From db1512b9fb35b21615ba76ed17bff7c26fc5c08b Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Fri, 15 Feb 2019 11:38:29 +0200 Subject: [PATCH 1/4] Disable specific locales for tests in fips mode The Bouncy Castle FIPS provider that we use for running our tests in fips mode has an issue with locale sensitive handling of Dates as described in https://github.com/bcgit/bc-java/issues/405 This causes certificate validation to fail if any given test that includes some form of certificate validation happens to run in one of the locales. This manifested earlier in #33081 which was handled insufficiently in #33299 This change ensures that the problematic 3 locales * th-TH * ja-JP-u-ca-japanese-x-lvariant-JP * th-TH-u-nu-thai-x-lvariant-TH will not be used when running our tests in a FIPS 140 JVM. It also reverts #33299 --- .../org/elasticsearch/test/ESTestCase.java | 28 ++++++++++++++++ .../core/ssl/RestrictedTrustManagerTests.java | 33 ------------------- 2 files changed, 28 insertions(+), 33 deletions(-) diff --git a/test/framework/src/main/java/org/elasticsearch/test/ESTestCase.java b/test/framework/src/main/java/org/elasticsearch/test/ESTestCase.java index a36018921e9f4..15ff387c61e66 100644 --- a/test/framework/src/main/java/org/elasticsearch/test/ESTestCase.java +++ b/test/framework/src/main/java/org/elasticsearch/test/ESTestCase.java @@ -193,6 +193,8 @@ public abstract class ESTestCase extends LuceneTestCase { private static final Collection nettyLoggedLeaks = new ArrayList<>(); + private static Locale restoreLocale; + @AfterClass public static void resetPortCounter() { portGenerator.set(0); 
@@ -327,6 +329,26 @@ public static void restoreContentType() { Requests.INDEX_CONTENT_TYPE = XContentType.JSON; } + @BeforeClass + public static void ensureSupportedLocale() { + if (isUnusableLocale()) { + // See: https://github.com/bcgit/bc-java/issues/405 + Logger logger = LogManager.getLogger(ESTestCase.class); + logger.warn("Attempting to run tests in an unusable locale in a FIPS JVM. Certificate expiration validation will fail, " + + "switching to English"); + restoreLocale = Locale.getDefault(); + Locale.setDefault(Locale.ENGLISH); + } + } + + @AfterClass + public static void restoreLocale() { + if (restoreLocale != null) { + Locale.setDefault(restoreLocale); + restoreLocale = null; + } + } + @Before public final void before() { logger.info("{}before test", getTestParamsForLogging()); @@ -1419,6 +1441,12 @@ public TestAnalysis(IndexAnalyzers indexAnalyzers, } } + private static boolean isUnusableLocale() { + return inFipsJvm() && (Locale.getDefault().toLanguageTag().equals("th-TH") + || Locale.getDefault().toLanguageTag().equals("ja-JP-u-ca-japanese-x-lvariant-JP") + || Locale.getDefault().toLanguageTag().equals("th-TH-u-nu-thai-x-lvariant-TH")); + } + public static boolean inFipsJvm() { return Security.getProviders()[0].getName().toLowerCase(Locale.ROOT).contains("fips"); } diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/RestrictedTrustManagerTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/RestrictedTrustManagerTests.java index 32f75f56da2a9..109722c37c086 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/RestrictedTrustManagerTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/RestrictedTrustManagerTests.java 
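Review bot: The new hooks `ensureSupportedLocale` and `restoreLocale` have generic names on the base test class, so a subclass that declares a static method with the same name hides them. The second patch in this series shows SamlTestCase and KerberosTestCase (presumably ESTestCase subclasses) each already have their own `restoreLocale`. JUnit 4 documents that a shadowed superclass `@BeforeClass`/`@AfterClass` method is not run, so the FIPS locale guard or its restore may be skipped silently for such a class. Whether those classes also declare `ensureSupportedLocale` is not visible here, and the runner in use may treat shadowing differently. Names tied to the workaround, such as `ensureSupportedLocaleInFipsJvm`, would avoid the collision, and a short Javadoc should say that the hook changes the JVM-wide default locale and why.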
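Review bot: `isUnusableLocale` is an exact-match deny-list of three language tags, so a default locale that trips the same Bouncy Castle FIPS date handling under a different tag would still let certificate validation fail intermittently. The commit message names only these three, so this is a coverage question to confirm rather than a known miss. The method also evaluates `Locale.getDefault().toLanguageTag()` up to three times; a new `private static final` set of the tags, checked once, reads more clearly: `return inFipsJvm() && UNUSABLE_FIPS_LOCALE_TAGS.contains(Locale.getDefault().toLanguageTag());`. A comment on that set pointing to https://github.com/bcgit/bc-java/issues/405 would tell maintainers when the list can be dropped.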
@@ -5,15 +5,11 @@ */ package org.elasticsearch.xpack.core.ssl; -import org.apache.logging.log4j.Logger; -import org.apache.logging.log4j.LogManager; import org.elasticsearch.test.ESTestCase; import org.hamcrest.Description; import org.hamcrest.TypeSafeMatcher; -import org.junit.AfterClass; import org.junit.Assert; import org.junit.Before; -import org.junit.BeforeClass; import javax.net.ssl.X509ExtendedTrustManager; @@ -32,7 +28,6 @@ import java.util.Collections; import java.util.HashMap; import java.util.List; -import java.util.Locale; import java.util.Map; import java.util.Objects; import java.util.regex.Pattern; @@ -45,34 +40,6 @@ public class RestrictedTrustManagerTests extends ESTestCase { private int numberOfClusters; private int numberOfNodes; - private static Locale restoreLocale; - - @BeforeClass - public static void ensureSupportedLocale() throws Exception { - Logger logger = LogManager.getLogger(RestrictedTrustManagerTests.class); - if (isUnusableLocale()) { - // See: https://github.com/elastic/elasticsearch/issues/33081 - logger.warn("Attempting to run RestrictedTrustManagerTests tests in an unusable locale in a FIPS JVM. Certificate expiration " + - "validation will fail, switching to English"); - restoreLocale = Locale.getDefault(); - Locale.setDefault(Locale.ENGLISH); - } - } - - private static boolean isUnusableLocale() { - return inFipsJvm() && (Locale.getDefault().toLanguageTag().equals("th-TH") - || Locale.getDefault().toLanguageTag().equals("ja-JP-u-ca-japanese-x-lvariant-JP") - || Locale.getDefault().toLanguageTag().equals("th-TH-u-nu-thai-x-lvariant-TH")); - } - - @AfterClass - public static void restoreLocale() throws Exception { - if (restoreLocale != null) { - Locale.setDefault(restoreLocale); - restoreLocale = null; - } - } - @Before public void readCertificates() throws GeneralSecurityException, IOException { From 0148b947b5ba9278f6c17973fb96cf056ed0ab73 Mon Sep 17 00:00:00 2001 
From: Ioannis Kakavas Date: Fri, 15 Feb 2019 12:16:01 +0200 Subject: [PATCH 2/4] fix overrides --- .../elasticsearch/xpack/security/authc/saml/SamlTestCase.java | 2 +- .../xpack/security/authc/kerberos/KerberosTestCase.java | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlTestCase.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlTestCase.java index 7bf13e8be265c..c35561102020b 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlTestCase.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlTestCase.java @@ -53,7 +53,7 @@ private static boolean isTurkishLocale() { } @AfterClass - public static void restoreLocale() throws Exception { + public static void restoreLocale() { if (restoreLocale != null) { Locale.setDefault(restoreLocale); restoreLocale = null; diff --git a/x-pack/qa/evil-tests/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosTestCase.java b/x-pack/qa/evil-tests/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosTestCase.java index ecaf67205ac80..6754b1acb9347 100644 --- a/x-pack/qa/evil-tests/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosTestCase.java +++ b/x-pack/qa/evil-tests/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosTestCase.java @@ -98,7 +98,7 @@ public static void setupKerberos() throws Exception { } @AfterClass - public static void restoreLocale() throws Exception { + public static void restoreLocale() { if (restoreLocale != null) { Locale.setDefault(restoreLocale); restoreLocale = null; From 7d068cfe7e930dab367e27f9b1a61a733dd21941 Mon Sep 17 00:00:00 2001 
From: Ioannis Kakavas Date: Fri, 15 Feb 2019 12:21:29 +0200 Subject: [PATCH 3/4] address feedback --- .../src/main/java/org/elasticsearch/test/ESTestCase.java | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/test/framework/src/main/java/org/elasticsearch/test/ESTestCase.java b/test/framework/src/main/java/org/elasticsearch/test/ESTestCase.java index 15ff387c61e66..ca9a5f945c989 100644 --- a/test/framework/src/main/java/org/elasticsearch/test/ESTestCase.java +++ b/test/framework/src/main/java/org/elasticsearch/test/ESTestCase.java @@ -332,10 +332,9 @@ public static void restoreContentType() { @BeforeClass public static void ensureSupportedLocale() { if (isUnusableLocale()) { - // See: https://github.com/bcgit/bc-java/issues/405 Logger logger = LogManager.getLogger(ESTestCase.class); logger.warn("Attempting to run tests in an unusable locale in a FIPS JVM. Certificate expiration validation will fail, " + - "switching to English"); + "switching to English. See: https://github.com/bcgit/bc-java/issues/405"); restoreLocale = Locale.getDefault(); Locale.setDefault(Locale.ENGLISH); } From 59ee5cba68f58ac7caee60c352afde768c2c5d4f Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Mon, 18 Feb 2019 18:41:38 +0200 Subject: [PATCH 4/4] Do not restore locale to the unusable one --- .../main/java/org/elasticsearch/test/ESTestCase.java | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/test/framework/src/main/java/org/elasticsearch/test/ESTestCase.java b/test/framework/src/main/java/org/elasticsearch/test/ESTestCase.java index ca9a5f945c989..7ce82163d7224 100644 --- a/test/framework/src/main/java/org/elasticsearch/test/ESTestCase.java +++ b/test/framework/src/main/java/org/elasticsearch/test/ESTestCase.java 
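Review bot: The warning in `ensureSupportedLocale` does not say which default locale was rejected, so a FIPS CI log shows that a switch happened but not which of the three tags triggered it. Passing the tag as a log parameter makes locale-dependent certificate failures easier to correlate with a test seed, for example by ending the message with `"switching to English (was {}). See: https://github.com/bcgit/bc-java/issues/405", Locale.getDefault().toLanguageTag()`. The value has to be read before `Locale.setDefault(Locale.ENGLISH)` runs, which the current statement order already allows. The method's closing brace lies outside this hunk.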
@@ -193,8 +193,6 @@ public abstract class ESTestCase extends LuceneTestCase { private static final Collection nettyLoggedLeaks = new ArrayList<>(); - private static Locale restoreLocale; - @AfterClass public static void resetPortCounter() { portGenerator.set(0); @@ -335,19 +333,10 @@ public static void ensureSupportedLocale() { Logger logger = LogManager.getLogger(ESTestCase.class); logger.warn("Attempting to run tests in an unusable locale in a FIPS JVM. Certificate expiration validation will fail, " + "switching to English. See: https://github.com/bcgit/bc-java/issues/405"); - restoreLocale = Locale.getDefault(); Locale.setDefault(Locale.ENGLISH); } } - @AfterClass - public static void restoreLocale() { - if (restoreLocale != null) { - Locale.setDefault(restoreLocale); - restoreLocale = null; - } - } - @Before public final void before() { logger.info("{}before test", getTestParamsForLogging());