[Test] Increase test secret key length (elastic#117675)
Running in FIPS-approved mode requires secret keys to be at least 114
bits long.

Relates: elastic#117324 Resolves: elastic#117596 Resolves: elastic#117709 Resolves: elastic#117710
Resolves: elastic#117711 Resolves: elastic#117712
ywangd authored Nov 29, 2024
1 parent 5663728 commit 24bc505
Showing 5 changed files with 24 additions and 10 deletions.
Expand Up @@ -10,6 +10,7 @@
package org.elasticsearch.repositories.s3;

import fixture.s3.S3HttpFixture;
import io.netty.handler.codec.http.HttpMethod;

import org.elasticsearch.client.Request;
import org.elasticsearch.client.ResponseException;
Expand Down Expand Up @@ -61,8 +62,6 @@ protected String getTestRestCluster() {
}

public void testReloadCredentialsFromKeystore() throws IOException {
assumeFalse("doesn't work in a FIPS JVM, but that's ok", inFipsJvm());

// Register repository (?verify=false because we don't have access to the blob store yet)
final var repositoryName = randomIdentifier();
registerRepository(
Expand All @@ -77,15 +76,16 @@ public void testReloadCredentialsFromKeystore() throws IOException {
final var accessKey1 = randomIdentifier();
repositoryAccessKey = accessKey1;
keystoreSettings.put("s3.client.default.access_key", accessKey1);
keystoreSettings.put("s3.client.default.secret_key", randomIdentifier());
keystoreSettings.put("s3.client.default.secret_key", randomSecretKey());
cluster.updateStoredSecureSettings();
assertOK(client().performRequest(new Request("POST", "/_nodes/reload_secure_settings")));

assertOK(client().performRequest(createReloadSecureSettingsRequest()));

// Check access using initial credentials
assertOK(client().performRequest(verifyRequest));

// Rotate credentials in blob store
final var accessKey2 = randomValueOtherThan(accessKey1, ESTestCase::randomIdentifier);
final var accessKey2 = randomValueOtherThan(accessKey1, ESTestCase::randomSecretKey);
repositoryAccessKey = accessKey2;

// Ensure that initial credentials now invalid
Expand All @@ -99,10 +99,17 @@ public void testReloadCredentialsFromKeystore() throws IOException {
// Set up refreshed credentials
keystoreSettings.put("s3.client.default.access_key", accessKey2);
cluster.updateStoredSecureSettings();
assertOK(client().performRequest(new Request("POST", "/_nodes/reload_secure_settings")));
assertOK(client().performRequest(createReloadSecureSettingsRequest()));

// Check access using refreshed credentials
assertOK(client().performRequest(verifyRequest));
}

private Request createReloadSecureSettingsRequest() throws IOException {
return newXContentRequest(
HttpMethod.POST,
"/_nodes/reload_secure_settings",
(b, p) -> inFipsJvm() ? b.field("secure_settings_password", "keystore-password") : b
);
}
}
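Review bot: `createReloadSecureSettingsRequest` hard-codes the keystore password `"keystore-password"`, which has to match the password the test cluster's keystore was created with (configured outside this hunk); a shared constant, or reading it from the same place the cluster definition does, would keep the two from drifting silently. A one-line comment on the ternary would also help, e.g. `// a FIPS-mode keystore is password protected, so the reload request must carry the password`. Separately, `accessKey2` is now drawn from `randomSecretKey()` while `accessKey1` still comes from `randomIdentifier()`; unless the fixture also uses the access key as signing material, `randomValueOtherThan(accessKey1, ESTestCase::randomIdentifier)` keeps both access keys generated the same way and avoids implying that the length requirement applies to access keys. `testReloadCredentialsFromKeystore` starts before the third hunk of this file.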
2 changes: 0 additions & 2 deletions muted-tests.yml
Expand Up @@ -216,8 +216,6 @@ tests:
- class: org.elasticsearch.reservedstate.service.FileSettingsServiceTests
method: testStopWorksInMiddleOfProcessing
issue: https://github.com/elastic/elasticsearch/issues/117591
- class: org.elasticsearch.repositories.s3.RepositoryS3ClientYamlTestSuiteIT
issue: https://github.com/elastic/elasticsearch/issues/117596
- class: "org.elasticsearch.xpack.esql.qa.multi_node.EsqlSpecIT"
method: "test {scoring.*}"
issue: https://github.com/elastic/elasticsearch/issues/117641
Expand Up @@ -28,6 +28,7 @@
import java.util.stream.Collectors;

import static org.elasticsearch.test.ESTestCase.randomIdentifier;
import static org.elasticsearch.test.ESTestCase.randomSecretKey;

/**
* Minimal HTTP handler that emulates the AWS STS server
Expand Down Expand Up @@ -102,7 +103,7 @@ public void handle(final HttpExchange exchange) throws IOException {
ROLE_ARN,
ROLE_NAME,
sessionToken,
randomIdentifier(),
randomSecretKey(),
ZonedDateTime.now().plusDays(1L).format(DateTimeFormatter.ofPattern("yyyy-MM-dd'T'HH:mm:ssZ")),
accessKey
).getBytes(StandardCharsets.UTF_8);
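Review bot: The switch from `randomIdentifier()` to `randomSecretKey()` in the STS response body (and the matching line in the IMDS handler below) carries no explanation, so a reader has to find the commit message to learn why this field is generated differently from the other random fields; a trailing comment such as `randomSecretKey(), // secret access key: long enough for FIPS-mode key-length checks` on this line and its IMDS counterpart would make the intent local. The generated secret is not retained by the handler, so it presumably cannot be used to verify request signatures on the fixture side; a comment would help if that is intentional. `handle` begins and ends outside the hunk.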
Expand Up @@ -28,6 +28,7 @@
import java.util.function.BiConsumer;

import static org.elasticsearch.test.ESTestCase.randomIdentifier;
import static org.elasticsearch.test.ESTestCase.randomSecretKey;

/**
* Minimal HTTP handler that emulates the EC2 IMDS server
Expand Down Expand Up @@ -84,7 +85,7 @@ public void handle(final HttpExchange exchange) throws IOException {
accessKey,
ZonedDateTime.now(Clock.systemUTC()).plusDays(1L).format(DateTimeFormatter.ISO_DATE_TIME),
randomIdentifier(),
randomIdentifier(),
randomSecretKey(),
sessionToken
).getBytes(StandardCharsets.UTF_8);
exchange.getResponseHeaders().add("Content-Type", "application/json");
Expand Up @@ -1358,6 +1358,13 @@ public static String randomDateFormatterPattern() {
return randomFrom(FormatNames.values()).getName();
}

/**
* Generate a random string of at least 112 bits to satisfy minimum entropy requirement when running in FIPS mode.
*/
public static String randomSecretKey() {
return randomAlphaOfLengthBetween(14, 20);
}

/**
* Randomly choose between {@link EsExecutors#DIRECT_EXECUTOR_SERVICE} (which does not fork), {@link ThreadPool#generic}, and one of the
* other named threadpool executors.
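Review bot: The Javadoc on `randomSecretKey` speaks of a "minimum entropy requirement", but `randomAlphaOfLengthBetween(14, 20)` only guarantees a key length of at least 14 characters (112 bits when encoded one byte per character); if the alphabet is the 52 ASCII letters, 14 characters carry roughly 80 bits of entropy, well below 112. The comment should describe key length instead, e.g. `Generate a random alphabetic string of 14 to 20 characters so that its encoded length (at least 112 bits) satisfies the minimum secret-key length enforced by FIPS-approved providers. Intended for test fixtures only.` The commit description says 114 bits while this comment says 112; the two should agree.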
