Disable diagnostic trust manager in tests (#51501)
This commit sets `xpack.security.ssl.diagnose.trust` to false in all of our tests when running in FIPS 140 mode and when settings objects are used to create an instance of the SSLService. This is needed in 7.x because setting `xpack.security.ssl.diagnose.trust` to true wraps the SunJSSE TrustManager with our own DiagnosticTrustManager, and this is not allowed when SunJSSE is in FIPS mode. An alternative would be to set `xpack.security.fips.enabled` to true, which would also implicitly disable `xpack.security.ssl.diagnose.trust`, but that would have additional effects (it would require setting PBKDF2 as the password hashing algorithm in all test clusters, would prohibit using JKS keystores in nodes even where the relevant tests have been muted in FIPS mode, etc.). Relates: #49900 Resolves: #51268
This commit is contained in:
parent
919083decd
commit
4f3548fbd7
@ -158,6 +158,7 @@ import static org.elasticsearch.discovery.FileBasedSeedHostsProvider.UNICAST_HOS
import static org.elasticsearch.discovery.zen.ElectMasterService.DISCOVERY_ZEN_MINIMUM_MASTER_NODES_SETTING;
import static org.elasticsearch.discovery.zen.ElectMasterService.DISCOVERY_ZEN_MINIMUM_MASTER_NODES_SETTING;
import static org.elasticsearch.test.ESTestCase.assertBusy;
import static org.elasticsearch.test.ESTestCase.assertBusy;
import static org.elasticsearch.test.ESTestCase.getTestTransportType;
import static org.elasticsearch.test.ESTestCase.getTestTransportType;
import static org.elasticsearch.test.ESTestCase.inFipsJvm;
import static org.elasticsearch.test.ESTestCase.randomFrom;
import static org.elasticsearch.test.ESTestCase.randomFrom;
import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertAcked;
import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertAcked;
import static org.hamcrest.Matchers.equalTo;
import static org.hamcrest.Matchers.equalTo;
@ -1112,6 +1113,9 @@ public final class InternalTestCluster extends TestCluster {
|
||||||
.put("logger.prefix", nodeSettings.get("logger.prefix", ""))
|
.put("logger.prefix", nodeSettings.get("logger.prefix", ""))
|
||||||
.put("logger.level", nodeSettings.get("logger.level", "INFO"))
|
.put("logger.level", nodeSettings.get("logger.level", "INFO"))
|
||||||
.put(settings);
|
.put(settings);
|
||||||
|
if (inFipsJvm()) {
|
||||||
|
builder.put("xpack.security.ssl.diagnose.trust", false);
|
||||||
|
}
|
||||||
if (NetworkModule.TRANSPORT_TYPE_SETTING.exists(settings)) {
|
if (NetworkModule.TRANSPORT_TYPE_SETTING.exists(settings)) {
|
||||||
builder.put(NetworkModule.TRANSPORT_TYPE_SETTING.getKey(), NetworkModule.TRANSPORT_TYPE_SETTING.get(settings));
|
builder.put(NetworkModule.TRANSPORT_TYPE_SETTING.getKey(), NetworkModule.TRANSPORT_TYPE_SETTING.get(settings));
|
||||||
} else {
|
} else {
|
||||||
|
|
|
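Review bot: The FIPS override at `builder.put("xpack.security.ssl.diagnose.trust", false)` spells the key as a string literal while every other x-pack hunk in this commit uses `XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey()`; if this class cannot depend on x-pack (it looks like core test-framework code), a one-line comment should say so, otherwise the constant should be used so the two cannot drift. Because the put comes after `.put(settings)`, it silently overrides a test that explicitly asked for `true`, and that intent should be stated: `// In a FIPS JVM the DiagnosticTrustManager may not wrap the SunJSSE trust manager, so force it off even if a test enabled it.` The enclosing method starts and ends outside the hunk.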
@ -277,6 +277,8 @@ public class XPackSettings {
|
||||||
settings.add(TRANSFORM_ENABLED);
|
settings.add(TRANSFORM_ENABLED);
|
||||||
settings.add(FLATTENED_ENABLED);
|
settings.add(FLATTENED_ENABLED);
|
||||||
settings.add(VECTORS_ENABLED);
|
settings.add(VECTORS_ENABLED);
|
||||||
|
settings.add(DIAGNOSE_TRUST_EXCEPTIONS_SETTING);
|
||||||
|
settings.add(FIPS_MODE_ENABLED);
|
||||||
return Collections.unmodifiableList(settings);
|
return Collections.unmodifiableList(settings);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
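Review bot: Registering `DIAGNOSE_TRUST_EXCEPTIONS_SETTING` and `FIPS_MODE_ENABLED` here, combined with their removal from the node-only list in Security.java in the same commit, widens where both keys are accepted: they are now registered for every consumer of `getAllSettings()`, including the transport client. That is presumably what lets `TestXPackTransportClient` set the key without an unknown-setting rejection, but the coupling is invisible from this file; a comment such as `// registered here rather than in Security's node-only list so transport clients can also set them` would record why. Whether a transport client should now also honor `xpack.security.fips.enabled`, which was previously node-only, is worth confirming. The enclosing method starts outside the hunk.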
@ -18,6 +18,7 @@ import java.util.Collection;
|
||||||
import java.util.concurrent.TimeUnit;
|
import java.util.concurrent.TimeUnit;
|
||||||
|
|
||||||
import static org.elasticsearch.test.ESTestCase.getTestTransportPlugin;
|
import static org.elasticsearch.test.ESTestCase.getTestTransportPlugin;
|
||||||
|
import static org.elasticsearch.test.ESTestCase.inFipsJvm;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* TransportClient.Builder that installs the XPackPlugin by default.
|
* TransportClient.Builder that installs the XPackPlugin by default.
|
||||||
|
@ -31,7 +32,7 @@ public class TestXPackTransportClient extends TransportClient {
|
||||||
}
|
}
|
||||||
|
|
||||||
public TestXPackTransportClient(Settings settings, Collection<Class<? extends Plugin>> plugins) {
|
public TestXPackTransportClient(Settings settings, Collection<Class<? extends Plugin>> plugins) {
|
||||||
super(settings, Settings.EMPTY, addPlugins(plugins, getTestTransportPlugin()), null);
|
super(possiblyDisableTlsDiagnostic(settings), Settings.EMPTY, addPlugins(plugins, getTestTransportPlugin()), null);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
|
@ -51,4 +52,12 @@ public class TestXPackTransportClient extends TransportClient {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private static Settings possiblyDisableTlsDiagnostic(Settings settings) {
|
||||||
|
Settings.Builder builder = Settings.builder().put(settings);
|
||||||
|
if (inFipsJvm()) {
|
||||||
|
builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
|
||||||
|
}
|
||||||
|
return builder.build();
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
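Review bot: `possiblyDisableTlsDiagnostic` has no Javadoc and its name does not say why or when it disables the diagnostic; I would add `/** In a FIPS JVM our DiagnosticTrustManager may not wrap the SunJSSE trust manager, so force xpack.security.ssl.diagnose.trust off regardless of what the caller passed. */`. Only the `(Settings, Collection)` constructor at L189 routes through it; the hunk at L171 opens on the closing brace of an earlier member, which may be another constructor, and if that one does not delegate here clients built through it will not get the override — worth confirming. The override also wins over an explicit `true` in the supplied settings, which is fine for tests but should be stated in the comment.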
@ -642,10 +642,6 @@ public class Security extends Plugin implements ActionPlugin, IngestPlugin, Netw
|
||||||
return settingsList;
|
return settingsList;
|
||||||
}
|
}
|
||||||
|
|
||||||
// The following just apply in node mode
|
|
||||||
settingsList.add(XPackSettings.FIPS_MODE_ENABLED);
|
|
||||||
|
|
||||||
settingsList.add(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING);
|
|
||||||
// IP Filter settings
|
// IP Filter settings
|
||||||
IPFilter.addSettings(settingsList);
|
IPFilter.addSettings(settingsList);
|
||||||
|
|
||||||
|
|
|
@ -246,6 +246,9 @@ public abstract class SecurityIntegTestCase extends ESIntegTestCase {
|
||||||
builder.put(LicenseService.SELF_GENERATED_LICENSE_TYPE.getKey(), "trial");
|
builder.put(LicenseService.SELF_GENERATED_LICENSE_TYPE.getKey(), "trial");
|
||||||
builder.put(NetworkModule.TRANSPORT_TYPE_KEY, randomBoolean() ? SecurityField.NAME4 : SecurityField.NIO);
|
builder.put(NetworkModule.TRANSPORT_TYPE_KEY, randomBoolean() ? SecurityField.NAME4 : SecurityField.NIO);
|
||||||
builder.put(NetworkModule.HTTP_TYPE_KEY, randomBoolean() ? SecurityField.NAME4 : SecurityField.NIO);
|
builder.put(NetworkModule.HTTP_TYPE_KEY, randomBoolean() ? SecurityField.NAME4 : SecurityField.NIO);
|
||||||
|
if (inFipsJvm()) {
|
||||||
|
builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
|
||||||
|
}
|
||||||
Settings.Builder customBuilder = Settings.builder().put(customSettings);
|
Settings.Builder customBuilder = Settings.builder().put(customSettings);
|
||||||
if (customBuilder.getSecureSettings() != null) {
|
if (customBuilder.getSecureSettings() != null) {
|
||||||
SecuritySettingsSource.addSecureSettings(builder, secureSettings ->
|
SecuritySettingsSource.addSecureSettings(builder, secureSettings ->
|
||||||
|
|
|
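Review bot: The FIPS override at L333 is applied before `customSettings` are merged into `builder` (the `customBuilder` handling starts at L340 and the merge presumably follows outside the hunk), so a test that sets `xpack.security.ssl.diagnose.trust` to `true` in its custom settings would re-enable the diagnostic trust manager and fail in FIPS mode — the opposite order from `InternalTestCluster`, where the override comes after `.put(settings)`. If the intent is that FIPS always wins, the put should move after the custom-settings merge; if custom settings are allowed to win, a comment should say so. The enclosing method starts and ends outside the hunk.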
@ -147,6 +147,9 @@ public class SecuritySettingsSource extends NodeConfigurationSource {
|
||||||
.put("xpack.security.authc.realms." + FileRealmSettings.TYPE + ".file.order", 0)
|
.put("xpack.security.authc.realms." + FileRealmSettings.TYPE + ".file.order", 0)
|
||||||
.put("xpack.security.authc.realms." + NativeRealmSettings.TYPE + ".index.order", "1")
|
.put("xpack.security.authc.realms." + NativeRealmSettings.TYPE + ".index.order", "1")
|
||||||
.put("xpack.license.self_generated.type", "trial");
|
.put("xpack.license.self_generated.type", "trial");
|
||||||
|
if (inFipsJvm()) {
|
||||||
|
builder.put("xpack.security.ssl.diagnose.trust", false);
|
||||||
|
}
|
||||||
addNodeSSLSettings(builder);
|
addNodeSSLSettings(builder);
|
||||||
return builder.build();
|
return builder.build();
|
||||||
}
|
}
|
||||||
|
|
|
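Review bot: The key at L381 is written as the literal `"xpack.security.ssl.diagnose.trust"` although this class is x-pack test code (it already references `FileRealmSettings` and `NativeRealmSettings`) and the other x-pack hunks in this commit use the constant; I would change L381 to `builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);` (adding the `XPackSettings` import if it is not already present) so the two spellings cannot drift. A short why-comment on the `if (inFipsJvm())` line would also help the next reader. The enclosing method starts outside the hunk.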
@ -22,6 +22,7 @@ import org.elasticsearch.core.internal.io.IOUtils;
|
||||||
import org.elasticsearch.license.LicenseService;
|
import org.elasticsearch.license.LicenseService;
|
||||||
import org.elasticsearch.plugins.Plugin;
|
import org.elasticsearch.plugins.Plugin;
|
||||||
import org.elasticsearch.plugins.PluginInfo;
|
import org.elasticsearch.plugins.PluginInfo;
|
||||||
|
import org.elasticsearch.xpack.core.XPackSettings;
|
||||||
import org.elasticsearch.xpack.security.LocalStateSecurity;
|
import org.elasticsearch.xpack.security.LocalStateSecurity;
|
||||||
import org.junit.AfterClass;
|
import org.junit.AfterClass;
|
||||||
import org.junit.Before;
|
import org.junit.Before;
|
||||||
|
@ -167,6 +168,9 @@ public abstract class SecuritySingleNodeTestCase extends ESSingleNodeTestCase {
|
||||||
builder.put(LicenseService.SELF_GENERATED_LICENSE_TYPE.getKey(), "trial");
|
builder.put(LicenseService.SELF_GENERATED_LICENSE_TYPE.getKey(), "trial");
|
||||||
builder.put("transport.type", "security4");
|
builder.put("transport.type", "security4");
|
||||||
builder.put("path.home", customSecuritySettingsSource.nodePath(0));
|
builder.put("path.home", customSecuritySettingsSource.nodePath(0));
|
||||||
|
if (inFipsJvm()) {
|
||||||
|
builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
|
||||||
|
}
|
||||||
Settings.Builder customBuilder = Settings.builder().put(customSettings);
|
Settings.Builder customBuilder = Settings.builder().put(customSettings);
|
||||||
if (customBuilder.getSecureSettings() != null) {
|
if (customBuilder.getSecureSettings() != null) {
|
||||||
SecuritySettingsSource.addSecureSettings(builder, secureSettings ->
|
SecuritySettingsSource.addSecureSettings(builder, secureSettings ->
|
||||||
|
|
|
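Review bot: The three-line `if (inFipsJvm()) { builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); }` block added at L463-L471 is the same snippet this commit pastes into roughly ten other test classes; a single helper on a shared test base (for example `static void disableTlsDiagnosticInFips(Settings.Builder builder)`) would keep the key and the condition in one place for when the FIPS restriction is lifted. As in `SecurityIntegTestCase`, the override here precedes the `customSettings` merge that appears to follow, so a custom `true` may still win — worth a comment if that is acceptable. The enclosing method starts and ends outside the hunk.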
@ -11,6 +11,7 @@ import org.elasticsearch.common.settings.Settings;
|
||||||
import org.elasticsearch.env.Environment;
|
import org.elasticsearch.env.Environment;
|
||||||
import org.elasticsearch.env.TestEnvironment;
|
import org.elasticsearch.env.TestEnvironment;
|
||||||
import org.elasticsearch.test.AbstractBootstrapCheckTestCase;
|
import org.elasticsearch.test.AbstractBootstrapCheckTestCase;
|
||||||
|
import org.elasticsearch.xpack.core.XPackSettings;
|
||||||
import org.elasticsearch.xpack.core.ssl.SSLService;
|
import org.elasticsearch.xpack.core.ssl.SSLService;
|
||||||
import org.hamcrest.Matchers;
|
import org.hamcrest.Matchers;
|
||||||
|
|
||||||
|
@ -19,7 +20,7 @@ import java.nio.file.Path;
|
||||||
public class PkiRealmBootstrapCheckTests extends AbstractBootstrapCheckTestCase {
|
public class PkiRealmBootstrapCheckTests extends AbstractBootstrapCheckTestCase {
|
||||||
|
|
||||||
public void testPkiRealmBootstrapDefault() throws Exception {
|
public void testPkiRealmBootstrapDefault() throws Exception {
|
||||||
final Settings settings = Settings.EMPTY;
|
final Settings settings = getSettingsBuilder().build();
|
||||||
final Environment env = TestEnvironment.newEnvironment(Settings.builder().put("path.home", createTempDir()).build());
|
final Environment env = TestEnvironment.newEnvironment(Settings.builder().put("path.home", createTempDir()).build());
|
||||||
assertFalse(runCheck(settings, env).isFailure());
|
assertFalse(runCheck(settings, env).isFailure());
|
||||||
}
|
}
|
||||||
|
@ -29,7 +30,7 @@ public class PkiRealmBootstrapCheckTests extends AbstractBootstrapCheckTestCase
|
||||||
final Path keyPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem");
|
final Path keyPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem");
|
||||||
|
|
||||||
MockSecureSettings secureSettings = new MockSecureSettings();
|
MockSecureSettings secureSettings = new MockSecureSettings();
|
||||||
Settings settings = Settings.builder()
|
Settings settings = getSettingsBuilder()
|
||||||
.put("xpack.security.authc.realms.pki.test_pki.order", 0)
|
.put("xpack.security.authc.realms.pki.test_pki.order", 0)
|
||||||
.put("path.home", createTempDir())
|
.put("path.home", createTempDir())
|
||||||
.setSecureSettings(secureSettings)
|
.setSecureSettings(secureSettings)
|
||||||
|
@ -39,7 +40,7 @@ public class PkiRealmBootstrapCheckTests extends AbstractBootstrapCheckTestCase
|
||||||
|
|
||||||
// enable transport tls
|
// enable transport tls
|
||||||
secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
|
secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
|
||||||
settings = Settings.builder().put(settings)
|
settings = getSettingsBuilder().put(settings)
|
||||||
.put("xpack.security.transport.ssl.enabled", true)
|
.put("xpack.security.transport.ssl.enabled", true)
|
||||||
.put("xpack.security.transport.ssl.certificate", certPath)
|
.put("xpack.security.transport.ssl.certificate", certPath)
|
||||||
.put("xpack.security.transport.ssl.key", keyPath)
|
.put("xpack.security.transport.ssl.key", keyPath)
|
||||||
|
@ -48,7 +49,7 @@ public class PkiRealmBootstrapCheckTests extends AbstractBootstrapCheckTestCase
|
||||||
|
|
||||||
// enable ssl for http
|
// enable ssl for http
|
||||||
secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode");
|
secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode");
|
||||||
settings = Settings.builder().put(settings)
|
settings = getSettingsBuilder().put(settings)
|
||||||
.put("xpack.security.transport.ssl.enabled", false)
|
.put("xpack.security.transport.ssl.enabled", false)
|
||||||
.put("xpack.security.http.ssl.enabled", true)
|
.put("xpack.security.http.ssl.enabled", true)
|
||||||
.put("xpack.security.http.ssl.certificate", certPath)
|
.put("xpack.security.http.ssl.certificate", certPath)
|
||||||
|
@ -58,28 +59,28 @@ public class PkiRealmBootstrapCheckTests extends AbstractBootstrapCheckTestCase
|
||||||
assertTrue(runCheck(settings, env).isFailure());
|
assertTrue(runCheck(settings, env).isFailure());
|
||||||
|
|
||||||
// enable client auth for http
|
// enable client auth for http
|
||||||
settings = Settings.builder().put(settings)
|
settings = getSettingsBuilder().put(settings)
|
||||||
.put("xpack.security.http.ssl.client_authentication", randomFrom("required", "optional"))
|
.put("xpack.security.http.ssl.client_authentication", randomFrom("required", "optional"))
|
||||||
.build();
|
.build();
|
||||||
env = TestEnvironment.newEnvironment(settings);
|
env = TestEnvironment.newEnvironment(settings);
|
||||||
assertFalse(runCheck(settings, env).isFailure());
|
assertFalse(runCheck(settings, env).isFailure());
|
||||||
|
|
||||||
// disable http ssl
|
// disable http ssl
|
||||||
settings = Settings.builder().put(settings)
|
settings = getSettingsBuilder().put(settings)
|
||||||
.put("xpack.security.http.ssl.enabled", false)
|
.put("xpack.security.http.ssl.enabled", false)
|
||||||
.build();
|
.build();
|
||||||
env = TestEnvironment.newEnvironment(settings);
|
env = TestEnvironment.newEnvironment(settings);
|
||||||
assertTrue(runCheck(settings, env).isFailure());
|
assertTrue(runCheck(settings, env).isFailure());
|
||||||
|
|
||||||
// set transport client auth
|
// set transport client auth
|
||||||
settings = Settings.builder().put(settings)
|
settings = getSettingsBuilder().put(settings)
|
||||||
.put("xpack.security.transport.client_authentication", randomFrom("required", "optional"))
|
.put("xpack.security.transport.client_authentication", randomFrom("required", "optional"))
|
||||||
.build();
|
.build();
|
||||||
env = TestEnvironment.newEnvironment(settings);
|
env = TestEnvironment.newEnvironment(settings);
|
||||||
assertTrue(runCheck(settings, env).isFailure());
|
assertTrue(runCheck(settings, env).isFailure());
|
||||||
|
|
||||||
// test with transport profile
|
// test with transport profile
|
||||||
settings = Settings.builder().put(settings)
|
settings = getSettingsBuilder().put(settings)
|
||||||
.put("xpack.security.transport.ssl.enabled", true)
|
.put("xpack.security.transport.ssl.enabled", true)
|
||||||
.put("xpack.security.transport.client_authentication", "none")
|
.put("xpack.security.transport.client_authentication", "none")
|
||||||
.put("transport.profiles.foo.xpack.security.ssl.client_authentication", randomFrom("required", "optional"))
|
.put("transport.profiles.foo.xpack.security.ssl.client_authentication", randomFrom("required", "optional"))
|
||||||
|
@ -93,7 +94,7 @@ public class PkiRealmBootstrapCheckTests extends AbstractBootstrapCheckTestCase
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testBootstrapCheckWithDisabledRealm() throws Exception {
|
public void testBootstrapCheckWithDisabledRealm() throws Exception {
|
||||||
Settings settings = Settings.builder()
|
Settings settings = getSettingsBuilder()
|
||||||
.put("xpack.security.authc.realms.pki.test_pki.enabled", false)
|
.put("xpack.security.authc.realms.pki.test_pki.enabled", false)
|
||||||
.put("xpack.security.transport.ssl.enabled", false)
|
.put("xpack.security.transport.ssl.enabled", false)
|
||||||
.put("xpack.security.transport.ssl.client_authentication", "none")
|
.put("xpack.security.transport.ssl.client_authentication", "none")
|
||||||
|
@ -109,7 +110,7 @@ public class PkiRealmBootstrapCheckTests extends AbstractBootstrapCheckTestCase
|
||||||
MockSecureSettings secureSettings = new MockSecureSettings();
|
MockSecureSettings secureSettings = new MockSecureSettings();
|
||||||
// enable transport tls
|
// enable transport tls
|
||||||
secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
|
secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
|
||||||
Settings settings = Settings.builder()
|
Settings settings = getSettingsBuilder()
|
||||||
.put("xpack.security.authc.realms.pki.test_pki.enabled", true)
|
.put("xpack.security.authc.realms.pki.test_pki.enabled", true)
|
||||||
.put("xpack.security.authc.realms.pki.test_pki.delegation.enabled", true)
|
.put("xpack.security.authc.realms.pki.test_pki.delegation.enabled", true)
|
||||||
.put("xpack.security.transport.ssl.enabled", randomBoolean())
|
.put("xpack.security.transport.ssl.enabled", randomBoolean())
|
||||||
|
@ -127,7 +128,7 @@ public class PkiRealmBootstrapCheckTests extends AbstractBootstrapCheckTestCase
|
||||||
final boolean expectFail = randomBoolean();
|
final boolean expectFail = randomBoolean();
|
||||||
final MockSecureSettings secureSettings = new MockSecureSettings();
|
final MockSecureSettings secureSettings = new MockSecureSettings();
|
||||||
secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode");
|
secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode");
|
||||||
Settings settings = Settings.builder()
|
Settings settings = getSettingsBuilder()
|
||||||
.put("xpack.security.authc.realms.pki.test_pki.order", 0)
|
.put("xpack.security.authc.realms.pki.test_pki.order", 0)
|
||||||
.put("xpack.security.http.ssl.enabled", true)
|
.put("xpack.security.http.ssl.enabled", true)
|
||||||
.put("xpack.security.http.ssl.client_authentication", expectFail ? "none" : "optional")
|
.put("xpack.security.http.ssl.client_authentication", expectFail ? "none" : "optional")
|
||||||
|
@ -144,4 +145,12 @@ public class PkiRealmBootstrapCheckTests extends AbstractBootstrapCheckTestCase
|
||||||
secureSettings.close();
|
secureSettings.close();
|
||||||
assertThat(check.check(createTestContext(settings, null)).isFailure(), Matchers.equalTo(expectFail));
|
assertThat(check.check(createTestContext(settings, null)).isFailure(), Matchers.equalTo(expectFail));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private Settings.Builder getSettingsBuilder() {
|
||||||
|
Settings.Builder builder = Settings.builder();
|
||||||
|
if (inFipsJvm()) {
|
||||||
|
builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
|
||||||
|
}
|
||||||
|
return builder;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
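Review bot: The new `getSettingsBuilder()` at L949-L973 has no Javadoc, and an identical private copy is added to `ESNativeMigrateToolTests` in the same commit; I would document it with `/** Settings builder that disables the diagnostic trust manager in a FIPS JVM, where it may not wrap the SunJSSE trust manager. */` and consider hoisting it to a shared test utility. Note that `getSettingsBuilder().put(settings)` at L620, L657, L694, L727, L760 and L793 sets the key and then copies `settings` on top, which only works because `settings` was itself produced by the helper; an external `Settings` carrying `true` would override it. The test methods edited in the middle hunks start or end outside their hunks.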
@ -98,10 +98,14 @@ public class SecurityTests extends ESTestCase {
|
||||||
if (security != null) {
|
if (security != null) {
|
||||||
throw new IllegalStateException("Security object already exists (" + security + ")");
|
throw new IllegalStateException("Security object already exists (" + security + ")");
|
||||||
}
|
}
|
||||||
Settings settings = Settings.builder()
|
Settings.Builder builder = Settings.builder()
|
||||||
.put("xpack.security.enabled", true)
|
.put("xpack.security.enabled", true)
|
||||||
.put(testSettings)
|
.put(testSettings)
|
||||||
.put("path.home", createTempDir()).build();
|
.put("path.home", createTempDir());
|
||||||
|
if (inFipsJvm()) {
|
||||||
|
builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
|
||||||
|
}
|
||||||
|
Settings settings = builder.build();
|
||||||
Environment env = TestEnvironment.newEnvironment(settings);
|
Environment env = TestEnvironment.newEnvironment(settings);
|
||||||
licenseState = new TestUtils.UpdatableLicenseState(settings);
|
licenseState = new TestUtils.UpdatableLicenseState(settings);
|
||||||
SSLService sslService = new SSLService(settings, env);
|
SSLService sslService = new SSLService(settings, env);
|
||||||
|
|
|
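Review bot: The override at L1027 is applied after `.put(testSettings)`, so a test that passes `xpack.security.ssl.diagnose.trust=true` through `testSettings` is silently downgraded in a FIPS JVM; that is the right default but deserves a comment, e.g. `// must come after testSettings: the DiagnosticTrustManager cannot wrap SunJSSE in FIPS mode`. The enclosing method starts and ends outside the hunk.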
@ -92,7 +92,11 @@ public class TransportOpenIdConnectLogoutActionTests extends OpenIdConnectTestCa
|
||||||
.put(XPackSettings.TOKEN_SERVICE_ENABLED_SETTING.getKey(), true)
|
.put(XPackSettings.TOKEN_SERVICE_ENABLED_SETTING.getKey(), true)
|
||||||
.put("path.home", createTempDir())
|
.put("path.home", createTempDir())
|
||||||
.build();
|
.build();
|
||||||
final Settings sslSettings = Settings.builder()
|
Settings.Builder sslSettingsBuilder = Settings.builder();
|
||||||
|
if (inFipsJvm()) {
|
||||||
|
sslSettingsBuilder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
|
||||||
|
}
|
||||||
|
final Settings sslSettings = sslSettingsBuilder
|
||||||
.put("xpack.security.authc.realms.oidc.oidc-realm.ssl.verification_mode", "certificate")
|
.put("xpack.security.authc.realms.oidc.oidc-realm.ssl.verification_mode", "certificate")
|
||||||
.put("path.home", createTempDir())
|
.put("path.home", createTempDir())
|
||||||
.build();
|
.build();
|
||||||
|
|
|
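Review bot: Only `sslSettings` receives the FIPS override; the first `settings` object finished at L1059-L1071 (its builder starts outside the hunk) does not. If that object is also used to construct an `SSLService` or a TLS-enabled realm it would still wrap the trust manager under FIPS — worth confirming — and if it is only fed to the token service, a comment saying so would stop a future reader from "fixing" it. `sslSettingsBuilder` could also be declared `final`, matching the surrounding locals.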
@ -14,6 +14,7 @@ import org.elasticsearch.common.settings.Settings;
|
||||||
import org.elasticsearch.env.Environment;
|
import org.elasticsearch.env.Environment;
|
||||||
import org.elasticsearch.test.NativeRealmIntegTestCase;
|
import org.elasticsearch.test.NativeRealmIntegTestCase;
|
||||||
import org.elasticsearch.common.CharArrays;
|
import org.elasticsearch.common.CharArrays;
|
||||||
|
import org.elasticsearch.xpack.core.XPackSettings;
|
||||||
import org.elasticsearch.xpack.core.security.client.SecurityClient;
|
import org.elasticsearch.xpack.core.security.client.SecurityClient;
|
||||||
import org.elasticsearch.xpack.core.security.index.RestrictedIndicesNames;
|
import org.elasticsearch.xpack.core.security.index.RestrictedIndicesNames;
|
||||||
import org.junit.BeforeClass;
|
import org.junit.BeforeClass;
|
||||||
|
@ -93,7 +94,7 @@ public class ESNativeMigrateToolTests extends NativeRealmIntegTestCase {
|
||||||
String url = getHttpURL();
|
String url = getHttpURL();
|
||||||
ESNativeRealmMigrateTool.MigrateUserOrRoles muor = new ESNativeRealmMigrateTool.MigrateUserOrRoles();
|
ESNativeRealmMigrateTool.MigrateUserOrRoles muor = new ESNativeRealmMigrateTool.MigrateUserOrRoles();
|
||||||
|
|
||||||
Settings.Builder builder = Settings.builder()
|
Settings.Builder builder = getSettingsBuilder()
|
||||||
.put("path.home", home)
|
.put("path.home", home)
|
||||||
.put("path.conf", conf.toString())
|
.put("path.conf", conf.toString())
|
||||||
.put("xpack.security.http.ssl.client_authentication", "none");
|
.put("xpack.security.http.ssl.client_authentication", "none");
|
||||||
|
@ -143,7 +144,7 @@ public class ESNativeMigrateToolTests extends NativeRealmIntegTestCase {
|
||||||
String password = new String(CharArrays.toUtf8Bytes(nodeClientPassword().getChars()), StandardCharsets.UTF_8);
|
String password = new String(CharArrays.toUtf8Bytes(nodeClientPassword().getChars()), StandardCharsets.UTF_8);
|
||||||
String url = getHttpURL();
|
String url = getHttpURL();
|
||||||
ESNativeRealmMigrateTool.MigrateUserOrRoles muor = new ESNativeRealmMigrateTool.MigrateUserOrRoles();
|
ESNativeRealmMigrateTool.MigrateUserOrRoles muor = new ESNativeRealmMigrateTool.MigrateUserOrRoles();
|
||||||
Settings.Builder builder = Settings.builder()
|
Settings.Builder builder = getSettingsBuilder()
|
||||||
.put("path.home", home)
|
.put("path.home", home)
|
||||||
.put("xpack.security.http.ssl.client_authentication", "none");
|
.put("xpack.security.http.ssl.client_authentication", "none");
|
||||||
addSSLSettingsForPEMFiles(builder,
|
addSSLSettingsForPEMFiles(builder,
|
||||||
|
@ -172,4 +173,12 @@ public class ESNativeMigrateToolTests extends NativeRealmIntegTestCase {
|
||||||
|
|
||||||
assertThat(ex.getMessage(), containsString("password"));
|
assertThat(ex.getMessage(), containsString("password"));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private Settings.Builder getSettingsBuilder() {
|
||||||
|
Settings.Builder builder = Settings.builder();
|
||||||
|
if (inFipsJvm()) {
|
||||||
|
builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
|
||||||
|
}
|
||||||
|
return builder;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
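Review bot: `getSettingsBuilder()` at L1247-L1271 duplicates the helper added to `PkiRealmBootstrapCheckTests` line for line; placing one copy on a shared test base would avoid two places to update when the FIPS restriction on `DiagnosticTrustManager` is removed. The helper should also carry a Javadoc stating why the key is forced off, e.g. `/** Builder that disables xpack.security.ssl.diagnose.trust in a FIPS JVM, where our DiagnosticTrustManager may not wrap the SunJSSE trust manager. */`. The two test methods changed at L1169 and L1208 start outside their hunks.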
@ -13,6 +13,7 @@ import org.elasticsearch.env.TestEnvironment;
|
||||||
import org.elasticsearch.test.ESTestCase;
|
import org.elasticsearch.test.ESTestCase;
|
||||||
import org.elasticsearch.test.http.MockResponse;
|
import org.elasticsearch.test.http.MockResponse;
|
||||||
import org.elasticsearch.test.http.MockWebServer;
|
import org.elasticsearch.test.http.MockWebServer;
|
||||||
|
import org.elasticsearch.xpack.core.XPackSettings;
|
||||||
import org.elasticsearch.xpack.core.ssl.SSLConfigurationSettingsTests;
|
import org.elasticsearch.xpack.core.ssl.SSLConfigurationSettingsTests;
|
||||||
import org.elasticsearch.xpack.core.ssl.TestsSSLService;
|
import org.elasticsearch.xpack.core.ssl.TestsSSLService;
|
||||||
import org.elasticsearch.xpack.core.ssl.VerificationMode;
|
import org.elasticsearch.xpack.core.ssl.VerificationMode;
|
||||||
|
@ -70,7 +71,11 @@ public class CommandLineHttpClientTests extends ESTestCase {
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testGetDefaultURLFailsWithHelpfulMessage() {
|
public void testGetDefaultURLFailsWithHelpfulMessage() {
|
||||||
Settings settings = Settings.builder()
|
Settings.Builder builder = Settings.builder();
|
||||||
|
if (inFipsJvm()) {
|
||||||
|
builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
|
||||||
|
}
|
||||||
|
Settings settings = builder
|
||||||
.put("network.host", "_ec2:privateIpv4_")
|
.put("network.host", "_ec2:privateIpv4_")
|
||||||
.build();
|
.build();
|
||||||
CommandLineHttpClient client = new CommandLineHttpClient(settings, environment);
|
CommandLineHttpClient client = new CommandLineHttpClient(settings, environment);
|
||||||
|
@ -87,7 +92,11 @@ public class CommandLineHttpClientTests extends ESTestCase {
|
||||||
private Settings.Builder getHttpSslSettings() {
|
private Settings.Builder getHttpSslSettings() {
|
||||||
MockSecureSettings secureSettings = new MockSecureSettings();
|
MockSecureSettings secureSettings = new MockSecureSettings();
|
||||||
secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode");
|
secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode");
|
||||||
return Settings.builder()
|
Settings.Builder builder = Settings.builder();
|
||||||
|
if (inFipsJvm()) {
|
||||||
|
builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
|
||||||
|
}
|
||||||
|
return builder
|
||||||
.put("xpack.security.http.ssl.enabled", true)
|
.put("xpack.security.http.ssl.enabled", true)
|
||||||
.put("xpack.security.http.ssl.key", keyPath.toString())
|
.put("xpack.security.http.ssl.key", keyPath.toString())
|
||||||
.put("xpack.security.http.ssl.certificate", certPath.toString())
|
.put("xpack.security.http.ssl.certificate", certPath.toString())
|
||||||
|
|
|
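Review bot: The same four-line `if (inFipsJvm())` block is pasted twice in this file, at L1342-L1350 and L1397-L1405; a private helper such as `private static Settings.Builder fipsSafeBuilder()` returning the pre-populated builder would let both `testGetDefaultURLFailsWithHelpfulMessage` and `getHttpSslSettings` share it, mirroring the `getSettingsBuilder()` helper this commit adds to other test classes. The bodies of both methods continue outside their hunks.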
@ -33,6 +33,7 @@ import org.elasticsearch.test.ESTestCase;
|
||||||
import org.elasticsearch.threadpool.TestThreadPool;
|
import org.elasticsearch.threadpool.TestThreadPool;
|
||||||
import org.elasticsearch.threadpool.ThreadPool;
|
import org.elasticsearch.threadpool.ThreadPool;
|
||||||
import org.elasticsearch.watcher.ResourceWatcherService;
|
import org.elasticsearch.watcher.ResourceWatcherService;
|
||||||
|
import org.elasticsearch.xpack.core.XPackSettings;
|
||||||
import org.elasticsearch.xpack.core.security.authc.AuthenticationResult;
|
import org.elasticsearch.xpack.core.security.authc.AuthenticationResult;
|
||||||
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
|
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
|
||||||
import org.elasticsearch.xpack.core.security.authc.ldap.ActiveDirectorySessionFactorySettings;
|
import org.elasticsearch.xpack.core.security.authc.ldap.ActiveDirectorySessionFactorySettings;
|
||||||
|
@ -142,7 +143,11 @@ public class ActiveDirectoryRealmTests extends ESTestCase {
|
||||||
}
|
}
|
||||||
threadPool = new TestThreadPool("active directory realm tests");
|
threadPool = new TestThreadPool("active directory realm tests");
|
||||||
resourceWatcherService = new ResourceWatcherService(Settings.EMPTY, threadPool);
|
resourceWatcherService = new ResourceWatcherService(Settings.EMPTY, threadPool);
|
||||||
globalSettings = Settings.builder().put("path.home", createTempDir()).build();
|
Settings.Builder builder = Settings.builder();
|
||||||
|
if (inFipsJvm()) {
|
||||||
|
builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
|
||||||
|
}
|
||||||
|
globalSettings = builder.put("path.home", createTempDir()).build();
|
||||||
sslService = new SSLService(globalSettings, TestEnvironment.newEnvironment(globalSettings));
|
sslService = new SSLService(globalSettings, TestEnvironment.newEnvironment(globalSettings));
|
||||||
licenseState = new TestUtils.UpdatableLicenseState();
|
licenseState = new TestUtils.UpdatableLicenseState();
|
||||||
}
|
}
|
||||||
|
|
|
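Review bot: The `if (inFipsJvm())` block at L1492-L1500 carries no explanation, and nothing in the file says why the setting is forced off; I would add `// the DiagnosticTrustManager may not wrap the SunJSSE trust manager in FIPS mode` above it. Since `globalSettings` feeds the `SSLService` on the next line, the override presumably covers every realm the tests layer on top of it, which is worth stating in the same comment. The setup method starts outside the hunk.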
@ -25,6 +25,7 @@ import org.elasticsearch.script.mustache.MustacheScriptEngine;
|
||||||
import org.elasticsearch.threadpool.TestThreadPool;
|
import org.elasticsearch.threadpool.TestThreadPool;
|
||||||
import org.elasticsearch.threadpool.ThreadPool;
|
import org.elasticsearch.threadpool.ThreadPool;
|
||||||
import org.elasticsearch.watcher.ResourceWatcherService;
|
import org.elasticsearch.watcher.ResourceWatcherService;
|
||||||
|
import org.elasticsearch.xpack.core.XPackSettings;
|
||||||
import org.elasticsearch.xpack.core.security.authc.AuthenticationResult;
|
import org.elasticsearch.xpack.core.security.authc.AuthenticationResult;
|
||||||
import org.elasticsearch.xpack.core.security.authc.Realm;
|
import org.elasticsearch.xpack.core.security.authc.Realm;
|
||||||
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
|
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
|
||||||
|
@ -98,7 +99,11 @@ public class LdapRealmTests extends LdapTestCase {
|
||||||
public void init() throws Exception {
|
public void init() throws Exception {
|
||||||
threadPool = new TestThreadPool("ldap realm tests");
|
threadPool = new TestThreadPool("ldap realm tests");
|
||||||
resourceWatcherService = new ResourceWatcherService(Settings.EMPTY, threadPool);
|
resourceWatcherService = new ResourceWatcherService(Settings.EMPTY, threadPool);
|
||||||
defaultGlobalSettings = Settings.builder().put("path.home", createTempDir()).build();
|
Settings.Builder builder = Settings.builder();
|
||||||
|
if (inFipsJvm()) {
|
||||||
|
builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
|
||||||
|
}
|
||||||
|
defaultGlobalSettings = builder.put("path.home", createTempDir()).build();
|
||||||
sslService = new SSLService(defaultGlobalSettings, TestEnvironment.newEnvironment(defaultGlobalSettings));
|
sslService = new SSLService(defaultGlobalSettings, TestEnvironment.newEnvironment(defaultGlobalSettings));
|
||||||
licenseState = mock(XPackLicenseState.class);
|
licenseState = mock(XPackLicenseState.class);
|
||||||
when(licenseState.isAuthorizationRealmAllowed()).thenReturn(true);
|
when(licenseState.isAuthorizationRealmAllowed()).thenReturn(true);
|
||||||
|
|
|
@ -19,6 +19,7 @@ import org.elasticsearch.env.TestEnvironment;
|
||||||
import org.elasticsearch.threadpool.TestThreadPool;
|
import org.elasticsearch.threadpool.TestThreadPool;
|
||||||
import org.elasticsearch.threadpool.ThreadPool;
|
import org.elasticsearch.threadpool.ThreadPool;
|
||||||
import org.elasticsearch.watcher.ResourceWatcherService;
|
import org.elasticsearch.watcher.ResourceWatcherService;
|
||||||
|
import org.elasticsearch.xpack.core.XPackSettings;
|
||||||
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
|
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
|
||||||
import org.elasticsearch.xpack.core.security.authc.RealmSettings;
|
import org.elasticsearch.xpack.core.security.authc.RealmSettings;
|
||||||
import org.elasticsearch.xpack.core.security.authc.ldap.support.LdapSearchScope;
|
import org.elasticsearch.xpack.core.security.authc.ldap.support.LdapSearchScope;
|
||||||
|
@ -59,7 +60,11 @@ public class LdapSessionFactoryTests extends LdapTestCase {
|
||||||
final Path origCa = getDataPath("/org/elasticsearch/xpack/security/authc/ldap/support/ldap-ca.crt");
|
final Path origCa = getDataPath("/org/elasticsearch/xpack/security/authc/ldap/support/ldap-ca.crt");
|
||||||
ldapCaPath = createTempFile();
|
ldapCaPath = createTempFile();
|
||||||
Files.copy(origCa, ldapCaPath, StandardCopyOption.REPLACE_EXISTING);
|
Files.copy(origCa, ldapCaPath, StandardCopyOption.REPLACE_EXISTING);
|
||||||
globalSettings = Settings.builder()
|
Settings.Builder builder = Settings.builder();
|
||||||
|
if (inFipsJvm()) {
|
||||||
|
builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
|
||||||
|
}
|
||||||
|
globalSettings = builder
|
||||||
.put("path.home", createTempDir())
|
.put("path.home", createTempDir())
|
||||||
.putList(RealmSettings.realmSslPrefix(REALM_IDENTIFIER) + "certificate_authorities", ldapCaPath.toString())
|
.putList(RealmSettings.realmSslPrefix(REALM_IDENTIFIER) + "certificate_authorities", ldapCaPath.toString())
|
||||||
.build();
|
.build();
|
||||||
|
|
|
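Review bot: The new `if (inFipsJvm())` block at the start of the setup gives no hint why the diagnostic trust setting is turned off, and `DIAGNOSE_TRUST_EXCEPTIONS_SETTING = false` reads at first glance like a relaxation of certificate checking. The commit description says the reason is that SunJSSE in FIPS mode refuses to have its TrustManager wrapped by DiagnosticTrustManager, which, if I read that correctly, only drops the diagnostic wrapper and leaves trust verification itself in place; a one-line comment would stop a future reader from "fixing" it: `// FIPS: SunJSSE forbids wrapping its TrustManager, so skip the DiagnosticTrustManager (trust checks still apply)`. The same three lines appear in LdapRealmTests and LdapUserSearchSessionFactoryTests; since all of these extend LdapTestCase, a shared builder helper there would keep the FIPS knowledge in one place. The enclosing setup method starts before the hunk.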
@ -25,6 +25,7 @@ import org.elasticsearch.env.Environment;
|
||||||
import org.elasticsearch.env.TestEnvironment;
|
import org.elasticsearch.env.TestEnvironment;
|
||||||
import org.elasticsearch.threadpool.TestThreadPool;
|
import org.elasticsearch.threadpool.TestThreadPool;
|
||||||
import org.elasticsearch.threadpool.ThreadPool;
|
import org.elasticsearch.threadpool.ThreadPool;
|
||||||
|
import org.elasticsearch.xpack.core.XPackSettings;
|
||||||
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
|
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
|
||||||
import org.elasticsearch.xpack.core.security.authc.ldap.LdapUserSearchSessionFactorySettings;
|
import org.elasticsearch.xpack.core.security.authc.ldap.LdapUserSearchSessionFactorySettings;
|
||||||
import org.elasticsearch.xpack.core.security.authc.ldap.PoolingSessionFactorySettings;
|
import org.elasticsearch.xpack.core.security.authc.ldap.PoolingSessionFactorySettings;
|
||||||
|
@ -62,8 +63,11 @@ public class LdapUserSearchSessionFactoryTests extends LdapTestCase {
|
||||||
* If we re-use an SSLContext, previously connected sessions can get re-established which breaks hostname
|
* If we re-use an SSLContext, previously connected sessions can get re-established which breaks hostname
|
||||||
* verification tests since a re-established connection does not perform hostname verification.
|
* verification tests since a re-established connection does not perform hostname verification.
|
||||||
*/
|
*/
|
||||||
|
Settings.Builder builder = Settings.builder();
|
||||||
globalSettings = Settings.builder()
|
if (inFipsJvm()) {
|
||||||
|
builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
|
||||||
|
}
|
||||||
|
globalSettings = builder
|
||||||
.put("path.home", createTempDir())
|
.put("path.home", createTempDir())
|
||||||
.put("xpack.security.transport.ssl.enabled", false)
|
.put("xpack.security.transport.ssl.enabled", false)
|
||||||
.put("xpack.security.transport.ssl.certificate_authorities", certPath)
|
.put("xpack.security.transport.ssl.certificate_authorities", certPath)
|
||||||
|
|
|
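Review bot: The FIPS guard now sits between the block comment about not re-using an SSLContext (ending in `*/`) and the `globalSettings = builder` assignment that comment explains, so the comment visually attaches to the `if (inFipsJvm())` check instead. Moving `Settings.Builder builder = Settings.builder();` and the guard above the comment, or giving the guard its own line such as `// FIPS: SunJSSE rejects a wrapped TrustManager, so disable the diagnostic wrapper`, keeps each explanation next to the code it describes. The enclosing setup method starts before the hunk.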
@ -172,6 +172,9 @@ public abstract class LdapTestCase extends ESTestCase {
|
||||||
if (serverSetType != null) {
|
if (serverSetType != null) {
|
||||||
builder.put(getFullSettingKey(realmId, LdapLoadBalancingSettings.LOAD_BALANCE_TYPE_SETTING), serverSetType.toString());
|
builder.put(getFullSettingKey(realmId, LdapLoadBalancingSettings.LOAD_BALANCE_TYPE_SETTING), serverSetType.toString());
|
||||||
}
|
}
|
||||||
|
if (inFipsJvm()) {
|
||||||
|
builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
|
||||||
|
}
|
||||||
return builder.build();
|
return builder.build();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
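Review bot: `buildLdapSettings` (whose start lies outside the hunk) builds realm-scoped keys via `getFullSettingKey(realmId, …)`, while `xpack.security.ssl.diagnose.trust` is a node-level key that, per the commit description, matters only when the returned settings are used to construct an SSLService. Whether any subclass feeds these realm settings to an SSLService is not visible here; if none does the put is inert, and if some do, the subclasses that add the same flag to their own globalSettings could rely on this base instead. Either way a comment would record the intent, e.g. `// node-level flag: an SSLService built from these settings must not wrap SunJSSE's TrustManager in FIPS mode`.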
@ -22,6 +22,7 @@ import org.elasticsearch.mocksocket.MockServerSocket;
|
||||||
import org.elasticsearch.mocksocket.MockSocket;
|
import org.elasticsearch.mocksocket.MockSocket;
|
||||||
import org.elasticsearch.threadpool.TestThreadPool;
|
import org.elasticsearch.threadpool.TestThreadPool;
|
||||||
import org.elasticsearch.threadpool.ThreadPool;
|
import org.elasticsearch.threadpool.ThreadPool;
|
||||||
|
import org.elasticsearch.xpack.core.XPackSettings;
|
||||||
import org.elasticsearch.xpack.core.common.socket.SocketAccess;
|
import org.elasticsearch.xpack.core.common.socket.SocketAccess;
|
||||||
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
|
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
|
||||||
import org.elasticsearch.xpack.core.security.authc.ldap.support.LdapSearchScope;
|
import org.elasticsearch.xpack.core.security.authc.ldap.support.LdapSearchScope;
|
||||||
|
@ -292,7 +293,11 @@ public class SessionFactoryLoadBalancingTests extends LdapTestCase {
|
||||||
Settings globalSettings = Settings.builder().put("path.home", createTempDir()).put(settings).build();
|
Settings globalSettings = Settings.builder().put("path.home", createTempDir()).put(settings).build();
|
||||||
RealmConfig config = new RealmConfig(REALM_IDENTIFIER, globalSettings,
|
RealmConfig config = new RealmConfig(REALM_IDENTIFIER, globalSettings,
|
||||||
TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY));
|
TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY));
|
||||||
return new TestSessionFactory(config, new SSLService(Settings.EMPTY, TestEnvironment.newEnvironment(config.settings())),
|
Settings.Builder builder = Settings.builder();
|
||||||
|
if (inFipsJvm()) {
|
||||||
|
builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
|
||||||
|
}
|
||||||
|
return new TestSessionFactory(config, new SSLService(builder.build(), TestEnvironment.newEnvironment(config.settings())),
|
||||||
threadPool);
|
threadPool);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
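Review bot: The SSLService inside the returned TestSessionFactory is now built from a settings object holding only the diagnose flag, while its Environment is derived from `config.settings()` and the `globalSettings` backing the RealmConfig do not carry the flag at all, so two settings objects now describe one realm. The previous code passed `Settings.EMPTY` to the SSLService, so it apparently needs nothing else from settings; adding the guard to `globalSettings` and passing that to both RealmConfig and SSLService gives a single source of truth (assuming SSLService tolerates the extra `path.home` and realm keys, which the other tests in this commit suggest it does). The enclosing method starts before the hunk.
```java
Settings.Builder builder = Settings.builder().put("path.home", createTempDir()).put(settings);
if (inFipsJvm()) {
    builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
}
Settings globalSettings = builder.build();
// … unchanged: RealmConfig construction …
return new TestSessionFactory(config, new SSLService(globalSettings, TestEnvironment.newEnvironment(config.settings())),
    threadPool);
```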
@ -18,6 +18,7 @@ import org.elasticsearch.env.TestEnvironment;
|
||||||
import org.elasticsearch.test.ESTestCase;
|
import org.elasticsearch.test.ESTestCase;
|
||||||
import org.elasticsearch.threadpool.TestThreadPool;
|
import org.elasticsearch.threadpool.TestThreadPool;
|
||||||
import org.elasticsearch.threadpool.ThreadPool;
|
import org.elasticsearch.threadpool.ThreadPool;
|
||||||
|
import org.elasticsearch.xpack.core.XPackSettings;
|
||||||
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
|
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
|
||||||
import org.elasticsearch.xpack.core.security.authc.ldap.support.SessionFactorySettings;
|
import org.elasticsearch.xpack.core.security.authc.ldap.support.SessionFactorySettings;
|
||||||
import org.elasticsearch.xpack.core.ssl.SSLConfigurationSettings;
|
import org.elasticsearch.xpack.core.ssl.SSLConfigurationSettings;
|
||||||
|
@ -49,7 +50,7 @@ public class SessionFactoryTests extends ESTestCase {
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testConnectionFactoryReturnsCorrectLDAPConnectionOptionsWithDefaultSettings() throws Exception {
|
public void testConnectionFactoryReturnsCorrectLDAPConnectionOptionsWithDefaultSettings() throws Exception {
|
||||||
final Environment environment = TestEnvironment.newEnvironment(Settings.builder().put("path.home", createTempDir()).build());
|
final Environment environment = TestEnvironment.newEnvironment(getSettingsBuilder().put("path.home", createTempDir()).build());
|
||||||
RealmConfig realmConfig = new RealmConfig(new RealmConfig.RealmIdentifier("ldap", "conn_settings"),
|
RealmConfig realmConfig = new RealmConfig(new RealmConfig.RealmIdentifier("ldap", "conn_settings"),
|
||||||
environment.settings(), environment, new ThreadContext(Settings.EMPTY));
|
environment.settings(), environment, new ThreadContext(Settings.EMPTY));
|
||||||
LDAPConnectionOptions options = SessionFactory.connectionOptions(realmConfig, new SSLService(environment.settings(), environment),
|
LDAPConnectionOptions options = SessionFactory.connectionOptions(realmConfig, new SSLService(environment.settings(), environment),
|
||||||
|
@ -64,7 +65,7 @@ public class SessionFactoryTests extends ESTestCase {
|
||||||
public void testConnectionFactoryReturnsCorrectLDAPConnectionOptions() throws Exception {
|
public void testConnectionFactoryReturnsCorrectLDAPConnectionOptions() throws Exception {
|
||||||
final RealmConfig.RealmIdentifier realmId = new RealmConfig.RealmIdentifier("ldap", "conn_settings");
|
final RealmConfig.RealmIdentifier realmId = new RealmConfig.RealmIdentifier("ldap", "conn_settings");
|
||||||
final Path pathHome = createTempDir();
|
final Path pathHome = createTempDir();
|
||||||
Settings settings = Settings.builder()
|
Settings settings = getSettingsBuilder()
|
||||||
.put(getFullSettingKey(realmId, SessionFactorySettings.TIMEOUT_TCP_CONNECTION_SETTING), "10ms")
|
.put(getFullSettingKey(realmId, SessionFactorySettings.TIMEOUT_TCP_CONNECTION_SETTING), "10ms")
|
||||||
.put(getFullSettingKey(realmId, SessionFactorySettings.HOSTNAME_VERIFICATION_SETTING), "false")
|
.put(getFullSettingKey(realmId, SessionFactorySettings.HOSTNAME_VERIFICATION_SETTING), "false")
|
||||||
.put(getFullSettingKey(realmId, SessionFactorySettings.TIMEOUT_TCP_READ_SETTING), "20ms")
|
.put(getFullSettingKey(realmId, SessionFactorySettings.TIMEOUT_TCP_READ_SETTING), "20ms")
|
||||||
|
@ -83,7 +84,7 @@ public class SessionFactoryTests extends ESTestCase {
|
||||||
assertWarnings("the setting [xpack.security.authc.realms.ldap.conn_settings.hostname_verification] has been deprecated and will be "
|
assertWarnings("the setting [xpack.security.authc.realms.ldap.conn_settings.hostname_verification] has been deprecated and will be "
|
||||||
+ "removed in a future version. use [xpack.security.authc.realms.ldap.conn_settings.ssl.verification_mode] instead");
|
+ "removed in a future version. use [xpack.security.authc.realms.ldap.conn_settings.ssl.verification_mode] instead");
|
||||||
|
|
||||||
settings = Settings.builder()
|
settings = getSettingsBuilder()
|
||||||
.put(getFullSettingKey(realmId, SSLConfigurationSettings.VERIFICATION_MODE_SETTING_REALM), VerificationMode.CERTIFICATE)
|
.put(getFullSettingKey(realmId, SSLConfigurationSettings.VERIFICATION_MODE_SETTING_REALM), VerificationMode.CERTIFICATE)
|
||||||
.put("path.home", pathHome)
|
.put("path.home", pathHome)
|
||||||
.build();
|
.build();
|
||||||
|
@ -102,7 +103,7 @@ public class SessionFactoryTests extends ESTestCase {
|
||||||
assertThat(options.getSSLSocketVerifier(), is(instanceOf(TrustAllSSLSocketVerifier.class)));
|
assertThat(options.getSSLSocketVerifier(), is(instanceOf(TrustAllSSLSocketVerifier.class)));
|
||||||
}
|
}
|
||||||
|
|
||||||
settings = Settings.builder()
|
settings = getSettingsBuilder()
|
||||||
.put(getFullSettingKey(realmId, SSLConfigurationSettings.VERIFICATION_MODE_SETTING_REALM), VerificationMode.FULL)
|
.put(getFullSettingKey(realmId, SSLConfigurationSettings.VERIFICATION_MODE_SETTING_REALM), VerificationMode.FULL)
|
||||||
.put("path.home", pathHome)
|
.put("path.home", pathHome)
|
||||||
.build();
|
.build();
|
||||||
|
@ -122,10 +123,10 @@ public class SessionFactoryTests extends ESTestCase {
|
||||||
}
|
}
|
||||||
|
|
||||||
private SessionFactory createSessionFactory() {
|
private SessionFactory createSessionFactory() {
|
||||||
Settings global = Settings.builder().put("path.home", createTempDir()).build();
|
Settings global = getSettingsBuilder().put("path.home", createTempDir()).build();
|
||||||
final RealmConfig.RealmIdentifier realmIdentifier = new RealmConfig.RealmIdentifier("ldap", "_name");
|
final RealmConfig.RealmIdentifier realmIdentifier = new RealmConfig.RealmIdentifier("ldap", "_name");
|
||||||
final RealmConfig realmConfig = new RealmConfig(realmIdentifier,
|
final RealmConfig realmConfig = new RealmConfig(realmIdentifier,
|
||||||
Settings.builder()
|
getSettingsBuilder()
|
||||||
.put(getFullSettingKey(realmIdentifier, SessionFactorySettings.URLS_SETTING), "ldap://localhost:389")
|
.put(getFullSettingKey(realmIdentifier, SessionFactorySettings.URLS_SETTING), "ldap://localhost:389")
|
||||||
.put(global)
|
.put(global)
|
||||||
.build(),
|
.build(),
|
||||||
|
@ -138,4 +139,12 @@ public class SessionFactoryTests extends ESTestCase {
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private Settings.Builder getSettingsBuilder() {
|
||||||
|
Settings.Builder builder = Settings.builder();
|
||||||
|
if (inFipsJvm()) {
|
||||||
|
builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
|
||||||
|
}
|
||||||
|
return builder;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
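Review bot: The new private `getSettingsBuilder()` at the bottom of the file duplicates, line for line, the helper this commit adds to ServerTransportFilterIntegrationTests, and the inline `if (inFipsJvm())` blocks in the other files are the same three lines again; one helper next to `inFipsJvm()` in ESTestCase (or in a security test base class) would remove every copy. In `createSessionFactory` the realm builder also calls `getSettingsBuilder()` and then `.put(global)`, where `global` was itself built from `getSettingsBuilder()`, so the second call is redundant (harmless, but it shows the helper's purpose is not obvious). The helper has no comment; a Javadoc such as `/** Base settings that let an SSLService be built in a FIPS JVM: SunJSSE forbids wrapping its TrustManager, so the diagnostic wrapper is disabled. */` would document it.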
@ -50,6 +50,7 @@ import org.elasticsearch.common.settings.Settings;
|
||||||
import org.elasticsearch.common.util.concurrent.ThreadContext;
|
import org.elasticsearch.common.util.concurrent.ThreadContext;
|
||||||
import org.elasticsearch.env.Environment;
|
import org.elasticsearch.env.Environment;
|
||||||
import org.elasticsearch.env.TestEnvironment;
|
import org.elasticsearch.env.TestEnvironment;
|
||||||
|
import org.elasticsearch.xpack.core.XPackSettings;
|
||||||
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
|
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
|
||||||
import org.elasticsearch.xpack.core.ssl.SSLService;
|
import org.elasticsearch.xpack.core.ssl.SSLService;
|
||||||
import org.junit.After;
|
import org.junit.After;
|
||||||
|
@ -93,7 +94,11 @@ public class OpenIdConnectAuthenticatorTests extends OpenIdConnectTestCase {
|
||||||
|
|
||||||
@Before
|
@Before
|
||||||
public void setup() {
|
public void setup() {
|
||||||
globalSettings = Settings.builder().put("path.home", createTempDir())
|
Settings.Builder builder = Settings.builder();
|
||||||
|
if (inFipsJvm()) {
|
||||||
|
builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
|
||||||
|
}
|
||||||
|
globalSettings = builder.put("path.home", createTempDir())
|
||||||
.put("xpack.security.authc.realms.oidc.oidc-realm.ssl.verification_mode", "certificate").build();
|
.put("xpack.security.authc.realms.oidc.oidc-realm.ssl.verification_mode", "certificate").build();
|
||||||
env = TestEnvironment.newEnvironment(globalSettings);
|
env = TestEnvironment.newEnvironment(globalSettings);
|
||||||
threadContext = new ThreadContext(globalSettings);
|
threadContext = new ThreadContext(globalSettings);
|
||||||
|
|
|
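Review bot: The guard in `setup()` is undocumented and sits directly above `.put("xpack.security.authc.realms.oidc.oidc-realm.ssl.verification_mode", "certificate")`, so a reader sees two SSL-related settings in a row and may assume both loosen certificate checking. Per the commit description the diagnose flag only keeps DiagnosticTrustManager from wrapping SunJSSE's TrustManager, which FIPS mode forbids; a comment such as `// FIPS: SunJSSE forbids wrapping its TrustManager; this disables only the diagnostic wrapper` would separate the two concerns.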
@ -129,7 +129,7 @@ public class SamlRealmTests extends SamlTestCase {
|
||||||
final String body = new String(Files.readAllBytes(path), StandardCharsets.UTF_8);
|
final String body = new String(Files.readAllBytes(path), StandardCharsets.UTF_8);
|
||||||
final MockSecureSettings mockSecureSettings = new MockSecureSettings();
|
final MockSecureSettings mockSecureSettings = new MockSecureSettings();
|
||||||
mockSecureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode");
|
mockSecureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode");
|
||||||
final Settings settings = Settings.builder()
|
final Settings.Builder builder = Settings.builder()
|
||||||
.put("xpack.security.http.ssl.enabled", true)
|
.put("xpack.security.http.ssl.enabled", true)
|
||||||
.put("xpack.security.http.ssl.key",
|
.put("xpack.security.http.ssl.key",
|
||||||
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem"))
|
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem"))
|
||||||
|
@ -139,8 +139,11 @@ public class SamlRealmTests extends SamlTestCase {
|
||||||
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"))
|
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"))
|
||||||
.putList("xpack.security.http.ssl.supported_protocols", getProtocols())
|
.putList("xpack.security.http.ssl.supported_protocols", getProtocols())
|
||||||
.put("path.home", createTempDir())
|
.put("path.home", createTempDir())
|
||||||
.setSecureSettings(mockSecureSettings)
|
.setSecureSettings(mockSecureSettings);
|
||||||
.build();
|
if (inFipsJvm()) {
|
||||||
|
builder.put("xpack.security.ssl.diagnose.trust", false);
|
||||||
|
}
|
||||||
|
final Settings settings = builder.build();
|
||||||
TestsSSLService sslService = new TestsSSLService(settings, TestEnvironment.newEnvironment(settings));
|
TestsSSLService sslService = new TestsSSLService(settings, TestEnvironment.newEnvironment(settings));
|
||||||
try (MockWebServer proxyServer =
|
try (MockWebServer proxyServer =
|
||||||
new MockWebServer(sslService.sslContext("xpack.security.http.ssl"), false)) {
|
new MockWebServer(sslService.sslContext("xpack.security.http.ssl"), false)) {
|
||||||
|
@ -699,7 +702,7 @@ public class SamlRealmTests extends SamlTestCase {
|
||||||
private Settings.Builder buildSettings(String idpMetaDataPath) {
|
private Settings.Builder buildSettings(String idpMetaDataPath) {
|
||||||
MockSecureSettings secureSettings = new MockSecureSettings();
|
MockSecureSettings secureSettings = new MockSecureSettings();
|
||||||
secureSettings.setString(REALM_SETTINGS_PREFIX + ".ssl.secure_key_passphrase", "testnode");
|
secureSettings.setString(REALM_SETTINGS_PREFIX + ".ssl.secure_key_passphrase", "testnode");
|
||||||
return Settings.builder()
|
Settings.Builder builder = Settings.builder()
|
||||||
.put(REALM_SETTINGS_PREFIX + ".ssl.verification_mode", "certificate")
|
.put(REALM_SETTINGS_PREFIX + ".ssl.verification_mode", "certificate")
|
||||||
.put(REALM_SETTINGS_PREFIX + ".ssl.key",
|
.put(REALM_SETTINGS_PREFIX + ".ssl.key",
|
||||||
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem"))
|
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem"))
|
||||||
|
@ -712,6 +715,10 @@ public class SamlRealmTests extends SamlTestCase {
|
||||||
.put(getFullSettingKey(REALM_NAME, SamlRealmSettings.IDP_METADATA_HTTP_REFRESH), METADATA_REFRESH + "ms")
|
.put(getFullSettingKey(REALM_NAME, SamlRealmSettings.IDP_METADATA_HTTP_REFRESH), METADATA_REFRESH + "ms")
|
||||||
.put("path.home", createTempDir())
|
.put("path.home", createTempDir())
|
||||||
.setSecureSettings(secureSettings);
|
.setSecureSettings(secureSettings);
|
||||||
|
if (inFipsJvm()) {
|
||||||
|
builder.put("xpack.security.ssl.diagnose.trust", false);
|
||||||
|
}
|
||||||
|
return builder;
|
||||||
}
|
}
|
||||||
|
|
||||||
private RealmConfig buildConfig(Settings realmSettings) {
|
private RealmConfig buildConfig(Settings realmSettings) {
|
||||||
|
|
|
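Review bot: Both FIPS guards in this file write the raw key `"xpack.security.ssl.diagnose.trust"`, whereas every other file in the commit uses `XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey()`; a typo or a rename of the key would silently leave the diagnostic trust manager enabled here, and the test would fail only on a FIPS JVM. Using the constant in both places, `builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);`, keeps the key checked by the compiler (this assumes XPackSettings is imported in this file, which the visible hunks do not show). The first hunk's enclosing test method starts before the hunk; `buildSettings` is fully visible.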
@ -81,7 +81,11 @@ public abstract class AbstractSimpleSecurityTransportTestCase extends AbstractSi
|
||||||
secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
|
secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
|
||||||
// Some tests use a client profile. Put the passphrase in the secure settings for the profile (secure settings cannot be set twice)
|
// Some tests use a client profile. Put the passphrase in the secure settings for the profile (secure settings cannot be set twice)
|
||||||
secureSettings.setString("transport.profiles.client.xpack.security.ssl.secure_key_passphrase", "testnode");
|
secureSettings.setString("transport.profiles.client.xpack.security.ssl.secure_key_passphrase", "testnode");
|
||||||
Settings settings1 = Settings.builder()
|
Settings.Builder builder = Settings.builder();
|
||||||
|
if (inFipsJvm()) {
|
||||||
|
builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
|
||||||
|
}
|
||||||
|
Settings settings1 = builder
|
||||||
.put("xpack.security.transport.ssl.enabled", true)
|
.put("xpack.security.transport.ssl.enabled", true)
|
||||||
.put("xpack.security.transport.ssl.key", testnodeKey)
|
.put("xpack.security.transport.ssl.key", testnodeKey)
|
||||||
.put("xpack.security.transport.ssl.certificate", testnodeCert)
|
.put("xpack.security.transport.ssl.certificate", testnodeCert)
|
||||||
|
|
|
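Review bot: The FIPS guard is the only unexplained step in a setup that otherwise explains itself (the secure-settings comment two lines above says why the passphrase is set twice); a matching one-liner, `// FIPS: SunJSSE forbids wrapping its TrustManager, so disable the diagnostic wrapper`, would keep the method readable. Since this is an abstract base case for the transport tests, a protected helper here instead of inline lines would also let subclasses reuse it. The enclosing method starts before the hunk and the file's import hunk is not shown, so I cannot confirm `XPackSettings` is imported here.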
@ -93,7 +93,7 @@ public class ServerTransportFilterIntegrationTests extends SecurityIntegTestCase
|
||||||
String unicastHost = NetworkAddress.format(transportAddress.address());
|
String unicastHost = NetworkAddress.format(transportAddress.address());
|
||||||
|
|
||||||
// test that starting up a node works
|
// test that starting up a node works
|
||||||
Settings.Builder nodeSettings = Settings.builder()
|
Settings.Builder nodeSettings = getSettingsBuilder()
|
||||||
.put("node.name", "my-test-node")
|
.put("node.name", "my-test-node")
|
||||||
.put("network.host", "localhost")
|
.put("network.host", "localhost")
|
||||||
.put("cluster.name", internalCluster().getClusterName())
|
.put("cluster.name", internalCluster().getClusterName())
|
||||||
|
@ -131,7 +131,7 @@ public class ServerTransportFilterIntegrationTests extends SecurityIntegTestCase
|
||||||
String unicastHost = NetworkAddress.format(transportAddress.address());
|
String unicastHost = NetworkAddress.format(transportAddress.address());
|
||||||
|
|
||||||
// test that starting up a node works
|
// test that starting up a node works
|
||||||
Settings.Builder nodeSettings = Settings.builder()
|
Settings.Builder nodeSettings = getSettingsBuilder()
|
||||||
.put("xpack.security.authc.realms.file.file.order", 0)
|
.put("xpack.security.authc.realms.file.file.order", 0)
|
||||||
.put("node.name", "my-test-node")
|
.put("node.name", "my-test-node")
|
||||||
.put(SecurityField.USER_SETTING.getKey(), "test_user:" + SecuritySettingsSourceField.TEST_PASSWORD)
|
.put(SecurityField.USER_SETTING.getKey(), "test_user:" + SecuritySettingsSourceField.TEST_PASSWORD)
|
||||||
|
@ -205,4 +205,12 @@ public class ServerTransportFilterIntegrationTests extends SecurityIntegTestCase
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private Settings.Builder getSettingsBuilder() {
|
||||||
|
Settings.Builder builder = Settings.builder();
|
||||||
|
if (inFipsJvm()) {
|
||||||
|
builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
|
||||||
|
}
|
||||||
|
return builder;
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
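Review bot: `getSettingsBuilder()` here is a verbatim copy of the one added to SessionFactoryTests and of the inline blocks in the other files of this commit; as this class extends SecurityIntegTestCase, that base (or ESTestCase next to `inFipsJvm()`) is where a single shared helper belongs. The helper is also undocumented, and the flag ends up in settings for a node the tests actually start ("test that starting up a node works"), so a short Javadoc, `/** Node settings safe for a FIPS JVM: SunJSSE forbids wrapping its TrustManager, so the diagnostic trust manager is disabled. */`, would explain it. The two test methods that use it start before their hunks.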
@ -20,6 +20,7 @@ import org.elasticsearch.node.Node;
|
||||||
import org.elasticsearch.test.ESTestCase;
|
import org.elasticsearch.test.ESTestCase;
|
||||||
import org.elasticsearch.test.junit.annotations.Network;
|
import org.elasticsearch.test.junit.annotations.Network;
|
||||||
import org.elasticsearch.transport.Transport;
|
import org.elasticsearch.transport.Transport;
|
||||||
|
import org.elasticsearch.xpack.core.XPackSettings;
|
||||||
import org.elasticsearch.xpack.security.LocalStateSecurity;
|
import org.elasticsearch.xpack.security.LocalStateSecurity;
|
||||||
import org.elasticsearch.xpack.security.audit.AuditTrailService;
|
import org.elasticsearch.xpack.security.audit.AuditTrailService;
|
||||||
import org.junit.Before;
|
import org.junit.Before;
|
||||||
|
@ -265,7 +266,11 @@ public class IPFilterTests extends ESTestCase {
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testThatNodeStartsWithIPFilterDisabled() throws Exception {
|
public void testThatNodeStartsWithIPFilterDisabled() throws Exception {
|
||||||
Settings settings = Settings.builder()
|
Settings.Builder builder = Settings.builder();
|
||||||
|
if (inFipsJvm()) {
|
||||||
|
builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
|
||||||
|
}
|
||||||
|
Settings settings = builder
|
||||||
.put("path.home", createTempDir())
|
.put("path.home", createTempDir())
|
||||||
.put("xpack.security.transport.filter.enabled", randomBoolean())
|
.put("xpack.security.transport.filter.enabled", randomBoolean())
|
||||||
.put("xpack.security.http.filter.enabled", randomBoolean())
|
.put("xpack.security.http.filter.enabled", randomBoolean())
|
||||||
|
|
|
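Review bot: In `testThatNodeStartsWithIPFilterDisabled` the FIPS guard has nothing to do with the IP-filter feature under test, and without a comment it looks like part of the scenario being exercised. A one-line comment, `// unrelated to IP filtering: SunJSSE in FIPS mode forbids the DiagnosticTrustManager wrapper`, would mark it as environment setup. The method body continues past the hunk.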
@ -47,7 +47,11 @@ public class SecurityNetty4HttpServerTransportTests extends ESTestCase {
|
||||||
|
|
||||||
MockSecureSettings secureSettings = new MockSecureSettings();
|
MockSecureSettings secureSettings = new MockSecureSettings();
|
||||||
secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode");
|
secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode");
|
||||||
Settings settings = Settings.builder()
|
Settings.Builder builder = Settings.builder();
|
||||||
|
if (inFipsJvm()) {
|
||||||
|
builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
|
||||||
|
}
|
||||||
|
Settings settings = builder
|
||||||
.put("xpack.security.http.ssl.enabled", true)
|
.put("xpack.security.http.ssl.enabled", true)
|
||||||
.put("xpack.security.http.ssl.key", testnodeKey)
|
.put("xpack.security.http.ssl.key", testnodeKey)
|
||||||
.put("xpack.security.http.ssl.certificate", testnodeCert)
|
.put("xpack.security.http.ssl.certificate", testnodeCert)
|
||||||
|
@ -150,7 +154,11 @@ public class SecurityNetty4HttpServerTransportTests extends ESTestCase {
|
||||||
public void testNoExceptionWhenConfiguredWithoutSslKeySSLDisabled() throws Exception {
|
public void testNoExceptionWhenConfiguredWithoutSslKeySSLDisabled() throws Exception {
|
||||||
MockSecureSettings secureSettings = new MockSecureSettings();
|
MockSecureSettings secureSettings = new MockSecureSettings();
|
||||||
secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode");
|
secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode");
|
||||||
Settings settings = Settings.builder()
|
Settings.Builder builder = Settings.builder();
|
||||||
|
if (inFipsJvm()) {
|
||||||
|
builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
|
||||||
|
}
|
||||||
|
Settings settings = builder
|
||||||
.put("xpack.security.http.ssl.enabled", false)
|
.put("xpack.security.http.ssl.enabled", false)
|
||||||
.put("xpack.security.http.ssl.key", testnodeKey)
|
.put("xpack.security.http.ssl.key", testnodeKey)
|
||||||
.put("xpack.security.http.ssl.certificate", testnodeCert)
|
.put("xpack.security.http.ssl.certificate", testnodeCert)
|
||||||
|
|
|
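Review bot: The same four-line FIPS guard is pasted into both the setup at the top of the file and `testNoExceptionWhenConfiguredWithoutSslKeySSLDisabled`; a private `getSettingsBuilder()` like the one this commit adds to SessionFactoryTests would remove the duplication within this file, and a shared helper in ESTestCase would remove it across the commit. Neither copy carries a comment; `// FIPS: SunJSSE forbids wrapping its TrustManager, so disable the diagnostic wrapper` would do. The first hunk's enclosing method starts before the hunk.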
@ -55,7 +55,11 @@ public class SecurityNioHttpServerTransportTests extends ESTestCase {
|
||||||
Path testNodeCert = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt");
|
Path testNodeCert = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt");
|
||||||
MockSecureSettings secureSettings = new MockSecureSettings();
|
MockSecureSettings secureSettings = new MockSecureSettings();
|
||||||
secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode");
|
secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode");
|
||||||
Settings settings = Settings.builder()
|
Settings.Builder builder = Settings.builder();
|
||||||
|
if (inFipsJvm()) {
|
||||||
|
builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
|
||||||
|
}
|
||||||
|
Settings settings = builder
|
||||||
.put("xpack.security.http.ssl.enabled", true)
|
.put("xpack.security.http.ssl.enabled", true)
|
||||||
.put("xpack.security.http.ssl.key", testNodeKey)
|
.put("xpack.security.http.ssl.key", testNodeKey)
|
||||||
.put("xpack.security.http.ssl.certificate", testNodeCert)
|
.put("xpack.security.http.ssl.certificate", testNodeCert)
|
||||||
|
@ -183,7 +187,11 @@ public class SecurityNioHttpServerTransportTests extends ESTestCase {
|
||||||
public void testNoExceptionWhenConfiguredWithoutSslKeySSLDisabled() {
|
public void testNoExceptionWhenConfiguredWithoutSslKeySSLDisabled() {
|
||||||
MockSecureSettings secureSettings = new MockSecureSettings();
|
MockSecureSettings secureSettings = new MockSecureSettings();
|
||||||
secureSettings.setString("xpack.security.http.ssl.truststore.secure_password", "testnode");
|
secureSettings.setString("xpack.security.http.ssl.truststore.secure_password", "testnode");
|
||||||
Settings settings = Settings.builder()
|
Settings.Builder builder = Settings.builder();
|
||||||
|
if (inFipsJvm()) {
|
||||||
|
builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
|
||||||
|
}
|
||||||
|
Settings settings = builder
|
||||||
.put("xpack.security.http.ssl.enabled", false)
|
.put("xpack.security.http.ssl.enabled", false)
|
||||||
.put("xpack.security.http.ssl.truststore.path",
|
.put("xpack.security.http.ssl.truststore.path",
|
||||||
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"))
|
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"))
|
||||||
|
|
|
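Review bot: As in the Netty4 counterpart, the FIPS guard is duplicated in both test methods of this file; a private builder helper would remove the repetition. The second method still points `xpack.security.http.ssl.truststore.path` at `testnode.jks`, which per the commit description is acceptable only because `diagnose.trust` is disabled rather than `xpack.security.fips.enabled` being set; a comment recording that trade-off, `// JKS is fine here: only diagnose.trust is disabled, fips.enabled is not set`, would stop someone from "completing" the FIPS setup and breaking the test. The first hunk's enclosing method starts before the hunk.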
@ -118,6 +118,9 @@ public class SslIntegrationTests extends SecurityIntegTestCase {
|
||||||
|
|
||||||
public void testThatConnectionToHTTPWorks() throws Exception {
|
public void testThatConnectionToHTTPWorks() throws Exception {
|
||||||
Settings.Builder builder = Settings.builder().put("xpack.security.http.ssl.enabled", true);
|
Settings.Builder builder = Settings.builder().put("xpack.security.http.ssl.enabled", true);
|
||||||
|
if (inFipsJvm()) {
|
||||||
|
builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
|
||||||
|
}
|
||||||
addSSLSettingsForPEMFiles(
|
addSSLSettingsForPEMFiles(
|
||||||
builder, "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.pem",
|
builder, "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.pem",
|
||||||
"testclient",
|
"testclient",
|
||||||
|
|
|
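Review bot: The guard is attached to the client-side builder that `addSSLSettingsForPEMFiles` fills with the testclient key, so it governs only the SSLService this test builds itself; whether the test cluster's nodes receive the same flag is not visible in this hunk (the commit's InternalTestCluster change presumably covers it). A comment making that scope explicit, `// client-side SSLService: SunJSSE in FIPS mode forbids the DiagnosticTrustManager wrapper`, would help. The rest of the method continues past the hunk.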
@ -27,6 +27,7 @@ import org.elasticsearch.test.ESTestCase;
|
||||||
import org.elasticsearch.test.MockLogAppender;
|
import org.elasticsearch.test.MockLogAppender;
|
||||||
import org.elasticsearch.test.http.MockResponse;
|
import org.elasticsearch.test.http.MockResponse;
|
||||||
import org.elasticsearch.test.http.MockWebServer;
|
import org.elasticsearch.test.http.MockWebServer;
|
||||||
|
import org.elasticsearch.xpack.core.XPackSettings;
|
||||||
import org.elasticsearch.xpack.core.common.socket.SocketAccess;
|
import org.elasticsearch.xpack.core.common.socket.SocketAccess;
|
||||||
import org.elasticsearch.xpack.core.ssl.SSLClientAuth;
|
import org.elasticsearch.xpack.core.ssl.SSLClientAuth;
|
||||||
import org.elasticsearch.xpack.core.ssl.SSLConfiguration;
|
import org.elasticsearch.xpack.core.ssl.SSLConfiguration;
|
||||||
|
@ -96,6 +97,7 @@ public class SSLErrorMessageCertificateVerificationTests extends ESTestCase {
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testDiagnosticTrustManagerForHostnameVerificationFailure() throws Exception {
|
public void testDiagnosticTrustManagerForHostnameVerificationFailure() throws Exception {
|
||||||
|
assumeFalse("We disable Diagnostic trust manager in FIPS 140 mode", inFipsJvm());
|
||||||
final Settings settings = getPemSSLSettings(HTTP_SERVER_SSL, "not-this-host.crt", "not-this-host.key",
|
final Settings settings = getPemSSLSettings(HTTP_SERVER_SSL, "not-this-host.crt", "not-this-host.key",
|
||||||
SSLClientAuth.NONE, VerificationMode.FULL, null)
|
SSLClientAuth.NONE, VerificationMode.FULL, null)
|
||||||
.putList("xpack.http.ssl.certificate_authorities", getPath("ca1.crt"))
|
.putList("xpack.http.ssl.certificate_authorities", getPath("ca1.crt"))
|
||||||
|
@ -184,6 +186,9 @@ public class SSLErrorMessageCertificateVerificationTests extends ESTestCase {
|
||||||
.put(prefix + ".key", getPath(keyPath))
|
.put(prefix + ".key", getPath(keyPath))
|
||||||
.put(prefix + ".client_authentication", clientAuth.name())
|
.put(prefix + ".client_authentication", clientAuth.name())
|
||||||
.put(prefix + ".verification_mode", verificationMode.name());
|
.put(prefix + ".verification_mode", verificationMode.name());
|
||||||
|
if (inFipsJvm()) {
|
||||||
|
builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
|
||||||
|
}
|
||||||
if (caPath != null) {
|
if (caPath != null) {
|
||||||
builder.putList(prefix + ".certificate_authorities", getPath(caPath));
|
builder.putList(prefix + ".certificate_authorities", getPath(caPath));
|
||||||
}
|
}
|
||||||
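Review bot: The `if (inFipsJvm())` guard added before the `caPath` check carries no explanation of why `DIAGNOSE_TRUST_EXCEPTIONS_SETTING` has to be forced off, so a later reader may well drop it as noise; a one-line comment above it such as `// SunJSSE in FIPS mode will not let its TrustManager be wrapped by DiagnosticTrustManager, so keep diagnostic trust off here` would tie it to the reason the commit message gives. The same guard is open-coded a second time as `getSettingsBuilder()` in SSLErrorMessageFileTests; if both test classes are to keep it, a single helper next to `inFipsJvm()` would stop the two copies from drifting. Note also that the guard only covers settings built through this helper (presumably getPemSSLSettings, going by the call in the earlier hunk), so any test in this class that starts from a bare `Settings.builder()` would still enable the diagnostic trust manager under FIPS, which is worth checking since only one caller is visible here. The enclosing helper begins and ends outside the hunk.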
|
|
|
@ -14,6 +14,7 @@ import org.elasticsearch.common.settings.Settings;
|
||||||
import org.elasticsearch.env.Environment;
|
import org.elasticsearch.env.Environment;
|
||||||
import org.elasticsearch.env.TestEnvironment;
|
import org.elasticsearch.env.TestEnvironment;
|
||||||
import org.elasticsearch.test.ESTestCase;
|
import org.elasticsearch.test.ESTestCase;
|
||||||
|
import org.elasticsearch.xpack.core.XPackSettings;
|
||||||
import org.elasticsearch.xpack.core.ssl.SSLService;
|
import org.elasticsearch.xpack.core.ssl.SSLService;
|
||||||
import org.junit.Before;
|
import org.junit.Before;
|
||||||
|
|
||||||
|
@ -55,7 +56,7 @@ public class SSLErrorMessageFileTests extends ESTestCase {
|
||||||
|
|
||||||
@Before
|
@Before
|
||||||
public void setup() throws Exception {
|
public void setup() throws Exception {
|
||||||
env = TestEnvironment.newEnvironment(Settings.builder().put("path.home", createTempDir()).build());
|
env = TestEnvironment.newEnvironment(getSettingsBuilder().put("path.home", createTempDir()).build());
|
||||||
paths = new HashMap<>();
|
paths = new HashMap<>();
|
||||||
|
|
||||||
requirePath("ca1.p12");
|
requirePath("ca1.p12");
|
||||||
|
@ -130,7 +131,7 @@ public class SSLErrorMessageFileTests extends ESTestCase {
|
||||||
|
|
||||||
public void testMessageForTransportSslEnabledWithoutKeys() throws Exception {
|
public void testMessageForTransportSslEnabledWithoutKeys() throws Exception {
|
||||||
final String prefix = "xpack.security.transport.ssl";
|
final String prefix = "xpack.security.transport.ssl";
|
||||||
final Settings.Builder settings = Settings.builder();
|
final Settings.Builder settings = getSettingsBuilder();
|
||||||
settings.put(prefix + ".enabled", true);
|
settings.put(prefix + ".enabled", true);
|
||||||
configureWorkingTruststore(prefix, settings);
|
configureWorkingTruststore(prefix, settings);
|
||||||
|
|
||||||
|
@ -142,7 +143,7 @@ public class SSLErrorMessageFileTests extends ESTestCase {
|
||||||
|
|
||||||
public void testNoErrorIfTransportSslDisabledWithoutKeys() throws Exception {
|
public void testNoErrorIfTransportSslDisabledWithoutKeys() throws Exception {
|
||||||
final String prefix = "xpack.security.transport.ssl";
|
final String prefix = "xpack.security.transport.ssl";
|
||||||
final Settings.Builder settings = Settings.builder();
|
final Settings.Builder settings = getSettingsBuilder();
|
||||||
settings.put(prefix + ".enabled", false);
|
settings.put(prefix + ".enabled", false);
|
||||||
configureWorkingTruststore(prefix, settings);
|
configureWorkingTruststore(prefix, settings);
|
||||||
expectSuccess(settings);
|
expectSuccess(settings);
|
||||||
|
@ -210,7 +211,7 @@ public class SSLErrorMessageFileTests extends ESTestCase {
|
||||||
private void checkMissingResource(String sslManagerType, String fileType, String configKey,
|
private void checkMissingResource(String sslManagerType, String fileType, String configKey,
|
||||||
BiConsumer<String, Settings.Builder> configure) {
|
BiConsumer<String, Settings.Builder> configure) {
|
||||||
final String prefix = randomSslPrefix();
|
final String prefix = randomSslPrefix();
|
||||||
final Settings.Builder settings = Settings.builder();
|
final Settings.Builder settings = getSettingsBuilder();
|
||||||
configure.accept(prefix, settings);
|
configure.accept(prefix, settings);
|
||||||
|
|
||||||
final String fileName = missingFile();
|
final String fileName = missingFile();
|
||||||
|
@ -234,7 +235,7 @@ public class SSLErrorMessageFileTests extends ESTestCase {
|
||||||
private void checkUnreadableResource(String sslManagerType, String fromResource, String fileType, String configKey,
|
private void checkUnreadableResource(String sslManagerType, String fromResource, String fileType, String configKey,
|
||||||
BiConsumer<String, Settings.Builder> configure) throws Exception {
|
BiConsumer<String, Settings.Builder> configure) throws Exception {
|
||||||
final String prefix = randomSslPrefix();
|
final String prefix = randomSslPrefix();
|
||||||
final Settings.Builder settings = Settings.builder();
|
final Settings.Builder settings =getSettingsBuilder();
|
||||||
configure.accept(prefix, settings);
|
configure.accept(prefix, settings);
|
||||||
|
|
||||||
final String fileName = unreadableFile(fromResource);
|
final String fileName = unreadableFile(fromResource);
|
||||||
|
@ -258,7 +259,7 @@ public class SSLErrorMessageFileTests extends ESTestCase {
|
||||||
private void checkBlockedResource(String sslManagerType, String fileType, String configKey,
|
private void checkBlockedResource(String sslManagerType, String fileType, String configKey,
|
||||||
BiConsumer<String, Settings.Builder> configure) throws Exception {
|
BiConsumer<String, Settings.Builder> configure) throws Exception {
|
||||||
final String prefix = randomSslPrefix();
|
final String prefix = randomSslPrefix();
|
||||||
final Settings.Builder settings = Settings.builder();
|
final Settings.Builder settings = getSettingsBuilder();
|
||||||
configure.accept(prefix, settings);
|
configure.accept(prefix, settings);
|
||||||
|
|
||||||
final String fileName = blockedFile();
|
final String fileName = blockedFile();
|
||||||
|
@ -281,7 +282,7 @@ public class SSLErrorMessageFileTests extends ESTestCase {
|
||||||
}
|
}
|
||||||
|
|
||||||
private void checkUnusedConfiguration(String prefix, String settingsConfigured, BiConsumer<String, Settings.Builder> configure) {
|
private void checkUnusedConfiguration(String prefix, String settingsConfigured, BiConsumer<String, Settings.Builder> configure) {
|
||||||
final Settings.Builder settings = Settings.builder();
|
final Settings.Builder settings = getSettingsBuilder();
|
||||||
configure.accept(prefix, settings);
|
configure.accept(prefix, settings);
|
||||||
|
|
||||||
expectSuccess(settings);
|
expectSuccess(settings);
|
||||||
|
@ -323,12 +324,12 @@ public class SSLErrorMessageFileTests extends ESTestCase {
|
||||||
|
|
||||||
private Settings.Builder withKey(String fileName) {
|
private Settings.Builder withKey(String fileName) {
|
||||||
assertThat(fileName, endsWith(".key"));
|
assertThat(fileName, endsWith(".key"));
|
||||||
return Settings.builder().put("key", resource(fileName));
|
return getSettingsBuilder().put("key", resource(fileName));
|
||||||
}
|
}
|
||||||
|
|
||||||
private Settings.Builder withCertificate(String fileName) {
|
private Settings.Builder withCertificate(String fileName) {
|
||||||
assertThat(fileName, endsWith(".crt"));
|
assertThat(fileName, endsWith(".crt"));
|
||||||
return Settings.builder().put("certificate", resource(fileName));
|
return getSettingsBuilder().put("certificate", resource(fileName));
|
||||||
}
|
}
|
||||||
|
|
||||||
private Settings.Builder configureWorkingTruststore(String prefix, Settings.Builder settings) {
|
private Settings.Builder configureWorkingTruststore(String prefix, Settings.Builder settings) {
|
||||||
|
@ -378,4 +379,12 @@ public class SSLErrorMessageFileTests extends ESTestCase {
|
||||||
"xpack.monitoring.exporters.http.ssl"
|
"xpack.monitoring.exporters.http.ssl"
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private Settings.Builder getSettingsBuilder() {
|
||||||
|
final Settings.Builder settings = Settings.builder();
|
||||||
|
if (inFipsJvm()) {
|
||||||
|
settings.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
|
||||||
|
}
|
||||||
|
return settings;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
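Review bot: `final Settings.Builder settings =getSettingsBuilder();` in checkUnreadableResource is missing the space after `=`, the only one of the replaced call sites formatted that way; it should read `final Settings.Builder settings = getSettingsBuilder();`. The new `getSettingsBuilder()` at the end of the class also says nothing about why it exists, yet every future test in this class must remember to call it instead of `Settings.builder()`; a short Javadoc such as `/** Settings.builder() with diagnostic trust disabled in FIPS mode, where SunJSSE will not let its TrustManager be wrapped; use instead of Settings.builder() in this class. */` would make that contract explicit. If the FIPS-only opt-out is meant to apply to every SSLService created in this class, the helper might be better kept `private static`, since it reads no instance state.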
|
|