diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlAuthenticatorTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlAuthenticatorTests.java
index ef60764d26de5..8bb9890151ff0 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlAuthenticatorTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlAuthenticatorTests.java
@@ -374,7 +374,7 @@ public void testFailWhenAssertionsCannotBeDecrypted() throws Exception {
 final String xml = getSimpleResponse(now);
 // Encrypting with different cert instead of sp cert will mean that the SP cannot decrypt
- final String encrypted = encryptAssertions(xml, readKeyPair("RSA_1024"));
+ final String encrypted = encryptAssertions(xml, readKeyPair("RSA_4096_updated"));
 assertThat(encrypted, not(equalTo(xml)));
 final String signed = signDoc(encrypted);
@@ -896,7 +896,6 @@ public void testIdpInitiatedLoginIsAllowed() throws Exception {
 assertThat(attributes.attributes(), iterableWithSize(1));
 }
- @AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/issues/30970")
 public void testIncorrectSigningKeyIsRejected() throws Exception {
 final CryptoTransform signer = randomBoolean() ? this::signDoc : this::signAssertions;
 Instant now = clock.instant();
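Review bot: The only assertion in this hunk, `assertThat(encrypted, not(equalTo(xml)))`, shows that encryption happened, not that the SP lacks the key, which is the property the comment above the changed line claims; the test's validity now rests on `RSA_4096_updated` never being the SP's own encryption credential, and nothing here checks that. If the SP's configured key pair is reachable from the test, an explicit precondition such as `assertThat(readKeyPair("RSA_4096_updated").v2(), not(equalTo(spKeyPair.v2())))` would make a fixture change fail on the precondition rather than as a confusing successful decryption. Failing that, the comment should at least state the invariant being relied on: `// RSA_4096_updated is never configured as the SP credential, so the SP must be unable to decrypt`. The rejection assertion for this method lies after the hunk, outside the visible lines.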
@@ -938,7 +937,7 @@ public void testIncorrectSigningKeyIsRejected() throws Exception {
 assertThat(authenticator.authenticate(token(signer.transform(xml, idpSigningCertificatePair))), notNullValue());
 // check is rejected when signed by a different key-pair
- final Tuple wrongKey = readRandomKeyPair(randomSigningAlgorithm());
+ final Tuple wrongKey = readKeyPair("RSA_4096_updated");
 final ElasticsearchSecurityException exception = expectThrows(ElasticsearchSecurityException.class, () -> authenticator.authenticate(token(signer.transform(xml, wrongKey))));
 assertThat(exception.getMessage(), containsString("SAML Signature"));
@@ -954,10 +953,12 @@ public void testSigningKeyIsReloadedForEachRequest() throws Exception {
 assertThat(authenticator.authenticate(token(signer.transform(xml, idpSigningCertificatePair))), notNullValue());
 final Tuple oldKeyPair = idpSigningCertificatePair;
- //Ensure we won't read any of the ones we could have picked randomly before
+ // Ensure we won't read any of the ones we could have picked randomly before
 idpSigningCertificatePair = readKeyPair("RSA_4096_updated");
 assertThat(idpSigningCertificatePair.v2(), not(equalTo(oldKeyPair.v2())));
 assertThat(authenticator.authenticate(token(signer.transform(xml, idpSigningCertificatePair))), notNullValue());
+ // Restore the keypair to one from the keypair pool of all algorithms and keys
+ idpSigningCertificatePair = readRandomKeyPair(randomSigningAlgorithm());
 }
 public void testParsingRejectsTamperedContent() throws Exception {
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlTestCase.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlTestCase.java
index bbd98445295d5..51a6d8732a5b3 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlTestCase.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlTestCase.java
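Review bot: The negative test is only meaningful if `wrongKey` differs from `idpSigningCertificatePair`, and the changed line pins `wrongKey` to a fixed fixture while the accepted key is, per the restore comment in the next hunk, drawn randomly from the pool of all algorithms and keys; nothing in this hunk asserts the two are distinct. Should `RSA_4096_updated` ever enter that random pool, the `expectThrows` would fail only on the iterations that happen to draw it, which is exactly the kind of intermittent failure the removed `@AwaitsFix` was covering. Adding `assertThat(wrongKey.v2(), not(equalTo(idpSigningCertificatePair.v2())));` before the `expectThrows` makes the precondition explicit and turns a future collision into a deterministic, self-explanatory failure. The start of the method is outside this hunk.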
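Review bot: The added restore of `idpSigningCertificatePair` runs only on the success path: if either `assertThat` above it fails, the field is left holding `RSA_4096_updated`, and if that field is shared across tests (the fact that a restore is needed at all suggests it is), a later test such as testIncorrectSigningKeyIsRejected, which now uses `RSA_4096_updated` as its wrong key, would see the same key on both sides and fail for an unrelated reason. The method already captures the original value as `oldKeyPair`, so restoring that is more precise than a fresh random draw, and doing it in a finally block makes it unconditional: wrap the two assertions after the assignment in `try { … } finally { idpSigningCertificatePair = oldKeyPair; }` and drop the added two lines. The method's opening lines are outside this hunk.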
@@ -71,7 +71,7 @@ protected static Tuple readRandomKeyPair() throws E
 }
 /**
- * Generates key pair for given algorithm and then associates with a certificate.
+ * Reads a key pair and associated certificate for given algorithm and key length
 * For testing, for "EC" algorithm 256 key size is used, others use 2048 as default.
 * @param algorithm
 * @return X509Certificate a signed certificate, it's PrivateKey {@link Tuple}