
[TEST] Make SSL restrictions update atomic #31050


Merged
merged 6 commits into from
Jun 7, 2018
Expand Up @@ -28,13 +28,16 @@
import javax.net.ssl.SSLSocketFactory;
import java.io.IOException;
import java.net.SocketException;
import java.nio.file.AtomicMoveNotSupportedException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.concurrent.TimeUnit;

import static java.nio.file.StandardCopyOption.ATOMIC_MOVE;
import static java.nio.file.StandardCopyOption.REPLACE_EXISTING;
import static org.hamcrest.Matchers.is;

/**
Expand All @@ -46,11 +49,6 @@
@TestLogging("org.elasticsearch.xpack.ssl.RestrictedTrustManager:DEBUG")
public class SSLTrustRestrictionsTests extends SecurityIntegTestCase {

/**
* Use a small keysize for performance, since the keys are only used in this test, but a large enough keysize
* to get past the SSL algorithm checker
*/

private static final int RESOURCE_RELOAD_MILLIS = 3;
private static final TimeValue MAX_WAIT_RELOAD = TimeValue.timeValueSeconds(1);

Expand All @@ -61,6 +59,7 @@ public class SSLTrustRestrictionsTests extends SecurityIntegTestCase {
private static CertificateInfo trustedCert;
private static CertificateInfo untrustedCert;
private static Path restrictionsPath;
private static Path restrictionsTmpPath;

@Override
protected int maxNumberOfNodes() {
Expand Down Expand Up @@ -124,6 +123,8 @@ public Settings nodeSettings(int nodeOrdinal) {
.put(nodeSSL);

restrictionsPath = configPath.resolve("trust_restrictions.yml");
restrictionsTmpPath = configPath.resolve("trust_restrictions.tmp");

writeRestrictions("*.trusted");
builder.put("xpack.ssl.trust_restrictions.path", restrictionsPath);
builder.put("resource.reload.interval.high", RESOURCE_RELOAD_MILLIS + "ms");
Expand All @@ -133,7 +134,12 @@ public Settings nodeSettings(int nodeOrdinal) {

private void writeRestrictions(String trustedPattern) {
try {
Files.write(restrictionsPath, Collections.singleton("trust.subject_name: \"" + trustedPattern + "\""));
Files.write(restrictionsTmpPath, Collections.singleton("trust.subject_name: \"" + trustedPattern + "\""));
try {
Files.move(restrictionsTmpPath, restrictionsPath, REPLACE_EXISTING, ATOMIC_MOVE);
} catch (final AtomicMoveNotSupportedException e) {
Files.move(restrictionsTmpPath, restrictionsPath, REPLACE_EXISTING);
}
} catch (IOException e) {
throw new ElasticsearchException("failed to write restrictions", e);
}
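Review bot: The fallback in `writeRestrictions` for `AtomicMoveNotSupportedException` replaces the file with a plain `Files.move(restrictionsTmpPath, restrictionsPath, REPLACE_EXISTING)`, which is not guaranteed to be atomic, so on a file system without atomic moves the reload watcher could presumably again read a partially written `trust_restrictions.yml`, and nothing in the test output would show that the weaker path was taken. I would record that in the catch block, for example `// not atomic: a reload may observe a partial restrictions file on this file system`, and log the fallback if the test base class provides a logger. The reason for the temp-file-plus-move is also undocumented; a comment above the first write such as `// write to a temp file and move it into place so a reload never sees a half-written restrictions file` would help the next reader. The method's closing lines are outside the hunk.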