From c9008db21219aafd5a27659b97f75d74170250a2 Mon Sep 17 00:00:00 2001 
From: Ioannis Kakavas Date: Fri, 6 Jul 2018 15:28:08 +0300 Subject: [PATCH 01/11] Complete changes for running IT in a fips JVM - Mute :x-pack:qa:sql:security:ssl:integTest as it cannot run in FIPS 140 JVM until the SQL CLI supports key/cert. - Set default JVM keystore/truststore password in top level build script for all integTest tasks in a FIPS 140 JVM - Changed top level x-pack build script to use keys and certificates for trust/key material when spinning up clusters for IT --- build.gradle | 14 ++ .../elasticsearch/gradle/BuildPlugin.groovy | 2 +- plugins/discovery-gce/build.gradle | 30 ---- .../action/admin/ReloadSecureSettingsIT.java | 6 +- .../test/rest/ESRestTestCase.java | 2 + x-pack/plugin/build.gradle | 47 +++--- .../rest-api-spec/test/ssl/10_basic.yml | 5 +- .../MlNativeAutodetectIntegTestCase.java | 11 +- x-pack/qa/ml-native-tests/build.gradle | 74 +++++++++ x-pack/qa/smoke-test-plugins-ssl/build.gradle | 152 +++--------------- ...keTestPluginsSslClientYamlTestSuiteIT.java | 4 +- .../qa/smoke-test-plugins-ssl/testclient.crt | 23 +++ .../qa/smoke-test-plugins-ssl/testclient.jks | Bin 0 -> 3358 bytes .../qa/smoke-test-plugins-ssl/testclient.pem | 30 ++++ x-pack/qa/smoke-test-plugins-ssl/testnode.crt | 23 +++ x-pack/qa/smoke-test-plugins-ssl/testnode.jks | Bin 0 -> 9360 bytes x-pack/qa/smoke-test-plugins-ssl/testnode.pem | 30 ++++ x-pack/qa/sql/security/ssl/build.gradle | 41 +++-- .../qa/sql/jdbc/JdbcIntegrationTestCase.java | 2 + 19 files changed, 290 insertions(+), 206 deletions(-) create mode 100644 x-pack/qa/ml-native-tests/build.gradle create mode 100644 x-pack/qa/smoke-test-plugins-ssl/testclient.crt create mode 100644 x-pack/qa/smoke-test-plugins-ssl/testclient.jks create mode 100644 x-pack/qa/smoke-test-plugins-ssl/testclient.pem create mode 100644 x-pack/qa/smoke-test-plugins-ssl/testnode.crt create mode 100644 x-pack/qa/smoke-test-plugins-ssl/testnode.jks create mode 100644 x-pack/qa/smoke-test-plugins-ssl/testnode.pem 
diff --git a/build.gradle b/build.gradle index 0d77f8fd59ef0..501caa2dea0a4 100644 --- a/build.gradle +++ b/build.gradle @@ -18,6 +18,7 @@ */ +import com.carrotsearch.gradle.junit4.RandomizedTestingTask import org.apache.tools.ant.taskdefs.condition.Os import org.apache.tools.ant.filters.ReplaceTokens import org.elasticsearch.gradle.BuildPlugin @@ -476,6 +477,19 @@ allprojects { tasks.eclipse.dependsOn(cleanEclipse, copyEclipseSettings) } +// Set the system keystore/truststore password if we're running tests in a FIPS-140 JVM +allprojects { + tasks.withType(RandomizedTestingTask) { + // So that this gets executed only right before the test runs + doFirst { + String inFipsJvmScript = 'print(java.security.Security.getProviders()[0].name.toLowerCase().contains("fips"));' + if (Boolean.parseBoolean(BuildPlugin.runJavascript(project, project.runtimeJavaHome, inFipsJvmScript))) { + systemProperty 'javax.net.ssl.trustStorePassword', 'password' + systemProperty 'javax.net.ssl.keyStorePassword', 'password' + } + } + } +} // we need to add the same --debug-jvm option as // the real RunTask has, so we can pass it through class Run extends DefaultTask { diff --git a/buildSrc/src/main/groovy/org/elasticsearch/gradle/BuildPlugin.groovy b/buildSrc/src/main/groovy/org/elasticsearch/gradle/BuildPlugin.groovy index 89e10c50ff782..a9f0e91e727c3 100644 --- a/buildSrc/src/main/groovy/org/elasticsearch/gradle/BuildPlugin.groovy +++ b/buildSrc/src/main/groovy/org/elasticsearch/gradle/BuildPlugin.groovy @@ -287,7 +287,7 @@ class BuildPlugin implements Plugin { } /** Runs the given javascript using jjs from the jdk, and returns the output */ - private static String runJavascript(Project project, String javaHome, String script) { + static String runJavascript(Project project, String javaHome, String script) { ByteArrayOutputStream stdout = new ByteArrayOutputStream() ByteArrayOutputStream stderr = new ByteArrayOutputStream() if (Os.isFamily(Os.FAMILY_WINDOWS)) { 
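Review bot: The FIPS check inside `doFirst` inspects only `Security.getProviders()[0]` and is evaluated again through `BuildPlugin.runJavascript` for every `RandomizedTestingTask`, so a FIPS provider registered at any other position goes undetected and each test task appears to pay for a separate `jjs` launch. Computing the answer once on first use and storing it (for example in a `rootProject.ext` property) would keep the lazy behaviour the comment asks for and give the two `'password'` literals a single home. The companion hunk in BuildPlugin.groovy drops `private` from `runJavascript`, which makes it public in Groovy; its doc comment could mention that build scripts now call it.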
diff --git a/plugins/discovery-gce/build.gradle b/plugins/discovery-gce/build.gradle index 82de9ba031b25..fa8005dfa4759 100644 --- a/plugins/discovery-gce/build.gradle +++ b/plugins/discovery-gce/build.gradle @@ -22,36 +22,6 @@ dependencies { compile "commons-codec:commons-codec:${versions.commonscodec}" } - -// needed to be consistent with ssl host checking -String host = InetAddress.getLoopbackAddress().getHostAddress(); - -// location of keystore and files to generate it -File keystore = new File(project.buildDir, 'keystore/test-node.jks') - -// generate the keystore -task createKey(type: LoggedExec) { - doFirst { - project.delete(keystore.parentFile) - keystore.parentFile.mkdirs() - } - executable = new File(project.runtimeJavaHome, 'bin/keytool') - standardInput = new ByteArrayInputStream('FirstName LastName\nUnit\nOrganization\nCity\nState\nNL\nyes\n\n'.getBytes('UTF-8')) - args '-genkey', - '-alias', 'test-node', - '-keystore', keystore, - '-keyalg', 'RSA', - '-keysize', '2048', - '-validity', '712', - '-dname', 'CN=' + host, - '-keypass', 'keypass', - '-storepass', 'keypass' -} - -// add keystore to test classpath: it expects it there -sourceSets.test.resources.srcDir(keystore.parentFile) -processTestResources.dependsOn(createKey) - dependencyLicenses { mapping from: /google-.*/, to: 'google' } diff --git a/server/src/test/java/org/elasticsearch/action/admin/ReloadSecureSettingsIT.java b/server/src/test/java/org/elasticsearch/action/admin/ReloadSecureSettingsIT.java index 2061349e3301d..3a041ad271850 100644 --- a/server/src/test/java/org/elasticsearch/action/admin/ReloadSecureSettingsIT.java +++ b/server/src/test/java/org/elasticsearch/action/admin/ReloadSecureSettingsIT.java 
@@ -45,6 +45,7 @@ import java.util.concurrent.CountDownLatch; import java.util.concurrent.atomic.AtomicReference; +import static org.hamcrest.Matchers.anyOf; import static org.hamcrest.Matchers.equalTo; import static org.hamcrest.Matchers.notNullValue; import static org.hamcrest.Matchers.nullValue; @@ -205,7 +206,10 @@ public void onResponse(NodesReloadSecureSettingsResponse nodesReloadResponse) { assertThat(nodesMap.size(), equalTo(cluster().size())); for (final NodesReloadSecureSettingsResponse.NodeResponse nodeResponse : nodesReloadResponse.getNodes()) { assertThat(nodeResponse.reloadException(), notNullValue()); - assertThat(nodeResponse.reloadException(), instanceOf(IOException.class)); + // Running in a JVM with a BouncyCastle FIPS Security Provider, decrypting the Keystore with the wrong + // password can return a SecurityException if the DataInputStream can't be fully consumed + assertThat(nodeResponse.reloadException(), + anyOf(instanceOf(IOException.class), instanceOf(SecurityException.class))); } } catch (final AssertionError e) { reloadSettingsError.set(e); diff --git a/test/framework/src/main/java/org/elasticsearch/test/rest/ESRestTestCase.java b/test/framework/src/main/java/org/elasticsearch/test/rest/ESRestTestCase.java index 937adddf3a43d..ab5c75d1a343d 100644 --- a/test/framework/src/main/java/org/elasticsearch/test/rest/ESRestTestCase.java +++ b/test/framework/src/main/java/org/elasticsearch/test/rest/ESRestTestCase.java @@ -435,6 +435,8 @@ protected RestClient buildClient(Settings settings, HttpHost[] hosts) throws IOE protected static void configureClient(RestClientBuilder builder, Settings settings) throws IOException { String keystorePath = settings.get(TRUSTSTORE_PATH); + System.out.println(settings); + System.out.println(keystorePath); if (keystorePath != null) { final String keystorePass = settings.get(TRUSTSTORE_PASSWORD); if (keystorePass == null) { 
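Review bot: The relaxed assertion in `onResponse` now accepts `SecurityException` in every JVM, although the added comment ties that exception to the BouncyCastle FIPS provider only. On a non-FIPS JVM a wrong keystore password that surfaces as `SecurityException` would then pass unnoticed. If the test framework exposes a FIPS-JVM check, keep `instanceOf(IOException.class)` as the default and allow `SecurityException` only when that check is true. The enclosing test method starts and ends outside the hunk.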
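Review bot: The two added `System.out.println` calls in `configureClient` look like leftover debugging and write the whole `Settings` object to the test output. The next visible lines read `TRUSTSTORE_PASSWORD` from those same settings, so whether the password value ends up in CI logs depends on how `Settings` renders itself, which is not visible here. Remove both lines; if the path is useful for diagnosis, log only `keystorePath` through the test logger. `configureClient` continues past the end of the hunk.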
diff --git a/x-pack/plugin/build.gradle b/x-pack/plugin/build.gradle
index 20ae41f10dc68..9d6b65267eb3f 100644
--- a/x-pack/plugin/build.gradle
+++ b/x-pack/plugin/build.gradle
@@ -104,39 +104,26 @@ integTestRunner { systemProperty 'tests.rest.blacklist', blacklist.join(',') } -// location of generated keystores and certificates +// location for keys and certificates File keystoreDir = new File(project.buildDir, 'keystore') - -// Generate the node's keystore -File nodeKeystore = new File(keystoreDir, 'test-node.jks') -task createNodeKeyStore(type: LoggedExec) { - doFirst { - if (nodeKeystore.parentFile.exists() == false) { - nodeKeystore.parentFile.mkdirs() - } - if (nodeKeystore.exists()) { - delete nodeKeystore +File nodeKey = new File(keystoreDir, 'testnode.pem') +File nodeCert = new File(keystoreDir, 'testnode.crt') + +// Add key and certs to test classpath: it expects them there +// User cert and key PEM files instead of a JKS Keystore for the cluster's trust material so that +// it can run in a FIPS 140 JVM +task copyKeyCerts(type: Copy) { + from('./core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/') { + include 'testnode.crt', 'testnode.pem' } - } - executable = new File(project.runtimeJavaHome, 'bin/keytool') - standardInput = new ByteArrayInputStream('FirstName LastName\nUnit\nOrganization\nCity\nState\nNL\nyes\n\n'.getBytes('UTF-8')) - args '-genkey', - '-alias', 'test-node', - '-keystore', nodeKeystore, - '-keyalg', 'RSA', - '-keysize', '2048', - '-validity', '712', - '-dname', 'CN=smoke-test-plugins-ssl', - '-keypass', 'keypass', - '-storepass', 'keypass' + into keystoreDir } - // Add keystores to test classpath: it expects it there sourceSets.test.resources.srcDir(keystoreDir) -processTestResources.dependsOn(createNodeKeyStore) +processTestResources.dependsOn(copyKeyCerts) integTestCluster { - dependsOn createNodeKeyStore + dependsOn copyKeyCerts setting 'xpack.ml.enabled', 'true' setting 'xpack.security.enabled', 'true' setting 'logger.org.elasticsearch.xpack.ml.datafeed', 'TRACE' 
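Review bot: The new comment above `copyKeyCerts` reads `User cert and key PEM files instead of a JKS Keystore for the cluster's trust material`, which has a typo and describes the node's private key as trust material. Suggested wording: `// Use PEM key and certificate files instead of a JKS keystore for the node's key material so that the cluster can run in a FIPS 140 JVM`. The retained `// Add keystores to test classpath: it expects it there` line further down now repeats the first new comment and no longer matches, since no keystore is copied. The `integTestCluster` block continues outside the hunk.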
@@ -145,18 +132,20 @@ integTestCluster { setting 'xpack.monitoring.exporters._local.enabled', 'false' setting 'xpack.security.authc.token.enabled', 'true' setting 'xpack.security.transport.ssl.enabled', 'true' - setting 'xpack.security.transport.ssl.keystore.path', nodeKeystore.name + setting 'xpack.security.transport.ssl.key', nodeKey.name + setting 'xpack.security.transport.ssl.certificate', nodeCert.name setting 'xpack.security.transport.ssl.verification_mode', 'certificate' setting 'xpack.security.audit.enabled', 'true' setting 'xpack.license.self_generated.type', 'trial' keystoreSetting 'bootstrap.password', 'x-pack-test-password' - keystoreSetting 'xpack.security.transport.ssl.keystore.secure_password', 'keypass' + keystoreSetting 'xpack.security.transport.ssl.secure_key_passphrase', 'testnode' keystoreSetting 'xpack.security.ingest.hash.processor.key', 'hmackey' distribution = 'zip' // this is important since we use the reindex module in ML setupCommand 'setupTestUser', 'bin/elasticsearch-users', 'useradd', 'x_pack_rest_user', '-p', 'x-pack-test-password', '-r', 'superuser' - extraConfigFile nodeKeystore.name, nodeKeystore + extraConfigFile nodeKey.name, nodeKey + extraConfigFile nodeCert.name, nodeCert waitCondition = { NodeInfo node, AntBuilder ant -> File tmpFile = new File(node.cwd, 'wait.success') diff --git a/x-pack/plugin/src/test/resources/rest-api-spec/test/ssl/10_basic.yml b/x-pack/plugin/src/test/resources/rest-api-spec/test/ssl/10_basic.yml index 7a87ef511e591..227d341b26d86 100644 --- a/x-pack/plugin/src/test/resources/rest-api-spec/test/ssl/10_basic.yml +++ b/x-pack/plugin/src/test/resources/rest-api-spec/test/ssl/10_basic.yml @@ -4,7 +4,6 @@ xpack.ssl.certificates: {} - length: { $body: 1 } - - match: { $body.0.path: "test-node.jks" } - - match: { $body.0.format: "jks" } - - match: { $body.0.alias: "test-node" } + - match: { $body.0.path: "testnode.crt" } + - match: { $body.0.format: "PEM" } - match: { $body.0.has_private_key: true } 
diff --git a/x-pack/qa/ml-native-multi-node-tests/src/test/java/org/elasticsearch/xpack/ml/integration/MlNativeAutodetectIntegTestCase.java b/x-pack/qa/ml-native-multi-node-tests/src/test/java/org/elasticsearch/xpack/ml/integration/MlNativeAutodetectIntegTestCase.java index 4e6fb03497e6a..9fad1ba040c5a 100644 --- a/x-pack/qa/ml-native-multi-node-tests/src/test/java/org/elasticsearch/xpack/ml/integration/MlNativeAutodetectIntegTestCase.java +++ b/x-pack/qa/ml-native-multi-node-tests/src/test/java/org/elasticsearch/xpack/ml/integration/MlNativeAutodetectIntegTestCase.java @@ -123,9 +123,11 @@ protected Collection> transportClientPlugins() { @Override protected Settings externalClusterClientSettings() { - Path keyStore; + Path key; + Path certificate; try { - keyStore = PathUtils.get(getClass().getResource("/test-node.jks").toURI()); + key = PathUtils.get(getClass().getResource("/testnode.pem").toURI()); + certificate = PathUtils.get(getClass().getResource("/testnode.crt").toURI()); } catch (URISyntaxException e) { throw new IllegalStateException("error trying to get keystore path", e); } @@ -134,8 +136,9 @@ protected Settings externalClusterClientSettings() { builder.put(SecurityField.USER_SETTING.getKey(), "x_pack_rest_user:" + SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING); builder.put(XPackSettings.MACHINE_LEARNING_ENABLED.getKey(), true); builder.put("xpack.security.transport.ssl.enabled", true); - builder.put("xpack.security.transport.ssl.keystore.path", keyStore.toAbsolutePath().toString()); - builder.put("xpack.security.transport.ssl.keystore.password", "keypass"); + builder.put("xpack.security.transport.ssl.key", key.toAbsolutePath().toString()); + builder.put("xpack.security.transport.ssl.certificate", certificate.toAbsolutePath().toString()); + builder.put("xpack.security.transport.ssl.key_passphrase", "testnode"); builder.put("xpack.security.transport.ssl.verification_mode", "certificate"); return builder.build(); } 
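Review bot: In `externalClusterClientSettings` the `catch (URISyntaxException e)` still reports `"error trying to get keystore path"` although the code now resolves `/testnode.pem` and `/testnode.crt`; something like `"error trying to get key and certificate paths"` matches the new behaviour. `getClass().getResource(...)` returns null when a resource is missing, which would surface as a NullPointerException outside this catch, so a null check that names the missing resource would make a misconfigured classpath easier to diagnose. The second hunk passes the passphrase as the plain setting `xpack.security.transport.ssl.key_passphrase`, while the cluster side stores `secure_key_passphrase` in the keystore; a one-line comment saying why the client side differs would help the next reader.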
diff --git a/x-pack/qa/ml-native-tests/build.gradle b/x-pack/qa/ml-native-tests/build.gradle
new file mode 100644
index 0000000000000..6b1859d234cc3
--- /dev/null
+++ b/x-pack/qa/ml-native-tests/build.gradle
@@ -0,0 +1,74 @@ +import org.elasticsearch.gradle.LoggedExec + +import java.security.Security + +apply plugin: 'elasticsearch.standalone-rest-test' +apply plugin: 'elasticsearch.rest-test' + +dependencies { + testCompile project(path: xpackModule('core'), configuration: 'runtime') + testCompile project(path: xpackModule('core'), configuration: 'testArtifacts') + testCompile project(path: xpackModule('ml'), configuration: 'runtime') + testCompile project(path: xpackModule('ml'), configuration: 'testArtifacts') +} + +integTestRunner { + /* + * We have to disable setting the number of available processors as tests in the same JVM randomize processors and will step on each + * other if we allow them to set the number of available processors as it's set-once in Netty. + */ + systemProperty 'es.set.netty.runtime.available.processors', 'false' +} + +// location for keys and certificates +File keystoreDir = new File(project.buildDir, 'keystore') +File nodeKey = new File(keystoreDir, 'testnode.pem') +File nodeCert = new File(keystoreDir, 'testnode.crt') +// Add key and certs to test classpath: it expects it there +task copyKeyCerts(type: Copy) { + from('../../plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/') { + include 'testnode.crt', 'testnode.pem' + } + into keystoreDir +} +// Add keys and cets to test classpath: it expects it there +sourceSets.test.resources.srcDir(keystoreDir) +processTestResources.dependsOn(copyKeyCerts) + +integTestCluster { + dependsOn copyKeyCerts + setting 'xpack.security.enabled', 'true' + setting 'xpack.ml.enabled', 'true' + setting 'logger.org.elasticsearch.xpack.ml.datafeed', 'TRACE' + setting 'xpack.monitoring.enabled', 'false' + setting 'xpack.security.authc.token.enabled', 'true' + setting 'xpack.security.transport.ssl.enabled', 'true' + setting 'xpack.security.transport.ssl.key', nodeKey.name + setting 'xpack.security.transport.ssl.certificate', nodeCert.name + setting 
'xpack.security.transport.ssl.verification_mode', 'certificate' + setting 'xpack.security.transport.ssl.certificate_authorities', nodeCert.name + setting 'xpack.security.audit.enabled', 'true' + setting 'xpack.license.self_generated.type', 'trial' + setting 'xpack.ml.min_disk_space_off_heap', '200mb' + + keystoreSetting 'bootstrap.password', 'x-pack-test-password' + keystoreSetting 'xpack.security.transport.ssl.secure_key_passphrase', 'testnode' + + setupCommand 'setupDummyUser', + 'bin/elasticsearch-users', 'useradd', 'x_pack_rest_user', '-p', 'x-pack-test-password', '-r', 'superuser' + + extraConfigFile nodeKey.name, nodeKey + extraConfigFile nodeCert.name, nodeCert + + + waitCondition = { node, ant -> + File tmpFile = new File(node.cwd, 'wait.success') + ant.get(src: "http://${node.httpUri()}/_cluster/health?wait_for_nodes=>=${numNodes}&wait_for_status=yellow", + dest: tmpFile.toString(), + username: 'x_pack_rest_user', + password: 'x-pack-test-password', + ignoreerrors: true, + retries: 10) + return tmpFile.exists() + } +} diff --git a/x-pack/qa/smoke-test-plugins-ssl/build.gradle b/x-pack/qa/smoke-test-plugins-ssl/build.gradle index 595c562af3707..361e6320e4c40 100644 --- a/x-pack/qa/smoke-test-plugins-ssl/build.gradle +++ b/x-pack/qa/smoke-test-plugins-ssl/build.gradle @@ -4,6 +4,7 @@ import org.elasticsearch.gradle.plugin.PluginBuildPlugin import org.elasticsearch.gradle.test.NodeInfo import javax.net.ssl.HttpsURLConnection +import javax.net.ssl.KeyManager import javax.net.ssl.KeyManagerFactory import javax.net.ssl.SSLContext import javax.net.ssl.TrustManagerFactory 
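Review bot: The new ml-native-tests build file imports `org.elasticsearch.gradle.LoggedExec` and `java.security.Security`, but nothing visible in it uses either; both can be dropped now that no keytool task remains. The two comments around `copyKeyCerts` say the same thing twice, the second with a typo (`cets`); one line such as `// Copy the node key and certificate onto the test classpath` above the task is enough. `xpack.security.transport.ssl.certificate_authorities` is set to `nodeCert.name` here but not in the matching block of x-pack/plugin/build.gradle, so a comment stating why this cluster pins trust to the node certificate would explain the difference.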
@@ -31,130 +32,25 @@ Object san = new SanEvaluator() // location of generated keystores and certificates File keystoreDir = new File(project.buildDir, 'keystore') +File nodeKeystore = new File(keystoreDir, 'testnode.jks') +File nodeKey = new File(keystoreDir, 'testnode.pem') +File nodeCert = new File(keystoreDir, 'testnode.crt') +File clientKeyStore = new File(keystoreDir, 'testclient.jks') +File clientKey = new File(keystoreDir, 'testclient.pem') +File clientCert = new File(keystoreDir, 'testclient.crt') -// Generate the node's keystore -File nodeKeystore = new File(keystoreDir, 'test-node.jks') -task createNodeKeyStore(type: LoggedExec) { - doFirst { - if (nodeKeystore.parentFile.exists() == false) { - nodeKeystore.parentFile.mkdirs() - } - if (nodeKeystore.exists()) { - delete nodeKeystore - } - } - executable = new File(project.runtimeJavaHome, 'bin/keytool') - standardInput = new ByteArrayInputStream('FirstName LastName\nUnit\nOrganization\nCity\nState\nNL\nyes\n\n'.getBytes('UTF-8')) - args '-genkey', - '-alias', 'test-node', - '-keystore', nodeKeystore, - '-keyalg', 'RSA', - '-keysize', '2048', - '-validity', '712', - '-dname', 'CN=smoke-test-plugins-ssl', - '-keypass', 'keypass', - '-storepass', 'keypass', - '-ext', san -} - -// Generate the client's keystore -File clientKeyStore = new File(keystoreDir, 'test-client.jks') -task createClientKeyStore(type: LoggedExec) { - doFirst { - if (clientKeyStore.parentFile.exists() == false) { - clientKeyStore.parentFile.mkdirs() - } - if (clientKeyStore.exists()) { - delete clientKeyStore - } - } - executable = new File(project.runtimeJavaHome, 'bin/keytool') - standardInput = new ByteArrayInputStream('FirstName LastName\nUnit\nOrganization\nCity\nState\nNL\nyes\n\n'.getBytes('UTF-8')) - args '-genkey', - '-alias', 'test-client', - '-keystore', clientKeyStore, - '-keyalg', 'RSA', - '-keysize', '2048', - '-validity', '712', - '-dname', 'CN=smoke-test-plugins-ssl', - '-keypass', 'keypass', - '-storepass', 'keypass', - 
'-ext', san -} - -// Export the node's certificate -File nodeCertificate = new File(keystoreDir, 'test-node.cert') -task exportNodeCertificate(type: LoggedExec) { - dependsOn createNodeKeyStore - doFirst { - if (nodeCertificate.parentFile.exists() == false) { - nodeCertificate.parentFile.mkdirs() - } - if (nodeCertificate.exists()) { - delete nodeCertificate - } - } - executable = new File(project.runtimeJavaHome, 'bin/keytool') - args '-export', - '-alias', 'test-node', - '-keystore', nodeKeystore, - '-storepass', 'keypass', - '-file', nodeCertificate -} - -// Import the node certificate in the client's keystore -task importNodeCertificateInClientKeyStore(type: LoggedExec) { - dependsOn createClientKeyStore, exportNodeCertificate - executable = new File(project.runtimeJavaHome, 'bin/keytool') - args '-import', - '-alias', 'test-node', - '-keystore', clientKeyStore, - '-storepass', 'keypass', - '-file', nodeCertificate, - '-noprompt' -} - -// Export the client's certificate -File clientCertificate = new File(keystoreDir, 'test-client.cert') -task exportClientCertificate(type: LoggedExec) { - dependsOn createClientKeyStore - doFirst { - if (clientCertificate.parentFile.exists() == false) { - clientCertificate.parentFile.mkdirs() - } - if (clientCertificate.exists()) { - delete clientCertificate - } +// Add keystores to test classpath: it expects it there +task copyKeyCerts(type: Copy) { + from('./') { + include '*.crt', '*.pem', '*.jks' } - executable = new File(project.runtimeJavaHome, 'bin/keytool') - args '-export', - '-alias', 'test-client', - '-keystore', clientKeyStore, - '-storepass', 'keypass', - '-file', clientCertificate -} - -// Import the client certificate in the node's keystore -task importClientCertificateInNodeKeyStore(type: LoggedExec) { - dependsOn createNodeKeyStore, exportClientCertificate - executable = new File(project.runtimeJavaHome, 'bin/keytool') - args '-import', - '-alias', 'test-client', - '-keystore', nodeKeystore, - '-storepass', 
'keypass', - '-file', clientCertificate, - '-noprompt' + into keystoreDir } - -forbiddenPatterns { - exclude '**/*.cert' -} - // Add keystores to test classpath: it expects it there sourceSets.test.resources.srcDir(keystoreDir) -processTestResources.dependsOn(importNodeCertificateInClientKeyStore, importClientCertificateInNodeKeyStore) +processTestResources.dependsOn(copyKeyCerts) -integTestCluster.dependsOn(importClientCertificateInNodeKeyStore, importNodeCertificateInClientKeyStore) +integTestCluster.dependsOn(copyKeyCerts) ext.pluginsCount = 0 project(':plugins').getChildProjects().each { pluginName, pluginProject -> @@ -167,8 +63,7 @@ integTestCluster { setting 'xpack.monitoring.collection.interval', '1s' setting 'xpack.monitoring.exporters._http.type', 'http' setting 'xpack.monitoring.exporters._http.enabled', 'false' - setting 'xpack.monitoring.exporters._http.ssl.truststore.path', clientKeyStore.name - setting 'xpack.monitoring.exporters._http.ssl.truststore.password', 'keypass' + setting 'xpack.ssl.certificate_authorities', 'testnode.crt' setting 'xpack.monitoring.exporters._http.auth.username', 'monitoring_agent' setting 'xpack.monitoring.exporters._http.auth.password', 'x-pack-test-password' setting 'xpack.monitoring.exporters._http.ssl.verification_mode', 'full' 
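Review bot: Replacing the keytool tasks with `copyKeyCerts` makes the build depend on checked-in certificates with a fixed validity period, whereas the removed tasks issued fresh ones on every build (`-validity 712`). The validity field encoded in the added testnode.crt and testclient.crt appears to end on 22 September 2019, after which certificate verification in these tests would start failing. A comment next to `copyKeyCerts` recording the expiry date and how the files were produced would make renewal routine. Listing the six file names in `include` instead of the `'*.crt', '*.pem', '*.jks'` globs would also keep stray key files in the project directory off the test classpath.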
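Review bot: In the `@@ -167,8 +63,7 @@` hunk the exporter-scoped `xpack.monitoring.exporters._http.ssl.truststore.*` settings are replaced by the global `xpack.ssl.certificate_authorities`, which changes trust for every SSL context that inherits the global defaults rather than only for the `_http` exporter. If only the exporter needs to trust testnode.crt, `setting 'xpack.monitoring.exporters._http.ssl.certificate_authorities', 'testnode.crt'` keeps the scope as narrow as before. The literal `'testnode.crt'` could also be written as `nodeCert.name`, matching how the other build files in this patch refer to it.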
@@ -176,14 +71,18 @@ integTestCluster { setting 'xpack.license.self_generated.type', 'trial' setting 'xpack.security.enabled', 'true' setting 'xpack.security.http.ssl.enabled', 'true' - setting 'xpack.security.http.ssl.keystore.path', nodeKeystore.name - keystoreSetting 'xpack.security.http.ssl.keystore.secure_password', 'keypass' + setting 'xpack.security.http.ssl.key', 'testnode.pem' + setting 'xpack.security.http.ssl.certificate', 'testnode.crt' + keystoreSetting 'xpack.security.http.ssl.secure_key_passphrase', 'testnode' setting 'xpack.ml.enabled', 'false' - // copy keystores into config/ extraConfigFile nodeKeystore.name, nodeKeystore + extraConfigFile nodeKey.name, nodeKey + extraConfigFile nodeCert.name, nodeCert extraConfigFile clientKeyStore.name, clientKeyStore + extraConfigFile clientKey.name, clientKey + extraConfigFile clientCert.name, clientCert setupCommand 'setupTestUser', 'bin/elasticsearch-users', 'useradd', 'test_user', '-p', 'x-pack-test-password', '-r', 'superuser' 
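Review bot: The `extraConfigFile` lines copy `testclient.jks`, `testclient.pem` and `testclient.crt` into the node's config directory, but the visible settings reference only `testnode.pem` and `testnode.crt`, and the wait condition in the next hunk reads `clientKeyStore` from the build directory. Unless something outside the hunk needs them, the node should receive only the files its settings name, so that client private key material does not sit in the server's config; the same question applies to `testnode.jks`. The removed `// copy keystores into config/` comment is worth keeping in updated form, e.g. `// copy the node key and certificate into config/`.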
@@ -193,13 +92,12 @@ integTestCluster { waitCondition = { NodeInfo node, AntBuilder ant -> File tmpFile = new File(node.cwd, 'wait.success') KeyStore keyStore = KeyStore.getInstance("JKS"); - keyStore.load(clientKeyStore.newInputStream(), 'keypass'.toCharArray()); - KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); - kmf.init(keyStore, 'keypass'.toCharArray()); + keyStore.load(clientKeyStore.newInputStream(), 'testclient'.toCharArray()); TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); tmf.init(keyStore); + // We don't need a KeyManager as there won't be client auth required so pass an empty array SSLContext sslContext = SSLContext.getInstance("TLSv1.2"); - sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom()); + sslContext.init(new KeyManager[0], tmf.getTrustManagers(), new SecureRandom()); for (int i = 0; i < 10; i++) { // we use custom wait logic here for HTTPS HttpsURLConnection httpURLConnection = null; diff --git a/x-pack/qa/smoke-test-plugins-ssl/src/test/java/org/elasticsearch/smoketest/SmokeTestPluginsSslClientYamlTestSuiteIT.java b/x-pack/qa/smoke-test-plugins-ssl/src/test/java/org/elasticsearch/smoketest/SmokeTestPluginsSslClientYamlTestSuiteIT.java index 8411a7eb5a4e7..9cb45472ed39c 100644 --- a/x-pack/qa/smoke-test-plugins-ssl/src/test/java/org/elasticsearch/smoketest/SmokeTestPluginsSslClientYamlTestSuiteIT.java +++ b/x-pack/qa/smoke-test-plugins-ssl/src/test/java/org/elasticsearch/smoketest/SmokeTestPluginsSslClientYamlTestSuiteIT.java 
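Review bot: `clientKeyStore.newInputStream()` in the wait condition is handed to `keyStore.load` and never closed. `clientKeyStore.withInputStream { keyStore.load(it, 'testclient'.toCharArray()) }` closes the stream once the store is loaded. The store is still opened with `KeyStore.getInstance("JKS")` and now serves only as a trust store, so a short comment saying why JKS remains acceptable in a patch aimed at FIPS JVMs would save the next reader the question. The `waitCondition` closure continues outside the hunk.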
@@ -29,7 +29,7 @@ public class SmokeTestPluginsSslClientYamlTestSuiteIT extends ESClientYamlSuiteT private static final String USER = "test_user"; private static final String PASS = "x-pack-test-password"; - private static final String KEYSTORE_PASS = "keypass"; + private static final String KEYSTORE_PASS = "testnode"; public SmokeTestPluginsSslClientYamlTestSuiteIT(@Name("yaml") ClientYamlTestCandidate testCandidate) { super(testCandidate); @@ -45,7 +45,7 @@ public static Iterable parameters() throws Exception { @BeforeClass public static void getKeyStore() { try { - keyStore = PathUtils.get(SmokeTestPluginsSslClientYamlTestSuiteIT.class.getResource("/test-node.jks").toURI()); + keyStore = PathUtils.get(SmokeTestPluginsSslClientYamlTestSuiteIT.class.getResource("/testnode.jks").toURI()); } catch (URISyntaxException e) { throw new ElasticsearchException("exception while reading the store", e); } diff --git a/x-pack/qa/smoke-test-plugins-ssl/testclient.crt b/x-pack/qa/smoke-test-plugins-ssl/testclient.crt new file mode 100644 index 0000000000000..18221208c162e --- /dev/null +++ b/x-pack/qa/smoke-test-plugins-ssl/testclient.crt 
@@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID1zCCAr+gAwIBAgIJALnUl/KSS74pMA0GCSqGSIb3DQEBCwUAMEoxDDAKBgNV +BAoTA29yZzEWMBQGA1UECxMNZWxhc3RpY3NlYXJjaDEiMCAGA1UEAxMZRWxhc3Rp +Y3NlYXJjaCBUZXN0IENsaWVudDAeFw0xNTA5MjMxODUyNTVaFw0xOTA5MjIxODUy +NTVaMEoxDDAKBgNVBAoTA29yZzEWMBQGA1UECxMNZWxhc3RpY3NlYXJjaDEiMCAG +A1UEAxMZRWxhc3RpY3NlYXJjaCBUZXN0IENsaWVudDCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBAMKm+P6vDAff0c6BWKGdhnYoNl9HijLIgfU3d9CQcqKt +wT+yUW3DPSVjIfaLmDIGj6Hl8jTHWPB7ZP4fzhrPi6m4qlRGclJMECBuNASZFiPD +tEDv3msoeqOKQet6n7PZvgpWM7hxYZO4P1aMKJtRsFAdvBAdZUnv0spR5G4UZTHz +SKmMeanIKFkLaD0XVKiLQu9/z9M6roDQeAEoCJ/8JsanG8ih2ymfPHIZuNyYIOrV +ekHN2zU6bnVn8/PCeZSjS6h5xYw+Jl5gzGI/n+F5CZ+THoH8pM4pGp6xRVzpiH12 +gvERGwgSIDXdn/+uZZj+4lE7n2ENRSOt5KcOGG99r60CAwEAAaOBvzCBvDAJBgNV +HRMEAjAAMB0GA1UdDgQWBBSSFhBXNp7AaNrHdlgCV0mCEzt7ajCBjwYDVR0RBIGH +MIGEgglsb2NhbGhvc3SCFWxvY2FsaG9zdC5sb2NhbGRvbWFpboIKbG9jYWxob3N0 +NIIXbG9jYWxob3N0NC5sb2NhbGRvbWFpbjSCCmxvY2FsaG9zdDaCF2xvY2FsaG9z +dDYubG9jYWxkb21haW42hwR/AAABhxAAAAAAAAAAAAAAAAAAAAABMA0GCSqGSIb3 +DQEBCwUAA4IBAQANvAkddfLxn4/BCY4LY/1ET3d7ZRldjFTyjjHRYJ3CYBXWVahM +skLxIcFNca8YjKfXoX8mcK+NQK/dAbGHXqk76yMlkrKjh1OQiZ1YAX5ryYerGrZ9 +9N3E9wnbn72bW3iumoLlqmTWlHEpMI0Ql6J75BQLTgKHxCPupVA5sTbWkKwGjXXA +i84rUlzhDJOR8jk3/7ct0iZO8Hk6AWMcNix5Wka3IDGUXuEVevYRlxgVyCxcnZWC +7JWREpar5aIPQFkY6VCEglxwUyXbHZw5T/u6XaKKnS7gz8RiwRh68ddSQJeEHi5e +4onUD7bOCJgfsiUwdiCkDbfN9Yum8OIpmBRs +-----END CERTIFICATE----- 
diff --git a/x-pack/qa/smoke-test-plugins-ssl/testclient.jks b/x-pack/qa/smoke-test-plugins-ssl/testclient.jks new file mode 100644 index 0000000000000000000000000000000000000000..d6dc21c1bd5ff4a248bfba5a171518cd649e278d GIT binary patch literal 3358 zcmdUxcTiLL7RPgw&_WA@Dgpr%0Ra2t|Qzqj*?h2U!6qpaA9r02UCG0-ZeoW^;$= z+VdV+;l3t{Je2F^&mzpV-Ik55-yc4+k?XPK74>5FEv@hI#YMj$eD{OMwLP6Xrpd6| z{K$HxQI)Ou(iWbPC+jt6?CQRb5*)aEfGniRI5FqcLHiQ;p}o(jZ|7`6aNfJpe13!k zCh7E`_Y&L)^3WAuS~wb)`b`lJNt|enT>{qi$;!lIjE|g3$7jVDsW_IQptJ4P zL_KSa{2N0Jo2a72upU2=xfl{80=FZCD7r1Ku3?_azxk;M5RFzjs_ zKf_4kUTx2YVRdXErDb5s1{7=fY2m5W~TP+I*SI_eDqkVFgr^#K@jnGp8M7_5B%id!j{Rv&0zj!Yy;vdaaEXaRK z3Yps5erJTjW`WDhK5+_Bg^lZ*JhHFtL&Ev+_n=EvycTOiJoKoHrJEbqjT3Y~`9*!N zAXfTHDe>tzYbk1m>yKNp%I5EoKuh3LB4BuxdYz1-ssS1NdTU_(g8ciq+SD-2ZQ0pz z(w#ktO)m4g<{~|xKN7B%NVRFXt=($KqN6oS2-CzB{pmOM{jS05_5y;w$U#8aSND=qq=4Q)zH9-M)(krDn_0B6!A2ffDf6 zs>-_VHI(yI-Q=9Y>n%IESBnAh?e|v&FmpY#K>oA4jKNz^W>yV&92Jvgx2o1@jS5z2 zHpH;V*6Qv_xdL;$(rmY5$EH>{mBfk#%GeK$Q_oHbrQU}P@M#zQ=j zQH$*F>*;VF(7G3_WU|N;`f&97%LF)%h0ze;TWAzar`HBTqn$Y(pQx}HeoB$H)tb5c z@fDh>j{u0pR#_c|0f8W+C<^2iiUMxRfq(%pm;>}^Fm*NAtWh4t&B~z=Wg4}?4FH@> z)jW>oLcv%er=c(egyiLh7D5U9@Hi3N1fq+#k2}tr;Npe5fR;uff5agOQKQ{)q%~8F zk;i^jW0Zt2H=0>qMHQ{3uA;7P&vY?NSLJv2AFV|Jq<3$HDfSQwz{~s#05C8G06?up z-xxG5wzn@|kZp6bqx|GFoJ?X>y2)QPul6N+<(0SSR$E?fJF*`qwSFT_h4p6c%&Jf4IkWAZsz2%8Za)J4=`tyO*nm3Iw8`U~bmy|kP zn>e{l%gU4D4RCS7Ps{yJEvG#M2k+{!mA3FwGBDtpfPnX4}KT>u9) zMS{Ft@Irpi-6|u;PuD~IC@Xwo?EFaeaq3P5A&v3gQitloZ6s4ZUCbjw3Za#QApi)- zCpV$U4JZy~=fn|EFbaec|6%e#g`fh-Lhv&hcbhMabotqW&-_F|=mcFvk#GKZ&j%$( zqsWmI4k8KXLcBoo_Mr&=VJiP>;YpWW+&w6;Kf-Dh;Xm!&IcmF-G`u~%hK4cc zHyX~I;@uChyT{CNW%d{VaW`;?`>w7~Z?XS?d|B4LC%su?@El+t=JUlfoXj*{N0vz2gvs8EzQ>8JSSjHOf+kE52K`Y01 zTq#Mb7|oqprG8n9&jH#1Zm))7fW2`o5`F93JHfzpzElyxZbirJ+mwadN&I(yp2_3Y zvlIDrGLqtW<<$OB@hl8>>+#vV*lgv=-geg(k-(K#R(h$C63XY^#|-j5e8HY3S-l_S zhb-W(eg5@E(dYN_X#zy%0f9m6KW;%DBs}4_JCOR_KiOw;4;f&xU;l6R>mCs`r&ONx z{N*rFrvD@RNR-5H>2fxDP27Oh^%h8T9@ni&m9mJW&;uoeU>%0o^0cU~5ps&#;HpeGr 
z1)J{oIek+S1e(apV@r#QO5GvFwWC*;yUt7ZGb#=7DsoZZ1e$a{LV6RVVm`k&t5UeR z8S@w-E{>Y`N>7L908h#7A-!?&u50S{c~PIy4f2T8J8uXR z?ep@F0-mM0&6i8m(CxA%ikmnCJAG18H{xiYCpapAw^{ur0-gTx!(4v%fmh{uN81bIz2 zcKv^F-`y$dv#l|H+2d?fvUGXI!6<}_%zTluTj;RqZC7{1F>9}xh!+DKEfXmh$90y< zgbKt+Xvr3C47R~I-J$-Whrc8^&UjYtSn%Fj<37$Ts9i*8PV=&v%wtuOtQ$+_I|s|x zkzTetw4lVU7S$t}f*Es_1Th_WNoZPPhF#v_xs=UBi`k>N&d79o1;dDE60{4X=_jQV zgko%{%CLO%#(=KmbIk>F{#aoF-h!qdmlIrlw^RV1W^^QE6s_ginyl|6j z9o8)(pZvO`ueni>;*0New^Q?*Ho3G@+opogGU&Ok?WxK&erQl-B5X4cc%7(>Dy!g~ ZL>oJOr20!OUT)aV(#sM_Gi@+F_b&|~n(_bu literal 0 HcmV?d00001 diff --git a/x-pack/qa/smoke-test-plugins-ssl/testclient.pem b/x-pack/qa/smoke-test-plugins-ssl/testclient.pem new file mode 100644 index 0000000000000..7268c55dba977 --- /dev/null +++ b/x-pack/qa/smoke-test-plugins-ssl/testclient.pem 
@@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: DES-EDE3-CBC,C98A45E4AFC263C2 + +wLuUEXldYc54r4ryWd6jw6UMGYwn6+ibGKHp4sD92l42lmI2UrCT/Mb/E0O+KMMy +pHgc5/dBWkXgMiqDyLIhHk4kgT40rdw5W5lZkAA4Qt/Yzd+rbscTvzp09zrF6Fll +czgoE7FrvhOKiEOakerTit4pIPYosdX606cpVQE2lq9oZs9HVMcLzdAZj8A/P/4g +fo4X3+zqVYC/LH4n00bhNoeeej2o1lEJ+l9u9hptT2ATXle6pANa83Ldg4OxJyj8 +dkR9ahnAMCvYTSjEU7nwmGNPeFX0PIUjJKQivr410cYG104DC30Yy+XrIUfjTVUi +agwlMpHoBq79/ZRUJR3xPLkIGgw4g+RPt45D9eKsEsV4vqy8SFlgaoJ2mKUKleZy +i7D9ouzMKQ3sYE4eQVQ5o3K8ZPn5eozCwCVIp7jGSsuvDpLA9peZSwWPfc5y8JFD +/64usCt1J8Mv/e9NVllC8ZA+ZmDitTiwLZysczpMOaFqqeUbk9EJst38n4nBzRV2 +quxvg9W/iveQIydFyftCtNfRkpbp0NCsLz293dBYwZacHsPcY27IBCwXHiICjiAW +q7bnisXsgSaQMhMNRGW9YElZGb7ZWxoIzcyNBisGI8zxn48ObERVOmkOFxY/gs9T +YmpVMliWtmRG6hb6iCh9b7z8THRquxgTGE9ZFBwtLUKg33aubtgAfnUh/Xq2Ue5K +l+ZCqDGEi/FSIjVENUNNntAx/vXeNPbkoGLb/HSJwAh+sjpaLGQ54xixCtE9l3NY +o2QAiZ804KLPaGtbbOv7wPumxQ+8mxG5FN0hTRrsMW9t8pBXw47iMy/T2H21TD5D +E5XbM6kFeBrnsWnZJ2/ieXqDE4SX0tm3WEvZlDg7N7jV8QDM/D3Xdkb/sqJRabMG +tQRgwkLiB+mZ5MAfGLogI2/lOEayrBVz4qYdXojewxY4LtaZ5HiUIlyA9CJelMvD +nS52I6+FpaFhvuZC10qaM9Ph9TNyx+XKRUsPILuDiBRnYiHUKs1qASl5tjn2yyjM +71WSo7A7btOckzhDZdMVf1T472f0LGsRYoQebMhotqCuR7yArZHzTeWB0CjL3tOz +j3QlhKt2E1jx43bSK5tBasd9Bpmn2onvdwu1RRP8cyQBsXJSDy4/8t/g63+C3wod +8VPrlKhK+TenK9EoEqJ2mNuNq+duOjTXfK/7GM5s0BFKv+i2ckpDi1NPckd2gXjF +yUFZhmK6k0WC4jjWloMt+WQpi1rXMEXwCypgTrqWbvD0p6+X3uQmP57L4yHQcZoW +Qcs5GnihJ0DIhw9vYDhBhNo0WY1oBO20nVCN3R/JIpp3uDtg64WvfvMSXzJIPBCY +s+/GM5TtuD6mERDu3+qXxWwiy4PMQRcgjRTMEZ3A4Iv77YfQRkcd6S9qjUUuR/5D +xs+J4ryb1biz9ofW7I+Dbz4SArWSgwcuh14AV9RBv6Rh9m83rjT2K0yvbe/+7hHW +R8nzRMqJcGNGCHmRjA/cwoiv6+k2J/RbCJqnR3RmNex/85XaXBfZwRfHXVbzZQfa +SrFaaNLf1hMwGLAJjIcQRxa3yZbjFXVx1Bp4hh8rKNWaOItjavNtNg== +-----END RSA PRIVATE KEY----- diff --git a/x-pack/qa/smoke-test-plugins-ssl/testnode.crt b/x-pack/qa/smoke-test-plugins-ssl/testnode.crt new file mode 100644 index 0000000000000..08c160bcea5ff --- /dev/null 
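Review bot: The private key added here uses the legacy OpenSSL PEM encryption (`Proc-Type: 4,ENCRYPTED`, `DEK-Info: DES-EDE3-CBC`), which, as far as I know, derives the 3DES key from the passphrase with a single MD5 pass. Since this series exists to run the integration tests in a FIPS 140 JVM, please confirm the provider in use accepts that derivation, or re-encode the fixture as an encrypted PKCS#8 key. The same applies to testnode.pem in this commit and to both copies under test/cert-files in PATCH 04. The build scripts pass the passphrase in clear (`secure_key_passphrase', 'testnode'`), so these keys are public test fixtures; a short README next to them saying so, and that they must never be used outside the test clusters, would help.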
+++ b/x-pack/qa/smoke-test-plugins-ssl/testnode.crt @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID0zCCArugAwIBAgIJALi5bDfjMszLMA0GCSqGSIb3DQEBCwUAMEgxDDAKBgNV +BAoTA29yZzEWMBQGA1UECxMNZWxhc3RpY3NlYXJjaDEgMB4GA1UEAxMXRWxhc3Rp +Y3NlYXJjaCBUZXN0IE5vZGUwHhcNMTUwOTIzMTg1MjU3WhcNMTkwOTIyMTg1MjU3 +WjBIMQwwCgYDVQQKEwNvcmcxFjAUBgNVBAsTDWVsYXN0aWNzZWFyY2gxIDAeBgNV +BAMTF0VsYXN0aWNzZWFyY2ggVGVzdCBOb2RlMIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEA3rGZ1QbsW0+MuyrSLmMfDFKtLBkIFW8V0gRuurFg1PUKKNR1 +Mq2tMVwjjYETAU/UY0iKZOzjgvYPKhDTYBTte/WHR1ZK4CYVv7TQX/gtFQG/ge/c +7u0sLch9p7fbd+/HZiLS/rBEZDIohvgUvzvnA8+OIYnw4kuxKo/5iboAIS41klMg +/lATm8V71LMY68inht71/ZkQoAHKgcR9z4yNYvQ1WqKG8DG8KROXltll3sTrKbl5 +zJhn660es/1ZnR6nvwt6xnSTl/mNHMjkfv1bs4rJ/py3qPxicdoSIn/KyojUcgHV +F38fuAy2CQTdjVG5fWj9iz+mQvLm3+qsIYQdFwIDAQABo4G/MIG8MAkGA1UdEwQC +MAAwHQYDVR0OBBYEFEMMWLWQi/g83PzlHYqAVnty5L7HMIGPBgNVHREEgYcwgYSC +CWxvY2FsaG9zdIIVbG9jYWxob3N0LmxvY2FsZG9tYWluggpsb2NhbGhvc3Q0ghds +b2NhbGhvc3Q0LmxvY2FsZG9tYWluNIIKbG9jYWxob3N0NoIXbG9jYWxob3N0Ni5s +b2NhbGRvbWFpbjaHBH8AAAGHEAAAAAAAAAAAAAAAAAAAAAEwDQYJKoZIhvcNAQEL +BQADggEBAMjGGXT8Nt1tbl2GkiKtmiuGE2Ej66YuZ37WSJViaRNDVHLlg87TCcHe +k2rdO+6sFqQbbzEfwQ05T7xGmVu7tm54HwKMRugoQ3wct0bQC5wEWYN+oMDvSyO6 +M28mZwWb4VtR2IRyWP+ve5DHwTM9mxWa6rBlGzsQqH6YkJpZojzqk/mQTug+Y8aE +mVoqRIPMHq9ob+S9qd5lp09+MtYpwPfTPx/NN+xMEooXWW/ARfpGhWPkg/FuCu4z +1tFmCqHgNcWirzMm3dQpF78muE9ng6OB2MXQwL4VgnVkxmlZNHbkR2v/t8MyZJxC +y4g6cTMM3S/UMt5/+aIB2JAuMKyuD+A= +-----END CERTIFICATE----- 
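Review bot: The validity period encoded in this certificate appears to run from 2015-09-23 to 2019-09-22 (the two UTCTime values near the start of the body), which is about fourteen months after this commit. Every cluster in this series that verifies the certificate would start failing its TLS handshakes on that date. I would regenerate the fixture with a long validity, or at least record the expiry date and the command used to create it next to the file. The copies added under test/cert-files/src/main/resources in PATCH 04 (testnode.crt and testclient.crt) carry the same dates.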
diff --git a/x-pack/qa/smoke-test-plugins-ssl/testnode.jks b/x-pack/qa/smoke-test-plugins-ssl/testnode.jks new file mode 100644 index 0000000000000000000000000000000000000000..ebe6146124e8fd607e46a1a3129bdf9b4de0370d GIT binary patch literal 9360 zcmdUV2T)YowrzLQl93!F2SGC3WF$w)IfLYGK$2vT*iDigl`N7oh@eEt83BokWI;th zKok%V_zil_#dF{N=hmxN@83^VSMRxd)mp3enq$l{$L93&>1O}{0788*FTTk=VD28y zE;cYOYe##Svj^8*Hy60QBMbllY8=Nx4**vTxdk91003Gv1c?>_L4sT!qk(`R5Eh_) zU50G!4F3%T4;_m=TrvCr4+zA$0)Q|==^?b}XnJ5Y;(s+egq9o+ikg;}4=OCcDIVy2IuGcP39Gn>U% zK!zH|Y#zr76z$THNrVtl2Hz*duE|_x{SHKW=Wy9~#x0?_!WxzreKbBd_{B!%FFc+} z#hS1iA!Ph9s*KL}5ZCWMX)1FD)R@OQManE3e-@+qd0nOC5~I@Wvv)K719(Ez^^D!& zt6;h^oFHXs|H>4zGnJ%}f+`Pp>rEdE;=+o<-25$T9lIy1B0c;S!Z_r&_k6nwupM+P z`QIj_3i+10?X14(vmJKmiZElETC3=_VBSWbe19M>na%UTgjKu!)Hb0X5AJ>=1@Lw7vcxjN}1eMG&CU^70?>@)@Jj3w6do zK=}wbX`7exBW2Hy$yVaDo$ICp=}fYb@;nQCWlEe6F`UeJ?OsbuRMGQ zgd{VQ1`}qlEo37p4u-{8N|I&os?=jM_S_F93rh*dwGvc4>^v;F@<@1%AfI?JIxoOG#d{a^ zfIt8&OKT5%FPM$J8|t~~u}>Z;{sXMDD6qapfwk=?SP2aA8Y;D$$)co!mluiHCH4RE zP$7X(VhABRHdYc#Wb!Vj4e%Nnnzf4)lmZJVJR-@b8DwGjw9y}xw)Rb-X`tOZ@L?r7m{x$tD>pf-DK8J8PK&?Rve%UmMWfn zkY1J8$6e`6OS^j3!ZBdDpQ)-!J@JJ984?Dw%90 z9h9Kf+y~ zZ;X4CM_eV}GZ5(`=K*hqpZ8TuPP9ObD5GdI!|KXQ!DE#8?8q-!J#9& z<{0CP?#6ZZ#oFo@=oP4^3J28dh2~!eXSx~~6ipLu^f&9MPd~6p^1dZo&i#yysyksD zk}_18V>Qk~vQwzp^Jc<7;yAcH?9kbl>dg;vDb^QW7vRS}huY7Q{j*f_g#JtPV*wf` zQ+Jb8TG{^cI3dbVTnP3#FtLfzT-or(bOGc4(Y5{#j-5r{Ppfe;7RN>qhPm0{UaW%Vx1xCa5qm=3uM*tyDmx^f zYB_a@Gg~w4N2l?k$LGG^P!NIepM`u@h$CVHNvqI zC)X{Bme~#(ow!*Q{K^N&ikb6+rMH->KX;ZbN6hV7!(1Bu`qVw?;aP#3&Yrekzjpej zK?ev|N zXpSYGJX7Ur@l^_!fa=P>E&WMk1O|eS+U?%te$I}MSaKjCeWH%kki*#p`IR^ zVzx|rZ=W!gg0!F0H2VQ^^Fbof!}9le_))5Y=S5|6FO7Cv zbx_><@>*LeHI$ay>|Nv}{__#cG`gqE5HI=yy!zq2=%Sr>Y-uEp7wE@yxeIf4w6R19 z0pRVhFITw##6I{Y1PK;IRe#z)WcoxH4#%|zmFAbRe+4DeU7$D@vJi|;4ARs2BfumE z$x8ph0~o}3YA&A69w?nhuWt|Yh7v%o{$vY`Up(-~NEBoI#tcxx3+_iT2BrpTtEzI+ znim8i1QFsDfC}TOWK!IHlvq*$BEG}@fH_Cm@4K8Uq-IvD*m|7@F6Jq zuwGO-ZesCM!egNa*#)E@4QIrW8I23(sbgFL z-JqdF#j`8Vy}VmdE^%g2k0bzk-aO3BahcB5rNS 
zxl7R4(8SoexacwQK1c1P8)rsVPYAtP{l+gAnS>z5E){N%TZk`R&*4@b12lj~mK`oDh0NG!mg`Hy?PMdCk{$fc$gg@y}Zfu}F? zSu0-A5J<7i9~u3DF0|o^$U)%UsmE_ku>)^Gq%Eedjl|h!miFi4Sf0Lza4Yh$3`(a- zlSoW|GYZ|6+ksyVU2ZqAPbBTjepxQ8f5SX?^^wnbkC^~H#@eED&|5^5(CZW?&81lp zuK(Kl>+YUJ=bsA;AOPnN zL%!JXclJ}LX4jeGrIbUTc!v*~SOh1OiRa(L7uS+&TRqzL$=2m37@-?ugp z;<967zk5`#GF$mwu!!%bjbE#w?DiH;8#?Wzm57N|0FrE zn;pF<1Q#6>WkZaJqlDvMT!`PO>8EH>M_C>hj3f*ZfC@oG_ynO46eIBqKp_y`U*T^q z#J`%u2ttgGaj`B4_-g}bKnye)0C)>_&44m!Or)#1Ut8&;!v0wFl7XiLS&Hkpf6yQ+ zS$u^RL1(ei^U17X7FKiWIm_PUG%*qPkB-&%nj|U<+I{m8br3|&CFH3AtedxB3{(XP zEn%Zcf>g8WD}%`mB@~WM zp9uG(2Oy&6>W}bkjBJFW3kT}F6e9aa)BSXsD4RZ=aNVx{s&pychT8+Y$$l_!H^FaL z3LLd5q?EMk(g;f9FP8|X)yaCx6I!~n)nmu%`$=|;KQj#O^GGWI)jJJs z7>Ac9vNah6&K&AwA1hzS{iHejdVYVmZF*^BM|8K!2)nP`sY>CxeFi~sC&l{Y_0{O- zR3w-dQMDW`5;v=7NA6>dI8VL&`0&n)2=-n!aIaAxvy^GPc>jC8J0k!|&vN;X?e2o? zwky$-nw!ods}&g=K8Qr_j^(ku%x(XbPEm^7#X#04E>m|5a#SCvn|mjcA-(GfSo!6& zwo4GA-&byR`#aIaH8CYDzQA5wsTt$tD+m|9?pO*JTVtH)G_p-^rk-c&&hGLBJ0dr& z2HYnandk_~8S)LW z{)anZ&dF##-IbO!HlOrrA1oi$i|ZKRW2P#NW12=pa%4>IZtA*obM+ zUr`Tno4i}q5^Kd+o7JSL=5rZPlc46PloNW-aFxv_(_h*;*fV`daXfEiSnv3Vr)ub+ zGvw0>%{HX26_R#m)1Q}ov&mmtWdu>LrUjHJ2jK4u9jC@di^dq=M4hG)N(@7*Ibn94fDkgeZ1{bnK4+j=-Bc-b2kbl zB2~`9MlJg3nM9CMwMj#DMNZkY^(!}d=9l~B)2~-t=jY-H@fnybqV&{T6)llgafjWi zre8Oej@qni0pGukP;yElQPyUbR0vj64{6xhQ&{gaRu9*}FbDPDrKEY?oF2X`^?(_4 zmb)GR`9|N;k_xAaOKOcB-X5VI4lS)VpXq&hy5>;c=;P=Toe{dSmZd>q!5ROshhh@8 zezz8bnn9YgLPmvb&zHYGpx{ZvsYY(jgBa_`6ML+^wSF{M8|!4r?N-PPovp{FEv z=Pcib1<|(w1v)7kIBo9?+~*w?elzPllgNPEn;f9$IlZoM!$#4pBvCIflR?r-u)c6+ z(<;2~Ya?~aow*x1$ftJceu3cv-rdSCcqt5`!-iUS;QcI~^>3#oN1~~|xtRM0-|ar2 z-}HJmdu!h-8}h(C+}L*|A=$sKNQ*=nCXxLHm$0Of+U)vQ=e8;`-id27tf^>6nRV(o zD_35LMQCiXvc;2P5C$3ZExN#sI331)j7wM4?A}WR5y0vQHB4^!9Cb#LW2-5h8Wg_W zE?(7>&&`t(tsSfKU2gO8^6pwlf#)k(@H#E`*xxz}(ZGA`$b|V!H-7Eo_a;mxUQoaG z@iUWo&dy;${A)aMi66W&;E|)TL`@ITKe|!zaenPBdhYvMi9C1z&?Zn0VDle+KtrRW z&1xm~aLZ+Za#F!ldcDg52k7y8`+5HkKBT>PLT)EHQ+wS0?)^4H3rz7L`xRQ?0#5WuV4tJA^+R{Ul!N!Swi%8vAG}bX`+Jl 
z{oGbt`~Cx^#3hmbhxOmzd(GpA;JlOb?eHYV$_$QhVoRotB5vEjX~hRt_QbNfZtp`z zCa^jdlJCrmZdH&KP`Nvizsp}P9;bei0LINMRZ>umh z@wu?rUddcG(Rvf=W_VWZm(bV2C!R@~vHk=`B}z~dn3j-Xlqa^He3+oVCSlzhnr_T4 z7xI#}+RkP5Md<>pSR;^knyvj{LXvJ+Xj7FairmPhUH(WR%z8ECi!=5X-}D$9J9kN- zC$E~1Wqy*4yp5$n!!{%z@uufhdn+l@)27$nh~I1VmcvD^9)+Fcjc{mRqB-6n{4VXay+HKSqK6{!h@8K($I}H)GZL zd+vn7OSEuCTdiM0|B8QpC@%zZ-qoWKv;9Igy)4Yl!yayLZRr7{*L87mq?h*eaIu9s z!`x7JZ0LU(_QDWeC`vr@i$J00%{&wp^8X4Ugiw6cLKm~5yIVS0S@NUg`v3iXT_puI zWzN=ski(8IGp7|TpM;&i+%EXYl{BUj)_2s7CuR6q-a0@K^u0%!{YEWpYsrF1XERyZ zf$tMSTink}o&$ffH!`}Es;V{6M4j$g-H?#|zQ}jW+UO?yG=&aPZ`u&)cNLS#c$E%; zP1mx?uy^0lDm~1Sxl4AS3}fIGtsrpPzu9UsUFfLaHBjFbJbOC8(^<{SnS0n!StB#g zL}+<5vF5jPm0~0Vjt%Q?>}z(+kvmw*edbY` z@SqjXB|6rfvcCz`u_)Y;_+8ajHX`pJD&kNHczrrb!=?w{fiV124cV4iCdMz&zJwqK zE{Xo+XoqLy?Bk=64cI=0e(aTjm0Xe#m-AMZ32X;}2a~{K(-z>-Z{9+k8X@v&$i>E+ zQXRR%1%i z+gZhDOYfLI95J{tK}^7qxH4qdT=iwIXI;%~<(7x#tDq?=+?_Bwkrz$Q`TdVlR))UZ zB@j7mCy|Sc;&$|B7PbW~9eY=&!EdvD*IjQ)sB0(+cInMrs1{CN7*c3cOPQ|Rp{(Mt zOjz!_eLXl-Mnq|AsoQfh;NJug*Q+l)T z8)*rHeYv|M#Ut?%U?vsg>xas%hWwvYC#0-Sur)F2=FtkgqgCA#-e%z?+T?CPv=igi zT1bbmLe@F14M@f`Vd)CEd&TVRZ9lERix`Pv&Rj93@;7`u^|14k-pNBn{fTijp&Qtp z1B1q7E%*$Cjn_4DC1sJoqaH8jlQik)F@7bhGU9K_XgO4mt1xyV1wx@8p6R>!Z=zo} zJP|z{6Si_^2=pvzAdCS%KC?wD74V_1_=k2eaRNll~ zg_)0a(KkYGbiWo&D8{^z3der9T|L|venrzv_U)qcQ^$MFo;M|wFp-P!qEO(#sfdZ1oL-r?nXuCiHy2Qq0 ziM;!sUs2F`&Az?Mh;}V|OcB@zA_b&cXvUK=;k^R`-C{MPC+tX)V!8h%5RdT?@P(Uf7yaQA1qCnw{nH+*r>*BMBG9Ld(hllZ5Ey>&8FWz*Q!dPYoj zCzFk0KZGQUrz|3zXT|9#%3tEMsddw5y@{5+yMt>KbeorB%SpCOL#uM0uGFADE&g#g#^|1;Itr9?;L0YErGBwTfC_I{Rc$*iOkJ|A4=@L50Z x`UE0joFCFX(i+qD)1h^DcPJOtN>)kRbQgMUO*p!K@AKymmi%I+{Ip*({}0#og{%Mo literal 0 HcmV?d00001 diff --git a/x-pack/qa/smoke-test-plugins-ssl/testnode.pem b/x-pack/qa/smoke-test-plugins-ssl/testnode.pem new file mode 100644 index 0000000000000..5a67e1033440d --- /dev/null +++ b/x-pack/qa/smoke-test-plugins-ssl/testnode.pem 
@@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: DES-EDE3-CBC,9D867F7E0C94D013 + +dVoVCjPeg1wgS7rVtOvGfQcrZyLkx393aWRnFq45tbjKBVuITtJ9vI7o4QXOV/15 +Gnb6WhXGIdWrzsxEAd46K6hIuNSISd4Emsx6c2Q5hTqWXXfexbOZBNfTtXtdJPnJ +1jAaikhtztLo3JSLTKNY5sNxd+XbaQyYVUWvueK6zOaIIMETvB+VPVFd9i1ROibk +Sgdtyj01KjkoalifqK/tA0CIYNKL0S6/eoK3UhAlpIprlpV+cnXa940C6bjLeJPt +PMAGGp5RrplxSgrSerw3I9DOWkHGtpqzIka3XneNUXJP8k4HUJ+aZkGH2ZILKS8d +4KMIb+KZSpHEGn+6uGccWLtZZmAjWJrDw56JbQtSHdRYLBRSOjLbTvQoPu/2Hpli +7HOxbotlvjptMunncq5aqK57SHA1dh0cwF7J3LUmGFJ67eoz+VV3b5qMn4MopSeI +mS16Ydd3nGpjSrln/elM0CQxqWfcOAXRZpDpFUQoXcBrLVzvz2DBl/0CrTRLhgzi +CO+5/IVcBWRlYpRNGgjjP7q0j6URID3jk5J06fYQXmBiwQT5j+GZqqzpMCJ9mIy2 +1O9SN1hebJnIcEU+E0njn/MGjlYdPywhaCy8pqElp6Q8TUEJpwLRFO/owCoBet/n +ZmCXUjfCGhc1pWHufFcDEQ6xMgEWWY/tdwCZeSU7EhErTjCbfupg+55A5fpDml0m +3wH4CFcuRjlqyx6Ywixm1ATeitDtJl5HQTw6b8OtEXwSgRmZ0eSqSRVk9QbVS7gu +IpQe09/Zimb5HzjZqZ3fdqHlcW4xax8hyJeyIvF5ZJ57eY8CBvu/wP2GDn26QnvF +xQqdfDbq1H4JmpwUHpbFwBoQK4Q6WFd1z4EA9bRQeo3H9PoqoOwMDjzajwLRF7b7 +q6tYH/n9PyHwdf1c4fFwgSmL1toXGfKlA9hjIaLsRSDD6srT5EdUk78bsnddwI51 +tu7C7P4JG+h1VdRNMNTlqtileWsIE7Nn2A1OkcUxZdF5mamENpDpJcHePLto6c8q +FKiwyFMsxhgsj6HK2HqO+UA4sX5Ni4oHwiPmb//EZLn045M5i1AN26KosJmb8++D +sgR5reWRy+UqJCTYblVg+7Dx++ggUnfxVyQEsWmw5r5f4KU5wXBkvoVMGtPNa9DE +n/uLtObD1qkNL38pRsr2OGRchYCgEoKGqEISBP4knfGXLOlWiW/246j9QzI97r1u +tvy7fKg28G7AUz9l6bpewsPHefBUeRQeieP9eJINaEpxkF/w2RpKDLpQjWxwDDOM +s+D0mrBMJve17AmJ8rMw6dIQPZYNZ88/jz1uQuUwQ2YlbmtZbCG81k9YMFGEU9XS +cyhJxj8hvYnt2PR5Z9/cJPyWOs0m/ufOeeQQ8SnU/lzmrQnpzUd2Z6p5i/B7LdRP +n1kX+l1qynuPnjvBz4nJQE0p6nzW8RyCDSniC9mtYtZmhgC8icqxgbvS7uEOBIYJ +NbK+0bEETTO34iY/JVTIqLOw3iQZYMeUpxpj6Phgx/oooxMTquMecPKNgeVtaBst +qjTNPX0ti1/HYpZqzYi8SV8YjHSJWCVMsZjKPr3W/HIcCKqYoIfgzi83Ha2KMQx6 +-----END RSA PRIVATE KEY----- diff --git a/x-pack/qa/sql/security/ssl/build.gradle b/x-pack/qa/sql/security/ssl/build.gradle index fe8aaeaff2b64..10d2d5cf19d16 100644 --- a/x-pack/qa/sql/security/ssl/build.gradle 
+++ b/x-pack/qa/sql/security/ssl/build.gradle @@ -1,5 +1,5 @@ +import org.elasticsearch.gradle.BuildPlugin import org.elasticsearch.gradle.LoggedExec -import org.elasticsearch.gradle.MavenFilteringHack import org.elasticsearch.gradle.test.NodeInfo import javax.net.ssl.HttpsURLConnection @@ -145,7 +145,6 @@ processTestResources.dependsOn(importNodeCertificateInClientKeyStore, importClie integTestCluster.dependsOn(importClientCertificateInNodeKeyStore) - integTestCluster { // The setup that we actually want setting 'xpack.security.http.ssl.enabled', 'true' @@ -207,8 +206,32 @@ integTestCluster { } } - - +// Do not attempt to form a cluster in a FIPS JVM, as doing so with a JKS keystore will fail. +// TODO Revisit this when SQL CLI client can handle key/certificate instead of only Keystores. +tasks.matching({ it.name == "integTestCluster#init" }).all { + onlyIf { + Boolean.parseBoolean(BuildPlugin.runJavascript(project, project.runtimeJavaHome, + 'print(java.security.Security.getProviders()[0].name.toLowerCase().contains("fips"));')) == false + } +} +tasks.matching({ it.name == "integTestCluster#start" }).all { + onlyIf { + Boolean.parseBoolean(BuildPlugin.runJavascript(project, project.runtimeJavaHome, + 'print(java.security.Security.getProviders()[0].name.toLowerCase().contains("fips"));')) == false + } +} +tasks.matching({ it.name == "integTestCluster#wait" }).all { + onlyIf { + Boolean.parseBoolean(BuildPlugin.runJavascript(project, project.runtimeJavaHome, + 'print(java.security.Security.getProviders()[0].name.toLowerCase().contains("fips"));')) == false + } +} +tasks.matching({ it.name == "integTestRunner" }).all { + onlyIf { + Boolean.parseBoolean(BuildPlugin.runJavascript(project, project.runtimeJavaHome, + 'print(java.security.Security.getProviders()[0].name.toLowerCase().contains("fips"));')) == false + } +} /** A lazy evaluator to find the san to use for certificate generation. */ class SanEvaluator { 
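Review bot: The FIPS probe in the four `onlyIf` blocks tests whether the name of the first registered security provider contains "fips", which is a heuristic: a FIPS provider registered at another position, or under a name without that substring, goes undetected and the JKS-based cluster is started anyway. The same probe is pasted four times, and each copy starts the runtime JVM again. I would keep one memoized closure and apply it to the four task names, with a comment stating the heuristic, as sketched below. While these tasks are skipped, the SQL-over-SSL tests give no coverage on a FIPS JVM, so the TODO deserves a tracking-issue reference.

```groovy
// Heuristic: treats the runtime JVM as FIPS when its first security provider's name contains "fips".
// Memoized so the runtime JVM is probed at most once, and only when a task is about to run.
def inFipsJvm = {
  Boolean.parseBoolean(BuildPlugin.runJavascript(project, project.runtimeJavaHome,
          'print(java.security.Security.getProviders()[0].name.toLowerCase().contains("fips"));'))
}.memoize()
def tasksSkippedInFips = ['integTestCluster#init', 'integTestCluster#start', 'integTestCluster#wait', 'integTestRunner']
tasks.matching({ it.name in tasksSkippedInFips }).all {
  onlyIf { inFipsJvm() == false }
}
```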
@@ -271,7 +294,7 @@ class SanEvaluator { InetAddress address = list.get(i); String hostAddress; if (address instanceof Inet6Address) { - hostAddress = compressedIPV6Address((Inet6Address)address); + hostAddress = compressedIPV6Address((Inet6Address) address); } else { hostAddress = address.getHostAddress(); } @@ -293,7 +316,7 @@ class SanEvaluator { byte[] bytes = inet6Address.getAddress(); int[] hextets = new int[8]; for (int i = 0; i < hextets.length; i++) { - hextets[i] = (bytes[2 * i] & 255) << 8 | bytes[2 * i + 1] & 255; + hextets[i] = (bytes[2 * i] & 255) << 8 | bytes[2 * i + 1] & 255; } compressLongestRunOfZeroes(hextets); return hextetsToIPv6String(hextets); @@ -342,9 +365,9 @@ class SanEvaluator { private static String hextetsToIPv6String(int[] hextets) { /* * While scanning the array, handle these state transitions: - * start->num => "num" start->gap => "::" - * num->num => ":num" num->gap => "::" - * gap->num => "num" gap->gap => "" + * start->num => "num" start->gap => "::" + * num->num => ":num" num->gap => "::" + * gap->num => "num" gap->gap => "" */ StringBuilder buf = new StringBuilder(39); boolean lastWasNumber = false; diff --git a/x-pack/qa/sql/src/main/java/org/elasticsearch/xpack/qa/sql/jdbc/JdbcIntegrationTestCase.java b/x-pack/qa/sql/src/main/java/org/elasticsearch/xpack/qa/sql/jdbc/JdbcIntegrationTestCase.java index a339222445a1a..e2fc0e605ce01 100644 --- a/x-pack/qa/sql/src/main/java/org/elasticsearch/xpack/qa/sql/jdbc/JdbcIntegrationTestCase.java +++ b/x-pack/qa/sql/src/main/java/org/elasticsearch/xpack/qa/sql/jdbc/JdbcIntegrationTestCase.java @@ -17,6 +17,8 @@ import org.elasticsearch.xpack.sql.jdbc.jdbcx.JdbcDataSource; import org.joda.time.DateTimeZone; import org.junit.After; +import org.junit.ClassRule; +import org.junit.rules.ExternalResource; import java.io.IOException; import java.sql.Connection; From 32a9b898c1a841d128f624acdb627e29c930bdc2 Mon Sep 17 00:00:00 2001 
From: Ioannis Kakavas Date: Thu, 12 Jul 2018 08:21:55 +0300 Subject: [PATCH 02/11] unused import and identation --- x-pack/qa/smoke-test-plugins-ssl/build.gradle | 3 +-- .../xpack/qa/sql/jdbc/JdbcIntegrationTestCase.java | 4 +--- 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/x-pack/qa/smoke-test-plugins-ssl/build.gradle b/x-pack/qa/smoke-test-plugins-ssl/build.gradle index 361e6320e4c40..16850f7ab9b23 100644 --- a/x-pack/qa/smoke-test-plugins-ssl/build.gradle +++ b/x-pack/qa/smoke-test-plugins-ssl/build.gradle @@ -5,7 +5,6 @@ import org.elasticsearch.gradle.test.NodeInfo import javax.net.ssl.HttpsURLConnection import javax.net.ssl.KeyManager -import javax.net.ssl.KeyManagerFactory import javax.net.ssl.SSLContext import javax.net.ssl.TrustManagerFactory import java.nio.charset.StandardCharsets @@ -76,7 +75,7 @@ integTestCluster { keystoreSetting 'xpack.security.http.ssl.secure_key_passphrase', 'testnode' setting 'xpack.ml.enabled', 'false' - + // copy keystores, keys and certificates into config/ extraConfigFile nodeKeystore.name, nodeKeystore extraConfigFile nodeKey.name, nodeKey extraConfigFile nodeCert.name, nodeCert diff --git a/x-pack/qa/sql/src/main/java/org/elasticsearch/xpack/qa/sql/jdbc/JdbcIntegrationTestCase.java b/x-pack/qa/sql/src/main/java/org/elasticsearch/xpack/qa/sql/jdbc/JdbcIntegrationTestCase.java index e2fc0e605ce01..301e15c8efbd5 100644 --- a/x-pack/qa/sql/src/main/java/org/elasticsearch/xpack/qa/sql/jdbc/JdbcIntegrationTestCase.java +++ b/x-pack/qa/sql/src/main/java/org/elasticsearch/xpack/qa/sql/jdbc/JdbcIntegrationTestCase.java @@ -17,8 +17,6 @@ import org.elasticsearch.xpack.sql.jdbc.jdbcx.JdbcDataSource; import org.joda.time.DateTimeZone; import org.junit.After; -import org.junit.ClassRule; -import org.junit.rules.ExternalResource; import java.io.IOException; import java.sql.Connection; 
@@ -86,7 +84,7 @@ protected Connection useDataSource() throws SQLException { public static void index(String index, CheckedConsumer body) throws IOException { index(index, "1", body); } - + public static void index(String index, String documentId, CheckedConsumer body) throws IOException { Request request = new Request("PUT", "/" + index + "/doc/" + documentId); request.addParameter("refresh", "true"); From 740259d66b4723f6cf1aad826e09490e7fbfdca9 Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Thu, 12 Jul 2018 10:26:27 +0300 Subject: [PATCH 03/11] remove print and migrate to ml-native-multi-node-tests --- .../test/rest/ESRestTestCase.java | 2 - .../ml-native-multi-node-tests/build.gradle | 46 ++++-------- x-pack/qa/ml-native-tests/build.gradle | 74 ------------------- 3 files changed, 16 insertions(+), 106 deletions(-) delete mode 100644 x-pack/qa/ml-native-tests/build.gradle diff --git a/test/framework/src/main/java/org/elasticsearch/test/rest/ESRestTestCase.java b/test/framework/src/main/java/org/elasticsearch/test/rest/ESRestTestCase.java index ab5c75d1a343d..937adddf3a43d 100644 --- a/test/framework/src/main/java/org/elasticsearch/test/rest/ESRestTestCase.java +++ b/test/framework/src/main/java/org/elasticsearch/test/rest/ESRestTestCase.java @@ -435,8 +435,6 @@ protected RestClient buildClient(Settings settings, HttpHost[] hosts) throws IOE protected static void configureClient(RestClientBuilder builder, Settings settings) throws IOException { String keystorePath = settings.get(TRUSTSTORE_PATH); - System.out.println(settings); - System.out.println(keystorePath); if (keystorePath != null) { final String keystorePass = settings.get(TRUSTSTORE_PASSWORD); if (keystorePass == null) { diff --git a/x-pack/qa/ml-native-multi-node-tests/build.gradle b/x-pack/qa/ml-native-multi-node-tests/build.gradle index 286d4daee8aa5..7b8eebe4ea38d 100644 --- a/x-pack/qa/ml-native-multi-node-tests/build.gradle +++ b/x-pack/qa/ml-native-multi-node-tests/build.gradle 
@@ -18,59 +18,45 @@ integTestRunner { systemProperty 'es.set.netty.runtime.available.processors', 'false' } -// location of generated keystores and certificates +// location for keys and certificates File keystoreDir = new File(project.buildDir, 'keystore') - -// Generate the node's keystore -File nodeKeystore = new File(keystoreDir, 'test-node.jks') -task createNodeKeyStore(type: LoggedExec) { - doFirst { - if (nodeKeystore.parentFile.exists() == false) { - nodeKeystore.parentFile.mkdirs() - } - if (nodeKeystore.exists()) { - delete nodeKeystore - } +File nodeKey = new File(keystoreDir, 'testnode.pem') +File nodeCert = new File(keystoreDir, 'testnode.crt') +// Add key and certs to test classpath: it expects it there +task copyKeyCerts(type: Copy) { + from('../../plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/') { + include 'testnode.crt', 'testnode.pem' } - executable = new File(project.runtimeJavaHome, 'bin/keytool') - standardInput = new ByteArrayInputStream('FirstName LastName\nUnit\nOrganization\nCity\nState\nNL\nyes\n\n'.getBytes('UTF-8')) - args '-genkey', - '-alias', 'test-node', - '-keystore', nodeKeystore, - '-keyalg', 'RSA', - '-keysize', '2048', - '-validity', '712', - '-dname', 'CN=smoke-test-plugins-ssl', - '-keypass', 'keypass', - '-storepass', 'keypass' + into keystoreDir } - -// Add keystores to test classpath: it expects it there +// Add keys and cets to test classpath: it expects it there sourceSets.test.resources.srcDir(keystoreDir) -processTestResources.dependsOn(createNodeKeyStore) +processTestResources.dependsOn(copyKeyCerts) integTestCluster { - dependsOn createNodeKeyStore + dependsOn copyKeyCerts setting 'xpack.security.enabled', 'true' setting 'xpack.ml.enabled', 'true' setting 'logger.org.elasticsearch.xpack.ml.datafeed', 'TRACE' setting 'xpack.monitoring.enabled', 'false' setting 'xpack.security.authc.token.enabled', 'true' setting 'xpack.security.transport.ssl.enabled', 'true' - setting 
'xpack.security.transport.ssl.keystore.path', nodeKeystore.name + setting 'xpack.security.transport.ssl.key', nodeKey.name + setting 'xpack.security.transport.ssl.certificate', nodeCert.name setting 'xpack.security.transport.ssl.verification_mode', 'certificate' setting 'xpack.security.audit.enabled', 'true' setting 'xpack.license.self_generated.type', 'trial' keystoreSetting 'bootstrap.password', 'x-pack-test-password' - keystoreSetting 'xpack.security.transport.ssl.keystore.secure_password', 'keypass' + keystoreSetting 'xpack.security.transport.ssl.secure_key_passphrase', 'testnode' numNodes = 3 setupCommand 'setupDummyUser', 'bin/elasticsearch-users', 'useradd', 'x_pack_rest_user', '-p', 'x-pack-test-password', '-r', 'superuser' - extraConfigFile nodeKeystore.name, nodeKeystore + extraConfigFile nodeKey.name, nodeKey + extraConfigFile nodeCert.name, nodeCert waitCondition = { node, ant -> File tmpFile = new File(node.cwd, 'wait.success') diff --git a/x-pack/qa/ml-native-tests/build.gradle b/x-pack/qa/ml-native-tests/build.gradle deleted file mode 100644 index 6b1859d234cc3..0000000000000 --- a/x-pack/qa/ml-native-tests/build.gradle +++ /dev/null 
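Review bot: After the switch from `keystore.path` to `ssl.key` and `ssl.certificate`, nothing in this `integTestCluster` block names the trust anchors for the transport layer, although `verification_mode` is still `certificate`. The `ml-native-tests` script deleted later in this commit set `xpack.security.transport.ssl.certificate_authorities` to `nodeCert.name`; here, which certificates the three nodes accept is left to the product's default trust behaviour, which I cannot confirm from this hunk. I would add `setting 'xpack.security.transport.ssl.certificate_authorities', nodeCert.name` next to the certificate setting so that the test pins trust to the fixture. The new comment `// Add keys and cets to test classpath` also has a typo ("certs"). The block continues past the end of the hunk.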
@@ -1,74 +0,0 @@ -import org.elasticsearch.gradle.LoggedExec - -import java.security.Security - -apply plugin: 'elasticsearch.standalone-rest-test' -apply plugin: 'elasticsearch.rest-test' - -dependencies { - testCompile project(path: xpackModule('core'), configuration: 'runtime') - testCompile project(path: xpackModule('core'), configuration: 'testArtifacts') - testCompile project(path: xpackModule('ml'), configuration: 'runtime') - testCompile project(path: xpackModule('ml'), configuration: 'testArtifacts') -} - -integTestRunner { - /* - * We have to disable setting the number of available processors as tests in the same JVM randomize processors and will step on each - * other if we allow them to set the number of available processors as it's set-once in Netty. - */ - systemProperty 'es.set.netty.runtime.available.processors', 'false' -} - -// location for keys and certificates -File keystoreDir = new File(project.buildDir, 'keystore') -File nodeKey = new File(keystoreDir, 'testnode.pem') -File nodeCert = new File(keystoreDir, 'testnode.crt') -// Add key and certs to test classpath: it expects it there -task copyKeyCerts(type: Copy) { - from('../../plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/') { - include 'testnode.crt', 'testnode.pem' - } - into keystoreDir -} -// Add keys and cets to test classpath: it expects it there -sourceSets.test.resources.srcDir(keystoreDir) -processTestResources.dependsOn(copyKeyCerts) - -integTestCluster { - dependsOn copyKeyCerts - setting 'xpack.security.enabled', 'true' - setting 'xpack.ml.enabled', 'true' - setting 'logger.org.elasticsearch.xpack.ml.datafeed', 'TRACE' - setting 'xpack.monitoring.enabled', 'false' - setting 'xpack.security.authc.token.enabled', 'true' - setting 'xpack.security.transport.ssl.enabled', 'true' - setting 'xpack.security.transport.ssl.key', nodeKey.name - setting 'xpack.security.transport.ssl.certificate', nodeCert.name - setting 
'xpack.security.transport.ssl.verification_mode', 'certificate' - setting 'xpack.security.transport.ssl.certificate_authorities', nodeCert.name - setting 'xpack.security.audit.enabled', 'true' - setting 'xpack.license.self_generated.type', 'trial' - setting 'xpack.ml.min_disk_space_off_heap', '200mb' - - keystoreSetting 'bootstrap.password', 'x-pack-test-password' - keystoreSetting 'xpack.security.transport.ssl.secure_key_passphrase', 'testnode' - - setupCommand 'setupDummyUser', - 'bin/elasticsearch-users', 'useradd', 'x_pack_rest_user', '-p', 'x-pack-test-password', '-r', 'superuser' - - extraConfigFile nodeKey.name, nodeKey - extraConfigFile nodeCert.name, nodeCert - - - waitCondition = { node, ant -> - File tmpFile = new File(node.cwd, 'wait.success') - ant.get(src: "http://${node.httpUri()}/_cluster/health?wait_for_nodes=>=${numNodes}&wait_for_status=yellow", - dest: tmpFile.toString(), - username: 'x_pack_rest_user', - password: 'x-pack-test-password', - ignoreerrors: true, - retries: 10) - return tmpFile.exists() - } -} From 86ba6969b58a2856bb08bedd85644f833eff3d69 Mon Sep 17 00:00:00 2001 
From: Ioannis Kakavas Date: Fri, 13 Jul 2018 17:27:18 +0300 Subject: [PATCH 04/11] Address feedback - Attempt to limit arbitrary project coupling by bringing necessary certificate/key/keystore files for IT in a small separate project and - Introduce Closre checking if we run in a FIPS JVM --- settings.gradle | 3 +- test/cert-files/build.gradle | 2 ++ .../src/main/resources/testclient.crt | 23 +++++++++++++ .../src/main/resources/testclient.jks | Bin 0 -> 3358 bytes .../src/main/resources/testclient.pem | 30 ++++++++++++++++ .../src/main/resources/testnode.crt | 23 +++++++++++++ .../src/main/resources/testnode.jks | Bin 0 -> 9360 bytes .../src/main/resources/testnode.pem | 30 ++++++++++++++++ x-pack/build.gradle | 2 -- x-pack/plugin/build.gradle | 19 ++--------- x-pack/qa/full-cluster-restart/build.gradle | 3 +- .../ml-native-multi-node-tests/build.gradle | 16 ++------- x-pack/qa/rolling-upgrade/build.gradle | 4 +-- x-pack/qa/smoke-test-plugins-ssl/build.gradle | 29 +++++----------- x-pack/qa/sql/security/ssl/build.gradle | 32 +++++------------- 15 files changed, 132 insertions(+), 84 deletions(-) create mode 100644 test/cert-files/build.gradle create mode 100644 test/cert-files/src/main/resources/testclient.crt create mode 100644 test/cert-files/src/main/resources/testclient.jks create mode 100644 test/cert-files/src/main/resources/testclient.pem create mode 100644 test/cert-files/src/main/resources/testnode.crt create mode 100644 test/cert-files/src/main/resources/testnode.jks create mode 100644 test/cert-files/src/main/resources/testnode.pem diff --git a/settings.gradle b/settings.gradle index 5904cc4daf4d5..220f1c29353fd 100644 --- a/settings.gradle +++ b/settings.gradle @@ -37,7 +37,8 @@ List projects = [ 'test:fixtures:hdfs-fixture', 'test:fixtures:krb5kdc-fixture', 'test:fixtures:old-elasticsearch', - 'test:logger-usage' + 'test:logger-usage', + 'test:cert-files' ] /** 
diff --git a/test/cert-files/build.gradle b/test/cert-files/build.gradle new file mode 100644 index 0000000000000..8c196a09cef5f --- /dev/null +++ b/test/cert-files/build.gradle @@ -0,0 +1,2 @@ +apply plugin: 'java' +licenseHeaders.enabled = false diff --git a/test/cert-files/src/main/resources/testclient.crt b/test/cert-files/src/main/resources/testclient.crt new file mode 100644 index 0000000000000..18221208c162e --- /dev/null +++ b/test/cert-files/src/main/resources/testclient.crt @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID1zCCAr+gAwIBAgIJALnUl/KSS74pMA0GCSqGSIb3DQEBCwUAMEoxDDAKBgNV +BAoTA29yZzEWMBQGA1UECxMNZWxhc3RpY3NlYXJjaDEiMCAGA1UEAxMZRWxhc3Rp +Y3NlYXJjaCBUZXN0IENsaWVudDAeFw0xNTA5MjMxODUyNTVaFw0xOTA5MjIxODUy +NTVaMEoxDDAKBgNVBAoTA29yZzEWMBQGA1UECxMNZWxhc3RpY3NlYXJjaDEiMCAG +A1UEAxMZRWxhc3RpY3NlYXJjaCBUZXN0IENsaWVudDCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBAMKm+P6vDAff0c6BWKGdhnYoNl9HijLIgfU3d9CQcqKt +wT+yUW3DPSVjIfaLmDIGj6Hl8jTHWPB7ZP4fzhrPi6m4qlRGclJMECBuNASZFiPD +tEDv3msoeqOKQet6n7PZvgpWM7hxYZO4P1aMKJtRsFAdvBAdZUnv0spR5G4UZTHz +SKmMeanIKFkLaD0XVKiLQu9/z9M6roDQeAEoCJ/8JsanG8ih2ymfPHIZuNyYIOrV +ekHN2zU6bnVn8/PCeZSjS6h5xYw+Jl5gzGI/n+F5CZ+THoH8pM4pGp6xRVzpiH12 +gvERGwgSIDXdn/+uZZj+4lE7n2ENRSOt5KcOGG99r60CAwEAAaOBvzCBvDAJBgNV +HRMEAjAAMB0GA1UdDgQWBBSSFhBXNp7AaNrHdlgCV0mCEzt7ajCBjwYDVR0RBIGH +MIGEgglsb2NhbGhvc3SCFWxvY2FsaG9zdC5sb2NhbGRvbWFpboIKbG9jYWxob3N0 +NIIXbG9jYWxob3N0NC5sb2NhbGRvbWFpbjSCCmxvY2FsaG9zdDaCF2xvY2FsaG9z +dDYubG9jYWxkb21haW42hwR/AAABhxAAAAAAAAAAAAAAAAAAAAABMA0GCSqGSIb3 +DQEBCwUAA4IBAQANvAkddfLxn4/BCY4LY/1ET3d7ZRldjFTyjjHRYJ3CYBXWVahM +skLxIcFNca8YjKfXoX8mcK+NQK/dAbGHXqk76yMlkrKjh1OQiZ1YAX5ryYerGrZ9 +9N3E9wnbn72bW3iumoLlqmTWlHEpMI0Ql6J75BQLTgKHxCPupVA5sTbWkKwGjXXA +i84rUlzhDJOR8jk3/7ct0iZO8Hk6AWMcNix5Wka3IDGUXuEVevYRlxgVyCxcnZWC +7JWREpar5aIPQFkY6VCEglxwUyXbHZw5T/u6XaKKnS7gz8RiwRh68ddSQJeEHi5e +4onUD7bOCJgfsiUwdiCkDbfN9Yum8OIpmBRs +-----END CERTIFICATE----- 
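Review bot: With `apply plugin: 'java'` and the fixtures placed under `src/main/resources`, the private keys and keystores end up in this project's main jar, and nothing in the two-line build script says that the artifact is test-only. I cannot see from here whether the project is excluded from publishing, so please confirm that it is. I would also state the intent at the top of the file, for example `// Test-only TLS fixtures (keys and keystores with publicly known passphrases). Must never be published or used outside integration tests.`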
diff --git a/test/cert-files/src/main/resources/testclient.jks b/test/cert-files/src/main/resources/testclient.jks new file mode 100644 index 0000000000000000000000000000000000000000..d6dc21c1bd5ff4a248bfba5a171518cd649e278d GIT binary patch literal 3358 zcmdUxcTiLL7RPgw&_WA@Dgpr%0Ra2t|Qzqj*?h2U!6qpaA9r02UCG0-ZeoW^;$= z+VdV+;l3t{Je2F^&mzpV-Ik55-yc4+k?XPK74>5FEv@hI#YMj$eD{OMwLP6Xrpd6| z{K$HxQI)Ou(iWbPC+jt6?CQRb5*)aEfGniRI5FqcLHiQ;p}o(jZ|7`6aNfJpe13!k zCh7E`_Y&L)^3WAuS~wb)`b`lJNt|enT>{qi$;!lIjE|g3$7jVDsW_IQptJ4P zL_KSa{2N0Jo2a72upU2=xfl{80=FZCD7r1Ku3?_azxk;M5RFzjs_ zKf_4kUTx2YVRdXErDb5s1{7=fY2m5W~TP+I*SI_eDqkVFgr^#K@jnGp8M7_5B%id!j{Rv&0zj!Yy;vdaaEXaRK z3Yps5erJTjW`WDhK5+_Bg^lZ*JhHFtL&Ev+_n=EvycTOiJoKoHrJEbqjT3Y~`9*!N zAXfTHDe>tzYbk1m>yKNp%I5EoKuh3LB4BuxdYz1-ssS1NdTU_(g8ciq+SD-2ZQ0pz z(w#ktO)m4g<{~|xKN7B%NVRFXt=($KqN6oS2-CzB{pmOM{jS05_5y;w$U#8aSND=qq=4Q)zH9-M)(krDn_0B6!A2ffDf6 zs>-_VHI(yI-Q=9Y>n%IESBnAh?e|v&FmpY#K>oA4jKNz^W>yV&92Jvgx2o1@jS5z2 zHpH;V*6Qv_xdL;$(rmY5$EH>{mBfk#%GeK$Q_oHbrQU}P@M#zQ=j zQH$*F>*;VF(7G3_WU|N;`f&97%LF)%h0ze;TWAzar`HBTqn$Y(pQx}HeoB$H)tb5c z@fDh>j{u0pR#_c|0f8W+C<^2iiUMxRfq(%pm;>}^Fm*NAtWh4t&B~z=Wg4}?4FH@> z)jW>oLcv%er=c(egyiLh7D5U9@Hi3N1fq+#k2}tr;Npe5fR;uff5agOQKQ{)q%~8F zk;i^jW0Zt2H=0>qMHQ{3uA;7P&vY?NSLJv2AFV|Jq<3$HDfSQwz{~s#05C8G06?up z-xxG5wzn@|kZp6bqx|GFoJ?X>y2)QPul6N+<(0SSR$E?fJF*`qwSFT_h4p6c%&Jf4IkWAZsz2%8Za)J4=`tyO*nm3Iw8`U~bmy|kP zn>e{l%gU4D4RCS7Ps{yJEvG#M2k+{!mA3FwGBDtpfPnX4}KT>u9) zMS{Ft@Irpi-6|u;PuD~IC@Xwo?EFaeaq3P5A&v3gQitloZ6s4ZUCbjw3Za#QApi)- zCpV$U4JZy~=fn|EFbaec|6%e#g`fh-Lhv&hcbhMabotqW&-_F|=mcFvk#GKZ&j%$( zqsWmI4k8KXLcBoo_Mr&=VJiP>;YpWW+&w6;Kf-Dh;Xm!&IcmF-G`u~%hK4cc zHyX~I;@uChyT{CNW%d{VaW`;?`>w7~Z?XS?d|B4LC%su?@El+t=JUlfoXj*{N0vz2gvs8EzQ>8JSSjHOf+kE52K`Y01 zTq#Mb7|oqprG8n9&jH#1Zm))7fW2`o5`F93JHfzpzElyxZbirJ+mwadN&I(yp2_3Y zvlIDrGLqtW<<$OB@hl8>>+#vV*lgv=-geg(k-(K#R(h$C63XY^#|-j5e8HY3S-l_S zhb-W(eg5@E(dYN_X#zy%0f9m6KW;%DBs}4_JCOR_KiOw;4;f&xU;l6R>mCs`r&ONx z{N*rFrvD@RNR-5H>2fxDP27Oh^%h8T9@ni&m9mJW&;uoeU>%0o^0cU~5ps&#;HpeGr 
z1)J{oIek+S1e(apV@r#QO5GvFwWC*;yUt7ZGb#=7DsoZZ1e$a{LV6RVVm`k&t5UeR z8S@w-E{>Y`N>7L908h#7A-!?&u50S{c~PIy4f2T8J8uXR z?ep@F0-mM0&6i8m(CxA%ikmnCJAG18H{xiYCpapAw^{ur0-gTx!(4v%fmh{uN81bIz2 zcKv^F-`y$dv#l|H+2d?fvUGXI!6<}_%zTluTj;RqZC7{1F>9}xh!+DKEfXmh$90y< zgbKt+Xvr3C47R~I-J$-Whrc8^&UjYtSn%Fj<37$Ts9i*8PV=&v%wtuOtQ$+_I|s|x zkzTetw4lVU7S$t}f*Es_1Th_WNoZPPhF#v_xs=UBi`k>N&d79o1;dDE60{4X=_jQV zgko%{%CLO%#(=KmbIk>F{#aoF-h!qdmlIrlw^RV1W^^QE6s_ginyl|6j z9o8)(pZvO`ueni>;*0New^Q?*Ho3G@+opogGU&Ok?WxK&erQl-B5X4cc%7(>Dy!g~ ZL>oJOr20!OUT)aV(#sM_Gi@+F_b&|~n(_bu literal 0 HcmV?d00001 diff --git a/test/cert-files/src/main/resources/testclient.pem b/test/cert-files/src/main/resources/testclient.pem new file mode 100644 index 0000000000000..7268c55dba977 --- /dev/null +++ b/test/cert-files/src/main/resources/testclient.pem 
@@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: DES-EDE3-CBC,C98A45E4AFC263C2 + +wLuUEXldYc54r4ryWd6jw6UMGYwn6+ibGKHp4sD92l42lmI2UrCT/Mb/E0O+KMMy +pHgc5/dBWkXgMiqDyLIhHk4kgT40rdw5W5lZkAA4Qt/Yzd+rbscTvzp09zrF6Fll +czgoE7FrvhOKiEOakerTit4pIPYosdX606cpVQE2lq9oZs9HVMcLzdAZj8A/P/4g +fo4X3+zqVYC/LH4n00bhNoeeej2o1lEJ+l9u9hptT2ATXle6pANa83Ldg4OxJyj8 +dkR9ahnAMCvYTSjEU7nwmGNPeFX0PIUjJKQivr410cYG104DC30Yy+XrIUfjTVUi +agwlMpHoBq79/ZRUJR3xPLkIGgw4g+RPt45D9eKsEsV4vqy8SFlgaoJ2mKUKleZy +i7D9ouzMKQ3sYE4eQVQ5o3K8ZPn5eozCwCVIp7jGSsuvDpLA9peZSwWPfc5y8JFD +/64usCt1J8Mv/e9NVllC8ZA+ZmDitTiwLZysczpMOaFqqeUbk9EJst38n4nBzRV2 +quxvg9W/iveQIydFyftCtNfRkpbp0NCsLz293dBYwZacHsPcY27IBCwXHiICjiAW +q7bnisXsgSaQMhMNRGW9YElZGb7ZWxoIzcyNBisGI8zxn48ObERVOmkOFxY/gs9T +YmpVMliWtmRG6hb6iCh9b7z8THRquxgTGE9ZFBwtLUKg33aubtgAfnUh/Xq2Ue5K +l+ZCqDGEi/FSIjVENUNNntAx/vXeNPbkoGLb/HSJwAh+sjpaLGQ54xixCtE9l3NY +o2QAiZ804KLPaGtbbOv7wPumxQ+8mxG5FN0hTRrsMW9t8pBXw47iMy/T2H21TD5D +E5XbM6kFeBrnsWnZJ2/ieXqDE4SX0tm3WEvZlDg7N7jV8QDM/D3Xdkb/sqJRabMG +tQRgwkLiB+mZ5MAfGLogI2/lOEayrBVz4qYdXojewxY4LtaZ5HiUIlyA9CJelMvD +nS52I6+FpaFhvuZC10qaM9Ph9TNyx+XKRUsPILuDiBRnYiHUKs1qASl5tjn2yyjM +71WSo7A7btOckzhDZdMVf1T472f0LGsRYoQebMhotqCuR7yArZHzTeWB0CjL3tOz +j3QlhKt2E1jx43bSK5tBasd9Bpmn2onvdwu1RRP8cyQBsXJSDy4/8t/g63+C3wod +8VPrlKhK+TenK9EoEqJ2mNuNq+duOjTXfK/7GM5s0BFKv+i2ckpDi1NPckd2gXjF +yUFZhmK6k0WC4jjWloMt+WQpi1rXMEXwCypgTrqWbvD0p6+X3uQmP57L4yHQcZoW +Qcs5GnihJ0DIhw9vYDhBhNo0WY1oBO20nVCN3R/JIpp3uDtg64WvfvMSXzJIPBCY +s+/GM5TtuD6mERDu3+qXxWwiy4PMQRcgjRTMEZ3A4Iv77YfQRkcd6S9qjUUuR/5D +xs+J4ryb1biz9ofW7I+Dbz4SArWSgwcuh14AV9RBv6Rh9m83rjT2K0yvbe/+7hHW +R8nzRMqJcGNGCHmRjA/cwoiv6+k2J/RbCJqnR3RmNex/85XaXBfZwRfHXVbzZQfa +SrFaaNLf1hMwGLAJjIcQRxa3yZbjFXVx1Bp4hh8rKNWaOItjavNtNg== +-----END RSA PRIVATE KEY----- diff --git a/test/cert-files/src/main/resources/testnode.crt b/test/cert-files/src/main/resources/testnode.crt new file mode 100644 index 0000000000000..08c160bcea5ff --- /dev/null 
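Review bot: The `DEK-Info: DES-EDE3-CBC` header shows that this private key uses the legacy OpenSSL PEM encryption format, which pairs 3DES with an MD5-based key derivation. The series targets a FIPS 140 JVM, where MD5 is typically not an approved algorithm, so loading the key may depend on the provider's mode; re-encoding it as an encrypted PKCS#8 key would avoid that. The file also lands under `src/main/resources` of a project that applies the `java` plugin, so it would presumably be packaged into that project's jar. A README beside it stating that the key and its passphrase are public test fixtures, never to be trusted outside tests, would help. The same applies to `testnode.pem` later in this patch.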
+++ b/test/cert-files/src/main/resources/testnode.crt @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID0zCCArugAwIBAgIJALi5bDfjMszLMA0GCSqGSIb3DQEBCwUAMEgxDDAKBgNV +BAoTA29yZzEWMBQGA1UECxMNZWxhc3RpY3NlYXJjaDEgMB4GA1UEAxMXRWxhc3Rp +Y3NlYXJjaCBUZXN0IE5vZGUwHhcNMTUwOTIzMTg1MjU3WhcNMTkwOTIyMTg1MjU3 +WjBIMQwwCgYDVQQKEwNvcmcxFjAUBgNVBAsTDWVsYXN0aWNzZWFyY2gxIDAeBgNV +BAMTF0VsYXN0aWNzZWFyY2ggVGVzdCBOb2RlMIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEA3rGZ1QbsW0+MuyrSLmMfDFKtLBkIFW8V0gRuurFg1PUKKNR1 +Mq2tMVwjjYETAU/UY0iKZOzjgvYPKhDTYBTte/WHR1ZK4CYVv7TQX/gtFQG/ge/c +7u0sLch9p7fbd+/HZiLS/rBEZDIohvgUvzvnA8+OIYnw4kuxKo/5iboAIS41klMg +/lATm8V71LMY68inht71/ZkQoAHKgcR9z4yNYvQ1WqKG8DG8KROXltll3sTrKbl5 +zJhn660es/1ZnR6nvwt6xnSTl/mNHMjkfv1bs4rJ/py3qPxicdoSIn/KyojUcgHV +F38fuAy2CQTdjVG5fWj9iz+mQvLm3+qsIYQdFwIDAQABo4G/MIG8MAkGA1UdEwQC +MAAwHQYDVR0OBBYEFEMMWLWQi/g83PzlHYqAVnty5L7HMIGPBgNVHREEgYcwgYSC +CWxvY2FsaG9zdIIVbG9jYWxob3N0LmxvY2FsZG9tYWluggpsb2NhbGhvc3Q0ghds +b2NhbGhvc3Q0LmxvY2FsZG9tYWluNIIKbG9jYWxob3N0NoIXbG9jYWxob3N0Ni5s +b2NhbGRvbWFpbjaHBH8AAAGHEAAAAAAAAAAAAAAAAAAAAAEwDQYJKoZIhvcNAQEL +BQADggEBAMjGGXT8Nt1tbl2GkiKtmiuGE2Ej66YuZ37WSJViaRNDVHLlg87TCcHe +k2rdO+6sFqQbbzEfwQ05T7xGmVu7tm54HwKMRugoQ3wct0bQC5wEWYN+oMDvSyO6 +M28mZwWb4VtR2IRyWP+ve5DHwTM9mxWa6rBlGzsQqH6YkJpZojzqk/mQTug+Y8aE +mVoqRIPMHq9ob+S9qd5lp09+MtYpwPfTPx/NN+xMEooXWW/ARfpGhWPkg/FuCu4z +1tFmCqHgNcWirzMm3dQpF78muE9ng6OB2MXQwL4VgnVkxmlZNHbkR2v/t8MyZJxC +y4g6cTMM3S/UMt5/+aIB2JAuMKyuD+A= +-----END CERTIFICATE----- 
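Review bot: The validity field of this certificate decodes to 2015-09-23 through 2019-09-22, so the fixture being centralised here expires roughly fourteen months after the commit date. Every integration test that relies on it would then start failing certificate validation at the same moment. Since the file is being moved anyway, I would regenerate it with a longer lifetime, or at least add a note beside it recording the expiry date and how it was generated. `testclient.crt` in this series appears to carry the same dates.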
diff --git a/test/cert-files/src/main/resources/testnode.jks b/test/cert-files/src/main/resources/testnode.jks new file mode 100644 index 0000000000000000000000000000000000000000..ebe6146124e8fd607e46a1a3129bdf9b4de0370d GIT binary patch literal 9360 zcmdUV2T)YowrzLQl93!F2SGC3WF$w)IfLYGK$2vT*iDigl`N7oh@eEt83BokWI;th zKok%V_zil_#dF{N=hmxN@83^VSMRxd)mp3enq$l{$L93&>1O}{0788*FTTk=VD28y zE;cYOYe##Svj^8*Hy60QBMbllY8=Nx4**vTxdk91003Gv1c?>_L4sT!qk(`R5Eh_) zU50G!4F3%T4;_m=TrvCr4+zA$0)Q|==^?b}XnJ5Y;(s+egq9o+ikg;}4=OCcDIVy2IuGcP39Gn>U% zK!zH|Y#zr76z$THNrVtl2Hz*duE|_x{SHKW=Wy9~#x0?_!WxzreKbBd_{B!%FFc+} z#hS1iA!Ph9s*KL}5ZCWMX)1FD)R@OQManE3e-@+qd0nOC5~I@Wvv)K719(Ez^^D!& zt6;h^oFHXs|H>4zGnJ%}f+`Pp>rEdE;=+o<-25$T9lIy1B0c;S!Z_r&_k6nwupM+P z`QIj_3i+10?X14(vmJKmiZElETC3=_VBSWbe19M>na%UTgjKu!)Hb0X5AJ>=1@Lw7vcxjN}1eMG&CU^70?>@)@Jj3w6do zK=}wbX`7exBW2Hy$yVaDo$ICp=}fYb@;nQCWlEe6F`UeJ?OsbuRMGQ zgd{VQ1`}qlEo37p4u-{8N|I&os?=jM_S_F93rh*dwGvc4>^v;F@<@1%AfI?JIxoOG#d{a^ zfIt8&OKT5%FPM$J8|t~~u}>Z;{sXMDD6qapfwk=?SP2aA8Y;D$$)co!mluiHCH4RE zP$7X(VhABRHdYc#Wb!Vj4e%Nnnzf4)lmZJVJR-@b8DwGjw9y}xw)Rb-X`tOZ@L?r7m{x$tD>pf-DK8J8PK&?Rve%UmMWfn zkY1J8$6e`6OS^j3!ZBdDpQ)-!J@JJ984?Dw%90 z9h9Kf+y~ zZ;X4CM_eV}GZ5(`=K*hqpZ8TuPP9ObD5GdI!|KXQ!DE#8?8q-!J#9& z<{0CP?#6ZZ#oFo@=oP4^3J28dh2~!eXSx~~6ipLu^f&9MPd~6p^1dZo&i#yysyksD zk}_18V>Qk~vQwzp^Jc<7;yAcH?9kbl>dg;vDb^QW7vRS}huY7Q{j*f_g#JtPV*wf` zQ+Jb8TG{^cI3dbVTnP3#FtLfzT-or(bOGc4(Y5{#j-5r{Ppfe;7RN>qhPm0{UaW%Vx1xCa5qm=3uM*tyDmx^f zYB_a@Gg~w4N2l?k$LGG^P!NIepM`u@h$CVHNvqI zC)X{Bme~#(ow!*Q{K^N&ikb6+rMH->KX;ZbN6hV7!(1Bu`qVw?;aP#3&Yrekzjpej zK?ev|N zXpSYGJX7Ur@l^_!fa=P>E&WMk1O|eS+U?%te$I}MSaKjCeWH%kki*#p`IR^ zVzx|rZ=W!gg0!F0H2VQ^^Fbof!}9le_))5Y=S5|6FO7Cv zbx_><@>*LeHI$ay>|Nv}{__#cG`gqE5HI=yy!zq2=%Sr>Y-uEp7wE@yxeIf4w6R19 z0pRVhFITw##6I{Y1PK;IRe#z)WcoxH4#%|zmFAbRe+4DeU7$D@vJi|;4ARs2BfumE z$x8ph0~o}3YA&A69w?nhuWt|Yh7v%o{$vY`Up(-~NEBoI#tcxx3+_iT2BrpTtEzI+ znim8i1QFsDfC}TOWK!IHlvq*$BEG}@fH_Cm@4K8Uq-IvD*m|7@F6Jq zuwGO-ZesCM!egNa*#)E@4QIrW8I23(sbgFL 
z-JqdF#j`8Vy}VmdE^%g2k0bzk-aO3BahcB5rNS zxl7R4(8SoexacwQK1c1P8)rsVPYAtP{l+gAnS>z5E){N%TZk`R&*4@b12lj~mK`oDh0NG!mg`Hy?PMdCk{$fc$gg@y}Zfu}F? zSu0-A5J<7i9~u3DF0|o^$U)%UsmE_ku>)^Gq%Eedjl|h!miFi4Sf0Lza4Yh$3`(a- zlSoW|GYZ|6+ksyVU2ZqAPbBTjepxQ8f5SX?^^wnbkC^~H#@eED&|5^5(CZW?&81lp zuK(Kl>+YUJ=bsA;AOPnN zL%!JXclJ}LX4jeGrIbUTc!v*~SOh1OiRa(L7uS+&TRqzL$=2m37@-?ugp z;<967zk5`#GF$mwu!!%bjbE#w?DiH;8#?Wzm57N|0FrE zn;pF<1Q#6>WkZaJqlDvMT!`PO>8EH>M_C>hj3f*ZfC@oG_ynO46eIBqKp_y`U*T^q z#J`%u2ttgGaj`B4_-g}bKnye)0C)>_&44m!Or)#1Ut8&;!v0wFl7XiLS&Hkpf6yQ+ zS$u^RL1(ei^U17X7FKiWIm_PUG%*qPkB-&%nj|U<+I{m8br3|&CFH3AtedxB3{(XP zEn%Zcf>g8WD}%`mB@~WM zp9uG(2Oy&6>W}bkjBJFW3kT}F6e9aa)BSXsD4RZ=aNVx{s&pychT8+Y$$l_!H^FaL z3LLd5q?EMk(g;f9FP8|X)yaCx6I!~n)nmu%`$=|;KQj#O^GGWI)jJJs z7>Ac9vNah6&K&AwA1hzS{iHejdVYVmZF*^BM|8K!2)nP`sY>CxeFi~sC&l{Y_0{O- zR3w-dQMDW`5;v=7NA6>dI8VL&`0&n)2=-n!aIaAxvy^GPc>jC8J0k!|&vN;X?e2o? zwky$-nw!ods}&g=K8Qr_j^(ku%x(XbPEm^7#X#04E>m|5a#SCvn|mjcA-(GfSo!6& zwo4GA-&byR`#aIaH8CYDzQA5wsTt$tD+m|9?pO*JTVtH)G_p-^rk-c&&hGLBJ0dr& z2HYnandk_~8S)LW z{)anZ&dF##-IbO!HlOrrA1oi$i|ZKRW2P#NW12=pa%4>IZtA*obM+ zUr`Tno4i}q5^Kd+o7JSL=5rZPlc46PloNW-aFxv_(_h*;*fV`daXfEiSnv3Vr)ub+ zGvw0>%{HX26_R#m)1Q}ov&mmtWdu>LrUjHJ2jK4u9jC@di^dq=M4hG)N(@7*Ibn94fDkgeZ1{bnK4+j=-Bc-b2kbl zB2~`9MlJg3nM9CMwMj#DMNZkY^(!}d=9l~B)2~-t=jY-H@fnybqV&{T6)llgafjWi zre8Oej@qni0pGukP;yElQPyUbR0vj64{6xhQ&{gaRu9*}FbDPDrKEY?oF2X`^?(_4 zmb)GR`9|N;k_xAaOKOcB-X5VI4lS)VpXq&hy5>;c=;P=Toe{dSmZd>q!5ROshhh@8 zezz8bnn9YgLPmvb&zHYGpx{ZvsYY(jgBa_`6ML+^wSF{M8|!4r?N-PPovp{FEv z=Pcib1<|(w1v)7kIBo9?+~*w?elzPllgNPEn;f9$IlZoM!$#4pBvCIflR?r-u)c6+ z(<;2~Ya?~aow*x1$ftJceu3cv-rdSCcqt5`!-iUS;QcI~^>3#oN1~~|xtRM0-|ar2 z-}HJmdu!h-8}h(C+}L*|A=$sKNQ*=nCXxLHm$0Of+U)vQ=e8;`-id27tf^>6nRV(o zD_35LMQCiXvc;2P5C$3ZExN#sI331)j7wM4?A}WR5y0vQHB4^!9Cb#LW2-5h8Wg_W zE?(7>&&`t(tsSfKU2gO8^6pwlf#)k(@H#E`*xxz}(ZGA`$b|V!H-7Eo_a;mxUQoaG z@iUWo&dy;${A)aMi66W&;E|)TL`@ITKe|!zaenPBdhYvMi9C1z&?Zn0VDle+KtrRW 
z&1xm~aLZ+Za#F!ldcDg52k7y8`+5HkKBT>PLT)EHQ+wS0?)^4H3rz7L`xRQ?0#5WuV4tJA^+R{Ul!N!Swi%8vAG}bX`+Jl z{oGbt`~Cx^#3hmbhxOmzd(GpA;JlOb?eHYV$_$QhVoRotB5vEjX~hRt_QbNfZtp`z zCa^jdlJCrmZdH&KP`Nvizsp}P9;bei0LINMRZ>umh z@wu?rUddcG(Rvf=W_VWZm(bV2C!R@~vHk=`B}z~dn3j-Xlqa^He3+oVCSlzhnr_T4 z7xI#}+RkP5Md<>pSR;^knyvj{LXvJ+Xj7FairmPhUH(WR%z8ECi!=5X-}D$9J9kN- zC$E~1Wqy*4yp5$n!!{%z@uufhdn+l@)27$nh~I1VmcvD^9)+Fcjc{mRqB-6n{4VXay+HKSqK6{!h@8K($I}H)GZL zd+vn7OSEuCTdiM0|B8QpC@%zZ-qoWKv;9Igy)4Yl!yayLZRr7{*L87mq?h*eaIu9s z!`x7JZ0LU(_QDWeC`vr@i$J00%{&wp^8X4Ugiw6cLKm~5yIVS0S@NUg`v3iXT_puI zWzN=ski(8IGp7|TpM;&i+%EXYl{BUj)_2s7CuR6q-a0@K^u0%!{YEWpYsrF1XERyZ zf$tMSTink}o&$ffH!`}Es;V{6M4j$g-H?#|zQ}jW+UO?yG=&aPZ`u&)cNLS#c$E%; zP1mx?uy^0lDm~1Sxl4AS3}fIGtsrpPzu9UsUFfLaHBjFbJbOC8(^<{SnS0n!StB#g zL}+<5vF5jPm0~0Vjt%Q?>}z(+kvmw*edbY` z@SqjXB|6rfvcCz`u_)Y;_+8ajHX`pJD&kNHczrrb!=?w{fiV124cV4iCdMz&zJwqK zE{Xo+XoqLy?Bk=64cI=0e(aTjm0Xe#m-AMZ32X;}2a~{K(-z>-Z{9+k8X@v&$i>E+ zQXRR%1%i z+gZhDOYfLI95J{tK}^7qxH4qdT=iwIXI;%~<(7x#tDq?=+?_Bwkrz$Q`TdVlR))UZ zB@j7mCy|Sc;&$|B7PbW~9eY=&!EdvD*IjQ)sB0(+cInMrs1{CN7*c3cOPQ|Rp{(Mt zOjz!_eLXl-Mnq|AsoQfh;NJug*Q+l)T z8)*rHeYv|M#Ut?%U?vsg>xas%hWwvYC#0-Sur)F2=FtkgqgCA#-e%z?+T?CPv=igi zT1bbmLe@F14M@f`Vd)CEd&TVRZ9lERix`Pv&Rj93@;7`u^|14k-pNBn{fTijp&Qtp z1B1q7E%*$Cjn_4DC1sJoqaH8jlQik)F@7bhGU9K_XgO4mt1xyV1wx@8p6R>!Z=zo} zJP|z{6Si_^2=pvzAdCS%KC?wD74V_1_=k2eaRNll~ zg_)0a(KkYGbiWo&D8{^z3der9T|L|venrzv_U)qcQ^$MFo;M|wFp-P!qEO(#sfdZ1oL-r?nXuCiHy2Qq0 ziM;!sUs2F`&Az?Mh;}V|OcB@zA_b&cXvUK=;k^R`-C{MPC+tX)V!8h%5RdT?@P(Uf7yaQA1qCnw{nH+*r>*BMBG9Ld(hllZ5Ey>&8FWz*Q!dPYoj zCzFk0KZGQUrz|3zXT|9#%3tEMsddw5y@{5+yMt>KbeorB%SpCOL#uM0uGFADE&g#g#^|1;Itr9?;L0YErGBwTfC_I{Rc$*iOkJ|A4=@L50Z x`UE0joFCFX(i+qD)1h^DcPJOtN>)kRbQgMUO*p!K@AKymmi%I+{Ip*({}0#og{%Mo literal 0 HcmV?d00001 diff --git a/test/cert-files/src/main/resources/testnode.pem b/test/cert-files/src/main/resources/testnode.pem new file mode 100644 index 0000000000000..5a67e1033440d --- /dev/null +++ b/test/cert-files/src/main/resources/testnode.pem 
@@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: DES-EDE3-CBC,9D867F7E0C94D013 + +dVoVCjPeg1wgS7rVtOvGfQcrZyLkx393aWRnFq45tbjKBVuITtJ9vI7o4QXOV/15 +Gnb6WhXGIdWrzsxEAd46K6hIuNSISd4Emsx6c2Q5hTqWXXfexbOZBNfTtXtdJPnJ +1jAaikhtztLo3JSLTKNY5sNxd+XbaQyYVUWvueK6zOaIIMETvB+VPVFd9i1ROibk +Sgdtyj01KjkoalifqK/tA0CIYNKL0S6/eoK3UhAlpIprlpV+cnXa940C6bjLeJPt +PMAGGp5RrplxSgrSerw3I9DOWkHGtpqzIka3XneNUXJP8k4HUJ+aZkGH2ZILKS8d +4KMIb+KZSpHEGn+6uGccWLtZZmAjWJrDw56JbQtSHdRYLBRSOjLbTvQoPu/2Hpli +7HOxbotlvjptMunncq5aqK57SHA1dh0cwF7J3LUmGFJ67eoz+VV3b5qMn4MopSeI +mS16Ydd3nGpjSrln/elM0CQxqWfcOAXRZpDpFUQoXcBrLVzvz2DBl/0CrTRLhgzi +CO+5/IVcBWRlYpRNGgjjP7q0j6URID3jk5J06fYQXmBiwQT5j+GZqqzpMCJ9mIy2 +1O9SN1hebJnIcEU+E0njn/MGjlYdPywhaCy8pqElp6Q8TUEJpwLRFO/owCoBet/n +ZmCXUjfCGhc1pWHufFcDEQ6xMgEWWY/tdwCZeSU7EhErTjCbfupg+55A5fpDml0m +3wH4CFcuRjlqyx6Ywixm1ATeitDtJl5HQTw6b8OtEXwSgRmZ0eSqSRVk9QbVS7gu +IpQe09/Zimb5HzjZqZ3fdqHlcW4xax8hyJeyIvF5ZJ57eY8CBvu/wP2GDn26QnvF +xQqdfDbq1H4JmpwUHpbFwBoQK4Q6WFd1z4EA9bRQeo3H9PoqoOwMDjzajwLRF7b7 +q6tYH/n9PyHwdf1c4fFwgSmL1toXGfKlA9hjIaLsRSDD6srT5EdUk78bsnddwI51 +tu7C7P4JG+h1VdRNMNTlqtileWsIE7Nn2A1OkcUxZdF5mamENpDpJcHePLto6c8q +FKiwyFMsxhgsj6HK2HqO+UA4sX5Ni4oHwiPmb//EZLn045M5i1AN26KosJmb8++D +sgR5reWRy+UqJCTYblVg+7Dx++ggUnfxVyQEsWmw5r5f4KU5wXBkvoVMGtPNa9DE +n/uLtObD1qkNL38pRsr2OGRchYCgEoKGqEISBP4knfGXLOlWiW/246j9QzI97r1u +tvy7fKg28G7AUz9l6bpewsPHefBUeRQeieP9eJINaEpxkF/w2RpKDLpQjWxwDDOM +s+D0mrBMJve17AmJ8rMw6dIQPZYNZ88/jz1uQuUwQ2YlbmtZbCG81k9YMFGEU9XS +cyhJxj8hvYnt2PR5Z9/cJPyWOs0m/ufOeeQQ8SnU/lzmrQnpzUd2Z6p5i/B7LdRP +n1kX+l1qynuPnjvBz4nJQE0p6nzW8RyCDSniC9mtYtZmhgC8icqxgbvS7uEOBIYJ +NbK+0bEETTO34iY/JVTIqLOw3iQZYMeUpxpj6Phgx/oooxMTquMecPKNgeVtaBst +qjTNPX0ti1/HYpZqzYi8SV8YjHSJWCVMsZjKPr3W/HIcCKqYoIfgzi83Ha2KMQx6 +-----END RSA PRIVATE KEY----- diff --git a/x-pack/build.gradle b/x-pack/build.gradle index 01ce465fc0938..b07afb932b673 100644 --- a/x-pack/build.gradle +++ b/x-pack/build.gradle 
@@ -1,6 +1,4 @@ -import org.elasticsearch.gradle.BuildPlugin import org.elasticsearch.gradle.plugin.PluginBuildPlugin -import org.elasticsearch.gradle.Version import org.elasticsearch.gradle.precommit.LicenseHeadersTask Project xpackRootProject = project diff --git a/x-pack/plugin/build.gradle b/x-pack/plugin/build.gradle index 9d6b65267eb3f..16f065834b0bd 100644 --- a/x-pack/plugin/build.gradle +++ b/x-pack/plugin/build.gradle @@ -105,25 +105,10 @@ integTestRunner { } // location for keys and certificates -File keystoreDir = new File(project.buildDir, 'keystore') -File nodeKey = new File(keystoreDir, 'testnode.pem') -File nodeCert = new File(keystoreDir, 'testnode.crt') - -// Add key and certs to test classpath: it expects them there -// User cert and key PEM files instead of a JKS Keystore for the cluster's trust material so that -// it can run in a FIPS 140 JVM -task copyKeyCerts(type: Copy) { - from('./core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/') { - include 'testnode.crt', 'testnode.pem' - } - into keystoreDir -} -// Add keystores to test classpath: it expects it there -sourceSets.test.resources.srcDir(keystoreDir) -processTestResources.dependsOn(copyKeyCerts) +File nodeKey = project(':test:cert-files').file("src/main/resources/testnode.pem") +File nodeCert = project(':test:cert-files').file("src/main/resources/testnode.crt") integTestCluster { - dependsOn copyKeyCerts setting 'xpack.ml.enabled', 'true' setting 'xpack.security.enabled', 'true' setting 'logger.org.elasticsearch.xpack.ml.datafeed', 'TRACE' diff --git a/x-pack/qa/full-cluster-restart/build.gradle b/x-pack/qa/full-cluster-restart/build.gradle index 78ac1436fd8bc..de280c613d1a1 100644 --- a/x-pack/qa/full-cluster-restart/build.gradle +++ b/x-pack/qa/full-cluster-restart/build.gradle 
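Review bot: In the `x-pack/plugin/build.gradle` hunk, the removed `sourceSets.test.resources.srcDir(keystoreDir)` line was what put `testnode.pem` and `testnode.crt` on the test classpath, and nothing in the hunk replaces it. Any test that loads them as classpath resources would no longer find them. The `smoke-test-plugins-ssl` change adds a dependency for this purpose; unless the dependency block outside this hunk already has it, the same line is needed here: `testRuntime project(':test:cert-files')`. The `ml-native-multi-node-tests` hunk later in the patch removes the same wiring and has the same gap.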
@@ -125,8 +125,7 @@ subprojects { String output = "${buildDir}/generated-resources/${project.name}" task copyTestNodeKeystore(type: Copy) { - from project(xpackModule('core')) - .file('src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks') + from project(':test:cert-files').file("src/main/resources/testnode.jks") into outputDir } diff --git a/x-pack/qa/ml-native-multi-node-tests/build.gradle b/x-pack/qa/ml-native-multi-node-tests/build.gradle index 7b8eebe4ea38d..c5156de08183a 100644 --- a/x-pack/qa/ml-native-multi-node-tests/build.gradle +++ b/x-pack/qa/ml-native-multi-node-tests/build.gradle @@ -19,22 +19,10 @@ integTestRunner { } // location for keys and certificates -File keystoreDir = new File(project.buildDir, 'keystore') -File nodeKey = new File(keystoreDir, 'testnode.pem') -File nodeCert = new File(keystoreDir, 'testnode.crt') -// Add key and certs to test classpath: it expects it there -task copyKeyCerts(type: Copy) { - from('../../plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/') { - include 'testnode.crt', 'testnode.pem' - } - into keystoreDir -} -// Add keys and cets to test classpath: it expects it there -sourceSets.test.resources.srcDir(keystoreDir) -processTestResources.dependsOn(copyKeyCerts) +File nodeKey = project(':test:cert-files').file("src/main/resources/testnode.pem") +File nodeCert = project(':test:cert-files').file("src/main/resources/testnode.crt") integTestCluster { - dependsOn copyKeyCerts setting 'xpack.security.enabled', 'true' setting 'xpack.ml.enabled', 'true' setting 'logger.org.elasticsearch.xpack.ml.datafeed', 'TRACE' diff --git a/x-pack/qa/rolling-upgrade/build.gradle b/x-pack/qa/rolling-upgrade/build.gradle index 351f33b941227..16887b2776b14 100644 --- a/x-pack/qa/rolling-upgrade/build.gradle +++ b/x-pack/qa/rolling-upgrade/build.gradle 
@@ -105,10 +105,8 @@ subprojects { group = 'verification' } - String output = "${buildDir}/generated-resources/${project.name}" task copyTestNodeKeystore(type: Copy) { - from project(xpackModule('core')) - .file('src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks') + from project(':test:cert-files').file("src/main/resources/testnode.jks") into outputDir } diff --git a/x-pack/qa/smoke-test-plugins-ssl/build.gradle b/x-pack/qa/smoke-test-plugins-ssl/build.gradle index 16850f7ab9b23..40d349422fe4b 100644 --- a/x-pack/qa/smoke-test-plugins-ssl/build.gradle +++ b/x-pack/qa/smoke-test-plugins-ssl/build.gradle @@ -16,6 +16,7 @@ apply plugin: 'elasticsearch.rest-test' dependencies { testCompile project(path: xpackModule('core'), configuration: 'runtime') + testRuntime project(':test:cert-files') } String outputDir = "${buildDir}/generated-resources/${project.name}" 
@@ -29,27 +30,13 @@ project.sourceSets.test.output.dir(outputDir, builtBy: copyXPackPluginProps) // needed to be consistent with ssl host checking Object san = new SanEvaluator() -// location of generated keystores and certificates -File keystoreDir = new File(project.buildDir, 'keystore') -File nodeKeystore = new File(keystoreDir, 'testnode.jks') -File nodeKey = new File(keystoreDir, 'testnode.pem') -File nodeCert = new File(keystoreDir, 'testnode.crt') -File clientKeyStore = new File(keystoreDir, 'testclient.jks') -File clientKey = new File(keystoreDir, 'testclient.pem') -File clientCert = new File(keystoreDir, 'testclient.crt') - -// Add keystores to test classpath: it expects it there -task copyKeyCerts(type: Copy) { - from('./') { - include '*.crt', '*.pem', '*.jks' - } - into keystoreDir -} -// Add keystores to test classpath: it expects it there -sourceSets.test.resources.srcDir(keystoreDir) -processTestResources.dependsOn(copyKeyCerts) - -integTestCluster.dependsOn(copyKeyCerts) +// location of keystores, keys and certificates +File nodeKeystore = project(':test:cert-files').file("src/main/resources/testnode.jks") +File nodeKey = project(':test:cert-files').file("src/main/resources/testnode.pem") +File nodeCert = project(':test:cert-files').file("src/main/resources/testnode.crt") +File clientKeyStore = project(':test:cert-files').file("src/main/resources/testclient.jks") +File clientKey = project(':test:cert-files').file("src/main/resources/testclient.pem") +File clientCert = project(':test:cert-files').file("src/main/resources/testclient.crt") ext.pluginsCount = 0 project(':plugins').getChildProjects().each { pluginName, pluginProject -> diff --git a/x-pack/qa/sql/security/ssl/build.gradle b/x-pack/qa/sql/security/ssl/build.gradle index 10d2d5cf19d16..1c7acb8c2a62b 100644 --- a/x-pack/qa/sql/security/ssl/build.gradle +++ b/x-pack/qa/sql/security/ssl/build.gradle 
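Review bot: The six `File` declarations each repeat `project(':test:cert-files').file("src/main/resources/...")`, which hard-codes another project's source layout in every consumer. I would resolve the directory once with `File certDir = project(':test:cert-files').file('src/main/resources')` and derive the rest as `new File(certDir, 'testnode.jks')` and so on. The `x-pack/plugin`, `ml-native-multi-node-tests`, `full-cluster-restart` and `rolling-upgrade` hunks repeat the same path.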
@@ -206,32 +206,16 @@ integTestCluster { } } +Closure notRunningFips = { + Boolean.parseBoolean(BuildPlugin.runJavascript(project, project.runtimeJavaHome, + 'print(java.security.Security.getProviders()[0].name.toLowerCase().contains("fips"));')) == false +} // Do not attempt to form a cluster in a FIPS JVM, as doing so with a JKS keystore will fail. // TODO Revisit this when SQL CLI client can handle key/certificate instead of only Keystores. -tasks.matching({ it.name == "integTestCluster#init" }).all { - onlyIf { - Boolean.parseBoolean(BuildPlugin.runJavascript(project, project.runtimeJavaHome, - 'print(java.security.Security.getProviders()[0].name.toLowerCase().contains("fips"));')) == false - } -} -tasks.matching({ it.name == "integTestCluster#start" }).all { - onlyIf { - Boolean.parseBoolean(BuildPlugin.runJavascript(project, project.runtimeJavaHome, - 'print(java.security.Security.getProviders()[0].name.toLowerCase().contains("fips"));')) == false - } -} -tasks.matching({ it.name == "integTestCluster#wait" }).all { - onlyIf { - Boolean.parseBoolean(BuildPlugin.runJavascript(project, project.runtimeJavaHome, - 'print(java.security.Security.getProviders()[0].name.toLowerCase().contains("fips"));')) == false - } -} -tasks.matching({ it.name == "integTestRunner" }).all { - onlyIf { - Boolean.parseBoolean(BuildPlugin.runJavascript(project, project.runtimeJavaHome, - 'print(java.security.Security.getProviders()[0].name.toLowerCase().contains("fips"));')) == false - } -} +tasks.matching({ it.name == "integTestCluster#init" }).all { onlyIf notRunningFips } +tasks.matching({ it.name == "integTestCluster#start" }).all { onlyIf notRunningFips } +tasks.matching({ it.name == "integTestCluster#wait" }).all { onlyIf notRunningFips } +tasks.matching({ it.name == "integTestRunner" }).all { onlyIf notRunningFips } /** A lazy evaluator to find the san to use for certificate generation. */ class SanEvaluator { 
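Review bot: `notRunningFips` decides FIPS mode only from the name of the first registered security provider, and that assumption is not documented. A FIPS provider registered at a lower position, or one whose name lacks "fips", would let the four guarded tasks run and then fail on the JKS keystore. I would add a comment above the closure such as `// Assumes a FIPS 140 JVM registers its FIPS provider first, with "fips" in its name`. The closure is also invoked once per guarded task, which looks like four separate `runJavascript` calls per build; if that call is as costly as its name suggests, evaluating it once and reusing the boolean would be cheaper. `class SanEvaluator` in the trailing context continues outside the hunk.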
From ced0e722cff90cb1a9e012305e3fd8aaf85e7a49 Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Mon, 23 Jul 2018 17:29:34 +0300 Subject: [PATCH 05/11] Revert "Address feedback" This reverts commit 86ba6969b58a2856bb08bedd85644f833eff3d69. --- settings.gradle | 3 +- test/cert-files/build.gradle | 2 -- .../src/main/resources/testclient.crt | 23 ------------- .../src/main/resources/testclient.jks | Bin 3358 -> 0 bytes .../src/main/resources/testclient.pem | 30 ---------------- .../src/main/resources/testnode.crt | 23 ------------- .../src/main/resources/testnode.jks | Bin 9360 -> 0 bytes .../src/main/resources/testnode.pem | 30 ---------------- x-pack/build.gradle | 2 ++ x-pack/plugin/build.gradle | 19 +++++++++-- x-pack/qa/full-cluster-restart/build.gradle | 3 +- .../ml-native-multi-node-tests/build.gradle | 16 +++++++-- x-pack/qa/rolling-upgrade/build.gradle | 4 ++- x-pack/qa/smoke-test-plugins-ssl/build.gradle | 29 +++++++++++----- x-pack/qa/sql/security/ssl/build.gradle | 32 +++++++++++++----- 15 files changed, 84 insertions(+), 132 deletions(-) delete mode 100644 test/cert-files/build.gradle delete mode 100644 test/cert-files/src/main/resources/testclient.crt delete mode 100644 test/cert-files/src/main/resources/testclient.jks delete mode 100644 test/cert-files/src/main/resources/testclient.pem delete mode 100644 test/cert-files/src/main/resources/testnode.crt delete mode 100644 test/cert-files/src/main/resources/testnode.jks delete mode 100644 test/cert-files/src/main/resources/testnode.pem diff --git a/settings.gradle b/settings.gradle index 220f1c29353fd..5904cc4daf4d5 100644 --- a/settings.gradle +++ b/settings.gradle @@ -37,8 +37,7 @@ List projects = [ 'test:fixtures:hdfs-fixture', 'test:fixtures:krb5kdc-fixture', 'test:fixtures:old-elasticsearch', - 'test:logger-usage', - 'test:cert-files' + 'test:logger-usage' ] /** diff --git a/test/cert-files/build.gradle b/test/cert-files/build.gradle deleted file mode 100644 index 8c196a09cef5f..0000000000000 
--- a/test/cert-files/build.gradle +++ /dev/null @@ -1,2 +0,0 @@ -apply plugin: 'java' -licenseHeaders.enabled = false diff --git a/test/cert-files/src/main/resources/testclient.crt b/test/cert-files/src/main/resources/testclient.crt deleted file mode 100644 index 18221208c162e..0000000000000 --- a/test/cert-files/src/main/resources/testclient.crt +++ /dev/null @@ -1,23 +0,0 @@ ------BEGIN CERTIFICATE----- -MIID1zCCAr+gAwIBAgIJALnUl/KSS74pMA0GCSqGSIb3DQEBCwUAMEoxDDAKBgNV -BAoTA29yZzEWMBQGA1UECxMNZWxhc3RpY3NlYXJjaDEiMCAGA1UEAxMZRWxhc3Rp -Y3NlYXJjaCBUZXN0IENsaWVudDAeFw0xNTA5MjMxODUyNTVaFw0xOTA5MjIxODUy -NTVaMEoxDDAKBgNVBAoTA29yZzEWMBQGA1UECxMNZWxhc3RpY3NlYXJjaDEiMCAG -A1UEAxMZRWxhc3RpY3NlYXJjaCBUZXN0IENsaWVudDCCASIwDQYJKoZIhvcNAQEB -BQADggEPADCCAQoCggEBAMKm+P6vDAff0c6BWKGdhnYoNl9HijLIgfU3d9CQcqKt -wT+yUW3DPSVjIfaLmDIGj6Hl8jTHWPB7ZP4fzhrPi6m4qlRGclJMECBuNASZFiPD -tEDv3msoeqOKQet6n7PZvgpWM7hxYZO4P1aMKJtRsFAdvBAdZUnv0spR5G4UZTHz -SKmMeanIKFkLaD0XVKiLQu9/z9M6roDQeAEoCJ/8JsanG8ih2ymfPHIZuNyYIOrV -ekHN2zU6bnVn8/PCeZSjS6h5xYw+Jl5gzGI/n+F5CZ+THoH8pM4pGp6xRVzpiH12 -gvERGwgSIDXdn/+uZZj+4lE7n2ENRSOt5KcOGG99r60CAwEAAaOBvzCBvDAJBgNV -HRMEAjAAMB0GA1UdDgQWBBSSFhBXNp7AaNrHdlgCV0mCEzt7ajCBjwYDVR0RBIGH -MIGEgglsb2NhbGhvc3SCFWxvY2FsaG9zdC5sb2NhbGRvbWFpboIKbG9jYWxob3N0 -NIIXbG9jYWxob3N0NC5sb2NhbGRvbWFpbjSCCmxvY2FsaG9zdDaCF2xvY2FsaG9z -dDYubG9jYWxkb21haW42hwR/AAABhxAAAAAAAAAAAAAAAAAAAAABMA0GCSqGSIb3 -DQEBCwUAA4IBAQANvAkddfLxn4/BCY4LY/1ET3d7ZRldjFTyjjHRYJ3CYBXWVahM -skLxIcFNca8YjKfXoX8mcK+NQK/dAbGHXqk76yMlkrKjh1OQiZ1YAX5ryYerGrZ9 -9N3E9wnbn72bW3iumoLlqmTWlHEpMI0Ql6J75BQLTgKHxCPupVA5sTbWkKwGjXXA -i84rUlzhDJOR8jk3/7ct0iZO8Hk6AWMcNix5Wka3IDGUXuEVevYRlxgVyCxcnZWC -7JWREpar5aIPQFkY6VCEglxwUyXbHZw5T/u6XaKKnS7gz8RiwRh68ddSQJeEHi5e -4onUD7bOCJgfsiUwdiCkDbfN9Yum8OIpmBRs ------END CERTIFICATE----- 
diff --git a/test/cert-files/src/main/resources/testclient.jks b/test/cert-files/src/main/resources/testclient.jks deleted file mode 100644 index d6dc21c1bd5ff4a248bfba5a171518cd649e278d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 3358 zcmdUxcTiLL7RPgw&_WA@Dgpr%0Ra2t|Qzqj*?h2U!6qpaA9r02UCG0-ZeoW^;$= z+VdV+;l3t{Je2F^&mzpV-Ik55-yc4+k?XPK74>5FEv@hI#YMj$eD{OMwLP6Xrpd6| z{K$HxQI)Ou(iWbPC+jt6?CQRb5*)aEfGniRI5FqcLHiQ;p}o(jZ|7`6aNfJpe13!k zCh7E`_Y&L)^3WAuS~wb)`b`lJNt|enT>{qi$;!lIjE|g3$7jVDsW_IQptJ4P zL_KSa{2N0Jo2a72upU2=xfl{80=FZCD7r1Ku3?_azxk;M5RFzjs_ zKf_4kUTx2YVRdXErDb5s1{7=fY2m5W~TP+I*SI_eDqkVFgr^#K@jnGp8M7_5B%id!j{Rv&0zj!Yy;vdaaEXaRK z3Yps5erJTjW`WDhK5+_Bg^lZ*JhHFtL&Ev+_n=EvycTOiJoKoHrJEbqjT3Y~`9*!N zAXfTHDe>tzYbk1m>yKNp%I5EoKuh3LB4BuxdYz1-ssS1NdTU_(g8ciq+SD-2ZQ0pz z(w#ktO)m4g<{~|xKN7B%NVRFXt=($KqN6oS2-CzB{pmOM{jS05_5y;w$U#8aSND=qq=4Q)zH9-M)(krDn_0B6!A2ffDf6 zs>-_VHI(yI-Q=9Y>n%IESBnAh?e|v&FmpY#K>oA4jKNz^W>yV&92Jvgx2o1@jS5z2 zHpH;V*6Qv_xdL;$(rmY5$EH>{mBfk#%GeK$Q_oHbrQU}P@M#zQ=j zQH$*F>*;VF(7G3_WU|N;`f&97%LF)%h0ze;TWAzar`HBTqn$Y(pQx}HeoB$H)tb5c z@fDh>j{u0pR#_c|0f8W+C<^2iiUMxRfq(%pm;>}^Fm*NAtWh4t&B~z=Wg4}?4FH@> z)jW>oLcv%er=c(egyiLh7D5U9@Hi3N1fq+#k2}tr;Npe5fR;uff5agOQKQ{)q%~8F zk;i^jW0Zt2H=0>qMHQ{3uA;7P&vY?NSLJv2AFV|Jq<3$HDfSQwz{~s#05C8G06?up z-xxG5wzn@|kZp6bqx|GFoJ?X>y2)QPul6N+<(0SSR$E?fJF*`qwSFT_h4p6c%&Jf4IkWAZsz2%8Za)J4=`tyO*nm3Iw8`U~bmy|kP zn>e{l%gU4D4RCS7Ps{yJEvG#M2k+{!mA3FwGBDtpfPnX4}KT>u9) zMS{Ft@Irpi-6|u;PuD~IC@Xwo?EFaeaq3P5A&v3gQitloZ6s4ZUCbjw3Za#QApi)- zCpV$U4JZy~=fn|EFbaec|6%e#g`fh-Lhv&hcbhMabotqW&-_F|=mcFvk#GKZ&j%$( zqsWmI4k8KXLcBoo_Mr&=VJiP>;YpWW+&w6;Kf-Dh;Xm!&IcmF-G`u~%hK4cc zHyX~I;@uChyT{CNW%d{VaW`;?`>w7~Z?XS?d|B4LC%su?@El+t=JUlfoXj*{N0vz2gvs8EzQ>8JSSjHOf+kE52K`Y01 zTq#Mb7|oqprG8n9&jH#1Zm))7fW2`o5`F93JHfzpzElyxZbirJ+mwadN&I(yp2_3Y zvlIDrGLqtW<<$OB@hl8>>+#vV*lgv=-geg(k-(K#R(h$C63XY^#|-j5e8HY3S-l_S zhb-W(eg5@E(dYN_X#zy%0f9m6KW;%DBs}4_JCOR_KiOw;4;f&xU;l6R>mCs`r&ONx 
z{N*rFrvD@RNR-5H>2fxDP27Oh^%h8T9@ni&m9mJW&;uoeU>%0o^0cU~5ps&#;HpeGr z1)J{oIek+S1e(apV@r#QO5GvFwWC*;yUt7ZGb#=7DsoZZ1e$a{LV6RVVm`k&t5UeR z8S@w-E{>Y`N>7L908h#7A-!?&u50S{c~PIy4f2T8J8uXR z?ep@F0-mM0&6i8m(CxA%ikmnCJAG18H{xiYCpapAw^{ur0-gTx!(4v%fmh{uN81bIz2 zcKv^F-`y$dv#l|H+2d?fvUGXI!6<}_%zTluTj;RqZC7{1F>9}xh!+DKEfXmh$90y< zgbKt+Xvr3C47R~I-J$-Whrc8^&UjYtSn%Fj<37$Ts9i*8PV=&v%wtuOtQ$+_I|s|x zkzTetw4lVU7S$t}f*Es_1Th_WNoZPPhF#v_xs=UBi`k>N&d79o1;dDE60{4X=_jQV zgko%{%CLO%#(=KmbIk>F{#aoF-h!qdmlIrlw^RV1W^^QE6s_ginyl|6j z9o8)(pZvO`ueni>;*0New^Q?*Ho3G@+opogGU&Ok?WxK&erQl-B5X4cc%7(>Dy!g~ ZL>oJOr20!OUT)aV(#sM_Gi@+F_b&|~n(_bu diff --git a/test/cert-files/src/main/resources/testclient.pem b/test/cert-files/src/main/resources/testclient.pem deleted file mode 100644 index 7268c55dba977..0000000000000 --- a/test/cert-files/src/main/resources/testclient.pem +++ /dev/null 
@@ -1,30 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -Proc-Type: 4,ENCRYPTED -DEK-Info: DES-EDE3-CBC,C98A45E4AFC263C2 - -wLuUEXldYc54r4ryWd6jw6UMGYwn6+ibGKHp4sD92l42lmI2UrCT/Mb/E0O+KMMy -pHgc5/dBWkXgMiqDyLIhHk4kgT40rdw5W5lZkAA4Qt/Yzd+rbscTvzp09zrF6Fll -czgoE7FrvhOKiEOakerTit4pIPYosdX606cpVQE2lq9oZs9HVMcLzdAZj8A/P/4g -fo4X3+zqVYC/LH4n00bhNoeeej2o1lEJ+l9u9hptT2ATXle6pANa83Ldg4OxJyj8 -dkR9ahnAMCvYTSjEU7nwmGNPeFX0PIUjJKQivr410cYG104DC30Yy+XrIUfjTVUi -agwlMpHoBq79/ZRUJR3xPLkIGgw4g+RPt45D9eKsEsV4vqy8SFlgaoJ2mKUKleZy -i7D9ouzMKQ3sYE4eQVQ5o3K8ZPn5eozCwCVIp7jGSsuvDpLA9peZSwWPfc5y8JFD -/64usCt1J8Mv/e9NVllC8ZA+ZmDitTiwLZysczpMOaFqqeUbk9EJst38n4nBzRV2 -quxvg9W/iveQIydFyftCtNfRkpbp0NCsLz293dBYwZacHsPcY27IBCwXHiICjiAW -q7bnisXsgSaQMhMNRGW9YElZGb7ZWxoIzcyNBisGI8zxn48ObERVOmkOFxY/gs9T -YmpVMliWtmRG6hb6iCh9b7z8THRquxgTGE9ZFBwtLUKg33aubtgAfnUh/Xq2Ue5K -l+ZCqDGEi/FSIjVENUNNntAx/vXeNPbkoGLb/HSJwAh+sjpaLGQ54xixCtE9l3NY -o2QAiZ804KLPaGtbbOv7wPumxQ+8mxG5FN0hTRrsMW9t8pBXw47iMy/T2H21TD5D -E5XbM6kFeBrnsWnZJ2/ieXqDE4SX0tm3WEvZlDg7N7jV8QDM/D3Xdkb/sqJRabMG -tQRgwkLiB+mZ5MAfGLogI2/lOEayrBVz4qYdXojewxY4LtaZ5HiUIlyA9CJelMvD -nS52I6+FpaFhvuZC10qaM9Ph9TNyx+XKRUsPILuDiBRnYiHUKs1qASl5tjn2yyjM -71WSo7A7btOckzhDZdMVf1T472f0LGsRYoQebMhotqCuR7yArZHzTeWB0CjL3tOz -j3QlhKt2E1jx43bSK5tBasd9Bpmn2onvdwu1RRP8cyQBsXJSDy4/8t/g63+C3wod -8VPrlKhK+TenK9EoEqJ2mNuNq+duOjTXfK/7GM5s0BFKv+i2ckpDi1NPckd2gXjF -yUFZhmK6k0WC4jjWloMt+WQpi1rXMEXwCypgTrqWbvD0p6+X3uQmP57L4yHQcZoW -Qcs5GnihJ0DIhw9vYDhBhNo0WY1oBO20nVCN3R/JIpp3uDtg64WvfvMSXzJIPBCY -s+/GM5TtuD6mERDu3+qXxWwiy4PMQRcgjRTMEZ3A4Iv77YfQRkcd6S9qjUUuR/5D -xs+J4ryb1biz9ofW7I+Dbz4SArWSgwcuh14AV9RBv6Rh9m83rjT2K0yvbe/+7hHW -R8nzRMqJcGNGCHmRjA/cwoiv6+k2J/RbCJqnR3RmNex/85XaXBfZwRfHXVbzZQfa -SrFaaNLf1hMwGLAJjIcQRxa3yZbjFXVx1Bp4hh8rKNWaOItjavNtNg== ------END RSA PRIVATE KEY----- diff --git a/test/cert-files/src/main/resources/testnode.crt b/test/cert-files/src/main/resources/testnode.crt deleted file mode 100644 index 08c160bcea5ff..0000000000000 
--- a/test/cert-files/src/main/resources/testnode.crt +++ /dev/null @@ -1,23 +0,0 @@ ------BEGIN CERTIFICATE----- -MIID0zCCArugAwIBAgIJALi5bDfjMszLMA0GCSqGSIb3DQEBCwUAMEgxDDAKBgNV -BAoTA29yZzEWMBQGA1UECxMNZWxhc3RpY3NlYXJjaDEgMB4GA1UEAxMXRWxhc3Rp -Y3NlYXJjaCBUZXN0IE5vZGUwHhcNMTUwOTIzMTg1MjU3WhcNMTkwOTIyMTg1MjU3 -WjBIMQwwCgYDVQQKEwNvcmcxFjAUBgNVBAsTDWVsYXN0aWNzZWFyY2gxIDAeBgNV -BAMTF0VsYXN0aWNzZWFyY2ggVGVzdCBOb2RlMIIBIjANBgkqhkiG9w0BAQEFAAOC -AQ8AMIIBCgKCAQEA3rGZ1QbsW0+MuyrSLmMfDFKtLBkIFW8V0gRuurFg1PUKKNR1 -Mq2tMVwjjYETAU/UY0iKZOzjgvYPKhDTYBTte/WHR1ZK4CYVv7TQX/gtFQG/ge/c -7u0sLch9p7fbd+/HZiLS/rBEZDIohvgUvzvnA8+OIYnw4kuxKo/5iboAIS41klMg -/lATm8V71LMY68inht71/ZkQoAHKgcR9z4yNYvQ1WqKG8DG8KROXltll3sTrKbl5 -zJhn660es/1ZnR6nvwt6xnSTl/mNHMjkfv1bs4rJ/py3qPxicdoSIn/KyojUcgHV -F38fuAy2CQTdjVG5fWj9iz+mQvLm3+qsIYQdFwIDAQABo4G/MIG8MAkGA1UdEwQC -MAAwHQYDVR0OBBYEFEMMWLWQi/g83PzlHYqAVnty5L7HMIGPBgNVHREEgYcwgYSC -CWxvY2FsaG9zdIIVbG9jYWxob3N0LmxvY2FsZG9tYWluggpsb2NhbGhvc3Q0ghds -b2NhbGhvc3Q0LmxvY2FsZG9tYWluNIIKbG9jYWxob3N0NoIXbG9jYWxob3N0Ni5s -b2NhbGRvbWFpbjaHBH8AAAGHEAAAAAAAAAAAAAAAAAAAAAEwDQYJKoZIhvcNAQEL -BQADggEBAMjGGXT8Nt1tbl2GkiKtmiuGE2Ej66YuZ37WSJViaRNDVHLlg87TCcHe -k2rdO+6sFqQbbzEfwQ05T7xGmVu7tm54HwKMRugoQ3wct0bQC5wEWYN+oMDvSyO6 -M28mZwWb4VtR2IRyWP+ve5DHwTM9mxWa6rBlGzsQqH6YkJpZojzqk/mQTug+Y8aE -mVoqRIPMHq9ob+S9qd5lp09+MtYpwPfTPx/NN+xMEooXWW/ARfpGhWPkg/FuCu4z -1tFmCqHgNcWirzMm3dQpF78muE9ng6OB2MXQwL4VgnVkxmlZNHbkR2v/t8MyZJxC -y4g6cTMM3S/UMt5/+aIB2JAuMKyuD+A= ------END CERTIFICATE----- 
diff --git a/test/cert-files/src/main/resources/testnode.jks b/test/cert-files/src/main/resources/testnode.jks deleted file mode 100644 index ebe6146124e8fd607e46a1a3129bdf9b4de0370d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 9360 zcmdUV2T)YowrzLQl93!F2SGC3WF$w)IfLYGK$2vT*iDigl`N7oh@eEt83BokWI;th zKok%V_zil_#dF{N=hmxN@83^VSMRxd)mp3enq$l{$L93&>1O}{0788*FTTk=VD28y zE;cYOYe##Svj^8*Hy60QBMbllY8=Nx4**vTxdk91003Gv1c?>_L4sT!qk(`R5Eh_) zU50G!4F3%T4;_m=TrvCr4+zA$0)Q|==^?b}XnJ5Y;(s+egq9o+ikg;}4=OCcDIVy2IuGcP39Gn>U% zK!zH|Y#zr76z$THNrVtl2Hz*duE|_x{SHKW=Wy9~#x0?_!WxzreKbBd_{B!%FFc+} z#hS1iA!Ph9s*KL}5ZCWMX)1FD)R@OQManE3e-@+qd0nOC5~I@Wvv)K719(Ez^^D!& zt6;h^oFHXs|H>4zGnJ%}f+`Pp>rEdE;=+o<-25$T9lIy1B0c;S!Z_r&_k6nwupM+P z`QIj_3i+10?X14(vmJKmiZElETC3=_VBSWbe19M>na%UTgjKu!)Hb0X5AJ>=1@Lw7vcxjN}1eMG&CU^70?>@)@Jj3w6do zK=}wbX`7exBW2Hy$yVaDo$ICp=}fYb@;nQCWlEe6F`UeJ?OsbuRMGQ zgd{VQ1`}qlEo37p4u-{8N|I&os?=jM_S_F93rh*dwGvc4>^v;F@<@1%AfI?JIxoOG#d{a^ zfIt8&OKT5%FPM$J8|t~~u}>Z;{sXMDD6qapfwk=?SP2aA8Y;D$$)co!mluiHCH4RE zP$7X(VhABRHdYc#Wb!Vj4e%Nnnzf4)lmZJVJR-@b8DwGjw9y}xw)Rb-X`tOZ@L?r7m{x$tD>pf-DK8J8PK&?Rve%UmMWfn zkY1J8$6e`6OS^j3!ZBdDpQ)-!J@JJ984?Dw%90 z9h9Kf+y~ zZ;X4CM_eV}GZ5(`=K*hqpZ8TuPP9ObD5GdI!|KXQ!DE#8?8q-!J#9& z<{0CP?#6ZZ#oFo@=oP4^3J28dh2~!eXSx~~6ipLu^f&9MPd~6p^1dZo&i#yysyksD zk}_18V>Qk~vQwzp^Jc<7;yAcH?9kbl>dg;vDb^QW7vRS}huY7Q{j*f_g#JtPV*wf` zQ+Jb8TG{^cI3dbVTnP3#FtLfzT-or(bOGc4(Y5{#j-5r{Ppfe;7RN>qhPm0{UaW%Vx1xCa5qm=3uM*tyDmx^f zYB_a@Gg~w4N2l?k$LGG^P!NIepM`u@h$CVHNvqI zC)X{Bme~#(ow!*Q{K^N&ikb6+rMH->KX;ZbN6hV7!(1Bu`qVw?;aP#3&Yrekzjpej zK?ev|N zXpSYGJX7Ur@l^_!fa=P>E&WMk1O|eS+U?%te$I}MSaKjCeWH%kki*#p`IR^ zVzx|rZ=W!gg0!F0H2VQ^^Fbof!}9le_))5Y=S5|6FO7Cv zbx_><@>*LeHI$ay>|Nv}{__#cG`gqE5HI=yy!zq2=%Sr>Y-uEp7wE@yxeIf4w6R19 z0pRVhFITw##6I{Y1PK;IRe#z)WcoxH4#%|zmFAbRe+4DeU7$D@vJi|;4ARs2BfumE z$x8ph0~o}3YA&A69w?nhuWt|Yh7v%o{$vY`Up(-~NEBoI#tcxx3+_iT2BrpTtEzI+ znim8i1QFsDfC}TOWK!IHlvq*$BEG}@fH_Cm@4K8Uq-IvD*m|7@F6Jq zuwGO-ZesCM!egNa*#)E@4QIrW8I23(sbgFL 
z-JqdF#j`8Vy}VmdE^%g2k0bzk-aO3BahcB5rNS zxl7R4(8SoexacwQK1c1P8)rsVPYAtP{l+gAnS>z5E){N%TZk`R&*4@b12lj~mK`oDh0NG!mg`Hy?PMdCk{$fc$gg@y}Zfu}F? zSu0-A5J<7i9~u3DF0|o^$U)%UsmE_ku>)^Gq%Eedjl|h!miFi4Sf0Lza4Yh$3`(a- zlSoW|GYZ|6+ksyVU2ZqAPbBTjepxQ8f5SX?^^wnbkC^~H#@eED&|5^5(CZW?&81lp zuK(Kl>+YUJ=bsA;AOPnN zL%!JXclJ}LX4jeGrIbUTc!v*~SOh1OiRa(L7uS+&TRqzL$=2m37@-?ugp z;<967zk5`#GF$mwu!!%bjbE#w?DiH;8#?Wzm57N|0FrE zn;pF<1Q#6>WkZaJqlDvMT!`PO>8EH>M_C>hj3f*ZfC@oG_ynO46eIBqKp_y`U*T^q z#J`%u2ttgGaj`B4_-g}bKnye)0C)>_&44m!Or)#1Ut8&;!v0wFl7XiLS&Hkpf6yQ+ zS$u^RL1(ei^U17X7FKiWIm_PUG%*qPkB-&%nj|U<+I{m8br3|&CFH3AtedxB3{(XP zEn%Zcf>g8WD}%`mB@~WM zp9uG(2Oy&6>W}bkjBJFW3kT}F6e9aa)BSXsD4RZ=aNVx{s&pychT8+Y$$l_!H^FaL z3LLd5q?EMk(g;f9FP8|X)yaCx6I!~n)nmu%`$=|;KQj#O^GGWI)jJJs z7>Ac9vNah6&K&AwA1hzS{iHejdVYVmZF*^BM|8K!2)nP`sY>CxeFi~sC&l{Y_0{O- zR3w-dQMDW`5;v=7NA6>dI8VL&`0&n)2=-n!aIaAxvy^GPc>jC8J0k!|&vN;X?e2o? zwky$-nw!ods}&g=K8Qr_j^(ku%x(XbPEm^7#X#04E>m|5a#SCvn|mjcA-(GfSo!6& zwo4GA-&byR`#aIaH8CYDzQA5wsTt$tD+m|9?pO*JTVtH)G_p-^rk-c&&hGLBJ0dr& z2HYnandk_~8S)LW z{)anZ&dF##-IbO!HlOrrA1oi$i|ZKRW2P#NW12=pa%4>IZtA*obM+ zUr`Tno4i}q5^Kd+o7JSL=5rZPlc46PloNW-aFxv_(_h*;*fV`daXfEiSnv3Vr)ub+ zGvw0>%{HX26_R#m)1Q}ov&mmtWdu>LrUjHJ2jK4u9jC@di^dq=M4hG)N(@7*Ibn94fDkgeZ1{bnK4+j=-Bc-b2kbl zB2~`9MlJg3nM9CMwMj#DMNZkY^(!}d=9l~B)2~-t=jY-H@fnybqV&{T6)llgafjWi zre8Oej@qni0pGukP;yElQPyUbR0vj64{6xhQ&{gaRu9*}FbDPDrKEY?oF2X`^?(_4 zmb)GR`9|N;k_xAaOKOcB-X5VI4lS)VpXq&hy5>;c=;P=Toe{dSmZd>q!5ROshhh@8 zezz8bnn9YgLPmvb&zHYGpx{ZvsYY(jgBa_`6ML+^wSF{M8|!4r?N-PPovp{FEv z=Pcib1<|(w1v)7kIBo9?+~*w?elzPllgNPEn;f9$IlZoM!$#4pBvCIflR?r-u)c6+ z(<;2~Ya?~aow*x1$ftJceu3cv-rdSCcqt5`!-iUS;QcI~^>3#oN1~~|xtRM0-|ar2 z-}HJmdu!h-8}h(C+}L*|A=$sKNQ*=nCXxLHm$0Of+U)vQ=e8;`-id27tf^>6nRV(o zD_35LMQCiXvc;2P5C$3ZExN#sI331)j7wM4?A}WR5y0vQHB4^!9Cb#LW2-5h8Wg_W zE?(7>&&`t(tsSfKU2gO8^6pwlf#)k(@H#E`*xxz}(ZGA`$b|V!H-7Eo_a;mxUQoaG z@iUWo&dy;${A)aMi66W&;E|)TL`@ITKe|!zaenPBdhYvMi9C1z&?Zn0VDle+KtrRW 
z&1xm~aLZ+Za#F!ldcDg52k7y8`+5HkKBT>PLT)EHQ+wS0?)^4H3rz7L`xRQ?0#5WuV4tJA^+R{Ul!N!Swi%8vAG}bX`+Jl z{oGbt`~Cx^#3hmbhxOmzd(GpA;JlOb?eHYV$_$QhVoRotB5vEjX~hRt_QbNfZtp`z zCa^jdlJCrmZdH&KP`Nvizsp}P9;bei0LINMRZ>umh z@wu?rUddcG(Rvf=W_VWZm(bV2C!R@~vHk=`B}z~dn3j-Xlqa^He3+oVCSlzhnr_T4 z7xI#}+RkP5Md<>pSR;^knyvj{LXvJ+Xj7FairmPhUH(WR%z8ECi!=5X-}D$9J9kN- zC$E~1Wqy*4yp5$n!!{%z@uufhdn+l@)27$nh~I1VmcvD^9)+Fcjc{mRqB-6n{4VXay+HKSqK6{!h@8K($I}H)GZL zd+vn7OSEuCTdiM0|B8QpC@%zZ-qoWKv;9Igy)4Yl!yayLZRr7{*L87mq?h*eaIu9s z!`x7JZ0LU(_QDWeC`vr@i$J00%{&wp^8X4Ugiw6cLKm~5yIVS0S@NUg`v3iXT_puI zWzN=ski(8IGp7|TpM;&i+%EXYl{BUj)_2s7CuR6q-a0@K^u0%!{YEWpYsrF1XERyZ zf$tMSTink}o&$ffH!`}Es;V{6M4j$g-H?#|zQ}jW+UO?yG=&aPZ`u&)cNLS#c$E%; zP1mx?uy^0lDm~1Sxl4AS3}fIGtsrpPzu9UsUFfLaHBjFbJbOC8(^<{SnS0n!StB#g zL}+<5vF5jPm0~0Vjt%Q?>}z(+kvmw*edbY` z@SqjXB|6rfvcCz`u_)Y;_+8ajHX`pJD&kNHczrrb!=?w{fiV124cV4iCdMz&zJwqK zE{Xo+XoqLy?Bk=64cI=0e(aTjm0Xe#m-AMZ32X;}2a~{K(-z>-Z{9+k8X@v&$i>E+ zQXRR%1%i z+gZhDOYfLI95J{tK}^7qxH4qdT=iwIXI;%~<(7x#tDq?=+?_Bwkrz$Q`TdVlR))UZ zB@j7mCy|Sc;&$|B7PbW~9eY=&!EdvD*IjQ)sB0(+cInMrs1{CN7*c3cOPQ|Rp{(Mt zOjz!_eLXl-Mnq|AsoQfh;NJug*Q+l)T z8)*rHeYv|M#Ut?%U?vsg>xas%hWwvYC#0-Sur)F2=FtkgqgCA#-e%z?+T?CPv=igi zT1bbmLe@F14M@f`Vd)CEd&TVRZ9lERix`Pv&Rj93@;7`u^|14k-pNBn{fTijp&Qtp z1B1q7E%*$Cjn_4DC1sJoqaH8jlQik)F@7bhGU9K_XgO4mt1xyV1wx@8p6R>!Z=zo} zJP|z{6Si_^2=pvzAdCS%KC?wD74V_1_=k2eaRNll~ zg_)0a(KkYGbiWo&D8{^z3der9T|L|venrzv_U)qcQ^$MFo;M|wFp-P!qEO(#sfdZ1oL-r?nXuCiHy2Qq0 ziM;!sUs2F`&Az?Mh;}V|OcB@zA_b&cXvUK=;k^R`-C{MPC+tX)V!8h%5RdT?@P(Uf7yaQA1qCnw{nH+*r>*BMBG9Ld(hllZ5Ey>&8FWz*Q!dPYoj zCzFk0KZGQUrz|3zXT|9#%3tEMsddw5y@{5+yMt>KbeorB%SpCOL#uM0uGFADE&g#g#^|1;Itr9?;L0YErGBwTfC_I{Rc$*iOkJ|A4=@L50Z x`UE0joFCFX(i+qD)1h^DcPJOtN>)kRbQgMUO*p!K@AKymmi%I+{Ip*({}0#og{%Mo diff --git a/test/cert-files/src/main/resources/testnode.pem b/test/cert-files/src/main/resources/testnode.pem deleted file mode 100644 index 5a67e1033440d..0000000000000 --- a/test/cert-files/src/main/resources/testnode.pem +++ /dev/null 
@@ -1,30 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -Proc-Type: 4,ENCRYPTED -DEK-Info: DES-EDE3-CBC,9D867F7E0C94D013 - -dVoVCjPeg1wgS7rVtOvGfQcrZyLkx393aWRnFq45tbjKBVuITtJ9vI7o4QXOV/15 -Gnb6WhXGIdWrzsxEAd46K6hIuNSISd4Emsx6c2Q5hTqWXXfexbOZBNfTtXtdJPnJ -1jAaikhtztLo3JSLTKNY5sNxd+XbaQyYVUWvueK6zOaIIMETvB+VPVFd9i1ROibk -Sgdtyj01KjkoalifqK/tA0CIYNKL0S6/eoK3UhAlpIprlpV+cnXa940C6bjLeJPt -PMAGGp5RrplxSgrSerw3I9DOWkHGtpqzIka3XneNUXJP8k4HUJ+aZkGH2ZILKS8d -4KMIb+KZSpHEGn+6uGccWLtZZmAjWJrDw56JbQtSHdRYLBRSOjLbTvQoPu/2Hpli -7HOxbotlvjptMunncq5aqK57SHA1dh0cwF7J3LUmGFJ67eoz+VV3b5qMn4MopSeI -mS16Ydd3nGpjSrln/elM0CQxqWfcOAXRZpDpFUQoXcBrLVzvz2DBl/0CrTRLhgzi -CO+5/IVcBWRlYpRNGgjjP7q0j6URID3jk5J06fYQXmBiwQT5j+GZqqzpMCJ9mIy2 -1O9SN1hebJnIcEU+E0njn/MGjlYdPywhaCy8pqElp6Q8TUEJpwLRFO/owCoBet/n -ZmCXUjfCGhc1pWHufFcDEQ6xMgEWWY/tdwCZeSU7EhErTjCbfupg+55A5fpDml0m -3wH4CFcuRjlqyx6Ywixm1ATeitDtJl5HQTw6b8OtEXwSgRmZ0eSqSRVk9QbVS7gu -IpQe09/Zimb5HzjZqZ3fdqHlcW4xax8hyJeyIvF5ZJ57eY8CBvu/wP2GDn26QnvF -xQqdfDbq1H4JmpwUHpbFwBoQK4Q6WFd1z4EA9bRQeo3H9PoqoOwMDjzajwLRF7b7 -q6tYH/n9PyHwdf1c4fFwgSmL1toXGfKlA9hjIaLsRSDD6srT5EdUk78bsnddwI51 -tu7C7P4JG+h1VdRNMNTlqtileWsIE7Nn2A1OkcUxZdF5mamENpDpJcHePLto6c8q -FKiwyFMsxhgsj6HK2HqO+UA4sX5Ni4oHwiPmb//EZLn045M5i1AN26KosJmb8++D -sgR5reWRy+UqJCTYblVg+7Dx++ggUnfxVyQEsWmw5r5f4KU5wXBkvoVMGtPNa9DE -n/uLtObD1qkNL38pRsr2OGRchYCgEoKGqEISBP4knfGXLOlWiW/246j9QzI97r1u -tvy7fKg28G7AUz9l6bpewsPHefBUeRQeieP9eJINaEpxkF/w2RpKDLpQjWxwDDOM -s+D0mrBMJve17AmJ8rMw6dIQPZYNZ88/jz1uQuUwQ2YlbmtZbCG81k9YMFGEU9XS -cyhJxj8hvYnt2PR5Z9/cJPyWOs0m/ufOeeQQ8SnU/lzmrQnpzUd2Z6p5i/B7LdRP -n1kX+l1qynuPnjvBz4nJQE0p6nzW8RyCDSniC9mtYtZmhgC8icqxgbvS7uEOBIYJ -NbK+0bEETTO34iY/JVTIqLOw3iQZYMeUpxpj6Phgx/oooxMTquMecPKNgeVtaBst -qjTNPX0ti1/HYpZqzYi8SV8YjHSJWCVMsZjKPr3W/HIcCKqYoIfgzi83Ha2KMQx6 ------END RSA PRIVATE KEY----- diff --git a/x-pack/build.gradle b/x-pack/build.gradle index b07afb932b673..01ce465fc0938 100644 --- a/x-pack/build.gradle +++ b/x-pack/build.gradle 
@@ -1,4 +1,6 @@ +import org.elasticsearch.gradle.BuildPlugin import org.elasticsearch.gradle.plugin.PluginBuildPlugin +import org.elasticsearch.gradle.Version import org.elasticsearch.gradle.precommit.LicenseHeadersTask Project xpackRootProject = project diff --git a/x-pack/plugin/build.gradle b/x-pack/plugin/build.gradle index 16f065834b0bd..9d6b65267eb3f 100644 --- a/x-pack/plugin/build.gradle +++ b/x-pack/plugin/build.gradle @@ -105,10 +105,25 @@ integTestRunner { } // location for keys and certificates -File nodeKey = project(':test:cert-files').file("src/main/resources/testnode.pem") -File nodeCert = project(':test:cert-files').file("src/main/resources/testnode.crt") +File keystoreDir = new File(project.buildDir, 'keystore') +File nodeKey = new File(keystoreDir, 'testnode.pem') +File nodeCert = new File(keystoreDir, 'testnode.crt') + +// Add key and certs to test classpath: it expects them there +// User cert and key PEM files instead of a JKS Keystore for the cluster's trust material so that +// it can run in a FIPS 140 JVM +task copyKeyCerts(type: Copy) { + from('./core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/') { + include 'testnode.crt', 'testnode.pem' + } + into keystoreDir +} +// Add keystores to test classpath: it expects it there +sourceSets.test.resources.srcDir(keystoreDir) +processTestResources.dependsOn(copyKeyCerts) integTestCluster { + dependsOn copyKeyCerts setting 'xpack.ml.enabled', 'true' setting 'xpack.security.enabled', 'true' setting 'logger.org.elasticsearch.xpack.ml.datafeed', 'TRACE' diff --git a/x-pack/qa/full-cluster-restart/build.gradle b/x-pack/qa/full-cluster-restart/build.gradle index de280c613d1a1..78ac1436fd8bc 100644 --- a/x-pack/qa/full-cluster-restart/build.gradle +++ b/x-pack/qa/full-cluster-restart/build.gradle 
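Review bot: The comments added around `copyKeyCerts` in x-pack/plugin/build.gradle are misleading: `User cert and key PEM files instead of a JKS Keystore` should read `Use ...`, and `Add key and certs to test classpath` sits above the Copy task, which only stages the files, before near-identical wording appears again above the `srcDir` line. The x-pack/qa/ml-native-multi-node-tests hunk repeats the pattern with the typo `cets`. I would keep one comment per step, e.g. `// Stage the test-only node key and certificate (PEM, usable in a FIPS 140 JVM) under build/keystore` above the task and `// Put the staged files on the test classpath` above `sourceSets.test.resources.srcDir(keystoreDir)`. Because `testnode.pem` is a private key, saying "test-only" in the comment keeps it from being read as deployable key material.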
@@ -125,7 +125,8 @@ subprojects { String output = "${buildDir}/generated-resources/${project.name}" task copyTestNodeKeystore(type: Copy) { - from project(':test:cert-files').file("src/main/resources/testnode.jks") + from project(xpackModule('core')) + .file('src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks') into outputDir } diff --git a/x-pack/qa/ml-native-multi-node-tests/build.gradle b/x-pack/qa/ml-native-multi-node-tests/build.gradle index c5156de08183a..7b8eebe4ea38d 100644 --- a/x-pack/qa/ml-native-multi-node-tests/build.gradle +++ b/x-pack/qa/ml-native-multi-node-tests/build.gradle @@ -19,10 +19,22 @@ integTestRunner { } // location for keys and certificates -File nodeKey = project(':test:cert-files').file("src/main/resources/testnode.pem") -File nodeCert = project(':test:cert-files').file("src/main/resources/testnode.crt") +File keystoreDir = new File(project.buildDir, 'keystore') +File nodeKey = new File(keystoreDir, 'testnode.pem') +File nodeCert = new File(keystoreDir, 'testnode.crt') +// Add key and certs to test classpath: it expects it there +task copyKeyCerts(type: Copy) { + from('../../plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/') { + include 'testnode.crt', 'testnode.pem' + } + into keystoreDir +} +// Add keys and cets to test classpath: it expects it there +sourceSets.test.resources.srcDir(keystoreDir) +processTestResources.dependsOn(copyKeyCerts) integTestCluster { + dependsOn copyKeyCerts setting 'xpack.security.enabled', 'true' setting 'xpack.ml.enabled', 'true' setting 'logger.org.elasticsearch.xpack.ml.datafeed', 'TRACE' diff --git a/x-pack/qa/rolling-upgrade/build.gradle b/x-pack/qa/rolling-upgrade/build.gradle index 16887b2776b14..351f33b941227 100644 --- a/x-pack/qa/rolling-upgrade/build.gradle +++ b/x-pack/qa/rolling-upgrade/build.gradle 
@@ -105,8 +105,10 @@ subprojects { group = 'verification' } + String output = "${buildDir}/generated-resources/${project.name}" task copyTestNodeKeystore(type: Copy) { - from project(':test:cert-files').file("src/main/resources/testnode.jks") + from project(xpackModule('core')) + .file('src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks') into outputDir } diff --git a/x-pack/qa/smoke-test-plugins-ssl/build.gradle b/x-pack/qa/smoke-test-plugins-ssl/build.gradle index 40d349422fe4b..16850f7ab9b23 100644 --- a/x-pack/qa/smoke-test-plugins-ssl/build.gradle +++ b/x-pack/qa/smoke-test-plugins-ssl/build.gradle @@ -16,7 +16,6 @@ apply plugin: 'elasticsearch.rest-test' dependencies { testCompile project(path: xpackModule('core'), configuration: 'runtime') - testRuntime project(':test:cert-files') } String outputDir = "${buildDir}/generated-resources/${project.name}" 
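Review bot: The added `String output = "${buildDir}/generated-resources/${project.name}"` is not referenced in the visible lines; the Copy task directly below it still writes `into outputDir`. If `outputDir` is not declared elsewhere in the `subprojects` block (which starts and ends outside this hunk), configuring `copyTestNodeKeystore` would likely fail on the unknown property, and if it is declared, the new variable is dead. Either rename it to `String outputDir = "${buildDir}/generated-resources/${project.name}"` or drop the line. The same `output`/`outputDir` pair shows up as context in the x-pack/qa/full-cluster-restart hunk.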
@@ -30,13 +29,27 @@ project.sourceSets.test.output.dir(outputDir, builtBy: copyXPackPluginProps) // needed to be consistent with ssl host checking Object san = new SanEvaluator() -// location of keystores, keys and certificates -File nodeKeystore = project(':test:cert-files').file("src/main/resources/testnode.jks") -File nodeKey = project(':test:cert-files').file("src/main/resources/testnode.pem") -File nodeCert = project(':test:cert-files').file("src/main/resources/testnode.crt") -File clientKeyStore = project(':test:cert-files').file("src/main/resources/testclient.jks") -File clientKey = project(':test:cert-files').file("src/main/resources/testclient.pem") -File clientCert = project(':test:cert-files').file("src/main/resources/testclient.crt") +// location of generated keystores and certificates +File keystoreDir = new File(project.buildDir, 'keystore') +File nodeKeystore = new File(keystoreDir, 'testnode.jks') +File nodeKey = new File(keystoreDir, 'testnode.pem') +File nodeCert = new File(keystoreDir, 'testnode.crt') +File clientKeyStore = new File(keystoreDir, 'testclient.jks') +File clientKey = new File(keystoreDir, 'testclient.pem') +File clientCert = new File(keystoreDir, 'testclient.crt') + +// Add keystores to test classpath: it expects it there +task copyKeyCerts(type: Copy) { + from('./') { + include '*.crt', '*.pem', '*.jks' + } + into keystoreDir +} +// Add keystores to test classpath: it expects it there +sourceSets.test.resources.srcDir(keystoreDir) +processTestResources.dependsOn(copyKeyCerts) + +integTestCluster.dependsOn(copyKeyCerts) ext.pluginsCount = 0 project(':plugins').getChildProjects().each { pluginName, pluginProject -> diff --git a/x-pack/qa/sql/security/ssl/build.gradle b/x-pack/qa/sql/security/ssl/build.gradle index 1c7acb8c2a62b..10d2d5cf19d16 100644 --- a/x-pack/qa/sql/security/ssl/build.gradle +++ b/x-pack/qa/sql/security/ssl/build.gradle 
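Review bot: `copyKeyCerts` includes `'*.crt', '*.pem', '*.jks'` from `./`, so any key or keystore file in the project directory is copied to `build/keystore` and onto the test classpath, not only the six fixtures declared above it. Listing the files explicitly keeps the copied key material to what the tests need: `include 'testnode.jks', 'testnode.pem', 'testnode.crt', 'testclient.jks', 'testclient.pem', 'testclient.crt'`. The comment `location of generated keystores and certificates` is also stale now that the files are checked in and copied rather than generated, and `Add keystores to test classpath: it expects it there` appears twice.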
@@ -206,16 +206,32 @@ integTestCluster { } } -Closure notRunningFips = { - Boolean.parseBoolean(BuildPlugin.runJavascript(project, project.runtimeJavaHome, - 'print(java.security.Security.getProviders()[0].name.toLowerCase().contains("fips"));')) == false -} // Do not attempt to form a cluster in a FIPS JVM, as doing so with a JKS keystore will fail. // TODO Revisit this when SQL CLI client can handle key/certificate instead of only Keystores. -tasks.matching({ it.name == "integTestCluster#init" }).all { onlyIf notRunningFips } -tasks.matching({ it.name == "integTestCluster#start" }).all { onlyIf notRunningFips } -tasks.matching({ it.name == "integTestCluster#wait" }).all { onlyIf notRunningFips } -tasks.matching({ it.name == "integTestRunner" }).all { onlyIf notRunningFips } +tasks.matching({ it.name == "integTestCluster#init" }).all { + onlyIf { + Boolean.parseBoolean(BuildPlugin.runJavascript(project, project.runtimeJavaHome, + 'print(java.security.Security.getProviders()[0].name.toLowerCase().contains("fips"));')) == false + } +} +tasks.matching({ it.name == "integTestCluster#start" }).all { + onlyIf { + Boolean.parseBoolean(BuildPlugin.runJavascript(project, project.runtimeJavaHome, + 'print(java.security.Security.getProviders()[0].name.toLowerCase().contains("fips"));')) == false + } +} +tasks.matching({ it.name == "integTestCluster#wait" }).all { + onlyIf { + Boolean.parseBoolean(BuildPlugin.runJavascript(project, project.runtimeJavaHome, + 'print(java.security.Security.getProviders()[0].name.toLowerCase().contains("fips"));')) == false + } +} +tasks.matching({ it.name == "integTestRunner" }).all { + onlyIf { + Boolean.parseBoolean(BuildPlugin.runJavascript(project, project.runtimeJavaHome, + 'print(java.security.Security.getProviders()[0].name.toLowerCase().contains("fips"));')) == false + } +} /** A lazy evaluator to find the san to use for certificate generation. */ class SanEvaluator { 
From 86bdddd81c3b3a3b06979f81021e8d85511a366c Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Mon, 23 Jul 2018 19:13:27 +0300 Subject: [PATCH 06/11] Partially addresses feedback --- build.gradle | 13 -- .../elasticsearch/gradle/BuildPlugin.groovy | 14 +- x-pack/plugin/build.gradle | 6 +- x-pack/qa/full-cluster-restart/build.gradle | 8 +- .../ml-native-multi-node-tests/build.gradle | 6 +- x-pack/qa/rolling-upgrade/build.gradle | 2 +- x-pack/qa/smoke-test-plugins-ssl/build.gradle | 173 +----------------- x-pack/qa/sql/security/ssl/build.gradle | 40 ++-- 8 files changed, 42 insertions(+), 220 deletions(-) diff --git a/build.gradle b/build.gradle index 501caa2dea0a4..600b0e4a2bbf1 100644 --- a/build.gradle +++ b/build.gradle @@ -477,19 +477,6 @@ allprojects { tasks.eclipse.dependsOn(cleanEclipse, copyEclipseSettings) } -// Set the system keystore/truststore password if we're running tests in a FIPS-140 JVM -allprojects { - tasks.withType(RandomizedTestingTask) { - // So that this gets executed only right before the test runs - doFirst { - String inFipsJvmScript = 'print(java.security.Security.getProviders()[0].name.toLowerCase().contains("fips"));' - if (Boolean.parseBoolean(BuildPlugin.runJavascript(project, project.runtimeJavaHome, inFipsJvmScript))) { - systemProperty 'javax.net.ssl.trustStorePassword', 'password' - systemProperty 'javax.net.ssl.keyStorePassword', 'password' - } - } - } -} // we need to add the same --debug-jvm option as // the real RunTask has, so we can pass it through class Run extends DefaultTask { diff --git a/buildSrc/src/main/groovy/org/elasticsearch/gradle/BuildPlugin.groovy b/buildSrc/src/main/groovy/org/elasticsearch/gradle/BuildPlugin.groovy index a9f0e91e727c3..dcc64ccceb590 100644 --- a/buildSrc/src/main/groovy/org/elasticsearch/gradle/BuildPlugin.groovy +++ b/buildSrc/src/main/groovy/org/elasticsearch/gradle/BuildPlugin.groovy 
@@ -125,6 +125,9 @@ class BuildPlugin implements Plugin { runtimeJavaVersionEnum = JavaVersion.toVersion(findJavaSpecificationVersion(project, runtimeJavaHome)) } + String inFipsJvmScript = 'print(java.security.Security.getProviders()[0].name.toLowerCase().contains("fips"));' + boolean inFipsJvm = Boolean.parseBoolean(runJavascript(project, runtimeJavaHome, inFipsJvmScript)) + // Build debugging info println '=======================================' println 'Elasticsearch Build Hamster says Hello!' @@ -143,6 +146,7 @@ class BuildPlugin implements Plugin { println " JAVA_HOME : ${gradleJavaHome}" } println " Random Testing Seed : ${project.testSeed}" + println " in FIPS MODE : ${inFipsJvm}" // enforce Gradle version final GradleVersion currentGradleVersion = GradleVersion.current(); @@ -196,6 +200,7 @@ class BuildPlugin implements Plugin { project.rootProject.ext.buildChecksDone = true project.rootProject.ext.minimumCompilerVersion = minimumCompilerVersion project.rootProject.ext.minimumRuntimeVersion = minimumRuntimeVersion + project.rootProject.ext.inFipsJvm = inFipsJvm } project.targetCompatibility = project.rootProject.ext.minimumRuntimeVersion @@ -207,6 +212,7 @@ class BuildPlugin implements Plugin { project.ext.compilerJavaVersion = project.rootProject.ext.compilerJavaVersion project.ext.runtimeJavaVersion = project.rootProject.ext.runtimeJavaVersion project.ext.javaVersions = project.rootProject.ext.javaVersions + project.ext.inFipsJvm = project.rootProject.ext.inFipsJvm } private static String findCompilerJavaHome() { 
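Review bot: `inFipsJvm` is decided solely by whether the name of the first registered security provider contains "fips", and nothing next to `inFipsJvmScript` says so. That is a naming heuristic: it would presumably miss a FIPS provider registered at a lower priority, match any provider whose name merely contains the string, and it says nothing about whether the provider runs in approved mode. A comment such as `// Heuristic: treat the JVM as FIPS 140 when the highest-priority JCA provider's name contains "fips"` would make the limit explicit for anyone relying on the flag. `ESIntegTestCase.inFipsJvm()` in PATCH 07 applies the same test and, being `public static`, would benefit from the same sentence as Javadoc. The enclosing method starts and ends outside the hunk.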
@@ -287,7 +293,7 @@ class BuildPlugin implements Plugin { } /** Runs the given javascript using jjs from the jdk, and returns the output */ - static String runJavascript(Project project, String javaHome, String script) { + private static String runJavascript(Project project, String javaHome, String script) { ByteArrayOutputStream stdout = new ByteArrayOutputStream() ByteArrayOutputStream stderr = new ByteArrayOutputStream() if (Os.isFamily(Os.FAMILY_WINDOWS)) { @@ -705,7 +711,11 @@ class BuildPlugin implements Plugin { systemProperty property.getKey(), property.getValue() } } - + // Set the system keystore/truststore password if we're running tests in a FIPS-140 JVM + if (project.inFipsJvm) { + systemProperty 'javax.net.ssl.trustStorePassword', 'password' + systemProperty 'javax.net.ssl.keyStorePassword', 'password' + } boolean assertionsEnabled = Boolean.parseBoolean(System.getProperty('tests.asserts', 'true')) enableSystemAssertions assertionsEnabled enableAssertions assertionsEnabled diff --git a/x-pack/plugin/build.gradle b/x-pack/plugin/build.gradle index 9d6b65267eb3f..c3734a3b66b76 100644 --- a/x-pack/plugin/build.gradle +++ b/x-pack/plugin/build.gradle 
@@ -106,14 +106,14 @@ integTestRunner { // location for keys and certificates File keystoreDir = new File(project.buildDir, 'keystore') -File nodeKey = new File(keystoreDir, 'testnode.pem') -File nodeCert = new File(keystoreDir, 'testnode.crt') +File nodeKey = file("$keystoreDir/testnode.pem") +File nodeCert = file("$keystoreDir/testnode.crt") // Add key and certs to test classpath: it expects them there // User cert and key PEM files instead of a JKS Keystore for the cluster's trust material so that // it can run in a FIPS 140 JVM task copyKeyCerts(type: Copy) { - from('./core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/') { + from(project(':x-pack:plugin:core').file('src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/')) { include 'testnode.crt', 'testnode.pem' } into keystoreDir diff --git a/x-pack/qa/full-cluster-restart/build.gradle b/x-pack/qa/full-cluster-restart/build.gradle index 78ac1436fd8bc..8a2f5fc6405cf 100644 --- a/x-pack/qa/full-cluster-restart/build.gradle +++ b/x-pack/qa/full-cluster-restart/build.gradle @@ -124,10 +124,10 @@ subprojects { } String output = "${buildDir}/generated-resources/${project.name}" - task copyTestNodeKeystore(type: Copy) { - from project(xpackModule('core')) - .file('src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks') - into outputDir + task copyTestNodeKeystore(type: Copy) { + from project(':x-pack:plugin:core') + .file('src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks') + into outputDir } for (Version version : bwcVersions.indexCompatible) { diff --git a/x-pack/qa/ml-native-multi-node-tests/build.gradle b/x-pack/qa/ml-native-multi-node-tests/build.gradle index 7b8eebe4ea38d..b8627db3068fd 100644 --- a/x-pack/qa/ml-native-multi-node-tests/build.gradle +++ b/x-pack/qa/ml-native-multi-node-tests/build.gradle 
@@ -20,11 +20,11 @@ integTestRunner { // location for keys and certificates File keystoreDir = new File(project.buildDir, 'keystore') -File nodeKey = new File(keystoreDir, 'testnode.pem') -File nodeCert = new File(keystoreDir, 'testnode.crt') +File nodeKey = file("$keystoreDir/testnode.pem") +File nodeCert = file("$keystoreDir/testnode.crt") // Add key and certs to test classpath: it expects it there task copyKeyCerts(type: Copy) { - from('../../plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/') { + from(project(':x-pack:plugin:core').file('src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/')) { include 'testnode.crt', 'testnode.pem' } into keystoreDir diff --git a/x-pack/qa/rolling-upgrade/build.gradle b/x-pack/qa/rolling-upgrade/build.gradle index 351f33b941227..f60cbe4b34c2b 100644 --- a/x-pack/qa/rolling-upgrade/build.gradle +++ b/x-pack/qa/rolling-upgrade/build.gradle @@ -107,7 +107,7 @@ subprojects { String output = "${buildDir}/generated-resources/${project.name}" task copyTestNodeKeystore(type: Copy) { - from project(xpackModule('core')) + from project(':x-pack:plugin:core') .file('src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks') into outputDir } diff --git a/x-pack/qa/smoke-test-plugins-ssl/build.gradle b/x-pack/qa/smoke-test-plugins-ssl/build.gradle index 16850f7ab9b23..672bc3a19e834 100644 --- a/x-pack/qa/smoke-test-plugins-ssl/build.gradle +++ b/x-pack/qa/smoke-test-plugins-ssl/build.gradle 
@@ -26,17 +26,14 @@ task copyXPackPluginProps(type: Copy) { } project.sourceSets.test.output.dir(outputDir, builtBy: copyXPackPluginProps) -// needed to be consistent with ssl host checking -Object san = new SanEvaluator() - // location of generated keystores and certificates File keystoreDir = new File(project.buildDir, 'keystore') -File nodeKeystore = new File(keystoreDir, 'testnode.jks') -File nodeKey = new File(keystoreDir, 'testnode.pem') -File nodeCert = new File(keystoreDir, 'testnode.crt') -File clientKeyStore = new File(keystoreDir, 'testclient.jks') -File clientKey = new File(keystoreDir, 'testclient.pem') -File clientCert = new File(keystoreDir, 'testclient.crt') +File nodeKeystore = file("$keystoreDir/testnode.jks") +File nodeKey = file("$keystoreDir/testnode.pem") +File nodeCert = file("$keystoreDir/testnode.crt") +File clientKeyStore = file("$keystoreDir/testclient.jks") +File clientKey = file("$keystoreDir/testclient.pem") +File clientCert = file("$keystoreDir/testclient.crt") // Add keystores to test classpath: it expects it there task copyKeyCerts(type: Copy) { 
@@ -141,160 +138,4 @@ processTestResources { inputs.properties(expansions) MavenFilteringHack.filter(it, expansions) } -} - -/** A lazy evaluator to find the san to use for certificate generation. */ -class SanEvaluator { - - private static String san = null - - String toString() { - synchronized (SanEvaluator.class) { - if (san == null) { - san = getSubjectAlternativeNameString() - } - } - return san - } - - // Code stolen from NetworkUtils/InetAddresses/NetworkAddress to support SAN - /** Return all interfaces (and subinterfaces) on the system */ - private static List getInterfaces() throws SocketException { - List all = new ArrayList<>(); - addAllInterfaces(all, Collections.list(NetworkInterface.getNetworkInterfaces())); - Collections.sort(all, new Comparator() { - @Override - public int compare(NetworkInterface left, NetworkInterface right) { - return Integer.compare(left.getIndex(), right.getIndex()); - } - }); - return all; - } - - /** Helper for getInterfaces, recursively adds subinterfaces to {@code target} */ - private static void addAllInterfaces(List target, List level) { - if (!level.isEmpty()) { - target.addAll(level); - for (NetworkInterface intf : level) { - addAllInterfaces(target, Collections.list(intf.getSubInterfaces())); - } - } - } - - private static String getSubjectAlternativeNameString() { - List list = new ArrayList<>(); - for (NetworkInterface intf : getInterfaces()) { - if (intf.isUp()) { - // NOTE: some operating systems (e.g. BSD stack) assign a link local address to the loopback interface - // while technically not a loopback address, some of these treat them as one (e.g. OS X "localhost") so we must too, - // otherwise things just won't work out of box. So we include all addresses from loopback interfaces. 
- for (InetAddress address : Collections.list(intf.getInetAddresses())) { - if (intf.isLoopback() || address.isLoopbackAddress()) { - list.add(address); - } - } - } - } - if (list.isEmpty()) { - throw new IllegalArgumentException("no up-and-running loopback addresses found, got " + getInterfaces()); - } - - StringBuilder builder = new StringBuilder("san="); - for (int i = 0; i < list.size(); i++) { - InetAddress address = list.get(i); - String hostAddress; - if (address instanceof Inet6Address) { - hostAddress = compressedIPV6Address((Inet6Address)address); - } else { - hostAddress = address.getHostAddress(); - } - builder.append("ip:").append(hostAddress); - String hostname = address.getHostName(); - if (hostname.equals(address.getHostAddress()) == false) { - builder.append(",dns:").append(hostname); - } - - if (i != (list.size() - 1)) { - builder.append(","); - } - } - - return builder.toString(); - } - - private static String compressedIPV6Address(Inet6Address inet6Address) { - byte[] bytes = inet6Address.getAddress(); - int[] hextets = new int[8]; - for (int i = 0; i < hextets.length; i++) { - hextets[i] = (bytes[2 * i] & 255) << 8 | bytes[2 * i + 1] & 255; - } - compressLongestRunOfZeroes(hextets); - return hextetsToIPv6String(hextets); - } - - /** - * Identify and mark the longest run of zeroes in an IPv6 address. - * - *

Only runs of two or more hextets are considered. In case of a tie, the - * leftmost run wins. If a qualifying run is found, its hextets are replaced - * by the sentinel value -1. - * - * @param hextets {@code int[]} mutable array of eight 16-bit hextets - */ - private static void compressLongestRunOfZeroes(int[] hextets) { - int bestRunStart = -1; - int bestRunLength = -1; - int runStart = -1; - for (int i = 0; i < hextets.length + 1; i++) { - if (i < hextets.length && hextets[i] == 0) { - if (runStart < 0) { - runStart = i; - } - } else if (runStart >= 0) { - int runLength = i - runStart; - if (runLength > bestRunLength) { - bestRunStart = runStart; - bestRunLength = runLength; - } - runStart = -1; - } - } - if (bestRunLength >= 2) { - Arrays.fill(hextets, bestRunStart, bestRunStart + bestRunLength, -1); - } - } - - /** - * Convert a list of hextets into a human-readable IPv6 address. - * - *

In order for "::" compression to work, the input should contain negative - * sentinel values in place of the elided zeroes. - * - * @param hextets {@code int[]} array of eight 16-bit hextets, or -1s - */ - private static String hextetsToIPv6String(int[] hextets) { - /* - * While scanning the array, handle these state transitions: - * start->num => "num" start->gap => "::" - * num->num => ":num" num->gap => "::" - * gap->num => "num" gap->gap => "" - */ - StringBuilder buf = new StringBuilder(39); - boolean lastWasNumber = false; - for (int i = 0; i < hextets.length; i++) { - boolean thisIsNumber = hextets[i] >= 0; - if (thisIsNumber) { - if (lastWasNumber) { - buf.append(':'); - } - buf.append(Integer.toHexString(hextets[i])); - } else { - if (i == 0 || lastWasNumber) { - buf.append("::"); - } - } - lastWasNumber = thisIsNumber; - } - return buf.toString(); - } -} +} \ No newline at end of file diff --git a/x-pack/qa/sql/security/ssl/build.gradle b/x-pack/qa/sql/security/ssl/build.gradle index 10d2d5cf19d16..153fcf869a9f3 100644 --- a/x-pack/qa/sql/security/ssl/build.gradle +++ b/x-pack/qa/sql/security/ssl/build.gradle @@ -22,7 +22,7 @@ Object san = new SanEvaluator() File keystoreDir = new File(project.buildDir, 'keystore') // Generate the node's keystore -File nodeKeystore = new File(keystoreDir, 'test-node.jks') +File nodeKeystore = file("$keystoreDir/test-node.jks") task createNodeKeyStore(type: LoggedExec) { doFirst { if (nodeKeystore.parentFile.exists() == false) { @@ -47,7 +47,7 @@ task createNodeKeyStore(type: LoggedExec) { } // Generate the client's keystore -File clientKeyStore = new File(keystoreDir, 'test-client.jks') +File clientKeyStore = file("$keystoreDir/test-client.jks") task createClientKeyStore(type: LoggedExec) { doFirst { if (clientKeyStore.parentFile.exists() == false) { 
@@ -72,7 +72,7 @@ task createClientKeyStore(type: LoggedExec) { } // Export the node's certificate -File nodeCertificate = new File(keystoreDir, 'test-node.cert') +File nodeCertificate = file("$keystoreDir/test-node.cert") task exportNodeCertificate(type: LoggedExec) { dependsOn createNodeKeyStore doFirst { @@ -104,7 +104,7 @@ task importNodeCertificateInClientKeyStore(type: LoggedExec) { } // Export the client's certificate -File clientCertificate = new File(keystoreDir, 'test-client.cert') +File clientCertificate = file("$keystoreDir/test-client.cert") task exportClientCertificate(type: LoggedExec) { dependsOn createClientKeyStore doFirst { 
@@ -205,33 +205,17 @@ integTestCluster { return tmpFile.exists() } } +Closure notRunningFips = { + Boolean.parseBoolean(BuildPlugin.runJavascript(project, project.runtimeJavaHome, + 'print(java.security.Security.getProviders()[0].name.toLowerCase().contains("fips"));')) == false +} // Do not attempt to form a cluster in a FIPS JVM, as doing so with a JKS keystore will fail. // TODO Revisit this when SQL CLI client can handle key/certificate instead of only Keystores. -tasks.matching({ it.name == "integTestCluster#init" }).all { - onlyIf { - Boolean.parseBoolean(BuildPlugin.runJavascript(project, project.runtimeJavaHome, - 'print(java.security.Security.getProviders()[0].name.toLowerCase().contains("fips"));')) == false - } -} -tasks.matching({ it.name == "integTestCluster#start" }).all { - onlyIf { - Boolean.parseBoolean(BuildPlugin.runJavascript(project, project.runtimeJavaHome, - 'print(java.security.Security.getProviders()[0].name.toLowerCase().contains("fips"));')) == false - } -} -tasks.matching({ it.name == "integTestCluster#wait" }).all { - onlyIf { - Boolean.parseBoolean(BuildPlugin.runJavascript(project, project.runtimeJavaHome, - 'print(java.security.Security.getProviders()[0].name.toLowerCase().contains("fips"));')) == false - } -} -tasks.matching({ it.name == "integTestRunner" }).all { - onlyIf { - Boolean.parseBoolean(BuildPlugin.runJavascript(project, project.runtimeJavaHome, - 'print(java.security.Security.getProviders()[0].name.toLowerCase().contains("fips"));')) == false - } -} +tasks.matching({ it.name == "integTestCluster#init" }).all { onlyIf notRunningFips } +tasks.matching({ it.name == "integTestCluster#start" }).all { onlyIf notRunningFips } +tasks.matching({ it.name == "integTestCluster#wait" }).all { onlyIf notRunningFips } +tasks.matching({ it.name == "integTestRunner" }).all { onlyIf notRunningFips } /** A lazy evaluator to find the san to use for certificate generation. */ class SanEvaluator { 
From dd61b4b2265c0f5ad6c7361539c2885164491cce Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Tue, 24 Jul 2018 00:28:10 +0300 Subject: [PATCH 07/11] Address feedback --- .../groovy/org/elasticsearch/gradle/BuildPlugin.groovy | 1 - .../action/admin/ReloadSecureSettingsIT.java | 10 +++++++--- .../java/org/elasticsearch/test/ESIntegTestCase.java | 4 ++++ 3 files changed, 11 insertions(+), 4 deletions(-) diff --git a/buildSrc/src/main/groovy/org/elasticsearch/gradle/BuildPlugin.groovy b/buildSrc/src/main/groovy/org/elasticsearch/gradle/BuildPlugin.groovy index 82e26beff2751..85216cf73368e 100644 --- a/buildSrc/src/main/groovy/org/elasticsearch/gradle/BuildPlugin.groovy +++ b/buildSrc/src/main/groovy/org/elasticsearch/gradle/BuildPlugin.groovy @@ -152,7 +152,6 @@ class BuildPlugin implements Plugin { println " JAVA_HOME : ${gradleJavaHome}" } println " Random Testing Seed : ${project.testSeed}" - println " in FIPS MODE : ${inFipsJvm}" // enforce Gradle version final GradleVersion currentGradleVersion = GradleVersion.current(); diff --git a/server/src/test/java/org/elasticsearch/action/admin/ReloadSecureSettingsIT.java b/server/src/test/java/org/elasticsearch/action/admin/ReloadSecureSettingsIT.java index 3a041ad271850..3dcde06c27c28 100644 --- a/server/src/test/java/org/elasticsearch/action/admin/ReloadSecureSettingsIT.java +++ b/server/src/test/java/org/elasticsearch/action/admin/ReloadSecureSettingsIT.java 
@@ -207,9 +207,13 @@ public void onResponse(NodesReloadSecureSettingsResponse nodesReloadResponse) { for (final NodesReloadSecureSettingsResponse.NodeResponse nodeResponse : nodesReloadResponse.getNodes()) { assertThat(nodeResponse.reloadException(), notNullValue()); // Running in a JVM with a BouncyCastle FIPS Security Provider, decrypting the Keystore with the wrong - // password can return a SecurityException if the DataInputStream can't be fully consumed - assertThat(nodeResponse.reloadException(), - anyOf(instanceOf(IOException.class), instanceOf(SecurityException.class))); + // password returns a SecurityException if the DataInputStream can't be fully consumed + if (inFipsJvm()) { + assertThat(nodeResponse.reloadException(), instanceOf(SecurityException.class)); + } else { + assertThat(nodeResponse.reloadException(), instanceOf(IOException.class)); + } + } } catch (final AssertionError e) { reloadSettingsError.set(e); diff --git a/test/framework/src/main/java/org/elasticsearch/test/ESIntegTestCase.java b/test/framework/src/main/java/org/elasticsearch/test/ESIntegTestCase.java index 275bca4d28dd3..3a479aad89770 100644 --- a/test/framework/src/main/java/org/elasticsearch/test/ESIntegTestCase.java +++ b/test/framework/src/main/java/org/elasticsearch/test/ESIntegTestCase.java @@ -176,6 +176,7 @@ import java.net.URL; import java.nio.file.Files; import java.nio.file.Path; +import java.security.Security; import java.util.ArrayList; import java.util.Arrays; import java.util.Collection; @@ -2364,4 +2365,7 @@ protected void assertSeqNos() throws Exception { }); } + public static boolean inFipsJvm() { + return Security.getProviders()[0].getName().toLowerCase(Locale.ROOT).contains("fips"); + } } From 8f020b18d70c998b75e64a7375b4924aad175892 Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Tue, 24 Jul 2018 00:54:00 +0300 Subject: [PATCH 08/11] Remove unused import --- .../org/elasticsearch/action/admin/ReloadSecureSettingsIT.java | 1 - 1 file changed, 1 deletion(-) 
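Review bot: The FIPS branch in ReloadSecureSettingsIT now requires `SecurityException` unconditionally, while the comment above it still says the exception is returned `if the DataInputStream can't be fully consumed`. If there is a wrong-password case in which the stream is consumed and the FIPS provider surfaces an `IOException` instead, this assertion fails where the earlier `anyOf(...)` form passed; I cannot tell from the hunk whether that case is reachable. Either reword the comment to state why the wrong-password path always ends in `SecurityException` under FIPS, or keep `anyOf(instanceOf(IOException.class), instanceOf(SecurityException.class))` inside the `inFipsJvm()` branch. The blank line added before the loop's closing brace can be dropped. `onResponse` starts and ends outside the hunk.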
diff --git a/server/src/test/java/org/elasticsearch/action/admin/ReloadSecureSettingsIT.java b/server/src/test/java/org/elasticsearch/action/admin/ReloadSecureSettingsIT.java index 3dcde06c27c28..c8503603f665c 100644 --- a/server/src/test/java/org/elasticsearch/action/admin/ReloadSecureSettingsIT.java +++ b/server/src/test/java/org/elasticsearch/action/admin/ReloadSecureSettingsIT.java @@ -45,7 +45,6 @@ import java.util.concurrent.CountDownLatch; import java.util.concurrent.atomic.AtomicReference; -import static org.hamcrest.Matchers.anyOf; import static org.hamcrest.Matchers.equalTo; import static org.hamcrest.Matchers.notNullValue; import static org.hamcrest.Matchers.nullValue; From 12b7ccb22891fd742b09fa71df9dcf16d2941484 Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Tue, 24 Jul 2018 01:59:10 +0300 Subject: [PATCH 09/11] Address feedback --- build.gradle | 90 ++++++++++----------- x-pack/plugin/build.gradle | 2 + x-pack/qa/full-cluster-restart/build.gradle | 8 +- x-pack/qa/sql/security/ssl/build.gradle | 8 +- 4 files changed, 55 insertions(+), 53 deletions(-) diff --git a/build.gradle b/build.gradle index b7a314a7c08ee..66f34d8f445de 100644 --- a/build.gradle +++ b/build.gradle 
@@ -219,39 +219,39 @@ subprojects { them as external dependencies so the build plugin that we use can be used to build elasticsearch plugins outside of the elasticsearch source tree. */ ext.projectSubstitutions = [ - "org.elasticsearch.gradle:build-tools:${version}" : ':build-tools', - "org.elasticsearch:rest-api-spec:${version}" : ':rest-api-spec', - "org.elasticsearch:elasticsearch:${version}" : ':server', - "org.elasticsearch:elasticsearch-cli:${version}" : ':libs:elasticsearch-cli', - "org.elasticsearch:elasticsearch-core:${version}" : ':libs:core', - "org.elasticsearch:elasticsearch-nio:${version}" : ':libs:nio', - "org.elasticsearch:elasticsearch-x-content:${version}" : ':libs:x-content', - "org.elasticsearch:elasticsearch-secure-sm:${version}" : ':libs:secure-sm', - "org.elasticsearch.client:elasticsearch-rest-client:${version}" : ':client:rest', - "org.elasticsearch.client:elasticsearch-rest-client-sniffer:${version}" : ':client:sniffer', - "org.elasticsearch.client:elasticsearch-rest-high-level-client:${version}": ':client:rest-high-level', - "org.elasticsearch.client:test:${version}" : ':client:test', - "org.elasticsearch.client:transport:${version}" : ':client:transport', - "org.elasticsearch.test:framework:${version}" : ':test:framework', - "org.elasticsearch.distribution.integ-test-zip:elasticsearch:${version}" : ':distribution:archives:integ-test-zip', - "org.elasticsearch.distribution.zip:elasticsearch:${version}" : ':distribution:archives:zip', - "org.elasticsearch.distribution.zip:elasticsearch-oss:${version}" : ':distribution:archives:oss-zip', - "org.elasticsearch.distribution.tar:elasticsearch:${version}" : ':distribution:archives:tar', - "org.elasticsearch.distribution.tar:elasticsearch-oss:${version}" : ':distribution:archives:oss-tar', - "org.elasticsearch.distribution.rpm:elasticsearch:${version}" : ':distribution:packages:rpm', - "org.elasticsearch.distribution.rpm:elasticsearch-oss:${version}" : ':distribution:packages:oss-rpm', - 
"org.elasticsearch.distribution.deb:elasticsearch:${version}" : ':distribution:packages:deb', - "org.elasticsearch.distribution.deb:elasticsearch-oss:${version}" : ':distribution:packages:oss-deb', - "org.elasticsearch.test:logger-usage:${version}" : ':test:logger-usage', - "org.elasticsearch.xpack.test:feature-aware:${version}" : ':x-pack:test:feature-aware', - // for transport client - "org.elasticsearch.plugin:transport-netty4-client:${version}" : ':modules:transport-netty4', - "org.elasticsearch.plugin:reindex-client:${version}" : ':modules:reindex', - "org.elasticsearch.plugin:lang-mustache-client:${version}" : ':modules:lang-mustache', - "org.elasticsearch.plugin:parent-join-client:${version}" : ':modules:parent-join', - "org.elasticsearch.plugin:aggs-matrix-stats-client:${version}" : ':modules:aggs-matrix-stats', - "org.elasticsearch.plugin:percolator-client:${version}" : ':modules:percolator', - "org.elasticsearch.plugin:rank-eval-client:${version}" : ':modules:rank-eval', + "org.elasticsearch.gradle:build-tools:${version}": ':build-tools', + "org.elasticsearch:rest-api-spec:${version}": ':rest-api-spec', + "org.elasticsearch:elasticsearch:${version}": ':server', + "org.elasticsearch:elasticsearch-cli:${version}": ':libs:elasticsearch-cli', + "org.elasticsearch:elasticsearch-core:${version}": ':libs:core', + "org.elasticsearch:elasticsearch-nio:${version}": ':libs:nio', + "org.elasticsearch:elasticsearch-x-content:${version}": ':libs:x-content', + "org.elasticsearch:elasticsearch-secure-sm:${version}": ':libs:secure-sm', + "org.elasticsearch.client:elasticsearch-rest-client:${version}": ':client:rest', + "org.elasticsearch.client:elasticsearch-rest-client-sniffer:${version}": ':client:sniffer', + "org.elasticsearch.client:elasticsearch-rest-high-level-client:${version}": ':client:rest-high-level', + "org.elasticsearch.client:test:${version}": ':client:test', + "org.elasticsearch.client:transport:${version}": ':client:transport', + 
"org.elasticsearch.test:framework:${version}": ':test:framework', + "org.elasticsearch.distribution.integ-test-zip:elasticsearch:${version}": ':distribution:archives:integ-test-zip', + "org.elasticsearch.distribution.zip:elasticsearch:${version}": ':distribution:archives:zip', + "org.elasticsearch.distribution.zip:elasticsearch-oss:${version}": ':distribution:archives:oss-zip', + "org.elasticsearch.distribution.tar:elasticsearch:${version}": ':distribution:archives:tar', + "org.elasticsearch.distribution.tar:elasticsearch-oss:${version}": ':distribution:archives:oss-tar', + "org.elasticsearch.distribution.rpm:elasticsearch:${version}": ':distribution:packages:rpm', + "org.elasticsearch.distribution.rpm:elasticsearch-oss:${version}": ':distribution:packages:oss-rpm', + "org.elasticsearch.distribution.deb:elasticsearch:${version}": ':distribution:packages:deb', + "org.elasticsearch.distribution.deb:elasticsearch-oss:${version}": ':distribution:packages:oss-deb', + "org.elasticsearch.test:logger-usage:${version}": ':test:logger-usage', + "org.elasticsearch.xpack.test:feature-aware:${version}": ':x-pack:test:feature-aware', + // for transport client + "org.elasticsearch.plugin:transport-netty4-client:${version}": ':modules:transport-netty4', + "org.elasticsearch.plugin:reindex-client:${version}": ':modules:reindex', + "org.elasticsearch.plugin:lang-mustache-client:${version}": ':modules:lang-mustache', + "org.elasticsearch.plugin:parent-join-client:${version}": ':modules:parent-join', + "org.elasticsearch.plugin:aggs-matrix-stats-client:${version}": ':modules:aggs-matrix-stats', + "org.elasticsearch.plugin:percolator-client:${version}": ':modules:percolator', + "org.elasticsearch.plugin:rank-eval-client:${version}": ':modules:rank-eval', ] bwcVersions.snapshotProjectNames.each { snapshotName -> 
@@ -339,18 +339,18 @@ subprojects { } boolean hasShadow = project.plugins.hasPlugin(ShadowPlugin) project.configurations.compile.dependencies - .findAll() - .toSorted(sortClosure) - .each({ c -> depJavadocClosure(hasShadow, c) }) + .findAll() + .toSorted(sortClosure) + .each({ c -> depJavadocClosure(hasShadow, c) }) project.configurations.compileOnly.dependencies - .findAll() - .toSorted(sortClosure) - .each({ c -> depJavadocClosure(hasShadow, c) }) + .findAll() + .toSorted(sortClosure) + .each({ c -> depJavadocClosure(hasShadow, c) }) if (hasShadow) { project.configurations.shadow.dependencies - .findAll() - .toSorted(sortClosure) - .each({ c -> depJavadocClosure(false, c) }) + .findAll() + .toSorted(sortClosure) + .each({ c -> depJavadocClosure(false, c) }) } } } @@ -574,7 +574,7 @@ subprojects { project -> commandLine "${->new File(rootProject.compilerJavaHome, 'bin/jar')}", 'xf', "${-> jarTask.outputs.files.singleFile}", 'META-INF/LICENSE.txt', 'META-INF/NOTICE.txt' workingDir destination - onlyIf { jarTask.enabled } + onlyIf {jarTask.enabled} doFirst { project.delete(destination) Files.createDirectories(destination) @@ -583,7 +583,7 @@ subprojects { project -> final Task checkNotice = project.task("verify${jarTask.name.capitalize()}Notice") { dependsOn extract - onlyIf { jarTask.enabled } + onlyIf {jarTask.enabled} doLast { final List noticeLines = Files.readAllLines(project.noticeFile.toPath()) final Path noticePath = extract.destination.resolve('META-INF/NOTICE.txt') @@ -594,7 +594,7 @@ subprojects { project -> final Task checkLicense = project.task("verify${jarTask.name.capitalize()}License") { dependsOn extract - onlyIf { jarTask.enabled } + onlyIf {jarTask.enabled} doLast { final List licenseLines = Files.readAllLines(project.licenseFile.toPath()) final Path licensePath = extract.destination.resolve('META-INF/LICENSE.txt') diff --git a/x-pack/plugin/build.gradle b/x-pack/plugin/build.gradle index 03b6ee977cdb2..fc70443a5a711 100644 
--- a/x-pack/plugin/build.gradle +++ b/x-pack/plugin/build.gradle @@ -112,6 +112,8 @@ File nodeCert = file("$keystoreDir/testnode.crt") // Add key and certs to test classpath: it expects them there // User cert and key PEM files instead of a JKS Keystore for the cluster's trust material so that // it can run in a FIPS 140 JVM +// TODO: Remove all existing uses of cross project file references when the new approach for referencing static files is available +// https://github.com/elastic/elasticsearch/pull/32201 task copyKeyCerts(type: Copy) { from(project(':x-pack:plugin:core').file('src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/')) { include 'testnode.crt', 'testnode.pem' diff --git a/x-pack/qa/full-cluster-restart/build.gradle b/x-pack/qa/full-cluster-restart/build.gradle index 8a2f5fc6405cf..5a6f0c9cc83de 100644 --- a/x-pack/qa/full-cluster-restart/build.gradle +++ b/x-pack/qa/full-cluster-restart/build.gradle @@ -124,10 +124,10 @@ subprojects { } String output = "${buildDir}/generated-resources/${project.name}" - task copyTestNodeKeystore(type: Copy) { - from project(':x-pack:plugin:core') - .file('src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks') - into outputDir + task copyTestNodeKeystore(type: Copy) { + from project(':x-pack:plugin:core') + .file('src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks') + into outputDir } for (Version version : bwcVersions.indexCompatible) { diff --git a/x-pack/qa/sql/security/ssl/build.gradle b/x-pack/qa/sql/security/ssl/build.gradle index 153fcf869a9f3..657c7b38f08f6 100644 --- a/x-pack/qa/sql/security/ssl/build.gradle +++ b/x-pack/qa/sql/security/ssl/build.gradle 
@@ -278,7 +278,7 @@ class SanEvaluator { InetAddress address = list.get(i); String hostAddress; if (address instanceof Inet6Address) { - hostAddress = compressedIPV6Address((Inet6Address) address); + hostAddress = compressedIPV6Address((Inet6Address)address); } else { hostAddress = address.getHostAddress(); } @@ -349,9 +349,9 @@ class SanEvaluator { private static String hextetsToIPv6String(int[] hextets) { /* * While scanning the array, handle these state transitions: - * start->num => "num" start->gap => "::" - * num->num => ":num" num->gap => "::" - * gap->num => "num" gap->gap => "" + * start->num => "num" start->gap => "::" + * num->num => ":num" num->gap => "::" + * gap->num => "num" gap->gap => "" */ StringBuilder buf = new StringBuilder(39); boolean lastWasNumber = false; From a44d7348073727921c963a7ffb9c0872c687ddb0 Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Tue, 24 Jul 2018 02:38:14 +0300 Subject: [PATCH 10/11] add link to SSL sql cli issue --- x-pack/qa/sql/security/ssl/build.gradle | 1 + 1 file changed, 1 insertion(+) diff --git a/x-pack/qa/sql/security/ssl/build.gradle b/x-pack/qa/sql/security/ssl/build.gradle index 657c7b38f08f6..cfc04f97188a4 100644 --- a/x-pack/qa/sql/security/ssl/build.gradle +++ b/x-pack/qa/sql/security/ssl/build.gradle @@ -212,6 +212,7 @@ Closure notRunningFips = { // Do not attempt to form a cluster in a FIPS JVM, as doing so with a JKS keystore will fail. // TODO Revisit this when SQL CLI client can handle key/certificate instead of only Keystores. +// https://github.com/elastic/elasticsearch/issues/32306 tasks.matching({ it.name == "integTestCluster#init" }).all { onlyIf notRunningFips } tasks.matching({ it.name == "integTestCluster#start" }).all { onlyIf notRunningFips } tasks.matching({ it.name == "integTestCluster#wait" }).all { onlyIf notRunningFips } From b5753bbb88f8d1c760ef2171dcdd152cd006ad96 Mon Sep 17 00:00:00 2001 
From: Ioannis Kakavas
Date: Tue, 24 Jul 2018 10:12:03 +0300
Subject: [PATCH 11/11] Fix key password parameter
---
 x-pack/plugin/build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/x-pack/plugin/build.gradle b/x-pack/plugin/build.gradle
index fc70443a5a711..b9cd464241fa2 100644
--- a/x-pack/plugin/build.gradle
+++ b/x-pack/plugin/build.gradle
@@ -140,7 +140,7 @@ integTestCluster {
 setting 'xpack.security.audit.enabled', 'true'
 setting 'xpack.license.self_generated.type', 'trial'
 keystoreSetting 'bootstrap.password', 'x-pack-test-password'
- keystoreSetting 'xpack.security.transport.ssl.keystore.secure_password', 'testnode'
+ keystoreSetting 'xpack.security.transport.ssl.secure_key_passphrase', 'testnode'
 distribution = 'zip' // this is important since we use the reindex module in ML
 setupCommand 'setupTestUser', 'bin/elasticsearch-users', 'useradd', 'x_pack_rest_user', '-p', 'x-pack-test-password', '-r', 'superuser'
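Review bot: The passphrase literal `'testnode'` on the changed `keystoreSetting` line has nothing tying it to the key it unlocks. A short comment above it, such as `// passphrase of the checked-in test key testnode.pem; test fixture only`, would explain why a secret value sits in the build script. The new setting name `secure_key_passphrase` fits the `testnode.crt` / `testnode.pem` pair that the `copyKeyCerts` task in this file copies. The `integTestCluster` block continues outside the hunk, so it is worth confirming that no `keystore.path` or other keystore-based SSL setting remains in it alongside the key passphrase.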