From 5d9375cd0ac2cfe54ab09662a810a0b850b37c2f Mon Sep 17 00:00:00 2001 From: Abdul Muneer Kolarkunnu Date: Thu, 17 Oct 2024 12:29:54 +0530 Subject: [PATCH 1/4] Improve error message when a node with an incorrectly configured certificate attempts to connect Updated the error message to understand what is the exact reason and renamed the API name to match the intention of API. Resolves #4601 Signed-off-by: Abdul Muneer Kolarkunnu --- .../java/org/opensearch/security/ssl/util/ExceptionUtils.java | 4 ++-- .../opensearch/security/transport/SecurityRequestHandler.java | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/main/java/org/opensearch/security/ssl/util/ExceptionUtils.java b/src/main/java/org/opensearch/security/ssl/util/ExceptionUtils.java index 83982239f0..efe4d68c92 100644 --- a/src/main/java/org/opensearch/security/ssl/util/ExceptionUtils.java +++ b/src/main/java/org/opensearch/security/ssl/util/ExceptionUtils.java @@ -76,7 +76,7 @@ public static OpenSearchException createJwkCreationException(Throwable cause) { return new OpenSearchException("An error occurred during the creation of Jwk: {}", cause, cause.getMessage()); } - public static OpenSearchException createTransportClientNoLongerSupportedException() { - return new OpenSearchException("Transport client authentication no longer supported."); + public static OpenSearchException clusterWrongNodeCertConfigException() { + return new OpenSearchException("Node certificate configuration is wrong or certificate is invalid."); } } diff --git a/src/main/java/org/opensearch/security/transport/SecurityRequestHandler.java b/src/main/java/org/opensearch/security/transport/SecurityRequestHandler.java index 5845c63672..493ee85bd6 100644 --- a/src/main/java/org/opensearch/security/transport/SecurityRequestHandler.java +++ b/src/main/java/org/opensearch/security/transport/SecurityRequestHandler.java 
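Review bot: The new factory name `clusterWrongNodeCertConfigException` in the ExceptionUtils hunk drops the `create…Exception` pattern that the neighbouring `createJwkCreationException` follows, and it has no Javadoc saying when it is meant to be raised. Because the method is `public static`, the rename also removes `createTransportClientNoLongerSupportedException` for any caller outside this series, which only updates `SecurityRequestHandler`. I would name it `createClusterWrongNodeCertConfigException` and add a one-line Javadoc such as `/** Built when a transport request is rejected because the peer's certificate is not accepted as a cluster node. */`. That wording should be confirmed against the handler's condition, which is only partly visible in the next hunk.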
@@ -290,7 +290,7 @@ protected void messageReceivedDecorate( || HeaderHelper.isTrustedClusterRequest(getThreadContext()) || HeaderHelper.isExtensionRequest(getThreadContext()))) { // CS-ENFORCE-SINGLE - final OpenSearchException exception = ExceptionUtils.createTransportClientNoLongerSupportedException(); + final OpenSearchException exception = ExceptionUtils.clusterWrongNodeCertConfigException(); log.error(exception.toString()); transportChannel.sendResponse(exception); return; From 805c1697a0affd32186592bc5aedbebdc5d7ca5a Mon Sep 17 00:00:00 2001 From: Abdul Muneer Kolarkunnu Date: Thu, 17 Oct 2024 13:17:17 +0530 Subject: [PATCH 2/4] Improve error message when a node with an incorrectly configured certificate attempts to connect Updated the error message to understand what is the exact reason and renamed the API name to match the intention of API. Resolves #4601 Signed-off-by: Abdul Muneer Kolarkunnu --- .../opensearch/security/ccstest/CrossClusterSearchTests.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/test/java/org/opensearch/security/ccstest/CrossClusterSearchTests.java b/src/test/java/org/opensearch/security/ccstest/CrossClusterSearchTests.java index 32ab78dbdf..ae55bc1ca5 100644 --- a/src/test/java/org/opensearch/security/ccstest/CrossClusterSearchTests.java +++ b/src/test/java/org/opensearch/security/ccstest/CrossClusterSearchTests.java @@ -1355,7 +1355,7 @@ public void testCcsWithDiffCertsWithNoNodesDnUpdate() throws Exception { String uri = "cross_cluster_two:twitter/_search?pretty"; HttpResponse ccs = rh1.executeGetRequest(uri, encodeBasicHeader("twitter", "nagilum")); assertThat(ccs.getStatusCode(), equalTo(HttpStatus.SC_INTERNAL_SERVER_ERROR)); - assertThat(ccs.getBody(), containsString("Transport client authentication no longer supported")); + assertThat(ccs.getBody(), containsString("Node certificate configuration is wrong or certificate is invalid.")); } @Test 
From 85134f7f3953304241b2e321f4361f4aeaa71edf Mon Sep 17 00:00:00 2001 From: Abdul Muneer Kolarkunnu Date: Fri, 18 Oct 2024 10:38:54 +0530 Subject: [PATCH 3/4] Improve error message when a node with an incorrectly configured certificate attempts to connect Updated the error message to understand what is the exact reason and renamed the API name to match the intention of API. Resolves #4601 Signed-off-by: Abdul Muneer Kolarkunnu --- .../org/opensearch/security/ssl/util/ExceptionUtils.java | 6 ++++-- .../security/transport/SecurityRequestHandler.java | 2 +- .../security/ccstest/CrossClusterSearchTests.java | 4 +++- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/src/main/java/org/opensearch/security/ssl/util/ExceptionUtils.java b/src/main/java/org/opensearch/security/ssl/util/ExceptionUtils.java index efe4d68c92..4018f4aa48 100644 --- a/src/main/java/org/opensearch/security/ssl/util/ExceptionUtils.java +++ b/src/main/java/org/opensearch/security/ssl/util/ExceptionUtils.java @@ -76,7 +76,9 @@ public static OpenSearchException createJwkCreationException(Throwable cause) { return new OpenSearchException("An error occurred during the creation of Jwk: {}", cause, cause.getMessage()); } - public static OpenSearchException clusterWrongNodeCertConfigException() { - return new OpenSearchException("Node certificate configuration is wrong or certificate is invalid."); + public static OpenSearchException clusterWrongNodeCertConfigException(String sslPrincipal) { + return new OpenSearchException("Node presenting certificate with SSL Principal {" + sslPrincipal + "} could" + + " not securely connect to the cluster. Please ensure the principal is correct and present in the" + + " nodes_dn list."); } } diff --git a/src/main/java/org/opensearch/security/transport/SecurityRequestHandler.java b/src/main/java/org/opensearch/security/transport/SecurityRequestHandler.java index 493ee85bd6..18c0c21282 100644 
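Review bot: `sslPrincipal` is concatenated straight into the message between literal `{` and `}`, which reads like the `{}` placeholder that `createJwkCreationException` just above uses but is not one, and the value is used unchecked. Going by the commit subject, the principal comes from the connecting node's certificate, so it is peer-supplied text that the handler then logs and sends back; a null argument would render as `{null}`. I would pass it as a format argument, `new OpenSearchException("Node presenting certificate with SSL Principal {} could not securely connect to the cluster. ...", sslPrincipal)`, and strip control characters first unless the caller already guarantees a normalised DN. The placeholder form drops the literal braces, so the expected string in the test hunk of this patch would need the same change.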
--- a/src/main/java/org/opensearch/security/transport/SecurityRequestHandler.java +++ b/src/main/java/org/opensearch/security/transport/SecurityRequestHandler.java @@ -290,7 +290,7 @@ protected void messageReceivedDecorate( || HeaderHelper.isTrustedClusterRequest(getThreadContext()) || HeaderHelper.isExtensionRequest(getThreadContext()))) { // CS-ENFORCE-SINGLE - final OpenSearchException exception = ExceptionUtils.clusterWrongNodeCertConfigException(); + final OpenSearchException exception = ExceptionUtils.clusterWrongNodeCertConfigException(principal); log.error(exception.toString()); transportChannel.sendResponse(exception); return; diff --git a/src/test/java/org/opensearch/security/ccstest/CrossClusterSearchTests.java b/src/test/java/org/opensearch/security/ccstest/CrossClusterSearchTests.java index ae55bc1ca5..16d323d4ed 100644 --- a/src/test/java/org/opensearch/security/ccstest/CrossClusterSearchTests.java +++ b/src/test/java/org/opensearch/security/ccstest/CrossClusterSearchTests.java @@ -1355,7 +1355,9 @@ public void testCcsWithDiffCertsWithNoNodesDnUpdate() throws Exception { String uri = "cross_cluster_two:twitter/_search?pretty"; HttpResponse ccs = rh1.executeGetRequest(uri, encodeBasicHeader("twitter", "nagilum")); assertThat(ccs.getStatusCode(), equalTo(HttpStatus.SC_INTERNAL_SERVER_ERROR)); - assertThat(ccs.getBody(), containsString("Node certificate configuration is wrong or certificate is invalid.")); + assertThat(ccs.getBody(), containsString("Node presenting certificate with SSL Principal " + + "{CN=node-0.example.com,OU=SSL,O=Test,L=Test,C=DE} could not securely connect to the cluster. Please" + + " ensure the principal is correct and present in the nodes_dn list.")); } @Test From 9ecd5f44e3c29f03fecb6c5a9baa564e340e8341 Mon Sep 17 00:00:00 2001 
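Review bot: With `principal` now embedded, the same exception is both written by `log.error(exception.toString())` and returned to the remote side by `transportChannel.sendResponse(exception)`, so the certificate subject and the `nodes_dn` hint leave the node. The test hunk in this patch shows that text arriving in the HTTP body of a search issued with basic-auth user credentials (`ccs.getBody()`), which hands internal certificate naming and configuration detail to API clients. I would keep the detailed message for the log and send a generic one on the channel, for example `transportChannel.sendResponse(new OpenSearchException("Node could not securely connect to the cluster."));`. The assignment of `principal` is outside the hunk, so whether it can be null or empty on this path should be checked before it is formatted.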
From: Abdul Muneer Kolarkunnu Date: Fri, 18 Oct 2024 17:33:21 +0530 Subject: [PATCH 4/4] Improve error message when a node with an incorrectly configured certificate attempts to connect Updated the error message to understand what is the exact reason and renamed the API name to match the intention of API. Resolves #4601 Signed-off-by: Abdul Muneer Kolarkunnu --- .../opensearch/security/ssl/util/ExceptionUtils.java | 10 +++++++--- .../security/ccstest/CrossClusterSearchTests.java | 11 ++++++++--- 2 files changed, 15 insertions(+), 6 deletions(-) diff --git a/src/main/java/org/opensearch/security/ssl/util/ExceptionUtils.java b/src/main/java/org/opensearch/security/ssl/util/ExceptionUtils.java index 4018f4aa48..4683075f1d 100644 --- a/src/main/java/org/opensearch/security/ssl/util/ExceptionUtils.java +++ b/src/main/java/org/opensearch/security/ssl/util/ExceptionUtils.java @@ -77,8 +77,12 @@ public static OpenSearchException createJwkCreationException(Throwable cause) { } public static OpenSearchException clusterWrongNodeCertConfigException(String sslPrincipal) { - return new OpenSearchException("Node presenting certificate with SSL Principal {" + sslPrincipal + "} could" + - " not securely connect to the cluster. Please ensure the principal is correct and present in the" + - " nodes_dn list."); + return new OpenSearchException( + "Node presenting certificate with SSL Principal {" + + sslPrincipal + + "} could" + + " not securely connect to the cluster. Please ensure the principal is correct and present in the" + + " nodes_dn list." + ); } } diff --git a/src/test/java/org/opensearch/security/ccstest/CrossClusterSearchTests.java b/src/test/java/org/opensearch/security/ccstest/CrossClusterSearchTests.java index 16d323d4ed..d6a427e581 100644 --- a/src/test/java/org/opensearch/security/ccstest/CrossClusterSearchTests.java +++ b/src/test/java/org/opensearch/security/ccstest/CrossClusterSearchTests.java 
@@ -1355,9 +1355,14 @@ public void testCcsWithDiffCertsWithNoNodesDnUpdate() throws Exception { String uri = "cross_cluster_two:twitter/_search?pretty"; HttpResponse ccs = rh1.executeGetRequest(uri, encodeBasicHeader("twitter", "nagilum")); assertThat(ccs.getStatusCode(), equalTo(HttpStatus.SC_INTERNAL_SERVER_ERROR)); - assertThat(ccs.getBody(), containsString("Node presenting certificate with SSL Principal " + - "{CN=node-0.example.com,OU=SSL,O=Test,L=Test,C=DE} could not securely connect to the cluster. Please" + - " ensure the principal is correct and present in the nodes_dn list.")); + assertThat( + ccs.getBody(), + containsString( + "Node presenting certificate with SSL Principal " + + "{CN=node-0.example.com,OU=SSL,O=Test,L=Test,C=DE} could not securely connect to the cluster. Please" + + " ensure the principal is correct and present in the nodes_dn list." + ) + ); } @Test