From 9b9bff6df662127c07579a61f973c52c79488548 Mon Sep 17 00:00:00 2001 From: Tim Vernum Date: Sat, 13 Feb 2021 00:22:03 +1100 Subject: [PATCH 1/2] Add a smoke test for security realms This changes adds a new QA test that runs a smoke test on a node that has been configured with one realm of each type. Not all of the realms work, because some of them would depend on external fixtures (LDAP, SAML, etc) and this particularly test suite is intended to be as stable as possible and have no external dependencies. The primary purpose of this test is to catch any issues that prevent a node from starting with particular realms configurd (e.g. security manager or classpath issues). We don't depend on external fixtures becaused we want this to be a smoke test that clearly indicates when a (seemingly unrelated) change in Elasticsearch has unintended consequences on realms. The use of external dependencies would increase the number of things that could go wrong and move this from a smoke test to a potentially noisy integration test. Backport of: #68881 --- .../test/rest/ESRestTestCase.java | 50 ++++-- .../xpack/core/ssl/CertParsingUtils.java | 2 +- .../qa/smoke-test-all-realms/build.gradle | 85 ++++++++++ .../xpack/security/authc/FileRealmAuthIT.java | 38 +++++ .../security/authc/NativeRealmAuthIT.java | 52 ++++++ .../xpack/security/authc/PkiRealmAuthIT.java | 44 +++++ .../xpack/security/authc/RealmInfoIT.java | 36 +++++ .../security/authc/ReservedRealmAuthIT.java | 44 +++++ .../authc/SecurityRealmSmokeTestCase.java | 150 ++++++++++++++++++ .../javaRestTest/resources/kerberos.keytab | 0 .../javaRestTest/resources/oidc-jwkset.json | 35 ++++ .../src/javaRestTest/resources/roles.yml | 8 + .../javaRestTest/resources/saml-metadata.xml | 28 ++++ .../resources/ssl/README.asciidoc | 63 ++++++++ .../resources/ssl/http-client-ca.crt | 20 +++ .../resources/ssl/http-client-ca.key | 30 ++++ .../resources/ssl/http-server-ca.crt | 20 +++ .../resources/ssl/http-server-ca.key | 30 ++++ .../resources/ssl/http-server-ca.p12 | Bin 0 -> 1130 bytes .../resources/ssl/http-server.crt | 22 +++ .../resources/ssl/http-server.key | 30 ++++ .../javaRestTest/resources/ssl/pki-auth.crt | 19 +++ .../javaRestTest/resources/ssl/pki-auth.key | 30 ++++ 23 files changed, 822 insertions(+), 14 deletions(-) create mode 100644 x-pack/plugin/security/qa/smoke-test-all-realms/build.gradle create mode 100644 x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/FileRealmAuthIT.java create mode 100644 x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/NativeRealmAuthIT.java create mode 100644 x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/PkiRealmAuthIT.java create mode 100644 x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/RealmInfoIT.java create mode 100644 x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/ReservedRealmAuthIT.java create mode 100644 x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/SecurityRealmSmokeTestCase.java create mode 100644 x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/kerberos.keytab create mode 100644 x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/oidc-jwkset.json create mode 100644 x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/roles.yml create mode 100644 x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/saml-metadata.xml create mode 100644 x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/README.asciidoc create mode 100644 x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/http-client-ca.crt create mode 100644 x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/http-client-ca.key create mode 100644 x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/http-server-ca.crt create mode 100644 x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/http-server-ca.key create mode 100644 x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/http-server-ca.p12 create mode 100644 x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/http-server.crt create mode 100644 x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/http-server.key create mode 100644 x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/pki-auth.crt create mode 100644 x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/pki-auth.key diff --git a/test/framework/src/main/java/org/elasticsearch/test/rest/ESRestTestCase.java b/test/framework/src/main/java/org/elasticsearch/test/rest/ESRestTestCase.java index 74f4eb50d4c38..4824ec6488655 100644 --- a/test/framework/src/main/java/org/elasticsearch/test/rest/ESRestTestCase.java +++ b/test/framework/src/main/java/org/elasticsearch/test/rest/ESRestTestCase.java @@ -16,6 +16,7 @@ import org.apache.http.client.methods.HttpPut; import org.apache.http.message.BasicHeader; import org.apache.http.nio.conn.ssl.SSLIOSessionStrategy; +import org.apache.http.ssl.SSLContextBuilder; import org.apache.http.ssl.SSLContexts; import org.apache.http.util.EntityUtils; import org.apache.logging.log4j.message.ParameterizedMessage; @@ -68,10 +69,12 @@ import java.nio.charset.StandardCharsets; import java.nio.file.Files; import java.nio.file.Path; +import java.security.GeneralSecurityException; import java.security.KeyManagementException; import java.security.KeyStore; import java.security.KeyStoreException; import java.security.NoSuchAlgorithmException; +import java.security.PrivateKey; import java.security.cert.Certificate; import java.security.cert.CertificateException; import java.util.ArrayList; @@ -81,6 +84,7 @@ import java.util.HashSet; import java.util.List; import java.util.Map; +import java.util.Objects; import java.util.Set; import java.util.TreeSet; import java.util.concurrent.TimeUnit; @@ -106,7 +110,13 @@ public abstract class ESRestTestCase extends ESTestCase { public static final String TRUSTSTORE_PATH = "truststore.path"; public static final String TRUSTSTORE_PASSWORD = "truststore.password"; + public static final String CERTIFICATE_AUTHORITIES = "certificate_authorities"; + + public static final String CLIENT_CERT_PATH = "client.cert.path"; + public static final String CLIENT_KEY_PATH = "client.key.path"; + public static final String CLIENT_KEY_PASSWORD = "client.key.password"; + public static final String CLIENT_SOCKET_TIMEOUT = "client.socket.timeout"; public static final String CLIENT_PATH_PREFIX = "client.path.prefix"; @@ -1013,29 +1023,30 @@ protected RestClient buildClient(Settings settings, HttpHost[] hosts) throws IOE } protected static void configureClient(RestClientBuilder builder, Settings settings) throws IOException { + String truststorePath = settings.get(TRUSTSTORE_PATH); String certificateAuthorities = settings.get(CERTIFICATE_AUTHORITIES); - String keystorePath = settings.get(TRUSTSTORE_PATH); + String clientCertificatePath = settings.get(CLIENT_CERT_PATH); - if (certificateAuthorities != null && keystorePath != null) { + if (certificateAuthorities != null && truststorePath != null) { throw new IllegalStateException("Cannot set both " + CERTIFICATE_AUTHORITIES + " and " + TRUSTSTORE_PATH + ". Please configure one of these."); } - if (keystorePath != null) { + if (truststorePath != null) { if (inFipsJvm()) { - throw new IllegalStateException("Keystore " + keystorePath + "cannot be used in FIPS 140 mode. Please configure " + throw new IllegalStateException("Keystore " + truststorePath + "cannot be used in FIPS 140 mode. Please configure " + CERTIFICATE_AUTHORITIES + " with a PEM encoded trusted CA/certificate instead"); } final String keystorePass = settings.get(TRUSTSTORE_PASSWORD); if (keystorePass == null) { throw new IllegalStateException(TRUSTSTORE_PATH + " is provided but not " + TRUSTSTORE_PASSWORD); } - Path path = PathUtils.get(keystorePath); - if (!Files.exists(path)) { + Path path = PathUtils.get(truststorePath); + if (Files.exists(path) == false) { throw new IllegalStateException(TRUSTSTORE_PATH + " is set but points to a non-existing file"); } try { - final String keyStoreType = keystorePath.endsWith(".p12") ? "PKCS12" : "jks"; + final String keyStoreType = truststorePath.endsWith(".p12") ? "PKCS12" : "jks"; KeyStore keyStore = KeyStore.getInstance(keyStoreType); try (InputStream is = Files.newInputStream(path)) { keyStore.load(is, keystorePass.toCharArray()); @@ -1048,21 +1059,34 @@ protected static void configureClient(RestClientBuilder builder, Settings settin } } if (certificateAuthorities != null) { - Path path = PathUtils.get(certificateAuthorities); - if (!Files.exists(path)) { + Path caPath = PathUtils.get(certificateAuthorities); + if (Files.exists(caPath) == false) { throw new IllegalStateException(CERTIFICATE_AUTHORITIES + " is set but points to a non-existing file"); } try { KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType()); keyStore.load(null, null); - Certificate cert = PemUtils.readCertificates(Collections.singletonList(path)).get(0); - keyStore.setCertificateEntry(cert.toString(), cert); - SSLContext sslcontext = SSLContexts.custom().loadTrustMaterial(keyStore, null).build(); + Certificate caCert = PemUtils.readCertificates(Collections.singletonList(caPath)).get(0); + keyStore.setCertificateEntry(caCert.toString(), caCert); + final SSLContextBuilder sslContextBuilder = SSLContexts.custom(); + if (clientCertificatePath != null) { + final Path certPath = PathUtils.get(clientCertificatePath); + final Path keyPath = PathUtils.get(Objects.requireNonNull(settings.get(CLIENT_KEY_PATH), "No key provided")); + final String password = settings.get(CLIENT_KEY_PASSWORD); + final char[] passwordChars = password == null ? null : password.toCharArray(); + final PrivateKey key = PemUtils.readPrivateKey(keyPath, () -> passwordChars); + final Certificate[] clientCertChain = PemUtils.readCertificates(Collections.singletonList(certPath)).toArray(new Certificate[1]); + keyStore.setKeyEntry("client", key, passwordChars, clientCertChain); + sslContextBuilder.loadKeyMaterial(keyStore, passwordChars); + } + SSLContext sslcontext = sslContextBuilder.loadTrustMaterial(keyStore, null).build(); SSLIOSessionStrategy sessionStrategy = new SSLIOSessionStrategy(sslcontext); builder.setHttpClientConfigCallback(httpClientBuilder -> httpClientBuilder.setSSLStrategy(sessionStrategy)); - } catch (KeyStoreException | NoSuchAlgorithmException | KeyManagementException | CertificateException e) { + } catch (GeneralSecurityException e) { throw new RuntimeException("Error setting up ssl", e); } + } else if (clientCertificatePath != null) { + throw new IllegalStateException("Client certificates are currently only supported when using a custom CA"); } Map headers = ThreadContext.buildDefaultHeaders(settings); Header[] defaultHeaders = new Header[headers.size()]; diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/CertParsingUtils.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/CertParsingUtils.java index 93244dd70e5b8..3aaa4ac143f5c 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/CertParsingUtils.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/CertParsingUtils.java @@ -258,7 +258,7 @@ public static X509ExtendedTrustManager trustManager(Certificate[] certificates) return trustManager(store, TrustManagerFactory.getDefaultAlgorithm()); } - static KeyStore trustStore(Certificate[] certificates) + public static KeyStore trustStore(Certificate[] certificates) throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException { assert certificates != null : "Cannot create trust store with null certificates"; KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType()); diff --git a/x-pack/plugin/security/qa/smoke-test-all-realms/build.gradle b/x-pack/plugin/security/qa/smoke-test-all-realms/build.gradle new file mode 100644 index 0000000000000..d7aff4e58432c --- /dev/null +++ b/x-pack/plugin/security/qa/smoke-test-all-realms/build.gradle @@ -0,0 +1,85 @@ +/* + * This QA test is intended to smoke test all security realms with minimal dependencies. + * That is, it makes sure a node that has every realm configured can start, and tests those realms that can be tested without needing external services. + * This tradeoff is intentional because we want this set of tests to be very stable - failures in this QA suite should be an indicator that + * something is broken in Elasticsearch (and not that an external docker fixture broke) + * This test is also intended to work correctly on FIPS mode because we also want to know if a realm breaks on FIPS. + */ + +apply plugin: 'elasticsearch.java-rest-test' + +dependencies { + javaRestTestImplementation project(path: xpackModule('core')) + javaRestTestImplementation project(path: xpackModule('security'), configuration: 'testArtifacts') + javaRestTestImplementation project(path: xpackModule('core'), configuration: 'testArtifacts') +} + +testClusters.javaRestTest { + testDistribution = 'DEFAULT' + numberOfNodes = 2 + + extraConfigFile 'http-server.key', file('src/javaRestTest/resources/ssl/http-server.key') + extraConfigFile 'http-server.crt', file('src/javaRestTest/resources/ssl/http-server.crt') + extraConfigFile 'http-client-ca.crt', file('src/javaRestTest/resources/ssl/http-client-ca.crt') + extraConfigFile 'saml-metadata.xml', file('src/javaRestTest/resources/saml-metadata.xml') + extraConfigFile 'kerberos.keytab', file('src/javaRestTest/resources/kerberos.keytab') + extraConfigFile 'oidc-jwkset.json', file('src/javaRestTest/resources/oidc-jwkset.json') + + setting 'xpack.ml.enabled', 'false' + setting 'xpack.security.enabled', 'true' + setting 'xpack.security.authc.token.enabled', 'true' + setting 'xpack.security.authc.api_key.enabled', 'true' + + // Need a trial license (not basic) to enable all realms + setting 'xpack.license.self_generated.type', 'trial' + // Need SSL to enable PKI realms + setting 'xpack.security.http.ssl.enabled', 'true' + setting 'xpack.security.http.ssl.certificate', 'http-server.crt' + setting 'xpack.security.http.ssl.key', 'http-server.key' + setting 'xpack.security.http.ssl.key_passphrase', 'http-password' + setting 'xpack.security.http.ssl.client_authentication', 'optional' + setting 'xpack.security.http.ssl.certificate_authorities', 'http-client-ca.crt' + + // Don't need transport SSL, so leave it out + setting 'xpack.security.transport.ssl.enabled', 'false' + + // Configure every realm type + // - File + setting 'xpack.security.authc.realms.file.file0.order', '0' + // - Native + setting 'xpack.security.authc.realms.native.native1.order', '1' + // - LDAP (configured but won't work because we don't want external fixtures in this test suite) + setting 'xpack.security.authc.realms.ldap.ldap2.order', '2' + setting 'xpack.security.authc.realms.ldap.ldap2.url', 'ldap://localhost:7777' + setting 'xpack.security.authc.realms.ldap.ldap2.user_search.base_dn', 'OU=users,DC=example,DC=com' + // - AD (configured but won't work because we don't want external fixtures in this test suite) + setting 'xpack.security.authc.realms.active_directory.ad3.order', '3' + setting 'xpack.security.authc.realms.active_directory.ad3.domain_name', 'localhost' + // - PKI (works) + setting 'xpack.security.authc.realms.pki.pki4.order', '4' + // - SAML (configured but won't work because we don't want external fixtures in this test suite) + setting 'xpack.security.authc.realms.saml.saml5.order', '5' + setting 'xpack.security.authc.realms.saml.saml5.idp.metadata.path', 'saml-metadata.xml' + setting 'xpack.security.authc.realms.saml.saml5.idp.entity_id', 'http://idp.example.com/' + setting 'xpack.security.authc.realms.saml.saml5.sp.entity_id', 'http://kibana.example.net/' + setting 'xpack.security.authc.realms.saml.saml5.sp.acs', 'http://kibana.example.net/api/security/v1/saml' + setting 'xpack.security.authc.realms.saml.saml5.attributes.principal', 'uid' + // - Kerberos (configured but won't work because we don't want external fixtures in this test suite) + setting 'xpack.security.authc.realms.kerberos.kerb6.order', '6' + setting 'xpack.security.authc.realms.kerberos.kerb6.keytab.path', 'kerberos.keytab' + // - OIDC (configured but won't work because we don't want external fixtures in this test suite) + setting 'xpack.security.authc.realms.oidc.openid7.order', '7' + setting 'xpack.security.authc.realms.oidc.openid7.rp.client_id', 'http://rp.example.net' + setting 'xpack.security.authc.realms.oidc.openid7.rp.response_type', 'id_token' + setting 'xpack.security.authc.realms.oidc.openid7.rp.redirect_uri', 'https://kibana.example.net/api/security/v1/oidc' + setting 'xpack.security.authc.realms.oidc.openid7.op.issuer', 'https://op.example.com/' + setting 'xpack.security.authc.realms.oidc.openid7.op.authorization_endpoint', 'https://op.example.com/auth' + setting 'xpack.security.authc.realms.oidc.openid7.op.jwkset_path', 'oidc-jwkset.json' + setting 'xpack.security.authc.realms.oidc.openid7.claims.principal', 'sub' + keystore 'xpack.security.authc.realms.oidc.openid7.rp.client_secret', 'this-is-my-secret' + + extraConfigFile 'roles.yml', file('src/javaRestTest/resources/roles.yml') + user username: "admin_user", password: "admin-password" + user username: "security_test_user", password: "security-test-password", role: "security_test_role" +} + diff --git a/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/FileRealmAuthIT.java b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/FileRealmAuthIT.java new file mode 100644 index 0000000000000..b610f9db2064f --- /dev/null +++ b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/FileRealmAuthIT.java @@ -0,0 +1,38 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +package org.elasticsearch.xpack.security.authc; + +import org.elasticsearch.client.RequestOptions; +import org.elasticsearch.common.settings.SecureString; +import org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken; + +import java.io.IOException; +import java.util.Map; + +/** + * Integration Rest Test for testing authentication when all possible realms are configured + */ +public class FileRealmAuthIT extends SecurityRealmSmokeTestCase { + + // Declared in build.gradle + private static final String USERNAME = "security_test_user"; + private static final SecureString PASSWORD = new SecureString("security-test-password".toCharArray()); + private static final String ROLE_NAME = "security_test_role"; + + public void testAuthenticationUsingFileRealm() throws IOException { + Map authenticate = super.authenticate( + RequestOptions.DEFAULT.toBuilder().addHeader("Authorization", + UsernamePasswordToken.basicAuthHeaderValue(USERNAME, PASSWORD)) + ); + + assertUsername(authenticate, USERNAME); + assertRealm(authenticate, "file", "file0"); + assertRoles(authenticate, ROLE_NAME); + } + +} diff --git a/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/NativeRealmAuthIT.java b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/NativeRealmAuthIT.java new file mode 100644 index 0000000000000..5431455cb66d8 --- /dev/null +++ b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/NativeRealmAuthIT.java @@ -0,0 +1,52 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +package org.elasticsearch.xpack.security.authc; + +import org.elasticsearch.client.RequestOptions; +import org.elasticsearch.common.settings.SecureString; +import org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken; +import org.junit.After; +import org.junit.Before; + +import java.io.IOException; +import java.util.Collections; +import java.util.Map; + +/** + * Integration Rest Test for testing authentication when all possible realms are configured + */ +public class NativeRealmAuthIT extends SecurityRealmSmokeTestCase { + + private static final String USERNAME = "test_native_user"; + private static final SecureString PASSWORD = new SecureString("native-user-password".toCharArray()); + private static final String ROLE_NAME = "native_role"; + + @Before + public void createUsersAndRoles() throws IOException { + createUser(USERNAME, PASSWORD, Collections.singletonList(ROLE_NAME)); + createRole("native_role", Collections.singleton("monitor")); + } + + @After + public void cleanUp() throws IOException { + deleteUser(USERNAME); + deleteRole(ROLE_NAME); + } + + public void testAuthenticationUsingNativeRealm() throws IOException { + Map authenticate = super.authenticate( + RequestOptions.DEFAULT.toBuilder().addHeader("Authorization", + UsernamePasswordToken.basicAuthHeaderValue(USERNAME, PASSWORD)) + ); + + assertUsername(authenticate, USERNAME); + assertRealm(authenticate, "native", "native1"); + assertRoles(authenticate, ROLE_NAME); + } + +} diff --git a/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/PkiRealmAuthIT.java b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/PkiRealmAuthIT.java new file mode 100644 index 0000000000000..fa502f9800427 --- /dev/null +++ b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/PkiRealmAuthIT.java @@ -0,0 +1,44 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +package org.elasticsearch.xpack.security.authc; + +import org.elasticsearch.client.RequestOptions; +import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.common.util.concurrent.ThreadContext; + +import java.io.IOException; +import java.util.Map; + +/** + * Integration Rest Test for testing authentication when all possible realms are configured + */ +public class PkiRealmAuthIT extends SecurityRealmSmokeTestCase { + + // Derived from certificate attributes (pki-auth.crt) + private static final String USERNAME = "pki-auth"; + + @Override + protected Settings restClientSettings() { + Settings.Builder builder = Settings.builder() + .put(super.restClientSettings()) + .put(CLIENT_CERT_PATH, getDataPath("/ssl/pki-auth.crt")) + .put(CLIENT_KEY_PATH, getDataPath("/ssl/pki-auth.key")) + .put(CLIENT_KEY_PASSWORD, "http-password"); + builder.remove(ThreadContext.PREFIX + ".Authorization"); + return builder.build(); + } + + public void testAuthenticationUsingFileRealm() throws IOException { + Map authenticate = super.authenticate(RequestOptions.DEFAULT.toBuilder()); + + assertUsername(authenticate, USERNAME); + assertRealm(authenticate, "pki", "pki4"); + assertRoles(authenticate, new String[0]); + } + +} diff --git a/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/RealmInfoIT.java b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/RealmInfoIT.java new file mode 100644 index 0000000000000..9a66236a72cc3 --- /dev/null +++ b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/RealmInfoIT.java @@ -0,0 +1,36 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +package org.elasticsearch.xpack.security.authc; + +import org.elasticsearch.client.Request; +import org.elasticsearch.client.Response; +import org.elasticsearch.test.rest.yaml.ObjectPath; +import org.hamcrest.Matchers; + +import java.io.IOException; +import java.util.Map; + +/** + * Integration Rest Test for testing authentication when all possible realms are configured + */ +public class RealmInfoIT extends SecurityRealmSmokeTestCase { + + public void testThatAllRealmTypesAreEnabled() throws IOException { + final Request request = new Request("GET", "_xpack/usage"); + final Response response = client().performRequest(request); + Map usage = entityAsMap(response); + + Map realms = ObjectPath.evaluate(usage, "security.realms"); + realms.forEach((type, config) -> { + assertThat(config, Matchers.instanceOf(Map.class)); + assertThat("Realm type [" + type + "] is not enabled", + ((Map) config).get("enabled"), Matchers.equalTo(true)); + }); + } + +} diff --git a/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/ReservedRealmAuthIT.java b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/ReservedRealmAuthIT.java new file mode 100644 index 0000000000000..7c99b7c31eba6 --- /dev/null +++ b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/ReservedRealmAuthIT.java @@ -0,0 +1,44 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +package org.elasticsearch.xpack.security.authc; + +import org.elasticsearch.client.RequestOptions; +import org.elasticsearch.common.settings.SecureString; +import org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken; +import org.junit.Before; + +import java.io.IOException; +import java.util.Map; + +/** + * Integration Rest Test for testing authentication when all possible realms are configured + */ +public class ReservedRealmAuthIT extends SecurityRealmSmokeTestCase { + + private static final String USERNAME = "kibana_system"; + private static final String ROLE_NAME = "kibana_system"; + + private SecureString password; + + @Before + public void setUserPassword() throws IOException { + this.password = new SecureString(randomAlphaOfLengthBetween(14, 20).toCharArray()); + changePassword(USERNAME, password); + } + + public void testAuthenticationUsingReservedRealm() throws IOException { + Map authenticate = super.authenticate( + RequestOptions.DEFAULT.toBuilder().addHeader("Authorization", UsernamePasswordToken.basicAuthHeaderValue(USERNAME, password)) + ); + + assertUsername(authenticate, USERNAME); + assertRealm(authenticate, "reserved", "reserved"); + assertRoles(authenticate, ROLE_NAME); + } + +} diff --git a/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/SecurityRealmSmokeTestCase.java b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/SecurityRealmSmokeTestCase.java new file mode 100644 index 0000000000000..4e5a3dfbad059 --- /dev/null +++ b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/SecurityRealmSmokeTestCase.java @@ -0,0 +1,150 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +package org.elasticsearch.xpack.security.authc; + +import org.elasticsearch.client.Request; +import org.elasticsearch.client.RequestOptions; +import org.elasticsearch.client.Response; +import org.elasticsearch.client.RestHighLevelClient; +import org.elasticsearch.client.security.ChangePasswordRequest; +import org.elasticsearch.client.security.DeleteRoleRequest; +import org.elasticsearch.client.security.DeleteUserRequest; +import org.elasticsearch.client.security.PutRoleRequest; +import org.elasticsearch.client.security.PutUserRequest; +import org.elasticsearch.client.security.RefreshPolicy; +import org.elasticsearch.client.security.user.User; +import org.elasticsearch.client.security.user.privileges.Role; +import org.elasticsearch.common.Strings; +import org.elasticsearch.common.io.PathUtils; +import org.elasticsearch.common.settings.SecureString; +import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.common.util.concurrent.ThreadContext; +import org.elasticsearch.test.rest.ESRestTestCase; +import org.junit.BeforeClass; + +import java.io.FileNotFoundException; +import java.io.IOException; +import java.net.URL; +import java.nio.file.Path; +import java.util.Collection; +import java.util.Collections; +import java.util.List; +import java.util.Map; + +import static org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue; +import static org.hamcrest.Matchers.arrayContainingInAnyOrder; +import static org.hamcrest.Matchers.equalTo; +import static org.hamcrest.Matchers.hasEntry; +import static org.hamcrest.Matchers.instanceOf; + +public abstract class SecurityRealmSmokeTestCase extends ESRestTestCase { + + private static Path httpCAPath; + private RestHighLevelClient highLevelAdminClient; + + @BeforeClass + public static void findHttpCertificateAuthority() throws Exception { + final URL resource = SecurityRealmSmokeTestCase.class.getResource("/ssl/http-server-ca.crt"); + if (resource == null) { + throw new FileNotFoundException("Cannot find classpath resource /ssl/http-server-ca.crt"); + } + httpCAPath = PathUtils.get(resource.toURI()); + } + + @Override + protected Settings restAdminSettings() { + String token = basicAuthHeaderValue("admin_user", new SecureString("admin-password".toCharArray())); + return Settings.builder() + .put(ThreadContext.PREFIX + ".Authorization", token) + .put(CERTIFICATE_AUTHORITIES, httpCAPath) + .build(); + } + + @Override + protected Settings restClientSettings() { + String token = basicAuthHeaderValue("security_test_user", new SecureString("security-test-password".toCharArray())); + return Settings.builder() + .put(ThreadContext.PREFIX + ".Authorization", token) + .put(CERTIFICATE_AUTHORITIES, httpCAPath) + .build(); + } + + @Override + protected String getProtocol() { + // Because http.ssl.enabled = true + return "https"; + } + + protected Map authenticate(RequestOptions.Builder options) throws IOException { + final Request request = new Request("GET", "_security/_authenticate"); + request.setOptions(options); + final Response response = client().performRequest(request); + return entityAsMap(response); + } + + protected void assertUsername(Map authenticateResponse, String username) { + assertThat(authenticateResponse, hasEntry("username", username)); + } + + protected void assertRealm(Map authenticateResponse, String realmType, String realmName) { + assertThat(authenticateResponse, hasEntry(equalTo("authentication_realm"), instanceOf(Map.class))); + Map realmObj = (Map) authenticateResponse.get("authentication_realm"); + assertThat(realmObj, hasEntry("type", realmType)); + assertThat(realmObj, hasEntry("name", realmName)); + } + + protected void assertRoles(Map authenticateResponse, String... roles) { + assertThat(authenticateResponse, hasEntry(equalTo("roles"), instanceOf(List.class))); + String[] roleJson = ((List) authenticateResponse.get("roles")).toArray(new String[roles.length]); + assertThat("Server returned unexpected roles list [" + Strings.arrayToCommaDelimitedString(roleJson) + "]", + roleJson, + arrayContainingInAnyOrder(roles) + ); + } + + protected void createUser(String username, SecureString password, List roles) throws IOException { + final RestHighLevelClient client = getHighLevelAdminClient(); + client.security().putUser( + PutUserRequest.withPassword(new User(username, roles), password.getChars(), true, RefreshPolicy.WAIT_UNTIL), + RequestOptions.DEFAULT); + } + + protected void changePassword(String username, SecureString password) throws IOException { + final RestHighLevelClient client = getHighLevelAdminClient(); + client.security().changePassword(new ChangePasswordRequest(username, password.getChars(), RefreshPolicy.WAIT_UNTIL), + RequestOptions.DEFAULT); + } + + protected void createRole(String name, Collection clusterPrivileges) throws IOException { + final RestHighLevelClient client = getHighLevelAdminClient(); + final Role role = Role.builder().name(name).clusterPrivileges(clusterPrivileges).build(); + client.security().putRole(new PutRoleRequest(role, RefreshPolicy.WAIT_UNTIL), RequestOptions.DEFAULT); + } + + protected void deleteUser(String username) throws IOException { + final RestHighLevelClient client = getHighLevelAdminClient(); + client.security().deleteUser(new DeleteUserRequest(username), RequestOptions.DEFAULT); + } + + protected void deleteRole(String name) throws IOException { + final RestHighLevelClient client = getHighLevelAdminClient(); + client.security().deleteRole(new DeleteRoleRequest(name), RequestOptions.DEFAULT); + } + + private RestHighLevelClient getHighLevelAdminClient() { + if (highLevelAdminClient == null) { + highLevelAdminClient = new RestHighLevelClient( + adminClient(), + ignore -> { + }, + Collections.emptyList()) { + }; + } + return highLevelAdminClient; + } +} diff --git a/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/kerberos.keytab b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/kerberos.keytab new file mode 100644 index 0000000000000..e69de29bb2d1d diff --git a/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/oidc-jwkset.json b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/oidc-jwkset.json new file mode 100644 index 0000000000000..4dc970f924105 --- /dev/null +++ b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/oidc-jwkset.json @@ -0,0 +1,35 @@ +{ + "keys": [ + { + "kty": "RSA", + "e": "AQAB", + "use": "sig", + "kid": "CXup", + "n": "hrwD-lc-IwzwidCANmy4qsiZk11yp9kHykOuP0yOnwi36VomYTQVEzZXgh2sDJpGgAutdQudgwLoV8tVSsTG9SQHgJjH9Pd_9V4Ab6PANyZNG6DSeiq1QfiFlEP6Obt0JbRB3W7X2vkxOVaNoWrYskZodxU2V0ogeVL_LkcCGAyNu2jdx3j0DjJatNVk7ystNxb9RfHhJGgpiIkO5S3QiSIVhbBKaJHcZHPF1vq9g0JMGuUCI-OTSVg6XBkTLEGw1C_R73WD_oVEBfdXbXnLukoLHBS11p3OxU7f4rfxA_f_72_UwmWGJnsqS3iahbms3FkvqoL9x_Vj3GhuJSf97Q" + }, + { + "kty": "EC", + "use": "sig", + "crv": "P-256", + "kid": "yGvt", + "x": "pvgdqM3RCshljmuCF1D2Ez1w5ei5k7-bpimWLPNeEHI", + "y": "JSmUhbUTqiFclVLEdw6dz038F7Whw4URobjXbAReDuM" + }, + { + "kty": "EC", + "use": "sig", + "crv": "P-384", + "kid": "9nHY", + "x": "JPKhjhE0Bj579Mgj3Cn3ERGA8fKVYoGOaV9BPKhtnEobphf8w4GSeigMesL-038W", + "y": "UbJa1QRX7fo9LxSlh7FOH5ABT5lEtiQeQUcX9BW0bpJFlEVGqwec80tYLdOIl59M" + }, + { + "kty": "EC", + "use": "sig", + "crv": "P-521", + "kid": "tVzS", + "x": "AZgkRHlIyNQJlPIwTWdHqouw41k9dS3GJO04BDEnJnd_Dd1owlCn9SMXA-JuXINn4slwbG4wcECbctXb2cvdGtmn", + "y": "AdBC6N9lpupzfzcIY3JLIuc8y8MnzV-ItmzHQcC5lYWMTbuM9NU_FlvINeVo8g6i4YZms2xFB-B0VVdaoF9kUswC" + } + ] +} diff --git a/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/roles.yml b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/roles.yml new file mode 100644 index 0000000000000..9b2171257fc61 --- /dev/null +++ b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/roles.yml @@ -0,0 +1,8 @@ +# A basic role that is used to test security +security_test_role: + cluster: + - monitor + - "cluster:admin/xpack/license/*" + indices: + - names: [ "index_allowed" ] + privileges: [ "read", "write", "create_index" ] diff --git a/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/saml-metadata.xml b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/saml-metadata.xml new file mode 100644 index 0000000000000..ee78a039c21f4 --- /dev/null +++ b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/saml-metadata.xml @@ -0,0 +1,28 @@ + + + + + MIIDTDCCAjSgAwIBAgIVALwU/Fbhg4ZK7tJxlGbCJGHe3Ly6MA0GCSqGSIb3DQEB + CwUAMDQxMjAwBgNVBAMTKUVsYXN0aWMgQ2VydGlmaWNhdGUgVG9vbCBBdXRvZ2Vu + ZXJhdGVkIENBMB4XDTIxMDIxMTAxMTkwNVoXDTI0MDIxMTAxMTkwNVowPDETMBEG + CgmSJomT8ixkARkWA2NvbTEXMBUGCgmSJomT8ixkARkWB2V4YW1wbGUxDDAKBgNV + BAMTA2lkcDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKXkYQY+N+eu + GuxEG2kId1AcMPI2TZTuDFskD1NzTDXUH4gN7brR5g2TVNqpRutObc9Ymovyxw91 + g//57zL44ev9EytWVc0She4NKQRsJAMI3aczccboxWwNLzNW3llkY9pu1Fq17Jib + k0zZ9jg0okc1Xj0F5mXgQElsalspJ2ythG8jeahwa08UfHgN6yJKIx8wLZgVetlc + j90Iy8vNimyphopQP+r7t86A9i2HP9OsRiRrNR4lDxd5BcrbRQhb9Dse2HNHHHkk + YEdSRV1QxhzI2tinFrz/fL+gW4SLiLJYGr9ZTPitFuSyWmmlROp288LFJghmAI5G + S1x0NL0aMm0CAwEAAaNNMEswHQYDVR0OBBYEFDDo2pEmEcsxiABqCfceSc6VRowg + MB8GA1UdIwQYMBaAFLtcLb9C2CnCSYhMigKmvQN2i0kbMAkGA1UdEwQCMAAwDQYJ + KoZIhvcNAQELBQADggEBAA5pHuamEc6yB6vaUlwcKFWFI4QY2CJJwmeYJG1V8Wl/ + IoFevTvBdYAKBwPMaoVySY+4BB314J0MmfhWQ9CxFoWzYpoT1L41NlADWrEOjwXt + wrMjphkZnimnB/xXpPjYydZTXo1y0b08CUSp0ua9kwySzgfyaIpeZl5dkNZPqvUf + vxl8tR19LpqB4/J9XvDqgK+aFFZUIYlPGGB5N7YR/o4fS9kLqFKy9FPiJOufN/rq + t3gzItYNtO/RWagX1cngqDsflyovlOVvxv4D3IRZ0gzlCZwx05PeB7LYvjG2nIS2 + 9LBd3nyFanAcHajurMupyOuY9ug0VSuC4zQzMfSNMv4= + + urn:oasis:names:tc:SAML:2.0:nameid-format:transient + + + diff --git a/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/README.asciidoc b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/README.asciidoc new file mode 100644 index 0000000000000..c57d448ade77c --- /dev/null +++ b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/README.asciidoc @@ -0,0 +1,63 @@ += Keystore Details +This document details the steps used to create the certificate and keystore files in this directory. + +== Instructions on generating certificates + +The certificates in this directory have been generated using elasticsearch-certutil (8.0.0 SNAPSHOT) + +=== Certificates for security the HTTP server +[source,shell] +----------------------------------------------------------------------------------------------------------- +elasticsearch-certutil ca --pem --out=${PWD}/http-server-ca.zip --pass="ca-password" --days=3500 +unzip http-server-ca.zip +mv ca/ca.crt ./http-server-ca.crt +mv ca/ca.key ./http-server-ca.key + +rm http-server-ca.zip +rmdir ca +----------------------------------------------------------------------------------------------------------- + +[source,shell] +----------------------------------------------------------------------------------------------------------- +elasticsearch-certutil cert --pem --name=http-server --out=${PWD}/http-server.zip --pass="http-password" --days=3500 \ + --ca-cert=${PWD}/http-server-ca.crt --ca-key=${PWD}/http-server-ca.key --ca-pass="ca-password" \ + --dns=localhost --dns=localhost.localdomain --dns=localhost4 --dns=localhost4.localdomain4 --dns=localhost6 --dns=localhost6.localdomain6 \ + --ip=127.0.0.1 --ip=0:0:0:0:0:0:0:1 + +unzip http-server.zip +mv http-server/http-server.* ./ + +rm http-server.zip +rmdir http-server +----------------------------------------------------------------------------------------------------------- + +[source,shell] +----------------------------------------------------------------------------------------------------------- +keytool -importcert -file http-server-ca.crt -keystore http-server-ca.p12 -storetype PKCS12 -storepass "password" -alias ca +----------------------------------------------------------------------------------------------------------- + +=== Certificates to support PKI auth + +[source,shell] +----------------------------------------------------------------------------------------------------------- +elasticsearch-certutil ca --pem --out=${PWD}/http-client-ca.zip --pass="ca-password" --days=3500 +unzip http-client-ca.zip +mv ca/ca.crt ./http-client-ca.crt +mv ca/ca.key ./http-client-ca.key + +rm http-client-ca.zip +rmdir ca +----------------------------------------------------------------------------------------------------------- + +[source,shell] +----------------------------------------------------------------------------------------------------------- +elasticsearch-certutil cert --pem --name=pki-auth --out=${PWD}/pki-auth.zip --pass="http-password" --days=3500 \ + --ca-cert=${PWD}/http-client-ca.crt --ca-key=${PWD}/http-client-ca.key --ca-pass="ca-password" + +unzip pki-auth.zip +mv pki-auth/pki-auth.* ./ + +rm pki-auth.zip +rmdir pki-auth +----------------------------------------------------------------------------------------------------------- + diff --git a/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/http-client-ca.crt b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/http-client-ca.crt new file mode 100644 index 0000000000000..f4e55e77681a0 --- /dev/null +++ b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/http-client-ca.crt @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDSTCCAjGgAwIBAgIUSCwIIISvC5WpMRS4+FZNH+oAQR8wDQYJKoZIhvcNAQEL +BQAwNDEyMDAGA1UEAxMpRWxhc3RpYyBDZXJ0aWZpY2F0ZSBUb29sIEF1dG9nZW5l +cmF0ZWQgQ0EwHhcNMjEwMjEwMjM1NDQ4WhcNMzAwOTExMjM1NDQ4WjA0MTIwMAYD +VQQDEylFbGFzdGljIENlcnRpZmljYXRlIFRvb2wgQXV0b2dlbmVyYXRlZCBDQTCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIKhZWJK8cFpze76MqjTtCZH +I5pHeNQw+1J9KHlfgLn17IdQ0RljMfuF+EOkk8bf0q1CFa6/rs5A7zbHptUZlZ0J +wTSntd9WHNIIzwFQoCcy9HjWWrkJx+lHJVhf4cCrAlxDg+ltBcEGOosQLm8kEddV +toK9mVnyYytM7vFVjF5VDdE/J9BnQbXMR3r1JVzNtq0q5V2eb4Ne+hYos+smA5Ma +g0c/JGO0vhxwUKMrc1hacW1WyIGhs6F5UQtr2MSg/Lo/GXl1sLk8Vkuu1ZSAooZr +6mlNZqJBXNFUkVastFhIIG3ckSDHlqIlbaYbdrhVSf9CjjeBQ+0Lc66Qw30FEG8C +AwEAAaNTMFEwHQYDVR0OBBYEFH3YuTqhORMmuMFn0qggxldoRSXVMB8GA1UdIwQY +MBaAFH3YuTqhORMmuMFn0qggxldoRSXVMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI +hvcNAQELBQADggEBAFxE2OB/wrGzNxNyEW0xHCj/hGBFAbBwDXu6wLtkNjyuXqXO +zHwcc85dD6pj2EWVKbiyFFEIjHpQeJtaG74dPko+K7CfhbLACmIHSZpxlB+X4lDR +ApuUjde6Dp2ohEO6xqB8kuy0fIm2qhOIwdy8DqqwqeXFntlfKombWnbpBWKDmZ36 +f5U7hMVLkAlgqb5/wRBqrAqTxQtFqe/R1iSpB859p+sL4R/IPBs90RNs9/LuJads +ieqGj59bzUEE/Bb7weVvgOzp25MITCQ2i76hWVMPHBCBQZSxrQdNzMPeAZs1mDaK +0LDvajtnbKq8bSzkCke+/FW9wV8LLgyCCOoGQGM= +-----END CERTIFICATE----- diff --git a/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/http-client-ca.key b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/http-client-ca.key new file mode 100644 index 0000000000000..7e97989b84723 --- /dev/null +++ b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/http-client-ca.key @@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-128-CBC,E5EC395FEA95C5846466B295767AD501 + +PeWr8qXpE6lta4orHb1UL4ktuDAfch9IFynU/0C8ZYcZd7riHwhoKnHlox6Njg6+ +sbpxiQcGvhruGDjkSNjw0eHO+cTD8/K8er8q6bv2DJ6egm9bsbs8VOz604c8BGQS +HIl5alpee2AtmHfJkSaDQWb3pRguo2o7KDxcqxIC6To3GS1dgux1hlYFaiM6cX9V +0c6XH6EwBK0eo9SbxWuaTR0rB6r1GXJd1kutFVC5a04KjkLSCujpMoxKdyP+W+gM +baWIFb98Aozyly753149t+C81C9J7U5aDlVmtOwm/8wIHDskhuk9tdHl05LCtv7/ +FDbzwHN8XsSdVY2Ax4kk3GfVOI80YUfram5FTfmwZRO9XK4wwEtdCSvgkYzeu8Np +ku9gV2r9OiuDSOI1TRXjObk/JWM8fItakyIu1P+v+SmL9s8gDMfMDDtbruqvTh2z +H6bk8xtLDGz7zWFcomJPUnRcMWhtW4xL15jJiAcaYgijioUty9UJd22Jv5oa/C7+ +bCvmW+sQAa4gpryfGwDEXFZv+S6lNjRqdOnobCDnew6pJsiHY/3neLjFUtBXqkum +ixAVVyKcazeS3koiv4fpkYD1CcrSVYxf4fotvBx86eB/9O+bwdLb8pbdivIEWISl +3wsAcqYC8eJp29RYt+RS8r7dfJ2n8kWcq6XwFY0EclFHCnDtbwHNZrLiM2XPf1dO +r1wkcUYTKB/KEEL0Td0mAFvfs5yb3UeSq4qe3ZuSZaTafhstPt9HolcKCROE1rXx +cO36zcoUp3JzaKJPorsA4YdF2jro8Y8psdKQXB3kb4s3JEuEL+oh/T3gSLi73R0F +mAYHDicwNHPvySVrA9oxczC7v7OrjmmrGnVcz8mwdhZaQeCULvuWGotUWTT2Vkie +2qpRAfSC0+mzBIz95FZEaQUcZFQZ9aab19w7LxhMO5PAe8k0ogwG8mJuXqUd3pcf +9DDWon6yO3JgB9CtmJCCu0YZXNyP/z9tZSjJxUI002M/exw+C8THebUCkVSHrB/C +Op+NPq1oLyVcJ8bnTEsK0ysGylfmBkQapvtnDRiypVRBv3YCKua4e6U0T8GxHLMM +AItzKx+HG7gx2mwPlWoDmq4nhFp3ME1GE1VqDquzo8f2aR08BKCdOOgxgjntXJRM +8QR6yH3k+3rZ/7aY/sXUgRK/l2b0/+vbk1xtioRq/u0BxkhDqiXZ2cG/BJWXayDg +GbaMbciRqfCcViWCH8mB+BDzp91OWMDYRDQtqYngA4hWgxeBbH45bju8ygjQONbK +Lz8Z1j/Htpi8cvim7Fc2SEQ83/SO64Q5MwzpmbeNOtvtmUVkut2/kKjMzT20niUP +y++M6gcBYgBeLhA5dEGyTQtA2Dmh1PQnEfe7Pfb10i9HpmcTHUun1e7LVJKfk8ul +z49dp0OxQiD4ExK+u6zhXMmOVi3NJz+G8OINTgIcWG+6fj78UuybuBO3sQpkQyHk ++ub2ituXxcQBLOfLHHK9PXnun4h2UovrudHX9PduPwgQ7pOVmad9hecQrrd08oyT +uBMyygUye67DQuZft4lVPJimWdQgB7TmDhk2bXqT510mVKIZHWiHVTmSLiGl50zs +-----END RSA PRIVATE KEY----- diff --git a/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/http-server-ca.crt b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/http-server-ca.crt new file mode 100644 index 0000000000000..362fa1d700b78 --- /dev/null +++ b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/http-server-ca.crt @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDSjCCAjKgAwIBAgIVAMuHthk+o2IHB9u8nysBdt6iWcG8MA0GCSqGSIb3DQEB +CwUAMDQxMjAwBgNVBAMTKUVsYXN0aWMgQ2VydGlmaWNhdGUgVG9vbCBBdXRvZ2Vu +ZXJhdGVkIENBMB4XDTIxMDIxMDIzNTE1NloXDTMwMDkxMTIzNTE1NlowNDEyMDAG +A1UEAxMpRWxhc3RpYyBDZXJ0aWZpY2F0ZSBUb29sIEF1dG9nZW5lcmF0ZWQgQ0Ew +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCT/nfuBZM+o9lWmt58nZn9 +SN9/ken8kbLb01ZoHG2ssPivSj+HjispJjK2C+5k/3MPqP4ngCgJzR8jrW2C3yG2 +G8/RhrB96f6hw6vbZZSt/LqY1nO6hR3rLoUUY3+wNv8EaaMOuwhOJKqwccoCsTsE +EK1ztUEpszbkMgJEZ+HJ1Cb/SUjFeXvOUtmtE/W339AHEQWAkhomCtgrsq6XJ/8P +Hxa8rPnaIgh0nmUXvqsHNw/UAmtOqUkmzJYiCuqJCpXTZvzFEl3QMjKwClAuTXry +pW2pEdmk4QGWdoOCNgx7DfEyRzc6/x2GfZPLN3H89Ob9KD9/OKCRCxeZd2Ell9IN +AgMBAAGjUzBRMB0GA1UdDgQWBBS8ifqU0tXT9s9Sf+xl+BJEfc5LRDAfBgNVHSME +GDAWgBS8ifqU0tXT9s9Sf+xl+BJEfc5LRDAPBgNVHRMBAf8EBTADAQH/MA0GCSqG +SIb3DQEBCwUAA4IBAQAWV997kl+MVMscfzY9PED9yA9/VZJyBhVFRp7z7EA7RrxK +pIdaKb6uuOxlZSFysQgzN7o68FMgrU7aTml1FFgmh4d9smHiV9y5WMVH+mrg3t+V +i4SZbdzJLXFkUer2rnXE8oCISRrdC9jq0Lfd70dW9BzLZrlRFNwDD4XaYIEkLUu3 +IFnFPXbQOwbDhlzRiBbYBbDpFEX3/eSS3fDi2fF44WbYEJtlnMAdCSCpu//KSg71 +28OxzCfYvGS3G3S1HKDnuja+zBHfnKwxA8Fl/O/6RKY1DKZs3XldOwJcIgrgnm86 +0JHkAZdE2nFUHWS2D7BTOCM+55J6cbfis/ZNjk1y +-----END CERTIFICATE----- diff --git a/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/http-server-ca.key b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/http-server-ca.key new file mode 100644 index 0000000000000..a8412d2278b13 --- /dev/null +++ b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/http-server-ca.key @@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-128-CBC,890A9BAC12DD7E772BB95D396FF96C76 + +5Wrk2AtWFxnf4yeZjpTEJ0K84PEWSo6aQvxo5V/fVTIdEhpsEiDTVmRUAf096lxz +sIH3/dHpDyQLuJxLfkgp1v57crlB+2NTxWO3aBmC9x+zwMgJFjjnTnaoOF14HYSd +goZezx7EN0AyJuAAVZUfeHvrDac8m/C7d4UafFbvT7RixsJgFhH8Yv/uevyRfp6p +A+ZyZPKtqKrU4taDu0ln8f2sWnc+t7e7K/CwkNmzCx2Jptbt6mM85ik+6tASobrZ +tkHjmzrfqyjVNBZz2IUHuCeaOeJatHyxeZhOg9o/kEQKw0ERx6CIyIeNiROexd1g +K9532RmAdALXxcMtAzN/YvIzFqRf8ipRPTuaHDJ7R7VastNl4I5LD0rMOR3U6hnR +hNVYDMHm7M52KJInvgCyO10mpEqL0XI09xOdE9uvRvmaopH89jceZi42hPIyNj8n +MjTAclFbvUhMZRrivEZGbEpBSO4prGzDz9qj78rAt3sOIgVkMOCKnhUURuRyHLuH +pbOVyCC5pfLhfMpl7vf7ShxieQnrC8HlMeYBChfT9xLNP3gxf96PNY/Fs+DESgb2 +NppSkAuOImWLtG1dnVffBBlH0xBQGNp7OXoXY3+Ibk/+FLGAWsxtJ6NlJvE18jXa +Lp9Hd1k+R9b1qTvAIQnqhYSaPJUEbRtV270e1GDLGrfsbQBrgzGcHDZKFJtw85IN +9AidTJNzHPGJHMFHcanc0wMqvjhjg0CHvRMb39ko6QQg2u/XIB+vcYy3n67KT24e +D8TH6CDTnkdbrp3ejM7XhM4/weFHjfuwgxF6pqoA0Pd0LbnbH8C5bmfPbs0nLQHJ +vrBdYPJNtCB7B2IQd+BxqEuKKglpushEYN9KFvfVQuLrKqaTdE8/GgmuwlNzGvPD +jc5SAjCWImryftzIakU8SXsQWCaOCaMOvqr8l/rO3JvTTdUzfUYMb+xd4ohAFmwE +6l4gm01XOJ+hmJkOYwOtnPfaIeDbZczz52mOLPbXkQBc29HzcjprdVyxtHcEfBR6 +sLKXUpuwrarJvrFSBqmY6WVarhjO06gNv77fhCchGA7On8pJpOU+VL7sUW+Jk/vg +vMDaayNkNKBr/2QHd5YUYvopWm7a7pL1Z9Y8nz01TJDegj2JVjc65xAE//r8oEyU +aF2pPp0jSWKEkRB1P8JqQis9bfxLYxbsbF5HO3ADaBZVkkGjqVh+6o8S/VxIQgwr +tRRTPxG2tU19xGE2F756E8v+IaYKG4/PwE1Vb/A9NcTXyR0QZO1L0C3/Rp7AssuL +jARJqtMJtaEvMEzcnWtPGoJbLLLkFUADQdunx2vIcdjQL0iB6iyYISV9R6Gyc8ou +biWGMwUeYBSTAlwBGTGgM8apcRSlUiic1u0K5WmSyee1RjvXJWR5Ct/wvfGHVbu4 +Ha79dJjcJGLSUinWKYh3RLaJvSV1r/j/thqbtspWnR72cUdG6EFmrls7g7oxOWD7 +F4m0S2bbakxfcSZpQE+lqnKLkEPrYXqNkoA7QNzBemqBVYLg3whUyqGS0z+LaZW0 +vKyi5U6mmcvfMNdWEKswHQe7RciAQrSGXgIiqYVM1ipSo4uo9NB84XDIKVb98+0X +-----END RSA PRIVATE KEY----- diff --git a/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/http-server-ca.p12 b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/http-server-ca.p12 new file mode 100644 index 0000000000000000000000000000000000000000..089a9bfba4f1ed1e268167ab8ddc4d5d93e7b3c4 GIT binary patch literal 1130 zcmV-w1eNnZgViTH z*BagAG16ffI+|DB+UIZ_?)_tCQWc7*1HA5k#qY5^WBjc#M-Z$hn;U=YoW16!V4oWWCAk^6jH}G-Dhf}}QsJ;b9|JTHE ze!(xcoqUggtC@!_C6whPjf<}~aYw||Y)O3gKJ!NLnpM?@|AzsNKpAfGH8aqbzHSrR zGI?V;bHnnaj9e0K#AB!bxKKi^r0sPP9-PH*2%jouxylbkw*siWY=sp3mTi)va9A(N zNO1Ga)ze`7N|%6Q2Y@sNcv;ngS09zu`^+J~_@1Zs!CM3CaXxYLEY zfqJ=1d?)0e{*G|tVsQV*(lzUVo~O*oW$bUzzkd?nWXTQ~tCDSy&|}4LL5tVh_s4fG zl4jo{o!_^P6oVUzD)Q!wwJR`|f-u37F=i6zKWW%q7LG$j=8M3afTA|l(f~w0L6MjW z)|D8l`FAL2zl_cA*lIzyJ>+$9)|0k=yt-I@ahk6gg_EY9;yhVKGm)#0nOWMggcfWV z7yP}PzvI9*4IN0)dVcsU<6bZithzrwY_L30vu#$|h+J(Q@^5KzKEQ2ujNX25fg857 z9yS$m=Hp!>t(y#HkqF)|9KQl%0I3q+{TTig}Wo)A)f?Y$cNKNXl^kLQ#|n9y^$Y`fiUc^A&; zPZ@%CTX|Ps#??HDn-;vG|U-R zjH+mMpRsHk-74t637dnbgT%vf>GZ(O^B&o@?N&GBN!c9p+sz9r#Xaiob$y?^EDqpz zFK3K7$}jm9$6&@WN_0^K#}jqU0s{etptt`MtN;K2 literal 0 HcmV?d00001 diff --git a/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/http-server.crt b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/http-server.crt new file mode 100644 index 0000000000000..0b7956400e023 --- /dev/null +++ b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/http-server.crt @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDuTCCAqGgAwIBAgIUCcrR2XFErsgYaTXPqKO9TiEBG0QwDQYJKoZIhvcNAQEL +BQAwNDEyMDAGA1UEAxMpRWxhc3RpYyBDZXJ0aWZpY2F0ZSBUb29sIEF1dG9nZW5l +cmF0ZWQgQ0EwHhcNMjEwMjEwMjM1MzU0WhcNMzAwOTExMjM1MzU0WjAWMRQwEgYD +VQQDEwtodHRwLXNlcnZlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AIRJbttYRqopVNwlLQ+OmQZ6cXDILSXOn2JlePpgYHS03NMgeNAI5JY7Q0pBX/7C +GQnUvXAw7+1eJA4v/6SBui0FyFlWTzNDsEfjt/00CjsgAxYXb/SSxb1f0pcJSOHh +y4nKM9/hPzHZxGSm7YTTPBt+69KsuTbz6w+aUkZa+/Ll/PuXa4hwbuUO1IeMr99m +wtq4KIhbSU2tNe4LoCbhfhvv1QNsw2WbsDAuk2BXrwTsAKrjy3f2iyJiOz4eBTLq +G1lg6uf2Na2VTYPSl+0SleTxnYgQS0xE4U4Al8bxbuTI9L5GOMVGqscNHEtOz9nI +EbFwskMmLc6WAz0SPQksHT0CAwEAAaOB4DCB3TAdBgNVHQ4EFgQUC0RHPPXYUCOm +kvXdsenszNiw/AowHwYDVR0jBBgwFoAUvIn6lNLV0/bPUn/sZfgSRH3OS0QwgY8G +A1UdEQSBhzCBhIIJbG9jYWxob3N0ghdsb2NhbGhvc3Q2LmxvY2FsZG9tYWluNocE +fwAAAYcQAAAAAAAAAAAAAAAAAAAAAYIKbG9jYWxob3N0NIIKbG9jYWxob3N0NoIV +bG9jYWxob3N0LmxvY2FsZG9tYWlughdsb2NhbGhvc3Q0LmxvY2FsZG9tYWluNDAJ +BgNVHRMEAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQAQrGXc0BGPgTAn2AGtuq4aefX6 +61DlYTI/13hmuUrXoSYV3KjnyZ35b7air765Jnze533TYyc3LTG2ATZTid7ypOlF +8+MxOfEg5QmvkcBiP1npYe46gWnaLr2MPwA2h1UTomLkPtr+BkaTGITiGHJde+6A +F9SPqPX9ntRuARwUWXhBfYoRWCcUbKscdQLG7THfg4lUb+jQJ+3Hfmz0p/ffGpz6 +7culVn9PnveC0gRTnVm1rzU45anD/BB2ufyLLO2j2qEj/K4XJNTd9O8in+m+9baT +/bzQkHK/kcyLma3cOsGNdsV8C+slDt6eDpC8FU86YdwIrWlc98WNLPKEFLnE +-----END CERTIFICATE----- diff --git a/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/http-server.key b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/http-server.key new file mode 100644 index 0000000000000..4cab0e8825297 --- /dev/null +++ b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/http-server.key @@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-128-CBC,ABFB4CA48E6FDE2FB61D22D1DBD62ECC + +uzUgIXivx1+QIXBGukekWhS2ETnixqB7YKJ8bDkCBWU1Mx9rTFTHfu0Nh9YmRJLA +EsPLgF74TOCJ2R482bFNPi8TB3oVxvWAHDXcRcpuNyKxGIOhJUWofIKeLkV0l6W5 +w55Yq94BOhEjx/bLv9MIUV8w++296R9NNewU03C0KYygYr0QkPLsqKsW6uTSOyi4 +zQX/8ZoQsV85miEQeRc5iv24wqEVEzNVucohd/0dxZ4CfE9bT9SQ5BmDjMqRbsVV +rhQqR9fSkM4M0f3iaEqO8TyG0Zx3CUqluXI4ARVOR33rw5ImV3ig0dXzndoM6PJl +wT1tlsKUWYTfXcgM93n0w6qP9PpV0gYBZo+bNnLqlEl+SvWxtfdnAw2OuOa7frUq +51k0NuSgokA1WF/njD3J7XSLqBuUi/0PetgWoY3IydbcUZK6OUwYk/s0YkDLEPoN +f+9arh334/yY5oZGlqRfK3d0ng10452Y/7fMZ9DOgD3z2Azz49nQhPovdgS23BKk +5kSmQg+GOkp8no1wlkggVYQLgsJaVkIAAKTmXRmJBiZS7d6M+MrvfURpcWRodlRS +V6vPZTAlR5cdPJ29pHscsL60F78njNf2LrhaBx2QbPB6h4hAN1cBMw04oLJRHF6z +GJl+ONf++00E9A5vVMZSf4nOFRw5HqIR5GmouV1KzMhG7uIJySOnIWt1+FPjNlZc +AmHQ0/Y4xPjyLkzAbjU/wHtvuQrLJWwcFbCy6s16Qhl+P+6CFsFPVMM1BLKiuqxV +WYRkfUrgu+J6JVZ0LeKFFrF8cyJ2FqnDT/qBJGn8+stMjUg5KYOQLE3ebIlE46+t +iDUfAcdxRcy4ekAZZs+4mDVmFVo24tw+YDU+7sPYJ1zTOHOE1yHzh3dkjShOI8zj +osoiqrQuJVw93GaR8g3BWtkpSHJvPpwrcZdc3n3125ENtgvuYxAqTqXEYT9p1mTl +6818nj9dx2l+jtCVEnwP7DOp6bfzeSUaGHgN0S2sO4w4eIrD6p3vlEd8fiUScwjz +2wblk0CqaT87SFrsVBunpfvV7pJrGUFy3MWCv9jxQdn0vsvzgB7TKjJOXxBNPA0K +m+P73rlxzyr7a0MhNk+dyqjIe4rd8ZzmkKsY1PeHAXF0TMAl3Lu+2T6WW/0CLsYC +oG+Xc9W791NWUuFyZNyxMhvJ7A6QV9bQGC6rdKs8vRNdkm5EYJ8M7Jw5Nox0QWRX +YRkEWOM4EwySKvQOnshERdHIY3L4lYHT2IjLWkcHX3NbHWOEJdA53/I2Zi+2CFJJ +jwxzebJ9HSfNm0yu7PVBoX1ov4fq1hz4PnBGjBVNgiDVBlvw4drXxuReTDCXYfpy +09AMABl4EBfwoUkctBd/7KIJNuVk/bV3tbFgmCLHtg9hVeRpDHYiQBGRMh/lsuyD +6ITAlPk3M2gEGTwWfeiyhfKo74eClWQiwt2kaSneUG9flIsME7ViDiwGYQxqWgnB +GfL8X3PtB2IoPrGugUyQxYSuW0onBT45/8DLsstYdijMmy7edBQS4skni4zNzeaB +3AY3kEz6DnBVHMCqdfFjTIQJ2Ot2Zt+Vbp0XMUY3EDJENgb0FhZdT7IQTyXDmFOE +-----END RSA PRIVATE KEY----- diff --git a/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/pki-auth.crt b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/pki-auth.crt new file mode 100644 index 0000000000000..49f212897b8ed --- /dev/null +++ b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/pki-auth.crt @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDIjCCAgqgAwIBAgIURUBzIrSMO+65o3KZ5ZAMNqisXCQwDQYJKoZIhvcNAQEL +BQAwNDEyMDAGA1UEAxMpRWxhc3RpYyBDZXJ0aWZpY2F0ZSBUb29sIEF1dG9nZW5l +cmF0ZWQgQ0EwHhcNMjEwMjEwMjM1NTQ1WhcNMzAwOTExMjM1NTQ1WjATMREwDwYD +VQQDEwhwa2ktYXV0aDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALOa +ec6hHxn6VlSDCHEQJmeuqWsSW2vF/Hy4QdUDDK4iUJ0MZEecrmbALdKY1PtvINUk +OAgc/9q1abQsXkvU155QmKDxBpd1jXY7HaVlhhOjEj+qhV9xSL7uYv0v5DMT1cPf +en+ZNf9aI0x5EKoMmyVb+W30cu+k75isBPE3LcZQLwG54U1g20l54xmKWD29jqJ6 +Q8AA+2NorFlp3NJsyW0U746sUogDXJE7Dtf4hsmIhw0VkJF89QwobccFIwXiZmVT +NhniRc/0/MocnEEGFTd6QSjh76qmChUMwpjNxSbfT4C2s969O0HOXekdooIPLypZ +a73reiVk3DAy1yQ0ZSkCAwEAAaNNMEswHQYDVR0OBBYEFCh5MVXAUNd4nk36dVY2 +EGFuh9w1MB8GA1UdIwQYMBaAFH3YuTqhORMmuMFn0qggxldoRSXVMAkGA1UdEwQC +MAAwDQYJKoZIhvcNAQELBQADggEBAHYCbDQA/q2V9rAPFWUOfO6sT8VAmVVrYzdo +4JONnOsPf3dp8jUhmz4xInSjYlcQdjyEByFhxLEXrT1Bed7GGS0RU60SPHe9YOjr +ovD9kZutqvEeQDcfYoun2qxF0n1tfvbV3mbuydw9h9Pgaa0d7pbK1fJiyr5o8myO +XtE/b0oZMqEiOF3MHo28A10W7ikdo5iB+wTpjpRqjBxLIXQY+q9NWmgp9WmDoNeR +SFgPmFOYqGjf1TcvHSyRKsCIEGmZrjjQl1NYqPfJCDFsxlF4Qt5mUf1s3gW7Aevw +jQA9QCPvN1C3z9r4/qIo+U07Ol1deb6/9v5NWmomR6GUM0l/0ZE= +-----END CERTIFICATE----- diff --git a/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/pki-auth.key b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/pki-auth.key new file mode 100644 index 0000000000000..925a41bb78378 --- /dev/null +++ b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/pki-auth.key @@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-128-CBC,AA42F98B16A0D8ADA8C387861B419850 + +Ax/A9kbNOHvgbskJLdOw4lD/hw4kCIhm3f203xXUC4KVWcnctvAMB4u015RnKoRn +Z9HAZYDY3SqqjjBPm7ljytz4BAdiAOINUhMk60Pq82RyyMZMeHftB6dPIbAsJMH8 +DJVOvc8UPoraSIe22D8UJAOnXJJioMWsQDrTpibIVKGzw5xU2EJLrQWCTdZ+ZKGp +IJArpCI/FIKTFatwANjs8CR9wZouVjqC3VFj3wbnVieNnyUpcuDXyWkdkOTIQf+h +zQwnBgzezJxR8Ul/F/0luaMqQs338ow7i8Cnwc2ZrjOLiTybvzXD0G2Bh7cfVt+7 +GzvbRoYTxlQOGeKv+9UFen4//s6Hd28akFoI8sLq0UKLWpfrmXSEESgMqXAeEA4j +/6vrzYMlO18q9mhIEX+KhbfApDelaWyvDAIqLMeTr2TnL2a1wcCJh6BrSB36Kvyt +3Y4zRg/ZEDLsbewTXirvjPr9unTjTIhrUOngwTpcIqjeU4f9YGCWuJrAdoYCSV1r +fsaVY9Kx8K7M32MeVREvcMZ1DK4oJ7f6ioi1DWco//+o52IdZPAx9lHGzhCSYed3 +007IFRIY7r5/srTlNZyKNGF89RNwPfg+95/3jRAWC/NJn9QEcNh5j7XpL8exvMhu +UQwuj+VuLl8miakM6BG5Zq0Mg82RNtMRDmnHC/PMN1xGtZSi+VdFP7L2OkQqqI0X +FrStV8+91gDsWN/RisdC44c912z+9i/dZ1rWEUAgfDkJQZgEVQf/NFBdh9jZdCMc +Jo3lTjB554tGOMwq/OWK7hxXw2n9BpVRUDzvnSq7K7bcRAmrPBAHA+q+xqWZxKh+ +Tni2Ppa2UXE4j05hIa2120XHm+ASYAkV9tzbOuz+MbSMuCqEEP1zNk2sWrOIIcYE +eTTmEbbZDR5YWPSOFvF+Dau9RoFInCqKve42V90v+UIqEe35dHa7FahX/2tkZ2x5 +XJ/aTEjZWMpcOCg/gQIfOm0Z6qqOegK3WxFIDvBntaQCGs80+kxQV+WaQuqqq+BS +YD3djGpUdXjOgd0xH1GEjSKuadC9PRx4H+S0appa2NAkWeV84134bOC4FTJZrGuO +2ZXITN6Yca/YtEfHo2NAO86XBzpBDJY7X5nydV0ORPgyvXJl3rqT62ykBv3iD/He +p8W7rxg/1FK2cpNRLp7FCGL37Sz036jx6BBidz2t4/+zu33lw07VPELrn8GE1SKh +bQipdeJAA4+89Qreg1ZZ8L1HGbnPuzctg+hlTC7A38//imYHasGchyh6/gCuGkCn +oREvW82XcoDRZ9OW0z07cL31afjTAqZW6xhu00GAl+Bv+XJ9thfBv2C4IBfWuu0t +ccMFGpmLL8fjPJF9yMEE2nsUU3w5jXqJ507uCxwpzU634s7IQhmpHtiwPs4KGxkR +xL5TxYmhfZnT5VayVgkR10wDfLeoeKuuzMHy4RyGYpwVVj0647+OcYLpbd16w62s +fOERLjxHKwCijWHOog8kTtffL63EnrSWLrkun/L5DI1dpEUoYknqHPgMNcESdrOv +CFiWpub1Y/brUYPuf/X48lsD4G/cJOyxZPFpAkS5ea6MlpaMMsuPDmvi8dQckqcb +-----END RSA PRIVATE KEY----- From cbd0198002e287928d8d30815232dc69d7826486 Mon Sep 17 00:00:00 2001 From: Tim Vernum Date: Sat, 13 Feb 2021 00:58:53 +1100 Subject: [PATCH 2/2] Fix checkstyle on test framework --- .../main/java/org/elasticsearch/test/rest/ESRestTestCase.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/test/framework/src/main/java/org/elasticsearch/test/rest/ESRestTestCase.java b/test/framework/src/main/java/org/elasticsearch/test/rest/ESRestTestCase.java index 4824ec6488655..a2ffcb68c05f9 100644 --- a/test/framework/src/main/java/org/elasticsearch/test/rest/ESRestTestCase.java +++ b/test/framework/src/main/java/org/elasticsearch/test/rest/ESRestTestCase.java @@ -1075,7 +1075,8 @@ protected static void configureClient(RestClientBuilder builder, Settings settin final String password = settings.get(CLIENT_KEY_PASSWORD); final char[] passwordChars = password == null ? null : password.toCharArray(); final PrivateKey key = PemUtils.readPrivateKey(keyPath, () -> passwordChars); - final Certificate[] clientCertChain = PemUtils.readCertificates(Collections.singletonList(certPath)).toArray(new Certificate[1]); + final Certificate[] clientCertChain + = PemUtils.readCertificates(Collections.singletonList(certPath)).toArray(new Certificate[1]); keyStore.setKeyEntry("client", key, passwordChars, clientCertChain); sslContextBuilder.loadKeyMaterial(keyStore, passwordChars); }