Adjust reload keystore test to pass in FIPS (#57050) (#57133)

In the KeystoreWrapper class we determine whether a failure to decrypt a
given keystore is caused by a wrong password, based on the exception
that the SunJCE implementation of AES throws
(AEADBadTagException). Implementations from other Security
Providers might fail decryption in a different way, which causes
us to throw a generic error message.
We handle this in this test by matching both possible
exception messages.

Relates: #56889
Ioannis Kakavas 2020-05-26 11:21:50 +03:00 committed by GitHub
parent 1e03de4999
commit 6984b3ef6f
1 changed files with 8 additions and 3 deletions


@ -14,6 +14,7 @@ import org.elasticsearch.common.xcontent.ObjectPath;
import org.elasticsearch.test.rest.ESRestTestCase; import org.elasticsearch.test.rest.ESRestTestCase;
import static org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue; import static org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
import static org.hamcrest.Matchers.anyOf;
import static org.hamcrest.Matchers.equalTo; import static org.hamcrest.Matchers.equalTo;
import static org.hamcrest.Matchers.instanceOf; import static org.hamcrest.Matchers.instanceOf;
import static org.hamcrest.Matchers.nullValue; import static org.hamcrest.Matchers.nullValue;
@ -43,7 +44,7 @@ public class ReloadSecureSettingsWithPasswordProtectedKeystoreRestIT extends ESR
} }
@SuppressWarnings("unchecked") @SuppressWarnings("unchecked")
public void testReloadSecureSettingsWithInCorrectPassword() throws Exception { public void testReloadSecureSettingsWithIncorrectPassword() throws Exception {
final Request request = new Request("POST", "_nodes/reload_secure_settings"); final Request request = new Request("POST", "_nodes/reload_secure_settings");
request.setJsonEntity("{\"secure_settings_password\":\"" + KEYSTORE_PASSWORD + randomAlphaOfLength(7) + "\"}"); request.setJsonEntity("{\"secure_settings_password\":\"" + KEYSTORE_PASSWORD + randomAlphaOfLength(7) + "\"}");
final Response response = client().performRequest(request); final Response response = client().performRequest(request);
@ -56,7 +57,9 @@ public class ReloadSecureSettingsWithPasswordProtectedKeystoreRestIT extends ESR
assertThat(entry.getValue(), instanceOf(Map.class)); assertThat(entry.getValue(), instanceOf(Map.class));
final Map<String, Object> node = (Map<String, Object>) entry.getValue(); final Map<String, Object> node = (Map<String, Object>) entry.getValue();
assertThat(node.get("reload_exception"), instanceOf(Map.class)); assertThat(node.get("reload_exception"), instanceOf(Map.class));
assertThat(ObjectPath.eval("reload_exception.reason", node), equalTo("Provided keystore password was incorrect")); assertThat(ObjectPath.eval("reload_exception.reason", node), anyOf(
equalTo("Provided keystore password was incorrect"),
equalTo("Keystore has been corrupted or tampered with")));
assertThat(ObjectPath.eval("reload_exception.type", node), equalTo("security_exception")); assertThat(ObjectPath.eval("reload_exception.type", node), equalTo("security_exception"));
} }
} }
@ -74,7 +77,9 @@ public class ReloadSecureSettingsWithPasswordProtectedKeystoreRestIT extends ESR
assertThat(entry.getValue(), instanceOf(Map.class)); assertThat(entry.getValue(), instanceOf(Map.class));
final Map<String, Object> node = (Map<String, Object>) entry.getValue(); final Map<String, Object> node = (Map<String, Object>) entry.getValue();
assertThat(node.get("reload_exception"), instanceOf(Map.class)); assertThat(node.get("reload_exception"), instanceOf(Map.class));
assertThat(ObjectPath.eval("reload_exception.reason", node), equalTo("Provided keystore password was incorrect")); assertThat(ObjectPath.eval("reload_exception.reason", node), anyOf(
equalTo("Provided keystore password was incorrect"),
equalTo("Keystore has been corrupted or tampered with")));
assertThat(ObjectPath.eval("reload_exception.type", node), equalTo("security_exception")); assertThat(ObjectPath.eval("reload_exception.type", node), equalTo("security_exception"));
} }
} }
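Review bot: The `anyOf(...)` on both `reload_exception.reason` assertions accepts "Keystore has been corrupted or tampered with" on every JVM, not only under FIPS, so on the default SunJCE provider these tests no longer pin that a wrong password is reported as a wrong password rather than as tampering. If the test class has a reliable way to tell which mode the cluster runs in (possibly `inFipsJvm()`, to be confirmed for a REST test against an external node), keep the strict form there: `inFipsJvm() ? anyOf(equalTo(...), equalTo(...)) : equalTo("Provided keystore password was incorrect")`. The identical matcher is repeated in the second and third hunks, so it could live in one shared field with a comment such as `// Providers other than SunJCE do not throw AEADBadTagException, so a wrong password surfaces as the generic message`. Both test method bodies begin outside the hunks shown, so the second test's request setup cannot be checked from here.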