9
9
10
10
import org .elasticsearch .common .settings .MockSecureSettings ;
11
11
import org .elasticsearch .common .settings .Settings ;
12
+ import org .elasticsearch .common .ssl .DiagnosticTrustManager ;
12
13
import org .elasticsearch .common .ssl .PemKeyConfig ;
13
14
import org .elasticsearch .test .SecurityIntegTestCase ;
14
15
15
- import static org .elasticsearch .xpack .security .transport .CrossClusterApiKeySignerSettings .SIGNING_CERT_PATH ;
16
- import static org .elasticsearch .xpack .security .transport .CrossClusterApiKeySignerSettings .SIGNING_KEYSTORE_ALIAS ;
17
- import static org .elasticsearch .xpack .security .transport .CrossClusterApiKeySignerSettings .SIGNING_KEYSTORE_PATH ;
18
- import static org .elasticsearch .xpack .security .transport .CrossClusterApiKeySignerSettings .SIGNING_KEYSTORE_SECURE_PASSWORD ;
19
- import static org .elasticsearch .xpack .security .transport .CrossClusterApiKeySignerSettings .SIGNING_KEYSTORE_TYPE ;
20
- import static org .elasticsearch .xpack .security .transport .CrossClusterApiKeySignerSettings .SIGNING_KEY_PATH ;
16
+ import static org .elasticsearch .xpack .security .transport .CrossClusterApiKeySigningSettings .DIAGNOSE_TRUST_EXCEPTIONS ;
17
+ import static org .elasticsearch .xpack .security .transport .CrossClusterApiKeySigningSettings .SIGNING_CERTIFICATE_AUTHORITIES ;
18
+ import static org .elasticsearch .xpack .security .transport .CrossClusterApiKeySigningSettings .SIGNING_CERT_PATH ;
19
+ import static org .elasticsearch .xpack .security .transport .CrossClusterApiKeySigningSettings .SIGNING_KEYSTORE_ALIAS ;
20
+ import static org .elasticsearch .xpack .security .transport .CrossClusterApiKeySigningSettings .SIGNING_KEYSTORE_PATH ;
21
+ import static org .elasticsearch .xpack .security .transport .CrossClusterApiKeySigningSettings .SIGNING_KEYSTORE_SECURE_PASSWORD ;
22
+ import static org .elasticsearch .xpack .security .transport .CrossClusterApiKeySigningSettings .SIGNING_KEYSTORE_TYPE ;
23
+ import static org .elasticsearch .xpack .security .transport .CrossClusterApiKeySigningSettings .SIGNING_KEY_PATH ;
21
24
import static org .hamcrest .Matchers .equalToIgnoringCase ;
22
25
23
- public class CrossClusterApiKeySignerIntegTests extends SecurityIntegTestCase {
26
+ public class CrossClusterApiKeySignatureManagerIntegTests extends SecurityIntegTestCase {
24
27
25
28
private static final String DYNAMIC_TEST_CLUSTER_ALIAS = "dynamic_test_cluster" ;
26
29
private static final String STATIC_TEST_CLUSTER_ALIAS = "static_test_cluster" ;
27
30
28
31
public void testSignWithPemKeyConfig () {
29
- final CrossClusterApiKeySigner signer = getCrossClusterApiKeySignerInstance ();
32
+ final CrossClusterApiKeySignatureManager manager = getCrossClusterApiKeySignatureManagerInstance ();
30
33
final String [] testHeaders = randomArray (5 , String []::new , () -> randomAlphanumericOfLength (randomInt (20 )));
31
34
32
- X509CertificateSignature signature = signer .sign (STATIC_TEST_CLUSTER_ALIAS , testHeaders );
33
- signature .certificate ().getPublicKey ();
34
-
35
+ X509CertificateSignature signature = manager .signerForClusterAlias (STATIC_TEST_CLUSTER_ALIAS ).sign (testHeaders );
35
36
var keyConfig = new PemKeyConfig (
36
37
"signing_rsa.crt" ,
37
38
"signing_rsa.key" ,
38
39
new char [0 ],
39
40
getDataPath ("/org/elasticsearch/xpack/security/signature/signing_rsa.crt" ).getParent ()
40
41
);
41
42
43
+ var verifier = manager .verifier ();
44
+
42
45
assertThat (signature .algorithm (), equalToIgnoringCase (keyConfig .getKeys ().getFirst ().v2 ().getSigAlgName ()));
43
- assertEquals (signature .certificate (), keyConfig .getKeys ().getFirst ().v2 ());
46
+ assertEquals (signature .certificates ()[0 ], keyConfig .getKeys ().getFirst ().v2 ());
47
+ assertTrue (verifier .verify (signature , testHeaders ));
44
48
}
45
49
46
50
public void testSignUnknownClusterAlias () {
47
- final CrossClusterApiKeySigner signer = getCrossClusterApiKeySignerInstance ();
51
+ final CrossClusterApiKeySignatureManager manager = getCrossClusterApiKeySignatureManagerInstance ();
48
52
final String [] testHeaders = randomArray (5 , String []::new , () -> randomAlphanumericOfLength (randomInt (20 )));
49
-
50
- X509CertificateSignature signature = signer .sign ("unknowncluster" , testHeaders );
53
+ X509CertificateSignature signature = manager .signerForClusterAlias ("unknowncluster" ).sign (testHeaders );
51
54
assertNull (signature );
52
55
}
53
56
54
57
public void testSeveralKeyStoreAliases () {
55
- final CrossClusterApiKeySigner signer = getCrossClusterApiKeySignerInstance ();
56
-
58
+ final CrossClusterApiKeySignatureManager manager = getCrossClusterApiKeySignatureManagerInstance ();
57
59
try {
58
60
// Create a new config without an alias. Since there are several aliases in the keystore, no signature should be generated
59
61
updateClusterSettings (
@@ -69,7 +71,8 @@ public void testSeveralKeyStoreAliases() {
69
71
);
70
72
71
73
{
72
- X509CertificateSignature signature = signer .sign (DYNAMIC_TEST_CLUSTER_ALIAS , "test" , "test" );
74
+ var signer = manager .signerForClusterAlias (DYNAMIC_TEST_CLUSTER_ALIAS );
75
+ X509CertificateSignature signature = signer .sign ("test" , "test" );
73
76
assertNull (signature );
74
77
}
75
78
@@ -79,7 +82,8 @@ public void testSeveralKeyStoreAliases() {
79
82
.put (SIGNING_KEYSTORE_ALIAS .getConcreteSettingForNamespace (DYNAMIC_TEST_CLUSTER_ALIAS ).getKey (), "wholelottakey" )
80
83
);
81
84
{
82
- X509CertificateSignature signature = signer .sign (DYNAMIC_TEST_CLUSTER_ALIAS , "test" , "test" );
85
+ var signer = manager .signerForClusterAlias (DYNAMIC_TEST_CLUSTER_ALIAS );
86
+ X509CertificateSignature signature = signer .sign ("test" , "test" );
83
87
assertNotNull (signature );
84
88
}
85
89
@@ -89,7 +93,8 @@ public void testSeveralKeyStoreAliases() {
89
93
.put (SIGNING_KEYSTORE_ALIAS .getConcreteSettingForNamespace (DYNAMIC_TEST_CLUSTER_ALIAS ).getKey (), "idonotexist" )
90
94
);
91
95
{
92
- X509CertificateSignature signature = signer .sign (DYNAMIC_TEST_CLUSTER_ALIAS , "test" , "test" );
96
+ var signer = manager .signerForClusterAlias (DYNAMIC_TEST_CLUSTER_ALIAS );
97
+ X509CertificateSignature signature = signer .sign ("test" , "test" );
93
98
assertNotNull (signature );
94
99
}
95
100
} finally {
@@ -103,10 +108,28 @@ public void testSeveralKeyStoreAliases() {
103
108
}
104
109
}
105
110
111
+ public void testVerifyDiagnosticTrustManagerDisabled () {
112
+ final CrossClusterApiKeySignatureManager manager = getCrossClusterApiKeySignatureManagerInstance ();
113
+
114
+ try {
115
+ updateClusterSettings (Settings .builder ().put (DIAGNOSE_TRUST_EXCEPTIONS .getKey (), false ));
116
+ assertFalse (manager .getTrustManager () instanceof DiagnosticTrustManager );
117
+ } finally {
118
+ updateClusterSettings (Settings .builder ().putNull (DIAGNOSE_TRUST_EXCEPTIONS .getKey ()));
119
+ }
120
+ }
121
+
122
+ public void testVerifyDiagnosticTrustManagerEnabledDefault () {
123
+ final CrossClusterApiKeySignatureManager manager = getCrossClusterApiKeySignatureManagerInstance ();
124
+
125
+ assertTrue (manager .getTrustManager () instanceof DiagnosticTrustManager );
126
+ }
127
+
106
128
@ Override
107
129
protected Settings nodeSettings (int nodeOrdinal , Settings otherSettings ) {
108
130
var builder = Settings .builder ();
109
131
MockSecureSettings secureSettings = (MockSecureSettings ) builder .put (super .nodeSettings (nodeOrdinal , otherSettings ))
132
+ .put (SIGNING_CERTIFICATE_AUTHORITIES .getKey (), getDataPath ("/org" + "/elasticsearch/xpack/security/signature/root.crt" ))
110
133
.put (
111
134
SIGNING_CERT_PATH .getConcreteSettingForNamespace (STATIC_TEST_CLUSTER_ALIAS ).getKey (),
112
135
getDataPath ("/org/elasticsearch/xpack/security/signature/signing_rsa.crt" )
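Review bot: testVerifyDiagnosticTrustManagerDisabled passes vacuously if getTrustManager() returns null, because `null instanceof DiagnosticTrustManager` is false, so the assertFalse at new line 116 proves only that the diagnostic wrapper is absent, not that a trust manager was built after the setting was turned off. Capture the result and check it first: `final var trustManager = manager.getTrustManager();` / `assertNotNull(trustManager);` / `assertFalse(trustManager instanceof DiagnosticTrustManager);`. The enabled-default test does not have this gap, since its assertTrue would fail on null. The test also obtains manager before the dynamic settings update, so it relies on the manager rebuilding its trust manager on setting changes rather than caching it; that contract is not visible in this hunk, and a short comment such as `// getTrustManager() must reflect the dynamic setting, not a cached instance` would make the expectation explicit.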
@@ -123,8 +146,8 @@ protected Settings nodeSettings(int nodeOrdinal, Settings otherSettings) {
123
146
return builder .build ();
124
147
}
125
148
126
- private static CrossClusterApiKeySigner getCrossClusterApiKeySignerInstance () {
127
- return CrossClusterTestHelper .getCrossClusterApiKeySigner (internalCluster ());
149
+ private static CrossClusterApiKeySignatureManager getCrossClusterApiKeySignatureManagerInstance () {
150
+ return CrossClusterTestHelper .getCrossClusterApiKeySignatureManager (internalCluster ());
128
151
}
129
152
130
153
}