From 8ab505a555d728394047bddbd71b21aecefdeaa3 Mon Sep 17 00:00:00 2001
From: Jake Landis
Date: Thu, 11 Jan 2024 16:30:54 -0600
Subject: [PATCH] Prefer new test cluster framework for new fips setting

---
 .../src/main/groovy/elasticsearch.fips.gradle | 1 -
 .../local/FipsEnabledClusterConfigProvider.java | 14 +++++++++++++-
 .../multi-cluster-tests-with-security/build.gradle | 13 -------------
 .../multi-cluster-tests-with-security/build.gradle | 12 ------------
 4 files changed, 13 insertions(+), 27 deletions(-)

diff --git a/build-tools-internal/src/main/groovy/elasticsearch.fips.gradle b/build-tools-internal/src/main/groovy/elasticsearch.fips.gradle
index aaae18401685a..f691d4bd996a7 100644
--- a/build-tools-internal/src/main/groovy/elasticsearch.fips.gradle
+++ b/build-tools-internal/src/main/groovy/elasticsearch.fips.gradle
@@ -79,7 +79,6 @@ if (BuildParams.inFipsJvm) {
 // with no x-pack. Tests having security explicitly enabled/disabled will override this setting
 setting 'xpack.security.enabled', 'false'
 setting 'xpack.security.fips_mode.enabled', 'true'
- setting 'xpack.security.fips_mode.required_providers', '["BCFIPS", "BCJSSE"]'
 setting 'xpack.license.self_generated.type', 'trial'
 setting 'xpack.security.authc.password_hashing.algorithm', 'pbkdf2_stretch'
 keystorePassword 'keystore-password'
diff --git a/test/test-clusters/src/main/java/org/elasticsearch/test/cluster/local/FipsEnabledClusterConfigProvider.java b/test/test-clusters/src/main/java/org/elasticsearch/test/cluster/local/FipsEnabledClusterConfigProvider.java
index 473456f6b0cc3..0978689aae56f 100644
--- a/test/test-clusters/src/main/java/org/elasticsearch/test/cluster/local/FipsEnabledClusterConfigProvider.java
+++ b/test/test-clusters/src/main/java/org/elasticsearch/test/cluster/local/FipsEnabledClusterConfigProvider.java
@@ -8,10 +8,15 @@ package org.elasticsearch.test.cluster.local; + +import org.elasticsearch.test.cluster.util.Version; import org.elasticsearch.test.cluster.util.resource.Resource; +import java.util.HashMap; + public class FipsEnabledClusterConfigProvider implements LocalClusterConfigProvider { + @Override public void apply(LocalClusterSpecBuilder builder) { if (isFipsEnabled()) { @@ -33,7 +38,14 @@ public void apply(LocalClusterSpecBuilder builder) { .setting("xpack.security.fips_mode.enabled", "true") .setting("xpack.license.self_generated.type", "trial") .setting("xpack.security.authc.password_hashing.algorithm", "pbkdf2_stretch") - .keystorePassword("keystore-password"); + .keystorePassword("keystore-password") + .settings(node -> { + var settings = new HashMap(1); + if(node.getVersion().onOrAfter(Version.fromString("8.13.0"))){ + settings.put("xpack.security.fips_mode.required_providers", "[BCFIPS, BCJSSE]"); + } + return settings; + }); } } diff --git a/x-pack/plugin/ml/qa/multi-cluster-tests-with-security/build.gradle b/x-pack/plugin/ml/qa/multi-cluster-tests-with-security/build.gradle index 9d931974d25d5..d102490820a07 100644 --- a/x-pack/plugin/ml/qa/multi-cluster-tests-with-security/build.gradle +++ b/x-pack/plugin/ml/qa/multi-cluster-tests-with-security/build.gradle 
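Review bot: The version gate inside the `.settings(node -> …)` lambda in the second hunk has no comment, and the only explanation for it (the TODO on the removed `maybeDisableForFips` helpers, which says the setting was added in 8.13 and is not available on the previous minor) is deleted by this same commit. I would put `// xpack.security.fips_mode.required_providers was added in 8.13.0; older nodes in mixed-version clusters do not have it` above the `if`, and hoist `Version.fromString("8.13.0")` into a `private static final Version` so it is not re-parsed for every node. The value also changes shape, from `["BCFIPS", "BCJSSE"]` in the removed Gradle line to `[BCFIPS, BCJSSE]` here; this is presumably equivalent once it reaches the node configuration, but it is worth confirming with a FIPS run that the provider check still triggers. With the Gradle line gone, clusters configured only through `elasticsearch.fips.gradle` no longer set the required providers at all. `apply`'s body starts outside the hunk.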
@@ -50,29 +50,16 @@ testClusters.register('mixed-cluster') { tasks.register('remote-cluster', RestIntegTestTask) { mustRunAfter("precommit") systemProperty 'tests.rest.suite', 'remote_cluster' - maybeDisableForFips(it) } tasks.register('mixed-cluster', RestIntegTestTask) { dependsOn 'remote-cluster' useCluster remoteCluster systemProperty 'tests.rest.suite', 'multi_cluster' - maybeDisableForFips(it) } tasks.register("integTest") { dependsOn 'mixed-cluster' - maybeDisableForFips(it) } tasks.named("check").configure { dependsOn("integTest") } - -//TODO: remove with version 8.14. A new FIPS setting was added in 8.13. Since FIPS configures all test clusters and this specific integTest uses -// the previous minor version, that setting is not available when running in FIPS until 8.14. -def maybeDisableForFips(task) { - if (BuildParams.inFipsJvm) { - if(Version.fromString(project.version).before(Version.fromString('8.14.0'))) { - task.enabled = false - } - } -} diff --git a/x-pack/plugin/transform/qa/multi-cluster-tests-with-security/build.gradle b/x-pack/plugin/transform/qa/multi-cluster-tests-with-security/build.gradle index 8f129789d46b7..ae98c08746fab 100644 --- a/x-pack/plugin/transform/qa/multi-cluster-tests-with-security/build.gradle +++ b/x-pack/plugin/transform/qa/multi-cluster-tests-with-security/build.gradle 
@@ -54,29 +54,17 @@ testClusters.register('mixed-cluster') { tasks.register('remote-cluster', RestIntegTestTask) { mustRunAfter("precommit") systemProperty 'tests.rest.suite', 'remote_cluster' - maybeDisableForFips(it) } tasks.register('mixed-cluster', RestIntegTestTask) { dependsOn 'remote-cluster' useCluster remoteCluster systemProperty 'tests.rest.suite', 'multi_cluster' - maybeDisableForFips(it) } tasks.register("integTest") { dependsOn 'mixed-cluster' - maybeDisableForFips(it) } tasks.named("check").configure { dependsOn("integTest") } -//TODO: remove with version 8.14. A new FIPS setting was added in 8.13. Since FIPS configures all test clusters and this specific integTest uses -// the previous minor version, that setting is not available when running in FIPS until 8.14. -def maybeDisableForFips(task) { - if (BuildParams.inFipsJvm) { - if(Version.fromString(project.version).before(Version.fromString('8.14.0'))) { - task.enabled = false - } - } -}