[CI] FIPS FollowIndexIT testDowngradeRemoteClusterToBasic failure to recreate SSL context #52034

Closed
albertzaharovits opened this issue Feb 7, 2020 · 5 comments
Labels
:Security/Security Security issues without another label Team:Security Meta label for security team >test-failure Triaged test failures from CI

@albertzaharovits
Contributor

This reproduces on master!

./gradlew ':x-pack:plugin:ccr:qa:downgrade-to-basic-license:follow-clusterRunner' --tests "org.elasticsearch.xpack.ccr.FollowIndexIT.testDowngradeRemoteClusterToBasic" \
  -Dtests.seed=FD9650072FA219B4 \
  -Dtests.security.manager=true \
  -Dtests.locale=nl \
  -Dtests.timezone=Europe/Zurich \
  -Dcompiler.java=13 \
  -Dtests.fips.enabled=true

        java.security.NoSuchAlgorithmException: Unable to invoke creator for DEFAULT: Default key/trust managers unavailable
            at org.bouncycastle.jsse.provider.BouncyCastleJsseProvider$BcJsseService.newInstance(BouncyCastleJsseProvider.java:388)	
            at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:236)	
            at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:164)	
            at java.base/javax.net.ssl.SSLContext.getInstance(SSLContext.java:184)	
            at java.base/javax.net.ssl.SSLContext.getDefault(SSLContext.java:110)	
            at org.elasticsearch.client.RestClientBuilder.createHttpClient(RestClientBuilder.java:212)	
            ... 40 more	
            Caused by:	
            java.security.KeyManagementException: Default key/trust managers unavailable	
                at org.bouncycastle.jsse.provider.DefaultSSLContextSpi.<init>(DefaultSSLContextSpi.java:88)	
                at org.bouncycastle.jsse.provider.BouncyCastleJsseProvider$7.createInstance(BouncyCastleJsseProvider.java:217)	
                at org.bouncycastle.jsse.provider.BouncyCastleJsseProvider$BcJsseService.newInstance(BouncyCastleJsseProvider.java:373)	
                ... 45 more	
                Caused by:	
                java.security.AccessControlException: access denied ("java.io.FilePermission" "/dev/shm/elastic+elasticsearch+master+matrix-java-periodic-fips/ES_BUILD_JAVA/openjdk13/ES_RUNTIME_JAVA/openjdk14/nodes/general-purpose/x-pack/plugin/ccr/qa/downgrade-to-basic-license/build/build-tools-exported/cacerts.bcfks" "read")	
                    at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)	
                    at java.base/java.security.AccessController.checkPermission(AccessController.java:1036)	
                    at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:408)	
                    at java.base/java.lang.SecurityManager.checkRead(SecurityManager.java:747)	
                    at java.base/java.io.File.exists(File.java:818)	
                    at org.bouncycastle.jsse.provider.ProvTrustManagerFactorySpi.getDefaultTrustStore(ProvTrustManagerFactorySpi.java:49)	
                    at org.bouncycastle.jsse.provider.ProvSSLContextSpi.getDefaultTrustManagers(ProvSSLContextSpi.java:302)	
                    at org.bouncycastle.jsse.provider.DefaultSSLContextSpi$LazyManagers.<clinit>(DefaultSSLContextSpi.java:57)	
                    at org.bouncycastle.jsse.provider.DefaultSSLContextSpi.<init>(DefaultSSLContextSpi.java:86)	
                    ... 47 more

Build scans:
https://gradle-enterprise.elastic.co/s/wfh66uffpg4hy
https://gradle-enterprise.elastic.co/s/ppmoxjtf2cvby
https://gradle-enterprise.elastic.co/s/b6kyaeu7kqrfy

@albertzaharovits albertzaharovits added >test-failure Triaged test failures from CI :Distributed Indexing/CCR Issues around the Cross Cluster State Replication features labels Feb 7, 2020
@elasticmachine
Collaborator

Pinging @elastic/es-distributed (:Distributed/CCR)

@albertzaharovits albertzaharovits changed the title FollowIndexIT testDowngradeRemoteClusterToBasic failure to recreate SSL context [CI] FollowIndexIT testDowngradeRemoteClusterToBasic failure to recreate SSL context Feb 7, 2020
@albertzaharovits
Contributor Author

Ooops, I just realized the name of the job matrix-java-periodic-fips and that the FIPS tests are not in a good mood today.

@albertzaharovits albertzaharovits added :Security/Security Security issues without another label and removed :Distributed Indexing/CCR Issues around the Cross Cluster State Replication features labels Feb 7, 2020
@elasticmachine
Collaborator

Pinging @elastic/es-security (:Security/Security)

@albertzaharovits
Contributor Author

cc @jkakavas

@albertzaharovits albertzaharovits changed the title [CI] FollowIndexIT testDowngradeRemoteClusterToBasic failure to recreate SSL context [CI] FIPS FollowIndexIT testDowngradeRemoteClusterToBasic failure to recreate SSL context Feb 7, 2020
jkakavas added a commit to jkakavas/elasticsearch that referenced this issue Feb 7, 2020
Our FIPS 140 testing depends on setting the appropriate java policy
in order to configure the JVM in FIPS mode. Some tests
(discovery-ec2 and ccr qa) also needed to set a custom policy file
to grant a specific permission, which overwrote the FIPS related
policy and tests would fail. This change ensures that when a
custom policy needs to be set in these tests, the permissions that
are necessary for FIPS are also set.

Resolves: elastic#51685, elastic#52034
jkakavas added a commit that referenced this issue Feb 8, 2020
@rjernst rjernst added the Team:Security Meta label for security team label May 4, 2020
jkakavas added a commit to jkakavas/elasticsearch that referenced this issue May 21, 2020
jkakavas added a commit that referenced this issue May 21, 2020
@jkakavas
Member

jkakavas commented Sep 2, 2020

Resolved in #52046

@jkakavas jkakavas closed this as completed Sep 2, 2020
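
A triage check for the failure mode in this issue, as an added example (not code from Elasticsearch or from this thread): it extracts the denied permissions from an AccessControlException trace and reports which ones a given Java policy text does not grant. The shortened path, the test-specific permission name and the FIPS read grant are constructed placeholders; codeBase scoping, `${property}` expansion and AllPermission are not modelled.

```python
import re

# Line-level patterns for a denied permission in a trace and a grant in a policy file.
DENIED = re.compile(r'access denied \("([\w.$]+)" "([^"]*)"(?: "([^"]*)")?\)')
GRANT = re.compile(r'permission\s+([\w.$]+)\s+"([^"]*)"(?:\s*,\s*"([^"]*)")?\s*;')

def _actions(raw):
    return frozenset(a.strip() for a in (raw or "").split(",") if a.strip())

def file_target_covers(granted, wanted):
    """FilePermission path rules: exact, dir/* (direct children), dir/- (recursive)."""
    if granted in ("<<ALL FILES>>", wanted):
        return True
    if granted.endswith(("/-", "/*")):
        prefix, rest = granted[:-1], wanted[len(granted) - 1:]
        if wanted.startswith(prefix) and rest:
            return granted.endswith("-") or "/" not in rest
    return False

def uncovered(trace, policy_text):
    """Denied permissions in `trace` that no grant in `policy_text` covers.
    Not modelled: codeBase scoping, ${property} expansion, AllPermission."""
    body = re.sub(r'(?m)^\s*//.*$', '', policy_text)  # drop comment lines
    grants = [(c, t, _actions(a)) for c, t, a in GRANT.findall(body)]
    missing = []
    for cls, target, raw in DENIED.findall(trace):
        need = _actions(raw)
        ok = any(
            g_cls == cls and need <= g_act and
            (file_target_covers(g_t, target) if cls == "java.io.FilePermission" else g_t == target)
            for g_cls, g_t, g_act in grants)
        if not ok:
            missing.append((cls, target, need))
    return missing

# Constructed inputs: shortened placeholder path and a hypothetical test-specific grant.
TRACE = 'java.security.AccessControlException: access denied ("java.io.FilePermission" "/build/build-tools-exported/cacerts.bcfks" "read")'
CUSTOM_ONLY = '''grant {
  // hypothetical permission a single test needs
  permission java.lang.RuntimePermission "exampleTestPermission";
};'''
MERGED = CUSTOM_ONLY + '''
grant {
  permission java.io.FilePermission "/build/build-tools-exported/-", "read";
};'''

if __name__ == "__main__":
    print("custom policy only:", uncovered(TRACE, CUSTOM_ONLY))
    print("custom + FIPS grants:", uncovered(TRACE, MERGED))
```
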