diff --git a/qa/vagrant/src/test/resources/packaging/tests/10_basic.bats b/qa/vagrant/src/test/resources/packaging/tests/10_basic.bats index 3eb919b3666..853ec23d796 100644 --- a/qa/vagrant/src/test/resources/packaging/tests/10_basic.bats +++ b/qa/vagrant/src/test/resources/packaging/tests/10_basic.bats @@ -14,6 +14,7 @@ load $BATS_UTILS/utils.bash load $BATS_UTILS/tar.bash load $BATS_UTILS/plugins.bash +load $BATS_UTILS/xpack.bash setup() { skip_not_tar_gz @@ -36,21 +37,7 @@ setup() { } @test "[X-PACK] verify x-pack installation" { - assert_file "$ESHOME/bin/x-pack" d elasticsearch elasticsearch 755 - assert_file "$ESHOME/bin/x-pack/certgen" f elasticsearch elasticsearch 755 - assert_file "$ESHOME/bin/x-pack/croneval" f elasticsearch elasticsearch 755 - assert_file "$ESHOME/bin/x-pack/extension" f elasticsearch elasticsearch 755 - assert_file "$ESHOME/bin/x-pack/migrate" f elasticsearch elasticsearch 755 - assert_file "$ESHOME/bin/x-pack/setup-passwords" f elasticsearch elasticsearch 755 - assert_file "$ESHOME/bin/x-pack/syskeygen" f elasticsearch elasticsearch 755 - assert_file "$ESHOME/bin/x-pack/users" f elasticsearch elasticsearch 755 - assert_file "$ESHOME/bin/x-pack/x-pack-env" f elasticsearch elasticsearch 755 - assert_file "$ESCONFIG/x-pack" d elasticsearch elasticsearch 750 - assert_file "$ESCONFIG/x-pack/users" f elasticsearch elasticsearch 660 - assert_file "$ESCONFIG/x-pack/users_roles" f elasticsearch elasticsearch 660 - assert_file "$ESCONFIG/x-pack/roles.yml" f elasticsearch elasticsearch 660 - assert_file "$ESCONFIG/x-pack/role_mapping.yml" f elasticsearch elasticsearch 660 - assert_file "$ESCONFIG/x-pack/log4j2.properties" f elasticsearch elasticsearch 660 + verify_xpack_installation } @test "[X-PACK] verify croneval works" { diff --git a/qa/vagrant/src/test/resources/packaging/tests/40_tar_bootstrap_password.bats b/qa/vagrant/src/test/resources/packaging/tests/40_tar_bootstrap_password.bats new file mode 120000 index 00000000000..58a968aa3e1 
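Review bot: `verify_xpack_installation` takes the expected owner from `$ESPLUGIN_COMMAND_USER`, whereas the assertions removed from `[X-PACK] verify x-pack installation` hard-coded `elasticsearch elasticsearch`, and neither 10_basic.bats hunk sets that variable (it may be set outside them). If it is unset here, the helper's unquoted `$user $group` expand to nothing and the remaining `assert_file` arguments shift left, so the owner and mode checks on `users`, `roles.yml` and the keystore presumably stop testing what they claim. I would add `export ESPLUGIN_COMMAND_USER=elasticsearch` near the `load` lines, or have the helper begin with `: "${ESPLUGIN_COMMAND_USER:?}"` and quote both expansions. The keystore.bash hunk that replaces its `assert_file` branch with the same helper has the same dependency.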
--- /dev/null
+++ b/qa/vagrant/src/test/resources/packaging/tests/40_tar_bootstrap_password.bats
@@ -0,0 +1 @@
+bootstrap_password.bash
\ No newline at end of file
diff --git a/qa/vagrant/src/test/resources/packaging/tests/45_package_bootstrap_password.bats b/qa/vagrant/src/test/resources/packaging/tests/45_package_bootstrap_password.bats
new file mode 120000
index 00000000000..58a968aa3e1
--- /dev/null
+++ b/qa/vagrant/src/test/resources/packaging/tests/45_package_bootstrap_password.bats
@@ -0,0 +1 @@
+bootstrap_password.bash
\ No newline at end of file
diff --git a/qa/vagrant/src/test/resources/packaging/tests/50_tar_setup_passwords.bats b/qa/vagrant/src/test/resources/packaging/tests/50_tar_setup_passwords.bats
new file mode 120000
index 00000000000..74d1204b3f9
--- /dev/null
+++ b/qa/vagrant/src/test/resources/packaging/tests/50_tar_setup_passwords.bats
@@ -0,0 +1 @@
+setup_passwords.bash
\ No newline at end of file
diff --git a/qa/vagrant/src/test/resources/packaging/tests/55_package_setup_passwords.bats b/qa/vagrant/src/test/resources/packaging/tests/55_package_setup_passwords.bats
new file mode 120000
index 00000000000..74d1204b3f9
--- /dev/null
+++ b/qa/vagrant/src/test/resources/packaging/tests/55_package_setup_passwords.bats
@@ -0,0 +1 @@
+setup_passwords.bash
\ No newline at end of file
diff --git a/qa/vagrant/src/test/resources/packaging/tests/bootstrap_password.bash b/qa/vagrant/src/test/resources/packaging/tests/bootstrap_password.bash
new file mode 100644
index 00000000000..8b09be48245
--- /dev/null
+++ b/qa/vagrant/src/test/resources/packaging/tests/bootstrap_password.bash
@@ -0,0 +1,101 @@
+#!/usr/bin/env bats
+
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License;
+# you may not use this file except in compliance with the Elastic License.
+
+load $BATS_UTILS/utils.bash
+load $BATS_UTILS/plugins.bash
+load $BATS_UTILS/xpack.bash
+
+setup() {
+ if [ $BATS_TEST_NUMBER == 1 ]; then
+ clean_before_test
+ install
+
+ install_and_check_plugin x pack x-pack-*.jar
+ verify_xpack_installation
+ fi
+}
+
+if [[ "$BATS_TEST_FILENAME" =~ 40_tar_bootstrap_password.bats$ ]]; then
+ load $BATS_UTILS/tar.bash
+ GROUP='TAR BOOTSTRAP PASSWORD'
+ install() {
+ install_archive
+ verify_archive_installation
+ }
+ export ESHOME=/tmp/elasticsearch
+ export_elasticsearch_paths
+ export ESPLUGIN_COMMAND_USER=elasticsearch
+else
+ load $BATS_UTILS/packages.bash
+ if is_rpm; then
+ GROUP='RPM BOOTSTRAP PASSWORD'
+ elif is_dpkg; then
+ GROUP='DEB BOOTSTRAP PASSWORD'
+ fi
+ export_elasticsearch_paths
+ export ESPLUGIN_COMMAND_USER=root
+ install() {
+ install_package
+ verify_package_installation
+ }
+fi
+
+@test "[$GROUP] add bootstrap.password setting" {
+ run sudo -E -u $ESPLUGIN_COMMAND_USER sh <<"NEW_PASS"
+cat /dev/urandom | tr -dc "[a-zA-Z0-9]" | fold -w 20 | head -n 1 > /tmp/bootstrap.password
+cat /tmp/bootstrap.password | $ESHOME/bin/elasticsearch-keystore add --stdin bootstrap.password
+NEW_PASS
+ [ "$status" -eq 0 ] || {
+ echo "Expected elasticsearch-keystore tool exit code to be zero"
+ echo "$output"
+ false
+ }
+}
+
+@test "[$GROUP] test bootstrap.password is in setting list" {
+ run_elasticsearch_service 0
+ wait_for_xpack
+
+ sudo -E -u $ESPLUGIN_COMMAND_USER "$ESHOME/bin/elasticsearch-keystore" list | grep "bootstrap.password"
+
+ password=$(cat /tmp/bootstrap.password)
+ curl -u "elastic:$password" -XGET localhost:9200 | grep "You Know, for Search"
+}
+
+@test "[$GROUP] test auto generated passwords with modified bootstrap.password" {
+ run sudo -E -u $ESPLUGIN_COMMAND_USER sh <<"SETUP_OK"
+echo 'y' | $ESHOME/bin/x-pack/setup-passwords auto
+SETUP_OK
+ echo "$output" > /tmp/setup-passwords-output-with-bootstrap
+ [ "$status" -eq 0 ] || {
+ echo "Expected x-pack setup-passwords tool exit code to be zero"
+ cat /tmp/setup-passwords-output-with-bootstrap
+ false
+ }
+
+ curl -s -XGET localhost:9200 | grep "missing authentication token for REST"
+
+ # Disable bash history expansion because passwords can contain "!"
+ set +H
+
+ users=( elastic kibana logstash_system )
+ for user in "${users[@]}"; do
+ grep "Changed password for user $user" /tmp/setup-passwords-output-with-bootstrap || {
+ echo "Expected x-pack setup-passwords tool to change password for user [$user]:"
+ cat /tmp/setup-passwords-output-with-bootstrap
+ false
+ }
+
+ password=$(grep "PASSWORD $user = " /tmp/setup-passwords-output-with-bootstrap | sed "s/PASSWORD $user = //")
+ curl -u "$user:$password" -XGET localhost:9200 | grep "You Know, for Search"
+
+ basic=$(echo -n "$user:$password" | base64)
+ curl -H "Authorization: Basic $basic" -XGET localhost:9200 | grep "You Know, for Search"
+ done
+ set -H
+
+ stop_elasticsearch_service
+}
diff --git a/qa/vagrant/src/test/resources/packaging/tests/keystore.bash b/qa/vagrant/src/test/resources/packaging/tests/keystore.bash
index ed73cad9d8c..25a2768edb7 100644
--- a/qa/vagrant/src/test/resources/packaging/tests/keystore.bash
+++ b/qa/vagrant/src/test/resources/packaging/tests/keystore.bash
@@ -6,6 +6,7 @@ load $BATS_UTILS/utils.bash load $BATS_UTILS/plugins.bash +load $BATS_UTILS/xpack.bash setup() { if [ $BATS_TEST_NUMBER == 1 ]; then
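Review bot: The new bootstrap_password.bash tests leave credentials in fixed-name files under `/tmp`: the bootstrap password goes to `/tmp/bootstrap.password` under the default umask, and the `setup-passwords auto` output, which holds every generated built-in user password, goes to `/tmp/setup-passwords-output-with-bootstrap`. Neither file is removed, so on a reused or shared test VM they remain readable by any local account; setup_passwords.bash does the same with `/tmp/setup-passwords-output`. Because the later tests need to find the password again, I would keep a known path but tighten it: make `umask 077` the first line of the `NEW_PASS` heredoc, write the tool output with `(umask 077; echo "$output" > /tmp/setup-passwords-output-with-bootstrap)`, and add `rm -f /tmp/bootstrap.password /tmp/setup-passwords-output-with-bootstrap` before `stop_elasticsearch_service`. This assumes the bats runner is root and can still read a file owned by `$ESPLUGIN_COMMAND_USER`; that should be confirmed for the tar case.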
@@ -45,9 +46,5 @@ fi @test "[$GROUP] keystore exists after install" { install_and_check_plugin x pack x-pack-*.jar - if [[ "$BATS_TEST_FILENAME" =~ 20_tar_keystore.bats$ ]]; then - assert_file "$ESCONFIG/elasticsearch.keystore" f elasticsearch elasticsearch 660 - else - assert_file "$ESCONFIG/elasticsearch.keystore" f root elasticsearch 660 - fi + verify_xpack_installation } diff --git a/qa/vagrant/src/test/resources/packaging/tests/setup_passwords.bash b/qa/vagrant/src/test/resources/packaging/tests/setup_passwords.bash new file mode 100644 index 00000000000..49e8d0d9430 --- /dev/null +++ b/qa/vagrant/src/test/resources/packaging/tests/setup_passwords.bash 
@@ -0,0 +1,84 @@
+#!/usr/bin/env bats
+
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License;
+# you may not use this file except in compliance with the Elastic License.
+
+load $BATS_UTILS/utils.bash
+load $BATS_UTILS/plugins.bash
+load $BATS_UTILS/xpack.bash
+
+setup() {
+ if [ $BATS_TEST_NUMBER == 1 ]; then
+ clean_before_test
+ install
+
+ install_and_check_plugin x pack x-pack-*.jar
+ verify_xpack_installation
+ fi
+}
+
+
+if [[ "$BATS_TEST_FILENAME" =~ 50_tar_setup_passwords.bats$ ]]; then
+ load $BATS_UTILS/tar.bash
+ GROUP='TAR SETUP PASSWORD'
+ install() {
+ install_archive
+ verify_archive_installation
+ }
+ export ESHOME=/tmp/elasticsearch
+ export_elasticsearch_paths
+ export ESPLUGIN_COMMAND_USER=elasticsearch
+else
+ load $BATS_UTILS/packages.bash
+ if is_rpm; then
+ GROUP='RPM SETUP PASSWORD'
+ elif is_dpkg; then
+ GROUP='DEB SETUP PASSWORD'
+ fi
+ export_elasticsearch_paths
+ export ESPLUGIN_COMMAND_USER=root
+ install() {
+ install_package
+ verify_package_installation
+ }
+fi
+
+@test "[$GROUP] test auto generated passwords" {
+ run_elasticsearch_service 0
+ wait_for_xpack
+
+ run sudo -E -u $ESPLUGIN_COMMAND_USER sh <<"SETUP_AUTO"
+echo 'y' | $ESHOME/bin/x-pack/setup-passwords auto
+SETUP_AUTO
+ echo "$output" > /tmp/setup-passwords-output
+ [ "$status" -eq 0 ] || {
+ echo "Expected x-pack setup-passwords tool exit code to be zero"
+ cat /tmp/setup-passwords-output
+ false
+ }
+
+ curl -s -XGET localhost:9200 | grep "missing authentication token for REST"
+
+ # Disable bash history expansion because passwords can contain "!"
+ set +H
+
+ users=( elastic kibana logstash_system )
+ for user in "${users[@]}"; do
+ grep "Changed password for user $user" /tmp/setup-passwords-output || {
+ echo "Expected x-pack setup-passwords tool to change password for user [$user]:"
+ cat /tmp/setup-passwords-output
+ false
+ }
+
+ password=$(grep "PASSWORD $user = " /tmp/setup-passwords-output | sed "s/PASSWORD $user = //")
+ curl -u "$user:$password" -XGET localhost:9200 | grep "You Know, for Search"
+
+ basic=$(echo -n "$user:$password" | base64)
+ curl -H "Authorization: Basic $basic" -XGET localhost:9200 | grep "You Know, for Search"
+ done
+ set -H
+
+ stop_elasticsearch_service
+}
+
diff --git a/qa/vagrant/src/test/resources/packaging/utils/xpack.bash b/qa/vagrant/src/test/resources/packaging/utils/xpack.bash
new file mode 100644
index 00000000000..54ee946e48d
--- /dev/null
+++ b/qa/vagrant/src/test/resources/packaging/utils/xpack.bash
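Review bot: The per-user verification loop in setup_passwords.bash's `test auto generated passwords`, from `set +H` to `set -H`, duplicates the loop in bootstrap_password.bash line for line, with only the output file path differing. Since this commit already adds xpack.bash for shared helpers, a function there that takes the output file as `$1` would keep the two authentication checks from drifting apart. Separately, `GROUP` is never assigned when neither `is_rpm` nor `is_dpkg` matches, so the test would be named `[] test auto generated passwords`; a final `else` that fails or skips explicitly would make an unsupported platform visible.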
@@ -0,0 +1,48 @@
+#!/bin/bash
+
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License;
+# you may not use this file except in compliance with the Elastic License.
+
+verify_xpack_installation() {
+ local user="$ESPLUGIN_COMMAND_USER"
+ local group="$ESPLUGIN_COMMAND_USER"
+
+ assert_file "$ESHOME/bin/x-pack" d $user $group 755
+ assert_file "$ESHOME/bin/x-pack/certgen" f $user $group 755
+ assert_file "$ESHOME/bin/x-pack/croneval" f $user $group 755
+ assert_file "$ESHOME/bin/x-pack/extension" f $user $group 755
+ assert_file "$ESHOME/bin/x-pack/migrate" f $user $group 755
+ assert_file "$ESHOME/bin/x-pack/setup-passwords" f $user $group 755
+ assert_file "$ESHOME/bin/x-pack/syskeygen" f $user $group 755
+ assert_file "$ESHOME/bin/x-pack/users" f $user $group 755
+ assert_file "$ESHOME/bin/x-pack/x-pack-env" f $user $group 755
+ assert_number_of_files "$ESHOME/bin/x-pack/" 16
+
+ assert_file "$ESCONFIG/x-pack" d $user elasticsearch 750
+ assert_file "$ESCONFIG/x-pack/users" f $user elasticsearch 660
+ assert_file "$ESCONFIG/x-pack/users_roles" f $user elasticsearch 660
+ assert_file "$ESCONFIG/x-pack/roles.yml" f $user elasticsearch 660
+ assert_file "$ESCONFIG/x-pack/role_mapping.yml" f $user elasticsearch 660
+ assert_file "$ESCONFIG/x-pack/log4j2.properties" f $user elasticsearch 660
+ assert_number_of_files "$ESCONFIG/x-pack" 5
+
+ assert_file "$ESCONFIG/elasticsearch.keystore" f $user elasticsearch 660
+}
+
+assert_number_of_files() {
+ local directory=$1
+ local expected=$2
+
+ local count=$(ls "$directory" | wc -l)
+ [ "$count" -eq "$expected" ] || {
+ echo "Expected $expected files in $directory but found: $count"
+ false
+ }
+}
+
+wait_for_xpack() {
+ for i in {1..30}; do
+ echo "GET / HTTP/1.0" > /dev/tcp/localhost/9200 && break || sleep 1;
+ done
+}
\ No newline at end of file
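Review bot: `wait_for_xpack` in xpack.bash reports success even when port 9200 never opens: after the thirtieth failed attempt the last command run is `sleep 1`, so the function returns 0 and the caller goes on to its `curl` checks against a node that is not up. Changing the loop body to `echo "GET / HTTP/1.0" > /dev/tcp/localhost/9200 && return 0 || sleep 1` and adding `false` after `done` would make a timeout fail the test at the wait itself. The probe only shows that the TCP port accepts a connection, not that x-pack is ready to authenticate requests, which deserves a comment above the function such as `# Waits up to 30s for a TCP listener on localhost:9200; does not check that security is initialised`. The loop variable should also be declared with `local i`.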