From fab2ec5911dfcd211aeda0cb2a38a8a515c7e282 Mon Sep 17 00:00:00 2001 From: Tim Vernum Date: Tue, 19 Nov 2019 17:12:02 +1100 Subject: [PATCH] Deprecate misconfigured SSL server config This commit adds a deprecation warning when starting a node where either of the server contexts (xpack.security.transport.ssl and xpack.security.http.ssl) meets either of these conditions: 1. The server lacks a certificate/key pair (i.e. neither ssl.keystore.path nor ssl.certificate are configured) 2. The server has some ssl configuration, but ssl.enabled is not specified. This new validation does not care whether ssl.enabled is true or false (though other validation might); it simply makes it an error to configure server SSL without being explicit about whether to enable that configuration. Backport of: #45892 --- client/rest-high-level/build.gradle | 2 + .../xpack/core/ssl/SSLService.java | 37 +++++++++++- .../transport/ProfileConfigurationsTests.java | 22 ++++++- .../ssl/SSLConfigurationReloaderTests.java | 32 +++++++++-- .../xpack/core/ssl/SSLServiceTests.java | 55 +++++++++++++----- .../test/SettingsFilterTests.java | 1 + .../security/PkiRealmBootstrapCheckTests.java | 23 ++++++++ .../tool/CommandLineHttpClientTests.java | 24 +++++--- .../LdapUserSearchSessionFactoryTests.java | 1 + .../security/authc/saml/SamlRealmTests.java | 1 + ...ecurityNetty4HttpServerTransportTests.java | 17 +----- .../SecurityNioHttpServerTransportTests.java | 24 +------- .../transport/ssl/SslIntegrationTests.java | 2 +- .../xpack/ssl/SSLErrorMessageTests.java | 57 +++++++++++++++++++ .../xpack/ssl/SSLReloadIntegTests.java | 1 + .../xpack/ssl/SSLTrustRestrictionsTests.java | 1 + .../watcher/common/http/HttpClientTests.java | 8 ++- 17 files changed, 237 insertions(+), 71 deletions(-) diff --git a/client/rest-high-level/build.gradle b/client/rest-high-level/build.gradle index d6817493a7894..82c15c0c54414 100644 --- a/client/rest-high-level/build.gradle +++ b/client/rest-high-level/build.gradle 
@@ -123,6 +123,8 @@ testClusters.all { setting 'xpack.security.enabled', 'true' setting 'xpack.security.authc.token.enabled', 'true' setting 'xpack.security.authc.api_key.enabled', 'true' + setting 'xpack.security.http.ssl.enabled', 'false' + setting 'xpack.security.transport.ssl.enabled', 'false' // Truststore settings are not used since TLS is not enabled. Included for testing the get certificates API setting 'xpack.security.http.ssl.certificate_authorities', 'testnode.crt' setting 'xpack.security.transport.ssl.truststore.path', 'testnode.jks' diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLService.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLService.java index 21ac0f228aedd..1e890d7e9eb7d 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLService.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLService.java @@ -14,6 +14,7 @@ import org.elasticsearch.ElasticsearchSecurityException; import org.elasticsearch.common.CheckedSupplier; import org.elasticsearch.common.Strings; +import org.elasticsearch.common.logging.DeprecationLogger; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.env.Environment; import org.elasticsearch.xpack.core.XPackSettings; @@ -33,14 +34,13 @@ import javax.net.ssl.TrustManagerFactory; import javax.net.ssl.X509ExtendedKeyManager; import javax.net.ssl.X509ExtendedTrustManager; - import java.io.IOException; import java.net.InetAddress; import java.net.Socket; import java.security.GeneralSecurityException; import java.security.KeyManagementException; -import java.security.NoSuchAlgorithmException; import java.security.KeyStore; +import java.security.NoSuchAlgorithmException; import java.util.ArrayList; import java.util.Arrays; import java.util.Collection; 
@@ -68,6 +68,8 @@ public class SSLService { private static final Logger logger = LogManager.getLogger(SSLService.class); + private static final DeprecationLogger deprecationLogger = new DeprecationLogger(logger); + /** * An ordered map of protocol algorithms to SSLContext algorithms. The map is ordered from most * secure to least secure. The names in this map are taken from the @@ -432,6 +434,10 @@ Map loadSSLConfigurations() { Map profileSettings = getTransportProfileSSLSettings(settings); profileSettings.forEach((key, profileSetting) -> loadConfiguration(key, profileSetting, sslContextHolders)); + for (String context : Arrays.asList("xpack.security.transport.ssl", "xpack.security.http.ssl")) { + validateServerConfiguration(context); + } + return Collections.unmodifiableMap(sslContextHolders); } @@ -450,6 +456,33 @@ private SSLConfiguration loadConfiguration(String key, Settings settings, Map sslSettingNames = settings.keySet().stream() + .filter(s -> s.startsWith(prefix)) + .sorted() + .collect(Collectors.toList()); + if (sslSettingNames.isEmpty() == false) { + deprecationLogger.deprecated("invalid configuration for " + prefix + " - [" + enabledSetting + + "] is not set, but the following settings have been configured in elasticsearch.yml : [" + + Strings.collectionToCommaDelimitedString(sslSettingNames) + "]"); + } + } + } + private void storeSslConfiguration(String key, SSLConfiguration configuration) { if (key.endsWith(".")) { key = key.substring(0, key.length() - 1); diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/transport/ProfileConfigurationsTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/transport/ProfileConfigurationsTests.java index 02cb1d70c7f62..fd7315d7457c2 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/transport/ProfileConfigurationsTests.java 
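Review bot: The deprecation text in validateServerConfiguration attributes the offending settings to `elasticsearch.yml`, but `settings.keySet()` spans every settings source, so an operator who supplied them another way is pointed at the wrong place; a neutral wording such as `"] is not set, but the following settings have been configured: ["` avoids that. Emitting only setting names and never their values is the right choice for a log line, and a Javadoc on the method should say so explicitly, e.g. that it logs a deprecation naming (but not valuing) every setting under the context prefix when that context's `enabled` setting is absent. The two context names in the new loop in loadSSLConfigurations are an inline hard-coded list; a named `static final List<String>` of server contexts would record why exactly these two are validated while client contexts are not. The start of validateServerConfiguration, including its signature and any keystore/certificate presence check described in the commit message, is not legible in this hunk as rendered, so that part is not reviewed here.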
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/transport/ProfileConfigurationsTests.java @@ -6,6 +6,7 @@ package org.elasticsearch.xpack.core.security.transport; +import org.elasticsearch.common.settings.MockSecureSettings; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.env.Environment; import org.elasticsearch.env.TestEnvironment; @@ -15,14 +16,16 @@ import org.elasticsearch.xpack.core.ssl.VerificationMode; import org.hamcrest.Matchers; +import java.nio.file.Path; import java.util.Map; public class ProfileConfigurationsTests extends ESTestCase { public void testGetSecureTransportProfileConfigurations() { - final Settings settings = Settings.builder() + final Settings settings = getBaseSettings() .put("path.home", createTempDir()) .put("xpack.security.transport.ssl.verification_mode", VerificationMode.CERTIFICATE.name()) + .put("xpack.security.transport.ssl.verification_mode", VerificationMode.CERTIFICATE.name()) .put("transport.profiles.full.xpack.security.ssl.verification_mode", VerificationMode.FULL.name()) .put("transport.profiles.cert.xpack.security.ssl.verification_mode", VerificationMode.CERTIFICATE.name()) .build(); @@ -39,7 +42,7 @@ public void testGetSecureTransportProfileConfigurations() { public void testGetInsecureTransportProfileConfigurations() { assumeFalse("Can't run in a FIPS JVM with verification mode None", inFipsJvm()); - final Settings settings = Settings.builder() + final Settings settings = getBaseSettings() .put("path.home", createTempDir()) .put("xpack.security.transport.ssl.verification_mode", VerificationMode.CERTIFICATE.name()) .put("transport.profiles.none.xpack.security.ssl.verification_mode", VerificationMode.NONE.name()) 
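Review bot: The added `.put("xpack.security.transport.ssl.verification_mode", VerificationMode.CERTIFICATE.name())` in testGetSecureTransportProfileConfigurations duplicates the unchanged line immediately above it; the second call only overwrites the first with the same value, so the added line should be dropped. The rest of the test method continues outside this hunk.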
@@ -53,4 +56,19 @@ public void testGetInsecureTransportProfileConfigurations() { assertThat(profileConfigurations.get("none").verificationMode(), Matchers.equalTo(VerificationMode.NONE)); assertThat(profileConfigurations.get("default"), Matchers.sameInstance(defaultConfig)); } + + private Settings.Builder getBaseSettings() { + final Path keystore = randomBoolean() + ? getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks") + : getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.p12"); + + MockSecureSettings secureSettings = new MockSecureSettings(); + secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); + + return Settings.builder() + .setSecureSettings(secureSettings) + .put("xpack.security.transport.ssl.enabled", true) + .put("xpack.security.transport.ssl.keystore.path", keystore.toString()); + } + } diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationReloaderTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationReloaderTests.java index 1bb7159db491e..6a4ba77f76fdf 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationReloaderTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationReloaderTests.java @@ -110,6 +110,7 @@ public void testReloadingKeyStore() throws Exception { secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); final Settings settings = Settings.builder() .put("path.home", createTempDir()) + .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.keystore.path", keystorePath) .setSecureSettings(secureSettings) .build(); 
@@ -166,6 +167,7 @@ public void testPEMKeyConfigReloading() throws Exception { secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); final Settings settings = Settings.builder() .put("path.home", createTempDir()) + .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.key", keyPath) .put("xpack.security.transport.ssl.certificate", certPath) .putList("xpack.security.transport.ssl.certificate_authorities", certPath.toString()) @@ -223,10 +225,10 @@ public void testReloadingTrustStore() throws Exception { updatedTruststorePath); MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.truststore.secure_password", "testnode"); - Settings settings = Settings.builder() + final Settings settings = baseKeystoreSettings(tempDir, secureSettings) + .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.truststore.path", trustStorePath) .put("path.home", createTempDir()) - .setSecureSettings(secureSettings) .build(); Environment env = randomBoolean() ? null : TestEnvironment.newEnvironment(settings); // Create the MockWebServer once for both pre and post checks @@ -274,7 +276,8 @@ public void testReloadingPEMTrustConfig() throws Exception { Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"), serverCertPath); Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem"), serverKeyPath); Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_updated.crt"), updatedCert); - Settings settings = Settings.builder() + Settings settings = baseKeystoreSettings(tempDir, null) + .put("xpack.security.transport.ssl.enabled", true) .putList("xpack.security.transport.ssl.certificate_authorities", serverCertPath.toString()) .put("path.home", createTempDir()) .build(); 
@@ -323,6 +326,7 @@ public void testReloadingKeyStoreException() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); Settings settings = Settings.builder() + .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.keystore.path", keystorePath) .setSecureSettings(secureSettings) .put("path.home", createTempDir()) @@ -373,6 +377,7 @@ public void testReloadingPEMKeyConfigException() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); Settings settings = Settings.builder() + .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.key", keyPath) .put("xpack.security.transport.ssl.certificate", certPath) .putList("xpack.security.transport.ssl.certificate_authorities", certPath.toString(), clientCertPath.toString()) @@ -420,10 +425,10 @@ public void testTrustStoreReloadException() throws Exception { Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"), trustStorePath); MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.truststore.secure_password", "testnode"); - Settings settings = Settings.builder() + Settings settings = baseKeystoreSettings(tempDir, secureSettings) + .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.truststore.path", trustStorePath) .put("path.home", createTempDir()) - .setSecureSettings(secureSettings) .build(); Environment env = randomBoolean() ? null : TestEnvironment.newEnvironment(settings); final SSLService sslService = new SSLService(settings, env); 
@@ -464,7 +469,8 @@ public void testPEMTrustReloadException() throws Exception { Path tempDir = createTempDir(); Path clientCertPath = tempDir.resolve("testclient.crt"); Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt"), clientCertPath); - Settings settings = Settings.builder() + Settings settings = baseKeystoreSettings(tempDir, null) + .put("xpack.security.transport.ssl.enabled", true) .putList("xpack.security.transport.ssl.certificate_authorities", clientCertPath.toString()) .put("path.home", createTempDir()) .build(); @@ -502,6 +508,20 @@ void reloadSSLContext(SSLConfiguration configuration) { assertThat(sslService.sslContextHolder(config).sslContext(), sameInstance(context)); } + private Settings.Builder baseKeystoreSettings(Path tempDir, MockSecureSettings secureSettings) throws IOException { + final Path keystorePath = tempDir.resolve("testclient.jks"); + Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"), keystorePath); + + if (secureSettings == null) { + secureSettings = new MockSecureSettings(); + } + secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); + + return Settings.builder() + .put("xpack.security.transport.ssl.keystore.path", keystorePath.toString()) + .setSecureSettings(secureSettings); + } + private void validateSSLConfigurationIsReloaded(Settings settings, Environment env, Consumer preChecks, Runnable modificationFunction, Consumer postChecks) throws Exception { final CountDownLatch reloadLatch = new CountDownLatch(1); diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLServiceTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLServiceTests.java index ffdc8dace5028..3f741f9bd80cd 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLServiceTests.java 
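Review bot: baseKeystoreSettings copies `testnode.jks` into a file named `testclient.jks`, which will mislead anyone reading a failure that mentions the path; `tempDir.resolve("testnode.jks")` matches the content. The helper also mutates the caller-supplied MockSecureSettings by adding the keystore password, and that side effect is worth a one-line comment above the method, e.g. `// Adds the transport keystore password to the given secure settings (a fresh instance when null) and returns a builder that references them`.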
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLServiceTests.java @@ -111,8 +111,11 @@ public void testThatCustomTruststoreCanBeSpecified() throws Exception { Path testClientStore = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.jks"); MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.truststore.secure_password", "testnode"); + secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); secureSettings.setString("transport.profiles.foo.xpack.security.ssl.truststore.secure_password", "testclient"); Settings settings = Settings.builder() + .put("xpack.security.transport.ssl.enabled", true) + .put("xpack.security.transport.ssl.keystore.path", testnodeStore) .put("xpack.security.transport.ssl.truststore.path", testnodeStore) .put("xpack.security.transport.ssl.truststore.type", testnodeStoreType) .setSecureSettings(secureSettings) @@ -145,6 +148,7 @@ public void testThatSslContextCachingWorks() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); Settings settings = Settings.builder() + .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.certificate", testnodeCert) .put("xpack.security.transport.ssl.key", testnodeKey) .setSecureSettings(secureSettings) @@ -170,6 +174,7 @@ public void testThatKeyStoreAndKeyCanHaveDifferentPasswords() throws Exception { secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); secureSettings.setString("xpack.security.transport.ssl.keystore.secure_key_password", "testnode1"); Settings settings = Settings.builder() + .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.keystore.path", differentPasswordsStore) .setSecureSettings(secureSettings) .build(); 
@@ -204,6 +209,7 @@ public void testThatSSLv3IsNotEnabled() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); Settings settings = Settings.builder() + .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.certificate", testnodeCert) .put("xpack.security.transport.ssl.key", testnodeKey) .setSecureSettings(secureSettings) @@ -223,13 +229,14 @@ public void testThatCreateClientSSLEngineWithoutAnySettingsWorks() throws Except public void testThatCreateSSLEngineWithOnlyTruststoreWorks() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.security.transport.ssl.truststore.secure_password", "testclient"); + secureSettings.setString("xpack.http.ssl.truststore.secure_password", "testclient"); Settings settings = Settings.builder() - .put("xpack.security.transport.ssl.truststore.path", testclientStore) + .put("xpack.http.ssl.enabled", true) + .put("xpack.http.ssl.truststore.path", testclientStore) .setSecureSettings(secureSettings) .build(); SSLService sslService = new SSLService(settings, env); - SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl"); + SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.security.http.ssl"); SSLEngine sslEngine = sslService.createSSLEngine(configuration, null, -1); assertThat(sslEngine, notNullValue()); } 
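Review bot: In testThatCreateSSLEngineWithOnlyTruststoreWorks the new `sslService.getSSLConfiguration("xpack.security.http.ssl")` fetches a context that none of the settings above configure — the truststore and `enabled` flag are now placed under `xpack.http.ssl` — so the engine under test most likely comes from the unconfigured security http context rather than the truststore-only one the test name describes. If the intent is to exercise the client context, the line should read `SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.http.ssl");`. Whether the assertion still passes against the default context cannot be told from the hunk, but either way the test no longer checks what its name claims.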
@@ -240,6 +247,7 @@ public void testCreateWithKeystoreIsValidForServer() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); Settings settings = Settings.builder() + .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.keystore.path", testnodeStore) .put("xpack.security.transport.ssl.keystore.type", testnodeStoreType) .setSecureSettings(secureSettings) 
@@ -252,25 +260,27 @@ public void testCreateWithKeystoreIsValidForServer() throws Exception { public void testValidForServer() throws Exception { assumeFalse("Can't run in a FIPS JVM, JKS keystores can't be used", inFipsJvm()); MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.security.transport.ssl.truststore.secure_password", "testnode"); + secureSettings.setString("xpack.http.ssl.truststore.secure_password", "testnode"); Settings settings = Settings.builder() - .put("xpack.security.transport.ssl.truststore.path", testnodeStore) - .put("xpack.security.transport.ssl.truststore.type", testnodeStoreType) + .put("xpack.http.ssl.truststore.path", testnodeStore) + .put("xpack.http.ssl.truststore.type", testnodeStoreType) .setSecureSettings(secureSettings) .build(); SSLService sslService = new SSLService(settings, env); - assertFalse(sslService.isConfigurationValidForServerUsage(sslService.getSSLConfiguration("xpack.security.transport.ssl"))); + // Technically, we don't care whether xpack.http.ssl is valid for server - it's a client context, but we validate both of the + // server contexts (http & transport) during construction, so this is the only way to make a non-server-valid context. 
+ assertFalse(sslService.isConfigurationValidForServerUsage(sslService.getSSLConfiguration("xpack.http.ssl"))); - secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); + secureSettings.setString("xpack.http.ssl.keystore.secure_password", "testnode"); settings = Settings.builder() - .put("xpack.security.transport.ssl.truststore.path", testnodeStore) - .put("xpack.security.transport.ssl.truststore.type", testnodeStoreType) + .put("xpack.http.ssl.truststore.path", testnodeStore) + .put("xpack.http.ssl.truststore.type", testnodeStoreType) .setSecureSettings(secureSettings) - .put("xpack.security.transport.ssl.keystore.path", testnodeStore) - .put("xpack.security.transport.ssl.keystore.type", testnodeStoreType) + .put("xpack.http.ssl.keystore.path", testnodeStore) + .put("xpack.http.ssl.keystore.type", testnodeStoreType) .build(); sslService = new SSLService(settings, env); - assertTrue(sslService.isConfigurationValidForServerUsage(sslService.getSSLConfiguration("xpack.security.transport.ssl"))); + assertTrue(sslService.isConfigurationValidForServerUsage(sslService.getSSLConfiguration("xpack.http.ssl"))); } public void testGetVerificationMode() throws Exception { @@ -280,6 +290,7 @@ public void testGetVerificationMode() throws Exception { is(XPackSettings.VERIFICATION_MODE_DEFAULT)); Settings settings = Settings.builder() + .put("xpack.security.transport.ssl.enabled", false) .put("xpack.security.transport.ssl.verification_mode", "certificate") .put("transport.profiles.foo.xpack.security.ssl.verification_mode", "full") .build(); @@ -294,6 +305,7 @@ public void testIsSSLClientAuthEnabled() throws Exception { assertTrue(sslService.getSSLConfiguration("xpack.security.transport.ssl").sslClientAuth().enabled()); Settings settings = Settings.builder() + .put("xpack.security.transport.ssl.enabled", false) .put("xpack.security.transport.ssl.client_authentication", "optional") .put("transport.profiles.foo.port", "9400-9410") .build(); 
@@ -303,9 +315,18 @@ public void testIsSSLClientAuthEnabled() throws Exception { } public void testThatHttpClientAuthDefaultsToNone() throws Exception { + MockSecureSettings secureSettings = new MockSecureSettings(); + secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); + secureSettings.setString("xpack.security.http.ssl.keystore.secure_password", "testnode"); final Settings globalSettings = Settings.builder() .put("xpack.security.http.ssl.enabled", true) + .put("xpack.security.http.ssl.keystore.path", testnodeStore) + .put("xpack.security.http.ssl.keystore.type", testnodeStoreType) + .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.client_authentication", SSLClientAuth.OPTIONAL.name()) + .put("xpack.security.transport.ssl.keystore.path", testnodeStore) + .put("xpack.security.transport.ssl.keystore.type", testnodeStoreType) + .setSecureSettings(secureSettings) .build(); final SSLService sslService = new SSLService(globalSettings, env); @@ -350,6 +371,7 @@ public void testCiphersAndInvalidCiphersWork() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); Settings settings = Settings.builder() + .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.certificate", testnodeCert) .put("xpack.security.transport.ssl.key", testnodeKey) .setSecureSettings(secureSettings) 
@@ -383,6 +405,7 @@ public void testThatSSLEngineHasCipherSuitesOrderSet() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); Settings settings = Settings.builder() + .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.certificate", testnodeCert) .put("xpack.security.transport.ssl.key", testnodeKey) .setSecureSettings(secureSettings) @@ -398,6 +421,7 @@ public void testThatSSLSocketFactoryHasProperCiphersAndProtocols() throws Except MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); Settings settings = Settings.builder() + .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.certificate", testnodeCert) .put("xpack.security.transport.ssl.key", testnodeKey) .setSecureSettings(secureSettings) @@ -423,6 +447,7 @@ public void testThatSSLEngineHasProperCiphersAndProtocols() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); Settings settings = Settings.builder() + .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.certificate", testnodeCert) .put("xpack.security.transport.ssl.key", testnodeKey) .setSecureSettings(secureSettings) 
@@ -514,6 +539,9 @@ public void testGetConfigurationByContextName() throws Exception { final MockSecureSettings secureSettings = new MockSecureSettings(); final Settings.Builder builder = Settings.builder(); for (String prefix : contextNames) { + if (prefix.startsWith("xpack.security.transport") || prefix.startsWith("xpack.security.http")) { + builder.put(prefix + ".enabled", true); + } secureSettings.setString(prefix + ".keystore.secure_password", "testnode"); builder.put(prefix + ".keystore.path", testnodeStore) .putList(prefix + ".cipher_suites", cipher.next()); @@ -548,6 +576,7 @@ public void testReadCertificateInformation() throws Exception { secureSettings.setString("xpack.http.ssl.keystore.secure_password", "testnode"); final Settings settings = Settings.builder() + .put("xpack.security.transport.ssl.enabled", randomBoolean()) .put("xpack.security.transport.ssl.keystore.path", jksPath) .put("xpack.security.transport.ssl.truststore.path", jksPath) .put("xpack.http.ssl.keystore.path", p12Path) diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SettingsFilterTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SettingsFilterTests.java index 014ebc72a982b..e669d41eab5be 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SettingsFilterTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SettingsFilterTests.java @@ -71,6 +71,7 @@ public void testFiltering() throws Exception { configureFilteredSetting("xpack.security.authc.realms.pki.pki1.truststore.algorithm", "SunX509"); + configureUnfilteredSetting("xpack.security.transport.ssl.enabled", "true"); configureFilteredSetting("xpack.security.transport.ssl.cipher_suites", Strings.arrayToCommaDelimitedString(XPackSettings.DEFAULT_CIPHERS.toArray())); configureFilteredSetting("xpack.security.transport.ssl.supported_protocols", randomFrom("TLSv1", "TLSv1.1", "TLSv1.2")); 
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheckTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheckTests.java index 4e770e1376bcb..24036f7862c2f 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheckTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheckTests.java @@ -14,6 +14,8 @@ import org.elasticsearch.xpack.core.ssl.SSLService; import org.hamcrest.Matchers; +import java.nio.file.Path; + public class PkiRealmBootstrapCheckTests extends AbstractBootstrapCheckTestCase { public void testPkiRealmBootstrapDefault() throws Exception { 
@@ -23,23 +25,34 @@ public void testPkiRealmBootstrapDefault() throws Exception { } public void testBootstrapCheckWithPkiRealm() throws Exception { + final Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"); + final Path keyPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem"); + + MockSecureSettings secureSettings = new MockSecureSettings(); Settings settings = Settings.builder() .put("xpack.security.authc.realms.pki.test_pki.order", 0) .put("path.home", createTempDir()) + .setSecureSettings(secureSettings) .build(); Environment env = TestEnvironment.newEnvironment(settings); assertTrue(runCheck(settings, env).isFailure()); // enable transport tls + secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); settings = Settings.builder().put(settings) .put("xpack.security.transport.ssl.enabled", true) + .put("xpack.security.transport.ssl.certificate", certPath) + .put("xpack.security.transport.ssl.key", keyPath) .build(); assertFalse(runCheck(settings, env).isFailure()); // enable ssl for http + secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode"); settings = Settings.builder().put(settings) .put("xpack.security.transport.ssl.enabled", false) .put("xpack.security.http.ssl.enabled", true) + .put("xpack.security.http.ssl.certificate", certPath) + .put("xpack.security.http.ssl.key", keyPath) .build(); env = TestEnvironment.newEnvironment(settings); assertTrue(runCheck(settings, env).isFailure()); 
@@ -82,6 +95,7 @@ private BootstrapCheck.BootstrapCheckResult runCheck(Settings settings, Environm public void testBootstrapCheckWithDisabledRealm() throws Exception { Settings settings = Settings.builder() .put("xpack.security.authc.realms.pki.test_pki.enabled", false) + .put("xpack.security.transport.ssl.enabled", false) .put("xpack.security.transport.ssl.client_authentication", "none") .put("path.home", createTempDir()) .build(); @@ -90,11 +104,20 @@ public void testBootstrapCheckWithDisabledRealm() throws Exception { } public void testBootstrapCheckWithDelegationEnabled() throws Exception { + final Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"); + final Path keyPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem"); + MockSecureSettings secureSettings = new MockSecureSettings(); + // enable transport tls + secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); Settings settings = Settings.builder() .put("xpack.security.authc.realms.pki.test_pki.enabled", true) .put("xpack.security.authc.realms.pki.test_pki.delegation.enabled", true) + .put("xpack.security.transport.ssl.enabled", randomBoolean()) .put("xpack.security.transport.ssl.client_authentication", "none") + .put("xpack.security.transport.ssl.certificate", certPath.toString()) + .put("xpack.security.transport.ssl.key", keyPath.toString()) .put("path.home", createTempDir()) + .setSecureSettings(secureSettings) .build(); Environment env = TestEnvironment.newEnvironment(settings); assertFalse(runCheck(settings, env).isFailure()); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/tool/CommandLineHttpClientTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/tool/CommandLineHttpClientTests.java index 1e77dfc6b16e4..4f2484d193116 100644 
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/tool/CommandLineHttpClientTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/tool/CommandLineHttpClientTests.java @@ -37,9 +37,14 @@ public class CommandLineHttpClientTests extends ESTestCase { private MockWebServer webServer; private Environment environment = TestEnvironment.newEnvironment(Settings.builder().put("path.home", createTempDir()).build()); + private Path certPath; + private Path keyPath; @Before public void setup() throws Exception { + certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"); + keyPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem"); + webServer = createMockWebServer(); webServer.enqueue(new MockResponse().setResponseCode(200).setBody("{\"test\": \"complete\"}")); webServer.start(); @@ -51,8 +56,7 @@ public void shutdown() { } public void testCommandLineHttpClientCanExecuteAndReturnCorrectResultUsingSSLSettings() throws Exception { - Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"); - Settings settings = Settings.builder() + Settings settings = getHttpSslSettings() .put("xpack.security.http.ssl.certificate_authorities", certPath.toString()) .put("xpack.security.http.ssl.verification_mode", VerificationMode.CERTIFICATE) .build(); 
@@ -75,17 +79,19 @@ public void testGetDefaultURLFailsWithHelpfulMessage() { } private MockWebServer createMockWebServer() { - Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"); - Path keyPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem"); + Settings settings = getHttpSslSettings().build(); + TestsSSLService sslService = new TestsSSLService(settings, environment); + return new MockWebServer(sslService.sslContext("xpack.security.http.ssl."), false); + } + + private Settings.Builder getHttpSslSettings() { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode"); - Settings settings = Settings.builder() + return Settings.builder() + .put("xpack.security.http.ssl.enabled", true) .put("xpack.security.http.ssl.key", keyPath.toString()) .put("xpack.security.http.ssl.certificate", certPath.toString()) - .setSecureSettings(secureSettings) - .build(); - TestsSSLService sslService = new TestsSSLService(settings, environment); - return new MockWebServer(sslService.sslContext("xpack.security.http.ssl."), false); + .setSecureSettings(secureSettings); } private HttpResponseBuilder responseBuilder(final InputStream is) throws IOException { diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapUserSearchSessionFactoryTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapUserSearchSessionFactoryTests.java index 44498e0ae9762..d6a370d9d3464 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapUserSearchSessionFactoryTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapUserSearchSessionFactoryTests.java 
@@ -65,6 +65,7 @@ public void init() throws Exception { globalSettings = Settings.builder() .put("path.home", createTempDir()) + .put("xpack.security.transport.ssl.enabled", false) .put("xpack.security.transport.ssl.certificate_authorities", certPath) .build(); sslService = new SSLService(globalSettings, env); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java index 1e873e302367e..5a7a64e9d764f 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java @@ -130,6 +130,7 @@ public void testReadIdpMetadataFromHttps() throws Exception { final MockSecureSettings mockSecureSettings = new MockSecureSettings(); mockSecureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode"); final Settings settings = Settings.builder() + .put("xpack.security.http.ssl.enabled", true) .put("xpack.security.http.ssl.key", getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem")) .put("xpack.security.http.ssl.certificate", diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SecurityNetty4HttpServerTransportTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SecurityNetty4HttpServerTransportTests.java index 20ceee5d52e92..8efa61ebe40b6 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SecurityNetty4HttpServerTransportTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SecurityNetty4HttpServerTransportTests.java 
@@ -29,7 +29,6 @@ import java.util.Locale; import static org.hamcrest.Matchers.arrayContaining; -import static org.hamcrest.Matchers.containsString; import static org.hamcrest.Matchers.equalTo; import static org.hamcrest.Matchers.is; import static org.hamcrest.Matchers.not; @@ -49,6 +48,7 @@ public void createSSLService() { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode"); Settings settings = Settings.builder() + .put("xpack.security.http.ssl.enabled", true) .put("xpack.security.http.ssl.key", testnodeKey) .put("xpack.security.http.ssl.certificate", testnodeCert) .put("path.home", createTempDir()) 
@@ -147,24 +147,11 @@ public void testCustomSSLConfiguration() throws Exception { assertThat(customEngine.getEnabledProtocols(), not(equalTo(defaultEngine.getEnabledProtocols()))); } - public void testThatExceptionIsThrownWhenConfiguredWithoutSslKey() throws Exception { - Settings settings = Settings.builder() - .put("xpack.security.http.ssl.certificate_authorities", testnodeCert) - .put(XPackSettings.HTTP_SSL_ENABLED.getKey(), true) - .put("path.home", createTempDir()) - .build(); - env = TestEnvironment.newEnvironment(settings); - sslService = new SSLService(settings, env); - IllegalArgumentException e = expectThrows(IllegalArgumentException.class, - () -> new SecurityNetty4HttpServerTransport(settings, new NetworkService(Collections.emptyList()), mock(BigArrays.class), - mock(IPFilter.class), sslService, mock(ThreadPool.class), xContentRegistry(), new NullDispatcher())); - assertThat(e.getMessage(), containsString("key must be provided")); - } - public void testNoExceptionWhenConfiguredWithoutSslKeySSLDisabled() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode"); Settings settings = Settings.builder() + .put("xpack.security.http.ssl.enabled", false) .put("xpack.security.http.ssl.key", testnodeKey) .put("xpack.security.http.ssl.certificate", testnodeCert) .setSecureSettings(secureSettings) diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/nio/SecurityNioHttpServerTransportTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/nio/SecurityNioHttpServerTransportTests.java index 7acef50ed4eb8..14addd0620b43 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/nio/SecurityNioHttpServerTransportTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/nio/SecurityNioHttpServerTransportTests.java 
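Review bot: Deleting `testThatExceptionIsThrownWhenConfiguredWithoutSslKey` leaves this class with no test of what happens when `xpack.security.http.ssl.enabled` is true and no key is configured — the old fail-fast behaviour (`IllegalArgumentException` "key must be provided") is gone and nothing here pins the replacement. If that case is now accepted with a deprecation warning, as the transport-side test added to SSLErrorMessageTests suggests, keep a test in this class that builds the SSLService with those settings, constructs the transport, and calls `assertWarnings(...)` with the new message, so a silent regression to "accepted without any warning" cannot slip in for the HTTP listener. The same deletion is made in SecurityNioHttpServerTransportTests. The remaining `testNoExceptionWhenConfiguredWithoutSslKeySSLDisabled` runs past the end of this hunk.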
@@ -36,7 +36,6 @@ import java.util.Locale; import static org.hamcrest.Matchers.arrayContaining; -import static org.hamcrest.Matchers.containsString; import static org.hamcrest.Matchers.equalTo; import static org.hamcrest.Matchers.is; import static org.hamcrest.Matchers.not; @@ -57,6 +56,7 @@ public void createSSLService() { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode"); Settings settings = Settings.builder() + .put("xpack.security.http.ssl.enabled", true) .put("xpack.security.http.ssl.key", testNodeKey) .put("xpack.security.http.ssl.certificate", testNodeCert) .put("path.home", createTempDir()) 
@@ -180,31 +180,11 @@ public void testCustomSSLConfiguration() throws IOException { assertThat(customEngine.getEnabledProtocols(), not(equalTo(defaultEngine.getEnabledProtocols()))); } - public void testThatExceptionIsThrownWhenConfiguredWithoutSslKey() { - MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString("xpack.security.http.ssl.truststore.secure_password", "testnode"); - Settings settings = Settings.builder() - .put("xpack.security.http.ssl.truststore.path", - getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks")) - .setSecureSettings(secureSettings) - .put(XPackSettings.HTTP_SSL_ENABLED.getKey(), true) - .put("path.home", createTempDir()) - .build(); - env = TestEnvironment.newEnvironment(settings); - sslService = new SSLService(settings, env); - nioGroupFactory = new NioGroupFactory(settings, logger); - - IllegalArgumentException e = expectThrows(IllegalArgumentException.class, - () -> new SecurityNioHttpServerTransport(settings, - new NetworkService(Collections.emptyList()), mock(BigArrays.class), mock(PageCacheRecycler.class), mock(ThreadPool.class), - xContentRegistry(), new NullDispatcher(), mock(IPFilter.class), sslService, nioGroupFactory)); - assertThat(e.getMessage(), containsString("key must be provided")); - } - public void testNoExceptionWhenConfiguredWithoutSslKeySSLDisabled() { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.http.ssl.truststore.secure_password", "testnode"); Settings settings = Settings.builder() + .put("xpack.security.http.ssl.enabled", false) .put("xpack.security.http.ssl.truststore.path", getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks")) .setSecureSettings(secureSettings) 
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/SslIntegrationTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/SslIntegrationTests.java index 5f25213beefa1..bbb44f869fa4a 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/SslIntegrationTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/SslIntegrationTests.java @@ -117,7 +117,7 @@ public void testThatTransportClientUsingSSLv3ProtocolIsRejected() { } public void testThatConnectionToHTTPWorks() throws Exception { - Settings.Builder builder = Settings.builder(); + Settings.Builder builder = Settings.builder().put("xpack.security.http.ssl.enabled", true); addSSLSettingsForPEMFiles( builder, "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.pem", "testclient", diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLErrorMessageTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLErrorMessageTests.java index 672e0bbb0467f..2637cc1e12585 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLErrorMessageTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLErrorMessageTests.java 
@@ -127,6 +127,50 @@ public void testMessageForCertificateAuthoritiesOutsideConfigDir() throws Except checkBlockedTrustManagerResource("certificate_authorities", "certificate_authorities"); } + public void testMessageForTransportSslEnabledWithoutKeys() throws Exception { + final String prefix = "xpack.security.transport.ssl"; + final Settings.Builder settings = Settings.builder(); + settings.put(prefix + ".enabled", true); + configureWorkingTruststore(prefix, settings); + + expectSuccess(settings); + assertWarnings("invalid SSL configuration for " + prefix + + " - server ssl configuration requires a key and certificate, but these have not been configured;" + + " you must set either [" + prefix + ".keystore.path], or both [" + prefix + ".key] and [" + prefix + ".certificate]"); + } + + public void testNoErrorIfTransportSslDisabledWithoutKeys() throws Exception { + final String prefix = "xpack.security.transport.ssl"; + final Settings.Builder settings = Settings.builder(); + settings.put(prefix + ".enabled", false); + configureWorkingTruststore(prefix, settings); + expectSuccess(settings); + } + + public void testMessageForTransportNotEnabledButKeystoreConfigured() throws Exception { + final String prefix = "xpack.security.transport.ssl"; + checkUnusedConfiguration(prefix, prefix + ".keystore.path," + prefix + ".keystore.secure_password", + this::configureWorkingKeystore); + } + + public void testMessageForTransportNotEnabledButTruststoreConfigured() throws Exception { + final String prefix = "xpack.security.transport.ssl"; + checkUnusedConfiguration(prefix, prefix + ".truststore.path," + prefix + ".truststore.secure_password", + this::configureWorkingTruststore); + } + + public void testMessageForHttpsNotEnabledButKeystoreConfigured() throws Exception { + final String prefix = "xpack.security.http.ssl"; + checkUnusedConfiguration(prefix, prefix + ".keystore.path," + prefix + ".keystore.secure_password", + this::configureWorkingKeystore); + } + + public void 
testMessageForHttpsNotEnabledButTruststoreConfigured() throws Exception { + final String prefix = "xpack.security.http.ssl"; + checkUnusedConfiguration(prefix, prefix + ".truststore.path," + prefix + ".truststore.secure_password", + this::configureWorkingTruststore); + } + private void checkMissingKeyManagerResource(String fileType, String configKey, @Nullable Settings.Builder additionalSettings) { checkMissingResource("KeyManager", fileType, configKey, (prefix, builder) -> buildKeyConfigSettings(additionalSettings, prefix, builder)); @@ -235,6 +279,15 @@ private void checkBlockedResource(String sslManagerType, String fileType, String assertThat(exception, throwableWithMessage(containsString(fileName))); } + private void checkUnusedConfiguration(String prefix, String settingsConfigured, BiConsumer configure) { + final Settings.Builder settings = Settings.builder(); + configure.accept(prefix, settings); + + expectSuccess(settings); + assertWarnings("invalid configuration for " + prefix + " - [" + prefix + ".enabled] is not set," + + " but the following settings have been configured in elasticsearch.yml : [" + settingsConfigured + "]"); + } + private String missingFile() { return resource("cert1a.p12").replace("cert1a.p12", "file.dne"); } @@ -293,6 +346,10 @@ private ElasticsearchException expectFailure(Settings.Builder settings) { return expectThrows(ElasticsearchException.class, () -> new SSLService(settings.build(), env)); } + private SSLService expectSuccess(Settings.Builder settings) { + return new SSLService(settings.build(), env); + } + private String resource(String fileName) { final Path path = this.paths.get(fileName); if (path == null) { diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLReloadIntegTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLReloadIntegTests.java index 3eeaca1a3f114..25f3215a4841b 100644 
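Review bot: The "enabled without keys" warning is only exercised for `xpack.security.transport.ssl`; there is no counterpart for `xpack.security.http.ssl`, even though the commit message says both server contexts are validated and the "not enabled but configured" cases in this same hunk do cover both prefixes. The tests removed from the Netty and NIO HTTP transport tests were the only ones covering the HTTP context in that state, so the HTTP path of the new check is currently untested. Fold the body of `testMessageForTransportSslEnabledWithoutKeys` into a prefix-parameterised helper and call it for both contexts (the `throws Exception` on the helper mirrors the existing test; drop it if `configureWorkingTruststore` does not need it):
```java
    public void testMessageForTransportSslEnabledWithoutKeys() throws Exception {
        checkServerSslEnabledWithoutKeys("xpack.security.transport.ssl");
    }

    public void testMessageForHttpSslEnabledWithoutKeys() throws Exception {
        checkServerSslEnabledWithoutKeys("xpack.security.http.ssl");
    }

    // Both server contexts must warn (not fail) when enabled with trust material but no key/cert pair.
    private void checkServerSslEnabledWithoutKeys(String prefix) throws Exception {
        final Settings.Builder settings = Settings.builder();
        settings.put(prefix + ".enabled", true);
        configureWorkingTruststore(prefix, settings);

        expectSuccess(settings);
        assertWarnings("invalid SSL configuration for " + prefix
            + " - server ssl configuration requires a key and certificate, but these have not been configured;"
            + " you must set either [" + prefix + ".keystore.path], or both [" + prefix + ".key] and [" + prefix + ".certificate]");
    }
    // … unchanged: testNoErrorIfTransportSslDisabledWithoutKeys and the NotEnabledBut*Configured tests …
```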
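Review bot: The warning pinned by `checkUnusedConfiguration` says the listed settings "have been configured in elasticsearch.yml", but the lists the callers pass in include `…keystore.secure_password` and `…truststore.secure_password`, which — going by the `secure_` prefix and the MockSecureSettings usage elsewhere in this diff — live in the Elasticsearch keystore, not in elasticsearch.yml. An operator reading that message will look in the wrong file for half of the settings it names. The string is produced in SSLService (outside this hunk), but because this test fixes its wording, consider changing it there to something like `" but the following settings have been configured: [" + settingsConfigured + "]"` (or naming both elasticsearch.yml and the keystore) and updating the expectation here to match.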
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLReloadIntegTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLReloadIntegTests.java @@ -99,6 +99,7 @@ public void testThatSSLConfigurationReloadsOnModification() throws Exception { secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); Settings settings = Settings.builder() .put("path.home", createTempDir()) + .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.key", keyPath) .put("xpack.security.transport.ssl.certificate", certPath) .putList("xpack.security.transport.ssl.certificate_authorities", diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLTrustRestrictionsTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLTrustRestrictionsTests.java index 0eaae0bf7f814..b73492a77d487 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLTrustRestrictionsTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLTrustRestrictionsTests.java @@ -223,6 +223,7 @@ private void runResourceWatcher() { private void tryConnect(CertificateInfo certificate, boolean shouldFail) throws Exception { Settings settings = Settings.builder() .put("path.home", createTempDir()) + .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.key", certificate.getKeyPath()) .put("xpack.security.transport.ssl.certificate", certificate.getCertPath()) .putList("xpack.security.transport.ssl.certificate_authorities", ca.getCertPath().toString()) diff --git a/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpClientTests.java b/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpClientTests.java index 75e551b58e56b..2e0c8d2df6e1f 100644 
--- a/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpClientTests.java +++ b/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpClientTests.java @@ -197,6 +197,7 @@ public void testHttps() throws Exception { // We can't use the client created above for the server since it is only a truststore secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode"); Settings settings2 = Settings.builder() + .put("xpack.security.http.ssl.enabled", true) .put("xpack.security.http.ssl.key", keyPath) .put("xpack.security.http.ssl.certificate", certPath) .putList("xpack.security.http.ssl.supported_protocols", getProtocols()) @@ -226,6 +227,7 @@ public void testHttpsDisableHostnameVerification() throws Exception { // We can't use the client created above for the server since it only defines a truststore secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode-no-subjaltname"); Settings settings2 = Settings.builder() + .put("xpack.security.http.ssl.enabled", true) .put("xpack.security.http.ssl.key", keyPath) .put("xpack.security.http.ssl.certificate", certPath) .putList("xpack.security.http.ssl.supported_protocols", getProtocols()) @@ -383,6 +385,8 @@ public void testProxyCanHaveDifferentSchemeThanRequest() throws Exception { .put("xpack.http.ssl.key", keyPath) .put("xpack.http.ssl.certificate", certPath) .putList("xpack.http.ssl.supported_protocols", getProtocols()) + .put("xpack.security.http.ssl.enabled", false) + .putList("xpack.security.http.ssl.supported_protocols", getProtocols()) .setSecureSettings(serverSecureSettings) .build(); TestsSSLService sslService = new TestsSSLService(serverSettings, environment); 
@@ -397,7 +401,9 @@ public void testProxyCanHaveDifferentSchemeThanRequest() throws Exception { .put(HttpSettings.PROXY_SCHEME.getKey(), "https") .put("xpack.http.ssl.certificate_authorities", trustedCertPath) .putList("xpack.http.ssl.supported_protocols", getProtocols()) - .build(); + .putList("xpack.security.http.ssl.supported_protocols", getProtocols()) + .put("xpack.security.http.ssl.enabled", false) + .build(); HttpRequest.Builder requestBuilder = HttpRequest.builder("localhost", webServer.getPort()) .method(HttpMethod.GET)
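Review bot: `xpack.security.http.ssl.supported_protocols` is added to both the server and the client builders in `testProxyCanHaveDifferentSchemeThanRequest` even though `xpack.security.http.ssl.enabled` is set to false on the same builders, and nothing in the test uses that context — the proxy and the request are configured through `xpack.http.ssl`. Why a disabled context needs a JVM-specific protocol list is not obvious (presumably TestsSSLService still builds every configured context and the default list is rejected on some JVMs); a comment on the first added line such as `// the disabled xpack.security.http.ssl context is still built by SSLService, so keep its protocol list JVM-compatible` would spare the next reader the investigation. If the context does not need to exist at all, dropping the two `supported_protocols` lines and keeping only the explicit `enabled=false` would be cleaner.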