elasticsearch: support a ca cert

jasonish · jasonish · commit 1ce5dcc50474 · 2025-01-23T00:11:58.000-06:00
#222
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -20,6 +20,7 @@
   https://github.com/jasonish/evebox/issues/52
 - [sqlite] Use server side events to stream back data such as
   aggregations, so updates in the UI can start right away.
+- [elastic] Support custom certificate authority: https://github.com/jasonish/evebox/issues/222
 
 ## 0.19.0 - 2024-12-13
 
diff --git a/examples/evebox.yaml b/examples/evebox.yaml
@@ -56,6 +56,8 @@ database:
     #username: username
     #password: password
 
+    #cacert: http_ca.crt
+
   retention:
     # Only keep events for the past 7 days.
     # - SQLite only
diff --git a/src/bin/evebox.rs b/src/bin/evebox.rs
@@ -122,6 +122,14 @@ async fn evebox_main() -> Result<(), Box<dyn std::error::Error>> {
                 .env("EVEBOX_ELASTICSEARCH_PASSWORD")
                 .hide(true),
         )
+        .arg(
+            clap::Arg::new("database.elasticsearch.cacert")
+                .long("elasticsearch-cacert")
+                .action(ArgAction::Set)
+                .value_name("FILENAME")
+                .help("Elasticsearch CA certificate filename")
+                .env("EVEBOX_ELASTICSEARCH_CACERT"),
+        )
         .arg(
             clap::Arg::new("database.elasticsearch.index")
                 .short('i')
diff --git a/src/elastic/client.rs b/src/elastic/client.rs
@@ -6,6 +6,8 @@ use serde::Serialize;
 use serde_json::Value;
 use std::cmp::Ordering;
 use std::collections::HashMap;
+use std::io::BufReader;
+use std::io::Read;
 use std::time::Duration;
 use tracing::warn;
 
@@ -23,23 +25,13 @@ pub enum ClientError {
     String(String),
 }
 
-#[derive(Debug, Default)]
+#[derive(Debug, Default, Clone)]
 pub(crate) struct Client {
     pub url: String,
     pub disable_certificate_validation: bool,
     pub username: Option<String>,
     pub password: Option<String>,
-}
-
-impl Clone for Client {
-    fn clone(&self) -> Self {
-        Self {
-            url: self.url.clone(),
-            disable_certificate_validation: self.disable_certificate_validation,
-            username: self.username.clone(),
-            password: self.password.clone(),
-        }
-    }
+    cert: Option<reqwest::Certificate>,
 }
 
 fn default_username() -> Option<String> {
@@ -50,12 +42,38 @@ fn default_password() -> Option<String> {
     std::env::var("EVEBOX_ELASTICSEARCH_PASSWORD").ok()
 }
 
+fn load_certificate_from_file(filename: &str) -> anyhow::Result<reqwest::Certificate> {
+    let file = std::fs::File::open(filename)?;
+    let mut reader = BufReader::new(file);
+    let mut buffer = vec![];
+    reader.read_to_end(&mut buffer)?;
+    Ok(reqwest::Certificate::from_pem(&buffer)?)
+}
+
+/// Load a certificate from the specified in
+/// EVEBOX_ELASTICSEARCH_HTTP_CA_CERT. Returning None if not set, or
+/// if an error occurs. But log the error before returning None.
+fn load_certificate_from_env() -> Option<reqwest::Certificate> {
+    if let Ok(filename) = std::env::var("EVEBOX_ELASTICSEARCH_CACERT") {
+        match load_certificate_from_file(&filename) {
+            Ok(cert) => Some(cert),
+            Err(err) => {
+                warn!("Failed to load Elasticsearch HTTP CA certificate from {}, will continue without: {}", filename, err);
+                None
+            }
+        }
+    } else {
+        None
+    }
+}
+
 impl Client {
     pub fn new(url: &str) -> Self {
         Self {
             url: url.to_string(),
             username: std::env::var("EVEBOX_ELASTICSEARCH_USERNAME").ok(),
             password: std::env::var("EVEBOX_ELASTICSEARCH_PASSWORD").ok(),
+            cert: load_certificate_from_env(),
             ..Default::default()
         }
     }
@@ -65,6 +83,11 @@ impl Client {
         if self.disable_certificate_validation {
             builder = builder.danger_accept_invalid_certs(true);
         }
+
+        if let Some(cert) = self.cert.clone() {
+            builder = builder.add_root_certificate(cert);
+        }
+
         builder.build()
     }
 
@@ -272,6 +295,7 @@ pub(crate) struct ClientBuilder {
     disable_certificate_validation: bool,
     username: Option<String>,
     password: Option<String>,
+    cert: Option<reqwest::Certificate>,
 }
 
 impl ClientBuilder {
@@ -280,6 +304,7 @@ impl ClientBuilder {
             url: url.to_string(),
             username: default_username(),
             password: default_password(),
+            cert: load_certificate_from_env(),
             ..ClientBuilder::default()
         }
     }
@@ -299,14 +324,21 @@ impl ClientBuilder {
         self
     }
 
+    pub(crate) fn with_cacert(mut self, cacert: &str) -> anyhow::Result<Self> {
+        self.cert = Some(load_certificate_from_file(cacert)?);
+        Ok(self)
+    }
+
     pub fn build(self) -> Client {
         Client {
             url: self.url.clone(),
             disable_certificate_validation: self.disable_certificate_validation,
             username: self.username,
             password: self.password,
+            cert: self.cert,
         }
     }
+
 }
 
 #[derive(Deserialize, Serialize, Debug)]
diff --git a/src/server/main.rs b/src/server/main.rs
@@ -78,6 +78,7 @@ pub async fn main(args: &clap::ArgMatches) -> Result<()> {
     server_config.elastic_ecs = config.get_bool("database.elasticsearch.ecs")?;
     server_config.elastic_username = config.get("database.elasticsearch.username")?;
     server_config.elastic_password = config.get("database.elasticsearch.password")?;
+    server_config.elastic_cacert = config.get("database.elasticsearch.cacert")?;
     server_config.data_directory = config.get("data-directory")?;
     server_config.no_check_certificate = config
         .get_bool("database.elasticsearch.disable-certificate-check")?
@@ -459,6 +460,9 @@ async fn configure_datastore(config: Config, server_config: &ServerConfig) -> Re
             if let Some(password) = &server_config.elastic_password {
                 client = client.with_password(password);
             }
+            if let Some(cacert) = &server_config.elastic_cacert {
+                client = client.with_cacert(cacert)?;
+            }
             client = client.disable_certificate_validation(server_config.no_check_certificate);
 
             let client = client.build();
diff --git a/src/server/mod.rs b/src/server/mod.rs
@@ -66,6 +66,7 @@ pub(crate) struct ServerConfig {
     pub elastic_no_index_suffix: bool,
     pub elastic_username: Option<String>,
     pub elastic_password: Option<String>,
+    pub elastic_cacert: Option<String>,
     pub elastic_ecs: bool,
     pub data_directory: Option<String>,
     pub authentication_required: bool,
