From 3777c70df8a475fd6fd04ad5720b485dedfa668e Mon Sep 17 00:00:00 2001
From: Ioannis Kakavas
Date: Tue, 26 May 2020 09:44:55 +0300
Subject: [PATCH] Adjust reload keystore test to pass in FIPS (#57050)
In KeystoreWrapper class we determine if the error to decrypt a given keystore is caused by a wrong password based on the exception that the SunJCE implementation of AES is throwing (AEADBadTagException). Other implementations from other Security Providers might cause decryption to fail in a different way and cause us to throw a generic error message. We handle this in this test by matching both possible exception messages.
Relates: #56889
---
 ...reSettingsWithPasswordProtectedKeystoreRestIT.java | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/x-pack/qa/password-protected-keystore/src/test/java/org/elasticsearch/password_protected_keystore/ReloadSecureSettingsWithPasswordProtectedKeystoreRestIT.java b/x-pack/qa/password-protected-keystore/src/test/java/org/elasticsearch/password_protected_keystore/ReloadSecureSettingsWithPasswordProtectedKeystoreRestIT.java
index a145ecbe6d5f5..f8e0db7e12d34 100644
--- a/x-pack/qa/password-protected-keystore/src/test/java/org/elasticsearch/password_protected_keystore/ReloadSecureSettingsWithPasswordProtectedKeystoreRestIT.java
+++ b/x-pack/qa/password-protected-keystore/src/test/java/org/elasticsearch/password_protected_keystore/ReloadSecureSettingsWithPasswordProtectedKeystoreRestIT.java
@@ -14,6 +14,7 @@ import org.elasticsearch.test.rest.ESRestTestCase;
 import static org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
+import static org.hamcrest.Matchers.anyOf;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.instanceOf;
 import static org.hamcrest.Matchers.nullValue;
@@ -43,7 +44,7 @@ public void testReloadSecureSettingsWithCorrectPassword() throws Exception {
 }
 @SuppressWarnings("unchecked")
- public void testReloadSecureSettingsWithInCorrectPassword() throws Exception {
+ public void testReloadSecureSettingsWithIncorrectPassword() throws Exception {
 final Request request = new Request("POST", "_nodes/reload_secure_settings");
 request.setJsonEntity("{\"secure_settings_password\":\"" + KEYSTORE_PASSWORD + randomAlphaOfLength(7) + "\"}");
 final Response response = client().performRequest(request);
@@ -56,7 +57,9 @@ public void testReloadSecureSettingsWithInCorrectPassword() throws Exception {
 assertThat(entry.getValue(), instanceOf(Map.class));
 final Map node = (Map) entry.getValue();
 assertThat(node.get("reload_exception"), instanceOf(Map.class));
- assertThat(ObjectPath.eval("reload_exception.reason", node), equalTo("Provided keystore password was incorrect"));
+ assertThat(ObjectPath.eval("reload_exception.reason", node), anyOf(
+ equalTo("Provided keystore password was incorrect"),
+ equalTo("Keystore has been corrupted or tampered with")));
 assertThat(ObjectPath.eval("reload_exception.type", node), equalTo("security_exception"));
 }
 }
@@ -74,7 +77,9 @@ public void testReloadSecureSettingsWithEmptyPassword() throws Exception {
 assertThat(entry.getValue(), instanceOf(Map.class));
 final Map node = (Map) entry.getValue();
 assertThat(node.get("reload_exception"), instanceOf(Map.class));
- assertThat(ObjectPath.eval("reload_exception.reason", node), equalTo("Provided keystore password was incorrect"));
+ assertThat(ObjectPath.eval("reload_exception.reason", node), anyOf(
+ equalTo("Provided keystore password was incorrect"),
+ equalTo("Keystore has been corrupted or tampered with")));
 assertThat(ObjectPath.eval("reload_exception.type", node), equalTo("security_exception"));
 }
 }
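Review bot: The relaxed `anyOf(...)` assertion in testReloadSecureSettingsWithIncorrectPassword (hunk `@@ -56,7 +57,9 @@`) accepts "Keystore has been corrupted or tampered with" on every JVM, not only under FIPS. On the default SunJCE provider the test would therefore still pass if a wrong password stopped being reported as "Provided keystore password was incorrect". The identical assertion in testReloadSecureSettingsWithEmptyPassword (hunk `@@ -74,7 +77,9 @@`) has the same gap. Consider keeping the strict match outside FIPS, for example `inFipsJvm() ? anyOf(equalTo(WRONG_PASSWORD), equalTo(GENERIC)) : equalTo(WRONG_PASSWORD)` with the two message strings pulled into constants, assuming the test base class exposes that helper here. Because the matcher is duplicated, a small private helper would keep both tests in step, carrying a comment such as `// Providers other than SunJCE may not throw AEADBadTagException on a wrong password, so the generic reason is accepted`. Both method bodies start outside their hunks.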