Polish "Add SslInfoContributor and SslHealthIndicator"

See gh-41205

Author: mhalbritter

spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/info/InfoContributorAutoConfiguration.java

@@ -107,14 +107,14 @@ public ProcessInfoContributor processInfoContributor() {
 	@Bean
 	@ConditionalOnEnabledInfoContributor(value = "ssl", fallback = InfoContributorFallback.DISABLE)
 	@Order(DEFAULT_ORDER)
-	public SslInfoContributor sslInfoContributor(SslInfo sslInfo) {
+	SslInfoContributor sslInfoContributor(SslInfo sslInfo) {
 		return new SslInfoContributor(sslInfo);
 	}
 
 	@Bean
 	@ConditionalOnMissingBean
 	@ConditionalOnEnabledInfoContributor(value = "ssl", fallback = InfoContributorFallback.DISABLE)
-	public SslInfo sslInfo(SslBundles sslBundles, SslHealthIndicatorProperties sslHealthIndicatorProperties) {
+	SslInfo sslInfo(SslBundles sslBundles, SslHealthIndicatorProperties sslHealthIndicatorProperties) {
 		return new SslInfo(sslBundles, sslHealthIndicatorProperties.getCertificateValidityWarningThreshold());
 	}
 

spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/ssl/SslHealthContributorAutoConfiguration.java

@@ -40,13 +40,13 @@ public class SslHealthContributorAutoConfiguration {
 
 	@Bean
 	@ConditionalOnMissingBean(name = "sslHealthIndicator")
-	public SslHealthIndicator sslHealthIndicator(SslInfo sslInfo) {
+	SslHealthIndicator sslHealthIndicator(SslInfo sslInfo) {
 		return new SslHealthIndicator(sslInfo);
 	}
 
 	@Bean
 	@ConditionalOnMissingBean
-	public SslInfo sslInfo(SslBundles sslBundles, SslHealthIndicatorProperties sslHealthIndicatorProperties) {
+	SslInfo sslInfo(SslBundles sslBundles, SslHealthIndicatorProperties sslHealthIndicatorProperties) {
 		return new SslInfo(sslBundles, sslHealthIndicatorProperties.getCertificateValidityWarningThreshold());
 	}
 

spring-boot-project/spring-boot-actuator-autoconfigure/src/main/resources/META-INF/additional-spring-configuration-metadata.json

@@ -227,12 +227,6 @@
       "description": "Whether to enable Redis health check.",
       "defaultValue": true
     },
-    {
-      "name": "management.health.ssl.certificate-validity-warning-threshold",
-      "type": "java.time.Duration",
-      "description": "If an SSL Certificate will be invalid within the time span defined by this threshold, it should trigger a warning.",
-      "defaultValue": "14d"
-    },
     {
       "name": "management.health.ssl.enabled",
       "type": "java.lang.Boolean",

spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/ssl/SslHealthContributorAutoConfigurationTests.java

@@ -39,6 +39,8 @@
 
 /**
  * Tests for {@link SslHealthContributorAutoConfiguration}.
+ *
+ * @author Jonatan Ivanov
  */
 class SslHealthContributorAutoConfigurationTests {
 
@@ -56,24 +58,21 @@ void beansShouldNotBeConfigured() {
 	}
 
 	@Test
-	@SuppressWarnings("unchecked")
 	void beansShouldBeConfigured() {
 		this.contextRunner.run((context) -> {
 			assertThat(context).hasSingleBean(SslHealthIndicator.class);
 			assertThat(context).hasSingleBean(SslInfo.class);
 			Health health = context.getBean(SslHealthIndicator.class).health();
 			assertThat(health.getStatus()).isSameAs(Status.OUT_OF_SERVICE);
-			assertThat(health.getDetails()).hasSize(1);
-			List<CertificateChain> certificateChains = (List<CertificateChain>) health.getDetails()
-				.get("certificateChains");
-			assertThat(certificateChains).hasSize(1);
-			assertThat(certificateChains.get(0)).isInstanceOf(CertificateChain.class);
+			assertDetailsKeys(health);
+			List<CertificateChain> invalidChains = getInvalidChains(health);
+			assertThat(invalidChains).hasSize(1);
+			assertThat(invalidChains).first().isInstanceOf(CertificateChain.class);
 
 		});
 	}
 
 	@Test
-	@SuppressWarnings("unchecked")
 	void beansShouldBeConfiguredWithWarningThreshold() {
 		this.contextRunner.withPropertyValues("management.health.ssl.certificate-validity-warning-threshold=1d")
 			.run((context) -> {
@@ -84,16 +83,14 @@ void beansShouldBeConfiguredWithWarningThreshold() {
 					.isEqualTo(Duration.ofDays(1));
 				Health health = context.getBean(SslHealthIndicator.class).health();
 				assertThat(health.getStatus()).isSameAs(Status.OUT_OF_SERVICE);
-				assertThat(health.getDetails()).hasSize(1);
-				List<CertificateChain> certificateChains = (List<CertificateChain>) health.getDetails()
-					.get("certificateChains");
-				assertThat(certificateChains).hasSize(1);
-				assertThat(certificateChains.get(0)).isInstanceOf(CertificateChain.class);
+				assertDetailsKeys(health);
+				List<CertificateChain> invalidChains = getInvalidChains(health);
+				assertThat(invalidChains).hasSize(1);
+				assertThat(invalidChains).first().isInstanceOf(CertificateChain.class);
 			});
 	}
 
 	@Test
-	@SuppressWarnings("unchecked")
 	void customBeansShouldBeConfigured() {
 		this.contextRunner.withUserConfiguration(CustomSslInfoConfiguration.class).run((context) -> {
 			assertThat(context).hasSingleBean(SslHealthIndicator.class);
@@ -103,14 +100,22 @@ void customBeansShouldBeConfigured() {
 			assertThat(context.getBean(SslInfo.class)).isSameAs(context.getBean("customSslInfo"));
 			Health health = context.getBean(SslHealthIndicator.class).health();
 			assertThat(health.getStatus()).isSameAs(Status.OUT_OF_SERVICE);
-			assertThat(health.getDetails()).hasSize(1);
-			List<CertificateChain> certificateChains = (List<CertificateChain>) health.getDetails()
-				.get("certificateChains");
-			assertThat(certificateChains).hasSize(1);
-			assertThat(certificateChains.get(0)).isInstanceOf(CertificateChain.class);
+			assertDetailsKeys(health);
+			List<CertificateChain> invalidChains = getInvalidChains(health);
+			assertThat(invalidChains).hasSize(1);
+			assertThat(invalidChains).first().isInstanceOf(CertificateChain.class);
 		});
 	}
 
+	private static void assertDetailsKeys(Health health) {
+		assertThat(health.getDetails()).containsOnlyKeys("validChains", "invalidChains");
+	}
+
+	@SuppressWarnings("unchecked")
+	private static List<CertificateChain> getInvalidChains(Health health) {
+		return (List<CertificateChain>) health.getDetails().get("invalidChains");
+	}
+
 	@Configuration(proxyBeanMethods = false)
 	static class CustomSslInfoConfiguration {
 

spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/ssl/SslHealthIndicator.java

@@ -17,21 +17,17 @@
 package org.springframework.boot.actuate.ssl;
 
 import java.util.List;
-import java.util.Set;
-import java.util.stream.Collectors;
 
 import org.springframework.boot.actuate.health.AbstractHealthIndicator;
 import org.springframework.boot.actuate.health.Health.Builder;
 import org.springframework.boot.actuate.health.HealthIndicator;
 import org.springframework.boot.actuate.health.Status;
 import org.springframework.boot.info.SslInfo;
 import org.springframework.boot.info.SslInfo.CertificateChain;
-import org.springframework.boot.info.SslInfo.CertificateInfo.Validity;
 
 /**
  * {@link HealthIndicator} that checks the certificates the application uses and reports
- * {@link Status#OUT_OF_SERVICE} when a certificate is invalid or "WILL_EXPIRE_SOON" if it
- * will expire within the configurable threshold.
+ * {@link Status#OUT_OF_SERVICE} when a certificate is invalid.
  *
  * @author Jonatan Ivanov
  * @since 3.4.0
@@ -46,43 +42,38 @@ public SslHealthIndicator(SslInfo sslInfo) {
 
 	@Override
 	protected void doHealthCheck(Builder builder) throws Exception {
-		List<CertificateChain> notValidCertificateChains = this.sslInfo.getBundles()
+		List<CertificateChain> certificateChains = this.sslInfo.getBundles()
 			.stream()
 			.flatMap((bundle) -> bundle.getCertificateChains().stream())
-			.filter(this::containsNotValidCertificate)
 			.toList();
-
-		if (notValidCertificateChains.isEmpty()) {
+		List<CertificateChain> validCertificateChains = certificateChains.stream()
+			.filter(this::containsOnlyValidCertificates)
+			.toList();
+		List<CertificateChain> invalidCertificateChains = certificateChains.stream()
+			.filter(this::containsInvalidCertificate)
+			.toList();
+		builder.withDetail("validChains", validCertificateChains);
+		builder.withDetail("invalidChains", invalidCertificateChains);
+		if (invalidCertificateChains.isEmpty()) {
 			builder.status(Status.UP);
 		}
 		else {
-			Set<Validity.Status> statuses = collectCertificateStatuses(notValidCertificateChains);
-			if (statuses.contains(Validity.Status.EXPIRED) || statuses.contains(Validity.Status.NOT_YET_VALID)) {
-				builder.status(Status.OUT_OF_SERVICE);
-			}
-			else if (statuses.contains(Validity.Status.WILL_EXPIRE_SOON)) {
-				builder.status(Status.UP);
-			}
-			else {
-				builder.status(Status.OUT_OF_SERVICE);
-			}
-			builder.withDetail("certificateChains", notValidCertificateChains);
+			builder.status(Status.OUT_OF_SERVICE);
 		}
 	}
 
-	private boolean containsNotValidCertificate(CertificateChain certificateChain) {
+	private boolean containsOnlyValidCertificates(CertificateChain certificateChain) {
 		return certificateChain.getCertificates()
 			.stream()
 			.filter((certificate) -> certificate.getValidity() != null)
-			.anyMatch((certificate) -> certificate.getValidity().getStatus() != Validity.Status.VALID);
+			.allMatch((certificate) -> certificate.getValidity().getStatus().isValid());
 	}
 
-	private Set<Validity.Status> collectCertificateStatuses(List<CertificateChain> certificateChains) {
-		return certificateChains.stream()
-			.flatMap((certificateChain) -> certificateChain.getCertificates().stream())
+	private boolean containsInvalidCertificate(CertificateChain certificateChain) {
+		return certificateChain.getCertificates()
+			.stream()
 			.filter((certificate) -> certificate.getValidity() != null)
-			.map((certificate) -> certificate.getValidity().getStatus())
-			.collect(Collectors.toUnmodifiableSet());
+			.anyMatch((certificate) -> !certificate.getValidity().getStatus().isValid());
 	}
 
 }

spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/ssl/SslHealthIndicatorTests.java

@@ -66,59 +66,66 @@ void shouldBeUpIfNoSslIssuesDetected() {
 		given(this.validity.getStatus()).willReturn(Validity.Status.VALID);
 		Health health = this.healthIndicator.health();
 		assertThat(health.getStatus()).isEqualTo(Status.UP);
-		assertThat(health.getDetails()).isEmpty();
+		assertDetailsKeys(health);
+		List<CertificateChain> validChains = getValidChains(health);
+		assertThat(validChains).hasSize(1);
+		assertThat(validChains.get(0)).isInstanceOf(CertificateChain.class);
+		List<CertificateChain> invalidChains = getInvalidChains(health);
+		assertThat(invalidChains).isEmpty();
 	}
 
 	@Test
-	@SuppressWarnings("unchecked")
 	void shouldBeOutOfServiceIfACertificateIsExpired() {
 		given(this.validity.getStatus()).willReturn(Validity.Status.EXPIRED);
 		Health health = this.healthIndicator.health();
 		assertThat(health.getStatus()).isEqualTo(Status.OUT_OF_SERVICE);
-		assertThat(health.getDetails()).hasSize(1);
-		List<CertificateChain> certificateChains = (List<CertificateChain>) health.getDetails()
-			.get("certificateChains");
-		assertThat(certificateChains).hasSize(1);
-		assertThat(certificateChains.get(0)).isInstanceOf(CertificateChain.class);
+		assertDetailsKeys(health);
+		List<CertificateChain> validChains = getValidChains(health);
+		assertThat(validChains).isEmpty();
+		List<CertificateChain> invalidChains = getInvalidChains(health);
+		assertThat(invalidChains).hasSize(1);
+		assertThat(invalidChains.get(0)).isInstanceOf(CertificateChain.class);
 	}
 
 	@Test
-	@SuppressWarnings("unchecked")
 	void shouldBeOutOfServiceIfACertificateIsNotYetValid() {
 		given(this.validity.getStatus()).willReturn(Validity.Status.NOT_YET_VALID);
 		Health health = this.healthIndicator.health();
 		assertThat(health.getStatus()).isEqualTo(Status.OUT_OF_SERVICE);
-		assertThat(health.getDetails()).hasSize(1);
-		List<CertificateChain> certificateChains = (List<CertificateChain>) health.getDetails()
-			.get("certificateChains");
-		assertThat(certificateChains).hasSize(1);
-		assertThat(certificateChains.get(0)).isInstanceOf(CertificateChain.class);
+		assertDetailsKeys(health);
+		List<CertificateChain> validChains = getValidChains(health);
+		assertThat(validChains).isEmpty();
+		List<CertificateChain> invalidChains = getInvalidChains(health);
+		assertThat(invalidChains).hasSize(1);
+		assertThat(invalidChains.get(0)).isInstanceOf(CertificateChain.class);
+
 	}
 
 	@Test
-	@SuppressWarnings("unchecked")
 	void shouldReportWarningIfACertificateWillExpireSoon() {
 		given(this.validity.getStatus()).willReturn(Validity.Status.WILL_EXPIRE_SOON);
 		Health health = this.healthIndicator.health();
 		assertThat(health.getStatus()).isEqualTo(Status.UP);
-		assertThat(health.getDetails()).hasSize(1);
-		List<CertificateChain> certificateChains = (List<CertificateChain>) health.getDetails()
-			.get("certificateChains");
-		assertThat(certificateChains).hasSize(1);
-		assertThat(certificateChains.get(0)).isInstanceOf(CertificateChain.class);
+		assertDetailsKeys(health);
+		List<CertificateChain> validChains = getValidChains(health);
+		assertThat(validChains).hasSize(1);
+		assertThat(validChains.get(0)).isInstanceOf(CertificateChain.class);
+		List<CertificateChain> invalidChains = getInvalidChains(health);
+		assertThat(invalidChains).isEmpty();
+	}
+
+	private static void assertDetailsKeys(Health health) {
+		assertThat(health.getDetails()).containsOnlyKeys("validChains", "invalidChains");
 	}
 
-	@Test
 	@SuppressWarnings("unchecked")
-	void shouldBeOutOfServiceIfACertificateHasUnMappedValidityStatus() {
-		given(this.validity.getStatus()).willReturn(mock(Validity.Status.class));
-		Health health = this.healthIndicator.health();
-		assertThat(health.getStatus()).isEqualTo(Status.OUT_OF_SERVICE);
-		assertThat(health.getDetails()).hasSize(1);
-		List<CertificateChain> certificateChains = (List<CertificateChain>) health.getDetails()
-			.get("certificateChains");
-		assertThat(certificateChains).hasSize(1);
-		assertThat(certificateChains.get(0)).isInstanceOf(CertificateChain.class);
+	private static List<CertificateChain> getInvalidChains(Health health) {
+		return (List<CertificateChain>) health.getDetails().get("invalidChains");
+	}
+
+	@SuppressWarnings("unchecked")
+	private static List<CertificateChain> getValidChains(Health health) {
+		return (List<CertificateChain>) health.getDetails().get("validChains");
 	}
 
 }

spring-boot-project/spring-boot-docs/src/docs/antora/modules/reference/pages/actuator/endpoints.adoc

@@ -651,12 +651,14 @@ with the `key` listed in the following table:
 
 | `ssl`
 | javadoc:org.springframework.boot.actuate.ssl.SslHealthIndicator[]
-| Checks that SSL Cerificates are ok.
+| Checks that SSL Certificates are ok.
 |===
 
 TIP: You can disable them all by setting the configprop:management.health.defaults.enabled[] property.
 
-TIP: The `ssl` `HealthIndicator` has a "warning threshold" property. If an SSL Certificate will be invalid within the time span defined by this threshold, the `HealthIndicator` will warn you but it will still return HTTP 200 to not disrupt the application. You can use this threshold to give yourself enough lead time to rotate the soon to be expired certificate. See the `management.health.ssl.certificate-validity-warning-threshold` property.
+TIP: The `ssl` `HealthIndicator` has a "warning threshold" property named configprop:management.health.ssl.certificate-validity-warning-threshold[].
+If an SSL Certificate will be invalid within the time span defined by this threshold, the `HealthIndicator` will warn you but it will still return HTTP 200 to not disrupt the application.
+You can use this threshold to give yourself enough lead time to rotate the soon to be expired certificate.
 
 
 

spring-boot-project/spring-boot/src/main/java/org/springframework/boot/info/SslInfo.java

@@ -216,23 +216,33 @@ public enum Status {
 				/**
 				 * The certificate is valid.
 				 */
-				VALID,
+				VALID(true),
 
 				/**
 				 * The certificate's validity date range is in the future.
 				 */
-				NOT_YET_VALID,
+				NOT_YET_VALID(false),
 
 				/**
 				 * The certificate's validity date range is in the past.
 				 */
-				EXPIRED,
+				EXPIRED(false),
 
 				/**
-				 * The certificate is still valid but the end of its validity date range
+				 * The certificate is still valid, but the end of its validity date range
 				 * is within the defined threshold.
 				 */
-				WILL_EXPIRE_SOON
+				WILL_EXPIRE_SOON(true);
+
+				private final boolean valid;
+
+				Status(boolean valid) {
+					this.valid = valid;
+				}
+
+				public boolean isValid() {
+					return this.valid;
+				}
 
 			}