Use of com.sequenceiq.redbeams.configuration.SslCertificateEntry in project cloudbreak by hortonworks.
The class AllocateDatabaseServerV4RequestToDBStackConverterTest, method conversionTestWhenSslEnabledAndAwsAndSingleCertErrorBlankCloudProviderIdentifier.
@Test
void conversionTestWhenSslEnabledAndAwsAndSingleCertErrorBlankCloudProviderIdentifier() {
    // AWS with a single registered cert whose CloudProviderIdentifier is blank: the converter must refuse to
    // build an SslConfig rather than persist an empty identifier.
    setupMinimalValid(createSslConfigV4Request(SslMode.ENABLED), AWS_CLOUD_PLATFORM);
    SslCertificateEntry entryWithBlankIdentifier = new SslCertificateEntry(VERSION_3, "", CERT_PEM_V3, x509Certificate);
    when(databaseServerSslCertificateConfig.getCertByCloudPlatformAndRegionAndVersion(AWS_CLOUD_PLATFORM.name(), REGION, VERSION_3))
            .thenReturn(entryWithBlankIdentifier);
    when(databaseServerSslCertificateConfig.getNumberOfCertsByCloudPlatformAndRegion(AWS_CLOUD_PLATFORM.name(), REGION))
            .thenReturn(SINGLE_CERT);

    IllegalStateException thrown = assertThrows(IllegalStateException.class, () -> underTest.convert(allocateRequest, OWNER_CRN));

    assertThat(thrown).hasMessage("Blank CloudProviderIdentifier in SSL certificate version 3 for cloud platform \"AWS\"");
    // The multi-version lookup must not be consulted on the single-cert path
    verify(databaseServerSslCertificateConfig, never()).getCertsByCloudPlatformAndRegionAndVersions(anyString(), anyString(), any());
}
Use of com.sequenceiq.redbeams.configuration.SslCertificateEntry in project cloudbreak by hortonworks.
The class AllocateDatabaseServerV4RequestToDBStackConverterTest, method conversionTestWhenSslEnabledAndAzureAndTwoCertsErrorDuplicatedCertPem.
@Test
void conversionTestWhenSslEnabledAndAzureAndTwoCertsErrorDuplicatedCertPem() {
    // Azure with two registered certs that carry the same PEM: the converter must reject the set instead of
    // silently collapsing it into a single certificate.
    setupMinimalValid(createSslConfigV4Request(SslMode.ENABLED), AZURE_CLOUD_PLATFORM);
    when(databaseServerSslCertificateConfig.getNumberOfCertsByCloudPlatformAndRegion(AZURE_CLOUD_PLATFORM.name(), REGION))
            .thenReturn(TWO_CERTS);
    SslCertificateEntry v2SharingPemOfV3 = new SslCertificateEntry(VERSION_2, CLOUD_PROVIDER_IDENTIFIER_V3, CERT_PEM_V3, x509Certificate);
    when(databaseServerSslCertificateConfig.getCertsByCloudPlatformAndRegionAndVersions(AZURE_CLOUD_PLATFORM.name(), REGION, VERSION_2, VERSION_3))
            .thenReturn(Set.of(v2SharingPemOfV3, sslCertificateEntryV3));

    IllegalStateException thrown = assertThrows(IllegalStateException.class, () -> underTest.convert(allocateRequest, OWNER_CRN));

    assertThat(thrown).hasMessage("Received duplicated SSL certificate PEM when requesting versions [2, 3] for cloud platform \"AZURE\"");
    // The single-version lookup belongs to the other branch and must stay untouched
    verify(databaseServerSslCertificateConfig, never()).getCertByCloudPlatformAndRegionAndVersion(anyString(), anyString(), anyInt());
}
Use of com.sequenceiq.redbeams.configuration.SslCertificateEntry in project cloudbreak by hortonworks.
The class DatabaseServerSslCertificateSyncService, method syncSslCertificateAws.
/**
 * Aligns the persisted SslConfig of an AWS DB server registration with the SSL root certificate the cloud provider
 * reports as active. Nothing is persisted when the identifiers already match; otherwise the active
 * CloudProviderIdentifier is always written, and the version and PEM are updated too when the certificate is known
 * to the local certificate config.
 *
 * @param cloudContext             context of the DB server, used for logging only
 * @param dbStack                  the registration to update; saved via dbStackService on mismatch
 * @param activeSslRootCertificate the root certificate currently reported by the cloud provider
 */
private void syncSslCertificateAws(CloudContext cloudContext, DBStack dbStack, CloudDatabaseServerSslCertificate activeSslRootCertificate) {
    SslConfig sslConfig = dbStack.getSslConfig();
    String cloudPlatform = dbStack.getCloudPlatform();
    String desiredIdentifier = sslConfig.getSslCertificateActiveCloudProviderIdentifier();
    String actualIdentifier = activeSslRootCertificate.getCertificateIdentifier();
    // Comparison is deliberately actual.equals(desired): a null desired identifier (legacy registration) therefore lands
    // in the mismatch path below and gets replaced, instead of being treated as a special case.
    if (actualIdentifier.equals(desiredIdentifier)) {
        LOGGER.info("Active SSL certificate CloudProviderIdentifier for cloud platform \"{}\" matches the desired one: \"{}\", database stack {}", cloudPlatform, actualIdentifier, cloudContext);
        return;
    }
    // The CloudProviderIdentifier is synced unconditionally, even if that leaves the registration in an
    // "SSL certificate outdated" state.
    sslConfig.setSslCertificateActiveCloudProviderIdentifier(actualIdentifier);
    SslCertificateEntry actualEntry = databaseServerSslCertificateConfig.getCertByCloudPlatformAndRegionAndCloudProviderIdentifier(cloudPlatform, dbStack.getRegion(), actualIdentifier);
    if (actualEntry != null) {
        // Known certificate: version & PEM follow the cloud provider side. The registration may still show
        // "SSL certificate outdated" if the provider's certificate is behind the highest version known locally.
        LOGGER.info("Mismatching SSL certificate CloudProviderIdentifier for cloud platform \"{}\": desired=\"{}\", actual=\"{}\", " + "database stack {}. Updating database server registration with the version & PEM of the actual CloudProviderIdentifier.", cloudPlatform, desiredIdentifier, actualIdentifier, cloudContext);
        validateCert(cloudPlatform, actualIdentifier, actualEntry);
        sslConfig.setSslCertificateActiveVersion(actualEntry.getVersion());
        sslConfig.setSslCertificates(Collections.singleton(actualEntry.getCertPem()));
    } else {
        // Unknown certificate: either newer than anything registered locally, or so old it has already been removed.
        // Version & PEM cannot be determined, so only the identifier written above changes; the registration will
        // report "SSL certificate outdated".
        LOGGER.warn("Mismatching SSL certificate CloudProviderIdentifier for cloud platform \"{}\": desired=\"{}\", actual=\"{}\", " + "database stack {}. Unable to determine version & PEM for the actual CloudProviderIdentifier, leaving database server " + "registration unchanged.", cloudPlatform, desiredIdentifier, actualIdentifier, cloudContext);
    }
    dbStackService.save(dbStack);
}
Use of com.sequenceiq.redbeams.configuration.SslCertificateEntry in project cloudbreak by hortonworks.
The class AllocateDatabaseServerV4RequestToDBStackConverter, method getSslConfig.
// FIXME Potentially extract this whole logic into a service as it might be needed later for cert rotation
/**
 * Builds the SslConfig for a new DB server registration from the allocation request.
 * Returns an empty SslConfig unless SSL is globally enabled and the request asks for it; otherwise the highest
 * registered certificate version for the stack's cloud platform and region becomes the active one, and the PEM set
 * and active CloudProviderIdentifier are filled in according to how many certificates are registered.
 *
 * @param source  the allocation request (cloud platform and requested SSL mode are read from it)
 * @param dbStack the stack being created; its cloud platform and region select the certificate set
 * @return the populated SslConfig; never null
 * @throws IllegalStateException when the registered certificates fail validation (delegated to the validate* helpers)
 */
private SslConfig getSslConfig(AllocateDatabaseServerV4Request source, DBStack dbStack) {
    SslConfig sslConfig = new SslConfig();
    boolean sslRequested = sslEnabled && source.getSslConfig() != null && SslMode.isEnabled(source.getSslConfig().getSslMode());
    if (!sslRequested) {
        return sslConfig;
    }
    String cloudPlatform = dbStack.getCloudPlatform();
    String region = dbStack.getRegion();
    // TODO Determine the highest available SSL cert version for GCP; update sslCertificateActiveVersion during provisioning
    int maxVersion = databaseServerSslCertificateConfig.getMaxVersionByCloudPlatformAndRegion(cloudPlatform, region);
    sslConfig.setSslCertificateActiveVersion(maxVersion);
    // TODO Add SslConfig.sslCertificateMaxVersion and keep it up-to-date (mostly for GCP)
    int numberOfCerts = databaseServerSslCertificateConfig.getNumberOfCertsByCloudPlatformAndRegion(cloudPlatform, region);
    Set<String> certPems;
    String activeIdentifier;
    if (numberOfCerts == 0) {
        // TODO Initialize SSL cert & CloudProviderIdentifier for GCP
        // Platforms that support SSL without pre-registered certs (e.g. GCP) end up here.
        certPems = Collections.emptySet();
        activeIdentifier = null;
    } else if (numberOfCerts != 1 && CloudPlatform.AZURE.equals(source.getCloudPlatform())) {
        // Azure with more than one cert: ship both the newest cert and its predecessor.
        int previousVersion = maxVersion - 1;
        Set<SslCertificateEntry> latestTwo = databaseServerSslCertificateConfig
                .getCertsByCloudPlatformAndRegionAndVersions(cloudPlatform, region, previousVersion, maxVersion)
                .stream()
                .filter(Objects::nonNull)
                .collect(Collectors.toSet());
        validateNonNullCertsCount(cloudPlatform, maxVersion, latestTwo);
        findAndValidateCertByVersion(cloudPlatform, previousVersion, latestTwo);
        SslCertificateEntry newest = findAndValidateCertByVersion(cloudPlatform, maxVersion, latestTwo);
        activeIdentifier = newest.getCloudProviderIdentifier();
        certPems = latestTwo.stream().map(SslCertificateEntry::getCertPem).collect(Collectors.toSet());
        validateUniqueCertsCount(cloudPlatform, maxVersion, certPems);
    } else {
        // Exactly one cert, or a non-Azure platform: only the newest cert is used.
        SslCertificateEntry newest = databaseServerSslCertificateConfig.getCertByCloudPlatformAndRegionAndVersion(cloudPlatform, region, maxVersion);
        validateCert(cloudPlatform, maxVersion, newest);
        certPems = Collections.singleton(newest.getCertPem());
        activeIdentifier = newest.getCloudProviderIdentifier();
    }
    sslConfig.setSslCertificates(certPems);
    sslConfig.setSslCertificateActiveCloudProviderIdentifier(activeIdentifier);
    sslConfig.setSslCertificateType(SslCertificateType.CLOUD_PROVIDER_OWNED);
    return sslConfig;
}
Use of com.sequenceiq.redbeams.configuration.SslCertificateEntry in project cloudbreak by hortonworks.
The class DatabaseServerSslCertificateSyncServiceTest, method syncSslCertificateIfNeededTestWhenSuccessSslAwsCloudProviderOwnedMismatchingActiveSslRootCertificateFound.
@ParameterizedTest(name = "{0}")
@MethodSource("syncSslCertificateIfNeededTestWhenSuccessSslAwsCloudProviderOwnedMismatchingActiveSslRootCertificateDataProvider")
void syncSslCertificateIfNeededTestWhenSuccessSslAwsCloudProviderOwnedMismatchingActiveSslRootCertificateFound(String testCaseName, String sslCertificateActiveCloudProviderIdentifier) throws Exception {
    // The provider reports CERT_ID_2 as active while the registration holds the identifier supplied by the data
    // provider; since CERT_ID_2 is known to the certificate config, the registration must pick up its version & PEM.
    DBStack dbStack = getDBStack(createSslConfig(SslCertificateType.CLOUD_PROVIDER_OWNED, sslCertificateActiveCloudProviderIdentifier));
    dbStack.setCloudPlatform(CloudPlatform.AWS.name());
    setupCloudConnectorMock();
    CloudDatabaseServerSslCertificate reportedActiveRoot = new CloudDatabaseServerSslCertificate(CloudDatabaseServerSslCertificateType.ROOT, CERT_ID_2);
    when(resourceConnector.getDatabaseServerActiveSslRootCertificate(authenticatedContext, databaseStack)).thenReturn(reportedActiveRoot);
    SslCertificateEntry knownEntryForCertId2 = new SslCertificateEntry(CERT_VERSION, CERT_ID_2, CERT_PEM, x509Cert);
    when(databaseServerSslCertificateConfig.getCertByCloudPlatformAndRegionAndCloudProviderIdentifier(CloudPlatform.AWS.name(), REGION, CERT_ID_2))
            .thenReturn(knownEntryForCertId2);

    underTest.syncSslCertificateIfNeeded(cloudContext, cloudCredential, dbStack, databaseStack);

    verify(dbStackService).save(dbStackArgumentCaptor.capture());
    verifyDbStackCaptured(CERT_VERSION, Set.of(CERT_PEM));
}