feat(elasticsearch): add SSL options for Elasticsearch configuration (#7450)

hotfix31 · soyuka · web-flow · commit 8c2760668b14 · 2025-10-24T12:03:52.000+02:00
Co-authored-by: Antoine Bluchet &lt;soyuka@users.noreply.github.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,7 @@
 
 ### Features
 
+* [21aa2572d](https://github.com/api-platform/core/commit/21aa2572d8fef2b3f05f7307c51348a6c9767e45) feat(elasticsearch): add SSL options for Elasticsearch configuration (#4059)
 * [ba0c76c](https://github.com/api-platform/core/commit/ba0c76c6f5c8afa8622e87a155b8b99f453d6453) feat(doctrine): remove put & path for readonly entity (#7019)
 
 ## v4.2.2
diff --git a/src/Symfony/Bundle/DependencyInjection/ApiPlatformExtension.php b/src/Symfony/Bundle/DependencyInjection/ApiPlatformExtension.php
@@ -907,6 +907,8 @@ private function registerElasticsearchConfiguration(ContainerBuilder $container,
         $container->registerForAutoconfiguration(RequestBodySearchCollectionExtensionInterface::class)
             ->addTag('api_platform.elasticsearch.request_body_search_extension.collection');
         $container->setParameter('api_platform.elasticsearch.hosts', $config['elasticsearch']['hosts']);
+        $container->setParameter('api_platform.elasticsearch.ssl_ca_bundle', $config['elasticsearch']['ssl_ca_bundle']);
+        $container->setParameter('api_platform.elasticsearch.ssl_verification', $config['elasticsearch']['ssl_verification']);
         $loader->load('elasticsearch.php');
     }
 
diff --git a/src/Symfony/Bundle/DependencyInjection/Compiler/ElasticsearchClientPass.php b/src/Symfony/Bundle/DependencyInjection/Compiler/ElasticsearchClientPass.php
@@ -56,6 +56,14 @@ public function process(ContainerBuilder $container): void
             }
         }
 
+        if ($sslCaBundle = $container->getParameter('api_platform.elasticsearch.ssl_ca_bundle')) {
+            $clientConfiguration['CABundle'] = $sslCaBundle;
+        }
+
+        if (false === $container->getParameter('api_platform.elasticsearch.ssl_verification')) {
+            $clientConfiguration['SSLVerification'] = false;
+        }
+
         $clientDefinition = $container->getDefinition('api_platform.elasticsearch.client');
 
         if (!$clientConfiguration) {
diff --git a/src/Symfony/Bundle/DependencyInjection/Configuration.php b/src/Symfony/Bundle/DependencyInjection/Configuration.php
@@ -473,6 +473,10 @@ private function addElasticsearchSection(ArrayNodeDefinition $rootNode): void
                 ->arrayNode('elasticsearch')
                     ->canBeEnabled()
                     ->addDefaultsIfNotSet()
+                    ->validate()
+                        ->ifTrue(static fn (array $v): bool => null !== ($v['ssl_ca_bundle'] ?? null) && false === ($v['ssl_verification'] ?? true))
+                        ->thenInvalid('The "ssl_ca_bundle" and "ssl_verification: false" options cannot be used together. Either provide a CA bundle path or disable SSL verification, not both.')
+                    ->end()
                     ->children()
                         ->booleanNode('enabled')
                             ->defaultFalse()
@@ -497,6 +501,14 @@ private function addElasticsearchSection(ArrayNodeDefinition $rootNode): void
                             ->defaultValue([])
                             ->prototype('scalar')->end()
                         ->end()
+                        ->scalarNode('ssl_ca_bundle')
+                            ->defaultNull()
+                            ->info('Path to the SSL CA bundle file for Elasticsearch SSL verification.')
+                        ->end()
+                        ->booleanNode('ssl_verification')
+                            ->defaultTrue()
+                            ->info('Enable or disable SSL verification for Elasticsearch connections.')
+                        ->end()
                     ->end()
                 ->end()
             ->end();
diff --git a/tests/Symfony/Bundle/DependencyInjection/Compiler/ElasticsearchClientPassTest.php b/tests/Symfony/Bundle/DependencyInjection/Compiler/ElasticsearchClientPassTest.php
@@ -69,6 +69,8 @@ public function testProcess(): void
         $containerBuilderProphecy = $this->prophesize(ContainerBuilder::class);
         $containerBuilderProphecy->getParameter('api_platform.elasticsearch.enabled')->willReturn(true)->shouldBeCalled();
         $containerBuilderProphecy->getParameter('api_platform.elasticsearch.hosts')->willReturn(['http://localhost:9200'])->shouldBeCalled();
+        $containerBuilderProphecy->getParameter('api_platform.elasticsearch.ssl_ca_bundle')->willReturn(null)->shouldBeCalled();
+        $containerBuilderProphecy->getParameter('api_platform.elasticsearch.ssl_verification')->willReturn(true)->shouldBeCalled();
         $containerBuilderProphecy->has('logger')->willReturn(true)->shouldBeCalled();
         $containerBuilderProphecy->getDefinition('api_platform.elasticsearch.client')->willReturn($clientDefinitionProphecy->reveal())->shouldBeCalled();
 
@@ -89,6 +91,8 @@ public function testProcessWithoutConfiguration(): void
         $containerBuilderProphecy = $this->prophesize(ContainerBuilder::class);
         $containerBuilderProphecy->getParameter('api_platform.elasticsearch.enabled')->willReturn(true)->shouldBeCalled();
         $containerBuilderProphecy->getParameter('api_platform.elasticsearch.hosts')->willReturn([])->shouldBeCalled();
+        $containerBuilderProphecy->getParameter('api_platform.elasticsearch.ssl_ca_bundle')->willReturn(null)->shouldBeCalled();
+        $containerBuilderProphecy->getParameter('api_platform.elasticsearch.ssl_verification')->willReturn(true)->shouldBeCalled();
         $containerBuilderProphecy->has('logger')->willReturn(false)->shouldBeCalled();
         $containerBuilderProphecy->getDefinition('api_platform.elasticsearch.client')->willReturn($clientDefinitionProphecy->reveal())->shouldBeCalled();
 
@@ -102,4 +106,102 @@ public function testProcessWithElasticsearchDisabled(): void
 
         (new ElasticsearchClientPass())->process($containerBuilderProphecy->reveal());
     }
+
+    public function testProcessWithSslCaBundle(): void
+    {
+        $clientBuilder = class_exists(\Elasticsearch\ClientBuilder::class)
+            // ES v7
+            ? \Elasticsearch\ClientBuilder::class
+            // ES v8 and up
+            : \Elastic\Elasticsearch\ClientBuilder::class;
+
+        $clientDefinition = $this->createMock(Definition::class);
+        $clientDefinition->expects($this->once())
+            ->method('setFactory')
+            ->with([$clientBuilder, 'fromConfig'])
+            ->willReturnSelf();
+
+        $clientDefinition->expects($this->once())
+            ->method('setArguments')
+            ->with($this->callback(function ($arguments) {
+                $config = $arguments[0];
+
+                return isset($config['hosts'])
+                    && $config['hosts'] === ['https://localhost:9200']
+                    && isset($config['CABundle'])
+                    && '/path/to/ca-bundle.crt' === $config['CABundle']
+                    && isset($config['logger'])
+                    && $config['logger'] instanceof Reference;
+            }))
+            ->willReturnSelf();
+
+        $containerBuilder = $this->createMock(ContainerBuilder::class);
+        $containerBuilder->method('getParameter')
+            ->willReturnMap([
+                ['api_platform.elasticsearch.enabled', true],
+                ['api_platform.elasticsearch.hosts', ['https://localhost:9200']],
+                ['api_platform.elasticsearch.ssl_ca_bundle', '/path/to/ca-bundle.crt'],
+                ['api_platform.elasticsearch.ssl_verification', true],
+            ]);
+
+        $containerBuilder->expects($this->once())
+            ->method('has')
+            ->with('logger')
+            ->willReturn(true);
+
+        $containerBuilder->expects($this->once())
+            ->method('getDefinition')
+            ->with('api_platform.elasticsearch.client')
+            ->willReturn($clientDefinition);
+
+        (new ElasticsearchClientPass())->process($containerBuilder);
+    }
+
+    public function testProcessWithSslVerificationDisabled(): void
+    {
+        $clientBuilder = class_exists(\Elasticsearch\ClientBuilder::class)
+            ? \Elasticsearch\ClientBuilder::class
+            : \Elastic\Elasticsearch\ClientBuilder::class;
+
+        $clientDefinition = $this->createMock(Definition::class);
+        $clientDefinition->expects($this->once())
+            ->method('setFactory')
+            ->with([$clientBuilder, 'fromConfig'])
+            ->willReturnSelf();
+
+        $clientDefinition->expects($this->once())
+            ->method('setArguments')
+            ->with($this->callback(function ($arguments) {
+                $config = $arguments[0];
+
+                return isset($config['hosts'])
+                    && $config['hosts'] === ['https://localhost:9200']
+                    && isset($config['SSLVerification'])
+                    && false === $config['SSLVerification']
+                    && isset($config['logger'])
+                    && $config['logger'] instanceof Reference;
+            }))
+            ->willReturnSelf();
+
+        $containerBuilder = $this->createMock(ContainerBuilder::class);
+        $containerBuilder->method('getParameter')
+            ->willReturnMap([
+                ['api_platform.elasticsearch.enabled', true],
+                ['api_platform.elasticsearch.hosts', ['https://localhost:9200']],
+                ['api_platform.elasticsearch.ssl_ca_bundle', null],
+                ['api_platform.elasticsearch.ssl_verification', false],
+            ]);
+
+        $containerBuilder->expects($this->once())
+            ->method('has')
+            ->with('logger')
+            ->willReturn(true);
+
+        $containerBuilder->expects($this->once())
+            ->method('getDefinition')
+            ->with('api_platform.elasticsearch.client')
+            ->willReturn($clientDefinition);
+
+        (new ElasticsearchClientPass())->process($containerBuilder);
+    }
 }
diff --git a/tests/Symfony/Bundle/DependencyInjection/ConfigurationTest.php b/tests/Symfony/Bundle/DependencyInjection/ConfigurationTest.php
@@ -135,6 +135,8 @@ private function runDefaultConfigTests(array $doctrineIntegrationsToLoad = ['orm
             'elasticsearch' => [
                 'enabled' => false,
                 'hosts' => [],
+                'ssl_ca_bundle' => null,
+                'ssl_verification' => true,
             ],
             'oauth' => [
                 'enabled' => false,
@@ -439,4 +441,55 @@ public function testOpenApiTags(): void
 
         $this->assertEquals(['name' => 'test3', 'description' => null], $config['openapi']['tags'][1]);
     }
+
+    public function testElasticsearchSslCaBundleConfiguration(): void
+    {
+        $config = $this->processor->processConfiguration($this->configuration, [
+            'api_platform' => [
+                'elasticsearch' => [
+                    'enabled' => true,
+                    'hosts' => ['https://localhost:9200'],
+                    'ssl_ca_bundle' => '/path/to/ca-bundle.crt',
+                ],
+            ],
+        ]);
+
+        $this->assertTrue($config['elasticsearch']['enabled']);
+        $this->assertSame('/path/to/ca-bundle.crt', $config['elasticsearch']['ssl_ca_bundle']);
+        $this->assertTrue($config['elasticsearch']['ssl_verification']);
+    }
+
+    public function testElasticsearchSslVerificationDisabled(): void
+    {
+        $config = $this->processor->processConfiguration($this->configuration, [
+            'api_platform' => [
+                'elasticsearch' => [
+                    'enabled' => true,
+                    'hosts' => ['https://localhost:9200'],
+                    'ssl_verification' => false,
+                ],
+            ],
+        ]);
+
+        $this->assertTrue($config['elasticsearch']['enabled']);
+        $this->assertFalse($config['elasticsearch']['ssl_verification']);
+        $this->assertNull($config['elasticsearch']['ssl_ca_bundle']);
+    }
+
+    public function testElasticsearchSslCaBundleAndVerificationDisabledMutuallyExclusive(): void
+    {
+        $this->expectException(InvalidConfigurationException::class);
+        $this->expectExceptionMessage('The "ssl_ca_bundle" and "ssl_verification: false" options cannot be used together. Either provide a CA bundle path or disable SSL verification, not both.');
+
+        $this->processor->processConfiguration($this->configuration, [
+            'api_platform' => [
+                'elasticsearch' => [
+                    'enabled' => true,
+                    'hosts' => ['https://localhost:9200'],
+                    'ssl_ca_bundle' => '/path/to/ca-bundle.crt',
+                    'ssl_verification' => false,
+                ],
+            ],
+        ]);
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -907,6 +907,8 @@ private function registerElasticsearchConfiguration(ContainerBuilder $container,`
`907`	`907`	`$container->registerForAutoconfiguration(RequestBodySearchCollectionExtensionInterface::class)`
`908`	`908`	`->addTag('api_platform.elasticsearch.request_body_search_extension.collection');`
`909`	`909`	`$container->setParameter('api_platform.elasticsearch.hosts', $config['elasticsearch']['hosts']);`
	`910`	`+ $container->setParameter('api_platform.elasticsearch.ssl_ca_bundle', $config['elasticsearch']['ssl_ca_bundle']);`
	`911`	`+ $container->setParameter('api_platform.elasticsearch.ssl_verification', $config['elasticsearch']['ssl_verification']);`
`910`	`912`	`$loader->load('elasticsearch.php');`
`911`	`913`	`}`
`912`	`914`
Original file line number	Diff line number	Diff line change
`@@ -56,6 +56,14 @@ public function process(ContainerBuilder $container): void`
`56`	`56`	`}`
`57`	`57`	`}`
`58`	`58`
	`59`	`+ if ($sslCaBundle = $container->getParameter('api_platform.elasticsearch.ssl_ca_bundle')) {`
	`60`	`+ $clientConfiguration['CABundle'] = $sslCaBundle;`
	`61`	`+ }`
	`62`	`+`
	`63`	`+ if (false === $container->getParameter('api_platform.elasticsearch.ssl_verification')) {`
	`64`	`+ $clientConfiguration['SSLVerification'] = false;`
	`65`	`+ }`
	`66`	`+`
`59`	`67`	`$clientDefinition = $container->getDefinition('api_platform.elasticsearch.client');`
`60`	`68`
`61`	`69`	`if (!$clientConfiguration) {`