Skip to content

Commit

Permalink
Setting 'insecure' overrides 'certPath' (opensearch-project#5268)
Browse files Browse the repository at this point in the history
Signed-off-by: Jan Høydahl <[email protected]>
  • Loading branch information
janhoy authored Jan 10, 2025
1 parent 3f7f5d2 commit c614f95
Show file tree
Hide file tree
Showing 3 changed files with 23 additions and 10 deletions.
8 changes: 4 additions & 4 deletions data-prepper-plugins/opensearch/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -105,7 +105,7 @@ pipeline:

- `hosts`: A list of IP addresses of OpenSearch nodes.

- `cert`(optional): CA certificate that is pem encoded. Accepts both .pem or .crt. This enables the client to trust the CA that has signed the certificate that the OpenSearch cluster is using.
- `cert`(optional): CA certificate that is pem encoded. Accepts both `.pem` or `.crt`. This enables the client to trust the CA that has signed the certificate that the OpenSearch cluster is using. This setting has no effect if `insecure` is set to `true`.
Default is null.

- `aws_sigv4`: A boolean flag to sign the HTTP request with AWS credentials. Only applies to Amazon OpenSearch Service. See [security](security.md) for details. Default to `false`.
Expand All @@ -118,7 +118,7 @@ Default is null.

- `aws_sts_header_overrides`: An optional map of header overrides to make when assuming the IAM role for the sink plugin.

- `insecure`: A boolean flag to turn off SSL certificate verification. If set to true, CA certificate verification will be turned off and insecure HTTP requests will be sent. Default to `false`.
- `insecure`: A boolean flag to turn off SSL certificate verification. If set to true, CA certificate verification will be turned off and insecure HTTP requests will be sent. Setting this will override any `cert` configured. Default to `false`.

- `aws` (Optional) : AWS configurations. See [AWS Configuration](#aws_configuration) for details. SigV4 is enabled by default when this option is used. If this option is present, `aws_` options are not expected to be present. If any of `aws_` options are present along with this, error is thrown.

Expand Down Expand Up @@ -674,10 +674,10 @@ and then every hour after the first time the index is processed.
### <a name="connection_configuration">Connection Configuration</a>
* `insecure` (Optional): A boolean flag to turn off SSL certificate verification. If set to true, CA certificate verification will be turned off and insecure HTTP requests will be sent. Default to false.
* `insecure` (Optional): A boolean flag to turn off SSL certificate verification. If set to true, CA certificate verification will be turned off and insecure HTTP requests will be sent. Setting this will override any `cert` configured. Default to false.
* `cert` (Optional) : CA certificate that is pem encoded. Accepts both .pem or .crt. This enables the client to trust the CA that has signed the certificate that the OpenSearch cluster is using. Default is null.
* `cert` (Optional) : CA certificate that is pem encoded. Accepts both `.pem` or `.crt`. This enables the client to trust the CA that has signed the certificate that the OpenSearch cluster is using. This setting has no effect if `insecure` is set to `true`. Default is null.
* `socket_timeout` (Optional) : A String that indicates the timeout duration for waiting for data. Supports ISO_8601 notation Strings ("PT20.345S", "PT15M", etc.) as well as simple notation Strings for seconds ("60s") and milliseconds ("1500ms"). If this timeout value not set, the underlying Apache HttpClient would rely on operating system settings for managing socket timeouts.
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -275,11 +275,11 @@ public static ConnectionConfiguration readConnectionConfiguration(final PluginSe

final String certPath = pluginSetting.getStringOrDefault(CERT_PATH, null);
final boolean insecure = pluginSetting.getBooleanOrDefault(INSECURE, false);
if (certPath != null) {
builder = builder.withCert(certPath);
} else {
//We will set insecure flag only if certPath is null
builder = builder.withInsecure(insecure);
// Insecure == true will override configured certPath
if (insecure) {
builder.withInsecure(insecure);
} else if (certPath != null) {
builder.withCert(certPath);
}
final String proxy = pluginSetting.getStringOrDefault(PROXY, null);
builder = builder.withProxy(proxy);
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -283,7 +283,20 @@ void testCreateClientWithCertPath() throws IOException {
client.close();
}

@Test
@Test
void testCreateClientWithInsecureAndCertPath() throws IOException {
// Insecure should take precedence over cert path when both are set
final PluginSetting pluginSetting = generatePluginSetting(
TEST_HOSTS, TEST_USERNAME, TEST_PASSWORD, TEST_CONNECT_TIMEOUT, TEST_SOCKET_TIMEOUT, false, null, null, TEST_CERT_PATH, true);
final ConnectionConfiguration connectionConfiguration =
ConnectionConfiguration.readConnectionConfiguration(pluginSetting);
assertNull(connectionConfiguration.getCertPath());
final RestHighLevelClient client = connectionConfiguration.createClient(awsCredentialsSupplier);
assertNotNull(client);
client.close();
}

@Test
void testCreateOpenSearchClientWithCertPath() throws IOException {
final PluginSetting pluginSetting = generatePluginSetting(
TEST_HOSTS, TEST_USERNAME, TEST_PASSWORD, TEST_CONNECT_TIMEOUT, TEST_SOCKET_TIMEOUT, false, null, null, TEST_CERT_PATH, false);
Expand Down

0 comments on commit c614f95

Please sign in to comment.