forked from opensearch-project/security
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Introduce 2 new endpoint:
`_plugins/_security/api/certificates`
`_plugins/_security/api/certificates/{nodeId}`
Query parameters:
- cert_type
- timeout
which provides information about SSL certificates for each node in the
cluster
Signed-off-by: Andrey Pleskach <[email protected]>- Loading branch information
1 parent
3b94522
commit 2c07bfb
Showing
14 changed files
with
913 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
196 changes: 196 additions & 0 deletions
196
src/integrationTest/java/org/opensearch/security/api/CertificatesRestApiIntegrationTest.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,196 @@ | ||
| /* | ||
| * SPDX-License-Identifier: Apache-2.0 | ||
| * | ||
| * The OpenSearch Contributors require contributions made to | ||
| * this file be licensed under the Apache-2.0 license or a | ||
| * compatible open source license. | ||
| * | ||
| * Modifications Copyright OpenSearch Contributors. See | ||
| * GitHub history for details. | ||
| */ | ||
| package org.opensearch.security.api; | ||
|
|
||
| import java.util.ArrayList; | ||
| import java.util.Collection; | ||
| import java.util.Collections; | ||
| import java.util.List; | ||
| import java.util.Set; | ||
| import java.util.StringJoiner; | ||
| import java.util.stream.Collectors; | ||
|
|
||
| import com.carrotsearch.randomizedtesting.RandomizedContext; | ||
| import com.google.common.collect.ImmutableList; | ||
| import com.fasterxml.jackson.databind.JsonNode; | ||
| import org.apache.commons.lang3.tuple.Pair; | ||
| import org.junit.Test; | ||
|
|
||
| import org.opensearch.security.dlic.rest.api.Endpoint; | ||
| import org.opensearch.security.dlic.rest.api.ssl.CertificateType; | ||
| import org.opensearch.test.framework.TestSecurityConfig; | ||
| import org.opensearch.test.framework.certificate.TestCertificates; | ||
| import org.opensearch.test.framework.cluster.LocalOpenSearchCluster; | ||
| import org.opensearch.test.framework.cluster.TestRestClient; | ||
|
|
||
| import static org.hamcrest.CoreMatchers.containsString; | ||
| import static org.hamcrest.CoreMatchers.is; | ||
| import static org.hamcrest.MatcherAssert.assertThat; | ||
| import static org.opensearch.security.OpenSearchSecurityPlugin.PLUGINS_PREFIX; | ||
| import static org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.CERTS_INFO_ACTION; | ||
| import static org.opensearch.security.support.ConfigConstants.SECURITY_RESTAPI_ADMIN_ENABLED; | ||
|
|
||
| public class CertificatesRestApiIntegrationTest extends AbstractApiIntegrationTest { | ||
|
|
||
| final static String REST_API_ADMIN_SSL_INFO = "rest-api-admin-ssl-info"; | ||
|
|
||
| final static String REGULAR_USER = "regular_user"; | ||
|
|
||
| static { | ||
| clusterSettings.put(SECURITY_RESTAPI_ADMIN_ENABLED, true); | ||
| testSecurityConfig.roles( | ||
| new TestSecurityConfig.Role("simple_user_role").clusterPermissions("cluster:admin/security/certificates/info") | ||
| ) | ||
| .rolesMapping(new TestSecurityConfig.RoleMapping("simple_user_role").users(REGULAR_USER, ADMIN_USER_NAME)) | ||
| .user(new TestSecurityConfig.User(REGULAR_USER)) | ||
| .withRestAdminUser(REST_ADMIN_USER, allRestAdminPermissions()) | ||
| .withRestAdminUser(REST_API_ADMIN_SSL_INFO, restAdminPermission(Endpoint.SSL, CERTS_INFO_ACTION)); | ||
| } | ||
|
|
||
| @Override | ||
| protected String apiPathPrefix() { | ||
| return PLUGINS_PREFIX; | ||
| } | ||
|
|
||
| protected String sslCertsPath(String... path) { | ||
| final var fullPath = new StringJoiner("/"); | ||
| fullPath.add(super.apiPath("certificates")); | ||
| if (path != null) { | ||
| for (final var p : path) { | ||
| fullPath.add(p); | ||
| } | ||
| } | ||
| return fullPath.toString(); | ||
| } | ||
|
|
||
| @Test | ||
| public void forbiddenForRegularUser() throws Exception { | ||
| withUser(REGULAR_USER, client -> forbidden(() -> client.get(sslCertsPath()))); | ||
| } | ||
|
|
||
| @Test | ||
| public void forbiddenForAdminUser() throws Exception { | ||
| withUser(ADMIN_USER_NAME, client -> forbidden(() -> client.get(sslCertsPath()))); | ||
| } | ||
|
|
||
| @Test | ||
| public void availableForTlsAdmin() throws Exception { | ||
| withUser(ADMIN_USER_NAME, localCluster.getAdminCertificate(), this::verifySSLCertsInfo); | ||
| } | ||
|
|
||
| @Test | ||
| public void availableForRestAdmin() throws Exception { | ||
| withUser(REST_ADMIN_USER, this::verifySSLCertsInfo); | ||
| withUser(REST_API_ADMIN_SSL_INFO, this::verifySSLCertsInfo); | ||
| } | ||
|
|
||
| private void verifySSLCertsInfo(final TestRestClient client) throws Exception { | ||
| assertSSLCertsInfo(nodesWithOrder(), Set.of(CertificateType.HTTP, CertificateType.TRANSPORT), ok(() -> client.get(sslCertsPath()))); | ||
| if (localCluster.nodes().size() > 1) { | ||
| final var randomNodes = randomNodes(); | ||
| final var nodeIds = randomNodes.stream() | ||
| .map(Pair::getRight) | ||
| .map(n -> n.esNode().getNodeEnvironment().nodeId()) | ||
| .collect(Collectors.joining(",")); | ||
| assertSSLCertsInfo( | ||
| randomNodes, | ||
| Set.of(CertificateType.HTTP, CertificateType.TRANSPORT), | ||
| ok(() -> client.get(sslCertsPath(nodeIds))) | ||
| ); | ||
| } | ||
| final var randomCertType = randomFrom(List.of(CertificateType.HTTP, CertificateType.TRANSPORT)); | ||
| assertSSLCertsInfo( | ||
| nodesWithOrder(), | ||
| Set.of(randomCertType), | ||
| ok(() -> client.get(String.format("%s?cert_type=%s", sslCertsPath(), randomCertType))) | ||
| ); | ||
|
|
||
| } | ||
|
|
||
| private void assertSSLCertsInfo( | ||
| final List<Pair<Integer, LocalOpenSearchCluster.Node>> expectedNode, | ||
| final Set<CertificateType> expectedCertTypes, | ||
| final TestRestClient.HttpResponse response | ||
| ) { | ||
| final var body = response.bodyAsJsonNode(); | ||
| final var prettyStringBody = body.toPrettyString(); | ||
|
|
||
| final var _nodes = body.get("_nodes"); | ||
| assertThat(prettyStringBody, _nodes.get("total").asInt(), is(expectedNode.size())); | ||
| assertThat(prettyStringBody, _nodes.get("successful").asInt(), is(expectedNode.size())); | ||
| assertThat(prettyStringBody, _nodes.get("failed").asInt(), is(0)); | ||
| assertThat(prettyStringBody, body.get("cluster_name").asText(), is(localCluster.getClusterName())); | ||
|
|
||
| final var nodes = body.get("nodes"); | ||
|
|
||
| for (final var nodeWithOrder : expectedNode) { | ||
| final var esNode = nodeWithOrder.getRight().esNode(); | ||
| final var node = nodes.get(esNode.getNodeEnvironment().nodeId()); | ||
| assertThat(prettyStringBody, node.get("name").asText(), is(nodeWithOrder.getRight().getNodeName())); | ||
| assertThat(prettyStringBody, node.has("certificates")); | ||
| final var certificates = node.get("certificates"); | ||
| if (expectedCertTypes.contains(CertificateType.HTTP)) { | ||
| final var httpCertificates = certificates.get(CertificateType.HTTP.value()); | ||
| assertThat(prettyStringBody, httpCertificates.isArray()); | ||
| assertThat(prettyStringBody, httpCertificates.size(), is(1)); | ||
| verifyCertsJson(nodeWithOrder.getLeft(), httpCertificates.get(0)); | ||
| } | ||
| if (expectedCertTypes.contains(CertificateType.TRANSPORT)) { | ||
| final var transportCertificates = certificates.get(CertificateType.TRANSPORT.value()); | ||
| assertThat(prettyStringBody, transportCertificates.isArray()); | ||
| assertThat(prettyStringBody, transportCertificates.size(), is(1)); | ||
| verifyCertsJson(nodeWithOrder.getLeft(), transportCertificates.get(0)); | ||
| } | ||
| } | ||
|
|
||
| } | ||
|
|
||
| private void verifyCertsJson(final int nodeNumber, final JsonNode jsonNode) { | ||
| assertThat(jsonNode.toPrettyString(), jsonNode.get("issuer_dn").asText(), is(TestCertificates.CA_SUBJECT)); | ||
| assertThat( | ||
| jsonNode.toPrettyString(), | ||
| jsonNode.get("subject_dn").asText(), | ||
| is(String.format(TestCertificates.NODE_SUBJECT_PATTERN, nodeNumber)) | ||
| ); | ||
| assertThat( | ||
| jsonNode.toPrettyString(), | ||
| jsonNode.get("san").asText(), | ||
| containsString(String.format("node-%s.example.com", nodeNumber)) | ||
| ); | ||
| assertThat(jsonNode.toPrettyString(), jsonNode.has("not_before")); | ||
| assertThat(jsonNode.toPrettyString(), jsonNode.has("not_after")); | ||
| } | ||
|
|
||
| private List<Pair<Integer, LocalOpenSearchCluster.Node>> randomNodes() { | ||
| final var nodesWithOrder = nodesWithOrder(); | ||
| int leaveElements = randomIntBetween(1, nodesWithOrder.size() - 1); | ||
| return randomSubsetOf(leaveElements, nodesWithOrder); | ||
| } | ||
|
|
||
| private List<Pair<Integer, LocalOpenSearchCluster.Node>> nodesWithOrder() { | ||
| final var list = ImmutableList.<Pair<Integer, LocalOpenSearchCluster.Node>>builder(); | ||
| for (int i = 0; i < localCluster.nodes().size(); i++) | ||
| list.add(Pair.of(i, localCluster.nodes().get(i))); | ||
| return list.build(); | ||
| } | ||
|
|
||
| public <T> List<T> randomSubsetOf(int size, Collection<T> collection) { | ||
| if (size > collection.size()) { | ||
| throw new IllegalArgumentException( | ||
| "Can't pick " + size + " random objects from a collection of " + collection.size() + " objects" | ||
| ); | ||
| } | ||
| List<T> tempList = new ArrayList<>(collection); | ||
| Collections.shuffle(tempList, RandomizedContext.current().getRandom()); | ||
| return tempList.subList(0, size); | ||
| } | ||
|
|
||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
120 changes: 120 additions & 0 deletions
120
src/main/java/org/opensearch/security/dlic/rest/api/CertificatesApiAction.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,120 @@ | ||
| /* | ||
| * SPDX-License-Identifier: Apache-2.0 | ||
| * | ||
| * The OpenSearch Contributors require contributions made to | ||
| * this file be licensed under the Apache-2.0 license or a | ||
| * compatible open source license. | ||
| * | ||
| * Modifications Copyright OpenSearch Contributors. See | ||
| * GitHub history for details. | ||
| */ | ||
|
|
||
| package org.opensearch.security.dlic.rest.api; | ||
|
|
||
| import java.util.List; | ||
|
|
||
| import com.google.common.collect.ImmutableList; | ||
| import org.apache.logging.log4j.LogManager; | ||
| import org.apache.logging.log4j.Logger; | ||
|
|
||
| import org.opensearch.cluster.service.ClusterService; | ||
| import org.opensearch.core.action.ActionListener; | ||
| import org.opensearch.rest.RestRequest; | ||
| import org.opensearch.rest.action.RestActions; | ||
| import org.opensearch.security.dlic.rest.api.ssl.CertificateType; | ||
| import org.opensearch.security.dlic.rest.api.ssl.CertificatesActionType; | ||
| import org.opensearch.security.dlic.rest.api.ssl.CertificatesInfoNodesRequest; | ||
| import org.opensearch.security.dlic.rest.api.ssl.CertificatesNodesResponse; | ||
| import org.opensearch.security.securityconf.impl.CType; | ||
| import org.opensearch.threadpool.ThreadPool; | ||
|
|
||
| import static org.opensearch.security.dlic.rest.api.Responses.internalServerError; | ||
| import static org.opensearch.security.dlic.rest.api.Responses.ok; | ||
| import static org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.CERTS_INFO_ACTION; | ||
| import static org.opensearch.security.dlic.rest.support.Utils.PLUGIN_API_ROUTE_PREFIX; | ||
| import static org.opensearch.security.dlic.rest.support.Utils.addRoutesPrefix; | ||
|
|
||
| public class CertificatesApiAction extends AbstractApiAction { | ||
|
|
||
| private final static Logger LOGGER = LogManager.getLogger(CertificatesApiAction.class); | ||
|
|
||
| private static final List<Route> ROUTES = addRoutesPrefix( | ||
| ImmutableList.of(new Route(RestRequest.Method.GET, "/certificates"), new Route(RestRequest.Method.GET, "/certificates/{nodeId}")), | ||
| PLUGIN_API_ROUTE_PREFIX | ||
| ); | ||
|
|
||
| public CertificatesApiAction( | ||
| final ClusterService clusterService, | ||
| final ThreadPool threadPool, | ||
| final SecurityApiDependencies securityApiDependencies | ||
| ) { | ||
| super(Endpoint.SSL, clusterService, threadPool, securityApiDependencies); | ||
| this.requestHandlersBuilder.configureRequestHandlers(this::securitySSLCertsRequestHandlers); | ||
| } | ||
|
|
||
| @Override | ||
| public List<Route> routes() { | ||
| return ROUTES; | ||
| } | ||
|
|
||
| @Override | ||
| public String getName() { | ||
| return "HTTP and Transport Certificates Actions"; | ||
| } | ||
|
|
||
| @Override | ||
| protected CType getConfigType() { | ||
| return null; | ||
| } | ||
|
|
||
| @Override | ||
| protected void consumeParameters(RestRequest request) { | ||
| request.param("nodeId"); | ||
| request.param("cert_type"); | ||
| } | ||
|
|
||
| private void securitySSLCertsRequestHandlers(RequestHandler.RequestHandlersBuilder requestHandlersBuilder) { | ||
| requestHandlersBuilder.withAccessHandler(this::accessHandler) | ||
| .allMethodsNotImplemented() | ||
| .verifyAccessForAllMethods() | ||
| .override( | ||
| RestRequest.Method.GET, | ||
| (channel, request, client) -> client.execute( | ||
| CertificatesActionType.INSTANCE, | ||
| new CertificatesInfoNodesRequest( | ||
| CertificateType.from(request.param("cert_type")), | ||
| true, | ||
| request.paramAsStringArrayOrEmptyIfAll("nodeId") | ||
| ).timeout(request.param("timeout")), | ||
| new ActionListener<>() { | ||
| @Override | ||
| public void onResponse(final CertificatesNodesResponse response) { | ||
| ok(channel, (builder, params) -> { | ||
| builder.startObject(); | ||
| RestActions.buildNodesHeader(builder, channel.request(), response); | ||
| builder.field("cluster_name", response.getClusterName().value()); | ||
| response.toXContent(builder, channel.request()); | ||
| builder.endObject(); | ||
| return builder; | ||
| }); | ||
| } | ||
|
|
||
| @Override | ||
| public void onFailure(Exception e) { | ||
| LOGGER.error("Cannot load SSL certificates info due to", e); | ||
| internalServerError(channel, "Cannot load SSL certificates info " + e.getMessage() + "."); | ||
| } | ||
| } | ||
| ) | ||
| ); | ||
| } | ||
|
|
||
| boolean accessHandler(final RestRequest request) { | ||
| if (request.method() == RestRequest.Method.GET) { | ||
| return securityApiDependencies.restApiAdminPrivilegesEvaluator().isCurrentUserAdminFor(endpoint, CERTS_INFO_ACTION); | ||
| } else { | ||
| return false; | ||
| } | ||
| } | ||
|
|
||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.