[TEST] Make SSL restrictions update atomic (#31050)

tvernum · tvernum · commit f0f16b7fcb25 · 2018-06-15T17:59:04.000+10:00
SSLTrustRestrictionsTests updates the restrictions YML file during the test run to change the set of restrictions. This update was small, but it wasn't atomic.
If the yml file is reloaded while empty or invalid, then it causes all SSL certificates to be considered invalid (until it is reloaded again), which could break the sniffing/administrative client that runs underneath the tests.
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLTrustRestrictionsTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLTrustRestrictionsTests.java
@@ -28,13 +28,16 @@
 import javax.net.ssl.SSLSocketFactory;
 import java.io.IOException;
 import java.net.SocketException;
+import java.nio.file.AtomicMoveNotSupportedException;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.security.PrivateKey;
 import java.security.cert.X509Certificate;
 import java.util.Collections;
 import java.util.concurrent.TimeUnit;
 
+import static java.nio.file.StandardCopyOption.ATOMIC_MOVE;
+import static java.nio.file.StandardCopyOption.REPLACE_EXISTING;
 import static org.hamcrest.Matchers.is;
 
 /**
@@ -46,11 +49,6 @@
 @TestLogging("org.elasticsearch.xpack.ssl.RestrictedTrustManager:DEBUG")
 public class SSLTrustRestrictionsTests extends SecurityIntegTestCase {
 
-    /**
-     * Use a small keysize for performance, since the keys are only used in this test, but a large enough keysize
-     * to get past the SSL algorithm checker
-     */
-
     private static final int RESOURCE_RELOAD_MILLIS = 3;
     private static final TimeValue MAX_WAIT_RELOAD = TimeValue.timeValueSeconds(1);
 
@@ -61,6 +59,7 @@ public class SSLTrustRestrictionsTests extends SecurityIntegTestCase {
     private static CertificateInfo trustedCert;
     private static CertificateInfo untrustedCert;
     private static Path restrictionsPath;
+    private static Path restrictionsTmpPath;
 
     @Override
     protected int maxNumberOfNodes() {
@@ -124,6 +123,8 @@ public Settings nodeSettings(int nodeOrdinal) {
                 .put(nodeSSL);
 
         restrictionsPath = configPath.resolve("trust_restrictions.yml");
+        restrictionsTmpPath = configPath.resolve("trust_restrictions.tmp");
+
         writeRestrictions("*.trusted");
         builder.put("xpack.ssl.trust_restrictions.path", restrictionsPath);
         builder.put("resource.reload.interval.high", RESOURCE_RELOAD_MILLIS + "ms");
@@ -133,7 +134,12 @@ public Settings nodeSettings(int nodeOrdinal) {
 
     private void writeRestrictions(String trustedPattern) {
         try {
-            Files.write(restrictionsPath, Collections.singleton("trust.subject_name: \"" + trustedPattern + "\""));
+            Files.write(restrictionsTmpPath, Collections.singleton("trust.subject_name: \"" + trustedPattern + "\""));
+            try {
+                Files.move(restrictionsTmpPath, restrictionsPath, REPLACE_EXISTING, ATOMIC_MOVE);
+            } catch (final AtomicMoveNotSupportedException e) {
+                Files.move(restrictionsTmpPath, restrictionsPath, REPLACE_EXISTING);
+            }
         } catch (IOException e) {
             throw new ElasticsearchException("failed to write restrictions", e);
         }
