
Commit 42b4b91

committed
JVMCBC-1607: Improve how trusted certificates are logged
Motivation: When TLS is enabled, the CoreCreatedEvent logged by the SDK includes the full list of trusted certificates, which can be very long. Other interesting config properties are also logged, but they appear after the certificates. If the user’s logging library is configured to truncate long messages, these other properties can end up being omitted because the certificates take up so much space. Changes: Limited the number of certificates logged in the CoreCreatedEvent to 5, indicating how many total certs there are that haven't been logged. And log all the certificates at Debug level in a separate log msg. Change-Id: I686ad448975862a42c10504e2d2ee33b1fc4e0ac Reviewed-on: https://review.couchbase.org/c/couchbase-jvm-clients/+/227715 Tested-by: Build Bot <[email protected]> Reviewed-by: David Nault <[email protected]>
1 parent 0adc9b1 commit 42b4b91


4 files changed

+157
-8
lines changed


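--- a/core-io/src/main/java/com/couchbase/client/core/Core.java
+++ b/core-io/src/main/java/com/couchbase/client/core/Core.java
@@ -107,6 +107,8 @@
 import com.couchbase.client.core.util.Deadline;
 import com.couchbase.client.core.util.LatestStateSubscription;
 import com.couchbase.client.core.util.NanoTimestamp;
+import org.slf4j.LoggerFactory;
+import org.slf4j.Logger;
 import reactor.core.Disposable;
 import reactor.core.publisher.Flux;
 import reactor.core.publisher.Mono;
@@ -133,6 +135,7 @@
 import java.util.stream.Stream;
 
 import static com.couchbase.client.core.api.CoreCouchbaseOps.checkConnectionStringScheme;
+import static com.couchbase.client.core.util.CbCollections.isNullOrEmpty;
 import static com.couchbase.client.core.util.ConnectionStringUtil.asConnectionString;
 import static com.couchbase.client.core.util.ConnectionStringUtil.sanityCheckPorts;
 import static java.util.Collections.emptySet;
@@ -148,6 +151,7 @@
 */
 @Stability.Volatile
 public class Core implements CoreCouchbaseOps, AutoCloseable {
+private static final Logger logger = LoggerFactory.getLogger(Core.class);
 
 /**
 * Locates the right node for the KV service.
@@ -344,6 +348,10 @@ public RequestTracer requestTracer() {
 
 eventBus.publish(new CoreCreatedEvent(coreContext, environment, emptySet(), CoreLimiter.numInstances(), connectionString));
 
+if (!isNullOrEmpty(coreContext.environment().securityConfig().trustCertificates())) {
+logger.debug("Trusted certificates: {}", coreContext.environment().securityConfig().trustCertificatesToString());
+}
+
 long watchdogInterval = INVALID_STATE_WATCHDOG_INTERVAL.getSeconds();
 if (watchdogInterval <= 1) {
 throw InvalidArgumentException.fromMessage("The Watchdog Interval cannot be smaller than 1 second!");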
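Review bot: The added block in the last hunk builds the full certificate string before `logger.debug` can decide whether to emit it, because `trustCertificatesToString()` is evaluated as a call argument and the surrounding `if` only checks that the list is non-empty. With a large trust store, which the commit message gives as the motivation, every certificate is formatted on each Core creation even when debug logging is off. Adding the level check to the guard avoids that work: `if (logger.isDebugEnabled() && !isNullOrEmpty(coreContext.environment().securityConfig().trustCertificates())) {`. The enclosing constructor or method starts and ends outside the hunk.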

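--- a/core-io/src/main/java/com/couchbase/client/core/env/SecurityConfig.java
+++ b/core-io/src/main/java/com/couchbase/client/core/env/SecurityConfig.java
@@ -87,6 +87,8 @@ public static boolean userSpecifiedTrustSource(SecurityConfig config) {
 }
 }
 
+private static final int PRINT_N_CERTS = 5;
+
 private final boolean nativeTlsEnabled;
 private final boolean hostnameVerificationEnabled;
 private final boolean tlsEnabled;
@@ -346,7 +348,7 @@ Map<String, Object> exportAsMap() {
 export.put("tlsEnabled", tlsEnabled);
 export.put("nativeTlsEnabled", nativeTlsEnabled);
 export.put("hostnameVerificationEnabled", hostnameVerificationEnabled);
-export.put("trustCertificates", trustCertificates != null ? trustCertificatesToString() : null);
+export.put("trustCertificates", trustCertificates != null ? trustCertificatesToString(PRINT_N_CERTS) : null);
 export.put("trustManagerFactory", trustManagerFactory != null ? trustManagerFactory.getClass().getSimpleName() : null);
 export.put("ciphers", ciphers);
 return export;
@@ -607,15 +609,22 @@ public static List<String> defaultCiphers(final boolean nativeTlsEnabled) {
 return SslHandlerFactory.defaultCiphers(nativeTlsEnabled);
 }
 
-private String trustCertificatesToString() {
+@Stability.Internal
+public String trustCertificatesToString() {
+return trustCertificatesToString(Integer.MAX_VALUE);
+}
+
+private String trustCertificatesToString(final int printNCerts) {
 if (isNullOrEmpty(trustCertificates)) {
 return null;
 }
 
-return trustCertificates.stream()
-.map(it -> it.getSubjectDN() + " (valid from " + it.getNotBefore().toInstant() + " to " + it.getNotAfter().toInstant() + ")")
-.collect(toList())
-.toString();
+return new StringBuilder().append(trustCertificates.stream()
+.map(it -> it.getSubjectDN() + " (valid from " + it.getNotBefore().toInstant() + " to " + it.getNotAfter().toInstant() + ")")
+.limit(printNCerts)
+.collect(toList()))
+.append(trustCertificates.size() > printNCerts ? " (and " + (trustCertificates.size() - printNCerts) + " more)" : "")
+.toString();
 }
 
 /**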
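Review bot: Each entry produced by `trustCertificatesToString(int)` in the last hunk identifies a trust anchor only by subject DN and validity dates, so once the list is cut at `PRINT_N_CERTS` the `exportAsMap()` output no longer shows which anchors are in effect, and certificates sharing a subject cannot be told apart (the new six-certificate test repeats two subjects). Assuming the elements are `X509Certificate`, as the calls suggest, adding a stable identifier to the mapped string, for example `it.getSerialNumber().toString(16)`, would make the full debug-level list usable for auditing the trust store. The now-public `trustCertificatesToString()` also returns `null` when no certificates are configured and has no Javadoc; a comment such as `/** Returns a description of every trusted certificate, or null if none are configured. */` would make that contract visible to callers.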

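--- a/core-io/src/test/java/com/couchbase/client/core/env/SecurityConfigTest.java
+++ b/core-io/src/test/java/com/couchbase/client/core/env/SecurityConfigTest.java
@@ -73,13 +73,30 @@ void trustOneCertificateFromFile() {
 
 @Test
 void trustTwoCertificatesFromFile() {
-checkCertificatesFromFile(
+SecurityConfig config = checkCertificatesFromFile(
 "two-certificates.pem",
 listOf(
 "CN=Couchbase Server 1d6c9ec6",
 "CN=Couchbase Server f233ba43"
 )
 );
+assertFalse(config.exportAsMap().get("trustCertificates").toString().contains(" (and "));
+}
+
+@Test
+void trustSixCertificatesFromFile() {
+SecurityConfig config = checkCertificatesFromFile(
+"six-certificates.pem",
+listOf(
+"CN=Couchbase Server 1d6c9ec6",
+"CN=Couchbase Server f233ba43",
+"CN=Couchbase Server 1d6c9ec6",
+"CN=Couchbase Server f233ba43",
+"CN=Couchbase Server 1d6c9ec6",
+"CN=Couchbase Server f233ba43"
+)
+);
+assertTrue(config.exportAsMap().get("trustCertificates").toString().contains(" (and 1 more)"));
 }
 
 @Test
@@ -92,7 +109,7 @@ void canReadDefaultCaCertificates() {
 assertEquals(jvm.size() + capella.size(), defaults.size());
 }
 
-private void checkCertificatesFromFile(
+private SecurityConfig checkCertificatesFromFile(
 String resourceName,
 List<String> expectedSubjectDns
 ) {
@@ -105,6 +122,7 @@ private void checkCertificatesFromFile(
 .map(it -> it.getSubjectDN().getName())
 .collect(toList())
 );
+return config;
 }
 
 private static Path getResourceAsPath(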
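Review bot: `trustSixCertificatesFromFile` checks only that the suffix `" (and 1 more)"` is present; nothing asserts that the unrestricted `trustCertificatesToString()` used for the debug log stays untruncated, and there is no case at exactly five certificates, the boundary of `PRINT_N_CERTS`. Adding `assertFalse(config.trustCertificatesToString().contains(" (and "));` to the six-certificate test would pin the full-list path. A five-certificate fixture asserting that the suffix is absent would cover the off-by-one boundary.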
Lines changed: 114 additions & 0 deletions
@@ -0,0 +1,114 @@
1+
-----BEGIN CERTIFICATE-----
2+
MIIDAjCCAeqgAwIBAgIIFpZtHpcc9cgwDQYJKoZIhvcNAQELBQAwJDEiMCAGA1UE
3+
AxMZQ291Y2hiYXNlIFNlcnZlciAxZDZjOWVjNjAeFw0xMzAxMDEwMDAwMDBaFw00
4+
OTEyMzEyMzU5NTlaMCQxIjAgBgNVBAMTGUNvdWNoYmFzZSBTZXJ2ZXIgMWQ2Yzll
5+
YzYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDagbxtpv/RTBOS3LEL
6+
yMJI4N1QPVmPyZfMR2XhOBQzzXpEWrIIoc5hW5hcCNnPs94hMgtrIK3o14//kRfS
7+
EjGqIbKepdruNvGgkXLeASlTc3aCh4vVdWMSrGNjIJTOqkeagA1vyKE4BU592oGC
8+
KhmMkAX/fJS2+aHgNMar9/4xqUic6eNScQhVSF9AbTt3c/87IHNDTPavatvbFllY
9+
X+H1J/yErUwj9SJBaqpJhU7zUmdo6v28gp4kvN4sIjd7FpFf0n2usRRdPMEOKEIK
10+
bA/Fu575oXs4/05AeP/ZG0xzU4kMOWIBxqejZ4hUFfQps7adQHaWD3BJVryNx04T
11+
O+KXAgMBAAGjODA2MA4GA1UdDwEB/wQEAwICpDATBgNVHSUEDDAKBggrBgEFBQcD
12+
ATAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQC7s5rYi+1QNJcH
13+
sYRcmSZ5Rv9u4YN1cUYZ8Gb+RdfX2IBJff+vf15iBf4N2XWnA+zCn/WCm8sgaZ1Y
14+
HP4Dn55aBIIfhOUdJ8bJL9eK9Ew9IQ4FrT1UkmDd/CqE4/pIwHamWfcpII20XnqE
15+
FPiymngFAkAMAaynzku/Lw9VmbaafiLBUvwx3aJzF3totNd6LdigAG5iH4Ir2fhb
16+
gtGoZ9ZuskKRJ8pGXu95DrJ6VJJQBwveUCYqHX+hx16iyMdsYZ/EObhbkXacEaBo
17+
xFptQ/XVtEO/zh0gqSnUD/dROeUG28zbDKdP4Q1b70XE87HKnjYDcpfwfyJwo0Xg
18+
FT2XIEXd
19+
-----END CERTIFICATE-----
20+
-----BEGIN CERTIFICATE-----
21+
MIIDAjCCAeqgAwIBAgIIFsmouG9qrMQwDQYJKoZIhvcNAQELBQAwJDEiMCAGA1UE
22+
AxMZQ291Y2hiYXNlIFNlcnZlciBmMjMzYmE0MzAeFw0xMzAxMDEwMDAwMDBaFw00
23+
OTEyMzEyMzU5NTlaMCQxIjAgBgNVBAMTGUNvdWNoYmFzZSBTZXJ2ZXIgZjIzM2Jh
24+
NDMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDRdb+uGSgCfkP2QYbe
25+
4OI45cxp67I+43s3rVeK3/EVNdmcVsost943DRN8wGGlAl3UNMY499vJ/P5rV1+N
26+
ALvsGGsgY9QuRUeiEPXFBsyQTA6kZOcCBhlUflPnZFH//OpwAgPBbU96BJRuIM/K
27+
1gIrmcBLB9x8WHTOYIwEqwnqE6uReEJxG5L4J7oFj8zvrWRvQD3tkQgNpMKCJGJn
28+
PleIxzzYA8VZ4XytE5O4rB/wFlGsPW4LDMAOLuZ6slpojFAEGbaxtHKtvwupMfgi
29+
yzRmsJrHzsWd4Gy9ualeB+7r9fktDvzaffid2SW+z1sdP/FzNhTiiKOg4JgX+CB5
30+
Zd+/AgMBAAGjODA2MA4GA1UdDwEB/wQEAwICpDATBgNVHSUEDDAKBggrBgEFBQcD
31+
ATAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQC+/tKhyohI3/Bg
32+
wBV3r9VoBkJ6j1r6oh6+ncx9Hu/DkJp7IYuwMcmzgXx7bYgTbjTpbB2rxUmwaTY7
33+
V9iJU6iW1xmdE00wGDYIqcUq+quGl9cf0aqJWMwoETPCAt7Gl35PeuOMgBZN1Bez
34+
Akh8ieoMJrOyL6bBP5j1zRMHdF+BhP5SKIIxriaPIlQAJXEAH0Q8VWphuO1qI/9w
35+
8ZM3rDQmlZUZJoGznATEccgH6gC6TOnGbRlIqKDSob0doPzJHHKUxWDaqAZVGsgf
36+
gJsIJjscpbmD05t74gCVwOSCDTwoFAYAAGx+PlxqV3/xTsfEow+8L64i5j7GYPwc
37+
k9mh/NQD
38+
-----END CERTIFICATE-----
39+
-----BEGIN CERTIFICATE-----
40+
MIIDAjCCAeqgAwIBAgIIFpZtHpcc9cgwDQYJKoZIhvcNAQELBQAwJDEiMCAGA1UE
41+
AxMZQ291Y2hiYXNlIFNlcnZlciAxZDZjOWVjNjAeFw0xMzAxMDEwMDAwMDBaFw00
42+
OTEyMzEyMzU5NTlaMCQxIjAgBgNVBAMTGUNvdWNoYmFzZSBTZXJ2ZXIgMWQ2Yzll
43+
YzYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDagbxtpv/RTBOS3LEL
44+
yMJI4N1QPVmPyZfMR2XhOBQzzXpEWrIIoc5hW5hcCNnPs94hMgtrIK3o14//kRfS
45+
EjGqIbKepdruNvGgkXLeASlTc3aCh4vVdWMSrGNjIJTOqkeagA1vyKE4BU592oGC
46+
KhmMkAX/fJS2+aHgNMar9/4xqUic6eNScQhVSF9AbTt3c/87IHNDTPavatvbFllY
47+
X+H1J/yErUwj9SJBaqpJhU7zUmdo6v28gp4kvN4sIjd7FpFf0n2usRRdPMEOKEIK
48+
bA/Fu575oXs4/05AeP/ZG0xzU4kMOWIBxqejZ4hUFfQps7adQHaWD3BJVryNx04T
49+
O+KXAgMBAAGjODA2MA4GA1UdDwEB/wQEAwICpDATBgNVHSUEDDAKBggrBgEFBQcD
50+
ATAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQC7s5rYi+1QNJcH
51+
sYRcmSZ5Rv9u4YN1cUYZ8Gb+RdfX2IBJff+vf15iBf4N2XWnA+zCn/WCm8sgaZ1Y
52+
HP4Dn55aBIIfhOUdJ8bJL9eK9Ew9IQ4FrT1UkmDd/CqE4/pIwHamWfcpII20XnqE
53+
FPiymngFAkAMAaynzku/Lw9VmbaafiLBUvwx3aJzF3totNd6LdigAG5iH4Ir2fhb
54+
gtGoZ9ZuskKRJ8pGXu95DrJ6VJJQBwveUCYqHX+hx16iyMdsYZ/EObhbkXacEaBo
55+
xFptQ/XVtEO/zh0gqSnUD/dROeUG28zbDKdP4Q1b70XE87HKnjYDcpfwfyJwo0Xg
56+
FT2XIEXd
57+
-----END CERTIFICATE-----
58+
-----BEGIN CERTIFICATE-----
59+
MIIDAjCCAeqgAwIBAgIIFsmouG9qrMQwDQYJKoZIhvcNAQELBQAwJDEiMCAGA1UE
60+
AxMZQ291Y2hiYXNlIFNlcnZlciBmMjMzYmE0MzAeFw0xMzAxMDEwMDAwMDBaFw00
61+
OTEyMzEyMzU5NTlaMCQxIjAgBgNVBAMTGUNvdWNoYmFzZSBTZXJ2ZXIgZjIzM2Jh
62+
NDMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDRdb+uGSgCfkP2QYbe
63+
4OI45cxp67I+43s3rVeK3/EVNdmcVsost943DRN8wGGlAl3UNMY499vJ/P5rV1+N
64+
ALvsGGsgY9QuRUeiEPXFBsyQTA6kZOcCBhlUflPnZFH//OpwAgPBbU96BJRuIM/K
65+
1gIrmcBLB9x8WHTOYIwEqwnqE6uReEJxG5L4J7oFj8zvrWRvQD3tkQgNpMKCJGJn
66+
PleIxzzYA8VZ4XytE5O4rB/wFlGsPW4LDMAOLuZ6slpojFAEGbaxtHKtvwupMfgi
67+
yzRmsJrHzsWd4Gy9ualeB+7r9fktDvzaffid2SW+z1sdP/FzNhTiiKOg4JgX+CB5
68+
Zd+/AgMBAAGjODA2MA4GA1UdDwEB/wQEAwICpDATBgNVHSUEDDAKBggrBgEFBQcD
69+
ATAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQC+/tKhyohI3/Bg
70+
wBV3r9VoBkJ6j1r6oh6+ncx9Hu/DkJp7IYuwMcmzgXx7bYgTbjTpbB2rxUmwaTY7
71+
V9iJU6iW1xmdE00wGDYIqcUq+quGl9cf0aqJWMwoETPCAt7Gl35PeuOMgBZN1Bez
72+
Akh8ieoMJrOyL6bBP5j1zRMHdF+BhP5SKIIxriaPIlQAJXEAH0Q8VWphuO1qI/9w
73+
8ZM3rDQmlZUZJoGznATEccgH6gC6TOnGbRlIqKDSob0doPzJHHKUxWDaqAZVGsgf
74+
gJsIJjscpbmD05t74gCVwOSCDTwoFAYAAGx+PlxqV3/xTsfEow+8L64i5j7GYPwc
75+
k9mh/NQD
76+
-----END CERTIFICATE-----
77+
-----BEGIN CERTIFICATE-----
78+
MIIDAjCCAeqgAwIBAgIIFpZtHpcc9cgwDQYJKoZIhvcNAQELBQAwJDEiMCAGA1UE
79+
AxMZQ291Y2hiYXNlIFNlcnZlciAxZDZjOWVjNjAeFw0xMzAxMDEwMDAwMDBaFw00
80+
OTEyMzEyMzU5NTlaMCQxIjAgBgNVBAMTGUNvdWNoYmFzZSBTZXJ2ZXIgMWQ2Yzll
81+
YzYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDagbxtpv/RTBOS3LEL
82+
yMJI4N1QPVmPyZfMR2XhOBQzzXpEWrIIoc5hW5hcCNnPs94hMgtrIK3o14//kRfS
83+
EjGqIbKepdruNvGgkXLeASlTc3aCh4vVdWMSrGNjIJTOqkeagA1vyKE4BU592oGC
84+
KhmMkAX/fJS2+aHgNMar9/4xqUic6eNScQhVSF9AbTt3c/87IHNDTPavatvbFllY
85+
X+H1J/yErUwj9SJBaqpJhU7zUmdo6v28gp4kvN4sIjd7FpFf0n2usRRdPMEOKEIK
86+
bA/Fu575oXs4/05AeP/ZG0xzU4kMOWIBxqejZ4hUFfQps7adQHaWD3BJVryNx04T
87+
O+KXAgMBAAGjODA2MA4GA1UdDwEB/wQEAwICpDATBgNVHSUEDDAKBggrBgEFBQcD
88+
ATAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQC7s5rYi+1QNJcH
89+
sYRcmSZ5Rv9u4YN1cUYZ8Gb+RdfX2IBJff+vf15iBf4N2XWnA+zCn/WCm8sgaZ1Y
90+
HP4Dn55aBIIfhOUdJ8bJL9eK9Ew9IQ4FrT1UkmDd/CqE4/pIwHamWfcpII20XnqE
91+
FPiymngFAkAMAaynzku/Lw9VmbaafiLBUvwx3aJzF3totNd6LdigAG5iH4Ir2fhb
92+
gtGoZ9ZuskKRJ8pGXu95DrJ6VJJQBwveUCYqHX+hx16iyMdsYZ/EObhbkXacEaBo
93+
xFptQ/XVtEO/zh0gqSnUD/dROeUG28zbDKdP4Q1b70XE87HKnjYDcpfwfyJwo0Xg
94+
FT2XIEXd
95+
-----END CERTIFICATE-----
96+
-----BEGIN CERTIFICATE-----
97+
MIIDAjCCAeqgAwIBAgIIFsmouG9qrMQwDQYJKoZIhvcNAQELBQAwJDEiMCAGA1UE
98+
AxMZQ291Y2hiYXNlIFNlcnZlciBmMjMzYmE0MzAeFw0xMzAxMDEwMDAwMDBaFw00
99+
OTEyMzEyMzU5NTlaMCQxIjAgBgNVBAMTGUNvdWNoYmFzZSBTZXJ2ZXIgZjIzM2Jh
100+
NDMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDRdb+uGSgCfkP2QYbe
101+
4OI45cxp67I+43s3rVeK3/EVNdmcVsost943DRN8wGGlAl3UNMY499vJ/P5rV1+N
102+
ALvsGGsgY9QuRUeiEPXFBsyQTA6kZOcCBhlUflPnZFH//OpwAgPBbU96BJRuIM/K
103+
1gIrmcBLB9x8WHTOYIwEqwnqE6uReEJxG5L4J7oFj8zvrWRvQD3tkQgNpMKCJGJn
104+
PleIxzzYA8VZ4XytE5O4rB/wFlGsPW4LDMAOLuZ6slpojFAEGbaxtHKtvwupMfgi
105+
yzRmsJrHzsWd4Gy9ualeB+7r9fktDvzaffid2SW+z1sdP/FzNhTiiKOg4JgX+CB5
106+
Zd+/AgMBAAGjODA2MA4GA1UdDwEB/wQEAwICpDATBgNVHSUEDDAKBggrBgEFBQcD
107+
ATAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQC+/tKhyohI3/Bg
108+
wBV3r9VoBkJ6j1r6oh6+ncx9Hu/DkJp7IYuwMcmzgXx7bYgTbjTpbB2rxUmwaTY7
109+
V9iJU6iW1xmdE00wGDYIqcUq+quGl9cf0aqJWMwoETPCAt7Gl35PeuOMgBZN1Bez
110+
Akh8ieoMJrOyL6bBP5j1zRMHdF+BhP5SKIIxriaPIlQAJXEAH0Q8VWphuO1qI/9w
111+
8ZM3rDQmlZUZJoGznATEccgH6gC6TOnGbRlIqKDSob0doPzJHHKUxWDaqAZVGsgf
112+
gJsIJjscpbmD05t74gCVwOSCDTwoFAYAAGx+PlxqV3/xTsfEow+8L64i5j7GYPwc
113+
k9mh/NQD
114+
-----END CERTIFICATE-----
