opensearch 2.4.0

Official OpenSearch Rust client
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193

/*
 * Licensed to Elasticsearch B.V. under one or more contributor
 * license agreements. See the NOTICE file distributed with
 * this work for additional information regarding copyright
 * ownership. Elasticsearch B.V. licenses this file to you under
 * the Apache License, Version 2.0 (the "License"); you may
 * not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *	http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */
//! These tests require a cluster configured with Security. One can be spun up using the
//! .ci/run-opensearch.sh script as follows:
//!
//!
//! DETACH=true .ci/run-opensearch.sh
#![cfg(any(feature = "native-tls", feature = "rustls-tls"))]
#![allow(unused)]

pub mod common;
use common::*;

use anyhow::anyhow;
use opensearch::{
    cert::{Certificate, CertificateValidation},
    http::response::Response,
    Error,
};

static CA_CERT: &[u8] = include_bytes!("../../.ci/certs/root-ca.crt");
static CA_CHAIN_CERT: &[u8] = include_bytes!("../../.ci/certs/ca-chain.crt");
static ESNODE_CERT: &[u8] = include_bytes!("../../.ci/certs/esnode.crt");
static ESNODE_NO_SAN_CERT: &[u8] = include_bytes!("../../.ci/certs/esnode-no-san.crt");

fn assert_is_untrusted_cert_error(res: Result<Response, Error>) {
    let e = res.expect_err("Result should be an untrusted cert error");

    let untrusted_cert_error = if cfg!(windows) {
        "terminated in a root certificate which is not trusted by the trust provider"
    } else if cfg!(target_os = "macos") {
        "The certificate was not trusted"
    } else {
        "unable to get local issuer certificate"
    };

    let mut source: Option<&dyn std::error::Error> = Some(&e);
    while let Some(err) = source {
        if err.to_string().contains(untrusted_cert_error) {
            return;
        }

        source = err.source();
    }

    panic!(
        "Expected error message to contain '{}' but was {:#?}",
        untrusted_cert_error, e
    )
}

/// Default certificate validation with a self signed certificate
#[tokio::test]
#[cfg(any(feature = "native-tls", feature = "rustls-tls"))]
async fn default_certificate_validation() {
    let client = client::create_with(|b| b.cert_validation(CertificateValidation::Default));
    let res = client.ping().send().await;
    assert_is_untrusted_cert_error(res);
}

/// Allows any certificate through
#[tokio::test]
async fn none_certificate_validation() -> anyhow::Result<()> {
    let client = client::create_with(|b| b.cert_validation(CertificateValidation::None));
    let _response = client.ping().send().await?;
    Ok(())
}

/// Certificate provided by the server contains the one given to the client
/// within the authority chain, and hostname matches
#[tokio::test]
#[cfg(all(
    any(feature = "native-tls", feature = "rustls-tls"),
    not(target_os = "macos")
))]
async fn full_certificate_ca_validation() -> anyhow::Result<()> {
    let cert = Certificate::from_pem(CA_CERT)?;
    let client = client::create_with(|b| b.cert_validation(CertificateValidation::Full(cert)));
    let _response = client.ping().send().await?;
    Ok(())
}

/// Try to load a certificate chain.
#[tokio::test]
#[cfg(all(
    any(feature = "native-tls", feature = "rustls-tls"),
    not(target_os = "macos")
))]
async fn full_certificate_ca_chain_validation() -> anyhow::Result<()> {
    let mut cert = Certificate::from_pem(CA_CHAIN_CERT)?;
    cert.append(Certificate::from_pem(CA_CERT)?);
    assert_eq!(cert.len(), 3, "expected three certificates in CA chain");
    let client = client::create_with(|b| b.cert_validation(CertificateValidation::Full(cert)));
    let _response = client.ping().send().await?;
    Ok(())
}

/// Certificate provided by the server is the one given to the client and hostname matches
#[tokio::test]
#[cfg(all(windows, feature = "native-tls"))]
async fn full_certificate_validation() -> anyhow::Result<()> {
    let cert = Certificate::from_pem(ESNODE_CERT)?;
    let client = client::create_with(|b| b.cert_validation(CertificateValidation::Full(cert)));
    let _response = client.ping().send().await?;
    Ok(())
}

/// Certificate provided by the server is the one given to the client and hostname matches, using rustls-tls
#[tokio::test]
#[cfg(all(feature = "rustls-tls", not(target_os = "macos")))]
async fn full_certificate_validation_rustls_tls() -> anyhow::Result<()> {
    let mut chain: Vec<u8> = Vec::with_capacity(ESNODE_CERT.len() + CA_CERT.len());
    chain.extend(CA_CERT);
    chain.extend(ESNODE_CERT);

    let cert = Certificate::from_pem(chain.as_slice())?;
    let client = client::create_with(|b| b.cert_validation(CertificateValidation::Full(cert)));
    let _response = client.ping().send().await?;
    Ok(())
}

/// Certificate provided by the server is the one given to the client. This fails on Linux because
/// it appears that it also needs the CA for the cert
#[tokio::test]
#[cfg(all(unix, feature = "native-tls"))]
async fn full_certificate_validation() {
    let cert = Certificate::from_pem(ESNODE_CERT).unwrap();
    let client = client::create_with(|b| b.cert_validation(CertificateValidation::Full(cert)));
    let res = client.ping().send().await;
    assert_is_untrusted_cert_error(res);
}

/// Certificate provided by the server is the one given to the client
#[tokio::test]
#[cfg(all(windows, feature = "native-tls"))]
async fn certificate_certificate_validation() -> anyhow::Result<()> {
    let cert = Certificate::from_pem(ESNODE_CERT)?;
    let client =
        client::create_with(|b| b.cert_validation(CertificateValidation::Certificate(cert)));
    let _response = client.ping().send().await?;
    Ok(())
}

/// Certificate provided by the server is the one given to the client. This fails on Linux because
/// it appears that it also needs the CA for the cert
#[tokio::test]
#[cfg(all(unix, feature = "native-tls"))]
async fn certificate_certificate_validation() {
    let cert = Certificate::from_pem(ESNODE_CERT).unwrap();
    let client =
        client::create_with(|b| b.cert_validation(CertificateValidation::Certificate(cert)));
    let res = client.ping().send().await;
    assert_is_untrusted_cert_error(res);
}

/// Certificate provided by the server contains the one given to the client
/// within the authority chain
#[tokio::test]
#[cfg(all(feature = "native-tls", not(target_os = "macos")))]
async fn certificate_certificate_ca_validation() -> anyhow::Result<()> {
    let cert = Certificate::from_pem(CA_CERT)?;
    let client =
        client::create_with(|b| b.cert_validation(CertificateValidation::Certificate(cert)));
    let _response = client.ping().send().await?;
    Ok(())
}

/// Certificate provided by the server does not match the one given to the client
#[tokio::test]
#[cfg(feature = "native-tls")]
async fn fail_certificate_certificate_validation() {
    let cert = Certificate::from_pem(ESNODE_NO_SAN_CERT).unwrap();
    let client =
        client::create_with(|b| b.cert_validation(CertificateValidation::Certificate(cert)));
    let res = client.ping().send().await;
    assert_is_untrusted_cert_error(res);
}