• Home
• org.elasticsearch.plugin
• x-pack-core
• 7.12.1
• source code
• RestrictedTrustConfig.java

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

org.elasticsearch.xpack.core.ssl.RestrictedTrustConfig Maven / Gradle / Ivy

/*
 * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
 * or more contributor license agreements. Licensed under the Elastic License
 * 2.0; you may not use this file except in compliance with the Elastic License
 * 2.0.
 */
package org.elasticsearch.xpack.core.ssl;

import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.common.Nullable;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.CollectionUtils;
import org.elasticsearch.env.Environment;
import org.elasticsearch.xpack.core.ssl.cert.CertificateInfo;

import javax.net.ssl.X509ExtendedTrustManager;

import java.io.IOException;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.util.Collection;
import java.util.List;
import java.util.Objects;

/**
 * An implementation of {@link TrustConfig} that constructs a {@link RestrictedTrustManager}.
 * This implementation always wraps another TrustConfig to perform the
 * underlying certificate validation.
 */
public final class RestrictedTrustConfig extends TrustConfig {

    private static final String RESTRICTIONS_KEY_SUBJECT_NAME = "trust.subject_name";
    private final String groupConfigPath;
    private final TrustConfig delegate;

    RestrictedTrustConfig(String groupConfigPath, TrustConfig delegate) {
        this.groupConfigPath = Objects.requireNonNull(groupConfigPath);
        this.delegate = Objects.requireNonNull(delegate);
    }

    @Override
    RestrictedTrustManager createTrustManager(@Nullable Environment environment) {
        try {
            final X509ExtendedTrustManager delegateTrustManager = delegate.createTrustManager(environment);
            final CertificateTrustRestrictions trustGroupConfig = readTrustGroup(resolveGroupConfigPath(environment));
            return new RestrictedTrustManager(delegateTrustManager, trustGroupConfig);
        } catch (IOException e) {
            throw new ElasticsearchException("failed to initialize TrustManager for {}", e, toString());
        }
    }

    @Override
    Collection certificates(Environment environment) throws GeneralSecurityException, IOException {
        return delegate.certificates(environment);
    }

    @Override
    List filesToMonitor(@Nullable Environment environment) {
        return CollectionUtils.appendToCopy(delegate.filesToMonitor(environment), resolveGroupConfigPath(environment));
    }

    @Override
    public String toString() {
        return "restrictedTrust=[" + groupConfigPath + ']';
    }

    @Override
    public boolean equals(Object o) {
        if (this == o) return true;
        if (o == null || getClass() != o.getClass()) return false;

        RestrictedTrustConfig that = (RestrictedTrustConfig) o;
        return this.groupConfigPath.equals(that.groupConfigPath) && this.delegate.equals(that.delegate);
    }

    @Override
    public int hashCode() {
        int result = groupConfigPath.hashCode();
        result = 31 * result + delegate.hashCode();
        return result;
    }

    private Path resolveGroupConfigPath(@Nullable Environment environment) {
        return CertParsingUtils.resolvePath(groupConfigPath, environment);
    }

    private CertificateTrustRestrictions readTrustGroup(Path path) throws IOException {
        Settings settings = Settings.builder().loadFromPath(path).build();
        final List trustNodeNames = settings.getAsList(RESTRICTIONS_KEY_SUBJECT_NAME);
        return new CertificateTrustRestrictions(trustNodeNames);
    }
}