[TESTS] Fix SSLTrustRestriction IntegrationTest

- Changes the reloading test to always trust the "trusted" cert so that the health-ping works
- Adds some more logging in case we get new failures

Original commit: elastic/x-pack-elasticsearch@993bf9c721
This commit is contained in:
Tim Vernum 2017-07-14 13:08:29 +10:00
parent 6d04eacdec
commit 44a104cb26
1 changed files with 10 additions and 19 deletions


@ -28,6 +28,7 @@ import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.env.Environment; import org.elasticsearch.env.Environment;
import org.elasticsearch.test.ESIntegTestCase; import org.elasticsearch.test.ESIntegTestCase;
import org.elasticsearch.test.SecurityIntegTestCase; import org.elasticsearch.test.SecurityIntegTestCase;
import org.elasticsearch.test.junit.annotations.TestLogging;
import org.elasticsearch.transport.Transport; import org.elasticsearch.transport.Transport;
import org.junit.AfterClass; import org.junit.AfterClass;
import org.junit.Before; import org.junit.Before;
@ -42,6 +43,7 @@ import static org.hamcrest.Matchers.is;
* @see RestrictedTrustManager * @see RestrictedTrustManager
*/ */
@ESIntegTestCase.ClusterScope(numDataNodes = 1, numClientNodes = 0, supportsDedicatedMasters = false) @ESIntegTestCase.ClusterScope(numDataNodes = 1, numClientNodes = 0, supportsDedicatedMasters = false)
@TestLogging("org.elasticsearch.xpack.ssl.RestrictedTrustManager:DEBUG")
public class SSLTrustRestrictionsTests extends SecurityIntegTestCase { public class SSLTrustRestrictionsTests extends SecurityIntegTestCase {
/** /**
@ -107,23 +109,16 @@ public class SSLTrustRestrictionsTests extends SecurityIntegTestCase {
.put(nodeSSL); .put(nodeSSL);
restrictionsPath = configPath.resolve("trust_restrictions.yml"); restrictionsPath = configPath.resolve("trust_restrictions.yml");
writeRestrictions("\"*.trusted\""); writeRestrictions("*.trusted");
builder.put("xpack.ssl.trust_restrictions.path", restrictionsPath); builder.put("xpack.ssl.trust_restrictions.path", restrictionsPath);
builder.put("resource.reload.interval.high", RESOURCE_RELOAD_MILLIS + "ms"); builder.put("resource.reload.interval.high", RESOURCE_RELOAD_MILLIS + "ms");
return builder.build(); return builder.build();
} }
@Before
public void resetRestrictions() {
if (restrictionsPath != null) {
writeRestrictions("\"*.trusted\"");
}
}
private void writeRestrictions(String trustedPattern) { private void writeRestrictions(String trustedPattern) {
try { try {
Files.write(restrictionsPath, Collections.singleton("trust.subject_name: " + trustedPattern)); Files.write(restrictionsPath, Collections.singleton("trust.subject_name: \"" + trustedPattern + "\""));
} catch (IOException e) { } catch (IOException e) {
throw new ElasticsearchException("failed to write restrictions", e); throw new ElasticsearchException("failed to write restrictions", e);
} }
@ -144,6 +139,7 @@ public class SSLTrustRestrictionsTests extends SecurityIntegTestCase {
} }
public void testCertificateWithTrustedNameIsAccepted() throws Exception { public void testCertificateWithTrustedNameIsAccepted() throws Exception {
writeRestrictions("*.trusted");
try { try {
tryConnect(trustedCert); tryConnect(trustedCert);
} catch (SSLHandshakeException | SocketException ex) { } catch (SSLHandshakeException | SocketException ex) {
@ -152,6 +148,7 @@ public class SSLTrustRestrictionsTests extends SecurityIntegTestCase {
} }
public void testCertificateWithUntrustedNameFails() throws Exception { public void testCertificateWithUntrustedNameFails() throws Exception {
writeRestrictions("*.trusted");
try { try {
tryConnect(untrustedCert); tryConnect(untrustedCert);
fail("handshake should have failed, but was successful"); fail("handshake should have failed, but was successful");
@ -160,26 +157,20 @@ public class SSLTrustRestrictionsTests extends SecurityIntegTestCase {
} }
} }
public void testRestrictionsAreReloaded() throws Exception { public void testRestrictionsAreReloaded() throws Exception {
writeRestrictions("*");
try { try {
tryConnect(trustedCert); tryConnect(untrustedCert);
} catch (SSLHandshakeException | SocketException ex) { } catch (SSLHandshakeException | SocketException ex) {
fail("handshake should have been successful, but failed with " + ex); fail("handshake should have been successful, but failed with " + ex);
} }
writeRestrictions("\"nothing\""); writeRestrictions("*.trusted");
Thread.sleep(WAIT_RELOAD_MILLIS); Thread.sleep(WAIT_RELOAD_MILLIS);
try { try {
tryConnect(trustedCert); tryConnect(untrustedCert);
fail("handshake should have failed, but was successful"); fail("handshake should have failed, but was successful");
} catch (SSLHandshakeException | SocketException ex) { } catch (SSLHandshakeException | SocketException ex) {
// expected // expected
} }
writeRestrictions("\"*\"");
Thread.sleep(WAIT_RELOAD_MILLIS);
try {
tryConnect(trustedCert);
} catch (SSLHandshakeException | SocketException ex) {
fail("handshake should have been successful, but failed with " + ex);
}
} }
private void tryConnect(CertificateInfo certificate) throws Exception { private void tryConnect(CertificateInfo certificate) throws Exception {
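Review bot: In testRestrictionsAreReloaded the new `writeRestrictions("*");` is followed immediately by `tryConnect(untrustedCert)` with no wait, while the node is started with `*.trusted` (hunk at -107) and the two preceding tests rewrite that same value, so unless the watcher picks the file up synchronously the first handshake can run against the still-active `*.trusted` restriction and fail spuriously; the `Thread.sleep(WAIT_RELOAD_MILLIS);` used before the second connect (or an `assertBusy` around the first connect) belongs after that first write as well. The closing block only shows that the untrusted certificate is rejected after the reload, which a reload that dropped trust entirely would satisfy too; a plain `tryConnect(trustedCert);` after the expected-failure block would confirm that the tightened restriction, not a broken trust store, is what rejected it. Since both checks rely on a polled reload, a comment such as `// restrictions are re-read at RESOURCE_RELOAD_MILLIS; WAIT_RELOAD_MILLIS must comfortably exceed it` would help the next person who sees this fail.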