Fix SamlAuthenticationIT flakyness (#103867)

Rene Groeschke 2024-01-24 19:44:31 +01:00 committed by GitHub
parent 83634375f9
commit ab8ee60bba
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
11 changed files with 108 additions and 170 deletions


@ -0,0 +1,9 @@
#!/bin/bash
set -euo pipefail
echo "$DOCKER_REGISTRY_PASSWORD" | docker login -u "$DOCKER_REGISTRY_USERNAME" --password-stdin docker.elastic.co
unset DOCKER_REGISTRY_USERNAME DOCKER_REGISTRY_PASSWORD
docker buildx create --use
.ci/scripts/run-gradle.sh deployFixtureDockerImages
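Review bot: `docker buildx create --use` on line 5 creates a brand-new anonymous builder on every invocation, so on a persistent CI agent the builders (and their BuildKit containers) accumulate across runs; if the agents are not ephemeral, reuse a named builder instead, e.g. `docker buildx use fixtures-builder 2>/dev/null || docker buildx create --use --name fixtures-builder` (name is a constructed example). The login-then-`unset` sequence is correct as written, since the password only ever reaches `docker login` via stdin and the variables are cleared before the Gradle invocation inherits the environment. A one-line header comment stating what the script expects, `# Requires DOCKER_REGISTRY_USERNAME/DOCKER_REGISTRY_PASSWORD in the environment; builds and pushes the test-fixture images`, would help the next person who finds it in `.ci`.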


@ -20,8 +20,10 @@ import org.gradle.api.model.ObjectFactory;
import org.gradle.api.provider.ListProperty; import org.gradle.api.provider.ListProperty;
import org.gradle.api.provider.MapProperty; import org.gradle.api.provider.MapProperty;
import org.gradle.api.provider.Property; import org.gradle.api.provider.Property;
import org.gradle.api.provider.SetProperty;
import org.gradle.api.tasks.Input; import org.gradle.api.tasks.Input;
import org.gradle.api.tasks.InputDirectory; import org.gradle.api.tasks.InputDirectory;
import org.gradle.api.tasks.Optional;
import org.gradle.api.tasks.OutputFile; import org.gradle.api.tasks.OutputFile;
import org.gradle.api.tasks.PathSensitive; import org.gradle.api.tasks.PathSensitive;
import org.gradle.api.tasks.PathSensitivity; import org.gradle.api.tasks.PathSensitivity;
@ -36,6 +38,7 @@ import java.io.IOException;
import java.nio.file.Files; import java.nio.file.Files;
import java.util.Arrays; import java.util.Arrays;
import java.util.List; import java.util.List;
import java.util.stream.Collectors;
import javax.inject.Inject; import javax.inject.Inject;
@ -43,7 +46,7 @@ import javax.inject.Inject;
* This task wraps up the details of building a Docker image, including adding a pull * This task wraps up the details of building a Docker image, including adding a pull
* mechanism that can retry, and emitting the image SHA as a task output. * mechanism that can retry, and emitting the image SHA as a task output.
*/ */
public class DockerBuildTask extends DefaultTask { public abstract class DockerBuildTask extends DefaultTask {
private static final Logger LOGGER = Logging.getLogger(DockerBuildTask.class); private static final Logger LOGGER = Logging.getLogger(DockerBuildTask.class);
private final WorkerExecutor workerExecutor; private final WorkerExecutor workerExecutor;
@ -55,7 +58,6 @@ public class DockerBuildTask extends DefaultTask {
private boolean noCache = true; private boolean noCache = true;
private String[] baseImages; private String[] baseImages;
private MapProperty<String, String> buildArgs; private MapProperty<String, String> buildArgs;
private Property<String> platform;
@Inject @Inject
public DockerBuildTask(WorkerExecutor workerExecutor, ObjectFactory objectFactory, ProjectLayout projectLayout) { public DockerBuildTask(WorkerExecutor workerExecutor, ObjectFactory objectFactory, ProjectLayout projectLayout) {
@ -63,7 +65,6 @@ public class DockerBuildTask extends DefaultTask {
this.markerFile = objectFactory.fileProperty(); this.markerFile = objectFactory.fileProperty();
this.dockerContext = objectFactory.directoryProperty(); this.dockerContext = objectFactory.directoryProperty();
this.buildArgs = objectFactory.mapProperty(String.class, String.class); this.buildArgs = objectFactory.mapProperty(String.class, String.class);
this.platform = objectFactory.property(String.class).convention(Architecture.current().dockerPlatform);
this.markerFile.set(projectLayout.getBuildDirectory().file("markers/" + this.getName() + ".marker")); this.markerFile.set(projectLayout.getBuildDirectory().file("markers/" + this.getName() + ".marker"));
} }
@ -75,9 +76,10 @@ public class DockerBuildTask extends DefaultTask {
params.getTags().set(Arrays.asList(tags)); params.getTags().set(Arrays.asList(tags));
params.getPull().set(pull); params.getPull().set(pull);
params.getNoCache().set(noCache); params.getNoCache().set(noCache);
params.getPush().set(getPush().getOrElse(false));
params.getBaseImages().set(Arrays.asList(baseImages)); params.getBaseImages().set(Arrays.asList(baseImages));
params.getBuildArgs().set(buildArgs); params.getBuildArgs().set(buildArgs);
params.getPlatform().set(platform); params.getPlatforms().set(getPlatforms());
}); });
} }
@ -129,9 +131,11 @@ public class DockerBuildTask extends DefaultTask {
} }
@Input @Input
public Property<String> getPlatform() { public abstract SetProperty<String> getPlatforms();
return platform;
} @Input
@Optional
public abstract Property<Boolean> getPush();
@OutputFile @OutputFile
public RegularFileProperty getMarkerFile() { public RegularFileProperty getMarkerFile() {
@ -181,7 +185,7 @@ public class DockerBuildTask extends DefaultTask {
} }
final List<String> tags = parameters.getTags().get(); final List<String> tags = parameters.getTags().get();
final boolean isCrossPlatform = parameters.getPlatform().get().equals(Architecture.current().dockerPlatform) == false; final boolean isCrossPlatform = isCrossPlatform();
LoggedExec.exec(execOperations, spec -> { LoggedExec.exec(execOperations, spec -> {
spec.executable("docker"); spec.executable("docker");
@ -193,7 +197,7 @@ public class DockerBuildTask extends DefaultTask {
spec.args("build", parameters.getDockerContext().get().getAsFile().getAbsolutePath()); spec.args("build", parameters.getDockerContext().get().getAsFile().getAbsolutePath());
if (isCrossPlatform) { if (isCrossPlatform) {
spec.args("--platform", parameters.getPlatform().get()); spec.args("--platform", parameters.getPlatforms().get().stream().collect(Collectors.joining(",")));
} }
if (parameters.getNoCache().get()) { if (parameters.getNoCache().get()) {
@ -203,11 +207,20 @@ public class DockerBuildTask extends DefaultTask {
tags.forEach(tag -> spec.args("--tag", tag)); tags.forEach(tag -> spec.args("--tag", tag));
parameters.getBuildArgs().get().forEach((k, v) -> spec.args("--build-arg", k + "=" + v)); parameters.getBuildArgs().get().forEach((k, v) -> spec.args("--build-arg", k + "=" + v));
if (parameters.getPush().getOrElse(false)) {
spec.args("--push");
}
}); });
// Fetch the Docker image's hash, and write it to desk as the task's output. Doing this allows us // Fetch the Docker image's hash, and write it to desk as the task's output. Doing this allows us
// to do proper up-to-date checks in Gradle. // to do proper up-to-date checks in Gradle.
try { try {
// multi-platform image builds do not end up in local registry, so we need to pull the just build image
// first to get the checksum and also serves as a test for the image being pushed correctly
if (parameters.getPlatforms().get().size() > 1 && parameters.getPush().getOrElse(false)) {
pullBaseImage(tags.get(0));
}
final String checksum = getImageChecksum(tags.get(0)); final String checksum = getImageChecksum(tags.get(0));
Files.writeString(parameters.getMarkerFile().getAsFile().get().toPath(), checksum + "\n"); Files.writeString(parameters.getMarkerFile().getAsFile().get().toPath(), checksum + "\n");
} catch (IOException e) { } catch (IOException e) {
@ -215,6 +228,13 @@ public class DockerBuildTask extends DefaultTask {
} }
} }
private boolean isCrossPlatform() {
return getParameters().getPlatforms()
.get()
.stream()
.anyMatch(any -> any.equals(Architecture.current().dockerPlatform) == false);
}
private String getImageChecksum(String imageTag) { private String getImageChecksum(String imageTag) {
final ByteArrayOutputStream stdout = new ByteArrayOutputStream(); final ByteArrayOutputStream stdout = new ByteArrayOutputStream();
@ -243,6 +263,8 @@ public class DockerBuildTask extends DefaultTask {
MapProperty<String, String> getBuildArgs(); MapProperty<String, String> getBuildArgs();
Property<String> getPlatform(); SetProperty<String> getPlatforms();
Property<Boolean> getPush();
} }
} }
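Review bot: The guard on the new line `if (parameters.getPlatforms().get().size() > 1 && parameters.getPush().getOrElse(false))` only pulls the image back when it was pushed, but per the comment just above it a multi-platform build never lands in the local daemon, so a multi-platform build with `push` unset or false reaches `getImageChecksum(tags.get(0))` with no local image and fails there with an opaque docker error; that is the default for a developer running `deployFixtureDockerImages` locally, since the fixture build files set `push = BuildParams.isCI`. Fail fast with a clear message before the build instead, e.g. `if (parameters.getPlatforms().get().size() > 1 && parameters.getPush().getOrElse(false) == false) { throw new GradleException("multi-platform docker builds require push=true; the image cannot be inspected locally"); }` (add the `org.gradle.api.GradleException` import if the file does not already have it). Relatedly, `--push` is only understood by the buildx-backed `docker build`; if the host's default builder is the legacy one the invocation fails, so it may be worth documenting that requirement on `getPush()`. `pullBaseImage` and the enclosing `execute` method are defined outside this hunk.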


@ -398,7 +398,7 @@ void addBuildDockerImageTask(Architecture architecture, DockerBase base) {
noCache = BuildParams.isCi noCache = BuildParams.isCi
tags = generateTags(base, architecture) tags = generateTags(base, architecture)
platform = architecture.dockerPlatform platforms.add(architecture.dockerPlatform)
// We don't build the Iron Bank image when we release Elasticsearch, as there's // We don't build the Iron Bank image when we release Elasticsearch, as there's
// separate process for submitting new releases. However, for testing we do a // separate process for submitting new releases. However, for testing we do a
@ -468,7 +468,7 @@ void addBuildEssDockerImageTask(Architecture architecture) {
noCache = BuildParams.isCi noCache = BuildParams.isCi
baseImages = [] baseImages = []
tags = generateTags(base, architecture) tags = generateTags(base, architecture)
platform = architecture.dockerPlatform platforms.add(architecture.dockerPlatform)
onlyIf("$architecture supported") { isArchitectureSupported(architecture) } onlyIf("$architecture supported") { isArchitectureSupported(architecture) }
} }


@ -16,7 +16,6 @@ import org.slf4j.LoggerFactory;
import org.testcontainers.DockerClientFactory; import org.testcontainers.DockerClientFactory;
import org.testcontainers.containers.GenericContainer; import org.testcontainers.containers.GenericContainer;
import org.testcontainers.containers.output.Slf4jLogConsumer; import org.testcontainers.containers.output.Slf4jLogConsumer;
import org.testcontainers.images.builder.ImageFromDockerfile;
import java.io.File; import java.io.File;
import java.io.IOException; import java.io.IOException;
@ -27,6 +26,7 @@ import java.util.Collections;
import java.util.HashMap; import java.util.HashMap;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
import java.util.concurrent.Future;
import java.util.stream.Collectors; import java.util.stream.Collectors;
public abstract class DockerEnvironmentAwareTestContainer extends GenericContainer<DockerEnvironmentAwareTestContainer> public abstract class DockerEnvironmentAwareTestContainer extends GenericContainer<DockerEnvironmentAwareTestContainer>
@ -56,8 +56,8 @@ public abstract class DockerEnvironmentAwareTestContainer extends GenericContain
} }
} }
public DockerEnvironmentAwareTestContainer(ImageFromDockerfile imageFromDockerfile) { public DockerEnvironmentAwareTestContainer(Future<String> image) {
super(imageFromDockerfile); super(image);
} }
@Override @Override


@ -5,9 +5,9 @@ dependencies {
javaRestTestImplementation "com.google.jimfs:jimfs:${versions.jimfs}" javaRestTestImplementation "com.google.jimfs:jimfs:${versions.jimfs}"
javaRestTestImplementation "com.google.guava:guava:${versions.jimfs_guava}" javaRestTestImplementation "com.google.guava:guava:${versions.jimfs_guava}"
javaRestTestImplementation project(":x-pack:test:idp-fixture") javaRestTestImplementation project(":x-pack:test:idp-fixture")
javaRestTestRuntimeOnly "org.slf4j:slf4j-simple:${versions.slf4j}"
} }
tasks.named("javaRestTest").configure { tasks.named("javaRestTest").configure {
usesDefaultDistribution() usesDefaultDistribution()
} }


@ -28,7 +28,6 @@ import org.apache.http.protocol.BasicHttpContext;
import org.apache.http.protocol.HttpContext; import org.apache.http.protocol.HttpContext;
import org.apache.http.protocol.HttpCoreContext; import org.apache.http.protocol.HttpCoreContext;
import org.apache.http.util.EntityUtils; import org.apache.http.util.EntityUtils;
import org.apache.lucene.tests.util.LuceneTestCase;
import org.elasticsearch.client.Request; import org.elasticsearch.client.Request;
import org.elasticsearch.client.RequestOptions; import org.elasticsearch.client.RequestOptions;
import org.elasticsearch.client.Response; import org.elasticsearch.client.Response;
@ -92,7 +91,6 @@ import static org.hamcrest.Matchers.startsWith;
/** /**
* An integration test for validating SAML authentication against a real Identity Provider (Shibboleth) * An integration test for validating SAML authentication against a real Identity Provider (Shibboleth)
*/ */
@LuceneTestCase.AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/issues/103717")
@ThreadLeakFilters(filters = { TestContainersThreadFilter.class }) @ThreadLeakFilters(filters = { TestContainersThreadFilter.class })
public class SamlAuthenticationIT extends ESRestTestCase { public class SamlAuthenticationIT extends ESRestTestCase {


@ -1,3 +1,7 @@
import org.elasticsearch.gradle.Architecture
import org.elasticsearch.gradle.internal.docker.DockerBuildTask
import org.elasticsearch.gradle.internal.info.BuildParams
apply plugin: 'elasticsearch.java' apply plugin: 'elasticsearch.java'
apply plugin: 'elasticsearch.cache-test-fixtures' apply plugin: 'elasticsearch.cache-test-fixtures'
@ -7,3 +11,26 @@ dependencies {
api project(':test:fixtures:testcontainer-utils') api project(':test:fixtures:testcontainer-utils')
api "junit:junit:${versions.junit}" api "junit:junit:${versions.junit}"
} }
tasks.register("deployIdpFixtureDockerImages", DockerBuildTask) {
dockerContext.fileValue(file("src/main/resources/idp"))
baseImages = ["openjdk:11.0.16-jre"]
noCache = BuildParams.isCi
tags = ["docker.elastic.co/elasticsearch-dev/idp-fixture:1.0"]
push = BuildParams.isCI
getPlatforms().addAll( Architecture.values().collect{ it.dockerPlatform } )
}
tasks.register("deployOpenLdapFixtureDockerImages", DockerBuildTask) {
dockerContext.fileValue(file("src/main/resources/openldap"))
baseImages = ["osixia/openldap:1.4.0"]
noCache = BuildParams.isCi
tags = ["docker.elastic.co/elasticsearch-dev/openldap-fixture:1.0"]
push = BuildParams.isCI
getPlatforms().addAll( Architecture.values().collect{ it.dockerPlatform } )
}
tasks.register("deployFixtureDockerImages") {
dependsOn tasks.withType(DockerBuildTask)
}
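Review bot: The two new tasks read `BuildParams.isCI` for `push` but `BuildParams.isCi` for `noCache` two lines earlier (and the rest of the build, e.g. `noCache = BuildParams.isCi` in the distribution Docker build file, uses the lower-case form); unless `BuildParams` really exposes both spellings, the capitalised one resolves to a missing property at configuration time, so it should read `push = BuildParams.isCi` in both `deployIdpFixtureDockerImages` and `deployOpenLdapFixtureDockerImages`. Separately, both tasks push to a fixed mutable tag (`...-fixture:1.0`) that the test containers then pull by that same tag, so every CI run that rebuilds silently replaces the image `SamlAuthenticationIT` and the LDAP tests run against, and a partial or bad push changes them for every branch at once; consider deriving the tag from the docker context (a content hash or the commit) or having the consumers pin a digest, and document the intended versioning rule in a comment above the tag line, e.g. `// Bump this tag whenever src/main/resources/idp changes; tests pull it via RemoteDockerImage`.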


@ -11,8 +11,7 @@ import org.elasticsearch.test.fixtures.testcontainers.DockerEnvironmentAwareTest
import org.junit.rules.TemporaryFolder; import org.junit.rules.TemporaryFolder;
import org.testcontainers.containers.Network; import org.testcontainers.containers.Network;
import org.testcontainers.containers.wait.strategy.Wait; import org.testcontainers.containers.wait.strategy.Wait;
import org.testcontainers.images.builder.ImageFromDockerfile; import org.testcontainers.images.RemoteDockerImage;
import org.testcontainers.images.builder.dockerfile.statement.SingleArgumentStatement;
import java.io.IOException; import java.io.IOException;
import java.nio.file.Path; import java.nio.file.Path;
@ -21,8 +20,7 @@ import static org.elasticsearch.test.fixtures.ResourceUtils.copyResourceToFile;
public final class IdpTestContainer extends DockerEnvironmentAwareTestContainer { public final class IdpTestContainer extends DockerEnvironmentAwareTestContainer {
public static final String DOCKER_BASE_IMAGE = "openjdk:11.0.16-jre"; private static final String DOCKER_BASE_IMAGE = "docker.elastic.co/elasticsearch-dev/idp-fixture:1.0";
private final TemporaryFolder temporaryFolder = new TemporaryFolder(); private final TemporaryFolder temporaryFolder = new TemporaryFolder();
private Path certsPath; private Path certsPath;
@ -34,117 +32,10 @@ public final class IdpTestContainer extends DockerEnvironmentAwareTestContainer
} }
public IdpTestContainer(Network network) { public IdpTestContainer(Network network) {
super( super(new RemoteDockerImage(DOCKER_BASE_IMAGE));
new ImageFromDockerfile("es-idp-testfixture").withDockerfileFromBuilder(
builder -> builder.from(DOCKER_BASE_IMAGE)
.env("jetty_version", "9.3.27.v20190418")
.env("jetty_hash", "7c7c80dd1c9f921771e2b1a05deeeec652d5fcaa")
.env("idp_version", "3.4.3")
.env("idp_hash", "eb86bc7b6366ce2a44f97cae1b014d307b84257e3149469b22b2d091007309db")
.env("dta_hash", "2f547074b06952b94c35631398f36746820a7697")
.env("slf4j_version", "1.7.25")
.env("slf4j_hash", "da76ca59f6a57ee3102f8f9bd9cee742973efa8a")
.env("logback_version", "1.2.3")
.env("logback_classic_hash", "7c4f3c474fb2c041d8028740440937705ebb473a")
.env("logback_core_hash", "864344400c3d4d92dfeb0a305dc87d953677c03c")
.env("logback_access_hash", "e8a841cb796f6423c7afd8738df6e0e4052bf24a")
.env("JETTY_HOME", "/opt/jetty-home")
.env("JETTY_BASE", "/opt/shib-jetty-base")
.env("PATH", "$PATH:$JAVA_HOME/bin")
.env("JETTY_BROWSER_SSL_KEYSTORE_PASSWORD", "secret")
.env("JETTY_BACKCHANNEL_SSL_KEYSTORE_PASSWORD", "secret")
.env("JETTY_MAX_HEAP", "64m")
// Manually override the jetty keystore otherwise it will attempt to download and fail
.run("mkdir -p /opt/shib-jetty-base/modules")
.copy("idp/jetty-custom/ssl.mod", "/opt/shib-jetty-base/modules/ssl.mod")
.copy("idp/jetty-custom/keystore", "/opt/shib-jetty-base/etc/keystore")
// Download Jetty, verify the hash, and install, initialize a new base
.run(
"wget -q https://repo.maven.apache.org/maven2/org/eclipse/jetty/jetty-distribution/$jetty_version/jetty-distribution-$jetty_version.tar.gz"
+ " && echo \"$jetty_hash jetty-distribution-$jetty_version.tar.gz\" | sha1sum -c -"
+ " && tar -zxvf jetty-distribution-$jetty_version.tar.gz -C /opt"
+ " && ln -s /opt/jetty-distribution-$jetty_version/ /opt/jetty-home"
)
// Config Jetty
.run(
"mkdir -p /opt/shib-jetty-base/modules /opt/shib-jetty-base/lib/ext /opt/shib-jetty-base/lib/logging /opt/shib-jetty-base/resources"
+ " && cd /opt/shib-jetty-base"
+ " && touch start.ini"
+ " && java -jar ../jetty-home/start.jar --add-to-startd=http,https,deploy,ext,annotations,jstl,rewrite"
)
// Download Shibboleth IdP, verify the hash, and install
.run(
"wget -q https://shibboleth.net/downloads/identity-provider/archive/$idp_version/shibboleth-identity-provider-$idp_version.tar.gz"
+ " && echo \"$idp_hash shibboleth-identity-provider-$idp_version.tar.gz\" | sha256sum -c -"
+ " && tar -zxvf shibboleth-identity-provider-$idp_version.tar.gz -C /opt"
+ " && ln -s /opt/shibboleth-identity-provider-$idp_version/ /opt/shibboleth-idp"
)
// Download the library to allow SOAP Endpoints, verify the hash, and place
.run(
"wget -q https://build.shibboleth.net/nexus/content/repositories/releases/net/shibboleth/utilities/jetty9/jetty9-dta-ssl/1.0.0/jetty9-dta-ssl-1.0.0.jar"
+ " && echo \"$dta_hash jetty9-dta-ssl-1.0.0.jar\" | sha1sum -c -"
+ " && mv jetty9-dta-ssl-1.0.0.jar /opt/shib-jetty-base/lib/ext/"
)
// Download the slf4j library for Jetty logging, verify the hash, and place
.run(
"wget -q https://repo.maven.apache.org/maven2/org/slf4j/slf4j-api/$slf4j_version/slf4j-api-$slf4j_version.jar"
+ " && echo \"$slf4j_hash slf4j-api-$slf4j_version.jar\" | sha1sum -c -"
+ " && mv slf4j-api-$slf4j_version.jar /opt/shib-jetty-base/lib/logging/"
)
// Download the logback_classic library for Jetty logging, verify the hash, and place
.run(
"wget -q https://repo.maven.apache.org/maven2/ch/qos/logback/logback-classic/$logback_version/logback-classic-$logback_version.jar"
+ " && echo \"$logback_classic_hash logback-classic-$logback_version.jar\" | sha1sum -c -"
+ " && mv logback-classic-$logback_version.jar /opt/shib-jetty-base/lib/logging/"
)
// Download the logback-core library for Jetty logging, verify the hash, and place
.run(
"wget -q https://repo.maven.apache.org/maven2/ch/qos/logback/logback-core/$logback_version/logback-core-$logback_version.jar"
+ " && echo \"$logback_core_hash logback-core-$logback_version.jar\" | sha1sum -c -"
+ " && mv logback-core-$logback_version.jar /opt/shib-jetty-base/lib/logging/"
)
// Download the logback-access library for Jetty logging, verify the hash, and place
.run(
"wget -q https://repo.maven.apache.org/maven2/ch/qos/logback/logback-access/$logback_version/logback-access-$logback_version.jar"
+ " && echo \"$logback_access_hash logback-access-$logback_version.jar\" | sha1sum -c -"
+ " && mv logback-access-$logback_version.jar /opt/shib-jetty-base/lib/logging/"
)
// ## Copy local files
.copy("idp/shib-jetty-base/", "/opt/shib-jetty-base/")
.copy("idp/shibboleth-idp/", "/opt/shibboleth-idp/")
.copy("idp/bin/", "/usr/local/bin/")
// Setting owner ownership and permissions
.run(
"useradd jetty -U -s /bin/false"
+ " && chown -R root:jetty /opt"
+ " && chmod -R 640 /opt"
+ " && chown -R root:jetty /opt/shib-jetty-base"
+ " && chmod -R 640 /opt/shib-jetty-base"
+ " && chmod -R 750 /opt/shibboleth-idp/bin"
)
.run("chmod 750 /usr/local/bin/run-jetty.sh /usr/local/bin/init-idp.sh")
.run("chmod +x /opt/jetty-home/bin/jetty.sh")
// Opening 4443 (browser TLS), 8443 (mutual auth TLS)
.cmd("run-jetty.sh")
.withStatement(
new SingleArgumentStatement(
"HEALTHCHECK",
"CMD curl -f -s --http0.9 http://localhost:4443 " + "--connect-timeout 10 --max-time 10 --output - > /dev/null"
)
)
// .expose(4443)
.build()
)
.withFileFromClasspath("idp/jetty-custom/ssl.mod", "/idp/jetty-custom/ssl.mod")
.withFileFromClasspath("idp/jetty-custom/keystore", "/idp/jetty-custom/keystore")
.withFileFromClasspath("idp/shib-jetty-base/", "/idp/shib-jetty-base/")
.withFileFromClasspath("idp/shibboleth-idp/", "/idp/shibboleth-idp/")
.withFileFromClasspath("idp/bin/", "/idp/bin/")
);
withNetworkAliases("idp"); withNetworkAliases("idp");
withNetwork(network); withNetwork(network);
waitingFor(Wait.forHealthcheck()); waitingFor(Wait.forListeningPorts(4443));
addExposedPorts(4443, 8443); addExposedPorts(4443, 8443);
} }
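Review bot: Replacing `Wait.forHealthcheck()` with `Wait.forListeningPorts(4443)` weakens readiness from "the HTTP probe in the image's HEALTHCHECK succeeded" to "something accepts TCP on 4443"; Jetty may open the connector before the Shibboleth webapp has finished deploying, which could put the flakiness this commit targets back in a different place. If the IdP answers on that port, an HTTP wait keeps the stronger condition without relying on the image's healthcheck, e.g. `waitingFor(Wait.forHttp("/").forPort(4443).usingTls().allowInsecure());` (adjust the path and status to what the IdP actually serves). The constant is still named `DOCKER_BASE_IMAGE` although it now holds the finished fixture image rather than a base to build on; renaming it `DOCKER_IMAGE` here and in `OpenLdapTestContainer` would avoid the misleading name, and a comment such as `// Prebuilt by the deployIdpFixtureDockerImages task; see build.gradle` would tell readers where the image comes from.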


@ -10,7 +10,7 @@ package org.elasticsearch.test.fixtures.idp;
import org.elasticsearch.test.fixtures.testcontainers.DockerEnvironmentAwareTestContainer; import org.elasticsearch.test.fixtures.testcontainers.DockerEnvironmentAwareTestContainer;
import org.junit.rules.TemporaryFolder; import org.junit.rules.TemporaryFolder;
import org.testcontainers.containers.Network; import org.testcontainers.containers.Network;
import org.testcontainers.images.builder.ImageFromDockerfile; import org.testcontainers.images.RemoteDockerImage;
import java.io.IOException; import java.io.IOException;
import java.nio.file.Path; import java.nio.file.Path;
@ -19,7 +19,7 @@ import static org.elasticsearch.test.fixtures.ResourceUtils.copyResourceToFile;
public final class OpenLdapTestContainer extends DockerEnvironmentAwareTestContainer { public final class OpenLdapTestContainer extends DockerEnvironmentAwareTestContainer {
public static final String DOCKER_BASE_IMAGE = "osixia/openldap:1.4.0"; private static final String DOCKER_BASE_IMAGE = "docker.elastic.co/elasticsearch-dev/openldap-fixture:1.0";
private final TemporaryFolder temporaryFolder = new TemporaryFolder(); private final TemporaryFolder temporaryFolder = new TemporaryFolder();
private Path certsPath; private Path certsPath;
@ -29,36 +29,7 @@ public final class OpenLdapTestContainer extends DockerEnvironmentAwareTestConta
} }
public OpenLdapTestContainer(Network network) { public OpenLdapTestContainer(Network network) {
super( super(new RemoteDockerImage(DOCKER_BASE_IMAGE));
new ImageFromDockerfile("es-openldap-testfixture").withDockerfileFromBuilder(
builder -> builder.from(DOCKER_BASE_IMAGE)
.env("LDAP_ADMIN_PASSWORD", "NickFuryHeartsES")
.env("LDAP_DOMAIN", "oldap.test.elasticsearch.com")
.env("LDAP_BASE_DN", "DC=oldap,DC=test,DC=elasticsearch,DC=com")
.env("LDAP_TLS", "true")
.env("LDAP_TLS_CRT_FILENAME", "ldap_server.pem")
.env("LDAP_TLS_CA_CRT_FILENAME", "ca_server.pem")
.env("LDAP_TLS_KEY_FILENAME", "ldap_server.key")
.env("LDAP_TLS_VERIFY_CLIENT", "never")
.env("LDAP_TLS_CIPHER_SUITE", "NORMAL")
.env("LDAP_LOG_LEVEL", "256")
.copy(
"openldap/ldif/users.ldif",
"/container/service/slapd/assets/config/bootstrap/ldif/custom/20-bootstrap-users.ldif"
)
.copy(
"openldap/ldif/config.ldif",
"/container/service/slapd/assets/config/bootstrap/ldif/custom/10-bootstrap-config.ldif"
)
.copy("openldap/certs", "/container/service/slapd/assets/certs")
.build()
)
.withFileFromClasspath("openldap/certs", "/openldap/certs/")
.withFileFromClasspath("openldap/ldif/users.ldif", "/openldap/ldif/users.ldif")
.withFileFromClasspath("openldap/ldif/config.ldif", "/openldap/ldif/config.ldif")
);
// withLogConsumer(new Slf4jLogConsumer(logger()));
withNetworkAliases("openldap"); withNetworkAliases("openldap");
withNetwork(network); withNetwork(network);
withExposedPorts(389, 636); withExposedPorts(389, 636);


@ -20,12 +20,13 @@ ENV JETTY_HOME=/opt/jetty-home \
JETTY_BASE=/opt/shib-jetty-base \ JETTY_BASE=/opt/shib-jetty-base \
PATH=$PATH:$JAVA_HOME/bin \ PATH=$PATH:$JAVA_HOME/bin \
JETTY_BROWSER_SSL_KEYSTORE_PASSWORD=secret \ JETTY_BROWSER_SSL_KEYSTORE_PASSWORD=secret \
JETTY_BACKCHANNEL_SSL_KEYSTORE_PASSWORD=secret JETTY_BACKCHANNEL_SSL_KEYSTORE_PASSWORD=secret \
JETTY_MAX_HEAP=64m
# Manually override the jetty keystore otherwise it will attempt to download and fail # Manually override the jetty keystore otherwise it will attempt to download and fail
RUN mkdir -p /opt/shib-jetty-base/modules RUN mkdir -p /opt/shib-jetty-base/modules
COPY ./idp/jetty-custom/ssl.mod /opt/shib-jetty-base/modules/ssl.mod COPY ./jetty-custom/ssl.mod /opt/shib-jetty-base/modules/ssl.mod
COPY ./idp/jetty-custom/keystore /opt/shib-jetty-base/etc/keystore COPY ./jetty-custom/keystore /opt/shib-jetty-base/etc/keystore
# Download Jetty, verify the hash, and install, initialize a new base # Download Jetty, verify the hash, and install, initialize a new base
RUN wget -q https://repo.maven.apache.org/maven2/org/eclipse/jetty/jetty-distribution/$jetty_version/jetty-distribution-$jetty_version.tar.gz \ RUN wget -q https://repo.maven.apache.org/maven2/org/eclipse/jetty/jetty-distribution/$jetty_version/jetty-distribution-$jetty_version.tar.gz \
@ -71,9 +72,9 @@ RUN wget -q https://repo.maven.apache.org/maven2/ch/qos/logback/logback-access/$
&& mv logback-access-$logback_version.jar /opt/shib-jetty-base/lib/logging/ && mv logback-access-$logback_version.jar /opt/shib-jetty-base/lib/logging/
## Copy local files ## Copy local files
COPY idp/shib-jetty-base/ /opt/shib-jetty-base/ COPY shib-jetty-base/ /opt/shib-jetty-base/
COPY idp/shibboleth-idp/ /opt/shibboleth-idp/ COPY shibboleth-idp/ /opt/shibboleth-idp/
COPY idp/bin/ /usr/local/bin/ COPY bin/ /usr/local/bin/
# Setting owner ownership and permissions # Setting owner ownership and permissions
RUN useradd jetty -U -s /bin/false \ RUN useradd jetty -U -s /bin/false \
@ -86,6 +87,8 @@ RUN useradd jetty -U -s /bin/false \
RUN chmod 750 /usr/local/bin/run-jetty.sh /usr/local/bin/init-idp.sh RUN chmod 750 /usr/local/bin/run-jetty.sh /usr/local/bin/init-idp.sh
RUN chmod +x /opt/jetty-home/bin/jetty.sh RUN chmod +x /opt/jetty-home/bin/jetty.sh
RUN apt-get update && apt-get install -y netcat
# Opening 4443 (browser TLS), 8443 (mutual auth TLS) # Opening 4443 (browser TLS), 8443 (mutual auth TLS)
EXPOSE 4443 8443 EXPOSE 4443 8443
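Review bot: The new `RUN apt-get update && apt-get install -y netcat` adds a layer that keeps the apt package lists and recommended packages in the published image, and nothing says why a network tool is being added to an IdP fixture; presumably it is for the port-listening wait the test container now uses. Make the intent explicit and keep the layer small, e.g. `# netcat is used by the Testcontainers listening-port check` followed by `RUN apt-get update && apt-get install -y --no-install-recommends netcat && rm -rf /var/lib/apt/lists/*`. If the base image's Debian release has already turned `netcat` into a virtual package, the install needs a concrete provider such as `netcat-openbsd` instead.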


@ -0,0 +1,17 @@
FROM osixia/openldap:1.4.0
ENV LDAP_ADMIN_PASSWORD=NickFuryHeartsES
ENV LDAP_DOMAIN=oldap.test.elasticsearch.com
ENV LDAP_BASE_DN=DC=oldap,DC=test,DC=elasticsearch,DC=com
ENV LDAP_TLS=true
ENV LDAP_TLS_CRT_FILENAME=ldap_server.pem
ENV LDAP_TLS_CA_CRT_FILENAME=ca_server.pem
ENV LDAP_TLS_KEY_FILENAME=ldap_server.key
ENV LDAP_TLS_VERIFY_CLIENT=never
ENV LDAP_TLS_CIPHER_SUITE=NORMAL
ENV LDAP_LOG_LEVEL=256
COPY ./ldif/users.ldif /container/service/slapd/assets/config/bootstrap/ldif/custom/20-bootstrap-users.ldif
COPY ./ldif/config.ldif /container/service/slapd/assets/config/bootstrap/ldif/custom/10-bootstrap-config.ldif
COPY ./certs /container/service/slapd/assets/certs
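Review bot: `FROM osixia/openldap:1.4.0` pins the base only by a mutable tag, and the result is now built in CI and pushed to a shared registry that every test run pulls from, so a retagged upstream image changes the fixture for all branches without any diff in this repository; pin the digest as well, `FROM osixia/openldap:1.4.0@sha256:<DIGEST_PLACEHOLDER>`, and do the same for `openjdk:11.0.16-jre` in the idp Dockerfile. A short header comment would also help readers, e.g. `# Test-only OpenLDAP fixture: the admin password and TLS settings below are deliberately weak and exist only for the integration tests`, since the admin password and `LDAP_TLS_VERIFY_CLIENT=never` are now baked into a published image rather than a locally built one.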