elastic
diff --git a/‎server/src/main/java/org/elasticsearch/transport/RemoteClusterSettings.java‎
Lines changed: 9 additions & 7 deletions b/‎server/src/main/java/org/elasticsearch/transport/RemoteClusterSettings.java‎
Lines changed: 9 additions & 7 deletions
diff --git a/‎x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/transport/CrossClusterApiKeySignerIntegTests.java‎
Lines changed: 127 additions & 0 deletions b/‎x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/transport/CrossClusterApiKeySignerIntegTests.java‎
Lines changed: 127 additions & 0 deletions
@@ -42,12 +42,14 @@
 
 public class RemoteClusterSettings {
 
+    public static final String REMOTE_CLUSTER_SETTINGS_PREFIX = "cluster.remote.";
+
     public static final TimeValue DEFAULT_INITIAL_CONNECTION_TIMEOUT = TimeValue.timeValueSeconds(30);
     /**
      * The initial connect timeout for remote cluster connections
      */
     public static final Setting<TimeValue> REMOTE_INITIAL_CONNECTION_TIMEOUT_SETTING = Setting.positiveTimeSetting(
-        "cluster.remote.initial_connect_timeout",
+        REMOTE_CLUSTER_SETTINGS_PREFIX + "initial_connect_timeout",
         DEFAULT_INITIAL_CONNECTION_TIMEOUT,
         Setting.Property.NodeScope
     );
@@ -59,13 +61,13 @@ public class RemoteClusterSettings {
      * The value of the setting is expected to be a boolean, {@code true} for nodes that can become gateways, {@code false} otherwise.
      */
     public static final Setting<String> REMOTE_NODE_ATTRIBUTE = Setting.simpleString(
-        "cluster.remote.node.attr",
+        REMOTE_CLUSTER_SETTINGS_PREFIX + "node.attr",
         Setting.Property.NodeScope
     );
 
     public static final boolean DEFAULT_SKIP_UNAVAILABLE = true;
     public static final Setting.AffixSetting<Boolean> REMOTE_CLUSTER_SKIP_UNAVAILABLE = Setting.affixKeySetting(
-        "cluster.remote.",
+        REMOTE_CLUSTER_SETTINGS_PREFIX,
         "skip_unavailable",
         (ns, key) -> boolSetting(
             key,
@@ -77,7 +79,7 @@ public class RemoteClusterSettings {
     );
 
     public static final Setting.AffixSetting<TimeValue> REMOTE_CLUSTER_PING_SCHEDULE = Setting.affixKeySetting(
-        "cluster.remote.",
+        REMOTE_CLUSTER_SETTINGS_PREFIX,
         "transport.ping_schedule",
         (ns, key) -> timeSetting(
             key,
@@ -89,7 +91,7 @@ public class RemoteClusterSettings {
     );
 
     public static final Setting.AffixSetting<Compression.Enabled> REMOTE_CLUSTER_COMPRESS = Setting.affixKeySetting(
-        "cluster.remote.",
+        REMOTE_CLUSTER_SETTINGS_PREFIX,
         "transport.compress",
         (ns, key) -> enumSetting(
             Compression.Enabled.class,
@@ -102,7 +104,7 @@ public class RemoteClusterSettings {
     );
 
     public static final Setting.AffixSetting<Compression.Scheme> REMOTE_CLUSTER_COMPRESSION_SCHEME = Setting.affixKeySetting(
-        "cluster.remote.",
+        REMOTE_CLUSTER_SETTINGS_PREFIX,
         "transport.compression_scheme",
         (ns, key) -> enumSetting(
             Compression.Scheme.class,
@@ -115,7 +117,7 @@ public class RemoteClusterSettings {
     );
 
     public static final Setting.AffixSetting<SecureString> REMOTE_CLUSTER_CREDENTIALS = Setting.affixKeySetting(
-        "cluster.remote.",
+        REMOTE_CLUSTER_SETTINGS_PREFIX,
         "credentials",
         key -> SecureSetting.secureString(key, null)
     );
 
@@ -0,0 +1,127 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+package org.elasticsearch.xpack.security.transport;
+
+import org.elasticsearch.common.settings.MockSecureSettings;
+import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.common.ssl.PemKeyConfig;
+import org.elasticsearch.test.SecurityIntegTestCase;
+
+import static org.elasticsearch.xpack.security.transport.CrossClusterApiKeySignerSettings.SIGNING_CERT_PATH;
+import static org.elasticsearch.xpack.security.transport.CrossClusterApiKeySignerSettings.SIGNING_KEYSTORE_ALIAS;
+import static org.elasticsearch.xpack.security.transport.CrossClusterApiKeySignerSettings.SIGNING_KEYSTORE_PATH;
+import static org.elasticsearch.xpack.security.transport.CrossClusterApiKeySignerSettings.SIGNING_KEYSTORE_SECURE_PASSWORD;
+import static org.elasticsearch.xpack.security.transport.CrossClusterApiKeySignerSettings.SIGNING_KEY_PATH;
+
+public class CrossClusterApiKeySignerIntegTests extends SecurityIntegTestCase {
+
+    private static final String DYNAMIC_TEST_CLUSTER_ALIAS = "dynamic_test_cluster";
+    private static final String STATIC_TEST_CLUSTER_ALIAS = "static_test_cluster";
+
+    public void testSignWithPemKeyConfig() {
+        final CrossClusterApiKeySigner signer = internalCluster().getInstance(
+            CrossClusterApiKeySigner.class,
+            internalCluster().getRandomNodeName()
+        );
+        final String[] testHeaders = randomArray(5, String[]::new, () -> randomAlphanumericOfLength(randomInt(20)));
+
+        X509CertificateSignature signature = signer.sign(STATIC_TEST_CLUSTER_ALIAS, testHeaders);
+        signature.certificate().getPublicKey();
+
+        var keyConfig = new PemKeyConfig(
+            "signing_rsa.crt",
+            "signing_rsa.key",
+            new char[0],
+            getDataPath("/org/elasticsearch/xpack/security/signature/signing_rsa.crt").getParent()
+        );
+
+        assertEquals(signature.algorithm(), keyConfig.getKeys().getFirst().v2().getSigAlgName());
+        assertEquals(signature.certificate(), keyConfig.getKeys().getFirst().v2());
+    }
+
+    public void testSignUnknownClusterAlias() {
+        final CrossClusterApiKeySigner signer = internalCluster().getInstance(
+            CrossClusterApiKeySigner.class,
+            internalCluster().getRandomNodeName()
+        );
+        final String[] testHeaders = randomArray(5, String[]::new, () -> randomAlphanumericOfLength(randomInt(20)));
+
+        X509CertificateSignature signature = signer.sign("unknowncluster", testHeaders);
+        assertNull(signature);
+    }
+
+    public void testSeveralKeyStoreAliases() {
+        final CrossClusterApiKeySigner signer = internalCluster().getInstance(
+            CrossClusterApiKeySigner.class,
+            internalCluster().getRandomNodeName()
+        );
+
+        try {
+            // Create a new config without an alias. Since there are several aliases in the keystore, no signature should be generated
+            updateClusterSettings(
+                Settings.builder()
+                    .put(
+                        SIGNING_KEYSTORE_PATH.getConcreteSettingForNamespace(DYNAMIC_TEST_CLUSTER_ALIAS).getKey(),
+                        getDataPath("/org/elasticsearch/xpack/security/signature/signing.jks")
+                    )
+            );
+
+            {
+                X509CertificateSignature signature = signer.sign(DYNAMIC_TEST_CLUSTER_ALIAS, "test", "test");
+                assertNull(signature);
+            }
+
+            // Add an alias from the keystore
+            updateClusterSettings(
+                Settings.builder()
+                    .put(SIGNING_KEYSTORE_ALIAS.getConcreteSettingForNamespace(DYNAMIC_TEST_CLUSTER_ALIAS).getKey(), "wholelottakey")
+            );
+            {
+                X509CertificateSignature signature = signer.sign(DYNAMIC_TEST_CLUSTER_ALIAS, "test", "test");
+                assertNotNull(signature);
+            }
+
+            // Add an alias not in the keystore
+            updateClusterSettings(
+                Settings.builder()
+                    .put(SIGNING_KEYSTORE_ALIAS.getConcreteSettingForNamespace(DYNAMIC_TEST_CLUSTER_ALIAS).getKey(), "idonotexist")
+            );
+            {
+                X509CertificateSignature signature = signer.sign(DYNAMIC_TEST_CLUSTER_ALIAS, "test", "test");
+                assertNull(signature);
+            }
+        } finally {
+            updateClusterSettings(
+                Settings.builder()
+                    .putNull(SIGNING_KEYSTORE_PATH.getConcreteSettingForNamespace(DYNAMIC_TEST_CLUSTER_ALIAS).getKey())
+                    .putNull(SIGNING_KEYSTORE_ALIAS.getConcreteSettingForNamespace(DYNAMIC_TEST_CLUSTER_ALIAS).getKey())
+                    .setSecureSettings(new MockSecureSettings())
+            );
+        }
+    }
+
+    @Override
+    protected Settings nodeSettings(int nodeOrdinal, Settings otherSettings) {
+        var builder = Settings.builder();
+        MockSecureSettings secureSettings = (MockSecureSettings) builder.put(super.nodeSettings(nodeOrdinal, otherSettings))
+            .put(
+                SIGNING_CERT_PATH.getConcreteSettingForNamespace(STATIC_TEST_CLUSTER_ALIAS).getKey(),
+                getDataPath("/org/elasticsearch/xpack/security/signature/signing_rsa.crt")
+            )
+            .put(
+                SIGNING_KEY_PATH.getConcreteSettingForNamespace(STATIC_TEST_CLUSTER_ALIAS).getKey(),
+                getDataPath("/org/elasticsearch/xpack/security/signature/signing_rsa.key")
+            )
+            .getSecureSettings();
+        secureSettings.setString(
+            SIGNING_KEYSTORE_SECURE_PASSWORD.getConcreteSettingForNamespace(DYNAMIC_TEST_CLUSTER_ALIAS).getKey(),
+            "secretpassword"
+        );
+        return builder.build();
+    }
+}