
Commit f52b8c6

authored
[Test] Increase test secret key length (#117675) (#117738)
Running in FIPS approved mode requires secret keys to be at least 114 bits long.

Relates: #117324
Resolves: #117596
Resolves: #117709
Resolves: #117710
Resolves: #117711
Resolves: #117712

(cherry picked from commit 24bc505)

# Conflicts:
#	modules/repository-s3/src/javaRestTest/java/org/elasticsearch/repositories/s3/RepositoryS3RestReloadCredentialsIT.java
#	muted-tests.yml
#	test/fixtures/s3-fixture/src/main/java/fixture/s3/S3HttpFixtureWithSTS.java
1 parent 5170cae commit f52b8c6


3 files changed

+22
-7
lines changed


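--- a/modules/repository-s3/src/javaRestTest/java/org/elasticsearch/repositories/s3/RepositoryS3RestReloadCredentialsIT.java
+++ b/modules/repository-s3/src/javaRestTest/java/org/elasticsearch/repositories/s3/RepositoryS3RestReloadCredentialsIT.java
@@ -10,6 +10,7 @@
 package org.elasticsearch.repositories.s3;
 
 import fixture.s3.S3HttpFixture;
+import io.netty.handler.codec.http.HttpMethod;
 
 import org.elasticsearch.client.Request;
 import org.elasticsearch.client.ResponseException;
@@ -54,8 +55,6 @@ protected String getTestRestCluster() {
 }
 
 public void testReloadCredentialsFromKeystore() throws IOException {
-assumeFalse("doesn't work in a FIPS JVM, but that's ok", inFipsJvm());
-
 // Register repository (?verify=false because we don't have access to the blob store yet)
 final var repositoryName = randomIdentifier();
 registerRepository(
@@ -70,15 +69,16 @@ public void testReloadCredentialsFromKeystore() throws IOException {
 final var accessKey1 = randomIdentifier();
 s3Fixture.setAccessKey(accessKey1);
 keystoreSettings.put("s3.client.default.access_key", accessKey1);
-keystoreSettings.put("s3.client.default.secret_key", randomIdentifier());
+keystoreSettings.put("s3.client.default.secret_key", randomSecretKey());
 cluster.updateStoredSecureSettings();
-assertOK(client().performRequest(new Request("POST", "/_nodes/reload_secure_settings")));
+
+assertOK(client().performRequest(createReloadSecureSettingsRequest()));
 
 // Check access using initial credentials
 assertOK(client().performRequest(verifyRequest));
 
 // Rotate credentials in blob store
-final var accessKey2 = randomValueOtherThan(accessKey1, ESTestCase::randomIdentifier);
+final var accessKey2 = randomValueOtherThan(accessKey1, ESTestCase::randomSecretKey);
 s3Fixture.setAccessKey(accessKey2);
 
 // Ensure that initial credentials now invalid
@@ -92,10 +92,17 @@ public void testReloadCredentialsFromKeystore() throws IOException {
 // Set up refreshed credentials
 keystoreSettings.put("s3.client.default.access_key", accessKey2);
 cluster.updateStoredSecureSettings();
-assertOK(client().performRequest(new Request("POST", "/_nodes/reload_secure_settings")));
+assertOK(client().performRequest(createReloadSecureSettingsRequest()));
 
 // Check access using refreshed credentials
 assertOK(client().performRequest(verifyRequest));
 }
 
+private Request createReloadSecureSettingsRequest() throws IOException {
+return newXContentRequest(
+HttpMethod.POST,
+"/_nodes/reload_secure_settings",
+(b, p) -> inFipsJvm() ? b.field("secure_settings_password", "keystore-password") : b
+);
+}
 }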
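Review bot: In the third hunk `accessKey2` is now drawn from `ESTestCase::randomSecretKey` while `accessKey1`, a few lines above in the same hunk, still comes from `randomIdentifier()`, so the two access keys that the test rotates between are produced by different generators. If the FIPS minimum length applies only to the secret key, this line should stay `final var accessKey2 = randomValueOtherThan(accessKey1, ESTestCase::randomIdentifier);`; if it applies to access keys as well, `accessKey1` needs the same treatment, otherwise the first half of the test exercises a shorter key than the second. The new `createReloadSecureSettingsRequest` helper hard-codes `"keystore-password"`, which presumably must match the password the test cluster's keystore was created with; hoisting it to a named constant with a comment such as `// must match the keystore password configured for the test cluster in a FIPS JVM` would make that coupling visible to whoever changes the cluster setup. Parts of `testReloadCredentialsFromKeystore` lie between the hunks and are not shown here.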

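--- a/test/fixtures/ec2-imds-fixture/src/main/java/fixture/aws/imds/Ec2ImdsHttpHandler.java
+++ b/test/fixtures/ec2-imds-fixture/src/main/java/fixture/aws/imds/Ec2ImdsHttpHandler.java
@@ -27,6 +27,7 @@
 import java.util.Set;
 
 import static org.elasticsearch.test.ESTestCase.randomIdentifier;
+import static org.elasticsearch.test.ESTestCase.randomSecretKey;
 
 /**
 * Minimal HTTP handler that emulates the EC2 IMDS server
@@ -82,7 +83,7 @@ public void handle(final HttpExchange exchange) throws IOException {
 accessKey,
 ZonedDateTime.now(Clock.systemUTC()).plusDays(1L).format(DateTimeFormatter.ISO_DATE_TIME),
 randomIdentifier(),
-randomIdentifier(),
+randomSecretKey(),
 sessionToken
 ).getBytes(StandardCharsets.UTF_8);
 exchange.getResponseHeaders().add("Content-Type", "application/json");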

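--- a/test/framework/src/main/java/org/elasticsearch/test/ESTestCase.java
+++ b/test/framework/src/main/java/org/elasticsearch/test/ESTestCase.java
@@ -1353,6 +1353,13 @@ public static String randomDateFormatterPattern() {
 return randomFrom(FormatNames.values()).getName();
 }
 
+/**
+* Generate a random string of at least 112 bits to satisfy minimum entropy requirement when running in FIPS mode.
+*/
+public static String randomSecretKey() {
+return randomAlphaOfLengthBetween(14, 20);
+}
+
 /**
 * Randomly choose between {@link EsExecutors#DIRECT_EXECUTOR_SERVICE} (which does not fork), {@link ThreadPool#generic}, and one of the
 * other named threadpool executors.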
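Review bot: The Javadoc on the new `randomSecretKey` speaks of a "minimum entropy requirement" of 112 bits, but `randomAlphaOfLengthBetween(14, 20)` guarantees 112 bits of key *length* (14 single-byte characters), not 112 bits of entropy — if the alphabet is ASCII letters, each character carries roughly 5.7 bits, so a 14-character key holds on the order of 80 bits of entropy. Presumably the FIPS provider's check is on encoded key length in bits, which this does satisfy, and the comment should say that so readers do not take the helper as an entropy guarantee: `Generate a random alphabetic string of 14-20 characters, i.e. at least 112 bits (14 bytes) when encoded, the minimum key length accepted in FIPS approved mode.` The commit description says 114 bits while this Javadoc says 112; one of the two should be corrected so they agree. Since this is test-only key material the entropy figure is a documentation matter rather than a weakness.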
