From 3433f5850668fd275bd127c5b8111d9bc9243575 Mon Sep 17 00:00:00 2001
From: Aldo Mihasi
Date: Wed, 8 Jun 2022 16:23:49 +0300
Subject: [PATCH] Add ssl support for elasticsearch
---
 .../ElasticSearchConfiguration.java | 54 ++++++++++++++++---
 .../config/application-devel.properties | 3 ++
 2 files changed, 51 insertions(+), 6 deletions(-)
diff --git a/dmp-backend/web/src/main/java/eu/eudat/configurations/ElasticSearchConfiguration.java b/dmp-backend/web/src/main/java/eu/eudat/configurations/ElasticSearchConfiguration.java
index e299035e1..49f7de4b4 100644
--- a/dmp-backend/web/src/main/java/eu/eudat/configurations/ElasticSearchConfiguration.java
+++ b/dmp-backend/web/src/main/java/eu/eudat/configurations/ElasticSearchConfiguration.java
@@ -4,11 +4,14 @@ import org.apache.http.HttpHost;
 import org.apache.http.auth.AuthScope;
 import org.apache.http.auth.UsernamePasswordCredentials;
 import org.apache.http.client.CredentialsProvider;
+import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
 import org.apache.http.impl.client.BasicCredentialsProvider;
 import org.apache.http.impl.nio.conn.PoolingNHttpClientConnectionManager;
 import org.apache.http.impl.nio.reactor.DefaultConnectingIOReactor;
 import org.apache.http.nio.reactor.IOReactorException;
 import org.apache.http.nio.reactor.IOReactorExceptionHandler;
+import org.apache.http.ssl.SSLContextBuilder;
+import org.apache.http.ssl.SSLContexts;
 import org.elasticsearch.client.RestClient;
 import org.elasticsearch.client.RestHighLevelClient;
 import org.slf4j.Logger;
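Review bot: `org.apache.http.conn.ssl.TrustSelfSignedStrategy`, `org.apache.http.ssl.SSLContextBuilder` and `org.apache.http.ssl.SSLContexts` are imported here but nothing in the patch uses them (the trust store is built with `TrustManagerFactory` directly), and the same holds for `java.io.FileInputStream` in the next hunk. These unused imports should be dropped, and `TrustSelfSignedStrategy` in particular is worth removing rather than leaving around, since a strategy that accepts any self-signed certificate would undo the CA pinning this change introduces if someone later wires it into the builder.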
@@ -18,7 +21,17 @@ import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.env.Environment;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManagerFactory;
+import java.io.FileInputStream;
 import java.io.IOException;
+import java.io.InputStream;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.security.KeyStore;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateFactory;
 /**
  * Created by ikalyvas on 7/5/2018.
@@ -56,12 +69,41 @@ public class ElasticSearchConfiguration {
             }
         });
-        RestHighLevelClient client = new RestHighLevelClient(
-                RestClient.builder(
-                        new HttpHost(this.environment.getProperty("elasticsearch.host"),
-                                Integer.parseInt(this.environment.getProperty("elasticsearch.port")), "http"))
-                        .setHttpClientConfigCallback(httpClientBuilder -> httpClientBuilder
-                                .setDefaultCredentialsProvider(credentialsProvider).setConnectionManager(new PoolingNHttpClientConnectionManager(ioReactor))));
+        RestHighLevelClient client;
+        if(this.environment.getProperty("elasticsearch.usingssl", Boolean.class)){
+
+            Path caCertificatePath = Paths.get(this.environment.getProperty("elasticsearch.certPath"));
+            CertificateFactory factory =
+                    CertificateFactory.getInstance("X.509");
+            Certificate trustedCa;
+            try (InputStream is = Files.newInputStream(caCertificatePath)) {
+                trustedCa = factory.generateCertificate(is);
+            }
+            KeyStore trustStore = KeyStore.getInstance("pkcs12");
+            trustStore.load(null, null);
+            trustStore.setCertificateEntry("ca", trustedCa);
+
+            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+            tmf.init(trustStore);
+
+            SSLContext sslContext = SSLContext.getInstance("TLS");
+            sslContext.init(null, tmf.getTrustManagers(), null);
+
+            client = new RestHighLevelClient(
+                    RestClient.builder(
+                            new HttpHost(this.environment.getProperty("elasticsearch.host"),
+                                    Integer.parseInt(this.environment.getProperty("elasticsearch.port")), "https"))
+                            .setHttpClientConfigCallback(httpClientBuilder -> httpClientBuilder
+                                    .setDefaultCredentialsProvider(credentialsProvider).setSSLContext(sslContext)));
+        }
+        else {
+            client = new RestHighLevelClient(
+                    RestClient.builder(
+                            new HttpHost(this.environment.getProperty("elasticsearch.host"),
+                                    Integer.parseInt(this.environment.getProperty("elasticsearch.port")), "http"))
+                            .setHttpClientConfigCallback(httpClientBuilder -> httpClientBuilder
+                                    .setDefaultCredentialsProvider(credentialsProvider).setConnectionManager(new PoolingNHttpClientConnectionManager(ioReactor))));
+        }
         return client;
         }catch (IOReactorException ex) {
             throw new RuntimeException(ex);
diff --git a/dmp-backend/web/src/main/resources/config/application-devel.properties b/dmp-backend/web/src/main/resources/config/application-devel.properties
index 396776273..8ae02affd 100644
--- a/dmp-backend/web/src/main/resources/config/application-devel.properties
+++ b/dmp-backend/web/src/main/resources/config/application-devel.properties
@@ -14,6 +14,9 @@ elasticsearch.port = 9200
 elasticsearch.username=elastic
 elasticsearch.password=
 elasticsearch.index=dmps
+elasticsearch.usingssl=false
+elasticsearch.certPath =
+elasticsearch.certKey =
 ####################ELK OVERRIDES CONFIGURATIONS##########
 http-logger.server-address = http://localhost:31311
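Review bot: `if(this.environment.getProperty("elasticsearch.usingssl", Boolean.class)){` unboxes a null when the property is absent, so any profile that does not define it (this patch adds it only to application-devel.properties) fails with a NullPointerException at bean creation; use the defaulted overload, `if (this.environment.getProperty("elasticsearch.usingssl", Boolean.class, false)) {`. The TLS branch also drops `.setConnectionManager(new PoolingNHttpClientConnectionManager(ioReactor))`, so `ioReactor` and the exception handler installed on it above go unused whenever TLS is on; as far as I recall the async client builder ignores `setSSLContext` once a connection manager is set, so keeping the pooled manager under TLS means registering the context on the manager's scheme registry through an `SSLIOSessionStrategy` instead. `factory.generateCertificate(is)` loads only the first certificate in the file, so a PEM holding an intermediate plus a root is only partially trusted; `generateCertificates(is)` with one `setCertificateEntry` per element covers that. The added calls throw checked exceptions (CertificateException, IOException, KeyStoreException, NoSuchAlgorithmException, KeyManagementException) that the visible `catch (IOReactorException ex)` does not cover, and since the method signature lies outside the hunk it is unclear whether it already declares them.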
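Review bot: `elasticsearch.certKey =` is introduced but nothing in the Java side of this patch reads it (only `elasticsearch.usingssl` and `elasticsearch.certPath` are consulted), so it is dead configuration; either drop it or mark its intent, e.g. `# reserved for a client key (mutual TLS); not yet read by ElasticSearchConfiguration`. `elasticsearch.usingssl` is added only to this devel profile while the code dereferences it unconditionally, so the other profiles need the same key or the code needs a default.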