make test-suite runnable under FIPS

Signed-off-by: Igonin <iigonin@sternad.de>
Co-authored-by: Benny Goerzig <benny.goerzig@sap.com>
Co-authored-by: Karsten Schnitter <k.schnitter@sap.com>
Co-authored-by: Kai Sternad <k.sternad@sternad.de>

Author: 4 people

src/integrationTest/java/org/opensearch/security/TlsHostnameVerificationTests.java

@@ -12,6 +12,7 @@
 import java.util.Map;
 
 import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
+import org.bouncycastle.crypto.CryptoServicesRegistrar;
 import org.junit.Assert;
 import org.junit.Rule;
 import org.junit.Test;
@@ -57,7 +58,11 @@ public void clusterShouldNotStart_nodesSanIpsAreInvalid() {
             cluster.before();
             Assert.fail("Cluster should not start, an exception expected");
         } catch (Exception e) {
-            logsRule.assertThatContain("No subject alternative names matching IP address 127.0.0.1 found");
+            if (CryptoServicesRegistrar.isInApprovedOnlyMode()) {
+                logsRule.assertThatStackTraceContain("No subject alternative name found matching IP address 127.0.0.1");
+            } else {
+                logsRule.assertThatContain("No subject alternative names matching IP address 127.0.0.1 found");
+            }
         }
     }
 }

src/integrationTest/java/org/opensearch/security/TlsTests.java

@@ -20,6 +20,7 @@
 import org.apache.hc.client5.http.impl.classic.CloseableHttpResponse;
 import org.apache.hc.client5.http.impl.classic.HttpClients;
 import org.apache.hc.core5.http.NoHttpResponseException;
+import org.bouncycastle.crypto.CryptoServicesRegistrar;
 import org.junit.ClassRule;
 import org.junit.Rule;
 import org.junit.Test;
@@ -51,7 +52,7 @@ public class TlsTests {
 
     private static final User USER_ADMIN = new User("admin").roles(ALL_ACCESS);
 
-    public static final String SUPPORTED_CIPHER_SUIT = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256";
+    public static final String SUPPORTED_CIPHER_SUIT = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384";
     public static final String NOT_SUPPORTED_CIPHER_SUITE = "TLS_RSA_WITH_AES_128_CBC_SHA";
     public static final String AUTH_INFO_ENDPOINT = "/_opendistro/_security/authinfo?pretty";
 
@@ -99,7 +100,11 @@ public void shouldSupportClientCipherSuite_negative() throws IOException {
         try (CloseableHttpClient client = cluster.getClosableHttpClient(new String[] { NOT_SUPPORTED_CIPHER_SUITE })) {
             HttpGet httpGet = new HttpGet("https://localhost:" + cluster.getHttpPort() + AUTH_INFO_ENDPOINT);
 
-            assertThatThrownBy(() -> client.execute(httpGet), instanceOf(SSLHandshakeException.class));
+            if (CryptoServicesRegistrar.isInApprovedOnlyMode()) {
+                assertThatThrownBy(() -> client.execute(httpGet), instanceOf(IllegalStateException.class));
+            } else {
+                assertThatThrownBy(() -> client.execute(httpGet), instanceOf(SSLHandshakeException.class));
+            }
         }
     }
 }

src/integrationTest/java/org/opensearch/security/hash/HashingTests.java

@@ -37,7 +37,7 @@
 @ThreadLeakScope(ThreadLeakScope.Scope.NONE)
 public class HashingTests extends RandomizedTest {
 
-    private static final TestSecurityConfig.User ADMIN_USER = new TestSecurityConfig.User("admin").roles(ALL_ACCESS);
+    protected static TestSecurityConfig.User ADMIN_USER = new TestSecurityConfig.User("admin").roles(ALL_ACCESS);
 
     static final String PASSWORD = "top$ecret1234!";
 

src/integrationTest/java/org/opensearch/security/hash/PBKDF2CustomConfigHashingTests.java

@@ -16,11 +16,11 @@
 
 import org.apache.http.HttpStatus;
 import org.awaitility.Awaitility;
+import org.bouncycastle.crypto.CryptoServicesRegistrar;
 import org.junit.BeforeClass;
 import org.junit.Test;
 
 import org.opensearch.security.support.ConfigConstants;
-import org.opensearch.test.framework.TestSecurityConfig;
 import org.opensearch.test.framework.cluster.ClusterManager;
 import org.opensearch.test.framework.cluster.LocalCluster;
 import org.opensearch.test.framework.cluster.TestRestClient;
@@ -44,9 +44,8 @@ public static void startCluster() {
         function = randomFrom(List.of("SHA224", "SHA256", "SHA384", "SHA512"));
         iterations = randomFrom(List.of(32000, 64000, 128000, 256000));
         length = randomFrom(List.of(128, 256, 512));
-
-        TestSecurityConfig.User ADMIN_USER = new TestSecurityConfig.User("admin").roles(ALL_ACCESS)
-            .hash(generatePBKDF2Hash("secret", function, iterations, length));
+        var password = CryptoServicesRegistrar.isInApprovedOnlyMode() ? "dtekVF0vEAA9FNvm#KMkTwMN" : "secret";
+        ADMIN_USER = ADMIN_USER.hash(generatePBKDF2Hash(password, function, iterations, length)).password("dtekVF0vEAA9FNvm#KMkTwMN");
         cluster = new LocalCluster.Builder().clusterManager(ClusterManager.SINGLENODE)
             .authc(AUTHC_HTTPBASIC_INTERNAL)
             .users(ADMIN_USER)
@@ -68,7 +67,7 @@ public static void startCluster() {
             .build();
         cluster.before();
 
-        try (TestRestClient client = cluster.getRestClient(ADMIN_USER.getName(), "secret")) {
+        try (TestRestClient client = cluster.getRestClient(ADMIN_USER.getName(), password)) {
             Awaitility.await()
                 .alias("Load default configuration")
                 .until(() -> client.securityHealth().getTextFromJsonBody("/status"), equalTo("UP"));

src/integrationTest/java/org/opensearch/security/hash/PBKDF2DefaultConfigHashingTests.java

@@ -15,6 +15,7 @@
 import java.util.Map;
 
 import org.apache.http.HttpStatus;
+import org.bouncycastle.crypto.CryptoServicesRegistrar;
 import org.junit.ClassRule;
 import org.junit.Test;
 
@@ -28,15 +29,20 @@
 
 public class PBKDF2DefaultConfigHashingTests extends HashingTests {
 
-    private static final TestSecurityConfig.User ADMIN_USER = new TestSecurityConfig.User("admin").roles(ALL_ACCESS)
-        .hash(
-            generatePBKDF2Hash(
-                "secret",
-                ConfigConstants.SECURITY_PASSWORD_HASHING_PBKDF2_FUNCTION_DEFAULT,
-                ConfigConstants.SECURITY_PASSWORD_HASHING_PBKDF2_ITERATIONS_DEFAULT,
-                ConfigConstants.SECURITY_PASSWORD_HASHING_PBKDF2_LENGTH_DEFAULT
+    private static final String password = CryptoServicesRegistrar.isInApprovedOnlyMode() ? "dtekVF0vEAA9FNvm#KMkTwMN" : "secret";
+
+    static {
+        ADMIN_USER = new TestSecurityConfig.User("admin").roles(ALL_ACCESS)
+            .hash(
+                generatePBKDF2Hash(
+                    password,
+                    ConfigConstants.SECURITY_PASSWORD_HASHING_PBKDF2_FUNCTION_DEFAULT,
+                    ConfigConstants.SECURITY_PASSWORD_HASHING_PBKDF2_ITERATIONS_DEFAULT,
+                    ConfigConstants.SECURITY_PASSWORD_HASHING_PBKDF2_LENGTH_DEFAULT
+                )
             )
-        );
+            .password(password);
+    }
 
     @ClassRule
     public static LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.SINGLENODE)

src/integrationTest/java/org/opensearch/security/http/UntrustedLdapServerCertificateTest.java

@@ -12,6 +12,7 @@
 import java.util.List;
 
 import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
+import org.bouncycastle.crypto.CryptoServicesRegistrar;
 import org.junit.ClassRule;
 import org.junit.Rule;
 import org.junit.Test;
@@ -98,7 +99,11 @@ public void shouldNotAuthenticateUserWithLdap() {
 
             response.assertStatusCode(401);
         }
-        logsRule.assertThatStackTraceContain("javax.net.ssl.SSLHandshakeException");
+        if (CryptoServicesRegistrar.isInApprovedOnlyMode()) {
+            logsRule.assertThatStackTraceContain("org.bouncycastle.tls.TlsFatalAlert");
+        } else {
+            logsRule.assertThatStackTraceContain("javax.net.ssl.SSLHandshakeException");
+        }
     }
 
 }

src/integrationTest/java/org/opensearch/test/framework/cluster/CloseableHttpClientFactory.java

@@ -23,6 +23,7 @@
 import org.apache.hc.client5.http.ssl.NoopHostnameVerifier;
 import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory;
 import org.apache.hc.core5.http.io.SocketConfig;
+import org.bouncycastle.crypto.CryptoServicesRegistrar;
 
 class CloseableHttpClientFactory {
 
@@ -50,9 +51,12 @@ public CloseableHttpClient getHTTPClient() {
 
         final HttpClientBuilder hcb = HttpClients.custom();
 
+        // TLSv1.3 dropped support for AES-CBC
+        String[] protocols = supportedCipherSuites != null && CryptoServicesRegistrar.isInApprovedOnlyMode() ? new String[] { "TLSv1.2" } : null;
+
         final SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
             this.sslContext,
-            null,
+            protocols,
             supportedCipherSuites,
             NoopHostnameVerifier.INSTANCE
         );

src/main/java/org/opensearch/security/auth/ldap/backend/LDAPAuthorizationBackend.java

@@ -39,6 +39,7 @@
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 
+import org.ldaptive.ssl.DefaultHostnameVerifier;
 import org.opensearch.OpenSearchSecurityException;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.core.common.Strings;
@@ -201,6 +202,20 @@ private static void checkConnection0(
             config.setConnectionInitializer(new BindConnectionInitializer(bindDn, new Credential(password)));
 
             DefaultConnectionFactory connFactory = new DefaultConnectionFactory(config);
+
+            // Register custom socket factory for SNI hostname verification with BouncyCastle FIPS if SSL is enabled
+            if (config.getLdapUrl() != null && config.getLdapUrl().startsWith("ldaps:")) {
+                // Extract hostname from LDAP URL and set in ThreadLocal for SNI
+                String ldapUrl = config.getLdapUrl();
+                int protocolEnd = ldapUrl.indexOf("://");
+                if (protocolEnd > 0) {
+                    String hostPort = ldapUrl.substring(protocolEnd + 3);
+                    String hostname = hostPort.contains(":") ? hostPort.substring(0, hostPort.indexOf(":")) : hostPort;
+                    org.opensearch.security.auth.ldap2.SNISettingTLSSocketFactory.setHostname(hostname);
+                }
+                configureCustomSocketFactory(connFactory);
+            }
+
             connection = connFactory.getConnection();
 
             connection.open();
@@ -257,6 +272,12 @@ private static Connection getConnection0(
                     log.trace("Connect to {}", config.getLdapUrl());
                 }
 
+                // Set hostname in ThreadLocal for SNI before SSL configuration
+                // This is needed for BouncyCastle FIPS hostname verification
+                if (enableSSL) {
+                    org.opensearch.security.auth.ldap2.SNISettingTLSSocketFactory.setHostname(split[0]);
+                }
+
                 configureSSL(config, settings, configPath);
 
                 final String bindDn = settings.get(ConfigConstants.LDAP_BIND_DN, null);
@@ -302,6 +323,14 @@ private static Connection getConnection0(
                 }
 
                 DefaultConnectionFactory connFactory = new DefaultConnectionFactory(config);
+
+                // Register custom socket factory for SNI hostname verification with BouncyCastle FIPS
+                // This addresses a known issue where JNDI LDAP doesn't pass hostname to SSLSocketFactory
+                // See: https://github.com/bcgit/bc-java/issues/460
+                if (enableSSL) {
+                    configureCustomSocketFactory(connFactory);
+                }
+
                 connection = connFactory.getConnection();
 
                 connection.open();
@@ -462,6 +491,14 @@ private static void restoreClassLoader0(final ClassLoader cl) {
         }
     }
 
+    @SuppressWarnings({"unchecked", "rawtypes"})
+    private static void configureCustomSocketFactory(DefaultConnectionFactory connFactory) {
+        Map<String, Object> props = new HashMap<>();
+        props.put("java.naming.ldap.factory.socket", "org.opensearch.security.auth.ldap2.SNISettingTLSSocketFactory");
+        final org.ldaptive.provider.ProviderConfig providerConfig = connFactory.getProvider().getProviderConfig();
+        providerConfig.setProperties(props);
+    }
+
     private static void configureSSL(final ConnectionConfig config, final Settings settings, final Path configPath) throws Exception {
 
         final boolean isDebugEnabled = log.isDebugEnabled();
@@ -607,6 +644,8 @@ private static void configureSSL(final ConnectionConfig config, final Settings s
 
                 System.setProperty(COM_SUN_JNDI_LDAP_OBJECT_DISABLE_ENDPOINT_IDENTIFICATION, "true");
 
+            } else {
+                sslConfig.setHostnameVerifier(new DefaultHostnameVerifier());
             }
 
             final List<String> enabledCipherSuites = settings.getAsList(ConfigConstants.LDAPS_ENABLED_SSL_CIPHERS, Collections.emptyList());

src/main/java/org/opensearch/security/auth/ldap2/HostnameAwareConnectionFactory.java

@@ -0,0 +1,91 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+package org.opensearch.security.auth.ldap2;
+
+import java.net.URI;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.ldaptive.Connection;
+import org.ldaptive.ConnectionFactory;
+
+/**
+ * Wrapper around ConnectionFactory that extracts the hostname from the LDAP URL
+ * and stores it in ThreadLocal for use by SNISettingTLSSocketFactory.
+ *
+ * <p>This is necessary because JNDI LDAP resolves hostnames to IP addresses before
+ * creating SSL sockets, making the hostname unavailable for SNI configuration.
+ */
+public class HostnameAwareConnectionFactory implements ConnectionFactory {
+
+    private static final Logger log = LogManager.getLogger(HostnameAwareConnectionFactory.class);
+    private static final Pattern LDAP_URL_PATTERN = Pattern.compile("ldaps?://([^:/]+)(?::(\\d+))?");
+
+    private final ConnectionFactory delegate;
+    private final String ldapUrl;
+
+    public HostnameAwareConnectionFactory(ConnectionFactory delegate, String ldapUrl) {
+        this.delegate = delegate;
+        this.ldapUrl = ldapUrl;
+    }
+
+    @Override
+    public Connection getConnection() throws org.ldaptive.LdapException {
+        // Extract hostname from LDAP URL and set in ThreadLocal before getting connection
+        String hostname = extractHostname(ldapUrl);
+        if (hostname != null) {
+            log.debug("Setting hostname for LDAP connection: {}", hostname);
+            SNISettingTLSSocketFactory.setHostname(hostname);
+        } else {
+            log.debug("Could not extract hostname from LDAP URL: {}", ldapUrl);
+        }
+
+        // ThreadLocal is cleared in SNISettingTLSSocketFactory.configureSocket() after socket creation
+        return delegate.getConnection();
+    }
+
+    /**
+     * Extracts the hostname from an LDAP URL.
+     * Handles space-separated multiple URLs by extracting the first one.
+     *
+     * @param url the LDAP URL (e.g., "ldaps://localhost:636" or "ldaps://server1:636 ldaps://server2:636")
+     * @return the hostname, or null if extraction fails
+     */
+    static String extractHostname(String url) {
+        if (url == null || url.isEmpty()) {
+            return null;
+        }
+
+        // Handle space-separated multiple URLs - extract the first one
+        String firstUrl = url.split("\\s+")[0];
+
+        try {
+            // Try parsing as URI first
+            URI uri = new URI(firstUrl);
+            if (uri.getHost() != null) {
+                return uri.getHost();
+            }
+        } catch (Exception e) {
+            // Fall through to regex pattern
+        }
+
+        // Fallback to regex pattern
+        Matcher matcher = LDAP_URL_PATTERN.matcher(firstUrl);
+        if (matcher.find()) {
+            return matcher.group(1);
+        }
+
+        return null;
+    }
+}