diff --git a/client/rest-high-level/build.gradle b/client/rest-high-level/build.gradle index 2317bbd72496a..bc42dfa228a49 100644 --- a/client/rest-high-level/build.gradle +++ b/client/rest-high-level/build.gradle @@ -14,6 +14,7 @@ apply plugin: 'elasticsearch.rest-test' apply plugin: 'elasticsearch.publish' apply plugin: 'com.github.johnrengelman.shadow' apply plugin: 'elasticsearch.rest-resources' +apply plugin: 'elasticsearch.internal-test-artifact' group = 'org.elasticsearch.client' archivesBaseName = 'elasticsearch-rest-high-level-client' @@ -67,8 +68,6 @@ tasks.named('forbiddenApisMain').configure { File nodeCert = file("./testnode.crt") File nodeTrustStore = file("./testnode.jks") File pkiTrustCert = file("./src/test/resources/org/elasticsearch/client/security/delegate_pki/testRootCA.crt") -File httpCaKeystore = file("./httpCa.p12"); -File transportKeystore = file("./transport.p12"); tasks.named("integTest").configure { systemProperty 'tests.rest.async', 'false' @@ -118,8 +117,6 @@ testClusters.all { extraConfigFile nodeCert.name, nodeCert extraConfigFile nodeTrustStore.name, nodeTrustStore extraConfigFile pkiTrustCert.name, pkiTrustCert - extraConfigFile httpCaKeystore.name, httpCaKeystore - extraConfigFile transportKeystore.name, transportKeystore setting 'xpack.searchable.snapshot.shared_cache.size', '1mb' setting 'xpack.searchable.snapshot.shared_cache.region_size', '16kb' diff --git a/client/rest-high-level/qa/ssl-enabled/build.gradle b/client/rest-high-level/qa/ssl-enabled/build.gradle new file mode 100644 index 0000000000000..7149402b5053c --- /dev/null +++ b/client/rest-high-level/qa/ssl-enabled/build.gradle @@ -0,0 +1,45 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import org.elasticsearch.gradle.internal.test.RestIntegTestTask +import org.elasticsearch.gradle.internal.info.BuildParams + +apply plugin: 'elasticsearch.java-rest-test' +dependencies { + javaRestTestImplementation(testArtifact(project(':client:rest-high-level'))) +} + +tasks.matching{ it.name == "javaRestTest" }.configureEach { + onlyIf { BuildParams.inFipsJvm == false} + systemProperty 'tests.rest.cluster.username', System.getProperty('tests.rest.cluster.username', 'test_user') + systemProperty 'tests.rest.cluster.password', System.getProperty('tests.rest.cluster.password', 'test-user-password') +} + +testClusters.matching { it.name == 'javaRestTest' }.configureEach { + testDistribution = 'DEFAULT' + numberOfNodes = 2 + setting 'xpack.license.self_generated.type', 'trial' + setting 'xpack.security.enabled', 'true' + setting 'xpack.security.authc.token.enabled', 'true' + setting 'xpack.security.authc.api_key.enabled', 'true' + + extraConfigFile 'httpCa.p12', file('./src/javaRestTest/resources/httpCa.p12') + extraConfigFile 'transport.p12', file('./src/javaRestTest/resources/transport.p12') + + // TBD: sync these settings (which options are set) with the ones we will be generating in #74868 + setting 'xpack.security.http.ssl.enabled', 'true' + setting 'xpack.security.transport.ssl.enabled', 'true' + setting 'xpack.security.http.ssl.keystore.path', 'httpCa.p12' + setting 'xpack.security.transport.ssl.keystore.path', 'transport.p12' + setting 'xpack.security.transport.ssl.verification_mode', 'certificate' + + + keystore 'xpack.security.http.ssl.keystore.secure_password', 'password' + keystore 'xpack.security.transport.ssl.keystore.secure_password', 'password' + user username: 'admin_user', password: 'admin-password', role: 'superuser' +} diff --git a/client/rest-high-level/qa/ssl-enabled/src/javaRestTest/java/org/elasticsearch/client/EnrollmentIT.java b/client/rest-high-level/qa/ssl-enabled/src/javaRestTest/java/org/elasticsearch/client/EnrollmentIT.java new file mode 100644 index 0000000000000..d3942670920a2 --- /dev/null +++ b/client/rest-high-level/qa/ssl-enabled/src/javaRestTest/java/org/elasticsearch/client/EnrollmentIT.java @@ -0,0 +1,82 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +package org.elasticsearch.client; + +import org.elasticsearch.client.security.KibanaEnrollmentResponse; +import org.elasticsearch.client.security.NodeEnrollmentResponse; +import org.elasticsearch.common.settings.SecureString; +import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.common.util.concurrent.ThreadContext; +import org.elasticsearch.core.PathUtils; +import org.junit.AfterClass; +import org.junit.BeforeClass; + +import java.io.FileNotFoundException; +import java.net.URL; +import java.nio.file.Path; +import java.util.List; + +import static org.hamcrest.Matchers.endsWith; +import static org.hamcrest.Matchers.equalTo; +import static org.hamcrest.Matchers.notNullValue; + +public class EnrollmentIT extends ESRestHighLevelClientTestCase { + private static Path httpTrustStore; + + @BeforeClass + public static void findTrustStore() throws Exception { + final URL resource = EnrollmentIT.class.getResource("/httpCa.p12"); + if (resource == null) { + throw new FileNotFoundException("Cannot find classpath resource /httpCa.p12"); + } + httpTrustStore = PathUtils.get(resource.toURI()); + } + + @AfterClass + public static void cleanupStatics() { + httpTrustStore = null; + } + + @Override + protected String getProtocol() { + return "https"; + } + + @Override + protected Settings restClientSettings() { + String token = basicAuthHeaderValue("admin_user", new SecureString("admin-password".toCharArray())); + return Settings.builder() + .put(ThreadContext.PREFIX + ".Authorization", token) + .put(TRUSTSTORE_PATH, httpTrustStore) + .put(TRUSTSTORE_PASSWORD, "password") + .build(); + } + + public void testEnrollNode() throws Exception { + final NodeEnrollmentResponse nodeEnrollmentResponse = + execute(highLevelClient().security()::enrollNode, highLevelClient().security()::enrollNodeAsync, RequestOptions.DEFAULT); + assertThat(nodeEnrollmentResponse, notNullValue()); + assertThat(nodeEnrollmentResponse.getHttpCaKey(), endsWith("K2S3vidA=")); + assertThat(nodeEnrollmentResponse.getHttpCaCert(), endsWith("LfkRjirc=")); + assertThat(nodeEnrollmentResponse.getTransportKey(), endsWith("1I-r8vOQ==")); + assertThat(nodeEnrollmentResponse.getTransportCert(), endsWith("OpTdtgJo=")); + List nodesAddresses = nodeEnrollmentResponse.getNodesAddresses(); + assertThat(nodesAddresses.size(), equalTo(2)); + } + + public void testEnrollKibana() throws Exception { + KibanaEnrollmentResponse kibanaResponse = + execute(highLevelClient().security()::enrollKibana, highLevelClient().security()::enrollKibanaAsync, RequestOptions.DEFAULT); + assertThat(kibanaResponse, notNullValue()); + assertThat(kibanaResponse.getHttpCa() + , endsWith("brcNC5xq6YE7C4_06nH7F6le4kE4Uo6c9fpkl4ehOxQxndNLn462tFF-8VBA8IftJ1PPWzqGxLsCTzM6p6w8sa-XhgNYglLfkRjirc=")); + assertNotNull(kibanaResponse.getPassword()); + assertThat(kibanaResponse.getPassword().toString().length(), equalTo(14)); + } +} diff --git a/client/rest-high-level/httpCa.p12 b/client/rest-high-level/qa/ssl-enabled/src/javaRestTest/resources/httpCa.p12 similarity index 100% rename from client/rest-high-level/httpCa.p12 rename to client/rest-high-level/qa/ssl-enabled/src/javaRestTest/resources/httpCa.p12 diff --git a/client/rest-high-level/transport.p12 b/client/rest-high-level/qa/ssl-enabled/src/javaRestTest/resources/transport.p12 similarity index 100% rename from client/rest-high-level/transport.p12 rename to client/rest-high-level/qa/ssl-enabled/src/javaRestTest/resources/transport.p12 diff --git a/client/rest-high-level/src/test/java/org/elasticsearch/client/SecurityIT.java b/client/rest-high-level/src/test/java/org/elasticsearch/client/SecurityIT.java index 38c2afa15090f..8cdb2fafe204b 100644 --- a/client/rest-high-level/src/test/java/org/elasticsearch/client/SecurityIT.java +++ b/client/rest-high-level/src/test/java/org/elasticsearch/client/SecurityIT.java @@ -21,7 +21,6 @@ import org.elasticsearch.client.security.GetRolesResponse; import org.elasticsearch.client.security.GetUsersRequest; import org.elasticsearch.client.security.GetUsersResponse; -import org.elasticsearch.client.security.NodeEnrollmentResponse; import org.elasticsearch.client.security.PutRoleRequest; import org.elasticsearch.client.security.PutRoleResponse; import org.elasticsearch.client.security.PutUserRequest; @@ -34,7 +33,6 @@ import org.elasticsearch.client.security.user.privileges.IndicesPrivileges; import org.elasticsearch.client.security.user.privileges.IndicesPrivilegesTests; import org.elasticsearch.client.security.user.privileges.Role; -import org.elasticsearch.client.security.KibanaEnrollmentResponse; import org.elasticsearch.core.CharArrays; import java.io.IOException; @@ -47,12 +45,10 @@ import java.util.Map; import static org.hamcrest.Matchers.empty; -import static org.hamcrest.Matchers.endsWith; import static org.hamcrest.Matchers.equalTo; import static org.hamcrest.Matchers.is; import static org.hamcrest.Matchers.containsString; import static org.hamcrest.Matchers.contains; -import static org.hamcrest.Matchers.notNullValue; import static org.hamcrest.Matchers.nullValue; public class SecurityIT extends ESRestHighLevelClientTestCase { @@ -196,30 +192,6 @@ public void testPutRole() throws Exception { assertThat(deleteRoleResponse.isFound(), is(true)); } - @AwaitsFix(bugUrl = "Determine behavior for keystore with multiple keys") - public void testEnrollNode() throws Exception { - final NodeEnrollmentResponse nodeEnrollmentResponse = - execute(highLevelClient().security()::enrollNode, highLevelClient().security()::enrollNodeAsync, RequestOptions.DEFAULT); - assertThat(nodeEnrollmentResponse, notNullValue()); - assertThat(nodeEnrollmentResponse.getHttpCaKey(), endsWith("ECAwGGoA==")); - assertThat(nodeEnrollmentResponse.getHttpCaCert(), endsWith("ECAwGGoA==")); - assertThat(nodeEnrollmentResponse.getTransportKey(), endsWith("fSI09on8AgMBhqA=")); - assertThat(nodeEnrollmentResponse.getTransportCert(), endsWith("fSI09on8AgMBhqA=")); - List nodesAddresses = nodeEnrollmentResponse.getNodesAddresses(); - assertThat(nodesAddresses.size(), equalTo(1)); - } - - @AwaitsFix(bugUrl = "Determine behavior for keystores with multiple keys") - public void testEnrollKibana() throws Exception { - KibanaEnrollmentResponse kibanaResponse = - execute(highLevelClient().security()::enrollKibana, highLevelClient().security()::enrollKibanaAsync, RequestOptions.DEFAULT); - assertThat(kibanaResponse, notNullValue()); - assertThat(kibanaResponse.getHttpCa() - , endsWith("OWFyeGNmcwovSDJReE1tSG1leXJRaWxYbXJPdk9PUDFTNGRrSTFXbFJLOFdaN3c9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K")); - assertNotNull(kibanaResponse.getPassword()); - assertThat(kibanaResponse.getPassword().toString().length(), equalTo(14)); - } - private void deleteUser(User user) throws IOException { final Request deleteUserRequest = new Request(HttpDelete.METHOD_NAME, "/_security/user/" + user.getUsername()); highLevelClient().getLowLevelClient().performRequest(deleteUserRequest); diff --git a/settings.gradle b/settings.gradle index e7edfd600f8bf..a625a7ea1052a 100644 --- a/settings.gradle +++ b/settings.gradle @@ -13,6 +13,7 @@ List projects = [ 'docs', 'client:rest', 'client:rest-high-level', + 'client:rest-high-level:qa:ssl-enabled', 'client:sniffer', 'client:transport', 'client:test', diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/XPackSettings.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/XPackSettings.java index 222e1e09d6657..3652bbc6795aa 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/XPackSettings.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/XPackSettings.java @@ -231,6 +231,7 @@ public static List> getAllSettings() { settings.add(API_KEY_SERVICE_ENABLED_SETTING); settings.add(USER_SETTING); settings.add(PASSWORD_HASHING_ALGORITHM); + settings.add(ENROLLMENT_ENABLED); return Collections.unmodifiableList(settings); } diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/StoreKeyConfig.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/StoreKeyConfig.java index 1c64e3e772796..4ef43f2fa515b 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/StoreKeyConfig.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/StoreKeyConfig.java @@ -77,6 +77,23 @@ X509ExtendedKeyManager createKeyManager(@Nullable Environment environment) { try { KeyStore ks = getStore(ksPath, keyStoreType, keyStorePassword); checkKeyStore(ks); + // TBD: filter out only http.ssl.keystore + List aliases = new ArrayList<>(); + for (String s : Collections.list(ks.aliases())) { + if (ks.isKeyEntry(s)) { + aliases.add(s); + } + } + if (aliases.size() > 1) { + for (String alias : aliases) { + Certificate certificate = ks.getCertificate(alias); + if (certificate instanceof X509Certificate) { + if (((X509Certificate) certificate).getBasicConstraints() != -1) { + ks.deleteEntry(alias); + } + } + } + } return CertParsingUtils.keyManager(ks, keyPassword.getChars(), keyStoreAlgorithm); } catch (FileNotFoundException | NoSuchFileException e) { throw missingKeyConfigFile(e, KEYSTORE_FILE, ksPath); diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/StoreKeyConfigTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/StoreKeyConfigTests.java index 951988a9e2e61..ec98f2d410da9 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/StoreKeyConfigTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/StoreKeyConfigTests.java @@ -16,7 +16,15 @@ import javax.net.ssl.TrustManagerFactory; import javax.net.ssl.X509ExtendedKeyManager; +import java.io.InputStream; +import java.nio.file.Files; +import java.nio.file.Path; +import java.security.KeyStore; import java.security.PrivateKey; +import java.security.cert.X509Certificate; +import java.util.ArrayList; +import java.util.Collections; +import java.util.List; import static org.elasticsearch.test.TestMatchers.throwableWithMessage; import static org.hamcrest.Matchers.containsString; @@ -52,6 +60,52 @@ public void testKeyStorePathCanBeEmptyForPkcs11() throws Exception { assertThat(ee.getCause().getMessage(), containsString("PKCS11 not found")); } + public void testCreateKeyManagerFromPKCS12ContainingCA() throws Exception { + assumeFalse("Can't run in a FIPS JVM", inFipsJvm()); + final Settings settings = Settings.builder().put("path.home", createTempDir()).build(); + final Path path = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/httpCa.p12"); + final SecureString keyStorePassword = new SecureString("password".toCharArray()); + final StoreKeyConfig keyConfig = new StoreKeyConfig(path.toString(), "PKCS12", keyStorePassword, keyStorePassword, + KeyManagerFactory.getDefaultAlgorithm(), TrustManagerFactory.getDefaultAlgorithm()); + KeyStore keyStore = KeyStore.getInstance("PKCS12"); + try (InputStream in = Files.newInputStream(path)) { + keyStore.load(in, keyStorePassword.getChars()); + } + List aliases = new ArrayList<>(); + for (String s : Collections.list(keyStore.aliases())) { + if (keyStore.isKeyEntry(s)) { + aliases.add(s); + } + } + assertThat(aliases.size(), equalTo(2)); + final X509ExtendedKeyManager keyManager = keyConfig.createKeyManager(TestEnvironment.newEnvironment(settings)); + for (String alias : aliases) { + PrivateKey key = keyManager.getPrivateKey(alias); + assertTrue(key == null || alias.equals("http")); + } + final String[] new_aliases = keyManager.getServerAliases("RSA", null); + final X509Certificate[] certificates = keyManager.getCertificateChain("http"); + assertThat(new_aliases.length, equalTo(1)); + assertThat(certificates.length, equalTo(2)); + } + + public void testCreateKeyManagerFromPKCS12ContainingCAOnly() throws Exception { + assumeFalse("Can't run in a FIPS JVM", inFipsJvm()); + final Settings settings = Settings.builder().put("path.home", createTempDir()).build(); + final String path = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/ca.p12").toString(); + final SecureString keyStorePassword = new SecureString("password".toCharArray()); + final StoreKeyConfig keyConfig = new StoreKeyConfig(path, "PKCS12", keyStorePassword, keyStorePassword, + KeyManagerFactory.getDefaultAlgorithm(), TrustManagerFactory.getDefaultAlgorithm()); + final X509ExtendedKeyManager keyManager = keyConfig.createKeyManager(TestEnvironment.newEnvironment(settings)); + final PrivateKey ca_key = keyManager.getPrivateKey("ca"); + final String[] aliases = keyManager.getServerAliases("RSA", null); + final X509Certificate[] certificates = keyManager.getCertificateChain("ca"); + assertThat(ca_key, notNullValue()); + assertThat(aliases.length, equalTo(1)); + assertThat(aliases[0], equalTo("ca")); + assertThat(certificates.length, equalTo(1)); + } + private void tryReadPrivateKeyFromKeyStore(String type, String extension) { final Settings settings = Settings.builder().put("path.home", createTempDir()).build(); final String path = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode" + extension).toString(); diff --git a/x-pack/plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/ca.p12 b/x-pack/plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/ca.p12 new file mode 100644 index 0000000000000..c7fc6a8d156c7 Binary files /dev/null and b/x-pack/plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/ca.p12 differ diff --git a/x-pack/plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/httpCa.p12 b/x-pack/plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/httpCa.p12 new file mode 100644 index 0000000000000..b588f1c55205c Binary files /dev/null and b/x-pack/plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/httpCa.p12 differ diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/enrollment/TransportKibanaEnrollmentAction.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/enrollment/TransportKibanaEnrollmentAction.java index 652e411dd3eee..b882a7a80a5ec 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/enrollment/TransportKibanaEnrollmentAction.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/enrollment/TransportKibanaEnrollmentAction.java @@ -101,7 +101,7 @@ public class TransportKibanaEnrollmentAction extends HandledTransportAction { logger.debug("Successfully set the password for user [kibana_system] during kibana enrollment"); diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/enrollment/TransportNodeEnrollmentAction.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/enrollment/TransportNodeEnrollmentAction.java index 8a4cecd960466..25bec9d15406b 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/enrollment/TransportNodeEnrollmentAction.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/enrollment/TransportNodeEnrollmentAction.java @@ -101,20 +101,22 @@ protected void doExecute(Task task, NodeEnrollmentRequest request, ActionListene for (NodeInfo nodeInfo : response.getNodes()) { nodeList.add(nodeInfo.getInfo(TransportInfo.class).getAddress().publishAddress().toString()); } + try { + final String httpCaKey = Base64.getUrlEncoder().encodeToString(httpCaKeysAndCertificates.get(0).v1().getEncoded()); + final String httpCaCert = Base64.getUrlEncoder().encodeToString(httpCaKeysAndCertificates.get(0).v2().getEncoded()); + final String transportKey = + Base64.getUrlEncoder().encodeToString(transportKeysAndCertificates.get(0).v1().getEncoded()); + final String transportCert = + Base64.getUrlEncoder().encodeToString(transportKeysAndCertificates.get(0).v2().getEncoded()); + listener.onResponse(new NodeEnrollmentResponse(httpCaKey, + httpCaCert, + transportKey, + transportCert, + nodeList)); + } catch (CertificateEncodingException e) { + listener.onFailure(new ElasticsearchException("Unable to enroll node", e)); + } }, listener::onFailure )); - try { - final String httpCaKey = Base64.getUrlEncoder().encodeToString(httpCaKeysAndCertificates.get(0).v1().getEncoded()); - final String httpCaCert = Base64.getUrlEncoder().encodeToString(httpCaKeysAndCertificates.get(0).v2().getEncoded()); - final String transportKey = Base64.getUrlEncoder().encodeToString(transportKeysAndCertificates.get(0).v1().getEncoded()); - final String transportCert = Base64.getUrlEncoder().encodeToString(transportKeysAndCertificates.get(0).v2().getEncoded()); - listener.onResponse(new NodeEnrollmentResponse(httpCaKey, - httpCaCert, - transportKey, - transportCert, - nodeList)); - } catch (CertificateEncodingException e) { - listener.onFailure(new ElasticsearchException("Unable to enroll node", e)); - } } } diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/action/enrollment/RestKibanaEnrollAction.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/action/enrollment/RestKibanaEnrollAction.java index 64de046e320a0..0d3facc7cf236 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/action/enrollment/RestKibanaEnrollAction.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/action/enrollment/RestKibanaEnrollAction.java @@ -10,7 +10,6 @@ import org.elasticsearch.client.node.NodeClient; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.xcontent.XContentBuilder; -import org.elasticsearch.common.xcontent.XContentParser; import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.rest.BytesRestResponse; import org.elasticsearch.rest.RestRequest; @@ -43,19 +42,15 @@ public RestKibanaEnrollAction(Settings settings, XPackLicenseState licenseState) return List.of(new Route(RestRequest.Method.GET, "/_security/enroll/kibana")); } - @Override protected RestChannelConsumer innerPrepareRequest( - RestRequest request, NodeClient client) throws IOException { - try (XContentParser parser = request.contentParser()) { - return restChannel -> client.execute( - KibanaEnrollmentAction.INSTANCE, new KibanaEnrollmentRequest(), - new RestBuilderListener<>(restChannel) { - @Override public RestResponse buildResponse( - KibanaEnrollmentResponse kibanaEnrollmentResponse, XContentBuilder builder) throws Exception { - kibanaEnrollmentResponse.toXContent(builder, channel.request()); - return new BytesRestResponse(RestStatus.OK, builder); - } - }); - } + @Override protected RestChannelConsumer innerPrepareRequest(RestRequest request, NodeClient client) throws IOException { + return restChannel -> client.execute(KibanaEnrollmentAction.INSTANCE, + new KibanaEnrollmentRequest(), + new RestBuilderListener(restChannel) { + @Override public RestResponse buildResponse( + KibanaEnrollmentResponse kibanaEnrollmentResponse, XContentBuilder builder) throws Exception { + kibanaEnrollmentResponse.toXContent(builder, channel.request()); + return new BytesRestResponse(RestStatus.OK, builder); + } + }); } - } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlMetadataCommandTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlMetadataCommandTests.java index 9bbb207353c0d..b5797d22d7ff8 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlMetadataCommandTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlMetadataCommandTests.java @@ -569,6 +569,7 @@ public void testSigningMetadataWithPasswordProtectedPemInTerminal() throws Excep assertThat(validateSignature(descriptor.getSignature()), equalTo(true)); } + @AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/issues/75097") public void testDefaultOptionsWithSigningAndMultipleEncryptionKeys() throws Exception { assumeFalse("Can't run in a FIPS JVM, PKCS12 keystores are not usable", inFipsJvm()); final KeyStoreWrapper usedKeyStore = randomFrom(keyStore, passwordProtectedKeystore); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java index 3d0481c867906..4f39e44941a87 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java @@ -433,6 +433,7 @@ public void testCreateCredentialFromPemFiles() throws Exception { assertThat(credential.getPublicKey(), equalTo(encryptionCert.getPublicKey())); } + @AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/issues/75097") public void testCreateEncryptionCredentialFromKeyStore() throws Exception { assumeFalse("Can't run in a FIPS JVM, PKCS12 keystores are not usable", inFipsJvm()); final Path dir = createTempDir(); @@ -482,6 +483,7 @@ public void testCreateEncryptionCredentialFromKeyStore() throws Exception { }); } + @AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/issues/75097") public void testCreateSigningCredentialFromKeyStoreSuccessScenarios() throws Exception { assumeFalse("Can't run in a FIPS JVM, PKCS12 keystores are not usable", inFipsJvm()); final Path dir = createTempDir(); @@ -522,6 +524,7 @@ public void testCreateSigningCredentialFromKeyStoreSuccessScenarios() throws Exc assertThat(credential.getPublicKey(), equalTo(certKeyPair1.v1().getPublicKey())); } + @AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/issues/75097") public void testCreateSigningCredentialFromKeyStoreFailureScenarios() throws Exception { assumeFalse("Can't run in a FIPS JVM, PKCS12 keystores are not usable", inFipsJvm()); final Path dir = createTempDir();