Move createSslEngine to profile

Author: tvernum

modules/transport-netty4/src/main/java/org/elasticsearch/transport/netty4/TLSConfig.java

@@ -13,26 +13,26 @@
 
 import javax.net.ssl.SSLEngine;
 
-public record TLSConfig(SslConfiguration sslConfiguration, EngineProvider engineProvider) {
+public record TLSConfig(EngineProvider engineProvider) {
 
     public boolean isTLSEnabled() {
-        return sslConfiguration != null;
+        return engineProvider != null;
     }
 
     public SSLEngine createServerSSLEngine() {
         assert isTLSEnabled();
-        SSLEngine sslEngine = engineProvider.create(sslConfiguration, null, -1);
+        SSLEngine sslEngine = engineProvider.create(null, -1);
         sslEngine.setUseClientMode(false);
         return sslEngine;
     }
 
     public static TLSConfig noTLS() {
-        return new TLSConfig(null, null);
+        return new TLSConfig(null);
     }
 
     @FunctionalInterface
     public interface EngineProvider {
 
-        SSLEngine create(SslConfiguration configuration, String host, int port);
+        SSLEngine create(String host, int port);
     }
 }

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLService.java

@@ -319,41 +319,6 @@ public SSLSocketFactory sslSocketFactory(SslConfiguration configuration) {
         return securitySSLSocketFactory;
     }
 
-    /**
-     * Creates an {@link SSLEngine} based on the provided configuration. This SSLEngine can be used for a connection that requires
-     * hostname verification assuming the provided
-     * host and port are correct. The SSLEngine created by this method is most useful for clients with hostname verification enabled
-     *
-     * @param configuration the ssl configuration
-     * @param host          the host of the remote endpoint. If using hostname verification, this should match what is in the remote
-     *                      endpoint's certificate
-     * @param port          the port of the remote endpoint
-     * @return {@link SSLEngine}
-     * @see #getSSLConfiguration(String)
-     */
-    public SSLEngine createSSLEngine(SslConfiguration configuration, String host, int port) {
-        SSLContext sslContext = sslContext(configuration);
-        SSLEngine sslEngine = sslContext.createSSLEngine(host, port);
-        String[] ciphers = supportedCiphers(sslEngine.getSupportedCipherSuites(), configuration.getCipherSuites(), false);
-        String[] supportedProtocols = configuration.supportedProtocols().toArray(Strings.EMPTY_ARRAY);
-        SSLParameters parameters = new SSLParameters(ciphers, supportedProtocols);
-        if (configuration.verificationMode().isHostnameVerificationEnabled() && host != null) {
-            // By default, an SSLEngine will not perform hostname verification. In order to perform hostname verification
-            // we need to specify a EndpointIdentificationAlgorithm. We use the HTTPS algorithm to prevent against
-            // man in the middle attacks for all of our connections.
-            parameters.setEndpointIdentificationAlgorithm("HTTPS");
-        }
-        // we use the cipher suite order so that we can prefer the ciphers we set first in the list
-        parameters.setUseCipherSuitesOrder(true);
-        configuration.clientAuth().configure(parameters);
-
-        // many SSLEngine options can be configured using either SSLParameters or direct methods on the engine itself, but there is one
-        // tricky aspect; if you set a value directly on the engine and then later set the SSLParameters the value set directly on the
-        // engine will be overwritten by the value in the SSLParameters
-        sslEngine.setSSLParameters(parameters);
-        return sslEngine;
-    }
-
     /**
      * Returns whether the provided settings results in a valid configuration that can be used for server connections
      *
@@ -847,7 +812,25 @@ public SSLIOSessionStrategy ioSessionStrategy4() {
 
         @Override
         public SSLEngine engine(String host, int port) {
-            return SSLService.this.createSSLEngine(this.configuration(), host, port);
+            final SSLEngine sslEngine = this.context.createSSLEngine(host, port);
+            final String[] ciphers = supportedCiphers(sslEngine.getSupportedCipherSuites(), this.sslConfiguration.getCipherSuites(), false);
+            final String[] supportedProtocols = this.configuration().supportedProtocols().toArray(Strings.EMPTY_ARRAY);
+            final SSLParameters parameters = new SSLParameters(ciphers, supportedProtocols);
+            if (this.sslConfiguration.verificationMode().isHostnameVerificationEnabled() && host != null) {
+                // By default, an SSLEngine will not perform hostname verification. In order to perform hostname verification
+                // we need to specify a EndpointIdentificationAlgorithm. We use the HTTPS algorithm to prevent against
+                // man in the middle attacks for all of our connections.
+                parameters.setEndpointIdentificationAlgorithm("HTTPS");
+            }
+            // we use the cipher suite order so that we can prefer the ciphers we set first in the list
+            parameters.setUseCipherSuitesOrder(true);
+            this.sslConfiguration.clientAuth().configure(parameters);
+
+            // many SSLEngine options can be configured using either SSLParameters or direct methods on the engine itself, but there is one
+            // tricky aspect; if you set a value directly on the engine and then later set the SSLParameters the value set directly on the
+            // engine will be overwritten by the value in the SSLParameters
+            sslEngine.setSSLParameters(parameters);
+            return sslEngine;
         }
 
         synchronized void reload() {

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLServiceTests.java

@@ -163,28 +163,16 @@ public void testThatCustomTruststoreCanBeSpecified() throws Exception {
             .build();
 
         SslConfiguration configuration = SslSettingsLoader.load(customTruststoreSettings, null, env);
-        SSLEngine sslEngineWithTruststore = sslService.createSSLEngine(configuration, null, -1);
+        SslProfile profile = sslService.profile("transport.profiles.foo.xpack.security.ssl");
+        assertThat(profile.configuration(), equalTo(configuration));
+        assertThat(profile.configuration().getDependentFiles(), contains(testClientStore));
+        SSLEngine sslEngineWithTruststore = profile.engine(null, -1);
         assertThat(sslEngineWithTruststore, is(not(nullValue())));
 
-        SslConfiguration defaultConfig = sslService.getSSLConfiguration("xpack.security.transport.ssl");
-        SSLEngine sslEngine = sslService.createSSLEngine(defaultConfig, null, -1);
+        SslProfile defaultProfile = sslService.profile("xpack.security.transport.ssl");
+        SSLEngine sslEngine = defaultProfile.engine(null, -1);
         assertThat(sslEngineWithTruststore, is(not(sameInstance(sslEngine))));
-
-        final SslConfiguration profileConfiguration = sslService.getSSLConfiguration("transport.profiles.foo.xpack.security.ssl");
-        assertThat(profileConfiguration, notNullValue());
-        assertThat(profileConfiguration.getDependentFiles(), contains(testClientStore));
-
-        final SslProfile defaultSslProfile = sslService.profile(
-            randomFrom("xpack.security.transport.ssl", "xpack.security.transport.ssl.")
-        );
-        assertThat(defaultSslProfile, notNullValue());
-        assertThat(defaultSslProfile.configuration().trustConfig().getDependentFiles(), containsInAnyOrder(testnodeStore));
-
-        final SslProfile fooSslProfile = sslService.profile(
-            randomFrom("transport.profiles.foo.xpack.security.ssl", "transport.profiles.foo.xpack.security.ssl.")
-        );
-        assertThat(fooSslProfile, notNullValue());
-        assertThat(fooSslProfile.configuration().trustConfig().getDependentFiles(), containsInAnyOrder(testClientStore));
+        assertThat(defaultProfile.configuration().getDependentFiles(), contains(testnodeStore));
     }
 
     public void testThatSslContextCachingWorks() throws Exception {
@@ -230,10 +218,7 @@ public void testThatKeyStoreAndKeyCanHaveDifferentPasswords() throws Exception {
             .build();
 
         final SSLService sslService = new SSLService(TestEnvironment.newEnvironment(buildEnvSettings(settings)));
-        SslConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
-        sslService.createSSLEngine(configuration, null, -1);
-
-        final SslProfile profile = sslService.profile("xpack.security.transport.ssl.");
+        final SslProfile profile = sslService.profile("xpack.security.transport.ssl");
         profile.engine(null, -1);
     }
 
@@ -250,8 +235,8 @@ public void testIncorrectKeyPasswordThrowsException() throws Exception {
                 .setSecureSettings(secureSettings)
                 .build();
             final SSLService sslService = new SSLService(TestEnvironment.newEnvironment(buildEnvSettings(settings)));
-            SslConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
-            sslService.createSSLEngine(configuration, null, -1);
+            SslProfile profile = sslService.profile("xpack.security.transport.ssl");
+            profile.engine(null, -1);
             fail("expected an exception");
         } catch (ElasticsearchException e) {
             assertThat(e, throwableWithMessage(startsWith("failed to load SSL configuration [xpack.security.transport.ssl] - ")));
@@ -268,10 +253,7 @@ public void testThatSSLv3IsNotEnabled() throws Exception {
             .put("xpack.security.transport.ssl.key", testnodeKey)
             .setSecureSettings(secureSettings)
             .build();
-        SSLService sslService = new SSLService(TestEnvironment.newEnvironment(buildEnvSettings(settings)));
-        SslConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
-        SSLEngine engine = sslService.createSSLEngine(configuration, null, -1);
-        assertThat(Arrays.asList(engine.getEnabledProtocols()), not(hasItem("SSLv3")));
+        final SSLService sslService = new SSLService(TestEnvironment.newEnvironment(buildEnvSettings(settings)));
 
         final SslProfile profile = sslService.profile("xpack.security.transport.ssl.");
         final String[] profileProtocols = profile.engine(null, -1).getEnabledProtocols();
@@ -281,11 +263,9 @@ public void testThatSSLv3IsNotEnabled() throws Exception {
 
     public void testThatCreateClientSSLEngineWithoutAnySettingsWorks() throws Exception {
         SSLService sslService = new SSLService(env);
-        SslConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
-        SSLEngine sslEngine = sslService.createSSLEngine(configuration, null, -1);
-        assertThat(sslEngine, notNullValue());
-
-        assertThat(sslService.profile("xpack.security.transport.ssl.").engine(null, -1), notNullValue());
+        final SslProfile profile = sslService.profile("xpack.security.transport.ssl");
+        final SSLEngine engine = profile.engine(null, -1);
+        assertThat(engine, notNullValue());
     }
 
     public void testThatCreateSSLEngineWithOnlyTruststoreWorks() throws Exception {
@@ -297,8 +277,8 @@ public void testThatCreateSSLEngineWithOnlyTruststoreWorks() throws Exception {
             .setSecureSettings(secureSettings)
             .build();
         SSLService sslService = new SSLService(TestEnvironment.newEnvironment(buildEnvSettings(settings)));
-        SslConfiguration configuration = sslService.getSSLConfiguration("xpack.security.http.ssl");
-        SSLEngine sslEngine = sslService.createSSLEngine(configuration, null, -1);
+        SslProfile profile = sslService.profile("xpack.security.http.ssl");
+        SSLEngine sslEngine = profile.engine(null, -1);
         assertThat(sslEngine, notNullValue());
 
         assertThat(sslService.profile("xpack.security.http.ssl.").engine(null, -1), notNullValue());
@@ -496,16 +476,10 @@ public void testCiphersAndInvalidCiphersWork() throws Exception {
             .build();
         SSLService sslService = new SSLService(TestEnvironment.newEnvironment(buildEnvSettings(settings)));
 
-        final SslConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
-        SSLEngine engine = sslService.createSSLEngine(configuration, null, -1);
-        assertThat(engine, is(notNullValue()));
-        String[] enabledCiphers = engine.getEnabledCipherSuites();
-        assertThat(Arrays.asList(enabledCiphers), not(contains("foo", "bar")));
-
-        final SslProfile profile = sslService.profile("xpack.security.transport.ssl.");
-        engine = profile.engine(null, -1);
+        final SslProfile profile = sslService.profile("xpack.security.transport.ssl");
+        var engine = profile.engine(null, -1);
         assertThat(engine, is(notNullValue()));
-        enabledCiphers = engine.getEnabledCipherSuites();
+        var enabledCiphers = engine.getEnabledCipherSuites();
         assertThat(Arrays.asList(enabledCiphers), not(contains("foo", "bar")));
     }
 
@@ -544,13 +518,8 @@ public void testThatSSLEngineHasCipherSuitesOrderSet() throws Exception {
 
         SSLService sslService = new SSLService(TestEnvironment.newEnvironment(buildEnvSettings(settings)));
 
-        final SslConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
-        SSLEngine engine = sslService.createSSLEngine(configuration, null, -1);
-        assertThat(engine, is(notNullValue()));
-        assertTrue(engine.getSSLParameters().getUseCipherSuitesOrder());
-
-        final SslProfile profile = sslService.profile("xpack.security.transport.ssl.");
-        engine = profile.engine(null, -1);
+        final SslProfile profile = sslService.profile("xpack.security.transport.ssl");
+        SSLEngine engine = profile.engine(null, -1);
         assertThat(engine, is(notNullValue()));
         assertTrue(engine.getSSLParameters().getUseCipherSuitesOrder());
     }
@@ -598,9 +567,10 @@ public void testThatSSLEngineHasProperCiphersAndProtocols() throws Exception {
             .put("xpack.security.transport.ssl.key", testnodeKey)
             .setSecureSettings(secureSettings)
             .build();
-        SSLService sslService = new SSLService(TestEnvironment.newEnvironment(buildEnvSettings(settings)));
-        SslConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
-        SSLEngine engine = sslService.createSSLEngine(configuration, null, -1);
+        final SSLService sslService = new SSLService(TestEnvironment.newEnvironment(buildEnvSettings(settings)));
+        final SslProfile profile = sslService.profile("xpack.security.transport.ssl");
+        final SSLEngine engine = profile.engine(null, -1);
+        final SslConfiguration configuration = profile.configuration();
         final String[] ciphers = sslService.supportedCiphers(engine.getSupportedCipherSuites(), configuration.getCipherSuites(), false);
         final String[] getSupportedProtocols = configuration.supportedProtocols().toArray(Strings.EMPTY_ARRAY);
         assertThat(engine.getEnabledCipherSuites(), is(ciphers));

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java

@@ -222,6 +222,7 @@
 import org.elasticsearch.xpack.core.security.user.AnonymousUser;
 import org.elasticsearch.xpack.core.ssl.SSLConfigurationSettings;
 import org.elasticsearch.xpack.core.ssl.SSLService;
+import org.elasticsearch.xpack.core.ssl.SslProfile;
 import org.elasticsearch.xpack.core.ssl.TransportTLSBootstrapCheck;
 import org.elasticsearch.xpack.core.ssl.action.GetCertificateInfoAction;
 import org.elasticsearch.xpack.core.ssl.action.TransportGetCertificateInfoAction;
@@ -2031,10 +2032,11 @@ public boolean test(String profile, InetSocketAddress peerAddress) {
         httpTransports.put(SecurityField.NAME4, () -> {
             final boolean ssl = HTTP_SSL_ENABLED.get(settings);
             final SSLService sslService = getSslService();
-            final SslConfiguration sslConfiguration;
             final BiConsumer<Channel, ThreadContext> populateClientCertificate;
+            final TLSConfig tlsConfig;
             if (ssl) {
-                sslConfiguration = sslService.getHttpTransportSSLConfiguration();
+                final SslProfile sslProfile = sslService.profile(XPackSettings.HTTP_SSL_PREFIX);
+                final SslConfiguration sslConfiguration = sslProfile.configuration();
                 if (SSLService.isConfigurationValidForServerUsage(sslConfiguration) == false) {
                     throw new IllegalArgumentException(
                         "a key must be provided to run as a server. the key should be configured using the "
@@ -2046,8 +2048,9 @@ public boolean test(String profile, InetSocketAddress peerAddress) {
                 } else {
                     populateClientCertificate = (channel, threadContext) -> {};
                 }
+                tlsConfig = new TLSConfig(sslProfile::engine);
             } else {
-                sslConfiguration = null;
+                tlsConfig = TLSConfig.noTLS();
                 populateClientCertificate = (channel, threadContext) -> {};
             }
             final AuthenticationService authenticationService = this.authcService.get();
@@ -2061,7 +2064,7 @@ public boolean test(String profile, InetSocketAddress peerAddress) {
                 clusterSettings,
                 getNettySharedGroupFactory(settings),
                 telemetryProvider,
-                new TLSConfig(sslConfiguration, sslService::createSSLEngine),
+                tlsConfig,
                 acceptPredicate,
                 (httpRequest, channel, listener) -> {
                     HttpPreRequest httpPreRequest = HttpHeadersAuthenticatorUtils.asHttpPreRequest(httpRequest);

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SecurityNetty4HttpServerTransportCloseNotifyTests.java

@@ -43,6 +43,7 @@
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.transport.netty4.SharedGroupFactory;
 import org.elasticsearch.transport.netty4.TLSConfig;
+import org.elasticsearch.xpack.core.XPackSettings;
 import org.elasticsearch.xpack.core.ssl.SSLService;
 
 import java.security.cert.CertificateException;
@@ -108,7 +109,7 @@ private HttpServer setupHttpServer(String tlsProtocols) throws CertificateExcept
             randomClusterSettings(),
             new SharedGroupFactory(settings),
             TelemetryProvider.NOOP,
-            new TLSConfig(sslService.getHttpTransportSSLConfiguration(), sslService::createSSLEngine),
+            new TLSConfig(sslService.profile(XPackSettings.HTTP_SSL_PREFIX)::engine),
             null,
             randomFrom((httpPreRequest, channel, listener) -> listener.onResponse(null), null)
         );