Replace Vagrant with Docker for idp-fixture (elastic#39948)

The change replaces the Vagrant box based fixture with a fixture
based on docker compose and 2 docker images, one for an openldap
server and one for a Shibboleth SAML Identity Provider.

The configuration of both openldap and shibboleth is identical to
the previous one, in order to minimize required changes in the
tests

Author: jkakavas

x-pack/qa/openldap-tests/build.gradle

@@ -1,8 +1,5 @@
-Project idpFixtureProject = xpackProject("test:idp-fixture")
-evaluationDependsOn(idpFixtureProject.path)
-
 apply plugin: 'elasticsearch.standalone-test'
-apply plugin: 'elasticsearch.vagrantsupport'
+apply plugin: 'elasticsearch.test.fixtures'
 
 dependencies {
     // "org.elasticsearch.plugin:x-pack-core:${version}" doesn't work with idea because the testArtifacts are also here
@@ -11,21 +8,13 @@ dependencies {
     testCompile project(path: xpackModule('core'), configuration: 'testArtifacts')
 }
 
-task openLdapFixture {
-    dependsOn "vagrantCheckVersion", "virtualboxCheckVersion", idpFixtureProject.up
-}
+testFixtures.useFixture ":x-pack:test:idp-fixture"
 
+Project idpFixtureProject = xpackProject("test:idp-fixture")
 String outputDir = "${project.buildDir}/generated-resources/${project.name}"
 task copyIdpTrust(type: Copy) {
-    from idpFixtureProject.file('src/main/resources/certs/idptrust.jks');
-    from idpFixtureProject.file('src/main/resources/certs/ca.crt');
+    from idpFixtureProject.file('openldap/certs/ca.jks');
+    from idpFixtureProject.file('openldap/certs/ca_server.pem');
     into outputDir
 }
-if (project.rootProject.vagrantSupported) {
-  project.sourceSets.test.output.dir(outputDir, builtBy: copyIdpTrust)
-  unitTest.dependsOn openLdapFixture
-  unitTest.finalizedBy idpFixtureProject.halt
-} else {
-    unitTest.enabled = false
-  testingConventions.enabled = false
-}
+project.sourceSets.test.output.dir(outputDir, builtBy: copyIdpTrust)

x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/test/OpenLdapTests.java

@@ -56,7 +56,7 @@ public class OpenLdapTests extends ESTestCase {
 
     public static final String PASSWORD = "NickFuryHeartsES";
     private static final String HAWKEYE_DN = "uid=hawkeye,ou=people,dc=oldap,dc=test,dc=elasticsearch,dc=com";
-    public static final String LDAPTRUST_PATH = "/idptrust.jks";
+    public static final String LDAPTRUST_PATH = "/ca.jks";
     private static final SecureString PASSWORD_SECURE_STRING = new SecureString(PASSWORD.toCharArray());
     public static final String REALM_NAME = "oldap-test";
 

x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/xpack/security/authc/ldap/OpenLdapUserSearchSessionFactoryTests.java

@@ -48,7 +48,7 @@ public class OpenLdapUserSearchSessionFactoryTests extends ESTestCase {
 
     private Settings globalSettings;
     private ThreadPool threadPool;
-    private static final String LDAPCACERT_PATH = "/ca.crt";
+    private static final String LDAPCACERT_PATH = "/ca_server.pem";
 
     @Before
     public void init() {

x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/xpack/security/authc/ldap/SearchGroupsResolverTests.java

@@ -181,6 +181,6 @@ protected String bindPassword() {
 
     @Override
     protected String trustPath() {
-        return "/idptrust.jks";
+        return "/ca.jks";
     }
 }

x-pack/qa/saml-idp-tests/build.gradle

@@ -1,9 +1,9 @@
 Project idpFixtureProject = xpackProject("test:idp-fixture")
 evaluationDependsOn(idpFixtureProject.path)
 
-apply plugin: 'elasticsearch.vagrantsupport'
 apply plugin: 'elasticsearch.standalone-rest-test'
 apply plugin: 'elasticsearch.rest-test'
+apply plugin: 'elasticsearch.test.fixtures'
 
 dependencies {
     // "org.elasticsearch.plugin:x-pack-core:${version}" doesn't work with idea because the testArtifacts are also here
@@ -12,24 +12,16 @@ dependencies {
     testCompile project(path: xpackModule('security'), configuration: 'testArtifacts')
     testCompile 'com.google.jimfs:jimfs:1.1'
 }
+testFixtures.useFixture ":x-pack:test:idp-fixture"
 
-task idpFixture {
-    dependsOn "vagrantCheckVersion", "virtualboxCheckVersion", idpFixtureProject.up
-}
 
 String outputDir = "${project.buildDir}/generated-resources/${project.name}"
 task copyIdpCertificate(type: Copy) {
-    from idpFixtureProject.file('src/main/resources/certs/ca.crt');
+    from idpFixtureProject.file('idp/shibboleth-idp/credentials/idp-browser.pem');
     into outputDir
 }
-if (project.rootProject.vagrantSupported) {
-  project.sourceSets.test.output.dir(outputDir, builtBy: copyIdpCertificate)
-  integTestCluster.dependsOn idpFixture, copyIdpCertificate
-  integTest.finalizedBy idpFixtureProject.halt
-} else {
-  integTest.enabled = false
-  testingConventions.enabled = false
-}
+project.sourceSets.test.output.dir(outputDir, builtBy: copyIdpCertificate)
+integTestCluster.dependsOn copyIdpCertificate
 
 integTestCluster {
   setting 'xpack.license.self_generated.type', 'trial'
@@ -60,7 +52,7 @@ integTestCluster {
 
   setting 'xpack.ml.enabled', 'false'
 
-  extraConfigFile 'idp-metadata.xml', idpFixtureProject.file("src/main/resources/provision/generated/idp-metadata.xml")
+  extraConfigFile 'idp-metadata.xml', idpFixtureProject.file("idp/shibboleth-idp/metadata/idp-metadata.xml")
 
   setupCommand 'setupTestAdmin',
             'bin/elasticsearch-users', 'useradd', "test_admin", '-p', 'x-pack-test-password', '-r', "superuser"

x-pack/qa/saml-idp-tests/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlAuthenticationIT.java

@@ -367,7 +367,7 @@ private URI goToLoginPage(CloseableHttpClient client, BasicHttpContext context)
     private URI submitLoginForm(CloseableHttpClient client, BasicHttpContext context, URI formUri) throws IOException {
         final HttpPost form = new HttpPost(formUri);
         List<NameValuePair> params = new ArrayList<>();
-        params.add(new BasicNameValuePair("j_username", "Thor"));
+        params.add(new BasicNameValuePair("j_username", "thor"));
         params.add(new BasicNameValuePair("j_password", "NickFuryHeartsES"));
         params.add(new BasicNameValuePair("_eventId_proceed", ""));
         form.setEntity(new UrlEncodedFormEntity(params));
@@ -376,7 +376,6 @@ private URI submitLoginForm(CloseableHttpClient client, BasicHttpContext context
             assertThat(response.getStatusLine().getStatusCode(), equalTo(302));
             return response.getFirstHeader("Location").getValue();
         });
-        assertThat(redirect, startsWith("/"));
 
         String target = execute(client, new HttpGet(formUri.resolve(redirect)), context, response -> {
             assertHttpOk(response.getStatusLine());
@@ -620,7 +619,7 @@ private CloseableHttpClient getHttpClient() throws Exception {
     }
 
     private SSLContext getClientSslContext() throws Exception {
-        final Path pem = getDataPath("/ca.crt");
+        final Path pem = getDataPath("/idp-browser.pem");
         final Certificate[] certificates = CertParsingUtils.readCertificates(Collections.singletonList(pem));
         final X509ExtendedTrustManager trustManager = CertParsingUtils.trustManager(certificates);
         SSLContext context = SSLContext.getInstance("TLS");

x-pack/test/idp-fixture/README.txt

@@ -1,6 +1 @@
-Provisions OpenLDAP + shibboleth IDP 3.3.1 .
-Uses ansible on the guest.
-
-Run: `vagrant up --provision`
-
-Any issues: [email protected]
+Provisions OpenLDAP + shibboleth IDP 3.4.2 using docker compose

x-pack/test/idp-fixture/Vagrantfile

@@ -1,42 +1,4 @@
 apply plugin: 'elasticsearch.build'
+apply plugin: 'elasticsearch.test.fixtures'
 
-Map<String, String> vagrantEnvVars = [
-        'VAGRANT_CWD'           : "${project.projectDir.absolutePath}",
-        'VAGRANT_VAGRANTFILE'   : 'Vagrantfile',
-        'VAGRANT_PROJECT_DIR'   : "${project.projectDir.absolutePath}"
-]
-
-String box = "test.shibboleth.elastic.local"
-
-task update(type: org.elasticsearch.gradle.vagrant.VagrantCommandTask) {
-    command 'box'
-    subcommand 'update'
-    boxName box
-    environmentVars vagrantEnvVars
-}
-
-task up(type: org.elasticsearch.gradle.vagrant.VagrantCommandTask) {
-    command 'up'
-    args '--provision', '--provider', 'virtualbox'
-    boxName box
-    environmentVars vagrantEnvVars
-    dependsOn update
-}
-
-task halt(type: org.elasticsearch.gradle.vagrant.VagrantCommandTask) {
-    command 'halt'
-    boxName box
-    environmentVars vagrantEnvVars
-}
-
-task destroy(type: org.elasticsearch.gradle.vagrant.VagrantCommandTask) {
-    command 'destroy'
-    args '-f'
-    boxName box
-    environmentVars vagrantEnvVars
-    dependsOn halt
-}
-
-thirdPartyAudit.enabled = false
-unitTest.enabled = false
-jarHell.enabled = false
+unitTest.enabled = false

x-pack/test/idp-fixture/build.gradle

@@ -0,0 +1,40 @@
+version: '3.1'
+services:
+  openldap:
+    command: --copy-service --loglevel debug
+    image: "osixia/openldap:1.2.3"
+    ports:
+      - "30389:389"
+      - "60636:636"
+    environment:
+      LDAP_ADMIN_PASSWORD: "NickFuryHeartsES"
+      LDAP_DOMAIN: "oldap.test.elasticsearch.com"
+      LDAP_BASE_DN: "DC=oldap,DC=test,DC=elasticsearch,DC=com"
+      LDAP_TLS: "true"
+      LDAP_TLS_CRT_FILENAME: "ldap_server.pem"
+      LDAP_TLS_CA_CRT_FILENAME: "ca_server.pem"
+      LDAP_TLS_KEY_FILENAME: "ldap_server.key"
+      LDAP_TLS_VERIFY_CLIENT: "never"
+      LDAP_TLS_CIPHER_SUITE: "NORMAL"
+      LDAP_LOG_LEVEL: 256
+    volumes:
+      - ./openldap/ldif/users.ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom/20-bootstrap-users.ldif
+      - ./openldap/ldif/config.ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom/10-bootstrap-config.ldif
+      - ./openldap/certs:/container/service/slapd/assets/certs
+
+  shibboleth-idp:
+    image: "unicon/shibboleth-idp:3.4.2"
+    depends_on:
+      - openldap
+    environment:
+      - JETTY_MAX_HEAP=64m
+      - JETTY_BROWSER_SSL_KEYSTORE_PASSWORD=secret
+      - JETTY_BACKCHANNEL_SSL_KEYSTORE_PASSWORD=secret
+    ports:
+      - "4443:4443"
+    links:
+      - openldap:openldap
+    volumes:
+      - ./idp/shibboleth-idp/conf:/opt/shibboleth-idp/conf
+      - ./idp/shibboleth-idp/credentials:/opt/shibboleth-idp/credentials
+      - ./idp/shib-jetty-base/start.d/ssl.ini:/opt/shib-jetty-base/start.d/ssl.ini

x-pack/test/idp-fixture/docker-compose.yml

@@ -0,0 +1,4 @@
+--module=ssl
+jetty.ssl.port=4443
+jetty.sslContext.keyStorePath=/opt/shibboleth-idp/credentials/idp-browser.p12
+jetty.sslContext.keyStoreType=PKCS12

x-pack/test/idp-fixture/idp/shib-jetty-base/start.d/ssl.ini

@@ -0,0 +1,68 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xmlns:util="http://www.springframework.org/schema/util"
+       xmlns:p="http://www.springframework.org/schema/p"
+       xmlns:c="http://www.springframework.org/schema/c"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+                           
+       default-init-method="initialize"
+       default-destroy-method="destroy">
+
+    <!--
+    Map of access control policies used to limit access to administrative functions.
+    The purpose of the map is to label policies with a key/name so they can be reused.
+    -->
+
+    <!--
+    Use the "shibboleth.IPRangeAccessControl" parent bean for IP-based access control.
+    The ranges provided MUST be CIDR network expressions. To specify a single address,
+    add "/32" or "/128" for IPv4 or IPv6 respectively.
+
+    The additional examples below demonstrate how to control access by username
+    and by attribute(s), in the case of authenticated access to admin functions.
+    -->
+
+    <util:map id="shibboleth.AccessControlPolicies">
+    
+        <entry key="AccessByIPAddress">
+            <bean id="AccessByIPAddress" parent="shibboleth.IPRangeAccessControl"
+                p:allowedRanges="#{ {'127.0.0.1/32', '::1/128'} }" />
+        </entry>
+        
+        <!--
+        <entry key="AccessByUser">
+            <bean parent="shibboleth.PredicateAccessControl">
+                <constructor-arg>
+                    <bean parent="shibboleth.Conditions.SubjectName" c:collection="#{'jdoe'}" />
+                </constructor-arg>
+            </bean>
+        </entry>
+        -->
+        
+        <!--
+        <entry key="AccessByAttribute">
+            <bean parent="shibboleth.PredicateAccessControl">
+                <constructor-arg>
+                    <bean class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate">
+                        <property name="attributeValueMap">
+                            <map>
+                                <entry key="eduPersonEntitlement">
+                                    <list>
+                                        <value>https://example.org/entitlement/idpadmin</value>
+                                    </list>
+                                </entry>
+                            </map>
+                        </property>
+                    </bean>
+                </constructor-arg>
+            </bean>
+        </entry>
+        -->
+    
+    </util:map>
+
+</beans>