From b6a83ca0eea300592acea80a9d0b2ac359bf5ba9 Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Tue, 24 Jul 2018 12:48:14 +0300 Subject: [PATCH] Allow Integ Tests to run in a FIPS-140 JVM (#31989) * Complete changes for running IT in a fips JVM - Mute :x-pack:qa:sql:security:ssl:integTest as it cannot run in FIPS 140 JVM until the SQL CLI supports key/cert. - Set default JVM keystore/truststore password in top level build script for all integTest tasks in a FIPS 140 JVM - Changed top level x-pack build script to use keys and certificates for trust/key material when spinning up clusters for IT --- .../elasticsearch/gradle/BuildPlugin.groovy | 11 +- plugins/discovery-gce/build.gradle | 30 -- .../action/admin/ReloadSecureSettingsIT.java | 9 +- .../elasticsearch/test/ESIntegTestCase.java | 4 + x-pack/plugin/build.gradle | 49 ++- .../rest-api-spec/test/ssl/10_basic.yml | 5 +- x-pack/qa/full-cluster-restart/build.gradle | 4 +- .../ml-native-multi-node-tests/build.gradle | 46 +-- .../MlNativeAutodetectIntegTestCase.java | 11 +- x-pack/qa/rolling-upgrade/build.gradle | 2 +- x-pack/qa/smoke-test-plugins-ssl/build.gradle | 316 ++---------------- ...keTestPluginsSslClientYamlTestSuiteIT.java | 4 +- .../qa/smoke-test-plugins-ssl/testclient.crt | 23 ++ .../qa/smoke-test-plugins-ssl/testclient.jks | Bin 0 -> 3358 bytes .../qa/smoke-test-plugins-ssl/testclient.pem | 30 ++ x-pack/qa/smoke-test-plugins-ssl/testnode.crt | 23 ++ x-pack/qa/smoke-test-plugins-ssl/testnode.jks | Bin 0 -> 9360 bytes x-pack/qa/smoke-test-plugins-ssl/testnode.pem | 30 ++ x-pack/qa/sql/security/ssl/build.gradle | 26 +- .../qa/sql/jdbc/JdbcIntegrationTestCase.java | 2 +- 20 files changed, 223 insertions(+), 402 deletions(-) create mode 100644 x-pack/qa/smoke-test-plugins-ssl/testclient.crt create mode 100644 x-pack/qa/smoke-test-plugins-ssl/testclient.jks create mode 100644 x-pack/qa/smoke-test-plugins-ssl/testclient.pem create mode 100644 x-pack/qa/smoke-test-plugins-ssl/testnode.crt create mode 100644 x-pack/qa/smoke-test-plugins-ssl/testnode.jks create mode 100644 x-pack/qa/smoke-test-plugins-ssl/testnode.pem diff --git a/buildSrc/src/main/groovy/org/elasticsearch/gradle/BuildPlugin.groovy b/buildSrc/src/main/groovy/org/elasticsearch/gradle/BuildPlugin.groovy index 6b4d448579829..2c7641d596baa 100644 --- a/buildSrc/src/main/groovy/org/elasticsearch/gradle/BuildPlugin.groovy +++ b/buildSrc/src/main/groovy/org/elasticsearch/gradle/BuildPlugin.groovy @@ -131,6 +131,9 @@ class BuildPlugin implements Plugin { runtimeJavaVersionEnum = JavaVersion.toVersion(findJavaSpecificationVersion(project, runtimeJavaHome)) } + String inFipsJvmScript = 'print(java.security.Security.getProviders()[0].name.toLowerCase().contains("fips"));' + boolean inFipsJvm = Boolean.parseBoolean(runJavascript(project, runtimeJavaHome, inFipsJvmScript)) + // Build debugging info println '=======================================' println 'Elasticsearch Build Hamster says Hello!' @@ -202,6 +205,7 @@ class BuildPlugin implements Plugin { project.rootProject.ext.buildChecksDone = true project.rootProject.ext.minimumCompilerVersion = minimumCompilerVersion project.rootProject.ext.minimumRuntimeVersion = minimumRuntimeVersion + project.rootProject.ext.inFipsJvm = inFipsJvm } project.targetCompatibility = project.rootProject.ext.minimumRuntimeVersion @@ -213,6 +217,7 @@ class BuildPlugin implements Plugin { project.ext.compilerJavaVersion = project.rootProject.ext.compilerJavaVersion project.ext.runtimeJavaVersion = project.rootProject.ext.runtimeJavaVersion project.ext.javaVersions = project.rootProject.ext.javaVersions + project.ext.inFipsJvm = project.rootProject.ext.inFipsJvm } private static String findCompilerJavaHome() { @@ -771,7 +776,11 @@ class BuildPlugin implements Plugin { systemProperty property.getKey(), property.getValue() } } - + // Set the system keystore/truststore password if we're running tests in a FIPS-140 JVM + if (project.inFipsJvm) { + systemProperty 'javax.net.ssl.trustStorePassword', 'password' + systemProperty 'javax.net.ssl.keyStorePassword', 'password' + } boolean assertionsEnabled = Boolean.parseBoolean(System.getProperty('tests.asserts', 'true')) enableSystemAssertions assertionsEnabled enableAssertions assertionsEnabled diff --git a/plugins/discovery-gce/build.gradle b/plugins/discovery-gce/build.gradle index 82de9ba031b25..fa8005dfa4759 100644 --- a/plugins/discovery-gce/build.gradle +++ b/plugins/discovery-gce/build.gradle @@ -22,36 +22,6 @@ dependencies { compile "commons-codec:commons-codec:${versions.commonscodec}" } - -// needed to be consistent with ssl host checking -String host = InetAddress.getLoopbackAddress().getHostAddress(); - -// location of keystore and files to generate it -File keystore = new File(project.buildDir, 'keystore/test-node.jks') - -// generate the keystore -task createKey(type: LoggedExec) { - doFirst { - project.delete(keystore.parentFile) - keystore.parentFile.mkdirs() - } - executable = new File(project.runtimeJavaHome, 'bin/keytool') - standardInput = new ByteArrayInputStream('FirstName LastName\nUnit\nOrganization\nCity\nState\nNL\nyes\n\n'.getBytes('UTF-8')) - args '-genkey', - '-alias', 'test-node', - '-keystore', keystore, - '-keyalg', 'RSA', - '-keysize', '2048', - '-validity', '712', - '-dname', 'CN=' + host, - '-keypass', 'keypass', - '-storepass', 'keypass' -} - -// add keystore to test classpath: it expects it there -sourceSets.test.resources.srcDir(keystore.parentFile) -processTestResources.dependsOn(createKey) - dependencyLicenses { mapping from: /google-.*/, to: 'google' } diff --git a/server/src/test/java/org/elasticsearch/action/admin/ReloadSecureSettingsIT.java b/server/src/test/java/org/elasticsearch/action/admin/ReloadSecureSettingsIT.java index 2061349e3301d..c8503603f665c 100644 --- a/server/src/test/java/org/elasticsearch/action/admin/ReloadSecureSettingsIT.java +++ b/server/src/test/java/org/elasticsearch/action/admin/ReloadSecureSettingsIT.java @@ -205,7 +205,14 @@ public void onResponse(NodesReloadSecureSettingsResponse nodesReloadResponse) { assertThat(nodesMap.size(), equalTo(cluster().size())); for (final NodesReloadSecureSettingsResponse.NodeResponse nodeResponse : nodesReloadResponse.getNodes()) { assertThat(nodeResponse.reloadException(), notNullValue()); - assertThat(nodeResponse.reloadException(), instanceOf(IOException.class)); + // Running in a JVM with a BouncyCastle FIPS Security Provider, decrypting the Keystore with the wrong + // password returns a SecurityException if the DataInputStream can't be fully consumed + if (inFipsJvm()) { + assertThat(nodeResponse.reloadException(), instanceOf(SecurityException.class)); + } else { + assertThat(nodeResponse.reloadException(), instanceOf(IOException.class)); + } + } } catch (final AssertionError e) { reloadSettingsError.set(e); diff --git a/test/framework/src/main/java/org/elasticsearch/test/ESIntegTestCase.java b/test/framework/src/main/java/org/elasticsearch/test/ESIntegTestCase.java index 2197b09988042..c42887ee07f32 100644 --- a/test/framework/src/main/java/org/elasticsearch/test/ESIntegTestCase.java +++ b/test/framework/src/main/java/org/elasticsearch/test/ESIntegTestCase.java @@ -176,6 +176,7 @@ import java.net.URL; import java.nio.file.Files; import java.nio.file.Path; +import java.security.Security; import java.util.ArrayList; import java.util.Arrays; import java.util.Collection; @@ -2358,4 +2359,7 @@ protected void assertSeqNos() throws Exception { }); } + public static boolean inFipsJvm() { + return Security.getProviders()[0].getName().toLowerCase(Locale.ROOT).contains("fips"); + } } diff --git a/x-pack/plugin/build.gradle b/x-pack/plugin/build.gradle index 415ff72aef7cf..dbb4e86dc197b 100644 --- a/x-pack/plugin/build.gradle +++ b/x-pack/plugin/build.gradle @@ -104,39 +104,28 @@ integTestRunner { systemProperty 'tests.rest.blacklist', blacklist.join(',') } -// location of generated keystores and certificates +// location for keys and certificates File keystoreDir = new File(project.buildDir, 'keystore') - -// Generate the node's keystore -File nodeKeystore = new File(keystoreDir, 'test-node.jks') -task createNodeKeyStore(type: LoggedExec) { - doFirst { - if (nodeKeystore.parentFile.exists() == false) { - nodeKeystore.parentFile.mkdirs() - } - if (nodeKeystore.exists()) { - delete nodeKeystore +File nodeKey = file("$keystoreDir/testnode.pem") +File nodeCert = file("$keystoreDir/testnode.crt") + +// Add key and certs to test classpath: it expects them there +// User cert and key PEM files instead of a JKS Keystore for the cluster's trust material so that +// it can run in a FIPS 140 JVM +// TODO: Remove all existing uses of cross project file references when the new approach for referencing static files is available +// https://github.com/elastic/elasticsearch/pull/32201 +task copyKeyCerts(type: Copy) { + from(project(':x-pack:plugin:core').file('src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/')) { + include 'testnode.crt', 'testnode.pem' } - } - executable = new File(project.runtimeJavaHome, 'bin/keytool') - standardInput = new ByteArrayInputStream('FirstName LastName\nUnit\nOrganization\nCity\nState\nNL\nyes\n\n'.getBytes('UTF-8')) - args '-genkey', - '-alias', 'test-node', - '-keystore', nodeKeystore, - '-keyalg', 'RSA', - '-keysize', '2048', - '-validity', '712', - '-dname', 'CN=smoke-test-plugins-ssl', - '-keypass', 'keypass', - '-storepass', 'keypass' + into keystoreDir } - // Add keystores to test classpath: it expects it there sourceSets.test.resources.srcDir(keystoreDir) -processTestResources.dependsOn(createNodeKeyStore) +processTestResources.dependsOn(copyKeyCerts) integTestCluster { - dependsOn createNodeKeyStore + dependsOn copyKeyCerts setting 'xpack.ml.enabled', 'true' setting 'xpack.security.enabled', 'true' setting 'logger.org.elasticsearch.xpack.ml.datafeed', 'TRACE' @@ -145,18 +134,20 @@ integTestCluster { setting 'xpack.monitoring.exporters._local.enabled', 'false' setting 'xpack.security.authc.token.enabled', 'true' setting 'xpack.security.transport.ssl.enabled', 'true' - setting 'xpack.security.transport.ssl.keystore.path', nodeKeystore.name + setting 'xpack.security.transport.ssl.key', nodeKey.name + setting 'xpack.security.transport.ssl.certificate', nodeCert.name setting 'xpack.security.transport.ssl.verification_mode', 'certificate' setting 'xpack.security.audit.enabled', 'true' setting 'xpack.license.self_generated.type', 'trial' keystoreSetting 'bootstrap.password', 'x-pack-test-password' keystoreSetting 'xpack.security.authc.token.passphrase', 'x-pack-token-service-password' - keystoreSetting 'xpack.security.transport.ssl.keystore.secure_password', 'keypass' + keystoreSetting 'xpack.security.transport.ssl.secure_key_passphrase', 'testnode' distribution = 'zip' // this is important since we use the reindex module in ML setupCommand 'setupTestUser', 'bin/elasticsearch-users', 'useradd', 'x_pack_rest_user', '-p', 'x-pack-test-password', '-r', 'superuser' - extraConfigFile nodeKeystore.name, nodeKeystore + extraConfigFile nodeKey.name, nodeKey + extraConfigFile nodeCert.name, nodeCert waitCondition = { NodeInfo node, AntBuilder ant -> File tmpFile = new File(node.cwd, 'wait.success') diff --git a/x-pack/plugin/src/test/resources/rest-api-spec/test/ssl/10_basic.yml b/x-pack/plugin/src/test/resources/rest-api-spec/test/ssl/10_basic.yml index 7a87ef511e591..227d341b26d86 100644 --- a/x-pack/plugin/src/test/resources/rest-api-spec/test/ssl/10_basic.yml +++ b/x-pack/plugin/src/test/resources/rest-api-spec/test/ssl/10_basic.yml @@ -4,7 +4,6 @@ xpack.ssl.certificates: {} - length: { $body: 1 } - - match: { $body.0.path: "test-node.jks" } - - match: { $body.0.format: "jks" } - - match: { $body.0.alias: "test-node" } + - match: { $body.0.path: "testnode.crt" } + - match: { $body.0.format: "PEM" } - match: { $body.0.has_private_key: true } diff --git a/x-pack/qa/full-cluster-restart/build.gradle b/x-pack/qa/full-cluster-restart/build.gradle index b17cbb332502d..7887a6462eb33 100644 --- a/x-pack/qa/full-cluster-restart/build.gradle +++ b/x-pack/qa/full-cluster-restart/build.gradle @@ -125,8 +125,8 @@ subprojects { String output = "${buildDir}/generated-resources/${project.name}" task copyTestNodeKeystore(type: Copy) { - from project(xpackModule('core')) - .file('src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks') + from project(':x-pack:plugin:core') + .file('src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks') into outputDir } diff --git a/x-pack/qa/ml-native-multi-node-tests/build.gradle b/x-pack/qa/ml-native-multi-node-tests/build.gradle index 286d4daee8aa5..b8627db3068fd 100644 --- a/x-pack/qa/ml-native-multi-node-tests/build.gradle +++ b/x-pack/qa/ml-native-multi-node-tests/build.gradle @@ -18,59 +18,45 @@ integTestRunner { systemProperty 'es.set.netty.runtime.available.processors', 'false' } -// location of generated keystores and certificates +// location for keys and certificates File keystoreDir = new File(project.buildDir, 'keystore') - -// Generate the node's keystore -File nodeKeystore = new File(keystoreDir, 'test-node.jks') -task createNodeKeyStore(type: LoggedExec) { - doFirst { - if (nodeKeystore.parentFile.exists() == false) { - nodeKeystore.parentFile.mkdirs() - } - if (nodeKeystore.exists()) { - delete nodeKeystore - } +File nodeKey = file("$keystoreDir/testnode.pem") +File nodeCert = file("$keystoreDir/testnode.crt") +// Add key and certs to test classpath: it expects it there +task copyKeyCerts(type: Copy) { + from(project(':x-pack:plugin:core').file('src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/')) { + include 'testnode.crt', 'testnode.pem' } - executable = new File(project.runtimeJavaHome, 'bin/keytool') - standardInput = new ByteArrayInputStream('FirstName LastName\nUnit\nOrganization\nCity\nState\nNL\nyes\n\n'.getBytes('UTF-8')) - args '-genkey', - '-alias', 'test-node', - '-keystore', nodeKeystore, - '-keyalg', 'RSA', - '-keysize', '2048', - '-validity', '712', - '-dname', 'CN=smoke-test-plugins-ssl', - '-keypass', 'keypass', - '-storepass', 'keypass' + into keystoreDir } - -// Add keystores to test classpath: it expects it there +// Add keys and cets to test classpath: it expects it there sourceSets.test.resources.srcDir(keystoreDir) -processTestResources.dependsOn(createNodeKeyStore) +processTestResources.dependsOn(copyKeyCerts) integTestCluster { - dependsOn createNodeKeyStore + dependsOn copyKeyCerts setting 'xpack.security.enabled', 'true' setting 'xpack.ml.enabled', 'true' setting 'logger.org.elasticsearch.xpack.ml.datafeed', 'TRACE' setting 'xpack.monitoring.enabled', 'false' setting 'xpack.security.authc.token.enabled', 'true' setting 'xpack.security.transport.ssl.enabled', 'true' - setting 'xpack.security.transport.ssl.keystore.path', nodeKeystore.name + setting 'xpack.security.transport.ssl.key', nodeKey.name + setting 'xpack.security.transport.ssl.certificate', nodeCert.name setting 'xpack.security.transport.ssl.verification_mode', 'certificate' setting 'xpack.security.audit.enabled', 'true' setting 'xpack.license.self_generated.type', 'trial' keystoreSetting 'bootstrap.password', 'x-pack-test-password' - keystoreSetting 'xpack.security.transport.ssl.keystore.secure_password', 'keypass' + keystoreSetting 'xpack.security.transport.ssl.secure_key_passphrase', 'testnode' numNodes = 3 setupCommand 'setupDummyUser', 'bin/elasticsearch-users', 'useradd', 'x_pack_rest_user', '-p', 'x-pack-test-password', '-r', 'superuser' - extraConfigFile nodeKeystore.name, nodeKeystore + extraConfigFile nodeKey.name, nodeKey + extraConfigFile nodeCert.name, nodeCert waitCondition = { node, ant -> File tmpFile = new File(node.cwd, 'wait.success') diff --git a/x-pack/qa/ml-native-multi-node-tests/src/test/java/org/elasticsearch/xpack/ml/integration/MlNativeAutodetectIntegTestCase.java b/x-pack/qa/ml-native-multi-node-tests/src/test/java/org/elasticsearch/xpack/ml/integration/MlNativeAutodetectIntegTestCase.java index c9956e6092fc5..74a026ed5adb4 100644 --- a/x-pack/qa/ml-native-multi-node-tests/src/test/java/org/elasticsearch/xpack/ml/integration/MlNativeAutodetectIntegTestCase.java +++ b/x-pack/qa/ml-native-multi-node-tests/src/test/java/org/elasticsearch/xpack/ml/integration/MlNativeAutodetectIntegTestCase.java @@ -124,9 +124,11 @@ protected Collection> transportClientPlugins() { @Override protected Settings externalClusterClientSettings() { - Path keyStore; + Path key; + Path certificate; try { - keyStore = PathUtils.get(getClass().getResource("/test-node.jks").toURI()); + key = PathUtils.get(getClass().getResource("/testnode.pem").toURI()); + certificate = PathUtils.get(getClass().getResource("/testnode.crt").toURI()); } catch (URISyntaxException e) { throw new IllegalStateException("error trying to get keystore path", e); } @@ -135,8 +137,9 @@ protected Settings externalClusterClientSettings() { builder.put(SecurityField.USER_SETTING.getKey(), "x_pack_rest_user:" + SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING); builder.put(XPackSettings.MACHINE_LEARNING_ENABLED.getKey(), true); builder.put("xpack.security.transport.ssl.enabled", true); - builder.put("xpack.security.transport.ssl.keystore.path", keyStore.toAbsolutePath().toString()); - builder.put("xpack.security.transport.ssl.keystore.password", "keypass"); + builder.put("xpack.security.transport.ssl.key", key.toAbsolutePath().toString()); + builder.put("xpack.security.transport.ssl.certificate", certificate.toAbsolutePath().toString()); + builder.put("xpack.security.transport.ssl.key_passphrase", "testnode"); builder.put("xpack.security.transport.ssl.verification_mode", "certificate"); return builder.build(); } diff --git a/x-pack/qa/rolling-upgrade/build.gradle b/x-pack/qa/rolling-upgrade/build.gradle index 54033b0422c72..f38dee88dbbc8 100644 --- a/x-pack/qa/rolling-upgrade/build.gradle +++ b/x-pack/qa/rolling-upgrade/build.gradle @@ -103,7 +103,7 @@ subprojects { String output = "${buildDir}/generated-resources/${project.name}" task copyTestNodeKeystore(type: Copy) { - from project(xpackModule('core')) + from project(':x-pack:plugin:core') .file('src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks') into outputDir } diff --git a/x-pack/qa/smoke-test-plugins-ssl/build.gradle b/x-pack/qa/smoke-test-plugins-ssl/build.gradle index 595c562af3707..672bc3a19e834 100644 --- a/x-pack/qa/smoke-test-plugins-ssl/build.gradle +++ b/x-pack/qa/smoke-test-plugins-ssl/build.gradle @@ -4,7 +4,7 @@ import org.elasticsearch.gradle.plugin.PluginBuildPlugin import org.elasticsearch.gradle.test.NodeInfo import javax.net.ssl.HttpsURLConnection -import javax.net.ssl.KeyManagerFactory +import javax.net.ssl.KeyManager import javax.net.ssl.SSLContext import javax.net.ssl.TrustManagerFactory import java.nio.charset.StandardCharsets @@ -26,135 +26,27 @@ task copyXPackPluginProps(type: Copy) { } project.sourceSets.test.output.dir(outputDir, builtBy: copyXPackPluginProps) -// needed to be consistent with ssl host checking -Object san = new SanEvaluator() - // location of generated keystores and certificates File keystoreDir = new File(project.buildDir, 'keystore') +File nodeKeystore = file("$keystoreDir/testnode.jks") +File nodeKey = file("$keystoreDir/testnode.pem") +File nodeCert = file("$keystoreDir/testnode.crt") +File clientKeyStore = file("$keystoreDir/testclient.jks") +File clientKey = file("$keystoreDir/testclient.pem") +File clientCert = file("$keystoreDir/testclient.crt") -// Generate the node's keystore -File nodeKeystore = new File(keystoreDir, 'test-node.jks') -task createNodeKeyStore(type: LoggedExec) { - doFirst { - if (nodeKeystore.parentFile.exists() == false) { - nodeKeystore.parentFile.mkdirs() - } - if (nodeKeystore.exists()) { - delete nodeKeystore - } - } - executable = new File(project.runtimeJavaHome, 'bin/keytool') - standardInput = new ByteArrayInputStream('FirstName LastName\nUnit\nOrganization\nCity\nState\nNL\nyes\n\n'.getBytes('UTF-8')) - args '-genkey', - '-alias', 'test-node', - '-keystore', nodeKeystore, - '-keyalg', 'RSA', - '-keysize', '2048', - '-validity', '712', - '-dname', 'CN=smoke-test-plugins-ssl', - '-keypass', 'keypass', - '-storepass', 'keypass', - '-ext', san -} - -// Generate the client's keystore -File clientKeyStore = new File(keystoreDir, 'test-client.jks') -task createClientKeyStore(type: LoggedExec) { - doFirst { - if (clientKeyStore.parentFile.exists() == false) { - clientKeyStore.parentFile.mkdirs() - } - if (clientKeyStore.exists()) { - delete clientKeyStore - } - } - executable = new File(project.runtimeJavaHome, 'bin/keytool') - standardInput = new ByteArrayInputStream('FirstName LastName\nUnit\nOrganization\nCity\nState\nNL\nyes\n\n'.getBytes('UTF-8')) - args '-genkey', - '-alias', 'test-client', - '-keystore', clientKeyStore, - '-keyalg', 'RSA', - '-keysize', '2048', - '-validity', '712', - '-dname', 'CN=smoke-test-plugins-ssl', - '-keypass', 'keypass', - '-storepass', 'keypass', - '-ext', san -} - -// Export the node's certificate -File nodeCertificate = new File(keystoreDir, 'test-node.cert') -task exportNodeCertificate(type: LoggedExec) { - dependsOn createNodeKeyStore - doFirst { - if (nodeCertificate.parentFile.exists() == false) { - nodeCertificate.parentFile.mkdirs() - } - if (nodeCertificate.exists()) { - delete nodeCertificate - } - } - executable = new File(project.runtimeJavaHome, 'bin/keytool') - args '-export', - '-alias', 'test-node', - '-keystore', nodeKeystore, - '-storepass', 'keypass', - '-file', nodeCertificate -} - -// Import the node certificate in the client's keystore -task importNodeCertificateInClientKeyStore(type: LoggedExec) { - dependsOn createClientKeyStore, exportNodeCertificate - executable = new File(project.runtimeJavaHome, 'bin/keytool') - args '-import', - '-alias', 'test-node', - '-keystore', clientKeyStore, - '-storepass', 'keypass', - '-file', nodeCertificate, - '-noprompt' -} - -// Export the client's certificate -File clientCertificate = new File(keystoreDir, 'test-client.cert') -task exportClientCertificate(type: LoggedExec) { - dependsOn createClientKeyStore - doFirst { - if (clientCertificate.parentFile.exists() == false) { - clientCertificate.parentFile.mkdirs() - } - if (clientCertificate.exists()) { - delete clientCertificate - } +// Add keystores to test classpath: it expects it there +task copyKeyCerts(type: Copy) { + from('./') { + include '*.crt', '*.pem', '*.jks' } - executable = new File(project.runtimeJavaHome, 'bin/keytool') - args '-export', - '-alias', 'test-client', - '-keystore', clientKeyStore, - '-storepass', 'keypass', - '-file', clientCertificate -} - -// Import the client certificate in the node's keystore -task importClientCertificateInNodeKeyStore(type: LoggedExec) { - dependsOn createNodeKeyStore, exportClientCertificate - executable = new File(project.runtimeJavaHome, 'bin/keytool') - args '-import', - '-alias', 'test-client', - '-keystore', nodeKeystore, - '-storepass', 'keypass', - '-file', clientCertificate, - '-noprompt' + into keystoreDir } - -forbiddenPatterns { - exclude '**/*.cert' -} - // Add keystores to test classpath: it expects it there sourceSets.test.resources.srcDir(keystoreDir) -processTestResources.dependsOn(importNodeCertificateInClientKeyStore, importClientCertificateInNodeKeyStore) +processTestResources.dependsOn(copyKeyCerts) -integTestCluster.dependsOn(importClientCertificateInNodeKeyStore, importNodeCertificateInClientKeyStore) +integTestCluster.dependsOn(copyKeyCerts) ext.pluginsCount = 0 project(':plugins').getChildProjects().each { pluginName, pluginProject -> @@ -167,8 +59,7 @@ integTestCluster { setting 'xpack.monitoring.collection.interval', '1s' setting 'xpack.monitoring.exporters._http.type', 'http' setting 'xpack.monitoring.exporters._http.enabled', 'false' - setting 'xpack.monitoring.exporters._http.ssl.truststore.path', clientKeyStore.name - setting 'xpack.monitoring.exporters._http.ssl.truststore.password', 'keypass' + setting 'xpack.ssl.certificate_authorities', 'testnode.crt' setting 'xpack.monitoring.exporters._http.auth.username', 'monitoring_agent' setting 'xpack.monitoring.exporters._http.auth.password', 'x-pack-test-password' setting 'xpack.monitoring.exporters._http.ssl.verification_mode', 'full' @@ -176,14 +67,18 @@ integTestCluster { setting 'xpack.license.self_generated.type', 'trial' setting 'xpack.security.enabled', 'true' setting 'xpack.security.http.ssl.enabled', 'true' - setting 'xpack.security.http.ssl.keystore.path', nodeKeystore.name - keystoreSetting 'xpack.security.http.ssl.keystore.secure_password', 'keypass' + setting 'xpack.security.http.ssl.key', 'testnode.pem' + setting 'xpack.security.http.ssl.certificate', 'testnode.crt' + keystoreSetting 'xpack.security.http.ssl.secure_key_passphrase', 'testnode' setting 'xpack.ml.enabled', 'false' - - // copy keystores into config/ + // copy keystores, keys and certificates into config/ extraConfigFile nodeKeystore.name, nodeKeystore + extraConfigFile nodeKey.name, nodeKey + extraConfigFile nodeCert.name, nodeCert extraConfigFile clientKeyStore.name, clientKeyStore + extraConfigFile clientKey.name, clientKey + extraConfigFile clientCert.name, clientCert setupCommand 'setupTestUser', 'bin/elasticsearch-users', 'useradd', 'test_user', '-p', 'x-pack-test-password', '-r', 'superuser' @@ -193,13 +88,12 @@ integTestCluster { waitCondition = { NodeInfo node, AntBuilder ant -> File tmpFile = new File(node.cwd, 'wait.success') KeyStore keyStore = KeyStore.getInstance("JKS"); - keyStore.load(clientKeyStore.newInputStream(), 'keypass'.toCharArray()); - KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); - kmf.init(keyStore, 'keypass'.toCharArray()); + keyStore.load(clientKeyStore.newInputStream(), 'testclient'.toCharArray()); TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); tmf.init(keyStore); + // We don't need a KeyManager as there won't be client auth required so pass an empty array SSLContext sslContext = SSLContext.getInstance("TLSv1.2"); - sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom()); + sslContext.init(new KeyManager[0], tmf.getTrustManagers(), new SecureRandom()); for (int i = 0; i < 10; i++) { // we use custom wait logic here for HTTPS HttpsURLConnection httpURLConnection = null; @@ -244,160 +138,4 @@ processTestResources { inputs.properties(expansions) MavenFilteringHack.filter(it, expansions) } -} - -/** A lazy evaluator to find the san to use for certificate generation. */ -class SanEvaluator { - - private static String san = null - - String toString() { - synchronized (SanEvaluator.class) { - if (san == null) { - san = getSubjectAlternativeNameString() - } - } - return san - } - - // Code stolen from NetworkUtils/InetAddresses/NetworkAddress to support SAN - /** Return all interfaces (and subinterfaces) on the system */ - private static List getInterfaces() throws SocketException { - List all = new ArrayList<>(); - addAllInterfaces(all, Collections.list(NetworkInterface.getNetworkInterfaces())); - Collections.sort(all, new Comparator() { - @Override - public int compare(NetworkInterface left, NetworkInterface right) { - return Integer.compare(left.getIndex(), right.getIndex()); - } - }); - return all; - } - - /** Helper for getInterfaces, recursively adds subinterfaces to {@code target} */ - private static void addAllInterfaces(List target, List level) { - if (!level.isEmpty()) { - target.addAll(level); - for (NetworkInterface intf : level) { - addAllInterfaces(target, Collections.list(intf.getSubInterfaces())); - } - } - } - - private static String getSubjectAlternativeNameString() { - List list = new ArrayList<>(); - for (NetworkInterface intf : getInterfaces()) { - if (intf.isUp()) { - // NOTE: some operating systems (e.g. BSD stack) assign a link local address to the loopback interface - // while technically not a loopback address, some of these treat them as one (e.g. OS X "localhost") so we must too, - // otherwise things just won't work out of box. So we include all addresses from loopback interfaces. - for (InetAddress address : Collections.list(intf.getInetAddresses())) { - if (intf.isLoopback() || address.isLoopbackAddress()) { - list.add(address); - } - } - } - } - if (list.isEmpty()) { - throw new IllegalArgumentException("no up-and-running loopback addresses found, got " + getInterfaces()); - } - - StringBuilder builder = new StringBuilder("san="); - for (int i = 0; i < list.size(); i++) { - InetAddress address = list.get(i); - String hostAddress; - if (address instanceof Inet6Address) { - hostAddress = compressedIPV6Address((Inet6Address)address); - } else { - hostAddress = address.getHostAddress(); - } - builder.append("ip:").append(hostAddress); - String hostname = address.getHostName(); - if (hostname.equals(address.getHostAddress()) == false) { - builder.append(",dns:").append(hostname); - } - - if (i != (list.size() - 1)) { - builder.append(","); - } - } - - return builder.toString(); - } - - private static String compressedIPV6Address(Inet6Address inet6Address) { - byte[] bytes = inet6Address.getAddress(); - int[] hextets = new int[8]; - for (int i = 0; i < hextets.length; i++) { - hextets[i] = (bytes[2 * i] & 255) << 8 | bytes[2 * i + 1] & 255; - } - compressLongestRunOfZeroes(hextets); - return hextetsToIPv6String(hextets); - } - - /** - * Identify and mark the longest run of zeroes in an IPv6 address. - * - *

Only runs of two or more hextets are considered. In case of a tie, the - * leftmost run wins. If a qualifying run is found, its hextets are replaced - * by the sentinel value -1. - * - * @param hextets {@code int[]} mutable array of eight 16-bit hextets - */ - private static void compressLongestRunOfZeroes(int[] hextets) { - int bestRunStart = -1; - int bestRunLength = -1; - int runStart = -1; - for (int i = 0; i < hextets.length + 1; i++) { - if (i < hextets.length && hextets[i] == 0) { - if (runStart < 0) { - runStart = i; - } - } else if (runStart >= 0) { - int runLength = i - runStart; - if (runLength > bestRunLength) { - bestRunStart = runStart; - bestRunLength = runLength; - } - runStart = -1; - } - } - if (bestRunLength >= 2) { - Arrays.fill(hextets, bestRunStart, bestRunStart + bestRunLength, -1); - } - } - - /** - * Convert a list of hextets into a human-readable IPv6 address. - * - *

In order for "::" compression to work, the input should contain negative - * sentinel values in place of the elided zeroes. - * - * @param hextets {@code int[]} array of eight 16-bit hextets, or -1s - */ - private static String hextetsToIPv6String(int[] hextets) { - /* - * While scanning the array, handle these state transitions: - * start->num => "num" start->gap => "::" - * num->num => ":num" num->gap => "::" - * gap->num => "num" gap->gap => "" - */ - StringBuilder buf = new StringBuilder(39); - boolean lastWasNumber = false; - for (int i = 0; i < hextets.length; i++) { - boolean thisIsNumber = hextets[i] >= 0; - if (thisIsNumber) { - if (lastWasNumber) { - buf.append(':'); - } - buf.append(Integer.toHexString(hextets[i])); - } else { - if (i == 0 || lastWasNumber) { - buf.append("::"); - } - } - lastWasNumber = thisIsNumber; - } - return buf.toString(); - } -} +} \ No newline at end of file diff --git a/x-pack/qa/smoke-test-plugins-ssl/src/test/java/org/elasticsearch/smoketest/SmokeTestPluginsSslClientYamlTestSuiteIT.java b/x-pack/qa/smoke-test-plugins-ssl/src/test/java/org/elasticsearch/smoketest/SmokeTestPluginsSslClientYamlTestSuiteIT.java index 8411a7eb5a4e7..9cb45472ed39c 100644 --- a/x-pack/qa/smoke-test-plugins-ssl/src/test/java/org/elasticsearch/smoketest/SmokeTestPluginsSslClientYamlTestSuiteIT.java +++ b/x-pack/qa/smoke-test-plugins-ssl/src/test/java/org/elasticsearch/smoketest/SmokeTestPluginsSslClientYamlTestSuiteIT.java @@ -29,7 +29,7 @@ public class SmokeTestPluginsSslClientYamlTestSuiteIT extends ESClientYamlSuiteT private static final String USER = "test_user"; private static final String PASS = "x-pack-test-password"; - private static final String KEYSTORE_PASS = "keypass"; + private static final String KEYSTORE_PASS = "testnode"; public SmokeTestPluginsSslClientYamlTestSuiteIT(@Name("yaml") ClientYamlTestCandidate testCandidate) { super(testCandidate); @@ -45,7 +45,7 @@ public static Iterable parameters() throws Exception { @BeforeClass public static void getKeyStore() { try { - keyStore = PathUtils.get(SmokeTestPluginsSslClientYamlTestSuiteIT.class.getResource("/test-node.jks").toURI()); + keyStore = PathUtils.get(SmokeTestPluginsSslClientYamlTestSuiteIT.class.getResource("/testnode.jks").toURI()); } catch (URISyntaxException e) { throw new ElasticsearchException("exception while reading the store", e); } diff --git a/x-pack/qa/smoke-test-plugins-ssl/testclient.crt b/x-pack/qa/smoke-test-plugins-ssl/testclient.crt new file mode 100644 index 0000000000000..18221208c162e --- /dev/null +++ b/x-pack/qa/smoke-test-plugins-ssl/testclient.crt @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID1zCCAr+gAwIBAgIJALnUl/KSS74pMA0GCSqGSIb3DQEBCwUAMEoxDDAKBgNV +BAoTA29yZzEWMBQGA1UECxMNZWxhc3RpY3NlYXJjaDEiMCAGA1UEAxMZRWxhc3Rp +Y3NlYXJjaCBUZXN0IENsaWVudDAeFw0xNTA5MjMxODUyNTVaFw0xOTA5MjIxODUy +NTVaMEoxDDAKBgNVBAoTA29yZzEWMBQGA1UECxMNZWxhc3RpY3NlYXJjaDEiMCAG +A1UEAxMZRWxhc3RpY3NlYXJjaCBUZXN0IENsaWVudDCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBAMKm+P6vDAff0c6BWKGdhnYoNl9HijLIgfU3d9CQcqKt +wT+yUW3DPSVjIfaLmDIGj6Hl8jTHWPB7ZP4fzhrPi6m4qlRGclJMECBuNASZFiPD +tEDv3msoeqOKQet6n7PZvgpWM7hxYZO4P1aMKJtRsFAdvBAdZUnv0spR5G4UZTHz +SKmMeanIKFkLaD0XVKiLQu9/z9M6roDQeAEoCJ/8JsanG8ih2ymfPHIZuNyYIOrV +ekHN2zU6bnVn8/PCeZSjS6h5xYw+Jl5gzGI/n+F5CZ+THoH8pM4pGp6xRVzpiH12 +gvERGwgSIDXdn/+uZZj+4lE7n2ENRSOt5KcOGG99r60CAwEAAaOBvzCBvDAJBgNV +HRMEAjAAMB0GA1UdDgQWBBSSFhBXNp7AaNrHdlgCV0mCEzt7ajCBjwYDVR0RBIGH +MIGEgglsb2NhbGhvc3SCFWxvY2FsaG9zdC5sb2NhbGRvbWFpboIKbG9jYWxob3N0 +NIIXbG9jYWxob3N0NC5sb2NhbGRvbWFpbjSCCmxvY2FsaG9zdDaCF2xvY2FsaG9z +dDYubG9jYWxkb21haW42hwR/AAABhxAAAAAAAAAAAAAAAAAAAAABMA0GCSqGSIb3 +DQEBCwUAA4IBAQANvAkddfLxn4/BCY4LY/1ET3d7ZRldjFTyjjHRYJ3CYBXWVahM +skLxIcFNca8YjKfXoX8mcK+NQK/dAbGHXqk76yMlkrKjh1OQiZ1YAX5ryYerGrZ9 +9N3E9wnbn72bW3iumoLlqmTWlHEpMI0Ql6J75BQLTgKHxCPupVA5sTbWkKwGjXXA +i84rUlzhDJOR8jk3/7ct0iZO8Hk6AWMcNix5Wka3IDGUXuEVevYRlxgVyCxcnZWC +7JWREpar5aIPQFkY6VCEglxwUyXbHZw5T/u6XaKKnS7gz8RiwRh68ddSQJeEHi5e +4onUD7bOCJgfsiUwdiCkDbfN9Yum8OIpmBRs +-----END CERTIFICATE----- diff --git a/x-pack/qa/smoke-test-plugins-ssl/testclient.jks b/x-pack/qa/smoke-test-plugins-ssl/testclient.jks new file mode 100644 index 0000000000000000000000000000000000000000..d6dc21c1bd5ff4a248bfba5a171518cd649e278d GIT binary patch literal 3358 zcmdUxcTiLL7RPgw&_WA@Dgpr%0Ra2t|Qzqj*?h2U!6qpaA9r02UCG0-ZeoW^;$= z+VdV+;l3t{Je2F^&mzpV-Ik55-yc4+k?XPK74>5FEv@hI#YMj$eD{OMwLP6Xrpd6| z{K$HxQI)Ou(iWbPC+jt6?CQRb5*)aEfGniRI5FqcLHiQ;p}o(jZ|7`6aNfJpe13!k zCh7E`_Y&L)^3WAuS~wb)`b`lJNt|enT>{qi$;!lIjE|g3$7jVDsW_IQptJ4P zL_KSa{2N0Jo2a72upU2=xfl{80=FZCD7r1Ku3?_azxk;M5RFzjs_ zKf_4kUTx2YVRdXErDb5s1{7=fY2m5W~TP+I*SI_eDqkVFgr^#K@jnGp8M7_5B%id!j{Rv&0zj!Yy;vdaaEXaRK z3Yps5erJTjW`WDhK5+_Bg^lZ*JhHFtL&Ev+_n=EvycTOiJoKoHrJEbqjT3Y~`9*!N zAXfTHDe>tzYbk1m>yKNp%I5EoKuh3LB4BuxdYz1-ssS1NdTU_(g8ciq+SD-2ZQ0pz z(w#ktO)m4g<{~|xKN7B%NVRFXt=($KqN6oS2-CzB{pmOM{jS05_5y;w$U#8aSND=qq=4Q)zH9-M)(krDn_0B6!A2ffDf6 zs>-_VHI(yI-Q=9Y>n%IESBnAh?e|v&FmpY#K>oA4jKNz^W>yV&92Jvgx2o1@jS5z2 zHpH;V*6Qv_xdL;$(rmY5$EH>{mBfk#%GeK$Q_oHbrQU}P@M#zQ=j zQH$*F>*;VF(7G3_WU|N;`f&97%LF)%h0ze;TWAzar`HBTqn$Y(pQx}HeoB$H)tb5c z@fDh>j{u0pR#_c|0f8W+C<^2iiUMxRfq(%pm;>}^Fm*NAtWh4t&B~z=Wg4}?4FH@> z)jW>oLcv%er=c(egyiLh7D5U9@Hi3N1fq+#k2}tr;Npe5fR;uff5agOQKQ{)q%~8F zk;i^jW0Zt2H=0>qMHQ{3uA;7P&vY?NSLJv2AFV|Jq<3$HDfSQwz{~s#05C8G06?up z-xxG5wzn@|kZp6bqx|GFoJ?X>y2)QPul6N+<(0SSR$E?fJF*`qwSFT_h4p6c%&Jf4IkWAZsz2%8Za)J4=`tyO*nm3Iw8`U~bmy|kP zn>e{l%gU4D4RCS7Ps{yJEvG#M2k+{!mA3FwGBDtpfPnX4}KT>u9) zMS{Ft@Irpi-6|u;PuD~IC@Xwo?EFaeaq3P5A&v3gQitloZ6s4ZUCbjw3Za#QApi)- zCpV$U4JZy~=fn|EFbaec|6%e#g`fh-Lhv&hcbhMabotqW&-_F|=mcFvk#GKZ&j%$( zqsWmI4k8KXLcBoo_Mr&=VJiP>;YpWW+&w6;Kf-Dh;Xm!&IcmF-G`u~%hK4cc zHyX~I;@uChyT{CNW%d{VaW`;?`>w7~Z?XS?d|B4LC%su?@El+t=JUlfoXj*{N0vz2gvs8EzQ>8JSSjHOf+kE52K`Y01 zTq#Mb7|oqprG8n9&jH#1Zm))7fW2`o5`F93JHfzpzElyxZbirJ+mwadN&I(yp2_3Y zvlIDrGLqtW<<$OB@hl8>>+#vV*lgv=-geg(k-(K#R(h$C63XY^#|-j5e8HY3S-l_S zhb-W(eg5@E(dYN_X#zy%0f9m6KW;%DBs}4_JCOR_KiOw;4;f&xU;l6R>mCs`r&ONx z{N*rFrvD@RNR-5H>2fxDP27Oh^%h8T9@ni&m9mJW&;uoeU>%0o^0cU~5ps&#;HpeGr z1)J{oIek+S1e(apV@r#QO5GvFwWC*;yUt7ZGb#=7DsoZZ1e$a{LV6RVVm`k&t5UeR z8S@w-E{>Y`N>7L908h#7A-!?&u50S{c~PIy4f2T8J8uXR z?ep@F0-mM0&6i8m(CxA%ikmnCJAG18H{xiYCpapAw^{ur0-gTx!(4v%fmh{uN81bIz2 zcKv^F-`y$dv#l|H+2d?fvUGXI!6<}_%zTluTj;RqZC7{1F>9}xh!+DKEfXmh$90y< zgbKt+Xvr3C47R~I-J$-Whrc8^&UjYtSn%Fj<37$Ts9i*8PV=&v%wtuOtQ$+_I|s|x zkzTetw4lVU7S$t}f*Es_1Th_WNoZPPhF#v_xs=UBi`k>N&d79o1;dDE60{4X=_jQV zgko%{%CLO%#(=KmbIk>F{#aoF-h!qdmlIrlw^RV1W^^QE6s_ginyl|6j z9o8)(pZvO`ueni>;*0New^Q?*Ho3G@+opogGU&Ok?WxK&erQl-B5X4cc%7(>Dy!g~ ZL>oJOr20!OUT)aV(#sM_Gi@+F_b&|~n(_bu literal 0 HcmV?d00001 diff --git a/x-pack/qa/smoke-test-plugins-ssl/testclient.pem b/x-pack/qa/smoke-test-plugins-ssl/testclient.pem new file mode 100644 index 0000000000000..7268c55dba977 --- /dev/null +++ b/x-pack/qa/smoke-test-plugins-ssl/testclient.pem @@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: DES-EDE3-CBC,C98A45E4AFC263C2 + +wLuUEXldYc54r4ryWd6jw6UMGYwn6+ibGKHp4sD92l42lmI2UrCT/Mb/E0O+KMMy +pHgc5/dBWkXgMiqDyLIhHk4kgT40rdw5W5lZkAA4Qt/Yzd+rbscTvzp09zrF6Fll +czgoE7FrvhOKiEOakerTit4pIPYosdX606cpVQE2lq9oZs9HVMcLzdAZj8A/P/4g +fo4X3+zqVYC/LH4n00bhNoeeej2o1lEJ+l9u9hptT2ATXle6pANa83Ldg4OxJyj8 +dkR9ahnAMCvYTSjEU7nwmGNPeFX0PIUjJKQivr410cYG104DC30Yy+XrIUfjTVUi +agwlMpHoBq79/ZRUJR3xPLkIGgw4g+RPt45D9eKsEsV4vqy8SFlgaoJ2mKUKleZy +i7D9ouzMKQ3sYE4eQVQ5o3K8ZPn5eozCwCVIp7jGSsuvDpLA9peZSwWPfc5y8JFD +/64usCt1J8Mv/e9NVllC8ZA+ZmDitTiwLZysczpMOaFqqeUbk9EJst38n4nBzRV2 +quxvg9W/iveQIydFyftCtNfRkpbp0NCsLz293dBYwZacHsPcY27IBCwXHiICjiAW +q7bnisXsgSaQMhMNRGW9YElZGb7ZWxoIzcyNBisGI8zxn48ObERVOmkOFxY/gs9T +YmpVMliWtmRG6hb6iCh9b7z8THRquxgTGE9ZFBwtLUKg33aubtgAfnUh/Xq2Ue5K +l+ZCqDGEi/FSIjVENUNNntAx/vXeNPbkoGLb/HSJwAh+sjpaLGQ54xixCtE9l3NY +o2QAiZ804KLPaGtbbOv7wPumxQ+8mxG5FN0hTRrsMW9t8pBXw47iMy/T2H21TD5D +E5XbM6kFeBrnsWnZJ2/ieXqDE4SX0tm3WEvZlDg7N7jV8QDM/D3Xdkb/sqJRabMG +tQRgwkLiB+mZ5MAfGLogI2/lOEayrBVz4qYdXojewxY4LtaZ5HiUIlyA9CJelMvD +nS52I6+FpaFhvuZC10qaM9Ph9TNyx+XKRUsPILuDiBRnYiHUKs1qASl5tjn2yyjM +71WSo7A7btOckzhDZdMVf1T472f0LGsRYoQebMhotqCuR7yArZHzTeWB0CjL3tOz +j3QlhKt2E1jx43bSK5tBasd9Bpmn2onvdwu1RRP8cyQBsXJSDy4/8t/g63+C3wod +8VPrlKhK+TenK9EoEqJ2mNuNq+duOjTXfK/7GM5s0BFKv+i2ckpDi1NPckd2gXjF +yUFZhmK6k0WC4jjWloMt+WQpi1rXMEXwCypgTrqWbvD0p6+X3uQmP57L4yHQcZoW +Qcs5GnihJ0DIhw9vYDhBhNo0WY1oBO20nVCN3R/JIpp3uDtg64WvfvMSXzJIPBCY +s+/GM5TtuD6mERDu3+qXxWwiy4PMQRcgjRTMEZ3A4Iv77YfQRkcd6S9qjUUuR/5D +xs+J4ryb1biz9ofW7I+Dbz4SArWSgwcuh14AV9RBv6Rh9m83rjT2K0yvbe/+7hHW +R8nzRMqJcGNGCHmRjA/cwoiv6+k2J/RbCJqnR3RmNex/85XaXBfZwRfHXVbzZQfa +SrFaaNLf1hMwGLAJjIcQRxa3yZbjFXVx1Bp4hh8rKNWaOItjavNtNg== +-----END RSA PRIVATE KEY----- diff --git a/x-pack/qa/smoke-test-plugins-ssl/testnode.crt b/x-pack/qa/smoke-test-plugins-ssl/testnode.crt new file mode 100644 index 0000000000000..08c160bcea5ff --- /dev/null +++ b/x-pack/qa/smoke-test-plugins-ssl/testnode.crt @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID0zCCArugAwIBAgIJALi5bDfjMszLMA0GCSqGSIb3DQEBCwUAMEgxDDAKBgNV +BAoTA29yZzEWMBQGA1UECxMNZWxhc3RpY3NlYXJjaDEgMB4GA1UEAxMXRWxhc3Rp +Y3NlYXJjaCBUZXN0IE5vZGUwHhcNMTUwOTIzMTg1MjU3WhcNMTkwOTIyMTg1MjU3 +WjBIMQwwCgYDVQQKEwNvcmcxFjAUBgNVBAsTDWVsYXN0aWNzZWFyY2gxIDAeBgNV +BAMTF0VsYXN0aWNzZWFyY2ggVGVzdCBOb2RlMIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEA3rGZ1QbsW0+MuyrSLmMfDFKtLBkIFW8V0gRuurFg1PUKKNR1 +Mq2tMVwjjYETAU/UY0iKZOzjgvYPKhDTYBTte/WHR1ZK4CYVv7TQX/gtFQG/ge/c +7u0sLch9p7fbd+/HZiLS/rBEZDIohvgUvzvnA8+OIYnw4kuxKo/5iboAIS41klMg +/lATm8V71LMY68inht71/ZkQoAHKgcR9z4yNYvQ1WqKG8DG8KROXltll3sTrKbl5 +zJhn660es/1ZnR6nvwt6xnSTl/mNHMjkfv1bs4rJ/py3qPxicdoSIn/KyojUcgHV +F38fuAy2CQTdjVG5fWj9iz+mQvLm3+qsIYQdFwIDAQABo4G/MIG8MAkGA1UdEwQC +MAAwHQYDVR0OBBYEFEMMWLWQi/g83PzlHYqAVnty5L7HMIGPBgNVHREEgYcwgYSC +CWxvY2FsaG9zdIIVbG9jYWxob3N0LmxvY2FsZG9tYWluggpsb2NhbGhvc3Q0ghds +b2NhbGhvc3Q0LmxvY2FsZG9tYWluNIIKbG9jYWxob3N0NoIXbG9jYWxob3N0Ni5s +b2NhbGRvbWFpbjaHBH8AAAGHEAAAAAAAAAAAAAAAAAAAAAEwDQYJKoZIhvcNAQEL +BQADggEBAMjGGXT8Nt1tbl2GkiKtmiuGE2Ej66YuZ37WSJViaRNDVHLlg87TCcHe +k2rdO+6sFqQbbzEfwQ05T7xGmVu7tm54HwKMRugoQ3wct0bQC5wEWYN+oMDvSyO6 +M28mZwWb4VtR2IRyWP+ve5DHwTM9mxWa6rBlGzsQqH6YkJpZojzqk/mQTug+Y8aE +mVoqRIPMHq9ob+S9qd5lp09+MtYpwPfTPx/NN+xMEooXWW/ARfpGhWPkg/FuCu4z +1tFmCqHgNcWirzMm3dQpF78muE9ng6OB2MXQwL4VgnVkxmlZNHbkR2v/t8MyZJxC +y4g6cTMM3S/UMt5/+aIB2JAuMKyuD+A= +-----END CERTIFICATE----- diff --git a/x-pack/qa/smoke-test-plugins-ssl/testnode.jks b/x-pack/qa/smoke-test-plugins-ssl/testnode.jks new file mode 100644 index 0000000000000000000000000000000000000000..ebe6146124e8fd607e46a1a3129bdf9b4de0370d GIT binary patch literal 9360 zcmdUV2T)YowrzLQl93!F2SGC3WF$w)IfLYGK$2vT*iDigl`N7oh@eEt83BokWI;th zKok%V_zil_#dF{N=hmxN@83^VSMRxd)mp3enq$l{$L93&>1O}{0788*FTTk=VD28y zE;cYOYe##Svj^8*Hy60QBMbllY8=Nx4**vTxdk91003Gv1c?>_L4sT!qk(`R5Eh_) zU50G!4F3%T4;_m=TrvCr4+zA$0)Q|==^?b}XnJ5Y;(s+egq9o+ikg;}4=OCcDIVy2IuGcP39Gn>U% zK!zH|Y#zr76z$THNrVtl2Hz*duE|_x{SHKW=Wy9~#x0?_!WxzreKbBd_{B!%FFc+} z#hS1iA!Ph9s*KL}5ZCWMX)1FD)R@OQManE3e-@+qd0nOC5~I@Wvv)K719(Ez^^D!& zt6;h^oFHXs|H>4zGnJ%}f+`Pp>rEdE;=+o<-25$T9lIy1B0c;S!Z_r&_k6nwupM+P z`QIj_3i+10?X14(vmJKmiZElETC3=_VBSWbe19M>na%UTgjKu!)Hb0X5AJ>=1@Lw7vcxjN}1eMG&CU^70?>@)@Jj3w6do zK=}wbX`7exBW2Hy$yVaDo$ICp=}fYb@;nQCWlEe6F`UeJ?OsbuRMGQ zgd{VQ1`}qlEo37p4u-{8N|I&os?=jM_S_F93rh*dwGvc4>^v;F@<@1%AfI?JIxoOG#d{a^ zfIt8&OKT5%FPM$J8|t~~u}>Z;{sXMDD6qapfwk=?SP2aA8Y;D$$)co!mluiHCH4RE zP$7X(VhABRHdYc#Wb!Vj4e%Nnnzf4)lmZJVJR-@b8DwGjw9y}xw)Rb-X`tOZ@L?r7m{x$tD>pf-DK8J8PK&?Rve%UmMWfn zkY1J8$6e`6OS^j3!ZBdDpQ)-!J@JJ984?Dw%90 z9h9Kf+y~ zZ;X4CM_eV}GZ5(`=K*hqpZ8TuPP9ObD5GdI!|KXQ!DE#8?8q-!J#9& z<{0CP?#6ZZ#oFo@=oP4^3J28dh2~!eXSx~~6ipLu^f&9MPd~6p^1dZo&i#yysyksD zk}_18V>Qk~vQwzp^Jc<7;yAcH?9kbl>dg;vDb^QW7vRS}huY7Q{j*f_g#JtPV*wf` zQ+Jb8TG{^cI3dbVTnP3#FtLfzT-or(bOGc4(Y5{#j-5r{Ppfe;7RN>qhPm0{UaW%Vx1xCa5qm=3uM*tyDmx^f zYB_a@Gg~w4N2l?k$LGG^P!NIepM`u@h$CVHNvqI zC)X{Bme~#(ow!*Q{K^N&ikb6+rMH->KX;ZbN6hV7!(1Bu`qVw?;aP#3&Yrekzjpej zK?ev|N zXpSYGJX7Ur@l^_!fa=P>E&WMk1O|eS+U?%te$I}MSaKjCeWH%kki*#p`IR^ zVzx|rZ=W!gg0!F0H2VQ^^Fbof!}9le_))5Y=S5|6FO7Cv zbx_><@>*LeHI$ay>|Nv}{__#cG`gqE5HI=yy!zq2=%Sr>Y-uEp7wE@yxeIf4w6R19 z0pRVhFITw##6I{Y1PK;IRe#z)WcoxH4#%|zmFAbRe+4DeU7$D@vJi|;4ARs2BfumE z$x8ph0~o}3YA&A69w?nhuWt|Yh7v%o{$vY`Up(-~NEBoI#tcxx3+_iT2BrpTtEzI+ znim8i1QFsDfC}TOWK!IHlvq*$BEG}@fH_Cm@4K8Uq-IvD*m|7@F6Jq zuwGO-ZesCM!egNa*#)E@4QIrW8I23(sbgFL z-JqdF#j`8Vy}VmdE^%g2k0bzk-aO3BahcB5rNS zxl7R4(8SoexacwQK1c1P8)rsVPYAtP{l+gAnS>z5E){N%TZk`R&*4@b12lj~mK`oDh0NG!mg`Hy?PMdCk{$fc$gg@y}Zfu}F? zSu0-A5J<7i9~u3DF0|o^$U)%UsmE_ku>)^Gq%Eedjl|h!miFi4Sf0Lza4Yh$3`(a- zlSoW|GYZ|6+ksyVU2ZqAPbBTjepxQ8f5SX?^^wnbkC^~H#@eED&|5^5(CZW?&81lp zuK(Kl>+YUJ=bsA;AOPnN zL%!JXclJ}LX4jeGrIbUTc!v*~SOh1OiRa(L7uS+&TRqzL$=2m37@-?ugp z;<967zk5`#GF$mwu!!%bjbE#w?DiH;8#?Wzm57N|0FrE zn;pF<1Q#6>WkZaJqlDvMT!`PO>8EH>M_C>hj3f*ZfC@oG_ynO46eIBqKp_y`U*T^q z#J`%u2ttgGaj`B4_-g}bKnye)0C)>_&44m!Or)#1Ut8&;!v0wFl7XiLS&Hkpf6yQ+ zS$u^RL1(ei^U17X7FKiWIm_PUG%*qPkB-&%nj|U<+I{m8br3|&CFH3AtedxB3{(XP zEn%Zcf>g8WD}%`mB@~WM zp9uG(2Oy&6>W}bkjBJFW3kT}F6e9aa)BSXsD4RZ=aNVx{s&pychT8+Y$$l_!H^FaL z3LLd5q?EMk(g;f9FP8|X)yaCx6I!~n)nmu%`$=|;KQj#O^GGWI)jJJs z7>Ac9vNah6&K&AwA1hzS{iHejdVYVmZF*^BM|8K!2)nP`sY>CxeFi~sC&l{Y_0{O- zR3w-dQMDW`5;v=7NA6>dI8VL&`0&n)2=-n!aIaAxvy^GPc>jC8J0k!|&vN;X?e2o? zwky$-nw!ods}&g=K8Qr_j^(ku%x(XbPEm^7#X#04E>m|5a#SCvn|mjcA-(GfSo!6& zwo4GA-&byR`#aIaH8CYDzQA5wsTt$tD+m|9?pO*JTVtH)G_p-^rk-c&&hGLBJ0dr& z2HYnandk_~8S)LW z{)anZ&dF##-IbO!HlOrrA1oi$i|ZKRW2P#NW12=pa%4>IZtA*obM+ zUr`Tno4i}q5^Kd+o7JSL=5rZPlc46PloNW-aFxv_(_h*;*fV`daXfEiSnv3Vr)ub+ zGvw0>%{HX26_R#m)1Q}ov&mmtWdu>LrUjHJ2jK4u9jC@di^dq=M4hG)N(@7*Ibn94fDkgeZ1{bnK4+j=-Bc-b2kbl zB2~`9MlJg3nM9CMwMj#DMNZkY^(!}d=9l~B)2~-t=jY-H@fnybqV&{T6)llgafjWi zre8Oej@qni0pGukP;yElQPyUbR0vj64{6xhQ&{gaRu9*}FbDPDrKEY?oF2X`^?(_4 zmb)GR`9|N;k_xAaOKOcB-X5VI4lS)VpXq&hy5>;c=;P=Toe{dSmZd>q!5ROshhh@8 zezz8bnn9YgLPmvb&zHYGpx{ZvsYY(jgBa_`6ML+^wSF{M8|!4r?N-PPovp{FEv z=Pcib1<|(w1v)7kIBo9?+~*w?elzPllgNPEn;f9$IlZoM!$#4pBvCIflR?r-u)c6+ z(<;2~Ya?~aow*x1$ftJceu3cv-rdSCcqt5`!-iUS;QcI~^>3#oN1~~|xtRM0-|ar2 z-}HJmdu!h-8}h(C+}L*|A=$sKNQ*=nCXxLHm$0Of+U)vQ=e8;`-id27tf^>6nRV(o zD_35LMQCiXvc;2P5C$3ZExN#sI331)j7wM4?A}WR5y0vQHB4^!9Cb#LW2-5h8Wg_W zE?(7>&&`t(tsSfKU2gO8^6pwlf#)k(@H#E`*xxz}(ZGA`$b|V!H-7Eo_a;mxUQoaG z@iUWo&dy;${A)aMi66W&;E|)TL`@ITKe|!zaenPBdhYvMi9C1z&?Zn0VDle+KtrRW z&1xm~aLZ+Za#F!ldcDg52k7y8`+5HkKBT>PLT)EHQ+wS0?)^4H3rz7L`xRQ?0#5WuV4tJA^+R{Ul!N!Swi%8vAG}bX`+Jl z{oGbt`~Cx^#3hmbhxOmzd(GpA;JlOb?eHYV$_$QhVoRotB5vEjX~hRt_QbNfZtp`z zCa^jdlJCrmZdH&KP`Nvizsp}P9;bei0LINMRZ>umh z@wu?rUddcG(Rvf=W_VWZm(bV2C!R@~vHk=`B}z~dn3j-Xlqa^He3+oVCSlzhnr_T4 z7xI#}+RkP5Md<>pSR;^knyvj{LXvJ+Xj7FairmPhUH(WR%z8ECi!=5X-}D$9J9kN- zC$E~1Wqy*4yp5$n!!{%z@uufhdn+l@)27$nh~I1VmcvD^9)+Fcjc{mRqB-6n{4VXay+HKSqK6{!h@8K($I}H)GZL zd+vn7OSEuCTdiM0|B8QpC@%zZ-qoWKv;9Igy)4Yl!yayLZRr7{*L87mq?h*eaIu9s z!`x7JZ0LU(_QDWeC`vr@i$J00%{&wp^8X4Ugiw6cLKm~5yIVS0S@NUg`v3iXT_puI zWzN=ski(8IGp7|TpM;&i+%EXYl{BUj)_2s7CuR6q-a0@K^u0%!{YEWpYsrF1XERyZ zf$tMSTink}o&$ffH!`}Es;V{6M4j$g-H?#|zQ}jW+UO?yG=&aPZ`u&)cNLS#c$E%; zP1mx?uy^0lDm~1Sxl4AS3}fIGtsrpPzu9UsUFfLaHBjFbJbOC8(^<{SnS0n!StB#g zL}+<5vF5jPm0~0Vjt%Q?>}z(+kvmw*edbY` z@SqjXB|6rfvcCz`u_)Y;_+8ajHX`pJD&kNHczrrb!=?w{fiV124cV4iCdMz&zJwqK zE{Xo+XoqLy?Bk=64cI=0e(aTjm0Xe#m-AMZ32X;}2a~{K(-z>-Z{9+k8X@v&$i>E+ zQXRR%1%i z+gZhDOYfLI95J{tK}^7qxH4qdT=iwIXI;%~<(7x#tDq?=+?_Bwkrz$Q`TdVlR))UZ zB@j7mCy|Sc;&$|B7PbW~9eY=&!EdvD*IjQ)sB0(+cInMrs1{CN7*c3cOPQ|Rp{(Mt zOjz!_eLXl-Mnq|AsoQfh;NJug*Q+l)T z8)*rHeYv|M#Ut?%U?vsg>xas%hWwvYC#0-Sur)F2=FtkgqgCA#-e%z?+T?CPv=igi zT1bbmLe@F14M@f`Vd)CEd&TVRZ9lERix`Pv&Rj93@;7`u^|14k-pNBn{fTijp&Qtp z1B1q7E%*$Cjn_4DC1sJoqaH8jlQik)F@7bhGU9K_XgO4mt1xyV1wx@8p6R>!Z=zo} zJP|z{6Si_^2=pvzAdCS%KC?wD74V_1_=k2eaRNll~ zg_)0a(KkYGbiWo&D8{^z3der9T|L|venrzv_U)qcQ^$MFo;M|wFp-P!qEO(#sfdZ1oL-r?nXuCiHy2Qq0 ziM;!sUs2F`&Az?Mh;}V|OcB@zA_b&cXvUK=;k^R`-C{MPC+tX)V!8h%5RdT?@P(Uf7yaQA1qCnw{nH+*r>*BMBG9Ld(hllZ5Ey>&8FWz*Q!dPYoj zCzFk0KZGQUrz|3zXT|9#%3tEMsddw5y@{5+yMt>KbeorB%SpCOL#uM0uGFADE&g#g#^|1;Itr9?;L0YErGBwTfC_I{Rc$*iOkJ|A4=@L50Z x`UE0joFCFX(i+qD)1h^DcPJOtN>)kRbQgMUO*p!K@AKymmi%I+{Ip*({}0#og{%Mo literal 0 HcmV?d00001 diff --git a/x-pack/qa/smoke-test-plugins-ssl/testnode.pem b/x-pack/qa/smoke-test-plugins-ssl/testnode.pem new file mode 100644 index 0000000000000..5a67e1033440d --- /dev/null +++ b/x-pack/qa/smoke-test-plugins-ssl/testnode.pem @@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: DES-EDE3-CBC,9D867F7E0C94D013 + +dVoVCjPeg1wgS7rVtOvGfQcrZyLkx393aWRnFq45tbjKBVuITtJ9vI7o4QXOV/15 +Gnb6WhXGIdWrzsxEAd46K6hIuNSISd4Emsx6c2Q5hTqWXXfexbOZBNfTtXtdJPnJ +1jAaikhtztLo3JSLTKNY5sNxd+XbaQyYVUWvueK6zOaIIMETvB+VPVFd9i1ROibk +Sgdtyj01KjkoalifqK/tA0CIYNKL0S6/eoK3UhAlpIprlpV+cnXa940C6bjLeJPt +PMAGGp5RrplxSgrSerw3I9DOWkHGtpqzIka3XneNUXJP8k4HUJ+aZkGH2ZILKS8d +4KMIb+KZSpHEGn+6uGccWLtZZmAjWJrDw56JbQtSHdRYLBRSOjLbTvQoPu/2Hpli +7HOxbotlvjptMunncq5aqK57SHA1dh0cwF7J3LUmGFJ67eoz+VV3b5qMn4MopSeI +mS16Ydd3nGpjSrln/elM0CQxqWfcOAXRZpDpFUQoXcBrLVzvz2DBl/0CrTRLhgzi +CO+5/IVcBWRlYpRNGgjjP7q0j6URID3jk5J06fYQXmBiwQT5j+GZqqzpMCJ9mIy2 +1O9SN1hebJnIcEU+E0njn/MGjlYdPywhaCy8pqElp6Q8TUEJpwLRFO/owCoBet/n +ZmCXUjfCGhc1pWHufFcDEQ6xMgEWWY/tdwCZeSU7EhErTjCbfupg+55A5fpDml0m +3wH4CFcuRjlqyx6Ywixm1ATeitDtJl5HQTw6b8OtEXwSgRmZ0eSqSRVk9QbVS7gu +IpQe09/Zimb5HzjZqZ3fdqHlcW4xax8hyJeyIvF5ZJ57eY8CBvu/wP2GDn26QnvF +xQqdfDbq1H4JmpwUHpbFwBoQK4Q6WFd1z4EA9bRQeo3H9PoqoOwMDjzajwLRF7b7 +q6tYH/n9PyHwdf1c4fFwgSmL1toXGfKlA9hjIaLsRSDD6srT5EdUk78bsnddwI51 +tu7C7P4JG+h1VdRNMNTlqtileWsIE7Nn2A1OkcUxZdF5mamENpDpJcHePLto6c8q +FKiwyFMsxhgsj6HK2HqO+UA4sX5Ni4oHwiPmb//EZLn045M5i1AN26KosJmb8++D +sgR5reWRy+UqJCTYblVg+7Dx++ggUnfxVyQEsWmw5r5f4KU5wXBkvoVMGtPNa9DE +n/uLtObD1qkNL38pRsr2OGRchYCgEoKGqEISBP4knfGXLOlWiW/246j9QzI97r1u +tvy7fKg28G7AUz9l6bpewsPHefBUeRQeieP9eJINaEpxkF/w2RpKDLpQjWxwDDOM +s+D0mrBMJve17AmJ8rMw6dIQPZYNZ88/jz1uQuUwQ2YlbmtZbCG81k9YMFGEU9XS +cyhJxj8hvYnt2PR5Z9/cJPyWOs0m/ufOeeQQ8SnU/lzmrQnpzUd2Z6p5i/B7LdRP +n1kX+l1qynuPnjvBz4nJQE0p6nzW8RyCDSniC9mtYtZmhgC8icqxgbvS7uEOBIYJ +NbK+0bEETTO34iY/JVTIqLOw3iQZYMeUpxpj6Phgx/oooxMTquMecPKNgeVtaBst +qjTNPX0ti1/HYpZqzYi8SV8YjHSJWCVMsZjKPr3W/HIcCKqYoIfgzi83Ha2KMQx6 +-----END RSA PRIVATE KEY----- diff --git a/x-pack/qa/sql/security/ssl/build.gradle b/x-pack/qa/sql/security/ssl/build.gradle index fe8aaeaff2b64..cfc04f97188a4 100644 --- a/x-pack/qa/sql/security/ssl/build.gradle +++ b/x-pack/qa/sql/security/ssl/build.gradle @@ -1,5 +1,5 @@ +import org.elasticsearch.gradle.BuildPlugin import org.elasticsearch.gradle.LoggedExec -import org.elasticsearch.gradle.MavenFilteringHack import org.elasticsearch.gradle.test.NodeInfo import javax.net.ssl.HttpsURLConnection @@ -22,7 +22,7 @@ Object san = new SanEvaluator() File keystoreDir = new File(project.buildDir, 'keystore') // Generate the node's keystore -File nodeKeystore = new File(keystoreDir, 'test-node.jks') +File nodeKeystore = file("$keystoreDir/test-node.jks") task createNodeKeyStore(type: LoggedExec) { doFirst { if (nodeKeystore.parentFile.exists() == false) { @@ -47,7 +47,7 @@ task createNodeKeyStore(type: LoggedExec) { } // Generate the client's keystore -File clientKeyStore = new File(keystoreDir, 'test-client.jks') +File clientKeyStore = file("$keystoreDir/test-client.jks") task createClientKeyStore(type: LoggedExec) { doFirst { if (clientKeyStore.parentFile.exists() == false) { @@ -72,7 +72,7 @@ task createClientKeyStore(type: LoggedExec) { } // Export the node's certificate -File nodeCertificate = new File(keystoreDir, 'test-node.cert') +File nodeCertificate = file("$keystoreDir/test-node.cert") task exportNodeCertificate(type: LoggedExec) { dependsOn createNodeKeyStore doFirst { @@ -104,7 +104,7 @@ task importNodeCertificateInClientKeyStore(type: LoggedExec) { } // Export the client's certificate -File clientCertificate = new File(keystoreDir, 'test-client.cert') +File clientCertificate = file("$keystoreDir/test-client.cert") task exportClientCertificate(type: LoggedExec) { dependsOn createClientKeyStore doFirst { @@ -145,7 +145,6 @@ processTestResources.dependsOn(importNodeCertificateInClientKeyStore, importClie integTestCluster.dependsOn(importClientCertificateInNodeKeyStore) - integTestCluster { // The setup that we actually want setting 'xpack.security.http.ssl.enabled', 'true' @@ -206,9 +205,18 @@ integTestCluster { return tmpFile.exists() } } +Closure notRunningFips = { + Boolean.parseBoolean(BuildPlugin.runJavascript(project, project.runtimeJavaHome, + 'print(java.security.Security.getProviders()[0].name.toLowerCase().contains("fips"));')) == false +} - - +// Do not attempt to form a cluster in a FIPS JVM, as doing so with a JKS keystore will fail. +// TODO Revisit this when SQL CLI client can handle key/certificate instead of only Keystores. +// https://github.com/elastic/elasticsearch/issues/32306 +tasks.matching({ it.name == "integTestCluster#init" }).all { onlyIf notRunningFips } +tasks.matching({ it.name == "integTestCluster#start" }).all { onlyIf notRunningFips } +tasks.matching({ it.name == "integTestCluster#wait" }).all { onlyIf notRunningFips } +tasks.matching({ it.name == "integTestRunner" }).all { onlyIf notRunningFips } /** A lazy evaluator to find the san to use for certificate generation. */ class SanEvaluator { @@ -293,7 +301,7 @@ class SanEvaluator { byte[] bytes = inet6Address.getAddress(); int[] hextets = new int[8]; for (int i = 0; i < hextets.length; i++) { - hextets[i] = (bytes[2 * i] & 255) << 8 | bytes[2 * i + 1] & 255; + hextets[i] = (bytes[2 * i] & 255) << 8 | bytes[2 * i + 1] & 255; } compressLongestRunOfZeroes(hextets); return hextetsToIPv6String(hextets); diff --git a/x-pack/qa/sql/src/main/java/org/elasticsearch/xpack/qa/sql/jdbc/JdbcIntegrationTestCase.java b/x-pack/qa/sql/src/main/java/org/elasticsearch/xpack/qa/sql/jdbc/JdbcIntegrationTestCase.java index a339222445a1a..301e15c8efbd5 100644 --- a/x-pack/qa/sql/src/main/java/org/elasticsearch/xpack/qa/sql/jdbc/JdbcIntegrationTestCase.java +++ b/x-pack/qa/sql/src/main/java/org/elasticsearch/xpack/qa/sql/jdbc/JdbcIntegrationTestCase.java @@ -84,7 +84,7 @@ protected Connection useDataSource() throws SQLException { public static void index(String index, CheckedConsumer body) throws IOException { index(index, "1", body); } - + public static void index(String index, String documentId, CheckedConsumer body) throws IOException { Request request = new Request("PUT", "/" + index + "/doc/" + documentId); request.addParameter("refresh", "true");