fix and unmute FIPS tests #119618
Merged
fix and unmute FIPS tests #119618
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jakelandis
commented
Jan 6, 2025
| setting 'xpack.monitoring.exporters._http.auth.username', 'monitoring_agent' | ||
| setting 'xpack.monitoring.exporters._http.ssl.verification_mode', 'full' | ||
| setting 'xpack.monitoring.exporters._http.ssl.certificate_authorities', 'testnode.crt' | ||
| keystore 'xpack.monitoring.exporters._http.auth.secure_password', 'x-pack-test-password' |
There was a problem hiding this comment.
This test has been muted for 5+ years... I believe that this is needed due to the changes in secure settings and stricter validation. Should be functionally equivalent.
jakelandis
commented
Jan 6, 2025
|
|
||
| @BeforeClass | ||
| public static void getKeyStore() { | ||
| try { | ||
| keyStore = PathUtils.get(SmokeTestMonitoringWithSecurityIT.class.getResource("/testnode.jks").toURI()); | ||
| trustStore = PathUtils.get(SmokeTestMonitoringWithSecurityIT.class.getResource("/testnode.crt").toURI()); |
There was a problem hiding this comment.
to enable this to work in FIPS, I need to prefer to use PEM formatting not the java keystore. also fixed the name to call this a trust store, not a key store (so no pass needed).
jakelandis
commented
Jan 6, 2025
| public void testSettingsFilter() throws IOException { | ||
| final Request request = new Request("GET", "/_cluster/settings"); | ||
| final Response response = client().performRequest(request); | ||
| final ObjectPath path = ObjectPath.createFromResponse(response); | ||
| final Map<String, Object> settings = path.evaluate("transient.xpack.monitoring.exporters._http"); | ||
| final Map<String, Object> settings = path.evaluate("persistent.xpack.monitoring.exporters._http"); |
There was a problem hiding this comment.
I think this was just an oversite when removing the HLRC
jakelandis
commented
Jan 6, 2025
| assertThat(handshakeException, throwableWithMessage(containsStringIgnoringCase("subject alternative names"))); | ||
| assertThat(handshakeException, throwableWithMessage(containsString(webServer.getHostName()))); | ||
|
|
||
| final Exception handshakeException = expectThrows(Exception.class, () -> clientSocket.getInputStream().read()); |
There was a problem hiding this comment.
Bouncy castle throws a different exception with a different stack trace.
jakelandis
commented
Jan 6, 2025
| @@ -133,7 +132,7 @@ public void testDiagnosticTrustManagerForHostnameVerificationFailure() throws Ex | |||
| DiagnosticTrustManager.class.getName(), | |||
| Level.WARN, | |||
| "failed to establish trust with server at \\[" | |||
| + Pattern.quote(webServer.getHostName()) | |||
| + (inFipsJvm() ? "<unknown host>" : Pattern.quote(webServer.getHostName())) | |||
There was a problem hiding this comment.
BC JSSE says "unknown host" but JVM's default JSSE says "127.0.0.1"
jakelandis
added
:Security/Security
|
@elasticsearchmachine run elasticsearch-ci/part-1-fips |
|
Pinging @elastic/es-security (Team:Security) |
jakelandis
added
auto-backport
slobodanadamovic
approved these changes
Jan 8, 2025
💚 Backport successful
|
jakelandis
added a commit
to jakelandis/elasticsearch
that referenced
this pull request
Jan 8, 2025
Fixes and un-mutes tests associated with FIPS. Most of the fixes are due to differing expected exceptions or log messages when using BouncyCastle as the JCE/JSSE provider. Only test code is changed with this commit. fixes: elastic#49094
elasticsearchmachine
pushed a commit
that referenced
this pull request
Jan 8, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes and un-mutes tests associated with FIPS.
Most of the fixes are due to differing expected exceptions or log messages when using BouncyCastle as the JCE/JSSE provider.
Only test code is changed with this commit.
fixes: #49094