificate", LoggedExec) {
    dependsOn "createClientKeyStore"
    doFirst {
        if (clientCertificate.parentFile.exists() == false) {
            clientCertificate.parentFile.mkdirs()
        }
        if (clientCertificate.exists()) {
            delete clientCertificate
        }
    }
    executable = "${BuildParams.runtimeJavaHome}/bin/keytool"
    args '-export',
            '-alias', 'test-client',
            '-keystore', clientKeyStore,
            '-storepass', 'keypass',
            '-file', clientCertificate
}

// Import the client certificate in the node's keystore
tasks.register("importClientCertificateInNodeKeyStore", LoggedExec) {
    dependsOn "createNodeKeyStore", "exportClientCertificate"
    executable = "${BuildParams.runtimeJavaHome}/bin/keytool"
    args '-import',
            '-alias', 'test-client',
            '-keystore', nodeKeystore,
            '-storepass', 'keypass',
            '-file', clientCertificate,
            '-noprompt'
}

forbiddenPatterns {
    exclude '**/*.cert'
}

// Add keystores to test classpath: it expects it there
sourceSets.test.resources.srcDir(keystoreDir)
processTestResources.dependsOn("importNodeCertificateInClientKeyStore", "importClientCertificateInNodeKeyStore")

integTest.runner {
    dependsOn("importClientCertificateInNodeKeyStore")
    onlyIf {
        // Do not attempt to form a cluster in a FIPS JVM, as doing so with a JKS keystore will fail.
        // TODO Revisit this when SQL CLI client can handle key/certificate instead of only Keystores.
        // https://github.com/elastic/elasticsearch/issues/32306
        BuildParams.inFipsJvm == false
    }
}

testClusters.integTest {
    // The setup that we actually want
    setting 'xpack.license.self_generated.type', 'trial'
    setting 'xpack.security.http.ssl.enabled', 'true'
    setting 'xpack.security.transport.ssl.enabled', 'true'

    // ceremony to set up ssl
    setting 'xpack.security.transport.ssl.keystore.path', 'test-node.jks'
    setting 'xpack.security.http.ssl.keystore.path', 'test-node.jks'
    keystore 'xpack.security.transport.ssl.keystore.secure_password', 'keypass'
    keystore 'xpack.security.http.ssl.keystore.secure_password', 'keypass'


    // copy keystores into config/
    extraConfigFile nodeKeystore.name, nodeKeystore
    extraConfigFile clientKeyStore.name, clientKeyStore
}