Consistently use loopback address for ssl profile (#37487)
This change fixes failures in the SslMultiPortTests where we attempt to
connect to a profile on a port it is listening on but the connection
fails. The failure is due to the profile being bound to multiple
addresses and randomization will pick one of these addresses to
determine the listening port. However, the address we get the port for
may not be the address we are actually connecting to. In order to
resolve this, the test now sets the bind host for profiles to the
loopback address and uses the same address for connecting.

Closes #37481
jaymode authored Jan 15, 2019
1 parent 0a3bff2 commit 987576b
Showing 1 changed file with 24 additions and 16 deletions.
Expand Up @@ -7,6 +7,7 @@

import org.elasticsearch.client.transport.NoNodeAvailableException;
import org.elasticsearch.client.transport.TransportClient;
import org.elasticsearch.common.network.NetworkAddress;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.test.SecurityIntegTestCase;
Expand Down Expand Up @@ -34,11 +35,13 @@ public class SslMultiPortTests extends SecurityIntegTestCase {

private static int randomClientPort;
private static int randomNoClientAuthPort;
private static InetAddress localAddress;

@BeforeClass
public static void getRandomPort() {
randomClientPort = randomIntBetween(49000, 65500); // ephemeral port
randomNoClientAuthPort = randomIntBetween(49000, 65500);
localAddress = InetAddress.getLoopbackAddress();
}

/**
Expand All @@ -65,12 +68,11 @@ protected Settings nodeSettings(int nodeOrdinal) {
Settings.Builder builder = Settings.builder().put(super.nodeSettings(nodeOrdinal));
addSSLSettingsForNodePEMFiles(builder, "transport.profiles.client.xpack.security.", true);
builder.put("transport.profiles.client.port", randomClientPortRange)
// make sure this is "localhost", no matter if ipv4 or ipv6, but be consistent
.put("transport.profiles.client.bind_host", "localhost")
.put("transport.profiles.client.bind_host", NetworkAddress.format(localAddress))
.put("transport.profiles.client.xpack.security.ssl.certificate_authorities", trustCert.toAbsolutePath());
addSSLSettingsForNodePEMFiles(builder, "transport.profiles.no_client_auth.xpack.security.", true);
builder.put("transport.profiles.no_client_auth.port", randomNoClientAuthPortRange)
.put("transport.profiles.no_client_auth.bind_host", "localhost")
.put("transport.profiles.no_client_auth.bind_host", NetworkAddress.format(localAddress))
.put("transport.profiles.no_client_auth.xpack.security.ssl.client_authentication", SSLClientAuth.NONE);
final Settings settings = builder.build();
logger.info("node {} settings:\n{}", nodeOrdinal, settings);
Expand Down Expand Up @@ -117,7 +119,7 @@ public void testThatStandardTransportClientCanConnectToNoClientAuthProfile() thr
.put("node.name", "programmatic_transport_client")
.put("cluster.name", internalCluster().getClusterName())
.build(), LocalStateSecurity.class)) {
transportClient.addTransportAddress(new TransportAddress(InetAddress.getLoopbackAddress(),
transportClient.addTransportAddress(new TransportAddress(localAddress,
getProfilePort("no_client_auth")));
assertGreenClusterState(transportClient);
}
Expand All @@ -132,7 +134,7 @@ public void testThatStandardTransportClientCanConnectToNoClientAuthProfile() thr
*/
public void testThatStandardTransportClientCannotConnectToClientProfile() throws Exception {
try (TransportClient transportClient = createTransportClient(Settings.EMPTY)) {
transportClient.addTransportAddress(new TransportAddress(InetAddress.getLoopbackAddress(), getProfilePort("client")));
transportClient.addTransportAddress(new TransportAddress(localAddress, getProfilePort("client")));
transportClient.admin().cluster().prepareHealth().get();
fail("Expected NoNodeAvailableException");
} catch (NoNodeAvailableException e) {
Expand All @@ -154,7 +156,7 @@ public void testThatProfileTransportClientCanConnectToClientProfile() throws Exc
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient-client-profile.crt",
Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"));
try (TransportClient transportClient = createTransportClient(builder.build())) {
transportClient.addTransportAddress(new TransportAddress(InetAddress.getLoopbackAddress(), getProfilePort("client")));
transportClient.addTransportAddress(new TransportAddress(localAddress, getProfilePort("client")));
assertGreenClusterState(transportClient);
}
}
Expand All @@ -174,7 +176,7 @@ public void testThatProfileTransportClientCanConnectToNoClientAuthProfile() thro
"/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient-client-profile.crt",
Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"));
try (TransportClient transportClient = createTransportClient(builder.build())) {
transportClient.addTransportAddress(new TransportAddress(InetAddress.getLoopbackAddress(),
transportClient.addTransportAddress(new TransportAddress(localAddress,
getProfilePort("no_client_auth")));
assertGreenClusterState(transportClient);
}
Expand Down Expand Up @@ -234,7 +236,7 @@ public void testThatTransportClientCannotConnectToClientProfile() throws Excepti
.build();
try (TransportClient transportClient = new TestXPackTransportClient(settings,
Collections.singletonList(LocalStateSecurity.class))) {
transportClient.addTransportAddress(new TransportAddress(InetAddress.getLoopbackAddress(), getProfilePort("client")));
transportClient.addTransportAddress(new TransportAddress(localAddress, getProfilePort("client")));
assertGreenClusterState(transportClient);
fail("Expected NoNodeAvailableException");
} catch (NoNodeAvailableException e) {
Expand All @@ -253,7 +255,7 @@ public void testThatTransportClientCannotConnectToNoClientAuthProfile() throws E
.build();
try (TransportClient transportClient = new TestXPackTransportClient(settings,
Collections.singletonList(LocalStateSecurity.class))) {
transportClient.addTransportAddress(new TransportAddress(InetAddress.getLoopbackAddress(),
transportClient.addTransportAddress(new TransportAddress(localAddress,
getProfilePort("no_client_auth")));
assertGreenClusterState(transportClient);
fail("Expected NoNodeAvailableException");
Expand All @@ -276,7 +278,7 @@ public void testThatTransportClientWithOnlyTruststoreCanConnectToNoClientAuthPro
.build();
try (TransportClient transportClient = new TestXPackTransportClient(settings,
Collections.singletonList(LocalStateSecurity.class))) {
transportClient.addTransportAddress(new TransportAddress(InetAddress.getLoopbackAddress(),
transportClient.addTransportAddress(new TransportAddress(localAddress,
getProfilePort("no_client_auth")));
}
}
Expand All @@ -297,7 +299,7 @@ public void testThatTransportClientWithOnlyTruststoreCannotConnectToClientProfil
.build();
try (TransportClient transportClient = new TestXPackTransportClient(settings,
Collections.singletonList(LocalStateSecurity.class))) {
transportClient.addTransportAddress(new TransportAddress(InetAddress.getLoopbackAddress(), getProfilePort("client")));
transportClient.addTransportAddress(new TransportAddress(localAddress, getProfilePort("client")));
assertGreenClusterState(transportClient);
fail("Expected NoNodeAvailableException");
} catch (NoNodeAvailableException e) {
Expand Down Expand Up @@ -365,7 +367,7 @@ public void testThatSSLTransportClientWithNoTruststoreCannotConnectToClientProfi
.build();
try (TransportClient transportClient = new TestXPackTransportClient(settings,
Collections.singletonList(LocalStateSecurity.class))) {
transportClient.addTransportAddress(new TransportAddress(InetAddress.getLoopbackAddress(), getProfilePort("client")));
transportClient.addTransportAddress(new TransportAddress(localAddress, getProfilePort("client")));
assertGreenClusterState(transportClient);
fail("Expected NoNodeAvailableException");
} catch (NoNodeAvailableException e) {
Expand All @@ -387,7 +389,7 @@ public void testThatSSLTransportClientWithNoTruststoreCannotConnectToNoClientAut
.build();
try (TransportClient transportClient = new TestXPackTransportClient(settings,
Collections.singletonList(LocalStateSecurity.class))) {
transportClient.addTransportAddress(new TransportAddress(InetAddress.getLoopbackAddress(),
transportClient.addTransportAddress(new TransportAddress(localAddress,
getProfilePort("no_client_auth")));
assertGreenClusterState(transportClient);
fail("Expected NoNodeAvailableException");
Expand All @@ -397,8 +399,14 @@ public void testThatSSLTransportClientWithNoTruststoreCannotConnectToNoClientAut
}

private static int getProfilePort(String profile) {
TransportAddress transportAddress =
randomFrom(internalCluster().getInstance(Transport.class).profileBoundAddresses().get(profile).boundAddresses());
return transportAddress.address().getPort();
TransportAddress[] transportAddresses =
internalCluster().getInstance(Transport.class).profileBoundAddresses().get(profile).boundAddresses();
for (TransportAddress address : transportAddresses) {
if (address.address().getAddress().equals(localAddress)) {
return address.address().getPort();
}
}
throw new IllegalStateException("failed to find transport address equal to [" + NetworkAddress.format(localAddress) + "] " +
" in the following bound addresses " + Arrays.toString(transportAddresses));
}
}
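Review bot: In the rewritten `getProfilePort`, the result of `profileBoundAddresses().get(profile)` is dereferenced without a null check, so a mistyped or unbound profile name would surface as a NullPointerException rather than the descriptive IllegalStateException added a few lines below. Holding the lookup in a local and guarding it before the loop, e.g. `if (bound == null) throw new IllegalStateException("no bound addresses for profile [" + profile + "]");`, keeps the failure readable. The new exception message also joins `"] "` with `" in the following bound addresses "`, which prints a double space. Separately, in the hunk at -276/+278 the try block of testThatTransportClientWithOnlyTruststoreCanConnectToNoClientAuthProfile closes right after `addTransportAddress(...)` with no `assertGreenClusterState(transportClient);` visible, so this positive TLS test appears to pass even if the connection is refused; the start of that method lies outside the hunk, so this should be confirmed against the full file.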
