use credential manager to decrypt password

Signed-off-by: Zhongnan Su <[email protected]>
elastic-analytics · Jul 21, 2022 · 1a8e74b · 1a8e74b
1 parent 282e578
commit 1a8e74b
Show file tree

Hide file tree

Showing 11 changed files with 74 additions and 41 deletions.
diff --git a/src/core/server/core_route_handler_context.ts b/src/core/server/core_route_handler_context.ts
@@ -41,6 +41,7 @@ import {
 import { Auditor } from './audit_trail';
 import { InternalUiSettingsServiceStart, IUiSettingsClient } from './ui_settings';
 import { InternalOpenSearchDataServiceStart } from './opensearch_data/types';
+import { ConnectionError } from '@opensearch-project/opensearch/lib/errors';
 
 class CoreOpenSearchRouteHandlerContext {
   #client?: IScopedClusterClient;
@@ -74,8 +75,17 @@ class CoreOpenSearchDataSourceRouteHandlerContext {
   constructor(private readonly opensearchDataStart: InternalOpenSearchDataServiceStart) {}
 
   public async getClient(dataSourceId: string) {
-    const client = await this.opensearchDataStart.client.asDataSource(dataSourceId);
-    return client;
+    try {
+      const client = await this.opensearchDataStart.client.asDataSource(dataSourceId);
+      return client;
+    } catch (error) {
+      if (error.message) {
+        throw new Error(error.message);
+      } else
+        throw new Error(
+          `Fail to get data source client for dataSource id: [${dataSourceId}]. Detail: ${error}`
+        );
+    }
   }
 }
 

diff --git a/src/core/server/opensearch_data/client/data_source_client.ts b/src/core/server/opensearch_data/client/data_source_client.ts
@@ -10,6 +10,7 @@ import { Client } from '@opensearch-project/opensearch';
 import { Logger } from '../../logging';
 import { OpenSearchClient, OpenSearchClientConfig } from '../../opensearch/client';
 import { SavedObjectsClientContract } from '../../saved_objects/types';
+import { CryptoCli } from '../../../../../src/plugins/credential_management/server/crypto/cli/crypto_cli';
 
 /**
  * TODO: update doc
@@ -39,6 +40,17 @@ export interface ICustomDataSourceClient extends IDdataSourceClient {
   close: () => Promise<void>;
 }
 
+// TODO: tmp
+interface DataSourceInfo {
+  endpoint: string;
+  credentialId: string;
+}
+
+interface CredentialInfo {
+  username: string;
+  password: string;
+}
+
 export class DataSourceClient implements ICustomDataSourceClient {
   public dataSourceClientsPool: Map<string, Client>;
   private savedObjectClient: SavedObjectsClientContract;
@@ -57,26 +69,14 @@ export class DataSourceClient implements ICustomDataSourceClient {
     // 2. throw error if isDataSourceEnabled == false, while API is called
   }
   async asDataSource(dataSourceId: string) {
-    // 1. fetch meta info of data source using saved_object client
-    const dataSource = await this.savedObjectClient.get('data-source', dataSourceId);
-
-    // 2. TODO: parse to DataSource object, need update once dataSource type is in place
-    const dataSourceObj = dataSource!.attributes as any;
-    const url = dataSourceObj.endpoint.url;
-    /**
-     * TODO:
-     * credential manager will provide "decrypt(authId: string)" to return auth
-     * Example code: cosnt {username, password} = credentialManager.decrpt(dataSourceObj.authId)
-     */
-    const username = dataSourceObj.endpoint.credentials.username;
-    const password = dataSourceObj.endpoint.credentials.password;
-
+    const { endpoint, credentialId } = await this.getDataSourceInfo(dataSourceId);
+    const { username, password } = await this.getCredentialInfo(credentialId);
     // 2. build/find client and return
     let dataSourceClient = this.dataSourceClientsPool.get(dataSourceId);
     if (!dataSourceClient) {
       // TODO: make use of existing default clientConfig to build client
       dataSourceClient = new Client({
-        node: url,
+        node: endpoint,
         auth: {
           username,
           password,
@@ -88,6 +88,33 @@ export class DataSourceClient implements ICustomDataSourceClient {
     return dataSourceClient;
   }
 
+  private async getDataSourceInfo(dataSourceId: string): Promise<DataSourceInfo> {
+    // 1. fetch meta info of data source using saved_object client
+    const dataSource = await this.savedObjectClient.get('data-source', dataSourceId);
+    // 2. TODO: parse to DataSource object, need update once dataSource type is in place
+    const dataSourceObj = dataSource!.attributes as any;
+    const endpoint = dataSourceObj.endpoint;
+    const credentialId = dataSource!.references[0].id;
+
+    return { endpoint, credentialId };
+  }
+
+  private async getCredentialInfo(credentialId: string): Promise<CredentialInfo> {
+    /**
+     * TODO:
+     * credential manager will provide "decrypt(authId: string)" to return auth
+     * Example code: cosnt {username, password} = credentialManager.decrpt(dataSourceObj.authId)
+     */
+    const credential = await this.savedObjectClient.get('credential', credentialId);
+    const credentialObj = credential!.attributes as any;
+    const { user_name: username, password: encryptedPassword } = credentialObj.credential_material;
+
+    const password = await CryptoCli.getInstance().decrypt(
+      Buffer.from(encryptedPassword, 'base64')
+    );
+    return { username, password };
+  }
+
   // close anything in pool
   public async close() {
     if (this.isClosed) {

diff --git a/src/core/server/opensearch_data/opensearch_data_service.ts b/src/core/server/opensearch_data/opensearch_data_service.ts
@@ -14,26 +14,19 @@ import { CoreContext } from '../core_context';
 import { Logger } from '../logging';
 import { OpenSearchClientConfig } from '../opensearch/client';
 import { OpenSearchConfig, OpenSearchConfigType } from '../opensearch/opensearch_config';
-import { OpenSearchService } from '../opensearch/opensearch_service';
-import {
-  InternalOpenSearchServiceSetup,
-  InternalOpenSearchServiceStart,
-} from '../opensearch/types';
 import { pollOpenSearchNodesVersion } from '../opensearch/version_check/ensure_opensearch_version';
-import {
-  InternalSavedObjectsServiceSetup,
-  InternalSavedObjectsServiceStart,
-  SavedObjectsClient,
-} from '../saved_objects';
+import { InternalSavedObjectsServiceStart, SavedObjectsClient } from '../saved_objects';
 import { SavedObjectsClientContract } from '../types';
 import { DataSourceClient } from './client/data_source_client';
+import { InternalOpenSearchDataServiceSetup, InternalOpenSearchDataServiceStart } from './types';
 
 interface StartDeps {
   savedObjects: InternalSavedObjectsServiceStart;
   auditTrail: AuditTrailStart;
 }
 
-export class OpenSearchDataService implements CoreService<any, any> {
+export class OpenSearchDataService
+  implements CoreService<InternalOpenSearchDataServiceSetup, InternalOpenSearchDataServiceStart> {
   private readonly log: Logger;
   private readonly config$: Observable<OpenSearchConfig>;
   private auditorFactory?: AuditorFactory;
@@ -76,7 +69,7 @@ export class OpenSearchDataService implements CoreService<any, any> {
     this.dataSourceClient = this.createDataSourceClient('data-source', config);
 
     return {
-      dataSourceClient: this.dataSourceClient,
+      client: this.dataSourceClient,
     };
   }
 

diff --git a/src/plugins/credential_management/server/crypto/cli/crypto_cli.ts b/src/plugins/credential_management/server/crypto/cli/crypto_cli.ts
@@ -56,7 +56,7 @@ export class CryptoCli {
     return result.result.toString('base64');
   }
 
-  public async decrypt(encrypted: Buffer) {
+  public async decrypt(encrypted: Buffer): Promise<string> {
     const result = await this._decrypt(this._keyring, encrypted);
     return result.plaintext.toString();
   }
@@ -80,7 +80,7 @@ export class CryptoCli {
     return './crypto_material';
   }
 
-  // TODO: Support configurable crypto materials file path 
+  // TODO: Support configurable crypto materials file path
   public static generateCryptoMaterials(keyName: string, keyNamespace: string) {
     const cryptoMaterials = {
       keyName,

diff --git a/src/plugins/credential_management/server/crypto/crypto_material b/src/plugins/credential_management/server/crypto/crypto_material
@@ -0,0 +1 @@
+{"keyName":"aes-name","keyNamespace":"aes-namespace","unencryptedMasterKey":{"type":"Buffer","data":[82,211,208,102,55,15,103,156,227,11,248,9,202,116,107,16,43,113,221,124,192,154,35,230,215,22,192,32,196,210,187,213]}}
diff --git a/src/plugins/data/common/index_patterns/index_patterns/index_patterns.ts b/src/plugins/data/common/index_patterns/index_patterns/index_patterns.ts
@@ -354,6 +354,7 @@ export class IndexPatternsService {
         fieldFormatMap,
         typeMeta,
         type,
+        dataSourceId,
       },
     } = savedObject;
 
@@ -373,6 +374,7 @@ export class IndexPatternsService {
       fields: this.fieldArrayToMap(parsedFields),
       typeMeta: parsedTypeMeta,
       type,
+      dataSourceId,
     };
   };
 

diff --git a/src/plugins/data/common/index_patterns/types.ts b/src/plugins/data/common/index_patterns/types.ts
@@ -61,6 +61,7 @@ export interface IndexPatternAttributes {
   intervalName?: string;
   sourceFilters?: string;
   fieldFormatMap?: string;
+  dataSourceId?: string;
 }
 
 export type OnNotification = (toastInputFields: ToastInputFields) => void;

diff --git a/src/plugins/data/common/search/opensearch_search/types.ts b/src/plugins/data/common/search/opensearch_search/types.ts
@@ -56,6 +56,7 @@ export type ISearchRequestParams<T = Record<string, any>> = {
 export interface IOpenSearchSearchRequest
   extends IOpenSearchDashboardsSearchRequest<ISearchRequestParams> {
   indexType?: string;
+  dataSourceId?: string;
 }
 
 export type IOpenSearchSearchResponse<Source = any> = IOpenSearchDashboardsSearchResponse<

diff --git a/src/plugins/data/common/search/search_source/search_source.ts b/src/plugins/data/common/search/search_source/search_source.ts
@@ -289,10 +289,7 @@ export class SearchSource {
       response = await this.legacyFetch(searchRequest, options);
     } else {
       if (this.dataSourceId) {
-        options = {
-          ...options,
-          dataSourceId: this.dataSourceId,
-        };
+        searchRequest.dataSourceId = this.dataSourceId;
       }
       response = await this.fetchSearch(searchRequest, options);
     }
@@ -346,10 +343,10 @@ export class SearchSource {
     const params = getSearchParamsFromRequest(searchRequest, {
       getConfig,
     });
-
-    return search({ params, indexType: searchRequest.indexType }, options).then(({ rawResponse }) =>
-      onResponse(searchRequest, rawResponse)
-    );
+    return search(
+      { params, indexType: searchRequest.indexType, dataSourceId: searchRequest.dataSourceId },
+      options
+    ).then(({ rawResponse }) => onResponse(searchRequest, rawResponse));
   }
 
   /**

diff --git a/src/plugins/data/server/saved_objects/index_patterns.ts b/src/plugins/data/server/saved_objects/index_patterns.ts
@@ -61,6 +61,7 @@ export const indexPatternSavedObjectType: SavedObjectsType = {
     properties: {
       title: { type: 'text' },
       type: { type: 'keyword' },
+      dataSourceId: { type: 'keyword' },
     },
   },
   migrations: indexPatternSavedObjectTypeMigrations as any,

diff --git a/src/plugins/data/server/search/opensearch_search/opensearch_search_strategy.ts b/src/plugins/data/server/search/opensearch_search/opensearch_search_strategy.ts
@@ -70,8 +70,8 @@ export const opensearchSearchStrategyProvider = (
       });
 
       try {
-        const selectedClient = options?.dataSourceId
-          ? await context.core.opensearchData.getClient(options?.dataSourceId)
+        const selectedClient = request.dataSourceId
+          ? await context.core.opensearchData.getClient(request.dataSourceId)
           : context.core.opensearch.client.asCurrentUser;
 
         const promise = shimAbortSignal(selectedClient.search(params), options?.abortSignal);
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		{"keyName":"aes-name","keyNamespace":"aes-namespace","unencryptedMasterKey":{"type":"Buffer","data":[82,211,208,102,55,15,103,156,227,11,248,9,202,116,107,16,43,113,221,124,192,154,35,230,215,22,192,32,196,210,187,213]}}