[CI] HttpCertificateCommandTests testGenerateMultipleCertificateWithNewCA failing #126471

Closed
elasticsearchmachine opened this issue Apr 8, 2025 · 8 comments · Fixed by #126621
Assignees
Labels
low-risk An open issue or test failure that is a low risk to future releases :Security/TLS SSL/TLS, Certificates Team:Security Meta label for security team >test-failure Triaged test failures from CI

Comments

@elasticsearchmachine
Collaborator

elasticsearchmachine commented Apr 8, 2025

Build Scans:

Reproduction Line:

./gradlew ":x-pack:plugin:security:cli:test" --tests "org.elasticsearch.xpack.security.cli.HttpCertificateCommandTests.testGenerateMultipleCertificateWithNewCA" -Dtests.seed=3385ED15607E6F4B -Dtests.locale=en-VC -Dtests.timezone=Atlantic/Faroe -Druntime.java=24

Applicable branches:
9.0

Reproduces locally?:
N/A

Failure History:
See dashboard

Failure Message:

java.lang.AssertionError: keyUsage bit [5] not expected to be set: []
Expected: <false>
     but: was <true>

Issue Reasons:

  • [9.0] 4 failures in test testGenerateMultipleCertificateWithNewCA (4.1% fail rate in 97 executions)

Note:
This issue was created using new test triage automation. Please report issues or feedback to es-delivery.

@elasticsearchmachine elasticsearchmachine added :Security/TLS SSL/TLS, Certificates >test-failure Triaged test failures from CI labels Apr 8, 2025
@elasticsearchmachine
Collaborator Author

This has been muted on branch main

Mute Reasons:

  • [main] 2 failures in test testGenerateMultipleCertificateWithNewCA (0.9% fail rate in 229 executions)

Build Scans:

elasticsearchmachine added a commit that referenced this issue Apr 8, 2025
@elasticsearchmachine elasticsearchmachine added Team:Security Meta label for security team needs:risk Requires assignment of a risk label (low, medium, blocker) labels Apr 8, 2025
@elasticsearchmachine
Collaborator Author

Pinging @elastic/es-security (Team:Security)

@n1v0lg
Contributor

n1v0lg commented Apr 8, 2025

Should be related to #126376 -- @slobodanadamovic would you be able to take a quick look? (Just wanna make sure this is a test issue, not prod code, because feature freeze).

@n1v0lg
Contributor

n1v0lg commented Apr 8, 2025

The nice thing is it actually reproduces with:

./gradlew ":x-pack:plugin:security:cli:test" --tests "org.elasticsearch.xpack.security.cli.HttpCertificateCommandTests.testGenerateMultipleCertificateWithNewCA" -Dtests.seed=9741894DA1305379 -Dtests.locale=tr-Latn-TR -Dtests.timezone=Pacific/Enderbury -Druntime.java=24

on main

@n1v0lg
Contributor

n1v0lg commented Apr 8, 2025

Happens when caKeyUsage = randomSubsetOf(CertGenUtils.KEY_USAGE_MAPPINGS.keySet()); is empty.

@n1v0lg
Contributor

n1v0lg commented Apr 8, 2025

Right, makes sense we now set a value by default so it's a matter of a broken test expectation, not a prod code issue. Assigning low-risk.

@n1v0lg n1v0lg added the low-risk An open issue or test failure that is a low risk to future releases label Apr 8, 2025
@n1v0lg n1v0lg self-assigned this Apr 8, 2025
@n1v0lg n1v0lg added >test-failure Triaged test failures from CI and removed >test-failure Triaged test failures from CI needs:risk Requires assignment of a risk label (low, medium, blocker) labels Apr 8, 2025
@slobodanadamovic
Contributor

Yeah, it's a test issue. I will raise a PR to fix it.
It hits an edge case where we randomly generate an empty list of key usages. The empty means, just apply defaults, but we assert based on the generated empty set.
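
The edge case discussed in this thread, as an added illustration that is not code from the Elasticsearch repository or from the fix PR: a test that derives its expectation directly from an empty requested set flags bit 5, while one that first resolves "empty means defaults" passes. The class, method names and `ASSUMED_CA_DEFAULTS` are hypothetical (the thread does not list the actual defaults); the bit order is that of `X509Certificate.getKeyUsage()`, where index 5 is `keyCertSign`.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Set;

public class KeyUsageExpectation {
    // Index order of the boolean[] returned by java.security.cert.X509Certificate#getKeyUsage()
    static final List<String> BITS = List.of("digitalSignature", "nonRepudiation", "keyEncipherment",
        "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly");

    // Assumption for this example only: what the tool applies to a CA when nothing is requested.
    static final Set<String> ASSUMED_CA_DEFAULTS = Set.of("keyCertSign", "cRLSign");

    // An empty request is not "no key usage"; it resolves to the defaults.
    static Set<String> effectiveUsages(Collection<String> requested) {
        return requested.isEmpty() ? ASSUMED_CA_DEFAULTS : Set.copyOf(requested);
    }

    // Compare the certificate's bits with the expected names and report every disagreement.
    static List<String> mismatches(boolean[] actual, Set<String> expected) {
        List<String> out = new ArrayList<>();
        for (int i = 0; i < BITS.size(); i++) {
            boolean set = actual != null && i < actual.length && actual[i];
            boolean want = expected.contains(BITS.get(i));
            if (set != want) {
                out.add("keyUsage bit [" + i + "] (" + BITS.get(i) + ") "
                    + (want ? "expected" : "not expected") + " to be set");
            }
        }
        return out;
    }

    public static void main(String[] args) {
        List<String> requested = List.of();      // the random subset came out empty
        boolean[] fromCert = new boolean[9];     // constructed sample of getKeyUsage() output
        fromCert[5] = true;                      // keyCertSign
        fromCert[6] = true;                      // cRLSign

        // Expectation built from the raw (empty) request: reports bits 5 and 6 as unexpected.
        System.out.println("raw request : " + mismatches(fromCert, Set.copyOf(requested)));
        // Expectation built from the resolved set: no mismatches.
        System.out.println("with default: " + mismatches(fromCert, effectiveUsages(requested)));
    }
}
```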

@elasticsearchmachine
Copy link
Collaborator Author

This has been muted on branch 9.0

Mute Reasons:

  • [9.0] 4 failures in test testGenerateMultipleCertificateWithNewCA (4.1% fail rate in 97 executions)

Build Scans:

elasticsearchmachine added a commit that referenced this issue Apr 9, 2025
slobodanadamovic added a commit to slobodanadamovic/elasticsearch that referenced this issue Apr 10, 2025
Fixes an edge case where we randomly generate an empty list of key
usages then pass it to `certutil` command.
The empty means just apply the defaults, but we assert based on the
generated empty set.

Resolves elastic#126471
slobodanadamovic added a commit that referenced this issue Apr 11, 2025
Fixes an edge case where we randomly generate an empty list of key
usages then pass it to `certutil` command.
The empty means just apply the defaults, but we assert based on the
generated empty set.

Resolves #126471

Co-authored-by: Tim Vernum <[email protected]>
slobodanadamovic added a commit to slobodanadamovic/elasticsearch that referenced this issue Apr 11, 2025
Fixes an edge case where we randomly generate an empty list of key
usages then pass it to `certutil` command.
The empty means just apply the defaults, but we assert based on the
generated empty set.

Resolves elastic#126471

Co-authored-by: Tim Vernum <[email protected]>
(cherry picked from commit 3db258e)

# Conflicts:
#	muted-tests.yml
elasticsearchmachine pushed a commit that referenced this issue Apr 11, 2025
Fixes an edge case where we randomly generate an empty list of key
usages then pass it to `certutil` command.
The empty means just apply the defaults, but we assert based on the
generated empty set.

Resolves #126471

Co-authored-by: Tim Vernum <[email protected]>
(cherry picked from commit 3db258e)

# Conflicts:
#	muted-tests.yml