Skip to content

Commit

Permalink
[TEST] Make SSL restrictions update atomic (#31050)
Browse files Browse the repository at this point in the history
SSLTrustRestrictionsTests updates the restrictions YML file during the test run to change the set of restrictions. This update was small, but it wasn't atomic.
If the yml file is reloaded while empty or invalid, then it causes all SSL certificates to be considered invalid (until it is reloaded again), which could break the sniffing/administrative client that runs underneath the tests.
  • Loading branch information
tvernum authored Jun 7, 2018
1 parent 01b5a46 commit bd3aaba
Showing 1 changed file with 12 additions and 6 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -28,13 +28,16 @@
import javax.net.ssl.SSLSocketFactory;
import java.io.IOException;
import java.net.SocketException;
import java.nio.file.AtomicMoveNotSupportedException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.concurrent.TimeUnit;

import static java.nio.file.StandardCopyOption.ATOMIC_MOVE;
import static java.nio.file.StandardCopyOption.REPLACE_EXISTING;
import static org.hamcrest.Matchers.is;

/**
Expand All @@ -46,11 +49,6 @@
@TestLogging("org.elasticsearch.xpack.ssl.RestrictedTrustManager:DEBUG")
public class SSLTrustRestrictionsTests extends SecurityIntegTestCase {

/**
* Use a small keysize for performance, since the keys are only used in this test, but a large enough keysize
* to get past the SSL algorithm checker
*/

private static final int RESOURCE_RELOAD_MILLIS = 3;
private static final TimeValue MAX_WAIT_RELOAD = TimeValue.timeValueSeconds(1);

Expand All @@ -61,6 +59,7 @@ public class SSLTrustRestrictionsTests extends SecurityIntegTestCase {
private static CertificateInfo trustedCert;
private static CertificateInfo untrustedCert;
private static Path restrictionsPath;
private static Path restrictionsTmpPath;

@Override
protected int maxNumberOfNodes() {
Expand Down Expand Up @@ -124,6 +123,8 @@ public Settings nodeSettings(int nodeOrdinal) {
.put(nodeSSL);

restrictionsPath = configPath.resolve("trust_restrictions.yml");
restrictionsTmpPath = configPath.resolve("trust_restrictions.tmp");

writeRestrictions("*.trusted");
builder.put("xpack.ssl.trust_restrictions.path", restrictionsPath);
builder.put("resource.reload.interval.high", RESOURCE_RELOAD_MILLIS + "ms");
Expand All @@ -133,7 +134,12 @@ public Settings nodeSettings(int nodeOrdinal) {

private void writeRestrictions(String trustedPattern) {
try {
Files.write(restrictionsPath, Collections.singleton("trust.subject_name: \"" + trustedPattern + "\""));
Files.write(restrictionsTmpPath, Collections.singleton("trust.subject_name: \"" + trustedPattern + "\""));
try {
Files.move(restrictionsTmpPath, restrictionsPath, REPLACE_EXISTING, ATOMIC_MOVE);
} catch (final AtomicMoveNotSupportedException e) {
Files.move(restrictionsTmpPath, restrictionsPath, REPLACE_EXISTING);
}
} catch (IOException e) {
throw new ElasticsearchException("failed to write restrictions", e);
}
Expand Down

0 comments on commit bd3aaba

Please sign in to comment.