fix mocks in 'SecurityServerTransportInterceptorTests'

Author: tvernum

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/SecurityServerTransportInterceptorTests.java

@@ -21,8 +21,11 @@
 import org.elasticsearch.common.settings.ClusterSettings;
 import org.elasticsearch.common.settings.SecureString;
 import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.common.ssl.DefaultJdkTrustConfig;
+import org.elasticsearch.common.ssl.EmptyKeyConfig;
 import org.elasticsearch.common.ssl.SslClientAuthenticationMode;
 import org.elasticsearch.common.ssl.SslConfiguration;
+import org.elasticsearch.common.ssl.SslConfigurationLoader;
 import org.elasticsearch.common.ssl.SslKeyConfig;
 import org.elasticsearch.common.ssl.SslTrustConfig;
 import org.elasticsearch.common.ssl.SslVerificationMode;
@@ -59,6 +62,7 @@
 import org.elasticsearch.xpack.core.security.user.SystemUser;
 import org.elasticsearch.xpack.core.security.user.User;
 import org.elasticsearch.xpack.core.ssl.SSLService;
+import org.elasticsearch.xpack.core.ssl.SslProfile;
 import org.elasticsearch.xpack.security.Security;
 import org.elasticsearch.xpack.security.audit.AuditUtil;
 import org.elasticsearch.xpack.security.authc.ApiKeyService;
@@ -148,7 +152,7 @@ public void testSendAsync() throws Exception {
             threadPool,
             mock(AuthenticationService.class),
             mock(AuthorizationService.class),
-            mock(SSLService.class),
+            mockSslService(),
             securityContext,
             new DestructiveOperations(
                 Settings.EMPTY,
@@ -199,7 +203,7 @@ public void testSendAsyncSwitchToSystem() throws Exception {
             threadPool,
             mock(AuthenticationService.class),
             mock(AuthorizationService.class),
-            mock(SSLService.class),
+            mockSslService(),
             securityContext,
             new DestructiveOperations(
                 Settings.EMPTY,
@@ -243,7 +247,7 @@ public void testSendWithoutUser() throws Exception {
             threadPool,
             mock(AuthenticationService.class),
             mock(AuthorizationService.class),
-            mock(SSLService.class),
+            mockSslService(),
             securityContext,
             new DestructiveOperations(
                 Settings.EMPTY,
@@ -305,7 +309,7 @@ public void testSendToNewerVersionSetsCorrectVersion() throws Exception {
             threadPool,
             mock(AuthenticationService.class),
             mock(AuthorizationService.class),
-            mock(SSLService.class),
+            mockSslService(),
             securityContext,
             new DestructiveOperations(
                 Settings.EMPTY,
@@ -373,7 +377,7 @@ public void testSendToOlderVersionSetsCorrectVersion() throws Exception {
             threadPool,
             mock(AuthenticationService.class),
             mock(AuthorizationService.class),
-            mock(SSLService.class),
+            mockSslService(),
             securityContext,
             new DestructiveOperations(
                 Settings.EMPTY,
@@ -439,7 +443,7 @@ public void testSetUserBasedOnActionOrigin() {
             threadPool,
             mock(AuthenticationService.class),
             mock(AuthorizationService.class),
-            mock(SSLService.class),
+            mockSslService(),
             securityContext,
             new DestructiveOperations(
                 Settings.EMPTY,
@@ -606,7 +610,7 @@ public void testSendWithCrossClusterAccessHeadersWithUnsupportedLicense() throws
             threadPool,
             mock(AuthenticationService.class),
             mock(AuthorizationService.class),
-            mock(SSLService.class),
+            mockSslService(),
             securityContext,
             new DestructiveOperations(
                 Settings.EMPTY,
@@ -743,7 +747,7 @@ private void doTestSendWithCrossClusterAccessHeaders(
             threadPool,
             mock(AuthenticationService.class),
             authzService,
-            mock(SSLService.class),
+            mockSslService(),
             securityContext,
             new DestructiveOperations(
                 Settings.EMPTY,
@@ -881,7 +885,7 @@ public void testSendWithUserIfCrossClusterAccessHeadersConditionNotMet() throws
             threadPool,
             mock(AuthenticationService.class),
             authzService,
-            mock(SSLService.class),
+            mockSslService(),
             securityContext,
             new DestructiveOperations(
                 Settings.EMPTY,
@@ -940,7 +944,7 @@ public void testSendWithCrossClusterAccessHeadersThrowsOnOldConnection() throws
             threadPool,
             mock(AuthenticationService.class),
             mock(AuthorizationService.class),
-            mock(SSLService.class),
+            mockSslService(),
             securityContext,
             new DestructiveOperations(
                 Settings.EMPTY,
@@ -1039,7 +1043,7 @@ public void testSendRemoteRequestFailsIfUserHasNoRemoteIndicesPrivileges() throw
             threadPool,
             mock(AuthenticationService.class),
             authzService,
-            mock(SSLService.class),
+            mockSslService(),
             securityContext,
             new DestructiveOperations(
                 Settings.EMPTY,
@@ -1107,9 +1111,9 @@ public void testProfileFiltersCreatedDifferentlyForDifferentTransportAndRemoteCl
         if (randomBoolean()) {
             builder.put("xpack.security.remote_cluster_client.ssl.enabled", randomBoolean());  // client SSL won't be processed
         }
-        final SSLService sslService = mock(SSLService.class);
 
-        when(sslService.getSSLConfiguration("xpack.security.transport.ssl.")).thenReturn(
+        final SslProfile defaultProfile = mock(SslProfile.class);
+        when(defaultProfile.configuration()).thenReturn(
             new SslConfiguration(
                 "xpack.security.transport.ssl",
                 randomBoolean(),
@@ -1122,8 +1126,8 @@ public void testProfileFiltersCreatedDifferentlyForDifferentTransportAndRemoteCl
                 randomLongBetween(1, 100000)
             )
         );
-
-        when(sslService.getSSLConfiguration("xpack.security.remote_cluster_server.ssl.")).thenReturn(
+        final SslProfile remoteProfile = mock(SslProfile.class);
+        when(defaultProfile.configuration()).thenReturn(
             new SslConfiguration(
                 "xpack.security.remote_cluster_server.ssl",
                 randomBoolean(),
@@ -1136,8 +1140,13 @@ public void testProfileFiltersCreatedDifferentlyForDifferentTransportAndRemoteCl
                 randomLongBetween(1, 100000)
             )
         );
+
+        final SSLService sslService = mock(SSLService.class);
+        when(sslService.profile("xpack.security.transport.ssl.")).thenReturn(defaultProfile);
+
+        when(sslService.profile("xpack.security.remote_cluster_server.ssl.")).thenReturn(remoteProfile);
         doThrow(new AssertionError("profile filters should not be configured for remote cluster client")).when(sslService)
-            .getSSLConfiguration("xpack.security.remote_cluster_client.ssl.");
+            .profile("xpack.security.remote_cluster_client.ssl.");
 
         final var securityServerTransportInterceptor = new SecurityServerTransportInterceptor(
             builder.build(),
@@ -1172,9 +1181,9 @@ public void testNoProfileFilterForRemoteClusterWhenTheFeatureIsDisabled() {
         if (randomBoolean()) {
             builder.put("xpack.security.remote_cluster_client.ssl.enabled", randomBoolean());  // client SSL won't be processed
         }
-        final SSLService sslService = mock(SSLService.class);
 
-        when(sslService.getSSLConfiguration("xpack.security.transport.ssl.")).thenReturn(
+        final SslProfile profile = mock(SslProfile.class);
+        when(profile.configuration()).thenReturn(
             new SslConfiguration(
                 "xpack.security.transport.ssl",
                 randomBoolean(),
@@ -1187,11 +1196,15 @@ public void testNoProfileFilterForRemoteClusterWhenTheFeatureIsDisabled() {
                 randomLongBetween(1, 100000)
             )
         );
+
+        final SSLService sslService = mock(SSLService.class);
+        when(sslService.profile("xpack.security.transport.ssl.")).thenReturn(profile);
+
         doThrow(new AssertionError("profile filters should not be configured for remote cluster server when the port is disabled")).when(
             sslService
-        ).getSSLConfiguration("xpack.security.remote_cluster_server.ssl.");
+        ).profile("xpack.security.remote_cluster_server.ssl.");
         doThrow(new AssertionError("profile filters should not be configured for remote cluster client")).when(sslService)
-            .getSSLConfiguration("xpack.security.remote_cluster_client.ssl.");
+            .profile("xpack.security.remote_cluster_client.ssl.");
 
         final var securityServerTransportInterceptor = new SecurityServerTransportInterceptor(
             builder.build(),
@@ -1213,6 +1226,25 @@ public void testNoProfileFilterForRemoteClusterWhenTheFeatureIsDisabled() {
         assertThat(profileFilters.get("default").isExtractClientCert(), is(transportSslEnabled));
     }
 
+    private static SSLService mockSslService() {
+        final SslConfiguration defaultConfiguration = new SslConfiguration(
+            "",
+            false,
+            DefaultJdkTrustConfig.DEFAULT_INSTANCE,
+            EmptyKeyConfig.INSTANCE,
+            SslVerificationMode.FULL,
+            SslClientAuthenticationMode.NONE,
+            List.of("TLS_AES_256_GCM_SHA384"),
+            List.of("TLSv1.3"),
+            -1
+        );
+        final SslProfile defaultProfile = mock(SslProfile.class);
+        when(defaultProfile.configuration()).thenReturn(defaultConfiguration);
+        final SSLService sslService = mock(SSLService.class);
+        when(sslService.profile("xpack.security.transport.ssl")).thenReturn(defaultProfile);
+        return sslService;
+    }
+
     private String[] randomRoles() {
         return generateRandomStringArray(3, 10, false, true);
     }