Adds a common certificate validity check

Signed-off-by: Darshit Chanpura <[email protected]>
DarshitChanpura · Nov 30, 2023 · c91394b · c91394b
1 parent 50c67bb
commit c91394b
Show file tree

Hide file tree

Showing 3 changed files with 66 additions and 30 deletions.
diff --git a/src/main/java/org/opensearch/security/tools/democonfig/Installer.java b/src/main/java/org/opensearch/security/tools/democonfig/Installer.java
@@ -205,33 +205,40 @@ static void setOpenSearchVariables() {
         OPENSEARCH_LIB_PATH = BASE_DIR + "lib" + File.separator;
         OPENSEARCH_INSTALL_TYPE = determineInstallType();
 
-        boolean shouldExit = false;
+        Set<String> errorMessages = validatePaths();
+
+        if (!errorMessages.isEmpty()) {
+            errorMessages.forEach(System.out::println);
+            System.exit(-1);
+        }
+
+        OPENSEARCH_CONF_DIR = new File(OPENSEARCH_CONF_FILE).getParent();
+        OPENSEARCH_CONF_DIR = new File(OPENSEARCH_CONF_DIR).getAbsolutePath() + File.separator;
+    }
+
+    /**
+     * Helper method
+     * Returns a set of error messages for the paths that didn't contain files/directories
+     * @return a set containing error messages if any, empty otherwise
+     */
+    private static Set<String> validatePaths() {
+        Set<String> errorMessages = new HashSet<>();
         if (!(new File(OPENSEARCH_CONF_FILE).exists())) {
-            System.out.println("Unable to determine OpenSearch config file. Quit.");
-            shouldExit = true;
+            errorMessages.add("Unable to determine OpenSearch config file. Quit.");
         }
 
         if (!(new File(OPENSEARCH_BIN_DIR).exists())) {
-            System.out.println("Unable to determine OpenSearch bin directory. Quit.");
-            shouldExit = true;
+            errorMessages.add("Unable to determine OpenSearch bin directory. Quit.");
         }
 
         if (!(new File(OPENSEARCH_PLUGINS_DIR).exists())) {
-            System.out.println("Unable to determine OpenSearch plugins directory. Quit.");
-            shouldExit = true;
+            errorMessages.add("Unable to determine OpenSearch plugins directory. Quit.");
         }
 
         if (!(new File(OPENSEARCH_LIB_PATH).exists())) {
-            System.out.println("Unable to determine OpenSearch lib directory. Quit.");
-            shouldExit = true;
-        }
-
-        if (shouldExit) {
-            System.exit(-1);
+            errorMessages.add("Unable to determine OpenSearch lib directory. Quit.");
         }
-
-        OPENSEARCH_CONF_DIR = new File(OPENSEARCH_CONF_FILE).getParent();
-        OPENSEARCH_CONF_DIR = new File(OPENSEARCH_CONF_DIR).getAbsolutePath() + File.separator;
+        return errorMessages;
     }
 
     /**

diff --git a/src/test/java/org/opensearch/security/tools/democonfig/CertificateGeneratorTests.java b/src/test/java/org/opensearch/security/tools/democonfig/CertificateGeneratorTests.java
@@ -12,8 +12,15 @@
 package org.opensearch.security.tools.democonfig;
 
 import java.io.File;
-import java.nio.file.Files;
-import java.nio.file.Path;
+import java.io.FileInputStream;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.time.Instant;
+import java.time.LocalDate;
+import java.time.Period;
+import java.util.Date;
+import java.util.TimeZone;
 
 import org.junit.After;
 import org.junit.Before;
@@ -22,10 +29,8 @@
 import org.opensearch.security.tools.democonfig.util.NoExitSecurityManager;
 
 import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.is;
-import static org.hamcrest.Matchers.not;
 import static org.opensearch.security.tools.democonfig.Installer.OPENSEARCH_CONF_DIR;
 import static org.opensearch.security.tools.democonfig.util.DemoConfigHelperUtil.createDirectory;
 import static org.opensearch.security.tools.democonfig.util.DemoConfigHelperUtil.deleteDirectoryRecursive;
@@ -57,16 +62,7 @@ public void testCreateDemoCertificates() {
             assertThat(certFile.exists(), is(equalTo(true)));
             assertThat(certFile.canRead(), is(equalTo(true)));
 
-            String fileContents = null;
-            try {
-                fileContents = new String(Files.readAllBytes(Path.of(certFilePath)));
-            } catch (Exception e) {
-                fail("Expected the test to pass.");
-            }
-
-            assertThat(fileContents.isEmpty(), not(true));
-            assertThat(fileContents, containsString("---BEGIN"));
-            assertThat(fileContents, containsString("---END"));
+            checkCertificateValidity(certFilePath);
         }
     }
 
@@ -83,4 +79,35 @@ public void testCreateDemoCertificates_invalidPath() {
             System.setSecurityManager(null);
         }
     }
+
+    private static void checkCertificateValidity(String certPath) {
+        try (FileInputStream certInputStream = new FileInputStream(certPath)) {
+            CertificateFactory cf = CertificateFactory.getInstance("X.509");
+            Certificate certificate = cf.generateCertificate(certInputStream);
+
+            if (certificate instanceof X509Certificate) {
+                X509Certificate x509Certificate = (X509Certificate) certificate;
+                x509Certificate.checkValidity();
+
+                Date expiryDate = x509Certificate.getNotAfter();
+                Instant expiry = expiryDate.toInstant();
+
+                assertThat(isExpiryAtLeastAYearLater(expiry), is(equalTo(true)));
+                assertThat(x509Certificate.getSigAlgName(), is(equalTo("SHA256withRSA")));
+            } else {
+                fail("Certificate is invalid. Expected X.509 certificate.");
+            }
+        } catch (Exception e) {
+            System.out.println("Error checking certificate validity: " + e.getMessage());
+        }
+    }
+
+    private static boolean isExpiryAtLeastAYearLater(Instant expiry) {
+        Instant currentInstant = Instant.now();
+        LocalDate expiryDate = LocalDate.ofInstant(expiry, TimeZone.getTimeZone("EDT").toZoneId());
+        LocalDate currentDate = LocalDate.ofInstant(currentInstant, TimeZone.getTimeZone("EDT").toZoneId());
+
+        Period gap = Period.between(currentDate, expiryDate);
+        return gap.getYears() >= 1;
+    }
 }
diff --git a/src/test/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurerTests.java b/src/test/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurerTests.java
@@ -44,6 +44,7 @@
 import static org.opensearch.security.tools.democonfig.Installer.FILE_EXTENSION;
 import static org.opensearch.security.tools.democonfig.Installer.OPENSEARCH_CONF_DIR;
 import static org.opensearch.security.tools.democonfig.Installer.OPENSEARCH_CONF_FILE;
+import static org.opensearch.security.tools.democonfig.Installer.resetState;
 import static org.opensearch.security.tools.democonfig.SecuritySettingsConfigurer.getSecurityAdminCommands;
 import static org.opensearch.security.tools.democonfig.SecuritySettingsConfigurer.isStringAlreadyPresentInFile;
 import static org.opensearch.security.tools.democonfig.SecuritySettingsConfigurer.writeSecurityConfigToOpenSearchYML;
@@ -76,6 +77,7 @@ public void tearDown() throws NoSuchFieldException, IllegalAccessException {
         deleteDirectoryRecursive(OPENSEARCH_CONF_DIR);
         Installer.environment = ExecutionEnvironment.DEMO;
         unsetEnv(adminPasswordKey);
+        resetState();
     }
 
     @Test