honeymoose
/
OpenSearch
mirror of https://github.com/honeymoose/OpenSearch.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Adjust reload keystore test to pass in FIPS (#57050) (#57133) 

In KeystoreWrapper class we determine if the error to decrypt a
given keystore is caused by a wrong password based on the exception
that the SunJCE implementation of AES is throwing
(AEADBadTagException). Other implementations from other Security
Providers might cause decryption to fail in a different way and cause
us to throw a generic error message.
We handle this in this test by matching both possible
exception messages.

Relates: #56889
This commit is contained in:
Ioannis Kakavas 2020-05-26 11:21:50 +03:00 committed by GitHub
parent 1e03de4999
commit 6984b3ef6f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 8 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
x-pack/qa/password-protected-keystore/src/test/java/org/elasticsearch/password_protected_keystore/ReloadSecureSettingsWithPasswordProtectedKeystoreRestIT.java
View File

@ -14,6 +14,7 @@ import org.elasticsearch.common.xcontent.ObjectPath;
import org.elasticsearch.test.rest.ESRestTestCase;
import static org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
import static org.hamcrest.Matchers.anyOf;
import static org.hamcrest.Matchers.equalTo;
import static org.hamcrest.Matchers.instanceOf;
import static org.hamcrest.Matchers.nullValue;
@ -43,7 +44,7 @@ public class ReloadSecureSettingsWithPasswordProtectedKeystoreRestIT extends ESR
}
@SuppressWarnings("unchecked")
public void testReloadSecureSettingsWithInCorrectPassword() throws Exception {
public void testReloadSecureSettingsWithIncorrectPassword() throws Exception {
final Request request = new Request("POST", "_nodes/reload_secure_settings");
request.setJsonEntity("{\"secure_settings_password\":\"" + KEYSTORE_PASSWORD + randomAlphaOfLength(7) + "\"}");
final Response response = client().performRequest(request);
@ -56,7 +57,9 @@ public class ReloadSecureSettingsWithPasswordProtectedKeystoreRestIT extends ESR
assertThat(entry.getValue(), instanceOf(Map.class));
final Map<String, Object> node = (Map<String, Object>) entry.getValue();
assertThat(node.get("reload_exception"), instanceOf(Map.class));
assertThat(ObjectPath.eval("reload_exception.reason", node), equalTo("Provided keystore password was incorrect"));
assertThat(ObjectPath.eval("reload_exception.reason", node), anyOf(
equalTo("Provided keystore password was incorrect"),
equalTo("Keystore has been corrupted or tampered with")));
assertThat(ObjectPath.eval("reload_exception.type", node), equalTo("security_exception"));
}
}
@ -74,7 +77,9 @@ public class ReloadSecureSettingsWithPasswordProtectedKeystoreRestIT extends ESR
assertThat(entry.getValue(), instanceOf(Map.class));
final Map<String, Object> node = (Map<String, Object>) entry.getValue();
assertThat(node.get("reload_exception"), instanceOf(Map.class));
assertThat(ObjectPath.eval("reload_exception.reason", node), equalTo("Provided keystore password was incorrect"));
assertThat(ObjectPath.eval("reload_exception.reason", node), anyOf(
equalTo("Provided keystore password was incorrect"),
equalTo("Keystore has been corrupted or tampered with")));
assertThat(ObjectPath.eval("reload_exception.type", node), equalTo("security_exception"));
}
}