use of com.sequenceiq.redbeams.domain.stack.SslConfig in project cloudbreak by hortonworks.
the class DatabaseServerConfigToDatabaseServerV4ResponseConverterTest method testConversionOfSslConfigWhenDbStackPresentAndCertificateTypeNone.
/**
 * A {@link DBStack} carrying a freshly constructed (unconfigured) {@link SslConfig} must convert to an SSL
 * response whose mode is {@code DISABLED} and whose certificate type is {@code NONE}; the stack status must
 * still be copied onto the response.
 */
@Test
void testConversionOfSslConfigWhenDbStackPresentAndCertificateTypeNone() {
    DBStack stackWithDefaultSsl = new DBStack();
    stackWithDefaultSsl.setSslConfig(new SslConfig());
    initDBStackStatus(stackWithDefaultSsl);

    DatabaseServerConfig serverConfig = new DatabaseServerConfig();
    serverConfig.setResourceCrn(TestData.getTestCrn(RESOURCE_TYPE_DATABASE_SERVER, RESOURCE_ID));
    serverConfig.setDatabaseVendor(DatabaseVendor.POSTGRES);
    serverConfig.setDbStack(stackWithDefaultSsl);

    DatabaseServerV4Response response = converter.convert(serverConfig);

    assertThat(response).isNotNull();
    SslConfigV4Response sslResponse = response.getSslConfig();
    assertThat(sslResponse).isNotNull();
    // An SslConfig with nothing set on it is reported as "no SSL" rather than as an error.
    assertThat(sslResponse.getSslMode()).isEqualTo(SslMode.DISABLED);
    assertThat(sslResponse.getSslCertificateType()).isEqualTo(SslCertificateType.NONE);
    assertThat(response.getStatus()).isEqualTo(stackWithDefaultSsl.getStatus());
}
use of com.sequenceiq.redbeams.domain.stack.SslConfig in project cloudbreak by hortonworks.
the class DatabaseServerConfigToDatabaseServerV4ResponseConverterTest method testConversionOfSslConfigWhenDbStackPresentAndCertificateTypeCloudProviderOwned.
/**
 * For a cloud-provider-owned SSL setup the converter must report SSL as enabled, pass the certificate set
 * through untouched, take the highest available version from the SSL certificate config, and resolve the
 * active version / CloudProviderIdentifier from the (possibly legacy, i.e. null) values stored on the stack.
 *
 * @param testCaseName display name only
 * @param certActiveVersionInput active version stored on the stack (may be null for legacy stacks)
 * @param certActiveCloudProviderIdentifierInput active CloudProviderIdentifier stored on the stack (may be null)
 * @param certActiveVersionExpected active version the response must carry
 * @param certActiveCloudProviderIdentifierExpected CloudProviderIdentifier the response must carry
 */
@ParameterizedTest(name = "{0}")
@MethodSource("testConversionOfSslConfigWhenDbStackPresentAndCertificateTypeCloudProviderOwnedDataProvider")
void testConversionOfSslConfigWhenDbStackPresentAndCertificateTypeCloudProviderOwned(String testCaseName, Integer certActiveVersionInput, String certActiveCloudProviderIdentifierInput, int certActiveVersionExpected, String certActiveCloudProviderIdentifierExpected) {
    // Fallback values the converter consults when the stack holds legacy (null) active version / identifier.
    when(databaseServerSslCertificateConfig.getMaxVersionByCloudPlatformAndRegion(CLOUD_PLATFORM, REGION)).thenReturn(CERT_MAX_VERSION);
    when(databaseServerSslCertificateConfig.getLegacyMaxVersionByCloudPlatformAndRegion(CLOUD_PLATFORM, REGION)).thenReturn(CERT_LEGACY_MAX_VERSION);
    when(databaseServerSslCertificateConfig.getLegacyCloudProviderIdentifierByCloudPlatformAndRegion(CLOUD_PLATFORM, REGION)).thenReturn(CERT_LEGACY_CLOUD_PROVIDER_IDENTIFIER);

    SslConfig providerOwnedSsl = new SslConfig();
    providerOwnedSsl.setSslCertificateType(SslCertificateType.CLOUD_PROVIDER_OWNED);
    providerOwnedSsl.setSslCertificates(CERTS);
    providerOwnedSsl.setSslCertificateActiveVersion(certActiveVersionInput);
    providerOwnedSsl.setSslCertificateActiveCloudProviderIdentifier(certActiveCloudProviderIdentifierInput);

    DBStack stack = new DBStack();
    stack.setCloudPlatform(CLOUD_PLATFORM);
    stack.setRegion(REGION);
    stack.setSslConfig(providerOwnedSsl);

    DatabaseServerConfig serverConfig = new DatabaseServerConfig();
    serverConfig.setResourceCrn(TestData.getTestCrn(RESOURCE_TYPE_DATABASE_SERVER, RESOURCE_ID));
    serverConfig.setDatabaseVendor(DatabaseVendor.POSTGRES);
    serverConfig.setDbStack(stack);

    DatabaseServerV4Response response = converter.convert(serverConfig);

    assertThat(response).isNotNull();
    SslConfigV4Response sslResponse = response.getSslConfig();
    assertThat(sslResponse).isNotNull();
    assertThat(sslResponse.getSslMode()).isEqualTo(SslMode.ENABLED);
    assertThat(sslResponse.getSslCertificateType()).isEqualTo(SslCertificateType.CLOUD_PROVIDER_OWNED);
    // The certificate set is expected to be handed over by reference, not copied.
    assertThat(sslResponse.getSslCertificates()).isSameAs(CERTS);
    assertThat(sslResponse.getSslCertificateHighestAvailableVersion()).isEqualTo(CERT_MAX_VERSION);
    assertThat(sslResponse.getSslCertificateActiveVersion()).isEqualTo(certActiveVersionExpected);
    assertThat(sslResponse.getSslCertificateActiveCloudProviderIdentifier()).isEqualTo(certActiveCloudProviderIdentifierExpected);
}
use of com.sequenceiq.redbeams.domain.stack.SslConfig in project cloudbreak by hortonworks.
the class DatabaseServerSslCertificateSyncService method syncSslCertificateAws.
/**
 * Aligns the persisted AWS SSL certificate data of {@code dbStack} with the root certificate the cloud
 * provider reports as currently active.
 * <p>
 * If the stored active CloudProviderIdentifier already matches, nothing is changed. Otherwise the identifier
 * is replaced, and — only when that identifier is known to the SSL certificate config — the active version
 * and the PEM set are replaced as well; the stack is then saved.
 *
 * @param cloudContext context used for logging only
 * @param dbStack stack whose {@link SslConfig} is updated in place and saved; assumed to carry a non-null
 *                SslConfig (no null check here — the caller is expected to guarantee it, TODO confirm)
 * @param activeSslRootCertificate the certificate reported by the provider; its identifier is assumed
 *                                 non-null, since it is used as the receiver of {@code equals}
 */
private void syncSslCertificateAws(CloudContext cloudContext, DBStack dbStack, CloudDatabaseServerSslCertificate activeSslRootCertificate) {
    SslConfig sslConfig = dbStack.getSslConfig();
    String cloudPlatform = dbStack.getCloudPlatform();
    String storedIdentifier = sslConfig.getSslCertificateActiveCloudProviderIdentifier();
    String reportedIdentifier = activeSslRootCertificate.getCertificateIdentifier();

    // The comparison is deliberately written with the provider-reported identifier as the receiver: a null stored
    // identifier (legacy DB servers, presumably) is treated as a mismatch rather than handled specially, so that the
    // DBStack of a legacy DB server is also updated and gets rid of its legacy null values.
    if (reportedIdentifier.equals(storedIdentifier)) {
        LOGGER.info("Active SSL certificate CloudProviderIdentifier for cloud platform \"{}\" matches the desired one: \"{}\", database stack {}", cloudPlatform, reportedIdentifier, cloudContext);
        return;
    }

    // The CloudProviderIdentifier is always synced; this may flip the DB server registration into an
    // "SSL certificate outdated" status.
    sslConfig.setSslCertificateActiveCloudProviderIdentifier(reportedIdentifier);
    SslCertificateEntry reportedEntry = databaseServerSslCertificateConfig.getCertByCloudPlatformAndRegionAndCloudProviderIdentifier(cloudPlatform, dbStack.getRegion(), reportedIdentifier);
    if (reportedEntry != null) {
        // Brings the registration in sync with the provider-side instance. It may still end up in an
        // "SSL certificate outdated" status if the provider-side certificate lags behind the highest version CB supports.
        LOGGER.info("Mismatching SSL certificate CloudProviderIdentifier for cloud platform \"{}\": desired=\"{}\", actual=\"{}\", " + "database stack {}. Updating database server registration with the version & PEM of the actual CloudProviderIdentifier.", cloudPlatform, storedIdentifier, reportedIdentifier, cloudContext);
        // The PEM persisted below comes from CB's own certificate config, not from the provider response.
        validateCert(cloudPlatform, reportedIdentifier, reportedEntry);
        sslConfig.setSslCertificateActiveVersion(reportedEntry.getVersion());
        sslConfig.setSslCertificates(Collections.singleton(reportedEntry.getCertPem()));
    } else {
        // Reachable only when the DB server uses a root certificate CB does not know yet (too new), or one that has
        // already been dropped from CB (too old). Both are atypical and both yield an "SSL certificate outdated" status.
        // Note that the identifier has already been updated above, so until a later sync resolves it the stored
        // version and PEM no longer describe the stored identifier.
        LOGGER.warn("Mismatching SSL certificate CloudProviderIdentifier for cloud platform \"{}\": desired=\"{}\", actual=\"{}\", " + "database stack {}. Unable to determine version & PEM for the actual CloudProviderIdentifier, leaving database server " + "registration unchanged.", cloudPlatform, storedIdentifier, reportedIdentifier, cloudContext);
    }
    dbStackService.save(dbStack);
}
use of com.sequenceiq.redbeams.domain.stack.SslConfig in project cloudbreak by hortonworks.
the class DatabaseServerSslCertificatePrescriptionService method prescribeSslCertificateIfNeeded.
/**
 * Entry point for SSL certificate CloudProviderIdentifier prescription; delegates to the AWS-specific
 * implementation when the stack uses a cloud-provider-owned certificate on AWS, and logs a skip otherwise.
 *
 * @param cloudContext context forwarded to the AWS implementation (and used for logging)
 * @param cloudCredential credential forwarded to the AWS implementation
 * @param dbStack stack whose {@link SslConfig} and cloud platform decide whether prescription applies
 * @param databaseStack its database server is forwarded; it is only dereferenced on the AWS path
 */
public void prescribeSslCertificateIfNeeded(CloudContext cloudContext, CloudCredential cloudCredential, DBStack dbStack, DatabaseStack databaseStack) {
    SslConfig sslConfig = dbStack.getSslConfig();
    String cloudPlatform = dbStack.getCloudPlatform();
    boolean providerOwnedCert = sslConfig != null && SslCertificateType.CLOUD_PROVIDER_OWNED.equals(sslConfig.getSslCertificateType());
    boolean onAws = CloudPlatform.AWS.name().equals(cloudPlatform);
    if (!providerOwnedCert || !onAws) {
        // The whole SslConfig is logged via its toString; whether that includes PEM material depends on
        // SslConfig.toString — TODO confirm if log volume becomes a concern.
        LOGGER.info("SSL not enabled or unsupported cloud platform \"{}\": SslConfig={}. " + "Skipping SSL certificate CloudProviderIdentifier prescription for database stack {}", cloudPlatform, sslConfig, cloudContext);
        return;
    }
    prescribeSslCertificateIfNeededAws(cloudContext, cloudCredential, dbStack, databaseStack.getDatabaseServer());
}
use of com.sequenceiq.redbeams.domain.stack.SslConfig in project cloudbreak by hortonworks.
the class AllocateDatabaseServerV4RequestToDBStackConverter method getSslConfig.
// FIXME Potentially extract this whole logic into a service as it might be needed later for cert rotation
/**
 * Builds the {@link SslConfig} to persist for a newly allocated DB stack.
 * <p>
 * A default (empty) config is returned unless SSL is enabled both globally ({@code sslEnabled}) and in the
 * request. Otherwise the active version is the highest version registered for the stack's platform/region,
 * and the PEM set is one of: empty (platform with no pre-registered certs, e.g. GCP), the single highest-version
 * cert, or — on Azure with more than one registered cert — the two highest versions. The certificate type is
 * then {@code CLOUD_PROVIDER_OWNED}.
 *
 * @param source the allocation request; its SSL mode and cloud platform are consulted
 * @param dbStack the stack being created; supplies the platform and region used for the cert lookups
 * @return the populated, or default, {@link SslConfig}
 */
private SslConfig getSslConfig(AllocateDatabaseServerV4Request source, DBStack dbStack) {
    SslConfig result = new SslConfig();
    // Short-circuit order preserved: the request's SslConfig is only read when SSL is globally enabled.
    if (!sslEnabled || source.getSslConfig() == null || !SslMode.isEnabled(source.getSslConfig().getSslMode())) {
        return result;
    }

    String cloudPlatform = dbStack.getCloudPlatform();
    String region = dbStack.getRegion();
    // TODO Determine the highest available SSL cert version for GCP; update sslCertificateActiveVersion during provisioning
    int highestVersion = databaseServerSslCertificateConfig.getMaxVersionByCloudPlatformAndRegion(cloudPlatform, region);
    result.setSslCertificateActiveVersion(highestVersion);
    // TODO Add SslConfig.sslCertificateMaxVersion and keep it up-to-date (mostly for GCP)
    int registeredCertCount = databaseServerSslCertificateConfig.getNumberOfCertsByCloudPlatformAndRegion(cloudPlatform, region);

    Set<String> certPems;
    String activeIdentifier;
    if (registeredCertCount == 0) {
        // TODO Initialize SSL cert & CloudProviderIdentifier for GCP
        // Platforms where SSL is supported but no certs are pre-registered in CB (e.g. GCP) get an empty set.
        certPems = Collections.emptySet();
        activeIdentifier = null;
    } else if (registeredCertCount != 1 && CloudPlatform.AZURE.equals(source.getCloudPlatform())) {
        // Azure with more than one cert: include both the newest cert and the one preceding it.
        // NOTE(review): the Azure check reads the platform from the request while the lookups use the stack's
        // platform string; presumably these always agree — verify against the caller.
        Set<SslCertificateEntry> newestPair = databaseServerSslCertificateConfig
                .getCertsByCloudPlatformAndRegionAndVersions(cloudPlatform, region, highestVersion - 1, highestVersion)
                .stream()
                .filter(Objects::nonNull)
                .collect(Collectors.toSet());
        validateNonNullCertsCount(cloudPlatform, highestVersion, newestPair);
        findAndValidateCertByVersion(cloudPlatform, highestVersion - 1, newestPair);
        SslCertificateEntry newest = findAndValidateCertByVersion(cloudPlatform, highestVersion, newestPair);
        activeIdentifier = newest.getCloudProviderIdentifier();
        certPems = newestPair.stream().map(SslCertificateEntry::getCertPem).collect(Collectors.toSet());
        // Two distinct entries must not collapse into one PEM.
        validateUniqueCertsCount(cloudPlatform, highestVersion, certPems);
    } else {
        // Exactly one registered cert, or a non-Azure platform: only the highest version is shipped.
        SslCertificateEntry newest = databaseServerSslCertificateConfig.getCertByCloudPlatformAndRegionAndVersion(cloudPlatform, region, highestVersion);
        validateCert(cloudPlatform, highestVersion, newest);
        certPems = Collections.singleton(newest.getCertPem());
        activeIdentifier = newest.getCloudProviderIdentifier();
    }

    result.setSslCertificates(certPems);
    result.setSslCertificateActiveCloudProviderIdentifier(activeIdentifier);
    result.setSslCertificateType(SslCertificateType.CLOUD_PROVIDER_OWNED);
    return result;
}