Test adjustments for FIPS 140 in Java 8

[jkakavas]

This commit touches many of our tests but the changes are actually
few. Setting xpack.security.ssl.diagnose.trust to true
wraps SunJSSE TrustManager with our own DiagnosticTrustManager and
this is not allowed when SunJSSE is in FIPS mode. So when we
use SunJSSE in FIPS mode ( currently only when running our tests
with FIPS mode on for Java 8 runtime ), we need to make sure that
the Diagnostic TrustManager is not enabled. This change
ensures that whenever a new SSLService is to be created, we
explicitly pass xpack.security.ssl.diagnose.trust=false in the
settings used for the SSLService, when we run in FIPS mode in
Java 8.

[elasticmachine]

Pinging @elastic/es-core-infra (:Core/Infra/Build)

[elasticmachine]

Pinging @elastic/es-security (:Security/Security)

[jkakavas]

I'm not sure how we track this and if we have an issue for it ( couldn't find one but I might have failed ) . There was some relevant discussion around this in #49667. Discussed it briefly with @rjernst on slack, and I didn't want to open an issue for this specific case here as it is only part of the problem.

[tvernum]

That doesn't sound right to me. Doesn't environment contain the extra settings here? I think it's supposed to.

[rjernst]

Yes environment should have the extra settings. My comment in slack was about the Settings passed into Plugin constructors.

[jkakavas]

09:34:37 Step 1/26 : FROM centos:7 AS builder
09:34:37 Get https://registry-1.docker.io/v2/: net/http: TLS handshake timeout
09:34:37 
09:34:38 
09:34:38 > Task :extractElasticsearchLinux7.7.0-SNAPSHOT
09:34:39 
09:34:39 > Task :modules:reindex:javadoc
09:34:39 Could not load entry 982b9b97231514a30536541e6a2aae42 from remote build cache
09:34:39 org.gradle.caching.BuildCacheException: Read timed out

[jkakavas]

@elasticmachine run elasticsearch-ci/default-distro

[jkakavas]

importing inFipsSunJsseJvm() and using it in classes that extend LuceneTestCase directly causes failures like https://gradle-enterprise.elastic.co/s/yphikcuckyz5e where the transport client doesn't connect to the node. Ι spent time on understanding why but need to move on for now so I replicated the check for (Boolean.parseBoolean(System.getProperty(FIPS_SYSPROP)) && JavaVersion.current().getVersion().get(0) == 8) in EnrichTransportClientIT and MigrateToolIT

[pugnascotia]

Can't you just do this? I tried the import against your branch and it was OK.

Suggested change

	if (Boolean.parseBoolean(System.getProperty(FIPS_SYSPROP)) && JavaVersion.current().getVersion().get(0) == 8) {
	if (inFipsSunJsseJvm()) {

[jkakavas]

#52211 (comment)

[pugnascotia]

Same here?

Suggested change

	if (Boolean.parseBoolean(System.getProperty(FIPS_SYSPROP)) && JavaVersion.current().getVersion().get(0) == 8) {
	if (inFipsSunJsseJvm()) {

[jkakavas]

see #52211 (comment)

[rjernst]

This needs a comment in code (and preferably a tracking issue) or someone may inadvertently try to make the same obvious change.

[jkakavas]

yes, that makes total sense - I'll make do

[tvernum]

LGTM, but I'd like to understand what's going on in createComponents.

[tvernum]

That doesn't sound right to me. Doesn't environment contain the extra settings here? I think it's supposed to.

[jkakavas]

That doesn't sound right to me. Doesn't environment contain the extra settings here? I think it's supposed to.

Happy to explain @tvernum , this tripped me also while troubleshooting the errors.

See

elasticsearch/server/src/main/java/org/elasticsearch/node/Node.java

Lines 271 to 273 in a304d9a

	protected Node(
	final Environment environment, Collection<Class<? extends Plugin>> classpathPlugins, boolean forbidPrivateIndexSettings) {
	logger = LogManager.getLogger(Node.class);

We get the environment in the constructor of the Node

Then in

elasticsearch/server/src/main/java/org/elasticsearch/node/Node.java

Lines 315 to 330 in a304d9a

	this.pluginsService = new PluginsService(tmpSettings, environment.configFile(), environment.modulesFile(),
	environment.pluginsFile(), classpathPlugins);
	final Settings settings = pluginsService.updatedSettings();
	final Set<DiscoveryNodeRole> possibleRoles = Stream.concat(
	DiscoveryNodeRole.BUILT_IN_ROLES.stream(),
	pluginsService.filterPlugins(Plugin.class)
	.stream()
	.map(Plugin::getRoles)
	.flatMap(Set::stream))
	.collect(Collectors.toSet());
	DiscoveryNode.setPossibleRoles(possibleRoles);
	localNodeFactory = new LocalNodeFactory(settings, nodeEnvironment.nodeId());
	// create the environment based on the finalized (processed) view of the settings
	// this is just to makes sure that people get the same settings, no matter where they ask them from
	this.environment = new Environment(settings, environment.configFile());

we call updatedSettings() on the plugins, get their new settings and create a new Environment that we store in the class variable environment. We now have the local scope environment which is what is passed in the constructor and the this.environment which is the Environment with the potentially added settings from the plugins.

I would think that we then use this.environment for the rest of the method, and we do for the most part, except when we don't.

elasticsearch/server/src/main/java/org/elasticsearch/node/Node.java

Lines 454 to 471 in a304d9a

	final MetaDataCreateIndexService metaDataCreateIndexService = new MetaDataCreateIndexService(
	settings,
	clusterService,
	indicesService,
	clusterModule.getAllocationService(),
	aliasValidator,
	environment,
	settingsModule.getIndexScopedSettings(),
	threadPool,
	xContentRegistry,
	systemIndexDescriptors,
	forbidPrivateIndexSettings);
	Collection<Object> pluginComponents = pluginsService.filterPlugins(Plugin.class).stream()
	.flatMap(p -> p.createComponents(client, clusterService, threadPool, resourceWatcherService,
	scriptModule.getScriptService(), xContentRegistry, environment, nodeEnvironment,
	namedWriteableRegistry).stream())
	.collect(Collectors.toList());

We create the MetaDataCreateIndexService and we call createComponents() on each of the plugins using the local scope environment which doesn't have the additional settings. And this is why this

elasticsearch/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/LocalStateCompositeXPackPlugin.java

Line 142 in 26b9cf7

NamedXContentRegistry xContentRegistry, Environment environment,

doesn't have the additional settings

Now, it could be that this is a simple mistake because the method parameter shadows the class field, but @elastic/es-core-infra is aware of this and it made sense to attack this at in a different PR, this my comment in #52211 (comment).

HTH

[jkakavas]

@rjernst I think I addressed your comment, but pinging for an explicit LGTM just in case

[rjernst]

Sorry for causing confusion. This does seem like a case where we should use additionalSettings().

[rjernst]

Can't this be returnned from additionalSettings()?

[jkakavas]

Apologies if I misunderstood @rjernst but did you read through #52211 (comment) ? I'll go and double check this again but this was supposed to show why additionalSettings doesn't solve this here

[rjernst]

Sorry I missed that explanation. It looks to me like a bug. We should be passing the final environment everywhere once it is created.

[jkakavas]

I'll raise a PR to fix that then and change to use additionalSettings here

[rjernst]

I've opened #52602 to cleanup the name to avoid this situation.