From 1d5f2aa1aa9e000fc74ad32a5ba7f8b54f96107d Mon Sep 17 00:00:00 2001 
From: Ioannis Kakavas Date: Tue, 11 Feb 2020 16:44:51 +0200 Subject: [PATCH 1/4] Test adjustments for FIPS 140 in Java 8 This commit touches many of our tests but the changes are actually few. Setting xpack.security.ssl.diagnose.trust to true wraps SunJSSE TrustManager with our own DiagnosticTrustManager and this is not allowed when SunJSSE is in FIPS mode. So when we use SunJSSE in FIPS mode ( currently only when running our tests with FIPS mode on for Java 8 runtime ), we need to make sure that the Diagnostic TrustManager is not enabled. This change ensures that whenever a new SSLService is to be created, we explicitly pass xpack.security.ssl.diagnose.trust=false in the settings used for the SSLService, when we run in FIPS mode in Java 8. --- .../elasticsearch/test/ESIntegTestCase.java | 5 ++ .../org/elasticsearch/test/ESTestCase.java | 4 + .../core/LocalStateCompositeXPackPlugin.java | 19 ++++- .../xpack/core/TestXPackTransportClient.java | 4 +- .../transport/ProfileConfigurationsTests.java | 7 +- .../ssl/SSLConfigurationReloaderTests.java | 21 +++-- .../xpack/core/ssl/SSLServiceTests.java | 80 +++++++++++-------- .../test/SecurityIntegTestCase.java | 2 +- .../test/SecuritySingleNodeTestCase.java | 2 +- .../security/PkiRealmBootstrapCheckTests.java | 2 +- .../xpack/security/SecurityTests.java | 2 +- ...ansportOpenIdConnectLogoutActionTests.java | 2 +- .../esnative/ESNativeMigrateToolTests.java | 2 +- .../tool/CommandLineHttpClientTests.java | 4 +- .../authc/ldap/ActiveDirectoryRealmTests.java | 2 +- .../security/authc/ldap/LdapRealmTests.java | 2 +- .../authc/ldap/LdapSessionFactoryTests.java | 2 +- .../security/authc/ldap/LdapTestUtils.java | 6 ++ .../LdapUserSearchSessionFactoryTests.java | 2 +- .../authc/ldap/support/LdapTestCase.java | 2 +- .../SessionFactoryLoadBalancingTests.java | 2 +- .../ldap/support/SessionFactoryTests.java | 10 +-- .../oidc/OpenIdConnectAuthenticatorTests.java | 2 +- ...stractSimpleSecurityTransportTestCase.java | 12 ++- 
...ServerTransportFilterIntegrationTests.java | 2 +- .../transport/filter/IPFilterTests.java | 2 +- ...ecurityNetty4HttpServerTransportTests.java | 32 ++++---- .../SecurityNioHttpServerTransportTests.java | 32 ++++---- .../transport/ssl/SslIntegrationTests.java | 2 +- ...orMessageCertificateVerificationTests.java | 2 +- .../xpack/ssl/SSLErrorMessageFileTests.java | 2 +- .../watcher/actions/email/EmailSslTests.java | 13 ++- .../actions/webhook/WebhookActionTests.java | 7 +- .../webhook/WebhookHttpsIntegrationTests.java | 9 ++- .../watcher/common/http/HttpClientTests.java | 47 ++++++----- .../http/HttpConnectionTimeoutTests.java | 15 +++- .../common/http/HttpReadTimeoutTests.java | 15 +++- .../org/elasticsearch/test/OpenLdapTests.java | 4 + ...OpenLdapUserSearchSessionFactoryTests.java | 11 ++- .../qa/SecurityTransportClientIT.java | 11 ++- .../example/realm/CustomRealmIT.java | 21 +++-- .../xpack/security/MigrateToolTestCase.java | 12 ++- .../ADLdapUserSearchSessionFactoryTests.java | 13 ++- .../ldap/AbstractActiveDirectoryTestCase.java | 5 +- .../ActiveDirectorySessionFactoryTests.java | 21 +++-- .../xpack/ESXPackSmokeClientTestCase.java | 5 ++ .../PreBuiltXPackTransportClientTests.java | 10 ++- 47 files changed, 330 insertions(+), 161 deletions(-) diff --git a/test/framework/src/main/java/org/elasticsearch/test/ESIntegTestCase.java b/test/framework/src/main/java/org/elasticsearch/test/ESIntegTestCase.java index 20240b2620989..c9eec35e6c9b2 100644 --- a/test/framework/src/main/java/org/elasticsearch/test/ESIntegTestCase.java +++ b/test/framework/src/main/java/org/elasticsearch/test/ESIntegTestCase.java 
@@ -57,6 +57,7 @@ import org.elasticsearch.action.search.SearchResponse; import org.elasticsearch.action.support.DefaultShardOperationFailedException; import org.elasticsearch.action.support.IndicesOptions; +import org.elasticsearch.bootstrap.JavaVersion; import org.elasticsearch.client.AdminClient; import org.elasticsearch.client.Client; import org.elasticsearch.client.Requests; @@ -2256,4 +2257,8 @@ public static Index resolveIndex(String index) { public static boolean inFipsJvm() { return Boolean.parseBoolean(System.getProperty(FIPS_SYSPROP)); } + + public static boolean inFipsSunJsseJvm() { + return inFipsJvm() && JavaVersion.current().getVersion().get(0) == 8; + } } diff --git a/test/framework/src/main/java/org/elasticsearch/test/ESTestCase.java b/test/framework/src/main/java/org/elasticsearch/test/ESTestCase.java index 0176bfbad65bd..f480dc23c6db1 100644 --- a/test/framework/src/main/java/org/elasticsearch/test/ESTestCase.java +++ b/test/framework/src/main/java/org/elasticsearch/test/ESTestCase.java @@ -1370,6 +1370,10 @@ public static boolean inFipsJvm() { return Boolean.parseBoolean(System.getProperty(FIPS_SYSPROP)); } + public static boolean inFipsSunJsseJvm() { + return inFipsJvm() && JavaVersion.current().getVersion().get(0) == 8; + } + /** * Returns a unique port range for this JVM starting from the computed base port */ diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/LocalStateCompositeXPackPlugin.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/LocalStateCompositeXPackPlugin.java index e3da8a652c8fd..f505e2169d925 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/LocalStateCompositeXPackPlugin.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/LocalStateCompositeXPackPlugin.java 
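Review bot: `inFipsSunJsseJvm()` decides "Java 8" with `JavaVersion.current().getVersion().get(0) == 8`, and the identical expression is added again in the ESTestCase.java hunk on this same line; if `JavaVersion.current()` is parsed from `java.specification.version`, a Java 8 runtime reports `1.8`, the first component is 1 and the helper is never true, which would make every guard this commit introduces dead — worth confirming against JavaVersion's parsing before merging. Comparing against `JavaVersion.parse("1.8")` with `compareTo` would not depend on the component layout. Neither copy says why a Java 8 runtime is the SunJSSE-in-FIPS case, which is only explained in the commit message; a one-line Javadoc on both would keep that with the code: `/** True when in FIPS mode on a Java 8 runtime, where SunJSSE itself is in FIPS mode and wrapping its trust manager in DiagnosticTrustManager is not allowed. */`. If ESIntegTestCase extends ESTestCase, the static is already reachable through inheritance and the second copy could be dropped, though `inFipsJvm` is duplicated the same way so this may be deliberate.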
@@ -93,6 +93,7 @@ import java.util.stream.Collectors; import static java.util.stream.Collectors.toList; +import static org.elasticsearch.test.ESTestCase.inFipsSunJsseJvm; public class LocalStateCompositeXPackPlugin extends XPackPlugin implements ScriptPlugin, ActionPlugin, IngestPlugin, NetworkPlugin, ClusterPlugin, DiscoveryPlugin, MapperPlugin, AnalysisPlugin, PersistentTaskPlugin, EnginePlugin { @@ -153,12 +154,17 @@ public Collection createComponents(Client client, ClusterService cluster NamedXContentRegistry xContentRegistry, Environment environment, NodeEnvironment nodeEnvironment, NamedWriteableRegistry namedWriteableRegistry) { List components = new ArrayList<>(); + // This is a hack, but the settings we add in #additionalSettings() are not added to the environment instance + // (in org.elasticsearch.node.Node) which is passed in `createComponents` of each of the plugins. So the environment + // we get here wouldn't have the additional setting. This is a known issue, and once it is resolved, the code here + // can be adjusted accordingly + final Environment updatedEnvironment = getUpdatedEnvironment(environment); components.addAll(super.createComponents(client, clusterService, threadPool, resourceWatcherService, scriptService, - xContentRegistry, environment, nodeEnvironment, namedWriteableRegistry)); + xContentRegistry, updatedEnvironment, nodeEnvironment, namedWriteableRegistry)); filterPlugins(Plugin.class).stream().forEach(p -> components.addAll(p.createComponents(client, clusterService, threadPool, resourceWatcherService, scriptService, - xContentRegistry, environment, nodeEnvironment, namedWriteableRegistry)) + xContentRegistry, updatedEnvironment, nodeEnvironment, namedWriteableRegistry)) ); return components; } 
@@ -476,4 +482,13 @@ private List filterPlugins(Class type) { .collect(Collectors.toList()); } + private Environment getUpdatedEnvironment(Environment existingEnvironment){ + Settings.Builder additionalSettingsBuilder = Settings.builder(); + additionalSettingsBuilder.put(existingEnvironment.settings()); + if (inFipsSunJsseJvm()) { + additionalSettingsBuilder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + } + return new Environment(additionalSettingsBuilder.build(), existingEnvironment.configFile()); + } + } diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/TestXPackTransportClient.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/TestXPackTransportClient.java index 9d6d643593976..00ede13a50db0 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/TestXPackTransportClient.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/TestXPackTransportClient.java @@ -18,7 +18,7 @@ import java.util.concurrent.TimeUnit; import static org.elasticsearch.test.ESTestCase.getTestTransportPlugin; -import static org.elasticsearch.test.ESTestCase.inFipsJvm; +import static org.elasticsearch.test.ESTestCase.inFipsSunJsseJvm; /** * TransportClient.Builder that installs the XPackPlugin by default. @@ -55,7 +55,7 @@ public void close() { private static Settings possiblyDisableTlsDiagnostic(Settings settings) { Settings.Builder builder = Settings.builder().put(settings); - if (inFipsJvm()) { + if (inFipsSunJsseJvm()) { builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); } return builder.build(); diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/transport/ProfileConfigurationsTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/transport/ProfileConfigurationsTests.java index fd7315d7457c2..03893634c7c69 100644 
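Review bot: `getUpdatedEnvironment` builds a brand-new Environment from a copy of the settings even when `inFipsSunJsseJvm()` is false, so outside the FIPS/Java 8 case every plugin now receives a different Environment instance than the one the node passed in, with nothing changed in it. Returning the caller's instance when there is nothing to override keeps the non-FIPS path identical to before: `if (inFipsSunJsseJvm() == false) { return existingEnvironment; }` at the top of the method. Whether the reconstructed Environment resolves every path the same way as the original depends on how the original was created, which is outside this hunk. The signature `getUpdatedEnvironment(Environment existingEnvironment){` is also missing the space before the brace that the rest of the file uses.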
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/transport/ProfileConfigurationsTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/transport/ProfileConfigurationsTests.java @@ -11,6 +11,7 @@ import org.elasticsearch.env.Environment; import org.elasticsearch.env.TestEnvironment; import org.elasticsearch.test.ESTestCase; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.ssl.SSLConfiguration; import org.elasticsearch.xpack.core.ssl.SSLService; import org.elasticsearch.xpack.core.ssl.VerificationMode; @@ -65,10 +66,14 @@ private Settings.Builder getBaseSettings() { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); - return Settings.builder() + Settings.Builder builder = Settings.builder() .setSecureSettings(secureSettings) .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.keystore.path", keystore.toString()); + if (inFipsSunJsseJvm()) { + builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + } + return builder; } } diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationReloaderTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationReloaderTests.java index 99df5c641f498..217ae700a4854 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationReloaderTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationReloaderTests.java @@ -35,6 +35,7 @@ import org.elasticsearch.threadpool.TestThreadPool; import org.elasticsearch.threadpool.ThreadPool; import org.elasticsearch.watcher.ResourceWatcherService; +import org.elasticsearch.xpack.core.XPackSettings; import org.junit.After; import org.junit.Before; 
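Review bot: the `if (inFipsSunJsseJvm()) { builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); }` block added to `getBaseSettings()` is the same three lines this commit adds as a private `getSettingsBuilder()` in SSLConfigurationReloaderTests and SSLServiceTests, adjusts in PkiRealmBootstrapCheckTests, and touches inline in SecurityTests, TransportOpenIdConnectLogoutActionTests, SecurityIntegTestCase and SecuritySingleNodeTestCase. One shared static helper in the x-pack core test sources, where XPackSettings is visible — for example a `fipsAwareSettingsBuilder()` returning the prepared `Settings.Builder` — would give a single place to change when the SunJSSE condition changes. The per-class copies could then delegate to it instead of restating the condition.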
@@ -108,7 +109,7 @@ public void testReloadingKeyStore() throws Exception { Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_updated.jks"), updatedKeystorePath); MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); - final Settings settings = Settings.builder() + final Settings settings = getSettingsBuilder() .put("path.home", createTempDir()) .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.keystore.path", keystorePath) @@ -166,7 +167,7 @@ public void testPEMKeyConfigReloading() throws Exception { Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_updated.crt"), updatedCertPath); MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); - final Settings settings = Settings.builder() + final Settings settings = getSettingsBuilder() .put("path.home", createTempDir()) .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.key", keyPath) @@ -175,7 +176,7 @@ public void testPEMKeyConfigReloading() throws Exception { .setSecureSettings(secureSettings) .build(); final Environment env = randomBoolean() ? null : - TestEnvironment.newEnvironment(Settings.builder().put("path.home", createTempDir()).build()); + TestEnvironment.newEnvironment(getSettingsBuilder().put("path.home", createTempDir()).build()); // Load HTTPClient once. Client uses a keystore containing testnode key/cert as a truststore try (CloseableHttpClient client = getSSLClient(Collections.singletonList(certPath))) { final Consumer keyMaterialPreChecks = (context) -> { 
@@ -325,7 +326,7 @@ public void testReloadingKeyStoreException() throws Exception { Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"), keystorePath); MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.keystore.path", keystorePath) .setSecureSettings(secureSettings) @@ -376,7 +377,7 @@ public void testReloadingPEMKeyConfigException() throws Exception { Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt"), clientCertPath); MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.key", keyPath) .put("xpack.security.transport.ssl.certificate", certPath) @@ -519,7 +520,7 @@ private Settings.Builder baseKeystoreSettings(Path tempDir, MockSecureSettings s } secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); - return Settings.builder() + return getSettingsBuilder() .put("xpack.security.transport.ssl.key", keyPath.toString()) .put("xpack.security.transport.ssl.certificate", certPath.toString()) .setSecureSettings(secureSettings); 
@@ -632,6 +633,14 @@ private static CloseableHttpClient createHttpClient(SSLContext sslContext) { .build(); } + private Settings.Builder getSettingsBuilder() { + Settings.Builder builder = Settings.builder(); + if (inFipsSunJsseJvm()) { + builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + } + return builder; + } + /** * Creates our own HttpConnectionFactory that changes how the connection is closed to prevent issues with * the MockWebServer going into an endless loop based on the way that HttpClient closes its connection. diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLServiceTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLServiceTests.java index 08df2d1b65907..2514065012da7 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLServiceTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLServiceTests.java 
@@ -90,15 +90,21 @@ public class SSLServiceTests extends ESTestCase { @Before public void setup() throws Exception { - // Randomise the keystore type (jks/PKCS#12) - if (randomBoolean()) { - testnodeStore = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"); - // The default is to use JKS. Randomly test with explicit and with the default value. - testnodeStoreType = "jks"; - } else { + // Randomise the keystore type (jks/PKCS#12) when possible + if (inFipsJvm()){ testnodeStore = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.p12"); testnodeStoreType = randomBoolean() ? "PKCS12" : null; + } else { + if (randomBoolean()) { + testnodeStore = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"); + // The default is to use JKS. Randomly test with explicit and with the default value. + testnodeStoreType = "jks"; + } else { + testnodeStore = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.p12"); + testnodeStoreType = randomBoolean() ? "PKCS12" : null; + } } + logger.info("Using [{}] key/truststore [{}]", testnodeStoreType, testnodeStore); testnodeCert = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"); testnodeKey = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem"); @@ -125,7 +131,7 @@ public void testThatCustomTruststoreCanBeSpecified() throws Exception { MockSecureSettings secureCustomSettings = new MockSecureSettings(); secureCustomSettings.setString("truststore.secure_password", "testclient"); - Settings customTruststoreSettings = Settings.builder() + Settings customTruststoreSettings = getSettingsBuilder() .put("truststore.path", testClientStore) .setSecureSettings(secureCustomSettings) .build(); 
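Review bot: the new `else` branch in `setup()` nests a second if/else whose PKCS#12 arm repeats the FIPS arm above it line for line. The same choice reads as one condition with the PKCS#12 assignment written once: `if (inFipsJvm() == false && randomBoolean()) { /* testnode.jks, "jks" */ } else { /* testnode.p12, randomBoolean() ? "PKCS12" : null */ }` — the short-circuit keeps the `randomBoolean()` calls in the same order as the committed version. `if (inFipsJvm()){` is also missing the space before the brace that the rest of the method uses.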
@@ -147,7 +153,7 @@ public void testThatCustomTruststoreCanBeSpecified() throws Exception { public void testThatSslContextCachingWorks() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.certificate", testnodeCert) .put("xpack.security.transport.ssl.key", testnodeKey) @@ -173,7 +179,7 @@ public void testThatKeyStoreAndKeyCanHaveDifferentPasswords() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); secureSettings.setString("xpack.security.transport.ssl.keystore.secure_key_password", "testnode1"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.keystore.path", differentPasswordsStore) .setSecureSettings(secureSettings) @@ -191,7 +197,7 @@ public void testIncorrectKeyPasswordThrowsException() throws Exception { try { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.keystore.path", differentPasswordsStore) .setSecureSettings(secureSettings) .build(); 
@@ -208,7 +214,7 @@ public void testIncorrectKeyPasswordThrowsException() throws Exception { public void testThatSSLv3IsNotEnabled() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.certificate", testnodeCert) .put("xpack.security.transport.ssl.key", testnodeKey) @@ -221,7 +227,7 @@ public void testThatSSLv3IsNotEnabled() throws Exception { } public void testThatCreateClientSSLEngineWithoutAnySettingsWorks() throws Exception { - SSLService sslService = new SSLService(Settings.EMPTY, env); + SSLService sslService = new SSLService(getSettingsBuilder().build(), env); SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl"); SSLEngine sslEngine = sslService.createSSLEngine(configuration, null, -1); assertThat(sslEngine, notNullValue()); @@ -230,7 +236,7 @@ public void testThatCreateClientSSLEngineWithoutAnySettingsWorks() throws Except public void testThatCreateSSLEngineWithOnlyTruststoreWorks() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.http.ssl.truststore.secure_password", "testclient"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.http.ssl.enabled", true) .put("xpack.http.ssl.truststore.path", testclientStore) .setSecureSettings(secureSettings) 
@@ -246,7 +252,7 @@ public void testCreateWithKeystoreIsValidForServer() throws Exception { assumeFalse("Can't run in a FIPS JVM, JKS keystores can't be used", inFipsJvm()); MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.keystore.path", testnodeStore) .put("xpack.security.transport.ssl.keystore.type", testnodeStoreType) @@ -261,7 +267,7 @@ public void testValidForServer() throws Exception { assumeFalse("Can't run in a FIPS JVM, JKS keystores can't be used", inFipsJvm()); MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.http.ssl.truststore.secure_password", "testnode"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.http.ssl.truststore.path", testnodeStore) .put("xpack.http.ssl.truststore.type", testnodeStoreType) .setSecureSettings(secureSettings) @@ -272,7 +278,7 @@ public void testValidForServer() throws Exception { assertFalse(sslService.isConfigurationValidForServerUsage(sslService.getSSLConfiguration("xpack.http.ssl"))); secureSettings.setString("xpack.http.ssl.keystore.secure_password", "testnode"); - settings = Settings.builder() + settings = getSettingsBuilder() .put("xpack.http.ssl.truststore.path", testnodeStore) .put("xpack.http.ssl.truststore.type", testnodeStoreType) .setSecureSettings(secureSettings) 
@@ -289,7 +295,7 @@ public void testGetVerificationMode() throws Exception { assertThat(sslService.getSSLConfiguration("xpack.security.transport.ssl").verificationMode(), is(XPackSettings.VERIFICATION_MODE_DEFAULT)); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.enabled", false) .put("xpack.security.transport.ssl.verification_mode", "certificate") .put("transport.profiles.foo.xpack.security.ssl.verification_mode", "full") @@ -301,10 +307,10 @@ public void testGetVerificationMode() throws Exception { } public void testIsSSLClientAuthEnabled() throws Exception { - SSLService sslService = new SSLService(Settings.EMPTY, env); + SSLService sslService = new SSLService(getSettingsBuilder().build(), env); assertTrue(sslService.getSSLConfiguration("xpack.security.transport.ssl").sslClientAuth().enabled()); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.enabled", false) .put("xpack.security.transport.ssl.client_authentication", "optional") .put("transport.profiles.foo.port", "9400-9410") @@ -318,7 +324,7 @@ public void testThatHttpClientAuthDefaultsToNone() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); secureSettings.setString("xpack.security.http.ssl.keystore.secure_password", "testnode"); - final Settings globalSettings = Settings.builder() + final Settings globalSettings = getSettingsBuilder() .put("xpack.security.http.ssl.enabled", true) .put("xpack.security.http.ssl.keystore.path", testnodeStore) .put("xpack.security.http.ssl.keystore.type", testnodeStoreType) 
@@ -340,7 +346,7 @@ public void testThatHttpClientAuthDefaultsToNone() throws Exception { public void testThatTruststorePasswordIsRequired() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.keystore.path", testnodeStore) .put("xpack.security.transport.ssl.keystore.type", testnodeStoreType) .setSecureSettings(secureSettings) @@ -354,7 +360,7 @@ public void testThatTruststorePasswordIsRequired() throws Exception { } public void testThatKeystorePasswordIsRequired() throws Exception { - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.keystore.path", testnodeStore) .put("xpack.security.transport.ssl.keystore.type", testnodeStoreType) .build(); @@ -370,7 +376,7 @@ public void testCiphersAndInvalidCiphersWork() throws Exception { ciphers.add("bar"); MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.certificate", testnodeCert) .put("xpack.security.transport.ssl.key", testnodeKey) @@ -389,7 +395,7 @@ public void testInvalidCiphersOnlyThrowsException() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.certificate", testnodeCert) .put("xpack.security.transport.ssl.key", testnodeKey) .setSecureSettings(secureSettings) 
@@ -404,7 +410,7 @@ public void testInvalidCiphersOnlyThrowsException() throws Exception { public void testThatSSLEngineHasCipherSuitesOrderSet() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.certificate", testnodeCert) .put("xpack.security.transport.ssl.key", testnodeKey) @@ -420,7 +426,7 @@ public void testThatSSLEngineHasCipherSuitesOrderSet() throws Exception { public void testThatSSLSocketFactoryHasProperCiphersAndProtocols() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.certificate", testnodeCert) .put("xpack.security.transport.ssl.key", testnodeKey) @@ -446,7 +452,7 @@ public void testThatSSLSocketFactoryHasProperCiphersAndProtocols() throws Except public void testThatSSLEngineHasProperCiphersAndProtocols() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.certificate", testnodeCert) .put("xpack.security.transport.ssl.key", testnodeKey) 
@@ -504,7 +510,7 @@ public void testSSLStrategy() { } public void testGetConfigurationByContextName() throws Exception { - assumeFalse("Can't run in a FIPS JVM, JKS keystores can't be used", inFipsJvm()); + assumeFalse("Can't run in a FIPS JVM, JKS keystores can't be used", inFipsSunJsseJvm()); final SSLContext sslContext = SSLContext.getInstance("TLSv1.2"); sslContext.init(null, null, null); final String[] cipherSuites = sslContext.getSupportedSSLParameters().getCipherSuites(); @@ -529,7 +535,7 @@ public void testGetConfigurationByContextName() throws Exception { final Iterator cipher = Arrays.asList(cipherSuites).iterator(); final MockSecureSettings secureSettings = new MockSecureSettings(); - final Settings.Builder builder = Settings.builder(); + final Settings.Builder builder = getSettingsBuilder(); for (String prefix : contextNames) { if (prefix.startsWith("xpack.security.transport") || prefix.startsWith("xpack.security.http")) { builder.put(prefix + ".enabled", true); @@ -567,7 +573,7 @@ public void testReadCertificateInformation() throws Exception { secureSettings.setString("xpack.security.transport.ssl.truststore.secure_password", "testnode"); secureSettings.setString("xpack.http.ssl.keystore.secure_password", "testnode"); - final Settings settings = Settings.builder() + final Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.enabled", randomBoolean()) .put("xpack.security.transport.ssl.keystore.path", jksPath) .put("xpack.security.transport.ssl.truststore.path", jksPath) 
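Review bot: `testGetConfigurationByContextName` now skips only on `inFipsSunJsseJvm()`, but the assumption message still reads "Can't run in a FIPS JVM, JKS keystores can't be used", and the other JKS-based tests in this file (`testCreateWithKeystoreIsValidForServer`, `testValidForServer`) keep `inFipsJvm()` for exactly that reason. If the test has no JKS dependency and the only obstacle is the diagnostic trust manager, the message should say so, e.g. `assumeFalse("We cannot enable diagnostic trust manager in FIPS mode with SunJSSE", inFipsSunJsseJvm());` matching the wording this commit uses later in the file; if it still loads JKS stores, the condition should stay `inFipsJvm()`. The part of the test body that configures keystores is outside the hunk, so which of the two applies cannot be told from here.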
@@ -771,7 +777,7 @@ public void testThatSSLContextWithoutSettingsWorks() throws Exception { public void testThatSSLContextTrustsJDKTrustedCAs() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testclient"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.keystore.path", testclientStore) .setSecureSettings(secureSettings) .build(); @@ -804,7 +810,7 @@ public void testThatSSLIOSessionStrategyWithoutSettingsWorks() throws Exception public void testThatSSLIOSessionStrategyTrustsJDKTrustedCAs() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testclient"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.keystore.path", testclientStore) .setSecureSettings(secureSettings) .build(); @@ -820,6 +826,7 @@ public void testThatSSLIOSessionStrategyTrustsJDKTrustedCAs() throws Exception { } public void testWrapTrustManagerWhenDiagnosticsEnabled() { + assumeFalse("We cannot enable diagnostic trust manager in FIPS mode with SunJSSE", inFipsSunJsseJvm()); final Settings.Builder builder = Settings.builder(); if (randomBoolean()) { // randomly select between default, and explicit enabled builder.put("xpack.security.ssl.diagnose.trust", true); @@ -851,6 +858,7 @@ public void testDontWrapTrustManagerByDefaultWhenInFips(){ } public void testWrapTrustManagerWhenInFipsAndExplicitlyConfigured(){ + assumeFalse("We cannot enable diagnostic trust manager in FIPS mode with SunJSSE", inFipsSunJsseJvm()); final Settings.Builder builder = Settings.builder(); builder.put("xpack.security.fips_mode.enabled", true); builder.put("xpack.security.ssl.diagnose.trust", true); 
@@ -902,6 +910,14 @@ private static void privilegedConnect(CheckedRunnable runnable) throw } } + private Settings.Builder getSettingsBuilder() { + Settings.Builder builder = Settings.builder(); + if (inFipsSunJsseJvm()) { + builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + } + return builder; + } + private static final class MockSSLSession implements SSLSession { private final byte[] id; diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecurityIntegTestCase.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecurityIntegTestCase.java index abc468d05dc76..98523c952a811 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecurityIntegTestCase.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecurityIntegTestCase.java @@ -246,7 +246,7 @@ protected Settings nodeSettings(int nodeOrdinal) { builder.put(LicenseService.SELF_GENERATED_LICENSE_TYPE.getKey(), "trial"); builder.put(NetworkModule.TRANSPORT_TYPE_KEY, randomBoolean() ? SecurityField.NAME4 : SecurityField.NIO); builder.put(NetworkModule.HTTP_TYPE_KEY, randomBoolean() ? SecurityField.NAME4 : SecurityField.NIO); - if (inFipsJvm()) { + if (inFipsSunJsseJvm()) { builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); } Settings.Builder customBuilder = Settings.builder().put(customSettings); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySingleNodeTestCase.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySingleNodeTestCase.java index ec612a9905486..5fb2ec414bb4e 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySingleNodeTestCase.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySingleNodeTestCase.java 
@@ -168,7 +168,7 @@ protected Settings nodeSettings() {
 builder.put(LicenseService.SELF_GENERATED_LICENSE_TYPE.getKey(), "trial");
 builder.put("transport.type", "security4");
 builder.put("path.home", customSecuritySettingsSource.nodePath(0));
- if (inFipsJvm()) {
+ if (inFipsSunJsseJvm()) {
 builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
 }
 Settings.Builder customBuilder = Settings.builder().put(customSettings);
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheckTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheckTests.java
index 66aff9abcb4d6..ef0a127ad5aeb 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheckTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheckTests.java
@@ -148,7 +148,7 @@ public void testBootstrapCheckWithClosedSecuredSetting() throws Exception {
 
 private Settings.Builder getSettingsBuilder() {
 Settings.Builder builder = Settings.builder();
- if (inFipsJvm()) {
+ if (inFipsSunJsseJvm()) {
 builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
 }
 return builder;
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java
index 57f34496fc964..d7a01760e26ee 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java
@@ -102,7 +102,7 @@ private Collection createComponents(Settings testSettings, SecurityExten
 .put("xpack.security.enabled", true)
 .put(testSettings)
 .put("path.home", createTempDir());
- if (inFipsJvm()) {
+ if (inFipsSunJsseJvm()) {
 builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
 }
 Settings settings = builder.build();
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/oidc/TransportOpenIdConnectLogoutActionTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/oidc/TransportOpenIdConnectLogoutActionTests.java
index 91e0c4f7a24ff..87674ed7c59ec 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/oidc/TransportOpenIdConnectLogoutActionTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/oidc/TransportOpenIdConnectLogoutActionTests.java
@@ -93,7 +93,7 @@ public void setup() throws Exception {
 .put("path.home", createTempDir())
 .build();
 Settings.Builder sslSettingsBuilder = Settings.builder();
- if (inFipsJvm()) {
+ if (inFipsSunJsseJvm()) {
 sslSettingsBuilder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
 }
 final Settings sslSettings = sslSettingsBuilder
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/ESNativeMigrateToolTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/ESNativeMigrateToolTests.java
index 40e6f7510f02e..c8820e7add956 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/ESNativeMigrateToolTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/ESNativeMigrateToolTests.java
@@ -176,7 +176,7 @@ public void testMissingPasswordParameter() {
 
 private Settings.Builder getSettingsBuilder() {
 Settings.Builder builder = Settings.builder();
- if (inFipsJvm()) {
+ if (inFipsSunJsseJvm()) {
 builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
 }
 return builder;
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/tool/CommandLineHttpClientTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/tool/CommandLineHttpClientTests.java
index 52f33087959f2..eae4735246f37 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/tool/CommandLineHttpClientTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/tool/CommandLineHttpClientTests.java
@@ -72,7 +72,7 @@ public void testCommandLineHttpClientCanExecuteAndReturnCorrectResultUsingSSLSet
 
 public void testGetDefaultURLFailsWithHelpfulMessage() {
 Settings.Builder builder = Settings.builder();
- if (inFipsJvm()) {
+ if (inFipsSunJsseJvm()) {
 builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
 }
 Settings settings = builder
@@ -93,7 +93,7 @@ private Settings.Builder getHttpSslSettings() {
 MockSecureSettings secureSettings = new MockSecureSettings();
 secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode");
 Settings.Builder builder = Settings.builder();
- if (inFipsJvm()) {
+ if (inFipsSunJsseJvm()) {
 builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
 }
 return builder
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectoryRealmTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectoryRealmTests.java
index 997a1ed10157f..bd06aa8aef45c 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectoryRealmTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectoryRealmTests.java
@@ -144,7 +144,7 @@ public void start() throws Exception {
 threadPool = new TestThreadPool("active directory realm tests");
 resourceWatcherService = new ResourceWatcherService(Settings.EMPTY, threadPool);
 Settings.Builder builder = Settings.builder();
- if (inFipsJvm()) {
+ if (inFipsSunJsseJvm()) {
 builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
 }
 globalSettings = builder.put("path.home", createTempDir()).build();
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapRealmTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapRealmTests.java
index f8a958a2ad864..abb18e0503dca 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapRealmTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapRealmTests.java
@@ -100,7 +100,7 @@ public void init() throws Exception {
 threadPool = new TestThreadPool("ldap realm tests");
 resourceWatcherService = new ResourceWatcherService(Settings.EMPTY, threadPool);
 Settings.Builder builder = Settings.builder();
- if (inFipsJvm()) {
+ if (inFipsSunJsseJvm()) {
 builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
 }
 defaultGlobalSettings = builder.put("path.home", createTempDir()).build();
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapSessionFactoryTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapSessionFactoryTests.java
index dd6b84162f255..c5da34a478c67 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapSessionFactoryTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapSessionFactoryTests.java @@ -61,7 +61,7 @@ public void setup() throws Exception { ldapCaPath = createTempFile(); Files.copy(origCa, ldapCaPath, StandardCopyOption.REPLACE_EXISTING); Settings.Builder builder = Settings.builder(); - if (inFipsJvm()) { + if (inFipsSunJsseJvm()) { builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); } globalSettings = builder diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapTestUtils.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapTestUtils.java index 65eb36aeba73b..fac9e62caf800 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapTestUtils.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapTestUtils.java @@ -13,6 +13,7 @@ import org.elasticsearch.common.settings.Settings; import org.elasticsearch.env.Environment; import org.elasticsearch.env.TestEnvironment; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.authc.ldap.support.SessionFactorySettings; import org.elasticsearch.xpack.core.ssl.SSLConfiguration; import org.elasticsearch.xpack.core.ssl.SSLService; @@ -21,6 +22,8 @@ import java.nio.file.Path; +import static org.elasticsearch.test.ESTestCase.inFipsSunJsseJvm; + public class LdapTestUtils { private LdapTestUtils() { 
@@ -31,6 +34,9 @@ public static LDAPConnection openConnection(String url, String bindDN, String bi
 Settings.Builder builder = Settings.builder().put("path.home", LuceneTestCase.createTempDir());
 MockSecureSettings secureSettings = new MockSecureSettings();
 builder.setSecureSettings(secureSettings);
+ if (inFipsSunJsseJvm()){
+ builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
+ }
 // fake realms so ssl will get loaded
 builder.put("xpack.security.authc.realms.ldap.foo.ssl.truststore.path", truststore);
 builder.put("xpack.security.authc.realms.ldap.foo.ssl.verification_mode", VerificationMode.FULL);
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapUserSearchSessionFactoryTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapUserSearchSessionFactoryTests.java
index 99eec57292ddc..93be7b8778b3a 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapUserSearchSessionFactoryTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapUserSearchSessionFactoryTests.java
@@ -64,7 +64,7 @@ public void init() throws Exception {
 * verification tests since a re-established connection does not perform hostname verification.
 */
 Settings.Builder builder = Settings.builder();
- if (inFipsJvm()) {
+ if (inFipsSunJsseJvm()) {
 builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
 }
 globalSettings = builder
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/LdapTestCase.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/LdapTestCase.java
index 52427bcc86c85..0f6af5ae2c282 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/LdapTestCase.java
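Review bot: `if (inFipsSunJsseJvm()){` in `LdapTestUtils.openConnection` is missing the space before the brace that every other new `if (inFipsSunJsseJvm()) {` in this patch carries; the same slip is in `OpenLdapTests.initializeSslSocketFactory` at the `@@ -90,6 +91,9 @@` hunk. Change both to `if (inFipsSunJsseJvm()) {` so the FIPS guard is grep-identical across the test tree. The remainder of `openConnection` lies outside the hunk.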
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/LdapTestCase.java @@ -172,7 +172,7 @@ public static Settings buildLdapSettings(RealmConfig.RealmIdentifier realmId, St if (serverSetType != null) { builder.put(getFullSettingKey(realmId, LdapLoadBalancingSettings.LOAD_BALANCE_TYPE_SETTING), serverSetType.toString()); } - if (inFipsJvm()) { + if (inFipsSunJsseJvm()) { builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); } return builder.build(); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/SessionFactoryLoadBalancingTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/SessionFactoryLoadBalancingTests.java index c7c8fc0926b30..d639f7dd41494 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/SessionFactoryLoadBalancingTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/SessionFactoryLoadBalancingTests.java @@ -294,7 +294,7 @@ private TestSessionFactory createSessionFactory(LdapLoadBalancing loadBalancing) RealmConfig config = new RealmConfig(REALM_IDENTIFIER, globalSettings, TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY)); Settings.Builder builder = Settings.builder(); - if (inFipsJvm()) { + if (inFipsSunJsseJvm()) { builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); } return new TestSessionFactory(config, new SSLService(builder.build(), TestEnvironment.newEnvironment(config.settings())), diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/SessionFactoryTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/SessionFactoryTests.java index 55a50b6091c6b..b6a4b6a9d48b5 100644 
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/SessionFactoryTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/SessionFactoryTests.java
@@ -67,7 +67,7 @@ public void testSessionFactoryWithResponseTimeout() throws Exception {
 final RealmConfig.RealmIdentifier realmId = new RealmConfig.RealmIdentifier("ldap", "response_settings");
 final Path pathHome = createTempDir();
 {
- Settings settings = Settings.builder()
+ Settings settings = getSettingsBuilder()
 .put(getFullSettingKey(realmId, SessionFactorySettings.TIMEOUT_RESPONSE_SETTING), "10s")
 .put("path.home", pathHome)
 .build();
@@ -78,7 +78,7 @@ public void testSessionFactoryWithResponseTimeout() throws Exception {
 assertThat(options.getResponseTimeoutMillis(), is(equalTo(10000L)));
 }
 {
- Settings settings = Settings.builder()
+ Settings settings = getSettingsBuilder()
 .put(getFullSettingKey(realmId, SessionFactorySettings.TIMEOUT_TCP_READ_SETTING), "7s")
 .put("path.home", pathHome)
 .build();
@@ -91,7 +91,7 @@ public void testSessionFactoryWithResponseTimeout() throws Exception {
 .getConcreteSettingForNamespace("response_settings")});
 }
 {
- Settings settings = Settings.builder()
+ Settings settings = getSettingsBuilder()
 .put(getFullSettingKey(realmId, SessionFactorySettings.TIMEOUT_RESPONSE_SETTING), "11s")
 .put(getFullSettingKey(realmId, SessionFactorySettings.TIMEOUT_TCP_READ_SETTING), "6s")
 .put("path.home", pathHome)
@@ -105,7 +105,7 @@ public void testSessionFactoryWithResponseTimeout() throws Exception {
 ".authc.realms.ldap.response_settings.timeout.response] may not be used at the same time"));
 }
 {
- Settings settings = Settings.builder()
+ Settings settings = getSettingsBuilder()
 .put(getFullSettingKey(realmId, SessionFactorySettings.TIMEOUT_LDAP_SETTING), "750ms")
 .put("path.home", pathHome)
 .build();
@@ -197,7 +197,7 @@ public void session(String user, SecureString password, ActionListener messages = new ArrayList<>(); server.addListener(messages::add); try { - final Settings.Builder settings = Settings.builder() + final Settings.Builder settings = getSettingsBuilder() .put("xpack.notification.email.ssl.truststore.path", getDataPath("test-smtp.p12")); final MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.notification.email.ssl.truststore.secure_password", "test-smtp"); @@ -156,5 +157,13 @@ private List getAllCauses(Exception exception) { return allCauses; } + private Settings.Builder getSettingsBuilder() { + Settings.Builder builder = Settings.builder(); + if (inFipsSunJsseJvm()) { + builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + } + return builder; + } + } diff --git a/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/actions/webhook/WebhookActionTests.java b/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/actions/webhook/WebhookActionTests.java index 439eb45f0159f..dc87a0ddf29ff 100644 --- a/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/actions/webhook/WebhookActionTests.java +++ b/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/actions/webhook/WebhookActionTests.java @@ -16,6 +16,7 @@ import org.elasticsearch.test.ESTestCase; import org.elasticsearch.test.http.MockResponse; import org.elasticsearch.test.http.MockWebServer; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.ssl.SSLService; import org.elasticsearch.xpack.core.watcher.actions.Action; import org.elasticsearch.xpack.core.watcher.actions.Action.Result.Status; 
@@ -213,7 +214,11 @@ private WebhookActionFactory webhookFactory(HttpClient client) { } public void testThatSelectingProxyWorks() throws Exception { - Environment environment = TestEnvironment.newEnvironment(Settings.builder().put("path.home", createTempDir()).build()); + Settings.Builder settingsBuilder = Settings.builder(); + if (inFipsSunJsseJvm()) { + settingsBuilder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + } + Environment environment = TestEnvironment.newEnvironment(settingsBuilder.put("path.home", createTempDir()).build()); try (HttpClient httpClient = new HttpClient(Settings.EMPTY, new SSLService(environment.settings(), environment), null, mockClusterService()); diff --git a/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/actions/webhook/WebhookHttpsIntegrationTests.java b/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/actions/webhook/WebhookHttpsIntegrationTests.java index 9d8005344e8b2..1163967be4584 100644 --- a/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/actions/webhook/WebhookHttpsIntegrationTests.java +++ b/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/actions/webhook/WebhookHttpsIntegrationTests.java 
@@ -53,13 +53,16 @@ public class WebhookHttpsIntegrationTests extends AbstractWatcherIntegrationTest protected Settings nodeSettings(int nodeOrdinal) { Path keyPath = getDataPath("/org/elasticsearch/xpack/security/keystore/testnode.pem"); Path certPath = getDataPath("/org/elasticsearch/xpack/security/keystore/testnode.crt"); - return Settings.builder() + Settings.Builder builder = Settings.builder() .put(super.nodeSettings(nodeOrdinal)) .put("xpack.http.ssl.key", keyPath) .put("xpack.http.ssl.certificate", certPath) .put("xpack.http.ssl.keystore.password", "testnode") - .putList("xpack.http.ssl.supported_protocols", getProtocols()) - .build(); + .putList("xpack.http.ssl.supported_protocols", getProtocols()); + if (inFipsSunJsseJvm()) { + builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + } + return builder.build(); } @Before diff --git a/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpClientTests.java b/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpClientTests.java index 2e0c8d2df6e1f..ba843c714b6b6 100644 --- a/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpClientTests.java +++ b/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpClientTests.java @@ -78,7 +78,7 @@ public class HttpClientTests extends ESTestCase { private MockWebServer webServer = new MockWebServer(); private HttpClient httpClient; - private Environment environment = TestEnvironment.newEnvironment(Settings.builder().put("path.home", createTempDir()).build()); + private Environment environment = TestEnvironment.newEnvironment(getSettingsBuilder().put("path.home", createTempDir()).build()); @Before public void init() throws Exception { 
@@ -188,7 +188,7 @@ public void testHttps() throws Exception { Path certPath = getDataPath("/org/elasticsearch/xpack/security/keystore/testnode.crt"); Path keyPath = getDataPath("/org/elasticsearch/xpack/security/keystore/testnode.pem"); MockSecureSettings secureSettings = new MockSecureSettings(); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.http.ssl.certificate_authorities", trustedCertPath) .setSecureSettings(secureSettings) .build(); @@ -196,7 +196,7 @@ public void testHttps() throws Exception { secureSettings = new MockSecureSettings(); // We can't use the client created above for the server since it is only a truststore secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode"); - Settings settings2 = Settings.builder() + Settings settings2 = getSettingsBuilder() .put("xpack.security.http.ssl.enabled", true) .put("xpack.security.http.ssl.key", keyPath) .put("xpack.security.http.ssl.certificate", certPath) @@ -213,7 +213,7 @@ public void testHttpsDisableHostnameVerification() throws Exception { Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-no-subjaltname.crt"); Path keyPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-no-subjaltname.pem"); Settings settings; - Settings.Builder builder = Settings.builder() + Settings.Builder builder = getSettingsBuilder() .put("xpack.http.ssl.certificate_authorities", certPath); if (inFipsJvm()) { //Can't use TrustAllConfig in FIPS mode 
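Review bot: In `testHttpsDisableHostnameVerification` the new `getSettingsBuilder()` call (keyed on `inFipsSunJsseJvm()`) now sits two lines above the pre-existing `if (inFipsJvm()) {` guard, and nothing says the two predicates are intentionally different: the first only matters when SunJSSE is the FIPS provider, the second, per its own `//Can't use TrustAllConfig in FIPS mode` comment, applies whenever the JVM is in FIPS mode at all. A reader doing a later cleanup could plausibly "unify" them, so a comment on the existing guard such as `// inFipsJvm(), not inFipsSunJsseJvm(): TrustAllConfig is unavailable under any FIPS provider, not just SunJSSE` would remove that ambiguity. The method continues beyond the hunk.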
@@ -226,7 +226,7 @@ public void testHttpsDisableHostnameVerification() throws Exception {
 MockSecureSettings secureSettings = new MockSecureSettings();
 // We can't use the client created above for the server since it only defines a truststore
 secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode-no-subjaltname");
- Settings settings2 = Settings.builder()
+ Settings settings2 = getSettingsBuilder()
 .put("xpack.security.http.ssl.enabled", true)
 .put("xpack.security.http.ssl.key", keyPath)
 .put("xpack.security.http.ssl.certificate", certPath)
@@ -244,7 +244,7 @@ public void testHttpsClientAuth() throws Exception {
 Path keyPath = getDataPath("/org/elasticsearch/xpack/security/keystore/testnode.pem");
 MockSecureSettings secureSettings = new MockSecureSettings();
 secureSettings.setString("xpack.http.ssl.secure_key_passphrase", "testnode");
- Settings settings = Settings.builder()
+ Settings settings = getSettingsBuilder()
 .put("xpack.http.ssl.key", keyPath)
 .put("xpack.http.ssl.certificate", certPath)
 .putList("xpack.http.ssl.supported_protocols", getProtocols())
@@ -300,7 +300,8 @@ public void testHttpResponseWithAnyStatusCodeCanReturnBody() throws Exception {
 
 @Network
 public void testHttpsWithoutTruststore() throws Exception {
- try (HttpClient client = new HttpClient(Settings.EMPTY, new SSLService(Settings.EMPTY, environment), null, mockClusterService())) {
+ try (HttpClient client = new HttpClient(Settings.EMPTY, new SSLService(getSettingsBuilder().build(), environment), null,
+ mockClusterService())) {
 // Known server with a valid cert from a commercial CA
 HttpRequest.Builder request = HttpRequest.builder("www.elastic.co", 443).scheme(Scheme.HTTPS);
 HttpResponse response = client.execute(request.build());
@@ -315,7 +316,7 @@ public void testThatProxyCanBeConfigured() throws Exception { try (MockWebServer proxyServer = new MockWebServer()) { proxyServer.enqueue(new MockResponse().setResponseCode(200).setBody("fullProxiedContent")); proxyServer.start(); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put(HttpSettings.PROXY_HOST.getKey(), "localhost") .put(HttpSettings.PROXY_PORT.getKey(), proxyServer.getPort()) .build(); @@ -381,7 +382,7 @@ public void testProxyCanHaveDifferentSchemeThanRequest() throws Exception { MockSecureSettings serverSecureSettings = new MockSecureSettings(); // We can't use the client created above for the server since it is only a truststore serverSecureSettings.setString("xpack.http.ssl.secure_key_passphrase", "testnode"); - Settings serverSettings = Settings.builder() + Settings serverSettings = getSettingsBuilder() .put("xpack.http.ssl.key", keyPath) .put("xpack.http.ssl.certificate", certPath) .putList("xpack.http.ssl.supported_protocols", getProtocols()) @@ -395,7 +396,7 @@ public void testProxyCanHaveDifferentSchemeThanRequest() throws Exception { proxyServer.enqueue(new MockResponse().setResponseCode(200).setBody("fullProxiedContent")); proxyServer.start(); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put(HttpSettings.PROXY_HOST.getKey(), "localhost") .put(HttpSettings.PROXY_PORT.getKey(), proxyServer.getPort()) .put(HttpSettings.PROXY_SCHEME.getKey(), "https") @@ -427,7 +428,7 @@ public void testThatProxyCanBeOverriddenByRequest() throws Exception { try (MockWebServer proxyServer = new MockWebServer()) { proxyServer.enqueue(new MockResponse().setResponseCode(200).setBody("fullProxiedContent")); proxyServer.start(); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put(HttpSettings.PROXY_HOST.getKey(), "localhost") .put(HttpSettings.PROXY_PORT.getKey(), proxyServer.getPort() + 1) .put(HttpSettings.PROXY_HOST.getKey(), "https") 
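Review bot: In `testThatProxyCanBeOverriddenByRequest` (the `@@ -427,7 +428,7 @@` hunk) the statement rewritten to start from `getSettingsBuilder()` still puts `HttpSettings.PROXY_HOST` twice, the second time with the value `"https"`, which overwrites the `"localhost"` set two lines earlier and reads like a mistyped `HttpSettings.PROXY_SCHEME` (the key `testProxyCanHaveDifferentSchemeThanRequest` uses for that value). This is pre-existing context rather than something the commit introduced, but since the statement is being touched anyway it is worth confirming the intent: as written the global proxy host is the literal string `https`, so the test presumably passes only because the per-request proxy overrides it. If the scheme was meant, the last line becomes `.put(HttpSettings.PROXY_SCHEME.getKey(), "https")`. The test body continues past the hunk.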
@@ -451,7 +452,7 @@ public void testThatProxyCanBeOverriddenByRequest() throws Exception { } public void testThatProxyConfigurationRequiresHostAndPort() { - Settings.Builder settings = Settings.builder(); + Settings.Builder settings = getSettingsBuilder(); if (randomBoolean()) { settings.put(HttpSettings.PROXY_HOST.getKey(), "localhost"); } else { @@ -552,7 +553,7 @@ public void testMaxHttpResponseSize() throws Exception { String data = randomAlphaOfLength(randomBytesLength); webServer.enqueue(new MockResponse().setResponseCode(200).setBody(data)); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put(HttpSettings.MAX_HTTP_RESPONSE_SIZE.getKey(), new ByteSizeValue(randomBytesLength - 1, ByteSizeUnit.BYTES)) .build(); @@ -631,7 +632,7 @@ public void testThatUrlDoesNotContainQuestionMarkAtTheEnd() throws Exception { public void testThatWhiteListingWorks() throws Exception { webServer.enqueue(new MockResponse().setResponseCode(200).setBody("whatever")); - Settings settings = Settings.builder().put(HttpSettings.HOSTS_WHITELIST.getKey(), getWebserverUri()).build(); + Settings settings = getSettingsBuilder().put(HttpSettings.HOSTS_WHITELIST.getKey(), getWebserverUri()).build(); try (HttpClient client = new HttpClient(settings, new SSLService(environment.settings(), environment), null, mockClusterService())) { @@ -641,7 +642,7 @@ public void testThatWhiteListingWorks() throws Exception { } public void testThatWhiteListBlocksRequests() throws Exception { - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put(HttpSettings.HOSTS_WHITELIST.getKey(), getWebserverUri()) .build(); 
@@ -667,7 +668,7 @@ public void testThatWhiteListBlocksRedirects() throws Exception { webServer.enqueue(new MockResponse().setResponseCode(200)); } - Settings settings = Settings.builder().put(HttpSettings.HOSTS_WHITELIST.getKey(), getWebserverUri()).build(); + Settings settings = getSettingsBuilder().put(HttpSettings.HOSTS_WHITELIST.getKey(), getWebserverUri()).build(); try (HttpClient client = new HttpClient(settings, new SSLService(environment.settings(), environment), null, mockClusterService())) { @@ -688,7 +689,7 @@ public void testThatWhiteListingWorksForRedirects() throws Exception { } webServer.enqueue(new MockResponse().setResponseCode(200).setBody("shouldBeRead")); - Settings settings = Settings.builder().put(HttpSettings.HOSTS_WHITELIST.getKey(), getWebserverUri() + "*").build(); + Settings settings = getSettingsBuilder().put(HttpSettings.HOSTS_WHITELIST.getKey(), getWebserverUri() + "*").build(); try (HttpClient client = new HttpClient(settings, new SSLService(environment.settings(), environment), null, mockClusterService())) { @@ -704,7 +705,7 @@ public void testThatWhiteListingWorksForRedirects() throws Exception { public void testThatWhiteListReloadingWorks() throws Exception { webServer.enqueue(new MockResponse().setResponseCode(200).setBody("whatever")); - Settings settings = Settings.builder().put(HttpSettings.HOSTS_WHITELIST.getKey(), "example.org").build(); + Settings settings = getSettingsBuilder().put(HttpSettings.HOSTS_WHITELIST.getKey(), "example.org").build(); ClusterService clusterService = mock(ClusterService.class); ClusterSettings clusterSettings = new ClusterSettings(settings, new HashSet<>(HttpSettings.getSettings())); when(clusterService.getClusterSettings()).thenReturn(clusterSettings); 
@@ -719,7 +720,7 @@ public void testThatWhiteListReloadingWorks() throws Exception { ElasticsearchException e = expectThrows(ElasticsearchException.class, () -> client.execute(request)); assertThat(e.getMessage(), containsString("is not whitelisted")); - Settings newSettings = Settings.builder().put(HttpSettings.HOSTS_WHITELIST.getKey(), getWebserverUri()).build(); + Settings newSettings = getSettingsBuilder().put(HttpSettings.HOSTS_WHITELIST.getKey(), getWebserverUri()).build(); clusterSettings.applySettings(newSettings); HttpResponse response = client.execute(request); @@ -790,4 +791,12 @@ private static List getProtocols() { } return XPackSettings.DEFAULT_SUPPORTED_PROTOCOLS; } + + private Settings.Builder getSettingsBuilder() { + Settings.Builder builder = Settings.builder(); + if (inFipsSunJsseJvm()) { + builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + } + return builder; + } } diff --git a/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpConnectionTimeoutTests.java b/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpConnectionTimeoutTests.java index 3451c771e3e60..1e46eb6ba3884 100644 --- a/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpConnectionTimeoutTests.java +++ b/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpConnectionTimeoutTests.java @@ -12,6 +12,7 @@ import org.elasticsearch.env.TestEnvironment; import org.elasticsearch.test.ESTestCase; import org.elasticsearch.test.junit.annotations.Network; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.ssl.SSLService; import static org.elasticsearch.xpack.watcher.common.http.HttpClientTests.mockClusterService; 
@@ -24,7 +25,7 @@ public class HttpConnectionTimeoutTests extends ESTestCase { @Network public void testDefaultTimeout() throws Exception { - Environment environment = TestEnvironment.newEnvironment(Settings.builder().put("path.home", createTempDir()).build()); + Environment environment = TestEnvironment.newEnvironment(getSettingsBuilder().put("path.home", createTempDir()).build()); HttpClient httpClient = new HttpClient(Settings.EMPTY, new SSLService(environment.settings(), environment), null, mockClusterService()); @@ -49,7 +50,7 @@ public void testDefaultTimeout() throws Exception { @Network public void testDefaultTimeoutCustom() throws Exception { - Environment environment = TestEnvironment.newEnvironment(Settings.builder().put("path.home", createTempDir()).build()); + Environment environment = TestEnvironment.newEnvironment(getSettingsBuilder().put("path.home", createTempDir()).build()); HttpClient httpClient = new HttpClient(Settings.builder() .put("xpack.http.default_connection_timeout", "5s").build(), new SSLService(environment.settings(), environment), null, mockClusterService()); @@ -75,7 +76,7 @@ public void testDefaultTimeoutCustom() throws Exception { @Network public void testTimeoutCustomPerRequest() throws Exception { - Environment environment = TestEnvironment.newEnvironment(Settings.builder().put("path.home", createTempDir()).build()); + Environment environment = TestEnvironment.newEnvironment(getSettingsBuilder().put("path.home", createTempDir()).build()); HttpClient httpClient = new HttpClient(Settings.builder() .put("xpack.http.default_connection_timeout", "10s").build(), new SSLService(environment.settings(), environment), null, mockClusterService()); 
@@ -99,4 +100,12 @@ public void testTimeoutCustomPerRequest() throws Exception { // expected } } + + private Settings.Builder getSettingsBuilder() { + Settings.Builder builder = Settings.builder(); + if (inFipsSunJsseJvm()) { + builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + } + return builder; + } } diff --git a/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpReadTimeoutTests.java b/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpReadTimeoutTests.java index e534a2a90757e..4e56914deb354 100644 --- a/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpReadTimeoutTests.java +++ b/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpReadTimeoutTests.java @@ -12,6 +12,7 @@ import org.elasticsearch.test.ESTestCase; import org.elasticsearch.test.http.MockResponse; import org.elasticsearch.test.http.MockWebServer; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.ssl.SSLService; import org.junit.After; import org.junit.Before; @@ -38,7 +39,7 @@ public void cleanup() throws Exception { } public void testDefaultTimeout() throws Exception { - Environment environment = TestEnvironment.newEnvironment(Settings.builder().put("path.home", createTempDir()).build()); + Environment environment = TestEnvironment.newEnvironment(getSettingsBuilder().put("path.home", createTempDir()).build()); HttpRequest request = HttpRequest.builder("localhost", webServer.getPort()) .method(HttpMethod.POST) .path("/") 
@@ -59,7 +60,7 @@ null, mockClusterService())) { } public void testDefaultTimeoutCustom() throws Exception { - Environment environment = TestEnvironment.newEnvironment(Settings.builder().put("path.home", createTempDir()).build()); + Environment environment = TestEnvironment.newEnvironment(getSettingsBuilder().put("path.home", createTempDir()).build()); HttpRequest request = HttpRequest.builder("localhost", webServer.getPort()) .method(HttpMethod.POST) @@ -82,7 +83,7 @@ null, mockClusterService())) { } public void testTimeoutCustomPerRequest() throws Exception { - Environment environment = TestEnvironment.newEnvironment(Settings.builder().put("path.home", createTempDir()).build()); + Environment environment = TestEnvironment.newEnvironment(getSettingsBuilder().put("path.home", createTempDir()).build()); HttpRequest request = HttpRequest.builder("localhost", webServer.getPort()) .readTimeout(TimeValue.timeValueSeconds(3)) @@ -104,4 +105,12 @@ null, mockClusterService())) { assertThat(timeout.seconds(), lessThan(5L)); } } + + private Settings.Builder getSettingsBuilder() { + Settings.Builder builder = Settings.builder(); + if (inFipsSunJsseJvm()) { + builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + } + return builder; + } } diff --git a/x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/test/OpenLdapTests.java b/x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/test/OpenLdapTests.java index 22515e2d793ff..cbf8f8c0fc071 100644 --- a/x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/test/OpenLdapTests.java +++ b/x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/test/OpenLdapTests.java 
@@ -18,6 +18,7 @@ import org.elasticsearch.env.TestEnvironment; import org.elasticsearch.threadpool.TestThreadPool; import org.elasticsearch.threadpool.ThreadPool; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.authc.RealmConfig; import org.elasticsearch.xpack.core.security.authc.ldap.SearchGroupsResolverSettings; import org.elasticsearch.xpack.core.security.authc.ldap.support.LdapMetaDataResolverSettings; @@ -90,6 +91,9 @@ public void initializeSslSocketFactory() throws Exception { */ MockSecureSettings mockSecureSettings = new MockSecureSettings(); Settings.Builder builder = Settings.builder().put("path.home", createTempDir()); + if (inFipsSunJsseJvm()){ + builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + } // fake realms so ssl will get loaded builder.put("xpack.security.authc.realms.ldap.foo.ssl.truststore.path", truststore); mockSecureSettings.setString("xpack.security.authc.realms.ldap.foo.ssl.truststore.secure_password", "changeit"); diff --git a/x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/xpack/security/authc/ldap/OpenLdapUserSearchSessionFactoryTests.java b/x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/xpack/security/authc/ldap/OpenLdapUserSearchSessionFactoryTests.java index de1183db19391..ff7980dc4b9f5 100644 --- a/x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/xpack/security/authc/ldap/OpenLdapUserSearchSessionFactoryTests.java +++ b/x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/xpack/security/authc/ldap/OpenLdapUserSearchSessionFactoryTests.java 
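Review bot: The inserted `if (inFipsSunJsseJvm()){` omits the space before the brace, unlike the `if (inFipsSunJsseJvm()) {` form used in the helper methods the same patch adds; the same spacing appears in SecurityTransportClientIT, both CustomRealmIT hunks and AbstractActiveDirectoryTestCase (the MigrateToolTestCase and ESXPackSmokeClientTestCase copies are corrected later in this series). The override is also dropped into the middle of the builder setup without a comment, so a reader sees `diagnose.trust` forced to false with no connection to FIPS; a one-liner such as `// SunJSSE in FIPS mode on Java 8 cannot use the diagnostic trust manager` next to the `if` would carry the reason. initializeSslSocketFactory starts outside the hunk.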
@@ -17,6 +17,7 @@ import org.elasticsearch.test.OpenLdapTests; import org.elasticsearch.threadpool.TestThreadPool; import org.elasticsearch.threadpool.ThreadPool; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.authc.RealmConfig; import org.elasticsearch.xpack.core.security.authc.ldap.LdapUserSearchSessionFactorySettings; import org.elasticsearch.xpack.core.security.authc.ldap.PoolingSessionFactorySettings; @@ -56,7 +57,7 @@ public void init() { * If we re-use an SSLContext, previously connected sessions can get re-established which breaks hostname * verification tests since a re-established connection does not perform hostname verification. */ - globalSettings = Settings.builder() + globalSettings = getSettingsBuilder() .put("path.home", createTempDir()) .put("xpack.security.authc.realms.ldap.oldap-test.ssl.certificate_authorities", caPath) .build(); @@ -140,4 +141,12 @@ private LdapSession unauthenticatedSession(SessionFactory factory, String userna factory.unauthenticatedSession(username, future); return future.actionGet(); } + + private Settings.Builder getSettingsBuilder() { + Settings.Builder builder = Settings.builder(); + if (inFipsSunJsseJvm()) { + builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + } + return builder; + } } diff --git a/x-pack/qa/security-client-tests/src/test/java/org/elasticsearch/xpack/security/qa/SecurityTransportClientIT.java b/x-pack/qa/security-client-tests/src/test/java/org/elasticsearch/xpack/security/qa/SecurityTransportClientIT.java index 6892f640415c4..e2d6f4f2fd150 100644 --- a/x-pack/qa/security-client-tests/src/test/java/org/elasticsearch/xpack/security/qa/SecurityTransportClientIT.java +++ b/x-pack/qa/security-client-tests/src/test/java/org/elasticsearch/xpack/security/qa/SecurityTransportClientIT.java 
@@ -18,6 +18,7 @@ import org.elasticsearch.test.ESIntegTestCase; import org.elasticsearch.xpack.core.XPackClientPlugin; import org.elasticsearch.xpack.client.PreBuiltXPackTransportClient; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.SecurityField; import java.util.Collection; @@ -103,12 +104,14 @@ TransportClient transportClient(Settings extraSettings) { TransportAddress publishAddress = randomFrom(nodes).getTransport().address().publishAddress(); String clusterName = nodeInfos.getClusterName().value(); - Settings settings = Settings.builder() + Settings.Builder builder = Settings.builder() .put(extraSettings) - .put("cluster.name", clusterName) - .build(); + .put("cluster.name", clusterName); + if (inFipsSunJsseJvm()){ + builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + } - TransportClient client = new PreBuiltXPackTransportClient(settings); + TransportClient client = new PreBuiltXPackTransportClient(builder.build()); client.addTransportAddress(publishAddress); return client; } diff --git a/x-pack/qa/security-example-spi-extension/src/test/java/org/elasticsearch/example/realm/CustomRealmIT.java b/x-pack/qa/security-example-spi-extension/src/test/java/org/elasticsearch/example/realm/CustomRealmIT.java index 4487187a80b6d..cb944ffd9c1e0 100644 --- a/x-pack/qa/security-example-spi-extension/src/test/java/org/elasticsearch/example/realm/CustomRealmIT.java +++ b/x-pack/qa/security-example-spi-extension/src/test/java/org/elasticsearch/example/realm/CustomRealmIT.java @@ -23,6 +23,7 @@ import org.elasticsearch.test.ESIntegTestCase; import org.elasticsearch.xpack.client.PreBuiltXPackTransportClient; import org.elasticsearch.xpack.core.XPackClientPlugin; +import org.elasticsearch.xpack.core.XPackSettings; import java.util.Collection; import java.util.Collections; 
@@ -78,13 +79,15 @@ public void testTransportClient() throws Exception { TransportAddress publishAddress = randomFrom(nodes).getTransport().address().publishAddress(); String clusterName = nodeInfos.getClusterName().value(); - Settings settings = Settings.builder() + Settings.Builder builder = Settings.builder() .put("cluster.name", clusterName) .put(Environment.PATH_HOME_SETTING.getKey(), createTempDir().toAbsolutePath().toString()) .put(ThreadContext.PREFIX + "." + CustomRealm.USER_HEADER, CustomRealm.KNOWN_USER) - .put(ThreadContext.PREFIX + "." + CustomRealm.PW_HEADER, CustomRealm.KNOWN_PW.toString()) - .build(); - try (TransportClient client = new PreBuiltXPackTransportClient(settings)) { + .put(ThreadContext.PREFIX + "." + CustomRealm.PW_HEADER, CustomRealm.KNOWN_PW.toString()); + if (inFipsSunJsseJvm()){ + builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + } + try (TransportClient client = new PreBuiltXPackTransportClient(builder.build())) { client.addTransportAddress(publishAddress); ClusterHealthResponse response = client.admin().cluster().prepareHealth().execute().actionGet(); assertThat(response.isTimedOut(), is(false)); 
@@ -98,13 +101,15 @@ public void testTransportClientWrongAuthentication() throws Exception { TransportAddress publishAddress = randomFrom(nodes).getTransport().address().publishAddress(); String clusterName = nodeInfos.getClusterName().value(); - Settings settings = Settings.builder() + Settings.Builder builder = Settings.builder() .put("cluster.name", clusterName) .put(Environment.PATH_HOME_SETTING.getKey(), createTempDir().toAbsolutePath().toString()) .put(ThreadContext.PREFIX + "." + CustomRealm.USER_HEADER, CustomRealm.KNOWN_USER + randomAlphaOfLength(1)) - .put(ThreadContext.PREFIX + "." + CustomRealm.PW_HEADER, CustomRealm.KNOWN_PW.toString()) - .build(); - try (TransportClient client = new PreBuiltXPackTransportClient(settings)) { + .put(ThreadContext.PREFIX + "." + CustomRealm.PW_HEADER, CustomRealm.KNOWN_PW.toString()); + if (inFipsSunJsseJvm()){ + builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + } + try (TransportClient client = new PreBuiltXPackTransportClient(builder.build())) { client.addTransportAddress(publishAddress); client.admin().cluster().prepareHealth().execute().actionGet(); fail("authentication failure should have resulted in a NoNodesAvailableException"); diff --git a/x-pack/qa/security-migrate-tests/src/test/java/org/elasticsearch/xpack/security/MigrateToolTestCase.java b/x-pack/qa/security-migrate-tests/src/test/java/org/elasticsearch/xpack/security/MigrateToolTestCase.java index 0111aeff4cca2..b3f7ef45e713f 100644 --- a/x-pack/qa/security-migrate-tests/src/test/java/org/elasticsearch/xpack/security/MigrateToolTestCase.java +++ b/x-pack/qa/security-migrate-tests/src/test/java/org/elasticsearch/xpack/security/MigrateToolTestCase.java 
@@ -14,6 +14,7 @@ import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.transport.TransportAddress; import org.elasticsearch.xpack.client.PreBuiltXPackTransportClient; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.SecurityField; import org.junit.After; import org.junit.AfterClass; @@ -25,6 +26,7 @@ import java.nio.file.Path; import java.util.concurrent.atomic.AtomicInteger; +import static org.elasticsearch.test.ESTestCase.inFipsSunJsseJvm; import static org.hamcrest.Matchers.notNullValue; /** @@ -68,14 +70,16 @@ public abstract class MigrateToolTestCase extends LuceneTestCase { private static Client startClient(Path tempDir, TransportAddress... transportAddresses) { logger.info("--> Starting Elasticsearch Java TransportClient {}, {}", transportAddresses, tempDir); - Settings clientSettings = Settings.builder() + Settings.Builder clientSettingsBuilder = Settings.builder() .put("cluster.name", "qa_migrate_tests_" + counter.getAndIncrement()) .put("client.transport.ignore_cluster_name", true) .put("path.home", tempDir) - .put(SecurityField.USER_SETTING.getKey(), "transport_user:x-pack-test-password") - .build(); + .put(SecurityField.USER_SETTING.getKey(), "transport_user:x-pack-test-password"); + if (inFipsSunJsseJvm()){ + clientSettingsBuilder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + } - TransportClient client = new PreBuiltXPackTransportClient(clientSettings).addTransportAddresses(transportAddresses); + TransportClient client = new PreBuiltXPackTransportClient(clientSettingsBuilder.build()).addTransportAddresses(transportAddresses); Exception clientException = null; try { logger.info("--> Elasticsearch Java TransportClient started"); 
diff --git a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ADLdapUserSearchSessionFactoryTests.java b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ADLdapUserSearchSessionFactoryTests.java index d2c79d8882f46..57ed673111577 100644 --- a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ADLdapUserSearchSessionFactoryTests.java +++ b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ADLdapUserSearchSessionFactoryTests.java @@ -13,6 +13,7 @@ import org.elasticsearch.env.TestEnvironment; import org.elasticsearch.threadpool.TestThreadPool; import org.elasticsearch.threadpool.ThreadPool; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.authc.RealmConfig; import org.elasticsearch.xpack.core.ssl.SSLService; import org.elasticsearch.xpack.security.authc.ldap.support.LdapSession; @@ -37,14 +38,14 @@ public class ADLdapUserSearchSessionFactoryTests extends AbstractActiveDirectory @Before public void init() throws Exception { Path certPath = getDataPath("support/smb_ca.crt"); - Environment env = TestEnvironment.newEnvironment(Settings.builder().put("path.home", createTempDir()).build()); + Environment env = TestEnvironment.newEnvironment(getSettingsBuilder().put("path.home", createTempDir()).build()); /* * Prior to each test we reinitialize the socket factory with a new SSLService so that we get a new SSLContext. * If we re-use an SSLContext, previously connected sessions can get re-established which breaks hostname * verification tests since a re-established connection does not perform hostname verification. */ - globalSettings = Settings.builder() + globalSettings = getSettingsBuilder() .put("path.home", createTempDir()) .put("xpack.security.authc.realms.ldap.ad-as-ldap-test.ssl.certificate_authorities", certPath) .build(); 
@@ -135,4 +136,12 @@ private LdapSession unauthenticatedSession(SessionFactory factory, String userna factory.unauthenticatedSession(username, future); return future.actionGet(); } + + private Settings.Builder getSettingsBuilder() { + Settings.Builder builder = Settings.builder(); + if (inFipsSunJsseJvm()) { + builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + } + return builder; + } } diff --git a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/AbstractActiveDirectoryTestCase.java b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/AbstractActiveDirectoryTestCase.java index df8b23d9381a1..d65d46cff683f 100644 --- a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/AbstractActiveDirectoryTestCase.java +++ b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/AbstractActiveDirectoryTestCase.java @@ -15,6 +15,7 @@ import org.elasticsearch.env.Environment; import org.elasticsearch.env.TestEnvironment; import org.elasticsearch.test.ESTestCase; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.authc.RealmConfig; import org.elasticsearch.xpack.core.security.authc.ldap.ActiveDirectorySessionFactorySettings; import org.elasticsearch.xpack.core.security.authc.ldap.support.LdapSearchScope; 
@@ -82,7 +83,9 @@ public FileVisitResult visitFile(Path file, BasicFileAttributes attrs) throws IO * verification tests since a re-established connection does not perform hostname verification. */ Settings.Builder builder = Settings.builder().put("path.home", createTempDir()); - + if (inFipsSunJsseJvm()){ + builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + } // fake realms so ssl will get loaded builder.putList("xpack.security.authc.realms.active_directory.foo.ssl.certificate_authorities", certificatePaths); builder.put("xpack.security.authc.realms.active_directory.foo.ssl.verification_mode", VerificationMode.FULL); diff --git a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectorySessionFactoryTests.java b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectorySessionFactoryTests.java index b122404507bc6..835897b486d64 100644 --- a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectorySessionFactoryTests.java +++ b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectorySessionFactoryTests.java @@ -16,6 +16,7 @@ import org.elasticsearch.env.TestEnvironment; import org.elasticsearch.threadpool.TestThreadPool; import org.elasticsearch.threadpool.ThreadPool; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.authc.RealmConfig; import org.elasticsearch.xpack.core.security.authc.RealmSettings; import org.elasticsearch.xpack.core.security.authc.ldap.ActiveDirectorySessionFactorySettings; 
@@ -182,7 +183,7 @@ public void testAuthenticateBaseUserSearch() throws Exception { } public void testAuthenticateBaseGroupSearch() throws Exception { - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put(buildAdSettings(REALM_ID, AD_LDAP_URL, AD_DOMAIN, "CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com", LdapSearchScope.ONE_LEVEL, false)) .put(ActiveDirectorySessionFactorySettings.AD_GROUP_SEARCH_BASEDN_SETTING, @@ -244,7 +245,7 @@ public void testAuthenticateWithSAMAccountName() throws Exception { } public void testCustomUserFilter() throws Exception { - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put(buildAdSettings(REALM_ID, AD_LDAP_URL, AD_DOMAIN, "CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com", LdapSearchScope.SUB_TREE, false)) .put(getFullSettingKey(REALM_ID.getName(), ActiveDirectorySessionFactorySettings.AD_USER_SEARCH_FILTER_SETTING), @@ -270,7 +271,7 @@ public void testStandardLdapConnection() throws Exception { String groupSearchBase = "DC=ad,DC=test,DC=elasticsearch,DC=com"; String userTemplate = "CN={0},CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com"; final RealmConfig.RealmIdentifier realmId = new RealmConfig.RealmIdentifier(LdapRealmSettings.LDAP_TYPE, "ad-as-ldap-test"); - final Settings settings = Settings.builder() + final Settings settings = getSettingsBuilder() .put(LdapTestCase.buildLdapSettings(realmId, new String[]{AD_LDAP_URL}, new String[]{userTemplate}, groupSearchBase, LdapSearchScope.SUB_TREE, null, false)) .putList(RealmSettings.realmSslPrefix(realmId) + "certificate_authorities", certificatePaths) 
@@ -297,7 +298,7 @@ public void testHandlingLdapReferralErrors() throws Exception { String groupSearchBase = "DC=ad,DC=test,DC=elasticsearch,DC=com"; String userTemplate = "CN={0},CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com"; final RealmConfig.RealmIdentifier realmId = new RealmConfig.RealmIdentifier(LdapRealmSettings.LDAP_TYPE, "ad-as-ldap-test"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put(LdapTestCase.buildLdapSettings(realmId, new String[]{AD_LDAP_URL}, new String[]{userTemplate}, groupSearchBase, LdapSearchScope.SUB_TREE, null, false)) .putList(RealmSettings.realmSslPrefix(realmId) + "certificate_authorities", certificatePaths) @@ -325,7 +326,7 @@ public void testStandardLdapWithAttributeGroups() throws Exception { String userTemplate = "CN={0},CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com"; String groupSearchBase = "DC=ad,DC=test,DC=elasticsearch,DC=com"; final RealmConfig.RealmIdentifier realmId = new RealmConfig.RealmIdentifier(LdapRealmSettings.LDAP_TYPE, "ad-as-ldap-test"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put(LdapTestCase.buildLdapSettings(realmId, new String[]{AD_LDAP_URL}, new String[]{userTemplate}, groupSearchBase, LdapSearchScope.SUB_TREE, null, false)) .putList("ssl.certificate_authorities", certificatePaths) @@ -371,7 +372,7 @@ private Settings buildAdSettings(String ldapUrl, String adDomainName, boolean ho } private Settings buildAdSettings(String ldapUrl, String adDomainName, boolean hostnameVerification, boolean useBindUser) { - Settings.Builder builder = Settings.builder() + Settings.Builder builder = getSettingsBuilder() .put(getFullSettingKey(REALM_ID, SessionFactorySettings.URLS_SETTING), ldapUrl) .put(getFullSettingKey(REALM_NAME, ActiveDirectorySessionFactorySettings.AD_DOMAIN_NAME_SETTING), adDomainName) .put(getFullSettingKey(REALM_NAME, ActiveDirectorySessionFactorySettings.AD_LDAP_PORT_SETTING), AD_LDAP_PORT) 
@@ -430,4 +431,12 @@ static ActiveDirectorySessionFactory getActiveDirectorySessionFactory(RealmConfi } return sessionFactory; } + + private Settings.Builder getSettingsBuilder() { + Settings.Builder builder = Settings.builder(); + if (inFipsSunJsseJvm()) { + builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + } + return builder; + } } diff --git a/x-pack/qa/transport-client-tests/src/test/java/org/elasticsearch/xpack/ESXPackSmokeClientTestCase.java b/x-pack/qa/transport-client-tests/src/test/java/org/elasticsearch/xpack/ESXPackSmokeClientTestCase.java index e8d886330ae04..296478043b05a 100644 --- a/x-pack/qa/transport-client-tests/src/test/java/org/elasticsearch/xpack/ESXPackSmokeClientTestCase.java +++ b/x-pack/qa/transport-client-tests/src/test/java/org/elasticsearch/xpack/ESXPackSmokeClientTestCase.java @@ -15,6 +15,7 @@ import org.elasticsearch.common.transport.TransportAddress; import org.elasticsearch.env.Environment; import org.elasticsearch.xpack.client.PreBuiltXPackTransportClient; +import org.elasticsearch.xpack.core.XPackSettings; import org.junit.After; import org.junit.AfterClass; import org.junit.Before; @@ -29,6 +30,7 @@ import java.util.concurrent.atomic.AtomicInteger; import static com.carrotsearch.randomizedtesting.RandomizedTest.randomAsciiOfLength; +import static org.elasticsearch.test.ESTestCase.inFipsSunJsseJvm; import static org.hamcrest.Matchers.notNullValue; /** @@ -67,6 +69,9 @@ private static Client startClient(Path tempDir, TransportAddress... transportAdd .put("client.transport.ignore_cluster_name", true) .put("xpack.security.enabled", false) .put(Environment.PATH_HOME_SETTING.getKey(), tempDir); + if (inFipsSunJsseJvm()){ + builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + } TransportClient client = new PreBuiltXPackTransportClient(builder.build()) .addTransportAddresses(transportAddresses); 
diff --git a/x-pack/transport-client/src/test/java/org/elasticsearch/xpack/client/PreBuiltXPackTransportClientTests.java b/x-pack/transport-client/src/test/java/org/elasticsearch/xpack/client/PreBuiltXPackTransportClientTests.java index f9808ce54faac..558483507a306 100644 --- a/x-pack/transport-client/src/test/java/org/elasticsearch/xpack/client/PreBuiltXPackTransportClientTests.java +++ b/x-pack/transport-client/src/test/java/org/elasticsearch/xpack/client/PreBuiltXPackTransportClientTests.java @@ -6,9 +6,11 @@ package org.elasticsearch.xpack.client; import com.carrotsearch.randomizedtesting.RandomizedTest; +import org.elasticsearch.bootstrap.JavaVersion; import org.elasticsearch.client.transport.TransportClient; import org.elasticsearch.common.network.NetworkModule; import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.SecurityField; import org.junit.Test; @@ -21,10 +23,14 @@ public class PreBuiltXPackTransportClientTests extends RandomizedTest { @Test public void testPluginInstalled() { - try (TransportClient client = new PreBuiltXPackTransportClient(Settings.EMPTY)) { + Settings.Builder builder = Settings.builder(); + if (Boolean.parseBoolean(System.getProperty("tests.fips.enabled")) && JavaVersion.current().getVersion().get(0) == 8) { + builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + } + try (TransportClient client = new PreBuiltXPackTransportClient(builder.build())) { Settings settings = client.settings(); assertEquals(SecurityField.NAME4, NetworkModule.TRANSPORT_TYPE_SETTING.get(settings)); } } -} \ No newline at end of file +} From 633fb3a4ec44dd628f88b816f2feda1f0a453759 Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Wed, 12 Feb 2020 08:28:36 +0200 Subject: [PATCH 2/4] Fix test --- .../elasticsearch/xpack/security/MigrateToolTestCase.java | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
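Review bot: `testPluginInstalled` hard-codes the `"tests.fips.enabled"` property name and repeats the Java-8 check inline, whereas the later commits in this series switch the identical condition in MigrateToolTestCase and ESXPackSmokeClientTestCase to `ESTestCase.FIPS_SYSPROP` and add a comment pointing at issue 52391 — this file is left out of that follow-up. If the test framework is on this module's test classpath (the other two files import it statically), `import static org.elasticsearch.test.ESTestCase.FIPS_SYSPROP;` and `if (Boolean.parseBoolean(System.getProperty(FIPS_SYSPROP)) && JavaVersion.current().getVersion().get(0) == 8) {` plus the same explanatory comment would keep the three sites consistent; otherwise a local `private static final String FIPS_SYSPROP = "tests.fips.enabled";` at least names the value. A typo in a repeated literal would silently make the branch dead and the FIPS run fail only at client construction, which is why the property name should not be spelled out again here.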
diff --git a/x-pack/qa/security-migrate-tests/src/test/java/org/elasticsearch/xpack/security/MigrateToolTestCase.java b/x-pack/qa/security-migrate-tests/src/test/java/org/elasticsearch/xpack/security/MigrateToolTestCase.java index b3f7ef45e713f..8da13d59aa392 100644 --- a/x-pack/qa/security-migrate-tests/src/test/java/org/elasticsearch/xpack/security/MigrateToolTestCase.java +++ b/x-pack/qa/security-migrate-tests/src/test/java/org/elasticsearch/xpack/security/MigrateToolTestCase.java @@ -9,6 +9,7 @@ import org.apache.logging.log4j.LogManager; import org.apache.lucene.util.LuceneTestCase; import org.elasticsearch.action.admin.cluster.health.ClusterHealthResponse; +import org.elasticsearch.bootstrap.JavaVersion; import org.elasticsearch.client.Client; import org.elasticsearch.client.transport.TransportClient; import org.elasticsearch.common.settings.Settings; @@ -26,7 +27,7 @@ import java.nio.file.Path; import java.util.concurrent.atomic.AtomicInteger; -import static org.elasticsearch.test.ESTestCase.inFipsSunJsseJvm; +import static org.elasticsearch.test.ESTestCase.FIPS_SYSPROP; import static org.hamcrest.Matchers.notNullValue; /** @@ -75,10 +76,9 @@ private static Client startClient(Path tempDir, TransportAddress... transportAdd .put("client.transport.ignore_cluster_name", true) .put("path.home", tempDir) .put(SecurityField.USER_SETTING.getKey(), "transport_user:x-pack-test-password"); - if (inFipsSunJsseJvm()){ + if (Boolean.parseBoolean(System.getProperty(FIPS_SYSPROP)) && JavaVersion.current().getVersion().get(0) == 8){ clientSettingsBuilder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); } - TransportClient client = new PreBuiltXPackTransportClient(clientSettingsBuilder.build()).addTransportAddresses(transportAddresses); Exception clientException = null; try { From e8c278fb181f6de68d85f1630cae193ba8ff619a Mon Sep 17 00:00:00 2001 
From: Ioannis Kakavas Date: Wed, 12 Feb 2020 10:38:15 +0200 Subject: [PATCH 3/4] failing test --- .../elasticsearch/xpack/security/MigrateToolTestCase.java | 2 +- .../org/elasticsearch/xpack/ESXPackSmokeClientTestCase.java | 5 +++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/x-pack/qa/security-migrate-tests/src/test/java/org/elasticsearch/xpack/security/MigrateToolTestCase.java b/x-pack/qa/security-migrate-tests/src/test/java/org/elasticsearch/xpack/security/MigrateToolTestCase.java index 8da13d59aa392..cf031016e171d 100644 --- a/x-pack/qa/security-migrate-tests/src/test/java/org/elasticsearch/xpack/security/MigrateToolTestCase.java +++ b/x-pack/qa/security-migrate-tests/src/test/java/org/elasticsearch/xpack/security/MigrateToolTestCase.java @@ -76,7 +76,7 @@ private static Client startClient(Path tempDir, TransportAddress... transportAdd .put("client.transport.ignore_cluster_name", true) .put("path.home", tempDir) .put(SecurityField.USER_SETTING.getKey(), "transport_user:x-pack-test-password"); - if (Boolean.parseBoolean(System.getProperty(FIPS_SYSPROP)) && JavaVersion.current().getVersion().get(0) == 8){ + if (Boolean.parseBoolean(System.getProperty(FIPS_SYSPROP)) && JavaVersion.current().getVersion().get(0) == 8) { clientSettingsBuilder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); } TransportClient client = new PreBuiltXPackTransportClient(clientSettingsBuilder.build()).addTransportAddresses(transportAddresses); diff --git a/x-pack/qa/transport-client-tests/src/test/java/org/elasticsearch/xpack/ESXPackSmokeClientTestCase.java b/x-pack/qa/transport-client-tests/src/test/java/org/elasticsearch/xpack/ESXPackSmokeClientTestCase.java index 296478043b05a..f5008a888bff9 100644 --- a/x-pack/qa/transport-client-tests/src/test/java/org/elasticsearch/xpack/ESXPackSmokeClientTestCase.java +++ b/x-pack/qa/transport-client-tests/src/test/java/org/elasticsearch/xpack/ESXPackSmokeClientTestCase.java 
@@ -9,6 +9,7 @@ import org.apache.logging.log4j.LogManager; import org.apache.lucene.util.LuceneTestCase; import org.elasticsearch.action.admin.cluster.health.ClusterHealthResponse; +import org.elasticsearch.bootstrap.JavaVersion; import org.elasticsearch.client.Client; import org.elasticsearch.client.transport.TransportClient; import org.elasticsearch.common.settings.Settings; @@ -30,7 +31,7 @@ import java.util.concurrent.atomic.AtomicInteger; import static com.carrotsearch.randomizedtesting.RandomizedTest.randomAsciiOfLength; -import static org.elasticsearch.test.ESTestCase.inFipsSunJsseJvm; +import static org.elasticsearch.test.ESTestCase.FIPS_SYSPROP; import static org.hamcrest.Matchers.notNullValue; /** @@ -69,7 +70,7 @@ private static Client startClient(Path tempDir, TransportAddress... transportAdd .put("client.transport.ignore_cluster_name", true) .put("xpack.security.enabled", false) .put(Environment.PATH_HOME_SETTING.getKey(), tempDir); - if (inFipsSunJsseJvm()){ + if (Boolean.parseBoolean(System.getProperty(FIPS_SYSPROP)) && JavaVersion.current().getVersion().get(0) == 8) { builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); } TransportClient client = new PreBuiltXPackTransportClient(builder.build()) From 31f796f6b30b509935753bca11b2dbf8f35c81b8 Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Sat, 15 Feb 2020 18:57:17 +0200 Subject: [PATCH 4/4] address feedback --- .../xpack/core/LocalStateCompositeXPackPlugin.java | 10 ++++++---- .../xpack/security/MigrateToolTestCase.java | 1 + .../xpack/ESXPackSmokeClientTestCase.java | 1 + 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/LocalStateCompositeXPackPlugin.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/LocalStateCompositeXPackPlugin.java index f505e2169d925..5a613c284ac0a 100644 
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/LocalStateCompositeXPackPlugin.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/LocalStateCompositeXPackPlugin.java @@ -483,12 +483,14 @@ private List filterPlugins(Class type) { } private Environment getUpdatedEnvironment(Environment existingEnvironment){ - Settings.Builder additionalSettingsBuilder = Settings.builder(); - additionalSettingsBuilder.put(existingEnvironment.settings()); if (inFipsSunJsseJvm()) { - additionalSettingsBuilder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + Settings additionalSettings = Settings.builder() + .put(existingEnvironment.settings()) + .put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false) + .build(); + return new Environment(additionalSettings, existingEnvironment.configFile()); } - return new Environment(additionalSettingsBuilder.build(), existingEnvironment.configFile()); + return existingEnvironment; } } diff --git a/x-pack/qa/security-migrate-tests/src/test/java/org/elasticsearch/xpack/security/MigrateToolTestCase.java b/x-pack/qa/security-migrate-tests/src/test/java/org/elasticsearch/xpack/security/MigrateToolTestCase.java index cf031016e171d..d4e699d7270a0 100644 --- a/x-pack/qa/security-migrate-tests/src/test/java/org/elasticsearch/xpack/security/MigrateToolTestCase.java +++ b/x-pack/qa/security-migrate-tests/src/test/java/org/elasticsearch/xpack/security/MigrateToolTestCase.java 
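Review bot: The rewritten `getUpdatedEnvironment` unconditionally overrides `xpack.security.ssl.diagnose.trust` with false when `inFipsSunJsseJvm()` holds, including when the existing environment set it to true, and carries no comment saying why; a Javadoc on the method would stop a later cleanup from dropping the override, e.g. `/** Returns the environment unchanged, except that on a FIPS-mode SunJSSE JVM (Java 8) diagnostic trust-manager wrapping is disabled because it cannot be used there; an explicit diagnose.trust=true in the node settings is deliberately overridden. */`. The setting name suggests it only governs the diagnostic wrapper, not the trust decision itself; if so, say that in the comment so nobody reads the override as a relaxation of TLS validation. The same series replaces `inFipsSunJsseJvm()` with an inline property check in MigrateToolTestCase and ESXPackSmokeClientTestCase citing issue 52391; whether that concern applies to this plugin class is not visible here and should be confirmed. The enclosing class continues outside the hunk.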
@@ -76,6 +76,7 @@ private static Client startClient(Path tempDir, TransportAddress... transportAdd .put("client.transport.ignore_cluster_name", true) .put("path.home", tempDir) .put(SecurityField.USER_SETTING.getKey(), "transport_user:x-pack-test-password"); + // Do not replace this with `inFipsSunJsseJvm(), see https://github.com/elastic/elasticsearch/issues/52391 if (Boolean.parseBoolean(System.getProperty(FIPS_SYSPROP)) && JavaVersion.current().getVersion().get(0) == 8) { clientSettingsBuilder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); } diff --git a/x-pack/qa/transport-client-tests/src/test/java/org/elasticsearch/xpack/ESXPackSmokeClientTestCase.java b/x-pack/qa/transport-client-tests/src/test/java/org/elasticsearch/xpack/ESXPackSmokeClientTestCase.java index f5008a888bff9..ffb63a62c9e8a 100644 --- a/x-pack/qa/transport-client-tests/src/test/java/org/elasticsearch/xpack/ESXPackSmokeClientTestCase.java +++ b/x-pack/qa/transport-client-tests/src/test/java/org/elasticsearch/xpack/ESXPackSmokeClientTestCase.java @@ -70,6 +70,7 @@ private static Client startClient(Path tempDir, TransportAddress... transportAdd .put("client.transport.ignore_cluster_name", true) .put("xpack.security.enabled", false) .put(Environment.PATH_HOME_SETTING.getKey(), tempDir); + // Do not replace this with `inFipsSunJsseJvm(), see https://github.com/elastic/elasticsearch/issues/52391 if (Boolean.parseBoolean(System.getProperty(FIPS_SYSPROP)) && JavaVersion.current().getVersion().get(0) == 8) { builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); }
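Review bot: The new comment in both hunks has an unbalanced backtick — `inFipsSunJsseJvm()` is opened with one and never closed — so it reads as "with `inFipsSunJsseJvm(), see ..."; either close it after the parentheses or drop the backticks, e.g. `// Do not replace this with inFipsSunJsseJvm(), see https://github.com/elastic/elasticsearch/issues/52391`. The comment also only says not to use the helper, not what breaks; one clause naming the failure mode from that issue would spare the next reader a link lookup. `startClient` starts outside both hunks.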