diff --git a/test/framework/src/main/java/org/elasticsearch/test/rest/ESRestTestCase.java b/test/framework/src/main/java/org/elasticsearch/test/rest/ESRestTestCase.java index 74f4eb50d4c38..a2ffcb68c05f9 100644 --- a/test/framework/src/main/java/org/elasticsearch/test/rest/ESRestTestCase.java +++ b/test/framework/src/main/java/org/elasticsearch/test/rest/ESRestTestCase.java @@ -16,6 +16,7 @@ import org.apache.http.client.methods.HttpPut; import org.apache.http.message.BasicHeader; import org.apache.http.nio.conn.ssl.SSLIOSessionStrategy; +import org.apache.http.ssl.SSLContextBuilder; import org.apache.http.ssl.SSLContexts; import org.apache.http.util.EntityUtils; import org.apache.logging.log4j.message.ParameterizedMessage; @@ -68,10 +69,12 @@ import java.nio.charset.StandardCharsets; import java.nio.file.Files; import java.nio.file.Path; +import java.security.GeneralSecurityException; import java.security.KeyManagementException; import java.security.KeyStore; import java.security.KeyStoreException; import java.security.NoSuchAlgorithmException; +import java.security.PrivateKey; import java.security.cert.Certificate; import java.security.cert.CertificateException; import java.util.ArrayList; @@ -81,6 +84,7 @@ import java.util.HashSet; import java.util.List; import java.util.Map; +import java.util.Objects; import java.util.Set; import java.util.TreeSet; import java.util.concurrent.TimeUnit; @@ -106,7 +110,13 @@ public abstract class ESRestTestCase extends ESTestCase { public static final String TRUSTSTORE_PATH = "truststore.path"; public static final String TRUSTSTORE_PASSWORD = "truststore.password"; + public static final String CERTIFICATE_AUTHORITIES = "certificate_authorities"; + + public static final String CLIENT_CERT_PATH = "client.cert.path"; + public static final String CLIENT_KEY_PATH = "client.key.path"; + public static final String CLIENT_KEY_PASSWORD = "client.key.password"; + public static final String CLIENT_SOCKET_TIMEOUT = "client.socket.timeout"; public static final String CLIENT_PATH_PREFIX = "client.path.prefix"; @@ -1013,29 +1023,30 @@ protected RestClient buildClient(Settings settings, HttpHost[] hosts) throws IOE } protected static void configureClient(RestClientBuilder builder, Settings settings) throws IOException { + String truststorePath = settings.get(TRUSTSTORE_PATH); String certificateAuthorities = settings.get(CERTIFICATE_AUTHORITIES); - String keystorePath = settings.get(TRUSTSTORE_PATH); + String clientCertificatePath = settings.get(CLIENT_CERT_PATH); - if (certificateAuthorities != null && keystorePath != null) { + if (certificateAuthorities != null && truststorePath != null) { throw new IllegalStateException("Cannot set both " + CERTIFICATE_AUTHORITIES + " and " + TRUSTSTORE_PATH + ". Please configure one of these."); } - if (keystorePath != null) { + if (truststorePath != null) { if (inFipsJvm()) { - throw new IllegalStateException("Keystore " + keystorePath + "cannot be used in FIPS 140 mode. Please configure " + throw new IllegalStateException("Keystore " + truststorePath + "cannot be used in FIPS 140 mode. Please configure " + CERTIFICATE_AUTHORITIES + " with a PEM encoded trusted CA/certificate instead"); } final String keystorePass = settings.get(TRUSTSTORE_PASSWORD); if (keystorePass == null) { throw new IllegalStateException(TRUSTSTORE_PATH + " is provided but not " + TRUSTSTORE_PASSWORD); } - Path path = PathUtils.get(keystorePath); - if (!Files.exists(path)) { + Path path = PathUtils.get(truststorePath); + if (Files.exists(path) == false) { throw new IllegalStateException(TRUSTSTORE_PATH + " is set but points to a non-existing file"); } try { - final String keyStoreType = keystorePath.endsWith(".p12") ? "PKCS12" : "jks"; + final String keyStoreType = truststorePath.endsWith(".p12") ? "PKCS12" : "jks"; KeyStore keyStore = KeyStore.getInstance(keyStoreType); try (InputStream is = Files.newInputStream(path)) { keyStore.load(is, keystorePass.toCharArray()); @@ -1048,21 +1059,35 @@ protected static void configureClient(RestClientBuilder builder, Settings settin } } if (certificateAuthorities != null) { - Path path = PathUtils.get(certificateAuthorities); - if (!Files.exists(path)) { + Path caPath = PathUtils.get(certificateAuthorities); + if (Files.exists(caPath) == false) { throw new IllegalStateException(CERTIFICATE_AUTHORITIES + " is set but points to a non-existing file"); } try { KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType()); keyStore.load(null, null); - Certificate cert = PemUtils.readCertificates(Collections.singletonList(path)).get(0); - keyStore.setCertificateEntry(cert.toString(), cert); - SSLContext sslcontext = SSLContexts.custom().loadTrustMaterial(keyStore, null).build(); + Certificate caCert = PemUtils.readCertificates(Collections.singletonList(caPath)).get(0); + keyStore.setCertificateEntry(caCert.toString(), caCert); + final SSLContextBuilder sslContextBuilder = SSLContexts.custom(); + if (clientCertificatePath != null) { + final Path certPath = PathUtils.get(clientCertificatePath); + final Path keyPath = PathUtils.get(Objects.requireNonNull(settings.get(CLIENT_KEY_PATH), "No key provided")); + final String password = settings.get(CLIENT_KEY_PASSWORD); + final char[] passwordChars = password == null ? null : password.toCharArray(); + final PrivateKey key = PemUtils.readPrivateKey(keyPath, () -> passwordChars); + final Certificate[] clientCertChain + = PemUtils.readCertificates(Collections.singletonList(certPath)).toArray(new Certificate[1]); + keyStore.setKeyEntry("client", key, passwordChars, clientCertChain); + sslContextBuilder.loadKeyMaterial(keyStore, passwordChars); + } + SSLContext sslcontext = sslContextBuilder.loadTrustMaterial(keyStore, null).build(); SSLIOSessionStrategy sessionStrategy = new SSLIOSessionStrategy(sslcontext); builder.setHttpClientConfigCallback(httpClientBuilder -> httpClientBuilder.setSSLStrategy(sessionStrategy)); - } catch (KeyStoreException | NoSuchAlgorithmException | KeyManagementException | CertificateException e) { + } catch (GeneralSecurityException e) { throw new RuntimeException("Error setting up ssl", e); } + } else if (clientCertificatePath != null) { + throw new IllegalStateException("Client certificates are currently only supported when using a custom CA"); } Map headers = ThreadContext.buildDefaultHeaders(settings); Header[] defaultHeaders = new Header[headers.size()]; diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/CertParsingUtils.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/CertParsingUtils.java index 93244dd70e5b8..3aaa4ac143f5c 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/CertParsingUtils.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/CertParsingUtils.java @@ -258,7 +258,7 @@ public static X509ExtendedTrustManager trustManager(Certificate[] certificates) return trustManager(store, TrustManagerFactory.getDefaultAlgorithm()); } - static KeyStore trustStore(Certificate[] certificates) + public static KeyStore trustStore(Certificate[] certificates) throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException { assert certificates != null : "Cannot create trust store with null certificates"; KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType()); diff --git a/x-pack/plugin/security/qa/smoke-test-all-realms/build.gradle b/x-pack/plugin/security/qa/smoke-test-all-realms/build.gradle new file mode 100644 index 0000000000000..d7aff4e58432c --- /dev/null +++ b/x-pack/plugin/security/qa/smoke-test-all-realms/build.gradle @@ -0,0 +1,85 @@ +/* + * This QA test is intended to smoke test all security realms with minimal dependencies. + * That is, it makes sure a node that has every realm configured can start, and tests those realms that can be tested without needing external services. + * This tradeoff is intentional because we want this set of tests to be very stable - failures in this QA suite should be an indicator that + * something is broken in Elasticsearch (and not that an external docker fixture broke) + * This test is also intended to work correctly on FIPS mode because we also want to know if a realm breaks on FIPS. + */ + +apply plugin: 'elasticsearch.java-rest-test' + +dependencies { + javaRestTestImplementation project(path: xpackModule('core')) + javaRestTestImplementation project(path: xpackModule('security'), configuration: 'testArtifacts') + javaRestTestImplementation project(path: xpackModule('core'), configuration: 'testArtifacts') +} + +testClusters.javaRestTest { + testDistribution = 'DEFAULT' + numberOfNodes = 2 + + extraConfigFile 'http-server.key', file('src/javaRestTest/resources/ssl/http-server.key') + extraConfigFile 'http-server.crt', file('src/javaRestTest/resources/ssl/http-server.crt') + extraConfigFile 'http-client-ca.crt', file('src/javaRestTest/resources/ssl/http-client-ca.crt') + extraConfigFile 'saml-metadata.xml', file('src/javaRestTest/resources/saml-metadata.xml') + extraConfigFile 'kerberos.keytab', file('src/javaRestTest/resources/kerberos.keytab') + extraConfigFile 'oidc-jwkset.json', file('src/javaRestTest/resources/oidc-jwkset.json') + + setting 'xpack.ml.enabled', 'false' + setting 'xpack.security.enabled', 'true' + setting 'xpack.security.authc.token.enabled', 'true' + setting 'xpack.security.authc.api_key.enabled', 'true' + + // Need a trial license (not basic) to enable all realms + setting 'xpack.license.self_generated.type', 'trial' + // Need SSL to enable PKI realms + setting 'xpack.security.http.ssl.enabled', 'true' + setting 'xpack.security.http.ssl.certificate', 'http-server.crt' + setting 'xpack.security.http.ssl.key', 'http-server.key' + setting 'xpack.security.http.ssl.key_passphrase', 'http-password' + setting 'xpack.security.http.ssl.client_authentication', 'optional' + setting 'xpack.security.http.ssl.certificate_authorities', 'http-client-ca.crt' + + // Don't need transport SSL, so leave it out + setting 'xpack.security.transport.ssl.enabled', 'false' + + // Configure every realm type + // - File + setting 'xpack.security.authc.realms.file.file0.order', '0' + // - Native + setting 'xpack.security.authc.realms.native.native1.order', '1' + // - LDAP (configured but won't work because we don't want external fixtures in this test suite) + setting 'xpack.security.authc.realms.ldap.ldap2.order', '2' + setting 'xpack.security.authc.realms.ldap.ldap2.url', 'ldap://localhost:7777' + setting 'xpack.security.authc.realms.ldap.ldap2.user_search.base_dn', 'OU=users,DC=example,DC=com' + // - AD (configured but won't work because we don't want external fixtures in this test suite) + setting 'xpack.security.authc.realms.active_directory.ad3.order', '3' + setting 'xpack.security.authc.realms.active_directory.ad3.domain_name', 'localhost' + // - PKI (works) + setting 'xpack.security.authc.realms.pki.pki4.order', '4' + // - SAML (configured but won't work because we don't want external fixtures in this test suite) + setting 'xpack.security.authc.realms.saml.saml5.order', '5' + setting 'xpack.security.authc.realms.saml.saml5.idp.metadata.path', 'saml-metadata.xml' + setting 'xpack.security.authc.realms.saml.saml5.idp.entity_id', 'http://idp.example.com/' + setting 'xpack.security.authc.realms.saml.saml5.sp.entity_id', 'http://kibana.example.net/' + setting 'xpack.security.authc.realms.saml.saml5.sp.acs', 'http://kibana.example.net/api/security/v1/saml' + setting 'xpack.security.authc.realms.saml.saml5.attributes.principal', 'uid' + // - Kerberos (configured but won't work because we don't want external fixtures in this test suite) + setting 'xpack.security.authc.realms.kerberos.kerb6.order', '6' + setting 'xpack.security.authc.realms.kerberos.kerb6.keytab.path', 'kerberos.keytab' + // - OIDC (configured but won't work because we don't want external fixtures in this test suite) + setting 'xpack.security.authc.realms.oidc.openid7.order', '7' + setting 'xpack.security.authc.realms.oidc.openid7.rp.client_id', 'http://rp.example.net' + setting 'xpack.security.authc.realms.oidc.openid7.rp.response_type', 'id_token' + setting 'xpack.security.authc.realms.oidc.openid7.rp.redirect_uri', 'https://kibana.example.net/api/security/v1/oidc' + setting 'xpack.security.authc.realms.oidc.openid7.op.issuer', 'https://op.example.com/' + setting 'xpack.security.authc.realms.oidc.openid7.op.authorization_endpoint', 'https://op.example.com/auth' + setting 'xpack.security.authc.realms.oidc.openid7.op.jwkset_path', 'oidc-jwkset.json' + setting 'xpack.security.authc.realms.oidc.openid7.claims.principal', 'sub' + keystore 'xpack.security.authc.realms.oidc.openid7.rp.client_secret', 'this-is-my-secret' + + extraConfigFile 'roles.yml', file('src/javaRestTest/resources/roles.yml') + user username: "admin_user", password: "admin-password" + user username: "security_test_user", password: "security-test-password", role: "security_test_role" +} + diff --git a/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/FileRealmAuthIT.java b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/FileRealmAuthIT.java new file mode 100644 index 0000000000000..b610f9db2064f --- /dev/null +++ b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/FileRealmAuthIT.java @@ -0,0 +1,38 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +package org.elasticsearch.xpack.security.authc; + +import org.elasticsearch.client.RequestOptions; +import org.elasticsearch.common.settings.SecureString; +import org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken; + +import java.io.IOException; +import java.util.Map; + +/** + * Integration Rest Test for testing authentication when all possible realms are configured + */ +public class FileRealmAuthIT extends SecurityRealmSmokeTestCase { + + // Declared in build.gradle + private static final String USERNAME = "security_test_user"; + private static final SecureString PASSWORD = new SecureString("security-test-password".toCharArray()); + private static final String ROLE_NAME = "security_test_role"; + + public void testAuthenticationUsingFileRealm() throws IOException { + Map authenticate = super.authenticate( + RequestOptions.DEFAULT.toBuilder().addHeader("Authorization", + UsernamePasswordToken.basicAuthHeaderValue(USERNAME, PASSWORD)) + ); + + assertUsername(authenticate, USERNAME); + assertRealm(authenticate, "file", "file0"); + assertRoles(authenticate, ROLE_NAME); + } + +} diff --git a/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/NativeRealmAuthIT.java b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/NativeRealmAuthIT.java new file mode 100644 index 0000000000000..5431455cb66d8 --- /dev/null +++ b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/NativeRealmAuthIT.java @@ -0,0 +1,52 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +package org.elasticsearch.xpack.security.authc; + +import org.elasticsearch.client.RequestOptions; +import org.elasticsearch.common.settings.SecureString; +import org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken; +import org.junit.After; +import org.junit.Before; + +import java.io.IOException; +import java.util.Collections; +import java.util.Map; + +/** + * Integration Rest Test for testing authentication when all possible realms are configured + */ +public class NativeRealmAuthIT extends SecurityRealmSmokeTestCase { + + private static final String USERNAME = "test_native_user"; + private static final SecureString PASSWORD = new SecureString("native-user-password".toCharArray()); + private static final String ROLE_NAME = "native_role"; + + @Before + public void createUsersAndRoles() throws IOException { + createUser(USERNAME, PASSWORD, Collections.singletonList(ROLE_NAME)); + createRole("native_role", Collections.singleton("monitor")); + } + + @After + public void cleanUp() throws IOException { + deleteUser(USERNAME); + deleteRole(ROLE_NAME); + } + + public void testAuthenticationUsingNativeRealm() throws IOException { + Map authenticate = super.authenticate( + RequestOptions.DEFAULT.toBuilder().addHeader("Authorization", + UsernamePasswordToken.basicAuthHeaderValue(USERNAME, PASSWORD)) + ); + + assertUsername(authenticate, USERNAME); + assertRealm(authenticate, "native", "native1"); + assertRoles(authenticate, ROLE_NAME); + } + +} diff --git a/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/PkiRealmAuthIT.java b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/PkiRealmAuthIT.java new file mode 100644 index 0000000000000..fa502f9800427 --- /dev/null +++ b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/PkiRealmAuthIT.java @@ -0,0 +1,44 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +package org.elasticsearch.xpack.security.authc; + +import org.elasticsearch.client.RequestOptions; +import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.common.util.concurrent.ThreadContext; + +import java.io.IOException; +import java.util.Map; + +/** + * Integration Rest Test for testing authentication when all possible realms are configured + */ +public class PkiRealmAuthIT extends SecurityRealmSmokeTestCase { + + // Derived from certificate attributes (pki-auth.crt) + private static final String USERNAME = "pki-auth"; + + @Override + protected Settings restClientSettings() { + Settings.Builder builder = Settings.builder() + .put(super.restClientSettings()) + .put(CLIENT_CERT_PATH, getDataPath("/ssl/pki-auth.crt")) + .put(CLIENT_KEY_PATH, getDataPath("/ssl/pki-auth.key")) + .put(CLIENT_KEY_PASSWORD, "http-password"); + builder.remove(ThreadContext.PREFIX + ".Authorization"); + return builder.build(); + } + + public void testAuthenticationUsingFileRealm() throws IOException { + Map authenticate = super.authenticate(RequestOptions.DEFAULT.toBuilder()); + + assertUsername(authenticate, USERNAME); + assertRealm(authenticate, "pki", "pki4"); + assertRoles(authenticate, new String[0]); + } + +} diff --git a/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/RealmInfoIT.java b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/RealmInfoIT.java new file mode 100644 index 0000000000000..9a66236a72cc3 --- /dev/null +++ b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/RealmInfoIT.java @@ -0,0 +1,36 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +package org.elasticsearch.xpack.security.authc; + +import org.elasticsearch.client.Request; +import org.elasticsearch.client.Response; +import org.elasticsearch.test.rest.yaml.ObjectPath; +import org.hamcrest.Matchers; + +import java.io.IOException; +import java.util.Map; + +/** + * Integration Rest Test for testing authentication when all possible realms are configured + */ +public class RealmInfoIT extends SecurityRealmSmokeTestCase { + + public void testThatAllRealmTypesAreEnabled() throws IOException { + final Request request = new Request("GET", "_xpack/usage"); + final Response response = client().performRequest(request); + Map usage = entityAsMap(response); + + Map realms = ObjectPath.evaluate(usage, "security.realms"); + realms.forEach((type, config) -> { + assertThat(config, Matchers.instanceOf(Map.class)); + assertThat("Realm type [" + type + "] is not enabled", + ((Map) config).get("enabled"), Matchers.equalTo(true)); + }); + } + +} diff --git a/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/ReservedRealmAuthIT.java b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/ReservedRealmAuthIT.java new file mode 100644 index 0000000000000..7c99b7c31eba6 --- /dev/null +++ b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/ReservedRealmAuthIT.java @@ -0,0 +1,44 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +package org.elasticsearch.xpack.security.authc; + +import org.elasticsearch.client.RequestOptions; +import org.elasticsearch.common.settings.SecureString; +import org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken; +import org.junit.Before; + +import java.io.IOException; +import java.util.Map; + +/** + * Integration Rest Test for testing authentication when all possible realms are configured + */ +public class ReservedRealmAuthIT extends SecurityRealmSmokeTestCase { + + private static final String USERNAME = "kibana_system"; + private static final String ROLE_NAME = "kibana_system"; + + private SecureString password; + + @Before + public void setUserPassword() throws IOException { + this.password = new SecureString(randomAlphaOfLengthBetween(14, 20).toCharArray()); + changePassword(USERNAME, password); + } + + public void testAuthenticationUsingReservedRealm() throws IOException { + Map authenticate = super.authenticate( + RequestOptions.DEFAULT.toBuilder().addHeader("Authorization", UsernamePasswordToken.basicAuthHeaderValue(USERNAME, password)) + ); + + assertUsername(authenticate, USERNAME); + assertRealm(authenticate, "reserved", "reserved"); + assertRoles(authenticate, ROLE_NAME); + } + +} diff --git a/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/SecurityRealmSmokeTestCase.java b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/SecurityRealmSmokeTestCase.java new file mode 100644 index 0000000000000..4e5a3dfbad059 --- /dev/null +++ b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/SecurityRealmSmokeTestCase.java @@ -0,0 +1,150 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +package org.elasticsearch.xpack.security.authc; + +import org.elasticsearch.client.Request; +import org.elasticsearch.client.RequestOptions; +import org.elasticsearch.client.Response; +import org.elasticsearch.client.RestHighLevelClient; +import org.elasticsearch.client.security.ChangePasswordRequest; +import org.elasticsearch.client.security.DeleteRoleRequest; +import org.elasticsearch.client.security.DeleteUserRequest; +import org.elasticsearch.client.security.PutRoleRequest; +import org.elasticsearch.client.security.PutUserRequest; +import org.elasticsearch.client.security.RefreshPolicy; +import org.elasticsearch.client.security.user.User; +import org.elasticsearch.client.security.user.privileges.Role; +import org.elasticsearch.common.Strings; +import org.elasticsearch.common.io.PathUtils; +import org.elasticsearch.common.settings.SecureString; +import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.common.util.concurrent.ThreadContext; +import org.elasticsearch.test.rest.ESRestTestCase; +import org.junit.BeforeClass; + +import java.io.FileNotFoundException; +import java.io.IOException; +import java.net.URL; +import java.nio.file.Path; +import java.util.Collection; +import java.util.Collections; +import java.util.List; +import java.util.Map; + +import static org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue; +import static org.hamcrest.Matchers.arrayContainingInAnyOrder; +import static org.hamcrest.Matchers.equalTo; +import static org.hamcrest.Matchers.hasEntry; +import static org.hamcrest.Matchers.instanceOf; + +public abstract class SecurityRealmSmokeTestCase extends ESRestTestCase { + + private static Path httpCAPath; + private RestHighLevelClient highLevelAdminClient; + + @BeforeClass + public static void findHttpCertificateAuthority() throws Exception { + final URL resource = SecurityRealmSmokeTestCase.class.getResource("/ssl/http-server-ca.crt"); + if (resource == null) { + throw new FileNotFoundException("Cannot find classpath resource /ssl/http-server-ca.crt"); + } + httpCAPath = PathUtils.get(resource.toURI()); + } + + @Override + protected Settings restAdminSettings() { + String token = basicAuthHeaderValue("admin_user", new SecureString("admin-password".toCharArray())); + return Settings.builder() + .put(ThreadContext.PREFIX + ".Authorization", token) + .put(CERTIFICATE_AUTHORITIES, httpCAPath) + .build(); + } + + @Override + protected Settings restClientSettings() { + String token = basicAuthHeaderValue("security_test_user", new SecureString("security-test-password".toCharArray())); + return Settings.builder() + .put(ThreadContext.PREFIX + ".Authorization", token) + .put(CERTIFICATE_AUTHORITIES, httpCAPath) + .build(); + } + + @Override + protected String getProtocol() { + // Because http.ssl.enabled = true + return "https"; + } + + protected Map authenticate(RequestOptions.Builder options) throws IOException { + final Request request = new Request("GET", "_security/_authenticate"); + request.setOptions(options); + final Response response = client().performRequest(request); + return entityAsMap(response); + } + + protected void assertUsername(Map authenticateResponse, String username) { + assertThat(authenticateResponse, hasEntry("username", username)); + } + + protected void assertRealm(Map authenticateResponse, String realmType, String realmName) { + assertThat(authenticateResponse, hasEntry(equalTo("authentication_realm"), instanceOf(Map.class))); + Map realmObj = (Map) authenticateResponse.get("authentication_realm"); + assertThat(realmObj, hasEntry("type", realmType)); + assertThat(realmObj, hasEntry("name", realmName)); + } + + protected void assertRoles(Map authenticateResponse, String... roles) { + assertThat(authenticateResponse, hasEntry(equalTo("roles"), instanceOf(List.class))); + String[] roleJson = ((List) authenticateResponse.get("roles")).toArray(new String[roles.length]); + assertThat("Server returned unexpected roles list [" + Strings.arrayToCommaDelimitedString(roleJson) + "]", + roleJson, + arrayContainingInAnyOrder(roles) + ); + } + + protected void createUser(String username, SecureString password, List roles) throws IOException { + final RestHighLevelClient client = getHighLevelAdminClient(); + client.security().putUser( + PutUserRequest.withPassword(new User(username, roles), password.getChars(), true, RefreshPolicy.WAIT_UNTIL), + RequestOptions.DEFAULT); + } + + protected void changePassword(String username, SecureString password) throws IOException { + final RestHighLevelClient client = getHighLevelAdminClient(); + client.security().changePassword(new ChangePasswordRequest(username, password.getChars(), RefreshPolicy.WAIT_UNTIL), + RequestOptions.DEFAULT); + } + + protected void createRole(String name, Collection clusterPrivileges) throws IOException { + final RestHighLevelClient client = getHighLevelAdminClient(); + final Role role = Role.builder().name(name).clusterPrivileges(clusterPrivileges).build(); + client.security().putRole(new PutRoleRequest(role, RefreshPolicy.WAIT_UNTIL), RequestOptions.DEFAULT); + } + + protected void deleteUser(String username) throws IOException { + final RestHighLevelClient client = getHighLevelAdminClient(); + client.security().deleteUser(new DeleteUserRequest(username), RequestOptions.DEFAULT); + } + + protected void deleteRole(String name) throws IOException { + final RestHighLevelClient client = getHighLevelAdminClient(); + client.security().deleteRole(new DeleteRoleRequest(name), RequestOptions.DEFAULT); + } + + private RestHighLevelClient getHighLevelAdminClient() { + if (highLevelAdminClient == null) { + highLevelAdminClient = new RestHighLevelClient( + adminClient(), + ignore -> { + }, + Collections.emptyList()) { + }; + } + return highLevelAdminClient; + } +} diff --git a/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/kerberos.keytab b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/kerberos.keytab new file mode 100644 index 0000000000000..e69de29bb2d1d diff --git a/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/oidc-jwkset.json b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/oidc-jwkset.json new file mode 100644 index 0000000000000..4dc970f924105 --- /dev/null +++ b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/oidc-jwkset.json @@ -0,0 +1,35 @@ +{ + "keys": [ + { + "kty": "RSA", + "e": "AQAB", + "use": "sig", + "kid": "CXup", + "n": "hrwD-lc-IwzwidCANmy4qsiZk11yp9kHykOuP0yOnwi36VomYTQVEzZXgh2sDJpGgAutdQudgwLoV8tVSsTG9SQHgJjH9Pd_9V4Ab6PANyZNG6DSeiq1QfiFlEP6Obt0JbRB3W7X2vkxOVaNoWrYskZodxU2V0ogeVL_LkcCGAyNu2jdx3j0DjJatNVk7ystNxb9RfHhJGgpiIkO5S3QiSIVhbBKaJHcZHPF1vq9g0JMGuUCI-OTSVg6XBkTLEGw1C_R73WD_oVEBfdXbXnLukoLHBS11p3OxU7f4rfxA_f_72_UwmWGJnsqS3iahbms3FkvqoL9x_Vj3GhuJSf97Q" + }, + { + "kty": "EC", + "use": "sig", + "crv": "P-256", + "kid": "yGvt", + "x": "pvgdqM3RCshljmuCF1D2Ez1w5ei5k7-bpimWLPNeEHI", + "y": "JSmUhbUTqiFclVLEdw6dz038F7Whw4URobjXbAReDuM" + }, + { + "kty": "EC", + "use": "sig", + "crv": "P-384", + "kid": "9nHY", + "x": "JPKhjhE0Bj579Mgj3Cn3ERGA8fKVYoGOaV9BPKhtnEobphf8w4GSeigMesL-038W", + "y": "UbJa1QRX7fo9LxSlh7FOH5ABT5lEtiQeQUcX9BW0bpJFlEVGqwec80tYLdOIl59M" + }, + { + "kty": "EC", + "use": "sig", + "crv": "P-521", + "kid": "tVzS", + "x": "AZgkRHlIyNQJlPIwTWdHqouw41k9dS3GJO04BDEnJnd_Dd1owlCn9SMXA-JuXINn4slwbG4wcECbctXb2cvdGtmn", + "y": "AdBC6N9lpupzfzcIY3JLIuc8y8MnzV-ItmzHQcC5lYWMTbuM9NU_FlvINeVo8g6i4YZms2xFB-B0VVdaoF9kUswC" + } + ] +} diff --git a/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/roles.yml b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/roles.yml new file mode 100644 index 0000000000000..9b2171257fc61 --- /dev/null +++ b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/roles.yml @@ -0,0 +1,8 @@ +# A basic role that is used to test security +security_test_role: + cluster: + - monitor + - "cluster:admin/xpack/license/*" + indices: + - names: [ "index_allowed" ] + privileges: [ "read", "write", "create_index" ] diff --git a/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/saml-metadata.xml b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/saml-metadata.xml new file mode 100644 index 0000000000000..ee78a039c21f4 --- /dev/null +++ b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/saml-metadata.xml @@ -0,0 +1,28 @@ + + + + + MIIDTDCCAjSgAwIBAgIVALwU/Fbhg4ZK7tJxlGbCJGHe3Ly6MA0GCSqGSIb3DQEB + CwUAMDQxMjAwBgNVBAMTKUVsYXN0aWMgQ2VydGlmaWNhdGUgVG9vbCBBdXRvZ2Vu + ZXJhdGVkIENBMB4XDTIxMDIxMTAxMTkwNVoXDTI0MDIxMTAxMTkwNVowPDETMBEG + CgmSJomT8ixkARkWA2NvbTEXMBUGCgmSJomT8ixkARkWB2V4YW1wbGUxDDAKBgNV + BAMTA2lkcDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKXkYQY+N+eu + GuxEG2kId1AcMPI2TZTuDFskD1NzTDXUH4gN7brR5g2TVNqpRutObc9Ymovyxw91 + g//57zL44ev9EytWVc0She4NKQRsJAMI3aczccboxWwNLzNW3llkY9pu1Fq17Jib + k0zZ9jg0okc1Xj0F5mXgQElsalspJ2ythG8jeahwa08UfHgN6yJKIx8wLZgVetlc + j90Iy8vNimyphopQP+r7t86A9i2HP9OsRiRrNR4lDxd5BcrbRQhb9Dse2HNHHHkk + YEdSRV1QxhzI2tinFrz/fL+gW4SLiLJYGr9ZTPitFuSyWmmlROp288LFJghmAI5G + S1x0NL0aMm0CAwEAAaNNMEswHQYDVR0OBBYEFDDo2pEmEcsxiABqCfceSc6VRowg + MB8GA1UdIwQYMBaAFLtcLb9C2CnCSYhMigKmvQN2i0kbMAkGA1UdEwQCMAAwDQYJ + KoZIhvcNAQELBQADggEBAA5pHuamEc6yB6vaUlwcKFWFI4QY2CJJwmeYJG1V8Wl/ + IoFevTvBdYAKBwPMaoVySY+4BB314J0MmfhWQ9CxFoWzYpoT1L41NlADWrEOjwXt + wrMjphkZnimnB/xXpPjYydZTXo1y0b08CUSp0ua9kwySzgfyaIpeZl5dkNZPqvUf + vxl8tR19LpqB4/J9XvDqgK+aFFZUIYlPGGB5N7YR/o4fS9kLqFKy9FPiJOufN/rq + t3gzItYNtO/RWagX1cngqDsflyovlOVvxv4D3IRZ0gzlCZwx05PeB7LYvjG2nIS2 + 9LBd3nyFanAcHajurMupyOuY9ug0VSuC4zQzMfSNMv4= + + urn:oasis:names:tc:SAML:2.0:nameid-format:transient + + + diff --git a/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/README.asciidoc b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/README.asciidoc new file mode 100644 index 0000000000000..c57d448ade77c --- /dev/null +++ b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/README.asciidoc @@ -0,0 +1,63 @@ += Keystore Details +This document details the steps used to create the certificate and keystore files in this directory. + +== Instructions on generating certificates + +The certificates in this directory have been generated using elasticsearch-certutil (8.0.0 SNAPSHOT) + +=== Certificates for security the HTTP server +[source,shell] +----------------------------------------------------------------------------------------------------------- +elasticsearch-certutil ca --pem --out=${PWD}/http-server-ca.zip --pass="ca-password" --days=3500 +unzip http-server-ca.zip +mv ca/ca.crt ./http-server-ca.crt +mv ca/ca.key ./http-server-ca.key + +rm http-server-ca.zip +rmdir ca +----------------------------------------------------------------------------------------------------------- + +[source,shell] +----------------------------------------------------------------------------------------------------------- +elasticsearch-certutil cert --pem --name=http-server --out=${PWD}/http-server.zip --pass="http-password" --days=3500 \ + --ca-cert=${PWD}/http-server-ca.crt --ca-key=${PWD}/http-server-ca.key --ca-pass="ca-password" \ + --dns=localhost --dns=localhost.localdomain --dns=localhost4 --dns=localhost4.localdomain4 --dns=localhost6 --dns=localhost6.localdomain6 \ + --ip=127.0.0.1 --ip=0:0:0:0:0:0:0:1 + +unzip http-server.zip +mv http-server/http-server.* ./ + +rm http-server.zip +rmdir http-server +----------------------------------------------------------------------------------------------------------- + +[source,shell] +----------------------------------------------------------------------------------------------------------- +keytool -importcert -file http-server-ca.crt -keystore http-server-ca.p12 -storetype PKCS12 -storepass "password" -alias ca +----------------------------------------------------------------------------------------------------------- + +=== Certificates to support PKI auth + +[source,shell] +----------------------------------------------------------------------------------------------------------- +elasticsearch-certutil ca --pem --out=${PWD}/http-client-ca.zip --pass="ca-password" --days=3500 +unzip http-client-ca.zip +mv ca/ca.crt ./http-client-ca.crt +mv ca/ca.key ./http-client-ca.key + +rm http-client-ca.zip +rmdir ca +----------------------------------------------------------------------------------------------------------- + +[source,shell] +----------------------------------------------------------------------------------------------------------- +elasticsearch-certutil cert --pem --name=pki-auth --out=${PWD}/pki-auth.zip --pass="http-password" --days=3500 \ + --ca-cert=${PWD}/http-client-ca.crt --ca-key=${PWD}/http-client-ca.key --ca-pass="ca-password" + +unzip pki-auth.zip +mv pki-auth/pki-auth.* ./ + +rm pki-auth.zip +rmdir pki-auth +----------------------------------------------------------------------------------------------------------- + diff --git a/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/http-client-ca.crt b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/http-client-ca.crt new file mode 100644 index 0000000000000..f4e55e77681a0 --- /dev/null +++ b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/http-client-ca.crt @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDSTCCAjGgAwIBAgIUSCwIIISvC5WpMRS4+FZNH+oAQR8wDQYJKoZIhvcNAQEL +BQAwNDEyMDAGA1UEAxMpRWxhc3RpYyBDZXJ0aWZpY2F0ZSBUb29sIEF1dG9nZW5l +cmF0ZWQgQ0EwHhcNMjEwMjEwMjM1NDQ4WhcNMzAwOTExMjM1NDQ4WjA0MTIwMAYD +VQQDEylFbGFzdGljIENlcnRpZmljYXRlIFRvb2wgQXV0b2dlbmVyYXRlZCBDQTCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIKhZWJK8cFpze76MqjTtCZH +I5pHeNQw+1J9KHlfgLn17IdQ0RljMfuF+EOkk8bf0q1CFa6/rs5A7zbHptUZlZ0J +wTSntd9WHNIIzwFQoCcy9HjWWrkJx+lHJVhf4cCrAlxDg+ltBcEGOosQLm8kEddV +toK9mVnyYytM7vFVjF5VDdE/J9BnQbXMR3r1JVzNtq0q5V2eb4Ne+hYos+smA5Ma +g0c/JGO0vhxwUKMrc1hacW1WyIGhs6F5UQtr2MSg/Lo/GXl1sLk8Vkuu1ZSAooZr +6mlNZqJBXNFUkVastFhIIG3ckSDHlqIlbaYbdrhVSf9CjjeBQ+0Lc66Qw30FEG8C +AwEAAaNTMFEwHQYDVR0OBBYEFH3YuTqhORMmuMFn0qggxldoRSXVMB8GA1UdIwQY +MBaAFH3YuTqhORMmuMFn0qggxldoRSXVMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI +hvcNAQELBQADggEBAFxE2OB/wrGzNxNyEW0xHCj/hGBFAbBwDXu6wLtkNjyuXqXO +zHwcc85dD6pj2EWVKbiyFFEIjHpQeJtaG74dPko+K7CfhbLACmIHSZpxlB+X4lDR +ApuUjde6Dp2ohEO6xqB8kuy0fIm2qhOIwdy8DqqwqeXFntlfKombWnbpBWKDmZ36 +f5U7hMVLkAlgqb5/wRBqrAqTxQtFqe/R1iSpB859p+sL4R/IPBs90RNs9/LuJads +ieqGj59bzUEE/Bb7weVvgOzp25MITCQ2i76hWVMPHBCBQZSxrQdNzMPeAZs1mDaK +0LDvajtnbKq8bSzkCke+/FW9wV8LLgyCCOoGQGM= +-----END CERTIFICATE----- diff --git a/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/http-client-ca.key b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/http-client-ca.key new file mode 100644 index 0000000000000..7e97989b84723 --- /dev/null +++ b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/http-client-ca.key @@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-128-CBC,E5EC395FEA95C5846466B295767AD501 + +PeWr8qXpE6lta4orHb1UL4ktuDAfch9IFynU/0C8ZYcZd7riHwhoKnHlox6Njg6+ +sbpxiQcGvhruGDjkSNjw0eHO+cTD8/K8er8q6bv2DJ6egm9bsbs8VOz604c8BGQS +HIl5alpee2AtmHfJkSaDQWb3pRguo2o7KDxcqxIC6To3GS1dgux1hlYFaiM6cX9V +0c6XH6EwBK0eo9SbxWuaTR0rB6r1GXJd1kutFVC5a04KjkLSCujpMoxKdyP+W+gM +baWIFb98Aozyly753149t+C81C9J7U5aDlVmtOwm/8wIHDskhuk9tdHl05LCtv7/ +FDbzwHN8XsSdVY2Ax4kk3GfVOI80YUfram5FTfmwZRO9XK4wwEtdCSvgkYzeu8Np +ku9gV2r9OiuDSOI1TRXjObk/JWM8fItakyIu1P+v+SmL9s8gDMfMDDtbruqvTh2z +H6bk8xtLDGz7zWFcomJPUnRcMWhtW4xL15jJiAcaYgijioUty9UJd22Jv5oa/C7+ +bCvmW+sQAa4gpryfGwDEXFZv+S6lNjRqdOnobCDnew6pJsiHY/3neLjFUtBXqkum +ixAVVyKcazeS3koiv4fpkYD1CcrSVYxf4fotvBx86eB/9O+bwdLb8pbdivIEWISl +3wsAcqYC8eJp29RYt+RS8r7dfJ2n8kWcq6XwFY0EclFHCnDtbwHNZrLiM2XPf1dO +r1wkcUYTKB/KEEL0Td0mAFvfs5yb3UeSq4qe3ZuSZaTafhstPt9HolcKCROE1rXx +cO36zcoUp3JzaKJPorsA4YdF2jro8Y8psdKQXB3kb4s3JEuEL+oh/T3gSLi73R0F +mAYHDicwNHPvySVrA9oxczC7v7OrjmmrGnVcz8mwdhZaQeCULvuWGotUWTT2Vkie +2qpRAfSC0+mzBIz95FZEaQUcZFQZ9aab19w7LxhMO5PAe8k0ogwG8mJuXqUd3pcf +9DDWon6yO3JgB9CtmJCCu0YZXNyP/z9tZSjJxUI002M/exw+C8THebUCkVSHrB/C +Op+NPq1oLyVcJ8bnTEsK0ysGylfmBkQapvtnDRiypVRBv3YCKua4e6U0T8GxHLMM +AItzKx+HG7gx2mwPlWoDmq4nhFp3ME1GE1VqDquzo8f2aR08BKCdOOgxgjntXJRM +8QR6yH3k+3rZ/7aY/sXUgRK/l2b0/+vbk1xtioRq/u0BxkhDqiXZ2cG/BJWXayDg +GbaMbciRqfCcViWCH8mB+BDzp91OWMDYRDQtqYngA4hWgxeBbH45bju8ygjQONbK +Lz8Z1j/Htpi8cvim7Fc2SEQ83/SO64Q5MwzpmbeNOtvtmUVkut2/kKjMzT20niUP +y++M6gcBYgBeLhA5dEGyTQtA2Dmh1PQnEfe7Pfb10i9HpmcTHUun1e7LVJKfk8ul +z49dp0OxQiD4ExK+u6zhXMmOVi3NJz+G8OINTgIcWG+6fj78UuybuBO3sQpkQyHk ++ub2ituXxcQBLOfLHHK9PXnun4h2UovrudHX9PduPwgQ7pOVmad9hecQrrd08oyT +uBMyygUye67DQuZft4lVPJimWdQgB7TmDhk2bXqT510mVKIZHWiHVTmSLiGl50zs +-----END RSA PRIVATE KEY----- diff --git a/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/http-server-ca.crt b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/http-server-ca.crt new file mode 100644 index 0000000000000..362fa1d700b78 --- /dev/null +++ b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/http-server-ca.crt @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDSjCCAjKgAwIBAgIVAMuHthk+o2IHB9u8nysBdt6iWcG8MA0GCSqGSIb3DQEB +CwUAMDQxMjAwBgNVBAMTKUVsYXN0aWMgQ2VydGlmaWNhdGUgVG9vbCBBdXRvZ2Vu +ZXJhdGVkIENBMB4XDTIxMDIxMDIzNTE1NloXDTMwMDkxMTIzNTE1NlowNDEyMDAG +A1UEAxMpRWxhc3RpYyBDZXJ0aWZpY2F0ZSBUb29sIEF1dG9nZW5lcmF0ZWQgQ0Ew +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCT/nfuBZM+o9lWmt58nZn9 +SN9/ken8kbLb01ZoHG2ssPivSj+HjispJjK2C+5k/3MPqP4ngCgJzR8jrW2C3yG2 +G8/RhrB96f6hw6vbZZSt/LqY1nO6hR3rLoUUY3+wNv8EaaMOuwhOJKqwccoCsTsE +EK1ztUEpszbkMgJEZ+HJ1Cb/SUjFeXvOUtmtE/W339AHEQWAkhomCtgrsq6XJ/8P +Hxa8rPnaIgh0nmUXvqsHNw/UAmtOqUkmzJYiCuqJCpXTZvzFEl3QMjKwClAuTXry +pW2pEdmk4QGWdoOCNgx7DfEyRzc6/x2GfZPLN3H89Ob9KD9/OKCRCxeZd2Ell9IN +AgMBAAGjUzBRMB0GA1UdDgQWBBS8ifqU0tXT9s9Sf+xl+BJEfc5LRDAfBgNVHSME +GDAWgBS8ifqU0tXT9s9Sf+xl+BJEfc5LRDAPBgNVHRMBAf8EBTADAQH/MA0GCSqG +SIb3DQEBCwUAA4IBAQAWV997kl+MVMscfzY9PED9yA9/VZJyBhVFRp7z7EA7RrxK +pIdaKb6uuOxlZSFysQgzN7o68FMgrU7aTml1FFgmh4d9smHiV9y5WMVH+mrg3t+V +i4SZbdzJLXFkUer2rnXE8oCISRrdC9jq0Lfd70dW9BzLZrlRFNwDD4XaYIEkLUu3 +IFnFPXbQOwbDhlzRiBbYBbDpFEX3/eSS3fDi2fF44WbYEJtlnMAdCSCpu//KSg71 +28OxzCfYvGS3G3S1HKDnuja+zBHfnKwxA8Fl/O/6RKY1DKZs3XldOwJcIgrgnm86 +0JHkAZdE2nFUHWS2D7BTOCM+55J6cbfis/ZNjk1y +-----END CERTIFICATE----- diff --git a/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/http-server-ca.key b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/http-server-ca.key new file mode 100644 index 0000000000000..a8412d2278b13 --- /dev/null +++ b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/http-server-ca.key @@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-128-CBC,890A9BAC12DD7E772BB95D396FF96C76 + +5Wrk2AtWFxnf4yeZjpTEJ0K84PEWSo6aQvxo5V/fVTIdEhpsEiDTVmRUAf096lxz +sIH3/dHpDyQLuJxLfkgp1v57crlB+2NTxWO3aBmC9x+zwMgJFjjnTnaoOF14HYSd +goZezx7EN0AyJuAAVZUfeHvrDac8m/C7d4UafFbvT7RixsJgFhH8Yv/uevyRfp6p +A+ZyZPKtqKrU4taDu0ln8f2sWnc+t7e7K/CwkNmzCx2Jptbt6mM85ik+6tASobrZ +tkHjmzrfqyjVNBZz2IUHuCeaOeJatHyxeZhOg9o/kEQKw0ERx6CIyIeNiROexd1g +K9532RmAdALXxcMtAzN/YvIzFqRf8ipRPTuaHDJ7R7VastNl4I5LD0rMOR3U6hnR +hNVYDMHm7M52KJInvgCyO10mpEqL0XI09xOdE9uvRvmaopH89jceZi42hPIyNj8n +MjTAclFbvUhMZRrivEZGbEpBSO4prGzDz9qj78rAt3sOIgVkMOCKnhUURuRyHLuH +pbOVyCC5pfLhfMpl7vf7ShxieQnrC8HlMeYBChfT9xLNP3gxf96PNY/Fs+DESgb2 +NppSkAuOImWLtG1dnVffBBlH0xBQGNp7OXoXY3+Ibk/+FLGAWsxtJ6NlJvE18jXa +Lp9Hd1k+R9b1qTvAIQnqhYSaPJUEbRtV270e1GDLGrfsbQBrgzGcHDZKFJtw85IN +9AidTJNzHPGJHMFHcanc0wMqvjhjg0CHvRMb39ko6QQg2u/XIB+vcYy3n67KT24e +D8TH6CDTnkdbrp3ejM7XhM4/weFHjfuwgxF6pqoA0Pd0LbnbH8C5bmfPbs0nLQHJ +vrBdYPJNtCB7B2IQd+BxqEuKKglpushEYN9KFvfVQuLrKqaTdE8/GgmuwlNzGvPD +jc5SAjCWImryftzIakU8SXsQWCaOCaMOvqr8l/rO3JvTTdUzfUYMb+xd4ohAFmwE +6l4gm01XOJ+hmJkOYwOtnPfaIeDbZczz52mOLPbXkQBc29HzcjprdVyxtHcEfBR6 +sLKXUpuwrarJvrFSBqmY6WVarhjO06gNv77fhCchGA7On8pJpOU+VL7sUW+Jk/vg +vMDaayNkNKBr/2QHd5YUYvopWm7a7pL1Z9Y8nz01TJDegj2JVjc65xAE//r8oEyU +aF2pPp0jSWKEkRB1P8JqQis9bfxLYxbsbF5HO3ADaBZVkkGjqVh+6o8S/VxIQgwr +tRRTPxG2tU19xGE2F756E8v+IaYKG4/PwE1Vb/A9NcTXyR0QZO1L0C3/Rp7AssuL +jARJqtMJtaEvMEzcnWtPGoJbLLLkFUADQdunx2vIcdjQL0iB6iyYISV9R6Gyc8ou +biWGMwUeYBSTAlwBGTGgM8apcRSlUiic1u0K5WmSyee1RjvXJWR5Ct/wvfGHVbu4 +Ha79dJjcJGLSUinWKYh3RLaJvSV1r/j/thqbtspWnR72cUdG6EFmrls7g7oxOWD7 +F4m0S2bbakxfcSZpQE+lqnKLkEPrYXqNkoA7QNzBemqBVYLg3whUyqGS0z+LaZW0 +vKyi5U6mmcvfMNdWEKswHQe7RciAQrSGXgIiqYVM1ipSo4uo9NB84XDIKVb98+0X +-----END RSA PRIVATE KEY----- diff --git a/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/http-server-ca.p12 b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/http-server-ca.p12 new file mode 100644 index 0000000000000..089a9bfba4f1e Binary files /dev/null and b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/http-server-ca.p12 differ diff --git a/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/http-server.crt b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/http-server.crt new file mode 100644 index 0000000000000..0b7956400e023 --- /dev/null +++ b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/http-server.crt @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDuTCCAqGgAwIBAgIUCcrR2XFErsgYaTXPqKO9TiEBG0QwDQYJKoZIhvcNAQEL +BQAwNDEyMDAGA1UEAxMpRWxhc3RpYyBDZXJ0aWZpY2F0ZSBUb29sIEF1dG9nZW5l +cmF0ZWQgQ0EwHhcNMjEwMjEwMjM1MzU0WhcNMzAwOTExMjM1MzU0WjAWMRQwEgYD +VQQDEwtodHRwLXNlcnZlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AIRJbttYRqopVNwlLQ+OmQZ6cXDILSXOn2JlePpgYHS03NMgeNAI5JY7Q0pBX/7C +GQnUvXAw7+1eJA4v/6SBui0FyFlWTzNDsEfjt/00CjsgAxYXb/SSxb1f0pcJSOHh +y4nKM9/hPzHZxGSm7YTTPBt+69KsuTbz6w+aUkZa+/Ll/PuXa4hwbuUO1IeMr99m +wtq4KIhbSU2tNe4LoCbhfhvv1QNsw2WbsDAuk2BXrwTsAKrjy3f2iyJiOz4eBTLq +G1lg6uf2Na2VTYPSl+0SleTxnYgQS0xE4U4Al8bxbuTI9L5GOMVGqscNHEtOz9nI +EbFwskMmLc6WAz0SPQksHT0CAwEAAaOB4DCB3TAdBgNVHQ4EFgQUC0RHPPXYUCOm +kvXdsenszNiw/AowHwYDVR0jBBgwFoAUvIn6lNLV0/bPUn/sZfgSRH3OS0QwgY8G +A1UdEQSBhzCBhIIJbG9jYWxob3N0ghdsb2NhbGhvc3Q2LmxvY2FsZG9tYWluNocE +fwAAAYcQAAAAAAAAAAAAAAAAAAAAAYIKbG9jYWxob3N0NIIKbG9jYWxob3N0NoIV +bG9jYWxob3N0LmxvY2FsZG9tYWlughdsb2NhbGhvc3Q0LmxvY2FsZG9tYWluNDAJ +BgNVHRMEAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQAQrGXc0BGPgTAn2AGtuq4aefX6 +61DlYTI/13hmuUrXoSYV3KjnyZ35b7air765Jnze533TYyc3LTG2ATZTid7ypOlF +8+MxOfEg5QmvkcBiP1npYe46gWnaLr2MPwA2h1UTomLkPtr+BkaTGITiGHJde+6A +F9SPqPX9ntRuARwUWXhBfYoRWCcUbKscdQLG7THfg4lUb+jQJ+3Hfmz0p/ffGpz6 +7culVn9PnveC0gRTnVm1rzU45anD/BB2ufyLLO2j2qEj/K4XJNTd9O8in+m+9baT +/bzQkHK/kcyLma3cOsGNdsV8C+slDt6eDpC8FU86YdwIrWlc98WNLPKEFLnE +-----END CERTIFICATE----- diff --git a/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/http-server.key b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/http-server.key new file mode 100644 index 0000000000000..4cab0e8825297 --- /dev/null +++ b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/http-server.key @@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-128-CBC,ABFB4CA48E6FDE2FB61D22D1DBD62ECC + +uzUgIXivx1+QIXBGukekWhS2ETnixqB7YKJ8bDkCBWU1Mx9rTFTHfu0Nh9YmRJLA +EsPLgF74TOCJ2R482bFNPi8TB3oVxvWAHDXcRcpuNyKxGIOhJUWofIKeLkV0l6W5 +w55Yq94BOhEjx/bLv9MIUV8w++296R9NNewU03C0KYygYr0QkPLsqKsW6uTSOyi4 +zQX/8ZoQsV85miEQeRc5iv24wqEVEzNVucohd/0dxZ4CfE9bT9SQ5BmDjMqRbsVV +rhQqR9fSkM4M0f3iaEqO8TyG0Zx3CUqluXI4ARVOR33rw5ImV3ig0dXzndoM6PJl +wT1tlsKUWYTfXcgM93n0w6qP9PpV0gYBZo+bNnLqlEl+SvWxtfdnAw2OuOa7frUq +51k0NuSgokA1WF/njD3J7XSLqBuUi/0PetgWoY3IydbcUZK6OUwYk/s0YkDLEPoN +f+9arh334/yY5oZGlqRfK3d0ng10452Y/7fMZ9DOgD3z2Azz49nQhPovdgS23BKk +5kSmQg+GOkp8no1wlkggVYQLgsJaVkIAAKTmXRmJBiZS7d6M+MrvfURpcWRodlRS +V6vPZTAlR5cdPJ29pHscsL60F78njNf2LrhaBx2QbPB6h4hAN1cBMw04oLJRHF6z +GJl+ONf++00E9A5vVMZSf4nOFRw5HqIR5GmouV1KzMhG7uIJySOnIWt1+FPjNlZc +AmHQ0/Y4xPjyLkzAbjU/wHtvuQrLJWwcFbCy6s16Qhl+P+6CFsFPVMM1BLKiuqxV +WYRkfUrgu+J6JVZ0LeKFFrF8cyJ2FqnDT/qBJGn8+stMjUg5KYOQLE3ebIlE46+t +iDUfAcdxRcy4ekAZZs+4mDVmFVo24tw+YDU+7sPYJ1zTOHOE1yHzh3dkjShOI8zj +osoiqrQuJVw93GaR8g3BWtkpSHJvPpwrcZdc3n3125ENtgvuYxAqTqXEYT9p1mTl +6818nj9dx2l+jtCVEnwP7DOp6bfzeSUaGHgN0S2sO4w4eIrD6p3vlEd8fiUScwjz +2wblk0CqaT87SFrsVBunpfvV7pJrGUFy3MWCv9jxQdn0vsvzgB7TKjJOXxBNPA0K +m+P73rlxzyr7a0MhNk+dyqjIe4rd8ZzmkKsY1PeHAXF0TMAl3Lu+2T6WW/0CLsYC +oG+Xc9W791NWUuFyZNyxMhvJ7A6QV9bQGC6rdKs8vRNdkm5EYJ8M7Jw5Nox0QWRX +YRkEWOM4EwySKvQOnshERdHIY3L4lYHT2IjLWkcHX3NbHWOEJdA53/I2Zi+2CFJJ +jwxzebJ9HSfNm0yu7PVBoX1ov4fq1hz4PnBGjBVNgiDVBlvw4drXxuReTDCXYfpy +09AMABl4EBfwoUkctBd/7KIJNuVk/bV3tbFgmCLHtg9hVeRpDHYiQBGRMh/lsuyD +6ITAlPk3M2gEGTwWfeiyhfKo74eClWQiwt2kaSneUG9flIsME7ViDiwGYQxqWgnB +GfL8X3PtB2IoPrGugUyQxYSuW0onBT45/8DLsstYdijMmy7edBQS4skni4zNzeaB +3AY3kEz6DnBVHMCqdfFjTIQJ2Ot2Zt+Vbp0XMUY3EDJENgb0FhZdT7IQTyXDmFOE +-----END RSA PRIVATE KEY----- diff --git a/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/pki-auth.crt b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/pki-auth.crt new file mode 100644 index 0000000000000..49f212897b8ed --- /dev/null +++ b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/pki-auth.crt @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDIjCCAgqgAwIBAgIURUBzIrSMO+65o3KZ5ZAMNqisXCQwDQYJKoZIhvcNAQEL +BQAwNDEyMDAGA1UEAxMpRWxhc3RpYyBDZXJ0aWZpY2F0ZSBUb29sIEF1dG9nZW5l +cmF0ZWQgQ0EwHhcNMjEwMjEwMjM1NTQ1WhcNMzAwOTExMjM1NTQ1WjATMREwDwYD +VQQDEwhwa2ktYXV0aDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALOa +ec6hHxn6VlSDCHEQJmeuqWsSW2vF/Hy4QdUDDK4iUJ0MZEecrmbALdKY1PtvINUk +OAgc/9q1abQsXkvU155QmKDxBpd1jXY7HaVlhhOjEj+qhV9xSL7uYv0v5DMT1cPf +en+ZNf9aI0x5EKoMmyVb+W30cu+k75isBPE3LcZQLwG54U1g20l54xmKWD29jqJ6 +Q8AA+2NorFlp3NJsyW0U746sUogDXJE7Dtf4hsmIhw0VkJF89QwobccFIwXiZmVT +NhniRc/0/MocnEEGFTd6QSjh76qmChUMwpjNxSbfT4C2s969O0HOXekdooIPLypZ +a73reiVk3DAy1yQ0ZSkCAwEAAaNNMEswHQYDVR0OBBYEFCh5MVXAUNd4nk36dVY2 +EGFuh9w1MB8GA1UdIwQYMBaAFH3YuTqhORMmuMFn0qggxldoRSXVMAkGA1UdEwQC +MAAwDQYJKoZIhvcNAQELBQADggEBAHYCbDQA/q2V9rAPFWUOfO6sT8VAmVVrYzdo +4JONnOsPf3dp8jUhmz4xInSjYlcQdjyEByFhxLEXrT1Bed7GGS0RU60SPHe9YOjr +ovD9kZutqvEeQDcfYoun2qxF0n1tfvbV3mbuydw9h9Pgaa0d7pbK1fJiyr5o8myO +XtE/b0oZMqEiOF3MHo28A10W7ikdo5iB+wTpjpRqjBxLIXQY+q9NWmgp9WmDoNeR +SFgPmFOYqGjf1TcvHSyRKsCIEGmZrjjQl1NYqPfJCDFsxlF4Qt5mUf1s3gW7Aevw +jQA9QCPvN1C3z9r4/qIo+U07Ol1deb6/9v5NWmomR6GUM0l/0ZE= +-----END CERTIFICATE----- diff --git a/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/pki-auth.key b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/pki-auth.key new file mode 100644 index 0000000000000..925a41bb78378 --- /dev/null +++ b/x-pack/plugin/security/qa/smoke-test-all-realms/src/javaRestTest/resources/ssl/pki-auth.key @@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-128-CBC,AA42F98B16A0D8ADA8C387861B419850 + +Ax/A9kbNOHvgbskJLdOw4lD/hw4kCIhm3f203xXUC4KVWcnctvAMB4u015RnKoRn +Z9HAZYDY3SqqjjBPm7ljytz4BAdiAOINUhMk60Pq82RyyMZMeHftB6dPIbAsJMH8 +DJVOvc8UPoraSIe22D8UJAOnXJJioMWsQDrTpibIVKGzw5xU2EJLrQWCTdZ+ZKGp +IJArpCI/FIKTFatwANjs8CR9wZouVjqC3VFj3wbnVieNnyUpcuDXyWkdkOTIQf+h +zQwnBgzezJxR8Ul/F/0luaMqQs338ow7i8Cnwc2ZrjOLiTybvzXD0G2Bh7cfVt+7 +GzvbRoYTxlQOGeKv+9UFen4//s6Hd28akFoI8sLq0UKLWpfrmXSEESgMqXAeEA4j +/6vrzYMlO18q9mhIEX+KhbfApDelaWyvDAIqLMeTr2TnL2a1wcCJh6BrSB36Kvyt +3Y4zRg/ZEDLsbewTXirvjPr9unTjTIhrUOngwTpcIqjeU4f9YGCWuJrAdoYCSV1r +fsaVY9Kx8K7M32MeVREvcMZ1DK4oJ7f6ioi1DWco//+o52IdZPAx9lHGzhCSYed3 +007IFRIY7r5/srTlNZyKNGF89RNwPfg+95/3jRAWC/NJn9QEcNh5j7XpL8exvMhu +UQwuj+VuLl8miakM6BG5Zq0Mg82RNtMRDmnHC/PMN1xGtZSi+VdFP7L2OkQqqI0X +FrStV8+91gDsWN/RisdC44c912z+9i/dZ1rWEUAgfDkJQZgEVQf/NFBdh9jZdCMc +Jo3lTjB554tGOMwq/OWK7hxXw2n9BpVRUDzvnSq7K7bcRAmrPBAHA+q+xqWZxKh+ +Tni2Ppa2UXE4j05hIa2120XHm+ASYAkV9tzbOuz+MbSMuCqEEP1zNk2sWrOIIcYE +eTTmEbbZDR5YWPSOFvF+Dau9RoFInCqKve42V90v+UIqEe35dHa7FahX/2tkZ2x5 +XJ/aTEjZWMpcOCg/gQIfOm0Z6qqOegK3WxFIDvBntaQCGs80+kxQV+WaQuqqq+BS +YD3djGpUdXjOgd0xH1GEjSKuadC9PRx4H+S0appa2NAkWeV84134bOC4FTJZrGuO +2ZXITN6Yca/YtEfHo2NAO86XBzpBDJY7X5nydV0ORPgyvXJl3rqT62ykBv3iD/He +p8W7rxg/1FK2cpNRLp7FCGL37Sz036jx6BBidz2t4/+zu33lw07VPELrn8GE1SKh +bQipdeJAA4+89Qreg1ZZ8L1HGbnPuzctg+hlTC7A38//imYHasGchyh6/gCuGkCn +oREvW82XcoDRZ9OW0z07cL31afjTAqZW6xhu00GAl+Bv+XJ9thfBv2C4IBfWuu0t +ccMFGpmLL8fjPJF9yMEE2nsUU3w5jXqJ507uCxwpzU634s7IQhmpHtiwPs4KGxkR +xL5TxYmhfZnT5VayVgkR10wDfLeoeKuuzMHy4RyGYpwVVj0647+OcYLpbd16w62s +fOERLjxHKwCijWHOog8kTtffL63EnrSWLrkun/L5DI1dpEUoYknqHPgMNcESdrOv +CFiWpub1Y/brUYPuf/X48lsD4G/cJOyxZPFpAkS5ea6MlpaMMsuPDmvi8dQckqcb +-----END RSA PRIVATE KEY-----