Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[CI] Failures in SamlRealmTests on 6.8 #73314

Closed
droberts195 opened this issue May 24, 2021 · 3 comments
Closed

[CI] Failures in SamlRealmTests on 6.8 #73314

droberts195 opened this issue May 24, 2021 · 3 comments
Assignees
@tvernum
Labels
:Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) Team:Security Meta label for security team >test-failure Triaged test failures from CI

Comments

@droberts195
Copy link
Contributor

Build scan:

https://gradle-enterprise.elastic.co/s/3auabo7jtnf6s

Repro line:

./gradlew ':x-pack:plugin:security:unitTest' \
  -Dtests.seed=68F25F624E2A1164 \
  -Dtests.class=org.elasticsearch.xpack.security.authc.saml.SamlRealmTests \
  -Dtests.security.manager=true \
  -Dtests.locale=en-US \
  -Dtests.timezone=UTC \
  -Dcompiler.java=11 \
  -Druntime.java=8

Reproduces locally?:

No (which is quite strange as this seems to make almost every periodic 6.8 build fail across multiple platforms)

Applicable branches:

6.8

Failure history:

https://build-stats.elastic.co/app/kibana#/discover?_g=(refreshInterval:(pause:!t,value:0),time:(from:now-30d,mode:quick,to:now))&_a=(columns:!(_source),index:b646ed00-7efc-11e8-bf69-63c8ef516157,interval:auto,query:(language:lucene,query:SamlRealmTests),sort:!(process.time-start,desc))

Failures started on 6th May. Frequency of failures increased on 18th May.

Failure excerpt:

   > Throwable #1: java.security.PrivilegedActionException: net.shibboleth.utilities.java.support.component.ComponentInitializationException: Error refreshing metadata during init
   > 	at __randomizedtesting.SeedInfo.seed([B324C19F0D73FC0C:E9A194C30B6FDA46]:0)
   > 	at java.security.AccessController.doPrivileged(Native Method)
   > 	at org.elasticsearch.xpack.security.authc.saml.SamlRealm.initialiseResolver(SamlRealm.java:631)
   > 	at org.elasticsearch.xpack.security.authc.saml.SamlRealm.parseHttpMetadata(SamlRealm.java:544)
   > 	at org.elasticsearch.xpack.security.authc.saml.SamlRealm.initializeResolver(SamlRealm.java:517)
   > 	at org.elasticsearch.xpack.security.authc.saml.SamlRealmTests.testReadIdpMetadataFromHttps(SamlRealmTests.java:148)
   > 	at java.lang.Thread.run(Thread.java:748)
   > Caused by: net.shibboleth.utilities.java.support.component.ComponentInitializationException: Error refreshing metadata during init
   > 	at org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver.initMetadataResolver(AbstractReloadingMetadataResolver.java:264)
   > 	at org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver.doInitialize(AbstractMetadataResolver.java:287)
   > 	at net.shibboleth.utilities.java.support.component.AbstractInitializableComponent.initialize(AbstractInitializableComponent.java:61)
   > 	at org.elasticsearch.xpack.security.authc.saml.SamlRealm.lambda$initialiseResolver$11(SamlRealm.java:632)
   > 	... 42 more
   > Caused by: net.shibboleth.utilities.java.support.resolver.ResolverException: net.shibboleth.utilities.java.support.resolver.ResolverException: Error retrieving metadata from https://localhost:33951
   > 	at org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver.refresh(AbstractReloadingMetadataResolver.java:297)
   > 	at org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver.initMetadataResolver(AbstractReloadingMetadataResolver.java:262)
   > 	... 45 more
   > Caused by: net.shibboleth.utilities.java.support.resolver.ResolverException: Error retrieving metadata from https://localhost:33951
   > 	at org.opensaml.saml.metadata.resolver.impl.HTTPMetadataResolver.fetchMetadata(HTTPMetadataResolver.java:314)
   > 	at org.elasticsearch.xpack.security.authc.saml.SamlRealm$PrivilegedHTTPMetadataResolver.access$001(SamlRealm.java:559)
   > 	at org.elasticsearch.xpack.security.authc.saml.SamlRealm$PrivilegedHTTPMetadataResolver.lambda$fetchMetadata$0(SamlRealm.java:569)
   > 	at java.security.AccessController.doPrivileged(Native Method)
   > 	at org.elasticsearch.xpack.security.authc.saml.SamlRealm$PrivilegedHTTPMetadataResolver.fetchMetadata(SamlRealm.java:568)
   > 	at org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver.refresh(AbstractReloadingMetadataResolver.java:285)
   > 	... 46 more
   > Caused by: javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
   > 	at sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1470)
   > 	at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1298)
   > 	at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1199)
   > 	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:401)
   > 	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:373)
   > 	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394)
   > 	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
   > 	at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:141)
   > 	at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
   > 	at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
   > 	at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
   > 	at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
   > 	at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
   > 	at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
   > 	at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
   > 	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
   > 	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
   > 	at org.opensaml.saml.metadata.resolver.impl.HTTPMetadataResolver.fetchMetadata(HTTPMetadataResolver.java:287)
   > 	... 51 more
   > Caused by: java.io.EOFException: SSL peer shut down incorrectly
   > 	at sun.security.ssl.SSLSocketInputRecord.read(SSLSocketInputRecord.java:480)
   > 	at sun.security.ssl.SSLSocketInputRecord.readHeader(SSLSocketInputRecord.java:469)
   > 	at sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:159)
   > 	at sun.security.ssl.SSLTransport.decode(SSLTransport.java:110)
   > 	at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1290)
   > 	... 67 more

This looks like the same error as #30445, although that was fixed years ago.
@droberts195 droberts195 added >test-failure Triaged test failures from CI :Security/IdentityProvider Identity Provider (SSO) project in X-Pack labels May 24, 2021
@elasticmachine elasticmachine added the Team:Security Meta label for security team label May 24, 2021
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-security (Team:Security)

@droberts195 droberts195 mentioned this issue May 24, 2021
Merged
droberts195 added a commit that referenced this issue May 24, 2021
@droberts195
Mute SamlRealmTests (#73315)
edb09a0 
Due to #73314
@droberts195
Copy link
Contributor Author

Muted in 6.8 by #73315

This was referenced May 28, 2021
Closed
Merged
@tvernum tvernum added :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) and removed :Security/IdentityProvider Identity Provider (SSO) project in X-Pack labels Jul 14, 2021
@tvernum tvernum self-assigned this Jul 14, 2021
tvernum added a commit to tvernum/elasticsearch that referenced this issue Jul 14, 2021
@tvernum
Update SamlRealmTests to use TLSv1.2 only
4721dd8 
Recent JDK builds disable TLSv1 and TLSv1.1, which would cause this test
to fail whenver it was (randonly) configured to use those protocols.

For the purposes of this test it is no longer necessary to test with
older protocols, and the test can rely on TLSv1.2 instead.

Resolves: elastic#73314
@tvernum tvernum mentioned this issue Jul 14, 2021
Merged
tvernum added a commit that referenced this issue Jul 14, 2021
@tvernum
Update SamlRealmTests to use TLSv1.2 only (#75324)
98dca65 
Recent JDK builds disable TLSv1 and TLSv1.1, which would cause this test
to fail whenever it was (randomly) configured to use those protocols.

For the purposes of this test it is no longer necessary to test with
older protocols, and the test can rely on TLSv1.2 instead.

Resolves: #73314
@jkakavas
Copy link
Member

This was resolved in #75324

2lambda123 pushed a commit to 2lambda123/elastic-elasticsearch that referenced this issue May 3, 2024
@droberts195
Mute SamlRealmTests
bdfa580 
Due to elastic/elasticsearch#73314
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tvernum tvernum

Labels
:Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) Team:Security Meta label for security team >test-failure Triaged test failures from CI
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@tvernum @droberts195 @jkakavas @elasticmachine