Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Multiple Datasources] Add TLS configuration for multiple data sources #6171

Merged
merged 14 commits into from
Mar 22, 2024
Merged

[Multiple Datasources] Add TLS configuration for multiple data sources #6171

Show file tree
Hide file tree
Changes from 9 commits
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
0857686
Add TLS configuration for multiple data sources
cwperks Mar 16, 2024
261dd8e
Add to CHANGELOG and add examples commented out in opensearch_dashboa…
cwperks Mar 16, 2024
9e3b24d
Add tests and replace instance of any
cwperks Mar 18, 2024
05ec9e0
Merge branch 'main' into multiple-datasource-tls
cwperks Mar 18, 2024
8782afe
Add tls config to legacy client
cwperks Mar 18, 2024
a13dbe5
Merge branch 'main' into multiple-datasource-tls
cwperks Mar 19, 2024
ff40dc7
Merge branch 'main' into multiple-datasource-tls
cwperks Mar 19, 2024
d23067a
Merge branch 'multiple-datasource-tls' of https://github.com/cwperks/…
cwperks Mar 19, 2024
f2851f6
Add test for certificate mode
cwperks Mar 19, 2024
6110ba0
Respond to PR feedback
cwperks Mar 20, 2024
4d935f1
Merge branch 'main' into multiple-datasource-tls
cwperks Mar 20, 2024
14664fa
Extract readCertificateAuthorities to util file and add more tests
cwperks Mar 21, 2024
24c2ca7
Merge branch 'main' into multiple-datasource-tls
cwperks Mar 21, 2024
a2b7f61
Merge branch 'main' into multiple-datasource-tls
cwperks Mar 22, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -54,6 +54,7 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
- [Chrome] Introduce registerCollapsibleNavHeader to allow plugins to customize the rendering of nav menu header ([#5244](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/5244))
- [Dynamic Configurations] Pass request headers when making application config calls ([#6164](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/6164))
- [Discover] Options button to configure legacy mode and remove the top navigation option ([#6170](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/6170))
- [Multiple Datasource] Add TLS configuration for multiple data sources ([#6171](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/6171))


### 🐛 Bug Fixes
Expand Down
8 changes: 8 additions & 0 deletions config/opensearch_dashboards.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -281,6 +281,14 @@
# 'ff00::/8',
# ]

# Optional setting that enables you to specify a path to PEM files for the certificate
# authority for your connected datasources.
#data_source.ssl.certificateAuthorities: [ "/path/to/your/CA.pem" ]
cwperks marked this conversation as resolved.
Show resolved Hide resolved

# To disregard the validity of SSL certificates for connected data sources, change this setting's value to 'none'.
# Possible values include full, certificate and none
#data_source.ssl.verificationMode: full
cwperks marked this conversation as resolved.
Show resolved Hide resolved

# Set enabled false to hide authentication method in OpenSearch Dashboards.
# If this setting is commented then all 3 options will be available in OpenSearch Dashboards.
# Default value will be considered to True.
Expand Down
9 changes: 9 additions & 0 deletions src/plugins/data_source/config.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,15 @@ export const configSchema = schema.object({
defaultValue: new Array(32).fill(0),
}),
}),
ssl: schema.object({
verificationMode: schema.oneOf(
[schema.literal('none'), schema.literal('certificate'), schema.literal('full')],
{ defaultValue: 'full' }
),
certificateAuthorities: schema.maybe(
schema.oneOf([schema.string(), schema.arrayOf(schema.string(), { minSize: 1 })])
),
}),
clientPool: schema.object({
size: schema.number({ defaultValue: 5 }),
}),
Expand Down
97 changes: 90 additions & 7 deletions src/plugins/data_source/server/client/client_config.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,17 +5,20 @@
import { DataSourcePluginConfigType } from '../../config';
import { parseClientOptions } from './client_config';

const TEST_DATA_SOURCE_ENDPOINT = 'http://test.com/';
jest.mock('fs');
const mockReadFileSync: jest.Mock = jest.requireMock('fs').readFileSync;

const config = {
enabled: true,
clientPool: {
size: 5,
},
} as DataSourcePluginConfigType;
const TEST_DATA_SOURCE_ENDPOINT = 'http://test.com/';

describe('parseClientOptions', () => {
test('include the ssl client configs as defaults', () => {
const config = {
enabled: true,
clientPool: {
size: 5,
},
} as DataSourcePluginConfigType;

expect(parseClientOptions(config, TEST_DATA_SOURCE_ENDPOINT)).toEqual(
expect.objectContaining({
node: TEST_DATA_SOURCE_ENDPOINT,
Expand All @@ -26,4 +29,84 @@ describe('parseClientOptions', () => {
})
);
});

test('test ssl config with verification mode set to none', () => {
cwperks marked this conversation as resolved.
Show resolved Hide resolved
const config = {
enabled: true,
ssl: {
verificationMode: 'none',
},
clientPool: {
size: 5,
},
} as DataSourcePluginConfigType;
expect(parseClientOptions(config, TEST_DATA_SOURCE_ENDPOINT)).toEqual(
expect.objectContaining({
node: TEST_DATA_SOURCE_ENDPOINT,
ssl: {
requestCert: true,
rejectUnauthorized: false,
ca: [],
},
})
);
});

test('test ssl config with verification mode set to certificate', () => {
const config = {
enabled: true,
ssl: {
verificationMode: 'certificate',
certificateAuthorities: ['some-path'],
},
clientPool: {
size: 5,
},
} as DataSourcePluginConfigType;
mockReadFileSync.mockReset();
mockReadFileSync.mockImplementation((path: string) => `content-of-${path}`);
const parsedConfig = parseClientOptions(config, TEST_DATA_SOURCE_ENDPOINT);
expect(mockReadFileSync).toHaveBeenCalledTimes(1);
mockReadFileSync.mockClear();
expect(parsedConfig).toEqual(
expect.objectContaining({
node: TEST_DATA_SOURCE_ENDPOINT,
ssl: {
requestCert: true,
rejectUnauthorized: true,
checkServerIdentity: expect.any(Function),
ca: ['content-of-some-path'],
},
})
);
expect(parsedConfig.ssl?.checkServerIdentity()).toBeUndefined();
});

test('test ssl config with verification mode set to full', () => {
const config = {
enabled: true,
ssl: {
verificationMode: 'full',
certificateAuthorities: ['some-path'],
},
clientPool: {
size: 5,
},
} as DataSourcePluginConfigType;
mockReadFileSync.mockReset();
mockReadFileSync.mockImplementation((path: string) => `content-of-${path}`);
const parsedConfig = parseClientOptions(config, TEST_DATA_SOURCE_ENDPOINT);
expect(mockReadFileSync).toHaveBeenCalledTimes(1);
mockReadFileSync.mockClear();
expect(parsedConfig).toEqual(
expect.objectContaining({
node: TEST_DATA_SOURCE_ENDPOINT,
ssl: {
requestCert: true,
rejectUnauthorized: true,
ca: ['content-of-some-path'],
},
})
);
});
});
74 changes: 70 additions & 4 deletions src/plugins/data_source/server/client/client_config.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,8 +4,18 @@
*/

import { ClientOptions } from '@opensearch-project/opensearch';
import { readFileSync } from 'fs';
import { checkServerIdentity } from 'tls';
import { DataSourcePluginConfigType } from '../../config';

/** @internal */
type DataSourceSSLConfigOptions = Partial<{
requestCert: boolean;
rejectUnauthorized: boolean;
checkServerIdentity: typeof checkServerIdentity;
ca: string[];
}>;

/**
* Parse the client options from given data source config and endpoint
*
Expand All @@ -18,14 +28,70 @@
endpoint: string,
registeredSchema: any[]
): ClientOptions {
const sslConfig: DataSourceSSLConfigOptions = {
requestCert: true,
rejectUnauthorized: true,
};

if (config.ssl) {
const verificationMode = config.ssl.verificationMode;
switch (verificationMode) {
case 'none':
sslConfig.rejectUnauthorized = false;
break;
case 'certificate':
sslConfig.rejectUnauthorized = true;

// by default, NodeJS is checking the server identify
sslConfig.checkServerIdentity = () => undefined;
cwperks marked this conversation as resolved.
Show resolved Hide resolved
break;
case 'full':
sslConfig.rejectUnauthorized = true;
break;
default:
throw new Error(`Unknown ssl verificationMode: ${verificationMode}`);

Check warning on line 52 in src/plugins/data_source/server/client/client_config.ts

View check run for this annotation

Codecov / codecov/patch

src/plugins/data_source/server/client/client_config.ts#L52 

Added line #L52 was not covered by tests
}

const { certificateAuthorities } = readCertificateAuthorities(config);

sslConfig.ca = certificateAuthorities || [];
}

const clientOptions: ClientOptions = {
node: endpoint,
ssl: {
requestCert: true,
rejectUnauthorized: true,
},
ssl: sslConfig,
plugins: registeredSchema,
};

return clientOptions;
}

export const readCertificateAuthorities = (rawConfig: any) => {
cwperks marked this conversation as resolved.
Show resolved Hide resolved
cwperks marked this conversation as resolved.
Show resolved Hide resolved
let certificateAuthorities: string[] | undefined;

const addCAs = (ca: string[] | undefined) => {
cwperks marked this conversation as resolved.
Show resolved Hide resolved
cwperks marked this conversation as resolved.
Show resolved Hide resolved
if (ca && ca.length) {
certificateAuthorities = [...(certificateAuthorities || []), ...ca];
}
};

const ca = rawConfig.ssl.certificateAuthorities;
if (ca) {
const parsed: string[] = [];
const paths = Array.isArray(ca) ? ca : [ca];
if (paths.length > 0) {
cwperks marked this conversation as resolved.
Show resolved Hide resolved
for (const path of paths) {
parsed.push(readFile(path));
}
addCAs(parsed);
}
}

return {
certificateAuthorities,
};
};

const readFile = (file: string) => {
return readFileSync(file, 'utf8');
};
94 changes: 87 additions & 7 deletions src/plugins/data_source/server/legacy/client_config.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,17 +5,20 @@
import { DataSourcePluginConfigType } from '../../config';
import { parseClientOptions } from './client_config';

const TEST_DATA_SOURCE_ENDPOINT = 'http://test.com/';
jest.mock('fs');
const mockReadFileSync: jest.Mock = jest.requireMock('fs').readFileSync;

const config = {
enabled: true,
clientPool: {
size: 5,
},
} as DataSourcePluginConfigType;
const TEST_DATA_SOURCE_ENDPOINT = 'http://test.com/';

describe('parseClientOptions', () => {
test('include the ssl client configs as defaults', () => {
const config = {
enabled: true,
clientPool: {
size: 5,
},
} as DataSourcePluginConfigType;

expect(parseClientOptions(config, TEST_DATA_SOURCE_ENDPOINT)).toEqual(
expect.objectContaining({
host: TEST_DATA_SOURCE_ENDPOINT,
Expand All @@ -25,4 +28,81 @@ describe('parseClientOptions', () => {
})
);
});

test('test ssl config with verification mode set to none', () => {
const config = {
enabled: true,
ssl: {
verificationMode: 'none',
},
clientPool: {
size: 5,
},
} as DataSourcePluginConfigType;
expect(parseClientOptions(config, TEST_DATA_SOURCE_ENDPOINT)).toEqual(
expect.objectContaining({
host: TEST_DATA_SOURCE_ENDPOINT,
ssl: {
rejectUnauthorized: false,
ca: [],
},
})
);
});

test('test ssl config with verification mode set to certificate', () => {
const config = {
enabled: true,
ssl: {
verificationMode: 'certificate',
certificateAuthorities: ['some-path'],
},
clientPool: {
size: 5,
},
} as DataSourcePluginConfigType;
mockReadFileSync.mockReset();
mockReadFileSync.mockImplementation((path: string) => `content-of-${path}`);
const parsedConfig = parseClientOptions(config, TEST_DATA_SOURCE_ENDPOINT);
expect(mockReadFileSync).toHaveBeenCalledTimes(1);
mockReadFileSync.mockClear();
expect(parsedConfig).toEqual(
expect.objectContaining({
host: TEST_DATA_SOURCE_ENDPOINT,
ssl: {
rejectUnauthorized: true,
checkServerIdentity: expect.any(Function),
ca: ['content-of-some-path'],
},
})
);
expect(parsedConfig.ssl?.checkServerIdentity()).toBeUndefined();
});

test('test ssl config with verification mode set to full', () => {
const config = {
enabled: true,
ssl: {
verificationMode: 'full',
certificateAuthorities: ['some-path'],
},
clientPool: {
size: 5,
},
} as DataSourcePluginConfigType;
mockReadFileSync.mockReset();
mockReadFileSync.mockImplementation((path: string) => `content-of-${path}`);
const parsedConfig = parseClientOptions(config, TEST_DATA_SOURCE_ENDPOINT);
expect(mockReadFileSync).toHaveBeenCalledTimes(1);
mockReadFileSync.mockClear();
expect(parsedConfig).toEqual(
expect.objectContaining({
host: TEST_DATA_SOURCE_ENDPOINT,
ssl: {
rejectUnauthorized: true,
ca: ['content-of-some-path'],
},
})
);
});
});
Loading
Loading