Support user info in Elasticsearch URIs

[evgeniycheban]

Fixes gh-21291

[wilkinsona]

Thanks very much for the PR, @evgeniycheban

Could you please take a look at adding some tests for the new functionality? I think they could be implemented as additions to org.springframework.boot.autoconfigure.elasticsearch.ElasticsearchRestClientAutoConfigurationTests. It looks like you can get the nodes from the RestClient to verify that the configuration has been applied correctly. As part of the tests, it would be good to verify the behaviour of URIs with and without any user info and how the separate username and password properties are used.

[evgeniycheban]

Thanks very much for the PR, @evgeniycheban

Could you please take a look at adding some tests for the new functionality? I think they could be implemented as additions to org.springframework.boot.autoconfigure.elasticsearch.ElasticsearchRestClientAutoConfigurationTests. It looks like you can get the nodes from the RestClient to verify that the configuration has been applied correctly. As part of the tests, it would be good to verify the behaviour of URIs with and without any user info and how the separate username and password properties are used.

Thanks for the review, @wilkinsona

Sure, I will add tests.

[evgeniycheban]

@wilkinsona I added tests.

When you have a moment, please take a look.

[wilkinsona]

Thanks for the updates. I've left a few more comments. Could you please take a look when you have a moment?

[wilkinsona]

Creating a field for the CredentialsProvider and allowing it to be injected doesn't seem to be related to supporting user info in the URI. Can you please revert this part of the changes?

[evgeniycheban]

I added this to make testing easer, because we can not access credentialsProvider field from InternalHttpAsyncClient. It can also be useful in some cases when the user needs to use a custom CredentialsProvider.

[wilkinsona]

I don't think it's safe to expose a CredentialProvider as a bean. In this case the credentials that it provides are specific to Elasticsearch, but there's nothing about the bean that indicates that's the case. It could be accidentally consumed and used anywhere that's working with an Apache HTTP client, potentially leaking credentials to another service.

For this sort of situation, we prefer to use AssertJ's support for extracting fields. In this case it would look something like this:

assertThat(client).extracting("client")
		.extracting("credentialsProvider", InstanceOfAssertFactories.type(CredentialsProvider.class))
		.satisfies((credentialsProvider) -> {
			Credentials uriCredentials = credentialsProvider.getCredentials(new AuthScope("localhost", 9200));
			assertThat(uriCredentials.getUserPrincipal().getName()).isEqualTo("user");
			assertThat(uriCredentials.getPassword()).isEqualTo("password");
			Credentials defaultCredentials = credentialsProvider.getCredentials(new AuthScope("localhost", 9201));
			assertThat(defaultCredentials.getUserPrincipal().getName()).isEqualTo("admin");
			assertThat(defaultCredentials.getPassword()).isEqualTo("admin");
		});

[evgeniycheban]

Thank you for the AssertJ example, @wilkinsona
I will update tests.

[evgeniycheban]

Fixed.

[wilkinsona]

I think the username in the URI should win so the name of the principal should be user.

[evgeniycheban]

Yes, that is right, in this assert we are checking that if the URI does not contain credentials then spring.elasticsearch.rest.username and spring.elasticsearch.rest.password will be used.

[wilkinsona]

Sorry, I'd missed that there are two URIs being configured, one with credentials and one without.

[wilkinsona]

Similarly, I think the password in the URI should win so it should be password.

[wilkinsona]

Sorry, ignore this. I'd missed that there are two URIs being configured, one with credentials and one without.

[wilkinsona]

I don't think it's safe to expose a CredentialProvider as a bean. In this case the credentials that it provides are specific to Elasticsearch, but there's nothing about the bean that indicates that's the case. It could be accidentally consumed and used anywhere that's working with an Apache HTTP client, potentially leaking credentials to another service.

For this sort of situation, we prefer to use AssertJ's support for extracting fields. In this case it would look something like this:

assertThat(client).extracting("client")
		.extracting("credentialsProvider", InstanceOfAssertFactories.type(CredentialsProvider.class))
		.satisfies((credentialsProvider) -> {
			Credentials uriCredentials = credentialsProvider.getCredentials(new AuthScope("localhost", 9200));
			assertThat(uriCredentials.getUserPrincipal().getName()).isEqualTo("user");
			assertThat(uriCredentials.getPassword()).isEqualTo("password");
			Credentials defaultCredentials = credentialsProvider.getCredentials(new AuthScope("localhost", 9201));
			assertThat(defaultCredentials.getUserPrincipal().getName()).isEqualTo("admin");
			assertThat(defaultCredentials.getPassword()).isEqualTo("admin");
		});

[evgeniycheban]

@wilkinsona Could you please take a look at the latest changes when you have a moment?

[murdos]

@wilkinsona : is there any chance to get this in 2.3.x ?
Indeed this feature was available with Jest, but support has been removed in 2.3.

[wilkinsona]

Yes. Given the situation with Jest, it seems reasonable to include this in 2.3.x.

[philwebb]

Thanks very much for the PR @evgeniycheban, this is now in 2.3.x and master. I made some minor tweaks in f8982bd (mainly to protect against URL parse exceptions).