This is an automated email from the ASF dual-hosted git repository. mikhail pushed a commit to branch release-2.17.0 in repository https://gitbox.apache.org/repos/asf/beam.git
The following commit(s) were added to refs/heads/release-2.17.0 by this push: new ef2041b BEAM-8861 - Disallow self-signed certs by default new 2cb4724 Merge pull request #10354 from iemejia/release-2.17.0-BEAM-8861 ef2041b is described below commit ef2041b61af9b1b372aa27d27516487eb249b8b0 Author: Colm O hEigeartaigh <cohei...@apache.org> AuthorDate: Mon Dec 2 16:37:54 2019 +0000 BEAM-8861 - Disallow self-signed certs by default --- .../beam/sdk/io/elasticsearch/ElasticsearchIO.java | 28 +++++++++++++++++++--- 1 file changed, 25 insertions(+), 3 deletions(-) diff --git a/sdks/java/io/elasticsearch/src/main/java/org/apache/beam/sdk/io/elasticsearch/ElasticsearchIO.java b/sdks/java/io/elasticsearch/src/main/java/org/apache/beam/sdk/io/elasticsearch/ElasticsearchIO.java index b038e51..9b7ddb4 100644 --- a/sdks/java/io/elasticsearch/src/main/java/org/apache/beam/sdk/io/elasticsearch/ElasticsearchIO.java +++ b/sdks/java/io/elasticsearch/src/main/java/org/apache/beam/sdk/io/elasticsearch/ElasticsearchIO.java @@ -72,6 +72,7 @@ import org.apache.http.auth.UsernamePasswordCredentials; import org.apache.http.client.CredentialsProvider; import org.apache.http.client.config.RequestConfig; import org.apache.http.conn.ssl.TrustSelfSignedStrategy; +import org.apache.http.conn.ssl.TrustStrategy; import org.apache.http.entity.BufferedHttpEntity; import org.apache.http.entity.ContentType; import org.apache.http.impl.client.BasicCredentialsProvider; @@ -251,6 +252,9 @@ public class ElasticsearchIO { @Nullable public abstract Integer getConnectTimeout(); + @Nullable + public abstract Boolean getTrustSelfSignedCerts(); + abstract Builder builder(); @AutoValue.Builder @@ -273,6 +277,8 @@ public class ElasticsearchIO { abstract Builder setConnectTimeout(Integer connectTimeout); + abstract Builder setTrustSelfSignedCerts(Boolean trustSelfSignedCerts); + abstract ConnectionConfiguration build(); } @@ -350,6 +356,19 @@ public class ElasticsearchIO { } /** + * If Elasticsearch uses SSL/TLS then configure whether to trust self signed certs or not. The + * default is false. + * + * @param trustSelfSignedCerts Whether to trust self signed certs + * @return a {@link ConnectionConfiguration} describes a connection configuration to + * Elasticsearch. + */ + public ConnectionConfiguration withTrustSelfSignedCerts(Boolean trustSelfSignedCerts) { + checkArgument(trustSelfSignedCerts != null, "trustSelfSignedCerts can not be null"); + return builder().setTrustSelfSignedCerts(trustSelfSignedCerts).build(); + } + + /** * If set, overwrites the default max retry timeout (30000ms) in the Elastic {@link RestClient} * and the default socket timeout (30000ms) in the {@link RequestConfig} of the Elastic {@link * RestClient}. @@ -384,6 +403,7 @@ public class ElasticsearchIO { builder.addIfNotNull(DisplayData.item("keystore.path", getKeystorePath())); builder.addIfNotNull(DisplayData.item("socketAndRetryTimeout", getSocketAndRetryTimeout())); builder.addIfNotNull(DisplayData.item("connectTimeout", getConnectTimeout())); + builder.addIfNotNull(DisplayData.item("trustSelfSignedCerts", getTrustSelfSignedCerts())); } @VisibleForTesting @@ -411,10 +431,12 @@ public class ElasticsearchIO { String keystorePassword = getKeystorePassword(); keyStore.load(is, (keystorePassword == null) ? null : keystorePassword.toCharArray()); } + final TrustStrategy trustStrategy = + getTrustSelfSignedCerts() != null && getTrustSelfSignedCerts() + ? new TrustSelfSignedStrategy() + : null; final SSLContext sslContext = - SSLContexts.custom() - .loadTrustMaterial(keyStore, new TrustSelfSignedStrategy()) - .build(); + SSLContexts.custom().loadTrustMaterial(keyStore, trustStrategy).build(); final SSLIOSessionStrategy sessionStrategy = new SSLIOSessionStrategy(sslContext); restClientBuilder.setHttpClientConfigCallback( httpClientBuilder ->