Reinstate S3SearchableSnapshotsCredentialsReloadIT in FIPS JVMs

DaveCTurner · DaveCTurner · commit a346e276fd4d · 2025-04-02T10:06:39.000+01:00
These tests only don't work in a FIPS JVM because they use a secret key
that is unacceptably short. This commit replaces the relevant uses of
`randomIdentifier` with `randomSecretKey` so they work whether in FIPS
mode or not.
diff --git a/x-pack/plugin/searchable-snapshots/qa/s3/src/javaRestTest/java/org/elasticsearch/xpack/searchablesnapshots/s3/S3SearchableSnapshotsCredentialsReloadIT.java b/x-pack/plugin/searchable-snapshots/qa/s3/src/javaRestTest/java/org/elasticsearch/xpack/searchablesnapshots/s3/S3SearchableSnapshotsCredentialsReloadIT.java
@@ -27,7 +27,6 @@
 import org.elasticsearch.test.rest.ObjectPath;
 import org.elasticsearch.xcontent.XContentBuilder;
 import org.elasticsearch.xcontent.XContentType;
-import org.junit.Before;
 import org.junit.ClassRule;
 import org.junit.rules.RuleChain;
 import org.junit.rules.TestRule;
@@ -75,11 +74,6 @@ protected String getTestRestCluster() {
         return cluster.getHttpAddresses();
     }
 
-    @Before
-    public void skipFips() {
-        assumeFalse("getting these tests to run in a FIPS JVM is kinda fiddly and we don't really need the extra coverage", inFipsJvm());
-    }
-
     public void testReloadCredentialsFromKeystore() throws IOException {
         final TestHarness testHarness = new TestHarness();
         testHarness.putRepository();
@@ -88,7 +82,7 @@ public void testReloadCredentialsFromKeystore() throws IOException {
         final String accessKey1 = randomIdentifier();
         repositoryAccessKey = accessKey1;
         keystoreSettings.put("s3.client.default.access_key", accessKey1);
-        keystoreSettings.put("s3.client.default.secret_key", randomIdentifier());
+        keystoreSettings.put("s3.client.default.secret_key", randomSecretKey());
         cluster.updateStoredSecureSettings();
         assertOK(client().performRequest(new Request("POST", "/_nodes/reload_secure_settings")));
 
@@ -128,9 +122,9 @@ public void testReloadCredentialsFromAlternativeClient() throws IOException {
 
         repositoryAccessKey = accessKey1;
         keystoreSettings.put("s3.client.default.access_key", accessKey1);
-        keystoreSettings.put("s3.client.default.secret_key", randomIdentifier());
+        keystoreSettings.put("s3.client.default.secret_key", randomSecretKey());
         keystoreSettings.put("s3.client." + alternativeClient + ".access_key", accessKey2);
-        keystoreSettings.put("s3.client." + alternativeClient + ".secret_key", randomIdentifier());
+        keystoreSettings.put("s3.client." + alternativeClient + ".secret_key", randomSecretKey());
         cluster.updateStoredSecureSettings();
         assertOK(client().performRequest(new Request("POST", "/_nodes/reload_secure_settings")));
 
@@ -164,7 +158,7 @@ public void testReloadCredentialsFromMetadata() throws IOException {
         final String accessKey1 = randomIdentifier();
         final String accessKey2 = randomValueOtherThan(accessKey1, ESTestCase::randomIdentifier);
 
-        testHarness.putRepository(b -> b.put("access_key", accessKey1).put("secret_key", randomIdentifier()));
+        testHarness.putRepository(b -> b.put("access_key", accessKey1).put("secret_key", randomSecretKey()));
         repositoryAccessKey = accessKey1;
 
         testHarness.createFrozenSearchableSnapshotIndex();
@@ -182,7 +176,7 @@ public void testReloadCredentialsFromMetadata() throws IOException {
 
         // Adjust repository to use new client
         logger.info("--> update repository metadata");
-        testHarness.putRepository(b -> b.put("access_key", accessKey2).put("secret_key", randomIdentifier()));
+        testHarness.putRepository(b -> b.put("access_key", accessKey2).put("secret_key", randomSecretKey()));
 
         // Check access using refreshed credentials
         logger.info("--> expect success");
