[TEST] QA resources should not need vagrant provision (elastic/x-pack-elasticsearch#3851)

For the idp-fixture (OpenLDAP + SAML), we have been generating the CA as part of the provisioning steps for the VM and then adding it to the test resources for the gradle project. This meant that test-resources were dependent on vagrant provision, and as a consequence vagrant would download and provision the box during precommit. A bad thing (TM) This change introduces a pre-generated CA, which is supplied to the VM instead so the tests only depend on fixed resources. (The SAML integration test still uses the generated IdP Metadata file, but it copies it as part integ-test cluster setup, and doesn't treat it as a gradle "test resource") Original commit: elastic/x-pack-elasticsearch@a352bf2a1f
2018-02-08 11:42:25 +11:00 · 2018-02-08 11:42:25 +11:00 · 256ef79cba
parent f15189c9e5
commit 256ef79cba
10 changed files with 91 additions and 50 deletions
--- a/qa/openldap-tests/build.gradle
+++ b/qa/openldap-tests/build.gradle
@ -10,25 +10,17 @@ dependencies {
    testCompile project(path: xpackModule('core'), configuration: 'testArtifacts')
 }

-processTestResources {
-    if (project.rootProject.vagrantSupported) {
-        dependsOn "openLdapFixture"
-    }
-}
-
-sourceSets {
-    test {
-        resources {
-            srcDirs += idpFixtureProject.file("src/main/resources/provision/generated")
-        }
-    }
-}
-
 task openLdapFixture {
    dependsOn "vagrantCheckVersion", "virtualboxCheckVersion", idpFixtureProject.up
 }

+String outputDir = "generated-resources/${project.name}"
+task copyIdpTrust(type: Copy) {
+    from idpFixtureProject.file('src/main/resources/certs/idptrust.jks');
+    into outputDir
+}
 if (project.rootProject.vagrantSupported) {
+  project.sourceSets.test.output.dir(outputDir, builtBy: copyIdpTrust)
  test.dependsOn openLdapFixture
  test.finalizedBy idpFixtureProject.halt
 } else {
@ -39,3 +31,4 @@ namingConventions {
    // integ tests use Tests instead of IT
    skipIntegTestInDisguise = true
 }
+
--- a/qa/openldap-tests/src/test/java/org/elasticsearch/test/OpenLdapTests.java
+++ b/qa/openldap-tests/src/test/java/org/elasticsearch/test/OpenLdapTests.java
@ -53,7 +53,7 @@ public class OpenLdapTests extends ESTestCase {

    public static final String PASSWORD = "NickFuryHeartsES";
    private static final String HAWKEYE_DN = "uid=hawkeye,ou=people,dc=oldap,dc=test,dc=elasticsearch,dc=com";
-    public static final String LDAPTRUST_PATH = "/org/elasticsearch/xpack/security/authc/ldap/support/idptrust.jks";
+    public static final String LDAPTRUST_PATH = "/idptrust.jks";
    private static final SecureString PASSWORD_SECURE_STRING = new SecureString(PASSWORD.toCharArray());

    private boolean useGlobalSSL;
--- a/qa/openldap-tests/src/test/java/org/elasticsearch/xpack/security/authc/ldap/SearchGroupsResolverTests.java
+++ b/qa/openldap-tests/src/test/java/org/elasticsearch/xpack/security/authc/ldap/SearchGroupsResolverTests.java
@ -175,6 +175,6 @@ import static org.hamcrest.Matchers.notNullValue;

    @Override
    protected String trustPath() {
-        return "/org/elasticsearch/xpack/security/authc/ldap/support/idptrust.jks";
+        return "/idptrust.jks";
    }
 }
--- a/qa/saml-idp-tests/build.gradle
+++ b/qa/saml-idp-tests/build.gradle
@ -18,8 +18,7 @@ task idpFixture {

 String outputDir = "generated-resources/${project.name}"
 task copyIdpCertificate(type: Copy) {
-    dependsOn idpFixture
-    from idpFixtureProject.file('src/main/resources/provision/generated/ca_server.pem');
+    from idpFixtureProject.file('src/main/resources/certs/ca.crt');
    into outputDir
 }
 if (project.rootProject.vagrantSupported) {
--- a/qa/saml-idp-tests/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlAuthenticationIT.java
+++ b/qa/saml-idp-tests/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlAuthenticationIT.java
@ -551,7 +551,7 @@ public class SamlAuthenticationIT extends ESRestTestCase {
    }

    private SSLContext getClientSslContext() throws Exception {
-        final Path pem = getDataPath("/ca_server.pem");
+        final Path pem = getDataPath("/ca.crt");
        final Certificate[] certificates = CertUtils.readCertificates(Collections.singletonList(pem));
        final X509ExtendedTrustManager trustManager = CertUtils.trustManager(certificates);
        SSLContext context = SSLContext.getInstance("TLS");
--- a/test/idp-fixture/src/main/resources/certs/README.txt
+++ b/test/idp-fixture/src/main/resources/certs/README.txt
@ -0,0 +1,15 @@
+File in this directory are:
+
+idp-ca.crt
+idp-ca.key
+    Description: A CA for the IdP
+    Generated Date: 2018-02-07
+    Command: bin/x-pack/certutil ca --ca-dn 'CN=idp-fixture,OU=elasticsearch,DC=elastic,DC=co' --days 5000 -keysize 1024 --out idp-ca.zip --pem
+    X-Pack Version: 6.2.0
+
+idptrust.jks
+    Description: Java Keystore Format of CA cert
+    Generated Date: 2018-02-07
+    Command: keytool -importcert -file ca.crt -alias idp-fixture-ca  -keystore idptrust.jks -noprompt -storepass changeit
+    Java Version: Java(TM) SE Runtime Environment (build 9.0.1+11)
+    
--- a/test/idp-fixture/src/main/resources/certs/ca.crt
+++ b/test/idp-fixture/src/main/resources/certs/ca.crt
@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDEDCCAnmgAwIBAgIVAOLlDV8Lvg17LwKqchYKcsog1SyKMA0GCSqGSIb3DQEB
+CwUAMFsxEjAQBgoJkiaJk/IsZAEZFgJjbzEXMBUGCgmSJomT8ixkARkWB2VsYXN0
+aWMxFjAUBgNVBAsTDWVsYXN0aWNzZWFyY2gxFDASBgNVBAMTC2lkcC1maXh0dXJl
+MB4XDTE4MDIwNzAzMjAwNloXDTMxMTAxNzAzMjAwNlowWzESMBAGCgmSJomT8ixk
+ARkWAmNvMRcwFQYKCZImiZPyLGQBGRYHZWxhc3RpYzEWMBQGA1UECxMNZWxhc3Rp
+Y3NlYXJjaDEUMBIGA1UEAxMLaWRwLWZpeHR1cmUwgZ8wDQYJKoZIhvcNAQEBBQAD
+gY0AMIGJAoGBALWf8R7uGnrrmuQ26khwQ/81f+x57RgE1cHQGp0sBkwsijzZPpuU
+8ZkqYMNXG/LU2hNfAv4LeCsighgo4Le+TkBKncbucQcNM+dLINvhAfgYp9QAdGjk
+89hxWEQ6p/Tr98TG0Qd7jZa6bu8azMf7+bmjKpHaffIMpxDnkPZsaxodAgMBAAGj
+gc8wgcwwHQYDVR0OBBYEFDsd63fpzLH1G+aduhypBPctWuNNMIGZBgNVHSMEgZEw
+gY6AFDsd63fpzLH1G+aduhypBPctWuNNoV+kXTBbMRQwEgYDVQQDEwtpZHAtZml4
+dHVyZTEWMBQGA1UECxMNZWxhc3RpY3NlYXJjaDEXMBUGCgmSJomT8ixkARkWB2Vs
+YXN0aWMxEjAQBgoJkiaJk/IsZAEZFgJjb4IVAOLlDV8Lvg17LwKqchYKcsog1SyK
+MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADgYEAi1bfK31u7deMDLXv
+Axrg1nJjEzMjkb6F/tqA2hJCokvWz2sdKPLHfrfOu2edHm4qQABAdnmRtE/1xsYm
+xVuZA+O7khEkXv5ql65HIgCHL0hEvFWfKzMDCjgm+1rvNTMbgsRj2RGzEQeu/Aqg
+Nv2mnc0Vjk3kaAQ0JtmCI8k6fM0=
+-----END CERTIFICATE-----
--- a/test/idp-fixture/src/main/resources/certs/ca.key
+++ b/test/idp-fixture/src/main/resources/certs/ca.key
@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQC1n/Ee7hp665rkNupIcEP/NX/see0YBNXB0BqdLAZMLIo82T6b
+lPGZKmDDVxvy1NoTXwL+C3grIoIYKOC3vk5ASp3G7nEHDTPnSyDb4QH4GKfUAHRo
+5PPYcVhEOqf06/fExtEHe42Wum7vGszH+/m5oyqR2n3yDKcQ55D2bGsaHQIDAQAB
+AoGACfOsm5xCWS/ludGEftmf8DD3RHbd1e4V5FvJyYjrA2uBW5ovwwijQFhBGxL/
+1gtxs5QGLvNj70Ehzb8XqRnFYcrSUxkABCcO9vJf8wuamtPeaQzlSVSVM9myjkBu
+2EhegkFXSgFiVX6A/sxm8e8bqxxouz46Upa2/YLKhcb5oiECQQDb3HhP0hIx0oDj
+h1FXLACtbTlYUg8gGylD17RsWSPB765tOTt65/KztyH8BmdlTAKxIC5BHEQLYiug
+u3KwPEk5AkEA03qFxj/quoH6l0y7i8kah97KCtiM0kg4oXYDuSDIzt4NqdNw/UWx
+p3DGiIPpY5errR1ytyPiiuM2j+c5oUcMBQJAfC4SZkMos6tJ0Tlk3++iklHWyePP
+VzsAG6mB5pCSeb9+rYJd7hWEJ62QLGERlU1RV+ntNilY5XUVXzuAk7n5QQJBANLg
+31q0S9WVXRPYUT/v1kPcVi6Ah9P8bnQa4VWOqo8WABvzmz0DbUahf2eL2oQULv3e
+WpDi+Lk0HylaEi6PUR0CQQDHTzjyjuTLmnPw5AvZw7oQgilZxTUhOapw3Ihcq/KA
+T8oFnLwmnMs+kZOO6e2QcagXaFXufH1w/MvxhSjHj8SO
+-----END RSA PRIVATE KEY-----
--- a/test/idp-fixture/src/main/resources/certs/idptrust.jks
+++ b/test/idp-fixture/src/main/resources/certs/idptrust.jks
--- a/test/idp-fixture/src/main/resources/provision/roles/certs/tasks/main.yml
+++ b/test/idp-fixture/src/main/resources/provision/roles/certs/tasks/main.yml
@ -16,12 +16,6 @@
    group: ssl-cert
    mode: 0777

- name: Copy CA cert template
-  copy:
-    src: ca_server.conf
-    dest: "{{ ssl_dir_templates }}/ca_server.conf"
-    mode: 0666
-
 - name: Copy server cert template
  template:
    src: cert_server.conf.j2
@ -34,32 +28,18 @@
    dest: "{{ ssl_dir_templates }}/keystore_server.conf"
    mode: 0666

- name: Create CA Key
-  command: "certtool -p --outfile {{ ssl_dir_private }}/ca_server.key"
-  args:
-    creates: "{{ ssl_dir_private }}/ca_server.key"
+- name: Copy CA Cert
+  copy:
+    src: "../certs/ca.crt"
+    dest: "{{ ssl_dir_certs }}/ca_server.pem"
+    mode: 0666
+  register: copy_ca

- name: Create CA Cert
-  command: "certtool -s --load-privkey {{ ssl_dir_private }}/ca_server.key --template {{ ssl_dir_templates }}/ca_server.conf --outfile {{ ssl_dir_certs }}/ca_server.pem"
-  args:
-    creates: "{{ ssl_dir_certs }}/ca_server.pem"
-
- name: Fetch CA Cert
-  fetch:
-    src: "{{ ssl_dir_certs }}/ca_server.pem"
-    dest: "generated/"
-    flat: yes
-
- name: Create CA JKS trust
-  command: "keytool -importcert -file {{ ssl_dir_certs }}/ca_server.pem -alias generated_ca_cert -keystore {{ ssl_dir_certs }}/idptrust.jks -noprompt -storepass changeit"
-  args:
-    creates: "{{ ssl_dir_certs }}/idptrust.jks"
-
- name: Fetch CA JKS trust
-  fetch:
-    src: "{{ ssl_dir_certs }}/idptrust.jks"
-    dest: "generated/org/elasticsearch/xpack/security/authc/ldap/support/"
-    flat: yes
+- name: Copy CA Key
+  copy:
+    src: "../certs/ca.key"
+    dest: "{{ ssl_dir_private }}/ca_server.key"
+    mode: 0600

 - name: Create Key for LDAP Service
  command: "certtool -p --sec-param high --outfile {{ ssl_dir_private }}/{{ openldap_key_name }}"
@ -72,6 +52,12 @@
    group: ssl-cert
    mode: 0640

+- name: Delete old LDAP cert
+  file:
+    path: "{{ ssl_dir_certs }}/{{ openldap_cert_name}}"
+    state: absent
+  when: copy_ca.changed
+
 - name: Create Cert for LDAP
  command: "certtool -c --load-privkey {{ ssl_dir_private }}/{{ openldap_key_name }} --load-ca-certificate {{ ssl_dir_certs }}/ca_server.pem --load-ca-privkey {{ ssl_dir_private }}/ca_server.key --template {{ ssl_dir_templates }}/cert_server.conf --outfile {{ ssl_dir_certs }}/{{ openldap_cert_name}}"
  args:
@ -88,15 +74,29 @@
    group: ssl-cert
    mode: 0640

+- name: Delete old Tomcat cert
+  file:
+    path: "{{ ssl_dir_certs }}/{{ tomcat_cert_name }}"
+    state: absent
+  when: copy_ca.changed
+
 - name: Create Cert for Tomcat
  command: "certtool -c --load-privkey {{ ssl_dir_private }}/{{ tomcat_key_name }} --load-ca-certificate {{ ssl_dir_certs }}/ca_server.pem --load-ca-privkey {{ ssl_dir_private }}/ca_server.key --template {{ ssl_dir_templates }}/cert_server.conf --outfile {{ ssl_dir_certs }}/{{ tomcat_cert_name}}"
  args:
    creates: "{{ ssl_dir_certs }}/{{ tomcat_cert_name}}"
+  register: tomcat_cert
+
+- name: Delete old Tomcat Keystore
+  file:
+    path: "{{ ssl_dir_private }}/{{ tomcat_keystore_name }}"
+    state: absent
+  when: tomcat_cert.changed

 - name: Create Keystore for Tomcat
  command: "certtool --load-ca-certificate {{ ssl_dir_certs }}/ca_server.pem --load-privkey {{ ssl_dir_private }}/{{ tomcat_key_name }} --load-certificate {{ ssl_dir_certs }}/{{ tomcat_cert_name }} --template {{ ssl_dir_templates }}/keystore_server.conf --outder --to-p12 --outfile {{ ssl_dir_private }}/{{ tomcat_keystore_name }}"
  args:
    creates: "{{ ssl_dir_private }}/{{ tomcat_keystore_name }}"
+  notify: Restart Tomcat Service

 - name: Set group for Tomcat Keystore
  file: