From 90d0621f9c6ffad7dfe1cfd213121b61f2907a7d Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Sat, 3 Aug 2024 11:55:48 +0300 Subject: [PATCH 1/3] Enforce JKS trustore --- .../org/elasticsearch/common/ssl/KeyStoreUtil.java | 12 ++++++++++-- .../azure/RepositoryAzureClientYamlTestSuiteIT.java | 5 +++++ muted-tests.yml | 2 -- .../java/org/elasticsearch/test/TestTrustStore.java | 4 ++-- 4 files changed, 17 insertions(+), 6 deletions(-) diff --git a/libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/KeyStoreUtil.java b/libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/KeyStoreUtil.java index aebee89297a88..7f5b005e28470 100644 --- a/libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/KeyStoreUtil.java +++ b/libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/KeyStoreUtil.java @@ -106,8 +106,12 @@ public static KeyStore filter(KeyStore store, Predicate filter) { * @param certificates The root certificates to trust */ public static KeyStore buildTrustStore(Iterable certificates) throws GeneralSecurityException { + return buildTrustStore(certificates, KeyStore.getDefaultType()); + } + + public static KeyStore buildTrustStore(Iterable certificates, String type) throws GeneralSecurityException { assert certificates != null : "Cannot create keystore with null certificates"; - KeyStore store = buildNewKeyStore(); + KeyStore store = buildNewKeyStore(type); int counter = 0; for (Certificate certificate : certificates) { store.setCertificateEntry("cert-" + counter, certificate); 
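Review bot: The new public overload `buildTrustStore(certificates, type)` has no Javadoc, and the existing comment block now documents only the one-argument version that delegates to it. `type` is passed unchecked to `buildNewKeyStore(type)` and, in the next hunk, to `KeyStore.getInstance(type)`, so an unsupported name surfaces as a `KeyStoreException` and a null as a `NullPointerException`. I would document this with `@param type the keystore type name handed to KeyStore.getInstance` and `@throws GeneralSecurityException if no provider supports the requested type`, and mirror the existing guard with `assert type != null : "Cannot create keystore with null type";`. The method body continues past the end of this hunk.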
@@ -117,7 +121,11 @@ public static KeyStore buildTrustStore(Iterable certificates) throw } private static KeyStore buildNewKeyStore() throws GeneralSecurityException { - KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType()); + return buildNewKeyStore(KeyStore.getDefaultType()); + } + + private static KeyStore buildNewKeyStore(String type) throws GeneralSecurityException { + KeyStore keyStore = KeyStore.getInstance(type); try { keyStore.load(null, null); } catch (IOException e) { diff --git a/modules/repository-azure/src/yamlRestTest/java/org/elasticsearch/repositories/azure/RepositoryAzureClientYamlTestSuiteIT.java b/modules/repository-azure/src/yamlRestTest/java/org/elasticsearch/repositories/azure/RepositoryAzureClientYamlTestSuiteIT.java index c40a0fb4da4b1..c4942dea09755 100644 --- a/modules/repository-azure/src/yamlRestTest/java/org/elasticsearch/repositories/azure/RepositoryAzureClientYamlTestSuiteIT.java +++ b/modules/repository-azure/src/yamlRestTest/java/org/elasticsearch/repositories/azure/RepositoryAzureClientYamlTestSuiteIT.java @@ -71,6 +71,11 @@ public class RepositoryAzureClientYamlTestSuiteIT extends ESClientYamlSuiteTestC () -> trustStore.getTrustStorePath().toString(), s -> USE_FIXTURE && ESTestCase.inFipsJvm() == false ) + .systemProperty( + "javax.net.ssl.trustStoreType", + () -> "jks", + s -> USE_FIXTURE && ESTestCase.inFipsJvm() == false + ) .build(); @ClassRule(order = 1) diff --git a/muted-tests.yml b/muted-tests.yml index 98a9a52f85a08..4fc4a1b27d1c4 100644 --- a/muted-tests.yml +++ b/muted-tests.yml 
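Review bot: The `"jks"` literal in the new `javax.net.ssl.trustStoreType` property in RepositoryAzureClientYamlTestSuiteIT has to match the type that `TestTrustStore` passes to `KeyStoreUtil.buildTrustStore(certificates, "jks")` later in this patch, but nothing ties the two together. If one side changes, the mismatch may only show up as a TLS failure inside the test cluster, which is hard to trace back to a keystore type. Exposing the type from the rule and reading it here, for example `() -> trustStore.getTrustStoreType()` (a new accessor, the name is only a suggestion), would give a single source of truth. The same literal is repeated in the suites touched by PATCH 3/3. The builder chain starts and ends outside this hunk.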
@@ -116,8 +116,6 @@ tests: issue: https://github.com/elastic/elasticsearch/issues/111396 - class: org.elasticsearch.xpack.searchablesnapshots.AzureSearchableSnapshotsIT issue: https://github.com/elastic/elasticsearch/issues/111279 -- class: org.elasticsearch.repositories.azure.RepositoryAzureClientYamlTestSuiteIT - issue: https://github.com/elastic/elasticsearch/issues/111345 - class: org.elasticsearch.repositories.blobstore.testkit.AzureSnapshotRepoTestKitIT method: testRepositoryAnalysis issue: https://github.com/elastic/elasticsearch/issues/111280 diff --git a/test/framework/src/main/java/org/elasticsearch/test/TestTrustStore.java b/test/framework/src/main/java/org/elasticsearch/test/TestTrustStore.java index e17a309dbc9c8..93a2a4a967592 100644 --- a/test/framework/src/main/java/org/elasticsearch/test/TestTrustStore.java +++ b/test/framework/src/main/java/org/elasticsearch/test/TestTrustStore.java @@ -50,8 +50,8 @@ protected void before() { .stream() .map(i -> (Certificate) i) .toList(); - final var trustStore = KeyStoreUtil.buildTrustStore(certificates); - trustStore.store(jksStream, null); + final var trustStore = KeyStoreUtil.buildTrustStore(certificates, "jks"); + trustStore.store(jksStream, new char[0]); trustStorePath = tmpTrustStorePath; } catch (Exception e) { throw new AssertionError("unexpected", e); From b0c4a9946d3d1de1ba7edd1b494bc3aaab4cdea9 Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Sat, 3 Aug 2024 12:03:26 +0300 Subject: [PATCH 2/3] Spotless --- .../azure/RepositoryAzureClientYamlTestSuiteIT.java | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/modules/repository-azure/src/yamlRestTest/java/org/elasticsearch/repositories/azure/RepositoryAzureClientYamlTestSuiteIT.java b/modules/repository-azure/src/yamlRestTest/java/org/elasticsearch/repositories/azure/RepositoryAzureClientYamlTestSuiteIT.java index c4942dea09755..1e6fdabd3ffea 100644 
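Review bot: In TestTrustStore the switch to `"jks"` and from `null` to `new char[0]` in `trustStore.store(...)` is unexplained in the code, so a later cleanup could easily revert either one. A short comment above the two changed lines would help, along the lines of `// JKS with an empty password: the JKS store() rejects a null password, and the suites point javax.net.ssl.trustStore at this file without setting a password`. The reason for pinning JKS over the default type is not visible in this hunk, so the comment should take it from the linked issue rather than from my guess. An empty password gives the file no meaningful integrity protection, which is acceptable only because the store holds certificate entries for a test fixture. The enclosing `before()` method starts and ends outside the hunk.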
--- a/modules/repository-azure/src/yamlRestTest/java/org/elasticsearch/repositories/azure/RepositoryAzureClientYamlTestSuiteIT.java +++ b/modules/repository-azure/src/yamlRestTest/java/org/elasticsearch/repositories/azure/RepositoryAzureClientYamlTestSuiteIT.java @@ -71,11 +71,7 @@ public class RepositoryAzureClientYamlTestSuiteIT extends ESClientYamlSuiteTestC () -> trustStore.getTrustStorePath().toString(), s -> USE_FIXTURE && ESTestCase.inFipsJvm() == false ) - .systemProperty( - "javax.net.ssl.trustStoreType", - () -> "jks", - s -> USE_FIXTURE && ESTestCase.inFipsJvm() == false - ) + .systemProperty("javax.net.ssl.trustStoreType", () -> "jks", s -> USE_FIXTURE && ESTestCase.inFipsJvm() == false) .build(); @ClassRule(order = 1) From 5f985a5bdca92e8d2662d56988d661e15542e9eb Mon Sep 17 00:00:00 2001 From: David Turner Date: Mon, 5 Aug 2024 09:23:46 +0100 Subject: [PATCH 3/3] Fix up other test suites too --- .../RepositoryAzureClientYamlTestSuiteIT.java | 14 +++++--------- muted-tests.yml | 10 ---------- .../azure/AzureRepositoriesMeteringIT.java | 13 +++++-------- .../AzureSearchableSnapshotsIT.java | 9 +++++---- .../recovery/AzureSnapshotBasedRecoveryIT.java | 13 +++++-------- .../testkit/AzureSnapshotRepoTestKitIT.java | 13 +++++-------- 6 files changed, 25 insertions(+), 47 deletions(-) diff --git a/modules/repository-azure/src/yamlRestTest/java/org/elasticsearch/repositories/azure/RepositoryAzureClientYamlTestSuiteIT.java b/modules/repository-azure/src/yamlRestTest/java/org/elasticsearch/repositories/azure/RepositoryAzureClientYamlTestSuiteIT.java index 1e6fdabd3ffea..a152e1fdf5ecc 100644 --- a/modules/repository-azure/src/yamlRestTest/java/org/elasticsearch/repositories/azure/RepositoryAzureClientYamlTestSuiteIT.java +++ b/modules/repository-azure/src/yamlRestTest/java/org/elasticsearch/repositories/azure/RepositoryAzureClientYamlTestSuiteIT.java 
@@ -26,15 +26,15 @@ public class RepositoryAzureClientYamlTestSuiteIT extends ESClientYamlSuiteTestCase { private static final boolean USE_FIXTURE = Booleans.parseBoolean(System.getProperty("test.azure.fixture", "true")); + private static final boolean USE_HTTPS_FIXTURE = USE_FIXTURE && ESTestCase.inFipsJvm() == false; + private static final String AZURE_TEST_ACCOUNT = System.getProperty("test.azure.account"); private static final String AZURE_TEST_CONTAINER = System.getProperty("test.azure.container"); private static final String AZURE_TEST_KEY = System.getProperty("test.azure.key"); private static final String AZURE_TEST_SASTOKEN = System.getProperty("test.azure.sas_token"); private static AzureHttpFixture fixture = new AzureHttpFixture( - USE_FIXTURE - ? ESTestCase.inFipsJvm() ? AzureHttpFixture.Protocol.HTTP : AzureHttpFixture.Protocol.HTTPS - : AzureHttpFixture.Protocol.NONE, + USE_HTTPS_FIXTURE ? AzureHttpFixture.Protocol.HTTPS : USE_FIXTURE ? AzureHttpFixture.Protocol.HTTP : AzureHttpFixture.Protocol.NONE, AZURE_TEST_ACCOUNT, AZURE_TEST_CONTAINER, Strings.hasText(AZURE_TEST_KEY) || Strings.hasText(AZURE_TEST_SASTOKEN) @@ -66,12 +66,8 @@ public class RepositoryAzureClientYamlTestSuiteIT extends ESClientYamlSuiteTestC ) .systemProperty("AZURE_POD_IDENTITY_AUTHORITY_HOST", () -> fixture.getMetadataAddress(), s -> USE_FIXTURE) .setting("thread_pool.repository_azure.max", () -> String.valueOf(randomIntBetween(1, 10)), s -> USE_FIXTURE) - .systemProperty( - "javax.net.ssl.trustStore", - () -> trustStore.getTrustStorePath().toString(), - s -> USE_FIXTURE && ESTestCase.inFipsJvm() == false - ) - .systemProperty("javax.net.ssl.trustStoreType", () -> "jks", s -> USE_FIXTURE && ESTestCase.inFipsJvm() == false) + .systemProperty("javax.net.ssl.trustStore", () -> trustStore.getTrustStorePath().toString(), s -> USE_HTTPS_FIXTURE) + .systemProperty("javax.net.ssl.trustStoreType", () -> "jks", s -> USE_HTTPS_FIXTURE) .build(); @ClassRule(order = 1) 
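Review bot: `USE_HTTPS_FIXTURE` is introduced without a comment saying why HTTPS is turned off in a FIPS JVM, and that reason is what a reader needs in order to judge whether the plain-HTTP fallback is still required. I would add something like `// HTTPS relies on the JKS test trust store, so FIPS JVMs fall back to plain HTTP` above the field, after confirming that this is the actual reason, since the hunk does not show it. The chained conditional `USE_HTTPS_FIXTURE ? ... : USE_FIXTURE ? ... : ...` and the two `systemProperty` lines are repeated in AzureRepositoriesMeteringIT, AzureSearchableSnapshotsIT, AzureSnapshotBasedRecoveryIT and AzureSnapshotRepoTestKitIT, so a shared helper in the test framework would keep the protocol choice and the trust-store properties from drifting apart. Both the field block and the cluster builder chain extend beyond these hunks.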
diff --git a/muted-tests.yml b/muted-tests.yml index 4fc4a1b27d1c4..96fc68cdc3b8a 100644 --- a/muted-tests.yml +++ b/muted-tests.yml @@ -114,19 +114,9 @@ tests: - class: org.elasticsearch.xpack.security.authc.oidc.OpenIdConnectAuthIT method: testAuthenticateWithCodeFlowAndClientPost issue: https://github.com/elastic/elasticsearch/issues/111396 -- class: org.elasticsearch.xpack.searchablesnapshots.AzureSearchableSnapshotsIT - issue: https://github.com/elastic/elasticsearch/issues/111279 -- class: org.elasticsearch.repositories.blobstore.testkit.AzureSnapshotRepoTestKitIT - method: testRepositoryAnalysis - issue: https://github.com/elastic/elasticsearch/issues/111280 -- class: org.elasticsearch.xpack.repositories.metering.azure.AzureRepositoriesMeteringIT - issue: https://github.com/elastic/elasticsearch/issues/111307 - class: org.elasticsearch.xpack.restart.FullClusterRestartIT method: testSingleDoc {cluster=UPGRADED} issue: https://github.com/elastic/elasticsearch/issues/111434 -- class: org.elasticsearch.xpack.snapshotbasedrecoveries.recovery.AzureSnapshotBasedRecoveryIT - method: testRecoveryUsingSnapshots - issue: https://github.com/elastic/elasticsearch/issues/111377 - class: org.elasticsearch.xpack.restart.FullClusterRestartIT method: testDataStreams {cluster=UPGRADED} issue: https://github.com/elastic/elasticsearch/issues/111448 diff --git a/x-pack/plugin/repositories-metering-api/qa/azure/src/javaRestTest/java/org/elasticsearch/xpack/repositories/metering/azure/AzureRepositoriesMeteringIT.java b/x-pack/plugin/repositories-metering-api/qa/azure/src/javaRestTest/java/org/elasticsearch/xpack/repositories/metering/azure/AzureRepositoriesMeteringIT.java index 3a66854191088..d38060640b47d 100644 --- a/x-pack/plugin/repositories-metering-api/qa/azure/src/javaRestTest/java/org/elasticsearch/xpack/repositories/metering/azure/AzureRepositoriesMeteringIT.java 
+++ b/x-pack/plugin/repositories-metering-api/qa/azure/src/javaRestTest/java/org/elasticsearch/xpack/repositories/metering/azure/AzureRepositoriesMeteringIT.java @@ -23,15 +23,15 @@ public class AzureRepositoriesMeteringIT extends AbstractRepositoriesMeteringAPIRestTestCase { private static final boolean USE_FIXTURE = Booleans.parseBoolean(System.getProperty("test.azure.fixture", "true")); + private static final boolean USE_HTTPS_FIXTURE = USE_FIXTURE && ESTestCase.inFipsJvm() == false; + private static final String AZURE_TEST_ACCOUNT = System.getProperty("test.azure.account"); private static final String AZURE_TEST_CONTAINER = System.getProperty("test.azure.container"); private static final String AZURE_TEST_KEY = System.getProperty("test.azure.key"); private static final String AZURE_TEST_SASTOKEN = System.getProperty("test.azure.sas_token"); private static AzureHttpFixture fixture = new AzureHttpFixture( - USE_FIXTURE - ? ESTestCase.inFipsJvm() ? AzureHttpFixture.Protocol.HTTP : AzureHttpFixture.Protocol.HTTPS - : AzureHttpFixture.Protocol.NONE, + USE_HTTPS_FIXTURE ? AzureHttpFixture.Protocol.HTTPS : USE_FIXTURE ? AzureHttpFixture.Protocol.HTTP : AzureHttpFixture.Protocol.NONE, AZURE_TEST_ACCOUNT, AZURE_TEST_CONTAINER, AzureHttpFixture.sharedKeyForAccountPredicate(AZURE_TEST_ACCOUNT) @@ -60,11 +60,8 @@ public class AzureRepositoriesMeteringIT extends AbstractRepositoriesMeteringAPI () -> "ignored;DefaultEndpointsProtocol=https;BlobEndpoint=" + fixture.getAddress(), s -> USE_FIXTURE ) - .systemProperty( - "javax.net.ssl.trustStore", - () -> trustStore.getTrustStorePath().toString(), - s -> USE_FIXTURE && ESTestCase.inFipsJvm() == false - ) + .systemProperty("javax.net.ssl.trustStore", () -> trustStore.getTrustStorePath().toString(), s -> USE_HTTPS_FIXTURE) + .systemProperty("javax.net.ssl.trustStoreType", () -> "jks", s -> USE_HTTPS_FIXTURE) .build(); @ClassRule(order = 1) 
diff --git a/x-pack/plugin/searchable-snapshots/qa/azure/src/javaRestTest/java/org/elasticsearch/xpack/searchablesnapshots/AzureSearchableSnapshotsIT.java b/x-pack/plugin/searchable-snapshots/qa/azure/src/javaRestTest/java/org/elasticsearch/xpack/searchablesnapshots/AzureSearchableSnapshotsIT.java index d2cdef121fe40..68306cde1c65b 100644 --- a/x-pack/plugin/searchable-snapshots/qa/azure/src/javaRestTest/java/org/elasticsearch/xpack/searchablesnapshots/AzureSearchableSnapshotsIT.java +++ b/x-pack/plugin/searchable-snapshots/qa/azure/src/javaRestTest/java/org/elasticsearch/xpack/searchablesnapshots/AzureSearchableSnapshotsIT.java @@ -24,15 +24,15 @@ public class AzureSearchableSnapshotsIT extends AbstractSearchableSnapshotsRestTestCase { private static final boolean USE_FIXTURE = Booleans.parseBoolean(System.getProperty("test.azure.fixture", "true")); + private static final boolean USE_HTTPS_FIXTURE = USE_FIXTURE && ESTestCase.inFipsJvm() == false; + private static final String AZURE_TEST_ACCOUNT = System.getProperty("test.azure.account"); private static final String AZURE_TEST_CONTAINER = System.getProperty("test.azure.container"); private static final String AZURE_TEST_KEY = System.getProperty("test.azure.key"); private static final String AZURE_TEST_SASTOKEN = System.getProperty("test.azure.sas_token"); private static AzureHttpFixture fixture = new AzureHttpFixture( - USE_FIXTURE - ? ESTestCase.inFipsJvm() ? AzureHttpFixture.Protocol.HTTP : AzureHttpFixture.Protocol.HTTPS - : AzureHttpFixture.Protocol.NONE, + USE_HTTPS_FIXTURE ? AzureHttpFixture.Protocol.HTTPS : USE_FIXTURE ? AzureHttpFixture.Protocol.HTTP : AzureHttpFixture.Protocol.NONE, AZURE_TEST_ACCOUNT, AZURE_TEST_CONTAINER, AzureHttpFixture.sharedKeyForAccountPredicate(AZURE_TEST_ACCOUNT) 
@@ -66,7 +66,8 @@ public class AzureSearchableSnapshotsIT extends AbstractSearchableSnapshotsRestT .setting("xpack.searchable.snapshot.shared_cache.size", "16MB") .setting("xpack.searchable.snapshot.shared_cache.region_size", "256KB") .setting("xpack.searchable_snapshots.cache_fetch_async_thread_pool.keep_alive", "0ms") - .systemProperty("javax.net.ssl.trustStore", () -> trustStore.getTrustStorePath().toString(), s -> USE_FIXTURE) + .systemProperty("javax.net.ssl.trustStore", () -> trustStore.getTrustStorePath().toString(), s -> USE_HTTPS_FIXTURE) + .systemProperty("javax.net.ssl.trustStoreType", () -> "jks", s -> USE_HTTPS_FIXTURE) .build(); @ClassRule(order = 1) diff --git a/x-pack/plugin/snapshot-based-recoveries/qa/azure/src/javaRestTest/java/org/elasticsearch/xpack/snapshotbasedrecoveries/recovery/AzureSnapshotBasedRecoveryIT.java b/x-pack/plugin/snapshot-based-recoveries/qa/azure/src/javaRestTest/java/org/elasticsearch/xpack/snapshotbasedrecoveries/recovery/AzureSnapshotBasedRecoveryIT.java index bac69158a860c..feec69a0056b3 100644 --- a/x-pack/plugin/snapshot-based-recoveries/qa/azure/src/javaRestTest/java/org/elasticsearch/xpack/snapshotbasedrecoveries/recovery/AzureSnapshotBasedRecoveryIT.java +++ b/x-pack/plugin/snapshot-based-recoveries/qa/azure/src/javaRestTest/java/org/elasticsearch/xpack/snapshotbasedrecoveries/recovery/AzureSnapshotBasedRecoveryIT.java 
@@ -23,15 +23,15 @@ public class AzureSnapshotBasedRecoveryIT extends AbstractSnapshotBasedRecoveryRestTestCase { private static final boolean USE_FIXTURE = Booleans.parseBoolean(System.getProperty("test.azure.fixture", "true")); + private static final boolean USE_HTTPS_FIXTURE = USE_FIXTURE && ESTestCase.inFipsJvm() == false; + private static final String AZURE_TEST_ACCOUNT = System.getProperty("test.azure.account"); private static final String AZURE_TEST_CONTAINER = System.getProperty("test.azure.container"); private static final String AZURE_TEST_KEY = System.getProperty("test.azure.key"); private static final String AZURE_TEST_SASTOKEN = System.getProperty("test.azure.sas_token"); private static AzureHttpFixture fixture = new AzureHttpFixture( - USE_FIXTURE - ? ESTestCase.inFipsJvm() ? AzureHttpFixture.Protocol.HTTP : AzureHttpFixture.Protocol.HTTPS - : AzureHttpFixture.Protocol.NONE, + USE_HTTPS_FIXTURE ? AzureHttpFixture.Protocol.HTTPS : USE_FIXTURE ? AzureHttpFixture.Protocol.HTTP : AzureHttpFixture.Protocol.NONE, AZURE_TEST_ACCOUNT, AZURE_TEST_CONTAINER, AzureHttpFixture.sharedKeyForAccountPredicate(AZURE_TEST_ACCOUNT) @@ -62,11 +62,8 @@ public class AzureSnapshotBasedRecoveryIT extends AbstractSnapshotBasedRecoveryR s -> USE_FIXTURE ) .setting("xpack.license.self_generated.type", "trial") - .systemProperty( - "javax.net.ssl.trustStore", - () -> trustStore.getTrustStorePath().toString(), - s -> USE_FIXTURE && ESTestCase.inFipsJvm() == false - ) + .systemProperty("javax.net.ssl.trustStore", () -> trustStore.getTrustStorePath().toString(), s -> USE_HTTPS_FIXTURE) + .systemProperty("javax.net.ssl.trustStoreType", () -> "jks", s -> USE_HTTPS_FIXTURE) .build(); @ClassRule(order = 1) 
diff --git a/x-pack/plugin/snapshot-repo-test-kit/qa/azure/src/javaRestTest/java/org/elasticsearch/repositories/blobstore/testkit/AzureSnapshotRepoTestKitIT.java b/x-pack/plugin/snapshot-repo-test-kit/qa/azure/src/javaRestTest/java/org/elasticsearch/repositories/blobstore/testkit/AzureSnapshotRepoTestKitIT.java index 2f72be9de0e07..959acd2aec213 100644 --- a/x-pack/plugin/snapshot-repo-test-kit/qa/azure/src/javaRestTest/java/org/elasticsearch/repositories/blobstore/testkit/AzureSnapshotRepoTestKitIT.java +++ b/x-pack/plugin/snapshot-repo-test-kit/qa/azure/src/javaRestTest/java/org/elasticsearch/repositories/blobstore/testkit/AzureSnapshotRepoTestKitIT.java @@ -23,15 +23,15 @@ public class AzureSnapshotRepoTestKitIT extends AbstractSnapshotRepoTestKitRestTestCase { private static final boolean USE_FIXTURE = Booleans.parseBoolean(System.getProperty("test.azure.fixture", "true")); + private static final boolean USE_HTTPS_FIXTURE = USE_FIXTURE && ESTestCase.inFipsJvm() == false; + private static final String AZURE_TEST_ACCOUNT = System.getProperty("test.azure.account"); private static final String AZURE_TEST_CONTAINER = System.getProperty("test.azure.container"); private static final String AZURE_TEST_KEY = System.getProperty("test.azure.key"); private static final String AZURE_TEST_SASTOKEN = System.getProperty("test.azure.sas_token"); private static AzureHttpFixture fixture = new AzureHttpFixture( - USE_FIXTURE - ? ESTestCase.inFipsJvm() ? AzureHttpFixture.Protocol.HTTP : AzureHttpFixture.Protocol.HTTPS - : AzureHttpFixture.Protocol.NONE, + USE_HTTPS_FIXTURE ? AzureHttpFixture.Protocol.HTTPS : USE_FIXTURE ? AzureHttpFixture.Protocol.HTTP : AzureHttpFixture.Protocol.NONE, AZURE_TEST_ACCOUNT, AZURE_TEST_CONTAINER, Strings.hasText(AZURE_TEST_KEY) || Strings.hasText(AZURE_TEST_SASTOKEN) 
@@ -69,11 +69,8 @@ public class AzureSnapshotRepoTestKitIT extends AbstractSnapshotRepoTestKitRestT } }) .systemProperty("AZURE_POD_IDENTITY_AUTHORITY_HOST", () -> fixture.getMetadataAddress(), s -> USE_FIXTURE) - .systemProperty( - "javax.net.ssl.trustStore", - () -> trustStore.getTrustStorePath().toString(), - s -> USE_FIXTURE && ESTestCase.inFipsJvm() == false - ) + .systemProperty("javax.net.ssl.trustStore", () -> trustStore.getTrustStorePath().toString(), s -> USE_HTTPS_FIXTURE) + .systemProperty("javax.net.ssl.trustStoreType", () -> "jks", s -> USE_HTTPS_FIXTURE) .build(); @ClassRule(order = 1)