consistent test failures with :x-pack:qa:openldap-tests:unitTest #37591

Closed
jakelandis opened this issue Jan 17, 2019 · 2 comments

@jakelandis
Contributor

The following will reliably fail on both 6.x and master.

./gradlew clean :x-pack:qa:openldap-tests:unitTest

It reproduces regardless of seed.

6.x

  1> [2019-01-18T01:23:17,040][INFO ][o.e.x.s.a.l.OpenLdapUserSearchSessionFactoryTests] [testUserSearchWithBindUserOpenLDAP] before test
  1> [2019-01-18T01:23:17,439][DEBUG][o.e.x.c.s.SSLService     ] [testUserSearchWithBindUserOpenLDAP] using ssl settings [SSLConfiguration{keyConfig=[NONE], trustConfig=ca=[/home/jake/workspace/elasticsearch/x-pack/qa/openldap-tests/build/generated-resources/openldap-tests/ca.crt]], cipherSuites=[[TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA]], supportedProtocols=[[TLSv1.2, TLSv1.1, TLSv1]], sslClientAuth=[REQUIRED], verificationMode=[FULL]}]
  1> [2019-01-18T01:23:17,628][WARN ][o.e.d.x.c.s.SSLService   ] [testUserSearchWithBindUserOpenLDAP] SSL configuration [xpack.http.ssl] relies upon fallback to another configuration for [trust configuration], which is deprecated.
  1> [2019-01-18T01:23:17,678][INFO ][o.e.x.s.a.l.LdapUserSearchSessionFactory] [testUserSearchWithBindUserOpenLDAP] Realm [oldap-test] is in user-search mode - base_dn=[ou=people,dc=oldap,dc=test,dc=elasticsearch,dc=com], search filter=[(uid={0})]
  2> REPRODUCE WITH: ./gradlew :x-pack:qa:openldap-tests:unitTest -Dtests.seed=A9B1920977D5FDA2 -Dtests.class=org.elasticsearch.xpack.security.authc.ldap.OpenLdapUserSearchSessionFactoryTests -Dtests.method="testUserSearchWithBindUserOpenLDAP" -Dtests.security.manager=true -Dtests.locale=el-CY -Dtests.timezone=Africa/Kampala -Dcompiler.java=11 -Druntime.java=8
FAILURE 1.45s J1 | OpenLdapUserSearchSessionFactoryTests.testUserSearchWithBindUserOpenLDAP <<< FAILURES!
   > Throwable #1: java.lang.AssertionError: unexpected warning headers expected null, but was:<[299 Elasticsearch-6.7.0-SNAPSHOT-faa5aca "SSL configuration [xpack.http.ssl] relies upon fallback to another configuration for [trust configuration], which is deprecated." "Thu, 17 Jan 2019 22:23:17 GMT"]>
   >    at __randomizedtesting.SeedInfo.seed([A9B1920977D5FDA2:66D5D5F4682AF1AC]:0)
   >    at org.elasticsearch.test.ESTestCase.ensureNoWarnings(ESTestCase.java:378)
   >    at org.elasticsearch.test.ESTestCase.after(ESTestCase.java:356)
   >    at java.lang.Thread.run(Thread.java:748)
  2> NOTE: leaving temporary files on disk at: /home/jake/workspace/elasticsearch/x-pack/qa/openldap-tests/build/testrun/unitTest/J1/temp/org.elasticsearch.xpack.security.authc.ldap.OpenLdapUserSearchSessionFactoryTests_A9B1920977D5FDA2-001
  2> NOTE: test params are: codec=Asserting(Lucene70): {}, docValues:{}, maxPointsInLeafNode=1631, maxMBSortInHeap=7.811575863060436, sim=RandomSimilarity(queryNorm=false): {}, locale=el-CY, timezone=Africa/Kampala
  2> NOTE: Linux 4.19.13-200.fc28.x86_64 amd64/Oracle Corporation 1.8.0_171 (64-bit)/cpus=8,threads=1,free=443516472,total=514850816
  2> NOTE: All tests run in this JVM: [OpenLdapUserSearchSessionFactoryTests]
Completed [1/3] on J1 in 3.44s, 1 test, 1 failure <<< FAILURES!

Master (this might be a local setup issue)

  2> REPRODUCE WITH: ./gradlew :x-pack:qa:openldap-tests:unitTest -Dtests.seed=9C31A8FBC6D9742 -Dtests.class=org.elasticsearch.xpack.security.authc.ldap.OpenLdapUserSearchSessionFactoryTests -Dtests.method="testUserSearchWithBindUserOpenLDAP" -Dtests.security.manager=true -Dtests.locale=en-IN -Dtests.timezone=Pacific/Pohnpei -Dcompiler.java=11 -Druntime.java=8
ERROR   0.89s J1 | OpenLdapUserSearchSessionFactoryTests.testUserSearchWithBindUserOpenLDAP <<< FAILURES!
   > Throwable #1: UncategorizedExecutionException[Failed execution]; nested: ExecutionException[LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to connect to server localhost:60636:  IOException(LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'localhost:60636' because an unexpected error was encountered during validation processing:  SSLPeerUnverifiedException(peer not authenticated), ldapSDKVersion=4.0.8, revision=28812'))')]; nested: LDAPException[An error occurred while attempting to connect to server localhost:60636:  IOException(LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'localhost:60636' because an unexpected error was encountered during validation processing:  SSLPeerUnverifiedException(peer not authenticated), ldapSDKVersion=4.0.8, revision=28812'))]; nested: IOException[LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'localhost:60636' because an unexpected error was encountered during validation processing:  SSLPeerUnverifiedException(peer not authenticated), ldapSDKVersion=4.0.8, revision=28812')]; nested: LDAPException[Unable to verify an attempt to to establish a secure connection to 'localhost:60636' because an unexpected error was encountered during validation processing:  SSLPeerUnverifiedException(peer not authenticated), ldapSDKVersion=4.0.8, revision=28812]; nested: SSLPeerUnverifiedException[peer not authenticated];
   >    at __randomizedtesting.SeedInfo.seed([9C31A8FBC6D9742:C6A75D72A3929B4C]:0)
   >    at org.elasticsearch.common.util.concurrent.FutureUtils.rethrowExecutionException(FutureUtils.java:101)
   >    at org.elasticsearch.common.util.concurrent.FutureUtils.get(FutureUtils.java:62)
   >    at org.elasticsearch.action.support.AdapterActionFuture.actionGet(AdapterActionFuture.java:34)
   >    at org.elasticsearch.xpack.security.authc.ldap.OpenLdapUserSearchSessionFactoryTests.session(OpenLdapUserSearchSessionFactoryTests.java:130)
   >    at org.elasticsearch.xpack.security.authc.ldap.OpenLdapUserSearchSessionFactoryTests.testUserSearchWithBindUserOpenLDAP(OpenLdapUserSearchSessionFactoryTests.java:105)
   >    at java.lang.Thread.run(Thread.java:748)
   > Caused by: java.util.concurrent.ExecutionException: LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to connect to server localhost:60636:  IOException(LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'localhost:60636' because an unexpected error was encountered during validation processing:  SSLPeerUnverifiedException(peer not authenticated), ldapSDKVersion=4.0.8, revision=28812'))')
   >    at org.elasticsearch.common.util.concurrent.BaseFuture$Sync.getValue(BaseFuture.java:266)
   >    at org.elasticsearch.common.util.concurrent.BaseFuture$Sync.get(BaseFuture.java:253)
   >    at org.elasticsearch.common.util.concurrent.BaseFuture.get(BaseFuture.java:87)
   >    at org.elasticsearch.common.util.concurrent.FutureUtils.get(FutureUtils.java:57)
   >    ... 40 more
   > Caused by: LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to connect to server localhost:60636:  IOException(LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'localhost:60636' because an unexpected error was encountered during validation processing:  SSLPeerUnverifiedException(peer not authenticated), ldapSDKVersion=4.0.8, revision=28812'))')
   >    at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:870)
   >    at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:760)
   >    at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:710)
   >    at com.unboundid.ldap.sdk.LDAPConnection.<init>(LDAPConnection.java:534)
   >    at com.unboundid.ldap.sdk.SingleServerSet.getConnection(SingleServerSet.java:307)
   >    at com.unboundid.ldap.sdk.FailoverServerSet.getConnection(FailoverServerSet.java:653)
   >    at com.unboundid.ldap.sdk.FailoverServerSet.getConnection(FailoverServerSet.java:567)
   >    at java.security.AccessController.doPrivileged(Native Method)
   >    at org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils.privilegedConnect(LdapUtils.java:74)
   >    at org.elasticsearch.xpack.security.authc.ldap.LdapUserSearchSessionFactory.getSessionWithoutPool(LdapUserSearchSessionFactory.java:112)
   >    at org.elasticsearch.xpack.security.authc.ldap.PoolingSessionFactory.session(PoolingSessionFactory.java:102)
   >    at org.elasticsearch.xpack.security.authc.ldap.OpenLdapUserSearchSessionFactoryTests.session(OpenLdapUserSearchSessionFactoryTests.java:129)
   >    ... 38 more
   > Caused by: java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'localhost:60636' because an unexpected error was encountered during validation processing:  SSLPeerUnverifiedException(peer not authenticated), ldapSDKVersion=4.0.8, revision=28812')
   >    at com.unboundid.ldap.sdk.LDAPConnectionInternals.<init>(LDAPConnectionInternals.java:178)
   >    at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:860)
   >    ... 49 more
   > Caused by: LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'localhost:60636' because an unexpected error was encountered during validation processing:  SSLPeerUnverifiedException(peer not authenticated), ldapSDKVersion=4.0.8, revision=28812')
   >    at com.unboundid.util.ssl.HostNameSSLSocketVerifier.verifySSLSocket(HostNameSSLSocketVerifier.java:146)
   >    at com.unboundid.ldap.sdk.LDAPConnectionInternals.<init>(LDAPConnectionInternals.java:166)
   >    ... 50 more
   > Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
   >    at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:440)
   >    at com.unboundid.util.ssl.HostNameSSLSocketVerifier.verifySSLSocket(HostNameSSLSocketVerifier.java:113)
   >    ... 51 more
  2> NOTE: leaving temporary files on disk at: /home/jake/workspace/elasticsearch/x-pack/qa/openldap-tests/build/testrun/unitTest/J1/temp/org.elasticsearch.xpack.security.authc.ldap.OpenLdapUserSearchSessionFactoryTests_9C31A8FBC6D9742-001
  2> NOTE: test params are: codec=Asserting(Lucene80): {}, docValues:{}, maxPointsInLeafNode=2025, maxMBSortInHeap=6.9218108535077105, sim=Asserting(org.apache.lucene.search.similarities.AssertingSimilarity@11da7e90), locale=en-IN, timezone=Pacific/Pohnpei
  2> NOTE: Linux 4.19.13-200.fc28.x86_64 amd64/Oracle Corporation 1.8.0_171 (64-bit)/cpus=8,threads=1,free=452836240,total=514850816
  2> NOTE: All tests run in this JVM: [OpenLdapUserSearchSessionFactoryTests]
Completed [1/3] on J1 in 2.74s, 1 test, 1 error <<< FAILURES!
@jakelandis jakelandis added >test-failure Triaged test failures from CI :Security/Security Security issues without another label labels Jan 17, 2019
@elasticmachine
Collaborator

Pinging @elastic/es-security

@jaymode jaymode self-assigned this Jan 18, 2019
jaymode added a commit that referenced this issue Jan 18, 2019
This change fixes the setup of the SSL configuration for the test
openldap realm. The configuration was missing the realm identifier so
the SSL settings being used were just the default JDK ones that do not
trust the certificate of the idp fixture.

See #37591
jaymode added a commit that referenced this issue Jan 18, 2019
This commit fixes the ssl configuration in the openldap tests to not
use the deprecated global configuration and instead properly define the
realm settings so that the session factory can retrieve the correct
ssl configuration.

See #37591
@jaymode
Member

jaymode commented Jan 18, 2019

The master issue was not a local setup issue but a real issue in the test, fixed by 642e45e. The 6.x issue has been fixed by a50cc56.

@jaymode jaymode closed this as completed Jan 18, 2019
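
The two failures in this issue share a test name but have different causes, which is easy to miss when triaging CI output. The following added example (not code from the issue or from the Elasticsearch project) separates them by parsing the failure output; the function names and hint texts are hypothetical, and the sample lines are abridged from the logs quoted above.

```python
import re

# Constructed samples: lines abridged from the two failures quoted in the issue.
LOG_6X = '''\
   > Throwable #1: java.lang.AssertionError: unexpected warning headers expected null, but was:<[299 Elasticsearch-6.7.0-SNAPSHOT-faa5aca "SSL configuration [xpack.http.ssl] relies upon fallback to another configuration for [trust configuration], which is deprecated." "Thu, 17 Jan 2019 22:23:17 GMT"]>
   >    at org.elasticsearch.test.ESTestCase.ensureNoWarnings(ESTestCase.java:378)
'''
LOG_MASTER = '''\
   > Throwable #1: UncategorizedExecutionException[Failed execution]; nested: SSLPeerUnverifiedException[peer not authenticated];
   > Caused by: java.io.IOException: LDAPException(resultCode=91 (connect error), ...)
   >    at com.unboundid.ldap.sdk.LDAPConnectionInternals.<init>(LDAPConnectionInternals.java:178)
   > Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
   >    at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:440)
'''

# Warning header layout seen in the 6.x log: 299 <agent> "<text>" "<date>"
WARNING_HEADER = re.compile(r'299 (\S+) "((?:[^"\\]|\\.)*)" "([^"]*)"')
CAUSED_BY = re.compile(r'^\s*>\s*Caused by: ([\w.$]+)(?::\s*)?(.*)$')
THROWABLE = re.compile(r'^\s*>\s*Throwable #\d+: ([\w.$]+)')

# Hints paraphrase the two fix commits referenced in the issue.
HINTS = {
    "deprecation-warning": "define SSL settings on the realm, not the deprecated global fallback",
    "tls-trust": "check the realm SSL settings carry the realm identifier; "
                 "otherwise the default JDK trust applies",
}

def root_cause(log):
    """Return (class, message) of the innermost 'Caused by', else of the Throwable."""
    cause = None
    for line in log.splitlines():
        m = CAUSED_BY.match(line)
        if m:
            cause = (m.group(1), m.group(2))  # later matches are deeper causes
    if cause is None:
        m = next((t for t in map(THROWABLE.match, log.splitlines()) if t), None)
        cause = (m.group(1), "") if m else ("unknown", "")
    return cause

def classify(log):
    """Label a failure as a leaked deprecation warning, a TLS trust failure, or other."""
    warn = WARNING_HEADER.search(log)
    if "ensureNoWarnings" in log and warn:
        kind, detail = "deprecation-warning", warn.group(2)
    else:
        cls, msg = root_cause(log)
        trust = cls.endswith("SSLPeerUnverifiedException")
        kind, detail = ("tls-trust", msg) if trust else ("other", f"{cls}: {msg}")
    return {"kind": kind, "detail": detail, "hint": HINTS.get(kind, "")}
```
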