Show the whole cert chain in SslHealthIndicator

Author: jonatan-ivanov

spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/ssl/SslHealthContributorAutoConfigurationTests.java

@@ -29,7 +29,7 @@
 import org.springframework.boot.autoconfigure.AutoConfigurations;
 import org.springframework.boot.autoconfigure.ssl.SslAutoConfiguration;
 import org.springframework.boot.info.SslInfo;
-import org.springframework.boot.info.SslInfo.CertificateInfo;
+import org.springframework.boot.info.SslInfo.CertificateChain;
 import org.springframework.boot.ssl.SslBundles;
 import org.springframework.boot.test.context.runner.ApplicationContextRunner;
 import org.springframework.context.annotation.Bean;
@@ -64,9 +64,11 @@ void beansShouldBeConfigured() {
 			Health health = context.getBean(SslHealthIndicator.class).health();
 			assertThat(health.getStatus()).isSameAs(Status.OUT_OF_SERVICE);
 			assertThat(health.getDetails()).hasSize(1);
-			List<CertificateInfo> certificates = (List<CertificateInfo>) health.getDetails().get("certificates");
-			assertThat(certificates).hasSize(1);
-			assertThat(certificates.get(0)).isInstanceOf(CertificateInfo.class);
+			List<CertificateChain> certificateChains = (List<CertificateChain>) health.getDetails()
+				.get("certificateChains");
+			assertThat(certificateChains).hasSize(1);
+			assertThat(certificateChains.get(0)).isInstanceOf(CertificateChain.class);
+
 		});
 	}
 
@@ -83,9 +85,10 @@ void beansShouldBeConfiguredWithWarningThreshold() {
 				Health health = context.getBean(SslHealthIndicator.class).health();
 				assertThat(health.getStatus()).isSameAs(Status.OUT_OF_SERVICE);
 				assertThat(health.getDetails()).hasSize(1);
-				List<CertificateInfo> certificates = (List<CertificateInfo>) health.getDetails().get("certificates");
-				assertThat(certificates).hasSize(1);
-				assertThat(certificates.get(0)).isInstanceOf(CertificateInfo.class);
+				List<CertificateChain> certificateChains = (List<CertificateChain>) health.getDetails()
+					.get("certificateChains");
+				assertThat(certificateChains).hasSize(1);
+				assertThat(certificateChains.get(0)).isInstanceOf(CertificateChain.class);
 			});
 	}
 
@@ -101,9 +104,10 @@ void customBeansShouldBeConfigured() {
 			Health health = context.getBean(SslHealthIndicator.class).health();
 			assertThat(health.getStatus()).isSameAs(Status.OUT_OF_SERVICE);
 			assertThat(health.getDetails()).hasSize(1);
-			List<CertificateInfo> certificates = (List<CertificateInfo>) health.getDetails().get("certificates");
-			assertThat(certificates).hasSize(1);
-			assertThat(certificates.get(0)).isInstanceOf(CertificateInfo.class);
+			List<CertificateChain> certificateChains = (List<CertificateChain>) health.getDetails()
+				.get("certificateChains");
+			assertThat(certificateChains).hasSize(1);
+			assertThat(certificateChains.get(0)).isInstanceOf(CertificateChain.class);
 		});
 	}
 

spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/ssl/SslHealthIndicator.java

@@ -25,7 +25,7 @@
 import org.springframework.boot.actuate.health.HealthIndicator;
 import org.springframework.boot.actuate.health.Status;
 import org.springframework.boot.info.SslInfo;
-import org.springframework.boot.info.SslInfo.CertificateInfo;
+import org.springframework.boot.info.SslInfo.CertificateChain;
 import org.springframework.boot.info.SslInfo.CertificateInfo.Validity;
 
 /**
@@ -38,9 +38,6 @@
  */
 public class SslHealthIndicator extends AbstractHealthIndicator {
 
-	private static final Status WILL_EXPIRE_SOON_STATUS = new Status(Validity.Status.WILL_EXPIRE_SOON.name(),
-			"One of the certificates will expire within the defined threshold.");
-
 	private final SslInfo sslInfo;
 
 	public SslHealthIndicator(SslInfo sslInfo) {
@@ -49,32 +46,43 @@ public SslHealthIndicator(SslInfo sslInfo) {
 
 	@Override
 	protected void doHealthCheck(Builder builder) throws Exception {
-		List<CertificateInfo> notValidCertificates = this.sslInfo.getBundles()
+		List<CertificateChain> notValidCertificateChains = this.sslInfo.getBundles()
 			.stream()
 			.flatMap((bundle) -> bundle.getCertificateChains().stream())
-			.flatMap((certificateChain) -> certificateChain.getCertificates().stream())
-			.filter((certificate) -> certificate.getValidity() != null)
-			.filter((certificate) -> certificate.getValidity().getStatus() != Validity.Status.VALID)
+			.filter(this::containsNotValidCertificate)
 			.toList();
 
-		if (notValidCertificates.isEmpty()) {
+		if (notValidCertificateChains.isEmpty()) {
 			builder.status(Status.UP);
 		}
 		else {
-			Set<Validity.Status> statuses = notValidCertificates.stream()
-				.map((certificate) -> certificate.getValidity().getStatus())
-				.collect(Collectors.toUnmodifiableSet());
+			Set<Validity.Status> statuses = collectCertificateStatuses(notValidCertificateChains);
 			if (statuses.contains(Validity.Status.EXPIRED) || statuses.contains(Validity.Status.NOT_YET_VALID)) {
 				builder.status(Status.OUT_OF_SERVICE);
 			}
 			else if (statuses.contains(Validity.Status.WILL_EXPIRE_SOON)) {
-				builder.status(WILL_EXPIRE_SOON_STATUS);
+				builder.status(new Status("WARNING"));
 			}
 			else {
 				builder.status(Status.OUT_OF_SERVICE);
 			}
-			builder.withDetail("certificates", notValidCertificates);
+			builder.withDetail("certificateChains", notValidCertificateChains);
 		}
 	}
 
+	private boolean containsNotValidCertificate(CertificateChain certificateChain) {
+		return certificateChain.getCertificates()
+			.stream()
+			.filter((certificate) -> certificate.getValidity() != null)
+			.anyMatch((certificate) -> certificate.getValidity().getStatus() != Validity.Status.VALID);
+	}
+
+	private Set<Validity.Status> collectCertificateStatuses(List<CertificateChain> certificateChains) {
+		return certificateChains.stream()
+			.flatMap((certificateChain) -> certificateChain.getCertificates().stream())
+			.filter((certificate) -> certificate.getValidity() != null)
+			.map((certificate) -> certificate.getValidity().getStatus())
+			.collect(Collectors.toUnmodifiableSet());
+	}
+
 }

spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/ssl/SslHealthIndicatorTests.java

@@ -76,9 +76,10 @@ void shouldBeOutOfServiceIfACertificateIsExpired() {
 		Health health = this.healthIndicator.health();
 		assertThat(health.getStatus()).isEqualTo(Status.OUT_OF_SERVICE);
 		assertThat(health.getDetails()).hasSize(1);
-		List<CertificateInfo> certificates = (List<CertificateInfo>) health.getDetails().get("certificates");
-		assertThat(certificates).hasSize(1);
-		assertThat(certificates.get(0)).isInstanceOf(CertificateInfo.class);
+		List<CertificateChain> certificateChains = (List<CertificateChain>) health.getDetails()
+			.get("certificateChains");
+		assertThat(certificateChains).hasSize(1);
+		assertThat(certificateChains.get(0)).isInstanceOf(CertificateChain.class);
 	}
 
 	@Test
@@ -88,21 +89,23 @@ void shouldBeOutOfServiceIfACertificateIsNotYetValid() {
 		Health health = this.healthIndicator.health();
 		assertThat(health.getStatus()).isEqualTo(Status.OUT_OF_SERVICE);
 		assertThat(health.getDetails()).hasSize(1);
-		List<CertificateInfo> certificates = (List<CertificateInfo>) health.getDetails().get("certificates");
-		assertThat(certificates).hasSize(1);
-		assertThat(certificates.get(0)).isInstanceOf(CertificateInfo.class);
+		List<CertificateChain> certificateChains = (List<CertificateChain>) health.getDetails()
+			.get("certificateChains");
+		assertThat(certificateChains).hasSize(1);
+		assertThat(certificateChains.get(0)).isInstanceOf(CertificateChain.class);
 	}
 
 	@Test
 	@SuppressWarnings("unchecked")
-	void shouldReportWillExpireSoonIfACertificateWillExpireSoon() {
+	void shouldReportWarningIfACertificateWillExpireSoon() {
 		given(this.validity.getStatus()).willReturn(Validity.Status.WILL_EXPIRE_SOON);
 		Health health = this.healthIndicator.health();
-		assertThat(health.getStatus()).isEqualTo(new Status(Validity.Status.WILL_EXPIRE_SOON.name()));
+		assertThat(health.getStatus()).isEqualTo(new Status("WARNING"));
 		assertThat(health.getDetails()).hasSize(1);
-		List<CertificateInfo> certificates = (List<CertificateInfo>) health.getDetails().get("certificates");
-		assertThat(certificates).hasSize(1);
-		assertThat(certificates.get(0)).isInstanceOf(CertificateInfo.class);
+		List<CertificateChain> certificateChains = (List<CertificateChain>) health.getDetails()
+			.get("certificateChains");
+		assertThat(certificateChains).hasSize(1);
+		assertThat(certificateChains.get(0)).isInstanceOf(CertificateChain.class);
 	}
 
 	@Test
@@ -112,9 +115,10 @@ void shouldBeOutOfServiceIfACertificateHasUnMappedValidityStatus() {
 		Health health = this.healthIndicator.health();
 		assertThat(health.getStatus()).isEqualTo(Status.OUT_OF_SERVICE);
 		assertThat(health.getDetails()).hasSize(1);
-		List<CertificateInfo> certificates = (List<CertificateInfo>) health.getDetails().get("certificates");
-		assertThat(certificates).hasSize(1);
-		assertThat(certificates.get(0)).isInstanceOf(CertificateInfo.class);
+		List<CertificateChain> certificateChains = (List<CertificateChain>) health.getDetails()
+			.get("certificateChains");
+		assertThat(certificateChains).hasSize(1);
+		assertThat(certificateChains.get(0)).isInstanceOf(CertificateChain.class);
 	}
 
 }

spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-tomcat-ssl/src/test/java/smoketest/tomcat/ssl/SampleTomcatSslApplicationTests.java

@@ -64,6 +64,7 @@ void testSslHealth() {
 		ResponseEntity<String> entity = this.restTemplate.getForEntity("/actuator/health", String.class);
 		assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.SERVICE_UNAVAILABLE);
 		assertThat(entity.getBody()).contains("\"status\":\"OUT_OF_SERVICE\"")
+			.contains("\"alias\":\"spring-boot-ssl-sample\"")
 			.contains("\"status\":\"EXPIRED\"")
 			.contains("\"subject\":\"CN=localhost,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown\"");
 	}