This is an automated email from the ASF dual-hosted git repository.
mikhail pushed a commit to branch release-2.17.0
in repository https://gitbox.apache.org/repos/asf/beam.git
The following commit(s) were added to refs/heads/release-2.17.0 by this push:
new ef2041b BEAM-8861 - Disallow self-signed certs by default
new 2cb4724 Merge pull request #10354 from
iemejia/release-2.17.0-BEAM-8861
ef2041b is described below
commit ef2041b61af9b1b372aa27d27516487eb249b8b0
Author: Colm O hEigeartaigh <cohei...@apache.org>
AuthorDate: Mon Dec 2 16:37:54 2019 +0000
BEAM-8861 - Disallow self-signed certs by default
---
.../beam/sdk/io/elasticsearch/ElasticsearchIO.java | 28 +++++++++++++++++++---
1 file changed, 25 insertions(+), 3 deletions(-)
diff --git
a/sdks/java/io/elasticsearch/src/main/java/org/apache/beam/sdk/io/elasticsearch/ElasticsearchIO.java
b/sdks/java/io/elasticsearch/src/main/java/org/apache/beam/sdk/io/elasticsearch/ElasticsearchIO.java
index b038e51..9b7ddb4 100644
---
a/sdks/java/io/elasticsearch/src/main/java/org/apache/beam/sdk/io/elasticsearch/ElasticsearchIO.java
+++
b/sdks/java/io/elasticsearch/src/main/java/org/apache/beam/sdk/io/elasticsearch/ElasticsearchIO.java
@@ -72,6 +72,7 @@ import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
+import org.apache.http.conn.ssl.TrustStrategy;
import org.apache.http.entity.BufferedHttpEntity;
import org.apache.http.entity.ContentType;
import org.apache.http.impl.client.BasicCredentialsProvider;
@@ -251,6 +252,9 @@ public class ElasticsearchIO {
@Nullable
public abstract Integer getConnectTimeout();
+ @Nullable
+ public abstract Boolean getTrustSelfSignedCerts();
+
abstract Builder builder();
@AutoValue.Builder
@@ -273,6 +277,8 @@ public class ElasticsearchIO {
abstract Builder setConnectTimeout(Integer connectTimeout);
+ abstract Builder setTrustSelfSignedCerts(Boolean trustSelfSignedCerts);
+
abstract ConnectionConfiguration build();
}
@@ -350,6 +356,19 @@ public class ElasticsearchIO {
}
/**
+ * If Elasticsearch uses SSL/TLS then configure whether to trust self
signed certs or not. The
+ * default is false.
+ *
+ * @param trustSelfSignedCerts Whether to trust self signed certs
+ * @return a {@link ConnectionConfiguration} describes a connection
configuration to
+ * Elasticsearch.
+ */
+ public ConnectionConfiguration withTrustSelfSignedCerts(Boolean
trustSelfSignedCerts) {
+ checkArgument(trustSelfSignedCerts != null, "trustSelfSignedCerts can
not be null");
+ return builder().setTrustSelfSignedCerts(trustSelfSignedCerts).build();
+ }
+
+ /**
* If set, overwrites the default max retry timeout (30000ms) in the
Elastic {@link RestClient}
* and the default socket timeout (30000ms) in the {@link RequestConfig}
of the Elastic {@link
* RestClient}.
@@ -384,6 +403,7 @@ public class ElasticsearchIO {
builder.addIfNotNull(DisplayData.item("keystore.path",
getKeystorePath()));
builder.addIfNotNull(DisplayData.item("socketAndRetryTimeout",
getSocketAndRetryTimeout()));
builder.addIfNotNull(DisplayData.item("connectTimeout",
getConnectTimeout()));
+ builder.addIfNotNull(DisplayData.item("trustSelfSignedCerts",
getTrustSelfSignedCerts()));
}
@VisibleForTesting
@@ -411,10 +431,12 @@ public class ElasticsearchIO {
String keystorePassword = getKeystorePassword();
keyStore.load(is, (keystorePassword == null) ? null :
keystorePassword.toCharArray());
}
+ final TrustStrategy trustStrategy =
+ getTrustSelfSignedCerts() != null && getTrustSelfSignedCerts()
+ ? new TrustSelfSignedStrategy()
+ : null;
final SSLContext sslContext =
- SSLContexts.custom()
- .loadTrustMaterial(keyStore, new TrustSelfSignedStrategy())
- .build();
+ SSLContexts.custom().loadTrustMaterial(keyStore,
trustStrategy).build();
final SSLIOSessionStrategy sessionStrategy = new
SSLIOSessionStrategy(sslContext);
restClientBuilder.setHttpClientConfigCallback(
httpClientBuilder ->
