feat: As a Security Server Administrator I want the diagnostics information available for global configuration and TSA to be improved so that I can more easily figure out issus with it

ocsp

refs: XRDDEV-2921

Author: Mikk Bachmann

src/lib/globalconf-core/src/main/java/org/niis/xroad/globalconf/status/OcspResponderStatus.java

@@ -25,23 +25,27 @@
  */
 package org.niis.xroad.globalconf.status;
 
+import ee.ria.xroad.common.DiagnosticStatus;
+
 import lombok.AccessLevel;
+import lombok.Data;
 import lombok.NoArgsConstructor;
 import lombok.RequiredArgsConstructor;
-import lombok.Value;
+import org.niis.xroad.common.core.exception.ErrorCode;
 
 import java.io.Serializable;
 import java.time.OffsetDateTime;
 
 /**
  * Diagnostics status for single OCSP responder
  */
-@Value
+@Data
 @NoArgsConstructor(force = true, access = AccessLevel.PRIVATE)
 @RequiredArgsConstructor
 public class OcspResponderStatus implements Serializable {
-    int status;
-    String url;
-    OffsetDateTime prevUpdate;
-    OffsetDateTime nextUpdate;
+    private final DiagnosticStatus diagnosticStatus;
+    private final String url;
+    private final OffsetDateTime prevUpdate;
+    private final OffsetDateTime nextUpdate;
+    private ErrorCode errorCode;
 }

src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/converter/OcspResponderDiagnosticConverter.java

@@ -26,17 +26,16 @@
  */
 package org.niis.xroad.securityserver.restapi.converter;
 
+import ee.ria.xroad.common.DiagnosticsStatus;
+
 import com.google.common.collect.Streams;
-import org.niis.xroad.globalconf.status.DiagnosticsStatus;
 import org.niis.xroad.securityserver.restapi.dto.OcspResponderDiagnosticsStatus;
-import org.niis.xroad.securityserver.restapi.openapi.model.DiagnosticStatusClassDto;
+import org.niis.xroad.securityserver.restapi.openapi.model.CodeWithDetailsDto;
 import org.niis.xroad.securityserver.restapi.openapi.model.OcspResponderDiagnosticsDto;
 import org.niis.xroad.securityserver.restapi.openapi.model.OcspResponderDto;
-import org.niis.xroad.securityserver.restapi.openapi.model.OcspStatusDto;
 import org.springframework.stereotype.Component;
 
 import java.util.List;
-import java.util.Optional;
 import java.util.Set;
 import java.util.stream.Collectors;
 
@@ -65,12 +64,11 @@ public Set<OcspResponderDiagnosticsDto> convert(Iterable<OcspResponderDiagnostic
     private OcspResponderDto convertOcspResponder(DiagnosticsStatus diagnosticsStatus) {
         OcspResponderDto ocspResponder = new OcspResponderDto();
         ocspResponder.setUrl(diagnosticsStatus.getDescription());
-        Optional<OcspStatusDto> statusCode = OcspStatusMapping.map(
-                diagnosticsStatus.getReturnCode());
-        ocspResponder.setStatusCode(statusCode.orElse(null));
-        Optional<DiagnosticStatusClassDto> statusClass = DiagnosticStatusClassMapping.map(
-                diagnosticsStatus.getReturnCode());
-        ocspResponder.setStatusClass(statusClass.orElse(null));
+        if (diagnosticsStatus.getErrorCode() != null) {
+            ocspResponder.setError(new CodeWithDetailsDto(diagnosticsStatus.getErrorCode().code())
+                    .metadata(diagnosticsStatus.getErrorCodeMetadata()));
+        }
+        ocspResponder.setStatusClass(DiagnosticStatusClassMapping.map(diagnosticsStatus.getStatus()));
         if (diagnosticsStatus.getPrevUpdate() != null) {
             ocspResponder.setPrevUpdateAt(diagnosticsStatus.getPrevUpdate());
         }

src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/converter/OcspStatusMapping.java

@@ -25,8 +25,9 @@
  */
 package org.niis.xroad.securityserver.restapi.dto;
 
+import ee.ria.xroad.common.DiagnosticsStatus;
+
 import lombok.Data;
-import org.niis.xroad.globalconf.status.DiagnosticsStatus;
 
 import java.util.List;
 

src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/dto/OcspResponderDiagnosticsStatus.java

@@ -26,7 +26,7 @@
 package org.niis.xroad.signer.core.certmanager;
 
 import ee.ria.xroad.common.CodedException;
-import ee.ria.xroad.common.DiagnosticsErrorCodes;
+import ee.ria.xroad.common.DiagnosticStatus;
 import ee.ria.xroad.common.crypto.identifier.SignAlgorithm;
 import ee.ria.xroad.common.util.CertUtils;
 import ee.ria.xroad.common.util.CryptoUtils;
@@ -36,6 +36,7 @@
 import lombok.extern.slf4j.Slf4j;
 import org.bouncycastle.cert.ocsp.OCSPException;
 import org.bouncycastle.cert.ocsp.OCSPResp;
+import org.niis.xroad.common.core.exception.ErrorCode;
 import org.niis.xroad.globalconf.GlobalConfProvider;
 import org.niis.xroad.globalconf.cert.CertChain;
 import org.niis.xroad.globalconf.impl.ocsp.OcspVerifier;
@@ -265,7 +266,7 @@ OCSPResp queryCertStatus(X509Certificate subject, OcspVerifierOptions verifierOp
             final OffsetDateTime prevUpdate = TimeUtils.offsetDateTimeNow();
             final OffsetDateTime nextUpdate = prevUpdate
                     .plusSeconds(globalConfProvider.getGlobalConfExtensions().getOcspFetchInterval());
-            int errorCode = DiagnosticsErrorCodes.ERROR_CODE_OCSP_RESPONSE_INVALID;
+            ErrorCode errorCode = null;
 
             try {
                 log.debug("Fetching response from: {}", responderURI);
@@ -277,35 +278,38 @@ OCSPResp queryCertStatus(X509Certificate subject, OcspVerifierOptions verifierOp
                     verifier.verifyValidity(response, subject, issuer);
                     log.debug("Verified OCSP response for certificate '{}'", subject.getSubjectX500Principal());
 
-                    reportOcspDiagnostics(issuer, responderURI, DiagnosticsErrorCodes.RETURN_SUCCESS, prevUpdate,
-                            nextUpdate);
+                    reportOcspDiagnostics(issuer, responderURI, DiagnosticStatus.OK, prevUpdate,
+                            nextUpdate, null);
 
                     return response;
                 }
             } catch (OCSPException e) {
                 log.error("Parsing OCSP response from {} failed", responderURI, e);
-                errorCode = DiagnosticsErrorCodes.ERROR_CODE_OCSP_RESPONSE_INVALID;
+                errorCode = ErrorCode.OCSP_RESPONSE_PARSING_FAILURE;
             } catch (IOException e) {
                 log.error("Unable to connect to responder at {}", responderURI, e);
-                errorCode = DiagnosticsErrorCodes.ERROR_CODE_OCSP_CONNECTION_ERROR;
+                errorCode = ErrorCode.OCSP_CONNECTION_ERROR;
             } catch (CodedException e) {
                 log.warn("Received OCSP response that failed verification", e);
-                errorCode = DiagnosticsErrorCodes.ERROR_CODE_OCSP_RESPONSE_UNVERIFIED;
+                errorCode = ErrorCode.OCSP_RESPONSE_VERIFICATION_FAILURE;
             } catch (Exception e) {
                 log.error("Unable to fetch response from responder at {}", responderURI, e);
-                errorCode = DiagnosticsErrorCodes.ERROR_CODE_OCSP_RESPONSE_INVALID;
+                errorCode = ErrorCode.OCSP_FAILED;
             }
 
-            reportOcspDiagnostics(issuer, responderURI, errorCode, prevUpdate, nextUpdate);
+            reportOcspDiagnostics(issuer, responderURI, DiagnosticStatus.ERROR, prevUpdate, nextUpdate, errorCode);
         }
 
         return null;
     }
 
-    private void reportOcspDiagnostics(X509Certificate issuer, String responderURI, int statusCode,
-                                       OffsetDateTime prevUpdate, OffsetDateTime nextUpdate) {
+    private void reportOcspDiagnostics(X509Certificate issuer, String responderURI, DiagnosticStatus statusCode,
+                                       OffsetDateTime prevUpdate, OffsetDateTime nextUpdate, ErrorCode errorCode) {
 
         OcspResponderStatus responderStatus = new OcspResponderStatus(statusCode, responderURI, prevUpdate, nextUpdate);
+        if (errorCode != null) {
+            responderStatus.setErrorCode(errorCode);
+        }
 
         String subjectName = issuer.getSubjectDN().toString();
 
@@ -393,13 +397,13 @@ private void initializeDiagnostics() {
 
         final Collection<X509Certificate> caCerts = globalConfProvider.getAllCaCerts();
         serviceStatusMap.keySet().retainAll(caCerts.stream()
-                .map(X509Certificate::getSubjectDN)
+                .map(X509Certificate::getSubjectX500Principal)
                 .map(Principal::toString)
                 .collect(Collectors.toSet()));
 
         for (X509Certificate caCertificate : caCerts) {
             try {
-                final String key = caCertificate.getSubjectDN().toString();
+                final String key = caCertificate.getSubjectX500Principal().toString();
                 final CertificationServiceStatus serviceStatus = serviceStatusMap
                         .computeIfAbsent(key, CertificationServiceStatus::new);
 
@@ -408,7 +412,7 @@ private void initializeDiagnostics() {
                 responderStatusMap.keySet().retainAll(addresses);
 
                 addresses.forEach(responderURI -> responderStatusMap.computeIfAbsent(responderURI,
-                        uri -> new OcspResponderStatus(DiagnosticsErrorCodes.ERROR_CODE_OCSP_UNINITIALIZED, uri, null,
+                        uri -> new OcspResponderStatus(DiagnosticStatus.UNINITIALIZED, uri, null,
                                 TimeUtils.offsetDateTimeNow().plusSeconds(fetchInterval))));
             } catch (Exception e) {
                 log.error("Error while initializing diagnostics", e);

src/service/signer/signer-core/src/main/java/org/niis/xroad/signer/core/certmanager/OcspClientWorker.java

@@ -129,25 +129,26 @@ public void init() {
     public GetOcspResponsesResponse handleGetOcspResponses(GetOcspResponses message) throws Exception {
         log.trace("handleGetOcspResponses()");
 
-        String[] base64EncodedResponses = new String[message.getCertHash().length];
-        for (int i = 0; i < message.getCertHash().length; i++) {
-            OCSPResp ocspResponse = getResponse(message.getCertHash()[i]);
+        String[] certHashes = message.getCertHash();
+        String[] base64EncodedResponses = new String[certHashes.length];
+        for (int i = 0; i < certHashes.length; i++) {
+            OCSPResp ocspResponse = getResponse(certHashes[i]);
             if (ocspResponse == null) {
-                log.debug("No cached OCSP response available for cert {}", message.getCertHash()[i]);
+                log.debug("No cached OCSP response available for cert {}", certHashes[i]);
                 // if the response is not in local cache, download it
-                ocspResponse = downloadOcspResponse(message.getCertHash()[i]);
+                ocspResponse = downloadOcspResponse(certHashes[i]);
                 if (ocspResponse != null) {
-                    setResponse(message.getCertHash()[i], ocspResponse);
+                    setResponse(certHashes[i], ocspResponse);
                 }
             } else {
-                log.debug("Found a cached OCSP response for cert {}", message.getCertHash()[i]);
+                log.debug("Found a cached OCSP response for cert {}", certHashes[i]);
             }
 
             if (ocspResponse != null) {
-                log.debug("Acquired an OCSP response for certificate {}", message.getCertHash()[i]);
+                log.debug("Acquired an OCSP response for certificate {}", certHashes[i]);
                 base64EncodedResponses[i] = encodeBase64(ocspResponse.getEncoded());
             } else {
-                log.warn("Could not acquire an OCSP response for certificate {}", message.getCertHash()[i]);
+                log.warn("Could not acquire an OCSP response for certificate {}", certHashes[i]);
             }
         }