Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

LdapSessionFactoryTests fails on master #37013

Closed
javanna opened this issue Dec 28, 2018 · 3 comments
Closed

LdapSessionFactoryTests fails on master #37013

javanna opened this issue Dec 28, 2018 · 3 comments
Labels
:Security/Security Security issues without another label >test-failure Triaged test failures from CI

Comments

@javanna
Copy link
Member

javanna commented Dec 28, 2018

https://elasticsearch-ci.elastic.co/job/elastic+elasticsearch+master+matrix-java-periodic/ES_BUILD_JAVA=java11,ES_RUNTIME_JAVA=java8fips,nodes=virtual&&linux/145/

07:02:56   2> REPRODUCE WITH: ./gradlew :x-pack:plugin:security:unitTest -Dtests.seed=2AC4384D3530AF3 -Dtests.class=org.elasticsearch.xpack.security.authc.ldap.LdapSessionFactoryTests -Dtests.method="testBindWithReadTimeout" -Dtests.security.manager=true -Dtests.locale=mk -Dtests.timezone=Africa/Harare -Dcompiler.java=11 -Druntime.java=8FIPS -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.trustStorePassword=password
07:02:56   2> REPRODUCE WITH: ./gradlew :x-pack:plugin:security:unitTest -Dtests.seed=2AC4384D3530AF3 -Dtests.class=org.elasticsearch.xpack.security.authc.ldap.LdapSessionFactoryTests -Dtests.method="testBindWithReadTimeout" -Dtests.security.manager=true -Dtests.locale=mk -Dtests.timezone=Africa/Harare -Dcompiler.java=11 -Druntime.java=8FIPS -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.trustStorePassword=password
07:02:56   1> [2018-12-28T08:02:55,729][INFO ][o.e.x.s.a.l.LdapSessionFactoryTests] [testBindWithReadTimeout] after test
07:02:56 ERROR   0.10s J5 | LdapSessionFactoryTests.testBindWithReadTimeout <<< FAILURES!
07:02:56    > Throwable #1: LDAPException(resultCode=82 (local error), errorMessage='An error occurred while attempting to create an SSL client socket factory:  KeyManagementException(FIPS mode: only SunJSSE TrustManagers may be used), ldapSDKVersion=4.0.8, revision=28812')
07:02:56    > 	at com.unboundid.ldap.listener.InMemoryListenerConfig.createLDAPSConfig(InMemoryListenerConfig.java:346)
07:02:56    > 	at com.unboundid.ldap.listener.InMemoryListenerConfig.createLDAPSConfig(InMemoryListenerConfig.java:258)
07:02:56   2> REPRODUCE WITH: ./gradlew :x-pack:plugin:security:unitTest -Dtests.seed=2AC4384D3530AF3 -Dtests.class=org.elasticsearch.xpack.security.authc.ldap.LdapSessionFactoryTests -Dtests.method="testBindWithTemplates" -Dtests.security.manager=true -Dtests.locale=mk -Dtests.timezone=Africa/Harare -Dcompiler.java=11 -Druntime.java=8FIPS -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.trustStorePassword=password
07:02:56   2> REPRODUCE WITH: ./gradlew :x-pack:plugin:security:unitTest -Dtests.seed=2AC4384D3530AF3 -Dtests.class=org.elasticsearch.xpack.security.authc.ldap.LdapSessionFactoryTests -Dtests.method="testBindWithTemplates" -Dtests.security.manager=true -Dtests.locale=mk -Dtests.timezone=Africa/Harare -Dcompiler.java=11 -Druntime.java=8FIPS -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.trustStorePassword=password
07:02:56   2> REPRODUCE WITH: ./gradlew :x-pack:plugin:security:unitTest -Dtests.seed=2AC4384D3530AF3 -Dtests.class=org.elasticsearch.xpack.security.authc.ldap.LdapSessionFactoryTests -Dtests.method="testGroupLookupBase" -Dtests.security.manager=true -Dtests.locale=mk -Dtests.timezone=Africa/Harare -Dcompiler.java=11 -Druntime.java=8FIPS -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.trustStorePassword=password
07:02:56    > 	at org.elasticsearch.xpack.security.authc.ldap.support.LdapTestCase.startLdap(LdapTestCase.java:90)
07:02:56   2> REPRODUCE WITH: ./gradlew :x-pack:plugin:security:unitTest -Dtests.seed=2AC4384D3530AF3 -Dtests.class=org.elasticsearch.xpack.security.authc.ldap.LdapSessionFactoryTests -Dtests.method="testGroupLookupBase" -Dtests.security.manager=true -Dtests.locale=mk -Dtests.timezone=Africa/Harare -Dcompiler.java=11 -Druntime.java=8FIPS -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.trustStorePassword=password
07:02:56   2> REPRODUCE WITH: ./gradlew :x-pack:plugin:security:unitTest -Dtests.seed=2AC4384D3530AF3 -Dtests.class=org.elasticsearch.xpack.security.authc.ldap.LdapSessionFactoryTests -Dtests.method="testGroupLookupSubtree" -Dtests.security.manager=true -Dtests.locale=mk -Dtests.timezone=Africa/Harare -Dcompiler.java=11 -Druntime.java=8FIPS -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.trustStorePassword=password
07:02:56   2> REPRODUCE WITH: ./gradlew :x-pack:plugin:security:unitTest -Dtests.seed=2AC4384D3530AF3 -Dtests.class=org.elasticsearch.xpack.security.authc.ldap.LdapSessionFactoryTests -Dtests.method="testGroupLookupSubtree" -Dtests.security.manager=true -Dtests.locale=mk -Dtests.timezone=Africa/Harare -Dcompiler.java=11 -Druntime.java=8FIPS -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.trustStorePassword=password
07:02:56   2> REPRODUCE WITH: ./gradlew :x-pack:plugin:security:unitTest -Dtests.seed=2AC4384D3530AF3 -Dtests.class=org.elasticsearch.xpack.security.authc.ldap.LdapSessionFactoryTests -Dtests.method="testBindWithBogusTemplates" -Dtests.security.manager=true -Dtests.locale=mk -Dtests.timezone=Africa/Harare -Dcompiler.java=11 -Druntime.java=8FIPS -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.trustStorePassword=password
07:02:56    > 	at java.lang.Thread.run(Thread.java:748)
07:02:56   2> REPRODUCE WITH: ./gradlew :x-pack:plugin:security:unitTest -Dtests.seed=2AC4384D3530AF3 -Dtests.class=org.elasticsearch.xpack.security.authc.ldap.LdapSessionFactoryTests -Dtests.method="testBindWithBogusTemplates" -Dtests.security.manager=true -Dtests.locale=mk -Dtests.timezone=Africa/Harare -Dcompiler.java=11 -Druntime.java=8FIPS -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.trustStorePassword=password
07:02:56    > Caused by: java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used
07:02:56   2> REPRODUCE WITH: ./gradlew :x-pack:plugin:security:unitTest -Dtests.seed=2AC4384D3530AF3 -Dtests.class=org.elasticsearch.xpack.security.authc.ldap.LdapSessionFactoryTests -Dtests.method="testSslTrustIsReloaded" -Dtests.security.manager=true -Dtests.locale=mk -Dtests.timezone=Africa/Harare -Dcompiler.java=11 -Druntime.java=8FIPS -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.trustStorePassword=password
07:02:56    > 	at sun.security.ssl.SSLContextImpl.chooseTrustManager(SSLContextImpl.java:120)
07:02:56    > 	at sun.security.ssl.SSLContextImpl.engineInit(SSLContextImpl.java:83)
07:02:56    > 	at javax.net.ssl.SSLContext.init(SSLContext.java:282)
07:02:56   2> REPRODUCE WITH: ./gradlew :x-pack:plugin:security:unitTest -Dtests.seed=2AC4384D3530AF3 -Dtests.class=org.elasticsearch.xpack.security.authc.ldap.LdapSessionFactoryTests -Dtests.method="testSslTrustIsReloaded" -Dtests.security.manager=true -Dtests.locale=mk -Dtests.timezone=Africa/Harare -Dcompiler.java=11 -Druntime.java=8FIPS -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.trustStorePassword=password
07:02:56    > 	at com.unboundid.util.ssl.SSLUtil.createSSLContext(SSLUtil.java:394)
07:02:56    > 	at com.unboundid.util.ssl.SSLUtil.createSSLContext(SSLUtil.java:367)
07:02:56    > 	at com.unboundid.util.ssl.SSLUtil.createSSLSocketFactory(SSLUtil.java:443)
07:02:56   2> REPRODUCE WITH: ./gradlew :x-pack:plugin:security:unitTest -Dtests.seed=2AC4384D3530AF3 -Dtests.class=org.elasticsearch.xpack.security.authc.ldap.LdapSessionFactoryTests -Dtests.method="testGroupLookupOneLevel" -Dtests.security.manager=true -Dtests.locale=mk -Dtests.timezone=Africa/Harare -Dcompiler.java=11 -Druntime.java=8FIPS -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.trustStorePassword=password
07:02:56   2> REPRODUCE WITH: ./gradlew :x-pack:plugin:security:unitTest -Dtests.seed=2AC4384D3530AF3 -Dtests.class=org.elasticsearch.xpack.security.authc.ldap.LdapSessionFactoryTests -Dtests.method="testGroupLookupOneLevel" -Dtests.security.manager=true -Dtests.locale=mk -Dtests.timezone=Africa/Harare -Dcompiler.java=11 -Druntime.java=8FIPS -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.trustStorePassword=password

07:02:56 ERROR   0.06s J5 | LdapSessionFactoryTests.testBindWithTemplates <<< FAILURES!
07:02:56    > Throwable #1: LDAPException(resultCode=82 (local error), errorMessage='An error occurred while attempting to create an SSL client socket factory:  KeyManagementException(FIPS mode: only SunJSSE TrustManagers may be used), ldapSDKVersion=4.0.8, revision=28812')
07:02:56    > 	at com.unboundid.ldap.listener.InMemoryListenerConfig.createLDAPSConfig(InMemoryListenerConfig.java:346)
07:02:56    > 	at com.unboundid.ldap.listener.InMemoryListenerConfig.createLDAPSConfig(InMemoryListenerConfig.java:258)
07:02:56    > 	at org.elasticsearch.xpack.security.authc.ldap.support.LdapTestCase.startLdap(LdapTestCase.java:90)
07:02:56    > 	at java.lang.Thread.run(Thread.java:748)
07:02:56    > Caused by: java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used
07:02:56    > 	at sun.security.ssl.SSLContextImpl.chooseTrustManager(SSLContextImpl.java:120)
07:02:56    > 	at sun.security.ssl.SSLContextImpl.engineInit(SSLContextImpl.java:83)
07:02:56    > 	at javax.net.ssl.SSLContext.init(SSLContext.java:282)
07:02:56    > 	at com.unboundid.util.ssl.SSLUtil.createSSLContext(SSLUtil.java:394)
07:02:56    > 	at com.unboundid.util.ssl.SSLUtil.createSSLContext(SSLUtil.java:367)
07:02:56    > 	at com.unboundid.util.ssl.SSLUtil.createSSLSocketFactory(SSLUtil.java:443)
07:02:56    > 	at com.unboundid.ldap.listener.InMemoryListenerConfig.createLDAPSConfig(InMemoryListenerConfig.java:341)
07:02:56    > 	... 38 moreThrowable #2: java.lang.NullPointerException
07:02:56    > 	at org.elasticsearch.xpack.security.authc.ldap.support.LdapTestCase.stopLdap(LdapTestCase.java:114)
07:02:56    > 	at java.lang.Thread.run(Thread.java:748)
@javanna javanna added >test-failure Triaged test failures from CI :Security/Security Security issues without another label labels Dec 28, 2018
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-security

@jkakavas
Copy link
Member

jkakavas commented Dec 28, 2018
edited
Loading

Note: It looks like it only fails in FIPS 140 enabled JVMs.
Probably related to #36937. It's already late for Tim, I'll take a look shortly and address this or at least mute the offending tests

Update:
The issue is with com.unboundid.ldap.listener.InMemoryListenerConfig.createLDAPSConfig as we do not pass a clientSocketFactory SSLSocketFactory ( but only a serverSocketFactory SSLSocketFactory) so it results to attempting to create an com.unboundid.util.ssl.TrustAllTrustManager which is not allowed in a FIPS 140 JVM.

I'll push a fix shortly

jkakavas added a commit that referenced this issue Dec 28, 2018
@jkakavas
[TEST] Pass a clientSSLContext in LdapTestCase
44bd7db 
If we don't explicitly sett the client SSLSocketFactory when
creating an InMemoryDirectoryServer and setting its SSL config, it
will result in using a TrustAllTrustManager(that extends
X509TrustManager) which is not allowed in a FIPS 140 JVM.
Instead, we get the SSLSocketFactory from the existing SSLContext
and pass that to be used.

Resolves #37013
@javanna
Copy link
Member Author

javanna commented Dec 28, 2018

thanks @jkakavas !!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
:Security/Security Security issues without another label >test-failure Triaged test failures from CI
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@javanna @jkakavas @elasticmachine