Fix issue opensearch-project#4280

Introduce 2 new endpoint: `_plugins/_security/api/certificates` `_plugins/_security/api/certificates/{nodeId}` Query parameters: - cert_type which provides information about SSL certificates for each node in the cluster Signed-off-by: Andrey Pleskach <[email protected]>
willyborankin · May 1, 2024 · 67645ed · 67645ed
1 parent f501cfe
commit 67645ed
Show file tree

Hide file tree

Showing 14 changed files with 957 additions and 38 deletions.
diff --git a/src/integrationTest/java/org/opensearch/security/api/AbstractApiIntegrationTest.java b/src/integrationTest/java/org/opensearch/security/api/AbstractApiIntegrationTest.java
@@ -245,9 +245,13 @@ protected void withUser(
         }
     }
 
+    protected String apiPathPrefix() {
+        return randomFrom(List.of(LEGACY_OPENDISTRO_PREFIX, PLUGINS_PREFIX));
+    }
+
     protected String securityPath(String... path) {
         final var fullPath = new StringJoiner("/");
-        fullPath.add(randomFrom(List.of(LEGACY_OPENDISTRO_PREFIX, PLUGINS_PREFIX)));
+        fullPath.add(apiPathPrefix());
         if (path != null) {
             for (final var p : path)
                 fullPath.add(p);

diff --git a/src/integrationTest/java/org/opensearch/security/api/CertificatesRestApiIntegrationTest.java b/src/integrationTest/java/org/opensearch/security/api/CertificatesRestApiIntegrationTest.java
@@ -0,0 +1,188 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+package org.opensearch.security.api;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.List;
+import java.util.Set;
+import java.util.StringJoiner;
+import java.util.stream.Collectors;
+
+import com.carrotsearch.randomizedtesting.RandomizedContext;
+import com.google.common.collect.ImmutableList;
+import com.fasterxml.jackson.databind.JsonNode;
+import org.apache.commons.lang3.tuple.Pair;
+import org.junit.Test;
+
+import org.opensearch.security.dlic.rest.api.Endpoint;
+import org.opensearch.security.dlic.rest.api.ssl.CertificateType;
+import org.opensearch.test.framework.certificate.TestCertificates;
+import org.opensearch.test.framework.cluster.LocalOpenSearchCluster;
+import org.opensearch.test.framework.cluster.TestRestClient;
+
+import static org.hamcrest.CoreMatchers.containsString;
+import static org.hamcrest.CoreMatchers.is;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.opensearch.security.OpenSearchSecurityPlugin.PLUGINS_PREFIX;
+import static org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.CERTS_INFO_ACTION;
+import static org.opensearch.security.support.ConfigConstants.SECURITY_RESTAPI_ADMIN_ENABLED;
+
+public class CertificatesRestApiIntegrationTest extends AbstractApiIntegrationTest {
+
+    final static String REST_API_ADMIN_SSL_INFO = "rest-api-admin-ssl-info";
+
+    static {
+        clusterSettings.put(SECURITY_RESTAPI_ADMIN_ENABLED, true);
+        testSecurityConfig.withRestAdminUser(REST_ADMIN_USER, allRestAdminPermissions())
+            .withRestAdminUser(REST_API_ADMIN_SSL_INFO, restAdminPermission(Endpoint.SSL, CERTS_INFO_ACTION));
+    }
+
+    @Override
+    protected String apiPathPrefix() {
+        return PLUGINS_PREFIX;
+    }
+
+    protected String sslCertsPath(String... path) {
+        final var fullPath = new StringJoiner("/");
+        fullPath.add(super.apiPath("certificates"));
+        if (path != null) {
+            for (final var p : path) {
+                fullPath.add(p);
+            }
+        }
+        return fullPath.toString();
+    }
+
+    @Test
+    public void forbiddenForRegularUser() throws Exception {
+        withUser(NEW_USER, client -> forbidden(() -> client.get(sslCertsPath())));
+    }
+
+    @Test
+    public void forbiddenForAdminUser() throws Exception {
+        withUser(ADMIN_USER_NAME, client -> forbidden(() -> client.get(sslCertsPath())));
+    }
+
+    @Test
+    public void availableForTlsAdmin() throws Exception {
+        withUser(ADMIN_USER_NAME, localCluster.getAdminCertificate(), this::verifySSLCertsInfo);
+    }
+
+    @Test
+    public void availableForRestAdmin() throws Exception {
+        withUser(REST_ADMIN_USER, this::verifySSLCertsInfo);
+        withUser(REST_API_ADMIN_SSL_INFO, this::verifySSLCertsInfo);
+    }
+
+    private void verifySSLCertsInfo(final TestRestClient client) throws Exception {
+        assertSSLCertsInfo(nodesWithOrder(), Set.of(CertificateType.HTTP, CertificateType.TRANSPORT), ok(() -> client.get(sslCertsPath())));
+        if (localCluster.nodes().size() > 1) {
+            final var randomNodes = randomNodes();
+            final var nodeIds = randomNodes.stream()
+                .map(Pair::getRight)
+                .map(n -> n.esNode().getNodeEnvironment().nodeId())
+                .collect(Collectors.joining(","));
+            assertSSLCertsInfo(
+                randomNodes,
+                Set.of(CertificateType.HTTP, CertificateType.TRANSPORT),
+                ok(() -> client.get(sslCertsPath(nodeIds)))
+            );
+        }
+        final var randomCertType = randomFrom(List.of(CertificateType.HTTP, CertificateType.TRANSPORT));
+        assertSSLCertsInfo(
+            nodesWithOrder(),
+            Set.of(randomCertType),
+            ok(() -> client.get(String.format("%s?cert_type=%s", sslCertsPath(), randomCertType)))
+        );
+
+    }
+
+    private void assertSSLCertsInfo(
+        final List<Pair<Integer, LocalOpenSearchCluster.Node>> expectedNode,
+        final Set<CertificateType> expectedCertTypes,
+        final TestRestClient.HttpResponse response
+    ) {
+        final var body = response.bodyAsJsonNode();
+        final var prettyStringBody = body.toPrettyString();
+
+        final var _nodes = body.get("_nodes");
+        assertThat(prettyStringBody, _nodes.get("total").asInt(), is(expectedNode.size()));
+        assertThat(prettyStringBody, _nodes.get("successful").asInt(), is(expectedNode.size()));
+        assertThat(prettyStringBody, _nodes.get("failed").asInt(), is(0));
+        assertThat(prettyStringBody, body.get("cluster_name").asText(), is(localCluster.getClusterName()));
+
+        final var nodes = body.get("nodes");
+
+        for (final var nodeWithOrder : expectedNode) {
+            final var esNode = nodeWithOrder.getRight().esNode();
+            final var node = nodes.get(esNode.getNodeEnvironment().nodeId());
+            assertThat(prettyStringBody, node.get("name").asText(), is(nodeWithOrder.getRight().getNodeName()));
+            assertThat(prettyStringBody, node.has("certificates"));
+            final var certificates = node.get("certificates");
+            if (expectedCertTypes.contains(CertificateType.HTTP)) {
+                final var httpCertificates = certificates.get(CertificateType.HTTP.value());
+                assertThat(prettyStringBody, httpCertificates.isArray());
+                assertThat(prettyStringBody, httpCertificates.size(), is(1));
+                verifyCertsJson(nodeWithOrder.getLeft(), httpCertificates.get(0));
+            }
+            if (expectedCertTypes.contains(CertificateType.TRANSPORT)) {
+                final var transportCertificates = certificates.get(CertificateType.TRANSPORT.value());
+                assertThat(prettyStringBody, transportCertificates.isArray());
+                assertThat(prettyStringBody, transportCertificates.size(), is(1));
+                verifyCertsJson(nodeWithOrder.getLeft(), transportCertificates.get(0));
+            }
+        }
+
+    }
+
+    private void verifyCertsJson(final int nodeNumber, final JsonNode jsonNode) {
+        assertThat(jsonNode.toPrettyString(), jsonNode.get("issuer_dn").asText(), is(TestCertificates.CA_SUBJECT));
+        assertThat(
+            jsonNode.toPrettyString(),
+            jsonNode.get("subject_dn").asText(),
+            is(String.format(TestCertificates.NODE_SUBJECT_PATTERN, nodeNumber))
+        );
+        assertThat(
+            jsonNode.toPrettyString(),
+            jsonNode.get("san").asText(),
+            containsString(String.format("node-%s.example.com", nodeNumber))
+        );
+        assertThat(jsonNode.toPrettyString(), jsonNode.has("not_before"));
+        assertThat(jsonNode.toPrettyString(), jsonNode.has("not_after"));
+    }
+
+    private List<Pair<Integer, LocalOpenSearchCluster.Node>> randomNodes() {
+        final var nodesWithOrder = nodesWithOrder();
+        int leaveElements = randomIntBetween(1, nodesWithOrder.size() - 1);
+        return randomSubsetOf(leaveElements, nodesWithOrder);
+    }
+
+    private List<Pair<Integer, LocalOpenSearchCluster.Node>> nodesWithOrder() {
+        final var list = ImmutableList.<Pair<Integer, LocalOpenSearchCluster.Node>>builder();
+        for (int i = 0; i < localCluster.nodes().size(); i++)
+            list.add(Pair.of(i, localCluster.nodes().get(i)));
+        return list.build();
+    }
+
+    public <T> List<T> randomSubsetOf(int size, Collection<T> collection) {
+        if (size > collection.size()) {
+            throw new IllegalArgumentException(
+                "Can't pick " + size + " random objects from a collection of " + collection.size() + " objects"
+            );
+        }
+        List<T> tempList = new ArrayList<>(collection);
+        Collections.shuffle(tempList, RandomizedContext.current().getRandom());
+        return tempList.subList(0, size);
+    }
+
+}
diff --git a/src/integrationTest/java/org/opensearch/security/api/SslCertsRestApiIntegrationTest.java b/src/integrationTest/java/org/opensearch/security/api/SslCertsRestApiIntegrationTest.java
@@ -20,6 +20,7 @@
 import static org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.CERTS_INFO_ACTION;
 import static org.opensearch.security.support.ConfigConstants.SECURITY_RESTAPI_ADMIN_ENABLED;
 
+@Deprecated
 public class SslCertsRestApiIntegrationTest extends AbstractApiIntegrationTest {
 
     final static String REST_API_ADMIN_SSL_INFO = "rest-api-admin-ssl-info";

diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
@@ -154,6 +154,8 @@
 import org.opensearch.security.configuration.SecurityFlsDlsIndexSearcherWrapper;
 import org.opensearch.security.dlic.rest.api.Endpoint;
 import org.opensearch.security.dlic.rest.api.SecurityRestApiActions;
+import org.opensearch.security.dlic.rest.api.ssl.CertificatesActionType;
+import org.opensearch.security.dlic.rest.api.ssl.TransportCertificatesInfoNodesAction;
 import org.opensearch.security.dlic.rest.validation.PasswordValidator;
 import org.opensearch.security.filter.SecurityFilter;
 import org.opensearch.security.filter.SecurityRestFilter;
@@ -173,6 +175,7 @@
 import org.opensearch.security.securityconf.DynamicConfigFactory;
 import org.opensearch.security.setting.OpensearchDynamicSetting;
 import org.opensearch.security.setting.TransportPassiveAuthSetting;
+import org.opensearch.security.ssl.ExternalSecurityKeyStore;
 import org.opensearch.security.ssl.OpenSearchSecureSettingsFactory;
 import org.opensearch.security.ssl.OpenSearchSecuritySSLPlugin;
 import org.opensearch.security.ssl.SslExceptionHandler;
@@ -656,6 +659,10 @@ public UnaryOperator<RestHandler> getRestHandlerWrapper(final ThreadContext thre
         List<ActionHandler<? extends ActionRequest, ? extends ActionResponse>> actions = new ArrayList<>(1);
         if (!disabled && !SSLConfig.isSslOnlyMode()) {
             actions.add(new ActionHandler<>(ConfigUpdateAction.INSTANCE, TransportConfigUpdateAction.class));
+            // external storage does not support reload and does not provide SSL certs info
+            if (!ExternalSecurityKeyStore.hasExternalSslContext(settings)) {
+                actions.add(new ActionHandler<>(CertificatesActionType.INSTANCE, TransportCertificatesInfoNodesAction.class));
+            }
             actions.add(new ActionHandler<>(WhoAmIAction.INSTANCE, TransportWhoAmIAction.class));
         }
         return actions;
@@ -1179,6 +1186,9 @@ public Collection<Object> createComponents(
         components.add(si);
         components.add(dcf);
         components.add(userService);
+        if (!ExternalSecurityKeyStore.hasExternalSslContext(settings)) {
+            components.add(sks);
+        }
         final var allowDefaultInit = settings.getAsBoolean(SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX, false);
         final var useClusterState = useClusterStateToInitSecurityConfig(settings);
         if (!SSLConfig.isSslOnlyMode() && !isDisabled(settings) && allowDefaultInit && useClusterState) {

diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/CertificatesApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/CertificatesApiAction.java
@@ -0,0 +1,120 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+package org.opensearch.security.dlic.rest.api;
+
+import java.util.List;
+
+import com.google.common.collect.ImmutableList;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+
+import org.opensearch.cluster.service.ClusterService;
+import org.opensearch.core.action.ActionListener;
+import org.opensearch.rest.RestRequest;
+import org.opensearch.rest.action.RestActions;
+import org.opensearch.security.dlic.rest.api.ssl.CertificateType;
+import org.opensearch.security.dlic.rest.api.ssl.CertificatesActionType;
+import org.opensearch.security.dlic.rest.api.ssl.CertificatesInfoNodesRequest;
+import org.opensearch.security.dlic.rest.api.ssl.CertificatesNodesResponse;
+import org.opensearch.security.securityconf.impl.CType;
+import org.opensearch.threadpool.ThreadPool;
+
+import static org.opensearch.security.dlic.rest.api.Responses.internalServerError;
+import static org.opensearch.security.dlic.rest.api.Responses.ok;
+import static org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.CERTS_INFO_ACTION;
+import static org.opensearch.security.dlic.rest.support.Utils.PLUGIN_API_ROUTE_PREFIX;
+import static org.opensearch.security.dlic.rest.support.Utils.addRoutesPrefix;
+
+public class CertificatesApiAction extends AbstractApiAction {
+
+    private final static Logger LOGGER = LogManager.getLogger(CertificatesApiAction.class);
+
+    private static final List<Route> ROUTES = addRoutesPrefix(
+        ImmutableList.of(new Route(RestRequest.Method.GET, "/certificates"), new Route(RestRequest.Method.GET, "/certificates/{nodeId}")),
+        PLUGIN_API_ROUTE_PREFIX
+    );
+
+    public CertificatesApiAction(
+        final ClusterService clusterService,
+        final ThreadPool threadPool,
+        final SecurityApiDependencies securityApiDependencies
+    ) {
+        super(Endpoint.SSL, clusterService, threadPool, securityApiDependencies);
+        this.requestHandlersBuilder.configureRequestHandlers(this::securitySSLCertsRequestHandlers);
+    }
+
+    @Override
+    public List<Route> routes() {
+        return ROUTES;
+    }
+
+    @Override
+    public String getName() {
+        return "HTTP and Transport Certificates Actions";
+    }
+
+    @Override
+    protected CType getConfigType() {
+        return null;
+    }
+
+    @Override
+    protected void consumeParameters(RestRequest request) {
+        request.param("nodeId");
+        request.param("cert_type");
+    }
+
+    private void securitySSLCertsRequestHandlers(RequestHandler.RequestHandlersBuilder requestHandlersBuilder) {
+        requestHandlersBuilder.withAccessHandler(this::accessHandler)
+            .allMethodsNotImplemented()
+            .verifyAccessForAllMethods()
+            .override(
+                RestRequest.Method.GET,
+                (channel, request, client) -> client.execute(
+                    CertificatesActionType.INSTANCE,
+                    new CertificatesInfoNodesRequest(
+                        CertificateType.from(request.param("cert_type")),
+                        true,
+                        request.paramAsStringArrayOrEmptyIfAll("nodeId")
+                    ),
+                    new ActionListener<>() {
+                        @Override
+                        public void onResponse(final CertificatesNodesResponse response) {
+                            ok(channel, (builder, params) -> {
+                                builder.startObject();
+                                RestActions.buildNodesHeader(builder, channel.request(), response);
+                                builder.field("cluster_name", response.getClusterName().value());
+                                response.toXContent(builder, channel.request());
+                                builder.endObject();
+                                return builder;
+                            });
+                        }
+
+                        @Override
+                        public void onFailure(Exception e) {
+                            LOGGER.error("Cannot load SSL certificates info due to", e);
+                            internalServerError(channel, "Cannot load SSL certificates info " + e.getMessage() + ".");
+                        }
+                    }
+                )
+            );
+    }
+
+    boolean accessHandler(final RestRequest request) {
+        if (request.method() == RestRequest.Method.GET) {
+            return securityApiDependencies.restApiAdminPrivilegesEvaluator().isCurrentUserAdminFor(endpoint, CERTS_INFO_ACTION);
+        } else {
+            return false;
+        }
+    }
+
+}