You are viewing a plain text version of this content. The canonical link for it is here.
Posted to github@beam.apache.org by GitBox <gi...@apache.org> on 2022/11/18 02:11:09 UTC
[GitHub] [beam] chamikaramj commented on a diff in pull request #24229: Add rootCaCertificate option to SplunkIO
chamikaramj commented on code in PR #24229:
URL: https://github.com/apache/beam/pull/24229#discussion_r1025916723
##########
sdks/java/io/splunk/src/main/java/org/apache/beam/sdk/io/splunk/CustomX509TrustManager.java:
##########
@@ -0,0 +1,98 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.beam.sdk.io.splunk;
+
+import java.io.IOException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509TrustManager;
+import org.checkerframework.checker.initialization.qual.UnknownInitialization;
+import org.checkerframework.checker.nullness.qual.Nullable;
+
+/** A Custom X509TrustManager that trusts a user provided CA and default CA's. */
+public class CustomX509TrustManager implements X509TrustManager {
+
+ private final @Nullable X509TrustManager defaultTrustManager;
+
+ private final @Nullable X509TrustManager userTrustManager;
+
+ public CustomX509TrustManager(X509Certificate userCertificate)
+ throws CertificateException, KeyStoreException, NoSuchAlgorithmException, IOException {
+ // Get Default Trust Manager
+ TrustManagerFactory trustMgrFactory =
+ TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+ trustMgrFactory.init((KeyStore) null);
+ defaultTrustManager = getX509TrustManager(trustMgrFactory.getTrustManagers());
+
+ // Create Trust Manager with user provided certificate
+ KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
+ trustStore.load(null, null);
+ trustStore.setCertificateEntry("User Provided Root CA", userCertificate);
+ trustMgrFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+ trustMgrFactory.init(trustStore);
+ userTrustManager = getX509TrustManager(trustMgrFactory.getTrustManagers());
+ }
+
+ private @Nullable X509TrustManager getX509TrustManager(
+ @UnknownInitialization CustomX509TrustManager this, TrustManager[] trustManagers) {
+ for (TrustManager tm : trustManagers) {
+ if (tm instanceof X509TrustManager) {
+ return (X509TrustManager) tm;
+ }
+ }
+ return null;
+ }
+
+ @Override
+ public void checkClientTrusted(X509Certificate[] chain, String authType)
+ throws CertificateException {
+ if (defaultTrustManager != null) {
+ defaultTrustManager.checkClientTrusted(chain, authType);
Review Comment:
Should we fallback to using "userTrustManager" here as well ?
##########
sdks/java/io/splunk/src/main/java/org/apache/beam/sdk/io/splunk/SplunkIO.java:
##########
@@ -264,6 +269,35 @@ public Write withDisableCertificateValidation(Boolean disableCertificateValidati
.build();
}
+ /**
+ * Same as {@link Builder#withRootCaCertificatePath(ValueProvider)} but without a {@link
+ * ValueProvider}.
+ *
+ * @param rootCaCertificatePath Path to root CA certificate
+ * @return {@link Builder}
+ */
+ public Write withRootCaCertificatePath(ValueProvider<String> rootCaCertificatePath) {
+ checkArgument(
+ rootCaCertificatePath != null,
+ "withRootCaCertificatePath(rootCaCertificatePath) called with null input.");
+ return toBuilder().setRootCaCertificatePath(rootCaCertificatePath).build();
+ }
+
+ /**
+ * Method to set the root CA certificate.
+ *
+ * @param rootCaCertificatePath Path to root CA certificate
+ * @return {@link Builder}
+ */
+ public Write withRootCaCertificatePath(String rootCaCertificatePath) {
+ checkArgument(
Review Comment:
Ditto.
##########
sdks/java/io/splunk/src/main/java/org/apache/beam/sdk/io/splunk/HttpEventPublisher.java:
##########
@@ -349,14 +378,24 @@ private CloseableHttpClient getHttpClient(
? NoopHostnameVerifier.INSTANCE
: new DefaultHostnameVerifier();
- SSLContextBuilder sslContextBuilder = SSLContextBuilder.create();
+ SSLContext sslContext = SSLContextBuilder.create().build();
if (disableCertificateValidation) {
LOG.info("Certificate validation is disabled");
- sslContextBuilder.loadTrustMaterial((TrustStrategy) (chain, authType) -> true);
+ sslContext =
+ SSLContextBuilder.create()
Review Comment:
Should we just use the builder above instead of creating another one ?
##########
sdks/java/io/splunk/src/main/java/org/apache/beam/sdk/io/splunk/SplunkEventWriter.java:
##########
@@ -396,6 +411,41 @@ private static void flushWriteFailures(
}
}
+ /**
+ * Reads a root CA certificate from GCS and returns it as raw bytes.
+ *
+ * @param filePath path to root CA cert in GCS
+ * @return raw contents of cert
+ * @throws RuntimeException thrown if not able to read or parse cert
+ */
+ public static byte[] getCertFromGcsAsBytes(String filePath) throws IOException {
+ ReadableByteChannel channel = getGcsFileByteChannel(filePath);
+ try (InputStream inputStream = Channels.newInputStream(channel)) {
+ return IOUtils.toByteArray(inputStream);
+ } catch (IOException e) {
+ throw new RuntimeException("Error when reading: " + filePath, e);
+ }
+ }
+
+ /** Handles getting the {@link ReadableByteChannel} for {@code filePath}. */
+ private static ReadableByteChannel getGcsFileByteChannel(String filePath) throws IOException {
Review Comment:
Is filePath expected to be a glob (not the exact path) ?
If it's an exact file path, this matching and verification is unnecessary and we can just assume it to be a single file and do "FileSystems.open" (and remove this method).
##########
sdks/java/io/splunk/src/main/java/org/apache/beam/sdk/io/splunk/SplunkIO.java:
##########
@@ -264,6 +269,35 @@ public Write withDisableCertificateValidation(Boolean disableCertificateValidati
.build();
}
+ /**
+ * Same as {@link Builder#withRootCaCertificatePath(ValueProvider)} but without a {@link
+ * ValueProvider}.
+ *
+ * @param rootCaCertificatePath Path to root CA certificate
+ * @return {@link Builder}
+ */
+ public Write withRootCaCertificatePath(ValueProvider<String> rootCaCertificatePath) {
+ checkArgument(
Review Comment:
Please use CheckNotNull instead: https://github.com/GoogleCloudPlatform/DataflowTemplates/blob/d8c84c6f735848c715eef23c1af3486a1248f11c/v1/src/main/java/com/google/cloud/teleport/splunk/SplunkEvent.java#L78
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: github-unsubscribe@beam.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org