Fix createLDAPCertStore failing in FIPS mode (#144376)#144453
Fix createLDAPCertStore failing in FIPS mode (#144376)#144453JVerwolf merged 27 commits intoelastic:mainfrom
Conversation
In FIPS environments the LDAP CertStore provider is absent, so
CertStore.getInstance("LDAP", null) throws NoSuchAlgorithmException
with no cause. The entitlement check handler treated any NSAE as a
denial and returned HTTP 403, causing EntitlementsAllowedNonModularIT
to fail.
The fix catches NSAE in createLDAPCertStore() and re-throws only when
getCause() != null, which is the signature of a genuine entitlement
denial (the instrumentation creates the exception as
new NoSuchAlgorithmException(notEntitledException)). A no-cause NSAE
means the provider is simply absent and should be silently swallowed.
Adds unit tests that reproduce both paths by temporarily manipulating
JCA providers.
|
Pinging @elastic/es-core-infra (Team:Core/Infra) |
|
Hi @JVerwolf, I've created a changelog YAML for you. |
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
📝 WalkthroughWalkthroughAdds handling for NoSuchAlgorithmException in createLDAPCertStore so the exception is suppressed when the LDAP CertStore algorithm is unavailable but rethrown when its cause is a NotEntitledException. Introduces NetworkAccessCheckActionsTests with four regression tests covering provider-present, provider-absent, entitlement-denial, and non-entitlement-denial paths. Removes two entries from muted-tests.yml that muted createLDAPCertStore-related tests. Suggested labels
🚥 Pre-merge checks | ✅ 2✅ Passed checks (2 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
@JVerwolf Thanks for handling this. I'll close my mute PR since it makes no sense to proceed with it. One small suggestion, can you add Also, these tests are failing in other branches as well. It would be great to backport this fix to all active ones. |
|
@slobodanadamovic @JVerwolf since the PR is still waiting on a review it'd be great to mute the tests in the meantime to avoid blocking other PRs. Thanks for the fix @JVerwolf! |
I can re-open #144431 and merge it if I get 👍 (or do we even require approval for muting tests?) |
nope mutes go straight to main without approval 👍 (I think automation might even just straight commit them without PRs but perhaps I'm making that part up) |
This comment was marked as off-topic.
This comment was marked as off-topic.
|
@slobodanadamovic I don't think you need approval to mute tests, but I gave it a 👍 anyways. Thanks for this! Question: I don't see the labels you mentioned: |
My bad, they don't have |
|
Keep in mind that we now muted the failing tests on main. You'll need to unmute them after merging the main branch - since they will be skipped. |
| } catch (InvalidAlgorithmParameterException ex) { | ||
| // Assert we actually hit the class we care about, LDAPCertStore (or its impl) | ||
| assert Arrays.stream(ex.getStackTrace()).anyMatch(e -> e.getClassName().endsWith("LDAPCertStore")); | ||
| } catch (NoSuchAlgorithmException ex) { |
There was a problem hiding this comment.
@jdconrad should we consider solving this in a general way? Potentially always checking the thrown exception cause to ensure it's a NotEntitledException?
There was a problem hiding this comment.
I was considering seeing if a different exception made more sense, but the problem remains that we need to know if something isn't entitled. I'll think about how to fix this today.
There was a problem hiding this comment.
@JVerwolf After reviewing rule options, I do think NoSuchAlgorithmException is still the best one.
@mark-vieira is correct that we should guard this test with an additional check, though, to make sure it was actually a NEE that was thrown, but because the bridge is compile-only, you'll have to use a string comparison.
if (ex.getCause() != null && ex.getCause().getClass().getName().equals("org.elasticsearch.enti
+tlement.bridge.NotEntitledException"))
Add a test for the normal (non-FIPS) path where the LDAP CertStore provider is present and InvalidAlgorithmParameterException is caught. Harden the provider removal helper to fail fast with a clear assertion if a provider to be removed is not found in the installed list, rather than silently using position 0 and restoring to the wrong slot.
…elasticsearch into fix/144376-ldap-certstore-fips
jdconrad
left a comment
jdconrad
left a comment
There was a problem hiding this comment.
Just one minor change request.
| } catch (InvalidAlgorithmParameterException ex) { | ||
| // Assert we actually hit the class we care about, LDAPCertStore (or its impl) | ||
| assert Arrays.stream(ex.getStackTrace()).anyMatch(e -> e.getClassName().endsWith("LDAPCertStore")); | ||
| } catch (NoSuchAlgorithmException ex) { |
There was a problem hiding this comment.
@JVerwolf After reviewing rule options, I do think NoSuchAlgorithmException is still the best one.
@mark-vieira is correct that we should guard this test with an additional check, though, to make sure it was actually a NEE that was thrown, but because the bridge is compile-only, you'll have to use a string comparison.
if (ex.getCause() != null && ex.getCause().getClass().getName().equals("org.elasticsearch.enti
+tlement.bridge.NotEntitledException"))
|
I'm running into two (seemingly) unrelated failures that also happen on main:
|
|
run elasticsearch-ci/part-1-fips-140-3 |
|
This PR is blocked on this issue: #144678, as it's preventing a clean CI run. |
|
@elasticmachine test serverless |
|
Passed in CI but the status failed to report back to GH: https://buildkite.com/elastic/elasticsearch-pull-request/builds/131176. Merging |
💔 Backport failedYou can use sqren/backport to manually backport by running |
In FIPS environments the LDAP CertStore provider is absent, so
CertStore.getInstance("LDAP", null) throws NoSuchAlgorithmException
with no cause. The entitlement check handler treated any NSAE as a
denial and returned HTTP 403, causing EntitlementsAllowedNonModularIT
to fail.
The fix catches NSAE in createLDAPCertStore() and re-throws only when
getCause() != null, which is the signature of a genuine entitlement
denial (the instrumentation creates the exception as
new NoSuchAlgorithmException(notEntitledException)). A no-cause NSAE
means the provider is simply absent and should be silently swallowed.
Adds unit tests that reproduce both paths by temporarily manipulating
JCA providers.
(cherry picked from commit 8234302)
# Conflicts:
# muted-tests.yml
💚 All backports created successfully
Questions ?Please refer to the Backport tool documentation |
In FIPS environments the LDAP CertStore provider is absent, so
CertStore.getInstance("LDAP", null) throws NoSuchAlgorithmException
with no cause. The entitlement check handler treated any NSAE as a
denial and returned HTTP 403, causing EntitlementsAllowedNonModularIT
to fail.
The fix catches NSAE in createLDAPCertStore() and re-throws only when
getCause() != null, which is the signature of a genuine entitlement
denial (the instrumentation creates the exception as
new NoSuchAlgorithmException(notEntitledException)). A no-cause NSAE
means the provider is simply absent and should be silently swallowed.
Adds unit tests that reproduce both paths by temporarily manipulating
JCA providers.
(cherry picked from commit 8234302)
# Conflicts:
# muted-tests.yml
In FIPS environments the LDAP CertStore provider is absent, so
CertStore.getInstance("LDAP", null) throws NoSuchAlgorithmException
with no cause. The entitlement check handler treated any NSAE as a
denial and returned HTTP 403, causing EntitlementsAllowedNonModularIT
to fail.
The fix catches NSAE in createLDAPCertStore() and re-throws only when
getCause() != null, which is the signature of a genuine entitlement
denial (the instrumentation creates the exception as
new NoSuchAlgorithmException(notEntitledException)). A no-cause NSAE
means the provider is simply absent and should be silently swallowed.
Adds unit tests that reproduce both paths by temporarily manipulating
JCA providers.
(cherry picked from commit 8234302)
# Conflicts:
# muted-tests.yml
In FIPS environments the LDAP CertStore provider is absent, so CertStore.getInstance(LDAP, null) throws NoSuchAlgorithmException with no cause. The entitlement check handler treated any NSAE as a denial and returned HTTP 403, causing EntitlementsAllowedNonModularIT to fail. The fix catches NSAE in createLDAPCertStore() and re-throws only when getCause() != null, which is the signature of a genuine entitlement denial (the instrumentation creates the exception as new NoSuchAlgorithmException(notEntitledException)). A no-cause NSAE means the provider is simply absent and should be silently swallowed. Adds unit tests that reproduce both paths by temporarily manipulating JCA providers. (cherry picked from commit 8234302)
In FIPS environments the LDAP CertStore provider is absent, so CertStore.getInstance(LDAP, null) throws NoSuchAlgorithmException with no cause. The entitlement check handler treated any NSAE as a denial and returned HTTP 403, causing EntitlementsAllowedNonModularIT to fail. The fix catches NSAE in createLDAPCertStore() and re-throws only when getCause() != null, which is the signature of a genuine entitlement denial (the instrumentation creates the exception as new NoSuchAlgorithmException(notEntitledException)). A no-cause NSAE means the provider is simply absent and should be silently swallowed. Adds unit tests that reproduce both paths by temporarily manipulating JCA providers. (cherry picked from commit 8234302)
In FIPS environments the LDAP CertStore provider is absent, so CertStore.getInstance(LDAP, null) throws NoSuchAlgorithmException with no cause. The entitlement check handler treated any NSAE as a denial and returned HTTP 403, causing EntitlementsAllowedNonModularIT to fail. The fix catches NSAE in createLDAPCertStore() and re-throws only when getCause() != null, which is the signature of a genuine entitlement denial (the instrumentation creates the exception as new NoSuchAlgorithmException(notEntitledException)). A no-cause NSAE means the provider is simply absent and should be silently swallowed. Adds unit tests that reproduce both paths by temporarily manipulating JCA providers. (cherry picked from commit 8234302)
In FIPS environments the LDAP CertStore provider is absent, so CertStore.getInstance(LDAP, null) throws NoSuchAlgorithmException with no cause. The entitlement check handler treated any NSAE as a denial and returned HTTP 403, causing EntitlementsAllowedNonModularIT to fail. The fix catches NSAE in createLDAPCertStore() and re-throws only when getCause() != null, which is the signature of a genuine entitlement denial (the instrumentation creates the exception as new NoSuchAlgorithmException(notEntitledException)). A no-cause NSAE means the provider is simply absent and should be silently swallowed. Adds unit tests that reproduce both paths by temporarily manipulating JCA providers. (cherry picked from commit 8234302)
In FIPS environments the LDAP CertStore provider is absent, so CertStore.getInstance(LDAP, null) throws NoSuchAlgorithmException with no cause. The entitlement check handler treated any NSAE as a denial and returned HTTP 403, causing EntitlementsAllowedNonModularIT to fail. The fix catches NSAE in createLDAPCertStore() and re-throws only when getCause() != null, which is the signature of a genuine entitlement denial (the instrumentation creates the exception as new NoSuchAlgorithmException(notEntitledException)). A no-cause NSAE means the provider is simply absent and should be silently swallowed. Adds unit tests that reproduce both paths by temporarily manipulating JCA providers. (cherry picked from commit 8234302)
In FIPS environments the LDAP CertStore provider is absent, so CertStore.getInstance(LDAP, null) throws NoSuchAlgorithmException with no cause. The entitlement check handler treated any NSAE as a denial and returned HTTP 403, causing EntitlementsAllowedNonModularIT to fail. The fix catches NSAE in createLDAPCertStore() and re-throws only when getCause() != null, which is the signature of a genuine entitlement denial (the instrumentation creates the exception as new NoSuchAlgorithmException(notEntitledException)). A no-cause NSAE means the provider is simply absent and should be silently swallowed. Adds unit tests that reproduce both paths by temporarily manipulating JCA providers. (cherry picked from commit 8234302)
In FIPS environments the LDAP CertStore provider is absent, so
CertStore.getInstance("LDAP", null) throws NoSuchAlgorithmException
with no cause. The entitlement check handler treated any NSAE as a
denial and returned HTTP 403, causing EntitlementsAllowedNonModularIT
to fail.
The fix catches NSAE in createLDAPCertStore() and re-throws only when
getCause() != null, which is the signature of a genuine entitlement
denial (the instrumentation creates the exception as
new NoSuchAlgorithmException(notEntitledException)). A no-cause NSAE
means the provider is simply absent and should be silently swallowed.
Adds unit tests that reproduce both paths by temporarily manipulating
JCA providers.
In FIPS environments the LDAP CertStore provider is absent, so
CertStore.getInstance("LDAP", null) throws NoSuchAlgorithmException
with no cause. The entitlement check handler treated any NSAE as a
denial and returned HTTP 403, causing EntitlementsAllowedNonModularIT
to fail.
The fix catches NSAE in createLDAPCertStore() and re-throws only when
getCause() != null, which is the signature of a genuine entitlement
denial (the instrumentation creates the exception as
new NoSuchAlgorithmException(notEntitledException)). A no-cause NSAE
means the provider is simply absent and should be silently swallowed.
Adds unit tests that reproduce both paths by temporarily manipulating
JCA providers.
In FIPS environments the LDAP CertStore provider is absent, so
CertStore.getInstance("LDAP", null) throws NoSuchAlgorithmException
with no cause. The entitlement check handler treated any NSAE as a
denial and returned HTTP 403, causing EntitlementsAllowedNonModularIT
to fail.
The fix catches NSAE in createLDAPCertStore() and re-throws only when
getCause() != null, which is the signature of a genuine entitlement
denial (the instrumentation creates the exception as
new NoSuchAlgorithmException(notEntitledException)). A no-cause NSAE
means the provider is simply absent and should be silently swallowed.
Adds unit tests that reproduce both paths by temporarily manipulating
JCA providers.
6 participants
In FIPS environments the LDAP CertStore provider is absent, so CertStore.getInstance("LDAP", null) throws NoSuchAlgorithmException with no cause. The entitlement check handler treated any NSAE as a denial and returned HTTP 403, causing EntitlementsAllowedNonModularIT to fail.
The fix catches NSAE(NoSuchAlgorithmException) in createLDAPCertStore() and re-throws only when getCause() != null, which is the signature of a genuine entitlement denial (the instrumentation creates the exception as new NoSuchAlgorithmException(notEntitledException)). A no-cause NSAE means the provider is simply absent and should be silently swallowed.
Adds unit tests that reproduce both paths by temporarily manipulating JCA providers.
Closes: #144376
Closes: #144377
Relates: #144431