[TEST] QA resources should not need vagrant provision (elastic/x-pack-elasticsearch#3851)

For the idp-fixture (OpenLDAP + SAML), we have been generating the CA as part of the provisioning steps for the VM and then adding it to the test resources for the gradle project.

This meant that test-resources were dependent on vagrant provision, and as a consequence vagrant would download and provision the box during precommit. A bad thing (TM)

This change introduces a pre-generated CA, which is supplied to the VM instead so the tests only depend on fixed resources.
(The SAML integration test still uses the generated IdP Metadata file, but it copies it as part of the integ-test cluster setup, and doesn't treat it as a gradle "test resource")

Original commit: elastic/x-pack-elasticsearch@a352bf2a1f
This commit is contained in:
Tim Vernum 2018-02-08 11:42:25 +11:00 committed by GitHub
parent f15189c9e5
commit 256ef79cba
10 changed files with 91 additions and 50 deletions


@ -10,25 +10,17 @@ dependencies {
testCompile project(path: xpackModule('core'), configuration: 'testArtifacts') testCompile project(path: xpackModule('core'), configuration: 'testArtifacts')
} }
processTestResources {
if (project.rootProject.vagrantSupported) {
dependsOn "openLdapFixture"
}
}
sourceSets {
test {
resources {
srcDirs += idpFixtureProject.file("src/main/resources/provision/generated")
}
}
}
task openLdapFixture { task openLdapFixture {
dependsOn "vagrantCheckVersion", "virtualboxCheckVersion", idpFixtureProject.up dependsOn "vagrantCheckVersion", "virtualboxCheckVersion", idpFixtureProject.up
} }
String outputDir = "generated-resources/${project.name}"
task copyIdpTrust(type: Copy) {
from idpFixtureProject.file('src/main/resources/certs/idptrust.jks');
into outputDir
}
if (project.rootProject.vagrantSupported) { if (project.rootProject.vagrantSupported) {
project.sourceSets.test.output.dir(outputDir, builtBy: copyIdpTrust)
test.dependsOn openLdapFixture test.dependsOn openLdapFixture
test.finalizedBy idpFixtureProject.halt test.finalizedBy idpFixtureProject.halt
} else { } else {
@ -39,3 +31,4 @@ namingConventions {
// integ tests use Tests instead of IT // integ tests use Tests instead of IT
skipIntegTestInDisguise = true skipIntegTestInDisguise = true
} }
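Review bot: The added `project.sourceSets.test.output.dir(outputDir, builtBy: copyIdpTrust)` sits inside the `if (project.rootProject.vagrantSupported)` branch even though `copyIdpTrust` now copies a checked-in `idptrust.jks` and no longer depends on the fixture, so the trust store is only on the test classpath when vagrant is available. If the `else` branch (outside the hunk) still compiles or runs the tests, hoisting that one line above the `if` keeps the classpath identical in both modes, which is the stated aim of the change. The new `from idpFixtureProject.file('src/main/resources/certs/idptrust.jks');` also carries a trailing semicolon that the surrounding statements omit. The if/else block continues past the end of the hunk.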


@ -53,7 +53,7 @@ public class OpenLdapTests extends ESTestCase {
public static final String PASSWORD = "NickFuryHeartsES"; public static final String PASSWORD = "NickFuryHeartsES";
private static final String HAWKEYE_DN = "uid=hawkeye,ou=people,dc=oldap,dc=test,dc=elasticsearch,dc=com"; private static final String HAWKEYE_DN = "uid=hawkeye,ou=people,dc=oldap,dc=test,dc=elasticsearch,dc=com";
public static final String LDAPTRUST_PATH = "/org/elasticsearch/xpack/security/authc/ldap/support/idptrust.jks"; public static final String LDAPTRUST_PATH = "/idptrust.jks";
private static final SecureString PASSWORD_SECURE_STRING = new SecureString(PASSWORD.toCharArray()); private static final SecureString PASSWORD_SECURE_STRING = new SecureString(PASSWORD.toCharArray());
private boolean useGlobalSSL; private boolean useGlobalSSL;
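Review bot: `LDAPTRUST_PATH = "/idptrust.jks"` now names a classpath-root resource that exists only because the build's `copyIdpTrust` task copies the keystore from the idp-fixture project into the test output directory, and nothing in the Java source says so; a one-line comment would save the next reader a search, e.g. `// Copied into the test output by the copyIdpTrust task in build.gradle; not a checked-in test resource`. The same literal `"/idptrust.jks"` is repeated in the `trustPath()` override in the following file section, so if `OpenLdapTests` is visible there, returning `OpenLdapTests.LDAPTRUST_PATH` would keep the two from drifting apart.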


@ -175,6 +175,6 @@ import static org.hamcrest.Matchers.notNullValue;
@Override @Override
protected String trustPath() { protected String trustPath() {
return "/org/elasticsearch/xpack/security/authc/ldap/support/idptrust.jks"; return "/idptrust.jks";
} }
} }


@ -18,8 +18,7 @@ task idpFixture {
String outputDir = "generated-resources/${project.name}" String outputDir = "generated-resources/${project.name}"
task copyIdpCertificate(type: Copy) { task copyIdpCertificate(type: Copy) {
dependsOn idpFixture from idpFixtureProject.file('src/main/resources/certs/ca.crt');
from idpFixtureProject.file('src/main/resources/provision/generated/ca_server.pem');
into outputDir into outputDir
} }
if (project.rootProject.vagrantSupported) { if (project.rootProject.vagrantSupported) {
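Review bot: `from idpFixtureProject.file('src/main/resources/certs/ca.crt');` expects the file to be named `ca.crt`, but the README added in this commit lists the directory contents as `idp-ca.crt` and `idp-ca.key` while its own keytool command reads `-file ca.crt`; if that README describes the same certs directory, its file list should be corrected to `ca.crt` / `ca.key` so it matches this task and the ansible `src: "../certs/ca.crt"` copy. The trailing semicolon on the `from` line is also out of step with the other Gradle statements in this file. The enclosing `if` block continues outside the hunk.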


@ -551,7 +551,7 @@ public class SamlAuthenticationIT extends ESRestTestCase {
} }
private SSLContext getClientSslContext() throws Exception { private SSLContext getClientSslContext() throws Exception {
final Path pem = getDataPath("/ca_server.pem"); final Path pem = getDataPath("/ca.crt");
final Certificate[] certificates = CertUtils.readCertificates(Collections.singletonList(pem)); final Certificate[] certificates = CertUtils.readCertificates(Collections.singletonList(pem));
final X509ExtendedTrustManager trustManager = CertUtils.trustManager(certificates); final X509ExtendedTrustManager trustManager = CertUtils.trustManager(certificates);
SSLContext context = SSLContext.getInstance("TLS"); SSLContext context = SSLContext.getInstance("TLS");


@ -0,0 +1,15 @@
File in this directory are:
idp-ca.crt
idp-ca.key
Description: A CA for the IdP
Generated Date: 2018-02-07
Command: bin/x-pack/certutil ca --ca-dn 'CN=idp-fixture,OU=elasticsearch,DC=elastic,DC=co' --days 5000 -keysize 1024 --out idp-ca.zip --pem
X-Pack Version: 6.2.0
idptrust.jks
Description: Java Keystore Format of CA cert
Generated Date: 2018-02-07
Command: keytool -importcert -file ca.crt -alias idp-fixture-ca -keystore idptrust.jks -noprompt -storepass changeit
Java Version: Java(TM) SE Runtime Environment (build 9.0.1+11)


@ -0,0 +1,19 @@
-----BEGIN CERTIFICATE-----
MIIDEDCCAnmgAwIBAgIVAOLlDV8Lvg17LwKqchYKcsog1SyKMA0GCSqGSIb3DQEB
CwUAMFsxEjAQBgoJkiaJk/IsZAEZFgJjbzEXMBUGCgmSJomT8ixkARkWB2VsYXN0
aWMxFjAUBgNVBAsTDWVsYXN0aWNzZWFyY2gxFDASBgNVBAMTC2lkcC1maXh0dXJl
MB4XDTE4MDIwNzAzMjAwNloXDTMxMTAxNzAzMjAwNlowWzESMBAGCgmSJomT8ixk
ARkWAmNvMRcwFQYKCZImiZPyLGQBGRYHZWxhc3RpYzEWMBQGA1UECxMNZWxhc3Rp
Y3NlYXJjaDEUMBIGA1UEAxMLaWRwLWZpeHR1cmUwgZ8wDQYJKoZIhvcNAQEBBQAD
gY0AMIGJAoGBALWf8R7uGnrrmuQ26khwQ/81f+x57RgE1cHQGp0sBkwsijzZPpuU
8ZkqYMNXG/LU2hNfAv4LeCsighgo4Le+TkBKncbucQcNM+dLINvhAfgYp9QAdGjk
89hxWEQ6p/Tr98TG0Qd7jZa6bu8azMf7+bmjKpHaffIMpxDnkPZsaxodAgMBAAGj
gc8wgcwwHQYDVR0OBBYEFDsd63fpzLH1G+aduhypBPctWuNNMIGZBgNVHSMEgZEw
gY6AFDsd63fpzLH1G+aduhypBPctWuNNoV+kXTBbMRQwEgYDVQQDEwtpZHAtZml4
dHVyZTEWMBQGA1UECxMNZWxhc3RpY3NlYXJjaDEXMBUGCgmSJomT8ixkARkWB2Vs
YXN0aWMxEjAQBgoJkiaJk/IsZAEZFgJjb4IVAOLlDV8Lvg17LwKqchYKcsog1SyK
MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADgYEAi1bfK31u7deMDLXv
Axrg1nJjEzMjkb6F/tqA2hJCokvWz2sdKPLHfrfOu2edHm4qQABAdnmRtE/1xsYm
xVuZA+O7khEkXv5ql65HIgCHL0hEvFWfKzMDCjgm+1rvNTMbgsRj2RGzEQeu/Aqg
Nv2mnc0Vjk3kaAQ0JtmCI8k6fM0=
-----END CERTIFICATE-----
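Review bot: This committed CA is a 1024-bit RSA key (the README's certutil command passes `-keysize 1024`, and the SubjectPublicKeyInfo in the PEM is the 1024-bit form), which sits at the floor of what the JDK's default `jdk.certpath.disabledAlgorithms` / `jdk.tls.disabledAlgorithms` settings still accept; a future tightening of those defaults would make every fixture TLS handshake fail at once. Now that the CA is a fixed resource rather than something vagrant regenerates on each provision, re-issuing it with a 2048-bit key is a cheap one-off. The validity period decodes to 2018-02-07 through 2031-10-17 (the 5000 days requested), which is worth recording in the README next to the generation date so the expiry is not a surprise.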


@ -0,0 +1,15 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
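Review bot: The CA private key is now checked into the repository in plaintext, which follows from the commit's goal of fixed test resources but means anyone with read access to the source can issue certificates that `idptrust.jks` and the `ca.crt` loaded by `SamlAuthenticationIT` will trust. The README should state that this CA is for the test fixture only and must never be imported into a real trust store, and the key should be added to whatever secret-scanning allow-list the project uses so it is not flagged on every scan. The ansible change installs the copied key with `mode: 0600`, which is the right permission for it.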



@ -16,12 +16,6 @@
group: ssl-cert group: ssl-cert
mode: 0777 mode: 0777
- name: Copy CA cert template
copy:
src: ca_server.conf
dest: "{{ ssl_dir_templates }}/ca_server.conf"
mode: 0666
- name: Copy server cert template - name: Copy server cert template
template: template:
src: cert_server.conf.j2 src: cert_server.conf.j2
@ -34,32 +28,18 @@
dest: "{{ ssl_dir_templates }}/keystore_server.conf" dest: "{{ ssl_dir_templates }}/keystore_server.conf"
mode: 0666 mode: 0666
- name: Create CA Key - name: Copy CA Cert
command: "certtool -p --outfile {{ ssl_dir_private }}/ca_server.key" copy:
args: src: "../certs/ca.crt"
creates: "{{ ssl_dir_private }}/ca_server.key" dest: "{{ ssl_dir_certs }}/ca_server.pem"
mode: 0666
register: copy_ca
- name: Create CA Cert - name: Copy CA Key
command: "certtool -s --load-privkey {{ ssl_dir_private }}/ca_server.key --template {{ ssl_dir_templates }}/ca_server.conf --outfile {{ ssl_dir_certs }}/ca_server.pem" copy:
args: src: "../certs/ca.key"
creates: "{{ ssl_dir_certs }}/ca_server.pem" dest: "{{ ssl_dir_private }}/ca_server.key"
mode: 0600
- name: Fetch CA Cert
fetch:
src: "{{ ssl_dir_certs }}/ca_server.pem"
dest: "generated/"
flat: yes
- name: Create CA JKS trust
command: "keytool -importcert -file {{ ssl_dir_certs }}/ca_server.pem -alias generated_ca_cert -keystore {{ ssl_dir_certs }}/idptrust.jks -noprompt -storepass changeit"
args:
creates: "{{ ssl_dir_certs }}/idptrust.jks"
- name: Fetch CA JKS trust
fetch:
src: "{{ ssl_dir_certs }}/idptrust.jks"
dest: "generated/org/elasticsearch/xpack/security/authc/ldap/support/"
flat: yes
- name: Create Key for LDAP Service - name: Create Key for LDAP Service
command: "certtool -p --sec-param high --outfile {{ ssl_dir_private }}/{{ openldap_key_name }}" command: "certtool -p --sec-param high --outfile {{ ssl_dir_private }}/{{ openldap_key_name }}"
@ -72,6 +52,12 @@
group: ssl-cert group: ssl-cert
mode: 0640 mode: 0640
- name: Delete old LDAP cert
file:
path: "{{ ssl_dir_certs }}/{{ openldap_cert_name}}"
state: absent
when: copy_ca.changed
- name: Create Cert for LDAP - name: Create Cert for LDAP
command: "certtool -c --load-privkey {{ ssl_dir_private }}/{{ openldap_key_name }} --load-ca-certificate {{ ssl_dir_certs }}/ca_server.pem --load-ca-privkey {{ ssl_dir_private }}/ca_server.key --template {{ ssl_dir_templates }}/cert_server.conf --outfile {{ ssl_dir_certs }}/{{ openldap_cert_name}}" command: "certtool -c --load-privkey {{ ssl_dir_private }}/{{ openldap_key_name }} --load-ca-certificate {{ ssl_dir_certs }}/ca_server.pem --load-ca-privkey {{ ssl_dir_private }}/ca_server.key --template {{ ssl_dir_templates }}/cert_server.conf --outfile {{ ssl_dir_certs }}/{{ openldap_cert_name}}"
args: args:
@ -88,15 +74,29 @@
group: ssl-cert group: ssl-cert
mode: 0640 mode: 0640
- name: Delete old Tomcat cert
file:
path: "{{ ssl_dir_certs }}/{{ tomcat_cert_name }}"
state: absent
when: copy_ca.changed
- name: Create Cert for Tomcat - name: Create Cert for Tomcat
command: "certtool -c --load-privkey {{ ssl_dir_private }}/{{ tomcat_key_name }} --load-ca-certificate {{ ssl_dir_certs }}/ca_server.pem --load-ca-privkey {{ ssl_dir_private }}/ca_server.key --template {{ ssl_dir_templates }}/cert_server.conf --outfile {{ ssl_dir_certs }}/{{ tomcat_cert_name}}" command: "certtool -c --load-privkey {{ ssl_dir_private }}/{{ tomcat_key_name }} --load-ca-certificate {{ ssl_dir_certs }}/ca_server.pem --load-ca-privkey {{ ssl_dir_private }}/ca_server.key --template {{ ssl_dir_templates }}/cert_server.conf --outfile {{ ssl_dir_certs }}/{{ tomcat_cert_name}}"
args: args:
creates: "{{ ssl_dir_certs }}/{{ tomcat_cert_name}}" creates: "{{ ssl_dir_certs }}/{{ tomcat_cert_name}}"
register: tomcat_cert
- name: Delete old Tomcat Keystore
file:
path: "{{ ssl_dir_private }}/{{ tomcat_keystore_name }}"
state: absent
when: tomcat_cert.changed
- name: Create Keystore for Tomcat - name: Create Keystore for Tomcat
command: "certtool --load-ca-certificate {{ ssl_dir_certs }}/ca_server.pem --load-privkey {{ ssl_dir_private }}/{{ tomcat_key_name }} --load-certificate {{ ssl_dir_certs }}/{{ tomcat_cert_name }} --template {{ ssl_dir_templates }}/keystore_server.conf --outder --to-p12 --outfile {{ ssl_dir_private }}/{{ tomcat_keystore_name }}" command: "certtool --load-ca-certificate {{ ssl_dir_certs }}/ca_server.pem --load-privkey {{ ssl_dir_private }}/{{ tomcat_key_name }} --load-certificate {{ ssl_dir_certs }}/{{ tomcat_cert_name }} --template {{ ssl_dir_templates }}/keystore_server.conf --outder --to-p12 --outfile {{ ssl_dir_private }}/{{ tomcat_keystore_name }}"
args: args:
creates: "{{ ssl_dir_private }}/{{ tomcat_keystore_name }}" creates: "{{ ssl_dir_private }}/{{ tomcat_keystore_name }}"
notify: Restart Tomcat Service
- name: Set group for Tomcat Keystore - name: Set group for Tomcat Keystore
file: file: