From 5eb7c377444586c65a78d0cd71f65aabd41d2d32 Mon Sep 17 00:00:00 2001 From: David Turner Date: Fri, 4 Apr 2025 08:42:09 +0100 Subject: [PATCH 1/2] Reinstate `S3SearchableSnapshotsCredentialsReloadIT` in FIPS JVMs These tests only don't work in a FIPS JVM because they use a secret key that is unacceptably short. This commit replaces the relevant uses of `randomIdentifier` with `randomSecretKey` so they work whether in FIPS mode or not. Backport of #126109 to `8.x`
---
 .../RepositoryS3RestReloadCredentialsIT.java | 9 -------- .../test/rest/ESRestTestCase.java | 17 ++++++++++++++ ...earchableSnapshotsCredentialsReloadIT.java | 22 +++++++------------ 3 files changed, 25 insertions(+), 23 deletions(-)
diff --git a/modules/repository-s3/src/javaRestTest/java/org/elasticsearch/repositories/s3/RepositoryS3RestReloadCredentialsIT.java b/modules/repository-s3/src/javaRestTest/java/org/elasticsearch/repositories/s3/RepositoryS3RestReloadCredentialsIT.java
index 0d133b30b5e39..609661af4cc71 100644
--- a/modules/repository-s3/src/javaRestTest/java/org/elasticsearch/repositories/s3/RepositoryS3RestReloadCredentialsIT.java
+++ b/modules/repository-s3/src/javaRestTest/java/org/elasticsearch/repositories/s3/RepositoryS3RestReloadCredentialsIT.java
@@ -10,7 +10,6 @@
 package org.elasticsearch.repositories.s3;
 import fixture.s3.S3HttpFixture;
-import io.netty.handler.codec.http.HttpMethod;
 import org.elasticsearch.client.Request;
 import org.elasticsearch.client.ResponseException;
@@ -105,12 +104,4 @@ public void testReloadCredentialsFromKeystore() throws IOException {
 // Check access using refreshed credentials
 assertOK(client().performRequest(verifyRequest));
 }
-
- private Request createReloadSecureSettingsRequest() throws IOException {
- return newXContentRequest(
- HttpMethod.POST,
- "/_nodes/reload_secure_settings",
- (b, p) -> inFipsJvm() ? b.field("secure_settings_password", "keystore-password") : b
- );
- }
 }
diff --git a/test/framework/src/main/java/org/elasticsearch/test/rest/ESRestTestCase.java b/test/framework/src/main/java/org/elasticsearch/test/rest/ESRestTestCase.java
index 3e936b60993d9..0c2b2bf4a9195 100644
--- a/test/framework/src/main/java/org/elasticsearch/test/rest/ESRestTestCase.java
+++ b/test/framework/src/main/java/org/elasticsearch/test/rest/ESRestTestCase.java
@@ -2705,4 +2705,21 @@ protected static void assertResultMap(
 ) {
 assertMap(result, mapMatcher.entry("columns", columnMatcher).entry("values", valuesMatcher));
 }
+
+ public static final String FIPS_KEYSTORE_PASSWORD = "keystore-password";
+
+ /**
+ * @return a REST {@link Request} which will reload the keystore in the test cluster.
+ */
+ protected final Request createReloadSecureSettingsRequest() {
+ try {
+ return newXContentRequest(
+ HttpMethod.POST,
+ "/_nodes/reload_secure_settings",
+ (b, p) -> inFipsJvm() ? b.field("secure_settings_password", FIPS_KEYSTORE_PASSWORD) : b
+ );
+ } catch (IOException e) {
+ throw new AssertionError("impossible", e);
+ }
+ }
 }
diff --git a/x-pack/plugin/searchable-snapshots/qa/s3/src/javaRestTest/java/org/elasticsearch/xpack/searchablesnapshots/s3/S3SearchableSnapshotsCredentialsReloadIT.java b/x-pack/plugin/searchable-snapshots/qa/s3/src/javaRestTest/java/org/elasticsearch/xpack/searchablesnapshots/s3/S3SearchableSnapshotsCredentialsReloadIT.java
index 5889140bf2bab..2756900cfbf73 100644
--- a/x-pack/plugin/searchable-snapshots/qa/s3/src/javaRestTest/java/org/elasticsearch/xpack/searchablesnapshots/s3/S3SearchableSnapshotsCredentialsReloadIT.java
+++ b/x-pack/plugin/searchable-snapshots/qa/s3/src/javaRestTest/java/org/elasticsearch/xpack/searchablesnapshots/s3/S3SearchableSnapshotsCredentialsReloadIT.java
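Review bot: `FIPS_KEYSTORE_PASSWORD` is added as a public constant with no comment, and the Javadoc on `createReloadSecureSettingsRequest()` does not mention that in a FIPS JVM the request body carries `secure_settings_password`. Nothing in this hunk shows where the test cluster's keystore is given that password, so presumably the constant mirrors a value the cluster fixture sets; a comment such as `/** Test-only password of the cluster keystore in FIPS mode; must match the value the test cluster fixture configures. */` would make that coupling visible to whoever changes either side. I would also add one Javadoc sentence on the FIPS branch and replace the `"impossible"` message with one that names the request being built, e.g. `"failed to build reload_secure_settings request"`. The new method is complete within the hunk; the enclosing class starts outside it.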
@@ -27,7 +27,6 @@
 import org.elasticsearch.test.rest.ObjectPath;
 import org.elasticsearch.xcontent.XContentBuilder;
 import org.elasticsearch.xcontent.XContentType;
-import org.junit.Before;
 import org.junit.ClassRule;
 import org.junit.rules.RuleChain;
 import org.junit.rules.TestRule;
@@ -75,11 +74,6 @@ protected String getTestRestCluster() {
 return cluster.getHttpAddresses();
 }
- @Before
- public void skipFips() {
- assumeFalse("getting these tests to run in a FIPS JVM is kinda fiddly and we don't really need the extra coverage", inFipsJvm());
- }
-
 public void testReloadCredentialsFromKeystore() throws IOException {
 final TestHarness testHarness = new TestHarness();
 testHarness.putRepository();
@@ -88,9 +82,9 @@ public void testReloadCredentialsFromKeystore() throws IOException {
 final String accessKey1 = randomIdentifier();
 repositoryAccessKey = accessKey1;
 keystoreSettings.put("s3.client.default.access_key", accessKey1);
- keystoreSettings.put("s3.client.default.secret_key", randomIdentifier());
+ keystoreSettings.put("s3.client.default.secret_key", randomSecretKey());
 cluster.updateStoredSecureSettings();
- assertOK(client().performRequest(new Request("POST", "/_nodes/reload_secure_settings")));
+ assertOK(client().performRequest(createReloadSecureSettingsRequest()));
 testHarness.createFrozenSearchableSnapshotIndex();
@@ -110,7 +104,7 @@ public void testReloadCredentialsFromKeystore() throws IOException {
 logger.info("--> update keystore contents");
 keystoreSettings.put("s3.client.default.access_key", accessKey2);
 cluster.updateStoredSecureSettings();
- assertOK(client().performRequest(new Request("POST", "/_nodes/reload_secure_settings")));
+ assertOK(client().performRequest(createReloadSecureSettingsRequest()));
 // Check access using refreshed credentials
 logger.info("--> expect success");
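Review bot: In the `@@ -88,9 +82,9 @@` hunk the reload is still verified only by `assertOK(...)`, which checks the HTTP status and nothing else. As far as I know, `/_nodes/reload_secure_settings` answers 200 even when a node cannot open its keystore and reports that per node as `reload_exception` in the body, so a wrong or missing password on the new FIPS path would pass here and only show up later as an unrelated-looking S3 credentials failure. Consider keeping the response, `final Response reload = client().performRequest(createReloadSecureSettingsRequest());`, and asserting that no entry under `nodes` carries `reload_exception`, ideally in a shared helper next to `createReloadSecureSettingsRequest()`. The same applies to the reload calls in the `@@ -110,7 +104,7 @@` and `@@ -128,11 +122,11 @@` hunks; the test method bodies start and end outside these hunks.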
@@ -128,11 +122,11 @@ public void testReloadCredentialsFromAlternativeClient() throws IOException {
 repositoryAccessKey = accessKey1;
 keystoreSettings.put("s3.client.default.access_key", accessKey1);
- keystoreSettings.put("s3.client.default.secret_key", randomIdentifier());
+ keystoreSettings.put("s3.client.default.secret_key", randomSecretKey());
 keystoreSettings.put("s3.client." + alternativeClient + ".access_key", accessKey2);
- keystoreSettings.put("s3.client." + alternativeClient + ".secret_key", randomIdentifier());
+ keystoreSettings.put("s3.client." + alternativeClient + ".secret_key", randomSecretKey());
 cluster.updateStoredSecureSettings();
- assertOK(client().performRequest(new Request("POST", "/_nodes/reload_secure_settings")));
+ assertOK(client().performRequest(createReloadSecureSettingsRequest()));
 testHarness.createFrozenSearchableSnapshotIndex();
@@ -164,7 +158,7 @@ public void testReloadCredentialsFromMetadata() throws IOException {
 final String accessKey1 = randomIdentifier();
 final String accessKey2 = randomValueOtherThan(accessKey1, ESTestCase::randomIdentifier);
- testHarness.putRepository(b -> b.put("access_key", accessKey1).put("secret_key", randomIdentifier()));
+ testHarness.putRepository(b -> b.put("access_key", accessKey1).put("secret_key", randomSecretKey()));
 repositoryAccessKey = accessKey1;
 testHarness.createFrozenSearchableSnapshotIndex();
@@ -182,7 +176,7 @@ public void testReloadCredentialsFromMetadata() throws IOException {
 // Adjust repository to use new client
 logger.info("--> update repository metadata");
- testHarness.putRepository(b -> b.put("access_key", accessKey2).put("secret_key", randomIdentifier()));
+ testHarness.putRepository(b -> b.put("access_key", accessKey2).put("secret_key", randomSecretKey()));
 // Check access using refreshed credentials
 logger.info("--> expect success");
From cd592f57cc8b78b3f268c6681b3d952b952461a0 Mon Sep 17 00:00:00 2001
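Review bot: In the `@@ -164,7 +158,7 @@` hunk, and again in `@@ -182,7 +176,7 @@`, nothing at the call site says why the secret key now comes from `randomSecretKey()` while the access key on the same line still comes from `randomIdentifier()`. The reason is only in the commit message (the identifier is too short to be accepted in a FIPS JVM), so a later cleanup could easily unify the two calls and break FIPS runs again. A one-line comment above the first use would keep it, e.g. `// secret keys must satisfy the FIPS minimum length, so randomIdentifier() is not usable here`. `randomSecretKey()` is defined outside this diff, so its length guarantee cannot be confirmed from here, and the test method body starts and ends outside the hunk.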
From: David Turner Date: Fri, 4 Apr 2025 17:04:27 +0100 Subject: [PATCH 2/2] CI poke