diff --git a/buildSrc/src/main/groovy/org/elasticsearch/gradle/BuildPlugin.groovy b/buildSrc/src/main/groovy/org/elasticsearch/gradle/BuildPlugin.groovy index 0cd869ddf6a87..76ed591b864ac 100644 --- a/buildSrc/src/main/groovy/org/elasticsearch/gradle/BuildPlugin.groovy +++ b/buildSrc/src/main/groovy/org/elasticsearch/gradle/BuildPlugin.groovy @@ -171,8 +171,8 @@ class BuildPlugin implements Plugin { cluster.systemProperty('javax.net.ssl.trustStorePassword', 'password') cluster.systemProperty('javax.net.ssl.keyStorePassword', 'password') cluster.systemProperty('javax.net.ssl.keyStoreType', 'BCFKS') - // Can't use our DiagnosticTrustManager with SunJSSE in FIPS mode - cluster.setting 'xpack.security.ssl.diagnose.trust', 'false' + cluster.setting 'xpack.security.fips_mode.enabled', 'true' + cluster.setting 'xpack.security.authc.password_hashing.algorithm', 'PBKDF2' } } } diff --git a/libs/ssl-config/src/test/java/org/elasticsearch/common/ssl/PemUtilsTests.java b/libs/ssl-config/src/test/java/org/elasticsearch/common/ssl/PemUtilsTests.java index d5657b5517b94..0aa0f64843c30 100644 --- a/libs/ssl-config/src/test/java/org/elasticsearch/common/ssl/PemUtilsTests.java +++ b/libs/ssl-config/src/test/java/org/elasticsearch/common/ssl/PemUtilsTests.java @@ -24,10 +24,12 @@ import java.io.InputStream; import java.nio.file.Files; import java.nio.file.Path; +import java.security.AlgorithmParameters; import java.security.Key; import java.security.KeyStore; import java.security.PrivateKey; import java.security.interfaces.ECPrivateKey; +import java.security.spec.ECGenParameterSpec; import java.security.spec.ECParameterSpec; import java.util.function.Supplier; 
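Review bot: The two added `cluster.setting` lines in the FIPS branch of BuildPlugin replace a commented explanation with none, so a reader cannot tell that the password-hashing line is required rather than an unrelated tweak. The other hunks in this commit (LocalStateCompositeXPackPlugin, CustomAuthorizationEngineIT) make the same pairing of `xpack.security.fips_mode.enabled` with a PBKDF2 hasher, which suggests FIPS mode constrains the hasher; a one-line comment such as `// FIPS mode appears to accept only the PBKDF2 family for password hashing` above the setting would keep that intent visible. Note also that this file uses plain `PBKDF2` while LocalStateCompositeXPackPlugin uses `PBKDF2_1000`; if the reduced iteration count there is deliberate for test speed, say so in one place so the two are not mistaken for an inconsistency.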
@@ -72,8 +74,11 @@ public void testReadEcKeyCurves() throws Exception { PrivateKey privateKey = PemUtils.readPrivateKey(getDataPath("/certs/pem-utils/private_" + curve + ".pem"), ""::toCharArray); assertThat(privateKey, instanceOf(ECPrivateKey.class)); ECParameterSpec parameterSpec = ((ECPrivateKey) privateKey).getParams(); - // This is brittle but we can't access sun.security.util.NamedCurve - assertThat(parameterSpec.toString(), containsString(curve)); + + ECGenParameterSpec algorithmParameterSpec = new ECGenParameterSpec(curve); + AlgorithmParameters algoParameters = AlgorithmParameters.getInstance("EC"); + algoParameters.init(algorithmParameterSpec); + assertThat(parameterSpec, equalTo(algoParameters.getParameterSpec(ECParameterSpec.class))); } public void testReadPKCS8EcKey() throws Exception { diff --git a/plugins/discovery-ec2/build.gradle b/plugins/discovery-ec2/build.gradle index 7b0f412a05b49..f2178e926c576 100644 --- a/plugins/discovery-ec2/build.gradle +++ b/plugins/discovery-ec2/build.gradle 
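Review bot: The new `assertThat(parameterSpec, equalTo(algoParameters.getParameterSpec(ECParameterSpec.class)))` relies on `equals` semantics that `java.security.spec.ECParameterSpec` does not define, since that class does not override `Object.equals`; the assertion therefore passes only when the provider hands back the same cached instance for both the private key and the `AlgorithmParameters` lookup, or a subclass that happens to override `equals`, which is provider-specific and likely to differ between SunEC and the BCFIPS provider this commit is targeting. Comparing the spec's components, each of which (`EllipticCurve`, `ECPoint`, `BigInteger`, `int`) has value equality, makes the check provider-independent and is what the removed `toString()` comparison was approximating. The same assertion is added to the x-pack copy of this test at the later PemUtilsTests hunk and should get the same treatment. `testReadEcKeyCurves` begins outside the hunk.
```java
ECGenParameterSpec algorithmParameterSpec = new ECGenParameterSpec(curve);
AlgorithmParameters algoParameters = AlgorithmParameters.getInstance("EC");
algoParameters.init(algorithmParameterSpec);
ECParameterSpec expected = algoParameters.getParameterSpec(ECParameterSpec.class);
// ECParameterSpec has no value equality; compare the curve definition field by field
assertThat(parameterSpec.getCurve(), equalTo(expected.getCurve()));
assertThat(parameterSpec.getGenerator(), equalTo(expected.getGenerator()));
assertThat(parameterSpec.getOrder(), equalTo(expected.getOrder()));
assertThat(parameterSpec.getCofactor(), equalTo(expected.getCofactor()));
```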
@@ -64,12 +64,34 @@ task writeTestJavaPolicy { throw new GradleException("failed to create temporary directory [${tmp}]") } final File javaPolicy = file("${tmp}/java.policy") - javaPolicy.write( - [ - "grant {", - " permission java.util.PropertyPermission \"com.amazonaws.sdk.ec2MetadataServiceEndpointOverride\", \"write\";", - "};" - ].join("\n")) + if (BuildParams.inFipsJvm) { + javaPolicy.write( + [ + "grant {", + "permission java.security.SecurityPermission \"putProviderProperty.BCFIPS\";", + "permission java.security.SecurityPermission \"putProviderProperty.BCJSSE\";", + "permission java.lang.RuntimePermission \"getProtectionDomain\";", + "permission java.util.PropertyPermission \"java.runtime.name\", \"read\";", + "permission org.bouncycastle.crypto.CryptoServicesPermission \"tlsAlgorithmsEnabled\";", + "permission java.lang.RuntimePermission \"accessClassInPackage.sun.security.internal.spec\";", + "permission java.lang.RuntimePermission \"accessDeclaredMembers\";", + "permission java.util.PropertyPermission \"intellij.debug.agent\", \"read\";", + "permission java.util.PropertyPermission \"intellij.debug.agent\", \"write\";", + "permission org.bouncycastle.crypto.CryptoServicesPermission \"exportSecretKey\";", + "permission org.bouncycastle.crypto.CryptoServicesPermission \"exportPrivateKey\";", + "permission java.io.FilePermission \"\${javax.net.ssl.trustStore}\", \"read\";", + " permission java.util.PropertyPermission \"com.amazonaws.sdk.ec2MetadataServiceEndpointOverride\", \"write\";", + "};" + ].join("\n") + ) + } else { + javaPolicy.write( + [ + "grant {", + " permission java.util.PropertyPermission \"com.amazonaws.sdk.ec2MetadataServiceEndpointOverride\", \"write\";", + "};" + ].join("\n")) + } } } 
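Review bot: The FIPS branch of `writeTestJavaPolicy` grants `accessDeclaredMembers`, `getProtectionDomain`, `exportSecretKey`, `exportPrivateKey` and the rest inside a single unqualified `grant {` block, so every class on the test classpath receives them rather than only the Bouncy Castle provider jars that presumably need them, and nothing in the hunk records which permission exists for which provider operation. A short comment per group (for example `// required by the BCFIPS/BCJSSE providers at registration time` above the `putProviderProperty.*` lines) would let a later reader prune the list safely, and restricting the BC-specific grants with a `codeBase` clause pointing at the provider jars would keep the blanket grant as small as the non-FIPS branch. The two `intellij.debug.agent` entries look IDE-specific and are surprising in a policy written for the test task; if they are needed for local debugging only, say so in a comment or leave them out of the CI policy. Finally, the FIPS list drops the leading indentation that the AWS `PropertyPermission` line keeps, and both branches repeat that line and the `grant {` / `};` framing; building one base list and appending the FIPS entries when `BuildParams.inFipsJvm` is set would remove the duplication.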
@@ -80,7 +102,11 @@ test { // this is needed to manipulate com.amazonaws.sdk.ec2MetadataServiceEndpointOverride system property // it is better rather disable security manager at all with `systemProperty 'tests.security.manager', 'false'` - systemProperty 'java.security.policy', "file://${buildDir}/tmp/java.policy" + if (BuildParams.inFipsJvm){ + systemProperty 'java.security.policy', "=file://${buildDir}/tmp/java.policy" + } else { + systemProperty 'java.security.policy', "file://${buildDir}/tmp/java.policy" + } } check { diff --git a/plugins/examples/security-authorization-engine/src/test/java/org/elasticsearch/example/CustomAuthorizationEngineIT.java b/plugins/examples/security-authorization-engine/src/test/java/org/elasticsearch/example/CustomAuthorizationEngineIT.java index 9daf9bd01a8bc..2ce4818c42926 100644 --- a/plugins/examples/security-authorization-engine/src/test/java/org/elasticsearch/example/CustomAuthorizationEngineIT.java +++ b/plugins/examples/security-authorization-engine/src/test/java/org/elasticsearch/example/CustomAuthorizationEngineIT.java @@ -34,6 +34,7 @@ import org.elasticsearch.xpack.core.security.authc.support.Hasher; import org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken; import org.elasticsearch.xpack.core.security.client.SecurityClient; +import org.junit.BeforeClass; import java.io.IOException; import java.nio.charset.StandardCharsets; @@ -52,6 +53,17 @@ */ public class CustomAuthorizationEngineIT extends ESIntegTestCase { + private static Hasher passwordHashingAlgorighm; + + @BeforeClass + public static void setup() { + if (inFipsJvm()) { + passwordHashingAlgorighm = Hasher.PBKDF2; + } else { + passwordHashingAlgorighm = Hasher.BCRYPT; + } + } + @Override protected Settings externalClusterClientSettings() { final String token = "Basic " + 
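Review bot: The `=` prefix in `"=file://${buildDir}/tmp/java.policy"` on the FIPS branch changes semantics silently: with a leading `=` the file replaces the JVM's default policy instead of being appended to it, which is presumably why the FIPS branch of `writeTestJavaPolicy` above has to re-grant so many provider permissions, yet the existing comment only talks about the AWS system property. Add a line such as `// '=' makes this file the whole policy (the default JVM policy is not consulted), so every permission the FIPS providers need must be listed in it` so the coupling between the two hunks is explicit.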
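Review bot: The new static field is misspelled, `passwordHashingAlgorighm`, and the typo is then repeated in every `preparePutUser` call of the three following hunks; rename it to `passwordHashingAlgorithm` before it spreads further. Since `inFipsJvm()` is a static query with no setup dependency, the `@BeforeClass setup()` method and the mutable static can also collapse into a single constant, `private static final Hasher PASSWORD_HASHING_ALGORITHM = inFipsJvm() ? Hasher.PBKDF2 : Hasher.BCRYPT;`, which removes the ordering assumption that the field is populated before any test runs. The class body continues outside the hunk.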
@@ -69,7 +81,8 @@ protected Collection> transportClientPlugins() { public void testClusterAction() throws IOException { SecurityClient securityClient = new SecurityClient(client()); - securityClient.preparePutUser("custom_user", "x-pack-test-password".toCharArray(), Hasher.BCRYPT, "custom_superuser").get(); + securityClient.preparePutUser("custom_user", "x-pack-test-password".toCharArray(), passwordHashingAlgorighm, "custom_superuser") + .get(); { RequestOptions.Builder options = RequestOptions.DEFAULT.toBuilder(); @@ -82,7 +95,8 @@ public void testClusterAction() throws IOException { } { - securityClient.preparePutUser("custom_user2", "x-pack-test-password".toCharArray(), Hasher.BCRYPT, "not_superuser").get(); + securityClient.preparePutUser("custom_user2", "x-pack-test-password".toCharArray(), passwordHashingAlgorighm, "not_superuser") + .get(); RequestOptions.Builder options = RequestOptions.DEFAULT.toBuilder(); options.addHeader(UsernamePasswordToken.BASIC_AUTH_HEADER, basicAuthHeaderValue("custom_user2", new SecureString("x-pack-test-password".toCharArray()))); @@ -95,7 +109,8 @@ public void testClusterAction() throws IOException { public void testIndexAction() throws IOException { SecurityClient securityClient = new SecurityClient(client()); - securityClient.preparePutUser("custom_user", "x-pack-test-password".toCharArray(), Hasher.BCRYPT, "custom_superuser").get(); + securityClient.preparePutUser("custom_user", "x-pack-test-password".toCharArray(), passwordHashingAlgorighm, "custom_superuser") + .get(); { RequestOptions.Builder options = RequestOptions.DEFAULT.toBuilder(); 
@@ -121,9 +136,12 @@ public void testIndexAction() throws IOException { public void testRunAs() throws IOException { SecurityClient securityClient = new SecurityClient(client()); - securityClient.preparePutUser("custom_user", "x-pack-test-password".toCharArray(), Hasher.BCRYPT, "custom_superuser").get(); - securityClient.preparePutUser("custom_user2", "x-pack-test-password".toCharArray(), Hasher.BCRYPT, "custom_superuser").get(); - securityClient.preparePutUser("custom_user3", "x-pack-test-password".toCharArray(), Hasher.BCRYPT, "not_superuser").get(); + securityClient.preparePutUser("custom_user", "x-pack-test-password".toCharArray(), passwordHashingAlgorighm, "custom_superuser") + .get(); + securityClient.preparePutUser("custom_user2", "x-pack-test-password".toCharArray(), passwordHashingAlgorighm, "custom_superuser") + .get(); + securityClient.preparePutUser("custom_user3", "x-pack-test-password".toCharArray(), passwordHashingAlgorighm, "not_superuser") + .get(); { RequestOptions.Builder options = RequestOptions.DEFAULT.toBuilder(); diff --git a/test/framework/src/main/java/org/elasticsearch/test/ESTestCase.java b/test/framework/src/main/java/org/elasticsearch/test/ESTestCase.java index c6dbcc3aa97d1..34439533f4611 100644 --- a/test/framework/src/main/java/org/elasticsearch/test/ESTestCase.java +++ b/test/framework/src/main/java/org/elasticsearch/test/ESTestCase.java 
@@ -1344,11 +1344,15 @@ protected static long spinForAtLeastNMilliseconds(final long ms) { return elapsed; } + public static boolean inFipsSunJsseJvm() { + return inFipsJvm() && JavaVersion.current().getVersion().get(0) == 8; + } + /** * Creates an TestAnalysis with all the default analyzers configured. */ public static TestAnalysis createTestAnalysis(Index index, Settings settings, AnalysisPlugin... analysisPlugins) - throws IOException { + throws IOException { Settings nodeSettings = Settings.builder().put(Environment.PATH_HOME_SETTING.getKey(), createTempDir()).build(); return createTestAnalysis(index, nodeSettings, settings, analysisPlugins); } diff --git a/x-pack/plugin/build.gradle b/x-pack/plugin/build.gradle index 3d3634e993313..a9747124d0af2 100644 --- a/x-pack/plugin/build.gradle +++ b/x-pack/plugin/build.gradle @@ -124,6 +124,10 @@ integTest.runner { // private key, these tests are blacklisted in non-snapshot test runs blacklist.addAll(['xpack/15_basic/*', 'license/20_put_license/*', 'license/30_enterprise_license/*']) } + if (BuildParams.inFipsJvm) { + // We cannot install GOLD licenses or older 1.x license types on FIPS mode, as FIPS is allowed only in platinum + blacklist.add('license/20_put_license/*') + } systemProperty 'tests.rest.blacklist', blacklist.join(',') dependsOn copyKeyCerts } diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/LocalStateCompositeXPackPlugin.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/LocalStateCompositeXPackPlugin.java index a423ebc30ca1e..50027d6366c8d 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/LocalStateCompositeXPackPlugin.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/LocalStateCompositeXPackPlugin.java 
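Review bot: `inFipsSunJsseJvm()` is a new public static helper on the shared test base class and has no Javadoc, while the line after it shows the file otherwise documents its public helpers; no caller appears elsewhere in this diff, so the name is the only hint at its purpose. The body checks `inFipsJvm()` and a major version of exactly 8, which the name suggests is meant to identify the FIPS setup in which SunJSSE rather than BCJSSE is the TLS provider; please state that in a Javadoc, for example `/** True when running in a FIPS JVM on Java 8, where the JDK's SunJSSE (not BCJSSE) is the TLS provider. */`, and if a caller is expected in a follow-up, say so.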
@@ -94,6 +94,7 @@ import java.util.stream.Collectors; import static java.util.stream.Collectors.toList; +import static org.elasticsearch.test.ESTestCase.inFipsJvm; public class LocalStateCompositeXPackPlugin extends XPackPlugin implements ScriptPlugin, ActionPlugin, IngestPlugin, NetworkPlugin, ClusterPlugin, DiscoveryPlugin, MapperPlugin, AnalysisPlugin, PersistentTaskPlugin, EnginePlugin { @@ -257,8 +258,12 @@ public Settings additionalSettings() { Settings.Builder builder = Settings.builder(); builder.put(super.additionalSettings()); filterPlugins(Plugin.class).stream().forEach(p -> - builder.put(p.additionalSettings()) + builder.put(p.additionalSettings()) ); + if (inFipsJvm()) { + builder.put(XPackSettings.FIPS_MODE_ENABLED.getKey(), true); + builder.put(XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey(), "PBKDF2_1000"); + } return builder.build(); } diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/TestXPackTransportClient.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/TestXPackTransportClient.java index 9d6d643593976..e6e5f68b98ae8 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/TestXPackTransportClient.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/TestXPackTransportClient.java @@ -56,7 +56,7 @@ public void close() { private static Settings possiblyDisableTlsDiagnostic(Settings settings) { Settings.Builder builder = Settings.builder().put(settings); if (inFipsJvm()) { - builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + builder.put(XPackSettings.FIPS_MODE_ENABLED.getKey(), true); } return builder.build(); } diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/transport/ProfileConfigurationsTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/transport/ProfileConfigurationsTests.java index fd7315d7457c2..842df68144359 100644 
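Review bot: In `additionalSettings` the FIPS branch hard-codes `"PBKDF2_1000"` with no explanation, and 1000 is a much lower iteration count than the other hunks in this commit use (BuildPlugin and CustomAuthorizationEngineIT pick plain PBKDF2); if the reduced count is a test-speed choice, record that so it is not copied into a production default, e.g. `// PBKDF2 with a reduced iteration count keeps user creation fast in tests; not a production setting`. Referencing `XPackSettings.PASSWORD_HASHING_ALGORITHM` via the setting key but passing a raw string also bypasses whatever value list the setting exposes; if an enum or constant for the `PBKDF2_1000` variant exists in `Hasher`, prefer it so a rename is caught at compile time. `additionalSettings` starts outside the hunk.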
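Review bot: `possiblyDisableTlsDiagnostic` no longer disables anything; after this hunk its only effect is to set `XPackSettings.FIPS_MODE_ENABLED` to true, so the method name now misdescribes what it does to anyone reading the caller. Rename it, e.g. `private static Settings possiblyEnableFipsMode(Settings settings)`, and update the call site, which is outside this hunk, in the same change.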
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/transport/ProfileConfigurationsTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/transport/ProfileConfigurationsTests.java @@ -11,6 +11,7 @@ import org.elasticsearch.env.Environment; import org.elasticsearch.env.TestEnvironment; import org.elasticsearch.test.ESTestCase; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.ssl.SSLConfiguration; import org.elasticsearch.xpack.core.ssl.SSLService; import org.elasticsearch.xpack.core.ssl.VerificationMode; @@ -58,17 +59,22 @@ public void testGetInsecureTransportProfileConfigurations() { } private Settings.Builder getBaseSettings() { - final Path keystore = randomBoolean() - ? getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks") - : getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.p12"); + final Path keystore = inFipsJvm() + ? getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.p12") + : getDataPath(randomFrom("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks", + "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.p12")); MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); - return Settings.builder() + Settings.Builder builder = Settings.builder() .setSecureSettings(secureSettings) .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.keystore.path", keystore.toString()); + if (inFipsJvm()) { + builder.put(XPackSettings.FIPS_MODE_ENABLED.getKey(), true); + } + return builder; } } 
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/PemUtilsTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/PemUtilsTests.java index 6cc0f4763b92a..11a233803586b 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/PemUtilsTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/PemUtilsTests.java @@ -11,10 +11,12 @@ import java.io.InputStream; import java.nio.file.Files; import java.nio.file.Path; +import java.security.AlgorithmParameters; import java.security.Key; import java.security.KeyStore; import java.security.PrivateKey; import java.security.interfaces.ECPrivateKey; +import java.security.spec.ECGenParameterSpec; import java.security.spec.ECParameterSpec; import static org.hamcrest.Matchers.equalTo; @@ -70,8 +72,11 @@ public void testReadEcKeyCurves() throws Exception { ("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/private_" + curve + ".pem"), ""::toCharArray); assertThat(privateKey, instanceOf(ECPrivateKey.class)); ECParameterSpec parameterSpec = ((ECPrivateKey) privateKey).getParams(); - // This is brittle but we can't access sun.security.util.NamedCurve - assertThat(parameterSpec.toString(), containsString(curve)); + + ECGenParameterSpec algorithmParameterSpec = new ECGenParameterSpec(curve); + AlgorithmParameters algoParameters = AlgorithmParameters.getInstance("EC"); + algoParameters.init(algorithmParameterSpec); + assertThat(parameterSpec, equalTo(algoParameters.getParameterSpec(ECParameterSpec.class))); } public void testReadEncryptedPKCS8Key() throws Exception { diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationReloaderTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationReloaderTests.java index 5e3c469d966d7..4cbd920f0cc77 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationReloaderTests.java 
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationReloaderTests.java @@ -35,6 +35,7 @@ import org.elasticsearch.threadpool.TestThreadPool; import org.elasticsearch.threadpool.ThreadPool; import org.elasticsearch.watcher.ResourceWatcherService; +import org.elasticsearch.xpack.core.XPackSettings; import org.junit.After; import org.junit.Before; @@ -110,7 +111,7 @@ public void testReloadingKeyStore() throws Exception { Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_updated.jks"), updatedKeystorePath); MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); - final Settings settings = Settings.builder() + final Settings settings = getSettingsBuilder() .put("path.home", createTempDir()) .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.keystore.path", keystorePath) @@ -168,7 +169,7 @@ public void testPEMKeyConfigReloading() throws Exception { Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_updated.crt"), updatedCertPath); MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); - final Settings settings = Settings.builder() + final Settings settings = getSettingsBuilder() .put("path.home", createTempDir()) .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.key", keyPath) 
@@ -327,7 +328,7 @@ public void testReloadingKeyStoreException() throws Exception { Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"), keystorePath); MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.keystore.path", keystorePath) .setSecureSettings(secureSettings) @@ -376,7 +377,7 @@ public void testReloadingPEMKeyConfigException() throws Exception { Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt"), clientCertPath); MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.key", keyPath) .put("xpack.security.transport.ssl.certificate", certPath) @@ -513,7 +514,7 @@ private Settings.Builder baseKeystoreSettings(Path tempDir, MockSecureSettings s } secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); - return Settings.builder() + return getSettingsBuilder() .put("xpack.security.transport.ssl.key", keyPath.toString()) .put("xpack.security.transport.ssl.certificate", certPath.toString()) .setSecureSettings(secureSettings); 
@@ -624,6 +625,14 @@ private static CloseableHttpClient createHttpClient(SSLContext sslContext) { .build(); } + private Settings.Builder getSettingsBuilder() { + Settings.Builder builder = Settings.builder(); + if (inFipsJvm()) { + builder.put(XPackSettings.FIPS_MODE_ENABLED.getKey(), true); + } + return builder; + } + /** * Creates our own HttpConnectionFactory that changes how the connection is closed to prevent issues with * the MockWebServer going into an endless loop based on the way that HttpClient closes its connection. diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLServiceTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLServiceTests.java index 08df2d1b65907..fc455c88fd784 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLServiceTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLServiceTests.java 
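Review bot: The new `getSettingsBuilder()` helper carries no comment, so the five call sites rewritten in the earlier hunks of this file give no clue why `Settings.builder()` was replaced; a one-line Javadoc such as `/** Settings builder pre-populated with fips_mode.enabled when the test JVM is in FIPS mode, so SSLService validates as it would in production. */` would make the substitution self-explanatory. The same helper is defined, by the look of the `getSettingsBuilder()` calls in the SSLServiceTests hunks, in at least one other test class and is inlined again in ProfileConfigurationsTests; a single static helper on a shared test utility would keep the three copies from drifting.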
@@ -90,14 +90,19 @@ public class SSLServiceTests extends ESTestCase { @Before public void setup() throws Exception { - // Randomise the keystore type (jks/PKCS#12) - if (randomBoolean()) { - testnodeStore = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"); - // The default is to use JKS. Randomly test with explicit and with the default value. - testnodeStoreType = "jks"; - } else { + // Randomise the keystore type (jks/PKCS#12) when possible + if (inFipsJvm()) { testnodeStore = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.p12"); testnodeStoreType = randomBoolean() ? "PKCS12" : null; + } else { + if (randomBoolean()) { + testnodeStore = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"); + // The default is to use JKS. Randomly test with explicit and with the default value. + testnodeStoreType = "jks"; + } else { + testnodeStore = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.p12"); + testnodeStoreType = randomBoolean() ? "PKCS12" : null; + } } logger.info("Using [{}] key/truststore [{}]", testnodeStoreType, testnodeStore); testnodeCert = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"); @@ -125,7 +130,7 @@ public void testThatCustomTruststoreCanBeSpecified() throws Exception { MockSecureSettings secureCustomSettings = new MockSecureSettings(); secureCustomSettings.setString("truststore.secure_password", "testclient"); - Settings customTruststoreSettings = Settings.builder() + Settings customTruststoreSettings = getSettingsBuilder() .put("truststore.path", testClientStore) .setSecureSettings(secureCustomSettings) .build(); 
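Review bot: In `setup()` the FIPS branch and the inner `else` branch are textually identical (same `testnode.p12` path, same `randomBoolean() ? "PKCS12" : null`), so the new nesting exists only to short-circuit the randomisation; the same behaviour reads more directly as one condition, `if (inFipsJvm() == false && randomBoolean()) {` for the JKS case with the PKCS#12 assignment as the single `else`. That keeps the comment about the default store type next to the only branch it applies to and avoids maintaining the PKCS#12 lines twice.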
@@ -147,7 +152,7 @@ public void testThatCustomTruststoreCanBeSpecified() throws Exception { public void testThatSslContextCachingWorks() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.certificate", testnodeCert) .put("xpack.security.transport.ssl.key", testnodeKey) @@ -173,7 +178,7 @@ public void testThatKeyStoreAndKeyCanHaveDifferentPasswords() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); secureSettings.setString("xpack.security.transport.ssl.keystore.secure_key_password", "testnode1"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.keystore.path", differentPasswordsStore) .setSecureSettings(secureSettings) @@ -191,7 +196,7 @@ public void testIncorrectKeyPasswordThrowsException() throws Exception { try { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.keystore.path", differentPasswordsStore) .setSecureSettings(secureSettings) .build(); 
@@ -208,7 +213,7 @@ public void testIncorrectKeyPasswordThrowsException() throws Exception { public void testThatSSLv3IsNotEnabled() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.certificate", testnodeCert) .put("xpack.security.transport.ssl.key", testnodeKey) @@ -221,7 +226,7 @@ public void testThatSSLv3IsNotEnabled() throws Exception { } public void testThatCreateClientSSLEngineWithoutAnySettingsWorks() throws Exception { - SSLService sslService = new SSLService(Settings.EMPTY, env); + SSLService sslService = new SSLService(getSettingsBuilder().build(), env); SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl"); SSLEngine sslEngine = sslService.createSSLEngine(configuration, null, -1); assertThat(sslEngine, notNullValue()); @@ -230,7 +235,7 @@ public void testThatCreateClientSSLEngineWithoutAnySettingsWorks() throws Except public void testThatCreateSSLEngineWithOnlyTruststoreWorks() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.http.ssl.truststore.secure_password", "testclient"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.http.ssl.enabled", true) .put("xpack.http.ssl.truststore.path", testclientStore) .setSecureSettings(secureSettings) 
@@ -246,7 +251,7 @@ public void testCreateWithKeystoreIsValidForServer() throws Exception { assumeFalse("Can't run in a FIPS JVM, JKS keystores can't be used", inFipsJvm()); MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.keystore.path", testnodeStore) .put("xpack.security.transport.ssl.keystore.type", testnodeStoreType) @@ -261,7 +266,7 @@ public void testValidForServer() throws Exception { assumeFalse("Can't run in a FIPS JVM, JKS keystores can't be used", inFipsJvm()); MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.http.ssl.truststore.secure_password", "testnode"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.http.ssl.truststore.path", testnodeStore) .put("xpack.http.ssl.truststore.type", testnodeStoreType) .setSecureSettings(secureSettings) @@ -272,7 +277,7 @@ public void testValidForServer() throws Exception { assertFalse(sslService.isConfigurationValidForServerUsage(sslService.getSSLConfiguration("xpack.http.ssl"))); secureSettings.setString("xpack.http.ssl.keystore.secure_password", "testnode"); - settings = Settings.builder() + settings = getSettingsBuilder() .put("xpack.http.ssl.truststore.path", testnodeStore) .put("xpack.http.ssl.truststore.type", testnodeStoreType) .setSecureSettings(secureSettings) 
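Review bot: In `testCreateWithKeystoreIsValidForServer` and `testValidForServer` the switch to `getSettingsBuilder()` is a no-op, because the `assumeFalse(..., inFipsJvm())` on the line above skips both tests whenever the helper would add anything. It is harmless, but either leave these two at `Settings.builder()` to signal that FIPS is intentionally out of scope for them, or drop the assumption if PKCS#12 stores are now expected to make them pass under FIPS; a short comment stating which is intended would do.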
@@ -285,11 +290,11 @@ public void testValidForServer() throws Exception { public void testGetVerificationMode() throws Exception { assumeFalse("Can't run in a FIPS JVM, TrustAllConfig is not a SunJSSE TrustManagers", inFipsJvm()); - SSLService sslService = new SSLService(Settings.EMPTY, env); + SSLService sslService = new SSLService(getSettingsBuilder().build(), env); assertThat(sslService.getSSLConfiguration("xpack.security.transport.ssl").verificationMode(), is(XPackSettings.VERIFICATION_MODE_DEFAULT)); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.enabled", false) .put("xpack.security.transport.ssl.verification_mode", "certificate") .put("transport.profiles.foo.xpack.security.ssl.verification_mode", "full") @@ -301,10 +306,10 @@ public void testGetVerificationMode() throws Exception { } public void testIsSSLClientAuthEnabled() throws Exception { - SSLService sslService = new SSLService(Settings.EMPTY, env); + SSLService sslService = new SSLService(getSettingsBuilder().build(), env); assertTrue(sslService.getSSLConfiguration("xpack.security.transport.ssl").sslClientAuth().enabled()); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.enabled", false) .put("xpack.security.transport.ssl.client_authentication", "optional") .put("transport.profiles.foo.port", "9400-9410") 
@@ -318,7 +323,7 @@ public void testThatHttpClientAuthDefaultsToNone() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); secureSettings.setString("xpack.security.http.ssl.keystore.secure_password", "testnode"); - final Settings globalSettings = Settings.builder() + final Settings globalSettings = getSettingsBuilder() .put("xpack.security.http.ssl.enabled", true) .put("xpack.security.http.ssl.keystore.path", testnodeStore) .put("xpack.security.http.ssl.keystore.type", testnodeStoreType) @@ -340,7 +345,7 @@ public void testThatHttpClientAuthDefaultsToNone() throws Exception { public void testThatTruststorePasswordIsRequired() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.keystore.path", testnodeStore) .put("xpack.security.transport.ssl.keystore.type", testnodeStoreType) .setSecureSettings(secureSettings) @@ -354,7 +359,7 @@ public void testThatTruststorePasswordIsRequired() throws Exception { } public void testThatKeystorePasswordIsRequired() throws Exception { - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.keystore.path", testnodeStore) .put("xpack.security.transport.ssl.keystore.type", testnodeStoreType) .build(); 
@@ -370,7 +375,7 @@ public void testCiphersAndInvalidCiphersWork() throws Exception { ciphers.add("bar"); MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.certificate", testnodeCert) .put("xpack.security.transport.ssl.key", testnodeKey) @@ -389,11 +394,11 @@ public void testInvalidCiphersOnlyThrowsException() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.certificate", testnodeCert) .put("xpack.security.transport.ssl.key", testnodeKey) .setSecureSettings(secureSettings) - .putList("xpack.security.transport.ssl.cipher_suites", new String[] { "foo", "bar" }) + .putList("xpack.security.transport.ssl.cipher_suites", new String[]{"foo", "bar"}) .build(); ElasticsearchException e = expectThrows(ElasticsearchException.class, () -> new SSLService(settings, env)); @@ -404,7 +409,7 @@ public void testInvalidCiphersOnlyThrowsException() throws Exception { public void testThatSSLEngineHasCipherSuitesOrderSet() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.certificate", testnodeCert) .put("xpack.security.transport.ssl.key", testnodeKey) 
@@ -420,7 +425,7 @@ public void testThatSSLEngineHasCipherSuitesOrderSet() throws Exception { public void testThatSSLSocketFactoryHasProperCiphersAndProtocols() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.certificate", testnodeCert) .put("xpack.security.transport.ssl.key", testnodeKey) @@ -446,7 +451,7 @@ public void testThatSSLSocketFactoryHasProperCiphersAndProtocols() throws Except public void testThatSSLEngineHasProperCiphersAndProtocols() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.certificate", testnodeCert) .put("xpack.security.transport.ssl.key", testnodeKey) @@ -467,7 +472,7 @@ public void testThatSSLEngineHasProperCiphersAndProtocols() throws Exception { public void testSSLStrategy() { // this just exhaustively verifies that the right things are called and that it uses the right parameters VerificationMode mode = randomFrom(VerificationMode.values()); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("supported_protocols", "protocols") .put("cipher_suites", "") .put("verification_mode", mode.name()) 
@@ -529,7 +534,7 @@ public void testGetConfigurationByContextName() throws Exception { final Iterator cipher = Arrays.asList(cipherSuites).iterator(); final MockSecureSettings secureSettings = new MockSecureSettings(); - final Settings.Builder builder = Settings.builder(); + final Settings.Builder builder = getSettingsBuilder(); for (String prefix : contextNames) { if (prefix.startsWith("xpack.security.transport") || prefix.startsWith("xpack.security.http")) { builder.put(prefix + ".enabled", true); @@ -567,7 +572,7 @@ public void testReadCertificateInformation() throws Exception { secureSettings.setString("xpack.security.transport.ssl.truststore.secure_password", "testnode"); secureSettings.setString("xpack.http.ssl.keystore.secure_password", "testnode"); - final Settings settings = Settings.builder() + final Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.enabled", randomBoolean()) .put("xpack.security.transport.ssl.keystore.path", jksPath) .put("xpack.security.transport.ssl.truststore.path", jksPath) @@ -757,7 +762,7 @@ public int getSessionCacheSize() { @Network public void testThatSSLContextWithoutSettingsWorks() throws Exception { - SSLService sslService = new SSLService(Settings.EMPTY, env); + SSLService sslService = new SSLService(getSettingsBuilder().build(), env); SSLContext sslContext = sslService.sslContext(sslService.sslConfiguration(Settings.EMPTY)); try (CloseableHttpClient client = HttpClients.custom().setSSLContext(sslContext).build()) { // Execute a GET on a site known to have a valid certificate signed by a trusted public CA 
@@ -771,7 +776,7 @@ public void testThatSSLContextWithoutSettingsWorks() throws Exception { public void testThatSSLContextTrustsJDKTrustedCAs() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testclient"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.keystore.path", testclientStore) .setSecureSettings(secureSettings) .build(); @@ -786,7 +791,7 @@ public void testThatSSLContextTrustsJDKTrustedCAs() throws Exception { @Network public void testThatSSLIOSessionStrategyWithoutSettingsWorks() throws Exception { - SSLService sslService = new SSLService(Settings.EMPTY, env); + SSLService sslService = new SSLService(getSettingsBuilder().build(), env); SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.security.transport.ssl"); logger.info("SSL Configuration: {}", sslConfiguration); SSLIOSessionStrategy sslStrategy = sslService.sslIOSessionStrategy(sslConfiguration); @@ -820,7 +825,8 @@ public void testThatSSLIOSessionStrategyTrustsJDKTrustedCAs() throws Exception { } public void testWrapTrustManagerWhenDiagnosticsEnabled() { - final Settings.Builder builder = Settings.builder(); + assumeFalse("Diagnostic trust manager is not permitted in Java 8", inFipsSunJsseJvm()); + final Settings.Builder builder = getSettingsBuilder(); if (randomBoolean()) { // randomly select between default, and explicit enabled builder.put("xpack.security.ssl.diagnose.trust", true); } 
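Review bot: The assumption message added to testWrapTrustManagerWhenDiagnosticsEnabled does not describe the condition it guards — the predicate is `inFipsSunJsseJvm()`, but the text blames Java 8, so a skipped run will be misread in CI output. Suggest `assumeFalse("Diagnostic trust manager cannot be used with SunJSSE in FIPS mode", inFipsSunJsseJvm());` here and for the identical line added to testWrapTrustManagerWhenInFipsAndExplicitlyConfigured in the next hunk group. Both test bodies continue outside their hunks.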
@@ -833,7 +839,7 @@ public void testWrapTrustManagerWhenDiagnosticsEnabled() { } public void testDontWrapTrustManagerWhenDiagnosticsDisabled() { - final Settings.Builder builder = Settings.builder(); + final Settings.Builder builder = getSettingsBuilder(); builder.put("xpack.security.ssl.diagnose.trust", false); final SSLService sslService = new SSLService(builder.build(), env); final X509ExtendedTrustManager baseTrustManager = TrustAllConfig.INSTANCE.createTrustManager(env); @@ -851,6 +857,7 @@ public void testDontWrapTrustManagerByDefaultWhenInFips(){ } public void testWrapTrustManagerWhenInFipsAndExplicitlyConfigured(){ + assumeFalse("Diagnostic trust manager is not permitted in Java 8", inFipsSunJsseJvm()); final Settings.Builder builder = Settings.builder(); builder.put("xpack.security.fips_mode.enabled", true); builder.put("xpack.security.ssl.diagnose.trust", true); @@ -862,6 +869,14 @@ public void testWrapTrustManagerWhenInFipsAndExplicitlyConfigured(){ assertThat(sslService.wrapWithDiagnostics(wrappedTrustManager, sslConfiguration), sameInstance(wrappedTrustManager)); } + private Settings.Builder getSettingsBuilder() { + Settings.Builder builder = Settings.builder(); + if (inFipsJvm()) { + builder.put(XPackSettings.FIPS_MODE_ENABLED.getKey(), true); + } + return builder; + } + class AssertionCallback implements FutureCallback { @Override diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/integration/ClusterPrivilegeTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/integration/ClusterPrivilegeTests.java index 42f20c06bc6e0..c35de8e5de695 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/integration/ClusterPrivilegeTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/integration/ClusterPrivilegeTests.java 
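Review bot: The new private `getSettingsBuilder()` has no comment saying why it should be preferred over `Settings.builder()`, and the same four-line helper now exists verbatim in PkiRealmBootstrapCheckTests and ESNativeMigrateToolTests later in this diff. A one-line Javadoc such as `/** Like Settings.builder(), but enables xpack.security.fips_mode.enabled when running in a FIPS JVM so the FIPS-only validation paths are exercised. */` would make the intent clear at every call site, and longer term the three copies could live in a shared test base so they cannot drift. testWrapTrustManagerWhenInFipsAndExplicitlyConfigured in this group still calls `Settings.builder()` and sets the FIPS flag by hand, which is correct but is exactly the divergence a single helper avoids.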
@@ -12,7 +12,6 @@ import org.elasticsearch.common.Strings; import org.elasticsearch.common.settings.SecureString; import org.elasticsearch.common.settings.Settings; -import org.elasticsearch.xpack.core.security.authc.support.Hasher; import org.hamcrest.Matchers; import org.junit.AfterClass; import org.junit.BeforeClass; @@ -79,8 +78,7 @@ protected String configRoles() { @Override protected String configUsers() { - final String usersPasswdHashed = new String(Hasher.resolve( - randomFrom("pbkdf2", "pbkdf2_1000", "bcrypt", "bcrypt9")).hash(new SecureString("passwd".toCharArray()))); + final String usersPasswdHashed = new String(getFastStoredHashAlgoForTests().hash(new SecureString("passwd".toCharArray()))); return super.configUsers() + "user_a:" + usersPasswdHashed + "\n" + "user_b:" + usersPasswdHashed + "\n" + diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/integration/CreateDocsIndexPrivilegeTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/integration/CreateDocsIndexPrivilegeTests.java index edc9e7e4fd94b..d2ff97d51264d 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/integration/CreateDocsIndexPrivilegeTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/integration/CreateDocsIndexPrivilegeTests.java @@ -8,7 +8,6 @@ import org.elasticsearch.client.Request; import org.elasticsearch.common.settings.SecureString; -import org.elasticsearch.xpack.core.security.authc.support.Hasher; import org.junit.Before; import java.io.IOException; @@ -43,8 +42,7 @@ protected String configRoles() { @Override protected String configUsers() { - final String usersPasswdHashed = new String(Hasher.resolve( - randomFrom("pbkdf2", "pbkdf2_1000", "bcrypt", "bcrypt9")).hash(new SecureString("passwd".toCharArray()))); + final String usersPasswdHashed = new String(getFastStoredHashAlgoForTests().hash(new SecureString("passwd".toCharArray()))); return super.configUsers() + "admin:" + usersPasswdHashed + "\n" + 
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/integration/IndexPrivilegeTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/integration/IndexPrivilegeTests.java index b3e8ba56cc4a2..e138d3db89db1 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/integration/IndexPrivilegeTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/integration/IndexPrivilegeTests.java @@ -9,7 +9,6 @@ import org.elasticsearch.client.RequestOptions; import org.elasticsearch.client.ResponseException; import org.elasticsearch.common.settings.SecureString; -import org.elasticsearch.xpack.core.security.authc.support.Hasher; import org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken; import org.junit.Before; @@ -117,8 +116,7 @@ protected String configRoles() { @Override protected String configUsers() { - final String usersPasswdHashed = new String(Hasher.resolve( - randomFrom("pbkdf2", "pbkdf2_1000", "bcrypt", "bcrypt9")).hash(new SecureString("passwd".toCharArray()))); + final String usersPasswdHashed = new String(getFastStoredHashAlgoForTests().hash(new SecureString("passwd".toCharArray()))); return super.configUsers() + "admin:" + usersPasswdHashed + "\n" + diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/integration/MultipleIndicesPermissionsTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/integration/MultipleIndicesPermissionsTests.java index da03e9ffe3d1e..c0b9ba3884de4 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/integration/MultipleIndicesPermissionsTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/integration/MultipleIndicesPermissionsTests.java 
@@ -47,7 +47,7 @@ public class MultipleIndicesPermissionsTests extends SecurityIntegTestCase { @Before public void waitForSecurityIndexWritable() throws Exception { // adds a dummy user to the native realm to force .security index creation - securityClient().preparePutUser("dummy_user", "password".toCharArray(), Hasher.BCRYPT, "missing_role").get(); + securityClient().preparePutUser("dummy_user", "password".toCharArray(), Hasher.PBKDF2, "missing_role").get(); assertSecurityIndexActive(); } @@ -221,7 +221,7 @@ public void testMonitorRestrictedWildcards() throws Exception { assertThat(indicesRecoveryResponse.shardRecoveryStates().size(), is(3)); assertThat(indicesRecoveryResponse.shardRecoveryStates().keySet(), containsInAnyOrder("foo", "foobar", "foobarfoo")); - // test _cat/indices with wildcards that cover unauthorized indices (".security" in this case) + // test _cat/indices with wildcards that cover unauthorized indices (".security" in this case) RequestOptions.Builder optionsBuilder = RequestOptions.DEFAULT.toBuilder(); optionsBuilder.addHeader("Authorization", UsernamePasswordToken.basicAuthHeaderValue("user_monitor", USERS_PASSWD)); RequestOptions options = optionsBuilder.build(); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecurityIntegTestCase.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecurityIntegTestCase.java index fc443cf9f04c8..8736e8c9ec942 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecurityIntegTestCase.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecurityIntegTestCase.java 
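Review bot: The dummy user in waitForSecurityIndexWritable is now hashed with `Hasher.PBKDF2` unconditionally, while the rest of this diff routes fixture hashing through `getFastStoredHashAlgoForTests()` from SecurityIntegTestCase, which this class extends. Using `securityClient().preparePutUser("dummy_user", "password".toCharArray(), getFastStoredHashAlgoForTests(), "missing_role").get();` keeps the FIPS/non-FIPS choice in one place and, if `Hasher.PBKDF2` uses a higher iteration count than PBKDF2_1000, avoids paying that cost for a throwaway user before every test. The second hunk in this group is whitespace only.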
@@ -250,12 +250,13 @@ protected Settings nodeSettings(int nodeOrdinal) { builder.put(NetworkModule.TRANSPORT_TYPE_KEY, randomBoolean() ? SecurityField.NAME4 : SecurityField.NIO); builder.put(NetworkModule.HTTP_TYPE_KEY, randomBoolean() ? SecurityField.NAME4 : SecurityField.NIO); if (inFipsJvm()) { - builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + builder.put(XPackSettings.FIPS_MODE_ENABLED.getKey(), true); + builder.put(XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey(), "PBKDF2_1000"); } Settings.Builder customBuilder = Settings.builder().put(customSettings); if (customBuilder.getSecureSettings() != null) { SecuritySettingsSource.addSecureSettings(builder, secureSettings -> - secureSettings.merge((MockSecureSettings) customBuilder.getSecureSettings())); + secureSettings.merge((MockSecureSettings) customBuilder.getSecureSettings())); } if (builder.getSecureSettings() == null) { builder.setSecureSettings(new MockSecureSettings()); @@ -539,7 +540,11 @@ protected boolean isTransportSSLEnabled() { } protected static Hasher getFastStoredHashAlgoForTests() { - return Hasher.resolve(randomFrom("pbkdf2", "pbkdf2_1000", "bcrypt", "bcrypt9")); + if (inFipsJvm()) { + return Hasher.PBKDF2_1000; + } else { + return Hasher.resolve(randomFrom("pbkdf2", "pbkdf2_1000", "bcrypt", "bcrypt9")); + } } protected class TestRestHighLevelClient extends RestHighLevelClient { diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySingleNodeTestCase.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySingleNodeTestCase.java index d3eb157d5f4fe..dc9fa515b52fc 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySingleNodeTestCase.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySingleNodeTestCase.java 
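Review bot: nodeSettings sets the hashing algorithm with the string literal `"PBKDF2_1000"`, whereas `getFastStoredHashAlgoForTests()` in the same file returns the constant `Hasher.PBKDF2_1000` and NativeRealmIntegTests later in this diff writes `hasher.name()`; `builder.put(XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey(), Hasher.PBKDF2_1000.name());` would tie the node setting to the same constant the fixtures hash with, assuming Hasher is an enum as the `name()` call suggests. The same literal appears in SecuritySingleNodeTestCase.nodeSettings and SecurityTests.createComponents further down. `getFastStoredHashAlgoForTests()` is also duplicated verbatim into SecuritySingleNodeTestCase, and neither copy says why the FIPS branch is pinned; a Javadoc such as `/** Hasher for test fixtures: bcrypt is not used in a FIPS JVM and PBKDF2_1000 is the cheapest FIPS 140 approved variant, so it is fixed there and randomized otherwise. */` would record that. nodeSettings starts before the hunk.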
@@ -25,6 +25,7 @@ import org.elasticsearch.plugins.Plugin; import org.elasticsearch.plugins.PluginInfo; import org.elasticsearch.xpack.core.XPackSettings; +import org.elasticsearch.xpack.core.security.authc.support.Hasher; import org.elasticsearch.xpack.security.LocalStateSecurity; import org.junit.AfterClass; import org.junit.Before; @@ -173,12 +174,13 @@ protected Settings nodeSettings() { builder.put("transport.type", "security4"); builder.put("path.home", customSecuritySettingsSource.nodePath(0)); if (inFipsJvm()) { - builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + builder.put(XPackSettings.FIPS_MODE_ENABLED.getKey(), true); + builder.put(XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey(), "PBKDF2_1000"); } Settings.Builder customBuilder = Settings.builder().put(customSettings); if (customBuilder.getSecureSettings() != null) { SecuritySettingsSource.addSecureSettings(builder, secureSettings -> - secureSettings.merge((MockSecureSettings) customBuilder.getSecureSettings())); + secureSettings.merge((MockSecureSettings) customBuilder.getSecureSettings())); } if (builder.getSecureSettings() == null) { builder.setSecureSettings(new MockSecureSettings()); @@ -324,4 +326,12 @@ private static RestClient createRestClient(Client client, RestClientBuilder.Http } return builder.build(); } + + protected static Hasher getFastStoredHashAlgoForTests() { + if (inFipsJvm()) { + return Hasher.PBKDF2_1000; + } else { + return Hasher.resolve(randomFrom("pbkdf2", "pbkdf2_1000", "bcrypt", "bcrypt9")); + } + } } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheckTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheckTests.java index 66aff9abcb4d6..47c4ca2492888 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheckTests.java 
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheckTests.java @@ -149,7 +149,7 @@ public void testBootstrapCheckWithClosedSecuredSetting() throws Exception { private Settings.Builder getSettingsBuilder() { Settings.Builder builder = Settings.builder(); if (inFipsJvm()) { - builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + builder.put(XPackSettings.FIPS_MODE_ENABLED.getKey(), true); } return builder; } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java index 465a855112a1b..21a0990fe23e5 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java @@ -103,7 +103,8 @@ private Collection createComponents(Settings testSettings, SecurityExten .put(testSettings) .put("path.home", createTempDir()); if (inFipsJvm()) { - builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + builder.put(XPackSettings.FIPS_MODE_ENABLED.getKey(), true); + builder.put(XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey(), "PBKDF2_1000"); } Settings settings = builder.build(); Environment env = TestEnvironment.newEnvironment(settings); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/oidc/TransportOpenIdConnectLogoutActionTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/oidc/TransportOpenIdConnectLogoutActionTests.java index 767a9a2ad1c0f..8bbbea412ea52 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/oidc/TransportOpenIdConnectLogoutActionTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/oidc/TransportOpenIdConnectLogoutActionTests.java 
@@ -96,7 +96,7 @@ public void setup() throws Exception { .build(); Settings.Builder sslSettingsBuilder = Settings.builder(); if (inFipsJvm()) { - sslSettingsBuilder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + sslSettingsBuilder.put(XPackSettings.FIPS_MODE_ENABLED.getKey(), true); } final Settings sslSettings = sslSettingsBuilder .put("xpack.security.authc.realms.oidc.oidc-realm.ssl.verification_mode", "certificate") diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/user/PutUserRequestBuilderTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/user/PutUserRequestBuilderTests.java index f6b25565b4c35..b8f5df0413e7b 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/user/PutUserRequestBuilderTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/user/PutUserRequestBuilderTests.java @@ -17,6 +17,7 @@ import org.elasticsearch.xpack.core.security.action.user.PutUserRequest; import org.elasticsearch.xpack.core.security.action.user.PutUserRequestBuilder; import org.elasticsearch.xpack.core.security.authc.support.Hasher; +import org.junit.BeforeClass; import java.io.IOException; import java.nio.charset.StandardCharsets; 
@@ -32,18 +33,29 @@ public class PutUserRequestBuilderTests extends ESTestCase { + private static Hasher passwordHashingAlgorighm; + + @BeforeClass + public static void setup() { + if (inFipsJvm()) { + passwordHashingAlgorighm = Hasher.PBKDF2; + } else { + passwordHashingAlgorighm = Hasher.BCRYPT; + } + } + public void testNullValuesForEmailAndFullName() throws IOException { final String json = "{\n" + - " \"roles\": [\n" + - " \"kibana4\"\n" + - " ],\n" + - " \"full_name\": null,\n" + - " \"email\": null,\n" + - " \"metadata\": {}\n" + - "}"; + " \"roles\": [\n" + + " \"kibana4\"\n" + + " ],\n" + + " \"full_name\": null,\n" + + " \"email\": null,\n" + + " \"metadata\": {}\n" + + "}"; PutUserRequestBuilder builder = new PutUserRequestBuilder(mock(Client.class)); - builder.source("kibana4", new BytesArray(json.getBytes(StandardCharsets.UTF_8)), XContentType.JSON, Hasher.BCRYPT); + builder.source("kibana4", new BytesArray(json.getBytes(StandardCharsets.UTF_8)), XContentType.JSON, passwordHashingAlgorighm); PutUserRequest request = builder.request(); assertThat(request.username(), is("kibana4")); @@ -63,7 +75,7 @@ public void testMissingEmailFullName() throws Exception { "}"; PutUserRequestBuilder builder = new PutUserRequestBuilder(mock(Client.class)); - builder.source("kibana4", new BytesArray(json.getBytes(StandardCharsets.UTF_8)), XContentType.JSON, Hasher.BCRYPT); + builder.source("kibana4", new BytesArray(json.getBytes(StandardCharsets.UTF_8)), XContentType.JSON, passwordHashingAlgorighm); PutUserRequest request = builder.request(); assertThat(request.username(), is("kibana4")); 
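Review bot: The new static field is misspelled — `passwordHashingAlgorighm` should be `passwordHashingAlgorithm`, and the same typo is carried into `passwordHashingAlgorighms` in ApiKeyServiceTests further down. Since `inFipsJvm()` is already called from static context elsewhere in this diff, the @BeforeClass method could be replaced by a constant, `private static final Hasher PASSWORD_HASHING_ALGORITHM = inFipsJvm() ? Hasher.PBKDF2 : Hasher.BCRYPT;`, which removes the mutable static and shows the FIPS/non-FIPS split at the declaration (assuming `inFipsJvm()` is safe to call during class initialization). This class also picks `Hasher.PBKDF2` in FIPS mode while testWithValidPasswordHash below switches to `Hasher.PBKDF2_1000` as the fast variant; using PBKDF2_1000 here too would keep these unit tests cheap.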
@@ -84,7 +96,7 @@ public void testWithFullNameAndEmail() throws IOException { "}"; PutUserRequestBuilder builder = new PutUserRequestBuilder(mock(Client.class)); - builder.source("kibana4", new BytesArray(json.getBytes(StandardCharsets.UTF_8)), XContentType.JSON, Hasher.BCRYPT); + builder.source("kibana4", new BytesArray(json.getBytes(StandardCharsets.UTF_8)), XContentType.JSON, passwordHashingAlgorighm); PutUserRequest request = builder.request(); assertThat(request.username(), is("kibana4")); @@ -106,7 +118,8 @@ public void testInvalidFullname() throws IOException { PutUserRequestBuilder builder = new PutUserRequestBuilder(mock(Client.class)); ElasticsearchParseException e = expectThrows(ElasticsearchParseException.class, - () -> builder.source("kibana4", new BytesArray(json.getBytes(StandardCharsets.UTF_8)), XContentType.JSON, Hasher.BCRYPT)); + () -> builder + .source("kibana4", new BytesArray(json.getBytes(StandardCharsets.UTF_8)), XContentType.JSON, passwordHashingAlgorighm)); assertThat(e.getMessage(), containsString("expected field [full_name] to be of type string")); } @@ -122,7 +135,8 @@ public void testInvalidEmail() throws IOException { PutUserRequestBuilder builder = new PutUserRequestBuilder(mock(Client.class)); ElasticsearchParseException e = expectThrows(ElasticsearchParseException.class, - () -> builder.source("kibana4", new BytesArray(json.getBytes(StandardCharsets.UTF_8)), XContentType.JSON, Hasher.BCRYPT)); + () -> builder + .source("kibana4", new BytesArray(json.getBytes(StandardCharsets.UTF_8)), XContentType.JSON, passwordHashingAlgorighm)); assertThat(e.getMessage(), containsString("expected field [email] to be of type string")); } 
@@ -139,12 +153,14 @@ public void testWithEnabled() throws IOException { PutUserRequestBuilder builder = new PutUserRequestBuilder(mock(Client.class)); PutUserRequest request = - builder.source("kibana4", new BytesArray(json.getBytes(StandardCharsets.UTF_8)), XContentType.JSON, Hasher.BCRYPT).request(); + builder + .source("kibana4", new BytesArray(json.getBytes(StandardCharsets.UTF_8)), XContentType.JSON, passwordHashingAlgorighm) + .request(); assertFalse(request.enabled()); } public void testWithValidPasswordHash() throws IOException { - final Hasher hasher = Hasher.BCRYPT4; // this is the fastest hasher we officially support + final Hasher hasher = Hasher.PBKDF2_1000; // this is the fastest FIPS 140 approved hasher we officially support final char[] hash = hasher.hash(new SecureString("secret".toCharArray())); final String json = "{\n" + " \"password_hash\": \"" + new String(hash) + "\"," + @@ -159,8 +175,8 @@ public void testWithValidPasswordHash() throws IOException { } public void testWithMismatchedPasswordHash() throws IOException { - final Hasher systemHasher = Hasher.BCRYPT8; - final Hasher userHasher = Hasher.BCRYPT4; // this is the fastest hasher we officially support + final Hasher systemHasher = Hasher.PBKDF2_10000; + final Hasher userHasher = Hasher.PBKDF2_1000; // this is the fastest FIPS 140 approved hasher we officially support final char[] hash = userHasher.hash(new SecureString("secret".toCharArray())); final String json = "{\n" + " \"password_hash\": \"" + new String(hash) + "\"," + 
@@ -191,9 +207,8 @@ public void testWithPasswordHashThatsNotReallyAHash() throws IOException { } public void testWithBothPasswordAndHash() throws IOException { - final Hasher hasher = randomFrom(Hasher.BCRYPT4, Hasher.PBKDF2_1000); final String password = randomAlphaOfLength(12); - final char[] hash = hasher.hash(new SecureString(password.toCharArray())); + final char[] hash = passwordHashingAlgorighm.hash(new SecureString(password.toCharArray())); final LinkedHashMap fields = new LinkedHashMap<>(); fields.put("password", password); fields.put("password_hash", new String(hash)); @@ -203,7 +218,7 @@ public void testWithBothPasswordAndHash() throws IOException { PutUserRequestBuilder builder = new PutUserRequestBuilder(mock(Client.class)); final IllegalArgumentException ex = expectThrows(ValidationException.class, () -> { - builder.source("hash_user", json, XContentType.JSON, hasher).request(); + builder.source("hash_user", json, XContentType.JSON, passwordHashingAlgorighm).request(); }); assertThat(ex.getMessage(), containsString("password_hash has already been set")); } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/user/TransportChangePasswordActionTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/user/TransportChangePasswordActionTests.java index aabaa40381f69..6dea8de3e0b1a 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/user/TransportChangePasswordActionTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/user/TransportChangePasswordActionTests.java 
@@ -48,7 +48,8 @@ public class TransportChangePasswordActionTests extends ESTestCase { public void testAnonymousUser() { - final String hashingAlgorithm = randomFrom("pbkdf2", "pbkdf2_1000", "bcrypt", "bcrypt9"); + final String hashingAlgorithm = inFipsJvm() ? + randomFrom("pbkdf2", "pbkdf2_1000") : randomFrom("pbkdf2", "pbkdf2_1000", "bcrypt", "bcrypt9"); Settings settings = Settings.builder().put(AnonymousUser.ROLES_SETTING.getKey(), "superuser") .put(XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey(), hashingAlgorithm).build(); AnonymousUser anonymousUser = new AnonymousUser(settings); @@ -83,7 +84,8 @@ public void onFailure(Exception e) { } public void testInternalUsers() { - final String hashingAlgorithm = randomFrom("pbkdf2", "pbkdf2_1000", "bcrypt", "bcrypt9"); + final String hashingAlgorithm = inFipsJvm() ? + randomFrom("pbkdf2", "pbkdf2_1000") : randomFrom("pbkdf2", "pbkdf2_1000", "bcrypt", "bcrypt9"); NativeUsersStore usersStore = mock(NativeUsersStore.class); Settings passwordHashingSettings = Settings.builder(). put(XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey(), hashingAlgorithm).build(); @@ -117,7 +119,8 @@ public void onFailure(Exception e) { } public void testValidUser() { - final String hashingAlgorithm = randomFrom("pbkdf2", "pbkdf2_1000", "bcrypt", "bcrypt9"); + final String hashingAlgorithm = inFipsJvm() ? + randomFrom("pbkdf2", "pbkdf2_1000") : randomFrom("pbkdf2", "pbkdf2_1000", "bcrypt", "bcrypt9"); final User user = randomFrom(new ElasticUser(true), new KibanaUser(true), new User("joe")); NativeUsersStore usersStore = mock(NativeUsersStore.class); final Hasher hasher = Hasher.resolve(hashingAlgorithm); 
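Review bot: The expression `inFipsJvm() ? randomFrom("pbkdf2", "pbkdf2_1000") : randomFrom("pbkdf2", "pbkdf2_1000", "bcrypt", "bcrypt9")` is now copied into four tests in this class (testAnonymousUser, testInternalUsers, testValidUser, testException) and again into TransportPutUserActionTests.testValidUser in the next hunk group, so the FIPS-allowed list will drift the next time it changes. A private static helper in each class, `private static String randomFastHashingAlgorithm() { return inFipsJvm() ? randomFrom("pbkdf2", "pbkdf2_1000") : randomFrom("pbkdf2", "pbkdf2_1000", "bcrypt", "bcrypt9"); }`, gives the choice one name and one place; this class extends ESTestCase rather than SecurityIntegTestCase, so the `getFastStoredHashAlgoForTests()` helper added there does not appear to be available to it. Each test body continues beyond its hunk.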
@@ -191,7 +194,8 @@ public void onFailure(Exception e) { } public void testException() { - final String hashingAlgorithm = randomFrom("pbkdf2", "pbkdf2_1000", "bcrypt", "bcrypt9"); + final String hashingAlgorithm = inFipsJvm() ? + randomFrom("pbkdf2", "pbkdf2_1000") : randomFrom("pbkdf2", "pbkdf2_1000", "bcrypt", "bcrypt9"); final User user = randomFrom(new ElasticUser(true), new KibanaUser(true), new User("joe")); NativeUsersStore usersStore = mock(NativeUsersStore.class); ChangePasswordRequest request = new ChangePasswordRequest(); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/user/TransportPutUserActionTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/user/TransportPutUserActionTests.java index b6037932f8a8f..cc2d6a4defac9 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/user/TransportPutUserActionTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/user/TransportPutUserActionTests.java @@ -168,8 +168,9 @@ public void testValidUser() { final PutUserRequest request = new PutUserRequest(); request.username(user.principal()); if (isCreate) { - request.passwordHash(Hasher.resolve( - randomFrom("pbkdf2", "pbkdf2_1000", "bcrypt", "bcrypt9")).hash(SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING)); + final String hashingAlgorithm = inFipsJvm() ? + randomFrom("pbkdf2", "pbkdf2_1000") : randomFrom("pbkdf2", "pbkdf2_1000", "bcrypt", "bcrypt9"); + request.passwordHash(Hasher.resolve(hashingAlgorithm).hash(SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING)); } final boolean created = isCreate ? randomBoolean() : false; // updates should always return false for create doAnswer(new Answer() { 
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyServiceTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyServiceTests.java index 9e71def6d12d6..19ddda9c69e63 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyServiceTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyServiceTests.java @@ -45,6 +45,7 @@ import org.elasticsearch.xpack.security.test.SecurityMocks; import org.junit.After; import org.junit.Before; +import org.junit.BeforeClass; import org.mockito.Mockito; import java.io.IOException; @@ -85,6 +86,16 @@ public class ApiKeyServiceTests extends ESTestCase { private XPackLicenseState licenseState; private Client client; private SecurityIndexManager securityIndex; + private static Hasher[] passwordHashingAlgorighms; + + @BeforeClass + public static void setup() { + if (inFipsJvm()) { + passwordHashingAlgorighms = new Hasher[]{Hasher.PBKDF2_1000, Hasher.PBKDF2_10000, Hasher.PBKDF2_50000}; + } else { + passwordHashingAlgorighms = new Hasher[]{Hasher.PBKDF2, Hasher.BCRYPT4, Hasher.BCRYPT}; + } + } @Before public void createThreadPool() { @@ -283,7 +294,7 @@ private AuthenticationResult tryAuthenticate(ApiKeyService service, String id, S public void testValidateApiKey() throws Exception { final String apiKey = randomAlphaOfLength(16); - Hasher hasher = randomFrom(Hasher.PBKDF2, Hasher.BCRYPT4, Hasher.BCRYPT); + Hasher hasher = randomFrom(passwordHashingAlgorighms); final char[] hash = hasher.hash(new SecureString(apiKey.toCharArray())); Map sourceMap = new HashMap<>(); 
@@ -457,7 +468,7 @@ public void testApiKeyServiceDisabled() throws Exception { public void testApiKeyCache() { final String apiKey = randomAlphaOfLength(16); - Hasher hasher = randomFrom(Hasher.PBKDF2, Hasher.BCRYPT4, Hasher.BCRYPT); + Hasher hasher = randomFrom(passwordHashingAlgorighms); final char[] hash = hasher.hash(new SecureString(apiKey.toCharArray())); Map sourceMap = buildApiKeySourceDoc(hash); @@ -510,7 +521,7 @@ public void testApiKeyCache() { public void testAuthenticateWhileCacheBeingPopulated() throws Exception { final String apiKey = randomAlphaOfLength(16); - Hasher hasher = randomFrom(Hasher.PBKDF2, Hasher.BCRYPT4, Hasher.BCRYPT); + Hasher hasher = randomFrom(passwordHashingAlgorighms); final char[] hash = hasher.hash(new SecureString(apiKey.toCharArray())); Map sourceMap = buildApiKeySourceDoc(hash); @@ -568,7 +579,7 @@ public void testAuthenticateWhileCacheBeingPopulated() throws Exception { public void testApiKeyCacheDisabled() { final String apiKey = randomAlphaOfLength(16); - Hasher hasher = randomFrom(Hasher.PBKDF2, Hasher.BCRYPT4, Hasher.BCRYPT); + Hasher hasher = randomFrom(passwordHashingAlgorighms); final char[] hash = hasher.hash(new SecureString(apiKey.toCharArray())); final Settings settings = Settings.builder() .put(ApiKeyService.CACHE_TTL_SETTING.getKey(), "0s") diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/AuthenticationServiceTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/AuthenticationServiceTests.java index 01bf3562860bd..fb7206b36bb2b 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/AuthenticationServiceTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/AuthenticationServiceTests.java 
@@ -1445,7 +1445,7 @@ public void testApiKeyAuth() {
 source.put("doc_type", "api_key");
 source.put("creation_time", Instant.now().minus(5, ChronoUnit.MINUTES).toEpochMilli());
 source.put("api_key_invalidated", false);
- source.put("api_key_hash", new String(Hasher.BCRYPT4.hash(new SecureString(key.toCharArray()))));
+ source.put("api_key_hash", new String(Hasher.PBKDF2.hash(new SecureString(key.toCharArray()))));
 source.put("role_descriptors", Collections.singletonMap("api key role", Collections.singletonMap("cluster", "all")));
 source.put("name", "my api key for testApiKeyAuth");
 Map creatorMap = new HashMap<>();
@@ -1485,7 +1485,7 @@ public void testExpiredApiKey() {
 source.put("creation_time", Instant.now().minus(5L, ChronoUnit.HOURS).toEpochMilli());
 source.put("expiration_time", Instant.now().minus(1L, ChronoUnit.HOURS).toEpochMilli());
 source.put("api_key_invalidated", false);
- source.put("api_key_hash", new String(Hasher.BCRYPT4.hash(new SecureString(key.toCharArray()))));
+ source.put("api_key_hash", new String(Hasher.PBKDF2.hash(new SecureString(key.toCharArray()))));
 source.put("role_descriptors", Collections.singletonList(Collections.singletonMap("name", "a role")));
 source.put("name", "my api key for testApiKeyAuth");
 Map creatorMap = new HashMap<>();
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/ESNativeMigrateToolTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/ESNativeMigrateToolTests.java
index 40e6f7510f02e..e4e2abdc6f87b 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/ESNativeMigrateToolTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/ESNativeMigrateToolTests.java
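Review bot: Both fixtures now hash with `Hasher.PBKDF2`, which presumably runs at the hasher's default iteration count and is more expensive than the `BCRYPT4` it replaces; since testApiKeyAuth and testExpiredApiKey only need a hash that verifies, `Hasher.PBKDF2_1000` (which this same diff uses in ApiKeyServiceTests) would keep the fixture FIPS-compatible at lower cost. A comment on the changed line would also record why the algorithm moved away from bcrypt, e.g. `// PBKDF2 rather than bcrypt so the fixture also verifies when the JVM runs in FIPS mode`. Both methods start and end outside their hunks.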
@@ -177,7 +177,7 @@ public void testMissingPasswordParameter() { private Settings.Builder getSettingsBuilder() { Settings.Builder builder = Settings.builder(); if (inFipsJvm()) { - builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + builder.put(XPackSettings.FIPS_MODE_ENABLED.getKey(), true); } return builder; } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/NativeRealmIntegTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/NativeRealmIntegTests.java index 3bc220d6a689a..6c7a6f22d597b 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/NativeRealmIntegTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/NativeRealmIntegTests.java @@ -28,6 +28,7 @@ import org.elasticsearch.test.SecuritySettingsSourceField; import org.elasticsearch.transport.TransportRequest; import org.elasticsearch.xpack.core.XPackFeatureSet; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.action.XPackUsageRequestBuilder; import org.elasticsearch.xpack.core.action.XPackUsageResponse; import org.elasticsearch.xpack.core.security.SecurityFeatureSetUsage; @@ -97,7 +98,7 @@ public static void init() { @Override public Settings nodeSettings(int nodeOrdinal) { Settings.Builder builder = Settings.builder().put(super.nodeSettings(nodeOrdinal)) - .put("xpack.security.authc.password_hashing.algorithm", hasher.name()); + .put(XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey(), hasher.name()); if (anonymousEnabled) { builder.put(AnonymousUser.ROLES_SETTING.getKey(), "native_anonymous"); } 
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/NativeUsersStoreTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/NativeUsersStoreTests.java index eda3cec342ff4..45ca419e06c24 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/NativeUsersStoreTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/NativeUsersStoreTests.java @@ -236,7 +236,7 @@ private void respondToGetUserRequest(String username, SecureString password, Str // Native users store is initiated with default hashing algorithm final Map values = new HashMap<>(); values.put(User.Fields.USERNAME.getPreferredName(), username); - values.put(User.Fields.PASSWORD.getPreferredName(), String.valueOf(Hasher.BCRYPT.hash(password))); + values.put(User.Fields.PASSWORD.getPreferredName(), String.valueOf(Hasher.PBKDF2.hash(password))); values.put(User.Fields.ROLES.getPreferredName(), roles); values.put(User.Fields.ENABLED.getPreferredName(), Boolean.TRUE); values.put(User.Fields.TYPE.getPreferredName(), NativeUsersStore.USER_DOC_TYPE); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/ReservedRealmIntegTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/ReservedRealmIntegTests.java index 4ed27bec0de72..cab2656b54320 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/ReservedRealmIntegTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/ReservedRealmIntegTests.java 
@@ -10,6 +10,7 @@ import org.elasticsearch.common.settings.SecureString; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.test.NativeRealmIntegTestCase; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.action.user.ChangePasswordResponse; import org.elasticsearch.xpack.core.security.authc.support.Hasher; import org.elasticsearch.xpack.core.security.client.SecurityClient; @@ -47,7 +48,7 @@ public static void setHasher() { public Settings nodeSettings(int nodeOrdinal) { Settings settings = Settings.builder() .put(super.nodeSettings(nodeOrdinal)) - .put("xpack.security.authc.password_hashing.algorithm", hasher.name()) + .put(XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey(), hasher.name()) .build(); return settings; } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/tool/CommandLineHttpClientTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/tool/CommandLineHttpClientTests.java index 52f33087959f2..b4c955aa44b9f 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/tool/CommandLineHttpClientTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/tool/CommandLineHttpClientTests.java @@ -73,7 +73,7 @@ public void testCommandLineHttpClientCanExecuteAndReturnCorrectResultUsingSSLSet public void testGetDefaultURLFailsWithHelpfulMessage() { Settings.Builder builder = Settings.builder(); if (inFipsJvm()) { - builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + builder.put(XPackSettings.FIPS_MODE_ENABLED.getKey(), true); } Settings settings = builder .put("network.host", "_ec2:privateIpv4_") 
@@ -94,7 +94,7 @@ private Settings.Builder getHttpSslSettings() {
 secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode");
 Settings.Builder builder = Settings.builder();
 if (inFipsJvm()) {
- builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
+ builder.put(XPackSettings.FIPS_MODE_ENABLED.getKey(), true);
 }
 return builder
 .put("xpack.security.http.ssl.enabled", true)
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/file/FileUserPasswdStoreTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/file/FileUserPasswdStoreTests.java
index 5c67b1b087844..fc38916052fed 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/file/FileUserPasswdStoreTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/file/FileUserPasswdStoreTests.java
@@ -52,11 +52,12 @@ public class FileUserPasswdStoreTests extends ESTestCase {
 
 @Before
 public void init() {
+ final String hashingAlgorithm = inFipsJvm() ? randomFrom("pbkdf2", "pbkdf2_1000", "pbkdf2_50000") :
+ randomFrom("bcrypt", "bcrypt11", "pbkdf2", "pbkdf2_1000", "pbkdf2_50000");
 settings = Settings.builder()
 .put("resource.reload.interval.high", "100ms")
 .put("path.home", createTempDir())
- .put("xpack.security.authc.password_hashing.algorithm", randomFrom("bcrypt", "bcrypt11", "pbkdf2", "pbkdf2_1000",
- "pbkdf2_50000"))
+ .put("xpack.security.authc.password_hashing.algorithm", hashingAlgorithm)
 .build();
 env = TestEnvironment.newEnvironment(settings);
 threadPool = new TestThreadPool("test");
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectoryRealmTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectoryRealmTests.java
index 83a0fb26f3d76..0291023b18186 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectoryRealmTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectoryRealmTests.java @@ -145,7 +145,7 @@ public void start() throws Exception { resourceWatcherService = new ResourceWatcherService(Settings.EMPTY, threadPool); Settings.Builder builder = Settings.builder(); if (inFipsJvm()) { - builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + builder.put(XPackSettings.FIPS_MODE_ENABLED.getKey(), true); } globalSettings = builder.put("path.home", createTempDir()).build(); sslService = new SSLService(globalSettings, TestEnvironment.newEnvironment(globalSettings)); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapRealmTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapRealmTests.java index 3f99571c7e74c..3fd7cf51ad120 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapRealmTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapRealmTests.java @@ -102,7 +102,7 @@ public void init() throws Exception { resourceWatcherService = new ResourceWatcherService(Settings.EMPTY, threadPool); Settings.Builder builder = Settings.builder(); if (inFipsJvm()) { - builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + builder.put(XPackSettings.FIPS_MODE_ENABLED.getKey(), true); } defaultGlobalSettings = builder.put("path.home", createTempDir()).build(); sslService = new SSLService(defaultGlobalSettings, TestEnvironment.newEnvironment(defaultGlobalSettings)); 
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapSessionFactoryTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapSessionFactoryTests.java index a9e6442248129..ef50a2897fa75 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapSessionFactoryTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapSessionFactoryTests.java @@ -62,7 +62,7 @@ public void setup() throws Exception { Files.copy(origCa, ldapCaPath, StandardCopyOption.REPLACE_EXISTING); Settings.Builder builder = Settings.builder(); if (inFipsJvm()) { - builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + builder.put(XPackSettings.FIPS_MODE_ENABLED.getKey(), true); } globalSettings = builder .put("path.home", createTempDir()) diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapTestUtils.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapTestUtils.java index 65eb36aeba73b..dc23275ed63e0 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapTestUtils.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapTestUtils.java @@ -13,6 +13,7 @@ import org.elasticsearch.common.settings.Settings; import org.elasticsearch.env.Environment; import org.elasticsearch.env.TestEnvironment; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.authc.ldap.support.SessionFactorySettings; import org.elasticsearch.xpack.core.ssl.SSLConfiguration; import org.elasticsearch.xpack.core.ssl.SSLService; @@ -21,6 +22,8 @@ import java.nio.file.Path; +import static org.elasticsearch.test.ESTestCase.inFipsJvm; + public class LdapTestUtils { private LdapTestUtils() { 
@@ -31,6 +34,9 @@ public static LDAPConnection openConnection(String url, String bindDN, String bi Settings.Builder builder = Settings.builder().put("path.home", LuceneTestCase.createTempDir()); MockSecureSettings secureSettings = new MockSecureSettings(); builder.setSecureSettings(secureSettings); + if (inFipsJvm()) { + builder.put(XPackSettings.FIPS_MODE_ENABLED.getKey(), true); + } // fake realms so ssl will get loaded builder.put("xpack.security.authc.realms.ldap.foo.ssl.truststore.path", truststore); builder.put("xpack.security.authc.realms.ldap.foo.ssl.verification_mode", VerificationMode.FULL); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapUserSearchSessionFactoryTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapUserSearchSessionFactoryTests.java index 0f9175f44808b..7fc9f0a85d532 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapUserSearchSessionFactoryTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapUserSearchSessionFactoryTests.java @@ -65,7 +65,7 @@ public void init() throws Exception { */ Settings.Builder builder = Settings.builder(); if (inFipsJvm()) { - builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + builder.put(XPackSettings.FIPS_MODE_ENABLED.getKey(), true); } globalSettings = builder .put("path.home", createTempDir()) diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/LdapTestCase.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/LdapTestCase.java index 52427bcc86c85..1f309a5dc9087 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/LdapTestCase.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/LdapTestCase.java 
@@ -163,17 +163,17 @@ public static Settings buildLdapSettings(RealmConfig.RealmIdentifier realmId, St String groupSearchBase, LdapSearchScope scope, LdapLoadBalancing serverSetType, boolean ignoreReferralErrors) { Settings.Builder builder = Settings.builder() - .putList(getFullSettingKey(realmId, URLS_SETTING), ldapUrl) - .putList(getFullSettingKey(realmId.getName(), LdapSessionFactorySettings.USER_DN_TEMPLATES_SETTING), userTemplate) - .put(getFullSettingKey(realmId, SessionFactorySettings.TIMEOUT_TCP_CONNECTION_SETTING), TimeValue.timeValueSeconds(1L)) - .put(getFullSettingKey(realmId, SessionFactorySettings.IGNORE_REFERRAL_ERRORS_SETTING), ignoreReferralErrors) - .put(getFullSettingKey(realmId, SearchGroupsResolverSettings.BASE_DN), groupSearchBase) - .put(getFullSettingKey(realmId, SearchGroupsResolverSettings.SCOPE), scope); + .putList(getFullSettingKey(realmId, URLS_SETTING), ldapUrl) + .putList(getFullSettingKey(realmId.getName(), LdapSessionFactorySettings.USER_DN_TEMPLATES_SETTING), userTemplate) + .put(getFullSettingKey(realmId, SessionFactorySettings.TIMEOUT_TCP_CONNECTION_SETTING), TimeValue.timeValueSeconds(1L)) + .put(getFullSettingKey(realmId, SessionFactorySettings.IGNORE_REFERRAL_ERRORS_SETTING), ignoreReferralErrors) + .put(getFullSettingKey(realmId, SearchGroupsResolverSettings.BASE_DN), groupSearchBase) + .put(getFullSettingKey(realmId, SearchGroupsResolverSettings.SCOPE), scope); if (serverSetType != null) { builder.put(getFullSettingKey(realmId, LdapLoadBalancingSettings.LOAD_BALANCE_TYPE_SETTING), serverSetType.toString()); } if (inFipsJvm()) { - builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + builder.put(XPackSettings.FIPS_MODE_ENABLED.getKey(), true); } return builder.build(); } 
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/SessionFactoryLoadBalancingTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/SessionFactoryLoadBalancingTests.java index c7c8fc0926b30..f283e8c8e3e79 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/SessionFactoryLoadBalancingTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/SessionFactoryLoadBalancingTests.java @@ -288,17 +288,17 @@ public void testFailover() throws Exception { private TestSessionFactory createSessionFactory(LdapLoadBalancing loadBalancing) throws Exception { String groupSearchBase = "cn=HMS Lydia,ou=crews,ou=groups,o=sevenSeas"; String userTemplate = "cn={0},ou=people,o=sevenSeas"; - Settings settings = buildLdapSettings(ldapUrls(), new String[] { userTemplate }, groupSearchBase, - LdapSearchScope.SUB_TREE, loadBalancing); + Settings settings = buildLdapSettings(ldapUrls(), new String[]{userTemplate}, groupSearchBase, + LdapSearchScope.SUB_TREE, loadBalancing); Settings globalSettings = Settings.builder().put("path.home", createTempDir()).put(settings).build(); RealmConfig config = new RealmConfig(REALM_IDENTIFIER, globalSettings, - TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY)); + TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY)); Settings.Builder builder = Settings.builder(); if (inFipsJvm()) { - builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + builder.put(XPackSettings.FIPS_MODE_ENABLED.getKey(), true); } return new TestSessionFactory(config, new SSLService(builder.build(), TestEnvironment.newEnvironment(config.settings())), - threadPool); + threadPool); } private class PortBlockingRunnable implements Runnable { 
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/SessionFactoryTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/SessionFactoryTests.java index 55a50b6091c6b..64a8a8dc275a4 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/SessionFactoryTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/SessionFactoryTests.java @@ -67,10 +67,10 @@ public void testSessionFactoryWithResponseTimeout() throws Exception { final RealmConfig.RealmIdentifier realmId = new RealmConfig.RealmIdentifier("ldap", "response_settings"); final Path pathHome = createTempDir(); { - Settings settings = Settings.builder() - .put(getFullSettingKey(realmId, SessionFactorySettings.TIMEOUT_RESPONSE_SETTING), "10s") - .put("path.home", pathHome) - .build(); + Settings settings = getSettingsBuilder() + .put(getFullSettingKey(realmId, SessionFactorySettings.TIMEOUT_RESPONSE_SETTING), "10s") + .put("path.home", pathHome) + .build(); final Environment environment = TestEnvironment.newEnvironment(settings); RealmConfig realmConfig = new RealmConfig(realmId, settings, environment, new ThreadContext(settings)); @@ -78,10 +78,10 @@ public void testSessionFactoryWithResponseTimeout() throws Exception { assertThat(options.getResponseTimeoutMillis(), is(equalTo(10000L))); } { - Settings settings = Settings.builder() - .put(getFullSettingKey(realmId, SessionFactorySettings.TIMEOUT_TCP_READ_SETTING), "7s") - .put("path.home", pathHome) - .build(); + Settings settings = getSettingsBuilder() + .put(getFullSettingKey(realmId, SessionFactorySettings.TIMEOUT_TCP_READ_SETTING), "7s") + .put("path.home", pathHome) + .build(); final Environment environment = TestEnvironment.newEnvironment(settings); RealmConfig realmConfig = new RealmConfig(realmId, settings, environment, new ThreadContext(settings)); 
@@ -91,11 +91,11 @@ public void testSessionFactoryWithResponseTimeout() throws Exception { .getConcreteSettingForNamespace("response_settings")}); } { - Settings settings = Settings.builder() - .put(getFullSettingKey(realmId, SessionFactorySettings.TIMEOUT_RESPONSE_SETTING), "11s") - .put(getFullSettingKey(realmId, SessionFactorySettings.TIMEOUT_TCP_READ_SETTING), "6s") - .put("path.home", pathHome) - .build(); + Settings settings = getSettingsBuilder() + .put(getFullSettingKey(realmId, SessionFactorySettings.TIMEOUT_RESPONSE_SETTING), "11s") + .put(getFullSettingKey(realmId, SessionFactorySettings.TIMEOUT_TCP_READ_SETTING), "6s") + .put("path.home", pathHome) + .build(); final Environment environment = TestEnvironment.newEnvironment(settings); RealmConfig realmConfig = new RealmConfig(realmId, settings, environment, new ThreadContext(settings)); @@ -105,10 +105,10 @@ public void testSessionFactoryWithResponseTimeout() throws Exception { ".authc.realms.ldap.response_settings.timeout.response] may not be used at the same time")); } { - Settings settings = Settings.builder() - .put(getFullSettingKey(realmId, SessionFactorySettings.TIMEOUT_LDAP_SETTING), "750ms") - .put("path.home", pathHome) - .build(); + Settings settings = getSettingsBuilder() + .put(getFullSettingKey(realmId, SessionFactorySettings.TIMEOUT_LDAP_SETTING), "750ms") + .put("path.home", pathHome) + .build(); final Environment environment = TestEnvironment.newEnvironment(settings); RealmConfig realmConfig = new RealmConfig(realmId, settings, environment, new ThreadContext(settings)); @@ -198,7 +198,7 @@ public void session(String user, SecureString password, ActionListener listener) { diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/SnapshotUserRoleIntegTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/SnapshotUserRoleIntegTests.java index 66ea23b518c29..7c61a98f7ec7e 100644 
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/SnapshotUserRoleIntegTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/SnapshotUserRoleIntegTests.java @@ -55,7 +55,7 @@ public void setupClusterBeforeSnapshot() { final char[] password = new char[] {'p', 'a', 's', 's', 'w', 'o', 'r', 'd'}; final String snapshotUserToken = basicAuthHeaderValue(user, new SecureString(password)); client = client().filterWithHeader(Collections.singletonMap("Authorization", snapshotUserToken)); - securityClient().preparePutUser(user, password, Hasher.BCRYPT, "snapshot_user").get(); + securityClient().preparePutUser(user, password, Hasher.PBKDF2, "snapshot_user").get(); ensureGreen(INTERNAL_SECURITY_MAIN_INDEX_7); } @@ -127,5 +127,5 @@ public void testSnapshotUserRoleUnathorizedForDestructiveActions() { "snapshot_user"); } } - + } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/AbstractSimpleSecurityTransportTestCase.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/AbstractSimpleSecurityTransportTestCase.java index f5fa70815bbbc..517fccecb713e 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/AbstractSimpleSecurityTransportTestCase.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/AbstractSimpleSecurityTransportTestCase.java 
@@ -81,11 +81,7 @@ protected SSLService createSSLService(Settings settings) { secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); // Some tests use a client profile. Put the passphrase in the secure settings for the profile (secure settings cannot be set twice) secureSettings.setString("transport.profiles.client.xpack.security.ssl.secure_key_passphrase", "testnode"); - Settings.Builder builder = Settings.builder(); - if (inFipsJvm()) { - builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); - } - Settings settings1 = builder + Settings settings1 = getSettingsBuilder() .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.key", testnodeKey) .put("xpack.security.transport.ssl.certificate", testnodeCert) @@ -144,7 +140,7 @@ public void testRenegotiation() throws Exception { inFipsJvm()); // force TLSv1.2 since renegotiation is not supported by 1.3 SSLService sslService = - createSSLService(Settings.builder().put("xpack.security.transport.ssl.supported_protocols", "TLSv1.2").build()); + createSSLService(getSettingsBuilder().put("xpack.security.transport.ssl.supported_protocols", "TLSv1.2").build()); final SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.security.transport.ssl"); SocketFactory factory = sslService.sslSocketFactory(sslConfiguration); try (SSLSocket socket = (SSLSocket) factory.createSocket()) { @@ -237,7 +233,7 @@ public boolean matches(SNIServerName sniServerName) { InetSocketAddress serverAddress = (InetSocketAddress) SocketAccess.doPrivileged(sslServerSocket::getLocalSocketAddress); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.verification_mode", "none") .build(); try (MockTransportService serviceC = buildService("TS_C", version0, settings)) { 
@@ -284,7 +280,7 @@ public void testInvalidSNIServerName() throws Exception { InetSocketAddress serverAddress = (InetSocketAddress) SocketAccess.doPrivileged(sslServerSocket::getLocalSocketAddress); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.verification_mode", "none") .build(); try (MockTransportService serviceC = buildService("TS_C", version0, settings)) { @@ -316,7 +312,7 @@ public void testSecurityClientAuthenticationConfigs() throws Exception { // test required client authentication String value = randomFrom(SSLClientAuth.REQUIRED.name(), SSLClientAuth.REQUIRED.name().toLowerCase(Locale.ROOT)); - Settings settings = Settings.builder().put("xpack.security.transport.ssl.client_authentication", value).build(); + Settings settings = getSettingsBuilder().put("xpack.security.transport.ssl.client_authentication", value).build(); try (MockTransportService service = buildService("TS_REQUIRED_CLIENT_AUTH", Version.CURRENT, settings)) { TcpTransport originalTransport = (TcpTransport) service.getOriginalTransport(); try (Transport.Connection connection2 = serviceA.openConnection(service.getLocalNode(), TestProfiles.LIGHT_PROFILE)) { @@ -328,7 +324,7 @@ public void testSecurityClientAuthenticationConfigs() throws Exception { // test no client authentication value = randomFrom(SSLClientAuth.NONE.name(), SSLClientAuth.NONE.name().toLowerCase(Locale.ROOT)); - settings = Settings.builder().put("xpack.security.transport.ssl.client_authentication", value).build(); + settings = getSettingsBuilder().put("xpack.security.transport.ssl.client_authentication", value).build(); try (MockTransportService service = buildService("TS_NO_CLIENT_AUTH", Version.CURRENT, settings)) { TcpTransport originalTransport = (TcpTransport) service.getOriginalTransport(); try (Transport.Connection connection2 = serviceA.openConnection(service.getLocalNode(), TestProfiles.LIGHT_PROFILE)) { 
@@ -340,7 +336,7 @@ public void testSecurityClientAuthenticationConfigs() throws Exception { // test optional client authentication value = randomFrom(SSLClientAuth.OPTIONAL.name(), SSLClientAuth.OPTIONAL.name().toLowerCase(Locale.ROOT)); - settings = Settings.builder().put("xpack.security.transport.ssl.client_authentication", value).build(); + settings = getSettingsBuilder().put("xpack.security.transport.ssl.client_authentication", value).build(); try (MockTransportService service = buildService("TS_OPTIONAL_CLIENT_AUTH", Version.CURRENT, settings)) { TcpTransport originalTransport = (TcpTransport) service.getOriginalTransport(); try (Transport.Connection connection2 = serviceA.openConnection(service.getLocalNode(), TestProfiles.LIGHT_PROFILE)) { @@ -352,7 +348,7 @@ public void testSecurityClientAuthenticationConfigs() throws Exception { // test profile required client authentication value = randomFrom(SSLClientAuth.REQUIRED.name(), SSLClientAuth.REQUIRED.name().toLowerCase(Locale.ROOT)); - settings = Settings.builder() + settings = getSettingsBuilder() .put("transport.profiles.client.port", "8000-9000") .put("transport.profiles.client.xpack.security.ssl.enabled", true) .put("transport.profiles.client.xpack.security.ssl.certificate", testnodeCert) @@ -373,7 +369,7 @@ public void testSecurityClientAuthenticationConfigs() throws Exception { // test profile no client authentication value = randomFrom(SSLClientAuth.NONE.name(), SSLClientAuth.NONE.name().toLowerCase(Locale.ROOT)); - settings = Settings.builder() + settings = getSettingsBuilder() .put("transport.profiles.client.port", "8000-9000") .put("transport.profiles.client.xpack.security.ssl.enabled", true) .put("transport.profiles.client.xpack.security.ssl.certificate", testnodeCert) 
@@ -394,7 +390,7 @@ public void testSecurityClientAuthenticationConfigs() throws Exception {
 
 // test profile optional client authentication
 value = randomFrom(SSLClientAuth.OPTIONAL.name(), SSLClientAuth.OPTIONAL.name().toLowerCase(Locale.ROOT));
- settings = Settings.builder()
+ settings = getSettingsBuilder()
 .put("transport.profiles.client.port", "8000-9000")
 .put("transport.profiles.client.xpack.security.ssl.enabled", true)
 .put("transport.profiles.client.xpack.security.ssl.certificate", testnodeCert)
@@ -439,4 +435,12 @@ private TcpChannel getSingleChannel(Transport.Connection connection) {
 TcpTransport.NodeChannels nodeChannels = (TcpTransport.NodeChannels) wrappedConnection.getConnection();
 return nodeChannels.getChannels().get(0);
 }
+
+ private Settings.Builder getSettingsBuilder() {
+ Settings.Builder builder = Settings.builder();
+ if (inFipsJvm()) {
+ builder.put(XPackSettings.FIPS_MODE_ENABLED.getKey(), true);
+ }
+ return builder;
+ }
 }
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ServerTransportFilterIntegrationTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ServerTransportFilterIntegrationTests.java
index 859c3e29a19a0..0ec120ffdad35 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ServerTransportFilterIntegrationTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ServerTransportFilterIntegrationTests.java
@@ -208,7 +208,8 @@ public String executor() {
 private Settings.Builder getSettingsBuilder() {
 Settings.Builder builder = Settings.builder();
 if (inFipsJvm()) {
- builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
+ builder.put(XPackSettings.FIPS_MODE_ENABLED.getKey(), true);
+ builder.put(XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey(), "PBKDF2_1000");
 }
 return builder;
 }
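Review bot: The `getSettingsBuilder()` added at the end of AbstractSimpleSecurityTransportTestCase is `private`, so the concrete subclasses of this abstract base cannot reach it and any settings they build themselves will have to repeat the `inFipsJvm()` block; `protected` looks like the better fit. The same helper now also exists verbatim in ServerTransportFilterIntegrationTests (next hunk), ESNativeMigrateToolTests and CommandLineHttpClientTests, and the inline `if (inFipsJvm()) { builder.put(XPackSettings.FIPS_MODE_ENABLED.getKey(), true); }` form recurs in the LDAP tests, IPFilterTests and LdapTestUtils, so one shared helper next to `inFipsJvm()` would remove the duplication and keep the FIPS settings in a single place. In the ServerTransportFilterIntegrationTests hunk, the bare string `"PBKDF2_1000"` could be `Hasher.PBKDF2_1000.name()` (the realm tests in this diff already use `hasher.name()`), provided Hasher is on that test's classpath, so a renamed constant fails at compile time rather than at node start.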
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/filter/IPFilterTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/filter/IPFilterTests.java
index 5ac9a024c008b..74f77b3b171d5 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/filter/IPFilterTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/filter/IPFilterTests.java
@@ -274,13 +274,14 @@ public void testThatAllAddressesAreAllowedWhenLicenseDisablesSecurity() {
 public void testThatNodeStartsWithIPFilterDisabled() throws Exception {
 Settings.Builder builder = Settings.builder();
 if (inFipsJvm()) {
- builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
+ builder.put(XPackSettings.FIPS_MODE_ENABLED.getKey(), true);
+ builder.put(XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey(), "PBKDF2_1000");
 }
 Settings settings = builder
- .put("path.home", createTempDir())
- .put("xpack.security.transport.filter.enabled", randomBoolean())
- .put("xpack.security.http.filter.enabled", randomBoolean())
- .build();
+ .put("path.home", createTempDir())
+ .put("xpack.security.transport.filter.enabled", randomBoolean())
+ .put("xpack.security.http.filter.enabled", randomBoolean())
+ .build();
 try (Node node = new MockNode(settings, Arrays.asList(LocalStateSecurity.class))) {
 assertNotNull(node);
 }
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SecurityNetty4HttpServerTransportTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SecurityNetty4HttpServerTransportTests.java
index ccbb2537f7d74..666a68657844f 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SecurityNetty4HttpServerTransportTests.java
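Review bot: Nothing in an IP-filter test explains why a password hashing algorithm has to be configured, so the added `PASSWORD_HASHING_ALGORITHM` line in testThatNodeStartsWithIPFilterDisabled deserves a one-line comment; if the reason is that a node started in FIPS mode rejects the default algorithm, say so: `// a node in FIPS mode needs a PBKDF2 password hashing algorithm to start`. The re-indentation of the four `.put(...)` lines in the same hunk is whitespace-only and inflates the diff without changing behavior.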
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SecurityNetty4HttpServerTransportTests.java @@ -48,11 +48,7 @@ public void createSSLService() { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode"); - Settings.Builder builder = Settings.builder(); - if (inFipsJvm()) { - builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); - } - Settings settings = builder + Settings settings = getSettingsBuilder() .put("xpack.security.http.ssl.enabled", true) .put("xpack.security.http.ssl.key", testnodeKey) .put("xpack.security.http.ssl.certificate", testnodeCert) @@ -64,9 +60,9 @@ public void createSSLService() { } public void testDefaultClientAuth() throws Exception { - Settings settings = Settings.builder() - .put(env.settings()) - .put(XPackSettings.HTTP_SSL_ENABLED.getKey(), true).build(); + Settings settings = getSettingsBuilder() + .put(env.settings()) + .put(XPackSettings.HTTP_SSL_ENABLED.getKey(), true).build(); sslService = new SSLService(settings, env); SecurityNetty4HttpServerTransport transport = new SecurityNetty4HttpServerTransport(settings, new NetworkService(Collections.emptyList()), mock(BigArrays.class), mock(IPFilter.class), sslService, 
@@ -80,10 +76,10 @@ public void testDefaultClientAuth() throws Exception { public void testOptionalClientAuth() throws Exception { String value = randomFrom(SSLClientAuth.OPTIONAL.name(), SSLClientAuth.OPTIONAL.name().toLowerCase(Locale.ROOT)); - Settings settings = Settings.builder() - .put(env.settings()) - .put(XPackSettings.HTTP_SSL_ENABLED.getKey(), true) - .put("xpack.security.http.ssl.client_authentication", value).build(); + Settings settings = getSettingsBuilder() + .put(env.settings()) + .put(XPackSettings.HTTP_SSL_ENABLED.getKey(), true) + .put("xpack.security.http.ssl.client_authentication", value).build(); sslService = new SSLService(settings, env); SecurityNetty4HttpServerTransport transport = new SecurityNetty4HttpServerTransport(settings, new NetworkService(Collections.emptyList()), mock(BigArrays.class), mock(IPFilter.class), sslService, @@ -97,10 +93,10 @@ public void testOptionalClientAuth() throws Exception { public void testRequiredClientAuth() throws Exception { String value = randomFrom(SSLClientAuth.REQUIRED.name(), SSLClientAuth.REQUIRED.name().toLowerCase(Locale.ROOT)); - Settings settings = Settings.builder() - .put(env.settings()) - .put(XPackSettings.HTTP_SSL_ENABLED.getKey(), true) - .put("xpack.security.http.ssl.client_authentication", value).build(); + Settings settings = getSettingsBuilder() + .put(env.settings()) + .put(XPackSettings.HTTP_SSL_ENABLED.getKey(), true) + .put("xpack.security.http.ssl.client_authentication", value).build(); sslService = new SSLService(settings, env); SecurityNetty4HttpServerTransport transport = new SecurityNetty4HttpServerTransport(settings, new NetworkService(Collections.emptyList()), mock(BigArrays.class), mock(IPFilter.class), sslService, 
@@ -114,10 +110,10 @@ public void testRequiredClientAuth() throws Exception { public void testNoClientAuth() throws Exception { String value = randomFrom(SSLClientAuth.NONE.name(), SSLClientAuth.NONE.name().toLowerCase(Locale.ROOT)); - Settings settings = Settings.builder() - .put(env.settings()) - .put(XPackSettings.HTTP_SSL_ENABLED.getKey(), true) - .put("xpack.security.http.ssl.client_authentication", value).build(); + Settings settings = getSettingsBuilder() + .put(env.settings()) + .put(XPackSettings.HTTP_SSL_ENABLED.getKey(), true) + .put("xpack.security.http.ssl.client_authentication", value).build(); sslService = new SSLService(settings, env); SecurityNetty4HttpServerTransport transport = new SecurityNetty4HttpServerTransport(settings, new NetworkService(Collections.emptyList()), mock(BigArrays.class), mock(IPFilter.class), sslService, @@ -130,9 +126,9 @@ public void testNoClientAuth() throws Exception { } public void testCustomSSLConfiguration() throws Exception { - Settings settings = Settings.builder() - .put(env.settings()) - .put(XPackSettings.HTTP_SSL_ENABLED.getKey(), true).build(); + Settings settings = getSettingsBuilder() + .put(env.settings()) + .put(XPackSettings.HTTP_SSL_ENABLED.getKey(), true).build(); sslService = new SSLService(settings, env); SecurityNetty4HttpServerTransport transport = new SecurityNetty4HttpServerTransport(settings, new NetworkService(Collections.emptyList()), mock(BigArrays.class), mock(IPFilter.class), sslService, 
@@ -142,11 +138,11 @@ public void testCustomSSLConfiguration() throws Exception { EmbeddedChannel ch = new EmbeddedChannel(handler); SSLEngine defaultEngine = ch.pipeline().get(SslHandler.class).engine(); - settings = Settings.builder() - .put(env.settings()) - .put(XPackSettings.HTTP_SSL_ENABLED.getKey(), true) - .put("xpack.security.http.ssl.supported_protocols", "TLSv1.2") - .build(); + settings = getSettingsBuilder() + .put(env.settings()) + .put(XPackSettings.HTTP_SSL_ENABLED.getKey(), true) + .put("xpack.security.http.ssl.supported_protocols", "TLSv1.2") + .build(); sslService = new SSLService(settings, TestEnvironment.newEnvironment(settings)); transport = new SecurityNetty4HttpServerTransport(settings, new NetworkService(Collections.emptyList()), mock(BigArrays.class), mock(IPFilter.class), sslService, mock(ThreadPool.class), xContentRegistry(), new NullDispatcher(), @@ -161,11 +157,7 @@ public void testCustomSSLConfiguration() throws Exception { public void testNoExceptionWhenConfiguredWithoutSslKeySSLDisabled() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode"); - Settings.Builder builder = Settings.builder(); - if (inFipsJvm()) { - builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); - } - Settings settings = builder + Settings settings = getSettingsBuilder() .put("xpack.security.http.ssl.enabled", false) .put("xpack.security.http.ssl.key", testnodeKey) .put("xpack.security.http.ssl.certificate", testnodeCert) 
@@ -175,9 +167,17 @@ public void testNoExceptionWhenConfiguredWithoutSslKeySSLDisabled() throws Excep
 env = TestEnvironment.newEnvironment(settings);
 sslService = new SSLService(settings, env);
 SecurityNetty4HttpServerTransport transport = new SecurityNetty4HttpServerTransport(settings,
- new NetworkService(Collections.emptyList()), mock(BigArrays.class), mock(IPFilter.class), sslService,
- mock(ThreadPool.class), xContentRegistry(), new NullDispatcher(),
- new ClusterSettings(Settings.EMPTY, ClusterSettings.BUILT_IN_CLUSTER_SETTINGS));
+ new NetworkService(Collections.emptyList()), mock(BigArrays.class), mock(IPFilter.class), sslService,
+ mock(ThreadPool.class), xContentRegistry(), new NullDispatcher(),
+ new ClusterSettings(Settings.EMPTY, ClusterSettings.BUILT_IN_CLUSTER_SETTINGS));
 assertNotNull(transport.configureServerChannelHandler());
 }
+
+ private Settings.Builder getSettingsBuilder() {
+ Settings.Builder builder = Settings.builder();
+ if (inFipsJvm()) {
+ builder.put(XPackSettings.FIPS_MODE_ENABLED.getKey(), true);
+ }
+ return builder;
+ }
 }
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/nio/SecurityNioHttpServerTransportTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/nio/SecurityNioHttpServerTransportTests.java
index 4e2e526b3d699..5270436767fc3 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/nio/SecurityNioHttpServerTransportTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/nio/SecurityNioHttpServerTransportTests.java
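Review bot: The private `getSettingsBuilder()` added at the end of this hunk is copied verbatim into four other test classes in this same change (the nio transport, EmailSsl, HttpClient and HttpConnectionTimeout tests), so the FIPS handling will drift the next time one copy is touched; a single static helper on a shared test base class would avoid that. Wherever it lives, it needs a one-line Javadoc stating the contract, e.g. `/** Base settings for this test: sets xpack.security.fips_mode.enabled when running in a FIPS JVM, otherwise empty. */`. It replaces the `DIAGNOSE_TRUST_EXCEPTIONS_SETTING = false` guard removed earlier in this file; if FIPS mode implicitly disabling that diagnostic is what the tests now rely on, the Javadoc should say so rather than leave the reader to infer it.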
@@ -56,11 +56,7 @@ public void createSSLService() { Path testNodeCert = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"); MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode"); - Settings.Builder builder = Settings.builder(); - if (inFipsJvm()) { - builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); - } - Settings settings = builder + Settings settings = getSettingsBuilder() .put("xpack.security.http.ssl.enabled", true) .put("xpack.security.http.ssl.key", testNodeKey) .put("xpack.security.http.ssl.certificate", testNodeCert) @@ -72,7 +68,7 @@ public void createSSLService() { } public void testDefaultClientAuth() throws IOException { - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put(env.settings()) .put(XPackSettings.HTTP_SSL_ENABLED.getKey(), true).build(); nioGroupFactory = new NioGroupFactory(settings, logger); @@ -93,7 +89,7 @@ public void testDefaultClientAuth() throws IOException { public void testOptionalClientAuth() throws IOException { String value = randomFrom(SSLClientAuth.OPTIONAL.name(), SSLClientAuth.OPTIONAL.name().toLowerCase(Locale.ROOT)); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put(env.settings()) .put(XPackSettings.HTTP_SSL_ENABLED.getKey(), true) .put("xpack.security.http.ssl.client_authentication", value).build(); @@ -115,7 +111,7 @@ public void testOptionalClientAuth() throws IOException { public void testRequiredClientAuth() throws IOException { String value = randomFrom(SSLClientAuth.REQUIRED.name(), SSLClientAuth.REQUIRED.name().toLowerCase(Locale.ROOT)); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put(env.settings()) .put(XPackSettings.HTTP_SSL_ENABLED.getKey(), true) .put("xpack.security.http.ssl.client_authentication", value).build(); 
@@ -137,7 +133,7 @@ public void testRequiredClientAuth() throws IOException { public void testNoClientAuth() throws IOException { String value = randomFrom(SSLClientAuth.NONE.name(), SSLClientAuth.NONE.name().toLowerCase(Locale.ROOT)); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put(env.settings()) .put(XPackSettings.HTTP_SSL_ENABLED.getKey(), true) .put("xpack.security.http.ssl.client_authentication", value).build(); @@ -158,7 +154,7 @@ public void testNoClientAuth() throws IOException { } public void testCustomSSLConfiguration() throws IOException { - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put(env.settings()) .put(XPackSettings.HTTP_SSL_ENABLED.getKey(), true).build(); sslService = new SSLService(settings, env); @@ -173,7 +169,7 @@ public void testCustomSSLConfiguration() throws IOException { NioHttpChannel channel = factory.createChannel(mock(NioSelector.class), socketChannel, mock(Config.Socket.class)); SSLEngine defaultEngine = SSLEngineUtils.getSSLEngine(channel); - settings = Settings.builder() + settings = getSettingsBuilder() .put(env.settings()) .put(XPackSettings.HTTP_SSL_ENABLED.getKey(), true) .put("xpack.security.http.ssl.supported_protocols", "TLSv1.2") @@ -194,11 +190,7 @@ public void testCustomSSLConfiguration() throws IOException { public void testNoExceptionWhenConfiguredWithoutSslKeySSLDisabled() { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.http.ssl.truststore.secure_password", "testnode"); - Settings.Builder builder = Settings.builder(); - if (inFipsJvm()) { - builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); - } - Settings settings = builder + Settings settings = getSettingsBuilder() .put("xpack.security.http.ssl.enabled", false) .put("xpack.security.http.ssl.truststore.path", getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks")) 
@@ -213,4 +205,12 @@ public void testNoExceptionWhenConfiguredWithoutSslKeySSLDisabled() { xContentRegistry(), new NullDispatcher(), mock(IPFilter.class), sslService, nioGroupFactory, new ClusterSettings(Settings.EMPTY, ClusterSettings.BUILT_IN_CLUSTER_SETTINGS)); } + + private Settings.Builder getSettingsBuilder() { + Settings.Builder builder = Settings.builder(); + if (inFipsJvm()) { + builder.put(XPackSettings.FIPS_MODE_ENABLED.getKey(), true); + } + return builder; + } } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/SslIntegrationTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/SslIntegrationTests.java index ca31c5be64fe8..290d09836a1f3 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/SslIntegrationTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/SslIntegrationTests.java @@ -119,7 +119,7 @@ public void testThatTransportClientUsingSSLv3ProtocolIsRejected() { public void testThatConnectionToHTTPWorks() throws Exception { Settings.Builder builder = Settings.builder().put("xpack.security.http.ssl.enabled", true); if (inFipsJvm()) { - builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + builder.put(XPackSettings.FIPS_MODE_ENABLED.getKey(), true); } addSSLSettingsForPEMFiles( builder, "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.pem", diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLErrorMessageCertificateVerificationTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLErrorMessageCertificateVerificationTests.java index 5c24ed995138e..4a4681c236764 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLErrorMessageCertificateVerificationTests.java 
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLErrorMessageCertificateVerificationTests.java @@ -187,7 +187,7 @@ private Settings.Builder getPemSSLSettings(String prefix, String certificatePath .put(prefix + ".client_authentication", clientAuth.name()) .put(prefix + ".verification_mode", verificationMode.name()); if (inFipsJvm()) { - builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + builder.put(XPackSettings.FIPS_MODE_ENABLED.getKey(), true); } if (caPath != null) { builder.putList(prefix + ".certificate_authorities", getPath(caPath)); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLErrorMessageFileTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLErrorMessageFileTests.java index d2af3aff7667c..b8f4914c31691 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLErrorMessageFileTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLErrorMessageFileTests.java @@ -383,7 +383,7 @@ private String randomSslPrefix() { private Settings.Builder getSettingsBuilder() { final Settings.Builder settings = Settings.builder(); if (inFipsJvm()) { - settings.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + settings.put(XPackSettings.FIPS_MODE_ENABLED.getKey(), true); } return settings; } diff --git a/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/actions/email/EmailSslTests.java b/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/actions/email/EmailSslTests.java index 70d7f2f6dd5ee..0925d9e3a0d73 100644 --- a/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/actions/email/EmailSslTests.java +++ b/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/actions/email/EmailSslTests.java 
@@ -12,6 +12,7 @@ import org.elasticsearch.common.settings.Settings; import org.elasticsearch.env.TestEnvironment; import org.elasticsearch.test.ESTestCase; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.ssl.CertParsingUtils; import org.elasticsearch.xpack.core.ssl.PemUtils; import org.elasticsearch.xpack.core.ssl.SSLService; @@ -76,7 +77,7 @@ public void stopSmtpServer() { } public void testFailureSendingMessageToSmtpServerWithUntrustedCertificateAuthority() throws Exception { - final Settings.Builder settings = Settings.builder(); + final Settings.Builder settings = getSettingsBuilder(); final MockSecureSettings secureSettings = new MockSecureSettings(); final ExecutableEmailAction emailAction = buildEmailAction(settings, secureSettings); final WatchExecutionContext ctx = WatcherTestUtils.createWatchExecutionContext(); @@ -90,7 +91,7 @@ public void testCanSendMessageToSmtpServerUsingTrustStore() throws Exception { List messages = new ArrayList<>(); server.addListener(messages::add); try { - final Settings.Builder settings = Settings.builder() + final Settings.Builder settings = getSettingsBuilder() .put("xpack.notification.email.ssl.truststore.path", getDataPath("test-smtp.p12")); final MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.notification.email.ssl.truststore.secure_password", "test-smtp"); @@ -111,7 +112,7 @@ public void testCanSendMessageToSmtpServerByDisablingVerification() throws Excep List messages = new ArrayList<>(); server.addListener(messages::add); try { - final Settings.Builder settings = Settings.builder().put("xpack.notification.email.ssl.verification_mode", "none"); + final Settings.Builder settings = getSettingsBuilder().put("xpack.notification.email.ssl.verification_mode", "none"); final MockSecureSettings secureSettings = new MockSecureSettings(); ExecutableEmailAction emailAction = buildEmailAction(settings, secureSettings); 
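Review bot: testCanSendMessageToSmtpServerByDisablingVerification now enables FIPS mode in a FIPS JVM while configuring `xpack.notification.email.ssl.verification_mode` = `none` with no trust material, and the HttpClientTests hunk in this same commit carries the comment "Can't use TrustAllConfig in FIPS mode" and deliberately avoids that combination. If the same restriction applies to the email SSL configuration, this test needs either an `assumeFalse("Can't use TrustAllConfig in FIPS mode", inFipsJvm());` guard or FIPS-compatible trust settings, unless such a guard already exists outside the hunk. At minimum a comment on the `verification_mode` line explaining why `none` is acceptable here would stop the next reader from re-asking the question.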
@@ -156,5 +157,13 @@ private List getAllCauses(Exception exception) { return allCauses; } + private Settings.Builder getSettingsBuilder() { + Settings.Builder builder = Settings.builder(); + if (inFipsJvm()) { + builder.put(XPackSettings.FIPS_MODE_ENABLED.getKey(), true); + } + return builder; + } + } diff --git a/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/actions/webhook/WebhookActionTests.java b/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/actions/webhook/WebhookActionTests.java index 439eb45f0159f..5cb9f3d500c1d 100644 --- a/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/actions/webhook/WebhookActionTests.java +++ b/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/actions/webhook/WebhookActionTests.java @@ -16,6 +16,7 @@ import org.elasticsearch.test.ESTestCase; import org.elasticsearch.test.http.MockResponse; import org.elasticsearch.test.http.MockWebServer; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.ssl.SSLService; import org.elasticsearch.xpack.core.watcher.actions.Action; import org.elasticsearch.xpack.core.watcher.actions.Action.Result.Status; @@ -213,7 +214,11 @@ private WebhookActionFactory webhookFactory(HttpClient client) { } public void testThatSelectingProxyWorks() throws Exception { - Environment environment = TestEnvironment.newEnvironment(Settings.builder().put("path.home", createTempDir()).build()); + Settings.Builder settingsBuilder = Settings.builder(); + if (inFipsJvm()) { + settingsBuilder.put(XPackSettings.FIPS_MODE_ENABLED.getKey(), true); + } + Environment environment = TestEnvironment.newEnvironment(settingsBuilder.put("path.home", createTempDir()).build()); try (HttpClient httpClient = new HttpClient(Settings.EMPTY, new SSLService(environment.settings(), environment), null, mockClusterService()); 
@@ -222,7 +227,7 @@ public void testThatSelectingProxyWorks() throws Exception { proxyServer.enqueue(new MockResponse().setResponseCode(200).setBody("fullProxiedContent")); HttpRequestTemplate.Builder builder = HttpRequestTemplate.builder("localhost", 65535) - .path("/").proxy(new HttpProxy("localhost", proxyServer.getPort())); + .path("/").proxy(new HttpProxy("localhost", proxyServer.getPort())); WebhookAction action = new WebhookAction(builder.build()); ExecutableWebhookAction executable = new ExecutableWebhookAction(action, logger, httpClient, templateEngine); diff --git a/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/actions/webhook/WebhookHttpsIntegrationTests.java b/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/actions/webhook/WebhookHttpsIntegrationTests.java index 98f2b23c2d3c4..9f4bde81bffde 100644 --- a/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/actions/webhook/WebhookHttpsIntegrationTests.java +++ b/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/actions/webhook/WebhookHttpsIntegrationTests.java @@ -53,13 +53,16 @@ public class WebhookHttpsIntegrationTests extends AbstractWatcherIntegrationTest protected Settings nodeSettings(int nodeOrdinal) { Path keyPath = getDataPath("/org/elasticsearch/xpack/security/keystore/testnode.pem"); Path certPath = getDataPath("/org/elasticsearch/xpack/security/keystore/testnode.crt"); - return Settings.builder() + Settings.Builder builder = Settings.builder() .put(super.nodeSettings(nodeOrdinal)) .put("xpack.http.ssl.key", keyPath) .put("xpack.http.ssl.certificate", certPath) .put("xpack.http.ssl.keystore.password", "testnode") - .putList("xpack.http.ssl.supported_protocols", getProtocols()) - .build(); + .putList("xpack.http.ssl.supported_protocols", getProtocols()); + if (inFipsJvm()) { + builder.put(XPackSettings.FIPS_MODE_ENABLED.getKey(), true); + } + return builder.build(); } @Before 
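Review bot: nodeSettings enables `xpack.security.fips_mode.enabled` for a real node but, unlike the IPFilterTests change in this same commit, does not pair it with a PBKDF2 `xpack.security.authc.password_hashing.algorithm`; if `super.nodeSettings` leaves security enabled with the default hasher, the node may fail its FIPS startup validation, so either confirm security is off in this base class or add `builder.put(XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey(), "PBKDF2_1000");` inside the same `if`. Separately, the context line sets `xpack.http.ssl.keystore.password` for a PEM key, whereas HttpClientTests in this change uses `xpack.http.ssl.secure_key_passphrase` for the very same `keystore/testnode.pem`; a keystore password setting is unlikely to be consulted for a PEM key, so check which setting is actually honoured before this builder grows further. The `if (inFipsJvm())` block also deserves a one-line comment on why test nodes must set the flag explicitly.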
diff --git a/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpClientTests.java b/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpClientTests.java index f80a756340b59..d97aa5e24eb36 100644 --- a/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpClientTests.java +++ b/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpClientTests.java @@ -77,7 +77,7 @@ public class HttpClientTests extends ESTestCase { private final MockWebServer webServer = new MockWebServer(); - private final Environment environment = TestEnvironment.newEnvironment(Settings.builder().put("path.home", createTempDir()).build()); + private final Environment environment = TestEnvironment.newEnvironment(getSettingsBuilder().put("path.home", createTempDir()).build()); private HttpClient httpClient; @@ -191,7 +191,7 @@ public void testHttps() throws Exception { Path certPath = getDataPath("/org/elasticsearch/xpack/security/keystore/testnode.crt"); Path keyPath = getDataPath("/org/elasticsearch/xpack/security/keystore/testnode.pem"); MockSecureSettings secureSettings = new MockSecureSettings(); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.http.ssl.certificate_authorities", trustedCertPath) .setSecureSettings(secureSettings) .build(); @@ -199,7 +199,7 @@ public void testHttps() throws Exception { secureSettings = new MockSecureSettings(); // We can't use the client created above for the server since it is only a truststore secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode"); - Settings settings2 = Settings.builder() + Settings settings2 = getSettingsBuilder() .put("xpack.security.http.ssl.enabled", true) .put("xpack.security.http.ssl.key", keyPath) .put("xpack.security.http.ssl.certificate", certPath) 
@@ -216,7 +216,7 @@ public void testHttpsDisableHostnameVerification() throws Exception { Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-no-subjaltname.crt"); Path keyPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-no-subjaltname.pem"); Settings settings; - Settings.Builder builder = Settings.builder() + Settings.Builder builder = getSettingsBuilder() .put("xpack.http.ssl.certificate_authorities", certPath); if (inFipsJvm()) { //Can't use TrustAllConfig in FIPS mode @@ -229,7 +229,7 @@ public void testHttpsDisableHostnameVerification() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); // We can't use the client created above for the server since it only defines a truststore secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode-no-subjaltname"); - Settings settings2 = Settings.builder() + Settings settings2 = getSettingsBuilder() .put("xpack.security.http.ssl.enabled", true) .put("xpack.security.http.ssl.key", keyPath) .put("xpack.security.http.ssl.certificate", certPath) @@ -247,7 +247,7 @@ public void testHttpsClientAuth() throws Exception { Path keyPath = getDataPath("/org/elasticsearch/xpack/security/keystore/testnode.pem"); MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.http.ssl.secure_key_passphrase", "testnode"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.http.ssl.key", keyPath) .put("xpack.http.ssl.certificate", certPath) .putList("xpack.http.ssl.supported_protocols", getProtocols()) 
@@ -318,14 +318,14 @@ public void testThatProxyCanBeConfigured() throws Exception { try (MockWebServer proxyServer = new MockWebServer()) { proxyServer.enqueue(new MockResponse().setResponseCode(200).setBody("fullProxiedContent")); proxyServer.start(); - Settings settings = Settings.builder() - .put(HttpSettings.PROXY_HOST.getKey(), "localhost") - .put(HttpSettings.PROXY_PORT.getKey(), proxyServer.getPort()) - .build(); + Settings settings = getSettingsBuilder() + .put(HttpSettings.PROXY_HOST.getKey(), "localhost") + .put(HttpSettings.PROXY_PORT.getKey(), proxyServer.getPort()) + .build(); HttpRequest.Builder requestBuilder = HttpRequest.builder("localhost", webServer.getPort()) - .method(HttpMethod.GET) - .path("/"); + .method(HttpMethod.GET) + .path("/"); try (HttpClient client = new HttpClient(settings, new SSLService(settings, environment), null, mockClusterService())) { HttpResponse response = client.execute(requestBuilder.build()); @@ -384,7 +384,7 @@ public void testProxyCanHaveDifferentSchemeThanRequest() throws Exception { MockSecureSettings serverSecureSettings = new MockSecureSettings(); // We can't use the client created above for the server since it is only a truststore serverSecureSettings.setString("xpack.http.ssl.secure_key_passphrase", "testnode"); - Settings serverSettings = Settings.builder() + Settings serverSettings = getSettingsBuilder() .put("xpack.http.ssl.key", keyPath) .put("xpack.http.ssl.certificate", certPath) .putList("xpack.http.ssl.supported_protocols", getProtocols()) 
@@ -398,10 +398,10 @@ public void testProxyCanHaveDifferentSchemeThanRequest() throws Exception { proxyServer.enqueue(new MockResponse().setResponseCode(200).setBody("fullProxiedContent")); proxyServer.start(); - Settings settings = Settings.builder() - .put(HttpSettings.PROXY_HOST.getKey(), "localhost") - .put(HttpSettings.PROXY_PORT.getKey(), proxyServer.getPort()) - .put(HttpSettings.PROXY_SCHEME.getKey(), "https") + Settings settings = getSettingsBuilder() + .put(HttpSettings.PROXY_HOST.getKey(), "localhost") + .put(HttpSettings.PROXY_PORT.getKey(), proxyServer.getPort()) + .put(HttpSettings.PROXY_SCHEME.getKey(), "https") .put("xpack.http.ssl.certificate_authorities", trustedCertPath) .putList("xpack.http.ssl.supported_protocols", getProtocols()) .putList("xpack.security.http.ssl.supported_protocols", getProtocols()) @@ -409,9 +409,9 @@ public void testProxyCanHaveDifferentSchemeThanRequest() throws Exception { .build(); HttpRequest.Builder requestBuilder = HttpRequest.builder("localhost", webServer.getPort()) - .method(HttpMethod.GET) - .scheme(Scheme.HTTP) - .path("/"); + .method(HttpMethod.GET) + .scheme(Scheme.HTTP) + .path("/"); try (HttpClient client = new HttpClient(settings, new SSLService(settings, environment), null, mockClusterService())) { HttpResponse response = client.execute(requestBuilder.build()); 
@@ -430,16 +430,16 @@ public void testThatProxyCanBeOverriddenByRequest() throws Exception { try (MockWebServer proxyServer = new MockWebServer()) { proxyServer.enqueue(new MockResponse().setResponseCode(200).setBody("fullProxiedContent")); proxyServer.start(); - Settings settings = Settings.builder() - .put(HttpSettings.PROXY_HOST.getKey(), "localhost") - .put(HttpSettings.PROXY_PORT.getKey(), proxyServer.getPort() + 1) - .put(HttpSettings.PROXY_HOST.getKey(), "https") - .build(); + Settings settings = getSettingsBuilder() + .put(HttpSettings.PROXY_HOST.getKey(), "localhost") + .put(HttpSettings.PROXY_PORT.getKey(), proxyServer.getPort() + 1) + .put(HttpSettings.PROXY_HOST.getKey(), "https") + .build(); HttpRequest.Builder requestBuilder = HttpRequest.builder("localhost", webServer.getPort()) - .method(HttpMethod.GET) - .proxy(new HttpProxy("localhost", proxyServer.getPort(), Scheme.HTTP)) - .path("/"); + .method(HttpMethod.GET) + .proxy(new HttpProxy("localhost", proxyServer.getPort(), Scheme.HTTP)) + .path("/"); try (HttpClient client = new HttpClient(settings, new SSLService(settings, environment), null, mockClusterService())) { HttpResponse response = client.execute(requestBuilder.build()); @@ -454,7 +454,7 @@ public void testThatProxyCanBeOverriddenByRequest() throws Exception { } public void testThatProxyConfigurationRequiresHostAndPort() { - Settings.Builder settings = Settings.builder(); + Settings.Builder settings = getSettingsBuilder(); if (randomBoolean()) { settings.put(HttpSettings.PROXY_HOST.getKey(), "localhost"); } else { 
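Review bot: In testThatProxyCanBeOverriddenByRequest the settings builder puts `HttpSettings.PROXY_HOST` twice — first `"localhost"`, then `"https"` — so the second call silently replaces the host with the literal string `https`, which looks like a copy-paste slip for `HttpSettings.PROXY_SCHEME` (the sibling testProxyCanHaveDifferentSchemeThanRequest above uses `PROXY_SCHEME` for that value). The test still passes because the request-level `HttpProxy` wins, but it then only shows that an unusable configured proxy is bypassed, not that a valid one is overridden. Change the third put to `.put(HttpSettings.PROXY_SCHEME.getKey(), "https")`. The try block continues past the end of this hunk.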
@@ -555,9 +555,9 @@ public void testMaxHttpResponseSize() throws Exception { String data = randomAlphaOfLength(randomBytesLength); webServer.enqueue(new MockResponse().setResponseCode(200).setBody(data)); - Settings settings = Settings.builder() - .put(HttpSettings.MAX_HTTP_RESPONSE_SIZE.getKey(), new ByteSizeValue(randomBytesLength - 1, ByteSizeUnit.BYTES)) - .build(); + Settings settings = getSettingsBuilder() + .put(HttpSettings.MAX_HTTP_RESPONSE_SIZE.getKey(), new ByteSizeValue(randomBytesLength - 1, ByteSizeUnit.BYTES)) + .build(); HttpRequest.Builder requestBuilder = HttpRequest.builder("localhost", webServer.getPort()).method(HttpMethod.GET).path("/"); @@ -634,7 +634,7 @@ public void testThatUrlDoesNotContainQuestionMarkAtTheEnd() throws Exception { public void testThatWhiteListingWorks() throws Exception { webServer.enqueue(new MockResponse().setResponseCode(200).setBody("whatever")); - Settings settings = Settings.builder().put(HttpSettings.HOSTS_WHITELIST.getKey(), getWebserverUri()).build(); + Settings settings = getSettingsBuilder().put(HttpSettings.HOSTS_WHITELIST.getKey(), getWebserverUri()).build(); try (HttpClient client = new HttpClient(settings, new SSLService(environment.settings(), environment), null, mockClusterService())) { @@ -644,7 +644,7 @@ public void testThatWhiteListingWorks() throws Exception { } public void testThatWhiteListBlocksRequests() throws Exception { - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put(HttpSettings.HOSTS_WHITELIST.getKey(), getWebserverUri()) .build(); 
@@ -670,7 +670,7 @@ public void testThatWhiteListBlocksRedirects() throws Exception { webServer.enqueue(new MockResponse().setResponseCode(200)); } - Settings settings = Settings.builder().put(HttpSettings.HOSTS_WHITELIST.getKey(), getWebserverUri()).build(); + Settings settings = getSettingsBuilder().put(HttpSettings.HOSTS_WHITELIST.getKey(), getWebserverUri()).build(); try (HttpClient client = new HttpClient(settings, new SSLService(environment.settings(), environment), null, mockClusterService())) { @@ -691,7 +691,7 @@ public void testThatWhiteListingWorksForRedirects() throws Exception { } webServer.enqueue(new MockResponse().setResponseCode(200).setBody("shouldBeRead")); - Settings settings = Settings.builder().put(HttpSettings.HOSTS_WHITELIST.getKey(), getWebserverUri() + "*").build(); + Settings settings = getSettingsBuilder().put(HttpSettings.HOSTS_WHITELIST.getKey(), getWebserverUri() + "*").build(); try (HttpClient client = new HttpClient(settings, new SSLService(environment.settings(), environment), null, mockClusterService())) { @@ -707,7 +707,7 @@ public void testThatWhiteListingWorksForRedirects() throws Exception { public void testThatWhiteListReloadingWorks() throws Exception { webServer.enqueue(new MockResponse().setResponseCode(200).setBody("whatever")); - Settings settings = Settings.builder().put(HttpSettings.HOSTS_WHITELIST.getKey(), "example.org").build(); + Settings settings = getSettingsBuilder().put(HttpSettings.HOSTS_WHITELIST.getKey(), "example.org").build(); ClusterService clusterService = mock(ClusterService.class); ClusterSettings clusterSettings = new ClusterSettings(settings, new HashSet<>(HttpSettings.getSettings())); when(clusterService.getClusterSettings()).thenReturn(clusterSettings); 
@@ -722,7 +722,7 @@ public void testThatWhiteListReloadingWorks() throws Exception { ElasticsearchException e = expectThrows(ElasticsearchException.class, () -> client.execute(request)); assertThat(e.getMessage(), containsString("is not whitelisted")); - Settings newSettings = Settings.builder().put(HttpSettings.HOSTS_WHITELIST.getKey(), getWebserverUri()).build(); + Settings newSettings = getSettingsBuilder().put(HttpSettings.HOSTS_WHITELIST.getKey(), getWebserverUri()).build(); clusterSettings.applySettings(newSettings); HttpResponse response = client.execute(request); @@ -793,4 +793,12 @@ private static List getProtocols() { } return XPackSettings.DEFAULT_SUPPORTED_PROTOCOLS; } + + private Settings.Builder getSettingsBuilder() { + Settings.Builder builder = Settings.builder(); + if (inFipsJvm()) { + builder.put(XPackSettings.FIPS_MODE_ENABLED.getKey(), true); + } + return builder; + } } diff --git a/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpConnectionTimeoutTests.java b/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpConnectionTimeoutTests.java index 3451c771e3e60..4f0ff6788a068 100644 --- a/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpConnectionTimeoutTests.java +++ b/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpConnectionTimeoutTests.java @@ -12,6 +12,7 @@ import org.elasticsearch.env.TestEnvironment; import org.elasticsearch.test.ESTestCase; import org.elasticsearch.test.junit.annotations.Network; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.ssl.SSLService; import static org.elasticsearch.xpack.watcher.common.http.HttpClientTests.mockClusterService; 
@@ -24,7 +25,7 @@ public class HttpConnectionTimeoutTests extends ESTestCase { @Network public void testDefaultTimeout() throws Exception { - Environment environment = TestEnvironment.newEnvironment(Settings.builder().put("path.home", createTempDir()).build()); + Environment environment = TestEnvironment.newEnvironment(getSettingsBuilder().put("path.home", createTempDir()).build()); HttpClient httpClient = new HttpClient(Settings.EMPTY, new SSLService(environment.settings(), environment), null, mockClusterService()); @@ -49,9 +50,9 @@ public void testDefaultTimeout() throws Exception { @Network public void testDefaultTimeoutCustom() throws Exception { - Environment environment = TestEnvironment.newEnvironment(Settings.builder().put("path.home", createTempDir()).build()); + Environment environment = TestEnvironment.newEnvironment(getSettingsBuilder().put("path.home", createTempDir()).build()); HttpClient httpClient = new HttpClient(Settings.builder() - .put("xpack.http.default_connection_timeout", "5s").build(), new SSLService(environment.settings(), environment), null, + .put("xpack.http.default_connection_timeout", "5s").build(), new SSLService(environment.settings(), environment), null, mockClusterService()); HttpRequest request = HttpRequest.builder(UNROUTABLE_IP, 12345) 
@@ -75,16 +76,16 @@ public void testDefaultTimeoutCustom() throws Exception { @Network public void testTimeoutCustomPerRequest() throws Exception { - Environment environment = TestEnvironment.newEnvironment(Settings.builder().put("path.home", createTempDir()).build()); + Environment environment = TestEnvironment.newEnvironment(getSettingsBuilder().put("path.home", createTempDir()).build()); HttpClient httpClient = new HttpClient(Settings.builder() - .put("xpack.http.default_connection_timeout", "10s").build(), new SSLService(environment.settings(), environment), null, + .put("xpack.http.default_connection_timeout", "10s").build(), new SSLService(environment.settings(), environment), null, mockClusterService()); HttpRequest request = HttpRequest.builder(UNROUTABLE_IP, 12345) - .connectionTimeout(TimeValue.timeValueSeconds(5)) - .method(HttpMethod.POST) - .path("/" + randomAlphaOfLength(5)) - .build(); + .connectionTimeout(TimeValue.timeValueSeconds(5)) + .method(HttpMethod.POST) + .path("/" + randomAlphaOfLength(5)) + .build(); long start = System.nanoTime(); try { @@ -99,4 +100,12 @@ public void testTimeoutCustomPerRequest() throws Exception { // expected } } + + private Settings.Builder getSettingsBuilder() { + Settings.Builder builder = Settings.builder(); + if (inFipsJvm()) { + builder.put(XPackSettings.FIPS_MODE_ENABLED.getKey(), true); + } + return builder; + } } diff --git a/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpReadTimeoutTests.java b/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpReadTimeoutTests.java index e534a2a90757e..0846a2a611ee7 100644 --- a/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpReadTimeoutTests.java +++ b/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpReadTimeoutTests.java 
@@ -12,6 +12,7 @@ import org.elasticsearch.test.ESTestCase; import org.elasticsearch.test.http.MockResponse; import org.elasticsearch.test.http.MockWebServer; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.ssl.SSLService; import org.junit.After; import org.junit.Before; @@ -38,11 +39,11 @@ public void cleanup() throws Exception { } public void testDefaultTimeout() throws Exception { - Environment environment = TestEnvironment.newEnvironment(Settings.builder().put("path.home", createTempDir()).build()); + Environment environment = TestEnvironment.newEnvironment(getSettingsBuilder().put("path.home", createTempDir()).build()); HttpRequest request = HttpRequest.builder("localhost", webServer.getPort()) - .method(HttpMethod.POST) - .path("/") - .build(); + .method(HttpMethod.POST) + .path("/") + .build(); try (HttpClient httpClient = new HttpClient(Settings.EMPTY, new SSLService(environment.settings(), environment), null, mockClusterService())) { @@ -59,7 +60,7 @@ null, mockClusterService())) { } public void testDefaultTimeoutCustom() throws Exception { - Environment environment = TestEnvironment.newEnvironment(Settings.builder().put("path.home", createTempDir()).build()); + Environment environment = TestEnvironment.newEnvironment(getSettingsBuilder().put("path.home", createTempDir()).build()); HttpRequest request = HttpRequest.builder("localhost", webServer.getPort()) .method(HttpMethod.POST) @@ -82,7 +83,7 @@ null, mockClusterService())) { } public void testTimeoutCustomPerRequest() throws Exception { - Environment environment = TestEnvironment.newEnvironment(Settings.builder().put("path.home", createTempDir()).build()); + Environment environment = TestEnvironment.newEnvironment(getSettingsBuilder().put("path.home", createTempDir()).build()); HttpRequest request = HttpRequest.builder("localhost", webServer.getPort()) .readTimeout(TimeValue.timeValueSeconds(3)) 
@@ -95,7 +96,7 @@ public void testTimeoutCustomPerRequest() throws Exception { null, mockClusterService())) { long start = System.nanoTime(); - expectThrows(SocketTimeoutException.class, () -> httpClient.execute(request)); + expectThrows(SocketTimeoutException.class, () -> httpClient.execute(request)); TimeValue timeout = TimeValue.timeValueNanos(System.nanoTime() - start); logger.info("http connection timed out after {}", timeout); @@ -104,4 +105,12 @@ null, mockClusterService())) { assertThat(timeout.seconds(), lessThan(5L)); } } + + private Settings.Builder getSettingsBuilder() { + Settings.Builder builder = Settings.builder(); + if (inFipsJvm()) { + builder.put(XPackSettings.FIPS_MODE_ENABLED.getKey(), true); + } + return builder; + } } diff --git a/x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/test/OpenLdapTests.java b/x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/test/OpenLdapTests.java index b590df7062b38..64477a6fdcc0b 100644 --- a/x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/test/OpenLdapTests.java +++ b/x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/test/OpenLdapTests.java @@ -18,6 +18,7 @@ import org.elasticsearch.env.TestEnvironment; import org.elasticsearch.threadpool.TestThreadPool; import org.elasticsearch.threadpool.ThreadPool; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.authc.RealmConfig; import org.elasticsearch.xpack.core.security.authc.ldap.SearchGroupsResolverSettings; import org.elasticsearch.xpack.core.security.authc.ldap.support.LdapMetadataResolverSettings; 
@@ -90,6 +91,9 @@ public void initializeSslSocketFactory() throws Exception { */ MockSecureSettings mockSecureSettings = new MockSecureSettings(); Settings.Builder builder = Settings.builder().put("path.home", createTempDir()); + if (inFipsJvm()) { + builder.put(XPackSettings.FIPS_MODE_ENABLED.getKey(), true); + } // fake realms so ssl will get loaded builder.put("xpack.security.authc.realms.ldap.foo.ssl.truststore.path", truststore); mockSecureSettings.setString("xpack.security.authc.realms.ldap.foo.ssl.truststore.secure_password", "changeit"); diff --git a/x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/xpack/security/authc/ldap/OpenLdapUserSearchSessionFactoryTests.java b/x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/xpack/security/authc/ldap/OpenLdapUserSearchSessionFactoryTests.java index de1183db19391..bcb21eed8ce90 100644 --- a/x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/xpack/security/authc/ldap/OpenLdapUserSearchSessionFactoryTests.java +++ b/x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/xpack/security/authc/ldap/OpenLdapUserSearchSessionFactoryTests.java @@ -17,6 +17,7 @@ import org.elasticsearch.test.OpenLdapTests; import org.elasticsearch.threadpool.TestThreadPool; import org.elasticsearch.threadpool.ThreadPool; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.authc.RealmConfig; import org.elasticsearch.xpack.core.security.authc.ldap.LdapUserSearchSessionFactorySettings; import org.elasticsearch.xpack.core.security.authc.ldap.PoolingSessionFactorySettings; 
@@ -56,7 +57,7 @@ public void init() { * If we re-use an SSLContext, previously connected sessions can get re-established which breaks hostname * verification tests since a re-established connection does not perform hostname verification. */ - globalSettings = Settings.builder() + globalSettings = getSettingsBuilder() .put("path.home", createTempDir()) .put("xpack.security.authc.realms.ldap.oldap-test.ssl.certificate_authorities", caPath) .build(); @@ -140,4 +141,12 @@ private LdapSession unauthenticatedSession(SessionFactory factory, String userna factory.unauthenticatedSession(username, future); return future.actionGet(); } + + private Settings.Builder getSettingsBuilder() { + Settings.Builder builder = Settings.builder(); + if (inFipsJvm()) { + builder.put(XPackSettings.FIPS_MODE_ENABLED.getKey(), true); + } + return builder; + } } diff --git a/x-pack/qa/security-client-tests/src/test/java/org/elasticsearch/xpack/security/qa/SecurityTransportClientIT.java b/x-pack/qa/security-client-tests/src/test/java/org/elasticsearch/xpack/security/qa/SecurityTransportClientIT.java index 6af48b1514dc2..82dee1401d2f3 100644 --- a/x-pack/qa/security-client-tests/src/test/java/org/elasticsearch/xpack/security/qa/SecurityTransportClientIT.java +++ b/x-pack/qa/security-client-tests/src/test/java/org/elasticsearch/xpack/security/qa/SecurityTransportClientIT.java @@ -19,6 +19,7 @@ import org.elasticsearch.transport.TransportInfo; import org.elasticsearch.xpack.core.XPackClientPlugin; import org.elasticsearch.xpack.client.PreBuiltXPackTransportClient; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.SecurityField; import java.util.Collection; 
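Review bot: Only `globalSettings` receives the FIPS flag in `init()`; if the method also builds an `Environment` from a plain `Settings.builder()` above this hunk, as its Active Directory counterpart `ADLdapUserSearchSessionFactoryTests.init` does (and that one was switched to `getSettingsBuilder()` for both), the `SSLService` created from that environment would not see FIPS mode. Worth checking the lines above the hunk and moving any such builder to `getSettingsBuilder()` too. The private `getSettingsBuilder()` added in the second hunk is another verbatim copy of the helper introduced in the watcher tests of this change. `init()` starts above the hunk.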
@@ -104,12 +105,14 @@ TransportClient transportClient(Settings extraSettings) { TransportAddress publishAddress = randomFrom(nodes).getInfo(TransportInfo.class).address().publishAddress(); String clusterName = nodeInfos.getClusterName().value(); - Settings settings = Settings.builder() - .put(extraSettings) - .put("cluster.name", clusterName) - .build(); + Settings.Builder builder = Settings.builder() + .put(extraSettings) + .put("cluster.name", clusterName); + if (inFipsJvm()) { + builder.put(XPackSettings.FIPS_MODE_ENABLED.getKey(), true); + } - TransportClient client = new PreBuiltXPackTransportClient(settings); + TransportClient client = new PreBuiltXPackTransportClient(builder.build()); client.addTransportAddress(publishAddress); return client; } diff --git a/x-pack/qa/security-example-spi-extension/src/test/java/org/elasticsearch/example/realm/CustomRealmIT.java b/x-pack/qa/security-example-spi-extension/src/test/java/org/elasticsearch/example/realm/CustomRealmIT.java index f33ecf7144de1..1e7a241f1d214 100644 --- a/x-pack/qa/security-example-spi-extension/src/test/java/org/elasticsearch/example/realm/CustomRealmIT.java +++ b/x-pack/qa/security-example-spi-extension/src/test/java/org/elasticsearch/example/realm/CustomRealmIT.java @@ -24,6 +24,7 @@ import org.elasticsearch.transport.TransportInfo; import org.elasticsearch.xpack.client.PreBuiltXPackTransportClient; import org.elasticsearch.xpack.core.XPackClientPlugin; +import org.elasticsearch.xpack.core.XPackSettings; import java.util.Collection; import java.util.Collections; 
@@ -80,13 +81,15 @@ public void testTransportClient() throws Exception { TransportAddress publishAddress = randomFrom(nodes).getInfo(TransportInfo.class).address().publishAddress(); String clusterName = nodeInfos.getClusterName().value(); - Settings settings = Settings.builder() - .put("cluster.name", clusterName) - .put(Environment.PATH_HOME_SETTING.getKey(), createTempDir().toAbsolutePath().toString()) - .put(ThreadContext.PREFIX + "." + CustomRealm.USER_HEADER, CustomRealm.KNOWN_USER) - .put(ThreadContext.PREFIX + "." + CustomRealm.PW_HEADER, CustomRealm.KNOWN_PW.toString()) - .build(); - try (TransportClient client = new PreBuiltXPackTransportClient(settings)) { + Settings.Builder builder = Settings.builder() + .put("cluster.name", clusterName) + .put(Environment.PATH_HOME_SETTING.getKey(), createTempDir().toAbsolutePath().toString()) + .put(ThreadContext.PREFIX + "." + CustomRealm.USER_HEADER, CustomRealm.KNOWN_USER) + .put(ThreadContext.PREFIX + "." + CustomRealm.PW_HEADER, CustomRealm.KNOWN_PW.toString()); + if (inFipsJvm()) { + builder.put(XPackSettings.FIPS_MODE_ENABLED.getKey(), true); + } + try (TransportClient client = new PreBuiltXPackTransportClient(builder.build())) { client.addTransportAddress(publishAddress); ClusterHealthResponse response = client.admin().cluster().prepareHealth().execute().actionGet(); assertThat(response.isTimedOut(), is(false)); 
@@ -100,13 +103,15 @@ public void testTransportClientWrongAuthentication() throws Exception { TransportAddress publishAddress = randomFrom(nodes).getInfo(TransportInfo.class).address().publishAddress(); String clusterName = nodeInfos.getClusterName().value(); - Settings settings = Settings.builder() - .put("cluster.name", clusterName) - .put(Environment.PATH_HOME_SETTING.getKey(), createTempDir().toAbsolutePath().toString()) - .put(ThreadContext.PREFIX + "." + CustomRealm.USER_HEADER, CustomRealm.KNOWN_USER + randomAlphaOfLength(1)) - .put(ThreadContext.PREFIX + "." + CustomRealm.PW_HEADER, CustomRealm.KNOWN_PW.toString()) - .build(); - try (TransportClient client = new PreBuiltXPackTransportClient(settings)) { + Settings.Builder builder = Settings.builder() + .put("cluster.name", clusterName) + .put(Environment.PATH_HOME_SETTING.getKey(), createTempDir().toAbsolutePath().toString()) + .put(ThreadContext.PREFIX + "." + CustomRealm.USER_HEADER, CustomRealm.KNOWN_USER + randomAlphaOfLength(1)) + .put(ThreadContext.PREFIX + "." + CustomRealm.PW_HEADER, CustomRealm.KNOWN_PW.toString()); + if (inFipsJvm()) { + builder.put(XPackSettings.FIPS_MODE_ENABLED.getKey(), true); + } + try (TransportClient client = new PreBuiltXPackTransportClient(builder.build())) { client.addTransportAddress(publishAddress); client.admin().cluster().prepareHealth().execute().actionGet(); fail("authentication failure should have resulted in a NoNodesAvailableException"); diff --git a/x-pack/qa/security-example-spi-extension/src/test/java/org/elasticsearch/example/role/CustomRolesProviderIT.java b/x-pack/qa/security-example-spi-extension/src/test/java/org/elasticsearch/example/role/CustomRolesProviderIT.java index 57a895848e3a8..4cd9699eb6730 100644 --- a/x-pack/qa/security-example-spi-extension/src/test/java/org/elasticsearch/example/role/CustomRolesProviderIT.java +++ b/x-pack/qa/security-example-spi-extension/src/test/java/org/elasticsearch/example/role/CustomRolesProviderIT.java 
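Review bot: `testTransportClientWrongAuthentication` and `testTransportClient` in the previous hunk now carry the same nine-line builder, differing only in the value of the user header, and the new FIPS block is duplicated along with it. A private helper taking the user name removes both copies and gives the FIPS flag a single home in this class; the call sites shrink to one line each. Both test methods begin above their hunks.
```java
private Settings.Builder transportClientSettings(String clusterName, String user) {
    Settings.Builder builder = Settings.builder()
        .put("cluster.name", clusterName)
        .put(Environment.PATH_HOME_SETTING.getKey(), createTempDir().toAbsolutePath().toString())
        .put(ThreadContext.PREFIX + "." + CustomRealm.USER_HEADER, user)
        .put(ThreadContext.PREFIX + "." + CustomRealm.PW_HEADER, CustomRealm.KNOWN_PW.toString());
    if (inFipsJvm()) {
        builder.put(XPackSettings.FIPS_MODE_ENABLED.getKey(), true);
    }
    return builder;
}

// … unchanged: publishAddress / clusterName lookup …
try (TransportClient client = new PreBuiltXPackTransportClient(
        transportClientSettings(clusterName, CustomRealm.KNOWN_USER + randomAlphaOfLength(1)).build())) {
```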
@@ -61,7 +61,7 @@ protected Collection> transportClientPlugins() { public void setupTestUser(String role) { SecurityClient securityClient = new SecurityClient(client()); - securityClient.preparePutUser(TEST_USER, TEST_PWD.toCharArray(), Hasher.BCRYPT, role).get(); + securityClient.preparePutUser(TEST_USER, TEST_PWD.toCharArray(), Hasher.PBKDF2, role).get(); } public void testAuthorizedCustomRoleSucceeds() throws Exception { diff --git a/x-pack/qa/security-migrate-tests/src/test/java/org/elasticsearch/xpack/security/MigrateToolIT.java b/x-pack/qa/security-migrate-tests/src/test/java/org/elasticsearch/xpack/security/MigrateToolIT.java index 75e041cd09857..dcc9ac47a9f7d 100644 --- a/x-pack/qa/security-migrate-tests/src/test/java/org/elasticsearch/xpack/security/MigrateToolIT.java +++ b/x-pack/qa/security-migrate-tests/src/test/java/org/elasticsearch/xpack/security/MigrateToolIT.java @@ -47,7 +47,7 @@ public void setupUpTest() throws Exception { SecurityClient c = new SecurityClient(client); // Add an existing user so the tool will skip it - PutUserResponse pur = c.preparePutUser("existing", "s3kirt".toCharArray(), Hasher.BCRYPT, "role1", "user").get(); + PutUserResponse pur = c.preparePutUser("existing", "s3kirt".toCharArray(), Hasher.PBKDF2, "role1", "user").get(); assertTrue(pur.created()); } diff --git a/x-pack/qa/security-migrate-tests/src/test/java/org/elasticsearch/xpack/security/MigrateToolTestCase.java b/x-pack/qa/security-migrate-tests/src/test/java/org/elasticsearch/xpack/security/MigrateToolTestCase.java index 0111aeff4cca2..ad77760d39325 100644 --- a/x-pack/qa/security-migrate-tests/src/test/java/org/elasticsearch/xpack/security/MigrateToolTestCase.java +++ b/x-pack/qa/security-migrate-tests/src/test/java/org/elasticsearch/xpack/security/MigrateToolTestCase.java 
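Review bot: `Hasher.PBKDF2` is now hard-coded for the test user on every JVM, so the bcrypt path this test exercised before is no longer covered outside FIPS runs, and the hash the client submits is decoupled from whatever password-hashing algorithm the cluster under test is configured with. If the only goal is FIPS compliance (bcrypt is not an approved algorithm there), `inFipsJvm() ? Hasher.PBKDF2 : Hasher.BCRYPT` keeps the previous coverage; either way a comment such as `// PBKDF2 rather than bcrypt: bcrypt is not FIPS-approved` explains the choice. The same unconditional switch appears in `MigrateToolIT.setupUpTest` in the next hunk. `setupTestUser` begins above the hunk.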
@@ -14,6 +14,7 @@ import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.transport.TransportAddress;
 import org.elasticsearch.xpack.client.PreBuiltXPackTransportClient;
+import org.elasticsearch.xpack.core.XPackSettings;
 import org.elasticsearch.xpack.core.security.SecurityField;
 import org.junit.After;
 import org.junit.AfterClass;
@@ -25,6 +26,7 @@ import java.nio.file.Path;
 import java.util.concurrent.atomic.AtomicInteger;
+import static org.elasticsearch.test.ESTestCase.FIPS_SYSPROP;
 import static org.hamcrest.Matchers.notNullValue;
 /**
@@ -68,20 +70,22 @@ public abstract class MigrateToolTestCase extends LuceneTestCase { private static Client startClient(Path tempDir, TransportAddress... transportAddresses) { logger.info("--> Starting Elasticsearch Java TransportClient {}, {}", transportAddresses, tempDir); - Settings clientSettings = Settings.builder() - .put("cluster.name", "qa_migrate_tests_" + counter.getAndIncrement()) - .put("client.transport.ignore_cluster_name", true) - .put("path.home", tempDir) - .put(SecurityField.USER_SETTING.getKey(), "transport_user:x-pack-test-password") - .build(); - - TransportClient client = new PreBuiltXPackTransportClient(clientSettings).addTransportAddresses(transportAddresses); + Settings.Builder clientSettingsBuilder = Settings.builder() + .put("cluster.name", "qa_migrate_tests_" + counter.getAndIncrement()) + .put("client.transport.ignore_cluster_name", true) + .put("path.home", tempDir) + .put(SecurityField.USER_SETTING.getKey(), "transport_user:x-pack-test-password"); + // Do not replace this with `inFipsJvm(), see https://github.com/elastic/elasticsearch/issues/52391 + if (Boolean.parseBoolean(System.getProperty(FIPS_SYSPROP))) { + clientSettingsBuilder.put(XPackSettings.FIPS_MODE_ENABLED.getKey(), true); + } + TransportClient client = new PreBuiltXPackTransportClient(clientSettingsBuilder.build()).addTransportAddresses(transportAddresses); Exception clientException = null; try { logger.info("--> Elasticsearch Java TransportClient started"); ClusterHealthResponse health = client.admin().cluster().prepareHealth().get(); logger.info("--> connected to [{}] cluster which is running [{}] node(s).", - health.getClusterName(), health.getNumberOfNodes()); + health.getClusterName(), health.getNumberOfNodes()); } catch (Exception e) { clientException = e; } 
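Review bot: The new comment has an unbalanced backtick and states a prohibition without its reason; the hunk header shows this class extends `LuceneTestCase`, not `ESTestCase`, so `inFipsJvm()` is not available here in any case, and that is worth saying: `// Not inFipsJvm(): this class extends LuceneTestCase, see https://github.com/elastic/elasticsearch/issues/52391`. The static import of `ESTestCase.FIPS_SYSPROP` is only harmless if that field is a compile-time constant that javac inlines; if it is not, referencing it triggers `ESTestCase` class initialisation, which may be the very problem the linked issue describes — please confirm, or fall back to the literal `"tests.fips.enabled"` as PreBuiltXPackTransportClientTests does. `startClient` continues past the hunk.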
diff --git a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ADLdapUserSearchSessionFactoryTests.java b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ADLdapUserSearchSessionFactoryTests.java index d2c79d8882f46..e752d5fdbfc2a 100644 --- a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ADLdapUserSearchSessionFactoryTests.java +++ b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ADLdapUserSearchSessionFactoryTests.java @@ -37,14 +37,14 @@ public class ADLdapUserSearchSessionFactoryTests extends AbstractActiveDirectory @Before public void init() throws Exception { Path certPath = getDataPath("support/smb_ca.crt"); - Environment env = TestEnvironment.newEnvironment(Settings.builder().put("path.home", createTempDir()).build()); + Environment env = TestEnvironment.newEnvironment(getSettingsBuilder().put("path.home", createTempDir()).build()); /* * Prior to each test we reinitialize the socket factory with a new SSLService so that we get a new SSLContext. * If we re-use an SSLContext, previously connected sessions can get re-established which breaks hostname * verification tests since a re-established connection does not perform hostname verification. */ - globalSettings = Settings.builder() + globalSettings = getSettingsBuilder() .put("path.home", createTempDir()) .put("xpack.security.authc.realms.ldap.ad-as-ldap-test.ssl.certificate_authorities", certPath) .build(); @@ -135,4 +135,5 @@ private LdapSession unauthenticatedSession(SessionFactory factory, String userna factory.unauthenticatedSession(username, future); return future.actionGet(); } + } 
diff --git a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/AbstractActiveDirectoryTestCase.java b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/AbstractActiveDirectoryTestCase.java index df8b23d9381a1..1f419d5c56d35 100644 --- a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/AbstractActiveDirectoryTestCase.java +++ b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/AbstractActiveDirectoryTestCase.java @@ -15,6 +15,7 @@ import org.elasticsearch.env.Environment; import org.elasticsearch.env.TestEnvironment; import org.elasticsearch.test.ESTestCase; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.authc.RealmConfig; import org.elasticsearch.xpack.core.security.authc.ldap.ActiveDirectorySessionFactorySettings; import org.elasticsearch.xpack.core.security.authc.ldap.support.LdapSearchScope; @@ -84,6 +85,9 @@ public FileVisitResult visitFile(Path file, BasicFileAttributes attrs) throws IO Settings.Builder builder = Settings.builder().put("path.home", createTempDir()); // fake realms so ssl will get loaded + if (inFipsJvm()) { + builder.put(XPackSettings.FIPS_MODE_ENABLED.getKey(), true); + } builder.putList("xpack.security.authc.realms.active_directory.foo.ssl.certificate_authorities", certificatePaths); builder.put("xpack.security.authc.realms.active_directory.foo.ssl.verification_mode", VerificationMode.FULL); builder.putList("xpack.security.authc.realms.active_directory.bar.ssl.certificate_authorities", certificatePaths); 
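Review bot: The new `if (inFipsJvm())` block is inserted between the comment `// fake realms so ssl will get loaded` and the `builder.putList(... ssl.certificate_authorities ...)` lines that comment describes, so the comment now reads as if it explained the FIPS flag. Move the three lines above the comment, or — since the class gains a `getSettingsBuilder()` helper in the next hunk — start with `Settings.Builder builder = getSettingsBuilder().put("path.home", createTempDir());` and drop the inline block entirely. The enclosing method starts above the hunk.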
@@ -148,4 +152,12 @@ private static String getFromProperty(String port) { assertNotNull("Expected the actual value for port " + port + " to be in system property " + key, value); return value; } + + protected Settings.Builder getSettingsBuilder() { + Settings.Builder builder = Settings.builder(); + if (inFipsJvm()) { + builder.put(XPackSettings.FIPS_MODE_ENABLED.getKey(), true); + } + return builder; + } } diff --git a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectorySessionFactoryTests.java b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectorySessionFactoryTests.java index b122404507bc6..382733eb3d309 100644 --- a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectorySessionFactoryTests.java +++ b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectorySessionFactoryTests.java @@ -88,7 +88,7 @@ public void testAdAuth() throws Exception { private RealmConfig configureRealm(String name, String type, Settings settings) { final Environment env = TestEnvironment.newEnvironment(globalSettings); - final Settings mergedSettings = Settings.builder() + final Settings mergedSettings = getSettingsBuilder() .put(settings) .normalizePrefix("xpack.security.authc.realms." + type + "." + name + ".") .put(globalSettings) 
@@ -182,13 +182,13 @@ public void testAuthenticateBaseUserSearch() throws Exception { } public void testAuthenticateBaseGroupSearch() throws Exception { - Settings settings = Settings.builder() - .put(buildAdSettings(REALM_ID, AD_LDAP_URL, AD_DOMAIN, "CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com", - LdapSearchScope.ONE_LEVEL, false)) - .put(ActiveDirectorySessionFactorySettings.AD_GROUP_SEARCH_BASEDN_SETTING, - "CN=Avengers,CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com") - .put(ActiveDirectorySessionFactorySettings.AD_GROUP_SEARCH_SCOPE_SETTING, LdapSearchScope.BASE) - .build(); + Settings settings = getSettingsBuilder() + .put(buildAdSettings(REALM_ID, AD_LDAP_URL, AD_DOMAIN, "CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com", + LdapSearchScope.ONE_LEVEL, false)) + .put(ActiveDirectorySessionFactorySettings.AD_GROUP_SEARCH_BASEDN_SETTING, + "CN=Avengers,CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com") + .put(ActiveDirectorySessionFactorySettings.AD_GROUP_SEARCH_SCOPE_SETTING, LdapSearchScope.BASE) + .build(); RealmConfig config = configureRealm("ad-test", LdapRealmSettings.AD_TYPE, settings); try (ActiveDirectorySessionFactory sessionFactory = getActiveDirectorySessionFactory(config, sslService, threadPool)) { 
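Review bot: Five of the six rewritten lines in `testAuthenticateBaseGroupSearch` differ only in leading whitespace; the single functional change is `Settings.builder()` → `getSettingsBuilder()` on the first line. Keeping the original continuation indent would make this a one-line diff and leave the FIPS change reviewable at a glance; the same applies to `testCustomUserFilter` and `buildAdSettings` further down. If the project formatter mandates the new indent, a separate whitespace-only commit is the usual way to keep the two apart.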
@@ -244,12 +244,12 @@ public void testAuthenticateWithSAMAccountName() throws Exception { } public void testCustomUserFilter() throws Exception { - Settings settings = Settings.builder() - .put(buildAdSettings(REALM_ID, AD_LDAP_URL, AD_DOMAIN, "CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com", - LdapSearchScope.SUB_TREE, false)) - .put(getFullSettingKey(REALM_ID.getName(), ActiveDirectorySessionFactorySettings.AD_USER_SEARCH_FILTER_SETTING), - "(&(objectclass=user)(userPrincipalName={0}@ad.test.elasticsearch.com))") - .build(); + Settings settings = getSettingsBuilder() + .put(buildAdSettings(REALM_ID, AD_LDAP_URL, AD_DOMAIN, "CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com", + LdapSearchScope.SUB_TREE, false)) + .put(getFullSettingKey(REALM_ID.getName(), ActiveDirectorySessionFactorySettings.AD_USER_SEARCH_FILTER_SETTING), + "(&(objectclass=user)(userPrincipalName={0}@ad.test.elasticsearch.com))") + .build(); RealmConfig config = configureRealm("ad-test", LdapRealmSettings.AD_TYPE, settings); try (ActiveDirectorySessionFactory sessionFactory = getActiveDirectorySessionFactory(config, sslService, threadPool)) { @@ -270,7 +270,7 @@ public void testStandardLdapConnection() throws Exception { String groupSearchBase = "DC=ad,DC=test,DC=elasticsearch,DC=com"; String userTemplate = "CN={0},CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com"; final RealmConfig.RealmIdentifier realmId = new RealmConfig.RealmIdentifier(LdapRealmSettings.LDAP_TYPE, "ad-as-ldap-test"); - final Settings settings = Settings.builder() + final Settings settings = getSettingsBuilder() .put(LdapTestCase.buildLdapSettings(realmId, new String[]{AD_LDAP_URL}, new String[]{userTemplate}, groupSearchBase, LdapSearchScope.SUB_TREE, null, false)) .putList(RealmSettings.realmSslPrefix(realmId) + "certificate_authorities", certificatePaths) 
@@ -297,7 +297,7 @@ public void testHandlingLdapReferralErrors() throws Exception { String groupSearchBase = "DC=ad,DC=test,DC=elasticsearch,DC=com"; String userTemplate = "CN={0},CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com"; final RealmConfig.RealmIdentifier realmId = new RealmConfig.RealmIdentifier(LdapRealmSettings.LDAP_TYPE, "ad-as-ldap-test"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put(LdapTestCase.buildLdapSettings(realmId, new String[]{AD_LDAP_URL}, new String[]{userTemplate}, groupSearchBase, LdapSearchScope.SUB_TREE, null, false)) .putList(RealmSettings.realmSslPrefix(realmId) + "certificate_authorities", certificatePaths) @@ -325,7 +325,7 @@ public void testStandardLdapWithAttributeGroups() throws Exception { String userTemplate = "CN={0},CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com"; String groupSearchBase = "DC=ad,DC=test,DC=elasticsearch,DC=com"; final RealmConfig.RealmIdentifier realmId = new RealmConfig.RealmIdentifier(LdapRealmSettings.LDAP_TYPE, "ad-as-ldap-test"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put(LdapTestCase.buildLdapSettings(realmId, new String[]{AD_LDAP_URL}, new String[]{userTemplate}, groupSearchBase, LdapSearchScope.SUB_TREE, null, false)) .putList("ssl.certificate_authorities", certificatePaths) 
@@ -371,14 +371,14 @@ private Settings buildAdSettings(String ldapUrl, String adDomainName, boolean ho } private Settings buildAdSettings(String ldapUrl, String adDomainName, boolean hostnameVerification, boolean useBindUser) { - Settings.Builder builder = Settings.builder() - .put(getFullSettingKey(REALM_ID, SessionFactorySettings.URLS_SETTING), ldapUrl) - .put(getFullSettingKey(REALM_NAME, ActiveDirectorySessionFactorySettings.AD_DOMAIN_NAME_SETTING), adDomainName) - .put(getFullSettingKey(REALM_NAME, ActiveDirectorySessionFactorySettings.AD_LDAP_PORT_SETTING), AD_LDAP_PORT) - .put(getFullSettingKey(REALM_NAME, ActiveDirectorySessionFactorySettings.AD_LDAPS_PORT_SETTING), AD_LDAPS_PORT) - .put(getFullSettingKey(REALM_NAME, ActiveDirectorySessionFactorySettings.AD_GC_LDAP_PORT_SETTING), AD_GC_LDAP_PORT) - .put(getFullSettingKey(REALM_NAME, ActiveDirectorySessionFactorySettings.AD_GC_LDAPS_PORT_SETTING), AD_GC_LDAPS_PORT) - .put(getFullSettingKey(REALM_ID, SessionFactorySettings.FOLLOW_REFERRALS_SETTING), FOLLOW_REFERRALS); + Settings.Builder builder = getSettingsBuilder() + .put(getFullSettingKey(REALM_ID, SessionFactorySettings.URLS_SETTING), ldapUrl) + .put(getFullSettingKey(REALM_NAME, ActiveDirectorySessionFactorySettings.AD_DOMAIN_NAME_SETTING), adDomainName) + .put(getFullSettingKey(REALM_NAME, ActiveDirectorySessionFactorySettings.AD_LDAP_PORT_SETTING), AD_LDAP_PORT) + .put(getFullSettingKey(REALM_NAME, ActiveDirectorySessionFactorySettings.AD_LDAPS_PORT_SETTING), AD_LDAPS_PORT) + .put(getFullSettingKey(REALM_NAME, ActiveDirectorySessionFactorySettings.AD_GC_LDAP_PORT_SETTING), AD_GC_LDAP_PORT) + .put(getFullSettingKey(REALM_NAME, ActiveDirectorySessionFactorySettings.AD_GC_LDAPS_PORT_SETTING), AD_GC_LDAPS_PORT) + .put(getFullSettingKey(REALM_ID, SessionFactorySettings.FOLLOW_REFERRALS_SETTING), FOLLOW_REFERRALS); if (randomBoolean()) { builder.put(getFullSettingKey(REALM_ID, SSLConfigurationSettings.VERIFICATION_MODE_SETTING_REALM), hostnameVerification ? 
VerificationMode.FULL : VerificationMode.CERTIFICATE); @@ -421,7 +421,7 @@ private List groups(LdapSession ldapSession) { } static ActiveDirectorySessionFactory getActiveDirectorySessionFactory(RealmConfig config, SSLService sslService, ThreadPool threadPool) - throws LDAPException { + throws LDAPException { ActiveDirectorySessionFactory sessionFactory = new ActiveDirectorySessionFactory(config, sslService, threadPool); if (sessionFactory.getConnectionPool() != null) { // don't use this in production diff --git a/x-pack/qa/transport-client-tests/src/test/java/org/elasticsearch/xpack/ESXPackSmokeClientTestCase.java b/x-pack/qa/transport-client-tests/src/test/java/org/elasticsearch/xpack/ESXPackSmokeClientTestCase.java index e8d886330ae04..5628db9e8277e 100644 --- a/x-pack/qa/transport-client-tests/src/test/java/org/elasticsearch/xpack/ESXPackSmokeClientTestCase.java +++ b/x-pack/qa/transport-client-tests/src/test/java/org/elasticsearch/xpack/ESXPackSmokeClientTestCase.java @@ -15,6 +15,7 @@ import org.elasticsearch.common.transport.TransportAddress; import org.elasticsearch.env.Environment; import org.elasticsearch.xpack.client.PreBuiltXPackTransportClient; +import org.elasticsearch.xpack.core.XPackSettings; import org.junit.After; import org.junit.AfterClass; import org.junit.Before; @@ -29,6 +30,7 @@ import java.util.concurrent.atomic.AtomicInteger; import static com.carrotsearch.randomizedtesting.RandomizedTest.randomAsciiOfLength; +import static org.elasticsearch.test.ESTestCase.FIPS_SYSPROP; import static org.hamcrest.Matchers.notNullValue; /** 
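Review bot: `buildAdSettings` now seeds its builder with the FIPS flag, yet in the call sites visible in this change its result is only ever passed through `configureRealm`, which itself starts from `getSettingsBuilder()` and then layers `globalSettings` on top, so the flag set here is a redundant third copy (the per-test builders in `testAuthenticateBaseGroupSearch` and `testCustomUserFilter` make a fourth). Setting it once in `configureRealm`, or only in `globalSettings`, covers every realm test in this class, and reverting the other builders to `Settings.builder()` would also remove most of the whitespace-only lines in these hunks. `buildAdSettings` continues past the hunk.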
@@ -63,12 +65,16 @@ public abstract class ESXPackSmokeClientTestCase extends LuceneTestCase {
 private static Client startClient(Path tempDir, TransportAddress... transportAddresses) {
 Settings.Builder builder = Settings.builder()
- .put("node.name", "qa_xpack_smoke_client_" + counter.getAndIncrement())
- .put("client.transport.ignore_cluster_name", true)
- .put("xpack.security.enabled", false)
- .put(Environment.PATH_HOME_SETTING.getKey(), tempDir);
+ .put("node.name", "qa_xpack_smoke_client_" + counter.getAndIncrement())
+ .put("client.transport.ignore_cluster_name", true)
+ .put("xpack.security.enabled", false)
+ .put(Environment.PATH_HOME_SETTING.getKey(), tempDir);
+ // Do not replace this with `inFipsJvm(), see https://github.com/elastic/elasticsearch/issues/52391
+ if (Boolean.parseBoolean(System.getProperty(FIPS_SYSPROP))) {
+ builder.put(XPackSettings.FIPS_MODE_ENABLED.getKey(), true);
+ }
 TransportClient client = new PreBuiltXPackTransportClient(builder.build())
- .addTransportAddresses(transportAddresses);
+ .addTransportAddresses(transportAddresses);
 logger.info("--> Elasticsearch Java TransportClient started");
@@ -76,7 +82,7 @@ private static Client startClient(Path tempDir, TransportAddress... transportAdd
 try {
 ClusterHealthResponse health = client.admin().cluster().prepareHealth().get();
 logger.info("--> connected to [{}] cluster which is running [{}] node(s).",
- health.getClusterName(), health.getNumberOfNodes());
+ health.getClusterName(), health.getNumberOfNodes());
 } catch (Exception e) {
 logger.error("Error getting cluster health", e);
 clientException = e;
diff --git a/x-pack/transport-client/src/test/java/org/elasticsearch/xpack/client/PreBuiltXPackTransportClientTests.java b/x-pack/transport-client/src/test/java/org/elasticsearch/xpack/client/PreBuiltXPackTransportClientTests.java
index f9808ce54faac..632f4144971c5 100644
--- a/x-pack/transport-client/src/test/java/org/elasticsearch/xpack/client/PreBuiltXPackTransportClientTests.java
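Review bot: The comment above the new FIPS guard in startClient has an unbalanced backtick (`inFipsJvm(),` is never closed) and gives only an issue link, so a reader cannot tell from the code why the raw `FIPS_SYSPROP` property must be read instead of the test helper. I would close the backtick and add the reason in one clause, e.g. `// Do not replace this with \`inFipsJvm()\` (see elastic/elasticsearch#52391): <why the helper gives the wrong answer here>`. It is also worth a word on why a client built with `xpack.security.enabled=false` still sets `XPackSettings.FIPS_MODE_ENABLED` — presumably so its bootstrap validation agrees with a FIPS JVM, but that is not visible here. Note that `Boolean.parseBoolean(null)` is false, so the guard is safe when the property is unset; the rest of startClient continues outside this hunk.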
+++ b/x-pack/transport-client/src/test/java/org/elasticsearch/xpack/client/PreBuiltXPackTransportClientTests.java
@@ -6,9 +6,11 @@
 package org.elasticsearch.xpack.client;
 import com.carrotsearch.randomizedtesting.RandomizedTest;
+import org.elasticsearch.bootstrap.JavaVersion;
 import org.elasticsearch.client.transport.TransportClient;
 import org.elasticsearch.common.network.NetworkModule;
 import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.xpack.core.XPackSettings;
 import org.elasticsearch.xpack.core.security.SecurityField;
 import org.junit.Test;
@@ -21,10 +23,14 @@ public class PreBuiltXPackTransportClientTests extends RandomizedTest {
 @Test
 public void testPluginInstalled() {
- try (TransportClient client = new PreBuiltXPackTransportClient(Settings.EMPTY)) {
+ Settings.Builder builder = Settings.builder();
+ if (Boolean.parseBoolean(System.getProperty("tests.fips.enabled")) && JavaVersion.current().getVersion().get(0) == 8) {
+ builder.put(XPackSettings.FIPS_MODE_ENABLED.getKey(), true);
+ }
+ try (TransportClient client = new PreBuiltXPackTransportClient(builder.build())) {
 Settings settings = client.settings();
 assertEquals(SecurityField.NAME4, NetworkModule.TRANSPORT_TYPE_SETTING.get(settings));
 }
 }
-}
\ No newline at end of file
+}
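Review bot: The FIPS predicate added to testPluginInstalled does not match the one this same change adds to ESXPackSmokeClientTestCase.startClient: it re-spells the property as the literal `"tests.fips.enabled"` rather than reusing a shared constant such as `FIPS_SYSPROP`, and it additionally requires `JavaVersion.current().getVersion().get(0) == 8` without saying why FIPS mode must stay off on newer JVMs when the property is set. If the Java-8 restriction is deliberate (for instance because the FIPS test run only exists on Java 8 — not verifiable from this diff), a comment on the `if` such as `// TODO(review): document why FIPS mode is only enabled on Java 8 here` should be replaced by the actual reason; otherwise the version check should be dropped so both test clients derive FIPS mode from the property alone. `Boolean.parseBoolean(System.getProperty(...))` already yields false when the property is absent, so the extra condition is not needed for safety.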
