Elasticsearch: Don't throw exception on missing CA cert file

modules/elasticsearch/src/main/java/org/testcontainers/elasticsearch/ElasticsearchContainer.java

@@ -1,7 +1,10 @@
 package org.testcontainers.elasticsearch;
 
 import com.github.dockerjava.api.command.InspectContainerResponse;
+import com.github.dockerjava.api.exception.NotFoundException;
+import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.io.IOUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.testcontainers.containers.GenericContainer;
 import org.testcontainers.containers.wait.strategy.LogMessageWaitStrategy;
 import org.testcontainers.utility.Base58;
@@ -21,6 +24,7 @@
  * Represents an elasticsearch docker instance which exposes by default port 9200 and 9300 (transport.tcp.port)
  * The docker image is by default fetched from docker.elastic.co/elasticsearch/elasticsearch
  */
+@Slf4j
 public class ElasticsearchContainer extends GenericContainer<ElasticsearchContainer> {
 
     /**
@@ -55,6 +59,7 @@ public class ElasticsearchContainer extends GenericContainer<ElasticsearchContai
     private final boolean isOss;
     private final boolean isAtLeastMajorVersion8;
     private Optional<byte[]> caCertAsBytes = Optional.empty();
+    private String certPath = "/usr/share/elasticsearch/config/certs/http_ca.crt";
 
     /**
      * @deprecated use {@link ElasticsearchContainer(DockerImageName)} instead
@@ -100,10 +105,17 @@ public ElasticsearchContainer(final DockerImageName dockerImageName) {
 
     @Override
     protected void containerIsStarted(InspectContainerResponse containerInfo) {
-        if (isAtLeastMajorVersion8) {
-            byte[] bytes = copyFileFromContainer("/usr/share/elasticsearch/config/certs/http_ca.crt", IOUtils::toByteArray);
-            if (bytes.length > 0) {
-                this.caCertAsBytes = Optional.of(bytes);
+        if (isAtLeastMajorVersion8 && StringUtils.isNotEmpty(certPath)) {
+            try {
+                byte[] bytes = copyFileFromContainer(certPath, IOUtils::toByteArray);
+                if (bytes.length > 0) {
+                    this.caCertAsBytes = Optional.of(bytes);
+                }
+            } catch (NotFoundException e) {
+                // just emit an error message, but do not throw an exception
+                // this might be ok, if the docker image is accidentally looking like version 8 or latest
+                // can happen if Elasticsearch is repackaged, i.e. with custom plugins
+                log.warn("CA cert under " + certPath + " not found.");
             }
         }
     }
@@ -158,6 +170,17 @@ public ElasticsearchContainer withPassword(String password) {
         return this;
     }
 
+    /**
+     * Configure a CA cert path that is not the default
+     *
+     * @param certPath Path to the CA certificate within the Docker container to extract it from after start up
+     * @return this
+     */
+    public ElasticsearchContainer withCertPath(String certPath) {
+        this.certPath = certPath;
+        return this;
+    }
+
     public String getHttpHostAddress() {
         return getHost() + ":" + getMappedPort(ELASTICSEARCH_DEFAULT_PORT);
     }

modules/elasticsearch/src/test/java/org/testcontainers/elasticsearch/ElasticsearchContainerTest.java

@@ -1,5 +1,6 @@
 package org.testcontainers.elasticsearch;
 
+import com.github.dockerjava.api.DockerClient;
 import org.apache.http.HttpHost;
 import org.apache.http.auth.AuthScope;
 import org.apache.http.auth.UsernamePasswordCredentials;
@@ -17,8 +18,12 @@
 import org.elasticsearch.transport.client.PreBuiltTransportClient;
 import org.junit.After;
 import org.junit.Test;
+import org.testcontainers.DockerClientFactory;
+import org.testcontainers.images.RemoteDockerImage;
 import org.testcontainers.utility.DockerImageName;
+import org.testcontainers.utility.MountableFile;
 
+import javax.net.ssl.SSLHandshakeException;
 import java.io.IOException;
 
 import static org.hamcrest.CoreMatchers.containsString;
@@ -252,29 +257,75 @@ public void incompatibleSettingsTest() {
 
     @Test
     public void testElasticsearch8SecureByDefault() throws Exception {
-        try (ElasticsearchContainer container = new ElasticsearchContainer("docker.elastic.co/elasticsearch/elasticsearch:8.0.0")) {
+        try (ElasticsearchContainer container = new ElasticsearchContainer("docker.elastic.co/elasticsearch/elasticsearch:8.1.2")) {
             // Start the container. This step might take some time...
             container.start();
 
-            // Create the secured client.
-            final CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
-            credentialsProvider.setCredentials(AuthScope.ANY,
-                new UsernamePasswordCredentials(ELASTICSEARCH_USERNAME, ElasticsearchContainer.ELASTICSEARCH_DEFAULT_PASSWORD));
-
-            client = RestClient.builder(HttpHost.create("https://" + container.getHttpHostAddress()))
-                .setHttpClientConfigCallback(httpClientBuilder -> {
-                    httpClientBuilder.setDefaultCredentialsProvider(credentialsProvider);
-                    httpClientBuilder.setSSLContext(container.createSslContextFromCa());
-                    return httpClientBuilder;
-                })
-                .build();
+            Response response = getClusterHealth(container);
+            assertThat(response.getStatusLine().getStatusCode(), is(200));
+            assertThat(EntityUtils.toString(response.getEntity()), containsString("cluster_name"));
+        }
+    }
 
-            Response response = client.performRequest(new Request("GET", "/_cluster/health"));
+    @Test
+    public void testElasticsearch8SecureByDefaultCustomCaCertFails() throws Exception {
+        final MountableFile mountableFile = MountableFile.forClasspathResource("http_ca.crt");
+        String caPath = "/tmp/http_ca.crt";
+        try (ElasticsearchContainer container = new ElasticsearchContainer("docker.elastic.co/elasticsearch/elasticsearch:8.1.2")
+            .withCopyToContainer(mountableFile, caPath)
+            .withCertPath(caPath)) {
+
+            container.start();
+
+            // this is expected, as a different cert is used for creating the SSL context
+            assertThrows("PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors", SSLHandshakeException.class, () -> getClusterHealth(container));
+        }
+    }
+
+    @Test
+    public void testElasticsearch8SecureByDefaultFailsSilentlyOnLatestImages() throws Exception {
+        // this test exists for custom images by users that use the `latest` tag
+        // even though the version might be older than version 8
+        // this tags an old 7.x version as :latest
+        tagImage("docker.elastic.co/elasticsearch/elasticsearch:7.9.2", "elasticsearch-tc-older-release", "latest");
+        DockerImageName image = DockerImageName.parse("elasticsearch-tc-older-release:latest").asCompatibleSubstituteFor("docker.elastic.co/elasticsearch/elasticsearch");
+
+        try (ElasticsearchContainer container = new ElasticsearchContainer(image)) {
+            container.start();
+
+            Response response = getClient(container).performRequest(new Request("GET", "/_cluster/health"));
             assertThat(response.getStatusLine().getStatusCode(), is(200));
             assertThat(EntityUtils.toString(response.getEntity()), containsString("cluster_name"));
         }
     }
 
+    private void tagImage(String sourceImage, String targetImage, String targetTag) throws InterruptedException {
+        DockerClient dockerClient = DockerClientFactory.instance().client();
+        dockerClient.tagImageCmd(
+                new RemoteDockerImage(DockerImageName.parse(sourceImage)).get(),
+                targetImage,
+                targetTag
+            )
+            .exec();
+    }
+
+    private Response getClusterHealth(ElasticsearchContainer container) throws IOException {
+        // Create the secured client.
+        final CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
+        credentialsProvider.setCredentials(AuthScope.ANY,
+            new UsernamePasswordCredentials(ELASTICSEARCH_USERNAME, ElasticsearchContainer.ELASTICSEARCH_DEFAULT_PASSWORD));
+
+        client = RestClient.builder(HttpHost.create("https://" + container.getHttpHostAddress()))
+            .setHttpClientConfigCallback(httpClientBuilder -> {
+                httpClientBuilder.setDefaultCredentialsProvider(credentialsProvider);
+                httpClientBuilder.setSSLContext(container.createSslContextFromCa());
+                return httpClientBuilder;
+            })
+            .build();
+
+        return client.performRequest(new Request("GET", "/_cluster/health"));
+    }
+
     private RestClient getClient(ElasticsearchContainer container) {
         if (client == null) {
             final CredentialsProvider credentialsProvider = new BasicCredentialsProvider();

modules/elasticsearch/src/test/resources/http_ca.crt

@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFWjCCA0KgAwIBAgIVAPVLz0Dwvzl66ZVpyJY/ntos+qQZMA0GCSqGSIb3DQEB
+CwUAMDwxOjA4BgNVBAMTMUVsYXN0aWNzZWFyY2ggc2VjdXJpdHkgYXV0by1jb25m
+aWd1cmF0aW9uIEhUVFAgQ0EwHhcNMjIwNDE0MDcyOTA4WhcNMjUwNDEzMDcyOTA4
+WjA8MTowOAYDVQQDEzFFbGFzdGljc2VhcmNoIHNlY3VyaXR5IGF1dG8tY29uZmln
+dXJhdGlvbiBIVFRQIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA
+ufHmvM04dPKNF6AulX3HrjNfcYy62pBO2oJIKhScetDzuRupv/qiXkO1gzGT3/jk
+8uk57rzylDFoCgFNUyWdYQAXD+qsy5vbAytGVNCHOGSuWlNm1bbDYwZNTXjZTK6C
+CKIY31lbFn9a4oM+Jp1kvIr8GSMQAYDisq+yrVloDLkRs1SPImnoaXsq8epxloBf
+En0vo5V8PtOh+xQFpPP21pd5QohCSB+jMaxaizScWX+k7BijEaS1LCsc2w2PNvwn
+/bEvtW7w9w+HnzRGZW2nVlt8eji1PHMmfM5Zugn4HAxsSvdI9VRFGAeT2moNiSLN
+zxOWmEvQVl2MxRWiTkM1EM7CFDN40hLHtHej8UddeXTDDXyLoUjY3FmaB45rLKdE
+k/rszepc3lmptEMh74iUowKaYZTS5jRqT0yIDzevP5je3JP+pe4aNkx7lWMhTReQ
+6fs97nd71PfJBuMcHPEA14zwSzSRb/8mNqqaQLBb5H1DpDcZtzbBxb4wFSAa7Dd0
+pVl4A04iB4PS3DaWg/im2C5a83nUTld7Lvy+I6cO1MTaXdkzn6EWXtxkHj7P4VXX
+sFTr+Z2A6g/novqderirQzq8aD87MBp2hLBgG59lVB3IXA+CJTzBRBZipU+FOSs2
+1enMlaEa84d8cb+GSpDkmsvamPMhhLeMw6QLmhQXoWMCAwEAAaNTMFEwHQYDVR0O
+BBYEFOt9JC+RiqfFdGf/UT2vfmnV8f+kMB8GA1UdIwQYMBaAFOt9JC+RiqfFdGf/
+UT2vfmnV8f+kMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBALFX
+r2CKtu2DcLFQaZft9LeRK67xU0rjN8w1+0MN9otSkU9avd8atPOI9p6r67HZyoTv
+LDA47ajitzPo4zAXiy4GUXFVCjx3iPOQ4TTCm0YEf9IudLHLqGTbK+Pup6XlfAMb
+RejkztcXkxw3Cy6SjIRq99xU8J6Y1jAggB162hqnp3u42nA1PgOJgo/biUYeVtu7
+Y01gKPdCEkiqmSFxfLiRPv5Z4WyYoKge6UyDYFHu0zyMY7zQ2hzrPMFsEhI4+g5D
+W7ihilcOijhvfeeWIxcP5lRn2pGbf2GtwqtA7Bt9YKp+NQIBPzK7D1ymS0v/CAWh
+3Bv1rqkqDK8TlBybZitTTB6MgGtXOBccouTPmBFBXSWydvW4GW6Dag/ogHHE2vG2
+xlXY6EC1QEzExcM5FZNJI6SOaK0nl+WKAv060U/1ZqcRIkhyctYdkrK4449n1JMy
+wjtwcDW7QxhQspHp8GEXztLctokqGjnuMcgPjVoFdiF3w/IV0UUvVeFK4Oms0YbH
+uFr3q44Fu/Fol68/1CUk1ytgLUS5anf0Q0WlJsmMUX156ATA29dVBfloJN63EYd7
+01uwbjoMJce7MiwTaLIetW75fxxZHlQK9TMNhaQwKUO8SRaNuE4wKURFoKPg/Dqu
+yPhx9adseStlJ3oV6ziEWMwjOK2JmJf0bmIqQ7KR
+-----END CERTIFICATE-----