[CI] SSLErrorMessageFileTests class failing #121960

Closed
elasticsearchmachine opened this issue Feb 6, 2025 · 10 comments
Labels
low-risk An open issue or test failure that is a low risk to future releases :Security/Security Security issues without another label Team:Security Meta label for security team >test-failure Triaged test failures from CI

Comments

@elasticsearchmachine
Collaborator

elasticsearchmachine commented Feb 6, 2025

Build Scans:

Reproduction Line:

./gradlew ":x-pack:plugin:security:test" --tests "org.elasticsearch.xpack.ssl.SSLErrorMessageFileTests.testMessageForCertificateAuthoritiesOutsideConfigDir" -Dtests.seed=980B56688AF2245A -Dtests.jvm.argline="-Des.entitlements.enabled=true" -Dtests.locale=zgh-Tfng-MA -Dtests.timezone=Asia/Bahrain -Druntime.java=24

Applicable branches:
main

Reproduces locally?:
N/A

Failure History:
See dashboard

Failure Message:

java.lang.AssertionError: 
Expected: a throwable with message of "failed to load SSL configuration [xpack.monitoring.exporters.http.ssl] - cannot read configured PEM certificate_authorities [/this/path/is/outside/the/config/directory/file.error] because access to read the file is blocked; SSL resources should be placed in the [/dev/shm/bk/bk-agent-prod-gcp-1740575026537098452/elastic/elasticsearch-periodic/x-pack/plugin/security/build/testrun/test/temp/org.elasticsearch.xpack.ssl.SSLErrorMessageFileTests_980B56688AF2245A-001/tempDir-053/config] directory"
     but: was <org.elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.monitoring.exporters.http.ssl] - cannot read configured PEM certificate_authorities [/this/path/is/outside/the/config/directory/file.error] because the file does not exist> at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSslConfigurations$11(SSLService.java:622)

Issue Reasons:

  • [main] 17 consecutive failures in step openjdk24_entitlements_true_checkpart4_java-matrix
  • [main] 17 consecutive failures in step openjdk24_entitlements_false_checkpart4_java-matrix
  • [main] 34 failures in class org.elasticsearch.xpack.ssl.SSLErrorMessageFileTests (3.5% fail rate in 958 executions)
  • [main] 17 failures in step openjdk24_entitlements_true_checkpart4_java-matrix (100.0% fail rate in 17 executions)
  • [main] 17 failures in step openjdk24_entitlements_false_checkpart4_java-matrix (100.0% fail rate in 17 executions)
  • [main] 17 failures in pipeline elasticsearch-periodic (100.0% fail rate in 17 executions)

Note:
This issue was created using new test triage automation. Please report issues or feedback to es-delivery.

@elasticsearchmachine elasticsearchmachine added :Security/TLS SSL/TLS, Certificates >test-failure Triaged test failures from CI Team:Security Meta label for security team needs:risk Requires assignment of a risk label (low, medium, blocker) labels Feb 6, 2025
@elasticsearchmachine
Collaborator Author

Pinging @elastic/es-security (Team:Security)

@n1v0lg n1v0lg added :Core/Infra/Core Core issues without another label Team:Core/Infra Meta label for core/infra team labels Feb 14, 2025
@elasticsearchmachine
Collaborator Author

Pinging @elastic/es-core-infra (Team:Core/Infra)

@n1v0lg
Contributor

n1v0lg commented Feb 14, 2025

This passes reliably without entitlements and fails with them enabled:

./gradlew ":x-pack:plugin:security:test" --tests "org.elasticsearch.xpack.ssl.SSLErrorMessageFileTests.testMessageForPemKeyOutsideConfigDir" -Dtests.jvm.argline="-Des.entitlements.enabled=true" -Dtests.locale=prg-PL -Dtests.timezone=Etc/GMT+1 -Druntime.java=24

(Note that no seed is needed above).

Based on the assertion failure, I'm assuming that we're missing entitlements-related config:

Expected:

failed to load SSL configuration [xpack.security.transport.ssl] - cannot read configured PEM private key [/this/path/is/outside/the/config/directory/file.error] because access to read the file is blocked; SSL resources should be placed in the [<omitted>/x-pack/plugin/security/build/testrun/test/temp/org.elasticsearch.xpack.ssl.SSLErrorMessageFileTests_42EC0C234925F23B-001/tempDir-002/config] directory

But was:

failed to load SSL configuration [xpack.security.transport.ssl] - cannot read configured PEM private key [/this/path/is/outside/the/config/directory/file.error] because the file does not exist

Could someone from Core Infra take a look? Thanks!

@n1v0lg n1v0lg removed :Security/TLS SSL/TLS, Certificates Team:Security Meta label for security team labels Feb 14, 2025
@rjernst
Member

rjernst commented Feb 14, 2025

This looks like a test-only problem. We need test config for entitlements to fix.
cc @prdoyle

@prdoyle prdoyle self-assigned this Feb 14, 2025
@prdoyle prdoyle added low-risk An open issue or test failure that is a low risk to future releases and removed needs:risk Requires assignment of a risk label (low, medium, blocker) labels Feb 14, 2025
@rjernst
Member

rjernst commented Feb 14, 2025

@n1v0lg This is not entitlements related (note that although entitlements are in the jvm args, that is only used when running ES currently, not in unit tests such as this one). The problem is this test ran on JDK 24, where no security manager can be used. It looks like the test (or the ssl error message code) is specifically looking for security manager exceptions. It should be refactored to work without that.

@prdoyle prdoyle removed their assignment Feb 14, 2025
@prdoyle prdoyle added needs:risk Requires assignment of a risk label (low, medium, blocker) and removed low-risk An open issue or test failure that is a low risk to future releases labels Feb 14, 2025
@ldematte ldematte added :Security/Security Security issues without another label and removed :Core/Infra/Core Core issues without another label Team:Core/Infra Meta label for core/infra team labels Feb 17, 2025
@elasticsearchmachine elasticsearchmachine added the Team:Security Meta label for security team label Feb 17, 2025
@n1v0lg
Contributor

n1v0lg commented Feb 17, 2025

Good catch @rjernst -- on my plate to take another look 👀

@n1v0lg n1v0lg self-assigned this Feb 18, 2025
@mosche
Contributor

mosche commented Feb 26, 2025

@n1v0lg any progress on this? This blocks us from migrating to JDK 24

@n1v0lg
Contributor

n1v0lg commented Feb 26, 2025

@mosche I'll take a look today or find someone else from the security team.

@mosche
Contributor

mosche commented Feb 26, 2025

Thanks @n1v0lg, I had a brief look. The failing tests rely on security manager denying the operation; this won't be possible using entitlements (at least at the moment). Entitlement checks are not enabled for unit tests, but only when running Elasticsearch (e.g. in REST tests).
I'll raise a PR to skip these tests if running without security manager.

@mosche mosche added low-risk An open issue or test failure that is a low risk to future releases and removed needs:risk Requires assignment of a risk label (low, medium, blocker) labels Feb 26, 2025
@mosche
Contributor

mosche commented Feb 26, 2025

Fixing this issue will require a follow up by @elastic/es-security to migrate code from handling AccessControlException to NotEntitledException

Respective tests would have to be implemented as REST tests
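
Added example, not part of the thread and not Elasticsearch code: a minimal Java sketch of why the reported message flips from "access to read the file is blocked" to "the file does not exist" when no policy layer denies the read, and of handling both denial types named above. The local `NotEntitledException` is a stand-in for the real class, and `FileReader`, `describeFailure` and the config directory value are hypothetical names constructed for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.NoSuchFileException;
import java.nio.file.Path;
import java.security.AccessControlException;

public class SslFileErrorDemo {
    // Hypothetical stand-in for the entitlement denial named in the thread;
    // Elasticsearch's real NotEntitledException is not on this classpath.
    static class NotEntitledException extends RuntimeException {
        NotEntitledException(String message) { super(message); }
    }

    // Hypothetical reader hook so a denial can be simulated in a plain JVM.
    interface FileReader { byte[] read(Path path) throws IOException; }

    // Builds the operator-facing reason, using the wording quoted in the issue.
    static String describeFailure(String setting, Path file, Path configDir, FileReader reader) {
        String prefix = "failed to load SSL configuration [" + setting + "] - cannot read configured PEM "
            + "certificate_authorities [" + file + "] because ";
        try {
            reader.read(file);
            return null; // readable: nothing to report
        } catch (AccessControlException | NotEntitledException e) {
            // Denied by policy: security manager (before JDK 24) or entitlements.
            return prefix + "access to read the file is blocked; SSL resources should be placed in the ["
                + configDir + "] directory";
        } catch (NoSuchFileException e) {
            // No policy layer intervened, so the file system's answer surfaces instead.
            return prefix + "the file does not exist";
        } catch (IOException e) {
            return prefix + "of an I/O error: " + e.getMessage(); // wording constructed for this example
        }
    }

    public static void main(String[] args) {
        Path outside = Path.of("/this/path/is/outside/the/config/directory/file.error");
        Path configDir = Path.of("/constructed/config"); // constructed sample value
        String setting = "xpack.monitoring.exporters.http.ssl";
        // Unit-test JVM on JDK 24: no security manager and no entitlement checks.
        System.out.println(describeFailure(setting, outside, configDir, Files::readAllBytes));
        // Simulated policy denials, one per mechanism.
        System.out.println(describeFailure(setting, outside, configDir,
            p -> { throw new AccessControlException("access denied"); }));
        System.out.println(describeFailure(setting, outside, configDir,
            p -> { throw new NotEntitledException("not entitled"); }));
    }
}
```

The first call prints the "does not exist" variant seen in the CI failure; the two simulated denials print the "access to read the file is blocked" variant the test expected.
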

elasticsearchmachine pushed a commit that referenced this issue Feb 27, 2025
SSL file utils currently only handle security manager access control
exceptions around file read checks. This PR extends these to support
entitlement checks as well. 

There is no easy way to unit test this since we can't run unit tests
with entitlements enabled (for now). The PR includes a REST test
instead. 

Relates: #121960
@n1v0lg n1v0lg closed this as completed Feb 27, 2025