From 35acb5364f1505c197af9f9f7e44e180f4d4ef5a Mon Sep 17 00:00:00 2001 
From: Tim Vernum Date: Fri, 29 Mar 2019 12:58:50 +1100 Subject: [PATCH 1/4] Support TLS on basic licenses - Always output "ssl" usage, even if security is not enabled - Adds a QA test for running on basic with TLS on transport and http --- .../security/SecurityFeatureSetUsage.java | 3 + x-pack/qa/security-tls-basic/build.gradle | 96 ++++++++++++++++++ ...WithBasicLicenseClientYamlTestSuiteIT.java | 60 +++++++++++ .../rest-api-spec/test/10_tls_basic.yml | 27 +++++ .../rest-api-spec/test/20_tls_trial.yml | 31 ++++++ .../src/test/resources/ssl/README.asciidoc | 48 +++++++++ .../src/test/resources/ssl/ca.crt | 20 ++++ .../src/test/resources/ssl/ca.key | 30 ++++++ .../src/test/resources/ssl/ca.p12 | Bin 0 -> 1130 bytes .../src/test/resources/ssl/http.crt | 22 ++++ .../src/test/resources/ssl/http.key | 30 ++++++ .../src/test/resources/ssl/transport.crt | 22 ++++ .../src/test/resources/ssl/transport.key | 30 ++++++ 13 files changed, 419 insertions(+) create mode 100644 x-pack/qa/security-tls-basic/build.gradle create mode 100644 x-pack/qa/security-tls-basic/src/test/java/org/elasticsearch/xpack/security/TlsWithBasicLicenseClientYamlTestSuiteIT.java create mode 100644 x-pack/qa/security-tls-basic/src/test/resources/rest-api-spec/test/10_tls_basic.yml create mode 100644 x-pack/qa/security-tls-basic/src/test/resources/rest-api-spec/test/20_tls_trial.yml create mode 100644 x-pack/qa/security-tls-basic/src/test/resources/ssl/README.asciidoc create mode 100644 x-pack/qa/security-tls-basic/src/test/resources/ssl/ca.crt create mode 100644 x-pack/qa/security-tls-basic/src/test/resources/ssl/ca.key create mode 100644 x-pack/qa/security-tls-basic/src/test/resources/ssl/ca.p12 create mode 100644 x-pack/qa/security-tls-basic/src/test/resources/ssl/http.crt create mode 100644 x-pack/qa/security-tls-basic/src/test/resources/ssl/http.key create mode 100644 x-pack/qa/security-tls-basic/src/test/resources/ssl/transport.crt create mode 100644 
x-pack/qa/security-tls-basic/src/test/resources/ssl/transport.key diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/SecurityFeatureSetUsage.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/SecurityFeatureSetUsage.java index a06eacefcf81f..d7e66ddb4d0d8 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/SecurityFeatureSetUsage.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/SecurityFeatureSetUsage.java @@ -107,6 +107,9 @@ protected void innerXContent(XContentBuilder builder, Params params) throws IOEx builder.field(AUDIT_XFIELD, auditUsage); builder.field(IP_FILTER_XFIELD, ipFilterUsage); builder.field(ANONYMOUS_XFIELD, anonymousUsage); + } else { + // On a trial or basic license, it is possible to have SSL enabled without security + builder.field(SSL_XFIELD, sslUsage); } } diff --git a/x-pack/qa/security-tls-basic/build.gradle b/x-pack/qa/security-tls-basic/build.gradle new file mode 100644 index 0000000000000..b2f84789ef22f --- /dev/null +++ b/x-pack/qa/security-tls-basic/build.gradle 
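Review bot: The new `else` branch writes `SSL_XFIELD` only on the not-enabled path, so the "always output ssl usage" intent from the commit message is split across two branches of a conditional whose head lies outside this hunk; if the `if` branch also writes `builder.field(SSL_XFIELD, sslUsage)`, hoist that single call above the conditional so the invariant is structural rather than duplicated. The comment `// On a trial or basic license, it is possible to have SSL enabled without security` would then sit on the hoisted line, where it explains the unconditional write. The enclosing `innerXContent` starts before this hunk, so I cannot confirm from here what the `if` branch emits.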
@@ -0,0 +1,96 @@ +import javax.net.ssl.HttpsURLConnection +import javax.net.ssl.KeyManager +import javax.net.ssl.SSLContext +import javax.net.ssl.TrustManagerFactory +import java.nio.charset.StandardCharsets +import java.security.KeyStore +import java.security.SecureRandom + +apply plugin: 'elasticsearch.standalone-rest-test' +apply plugin: 'elasticsearch.rest-test' + +dependencies { + // "org.elasticsearch.plugin:x-pack-core:${version}" doesn't work with idea because the testArtifacts are also here + testCompile project(path: xpackModule('core'), configuration: 'default') + testCompile project(path: xpackModule('security'), configuration: 'testArtifacts') + testCompile project(path: xpackModule('core'), configuration: 'testArtifacts') + testCompile project(path: ':modules:reindex') +} + +forbiddenPatterns { + exclude '**/*.key' + exclude '**/*.pem' + exclude '**/*.p12' + exclude '**/*.jks' +} + +File caFile = project.file('src/test/resources/ssl/ca.p12') + +integTestCluster { + numNodes=3 + + extraConfigFile 'http.key', project.projectDir.toPath().resolve('src/test/resources/ssl/http.key') + extraConfigFile 'http.crt', project.projectDir.toPath().resolve('src/test/resources/ssl/http.crt') + extraConfigFile 'transport.key', project.projectDir.toPath().resolve('src/test/resources/ssl/transport.key') + extraConfigFile 'transport.crt', project.projectDir.toPath().resolve('src/test/resources/ssl/transport.crt') + extraConfigFile 'ca.crt', project.projectDir.toPath().resolve('src/test/resources/ssl/ca.crt') + extraConfigFile 'ca.p12', caFile + + setting 'xpack.ilm.enabled', 'false' + setting 'xpack.ml.enabled', 'false' + setting 'xpack.license.self_generated.type', 'basic' + setting 'xpack.security.http.ssl.enabled', 'true' + setting 'xpack.security.http.ssl.certificate', 'http.crt' + setting 'xpack.security.http.ssl.key', 'http.key' + setting 'xpack.security.http.ssl.key_passphrase', 'http-password' + setting 'xpack.security.transport.ssl.enabled', 'true' + setting 
'xpack.security.transport.ssl.certificate', 'transport.crt' + setting 'xpack.security.transport.ssl.key', 'transport.key' + setting 'xpack.security.transport.ssl.key_passphrase', 'transport-password' + setting 'xpack.security.transport.ssl.certificate_authorities', 'ca.crt' + + waitCondition = { node, ant -> + // Load the CA PKCS#12 file as a truststore + KeyStore ks = KeyStore.getInstance("PKCS12"); + ks.load(caFile.newInputStream(), 'password'.toCharArray()); + TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); + tmf.init(ks); + + // Configre a SSL context for TLS1.2 using our CA trust manager + SSLContext sslContext = SSLContext.getInstance("TLSv1.2"); + sslContext.init(new KeyManager[0], tmf.getTrustManagers(), new SecureRandom()); + + // Check whether the cluster has started + URL url = new URL("https://${node.httpUri()}/_cluster/health?wait_for_nodes=${numNodes}&wait_for_status=yellow"); + for (int i = 20; i >= 0; i--) { + // we use custom wait logic here for HTTPS + HttpsURLConnection httpURLConnection = null; + try { + logger.info("Trying ${url}"); + httpURLConnection = (HttpsURLConnection) url.openConnection(); + httpURLConnection.setSSLSocketFactory(sslContext.getSocketFactory()); + httpURLConnection.setRequestMethod("GET"); + httpURLConnection.connect(); + if (httpURLConnection.getResponseCode() == 200) { + logger.info("Cluster has started"); + return true; + } else { + logger.debug("HTTP response was [{}]", httpURLConnection.getResponseCode()); + } + } catch (IOException e) { + if (i == 0) { + logger.error("Failed to call cluster health - " + e) + } + logger.debug("Call to [{}] threw an exception", url, e) + } finally { + if (httpURLConnection != null) { + httpURLConnection.disconnect(); + } + } + // did not start, so wait a bit before trying again + Thread.sleep(750L); + } + return false; + } +} + 
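Review bot: `ks.load(caFile.newInputStream(), 'password'.toCharArray())` in `waitCondition` opens a stream that is never closed; Groovy's `caFile.withInputStream { ks.load(it, 'password'.toCharArray()) }` closes it on every path (2/4 in this series replaces the loop, so this only affects the intermediate revision). The fixtures wired in by the `extraConfigFile` lines have a fixed lifetime — the README generates them with `--days=3500` and the validity field in the committed `ca.crt` appears to decode to a 2028-10-27 expiry — yet nothing beside the settings records it; add `// TLS fixtures under src/test/resources/ssl expire 2028-10-27 (see ssl/README.asciidoc) — regenerate before then` above the `extraConfigFile` block so the failure mode is documented before it bites. The `key_passphrase` values and the truststore password `password` are test-only secrets repeated here, in the README and in the Java test; a one-line comment stating they are deliberately public test fixtures saves the next secret-scanner triage from re-opening that question. The comment `// Configre a SSL context` should read `// Configure an SSL context`.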
diff --git a/x-pack/qa/security-tls-basic/src/test/java/org/elasticsearch/xpack/security/TlsWithBasicLicenseClientYamlTestSuiteIT.java b/x-pack/qa/security-tls-basic/src/test/java/org/elasticsearch/xpack/security/TlsWithBasicLicenseClientYamlTestSuiteIT.java new file mode 100644 index 0000000000000..f023ed9192401 --- /dev/null +++ b/x-pack/qa/security-tls-basic/src/test/java/org/elasticsearch/xpack/security/TlsWithBasicLicenseClientYamlTestSuiteIT.java 
@@ -0,0 +1,60 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ +package org.elasticsearch.xpack.security; + +import com.carrotsearch.randomizedtesting.annotations.Name; +import com.carrotsearch.randomizedtesting.annotations.ParametersFactory; +import org.elasticsearch.common.io.PathUtils; +import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.test.rest.yaml.ClientYamlTestCandidate; +import org.elasticsearch.test.rest.yaml.ESClientYamlSuiteTestCase; +import org.junit.AfterClass; +import org.junit.BeforeClass; + +import java.io.FileNotFoundException; +import java.net.URL; +import java.nio.file.Path; + +public class TlsWithBasicLicenseClientYamlTestSuiteIT extends ESClientYamlSuiteTestCase { + private static Path httpTrustStore; + + public TlsWithBasicLicenseClientYamlTestSuiteIT(@Name("yaml") ClientYamlTestCandidate testCandidate) { + super(testCandidate); + } + + @ParametersFactory + public static Iterable parameters() throws Exception { + return ESClientYamlSuiteTestCase.createParameters(); + } + + @BeforeClass + public static void findTrustStore( ) throws Exception { + final URL resource = TlsWithBasicLicenseClientYamlTestSuiteIT.class.getResource("/ssl/ca.p12"); + if (resource == null) { + throw new FileNotFoundException("Cannot find classpath resource /ssl/ca.p12"); + } + httpTrustStore = PathUtils.get(resource.toURI()); + } + + @AfterClass + public static void cleanupStatics() { + httpTrustStore = null; + } + + @Override + protected String getProtocol() { + return "https"; + } + + @Override + protected Settings restClientSettings() { + return Settings.builder() + .put(TRUSTSTORE_PATH , httpTrustStore) + .put(TRUSTSTORE_PASSWORD, "password") + .build(); + } +} + 
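Review bot: `public static Iterable parameters()` under `@ParametersFactory` uses the raw `Iterable` type; `createParameters()` presumably returns `Iterable<Object[]>`, so declare it as `public static Iterable<Object[]> parameters()` to keep the unchecked conversion out of the test. `findTrustStore` turns the classpath resource into a `Path` with `PathUtils.get(resource.toURI())`, which only works while `/ssl/ca.p12` is an on-disk file — a `jar:` URL would fail there — and the same pattern is carried into `TlsWithBasicLicenseIT` in 3/4 even though this file is deleted; a comment `// resource must be a plain file: the REST client needs a filesystem path for the truststore` above it would make the assumption explicit. The hard-coded `"password"` is the `ca.p12` store password from the README and is test-only, which is worth saying on the `TRUSTSTORE_PASSWORD` line.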
diff --git a/x-pack/qa/security-tls-basic/src/test/resources/rest-api-spec/test/10_tls_basic.yml b/x-pack/qa/security-tls-basic/src/test/resources/rest-api-spec/test/10_tls_basic.yml new file mode 100644 index 0000000000000..088351ea79511 --- /dev/null +++ b/x-pack/qa/security-tls-basic/src/test/resources/rest-api-spec/test/10_tls_basic.yml @@ -0,0 +1,27 @@ +setup: + - skip: + features: headers + +--- +"Check license": + - do: + license.get: {} + - match: { license.type: "basic" } + +--- +"Check SSL enabled": + - do: + xpack.usage: {} + - match: { security.ssl.http.enabled: true } + - match: { security.ssl.transport.enabled: true } + +--- +"Get certificates": + + - do: + ssl.certificates: {} + + - match: { 0.format: "PEM" } + - match: { 1.format: "PEM" } + - match: { 2.format: "PEM" } + - length: { $body: 3 } diff --git a/x-pack/qa/security-tls-basic/src/test/resources/rest-api-spec/test/20_tls_trial.yml b/x-pack/qa/security-tls-basic/src/test/resources/rest-api-spec/test/20_tls_trial.yml new file mode 100644 index 0000000000000..a59cadba9a232 --- /dev/null +++ b/x-pack/qa/security-tls-basic/src/test/resources/rest-api-spec/test/20_tls_trial.yml @@ -0,0 +1,31 @@ +setup: + - skip: + features: headers + + - do: + license.post_start_trial: + acknowledge: true + +--- +teardown: + - do: + license.post_start_basic: + acknowledge: true + +--- +"Check setup": + - do: + license.get: {} + - match: { license.type: "trial" } + + - do: + xpack.usage: {} + - match: { security.ssl.http.enabled: true } + - match: { security.ssl.transport.enabled: true } + + - do: + ssl.certificates: {} + - match: { 0.format: "PEM" } + - match: { 1.format: "PEM" } + - match: { 2.format: "PEM" } + - length: { $body: 3 } diff --git a/x-pack/qa/security-tls-basic/src/test/resources/ssl/README.asciidoc b/x-pack/qa/security-tls-basic/src/test/resources/ssl/README.asciidoc new file mode 100644 index 0000000000000..9ff94bf07869d --- /dev/null 
+++ b/x-pack/qa/security-tls-basic/src/test/resources/ssl/README.asciidoc 
@@ -0,0 +1,48 @@ += Keystore Details +This document details the steps used to create the certificate and keystore files in this directory. + +== Instructions on generating certificates +The certificates in this directory have been generated using elasticsearch-certutil (7.0.0 SNAPSHOT) + +[source,shell] +----------------------------------------------------------------------------------------------------------- +elasticsearch-certutil ca --pem --out=ca.zip --pass="ca-password" --days=3500 +unzip ca.zip +mv ca/ca.* ./ + +rm ca.zip +rmdir ca +----------------------------------------------------------------------------------------------------------- + +[source,shell] +----------------------------------------------------------------------------------------------------------- +elasticsearch-certutil cert --pem --name=http --out=http.zip --pass="http-password" --days=3500 \ + --ca-cert=ca.crt --ca-key=ca.key --ca-pass="ca-password" \ + --dns=localhost --dns=localhost.localdomain --dns=localhost4 --dns=localhost4.localdomain4 --dns=localhost6 --dns=localhost6.localdomain6 \ + --ip=127.0.0.1 --ip=0:0:0:0:0:0:0:1 + +unzip http.zip +mv http/http.* ./ + +rm http.zip +rmdir http +----------------------------------------------------------------------------------------------------------- + +[source,shell] +----------------------------------------------------------------------------------------------------------- +elasticsearch-certutil cert --pem --name=transport --out=transport.zip --pass="transport-password" --days=3500 \ + --ca-cert=ca.crt --ca-key=ca.key --ca-pass="ca-password" \ + --dns=localhost --dns=localhost.localdomain --dns=localhost4 --dns=localhost4.localdomain4 --dns=localhost6 --dns=localhost6.localdomain6 \ + --ip=127.0.0.1 --ip=0:0:0:0:0:0:0:1 + +unzip transport.zip +mv transport/transport.* ./ + +rm transport.zip +rmdir transport +----------------------------------------------------------------------------------------------------------- + +[source,shell] 
+----------------------------------------------------------------------------------------------------------- +keytool -importcert -file ca.crt -keystore ca.p12 -storetype PKCS12 -storepass "password" -alias ca +----------------------------------------------------------------------------------------------------------- diff --git a/x-pack/qa/security-tls-basic/src/test/resources/ssl/ca.crt b/x-pack/qa/security-tls-basic/src/test/resources/ssl/ca.crt new file mode 100644 index 0000000000000..5bcb6f77bc21b --- /dev/null +++ b/x-pack/qa/security-tls-basic/src/test/resources/ssl/ca.crt @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDSTCCAjGgAwIBAgIUNsCMQBpQB3zJAC1iERdc7yADVw0wDQYJKoZIhvcNAQEL +BQAwNDEyMDAGA1UEAxMpRWxhc3RpYyBDZXJ0aWZpY2F0ZSBUb29sIEF1dG9nZW5l +cmF0ZWQgQ0EwHhcNMTkwMzI5MDUxMjEyWhcNMjgxMDI3MDUxMjEyWjA0MTIwMAYD +VQQDEylFbGFzdGljIENlcnRpZmljYXRlIFRvb2wgQXV0b2dlbmVyYXRlZCBDQTCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMJL4SrJJsQpKFuHsNnWwzM9 +2Cnmsc7WzGEskV0ncSUloMxUZaZ8CJ2iuubN6KPe75ke8SS9vlNG3MEWRBVSPY4H +EJNcyiiI1w9c/yom6Kfvep1RvvRHlp+k/bDPzzuj4B8Dyg66TVYKRm+9uRWAUvZr +djhFB3cawbM1jD9ZaBLM4Qbdg0AlMqXWpkLPVtkD8lREPkAIhYxKx7TYqB1SbMg5 +ejfoRGF5qfl4luegWRlQKkOBCcJPZamcccNjDq9eXQm3vrp0/QEp0ODG14wU3B9R +G+2/yhh5KP3WWK/uksAmEv8YzG7UaCLNJRk/FuPz8uoSGLPM1e+2HWXsR9OnlF8C +AwEAAaNTMFEwHQYDVR0OBBYEFL+GbWzP3nPfx+OqvW5CYCqHN8ZlMB8GA1UdIwQY +MBaAFL+GbWzP3nPfx+OqvW5CYCqHN8ZlMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI +hvcNAQELBQADggEBAHZeLZ7yCvqQOJbQ3yoixYLVR33dSx/T/W5WQQGYcQ7TUZ4N +gXkV9kGD+9I/8NWgkttx4TTieWctyNPrhAqqWGuGvhCQ+WL8m67EPRiVdw7EY+61 +qlUbAdK39adDqbDeUI07dzd+wKlhwnHtd2dTcJEGluwLaU4ftuLA8DQNwzWxZVAW +EWzfTUgdc1SYTysE5C0d1Q9CbI+o0Na+CaW4DRqGh1OGyH7Fyck9WQp1nOAEQhD9 +sn4FOC4w+T92t/Ekpfcm5HHkYjGWK1EsCkRCj1m8QtyqBgByeXHCidH2pfKIuVdl +ZnaOfIkCQx49gLARjzzGp/OC/UfKVCWzpLHn7dY= +-----END CERTIFICATE----- 
diff --git a/x-pack/qa/security-tls-basic/src/test/resources/ssl/ca.key b/x-pack/qa/security-tls-basic/src/test/resources/ssl/ca.key new file mode 100644 index 0000000000000..418d3ed062185 --- /dev/null +++ b/x-pack/qa/security-tls-basic/src/test/resources/ssl/ca.key 
@@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: DES-EDE3-CBC,67376A5606FB27E9 + +v4OAjurrB7Tc2mVswSeaaYAiFomvSQmre8DlC5VNvavzT6Hlx5hIyEVIttcNeTeD +Hj4d+JOp5OO5Ew5cWgo0jtR2QIjGbrQe8t8oedJwhEiYC0IfX0rItJv1iaz4WO+8 +hz4J1lwAI9wFabmXIeHx0q3ZqqIfSOoAepO8W2SqIj0KSz3tKRoYaX7AzZ27muLN +K2Mej1EX/ftgZZNgfU62gJzGGsdQecLc+UZBDVTPZL3PLZmQV0r1sBXaq56Qk78t +DsUyYwA4zvPBIPkfydTxobylt1pSeZ7Yyni+iQk4X7T4jj3Q6wKrwjPNJ6p8Xcwn +4BN37DIYPPBEp56EUCbxl+iMkfRoCjZdaqhycw4LjKB0wloY2Zko6FaYTd0qPZ/m +2GM8MvIQ9bc4t9Bef2VAXhb8IUXJ+ro+sB7vlQRSLQ1JwHPAPiIFyRmilezAaupA +2DNLBIlmgMzh5Lh6vIcyHQVxsCoJesmVQCyyBy4lFPU9afcYLWjzgnBhW2SikTpW +/lC3VDloUjIYfC3qYhbHIomsUMCGk3xHIwLw1cNFnf7c/RX1q5bBZrJ8q6GVh/Rb +ulHcuCm5g/Jvt8TM8c2WIE5mzwkoFIe/XVY33Lyk237qCsPlVWwFpxa0UtWVpDnk +uuubgI0cb+zehN2f5sgHtdbphNNTflZyW+Uk0lCbYGNakXBILePFmURsThW3gQ44 +g+zPaiGkbB1qwE/TS3Vz17j8DkgWRsEJP7IBsZ/ljaUcs3zujH6EKN9YtwyIeoHo +VHBuF4RGew2Ps0NoLGYanpvu01ZUUr2C0ZbDjXLBy8ajOc5zgyMCBead19T+piFw +iGvA8D7eILz1xzbAcX7dry06Mc9o/CbFcRMIis3LVvdSuZDoRk/cv0mKo6rq/1MS +VeYgPjJ8QWuhulIYkmNipTRdzMsXEafEdsp+GruKnNri0u/lirfhYAXDGp2GAttJ +zKnbPkHSJRt1xWgtimU+CnnpEOp+qd2yFNgT/Nn2yjrsPqLqTkEdzbh2DoCYGPHe +HoAcs+MePKfqBh+W2MEJ/ZdDVz93lKoDTuk2cjaVVe+7YBdHW0gQzfW5ArscadUV ++mSzhUm9AIhM/Gk6t7rgVoWyO6PvkTgENKFmUUQkHnJWaaDIzji2xFR114Huw5rN +gHPn8HOKPIhVu1UV2N/MFLrjjvn8bft/vLkSxZ3c7AgYkPr8Mmd0b8ufTOlk5a+W +hkR4D7WZ7Hgkj1NIvRbjxCXTHFbHZqKJHeTTNCpCUygIH5g8h7RGVPS0XKylpbr1 +2kZU/AwlPcAPba+UcTKXOvy02NmiV5Bg6qYc8rcxv6aXKPOrxeW3Iop/ZesF7Nnu +ccR+rI78cQIGD1gAo3xLJ10/p0Rb9R/pWfHUY499Oymc926qWaj3mEl+xOJXxWOr +3Uf4yMg8mrfcm3JW7clWy3l+/++CSWBS/zqUpXKy5CbVdR8XQNS5Pg0fDgwkrcbv +7TviQ+vYD7aEI0w6mviljPkYVTXNpnRHyF7VfaEYff8032GxW99D3zeK7dd6yP4k +W/oN5IwXCvnfrteNtqSOIPOWw9gAp4x4EzmCin77s8SgMHOGsPcEhA== +-----END RSA PRIVATE KEY----- 
diff --git a/x-pack/qa/security-tls-basic/src/test/resources/ssl/ca.p12 b/x-pack/qa/security-tls-basic/src/test/resources/ssl/ca.p12 new file mode 100644 index 0000000000000000000000000000000000000000..e2db32e6ddc6c72d880498b90ff013a7ba161e87 GIT binary patch literal 1130 zcmV-w1eN*I72$WOzc@hNe7A0TQVdp3JAHdg+%0fb zTOXL8HC=_-tt9^IyD%ZeZW>hDEWaSh#OJqCr(j++XMymifEyCb>+af_r%9zIDj47# zDs)&&SUeKiQtVZnN@O1>XwmXR5ozv)ifHztRSgQ4*`<9F{!<71IkINM3ySBh<94+-6|q)X5#R zyrraOKG;aTCw5nwCvI-Ns0Je{Y*;6dfXDomf`OLYy_ae0d&Qrf$O<+-|8|Gv%TEvo z!oNL~h7zL7GyuvleOb5H*gtIqiG6L}Ps^|y&4$`G%YR5#Cv___pW z!A*EAVIxynAXXkfi@+^|4*^}$08w8tO1k%XibDw=dR3e_g)cMmr?@T~S5rK`x#f%wP@?W|Tj~v&zE-UXfeC$3vWL)3BlaRFc zKsL|s%tjSpqkTxE{%<4)g*A}{EpZcRO-vl}-EqhiO|6xA)$W9w&6f4g>RG18UjVri zSk;0l!zz!g?l=?QXp&FtkF*U~tt`h_%Q%#&(>kcKHnwxP9|+Sn<_#8kfxlwHBo1{% z_!F}`72g9YmbCZi#t1qQSYUd34bE8S%gZ?(#3Wzj_bPUhRus;Tg|Nz&+jS`29T~6% zQ0pqoV4a=hxH|~V(Pr`HjSwFoQ+L3II+aT}-`;r-@RYDUSW9>}HIb{Bx_-r^E3s94 z8x6#4Dce{~j6?61)^dwXTiXXRw^9I1MA}~HMAutIB1uG5%0vZJX1Qg>! w+3XFqnR3Uul@d>-^q=QkBku$h+2FsgP^>d~P>Cin8NTb@)y9P`0s{etpq_jdPXGV_ literal 0 HcmV?d00001 diff --git a/x-pack/qa/security-tls-basic/src/test/resources/ssl/http.crt b/x-pack/qa/security-tls-basic/src/test/resources/ssl/http.crt new file mode 100644 index 0000000000000..cd0dcb680c2ae --- /dev/null +++ b/x-pack/qa/security-tls-basic/src/test/resources/ssl/http.crt 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDszCCApugAwIBAgIVAJX8GTm+AWIicokE5npzZ2B3qad3MA0GCSqGSIb3DQEB +CwUAMDQxMjAwBgNVBAMTKUVsYXN0aWMgQ2VydGlmaWNhdGUgVG9vbCBBdXRvZ2Vu +ZXJhdGVkIENBMB4XDTE5MDMyOTA1MTIyNVoXDTI4MTAyNzA1MTIyNVowDzENMAsG +A1UEAxMEaHR0cDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMGvsPmg +4lKfd1ie6TZQLdCxfXy6MooLHac1wUxyvHcUxlbuSchj+A2gVPBk6VaCV8OO4X7T +MslTJKw5877m28Xzw+CmUgDsXAJJy2IvM8X0IP/xktkJQ3uSUReSW2650TFj9Zcm +Z3AtMblo+cNnZMNWJBW1G1QMHHKMY5kukaB7Ia6CBec60k2HrkS6xmsMgwQPBa/k +VlbHkI7RzbmxohVJFHL34EFhifEL0qkYU5MnZ8PjH8U749VoZOYcY1MKb2sw9iYn +JTOv1gIFhd4Sw37occxDVaqZU/1X90ijZyvB/AugxRfmpLb83ZRMdVeQTiiXqMkg +1g94h7hgPpLA9AkCAwEAAaOB4DCB3TAdBgNVHQ4EFgQUc/bPDUIvgLwg9xwf9CxP +ec84o1YwHwYDVR0jBBgwFoAUv4ZtbM/ec9/H46q9bkJgKoc3xmUwgY8GA1UdEQSB +hzCBhIIJbG9jYWxob3N0ghdsb2NhbGhvc3Q2LmxvY2FsZG9tYWluNocEfwAAAYcQ +AAAAAAAAAAAAAAAAAAAAAYIKbG9jYWxob3N0NIIKbG9jYWxob3N0NoIVbG9jYWxo +b3N0LmxvY2FsZG9tYWlughdsb2NhbGhvc3Q0LmxvY2FsZG9tYWluNDAJBgNVHRME +AjAAMA0GCSqGSIb3DQEBCwUAA4IBAQAJW7WWQkuNjDlQQ5H6bhMr2LhbC9TZWgFK +zWsIWuhd1QxiWbTp/Yegcbqs3hZ9MQtxU4egml/sMAdZSF3Kg3NeYtrHDj//oKYo +VSfTPNjQLG1/ckCM0RDfFYOV+Sb3ktau5QZGL+5ZDfcfPLSHCSHeP0tft2R03Hp4 +pOX8/xAVmv0hxE74X5qodQyNFdDa6rtRZESLzY1b+oaEhKM49MZCNZL9TvvNUkWC +hXdaVehqBVJkrlsnli6oqPBjpKNP2YkRG3eqy/Qd/sg6rwJqu/B0KBI8QBDkokSY +YORRviEmSe0+hmcBCTYZWN8WX3BrEPuGdBJXWi5G8GPGFg4rrOUE +-----END CERTIFICATE----- diff --git a/x-pack/qa/security-tls-basic/src/test/resources/ssl/http.key b/x-pack/qa/security-tls-basic/src/test/resources/ssl/http.key new file mode 100644 index 0000000000000..3b7571db54319 --- /dev/null +++ b/x-pack/qa/security-tls-basic/src/test/resources/ssl/http.key 
@@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: DES-EDE3-CBC,A46C453D20DC86A7 + +eFBKmjJUmailcnfc1+a6lwR8G7sk4ff1De5hIYY8iNkpP6XVxZ/LrXttVF1x1SWy +YaUJL35Optzy4W+LglJgAdNo9XGaCsHuSi3z7aqYNdihSldKxDw3iIJEEuB63Lv7 +eu4pEYdOlRElEs71cmjMCSmg1pfeDRruShB9RUKy3Iw8tM6tV+t+vIaiVftb3i9O +AaTEUgAJqQjcISWy5JAxRwEwVDAhHe23vbVomxXlJKuTroezPFt5SxXQmdfNmP7B +D8iZR/Uf+7XdCFKC/7n6enYZfg5/IoaOO9sPG4bueFKmLAdXpmN1hKvJwIG1qKQT +Fz7x8FGi0S11BHDZMs5kJHBaiuXmq02mozb5XOFllQYl8+fsa4lscIFeQ/YbAjVo +g5nEVbqRUCSLy6F6JSX6SJB4ng/JMHzKLfhAUSpvotBxZbJ4IpNu06oCKjggiIoR +9z2YE6gR1pBJSyCDS8fJXtyLWN/WBdbvf1fw3t7utPFT606TYFOvt2KrSndcrTwb +EByWHJufxv8J+anrnnNM11RMTqhpi4MeXsaaA7jUCzh5QzxnT8imOyNDF8OVxEKk +Y9W9ToUchHojIJZGJhB2I1ndCUQaJF+OhLrjy2Zk/Imx3wBf3huyWAA8GNVQ04DD +mhDxWdZ30lJgxJH4xgk4l3nWBNAQ+X04lIyRi83tD/E9plX3EX2sWzBBHCSybh0C +bNHAQVMVaxEMTcCumk/USiuRcm4BL0495o4/debn9EExs95dw6pAhJoHZ8kc71GP +YOYNuQvz0Ljbu4ZO1/OgmNDtFuNV83GlDa6yUme/Di0SqmLzxUwPJIZ9I2dNtgLf +2emoUA9PSUl02Hcm5WN7AtmL/Pxz1joR/gKeNAII97PS9WFdqRS0ypwiiwp15mBU +LilEGB4V3laVJFw6sLFwPjWUYZCEhzSdAMnHfxrIZuhpfSi2W39w8Frqwx0JOUoX +HmogsyM/xqn9VelVNbWUP06IwJkcocWM1rzv3nkZOsKb5EhGOk1qrA/BKyajcazX +49x4wpIpJoz4tgStrlgxGZ0DeMT8PIrZGbZDhQ78MxnQe376CiXIOKtrZVOp6uoo +uDtYg9OiZZ2GDoSIgjAStpYbF4rkJI+3kyhR4oD8KfsC/rTG16hNCRnTIIiUECyU +1jWBLmqYWuMTiekb4asB6cWlQYwUUtSBt6ySB+zU+Cl0Wi3u+kXrsMthFnJE0GWB +EOCmHsvMqD+u0uArpJHpE0o9L3ePEkiDssU2MJdOLpb0AKW/uqAA/14a4JAr/y9Z +v+pUPDbjeoIXRNqzXkWEdHKZOnEGAE5QBLzScJqWU0YY7WP1+xpyoYapM37v9V/J +viNJW+gxvW9yZdxKzGm9P/UIjtndx2QnAa7mPgXOej/AMqpl+IkIJmvi13IEQTH2 +NuBghACrRp7YuffEroEs3P7fgCoiMHvabCiXkLhWoZqgVuiy72GuSwKEPK8bF30U +8u7lencUvnIRU9jL0kDaQL0kESw0f3dgE+ltQbgew5/rmqMgKpmDDoouLJf95wi2 +rvPGRb4QXpBO8V4/8VMPPJKT55ZDygjN45z1gwCZ2tbYtnKUOH82drx1TB2bvrso +-----END RSA PRIVATE KEY----- 
diff --git a/x-pack/qa/security-tls-basic/src/test/resources/ssl/transport.crt b/x-pack/qa/security-tls-basic/src/test/resources/ssl/transport.crt new file mode 100644 index 0000000000000..93121ed8b15ca --- /dev/null +++ b/x-pack/qa/security-tls-basic/src/test/resources/ssl/transport.crt @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDtzCCAp+gAwIBAgIUe2Oa37SVQ5G1SpWiRS+abpjuNPMwDQYJKoZIhvcNAQEL +BQAwNDEyMDAGA1UEAxMpRWxhc3RpYyBDZXJ0aWZpY2F0ZSBUb29sIEF1dG9nZW5l +cmF0ZWQgQ0EwHhcNMTkwMzI5MDUxMjM1WhcNMjgxMDI3MDUxMjM1WjAUMRIwEAYD +VQQDEwl0cmFuc3BvcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCN +v6vW4Bwj0eku+Ivm6d+HQwzfLqAdnM8tHAgC4qMDk7a/X5ckTesTk2VOmX775zkT +SJex5uGuEuyTgZVEXQhkpZUXURGhnQ8/exxg2m3cwTin+o1XN5xCo6FUfU2IqQrf +1Xd7RKfXv/YCUlS2xzQVnFRYAYpMMzTtUloc37PWz7TYA/ei7p06BCKLGR785ipF +MWq0S+QVmldOlp1vhZrD+KpgxFdo0Gd+e0loLO6321sXBEksy4K/5FaknDT9Fc/f +NUVmLaiRPi2nW6nIBjYyoVhIPztkVdxfj7jNdJCvshnEY29Hhd7ra9njLbyxzK2d +ACpyf54TCNU0j5qRcqe7AgMBAAGjgeAwgd0wHQYDVR0OBBYEFDSaYLY3KEm7L3jF +iW7CwCdoqcZjMB8GA1UdIwQYMBaAFL+GbWzP3nPfx+OqvW5CYCqHN8ZlMIGPBgNV +HREEgYcwgYSCCWxvY2FsaG9zdIIXbG9jYWxob3N0Ni5sb2NhbGRvbWFpbjaHBH8A +AAGHEAAAAAAAAAAAAAAAAAAAAAGCCmxvY2FsaG9zdDSCCmxvY2FsaG9zdDaCFWxv +Y2FsaG9zdC5sb2NhbGRvbWFpboIXbG9jYWxob3N0NC5sb2NhbGRvbWFpbjQwCQYD +VR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAa3T5oaPucZRx5JFxqkSTaIpcptvw +iiZLpaEooX0QVMy+PkmnzNh/xaN5qWWzKFV4ihSURtgH7gbPjBF7/pTqqO8Ekshp +36I6WTuhvps4nR4iCKaMFfyCBDKBvtTIySxE2kZJlyvgAqdB3bww79FfZt+ftxEt +E1m5nFDWCxaATY0foYpRUAJTPfmnFWDZfP4ZglSWmNSfQAdsQfwMlu09jXWXw7Yx +Cd39f9KW1aQT4RstHNWuQwgskv0vuTo2r0r+1YWTNCFQVuA8OD620CmJs85zGOnj +5L0YyLK1KvvuARfjr/skpze7F1Leir9+NiaJjXA+xfnkoGniJ2AUvPC8xg== +-----END CERTIFICATE----- diff --git a/x-pack/qa/security-tls-basic/src/test/resources/ssl/transport.key b/x-pack/qa/security-tls-basic/src/test/resources/ssl/transport.key new file mode 100644 index 0000000000000..eace4a2085989 --- /dev/null +++ b/x-pack/qa/security-tls-basic/src/test/resources/ssl/transport.key 
@@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: DES-EDE3-CBC,EAC448D0A9AC0BE9 + +OnQAA8FLp6KDtp+AivEZB+TmTgAZ7oExMFLPL4o64i5onxLlJ15jG4MJ/YEyRZRa +T+KJLfO5BSW7EhgPQrR6UQ2yQtKGEwqq0nboIqEnEnpJQzzas2/d9rGIQFd4+519 +GNzstFVz8bn2+Z6xN0YS8/lVPUF6sxbt1DGy/BlSpUze63WNw5vxO4zmOu+8lzvT +ZkK8VGbeqv9j0YF/57NeTQ+b473f1cyGexpv7wsJD+62cmie9Z0iNoqkrV3yjNBk +gqoxWe8I42rKsNJiL/H0tyLMfICaVJs2urQjs9GHJGS/uy+MlzJCaEG5LlcTCXq3 +0d0e+OCWzHzzcQiLlzg0W/iCbMEpMvZcWlTaATRLcY96QKHMku9xaPLuO5BvL/XF +HLP0xHsc3no0HqX9/BRZFNdtc+7u3An46UEDmyjNZRkDSmhC/vVa6/+5pnp2eU2N +b88/cTmGYDdGoImcp9nIhBnyMqNmSeuho3g+w5oa03HyjlEQ5MS5VXHOnzzbH8lr +fTxVx/PPb3Ui8bs2X93JNm6atL8Yn75QkyX7iYypuzzhgq3wKETHpV4VJ2XtfbK8 +HAvMIc+IOWDA3ZYqIgkA8yn3RzVB+mTf/px0aWR53Ie90uLXsF8y2F7nuScnVDqG +9ul03RSPfeO+bUnyl5JsPnRN/0i/Ge1/SvX+j4L3ir65NEvrC2BPEfzTFXh6KMs4 +VF1USmWPAgfg7FjJjUvi/7/2+YOswFTuMdun9plV3heJ9AyCyYrPJuP7iXeF+L1Z +nsGfD4ZaZJ81zXW1VqTTSBdyreK+t9YjGVL7hEUhv6k/SOlyhcvaYubB7f3aTegU +IN+2T3hFCnBNgvqHKtAJ1FBgzatavJOk4Oo0aDKThwCrxp9MdxPRBOMrBnRHsdtN +6/u7hHObFNIIBoxdSMMdF4NZXkYSMYCM2dq+FvEzDCJ6krHxq1W71j109F+Ow0B7 +Je4jXboH3rrvnh9HtowYWFufB6GPTCmV822iC1u6DGwNTLPunMMLhASSENNR3Lk0 +xtfVAjcKA8/Xo7Is62OOa2ud2Z4Zjl2OdANZ7lgZScprfiHI6LrHAw9tPGcn9xJ2 +8dtQILCSkoHKRWlR41e9Xx+jRhOXl3GKWqFKAtH3jGQu5kH+IgN5IeUIerbKe0Yn +vk+2QqLQssnQPkQDGketuSMx/+vCbvQscmfA+bfNB+UIbwsjmyQk5W+mxz3pncvG +KCat5pCspfdj0oVHl+WEoAR3raXFwcZAWm57HtCm3kfPTSImDLT6c+sCriY48vDN +YhC3DtzKwVfmw44q/hs0QzgWmt6p22ZwNMTnVxvQSJeFfLV/nEwxtmM/WFXoyDqF +UoR/T2p+ngRyysCtmYhf6Qnq2J6CZum7MUvIVtSL7c+eazXbVTTHbLFNrcX/Zitl +Bf03Rz7ZJGSlqczdhi5gTSIC4dD9hLWbQlw3OcH45UiGw5tcBaAd86FxarPqE2/Z +NQSp88Q9peJfTxcY9QyQhDDUqyfMDoNMRRVfEMP5qNicH3Y5jkKiCJwGbqIC238/ +38wcJnIrkwMk2tttgq1Lr1QfWplOHxe51zJ7zXjnigMkt/AodqjjNQ== +-----END RSA PRIVATE KEY----- From e9959924c69aff367218513726f695060b5b6072 Mon Sep 17 00:00:00 2001 
From: Tim Vernum Date: Mon, 1 Apr 2019 13:16:50 +1100 Subject: [PATCH 2/4] Switch to new "wait-for-resource" over SSL --- x-pack/qa/security-tls-basic/build.gradle | 59 +++-------------------- 1 file changed, 7 insertions(+), 52 deletions(-) diff --git a/x-pack/qa/security-tls-basic/build.gradle b/x-pack/qa/security-tls-basic/build.gradle index b2f84789ef22f..c8b3871c61c6e 100644 --- a/x-pack/qa/security-tls-basic/build.gradle +++ b/x-pack/qa/security-tls-basic/build.gradle @@ -1,10 +1,4 @@ -import javax.net.ssl.HttpsURLConnection -import javax.net.ssl.KeyManager -import javax.net.ssl.SSLContext -import javax.net.ssl.TrustManagerFactory -import java.nio.charset.StandardCharsets -import java.security.KeyStore -import java.security.SecureRandom +import org.elasticsearch.gradle.http.WaitForHttpResource apply plugin: 'elasticsearch.standalone-rest-test' apply plugin: 'elasticsearch.rest-test' @@ -24,17 +18,16 @@ forbiddenPatterns { exclude '**/*.jks' } -File caFile = project.file('src/test/resources/ssl/ca.p12') +File caFile = project.file('src/test/resources/ssl/ca.crt') integTestCluster { - numNodes=3 + numNodes=2 extraConfigFile 'http.key', project.projectDir.toPath().resolve('src/test/resources/ssl/http.key') extraConfigFile 'http.crt', project.projectDir.toPath().resolve('src/test/resources/ssl/http.crt') extraConfigFile 'transport.key', project.projectDir.toPath().resolve('src/test/resources/ssl/transport.key') extraConfigFile 'transport.crt', project.projectDir.toPath().resolve('src/test/resources/ssl/transport.crt') - extraConfigFile 'ca.crt', project.projectDir.toPath().resolve('src/test/resources/ssl/ca.crt') - extraConfigFile 'ca.p12', caFile + extraConfigFile 'ca.crt', caFile setting 'xpack.ilm.enabled', 'false' setting 'xpack.ml.enabled', 'false' 
@@ -50,47 +43,9 @@ integTestCluster { setting 'xpack.security.transport.ssl.certificate_authorities', 'ca.crt' waitCondition = { node, ant -> - // Load the CA PKCS#12 file as a truststore - KeyStore ks = KeyStore.getInstance("PKCS12"); - ks.load(caFile.newInputStream(), 'password'.toCharArray()); - TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); - tmf.init(ks); - - // Configre a SSL context for TLS1.2 using our CA trust manager - SSLContext sslContext = SSLContext.getInstance("TLSv1.2"); - sslContext.init(new KeyManager[0], tmf.getTrustManagers(), new SecureRandom()); - - // Check whether the cluster has started - URL url = new URL("https://${node.httpUri()}/_cluster/health?wait_for_nodes=${numNodes}&wait_for_status=yellow"); - for (int i = 20; i >= 0; i--) { - // we use custom wait logic here for HTTPS - HttpsURLConnection httpURLConnection = null; - try { - logger.info("Trying ${url}"); - httpURLConnection = (HttpsURLConnection) url.openConnection(); - httpURLConnection.setSSLSocketFactory(sslContext.getSocketFactory()); - httpURLConnection.setRequestMethod("GET"); - httpURLConnection.connect(); - if (httpURLConnection.getResponseCode() == 200) { - logger.info("Cluster has started"); - return true; - } else { - logger.debug("HTTP response was [{}]", httpURLConnection.getResponseCode()); - } - } catch (IOException e) { - if (i == 0) { - logger.error("Failed to call cluster health - " + e) - } - logger.debug("Call to [{}] threw an exception", url, e) - } finally { - if (httpURLConnection != null) { - httpURLConnection.disconnect(); - } - } - // did not start, so wait a bit before trying again - Thread.sleep(750L); - } - return false; + WaitForHttpResource http = new WaitForHttpResource("https", node.httpUri(), numNodes) + http.setCertificateAuthorities(caFile) + return http.wait(5000) } } From ce6e16f74f93214ec71b95ffe57ac61dc9b754f6 Mon Sep 17 00:00:00 2001 
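Review bot: `http.wait(5000)` hands `WaitForHttpResource` a bare number whose unit and meaning are not visible in this hunk; the loop it replaces budgeted roughly 21 × 750 ms (about 15 s) and explicitly asked for `wait_for_nodes=${numNodes}&wait_for_status=yellow`. If the argument is milliseconds this cuts the start-up budget to a third on a two-node TLS cluster, so name it — `final int startupTimeoutMillis = 5000` — and confirm that `WaitForHttpResource` applies the same node-count and status condition rather than accepting any 200. The `ant` parameter of the closure is now unused and could be dropped. `caFile` now points at `ca.crt`, so `setCertificateAuthorities` is fed PEM rather than the PKCS#12 the old code loaded; a short comment on that line would stop a reader from reintroducing the `ca.p12` copy.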
From: Tim Vernum Date: Thu, 4 Apr 2019 16:42:56 +1100 Subject: [PATCH 3/4] Switch to java test in security/qa --- x-pack/plugin/security/build.gradle | 10 ++ x-pack/plugin/security/qa/build.gradle | 18 +++ .../security/qa/tls-basic}/build.gradle | 0 .../xpack/security/TlsWithBasicLicenseIT.java | 122 ++++++++++++++++++ .../src/test/resources/ssl/README.asciidoc | 0 .../tls-basic}/src/test/resources/ssl/ca.crt | 0 .../tls-basic}/src/test/resources/ssl/ca.key | 0 .../tls-basic}/src/test/resources/ssl/ca.p12 | Bin .../src/test/resources/ssl/http.crt | 0 .../src/test/resources/ssl/http.key | 0 .../src/test/resources/ssl/transport.crt | 0 .../src/test/resources/ssl/transport.key | 0 ...WithBasicLicenseClientYamlTestSuiteIT.java | 60 --------- .../rest-api-spec/test/10_tls_basic.yml | 27 ---- .../rest-api-spec/test/20_tls_trial.yml | 31 ----- 15 files changed, 150 insertions(+), 118 deletions(-) create mode 100644 x-pack/plugin/security/qa/build.gradle rename x-pack/{qa/security-tls-basic => plugin/security/qa/tls-basic}/build.gradle (100%) create mode 100644 x-pack/plugin/security/qa/tls-basic/src/test/java/org/elasticsearch/xpack/security/TlsWithBasicLicenseIT.java rename x-pack/{qa/security-tls-basic => plugin/security/qa/tls-basic}/src/test/resources/ssl/README.asciidoc (100%) rename x-pack/{qa/security-tls-basic => plugin/security/qa/tls-basic}/src/test/resources/ssl/ca.crt (100%) rename x-pack/{qa/security-tls-basic => plugin/security/qa/tls-basic}/src/test/resources/ssl/ca.key (100%) rename x-pack/{qa/security-tls-basic => plugin/security/qa/tls-basic}/src/test/resources/ssl/ca.p12 (100%) rename x-pack/{qa/security-tls-basic => plugin/security/qa/tls-basic}/src/test/resources/ssl/http.crt (100%) rename x-pack/{qa/security-tls-basic => plugin/security/qa/tls-basic}/src/test/resources/ssl/http.key (100%) rename x-pack/{qa/security-tls-basic => plugin/security/qa/tls-basic}/src/test/resources/ssl/transport.crt (100%) rename x-pack/{qa/security-tls-basic => 
plugin/security/qa/tls-basic}/src/test/resources/ssl/transport.key (100%) delete mode 100644 x-pack/qa/security-tls-basic/src/test/java/org/elasticsearch/xpack/security/TlsWithBasicLicenseClientYamlTestSuiteIT.java delete mode 100644 x-pack/qa/security-tls-basic/src/test/resources/rest-api-spec/test/10_tls_basic.yml delete mode 100644 x-pack/qa/security-tls-basic/src/test/resources/rest-api-spec/test/20_tls_trial.yml diff --git a/x-pack/plugin/security/build.gradle b/x-pack/plugin/security/build.gradle index afc39d5df5010..cc0b7cbd9b7c3 100644 --- a/x-pack/plugin/security/build.gradle +++ b/x-pack/plugin/security/build.gradle @@ -298,3 +298,13 @@ unitTest { // installing them as individual plugins for integ tests doesn't make sense, // so we disable integ tests integTest.enabled = false + +// add all sub-projects of the qa sub-project +gradle.projectsEvaluated { + project.subprojects + .find { it.path == project.path + ":qa" } + .subprojects + .findAll { it.path.startsWith(project.path + ":qa") } + .each { check.dependsOn it.check } +} + diff --git a/x-pack/plugin/security/qa/build.gradle b/x-pack/plugin/security/qa/build.gradle new file mode 100644 index 0000000000000..f2f60527ec4c1 --- /dev/null +++ b/x-pack/plugin/security/qa/build.gradle @@ -0,0 +1,18 @@ +import org.elasticsearch.gradle.test.RestIntegTestTask + +apply plugin: 'elasticsearch.build' +unitTest.enabled = false + +dependencies { + compile project(':test:framework') +} + +subprojects { + project.tasks.withType(RestIntegTestTask) { + final File xPackResources = new File(xpackProject('plugin').projectDir, 'src/test/resources') + project.copyRestSpec.from(xPackResources) { + include 'rest-api-spec/api/**' + } + } +} + diff --git a/x-pack/qa/security-tls-basic/build.gradle b/x-pack/plugin/security/qa/tls-basic/build.gradle similarity index 100% rename from x-pack/qa/security-tls-basic/build.gradle rename to x-pack/plugin/security/qa/tls-basic/build.gradle 
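Review bot: `project.subprojects.find { it.path == project.path + ":qa" }` returns null when no `:qa` subproject is configured, so the chained `.subprojects` throws a NullPointerException at configuration time for every build of the security plugin; use safe navigation, `.find { … }?.subprojects?.findAll { … }?.each { check.dependsOn it.check }`, or fail with a clear message. The `findAll { it.path.startsWith(project.path + ":qa") }` filter is redundant on the children of `:qa` itself — every member already carries that prefix — unless it is meant to exclude something, in which case a comment should say what. A one-line comment above the block, `// wire every security:qa:* integ test into this plugin's check task`, would tell the next reader why this lives under `projectsEvaluated`.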
diff --git a/x-pack/plugin/security/qa/tls-basic/src/test/java/org/elasticsearch/xpack/security/TlsWithBasicLicenseIT.java b/x-pack/plugin/security/qa/tls-basic/src/test/java/org/elasticsearch/xpack/security/TlsWithBasicLicenseIT.java new file mode 100644 index 0000000000000..3b2aea4a08d68 --- /dev/null +++ b/x-pack/plugin/security/qa/tls-basic/src/test/java/org/elasticsearch/xpack/security/TlsWithBasicLicenseIT.java 
@@ -0,0 +1,122 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.security;
+
+import org.elasticsearch.client.Request;
+import org.elasticsearch.client.Response;
+import org.elasticsearch.common.io.PathUtils;
+import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.test.rest.ESRestTestCase;
+import org.elasticsearch.test.rest.yaml.ObjectPath;
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.net.URL;
+import java.nio.file.Path;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.stream.Collectors;
+
+import static org.hamcrest.Matchers.containsInAnyOrder;
+import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.instanceOf;
+import static org.hamcrest.Matchers.iterableWithSize;
+import static org.hamcrest.Matchers.notNullValue;
+
+public class TlsWithBasicLicenseIT extends ESRestTestCase {
+ private static Path httpTrustStore;
+
+ @BeforeClass
+ public static void findTrustStore() throws Exception {
+ final URL resource = TlsWithBasicLicenseIT.class.getResource("/ssl/ca.p12");
+ if (resource == null) {
+ throw new FileNotFoundException("Cannot find classpath resource /ssl/ca.p12");
+ }
+ httpTrustStore = PathUtils.get(resource.toURI());
+ }
+
+ @AfterClass
+ public static void cleanupStatics() {
+ httpTrustStore = null;
+ }
+
+ @Override
+ protected String getProtocol() {
+ return "https";
+ }
+
+ @Override
+ protected Settings restClientSettings() {
+ return Settings.builder()
+ .put(TRUSTSTORE_PATH, httpTrustStore)
+ .put(TRUSTSTORE_PASSWORD, "password")
+ .build();
+ }
+
+ public void testWithBasicLicense() throws Exception {
+ checkLicenseType("basic");
+ checkSSLEnabled();
+ checkCertificateAPI();
+ }
+
+ public void testWithTrialLicense() throws Exception {
+ startTrial();
+ try {
+ checkLicenseType("trial");
+ checkSSLEnabled();
+ checkCertificateAPI();
+ } finally {
+ revertTrial();
+ }
+ }
+
+ private void startTrial() throws IOException {
+ Response response = client().performRequest(new Request("POST", "/_license/start_trial?acknowledge=true"));
+ assertOK(response);
+ }
+
+ private void revertTrial() throws IOException {
+ client().performRequest(new Request("POST", "/_license/start_basic?acknowledge=true"));
+ }
+
+ private void checkLicenseType(String type) throws IOException {
+ Map license = getAsMap("/_license");
+ assertThat(license, notNullValue());
+ assertThat(ObjectPath.evaluate(license, "license.type"), equalTo(type));
+ }
+
+ private void checkSSLEnabled() throws IOException {
+ Map usage = getAsMap("/_xpack/usage");
+ assertThat(usage, notNullValue());
+ assertThat(ObjectPath.evaluate(usage, "security.ssl.http.enabled"), equalTo(true));
+ assertThat(ObjectPath.evaluate(usage, "security.ssl.transport.enabled"), equalTo(true));
+ }
+
+ private void checkCertificateAPI() throws IOException {
+ Response response = client().performRequest(new Request("GET", "/_ssl/certificates"));
+ ObjectPath path = ObjectPath.createFromResponse(response);
+ final Object body = path.evaluate("");
+ assertThat(body, instanceOf(List.class));
+ final List certs = (List) body;
+ assertThat(certs, iterableWithSize(3));
+ final List> certInfo = new ArrayList<>();
+ for (int i = 0; i < certs.size(); i++) {
+ final Object element = certs.get(i);
+ assertThat(element, instanceOf(Map.class));
+ final Map map = (Map) element;
+ certInfo.add(map);
+ assertThat(map.get("format"), equalTo("PEM"));
+ }
+ List paths = certInfo.stream().map(m -> String.valueOf(m.get("path"))).collect(Collectors.toList());
+ assertThat(paths, containsInAnyOrder("http.crt", "transport.crt", "ca.crt"));
+ }
+
+
+}
+
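Review bot: `revertTrial()` discards the response of `POST /_license/start_basic?acknowledge=true`, so a failed revert goes unnoticed and the cluster stays on a trial license, which would make `testWithBasicLicense` fail later in `checkLicenseType("basic")` with a message that points away from the real cause; `assertOK(client().performRequest(new Request("POST", "/_license/start_basic?acknowledge=true")));` mirrors what `startTrial()` already does. Because the call sits in a `finally`, a revert failure would then replace an assertion failure raised in the `try` body, which is still preferable to silently leaving the license changed but deserves a one-line comment at the call site. The indexed loop in `checkCertificateAPI` uses `i` only for `certs.get(i)`, so `for (Object element : certs)` says the same thing more directly. A class-level Javadoc stating that the test expects a cluster started on a basic license with TLS on both http and transport would make the `checkSSLEnabled` assertions self-explanatory.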
diff --git a/x-pack/qa/security-tls-basic/src/test/resources/ssl/README.asciidoc b/x-pack/plugin/security/qa/tls-basic/src/test/resources/ssl/README.asciidoc
similarity index 100%
rename from x-pack/qa/security-tls-basic/src/test/resources/ssl/README.asciidoc
rename to x-pack/plugin/security/qa/tls-basic/src/test/resources/ssl/README.asciidoc
diff --git a/x-pack/qa/security-tls-basic/src/test/resources/ssl/ca.crt b/x-pack/plugin/security/qa/tls-basic/src/test/resources/ssl/ca.crt
similarity index 100%
rename from x-pack/qa/security-tls-basic/src/test/resources/ssl/ca.crt
rename to x-pack/plugin/security/qa/tls-basic/src/test/resources/ssl/ca.crt
diff --git a/x-pack/qa/security-tls-basic/src/test/resources/ssl/ca.key b/x-pack/plugin/security/qa/tls-basic/src/test/resources/ssl/ca.key
similarity index 100%
rename from x-pack/qa/security-tls-basic/src/test/resources/ssl/ca.key
rename to x-pack/plugin/security/qa/tls-basic/src/test/resources/ssl/ca.key
diff --git a/x-pack/qa/security-tls-basic/src/test/resources/ssl/ca.p12 b/x-pack/plugin/security/qa/tls-basic/src/test/resources/ssl/ca.p12
similarity index 100%
rename from x-pack/qa/security-tls-basic/src/test/resources/ssl/ca.p12
rename to x-pack/plugin/security/qa/tls-basic/src/test/resources/ssl/ca.p12
diff --git a/x-pack/qa/security-tls-basic/src/test/resources/ssl/http.crt b/x-pack/plugin/security/qa/tls-basic/src/test/resources/ssl/http.crt
similarity index 100%
rename from x-pack/qa/security-tls-basic/src/test/resources/ssl/http.crt
rename to x-pack/plugin/security/qa/tls-basic/src/test/resources/ssl/http.crt
diff --git a/x-pack/qa/security-tls-basic/src/test/resources/ssl/http.key b/x-pack/plugin/security/qa/tls-basic/src/test/resources/ssl/http.key
similarity index 100%
rename from x-pack/qa/security-tls-basic/src/test/resources/ssl/http.key
rename to x-pack/plugin/security/qa/tls-basic/src/test/resources/ssl/http.key
diff --git a/x-pack/qa/security-tls-basic/src/test/resources/ssl/transport.crt b/x-pack/plugin/security/qa/tls-basic/src/test/resources/ssl/transport.crt
similarity index 100%
rename from x-pack/qa/security-tls-basic/src/test/resources/ssl/transport.crt
rename to x-pack/plugin/security/qa/tls-basic/src/test/resources/ssl/transport.crt
diff --git a/x-pack/qa/security-tls-basic/src/test/resources/ssl/transport.key b/x-pack/plugin/security/qa/tls-basic/src/test/resources/ssl/transport.key
similarity index 100%
rename from x-pack/qa/security-tls-basic/src/test/resources/ssl/transport.key
rename to x-pack/plugin/security/qa/tls-basic/src/test/resources/ssl/transport.key
diff --git a/x-pack/qa/security-tls-basic/src/test/java/org/elasticsearch/xpack/security/TlsWithBasicLicenseClientYamlTestSuiteIT.java b/x-pack/qa/security-tls-basic/src/test/java/org/elasticsearch/xpack/security/TlsWithBasicLicenseClientYamlTestSuiteIT.java
deleted file mode 100644
index f023ed9192401..0000000000000
--- a/x-pack/qa/security-tls-basic/src/test/java/org/elasticsearch/xpack/security/TlsWithBasicLicenseClientYamlTestSuiteIT.java
+++ /dev/null
@@ -1,60 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-package org.elasticsearch.xpack.security;
-
-import com.carrotsearch.randomizedtesting.annotations.Name;
-import com.carrotsearch.randomizedtesting.annotations.ParametersFactory;
-import org.elasticsearch.common.io.PathUtils;
-import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.test.rest.yaml.ClientYamlTestCandidate;
-import org.elasticsearch.test.rest.yaml.ESClientYamlSuiteTestCase;
-import org.junit.AfterClass;
-import org.junit.BeforeClass;
-
-import java.io.FileNotFoundException;
-import java.net.URL;
-import java.nio.file.Path;
-
-public class TlsWithBasicLicenseClientYamlTestSuiteIT extends ESClientYamlSuiteTestCase {
- private static Path httpTrustStore;
-
- public TlsWithBasicLicenseClientYamlTestSuiteIT(@Name("yaml") ClientYamlTestCandidate testCandidate) {
- super(testCandidate);
- }
-
- @ParametersFactory
- public static Iterable parameters() throws Exception {
- return ESClientYamlSuiteTestCase.createParameters();
- }
-
- @BeforeClass
- public static void findTrustStore( ) throws Exception {
- final URL resource = TlsWithBasicLicenseClientYamlTestSuiteIT.class.getResource("/ssl/ca.p12");
- if (resource == null) {
- throw new FileNotFoundException("Cannot find classpath resource /ssl/ca.p12");
- }
- httpTrustStore = PathUtils.get(resource.toURI());
- }
-
- @AfterClass
- public static void cleanupStatics() {
- httpTrustStore = null;
- }
-
- @Override
- protected String getProtocol() {
- return "https";
- }
-
- @Override
- protected Settings restClientSettings() {
- return Settings.builder()
- .put(TRUSTSTORE_PATH , httpTrustStore)
- .put(TRUSTSTORE_PASSWORD, "password")
- .build();
- }
-}
-
diff --git a/x-pack/qa/security-tls-basic/src/test/resources/rest-api-spec/test/10_tls_basic.yml b/x-pack/qa/security-tls-basic/src/test/resources/rest-api-spec/test/10_tls_basic.yml
deleted file mode 100644
index 088351ea79511..0000000000000
--- a/x-pack/qa/security-tls-basic/src/test/resources/rest-api-spec/test/10_tls_basic.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-setup:
- - skip:
- features: headers
-
----
-"Check license":
- - do:
- license.get: {}
- - match: { license.type: "basic" }
-
----
-"Check SSL enabled":
- - do:
- xpack.usage: {}
- - match: { security.ssl.http.enabled: true }
- - match: { security.ssl.transport.enabled: true }
-
----
-"Get certificates":
-
- - do:
- ssl.certificates: {}
-
- - match: { 0.format: "PEM" }
- - match: { 1.format: "PEM" }
- - match: { 2.format: "PEM" }
- - length: { $body: 3 }
diff --git a/x-pack/qa/security-tls-basic/src/test/resources/rest-api-spec/test/20_tls_trial.yml b/x-pack/qa/security-tls-basic/src/test/resources/rest-api-spec/test/20_tls_trial.yml
deleted file mode 100644
index a59cadba9a232..0000000000000
--- a/x-pack/qa/security-tls-basic/src/test/resources/rest-api-spec/test/20_tls_trial.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-setup:
- - skip:
- features: headers
-
- - do:
- license.post_start_trial:
- acknowledge: true
-
----
-teardown:
- - do:
- license.post_start_basic:
- acknowledge: true
-
----
-"Check setup":
- - do:
- license.get: {}
- - match: { license.type: "trial" }
-
- - do:
- xpack.usage: {}
- - match: { security.ssl.http.enabled: true }
- - match: { security.ssl.transport.enabled: true }
-
- - do:
- ssl.certificates: {}
- - match: { 0.format: "PEM" }
- - match: { 1.format: "PEM" }
- - match: { 2.format: "PEM" }
- - length: { $body: 3 }
From ebb2a9f58e9b6fe439bb254777d5a5421bf44f52 Mon Sep 17 00:00:00 2001 From: Tim Vernum Date: Thu, 4 Apr 2019 18:17:05 +1100 Subject: [PATCH 4/4] Address build feedback --- x-pack/plugin/security/qa/tls-basic/build.gradle | 3 --- 1 file changed, 3 deletions(-)
diff --git a/x-pack/plugin/security/qa/tls-basic/build.gradle b/x-pack/plugin/security/qa/tls-basic/build.gradle index c8b3871c61c6e..9f5ef26f6e6a6 100644 --- a/x-pack/plugin/security/qa/tls-basic/build.gradle +++ b/x-pack/plugin/security/qa/tls-basic/build.gradle @@ -8,14 +8,11 @@ dependencies { testCompile project(path: xpackModule('core'), configuration: 'default') testCompile project(path: xpackModule('security'), configuration: 'testArtifacts') testCompile project(path: xpackModule('core'), configuration: 'testArtifacts') - testCompile project(path: ':modules:reindex') } forbiddenPatterns { exclude '**/*.key' - exclude '**/*.pem' exclude '**/*.p12' - exclude '**/*.jks' } File caFile = project.file('src/test/resources/ssl/ca.crt')