Disable diagnostic trust manager in tests (#51501)
This commit sets `xpack.security.ssl.diagnose.trust` to false in all of our tests when running in FIPS 140 mode and when settings objects are used to create an instance of the SSLService. This is needed in 7.x because setting xpack.security.ssl.diagnose.trust to true wraps SunJSSE TrustManager with our own DiagnosticTrustManager and this is not allowed when SunJSSE is in FIPS mode. An alternative would be to set xpack.security.fips.enabled to true which would also implicitly disable xpack.security.ssl.diagnose.trust but would have additional effects (would require that we set PBKDF2 for password hashing algorithm in all test clusters, would prohibit using JKS keystores in nodes even if relevant tests have been muted in FIPS mode etc.) Relates: #49900 Resolves: #51268
This commit is contained in:
parent
919083decd
commit
4f3548fbd7
|
@ -158,6 +158,7 @@ import static org.elasticsearch.discovery.FileBasedSeedHostsProvider.UNICAST_HOS
|
|||
import static org.elasticsearch.discovery.zen.ElectMasterService.DISCOVERY_ZEN_MINIMUM_MASTER_NODES_SETTING;
|
||||
import static org.elasticsearch.test.ESTestCase.assertBusy;
|
||||
import static org.elasticsearch.test.ESTestCase.getTestTransportType;
|
||||
import static org.elasticsearch.test.ESTestCase.inFipsJvm;
|
||||
import static org.elasticsearch.test.ESTestCase.randomFrom;
|
||||
import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertAcked;
|
||||
import static org.hamcrest.Matchers.equalTo;
|
||||
|
@ -1112,6 +1113,9 @@ public final class InternalTestCluster extends TestCluster {
|
|||
.put("logger.prefix", nodeSettings.get("logger.prefix", ""))
|
||||
.put("logger.level", nodeSettings.get("logger.level", "INFO"))
|
||||
.put(settings);
|
||||
if (inFipsJvm()) {
|
||||
builder.put("xpack.security.ssl.diagnose.trust", false);
|
||||
}
|
||||
if (NetworkModule.TRANSPORT_TYPE_SETTING.exists(settings)) {
|
||||
builder.put(NetworkModule.TRANSPORT_TYPE_SETTING.getKey(), NetworkModule.TRANSPORT_TYPE_SETTING.get(settings));
|
||||
} else {
|
||||
|
|
|
@ -277,6 +277,8 @@ public class XPackSettings {
|
|||
settings.add(TRANSFORM_ENABLED);
|
||||
settings.add(FLATTENED_ENABLED);
|
||||
settings.add(VECTORS_ENABLED);
|
||||
settings.add(DIAGNOSE_TRUST_EXCEPTIONS_SETTING);
|
||||
settings.add(FIPS_MODE_ENABLED);
|
||||
return Collections.unmodifiableList(settings);
|
||||
}
|
||||
|
||||
|
|
|
@ -18,6 +18,7 @@ import java.util.Collection;
|
|||
import java.util.concurrent.TimeUnit;
|
||||
|
||||
import static org.elasticsearch.test.ESTestCase.getTestTransportPlugin;
|
||||
import static org.elasticsearch.test.ESTestCase.inFipsJvm;
|
||||
|
||||
/**
|
||||
* TransportClient.Builder that installs the XPackPlugin by default.
|
||||
|
@ -31,7 +32,7 @@ public class TestXPackTransportClient extends TransportClient {
|
|||
}
|
||||
|
||||
public TestXPackTransportClient(Settings settings, Collection<Class<? extends Plugin>> plugins) {
|
||||
super(settings, Settings.EMPTY, addPlugins(plugins, getTestTransportPlugin()), null);
|
||||
super(possiblyDisableTlsDiagnostic(settings), Settings.EMPTY, addPlugins(plugins, getTestTransportPlugin()), null);
|
||||
}
|
||||
|
||||
@Override
|
||||
|
@ -51,4 +52,12 @@ public class TestXPackTransportClient extends TransportClient {
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
private static Settings possiblyDisableTlsDiagnostic(Settings settings) {
|
||||
Settings.Builder builder = Settings.builder().put(settings);
|
||||
if (inFipsJvm()) {
|
||||
builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
|
||||
}
|
||||
return builder.build();
|
||||
}
|
||||
}
|
||||
|
|
|
@ -642,10 +642,6 @@ public class Security extends Plugin implements ActionPlugin, IngestPlugin, Netw
|
|||
return settingsList;
|
||||
}
|
||||
|
||||
// The following just apply in node mode
|
||||
settingsList.add(XPackSettings.FIPS_MODE_ENABLED);
|
||||
|
||||
settingsList.add(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING);
|
||||
// IP Filter settings
|
||||
IPFilter.addSettings(settingsList);
|
||||
|
||||
|
|
|
@ -246,6 +246,9 @@ public abstract class SecurityIntegTestCase extends ESIntegTestCase {
|
|||
builder.put(LicenseService.SELF_GENERATED_LICENSE_TYPE.getKey(), "trial");
|
||||
builder.put(NetworkModule.TRANSPORT_TYPE_KEY, randomBoolean() ? SecurityField.NAME4 : SecurityField.NIO);
|
||||
builder.put(NetworkModule.HTTP_TYPE_KEY, randomBoolean() ? SecurityField.NAME4 : SecurityField.NIO);
|
||||
if (inFipsJvm()) {
|
||||
builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
|
||||
}
|
||||
Settings.Builder customBuilder = Settings.builder().put(customSettings);
|
||||
if (customBuilder.getSecureSettings() != null) {
|
||||
SecuritySettingsSource.addSecureSettings(builder, secureSettings ->
|
||||
|
|
|
@ -147,6 +147,9 @@ public class SecuritySettingsSource extends NodeConfigurationSource {
|
|||
.put("xpack.security.authc.realms." + FileRealmSettings.TYPE + ".file.order", 0)
|
||||
.put("xpack.security.authc.realms." + NativeRealmSettings.TYPE + ".index.order", "1")
|
||||
.put("xpack.license.self_generated.type", "trial");
|
||||
if (inFipsJvm()) {
|
||||
builder.put("xpack.security.ssl.diagnose.trust", false);
|
||||
}
|
||||
addNodeSSLSettings(builder);
|
||||
return builder.build();
|
||||
}
|
||||
|
|
|
@ -22,6 +22,7 @@ import org.elasticsearch.core.internal.io.IOUtils;
|
|||
import org.elasticsearch.license.LicenseService;
|
||||
import org.elasticsearch.plugins.Plugin;
|
||||
import org.elasticsearch.plugins.PluginInfo;
|
||||
import org.elasticsearch.xpack.core.XPackSettings;
|
||||
import org.elasticsearch.xpack.security.LocalStateSecurity;
|
||||
import org.junit.AfterClass;
|
||||
import org.junit.Before;
|
||||
|
@ -167,6 +168,9 @@ public abstract class SecuritySingleNodeTestCase extends ESSingleNodeTestCase {
|
|||
builder.put(LicenseService.SELF_GENERATED_LICENSE_TYPE.getKey(), "trial");
|
||||
builder.put("transport.type", "security4");
|
||||
builder.put("path.home", customSecuritySettingsSource.nodePath(0));
|
||||
if (inFipsJvm()) {
|
||||
builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
|
||||
}
|
||||
Settings.Builder customBuilder = Settings.builder().put(customSettings);
|
||||
if (customBuilder.getSecureSettings() != null) {
|
||||
SecuritySettingsSource.addSecureSettings(builder, secureSettings ->
|
||||
|
|
|
@ -11,6 +11,7 @@ import org.elasticsearch.common.settings.Settings;
|
|||
import org.elasticsearch.env.Environment;
|
||||
import org.elasticsearch.env.TestEnvironment;
|
||||
import org.elasticsearch.test.AbstractBootstrapCheckTestCase;
|
||||
import org.elasticsearch.xpack.core.XPackSettings;
|
||||
import org.elasticsearch.xpack.core.ssl.SSLService;
|
||||
import org.hamcrest.Matchers;
|
||||
|
||||
|
@ -19,7 +20,7 @@ import java.nio.file.Path;
|
|||
public class PkiRealmBootstrapCheckTests extends AbstractBootstrapCheckTestCase {
|
||||
|
||||
public void testPkiRealmBootstrapDefault() throws Exception {
|
||||
final Settings settings = Settings.EMPTY;
|
||||
final Settings settings = getSettingsBuilder().build();
|
||||
final Environment env = TestEnvironment.newEnvironment(Settings.builder().put("path.home", createTempDir()).build());
|
||||
assertFalse(runCheck(settings, env).isFailure());
|
||||
}
|
||||
|
@ -29,7 +30,7 @@ public class PkiRealmBootstrapCheckTests extends AbstractBootstrapCheckTestCase
|
|||
final Path keyPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem");
|
||||
|
||||
MockSecureSettings secureSettings = new MockSecureSettings();
|
||||
Settings settings = Settings.builder()
|
||||
Settings settings = getSettingsBuilder()
|
||||
.put("xpack.security.authc.realms.pki.test_pki.order", 0)
|
||||
.put("path.home", createTempDir())
|
||||
.setSecureSettings(secureSettings)
|
||||
|
@ -39,7 +40,7 @@ public class PkiRealmBootstrapCheckTests extends AbstractBootstrapCheckTestCase
|
|||
|
||||
// enable transport tls
|
||||
secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
|
||||
settings = Settings.builder().put(settings)
|
||||
settings = getSettingsBuilder().put(settings)
|
||||
.put("xpack.security.transport.ssl.enabled", true)
|
||||
.put("xpack.security.transport.ssl.certificate", certPath)
|
||||
.put("xpack.security.transport.ssl.key", keyPath)
|
||||
|
@ -48,7 +49,7 @@ public class PkiRealmBootstrapCheckTests extends AbstractBootstrapCheckTestCase
|
|||
|
||||
// enable ssl for http
|
||||
secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode");
|
||||
settings = Settings.builder().put(settings)
|
||||
settings = getSettingsBuilder().put(settings)
|
||||
.put("xpack.security.transport.ssl.enabled", false)
|
||||
.put("xpack.security.http.ssl.enabled", true)
|
||||
.put("xpack.security.http.ssl.certificate", certPath)
|
||||
|
@ -58,28 +59,28 @@ public class PkiRealmBootstrapCheckTests extends AbstractBootstrapCheckTestCase
|
|||
assertTrue(runCheck(settings, env).isFailure());
|
||||
|
||||
// enable client auth for http
|
||||
settings = Settings.builder().put(settings)
|
||||
settings = getSettingsBuilder().put(settings)
|
||||
.put("xpack.security.http.ssl.client_authentication", randomFrom("required", "optional"))
|
||||
.build();
|
||||
env = TestEnvironment.newEnvironment(settings);
|
||||
assertFalse(runCheck(settings, env).isFailure());
|
||||
|
||||
// disable http ssl
|
||||
settings = Settings.builder().put(settings)
|
||||
settings = getSettingsBuilder().put(settings)
|
||||
.put("xpack.security.http.ssl.enabled", false)
|
||||
.build();
|
||||
env = TestEnvironment.newEnvironment(settings);
|
||||
assertTrue(runCheck(settings, env).isFailure());
|
||||
|
||||
// set transport client auth
|
||||
settings = Settings.builder().put(settings)
|
||||
settings = getSettingsBuilder().put(settings)
|
||||
.put("xpack.security.transport.client_authentication", randomFrom("required", "optional"))
|
||||
.build();
|
||||
env = TestEnvironment.newEnvironment(settings);
|
||||
assertTrue(runCheck(settings, env).isFailure());
|
||||
|
||||
// test with transport profile
|
||||
settings = Settings.builder().put(settings)
|
||||
settings = getSettingsBuilder().put(settings)
|
||||
.put("xpack.security.transport.ssl.enabled", true)
|
||||
.put("xpack.security.transport.client_authentication", "none")
|
||||
.put("transport.profiles.foo.xpack.security.ssl.client_authentication", randomFrom("required", "optional"))
|
||||
|
@ -93,7 +94,7 @@ public class PkiRealmBootstrapCheckTests extends AbstractBootstrapCheckTestCase
|
|||
}
|
||||
|
||||
public void testBootstrapCheckWithDisabledRealm() throws Exception {
|
||||
Settings settings = Settings.builder()
|
||||
Settings settings = getSettingsBuilder()
|
||||
.put("xpack.security.authc.realms.pki.test_pki.enabled", false)
|
||||
.put("xpack.security.transport.ssl.enabled", false)
|
||||
.put("xpack.security.transport.ssl.client_authentication", "none")
|
||||
|
@ -109,7 +110,7 @@ public class PkiRealmBootstrapCheckTests extends AbstractBootstrapCheckTestCase
|
|||
MockSecureSettings secureSettings = new MockSecureSettings();
|
||||
// enable transport tls
|
||||
secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
|
||||
Settings settings = Settings.builder()
|
||||
Settings settings = getSettingsBuilder()
|
||||
.put("xpack.security.authc.realms.pki.test_pki.enabled", true)
|
||||
.put("xpack.security.authc.realms.pki.test_pki.delegation.enabled", true)
|
||||
.put("xpack.security.transport.ssl.enabled", randomBoolean())
|
||||
|
@ -127,7 +128,7 @@ public class PkiRealmBootstrapCheckTests extends AbstractBootstrapCheckTestCase
|
|||
final boolean expectFail = randomBoolean();
|
||||
final MockSecureSettings secureSettings = new MockSecureSettings();
|
||||
secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode");
|
||||
Settings settings = Settings.builder()
|
||||
Settings settings = getSettingsBuilder()
|
||||
.put("xpack.security.authc.realms.pki.test_pki.order", 0)
|
||||
.put("xpack.security.http.ssl.enabled", true)
|
||||
.put("xpack.security.http.ssl.client_authentication", expectFail ? "none" : "optional")
|
||||
|
@ -144,4 +145,12 @@ public class PkiRealmBootstrapCheckTests extends AbstractBootstrapCheckTestCase
|
|||
secureSettings.close();
|
||||
assertThat(check.check(createTestContext(settings, null)).isFailure(), Matchers.equalTo(expectFail));
|
||||
}
|
||||
|
||||
private Settings.Builder getSettingsBuilder() {
|
||||
Settings.Builder builder = Settings.builder();
|
||||
if (inFipsJvm()) {
|
||||
builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
|
||||
}
|
||||
return builder;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -98,10 +98,14 @@ public class SecurityTests extends ESTestCase {
|
|||
if (security != null) {
|
||||
throw new IllegalStateException("Security object already exists (" + security + ")");
|
||||
}
|
||||
Settings settings = Settings.builder()
|
||||
Settings.Builder builder = Settings.builder()
|
||||
.put("xpack.security.enabled", true)
|
||||
.put(testSettings)
|
||||
.put("path.home", createTempDir()).build();
|
||||
.put("path.home", createTempDir());
|
||||
if (inFipsJvm()) {
|
||||
builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
|
||||
}
|
||||
Settings settings = builder.build();
|
||||
Environment env = TestEnvironment.newEnvironment(settings);
|
||||
licenseState = new TestUtils.UpdatableLicenseState(settings);
|
||||
SSLService sslService = new SSLService(settings, env);
|
||||
|
|
|
@ -92,7 +92,11 @@ public class TransportOpenIdConnectLogoutActionTests extends OpenIdConnectTestCa
|
|||
.put(XPackSettings.TOKEN_SERVICE_ENABLED_SETTING.getKey(), true)
|
||||
.put("path.home", createTempDir())
|
||||
.build();
|
||||
final Settings sslSettings = Settings.builder()
|
||||
Settings.Builder sslSettingsBuilder = Settings.builder();
|
||||
if (inFipsJvm()) {
|
||||
sslSettingsBuilder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
|
||||
}
|
||||
final Settings sslSettings = sslSettingsBuilder
|
||||
.put("xpack.security.authc.realms.oidc.oidc-realm.ssl.verification_mode", "certificate")
|
||||
.put("path.home", createTempDir())
|
||||
.build();
|
||||
|
|
|
@ -14,6 +14,7 @@ import org.elasticsearch.common.settings.Settings;
|
|||
import org.elasticsearch.env.Environment;
|
||||
import org.elasticsearch.test.NativeRealmIntegTestCase;
|
||||
import org.elasticsearch.common.CharArrays;
|
||||
import org.elasticsearch.xpack.core.XPackSettings;
|
||||
import org.elasticsearch.xpack.core.security.client.SecurityClient;
|
||||
import org.elasticsearch.xpack.core.security.index.RestrictedIndicesNames;
|
||||
import org.junit.BeforeClass;
|
||||
|
@ -93,7 +94,7 @@ public class ESNativeMigrateToolTests extends NativeRealmIntegTestCase {
|
|||
String url = getHttpURL();
|
||||
ESNativeRealmMigrateTool.MigrateUserOrRoles muor = new ESNativeRealmMigrateTool.MigrateUserOrRoles();
|
||||
|
||||
Settings.Builder builder = Settings.builder()
|
||||
Settings.Builder builder = getSettingsBuilder()
|
||||
.put("path.home", home)
|
||||
.put("path.conf", conf.toString())
|
||||
.put("xpack.security.http.ssl.client_authentication", "none");
|
||||
|
@ -143,7 +144,7 @@ public class ESNativeMigrateToolTests extends NativeRealmIntegTestCase {
|
|||
String password = new String(CharArrays.toUtf8Bytes(nodeClientPassword().getChars()), StandardCharsets.UTF_8);
|
||||
String url = getHttpURL();
|
||||
ESNativeRealmMigrateTool.MigrateUserOrRoles muor = new ESNativeRealmMigrateTool.MigrateUserOrRoles();
|
||||
Settings.Builder builder = Settings.builder()
|
||||
Settings.Builder builder = getSettingsBuilder()
|
||||
.put("path.home", home)
|
||||
.put("xpack.security.http.ssl.client_authentication", "none");
|
||||
addSSLSettingsForPEMFiles(builder,
|
||||
|
@ -172,4 +173,12 @@ public class ESNativeMigrateToolTests extends NativeRealmIntegTestCase {
|
|||
|
||||
assertThat(ex.getMessage(), containsString("password"));
|
||||
}
|
||||
|
||||
private Settings.Builder getSettingsBuilder() {
|
||||
Settings.Builder builder = Settings.builder();
|
||||
if (inFipsJvm()) {
|
||||
builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
|
||||
}
|
||||
return builder;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -13,6 +13,7 @@ import org.elasticsearch.env.TestEnvironment;
|
|||
import org.elasticsearch.test.ESTestCase;
|
||||
import org.elasticsearch.test.http.MockResponse;
|
||||
import org.elasticsearch.test.http.MockWebServer;
|
||||
import org.elasticsearch.xpack.core.XPackSettings;
|
||||
import org.elasticsearch.xpack.core.ssl.SSLConfigurationSettingsTests;
|
||||
import org.elasticsearch.xpack.core.ssl.TestsSSLService;
|
||||
import org.elasticsearch.xpack.core.ssl.VerificationMode;
|
||||
|
@ -70,7 +71,11 @@ public class CommandLineHttpClientTests extends ESTestCase {
|
|||
}
|
||||
|
||||
public void testGetDefaultURLFailsWithHelpfulMessage() {
|
||||
Settings settings = Settings.builder()
|
||||
Settings.Builder builder = Settings.builder();
|
||||
if (inFipsJvm()) {
|
||||
builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
|
||||
}
|
||||
Settings settings = builder
|
||||
.put("network.host", "_ec2:privateIpv4_")
|
||||
.build();
|
||||
CommandLineHttpClient client = new CommandLineHttpClient(settings, environment);
|
||||
|
@ -87,7 +92,11 @@ public class CommandLineHttpClientTests extends ESTestCase {
|
|||
private Settings.Builder getHttpSslSettings() {
|
||||
MockSecureSettings secureSettings = new MockSecureSettings();
|
||||
secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode");
|
||||
return Settings.builder()
|
||||
Settings.Builder builder = Settings.builder();
|
||||
if (inFipsJvm()) {
|
||||
builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
|
||||
}
|
||||
return builder
|
||||
.put("xpack.security.http.ssl.enabled", true)
|
||||
.put("xpack.security.http.ssl.key", keyPath.toString())
|
||||
.put("xpack.security.http.ssl.certificate", certPath.toString())
|
||||
|
|
|
@ -33,6 +33,7 @@ import org.elasticsearch.test.ESTestCase;
|
|||
import org.elasticsearch.threadpool.TestThreadPool;
|
||||
import org.elasticsearch.threadpool.ThreadPool;
|
||||
import org.elasticsearch.watcher.ResourceWatcherService;
|
||||
import org.elasticsearch.xpack.core.XPackSettings;
|
||||
import org.elasticsearch.xpack.core.security.authc.AuthenticationResult;
|
||||
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
|
||||
import org.elasticsearch.xpack.core.security.authc.ldap.ActiveDirectorySessionFactorySettings;
|
||||
|
@ -142,7 +143,11 @@ public class ActiveDirectoryRealmTests extends ESTestCase {
|
|||
}
|
||||
threadPool = new TestThreadPool("active directory realm tests");
|
||||
resourceWatcherService = new ResourceWatcherService(Settings.EMPTY, threadPool);
|
||||
globalSettings = Settings.builder().put("path.home", createTempDir()).build();
|
||||
Settings.Builder builder = Settings.builder();
|
||||
if (inFipsJvm()) {
|
||||
builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
|
||||
}
|
||||
globalSettings = builder.put("path.home", createTempDir()).build();
|
||||
sslService = new SSLService(globalSettings, TestEnvironment.newEnvironment(globalSettings));
|
||||
licenseState = new TestUtils.UpdatableLicenseState();
|
||||
}
|
||||
|
|
|
@ -25,6 +25,7 @@ import org.elasticsearch.script.mustache.MustacheScriptEngine;
|
|||
import org.elasticsearch.threadpool.TestThreadPool;
|
||||
import org.elasticsearch.threadpool.ThreadPool;
|
||||
import org.elasticsearch.watcher.ResourceWatcherService;
|
||||
import org.elasticsearch.xpack.core.XPackSettings;
|
||||
import org.elasticsearch.xpack.core.security.authc.AuthenticationResult;
|
||||
import org.elasticsearch.xpack.core.security.authc.Realm;
|
||||
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
|
||||
|
@ -98,7 +99,11 @@ public class LdapRealmTests extends LdapTestCase {
|
|||
public void init() throws Exception {
|
||||
threadPool = new TestThreadPool("ldap realm tests");
|
||||
resourceWatcherService = new ResourceWatcherService(Settings.EMPTY, threadPool);
|
||||
defaultGlobalSettings = Settings.builder().put("path.home", createTempDir()).build();
|
||||
Settings.Builder builder = Settings.builder();
|
||||
if (inFipsJvm()) {
|
||||
builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
|
||||
}
|
||||
defaultGlobalSettings = builder.put("path.home", createTempDir()).build();
|
||||
sslService = new SSLService(defaultGlobalSettings, TestEnvironment.newEnvironment(defaultGlobalSettings));
|
||||
licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.isAuthorizationRealmAllowed()).thenReturn(true);
|
||||
|
|
|
@ -19,6 +19,7 @@ import org.elasticsearch.env.TestEnvironment;
|
|||
import org.elasticsearch.threadpool.TestThreadPool;
|
||||
import org.elasticsearch.threadpool.ThreadPool;
|
||||
import org.elasticsearch.watcher.ResourceWatcherService;
|
||||
import org.elasticsearch.xpack.core.XPackSettings;
|
||||
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
|
||||
import org.elasticsearch.xpack.core.security.authc.RealmSettings;
|
||||
import org.elasticsearch.xpack.core.security.authc.ldap.support.LdapSearchScope;
|
||||
|
@ -59,7 +60,11 @@ public class LdapSessionFactoryTests extends LdapTestCase {
|
|||
final Path origCa = getDataPath("/org/elasticsearch/xpack/security/authc/ldap/support/ldap-ca.crt");
|
||||
ldapCaPath = createTempFile();
|
||||
Files.copy(origCa, ldapCaPath, StandardCopyOption.REPLACE_EXISTING);
|
||||
globalSettings = Settings.builder()
|
||||
Settings.Builder builder = Settings.builder();
|
||||
if (inFipsJvm()) {
|
||||
builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
|
||||
}
|
||||
globalSettings = builder
|
||||
.put("path.home", createTempDir())
|
||||
.putList(RealmSettings.realmSslPrefix(REALM_IDENTIFIER) + "certificate_authorities", ldapCaPath.toString())
|
||||
.build();
|
||||
|
|
|
@ -25,6 +25,7 @@ import org.elasticsearch.env.Environment;
|
|||
import org.elasticsearch.env.TestEnvironment;
|
||||
import org.elasticsearch.threadpool.TestThreadPool;
|
||||
import org.elasticsearch.threadpool.ThreadPool;
|
||||
import org.elasticsearch.xpack.core.XPackSettings;
|
||||
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
|
||||
import org.elasticsearch.xpack.core.security.authc.ldap.LdapUserSearchSessionFactorySettings;
|
||||
import org.elasticsearch.xpack.core.security.authc.ldap.PoolingSessionFactorySettings;
|
||||
|
@ -62,8 +63,11 @@ public class LdapUserSearchSessionFactoryTests extends LdapTestCase {
|
|||
* If we re-use an SSLContext, previously connected sessions can get re-established which breaks hostname
|
||||
* verification tests since a re-established connection does not perform hostname verification.
|
||||
*/
|
||||
|
||||
globalSettings = Settings.builder()
|
||||
Settings.Builder builder = Settings.builder();
|
||||
if (inFipsJvm()) {
|
||||
builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
|
||||
}
|
||||
globalSettings = builder
|
||||
.put("path.home", createTempDir())
|
||||
.put("xpack.security.transport.ssl.enabled", false)
|
||||
.put("xpack.security.transport.ssl.certificate_authorities", certPath)
|
||||
|
|
|
@ -172,6 +172,9 @@ public abstract class LdapTestCase extends ESTestCase {
|
|||
if (serverSetType != null) {
|
||||
builder.put(getFullSettingKey(realmId, LdapLoadBalancingSettings.LOAD_BALANCE_TYPE_SETTING), serverSetType.toString());
|
||||
}
|
||||
if (inFipsJvm()) {
|
||||
builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
|
||||
}
|
||||
return builder.build();
|
||||
}
|
||||
|
||||
|
|
|
@ -22,6 +22,7 @@ import org.elasticsearch.mocksocket.MockServerSocket;
|
|||
import org.elasticsearch.mocksocket.MockSocket;
|
||||
import org.elasticsearch.threadpool.TestThreadPool;
|
||||
import org.elasticsearch.threadpool.ThreadPool;
|
||||
import org.elasticsearch.xpack.core.XPackSettings;
|
||||
import org.elasticsearch.xpack.core.common.socket.SocketAccess;
|
||||
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
|
||||
import org.elasticsearch.xpack.core.security.authc.ldap.support.LdapSearchScope;
|
||||
|
@ -292,7 +293,11 @@ public class SessionFactoryLoadBalancingTests extends LdapTestCase {
|
|||
Settings globalSettings = Settings.builder().put("path.home", createTempDir()).put(settings).build();
|
||||
RealmConfig config = new RealmConfig(REALM_IDENTIFIER, globalSettings,
|
||||
TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY));
|
||||
return new TestSessionFactory(config, new SSLService(Settings.EMPTY, TestEnvironment.newEnvironment(config.settings())),
|
||||
Settings.Builder builder = Settings.builder();
|
||||
if (inFipsJvm()) {
|
||||
builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
|
||||
}
|
||||
return new TestSessionFactory(config, new SSLService(builder.build(), TestEnvironment.newEnvironment(config.settings())),
|
||||
threadPool);
|
||||
}
|
||||
|
||||
|
|
|
@ -18,6 +18,7 @@ import org.elasticsearch.env.TestEnvironment;
|
|||
import org.elasticsearch.test.ESTestCase;
|
||||
import org.elasticsearch.threadpool.TestThreadPool;
|
||||
import org.elasticsearch.threadpool.ThreadPool;
|
||||
import org.elasticsearch.xpack.core.XPackSettings;
|
||||
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
|
||||
import org.elasticsearch.xpack.core.security.authc.ldap.support.SessionFactorySettings;
|
||||
import org.elasticsearch.xpack.core.ssl.SSLConfigurationSettings;
|
||||
|
@ -49,7 +50,7 @@ public class SessionFactoryTests extends ESTestCase {
|
|||
}
|
||||
|
||||
public void testConnectionFactoryReturnsCorrectLDAPConnectionOptionsWithDefaultSettings() throws Exception {
|
||||
final Environment environment = TestEnvironment.newEnvironment(Settings.builder().put("path.home", createTempDir()).build());
|
||||
final Environment environment = TestEnvironment.newEnvironment(getSettingsBuilder().put("path.home", createTempDir()).build());
|
||||
RealmConfig realmConfig = new RealmConfig(new RealmConfig.RealmIdentifier("ldap", "conn_settings"),
|
||||
environment.settings(), environment, new ThreadContext(Settings.EMPTY));
|
||||
LDAPConnectionOptions options = SessionFactory.connectionOptions(realmConfig, new SSLService(environment.settings(), environment),
|
||||
|
@ -64,7 +65,7 @@ public class SessionFactoryTests extends ESTestCase {
|
|||
public void testConnectionFactoryReturnsCorrectLDAPConnectionOptions() throws Exception {
|
||||
final RealmConfig.RealmIdentifier realmId = new RealmConfig.RealmIdentifier("ldap", "conn_settings");
|
||||
final Path pathHome = createTempDir();
|
||||
Settings settings = Settings.builder()
|
||||
Settings settings = getSettingsBuilder()
|
||||
.put(getFullSettingKey(realmId, SessionFactorySettings.TIMEOUT_TCP_CONNECTION_SETTING), "10ms")
|
||||
.put(getFullSettingKey(realmId, SessionFactorySettings.HOSTNAME_VERIFICATION_SETTING), "false")
|
||||
.put(getFullSettingKey(realmId, SessionFactorySettings.TIMEOUT_TCP_READ_SETTING), "20ms")
|
||||
|
@ -83,7 +84,7 @@ public class SessionFactoryTests extends ESTestCase {
|
|||
assertWarnings("the setting [xpack.security.authc.realms.ldap.conn_settings.hostname_verification] has been deprecated and will be "
|
||||
+ "removed in a future version. use [xpack.security.authc.realms.ldap.conn_settings.ssl.verification_mode] instead");
|
||||
|
||||
settings = Settings.builder()
|
||||
settings = getSettingsBuilder()
|
||||
.put(getFullSettingKey(realmId, SSLConfigurationSettings.VERIFICATION_MODE_SETTING_REALM), VerificationMode.CERTIFICATE)
|
||||
.put("path.home", pathHome)
|
||||
.build();
|
||||
|
@ -102,7 +103,7 @@ public class SessionFactoryTests extends ESTestCase {
|
|||
assertThat(options.getSSLSocketVerifier(), is(instanceOf(TrustAllSSLSocketVerifier.class)));
|
||||
}
|
||||
|
||||
settings = Settings.builder()
|
||||
settings = getSettingsBuilder()
|
||||
.put(getFullSettingKey(realmId, SSLConfigurationSettings.VERIFICATION_MODE_SETTING_REALM), VerificationMode.FULL)
|
||||
.put("path.home", pathHome)
|
||||
.build();
|
||||
|
@ -122,10 +123,10 @@ public class SessionFactoryTests extends ESTestCase {
|
|||
}
|
||||
|
||||
private SessionFactory createSessionFactory() {
|
||||
Settings global = Settings.builder().put("path.home", createTempDir()).build();
|
||||
Settings global = getSettingsBuilder().put("path.home", createTempDir()).build();
|
||||
final RealmConfig.RealmIdentifier realmIdentifier = new RealmConfig.RealmIdentifier("ldap", "_name");
|
||||
final RealmConfig realmConfig = new RealmConfig(realmIdentifier,
|
||||
Settings.builder()
|
||||
getSettingsBuilder()
|
||||
.put(getFullSettingKey(realmIdentifier, SessionFactorySettings.URLS_SETTING), "ldap://localhost:389")
|
||||
.put(global)
|
||||
.build(),
|
||||
|
@ -138,4 +139,12 @@ public class SessionFactoryTests extends ESTestCase {
|
|||
}
|
||||
};
|
||||
}
|
||||
|
||||
private Settings.Builder getSettingsBuilder() {
|
||||
Settings.Builder builder = Settings.builder();
|
||||
if (inFipsJvm()) {
|
||||
builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
|
||||
}
|
||||
return builder;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -50,6 +50,7 @@ import org.elasticsearch.common.settings.Settings;
|
|||
import org.elasticsearch.common.util.concurrent.ThreadContext;
|
||||
import org.elasticsearch.env.Environment;
|
||||
import org.elasticsearch.env.TestEnvironment;
|
||||
import org.elasticsearch.xpack.core.XPackSettings;
|
||||
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
|
||||
import org.elasticsearch.xpack.core.ssl.SSLService;
|
||||
import org.junit.After;
|
||||
|
@ -93,7 +94,11 @@ public class OpenIdConnectAuthenticatorTests extends OpenIdConnectTestCase {
|
|||
|
||||
@Before
|
||||
public void setup() {
|
||||
globalSettings = Settings.builder().put("path.home", createTempDir())
|
||||
Settings.Builder builder = Settings.builder();
|
||||
if (inFipsJvm()) {
|
||||
builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
|
||||
}
|
||||
globalSettings = builder.put("path.home", createTempDir())
|
||||
.put("xpack.security.authc.realms.oidc.oidc-realm.ssl.verification_mode", "certificate").build();
|
||||
env = TestEnvironment.newEnvironment(globalSettings);
|
||||
threadContext = new ThreadContext(globalSettings);
|
||||
|
|
|
@ -129,7 +129,7 @@ public class SamlRealmTests extends SamlTestCase {
|
|||
final String body = new String(Files.readAllBytes(path), StandardCharsets.UTF_8);
|
||||
final MockSecureSettings mockSecureSettings = new MockSecureSettings();
|
||||
mockSecureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode");
|
||||
final Settings settings = Settings.builder()
|
||||
final Settings.Builder builder = Settings.builder()
|
||||
.put("xpack.security.http.ssl.enabled", true)
|
||||
.put("xpack.security.http.ssl.key",
|
||||
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem"))
|
||||
|
@ -139,8 +139,11 @@ public class SamlRealmTests extends SamlTestCase {
|
|||
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"))
|
||||
.putList("xpack.security.http.ssl.supported_protocols", getProtocols())
|
||||
.put("path.home", createTempDir())
|
||||
.setSecureSettings(mockSecureSettings)
|
||||
.build();
|
||||
.setSecureSettings(mockSecureSettings);
|
||||
if (inFipsJvm()) {
|
||||
builder.put("xpack.security.ssl.diagnose.trust", false);
|
||||
}
|
||||
final Settings settings = builder.build();
|
||||
TestsSSLService sslService = new TestsSSLService(settings, TestEnvironment.newEnvironment(settings));
|
||||
try (MockWebServer proxyServer =
|
||||
new MockWebServer(sslService.sslContext("xpack.security.http.ssl"), false)) {
|
||||
|
@ -699,7 +702,7 @@ public class SamlRealmTests extends SamlTestCase {
|
|||
private Settings.Builder buildSettings(String idpMetaDataPath) {
|
||||
MockSecureSettings secureSettings = new MockSecureSettings();
|
||||
secureSettings.setString(REALM_SETTINGS_PREFIX + ".ssl.secure_key_passphrase", "testnode");
|
||||
return Settings.builder()
|
||||
Settings.Builder builder = Settings.builder()
|
||||
.put(REALM_SETTINGS_PREFIX + ".ssl.verification_mode", "certificate")
|
||||
.put(REALM_SETTINGS_PREFIX + ".ssl.key",
|
||||
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem"))
|
||||
|
@ -712,6 +715,10 @@ public class SamlRealmTests extends SamlTestCase {
|
|||
.put(getFullSettingKey(REALM_NAME, SamlRealmSettings.IDP_METADATA_HTTP_REFRESH), METADATA_REFRESH + "ms")
|
||||
.put("path.home", createTempDir())
|
||||
.setSecureSettings(secureSettings);
|
||||
if (inFipsJvm()) {
|
||||
builder.put("xpack.security.ssl.diagnose.trust", false);
|
||||
}
|
||||
return builder;
|
||||
}
|
||||
|
||||
private RealmConfig buildConfig(Settings realmSettings) {
|
||||
|
|
|
@ -81,7 +81,11 @@ public abstract class AbstractSimpleSecurityTransportTestCase extends AbstractSi
|
|||
secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode");
|
||||
// Some tests use a client profile. Put the passphrase in the secure settings for the profile (secure settings cannot be set twice)
|
||||
secureSettings.setString("transport.profiles.client.xpack.security.ssl.secure_key_passphrase", "testnode");
|
||||
Settings settings1 = Settings.builder()
|
||||
Settings.Builder builder = Settings.builder();
|
||||
if (inFipsJvm()) {
|
||||
builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
|
||||
}
|
||||
Settings settings1 = builder
|
||||
.put("xpack.security.transport.ssl.enabled", true)
|
||||
.put("xpack.security.transport.ssl.key", testnodeKey)
|
||||
.put("xpack.security.transport.ssl.certificate", testnodeCert)
|
||||
|
|
|
@ -93,7 +93,7 @@ public class ServerTransportFilterIntegrationTests extends SecurityIntegTestCase
|
|||
String unicastHost = NetworkAddress.format(transportAddress.address());
|
||||
|
||||
// test that starting up a node works
|
||||
Settings.Builder nodeSettings = Settings.builder()
|
||||
Settings.Builder nodeSettings = getSettingsBuilder()
|
||||
.put("node.name", "my-test-node")
|
||||
.put("network.host", "localhost")
|
||||
.put("cluster.name", internalCluster().getClusterName())
|
||||
|
@ -131,7 +131,7 @@ public class ServerTransportFilterIntegrationTests extends SecurityIntegTestCase
|
|||
String unicastHost = NetworkAddress.format(transportAddress.address());
|
||||
|
||||
// test that starting up a node works
|
||||
Settings.Builder nodeSettings = Settings.builder()
|
||||
Settings.Builder nodeSettings = getSettingsBuilder()
|
||||
.put("xpack.security.authc.realms.file.file.order", 0)
|
||||
.put("node.name", "my-test-node")
|
||||
.put(SecurityField.USER_SETTING.getKey(), "test_user:" + SecuritySettingsSourceField.TEST_PASSWORD)
|
||||
|
@ -205,4 +205,12 @@ public class ServerTransportFilterIntegrationTests extends SecurityIntegTestCase
|
|||
}
|
||||
}
|
||||
|
||||
private Settings.Builder getSettingsBuilder() {
|
||||
Settings.Builder builder = Settings.builder();
|
||||
if (inFipsJvm()) {
|
||||
builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
|
||||
}
|
||||
return builder;
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
@ -20,6 +20,7 @@ import org.elasticsearch.node.Node;
|
|||
import org.elasticsearch.test.ESTestCase;
|
||||
import org.elasticsearch.test.junit.annotations.Network;
|
||||
import org.elasticsearch.transport.Transport;
|
||||
import org.elasticsearch.xpack.core.XPackSettings;
|
||||
import org.elasticsearch.xpack.security.LocalStateSecurity;
|
||||
import org.elasticsearch.xpack.security.audit.AuditTrailService;
|
||||
import org.junit.Before;
|
||||
|
@ -265,7 +266,11 @@ public class IPFilterTests extends ESTestCase {
|
|||
}
|
||||
|
||||
public void testThatNodeStartsWithIPFilterDisabled() throws Exception {
|
||||
Settings settings = Settings.builder()
|
||||
Settings.Builder builder = Settings.builder();
|
||||
if (inFipsJvm()) {
|
||||
builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
|
||||
}
|
||||
Settings settings = builder
|
||||
.put("path.home", createTempDir())
|
||||
.put("xpack.security.transport.filter.enabled", randomBoolean())
|
||||
.put("xpack.security.http.filter.enabled", randomBoolean())
|
||||
|
|
|
@ -47,7 +47,11 @@ public class SecurityNetty4HttpServerTransportTests extends ESTestCase {
|
|||
|
||||
MockSecureSettings secureSettings = new MockSecureSettings();
|
||||
secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode");
|
||||
Settings settings = Settings.builder()
|
||||
Settings.Builder builder = Settings.builder();
|
||||
if (inFipsJvm()) {
|
||||
builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
|
||||
}
|
||||
Settings settings = builder
|
||||
.put("xpack.security.http.ssl.enabled", true)
|
||||
.put("xpack.security.http.ssl.key", testnodeKey)
|
||||
.put("xpack.security.http.ssl.certificate", testnodeCert)
|
||||
|
@ -150,7 +154,11 @@ public class SecurityNetty4HttpServerTransportTests extends ESTestCase {
|
|||
public void testNoExceptionWhenConfiguredWithoutSslKeySSLDisabled() throws Exception {
|
||||
MockSecureSettings secureSettings = new MockSecureSettings();
|
||||
secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode");
|
||||
Settings settings = Settings.builder()
|
||||
Settings.Builder builder = Settings.builder();
|
||||
if (inFipsJvm()) {
|
||||
builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
|
||||
}
|
||||
Settings settings = builder
|
||||
.put("xpack.security.http.ssl.enabled", false)
|
||||
.put("xpack.security.http.ssl.key", testnodeKey)
|
||||
.put("xpack.security.http.ssl.certificate", testnodeCert)
|
||||
|
|
|
@ -55,7 +55,11 @@ public class SecurityNioHttpServerTransportTests extends ESTestCase {
|
|||
Path testNodeCert = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt");
|
||||
MockSecureSettings secureSettings = new MockSecureSettings();
|
||||
secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode");
|
||||
Settings settings = Settings.builder()
|
||||
Settings.Builder builder = Settings.builder();
|
||||
if (inFipsJvm()) {
|
||||
builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
|
||||
}
|
||||
Settings settings = builder
|
||||
.put("xpack.security.http.ssl.enabled", true)
|
||||
.put("xpack.security.http.ssl.key", testNodeKey)
|
||||
.put("xpack.security.http.ssl.certificate", testNodeCert)
|
||||
|
@ -183,7 +187,11 @@ public class SecurityNioHttpServerTransportTests extends ESTestCase {
|
|||
public void testNoExceptionWhenConfiguredWithoutSslKeySSLDisabled() {
|
||||
MockSecureSettings secureSettings = new MockSecureSettings();
|
||||
secureSettings.setString("xpack.security.http.ssl.truststore.secure_password", "testnode");
|
||||
Settings settings = Settings.builder()
|
||||
Settings.Builder builder = Settings.builder();
|
||||
if (inFipsJvm()) {
|
||||
builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
|
||||
}
|
||||
Settings settings = builder
|
||||
.put("xpack.security.http.ssl.enabled", false)
|
||||
.put("xpack.security.http.ssl.truststore.path",
|
||||
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"))
|
||||
|
|
|
@ -118,6 +118,9 @@ public class SslIntegrationTests extends SecurityIntegTestCase {
|
|||
|
||||
public void testThatConnectionToHTTPWorks() throws Exception {
|
||||
Settings.Builder builder = Settings.builder().put("xpack.security.http.ssl.enabled", true);
|
||||
if (inFipsJvm()) {
|
||||
builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
|
||||
}
|
||||
addSSLSettingsForPEMFiles(
|
||||
builder, "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.pem",
|
||||
"testclient",
|
||||
|
|
|
@ -27,6 +27,7 @@ import org.elasticsearch.test.ESTestCase;
|
|||
import org.elasticsearch.test.MockLogAppender;
|
||||
import org.elasticsearch.test.http.MockResponse;
|
||||
import org.elasticsearch.test.http.MockWebServer;
|
||||
import org.elasticsearch.xpack.core.XPackSettings;
|
||||
import org.elasticsearch.xpack.core.common.socket.SocketAccess;
|
||||
import org.elasticsearch.xpack.core.ssl.SSLClientAuth;
|
||||
import org.elasticsearch.xpack.core.ssl.SSLConfiguration;
|
||||
|
@ -96,6 +97,7 @@ public class SSLErrorMessageCertificateVerificationTests extends ESTestCase {
|
|||
}
|
||||
|
||||
public void testDiagnosticTrustManagerForHostnameVerificationFailure() throws Exception {
|
||||
assumeFalse("We disable Diagnostic trust manager in FIPS 140 mode", inFipsJvm());
|
||||
final Settings settings = getPemSSLSettings(HTTP_SERVER_SSL, "not-this-host.crt", "not-this-host.key",
|
||||
SSLClientAuth.NONE, VerificationMode.FULL, null)
|
||||
.putList("xpack.http.ssl.certificate_authorities", getPath("ca1.crt"))
|
||||
|
@ -184,6 +186,9 @@ public class SSLErrorMessageCertificateVerificationTests extends ESTestCase {
|
|||
.put(prefix + ".key", getPath(keyPath))
|
||||
.put(prefix + ".client_authentication", clientAuth.name())
|
||||
.put(prefix + ".verification_mode", verificationMode.name());
|
||||
if (inFipsJvm()) {
|
||||
builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
|
||||
}
|
||||
if (caPath != null) {
|
||||
builder.putList(prefix + ".certificate_authorities", getPath(caPath));
|
||||
}
|
||||
|
|
|
@ -14,6 +14,7 @@ import org.elasticsearch.common.settings.Settings;
|
|||
import org.elasticsearch.env.Environment;
|
||||
import org.elasticsearch.env.TestEnvironment;
|
||||
import org.elasticsearch.test.ESTestCase;
|
||||
import org.elasticsearch.xpack.core.XPackSettings;
|
||||
import org.elasticsearch.xpack.core.ssl.SSLService;
|
||||
import org.junit.Before;
|
||||
|
||||
|
@ -55,7 +56,7 @@ public class SSLErrorMessageFileTests extends ESTestCase {
|
|||
|
||||
@Before
|
||||
public void setup() throws Exception {
|
||||
env = TestEnvironment.newEnvironment(Settings.builder().put("path.home", createTempDir()).build());
|
||||
env = TestEnvironment.newEnvironment(getSettingsBuilder().put("path.home", createTempDir()).build());
|
||||
paths = new HashMap<>();
|
||||
|
||||
requirePath("ca1.p12");
|
||||
|
@ -130,7 +131,7 @@ public class SSLErrorMessageFileTests extends ESTestCase {
|
|||
|
||||
public void testMessageForTransportSslEnabledWithoutKeys() throws Exception {
|
||||
final String prefix = "xpack.security.transport.ssl";
|
||||
final Settings.Builder settings = Settings.builder();
|
||||
final Settings.Builder settings = getSettingsBuilder();
|
||||
settings.put(prefix + ".enabled", true);
|
||||
configureWorkingTruststore(prefix, settings);
|
||||
|
||||
|
@ -142,7 +143,7 @@ public class SSLErrorMessageFileTests extends ESTestCase {
|
|||
|
||||
public void testNoErrorIfTransportSslDisabledWithoutKeys() throws Exception {
|
||||
final String prefix = "xpack.security.transport.ssl";
|
||||
final Settings.Builder settings = Settings.builder();
|
||||
final Settings.Builder settings = getSettingsBuilder();
|
||||
settings.put(prefix + ".enabled", false);
|
||||
configureWorkingTruststore(prefix, settings);
|
||||
expectSuccess(settings);
|
||||
|
@ -210,7 +211,7 @@ public class SSLErrorMessageFileTests extends ESTestCase {
|
|||
private void checkMissingResource(String sslManagerType, String fileType, String configKey,
|
||||
BiConsumer<String, Settings.Builder> configure) {
|
||||
final String prefix = randomSslPrefix();
|
||||
final Settings.Builder settings = Settings.builder();
|
||||
final Settings.Builder settings = getSettingsBuilder();
|
||||
configure.accept(prefix, settings);
|
||||
|
||||
final String fileName = missingFile();
|
||||
|
@ -234,7 +235,7 @@ public class SSLErrorMessageFileTests extends ESTestCase {
|
|||
private void checkUnreadableResource(String sslManagerType, String fromResource, String fileType, String configKey,
|
||||
BiConsumer<String, Settings.Builder> configure) throws Exception {
|
||||
final String prefix = randomSslPrefix();
|
||||
final Settings.Builder settings = Settings.builder();
|
||||
final Settings.Builder settings =getSettingsBuilder();
|
||||
configure.accept(prefix, settings);
|
||||
|
||||
final String fileName = unreadableFile(fromResource);
|
||||
|
@ -258,7 +259,7 @@ public class SSLErrorMessageFileTests extends ESTestCase {
|
|||
private void checkBlockedResource(String sslManagerType, String fileType, String configKey,
|
||||
BiConsumer<String, Settings.Builder> configure) throws Exception {
|
||||
final String prefix = randomSslPrefix();
|
||||
final Settings.Builder settings = Settings.builder();
|
||||
final Settings.Builder settings = getSettingsBuilder();
|
||||
configure.accept(prefix, settings);
|
||||
|
||||
final String fileName = blockedFile();
|
||||
|
@ -281,7 +282,7 @@ public class SSLErrorMessageFileTests extends ESTestCase {
|
|||
}
|
||||
|
||||
private void checkUnusedConfiguration(String prefix, String settingsConfigured, BiConsumer<String, Settings.Builder> configure) {
|
||||
final Settings.Builder settings = Settings.builder();
|
||||
final Settings.Builder settings = getSettingsBuilder();
|
||||
configure.accept(prefix, settings);
|
||||
|
||||
expectSuccess(settings);
|
||||
|
@ -323,12 +324,12 @@ public class SSLErrorMessageFileTests extends ESTestCase {
|
|||
|
||||
private Settings.Builder withKey(String fileName) {
|
||||
assertThat(fileName, endsWith(".key"));
|
||||
return Settings.builder().put("key", resource(fileName));
|
||||
return getSettingsBuilder().put("key", resource(fileName));
|
||||
}
|
||||
|
||||
private Settings.Builder withCertificate(String fileName) {
|
||||
assertThat(fileName, endsWith(".crt"));
|
||||
return Settings.builder().put("certificate", resource(fileName));
|
||||
return getSettingsBuilder().put("certificate", resource(fileName));
|
||||
}
|
||||
|
||||
private Settings.Builder configureWorkingTruststore(String prefix, Settings.Builder settings) {
|
||||
|
@ -378,4 +379,12 @@ public class SSLErrorMessageFileTests extends ESTestCase {
|
|||
"xpack.monitoring.exporters.http.ssl"
|
||||
);
|
||||
}
|
||||
|
||||
private Settings.Builder getSettingsBuilder() {
|
||||
final Settings.Builder settings = Settings.builder();
|
||||
if (inFipsJvm()) {
|
||||
settings.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
|
||||
}
|
||||
return settings;
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue