Skip to content

Disable specific locales for tests in fips mode #38938

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 5 commits into from
Feb 19, 2019
Merged

Disable specific locales for tests in fips mode #38938

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
db1512b
Disable specific locales for tests in fips mode
jkakavas Feb 15, 2019
0148b94
fix overrides
jkakavas Feb 15, 2019
7d068cf
address feedback
jkakavas Feb 15, 2019
59ee5cb
Do not restore locale to the unusable one
jkakavas Feb 18, 2019
7a27f26
Merge remote-tracking branch 'origin/master' into forbid-locale-fips
jkakavas Feb 18, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 16 additions & 0 deletions test/framework/src/main/java/org/elasticsearch/test/ESTestCase.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -327,6 +327,16 @@ public static void restoreContentType() {
Requests.INDEX_CONTENT_TYPE = XContentType.JSON;
}

@BeforeClass
Copy link
Contributor Author

@jkakavas jkakavas Feb 15, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It feels a little too much of a blanket approach to do this in ESTestCase, but failing tests could be anywhere from classes implementing ESRestTestCase, or security related ones implementing ESTestCase. Doing this here, also protects us from future tests inadvertently causing this. I'm definitely open to suggestions to limit the scope if necessary but given the fact that the upstream bug makes using BCFipsProvider unusable in these 3 locales for users when dealing with certificates, I believe it's ok to not run the tests using these.

public static void ensureSupportedLocale() {
if (isUnusableLocale()) {
Logger logger = LogManager.getLogger(ESTestCase.class);
logger.warn("Attempting to run tests in an unusable locale in a FIPS JVM. Certificate expiration validation will fail, " +
Copy link
Contributor

@alpar-t alpar-t Feb 15, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe it would be good to provide a link to the upstream bug so it's easier to check if this is still relevant ?

Copy link
Contributor Author

@jkakavas jkakavas Feb 15, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the log message you mean ? Sure thing

Copy link
Contributor

@alpar-t alpar-t Feb 15, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, move it to the log message rather than the comment.

"switching to English. See: https://github.com/bcgit/bc-java/issues/405");
Locale.setDefault(Locale.ENGLISH);
}
}

@Before
public final void before() {
logger.info("{}before test", getTestParamsForLogging());
Expand Down Expand Up @@ -1419,6 +1429,12 @@ public TestAnalysis(IndexAnalyzers indexAnalyzers,
}
}

private static boolean isUnusableLocale() {
return inFipsJvm() && (Locale.getDefault().toLanguageTag().equals("th-TH")
|| Locale.getDefault().toLanguageTag().equals("ja-JP-u-ca-japanese-x-lvariant-JP")
|| Locale.getDefault().toLanguageTag().equals("th-TH-u-nu-thai-x-lvariant-TH"));
}

public static boolean inFipsJvm() {
return Security.getProviders()[0].getName().toLowerCase(Locale.ROOT).contains("fips");
}
Expand Down
33 changes: 0 additions & 33 deletions ...ugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/RestrictedTrustManagerTests.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,15 +5,11 @@
*/
package org.elasticsearch.xpack.core.ssl;

import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.LogManager;
import org.elasticsearch.test.ESTestCase;
import org.hamcrest.Description;
import org.hamcrest.TypeSafeMatcher;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.Before;
import org.junit.BeforeClass;

import javax.net.ssl.X509ExtendedTrustManager;

Expand All @@ -32,7 +28,6 @@
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.regex.Pattern;
Expand All @@ -45,34 +40,6 @@ public class RestrictedTrustManagerTests extends ESTestCase {
private int numberOfClusters;
private int numberOfNodes;

private static Locale restoreLocale;

@BeforeClass
public static void ensureSupportedLocale() throws Exception {
Logger logger = LogManager.getLogger(RestrictedTrustManagerTests.class);
if (isUnusableLocale()) {
// See: https://github.com/elastic/elasticsearch/issues/33081
logger.warn("Attempting to run RestrictedTrustManagerTests tests in an unusable locale in a FIPS JVM. Certificate expiration " +
"validation will fail, switching to English");
restoreLocale = Locale.getDefault();
Locale.setDefault(Locale.ENGLISH);
}
}

private static boolean isUnusableLocale() {
return inFipsJvm() && (Locale.getDefault().toLanguageTag().equals("th-TH")
|| Locale.getDefault().toLanguageTag().equals("ja-JP-u-ca-japanese-x-lvariant-JP")
|| Locale.getDefault().toLanguageTag().equals("th-TH-u-nu-thai-x-lvariant-TH"));
}

@AfterClass
public static void restoreLocale() throws Exception {
if (restoreLocale != null) {
Locale.setDefault(restoreLocale);
restoreLocale = null;
}
}

@Before
public void readCertificates() throws GeneralSecurityException, IOException {

Expand Down
2 changes: 1 addition & 1 deletion ...ugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlTestCase.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -53,7 +53,7 @@ private static boolean isTurkishLocale() {
}

@AfterClass
public static void restoreLocale() throws Exception {
public static void restoreLocale() {
if (restoreLocale != null) {
Locale.setDefault(restoreLocale);
restoreLocale = null;
Expand Down
2 changes: 1 addition & 1 deletion ...tests/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosTestCase.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -98,7 +98,7 @@ public static void setupKerberos() throws Exception {
}

@AfterClass
public static void restoreLocale() throws Exception {
public static void restoreLocale() {
if (restoreLocale != null) {
Locale.setDefault(restoreLocale);
restoreLocale = null;
Expand Down