Change Netty4Transport to use SslProfile

Author: tvernum

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/core/security/transport/ProfileConfigurations.java

@@ -11,6 +11,7 @@
 import org.elasticsearch.transport.TransportSettings;
 import org.elasticsearch.xpack.core.XPackSettings;
 import org.elasticsearch.xpack.core.ssl.SSLService;
+import org.elasticsearch.xpack.core.ssl.SslProfile;
 
 import java.util.HashMap;
 import java.util.Map;
@@ -73,12 +74,12 @@ private ProfileConfigurations() {}
      *         as an entry for the "default" profile. If the remote_cluster feature is enabled, it also
      *         contains an entry for the synthetic "_remote_cluster" profile.
      */
-    public static Map<String, SslConfiguration> get(Settings settings, SSLService sslService, boolean sslEnabledOnly) {
+    public static Map<String, SslProfile> get(Settings settings, SSLService sslService, boolean sslEnabledOnly) {
         final boolean transportSslEnabled = XPackSettings.TRANSPORT_SSL_ENABLED.get(settings);
         final boolean remoteClusterPortEnabled = REMOTE_CLUSTER_SERVER_ENABLED.get(settings);
         final boolean remoteClusterServerSslEnabled = remoteClusterPortEnabled && REMOTE_CLUSTER_SERVER_SSL_ENABLED.get(settings);
 
-        final Map<String, SslConfiguration> profileConfigurations = new HashMap<>();
+        final Map<String, SslProfile> profileConfigurations = new HashMap<>();
 
         if (sslEnabledOnly) {
             if (transportSslEnabled == false && remoteClusterServerSslEnabled == false) {
@@ -87,10 +88,7 @@ public static Map<String, SslConfiguration> get(Settings settings, SSLService ss
                 // The single TRANSPORT_SSL_ENABLED setting determines whether SSL is enabled for both
                 // the default transport profile and any custom transport profiles. That is, SSL is
                 // always either enabled or disabled together for default and custom transport profiles.
-                profileConfigurations.put(
-                    REMOTE_CLUSTER_PROFILE,
-                    sslService.getSSLConfiguration(XPackSettings.REMOTE_CLUSTER_SERVER_SSL_PREFIX)
-                );
+                profileConfigurations.put(REMOTE_CLUSTER_PROFILE, sslService.profile(XPackSettings.REMOTE_CLUSTER_SERVER_SSL_PREFIX));
                 return profileConfigurations;
             } else if (remoteClusterServerSslEnabled == false) {
                 populateFromTransportProfiles(settings, sslService, profileConfigurations);
@@ -103,10 +101,7 @@ public static Map<String, SslConfiguration> get(Settings settings, SSLService ss
         populateFromTransportProfiles(settings, sslService, profileConfigurations);
         if (remoteClusterPortEnabled) {
             assert profileConfigurations.containsKey(REMOTE_CLUSTER_PROFILE) == false;
-            profileConfigurations.put(
-                REMOTE_CLUSTER_PROFILE,
-                sslService.getSSLConfiguration(XPackSettings.REMOTE_CLUSTER_SERVER_SSL_PREFIX)
-            );
+            profileConfigurations.put(REMOTE_CLUSTER_PROFILE, sslService.profile(XPackSettings.REMOTE_CLUSTER_SERVER_SSL_PREFIX));
         }
 
         return profileConfigurations;
@@ -115,9 +110,9 @@ public static Map<String, SslConfiguration> get(Settings settings, SSLService ss
     private static void populateFromTransportProfiles(
         Settings settings,
         SSLService sslService,
-        Map<String, SslConfiguration> profileConfigurations
+        Map<String, SslProfile> profileConfigurations
     ) {
-        final SslConfiguration defaultConfiguration = sslService.getSSLConfiguration(setting("transport.ssl."));
+        final SslProfile defaultProfile = sslService.profile(setting("transport.ssl."));
 
         Set<String> profileNames = settings.getGroups("transport.profiles.", true).keySet();
         for (String profileName : profileNames) {
@@ -136,11 +131,11 @@ private static void populateFromTransportProfiles(
                 }
             }
 
-            SslConfiguration configuration = sslService.getSSLConfiguration("transport.profiles." + profileName + "." + setting("ssl"));
-            profileConfigurations.put(profileName, configuration);
+            final SslProfile profile = sslService.profile("transport.profiles." + profileName + "." + setting("ssl"));
+            profileConfigurations.put(profileName, profile);
         }
 
         assert profileConfigurations.containsKey(TransportSettings.DEFAULT_PROFILE) == false;
-        profileConfigurations.put(TransportSettings.DEFAULT_PROFILE, defaultConfiguration);
+        profileConfigurations.put(TransportSettings.DEFAULT_PROFILE, defaultProfile);
     }
 }

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/core/security/transport/netty4/SecurityNetty4Transport.java

@@ -24,7 +24,6 @@
 import org.elasticsearch.common.io.stream.NamedWriteableRegistry;
 import org.elasticsearch.common.network.NetworkService;
 import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.common.ssl.SslConfiguration;
 import org.elasticsearch.common.unit.ByteSizeValue;
 import org.elasticsearch.common.util.PageCacheRecycler;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
@@ -47,6 +46,7 @@
 import org.elasticsearch.xpack.core.security.transport.ProfileConfigurations;
 import org.elasticsearch.xpack.core.security.transport.SecurityTransportExceptionHandler;
 import org.elasticsearch.xpack.core.ssl.SSLService;
+import org.elasticsearch.xpack.core.ssl.SslProfile;
 import org.elasticsearch.xpack.security.authc.CrossClusterAccessAuthenticationService;
 
 import java.net.InetSocketAddress;
@@ -73,11 +73,11 @@ public class SecurityNetty4Transport extends Netty4Transport {
 
     private final SecurityTransportExceptionHandler exceptionHandler;
     private final SSLService sslService;
-    private final SslConfiguration defaultSslConfiguration;
-    private final Map<String, SslConfiguration> profileConfigurations;
+    private final SslProfile defaultSslProfile;
+    private final Map<String, SslProfile> profiles;
     private final boolean transportSslEnabled;
     private final boolean remoteClusterServerSslEnabled;
-    private final SslConfiguration remoteClusterClientSslConfiguration;
+    private final SslProfile remoteClusterClientSslProfile;
     private final RemoteClusterClientBootstrapOptions remoteClusterClientBootstrapOptions;
     private final CrossClusterAccessAuthenticationService crossClusterAccessAuthenticationService;
 
@@ -108,16 +108,16 @@ public SecurityNetty4Transport(
         this.sslService = sslService;
         this.transportSslEnabled = XPackSettings.TRANSPORT_SSL_ENABLED.get(settings);
         this.remoteClusterServerSslEnabled = REMOTE_CLUSTER_SERVER_SSL_ENABLED.get(settings);
-        this.profileConfigurations = Collections.unmodifiableMap(ProfileConfigurations.get(settings, sslService, true));
-        this.defaultSslConfiguration = this.profileConfigurations.get(TransportSettings.DEFAULT_PROFILE);
-        assert this.transportSslEnabled == false || this.defaultSslConfiguration != null;
+        this.profiles = Collections.unmodifiableMap(ProfileConfigurations.get(settings, sslService, true));
+        this.defaultSslProfile = this.profiles.get(TransportSettings.DEFAULT_PROFILE);
+        assert this.transportSslEnabled == false || this.defaultSslProfile != null;
 
         // Client configuration does not depend on whether the remote access port is enabled
         if (REMOTE_CLUSTER_CLIENT_SSL_ENABLED.get(settings)) {
-            this.remoteClusterClientSslConfiguration = sslService.getSSLConfiguration(REMOTE_CLUSTER_CLIENT_SSL_PREFIX);
-            assert this.remoteClusterClientSslConfiguration != null;
+            this.remoteClusterClientSslProfile = sslService.profile(REMOTE_CLUSTER_CLIENT_SSL_PREFIX);
+            assert this.remoteClusterClientSslProfile != null;
         } else {
-            this.remoteClusterClientSslConfiguration = null;
+            this.remoteClusterClientSslProfile = null;
         }
         this.remoteClusterClientBootstrapOptions = RemoteClusterClientBootstrapOptions.fromSettings(settings);
     }
@@ -131,20 +131,20 @@ protected void doStart() {
     public final ChannelHandler getServerChannelInitializer(String name) {
         if (remoteClusterPortEnabled && REMOTE_CLUSTER_PROFILE.equals(name)) {
             if (remoteClusterServerSslEnabled) {
-                final SslConfiguration remoteClusterSslConfiguration = profileConfigurations.get(name);
-                if (remoteClusterSslConfiguration == null) {
+                final SslProfile remoteClusterSslProfile = profiles.get(name);
+                if (remoteClusterSslProfile == null) {
                     throw new IllegalStateException("remote cluster SSL is enabled but no configuration is found");
                 }
-                return getSslChannelInitializer(name, remoteClusterSslConfiguration);
+                return getSslChannelInitializer(name, remoteClusterSslProfile);
             } else {
                 return getNoSslChannelInitializer(name);
             }
         } else if (transportSslEnabled) {
-            SslConfiguration configuration = profileConfigurations.get(name);
-            if (configuration == null) {
+            SslProfile profile = profiles.get(name);
+            if (profile == null) {
                 throw new IllegalStateException("unknown profile: " + name);
             }
-            return getSslChannelInitializer(name, configuration);
+            return getSslChannelInitializer(name, profile);
         } else {
             return getNoSslChannelInitializer(name);
         }
@@ -228,27 +228,27 @@ public void onException(TcpChannel channel, Exception e) {
     }
 
     public class SslChannelInitializer extends ServerChannelInitializer {
-        private final SslConfiguration configuration;
+        private final SslProfile profile;
 
-        public SslChannelInitializer(String name, SslConfiguration configuration) {
+        public SslChannelInitializer(String name, SslProfile profile) {
             super(name);
-            this.configuration = configuration;
+            this.profile = profile;
         }
 
         @Override
         protected void initChannel(Channel ch) throws Exception {
-            SSLEngine serverEngine = sslService.createSSLEngine(configuration, null, -1);
+            SSLEngine serverEngine = profile.engine(null, -1);
             serverEngine.setUseClientMode(false);
             final SslHandler sslHandler = new SslHandler(serverEngine);
-            sslHandler.setHandshakeTimeoutMillis(configuration.handshakeTimeoutMillis());
+            sslHandler.setHandshakeTimeoutMillis(profile.configuration().handshakeTimeoutMillis());
             ch.pipeline().addFirst("sslhandler", sslHandler);
             super.initChannel(ch);
             assert ch.pipeline().first() == sslHandler : "SSL handler must be first handler in pipeline";
         }
     }
 
-    protected ServerChannelInitializer getSslChannelInitializer(final String name, final SslConfiguration configuration) {
-        return new SslChannelInitializer(name, configuration);
+    protected ServerChannelInitializer getSslChannelInitializer(final String name, final SslProfile profile) {
+        return new SslChannelInitializer(name, profile);
     }
 
     @Override
@@ -260,21 +260,23 @@ private class SecurityClientChannelInitializer extends ClientChannelInitializer
 
         private final boolean hostnameVerificationEnabled;
         private final SNIHostName serverName;
-        private final SslConfiguration channelSslConfiguration;
+        private final SslProfile channelSslProfile;
 
         SecurityClientChannelInitializer(DiscoveryNode node, ConnectionProfile connectionProfile) {
             final String transportProfile = connectionProfile.getTransportProfile();
             logger.trace("initiating security client channel with transport profile [{}]", transportProfile);
             // Only client connections to a new RCS remote cluster can have transport profile of _remote_cluster
             // All other client connections use the default transport profile regardless of the transport profile used on the server side.
             if (REMOTE_CLUSTER_PROFILE.equals(transportProfile)) {
-                this.channelSslConfiguration = remoteClusterClientSslConfiguration;
+                this.channelSslProfile = remoteClusterClientSslProfile;
             } else {
                 assert TransportSettings.DEFAULT_PROFILE.equals(transportProfile);
-                this.channelSslConfiguration = defaultSslConfiguration;
+                this.channelSslProfile = defaultSslProfile;
             }
-            if (this.channelSslConfiguration != null) {
-                this.hostnameVerificationEnabled = this.channelSslConfiguration.verificationMode().isHostnameVerificationEnabled();
+            if (this.channelSslProfile != null) {
+                this.hostnameVerificationEnabled = this.channelSslProfile.configuration()
+                    .verificationMode()
+                    .isHostnameVerificationEnabled();
             } else {
                 this.hostnameVerificationEnabled = false;
             }
@@ -293,29 +295,27 @@ private class SecurityClientChannelInitializer extends ClientChannelInitializer
         @Override
         protected void initChannel(Channel ch) throws Exception {
             super.initChannel(ch);
-            if (channelSslConfiguration != null) {
+            if (channelSslProfile != null) {
                 ch.pipeline()
-                    .addFirst(
-                        new ClientSslHandlerInitializer(channelSslConfiguration, sslService, hostnameVerificationEnabled, serverName)
-                    );
+                    .addFirst(new ClientSslHandlerInitializer(channelSslProfile, sslService, hostnameVerificationEnabled, serverName));
             }
         }
     }
 
     private static class ClientSslHandlerInitializer extends ChannelOutboundHandlerAdapter {
 
         private final boolean hostnameVerificationEnabled;
-        private final SslConfiguration sslConfiguration;
+        private final SslProfile sslProfile;
         private final SSLService sslService;
         private final SNIServerName serverName;
 
         private ClientSslHandlerInitializer(
-            SslConfiguration sslConfiguration,
+            SslProfile sslProfile,
             SSLService sslService,
             boolean hostnameVerificationEnabled,
             SNIServerName serverName
         ) {
-            this.sslConfiguration = sslConfiguration;
+            this.sslProfile = sslProfile;
             this.hostnameVerificationEnabled = hostnameVerificationEnabled;
             this.sslService = sslService;
             this.serverName = serverName;
@@ -328,9 +328,9 @@ public void connect(ChannelHandlerContext ctx, SocketAddress remoteAddress, Sock
             if (hostnameVerificationEnabled) {
                 InetSocketAddress inetSocketAddress = (InetSocketAddress) remoteAddress;
                 // we create the socket based on the name given. don't reverse DNS
-                sslEngine = sslService.createSSLEngine(sslConfiguration, inetSocketAddress.getHostString(), inetSocketAddress.getPort());
+                sslEngine = sslProfile.engine(inetSocketAddress.getHostString(), inetSocketAddress.getPort());
             } else {
-                sslEngine = sslService.createSSLEngine(sslConfiguration, null, -1);
+                sslEngine = sslProfile.engine(null, -1);
             }
 
             sslEngine.setUseClientMode(true);
@@ -341,7 +341,7 @@ public void connect(ChannelHandlerContext ctx, SocketAddress remoteAddress, Sock
             }
             final ChannelPromise connectPromise = ctx.newPromise();
             final SslHandler sslHandler = new SslHandler(sslEngine);
-            sslHandler.setHandshakeTimeoutMillis(sslConfiguration.handshakeTimeoutMillis());
+            sslHandler.setHandshakeTimeoutMillis(sslProfile.configuration().handshakeTimeoutMillis());
             ctx.pipeline().replace(this, "ssl", sslHandler);
             final Future<?> handshakePromise = sslHandler.handshakeFuture();
             Netty4Utils.addListener(connectPromise, result -> {

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/SecurityServerTransportInterceptor.java

@@ -47,6 +47,7 @@
 import org.elasticsearch.xpack.core.security.user.SystemUser;
 import org.elasticsearch.xpack.core.security.user.User;
 import org.elasticsearch.xpack.core.ssl.SSLService;
+import org.elasticsearch.xpack.core.ssl.SslProfile;
 import org.elasticsearch.xpack.security.Security;
 import org.elasticsearch.xpack.security.action.SecurityActionMapper;
 import org.elasticsearch.xpack.security.audit.AuditUtil;
@@ -482,16 +483,16 @@ public <T extends TransportRequest> TransportRequestHandler<T> interceptHandler(
     }
 
     private Map<String, ServerTransportFilter> initializeProfileFilters(DestructiveOperations destructiveOperations) {
-        final Map<String, SslConfiguration> profileConfigurations = ProfileConfigurations.get(settings, sslService, false);
+        final Map<String, SslProfile> profileConfigurations = ProfileConfigurations.get(settings, sslService, false);
 
         Map<String, ServerTransportFilter> profileFilters = Maps.newMapWithExpectedSize(profileConfigurations.size() + 1);
 
         final boolean transportSSLEnabled = XPackSettings.TRANSPORT_SSL_ENABLED.get(settings);
         final boolean remoteClusterPortEnabled = REMOTE_CLUSTER_SERVER_ENABLED.get(settings);
         final boolean remoteClusterServerSSLEnabled = XPackSettings.REMOTE_CLUSTER_SERVER_SSL_ENABLED.get(settings);
 
-        for (Map.Entry<String, SslConfiguration> entry : profileConfigurations.entrySet()) {
-            final SslConfiguration profileConfiguration = entry.getValue();
+        for (Map.Entry<String, SslProfile> entry : profileConfigurations.entrySet()) {
+            final SslConfiguration profileConfiguration = entry.getValue().configuration();
             final String profileName = entry.getKey();
             final boolean useRemoteClusterProfile = remoteClusterPortEnabled && profileName.equals(REMOTE_CLUSTER_PROFILE);
             if (useRemoteClusterProfile) {

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/netty4/SecurityNetty4ServerTransport.java

@@ -13,14 +13,14 @@
 import org.elasticsearch.common.io.stream.NamedWriteableRegistry;
 import org.elasticsearch.common.network.NetworkService;
 import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.common.ssl.SslConfiguration;
 import org.elasticsearch.common.util.PageCacheRecycler;
 import org.elasticsearch.core.Nullable;
 import org.elasticsearch.indices.breaker.CircuitBreakerService;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.transport.netty4.SharedGroupFactory;
 import org.elasticsearch.xpack.core.security.transport.netty4.SecurityNetty4Transport;
 import org.elasticsearch.xpack.core.ssl.SSLService;
+import org.elasticsearch.xpack.core.ssl.SslProfile;
 import org.elasticsearch.xpack.security.authc.CrossClusterAccessAuthenticationService;
 import org.elasticsearch.xpack.security.transport.filter.IPFilter;
 
@@ -71,8 +71,8 @@ protected ChannelHandler getNoSslChannelInitializer(final String name) {
     }
 
     @Override
-    protected ServerChannelInitializer getSslChannelInitializer(final String name, final SslConfiguration configuration) {
-        return new SecurityServerChannelInitializer(name, configuration);
+    protected ServerChannelInitializer getSslChannelInitializer(final String name, final SslProfile profile) {
+        return new SecurityServerChannelInitializer(name, profile);
     }
 
     public class IPFilterServerChannelInitializer extends ServerChannelInitializer {
@@ -90,8 +90,8 @@ protected void initChannel(final Channel ch) throws Exception {
 
     public class SecurityServerChannelInitializer extends SslChannelInitializer {
 
-        SecurityServerChannelInitializer(final String name, final SslConfiguration configuration) {
-            super(name, configuration);
+        SecurityServerChannelInitializer(final String name, final SslProfile profile) {
+            super(name, profile);
         }
 
         @Override