diff --git a/TESTING.asciidoc b/TESTING.asciidoc index ff0d4d47a940..3c4613e62b76 100644 --- a/TESTING.asciidoc +++ b/TESTING.asciidoc @@ -584,6 +584,81 @@ repository without fetching latest. For these use cases, you can set the system property `tests.bwc.git_fetch_latest` to `false` and the BWC builds will skip fetching the latest from the remote. +== Testing in FIPS 140-2 mode + +We have a CI matrix job that periodically runs all our tests with the JVM configured +to be FIPS 140-2 compliant with the use of the BouncyCastle FIPS approved Security Provider. +FIPS 140-2 imposes certain requirements that affect how our tests should be set up or what +can be tested. This section summarizes what one needs to take into consideration so that +tests won't fail when run in fips mode. + +=== Muting tests in FIPS 140-2 mode + +If the following limitations cannot be observed, or there is a need to actually test some use +case that is not available/allowed in fips mode, the test can be muted. For unit tests or Java +rest tests one can use + +------------------------------------------------ +assumeFalse("Justification why this cannot be run in FIPS mode", inFipsJvm()); +------------------------------------------------ + +For specific YAML rest tests one can use + +------------------------------------------------ +- skip: + features: fips_140 + reason: "Justification why this cannot be run in FIPS mode" +------------------------------------------------ + +For disabling entire types of tests for subprojects, one can use for example: + +------------------------------------------------ +if (BuildParams.inFipsJvm){ + // This test cluster is using a BASIC license and FIPS 140 mode is not supported in BASIC + tasks.named("javaRestTest").configure{enabled = false } +} +------------------------------------------------ + +in `build.gradle`. + +=== Limitations + +The following should be taken into consideration when writing new tests or adjusting existing ones: + +==== TLS + +`JKS` and `PKCS#12` keystores cannot be used in FIPS mode. If the test depends on being able to use +a keystore, it can be muted when needed ( see `ESTestCase#inFipsJvm` ). Alternatively, one can use +PEM encoded files for keys and certificates for the tests or for setting up TLS in a test cluster. +Also, when in FIPS 140 mode, hostname verification for TLS cannot be turned off so if you are using +`*.verification_mode: none` , you'd need to mute the test in fips mode. + +When using TLS, ensure that private keys used are longer than 2048 bits, or mute the test in fips mode. + +==== Password hashing algorithm + +Test clusters are configured with `xpack.security.fips_mode.enabled` set to true. This means that +FIPS 140-2 related bootstrap checks are enabled and the test cluster will fail to form if the +password hashing algorithm is set to something else than a PBKDF2 based one. You can delegate the choice +of algorithm to i.e. `SecurityIntegTestCase#getFastStoredHashAlgoForTests` if you don't mind the +actual algorithm used, or depend on default values for the test cluster nodes. + +==== Password length + +While using `pbkdf2` as the password hashing algorithm, FIPS 140-2 imposes a requirement that +passwords are longer than 14 characters. You can either ensure that all test user passwords in +your test are longer than 14 characters and use i.e. `SecurityIntegTestCase#getFastStoredHashAlgoForTests` +to randomly select a hashing algorithm, or use `pbkdf2_stretch` that doesn't have the same +limitation. + +==== Keystore Password + +In FIPS 140-2 mode, the elasticsearch keystore needs to be password protected with a password +of appropriate length. This is handled automatically in `fips.gradle` and the keystore is unlocked +on startup by the test clusters tooling in order to have secure settings available. However, you +might need to take into consideration that the keystore is password-protected with `keystore-password` +if you need to interact with it in a test. + == How to write good tests? === Base classes for test cases diff --git a/build.gradle b/build.gradle index 6506ada28279..8fd4e8eeb207 100644 --- a/build.gradle +++ b/build.gradle @@ -184,7 +184,17 @@ tasks.register("verifyVersions") { */ boolean bwc_tests_enabled = true -final String bwc_tests_disabled_issue = "" /* place a PR link here when committing bwc changes */ +String bwc_tests_disabled_issue = "" /* place a PR link here when committing bwc changes */ +/* + * FIPS 140-2 behavior was fixed in 7.11.0. Before that there is no way to run elasticsearch in a + * JVM that is properly configured to be in fips mode with BCFIPS. For now we need to disable + * all bwc testing in fips mode. + */ + +if ( BuildParams.inFipsJvm ) { + bwc_tests_enabled = false + bwc_tests_disabled_issue = "https://github.com/elastic/elasticsearch/issues/66772" +} if (bwc_tests_enabled == false) { if (bwc_tests_disabled_issue.isEmpty()) { throw new GradleException("bwc_tests_disabled_issue must be set when bwc_tests_enabled == false") diff --git a/buildSrc/src/main/java/org/elasticsearch/gradle/testclusters/ElasticsearchNode.java b/buildSrc/src/main/java/org/elasticsearch/gradle/testclusters/ElasticsearchNode.java index 208c3aa5c253..138766820f41 100644 --- a/buildSrc/src/main/java/org/elasticsearch/gradle/testclusters/ElasticsearchNode.java +++ b/buildSrc/src/main/java/org/elasticsearch/gradle/testclusters/ElasticsearchNode.java @@ -523,7 +523,7 @@ public class ElasticsearchNode implements TestClusterConfiguration { if (keystoreSettings.isEmpty() == false || keystoreFiles.isEmpty() == false) { logToProcessStdout("Adding " + keystoreSettings.size() + " keystore settings and " + keystoreFiles.size() + " keystore files"); - keystoreSettings.forEach((key, value) -> runKeystoreCommandWithPassword(keystorePassword, value.toString(), "add", "-x", key)); + keystoreSettings.forEach((key, value) -> runKeystoreCommandWithPassword(keystorePassword, value.toString(), "add", key)); for (Map.Entry entry : keystoreFiles.entrySet()) { File file = entry.getValue(); diff --git a/client/rest-high-level/build.gradle b/client/rest-high-level/build.gradle index 3090e79bb58c..359ba394c2a7 100644 --- a/client/rest-high-level/build.gradle +++ b/client/rest-high-level/build.gradle @@ -72,14 +72,14 @@ File pkiTrustCert = file("./src/test/resources/org/elasticsearch/client/security tasks.named("integTest").configure { systemProperty 'tests.rest.async', 'false' systemProperty 'tests.rest.cluster.username', System.getProperty('tests.rest.cluster.username', 'test_user') - systemProperty 'tests.rest.cluster.password', System.getProperty('tests.rest.cluster.password', 'test-password') + systemProperty 'tests.rest.cluster.password', System.getProperty('tests.rest.cluster.password', 'test-user-password') } // Requires https://github.com/elastic/elasticsearch/pull/64403 to have this moved to task avoidance api. TaskProvider asyncIntegTest = tasks.register("asyncIntegTest", RestIntegTestTask) { systemProperty 'tests.rest.async', 'true' systemProperty 'tests.rest.cluster.username', System.getProperty('tests.rest.cluster.username', 'test_user') - systemProperty 'tests.rest.cluster.password', System.getProperty('tests.rest.cluster.password', 'test-password') + systemProperty 'tests.rest.cluster.password', System.getProperty('tests.rest.cluster.password', 'test-user-password') } tasks.named("check").configure { @@ -110,7 +110,7 @@ testClusters.all { keystore 'xpack.security.transport.ssl.truststore.secure_password', 'testnode' extraConfigFile 'roles.yml', file('roles.yml') user username: System.getProperty('tests.rest.cluster.username', 'test_user'), - password: System.getProperty('tests.rest.cluster.password', 'test-password'), + password: System.getProperty('tests.rest.cluster.password', 'test-user-password'), role: System.getProperty('tests.rest.cluster.role', 'admin') user username: 'admin_user', password: 'admin-password' diff --git a/client/rest-high-level/src/test/java/org/elasticsearch/client/SecurityIT.java b/client/rest-high-level/src/test/java/org/elasticsearch/client/SecurityIT.java index 44a840e7b1bf..5751d7662b3d 100644 --- a/client/rest-high-level/src/test/java/org/elasticsearch/client/SecurityIT.java +++ b/client/rest-high-level/src/test/java/org/elasticsearch/client/SecurityIT.java @@ -222,7 +222,7 @@ public class SecurityIT extends ESRestHighLevelClientTestCase { } private static PutUserRequest randomPutUserRequest(User user, boolean enabled) { - final char[] password = randomAlphaOfLengthBetween(6, 10).toCharArray(); + final char[] password = randomAlphaOfLengthBetween(14, 19).toCharArray(); return new PutUserRequest(user, password, enabled, RefreshPolicy.IMMEDIATE); } diff --git a/client/rest-high-level/src/test/java/org/elasticsearch/client/documentation/CRUDDocumentationIT.java b/client/rest-high-level/src/test/java/org/elasticsearch/client/documentation/CRUDDocumentationIT.java index 9d1f7f3cff50..e407db93e6a3 100644 --- a/client/rest-high-level/src/test/java/org/elasticsearch/client/documentation/CRUDDocumentationIT.java +++ b/client/rest-high-level/src/test/java/org/elasticsearch/client/documentation/CRUDDocumentationIT.java @@ -845,7 +845,7 @@ public class CRUDDocumentationIT extends ESRestHighLevelClientTestCase { Integer remotePort = host.getPort(); String remoteHost = host.getHostName(); String user = "test_user"; - String password = "test-password"; + String password = "test-user-password"; // tag::reindex-request-remote request.setRemoteInfo( diff --git a/client/rest-high-level/src/test/java/org/elasticsearch/client/documentation/SecurityDocumentationIT.java b/client/rest-high-level/src/test/java/org/elasticsearch/client/documentation/SecurityDocumentationIT.java index 6cbe5893a4ba..46d2b13ef759 100644 --- a/client/rest-high-level/src/test/java/org/elasticsearch/client/documentation/SecurityDocumentationIT.java +++ b/client/rest-high-level/src/test/java/org/elasticsearch/client/documentation/SecurityDocumentationIT.java @@ -157,9 +157,9 @@ public class SecurityDocumentationIT extends ESRestHighLevelClientTestCase { public void testGetUsers() throws Exception { final RestHighLevelClient client = highLevelClient(); String[] usernames = new String[] {"user1", "user2", "user3"}; - addUser(client, usernames[0], randomAlphaOfLengthBetween(6, 10)); - addUser(client, usernames[1], randomAlphaOfLengthBetween(6, 10)); - addUser(client, usernames[2], randomAlphaOfLengthBetween(6, 10)); + addUser(client, usernames[0], randomAlphaOfLengthBetween(14, 18)); + addUser(client, usernames[1], randomAlphaOfLengthBetween(14, 18)); + addUser(client, usernames[2], randomAlphaOfLengthBetween(14, 18)); { //tag::get-users-request GetUsersRequest request = new GetUsersRequest(usernames[0]); @@ -251,7 +251,7 @@ public class SecurityDocumentationIT extends ESRestHighLevelClientTestCase { { //tag::put-user-password-request - char[] password = new char[]{'p', 'a', 's', 's', 'w', 'o', 'r', 'd'}; + char[] password = new char[]{'t', 'e', 's', 't', '-', 'u','s','e','r','-','p', 'a', 's', 's', 'w', 'o', 'r', 'd'}; User user = new User("example", Collections.singletonList("superuser")); PutUserRequest request = PutUserRequest.withPassword(user, password, true, RefreshPolicy.NONE); //end::put-user-password-request @@ -270,7 +270,7 @@ public class SecurityDocumentationIT extends ESRestHighLevelClientTestCase { byte[] salt = new byte[32]; // no need for secure random in a test; it could block and would not be reproducible anyway random().nextBytes(salt); - char[] password = new char[]{'p', 'a', 's', 's', 'w', 'o', 'r', 'd'}; + char[] password = new char[]{'t', 'e', 's', 't', '-', 'u','s','e','r','-','p', 'a', 's', 's', 'w', 'o', 'r', 'd'}; User user = new User("example2", Collections.singletonList("superuser")); //tag::put-user-hash-request @@ -326,7 +326,7 @@ public class SecurityDocumentationIT extends ESRestHighLevelClientTestCase { public void testDeleteUser() throws Exception { RestHighLevelClient client = highLevelClient(); - addUser(client, "testUser", "testPassword"); + addUser(client, "testUser", "testUserPassword"); { // tag::delete-user-request @@ -566,7 +566,7 @@ public class SecurityDocumentationIT extends ESRestHighLevelClientTestCase { public void testEnableUser() throws Exception { RestHighLevelClient client = highLevelClient(); - char[] password = new char[]{'p', 'a', 's', 's', 'w', 'o', 'r', 'd'}; + char[] password = new char[]{'t', 'e', 's', 't', '-', 'u','s','e','r','-','p', 'a', 's', 's', 'w', 'o', 'r', 'd'}; User enable_user = new User("enable_user", Collections.singletonList("superuser")); PutUserRequest putUserRequest = PutUserRequest.withPassword(enable_user, password, true, RefreshPolicy.IMMEDIATE); PutUserResponse putUserResponse = client.security().putUser(putUserRequest, RequestOptions.DEFAULT); @@ -611,7 +611,7 @@ public class SecurityDocumentationIT extends ESRestHighLevelClientTestCase { public void testDisableUser() throws Exception { RestHighLevelClient client = highLevelClient(); - char[] password = new char[]{'p', 'a', 's', 's', 'w', 'o', 'r', 'd'}; + char[] password = new char[]{'t', 'e', 's', 't', '-', 'u','s','e','r','-','p', 'a', 's', 's', 'w', 'o', 'r', 'd'}; User disable_user = new User("disable_user", Collections.singletonList("superuser")); PutUserRequest putUserRequest = PutUserRequest.withPassword(disable_user, password, true, RefreshPolicy.IMMEDIATE); PutUserResponse putUserResponse = client.security().putUser(putUserRequest, RequestOptions.DEFAULT); @@ -1183,8 +1183,9 @@ public class SecurityDocumentationIT extends ESRestHighLevelClientTestCase { public void testChangePassword() throws Exception { RestHighLevelClient client = highLevelClient(); - char[] password = new char[]{'p', 'a', 's', 's', 'w', 'o', 'r', 'd'}; - char[] newPassword = new char[]{'n', 'e', 'w', 'p', 'a', 's', 's', 'w', 'o', 'r', 'd'}; + char[] password = new char[]{'t', 'e', 's', 't', '-', 'u','s','e','r','-','p', 'a', 's', 's', 'w', 'o', 'r', 'd'}; + char[] newPassword = + new char[]{'n', 'e', 'w', '-', 't', 'e', 's', 't', '-', 'u','s','e','r','-','p', 'a', 's', 's', 'w', 'o', 'r', 'd'}; User user = new User("change_password_user", Collections.singletonList("superuser"), Collections.emptyMap(), null, null); PutUserRequest putUserRequest = PutUserRequest.withPassword(user, password, true, RefreshPolicy.NONE); PutUserResponse putUserResponse = client.security().putUser(putUserRequest, RequestOptions.DEFAULT); @@ -1403,14 +1404,14 @@ public class SecurityDocumentationIT extends ESRestHighLevelClientTestCase { { // Setup user User token_user = new User("token_user", Collections.singletonList("kibana_user")); - PutUserRequest putUserRequest = PutUserRequest.withPassword(token_user, "password".toCharArray(), true, + PutUserRequest putUserRequest = PutUserRequest.withPassword(token_user, "test-user-password".toCharArray(), true, RefreshPolicy.IMMEDIATE); PutUserResponse putUserResponse = client.security().putUser(putUserRequest, RequestOptions.DEFAULT); assertTrue(putUserResponse.isCreated()); } { // tag::create-token-password-request - final char[] password = new char[]{'p', 'a', 's', 's', 'w', 'o', 'r', 'd'}; + final char[] password = new char[]{'t', 'e', 's', 't', '-', 'u','s','e','r','-','p', 'a', 's', 's', 'w', 'o', 'r', 'd'}; CreateTokenRequest createTokenRequest = CreateTokenRequest.passwordGrant("token_user", password); // end::create-token-password-request @@ -1480,7 +1481,7 @@ public class SecurityDocumentationIT extends ESRestHighLevelClientTestCase { String refreshToken; { // Setup users - final char[] password = "password".toCharArray(); + final char[] password = "test-user-password".toCharArray(); User user = new User("user", Collections.singletonList("kibana_user")); PutUserRequest putUserRequest = PutUserRequest.withPassword(user, password, true, RefreshPolicy.IMMEDIATE); PutUserResponse putUserResponse = client.security().putUser(putUserRequest, RequestOptions.DEFAULT); diff --git a/client/rest/src/test/java/org/elasticsearch/client/documentation/RestClientDocumentation.java b/client/rest/src/test/java/org/elasticsearch/client/documentation/RestClientDocumentation.java index 11c81d2ae24b..36506b655564 100644 --- a/client/rest/src/test/java/org/elasticsearch/client/documentation/RestClientDocumentation.java +++ b/client/rest/src/test/java/org/elasticsearch/client/documentation/RestClientDocumentation.java @@ -359,7 +359,7 @@ public class RestClientDocumentation { final CredentialsProvider credentialsProvider = new BasicCredentialsProvider(); credentialsProvider.setCredentials(AuthScope.ANY, - new UsernamePasswordCredentials("user", "password")); + new UsernamePasswordCredentials("user", "test-user-password")); RestClientBuilder builder = RestClient.builder( new HttpHost("localhost", 9200)) @@ -378,7 +378,7 @@ public class RestClientDocumentation { final CredentialsProvider credentialsProvider = new BasicCredentialsProvider(); credentialsProvider.setCredentials(AuthScope.ANY, - new UsernamePasswordCredentials("user", "password")); + new UsernamePasswordCredentials("user", "test-user-password")); RestClientBuilder builder = RestClient.builder( new HttpHost("localhost", 9200)) diff --git a/distribution/docker/build.gradle b/distribution/docker/build.gradle index dd5de465819c..17b9f2e0856d 100644 --- a/distribution/docker/build.gradle +++ b/distribution/docker/build.gradle @@ -215,13 +215,17 @@ def createAndSetWritable(Object... locations) { } } -tasks.register("copyKeystore", Sync) { +tasks.register("copyNodeKeyMaterial", Sync) { from project(':x-pack:plugin:core') - .file('src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks') + .files( + 'src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem', + 'src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt' + ) into "${buildDir}/certs" doLast { file("${buildDir}/certs").setReadable(true, false) - file("${buildDir}/certs/testnode.jks").setReadable(true, false) + file("${buildDir}/certs/testnode.pem").setReadable(true, false) + file("${buildDir}/certs/testnode.crt").setReadable(true, false) } } @@ -241,7 +245,7 @@ elasticsearch_distributions { tasks.named("preProcessFixture").configure { dependsOn elasticsearch_distributions.docker_default, elasticsearch_distributions.docker_oss - dependsOn "copyKeystore" + dependsOn "copyNodeKeyMaterial" doLast { // tests expect to have an empty repo project.delete( @@ -261,7 +265,10 @@ tasks.named("preProcessFixture").configure { tasks.named("processTestResources").configure { from project(':x-pack:plugin:core') - .file('src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks') + .files( + 'src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem', + 'src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt' + ) } tasks.register("integTest", Test) { diff --git a/distribution/docker/docker-compose.yml b/distribution/docker/docker-compose.yml index 87d1309f5d45..2e98d5145090 100644 --- a/distribution/docker/docker-compose.yml +++ b/distribution/docker/docker-compose.yml @@ -3,10 +3,10 @@ version: '3' services: elasticsearch-default-1: image: elasticsearch:test - environment: - - node.name=elasticsearch-default-1 + environment: + - node.name=elasticsearch-default-1 - cluster.initial_master_nodes=elasticsearch-default-1,elasticsearch-default-2 - - discovery.seed_hosts=elasticsearch-default-2:9300 + - discovery.seed_hosts=elasticsearch-default-2:9300 - cluster.name=elasticsearch-default - bootstrap.memory_lock=true - "ES_JAVA_OPTS=-Xms512m -Xmx512m" @@ -15,22 +15,25 @@ services: - cluster.routing.allocation.disk.watermark.low=1b - cluster.routing.allocation.disk.watermark.high=1b - cluster.routing.allocation.disk.watermark.flood_stage=1b - - node.store.allow_mmap=false + - node.store.allow_mmap=false - xpack.security.enabled=true - xpack.security.transport.ssl.enabled=true - xpack.security.http.ssl.enabled=true - xpack.security.authc.token.enabled=true - xpack.security.audit.enabled=true - - xpack.security.authc.realms.file.file1.order=0 + - xpack.security.authc.realms.file.file1.order=0 - xpack.security.authc.realms.native.native1.order=1 - - xpack.security.transport.ssl.keystore.path=/usr/share/elasticsearch/config/testnode.jks - - xpack.security.http.ssl.keystore.path=/usr/share/elasticsearch/config/testnode.jks - - xpack.http.ssl.verification_mode=certificate - - xpack.security.transport.ssl.verification_mode=certificate + - xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/testnode.pem + - xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/testnode.crt + - xpack.security.http.ssl.key=/usr/share/elasticsearch/config/testnode.pem + - xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/testnode.crt + - xpack.http.ssl.verification_mode=certificate + - xpack.security.transport.ssl.verification_mode=certificate - xpack.license.self_generated.type=trial - volumes: + volumes: - ./build/repo:/tmp/es-repo - - ./build/certs/testnode.jks:/usr/share/elasticsearch/config/testnode.jks + - ./build/certs/testnode.pem:/usr/share/elasticsearch/config/testnode.pem + - ./build/certs/testnode.crt:/usr/share/elasticsearch/config/testnode.crt - ./build/logs/default-1:/usr/share/elasticsearch/logs - ./docker-test-entrypoint.sh:/docker-test-entrypoint.sh ports: @@ -42,10 +45,10 @@ services: entrypoint: /docker-test-entrypoint.sh elasticsearch-default-2: image: elasticsearch:test - environment: + environment: - node.name=elasticsearch-default-2 - cluster.initial_master_nodes=elasticsearch-default-1,elasticsearch-default-2 - - discovery.seed_hosts=elasticsearch-default-1:9300 + - discovery.seed_hosts=elasticsearch-default-1:9300 - cluster.name=elasticsearch-default - bootstrap.memory_lock=true - "ES_JAVA_OPTS=-Xms512m -Xmx512m" @@ -54,22 +57,25 @@ services: - cluster.routing.allocation.disk.watermark.low=1b - cluster.routing.allocation.disk.watermark.high=1b - cluster.routing.allocation.disk.watermark.flood_stage=1b - - node.store.allow_mmap=false + - node.store.allow_mmap=false - xpack.security.enabled=true - xpack.security.transport.ssl.enabled=true - xpack.security.http.ssl.enabled=true - xpack.security.authc.token.enabled=true - xpack.security.audit.enabled=true - - xpack.security.authc.realms.file.file1.order=0 - - xpack.security.authc.realms.native.native1.order=1 - - xpack.security.transport.ssl.keystore.path=/usr/share/elasticsearch/config/testnode.jks - - xpack.security.http.ssl.keystore.path=/usr/share/elasticsearch/config/testnode.jks - - xpack.http.ssl.verification_mode=certificate - - xpack.security.transport.ssl.verification_mode=certificate + - xpack.security.authc.realms.file.file1.order=0 + - xpack.security.authc.realms.native.native1.order=1 + - xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/testnode.pem + - xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/testnode.crt + - xpack.security.http.ssl.key=/usr/share/elasticsearch/config/testnode.pem + - xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/testnode.crt + - xpack.http.ssl.verification_mode=certificate + - xpack.security.transport.ssl.verification_mode=certificate - xpack.license.self_generated.type=trial - volumes: + volumes: - ./build/repo:/tmp/es-repo - - ./build/certs/testnode.jks:/usr/share/elasticsearch/config/testnode.jks + - ./build/certs/testnode.pem:/usr/share/elasticsearch/config/testnode.pem + - ./build/certs/testnode.crt:/usr/share/elasticsearch/config/testnode.crt - ./build/logs/default-2:/usr/share/elasticsearch/logs - ./docker-test-entrypoint.sh:/docker-test-entrypoint.sh ports: @@ -81,10 +87,10 @@ services: entrypoint: /docker-test-entrypoint.sh elasticsearch-oss-1: image: elasticsearch:test - environment: - - node.name=elasticsearch-oss-1 + environment: + - node.name=elasticsearch-oss-1 - cluster.initial_master_nodes=elasticsearch-oss-1,elasticsearch-oss-2 - - discovery.seed_hosts=elasticsearch-oss-2:9300 + - discovery.seed_hosts=elasticsearch-oss-2:9300 - cluster.name=elasticsearch-oss - bootstrap.memory_lock=true - "ES_JAVA_OPTS=-Xms512m -Xmx512m" @@ -93,8 +99,8 @@ services: - cluster.routing.allocation.disk.watermark.low=1b - cluster.routing.allocation.disk.watermark.high=1b - cluster.routing.allocation.disk.watermark.flood_stage=1b - - node.store.allow_mmap=false - volumes: + - node.store.allow_mmap=false + volumes: - ./build/oss-repo:/tmp/es-repo - ./build/logs/oss-1:/usr/share/elasticsearch/logs ports: @@ -105,10 +111,10 @@ services: hard: -1 elasticsearch-oss-2: image: elasticsearch:test - environment: + environment: - node.name=elasticsearch-oss-2 - cluster.initial_master_nodes=elasticsearch-oss-1,elasticsearch-oss-2 - - discovery.seed_hosts=elasticsearch-oss-1:9300 + - discovery.seed_hosts=elasticsearch-oss-1:9300 - cluster.name=elasticsearch-oss - bootstrap.memory_lock=true - "ES_JAVA_OPTS=-Xms512m -Xmx512m" @@ -117,8 +123,8 @@ services: - cluster.routing.allocation.disk.watermark.low=1b - cluster.routing.allocation.disk.watermark.high=1b - cluster.routing.allocation.disk.watermark.flood_stage=1b - - node.store.allow_mmap=false - volumes: + - node.store.allow_mmap=false + volumes: - ./build/oss-repo:/tmp/es-repo - ./build/logs/oss-2:/usr/share/elasticsearch/logs ports: diff --git a/distribution/docker/docker-test-entrypoint.sh b/distribution/docker/docker-test-entrypoint.sh index 1dca4b6a35e7..32d6e992892d 100755 --- a/distribution/docker/docker-test-entrypoint.sh +++ b/distribution/docker/docker-test-entrypoint.sh @@ -2,6 +2,6 @@ cd /usr/share/elasticsearch/bin/ ./elasticsearch-users useradd x_pack_rest_user -p x-pack-test-password -r superuser || true echo "testnode" > /tmp/password -cat /tmp/password | ./elasticsearch-keystore add -x -f -v 'xpack.security.transport.ssl.keystore.secure_password' -cat /tmp/password | ./elasticsearch-keystore add -x -f -v 'xpack.security.http.ssl.keystore.secure_password' -/usr/local/bin/docker-entrypoint.sh | tee > /usr/share/elasticsearch/logs/console.log +cat /tmp/password | ./elasticsearch-keystore add -x -f -v 'xpack.security.transport.ssl.secure_key_passphrase' +cat /tmp/password | ./elasticsearch-keystore add -x -f -v 'xpack.security.http.ssl.secure_key_passphrase' +/usr/local/bin/docker-entrypoint.sh | tee /usr/share/elasticsearch/logs/console.log diff --git a/distribution/docker/src/test/java/org/elasticsearch/docker/test/DockerYmlTestSuiteIT.java b/distribution/docker/src/test/java/org/elasticsearch/docker/test/DockerYmlTestSuiteIT.java index 3a8830182809..59980dd361fa 100644 --- a/distribution/docker/src/test/java/org/elasticsearch/docker/test/DockerYmlTestSuiteIT.java +++ b/distribution/docker/src/test/java/org/elasticsearch/docker/test/DockerYmlTestSuiteIT.java @@ -45,7 +45,6 @@ public class DockerYmlTestSuiteIT extends ESClientYamlSuiteTestCase { private static final String USER = "x_pack_rest_user"; private static final String PASS = "x-pack-test-password"; - private static final String KEYSTORE_PASS = "testnode"; public DockerYmlTestSuiteIT(ClientYamlTestCandidate testCandidate) { super(testCandidate); @@ -103,23 +102,24 @@ public class DockerYmlTestSuiteIT extends ESClientYamlSuiteTestCase { client().performRequest(health); } - static Path keyStore; + static Path trustedCertFile; @BeforeClass - public static void getKeyStore() { + public static void getTrustedCert() { try { - keyStore = PathUtils.get(DockerYmlTestSuiteIT.class.getResource("/testnode.jks").toURI()); + trustedCertFile = PathUtils.get(DockerYmlTestSuiteIT.class.getResource("/testnode.crt").toURI()); } catch (URISyntaxException e) { - throw new ElasticsearchException("exception while reading the store", e); + throw new ElasticsearchException("exception while reading the certificate", e); } - if (Files.exists(keyStore) == false) { - throw new IllegalStateException("Keystore file [" + keyStore + "] does not exist."); + + if (Files.exists(trustedCertFile) == false) { + throw new IllegalStateException("Certificate file [" + trustedCertFile + "] does not exist."); } } @AfterClass - public static void clearKeyStore() { - keyStore = null; + public static void clearTrustedCert() { + trustedCertFile = null; } @Override @@ -130,8 +130,7 @@ public class DockerYmlTestSuiteIT extends ESClientYamlSuiteTestCase { String token = basicAuthHeaderValue(USER, new SecureString(PASS.toCharArray())); return Settings.builder() .put(ThreadContext.PREFIX + ".Authorization", token) - .put(ESRestTestCase.TRUSTSTORE_PATH, keyStore) - .put(ESRestTestCase.TRUSTSTORE_PASSWORD, KEYSTORE_PASS) + .put(ESRestTestCase.CERTIFICATE_AUTHORITIES, trustedCertFile) .build(); } diff --git a/distribution/tools/keystore-cli/src/test/java/org/elasticsearch/common/settings/HasPasswordKeyStoreCommandTests.java b/distribution/tools/keystore-cli/src/test/java/org/elasticsearch/common/settings/HasPasswordKeyStoreCommandTests.java index 93e6b0cae209..1575bc483686 100644 --- a/distribution/tools/keystore-cli/src/test/java/org/elasticsearch/common/settings/HasPasswordKeyStoreCommandTests.java +++ b/distribution/tools/keystore-cli/src/test/java/org/elasticsearch/common/settings/HasPasswordKeyStoreCommandTests.java @@ -55,13 +55,13 @@ public class HasPasswordKeyStoreCommandTests extends KeyStoreCommandTestCase { } public void testSucceedsWhenKeystoreHasPassword() throws Exception { - createKeystore("password"); + createKeystore("keystore-password"); String output = execute(); assertThat(output, containsString("Keystore is password-protected")); } public void testSilentSucceedsWhenKeystoreHasPassword() throws Exception { - createKeystore("password"); + createKeystore("keystre-password"); String output = execute("--silent"); assertThat(output, is(emptyString())); } diff --git a/docs/build.gradle b/docs/build.gradle index e59ffa118a52..e5793a6d18e2 100644 --- a/docs/build.gradle +++ b/docs/build.gradle @@ -55,7 +55,7 @@ testClusters.integTest { setting 'xpack.license.self_generated.type', 'trial' setting 'indices.lifecycle.history_index_enabled', 'false' systemProperty 'es.rollup_v2_feature_flag_enabled', 'true' - keystorePassword 's3cr3t' + keystorePassword 'keystore-password' } // enable regexes in painless so our tests don't complain about example snippets that use them @@ -104,7 +104,7 @@ ext.docsFileTree = fileTree(projectDir) { exclude 'README.asciidoc' // Broken code snippet tests exclude 'reference/graph/explore.asciidoc' - if (Boolean.parseBoolean(System.getProperty("tests.fips.enabled"))) { + if (BuildParams.inFipsJvm) { // We don't install/support this plugin in FIPS 140 exclude 'plugins/ingest-attachment.asciidoc' // We can't conditionally control output, this would be missing the ingest-attachment plugin diff --git a/docs/reference/cluster/nodes-reload-secure-settings.asciidoc b/docs/reference/cluster/nodes-reload-secure-settings.asciidoc index f9fbc7059635..bd143670a266 100644 --- a/docs/reference/cluster/nodes-reload-secure-settings.asciidoc +++ b/docs/reference/cluster/nodes-reload-secure-settings.asciidoc @@ -57,11 +57,11 @@ node of the cluster: -------------------------------------------------- POST _nodes/reload_secure_settings { - "secure_settings_password":"s3cr3t" + "secure_settings_password":"keystore-password" } POST _nodes/nodeId1,nodeId2/reload_secure_settings { - "secure_settings_password":"s3cr3t" + "secure_settings_password":"keystore-password" } -------------------------------------------------- // TEST[setup:node] diff --git a/docs/reference/setup/secure-settings.asciidoc b/docs/reference/setup/secure-settings.asciidoc index a9eead0c0c9e..019208f42d00 100644 --- a/docs/reference/setup/secure-settings.asciidoc +++ b/docs/reference/setup/secure-settings.asciidoc @@ -35,7 +35,7 @@ using the `bin/elasticsearch-keystore add` command, call: ---- POST _nodes/reload_secure_settings { - "secure_settings_password": "s3cr3t" <1> + "secure_settings_password": "keystore-password" <1> } ---- // NOTCONSOLE diff --git a/gradle/fips.gradle b/gradle/fips.gradle index 384d38bc3926..c46a206e0145 100644 --- a/gradle/fips.gradle +++ b/gradle/fips.gradle @@ -1,5 +1,6 @@ import org.elasticsearch.gradle.ExportElasticsearchBuildResourcesTask import org.elasticsearch.gradle.info.BuildParams +import org.elasticsearch.gradle.testclusters.TestDistribution import org.elasticsearch.gradle.testclusters.ElasticsearchCluster // Common config when running with a FIPS-140 runtime JVM @@ -58,6 +59,7 @@ if (BuildParams.inFipsJvm) { } } testClusters.all { + setTestDistribution(TestDistribution.DEFAULT) extraConfigFile "fips_java.security", fipsSecurity extraConfigFile "fips_java.policy", fipsPolicy extraConfigFile "cacerts.bcfks", fipsTrustStore @@ -67,6 +69,10 @@ if (BuildParams.inFipsJvm) { systemProperty 'javax.net.ssl.trustStorePassword', 'password' systemProperty 'javax.net.ssl.keyStorePassword', 'password' systemProperty 'javax.net.ssl.keyStoreType', 'BCFKS' + systemProperty 'org.bouncycastle.fips.approved_only', 'true' + setting 'xpack.security.fips_mode.enabled', 'true' + setting 'xpack.license.self_generated.type', 'trial' + keystorePassword 'keystore-password' } } project.tasks.withType(Test).configureEach { Test task -> @@ -79,6 +85,7 @@ if (BuildParams.inFipsJvm) { task.systemProperty('java.security.properties', String.format(Locale.ROOT, "=%s", fipsSecurity)) task.systemProperty('java.security.policy', String.format(Locale.ROOT, "=%s", fipsPolicy)) task.systemProperty('javax.net.ssl.trustStore', fipsTrustStore) + task.systemProperty('org.bouncycastle.fips.approved_only', 'true') } } } diff --git a/libs/ssl-config/src/test/java/org/elasticsearch/common/ssl/SslConfigurationLoaderTests.java b/libs/ssl-config/src/test/java/org/elasticsearch/common/ssl/SslConfigurationLoaderTests.java index 20a161b78fd5..dfc7ffa93682 100644 --- a/libs/ssl-config/src/test/java/org/elasticsearch/common/ssl/SslConfigurationLoaderTests.java +++ b/libs/ssl-config/src/test/java/org/elasticsearch/common/ssl/SslConfigurationLoaderTests.java @@ -100,6 +100,7 @@ public class SslConfigurationLoaderTests extends ESTestCase { } public void testLoadTrustFromPkcs12() { + assumeFalse("Can't use JKS/PKCS12 keystores in a FIPS JVM", inFipsJvm()); final Settings.Builder builder = Settings.builder().put("test.ssl.truststore.path", "ca-all/ca.p12"); if (randomBoolean()) { builder.put("test.ssl.truststore.password", "p12-pass"); @@ -122,6 +123,7 @@ public class SslConfigurationLoaderTests extends ESTestCase { } public void testLoadTrustFromJKS() { + assumeFalse("Can't use JKS/PKCS12 keystores in a FIPS JVM", inFipsJvm()); final Settings.Builder builder = Settings.builder().put("test.ssl.truststore.path", "ca-all/ca.jks"); if (randomBoolean()) { builder.put("test.ssl.truststore.password", "jks-pass"); @@ -167,6 +169,7 @@ public class SslConfigurationLoaderTests extends ESTestCase { } public void testLoadKeysFromPKCS12() { + assumeFalse("Can't use JKS/PKCS12 keystores in a FIPS JVM", inFipsJvm()); final Settings.Builder builder = Settings.builder() .put("test.ssl.keystore.path", "cert-all/certs.p12"); if (randomBoolean()) { diff --git a/libs/ssl-config/src/test/java/org/elasticsearch/common/ssl/StoreTrustConfigTests.java b/libs/ssl-config/src/test/java/org/elasticsearch/common/ssl/StoreTrustConfigTests.java index 207bf9179415..2ed1016a22ba 100644 --- a/libs/ssl-config/src/test/java/org/elasticsearch/common/ssl/StoreTrustConfigTests.java +++ b/libs/ssl-config/src/test/java/org/elasticsearch/common/ssl/StoreTrustConfigTests.java @@ -78,6 +78,7 @@ public class StoreTrustConfigTests extends ESTestCase { } public void testIncorrectPasswordFailsWithMeaningfulMessage() throws Exception { + assumeFalse("Can't use JKS/PKCS12 keystores in a FIPS JVM", inFipsJvm()); final Path ks = getDataPath("/certs/ca1/ca.p12"); final StoreTrustConfig trustConfig = new StoreTrustConfig(ks, new char[0], "PKCS12", DEFAULT_ALGORITHM); assertThat(trustConfig.getDependentFiles(), Matchers.containsInAnyOrder(ks)); diff --git a/modules/geo/build.gradle b/modules/geo/build.gradle index 6842575365a2..8357f07a1978 100644 --- a/modules/geo/build.gradle +++ b/modules/geo/build.gradle @@ -18,6 +18,8 @@ */ apply plugin: 'elasticsearch.yaml-rest-test' +import org.elasticsearch.gradle.info.BuildParams + esplugin { description 'Placeholder plugin for geospatial features in ES. only registers geo_shape field mapper for now' classname 'org.elasticsearch.geo.GeoPlugin' @@ -32,3 +34,9 @@ artifacts { restTests(project.file('src/yamlRestTest/resources/rest-api-spec/test')) } tasks.named("test").configure { enabled = false } + +if (BuildParams.inFipsJvm){ + // The geo module is replaced by spatial in the default distribution and in FIPS 140 mode, we set the testclusters to + // use the default distribution, so there is no need to run these tests + tasks.named("yamlRestTest").configure{enabled = false } +} diff --git a/modules/lang-painless/src/yamlRestTest/resources/rest-api-spec/test/painless/71_context_api.yml b/modules/lang-painless/src/yamlRestTest/resources/rest-api-spec/test/painless/71_context_api.yml index 0413661fc586..a5ed09d0f27c 100644 --- a/modules/lang-painless/src/yamlRestTest/resources/rest-api-spec/test/painless/71_context_api.yml +++ b/modules/lang-painless/src/yamlRestTest/resources/rest-api-spec/test/painless/71_context_api.yml @@ -1,4 +1,7 @@ "Action to list contexts": + - skip: + features: fips_140 + reason: "The tests expect to be run with OSS distribution" - do: scripts_painless_context: {} - match: { contexts.0: aggregation_selector} @@ -6,6 +9,9 @@ --- "Action to get all API values for score context": + - skip: + features: fips_140 + reason: "The tests expect to be run with OSS distribution" - do: scripts_painless_context: context: score diff --git a/modules/transport-netty4/src/javaRestTest/java/org/elasticsearch/rest/Netty4HeadBodyIsEmptyIT.java b/modules/transport-netty4/src/javaRestTest/java/org/elasticsearch/rest/Netty4HeadBodyIsEmptyIT.java index 3f7f8d7739de..b91ab46f7533 100644 --- a/modules/transport-netty4/src/javaRestTest/java/org/elasticsearch/rest/Netty4HeadBodyIsEmptyIT.java +++ b/modules/transport-netty4/src/javaRestTest/java/org/elasticsearch/rest/Netty4HeadBodyIsEmptyIT.java @@ -139,6 +139,16 @@ public class Netty4HeadBodyIsEmptyIT extends ESRestTestCase { builder.endObject(); Request request = new Request("PUT", "/_template/template"); + if (inFipsJvm()) { + request.setOptions(expectWarnings( + "legacy template [template] has index patterns [*] matching patterns from existing composable templates " + + "[ilm-history,.triggered_watches,.watch-history-14,.slm-history,synthetics,metrics,.deprecation-indexing-template," + + ".watches,logs] with patterns (ilm-history => [ilm-history-5*],.triggered_watches => [.triggered_watches*]," + + ".watch-history-14 => [.watcher-history-14*],.slm-history => [.slm-history-5*],synthetics => [synthetics-*-*]" + + ",metrics => [metrics-*-*],.deprecation-indexing-template => [.logs-deprecation-elasticsearch]," + + ".watches => [.watches*],logs => [logs-*-*]); this template [template] may be ignored in favor " + + "of a composable template at index creation time")); + } request.setJsonEntity(Strings.toString(builder)); client().performRequest(request); headTestCase("/_template/template", emptyMap(), greaterThan(0)); diff --git a/plugins/discovery-ec2/qa/amazon-ec2/src/yamlRestTest/java/org/elasticsearch/discovery/ec2/AmazonEC2Fixture.java b/plugins/discovery-ec2/qa/amazon-ec2/src/yamlRestTest/java/org/elasticsearch/discovery/ec2/AmazonEC2Fixture.java index 1345b806226d..ab7e94413955 100644 --- a/plugins/discovery-ec2/qa/amazon-ec2/src/yamlRestTest/java/org/elasticsearch/discovery/ec2/AmazonEC2Fixture.java +++ b/plugins/discovery-ec2/qa/amazon-ec2/src/yamlRestTest/java/org/elasticsearch/discovery/ec2/AmazonEC2Fixture.java @@ -124,7 +124,7 @@ public class AmazonEC2Fixture extends AbstractHttpFixture { + "\"AccessKeyId\": \"" + "ec2_integration_test_access_key" + "\"," + "\"Expiration\": \"" + DateUtils.formatISO8601Date(expiration) + "\"," + "\"RoleArn\": \"" + "test" + "\"," - + "\"SecretAccessKey\": \"" + "test" + "\"," + + "\"SecretAccessKey\": \"" + "ec2_integration_test_secret_key" + "\"," + "\"Token\": \"" + "test" + "\"" + "}"; diff --git a/plugins/discovery-ec2/src/test/java/org/elasticsearch/discovery/ec2/AbstractEC2MockAPITestCase.java b/plugins/discovery-ec2/src/test/java/org/elasticsearch/discovery/ec2/AbstractEC2MockAPITestCase.java index 8f1e73f388f0..7f2aa858170d 100644 --- a/plugins/discovery-ec2/src/test/java/org/elasticsearch/discovery/ec2/AbstractEC2MockAPITestCase.java +++ b/plugins/discovery-ec2/src/test/java/org/elasticsearch/discovery/ec2/AbstractEC2MockAPITestCase.java @@ -75,7 +75,7 @@ public abstract class AbstractEC2MockAPITestCase extends ESTestCase { final String endpoint = "http://" + InetAddresses.toUriString(address.getAddress()) + ":" + address.getPort(); final MockSecureSettings mockSecure = new MockSecureSettings(); mockSecure.setString(Ec2ClientSettings.ACCESS_KEY_SETTING.getKey(), accessKey); - mockSecure.setString(Ec2ClientSettings.SECRET_KEY_SETTING.getKey(), "ec2_secret"); + mockSecure.setString(Ec2ClientSettings.SECRET_KEY_SETTING.getKey(), "ec2_secret_key"); return Settings.builder().put(Ec2ClientSettings.ENDPOINT_SETTING.getKey(), endpoint).setSecureSettings(mockSecure).build(); } diff --git a/plugins/discovery-ec2/src/test/java/org/elasticsearch/discovery/ec2/Ec2DiscoveryPluginTests.java b/plugins/discovery-ec2/src/test/java/org/elasticsearch/discovery/ec2/Ec2DiscoveryPluginTests.java index 2e53a5f61410..9d3141c4e657 100644 --- a/plugins/discovery-ec2/src/test/java/org/elasticsearch/discovery/ec2/Ec2DiscoveryPluginTests.java +++ b/plugins/discovery-ec2/src/test/java/org/elasticsearch/discovery/ec2/Ec2DiscoveryPluginTests.java @@ -110,7 +110,7 @@ public class Ec2DiscoveryPluginTests extends ESTestCase { public void testClientSettingsReInit() throws IOException { final MockSecureSettings mockSecure1 = new MockSecureSettings(); mockSecure1.setString(Ec2ClientSettings.ACCESS_KEY_SETTING.getKey(), "ec2_access_1"); - mockSecure1.setString(Ec2ClientSettings.SECRET_KEY_SETTING.getKey(), "ec2_secret_1"); + mockSecure1.setString(Ec2ClientSettings.SECRET_KEY_SETTING.getKey(), "ec2_secret_key_1"); final boolean mockSecure1HasSessionToken = randomBoolean(); if (mockSecure1HasSessionToken) { mockSecure1.setString(Ec2ClientSettings.SESSION_TOKEN_SETTING.getKey(), "ec2_session_token_1"); @@ -125,7 +125,7 @@ public class Ec2DiscoveryPluginTests extends ESTestCase { .build(); final MockSecureSettings mockSecure2 = new MockSecureSettings(); mockSecure2.setString(Ec2ClientSettings.ACCESS_KEY_SETTING.getKey(), "ec2_access_2"); - mockSecure2.setString(Ec2ClientSettings.SECRET_KEY_SETTING.getKey(), "ec2_secret_2"); + mockSecure2.setString(Ec2ClientSettings.SECRET_KEY_SETTING.getKey(), "ec2_secret_key_2"); final boolean mockSecure2HasSessionToken = randomBoolean(); if (mockSecure2HasSessionToken) { mockSecure2.setString(Ec2ClientSettings.SESSION_TOKEN_SETTING.getKey(), "ec2_session_token_2"); @@ -143,7 +143,7 @@ public class Ec2DiscoveryPluginTests extends ESTestCase { { final AWSCredentials credentials = ((AmazonEC2Mock) clientReference.client()).credentials.getCredentials(); assertThat(credentials.getAWSAccessKeyId(), is("ec2_access_1")); - assertThat(credentials.getAWSSecretKey(), is("ec2_secret_1")); + assertThat(credentials.getAWSSecretKey(), is("ec2_secret_key_1")); if (mockSecure1HasSessionToken) { assertThat(credentials, instanceOf(BasicSessionCredentials.class)); assertThat(((BasicSessionCredentials)credentials).getSessionToken(), is("ec2_session_token_1")); @@ -177,7 +177,7 @@ public class Ec2DiscoveryPluginTests extends ESTestCase { try (AmazonEc2Reference clientReference = plugin.ec2Service.client()) { final AWSCredentials credentials = ((AmazonEC2Mock) clientReference.client()).credentials.getCredentials(); assertThat(credentials.getAWSAccessKeyId(), is("ec2_access_2")); - assertThat(credentials.getAWSSecretKey(), is("ec2_secret_2")); + assertThat(credentials.getAWSSecretKey(), is("ec2_secret_key_2")); if (mockSecure2HasSessionToken) { assertThat(credentials, instanceOf(BasicSessionCredentials.class)); assertThat(((BasicSessionCredentials)credentials).getSessionToken(), is("ec2_session_token_2")); diff --git a/plugins/examples/build.gradle b/plugins/examples/build.gradle index 9c0a2bcde147..5b5a81271549 100644 --- a/plugins/examples/build.gradle +++ b/plugins/examples/build.gradle @@ -6,7 +6,6 @@ gradle.projectsEvaluated { project.tasks.matching { it.name.equals('assemble') }.configureEach { enabled = false } - // Disable example project testing with FIPS JVM tasks.withType(Test) { onlyIf { diff --git a/plugins/repository-azure/src/internalClusterTest/java/org/elasticsearch/repositories/azure/AzureBlobStoreRepositoryTests.java b/plugins/repository-azure/src/internalClusterTest/java/org/elasticsearch/repositories/azure/AzureBlobStoreRepositoryTests.java index a67ed0c03a50..47d0952eb4c7 100644 --- a/plugins/repository-azure/src/internalClusterTest/java/org/elasticsearch/repositories/azure/AzureBlobStoreRepositoryTests.java +++ b/plugins/repository-azure/src/internalClusterTest/java/org/elasticsearch/repositories/azure/AzureBlobStoreRepositoryTests.java @@ -84,7 +84,7 @@ public class AzureBlobStoreRepositoryTests extends ESMockAPIBasedRepositoryInteg @Override protected Settings nodeSettings(int nodeOrdinal) { - final String key = Base64.getEncoder().encodeToString(randomAlphaOfLength(10).getBytes(StandardCharsets.UTF_8)); + final String key = Base64.getEncoder().encodeToString(randomAlphaOfLength(14).getBytes(StandardCharsets.UTF_8)); final MockSecureSettings secureSettings = new MockSecureSettings(); String accountName = DEFAULT_ACCOUNT_NAME; secureSettings.setString(AzureStorageSettings.ACCOUNT_SETTING.getConcreteSettingForNamespace("test").getKey(), accountName); diff --git a/plugins/repository-azure/src/test/java/org/elasticsearch/repositories/azure/AzureBlobContainerRetriesTests.java b/plugins/repository-azure/src/test/java/org/elasticsearch/repositories/azure/AzureBlobContainerRetriesTests.java index dac2d16b3ea7..ace0fc40424b 100644 --- a/plugins/repository-azure/src/test/java/org/elasticsearch/repositories/azure/AzureBlobContainerRetriesTests.java +++ b/plugins/repository-azure/src/test/java/org/elasticsearch/repositories/azure/AzureBlobContainerRetriesTests.java @@ -144,7 +144,7 @@ public class AzureBlobContainerRetriesTests extends ESTestCase { final MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString(ACCOUNT_SETTING.getConcreteSettingForNamespace(clientName).getKey(), "account"); - final String key = Base64.getEncoder().encodeToString(randomAlphaOfLength(10).getBytes(UTF_8)); + final String key = Base64.getEncoder().encodeToString(randomAlphaOfLength(14).getBytes(UTF_8)); secureSettings.setString(KEY_SETTING.getConcreteSettingForNamespace(clientName).getKey(), key); clientSettings.setSecureSettings(secureSettings); diff --git a/plugins/repository-gcs/build.gradle b/plugins/repository-gcs/build.gradle index 5ec1ea519a6d..3436f5af7aa3 100644 --- a/plugins/repository-gcs/build.gradle +++ b/plugins/repository-gcs/build.gradle @@ -236,7 +236,7 @@ def encodedCredentials = { tasks.register("createServiceAccountFile") { doLast { KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA") - keyPairGenerator.initialize(1024) + keyPairGenerator.initialize(2048) KeyPair keyPair = keyPairGenerator.generateKeyPair() String encodedKey = Base64.getEncoder().encodeToString(keyPair.private.getEncoded()) @@ -333,4 +333,4 @@ def gcsThirdPartyTest = tasks.register("gcsThirdPartyTest", Test) { tasks.named("check").configure { dependsOn(largeBlobYamlRestTest, gcsThirdPartyTest) -} \ No newline at end of file +} diff --git a/plugins/repository-gcs/src/test/java/org/elasticsearch/repositories/gcs/GoogleCloudStorageServiceTests.java b/plugins/repository-gcs/src/test/java/org/elasticsearch/repositories/gcs/GoogleCloudStorageServiceTests.java index 1043a8c0b5e8..bcd25df6fece 100644 --- a/plugins/repository-gcs/src/test/java/org/elasticsearch/repositories/gcs/GoogleCloudStorageServiceTests.java +++ b/plugins/repository-gcs/src/test/java/org/elasticsearch/repositories/gcs/GoogleCloudStorageServiceTests.java @@ -143,7 +143,7 @@ public class GoogleCloudStorageServiceTests extends ESTestCase { private byte[] serviceAccountFileContent(String projectId) throws Exception { final KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA"); - keyPairGenerator.initialize(1024); + keyPairGenerator.initialize(2048); final KeyPair keyPair = keyPairGenerator.generateKeyPair(); final String encodedKey = Base64.getEncoder().encodeToString(keyPair.getPrivate().getEncoded()); final XContentBuilder serviceAccountBuilder = jsonBuilder().startObject() diff --git a/plugins/repository-gcs/src/test/java/org/elasticsearch/repositories/gcs/TestUtils.java b/plugins/repository-gcs/src/test/java/org/elasticsearch/repositories/gcs/TestUtils.java index 993e55e93d12..c60ea3066a03 100644 --- a/plugins/repository-gcs/src/test/java/org/elasticsearch/repositories/gcs/TestUtils.java +++ b/plugins/repository-gcs/src/test/java/org/elasticsearch/repositories/gcs/TestUtils.java @@ -37,7 +37,7 @@ final class TestUtils { static byte[] createServiceAccount(final Random random) { try { final KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA"); - keyPairGenerator.initialize(1024); + keyPairGenerator.initialize(2048); final String privateKey = Base64.getEncoder().encodeToString(keyPairGenerator.generateKeyPair().getPrivate().getEncoded()); final ByteArrayOutputStream out = new ByteArrayOutputStream(); diff --git a/plugins/repository-s3/build.gradle b/plugins/repository-s3/build.gradle index ad2d0abb1a48..02da20c7f119 100644 --- a/plugins/repository-s3/build.gradle +++ b/plugins/repository-s3/build.gradle @@ -124,8 +124,8 @@ boolean s3DisableChunkedEncoding = (new Random(Long.parseUnsignedLong(BuildParam // credentials hard-coded in. if (!s3PermanentAccessKey && !s3PermanentSecretKey && !s3PermanentBucket && !s3PermanentBasePath) { - s3PermanentAccessKey = 'access_key' - s3PermanentSecretKey = 'secret_key' + s3PermanentAccessKey = 's3_test_access_key' + s3PermanentSecretKey = 's3_test_secret_key' s3PermanentBucket = 'bucket' s3PermanentBasePath = 'base_path' diff --git a/plugins/repository-s3/src/internalClusterTest/java/org/elasticsearch/repositories/s3/S3BlobStoreRepositoryTests.java b/plugins/repository-s3/src/internalClusterTest/java/org/elasticsearch/repositories/s3/S3BlobStoreRepositoryTests.java index 947971edccb7..6dcef8ddf554 100644 --- a/plugins/repository-s3/src/internalClusterTest/java/org/elasticsearch/repositories/s3/S3BlobStoreRepositoryTests.java +++ b/plugins/repository-s3/src/internalClusterTest/java/org/elasticsearch/repositories/s3/S3BlobStoreRepositoryTests.java @@ -122,8 +122,8 @@ public class S3BlobStoreRepositoryTests extends ESMockAPIBasedRepositoryIntegTes @Override protected Settings nodeSettings(int nodeOrdinal) { final MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString(S3ClientSettings.ACCESS_KEY_SETTING.getConcreteSettingForNamespace("test").getKey(), "access"); - secureSettings.setString(S3ClientSettings.SECRET_KEY_SETTING.getConcreteSettingForNamespace("test").getKey(), "secret"); + secureSettings.setString(S3ClientSettings.ACCESS_KEY_SETTING.getConcreteSettingForNamespace("test").getKey(), "test_access_key"); + secureSettings.setString(S3ClientSettings.SECRET_KEY_SETTING.getConcreteSettingForNamespace("test").getKey(), "test_secret_key"); final Settings.Builder builder = Settings.builder() .put(ThreadPool.ESTIMATED_TIME_INTERVAL_SETTING.getKey(), 0) // We have tests that verify an exact wait time diff --git a/plugins/repository-s3/src/test/java/org/elasticsearch/repositories/s3/S3BlobContainerRetriesTests.java b/plugins/repository-s3/src/test/java/org/elasticsearch/repositories/s3/S3BlobContainerRetriesTests.java index 0cffa85a7f29..c586b3d8d5d1 100644 --- a/plugins/repository-s3/src/test/java/org/elasticsearch/repositories/s3/S3BlobContainerRetriesTests.java +++ b/plugins/repository-s3/src/test/java/org/elasticsearch/repositories/s3/S3BlobContainerRetriesTests.java @@ -122,8 +122,10 @@ public class S3BlobContainerRetriesTests extends AbstractBlobContainerRetriesTes } final MockSecureSettings secureSettings = new MockSecureSettings(); - secureSettings.setString(S3ClientSettings.ACCESS_KEY_SETTING.getConcreteSettingForNamespace(clientName).getKey(), "access"); - secureSettings.setString(S3ClientSettings.SECRET_KEY_SETTING.getConcreteSettingForNamespace(clientName).getKey(), "secret"); + secureSettings.setString(S3ClientSettings.ACCESS_KEY_SETTING.getConcreteSettingForNamespace(clientName).getKey(), + "test_access_key"); + secureSettings.setString(S3ClientSettings.SECRET_KEY_SETTING.getConcreteSettingForNamespace(clientName).getKey(), + "test_secret_key"); clientSettings.setSecureSettings(secureSettings); service.refreshAndClearCache(S3ClientSettings.load(clientSettings.build())); diff --git a/qa/os/src/test/java/org/elasticsearch/packaging/test/KeystoreManagementTests.java b/qa/os/src/test/java/org/elasticsearch/packaging/test/KeystoreManagementTests.java index cf6d63ced7f9..4e73dac1deb4 100644 --- a/qa/os/src/test/java/org/elasticsearch/packaging/test/KeystoreManagementTests.java +++ b/qa/os/src/test/java/org/elasticsearch/packaging/test/KeystoreManagementTests.java @@ -304,7 +304,7 @@ public class KeystoreManagementTests extends PackagingTestCase { */ public void test60DockerEnvironmentVariablePassword() throws Exception { assumeTrue(distribution().isDocker()); - String password = "password"; + String password = "keystore-password"; Path dockerKeystore = installation.config("elasticsearch.keystore"); Path localKeystoreFile = getKeystoreFileFromDockerContainer(password, dockerKeystore); @@ -328,7 +328,7 @@ public class KeystoreManagementTests extends PackagingTestCase { try { tempDir = createTempDir(DockerTests.class.getSimpleName()); - String password = "password"; + String password = "keystore-password"; String passwordFilename = "password.txt"; Files.write(tempDir.resolve(passwordFilename), singletonList(password)); Files.setPosixFilePermissions(tempDir.resolve(passwordFilename), p600); @@ -362,7 +362,7 @@ public class KeystoreManagementTests extends PackagingTestCase { */ public void test62DockerEnvironmentVariableBadPassword() throws Exception { assumeTrue(distribution().isDocker()); - String password = "password"; + String password = "keystore-password"; Path dockerKeystore = installation.config("elasticsearch.keystore"); Path localKeystoreFile = getKeystoreFileFromDockerContainer(password, dockerKeystore); diff --git a/qa/remote-clusters/build.gradle b/qa/remote-clusters/build.gradle index 010879b79ac6..81a563baf6a9 100644 --- a/qa/remote-clusters/build.gradle +++ b/qa/remote-clusters/build.gradle @@ -31,13 +31,17 @@ dependencies { testImplementation project(':client:rest-high-level') } -tasks.register("copyKeystore", Sync) { +tasks.register("copyNodeKeyMaterial", Sync) { from project(':x-pack:plugin:core') - .file('src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks') + .files( + 'src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem', + 'src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt' + ) into "${buildDir}/certs" doLast { file("${buildDir}/certs").setReadable(true, false) - file("${buildDir}/certs/testnode.jks").setReadable(true, false) + file("${buildDir}/certs/testnode.pem").setReadable(true, false) + file("${buildDir}/certs/testnode.crt").setReadable(true, false) } } @@ -52,7 +56,7 @@ elasticsearch_distributions { } tasks.named("preProcessFixture").configure { - dependsOn "copyKeystore", elasticsearch_distributions.docker + dependsOn "copyNodeKeyMaterial", elasticsearch_distributions.docker doLast { // tests expect to have an empty repo project.delete( @@ -89,7 +93,10 @@ def createAndSetWritable(Object... locations) { tasks.named("processTestResources").configure { from project(':x-pack:plugin:core') - .file('src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks') + .files( + 'src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem', + 'src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt' + ) } tasks.register("integTest", Test) { diff --git a/qa/remote-clusters/docker-compose.yml b/qa/remote-clusters/docker-compose.yml index 51bf9c8d050b..debf863c5806 100644 --- a/qa/remote-clusters/docker-compose.yml +++ b/qa/remote-clusters/docker-compose.yml @@ -23,14 +23,17 @@ services: - xpack.security.audit.enabled=true - xpack.security.authc.realms.file.file1.order=0 - xpack.security.authc.realms.native.native1.order=1 - - xpack.security.transport.ssl.keystore.path=/usr/share/elasticsearch/config/testnode.jks - - xpack.security.http.ssl.keystore.path=/usr/share/elasticsearch/config/testnode.jks + - xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/testnode.pem + - xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/testnode.crt + - xpack.security.http.ssl.key=/usr/share/elasticsearch/config/testnode.pem + - xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/testnode.crt - xpack.http.ssl.verification_mode=certificate - xpack.security.transport.ssl.verification_mode=certificate - xpack.license.self_generated.type=trial volumes: - ./build/repo:/tmp/es-repo - - ./build/certs/testnode.jks:/usr/share/elasticsearch/config/testnode.jks + - ./build/certs/testnode.pem:/usr/share/elasticsearch/config/testnode.pem + - ./build/certs/testnode.crt:/usr/share/elasticsearch/config/testnode.crt - ./build/logs/default-1:/usr/share/elasticsearch/logs - ./docker-test-entrypoint.sh:/docker-test-entrypoint.sh ports: @@ -72,14 +75,17 @@ services: - xpack.security.audit.enabled=true - xpack.security.authc.realms.file.file1.order=0 - xpack.security.authc.realms.native.native1.order=1 - - xpack.security.transport.ssl.keystore.path=/usr/share/elasticsearch/config/testnode.jks - - xpack.security.http.ssl.keystore.path=/usr/share/elasticsearch/config/testnode.jks + - xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/testnode.pem + - xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/testnode.crt + - xpack.security.http.ssl.key=/usr/share/elasticsearch/config/testnode.pem + - xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/testnode.crt - xpack.http.ssl.verification_mode=certificate - xpack.security.transport.ssl.verification_mode=certificate - xpack.license.self_generated.type=trial volumes: - ./build/repo:/tmp/es-repo - - ./build/certs/testnode.jks:/usr/share/elasticsearch/config/testnode.jks + - ./build/certs/testnode.pem:/usr/share/elasticsearch/config/testnode.pem + - ./build/certs/testnode.crt:/usr/share/elasticsearch/config/testnode.crt - ./build/logs/default-2:/usr/share/elasticsearch/logs - ./docker-test-entrypoint.sh:/docker-test-entrypoint.sh ports: diff --git a/qa/remote-clusters/docker-test-entrypoint.sh b/qa/remote-clusters/docker-test-entrypoint.sh index 1dca4b6a35e7..32d6e992892d 100755 --- a/qa/remote-clusters/docker-test-entrypoint.sh +++ b/qa/remote-clusters/docker-test-entrypoint.sh @@ -2,6 +2,6 @@ cd /usr/share/elasticsearch/bin/ ./elasticsearch-users useradd x_pack_rest_user -p x-pack-test-password -r superuser || true echo "testnode" > /tmp/password -cat /tmp/password | ./elasticsearch-keystore add -x -f -v 'xpack.security.transport.ssl.keystore.secure_password' -cat /tmp/password | ./elasticsearch-keystore add -x -f -v 'xpack.security.http.ssl.keystore.secure_password' -/usr/local/bin/docker-entrypoint.sh | tee > /usr/share/elasticsearch/logs/console.log +cat /tmp/password | ./elasticsearch-keystore add -x -f -v 'xpack.security.transport.ssl.secure_key_passphrase' +cat /tmp/password | ./elasticsearch-keystore add -x -f -v 'xpack.security.http.ssl.secure_key_passphrase' +/usr/local/bin/docker-entrypoint.sh | tee /usr/share/elasticsearch/logs/console.log diff --git a/qa/remote-clusters/src/test/java/org/elasticsearch/cluster/remote/test/AbstractMultiClusterRemoteTestCase.java b/qa/remote-clusters/src/test/java/org/elasticsearch/cluster/remote/test/AbstractMultiClusterRemoteTestCase.java index 65ae26bcd4d1..cdf6cdcc2ed1 100644 --- a/qa/remote-clusters/src/test/java/org/elasticsearch/cluster/remote/test/AbstractMultiClusterRemoteTestCase.java +++ b/qa/remote-clusters/src/test/java/org/elasticsearch/cluster/remote/test/AbstractMultiClusterRemoteTestCase.java @@ -48,7 +48,6 @@ public abstract class AbstractMultiClusterRemoteTestCase extends ESRestTestCase private static final String USER = "x_pack_rest_user"; private static final String PASS = "x-pack-test-password"; - private static final String KEYSTORE_PASS = "testnode"; @Override protected boolean preserveClusterUponCompletion() { @@ -123,23 +122,23 @@ public abstract class AbstractMultiClusterRemoteTestCase extends ESRestTestCase return getDistribution().equals("oss"); } - static Path keyStore; + static Path trustedCertFile; @BeforeClass - public static void getKeyStore() { + public static void getTrustedCert() { try { - keyStore = PathUtils.get(AbstractMultiClusterRemoteTestCase.class.getResource("/testnode.jks").toURI()); + trustedCertFile = PathUtils.get(AbstractMultiClusterRemoteTestCase.class.getResource("/testnode.crt").toURI()); } catch (URISyntaxException e) { - throw new ElasticsearchException("exception while reading the store", e); + throw new ElasticsearchException("exception while reading the certificate file", e); } - if (Files.exists(keyStore) == false) { - throw new IllegalStateException("Keystore file [" + keyStore + "] does not exist."); + if (Files.exists(trustedCertFile) == false) { + throw new IllegalStateException("Certificate file [" + trustedCertFile + "] does not exist."); } } @AfterClass - public static void clearKeyStore() { - keyStore = null; + public static void clearTrustedCert() { + trustedCertFile = null; } @Override @@ -150,8 +149,7 @@ public abstract class AbstractMultiClusterRemoteTestCase extends ESRestTestCase String token = basicAuthHeaderValue(USER, new SecureString(PASS.toCharArray())); return Settings.builder() .put(ThreadContext.PREFIX + ".Authorization", token) - .put(ESRestTestCase.TRUSTSTORE_PATH, keyStore) - .put(ESRestTestCase.TRUSTSTORE_PASSWORD, KEYSTORE_PASS) + .put(ESRestTestCase.CERTIFICATE_AUTHORITIES, trustedCertFile) .build(); } diff --git a/rest-api-spec/src/main/resources/rest-api-spec/test/nodes.reload_secure_settings/10_basic.yml b/rest-api-spec/src/main/resources/rest-api-spec/test/nodes.reload_secure_settings/10_basic.yml index 0866c71b87e1..e96df35d5714 100644 --- a/rest-api-spec/src/main/resources/rest-api-spec/test/nodes.reload_secure_settings/10_basic.yml +++ b/rest-api-spec/src/main/resources/rest-api-spec/test/nodes.reload_secure_settings/10_basic.yml @@ -24,7 +24,9 @@ setup: --- "node_reload_secure_settings test correct(empty) password": - + - skip: + features: fips_140 + reason: "In FIPS 140 mode, we use a password protected elasticsearch keystore" - do: nodes.reload_secure_settings: {} diff --git a/server/src/internalClusterTest/java/org/elasticsearch/action/admin/ReloadSecureSettingsIT.java b/server/src/internalClusterTest/java/org/elasticsearch/action/admin/ReloadSecureSettingsIT.java index 8366bd15e118..97ad55ff4b35 100644 --- a/server/src/internalClusterTest/java/org/elasticsearch/action/admin/ReloadSecureSettingsIT.java +++ b/server/src/internalClusterTest/java/org/elasticsearch/action/admin/ReloadSecureSettingsIT.java @@ -33,6 +33,7 @@ import org.elasticsearch.plugins.PluginsService; import org.elasticsearch.plugins.ReloadablePlugin; import org.elasticsearch.test.ESIntegTestCase; import org.elasticsearch.transport.RemoteTransportException; +import org.junit.BeforeClass; import java.io.InputStream; import java.nio.file.Files; @@ -55,6 +56,13 @@ import static org.hamcrest.Matchers.nullValue; @ESIntegTestCase.ClusterScope(minNumDataNodes = 2) public class ReloadSecureSettingsIT extends ESIntegTestCase { + @BeforeClass + public static void disableInFips() { + // Reload secure settings with a password protected keystore is tested in ReloadSecureSettingsWithPasswordProtectedKeystoreRestIT + assumeFalse("Cannot run in FIPS mode since the keystore will be password protected and sending a password in the reload" + + "settings api call, require TLS to be configured for the transport layer", inFipsJvm()); + } + public void testMissingKeystoreFile() throws Exception { final PluginsService pluginsService = internalCluster().getInstance(PluginsService.class); final MockReloadablePlugin mockReloadablePlugin = pluginsService.filterPlugins(MockReloadablePlugin.class) diff --git a/test/fixtures/krb5kdc-fixture/src/main/resources/provision/kdc.conf.template b/test/fixtures/krb5kdc-fixture/src/main/resources/provision/kdc.conf.template index 22909ddf6001..2e65eacf6958 100644 --- a/test/fixtures/krb5kdc-fixture/src/main/resources/provision/kdc.conf.template +++ b/test/fixtures/krb5kdc-fixture/src/main/resources/provision/kdc.conf.template @@ -24,9 +24,9 @@ kadmind_port = 749 max_life = 12h 0m 0s max_renewable_life = 7d 0h 0m 0s - master_key_type = aes256-cts - # remove aes256-cts:normal since unlimited strength policy needs installed for java to use it. - supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal + master_key_type = des3-cbc-sha1-kd + # This is the only supported enctype for fips 140-2 + supported_enctypes = des3-cbc-sha1-kd:normal } [logging] diff --git a/test/fixtures/krb5kdc-fixture/src/main/resources/provision/krb5.conf.template b/test/fixtures/krb5kdc-fixture/src/main/resources/provision/krb5.conf.template index e09c8fc1ab72..e3f3974df70a 100644 --- a/test/fixtures/krb5kdc-fixture/src/main/resources/provision/krb5.conf.template +++ b/test/fixtures/krb5kdc-fixture/src/main/resources/provision/krb5.conf.template @@ -24,12 +24,14 @@ forwardable = true ignore_acceptor_hostname = true rdns = false - default_tgs_enctypes = rc4-hmac - default_tkt_enctypes = rc4-hmac - permitted_enctypes = rc4-hmac + # des3-cbc-sha1-kd is the only enctype available in fips 140-2 + default_tgs_enctypes = des3-cbc-sha1-kd + default_tkt_enctypes = des3-cbc-sha1-kd + permitted_enctypes = des3-cbc-sha1-kd # udp_preference_limit = 1 kdc_timeout = 3000 canonicalize = true + allow_weak_enctypes = false [realms] ${REALM_NAME} = { diff --git a/test/fixtures/minio-fixture/docker-compose.yml b/test/fixtures/minio-fixture/docker-compose.yml index 7b66f04152b4..c4291a2e73ba 100644 --- a/test/fixtures/minio-fixture/docker-compose.yml +++ b/test/fixtures/minio-fixture/docker-compose.yml @@ -5,8 +5,8 @@ services: context: . args: bucket: "bucket" - accessKey: "access_key" - secretKey: "secret_key" + accessKey: "s3_test_access_key" + secretKey: "s3_test_secret_key" dockerfile: Dockerfile ports: - "9000" @@ -16,8 +16,8 @@ services: context: . args: bucket: "bucket" - accessKey: "access_key" - secretKey: "secret_key" + accessKey: "s3_test_access_key" + secretKey: "s3_test_secret_key" dockerfile: Dockerfile ports: - "9000" diff --git a/test/fixtures/s3-fixture/docker-compose.yml b/test/fixtures/s3-fixture/docker-compose.yml index 22d101f41c31..5eedb4862b23 100644 --- a/test/fixtures/s3-fixture/docker-compose.yml +++ b/test/fixtures/s3-fixture/docker-compose.yml @@ -8,7 +8,7 @@ services: port: 80 bucket: "bucket" basePath: "base_path_integration_tests" - accessKey: "access_key" + accessKey: "s3_test_access_key" dockerfile: Dockerfile volumes: - ./testfixtures_shared/shared:/fixture/shared @@ -23,7 +23,7 @@ services: port: 80 bucket: "bucket" basePath: "base_path" - accessKey: "access_key" + accessKey: "s3_test_access_key" dockerfile: Dockerfile volumes: - ./testfixtures_shared/shared:/fixture/shared @@ -38,7 +38,7 @@ services: port: 80 bucket: "bucket" basePath: "base_path" - accessKey: "access_key" + accessKey: "s3_test_access_key" dockerfile: Dockerfile volumes: - ./testfixtures_shared/shared:/fixture/shared diff --git a/test/fixtures/s3-fixture/src/main/java/fixture/s3/S3HttpFixtureWithEC2.java b/test/fixtures/s3-fixture/src/main/java/fixture/s3/S3HttpFixtureWithEC2.java index 796b53fa5aea..7f94af066ae7 100644 --- a/test/fixtures/s3-fixture/src/main/java/fixture/s3/S3HttpFixtureWithEC2.java +++ b/test/fixtures/s3-fixture/src/main/java/fixture/s3/S3HttpFixtureWithEC2.java @@ -79,7 +79,7 @@ public class S3HttpFixtureWithEC2 extends S3HttpFixtureWithSessionToken { + "\"AccessKeyId\": \"" + ec2AccessKey + "\"," + "\"Expiration\": \"" + ZonedDateTime.now().plusDays(1L).format(DateTimeFormatter.ISO_DATE_TIME) + "\"," + "\"RoleArn\": \"arn\"," - + "\"SecretAccessKey\": \"secret\"," + + "\"SecretAccessKey\": \"secret_access_key\"," + "\"Token\": \"" + ec2SessionToken + "\"" + "}"; } diff --git a/x-pack/docs/build.gradle b/x-pack/docs/build.gradle index 26b089c56628..cc379f312708 100644 --- a/x-pack/docs/build.gradle +++ b/x-pack/docs/build.gradle @@ -706,7 +706,7 @@ tasks.named("buildRestTests").configure { buildRestTests -> username: "jacknich" body: > { - "password" : "test-password", + "password" : "l0ng-r4nd0m-p@ssw0rd", "roles" : [ "admin", "other_role1" ], "full_name" : "Jack Nicholson", "email" : "jacknich@example.com", diff --git a/x-pack/docs/en/rest-api/security/change-password.asciidoc b/x-pack/docs/en/rest-api/security/change-password.asciidoc index 05644b872474..bb2e9bf449ec 100644 --- a/x-pack/docs/en/rest-api/security/change-password.asciidoc +++ b/x-pack/docs/en/rest-api/security/change-password.asciidoc @@ -24,11 +24,11 @@ privilege can change passwords of other users. [[security-api-change-password-desc]] ==== {api-description-title} -You can use the <> to update everything +You can use the <> to update everything but a user's `username` and `password`. This API changes a user's password. -For more information about the native realm, see -<> and <>. +For more information about the native realm, see +<> and <>. [[security-api-change-password-path-params]] @@ -55,7 +55,7 @@ The following example updates the password for the `jacknich` user: -------------------------------------------------- POST /_security/user/jacknich/_password { - "password" : "s3cr3t" + "password" : "new-test-password" } -------------------------------------------------- // TEST[setup:jacknich_user] diff --git a/x-pack/docs/en/rest-api/security/create-users.asciidoc b/x-pack/docs/en/rest-api/security/create-users.asciidoc index 781ba82dc5b6..c74e45f787ab 100644 --- a/x-pack/docs/en/rest-api/security/create-users.asciidoc +++ b/x-pack/docs/en/rest-api/security/create-users.asciidoc @@ -112,7 +112,7 @@ The following example creates a user `jacknich`: -------------------------------------------------- POST /_security/user/jacknich { - "password" : "j@rV1s", + "password" : "l0ng-r4nd0m-p@ssw0rd", "roles" : [ "admin", "other_role1" ], "full_name" : "Jack Nicholson", "email" : "jacknich@example.com", @@ -138,6 +138,6 @@ After you add a user, requests from that user can be authenticated. For example: [source,shell] -------------------------------------------------- -curl -u jacknich:j@rV1s http://localhost:9200/_cluster/health +curl -u jacknich:l0ng-r4nd0m-p@ssw0rd http://localhost:9200/_cluster/health -------------------------------------------------- // NOTCONSOLE diff --git a/x-pack/docs/en/security/ccs-clients-integrations/cross-cluster.asciidoc b/x-pack/docs/en/security/ccs-clients-integrations/cross-cluster.asciidoc index b18142176e46..8606831a36cd 100644 --- a/x-pack/docs/en/security/ccs-clients-integrations/cross-cluster.asciidoc +++ b/x-pack/docs/en/security/ccs-clients-integrations/cross-cluster.asciidoc @@ -131,7 +131,7 @@ Finally, create a user on cluster `one` and apply the `cluster_two_logs` role: ----------------------------------------------------------- POST /_security/user/alice { - "password" : "somepassword", + "password" : "somepasswordhere", "roles" : [ "cluster_two_logs" ], "full_name" : "Alice", "email" : "alice@example.com", diff --git a/x-pack/plugin/async-search/qa/rest/build.gradle b/x-pack/plugin/async-search/qa/rest/build.gradle index 5aa480c0e1b4..860a0cf05e1f 100644 --- a/x-pack/plugin/async-search/qa/rest/build.gradle +++ b/x-pack/plugin/async-search/qa/rest/build.gradle @@ -1,3 +1,5 @@ +import org.elasticsearch.gradle.info.BuildParams + apply plugin: 'elasticsearch.esplugin' apply plugin: 'elasticsearch.yaml-rest-test' @@ -20,3 +22,8 @@ testClusters.all { } tasks.named("test").configure { enabled = false } + +if (BuildParams.inFipsJvm){ + // Test clusters run with security disabled + tasks.named("yamlRestTest").configure{enabled = false } +} diff --git a/x-pack/plugin/ccr/qa/build.gradle b/x-pack/plugin/ccr/qa/build.gradle index 72cd4bba9116..dbb83e1b61f4 100644 --- a/x-pack/plugin/ccr/qa/build.gradle +++ b/x-pack/plugin/ccr/qa/build.gradle @@ -1,6 +1,17 @@ +import org.elasticsearch.gradle.info.BuildParams + apply plugin: 'elasticsearch.build' tasks.named("test").configure { enabled = false } dependencies { api project(':test:framework') } +gradle.projectsEvaluated { + subprojects { + tasks.withType(Test).configureEach { + // These fail in CI but only when run as part of checkPart2 and not individually. + // Tracked in : https://github.com/elastic/elasticsearch/issues/66661 + onlyIf { BuildParams.inFipsJvm == false} + } + } +} diff --git a/x-pack/plugin/ccr/qa/downgrade-to-basic-license/build.gradle b/x-pack/plugin/ccr/qa/downgrade-to-basic-license/build.gradle index 72499e0ae86c..77f7fc0e585d 100644 --- a/x-pack/plugin/ccr/qa/downgrade-to-basic-license/build.gradle +++ b/x-pack/plugin/ccr/qa/downgrade-to-basic-license/build.gradle @@ -25,46 +25,20 @@ tasks.register("writeJavaPolicy") { if (policyFile.parentFile.exists() == false && policyFile.parentFile.mkdirs() == false) { throw new GradleException("failed to create temporary directory [${tmp}]") } - if (BuildParams.inFipsJvm) { - policyFile.write( - [ - "grant {", - "permission java.security.SecurityPermission \"putProviderProperty.BCFIPS\";", - "permission java.security.SecurityPermission \"putProviderProperty.BCJSSE\";", - "permission java.lang.RuntimePermission \"getProtectionDomain\";", - "permission java.util.PropertyPermission \"java.runtime.name\", \"read\";", - "permission org.bouncycastle.crypto.CryptoServicesPermission \"tlsAlgorithmsEnabled\";", - "permission java.lang.RuntimePermission \"accessClassInPackage.sun.security.internal.spec\";", - "permission java.lang.RuntimePermission \"accessDeclaredMembers\";", - "permission java.util.PropertyPermission \"intellij.debug.agent\", \"read\";", - "permission java.util.PropertyPermission \"intellij.debug.agent\", \"write\";", - "permission org.bouncycastle.crypto.CryptoServicesPermission \"exportSecretKey\";", - "permission org.bouncycastle.crypto.CryptoServicesPermission \"exportPrivateKey\";", - "permission java.io.FilePermission \"\${javax.net.ssl.trustStore}\", \"read\";", - "permission java.io.FilePermission \"${-> testClusters."follow-cluster".getFirstNode().getServerLog()}\", \"read\";", - "};" - ].join("\n") - ) - } else { - policyFile.write( - [ - "grant {", - " permission java.io.FilePermission \"${-> testClusters."follow-cluster".getFirstNode().getServerLog()}\", \"read\";", - "};" - ].join("\n") - ) - } + policyFile.write( + [ + "grant {", + " permission java.io.FilePermission \"${-> testClusters."follow-cluster".getFirstNode().getServerLog()}\", \"read\";", + "};" + ].join("\n") + ) } } task "follow-cluster"(type: RestIntegTestTask) { dependsOn 'writeJavaPolicy', "leader-cluster" useCluster testClusters."leader-cluster" - if (BuildParams.inFipsJvm){ - systemProperty 'java.security.policy', "=file://${policyFile}" - } else { - systemProperty 'java.security.policy', "file://${policyFile}" - } + systemProperty 'java.security.policy', "file://${policyFile}" systemProperty 'tests.target_cluster', 'follow' nonInputProperties.systemProperty 'tests.leader_host', "${-> testClusters."leader-cluster".getAllHttpSocketURI().get(0)}" nonInputProperties.systemProperty 'log', "${-> testClusters."follow-cluster".getFirstNode().getServerLog()}" @@ -80,4 +54,9 @@ testClusters."follow-cluster" { tasks.named("check").configure { dependsOn "follow-cluster" } // no unit tests for multi-cluster-search, only the rest integration test -tasks.named("test").configure { enabled = false } \ No newline at end of file +tasks.named("test").configure { enabled = false } + +// We can't run in FIPS mode with a basic license +tasks.withType(Test).configureEach { + onlyIf { BuildParams.inFipsJvm == false} +} diff --git a/x-pack/plugin/core/build.gradle b/x-pack/plugin/core/build.gradle index bb5afb11b635..eb6e7dd9ff59 100644 --- a/x-pack/plugin/core/build.gradle +++ b/x-pack/plugin/core/build.gradle @@ -53,6 +53,8 @@ dependencies { testImplementation project(path: ':modules:lang-mustache') testImplementation project(path: ':modules:analysis-common') testImplementation project(":client:rest-high-level") + // Needed for Fips140ProviderVerificationTests + testCompileOnly('org.bouncycastle:bc-fips:1.0.2') testImplementation(project(':x-pack:license-tools')) { transitive = false diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/Fips140ProviderVerificationTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/Fips140ProviderVerificationTests.java new file mode 100644 index 000000000000..be06204ecea9 --- /dev/null +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/Fips140ProviderVerificationTests.java @@ -0,0 +1,32 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +package org.elasticsearch.xpack.core; + +import org.bouncycastle.crypto.CryptoServicesRegistrar; +import org.elasticsearch.test.ESTestCase; + +import java.security.Security; + +import static org.hamcrest.Matchers.containsString; +import static org.hamcrest.Matchers.equalTo; + +public class Fips140ProviderVerificationTests extends ESTestCase { + + public void testBcFipsProviderInUse() { + if (inFipsJvm()) { + assertThat(Security.getProviders().length > 0, equalTo(true)); + assertThat(Security.getProviders()[0].getName(), containsString("BCFIPS")); + } + } + + public void testInApprovedOnlyMode() { + if (inFipsJvm()) { + assertThat(CryptoServicesRegistrar.isInApprovedOnlyMode(), equalTo(true)); + } + } + +} diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/transport/ProfileConfigurationsTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/transport/ProfileConfigurationsTests.java index 14f12914dca5..83f403459c4f 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/transport/ProfileConfigurationsTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/transport/ProfileConfigurationsTests.java @@ -22,6 +22,7 @@ import java.util.Map; public class ProfileConfigurationsTests extends ESTestCase { public void testGetSecureTransportProfileConfigurations() { + assumeFalse("Can't run in a FIPS JVM, uses JKS/PKCS12 keystores", inFipsJvm()); final Settings settings = getBaseSettings() .put("path.home", createTempDir()) .put("xpack.security.transport.ssl.verification_mode", VerificationMode.CERTIFICATE.name()) diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/RestrictedTrustManagerTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/RestrictedTrustManagerTests.java index 316cf2a88a3e..0f642dd3b822 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/RestrictedTrustManagerTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/RestrictedTrustManagerTests.java @@ -35,7 +35,6 @@ import java.util.Objects; import java.util.regex.Pattern; import java.util.stream.Collectors; -import static org.elasticsearch.test.ESIntegTestCase.inFipsJvm; public class RestrictedTrustManagerTests extends ESTestCase { diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLServiceTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLServiceTests.java index f131de78150d..e0f081ea67f0 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLServiceTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLServiceTests.java @@ -321,6 +321,7 @@ public class SSLServiceTests extends ESTestCase { } public void testThatHttpClientAuthDefaultsToNone() throws Exception { + assumeFalse("Can't run in a FIPS JVM, uses JKS/PKCS12 keystores", inFipsJvm()); MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); secureSettings.setString("xpack.security.http.ssl.keystore.secure_password", "testnode"); @@ -344,6 +345,7 @@ public class SSLServiceTests extends ESTestCase { } public void testThatTruststorePasswordIsRequired() throws Exception { + assumeFalse("Can't run in a FIPS JVM, uses JKS/PKCS12 keystores", inFipsJvm()); MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); Settings settings = Settings.builder() @@ -360,6 +362,7 @@ public class SSLServiceTests extends ESTestCase { } public void testThatKeystorePasswordIsRequired() throws Exception { + assumeFalse("Can't run in a FIPS JVM, uses JKS/PKCS12 keystores", inFipsJvm()); Settings settings = Settings.builder() .put("xpack.security.transport.ssl.keystore.path", testnodeStore) .put("xpack.security.transport.ssl.keystore.type", testnodeStoreType) diff --git a/x-pack/plugin/data-streams/qa/multi-node/build.gradle b/x-pack/plugin/data-streams/qa/multi-node/build.gradle index 7fe5f9b4961f..c83e2d623b05 100644 --- a/x-pack/plugin/data-streams/qa/multi-node/build.gradle +++ b/x-pack/plugin/data-streams/qa/multi-node/build.gradle @@ -1,3 +1,5 @@ +import org.elasticsearch.gradle.info.BuildParams + apply plugin: 'elasticsearch.java-rest-test' File repoDir = file("$buildDir/testclusters/repo") @@ -19,3 +21,8 @@ testClusters.matching { it.name == "javaRestTest" }.configureEach { //disabling ILM history as it disturbs testDSXpackUsage test setting 'indices.lifecycle.history_index_enabled', 'false' } + +if (BuildParams.inFipsJvm){ + // Test clusters run with security disabled + tasks.named("javaRestTest").configure{enabled = false } +} diff --git a/x-pack/plugin/data-streams/qa/rest/build.gradle b/x-pack/plugin/data-streams/qa/rest/build.gradle index 9ddc0858b59e..5f45157f1f6a 100644 --- a/x-pack/plugin/data-streams/qa/rest/build.gradle +++ b/x-pack/plugin/data-streams/qa/rest/build.gradle @@ -1,3 +1,5 @@ +import org.elasticsearch.gradle.info.BuildParams + apply plugin: 'elasticsearch.yaml-rest-test' apply plugin: 'elasticsearch.java-rest-test' @@ -18,3 +20,9 @@ testClusters.all { // disable ILM history, since it disturbs tests using _all setting 'indices.lifecycle.history_index_enabled', 'false' } +if (BuildParams.inFipsJvm){ + // These fail in CI but only when run as part of checkPart2 and not individually. + // Tracked in : + tasks.named("javaRestTest").configure{enabled = false } + tasks.named("yamlRestTest").configure{enabled = false } +} diff --git a/x-pack/plugin/deprecation/qa/rest/build.gradle b/x-pack/plugin/deprecation/qa/rest/build.gradle index 49916b1cfbfa..ae13923ef18a 100644 --- a/x-pack/plugin/deprecation/qa/rest/build.gradle +++ b/x-pack/plugin/deprecation/qa/rest/build.gradle @@ -1,4 +1,5 @@ import org.elasticsearch.gradle.util.GradleUtils +import org.elasticsearch.gradle.info.BuildParams apply plugin: 'elasticsearch.esplugin' apply plugin: 'elasticsearch.java-rest-test' @@ -30,3 +31,8 @@ testClusters.all { } tasks.named("test").configure { enabled = false } + +if (BuildParams.inFipsJvm){ + // Test clusters run with security disabled + tasks.named("javaRestTest").configure{enabled = false } +} diff --git a/x-pack/plugin/enrich/qa/rest-with-security/build.gradle b/x-pack/plugin/enrich/qa/rest-with-security/build.gradle index 6b091d3fa64a..47e98b6550c0 100644 --- a/x-pack/plugin/enrich/qa/rest-with-security/build.gradle +++ b/x-pack/plugin/enrich/qa/rest-with-security/build.gradle @@ -1,9 +1,15 @@ apply plugin: 'elasticsearch.java-rest-test' +import org.elasticsearch.gradle.info.BuildParams + dependencies { javaRestTestImplementation project(path: xpackModule('core')) javaRestTestImplementation project(path: xpackModule('enrich:qa:common')) } +if (BuildParams.inFipsJvm){ + // This test cluster is using a BASIC license and FIPS 140 mode is not supported in BASIC + tasks.named("javaRestTest").configure{enabled = false } +} testClusters.all { testDistribution = 'DEFAULT' diff --git a/x-pack/plugin/enrich/qa/rest/build.gradle b/x-pack/plugin/enrich/qa/rest/build.gradle index cac82efd4300..702e6a9896cf 100644 --- a/x-pack/plugin/enrich/qa/rest/build.gradle +++ b/x-pack/plugin/enrich/qa/rest/build.gradle @@ -1,6 +1,8 @@ apply plugin: 'elasticsearch.java-rest-test' apply plugin: 'elasticsearch.yaml-rest-test' +import org.elasticsearch.gradle.info.BuildParams + restResources { restApi { includeCore '_common', 'indices', 'index' @@ -12,6 +14,12 @@ dependencies { javaRestTestImplementation project(path: xpackModule('enrich:qa:common')) } +if (BuildParams.inFipsJvm){ + // This test cluster is using a BASIC license and FIPS 140 mode is not supported in BASIC + tasks.named("javaRestTest").configure{enabled = false } + tasks.named("yamlRestTest").configure{enabled = false } +} + testClusters.all { testDistribution = 'DEFAULT' setting 'xpack.license.self_generated.type', 'basic' diff --git a/x-pack/plugin/eql/qa/correctness/build.gradle b/x-pack/plugin/eql/qa/correctness/build.gradle index e618265b2638..b436391ac2c5 100644 --- a/x-pack/plugin/eql/qa/correctness/build.gradle +++ b/x-pack/plugin/eql/qa/correctness/build.gradle @@ -4,6 +4,7 @@ apply plugin: 'elasticsearch.testclusters' tasks.named("test").configure { enabled = false } import org.elasticsearch.gradle.testclusters.RunTask +import org.elasticsearch.gradle.info.BuildParams restResources { restApi { @@ -31,6 +32,10 @@ Boolean preserveData = providers.systemProperty('eql.test.preserve.data') .map { s -> Boolean.parseBoolean(s) } .getOrElse(false) +if (BuildParams.inFipsJvm){ + // This test cluster is using a BASIC license and FIPS 140 mode is not supported in BASIC + tasks.named("javaRestTest").configure{enabled = false } +} testClusters { all { plugin ':plugins:repository-gcs' diff --git a/x-pack/plugin/eql/qa/rest/build.gradle b/x-pack/plugin/eql/qa/rest/build.gradle index 779c7ccedf5e..b5247e710990 100644 --- a/x-pack/plugin/eql/qa/rest/build.gradle +++ b/x-pack/plugin/eql/qa/rest/build.gradle @@ -1,6 +1,8 @@ apply plugin: 'elasticsearch.java-rest-test' apply plugin: 'elasticsearch.yaml-rest-test' +import org.elasticsearch.gradle.info.BuildParams + restResources { restApi { includeCore '_common', 'bulk', 'indices' @@ -12,6 +14,11 @@ dependencies { javaRestTestImplementation project(path: xpackModule('eql:qa:common')) } +if (BuildParams.inFipsJvm){ + // This test cluster is using a BASIC license and FIPS 140 mode is not supported in BASIC + tasks.named("javaRestTest").configure{enabled = false } + tasks.named("yamlRestTest").configure{enabled = false } +} testClusters.all { testDistribution = 'DEFAULT' setting 'xpack.license.self_generated.type', 'basic' diff --git a/x-pack/plugin/eql/qa/security/build.gradle b/x-pack/plugin/eql/qa/security/build.gradle index f17c458b6728..253665b340d5 100644 --- a/x-pack/plugin/eql/qa/security/build.gradle +++ b/x-pack/plugin/eql/qa/security/build.gradle @@ -1,9 +1,16 @@ apply plugin: 'elasticsearch.java-rest-test' +import org.elasticsearch.gradle.info.BuildParams + dependencies { javaRestTestImplementation project(path: xpackModule('eql:qa:common')) } +if (BuildParams.inFipsJvm){ + // This test cluster is using a BASIC license and FIPS 140 mode is not supported in BASIC + tasks.named("javaRestTest").configure{enabled = false } +} + testClusters.all { testDistribution = 'DEFAULT' setting 'xpack.license.self_generated.type', 'basic' diff --git a/x-pack/plugin/identity-provider/qa/idp-rest-tests/build.gradle b/x-pack/plugin/identity-provider/qa/idp-rest-tests/build.gradle index ab1d3c497174..e05ac56050e2 100644 --- a/x-pack/plugin/identity-provider/qa/idp-rest-tests/build.gradle +++ b/x-pack/plugin/identity-provider/qa/idp-rest-tests/build.gradle @@ -1,3 +1,4 @@ +import org.elasticsearch.gradle.info.BuildParams apply plugin: 'elasticsearch.java-rest-test' dependencies { @@ -45,3 +46,9 @@ testClusters.all { user username: "idp_admin", password: "idp-password", role: "idp_admin" user username: "idp_user", password: "idp-password", role: "idp_user" } + +// We don't support the IDP in FIPS-140 mode, so no need to run java rest tests +tasks.named("javaRestTest").configure { + onlyIf { BuildParams.inFipsJvm == false } +} + diff --git a/x-pack/plugin/ilm/qa/multi-cluster/build.gradle b/x-pack/plugin/ilm/qa/multi-cluster/build.gradle index 2125c2768eab..a3d576e43090 100644 --- a/x-pack/plugin/ilm/qa/multi-cluster/build.gradle +++ b/x-pack/plugin/ilm/qa/multi-cluster/build.gradle @@ -1,4 +1,5 @@ import org.elasticsearch.gradle.test.RestIntegTestTask +import org.elasticsearch.gradle.info.BuildParams apply plugin: 'elasticsearch.testclusters' apply plugin: 'elasticsearch.standalone-test' @@ -11,14 +12,14 @@ dependencies { File repoDir = file("$buildDir/testclusters/repo") -task 'leader-cluster'(type: RestIntegTestTask) { +tasks.register('leader-cluster', RestIntegTestTask) { mustRunAfter("precommit") systemProperty 'tests.target_cluster', 'leader' /* To support taking index snapshots, we have to set path.repo setting */ systemProperty 'tests.path.repo', repoDir.absolutePath } -testClusters.'leader-cluster' { +testClusters.matching { it.name == 'leader-cluster' }.configureEach { testDistribution = 'DEFAULT' setting 'path.repo', repoDir.absolutePath setting 'xpack.ccr.enabled', 'true' @@ -29,19 +30,19 @@ testClusters.'leader-cluster' { setting 'indices.lifecycle.poll_interval', '1000ms' } -task 'follow-cluster'(type: RestIntegTestTask) { - dependsOn 'leader-cluster' - useCluster testClusters.'leader-cluster' - systemProperty 'tests.target_cluster', 'follow' - nonInputProperties.systemProperty 'tests.leader_host', - "${-> testClusters."leader-cluster".getAllHttpSocketURI().get(0)}" - nonInputProperties.systemProperty 'tests.leader_remote_cluster_seed', - "${-> testClusters.'leader-cluster'.getAllTransportPortURI().get(0)}" - /* To support taking index snapshots, we have to set path.repo setting */ - systemProperty 'tests.path.repo', repoDir.absolutePath +tasks.register('follow-cluster', RestIntegTestTask) { + dependsOn tasks.findByName('leader-cluster') + useCluster testClusters.'leader-cluster' + systemProperty 'tests.target_cluster', 'follow' + nonInputProperties.systemProperty 'tests.leader_host', + "${-> testClusters."leader-cluster".getAllHttpSocketURI().get(0)}" + nonInputProperties.systemProperty 'tests.leader_remote_cluster_seed', + "${-> testClusters.'leader-cluster'.getAllTransportPortURI().get(0)}" + /* To support taking index snapshots, we have to set path.repo setting */ + systemProperty 'tests.path.repo', repoDir.absolutePath } -testClusters.'follow-cluster' { +testClusters.matching{ it.name == 'follow-cluster' }.configureEach { testDistribution = 'DEFAULT' setting 'path.repo', repoDir.absolutePath setting 'xpack.ccr.enabled', 'true' @@ -54,5 +55,11 @@ testClusters.'follow-cluster' { { "\"${testClusters.'leader-cluster'.getAllTransportPortURI().get(0)}\"" } } -check.dependsOn 'follow-cluster' -test.enabled = false // no unit tests for this module, only the rest integration test +tasks.named("check").configure { dependsOn 'follow-cluster' } +// no unit tests for this module, only the rest integration test +tasks.named("test").configure { enabled = false } +// Security is explicitly disabled for follow-cluster and leader-cluster, do not run these in FIPS mode +tasks.withType(Test).configureEach { + onlyIf { BuildParams.inFipsJvm == false} +} + diff --git a/x-pack/plugin/ilm/qa/multi-node/build.gradle b/x-pack/plugin/ilm/qa/multi-node/build.gradle index b70f334d62cb..95458f366dfa 100644 --- a/x-pack/plugin/ilm/qa/multi-node/build.gradle +++ b/x-pack/plugin/ilm/qa/multi-node/build.gradle @@ -1,4 +1,5 @@ import org.elasticsearch.gradle.util.GradleUtils +import org.elasticsearch.gradle.info.BuildParams apply plugin: 'elasticsearch.java-rest-test' @@ -30,3 +31,8 @@ testClusters.all { setting 'logger.org.elasticsearch.xpack.core.ilm', 'TRACE' setting 'logger.org.elasticsearch.xpack.ilm', 'TRACE' } + +if (BuildParams.inFipsJvm){ + // Test clusters run with security disabled + tasks.named("javaRestTest").configure{enabled = false } +} diff --git a/x-pack/plugin/ilm/qa/with-security/src/javaRestTest/java/org/elasticsearch/xpack/security/PermissionsIT.java b/x-pack/plugin/ilm/qa/with-security/src/javaRestTest/java/org/elasticsearch/xpack/security/PermissionsIT.java index 8ffc5f4711fe..3ec7ea39f661 100644 --- a/x-pack/plugin/ilm/qa/with-security/src/javaRestTest/java/org/elasticsearch/xpack/security/PermissionsIT.java +++ b/x-pack/plugin/ilm/qa/with-security/src/javaRestTest/java/org/elasticsearch/xpack/security/PermissionsIT.java @@ -161,14 +161,14 @@ public class PermissionsIT extends ESRestTestCase { "\"indices\": [{ \"names\": [\".slm-history*\"],\"privileges\": [\"all\"] }] }"); assertOK(adminClient().performRequest(roleRequest)); - createUser("slm_admin", "slm-pass", "slm-manage"); - createUser("slm_user", "slm-user-pass", "slm-read"); + createUser("slm_admin", "slm-admin-password", "slm-manage"); + createUser("slm_user", "slm-user-password", "slm-read"); final HighLevelClient hlAdminClient = new HighLevelClient(adminClient()); // Build two high level clients, each using a different user final RestClientBuilder adminBuilder = RestClient.builder(adminClient().getNodes().toArray(new Node[0])); - final String adminToken = basicAuthHeaderValue("slm_admin", new SecureString("slm-pass".toCharArray())); + final String adminToken = basicAuthHeaderValue("slm_admin", new SecureString("slm-admin-password".toCharArray())); configureClient(adminBuilder, Settings.builder() .put(ThreadContext.PREFIX + ".Authorization", adminToken) .build()); @@ -176,7 +176,7 @@ public class PermissionsIT extends ESRestTestCase { final RestHighLevelClient adminHLRC = new RestHighLevelClient(adminBuilder); final RestClientBuilder userBuilder = RestClient.builder(adminClient().getNodes().toArray(new Node[0])); - final String userToken = basicAuthHeaderValue("slm_user", new SecureString("slm-user-pass".toCharArray())); + final String userToken = basicAuthHeaderValue("slm_user", new SecureString("slm-user-password".toCharArray())); configureClient(userBuilder, Settings.builder() .put(ThreadContext.PREFIX + ".Authorization", userToken) .build()); diff --git a/x-pack/plugin/ml/qa/basic-multi-node/build.gradle b/x-pack/plugin/ml/qa/basic-multi-node/build.gradle index 7e30c27d721f..d690f1e408f2 100644 --- a/x-pack/plugin/ml/qa/basic-multi-node/build.gradle +++ b/x-pack/plugin/ml/qa/basic-multi-node/build.gradle @@ -1,3 +1,5 @@ +import org.elasticsearch.gradle.info.BuildParams + apply plugin: 'elasticsearch.java-rest-test' testClusters.all { @@ -11,3 +13,8 @@ testClusters.all { setting 'indices.lifecycle.history_index_enabled', 'false' setting 'slm.history_index_enabled', 'false' } + +if (BuildParams.inFipsJvm){ + // Test clusters run with security disabled + tasks.named("javaRestTest").configure{enabled = false } +} diff --git a/x-pack/plugin/ml/qa/disabled/build.gradle b/x-pack/plugin/ml/qa/disabled/build.gradle index 7ad18743ca88..f9b697fb0d0a 100644 --- a/x-pack/plugin/ml/qa/disabled/build.gradle +++ b/x-pack/plugin/ml/qa/disabled/build.gradle @@ -1,3 +1,5 @@ +import org.elasticsearch.gradle.info.BuildParams + apply plugin: 'elasticsearch.java-rest-test' //dependencies { @@ -10,3 +12,8 @@ testClusters.all { setting 'xpack.security.enabled', 'false' setting 'xpack.ml.enabled', 'false' } + +if (BuildParams.inFipsJvm){ + // Test clusters run with security disabled + tasks.named("javaRestTest").configure{enabled = false } +} diff --git a/x-pack/plugin/ml/qa/single-node-tests/build.gradle b/x-pack/plugin/ml/qa/single-node-tests/build.gradle index f3610bfa9867..a3b7646a0851 100644 --- a/x-pack/plugin/ml/qa/single-node-tests/build.gradle +++ b/x-pack/plugin/ml/qa/single-node-tests/build.gradle @@ -1,3 +1,5 @@ +import org.elasticsearch.gradle.info.BuildParams + apply plugin: 'elasticsearch.java-rest-test' testClusters.all { @@ -5,3 +7,8 @@ testClusters.all { setting 'xpack.security.enabled', 'false' setting 'xpack.license.self_generated.type', 'trial' } + +if (BuildParams.inFipsJvm){ + // Test clusters run with security disabled + tasks.named("javaRestTest").configure{enabled = false } +} diff --git a/x-pack/plugin/repositories-metering-api/qa/gcs/build.gradle b/x-pack/plugin/repositories-metering-api/qa/gcs/build.gradle index e3284ce5c68b..4aa5418de905 100644 --- a/x-pack/plugin/repositories-metering-api/qa/gcs/build.gradle +++ b/x-pack/plugin/repositories-metering-api/qa/gcs/build.gradle @@ -66,7 +66,7 @@ if (!gcsServiceAccount && !gcsBucket && !gcsBasePath) { tasks.register("createServiceAccountFile") { doLast { KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA") - keyPairGenerator.initialize(1024) + keyPairGenerator.initialize(2048) KeyPair keyPair = keyPairGenerator.generateKeyPair() String encodedKey = Base64.getEncoder().encodeToString(keyPair.private.getEncoded()) diff --git a/x-pack/plugin/repositories-metering-api/qa/s3/build.gradle b/x-pack/plugin/repositories-metering-api/qa/s3/build.gradle index 26b9a88f7a4c..12ccfe728d78 100644 --- a/x-pack/plugin/repositories-metering-api/qa/s3/build.gradle +++ b/x-pack/plugin/repositories-metering-api/qa/s3/build.gradle @@ -27,8 +27,8 @@ String s3Bucket = System.getenv("amazon_s3_bucket") String s3BasePath = System.getenv("amazon_s3_base_path") if (!s3AccessKey && !s3SecretKey && !s3Bucket && !s3BasePath) { - s3AccessKey = 'access_key' - s3SecretKey = 'secret_key' + s3AccessKey = 's3_test_access_key' + s3SecretKey = 's3_test_secret_key' s3Bucket = 'bucket' s3BasePath = null useFixture = true @@ -72,4 +72,4 @@ testClusters.integTest { tasks.register("s3ThirdPartyTest").configure { dependsOn "integTest" -} \ No newline at end of file +} diff --git a/x-pack/plugin/rollup/qa/rest/build.gradle b/x-pack/plugin/rollup/qa/rest/build.gradle index dc909f0e0a35..a3750479eb5d 100644 --- a/x-pack/plugin/rollup/qa/rest/build.gradle +++ b/x-pack/plugin/rollup/qa/rest/build.gradle @@ -9,20 +9,25 @@ apply plugin: 'elasticsearch.standalone-rest-test' apply plugin: 'elasticsearch.rest-test' apply plugin: 'elasticsearch.rest-resources' +import org.elasticsearch.gradle.info.BuildParams + dependencies { - testImplementation project(path: xpackModule('rollup')) + testImplementation project(path: xpackModule('rollup')) } restResources { - restApi { - includeCore '_common', 'bulk', 'cluster', 'indices', 'search' - includeXpack 'rollup' - } + restApi { + includeCore '_common', 'bulk', 'cluster', 'indices', 'search' + includeXpack 'rollup' + } } - -testClusters.integTest { - testDistribution = 'DEFAULT' - setting 'xpack.license.self_generated.type', 'basic' - systemProperty 'es.rollup_v2_feature_flag_enabled', 'true' +if (BuildParams.inFipsJvm){ + // This test cluster is using a BASIC license and FIPS 140 mode is not supported in BASIC + tasks.named("integTest").configure{enabled = false } + tasks.named("testingConventions").configure{enabled = false } +} +testClusters.matching { it.name == "integTest" }.configureEach { + testDistribution = 'DEFAULT' + setting 'xpack.license.self_generated.type', 'basic' + systemProperty 'es.rollup_v2_feature_flag_enabled', 'true' } - diff --git a/x-pack/plugin/searchable-snapshots/qa/gcs/build.gradle b/x-pack/plugin/searchable-snapshots/qa/gcs/build.gradle index 7e0c961a720c..ab39bc33c9ec 100644 --- a/x-pack/plugin/searchable-snapshots/qa/gcs/build.gradle +++ b/x-pack/plugin/searchable-snapshots/qa/gcs/build.gradle @@ -48,7 +48,7 @@ if (!gcsServiceAccount && !gcsBucket && !gcsBasePath) { tasks.register("createServiceAccountFile") { doLast { KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA") - keyPairGenerator.initialize(1024) + keyPairGenerator.initialize(2048) KeyPair keyPair = keyPairGenerator.generateKeyPair() String encodedKey = Base64.getEncoder().encodeToString(keyPair.private.getEncoded()) diff --git a/x-pack/plugin/searchable-snapshots/qa/minio/build.gradle b/x-pack/plugin/searchable-snapshots/qa/minio/build.gradle index f41cff55fbdd..df5873720018 100644 --- a/x-pack/plugin/searchable-snapshots/qa/minio/build.gradle +++ b/x-pack/plugin/searchable-snapshots/qa/minio/build.gradle @@ -36,8 +36,8 @@ testClusters.integTest { testDistribution = 'DEFAULT' plugin repositoryPlugin.path - keystore 's3.client.searchable_snapshots.access_key', 'access_key' - keystore 's3.client.searchable_snapshots.secret_key', 'secret_key' + keystore 's3.client.searchable_snapshots.access_key', 's3_test_access_key' + keystore 's3.client.searchable_snapshots.secret_key', 's3_test_secret_key' setting 'xpack.license.self_generated.type', 'trial' setting 's3.client.searchable_snapshots.protocol', 'http' setting 's3.client.searchable_snapshots.endpoint', { "${-> fixtureAddress()}" }, IGNORE_VALUE diff --git a/x-pack/plugin/searchable-snapshots/qa/s3/build.gradle b/x-pack/plugin/searchable-snapshots/qa/s3/build.gradle index 2f3478316805..5c3db37f2bd2 100644 --- a/x-pack/plugin/searchable-snapshots/qa/s3/build.gradle +++ b/x-pack/plugin/searchable-snapshots/qa/s3/build.gradle @@ -27,8 +27,8 @@ String s3Bucket = System.getenv("amazon_s3_bucket") String s3BasePath = System.getenv("amazon_s3_base_path") if (!s3AccessKey && !s3SecretKey && !s3Bucket && !s3BasePath) { - s3AccessKey = 'access_key' - s3SecretKey = 'secret_key' + s3AccessKey = 's3_test_access_key' + s3SecretKey = 's3_test_secret_key' s3Bucket = 'bucket' s3BasePath = null useFixture = true diff --git a/x-pack/plugin/security/qa/basic-enable-security/build.gradle b/x-pack/plugin/security/qa/basic-enable-security/build.gradle index 49a345922054..39b40d10c198 100644 --- a/x-pack/plugin/security/qa/basic-enable-security/build.gradle +++ b/x-pack/plugin/security/qa/basic-enable-security/build.gradle @@ -1,5 +1,6 @@ import org.elasticsearch.gradle.testclusters.StandaloneRestIntegTestTask import org.elasticsearch.gradle.test.rest.JavaRestTestPlugin +import org.elasticsearch.gradle.info.BuildParams apply plugin: 'elasticsearch.java-rest-test' @@ -14,6 +15,11 @@ tasks.named("javaRestTest").configure { systemProperty 'tests.has_security', 'false' } +if (BuildParams.inFipsJvm){ + // This test cluster is using a BASIC license and FIPS 140 mode is not supported in BASIC + tasks.named("javaRestTest").configure{enabled = false } +} + testClusters { javaRestTest { testDistribution = 'DEFAULT' @@ -31,6 +37,9 @@ tasks.register("javaRestTestWithSecurity", StandaloneRestIntegTestTask) { systemProperty 'tests.has_security', 'true' testClassesDirs = sourceSets.javaRestTest.output.classesDirs classpath = sourceSets.javaRestTest.runtimeClasspath + onlyIf { + BuildParams.inFipsJvm == false + } doFirst { testClusters.javaRestTest { // TODO Rene: revisit if using dedicated new cluster definitions would be more efficient. diff --git a/x-pack/plugin/security/qa/security-basic/build.gradle b/x-pack/plugin/security/qa/security-basic/build.gradle index cc7aae881094..bff408bfc11d 100644 --- a/x-pack/plugin/security/qa/security-basic/build.gradle +++ b/x-pack/plugin/security/qa/security-basic/build.gradle @@ -1,12 +1,19 @@ apply plugin: 'elasticsearch.java-rest-test' +import org.elasticsearch.gradle.info.BuildParams + dependencies { javaRestTestImplementation project(path: xpackModule('core'), configuration: 'default') javaRestTestImplementation project(path: xpackModule('security'), configuration: 'testArtifacts') javaRestTestImplementation project(path: xpackModule('core'), configuration: 'testArtifacts') } +if (BuildParams.inFipsJvm){ + // This test cluster is using a BASIC license and FIPS 140 mode is not supported in BASIC + tasks.named("javaRestTest").configure{enabled = false } +} + testClusters.all { testDistribution = 'DEFAULT' numberOfNodes = 2 diff --git a/x-pack/plugin/security/qa/security-disabled/build.gradle b/x-pack/plugin/security/qa/security-disabled/build.gradle index ff25b3667c49..417345e0e21d 100644 --- a/x-pack/plugin/security/qa/security-disabled/build.gradle +++ b/x-pack/plugin/security/qa/security-disabled/build.gradle @@ -5,6 +5,7 @@ * For example: If a cluster has a pipeline with the set_security_user processor * defined, it should be not fail */ +import org.elasticsearch.gradle.info.BuildParams apply plugin: 'elasticsearch.java-rest-test' @@ -24,3 +25,8 @@ testClusters.all { setting 'xpack.license.self_generated.type', 'trial' setting 'xpack.security.enabled', 'false' } + +if (BuildParams.inFipsJvm){ + // Test clusters run with security disabled + tasks.named("javaRestTest").configure{enabled = false } +} diff --git a/x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/security/apikey/ApiKeyRestIT.java b/x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/security/apikey/ApiKeyRestIT.java index 11b88338c43f..3a14a5ed83a8 100644 --- a/x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/security/apikey/ApiKeyRestIT.java +++ b/x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/security/apikey/ApiKeyRestIT.java @@ -42,9 +42,9 @@ import static org.hamcrest.Matchers.notNullValue; public class ApiKeyRestIT extends SecurityOnTrialLicenseRestTestCase { private static final String SYSTEM_USER = "system_user"; - private static final SecureString SYSTEM_USER_PASSWORD = new SecureString("sys-pass".toCharArray()); + private static final SecureString SYSTEM_USER_PASSWORD = new SecureString("system-user-password".toCharArray()); private static final String END_USER = "end_user"; - private static final SecureString END_USER_PASSWORD = new SecureString("user-pass".toCharArray()); + private static final SecureString END_USER_PASSWORD = new SecureString("end-user-password".toCharArray()); @Before public void createUsers() throws IOException { diff --git a/x-pack/plugin/security/qa/tls-basic/build.gradle b/x-pack/plugin/security/qa/tls-basic/build.gradle index 7da9798194e1..5acbe0696be5 100644 --- a/x-pack/plugin/security/qa/tls-basic/build.gradle +++ b/x-pack/plugin/security/qa/tls-basic/build.gradle @@ -1,11 +1,18 @@ apply plugin: 'elasticsearch.java-rest-test' +import org.elasticsearch.gradle.info.BuildParams + dependencies { testImplementation project(path: xpackModule('core'), configuration: 'default') testImplementation project(path: xpackModule('security'), configuration: 'testArtifacts') testImplementation project(path: xpackModule('core'), configuration: 'testArtifacts') } +if (BuildParams.inFipsJvm){ + // This test cluster is using a BASIC license and FIPS 140 mode is not supported in BASIC + tasks.named("javaRestTest").configure{enabled = false } +} + testClusters.javaRestTest { testDistribution = 'DEFAULT' numberOfNodes = 2 diff --git a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/AbstractPrivilegeTestCase.java b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/AbstractPrivilegeTestCase.java index 35cc53a8e143..1aa0a23af73c 100644 --- a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/AbstractPrivilegeTestCase.java +++ b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/AbstractPrivilegeTestCase.java @@ -12,7 +12,7 @@ import org.elasticsearch.client.Request; import org.elasticsearch.client.RequestOptions; import org.elasticsearch.client.Response; import org.elasticsearch.client.ResponseException; -import org.elasticsearch.common.settings.SecureString; +import org.elasticsearch.test.SecuritySettingsSourceField; import org.elasticsearch.test.SecuritySingleNodeTestCase; import org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken; @@ -94,7 +94,8 @@ public abstract class AbstractPrivilegeTestCase extends SecuritySingleNodeTestCa private void setUser(Request request, String user) { RequestOptions.Builder options = RequestOptions.DEFAULT.toBuilder(); - options.addHeader("Authorization", UsernamePasswordToken.basicAuthHeaderValue(user, new SecureString("passwd".toCharArray()))); + options.addHeader("Authorization", + UsernamePasswordToken.basicAuthHeaderValue(user, SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING)); request.setOptions(options); } } diff --git a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/ClearRealmsCacheTests.java b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/ClearRealmsCacheTests.java index 145213094d1d..e74aed0de892 100644 --- a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/ClearRealmsCacheTests.java +++ b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/ClearRealmsCacheTests.java @@ -190,8 +190,8 @@ public class ClearRealmsCacheTests extends SecurityIntegTestCase { @Override protected String configUsers() { StringBuilder builder = new StringBuilder(SecuritySettingsSource.CONFIG_STANDARD_USER); - final String usersPasswdHashed = new String(getFastStoredHashAlgoForTests().hash(new SecureString - ("passwd".toCharArray()))); + final String usersPasswdHashed = + new String(getFastStoredHashAlgoForTests().hash(SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING)); for (String username : usernames) { builder.append(username).append(":").append(usersPasswdHashed).append("\n"); } @@ -223,7 +223,7 @@ public class ClearRealmsCacheTests extends SecurityIntegTestCase { private void testScenario(Scenario scenario) throws Exception { Map tokens = new HashMap<>(); for (String user : usernames) { - tokens.put(user, new UsernamePasswordToken(user, new SecureString("passwd"))); + tokens.put(user, new UsernamePasswordToken(user, SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING)); } List realms = new ArrayList<>(); diff --git a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/ClusterPrivilegeIntegrationTests.java b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/ClusterPrivilegeIntegrationTests.java index b0935a89f269..4818a3a729e4 100644 --- a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/ClusterPrivilegeIntegrationTests.java +++ b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/ClusterPrivilegeIntegrationTests.java @@ -10,8 +10,8 @@ import org.elasticsearch.action.admin.cluster.state.ClusterStateRequest; import org.elasticsearch.client.Request; import org.elasticsearch.cluster.SnapshotsInProgress; import org.elasticsearch.common.Strings; -import org.elasticsearch.common.settings.SecureString; import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.test.SecuritySettingsSourceField; import org.elasticsearch.xpack.core.security.authc.support.Hasher; import org.hamcrest.Matchers; import org.junit.AfterClass; @@ -79,8 +79,8 @@ public class ClusterPrivilegeIntegrationTests extends AbstractPrivilegeTestCase @Override protected String configUsers() { - final String usersPasswdHashed = new String(Hasher.resolve( - randomFrom("pbkdf2", "pbkdf2_1000", "bcrypt", "bcrypt9")).hash(new SecureString("passwd".toCharArray()))); + final Hasher passwdHasher = getFastStoredHashAlgoForTests(); + final String usersPasswdHashed = new String(passwdHasher.hash(SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING)); return super.configUsers() + "user_a:" + usersPasswdHashed + "\n" + "user_b:" + usersPasswdHashed + "\n" + diff --git a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/CreateDocsIndexPrivilegeTests.java b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/CreateDocsIndexPrivilegeTests.java index edc9e7e4fd94..96fba29be3b0 100644 --- a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/CreateDocsIndexPrivilegeTests.java +++ b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/CreateDocsIndexPrivilegeTests.java @@ -7,7 +7,7 @@ package org.elasticsearch.integration; import org.elasticsearch.client.Request; -import org.elasticsearch.common.settings.SecureString; +import org.elasticsearch.test.SecuritySettingsSourceField; import org.elasticsearch.xpack.core.security.authc.support.Hasher; import org.junit.Before; @@ -22,7 +22,7 @@ public class CreateDocsIndexPrivilegeTests extends AbstractPrivilegeTestCase { " indices:\n" + " - names: '*'\n" + " privileges: [ all ]\n" + - "create_doc_role:\n" + + "create_doc_role:\n" + " indices:\n" + " - names: '*'\n" + " privileges: [ create_doc ]\n"; @@ -43,8 +43,8 @@ public class CreateDocsIndexPrivilegeTests extends AbstractPrivilegeTestCase { @Override protected String configUsers() { - final String usersPasswdHashed = new String(Hasher.resolve( - randomFrom("pbkdf2", "pbkdf2_1000", "bcrypt", "bcrypt9")).hash(new SecureString("passwd".toCharArray()))); + final Hasher passwdHasher = getFastStoredHashAlgoForTests(); + final String usersPasswdHashed = new String(passwdHasher.hash(SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING)); return super.configUsers() + "admin:" + usersPasswdHashed + "\n" + diff --git a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/DateMathExpressionIntegTests.java b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/DateMathExpressionIntegTests.java index e119247a83d8..a57d6554e8d3 100644 --- a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/DateMathExpressionIntegTests.java +++ b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/DateMathExpressionIntegTests.java @@ -22,6 +22,7 @@ import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.index.query.QueryBuilders; import org.elasticsearch.test.SecurityIntegTestCase; +import org.elasticsearch.test.SecuritySettingsSourceField; import java.util.Collections; @@ -33,7 +34,7 @@ import static org.hamcrest.Matchers.is; public class DateMathExpressionIntegTests extends SecurityIntegTestCase { - protected static final SecureString USERS_PASSWD = new SecureString("change_me".toCharArray()); + protected static final SecureString USERS_PASSWD = SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING; @Override protected String configUsers() { diff --git a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/DocumentAndFieldLevelSecurityTests.java b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/DocumentAndFieldLevelSecurityTests.java index ccced824ed2a..902d1cfbea96 100644 --- a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/DocumentAndFieldLevelSecurityTests.java +++ b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/DocumentAndFieldLevelSecurityTests.java @@ -24,6 +24,7 @@ import org.elasticsearch.index.query.QueryBuilders; import org.elasticsearch.indices.IndicesModule; import org.elasticsearch.search.sort.SortOrder; import org.elasticsearch.test.SecurityIntegTestCase; +import org.elasticsearch.test.SecuritySettingsSourceField; import org.elasticsearch.xpack.core.XPackSettings; import java.util.Arrays; @@ -44,7 +45,7 @@ import static org.hamcrest.Matchers.is; public class DocumentAndFieldLevelSecurityTests extends SecurityIntegTestCase { - protected static final SecureString USERS_PASSWD = new SecureString("change_me".toCharArray()); + protected static final SecureString USERS_PASSWD = SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING; @Override protected String configUsers() { diff --git a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/DocumentLevelSecurityRandomTests.java b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/DocumentLevelSecurityRandomTests.java index beb54f59631e..8de35f47d2db 100644 --- a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/DocumentLevelSecurityRandomTests.java +++ b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/DocumentLevelSecurityRandomTests.java @@ -11,6 +11,7 @@ import org.elasticsearch.action.search.SearchResponse; import org.elasticsearch.common.settings.SecureString; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.index.query.QueryBuilders; +import org.elasticsearch.test.SecuritySettingsSourceField; import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.test.SecurityIntegTestCase; @@ -25,7 +26,7 @@ import static org.hamcrest.Matchers.equalTo; public class DocumentLevelSecurityRandomTests extends SecurityIntegTestCase { - protected static final SecureString USERS_PASSWD = new SecureString("change_me".toCharArray()); + protected static final SecureString USERS_PASSWD = SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING; // can't add a second test method, because each test run creates a new instance of this class and that will will result // in a new random value: diff --git a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/DocumentLevelSecurityTests.java b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/DocumentLevelSecurityTests.java index 37e0a502f29b..fe17530a452c 100644 --- a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/DocumentLevelSecurityTests.java +++ b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/DocumentLevelSecurityTests.java @@ -60,6 +60,7 @@ import org.elasticsearch.search.suggest.term.TermSuggestion; import org.elasticsearch.search.suggest.term.TermSuggestionBuilder; import org.elasticsearch.test.InternalSettingsPlugin; import org.elasticsearch.test.SecurityIntegTestCase; +import org.elasticsearch.test.SecuritySettingsSourceField; import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.search.action.ClosePointInTimeAction; import org.elasticsearch.xpack.core.search.action.ClosePointInTimeRequest; @@ -97,7 +98,7 @@ import static org.hamcrest.Matchers.notNullValue; @LuceneTestCase.SuppressCodecs("*") // suppress test codecs otherwise test using completion suggester fails public class DocumentLevelSecurityTests extends SecurityIntegTestCase { - protected static final SecureString USERS_PASSWD = new SecureString("change_me".toCharArray()); + protected static final SecureString USERS_PASSWD = SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING; @Override protected Collection> nodePlugins() { diff --git a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/FieldLevelSecurityRandomTests.java b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/FieldLevelSecurityRandomTests.java index f0ec7a4515de..684390800ddd 100644 --- a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/FieldLevelSecurityRandomTests.java +++ b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/FieldLevelSecurityRandomTests.java @@ -11,6 +11,7 @@ import org.elasticsearch.common.settings.SecureString; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.index.query.QueryBuilders; import org.elasticsearch.search.sort.SortOrder; +import org.elasticsearch.test.SecuritySettingsSourceField; import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.test.SecurityIntegTestCase; @@ -32,7 +33,7 @@ import static org.hamcrest.Matchers.equalTo; public class FieldLevelSecurityRandomTests extends SecurityIntegTestCase { - protected static final SecureString USERS_PASSWD = new SecureString("change_me".toCharArray()); + protected static final SecureString USERS_PASSWD = SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING; private static Set allowedFields; private static Set disAllowedFields; diff --git a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/FieldLevelSecurityTests.java b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/FieldLevelSecurityTests.java index 82b076ae4b77..e8c55dbdc3da 100644 --- a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/FieldLevelSecurityTests.java +++ b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/FieldLevelSecurityTests.java @@ -47,6 +47,7 @@ import org.elasticsearch.search.sort.SortOrder; import org.elasticsearch.test.ESIntegTestCase; import org.elasticsearch.test.InternalSettingsPlugin; import org.elasticsearch.test.SecurityIntegTestCase; +import org.elasticsearch.test.SecuritySettingsSourceField; import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.search.action.ClosePointInTimeAction; import org.elasticsearch.xpack.core.search.action.ClosePointInTimeRequest; @@ -87,7 +88,7 @@ import static org.hamcrest.Matchers.nullValue; @ESIntegTestCase.ClusterScope public class FieldLevelSecurityTests extends SecurityIntegTestCase { - protected static final SecureString USERS_PASSWD = new SecureString("change_me".toCharArray()); + protected static final SecureString USERS_PASSWD = SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING; @Override protected Collection> nodePlugins() { diff --git a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/IndexPrivilegeTests.java b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/IndexPrivilegeTests.java index 132110b6aaaf..3d03eab6130f 100644 --- a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/IndexPrivilegeTests.java +++ b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/IndexPrivilegeTests.java @@ -11,6 +11,7 @@ import org.elasticsearch.client.Response; import org.elasticsearch.client.ResponseException; import org.elasticsearch.common.UUIDs; import org.elasticsearch.common.settings.SecureString; +import org.elasticsearch.test.SecuritySettingsSourceField; import org.elasticsearch.xpack.core.security.authc.support.Hasher; import org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken; import org.junit.Before; @@ -120,8 +121,8 @@ public class IndexPrivilegeTests extends AbstractPrivilegeTestCase { @Override protected String configUsers() { - final String usersPasswdHashed = new String(Hasher.resolve( - randomFrom("pbkdf2", "pbkdf2_1000", "bcrypt", "bcrypt9")).hash(new SecureString("passwd".toCharArray()))); + final Hasher passwdHasher = getFastStoredHashAlgoForTests(); + final String usersPasswdHashed = new String(passwdHasher.hash(SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING)); return super.configUsers() + "admin:" + usersPasswdHashed + "\n" + diff --git a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/IndicesPermissionsWithAliasesWildcardsAndRegexsTests.java b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/IndicesPermissionsWithAliasesWildcardsAndRegexsTests.java index b20c1adb9b99..19ae2aa2ed98 100644 --- a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/IndicesPermissionsWithAliasesWildcardsAndRegexsTests.java +++ b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/IndicesPermissionsWithAliasesWildcardsAndRegexsTests.java @@ -9,6 +9,7 @@ import org.elasticsearch.action.admin.indices.alias.Alias; import org.elasticsearch.action.get.GetResponse; import org.elasticsearch.common.settings.SecureString; import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.test.SecuritySettingsSourceField; import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.test.SecurityIntegTestCase; @@ -22,7 +23,7 @@ import static org.hamcrest.Matchers.equalTo; public class IndicesPermissionsWithAliasesWildcardsAndRegexsTests extends SecurityIntegTestCase { - protected static final SecureString USERS_PASSWD = new SecureString("change_me".toCharArray()); + protected static final SecureString USERS_PASSWD = SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING; @Override protected String configUsers() { diff --git a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/KibanaSystemRoleIntegTests.java b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/KibanaSystemRoleIntegTests.java index 96590b73b139..859822cb71b9 100644 --- a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/KibanaSystemRoleIntegTests.java +++ b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/KibanaSystemRoleIntegTests.java @@ -11,6 +11,7 @@ import org.elasticsearch.action.delete.DeleteResponse; import org.elasticsearch.action.index.IndexResponse; import org.elasticsearch.common.settings.SecureString; import org.elasticsearch.test.SecurityIntegTestCase; +import org.elasticsearch.test.SecuritySettingsSourceField; import org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken; import java.util.Locale; @@ -21,7 +22,7 @@ import static org.hamcrest.Matchers.is; public class KibanaSystemRoleIntegTests extends SecurityIntegTestCase { - protected static final SecureString USERS_PASSWD = new SecureString("change_me".toCharArray()); + protected static final SecureString USERS_PASSWD = SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING; @Override public String configUsers() { diff --git a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/KibanaUserRoleIntegTests.java b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/KibanaUserRoleIntegTests.java index bb26a95eaf50..ec5d06b4c107 100644 --- a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/KibanaUserRoleIntegTests.java +++ b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/KibanaUserRoleIntegTests.java @@ -17,6 +17,7 @@ import org.elasticsearch.common.collect.ImmutableOpenMap; import org.elasticsearch.common.settings.SecureString; import org.elasticsearch.index.query.QueryBuilders; import org.elasticsearch.test.NativeRealmIntegTestCase; +import org.elasticsearch.test.SecuritySettingsSourceField; import org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken; import java.util.Map; @@ -32,7 +33,7 @@ import static org.hamcrest.Matchers.notNullValue; public class KibanaUserRoleIntegTests extends NativeRealmIntegTestCase { - protected static final SecureString USERS_PASSWD = new SecureString("change_me".toCharArray()); + protected static final SecureString USERS_PASSWD = SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING; @Override public String configRoles() { diff --git a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/MultipleIndicesPermissionsTests.java b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/MultipleIndicesPermissionsTests.java index da03e9ffe3d1..bc05f8bab89b 100644 --- a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/MultipleIndicesPermissionsTests.java +++ b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/MultipleIndicesPermissionsTests.java @@ -24,6 +24,7 @@ import org.elasticsearch.common.settings.SecureString; import org.elasticsearch.rest.RestStatus; import org.elasticsearch.test.SecurityIntegTestCase; import org.elasticsearch.test.SecuritySettingsSource; +import org.elasticsearch.test.SecuritySettingsSourceField; import org.elasticsearch.xpack.core.security.authc.support.Hasher; import org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken; import org.junit.After; @@ -42,12 +43,12 @@ import static org.hamcrest.Matchers.containsInAnyOrder; public class MultipleIndicesPermissionsTests extends SecurityIntegTestCase { - protected static final SecureString USERS_PASSWD = new SecureString("passwd".toCharArray()); + protected static final SecureString USERS_PASSWD = SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING; @Before public void waitForSecurityIndexWritable() throws Exception { // adds a dummy user to the native realm to force .security index creation - securityClient().preparePutUser("dummy_user", "password".toCharArray(), Hasher.BCRYPT, "missing_role").get(); + securityClient().preparePutUser("dummy_user", "dummy_user_password".toCharArray(), Hasher.BCRYPT, "missing_role").get(); assertSecurityIndexActive(); } @@ -221,7 +222,7 @@ public class MultipleIndicesPermissionsTests extends SecurityIntegTestCase { assertThat(indicesRecoveryResponse.shardRecoveryStates().size(), is(3)); assertThat(indicesRecoveryResponse.shardRecoveryStates().keySet(), containsInAnyOrder("foo", "foobar", "foobarfoo")); - // test _cat/indices with wildcards that cover unauthorized indices (".security" in this case) + // test _cat/indices with wildcards that cover unauthorized indices (".security" in this case) RequestOptions.Builder optionsBuilder = RequestOptions.DEFAULT.toBuilder(); optionsBuilder.addHeader("Authorization", UsernamePasswordToken.basicAuthHeaderValue("user_monitor", USERS_PASSWD)); RequestOptions options = optionsBuilder.build(); diff --git a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/PermissionPrecedenceTests.java b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/PermissionPrecedenceTests.java index 58816abe1b32..8524848dc5fb 100644 --- a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/PermissionPrecedenceTests.java +++ b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/PermissionPrecedenceTests.java @@ -13,6 +13,7 @@ import org.elasticsearch.client.Client; import org.elasticsearch.cluster.metadata.IndexTemplateMetadata; import org.elasticsearch.common.settings.SecureString; import org.elasticsearch.test.SecurityIntegTestCase; +import org.elasticsearch.test.SecuritySettingsSourceField; import org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken; import java.util.Collections; @@ -49,7 +50,8 @@ public class PermissionPrecedenceTests extends SecurityIntegTestCase { @Override protected String configUsers() { - final String usersPasswdHashed = new String(getFastStoredHashAlgoForTests().hash(new SecureString("test123".toCharArray()))); + final String usersPasswdHashed = + new String(getFastStoredHashAlgoForTests().hash(SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING)); return "admin:" + usersPasswdHashed + "\n" + "client:" + usersPasswdHashed + "\n" + "user:" + usersPasswdHashed + "\n"; @@ -69,7 +71,7 @@ public class PermissionPrecedenceTests extends SecurityIntegTestCase { @Override protected SecureString nodeClientPassword() { - return new SecureString("test123".toCharArray()); + return SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING; } @Override @@ -79,7 +81,7 @@ public class PermissionPrecedenceTests extends SecurityIntegTestCase { @Override protected SecureString transportClientPassword() { - return new SecureString("test123".toCharArray()); + return SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING; } public void testDifferentCombinationsOfIndices() throws Exception { @@ -108,7 +110,7 @@ public class PermissionPrecedenceTests extends SecurityIntegTestCase { .setPatterns(Collections.singletonList("test_*"))::get, PutIndexTemplateAction.NAME, "user"); Map headers = Collections.singletonMap(UsernamePasswordToken.BASIC_AUTH_HEADER, basicAuthHeaderValue("user", - new SecureString("test123"))); + SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING)); assertThrowsAuthorizationException(client.filterWithHeader(headers).admin().indices().prepareGetTemplates("template1")::get, GetIndexTemplatesAction.NAME, "user"); } diff --git a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/SecurityClearScrollTests.java b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/SecurityClearScrollTests.java index b1fed52b6e3e..dd1a836ea76e 100644 --- a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/SecurityClearScrollTests.java +++ b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/SecurityClearScrollTests.java @@ -12,10 +12,10 @@ import org.elasticsearch.action.search.ClearScrollResponse; import org.elasticsearch.action.search.MultiSearchRequestBuilder; import org.elasticsearch.action.search.MultiSearchResponse; import org.elasticsearch.action.search.SearchPhaseExecutionException; -import org.elasticsearch.common.settings.SecureString; import org.elasticsearch.common.xcontent.XContentType; -import org.elasticsearch.xpack.core.security.SecurityField; import org.elasticsearch.test.SecurityIntegTestCase; +import org.elasticsearch.test.SecuritySettingsSourceField; +import org.elasticsearch.xpack.core.security.SecurityField; import org.junit.After; import org.junit.Before; @@ -37,7 +37,8 @@ public class SecurityClearScrollTests extends SecurityIntegTestCase { @Override protected String configUsers() { - final String usersPasswdHashed = new String(getFastStoredHashAlgoForTests().hash(new SecureString("change_me".toCharArray()))); + final String usersPasswdHashed = + new String(getFastStoredHashAlgoForTests().hash(SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING)); return super.configUsers() + "allowed_user:" + usersPasswdHashed + "\n" + "denied_user:" + usersPasswdHashed + "\n"; @@ -88,8 +89,8 @@ public class SecurityClearScrollTests extends SecurityIntegTestCase { } public void testThatClearingAllScrollIdsWorks() throws Exception { - String user = "allowed_user:change_me"; - String basicAuth = basicAuthHeaderValue("allowed_user", new SecureString("change_me".toCharArray())); + String user = "allowed_user:"+SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING; + String basicAuth = basicAuthHeaderValue("allowed_user", SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING); Map headers = new HashMap<>(); headers.put(SecurityField.USER_SETTING.getKey(), user); headers.put(BASIC_AUTH_HEADER, basicAuth); @@ -102,8 +103,8 @@ public class SecurityClearScrollTests extends SecurityIntegTestCase { } public void testThatClearingAllScrollIdsRequirePermissions() throws Exception { - String user = "denied_user:change_me"; - String basicAuth = basicAuthHeaderValue("denied_user", new SecureString("change_me".toCharArray())); + String user = "denied_user:"+SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING; + String basicAuth = basicAuthHeaderValue("denied_user", SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING); Map headers = new HashMap<>(); headers.put(SecurityField.USER_SETTING.getKey(), user); headers.put(BASIC_AUTH_HEADER, basicAuth); diff --git a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/test/SecuritySingleNodeTestCase.java b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/test/SecuritySingleNodeTestCase.java index 662f9bb0d8a0..d60ba78b2824 100644 --- a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/test/SecuritySingleNodeTestCase.java +++ b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/test/SecuritySingleNodeTestCase.java @@ -24,6 +24,7 @@ import org.elasticsearch.http.HttpInfo; import org.elasticsearch.license.LicenseService; import org.elasticsearch.plugins.Plugin; import org.elasticsearch.plugins.PluginInfo; +import org.elasticsearch.xpack.core.security.authc.support.Hasher; import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.security.LocalStateSecurity; import org.junit.AfterClass; @@ -310,6 +311,11 @@ public abstract class SecuritySingleNodeTestCase extends ESSingleNodeTestCase { return createRestClient(client(), httpClientConfigCallback, protocol); } + protected static Hasher getFastStoredHashAlgoForTests() { + return inFipsJvm() ? Hasher.resolve(randomFrom("pbkdf2", "pbkdf2_1000", "pbkdf2_stretch_1000", "pbkdf2_stretch")) + : Hasher.resolve(randomFrom("pbkdf2", "pbkdf2_1000", "pbkdf2_stretch_1000", "pbkdf2_stretch", "bcrypt", "bcrypt9")); + } + private static synchronized RestClient getRestClient(Client client) { if (restClient == null) { restClient = createRestClient(client, null, "http"); diff --git a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authc/esnative/NativeRealmIntegTests.java b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authc/esnative/NativeRealmIntegTests.java index b8713f9bdd48..1530aed7820b 100644 --- a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authc/esnative/NativeRealmIntegTests.java +++ b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authc/esnative/NativeRealmIntegTests.java @@ -125,7 +125,7 @@ public class NativeRealmIntegTests extends NativeRealmIntegTestCase { public void testDeletingNonexistingUserAndRole() throws Exception { SecurityClient c = securityClient(); // first create the index so it exists - c.preparePutUser("joe", new SecureString("s3krit".toCharArray()), hasher, "role1", "user").get(); + c.preparePutUser("joe", new SecureString("s3krit-password".toCharArray()), hasher, "role1", "user").get(); DeleteUserResponse resp = c.prepareDeleteUser("missing").get(); assertFalse("user shouldn't be found", resp.found()); DeleteRoleResponse resp2 = c.prepareDeleteRole("role").get(); @@ -145,7 +145,7 @@ public class NativeRealmIntegTests extends NativeRealmIntegTestCase { final List existingUsers = Arrays.asList(c.prepareGetUsers().get().users()); final int existing = existingUsers.size(); logger.error("--> creating user"); - c.preparePutUser("joe", new SecureString("s3kirt".toCharArray()), hasher, "role1", "user").get(); + c.preparePutUser("joe", new SecureString("s3krit-password".toCharArray()), hasher, "role1", "user").get(); logger.error("--> waiting for .security index"); ensureGreen(SECURITY_MAIN_ALIAS); logger.info("--> retrieving user"); @@ -156,8 +156,8 @@ public class NativeRealmIntegTests extends NativeRealmIntegTestCase { assertArrayEquals(joe.roles(), new String[]{"role1", "user"}); logger.info("--> adding two more users"); - c.preparePutUser("joe2", new SecureString("s3kirt2".toCharArray()), hasher, "role2", "user").get(); - c.preparePutUser("joe3", new SecureString("s3kirt3".toCharArray()), hasher, "role3", "user").get(); + c.preparePutUser("joe2", new SecureString("s3krit-password2".toCharArray()), hasher, "role2", "user").get(); + c.preparePutUser("joe3", new SecureString("s3krit-password3".toCharArray()), hasher, "role3", "user").get(); GetUsersResponse allUsersResp = c.prepareGetUsers().get(); assertTrue("users should exist", allUsersResp.hasUsers()); assertEquals("should be " + (3 + existing) + " users total", 3 + existing, allUsersResp.users().length); @@ -251,7 +251,7 @@ public class NativeRealmIntegTests extends NativeRealmIntegTestCase { new BytesArray("{\"match_all\": {}}"), randomBoolean()) .get(); logger.error("--> creating user"); - c.preparePutUser("joe", new SecureString("s3krit".toCharArray()), hasher, "test_role").get(); + c.preparePutUser("joe", new SecureString("s3krit-password".toCharArray()), hasher, "test_role").get(); logger.error("--> waiting for .security index"); ensureGreen(SECURITY_MAIN_ALIAS); logger.info("--> retrieving user"); @@ -263,7 +263,7 @@ public class NativeRealmIntegTests extends NativeRealmIntegTestCase { // Index a document with the default test user client().prepareIndex("idx", "doc", "1").setSource("body", "foo").setRefreshPolicy(IMMEDIATE).get(); - String token = basicAuthHeaderValue("joe", new SecureString("s3krit")); + String token = basicAuthHeaderValue("joe", new SecureString("s3krit-password")); SearchResponse searchResp = client().filterWithHeader(Collections.singletonMap("Authorization", token)).prepareSearch("idx").get(); assertEquals(1L, searchResp.getHits().getTotalHits().value); @@ -272,7 +272,7 @@ public class NativeRealmIntegTests extends NativeRealmIntegTestCase { public void testUpdatingUserAndAuthentication() throws Exception { SecurityClient c = securityClient(); logger.error("--> creating user"); - c.preparePutUser("joe", new SecureString("s3krit".toCharArray()), hasher, SecuritySettingsSource.TEST_ROLE).get(); + c.preparePutUser("joe", new SecureString("s3krit-password".toCharArray()), hasher, SecuritySettingsSource.TEST_ROLE).get(); logger.error("--> waiting for .security index"); ensureGreen(SECURITY_MAIN_ALIAS); logger.info("--> retrieving user"); @@ -284,12 +284,12 @@ public class NativeRealmIntegTests extends NativeRealmIntegTestCase { ensureGreen("idx"); // Index a document with the default test user client().prepareIndex("idx", "doc", "1").setSource("body", "foo").setRefreshPolicy(IMMEDIATE).get(); - String token = basicAuthHeaderValue("joe", new SecureString("s3krit")); + String token = basicAuthHeaderValue("joe", new SecureString("s3krit-password")); SearchResponse searchResp = client().filterWithHeader(Collections.singletonMap("Authorization", token)).prepareSearch("idx").get(); assertEquals(1L, searchResp.getHits().getTotalHits().value); - c.preparePutUser("joe", new SecureString("s3krit2".toCharArray()), hasher, SecuritySettingsSource.TEST_ROLE).get(); + c.preparePutUser("joe", new SecureString("s3krit-password2".toCharArray()), hasher, SecuritySettingsSource.TEST_ROLE).get(); try { client().filterWithHeader(Collections.singletonMap("Authorization", token)).prepareSearch("idx").get(); @@ -299,7 +299,7 @@ public class NativeRealmIntegTests extends NativeRealmIntegTestCase { assertThat(e.status(), is(RestStatus.UNAUTHORIZED)); } - token = basicAuthHeaderValue("joe", new SecureString("s3krit2")); + token = basicAuthHeaderValue("joe", new SecureString("s3krit-password2")); searchResp = client().filterWithHeader(Collections.singletonMap("Authorization", token)).prepareSearch("idx").get(); assertEquals(1L, searchResp.getHits().getTotalHits().value); } @@ -307,7 +307,7 @@ public class NativeRealmIntegTests extends NativeRealmIntegTestCase { public void testCreateDeleteAuthenticate() { SecurityClient c = securityClient(); logger.error("--> creating user"); - c.preparePutUser("joe", new SecureString("s3krit".toCharArray()), hasher, + c.preparePutUser("joe", new SecureString("s3krit-password".toCharArray()), hasher, SecuritySettingsSource.TEST_ROLE).get(); logger.error("--> waiting for .security index"); ensureGreen(SECURITY_MAIN_ALIAS); @@ -320,7 +320,7 @@ public class NativeRealmIntegTests extends NativeRealmIntegTestCase { ensureGreen("idx"); // Index a document with the default test user client().prepareIndex("idx", "doc", "1").setSource("body", "foo").setRefreshPolicy(IMMEDIATE).get(); - String token = basicAuthHeaderValue("joe", new SecureString("s3krit")); + String token = basicAuthHeaderValue("joe", new SecureString("s3krit-password")); SearchResponse searchResp = client().filterWithHeader(Collections.singletonMap("Authorization", token)).prepareSearch("idx").get(); assertEquals(1L, searchResp.getHits().getTotalHits().value); @@ -346,12 +346,12 @@ public class NativeRealmIntegTests extends NativeRealmIntegTestCase { new BytesArray("{\"match_all\": {}}"), randomBoolean()) .get(); logger.error("--> creating user"); - c.preparePutUser("joe", new SecureString("s3krit".toCharArray()), hasher, "test_role").get(); + c.preparePutUser("joe", new SecureString("s3krit-password".toCharArray()), hasher, "test_role").get(); logger.error("--> waiting for .security index"); ensureGreen(SECURITY_MAIN_ALIAS); if (authenticate) { - final String token = basicAuthHeaderValue("joe", new SecureString("s3krit")); + final String token = basicAuthHeaderValue("joe", new SecureString("s3krit-password")); ClusterHealthResponse response = client().filterWithHeader(Collections.singletonMap("Authorization", token)).admin().cluster() .prepareHealth().get(); assertFalse(response.isTimedOut()); @@ -396,7 +396,8 @@ public class NativeRealmIntegTests extends NativeRealmIntegTestCase { .addIndices(new String[]{"*"}, new String[]{"create_index"}, null, null, null, true) .get(); logger.error("--> creating user"); - securityClient().preparePutUser("joe", new SecureString("s3krit".toCharArray()), hasher, "test_role", "snapshot_user").get(); + securityClient() + .preparePutUser("joe", new SecureString("s3krit-password".toCharArray()), hasher, "test_role", "snapshot_user").get(); logger.error("--> waiting for .security index"); ensureGreen(SECURITY_MAIN_ALIAS); logger.info("--> creating repository"); @@ -406,7 +407,7 @@ public class NativeRealmIntegTests extends NativeRealmIntegTestCase { .put("location", randomRepoPath()) .put("compress", randomBoolean()) .put("chunk_size", randomIntBetween(100, 1000), ByteSizeUnit.BYTES))); - final String token = basicAuthHeaderValue("joe", new SecureString("s3krit")); + final String token = basicAuthHeaderValue("joe", new SecureString("s3krit-password")); // joe can snapshot all indices, including '.security' SnapshotInfo snapshotInfo = client().filterWithHeader(Collections.singletonMap("Authorization", token)).admin().cluster() .prepareCreateSnapshot("test-repo", "test-snap-1") @@ -460,11 +461,11 @@ public class NativeRealmIntegTests extends NativeRealmIntegTestCase { .addIndices(new String[]{"*"}, new String[]{"read"}, new String[]{"body", "title"}, null, new BytesArray("{\"match_all\": {}}"), randomBoolean()) .get(); - c.preparePutUser("joe", new SecureString("s3krit".toCharArray()), hasher, "test_role").get(); + c.preparePutUser("joe", new SecureString("s3krit-password".toCharArray()), hasher, "test_role").get(); logger.error("--> waiting for .security index"); ensureGreen(SECURITY_MAIN_ALIAS); - final String token = basicAuthHeaderValue("joe", new SecureString("s3krit")); + final String token = basicAuthHeaderValue("joe", new SecureString("s3krit-password")); ClusterHealthResponse response = client().filterWithHeader(Collections.singletonMap("Authorization", token)).admin().cluster() .prepareHealth().get(); assertFalse(response.isTimedOut()); @@ -581,7 +582,7 @@ public class NativeRealmIntegTests extends NativeRealmIntegTestCase { SecurityClient client = securityClient(); if (randomBoolean()) { - client.preparePutUser("joe", new SecureString("s3krit".toCharArray()), hasher, + client.preparePutUser("joe", new SecureString("s3krit-password".toCharArray()), hasher, SecuritySettingsSource.TEST_ROLE).get(); } else { client.preparePutRole("read_role") @@ -613,7 +614,7 @@ public class NativeRealmIntegTests extends NativeRealmIntegTestCase { () -> securityClient().prepareDeleteUser(AnonymousUser.DEFAULT_ANONYMOUS_USERNAME).get()); assertThat(exception.getMessage(), containsString("user [" + AnonymousUser.DEFAULT_ANONYMOUS_USERNAME + "] is anonymous")); - final char[] foobar = "foobar".toCharArray(); + final char[] foobar = "foobar-password".toCharArray(); exception = expectThrows(IllegalArgumentException.class, () -> securityClient().prepareChangePassword(AnonymousUser.DEFAULT_ANONYMOUS_USERNAME, foobar, hasher).get()); assertThat(exception.getMessage(), containsString("user [" + AnonymousUser.DEFAULT_ANONYMOUS_USERNAME + "] is anonymous")); @@ -668,9 +669,9 @@ public class NativeRealmIntegTests extends NativeRealmIntegTestCase { } public void testCreateAndChangePassword() throws Exception { - securityClient().preparePutUser("joe", new SecureString("s3krit".toCharArray()), hasher, + securityClient().preparePutUser("joe", new SecureString("s3krit-password".toCharArray()), hasher, SecuritySettingsSource.TEST_ROLE).get(); - final String token = basicAuthHeaderValue("joe", new SecureString("s3krit")); + final String token = basicAuthHeaderValue("joe", new SecureString("s3krit-password")); ClusterHealthResponse response = client().filterWithHeader(Collections.singletonMap("Authorization", token)) .admin().cluster().prepareHealth().get(); assertThat(response.isTimedOut(), is(false)); @@ -758,7 +759,7 @@ public class NativeRealmIntegTests extends NativeRealmIntegTestCase { final int numNativeUsers = scaledRandomIntBetween(1, 32); SecurityClient securityClient = new SecurityClient(client()); for (int i = 0; i < numNativeUsers; i++) { - securityClient.preparePutUser("joe" + i, new SecureString("s3krit".toCharArray()), hasher, "superuser").get(); + securityClient.preparePutUser("joe" + i, new SecureString("s3krit-password".toCharArray()), hasher, "superuser").get(); } XPackUsageResponse response = new XPackUsageRequestBuilder(client()).get(); @@ -777,9 +778,9 @@ public class NativeRealmIntegTests extends NativeRealmIntegTestCase { } public void testSetEnabled() throws Exception { - securityClient().preparePutUser("joe", new SecureString("s3krit".toCharArray()), hasher, + securityClient().preparePutUser("joe", new SecureString("s3krit-password".toCharArray()), hasher, SecuritySettingsSource.TEST_ROLE).get(); - final String token = basicAuthHeaderValue("joe", new SecureString("s3krit")); + final String token = basicAuthHeaderValue("joe", new SecureString("s3krit-password")); ClusterHealthResponse response = client().filterWithHeader(Collections.singletonMap("Authorization", token)) .admin().cluster().prepareHealth().get(); assertThat(response.isTimedOut(), is(false)); @@ -802,20 +803,20 @@ public class NativeRealmIntegTests extends NativeRealmIntegTestCase { public void testNegativeLookupsThenCreateRole() throws Exception { SecurityClient securityClient = new SecurityClient(client()); - securityClient.preparePutUser("joe", new SecureString("s3krit".toCharArray()), hasher, "unknown_role").get(); + securityClient.preparePutUser("joe", new SecureString("s3krit-password".toCharArray()), hasher, "unknown_role").get(); final int negativeLookups = scaledRandomIntBetween(1, 10); for (int i = 0; i < negativeLookups; i++) { if (anonymousEnabled && roleExists) { ClusterHealthResponse response = client() .filterWithHeader(Collections.singletonMap("Authorization", - basicAuthHeaderValue("joe", new SecureString("s3krit")))) + basicAuthHeaderValue("joe", new SecureString("s3krit-password")))) .admin().cluster().prepareHealth().get(); assertNoTimeout(response); } else { ElasticsearchSecurityException e = expectThrows(ElasticsearchSecurityException.class, () -> client() .filterWithHeader(Collections.singletonMap("Authorization", - basicAuthHeaderValue("joe", new SecureString("s3krit")))) + basicAuthHeaderValue("joe", new SecureString("s3krit-password")))) .admin().cluster().prepareHealth().get()); assertThat(e.status(), is(RestStatus.FORBIDDEN)); } @@ -824,7 +825,7 @@ public class NativeRealmIntegTests extends NativeRealmIntegTestCase { securityClient.preparePutRole("unknown_role").cluster("all").get(); ClusterHealthResponse response = client() .filterWithHeader(Collections.singletonMap("Authorization", - basicAuthHeaderValue("joe", new SecureString("s3krit")))) + basicAuthHeaderValue("joe", new SecureString("s3krit-password")))) .admin().cluster().prepareHealth().get(); assertNoTimeout(response); } @@ -838,9 +839,10 @@ public class NativeRealmIntegTests extends NativeRealmIntegTestCase { * the loader returned a null value, while the other caller(s) would get a null value unexpectedly */ public void testConcurrentRunAs() throws Exception { - securityClient().preparePutUser("joe", new SecureString("s3krit".toCharArray()), hasher, SecuritySettingsSource.TEST_ROLE).get(); - securityClient().preparePutUser("executor", new SecureString("s3krit".toCharArray()), hasher, "superuser").get(); - final String token = basicAuthHeaderValue("executor", new SecureString("s3krit")); + securityClient() + .preparePutUser("joe", new SecureString("s3krit-password".toCharArray()), hasher, SecuritySettingsSource.TEST_ROLE).get(); + securityClient().preparePutUser("executor", new SecureString("s3krit-password".toCharArray()), hasher, "superuser").get(); + final String token = basicAuthHeaderValue("executor", new SecureString("s3krit-password")); final Client client = client().filterWithHeader(MapBuilder.newMapBuilder() .put("Authorization", token) .put("es-security-runas-user", "joe") diff --git a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authc/pki/PkiAuthDelegationIntegTests.java b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authc/pki/PkiAuthDelegationIntegTests.java index 6ab5371030ca..8bd60db5688e 100644 --- a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authc/pki/PkiAuthDelegationIntegTests.java +++ b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authc/pki/PkiAuthDelegationIntegTests.java @@ -76,8 +76,8 @@ public class PkiAuthDelegationIntegTests extends SecurityIntegTestCase { @Override protected String configUsers() { - final String usersPasswdHashed = new String(Hasher.resolve( - randomFrom("pbkdf2", "pbkdf2_1000", "bcrypt", "bcrypt9")).hash(SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING)); + final Hasher passwdHasher = getFastStoredHashAlgoForTests(); + final String usersPasswdHashed = new String(passwdHasher.hash(SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING)); return super.configUsers() + "user_manage:" + usersPasswdHashed + "\n" + "user_manage_security:" + usersPasswdHashed + "\n" + diff --git a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authz/AnalyzeTests.java b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authz/AnalyzeTests.java index 3c3574704ac9..61d9560783da 100644 --- a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authz/AnalyzeTests.java +++ b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authz/AnalyzeTests.java @@ -8,6 +8,7 @@ package org.elasticsearch.xpack.security.authz; import org.elasticsearch.action.admin.indices.analyze.AnalyzeAction; import org.elasticsearch.common.settings.SecureString; import org.elasticsearch.test.SecurityIntegTestCase; +import org.elasticsearch.test.SecuritySettingsSourceField; import java.util.Collections; @@ -19,8 +20,8 @@ public class AnalyzeTests extends SecurityIntegTestCase { @Override protected String configUsers() { - final String usersPasswdHashed = new String(getFastStoredHashAlgoForTests().hash(new SecureString - ("test123".toCharArray()))); + final String usersPasswdHashed = + new String(getFastStoredHashAlgoForTests().hash(SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING)); return super.configUsers() + "analyze_indices:" + usersPasswdHashed + "\n" + "analyze_cluster:" + usersPasswdHashed + "\n"; @@ -54,7 +55,7 @@ public class AnalyzeTests extends SecurityIntegTestCase { ensureGreen(); //ok: user has permissions for analyze on test_* - SecureString passwd = new SecureString("test123".toCharArray()); + SecureString passwd = SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING; client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("analyze_indices", passwd))) .admin().indices().prepareAnalyze("this is my text").setIndex("test_1").setAnalyzer("standard").get(); @@ -74,7 +75,7 @@ public class AnalyzeTests extends SecurityIntegTestCase { public void testAnalyzeWithoutIndices() { //this test tries to execute different analyze api variants from a user that has analyze privileges only at cluster level - SecureString passwd = new SecureString("test123".toCharArray()); + SecureString passwd = SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING; //fails: user doesn't have permissions for analyze on index test_1 assertThrowsAuthorizationException(client().filterWithHeader( Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("analyze_cluster", passwd))) diff --git a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authz/IndexAliasesTests.java b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authz/IndexAliasesTests.java index 58a9b72a3304..c7a7165ae264 100644 --- a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authz/IndexAliasesTests.java +++ b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authz/IndexAliasesTests.java @@ -14,11 +14,11 @@ import org.elasticsearch.action.admin.indices.alias.get.GetAliasesResponse; import org.elasticsearch.action.admin.indices.create.CreateIndexAction; import org.elasticsearch.action.support.IndicesOptions; import org.elasticsearch.client.Client; -import org.elasticsearch.common.settings.SecureString; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.index.IndexNotFoundException; import org.elasticsearch.rest.action.admin.indices.AliasesNotFoundException; import org.elasticsearch.test.SecurityIntegTestCase; +import org.elasticsearch.test.SecuritySettingsSourceField; import org.hamcrest.Matchers; import org.junit.Before; @@ -38,8 +38,8 @@ public class IndexAliasesTests extends SecurityIntegTestCase { @Override protected String configUsers() { - final String usersPasswdHashed = new String(getFastStoredHashAlgoForTests().hash(new SecureString - ("test123".toCharArray()))); + final String usersPasswdHashed = + new String(getFastStoredHashAlgoForTests().hash(SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING)); return super.configUsers() + "create_only:" + usersPasswdHashed + "\n" + "all_on_test:" + usersPasswdHashed + "\n" + @@ -108,7 +108,7 @@ public class IndexAliasesTests extends SecurityIntegTestCase { public void testCreateIndexThenAliasesCreateOnlyPermission() { //user has create permission only: allows to create indices, manage_aliases is required to add/remove aliases Map headers = Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("create_only", - new SecureString("test123".toCharArray()))); + SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING)); final Client client = client().filterWithHeader(headers); assertAcked(client.admin().indices().prepareCreate("test_1").get()); @@ -124,7 +124,7 @@ public class IndexAliasesTests extends SecurityIntegTestCase { //user has create permission only: allows to create indices, manage_aliases is required to add aliases although they are part of // the same create index request Map headers = Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("create_only", - new SecureString("test123".toCharArray()))); + SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING)); assertThrowsAuthorizationException( client(headers).admin().indices().prepareCreate("test_1").addAlias(new Alias("test_2"))::get, @@ -134,7 +134,7 @@ public class IndexAliasesTests extends SecurityIntegTestCase { public void testDeleteAliasesCreateOnlyPermission() { //user has create permission only: allows to create indices, manage_aliases is required to add/remove aliases Map headers = Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("create_only", - new SecureString("test123".toCharArray()))); + SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING)); final Client client = client().filterWithHeader(headers); assertThrowsAuthorizationException( @@ -151,7 +151,7 @@ public class IndexAliasesTests extends SecurityIntegTestCase { public void testGetAliasesCreateOnlyPermissionStrict() { //user has create permission only: allows to create indices, manage_aliases is required to retrieve aliases though Map headers = Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("create_only", - new SecureString("test123".toCharArray()))); + SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING)); final Client client = client().filterWithHeader(headers); assertThrowsAuthorizationException(client.admin().indices().prepareGetAliases("test_1") @@ -177,7 +177,7 @@ public class IndexAliasesTests extends SecurityIntegTestCase { public void testGetAliasesCreateOnlyPermissionIgnoreUnavailable() { //user has create permission only: allows to create indices, manage_aliases is required to retrieve aliases though Map headers = Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("create_only", - new SecureString("test123".toCharArray()))); + SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING)); final Client client = client().filterWithHeader(headers); assertThrowsAuthorizationException(client.admin().indices().prepareGetAliases("test_1") @@ -209,7 +209,7 @@ public class IndexAliasesTests extends SecurityIntegTestCase { //user has create and manage_aliases permission on test_*. manage_aliases is required to add/remove aliases on both aliases and // indices Map headers = Collections.singletonMap(BASIC_AUTH_HEADER, - basicAuthHeaderValue("create_test_aliases_test", new SecureString("test123".toCharArray()))); + basicAuthHeaderValue("create_test_aliases_test", SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING)); final Client client = client().filterWithHeader(headers); assertAcked(client.admin().indices().prepareCreate("test_1").get()); @@ -231,7 +231,7 @@ public class IndexAliasesTests extends SecurityIntegTestCase { // indices //ok: user has manage_aliases on test_* Map headers = Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("create_test_aliases_test", - new SecureString("test123".toCharArray()))); + SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING)); final Client client = client(headers); assertAcked(client.admin().indices().prepareCreate("test_1").addAlias(new Alias("test_alias")).get()); @@ -247,7 +247,7 @@ public class IndexAliasesTests extends SecurityIntegTestCase { // indices //ok: user has manage_aliases on test_* Map headers = Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("create_test_aliases_test", - new SecureString("test123".toCharArray()))); + SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING)); final Client client = client(headers); assertAcked(client.admin().indices().prepareCreate("test_1").addAlias(new Alias("test_alias_1")) @@ -297,7 +297,7 @@ public class IndexAliasesTests extends SecurityIntegTestCase { //user has create and manage_aliases permission on test_*. manage_aliases is required to retrieve aliases on both aliases and // indices Map headers = Collections.singletonMap(BASIC_AUTH_HEADER, - basicAuthHeaderValue("create_test_aliases_test", new SecureString("test123".toCharArray()))); + basicAuthHeaderValue("create_test_aliases_test", SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING)); final Client client = client(headers); assertAcked(client.admin().indices().prepareCreate("test_1").addAlias(new Alias("test_alias")).get()); @@ -348,7 +348,7 @@ public class IndexAliasesTests extends SecurityIntegTestCase { public void testCreateIndexThenAliasesCreateAndAliasesPermission2() { Map headers = Collections.singletonMap(BASIC_AUTH_HEADER, - basicAuthHeaderValue("create_test_aliases_alias", new SecureString("test123".toCharArray()))); + basicAuthHeaderValue("create_test_aliases_alias", SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING)); final Client client = client(headers); //user has create permission on test_* and manage_aliases permission on alias_*. manage_aliases is required to add/remove aliases @@ -371,8 +371,7 @@ public class IndexAliasesTests extends SecurityIntegTestCase { public void testCreateIndexAndAliasesCreateAndAliasesPermission2() { Map headers = Collections.singletonMap(BASIC_AUTH_HEADER, - basicAuthHeaderValue("create_test_aliases_alias", new - SecureString("test123".toCharArray()))); + basicAuthHeaderValue("create_test_aliases_alias", SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING)); final Client client = client(headers); //user has create permission on test_* and manage_aliases permission on alias_*. manage_aliases is required to add/remove aliases @@ -385,7 +384,7 @@ public class IndexAliasesTests extends SecurityIntegTestCase { public void testDeleteAliasesCreateAndAliasesPermission2() { Map headers = Collections.singletonMap(BASIC_AUTH_HEADER, - basicAuthHeaderValue("create_test_aliases_alias", new SecureString("test123".toCharArray()))); + basicAuthHeaderValue("create_test_aliases_alias", SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING)); final Client client = client(headers); //user has create permission on test_* and manage_aliases permission on alias_*. manage_aliases is required to add/remove aliases @@ -401,7 +400,7 @@ public class IndexAliasesTests extends SecurityIntegTestCase { public void testGetAliasesCreateAndAliasesPermission2() { Map headers = Collections.singletonMap(BASIC_AUTH_HEADER, - basicAuthHeaderValue("create_test_aliases_alias", new SecureString("test123".toCharArray()))); + basicAuthHeaderValue("create_test_aliases_alias", SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING)); final Client client = client(headers); //user has create permission on test_* and manage_aliases permission on alias_*. manage_aliases is required to retrieve aliases @@ -446,7 +445,7 @@ public class IndexAliasesTests extends SecurityIntegTestCase { public void testCreateIndexThenAliasesCreateAndAliasesPermission3() { Map headers = Collections.singletonMap(BASIC_AUTH_HEADER, - basicAuthHeaderValue("create_test_aliases_test_alias", new SecureString("test123".toCharArray()))); + basicAuthHeaderValue("create_test_aliases_test_alias", SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING)); final Client client = client(headers); //user has create permission on test_* and manage_aliases permission on test_*,alias_*. All good. @@ -461,7 +460,7 @@ public class IndexAliasesTests extends SecurityIntegTestCase { public void testCreateIndexAndAliasesCreateAndAliasesPermission3() { Map headers = Collections.singletonMap(BASIC_AUTH_HEADER, - basicAuthHeaderValue("create_test_aliases_test_alias", new SecureString("test123".toCharArray()))); + basicAuthHeaderValue("create_test_aliases_test_alias", SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING)); final Client client = client(headers); //user has create permission on test_* and manage_aliases permission on test_*,alias_*. All good. @@ -472,7 +471,7 @@ public class IndexAliasesTests extends SecurityIntegTestCase { public void testDeleteAliasesCreateAndAliasesPermission3() { Map headers = Collections.singletonMap(BASIC_AUTH_HEADER, - basicAuthHeaderValue("create_test_aliases_test_alias", new SecureString("test123".toCharArray()))); + basicAuthHeaderValue("create_test_aliases_test_alias", SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING)); final Client client = client(headers); //user has create permission on test_* and manage_aliases permission on test_*,alias_*. All good. @@ -495,7 +494,7 @@ public class IndexAliasesTests extends SecurityIntegTestCase { public void testGetAliasesCreateAndAliasesPermission3() { Map headers = Collections.singletonMap(BASIC_AUTH_HEADER, - basicAuthHeaderValue("create_test_aliases_test_alias", new SecureString("test123".toCharArray()))); + basicAuthHeaderValue("create_test_aliases_test_alias", SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING)); final Client client = client(headers); //user has create permission on test_* and manage_aliases permission on test_*,alias_*. All good. @@ -530,13 +529,13 @@ public class IndexAliasesTests extends SecurityIntegTestCase { public void testCreateIndexAliasesOnlyPermission() { assertThrowsAuthorizationException(client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, - basicAuthHeaderValue("aliases_only", new SecureString("test123".toCharArray())))) + basicAuthHeaderValue("aliases_only", SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING))) .admin().indices().prepareCreate("test_1")::get, CreateIndexAction.NAME, "aliases_only"); } public void testGetAliasesAliasesOnlyPermissionStrict() { Map headers = Collections.singletonMap(BASIC_AUTH_HEADER, - basicAuthHeaderValue("aliases_only", new SecureString("test123".toCharArray()))); + basicAuthHeaderValue("aliases_only", SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING)); final Client client = client(headers); //user has manage_aliases only permissions on both alias_* and test_* @@ -556,7 +555,7 @@ public class IndexAliasesTests extends SecurityIntegTestCase { public void testGetAliasesAliasesOnlyPermissionIgnoreUnavailable() { Map headers = Collections.singletonMap(BASIC_AUTH_HEADER, - basicAuthHeaderValue("aliases_only", new SecureString("test123".toCharArray()))); + basicAuthHeaderValue("aliases_only", SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING)); final Client client = client(headers); //user has manage_aliases only permissions on both alias_* and test_* @@ -579,7 +578,7 @@ public class IndexAliasesTests extends SecurityIntegTestCase { public void testRemoveIndex() { final Map headers = Collections.singletonMap( BASIC_AUTH_HEADER, - basicAuthHeaderValue("all_on_test", new SecureString("test123".toCharArray()))); + basicAuthHeaderValue("all_on_test", SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING)); final Client client = client(headers); assertAcked(client.admin().indices().prepareCreate("test_delete_1").get()); @@ -601,11 +600,11 @@ public class IndexAliasesTests extends SecurityIntegTestCase { final String hiddenAlias = "alias_hidden"; final Map createHeaders = Collections.singletonMap( - BASIC_AUTH_HEADER, basicAuthHeaderValue("all_on_test", new SecureString("test123".toCharArray()))); + BASIC_AUTH_HEADER, basicAuthHeaderValue("all_on_test", SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING)); final Client createClient = client(createHeaders); final Map aliasHeaders = Collections.singletonMap( - BASIC_AUTH_HEADER, basicAuthHeaderValue("aliases_only", new SecureString("test123".toCharArray()))); + BASIC_AUTH_HEADER, basicAuthHeaderValue("aliases_only", SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING)); final Client aliasesClient = client(aliasHeaders); assertAcked(createClient.admin().indices().prepareCreate(hiddenIndex) diff --git a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authz/store/NativePrivilegeStoreCacheTests.java b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authz/store/NativePrivilegeStoreCacheTests.java index 5933c560504c..40cb519752e2 100644 --- a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authz/store/NativePrivilegeStoreCacheTests.java +++ b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authz/store/NativePrivilegeStoreCacheTests.java @@ -266,18 +266,17 @@ public class NativePrivilegeStoreCacheTests extends SecuritySingleNodeTestCase { .addIndices(new String[] { "*" }, new String[] { "read" }, null, null, null, false) .get(); assertTrue(putRoleResponse.isCreated()); - + final Hasher hasher = getFastStoredHashAlgoForTests(); final PutUserResponse putUserResponse = new PutUserRequestBuilder(client) .username(testRoleCacheUser) .roles(testRole) - .password(new SecureString("password".toCharArray()), - Hasher.resolve(randomFrom("pbkdf2", "pbkdf2_1000", "bcrypt9", "bcrypt8", "bcrypt"))) + .password(new SecureString("longerpassword".toCharArray()), hasher) .get(); assertTrue(putUserResponse.created()); // The created user can access cluster health because its role grants access final Client testRoleCacheUserClient = client.filterWithHeader(singletonMap("Authorization", - "Basic " + Base64.getEncoder().encodeToString((testRoleCacheUser + ":password").getBytes(StandardCharsets.UTF_8)))); + "Basic " + Base64.getEncoder().encodeToString((testRoleCacheUser + ":longerpassword").getBytes(StandardCharsets.UTF_8)))); new ClusterHealthRequestBuilder(testRoleCacheUserClient, ClusterHealthAction.INSTANCE).get(); // Directly deleted the role document diff --git a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/support/SecurityIndexManagerIntegTests.java b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/support/SecurityIndexManagerIntegTests.java index 10a796f489cc..48ee5daf7f91 100644 --- a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/support/SecurityIndexManagerIntegTests.java +++ b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/support/SecurityIndexManagerIntegTests.java @@ -46,7 +46,7 @@ public class SecurityIndexManagerIntegTests extends SecurityIntegTestCase { @Override protected void doRun() throws Exception { final List requests = new ArrayList<>(numRequests); - final SecureString password = new SecureString("password".toCharArray()); + final SecureString password = new SecureString("test-user-password".toCharArray()); for (int i = 0; i < numRequests; i++) { requests.add(securityClient() .preparePutUser("user" + userNumber.getAndIncrement(), password, diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecurityIntegTestCase.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecurityIntegTestCase.java index fc443cf9f04c..901716bc6a45 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecurityIntegTestCase.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecurityIntegTestCase.java @@ -538,8 +538,9 @@ public abstract class SecurityIntegTestCase extends ESIntegTestCase { return customSecuritySettingsSource.isSslEnabled(); } - protected static Hasher getFastStoredHashAlgoForTests() { - return Hasher.resolve(randomFrom("pbkdf2", "pbkdf2_1000", "bcrypt", "bcrypt9")); + public static Hasher getFastStoredHashAlgoForTests() { + return inFipsJvm() ? Hasher.resolve(randomFrom("pbkdf2", "pbkdf2_1000", "pbkdf2_stretch_1000", "pbkdf2_stretch")) + : Hasher.resolve(randomFrom("pbkdf2", "pbkdf2_1000", "pbkdf2_stretch_1000", "pbkdf2_stretch", "bcrypt", "bcrypt9")); } protected class TestRestHighLevelClient extends RestHighLevelClient { diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySettingsSource.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySettingsSource.java index 389c0abd9681..b0be29b729d2 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySettingsSource.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySettingsSource.java @@ -46,7 +46,8 @@ import java.util.function.Consumer; import static com.carrotsearch.randomizedtesting.RandomizedTest.randomBoolean; import static org.apache.lucene.util.LuceneTestCase.createTempFile; import static org.elasticsearch.test.ESTestCase.inFipsJvm; -import static org.elasticsearch.test.ESTestCase.randomFrom; +import static org.elasticsearch.test.SecurityIntegTestCase.getFastStoredHashAlgoForTests; +import static org.elasticsearch.test.SecuritySettingsSourceField.TEST_PASSWORD; import static org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue; import static org.elasticsearch.xpack.security.test.SecurityTestUtils.writeFile; @@ -58,9 +59,9 @@ import static org.elasticsearch.xpack.security.test.SecurityTestUtils.writeFile; public class SecuritySettingsSource extends NodeConfigurationSource { public static final String TEST_USER_NAME = "test_user"; + public static final Hasher HASHER = getFastStoredHashAlgoForTests(); public static final String TEST_PASSWORD_HASHED = - new String(Hasher.resolve(randomFrom("pbkdf2", "pbkdf2_1000", "bcrypt9", "bcrypt8", "bcrypt")). - hash(new SecureString(SecuritySettingsSourceField.TEST_PASSWORD.toCharArray()))); + new String(HASHER.hash(new SecureString(TEST_PASSWORD.toCharArray()))); public static final RequestOptions SECURITY_REQUEST_OPTIONS = RequestOptions.DEFAULT.toBuilder() .addHeader("Authorization", "Basic " + Base64.getEncoder().encodeToString( diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/user/PutUserRequestBuilderTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/user/PutUserRequestBuilderTests.java index f6b25565b4c3..b9c0e9ed3371 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/user/PutUserRequestBuilderTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/user/PutUserRequestBuilderTests.java @@ -23,6 +23,7 @@ import java.nio.charset.StandardCharsets; import java.util.Collections; import java.util.LinkedHashMap; +import static org.elasticsearch.test.SecurityIntegTestCase.getFastStoredHashAlgoForTests; import static org.hamcrest.Matchers.arrayContaining; import static org.hamcrest.Matchers.containsString; import static org.hamcrest.Matchers.equalTo; @@ -144,8 +145,8 @@ public class PutUserRequestBuilderTests extends ESTestCase { } public void testWithValidPasswordHash() throws IOException { - final Hasher hasher = Hasher.BCRYPT4; // this is the fastest hasher we officially support - final char[] hash = hasher.hash(new SecureString("secret".toCharArray())); + final Hasher hasher = getFastStoredHashAlgoForTests(); + final char[] hash = hasher.hash(new SecureString("secretpassword".toCharArray())); final String json = "{\n" + " \"password_hash\": \"" + new String(hash) + "\"," + " \"roles\": []\n" + @@ -158,10 +159,13 @@ public class PutUserRequestBuilderTests extends ESTestCase { assertThat(request.username(), equalTo("hash_user")); } - public void testWithMismatchedPasswordHash() throws IOException { - final Hasher systemHasher = Hasher.BCRYPT8; - final Hasher userHasher = Hasher.BCRYPT4; // this is the fastest hasher we officially support - final char[] hash = userHasher.hash(new SecureString("secret".toCharArray())); + public void testWithMismatchedPasswordHashingAlgorithm() throws IOException { + final Hasher systemHasher = getFastStoredHashAlgoForTests(); + Hasher userHasher = getFastStoredHashAlgoForTests(); + while (userHasher.name().equals(systemHasher.name())){ + userHasher = getFastStoredHashAlgoForTests(); + } + final char[] hash = userHasher.hash(new SecureString("secretpassword".toCharArray())); final String json = "{\n" + " \"password_hash\": \"" + new String(hash) + "\"," + " \"roles\": []\n" + @@ -191,8 +195,8 @@ public class PutUserRequestBuilderTests extends ESTestCase { } public void testWithBothPasswordAndHash() throws IOException { - final Hasher hasher = randomFrom(Hasher.BCRYPT4, Hasher.PBKDF2_1000); - final String password = randomAlphaOfLength(12); + final Hasher hasher = getFastStoredHashAlgoForTests(); + final String password = randomAlphaOfLength(14); final char[] hash = hasher.hash(new SecureString(password.toCharArray())); final LinkedHashMap fields = new LinkedHashMap<>(); fields.put("password", password); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/user/TransportChangePasswordActionTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/user/TransportChangePasswordActionTests.java index ed11c83bf7a6..fe91e730c80b 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/user/TransportChangePasswordActionTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/user/TransportChangePasswordActionTests.java @@ -31,6 +31,7 @@ import org.mockito.stubbing.Answer; import java.util.Collections; import java.util.concurrent.atomic.AtomicReference; +import static org.elasticsearch.test.SecurityIntegTestCase.getFastStoredHashAlgoForTests; import static org.hamcrest.Matchers.containsString; import static org.hamcrest.Matchers.instanceOf; import static org.hamcrest.Matchers.is; @@ -48,9 +49,9 @@ import static org.mockito.Mockito.verifyZeroInteractions; public class TransportChangePasswordActionTests extends ESTestCase { public void testAnonymousUser() { - final String hashingAlgorithm = randomFrom("pbkdf2", "pbkdf2_1000", "bcrypt", "bcrypt9"); + final Hasher hasher = getFastStoredHashAlgoForTests(); Settings settings = Settings.builder().put(AnonymousUser.ROLES_SETTING.getKey(), "superuser") - .put(XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey(), hashingAlgorithm).build(); + .put(XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey(), hasher.name()).build(); AnonymousUser anonymousUser = new AnonymousUser(settings); NativeUsersStore usersStore = mock(NativeUsersStore.class); TransportService transportService = new TransportService(Settings.EMPTY, mock(Transport.class), null, @@ -60,7 +61,7 @@ public class TransportChangePasswordActionTests extends ESTestCase { // Request will fail before the request hashing algorithm is checked, but we use the same algorithm as in settings for consistency ChangePasswordRequest request = new ChangePasswordRequest(); request.username(anonymousUser.principal()); - request.passwordHash(Hasher.resolve(hashingAlgorithm).hash(SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING)); + request.passwordHash(hasher.hash(SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING)); final AtomicReference throwableRef = new AtomicReference<>(); final AtomicReference responseRef = new AtomicReference<>(); @@ -83,10 +84,10 @@ public class TransportChangePasswordActionTests extends ESTestCase { } public void testInternalUsers() { - final String hashingAlgorithm = randomFrom("pbkdf2", "pbkdf2_1000", "bcrypt", "bcrypt9"); + final Hasher hasher = getFastStoredHashAlgoForTests(); NativeUsersStore usersStore = mock(NativeUsersStore.class); Settings passwordHashingSettings = Settings.builder(). - put(XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey(), hashingAlgorithm).build(); + put(XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey(), hasher.name()).build(); TransportService transportService = new TransportService(Settings.EMPTY, mock(Transport.class), null, TransportService.NOOP_TRANSPORT_INTERCEPTOR, x -> null, null, Collections.emptySet()); TransportChangePasswordAction action = new TransportChangePasswordAction(passwordHashingSettings, transportService, @@ -94,7 +95,7 @@ public class TransportChangePasswordActionTests extends ESTestCase { // Request will fail before the request hashing algorithm is checked, but we use the same algorithm as in settings for consistency ChangePasswordRequest request = new ChangePasswordRequest(); request.username(randomFrom(SystemUser.INSTANCE.principal(), XPackUser.INSTANCE.principal())); - request.passwordHash(Hasher.resolve(hashingAlgorithm).hash(SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING)); + request.passwordHash(hasher.hash(SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING)); final AtomicReference throwableRef = new AtomicReference<>(); final AtomicReference responseRef = new AtomicReference<>(); @@ -117,10 +118,9 @@ public class TransportChangePasswordActionTests extends ESTestCase { } public void testValidUser() { - final String hashingAlgorithm = randomFrom("pbkdf2", "pbkdf2_1000", "bcrypt", "bcrypt9"); + final Hasher hasher = getFastStoredHashAlgoForTests(); final User user = randomFrom(new ElasticUser(true), new KibanaUser(true), new User("joe")); NativeUsersStore usersStore = mock(NativeUsersStore.class); - final Hasher hasher = Hasher.resolve(hashingAlgorithm); ChangePasswordRequest request = new ChangePasswordRequest(); request.username(user.principal()); request.passwordHash(hasher.hash(SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING)); @@ -134,7 +134,7 @@ public class TransportChangePasswordActionTests extends ESTestCase { TransportService transportService = new TransportService(Settings.EMPTY, mock(Transport.class), null, TransportService.NOOP_TRANSPORT_INTERCEPTOR, x -> null, null, Collections.emptySet()); Settings passwordHashingSettings = Settings.builder(). - put(XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey(), hashingAlgorithm).build(); + put(XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey(), hasher.name()).build(); TransportChangePasswordAction action = new TransportChangePasswordAction(passwordHashingSettings, transportService, mock(ActionFilters.class), usersStore); final AtomicReference throwableRef = new AtomicReference<>(); @@ -159,7 +159,7 @@ public class TransportChangePasswordActionTests extends ESTestCase { public void testIncorrectPasswordHashingAlgorithm() { final User user = randomFrom(new ElasticUser(true), new KibanaUser(true), new User("joe")); - final Hasher hasher = Hasher.resolve(randomFrom("pbkdf2", "pbkdf2_1000", "bcrypt9", "bcrypt5")); + final Hasher hasher = getFastStoredHashAlgoForTests(); NativeUsersStore usersStore = mock(NativeUsersStore.class); ChangePasswordRequest request = new ChangePasswordRequest(); request.username(user.principal()); @@ -191,12 +191,12 @@ public class TransportChangePasswordActionTests extends ESTestCase { } public void testException() { - final String hashingAlgorithm = randomFrom("pbkdf2", "pbkdf2_1000", "bcrypt", "bcrypt9"); + final Hasher hasher = getFastStoredHashAlgoForTests(); final User user = randomFrom(new ElasticUser(true), new KibanaUser(true), new User("joe")); NativeUsersStore usersStore = mock(NativeUsersStore.class); ChangePasswordRequest request = new ChangePasswordRequest(); request.username(user.principal()); - request.passwordHash(Hasher.resolve(hashingAlgorithm).hash(SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING)); + request.passwordHash(hasher.hash(SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING)); final Exception e = randomFrom(new ElasticsearchSecurityException(""), new IllegalStateException(), new RuntimeException()); doAnswer(new Answer() { public Void answer(InvocationOnMock invocation) { @@ -210,7 +210,7 @@ public class TransportChangePasswordActionTests extends ESTestCase { TransportService transportService = new TransportService(Settings.EMPTY, mock(Transport.class), null, TransportService.NOOP_TRANSPORT_INTERCEPTOR, x -> null, null, Collections.emptySet()); Settings passwordHashingSettings = Settings.builder(). - put(XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey(), hashingAlgorithm).build(); + put(XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey(), hasher.name()).build(); TransportChangePasswordAction action = new TransportChangePasswordAction(passwordHashingSettings, transportService, mock(ActionFilters.class), usersStore); final AtomicReference throwableRef = new AtomicReference<>(); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/user/TransportPutUserActionTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/user/TransportPutUserActionTests.java index b6037932f8a8..08b84991b006 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/user/TransportPutUserActionTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/user/TransportPutUserActionTests.java @@ -38,6 +38,7 @@ import java.util.Collection; import java.util.Collections; import java.util.concurrent.atomic.AtomicReference; +import static org.elasticsearch.test.SecurityIntegTestCase.getFastStoredHashAlgoForTests; import static org.hamcrest.Matchers.contains; import static org.hamcrest.Matchers.containsString; import static org.hamcrest.Matchers.instanceOf; @@ -167,9 +168,9 @@ public class TransportPutUserActionTests extends ESTestCase { final boolean isCreate = randomBoolean(); final PutUserRequest request = new PutUserRequest(); request.username(user.principal()); + final Hasher hasher = getFastStoredHashAlgoForTests(); if (isCreate) { - request.passwordHash(Hasher.resolve( - randomFrom("pbkdf2", "pbkdf2_1000", "bcrypt", "bcrypt9")).hash(SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING)); + request.passwordHash(hasher.hash(SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING)); } final boolean created = isCreate ? randomBoolean() : false; // updates should always return false for create doAnswer(new Answer() { diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyServiceTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyServiceTests.java index e789ed063bd7..ef9838980709 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyServiceTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyServiceTests.java @@ -85,6 +85,7 @@ import java.util.concurrent.Semaphore; import java.util.concurrent.atomic.AtomicInteger; import java.util.stream.Collectors; +import static org.elasticsearch.test.SecurityIntegTestCase.getFastStoredHashAlgoForTests; import static org.elasticsearch.test.TestMatchers.throwableWithMessage; import static org.elasticsearch.xpack.core.security.authc.AuthenticationField.API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY; import static org.elasticsearch.xpack.core.security.authc.AuthenticationField.API_KEY_ROLE_DESCRIPTORS_KEY; @@ -386,7 +387,7 @@ public class ApiKeyServiceTests extends ESTestCase { public void testValidateApiKey() throws Exception { final String apiKey = randomAlphaOfLength(16); - Hasher hasher = randomFrom(Hasher.PBKDF2, Hasher.BCRYPT4, Hasher.BCRYPT); + Hasher hasher = getFastStoredHashAlgoForTests(); final char[] hash = hasher.hash(new SecureString(apiKey.toCharArray())); ApiKeyDoc apiKeyDoc = buildApiKeyDoc(hash, -1, false); @@ -595,7 +596,7 @@ public class ApiKeyServiceTests extends ESTestCase { public void testApiKeyCache() { final String apiKey = randomAlphaOfLength(16); - Hasher hasher = randomFrom(Hasher.PBKDF2, Hasher.BCRYPT4, Hasher.BCRYPT); + Hasher hasher = getFastStoredHashAlgoForTests(); final char[] hash = hasher.hash(new SecureString(apiKey.toCharArray())); ApiKeyDoc apiKeyDoc = buildApiKeyDoc(hash, -1, false); @@ -610,7 +611,7 @@ public class ApiKeyServiceTests extends ESTestCase { assertNotNull(cachedApiKeyHashResult); assertThat(cachedApiKeyHashResult.success, is(true)); - creds = new ApiKeyCredentials(creds.getId(), new SecureString("foobar".toCharArray())); + creds = new ApiKeyCredentials(creds.getId(), new SecureString("somelongenoughrandomstring".toCharArray())); future = new PlainActionFuture<>(); service.validateApiKeyCredentials(creds.getId(), apiKeyDoc, creds, Clock.systemUTC(), future); result = future.actionGet(); @@ -619,8 +620,8 @@ public class ApiKeyServiceTests extends ESTestCase { assertNotNull(shouldBeSame); assertThat(shouldBeSame, sameInstance(cachedApiKeyHashResult)); - apiKeyDoc = buildApiKeyDoc(hasher.hash(new SecureString("foobar".toCharArray())), -1, false); - creds = new ApiKeyCredentials(randomAlphaOfLength(12), new SecureString("foobar1".toCharArray())); + apiKeyDoc = buildApiKeyDoc(hasher.hash(new SecureString("somelongenoughrandomstring".toCharArray())), -1, false); + creds = new ApiKeyCredentials(randomAlphaOfLength(12), new SecureString("otherlongenoughrandomstring".toCharArray())); future = new PlainActionFuture<>(); service.validateApiKeyCredentials(creds.getId(), apiKeyDoc, creds, Clock.systemUTC(), future); result = future.actionGet(); @@ -629,7 +630,7 @@ public class ApiKeyServiceTests extends ESTestCase { assertNotNull(cachedApiKeyHashResult); assertThat(cachedApiKeyHashResult.success, is(false)); - creds = new ApiKeyCredentials(creds.getId(), new SecureString("foobar2".toCharArray())); + creds = new ApiKeyCredentials(creds.getId(), new SecureString("otherlongenoughrandomstring2".toCharArray())); future = new PlainActionFuture<>(); service.validateApiKeyCredentials(creds.getId(), apiKeyDoc, creds, Clock.systemUTC(), future); result = future.actionGet(); @@ -637,7 +638,7 @@ public class ApiKeyServiceTests extends ESTestCase { assertThat(service.getFromCache(creds.getId()), not(sameInstance(cachedApiKeyHashResult))); assertThat(service.getFromCache(creds.getId()).success, is(false)); - creds = new ApiKeyCredentials(creds.getId(), new SecureString("foobar".toCharArray())); + creds = new ApiKeyCredentials(creds.getId(), new SecureString("somelongenoughrandomstring".toCharArray())); future = new PlainActionFuture<>(); service.validateApiKeyCredentials(creds.getId(), apiKeyDoc, creds, Clock.systemUTC(), future); result = future.actionGet(); @@ -648,7 +649,7 @@ public class ApiKeyServiceTests extends ESTestCase { public void testAuthenticateWhileCacheBeingPopulated() throws Exception { final String apiKey = randomAlphaOfLength(16); - Hasher hasher = randomFrom(Hasher.PBKDF2, Hasher.BCRYPT4, Hasher.BCRYPT); + Hasher hasher = getFastStoredHashAlgoForTests(); final char[] hash = hasher.hash(new SecureString(apiKey.toCharArray())); Map sourceMap = buildApiKeySourceDoc(hash); @@ -706,7 +707,7 @@ public class ApiKeyServiceTests extends ESTestCase { public void testApiKeyCacheDisabled() { final String apiKey = randomAlphaOfLength(16); - Hasher hasher = randomFrom(Hasher.PBKDF2, Hasher.BCRYPT4, Hasher.BCRYPT); + Hasher hasher = getFastStoredHashAlgoForTests(); final char[] hash = hasher.hash(new SecureString(apiKey.toCharArray())); final Settings settings = Settings.builder() .put(ApiKeyService.CACHE_TTL_SETTING.getKey(), "0s") @@ -728,7 +729,7 @@ public class ApiKeyServiceTests extends ESTestCase { public void testApiKeyDocCacheCanBeDisabledSeparately() { final String apiKey = randomAlphaOfLength(16); - Hasher hasher = randomFrom(Hasher.PBKDF2, Hasher.BCRYPT4, Hasher.BCRYPT); + Hasher hasher = getFastStoredHashAlgoForTests(); final char[] hash = hasher.hash(new SecureString(apiKey.toCharArray())); final Settings settings = Settings.builder() .put(ApiKeyService.DOC_CACHE_TTL_SETTING.getKey(), "0s") @@ -866,7 +867,7 @@ public class ApiKeyServiceTests extends ESTestCase { final ApiKeyCredentials creds = new ApiKeyCredentials(randomAlphaOfLength(12), new SecureString(apiKey.toCharArray())); writeCredentialsToThreadContext(creds); - Hasher hasher = randomFrom(Hasher.PBKDF2, Hasher.BCRYPT4, Hasher.BCRYPT); + Hasher hasher = getFastStoredHashAlgoForTests(); final char[] hash = hasher.hash(new SecureString(apiKey.toCharArray())); Map sourceMap = buildApiKeySourceDoc(hash); mockSourceDocument(creds.getId(), sourceMap); @@ -891,7 +892,7 @@ public class ApiKeyServiceTests extends ESTestCase { final ApiKeyCredentials creds = new ApiKeyCredentials(randomAlphaOfLength(12), new SecureString(apiKey1.toCharArray())); writeCredentialsToThreadContext(creds); - Hasher hasher = randomFrom(Hasher.PBKDF2, Hasher.BCRYPT4, Hasher.BCRYPT); + Hasher hasher = getFastStoredHashAlgoForTests(); final char[] hash = hasher.hash(new SecureString(apiKey1.toCharArray())); Map sourceMap = buildApiKeySourceDoc(hash); mockSourceDocument(creds.getId(), sourceMap); @@ -988,15 +989,16 @@ public class ApiKeyServiceTests extends ESTestCase { Set userRoles, List keyRoles, Version version) throws Exception { - XContentBuilder keyDocSource = apiKeyService.newDocument(new SecureString("secret".toCharArray()), "test", authentication, - userRoles, Instant.now(), Instant.now().plus(Duration.ofSeconds(3600)), keyRoles, Version.CURRENT); + XContentBuilder keyDocSource = apiKeyService.newDocument( + new SecureString(randomAlphaOfLength(16).toCharArray()), "test", authentication, + userRoles, Instant.now(), Instant.now().plus(Duration.ofSeconds(3600)), keyRoles, Version.CURRENT); final ApiKeyDoc apiKeyDoc = ApiKeyDoc.fromXContent( XContentHelper.createParser(NamedXContentRegistry.EMPTY, LoggingDeprecationHandler.INSTANCE, BytesReference.bytes(keyDocSource), XContentType.JSON)); PlainActionFuture authenticationResultFuture = PlainActionFuture.newFuture(); apiKeyService.validateApiKeyExpiration(apiKeyDoc, new ApiKeyService.ApiKeyCredentials("id", - new SecureString("pass".toCharArray())), - Clock.systemUTC(), authenticationResultFuture); + new SecureString(randomAlphaOfLength(16).toCharArray())), + Clock.systemUTC(), authenticationResultFuture); AuthenticationResult authenticationResult = authenticationResultFuture.get(); if (randomBoolean()) { diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/file/FileRealmTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/file/FileRealmTests.java index d2ab879d4d4f..f69325083707 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/file/FileRealmTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/file/FileRealmTests.java @@ -25,6 +25,7 @@ import org.mockito.stubbing.Answer; import java.util.Map; import java.util.function.Supplier; +import static org.elasticsearch.test.SecurityIntegTestCase.getFastStoredHashAlgoForTests; import static org.hamcrest.Matchers.arrayContaining; import static org.hamcrest.Matchers.equalTo; import static org.hamcrest.Matchers.hasEntry; @@ -60,21 +61,23 @@ public class FileRealmTests extends ESTestCase { public void init() throws Exception { userPasswdStore = mock(FileUserPasswdStore.class); userRolesStore = mock(FileUserRolesStore.class); - globalSettings = Settings.builder().put("path.home", createTempDir()).put("xpack.security.authc.password_hashing.algorithm", - randomFrom("bcrypt9", "pbkdf2")).build(); + globalSettings = Settings.builder() + .put("path.home", createTempDir()) + .put("xpack.security.authc.password_hashing.algorithm", getFastStoredHashAlgoForTests().name()) + .build(); threadPool = mock(ThreadPool.class); threadContext = new ThreadContext(globalSettings); when(threadPool.getThreadContext()).thenReturn(threadContext); } public void testAuthenticate() throws Exception { - when(userPasswdStore.verifyPassword(eq("user1"), eq(new SecureString("test123")), any(Supplier.class))) + when(userPasswdStore.verifyPassword(eq("user1"), eq(new SecureString("longtestpassword")), any(Supplier.class))) .thenAnswer(VERIFY_PASSWORD_ANSWER); when(userRolesStore.roles("user1")).thenReturn(new String[] { "role1", "role2" }); RealmConfig config = getRealmConfig(globalSettings); FileRealm realm = new FileRealm(config, userPasswdStore, userRolesStore, threadPool); PlainActionFuture future = new PlainActionFuture<>(); - realm.authenticate(new UsernamePasswordToken("user1", new SecureString("test123")), future); + realm.authenticate(new UsernamePasswordToken("user1", new SecureString("longtestpassword")), future); final AuthenticationResult result = future.actionGet(); assertThat(result.getStatus(), is(AuthenticationResult.Status.SUCCESS)); User user = result.getUser(); @@ -96,15 +99,15 @@ public class FileRealmTests extends ESTestCase { .put(globalSettings) .build(); RealmConfig config = getRealmConfig(settings); - when(userPasswdStore.verifyPassword(eq("user1"), eq(new SecureString("test123")), any(Supplier.class))) + when(userPasswdStore.verifyPassword(eq("user1"), eq(new SecureString("longtestpassword")), any(Supplier.class))) .thenAnswer(VERIFY_PASSWORD_ANSWER); when(userRolesStore.roles("user1")).thenReturn(new String[]{"role1", "role2"}); FileRealm realm = new FileRealm(config, userPasswdStore, userRolesStore, threadPool); PlainActionFuture future = new PlainActionFuture<>(); - realm.authenticate(new UsernamePasswordToken("user1", new SecureString("test123")), future); + realm.authenticate(new UsernamePasswordToken("user1", new SecureString("longtestpassword")), future); User user1 = future.actionGet().getUser(); future = new PlainActionFuture<>(); - realm.authenticate(new UsernamePasswordToken("user1", new SecureString("test123")), future); + realm.authenticate(new UsernamePasswordToken("user1", new SecureString("longtestpassword")), future); User user2 = future.actionGet().getUser(); assertThat(user1, sameInstance(user2)); } @@ -113,56 +116,57 @@ public class FileRealmTests extends ESTestCase { RealmConfig config = getRealmConfig(globalSettings); userPasswdStore = spy(new UserPasswdStore(config)); userRolesStore = spy(new UserRolesStore(config)); - when(userPasswdStore.verifyPassword(eq("user1"), eq(new SecureString("test123")), any(Supplier.class))) + when(userPasswdStore.verifyPassword(eq("user1"), eq(new SecureString("longtestpassword")), any(Supplier.class))) .thenAnswer(VERIFY_PASSWORD_ANSWER); doReturn(new String[] { "role1", "role2" }).when(userRolesStore).roles("user1"); FileRealm realm = new FileRealm(config, userPasswdStore, userRolesStore, threadPool); PlainActionFuture future = new PlainActionFuture<>(); - realm.authenticate(new UsernamePasswordToken("user1", new SecureString("test123")), future); + realm.authenticate(new UsernamePasswordToken("user1", new SecureString("longtestpassword")), future); User user1 = future.actionGet().getUser(); future = new PlainActionFuture<>(); - realm.authenticate(new UsernamePasswordToken("user1", new SecureString("test123")), future); + realm.authenticate(new UsernamePasswordToken("user1", new SecureString("longtestpassword")), future); User user2 = future.actionGet().getUser(); assertThat(user1, sameInstance(user2)); userPasswdStore.notifyRefresh(); future = new PlainActionFuture<>(); - realm.authenticate(new UsernamePasswordToken("user1", new SecureString("test123")), future); + realm.authenticate(new UsernamePasswordToken("user1", new SecureString("longtestpassword")), future); User user3 = future.actionGet().getUser(); assertThat(user2, not(sameInstance(user3))); future = new PlainActionFuture<>(); - realm.authenticate(new UsernamePasswordToken("user1", new SecureString("test123")), future); + realm.authenticate(new UsernamePasswordToken("user1", new SecureString("longtestpassword")), future); User user4 = future.actionGet().getUser(); assertThat(user3, sameInstance(user4)); userRolesStore.notifyRefresh(); future = new PlainActionFuture<>(); - realm.authenticate(new UsernamePasswordToken("user1", new SecureString("test123")), future); + realm.authenticate(new UsernamePasswordToken("user1", new SecureString("longtestpassword")), future); User user5 = future.actionGet().getUser(); assertThat(user4, not(sameInstance(user5))); future = new PlainActionFuture<>(); - realm.authenticate(new UsernamePasswordToken("user1", new SecureString("test123")), future); + realm.authenticate(new UsernamePasswordToken("user1", new SecureString("longtestpassword")), future); User user6 = future.actionGet().getUser(); assertThat(user5, sameInstance(user6)); } public void testToken() throws Exception { RealmConfig config = getRealmConfig(globalSettings); - when(userPasswdStore.verifyPassword(eq("user1"), eq(new SecureString("test123")), any(Supplier.class))) - .thenAnswer(VERIFY_PASSWORD_ANSWER); + when(userPasswdStore.verifyPassword(eq("user1"), eq(new SecureString("longtestpassword")), any(Supplier.class))) + .thenAnswer(VERIFY_PASSWORD_ANSWER); when(userRolesStore.roles("user1")).thenReturn(new String[]{"role1", "role2"}); FileRealm realm = new FileRealm(config, userPasswdStore, userRolesStore, threadPool); ThreadContext threadContext = new ThreadContext(Settings.EMPTY); - UsernamePasswordToken.putTokenHeader(threadContext, new UsernamePasswordToken("user1", new SecureString("test123"))); + UsernamePasswordToken.putTokenHeader(threadContext, + new UsernamePasswordToken("user1", new SecureString("longtestpassword"))); UsernamePasswordToken token = realm.token(threadContext); assertThat(token, notNullValue()); assertThat(token.principal(), equalTo("user1")); assertThat(token.credentials(), notNullValue()); - assertThat(new String(token.credentials().getChars()), equalTo("test123")); + assertThat(new String(token.credentials().getChars()), equalTo("longtestpassword")); } public void testLookup() throws Exception { diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/file/FileUserPasswdStoreTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/file/FileUserPasswdStoreTests.java index 5c67b1b08784..3f832fce17e4 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/file/FileUserPasswdStoreTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/file/FileUserPasswdStoreTests.java @@ -52,11 +52,12 @@ public class FileUserPasswdStoreTests extends ESTestCase { @Before public void init() { + final String hashingAlgorithm = inFipsJvm() ? randomFrom("pbkdf2", "pbkdf2_1000", "pbkdf2_50000", "pbkdf2_stretch") : + randomFrom("bcrypt", "bcrypt11", "pbkdf2", "pbkdf2_1000", "pbkdf2_50000", "pbkdf2_stretch"); settings = Settings.builder() .put("resource.reload.interval.high", "100ms") .put("path.home", createTempDir()) - .put("xpack.security.authc.password_hashing.algorithm", randomFrom("bcrypt", "bcrypt11", "pbkdf2", "pbkdf2_1000", - "pbkdf2_50000")) + .put("xpack.security.authc.password_hashing.algorithm", hashingAlgorithm) .build(); env = TestEnvironment.newEnvironment(settings); threadPool = new TestThreadPool("test"); @@ -98,7 +99,8 @@ public class FileUserPasswdStoreTests extends ESTestCase { String username = settings.get("xpack.security.authc.password_hashing.algorithm"); User user = new User(username); assertThat(store.userExists(username), is(true)); - AuthenticationResult result = store.verifyPassword(username, new SecureString("test123"), () -> user); + final String password = username.startsWith("pbkdf2") ? "longertestpassword" : "test123"; + AuthenticationResult result = store.verifyPassword(username, new SecureString(password), () -> user); assertThat(result.getStatus(), is(AuthenticationResult.Status.SUCCESS)); assertThat(result.getUser(), is(user)); @@ -112,13 +114,13 @@ public class FileUserPasswdStoreTests extends ESTestCase { } assertThat(store.userExists(username), is(true)); - result = store.verifyPassword(username, new SecureString("test123"), () -> user); + result = store.verifyPassword(username, new SecureString(password), () -> user); assertThat(result.getStatus(), is(AuthenticationResult.Status.SUCCESS)); assertThat(result.getUser(), is(user)); try (BufferedWriter writer = Files.newBufferedWriter(file, StandardCharsets.UTF_8, StandardOpenOption.APPEND)) { writer.newLine(); - writer.append("foobar:").append(new String(hasher.hash(new SecureString("barfoo")))); + writer.append("foobar:").append(new String(hasher.hash(new SecureString("longtestpassword")))); } if (!latch.await(5, TimeUnit.SECONDS)) { @@ -126,7 +128,7 @@ public class FileUserPasswdStoreTests extends ESTestCase { } assertThat(store.userExists("foobar"), is(true)); - result = store.verifyPassword("foobar", new SecureString("barfoo"), () -> user); + result = store.verifyPassword("foobar", new SecureString("longtestpassword"), () -> user); assertThat(result.getStatus(), is(AuthenticationResult.Status.SUCCESS)); assertThat(result.getUser(), is(user)); } @@ -152,7 +154,8 @@ public class FileUserPasswdStoreTests extends ESTestCase { //Test users share the hashing algorithm name for convenience String username = settings.get("xpack.security.authc.password_hashing.algorithm"); User user = new User(username); - final AuthenticationResult result = store.verifyPassword(username, new SecureString("test123"), () -> user); + final String password = username.startsWith("pbkdf2") ? "longertestpassword" : "test123"; + final AuthenticationResult result = store.verifyPassword(username, new SecureString(password), () -> user); assertThat(result.getStatus(), is(AuthenticationResult.Status.SUCCESS)); assertThat(result.getUser(), is(user)); @@ -171,7 +174,7 @@ public class FileUserPasswdStoreTests extends ESTestCase { Path path = getDataPath("users"); Map users = FileUserPasswdStore.parseFile(path, null, Settings.EMPTY); assertThat(users, notNullValue()); - assertThat(users.size(), is(11)); + assertThat(users.size(), is(12)); assertThat(users.get("bcrypt"), notNullValue()); assertThat(new String(users.get("bcrypt")), equalTo("$2a$05$zxnP0vdREMxnEpkLCDI2OuSaSk/QEKA2.A42iOpI6U2u.RLLOWm1e")); assertThat(users.get("bcrypt10"), notNullValue()); @@ -186,13 +189,15 @@ public class FileUserPasswdStoreTests extends ESTestCase { assertThat(new String(users.get("sha")), equalTo("{SHA}cojt0Pw//L6ToM8G41aOKFIWh7w=")); assertThat(users.get("pbkdf2"), notNullValue()); assertThat(new String(users.get("pbkdf2")), - equalTo("{PBKDF2}10000$ekcItXk4jtK2bBjbVk0rZuWRjT0DoQqQJOIfyMeLIxg=$RA2/Nn1jRi8QskRS5IVotCV0FBO6M8DlNXC37GKa/8c=")); + equalTo("{PBKDF2}10000$NB6kwTrIPrwJJTu+KXiPUkW5bMf1oG2BMzDJLA479Bk=$CvCgHb5UkalUiNPicqMDOzIsnh3ppyz3SZOp+Gjv+hc=")); assertThat(users.get("pbkdf2_1000"), notNullValue()); assertThat(new String(users.get("pbkdf2_1000")), - equalTo("{PBKDF2}1000$32yPZSShxuKYAl47ip0g6VwbFrD8tvFJuQCoRPGhXC8=$cXAE1BkBXRmkv7pQA7fw4TZ1+rFWS2/nZGeA3kL1Eu8=")); + equalTo("{PBKDF2}1000$cofpEhehEObS+tNtS8/t9Zpf6UgwqkgkQFct2hhmGWA=$9Qb0S04fkF+Ebz1sGIaB9S6huZAXDihopPc6Z748f3E=")); assertThat(users.get("pbkdf2_50000"), notNullValue()); assertThat(new String(users.get("pbkdf2_50000")), - equalTo("{PBKDF2}50000$z1CLJt0MEFjkIK5iEfgvfnA6xq7lF25uasspsTKSo5Q=$XxCVLbaKDimOdyWgLCLJiyoiWpA/XDMe/xtVgn1r5Sg=")); + equalTo("{PBKDF2}50000$riPhBgfrNIpsN91QmF5mQNCwxHfJm0q2XtGt0x5+PRM=$v2j/DD+aFIRrusEeSDUO+eX3IrBPiG+ysgc9y0RDmhs=")); + assertThat(new String(users.get("pbkdf2_stretch")), + equalTo("{PBKDF2_STRETCH}10000$s1y/xv1T1iJxS9BKQ1FkZpSO19dSs6vsGgOb14d+KkU=$PtdgZoRGCSaim033lz/RcEoyhXQ/3WU4E6hfeKGsGes=")); } public void testParseFile_Empty() throws Exception { diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlMetadataCommandTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlMetadataCommandTests.java index 11705f59343d..e70c44589206 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlMetadataCommandTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlMetadataCommandTests.java @@ -565,6 +565,7 @@ public class SamlMetadataCommandTests extends SamlTestCase { } public void testDefaultOptionsWithSigningAndMultipleEncryptionKeys() throws Exception { + assumeFalse("Can't run in a FIPS JVM, PKCS12 keystores are not usable", inFipsJvm()); final KeyStoreWrapper usedKeyStore = randomFrom(keyStore, passwordProtectedKeystore); final Path dir = createTempDir(); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java index 7d4c4d64e2f5..78207fd6ece8 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java @@ -433,6 +433,7 @@ public class SamlRealmTests extends SamlTestCase { } public void testCreateEncryptionCredentialFromKeyStore() throws Exception { + assumeFalse("Can't run in a FIPS JVM, PKCS12 keystores are not usable", inFipsJvm()); final Path dir = createTempDir(); final Settings.Builder builder = Settings.builder() .put(REALM_SETTINGS_PREFIX + ".type", "saml") @@ -481,6 +482,7 @@ public class SamlRealmTests extends SamlTestCase { } public void testCreateSigningCredentialFromKeyStoreSuccessScenarios() throws Exception { + assumeFalse("Can't run in a FIPS JVM, PKCS12 keystores are not usable", inFipsJvm()); final Path dir = createTempDir(); final Settings.Builder builder = Settings.builder().put(REALM_SETTINGS_PREFIX + ".type", "saml").put("path.home", dir); final Path ksFile = dir.resolve("cred.p12"); @@ -520,6 +522,7 @@ public class SamlRealmTests extends SamlTestCase { } public void testCreateSigningCredentialFromKeyStoreFailureScenarios() throws Exception { + assumeFalse("Can't run in a FIPS JVM, PKCS12 keystores are not usable", inFipsJvm()); final Path dir = createTempDir(); final Settings.Builder builder = Settings.builder().put(REALM_SETTINGS_PREFIX + ".type", "saml").put("path.home", dir); final Path ksFile = dir.resolve("cred.p12"); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlTestCase.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlTestCase.java index cf281e404e53..34fd294932ae 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlTestCase.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlTestCase.java @@ -85,13 +85,21 @@ public abstract class SamlTestCase extends ESTestCase { keySize = randomFrom(256, 384); break; case "RSA": - keySize = randomFrom(1024, 2048, 4096); + if (inFipsJvm()) { + keySize = randomFrom(2048, 4096); + } else { + keySize = randomFrom(1024, 2048, 4096); + } break; case "DSA": - keySize = randomFrom(1024, 2048, 3072); + if (inFipsJvm()) { + keySize = randomFrom(2048, 3072); + } else { + keySize = randomFrom(1024, 2048, 3072); + } break; default: - keySize = randomFrom(1024, 2048); + keySize = 2048; } Path keyPath = PathUtils.get(SamlTestCase.class.getResource ("/org/elasticsearch/xpack/security/authc/saml/saml_" + algorithm + "_" + keySize + ".key").toURI()); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/CachingUsernamePasswordRealmTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/CachingUsernamePasswordRealmTests.java index 91a0fc9d94e2..df82416cdc72 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/CachingUsernamePasswordRealmTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/CachingUsernamePasswordRealmTests.java @@ -33,8 +33,10 @@ import java.util.List; import java.util.concurrent.CountDownLatch; import java.util.concurrent.atomic.AtomicInteger; import java.util.concurrent.atomic.AtomicReference; +import java.util.stream.Collectors; import static java.util.Collections.emptyMap; +import static org.elasticsearch.test.SecurityIntegTestCase.getFastStoredHashAlgoForTests; import static org.hamcrest.Matchers.arrayContaining; import static org.hamcrest.Matchers.containsString; import static org.hamcrest.Matchers.equalTo; @@ -64,7 +66,11 @@ public class CachingUsernamePasswordRealmTests extends ESTestCase { } public void testCacheSettings() { - String cachingHashAlgo = randomFrom(Hasher.getAvailableAlgoCacheHash()); + List availableCacheAlgos = Hasher.getAvailableAlgoCacheHash(); + if (inFipsJvm()) { + availableCacheAlgos = availableCacheAlgos.stream().filter(name -> (name.startsWith("pbkdf2"))).collect(Collectors.toList()); + } + String cachingHashAlgo = randomFrom(availableCacheAlgos); int maxUsers = randomIntBetween(10, 100); TimeValue ttl = TimeValue.timeValueMinutes(randomIntBetween(10, 20)); final RealmConfig.RealmIdentifier identifier = new RealmConfig.RealmIdentifier("caching", "test_realm"); @@ -410,7 +416,7 @@ public class CachingUsernamePasswordRealmTests extends ESTestCase { final String username = "username"; final SecureString password = SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING; final AtomicInteger authCounter = new AtomicInteger(0); - final Hasher pwdHasher = Hasher.resolve(randomFrom("pbkdf2", "pbkdf2_1000", "bcrypt", "bcrypt9")); + final Hasher pwdHasher = getFastStoredHashAlgoForTests(); final String passwordHash = new String(pwdHasher.hash(password)); RealmConfig config = new RealmConfig(new RealmConfig.RealmIdentifier("caching", "test_realm"), globalSettings, TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY)); @@ -476,7 +482,7 @@ public class CachingUsernamePasswordRealmTests extends ESTestCase { final String username = "username"; final SecureString password = SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING; final AtomicInteger authCounter = new AtomicInteger(0); - final Hasher pwdHasher = Hasher.resolve(randomFrom("pbkdf2", "pbkdf2_1000", "bcrypt", "bcrypt9")); + final Hasher pwdHasher = getFastStoredHashAlgoForTests(); final String passwordHash = new String(pwdHasher.hash(password)); RealmConfig config = new RealmConfig(new RealmConfig.RealmIdentifier("caching", "test_realm"), globalSettings, TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY)); @@ -484,7 +490,7 @@ public class CachingUsernamePasswordRealmTests extends ESTestCase { final int numberOfProcessors = Runtime.getRuntime().availableProcessors(); final int numberOfThreads = scaledRandomIntBetween((numberOfProcessors + 1) / 2, numberOfProcessors * 3); List threads = new ArrayList<>(numberOfThreads); - final SecureString credsToUse = new SecureString(randomAlphaOfLength(12).toCharArray()); + final SecureString credsToUse = new SecureString(randomAlphaOfLength(14).toCharArray()); // we use a bunch of different latches here, the first `latch` is used to ensure all threads have been started // before they start to execute. The `authWaitLatch` is there to ensure we have all threads waiting on the @@ -559,7 +565,7 @@ public class CachingUsernamePasswordRealmTests extends ESTestCase { final String username = "username"; final SecureString password = SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING; final SecureString randomPassword = new SecureString(randomAlphaOfLength(password.length()).toCharArray()); - final Hasher localHasher = Hasher.resolve(randomFrom("pbkdf2", "pbkdf2_1000", "bcrypt", "bcrypt9")); + final Hasher localHasher = getFastStoredHashAlgoForTests(); final String passwordHash = new String(localHasher.hash(password)); RealmConfig config = new RealmConfig(new RealmConfig.RealmIdentifier("caching", "test_realm"), globalSettings, TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY)); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/HasherTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/HasherTests.java index a0a931130ea6..26340bafeedc 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/HasherTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/HasherTests.java @@ -174,7 +174,8 @@ public class HasherTests extends ESTestCase { } private static void testHasherSelfGenerated(Hasher hasher) { - SecureString passwd = new SecureString(randomAlphaOfLength(between(6, 15)).toCharArray()); + //In FIPS 140 mode, passwords for PBKDF2 need to be at least 14 chars + SecureString passwd = new SecureString(randomAlphaOfLength(between(14, 18)).toCharArray()); char[] hash = hasher.hash(passwd); assertTrue(hasher.verify(passwd, hash)); } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLErrorMessageFileTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLErrorMessageFileTests.java index d2af3aff7667..807955d6c123 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLErrorMessageFileTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLErrorMessageFileTests.java @@ -133,7 +133,11 @@ public class SSLErrorMessageFileTests extends ESTestCase { final String prefix = "xpack.security.transport.ssl"; final Settings.Builder settings = getSettingsBuilder(); settings.put(prefix + ".enabled", true); - configureWorkingTruststore(prefix, settings); + if (inFipsJvm()) { + configureWorkingTrustedAuthorities(prefix, settings); + } else { + configureWorkingTruststore(prefix, settings); + } expectSuccess(settings); assertWarnings("invalid SSL configuration for " + prefix + @@ -145,29 +149,37 @@ public class SSLErrorMessageFileTests extends ESTestCase { final String prefix = "xpack.security.transport.ssl"; final Settings.Builder settings = getSettingsBuilder(); settings.put(prefix + ".enabled", false); - configureWorkingTruststore(prefix, settings); + if (inFipsJvm()) { + configureWorkingTrustedAuthorities(prefix, settings); + } else { + configureWorkingTruststore(prefix, settings); + } expectSuccess(settings); } public void testMessageForTransportNotEnabledButKeystoreConfigured() throws Exception { + assumeFalse("Cannot run in a FIPS JVM since it uses a PKCS12 keystore", inFipsJvm()); final String prefix = "xpack.security.transport.ssl"; checkUnusedConfiguration(prefix, prefix + ".keystore.path," + prefix + ".keystore.secure_password", this::configureWorkingKeystore); } public void testMessageForTransportNotEnabledButTruststoreConfigured() throws Exception { + assumeFalse("Cannot run in a FIPS JVM since it uses a PKCS12 keystore", inFipsJvm()); final String prefix = "xpack.security.transport.ssl"; checkUnusedConfiguration(prefix, prefix + ".truststore.path," + prefix + ".truststore.secure_password", this::configureWorkingTruststore); } public void testMessageForHttpsNotEnabledButKeystoreConfigured() throws Exception { + assumeFalse("Cannot run in a FIPS JVM since it uses a PKCS12 keystore", inFipsJvm()); final String prefix = "xpack.security.http.ssl"; checkUnusedConfiguration(prefix, prefix + ".keystore.path," + prefix + ".keystore.secure_password", this::configureWorkingKeystore); } public void testMessageForHttpsNotEnabledButTruststoreConfigured() throws Exception { + assumeFalse("Cannot run in a FIPS JVM since it uses a PKCS12 keystore", inFipsJvm()); final String prefix = "xpack.security.http.ssl"; checkUnusedConfiguration(prefix, prefix + ".truststore.path," + prefix + ".truststore.secure_password", this::configureWorkingTruststore); @@ -179,7 +191,11 @@ public class SSLErrorMessageFileTests extends ESTestCase { } private void buildKeyConfigSettings(@Nullable Settings.Builder additionalSettings, String prefix, Settings.Builder builder) { - configureWorkingTruststore(prefix, builder); + if (inFipsJvm()) { + configureWorkingTrustedAuthorities(prefix, builder); + } else { + configureWorkingTruststore(prefix, builder); + } if (additionalSettings != null) { builder.put(additionalSettings.normalizePrefix(prefix + ".").build()); } @@ -338,6 +354,11 @@ public class SSLErrorMessageFileTests extends ESTestCase { return settings; } + private Settings.Builder configureWorkingTrustedAuthorities(String prefix, Settings.Builder settings) { + settings.putList(prefix + ".certificate_authorities", resource("ca1.crt")); + return settings; + } + private Settings.Builder configureWorkingKeystore(String prefix, Settings.Builder settings) { settings.put(prefix + ".keystore.path", resource("cert1a.p12")); addSecureSettings(settings, secure -> secure.setString(prefix + ".keystore.secure_password", "cert1a-p12-password")); diff --git a/x-pack/plugin/security/src/test/resources/org/elasticsearch/xpack/security/authc/file/users b/x-pack/plugin/security/src/test/resources/org/elasticsearch/xpack/security/authc/file/users index 435c3fc5ed9e..9681e3227202 100644 --- a/x-pack/plugin/security/src/test/resources/org/elasticsearch/xpack/security/authc/file/users +++ b/x-pack/plugin/security/src/test/resources/org/elasticsearch/xpack/security/authc/file/users @@ -5,9 +5,10 @@ plain:{plain}test123 sha:{SHA}cojt0Pw//L6ToM8G41aOKFIWh7w= # this is a comment line # another comment line -pbkdf2:{PBKDF2}10000$ekcItXk4jtK2bBjbVk0rZuWRjT0DoQqQJOIfyMeLIxg=$RA2/Nn1jRi8QskRS5IVotCV0FBO6M8DlNXC37GKa/8c= -pbkdf2_1000:{PBKDF2}1000$32yPZSShxuKYAl47ip0g6VwbFrD8tvFJuQCoRPGhXC8=$cXAE1BkBXRmkv7pQA7fw4TZ1+rFWS2/nZGeA3kL1Eu8= -pbkdf2_50000:{PBKDF2}50000$z1CLJt0MEFjkIK5iEfgvfnA6xq7lF25uasspsTKSo5Q=$XxCVLbaKDimOdyWgLCLJiyoiWpA/XDMe/xtVgn1r5Sg= +pbkdf2:{PBKDF2}10000$NB6kwTrIPrwJJTu+KXiPUkW5bMf1oG2BMzDJLA479Bk=$CvCgHb5UkalUiNPicqMDOzIsnh3ppyz3SZOp+Gjv+hc= +pbkdf2_1000:{PBKDF2}1000$cofpEhehEObS+tNtS8/t9Zpf6UgwqkgkQFct2hhmGWA=$9Qb0S04fkF+Ebz1sGIaB9S6huZAXDihopPc6Z748f3E= +pbkdf2_50000:{PBKDF2}50000$riPhBgfrNIpsN91QmF5mQNCwxHfJm0q2XtGt0x5+PRM=$v2j/DD+aFIRrusEeSDUO+eX3IrBPiG+ysgc9y0RDmhs= +pbkdf2_stretch:{PBKDF2_STRETCH}10000$s1y/xv1T1iJxS9BKQ1FkZpSO19dSs6vsGgOb14d+KkU=$PtdgZoRGCSaim033lz/RcEoyhXQ/3WU4E6hfeKGsGes= bcrypt9:$2a$09$YhstxoAjO7M5MtAIFv7dVO70/pElJAYrzyumeCpLpZV2Gcz4J2/F. bcrypt10:$2a$10$cFxpMx6YDrH/PXwLpTlux.KVykN1TG2Pgdl5oJX5/G/KYp3G6jbFG -bcrypt11:$2a$11$uxr7b0qgCrLV9VIz9XS7M.Eoc0gJRR60oV48UK5DKfLOp.9HjfYF2 \ No newline at end of file +bcrypt11:$2a$11$uxr7b0qgCrLV9VIz9XS7M.Eoc0gJRR60oV48UK5DKfLOp.9HjfYF2 diff --git a/x-pack/plugin/sql/build.gradle b/x-pack/plugin/sql/build.gradle index 8917fb09a579..f282796cec83 100644 --- a/x-pack/plugin/sql/build.gradle +++ b/x-pack/plugin/sql/build.gradle @@ -1,5 +1,8 @@ apply plugin: 'elasticsearch.esplugin' apply plugin: 'elasticsearch.internal-cluster-test' + +import org.elasticsearch.gradle.info.BuildParams + esplugin { name 'x-pack-sql' description 'The Elasticsearch plugin that powers SQL for Elasticsearch' @@ -131,3 +134,8 @@ allprojects { dependsOn tasks.withType(Test).matching { it.name.contains('bwc') == false } } } + +if (BuildParams.inFipsJvm){ + // Test clusters run with security disabled + tasks.named("internalClusterTest").configure{enabled = false } +} diff --git a/x-pack/plugin/sql/qa/server/security/src/test/java/org/elasticsearch/xpack/sql/qa/security/CliSecurityIT.java b/x-pack/plugin/sql/qa/server/security/src/test/java/org/elasticsearch/xpack/sql/qa/security/CliSecurityIT.java index 498a858897ee..fd4057cea712 100644 --- a/x-pack/plugin/sql/qa/server/security/src/test/java/org/elasticsearch/xpack/sql/qa/security/CliSecurityIT.java +++ b/x-pack/plugin/sql/qa/server/security/src/test/java/org/elasticsearch/xpack/sql/qa/security/CliSecurityIT.java @@ -61,7 +61,13 @@ public class CliSecurityIT extends SqlSecurityTestCase { if (user == null) { return admin; } - return new SecurityConfig(RestSqlIT.SSL_ENABLED, user, "testpass", admin.keystoreLocation(), admin.keystorePassword()); + return new SecurityConfig( + RestSqlIT.SSL_ENABLED, + user, + "test-user-password", + admin.keystoreLocation(), + admin.keystorePassword() + ); } @Override diff --git a/x-pack/plugin/sql/qa/server/security/src/test/java/org/elasticsearch/xpack/sql/qa/security/JdbcSecurityIT.java b/x-pack/plugin/sql/qa/server/security/src/test/java/org/elasticsearch/xpack/sql/qa/security/JdbcSecurityIT.java index 2c7513f08ce1..11e409f97ff5 100644 --- a/x-pack/plugin/sql/qa/server/security/src/test/java/org/elasticsearch/xpack/sql/qa/security/JdbcSecurityIT.java +++ b/x-pack/plugin/sql/qa/server/security/src/test/java/org/elasticsearch/xpack/sql/qa/security/JdbcSecurityIT.java @@ -55,7 +55,7 @@ public class JdbcSecurityIT extends SqlSecurityTestCase { } Properties prop = new Properties(); prop.put("user", user); - prop.put("password", "testpass"); + prop.put("password", "test-user-password"); addSslPropertiesIfNeeded(prop); return prop; } diff --git a/x-pack/plugin/sql/qa/server/security/src/test/java/org/elasticsearch/xpack/sql/qa/security/SqlSecurityTestCase.java b/x-pack/plugin/sql/qa/server/security/src/test/java/org/elasticsearch/xpack/sql/qa/security/SqlSecurityTestCase.java index 0c046a2aaace..56b73d0e0fc2 100644 --- a/x-pack/plugin/sql/qa/server/security/src/test/java/org/elasticsearch/xpack/sql/qa/security/SqlSecurityTestCase.java +++ b/x-pack/plugin/sql/qa/server/security/src/test/java/org/elasticsearch/xpack/sql/qa/security/SqlSecurityTestCase.java @@ -483,7 +483,7 @@ public abstract class SqlSecurityTestCase extends ESRestTestCase { XContentBuilder user = JsonXContent.contentBuilder().prettyPrint(); user.startObject(); { - user.field("password", "testpass"); + user.field("password", "test-user-password"); user.field("roles", role); } user.endObject(); diff --git a/x-pack/plugin/sql/qa/server/security/src/test/java/org/elasticsearch/xpack/sql/qa/security/UserFunctionIT.java b/x-pack/plugin/sql/qa/server/security/src/test/java/org/elasticsearch/xpack/sql/qa/security/UserFunctionIT.java index fca0ef3248dc..dd8891b75a41 100644 --- a/x-pack/plugin/sql/qa/server/security/src/test/java/org/elasticsearch/xpack/sql/qa/security/UserFunctionIT.java +++ b/x-pack/plugin/sql/qa/server/security/src/test/java/org/elasticsearch/xpack/sql/qa/security/UserFunctionIT.java @@ -143,7 +143,7 @@ public class UserFunctionIT extends ESRestTestCase { XContentBuilder user = JsonXContent.contentBuilder().prettyPrint(); user.startObject(); { - user.field("password", "testpass"); + user.field("password", "test-user-password"); user.field("roles", role); } user.endObject(); diff --git a/x-pack/plugin/src/test/resources/rest-api-spec/test/change_password/10_basic.yml b/x-pack/plugin/src/test/resources/rest-api-spec/test/change_password/10_basic.yml index 7b465426350c..022ec669d670 100644 --- a/x-pack/plugin/src/test/resources/rest-api-spec/test/change_password/10_basic.yml +++ b/x-pack/plugin/src/test/resources/rest-api-spec/test/change_password/10_basic.yml @@ -10,7 +10,7 @@ setup: username: "joe" body: > { - "password": "s3krit", + "password": "s3krit-password", "roles" : [ "superuser" ] } - do: @@ -31,7 +31,7 @@ setup: username: "unprivileged_user" body: > { - "password": "s3krit", + "password": "s3krit-password", "roles" : [ "user" ] } @@ -56,7 +56,7 @@ teardown: features: catch_unauthorized - do: headers: - Authorization: "Basic am9lOnMza3JpdA==" + Authorization: "Basic am9lOnMza3JpdC1wYXNzd29yZA==" cluster.health: {} - match: { timed_out: false } @@ -66,20 +66,20 @@ teardown: username: "joe" body: > { - "password" : "s3krit2" + "password" : "s3krit-password2" } # attempt to login with invalid credentials - do: catch: unauthorized headers: - Authorization: "Basic am9lOnMza3JpdA==" + Authorization: "Basic am9lOnMza3JpdC1wYXNzd29yZA==" cluster.health: {} # login with new credentials - do: headers: - Authorization: "Basic am9lOnMza3JpdDI=" + Authorization: "Basic am9lOnMza3JpdC1wYXNzd29yZDI=" cluster.health: {} - match: { timed_out: false } @@ -90,31 +90,31 @@ teardown: # test that the role actually works - do: headers: - Authorization: "Basic dW5wcml2aWxlZ2VkX3VzZXI6czNrcml0" + Authorization: "Basic dW5wcml2aWxlZ2VkX3VzZXI6czNrcml0LXBhc3N3b3Jk" cluster.health: {} - match: { timed_out: false } # change password as the current user. the user role only grants the ability to change their own password - do: headers: - Authorization: "Basic dW5wcml2aWxlZ2VkX3VzZXI6czNrcml0" + Authorization: "Basic dW5wcml2aWxlZ2VkX3VzZXI6czNrcml0LXBhc3N3b3Jk" security.change_password: body: > { - "password" : "s3krit2" + "password" : "s3krit-password2" } # attempt to login with invalid credentials - do: catch: unauthorized headers: - Authorization: "Basic dW5wcml2aWxlZ2VkX3VzZXI6czNrcml0" + Authorization: "Basic dW5wcml2aWxlZ2VkX3VzZXI6czNrcml0LXBhc3N3b3Jk" cluster.health: {} # login with new credentials - do: headers: - Authorization: "Basic dW5wcml2aWxlZ2VkX3VzZXI6czNrcml0Mg==" + Authorization: "Basic dW5wcml2aWxlZ2VkX3VzZXI6czNrcml0LXBhc3N3b3JkMg==" cluster.health: {} - match: { timed_out: false } @@ -123,18 +123,18 @@ teardown: # test that the role actually works - do: headers: - Authorization: "Basic dW5wcml2aWxlZ2VkX3VzZXI6czNrcml0" + Authorization: "Basic dW5wcml2aWxlZ2VkX3VzZXI6czNrcml0LXBhc3N3b3Jk" cluster.health: {} - match: { timed_out: false } # attempt to change another users password - do: headers: - Authorization: "Basic dW5wcml2aWxlZ2VkX3VzZXI6czNrcml0" + Authorization: "Basic dW5wcml2aWxlZ2VkX3VzZXI6czNrcml0LXBhc3N3b3Jk" catch: forbidden security.change_password: username: "anotheruser" body: > { - "password" : "s3krit2" + "password" : "s3krit-password2" } diff --git a/x-pack/plugin/src/test/resources/rest-api-spec/test/change_password/11_token.yml b/x-pack/plugin/src/test/resources/rest-api-spec/test/change_password/11_token.yml index fcbbb1c257bb..702a9089a881 100644 --- a/x-pack/plugin/src/test/resources/rest-api-spec/test/change_password/11_token.yml +++ b/x-pack/plugin/src/test/resources/rest-api-spec/test/change_password/11_token.yml @@ -10,7 +10,7 @@ setup: username: "token_joe" body: > { - "password": "s3krit", + "password": "s3krit-password", "roles" : [ "token_admin" ] } - do: @@ -42,12 +42,12 @@ teardown: - do: headers: - Authorization: "Basic dG9rZW5fam9lOnMza3JpdA==" + Authorization: "Basic dG9rZW5fam9lOnMza3JpdC1wYXNzd29yZA==" security.get_token: body: grant_type: "password" username: "token_joe" - password: "s3krit" + password: "s3krit-password" - match: { type: "Bearer" } - is_true: access_token @@ -63,5 +63,5 @@ teardown: username: "joe" body: > { - "password" : "s3krit2" + "password" : "s3krit-password2" } diff --git a/x-pack/plugin/src/test/resources/rest-api-spec/test/license/20_put_license.yml b/x-pack/plugin/src/test/resources/rest-api-spec/test/license/20_put_license.yml index 28f21b3ad5c8..0f2666cad764 100644 --- a/x-pack/plugin/src/test/resources/rest-api-spec/test/license/20_put_license.yml +++ b/x-pack/plugin/src/test/resources/rest-api-spec/test/license/20_put_license.yml @@ -7,7 +7,9 @@ teardown: {"licenses":[{"uid":"3aa62ffe-36e1-4fad-bfdc-9dff8301eb22","type":"trial","issue_date_in_millis":1523456691721,"expiry_date_in_millis":1838816691721,"max_nodes":5,"issued_to":"customer","issuer":"elasticsearch","signature":"AAAABAAAAA2kWNcuc+DT0lrlmYZKAAAAIAo5/x6hrsGh1GqqrJmy4qgmEC7gK0U4zQ6q5ZEMhm4jAAABAEn6fG9y2VxKBu2T3D5hffh56kzOQODCOdhr0y2d17ZSIJMZRqO7ZywPCWNS1aR33GhfIHkTER0ysML0xMH/gXavhyRvMBndJj0UBKzuwpTawSlnxYtcqN8mSBIvJC7Ki+uJ1SpAILC2ZP9fnkRlqwXqBlTwfYn7xnZgu9DKrOWru/ipTPObo7jcePl8VTK6nWFen7/hCFDQTUFZ0jQvd+nq7A1PAcHGNxGfdbMVmAXCXgGWkRfT3clo9/vadgo+isNyh1sPq9mN7gwsvBAKtA1FrpH2EXYYbfOsSpBvUmhYMgErLg1k3/CbS0pCWLKOaX1xTMayosdZOjagU3auZXY=","start_date_in_millis":-1}]} --- "Installing and getting license works": - + - skip: + features: fips_140 + reason: "Cannot install a GOLD license in a cluster in FIPS 140 mode" ## current license version - do: license.post: @@ -86,7 +88,9 @@ teardown: --- "Should install a feature type license": - + - skip: + features: fips_140 + reason: "Cannot install a GOLD license in a cluster in FIPS 140 mode" # VERSION_NO_FEATURE_TYPE license version - do: license.post: diff --git a/x-pack/plugin/src/test/resources/rest-api-spec/test/monitoring/bulk/20_privileges.yml b/x-pack/plugin/src/test/resources/rest-api-spec/test/monitoring/bulk/20_privileges.yml index c9e69fc0c764..5d4a702ddeee 100644 --- a/x-pack/plugin/src/test/resources/rest-api-spec/test/monitoring/bulk/20_privileges.yml +++ b/x-pack/plugin/src/test/resources/rest-api-spec/test/monitoring/bulk/20_privileges.yml @@ -26,7 +26,7 @@ setup: username: "logstash_agent" body: > { - "password": "s3krit", + "password": "s3krit-password", "roles" : [ "logstash_agent_role" ] } @@ -50,7 +50,7 @@ setup: username: "unknown_agent" body: > { - "password": "s3krit", + "password": "s3krit-password", "roles" : [ "unknown_agent_role" ] } @@ -83,7 +83,7 @@ teardown: - do: headers: # Authorization: logstash_agent - Authorization: "Basic bG9nc3Rhc2hfYWdlbnQ6czNrcml0" + Authorization: "Basic bG9nc3Rhc2hfYWdlbnQ6czNrcml0LXBhc3N3b3Jk" monitoring.bulk: system_id: "logstash" system_api_version: "6" @@ -121,7 +121,7 @@ teardown: catch: forbidden headers: # Authorization: unknown_agent - Authorization: "Basic dW5rbm93bl9hZ2VudDpzM2tyaXQ=" + Authorization: "Basic dW5rbm93bl9hZ2VudDpzM2tyaXQtcGFzc3dvcmQ=" monitoring.bulk: system_id: "logstash" system_api_version: "6" diff --git a/x-pack/plugin/src/test/resources/rest-api-spec/test/privileges/20_has_application_privs.yml b/x-pack/plugin/src/test/resources/rest-api-spec/test/privileges/20_has_application_privs.yml index b23862c5553d..c763e191a349 100644 --- a/x-pack/plugin/src/test/resources/rest-api-spec/test/privileges/20_has_application_privs.yml +++ b/x-pack/plugin/src/test/resources/rest-api-spec/test/privileges/20_has_application_privs.yml @@ -136,7 +136,7 @@ setup: username: "eng_read" body: > { - "password": "p@ssw0rd", + "password": "s3cr3t-p@ssw0rd", "roles" : [ "myapp_engineering_read" ] } - do: @@ -144,7 +144,7 @@ setup: username: "eng_write" body: > { - "password": "p@ssw0rd", + "password": "s3cr3t-p@ssw0rd", "roles" : [ "myapp_engineering_write" ] } - do: @@ -152,7 +152,7 @@ setup: username: "your_read" body: > { - "password": "p@ssw0rd", + "password": "s3cr3t-p@ssw0rd", "roles" : [ "yourapp_read_config" ] } - do: @@ -160,7 +160,7 @@ setup: username: "myapp_yourapp_wildard_role_user" body: > { - "password": "p@ssw0rd", + "password": "s3cr3t-p@ssw0rd", "roles" : [ "role_containing_wildcard_app_name_and_plain_app_name" ] } @@ -225,7 +225,7 @@ teardown: --- "Test has_privileges with application-privileges": - do: - headers: { Authorization: "Basic ZW5nX3JlYWQ6cEBzc3cwcmQ=" } # eng_read + headers: { Authorization: "Basic ZW5nX3JlYWQ6czNjcjN0LXBAc3N3MHJk" } # eng_read security.has_privileges: user: null body: > @@ -282,7 +282,7 @@ teardown: } } - do: - headers: { Authorization: "Basic eW91cl9yZWFkOnBAc3N3MHJk" } # your_read + headers: { Authorization: "Basic eW91cl9yZWFkOnMzY3IzdC1wQHNzdzByZA==" } # your_read security.has_privileges: user: null body: > @@ -333,7 +333,7 @@ teardown: } } - do: - headers: { Authorization: "Basic bXlhcHBfeW91cmFwcF93aWxkYXJkX3JvbGVfdXNlcjpwQHNzdzByZA==" } # myapp_yourapp_wildard_role_user + headers: { Authorization: "Basic bXlhcHBfeW91cmFwcF93aWxkYXJkX3JvbGVfdXNlcjpzM2NyM3QtcEBzc3cwcmQ=" } # myapp_yourapp_wildard_role_user security.has_privileges: user: null body: > diff --git a/x-pack/plugin/src/test/resources/rest-api-spec/test/privileges/30_superuser.yml b/x-pack/plugin/src/test/resources/rest-api-spec/test/privileges/30_superuser.yml index f51c045f6c61..94b38d3c919c 100644 --- a/x-pack/plugin/src/test/resources/rest-api-spec/test/privileges/30_superuser.yml +++ b/x-pack/plugin/src/test/resources/rest-api-spec/test/privileges/30_superuser.yml @@ -54,7 +54,7 @@ setup: username: "my_admin" body: > { - "password": "admin01", + "password": "admin01-password", "roles" : [ "superuser" ] } - do: @@ -62,7 +62,7 @@ setup: username: "eng_write" body: > { - "password": "p@ssw0rd", + "password": "s3cr3t-p@ssw0rd", "roles" : [ "myapp_engineering_write" ] } @@ -87,7 +87,7 @@ teardown: --- "Test superuser has all application-privileges": - do: - headers: { Authorization: "Basic bXlfYWRtaW46YWRtaW4wMQ==" } # my_admin + headers: { Authorization: "Basic bXlfYWRtaW46YWRtaW4wMS1wYXNzd29yZA==" } # my_admin security.has_privileges: user: null body: > diff --git a/x-pack/plugin/src/test/resources/rest-api-spec/test/privileges/40_get_user_privs.yml b/x-pack/plugin/src/test/resources/rest-api-spec/test/privileges/40_get_user_privs.yml index 430bbdb5f292..d90f4129e269 100644 --- a/x-pack/plugin/src/test/resources/rest-api-spec/test/privileges/40_get_user_privs.yml +++ b/x-pack/plugin/src/test/resources/rest-api-spec/test/privileges/40_get_user_privs.yml @@ -146,7 +146,7 @@ setup: username: "test-1" body: > { - "password": "12345678", + "password": "test-user-password", "roles" : [ "test-role-1" ] } - do: @@ -154,7 +154,7 @@ setup: username: "test-2" body: > { - "password": "12345678", + "password": "test-user-password", "roles" : [ "test-role-2" ] } - do: @@ -162,7 +162,7 @@ setup: username: "test-3" body: > { - "password": "12345678", + "password": "test-user-password", "roles" : [ "test-role-1", "test-role-2" ] } @@ -206,7 +206,7 @@ teardown: reason: "contains is a newly added assertion" features: contains - do: - headers: { Authorization: "Basic dGVzdC0xOjEyMzQ1Njc4" } # test-1 + headers: { Authorization: "Basic dGVzdC0xOnRlc3QtdXNlci1wYXNzd29yZA==" } # test-1 security.get_user_privileges: {} - match: { "cluster" : [ "monitor" ] } @@ -234,7 +234,7 @@ teardown: - match: { "run_as" : [ "test-*" ] } - do: - headers: { Authorization: "Basic dGVzdC0yOjEyMzQ1Njc4" } # test-2 + headers: { Authorization: "Basic dGVzdC0yOnRlc3QtdXNlci1wYXNzd29yZA==" } # test-2 security.get_user_privileges: username: null @@ -268,7 +268,7 @@ teardown: reason: "contains is a newly added assertion" features: contains - do: - headers: { Authorization: "Basic dGVzdC0zOjEyMzQ1Njc4" } # test-3 + headers: { Authorization: "Basic dGVzdC0zOnRlc3QtdXNlci1wYXNzd29yZA==" } # test-3 security.get_user_privileges: {} - match: { "cluster" : [ "manage", "manage_security", "monitor" ] } diff --git a/x-pack/plugin/src/test/resources/rest-api-spec/test/roles/10_basic.yml b/x-pack/plugin/src/test/resources/rest-api-spec/test/roles/10_basic.yml index f34546c7cda4..ff812a6e2cb9 100644 --- a/x-pack/plugin/src/test/resources/rest-api-spec/test/roles/10_basic.yml +++ b/x-pack/plugin/src/test/resources/rest-api-spec/test/roles/10_basic.yml @@ -11,7 +11,7 @@ setup: username: "joe" body: > { - "password": "s3krit", + "password": "s3krit-password", "roles" : [ "admin_role" ] } @@ -68,7 +68,7 @@ teardown: - do: headers: - Authorization: "Basic am9lOnMza3JpdA==" + Authorization: "Basic am9lOnMza3JpdC1wYXNzd29yZA==" cluster.health: {} - match: { timed_out: false } diff --git a/x-pack/plugin/src/test/resources/rest-api-spec/test/roles/11_idx_arrays.yml b/x-pack/plugin/src/test/resources/rest-api-spec/test/roles/11_idx_arrays.yml index 1046be6a1b6e..80548c4a8bad 100644 --- a/x-pack/plugin/src/test/resources/rest-api-spec/test/roles/11_idx_arrays.yml +++ b/x-pack/plugin/src/test/resources/rest-api-spec/test/roles/11_idx_arrays.yml @@ -48,7 +48,7 @@ teardown: username: "joe" body: > { - "password": "s3krit", + "password": "s3krit-password", "roles" : [ "admin_role2" ] } - match: { created: true } @@ -62,7 +62,7 @@ teardown: - do: headers: - Authorization: "Basic am9lOnMza3JpdA==" + Authorization: "Basic am9lOnMza3JpdC1wYXNzd29yZA==" get: index: foo type: doc @@ -75,7 +75,7 @@ teardown: # test that the role works on the cluster level - do: headers: - Authorization: "Basic am9lOnMza3JpdA==" + Authorization: "Basic am9lOnMza3JpdC1wYXNzd29yZA==" cluster.health: {} - match: { timed_out: false } diff --git a/x-pack/plugin/src/test/resources/rest-api-spec/test/roles/40_global_privileges.yml b/x-pack/plugin/src/test/resources/rest-api-spec/test/roles/40_global_privileges.yml index 570f23930f1e..fec95b2dbfd2 100644 --- a/x-pack/plugin/src/test/resources/rest-api-spec/test/roles/40_global_privileges.yml +++ b/x-pack/plugin/src/test/resources/rest-api-spec/test/roles/40_global_privileges.yml @@ -11,7 +11,7 @@ setup: username: "joe" body: > { - "password": "s3krit", + "password": "s3krit-password", "roles" : [ "with_global" ] } diff --git a/x-pack/plugin/src/test/resources/rest-api-spec/test/security/authz/14_cat_indices.yml b/x-pack/plugin/src/test/resources/rest-api-spec/test/security/authz/14_cat_indices.yml index 3cf1b4a09bf6..ca9e536c41eb 100644 --- a/x-pack/plugin/src/test/resources/rest-api-spec/test/security/authz/14_cat_indices.yml +++ b/x-pack/plugin/src/test/resources/rest-api-spec/test/security/authz/14_cat_indices.yml @@ -23,7 +23,7 @@ setup: username: "cat_user" body: > { - "password" : "cat_password", + "password" : "cat_secret_password", "roles" : [ "cat_some_indices_role" ], "full_name" : "Meow" } @@ -77,7 +77,7 @@ teardown: "Test empty request while no-authorized index": - do: - headers: { Authorization: "Basic Y2F0X3VzZXI6Y2F0X3Bhc3N3b3Jk" } # cat_user + headers: { Authorization: "Basic Y2F0X3VzZXI6Y2F0X3NlY3JldF9wYXNzd29yZA==" } # cat_user cat.indices: {} - match: @@ -96,7 +96,7 @@ teardown: number_of_replicas: "0" - do: - headers: { Authorization: "Basic Y2F0X3VzZXI6Y2F0X3Bhc3N3b3Jk" } # cat_user + headers: { Authorization: "Basic Y2F0X3VzZXI6Y2F0X3NlY3JldF9wYXNzd29yZA==" } # cat_user cat.indices: {} - match: @@ -152,7 +152,7 @@ teardown: index: index_to_monitor - do: - headers: { Authorization: "Basic Y2F0X3VzZXI6Y2F0X3Bhc3N3b3Jk" } # cat_user + headers: { Authorization: "Basic Y2F0X3VzZXI6Y2F0X3NlY3JldF9wYXNzd29yZA==" } # cat_user cat.indices: {} - match: @@ -190,7 +190,7 @@ teardown: number_of_replicas: "0" - do: - headers: { Authorization: "Basic Y2F0X3VzZXI6Y2F0X3Bhc3N3b3Jk" } # cat_user + headers: { Authorization: "Basic Y2F0X3VzZXI6Y2F0X3NlY3JldF9wYXNzd29yZA==" } # cat_user cat.indices: index: "this_index,index_to_monitor" v: false @@ -203,13 +203,13 @@ teardown: - do: catch: forbidden - headers: { Authorization: "Basic Y2F0X3VzZXI6Y2F0X3Bhc3N3b3Jk" } # cat_user + headers: { Authorization: "Basic Y2F0X3VzZXI6Y2F0X3NlY3JldF9wYXNzd29yZA==" } # cat_user cat.indices: index: "index1,index_to_monitor" - do: catch: forbidden - headers: { Authorization: "Basic Y2F0X3VzZXI6Y2F0X3Bhc3N3b3Jk" } # cat_user + headers: { Authorization: "Basic Y2F0X3VzZXI6Y2F0X3NlY3JldF9wYXNzd29yZA==" } # cat_user cat.indices: index: "this_*,index2" @@ -241,7 +241,7 @@ teardown: number_of_replicas: "0" - do: - headers: { Authorization: "Basic Y2F0X3VzZXI6Y2F0X3Bhc3N3b3Jk" } # cat_user + headers: { Authorization: "Basic Y2F0X3VzZXI6Y2F0X3NlY3JldF9wYXNzd29yZA==" } # cat_user cat.indices: index: "this_index,index_to_monitor,this_index_is_closed" v: false @@ -258,19 +258,19 @@ teardown: - do: catch: forbidden - headers: { Authorization: "Basic Y2F0X3VzZXI6Y2F0X3Bhc3N3b3Jk" } # cat_user + headers: { Authorization: "Basic Y2F0X3VzZXI6Y2F0X3NlY3JldF9wYXNzd29yZA==" } # cat_user cat.indices: index: "index1,index_to_monitor" - do: catch: forbidden - headers: { Authorization: "Basic Y2F0X3VzZXI6Y2F0X3Bhc3N3b3Jk" } # cat_user + headers: { Authorization: "Basic Y2F0X3VzZXI6Y2F0X3NlY3JldF9wYXNzd29yZA==" } # cat_user cat.indices: index: "this_*,index2" - do: catch: forbidden - headers: { Authorization: "Basic Y2F0X3VzZXI6Y2F0X3Bhc3N3b3Jk" } # cat_user + headers: { Authorization: "Basic Y2F0X3VzZXI6Y2F0X3NlY3JldF9wYXNzd29yZA==" } # cat_user cat.indices: index: "this_index_is_closed,index2" @@ -310,7 +310,7 @@ teardown: number_of_replicas: "0" - do: - headers: { Authorization: "Basic Y2F0X3VzZXI6Y2F0X3Bhc3N3b3Jk" } # cat_user + headers: { Authorization: "Basic Y2F0X3VzZXI6Y2F0X3NlY3JldF9wYXNzd29yZA==" } # cat_user cat.indices: index: "t*,i*" v: false diff --git a/x-pack/plugin/src/test/resources/rest-api-spec/test/users/10_basic.yml b/x-pack/plugin/src/test/resources/rest-api-spec/test/users/10_basic.yml index dcee957b6c3f..23bfecca449e 100644 --- a/x-pack/plugin/src/test/resources/rest-api-spec/test/users/10_basic.yml +++ b/x-pack/plugin/src/test/resources/rest-api-spec/test/users/10_basic.yml @@ -25,7 +25,7 @@ teardown: username: "joe" body: > { - "password" : "s3krit", + "password" : "s3krit-password", "roles" : [ "superuser" ], "full_name" : "Bazooka Joe", "email" : "joe@bazooka.gum", @@ -38,7 +38,7 @@ teardown: - do: headers: - Authorization: "Basic am9lOnMza3JpdA==" + Authorization: "Basic am9lOnMza3JpdC1wYXNzd29yZA==" cluster.health: {} - match: { timed_out: false } @@ -60,7 +60,7 @@ teardown: body: > { "username": "joe", - "password" : "s3krit", + "password" : "s3krit-password", "roles" : [ "superuser" ], "full_name" : "Bazooka Joe", "email" : "joe@bazooka.gum", @@ -73,7 +73,7 @@ teardown: - do: headers: - Authorization: "Basic am9lOnMza3JpdA==" + Authorization: "Basic am9lOnMza3JpdC1wYXNzd29yZA==" cluster.health: {} - match: { timed_out: false } @@ -96,7 +96,7 @@ teardown: body: > { "username": "joey", - "password" : "s3krit", + "password" : "s3krit-password", "roles" : [ "superuser" ], "full_name" : "Bazooka Joe", "email" : "joe@bazooka.gum", @@ -150,5 +150,5 @@ teardown: - do: catch: unauthorized headers: - Authorization: "Basic am9lOnMza3JpdA==" + Authorization: "Basic am9lOnMza3JpdC1wYXNzd29yZA==" security.authenticate: {} diff --git a/x-pack/plugin/src/test/resources/rest-api-spec/test/users/15_overwrite_user.yml b/x-pack/plugin/src/test/resources/rest-api-spec/test/users/15_overwrite_user.yml index 38fc162be5c0..2332232ae416 100644 --- a/x-pack/plugin/src/test/resources/rest-api-spec/test/users/15_overwrite_user.yml +++ b/x-pack/plugin/src/test/resources/rest-api-spec/test/users/15_overwrite_user.yml @@ -12,7 +12,7 @@ setup: username: "joe" body: > { - "password": "s3krit", + "password": "s3krit-password", "roles" : [ "superuser" ] } @@ -33,7 +33,7 @@ teardown: - do: headers: - Authorization: "Basic am9lOnMza3JpdA==" + Authorization: "Basic am9lOnMza3JpdC1wYXNzd29yZA==" cluster.health: {} - match: { timed_out: false } @@ -42,7 +42,7 @@ teardown: username: "joe" body: > { - "password" : "s3krit2", + "password" : "s3krit-password2", "roles" : [ "superuser", "foo" ], "full_name" : "Bazooka Joe", "email" : "joe@bazooka.gum", @@ -66,6 +66,6 @@ teardown: - do: headers: - Authorization: "Basic am9lOnMza3JpdDI=" + Authorization: "Basic am9lOnMza3JpdC1wYXNzd29yZDI=" cluster.health: {} - match: { timed_out: false } diff --git a/x-pack/plugin/src/test/resources/rest-api-spec/test/users/16_update_user.yml b/x-pack/plugin/src/test/resources/rest-api-spec/test/users/16_update_user.yml index 41a238766d0f..57e374b02616 100644 --- a/x-pack/plugin/src/test/resources/rest-api-spec/test/users/16_update_user.yml +++ b/x-pack/plugin/src/test/resources/rest-api-spec/test/users/16_update_user.yml @@ -9,7 +9,7 @@ setup: username: "joe" body: > { - "password": "s3krit", + "password": "s3krit-password", "roles" : [ "superuser" ] } @@ -39,7 +39,7 @@ teardown: - do: headers: - Authorization: "Basic am9lOnMza3JpdA==" + Authorization: "Basic am9lOnMza3JpdC1wYXNzd29yZA==" cluster.health: {} - match: { timed_out: false } @@ -71,7 +71,7 @@ teardown: # validate existing password works - do: headers: - Authorization: "Basic am9lOnMza3JpdA==" + Authorization: "Basic am9lOnMza3JpdC1wYXNzd29yZA==" cluster.health: {} - match: { timed_out: false } @@ -93,7 +93,7 @@ teardown: username: "joe" body: > { - "password" : "s3krit2", + "password" : "s3krit-password2", "roles" : [ "superuser" ], "full_name" : "Bazooka Joe", "email" : "joe@bazooka.gum", @@ -109,13 +109,13 @@ teardown: - do: catch: unauthorized headers: - Authorization: "Basic am9lOnMza3JpdA==" + Authorization: "Basic am9lOnMza3JpdC1wYXNzd29yZA==" cluster.health: {} # validate new password works - do: headers: - Authorization: "Basic am9lOnMza3JpdDI=" + Authorization: "Basic am9lOnMza3JpdC1wYXNzd29yZDI=" cluster.health: {} - match: { timed_out: false } diff --git a/x-pack/plugin/src/test/resources/rest-api-spec/test/users/30_enable_disable.yml b/x-pack/plugin/src/test/resources/rest-api-spec/test/users/30_enable_disable.yml index 0ffeeb60ed84..ef8e73c3adfe 100644 --- a/x-pack/plugin/src/test/resources/rest-api-spec/test/users/30_enable_disable.yml +++ b/x-pack/plugin/src/test/resources/rest-api-spec/test/users/30_enable_disable.yml @@ -11,7 +11,7 @@ setup: username: "joe" body: > { - "password": "s3krit", + "password": "s3krit-password", "roles" : [ "superuser" ] } @@ -26,7 +26,7 @@ teardown: "Test disable then enable user": - do: headers: - Authorization: "Basic am9lOnMza3JpdA==" + Authorization: "Basic am9lOnMza3JpdC1wYXNzd29yZA==" cluster.health: {} - match: { timed_out: false } @@ -39,7 +39,7 @@ teardown: - do: catch: unauthorized headers: - Authorization: "Basic am9lOnMza3JpdA==" + Authorization: "Basic am9lOnMza3JpdC1wYXNzd29yZA==" cluster.health: {} # enable the user @@ -50,7 +50,7 @@ teardown: # validate that the user can login again - do: headers: - Authorization: "Basic am9lOnMza3JpdA==" + Authorization: "Basic am9lOnMza3JpdC1wYXNzd29yZA==" cluster.health: {} - match: { timed_out: false } @@ -59,7 +59,7 @@ teardown: # check that the user works - do: headers: - Authorization: "Basic am9lOnMza3JpdA==" + Authorization: "Basic am9lOnMza3JpdC1wYXNzd29yZA==" cluster.health: {} - match: { timed_out: false } @@ -71,7 +71,7 @@ teardown: # validate that the user still works - do: headers: - Authorization: "Basic am9lOnMza3JpdA==" + Authorization: "Basic am9lOnMza3JpdC1wYXNzd29yZA==" cluster.health: {} - match: { timed_out: false } @@ -80,7 +80,7 @@ teardown: # check that the user works - do: headers: - Authorization: "Basic am9lOnMza3JpdA==" + Authorization: "Basic am9lOnMza3JpdC1wYXNzd29yZA==" cluster.health: {} - match: { timed_out: false } @@ -93,7 +93,7 @@ teardown: - do: catch: unauthorized headers: - Authorization: "Basic am9lOnMza3JpdA==" + Authorization: "Basic am9lOnMza3JpdC1wYXNzd29yZA==" cluster.health: {} # disable again @@ -110,7 +110,7 @@ teardown: # check that the user works - do: headers: - Authorization: "Basic am9lOnMza3JpdA==" + Authorization: "Basic am9lOnMza3JpdC1wYXNzd29yZA==" cluster.health: {} - match: { timed_out: false } @@ -118,6 +118,6 @@ teardown: - do: catch: '/users may not update the enabled status of their own account/' headers: - Authorization: "Basic am9lOnMza3JpdA==" + Authorization: "Basic am9lOnMza3JpdC1wYXNzd29yZA==" security.disable_user: username: "joe" diff --git a/x-pack/plugin/src/test/resources/rest-api-spec/test/users/31_create_disabled.yml b/x-pack/plugin/src/test/resources/rest-api-spec/test/users/31_create_disabled.yml index 716508e590d3..404300d97aee 100644 --- a/x-pack/plugin/src/test/resources/rest-api-spec/test/users/31_create_disabled.yml +++ b/x-pack/plugin/src/test/resources/rest-api-spec/test/users/31_create_disabled.yml @@ -11,7 +11,7 @@ setup: username: "joe" body: > { - "password": "s3krit", + "password": "s3krit-password", "roles" : [ "superuser" ], "enabled": false } @@ -27,7 +27,7 @@ teardown: - do: catch: unauthorized headers: - Authorization: "Basic am9lOnMza3JpdA==" + Authorization: "Basic am9lOnMza3JpdC1wYXNzd29yZA==" cluster.health: {} # enable @@ -38,6 +38,6 @@ teardown: # validate user can login - do: headers: - Authorization: "Basic am9lOnMza3JpdA==" + Authorization: "Basic am9lOnMza3JpdC1wYXNzd29yZA==" cluster.health: {} - match: { timed_out: false } diff --git a/x-pack/plugin/watcher/qa/rest/build.gradle b/x-pack/plugin/watcher/qa/rest/build.gradle index 00a7d1925ab3..a37b96ee9e2c 100644 --- a/x-pack/plugin/watcher/qa/rest/build.gradle +++ b/x-pack/plugin/watcher/qa/rest/build.gradle @@ -1,3 +1,5 @@ +import org.elasticsearch.gradle.info.BuildParams + apply plugin: 'elasticsearch.yaml-rest-test' apply plugin: 'elasticsearch.java-rest-test' @@ -26,3 +28,9 @@ testClusters.all { setting 'xpack.license.self_generated.type', 'trial' setting 'logger.org.elasticsearch.xpack.watcher', 'DEBUG' } + +if (BuildParams.inFipsJvm){ + // Test clusters run with security disabled + tasks.named("javaRestTest").configure{enabled = false } + tasks.named("yamlRestTest").configure{enabled = false } +} diff --git a/x-pack/plugin/watcher/qa/with-monitoring/build.gradle b/x-pack/plugin/watcher/qa/with-monitoring/build.gradle index 9442aab06a0d..39705cc684ed 100644 --- a/x-pack/plugin/watcher/qa/with-monitoring/build.gradle +++ b/x-pack/plugin/watcher/qa/with-monitoring/build.gradle @@ -1,3 +1,5 @@ +import org.elasticsearch.gradle.info.BuildParams + apply plugin: 'elasticsearch.java-rest-test' dependencies { @@ -14,3 +16,8 @@ testClusters.all { setting 'xpack.ml.enabled', 'false' setting 'xpack.license.self_generated.type', 'trial' } + +if (BuildParams.inFipsJvm){ + // Test clusters run with security disabled + tasks.named("javaRestTest").configure{enabled = false } +} diff --git a/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/actions/email/EmailSslTests.java b/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/actions/email/EmailSslTests.java index c80fc1dbdfe7..9fcfa1e7e262 100644 --- a/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/actions/email/EmailSslTests.java +++ b/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/actions/email/EmailSslTests.java @@ -88,6 +88,7 @@ public class EmailSslTests extends ESTestCase { } public void testCanSendMessageToSmtpServerUsingTrustStore() throws Exception { + assumeFalse("Can't use PKCS12 keystores in fips mode", inFipsJvm()); List messages = new ArrayList<>(); server.addListener(messages::add); try { diff --git a/x-pack/qa/evil-tests/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosTestCase.java b/x-pack/qa/evil-tests/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosTestCase.java index 6754b1acb934..71fac8f78e0d 100644 --- a/x-pack/qa/evil-tests/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosTestCase.java +++ b/x-pack/qa/evil-tests/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosTestCase.java @@ -128,7 +128,7 @@ public abstract class KerberosTestCase extends ESTestCase { String clientUserName = "client-" + randomAlphaOfLength(8); clientUserNames.add(clientUserName); try { - createPrincipal(clientUserName, "pwd".toCharArray()); + createPrincipal(clientUserName, "spnego-test-password".toCharArray()); } catch (Exception e) { throw ExceptionsHelper.convertToRuntime(e); } diff --git a/x-pack/qa/evil-tests/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosTicketValidatorTests.java b/x-pack/qa/evil-tests/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosTicketValidatorTests.java index c0886f953fee..f6ecbf48f1ad 100644 --- a/x-pack/qa/evil-tests/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosTicketValidatorTests.java +++ b/x-pack/qa/evil-tests/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosTicketValidatorTests.java @@ -37,8 +37,9 @@ public class KerberosTicketValidatorTests extends KerberosTestCase { // Client login and init token preparation final String clientUserName = randomFrom(clientUserNames); - try (SpnegoClient spnegoClient = new SpnegoClient(principalName(clientUserName), new SecureString("pwd".toCharArray()), - principalName("differentServer"), randomFrom(KerberosTicketValidator.SUPPORTED_OIDS))) { + try (SpnegoClient spnegoClient = new SpnegoClient(principalName(clientUserName), + new SecureString("spnego-test-password".toCharArray()), principalName("differentServer"), + randomFrom(KerberosTicketValidator.SUPPORTED_OIDS))) { final String base64KerbToken = spnegoClient.getBase64EncodedTokenForSpnegoHeader(); assertThat(base64KerbToken, is(notNullValue())); @@ -79,8 +80,9 @@ public class KerberosTicketValidatorTests extends KerberosTestCase { throws LoginException, GSSException, IOException, PrivilegedActionException { // Client login and init token preparation final String clientUserName = randomFrom(clientUserNames); - try (SpnegoClient spnegoClient = new SpnegoClient(principalName(clientUserName), new SecureString("pwd".toCharArray()), - principalName(randomFrom(serviceUserNames)), randomFrom(KerberosTicketValidator.SUPPORTED_OIDS));) { + try (SpnegoClient spnegoClient = new SpnegoClient(principalName(clientUserName), + new SecureString("spnego-test-password".toCharArray()), principalName(randomFrom(serviceUserNames)), + randomFrom(KerberosTicketValidator.SUPPORTED_OIDS));) { final String base64KerbToken = spnegoClient.getBase64EncodedTokenForSpnegoHeader(); assertThat(base64KerbToken, is(notNullValue())); @@ -98,7 +100,7 @@ public class KerberosTicketValidatorTests extends KerberosTestCase { public void testValidKebrerosTicket() throws PrivilegedActionException, GSSException, LoginException { // Client login and init token preparation final String clientUserName = randomFrom(clientUserNames); - final SecureString password = new SecureString("pwd".toCharArray()); + final SecureString password = new SecureString("spnego-test-password".toCharArray()); final String servicePrincipalName = principalName(randomFrom(serviceUserNames)); try (SpnegoClient spnegoClient = new SpnegoClient(principalName(clientUserName), password, servicePrincipalName, randomFrom(KerberosTicketValidator.SUPPORTED_OIDS))) { diff --git a/x-pack/qa/evil-tests/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/SimpleKdcLdapServerTests.java b/x-pack/qa/evil-tests/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/SimpleKdcLdapServerTests.java index c1b2ff6808d7..692cb92a5ed6 100644 --- a/x-pack/qa/evil-tests/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/SimpleKdcLdapServerTests.java +++ b/x-pack/qa/evil-tests/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/SimpleKdcLdapServerTests.java @@ -50,8 +50,9 @@ public class SimpleKdcLdapServerTests extends KerberosTestCase { final String serviceUserName = randomFrom(serviceUserNames); // Client login and init token preparation final String clientUserName = randomFrom(clientUserNames); - try (SpnegoClient spnegoClient = new SpnegoClient(principalName(clientUserName), new SecureString("pwd".toCharArray()), - principalName(serviceUserName), randomFrom(KerberosTicketValidator.SUPPORTED_OIDS));) { + try (SpnegoClient spnegoClient = new SpnegoClient(principalName(clientUserName), + new SecureString("spnego-test-password".toCharArray()), principalName(serviceUserName), + randomFrom(KerberosTicketValidator.SUPPORTED_OIDS));) { final String base64KerbToken = spnegoClient.getBase64EncodedTokenForSpnegoHeader(); assertThat(base64KerbToken, is(notNullValue())); final KerberosAuthenticationToken kerbAuthnToken = new KerberosAuthenticationToken(Base64.getDecoder().decode(base64KerbToken)); diff --git a/x-pack/qa/full-cluster-restart/src/test/java/org/elasticsearch/xpack/restart/FullClusterRestartIT.java b/x-pack/qa/full-cluster-restart/src/test/java/org/elasticsearch/xpack/restart/FullClusterRestartIT.java index 46b21c397a30..1b404f9b01de 100644 --- a/x-pack/qa/full-cluster-restart/src/test/java/org/elasticsearch/xpack/restart/FullClusterRestartIT.java +++ b/x-pack/qa/full-cluster-restart/src/test/java/org/elasticsearch/xpack/restart/FullClusterRestartIT.java @@ -739,7 +739,7 @@ public class FullClusterRestartIT extends AbstractFullClusterRestartTestCase { Request request = new Request("PUT", getSecurityEndpoint() + "/user/" + id); request.setJsonEntity( "{\n" + - " \"password\" : \"j@rV1s\",\n" + + " \"password\" : \"l0ng-r4nd0m-p@ssw0rd\",\n" + " \"roles\" : [ \"admin\", \"other_role1\" ],\n" + " \"full_name\" : \"" + randomAlphaOfLength(5) + "\",\n" + " \"email\" : \"" + id + "@example.com\",\n" + diff --git a/x-pack/qa/mixed-tier-cluster/build.gradle b/x-pack/qa/mixed-tier-cluster/build.gradle index 9af29c21d574..552a5693e181 100644 --- a/x-pack/qa/mixed-tier-cluster/build.gradle +++ b/x-pack/qa/mixed-tier-cluster/build.gradle @@ -59,3 +59,9 @@ for (Version bwcVersion : BuildParams.bwcVersions.wireCompatible.findAll { it.on dependsOn "${baseName}#mixedClusterTest" } } + + +// Security is explicitly disabled, do not run tests in FIPS mode +tasks.withType(Test).configureEach { + onlyIf { BuildParams.inFipsJvm == false} +} diff --git a/x-pack/qa/multi-cluster-search-security/src/test/resources/rest-api-spec/test/multi_cluster/10_basic.yml b/x-pack/qa/multi-cluster-search-security/src/test/resources/rest-api-spec/test/multi_cluster/10_basic.yml index 083b41ba5c4e..e7688734d809 100644 --- a/x-pack/qa/multi-cluster-search-security/src/test/resources/rest-api-spec/test/multi_cluster/10_basic.yml +++ b/x-pack/qa/multi-cluster-search-security/src/test/resources/rest-api-spec/test/multi_cluster/10_basic.yml @@ -11,7 +11,7 @@ setup: username: "joe" body: > { - "password": "s3krit", + "password": "s3krit-password", "roles" : [ "x_cluster_role" ] } - do: @@ -33,7 +33,7 @@ setup: username: "remote" body: > { - "password": "s3krit", + "password": "s3krit-password", "roles" : [ "remote_ccs" ] } - do: @@ -80,7 +80,7 @@ teardown: - '{"f1": "local_cluster", "filter_field": 0}' - do: - headers: { Authorization: "Basic am9lOnMza3JpdA==" } + headers: { Authorization: "Basic am9lOnMza3JpdC1wYXNzd29yZA==" } search: rest_total_hits_as_int: true index: local_index,my_remote_cluster:test_index @@ -99,7 +99,7 @@ teardown: - match: { aggregations.cluster.buckets.1.doc_count: 5 } - do: - headers: { Authorization: "Basic am9lOnMza3JpdA==" } + headers: { Authorization: "Basic am9lOnMza3JpdC1wYXNzd29yZA==" } search: rest_total_hits_as_int: true index: local_index,my_remote_cluster:test_index @@ -123,7 +123,7 @@ teardown: - match: { aggregations.cluster.buckets.0.doc_count: 6 } - do: - headers: { Authorization: "Basic am9lOnMza3JpdA==" } + headers: { Authorization: "Basic am9lOnMza3JpdC1wYXNzd29yZA==" } async_search.submit: index: local_index,my_remote_cluster:test_index wait_for_completion_timeout: 10s @@ -151,7 +151,7 @@ teardown: - match: { response.aggregations.cluster.buckets.0.doc_count: 6 } - do: - headers: { Authorization: "Basic am9lOnMza3JpdA==" } + headers: { Authorization: "Basic am9lOnMza3JpdC1wYXNzd29yZA==" } async_search.get: id: "$id" @@ -168,14 +168,14 @@ teardown: - match: { response.aggregations.cluster.buckets.0.doc_count: 6 } - do: - headers: { Authorization: "Basic am9lOnMza3JpdA==" } + headers: { Authorization: "Basic am9lOnMza3JpdC1wYXNzd29yZA==" } async_search.delete: id: "$id" - match: { acknowledged: true } - do: - headers: { Authorization: "Basic am9lOnMza3JpdA==" } + headers: { Authorization: "Basic am9lOnMza3JpdC1wYXNzd29yZA==" } search: rest_total_hits_as_int: true index: my_remote_cluster:test_index @@ -197,7 +197,7 @@ teardown: # Test wildcard in cluster name - do: - headers: { Authorization: "Basic cmVtb3RlOnMza3JpdA==" } + headers: { Authorization: "Basic cmVtb3RlOnMza3JpdC1wYXNzd29yZA==" } search: rest_total_hits_as_int: true index: "my_*:test_index" @@ -218,7 +218,7 @@ teardown: - match: { aggregations.cluster.buckets.0.doc_count: 6 } - do: - headers: { Authorization: "Basic am9lOnMza3JpdA==" } + headers: { Authorization: "Basic am9lOnMza3JpdC1wYXNzd29yZA==" } search: rest_total_hits_as_int: true index: local_index @@ -254,7 +254,7 @@ teardown: - match: {transient: {cluster.remote.test_remote_cluster.seeds: $remote_ip}} - do: - headers: { Authorization: "Basic am9lOnMza3JpdA==" } + headers: { Authorization: "Basic am9lOnMza3JpdC1wYXNzd29yZA==" } search: rest_total_hits_as_int: true index: test_remote_cluster:test_index @@ -268,7 +268,7 @@ teardown: # Test wildcard that matches multiple (two) cluster names - do: - headers: { Authorization: "Basic cmVtb3RlOnMza3JpdA==" } + headers: { Authorization: "Basic cmVtb3RlOnMza3JpdC1wYXNzd29yZA==" } search: rest_total_hits_as_int: true index: "*_remote_cluster:test_ind*" @@ -283,7 +283,7 @@ teardown: "Search an filtered alias on the remote cluster": - do: - headers: { Authorization: "Basic cmVtb3RlOnMza3JpdA==" } + headers: { Authorization: "Basic cmVtb3RlOnMza3JpdC1wYXNzd29yZA==" } search: rest_total_hits_as_int: true index: my_remote_cluster:aliased_test_index @@ -300,7 +300,7 @@ teardown: "Search across clusters via a secured alias": - do: - headers: { Authorization: "Basic cmVtb3RlOnMza3JpdA==" } + headers: { Authorization: "Basic cmVtb3RlOnMza3JpdC1wYXNzd29yZA==" } search: rest_total_hits_as_int: true index: my_remote_cluster:secure_alias # TODO make this a wildcard once @@ -317,7 +317,7 @@ teardown: "Async search against filtered alias on the remote cluster": - do: - headers: { Authorization: "Basic cmVtb3RlOnMza3JpdA==" } + headers: { Authorization: "Basic cmVtb3RlOnMza3JpdC1wYXNzd29yZA==" } async_search.submit: index: my_remote_cluster:aliased_test_index wait_for_completion_timeout: 10s @@ -333,7 +333,7 @@ teardown: - match: { response.hits.hits.0._index: "my_remote_cluster:test_index" } - do: - headers: { Authorization: "Basic cmVtb3RlOnMza3JpdA==" } + headers: { Authorization: "Basic cmVtb3RlOnMza3JpdC1wYXNzd29yZA==" } async_search.get: id: "$id" @@ -345,7 +345,7 @@ teardown: - match: { response.hits.hits.0._index: "my_remote_cluster:test_index" } - do: - headers: { Authorization: "Basic cmVtb3RlOnMza3JpdA==" } + headers: { Authorization: "Basic cmVtb3RlOnMza3JpdC1wYXNzd29yZA==" } async_search.delete: id: "$id" diff --git a/x-pack/qa/multi-cluster-search-security/src/test/resources/rest-api-spec/test/multi_cluster/20_info.yml b/x-pack/qa/multi-cluster-search-security/src/test/resources/rest-api-spec/test/multi_cluster/20_info.yml index b2323587325c..7ee92405b5ff 100644 --- a/x-pack/qa/multi-cluster-search-security/src/test/resources/rest-api-spec/test/multi_cluster/20_info.yml +++ b/x-pack/qa/multi-cluster-search-security/src/test/resources/rest-api-spec/test/multi_cluster/20_info.yml @@ -11,7 +11,7 @@ setup: username: "joe" body: > { - "password": "s3krit", + "password": "s3krit-password", "roles" : [ "x_cluster_role" ] } - do: @@ -35,7 +35,7 @@ teardown: "Fetch remote cluster info for existing cluster": - do: - headers: { Authorization: "Basic am9lOnMza3JpdA==" } + headers: { Authorization: "Basic am9lOnMza3JpdC1wYXNzd29yZA==" } cluster.remote_info: {} - match: { my_remote_cluster.connected: true } - match: { my_remote_cluster.num_nodes_connected: 1} @@ -67,7 +67,7 @@ teardown: index: test_remote_cluster:test_index - do: - headers: { Authorization: "Basic am9lOnMza3JpdA==" } + headers: { Authorization: "Basic am9lOnMza3JpdC1wYXNzd29yZA==" } cluster.remote_info: {} - match: { test_remote_cluster.connected: true } - match: { my_remote_cluster.connected: true } diff --git a/x-pack/qa/multi-cluster-search-security/src/test/resources/rest-api-spec/test/multi_cluster/30_field_caps.yml b/x-pack/qa/multi-cluster-search-security/src/test/resources/rest-api-spec/test/multi_cluster/30_field_caps.yml index d4d83937654f..37c204beb0bd 100644 --- a/x-pack/qa/multi-cluster-search-security/src/test/resources/rest-api-spec/test/multi_cluster/30_field_caps.yml +++ b/x-pack/qa/multi-cluster-search-security/src/test/resources/rest-api-spec/test/multi_cluster/30_field_caps.yml @@ -11,7 +11,7 @@ setup: username: "joe" body: > { - "password": "s3krit", + "password": "s3krit-password", "roles" : [ "x_cluster_role" ] } - do: @@ -64,7 +64,7 @@ teardown: doc_values: true - do: - headers: { Authorization: "Basic am9lOnMza3JpdA==" } + headers: { Authorization: "Basic am9lOnMza3JpdC1wYXNzd29yZA==" } field_caps: index: 'field_caps_index_2,my_remote_cluster:field_caps_index_1,my_remote_cluster:field_caps_index_3' fields: [text, keyword, number, geo] diff --git a/x-pack/qa/multi-cluster-search-security/src/test/resources/rest-api-spec/test/multi_cluster/40_scroll.yml b/x-pack/qa/multi-cluster-search-security/src/test/resources/rest-api-spec/test/multi_cluster/40_scroll.yml index 1d67742a5d2a..c0c534fc3d63 100644 --- a/x-pack/qa/multi-cluster-search-security/src/test/resources/rest-api-spec/test/multi_cluster/40_scroll.yml +++ b/x-pack/qa/multi-cluster-search-security/src/test/resources/rest-api-spec/test/multi_cluster/40_scroll.yml @@ -11,7 +11,7 @@ setup: username: "joe" body: > { - "password": "s3krit", + "password": "s3krit-password", "roles" : [ "x_cluster_role" ] } - do: # Remote indices only CCS does not require any privileges on the local cluster @@ -36,7 +36,7 @@ teardown: "Scroll on the mixed cluster": - do: - headers: { Authorization: "Basic am9lOnMza3JpdA==" } + headers: { Authorization: "Basic am9lOnMza3JpdC1wYXNzd29yZA==" } search: rest_total_hits_as_int: true index: my_remote_cluster:test_index @@ -59,7 +59,7 @@ teardown: - match: {hits.hits.3._source.filter_field: 0 } - do: - headers: { Authorization: "Basic am9lOnMza3JpdA==" } + headers: { Authorization: "Basic am9lOnMza3JpdC1wYXNzd29yZA==" } scroll: rest_total_hits_as_int: true body: { "scroll_id": "$scroll_id", "scroll": "1m"} @@ -71,7 +71,7 @@ teardown: - match: {hits.hits.1._source.filter_field: 1 } - do: - headers: { Authorization: "Basic am9lOnMza3JpdA==" } + headers: { Authorization: "Basic am9lOnMza3JpdC1wYXNzd29yZA==" } scroll: rest_total_hits_as_int: true scroll_id: $scroll_id @@ -81,14 +81,14 @@ teardown: - length: {hits.hits: 0 } - do: - headers: { Authorization: "Basic am9lOnMza3JpdA==" } + headers: { Authorization: "Basic am9lOnMza3JpdC1wYXNzd29yZA==" } clear_scroll: scroll_id: $scroll_id --- "Steal Scroll ID on the mixed cluster": - do: - headers: { Authorization: "Basic am9lOnMza3JpdA==" } + headers: { Authorization: "Basic am9lOnMza3JpdC1wYXNzd29yZA==" } search: rest_total_hits_as_int: true index: my_remote_cluster:test_index @@ -117,7 +117,7 @@ teardown: body: { "scroll_id": "$scroll_id", "scroll": "1m"} - do: - headers: { Authorization: "Basic am9lOnMza3JpdA==" } + headers: { Authorization: "Basic am9lOnMza3JpdC1wYXNzd29yZA==" } catch: missing clear_scroll: scroll_id: $scroll_id diff --git a/x-pack/qa/multi-cluster-search-security/src/test/resources/rest-api-spec/test/multi_cluster/50_missing.yml b/x-pack/qa/multi-cluster-search-security/src/test/resources/rest-api-spec/test/multi_cluster/50_missing.yml index e2a05f3326a9..3b16e3023423 100644 --- a/x-pack/qa/multi-cluster-search-security/src/test/resources/rest-api-spec/test/multi_cluster/50_missing.yml +++ b/x-pack/qa/multi-cluster-search-security/src/test/resources/rest-api-spec/test/multi_cluster/50_missing.yml @@ -11,7 +11,7 @@ setup: username: "joe" body: > { - "password": "s3krit", + "password": "s3krit-password", "roles" : [ "x_cluster_role" ] } - do: @@ -40,7 +40,7 @@ teardown: --- "Search with missing remote index pattern": - do: - headers: { Authorization: "Basic am9lOnMza3JpdA==" } + headers: { Authorization: "Basic am9lOnMza3JpdC1wYXNzd29yZA==" } search: rest_total_hits_as_int: true index: "*:foo-*" @@ -49,7 +49,7 @@ teardown: - match: { hits.total: 0 } - do: - headers: { Authorization: "Basic am9lOnMza3JpdA==" } + headers: { Authorization: "Basic am9lOnMza3JpdC1wYXNzd29yZA==" } search: rest_total_hits_as_int: true index: "my_remote_cluster:foo-*" @@ -59,14 +59,14 @@ teardown: - do: catch: "forbidden" - headers: { Authorization: "Basic am9lOnMza3JpdA==" } + headers: { Authorization: "Basic am9lOnMza3JpdC1wYXNzd29yZA==" } search: rest_total_hits_as_int: true index: "*:foo-bar" - do: catch: "forbidden" - headers: { Authorization: "Basic am9lOnMza3JpdA==" } + headers: { Authorization: "Basic am9lOnMza3JpdC1wYXNzd29yZA==" } search: rest_total_hits_as_int: true index: "my_remote_cluster:foo-bar" diff --git a/x-pack/qa/multi-cluster-search-security/src/test/resources/rest-api-spec/test/multi_cluster/60_skip_shards.yml b/x-pack/qa/multi-cluster-search-security/src/test/resources/rest-api-spec/test/multi_cluster/60_skip_shards.yml index 832b7deb8ec7..6e534cedac59 100644 --- a/x-pack/qa/multi-cluster-search-security/src/test/resources/rest-api-spec/test/multi_cluster/60_skip_shards.yml +++ b/x-pack/qa/multi-cluster-search-security/src/test/resources/rest-api-spec/test/multi_cluster/60_skip_shards.yml @@ -11,7 +11,7 @@ setup: username: "joe" body: > { - "password": "s3krit", + "password": "s3krit-password", "roles" : [ "x_cluster_role" ] } - do: @@ -63,7 +63,7 @@ teardown: # check that we skip the remote shard - do: - headers: { Authorization: "Basic am9lOnMza3JpdA==" } + headers: { Authorization: "Basic am9lOnMza3JpdC1wYXNzd29yZA==" } search: ccs_minimize_roundtrips: false rest_total_hits_as_int: true @@ -81,7 +81,7 @@ teardown: # check that we skip the local shard - do: - headers: { Authorization: "Basic am9lOnMza3JpdA==" } + headers: { Authorization: "Basic am9lOnMza3JpdC1wYXNzd29yZA==" } search: ccs_minimize_roundtrips: false rest_total_hits_as_int: true diff --git a/x-pack/qa/multi-cluster-search-security/src/test/resources/rest-api-spec/test/multi_cluster/80_point_in_time.yml b/x-pack/qa/multi-cluster-search-security/src/test/resources/rest-api-spec/test/multi_cluster/80_point_in_time.yml index 6edbaef62a94..c0cee51ac36b 100644 --- a/x-pack/qa/multi-cluster-search-security/src/test/resources/rest-api-spec/test/multi_cluster/80_point_in_time.yml +++ b/x-pack/qa/multi-cluster-search-security/src/test/resources/rest-api-spec/test/multi_cluster/80_point_in_time.yml @@ -11,7 +11,7 @@ setup: username: "joe" body: > { - "password": "s3krit", + "password": "s3krit-password", "roles" : [ "x_cluster_role" ] } - do: @@ -33,7 +33,7 @@ setup: username: "remote" body: > { - "password": "s3krit", + "password": "s3krit-password", "roles" : [ "remote_ccs" ] } - do: @@ -78,14 +78,14 @@ teardown: - '{"f": "l2", "created_at" : "2021-01-02"}' - do: - headers: { Authorization: "Basic am9lOnMza3JpdA==" } + headers: { Authorization: "Basic am9lOnMza3JpdC1wYXNzd29yZA==" } open_point_in_time: index: my_remote_cluster:point_in_time_index,local_pit keep_alive: 5m - set: {id: pit_id} - do: - headers: { Authorization: "Basic am9lOnMza3JpdA==" } + headers: { Authorization: "Basic am9lOnMza3JpdC1wYXNzd29yZA==" } search: rest_total_hits_as_int: true sort: created_at @@ -107,7 +107,7 @@ teardown: - match: { hits.hits.2._source.f: "l2" } - do: - headers: { Authorization: "Basic am9lOnMza3JpdA==" } + headers: { Authorization: "Basic am9lOnMza3JpdC1wYXNzd29yZA==" } close_point_in_time: body: id: "$pit_id" @@ -116,14 +116,14 @@ teardown: "Point in time CCS with only remote indices requires no privileges on local cluster": - do: - headers: { Authorization: "Basic cmVtb3RlOnMza3JpdA==" } + headers: { Authorization: "Basic cmVtb3RlOnMza3JpdC1wYXNzd29yZA==" } open_point_in_time: index: "my_*:point_in_time_index" keep_alive: 5m - set: {id: pit_id} - do: - headers: { Authorization: "Basic cmVtb3RlOnMza3JpdA==" } + headers: { Authorization: "Basic cmVtb3RlOnMza3JpdC1wYXNzd29yZA==" } search: rest_total_hits_as_int: true sort: created_at @@ -143,7 +143,7 @@ teardown: - match: { hits.hits.1._source.f: "r4" } - do: - headers: { Authorization: "Basic cmVtb3RlOnMza3JpdA==" } + headers: { Authorization: "Basic cmVtb3RlOnMza3JpdC1wYXNzd29yZA==" } close_point_in_time: body: id: "$pit_id" diff --git a/x-pack/qa/multi-cluster-search-security/src/test/resources/rest-api-spec/test/remote_cluster/10_basic.yml b/x-pack/qa/multi-cluster-search-security/src/test/resources/rest-api-spec/test/remote_cluster/10_basic.yml index 46ffe7407941..4bdf52477035 100644 --- a/x-pack/qa/multi-cluster-search-security/src/test/resources/rest-api-spec/test/remote_cluster/10_basic.yml +++ b/x-pack/qa/multi-cluster-search-security/src/test/resources/rest-api-spec/test/remote_cluster/10_basic.yml @@ -11,7 +11,7 @@ setup: username: "joe" body: > { - "password": "s3krit", + "password": "s3krit-password", "roles" : [ "x_cluster_role" ] } - do: @@ -34,7 +34,7 @@ setup: username: "remote" body: > { - "password": "s3krit", + "password": "s3krit-password", "roles" : [ "remote_ccs" ] } - do: @@ -220,7 +220,7 @@ setup: - do: - headers: { Authorization: "Basic am9lOnMza3JpdA==" } + headers: { Authorization: "Basic am9lOnMza3JpdC1wYXNzd29yZA==" } search: rest_total_hits_as_int: true index: test_index @@ -237,7 +237,7 @@ setup: - match: { aggregations.cluster.buckets.0.doc_count: 6 } - do: - headers: { Authorization: "Basic am9lOnMza3JpdA==" } + headers: { Authorization: "Basic am9lOnMza3JpdC1wYXNzd29yZA==" } search: rest_total_hits_as_int: true index: aliased_test_index @@ -248,7 +248,7 @@ setup: - match: { hits.hits.0._index: "test_index" } - do: - headers: { Authorization: "Basic am9lOnMza3JpdA==" } + headers: { Authorization: "Basic am9lOnMza3JpdC1wYXNzd29yZA==" } search: rest_total_hits_as_int: true index: secure_alias @@ -268,7 +268,7 @@ setup: username: "joe" body: > { - "password": "s3krit", + "password": "s3krit-password", "roles" : [ ] } - match: { created: false } diff --git a/x-pack/qa/multi-cluster-tests-with-security/src/test/resources/rest-api-spec/test/multi_cluster/80_transform.yml b/x-pack/qa/multi-cluster-tests-with-security/src/test/resources/rest-api-spec/test/multi_cluster/80_transform.yml index fb1cbda58fa9..499edd3699fd 100644 --- a/x-pack/qa/multi-cluster-tests-with-security/src/test/resources/rest-api-spec/test/multi_cluster/80_transform.yml +++ b/x-pack/qa/multi-cluster-tests-with-security/src/test/resources/rest-api-spec/test/multi_cluster/80_transform.yml @@ -12,7 +12,7 @@ setup: username: "joe" body: > { - "password": "transform", + "password": "transform-password", "roles" : [ "transform_admin", "x_cluster_role" ] } - do: @@ -42,7 +42,7 @@ teardown: --- "Search remote cluster": - do: - headers: { Authorization: "Basic am9lOnRyYW5zZm9ybQ==" } + headers: { Authorization: "Basic am9lOnRyYW5zZm9ybS1wYXNzd29yZA==" } search: rest_total_hits_as_int: true index: my_remote_cluster:test_index @@ -61,7 +61,7 @@ teardown: --- "Batch transform from remote cluster": - do: - headers: { Authorization: "Basic am9lOnRyYW5zZm9ybQ==" } + headers: { Authorization: "Basic am9lOnRyYW5zZm9ybS1wYXNzd29yZA==" } transform.put_transform: transform_id: "simple-remote-transform" body: > @@ -76,7 +76,7 @@ teardown: - match: { acknowledged: true } - do: - headers: { Authorization: "Basic am9lOnRyYW5zZm9ybQ==" } + headers: { Authorization: "Basic am9lOnRyYW5zZm9ybS1wYXNzd29yZA==" } transform.start_transform: transform_id: "simple-remote-transform" - match: { acknowledged: true } @@ -89,7 +89,7 @@ teardown: - match: { transforms.0.state: "/started|indexing|stopping|stopped/" } - do: - headers: { Authorization: "Basic am9lOnRyYW5zZm9ybQ==" } + headers: { Authorization: "Basic am9lOnRyYW5zZm9ybS1wYXNzd29yZA==" } transform.stop_transform: transform_id: "simple-remote-transform" wait_for_completion: true @@ -97,7 +97,7 @@ teardown: - match: { acknowledged: true } - do: - headers: { Authorization: "Basic am9lOnRyYW5zZm9ybQ==" } + headers: { Authorization: "Basic am9lOnRyYW5zZm9ybS1wYXNzd29yZA==" } transform.get_transform_stats: transform_id: "simple-remote-transform" - match: { count: 1 } @@ -107,12 +107,12 @@ teardown: # workaround: refresh dest index, to be removed, see gh #51154 - do: - headers: { Authorization: "Basic am9lOnRyYW5zZm9ybQ==" } + headers: { Authorization: "Basic am9lOnRyYW5zZm9ybS1wYXNzd29yZA==" } indices.refresh: index: simple-remote-transform - do: - headers: { Authorization: "Basic am9lOnRyYW5zZm9ybQ==" } + headers: { Authorization: "Basic am9lOnRyYW5zZm9ybS1wYXNzd29yZA==" } search: rest_total_hits_as_int: true index: simple-remote-transform @@ -126,7 +126,7 @@ teardown: - match: { hits.hits.1._source.user: b } - do: - headers: { Authorization: "Basic am9lOnRyYW5zZm9ybQ==" } + headers: { Authorization: "Basic am9lOnRyYW5zZm9ybS1wYXNzd29yZA==" } transform.update_transform: transform_id: "simple-remote-transform" body: > @@ -134,7 +134,7 @@ teardown: "source": { "index": ["my_remote_cluster:test_index", "my_remote_cluster:test_index_2"] } } - do: - headers: { Authorization: "Basic am9lOnRyYW5zZm9ybQ==" } + headers: { Authorization: "Basic am9lOnRyYW5zZm9ybS1wYXNzd29yZA==" } transform.get_transform_stats: transform_id: "simple-remote-transform" - match: { count: 1 } @@ -190,7 +190,7 @@ teardown: - '{"user": "c", "stars": 4, "date" : "2018-11-29T12:35:12.123456789Z"}' - do: - headers: { Authorization: "Basic am9lOnRyYW5zZm9ybQ==" } + headers: { Authorization: "Basic am9lOnRyYW5zZm9ybS1wYXNzd29yZA==" } transform.put_transform: transform_id: "simple-local-remote-transform" body: > @@ -208,7 +208,7 @@ teardown: - match: { acknowledged: true } - do: - headers: { Authorization: "Basic am9lOnRyYW5zZm9ybQ==" } + headers: { Authorization: "Basic am9lOnRyYW5zZm9ybS1wYXNzd29yZA==" } transform.start_transform: transform_id: "simple-local-remote-transform" - match: { acknowledged: true } @@ -221,7 +221,7 @@ teardown: - match: { transforms.0.state: "/started|indexing|stopping|stopped/" } - do: - headers: { Authorization: "Basic am9lOnRyYW5zZm9ybQ==" } + headers: { Authorization: "Basic am9lOnRyYW5zZm9ybS1wYXNzd29yZA==" } transform.stop_transform: transform_id: "simple-local-remote-transform" wait_for_completion: true @@ -229,7 +229,7 @@ teardown: - match: { acknowledged: true } - do: - headers: { Authorization: "Basic am9lOnRyYW5zZm9ybQ==" } + headers: { Authorization: "Basic am9lOnRyYW5zZm9ybS1wYXNzd29yZA==" } transform.get_transform_stats: transform_id: "simple-local-remote-transform" - match: { count: 1 } @@ -239,12 +239,12 @@ teardown: # workaround: refresh dest index, to be removed, see gh #51154 - do: - headers: { Authorization: "Basic am9lOnRyYW5zZm9ybQ==" } + headers: { Authorization: "Basic am9lOnRyYW5zZm9ybS1wYXNzd29yZA==" } indices.refresh: index: simple-local-remote-transform - do: - headers: { Authorization: "Basic am9lOnRyYW5zZm9ybQ==" } + headers: { Authorization: "Basic am9lOnRyYW5zZm9ybS1wYXNzd29yZA==" } search: rest_total_hits_as_int: true index: simple-local-remote-transform diff --git a/x-pack/qa/multi-cluster-tests-with-security/src/test/resources/rest-api-spec/test/remote_cluster/80_transform.yml b/x-pack/qa/multi-cluster-tests-with-security/src/test/resources/rest-api-spec/test/remote_cluster/80_transform.yml index 46d15c05c019..a116e83813e2 100644 --- a/x-pack/qa/multi-cluster-tests-with-security/src/test/resources/rest-api-spec/test/remote_cluster/80_transform.yml +++ b/x-pack/qa/multi-cluster-tests-with-security/src/test/resources/rest-api-spec/test/remote_cluster/80_transform.yml @@ -11,7 +11,7 @@ setup: username: "joe" body: > { - "password": "transform", + "password": "transform-password", "roles" : [ "x_cluster_role" ] } - do: diff --git a/x-pack/qa/password-protected-keystore/build.gradle b/x-pack/qa/password-protected-keystore/build.gradle index f4a1f41a4a3c..ec564b6a89fd 100644 --- a/x-pack/qa/password-protected-keystore/build.gradle +++ b/x-pack/qa/password-protected-keystore/build.gradle @@ -13,7 +13,7 @@ dependencies { testClusters.integTest { testDistribution = 'DEFAULT' numberOfNodes = 2 - keystorePassword 's3cr3t' + keystorePassword 'keystore-password' setting 'xpack.security.enabled', 'true' setting 'xpack.security.authc.anonymous.roles', 'anonymous' @@ -29,5 +29,5 @@ testClusters.integTest { extraConfigFile 'roles.yml', file('src/test/resources/roles.yml') user username: 'admin_user', password: 'admin-password' - user username:'test-user' ,password: 'test-password', role: 'user_role' + user username:'test-user' ,password: 'test-user-password', role: 'user_role' } diff --git a/x-pack/qa/password-protected-keystore/src/test/java/org/elasticsearch/password_protected_keystore/ReloadSecureSettingsWithPasswordProtectedKeystoreRestIT.java b/x-pack/qa/password-protected-keystore/src/test/java/org/elasticsearch/password_protected_keystore/ReloadSecureSettingsWithPasswordProtectedKeystoreRestIT.java index f8e0db7e12d3..d6f6e97ae0bb 100644 --- a/x-pack/qa/password-protected-keystore/src/test/java/org/elasticsearch/password_protected_keystore/ReloadSecureSettingsWithPasswordProtectedKeystoreRestIT.java +++ b/x-pack/qa/password-protected-keystore/src/test/java/org/elasticsearch/password_protected_keystore/ReloadSecureSettingsWithPasswordProtectedKeystoreRestIT.java @@ -23,7 +23,7 @@ import java.util.Map; public class ReloadSecureSettingsWithPasswordProtectedKeystoreRestIT extends ESRestTestCase { // From build.gradle - private final String KEYSTORE_PASSWORD = "s3cr3t"; + private final String KEYSTORE_PASSWORD = "keystore-password"; private final int NUM_NODES = 2; @SuppressWarnings("unchecked") @@ -86,7 +86,7 @@ public class ReloadSecureSettingsWithPasswordProtectedKeystoreRestIT extends ESR @Override protected Settings restClientSettings() { - String token = basicAuthHeaderValue("test-user", new SecureString("test-password".toCharArray())); + String token = basicAuthHeaderValue("test-user", new SecureString("test-user-password".toCharArray())); return Settings.builder() .put(ThreadContext.PREFIX + ".Authorization", token) .build(); diff --git a/x-pack/qa/reindex-tests-with-security/build.gradle b/x-pack/qa/reindex-tests-with-security/build.gradle index 30bdf322794c..f577be2f2ccd 100644 --- a/x-pack/qa/reindex-tests-with-security/build.gradle +++ b/x-pack/qa/reindex-tests-with-security/build.gradle @@ -19,14 +19,14 @@ tasks.named("forbiddenPatterns").configure { exclude '**/*.jks' } -File caFile = project.file('src/test/resources/ssl/ca.p12') +File caFile = project.file('src/test/resources/ssl/ca.crt') testClusters.integTest { testDistribution = 'DEFAULT' // Whitelist reindexing from the local node so we can test it. extraConfigFile 'http.key', file('src/test/resources/ssl/http.key') extraConfigFile 'http.crt', file('src/test/resources/ssl/http.crt') - extraConfigFile 'ca.p12', caFile + extraConfigFile 'ca.crt', caFile setting 'reindex.remote.whitelist', '127.0.0.1:*' setting 'xpack.security.enabled', 'true' setting 'xpack.ml.enabled', 'false' @@ -35,8 +35,7 @@ testClusters.integTest { setting 'xpack.security.http.ssl.certificate', 'http.crt' setting 'xpack.security.http.ssl.key', 'http.key' setting 'xpack.security.http.ssl.key_passphrase', 'http-password' - setting 'reindex.ssl.truststore.path', 'ca.p12' - setting 'reindex.ssl.truststore.password', 'password' + setting 'reindex.ssl.certificate_authorities', 'ca.crt' // Workaround for JDK-8212885 if (BuildParams.runtimeJavaVersion.isJava12Compatible() == false) { diff --git a/x-pack/qa/reindex-tests-with-security/src/test/java/org/elasticsearch/xpack/security/ReindexWithSecurityClientYamlTestSuiteIT.java b/x-pack/qa/reindex-tests-with-security/src/test/java/org/elasticsearch/xpack/security/ReindexWithSecurityClientYamlTestSuiteIT.java index 76715613e3c3..475055186751 100644 --- a/x-pack/qa/reindex-tests-with-security/src/test/java/org/elasticsearch/xpack/security/ReindexWithSecurityClientYamlTestSuiteIT.java +++ b/x-pack/qa/reindex-tests-with-security/src/test/java/org/elasticsearch/xpack/security/ReindexWithSecurityClientYamlTestSuiteIT.java @@ -26,7 +26,7 @@ public class ReindexWithSecurityClientYamlTestSuiteIT extends ESClientYamlSuiteT private static final String USER = "test_admin"; private static final String PASS = "x-pack-test-password"; - private static Path httpTrustStore; + private static Path httpCertificateAuthority; public ReindexWithSecurityClientYamlTestSuiteIT(@Name("yaml") ClientYamlTestCandidate testCandidate) { super(testCandidate); @@ -38,17 +38,17 @@ public class ReindexWithSecurityClientYamlTestSuiteIT extends ESClientYamlSuiteT } @BeforeClass - public static void findTrustStore( ) throws Exception { - final URL resource = ReindexWithSecurityClientYamlTestSuiteIT.class.getResource("/ssl/ca.p12"); + public static void findTrustedCaCertificate( ) throws Exception { + final URL resource = ReindexWithSecurityClientYamlTestSuiteIT.class.getResource("/ssl/ca.crt"); if (resource == null) { - throw new FileNotFoundException("Cannot find classpath resource /ssl/ca.p12"); + throw new FileNotFoundException("Cannot find classpath resource /ssl/ca.crt"); } - httpTrustStore = PathUtils.get(resource.toURI()); + httpCertificateAuthority = PathUtils.get(resource.toURI()); } @AfterClass public static void cleanupStatics() { - httpTrustStore = null; + httpCertificateAuthority = null; } @Override @@ -64,8 +64,7 @@ public class ReindexWithSecurityClientYamlTestSuiteIT extends ESClientYamlSuiteT String token = basicAuthHeaderValue(USER, new SecureString(PASS.toCharArray())); return Settings.builder() .put(ThreadContext.PREFIX + ".Authorization", token) - .put(TRUSTSTORE_PATH , httpTrustStore) - .put(TRUSTSTORE_PASSWORD, "password") + .put(CERTIFICATE_AUTHORITIES , httpCertificateAuthority) .build(); } } diff --git a/x-pack/qa/reindex-tests-with-security/src/test/resources/rest-api-spec/test/15_reindex_from_remote.yml b/x-pack/qa/reindex-tests-with-security/src/test/resources/rest-api-spec/test/15_reindex_from_remote.yml index e41fba0d7a55..85f74e20f60c 100644 --- a/x-pack/qa/reindex-tests-with-security/src/test/resources/rest-api-spec/test/15_reindex_from_remote.yml +++ b/x-pack/qa/reindex-tests-with-security/src/test/resources/rest-api-spec/test/15_reindex_from_remote.yml @@ -388,7 +388,7 @@ remote: host: https://${host} username: test_admin - password: badpass + password: bad-x-pack-test-password index: source dest: index: dest diff --git a/x-pack/qa/rolling-upgrade-basic/build.gradle b/x-pack/qa/rolling-upgrade-basic/build.gradle index 1e2e212d237f..8123a28e8a49 100644 --- a/x-pack/qa/rolling-upgrade-basic/build.gradle +++ b/x-pack/qa/rolling-upgrade-basic/build.gradle @@ -9,6 +9,10 @@ apply from : "$rootDir/gradle/bwc-test.gradle" dependencies { testImplementation project(':x-pack:qa') } +if (BuildParams.inFipsJvm){ + // This test is testing rolling upgrades with a BASIC license and FIPS 140 mode is not available in BASIC + tasks.withType(Test).configureEach{ enabled = false } +} for (Version bwcVersion : BuildParams.bwcVersions.wireCompatible) { String baseName = "v${bwcVersion}" @@ -79,3 +83,12 @@ for (Version bwcVersion : BuildParams.bwcVersions.wireCompatible) { dependsOn "${baseName}#upgradedClusterTest" } } + + +// Security is explicitly disabled, do not run tests in FIPS mode +tasks.withType(Test).configureEach { + onlyIf { BuildParams.inFipsJvm == false} +} +tasks.getByName("testingConventions") { + onlyIf { BuildParams.inFipsJvm == false } +} diff --git a/x-pack/qa/rolling-upgrade-multi-cluster/build.gradle b/x-pack/qa/rolling-upgrade-multi-cluster/build.gradle index 5574552d4687..da3db50509de 100644 --- a/x-pack/qa/rolling-upgrade-multi-cluster/build.gradle +++ b/x-pack/qa/rolling-upgrade-multi-cluster/build.gradle @@ -94,3 +94,8 @@ for (Version bwcVersion : BuildParams.bwcVersions.wireCompatible) { dependsOn "${baseName}#leader#upgradedClusterTest" } } + +// Security is explicitly disabled, do not run tests in FIPS mode +tasks.withType(Test).configureEach { + onlyIf { BuildParams.inFipsJvm == false} +} diff --git a/x-pack/qa/rolling-upgrade/src/test/resources/rest-api-spec/test/old_cluster/20_security.yml b/x-pack/qa/rolling-upgrade/src/test/resources/rest-api-spec/test/old_cluster/20_security.yml index 1cd4ead9db08..bb8434b3d88d 100644 --- a/x-pack/qa/rolling-upgrade/src/test/resources/rest-api-spec/test/old_cluster/20_security.yml +++ b/x-pack/qa/rolling-upgrade/src/test/resources/rest-api-spec/test/old_cluster/20_security.yml @@ -64,7 +64,7 @@ username: "logstash_system" body: > { - "password" : "changed-it" + "password" : "changed-password" } - do: diff --git a/x-pack/qa/security-example-spi-extension/src/javaRestTest/java/org/elasticsearch/example/role/CustomRolesProviderIT.java b/x-pack/qa/security-example-spi-extension/src/javaRestTest/java/org/elasticsearch/example/role/CustomRolesProviderIT.java index fbe003e3060b..0f157c8a6261 100644 --- a/x-pack/qa/security-example-spi-extension/src/javaRestTest/java/org/elasticsearch/example/role/CustomRolesProviderIT.java +++ b/x-pack/qa/security-example-spi-extension/src/javaRestTest/java/org/elasticsearch/example/role/CustomRolesProviderIT.java @@ -35,7 +35,7 @@ import static org.hamcrest.Matchers.is; */ public class CustomRolesProviderIT extends ESIntegTestCase { private static final String TEST_USER = "test_user"; - private static final String TEST_PWD = "change_me"; + private static final String TEST_PWD = "test-user-password"; private static final RequestOptions AUTH_OPTIONS; static { diff --git a/x-pack/qa/security-setup-password-tests/src/test/java/org/elasticsearch/xpack/security/authc/esnative/tool/SetupPasswordToolIT.java b/x-pack/qa/security-setup-password-tests/src/test/java/org/elasticsearch/xpack/security/authc/esnative/tool/SetupPasswordToolIT.java index a5c1a9391ccf..5ad23384114e 100644 --- a/x-pack/qa/security-setup-password-tests/src/test/java/org/elasticsearch/xpack/security/authc/esnative/tool/SetupPasswordToolIT.java +++ b/x-pack/qa/security-setup-password-tests/src/test/java/org/elasticsearch/xpack/security/authc/esnative/tool/SetupPasswordToolIT.java @@ -80,8 +80,10 @@ public class SetupPasswordToolIT extends ESRestTestCase { final int status; if (randomBoolean()) { mockTerminal.addTextInput("y"); // answer yes to continue prompt + possiblyDecryptKeystore(mockTerminal); status = tool.main(new String[] { "auto" }, mockTerminal); } else { + possiblyDecryptKeystore(mockTerminal); status = tool.main(new String[] { "auto", "--batch" }, mockTerminal); } assertEquals(0, status); @@ -120,6 +122,13 @@ public class SetupPasswordToolIT extends ESRestTestCase { }); } + private void possiblyDecryptKeystore(MockTerminal mockTerminal) { + if (inFipsJvm()) { + // In our FIPS 140-2 tests, we set the keystore password to `keystore-password` + mockTerminal.addSecretInput("keystore-password"); + } + } + @SuppressForbidden(reason = "need to set sys props for CLI tool") private void setSystemPropsForTool(Path configPath) { System.setProperty("es.path.conf", configPath.toString()); diff --git a/x-pack/qa/security-tools-tests/src/test/java/org/elasticsearch/xpack/security/authc/file/tool/UsersToolTests.java b/x-pack/qa/security-tools-tests/src/test/java/org/elasticsearch/xpack/security/authc/file/tool/UsersToolTests.java index d0258d8494d7..edbc979a48ad 100644 --- a/x-pack/qa/security-tools-tests/src/test/java/org/elasticsearch/xpack/security/authc/file/tool/UsersToolTests.java +++ b/x-pack/qa/security-tools-tests/src/test/java/org/elasticsearch/xpack/security/authc/file/tool/UsersToolTests.java @@ -39,6 +39,7 @@ import java.util.List; import java.util.Map; import java.util.Objects; +import static org.elasticsearch.test.SecurityIntegTestCase.getFastStoredHashAlgoForTests; import static org.hamcrest.Matchers.containsString; public class UsersToolTests extends CommandTestCase { @@ -70,8 +71,7 @@ public class UsersToolTests extends CommandTestCase { IOUtils.rm(homeDir); confDir = homeDir.resolve("config"); Files.createDirectories(confDir); - hasher = inFipsJvm() ? randomFrom(Hasher.PBKDF2, Hasher.PBKDF2_1000, Hasher.PBKDF2_STRETCH) - : randomFrom(Hasher.PBKDF2_1000, Hasher.PBKDF2, Hasher.BCRYPT, Hasher.BCRYPT9); + hasher = getFastStoredHashAlgoForTests(); String defaultPassword = SecuritySettingsSourceField.TEST_PASSWORD; Files.write(confDir.resolve("users"), Arrays.asList( "existing_user:" + new String(hasher.hash(SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING)), @@ -402,16 +402,16 @@ public class UsersToolTests extends CommandTestCase { } public void testPasswdNoPasswordOption() throws Exception { - terminal.addSecretInput("newpassword"); - terminal.addSecretInput("newpassword"); + terminal.addSecretInput("new-test-user-password"); + terminal.addSecretInput("new-test-user-password"); execute("passwd", pathHomeParameter, fileOrderParameter, "existing_user"); - assertUser("existing_user", "newpassword"); + assertUser("existing_user", "new-test-user-password"); assertRole("test_admin", "existing_user", "existing_user2"); // roles unchanged } public void testPasswd() throws Exception { - execute("passwd", pathHomeParameter, fileOrderParameter, "existing_user", "-p", "newpassword"); - assertUser("existing_user", "newpassword"); + execute("passwd", pathHomeParameter, fileOrderParameter, "existing_user", "-p", "new-test-user-password"); + assertUser("existing_user", "new-test-user-password"); assertRole("test_admin", "existing_user"); // roles unchanged } @@ -423,7 +423,7 @@ public class UsersToolTests extends CommandTestCase { .put("xpack.security.fips_mode.enabled", true) .build(); UserException e = expectThrows(UserException.class, () -> { - execute("passwd", pathHomeParameter, fileOrderParameter, "existing_user", "-p", "newpassword"); + execute("passwd", pathHomeParameter, fileOrderParameter, "existing_user", "-p", "new-test-user-password"); }); assertEquals(ExitCodes.CONFIG, e.exitCode); assertEquals("Only PBKDF2 is allowed for password hashing in a FIPS 140 JVM. " + diff --git a/x-pack/qa/third-party/jira/build.gradle b/x-pack/qa/third-party/jira/build.gradle index a24a8c690215..6f1b6766c6ae 100644 --- a/x-pack/qa/third-party/jira/build.gradle +++ b/x-pack/qa/third-party/jira/build.gradle @@ -3,6 +3,8 @@ import groovy.json.JsonSlurper import javax.net.ssl.HttpsURLConnection import java.nio.charset.StandardCharsets +import org.elasticsearch.gradle.info.BuildParams + apply plugin: 'elasticsearch.testclusters' apply plugin: 'elasticsearch.standalone-rest-test' apply plugin: 'elasticsearch.rest-test' @@ -57,6 +59,11 @@ if (!jiraUrl && !jiraUser && !jiraPassword && !jiraProject) { integTest.finalizedBy "cleanJira" } +if (BuildParams.inFipsJvm){ + // Test clusters run with security disabled + tasks.named("integTest").configure{enabled = false } +} + /** List all issues associated to a given Jira project **/ def jiraIssues(projectKey) { // See https://docs.atlassian.com/jira/REST/cloud/#api/2/search-search diff --git a/x-pack/qa/third-party/pagerduty/build.gradle b/x-pack/qa/third-party/pagerduty/build.gradle index 1e7f11aa3d6a..abfde6eca792 100644 --- a/x-pack/qa/third-party/pagerduty/build.gradle +++ b/x-pack/qa/third-party/pagerduty/build.gradle @@ -1,3 +1,5 @@ +import org.elasticsearch.gradle.info.BuildParams + apply plugin: 'elasticsearch.testclusters' apply plugin: 'elasticsearch.standalone-rest-test' apply plugin: 'elasticsearch.rest-test' @@ -29,3 +31,8 @@ if (!pagerDutyServiceKey) { keystore 'xpack.notification.pagerduty.account.test_account.secure_service_api_key', pagerDutyServiceKey } } + +if (BuildParams.inFipsJvm){ + // Test clusters run with security disabled + tasks.named("integTest").configure{enabled = false } +} diff --git a/x-pack/qa/third-party/slack/build.gradle b/x-pack/qa/third-party/slack/build.gradle index 1430d1b8a4c0..b7c62be21a15 100644 --- a/x-pack/qa/third-party/slack/build.gradle +++ b/x-pack/qa/third-party/slack/build.gradle @@ -1,3 +1,5 @@ +import org.elasticsearch.gradle.info.BuildParams + apply plugin: 'elasticsearch.testclusters' apply plugin: 'elasticsearch.standalone-rest-test' apply plugin: 'elasticsearch.rest-test' @@ -29,3 +31,8 @@ if (!slackUrl) { keystore 'xpack.notification.slack.account.test_account.secure_url', slackUrl } } + +if (BuildParams.inFipsJvm){ + // Test clusters run with security disabled + tasks.named("integTest").configure{enabled = false } +}