diff --git a/src/integrationTest/java/org/opensearch/test/framework/cluster/OpenSearchClientProvider.java b/src/integrationTest/java/org/opensearch/test/framework/cluster/OpenSearchClientProvider.java index 5c3340ff2a..ec54a121f6 100644 --- a/src/integrationTest/java/org/opensearch/test/framework/cluster/OpenSearchClientProvider.java +++ b/src/integrationTest/java/org/opensearch/test/framework/cluster/OpenSearchClientProvider.java @@ -69,6 +69,7 @@ import org.opensearch.test.framework.certificate.CertificateData; import org.opensearch.test.framework.certificate.TestCertificates; +import static org.opensearch.security.ssl.util.SSLConfigConstants.DEFAULT_STORE_TYPE; import static org.opensearch.test.framework.cluster.TestRestClientConfiguration.getBasicAuthHeader; /** @@ -273,7 +274,7 @@ private SSLContext getSSLContext(CertificateData useCertificateData) { trustCertificates = PemKeyReader.loadCertificatesFromFile(getTestCertificates().getRootCertificate()); TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); - KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); + KeyStore ks = KeyStore.getInstance(DEFAULT_STORE_TYPE); ks.load(null); diff --git a/src/integrationTest/java/org/opensearch/test/framework/ldap/LdapServer.java b/src/integrationTest/java/org/opensearch/test/framework/ldap/LdapServer.java index a4666dda46..614ee6fbbc 100644 --- a/src/integrationTest/java/org/opensearch/test/framework/ldap/LdapServer.java +++ b/src/integrationTest/java/org/opensearch/test/framework/ldap/LdapServer.java @@ -48,6 +48,8 @@ import com.unboundid.ldif.LDIFReader; import com.unboundid.util.ssl.SSLUtil; +import static org.opensearch.security.ssl.util.SSLConfigConstants.DEFAULT_STORE_TYPE; + /** * Based on class org.opensearch.security.auth.ldap.srv.LdapServer from older tests */ 
@@ -154,7 +156,7 @@ private void addLdapCertificatesToKeystore(KeyStore keyStore) throws KeyStoreExc } private static KeyStore createEmptyKeyStore() throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException { - KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType()); + KeyStore keyStore = KeyStore.getInstance(DEFAULT_STORE_TYPE); keyStore.load(null); return keyStore; } diff --git a/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java b/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java index 7c421c4803..867a40f3b4 100644 --- a/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java +++ b/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java @@ -25,18 +25,14 @@ import java.nio.file.Paths; import java.security.NoSuchAlgorithmException; import java.security.PrivateKey; -import java.security.cert.CertificateParsingException; import java.security.cert.X509Certificate; import java.util.ArrayList; import java.util.Arrays; -import java.util.Collection; import java.util.Collections; -import java.util.Comparator; import java.util.Date; import java.util.List; import java.util.Objects; import java.util.Set; -import java.util.TreeSet; import java.util.function.Function; import java.util.stream.Collectors; import java.util.stream.Stream; @@ -51,13 +47,6 @@ import com.google.common.collect.ImmutableSet; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; -import org.bouncycastle.asn1.ASN1InputStream; -import org.bouncycastle.asn1.ASN1Object; -import org.bouncycastle.asn1.ASN1ObjectIdentifier; -import org.bouncycastle.asn1.ASN1Primitive; -import org.bouncycastle.asn1.ASN1Sequence; -import org.bouncycastle.asn1.ASN1String; -import org.bouncycastle.asn1.ASN1TaggedObject; import org.opensearch.OpenSearchException; import org.opensearch.OpenSearchSecurityException; 
@@ -65,6 +54,7 @@ import org.opensearch.env.Environment; import org.opensearch.secure_sm.AccessController; import org.opensearch.security.ssl.config.CertType; +import org.opensearch.security.ssl.config.SanParser; import org.opensearch.security.ssl.util.CertFileProps; import org.opensearch.security.ssl.util.CertFromFile; import org.opensearch.security.ssl.util.CertFromKeystore; 
@@ -1026,59 +1016,6 @@ private static void checkPath(String keystoreFilePath, String fileNameLogOnly) { @Override public String getSubjectAlternativeNames(X509Certificate cert) { - String san = ""; - try { - Collection> altNames = cert != null && cert.getSubjectAlternativeNames() != null - ? cert.getSubjectAlternativeNames() - : null; - if (altNames != null) { - Comparator> comparator = Comparator.comparing((List altName) -> (Integer) altName.get(0)) - .thenComparing((List altName) -> (String) altName.get(1)); - - Set> sans = new TreeSet<>(comparator); - for (List altName : altNames) { - Integer type = (Integer) altName.get(0); - // otherName requires parsing to string - if (type == 0) { - List otherName = getOtherName(altName); - if (otherName != null) { - sans.add(Arrays.asList(type, otherName)); - } - } else { - sans.add(altName); - } - } - san = sans.toString(); - } - } catch (CertificateParsingException e) { - log.error("Issue parsing SubjectAlternativeName:", e); - } - - return san; - } - - private List getOtherName(List altName) { - if (altName.size() < 2) { - log.warn("Couldn't parse subject alternative names"); - return null; - } - try (final ASN1InputStream in = new ASN1InputStream((byte[]) altName.get(1))) { - final ASN1Primitive asn1Primitive = in.readObject(); - final ASN1Sequence sequence = ASN1Sequence.getInstance(asn1Primitive); - final ASN1ObjectIdentifier asn1ObjectIdentifier = ASN1ObjectIdentifier.getInstance(sequence.getObjectAt(0)); - final ASN1TaggedObject asn1TaggedObject = ASN1TaggedObject.getInstance(sequence.getObjectAt(1)); - ASN1Object maybeTaggedAsn1Primitive = asn1TaggedObject.getObject(); - if (maybeTaggedAsn1Primitive instanceof ASN1TaggedObject) { - maybeTaggedAsn1Primitive = ASN1TaggedObject.getInstance(maybeTaggedAsn1Primitive).getObject(); - } - if (maybeTaggedAsn1Primitive instanceof ASN1String) { - return ImmutableList.of(asn1ObjectIdentifier.getId(), maybeTaggedAsn1Primitive.toString()); - } else { - log.warn("Couldn't parse 
subject alternative names"); - return null; - } - } catch (final Exception ioe) { // catch all exception here since BC throws diff exceptions - throw new RuntimeException("Couldn't parse subject alternative names", ioe); - } + return SanParser.parse(cert); } } diff --git a/src/main/java/org/opensearch/security/ssl/config/Certificate.java b/src/main/java/org/opensearch/security/ssl/config/Certificate.java index de451f66f5..c666d99ff8 100644 --- a/src/main/java/org/opensearch/security/ssl/config/Certificate.java +++ b/src/main/java/org/opensearch/security/ssl/config/Certificate.java @@ -11,31 +11,11 @@ package org.opensearch.security.ssl.config; -import java.security.cert.CertificateParsingException; import java.security.cert.X509Certificate; -import java.util.Arrays; -import java.util.Collection; -import java.util.Comparator; -import java.util.List; import java.util.Objects; -import java.util.Set; -import java.util.TreeSet; - -import com.google.common.collect.ImmutableList; -import org.apache.logging.log4j.LogManager; -import org.apache.logging.log4j.Logger; -import org.bouncycastle.asn1.ASN1InputStream; -import org.bouncycastle.asn1.ASN1Object; -import org.bouncycastle.asn1.ASN1ObjectIdentifier; -import org.bouncycastle.asn1.ASN1Primitive; -import org.bouncycastle.asn1.ASN1Sequence; -import org.bouncycastle.asn1.ASN1String; -import org.bouncycastle.asn1.ASN1TaggedObject; public class Certificate { - private final static Logger LOGGER = LogManager.getLogger(Certificate.class); - private final X509Certificate certificate; private final String format; 
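Review bot: The removed implementation returned "" for a null `cert` (`cert != null && cert.getSubjectAlternativeNames() != null`), whereas the new one-liner hands the argument straight to `SanParser.parse`, which constructs `new JcaX509CertificateHolder(certificate)` unguarded, so callers that passed null now get a NullPointerException instead of an empty string. Keep the old contract at this call site with `return cert == null ? "" : SanParser.parse(cert);` (or add the guard inside SanParser). Note also that the failure contract narrows: the removed code rethrew ASN.1 errors unconditionally as RuntimeException, while SanParser rethrows only under `CryptoServicesRegistrar.isInApprovedOnlyMode()` and otherwise returns "" — if any caller compares this string to decide whether a reloaded certificate is acceptable, an unparseable SAN now looks the same as a certificate with no SAN, which deserves a sentence in this method's Javadoc.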
@@ -72,72 +52,13 @@ public boolean hasPrivateKey() { } public String subjectAlternativeNames() { - return loadSubjectAlternativeNames(); + return SanParser.parse(certificate); } public byte[] signature() { return certificate.getSignature(); } - @Deprecated(since = "since JDK 21", forRemoval = true) - public String loadSubjectAlternativeNames() { - String san = ""; - try { - Collection> altNames = certificate != null && certificate.getSubjectAlternativeNames() != null - ? certificate.getSubjectAlternativeNames() - : null; - if (altNames != null) { - Comparator> comparator = Comparator.comparing((List altName) -> (Integer) altName.get(0)) - .thenComparing((List altName) -> (String) altName.get(1)); - - Set> sans = new TreeSet<>(comparator); - for (List altName : altNames) { - Integer type = (Integer) altName.get(0); - // otherName requires parsing to string - if (type == 0) { - List otherName = parseOtherName(altName); - if (otherName != null) { - sans.add(Arrays.asList(type, otherName)); - } - } else { - sans.add(altName); - } - } - san = sans.toString(); - } - } catch (CertificateParsingException e) { - LOGGER.error("Issue parsing SubjectAlternativeName:", e); - } - - return san; - } - - @Deprecated(since = "since JDK 21", forRemoval = true) - private List parseOtherName(List altName) { - if (altName.size() < 2) { - LOGGER.warn("Couldn't parse subject alternative names"); - return null; - } - try (final ASN1InputStream in = new ASN1InputStream((byte[]) altName.get(1))) { - final ASN1Primitive asn1Primitive = in.readObject(); - final ASN1Sequence sequence = ASN1Sequence.getInstance(asn1Primitive); - final ASN1ObjectIdentifier asn1ObjectIdentifier = ASN1ObjectIdentifier.getInstance(sequence.getObjectAt(0)); - final ASN1TaggedObject asn1TaggedObject = ASN1TaggedObject.getInstance(sequence.getObjectAt(1)); - ASN1Object maybeTaggedAsn1Primitive = asn1TaggedObject.getObject(); - if (maybeTaggedAsn1Primitive instanceof ASN1TaggedObject) { - maybeTaggedAsn1Primitive = 
ASN1TaggedObject.getInstance(maybeTaggedAsn1Primitive).getObject(); - } - if (maybeTaggedAsn1Primitive instanceof ASN1String) { - return ImmutableList.of(asn1ObjectIdentifier.getId(), maybeTaggedAsn1Primitive.toString()); - } else { - LOGGER.warn("Couldn't parse subject alternative names"); - return null; - } - } catch (final Exception ioe) { // catch all exception here since BC throws diff exceptions - throw new RuntimeException("Couldn't parse subject alternative names", ioe); - } - } - public String serialNumber() { return certificate.getSerialNumber().toString(); } diff --git a/src/main/java/org/opensearch/security/ssl/config/KeyStoreUtils.java b/src/main/java/org/opensearch/security/ssl/config/KeyStoreUtils.java index f6915c08ec..5f7e6c0fe8 100644 --- a/src/main/java/org/opensearch/security/ssl/config/KeyStoreUtils.java +++ b/src/main/java/org/opensearch/security/ssl/config/KeyStoreUtils.java @@ -41,6 +41,8 @@ import io.netty.handler.ssl.ApplicationProtocolNegotiator; import io.netty.handler.ssl.SslContext; +import static org.opensearch.security.ssl.util.SSLConfigConstants.DEFAULT_STORE_TYPE; + final class KeyStoreUtils { private final static Logger log = LogManager.getLogger(KeyStoreUtils.class); @@ -113,7 +115,7 @@ public static KeyStore loadTrustStore(final Path path, final String type, final if (aliasCertificate == null) { throw new OpenSearchException("Couldn't find SSL certificate for alias " + alias); } - keyStore = newKeyStore(); + keyStore = newKeyStore(type); keyStore.setCertificateEntry(alias, aliasCertificate); } return keyStore; 
@@ -137,7 +139,11 @@ public static KeyStore newTrustStoreFromPem(final Path pemFile) { } private static KeyStore newKeyStore() throws KeyStoreException, CertificateException, IOException, NoSuchAlgorithmException { - final var keyStore = KeyStore.getInstance(KeyStore.getDefaultType()); + return newKeyStore(DEFAULT_STORE_TYPE); + } + + private static KeyStore newKeyStore(String type) throws KeyStoreException, CertificateException, IOException, NoSuchAlgorithmException { + final var keyStore = KeyStore.getInstance(type); keyStore.load(null, null); return keyStore; } @@ -235,7 +241,7 @@ public static KeyStore newKeyStore( throw new CertificateException("Couldn't find certificate chain for alias " + alias); } final var key = keyStore.getKey(alias, keyPassword); - keyStore = newKeyStore(); + keyStore = newKeyStore(type); keyStore.setKeyEntry(alias, key, keyPassword, certificateChain); } return keyStore; diff --git a/src/main/java/org/opensearch/security/ssl/config/SanParser.java b/src/main/java/org/opensearch/security/ssl/config/SanParser.java new file mode 100644 index 0000000000..00c02ad37e --- /dev/null +++ b/src/main/java/org/opensearch/security/ssl/config/SanParser.java 
@@ -0,0 +1,78 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+package org.opensearch.security.ssl.config;
+
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.X509Certificate;
+import java.util.Comparator;
+import java.util.List;
+import java.util.Set;
+import java.util.TreeSet;
+
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.bouncycastle.asn1.ASN1Encodable;
+import org.bouncycastle.asn1.ASN1OctetString;
+import org.bouncycastle.asn1.ASN1String;
+import org.bouncycastle.asn1.x509.Extension;
+import org.bouncycastle.asn1.x509.GeneralName;
+import org.bouncycastle.asn1.x509.GeneralNames;
+import org.bouncycastle.asn1.x509.OtherName;
+import org.bouncycastle.cert.X509CertificateHolder;
+import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
+import org.bouncycastle.crypto.CryptoServicesRegistrar;
+
+public class SanParser {
+
+ private static final Logger LOGGER = LogManager.getLogger(SanParser.class);
+
+ private SanParser() {}
+
+ public static String parse(X509Certificate certificate) {
+ try {
+ X509CertificateHolder holder = new JcaX509CertificateHolder(certificate);
+ GeneralNames generalNames = GeneralNames.fromExtensions(holder.getExtensions(), Extension.subjectAlternativeName);
+ if (generalNames == null) return "";
+
+ Comparator> comparator = Comparator.comparing((List n) -> (Integer) n.get(0))
+ .thenComparing((List n) -> n.get(1).toString());
+ Set> sans = new TreeSet<>(comparator);
+
+ for (GeneralName gn : generalNames.getNames()) {
+ int type = gn.getTagNo();
+ if (type == GeneralName.otherName) {
+ OtherName on = OtherName.getInstance(gn.getName());
+ ASN1Encodable value = on.getValue();
+ if (value instanceof ASN1String) {
+ sans.add(List.of(type, List.of(on.getTypeID().getId(), value.toString())));
+ } else {
+ LOGGER.warn("Couldn't parse OtherName SAN value");
+ }
+ } else if (type == GeneralName.iPAddress) {
+ byte[] octets = ASN1OctetString.getInstance(gn.getName()).getOctets();
+ sans.add(List.of(type, InetAddress.getByAddress(octets).getHostAddress()));
+ } else {
+ sans.add(List.of(type, gn.getName().toString()));
+ }
+ }
+ return sans.isEmpty() ? "" : sans.toString();
+ } catch (final CertificateEncodingException | UnknownHostException e) {
+ LOGGER.error("Couldn't parse subject alternative names", e);
+ if (CryptoServicesRegistrar.isInApprovedOnlyMode()) {
+ throw new RuntimeException("Couldn't parse subject alternative names", e);
+ }
+ return "";
+ }
+ }
+}
diff --git a/src/main/java/org/opensearch/security/ssl/config/SslCertificatesLoader.java b/src/main/java/org/opensearch/security/ssl/config/SslCertificatesLoader.java
index 40de2f93f1..1f9315bfd3 100644
--- a/src/main/java/org/opensearch/security/ssl/config/SslCertificatesLoader.java
+++ b/src/main/java/org/opensearch/security/ssl/config/SslCertificatesLoader.java
@@ -23,10 +23,10 @@ import org.opensearch.common.settings.SecureSetting; import org.opensearch.common.settings.Settings; import org.opensearch.env.Environment; +import org.opensearch.security.support.PemKeyReader; import static org.opensearch.security.ssl.SecureSSLSettings.SECURE_SUFFIX; import static org.opensearch.security.ssl.util.SSLConfigConstants.DEFAULT_STORE_PASSWORD; -import static org.opensearch.security.ssl.util.SSLConfigConstants.DEFAULT_STORE_TYPE; import static org.opensearch.security.ssl.util.SSLConfigConstants.KEYSTORE_ALIAS; import static org.opensearch.security.ssl.util.SSLConfigConstants.KEYSTORE_FILEPATH; import static org.opensearch.security.ssl.util.SSLConfigConstants.KEYSTORE_KEY_PASSWORD;
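Review bot: The catch clause at the end of `parse` handles only `CertificateEncodingException | UnknownHostException`, but the BouncyCastle calls inside the try (`GeneralNames.fromExtensions`, `OtherName.getInstance`, `ASN1OctetString.getInstance`) report malformed encodings as unchecked `IllegalArgumentException` (and related unchecked types), so a peer certificate with a corrupt SAN extension escapes as an unexpected runtime exception instead of reaching the log-and-return-"" (or FIPS rethrow) path the method is built around — the removed implementations caught `Exception` for exactly this reason ("BC throws diff exceptions"). Widen the clause, e.g. `} catch (final CertificateEncodingException | UnknownHostException | IllegalArgumentException e) {`, so the FIPS-mode policy applies to every parse failure. `new JcaX509CertificateHolder(certificate)` also dereferences `certificate` without a null check, which both previous callers tolerated by returning "". A Javadoc line pinning the output format would help callers that compare the string: `/** Returns the SANs as a sorted string of [tag, value] pairs; "" when absent, or when unparseable outside FIPS approved-only mode. */`.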
@@ -126,9 +126,12 @@ private KeyStoreConfiguration.JdkKeyStoreConfiguration buildJdkKeyStoreConfigura final char[] keyStorePassword, final char[] keyPassword ) { + final Path path = resolvePath(environment.settings().get(sslConfigSuffix + KEYSTORE_FILEPATH), environment); + final String explicitType = environment.settings().get(sslConfigSuffix + KEYSTORE_TYPE); + final String resolvedType = PemKeyReader.extractStoreType(path.toString(), explicitType); return new KeyStoreConfiguration.JdkKeyStoreConfiguration( - resolvePath(environment.settings().get(sslConfigSuffix + KEYSTORE_FILEPATH), environment), - environment.settings().get(sslConfigSuffix + KEYSTORE_TYPE, DEFAULT_STORE_TYPE), + path, + resolvedType, settings.get(KEYSTORE_ALIAS, null), keyStorePassword, keyPassword @@ -140,9 +143,12 @@ private TrustStoreConfiguration.JdkTrustStoreConfiguration buildJdkTrustStoreCon final Environment environment, final char[] trustStorePassword ) { + final Path path = resolvePath(environment.settings().get(sslConfigSuffix + TRUSTSTORE_FILEPATH), environment); + final String explicitType = environment.settings().get(sslConfigSuffix + TRUSTSTORE_TYPE); + final String resolvedType = PemKeyReader.extractStoreType(path.toString(), explicitType); return new TrustStoreConfiguration.JdkTrustStoreConfiguration( - resolvePath(environment.settings().get(sslConfigSuffix + TRUSTSTORE_FILEPATH), environment), - environment.settings().get(sslConfigSuffix + TRUSTSTORE_TYPE, DEFAULT_STORE_TYPE), + path, + resolvedType, settings.get(TRUSTSTORE_ALIAS, null), trustStorePassword ); diff --git a/src/main/java/org/opensearch/security/ssl/util/SSLConfigConstants.java b/src/main/java/org/opensearch/security/ssl/util/SSLConfigConstants.java index 64ff1f8165..689c41238e 100644 --- a/src/main/java/org/opensearch/security/ssl/util/SSLConfigConstants.java +++ b/src/main/java/org/opensearch/security/ssl/util/SSLConfigConstants.java 
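Review bot: `PemKeyReader.extractStoreType(path.toString(), explicitType)` now opens and reads the keystore file while the configuration object is being built, which is earlier and in a different place than the store was read before; if this code runs under the OpenSearch security manager (`DefaultSecurityKeyStore` imports `org.opensearch.secure_sm.AccessController` for its file access), the new read may need the same privileged wrapping, and a missing file now fails here with an `UncheckedIOException` rather than at load time. Whether `resolvePath` can return null when the `keystore_filepath` setting is absent is outside this hunk; if it can, `path.toString()` is a NullPointerException where the previous code merely passed the null path on. A guard such as `final String resolvedType = path == null ? explicitType : PemKeyReader.extractStoreType(path.toString(), explicitType);` keeps the old behaviour for that case. The same applies to the truststore builder in the following hunk.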
@@ -17,11 +17,15 @@ package org.opensearch.security.ssl.util; +import java.security.KeyStore; import java.util.Arrays; import java.util.Collections; import java.util.List; +import java.util.Locale; import java.util.function.Function; +import org.bouncycastle.crypto.CryptoServicesRegistrar; + import org.opensearch.common.settings.Setting; import org.opensearch.common.settings.Settings; import org.opensearch.security.ssl.config.CertType; @@ -42,7 +46,9 @@ public final class SSLConfigConstants { public static final String ENABLED = "enabled"; public static final String CLIENT_AUTH_MODE = "clientauth_mode"; public static final String ENFORCE_CERT_RELOAD_DN_VERIFICATION = "enforce_cert_reload_dn_verification"; - public static final String DEFAULT_STORE_TYPE = "JKS"; + public static final String DEFAULT_STORE_TYPE = CryptoServicesRegistrar.isInApprovedOnlyMode() + ? "BCFKS" + : KeyStore.getDefaultType().toUpperCase(Locale.ROOT); public static final String SSL_PREFIX = "plugins.security.ssl."; public static final String KEYSTORE_TYPE = "keystore_type"; diff --git a/src/main/java/org/opensearch/security/support/PemKeyReader.java b/src/main/java/org/opensearch/security/support/PemKeyReader.java index 230fb29a4a..e99ee5161c 100644 --- a/src/main/java/org/opensearch/security/support/PemKeyReader.java +++ b/src/main/java/org/opensearch/security/support/PemKeyReader.java @@ -26,12 +26,14 @@ package org.opensearch.security.support; +import java.io.BufferedInputStream; import java.io.ByteArrayInputStream; import java.io.File; import java.io.FileInputStream; import java.io.IOException; import java.io.InputStream; import java.io.InputStreamReader; +import java.io.UncheckedIOException; import java.nio.charset.StandardCharsets; import java.nio.file.Files; import java.nio.file.LinkOption; 
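Review bot: `DEFAULT_STORE_TYPE` is now a `static final` computed once when `SSLConfigConstants` is initialised, so `CryptoServicesRegistrar.isInApprovedOnlyMode()` is sampled on whichever thread first touches the class; in BC-FIPS the approved-only flag is per-thread unless set globally via the `org.bouncycastle.fips.approved_only` system property, so a mode enabled later or on another thread leaves the constant at the non-FIPS value. If that is acceptable, say so at the declaration: `// Evaluated once at class load: FIPS approved-only mode must be set JVM-wide before this class is first used.`; otherwise expose it as a method that evaluates on demand. Two further things a reader should see in a comment: the non-FIPS default silently moves from "JKS" to the JDK default ("PKCS12" on JDK 9+, or whatever `keystore.type` in java.security says), and `KeyStore.getInstance("BCFKS")` with no provider argument only succeeds if the BC/BC-FIPS provider is registered with the JCA before first use.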
@@ -51,6 +53,7 @@ import java.security.spec.InvalidKeySpecException; import java.security.spec.PKCS8EncodedKeySpec; import java.util.Collection; +import java.util.Locale; import javax.crypto.Cipher; import javax.crypto.EncryptedPrivateKeyInfo; import javax.crypto.NoSuchPaddingException; @@ -60,6 +63,11 @@ import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; +import org.bouncycastle.asn1.ASN1Encodable; +import org.bouncycastle.asn1.ASN1InputStream; +import org.bouncycastle.asn1.ASN1Integer; +import org.bouncycastle.asn1.ASN1Sequence; +import org.bouncycastle.crypto.CryptoServicesRegistrar; import org.bouncycastle.util.io.pem.PemObject; import org.bouncycastle.util.io.pem.PemReader; @@ -67,11 +75,15 @@ import org.opensearch.common.settings.Settings; import org.opensearch.env.Environment; +import static org.opensearch.security.ssl.util.SSLConfigConstants.DEFAULT_STORE_TYPE; + public final class PemKeyReader { private static final Logger log = LogManager.getLogger(PemKeyReader.class); - static final String JKS = "JKS"; - static final String PKCS12 = "PKCS12"; + + public static final String JKS = "JKS"; + public static final String PKCS12 = "PKCS12"; + public static final String BCFKS = "BCFKS"; private static byte[] readPrivateKey(File file) throws KeyException { try (final InputStream in = new FileInputStream(file)) { 
@@ -173,16 +185,13 @@ public static X509Certificate loadCertificateFromStream(InputStream in) throws E return (X509Certificate) fact.generateCertificate(in); } - public static KeyStore loadKeyStore(String storePath, String keyStorePassword, String type) throws Exception { + public static KeyStore loadKeyStore(final String storePath, final String keyStorePassword, final String type) throws Exception { if (storePath == null) { return null; } + String storeType = extractStoreType(storePath, type); - if (type == null || !type.toUpperCase().equals(JKS) || !type.toUpperCase().equals(PKCS12)) { - type = JKS; - } - - final KeyStore store = KeyStore.getInstance(type.toUpperCase()); + final KeyStore store = KeyStore.getInstance(storeType); store.load(new FileInputStream(storePath), keyStorePassword == null ? null : keyStorePassword.toCharArray()); return store; } @@ -308,8 +317,7 @@ public static KeyStore toTruststore(final String trustCertificatesAliasPrefix, f return null; } - KeyStore ks = KeyStore.getInstance(JKS); - ks.load(null); + KeyStore ks = newEmptyStore(); if (trustCertificates != null && trustCertificates.length > 0) { for (int i = 0; i < trustCertificates.length; i++) { @@ -328,8 +336,7 @@ public static KeyStore toKeystore( ) throws Exception { if (authenticationCertificateAlias != null && authenticationCertificate != null && authenticationKey != null) { - KeyStore ks = KeyStore.getInstance(JKS); - ks.load(null, null); + KeyStore ks = newEmptyStore(); ks.setKeyEntry(authenticationCertificateAlias, authenticationKey, password, authenticationCertificate); return ks; } else { 
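Review bot: `store.load(new FileInputStream(storePath), ...)` in `loadKeyStore` still leaks the stream — `KeyStore.load` does not close its argument — and since the method is being reworked this is the moment to fix it: `try (InputStream in = new FileInputStream(storePath)) { store.load(in, keyStorePassword == null ? null : keyStorePassword.toCharArray()); }`. With `extractStoreType` in front of it the file is now opened twice (once for sniffing, once for loading); harmless for a local operator-owned file but worth a comment. Also note that the removed condition was always true and forced every store to JKS, so a caller passing an explicit PKCS12 or BCFKS type now gets different (correct) behaviour than before — worth a line in the method's Javadoc.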
@@ -347,5 +354,56 @@ public static char[] randomChars(int len) { return ret; } + public static String extractStoreType(String storePath, String storeType) { + if (null == storeType) { + storeType = detectStoreType(storePath); + } + if (CryptoServicesRegistrar.isInApprovedOnlyMode() && !PemKeyReader.BCFKS.equalsIgnoreCase(storeType)) { + throw new IllegalArgumentException( + storeType.toUpperCase(Locale.ROOT) + " keystores / truststores are not supported in FIPS mode - use BCFKS." + ); + } + return storeType; + } + + private static String detectStoreType(String path) { + try (InputStream raw = new BufferedInputStream(new FileInputStream(path))) { + raw.mark(32); + byte[] magic = new byte[4]; + if (raw.read(magic) < 4) { + throw new IllegalArgumentException("Cannot detect keystore type: file too short: " + path); + } + // JKS: 0xFEEDFEED + if ((magic[0] & 0xFF) == 0xFE // + && (magic[1] & 0xFF) == 0xED // + && (magic[2] & 0xFF) == 0xFE // + && (magic[3] & 0xFF) == 0xED // + ) { + return PemKeyReader.JKS; + } + // ASN.1: distinguish BCFKS from PKCS12 by outer structure + // PKCS12 (RFC 7292): outer SEQUENCE starts with INTEGER (version = 3) + // BCFKS: outer SEQUENCE starts with SEQUENCE (encrypted content envelope) + if ((magic[0] & 0xFF) == 0x30) { + raw.reset(); + try (ASN1InputStream asn1In = new ASN1InputStream(raw)) { + ASN1Sequence outer = (ASN1Sequence) asn1In.readObject(); + ASN1Encodable first = outer.getObjectAt(0); + if (first instanceof ASN1Integer) return PemKeyReader.PKCS12; + if (first instanceof ASN1Sequence) return PemKeyReader.BCFKS; + } catch (Exception ignored) {} + } + throw new IllegalArgumentException("Cannot detect keystore type for: " + path + ". Specify explicitly with -kst/-tst."); + } catch (IOException e) { + throw new UncheckedIOException(e); + } + } + + static KeyStore newEmptyStore() throws Exception { + var ks = KeyStore.getInstance(DEFAULT_STORE_TYPE); + ks.load(null, null); + return ks; + } + private PemKeyReader() {} } 
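Review bot: `detectStoreType` is now reached from plugin settings (via `SslCertificatesLoader`) as well as from `SecurityAdmin`, but its failure message still says `Specify explicitly with -kst/-tst.`, which are SecurityAdmin CLI flags and meaningless for a node whose `keystore_type`/`truststore_type` setting is missing; make it neutral, e.g. `"Cannot detect keystore type for: " + path + ". Set the store type explicitly (keystore_type/truststore_type setting, or -kst/-tst for securityadmin)."`. The `InputStream.read(byte[])` contract allows a short read even when more bytes are available, so prefer `byte[] magic = raw.readNBytes(4); if (magic.length < 4) throw ...`. The `catch (Exception ignored) {}` around the ASN.1 probe discards the reason a PKCS12/BCFKS candidate was rejected; log it at debug (`log.debug("ASN.1 probe of {} failed", path, e)`) so an operator can tell a corrupt file from an unsupported one. Finally, `extractStoreType` only validates the name of an explicit type (the BCFKS check) and never confirms the file matches it — acceptable since `KeyStore.load` will reject a mismatch, but the Javadoc should state that an explicit type is taken on trust while a null type triggers content sniffing.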
diff --git a/src/main/java/org/opensearch/security/tools/SecurityAdmin.java b/src/main/java/org/opensearch/security/tools/SecurityAdmin.java index f21135c9df..63f3db976e 100644 --- a/src/main/java/org/opensearch/security/tools/SecurityAdmin.java +++ b/src/main/java/org/opensearch/security/tools/SecurityAdmin.java @@ -502,14 +502,14 @@ public static int execute(final String[] args) throws Exception { System.out.println(" ... done"); if (ks != null) { - kst = kst == null ? (ks.endsWith(".jks") ? "JKS" : "PKCS12") : kst; + kst = PemKeyReader.extractStoreType(ks, kst); if (kspass == null && promptForPassword) { kspass = promptForPassword("Keystore", "kspass", OPENDISTRO_SECURITY_KS_PASS); } } if (ts != null) { - tst = tst == null ? (ts.endsWith(".jks") ? "JKS" : "PKCS12") : tst; + tst = PemKeyReader.extractStoreType(ts, tst); if (tspass == null && promptForPassword) { tspass = promptForPassword("Truststore", "tspass", OPENDISTRO_SECURITY_TS_PASS); } diff --git a/src/test/java/org/opensearch/security/HttpIntegrationTests.java b/src/test/java/org/opensearch/security/HttpIntegrationTests.java index d76dfa3909..ef2583d3c6 100644 --- a/src/test/java/org/opensearch/security/HttpIntegrationTests.java +++ b/src/test/java/org/opensearch/security/HttpIntegrationTests.java 
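Review bot: `PemKeyReader.extractStoreType(ks, kst)` now reads the keystore file to sniff its type when `-kst` is omitted, so an unreadable or missing `-ks` path surfaces here as an `UncheckedIOException` (and an unrecognised format as `IllegalArgumentException`) before the password prompt, presumably as a raw stack trace rather than the tool's usual error output; wrap the two calls and report them, e.g. `catch (UncheckedIOException | IllegalArgumentException e) { System.err.println("ERR: " + e.getMessage()); return a non-zero code; }`. This assumes `ks`/`ts` are the exact paths later opened for loading; if they are resolved relative to another directory after this point, the sniff reads the wrong file. Also note the behaviour change for the help text: the `.jks`-suffix heuristic is gone, so a PKCS12 file named `*.jks` now loads correctly instead of failing.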
@@ -413,8 +413,8 @@ public void testHTTPBasic() throws Exception { public void testHTTPSCompressionEnabled() throws Exception { final Settings settings = Settings.builder() .put("plugins.security.ssl.http.enabled", true) - .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks")) - .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks")) + .put("plugins.security.ssl.http.keystore_filepath", FileHelper.resolveStore("node-0-keystore").path()) + .put("plugins.security.ssl.http.truststore_filepath", FileHelper.resolveStore("truststore").path()) .put("http.compression", true) .build(); setup(Settings.EMPTY, new DynamicSecurityConfig(), settings, true); @@ -434,8 +434,8 @@ public void testHTTPSCompressionEnabled() throws Exception { public void testHTTPSCompression() throws Exception { final Settings settings = Settings.builder() .put("plugins.security.ssl.http.enabled", true) - .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks")) - .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks")) + .put("plugins.security.ssl.http.keystore_filepath", FileHelper.resolveStore("node-0-keystore").path()) + .put("plugins.security.ssl.http.truststore_filepath", FileHelper.resolveStore("truststore").path()) .build(); setup(Settings.EMPTY, new DynamicSecurityConfig(), settings, true); final RestHelper rh = restHelper(); // ssl resthelper 
@@ -504,8 +504,8 @@ public void testHTTPClientCert() throws Exception { final Settings settings = Settings.builder() .put("plugins.security.ssl.http.clientauth_mode", "REQUIRE") .put("plugins.security.ssl.http.enabled", true) - .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks")) - .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks")) + .put("plugins.security.ssl.http.keystore_filepath", FileHelper.resolveStore("node-0-keystore").path()) + .put("plugins.security.ssl.http.truststore_filepath", FileHelper.resolveStore("truststore").path()) .putList(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_PROTOCOLS, "TLSv1.1", "TLSv1.2") .putList(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_CIPHERS, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256") .putList(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS, "TLSv1.1", "TLSv1.2") @@ -532,11 +532,11 @@ public void testHTTPClientCert() throws Exception { rh.enableHTTPClientSSL = true; rh.trustHTTPServerCertificate = true; rh.sendAdminCertificate = true; - rh.keystore = "spock-keystore.jks"; + rh.keystore = "spock-keystore"; assertThat(rh.executeGetRequest("_search").getStatusCode(), is(HttpStatus.SC_OK)); assertThat(rh.executePutRequest(".opendistro_security/_doc/x", "{}").getStatusCode(), is(HttpStatus.SC_FORBIDDEN)); - rh.keystore = "kirk-keystore.jks"; + rh.keystore = "kirk-keystore"; assertThat(rh.executePutRequest(".opendistro_security/_doc/y", "{}").getStatusCode(), is(HttpStatus.SC_CREATED)); assertThat(rh.executeGetRequest("_opendistro/_security/authinfo").getStatusCode(), is(HttpStatus.SC_OK)); } 
@@ -547,8 +547,8 @@ public void testHTTPPlaintextErrMsg() throws Exception { try { final Settings settings = Settings.builder() - .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks")) - .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks")) + .put("plugins.security.ssl.http.keystore_filepath", FileHelper.resolveStore("node-0-keystore").path()) + .put("plugins.security.ssl.http.truststore_filepath", FileHelper.resolveStore("truststore").path()) .put("plugins.security.ssl.http.enabled", true) .build(); setup(settings); diff --git a/src/test/java/org/opensearch/security/InitializationIntegrationTests.java b/src/test/java/org/opensearch/security/InitializationIntegrationTests.java index 306833ad61..2d533d6f55 100644 --- a/src/test/java/org/opensearch/security/InitializationIntegrationTests.java +++ b/src/test/java/org/opensearch/security/InitializationIntegrationTests.java @@ -72,8 +72,8 @@ public void testEnsureInitViaRestDoesWork() throws Exception { final Settings settings = Settings.builder() .put(SSLConfigConstants.SECURITY_SSL_HTTP_CLIENTAUTH_MODE, "REQUIRE") .put("plugins.security.ssl.http.enabled", true) - .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks")) - .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks")) + .put("plugins.security.ssl.http.keystore_filepath", FileHelper.resolveStore("node-0-keystore").path()) + .put("plugins.security.ssl.http.truststore_filepath", FileHelper.resolveStore("truststore").path()) .build(); setup(Settings.EMPTY, null, settings, false); final RestHelper rh = restHelper(); // ssl resthelper 
@@ -90,7 +90,7 @@ public void testEnsureInitViaRestDoesWork() throws Exception { is(rh.executePutRequest(".opendistro_security/_doc/config", "{}", encodeBasicHeader("___", "")).getStatusCode()) ); - rh.keystore = "kirk-keystore.jks"; + rh.keystore = "kirk-keystore"; assertThat( HttpStatus.SC_CREATED, is(rh.executePutRequest(".opendistro_security/_doc/config", "{}", encodeBasicHeader("___", "")).getStatusCode()) @@ -130,8 +130,8 @@ public void testInitWithInjectedUser() throws Exception { public void testWhoAmI() throws Exception { final Settings settings = Settings.builder() .put("plugins.security.ssl.http.enabled", true) - .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks")) - .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks")) + .put("plugins.security.ssl.http.keystore_filepath", FileHelper.resolveStore("node-0-keystore").path()) + .put("plugins.security.ssl.http.truststore_filepath", FileHelper.resolveStore("truststore").path()) .build(); setup( Settings.EMPTY, @@ -140,7 +140,7 @@ public void testWhoAmI() throws Exception { true ); - try (RestHighLevelClient restHighLevelClient = getRestClient(clusterInfo, "spock-keystore.jks", "truststore.jks")) { + try (RestHighLevelClient restHighLevelClient = getRestClient(clusterInfo, "spock-keystore", "truststore")) { Response whoAmIRes = restHighLevelClient.getLowLevelClient().performRequest(new Request("GET", "/_plugins/_security/whoami")); assertThat(200, is(whoAmIRes.getStatusLine().getStatusCode())); // Should be using HTTP/2 by default 
@@ -157,8 +157,8 @@ public void testWhoAmI() throws Exception {
 public void testWhoAmIForceHttp1() throws Exception {
 final Settings settings = Settings.builder()
 .put("plugins.security.ssl.http.enabled", true)
- .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks"))
- .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks"))
+ .put("plugins.security.ssl.http.keystore_filepath", FileHelper.resolveStore("node-0-keystore").path())
+ .put("plugins.security.ssl.http.truststore_filepath", FileHelper.resolveStore("truststore").path())
 .build();
 setup(
 Settings.EMPTY,
@@ -170,8 +170,8 @@ public void testWhoAmIForceHttp1() throws Exception {
 try (
 RestHighLevelClient restHighLevelClient = getRestClient(
 clusterInfo,
- "spock-keystore.jks",
- "truststore.jks",
+ "spock-keystore",
+ "truststore",
 HttpVersionPolicy.FORCE_HTTP_1
 )
 ) {
diff --git a/src/test/java/org/opensearch/security/IntegrationTests.java b/src/test/java/org/opensearch/security/IntegrationTests.java
index df7eff7090..e53fd613eb 100644
--- a/src/test/java/org/opensearch/security/IntegrationTests.java
+++ b/src/test/java/org/opensearch/security/IntegrationTests.java
@@ -308,13 +308,11 @@ public String toString() {
 @Test
 public void testDNSpecials() throws Exception {
+ var ksPathSpec5 = FileHelper.resolveStore("node-untspec5-keystore");
 final Settings settings = Settings.builder()
- .put(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("node-untspec5-keystore.p12")
- )
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, ksPathSpec5.path())
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "1")
- .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE, "PKCS12")
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE, ksPathSpec5.type())
 .putList(
 ConfigConstants.SECURITY_NODES_DN,
 "EMAILADDRESS=unt@tst.com,CN=node-untspec5.example.com,OU=SSL,O=Te\\, st,L=Test,C=DE"
@@ -326,12 +324,10 @@ public void testDNSpecials() throws Exception {
 .put(ConfigConstants.SECURITY_CERT_OID, "1.2.3.4.5.6")
 .build();
+ var ksPathSpec6a = FileHelper.resolveStore("node-untspec6-keystore");
 Settings tcSettings = Settings.builder()
- .put(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("node-untspec6-keystore.p12")
- )
- .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE, "PKCS12")
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, ksPathSpec6a.path())
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE, ksPathSpec6a.type())
 .build();
 setup(tcSettings, new DynamicSecurityConfig(), settings, true);
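Review bot: Replacing the literal `"PKCS12"` with `ksPathSpec5.type()` means testDNSpecials no longer pins the keystore format it exercises; it now loads whatever format `resolveStore` happens to find for `node-untspec5-keystore`, and the DN-with-specials coverage for PKCS12 specifically becomes implicit. If the intent is "use whatever store the build ships", a short comment on the `var ksPathSpec5` line saying so would help, e.g. `// format follows the resource FileHelper.resolveStore() finds; not pinned to PKCS12 any more`; if PKCS12 is what the test is meant to verify, an explicit assertion on `ksPathSpec5.type()` before `setup(...)` would keep that guarantee. The second hunk of this section (`ksPathSpec6a`) and both hunks of testDNSpecials1 below have the same change. testDNSpecials continues past the end of the first hunk.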
@@ -345,13 +341,11 @@ public void testDNSpecials() throws Exception {
 @Test
 public void testDNSpecials1() throws Exception {
+ var ksPathSpec5b = FileHelper.resolveStore("node-untspec5-keystore");
 final Settings settings = Settings.builder()
- .put(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("node-untspec5-keystore.p12")
- )
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, ksPathSpec5b.path())
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "1")
- .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE, "PKCS12")
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE, ksPathSpec5b.type())
 .putList("plugins.security.nodes_dn", "EMAILADDRESS=unt@tst.com,CN=node-untspec5.example.com,OU=SSL,O=Te\\, st,L=Test,C=DE")
 .putList(
 "plugins.security.authcz.admin_dn",
@@ -360,12 +354,10 @@ public void testDNSpecials1() throws Exception {
 .put("plugins.security.cert.oid", "1.2.3.4.5.6")
 .build();
+ var ksPathSpec6b = FileHelper.resolveStore("node-untspec6-keystore");
 Settings tcSettings = Settings.builder()
- .put(
- "plugins.security.ssl.transport.keystore_filepath",
- FileHelper.getAbsoluteFilePathFromClassPath("node-untspec6-keystore.p12")
- )
- .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE, "PKCS12")
+ .put("plugins.security.ssl.transport.keystore_filepath", ksPathSpec6b.path())
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE, ksPathSpec6b.type())
 .build();
 setup(tcSettings, new DynamicSecurityConfig(), settings, true);
diff --git a/src/test/java/org/opensearch/security/SecurityAdminIEndpointsTests.java b/src/test/java/org/opensearch/security/SecurityAdminIEndpointsTests.java
index dc47c90949..97f9372693 100644
--- a/src/test/java/org/opensearch/security/SecurityAdminIEndpointsTests.java
+++ b/src/test/java/org/opensearch/security/SecurityAdminIEndpointsTests.java
@@ -52,8 +52,8 @@ public void testNoSSL() throws Exception {
 public void testEndpoints() throws Exception {
 final Settings settings = Settings.builder()
 .put("plugins.security.ssl.http.enabled", true)
- .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks"))
- .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks"))
+ .put("plugins.security.ssl.http.keystore_filepath", FileHelper.resolveStore("node-0-keystore").path())
+ .put("plugins.security.ssl.http.truststore_filepath", FileHelper.resolveStore("truststore").path())
 .putList("plugins.security.nodes_dn", "CN=node-*.example.com,OU=SSL,O=Test,L=Test,C=DE")
 .build();
 setup(settings);
@@ -107,7 +107,7 @@ public void testEndpoints() throws Exception {
 )
 );
- rh.keystore = "spock-keystore.jks";
+ rh.keystore = "spock-keystore";
 assertThat((res = rh.executeGetRequest("_plugins/_security/whoami")).getStatusCode(), is(HttpStatus.SC_OK));
@@ -131,7 +131,7 @@ public void testEndpoints() throws Exception {
 )
 );
- rh.keystore = "kirk-keystore.jks";
+ rh.keystore = "kirk-keystore";
 assertThat((res = rh.executeGetRequest("_plugins/_security/whoami")).getStatusCode(), is(HttpStatus.SC_OK));
diff --git a/src/test/java/org/opensearch/security/SecurityAdminInvalidConfigsTests.java b/src/test/java/org/opensearch/security/SecurityAdminInvalidConfigsTests.java
index 90af959830..f4d12c12da 100644
--- a/src/test/java/org/opensearch/security/SecurityAdminInvalidConfigsTests.java
+++ b/src/test/java/org/opensearch/security/SecurityAdminInvalidConfigsTests.java
@@ -49,8 +49,8 @@ public class SecurityAdminInvalidConfigsTests extends SingleClusterTest {
 public void testSecurityAdminDuplicateKey() throws Exception {
 final Settings settings = Settings.builder()
 .put("plugins.security.ssl.http.enabled", true)
- .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks"))
- .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks"))
+ .put("plugins.security.ssl.http.keystore_filepath", FileHelper.resolveStore("node-0-keystore").path())
+ .put("plugins.security.ssl.http.truststore_filepath", FileHelper.resolveStore("truststore").path())
 .build();
 setup(settings);
@@ -58,9 +58,9 @@ public void testSecurityAdminDuplicateKey() throws Exception {
 List argsAsList = new ArrayList<>();
 argsAsList.add("-ts");
- argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "truststore.jks").toFile().getAbsolutePath());
+ argsAsList.add(FileHelper.resolveStore(prefix + "truststore").path().toFile().getAbsolutePath());
 argsAsList.add("-ks");
- argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "kirk-keystore.jks").toFile().getAbsolutePath());
+ argsAsList.add(FileHelper.resolveStore(prefix + "kirk-keystore").path().toFile().getAbsolutePath());
 argsAsList.add("-p");
 argsAsList.add(String.valueOf(clusterInfo.httpPort));
 argsAsList.add("-cn");
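Review bot: The securityadmin `-ts`/`-ks` arguments in the second hunk are now built from `FileHelper.resolveStore(prefix + "truststore").path()`, but no `-tst`/`-kst` store-type argument is passed alongside them, so the tool is left to infer the store format from the resolved file. That is fine as long as `resolveStore` yields a format securityadmin recognises by default, but since the base name carries no extension the test no longer makes that dependency visible; a comment on the first `-ts` line such as `// store type not passed: securityadmin must infer it from the resolved file` would record the assumption. The same argument construction is repeated in every `argsAsList` hunk of SecurityAdminInvalidConfigsTests and SecurityAdminTests below. testSecurityAdminDuplicateKey continues past the end of the hunk.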
@@ -90,9 +90,9 @@ public void testSecurityAdminDuplicateKeyReload() throws Exception {
 List argsAsList = new ArrayList<>();
 argsAsList.add("-ts");
- argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "truststore.jks").toFile().getAbsolutePath());
+ argsAsList.add(FileHelper.resolveStore(prefix + "truststore").path().toFile().getAbsolutePath());
 argsAsList.add("-ks");
- argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "kirk-keystore.jks").toFile().getAbsolutePath());
+ argsAsList.add(FileHelper.resolveStore(prefix + "kirk-keystore").path().toFile().getAbsolutePath());
 argsAsList.add("-p");
 argsAsList.add(String.valueOf(clusterInfo.httpPort));
 argsAsList.add("-cn");
@@ -117,8 +117,8 @@ public void testSecurityAdminDuplicateKeyReload() throws Exception {
 public void testSecurityAdminDuplicateKeySingleFile() throws Exception {
 final Settings settings = Settings.builder()
 .put("plugins.security.ssl.http.enabled", true)
- .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks"))
- .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks"))
+ .put("plugins.security.ssl.http.keystore_filepath", FileHelper.resolveStore("node-0-keystore").path())
+ .put("plugins.security.ssl.http.truststore_filepath", FileHelper.resolveStore("truststore").path())
 .build();
 setup(settings);
@@ -126,9 +126,9 @@ public void testSecurityAdminDuplicateKeySingleFile() throws Exception {
 List argsAsList = new ArrayList<>();
 argsAsList.add("-ts");
- argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "truststore.jks").toFile().getAbsolutePath());
+ argsAsList.add(FileHelper.resolveStore(prefix + "truststore").path().toFile().getAbsolutePath());
 argsAsList.add("-ks");
- argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "kirk-keystore.jks").toFile().getAbsolutePath());
+ argsAsList.add(FileHelper.resolveStore(prefix + "kirk-keystore").path().toFile().getAbsolutePath());
 argsAsList.add("-p");
 argsAsList.add(String.valueOf(clusterInfo.httpPort));
 argsAsList.add("-cn");
@@ -160,9 +160,9 @@ public void testSecurityAdminDuplicateKeyReloadSingleFile() throws Exception {
 List argsAsList = new ArrayList<>();
 argsAsList.add("-ts");
- argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "truststore.jks").toFile().getAbsolutePath());
+ argsAsList.add(FileHelper.resolveStore(prefix + "truststore").path().toFile().getAbsolutePath());
 argsAsList.add("-ks");
- argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "kirk-keystore.jks").toFile().getAbsolutePath());
+ argsAsList.add(FileHelper.resolveStore(prefix + "kirk-keystore").path().toFile().getAbsolutePath());
 argsAsList.add("-p");
 argsAsList.add(String.valueOf(clusterInfo.httpPort));
 argsAsList.add("-cn");
diff --git a/src/test/java/org/opensearch/security/SecurityAdminTests.java b/src/test/java/org/opensearch/security/SecurityAdminTests.java
index 45c5c0e2a1..442ec16ddd 100644
--- a/src/test/java/org/opensearch/security/SecurityAdminTests.java
+++ b/src/test/java/org/opensearch/security/SecurityAdminTests.java
@@ -23,7 +23,6 @@
 import java.io.PrintStream;
 import java.util.ArrayList;
 import java.util.List;
-import java.util.Objects;
 import org.apache.http.HttpStatus;
 import org.junit.Assert;
@@ -50,8 +49,8 @@ public class SecurityAdminTests extends SingleClusterTest {
 public void testSecurityAdmin() throws Exception {
 final Settings settings = Settings.builder()
 .put("plugins.security.ssl.http.enabled", true)
- .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks"))
- .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks"))
+ .put("plugins.security.ssl.http.keystore_filepath", FileHelper.resolveStore("node-0-keystore").path())
+ .put("plugins.security.ssl.http.truststore_filepath", FileHelper.resolveStore("truststore").path())
 .build();
 setup(Settings.EMPTY, null, settings, false);
@@ -59,13 +58,9 @@ public void testSecurityAdmin() throws Exception {
 List argsAsList = new ArrayList<>();
 argsAsList.add("-ts");
- argsAsList.add(
- Objects.requireNonNull(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "truststore.jks")).toFile().getAbsolutePath()
- );
+ argsAsList.add(FileHelper.resolveStore(prefix + "truststore").path().toFile().getAbsolutePath());
 argsAsList.add("-ks");
- argsAsList.add(
- Objects.requireNonNull(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "kirk-keystore.jks")).toFile().getAbsolutePath()
- );
+ argsAsList.add(FileHelper.resolveStore(prefix + "kirk-keystore").path().toFile().getAbsolutePath());
 argsAsList.add("-p");
 argsAsList.add(String.valueOf(clusterInfo.httpPort));
 argsAsList.add("-cn");
@@ -99,17 +94,11 @@ public void testSecurityAdminHostnameVerificationEnforced() throws Exception {
 List argsAsList = new ArrayList<>();
 argsAsList.add("-cacert");
- argsAsList.add(
- Objects.requireNonNull(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "root-ca.pem")).toFile().getAbsolutePath()
- );
+ argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "root-ca.pem").toFile().getAbsolutePath());
 argsAsList.add("-cert");
- argsAsList.add(
- Objects.requireNonNull(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "kirk.crt.pem")).toFile().getAbsolutePath()
- );
+ argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "kirk.crt.pem").toFile().getAbsolutePath());
 argsAsList.add("-key");
- argsAsList.add(
- Objects.requireNonNull(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "kirk.key.pem")).toFile().getAbsolutePath()
- );
+ argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "kirk.key.pem").toFile().getAbsolutePath());
 argsAsList.add("-p");
 argsAsList.add(String.valueOf(clusterInfo.httpPort));
 argsAsList.add("-icl");
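Review bot: Dropping `Objects.requireNonNull(...)` around `FileHelper.getAbsoluteFilePathFromClassPath(prefix + "root-ca.pem")` (and the `kirk.crt.pem` / `kirk.key.pem` lines) is a behaviour-neutral simplification only if that helper never returns null for a missing resource; if it can, a missing PEM now fails at `.toFile()` with an NPE that names the call chain rather than the resource, which is a little harder to read in a CI log. It is inferred from the removed lines, not visible here, that the helper is nullable; if so, a helper that throws with the resource name (or a `requireNonNull` with a message) would keep the diagnostics. The same removal appears in testSecurityAdminHostnameVerificationNotEnforced and the `roles_invalidxcontent.yml` line of testSecurityAdminInvalidYml. testSecurityAdminHostnameVerificationEnforced starts before the hunk and continues after it.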
@@ -142,17 +131,11 @@ public void testSecurityAdminHostnameVerificationNotEnforced() throws Exception
 List argsAsList = new ArrayList<>();
 argsAsList.add("-cacert");
- argsAsList.add(
- Objects.requireNonNull(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "root-ca.pem")).toFile().getAbsolutePath()
- );
+ argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "root-ca.pem").toFile().getAbsolutePath());
 argsAsList.add("-cert");
- argsAsList.add(
- Objects.requireNonNull(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "kirk.crt.pem")).toFile().getAbsolutePath()
- );
+ argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "kirk.crt.pem").toFile().getAbsolutePath());
 argsAsList.add("-key");
- argsAsList.add(
- Objects.requireNonNull(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "kirk.key.pem")).toFile().getAbsolutePath()
- );
+ argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "kirk.key.pem").toFile().getAbsolutePath());
 argsAsList.add("-p");
 argsAsList.add(String.valueOf(clusterInfo.httpPort));
 argsAsList.add("-icl");
@@ -167,8 +150,8 @@ public void testSecurityAdminHostnameVerificationNotEnforced() throws Exception
 public void testSecurityAdminInvalidCert() throws Exception {
 final Settings settings = Settings.builder()
 .put("plugins.security.ssl.http.enabled", true)
- .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks"))
- .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks"))
+ .put("plugins.security.ssl.http.keystore_filepath", FileHelper.resolveStore("node-0-keystore").path())
+ .put("plugins.security.ssl.http.truststore_filepath", FileHelper.resolveStore("truststore").path())
 .build();
 setup(Settings.EMPTY, null, settings, false);
@@ -176,13 +159,9 @@ public void testSecurityAdminInvalidCert() throws Exception {
 List argsAsList = new ArrayList<>();
 argsAsList.add("-ts");
- argsAsList.add(
- Objects.requireNonNull(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "truststore.jks")).toFile().getAbsolutePath()
- );
+ argsAsList.add(FileHelper.resolveStore(prefix + "truststore").path().toFile().getAbsolutePath());
 argsAsList.add("-ks");
- argsAsList.add(
- Objects.requireNonNull(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "kirk-keystore.jks")).toFile().getAbsolutePath()
- );
+ argsAsList.add(FileHelper.resolveStore(prefix + "kirk-keystore").path().toFile().getAbsolutePath());
 argsAsList.add("-p");
 argsAsList.add(String.valueOf(clusterInfo.httpPort));
 argsAsList.add("-cn");
@@ -199,13 +178,9 @@ public void testSecurityAdminInvalidCert() throws Exception {
 argsAsList = new ArrayList<>();
 argsAsList.add("-ts");
- argsAsList.add(
- Objects.requireNonNull(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "truststore.jks")).toFile().getAbsolutePath()
- );
+ argsAsList.add(FileHelper.resolveStore(prefix + "truststore").path().toFile().getAbsolutePath());
 argsAsList.add("-ks");
- argsAsList.add(
- Objects.requireNonNull(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "spock-keystore.jks")).toFile().getAbsolutePath()
- );
+ argsAsList.add(FileHelper.resolveStore(prefix + "spock-keystore").path().toFile().getAbsolutePath());
 argsAsList.add("-p");
 argsAsList.add(String.valueOf(clusterInfo.httpPort));
 argsAsList.add("-cn");
@@ -221,13 +196,9 @@ public void testSecurityAdminInvalidCert() throws Exception {
 argsAsList = new ArrayList<>();
 argsAsList.add("-ts");
- argsAsList.add(
- Objects.requireNonNull(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "truststore.jks")).toFile().getAbsolutePath()
- );
+ argsAsList.add(FileHelper.resolveStore(prefix + "truststore").path().toFile().getAbsolutePath());
 argsAsList.add("-ks");
- argsAsList.add(
- Objects.requireNonNull(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "node-0-keystore.jks")).toFile().getAbsolutePath()
- );
+ argsAsList.add(FileHelper.resolveStore(prefix + "node-0-keystore").path().toFile().getAbsolutePath());
 argsAsList.add("-p");
 argsAsList.add(String.valueOf(clusterInfo.httpPort));
 argsAsList.add("-cn");
@@ -245,8 +216,8 @@ public void testSecurityAdminInvalidCert() throws Exception {
 public void testSecurityAdminRegularUpdate() throws Exception {
 final Settings settings = Settings.builder()
 .put("plugins.security.ssl.http.enabled", true)
- .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks"))
- .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks"))
+ .put("plugins.security.ssl.http.keystore_filepath", FileHelper.resolveStore("node-0-keystore").path())
+ .put("plugins.security.ssl.http.truststore_filepath", FileHelper.resolveStore("truststore").path())
 .build();
 setup(Settings.EMPTY, null, settings, true);
@@ -254,13 +225,9 @@ public void testSecurityAdminRegularUpdate() throws Exception {
 List argsAsList = new ArrayList<>();
 argsAsList.add("-ts");
- argsAsList.add(
- Objects.requireNonNull(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "truststore.jks")).toFile().getAbsolutePath()
- );
+ argsAsList.add(FileHelper.resolveStore(prefix + "truststore").path().toFile().getAbsolutePath());
 argsAsList.add("-ks");
- argsAsList.add(
- Objects.requireNonNull(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "kirk-keystore.jks")).toFile().getAbsolutePath()
- );
+ argsAsList.add(FileHelper.resolveStore(prefix + "kirk-keystore").path().toFile().getAbsolutePath());
 argsAsList.add("-p");
 argsAsList.add(String.valueOf(clusterInfo.httpPort));
 argsAsList.add("-cn");
@@ -284,8 +251,8 @@ public void testSecurityAdminRegularUpdate() throws Exception {
 public void testSecurityAdminSingularV7Updates() throws Exception {
 final Settings settings = Settings.builder()
 .put("plugins.security.ssl.http.enabled", true)
- .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks"))
- .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks"))
+ .put("plugins.security.ssl.http.keystore_filepath", FileHelper.resolveStore("node-0-keystore").path())
+ .put("plugins.security.ssl.http.truststore_filepath", FileHelper.resolveStore("truststore").path())
 .build();
 setup(Settings.EMPTY, new DynamicSecurityConfig(), settings, true);
@@ -293,13 +260,9 @@ public void testSecurityAdminSingularV7Updates() throws Exception {
 List argsAsList = new ArrayList<>();
 argsAsList.add("-ts");
- argsAsList.add(
- Objects.requireNonNull(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "truststore.jks")).toFile().getAbsolutePath()
- );
+ argsAsList.add(FileHelper.resolveStore(prefix + "truststore").path().toFile().getAbsolutePath());
 argsAsList.add("-ks");
- argsAsList.add(
- Objects.requireNonNull(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "kirk-keystore.jks")).toFile().getAbsolutePath()
- );
+ argsAsList.add(FileHelper.resolveStore(prefix + "kirk-keystore").path().toFile().getAbsolutePath());
 argsAsList.add("-p");
 argsAsList.add(String.valueOf(clusterInfo.httpPort));
 argsAsList.add("-cn");
@@ -315,13 +278,9 @@ public void testSecurityAdminSingularV7Updates() throws Exception {
 argsAsList = new ArrayList<>();
 argsAsList.add("-ts");
- argsAsList.add(
- Objects.requireNonNull(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "truststore.jks")).toFile().getAbsolutePath()
- );
+ argsAsList.add(FileHelper.resolveStore(prefix + "truststore").path().toFile().getAbsolutePath());
 argsAsList.add("-ks");
- argsAsList.add(
- Objects.requireNonNull(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "kirk-keystore.jks")).toFile().getAbsolutePath()
- );
+ argsAsList.add(FileHelper.resolveStore(prefix + "kirk-keystore").path().toFile().getAbsolutePath());
 argsAsList.add("-p");
 argsAsList.add(String.valueOf(clusterInfo.httpPort));
 argsAsList.add("-cn");
@@ -337,13 +296,9 @@ public void testSecurityAdminSingularV7Updates() throws Exception {
 argsAsList = new ArrayList<>();
 argsAsList.add("-ts");
- argsAsList.add(
- Objects.requireNonNull(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "truststore.jks")).toFile().getAbsolutePath()
- );
+ argsAsList.add(FileHelper.resolveStore(prefix + "truststore").path().toFile().getAbsolutePath());
 argsAsList.add("-ks");
- argsAsList.add(
- Objects.requireNonNull(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "kirk-keystore.jks")).toFile().getAbsolutePath()
- );
+ argsAsList.add(FileHelper.resolveStore(prefix + "kirk-keystore").path().toFile().getAbsolutePath());
 argsAsList.add("-p");
 argsAsList.add(String.valueOf(clusterInfo.httpPort));
 argsAsList.add("-cn");
@@ -370,8 +325,8 @@ public void testSecurityAdminSingularV7Updates() throws Exception {
 public void testSecurityAdminInvalidYml() throws Exception {
 final Settings settings = Settings.builder()
 .put("plugins.security.ssl.http.enabled", true)
- .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks"))
- .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks"))
+ .put("plugins.security.ssl.http.keystore_filepath", FileHelper.resolveStore("node-0-keystore").path())
+ .put("plugins.security.ssl.http.truststore_filepath", FileHelper.resolveStore("truststore").path())
 .build();
 setup(Settings.EMPTY, new DynamicSecurityConfig(), settings, true);
@@ -379,23 +334,15 @@ public void testSecurityAdminInvalidYml() throws Exception {
 List argsAsList = new ArrayList<>();
 argsAsList.add("-ts");
- argsAsList.add(
- Objects.requireNonNull(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "truststore.jks")).toFile().getAbsolutePath()
- );
+ argsAsList.add(FileHelper.resolveStore(prefix + "truststore").path().toFile().getAbsolutePath());
 argsAsList.add("-ks");
- argsAsList.add(
- Objects.requireNonNull(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "kirk-keystore.jks")).toFile().getAbsolutePath()
- );
+ argsAsList.add(FileHelper.resolveStore(prefix + "kirk-keystore").path().toFile().getAbsolutePath());
 argsAsList.add("-p");
 argsAsList.add(String.valueOf(clusterInfo.httpPort));
 argsAsList.add("-cn");
 argsAsList.add(clusterInfo.clustername);
 argsAsList.add("-f");
- argsAsList.add(
- Objects.requireNonNull(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "roles_invalidxcontent.yml"))
- .toFile()
- .getAbsolutePath()
- );
+ argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "roles_invalidxcontent.yml").toFile().getAbsolutePath());
 argsAsList.add("-t");
 argsAsList.add("roles");
 argsAsList.add("-nhnv");
@@ -417,8 +364,8 @@ public void testSecurityAdminReloadInvalidConfig() throws Exception {
 final Settings settings = Settings.builder()
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_CLIENTAUTH_MODE, "REQUIRE")
 .put("plugins.security.ssl.http.enabled", true)
- .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks"))
- .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks"))
+ .put("plugins.security.ssl.http.keystore_filepath", FileHelper.resolveStore("node-0-keystore").path())
+ .put("plugins.security.ssl.http.truststore_filepath", FileHelper.resolveStore("truststore").path())
 .build();
 setup(Settings.EMPTY, new DynamicSecurityConfig(), settings, true);
 final RestHelper rh = restHelper(); // ssl resthelper
@@ -426,7 +373,7 @@ public void testSecurityAdminReloadInvalidConfig() throws Exception {
 rh.enableHTTPClientSSL = true;
 rh.trustHTTPServerCertificate = true;
 rh.sendAdminCertificate = true;
- rh.keystore = "kirk-keystore.jks";
+ rh.keystore = "kirk-keystore";
 rh.executePutRequest(".opendistro_security/_doc/roles", FileHelper.loadFile("roles_invalidxcontent.yml"));
 assertThat(HttpStatus.SC_OK, is(rh.executePutRequest(".opendistro_security/_doc/roles", "{\"roles\":\"dummy\"}").getStatusCode()));
@@ -435,13 +382,9 @@ public void testSecurityAdminReloadInvalidConfig() throws Exception {
 List argsAsList = new ArrayList<>();
 argsAsList.add("-ts");
- argsAsList.add(
- Objects.requireNonNull(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "truststore.jks")).toFile().getAbsolutePath()
- );
+ argsAsList.add(FileHelper.resolveStore(prefix + "truststore").path().toFile().getAbsolutePath());
 argsAsList.add("-ks");
- argsAsList.add(
- Objects.requireNonNull(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "kirk-keystore.jks")).toFile().getAbsolutePath()
- );
+ argsAsList.add(FileHelper.resolveStore(prefix + "kirk-keystore").path().toFile().getAbsolutePath());
 argsAsList.add("-p");
 argsAsList.add(String.valueOf(clusterInfo.httpPort));
 argsAsList.add("-cn");
@@ -534,8 +477,8 @@ public void testSecurityAdminValidateConfig() throws Exception {
 public void testIsLegacySecurityIndexOnV7Index() throws Exception {
 final Settings settings = Settings.builder()
 .put("plugins.security.ssl.http.enabled", true)
- .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks"))
- .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks"))
+ .put("plugins.security.ssl.http.keystore_filepath", FileHelper.resolveStore("node-0-keystore").path())
+ .put("plugins.security.ssl.http.truststore_filepath", FileHelper.resolveStore("truststore").path())
 .build();
 setup(Settings.EMPTY, null, settings, false);
@@ -543,13 +486,9 @@ public void testIsLegacySecurityIndexOnV7Index() throws Exception {
 List argsAsList = new ArrayList<>();
 argsAsList.add("-ts");
- argsAsList.add(
- Objects.requireNonNull(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "truststore.jks")).toFile().getAbsolutePath()
- );
+ argsAsList.add(FileHelper.resolveStore(prefix + "truststore").path().toFile().getAbsolutePath());
 argsAsList.add("-ks");
- argsAsList.add(
- Objects.requireNonNull(FileHelper.getAbsoluteFilePathFromClassPath(prefix + "kirk-keystore.jks")).toFile().getAbsolutePath()
- );
+ argsAsList.add(FileHelper.resolveStore(prefix + "kirk-keystore").path().toFile().getAbsolutePath());
 argsAsList.add("-p");
 argsAsList.add(String.valueOf(clusterInfo.httpPort));
 argsAsList.add("-cn");
diff --git a/src/test/java/org/opensearch/security/SlowIntegrationTests.java b/src/test/java/org/opensearch/security/SlowIntegrationTests.java
index 74e3bfa9e4..8e68a80293 100644
--- a/src/test/java/org/opensearch/security/SlowIntegrationTests.java
+++ b/src/test/java/org/opensearch/security/SlowIntegrationTests.java
@@ -167,7 +167,7 @@ public void testNodeClientDisallowedWithNonServerCertificate() throws Exception
 .put("node.name", "transportclient")
 .put("discovery.initial_state_timeout", "8s")
 .putList("discovery.zen.ping.unicast.hosts", clusterInfo.nodeHost + ":" + clusterInfo.nodePort)
- .put("plugins.security.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("kirk-keystore.jks"))
+ .put("plugins.security.ssl.transport.keystore_filepath", FileHelper.resolveStore("kirk-keystore").path())
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "kirk")
 .build();
@@ -214,7 +214,7 @@ public void testNodeClientDisallowedWithNonServerCertificate2() throws Exception
 .put("node.name", "transportclient")
 .put("discovery.initial_state_timeout", "8s")
 .putList("discovery.zen.ping.unicast.hosts", clusterInfo.nodeHost + ":" + clusterInfo.nodePort)
- .put("plugins.security.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("spock-keystore.jks"))
+ .put("plugins.security.ssl.transport.keystore_filepath", FileHelper.resolveStore("spock-keystore").path())
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "spock")
 .build();
diff --git a/src/test/java/org/opensearch/security/auditlog/AbstractAuditlogUnitTest.java b/src/test/java/org/opensearch/security/auditlog/AbstractAuditlogUnitTest.java
index 549fbf76b2..5d699ccbd6 100644
--- a/src/test/java/org/opensearch/security/auditlog/AbstractAuditlogUnitTest.java
+++ b/src/test/java/org/opensearch/security/auditlog/AbstractAuditlogUnitTest.java
@@ -69,8 +69,8 @@ protected Settings defaultNodeSettings(Settings additionalSettings) {
 Settings.Builder builder = Settings.builder();
 builder.put("plugins.security.ssl.http.enabled", true)
- .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/node-0-keystore.jks"))
- .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks"));
+ .put("plugins.security.ssl.http.keystore_filepath", FileHelper.resolveStore("auditlog/node-0-keystore").path())
+ .put("plugins.security.ssl.http.truststore_filepath", FileHelper.resolveStore("auditlog/truststore").path());
 return builder.put(additionalSettings).build();
 }
@@ -79,7 +79,7 @@ protected void setupStarfleetIndex() {
 final boolean sendAdminCertificate = rh.sendAdminCertificate;
 final String keystore = rh.keystore;
 rh.sendAdminCertificate = true;
- rh.keystore = "auditlog/kirk-keystore.jks";
+ rh.keystore = "auditlog/kirk-keystore";
 rh.executePutRequest("sf", null);
 rh.executePutRequest("sf/public/0?refresh", "{\"number\" : \"NCC-1701-D\"}");
 rh.executePutRequest("sf/public/0?refresh", "{\"some\" : \"value\"}");
@@ -127,7 +127,7 @@ protected void updateAuditConfig(final String payload) {
 final boolean sendAdminCertificate = rh.sendAdminCertificate;
 final String keystore = rh.keystore;
 rh.sendAdminCertificate = true;
- rh.keystore = "auditlog/kirk-keystore.jks";
+ rh.keystore = "auditlog/kirk-keystore";
 rh.executePutRequest("_opendistro/_security/api/audit/config", payload);
 rh.sendAdminCertificate = sendAdminCertificate;
 rh.keystore = keystore;
diff --git a/src/test/java/org/opensearch/security/auditlog/AuditTestUtils.java b/src/test/java/org/opensearch/security/auditlog/AuditTestUtils.java
index e634627109..e9e5d352bd 100644
--- a/src/test/java/org/opensearch/security/auditlog/AuditTestUtils.java
+++ b/src/test/java/org/opensearch/security/auditlog/AuditTestUtils.java
@@ -39,7 +39,7 @@ public static void updateAuditConfig(final RestHelper rh, final String payload)
 final boolean sendAdminCertificate = rh.sendAdminCertificate;
 final String keystore = rh.keystore;
 rh.sendAdminCertificate = true;
- rh.keystore = "auditlog/kirk-keystore.jks";
+ rh.keystore = "auditlog/kirk-keystore";
 RestHelper.HttpResponse response = rh.executePutRequest("_opendistro/_security/api/audit/config", payload);
 assertThat(response.getStatusCode(), is(HttpStatus.SC_OK));
 rh.sendAdminCertificate = sendAdminCertificate;
diff --git a/src/test/java/org/opensearch/security/auditlog/compliance/ComplianceAuditlogTest.java b/src/test/java/org/opensearch/security/auditlog/compliance/ComplianceAuditlogTest.java
index c25b18cbb8..8d59031947 100644
--- a/src/test/java/org/opensearch/security/auditlog/compliance/ComplianceAuditlogTest.java +++ b/src/test/java/org/opensearch/security/auditlog/compliance/ComplianceAuditlogTest.java @@ -70,7 +70,7 @@ public void testSourceFilter() throws Exception { final boolean sendAdminCertificate = rh.sendAdminCertificate; final String keystore = rh.keystore; rh.sendAdminCertificate = true; - rh.keystore = "auditlog/kirk-keystore.jks"; + rh.keystore = "auditlog/kirk-keystore"; rh.executePutRequest("emp/_doc/0?refresh", "{\"Designation\" : \"CEO\", \"Gender\" : \"female\", \"Salary\" : 100}", new Header[0]); rh.executePutRequest("emp/_doc/1?refresh", "{\"Designation\" : \"IT\", \"Gender\" : \"male\", \"Salary\" : 200}", new Header[0]); rh.executePutRequest("emp/_doc/2?refresh", "{\"Designation\" : \"IT\", \"Gender\" : \"female\", \"Salary\" : 300}", new Header[0]); @@ -110,7 +110,7 @@ public void testComplianceEnable() throws Exception { setup(additionalSettings); rh.sendAdminCertificate = true; - rh.keystore = "auditlog/kirk-keystore.jks"; + rh.keystore = "auditlog/kirk-keystore"; // watch emp for write AuditConfig auditConfig = new AuditConfig( @@ -189,7 +189,7 @@ public void testSourceFilterMsearch() throws Exception { final boolean sendAdminCertificate = rh.sendAdminCertificate; final String keystore = rh.keystore; rh.sendAdminCertificate = true; - rh.keystore = "auditlog/kirk-keystore.jks"; + rh.keystore = "auditlog/kirk-keystore"; rh.executePutRequest("emp/_doc/0?refresh", "{\"Designation\" : \"CEO\", \"Gender\" : \"female\", \"Salary\" : 100}", new Header[0]); rh.executePutRequest("emp/_doc/1?refresh", "{\"Designation\" : \"IT\", \"Gender\" : \"male\", \"Salary\" : 200}", new Header[0]); rh.executePutRequest("emp/_doc/2?refresh", "{\"Designation\" : \"IT\", \"Gender\" : \"female\", \"Salary\" : 300}", new Header[0]); 
@@ -278,7 +278,7 @@ public void testInternalConfig() throws Exception { "audit" ); final List messages = TestAuditlogImpl.doThenWaitForMessages(() -> { - try (RestHighLevelClient restHighLevelClient = getRestClient(clusterInfo, "kirk-keystore.jks", "truststore.jks")) { + try (RestHighLevelClient restHighLevelClient = getRestClient(clusterInfo, "kirk-keystore", "truststore")) { for (IndexRequest ir : new DynamicSecurityConfig().setSecurityRoles("roles_2.yml").getDynamicConfig(getResourceFolder())) { restHighLevelClient.index(ir, RequestOptions.DEFAULT); GetResponse getDocumentResponse = restHighLevelClient.get(new GetRequest(ir.index(), ir.id()), RequestOptions.DEFAULT); @@ -459,7 +459,7 @@ public void testWriteLogDiffsEnabledAndLogRequestBodyDisabled() throws Exception setup(additionalSettings); rh.sendAdminCertificate = true; - rh.keystore = "auditlog/kirk-keystore.jks"; + rh.keystore = "auditlog/kirk-keystore"; // watch emp for write AuditConfig auditConfig = new AuditConfig( @@ -524,7 +524,7 @@ public void testDeleteLogDiffs() throws Exception { setup(additionalSettings); rh.sendAdminCertificate = true; - rh.keystore = "auditlog/kirk-keystore.jks"; + rh.keystore = "auditlog/kirk-keystore"; // Enable write diff logging for movies index AuditConfig auditConfig = new AuditConfig( diff --git a/src/test/java/org/opensearch/security/auditlog/compliance/RestApiComplianceAuditlogTest.java b/src/test/java/org/opensearch/security/auditlog/compliance/RestApiComplianceAuditlogTest.java index 9f9b4a3cef..386f92b24e 100644 --- a/src/test/java/org/opensearch/security/auditlog/compliance/RestApiComplianceAuditlogTest.java +++ b/src/test/java/org/opensearch/security/auditlog/compliance/RestApiComplianceAuditlogTest.java 
@@ -84,7 +84,7 @@ public void testRestApiRolesDisabled() throws Exception { rh.enableHTTPClientSSL = true; rh.trustHTTPServerCertificate = true; rh.sendAdminCertificate = true; - rh.keystore = "kirk-keystore.jks"; + rh.keystore = "kirk-keystore"; final AuditMessage message = TestAuditlogImpl.doThenWaitForMessage(() -> { HttpResponse response = rh.executePutRequest("_opendistro/_security/api/internalusers/compuser?pretty", body); @@ -113,7 +113,7 @@ public void testRestApiRolesDisabledGet() throws Exception { rh.enableHTTPClientSSL = true; rh.trustHTTPServerCertificate = true; rh.sendAdminCertificate = true; - rh.keystore = "kirk-keystore.jks"; + rh.keystore = "kirk-keystore"; final AuditMessage message = TestAuditlogImpl.doThenWaitForMessage(() -> { HttpResponse response = rh.executeGetRequest("_opendistro/_security/api/rolesmapping/opendistro_security_all_access?pretty"); assertThat(response.getStatusCode(), is(HttpStatus.SC_OK)); @@ -195,7 +195,7 @@ public void testRestInternalConfigRead() throws Exception { rh.enableHTTPClientSSL = true; rh.trustHTTPServerCertificate = true; rh.sendAdminCertificate = true; - rh.keystore = "kirk-keystore.jks"; + rh.keystore = "kirk-keystore"; final AuditMessage message = TestAuditlogImpl.doThenWaitForMessage(() -> { HttpResponse response = rh.executeGetRequest("_opendistro/_security/api/internalusers/admin?pretty"); @@ -219,7 +219,7 @@ public void testBCryptHashRedaction() throws Exception { .build(); setupAndReturnAuditMessages(settings); rh.sendAdminCertificate = true; - rh.keystore = "kirk-keystore.jks"; + rh.keystore = "kirk-keystore"; // read internal users and verify no BCrypt hash is present in audit logs final AuditMessage message1 = TestAuditlogImpl.doThenWaitForMessage(() -> { 
@@ -260,7 +260,7 @@ public void testPBKDF2HashRedaction() { final DynamicSecurityConfig securityConfig = new DynamicSecurityConfig().setSecurityInternalUsers("internal_users_pbkdf2.yml"); setupAndReturnAuditMessages(settings, securityConfig); rh.sendAdminCertificate = true; - rh.keystore = "kirk-keystore.jks"; + rh.keystore = "kirk-keystore"; // read internal users and verify no PBKDF2 hash is present in audit logs final AuditMessage message1 = TestAuditlogImpl.doThenWaitForMessage(() -> { @@ -391,7 +391,7 @@ public void testArgon2HashRedaction() { final DynamicSecurityConfig securityConfig = new DynamicSecurityConfig().setSecurityInternalUsers("internal_users_argon2.yml"); setupAndReturnAuditMessages(settings, securityConfig); rh.sendAdminCertificate = true; - rh.keystore = "kirk-keystore.jks"; + rh.keystore = "kirk-keystore"; // read internal users and verify no Argon2 hash is present in audit logs final AuditMessage message1 = TestAuditlogImpl.doThenWaitForMessage(() -> { diff --git a/src/test/java/org/opensearch/security/auditlog/integration/BasicAuditlogTest.java b/src/test/java/org/opensearch/security/auditlog/integration/BasicAuditlogTest.java index 750df2d78c..7a2e8c10c6 100644 --- a/src/test/java/org/opensearch/security/auditlog/integration/BasicAuditlogTest.java +++ b/src/test/java/org/opensearch/security/auditlog/integration/BasicAuditlogTest.java 
@@ -129,8 +129,8 @@ public void testSSLPlainText() throws Exception {
 Settings additionalSettings = Settings.builder()
 .put("plugins.security.ssl.http.enabled", true)
- .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/node-0-keystore.jks"))
- .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks"))
+ .put("plugins.security.ssl.http.keystore_filepath", FileHelper.resolveStore("auditlog/node-0-keystore").path())
+ .put("plugins.security.ssl.http.truststore_filepath", FileHelper.resolveStore("auditlog/truststore").path())
 .put("plugins.security.audit.type", TestAuditlogImpl.class.getName())
 .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE")
 .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE")
@@ -544,7 +544,7 @@ public void testIndexPattern() throws Exception {
 final boolean sendAdminCertificate = rh.sendAdminCertificate;
 final String keystore = rh.keystore;
 rh.sendAdminCertificate = true;
- rh.keystore = "auditlog/kirk-keystore.jks";
+ rh.keystore = "auditlog/kirk-keystore";
 HttpResponse res = rh.executeGetRequest("_cat/indices", new Header[0]);
 rh.sendAdminCertificate = sendAdminCertificate;
 rh.keystore = keystore;
diff --git a/src/test/java/org/opensearch/security/auditlog/sink/SinkProviderTLSTest.java b/src/test/java/org/opensearch/security/auditlog/sink/SinkProviderTLSTest.java
index b8ae9318d5..63d9da9a6c 100644
--- a/src/test/java/org/opensearch/security/auditlog/sink/SinkProviderTLSTest.java
+++ b/src/test/java/org/opensearch/security/auditlog/sink/SinkProviderTLSTest.java
@@ -128,14 +128,16 @@ public void testTlsConfigurationNoFallback() throws Exception {
 // for TLS support on our in-memory server
 private SSLContext createSSLContext() throws Exception {
 final TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
- final KeyStore trustStore = KeyStore.getInstance("JKS");
- InputStream trustStream = new FileInputStream(FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks").toFile());
+ var typedTrustStore = FileHelper.resolveStore("auditlog/truststore");
+ final KeyStore trustStore = KeyStore.getInstance(typedTrustStore.type());
+ InputStream trustStream = new FileInputStream(typedTrustStore.path().toFile());
 trustStore.load(trustStream, "changeit".toCharArray());
 tmf.init(trustStore);
 final KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
- final KeyStore keyStore = KeyStore.getInstance("JKS");
- InputStream keyStream = new FileInputStream(FileHelper.getAbsoluteFilePathFromClassPath("auditlog/node-0-keystore.jks").toFile());
+ var typedKeyStore = FileHelper.resolveStore("auditlog/node-0-keystore");
+ final KeyStore keyStore = KeyStore.getInstance(typedKeyStore.type());
+ InputStream keyStream = new FileInputStream(typedKeyStore.path().toFile());
 keyStore.load(keyStream, "changeit".toCharArray());
 kmf.init(keyStore, "changeit".toCharArray());
diff --git a/src/test/java/org/opensearch/security/auditlog/sink/WebhookAuditLogTest.java b/src/test/java/org/opensearch/security/auditlog/sink/WebhookAuditLogTest.java
index 5109769674..d35222d7a3 100644
--- a/src/test/java/org/opensearch/security/auditlog/sink/WebhookAuditLogTest.java
+++ b/src/test/java/org/opensearch/security/auditlog/sink/WebhookAuditLogTest.java
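Review bot: The `FileInputStream`s opened on the new `trustStream` and `keyStream` lines are never closed; `KeyStore.load` does not close its argument, so every `createSSLContext()` call leaks two file handles, and an exception thrown by `load` leaks them outright. Since these lines are being rewritten anyway, open each stream in a try-with-resources around its `load` call, as below. The new `var typedTrustStore` / `var typedKeyStore` also sit next to `final KeyStore` locals in the same method; declaring them `final var` keeps the method's existing style. The same pattern appears in WebhookAuditLogTest.createSSLContext, KeySetRetrieverTest, MockIpdServer and MockJwksServer further down. createSSLContext continues past the end of the hunk.
```java
private SSLContext createSSLContext() throws Exception {
    final TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    final var typedTrustStore = FileHelper.resolveStore("auditlog/truststore");
    final KeyStore trustStore = KeyStore.getInstance(typedTrustStore.type());
    try (InputStream trustStream = new FileInputStream(typedTrustStore.path().toFile())) {
        trustStore.load(trustStream, "changeit".toCharArray());
    }
    tmf.init(trustStore);
    final KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    final var typedKeyStore = FileHelper.resolveStore("auditlog/node-0-keystore");
    final KeyStore keyStore = KeyStore.getInstance(typedKeyStore.type());
    try (InputStream keyStream = new FileInputStream(typedKeyStore.path().toFile())) {
        keyStore.load(keyStream, "changeit".toCharArray());
    }
    kmf.init(keyStore, "changeit".toCharArray());
    // … unchanged: SSLContext construction and return (outside the hunk) …
```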
@@ -18,7 +18,6 @@
 import java.net.URLDecoder;
 import java.nio.charset.StandardCharsets;
 import java.security.KeyStore;
-import java.util.Objects;
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.TrustManagerFactory;
@@ -70,10 +69,7 @@ public void invalidConfFallbackTest() throws Exception {
 // provide no settings, fallback must be used
 Settings settings = Settings.builder()
 .put("path.home", ".")
- .put(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")
- )
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("auditlog/truststore").path())
 .build();
 LoggingSink fallback = new LoggingSink("test", Settings.EMPTY, null, null);
 MockWebhookAuditLog auditlog = new MockWebhookAuditLog(settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, fallback);
@@ -96,10 +92,7 @@ public void formatsTest() throws Exception {
 Settings settings = Settings.builder()
 .put("plugins.security.audit.config.webhook.url", url)
 .put("path.home", ".")
- .put(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")
- )
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("auditlog/truststore").path())
 .put("transport.ssl.enforce_hostname_verification", false)
 .build();
@@ -113,10 +106,7 @@ public void formatsTest() throws Exception { settings = Settings.builder() .put("plugins.security.audit.config.webhook.url", url) .put("plugins.security.audit.config.webhook.format", "idonotexist") - .put( - SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, - FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks") - ) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("auditlog/truststore").path()) .put("path.home", ".") .build(); auditlog = new MockWebhookAuditLog(settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null); @@ -130,10 +120,7 @@ public void formatsTest() throws Exception { settings = Settings.builder() .put("plugins.security.audit.config.webhook.url", url) .put("plugins.security.audit.config.webhook.format", "text") - .put( - SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, - FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks") - ) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("auditlog/truststore").path()) .put("path.home", ".") .build(); auditlog = new MockWebhookAuditLog(settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null); @@ -148,10 +135,7 @@ public void formatsTest() throws Exception { settings = Settings.builder() .put("plugins.security.audit.config.webhook.url", url) .put("plugins.security.audit.config.webhook.format", "json") - .put( - SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, - FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks") - ) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("auditlog/truststore").path()) .put("path.home", ".") .build(); auditlog = new MockWebhookAuditLog(settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null); 
@@ -166,10 +150,7 @@ public void formatsTest() throws Exception { settings = Settings.builder() .put("plugins.security.audit.config.webhook.url", url) .put("plugins.security.audit.config.webhook.format", "slack") - .put( - SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, - FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks") - ) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("auditlog/truststore").path()) .put("path.home", ".") .build(); auditlog = new MockWebhookAuditLog(settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null); @@ -189,10 +170,7 @@ public void invalidUrlTest() throws Exception { final Settings settings = Settings.builder() .put("plugins.security.audit.config.webhook.url", url) .put("plugins.security.audit.config.webhook.format", "slack") - .put( - SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, - FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks") - ) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("auditlog/truststore").path()) .put("path.home", ".") .build(); LoggingSink fallback = new LoggingSink("test", Settings.EMPTY, null, null); @@ -214,10 +192,7 @@ public void noServerRunningHttpTest() throws Exception { Settings settings = Settings.builder() .put("plugins.security.audit.config.webhook.url", url) .put("plugins.security.audit.config.webhook.format", "slack") - .put( - SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, - FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks") - ) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("auditlog/truststore").path()) .put("path.home", ".") .build(); 
@@ -252,10 +227,7 @@ public void postGetHttpTest() throws Exception { .put("plugins.security.audit.config.webhook.url", url) .put("plugins.security.audit.config.webhook.format", "slack") .put("path.home", ".") - .put( - SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, - FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks") - ) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("auditlog/truststore").path()) .build(); LoggingSink fallback = new LoggingSink("test", Settings.EMPTY, null, null); @@ -274,10 +246,7 @@ public void postGetHttpTest() throws Exception { settings = Settings.builder() .put("plugins.security.audit.config.webhook.url", url) .put("plugins.security.audit.config.webhook.format", "texT") - .put( - SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, - FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks") - ) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("auditlog/truststore").path()) .put("path.home", ".") .build(); @@ -293,10 +262,7 @@ public void postGetHttpTest() throws Exception { settings = Settings.builder() .put("plugins.security.audit.config.webhook.url", url) .put("plugins.security.audit.config.webhook.format", "JSon") - .put( - SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, - FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks") - ) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("auditlog/truststore").path()) .put("path.home", ".") .build(); 
@@ -313,10 +279,7 @@ public void postGetHttpTest() throws Exception { .put("plugins.security.audit.config.webhook.url", url) .put("plugins.security.audit.config.webhook.format", "URL_PARAMETER_POST") .put("path.home", ".") - .put( - SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, - FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks") - ) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("auditlog/truststore").path()) .build(); auditlog = new WebhookSink("name", settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); @@ -332,10 +295,7 @@ public void postGetHttpTest() throws Exception { .put("plugins.security.audit.config.webhook.url", url) .put("plugins.security.audit.config.webhook.format", "URL_PARAMETER_GET") .put("path.home", ".") - .put( - SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, - FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks") - ) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("auditlog/truststore").path()) .build(); auditlog = new WebhookSink("name", settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); @@ -366,10 +326,7 @@ public void httpsTestWithoutTLSServer() throws Exception { .put("plugins.security.audit.config.webhook.url", url) .put("plugins.security.audit.config.webhook.format", "slack") .put("path.home", ".") - .put( - SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, - FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks") - ) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("auditlog/truststore").path()) .build(); LoggingSink fallback = new LoggingSink("test", Settings.EMPTY, null, null); 
@@ -439,10 +396,7 @@ public void httpsTest() throws Exception { settings = Settings.builder() .put("plugins.security.audit.config.webhook.url", url) .put("plugins.security.audit.config.webhook.format", "jSoN") - .put( - SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, - FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks") - ) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("auditlog/truststore").path()) .put("plugins.security.audit.config.webhook.ssl.verify", true) .put("path.home", ".") .build(); @@ -458,10 +412,7 @@ public void httpsTest() throws Exception { settings = Settings.builder() .put("plugins.security.audit.config.webhook.url", url) .put("plugins.security.audit.config.webhook.format", "jSoN") - .put( - SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, - FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore_fail.jks") - ) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("auditlog/truststore_fail").path()) .put("plugins.security.audit.config.webhook.ssl.verify", true) .put("path.home", ".") .build(); @@ -515,10 +466,7 @@ public void httpsTestPemDefault() throws Exception { settings = Settings.builder() .put("plugins.security.audit.config.webhook.url", url) .put("plugins.security.audit.config.webhook.format", "jSoN") - .put( - SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, - FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks") - ) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("auditlog/truststore").path()) .put("plugins.security.audit.config.webhook.ssl.verify", true) .put("path.home", ".") .build(); 
@@ -535,10 +483,7 @@ public void httpsTestPemDefault() throws Exception { .put("plugins.security.audit.config.webhook.url", url) .put("plugins.security.audit.config.webhook.format", "jSoN") .put("plugins.security.audit.config.webhook.ssl.pemtrustedcas_filepath", "wrong") - .put( - SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, - FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore_fail.jks") - ) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("auditlog/truststore_fail").path()) .put("plugins.security.audit.config.webhook.ssl.verify", true) .put("path.home", ".") .build(); @@ -583,10 +528,7 @@ public void httpsTestPemDefault() throws Exception { settings = Settings.builder() .put("plugins.security.audit.config.webhook.url", url) .put("plugins.security.audit.config.webhook.format", "jSoN") - .put( - SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, - FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks") - ) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("auditlog/truststore").path()) .put( "plugins.security.audit.config.webhook.ssl.pemtrustedcas_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/spock.crt.pem") 
@@ -645,10 +587,7 @@ public void httpsTestPemEndpoint() throws Exception { .put("plugins.security.audit.endpoints.endpoint1.config.webhook.url", url) .put("plugins.security.audit.endpoints.endpoint1.config.webhook.format", "jSoN") .put("plugins.security.audit.endpoints.endpoint1.config.webhook.ssl.verify", true) - .put( - SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, - FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks") - ) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("auditlog/truststore").path()) .put("path.home", ".") .build(); auditlog = new WebhookSink("name", settings, "plugins.security.audit.endpoints.endpoint1.config", null, fallback); @@ -664,10 +603,7 @@ public void httpsTestPemEndpoint() throws Exception { .put("plugins.security.audit.endpoints.endpoint1.config.webhook.url", url) .put("plugins.security.audit.endpoints.endpoint1.config.webhook.format", "jSoN") .put("plugins.security.audit.endpoints.endpoint1.config.webhook.ssl.verify", true) - .put( - SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, - FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore_fail.jks") - ) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("auditlog/truststore_fail").path()) .put("path.home", ".") .build(); auditlog = new WebhookSink("name", settings, "plugins.security.audit.endpoints.endpoint1.config", null, fallback); 
@@ -753,18 +689,16 @@ public void httpsTestPemContentEndpoint() throws Exception {
 // for TLS support on our in-memory server
 private SSLContext createSSLContext() throws Exception {
 final TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
- final KeyStore trustStore = KeyStore.getInstance("JKS");
- InputStream trustStream = new FileInputStream(
- Objects.requireNonNull(FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")).toFile()
- );
+ var typedTrustStore = FileHelper.resolveStore("auditlog/truststore");
+ final KeyStore trustStore = KeyStore.getInstance(typedTrustStore.type());
+ InputStream trustStream = new FileInputStream(typedTrustStore.path().toFile());
 trustStore.load(trustStream, "changeit".toCharArray());
 tmf.init(trustStore);
 final KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
- final KeyStore keyStore = KeyStore.getInstance("JKS");
- InputStream keyStream = new FileInputStream(
- Objects.requireNonNull(FileHelper.getAbsoluteFilePathFromClassPath("auditlog/node-0-keystore.jks")).toFile()
- );
+ var typedKeyStore = FileHelper.resolveStore("auditlog/node-0-keystore");
+ final KeyStore keyStore = KeyStore.getInstance(typedKeyStore.type());
+ InputStream keyStream = new FileInputStream(typedKeyStore.path().toFile());
 keyStore.load(keyStream, "changeit".toCharArray());
 kmf.init(keyStore, "changeit".toCharArray());
@@ -798,10 +732,7 @@ public void basicAuthPostTest() throws Exception { .put("plugins.security.audit.config.username", username) .put("plugins.security.audit.config.password", password) .put("path.home", ".") - .put( - SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, - FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks") - ) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("auditlog/truststore").path()) .build(); LoggingSink fallback = new LoggingSink("test", Settings.EMPTY, null, null); @@ -856,10 +787,7 @@ public void basicAuthGetTest() throws Exception { .put("plugins.security.audit.config.username", username) .put("plugins.security.audit.config.password", password) .put("path.home", ".") - .put( - SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, - FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks") - ) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("auditlog/truststore").path()) .build(); LoggingSink fallback = new LoggingSink("test", Settings.EMPTY, null, null); @@ -905,10 +833,7 @@ public void webhookWithoutAuthTest() throws Exception { .put("plugins.security.audit.config.webhook.url", url) .put("plugins.security.audit.config.webhook.format", "json") .put("path.home", ".") - .put( - SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, - FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks") - ) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("auditlog/truststore").path()) .build(); LoggingSink fallback = new LoggingSink("test", Settings.EMPTY, null, null); diff --git a/src/test/java/org/opensearch/security/auth/http/jwt/keybyoidc/KeySetRetrieverTest.java b/src/test/java/org/opensearch/security/auth/http/jwt/keybyoidc/KeySetRetrieverTest.java index 3aa9f3d64f..0859890cb8 100644 
--- a/src/test/java/org/opensearch/security/auth/http/jwt/keybyoidc/KeySetRetrieverTest.java
+++ b/src/test/java/org/opensearch/security/auth/http/jwt/keybyoidc/KeySetRetrieverTest.java
@@ -113,12 +113,14 @@ protected void handleDiscoverRequest(HttpRequest request, ClassicHttpResponse re
 }) {
 SSLContextBuilder sslContextBuilder = SSLContexts.custom();
- KeyStore trustStore = KeyStore.getInstance("JKS");
- InputStream trustStream = new FileInputStream(FileHelper.getAbsoluteFilePathFromClassPath("jwt/truststore.jks").toFile());
+ var typedTrustStore = FileHelper.resolveStore("jwt/truststore");
+ KeyStore trustStore = KeyStore.getInstance(typedTrustStore.type());
+ InputStream trustStream = new FileInputStream(typedTrustStore.path().toFile());
 trustStore.load(trustStream, "changeit".toCharArray());
- KeyStore keyStore = KeyStore.getInstance("JKS");
- InputStream keyStream = new FileInputStream(FileHelper.getAbsoluteFilePathFromClassPath("jwt/spock-keystore.jks").toFile());
+ var typedKeyStore = FileHelper.resolveStore("jwt/spock-keystore");
+ KeyStore keyStore = KeyStore.getInstance(typedKeyStore.type());
+ InputStream keyStream = new FileInputStream(typedKeyStore.path().toFile());
 keyStore.load(keyStream, "changeit".toCharArray());
diff --git a/src/test/java/org/opensearch/security/auth/http/jwt/keybyoidc/MockIpdServer.java b/src/test/java/org/opensearch/security/auth/http/jwt/keybyoidc/MockIpdServer.java
index f082c3ee3a..2091f95f54 100644
--- a/src/test/java/org/opensearch/security/auth/http/jwt/keybyoidc/MockIpdServer.java
+++ b/src/test/java/org/opensearch/security/auth/http/jwt/keybyoidc/MockIpdServer.java
@@ -154,14 +154,16 @@ private SSLContext createSSLContext() {
 try {
 final TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
- final KeyStore trustStore = KeyStore.getInstance("JKS");
- InputStream trustStream = new FileInputStream(FileHelper.getAbsoluteFilePathFromClassPath("jwt/truststore.jks").toFile());
+ var typedTrustStore = FileHelper.resolveStore("jwt/truststore");
+ final KeyStore trustStore = KeyStore.getInstance(typedTrustStore.type());
+ InputStream trustStream = new FileInputStream(typedTrustStore.path().toFile());
 trustStore.load(trustStream, "changeit".toCharArray());
 tmf.init(trustStore);
 final KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
- final KeyStore keyStore = KeyStore.getInstance("JKS");
- InputStream keyStream = new FileInputStream(FileHelper.getAbsoluteFilePathFromClassPath("jwt/node-0-keystore.jks").toFile());
+ var typedKeyStore = FileHelper.resolveStore("jwt/node-0-keystore");
+ final KeyStore keyStore = KeyStore.getInstance(typedKeyStore.type());
+ InputStream keyStream = new FileInputStream(typedKeyStore.path().toFile());
 keyStore.load(keyStream, "changeit".toCharArray());
 kmf.init(keyStore, "changeit".toCharArray());
diff --git a/src/test/java/org/opensearch/security/auth/http/jwt/keybyoidc/MockJwksServer.java b/src/test/java/org/opensearch/security/auth/http/jwt/keybyoidc/MockJwksServer.java
index a6e7d16426..5bdc47878b 100644
--- a/src/test/java/org/opensearch/security/auth/http/jwt/keybyoidc/MockJwksServer.java
+++ b/src/test/java/org/opensearch/security/auth/http/jwt/keybyoidc/MockJwksServer.java
@@ -135,14 +135,16 @@ private SSLContext createSSLContext() {
 try {
 final TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
- final KeyStore trustStore = KeyStore.getInstance("JKS");
- InputStream trustStream = new FileInputStream(FileHelper.getAbsoluteFilePathFromClassPath("jwt/truststore.jks").toFile());
+ var typedTrustStore = FileHelper.resolveStore("jwt/truststore");
+ final KeyStore trustStore = KeyStore.getInstance(typedTrustStore.type());
+ InputStream trustStream = new FileInputStream(typedTrustStore.path().toFile());
 trustStore.load(trustStream, "changeit".toCharArray());
 tmf.init(trustStore);
 final KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
- final KeyStore keyStore = KeyStore.getInstance("JKS");
- InputStream keyStream = new FileInputStream(FileHelper.getAbsoluteFilePathFromClassPath("jwt/node-0-keystore.jks").toFile());
+ var typedKeyStore = FileHelper.resolveStore("jwt/node-0-keystore");
+ final KeyStore keyStore = KeyStore.getInstance(typedKeyStore.type());
+ InputStream keyStream = new FileInputStream(typedKeyStore.path().toFile());
 keyStore.load(keyStream, "changeit".toCharArray());
 kmf.init(keyStore, "changeit".toCharArray());
diff --git a/src/test/java/org/opensearch/security/auth/ldap/LdapBackendTest.java b/src/test/java/org/opensearch/security/auth/ldap/LdapBackendTest.java
index d5fa5f9a30..0b7d5eec42 100755
--- a/src/test/java/org/opensearch/security/auth/ldap/LdapBackendTest.java
+++ b/src/test/java/org/opensearch/security/auth/ldap/LdapBackendTest.java
@@ -173,10 +173,7 @@ public void testLdapAuthenticationSSL() throws Exception {
 .putList(ConfigConstants.LDAP_HOSTS, "localhost:" + ldapsPort)
 .put(ConfigConstants.LDAP_AUTHC_USERSEARCH, "(uid={0})")
 .put(ConfigConstants.LDAPS_ENABLE_SSL, true)
- .put(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks")
- )
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("ldap/truststore").path())
 .put("verify_hostnames", false)
 .put("path.home", ".")
 .build();
@@ -224,10 +221,7 @@ public void testLdapAuthenticationSSLSSLv3() throws Exception {
 .putList(ConfigConstants.LDAP_HOSTS, "localhost:" + ldapsPort)
 .put(ConfigConstants.LDAP_AUTHC_USERSEARCH, "(uid={0})")
 .put(ConfigConstants.LDAPS_ENABLE_SSL, true)
- .put(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks")
- )
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("ldap/truststore").path())
 .put("verify_hostnames", false)
 .putList("enabled_ssl_protocols", "SSLv3")
 .put("path.home", ".")
@@ -249,10 +243,7 @@ public void testLdapAuthenticationSSLUnknowCipher() throws Exception {
 .putList(ConfigConstants.LDAP_HOSTS, "localhost:" + ldapsPort)
 .put(ConfigConstants.LDAP_AUTHC_USERSEARCH, "(uid={0})")
 .put(ConfigConstants.LDAPS_ENABLE_SSL, true)
- .put(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks")
- )
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("ldap/truststore").path())
 .put("verify_hostnames", false)
 .putList("enabled_ssl_ciphers", "AAA")
 .put("path.home", ".")
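Review bot: Each rewritten `.put(...)` line passes only `FileHelper.resolveStore("ldap/truststore").path()` and leaves the truststore type at its default, whereas the CrossClusterSearchTests hunk in this same commit pairs the resolved path with `.type()` for the transport keystore. If `resolveStore` can pick a store in a format other than the default (which is what exposing `.type()` suggests), these LDAP tests would fail at truststore load rather than exercise the TLS path they are named for; hoisting the result into a local and adding `.put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE, ldapTrustStore.type())` next to the filepath line, as done with `ccsTransportKs`, would make the intent explicit. The same pattern repeats in the remaining hunks of this file and in LdapBackendTestNewStyleConfig, LdapBackendTestNewStyleConfig2 and LdapBackendTestOldStyleConfig2. Each enclosing test method starts and ends outside its hunk.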
@@ -274,10 +265,7 @@ public void testLdapAuthenticationSpecialCipherProtocol() throws Exception {
 .putList(ConfigConstants.LDAP_HOSTS, "localhost:" + ldapsPort)
 .put(ConfigConstants.LDAP_AUTHC_USERSEARCH, "(uid={0})")
 .put(ConfigConstants.LDAPS_ENABLE_SSL, true)
- .put(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks")
- )
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("ldap/truststore").path())
 .put("verify_hostnames", false)
 .putList("enabled_ssl_protocols", "TLSv1.2")
 .putList("enabled_ssl_ciphers", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA")
@@ -297,10 +285,7 @@ public void testLdapAuthenticationSSLNoKeystore() throws Exception {
 .putList(ConfigConstants.LDAP_HOSTS, "localhost:" + ldapsPort)
 .put(ConfigConstants.LDAP_AUTHC_USERSEARCH, "(uid={0})")
 .put(ConfigConstants.LDAPS_ENABLE_SSL, true)
- .put(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks")
- )
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("ldap/truststore").path())
 .put("verify_hostnames", false)
 .put("path.home", ".")
 .build();
@@ -735,10 +720,7 @@ public void testLdapAuthenticationStartTLS() throws Exception {
 .putList(ConfigConstants.LDAP_HOSTS, "localhost:" + ldapPort)
 .put(ConfigConstants.LDAP_AUTHC_USERSEARCH, "(uid={0})")
 .put(ConfigConstants.LDAPS_ENABLE_START_TLS, true)
- .put(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks")
- )
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("ldap/truststore").path())
 .put("verify_hostnames", false)
 .put("path.home", ".")
 .build();
diff --git a/src/test/java/org/opensearch/security/auth/ldap/LdapBackendTestClientCert.java b/src/test/java/org/opensearch/security/auth/ldap/LdapBackendTestClientCert.java
index b082238e21..c92339cfa0 100644
--- a/src/test/java/org/opensearch/security/auth/ldap/LdapBackendTestClientCert.java
+++ b/src/test/java/org/opensearch/security/auth/ldap/LdapBackendTestClientCert.java
@@ -11,10 +11,6 @@ package org.opensearch.security.auth.ldap;
-import java.io.File;
-import java.io.UnsupportedEncodingException;
-import java.net.URL;
-import java.net.URLDecoder;
 import java.nio.charset.StandardCharsets;
 import org.junit.Assert;
@@ -274,28 +270,6 @@ public void testLdapAuthenticationSSL() throws Exception {
 assertThat(user.getName(), is("ldap_hr_employee"));
 }
- public static File getAbsoluteFilePathFromClassPath(final String fileNameFromClasspath) {
- File file = null;
- final URL fileUrl = LdapBackendTestClientCert.class.getClassLoader().getResource(fileNameFromClasspath);
- if (fileUrl != null) {
- try {
- file = new File(URLDecoder.decode(fileUrl.getFile(), "UTF-8"));
- } catch (final UnsupportedEncodingException e) {
- return null;
- }
-
- if (file.exists() && file.canRead()) {
- return file;
- } else {
- System.err.println("Cannot read from {}, maybe the file does not exists? " + file.getAbsolutePath());
- }
-
- } else {
- System.err.println("Failed to load " + fileNameFromClasspath);
- }
- return null;
- }
-
 static AuthenticationContext ctx(String userName, String password) {
 return new AuthenticationContext(new AuthCredentials(userName, password.getBytes(StandardCharsets.UTF_8)));
 }
diff --git a/src/test/java/org/opensearch/security/auth/ldap/LdapBackendTestNewStyleConfig.java b/src/test/java/org/opensearch/security/auth/ldap/LdapBackendTestNewStyleConfig.java
index 38ccb35cf0..5fb7b945e5 100644
--- a/src/test/java/org/opensearch/security/auth/ldap/LdapBackendTestNewStyleConfig.java
+++ b/src/test/java/org/opensearch/security/auth/ldap/LdapBackendTestNewStyleConfig.java
@@ -172,10 +172,7 @@ public void testLdapAuthenticationSSL() throws Exception {
 .putList(ConfigConstants.LDAP_HOSTS, "localhost:" + ldapsPort)
 .put("users.u1.search", "(uid={0})")
 .put(ConfigConstants.LDAPS_ENABLE_SSL, true)
- .put(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks")
- )
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("ldap/truststore").path())
 .put("verify_hostnames", false)
 .put("path.home", ".")
 .build();
@@ -224,10 +221,7 @@ public void testLdapAuthenticationSSLSSLv3() throws Exception {
 .putList(ConfigConstants.LDAP_HOSTS, "localhost:" + ldapsPort)
 .put("users.u1.search", "(uid={0})")
 .put(ConfigConstants.LDAPS_ENABLE_SSL, true)
- .put(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks")
- )
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("ldap/truststore").path())
 .put("verify_hostnames", false)
 .putList("enabled_ssl_protocols", "SSLv3")
 .put("path.home", ".")
@@ -249,10 +243,7 @@ public void testLdapAuthenticationSSLUnknownCipher() throws Exception {
 .putList(ConfigConstants.LDAP_HOSTS, "localhost:" + ldapsPort)
 .put("users.u1.search", "(uid={0})")
 .put(ConfigConstants.LDAPS_ENABLE_SSL, true)
- .put(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks")
- )
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("ldap/truststore").path())
 .put("verify_hostnames", false)
 .putList("enabled_ssl_ciphers", "AAA")
 .put("path.home", ".")
@@ -274,10 +265,7 @@ public void testLdapAuthenticationSpecialCipherProtocol() throws Exception {
 .putList(ConfigConstants.LDAP_HOSTS, "localhost:" + ldapsPort)
 .put("users.u1.search", "(uid={0})")
 .put(ConfigConstants.LDAPS_ENABLE_SSL, true)
- .put(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks")
- )
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("ldap/truststore").path())
 .put("verify_hostnames", false)
 .putList("enabled_ssl_protocols", "TLSv1.2")
 .putList("enabled_ssl_ciphers", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA")
@@ -297,10 +285,7 @@ public void testLdapAuthenticationSSLNoKeystore() throws Exception {
 .putList(ConfigConstants.LDAP_HOSTS, "localhost:" + ldapsPort)
 .put("users.u1.search", "(uid={0})")
 .put(ConfigConstants.LDAPS_ENABLE_SSL, true)
- .put(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks")
- )
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("ldap/truststore").path())
 .put("verify_hostnames", false)
 .put("path.home", ".")
 .build();
@@ -584,10 +569,7 @@ public void testLdapAuthenticationStartTLS() throws Exception {
 .putList(ConfigConstants.LDAP_HOSTS, "localhost:" + ldapPort)
 .put("users.u1.search", "(uid={0})")
 .put(ConfigConstants.LDAPS_ENABLE_START_TLS, true)
- .put(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks")
- )
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("ldap/truststore").path())
 .put("verify_hostnames", false)
 .put("path.home", ".")
 .build();
diff --git a/src/test/java/org/opensearch/security/auth/ldap/srv/LdapServer.java b/src/test/java/org/opensearch/security/auth/ldap/srv/LdapServer.java
index a68d1aa511..adeec6b06f 100644
--- a/src/test/java/org/opensearch/security/auth/ldap/srv/LdapServer.java
+++ b/src/test/java/org/opensearch/security/auth/ldap/srv/LdapServer.java
@@ -114,7 +114,7 @@ private int doStart(String... ldifFiles) throws Exception {
 private Collection getInMemoryListenerConfigs() throws Exception {
 Collection listenerConfigs = new ArrayList();
- String serverKeyStorePath = FileHelper.getAbsoluteFilePathFromClassPath("ldap/node-0-keystore.jks").toFile().getAbsolutePath();
+ String serverKeyStorePath = FileHelper.resolveStore("ldap/node-0-keystore").path().toFile().getAbsolutePath();
 final SSLUtil serverSSLUtil = new SSLUtil(
 new KeyStoreKeyManager(serverKeyStorePath, "changeit".toCharArray()),
 new TrustStoreTrustManager(serverKeyStorePath)
diff --git a/src/test/java/org/opensearch/security/auth/ldap2/LdapBackendTestClientCert2.java b/src/test/java/org/opensearch/security/auth/ldap2/LdapBackendTestClientCert2.java
index d9686ad2e6..489c760008 100644
--- a/src/test/java/org/opensearch/security/auth/ldap2/LdapBackendTestClientCert2.java
+++ b/src/test/java/org/opensearch/security/auth/ldap2/LdapBackendTestClientCert2.java
@@ -11,10 +11,6 @@ package org.opensearch.security.auth.ldap2;
-import java.io.File;
-import java.io.UnsupportedEncodingException;
-import java.net.URL;
-import java.net.URLDecoder;
 import java.nio.charset.StandardCharsets;
 import org.junit.Assert;
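Review bot: `serverKeyStorePath` is now taken from `FileHelper.resolveStore("ldap/node-0-keystore")`, but the resolved store's type is discarded and the following `new KeyStoreKeyManager(serverKeyStorePath, "changeit".toCharArray())` / `new TrustStoreTrustManager(serverKeyStorePath)` still use the overloads that leave the store format to the SDK default. If `resolveStore` can hand back a store in another format, the in-memory LDAP listener will fail to start before any test runs; UnboundID's `KeyStoreKeyManager` and `TrustStoreTrustManager` have constructors that take an explicit format string, so keeping the resolved store in a local and passing its `.type()` through would keep this file in step with the `.type()` usage elsewhere in the commit. getInMemoryListenerConfigs continues past the end of the hunk.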
@@ -276,28 +272,6 @@ public void testLdapAuthenticationSSL() throws Exception {
 assertThat(user.getName(), is("ldap_hr_employee"));
 }
- public static File getAbsoluteFilePathFromClassPath(final String fileNameFromClasspath) {
- File file = null;
- final URL fileUrl = LdapBackendTestClientCert2.class.getClassLoader().getResource(fileNameFromClasspath);
- if (fileUrl != null) {
- try {
- file = new File(URLDecoder.decode(fileUrl.getFile(), "UTF-8"));
- } catch (final UnsupportedEncodingException e) {
- return null;
- }
-
- if (file.exists() && file.canRead()) {
- return file;
- } else {
- System.err.println("Cannot read from {}, maybe the file does not exists? " + file.getAbsolutePath());
- }
-
- } else {
- System.err.println("Failed to load " + fileNameFromClasspath);
- }
- return null;
- }
-
 static AuthenticationContext ctx(String userName, String password) {
 return new AuthenticationContext(new AuthCredentials(userName, password.getBytes(StandardCharsets.UTF_8)));
 }
diff --git a/src/test/java/org/opensearch/security/auth/ldap2/LdapBackendTestNewStyleConfig2.java b/src/test/java/org/opensearch/security/auth/ldap2/LdapBackendTestNewStyleConfig2.java
index a04ebe955d..1127fd80e8 100644
--- a/src/test/java/org/opensearch/security/auth/ldap2/LdapBackendTestNewStyleConfig2.java
+++ b/src/test/java/org/opensearch/security/auth/ldap2/LdapBackendTestNewStyleConfig2.java
@@ -194,10 +194,7 @@ public void testLdapAuthenticationSSL() throws Exception {
 final Settings settings = createBaseSettings().putList(ConfigConstants.LDAP_HOSTS, "localhost:" + ldapsPort)
 .put("users.u1.search", "(uid={0})")
 .put(ConfigConstants.LDAPS_ENABLE_SSL, true)
- .put(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks")
- )
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("ldap/truststore").path())
 .put("verify_hostnames", false)
 .put("path.home", ".")
 .build();
@@ -244,10 +241,7 @@ public void testLdapAuthenticationSSLSSLv3() throws Exception {
 final Settings settings = createBaseSettings().putList(ConfigConstants.LDAP_HOSTS, "localhost:" + ldapsPort)
 .put("users.u1.search", "(uid={0})")
 .put(ConfigConstants.LDAPS_ENABLE_SSL, true)
- .put(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks")
- )
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("ldap/truststore").path())
 .put("verify_hostnames", false)
 .putList("enabled_ssl_protocols", "SSLv3")
 .put("path.home", ".")
@@ -269,10 +263,7 @@ public void testLdapAuthenticationSSLUnknownCipher() throws Exception {
 final Settings settings = createBaseSettings().putList(ConfigConstants.LDAP_HOSTS, "localhost:" + ldapsPort)
 .put("users.u1.search", "(uid={0})")
 .put(ConfigConstants.LDAPS_ENABLE_SSL, true)
- .put(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks")
- )
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("ldap/truststore").path())
 .put("verify_hostnames", false)
 .putList("enabled_ssl_ciphers", "AAA")
 .put("path.home", ".")
@@ -297,10 +288,7 @@ public void testLdapAuthenticationSpecialCipherProtocol() throws Exception {
 final Settings settings = createBaseSettings().putList(ConfigConstants.LDAP_HOSTS, "localhost:" + ldapsPort)
 .put("users.u1.search", "(uid={0})")
 .put(ConfigConstants.LDAPS_ENABLE_SSL, true)
- .put(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks")
- )
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("ldap/truststore").path())
 .put("verify_hostnames", false)
 .putList("enabled_ssl_protocols", "TLSv1.2")
 .putList("enabled_ssl_ciphers", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA")
@@ -319,10 +307,7 @@ public void testLdapAuthenticationSSLNoKeystore() throws Exception {
 final Settings settings = createBaseSettings().putList(ConfigConstants.LDAP_HOSTS, "localhost:" + ldapsPort)
 .put("users.u1.search", "(uid={0})")
 .put(ConfigConstants.LDAPS_ENABLE_SSL, true)
- .put(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks")
- )
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("ldap/truststore").path())
 .put("verify_hostnames", false)
 .put("path.home", ".")
 .build();
@@ -626,10 +611,7 @@ public void testLdapAuthenticationStartTLS() throws Exception {
 final Settings settings = createBaseSettings().putList(ConfigConstants.LDAP_HOSTS, "localhost:" + ldapPort)
 .put("users.u1.search", "(uid={0})")
 .put(ConfigConstants.LDAPS_ENABLE_START_TLS, true)
- .put(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks")
- )
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("ldap/truststore").path())
 .put("verify_hostnames", false)
 .put("path.home", ".")
 .build();
diff --git a/src/test/java/org/opensearch/security/auth/ldap2/LdapBackendTestOldStyleConfig2.java b/src/test/java/org/opensearch/security/auth/ldap2/LdapBackendTestOldStyleConfig2.java
index 10abeeac75..f25c20b19a 100755
--- a/src/test/java/org/opensearch/security/auth/ldap2/LdapBackendTestOldStyleConfig2.java
+++ b/src/test/java/org/opensearch/security/auth/ldap2/LdapBackendTestOldStyleConfig2.java
@@ -218,10 +218,7 @@ public void testLdapAuthenticationSSL() throws Exception {
 final Settings settings = createBaseSettings().putList(ConfigConstants.LDAP_HOSTS, "localhost:" + ldapsPort)
 .put(ConfigConstants.LDAP_AUTHC_USERSEARCH, "(uid={0})")
 .put(ConfigConstants.LDAPS_ENABLE_SSL, true)
- .put(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks")
- )
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("ldap/truststore").path())
 .put("verify_hostnames", false)
 .put("path.home", ".")
 .build();
@@ -238,10 +235,7 @@ public void testLdapAuthenticationSSLPooled() throws Exception {
 .put(ConfigConstants.LDAP_AUTHC_USERSEARCH, "(uid={0})")
 .put(ConfigConstants.LDAPS_ENABLE_SSL, true)
 .put(ConfigConstants.LDAP_POOL_ENABLED, true)
- .put(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks")
- )
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("ldap/truststore").path())
 .put("verify_hostnames", false)
 .put("path.home", ".")
 .build();
@@ -288,10 +282,7 @@ public void testLdapAuthenticationSSLSSLv3() throws Exception {
 final Settings settings = createBaseSettings().putList(ConfigConstants.LDAP_HOSTS, "localhost:" + ldapsPort)
 .put(ConfigConstants.LDAP_AUTHC_USERSEARCH, "(uid={0})")
 .put(ConfigConstants.LDAPS_ENABLE_SSL, true)
- .put(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks")
- )
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("ldap/truststore").path())
 .put("verify_hostnames", false)
 .putList("enabled_ssl_protocols", "SSLv3")
 .put("path.home", ".")
@@ -313,10 +304,7 @@ public void testLdapAuthenticationSSLUnknowCipher() throws Exception {
 final Settings settings = createBaseSettings().putList(ConfigConstants.LDAP_HOSTS, "localhost:" + ldapsPort)
 .put(ConfigConstants.LDAP_AUTHC_USERSEARCH, "(uid={0})")
 .put(ConfigConstants.LDAPS_ENABLE_SSL, true)
- .put(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks")
- )
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("ldap/truststore").path())
 .put("verify_hostnames", false)
 .putList("enabled_ssl_ciphers", "AAA")
 .put("path.home", ".")
@@ -338,10 +326,7 @@ public void testLdapAuthenticationSpecialCipherProtocol() throws Exception {
 final Settings settings = createBaseSettings().putList(ConfigConstants.LDAP_HOSTS, "localhost:" + ldapsPort)
 .put(ConfigConstants.LDAP_AUTHC_USERSEARCH, "(uid={0})")
 .put(ConfigConstants.LDAPS_ENABLE_SSL, true)
- .put(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks")
- )
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("ldap/truststore").path())
 .put("verify_hostnames", false)
 .putList("enabled_ssl_protocols", "TLSv1.2")
 .putList("enabled_ssl_ciphers", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA")
@@ -360,10 +345,7 @@ public void testLdapAuthenticationSSLNoKeystore() throws Exception {
 final Settings settings = createBaseSettings().putList(ConfigConstants.LDAP_HOSTS, "localhost:" + ldapsPort)
 .put(ConfigConstants.LDAP_AUTHC_USERSEARCH, "(uid={0})")
 .put(ConfigConstants.LDAPS_ENABLE_SSL, true)
- .put(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks")
- )
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("ldap/truststore").path())
 .put("verify_hostnames", false)
 .put("path.home", ".")
 .build();
@@ -663,10 +645,7 @@ public void testLdapAuthenticationStartTLS() throws Exception {
 final Settings settings = createBaseSettings().putList(ConfigConstants.LDAP_HOSTS, "localhost:" + ldapPort)
 .put(ConfigConstants.LDAP_AUTHC_USERSEARCH, "(uid={0})")
 .put(ConfigConstants.LDAPS_ENABLE_START_TLS, true)
- .put(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks")
- )
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("ldap/truststore").path())
 .put("verify_hostnames", false)
 .put("path.home", ".")
 .build();
diff --git a/src/test/java/org/opensearch/security/ccstest/CrossClusterSearchTests.java b/src/test/java/org/opensearch/security/ccstest/CrossClusterSearchTests.java
index 22dd99b011..83bfd239a4 100644
--- a/src/test/java/org/opensearch/security/ccstest/CrossClusterSearchTests.java
+++ b/src/test/java/org/opensearch/security/ccstest/CrossClusterSearchTests.java
@@ -146,7 +146,7 @@ private Tuple setupCluster(
 boolean httpsEnabled = settings.get(0).getAsBoolean(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED, false);
 RestHelper rh = new RestHelper(clusterInfo, httpsEnabled, httpsEnabled, getResourceFolder());
 rh.sendAdminCertificate = httpsEnabled;
- rh.keystore = "restapi/kirk-keystore.jks";
+ rh.keystore = "restapi/kirk-keystore";
 return new Tuple<>(clusterInfo, rh);
 }
@@ -1283,23 +1283,15 @@ public void testCcsAggregationsDnfof() throws Exception {
 }
 private ClusterTransportClientSettings getBaseSettingsWithDifferentCert() {
+ var ccsTransportKs = FileHelper.resolveStore("node-untspec5-keystore");
 Settings cluster = Settings.builder()
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED, true)
- .put(
- SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("restapi/node-0-keystore.jks")
- )
- .put(
- SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("restapi/truststore.jks")
- )
- .put(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("node-untspec5-keystore.p12")
- )
+ .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH, FileHelper.resolveStore("restapi/node-0-keystore").path())
+ .put(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("restapi/truststore").path())
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, ccsTransportKs.path())
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "1")
 .put(ConfigConstants.SECURITY_NODES_DN_DYNAMIC_CONFIG_ENABLED, true)
- .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE, "PKCS12")
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE, ccsTransportKs.type())
 .putList(
 ConfigConstants.SECURITY_NODES_DN,
 "EMAILADDRESS=unt@tst.com,CN=node-untspec5.example.com,OU=SSL,O=Te\\, st,L=Test,C=DE"
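Review bot: Inside `getBaseSettingsWithDifferentCert` the transport keystore is configured from both `ccsTransportKs.path()` and `ccsTransportKs.type()`, while the HTTP keystore and truststore on the two lines just above are set from `.path()` alone, so `SECURITY_SSL_HTTP_KEYSTORE_TYPE` and `SECURITY_SSL_HTTP_TRUSTSTORE_TYPE` stay at their defaults. If `resolveStore` is meant to let the store format vary, the HTTP side should be wired the same way (resolve once into a local, set filepath and type from it); if the HTTP stores are always in the default format, a one-line comment above those two `.put` calls saying so would stop the mixed handling in one builder chain from reading as an oversight. The same path-only pattern appears in the `transport` settings of the next hunk and in the AbstractRestApiUnitTest hunks. The method continues past the end of this hunk.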
@@ -1312,10 +1304,7 @@ private ClusterTransportClientSettings getBaseSettingsWithDifferentCert() {
 .put(ConfigConstants.SECURITY_CERT_OID, "1.2.3.4.5.6")
 .build();
 Settings trans~port = Settings.builder()
- .put(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("node-untspec6-keystore.p12")
- )
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, FileHelper.resolveStore("node-untspec6-keystore").path())
 .build();
 return new ClusterTransportClientSettings(cluster, transport);
 }
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/AbstractRestApiUnitTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/AbstractRestApiUnitTest.java
index 989e9933e9..7a5559c954 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/AbstractRestApiUnitTest.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/AbstractRestApiUnitTest.java
@@ -52,12 +52,12 @@ protected final void setup() throws Exception {
 builder.put("plugins.security.ssl.http.enabled", true)
 .put(SECURITY_RESTAPI_PASSWORD_SCORE_BASED_VALIDATION_STRENGTH, PasswordValidator.ScoreStrength.FAIR.name())
- .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("restapi/node-0-keystore.jks"))
- .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("restapi/truststore.jks"));
+ .put("plugins.security.ssl.http.keystore_filepath", FileHelper.resolveStore("restapi/node-0-keystore").path())
+ .put("plugins.security.ssl.http.truststore_filepath", FileHelper.resolveStore("restapi/truststore").path());
 setup(Settings.EMPTY, new DynamicSecurityConfig(), builder.build(), init);
 rh = restHelper();
- rh.keystore = "restapi/kirk-keystore.jks";
+ rh.keystore = "restapi/kirk-keystore";
 }
 @Override
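Review bot: The rewritten `.put("plugins.security.ssl.http.keystore_filepath", ...)` and `.put("plugins.security.ssl.http.truststore_filepath", ...)` lines in AbstractRestApiUnitTest keep raw setting keys, while the rest of this commit (CrossClusterSearchTests, the LDAP tests) uses the `SSLConfigConstants` constants for the same settings; `SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH` and `SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH` are already used in the CrossClusterSearchTests hunk and would turn a renamed setting into a compile error instead of a silently ignored option. The same applies to the two further hunks of this file. The new `rh.keystore = "restapi/kirk-keystore"` drops the file extension, which presumably relies on RestHelper resolving the store through the same helper; that RestHelper change is not in this chunk, so it is worth confirming it lands in the same commit.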
@@ -65,13 +65,13 @@ protected final void setup(Settings nodeOverride) throws Exception {
 Settings.Builder builder = Settings.builder();
 builder.put("plugins.security.ssl.http.enabled", true)
- .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("restapi/node-0-keystore.jks"))
- .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("restapi/truststore.jks"))
+ .put("plugins.security.ssl.http.keystore_filepath", FileHelper.resolveStore("restapi/node-0-keystore").path())
+ .put("plugins.security.ssl.http.truststore_filepath", FileHelper.resolveStore("restapi/truststore").path())
 .put(nodeOverride);
 setup(Settings.EMPTY, new DynamicSecurityConfig(), builder.build(), init);
 rh = restHelper();
- rh.keystore = "restapi/kirk-keystore.jks";
+ rh.keystore = "restapi/kirk-keystore";
 }
 protected final void setupWithRestRoles() throws Exception {
@@ -83,8 +83,8 @@ protected final void setupWithRestRoles(Settings nodeOverride) throws Exception
 builder.put("plugins.security.ssl.http.enabled", true)
 .put(SECURITY_RESTAPI_PASSWORD_SCORE_BASED_VALIDATION_STRENGTH, PasswordValidator.ScoreStrength.FAIR.name())
- .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("restapi/node-0-keystore.jks"))
- .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("restapi/truststore.jks"));
+ .put("plugins.security.ssl.http.keystore_filepath", FileHelper.resolveStore("restapi/node-0-keystore").path())
+ .put("plugins.security.ssl.http.truststore_filepath", FileHelper.resolveStore("restapi/truststore").path());
 builder.put(rolesSettings());
@@ -94,7 +94,7 @@ protected final void setupWithRestRoles(Settings nodeOverride) throws Exception
 setup(Settings.EMPTY, new DynamicSecurityConfig(), builder.build(), init);
 rh = restHelper();
- rh.keystore = "restapi/kirk-keystore.jks";
+ rh.keystore = "restapi/kirk-keystore";
 AuditTestUtils.updateAuditConfig(rh, nodeOverride != null ? nodeOverride : Settings.EMPTY);
 }
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/AuditApiActionTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/AuditApiActionTest.java
index 39f1918f76..bdc75f5722 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/AuditApiActionTest.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/AuditApiActionTest.java
@@ -81,7 +81,7 @@ public void tearDown() {
 public void testInvalidPath() throws Exception {
 setup();
- rh.keystore = "restapi/kirk-keystore.jks";
+ rh.keystore = "restapi/kirk-keystore";
 rh.sendAdminCertificate = true;
 RestHelper.HttpResponse response;
@@ -377,7 +377,7 @@ private void testReadonlyCategories(final ObjectNode json, final String config,
 @Test
 public void testBadRequest() throws Exception {
 setupWithRestRoles();
- rh.keystore = "restapi/kirk-keystore.jks";
+ rh.keystore = "restapi/kirk-keystore";
 rh.sendAdminCertificate = true;
 // test bad patch request
@@ -408,7 +408,7 @@ public void testBadRequest() throws Exception {
 @Test
 public void testApi() throws Exception {
 setupWithRestRoles();
- rh.keystore = "restapi/kirk-keystore.jks";
+ rh.keystore = "restapi/kirk-keystore";
 // No creds, no admin certificate - UNAUTHORIZED
 testActions(HttpStatus.SC_UNAUTHORIZED, false);
@@ -623,7 +623,7 @@ private void testMap(
 @Test
 public void testPatchRequest() throws Exception {
 setupWithRestRoles();
- rh.keystore = "restapi/kirk-keystore.jks";
+ rh.keystore = "restapi/kirk-keystore";
 rh.sendAdminCertificate = true;
 // update with non-default configuration
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/FlushCacheApiTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/FlushCacheApiTest.java
index fe6fea6ed4..9895bf24dd 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/FlushCacheApiTest.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/FlushCacheApiTest.java
@@ -39,7 +39,7 @@ public void testFlushCache() throws Exception {
 setup();
 // Only DELETE is allowed for flush cache
- rh.keystore = "restapi/kirk-keystore.jks";
+ rh.keystore = "restapi/kirk-keystore";
 rh.sendAdminCertificate = true;
 // Username to test cache invalidation
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/GetConfigurationApiTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/GetConfigurationApiTest.java
index 6b5678d822..3c81710bbf 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/GetConfigurationApiTest.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/GetConfigurationApiTest.java
@@ -40,7 +40,7 @@ public GetConfigurationApiTest() {
 public void testGetConfiguration() throws Exception {
 setup();
- rh.keystore = "restapi/kirk-keystore.jks";
+ rh.keystore = "restapi/kirk-keystore";
 rh.sendAdminCertificate = true;
 // wrong config name -> bad request
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/IndexMissingTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/IndexMissingTest.java
index fc09ffdae2..b59bb1d57e 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/IndexMissingTest.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/IndexMissingTest.java
@@ -48,7 +48,7 @@ public void testGetConfiguration() throws Exception {
 protected void testHttpOperations() throws Exception {
- rh.keystore = "restapi/kirk-keystore.jks";
+ rh.keystore = "restapi/kirk-keystore";
 rh.sendAdminCertificate = true;
 // GET configuration
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/MultiTenancyConfigApiTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/MultiTenancyConfigApiTest.java
index 752335b802..b1356b9278 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/MultiTenancyConfigApiTest.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/MultiTenancyConfigApiTest.java
@@ -99,7 +99,7 @@ private void verifyTenantUpdate(final Header... header) throws Exception {
 @Test
 public void testUpdateSuperAdmin() throws Exception {
 setupWithRestRoles();
- rh.keystore = "restapi/kirk-keystore.jks";
+ rh.keystore = "restapi/kirk-keystore";
 rh.sendAdminCertificate = true;
 verifyTenantUpdate();
 }
@@ -214,7 +214,7 @@ private void verifyTenantUpdateFailed(final Header... header) throws Exception {
 @Test
 public void testDefaultTenantUpdateFailedSuperAdmin() throws Exception {
 setupWithRestRoles();
- rh.keystore = "restapi/kirk-keystore.jks";
+ rh.keystore = "restapi/kirk-keystore";
 rh.sendAdminCertificate = true;
 verifyTenantUpdateFailed();
 }
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/NodesDnApiTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/NodesDnApiTest.java
index 51da1ff00a..b7f5d2d00e 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/NodesDnApiTest.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/NodesDnApiTest.java
@@ -130,7 +130,7 @@ private void checkNullElementsInArray(final Header headers) throws Exception {
 @Test
 public void testNodesDnApiWithDynamicConfigDisabled() throws Exception {
 setup();
- rh.keystore = "restapi/kirk-keystore.jks";
+ rh.keystore = "restapi/kirk-keystore";
 rh.sendAdminCertificate = true;
 testCrudScenarios(HttpStatus.SC_BAD_REQUEST);
@@ -149,34 +149,34 @@ public void testNodesDnApi() throws Exception {
 {
 // No creds, no admin certificate - UNAUTHORIZED
- rh.keystore = "restapi/kirk-keystore.jks";
+ rh.keystore = "restapi/kirk-keystore";
 rh.sendAdminCertificate = false;
 testCrudScenarios(HttpStatus.SC_UNAUTHORIZED);
 }
 {
 // admin creds, no admin certificate - FORBIDDEN
- rh.keystore = "restapi/kirk-keystore.jks";
+ rh.keystore = "restapi/kirk-keystore";
 rh.sendAdminCertificate = false;
 testCrudScenarios(HttpStatus.SC_FORBIDDEN, adminCredsHeader);
 }
 {
 // any creds, admin certificate - OK
- rh.keystore = "restapi/kirk-keystore.jks";
+ rh.keystore = "restapi/kirk-keystore";
 rh.sendAdminCertificate = true;
 testCrudScenarios(HttpStatus.SC_OK, nonAdminCredsHeader);
 }
 {
- rh.keystore = "restapi/kirk-keystore.jks";
+ rh.keystore = "restapi/kirk-keystore";
 rh.sendAdminCertificate = true;
 checkNullElementsInArray(nonAdminCredsHeader);
 }
 {
 // any creds, admin certificate, disallowed key - FORBIDDEN
- rh.keystore = "restapi/kirk-keystore.jks";
+ rh.keystore = "restapi/kirk-keystore";
 rh.sendAdminCertificate = true;
 final int expectedStatus = HttpStatus.SC_FORBIDDEN;
@@ -298,7 +298,7 @@ public void testNodesDnApiAuditComplianceLogging() throws Exception {
 {
 // any creds, admin certificate - OK
- rh.keystore = "restapi/kirk-keystore.jks";
+ rh.keystore = "restapi/kirk-keystore";
 rh.sendAdminCertificate = true;
 testCrudScenarios(HttpStatus.SC_OK, nonAdminCredsHeader);
 }
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/SecurityApiAccessTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/SecurityApiAccessTest.java
index 173a0866ac..06e4e214c8 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/SecurityApiAccessTest.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/SecurityApiAccessTest.java
@@ -39,7 +39,7 @@ public void testRestApi() throws Exception {
 assertThat(rh.executeGetRequest(ENDPOINT, encodeBasicHeader("admin", "admin")).getStatusCode(), is(HttpStatus.SC_FORBIDDEN));
 // test with non-admin cert, must fail
- rh.keystore = "restapi/node-0-keystore.jks";
+ rh.keystore = "restapi/node-0-keystore";
 rh.sendAdminCertificate = true;
 assertThat(rh.executeGetRequest(ENDPOINT).getStatusCode(), is(HttpStatus.SC_UNAUTHORIZED));
 assertThat(rh.executeGetRequest(ENDPOINT, encodeBasicHeader("admin", "admin")).getStatusCode(), is(HttpStatus.SC_FORBIDDEN));
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/TenantInfoActionTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/TenantInfoActionTest.java
index 2448ad0778..cf79439e32 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/TenantInfoActionTest.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/TenantInfoActionTest.java
@@ -46,7 +46,7 @@ public void testTenantInfoAPIAccess() throws Exception {
 .build();
 setup(settings);
- rh.keystore = "restapi/kirk-keystore.jks";
+ rh.keystore = "restapi/kirk-keystore";
 rh.sendAdminCertificate = true;
 RestHelper.HttpResponse response = rh.executeGetRequest(ENDPOINT);
 assertThat(response.getStatusCode(), is(HttpStatus.SC_OK));
@@ -67,7 +67,7 @@ public void testTenantInfoAPIUpdate() throws Exception {
 .build();
 setup(settings);
- rh.keystore = "restapi/kirk-keystore.jks";
+ rh.keystore = "restapi/kirk-keystore";
 rh.sendHTTPClientCredentials = true;
 rh.sendAdminCertificate = true;
diff --git a/src/test/java/org/opensearch/security/filter/SecurityRestFilterTests.java b/src/test/java/org/opensearch/security/filter/SecurityRestFilterTests.java
index 45d6349f89..0cfcb2a105 100644
--- a/src/test/java/org/opensearch/security/filter/SecurityRestFilterTests.java
+++ b/src/test/java/org/opensearch/security/filter/SecurityRestFilterTests.java
@@ -50,7 +50,7 @@ public void checkAllowlistedApisAreAccessible() throws Exception {
 setup();
 // ADD SOME ALLOWLISTED APIs
- rh.keystore = "restapi/kirk-keystore.jks";
+ rh.keystore = "restapi/kirk-keystore";
 rh.sendAdminCertificate = true;
 response = rh.executePutRequest(
 "_plugins/_security/api/allowlist",
@@ -87,7 +87,7 @@ public void checkNonAllowlistedApisAccessibleOnlyBySuperAdmin() throws Exception
 setup();
 // ADD SOME ALLOWLISTED APIs - /_cat/nodes and /_cat/indices
- rh.keystore = "restapi/kirk-keystore.jks";
+ rh.keystore = "restapi/kirk-keystore";
 rh.sendAdminCertificate = true;
 response = rh.executePutRequest(
 "_plugins/_security/api/allowlist",
@@ -119,7 +119,7 @@ public void checkAllApisWhenAllowlistingNotEnabled() throws Exception {
 setup();
 // DISABLE ALLOWLISTED BUT ADD SOME ALLOWLISTED APIs - /_cat/nodes and /_cat/plugins
- rh.keystore = "restapi/kirk-keystore.jks";
+ rh.keystore = "restapi/kirk-keystore";
 rh.sendAdminCertificate = true;
 response = rh.executePutRequest(
 "_plugins/_security/api/allowlist",
@@ -163,7 +163,7 @@ public void checkSpecificRequestMethodAllowlisting() throws Exception {
 setup();
 // ALLOWLIST GET /_cluster/settings
- rh.keystore = "restapi/kirk-keystore.jks";
+ rh.keystore = "restapi/kirk-keystore";
 rh.sendAdminCertificate = true;
 response = rh.executePutRequest(
 "_plugins/_security/api/allowlist",
@@ -220,7 +220,7 @@ public void testAllowlistedApiWithExtraSlash() throws Exception {
 setup();
 // ALLOWLIST GET /_cluster/settings/ - extra / in the request
- rh.keystore = "restapi/kirk-keystore.jks";
+ rh.keystore = "restapi/kirk-keystore";
 rh.sendAdminCertificate = true;
 response = rh.executePutRequest(
 "_plugins/_security/api/allowlist",
@@ -269,7 +269,7 @@ public void testAllowlistedApiWithoutExtraSlash() throws Exception {
 setup();
 // ALLOWLIST GET /_cluster/settings (no extra / in request)
- rh.keystore = "restapi/kirk-keystore.jks";
+ rh.keystore = "restapi/kirk-keystore";
 rh.sendAdminCertificate = true;
 response = rh.executePutRequest(
 "_plugins/_security/api/allowlist",
@@ -314,7 +314,7 @@ public void testAllowlistedApiWithoutExtraSlash() throws Exception {
 public void testHasPermissionCheckParam_AccessAllowedCase() throws Exception {
 setup();
- rh.keystore = "restapi/kirk-keystore.jks";
+ rh.keystore = "restapi/kirk-keystore";
 rh.sendAdminCertificate = true;
 response = rh.executeGetRequest("_cluster/health?perform_permission_check=true", nonAdminCredsHeader);
 rh.sendAdminCertificate = false;
@@ -342,7 +342,7 @@ public void testHasPermissionCheckParam_AccessNotAllowedCase() throws Exception
 setup();
 // Create a new user with no permissions
- rh.keystore = "restapi/kirk-keystore.jks";
+ rh.keystore = "restapi/kirk-keystore";
 rh.sendAdminCertificate = true;
 String createUserBody = "{" + "\"password\": \"test-pass\"," + "\"backend_roles\": []" + "}";
diff --git a/src/test/java/org/opensearch/security/httpclient/HttpClientTest.java b/src/test/java/org/opensearch/security/httpclient/HttpClientTest.java
index 1f95dc53a2..59051e9a02 100644
--- a/src/test/java/org/opensearch/security/httpclient/HttpClientTest.java
+++ b/src/test/java/org/opensearch/security/httpclient/HttpClientTest.java
@@ -57,7 +57,7 @@ public void testPlainConnection() throws Exception {
 try (
 final HttpClient httpClient = HttpClient.builder("unknownhost:6654", clusterInfo.httpHost + ":" + clusterInfo.httpPort)
- .enableSsl(FileHelper.getKeystoreFromClassPath("auditlog/truststore.jks", "changeit"), false)
+ .enableSsl(FileHelper.getKeystoreFromClassPath("auditlog/truststore", "changeit"), false)
 .setBasicCredentials("admin", "admin")
 .build()
 ) {
@@ -84,8 +84,8 @@ public void testSslConnection() throws Exception {
 final Settings settings = Settings.builder()
 .put("plugins.security.ssl.http.enabled", true)
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0")
- .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/node-0-keystore.jks"))
- .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks"))
+ .put("plugins.security.ssl.http.keystore_filepath", FileHelper.resolveStore("auditlog/node-0-keystore").path())
+ .put("plugins.security.ssl.http.truststore_filepath", FileHelper.resolveStore("auditlog/truststore").path())
 .loadFromPath(FileHelper.getAbsoluteFilePathFromClassPath("auditlog/endpoints/routing/configuration_valid.yml"))
 .build();
@@ -95,7 +95,7 @@ public void testSslConnection() throws Exception {
 try (
 final HttpClient httpClient = HttpClient.builder(clusterInfo.httpHost + ":" + clusterInfo.httpPort)
- .enableSsl(FileHelper.getKeystoreFromClassPath("auditlog/truststore.jks", "changeit"), false)
+ .enableSsl(FileHelper.getKeystoreFromClassPath("auditlog/truststore", "changeit"), false)
 .setBasicCredentials("admin", "admin")
 .build()
 ) {
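Review bot: The settings hunk in testSslConnection drops the `.jks` suffix from `plugins.security.ssl.http.keystore_filepath` and `truststore_filepath` without setting a keystore or truststore type, so the store format the node loads now depends on whichever file `FileHelper.resolveStore` found plus the plugin's default type; the same applies to testSslConnectionPKIAuth on the next hunk. If the value returned by `resolveStore` also exposes the detected type, passing it to `plugins.security.ssl.http.keystore_type` and `plugins.security.ssl.http.truststore_type` would keep the test explicit about which format is under test, otherwise a comment such as `// store type is inferred from the file resolveStore picks` records the dependency. The enclosing methods start outside the hunk.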
@@ -123,8 +123,8 @@ public void testSslConnectionPKIAuth() throws Exception {
 .put("plugins.security.ssl.http.enabled", true)
 .put("plugins.security.ssl.http.clientauth_mode", "REQUIRE")
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0")
- .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/node-0-keystore.jks"))
- .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks"))
+ .put("plugins.security.ssl.http.keystore_filepath", FileHelper.resolveStore("auditlog/node-0-keystore").path())
+ .put("plugins.security.ssl.http.truststore_filepath", FileHelper.resolveStore("auditlog/truststore").path())
 .loadFromPath(FileHelper.getAbsoluteFilePathFromClassPath("auditlog/endpoints/routing/configuration_valid.yml"))
 .build();
@@ -134,9 +134,9 @@ public void testSslConnectionPKIAuth() throws Exception {
 try (
 final HttpClient httpClient = HttpClient.builder(clusterInfo.httpHost + ":" + clusterInfo.httpPort)
- .enableSsl(FileHelper.getKeystoreFromClassPath("auditlog/truststore.jks", "changeit"), false)
+ .enableSsl(FileHelper.getKeystoreFromClassPath("auditlog/truststore", "changeit"), false)
 .setPkiCredentials(
- FileHelper.getKeystoreFromClassPath("auditlog/spock-keystore.jks", "changeit"),
+ FileHelper.getKeystoreFromClassPath("auditlog/spock-keystore", "changeit"),
 "changeit".toCharArray(),
 null
 )
diff --git a/src/test/java/org/opensearch/security/sanity/tests/SecurityRestTestCase.java b/src/test/java/org/opensearch/security/sanity/tests/SecurityRestTestCase.java
index 0511afc5da..ca239baca3 100644
--- a/src/test/java/org/opensearch/security/sanity/tests/SecurityRestTestCase.java
+++ b/src/test/java/org/opensearch/security/sanity/tests/SecurityRestTestCase.java
@@ -26,6 +26,7 @@
 import org.opensearch.common.io.PathUtils;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.commons.rest.SecureRestClientBuilder;
+import org.opensearch.security.test.helper.file.FileHelper;
 import org.opensearch.test.rest.OpenSearchRestTestCase;
 import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD;
@@ -65,7 +66,7 @@ protected Settings restAdminSettings() {
 .put(SECURITY_SSL_HTTP_ENABLED, isHttps())
 // this is incorrect on common-utils side. It should be using `pemtrustedcas_filepath`
 .put(SECURITY_SSL_HTTP_PEMCERT_FILEPATH, CERT_FILE_DIRECTORY + "root-ca.pem")
- .put(SECURITY_SSL_HTTP_KEYSTORE_FILEPATH, CERT_FILE_DIRECTORY + "kirk-keystore.jks")
+ .put(SECURITY_SSL_HTTP_KEYSTORE_FILEPATH, FileHelper.resolveStore(CERT_FILE_DIRECTORY + "kirk-keystore").path())
 .put(SECURITY_SSL_HTTP_KEYSTORE_PASSWORD.insecurePropertyName, "changeit")
 .put(SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD.insecurePropertyName, "changeit")
 .build();
diff --git a/src/test/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPluginTest.java b/src/test/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPluginTest.java
index da9b0619f7..d5820e6621 100644
--- a/src/test/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPluginTest.java
+++ b/src/test/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPluginTest.java
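Review bot: In restAdminSettings the keystore is now located through `FileHelper.resolveStore(CERT_FILE_DIRECTORY + "kirk-keystore").path()` while `root-ca.pem` two lines above is still passed as the raw string `CERT_FILE_DIRECTORY + "root-ca.pem"`, so the two files are resolved by different mechanisms and could point at different directories. Whether `CERT_FILE_DIRECTORY` is classpath-relative or an absolute filesystem directory is not visible here; if `resolveStore` looks the stem up on the classpath and the constant is an absolute path, this `.put` would fail at setup, so the assumption deserves a comment next to the constant such as `// must be resolvable by FileHelper.resolveStore (classpath-relative)`. The method's signature is outside the hunk.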
@@ -62,25 +62,13 @@ public class OpenSearchSecuritySSLPluginTest extends AbstractSecurityUnitTest {
 @Before
 public void setUp() {
- osPathHome = FileHelper.getAbsoluteFilePathFromClassPath("ssl/kirk-keystore.jks").getParent().getParent();
+ osPathHome = FileHelper.resolveStore("ssl/kirk-keystore").path().getParent().getParent();
 settings = Settings.builder()
 .put(Environment.PATH_HOME_SETTING.getKey(), osPathHome)
- .put(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ssl/kirk-keystore.jks")
- )
- .put(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ssl/truststore.jks")
- )
- .put(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ssl/kirk-keystore.jks")
- )
- .put(
- SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")
- )
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, FileHelper.resolveStore("ssl/kirk-keystore").path())
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("ssl/truststore").path())
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, FileHelper.resolveStore("ssl/kirk-keystore").path())
+ .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH, FileHelper.resolveStore("ssl/node-0-keystore").path())
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED, true)
 .put(OpenSearchSecuritySSLPlugin.CLIENT_TYPE, "node")
 .build();
diff --git a/src/test/java/org/opensearch/security/ssl/SSLTest.java b/src/test/java/org/opensearch/security/ssl/SSLTest.java
index e29e8cc4f1..bab075e196 100644
--- a/src/test/java/org/opensearch/security/ssl/SSLTest.java
+++ b/src/test/java/org/opensearch/security/ssl/SSLTest.java
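Review bot: The rewritten builder chain in setUp still sets `SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH` twice with the same value (the first and third of the four new `.put` lines); the second assignment is a no-op that only obscures intent, and since this commit rewrote both lines it is the moment to drop the duplicate `.put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, FileHelper.resolveStore("ssl/kirk-keystore").path())`. The derivation of `osPathHome` from the resolved keystore's grandparent also makes the resource layout an implicit contract that is worth a comment, e.g. `// PATH_HOME is the directory two levels above the resolved ssl/kirk-keystore file`. The class body continues outside the hunk.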
@@ -89,14 +89,8 @@ public void testHttps() throws Exception {
 .putList(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_CIPHERS, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256")
 .putList(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS, "TLSv1.1", "TLSv1.2")
 .putList(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_CIPHERS, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256")
- .put(
- SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")
- )
- .put(
- SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ssl/truststore.jks")
- )
+ .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH, FileHelper.resolveStore("ssl/node-0-keystore").path())
+ .put(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("ssl/truststore").path())
 .build();
 setupSslOnlyMode(settings);
@@ -105,7 +99,7 @@ public void testHttps() throws Exception {
 rh.enableHTTPClientSSL = true;
 rh.trustHTTPServerCertificate = true;
 rh.sendAdminCertificate = true;
- rh.keystore = "node-untspec5-keystore.p12";
+ rh.keystore = "node-untspec5-keystore";
 String res = rh.executeSimpleRequest("_opendistro/_security/sslinfo?pretty&show_dn=true");
 Assert.assertTrue(res.contains("EMAILADDRESS=unt@tst.com"));
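Review bot: `rh.keystore = "node-untspec5-keystore";` in testHttps removes the only place that said the client-side store is a PKCS12 file (`.p12`) while the server-side stores in the same test were `.jks`, so the test no longer documents that it deliberately exercises a client store in a different format; the same edit appears in testHttpsWithTrustStoreContainingValidCertsNotInChain and testHttpsWithTrustStoreContainingInvalidCertsNotInChain on the next two hunks. A short comment would keep that intent visible, e.g. `// client store is PKCS12 on disk; the bare name is resolved by the helper`, or, if the resolver exposes the detected type, an assertion on it. The enclosing methods begin and end outside the hunks.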
@@ -129,14 +123,8 @@ public void testHttpsWithTrustStoreContainingValidCertsNotInChain() throws Excep
 final Settings settings = Settings.builder()
 .put(ConfigConstants.SECURITY_SSL_ONLY, true)
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED, true)
- .put(
- SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")
- )
- .put(
- SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ssl/truststore_valid.jks")
- )
+ .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH, FileHelper.resolveStore("ssl/node-0-keystore").path())
+ .put(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("ssl/truststore_valid").path())
 .build();
 setupSslOnlyMode(settings);
@@ -145,7 +133,7 @@ public void testHttpsWithTrustStoreContainingValidCertsNotInChain() throws Excep
 rh.enableHTTPClientSSL = true;
 rh.trustHTTPServerCertificate = true;
 rh.sendAdminCertificate = true;
- rh.keystore = "node-untspec5-keystore.p12";
+ rh.keystore = "node-untspec5-keystore";
 String res = rh.executeSimpleRequest("_opendistro/_security/sslinfo?pretty&show_dn=true");
 Assert.assertTrue(res.contains("EMAILADDRESS=unt@tst.com"));
@@ -166,14 +154,8 @@ public void testHttpsWithTrustStoreContainingInvalidCertsNotInChain() throws Exc
 final Settings settings = Settings.builder()
 .put(ConfigConstants.SECURITY_SSL_ONLY, true)
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED, true)
- .put(
- SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")
- )
- .put(
- SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ssl/truststore_invalid.jks")
- )
+ .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH, FileHelper.resolveStore("ssl/node-0-keystore").path())
+ .put(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("ssl/truststore_invalid").path())
 .build();
 setupSslOnlyMode(settings);
@@ -182,7 +164,7 @@ public void testHttpsWithTrustStoreContainingInvalidCertsNotInChain() throws Exc
 rh.enableHTTPClientSSL = true;
 rh.trustHTTPServerCertificate = true;
 rh.sendAdminCertificate = true;
- rh.keystore = "node-untspec5-keystore.p12";
+ rh.keystore = "node-untspec5-keystore";
 String res = rh.executeSimpleRequest("_opendistro/_security/sslinfo?pretty&show_dn=true");
 Assert.assertTrue(res.contains("EMAILADDRESS=unt@tst.com"));
@@ -209,14 +191,8 @@ public void testCipherAndProtocols() throws Exception {
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0")
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED, true)
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_CLIENTAUTH_MODE, "REQUIRE")
- .put(
- SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")
- )
- .put(
- SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ssl/truststore.jks")
- )
+ .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH, FileHelper.resolveStore("ssl/node-0-keystore").path())
+ .put(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("ssl/truststore").path())
 // WEAK and insecure cipher, do NOT use this, its here for unittesting only!!!
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_CIPHERS, "SSL_RSA_EXPORT_WITH_RC4_40_MD5")
 // WEAK and insecure protocol, do NOT use this, its here for unittesting only!!!
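Review bot: `FileHelper.resolveStore("ssl/node-0-keystore").path()` and `FileHelper.resolveStore("ssl/truststore").path()` are now re-evaluated inline in every settings builder of SSLTest, in this hunk and in the hunks that follow through testHttpsAndNodeSSLKeyStoreExtendedUsageEnabled; each call presumably performs a lookup, and the repeated literals are the same maintenance hazard the old `.jks` suffix was. Resolving them once into fields of the test class, e.g. `private static final Path NODE_0_KEYSTORE = FileHelper.resolveStore("ssl/node-0-keystore").path();` and `private static final Path TRUSTSTORE = FileHelper.resolveStore("ssl/truststore").path();`, and using those in the `.put` calls would remove the duplication. That `path()` returns a `java.nio.file.Path` is inferred only from the chained `getParent()` calls in OpenSearchSecuritySSLPluginTest and should be confirmed against FileHelper. Every enclosing test method starts outside its hunk.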
@@ -237,14 +213,8 @@ public void testCipherAndProtocols() throws Exception {
 settings = Settings.builder()
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED, true)
 .put(ConfigConstants.SECURITY_SSL_ONLY, true)
- .put(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")
- )
- .put(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ssl/truststore.jks")
- )
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, FileHelper.resolveStore("ssl/node-0-keystore").path())
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("ssl/truststore").path())
 // WEAK and insecure cipher, do NOT use this, its here for unittesting only!!!
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_CIPHERS, "SSL_RSA_EXPORT_WITH_RC4_40_MD5")
 // WEAK and insecure protocol, do NOT use this, its here for unittesting only!!!
@@ -290,14 +260,8 @@ public void testHttpsOptionalAuth() throws Exception {
 .put(ConfigConstants.SECURITY_SSL_ONLY, true)
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0")
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED, true)
- .put(
- SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")
- )
- .put(
- SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ssl/truststore.jks")
- )
+ .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH, FileHelper.resolveStore("ssl/node-0-keystore").path())
+ .put(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("ssl/truststore").path())
 .build();
 setupSslOnlyMode(settings);
@@ -324,27 +288,15 @@ public void testHttpsAndNodeSSL() throws Exception {
 .put(ConfigConstants.SECURITY_SSL_ONLY, true)
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0")
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0")
- .put(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")
- )
- .put(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ssl/truststore.jks")
- )
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, FileHelper.resolveStore("ssl/node-0-keystore").path())
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("ssl/truststore").path())
 .put(TRANSPORT_SSL_ENFORCE_HOSTNAME_VERIFICATION_KEY, false)
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME, false)
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED, true)
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_CLIENTAUTH_MODE, "REQUIRE")
- .put(
- SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")
- )
- .put(
- SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ssl/truststore.jks")
- )
+ .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH, FileHelper.resolveStore("ssl/node-0-keystore").path())
+ .put(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("ssl/truststore").path())
 .build();
@@ -567,27 +519,15 @@ public void testHttpsAndNodeSSLFailedCipher() throws Exception {
 .put(ConfigConstants.SECURITY_SSL_ONLY, true)
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0")
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0")
- .put(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")
- )
- .put(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ssl/truststore.jks")
- )
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, FileHelper.resolveStore("ssl/node-0-keystore").path())
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("ssl/truststore").path())
 .put(TRANSPORT_SSL_ENFORCE_HOSTNAME_VERIFICATION_KEY, false)
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME, false)
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED, true)
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_CLIENTAUTH_MODE, "REQUIRE")
- .put(
- SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")
- )
- .put(
- SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ssl/truststore.jks")
- )
+ .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH, FileHelper.resolveStore("ssl/node-0-keystore").path())
+ .put(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("ssl/truststore").path())
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_CIPHERS, "INVALID_CIPHER")
@@ -612,14 +552,8 @@ public void testHttpPlainFail() throws Exception {
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0")
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED, true)
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_CLIENTAUTH_MODE, "OPTIONAL")
- .put(
- SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")
- )
- .put(
- SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ssl/truststore.jks")
- )
+ .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH, FileHelper.resolveStore("ssl/node-0-keystore").path())
+ .put(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("ssl/truststore").path())
 .build();
 setupSslOnlyMode(settings);
@@ -644,14 +578,8 @@ public void testHttpsNoEnforce() throws Exception {
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0")
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED, true)
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_CLIENTAUTH_MODE, "NONE")
- .put(
- SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")
- )
- .put(
- SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ssl/truststore.jks")
- )
+ .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH, FileHelper.resolveStore("ssl/node-0-keystore").path())
+ .put(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("ssl/truststore").path())
 .build();
 setupSslOnlyMode(settings);
@@ -676,14 +604,8 @@ public void testHttpsEnforceFail() throws Exception {
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0")
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED, true)
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_CLIENTAUTH_MODE, "REQUIRE")
- .put(
- SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")
- )
- .put(
- SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ssl/truststore.jks")
- )
+ .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH, FileHelper.resolveStore("ssl/node-0-keystore").path())
+ .put(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("ssl/truststore").path())
 .build();
 setupSslOnlyMode(settings);
@@ -713,14 +635,8 @@ public void testHttpsV3Fail() throws Exception {
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0")
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED, true)
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_CLIENTAUTH_MODE, "NONE")
- .put(
- SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")
- )
- .put(
- SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ssl/truststore.jks")
- )
+ .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH, FileHelper.resolveStore("ssl/node-0-keystore").path())
+ .put(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("ssl/truststore").path())
 .build();
 setupSslOnlyMode(settings);
@@ -741,14 +657,8 @@ public void testNodeClientSSL() throws Exception {
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED, true)
 .put(ConfigConstants.SECURITY_SSL_ONLY, true)
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0")
- .put(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")
- )
- .put(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ssl/truststore.jks")
- )
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, FileHelper.resolveStore("ssl/node-0-keystore").path())
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("ssl/truststore").path())
 .put(TRANSPORT_SSL_ENFORCE_HOSTNAME_VERIFICATION_KEY, false)
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME, false)
 .build();
@@ -827,27 +737,15 @@ public void testCustomPrincipalExtractor() throws Exception {
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED, true)
 .put(ConfigConstants.SECURITY_SSL_ONLY, true)
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0")
- .put(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")
- )
- .put(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ssl/truststore.jks")
- )
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, FileHelper.resolveStore("ssl/node-0-keystore").path())
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("ssl/truststore").path())
 .put(TRANSPORT_SSL_ENFORCE_HOSTNAME_VERIFICATION_KEY, false)
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME, false)
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PRINCIPAL_EXTRACTOR_CLASS, "org.opensearch.security.ssl.TestPrincipalExtractor")
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0")
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED, true)
- .put(
- SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")
- )
- .put(
- SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ssl/truststore.jks")
- )
+ .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH, FileHelper.resolveStore("ssl/node-0-keystore").path())
+ .put(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("ssl/truststore").path())
 .build();
 setupSslOnlyMode(settings);
@@ -948,14 +846,8 @@ public void testCRL() throws Exception {
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0")
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED, true)
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_CLIENTAUTH_MODE, "REQUIRE")
- .put(
- SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")
- )
- .put(
- SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ssl/truststore.jks")
- )
+ .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH, FileHelper.resolveStore("ssl/node-0-keystore").path())
+ .put(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("ssl/truststore").path())
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_VALIDATE, true)
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_FILE, FileHelper.getAbsoluteFilePathFromClassPath("ssl/crl/revoked.crl"))
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_VALIDATION_DATE, CertificateValidatorTest.CRL_DATE.getTime())
@@ -979,14 +871,8 @@ public void testNodeClientSSLwithJavaTLSv13() throws Exception {
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED, true)
 .put(ConfigConstants.SECURITY_SSL_ONLY, true)
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0")
- .put(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")
- )
- .put(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ssl/truststore.jks")
- )
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, FileHelper.resolveStore("ssl/node-0-keystore").path())
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("ssl/truststore").path())
 .put(TRANSPORT_SSL_ENFORCE_HOSTNAME_VERIFICATION_KEY, false)
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME, false)
 .putList(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS, "TLSv1.3")
@@ -1036,22 +922,10 @@ public void testTLSv12() throws Exception {
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED, true)
 .put(ConfigConstants.SECURITY_SSL_ONLY, true)
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0")
- .put(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")
- )
- .put(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ssl/truststore.jks")
- )
- .put(
- SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")
- )
- .put(
- SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH,
- FileHelper.getAbsoluteFilePathFromClassPath("ssl/truststore.jks")
- )
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, FileHelper.resolveStore("ssl/node-0-keystore").path())
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("ssl/truststore").path())
+ .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH, FileHelper.resolveStore("ssl/node-0-keystore").path())
+ .put(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("ssl/truststore").path())
 .put(TRANSPORT_SSL_ENFORCE_HOSTNAME_VERIFICATION_KEY, false)
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME, false)
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_PROTOCOLS, "TLSv1.2")
@@ -1078,27 +952,15 @@ public void testHttpsAndNodeSSLKeyPass() throws Exception { .put(ConfigConstants.SECURITY_SSL_ONLY, true) .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0") .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0") - .put( - SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, - FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks") - ) - .put( - SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, - FileHelper.getAbsoluteFilePathFromClassPath("ssl/truststore.jks") - ) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, FileHelper.resolveStore("ssl/node-0-keystore").path()) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("ssl/truststore").path()) .put(TRANSPORT_SSL_ENFORCE_HOSTNAME_VERIFICATION_KEY, false) .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME, false) .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED, true) .put(SSLConfigConstants.SECURITY_SSL_HTTP_CLIENTAUTH_MODE, "REQUIRE") - .put( - SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH, - FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks") - ) - .put( - SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH, - FileHelper.getAbsoluteFilePathFromClassPath("ssl/truststore.jks") - ) + .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH, FileHelper.resolveStore("ssl/node-0-keystore").path()) + .put(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("ssl/truststore").path()) .setSecureSettings(mockSecureSettings) .build(); 
@@ -1142,11 +1004,11 @@ public void testHttpsAndNodeSSLKeyStoreExtendedUsageEnabled() throws Exception { .put( SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, - FileHelper.getAbsoluteFilePathFromClassPath("ssl/extended_key_usage/node-0-keystore.jks") + FileHelper.resolveStore("ssl/extended_key_usage/node-0-keystore").path() ) .put( SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, - FileHelper.getAbsoluteFilePathFromClassPath("ssl/extended_key_usage/truststore.jks") + FileHelper.resolveStore("ssl/extended_key_usage/truststore").path() ) .put(TRANSPORT_SSL_ENFORCE_HOSTNAME_VERIFICATION_KEY, false) @@ -1155,14 +1017,8 @@ public void testHttpsAndNodeSSLKeyStoreExtendedUsageEnabled() throws Exception { .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0") .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED, true) .put(SSLConfigConstants.SECURITY_SSL_HTTP_CLIENTAUTH_MODE, "REQUIRE") - .put( - SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH, - FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks") - ) - .put( - SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH, - FileHelper.getAbsoluteFilePathFromClassPath("ssl/truststore.jks") - ) + .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH, FileHelper.resolveStore("ssl/node-0-keystore").path()) + .put(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("ssl/truststore").path()) .setSecureSettings(mockSecureSettings) .build(); 
@@ -1198,27 +1054,15 @@ public void testHttpsAndNodeSSLKeyPassFail() throws Exception { .put(ConfigConstants.SECURITY_SSL_ONLY, true) .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0") .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0") - .put( - SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, - FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks") - ) - .put( - SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, - FileHelper.getAbsoluteFilePathFromClassPath("ssl/truststore.jks") - ) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, FileHelper.resolveStore("ssl/node-0-keystore").path()) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("ssl/truststore").path()) .put(TRANSPORT_SSL_ENFORCE_HOSTNAME_VERIFICATION_KEY, false) .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME, false) .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED, true) .put(SSLConfigConstants.SECURITY_SSL_HTTP_CLIENTAUTH_MODE, "REQUIRE") - .put( - SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH, - FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks") - ) - .put( - SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH, - FileHelper.getAbsoluteFilePathFromClassPath("ssl/truststore.jks") - ) + .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH, FileHelper.resolveStore("ssl/node-0-keystore").path()) + .put(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("ssl/truststore").path()) .setSecureSettings(mockSecureSettings) .build(); diff --git a/src/test/java/org/opensearch/security/ssl/SecuritySSLReloadCertsActionTests.java b/src/test/java/org/opensearch/security/ssl/SecuritySSLReloadCertsActionTests.java index e49317b21d..9bbc6b1dd2 100644 --- a/src/test/java/org/opensearch/security/ssl/SecuritySSLReloadCertsActionTests.java 
+++ b/src/test/java/org/opensearch/security/ssl/SecuritySSLReloadCertsActionTests.java @@ -406,7 +406,7 @@ private RestHelper getRestHelperAdminUser() { rh.enableHTTPClientSSL = true; rh.trustHTTPServerCertificate = true; rh.sendAdminCertificate = true; - rh.keystore = "ssl/reload/kirk-keystore.jks"; + rh.keystore = "ssl/reload/kirk-keystore"; return rh; } @@ -419,7 +419,7 @@ private RestHelper getRestHelperNonAdminUser() { rh.enableHTTPClientSSL = true; rh.trustHTTPServerCertificate = true; rh.sendAdminCertificate = true; - rh.keystore = "ssl/reload/spock-keystore.jks"; + rh.keystore = "ssl/reload/spock-keystore"; return rh; } @@ -484,15 +484,9 @@ private void initTestCluster( ); final Settings initTransportClientSettings = Settings.builder() - .put( - SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, - FileHelper.getAbsoluteFilePathFromClassPath("ssl/reload/truststore.jks") - ) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore("ssl/reload/truststore").path()) .put(TRANSPORT_SSL_ENFORCE_HOSTNAME_VERIFICATION_KEY, false) - .put( - SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, - FileHelper.getAbsoluteFilePathFromClassPath("ssl/reload/kirk-keystore.jks") - ) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, FileHelper.resolveStore("ssl/reload/kirk-keystore").path()) .build(); setup(initTransportClientSettings, new DynamicSecurityConfig(), settingsBuilder.build(), true, clusterConfiguration); diff --git a/src/test/java/org/opensearch/security/ssl/config/JdkSslCertificatesLoaderTest.java b/src/test/java/org/opensearch/security/ssl/config/JdkSslCertificatesLoaderTest.java index 93df4ab7a2..9a00d1ca59 100644 --- a/src/test/java/org/opensearch/security/ssl/config/JdkSslCertificatesLoaderTest.java +++ b/src/test/java/org/opensearch/security/ssl/config/JdkSslCertificatesLoaderTest.java 
@@ -305,7 +305,7 @@ Path createKeyStore(final String type, final String password, final Map SanParser.parse(x509)); + assertThat(ex.getCause(), instanceOf(UnknownHostException.class)); + } + + @Test + public void badIpSan_nonFipsMode_returnsEmpty() throws Exception { + Assume.assumeFalse(CryptoServicesRegistrar.isInApprovedOnlyMode()); + assertThat(SanParser.parse(buildCertWithBadIpSan()), is("")); + } + + // ── Helpers ───────────────────────────────────────────────────────────────── + + /** Builds a self-signed cert with a 3-byte iPAddress SAN (invalid: must be 4 or 16 bytes). */ + private static X509Certificate buildCertWithBadIpSan() throws Exception { + KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); + kpg.initialize(1024); + KeyPair kp = kpg.generateKeyPair(); + X500Name dn = new X500Name("CN=test"); + Date now = new Date(); + GeneralName badIp = new GeneralName(GeneralName.iPAddress, new DEROctetString(new byte[] { 1, 2, 3 })); + JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder( + dn, + BigInteger.ONE, + now, + new Date(now.getTime() + 86_400_000L), + dn, + kp.getPublic() + ); + builder.addExtension(Extension.subjectAlternativeName, false, new GeneralNames(badIp)); + ContentSigner signer = new JcaContentSignerBuilder("SHA512withRSA").build(kp.getPrivate()); + return new JcaX509CertificateConverter().getCertificate(builder.build(signer)); + } + + private static X509Certificate loadCert(CertificateFactory factory) throws Exception { + try (InputStream in = Files.newInputStream(FileHelper.getAbsoluteFilePathFromClassPath(CERT_RESOURCE))) { + return (X509Certificate) factory.generateCertificate(in); + } + } +} diff --git a/src/test/java/org/opensearch/security/ssl/util/CertFromKeystoreTests.java b/src/test/java/org/opensearch/security/ssl/util/CertFromKeystoreTests.java index 62befc9893..aad14617ee 100644 --- a/src/test/java/org/opensearch/security/ssl/util/CertFromKeystoreTests.java 
+++ b/src/test/java/org/opensearch/security/ssl/util/CertFromKeystoreTests.java @@ -30,11 +30,8 @@ public class CertFromKeystoreTests { @Test public void testLoadSameCertForClientServerUsage() throws UnrecoverableKeyException, CertificateException, NoSuchAlgorithmException, KeyStoreException, IOException { - KeystoreProps props = new KeystoreProps( - FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks").toString(), - "JKS", - "changeit" - ); + var ks0 = FileHelper.resolveStore("ssl/node-0-keystore"); + KeystoreProps props = new KeystoreProps(ks0.path().toString(), ks0.type(), "changeit"); CertFromKeystore cert = new CertFromKeystore(props, "node-0", "changeit"); @@ -49,11 +46,8 @@ public void testLoadSameCertForClientServerUsage() throws UnrecoverableKeyExcept @Test public void testLoadSameCertWithoutAlias() throws UnrecoverableKeyException, CertificateException, NoSuchAlgorithmException, KeyStoreException, IOException { - KeystoreProps props = new KeystoreProps( - FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks").toString(), - "JKS", - "changeit" - ); + var ks1 = FileHelper.resolveStore("ssl/node-0-keystore"); + KeystoreProps props = new KeystoreProps(ks1.path().toString(), ks1.type(), "changeit"); CertFromKeystore cert = new CertFromKeystore(props, null, "changeit"); 
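Review bot: `ks0` and `ks1` here (and `ks2` in the following hunk) are locals in three separate test methods, so the numeric suffixes distinguish nothing and read as leftovers from a single-method draft. A descriptive name works in each method, e.g. `var keystore = FileHelper.resolveStore("ssl/node-0-keystore");` followed by `new KeystoreProps(keystore.path().toString(), keystore.type(), "changeit")`. The sibling CertFromTruststoreTests hunks already use the plain `ts`, so `ks` (or `keystore`) would keep the two files consistent.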
@@ -65,11 +59,8 @@ public void testLoadSameCertWithoutAlias() throws UnrecoverableKeyException, Cer @Test public void testLoadDifferentCertsForClientServerUsage() throws UnrecoverableKeyException, CertificateException, NoSuchAlgorithmException, KeyStoreException, IOException { - KeystoreProps props = new KeystoreProps( - FileHelper.getAbsoluteFilePathFromClassPath("ssl/extended_key_usage/node-0-keystore.jks").toString(), - "JKS", - "changeit" - ); + var ks2 = FileHelper.resolveStore("ssl/extended_key_usage/node-0-keystore"); + KeystoreProps props = new KeystoreProps(ks2.path().toString(), ks2.type(), "changeit"); CertFromKeystore cert = new CertFromKeystore(props, "node-0-server", "node-0-client", "changeit", "changeit"); diff --git a/src/test/java/org/opensearch/security/ssl/util/CertFromTruststoreTests.java b/src/test/java/org/opensearch/security/ssl/util/CertFromTruststoreTests.java index c7d2b85fc1..8aa69f36c2 100644 --- a/src/test/java/org/opensearch/security/ssl/util/CertFromTruststoreTests.java +++ b/src/test/java/org/opensearch/security/ssl/util/CertFromTruststoreTests.java @@ -29,11 +29,8 @@ public class CertFromTruststoreTests { @Test public void testLoadSameCertForClientServerUsage() throws CertificateException, NoSuchAlgorithmException, KeyStoreException, IOException { - KeystoreProps props = new KeystoreProps( - FileHelper.getAbsoluteFilePathFromClassPath("ssl/extended_key_usage/truststore.jks").toString(), - "JKS", - "changeit" - ); + var ts = FileHelper.resolveStore("ssl/extended_key_usage/truststore"); + KeystoreProps props = new KeystoreProps(ts.path().toString(), ts.type(), "changeit"); CertFromTruststore cert = new CertFromTruststore(props, "root-ca"); 
@@ -43,11 +40,8 @@ public void testLoadSameCertForClientServerUsage() throws CertificateException, @Test public void testLoadSameCertWithoutAlias() throws CertificateException, NoSuchAlgorithmException, KeyStoreException, IOException { - KeystoreProps props = new KeystoreProps( - FileHelper.getAbsoluteFilePathFromClassPath("ssl/extended_key_usage/truststore.jks").toString(), - "JKS", - "changeit" - ); + var ts = FileHelper.resolveStore("ssl/extended_key_usage/truststore"); + KeystoreProps props = new KeystoreProps(ts.path().toString(), ts.type(), "changeit"); CertFromTruststore cert = new CertFromTruststore(props, null); @@ -56,11 +50,8 @@ public void testLoadSameCertWithoutAlias() throws CertificateException, NoSuchAl public void testLoadDifferentCertsForClientServerUsage() throws CertificateException, NoSuchAlgorithmException, KeyStoreException, IOException { - KeystoreProps props = new KeystoreProps( - FileHelper.getAbsoluteFilePathFromClassPath("ssl/extended_key_usage/truststore.jks").toString(), - "JKS", - "changeit" - ); + var ts = FileHelper.resolveStore("ssl/extended_key_usage/truststore"); + KeystoreProps props = new KeystoreProps(ts.path().toString(), ts.type(), "changeit"); CertFromTruststore cert = new CertFromTruststore(props, "root-ca", "root-ca"); diff --git a/src/test/java/org/opensearch/security/support/PemKeyReaderDetectStoreTypeTest.java b/src/test/java/org/opensearch/security/support/PemKeyReaderDetectStoreTypeTest.java new file mode 100644 index 0000000000..da8c788683 --- /dev/null +++ b/src/test/java/org/opensearch/security/support/PemKeyReaderDetectStoreTypeTest.java 
@@ -0,0 +1,121 @@ +/* + * SPDX-License-Identifier: Apache-2.0 + * + * The OpenSearch Contributors require contributions made to + * this file be licensed under the Apache-2.0 license or a + * compatible open source license. + * + * Modifications Copyright OpenSearch Contributors. See + * GitHub history for details. + */ + +package org.opensearch.security.support; + +import java.io.File; +import java.io.FileOutputStream; +import java.io.UncheckedIOException; +import java.security.KeyStore; +import java.security.Security; + +import org.junit.Rule; +import org.junit.Test; +import org.junit.rules.TemporaryFolder; +import org.bouncycastle.crypto.CryptoServicesRegistrar; +import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider; + +import static org.hamcrest.MatcherAssert.assertThat; +import static org.hamcrest.Matchers.equalTo; +import static org.opensearch.security.ssl.util.SSLConfigConstants.DEFAULT_STORE_TYPE; +import static org.junit.Assert.assertNotNull; +import static org.junit.Assert.assertThrows; +import static org.junit.Assume.assumeFalse; + +public class PemKeyReaderDetectStoreTypeTest { + + static { + if (Security.getProvider("BCFIPS") == null) { + Security.addProvider(new BouncyCastleFipsProvider()); + } + } + + @Rule + public TemporaryFolder tempDir = new TemporaryFolder(); + + @Test + public void detectsJks() throws Exception { + assumeFalse("JKS truststores are not supported in FIPS mode", CryptoServicesRegistrar.isInApprovedOnlyMode()); + File file = storeFile("JKS"); + assertThat(PemKeyReader.extractStoreType(file.getAbsolutePath(), null), equalTo(PemKeyReader.JKS)); + } + + @Test + public void detectsPkcs12() throws Exception { + assumeFalse("PKCS12 truststores are not supported in FIPS mode", CryptoServicesRegistrar.isInApprovedOnlyMode()); + File file = storeFile("PKCS12"); + assertThat(PemKeyReader.extractStoreType(file.getAbsolutePath(), null), equalTo(PemKeyReader.PKCS12)); + } + + @Test + public void detectsBcfks() throws Exception { + 
File file = storeFile("BCFKS"); + assertThat(PemKeyReader.extractStoreType(file.getAbsolutePath(), null), equalTo(PemKeyReader.BCFKS)); + } + + @Test + public void explicitTypeSkipsDetection() throws Exception { + // file content is irrelevant when type is explicitly provided + assumeFalse("PKCS12 truststores are not supported in FIPS mode", CryptoServicesRegistrar.isInApprovedOnlyMode()); + File file = tempDir.newFile("irrelevant.bin"); + try (FileOutputStream fos = new FileOutputStream(file)) { + fos.write(new byte[] { 0x00, 0x01, 0x02, 0x03 }); + } + assertThat(PemKeyReader.extractStoreType(file.getAbsolutePath(), PemKeyReader.PKCS12), equalTo(PemKeyReader.PKCS12)); + } + + @Test + public void throwsForFileTooShort() throws Exception { + File file = tempDir.newFile("short.bin"); + try (FileOutputStream fos = new FileOutputStream(file)) { + fos.write(new byte[] { 0x30, 0x00 }); + } + assertThrows(IllegalArgumentException.class, () -> PemKeyReader.extractStoreType(file.getAbsolutePath(), null)); + } + + @Test + public void throwsForUnknownFormat() throws Exception { + File file = tempDir.newFile("unknown.bin"); + try (FileOutputStream fos = new FileOutputStream(file)) { + fos.write(new byte[] { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05 }); + } + assertThrows(IllegalArgumentException.class, () -> PemKeyReader.extractStoreType(file.getAbsolutePath(), null)); + } + + @Test + public void throwsForNonExistentFile() { + assertThrows(UncheckedIOException.class, () -> PemKeyReader.extractStoreType("/nonexistent/path/store.jks", null)); + } + + @Test + public void throwsForEmptyFile() throws Exception { + File file = tempDir.newFile("empty.bin"); + assertThrows(IllegalArgumentException.class, () -> PemKeyReader.extractStoreType(file.getAbsolutePath(), null)); + } + + @Test + public void newEmptyStoreReturnsUsableStore() throws Exception { + KeyStore ks = PemKeyReader.newEmptyStore(); + assertNotNull(ks); + assertThat(ks.getType(), equalTo(DEFAULT_STORE_TYPE)); + 
assertThat(ks.size(), equalTo(0)); + } + + private File storeFile(String type) throws Exception { + File file = tempDir.newFile("store." + type.toLowerCase()); + KeyStore ks = KeyStore.getInstance(type); + ks.load(null, null); + try (FileOutputStream fos = new FileOutputStream(file)) { + ks.store(fos, new char[0]); + } + return file; + } +} diff --git a/src/test/java/org/opensearch/security/system_indices/AbstractSystemIndicesTests.java b/src/test/java/org/opensearch/security/system_indices/AbstractSystemIndicesTests.java index 1fd8b88eed..c23b3f1242 100644 --- a/src/test/java/org/opensearch/security/system_indices/AbstractSystemIndicesTests.java +++ b/src/test/java/org/opensearch/security/system_indices/AbstractSystemIndicesTests.java @@ -87,8 +87,8 @@ void setupWithSsl(boolean isSystemIndexEnabled, boolean isSystemIndexPermissionE .put(ConfigConstants.SECURITY_SYSTEM_INDICES_PERMISSIONS_ENABLED_KEY, isSystemIndexPermissionEnabled) .putList(ConfigConstants.SECURITY_SYSTEM_INDICES_KEY, SYSTEM_INDICES) .put("plugins.security.ssl.http.enabled", true) - .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks")) - .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks")) + .put("plugins.security.ssl.http.keystore_filepath", FileHelper.resolveStore("node-0-keystore").path()) + .put("plugins.security.ssl.http.truststore_filepath", FileHelper.resolveStore("truststore").path()) .put("path.repo", repositoryPath.getRoot().getAbsolutePath()) .build(); setup( @@ -152,7 +152,7 @@ void createSnapshots() { RestHelper superAdminRestHelper() { RestHelper restHelper = restHelper(); - restHelper.keystore = "kirk-keystore.jks"; + restHelper.keystore = "kirk-keystore"; restHelper.enableHTTPClientSSL = true; restHelper.trustHTTPServerCertificate = true; restHelper.sendAdminCertificate = true; 
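Review bot: `explicitTypeSkipsDetection` carries an `assumeFalse(..., CryptoServicesRegistrar.isInApprovedOnlyMode())` that its own comment contradicts: if the explicit type is returned without inspecting the file, nothing in the test depends on a JKS/PKCS12 provider, and the assumption only removes the case from the FIPS run. Drop that line unless `extractStoreType` validates the explicit type against the installed providers, in which case the comment `// file content is irrelevant when type is explicitly provided` should say that the type itself must still be loadable. Separately, the import block interleaves the `org.junit` and `org.bouncycastle` groups and places the `DEFAULT_STORE_TYPE` static import between the hamcrest and junit statics; grouping them will matter if the project's formatter checks import order.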
diff --git a/src/test/java/org/opensearch/security/test/AbstractSecurityUnitTest.java b/src/test/java/org/opensearch/security/test/AbstractSecurityUnitTest.java index d2da684078..86dbf15493 100644 --- a/src/test/java/org/opensearch/security/test/AbstractSecurityUnitTest.java +++ b/src/test/java/org/opensearch/security/test/AbstractSecurityUnitTest.java @@ -164,13 +164,15 @@ protected RestHighLevelClient getRestClient( try { SSLContextBuilder sslContextBuilder = SSLContexts.custom(); - File keyStoreFile = FileHelper.getAbsoluteFilePathFromClassPath(prefix + keyStoreName).toFile(); - KeyStore keyStore = KeyStore.getInstance(keyStoreName.endsWith(".jks") ? "JKS" : "PKCS12"); + var typedKeyStore = FileHelper.resolveStore(prefix + keyStoreName); + File keyStoreFile = typedKeyStore.path().toFile(); + KeyStore keyStore = KeyStore.getInstance(typedKeyStore.type()); keyStore.load(new FileInputStream(keyStoreFile), null); sslContextBuilder.loadKeyMaterial(keyStore, "changeit".toCharArray()); - KeyStore trustStore = KeyStore.getInstance(trustStoreName.endsWith(".jks") ? "JKS" : "PKCS12"); - File trustStoreFile = FileHelper.getAbsoluteFilePathFromClassPath(prefix + trustStoreName).toFile(); + var typedTrustStore = FileHelper.resolveStore(prefix + trustStoreName); + File trustStoreFile = typedTrustStore.path().toFile(); + KeyStore trustStore = KeyStore.getInstance(typedTrustStore.type()); trustStore.load(new FileInputStream(trustStoreFile), "changeit".toCharArray()); sslContextBuilder.loadTrustMaterial(trustStore, null); 
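Review bot: The rewritten key- and truststore setup still passes a bare `new FileInputStream(keyStoreFile)` / `new FileInputStream(trustStoreFile)` to `load(...)` and never closes it, so every client built here leaks a file handle. Since both surrounding lines are being rewritten anyway, wrap each load in try-with-resources, e.g. `try (var in = new FileInputStream(keyStoreFile)) { keyStore.load(in, null); }` and the same for `trustStore` with the `"changeit"` password. With `typedKeyStore.path()` already a `Path`, the `File` intermediates could also be dropped in favour of `Files.newInputStream(...)` if `java.nio.file.Files` is imported. getRestClient's body continues outside the hunk.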
@@ -298,12 +300,9 @@ protected Settings.Builder minimumSecuritySettingsBuilder(int node, boolean sslO builder.put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0") .put( SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, - FileHelper.getAbsoluteFilePathFromClassPath(prefix + "node-0-keystore.jks") - ) - .put( - SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, - FileHelper.getAbsoluteFilePathFromClassPath(prefix + "truststore.jks") + FileHelper.resolveStore(prefix + "node-0-keystore").path() ) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.resolveStore(prefix + "truststore").path()) .put("transport.ssl.enforce_hostname_verification", false); } diff --git a/src/test/java/org/opensearch/security/test/DynamicSecurityConfig.java b/src/test/java/org/opensearch/security/test/DynamicSecurityConfig.java index daeefff84f..cb312cc037 100644 --- a/src/test/java/org/opensearch/security/test/DynamicSecurityConfig.java +++ b/src/test/java/org/opensearch/security/test/DynamicSecurityConfig.java @@ -152,7 +152,7 @@ public List getDynamicConfig(String folder) { ); } - if (null != FileHelper.getAbsoluteFilePathFromClassPath(prefix + securityNodesDn)) { + if (FileHelper.classpathResourceExists(prefix + securityNodesDn)) { ret.add( new IndexRequest(securityIndexName).id(CType.NODESDN.toLCString()) .setRefreshPolicy(RefreshPolicy.IMMEDIATE) @@ -162,7 +162,7 @@ public List getDynamicConfig(String folder) { } final String allowlistYmlFile = prefix + securityAllowlist; - if (null != FileHelper.getAbsoluteFilePathFromClassPath(allowlistYmlFile)) { + if (FileHelper.classpathResourceExists(allowlistYmlFile)) { ret.add( new IndexRequest(securityIndexName).id(CType.ALLOWLIST.toLCString()) .setRefreshPolicy(RefreshPolicy.IMMEDIATE) 
@@ -171,7 +171,7 @@ public List getDynamicConfig(String folder) { } final String auditYmlFile = prefix + securityAudit; - if (null != FileHelper.getAbsoluteFilePathFromClassPath(auditYmlFile)) { + if (FileHelper.classpathResourceExists(auditYmlFile)) { ret.add( new IndexRequest(securityIndexName).id(CType.AUDIT.toLCString()) .setRefreshPolicy(RefreshPolicy.IMMEDIATE) diff --git a/src/test/java/org/opensearch/security/test/helper/file/FileHelper.java b/src/test/java/org/opensearch/security/test/helper/file/FileHelper.java index dbab0a4ad9..b19042dee4 100644 --- a/src/test/java/org/opensearch/security/test/helper/file/FileHelper.java +++ b/src/test/java/org/opensearch/security/test/helper/file/FileHelper.java @@ -36,16 +36,18 @@ import java.io.Reader; import java.io.StringReader; import java.io.StringWriter; -import java.io.UnsupportedEncodingException; import java.net.URL; import java.net.URLDecoder; import java.nio.charset.StandardCharsets; import java.nio.file.Path; import java.nio.file.Paths; import java.security.KeyStore; +import java.util.List; +import java.util.Map; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; +import org.bouncycastle.crypto.CryptoServicesRegistrar; import org.opensearch.common.io.Streams; import org.opensearch.common.xcontent.XContentFactory; 
@@ -61,39 +63,84 @@ public class FileHelper { protected final static Logger log = LogManager.getLogger(FileHelper.class); - public static KeyStore getKeystoreFromClassPath(final String fileNameFromClasspath, String password) throws Exception { - Path path = getAbsoluteFilePathFromClassPath(fileNameFromClasspath); - if (path == null) { - return null; - } + public static final Map> TYPE_TO_EXTENSION_MAP = Map.of( + "JKS", + List.of(".jks", ".ks"), + "PKCS12", + List.of(".p12", ".pkcs12", ".pfx"), + "BCFKS", // Bouncy Castle FIPS Keystore + List.of(".bcfks") + ); + + public static String inferStoreType(Path filePath) { + return inferStoreType(filePath.getFileName().toString()); + } + + /** + * Make a best guess about the "type" (see {@link KeyStore#getType()}) of the keystore file located at the given {@code Path}. + * This method only references the file name of the keystore, it does not look at its contents. + */ + public static String inferStoreType(String filePath) { + return TYPE_TO_EXTENSION_MAP.entrySet() + .stream() + .filter(entry -> entry.getValue().stream().anyMatch(filePath::endsWith)) + .map(Map.Entry::getKey) + .findFirst() + .orElseThrow(() -> new IllegalArgumentException("Unknown keystore type for file path: " + filePath)); + } + + public record TypedStore(Path path, String type) { + } - KeyStore ks = KeyStore.getInstance("JKS"); - try (FileInputStream fin = new FileInputStream(path.toFile())) { + public static KeyStore getKeystoreFromClassPath(final String baseName, String password) throws Exception { + TypedStore store = resolveStore(baseName); + KeyStore ks = KeyStore.getInstance(store.type()); + try (FileInputStream fin = new FileInputStream(store.path().toFile())) { ks.load(fin, password == null || password.isEmpty() ? null : password.toCharArray()); } return ks; } + /** + * Resolves a keystore/truststore classpath resource by base name (without extension), + * returning both the path and the inferred keystore type. + *

+ * The format is chosen based on the runtime environment: + *

    + *
  • FIPS approved-only mode ({@link CryptoServicesRegistrar#isInApprovedOnlyMode()}) → + * {@code .bcfks} / {@code "BCFKS"}
  • + *
  • Non-FIPS → {@code .jks} / {@code "JKS"} if a JKS variant exists on the classpath, + * otherwise {@code .p12} / {@code "PKCS12"}
  • + *
+ * + * @param baseName classpath-relative base name without extension, e.g. {@code "ssl/truststore"} + * @return a {@link TypedStore} holding the absolute path and the store type string + * @throws IllegalStateException if no matching file is found on the classpath + */ + public static TypedStore resolveStore(final String baseName) { + if (CryptoServicesRegistrar.isInApprovedOnlyMode()) { + return new TypedStore(getAbsoluteFilePathFromClassPath(baseName + ".bcfks"), "BCFKS"); + } + if (classpathResourceExists(baseName + ".jks")) { + return new TypedStore(getAbsoluteFilePathFromClassPath(baseName + ".jks"), "JKS"); + } + return new TypedStore(getAbsoluteFilePathFromClassPath(baseName + ".p12"), "PKCS12"); + } + + public static boolean classpathResourceExists(final String name) { + return FileHelper.class.getClassLoader().getResource(name) != null; + } + public static Path getAbsoluteFilePathFromClassPath(final String fileNameFromClasspath) { - File file = null; final URL fileUrl = FileHelper.class.getClassLoader().getResource(fileNameFromClasspath); if (fileUrl != null) { - try { - file = new File(URLDecoder.decode(fileUrl.getFile(), "UTF-8")); - } catch (final UnsupportedEncodingException e) { - return null; - } - + File file = new File(URLDecoder.decode(fileUrl.getFile(), StandardCharsets.UTF_8)); if (file.exists() && file.canRead()) { return Paths.get(file.getAbsolutePath()); - } else { - log.error("Cannot read from {}, maybe the file does not exists? ", file.getAbsolutePath()); } - - } else { - log.error("Failed to load {}", fileNameFromClasspath); + throw new IllegalStateException("Classpath resource exists but cannot be read: " + file.getAbsolutePath()); } - return null; + throw new IllegalStateException("Classpath resource not found: " + fileNameFromClasspath); } public static String loadFile(final String file) throws IOException { 
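Review bot: When neither variant exists in non-FIPS mode, `resolveStore` fails inside `getAbsoluteFilePathFromClassPath(baseName + ".p12")` with a message naming only the `.p12` candidate, hiding that `.jks` was tried first, and the FIPS branch never checks existence at all before resolving. Iterating over the candidate extensions and reporting all of them makes a missing fixture diagnosable, and it lets the new `inferStoreType` supply the type string instead of repeating the `"JKS"` / `"PKCS12"` / `"BCFKS"` literals that already live in `TYPE_TO_EXTENSION_MAP`. Two smaller points: `getAbsoluteFilePathFromClassPath` now throws where it used to log and return `null`, so any caller outside this diff that still null-checks the result will surface as an `IllegalStateException` rather than a skipped branch; and `inferStoreType` uses a case-sensitive `endsWith`, which is fine for fixtures but deserves a one-line comment such as `// extension match is case-sensitive; fixture names are lower-case`.
```java
public static TypedStore resolveStore(final String baseName) {
    // FIPS approved-only mode admits only BCFKS; otherwise prefer JKS and fall back to PKCS12
    List<String> candidates = CryptoServicesRegistrar.isInApprovedOnlyMode() ? List.of(".bcfks") : List.of(".jks", ".p12");
    for (String extension : candidates) {
        String resourceName = baseName + extension;
        if (classpathResourceExists(resourceName)) {
            return new TypedStore(getAbsoluteFilePathFromClassPath(resourceName), inferStoreType(resourceName));
        }
    }
    throw new IllegalStateException("No keystore found on classpath for base name '" + baseName + "', tried extensions " + candidates);
}
```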
diff --git a/src/test/java/org/opensearch/security/test/helper/rest/RestHelper.java b/src/test/java/org/opensearch/security/test/helper/rest/RestHelper.java index e80714c369..ca602e9c84 100644 --- a/src/test/java/org/opensearch/security/test/helper/rest/RestHelper.java +++ b/src/test/java/org/opensearch/security/test/helper/rest/RestHelper.java @@ -28,6 +28,7 @@ import java.io.FileInputStream; import java.io.IOException; +import java.nio.file.Path; import java.security.KeyStore; import java.util.ArrayList; import java.util.Arrays; @@ -100,7 +101,7 @@ public class RestHelper { public boolean sendAdminCertificate = false; public boolean trustHTTPServerCertificate = true; public boolean sendHTTPClientCredentials = false; - public String keystore = "node-0-keystore.jks"; + public String keystore = "node-0-keystore"; public final String prefix; // public String truststore = "truststore.jks"; private ClusterInfo clusterInfo; 
@@ -332,13 +333,17 @@ protected final CloseableHttpAsyncClient getHTTPClient() throws Exception { keystore = prefix + "/" + keystore; } - final String keyStorePath = FileHelper.getAbsoluteFilePathFromClassPath(keystore).toFile().getParent(); + var resolvedKeyStore = FileHelper.resolveStore(keystore); - final KeyStore myTrustStore = KeyStore.getInstance("JKS"); - myTrustStore.load(new FileInputStream(keyStorePath + "/truststore.jks"), "changeit".toCharArray()); + Path ksParent = Path.of(keystore).getParent(); + String keystoreDir = ksParent != null ? ksParent + "/" : ""; + var resolvedTrustStore = FileHelper.resolveStore(keystoreDir + "truststore"); - final KeyStore keyStore = KeyStore.getInstance("JKS"); - keyStore.load(new FileInputStream(FileHelper.getAbsoluteFilePathFromClassPath(keystore).toFile()), "changeit".toCharArray()); + final KeyStore myTrustStore = KeyStore.getInstance(resolvedTrustStore.type()); + myTrustStore.load(new FileInputStream(resolvedTrustStore.path().toFile()), "changeit".toCharArray()); + + final KeyStore keyStore = KeyStore.getInstance(resolvedKeyStore.type()); + keyStore.load(new FileInputStream(resolvedKeyStore.path().toFile()), "changeit".toCharArray()); final SSLContextBuilder sslContextbBuilder = SSLContexts.custom(); diff --git a/src/test/java/org/opensearch/security/util/SettingsBasedSSLConfiguratorV4Test.java b/src/test/java/org/opensearch/security/util/SettingsBasedSSLConfiguratorV4Test.java index 5bcdea2231..3183828e77 100644 --- a/src/test/java/org/opensearch/security/util/SettingsBasedSSLConfiguratorV4Test.java +++ b/src/test/java/org/opensearch/security/util/SettingsBasedSSLConfiguratorV4Test.java 
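Review bot: `Path.of(keystore).getParent()` renders with the platform separator, so on Windows `keystoreDir` becomes `ssl\reload/` and `FileHelper.resolveStore(keystoreDir + "truststore")` asks the class loader for a resource name containing a backslash, which `getResource` will not find; the replaced code derived the directory from a filesystem path, which was separator-safe. `keystore` is assembled with `/` (see `keystore = prefix + "/" + keystore` just above), so deriving the directory with plain string handling is both simpler and portable, and it makes the `java.nio.file.Path` import added in the earlier hunk unnecessary. The two rewritten `load(...)` calls also open a `FileInputStream` that is never closed, one per client built; try-with-resources is cheap while these lines are being touched. getHTTPClient continues beyond the hunk.
```java
var resolvedKeyStore = FileHelper.resolveStore(keystore);

// classpath resource names always use '/', independent of the host OS separator
int lastSlash = keystore.lastIndexOf('/');
String keystoreDir = lastSlash >= 0 ? keystore.substring(0, lastSlash + 1) : "";
var resolvedTrustStore = FileHelper.resolveStore(keystoreDir + "truststore");

final KeyStore myTrustStore = KeyStore.getInstance(resolvedTrustStore.type());
try (FileInputStream in = new FileInputStream(resolvedTrustStore.path().toFile())) {
    myTrustStore.load(in, "changeit".toCharArray());
}

final KeyStore keyStore = KeyStore.getInstance(resolvedKeyStore.type());
try (FileInputStream in = new FileInputStream(resolvedKeyStore.path().toFile())) {
    keyStore.load(in, "changeit".toCharArray());
}
// … unchanged: SSLContextBuilder setup …
```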
@@ -82,12 +82,7 @@ public class SettingsBasedSSLConfiguratorV4Test { public void testPemTrust() throws Exception { try ( - TestServer testServer = new TestServer( - "sslConfigurator/pem/truststore.jks", - "sslConfigurator/pem/node1-keystore.jks", - "secret", - false - ) + TestServer testServer = new TestServer("sslConfigurator/pem/truststore", "sslConfigurator/pem/node1-keystore", "secret", false) ) { Path rootCaPemPath = FileHelper.getAbsoluteFilePathFromClassPath("sslConfigurator/pem/root-ca.pem"); @@ -120,12 +115,7 @@ public void testPemTrust() throws Exception { public void testPemWrongTrust() throws Exception { try ( - TestServer testServer = new TestServer( - "sslConfigurator/pem/truststore.jks", - "sslConfigurator/pem/node1-keystore.jks", - "secret", - false - ) + TestServer testServer = new TestServer("sslConfigurator/pem/truststore", "sslConfigurator/pem/node1-keystore", "secret", false) ) { Path rootCaPemPath = FileHelper.getAbsoluteFilePathFromClassPath("sslConfigurator/pem/other-root-ca.pem"); @@ -158,12 +148,7 @@ public void testPemWrongTrust() throws Exception { public void testPemClientAuth() throws Exception { try ( - TestServer testServer = new TestServer( - "sslConfigurator/pem/truststore.jks", - "sslConfigurator/pem/node1-keystore.jks", - "secret", - true - ) + TestServer testServer = new TestServer("sslConfigurator/pem/truststore", "sslConfigurator/pem/node1-keystore", "secret", true) ) { Path rootCaPemPath = FileHelper.getAbsoluteFilePathFromClassPath("sslConfigurator/pem/root-ca.pem"); 
@@ -198,12 +183,7 @@ public void testPemClientAuth() throws Exception {
 public void testPemClientAuthFailure() throws Exception {
 try (
- TestServer testServer = new TestServer(
- "sslConfigurator/pem/truststore.jks",
- "sslConfigurator/pem/node1-keystore.jks",
- "secret",
- true
- )
+ TestServer testServer = new TestServer("sslConfigurator/pem/truststore", "sslConfigurator/pem/node1-keystore", "secret", true)
 ) {
 Path rootCaPemPath = FileHelper.getAbsoluteFilePathFromClassPath("sslConfigurator/pem/root-ca.pem");
@@ -248,8 +228,8 @@ public void testPemHostnameVerificationFailure() throws Exception {
 try (
 TestServer testServer = new TestServer(
- "sslConfigurator/pem/truststore.jks",
- "sslConfigurator/pem/node-wrong-hostname-keystore.jks",
+ "sslConfigurator/pem/truststore",
+ "sslConfigurator/pem/node-wrong-hostname-keystore",
 "secret",
 false
 )
@@ -286,8 +266,8 @@ public void testPemHostnameVerificationOff() throws Exception {
 try (
 TestServer testServer = new TestServer(
- "sslConfigurator/pem/truststore.jks",
- "sslConfigurator/pem/node-wrong-hostname-keystore.jks",
+ "sslConfigurator/pem/truststore",
+ "sslConfigurator/pem/node-wrong-hostname-keystore",
 "secret",
 false
 )
@@ -321,14 +301,9 @@ public void testPemHostnameVerificationOff() throws Exception {
 public void testJksTrust() throws Exception {
 try (
- TestServer testServer = new TestServer(
- "sslConfigurator/jks/truststore.jks",
- "sslConfigurator/jks/node1-keystore.jks",
- "secret",
- false
- )
+ TestServer testServer = new TestServer("sslConfigurator/jks/truststore", "sslConfigurator/jks/node1-keystore", "secret", false)
 ) {
- Path rootCaJksPath = FileHelper.getAbsoluteFilePathFromClassPath("sslConfigurator/jks/truststore.jks");
+ Path rootCaJksPath = FileHelper.resolveStore("sslConfigurator/jks/truststore").path();
 MockSecureSettings mockSecureSettings = new MockSecureSettings();
 mockSecureSettings.setString(SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD.propertyName, "secret");
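Review bot: The store type that `resolveStore` selected is discarded at `Path rootCaJksPath = FileHelper.resolveStore("sslConfigurator/jks/truststore").path();`, so the settings built from `rootCaJksPath` further down (outside the hunk) must name the matching truststore type themselves; if they still rely on the loader's default, testJksTrust passes or fails depending on whether the helper picks the old `truststore.jks` or the `truststore.bcfks` this commit adds, and the test no longer pins which format it actually exercised. Keep the resolved pair instead, `var rootCaJks = FileHelper.resolveStore("sslConfigurator/jks/truststore");`, and feed `rootCaJks.type()` into the truststore-type setting next to `rootCaJks.path()`, or at least assert the resolved type in the test. The same applies to testJksWrongTrust and testTrustAll in the following hunks. testJksTrust's body continues outside the hunk.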
@@ -360,14 +335,9 @@ public void testJksTrust() throws Exception {
 public void testJksWrongTrust() throws Exception {
 try (
- TestServer testServer = new TestServer(
- "sslConfigurator/jks/truststore.jks",
- "sslConfigurator/jks/node1-keystore.jks",
- "secret",
- false
- )
+ TestServer testServer = new TestServer("sslConfigurator/jks/truststore", "sslConfigurator/jks/node1-keystore", "secret", false)
 ) {
- Path rootCaJksPath = FileHelper.getAbsoluteFilePathFromClassPath("sslConfigurator/jks/other-root-ca.jks");
+ Path rootCaJksPath = FileHelper.resolveStore("sslConfigurator/jks/other-root-ca").path();
 MockSecureSettings mockSecureSettings = new MockSecureSettings();
 mockSecureSettings.setString(SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD.propertyName, "secret");
@@ -399,14 +369,9 @@ public void testJksWrongTrust() throws Exception {
 @Test
 public void testTrustAll() throws Exception {
 try (
- TestServer testServer = new TestServer(
- "sslConfigurator/jks/truststore.jks",
- "sslConfigurator/jks/node1-keystore.jks",
- "secret",
- false
- )
+ TestServer testServer = new TestServer("sslConfigurator/jks/truststore", "sslConfigurator/jks/node1-keystore", "secret", false)
 ) {
- Path rootCaJksPath = FileHelper.getAbsoluteFilePathFromClassPath("sslConfigurator/jks/other-root-ca.jks");
+ Path rootCaJksPath = FileHelper.resolveStore("sslConfigurator/jks/other-root-ca").path();
 Settings settings = Settings.builder()
 .put("prefix.enable_ssl", "true")
@@ -503,21 +468,17 @@ private SSLContext createSSLContext(String trustStorePath, String keyStorePath,
 try {
 TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
- KeyStore trustStore = KeyStore.getInstance("JKS");
- InputStream trustStream = new FileInputStream(FileHelper.getAbsoluteFilePathFromClassPath(trustStorePath).toFile());
+ var typedTrustStore = FileHelper.resolveStore(trustStorePath);
+ KeyStore trustStore = KeyStore.getInstance(typedTrustStore.type());
+ InputStream trustStream = new FileInputStream(typedTrustStore.path().toFile());
 trustStore.load(trustStream, password.toCharArray());
 tmf.init(trustStore);
 KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
- KeyStore keyStore = KeyStore.getInstance("JKS");
-
- Path path = FileHelper.getAbsoluteFilePathFromClassPath(keyStorePath);
-
- if (path == null) {
- throw new RuntimeException("Could not find " + keyStorePath);
- }
+ var typedKeyStore = FileHelper.resolveStore(keyStorePath);
+ KeyStore keyStore = KeyStore.getInstance(typedKeyStore.type());
- InputStream keyStream = new FileInputStream(path.toFile());
+ InputStream keyStream = new FileInputStream(typedKeyStore.path().toFile());
 keyStore.load(keyStream, password.toCharArray());
 kmf.init(keyStore, password.toCharArray());
diff --git a/src/test/resources/auditlog/kirk-keystore.bcfks b/src/test/resources/auditlog/kirk-keystore.bcfks
new file mode 100644
index 0000000000..6b7d09f2a9
Binary files /dev/null and b/src/test/resources/auditlog/kirk-keystore.bcfks differ
diff --git a/src/test/resources/auditlog/node-0-keystore.bcfks b/src/test/resources/auditlog/node-0-keystore.bcfks
new file mode 100644
index 0000000000..7d8a49ba99
Binary files /dev/null and b/src/test/resources/auditlog/node-0-keystore.bcfks differ
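Review bot: The explicit `if (path == null) throw new RuntimeException("Could not find " + keyStorePath)` guard is removed, and the new lines dereference `typedKeyStore.path()` and `typedTrustStore.path()` immediately; unless `FileHelper.resolveStore` is guaranteed to throw an exception that names the missing store (its contract is not visible here), a misnamed test resource now surfaces as a bare NullPointerException from `.path()` or an unhelpful load failure instead of the descriptive message the old code produced. If the helper can return null, restore the check as `Objects.requireNonNull(typedKeyStore, () -> "Could not find " + keyStorePath);` and the same for `typedTrustStore` (or keep the plain if/throw if `Objects` is not imported). Separately, `trustStream` and `keyStream` are never closed on either side of this hunk, so each context the tests build leaks two file handles; a try-with-resources around each `load(...)` call would close that. createSSLContext continues outside the hunk.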
diff --git a/src/test/resources/auditlog/spock-keystore.bcfks b/src/test/resources/auditlog/spock-keystore.bcfks
new file mode 100644
index 0000000000..f4d90bfac6
Binary files /dev/null and b/src/test/resources/auditlog/spock-keystore.bcfks differ
diff --git a/src/test/resources/auditlog/truststore.bcfks b/src/test/resources/auditlog/truststore.bcfks
new file mode 100644
index 0000000000..2332ecf110
Binary files /dev/null and b/src/test/resources/auditlog/truststore.bcfks differ
diff --git a/src/test/resources/auditlog/truststore_fail.bcfks b/src/test/resources/auditlog/truststore_fail.bcfks
new file mode 100644
index 0000000000..4bb047e524
Binary files /dev/null and b/src/test/resources/auditlog/truststore_fail.bcfks differ
diff --git a/src/test/resources/cache/kirk-keystore.bcfks b/src/test/resources/cache/kirk-keystore.bcfks
new file mode 100644
index 0000000000..dabc26fba6
Binary files /dev/null and b/src/test/resources/cache/kirk-keystore.bcfks differ
diff --git a/src/test/resources/cache/node-0-keystore.bcfks b/src/test/resources/cache/node-0-keystore.bcfks
new file mode 100644
index 0000000000..870797fae0
Binary files /dev/null and b/src/test/resources/cache/node-0-keystore.bcfks differ
diff --git a/src/test/resources/cache/spock-keystore.bcfks b/src/test/resources/cache/spock-keystore.bcfks
new file mode 100644
index 0000000000..3d008775b7
Binary files /dev/null and b/src/test/resources/cache/spock-keystore.bcfks differ
diff --git a/src/test/resources/cache/truststore.bcfks b/src/test/resources/cache/truststore.bcfks
new file mode 100644
index 0000000000..b0f27baad8
Binary files /dev/null and b/src/test/resources/cache/truststore.bcfks differ
diff --git a/src/test/resources/dlsfls/kirk-keystore.bcfks b/src/test/resources/dlsfls/kirk-keystore.bcfks
new file mode 100644
index 0000000000..5ae55e627f
Binary files /dev/null and b/src/test/resources/dlsfls/kirk-keystore.bcfks differ
diff --git a/src/test/resources/dlsfls/node-0-keystore.bcfks b/src/test/resources/dlsfls/node-0-keystore.bcfks
new file mode 100644
index 0000000000..8d5293c699
Binary files /dev/null and b/src/test/resources/dlsfls/node-0-keystore.bcfks differ
diff --git a/src/test/resources/dlsfls/spock-keystore.bcfks b/src/test/resources/dlsfls/spock-keystore.bcfks
new file mode 100644
index 0000000000..21ff98d093
Binary files /dev/null and b/src/test/resources/dlsfls/spock-keystore.bcfks differ
diff --git a/src/test/resources/dlsfls/truststore.bcfks b/src/test/resources/dlsfls/truststore.bcfks
new file mode 100644
index 0000000000..def4892785
Binary files /dev/null and b/src/test/resources/dlsfls/truststore.bcfks differ
diff --git a/src/test/resources/jwt/kirk-keystore.bcfks b/src/test/resources/jwt/kirk-keystore.bcfks
new file mode 100644
index 0000000000..e81b619649
Binary files /dev/null and b/src/test/resources/jwt/kirk-keystore.bcfks differ
diff --git a/src/test/resources/jwt/node-0-keystore.bcfks b/src/test/resources/jwt/node-0-keystore.bcfks
new file mode 100644
index 0000000000..bfcb36e9d1
Binary files /dev/null and b/src/test/resources/jwt/node-0-keystore.bcfks differ
diff --git a/src/test/resources/jwt/spock-keystore.bcfks b/src/test/resources/jwt/spock-keystore.bcfks
new file mode 100644
index 0000000000..c079b5831c
Binary files /dev/null and b/src/test/resources/jwt/spock-keystore.bcfks differ
diff --git a/src/test/resources/jwt/truststore.bcfks b/src/test/resources/jwt/truststore.bcfks
new file mode 100644
index 0000000000..d0d53159e3
Binary files /dev/null and b/src/test/resources/jwt/truststore.bcfks differ
diff --git a/src/test/resources/kirk-keystore.bcfks b/src/test/resources/kirk-keystore.bcfks
new file mode 100644
index 0000000000..3fd7ffff5e
Binary files /dev/null and b/src/test/resources/kirk-keystore.bcfks differ
diff --git a/src/test/resources/ldap/kirk-keystore.bcfks b/src/test/resources/ldap/kirk-keystore.bcfks
new file mode 100644
index 0000000000..5743c54749
Binary files /dev/null and b/src/test/resources/ldap/kirk-keystore.bcfks differ
diff --git a/src/test/resources/ldap/node-0-keystore.bcfks b/src/test/resources/ldap/node-0-keystore.bcfks
new file mode 100644
index 0000000000..53aa5fbe32
Binary files /dev/null and b/src/test/resources/ldap/node-0-keystore.bcfks differ
diff --git a/src/test/resources/ldap/spock-keystore.bcfks b/src/test/resources/ldap/spock-keystore.bcfks
new file mode 100644
index 0000000000..ea253e3d28
Binary files /dev/null and b/src/test/resources/ldap/spock-keystore.bcfks differ
diff --git a/src/test/resources/ldap/truststore.bcfks b/src/test/resources/ldap/truststore.bcfks
new file mode 100644
index 0000000000..333d5f0af8
Binary files /dev/null and b/src/test/resources/ldap/truststore.bcfks differ
diff --git a/src/test/resources/migration/kirk-keystore.bcfks b/src/test/resources/migration/kirk-keystore.bcfks
new file mode 100644
index 0000000000..2096cf8ae5
Binary files /dev/null and b/src/test/resources/migration/kirk-keystore.bcfks differ
diff --git a/src/test/resources/migration/node-0-keystore.bcfks b/src/test/resources/migration/node-0-keystore.bcfks
new file mode 100644
index 0000000000..9c3f0d78cf
Binary files /dev/null and b/src/test/resources/migration/node-0-keystore.bcfks differ
diff --git a/src/test/resources/migration/spock-keystore.bcfks b/src/test/resources/migration/spock-keystore.bcfks
new file mode 100644
index 0000000000..73b7967c13
Binary files /dev/null and b/src/test/resources/migration/spock-keystore.bcfks differ
diff --git a/src/test/resources/migration/truststore.bcfks b/src/test/resources/migration/truststore.bcfks
new file mode 100644
index 0000000000..35b43fb3ba
Binary files /dev/null and b/src/test/resources/migration/truststore.bcfks differ
diff --git a/src/test/resources/multitenancy/kirk-keystore.bcfks b/src/test/resources/multitenancy/kirk-keystore.bcfks
new file mode 100644
index 0000000000..ef6bc30343
Binary files /dev/null and b/src/test/resources/multitenancy/kirk-keystore.bcfks differ
diff --git a/src/test/resources/multitenancy/node-0-keystore.bcfks b/src/test/resources/multitenancy/node-0-keystore.bcfks
new file mode 100644
index 0000000000..867c665d4a
Binary files /dev/null and b/src/test/resources/multitenancy/node-0-keystore.bcfks differ
diff --git a/src/test/resources/multitenancy/spock-keystore.bcfks b/src/test/resources/multitenancy/spock-keystore.bcfks
new file mode 100644
index 0000000000..4764b932ad
Binary files /dev/null and b/src/test/resources/multitenancy/spock-keystore.bcfks differ
diff --git a/src/test/resources/multitenancy/truststore.bcfks b/src/test/resources/multitenancy/truststore.bcfks
new file mode 100644
index 0000000000..405cf8919e
Binary files /dev/null and b/src/test/resources/multitenancy/truststore.bcfks differ
diff --git a/src/test/resources/node-0-keystore.bcfks b/src/test/resources/node-0-keystore.bcfks
new file mode 100644
index 0000000000..aa58820f66
Binary files /dev/null and b/src/test/resources/node-0-keystore.bcfks differ
diff --git a/src/test/resources/node-1-keystore.bcfks b/src/test/resources/node-1-keystore.bcfks
new file mode 100644
index 0000000000..0bf0803444
Binary files /dev/null and b/src/test/resources/node-1-keystore.bcfks differ
diff --git a/src/test/resources/node-2-keystore.bcfks b/src/test/resources/node-2-keystore.bcfks
new file mode 100644
index 0000000000..33ffb441ab
Binary files /dev/null and b/src/test/resources/node-2-keystore.bcfks differ
diff --git a/src/test/resources/node-untspec5-keystore.bcfks b/src/test/resources/node-untspec5-keystore.bcfks
new file mode 100644
index 0000000000..73b9acf69c
Binary files /dev/null and b/src/test/resources/node-untspec5-keystore.bcfks differ
diff --git a/src/test/resources/node-untspec6-keystore.bcfks b/src/test/resources/node-untspec6-keystore.bcfks
new file mode 100644
index 0000000000..1f3d8c751a
Binary files /dev/null and b/src/test/resources/node-untspec6-keystore.bcfks differ
diff --git a/src/test/resources/restapi/kirk-keystore.bcfks b/src/test/resources/restapi/kirk-keystore.bcfks
new file mode 100644
index 0000000000..a30bb0b11d
Binary files /dev/null and b/src/test/resources/restapi/kirk-keystore.bcfks differ
diff --git a/src/test/resources/restapi/node-0-keystore.bcfks b/src/test/resources/restapi/node-0-keystore.bcfks
new file mode 100644
index 0000000000..e3dd20f10f
Binary files /dev/null and b/src/test/resources/restapi/node-0-keystore.bcfks differ
diff --git a/src/test/resources/restapi/spock-keystore.bcfks b/src/test/resources/restapi/spock-keystore.bcfks
new file mode 100644
index 0000000000..e89866e547
Binary files /dev/null and b/src/test/resources/restapi/spock-keystore.bcfks differ
diff --git a/src/test/resources/restapi/truststore.bcfks b/src/test/resources/restapi/truststore.bcfks
new file mode 100644
index 0000000000..6a2b083e67
Binary files /dev/null and b/src/test/resources/restapi/truststore.bcfks differ
diff --git a/src/test/resources/sanity-tests/kirk-keystore.bcfks b/src/test/resources/sanity-tests/kirk-keystore.bcfks
new file mode 100644
index 0000000000..f8c59af6ae
Binary files /dev/null and b/src/test/resources/sanity-tests/kirk-keystore.bcfks differ
diff --git a/src/test/resources/spock-keystore.bcfks b/src/test/resources/spock-keystore.bcfks
new file mode 100644
index 0000000000..5bcec11ca3
Binary files /dev/null and b/src/test/resources/spock-keystore.bcfks differ
diff --git a/src/test/resources/ssl/extended_key_usage/node-0-keystore.bcfks b/src/test/resources/ssl/extended_key_usage/node-0-keystore.bcfks
new file mode 100644
index 0000000000..a96880444c
Binary files /dev/null and b/src/test/resources/ssl/extended_key_usage/node-0-keystore.bcfks differ
diff --git a/src/test/resources/ssl/extended_key_usage/truststore.bcfks b/src/test/resources/ssl/extended_key_usage/truststore.bcfks
new file mode 100644
index 0000000000..72d0e1f669
Binary files /dev/null and b/src/test/resources/ssl/extended_key_usage/truststore.bcfks differ
diff --git a/src/test/resources/ssl/kirk-keystore.bcfks b/src/test/resources/ssl/kirk-keystore.bcfks
new file mode 100644
index 0000000000..f459cf68c5
Binary files /dev/null and b/src/test/resources/ssl/kirk-keystore.bcfks differ
diff --git a/src/test/resources/ssl/node-0-keystore.bcfks b/src/test/resources/ssl/node-0-keystore.bcfks
new file mode 100644
index 0000000000..2b361bf98e
Binary files /dev/null and b/src/test/resources/ssl/node-0-keystore.bcfks differ
diff --git a/src/test/resources/ssl/node-1-keystore.bcfks b/src/test/resources/ssl/node-1-keystore.bcfks
new file mode 100644
index 0000000000..ab0a2198ff
Binary files /dev/null and b/src/test/resources/ssl/node-1-keystore.bcfks differ
diff --git a/src/test/resources/ssl/node-2-keystore.bcfks b/src/test/resources/ssl/node-2-keystore.bcfks
new file mode 100644
index 0000000000..32eb8aa5ea
Binary files /dev/null and b/src/test/resources/ssl/node-2-keystore.bcfks differ
diff --git a/src/test/resources/ssl/node-untspec5-keystore.bcfks b/src/test/resources/ssl/node-untspec5-keystore.bcfks
new file mode 100644
index 0000000000..447d1855d3
Binary files /dev/null and b/src/test/resources/ssl/node-untspec5-keystore.bcfks differ
diff --git a/src/test/resources/ssl/reload/kirk-keystore.bcfks b/src/test/resources/ssl/reload/kirk-keystore.bcfks
new file mode 100644
index 0000000000..3c5123635e
Binary files /dev/null and b/src/test/resources/ssl/reload/kirk-keystore.bcfks differ
diff --git a/src/test/resources/ssl/reload/spock-keystore.bcfks b/src/test/resources/ssl/reload/spock-keystore.bcfks
new file mode 100644
index 0000000000..08d92f99b7
Binary files /dev/null and b/src/test/resources/ssl/reload/spock-keystore.bcfks differ
diff --git a/src/test/resources/ssl/reload/truststore.bcfks b/src/test/resources/ssl/reload/truststore.bcfks
new file mode 100644
index 0000000000..6a2178fcde
Binary files /dev/null and b/src/test/resources/ssl/reload/truststore.bcfks differ
diff --git a/src/test/resources/ssl/spock-keystore.bcfks b/src/test/resources/ssl/spock-keystore.bcfks
new file mode 100644
index 0000000000..45dd797e84
Binary files /dev/null and b/src/test/resources/ssl/spock-keystore.bcfks differ
diff --git a/src/test/resources/ssl/truststore.bcfks b/src/test/resources/ssl/truststore.bcfks
new file mode 100644
index 0000000000..efe5c09dff
Binary files /dev/null and b/src/test/resources/ssl/truststore.bcfks differ
diff --git a/src/test/resources/ssl/truststore_fail.bcfks b/src/test/resources/ssl/truststore_fail.bcfks
new file mode 100644
index 0000000000..3ed45d5d38
Binary files /dev/null and b/src/test/resources/ssl/truststore_fail.bcfks differ
diff --git a/src/test/resources/ssl/truststore_invalid.bcfks b/src/test/resources/ssl/truststore_invalid.bcfks
new file mode 100644
index 0000000000..5207ef57ba
Binary files /dev/null and b/src/test/resources/ssl/truststore_invalid.bcfks differ
diff --git a/src/test/resources/ssl/truststore_valid.bcfks b/src/test/resources/ssl/truststore_valid.bcfks
new file mode 100644
index 0000000000..944a945b1a
Binary files /dev/null and b/src/test/resources/ssl/truststore_valid.bcfks differ
diff --git a/src/test/resources/sslConfigurator/jks/node1-keystore.bcfks b/src/test/resources/sslConfigurator/jks/node1-keystore.bcfks
new file mode 100644
index 0000000000..06ff9a87a6
Binary files /dev/null and b/src/test/resources/sslConfigurator/jks/node1-keystore.bcfks differ
diff --git a/src/test/resources/sslConfigurator/jks/other-root-ca.bcfks b/src/test/resources/sslConfigurator/jks/other-root-ca.bcfks
new file mode 100644
index 0000000000..046ba0b831
Binary files /dev/null and b/src/test/resources/sslConfigurator/jks/other-root-ca.bcfks differ
diff --git a/src/test/resources/sslConfigurator/jks/truststore.bcfks b/src/test/resources/sslConfigurator/jks/truststore.bcfks
new file mode 100644
index 0000000000..5b7b747072
Binary files /dev/null and b/src/test/resources/sslConfigurator/jks/truststore.bcfks differ
diff --git a/src/test/resources/sslConfigurator/pem/node-wrong-hostname-keystore.bcfks b/src/test/resources/sslConfigurator/pem/node-wrong-hostname-keystore.bcfks
new file mode 100644
index 0000000000..63490856ef
Binary files /dev/null and b/src/test/resources/sslConfigurator/pem/node-wrong-hostname-keystore.bcfks differ
diff --git a/src/test/resources/sslConfigurator/pem/node1-keystore.bcfks b/src/test/resources/sslConfigurator/pem/node1-keystore.bcfks
new file mode 100644
index 0000000000..ec6ee25662
Binary files /dev/null and b/src/test/resources/sslConfigurator/pem/node1-keystore.bcfks differ
diff --git a/src/test/resources/sslConfigurator/pem/truststore.bcfks b/src/test/resources/sslConfigurator/pem/truststore.bcfks
new file mode 100644
index 0000000000..8770631ebe
Binary files /dev/null and b/src/test/resources/sslConfigurator/pem/truststore.bcfks differ
diff --git a/src/test/resources/truststore.bcfks b/src/test/resources/truststore.bcfks
new file mode 100644
index 0000000000..7fe70f4f04
Binary files /dev/null and b/src/test/resources/truststore.bcfks differ
diff --git a/src/test/resources/truststore_fail.bcfks b/src/test/resources/truststore_fail.bcfks
new file mode 100644
index 0000000000..be4443b19b
Binary files /dev/null and b/src/test/resources/truststore_fail.bcfks differ