From ed9d2a975ab706d2e45dfd98057e81dc846e8c27 Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Wed, 19 Jan 2022 11:56:40 +0200 Subject: [PATCH 01/15] Correct file ownership on node reconfiguration When running elasticsearch-reconfigure-node to allow a node that was installed via a package(RPM/DEB) to enroll to an existing secured cluster, we should ensure that the file ownership is proper so that elasticsearch can actually read the files when it starts after reconfiguration. This commits sets the group owner of the keystore files to `elasticsearch` which is the group that we create during installation. --- ...ackagesSecurityAutoConfigurationTests.java | 75 +++++++++++++++++++ qa/os/src/test/resources/http.crt | 19 +++++ qa/os/src/test/resources/http.key | 27 +++++++ qa/os/src/test/resources/http_ca.crt | 20 +++++ qa/os/src/test/resources/http_ca.key | 27 +++++++ qa/os/src/test/resources/transport.crt | 19 +++++ qa/os/src/test/resources/transport.key | 27 +++++++ qa/os/src/test/resources/transport_ca.crt | 20 +++++ .../xpack/security/cli/AutoConfigureNode.java | 36 +++++++-- 9 files changed, 264 insertions(+), 6 deletions(-) create mode 100644 qa/os/src/test/resources/http.crt create mode 100644 qa/os/src/test/resources/http.key create mode 100644 qa/os/src/test/resources/http_ca.crt create mode 100644 qa/os/src/test/resources/http_ca.key create mode 100644 qa/os/src/test/resources/transport.crt create mode 100644 qa/os/src/test/resources/transport.key create mode 100644 qa/os/src/test/resources/transport_ca.crt diff --git a/qa/os/src/test/java/org/elasticsearch/packaging/test/PackagesSecurityAutoConfigurationTests.java b/qa/os/src/test/java/org/elasticsearch/packaging/test/PackagesSecurityAutoConfigurationTests.java index 1c5ad6cc90197..cd203b859c927 100644 --- a/qa/os/src/test/java/org/elasticsearch/packaging/test/PackagesSecurityAutoConfigurationTests.java +++ b/qa/os/src/test/java/org/elasticsearch/packaging/test/PackagesSecurityAutoConfigurationTests.java 
@@ -8,18 +8,33 @@ package org.elasticsearch.packaging.test; +import org.elasticsearch.Version; import org.elasticsearch.cli.ExitCodes; +import org.elasticsearch.common.Strings; +import org.elasticsearch.common.ssl.PemKeyConfig; import org.elasticsearch.packaging.util.Installation; import org.elasticsearch.packaging.util.Packages; import org.elasticsearch.packaging.util.Shell; +import org.elasticsearch.test.http.MockResponse; +import org.elasticsearch.test.http.MockWebServer; +import org.elasticsearch.xcontent.XContentBuilder; +import org.elasticsearch.xpack.core.security.EnrollmentToken; +import org.hamcrest.CoreMatchers; import org.junit.BeforeClass; import java.nio.file.Files; import java.nio.file.Path; +import java.nio.file.Paths; import java.nio.file.StandardCopyOption; +import java.security.SecureRandom; import java.util.List; import java.util.Optional; import java.util.function.Predicate; +import java.util.stream.Collectors; + +import javax.net.ssl.KeyManager; +import javax.net.ssl.SSLContext; +import javax.net.ssl.TrustManager; import static java.nio.file.StandardOpenOption.TRUNCATE_EXISTING; import static org.elasticsearch.packaging.util.FileUtils.append; @@ -27,6 +42,7 @@ import static org.elasticsearch.packaging.util.Packages.assertRemoved; import static org.elasticsearch.packaging.util.Packages.installPackage; import static org.elasticsearch.packaging.util.Packages.verifyPackageInstallation; +import static org.elasticsearch.xcontent.XContentFactory.jsonBuilder; import static org.hamcrest.Matchers.containsString; import static org.hamcrest.Matchers.equalTo; import static org.hamcrest.Matchers.hasItem; 
@@ -235,6 +251,65 @@ public void test72ReconfigureRetainsUserSettings() throws Exception { assertThat(newConfigurationLines, hasItem("node.name: testnodename")); } + public void test73ReconfigureCreatesFilesWithCorrectPermissions() throws Exception { + cleanup(); + assertRemoved(distribution()); + installation = installPackage(sh, distribution(), successfulAutoConfiguration()); + assertInstalled(distribution()); + verifyPackageInstallation(installation, distribution(), sh); + verifySecurityAutoConfigured(installation); + assertNotNull(installation.getElasticPassword()); + final PemKeyConfig keyConfig = new PemKeyConfig( + Paths.get(getClass().getResource("http.crt").toURI()).toAbsolutePath().normalize().toString(), + Paths.get(getClass().getResource("http.key").toURI()).toAbsolutePath().normalize().toString(), + new char[0], + Paths.get(getClass().getResource("http.crt").toURI()).getParent().toAbsolutePath().normalize() + ); + final SSLContext sslContext = SSLContext.getInstance("TLS"); + sslContext.init(new KeyManager[] { keyConfig.createKeyManager() }, new TrustManager[] {}, new SecureRandom()); + // We can't run multiple nodes as package installations. 
We mock an initial node that would respond to the enroll node API + try (MockWebServer mockNode = new MockWebServer(sslContext, false)) { + mockNode.start(); + final String httpCaCertPemString = Files.readAllLines( + Paths.get(getClass().getResource("http_ca.crt").toURI()).toAbsolutePath().normalize() + ).stream().filter(l -> l.contains("-----") == false).collect(Collectors.joining()); + final String httpCaKeyPemString = Files.readAllLines( + Paths.get(getClass().getResource("http_ca.key").toURI()).toAbsolutePath().normalize() + ).stream().filter(l -> l.contains("-----") == false).collect(Collectors.joining()); + final String transportCaCertPemString = Files.readAllLines( + Paths.get(getClass().getResource("transport_ca.crt").toURI()).toAbsolutePath().normalize() + ).stream().filter(l -> l.contains("-----") == false).collect(Collectors.joining()); + final String transportKeyPemString = Files.readAllLines( + Paths.get(getClass().getResource("transport.key").toURI()).toAbsolutePath().normalize() + ).stream().filter(l -> l.contains("-----") == false).collect(Collectors.joining()); + final String transportCertPemString = Files.readAllLines( + Paths.get(getClass().getResource("transport.crt").toURI()).toAbsolutePath().normalize() + ).stream().filter(l -> l.contains("-----") == false).collect(Collectors.joining()); + final XContentBuilder responseBuilder = jsonBuilder().startObject() + .field("http_ca_key", httpCaCertPemString) + .field("http_ca_cert", httpCaKeyPemString) + .field("transport_ca_cert", transportCaCertPemString) + .field("transport_key", transportKeyPemString) + .field("transport_cert", transportCertPemString) + .array("nodes_addresses", "192.168.1.23:9300") // won't be used, can be anything + .endObject(); + mockNode.enqueue(new MockResponse().setResponseCode(200).setBody(Strings.toString(responseBuilder))); + final EnrollmentToken enrollmentToken = new EnrollmentToken( + "some-api-key", + 
"b0150fd8a29f9012207912de9a01aa1d1f0dd696c847d3a9353881f9045bf442", // fingerprint of http_ca.crt + Version.CURRENT.toString(), + List.of(mockNode.getHostName() + ":" + mockNode.getPort()) + ); + Shell.Result result = installation.executables().nodeReconfigureTool.run( + "--enrollment-token " + enrollmentToken.getEncoded(), + "y", + true + ); + assertThat(result.exitCode, CoreMatchers.equalTo(0)); + verifySecurityAutoConfigured(installation); + } + } + private Predicate successfulAutoConfiguration() { Predicate p1 = output -> output.contains("Authentication and authorization are enabled."); Predicate p2 = output -> output.contains("TLS for the transport and HTTP layers is enabled and configured."); diff --git a/qa/os/src/test/resources/http.crt b/qa/os/src/test/resources/http.crt new file mode 100644 index 0000000000000..def8c5c6fd208 --- /dev/null +++ b/qa/os/src/test/resources/http.crt 
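Review bot: The mock enroll response in `test73ReconfigureCreatesFilesWithCorrectPermissions` appears to have the HTTP CA fields crossed: `http_ca_key` is filled from `httpCaCertPemString` and `http_ca_cert` from `httpCaKeyPemString`. The two lines should read `.field("http_ca_key", httpCaKeyPemString)` and `.field("http_ca_cert", httpCaCertPemString)`, otherwise the reconfigured node is handed a certificate where it expects a private key. The test is named for file permissions, but within this hunk it only checks the exit code and calls `verifySecurityAutoConfigured`. If that helper (defined outside the hunk) does not check group ownership of the generated keystores, an explicit assertion on the group of the two `.p12` files would pin the behaviour this commit fixes.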
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDIzCCAgugAwIBAgIVAIgui13Jr2lyTayGd7yA5JmHtziFMA0GCSqGSIb3DQEB +CwUAMDQxMjAwBgNVBAMTKUVsYXN0aWMgQ2VydGlmaWNhdGUgVG9vbCBBdXRvZ2Vu +ZXJhdGVkIENBMB4XDTIyMDExOTA5MDUyMFoXDTI1MDExODA5MDUyMFowEzERMA8G +A1UEAxMIaW5zdGFuY2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDM +woA+gu7F0APykdZB4WJ7dJC6hhIpOtSvP0ujjlBDj1Ez3vhE4oKLPSVUFJCZ1ACZ +x2hCHxGaCsEd8RcpO9ScXqA9k6HHEtiBxX7wAzDJMmoyybVupHRrnCnBZuRhe2pR +lApTBLp89IIbIU0Kmyxc0LaE/KhuN3aWJEk9UZqOtkc0iN0dIHboiFPspfLjlrR9 +WrJ4mB0jgEU7B5wUwvOT3CUWt6zhi/GWarHd3Y1UoyZdTdydlmyN6AJVvT26odGj +zdPyiDtdRs9YFrMs4FX/LSjZOH2F1+ed1VY97vPo8QccYV5tmVU0AF+mVcd9rDEc +v98rVUWlwIdSd11fGBSvAgMBAAGjTTBLMB0GA1UdDgQWBBQgkr81OCwcUXnPEP6l +v7+9P63SuzAfBgNVHSMEGDAWgBSouO0kAGN6VSErE0jElIB7IQyvpDAJBgNVHRME +AjAAMA0GCSqGSIb3DQEBCwUAA4IBAQAOy+szJ82fixSPv4ONbTrJyYRFO6f9SgZW +t/Ijerhi7881noSZXFUqoG7nwGuNSDkOH/Cw+2K6N+Uarh9ujtqyxqaLoQ+qDmFn +IyKmpiDA9NDNB/Y73ZyZTYAH6sokRqL03UFLEujY9bGAQdpY82mD9OOs8eA+LVZl +69fuNMHkTtJsES3Ko77IblpGeyM5RisIiB3ALF5djtYt7vLhEGjASQKxP88A0MMf +3vGfXpB+bhXz2t4QeJzX8Br8Aq1aXGpZqsLV+ZNpB4OxrfGhXw4s3X2sb4ZTBtMb +cu7d7w31P79II10tF+OR+eT+PAInNnL86YlICceI68N3IblfXEdE +-----END CERTIFICATE----- diff --git a/qa/os/src/test/resources/http.key b/qa/os/src/test/resources/http.key new file mode 100644 index 0000000000000..cdb3d808989c9 --- /dev/null +++ b/qa/os/src/test/resources/http.key 
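Review bot: The fixture certificates added here look short-lived for test data: decoding the validity field of this certificate gives a notBefore of 2022-01-19 and a notAfter of 2025-01-18, and `http_ca.crt`, `transport.crt` and `transport_ca.crt` carry the same three-year window. If the enrolling node validates the mock node's chain, which seems likely, this test would start failing on that date for reasons unrelated to the code under test. Regenerating the fixtures with a much longer validity (the production code in this patch uses `99 * 365` days for the transport certificates) and recording the generation command in a short README next to them would avoid that. The README should also state that `http.key`, `http_ca.key` and `transport.key` are throwaway test keys, since checked-in private keys are routinely flagged by secret scanners.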
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAzMKAPoLuxdAD8pHWQeFie3SQuoYSKTrUrz9Lo45QQ49RM974 +ROKCiz0lVBSQmdQAmcdoQh8RmgrBHfEXKTvUnF6gPZOhxxLYgcV+8AMwyTJqMsm1 +bqR0a5wpwWbkYXtqUZQKUwS6fPSCGyFNCpssXNC2hPyobjd2liRJPVGajrZHNIjd +HSB26IhT7KXy45a0fVqyeJgdI4BFOwecFMLzk9wlFres4Yvxlmqx3d2NVKMmXU3c +nZZsjegCVb09uqHRo83T8og7XUbPWBazLOBV/y0o2Th9hdfnndVWPe7z6PEHHGFe +bZlVNABfplXHfawxHL/fK1VFpcCHUnddXxgUrwIDAQABAoIBAFZZUcbK5ZHDEt8Z +NE9NEoB4nE4kmwULG8UZvranHd8X0ck7ptw5346DhznpgD924Zf4OVXlD0G0dlM/ +qCJJ6nPVDeNZ3lf68RXs6Qajec/nNFTdrmcN8FCvJwa58ubPKntjoGT5MgHfBP0W +8ovd+3vawpXbjNYKCrbvb3lt7+1tXAtamvrHHM3kDaTLcvyWX34W2vE2Dim/O44M +DXMwQowYOZTS7BCSZg0pfxYFTWN9ViO2y/7+cVj7dZrC4l+78qeRvzG+rBDMPnw7 +7CXUoz8od0FqhoKNQ9MmpX/FkuwYISQK1jCF+h31w8msCPeJ5/c5FCA7801Ob2Cc +wpAmCvkCgYEA/U/KKr4HW8Bv4Z3b5qZncyHCss6W1MUQ5mhVtCji1mgJCtl7jfHa +YOIJoYZUg7i3SnBWUpKV7zqOUHM4wj0fsc5WRCgO4G/9Vb9IHP3kvtWiIum8/4BR +lAK7rWMkSFUWso/lk/fxnNiSuiec2lB4SpDfILClfYCXjt4yj7ntwWcCgYEAzu7N +irpV5/wAWV1RKnx7qve6gJLTLtoNaerQcNKwIW3EuGx/hcDQpmXAas1TkamkXPcF +tGdR5/y2eFQaN/MbBEujSMAIEFygmkkS58W4+fvuYZPuXrLjkRyJ3hMfYZNe5s5x +qhxSyddZ+YN8Lg1o0GvKjnVGx1UQnyH9qd5ZHXkCgYBhB/9ZABGxg7VXpzBk2bkm +0PfTpm8AcbxXhf/OUxsRJijQjx5U8R/FnNAzn1EgY9FSIlXuq1fjm3qINpq3TNKn +OXKyCOYp8rwH7I2jDV5h+1NwLDjJZk3ZdHKPqDptuqpHG/fFBmT2v770r9fViJ2L +cpMF4qSBvpBPma2kgIQiYQKBgQC7Dz442OaNVc1O+z9DA9KbI2OxlIhZAv47L+wL +ATn8jgjVmibQ1xMGSFbfdQrFUy/kZdz/TqLI7jZYodYtm5JhmKpbOlRPzhvUPJhd +cewb9rRv+tTxQA7c/4pVeL3Wa+zPAfHYD9B66zRHjKd1zeNg/P/XNYas7GWhJI30 +v62ZKQKBgQDBQba7t3oWDucf7tjYJHaliiKPDdb6djH1Jw12IOEtgtx4jYZf7Gzm +P0LdvBkHmtK9821EhSqt0biVBoARqoxklNGjk8wIz1fB6hYvZC11+hOUTKhKxSsG +idYmq4sYqioPrdXHYtYxA3S+BPZ2mMoYVDDdDVz5AzjWUNfJ9PTApQ== +-----END RSA PRIVATE KEY----- diff --git a/qa/os/src/test/resources/http_ca.crt b/qa/os/src/test/resources/http_ca.crt new file mode 100644 index 0000000000000..350fe97f9c882 --- /dev/null +++ b/qa/os/src/test/resources/http_ca.crt 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDSjCCAjKgAwIBAgIVALA5mjBbdcSBX/AX5ugQy+gbiBJwMA0GCSqGSIb3DQEB +CwUAMDQxMjAwBgNVBAMTKUVsYXN0aWMgQ2VydGlmaWNhdGUgVG9vbCBBdXRvZ2Vu +ZXJhdGVkIENBMB4XDTIyMDExOTA5MDIzM1oXDTI1MDExODA5MDIzM1owNDEyMDAG +A1UEAxMpRWxhc3RpYyBDZXJ0aWZpY2F0ZSBUb29sIEF1dG9nZW5lcmF0ZWQgQ0Ew +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCfQ7Br31QqYFaXjWYKG8Vh +FnPMnZGAT3L9xW7TdBQ1vlp3pnv77vMg0NZXLLx7FUp5HzZj/I2mUdADTxL/fWg5 +WCtPH6UzFFimk8H2v30OFGSGkdIB6tAXuesuZBihIhIb14OY4btBWoyUwOdMgRX8 +SAzFq+zpq3P49Aiv9tU7icXJyrD2wZCIS0L/nogjIFXXnmUQLFYfVlm7xFQnFTqw +sdTpKthkgQyV6hYaCInktP+X+osOrlnOqHWpRpqgqqj1OB/TqocACpgH1Wmgt0F+ +IR0acVWR1jV0EbSL15i0QTRFgw4/7AbXXf8SKtkhw+SP+epyjDsh9mA1gSiT5q1t +AgMBAAGjUzBRMB0GA1UdDgQWBBSouO0kAGN6VSErE0jElIB7IQyvpDAfBgNVHSME +GDAWgBSouO0kAGN6VSErE0jElIB7IQyvpDAPBgNVHRMBAf8EBTADAQH/MA0GCSqG +SIb3DQEBCwUAA4IBAQB1tuaFxErPbAlVojdRTFbosqoNRS4kcXhKO3Evk4h9yqkH +kplWPv+5/0PRFycYu9eZau0Gghzsd7ePcra8WLLwFPofuJad6wefWvbb0qGZmsi+ +yQW8/CGWTVVjJZPc1WMElP4eLvMhPrdS2Wioq2s4b9vYHBUHxLrDsx9dr4A4s4Yw +/dt0b15KrscNRXdM0rnvhAghh6grZ+P9lg4wyDEYr3e3ZUROPBWBT/yjveNOLj7n +7M28rgVkAvKzqtb3shLQL4UnsQJfB67sKpruIt+VjecUaTjvLyYaH4NvnlvqOIr3 +Eg+gjpSRGnatAzgwBHx5WYU4FTKfGdrmO81kngyA +-----END CERTIFICATE----- diff --git a/qa/os/src/test/resources/http_ca.key b/qa/os/src/test/resources/http_ca.key new file mode 100644 index 0000000000000..00ed9c5de672f --- /dev/null +++ b/qa/os/src/test/resources/http_ca.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAn0Owa99UKmBWl41mChvFYRZzzJ2RgE9y/cVu03QUNb5ad6Z7 +++7zINDWVyy8exVKeR82Y/yNplHQA08S/31oOVgrTx+lMxRYppPB9r99DhRkhpHS +AerQF7nrLmQYoSISG9eDmOG7QVqMlMDnTIEV/EgMxavs6atz+PQIr/bVO4nFycqw +9sGQiEtC/56IIyBV155lECxWH1ZZu8RUJxU6sLHU6SrYZIEMleoWGgiJ5LT/l/qL +Dq5Zzqh1qUaaoKqo9Tgf06qHAAqYB9VpoLdBfiEdGnFVkdY1dBG0i9eYtEE0RYMO +P+wG113/EirZIcPkj/nqcow7IfZgNYEok+atbQIDAQABAoIBABgbTE2/rkMtyt2X +WwMbr1V3QGGP1hwS/90BReRUH9JUtOfYd3rWRnnInTDxG2RmqsZI9FglEaHDpMCO +Ia+HYWpl+e7jji38SJY01k6i2cBy/hZPuyHBfkGhHsPVBdSvTgi7JyGnGqC/883O +TGm26PIt9l+d8DccVb+whyIaCAOXT/T0kQxV6OWRg2fLOGVVg2MhvZzxONgxfwx5 +P2ku8Bh7mqNXEAvnUKu92WiW0/9XkzzOmvO0y1KXH08ybL1StnYE7WEhD1ykYV9e +NPoDvTY+uUbAr1IdzhepOyBBaxfH1q1m9qAeQYVz36/6b+bLHpTb0XBHfZBCybKL +c3FWcwcCgYEAvziz4N8sYYv0wxKqpmEd/FP4d62iZonFhhSE5KJiDn2UmRJKj4Ji +l4gFK1kkLoTFAr/1JJv6YaugPrt7wf2af4UW3MP5W3pnsXe3ivbEFhzU+Wr7R+Sc +pG7dnilvaBiu1EZWU0zRXzHX8H+lIDOxvaLWr6aOyfEY76I1anTOqNMCgYEA1TeS +scWEl6IX8cphj387XlqFhlQ5e+7QeSQHgsJZDD1pCLelBI93pwuISJsqM3bdcGbI +14nn2Dz7eibhN9hWn+GeW/ElmjCLdps1EMm77aMzhfwDk5SwGK8Go26qA6WgFXXU +xoAaZKjP/FkQfTYQHu9zLiqJDYf2eB2EnN27aL8CgYBe67K+6YmKUoMJYna7aHIO +E1C/d72p0LHwQLdHFyQ9tTDSWzYPztVKCwcl4XYIcXeqScdSiOrdGOjOuxpPzaen +rVUP+WgKdNSMT7UYki38HAvMU8KwiVcIeNAh9seKkNYYIWIwr20vJ/rdMz+woHiW +fgK75p3yuG98ZLTHR3xeaQKBgBIEai7/g97UYbWa5nebxsaIW7QoNdtVKOSzuLbB ++YhhQBjue9FQ1kmVXeTUx9IlfzzaUqp0CtVpAc8mre1sKJXGGP2n+Qd4hrB1GRzc +DzdbjSULULoN3HuZfrQcy90XB9oIZPyJIrHS2hB27j/Ga8JRdag3C/HKxXcM94HR +8t49AoGBAIaWfxVq39Xml5PdQ9l22pF3gBTRDQLDYMLmx4RZRlJtE8c5GWIpq3QM +6i/ZqT5dPK/WsEdZ34JX3lvp+Lywf/cx3HoF8XSvYW8UdxEuowF9O7UF7QTzTTLB +8KroH2BfWnCqzw01ztTjhzis+P78tnL7dQVLc7wee3kHdkLV4Vwq +-----END RSA PRIVATE KEY----- diff --git a/qa/os/src/test/resources/transport.crt b/qa/os/src/test/resources/transport.crt new file mode 100644 index 0000000000000..d3fcfef93c6f6 --- /dev/null +++ b/qa/os/src/test/resources/transport.crt 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDIjCCAgqgAwIBAgIUS83knQ28f817BNKYxsKC9S2achYwDQYJKoZIhvcNAQEL +BQAwNDEyMDAGA1UEAxMpRWxhc3RpYyBDZXJ0aWZpY2F0ZSBUb29sIEF1dG9nZW5l +cmF0ZWQgQ0EwHhcNMjIwMTE5MDkwNTUxWhcNMjUwMTE4MDkwNTUxWjATMREwDwYD +VQQDEwhpbnN0YW5jZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK8Z +dERaKHI8+9BOmWo6cD20bSkNTWwJI9BhqT4Cxj/zBmK06mOwqHqfw5DZMRFUOuCU +BeDlX35vr+2eEcWnXWA0zkYPFBwN2ZXtae1Cjyo+JN34onsF2BwpBbAz1BwABs+Z +W9tsrlkRvJ1Msfxr2DJOjJK5vZVF89DCzS7qqALlSlJMfvPGj+wBjf3MoS1AFIIu +UGBOKtbVEOVVchvZ5VA3wSsgaT94/T5ISFjVnSR572PJJJ7ve2K5Z8crClscDQHE +mxxHRnuqgVbBOe3K2ltMvOtpCTOSSP2u1H1EAW9IH1KSYB51E6Ob6E/R3qY7ukrr +ipZ06TVK6wC3rwaVRQMCAwEAAaNNMEswHQYDVR0OBBYEFNBu7h1/U3tr51nO9frB +NE9fsYyKMB8GA1UdIwQYMBaAFKi47SQAY3pVISsTSMSUgHshDK+kMAkGA1UdEwQC +MAAwDQYJKoZIhvcNAQELBQADggEBACV6DaVgMpfNRRMY1xM3G1fJeSXt7sZQxTUM +IwpzKvFpoUo8Qcz5ZVW0ZJ0syoPZcnDjYBCM4HfcI7T5tCNH2TFWbRjacjNfu2gz +p8NycN8proqKKnNDRr5XqRqJvzaU4OfNXIbkKY1B5MZJsJWB5CNMGBfrLfKu/rhl +kdxndwa+eTJCHcJBGauZmQ8wgqhn8UIUv9+VLVjyDMA3AgtUvwYgKKYIKF4Ev0XZ +b7RxIQ1c+h+/hkvzDP5KOTkr1Ri6tCIMaCz3Bosk8CfwNQDFGHa+vabm98wQTBmI +Ke4hGkuAX/crqzFruWkQ0Lw6r4ZjD2/I6ZKKj+BQLmiQAfQ5l/A= +-----END CERTIFICATE----- diff --git a/qa/os/src/test/resources/transport.key b/qa/os/src/test/resources/transport.key new file mode 100644 index 0000000000000..d96de95f6a463 --- /dev/null +++ b/qa/os/src/test/resources/transport.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEArxl0RFoocjz70E6ZajpwPbRtKQ1NbAkj0GGpPgLGP/MGYrTq +Y7Coep/DkNkxEVQ64JQF4OVffm+v7Z4RxaddYDTORg8UHA3Zle1p7UKPKj4k3fii +ewXYHCkFsDPUHAAGz5lb22yuWRG8nUyx/GvYMk6Mkrm9lUXz0MLNLuqoAuVKUkx+ +88aP7AGN/cyhLUAUgi5QYE4q1tUQ5VVyG9nlUDfBKyBpP3j9PkhIWNWdJHnvY8kk +nu97YrlnxysKWxwNAcSbHEdGe6qBVsE57craW0y862kJM5JI/a7UfUQBb0gfUpJg +HnUTo5voT9Hepju6SuuKlnTpNUrrALevBpVFAwIDAQABAoIBAEFLla7TjBelpCW2 +2cDiT+7CtJ5FZqSt99wCPzFvqWw5fR0b5/gK7ZjksPH3/DNBHL+Yk2SdRHIKxiku +8+OoGMsChhVcFByuEYC2SvT+CBMxn1/jEvwbXs6JgaSGf0d9vwx1XOrDaXSvh42F +By5hLPr9jbA9cXQT5OrpachgGw0Qw8vsaH6s+0ZUIQGl7W3YM96B9Vms+bgSHMu2 +ue+nul9xmUo6vLAoEYCAGJzEl8TCQlVuaZeEvrJN13gytBtdLq+wW/+AXJVkAqm4 +JHUPbIBp+fyWBXADg/4Pla4ikqzPUA3VDGYBbiVcgnnsTFuFtzCF4+wOA09E324c +APXJLWkCgYEAxTk6uTLh81w0b09LompZs6bb4ZWRcNXrHoVx4fO9MSuit6BzTYrE ++L+lAl/2kll61mqTjce3FlJfg2ymWfEI+EnQNLSENaq2Z/GmGQGG7eXVYDYRx57Y +P9MEH/3Uef7M4BaeEOO0g6QE2jTzndOEGhrBKQEOZSNvuYO2QF5iW4cCgYEA40hP +Tx9fgWg45Oysj2STazrl9Fz/P+KEWb6JPYaBpB0/+4nRJK8iDRlmianVtAjqDVwg +w7ogpUPXRTdPUMQQEEdLgOCT2owrBPX/wWNjkstF367Af7VLTcsQvCBnPBv1UyVR +EFDTL4EbeNdehyIzhxu9BFMgG/SGLk3XotM1QaUCgYEAmfhf3A3ZUIB/fxbM2XNl +rFdr+eUmsoyPDjjn+5qp7SU/11OwMK1RsVEMpZn9iavJtnNl1p5AVXDhmFzOUhFX +C1+06DC1tqAb33JMVeFXUYrI1l/f6ZQdB1baNY+YvdUqZRfDNzRNzSfTkfcc6e4j +h62zdyuX7WWI56/oLMCC0SkCgYEA38sspJkcvlx0YR2WUF9VNSm6keIcR7hwX7nY +gud1sbZHcRPkBr4XxlQzfevoDC0W4W7MqE0WpgRl7Laod7uGobDB7LW1gGWyWmEr +oy2NN1bGh5kX3OgTrRb9dHBnlm1lI6jD6E/dkpILDfLrFh6cJDYw6Rg8rqoYkXF+ +mcpkTy0CgYAuvj+Yox2eHsGhBqYM1nxYdfDGBnxUA4hRoozNX/0ZqLgdYptqV7Dh +a8znyhDVX4s4WMPckCn/vwYNLV2NEDVgqvVlUa8exmSn1GC3wCPSP7wr4kTXRzWm +51m2BNxWxtOAv5SXh7dFZYw2utVXujsartEFDnfic0X7hyEs7WTVsg== +-----END RSA PRIVATE KEY----- diff --git a/qa/os/src/test/resources/transport_ca.crt b/qa/os/src/test/resources/transport_ca.crt new file mode 100644 index 0000000000000..350fe97f9c882 --- /dev/null +++ b/qa/os/src/test/resources/transport_ca.crt 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDSjCCAjKgAwIBAgIVALA5mjBbdcSBX/AX5ugQy+gbiBJwMA0GCSqGSIb3DQEB +CwUAMDQxMjAwBgNVBAMTKUVsYXN0aWMgQ2VydGlmaWNhdGUgVG9vbCBBdXRvZ2Vu +ZXJhdGVkIENBMB4XDTIyMDExOTA5MDIzM1oXDTI1MDExODA5MDIzM1owNDEyMDAG +A1UEAxMpRWxhc3RpYyBDZXJ0aWZpY2F0ZSBUb29sIEF1dG9nZW5lcmF0ZWQgQ0Ew +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCfQ7Br31QqYFaXjWYKG8Vh +FnPMnZGAT3L9xW7TdBQ1vlp3pnv77vMg0NZXLLx7FUp5HzZj/I2mUdADTxL/fWg5 +WCtPH6UzFFimk8H2v30OFGSGkdIB6tAXuesuZBihIhIb14OY4btBWoyUwOdMgRX8 +SAzFq+zpq3P49Aiv9tU7icXJyrD2wZCIS0L/nogjIFXXnmUQLFYfVlm7xFQnFTqw +sdTpKthkgQyV6hYaCInktP+X+osOrlnOqHWpRpqgqqj1OB/TqocACpgH1Wmgt0F+ +IR0acVWR1jV0EbSL15i0QTRFgw4/7AbXXf8SKtkhw+SP+epyjDsh9mA1gSiT5q1t +AgMBAAGjUzBRMB0GA1UdDgQWBBSouO0kAGN6VSErE0jElIB7IQyvpDAfBgNVHSME +GDAWgBSouO0kAGN6VSErE0jElIB7IQyvpDAPBgNVHRMBAf8EBTADAQH/MA0GCSqG +SIb3DQEBCwUAA4IBAQB1tuaFxErPbAlVojdRTFbosqoNRS4kcXhKO3Evk4h9yqkH +kplWPv+5/0PRFycYu9eZau0Gghzsd7ePcra8WLLwFPofuJad6wefWvbb0qGZmsi+ +yQW8/CGWTVVjJZPc1WMElP4eLvMhPrdS2Wioq2s4b9vYHBUHxLrDsx9dr4A4s4Yw +/dt0b15KrscNRXdM0rnvhAghh6grZ+P9lg4wyDEYr3e3ZUROPBWBT/yjveNOLj7n +7M28rgVkAvKzqtb3shLQL4UnsQJfB67sKpruIt+VjecUaTjvLyYaH4NvnlvqOIr3 +Eg+gjpSRGnatAzgwBHx5WYU4FTKfGdrmO81kngyA +-----END CERTIFICATE----- diff --git a/x-pack/plugin/security/cli/src/main/java/org/elasticsearch/xpack/security/cli/AutoConfigureNode.java b/x-pack/plugin/security/cli/src/main/java/org/elasticsearch/xpack/security/cli/AutoConfigureNode.java index 21248e4e0bd89..37b465b52f1bb 100644 --- a/x-pack/plugin/security/cli/src/main/java/org/elasticsearch/xpack/security/cli/AutoConfigureNode.java +++ b/x-pack/plugin/security/cli/src/main/java/org/elasticsearch/xpack/security/cli/AutoConfigureNode.java 
@@ -33,6 +33,8 @@ import org.elasticsearch.common.settings.SecureString; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.core.CheckedConsumer; +import org.elasticsearch.core.Nullable; +import org.elasticsearch.core.PathUtils; import org.elasticsearch.core.SuppressForbidden; import org.elasticsearch.discovery.DiscoveryModule; import org.elasticsearch.discovery.SettingsBasedSeedHostsProvider; @@ -59,10 +61,12 @@ import java.nio.file.Path; import java.nio.file.StandardCopyOption; import java.nio.file.StandardOpenOption; +import java.nio.file.attribute.GroupPrincipal; import java.nio.file.attribute.PosixFileAttributeView; import java.nio.file.attribute.PosixFilePermission; import java.nio.file.attribute.PosixFilePermissions; import java.nio.file.attribute.UserPrincipal; +import java.nio.file.attribute.UserPrincipalLookupService; import java.security.KeyPair; import java.security.KeyStore; import java.security.PrivateKey; @@ -110,6 +114,7 @@ public class AutoConfigureNode extends EnvironmentAwareCommand { private static final String TRANSPORT_AUTOGENERATED_KEYSTORE_NAME = "transport"; private static final String TRANSPORT_KEY_KEYSTORE_ENTRY = "transport"; private static final String TRANSPORT_CA_CERT_KEYSTORE_ENTRY = "transport_ca"; + private static final String ELASTICSEARCH_GROUP_OWNER = "elasticsearch"; private static final int TRANSPORT_CERTIFICATE_DAYS = 99 * 365; private static final int TRANSPORT_CA_CERTIFICATE_DAYS = 99 * 365; private static final int TRANSPORT_KEY_SIZE = 4096; 
@@ -152,8 +157,9 @@ public static void main(String[] args) throws Exception { @Override protected void execute(Terminal terminal, OptionSet options, Environment env) throws Exception { final boolean inEnrollmentMode = options.has(enrollmentTokenParam); + final boolean inReconfigureMode = options.has(reconfigure); - // skipping security auto configuration because node considered as restarting. + // skipping security auto-configuration because node considered as restarting. for (Path dataPath : env.dataFiles()) { if (Files.isDirectory(dataPath) && false == isDirEmpty(dataPath)) { final String msg = "Skipping security auto configuration because it appears that the node is not starting up for the " @@ -197,11 +203,11 @@ protected void execute(Terminal terminal, OptionSet options, Environment env) th notifyOfFailure(inEnrollmentMode, terminal, Terminal.Verbosity.NORMAL, ExitCodes.NOOP, msg); } - if (options.has(reconfigure)) { + if (inReconfigureMode) { if (false == inEnrollmentMode) { throw new UserException(ExitCodes.USAGE, "enrollment-token is a mandatory parameter when reconfiguring the node"); } - env = possibleReconfigureNode(env, terminal); + env = possiblyReconfigureNode(env, terminal); } // only perform auto-configuration if the existing configuration is not conflicting (eg Security already enabled) @@ -528,6 +534,7 @@ protected void execute(Terminal terminal, OptionSet options, Environment env) th tempGeneratedTlsCertsDir, TRANSPORT_AUTOGENERATED_KEYSTORE_NAME + ".p12", false, + inReconfigureMode ? ELASTICSEARCH_GROUP_OWNER : null, stream -> transportKeystore.store(stream, transportKeystorePassword.getChars()) ); nodeKeystore.setString("xpack.security.transport.ssl.keystore.secure_password", transportKeystorePassword.getChars()); 
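Review bot: The expression `inReconfigureMode ? ELASTICSEARCH_GROUP_OWNER : null` is passed for the transport keystore here and repeated for the HTTP keystore in the next hunk of `execute`, which ties the group change to the `reconfigure` flag rather than to how the node was installed. A single local such as `final String keystoreGroupOwner = inReconfigureMode ? ELASTICSEARCH_GROUP_OWNER : null;`, with a comment explaining why reconfiguration implies the package-created `elasticsearch` group, would remove the duplication and record that assumption. Only the two `.p12` keystores receive the group in the visible hunks; whether the other files written under `tempGeneratedTlsCertsDir`, and the directory itself, are already readable by the service account is not visible here and is worth confirming. `execute` starts and ends outside these hunks.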
@@ -555,6 +562,7 @@ protected void execute(Terminal terminal, OptionSet options, Environment env) th tempGeneratedTlsCertsDir, HTTP_AUTOGENERATED_KEYSTORE_NAME + ".p12", false, + inReconfigureMode ? ELASTICSEARCH_GROUP_OWNER : null, stream -> httpKeystore.store(stream, httpKeystorePassword.getChars()) ); nodeKeystore.setString("xpack.security.http.ssl.keystore.secure_password", httpKeystorePassword.getChars()); @@ -838,7 +846,7 @@ protected String hostSettingValue(InetAddress[] allAddresses) { } } - private Environment possibleReconfigureNode(Environment env, Terminal terminal) throws UserException { + private Environment possiblyReconfigureNode(Environment env, Terminal terminal) throws UserException { // We remove the existing auto-configuration stanza from elasticsearch.yml, the elastisearch.keystore and // the directory with the auto-configured TLS key material, and then proceed as if elasticsearch is started // with --enrolment-token token, in the first place. @@ -1044,8 +1052,13 @@ private boolean isInitialClusterNode(Settings settings) { || ClusterBootstrapService.INITIAL_MASTER_NODES_SETTING.get(settings).equals(List.of(NODE_NAME_SETTING.get(settings))); } - private static void fullyWriteFile(Path basePath, String fileName, boolean replace, CheckedConsumer writer) - throws Exception { + private static void fullyWriteFile( + Path basePath, + String fileName, + boolean replace, + @Nullable String groupOwner, + CheckedConsumer writer + ) throws Exception { Path filePath = basePath.resolve(fileName); if (false == replace && Files.exists(filePath)) { throw new UserException( 
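Review bot: The widened `fullyWriteFile` signature has no documentation for the new `@Nullable String groupOwner` parameter, whose meaning is not obvious at the call sites. A short Javadoc would help, for example `@param groupOwner name of the group to set on the written file, or {@code null} to leave the group unchanged`. It should add that the group is applied only when the file system exposes a `PosixFileAttributeView`, as the following hunk shows, so a non-null value is silently ignored elsewhere. The method body continues outside this hunk.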
@@ -1071,17 +1084,28 @@ private static void fullyWriteFile(Path basePath, String fileName, boolean repla PosixFileAttributeView view = Files.getFileAttributeView(tmpPath, PosixFileAttributeView.class); if (view != null) { view.setPermissions(permission); + if (null != groupOwner) { + UserPrincipalLookupService lookupService = PathUtils.getDefaultFileSystem().getUserPrincipalLookupService(); + GroupPrincipal groupPrincipal = lookupService.lookupPrincipalByGroupName(groupOwner); + view.setGroup(groupPrincipal); + } } if (replace) { Files.move(tmpPath, filePath, StandardCopyOption.REPLACE_EXISTING, StandardCopyOption.ATOMIC_MOVE); } else { Files.move(tmpPath, filePath, StandardCopyOption.ATOMIC_MOVE); } + } finally { Files.deleteIfExists(tmpPath); } } + private static void fullyWriteFile(Path basePath, String fileName, boolean replace, CheckedConsumer writer) + throws Exception { + fullyWriteFile(basePath, fileName, replace, null, writer); + } + private static boolean isDirEmpty(Path path) throws IOException { // Files.list MUST always be used in a try-with-resource construct in order to release the dir file handler try (Stream dirContentsStream = Files.list(path)) { From 2fd7f9c1ed6b0061e7a7d7f748b47fc3351d01f2 Mon Sep 17 00:00:00 2001 
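Review bot: `lookupPrincipalByGroupName(groupOwner)` in the new `if (null != groupOwner)` block throws when the group does not exist, and nothing in this hunk turns that into a user-facing error, so the tool would apparently fail with a raw `UserPrincipalNotFoundException` after the keystore has already been generated. Catching it and rethrowing, for example `throw new UserException(ExitCodes.CONFIG, "group [" + groupOwner + "] does not exist", e);`, would match how the rest of `fullyWriteFile` reports failures. It is also worth confirming that `permission`, defined outside the hunk, includes group read, because changing the group does not make the file readable if the mode is owner-only. The blank line added before `} finally {` looks accidental. `fullyWriteFile` begins outside this hunk.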
From: Ioannis Kakavas Date: Wed, 19 Jan 2022 17:44:31 +0200 Subject: [PATCH 02/15] move test files --- .../resources/{ => org/elasticsearch/packaging/test}/http.crt | 0 .../resources/{ => org/elasticsearch/packaging/test}/http.key | 0 .../resources/{ => org/elasticsearch/packaging/test}/http_ca.crt | 0 .../resources/{ => org/elasticsearch/packaging/test}/http_ca.key | 0 .../{ => org/elasticsearch/packaging/test}/transport.crt | 0 .../{ => org/elasticsearch/packaging/test}/transport.key | 0 .../{ => org/elasticsearch/packaging/test}/transport_ca.crt | 0 7 files changed, 0 insertions(+), 0 deletions(-) rename qa/os/src/test/resources/{ => org/elasticsearch/packaging/test}/http.crt (100%) rename qa/os/src/test/resources/{ => org/elasticsearch/packaging/test}/http.key (100%) rename qa/os/src/test/resources/{ => org/elasticsearch/packaging/test}/http_ca.crt (100%) rename qa/os/src/test/resources/{ => org/elasticsearch/packaging/test}/http_ca.key (100%) rename qa/os/src/test/resources/{ => org/elasticsearch/packaging/test}/transport.crt (100%) rename qa/os/src/test/resources/{ => org/elasticsearch/packaging/test}/transport.key (100%) rename qa/os/src/test/resources/{ => org/elasticsearch/packaging/test}/transport_ca.crt (100%) diff --git a/qa/os/src/test/resources/http.crt b/qa/os/src/test/resources/org/elasticsearch/packaging/test/http.crt similarity index 100% rename from qa/os/src/test/resources/http.crt rename to qa/os/src/test/resources/org/elasticsearch/packaging/test/http.crt diff --git a/qa/os/src/test/resources/http.key b/qa/os/src/test/resources/org/elasticsearch/packaging/test/http.key similarity index 100% rename from qa/os/src/test/resources/http.key rename to qa/os/src/test/resources/org/elasticsearch/packaging/test/http.key 
diff --git a/qa/os/src/test/resources/http_ca.crt b/qa/os/src/test/resources/org/elasticsearch/packaging/test/http_ca.crt similarity index 100% rename from qa/os/src/test/resources/http_ca.crt rename to qa/os/src/test/resources/org/elasticsearch/packaging/test/http_ca.crt diff --git a/qa/os/src/test/resources/http_ca.key b/qa/os/src/test/resources/org/elasticsearch/packaging/test/http_ca.key similarity index 100% rename from qa/os/src/test/resources/http_ca.key rename to qa/os/src/test/resources/org/elasticsearch/packaging/test/http_ca.key diff --git a/qa/os/src/test/resources/transport.crt b/qa/os/src/test/resources/org/elasticsearch/packaging/test/transport.crt similarity index 100% rename from qa/os/src/test/resources/transport.crt rename to qa/os/src/test/resources/org/elasticsearch/packaging/test/transport.crt diff --git a/qa/os/src/test/resources/transport.key b/qa/os/src/test/resources/org/elasticsearch/packaging/test/transport.key similarity index 100% rename from qa/os/src/test/resources/transport.key rename to qa/os/src/test/resources/org/elasticsearch/packaging/test/transport.key diff --git a/qa/os/src/test/resources/transport_ca.crt b/qa/os/src/test/resources/org/elasticsearch/packaging/test/transport_ca.crt similarity index 100% rename from qa/os/src/test/resources/transport_ca.crt rename to qa/os/src/test/resources/org/elasticsearch/packaging/test/transport_ca.crt From 6f61fd6cd0c9305a6463d2dfdff2d2ae0e43f64d Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Wed, 19 Jan 2022 19:02:42 +0200 Subject: [PATCH 03/15] add ca cert to chain --- .../org/elasticsearch/packaging/test/http.crt | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/qa/os/src/test/resources/org/elasticsearch/packaging/test/http.crt b/qa/os/src/test/resources/org/elasticsearch/packaging/test/http.crt index def8c5c6fd208..f9aa6f2cc1ec0 100644 --- a/qa/os/src/test/resources/org/elasticsearch/packaging/test/http.crt 
+++ b/qa/os/src/test/resources/org/elasticsearch/packaging/test/http.crt @@ -17,3 +17,23 @@ IyKmpiDA9NDNB/Y73ZyZTYAH6sokRqL03UFLEujY9bGAQdpY82mD9OOs8eA+LVZl 3vGfXpB+bhXz2t4QeJzX8Br8Aq1aXGpZqsLV+ZNpB4OxrfGhXw4s3X2sb4ZTBtMb cu7d7w31P79II10tF+OR+eT+PAInNnL86YlICceI68N3IblfXEdE -----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDSjCCAjKgAwIBAgIVALA5mjBbdcSBX/AX5ugQy+gbiBJwMA0GCSqGSIb3DQEB +CwUAMDQxMjAwBgNVBAMTKUVsYXN0aWMgQ2VydGlmaWNhdGUgVG9vbCBBdXRvZ2Vu +ZXJhdGVkIENBMB4XDTIyMDExOTA5MDIzM1oXDTI1MDExODA5MDIzM1owNDEyMDAG +A1UEAxMpRWxhc3RpYyBDZXJ0aWZpY2F0ZSBUb29sIEF1dG9nZW5lcmF0ZWQgQ0Ew +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCfQ7Br31QqYFaXjWYKG8Vh +FnPMnZGAT3L9xW7TdBQ1vlp3pnv77vMg0NZXLLx7FUp5HzZj/I2mUdADTxL/fWg5 +WCtPH6UzFFimk8H2v30OFGSGkdIB6tAXuesuZBihIhIb14OY4btBWoyUwOdMgRX8 +SAzFq+zpq3P49Aiv9tU7icXJyrD2wZCIS0L/nogjIFXXnmUQLFYfVlm7xFQnFTqw +sdTpKthkgQyV6hYaCInktP+X+osOrlnOqHWpRpqgqqj1OB/TqocACpgH1Wmgt0F+ +IR0acVWR1jV0EbSL15i0QTRFgw4/7AbXXf8SKtkhw+SP+epyjDsh9mA1gSiT5q1t +AgMBAAGjUzBRMB0GA1UdDgQWBBSouO0kAGN6VSErE0jElIB7IQyvpDAfBgNVHSME +GDAWgBSouO0kAGN6VSErE0jElIB7IQyvpDAPBgNVHRMBAf8EBTADAQH/MA0GCSqG +SIb3DQEBCwUAA4IBAQB1tuaFxErPbAlVojdRTFbosqoNRS4kcXhKO3Evk4h9yqkH +kplWPv+5/0PRFycYu9eZau0Gghzsd7ePcra8WLLwFPofuJad6wefWvbb0qGZmsi+ +yQW8/CGWTVVjJZPc1WMElP4eLvMhPrdS2Wioq2s4b9vYHBUHxLrDsx9dr4A4s4Yw +/dt0b15KrscNRXdM0rnvhAghh6grZ+P9lg4wyDEYr3e3ZUROPBWBT/yjveNOLj7n +7M28rgVkAvKzqtb3shLQL4UnsQJfB67sKpruIt+VjecUaTjvLyYaH4NvnlvqOIr3 +Eg+gjpSRGnatAzgwBHx5WYU4FTKfGdrmO81kngyA +-----END CERTIFICATE----- From bff91b8a32acce07af62d632221e37d8a4232988 Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Wed, 19 Jan 2022 19:12:28 +0200 Subject: [PATCH 04/15] fix-compilation --- .../packaging/test/PackagesSecurityAutoConfigurationTests.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/qa/os/src/test/java/org/elasticsearch/packaging/test/PackagesSecurityAutoConfigurationTests.java b/qa/os/src/test/java/org/elasticsearch/packaging/test/PackagesSecurityAutoConfigurationTests.java index 2f569dcc3b89d..96b2c6920e309 100644 --- a/qa/os/src/test/java/org/elasticsearch/packaging/test/PackagesSecurityAutoConfigurationTests.java +++ b/qa/os/src/test/java/org/elasticsearch/packaging/test/PackagesSecurityAutoConfigurationTests.java @@ -305,7 +305,7 @@ public void test73ReconfigureCreatesFilesWithCorrectPermissions() throws Excepti "y", true ); - assertThat(result.exitCode, CoreMatchers.equalTo(0)); + assertThat(result.exitCode(), CoreMatchers.equalTo(0)); verifySecurityAutoConfigured(installation); } } From 4b1876bc16b1e689ca7ffddc716807fb7e84c3df Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Wed, 19 Jan 2022 19:46:57 +0200 Subject: [PATCH 05/15] proper cert with SANs --- .../org/elasticsearch/packaging/test/http.crt | 33 ++++++------ .../org/elasticsearch/packaging/test/http.key | 50 +++++++++---------- 2 files changed, 42 insertions(+), 41 deletions(-) diff --git a/qa/os/src/test/resources/org/elasticsearch/packaging/test/http.crt b/qa/os/src/test/resources/org/elasticsearch/packaging/test/http.crt index f9aa6f2cc1ec0..e1025dd2d2aaa 100644 --- a/qa/os/src/test/resources/org/elasticsearch/packaging/test/http.crt +++ b/qa/os/src/test/resources/org/elasticsearch/packaging/test/http.crt 
@@ -1,21 +1,22 @@ -----BEGIN CERTIFICATE----- -MIIDIzCCAgugAwIBAgIVAIgui13Jr2lyTayGd7yA5JmHtziFMA0GCSqGSIb3DQEB +MIIDPzCCAiegAwIBAgIVAPIVDR5rVSUV+dljxvdiQHFVkwipMA0GCSqGSIb3DQEB CwUAMDQxMjAwBgNVBAMTKUVsYXN0aWMgQ2VydGlmaWNhdGUgVG9vbCBBdXRvZ2Vu -ZXJhdGVkIENBMB4XDTIyMDExOTA5MDUyMFoXDTI1MDExODA5MDUyMFowEzERMA8G -A1UEAxMIaW5zdGFuY2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDM -woA+gu7F0APykdZB4WJ7dJC6hhIpOtSvP0ujjlBDj1Ez3vhE4oKLPSVUFJCZ1ACZ -x2hCHxGaCsEd8RcpO9ScXqA9k6HHEtiBxX7wAzDJMmoyybVupHRrnCnBZuRhe2pR -lApTBLp89IIbIU0Kmyxc0LaE/KhuN3aWJEk9UZqOtkc0iN0dIHboiFPspfLjlrR9 -WrJ4mB0jgEU7B5wUwvOT3CUWt6zhi/GWarHd3Y1UoyZdTdydlmyN6AJVvT26odGj -zdPyiDtdRs9YFrMs4FX/LSjZOH2F1+ed1VY97vPo8QccYV5tmVU0AF+mVcd9rDEc -v98rVUWlwIdSd11fGBSvAgMBAAGjTTBLMB0GA1UdDgQWBBQgkr81OCwcUXnPEP6l -v7+9P63SuzAfBgNVHSMEGDAWgBSouO0kAGN6VSErE0jElIB7IQyvpDAJBgNVHRME -AjAAMA0GCSqGSIb3DQEBCwUAA4IBAQAOy+szJ82fixSPv4ONbTrJyYRFO6f9SgZW -t/Ijerhi7881noSZXFUqoG7nwGuNSDkOH/Cw+2K6N+Uarh9ujtqyxqaLoQ+qDmFn -IyKmpiDA9NDNB/Y73ZyZTYAH6sokRqL03UFLEujY9bGAQdpY82mD9OOs8eA+LVZl -69fuNMHkTtJsES3Ko77IblpGeyM5RisIiB3ALF5djtYt7vLhEGjASQKxP88A0MMf -3vGfXpB+bhXz2t4QeJzX8Br8Aq1aXGpZqsLV+ZNpB4OxrfGhXw4s3X2sb4ZTBtMb -cu7d7w31P79II10tF+OR+eT+PAInNnL86YlICceI68N3IblfXEdE +ZXJhdGVkIENBMB4XDTIyMDExOTE3NDQyMloXDTI1MDExODE3NDQyMlowEzERMA8G +A1UEAxMIaW5zdGFuY2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCe +79lY0Q4PQm24IBR6OAtjLSdFLFtwC8/i1Z5ujgPkkNW5QrlveGRU52V5Vp9CC8lc +ngiKwRcW5vmG9pvlKaWFImxE6Ap/2OH7sVCgHBhysmDI+naAAnFch2qB7dUr6vn7 +hN6KhdhuCBVxDGK9kBk+6Lo4eSk2lIN5tSf92pHZlcR9rkf5giDoQ3qDZHNvPSlX +kdHdag0VtoxSvHUi1AGcoW4Hq1YqayeO8s+Acm2MnnNgweK4O9YElEVqsqldQlZ/ +jRgygLAHwgmG+kVahwI//ok0c208MBq3ZZBthAuxjT5a9fqW+9OASgexGR+qmp3+ +zT94bgRGg28EEQ7lzLMpAgMBAAGjaTBnMB0GA1UdDgQWBBS4WdAtqOnzKXm60Q3O +2sEYTRwEbDAfBgNVHSMEGDAWgBSouO0kAGN6VSErE0jElIB7IQyvpDAaBgNVHREE +EzARgglsb2NhbGhvc3SHBH8AAAEwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOC +AQEAk3Fad2CkccpvjQBfs6+8rN+sVNUTiFyOJ4EFF+OlsCVSAVYgcX5wi3ddUPHL 
+2TKOvKmiAF/aWQ8X4wQWBPq0xBN56qwNbxGv2Fc/9dMQo+YtEt2+3yCi83tpAyjP +hAId4aHFRCjzcfb0Zwq7qmfrtorxfY59dAXWHCNhTcxETFCKxaBg7ZSWLFXSef/q +fL64iyxzb2gctCPHgAp/jANpO1vGLPBO0M1mCBp/I95jgyscZdX9TgqwXuZgsI+d +nGUsd8cUCxnA6RLiek+z7Y8gN/RITmGYuCGMfWqKFrUQ4wQZRkZJEE7nyJis/uCK +VdJyfewvRvjnLvqfgF16cBJwQw== -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIDSjCCAjKgAwIBAgIVALA5mjBbdcSBX/AX5ugQy+gbiBJwMA0GCSqGSIb3DQEB diff --git a/qa/os/src/test/resources/org/elasticsearch/packaging/test/http.key b/qa/os/src/test/resources/org/elasticsearch/packaging/test/http.key index cdb3d808989c9..0d6538a93ea19 100644 --- a/qa/os/src/test/resources/org/elasticsearch/packaging/test/http.key +++ b/qa/os/src/test/resources/org/elasticsearch/packaging/test/http.key 
@@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEAzMKAPoLuxdAD8pHWQeFie3SQuoYSKTrUrz9Lo45QQ49RM974 -ROKCiz0lVBSQmdQAmcdoQh8RmgrBHfEXKTvUnF6gPZOhxxLYgcV+8AMwyTJqMsm1 -bqR0a5wpwWbkYXtqUZQKUwS6fPSCGyFNCpssXNC2hPyobjd2liRJPVGajrZHNIjd -HSB26IhT7KXy45a0fVqyeJgdI4BFOwecFMLzk9wlFres4Yvxlmqx3d2NVKMmXU3c -nZZsjegCVb09uqHRo83T8og7XUbPWBazLOBV/y0o2Th9hdfnndVWPe7z6PEHHGFe -bZlVNABfplXHfawxHL/fK1VFpcCHUnddXxgUrwIDAQABAoIBAFZZUcbK5ZHDEt8Z -NE9NEoB4nE4kmwULG8UZvranHd8X0ck7ptw5346DhznpgD924Zf4OVXlD0G0dlM/ -qCJJ6nPVDeNZ3lf68RXs6Qajec/nNFTdrmcN8FCvJwa58ubPKntjoGT5MgHfBP0W -8ovd+3vawpXbjNYKCrbvb3lt7+1tXAtamvrHHM3kDaTLcvyWX34W2vE2Dim/O44M -DXMwQowYOZTS7BCSZg0pfxYFTWN9ViO2y/7+cVj7dZrC4l+78qeRvzG+rBDMPnw7 -7CXUoz8od0FqhoKNQ9MmpX/FkuwYISQK1jCF+h31w8msCPeJ5/c5FCA7801Ob2Cc -wpAmCvkCgYEA/U/KKr4HW8Bv4Z3b5qZncyHCss6W1MUQ5mhVtCji1mgJCtl7jfHa -YOIJoYZUg7i3SnBWUpKV7zqOUHM4wj0fsc5WRCgO4G/9Vb9IHP3kvtWiIum8/4BR -lAK7rWMkSFUWso/lk/fxnNiSuiec2lB4SpDfILClfYCXjt4yj7ntwWcCgYEAzu7N -irpV5/wAWV1RKnx7qve6gJLTLtoNaerQcNKwIW3EuGx/hcDQpmXAas1TkamkXPcF -tGdR5/y2eFQaN/MbBEujSMAIEFygmkkS58W4+fvuYZPuXrLjkRyJ3hMfYZNe5s5x -qhxSyddZ+YN8Lg1o0GvKjnVGx1UQnyH9qd5ZHXkCgYBhB/9ZABGxg7VXpzBk2bkm -0PfTpm8AcbxXhf/OUxsRJijQjx5U8R/FnNAzn1EgY9FSIlXuq1fjm3qINpq3TNKn -OXKyCOYp8rwH7I2jDV5h+1NwLDjJZk3ZdHKPqDptuqpHG/fFBmT2v770r9fViJ2L -cpMF4qSBvpBPma2kgIQiYQKBgQC7Dz442OaNVc1O+z9DA9KbI2OxlIhZAv47L+wL -ATn8jgjVmibQ1xMGSFbfdQrFUy/kZdz/TqLI7jZYodYtm5JhmKpbOlRPzhvUPJhd -cewb9rRv+tTxQA7c/4pVeL3Wa+zPAfHYD9B66zRHjKd1zeNg/P/XNYas7GWhJI30 -v62ZKQKBgQDBQba7t3oWDucf7tjYJHaliiKPDdb6djH1Jw12IOEtgtx4jYZf7Gzm -P0LdvBkHmtK9821EhSqt0biVBoARqoxklNGjk8wIz1fB6hYvZC11+hOUTKhKxSsG -idYmq4sYqioPrdXHYtYxA3S+BPZ2mMoYVDDdDVz5AzjWUNfJ9PTApQ== +MIIEpAIBAAKCAQEAnu/ZWNEOD0JtuCAUejgLYy0nRSxbcAvP4tWebo4D5JDVuUK5 +b3hkVOdleVafQgvJXJ4IisEXFub5hvab5SmlhSJsROgKf9jh+7FQoBwYcrJgyPp2 +gAJxXIdqge3VK+r5+4TeioXYbggVcQxivZAZPui6OHkpNpSDebUn/dqR2ZXEfa5H ++YIg6EN6g2Rzbz0pV5HR3WoNFbaMUrx1ItQBnKFuB6tWKmsnjvLPgHJtjJ5zYMHi 
+uDvWBJRFarKpXUJWf40YMoCwB8IJhvpFWocCP/6JNHNtPDAat2WQbYQLsY0+WvX6 +lvvTgEoHsRkfqpqd/s0/eG4ERoNvBBEO5cyzKQIDAQABAoIBAAtsdORP3mFVZnp5 +/87LEXJ27+AmcIoMp0wIC6OpnHkEuf/fXmG3NwrtONtwUPEX1MjN6RJED6tLPbso +JYtio21+zGZlgT+wMIn9NCzV6CHyVUeMzRClXE2IxCyDkjNeZ8pewfoV5bj+5r+h +4sT6Qv5FDwF5H++22/5W+YFjAOGxJ4IUYR3AfcC4fVGU/Kz/avH4rMoJxqEUcT9r +3VWD+2nM3lvrXSI8j1fOkE5C4EIBPygOQRyYoXsc6rn6LnfSDqae5JaeHN1WHJ1l +WAaG+9WkREAught4kVNYTTGRzggnj5TPGr1ZF2pBh84zlnHii1E2n5hHJwCffkVL +LPjGV/sCgYEA2bNhN5U804cu1muUimJq2VAfu1tuDq9UsybY6rpQw7pEHsJUvAW9 +h7jwJAPhr9/3rj/el5UDcB6/1hAcBCTw6smUKG4mEUtkxHWjp/AC608n1aPlSKmg +wK2aPwQRY3wEjRYbOr2hHHDvk3BCa4gmxO4rj2EUJkZroZcJ3dD8IPMCgYEAuuXq +TjQx+1TW5qnvCXf881/AocJvm3FGW7g0sYtb3xaafs78fhFY8qrkM9MhOHM07qIF +OVHrCAcfajlOXgaW546mdEN8ska0f7UWTMXKa/WWqONreyzQQLC2jjSmcaWzUIn5 +Lk+tHhUXAa2Jr7vmpO649WpvBR1wvx372JSYAnMCgYAKhtr/lg7P56yDH8aZ/nJO +OcqfA6fJu/6rfwhkKUg4fqxGlH0GbnygsHekNi/Wkkzmtx3rVIBLDqGWF0dTh/nC +UKcCYXkjwvKHcWzNdRSfDj/N29P9dH5acsqPm4G/vsJ1lAkTCRJeTrO2/Gmpy3ac +dSvUDgysYSFZOfV3LWDTswKBgQCu5F1IhyFKbk6XFOgBdU24NJ8e/8LOs8ZCJ/Lv +PVhgP1edWHYARp10n6PiNyy8FVqv/99hjx2fqoKkNTH3XLUzxFJRM6Hpda6MXtma +R/Au7Gbqbb3zSrEqB/McyXoDmSpeMG6D/r0iDFw2Dr1sPCoNpvJffRSctbr+rMEy +H4LLrwKBgQCfQprKJdLv1qs1gSph2KEe7pGIFBunUYipM/e9VAQ6dCe0q1UON+zj +uCM7EoOEbdKzP8vhCMeTTNDy6tSimX7vk5nqT1sD3kCmD6emMAQeajbxvdAHcMgF +Gm1tt5IQ2TNLwRQb/p9aGUR6ifKKlrs3uFwhyX1J+fpZrpDU5Lpe/A== -----END RSA PRIVATE KEY----- From 1fc5b07a0b9b7c74732903efa8b7d47ac3edceae Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Wed, 19 Jan 2022 20:53:27 +0200 Subject: [PATCH 06/15] format key accordingly --- .../org/elasticsearch/packaging/test/http.key | 55 ++++++++++--------- 1 file changed, 28 insertions(+), 27 deletions(-) diff --git a/qa/os/src/test/resources/org/elasticsearch/packaging/test/http.key b/qa/os/src/test/resources/org/elasticsearch/packaging/test/http.key index 0d6538a93ea19..98b90407b6dae 100644 --- a/qa/os/src/test/resources/org/elasticsearch/packaging/test/http.key 
+++ b/qa/os/src/test/resources/org/elasticsearch/packaging/test/http.key 
@@ -1,27 +1,28 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEAnu/ZWNEOD0JtuCAUejgLYy0nRSxbcAvP4tWebo4D5JDVuUK5 -b3hkVOdleVafQgvJXJ4IisEXFub5hvab5SmlhSJsROgKf9jh+7FQoBwYcrJgyPp2 -gAJxXIdqge3VK+r5+4TeioXYbggVcQxivZAZPui6OHkpNpSDebUn/dqR2ZXEfa5H -+YIg6EN6g2Rzbz0pV5HR3WoNFbaMUrx1ItQBnKFuB6tWKmsnjvLPgHJtjJ5zYMHi -uDvWBJRFarKpXUJWf40YMoCwB8IJhvpFWocCP/6JNHNtPDAat2WQbYQLsY0+WvX6 -lvvTgEoHsRkfqpqd/s0/eG4ERoNvBBEO5cyzKQIDAQABAoIBAAtsdORP3mFVZnp5 -/87LEXJ27+AmcIoMp0wIC6OpnHkEuf/fXmG3NwrtONtwUPEX1MjN6RJED6tLPbso -JYtio21+zGZlgT+wMIn9NCzV6CHyVUeMzRClXE2IxCyDkjNeZ8pewfoV5bj+5r+h -4sT6Qv5FDwF5H++22/5W+YFjAOGxJ4IUYR3AfcC4fVGU/Kz/avH4rMoJxqEUcT9r -3VWD+2nM3lvrXSI8j1fOkE5C4EIBPygOQRyYoXsc6rn6LnfSDqae5JaeHN1WHJ1l -WAaG+9WkREAught4kVNYTTGRzggnj5TPGr1ZF2pBh84zlnHii1E2n5hHJwCffkVL -LPjGV/sCgYEA2bNhN5U804cu1muUimJq2VAfu1tuDq9UsybY6rpQw7pEHsJUvAW9 -h7jwJAPhr9/3rj/el5UDcB6/1hAcBCTw6smUKG4mEUtkxHWjp/AC608n1aPlSKmg -wK2aPwQRY3wEjRYbOr2hHHDvk3BCa4gmxO4rj2EUJkZroZcJ3dD8IPMCgYEAuuXq -TjQx+1TW5qnvCXf881/AocJvm3FGW7g0sYtb3xaafs78fhFY8qrkM9MhOHM07qIF -OVHrCAcfajlOXgaW546mdEN8ska0f7UWTMXKa/WWqONreyzQQLC2jjSmcaWzUIn5 -Lk+tHhUXAa2Jr7vmpO649WpvBR1wvx372JSYAnMCgYAKhtr/lg7P56yDH8aZ/nJO -OcqfA6fJu/6rfwhkKUg4fqxGlH0GbnygsHekNi/Wkkzmtx3rVIBLDqGWF0dTh/nC -UKcCYXkjwvKHcWzNdRSfDj/N29P9dH5acsqPm4G/vsJ1lAkTCRJeTrO2/Gmpy3ac -dSvUDgysYSFZOfV3LWDTswKBgQCu5F1IhyFKbk6XFOgBdU24NJ8e/8LOs8ZCJ/Lv -PVhgP1edWHYARp10n6PiNyy8FVqv/99hjx2fqoKkNTH3XLUzxFJRM6Hpda6MXtma -R/Au7Gbqbb3zSrEqB/McyXoDmSpeMG6D/r0iDFw2Dr1sPCoNpvJffRSctbr+rMEy -H4LLrwKBgQCfQprKJdLv1qs1gSph2KEe7pGIFBunUYipM/e9VAQ6dCe0q1UON+zj -uCM7EoOEbdKzP8vhCMeTTNDy6tSimX7vk5nqT1sD3kCmD6emMAQeajbxvdAHcMgF -Gm1tt5IQ2TNLwRQb/p9aGUR6ifKKlrs3uFwhyX1J+fpZrpDU5Lpe/A== ------END RSA PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCe79lY0Q4PQm24 +IBR6OAtjLSdFLFtwC8/i1Z5ujgPkkNW5QrlveGRU52V5Vp9CC8lcngiKwRcW5vmG +9pvlKaWFImxE6Ap/2OH7sVCgHBhysmDI+naAAnFch2qB7dUr6vn7hN6KhdhuCBVx 
+DGK9kBk+6Lo4eSk2lIN5tSf92pHZlcR9rkf5giDoQ3qDZHNvPSlXkdHdag0VtoxS +vHUi1AGcoW4Hq1YqayeO8s+Acm2MnnNgweK4O9YElEVqsqldQlZ/jRgygLAHwgmG ++kVahwI//ok0c208MBq3ZZBthAuxjT5a9fqW+9OASgexGR+qmp3+zT94bgRGg28E +EQ7lzLMpAgMBAAECggEAC2x05E/eYVVmenn/zssRcnbv4CZwigynTAgLo6mceQS5 +/99eYbc3Cu0423BQ8RfUyM3pEkQPq0s9uygli2KjbX7MZmWBP7Awif00LNXoIfJV +R4zNEKVcTYjELIOSM15nyl7B+hXluP7mv6HixPpC/kUPAXkf77bb/lb5gWMA4bEn +ghRhHcB9wLh9UZT8rP9q8fisygnGoRRxP2vdVYP7aczeW+tdIjyPV86QTkLgQgE/ +KA5BHJihexzqufoud9IOpp7klp4c3VYcnWVYBob71aREQC6CG3iRU1hNMZHOCCeP +lM8avVkXakGHzjOWceKLUTafmEcnAJ9+RUss+MZX+wKBgQDZs2E3lTzThy7Wa5SK +YmrZUB+7W24Or1SzJtjqulDDukQewlS8Bb2HuPAkA+Gv3/euP96XlQNwHr/WEBwE +JPDqyZQobiYRS2TEdaOn8ALrTyfVo+VIqaDArZo/BBFjfASNFhs6vaEccO+TcEJr +iCbE7iuPYRQmRmuhlwnd0Pwg8wKBgQC65epONDH7VNbmqe8Jd/zzX8Chwm+bcUZb +uDSxi1vfFpp+zvx+EVjyquQz0yE4czTuogU5UesIBx9qOU5eBpbnjqZ0Q3yyRrR/ +tRZMxcpr9Zao42t7LNBAsLaONKZxpbNQifkuT60eFRcBrYmvu+ak7rj1am8FHXC/ +HfvYlJgCcwKBgAqG2v+WDs/nrIMfxpn+ck45yp8Dp8m7/qt/CGQpSDh+rEaUfQZu +fKCwd6Q2L9aSTOa3HetUgEsOoZYXR1OH+cJQpwJheSPC8odxbM11FJ8OP83b0/10 +flpyyo+bgb++wnWUCRMJEl5Os7b8aanLdpx1K9QODKxhIVk59XctYNOzAoGBAK7k +XUiHIUpuTpcU6AF1Tbg0nx7/ws6zxkIn8u89WGA/V51YdgBGnXSfo+I3LLwVWq// +32GPHZ+qgqQ1MfdctTPEUlEzoel1roxe2ZpH8C7sZuptvfNKsSoH8xzJegOZKl4w +boP+vSIMXDYOvWw8Kg2m8l99FJy1uv6swTIfgsuvAoGBAJ9Cmsol0u/WqzWBKmHY +oR7ukYgUG6dRiKkz971UBDp0J7SrVQ437OO4IzsSg4Rt0rM/y+EIx5NM0PLq1KKZ +fu+TmepPWwPeQKYPp6YwBB5qNvG90AdwyAUabW23khDZM0vBFBv+n1oZRHqJ8oqW +uze4XCHJfUn5+lmukNTkul78 +-----END PRIVATE KEY----- From 8a2f9b9ff29d6a928eea3d162265e6e9b344a23b Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Thu, 20 Jan 2022 10:50:50 +0200 Subject: [PATCH 07/15] pkcs8 ALL THE KEYS --- .../packaging/test/transport.key | 55 ++++++++++--------- 1 file changed, 28 insertions(+), 27 deletions(-) diff --git a/qa/os/src/test/resources/org/elasticsearch/packaging/test/transport.key b/qa/os/src/test/resources/org/elasticsearch/packaging/test/transport.key index d96de95f6a463..df4f08fde07c4 100644 
--- a/qa/os/src/test/resources/org/elasticsearch/packaging/test/transport.key +++ b/qa/os/src/test/resources/org/elasticsearch/packaging/test/transport.key 
@@ -1,27 +1,28 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEArxl0RFoocjz70E6ZajpwPbRtKQ1NbAkj0GGpPgLGP/MGYrTq -Y7Coep/DkNkxEVQ64JQF4OVffm+v7Z4RxaddYDTORg8UHA3Zle1p7UKPKj4k3fii -ewXYHCkFsDPUHAAGz5lb22yuWRG8nUyx/GvYMk6Mkrm9lUXz0MLNLuqoAuVKUkx+ -88aP7AGN/cyhLUAUgi5QYE4q1tUQ5VVyG9nlUDfBKyBpP3j9PkhIWNWdJHnvY8kk -nu97YrlnxysKWxwNAcSbHEdGe6qBVsE57craW0y862kJM5JI/a7UfUQBb0gfUpJg -HnUTo5voT9Hepju6SuuKlnTpNUrrALevBpVFAwIDAQABAoIBAEFLla7TjBelpCW2 -2cDiT+7CtJ5FZqSt99wCPzFvqWw5fR0b5/gK7ZjksPH3/DNBHL+Yk2SdRHIKxiku -8+OoGMsChhVcFByuEYC2SvT+CBMxn1/jEvwbXs6JgaSGf0d9vwx1XOrDaXSvh42F -By5hLPr9jbA9cXQT5OrpachgGw0Qw8vsaH6s+0ZUIQGl7W3YM96B9Vms+bgSHMu2 -ue+nul9xmUo6vLAoEYCAGJzEl8TCQlVuaZeEvrJN13gytBtdLq+wW/+AXJVkAqm4 -JHUPbIBp+fyWBXADg/4Pla4ikqzPUA3VDGYBbiVcgnnsTFuFtzCF4+wOA09E324c -APXJLWkCgYEAxTk6uTLh81w0b09LompZs6bb4ZWRcNXrHoVx4fO9MSuit6BzTYrE -+L+lAl/2kll61mqTjce3FlJfg2ymWfEI+EnQNLSENaq2Z/GmGQGG7eXVYDYRx57Y -P9MEH/3Uef7M4BaeEOO0g6QE2jTzndOEGhrBKQEOZSNvuYO2QF5iW4cCgYEA40hP -Tx9fgWg45Oysj2STazrl9Fz/P+KEWb6JPYaBpB0/+4nRJK8iDRlmianVtAjqDVwg -w7ogpUPXRTdPUMQQEEdLgOCT2owrBPX/wWNjkstF367Af7VLTcsQvCBnPBv1UyVR -EFDTL4EbeNdehyIzhxu9BFMgG/SGLk3XotM1QaUCgYEAmfhf3A3ZUIB/fxbM2XNl -rFdr+eUmsoyPDjjn+5qp7SU/11OwMK1RsVEMpZn9iavJtnNl1p5AVXDhmFzOUhFX -C1+06DC1tqAb33JMVeFXUYrI1l/f6ZQdB1baNY+YvdUqZRfDNzRNzSfTkfcc6e4j -h62zdyuX7WWI56/oLMCC0SkCgYEA38sspJkcvlx0YR2WUF9VNSm6keIcR7hwX7nY -gud1sbZHcRPkBr4XxlQzfevoDC0W4W7MqE0WpgRl7Laod7uGobDB7LW1gGWyWmEr -oy2NN1bGh5kX3OgTrRb9dHBnlm1lI6jD6E/dkpILDfLrFh6cJDYw6Rg8rqoYkXF+ -mcpkTy0CgYAuvj+Yox2eHsGhBqYM1nxYdfDGBnxUA4hRoozNX/0ZqLgdYptqV7Dh -a8znyhDVX4s4WMPckCn/vwYNLV2NEDVgqvVlUa8exmSn1GC3wCPSP7wr4kTXRzWm -51m2BNxWxtOAv5SXh7dFZYw2utVXujsartEFDnfic0X7hyEs7WTVsg== ------END RSA PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCvGXREWihyPPvQ +TplqOnA9tG0pDU1sCSPQYak+AsY/8wZitOpjsKh6n8OQ2TERVDrglAXg5V9+b6/t +nhHFp11gNM5GDxQcDdmV7WntQo8qPiTd+KJ7BdgcKQWwM9QcAAbPmVvbbK5ZEbyd 
+TLH8a9gyToySub2VRfPQws0u6qgC5UpSTH7zxo/sAY39zKEtQBSCLlBgTirW1RDl +VXIb2eVQN8ErIGk/eP0+SEhY1Z0kee9jySSe73tiuWfHKwpbHA0BxJscR0Z7qoFW +wTntytpbTLzraQkzkkj9rtR9RAFvSB9SkmAedROjm+hP0d6mO7pK64qWdOk1SusA +t68GlUUDAgMBAAECggEAQUuVrtOMF6WkJbbZwOJP7sK0nkVmpK333AI/MW+pbDl9 +HRvn+ArtmOSw8ff8M0Ecv5iTZJ1EcgrGKS7z46gYywKGFVwUHK4RgLZK9P4IEzGf +X+MS/BtezomBpIZ/R32/DHVc6sNpdK+HjYUHLmEs+v2NsD1xdBPk6ulpyGAbDRDD +y+xofqz7RlQhAaXtbdgz3oH1Waz5uBIcy7a576e6X3GZSjq8sCgRgIAYnMSXxMJC +VW5pl4S+sk3XeDK0G10ur7Bb/4BclWQCqbgkdQ9sgGn5/JYFcAOD/g+VriKSrM9Q +DdUMZgFuJVyCeexMW4W3MIXj7A4DT0TfbhwA9cktaQKBgQDFOTq5MuHzXDRvT0ui +almzptvhlZFw1esehXHh870xK6K3oHNNisT4v6UCX/aSWXrWapONx7cWUl+DbKZZ +8Qj4SdA0tIQ1qrZn8aYZAYbt5dVgNhHHntg/0wQf/dR5/szgFp4Q47SDpATaNPOd +04QaGsEpAQ5lI2+5g7ZAXmJbhwKBgQDjSE9PH1+BaDjk7KyPZJNrOuX0XP8/4oRZ +vok9hoGkHT/7idEkryINGWaJqdW0COoNXCDDuiClQ9dFN09QxBAQR0uA4JPajCsE +9f/BY2OSy0XfrsB/tUtNyxC8IGc8G/VTJVEQUNMvgRt4116HIjOHG70EUyAb9IYu +Tdei0zVBpQKBgQCZ+F/cDdlQgH9/FszZc2WsV2v55SayjI8OOOf7mqntJT/XU7Aw +rVGxUQylmf2Jq8m2c2XWnkBVcOGYXM5SEVcLX7ToMLW2oBvfckxV4VdRisjWX9/p +lB0HVto1j5i91SplF8M3NE3NJ9OR9xzp7iOHrbN3K5ftZYjnr+gswILRKQKBgQDf +yyykmRy+XHRhHZZQX1U1KbqR4hxHuHBfudiC53WxtkdxE+QGvhfGVDN96+gMLRbh +bsyoTRamBGXstqh3u4ahsMHstbWAZbJaYSujLY03VsaHmRfc6BOtFv10cGeWbWUj +qMPoT92SkgsN8usWHpwkNjDpGDyuqhiRcX6ZymRPLQKBgC6+P5ijHZ4ewaEGpgzW +fFh18MYGfFQDiFGijM1f/RmouB1im2pXsOFrzOfKENVfizhYw9yQKf+/Bg0tXY0Q +NWCq9WVRrx7GZKfUYLfAI9I/vCviRNdHNabnWbYE3FbG04C/lJeHt0VljDa61Ve6 +Oxqu0QUOd+JzRfuHISztZNWy +-----END PRIVATE KEY----- From d3ef4e5af25f905a8f2993aa2c2879297e58f1ea Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Thu, 20 Jan 2022 11:57:44 +0200 Subject: [PATCH 08/15] all keys; --- .../common/ssl/PemUtilsTests.java | 16 ++++++ .../elasticsearch/packaging/test/http_ca.key | 55 ++++++++++--------- 2 files changed, 44 insertions(+), 27 deletions(-) 
diff --git a/libs/ssl-config/src/test/java/org/elasticsearch/common/ssl/PemUtilsTests.java b/libs/ssl-config/src/test/java/org/elasticsearch/common/ssl/PemUtilsTests.java
index 85d468def0d5a..ee6b369bb018d 100644
--- a/libs/ssl-config/src/test/java/org/elasticsearch/common/ssl/PemUtilsTests.java
+++ b/libs/ssl-config/src/test/java/org/elasticsearch/common/ssl/PemUtilsTests.java
@@ -14,6 +14,7 @@
 import java.io.InputStream;
 import java.nio.file.Files;
 import java.nio.file.Path;
+import java.nio.file.Paths;
 import java.security.AlgorithmParameters;
 import java.security.GeneralSecurityException;
 import java.security.Key;
@@ -23,6 +24,7 @@
 import java.security.spec.ECGenParameterSpec;
 import java.security.spec.ECParameterSpec;
 import java.util.function.Supplier;
+import java.util.stream.Collectors;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.instanceOf;
@@ -247,6 +249,20 @@ public void testReadEmptyFile() {
 assertThat(e.getMessage(), containsString(path.toAbsolutePath().toString()));
 }
+ public void testParsePKCS8PemString() throws Exception{
+ Key key = getKeyFromKeystore("EC");
+ assertThat(key, notNullValue());
+ assertThat(key, instanceOf(PrivateKey.class));
+ final Path path = getDataPath("/certs/pem-utils/ec_key_pkcs8_plain.pem");
+ final String transportKeyPemString = Files.readAllLines(path)
+ .stream()
+ .filter(l -> l.contains("-----") == false)
+ .collect(Collectors.joining());
+ final PrivateKey privateKey = PemUtils.parsePKCS8PemString(transportKeyPemString);
+ assertThat(privateKey, notNullValue());
+ assertThat(privateKey, equalTo(key));
+ }
+
 private Key getKeyFromKeystore(String algo) throws Exception {
 Path keystorePath = getDataPath("/certs/pem-utils/testnode.jks");
 try (InputStream in = Files.newInputStream(keystorePath)) {
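Review bot: `testParsePKCS8PemString` in the third hunk covers only the happy path with one unencrypted EC key, so nothing pins how `PemUtils.parsePKCS8PemString` behaves when the string is not a valid PKCS#8 body. The packaging test in this series builds the same header-stripped strings for an enrollment response, so this parser presumably sees data received from another node, and a rejection case belongs next to the positive one, for example `expectThrows(<declared exception type>.class, () -> PemUtils.parsePKCS8PemString("not a key"))`, with the placeholder replaced by the type the method actually throws, which is not visible in this hunk. An RSA fixture alongside the EC one would also show that the algorithm is taken from the key and not assumed.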
diff --git a/qa/os/src/test/resources/org/elasticsearch/packaging/test/http_ca.key b/qa/os/src/test/resources/org/elasticsearch/packaging/test/http_ca.key
index 00ed9c5de672f..9d09abebe9633 100644
--- a/qa/os/src/test/resources/org/elasticsearch/packaging/test/http_ca.key
+++ b/qa/os/src/test/resources/org/elasticsearch/packaging/test/http_ca.key
@@ -1,27 +1,28 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEAn0Owa99UKmBWl41mChvFYRZzzJ2RgE9y/cVu03QUNb5ad6Z7 -++7zINDWVyy8exVKeR82Y/yNplHQA08S/31oOVgrTx+lMxRYppPB9r99DhRkhpHS -AerQF7nrLmQYoSISG9eDmOG7QVqMlMDnTIEV/EgMxavs6atz+PQIr/bVO4nFycqw -9sGQiEtC/56IIyBV155lECxWH1ZZu8RUJxU6sLHU6SrYZIEMleoWGgiJ5LT/l/qL -Dq5Zzqh1qUaaoKqo9Tgf06qHAAqYB9VpoLdBfiEdGnFVkdY1dBG0i9eYtEE0RYMO -P+wG113/EirZIcPkj/nqcow7IfZgNYEok+atbQIDAQABAoIBABgbTE2/rkMtyt2X -WwMbr1V3QGGP1hwS/90BReRUH9JUtOfYd3rWRnnInTDxG2RmqsZI9FglEaHDpMCO -Ia+HYWpl+e7jji38SJY01k6i2cBy/hZPuyHBfkGhHsPVBdSvTgi7JyGnGqC/883O -TGm26PIt9l+d8DccVb+whyIaCAOXT/T0kQxV6OWRg2fLOGVVg2MhvZzxONgxfwx5 -P2ku8Bh7mqNXEAvnUKu92WiW0/9XkzzOmvO0y1KXH08ybL1StnYE7WEhD1ykYV9e -NPoDvTY+uUbAr1IdzhepOyBBaxfH1q1m9qAeQYVz36/6b+bLHpTb0XBHfZBCybKL -c3FWcwcCgYEAvziz4N8sYYv0wxKqpmEd/FP4d62iZonFhhSE5KJiDn2UmRJKj4Ji -l4gFK1kkLoTFAr/1JJv6YaugPrt7wf2af4UW3MP5W3pnsXe3ivbEFhzU+Wr7R+Sc -pG7dnilvaBiu1EZWU0zRXzHX8H+lIDOxvaLWr6aOyfEY76I1anTOqNMCgYEA1TeS -scWEl6IX8cphj387XlqFhlQ5e+7QeSQHgsJZDD1pCLelBI93pwuISJsqM3bdcGbI -14nn2Dz7eibhN9hWn+GeW/ElmjCLdps1EMm77aMzhfwDk5SwGK8Go26qA6WgFXXU -xoAaZKjP/FkQfTYQHu9zLiqJDYf2eB2EnN27aL8CgYBe67K+6YmKUoMJYna7aHIO -E1C/d72p0LHwQLdHFyQ9tTDSWzYPztVKCwcl4XYIcXeqScdSiOrdGOjOuxpPzaen -rVUP+WgKdNSMT7UYki38HAvMU8KwiVcIeNAh9seKkNYYIWIwr20vJ/rdMz+woHiW -fgK75p3yuG98ZLTHR3xeaQKBgBIEai7/g97UYbWa5nebxsaIW7QoNdtVKOSzuLbB -+YhhQBjue9FQ1kmVXeTUx9IlfzzaUqp0CtVpAc8mre1sKJXGGP2n+Qd4hrB1GRzc -DzdbjSULULoN3HuZfrQcy90XB9oIZPyJIrHS2hB27j/Ga8JRdag3C/HKxXcM94HR -8t49AoGBAIaWfxVq39Xml5PdQ9l22pF3gBTRDQLDYMLmx4RZRlJtE8c5GWIpq3QM -6i/ZqT5dPK/WsEdZ34JX3lvp+Lywf/cx3HoF8XSvYW8UdxEuowF9O7UF7QTzTTLB -8KroH2BfWnCqzw01ztTjhzis+P78tnL7dQVLc7wee3kHdkLV4Vwq ------END RSA PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCfQ7Br31QqYFaX +jWYKG8VhFnPMnZGAT3L9xW7TdBQ1vlp3pnv77vMg0NZXLLx7FUp5HzZj/I2mUdAD +TxL/fWg5WCtPH6UzFFimk8H2v30OFGSGkdIB6tAXuesuZBihIhIb14OY4btBWoyU 
+wOdMgRX8SAzFq+zpq3P49Aiv9tU7icXJyrD2wZCIS0L/nogjIFXXnmUQLFYfVlm7 +xFQnFTqwsdTpKthkgQyV6hYaCInktP+X+osOrlnOqHWpRpqgqqj1OB/TqocACpgH +1Wmgt0F+IR0acVWR1jV0EbSL15i0QTRFgw4/7AbXXf8SKtkhw+SP+epyjDsh9mA1 +gSiT5q1tAgMBAAECggEAGBtMTb+uQy3K3ZdbAxuvVXdAYY/WHBL/3QFF5FQf0lS0 +59h3etZGecidMPEbZGaqxkj0WCURocOkwI4hr4dhamX57uOOLfxIljTWTqLZwHL+ +Fk+7IcF+QaEew9UF1K9OCLsnIacaoL/zzc5Mabbo8i32X53wNxxVv7CHIhoIA5dP +9PSRDFXo5ZGDZ8s4ZVWDYyG9nPE42DF/DHk/aS7wGHuao1cQC+dQq73ZaJbT/1eT +PM6a87TLUpcfTzJsvVK2dgTtYSEPXKRhX140+gO9Nj65RsCvUh3OF6k7IEFrF8fW +rWb2oB5BhXPfr/pv5sselNvRcEd9kELJsotzcVZzBwKBgQC/OLPg3yxhi/TDEqqm +YR38U/h3raJmicWGFITkomIOfZSZEkqPgmKXiAUrWSQuhMUCv/Ukm/phq6A+u3vB +/Zp/hRbcw/lbemexd7eK9sQWHNT5avtH5Jykbt2eKW9oGK7URlZTTNFfMdfwf6Ug +M7G9otavpo7J8RjvojVqdM6o0wKBgQDVN5KxxYSXohfxymGPfzteWoWGVDl77tB5 +JAeCwlkMPWkIt6UEj3enC4hImyozdt1wZsjXiefYPPt6JuE32Faf4Z5b8SWaMIt2 +mzUQybvtozOF/AOTlLAYrwajbqoDpaAVddTGgBpkqM/8WRB9NhAe73MuKokNh/Z4 +HYSc3btovwKBgF7rsr7piYpSgwlidrtocg4TUL93vanQsfBAt0cXJD21MNJbNg/O +1UoLByXhdghxd6pJx1KI6t0Y6M67Gk/Np6etVQ/5aAp01IxPtRiSLfwcC8xTwrCJ +Vwh40CH2x4qQ1hghYjCvbS8n+t0zP7CgeJZ+ArvmnfK4b3xktMdHfF5pAoGAEgRq +Lv+D3tRhtZrmd5vGxohbtCg121Uo5LO4tsH5iGFAGO570VDWSZVd5NTH0iV/PNpS +qnQK1WkBzyat7WwolcYY/af5B3iGsHUZHNwPN1uNJQtQug3ce5l+tBzL3RcH2ghk +/IkisdLaEHbuP8ZrwlF1qDcL8crFdwz3gdHy3j0CgYEAhpZ/FWrf1eaXk91D2Xba +kXeAFNENAsNgwubHhFlGUm0TxzkZYimrdAzqL9mpPl08r9awR1nfglfeW+n4vLB/ +9zHcegXxdK9hbxR3ES6jAX07tQXtBPNNMsHwqugfYF9acKrPDTXO1OOHOKz4/vy2 +cvt1BUtzvB57eQd2QtXhXCo= +-----END PRIVATE KEY----- From bb879510337c23c27f92d648aa3d4e65b7ca2355 Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Thu, 20 Jan 2022 12:06:06 +0200 Subject: [PATCH 09/15] checkstyle --- .../test/java/org/elasticsearch/common/ssl/PemUtilsTests.java | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
diff --git a/libs/ssl-config/src/test/java/org/elasticsearch/common/ssl/PemUtilsTests.java b/libs/ssl-config/src/test/java/org/elasticsearch/common/ssl/PemUtilsTests.java
index ee6b369bb018d..ca795f6b13433 100644
--- a/libs/ssl-config/src/test/java/org/elasticsearch/common/ssl/PemUtilsTests.java
+++ b/libs/ssl-config/src/test/java/org/elasticsearch/common/ssl/PemUtilsTests.java
@@ -14,7 +14,6 @@
 import java.io.InputStream;
 import java.nio.file.Files;
 import java.nio.file.Path;
-import java.nio.file.Paths;
 import java.security.AlgorithmParameters;
 import java.security.GeneralSecurityException;
 import java.security.Key;
@@ -249,7 +248,7 @@ public void testReadEmptyFile() {
 assertThat(e.getMessage(), containsString(path.toAbsolutePath().toString()));
 }
- public void testParsePKCS8PemString() throws Exception{
+ public void testParsePKCS8PemString() throws Exception {
 Key key = getKeyFromKeystore("EC");
 assertThat(key, notNullValue());
 assertThat(key, instanceOf(PrivateKey.class));
From 37044477bd5dfbc4d73f0e7a9500d6ffe396b75e Mon Sep 17 00:00:00 2001
From: Ioannis Kakavas
Date: Thu, 20 Jan 2022 14:57:35 +0200
Subject: [PATCH 10/15] verbosity for debuging
---
 .../packaging/test/PackagesSecurityAutoConfigurationTests.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/qa/os/src/test/java/org/elasticsearch/packaging/test/PackagesSecurityAutoConfigurationTests.java b/qa/os/src/test/java/org/elasticsearch/packaging/test/PackagesSecurityAutoConfigurationTests.java
index 96b2c6920e309..92952c6c1c926 100644
--- a/qa/os/src/test/java/org/elasticsearch/packaging/test/PackagesSecurityAutoConfigurationTests.java
+++ b/qa/os/src/test/java/org/elasticsearch/packaging/test/PackagesSecurityAutoConfigurationTests.java
@@ -301,7 +301,7 @@ public void test73ReconfigureCreatesFilesWithCorrectPermissions() throws Excepti
 List.of(mockNode.getHostName() + ":" + mockNode.getPort())
 );
 Shell.Result result = installation.executables().nodeReconfigureTool.run(
- "--enrollment-token " + enrollmentToken.getEncoded(),
+ "-v --enrollment-token " + enrollmentToken.getEncoded(),
 "y",
 true
 );
From 848ef82babf6d31d1dc5bb56ec56f630fa7e3294 Mon Sep 17 00:00:00 2001
From: Ioannis Kakavas
Date: Thu, 20 Jan 2022 15:47:35 +0200
Subject: [PATCH 11/15] key is key and cert is cert dammit
---
 .../test/PackagesSecurityAutoConfigurationTests.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/qa/os/src/test/java/org/elasticsearch/packaging/test/PackagesSecurityAutoConfigurationTests.java b/qa/os/src/test/java/org/elasticsearch/packaging/test/PackagesSecurityAutoConfigurationTests.java
index 92952c6c1c926..d4807063510c9 100644
--- a/qa/os/src/test/java/org/elasticsearch/packaging/test/PackagesSecurityAutoConfigurationTests.java
+++ b/qa/os/src/test/java/org/elasticsearch/packaging/test/PackagesSecurityAutoConfigurationTests.java
@@ -286,8 +286,8 @@ public void test73ReconfigureCreatesFilesWithCorrectPermissions() throws Excepti
 Paths.get(getClass().getResource("transport.crt").toURI()).toAbsolutePath().normalize()
 ).stream().filter(l -> l.contains("-----") == false).collect(Collectors.joining());
 final XContentBuilder responseBuilder = jsonBuilder().startObject()
- .field("http_ca_key", httpCaCertPemString)
- .field("http_ca_cert", httpCaKeyPemString)
+ .field("http_ca_key", httpCaKeyPemString)
+ .field("http_ca_cert", httpCaCertPemString)
 .field("transport_ca_cert", transportCaCertPemString)
 .field("transport_key", transportKeyPemString)
 .field("transport_cert", transportCertPemString)
From f31df35ebc21979de16b79aa865966500135d613 Mon Sep 17 00:00:00 2001
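Review bot: The `-v` added to the `nodeReconfigureTool.run(...)` argument string in the first hunk is described by the commit subject as a debugging aid, and nothing in the code says whether it is meant to stay. If it stays, it deserves a line such as `// -v: keep the tool's verbose output in the packaging logs to diagnose enrollment failures`; otherwise it should be removed before merge. The tool is handed an enrollment token on the same command line, so it is worth confirming that its verbose output does not echo token or key material into CI logs, which cannot be checked from this hunk. The body of test73ReconfigureCreatesFilesWithCorrectPermissions starts and ends outside the hunk.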
From: Ioannis Kakavas
Date: Thu, 20 Jan 2022 16:20:37 +0200
Subject: [PATCH 12/15] store http_ca.crt with similar permissions as keystores for consistency
---
 .../org/elasticsearch/xpack/security/cli/AutoConfigureNode.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/x-pack/plugin/security/cli/src/main/java/org/elasticsearch/xpack/security/cli/AutoConfigureNode.java b/x-pack/plugin/security/cli/src/main/java/org/elasticsearch/xpack/security/cli/AutoConfigureNode.java
index 37b465b52f1bb..8b19ced2d1647 100644
--- a/x-pack/plugin/security/cli/src/main/java/org/elasticsearch/xpack/security/cli/AutoConfigureNode.java
+++ b/x-pack/plugin/security/cli/src/main/java/org/elasticsearch/xpack/security/cli/AutoConfigureNode.java
@@ -464,7 +464,7 @@ protected void execute(Terminal terminal, OptionSet options, Environment env) th
 // the HTTP CA PEM file is provided "just in case". The node doesn't use it, but clients (configured manually, outside of the
 // enrollment process) might indeed need it, and it is currently impossible to retrieve it
- fullyWriteFile(tempGeneratedTlsCertsDir, HTTP_AUTOGENERATED_CA_NAME + ".crt", false, stream -> {
+ fullyWriteFile(tempGeneratedTlsCertsDir, HTTP_AUTOGENERATED_CA_NAME + ".crt", false, "elasticsearch", stream -> {
 try (
 JcaPEMWriter pemWriter = new JcaPEMWriter(new BufferedWriter(new OutputStreamWriter(stream, StandardCharsets.UTF_8)))
 ) {
From 032d9b756e362bf652e69f08929810c6cf09dc01 Mon Sep 17 00:00:00 2001
From: Ioannis Kakavas
Date: Thu, 20 Jan 2022 20:14:42 +0200
Subject: [PATCH 13/15] only hardcode in reconfigure mode
---
 .../xpack/security/cli/AutoConfigureNode.java | 20 +++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/x-pack/plugin/security/cli/src/main/java/org/elasticsearch/xpack/security/cli/AutoConfigureNode.java b/x-pack/plugin/security/cli/src/main/java/org/elasticsearch/xpack/security/cli/AutoConfigureNode.java
index 8b19ced2d1647..ef3901cf5b9b5 100644
--- a/x-pack/plugin/security/cli/src/main/java/org/elasticsearch/xpack/security/cli/AutoConfigureNode.java
+++ b/x-pack/plugin/security/cli/src/main/java/org/elasticsearch/xpack/security/cli/AutoConfigureNode.java
@@ -464,13 +464,21 @@ protected void execute(Terminal terminal, OptionSet options, Environment env) th
 // the HTTP CA PEM file is provided "just in case". The node doesn't use it, but clients (configured manually, outside of the
 // enrollment process) might indeed need it, and it is currently impossible to retrieve it
- fullyWriteFile(tempGeneratedTlsCertsDir, HTTP_AUTOGENERATED_CA_NAME + ".crt", false, "elasticsearch", stream -> {
- try (
- JcaPEMWriter pemWriter = new JcaPEMWriter(new BufferedWriter(new OutputStreamWriter(stream, StandardCharsets.UTF_8)))
- ) {
- pemWriter.writeObject(httpCaCert);
+ fullyWriteFile(
+ tempGeneratedTlsCertsDir,
+ HTTP_AUTOGENERATED_CA_NAME + ".crt",
+ false,
+ inReconfigureMode ? ELASTICSEARCH_GROUP_OWNER : null,
+ stream -> {
+ try (
+ JcaPEMWriter pemWriter = new JcaPEMWriter(
+ new BufferedWriter(new OutputStreamWriter(stream, StandardCharsets.UTF_8))
+ )
+ ) {
+ pemWriter.writeObject(httpCaCert);
+ }
 }
- });
+ );
 } catch (Throwable t) {
 try {
 deleteDirectory(tempGeneratedTlsCertsDir);
From 0d4142591774fb917bea1c45cc6d830879c3a9c1 Mon Sep 17 00:00:00 2001
From: Ioannis Kakavas
Date: Thu, 20 Jan 2022 21:32:18 +0200
Subject: [PATCH 14/15] test only relevant things
---
 .../PackagesSecurityAutoConfigurationTests.java | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/qa/os/src/test/java/org/elasticsearch/packaging/test/PackagesSecurityAutoConfigurationTests.java b/qa/os/src/test/java/org/elasticsearch/packaging/test/PackagesSecurityAutoConfigurationTests.java
index d4807063510c9..7d6193f42cf76 100644
--- a/qa/os/src/test/java/org/elasticsearch/packaging/test/PackagesSecurityAutoConfigurationTests.java
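Review bot: The group argument `inReconfigureMode ? ELASTICSEARCH_GROUP_OWNER : null` in the AutoConfigureNode hunk uses `null` as a sentinel for "leave the group alone", and nothing at the call site explains that or why the group is forced only when reconfiguring. A comment above the call would cover it, for example `// when reconfiguring a package install, hand the file to the group created by the package so the node can read it; null keeps the default group`. `fullyWriteFile` is not visible here, so it is worth confirming that a failed group lookup or ownership change throws into the surrounding `catch (Throwable t)` (which deletes the temp directory) rather than leaving `http_ca.crt` behind with default ownership. The body of `execute` starts and ends outside the hunk.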
+++ b/qa/os/src/test/java/org/elasticsearch/packaging/test/PackagesSecurityAutoConfigurationTests.java
@@ -12,6 +12,7 @@
 import org.elasticsearch.cli.ExitCodes;
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.ssl.PemKeyConfig;
+import org.elasticsearch.packaging.util.FileMatcher;
 import org.elasticsearch.packaging.util.Installation;
 import org.elasticsearch.packaging.util.Packages;
 import org.elasticsearch.packaging.util.Shell;
@@ -31,12 +32,17 @@
 import java.util.Optional;
 import java.util.function.Predicate;
 import java.util.stream.Collectors;
+import java.util.stream.Stream;
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.TrustManager;
 import static java.nio.file.StandardOpenOption.TRUNCATE_EXISTING;
+import static org.elasticsearch.packaging.util.FileMatcher.Fileness.Directory;
+import static org.elasticsearch.packaging.util.FileMatcher.Fileness.File;
+import static org.elasticsearch.packaging.util.FileMatcher.p660;
+import static org.elasticsearch.packaging.util.FileMatcher.p750;
 import static org.elasticsearch.packaging.util.FileUtils.append;
 import static org.elasticsearch.packaging.util.Packages.assertInstalled;
 import static org.elasticsearch.packaging.util.Packages.assertRemoved;
@@ -306,7 +312,14 @@ public void test73ReconfigureCreatesFilesWithCorrectPermissions() throws Excepti
 true
 );
 assertThat(result.exitCode(), CoreMatchers.equalTo(0));
- verifySecurityAutoConfigured(installation);
+ assertThat(installation.config("certs"), FileMatcher.file(Directory, "root", "elasticsearch", p750));
+ Stream.of("http.p12", "http_ca.crt", "transport.p12")
+ .forEach(
+ file -> assertThat(
+ installation.config("certs").resolve(file),
+ FileMatcher.file(File, "root", "elasticsearch", p660)
+ )
+ );
 }
 }
From e282d97032a2513ef781afd4af54908bf9f37a61 Mon Sep 17 00:00:00 2001
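Review bot: The ownership assertions in the last hunk check three file names only, so anything else the tool leaves in `installation.config("certs")` with a different owner or mode would pass unnoticed; the same lines are reformatted in PATCH 15/15. Asserting the directory listing as well would close that gap, and the removed `verifySecurityAutoConfigured(installation)` call should be replaced by a short comment saying why the broader verification no longer applies (presumably because the node enrolled against the mock server). Something like `// enrolled against a MockWebServer: only ownership and mode of the written TLS files are verified here` would do. The test method starts outside the hunk.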
From: Ioannis Kakavas
Date: Thu, 20 Jan 2022 21:33:01 +0200
Subject: [PATCH 15/15] spotless
---
 .../test/PackagesSecurityAutoConfigurationTests.java | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/qa/os/src/test/java/org/elasticsearch/packaging/test/PackagesSecurityAutoConfigurationTests.java b/qa/os/src/test/java/org/elasticsearch/packaging/test/PackagesSecurityAutoConfigurationTests.java
index 7d6193f42cf76..b84dd871157c3 100644
--- a/qa/os/src/test/java/org/elasticsearch/packaging/test/PackagesSecurityAutoConfigurationTests.java
+++ b/qa/os/src/test/java/org/elasticsearch/packaging/test/PackagesSecurityAutoConfigurationTests.java
@@ -315,10 +315,7 @@ public void test73ReconfigureCreatesFilesWithCorrectPermissions() throws Excepti
 assertThat(installation.config("certs"), FileMatcher.file(Directory, "root", "elasticsearch", p750));
 Stream.of("http.p12", "http_ca.crt", "transport.p12")
 .forEach(
- file -> assertThat(
- installation.config("certs").resolve(file),
- FileMatcher.file(File, "root", "elasticsearch", p660)
- )
+ file -> assertThat(installation.config("certs").resolve(file), FileMatcher.file(File, "root", "elasticsearch", p660))
 );
 }
 }