Reinstate S3SearchableSnapshotsCredentialsReloadIT in FIPS JVMs (#126324)

DaveCTurner · web-flow · commit b121ee2da607 · 2025-04-05T04:52:39.000+11:00
* Reinstate `S3SearchableSnapshotsCredentialsReloadIT` in FIPS JVMs These tests only don't work in a FIPS JVM because they use a secret key that is unacceptably short. This commit replaces the relevant uses of `randomIdentifier` with `randomSecretKey` so they work whether in FIPS mode or not. Backport of #126109 to `8.x` * CI poke
diff --git a/modules/repository-s3/src/javaRestTest/java/org/elasticsearch/repositories/s3/RepositoryS3RestReloadCredentialsIT.java b/modules/repository-s3/src/javaRestTest/java/org/elasticsearch/repositories/s3/RepositoryS3RestReloadCredentialsIT.java
@@ -10,7 +10,6 @@
 package org.elasticsearch.repositories.s3;
 
 import fixture.s3.S3HttpFixture;
-import io.netty.handler.codec.http.HttpMethod;
 
 import org.elasticsearch.client.Request;
 import org.elasticsearch.client.ResponseException;
@@ -106,12 +105,4 @@ public void testReloadCredentialsFromKeystore() throws IOException {
         // Check access using refreshed credentials
         assertOK(client().performRequest(verifyRequest));
     }
-
-    private Request createReloadSecureSettingsRequest() throws IOException {
-        return newXContentRequest(
-            HttpMethod.POST,
-            "/_nodes/reload_secure_settings",
-            (b, p) -> inFipsJvm() ? b.field("secure_settings_password", "keystore-password") : b
-        );
-    }
 }
diff --git a/test/framework/src/main/java/org/elasticsearch/test/rest/ESRestTestCase.java b/test/framework/src/main/java/org/elasticsearch/test/rest/ESRestTestCase.java
@@ -2705,4 +2705,21 @@ protected static void assertResultMap(
     ) {
         assertMap(result, mapMatcher.entry("columns", columnMatcher).entry("values", valuesMatcher));
     }
+
+    public static final String FIPS_KEYSTORE_PASSWORD = "keystore-password";
+
+    /**
+     * @return a REST {@link Request} which will reload the keystore in the test cluster.
+     */
+    protected final Request createReloadSecureSettingsRequest() {
+        try {
+            return newXContentRequest(
+                HttpMethod.POST,
+                "/_nodes/reload_secure_settings",
+                (b, p) -> inFipsJvm() ? b.field("secure_settings_password", FIPS_KEYSTORE_PASSWORD) : b
+            );
+        } catch (IOException e) {
+            throw new AssertionError("impossible", e);
+        }
+    }
 }
diff --git a/x-pack/plugin/searchable-snapshots/qa/s3/src/javaRestTest/java/org/elasticsearch/xpack/searchablesnapshots/s3/S3SearchableSnapshotsCredentialsReloadIT.java b/x-pack/plugin/searchable-snapshots/qa/s3/src/javaRestTest/java/org/elasticsearch/xpack/searchablesnapshots/s3/S3SearchableSnapshotsCredentialsReloadIT.java
@@ -27,7 +27,6 @@
 import org.elasticsearch.test.rest.ObjectPath;
 import org.elasticsearch.xcontent.XContentBuilder;
 import org.elasticsearch.xcontent.XContentType;
-import org.junit.Before;
 import org.junit.ClassRule;
 import org.junit.rules.RuleChain;
 import org.junit.rules.TestRule;
@@ -76,11 +75,6 @@ protected String getTestRestCluster() {
         return cluster.getHttpAddresses();
     }
 
-    @Before
-    public void skipFips() {
-        assumeFalse("getting these tests to run in a FIPS JVM is kinda fiddly and we don't really need the extra coverage", inFipsJvm());
-    }
-
     public void testReloadCredentialsFromKeystore() throws IOException {
         final TestHarness testHarness = new TestHarness();
         testHarness.putRepository();
@@ -89,9 +83,9 @@ public void testReloadCredentialsFromKeystore() throws IOException {
         final String accessKey1 = randomIdentifier();
         repositoryAccessKey = accessKey1;
         keystoreSettings.put("s3.client.default.access_key", accessKey1);
-        keystoreSettings.put("s3.client.default.secret_key", randomIdentifier());
+        keystoreSettings.put("s3.client.default.secret_key", randomSecretKey());
         cluster.updateStoredSecureSettings();
-        assertOK(client().performRequest(new Request("POST", "/_nodes/reload_secure_settings")));
+        assertOK(client().performRequest(createReloadSecureSettingsRequest()));
 
         testHarness.createFrozenSearchableSnapshotIndex();
 
@@ -111,7 +105,7 @@ public void testReloadCredentialsFromKeystore() throws IOException {
         logger.info("--> update keystore contents");
         keystoreSettings.put("s3.client.default.access_key", accessKey2);
         cluster.updateStoredSecureSettings();
-        assertOK(client().performRequest(new Request("POST", "/_nodes/reload_secure_settings")));
+        assertOK(client().performRequest(createReloadSecureSettingsRequest()));
 
         // Check access using refreshed credentials
         logger.info("--> expect success");
@@ -129,11 +123,11 @@ public void testReloadCredentialsFromAlternativeClient() throws IOException {
 
         repositoryAccessKey = accessKey1;
         keystoreSettings.put("s3.client.default.access_key", accessKey1);
-        keystoreSettings.put("s3.client.default.secret_key", randomIdentifier());
+        keystoreSettings.put("s3.client.default.secret_key", randomSecretKey());
         keystoreSettings.put("s3.client." + alternativeClient + ".access_key", accessKey2);
-        keystoreSettings.put("s3.client." + alternativeClient + ".secret_key", randomIdentifier());
+        keystoreSettings.put("s3.client." + alternativeClient + ".secret_key", randomSecretKey());
         cluster.updateStoredSecureSettings();
-        assertOK(client().performRequest(new Request("POST", "/_nodes/reload_secure_settings")));
+        assertOK(client().performRequest(createReloadSecureSettingsRequest()));
 
         testHarness.createFrozenSearchableSnapshotIndex();
 
@@ -165,7 +159,7 @@ public void testReloadCredentialsFromMetadata() throws IOException {
         final String accessKey1 = randomIdentifier();
         final String accessKey2 = randomValueOtherThan(accessKey1, ESTestCase::randomIdentifier);
 
-        testHarness.putRepository(b -> b.put("access_key", accessKey1).put("secret_key", randomIdentifier()));
+        testHarness.putRepository(b -> b.put("access_key", accessKey1).put("secret_key", randomSecretKey()));
         repositoryAccessKey = accessKey1;
 
         testHarness.createFrozenSearchableSnapshotIndex();
@@ -183,7 +177,7 @@ public void testReloadCredentialsFromMetadata() throws IOException {
 
         // Adjust repository to use new client
         logger.info("--> update repository metadata");
-        testHarness.putRepository(b -> b.put("access_key", accessKey2).put("secret_key", randomIdentifier()));
+        testHarness.putRepository(b -> b.put("access_key", accessKey2).put("secret_key", randomSecretKey()));
 
         // Check access using refreshed credentials
         logger.info("--> expect success");
