From de86092917c09a1c727df6c9d5e5502ac3c4b9b1 Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Fri, 15 Mar 2024 14:04:47 -0400 Subject: [PATCH 1/2] fix(jmxauth): tolerate JMX auth failures at discovery, re-attempt if new matching Credentials added --- src/main/java/io/cryostat/targets/Target.java | 6 +-- .../java/io/cryostat/targets/Targets.java | 44 +++++++++++++++++++ 2 files changed, 45 insertions(+), 5 deletions(-) diff --git a/src/main/java/io/cryostat/targets/Target.java b/src/main/java/io/cryostat/targets/Target.java index 6906ad945..9060cbfad 100644 --- a/src/main/java/io/cryostat/targets/Target.java +++ b/src/main/java/io/cryostat/targets/Target.java @@ -244,11 +244,7 @@ void prePersist(Target target) throws JvmIdException { .await() .atMost(Duration.ofSeconds(10)); } catch (Exception e) { - // TODO tolerate this in the condition that the connection failed because of JMX - // auth. In that instance then persist the entity with a null jvmId, but listen for - // new Credentials and test them against any targets with null jvmIds to see if we - // can populate them. - throw new JvmIdException(e); + logger.info(e); } } diff --git a/src/main/java/io/cryostat/targets/Targets.java b/src/main/java/io/cryostat/targets/Targets.java index e7db592a9..284450f1a 100644 --- a/src/main/java/io/cryostat/targets/Targets.java +++ b/src/main/java/io/cryostat/targets/Targets.java @@ -16,18 +16,62 @@ package io.cryostat.targets; import java.net.URI; +import java.time.Duration; import java.util.List; +import java.util.Optional; +import io.cryostat.credentials.Credential; +import io.cryostat.expressions.MatchExpressionEvaluator; + +import io.quarkus.vertx.ConsumeEvent; import jakarta.annotation.security.RolesAllowed; +import jakarta.inject.Inject; +import jakarta.transaction.Transactional; import jakarta.ws.rs.GET; import jakarta.ws.rs.Path; import jakarta.ws.rs.core.Response; +import org.jboss.logging.Logger; import org.jboss.resteasy.reactive.RestPath; import org.jboss.resteasy.reactive.RestResponse; +import org.projectnessie.cel.tools.ScriptException; @Path("") public class Targets { + @Inject MatchExpressionEvaluator matchExpressionEvaluator; + @Inject TargetConnectionManager connectionManager; + @Inject Logger logger; + + @ConsumeEvent(value = Credential.CREDENTIALS_STORED, blocking = true) + @Transactional + void updateCredential(Credential credential) { + Target.find("jvmId", (String) null) + .list() + .forEach( + t -> { + try { + if (matchExpressionEvaluator.applies( + credential.matchExpression, t)) { + t.jvmId = + connectionManager + .executeDirect( + t, + Optional.empty(), + conn -> + conn.getJvmIdentifier() + .getHash()) + .await() + .atMost(Duration.ofSeconds(10)); + t.persist(); + } + } catch (ScriptException e) { + logger.error(e); + } catch (Exception e) { + logger.warn(e); + } + }); + } + @GET @Path("/api/v1/targets") @RolesAllowed("read") From b58e36416508d024134c9e5697d65397ddbdede6 Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Fri, 15 Mar 2024 13:47:25 -0400 Subject: [PATCH 2/2] JSON request filter allows ids in matchexpressions --- src/main/java/io/cryostat/JsonRequestFilter.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/main/java/io/cryostat/JsonRequestFilter.java b/src/main/java/io/cryostat/JsonRequestFilter.java index b2308e9df..a63ee9d67 100644 --- a/src/main/java/io/cryostat/JsonRequestFilter.java +++ b/src/main/java/io/cryostat/JsonRequestFilter.java @@ -33,7 +33,8 @@ public class JsonRequestFilter implements ContainerRequestFilter { static final Set disallowedFields = Set.of("id"); - static final Set allowedPaths = Set.of("/api/v2.2/discovery"); + static final Set allowedPaths = + Set.of("/api/v2.2/discovery", "/api/beta/matchexpressions"); private final ObjectMapper objectMapper = new ObjectMapper();