From 07de71673f2342630e1e2d18b1817470f267bd92 Mon Sep 17 00:00:00 2001 From: Stanislav Riabokon <stanislav_riabokon@epam.com> Date: Wed, 23 Sep 2020 16:52:46 +0400 Subject: [PATCH] GONRG-735 Updated README.md Added a flag 'security.https.certificate.trust' with default value 'false' --- .../indexer/util/ElasticClientHandler.java | 215 +++++++++++------- .../src/test/resources/application.properties | 1 + provider/indexer-gcp/README.md | 2 + .../indexer/util/ElasticClientHandlerGcp.java | 146 ------------ .../main/resources/application-dev.properties | 4 +- .../resources/application-kuber.properties | 4 +- .../resources/application-testing.properties | 4 +- .../src/main/resources/application.properties | 2 + 8 files changed, 138 insertions(+), 240 deletions(-) create mode 100644 indexer-core/src/test/resources/application.properties delete mode 100644 provider/indexer-gcp/src/main/java/org/opengroup/osdu/indexer/util/ElasticClientHandlerGcp.java diff --git a/indexer-core/src/main/java/org/opengroup/osdu/indexer/util/ElasticClientHandler.java b/indexer-core/src/main/java/org/opengroup/osdu/indexer/util/ElasticClientHandler.java index 100796717..1d46ee471 100644 --- a/indexer-core/src/main/java/org/opengroup/osdu/indexer/util/ElasticClientHandler.java +++ b/indexer-core/src/main/java/org/opengroup/osdu/indexer/util/ElasticClientHandler.java 
@@ -1,108 +1,153 @@ -// Copyright 2017-2019, Schlumberger -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - package org.opengroup.osdu.indexer.util; +import java.security.KeyManagementException; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; +import java.util.Base64; +import java.util.Objects; +import javax.net.ssl.SSLContext; +import lombok.extern.java.Log; import org.apache.http.Header; import org.apache.http.HttpHost; import org.apache.http.HttpStatus; +import org.apache.http.conn.ssl.NoopHostnameVerifier; +import org.apache.http.conn.ssl.TrustSelfSignedStrategy; +import org.apache.http.impl.nio.client.HttpAsyncClientBuilder; import org.apache.http.message.BasicHeader; +import org.apache.http.ssl.SSLContextBuilder; import org.elasticsearch.client.RestClient; import org.elasticsearch.client.RestClientBuilder; import org.elasticsearch.client.RestHighLevelClient; import org.opengroup.osdu.core.common.model.http.AppException; -import org.opengroup.osdu.core.common.model.search.ClusterSettings; import org.opengroup.osdu.core.common.model.indexer.IElasticSettingService; +import org.opengroup.osdu.core.common.model.search.ClusterSettings; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.beans.factory.annotation.Value; import org.springframework.stereotype.Component; -import java.util.Base64; - @Component +@Log public class ElasticClientHandler { - // Elastic cluster Rest client 
settings - private static final int CLOUD_REST_CLIENT_PORT = 9243; - private static final int REST_CLIENT_CONNECT_TIMEOUT = 60000; - private static final int REST_CLIENT_SOCKET_TIMEOUT = 60000; - private static final int REST_CLIENT_RETRY_TIMEOUT = 60000; - - @Autowired - private IElasticSettingService elasticSettingService; - - public RestHighLevelClient createRestClient() { - return getCloudRestClient(elasticSettingService.getElasticClusterInformation()); + // Elastic cluster Rest client settings + private static final int CLOUD_REST_CLIENT_PORT = 9243; + private static final int REST_CLIENT_CONNECT_TIMEOUT = 60000; + private static final int REST_CLIENT_SOCKET_TIMEOUT = 60000; + private static final int REST_CLIENT_RETRY_TIMEOUT = 60000; + + @Value("#{new Boolean('${security.https.certificate.trust:false}')}") + private Boolean isSecurityHttpsCertificateTrust; + + @Autowired + private IElasticSettingService elasticSettingService; + + public RestHighLevelClient createRestClient() { + return getCloudRestClient(elasticSettingService.getElasticClusterInformation()); + } + + // TODO: Remove this temporary implementation when ECE CCS is utilized + public RestHighLevelClient createRestClient(final ClusterSettings clusterSettings) { + return getCloudRestClient(clusterSettings); + } + + private RestHighLevelClient getCloudRestClient(final ClusterSettings clusterSettings) { + + String cluster = null; + String host = null; + int port = CLOUD_REST_CLIENT_PORT; + String protocolScheme = "https"; + String tls = "true"; + + try { + cluster = clusterSettings.getHost(); + host = clusterSettings.getHost(); + port = clusterSettings.getPort(); + if (!clusterSettings.isHttps()) { + protocolScheme = "http"; + } + + if (!clusterSettings.isTls()) { + tls = "false"; + } + String basicEncoded = Base64 + .getEncoder().encodeToString(clusterSettings.getUserNameAndPassword().getBytes()); + String basicAuthenticationHeaderVal = String.format("Basic %s", basicEncoded); + + RestClientBuilder 
builder = createClientBuilder(host, basicAuthenticationHeaderVal, port, + protocolScheme, tls); + + return new RestHighLevelClient(builder); + } catch (AppException e) { + throw e; + } catch (Exception e) { + throw new AppException( + HttpStatus.SC_INTERNAL_SERVER_ERROR, + "search client error", + "error creating search client", + String + .format("Elastic client connection params, cluster: %s, host: %s, port: %s", cluster, + host, port), + e); } - // TODO: Remove this temporary implementation when ECE CCS is utilized - public RestHighLevelClient createRestClient(final ClusterSettings clusterSettings) { - return getCloudRestClient(clusterSettings); + } + + public RestClientBuilder createClientBuilder(String host, String basicAuthenticationHeaderVal, + int port, String protocolScheme, String tls) { + RestClientBuilder builder = RestClient.builder(new HttpHost(host, port, protocolScheme)); + builder.setRequestConfigCallback( + requestConfigBuilder -> requestConfigBuilder.setConnectTimeout(REST_CLIENT_CONNECT_TIMEOUT) + .setSocketTimeout(REST_CLIENT_SOCKET_TIMEOUT)); + builder.setMaxRetryTimeoutMillis(REST_CLIENT_RETRY_TIMEOUT); + + Header[] defaultHeaders = new Header[]{ + new BasicHeader("client.transport.nodes_sampler_interval", "30s"), + new BasicHeader("client.transport.ping_timeout", "30s"), + new BasicHeader("client.transport.sniff", "false"), + new BasicHeader("request.headers.X-Found-Cluster", host), + new BasicHeader("cluster.name", host), + new BasicHeader("xpack.security.transport.ssl.enabled", tls), + new BasicHeader("Authorization", basicAuthenticationHeaderVal), + }; + log.info(String.format( + "Elastic client connection uses protocolScheme = %s with a flag " + + "'security.https.certificate.trust' = %s", + protocolScheme, isSecurityHttpsCertificateTrust)); + if ("https".equals(protocolScheme) && isSecurityHttpsCertificateTrust) { + log.warning("Elastic client connection uses TrustSelfSignedStrategy()"); + SSLContext sslContext = createSSLContext(); + 
builder.setHttpClientConfigCallback(httpClientBuilder -> + { + HttpAsyncClientBuilder httpAsyncClientBuilder = httpClientBuilder.setSSLContext(sslContext) + .setSSLHostnameVerifier( + NoopHostnameVerifier.INSTANCE); + return httpAsyncClientBuilder; + }); } - private RestHighLevelClient getCloudRestClient(final ClusterSettings clusterSettings) { - - String cluster = null; - String host = null; - int port = CLOUD_REST_CLIENT_PORT; - String protocolScheme = "https"; - String tls = "true"; - - try { - cluster = clusterSettings.getHost(); - host = clusterSettings.getHost(); - port = clusterSettings.getPort(); - if(!clusterSettings.isHttps()){ - protocolScheme = "http"; - } - - if(!clusterSettings.isTls()){ - tls = "false"; - } - String basicEncoded = Base64.getEncoder().encodeToString(clusterSettings.getUserNameAndPassword().getBytes()); - String basicAuthenticationHeaderVal = String.format("Basic %s", basicEncoded); - - RestClientBuilder builder = createClientBuilder(host, basicAuthenticationHeaderVal, port, protocolScheme, tls); - - return new RestHighLevelClient(builder); - } catch (AppException e) { - throw e; - } catch (Exception e) { - throw new AppException( - HttpStatus.SC_INTERNAL_SERVER_ERROR, - "search client error", - "error creating search client", - String.format("Elastic client connection params, cluster: %s, host: %s, port: %s", cluster, host, port), - e); - } + builder.setDefaultHeaders(defaultHeaders); + return builder; + } + + private SSLContext createSSLContext() { + SSLContextBuilder sslContextBuilder = new SSLContextBuilder(); + try { + sslContextBuilder.loadTrustMaterial(null, new TrustSelfSignedStrategy()); + return sslContextBuilder.build(); + } catch (NoSuchAlgorithmException e) { + log.severe(e.getMessage()); + } catch (KeyStoreException e) { + log.severe(e.getMessage()); + } catch (KeyManagementException e) { + log.severe(e.getMessage()); } + return null; + } - public RestClientBuilder createClientBuilder(String host, String 
basicAuthenticationHeaderVal, int port, String protocolScheme, String tls) { - RestClientBuilder builder = RestClient.builder(new HttpHost(host, port, protocolScheme)); - builder.setRequestConfigCallback(requestConfigBuilder -> requestConfigBuilder.setConnectTimeout(REST_CLIENT_CONNECT_TIMEOUT) - .setSocketTimeout(REST_CLIENT_SOCKET_TIMEOUT)); - builder.setMaxRetryTimeoutMillis(REST_CLIENT_RETRY_TIMEOUT); - - Header[] defaultHeaders = new Header[]{ - new BasicHeader("client.transport.nodes_sampler_interval", "30s"), - new BasicHeader("client.transport.ping_timeout", "30s"), - new BasicHeader("client.transport.sniff", "false"), - new BasicHeader("request.headers.X-Found-Cluster", host), - new BasicHeader("cluster.name", host), - new BasicHeader("xpack.security.transport.ssl.enabled", tls), - new BasicHeader("Authorization", basicAuthenticationHeaderVal), - }; - - builder.setDefaultHeaders(defaultHeaders); - return builder; - } + public Boolean isSecurityHttpsCertificateTrust() { + return isSecurityHttpsCertificateTrust; + } + + public void setSecurityHttpsCertificateTrust(Boolean isSecurityHttpsCertificateTrust) { + this.isSecurityHttpsCertificateTrust = isSecurityHttpsCertificateTrust; + } } \ No newline at end of file diff --git a/indexer-core/src/test/resources/application.properties b/indexer-core/src/test/resources/application.properties new file mode 100644 index 000000000..50f201247 --- /dev/null +++ b/indexer-core/src/test/resources/application.properties @@ -0,0 +1 @@ +security.https.certificate.trust=false \ No newline at end of file diff --git a/provider/indexer-gcp/README.md b/provider/indexer-gcp/README.md index eaa3bed2c..97143cbe6 100644 --- a/provider/indexer-gcp/README.md +++ b/provider/indexer-gcp/README.md 
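Review bot: `createSSLContext()` logs only `e.getMessage()` and returns `null` on `NoSuchAlgorithmException`/`KeyStoreException`/`KeyManagementException`, and `createClientBuilder` then passes that null to `httpClientBuilder.setSSLContext(sslContext)` after `NoopHostnameVerifier.INSTANCE` has already been installed, so a failed trust-material setup appears to degrade silently to the builder's default context with hostname verification switched off and no stack trace in the log. Since `getCloudRestClient` already rethrows `AppException` unchanged and wraps anything else, the method should fail closed by throwing instead of returning null (rewrite below). Separately, the flag disables two independent checks — chain validation via `TrustSelfSignedStrategy` and hostname matching via `NoopHostnameVerifier` — but the `log.warning` only names the first; suggest `log.warning("security.https.certificate.trust=true: accepting self-signed certificates and skipping hostname verification for the Elastic client");` so operators can see that the client cannot distinguish the intended cluster from any other endpoint presenting a self-signed certificate, and mirror that wording in the README row. Also on the new side, `clusterSettings.getUserNameAndPassword().getBytes()` uses the platform default charset; `getBytes(StandardCharsets.UTF_8)` makes the Basic header deterministic across JVMs.
```java
private SSLContext createSSLContext() {
    try {
        return new SSLContextBuilder()
            .loadTrustMaterial(null, new TrustSelfSignedStrategy())
            .build();
    } catch (NoSuchAlgorithmException | KeyStoreException | KeyManagementException e) {
        // Fail closed: getCloudRestClient() rethrows AppException as-is, so the client is
        // never built with a half-configured TLS setup (default trust + no hostname check).
        throw new AppException(
            HttpStatus.SC_INTERNAL_SERVER_ERROR,
            "search client error",
            "error creating SSL context for the search client",
            e.getMessage(),
            e);
    }
}
```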
@@ -34,6 +34,8 @@ In order to run the service locally or remotely, you will need to have the follo | `GOOGLE_CLOUD_PROJECT` | ex `opendes` | Google Cloud Project Id| no | output of infrastructure deployment | | `GOOGLE_AUDIENCES` | ex `*****.apps.googleusercontent.com` | Client ID for getting access to cloud resources | yes | https://console.cloud.google.com/apis/credentials | | `GOOGLE_APPLICATION_CREDENTIALS` | ex `/path/to/directory/service-key.json` | Service account credentials, you only need this if running locally | yes | https://console.cloud.google.com/iam-admin/serviceaccounts | +| `security.https.certificate.trust` | ex `false` | Elastic client connection uses TrustSelfSignedStrategy(), if it is 'true' | false | output of infrastructure deployment | + ### Run Locally Check that maven is installed: diff --git a/provider/indexer-gcp/src/main/java/org/opengroup/osdu/indexer/util/ElasticClientHandlerGcp.java b/provider/indexer-gcp/src/main/java/org/opengroup/osdu/indexer/util/ElasticClientHandlerGcp.java deleted file mode 100644 index 1643e3310..000000000 --- a/provider/indexer-gcp/src/main/java/org/opengroup/osdu/indexer/util/ElasticClientHandlerGcp.java +++ /dev/null 
@@ -1,146 +0,0 @@ -package org.opengroup.osdu.indexer.util; - -import java.security.KeyManagementException; -import java.security.KeyStoreException; -import java.security.NoSuchAlgorithmException; -import java.util.Base64; -import javax.net.ssl.SSLContext; -import lombok.extern.java.Log; -import org.apache.http.Header; -import org.apache.http.HttpHost; -import org.apache.http.HttpStatus; -import org.apache.http.conn.ssl.NoopHostnameVerifier; -import org.apache.http.conn.ssl.TrustSelfSignedStrategy; -import org.apache.http.impl.nio.client.HttpAsyncClientBuilder; -import org.apache.http.message.BasicHeader; -import org.apache.http.ssl.SSLContextBuilder; -import org.elasticsearch.client.RestClient; -import org.elasticsearch.client.RestClientBuilder; -import org.elasticsearch.client.RestHighLevelClient; -import org.opengroup.osdu.core.common.model.http.AppException; -import org.opengroup.osdu.core.common.model.indexer.IElasticSettingService; -import org.opengroup.osdu.core.common.model.search.ClusterSettings; -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.beans.factory.annotation.Value; -import org.springframework.context.annotation.Primary; -import org.springframework.stereotype.Component; - -@Component -@Primary -@Log -public class ElasticClientHandlerGcp extends ElasticClientHandler { - - // Elastic cluster Rest client settings - private static final int CLOUD_REST_CLIENT_PORT = 9243; - private static final int REST_CLIENT_CONNECT_TIMEOUT = 60000; - private static final int REST_CLIENT_SOCKET_TIMEOUT = 60000; - private static final int REST_CLIENT_RETRY_TIMEOUT = 60000; - - @Value("#{new Boolean('${security.https.certificate.trust}')}") - private Boolean securityHttpsCertificateTrust; - - @Autowired - private IElasticSettingService elasticSettingService; - - public RestHighLevelClient createRestClient() { - return getCloudRestClient(elasticSettingService.getElasticClusterInformation()); - } - - // TODO: Remove this 
temporary implementation when ECE CCS is utilized - public RestHighLevelClient createRestClient(final ClusterSettings clusterSettings) { - return getCloudRestClient(clusterSettings); - } - - private RestHighLevelClient getCloudRestClient(final ClusterSettings clusterSettings) { - - String cluster = null; - String host = null; - int port = CLOUD_REST_CLIENT_PORT; - String protocolScheme = "https"; - String tls = "true"; - - try { - cluster = clusterSettings.getHost(); - host = clusterSettings.getHost(); - port = clusterSettings.getPort(); - if (!clusterSettings.isHttps()) { - protocolScheme = "http"; - } - - if (!clusterSettings.isTls()) { - tls = "false"; - } - String basicEncoded = Base64 - .getEncoder().encodeToString(clusterSettings.getUserNameAndPassword().getBytes()); - String basicAuthenticationHeaderVal = String.format("Basic %s", basicEncoded); - - RestClientBuilder builder = createClientBuilder(host, basicAuthenticationHeaderVal, port, - protocolScheme, tls); - - return new RestHighLevelClient(builder); - } catch (AppException e) { - throw e; - } catch (Exception e) { - throw new AppException( - HttpStatus.SC_INTERNAL_SERVER_ERROR, - "search client error", - "error creating search client", - String - .format("Elastic client connection params, cluster: %s, host: %s, port: %s", cluster, - host, port), - e); - } - } - - public RestClientBuilder createClientBuilder(String host, String basicAuthenticationHeaderVal, - int port, String protocolScheme, String tls) { - RestClientBuilder builder = RestClient.builder(new HttpHost(host, port, protocolScheme)); - builder.setRequestConfigCallback( - requestConfigBuilder -> requestConfigBuilder.setConnectTimeout(REST_CLIENT_CONNECT_TIMEOUT) - .setSocketTimeout(REST_CLIENT_SOCKET_TIMEOUT)); - builder.setMaxRetryTimeoutMillis(REST_CLIENT_RETRY_TIMEOUT); - - Header[] defaultHeaders = new Header[]{ - new BasicHeader("client.transport.nodes_sampler_interval", "30s"), - new BasicHeader("client.transport.ping_timeout", "30s"), 
- new BasicHeader("client.transport.sniff", "false"), - new BasicHeader("request.headers.X-Found-Cluster", host), - new BasicHeader("cluster.name", host), - new BasicHeader("xpack.security.transport.ssl.enabled", tls), - new BasicHeader("Authorization", basicAuthenticationHeaderVal), - }; - log.info(String.format( - "Elastic client connection uses protocolScheme = %s with a flag " - + "'security.https.certificate.trust' = %s", - protocolScheme, securityHttpsCertificateTrust)); - if ("https".equals(protocolScheme) && securityHttpsCertificateTrust) { - log.warning("Elastic client connection uses TrustSelfSignedStrategy()"); - SSLContext sslContext = createSSLContext(); - builder.setHttpClientConfigCallback(httpClientBuilder -> - { - HttpAsyncClientBuilder httpAsyncClientBuilder = httpClientBuilder.setSSLContext(sslContext) - .setSSLHostnameVerifier( - NoopHostnameVerifier.INSTANCE); - return httpAsyncClientBuilder; - }); - } - - builder.setDefaultHeaders(defaultHeaders); - return builder; - } - - private SSLContext createSSLContext() { - SSLContextBuilder sslContextBuilder = new SSLContextBuilder(); - try { - sslContextBuilder.loadTrustMaterial(null, new TrustSelfSignedStrategy()); - return sslContextBuilder.build(); - } catch (NoSuchAlgorithmException e) { - log.severe(e.getMessage()); - } catch (KeyStoreException e) { - log.severe(e.getMessage()); - } catch (KeyManagementException e) { - log.severe(e.getMessage()); - } - return null; - } -} diff --git a/provider/indexer-gcp/src/main/resources/application-dev.properties b/provider/indexer-gcp/src/main/resources/application-dev.properties index 4644fef83..61da3c713 100644 --- a/provider/indexer-gcp/src/main/resources/application-dev.properties +++ b/provider/indexer-gcp/src/main/resources/application-dev.properties 
@@ -18,6 +18,4 @@ CRS_API=https://crs-converter-gae-dot-opendes.appspot.com/api/crs/v1 REDIS_GROUP_HOST=10.0.16.28 REDIS_SEARCH_HOST=10.0.16.20 -GOOGLE_AUDIENCES=245464679631-ktfdfpl147m1mjpbutl00b3cmffissgq.apps.googleusercontent.com - -security.https.certificate.trust=${SECURITY_HTTPS_CERTIFICATE_TRUST} \ No newline at end of file +GOOGLE_AUDIENCES=245464679631-ktfdfpl147m1mjpbutl00b3cmffissgq.apps.googleusercontent.com \ No newline at end of file diff --git a/provider/indexer-gcp/src/main/resources/application-kuber.properties b/provider/indexer-gcp/src/main/resources/application-kuber.properties index 4a92f155b..bc2a5f901 100644 --- a/provider/indexer-gcp/src/main/resources/application-kuber.properties +++ b/provider/indexer-gcp/src/main/resources/application-kuber.properties @@ -21,6 +21,4 @@ REDIS_SEARCH_HOST=${REDIS_SEARCH_HOST} GOOGLE_AUDIENCES=${GOOGLE_AUDIENCES} DEPLOYMENT_ENVIRONMENT=CLOUD -disable.appengine.log.factory=true - -security.https.certificate.trust=${SECURITY_HTTPS_CERTIFICATE_TRUST} \ No newline at end of file +disable.appengine.log.factory=true \ No newline at end of file diff --git a/provider/indexer-gcp/src/main/resources/application-testing.properties b/provider/indexer-gcp/src/main/resources/application-testing.properties index ef983cb61..fb0c9e2d6 100644 --- a/provider/indexer-gcp/src/main/resources/application-testing.properties +++ b/provider/indexer-gcp/src/main/resources/application-testing.properties @@ -18,6 +18,4 @@ CRS_API=https://crs-converter-gae-dot-opendes-evt.appspot.com/api/crs/v1 REDIS_GROUP_HOST=10.253.209.196 REDIS_SEARCH_HOST=10.118.2.140 -GOOGLE_AUDIENCES=833591776864-oobhqvmtdg9rpreubjvn44m5f8revglk.apps.googleusercontent.com - -security.https.certificate.trust=false \ No newline at end of file +GOOGLE_AUDIENCES=833591776864-oobhqvmtdg9rpreubjvn44m5f8revglk.apps.googleusercontent.com \ No newline at end of file 
diff --git a/provider/indexer-gcp/src/main/resources/application.properties b/provider/indexer-gcp/src/main/resources/application.properties
index 1ccde0848..5861c67c7 100644
--- a/provider/indexer-gcp/src/main/resources/application.properties
+++ b/provider/indexer-gcp/src/main/resources/application.properties
@@ -32,3 +32,5 @@ KMS_KEY=searchService ELASTIC_DATASTORE_KIND=SearchSettings ELASTIC_DATASTORE_ID=indexer-service + +security.https.certificate.trust=${SECURITY_HTTPS_CERTIFICATE_TRUST} -- GitLab
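Review bot: With `security.https.certificate.trust=${SECURITY_HTTPS_CERTIFICATE_TRUST}` placed in the base `application.properties`, the `:false` fallback in `@Value("#{new Boolean('${security.https.certificate.trust:false}')}")` in ElasticClientHandler is no longer reachable for the GCP provider: the property is always present, and if `SECURITY_HTTPS_CERTIFICATE_TRUST` is not exported, Spring should fail to resolve the nested placeholder at startup rather than fall back to `false`, so the "default value 'false'" described in the commit message and README holds only where the property is entirely absent (e.g. the indexer-core test resources). The `application-testing.properties` hunk earlier in this patch also drops its explicit `security.https.certificate.trust=false`, so that profile now inherits the environment-driven value instead of a pinned safe default. If the intent is a fail-safe default, use `security.https.certificate.trust=${SECURITY_HTTPS_CERTIFICATE_TRUST:false}` here, or keep the hard-coded `false` in the testing profile.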