From bc3115144634fce07e0aac66de451ee7f39730a6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mariana=20Gonz=C3=A1lez=20Velarde?=
Date: Fri, 6 Dec 2024 12:18:33 -0600
Subject: [PATCH 1/2] Save and Restore: Add authentication for Elasticsearch.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Mariana González Velarde
---
 .../persistence/config/ElasticConfig.java | 31 ++++++++++++++++++-
 1 file changed, 30 insertions(+), 1 deletion(-)
diff --git a/services/save-and-restore/src/main/java/org/phoebus/service/saveandrestore/persistence/config/ElasticConfig.java b/services/save-and-restore/src/main/java/org/phoebus/service/saveandrestore/persistence/config/ElasticConfig.java
index eb6f1b289d..ca811432f2 100644
--- a/services/save-and-restore/src/main/java/org/phoebus/service/saveandrestore/persistence/config/ElasticConfig.java
+++ b/services/save-and-restore/src/main/java/org/phoebus/service/saveandrestore/persistence/config/ElasticConfig.java
@@ -13,8 +13,15 @@
 import co.elastic.clients.transport.endpoints.BooleanResponse;
 import co.elastic.clients.transport.rest_client.RestClientTransport;
 import com.fasterxml.jackson.databind.module.SimpleModule;
+import org.apache.http.Header;
 import org.apache.http.HttpHost;
+import org.apache.http.auth.AuthScope;
+import org.apache.http.auth.UsernamePasswordCredentials;
+import org.apache.http.client.CredentialsProvider;
+import org.apache.http.impl.client.BasicCredentialsProvider;
+import org.apache.http.message.BasicHeader;
 import org.elasticsearch.client.RestClient;
+import org.elasticsearch.client.RestClientBuilder;
 import org.epics.vtype.VType;
 import org.phoebus.applications.saveandrestore.model.Node;
 import org.phoebus.applications.saveandrestore.model.NodeType;
@@ -75,6 +82,16 @@ public class ElasticConfig { @Value("${elasticsearch.http.port:9200}") private int port; + @Value("${elasticsearch.authorization.header:}") + private String authorizationHeader; + + @Value("${elasticsearch.authorization.username:}") + private String username; + + @Value("${elasticsearch.authorization.password}") + private String password; + + private ElasticsearchClient client; private static final AtomicBoolean esInitialized = new AtomicBoolean(); @@ -95,8 +112,20 @@ public class ElasticConfig { public ElasticsearchClient getClient() { if (client == null) { // Create the low-level client - RestClient httpClient = RestClient.builder(new HttpHost(host, port)).build(); + RestClientBuilder clientBuilder = RestClient.builder(new HttpHost(host, port)); + // Configure authentication + if (!authorizationHeader.isEmpty()) { + clientBuilder.setDefaultHeaders(new Header[] {new BasicHeader("Authorization", authorizationHeader)}); + if (!username.isEmpty() || !password.isEmpty()) { + logger.warning("elasticsearch.authorization_header is set, ignoring elasticsearch.username and elasticsearch.password."); + } + } else if (!username.isEmpty() || !password.isEmpty()) { + final CredentialsProvider credentialsProvider = new BasicCredentialsProvider(); + credentialsProvider.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials(username, password)); + clientBuilder.setHttpClientConfigCallback(httpClientBuilder -> httpClientBuilder.setDefaultCredentialsProvider(credentialsProvider)); + } + RestClient httpClient = clientBuilder.build(); JacksonJsonpMapper jacksonJsonpMapper = new JacksonJsonpMapper(); SimpleModule module = new SimpleModule(); module.addSerializer(VType.class, new VTypeSerializer()); From da01367643743f55d66410082884a3a7e62bc886 Mon Sep 17 00:00:00 2001 
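Review bot: The `password` binding has no default, `@Value("${elasticsearch.authorization.password}")`, while the header and username placeholders end in `:`, so a deployment whose configuration omits the key would presumably fail placeholder resolution at startup instead of running unauthenticated; `@Value("${elasticsearch.authorization.password:}")` would match the other two. The three fields are also undocumented: a comment such as `// Authorization header value; when non-empty it takes precedence over username/password` above `authorizationHeader` would record the precedence that getClient() applies. The ElasticConfig class body starts and ends outside this hunk.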
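Review bot: The basic-auth branch registers the credentials under `AuthScope.ANY`, so the HTTP client will answer an authentication challenge from any host and realm with them; scoping them to the configured node with `new AuthScope(host, port)` keeps them from being offered elsewhere. Both branches still build the connection with `new HttpHost(host, port)`, which defaults to the `http` scheme, so the Authorization header or the password would travel unencrypted unless TLS is provided somewhere not visible in this hunk; a scheme property passed as the third `HttpHost` argument would let deployments require `https`. The warning text names `elasticsearch.authorization_header`, `elasticsearch.username` and `elasticsearch.password`, which do not match the `elasticsearch.authorization.*` keys bound in the fields above, so an operator searching the configuration for them would find nothing. getClient() continues past the end of the hunk.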
From: =?UTF-8?q?Mariana=20Gonz=C3=A1lez=20Velarde?= Date: Fri, 6 Dec 2024 13:06:04 -0600 Subject: [PATCH 2/2] Add documentation in the save and restore applications.properties which explains how to use an authenticated client to elastic. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Mariana González Velarde --- .../src/main/resources/application.properties | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/services/save-and-restore/src/main/resources/application.properties b/services/save-and-restore/src/main/resources/application.properties index 6ad52e731e..6e3842668a 100644 --- a/services/save-and-restore/src/main/resources/application.properties +++ b/services/save-and-restore/src/main/resources/application.properties @@ -9,6 +9,17 @@ server.port=8080 elasticsearch.network.host=localhost elasticsearch.http.port=9200 +# The value for the `Authorization` header used in requests to the Elasticsearch server. +# This header supports token-based or API key-based authentication. +# See https://www.elastic.co/guide/en/elasticsearch/client/java-api-client/8.12/_other_authentication_methods.html +elasticsearch.authorization.header = + +# Username and password for basic authentication with the Elasticsearch server. +# These credentials are only used if `elasticsearch.authorization.header` is not set. +elasticsearch.authorization.username = +elasticsearch.authorization.password = + + # Do not change this! spring.jackson.serialization.write-dates-as-timestamps=false
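Review bot: The new comments invite operators to write the Elasticsearch password or API key directly into this packaged `application.properties`, with no hint about keeping the secret out of the file. A line such as `# Supply secrets through an environment variable or an external, access-restricted properties file instead of committing them here.` above the three keys would cover that. The comment block could also state that leaving all three values empty keeps the client unauthenticated, which is what the empty defaults appear to do.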