Use PEM files for PkiOptionalClientAuthTests (#37683)

Use PEM files for the key/cert for TLS on the http layer of the
node instead of a JKS keystore so that the tests can also run
in a FIPS 140 JVM .

Resolves: #37682
This commit is contained in:
Ioannis Kakavas 2019-01-22 17:26:36 +02:00 committed by GitHub
parent 3f2723366e
commit 5c1a1f7ac1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 21 additions and 18 deletions

View File

@ -49,27 +49,30 @@ public class PkiOptionalClientAuthTests extends SecuritySingleNodeTestCase {
String randomClientPortRange = randomClientPort + "-" + (randomClientPort+100); String randomClientPortRange = randomClientPort + "-" + (randomClientPort+100);
Settings.Builder builder = Settings.builder() Settings.Builder builder = Settings.builder()
.put(super.nodeSettings()) .put(super.nodeSettings())
.put("xpack.security.http.ssl.enabled", true) .put("xpack.security.http.ssl.enabled", true)
.put("xpack.security.http.ssl.client_authentication", SSLClientAuth.OPTIONAL) .put("xpack.security.http.ssl.client_authentication", SSLClientAuth.OPTIONAL)
.put("xpack.security.http.ssl.keystore.path", .put("xpack.security.http.ssl.key",
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks")) getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem"))
.put("xpack.security.http.ssl.keystore.password", "testnode") .put("xpack.security.http.ssl.certificate",
.put("xpack.security.authc.realms.file.file.order", "0") getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"))
.put("xpack.security.authc.realms.pki.pki1.order", "1") .put("xpack.security.authc.realms.file.file.order", "0")
.put("xpack.security.authc.realms.pki.pki1.truststore.path", .put("xpack.security.authc.realms.pki.pki1.order", "1")
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/truststore-testnode-only.jks")) .put("xpack.security.authc.realms.pki.pki1.truststore.path",
.put("xpack.security.authc.realms.pki.pki1.files.role_mapping", getDataPath("role_mapping.yml")) getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/truststore-testnode-only.jks"))
.put("transport.profiles.want_client_auth.port", randomClientPortRange) .put("xpack.security.authc.realms.pki.pki1.files.role_mapping", getDataPath("role_mapping.yml"))
.put("transport.profiles.want_client_auth.bind_host", "localhost") .put("transport.profiles.want_client_auth.port", randomClientPortRange)
.put("transport.profiles.want_client_auth.xpack.security.ssl.keystore.path", .put("transport.profiles.want_client_auth.bind_host", "localhost")
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks")) .put("transport.profiles.want_client_auth.xpack.security.ssl.key",
.put("transport.profiles.want_client_auth.xpack.security.ssl.keystore.password", "testnode") getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem"))
.put("transport.profiles.want_client_auth.xpack.security.ssl.client_authentication", SSLClientAuth.OPTIONAL); .put("transport.profiles.want_client_auth.xpack.security.ssl.certificate",
getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"))
.put("transport.profiles.want_client_auth.xpack.security.ssl.client_authentication", SSLClientAuth.OPTIONAL);
SecuritySettingsSource.addSecureSettings(builder, secureSettings -> { SecuritySettingsSource.addSecureSettings(builder, secureSettings -> {
secureSettings.setString("xpack.security.authc.realms.pki.pki1.truststore.secure_password", "truststore-testnode-only"); secureSettings.setString("xpack.security.authc.realms.pki.pki1.truststore.secure_password", "truststore-testnode-only");
secureSettings.setString("xpack.security.http.ssl.keystore.secure_password", "testnode"); secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode");
secureSettings.setString("transport.profiles.want_client_auth.xpack.security.ssl.secure_key_passphrase", "testnode");
}); });
return builder.build(); return builder.build();