Move SSLIOSessionStrategy creation to a builder

Author: tvernum

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLIOSessionStrategyBuilder.java

@@ -0,0 +1,93 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+package org.elasticsearch.xpack.core.ssl;
+
+import org.apache.http.HttpHost;
+import org.apache.http.conn.ssl.NoopHostnameVerifier;
+import org.apache.http.nio.conn.ssl.SSLIOSessionStrategy;
+import org.apache.http.nio.reactor.IOSession;
+import org.elasticsearch.common.Strings;
+import org.elasticsearch.common.logging.LoggerMessageFormat;
+import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.common.ssl.SslConfiguration;
+import org.elasticsearch.common.ssl.SslDiagnostics;
+
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLParameters;
+import javax.net.ssl.SSLPeerUnverifiedException;
+import javax.net.ssl.SSLSession;
+import javax.security.auth.x500.X500Principal;
+
+import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
+import java.util.List;
+
+public class SSLIOSessionStrategyBuilder {
+
+    public static final SSLIOSessionStrategyBuilder INSTANCE = new SSLIOSessionStrategyBuilder();
+
+    public SSLIOSessionStrategy sslIOSessionStrategy(SslConfiguration config, SSLContext sslContext) {
+        String[] ciphers = supportedCiphers(sslParameters(sslContext).getCipherSuites(), config.getCipherSuites(), false);
+        String[] supportedProtocols = config.supportedProtocols().toArray(Strings.EMPTY_ARRAY);
+        HostnameVerifier verifier;
+
+        if (config.verificationMode().isHostnameVerificationEnabled()) {
+            verifier = SSLIOSessionStrategy.getDefaultHostnameVerifier();
+        } else {
+            verifier = NoopHostnameVerifier.INSTANCE;
+        }
+
+        return sslIOSessionStrategy(sslContext, supportedProtocols, ciphers, verifier);
+    }
+
+    /**
+     * This method exists to simplify testing
+     */
+    String[] supportedCiphers(String[] supportedCiphers, List<String> requestedCiphers, boolean log) {
+        return SSLService.supportedCiphers(supportedCiphers, requestedCiphers, log);
+    }
+
+    /**
+     * The {@link SSLParameters} that are associated with the {@code sslContext}.
+     * <p>
+     * This method exists to simplify testing since {@link SSLContext#getSupportedSSLParameters()} is {@code final}.
+     *
+     * @param sslContext The SSL context for the current SSL settings
+     * @return Never {@code null}.
+     */
+    SSLParameters sslParameters(SSLContext sslContext) {
+        return sslContext.getSupportedSSLParameters();
+    }
+
+    /**
+     * This method only exists to simplify testing because {@link SSLIOSessionStrategy} does
+     * not expose any of the parameters that you give it.
+     */
+    SSLIOSessionStrategy sslIOSessionStrategy(SSLContext sslContext, String[] protocols, String[] ciphers, HostnameVerifier verifier) {
+        return new SSLIOSessionStrategy(sslContext, protocols, ciphers, verifier) {
+            @Override
+            protected void verifySession(HttpHost host, IOSession iosession, SSLSession session) throws SSLException {
+                if (verifier.verify(host.getHostName(), session) == false) {
+                    final Certificate[] certs = session.getPeerCertificates();
+                    final X509Certificate x509 = (X509Certificate) certs[0];
+                    final X500Principal x500Principal = x509.getSubjectX500Principal();
+                    final String altNames = Strings.collectionToCommaDelimitedString(SslDiagnostics.describeValidHostnames(x509));
+                    throw new SSLPeerUnverifiedException(
+                        LoggerMessageFormat.format(
+                            "Expected SSL certificate to be valid for host [{}],"
+                                + " but it is only valid for subject alternative names [{}] and subject [{}]",
+                            new Object[] { host.getHostName(), altNames, x500Principal.toString() }
+                        )
+                    );
+                }
+            }
+        };
+    }
+}

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLService.java

@@ -240,64 +240,7 @@ public SslProfile profile(String profileName) {
     @Deprecated
     public SSLIOSessionStrategy sslIOSessionStrategy(Settings settingsToUse) {
         SslConfiguration config = sslConfiguration(settingsToUse);
-        return sslIOSessionStrategy(config, sslContext(config));
-    }
-
-    SSLIOSessionStrategy sslIOSessionStrategy(SslConfiguration config, SSLContext sslContext) {
-        String[] ciphers = supportedCiphers(sslParameters(sslContext).getCipherSuites(), config.getCipherSuites(), false);
-        String[] supportedProtocols = config.supportedProtocols().toArray(Strings.EMPTY_ARRAY);
-        HostnameVerifier verifier;
-
-        if (config.verificationMode().isHostnameVerificationEnabled()) {
-            verifier = SSLIOSessionStrategy.getDefaultHostnameVerifier();
-        } else {
-            verifier = NoopHostnameVerifier.INSTANCE;
-        }
-
-        return sslIOSessionStrategy(sslContext, supportedProtocols, ciphers, verifier);
-    }
-
-    /**
-     * The {@link SSLParameters} that are associated with the {@code sslContext}.
-     * <p>
-     * This method exists to simplify testing since {@link SSLContext#getSupportedSSLParameters()} is {@code final}.
-     *
-     * @param sslContext The SSL context for the current SSL settings
-     * @return Never {@code null}.
-     */
-    SSLParameters sslParameters(SSLContext sslContext) {
-        return sslContext.getSupportedSSLParameters();
-    }
-
-    /**
-     * This method only exists to simplify testing of {@link #sslIOSessionStrategy(Settings)} because {@link SSLIOSessionStrategy} does
-     * not expose any of the parameters that you give it.
-     *
-     * @param sslContext SSL Context used to handle SSL / TCP requests
-     * @param protocols  Supported protocols
-     * @param ciphers    Supported ciphers
-     * @param verifier   Hostname verifier
-     * @return Never {@code null}.
-     */
-    SSLIOSessionStrategy sslIOSessionStrategy(SSLContext sslContext, String[] protocols, String[] ciphers, HostnameVerifier verifier) {
-        return new SSLIOSessionStrategy(sslContext, protocols, ciphers, verifier) {
-            @Override
-            protected void verifySession(HttpHost host, IOSession iosession, SSLSession session) throws SSLException {
-                if (verifier.verify(host.getHostName(), session) == false) {
-                    final Certificate[] certs = session.getPeerCertificates();
-                    final X509Certificate x509 = (X509Certificate) certs[0];
-                    final X500Principal x500Principal = x509.getSubjectX500Principal();
-                    final String altNames = Strings.collectionToCommaDelimitedString(SslDiagnostics.describeValidHostnames(x509));
-                    throw new SSLPeerUnverifiedException(
-                        LoggerMessageFormat.format(
-                            "Expected SSL certificate to be valid for host [{}],"
-                                + " but it is only valid for subject alternative names [{}] and subject [{}]",
-                            new Object[] { host.getHostName(), altNames, x500Principal.toString() }
-                        )
-                    );
-                }
-            }
-        };
+        return SSLIOSessionStrategyBuilder.INSTANCE.sslIOSessionStrategy(config, sslContext(config));
     }
 
     /**
@@ -374,7 +317,7 @@ Collection<SslConfiguration> getLoadedSslConfigurations() {
      *
      * @throws IllegalArgumentException if no supported ciphers are in the requested ciphers
      */
-    String[] supportedCiphers(String[] supportedCiphers, List<String> requestedCiphers, boolean log) {
+    static String[] supportedCiphers(String[] supportedCiphers, List<String> requestedCiphers, boolean log) {
         List<String> supportedCiphersList = new ArrayList<>(requestedCiphers.size());
         List<String> unsupportedCiphers = new LinkedList<>();
         boolean found;
@@ -795,7 +738,7 @@ public SSLConnectionSocketFactory connectionSocketFactory() {
 
         @Override
         public SSLIOSessionStrategy ioSessionStrategy4() {
-            return sslIOSessionStrategy(this.sslConfiguration, context);
+            return SSLIOSessionStrategyBuilder.INSTANCE.sslIOSessionStrategy(this.sslConfiguration, context);
         }
 
         @Override

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLIOSessionStrategyBuilderTests.java

@@ -0,0 +1,88 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+package org.elasticsearch.xpack.core.ssl;
+
+import junit.framework.TestCase;
+
+import org.apache.http.conn.ssl.DefaultHostnameVerifier;
+import org.apache.http.conn.ssl.NoopHostnameVerifier;
+import org.apache.http.nio.conn.ssl.SSLIOSessionStrategy;
+import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.common.ssl.SslConfiguration;
+import org.elasticsearch.common.ssl.SslVerificationMode;
+import org.elasticsearch.env.TestEnvironment;
+import org.elasticsearch.test.ESTestCase;
+import org.mockito.Mockito;
+
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLParameters;
+
+import java.util.List;
+
+import static org.hamcrest.Matchers.instanceOf;
+import static org.hamcrest.Matchers.is;
+import static org.hamcrest.Matchers.sameInstance;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.anyList;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+public class SSLIOSessionStrategyBuilderTests extends ESTestCase {
+
+    public void testBuildSSLStrategy() {
+        var env = TestEnvironment.newEnvironment(Settings.builder().put("path.home", createTempDir()).build());
+        // this just exhaustively verifies that the right things are called and that it uses the right parameters
+        SslVerificationMode mode = randomFrom(SslVerificationMode.values());
+        Settings settings = Settings.builder()
+            .put("supported_protocols", "protocols")
+            .put("cipher_suites", "INVALID_CIPHER")
+            .put("verification_mode", mode.name())
+            .build();
+        SSLIOSessionStrategyBuilder builder = mock(SSLIOSessionStrategyBuilder.class);
+        SslConfiguration sslConfig = SslSettingsLoader.load(settings, null, env);
+        SSLParameters sslParameters = mock(SSLParameters.class);
+        SSLContext sslContext = mock(SSLContext.class);
+        String[] protocols = new String[] { "protocols" };
+        String[] ciphers = new String[] { "ciphers!!!" };
+        String[] supportedCiphers = new String[] { "supported ciphers" };
+        List<String> requestedCiphers = List.of("INVALID_CIPHER");
+        SSLIOSessionStrategy sslStrategy = mock(SSLIOSessionStrategy.class);
+
+        when(builder.supportedCiphers(any(String[].class), anyList(), any(Boolean.TYPE))).thenAnswer(inv -> {
+            final Object[] args = inv.getArguments();
+            assertThat(args[0], is(supportedCiphers));
+            assertThat(args[1], is(requestedCiphers));
+            assertThat(args[2], is(false));
+            return ciphers;
+        });
+        when(builder.sslParameters(sslContext)).thenReturn(sslParameters);
+        when(sslParameters.getCipherSuites()).thenReturn(supportedCiphers);
+
+        when(builder.sslIOSessionStrategy(any(SSLContext.class), any(String[].class), any(String[].class), any(HostnameVerifier.class)))
+            .thenAnswer(inv -> {
+                final Object[] args = inv.getArguments();
+                assertThat(args[0], is(sslContext));
+                assertThat(args[1], is(protocols));
+                assertThat(args[2], is(ciphers));
+                if (mode.isHostnameVerificationEnabled()) {
+                    assertThat(args[3], instanceOf(DefaultHostnameVerifier.class));
+                } else {
+                    assertThat(args[3], sameInstance(NoopHostnameVerifier.INSTANCE));
+                }
+                return sslStrategy;
+            });
+
+        when(builder.sslIOSessionStrategy(Mockito.eq(sslConfig), Mockito.any(SSLContext.class))).thenCallRealMethod();
+
+        final SslConfiguration config = new SSLService(env).sslConfiguration(settings);
+        final SSLIOSessionStrategy actual = builder.sslIOSessionStrategy(config, sslContext);
+        assertThat(actual, sameInstance(sslStrategy));
+    }
+
+}

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLServiceTests.java

@@ -539,7 +539,7 @@ public void testThatSSLSocketFactoryHasProperCiphersAndProtocols() throws Except
 
         final SSLSocketFactory factory = profile.socketFactory();
         final SslConfiguration config = profile.configuration();
-        final String[] ciphers = sslService.supportedCiphers(factory.getSupportedCipherSuites(), config.getCipherSuites(), false);
+        final String[] ciphers = SSLService.supportedCiphers(factory.getSupportedCipherSuites(), config.getCipherSuites(), false);
         assertThat(factory.getDefaultCipherSuites(), is(ciphers));
 
         final String[] getSupportedProtocols = config.supportedProtocols().toArray(Strings.EMPTY_ARRAY);
@@ -566,7 +566,7 @@ public void testThatSSLEngineHasProperCiphersAndProtocols() throws Exception {
         final SslProfile profile = sslService.profile("xpack.security.transport.ssl");
         final SSLEngine engine = profile.engine(null, -1);
         final SslConfiguration configuration = profile.configuration();
-        final String[] ciphers = sslService.supportedCiphers(engine.getSupportedCipherSuites(), configuration.getCipherSuites(), false);
+        final String[] ciphers = SSLService.supportedCiphers(engine.getSupportedCipherSuites(), configuration.getCipherSuites(), false);
         final String[] getSupportedProtocols = configuration.supportedProtocols().toArray(Strings.EMPTY_ARRAY);
         assertThat(engine.getEnabledCipherSuites(), is(ciphers));
         assertArrayEquals(ciphers, engine.getSSLParameters().getCipherSuites());
@@ -575,58 +575,6 @@ public void testThatSSLEngineHasProperCiphersAndProtocols() throws Exception {
         assertThat(engine.getSSLParameters().getProtocols(), arrayContainingInAnyOrder(getSupportedProtocols));
     }
 
-    public void testSSLStrategy() {
-        // this just exhaustively verifies that the right things are called and that it uses the right parameters
-        SslVerificationMode mode = randomFrom(SslVerificationMode.values());
-        Settings settings = Settings.builder()
-            .put("supported_protocols", "protocols")
-            .put("cipher_suites", "INVALID_CIPHER")
-            .put("verification_mode", mode.name())
-            .build();
-        SSLService sslService = mock(SSLService.class);
-        SslConfiguration sslConfig = SslSettingsLoader.load(settings, null, env);
-        SSLParameters sslParameters = mock(SSLParameters.class);
-        SSLContext sslContext = mock(SSLContext.class);
-        String[] protocols = new String[] { "protocols" };
-        String[] ciphers = new String[] { "ciphers!!!" };
-        String[] supportedCiphers = new String[] { "supported ciphers" };
-        List<String> requestedCiphers = List.of("INVALID_CIPHER");
-        SSLIOSessionStrategy sslStrategy = mock(SSLIOSessionStrategy.class);
-
-        when(sslService.sslConfiguration(settings)).thenReturn(sslConfig);
-        when(sslService.sslContext(sslConfig)).thenReturn(sslContext);
-        when(sslService.supportedCiphers(any(String[].class), anyList(), any(Boolean.TYPE))).thenAnswer(inv -> {
-            final Object[] args = inv.getArguments();
-            assertThat(args[0], is(supportedCiphers));
-            assertThat(args[1], is(requestedCiphers));
-            assertThat(args[2], is(false));
-            return ciphers;
-        });
-        when(sslService.sslParameters(sslContext)).thenReturn(sslParameters);
-        when(sslParameters.getCipherSuites()).thenReturn(supportedCiphers);
-
-        when(sslService.sslIOSessionStrategy(any(SSLContext.class), any(String[].class), any(String[].class), any(HostnameVerifier.class)))
-            .thenAnswer(inv -> {
-                final Object[] args = inv.getArguments();
-                assertThat(args[0], is(sslContext));
-                assertThat(args[1], is(protocols));
-                assertThat(args[2], is(ciphers));
-                if (mode.isHostnameVerificationEnabled()) {
-                    assertThat(args[3], instanceOf(DefaultHostnameVerifier.class));
-                } else {
-                    assertThat(args[3], sameInstance(NoopHostnameVerifier.INSTANCE));
-                }
-                return sslStrategy;
-            });
-
-        // ensure it actually goes through and calls the real method
-        when(sslService.sslIOSessionStrategy(settings)).thenCallRealMethod();
-        when(sslService.sslIOSessionStrategy(Mockito.eq(sslConfig), Mockito.any(SSLContext.class))).thenCallRealMethod();
-
-        final SSLIOSessionStrategy actual = sslService.sslIOSessionStrategy(settings);
-        assertThat(actual, sameInstance(sslStrategy));
-    }
-
     public void testGetConfigurationByContextName() throws Exception {
         assumeFalse("Can't run in a FIPS JVM, JKS keystores can't be used", inFipsJvm());
         final SSLContext sslContext = SSLContext.getInstance("TLSv1.2");