Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Extended /certificates endpoint with additional SSL certs info #4882

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Extended /certificates endpoint with additional SSL certs info #4882

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
27 changes: 10 additions & 17 deletions src/integrationTest/java/org/opensearch/security/api/CertificatesRestApiIntegrationTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.StringJoiner;
Expand All @@ -24,7 +25,7 @@
import org.junit.Test;

import org.opensearch.security.dlic.rest.api.Endpoint;
import org.opensearch.security.dlic.rest.api.ssl.CertificateType;
import org.opensearch.security.ssl.config.CertType;
import org.opensearch.test.framework.TestSecurityConfig;
import org.opensearch.test.framework.certificate.TestCertificates;
import org.opensearch.test.framework.cluster.LocalOpenSearchCluster;
Expand Down Expand Up @@ -107,21 +108,13 @@ private void verifyTimeoutRequest(final TestRestClient client) throws Exception
}

private void verifySSLCertsInfo(final TestRestClient client) throws Exception {
assertSSLCertsInfo(
localCluster.nodes(),
Set.of(CertificateType.HTTP, CertificateType.TRANSPORT),
ok(() -> client.get(sslCertsPath()))
);
assertSSLCertsInfo(localCluster.nodes(), CertType.TYPES, ok(() -> client.get(sslCertsPath())));
if (localCluster.nodes().size() > 1) {
final var randomNodes = randomNodes();
final var nodeIds = randomNodes.stream().map(n -> n.esNode().getNodeEnvironment().nodeId()).collect(Collectors.joining(","));
assertSSLCertsInfo(
randomNodes,
Set.of(CertificateType.HTTP, CertificateType.TRANSPORT),
ok(() -> client.get(sslCertsPath(nodeIds)))
);
assertSSLCertsInfo(randomNodes, CertType.TYPES, ok(() -> client.get(sslCertsPath(nodeIds))));
}
final var randomCertType = randomFrom(List.of(CertificateType.HTTP, CertificateType.TRANSPORT));
final var randomCertType = randomFrom(List.copyOf(CertType.TYPES));
assertSSLCertsInfo(
localCluster.nodes(),
Set.of(randomCertType),
Expand All @@ -132,7 +125,7 @@ private void verifySSLCertsInfo(final TestRestClient client) throws Exception {

private void assertSSLCertsInfo(
final List<LocalOpenSearchCluster.Node> expectedNode,
final Set<CertificateType> expectedCertTypes,
final Set<String> expectedCertTypes,
final TestRestClient.HttpResponse response
) {
final var body = response.bodyAsJsonNode();
Expand All @@ -152,14 +145,14 @@ private void assertSSLCertsInfo(
assertThat(prettyStringBody, node.get("name").asText(), is(n.getNodeName()));
assertThat(prettyStringBody, node.has("certificates"));
final var certificates = node.get("certificates");
if (expectedCertTypes.contains(CertificateType.HTTP)) {
final var httpCertificates = certificates.get(CertificateType.HTTP.value());
if (expectedCertTypes.contains(CertType.HTTP.name().toUpperCase(Locale.ROOT))) {
final var httpCertificates = certificates.get(CertType.HTTP.name().toUpperCase(Locale.ROOT));
assertThat(prettyStringBody, httpCertificates.isArray());
assertThat(prettyStringBody, httpCertificates.size(), is(1));
verifyCertsJson(n.nodeNumber(), httpCertificates.get(0));
}
if (expectedCertTypes.contains(CertificateType.TRANSPORT)) {
final var transportCertificates = certificates.get(CertificateType.TRANSPORT.value());
if (expectedCertTypes.contains(CertType.TRANSPORT_CLIENT.name().toUpperCase(Locale.ROOT))) {
final var transportCertificates = certificates.get(CertType.TRANSPORT.name().toUpperCase(Locale.ROOT));
assertThat(prettyStringBody, transportCertificates.isArray());
assertThat(prettyStringBody, transportCertificates.size(), is(1));
verifyCertsJson(n.nodeNumber(), transportCertificates.get(0));
Expand Down
18 changes: 12 additions & 6 deletions src/main/java/org/opensearch/security/dlic/rest/api/CertificatesApiAction.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,9 +19,9 @@

import org.opensearch.cluster.service.ClusterService;
import org.opensearch.core.action.ActionListener;
import org.opensearch.core.common.Strings;
import org.opensearch.rest.RestRequest;
import org.opensearch.rest.action.RestActions;
import org.opensearch.security.dlic.rest.api.ssl.CertificateType;
import org.opensearch.security.dlic.rest.api.ssl.CertificatesActionType;
import org.opensearch.security.dlic.rest.api.ssl.CertificatesInfoNodesRequest;
import org.opensearch.security.dlic.rest.api.ssl.CertificatesNodesResponse;
Expand Down Expand Up @@ -82,11 +82,9 @@
RestRequest.Method.GET,
(channel, request, client) -> client.execute(
CertificatesActionType.INSTANCE,
new CertificatesInfoNodesRequest(
CertificateType.from(request.param("cert_type")),
true,
request.paramAsStringArrayOrEmptyIfAll("nodeId")
).timeout(request.param("timeout")),
new CertificatesInfoNodesRequest(certType(request), true, request.paramAsStringArrayOrEmptyIfAll("nodeId")).timeout(
request.param("timeout")
),
new ActionListener<>() {
@Override
public void onResponse(final CertificatesNodesResponse response) {
Expand All @@ -110,6 +108,14 @@
);
}

private String certType(final RestRequest request) {
final var t = request.param("cert_type");
if (!Strings.isEmpty(t) && "all".equals(t)) {
return null;

Check warning on line 114 in src/main/java/org/opensearch/security/dlic/rest/api/CertificatesApiAction.java

View check run for this annotation

Codecov / codecov/patch

src/main/java/org/opensearch/security/dlic/rest/api/CertificatesApiAction.java#L114 

Added line #L114 was not covered by tests
}
return t;
}

boolean accessHandler(final RestRequest request) {
if (request.method() == RestRequest.Method.GET) {
return securityApiDependencies.restApiAdminPrivilegesEvaluator().isCurrentUserAdminFor(endpoint, CERTS_INFO_ACTION);
Expand Down
59 changes: 35 additions & 24 deletions src/main/java/org/opensearch/security/dlic/rest/api/ssl/CertificateInfo.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,6 @@
package org.opensearch.security.dlic.rest.api.ssl;

import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.Objects;

import org.opensearch.core.common.io.stream.StreamInput;
Expand All @@ -33,7 +32,29 @@ public class CertificateInfo implements Writeable, ToXContent {

private final String notBefore;

public CertificateInfo(String subject, String san, String issuer, String notAfter, String notBefore) {
private final String format;

private final String alias;

private final boolean hasPrivateKey;

private final String serialNumber;

public CertificateInfo(
String format,
String alias,
String serialNumber,
boolean hasPrivateKey,
String subject,
String san,
String issuer,
String notAfter,
String notBefore
) {
this.format = format;
this.alias = alias;
this.serialNumber = serialNumber;
this.hasPrivateKey = hasPrivateKey;
this.subject = subject;
this.san = san;
this.issuer = issuer;
Expand All @@ -47,6 +68,10 @@ public CertificateInfo(final StreamInput in) throws IOException {
this.issuer = in.readOptionalString();
this.notAfter = in.readOptionalString();
this.notBefore = in.readOptionalString();
this.format = in.readOptionalString();
this.alias = in.readOptionalString();
this.serialNumber = in.readOptionalString();
this.hasPrivateKey = in.readBoolean();
}

@Override
Expand All @@ -56,41 +81,27 @@ public void writeTo(final StreamOutput out) throws IOException {
out.writeOptionalString(issuer);
out.writeOptionalString(notAfter);
out.writeOptionalString(notBefore);
out.writeOptionalString(format);
out.writeOptionalString(alias);
out.writeOptionalString(serialNumber);
out.writeBoolean(hasPrivateKey);
}

@Override
public XContentBuilder toXContent(XContentBuilder builder, ToXContent.Params params) throws IOException {
return builder.startObject()
.field("format", format)
.field("alias", alias)
.field("subject_dn", subject)
.field("san", san)
.field("serial_number", serialNumber)
.field("issuer_dn", issuer)
.field("has_private_key", hasPrivateKey)
.field("not_after", notAfter)
.field("not_before", notAfter)
.endObject();
}

public static CertificateInfo from(final X509Certificate x509Certificate, final String subjectAlternativeNames) {
String subject = null;
String issuer = null;
String notAfter = null;
String notBefore = null;
if (x509Certificate != null) {
if (x509Certificate.getSubjectX500Principal() != null) {
subject = x509Certificate.getSubjectX500Principal().getName();
}
if (x509Certificate.getIssuerX500Principal() != null) {
issuer = x509Certificate.getIssuerX500Principal().getName();
}
if (x509Certificate.getNotAfter() != null) {
notAfter = x509Certificate.getNotAfter().toInstant().toString();
}
if (x509Certificate.getNotBefore() != null) {
notBefore = x509Certificate.getNotBefore().toInstant().toString();
}
}
return new CertificateInfo(subject, subjectAlternativeNames, issuer, notAfter, notBefore);
}

@Override
public boolean equals(Object o) {
if (this == o) return true;
Expand Down
48 changes: 0 additions & 48 deletions src/main/java/org/opensearch/security/dlic/rest/api/ssl/CertificateType.java
View file
Open in desktop

This file was deleted.

13 changes: 8 additions & 5 deletions src/main/java/org/opensearch/security/dlic/rest/api/ssl/CertificatesInfo.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,24 +13,26 @@

import java.io.IOException;
import java.util.List;
import java.util.Locale;
import java.util.Map;

import org.opensearch.core.common.io.stream.StreamInput;
import org.opensearch.core.common.io.stream.StreamOutput;
import org.opensearch.core.common.io.stream.Writeable;
import org.opensearch.core.xcontent.ToXContent;
import org.opensearch.core.xcontent.XContentBuilder;
import org.opensearch.security.ssl.config.CertType;

public class CertificatesInfo implements Writeable, ToXContent {

private final Map<CertificateType, List<CertificateInfo>> certificates;
private final Map<CertType, List<CertificateInfo>> certificates;

public CertificatesInfo(final Map<CertificateType, List<CertificateInfo>> certificates) {
public CertificatesInfo(final Map<CertType, List<CertificateInfo>> certificates) {
this.certificates = certificates;
}

public CertificatesInfo(final StreamInput in) throws IOException {
certificates = in.readMap(keyIn -> keyIn.readEnum(CertificateType.class), listIn -> listIn.readList(CertificateInfo::new));
certificates = in.readMap(keyIn -> keyIn.readEnum(CertType.class), listIn -> listIn.readList(CertificateInfo::new));
}

@Override
Expand All @@ -41,8 +43,9 @@ public void writeTo(StreamOutput out) throws IOException {
@Override
public XContentBuilder toXContent(XContentBuilder builder, Params params) throws IOException {
return builder.startObject("certificates")
.field(CertificateType.HTTP.value(), certificates.get(CertificateType.HTTP))
.field(CertificateType.TRANSPORT.value(), certificates.get(CertificateType.TRANSPORT))
.field(CertType.HTTP.name().toLowerCase(Locale.ROOT), certificates.get(CertType.HTTP))
.field(CertType.TRANSPORT.name().toLowerCase(Locale.ROOT), certificates.get(CertType.TRANSPORT))
.field(CertType.TRANSPORT_CLIENT.name().toLowerCase(Locale.ROOT), certificates.get(CertType.TRANSPORT_CLIENT))
.endObject();
}
}
26 changes: 20 additions & 6 deletions src/main/java/org/opensearch/security/dlic/rest/api/ssl/CertificatesInfoNodesRequest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,31 +12,35 @@
package org.opensearch.security.dlic.rest.api.ssl;

import java.io.IOException;
import java.util.Optional;

import org.opensearch.action.ActionRequestValidationException;
import org.opensearch.action.support.nodes.BaseNodesRequest;
import org.opensearch.core.common.Strings;
import org.opensearch.core.common.io.stream.StreamInput;
import org.opensearch.core.common.io.stream.StreamOutput;
import org.opensearch.security.ssl.config.CertType;

public class CertificatesInfoNodesRequest extends BaseNodesRequest<CertificatesInfoNodesRequest> {

private final CertificateType certificateType;
private final String certificateType;

private final boolean inMemory;

public CertificatesInfoNodesRequest(CertificateType certificateType, boolean inMemory, String... nodesIds) {
public CertificatesInfoNodesRequest(String certificateType, boolean inMemory, String... nodesIds) {
super(nodesIds);
this.certificateType = certificateType;
this.inMemory = inMemory;
}

public CertificatesInfoNodesRequest(final StreamInput in) throws IOException {
super(in);
certificateType = in.readEnum(CertificateType.class);
certificateType = in.readOptionalString();
inMemory = in.readBoolean();
}

public CertificateType certificateType() {
return certificateType;
public Optional<String> certificateType() {
return Optional.ofNullable(certificateType);
}

public boolean inMemory() {
Expand All @@ -46,7 +50,17 @@
@Override
public void writeTo(final StreamOutput out) throws IOException {
super.writeTo(out);
out.writeEnum(certificateType);
out.writeOptionalString(certificateType);
out.writeBoolean(inMemory);
}

@Override
public ActionRequestValidationException validate() {
if (!Strings.isEmpty(certificateType) && !CertType.TYPES.contains(certificateType)) {
final var errorMessage = new ActionRequestValidationException();
errorMessage.addValidationError("wrong certificate type " + certificateType + ". Please use one of " + CertType.TYPES);
return errorMessage;

Check warning on line 62 in src/main/java/org/opensearch/security/dlic/rest/api/ssl/CertificatesInfoNodesRequest.java

View check run for this annotation

Codecov / codecov/patch

src/main/java/org/opensearch/security/dlic/rest/api/ssl/CertificatesInfoNodesRequest.java#L60-L62 

Added lines #L60 - L62 were not covered by tests
}
return super.validate();
}
}
Loading
Loading