Skip to content

Commit

Permalink
Enforce JKS trustore for Azure IT (elastic#111569)
Browse files Browse the repository at this point in the history
  • Loading branch information
albertzaharovits authored Aug 5, 2024
1 parent 17f8192 commit f352418
Show file tree
Hide file tree
Showing 8 changed files with 37 additions and 52 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -106,8 +106,12 @@ public static KeyStore filter(KeyStore store, Predicate<KeyStoreEntry> filter) {
* @param certificates The root certificates to trust
*/
public static KeyStore buildTrustStore(Iterable<Certificate> certificates) throws GeneralSecurityException {
return buildTrustStore(certificates, KeyStore.getDefaultType());
}

public static KeyStore buildTrustStore(Iterable<Certificate> certificates, String type) throws GeneralSecurityException {
assert certificates != null : "Cannot create keystore with null certificates";
KeyStore store = buildNewKeyStore();
KeyStore store = buildNewKeyStore(type);
int counter = 0;
for (Certificate certificate : certificates) {
store.setCertificateEntry("cert-" + counter, certificate);
Expand All @@ -117,7 +121,11 @@ public static KeyStore buildTrustStore(Iterable<Certificate> certificates) throw
}

private static KeyStore buildNewKeyStore() throws GeneralSecurityException {
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
return buildNewKeyStore(KeyStore.getDefaultType());
}

private static KeyStore buildNewKeyStore(String type) throws GeneralSecurityException {
KeyStore keyStore = KeyStore.getInstance(type);
try {
keyStore.load(null, null);
} catch (IOException e) {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -26,15 +26,15 @@

public class RepositoryAzureClientYamlTestSuiteIT extends ESClientYamlSuiteTestCase {
private static final boolean USE_FIXTURE = Booleans.parseBoolean(System.getProperty("test.azure.fixture", "true"));
private static final boolean USE_HTTPS_FIXTURE = USE_FIXTURE && ESTestCase.inFipsJvm() == false;

private static final String AZURE_TEST_ACCOUNT = System.getProperty("test.azure.account");
private static final String AZURE_TEST_CONTAINER = System.getProperty("test.azure.container");
private static final String AZURE_TEST_KEY = System.getProperty("test.azure.key");
private static final String AZURE_TEST_SASTOKEN = System.getProperty("test.azure.sas_token");

private static AzureHttpFixture fixture = new AzureHttpFixture(
USE_FIXTURE
? ESTestCase.inFipsJvm() ? AzureHttpFixture.Protocol.HTTP : AzureHttpFixture.Protocol.HTTPS
: AzureHttpFixture.Protocol.NONE,
USE_HTTPS_FIXTURE ? AzureHttpFixture.Protocol.HTTPS : USE_FIXTURE ? AzureHttpFixture.Protocol.HTTP : AzureHttpFixture.Protocol.NONE,
AZURE_TEST_ACCOUNT,
AZURE_TEST_CONTAINER,
Strings.hasText(AZURE_TEST_KEY) || Strings.hasText(AZURE_TEST_SASTOKEN)
Expand Down Expand Up @@ -66,11 +66,8 @@ public class RepositoryAzureClientYamlTestSuiteIT extends ESClientYamlSuiteTestC
)
.systemProperty("AZURE_POD_IDENTITY_AUTHORITY_HOST", () -> fixture.getMetadataAddress(), s -> USE_FIXTURE)
.setting("thread_pool.repository_azure.max", () -> String.valueOf(randomIntBetween(1, 10)), s -> USE_FIXTURE)
.systemProperty(
"javax.net.ssl.trustStore",
() -> trustStore.getTrustStorePath().toString(),
s -> USE_FIXTURE && ESTestCase.inFipsJvm() == false
)
.systemProperty("javax.net.ssl.trustStore", () -> trustStore.getTrustStorePath().toString(), s -> USE_HTTPS_FIXTURE)
.systemProperty("javax.net.ssl.trustStoreType", () -> "jks", s -> USE_HTTPS_FIXTURE)
.build();

@ClassRule(order = 1)
Expand Down
12 changes: 0 additions & 12 deletions muted-tests.yml
Original file line number Diff line number Diff line change
Expand Up @@ -114,21 +114,9 @@ tests:
- class: org.elasticsearch.xpack.security.authc.oidc.OpenIdConnectAuthIT
method: testAuthenticateWithCodeFlowAndClientPost
issue: https://github.com/elastic/elasticsearch/issues/111396
- class: org.elasticsearch.xpack.searchablesnapshots.AzureSearchableSnapshotsIT
issue: https://github.com/elastic/elasticsearch/issues/111279
- class: org.elasticsearch.repositories.azure.RepositoryAzureClientYamlTestSuiteIT
issue: https://github.com/elastic/elasticsearch/issues/111345
- class: org.elasticsearch.repositories.blobstore.testkit.AzureSnapshotRepoTestKitIT
method: testRepositoryAnalysis
issue: https://github.com/elastic/elasticsearch/issues/111280
- class: org.elasticsearch.xpack.repositories.metering.azure.AzureRepositoriesMeteringIT
issue: https://github.com/elastic/elasticsearch/issues/111307
- class: org.elasticsearch.xpack.restart.FullClusterRestartIT
method: testSingleDoc {cluster=UPGRADED}
issue: https://github.com/elastic/elasticsearch/issues/111434
- class: org.elasticsearch.xpack.snapshotbasedrecoveries.recovery.AzureSnapshotBasedRecoveryIT
method: testRecoveryUsingSnapshots
issue: https://github.com/elastic/elasticsearch/issues/111377
- class: org.elasticsearch.xpack.restart.FullClusterRestartIT
method: testDataStreams {cluster=UPGRADED}
issue: https://github.com/elastic/elasticsearch/issues/111448
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -50,8 +50,8 @@ protected void before() {
.stream()
.map(i -> (Certificate) i)
.toList();
final var trustStore = KeyStoreUtil.buildTrustStore(certificates);
trustStore.store(jksStream, null);
final var trustStore = KeyStoreUtil.buildTrustStore(certificates, "jks");
trustStore.store(jksStream, new char[0]);
trustStorePath = tmpTrustStorePath;
} catch (Exception e) {
throw new AssertionError("unexpected", e);
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -23,15 +23,15 @@

public class AzureRepositoriesMeteringIT extends AbstractRepositoriesMeteringAPIRestTestCase {
private static final boolean USE_FIXTURE = Booleans.parseBoolean(System.getProperty("test.azure.fixture", "true"));
private static final boolean USE_HTTPS_FIXTURE = USE_FIXTURE && ESTestCase.inFipsJvm() == false;

private static final String AZURE_TEST_ACCOUNT = System.getProperty("test.azure.account");
private static final String AZURE_TEST_CONTAINER = System.getProperty("test.azure.container");
private static final String AZURE_TEST_KEY = System.getProperty("test.azure.key");
private static final String AZURE_TEST_SASTOKEN = System.getProperty("test.azure.sas_token");

private static AzureHttpFixture fixture = new AzureHttpFixture(
USE_FIXTURE
? ESTestCase.inFipsJvm() ? AzureHttpFixture.Protocol.HTTP : AzureHttpFixture.Protocol.HTTPS
: AzureHttpFixture.Protocol.NONE,
USE_HTTPS_FIXTURE ? AzureHttpFixture.Protocol.HTTPS : USE_FIXTURE ? AzureHttpFixture.Protocol.HTTP : AzureHttpFixture.Protocol.NONE,
AZURE_TEST_ACCOUNT,
AZURE_TEST_CONTAINER,
AzureHttpFixture.sharedKeyForAccountPredicate(AZURE_TEST_ACCOUNT)
Expand Down Expand Up @@ -60,11 +60,8 @@ public class AzureRepositoriesMeteringIT extends AbstractRepositoriesMeteringAPI
() -> "ignored;DefaultEndpointsProtocol=https;BlobEndpoint=" + fixture.getAddress(),
s -> USE_FIXTURE
)
.systemProperty(
"javax.net.ssl.trustStore",
() -> trustStore.getTrustStorePath().toString(),
s -> USE_FIXTURE && ESTestCase.inFipsJvm() == false
)
.systemProperty("javax.net.ssl.trustStore", () -> trustStore.getTrustStorePath().toString(), s -> USE_HTTPS_FIXTURE)
.systemProperty("javax.net.ssl.trustStoreType", () -> "jks", s -> USE_HTTPS_FIXTURE)
.build();

@ClassRule(order = 1)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -24,15 +24,15 @@

public class AzureSearchableSnapshotsIT extends AbstractSearchableSnapshotsRestTestCase {
private static final boolean USE_FIXTURE = Booleans.parseBoolean(System.getProperty("test.azure.fixture", "true"));
private static final boolean USE_HTTPS_FIXTURE = USE_FIXTURE && ESTestCase.inFipsJvm() == false;

private static final String AZURE_TEST_ACCOUNT = System.getProperty("test.azure.account");
private static final String AZURE_TEST_CONTAINER = System.getProperty("test.azure.container");
private static final String AZURE_TEST_KEY = System.getProperty("test.azure.key");
private static final String AZURE_TEST_SASTOKEN = System.getProperty("test.azure.sas_token");

private static AzureHttpFixture fixture = new AzureHttpFixture(
USE_FIXTURE
? ESTestCase.inFipsJvm() ? AzureHttpFixture.Protocol.HTTP : AzureHttpFixture.Protocol.HTTPS
: AzureHttpFixture.Protocol.NONE,
USE_HTTPS_FIXTURE ? AzureHttpFixture.Protocol.HTTPS : USE_FIXTURE ? AzureHttpFixture.Protocol.HTTP : AzureHttpFixture.Protocol.NONE,
AZURE_TEST_ACCOUNT,
AZURE_TEST_CONTAINER,
AzureHttpFixture.sharedKeyForAccountPredicate(AZURE_TEST_ACCOUNT)
Expand Down Expand Up @@ -66,7 +66,8 @@ public class AzureSearchableSnapshotsIT extends AbstractSearchableSnapshotsRestT
.setting("xpack.searchable.snapshot.shared_cache.size", "16MB")
.setting("xpack.searchable.snapshot.shared_cache.region_size", "256KB")
.setting("xpack.searchable_snapshots.cache_fetch_async_thread_pool.keep_alive", "0ms")
.systemProperty("javax.net.ssl.trustStore", () -> trustStore.getTrustStorePath().toString(), s -> USE_FIXTURE)
.systemProperty("javax.net.ssl.trustStore", () -> trustStore.getTrustStorePath().toString(), s -> USE_HTTPS_FIXTURE)
.systemProperty("javax.net.ssl.trustStoreType", () -> "jks", s -> USE_HTTPS_FIXTURE)
.build();

@ClassRule(order = 1)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -23,15 +23,15 @@

public class AzureSnapshotBasedRecoveryIT extends AbstractSnapshotBasedRecoveryRestTestCase {
private static final boolean USE_FIXTURE = Booleans.parseBoolean(System.getProperty("test.azure.fixture", "true"));
private static final boolean USE_HTTPS_FIXTURE = USE_FIXTURE && ESTestCase.inFipsJvm() == false;

private static final String AZURE_TEST_ACCOUNT = System.getProperty("test.azure.account");
private static final String AZURE_TEST_CONTAINER = System.getProperty("test.azure.container");
private static final String AZURE_TEST_KEY = System.getProperty("test.azure.key");
private static final String AZURE_TEST_SASTOKEN = System.getProperty("test.azure.sas_token");

private static AzureHttpFixture fixture = new AzureHttpFixture(
USE_FIXTURE
? ESTestCase.inFipsJvm() ? AzureHttpFixture.Protocol.HTTP : AzureHttpFixture.Protocol.HTTPS
: AzureHttpFixture.Protocol.NONE,
USE_HTTPS_FIXTURE ? AzureHttpFixture.Protocol.HTTPS : USE_FIXTURE ? AzureHttpFixture.Protocol.HTTP : AzureHttpFixture.Protocol.NONE,
AZURE_TEST_ACCOUNT,
AZURE_TEST_CONTAINER,
AzureHttpFixture.sharedKeyForAccountPredicate(AZURE_TEST_ACCOUNT)
Expand Down Expand Up @@ -62,11 +62,8 @@ public class AzureSnapshotBasedRecoveryIT extends AbstractSnapshotBasedRecoveryR
s -> USE_FIXTURE
)
.setting("xpack.license.self_generated.type", "trial")
.systemProperty(
"javax.net.ssl.trustStore",
() -> trustStore.getTrustStorePath().toString(),
s -> USE_FIXTURE && ESTestCase.inFipsJvm() == false
)
.systemProperty("javax.net.ssl.trustStore", () -> trustStore.getTrustStorePath().toString(), s -> USE_HTTPS_FIXTURE)
.systemProperty("javax.net.ssl.trustStoreType", () -> "jks", s -> USE_HTTPS_FIXTURE)
.build();

@ClassRule(order = 1)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -23,15 +23,15 @@

public class AzureSnapshotRepoTestKitIT extends AbstractSnapshotRepoTestKitRestTestCase {
private static final boolean USE_FIXTURE = Booleans.parseBoolean(System.getProperty("test.azure.fixture", "true"));
private static final boolean USE_HTTPS_FIXTURE = USE_FIXTURE && ESTestCase.inFipsJvm() == false;

private static final String AZURE_TEST_ACCOUNT = System.getProperty("test.azure.account");
private static final String AZURE_TEST_CONTAINER = System.getProperty("test.azure.container");
private static final String AZURE_TEST_KEY = System.getProperty("test.azure.key");
private static final String AZURE_TEST_SASTOKEN = System.getProperty("test.azure.sas_token");

private static AzureHttpFixture fixture = new AzureHttpFixture(
USE_FIXTURE
? ESTestCase.inFipsJvm() ? AzureHttpFixture.Protocol.HTTP : AzureHttpFixture.Protocol.HTTPS
: AzureHttpFixture.Protocol.NONE,
USE_HTTPS_FIXTURE ? AzureHttpFixture.Protocol.HTTPS : USE_FIXTURE ? AzureHttpFixture.Protocol.HTTP : AzureHttpFixture.Protocol.NONE,
AZURE_TEST_ACCOUNT,
AZURE_TEST_CONTAINER,
Strings.hasText(AZURE_TEST_KEY) || Strings.hasText(AZURE_TEST_SASTOKEN)
Expand Down Expand Up @@ -69,11 +69,8 @@ public class AzureSnapshotRepoTestKitIT extends AbstractSnapshotRepoTestKitRestT
}
})
.systemProperty("AZURE_POD_IDENTITY_AUTHORITY_HOST", () -> fixture.getMetadataAddress(), s -> USE_FIXTURE)
.systemProperty(
"javax.net.ssl.trustStore",
() -> trustStore.getTrustStorePath().toString(),
s -> USE_FIXTURE && ESTestCase.inFipsJvm() == false
)
.systemProperty("javax.net.ssl.trustStore", () -> trustStore.getTrustStorePath().toString(), s -> USE_HTTPS_FIXTURE)
.systemProperty("javax.net.ssl.trustStoreType", () -> "jks", s -> USE_HTTPS_FIXTURE)
.build();

@ClassRule(order = 1)
Expand Down

0 comments on commit f352418

Please sign in to comment.