Example 6 with SslCertificateEntry

Use of com.sequenceiq.redbeams.configuration.SslCertificateEntry in project cloudbreak by hortonworks.

Class AllocateDatabaseServerV4RequestToDBStackConverterTest, method conversionTestWhenSslEnabledAndAwsAndSingleCertErrorBlankCloudProviderIdentifier (a single registered AWS certificate whose CloudProviderIdentifier is blank must be rejected during conversion).

@Test
void conversionTestWhenSslEnabledAndAwsAndSingleCertErrorBlankCloudProviderIdentifier() {
    setupMinimalValid(createSslConfigV4Request(SslMode.ENABLED), AWS_CLOUD_PLATFORM);
    when(databaseServerSslCertificateConfig.getNumberOfCertsByCloudPlatformAndRegion(AWS_CLOUD_PLATFORM.name(), REGION)).thenReturn(SINGLE_CERT);
    SslCertificateEntry sslCertificateEntryV3Broken = new SslCertificateEntry(VERSION_3, "", CERT_PEM_V3, x509Certificate);
    when(databaseServerSslCertificateConfig.getCertByCloudPlatformAndRegionAndVersion(AWS_CLOUD_PLATFORM.name(), REGION, VERSION_3)).thenReturn(sslCertificateEntryV3Broken);
    IllegalStateException illegalStateException = assertThrows(IllegalStateException.class, () -> underTest.convert(allocateRequest, OWNER_CRN));
    assertThat(illegalStateException).hasMessage("Blank CloudProviderIdentifier in SSL certificate version 3 for cloud platform \"AWS\"");
    verify(databaseServerSslCertificateConfig, never()).getCertsByCloudPlatformAndRegionAndVersions(anyString(), anyString(), any());
}
Also used : SslCertificateEntry(com.sequenceiq.redbeams.configuration.SslCertificateEntry) Test(org.junit.jupiter.api.Test) ParameterizedTest(org.junit.jupiter.params.ParameterizedTest)

Example 7 with SslCertificateEntry

Use of com.sequenceiq.redbeams.configuration.SslCertificateEntry in project cloudbreak by hortonworks.

Class AllocateDatabaseServerV4RequestToDBStackConverterTest, method conversionTestWhenSslEnabledAndAzureAndTwoCertsErrorDuplicatedCertPem (two registered Azure certificate versions that share the same PEM must be rejected during conversion).

@Test
void conversionTestWhenSslEnabledAndAzureAndTwoCertsErrorDuplicatedCertPem() {
    setupMinimalValid(createSslConfigV4Request(SslMode.ENABLED), AZURE_CLOUD_PLATFORM);
    SslCertificateEntry sslCertificateEntryV2DuplicateOfV3 = new SslCertificateEntry(VERSION_2, CLOUD_PROVIDER_IDENTIFIER_V3, CERT_PEM_V3, x509Certificate);
    when(databaseServerSslCertificateConfig.getNumberOfCertsByCloudPlatformAndRegion(AZURE_CLOUD_PLATFORM.name(), REGION)).thenReturn(TWO_CERTS);
    when(databaseServerSslCertificateConfig.getCertsByCloudPlatformAndRegionAndVersions(AZURE_CLOUD_PLATFORM.name(), REGION, VERSION_2, VERSION_3)).thenReturn(Set.of(sslCertificateEntryV2DuplicateOfV3, sslCertificateEntryV3));
    IllegalStateException illegalStateException = assertThrows(IllegalStateException.class, () -> underTest.convert(allocateRequest, OWNER_CRN));
    assertThat(illegalStateException).hasMessage("Received duplicated SSL certificate PEM when requesting versions [2, 3] for cloud platform \"AZURE\"");
    verify(databaseServerSslCertificateConfig, never()).getCertByCloudPlatformAndRegionAndVersion(anyString(), anyString(), anyInt());
}
Also used : SslCertificateEntry(com.sequenceiq.redbeams.configuration.SslCertificateEntry) Test(org.junit.jupiter.api.Test) ParameterizedTest(org.junit.jupiter.params.ParameterizedTest)

Example 8 with SslCertificateEntry

Use of com.sequenceiq.redbeams.configuration.SslCertificateEntry in project cloudbreak by hortonworks.

Class DatabaseServerSslCertificateSyncService, method syncSslCertificateAws (reconciles the stored SslConfig with the SSL root certificate the AWS database server actually reports as active).

private void syncSslCertificateAws(CloudContext cloudContext, DBStack dbStack, CloudDatabaseServerSslCertificate activeSslRootCertificate) {
    SslConfig sslConfig = dbStack.getSslConfig();
    String cloudPlatform = dbStack.getCloudPlatform();
    String desiredSslCertificateIdentifier = sslConfig.getSslCertificateActiveCloudProviderIdentifier();
    String activeSslCertificateIdentifier = activeSslRootCertificate.getCertificateIdentifier();
    // The latter case is not, however, handled specially, so that the DBStack of the legacy DB server can be also updated to get rid of legacy null values.
    if (activeSslCertificateIdentifier.equals(desiredSslCertificateIdentifier)) {
        LOGGER.info("Active SSL certificate CloudProviderIdentifier for cloud platform \"{}\" matches the desired one: \"{}\", database stack {}", cloudPlatform, activeSslCertificateIdentifier, cloudContext);
    } else {
        // Always sync CloudProviderIdentifier; this may result in an "SSL certificate outdated" status for the DB server registration.
        sslConfig.setSslCertificateActiveCloudProviderIdentifier(activeSslCertificateIdentifier);
        SslCertificateEntry activeSslCertificateEntry = databaseServerSslCertificateConfig.getCertByCloudPlatformAndRegionAndCloudProviderIdentifier(cloudPlatform, dbStack.getRegion(), activeSslCertificateIdentifier);
        if (activeSslCertificateEntry == null) {
            // This is only possible if the newly launched DB server uses a super-recent SSL root certificate that is yet unknown to CB,
            // or if the DB server SSL root certificate is too old and has already been removed from CB.
            // Neither is a typical scenario, but they will always result in an "SSL certificate outdated" status for the DB server registration.
            LOGGER.warn("Mismatching SSL certificate CloudProviderIdentifier for cloud platform \"{}\": desired=\"{}\", actual=\"{}\", " + "database stack {}. Unable to determine version & PEM for the actual CloudProviderIdentifier, leaving database server " + "registration unchanged.", cloudPlatform, desiredSslCertificateIdentifier, activeSslCertificateIdentifier, cloudContext);
        } else {
            // This makes the DB server registration in sync with the cloud provider DB server instance,
            // but it may also result in an "SSL certificate outdated" status for the DB server registration
            // if the cloud provider side SSL certificate lags behind the highest version supported by CB.
            LOGGER.info("Mismatching SSL certificate CloudProviderIdentifier for cloud platform \"{}\": desired=\"{}\", actual=\"{}\", " + "database stack {}. Updating database server registration with the version & PEM of the actual CloudProviderIdentifier.", cloudPlatform, desiredSslCertificateIdentifier, activeSslCertificateIdentifier, cloudContext);
            validateCert(cloudPlatform, activeSslCertificateIdentifier, activeSslCertificateEntry);
            sslConfig.setSslCertificateActiveVersion(activeSslCertificateEntry.getVersion());
            sslConfig.setSslCertificates(Collections.singleton(activeSslCertificateEntry.getCertPem()));
        }
        dbStackService.save(dbStack);
    }
}
Also used : SslConfig(com.sequenceiq.redbeams.domain.stack.SslConfig) SslCertificateEntry(com.sequenceiq.redbeams.configuration.SslCertificateEntry)

Example 9 with SslCertificateEntry

Use of com.sequenceiq.redbeams.configuration.SslCertificateEntry in project cloudbreak by hortonworks.

Class AllocateDatabaseServerV4RequestToDBStackConverter, method getSslConfig (builds the SslConfig for a new DB server from the certificates pre-registered in CB for the cloud platform and region).

// FIXME Potentially extract this whole logic into a service as it might be needed later for cert rotation
private SslConfig getSslConfig(AllocateDatabaseServerV4Request source, DBStack dbStack) {
    SslConfig sslConfig = new SslConfig();
    if (sslEnabled && source.getSslConfig() != null && SslMode.isEnabled(source.getSslConfig().getSslMode())) {
        String cloudPlatform = dbStack.getCloudPlatform();
        String region = dbStack.getRegion();
        // TODO Determine the highest available SSL cert version for GCP; update sslCertificateActiveVersion during provisioning
        int maxVersion = databaseServerSslCertificateConfig.getMaxVersionByCloudPlatformAndRegion(cloudPlatform, region);
        sslConfig.setSslCertificateActiveVersion(maxVersion);
        // TODO Add SslConfig.sslCertificateMaxVersion and keep it up-to-date (mostly for GCP)
        Set<String> certs;
        String cloudProviderIdentifier;
        int numberOfCerts = databaseServerSslCertificateConfig.getNumberOfCertsByCloudPlatformAndRegion(cloudPlatform, region);
        if (numberOfCerts == 0) {
            // TODO Initialize SSL cert & CloudProviderIdentifier for GCP
            // This is possible for cloud platforms where SSL is supported, but the certs are not pre-registered in CB; see e.g. GCP
            certs = Collections.emptySet();
            cloudProviderIdentifier = null;
        } else if (numberOfCerts == 1 || !CloudPlatform.AZURE.equals(source.getCloudPlatform())) {
            SslCertificateEntry cert = databaseServerSslCertificateConfig.getCertByCloudPlatformAndRegionAndVersion(cloudPlatform, region, maxVersion);
            validateCert(cloudPlatform, maxVersion, cert);
            certs = Collections.singleton(cert.getCertPem());
            cloudProviderIdentifier = cert.getCloudProviderIdentifier();
        } else {
            // In Azure and for > 1 certs, include both the most recent cert and the preceding one
            Set<SslCertificateEntry> certsTemp = databaseServerSslCertificateConfig.getCertsByCloudPlatformAndRegionAndVersions(cloudPlatform, region, maxVersion - 1, maxVersion).stream().filter(Objects::nonNull).collect(Collectors.toSet());
            validateNonNullCertsCount(cloudPlatform, maxVersion, certsTemp);
            findAndValidateCertByVersion(cloudPlatform, maxVersion - 1, certsTemp);
            cloudProviderIdentifier = findAndValidateCertByVersion(cloudPlatform, maxVersion, certsTemp).getCloudProviderIdentifier();
            certs = certsTemp.stream().map(SslCertificateEntry::getCertPem).collect(Collectors.toSet());
            validateUniqueCertsCount(cloudPlatform, maxVersion, certs);
        }
        sslConfig.setSslCertificates(certs);
        sslConfig.setSslCertificateActiveCloudProviderIdentifier(cloudProviderIdentifier);
        sslConfig.setSslCertificateType(SslCertificateType.CLOUD_PROVIDER_OWNED);
    }
    return sslConfig;
}
Also used : SslConfig(com.sequenceiq.redbeams.domain.stack.SslConfig) Set(java.util.Set) SslCertificateEntry(com.sequenceiq.redbeams.configuration.SslCertificateEntry) Objects(java.util.Objects)

Example 10 with SslCertificateEntry

Use of com.sequenceiq.redbeams.configuration.SslCertificateEntry in project cloudbreak by hortonworks.

Class DatabaseServerSslCertificateSyncServiceTest, method syncSslCertificateIfNeededTestWhenSuccessSslAwsCloudProviderOwnedMismatchingActiveSslRootCertificateFound (the active certificate reported by the cloud provider differs from the stored one and is known to CB, so the DBStack is updated with its version and PEM).

@ParameterizedTest(name = "{0}")
@MethodSource("syncSslCertificateIfNeededTestWhenSuccessSslAwsCloudProviderOwnedMismatchingActiveSslRootCertificateDataProvider")
void syncSslCertificateIfNeededTestWhenSuccessSslAwsCloudProviderOwnedMismatchingActiveSslRootCertificateFound(String testCaseName, String sslCertificateActiveCloudProviderIdentifier) throws Exception {
    DBStack dbStack = getDBStack(createSslConfig(SslCertificateType.CLOUD_PROVIDER_OWNED, sslCertificateActiveCloudProviderIdentifier));
    dbStack.setCloudPlatform(CloudPlatform.AWS.name());
    setupCloudConnectorMock();
    when(resourceConnector.getDatabaseServerActiveSslRootCertificate(authenticatedContext, databaseStack)).thenReturn(new CloudDatabaseServerSslCertificate(CloudDatabaseServerSslCertificateType.ROOT, CERT_ID_2));
    SslCertificateEntry cert = new SslCertificateEntry(CERT_VERSION, CERT_ID_2, CERT_PEM, x509Cert);
    when(databaseServerSslCertificateConfig.getCertByCloudPlatformAndRegionAndCloudProviderIdentifier(CloudPlatform.AWS.name(), REGION, CERT_ID_2)).thenReturn(cert);
    underTest.syncSslCertificateIfNeeded(cloudContext, cloudCredential, dbStack, databaseStack);
    verify(dbStackService).save(dbStackArgumentCaptor.capture());
    verifyDbStackCaptured(CERT_VERSION, Set.of(CERT_PEM));
}
Also used : DBStack(com.sequenceiq.redbeams.domain.stack.DBStack) CloudDatabaseServerSslCertificate(com.sequenceiq.cloudbreak.cloud.model.database.CloudDatabaseServerSslCertificate) SslCertificateEntry(com.sequenceiq.redbeams.configuration.SslCertificateEntry) ParameterizedTest(org.junit.jupiter.params.ParameterizedTest) MethodSource(org.junit.jupiter.params.provider.MethodSource)

Aggregations

SslCertificateEntry (com.sequenceiq.redbeams.configuration.SslCertificateEntry) 11
ParameterizedTest (org.junit.jupiter.params.ParameterizedTest) 7
Test (org.junit.jupiter.api.Test) 6
DBStack (com.sequenceiq.redbeams.domain.stack.DBStack) 4
CloudDatabaseServerSslCertificate (com.sequenceiq.cloudbreak.cloud.model.database.CloudDatabaseServerSslCertificate) 3
SslConfig (com.sequenceiq.redbeams.domain.stack.SslConfig) 2
AllocateDatabaseServerV4Request (com.sequenceiq.redbeams.api.endpoint.v4.databaseserver.requests.AllocateDatabaseServerV4Request) 1
DatabaseServerV4StackRequest (com.sequenceiq.redbeams.api.endpoint.v4.stacks.DatabaseServerV4StackRequest) 1
NetworkV4StackRequest (com.sequenceiq.redbeams.api.endpoint.v4.stacks.NetworkV4StackRequest) 1
SecurityGroupV4StackRequest (com.sequenceiq.redbeams.api.endpoint.v4.stacks.SecurityGroupV4StackRequest) 1
Objects (java.util.Objects) 1
Set (java.util.Set) 1
BeforeEach (org.junit.jupiter.api.BeforeEach) 1
MethodSource (org.junit.jupiter.params.provider.MethodSource) 1