OpenSearch/qa/smoke-test-plugins-ssl/build.gradle

186 lines
6.4 KiB
Groovy

import org.elasticsearch.gradle.LoggedExec
apply plugin: 'elasticsearch.rest-test'
dependencies {
testCompile project(path: ':x-plugins:shield', configuration: 'runtime')
}
// location of keystore and files to generate it
File ca = new File(project.buildDir, 'ca')
File caConfig = new File(ca, 'conf/caconfig.cnf')
File cert = new File(project.buildDir, 'cert/test-node.csr')
File signedCert = new File(project.buildDir, 'cert/test-node-signed.csr')
File keystore = new File(project.buildDir, 'keystore/test-node.jks')
String caConfigData = """
[ ca ]
default_ca = CA_default
[ CA_default ]
copy_extensions = copy
serial = ${ca}/serial
database = ${ca}/index.txt
new_certs_dir = ${ca}/certs
certificate = ${ca}/certs/cacert.pem
private_key = ${ca}/private/cakey.pem
default_days = 712
default_md = sha256
preserve = no
email_in_dn = no
x509_extensions = v3_ca
name_opt = ca_default
cert_opt = ca_default
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 2048 # Size of keys
default_keyfile = key.pem # name of generated keys
default_md = sha256 # message digest algorithm
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
# Variable name Prompt string
#------------------------- ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64
# Default values for the above, for consistency and less typing.
# Variable name Value
#------------------------ ------------------------------
0.organizationName_default = Elasticsearch Test Org
localityName_default = Amsterdam
stateOrProvinceName_default = Amsterdam
countryName_default = NL
emailAddress_default = cacerttest@YOUR.COMPANY.TLD
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
"""
// generate the keystore
task createKey(type: LoggedExec) {
doFirst {
project.delete(keystore.parentFile)
keystore.parentFile.mkdirs()
}
executable = 'keytool'
standardInput = new ByteArrayInputStream('FirstName LastName\nUnit\nOrganization\nCity\nState\nNL\nyes\n\n'.getBytes('UTF-8'))
args '-genkey',
'-alias', 'test-node',
'-keystore', keystore,
'-keyalg', 'RSA',
'-keysize', '2048',
'-validity', '712',
'-ext', 'san=dns:localhost,ip:127.0.0.1',
'-storepass', 'keypass'
}
task createCertificate(type: LoggedExec, dependsOn: createKey) {
doFirst {
project.delete(cert.parentFile)
cert.parentFile.mkdirs()
}
executable = 'keytool'
standardInput = new ByteArrayInputStream('keypass\n'.getBytes('UTF-8'))
args '-certreq',
'-alias', 'test-node',
'-keystore', keystore,
'-file', cert,
'-keyalg', 'RSA',
'-ext', 'san=dns:localhost,ip:127.0.0.1'
}
task createCertificateAuthority(type: LoggedExec) {
doFirst {
project.delete(ca)
ca.mkdirs()
for (String dir : ['private', 'certs', 'conf']) {
new File(ca, dir).mkdirs()
}
caConfig.setText(caConfigData, 'UTF-8')
new File(ca, 'serial').setText('01', 'UTF-8')
new File(ca, 'index.txt').setText('', 'UTF-8')
}
executable = 'openssl'
args 'req', '-new', '-x509', '-extensions', 'v3_ca',
'-keyout', new File(ca, 'private/cakey.pem'),
'-out', new File(ca, 'certs/cacert.pem'),
'-days', '1460',
'-config', caConfig,
'-subj', '/OU=XPlugins QA',
'-passout', 'pass:capass'
}
task signCertificate(type: LoggedExec, dependsOn: [createCertificate, createCertificateAuthority]) {
executable = 'openssl'
standardInput = new ByteArrayInputStream('y\ny\n'.getBytes('UTF-8'))
args 'ca', '-in', cert, '-notext', '-out', signedCert, '-config', caConfig,
'-extensions', 'v3_req', '-passin', 'pass:capass'
}
task importCertificate(type: LoggedExec, dependsOn: signCertificate) {
executable = 'keytool'
standardInput = new ByteArrayInputStream('keypass\nyes\n'.getBytes('UTF-8'))
args '-importcert', '-keystore', keystore, '-file', signedCert, '-trustcacerts'
}
// add keystore to test classpath: it expects it there
sourceSets.test.resources.srcDir(keystore.parentFile)
processTestResources.dependsOn(importCertificate)
// add ES plugins, this loop must be outside of a configuration closure, otherwise it may get executed multiple times
for (Project subproj : project.rootProject.subprojects) {
if (subproj.path.startsWith(':plugins:')) {
// need to get a non-decorated project object, so must re-lookup the project by path
integTest.clusterConfig.plugin(subproj.name, project(subproj.path))
}
}
integTest {
cluster {
// TODO: use some variable here for port number
systemProperty 'es.marvel.agent.exporter.es.hosts', 'https://marvel_export:changeme@localhost:9400'
systemProperty 'es.marvel.agent.exporter.es.ssl.truststore.path', keystore.name
systemProperty 'es.marvel.agent.exporter.es.ssl.truststore.password', 'keypass'
systemProperty 'es.shield.transport.ssl', 'true'
systemProperty 'es.shield.http.ssl', 'true'
systemProperty 'es.shield.ssl.keystore.path', keystore.name
systemProperty 'es.shield.ssl.keystore.password', 'keypass'
plugin 'licence', project(':x-plugins:license:plugin')
plugin 'shield', project(':x-plugins:shield')
plugin 'watcher', project(':x-plugins:watcher')
plugin 'marvel-agent', project(':x-plugins:marvel')
// copy keystore into config/
extraConfigFile keystore.name, keystore
setupCommand 'setupTestUser',
'bin/shield/esusers', 'useradd', 'test_user', '-p', 'changeme', '-r', 'admin'
setupCommand 'setupMarvelUser',
'bin/shield/esusers', 'useradd', 'marvel_export', '-p', 'changeme', '-r', 'marvel_agent'
waitCondition = { node, ant ->
// we just return true, doing an https check is tricky here
return true
}
}
}