Move SSLService.sslSocketFactory to profile

Author: tvernum

modules/transport-netty4/src/main/java/org/elasticsearch/transport/netty4/TLSConfig.java

@@ -9,8 +9,6 @@
 
 package org.elasticsearch.transport.netty4;
 
-import org.elasticsearch.common.ssl.SslConfiguration;
-
 import javax.net.ssl.SSLEngine;
 
 public record TLSConfig(EngineProvider engineProvider) {

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/CommandLineHttpClient.java

@@ -14,7 +14,6 @@
 import org.elasticsearch.common.network.NetworkService;
 import org.elasticsearch.common.settings.SecureString;
 import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.common.ssl.SslConfiguration;
 import org.elasticsearch.core.CharArrays;
 import org.elasticsearch.core.CheckedFunction;
 import org.elasticsearch.core.Releasables;
@@ -26,6 +25,7 @@
 import org.elasticsearch.xpack.core.security.HttpResponse.HttpResponseBuilder;
 import org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken;
 import org.elasticsearch.xpack.core.ssl.SSLService;
+import org.elasticsearch.xpack.core.ssl.SslProfile;
 
 import java.io.IOException;
 import java.io.InputStream;
@@ -154,10 +154,12 @@ private HttpResponse execute(
                     sslContext.init(null, new TrustManager[] { fingerprintTrustingTrustManager(pinnedCaCertFingerprint) }, null);
                     httpsConn.setSSLSocketFactory(sslContext.getSocketFactory());
                 } else {
-                    final SslConfiguration sslConfiguration = sslService.getHttpTransportSSLConfiguration();
+                    final SslProfile sslProfile = sslService.profile(XPackSettings.HTTP_SSL_PREFIX);
                     // Requires permission java.lang.RuntimePermission "setFactory";
-                    httpsConn.setSSLSocketFactory(sslService.sslSocketFactory(sslConfiguration));
-                    final boolean isHostnameVerificationEnabled = sslConfiguration.verificationMode().isHostnameVerificationEnabled();
+                    httpsConn.setSSLSocketFactory(sslProfile.socketFactory());
+                    final boolean isHostnameVerificationEnabled = sslProfile.configuration()
+                        .verificationMode()
+                        .isHostnameVerificationEnabled();
                     if (isHostnameVerificationEnabled == false) {
                         httpsConn.setHostnameVerifier((hostname, session) -> true);
                     }

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLService.java

@@ -300,25 +300,6 @@ protected void verifySession(HttpHost host, IOSession iosession, SSLSession sess
         };
     }
 
-    /**
-     * Create a new {@link SSLSocketFactory} based on the provided configuration.
-     * The socket factory will also properly configure the ciphers and protocols on each socket that is created
-     *
-     * @param configuration The SSL configuration to use. Typically obtained from {@link #getSSLConfiguration(String)}
-     * @return Never {@code null}.
-     */
-    public SSLSocketFactory sslSocketFactory(SslConfiguration configuration) {
-        final SSLContextHolder contextHolder = sslContextHolder(configuration);
-        SSLSocketFactory socketFactory = contextHolder.sslContext().getSocketFactory();
-        final SecuritySSLSocketFactory securitySSLSocketFactory = new SecuritySSLSocketFactory(
-            () -> contextHolder.sslContext().getSocketFactory(),
-            configuration.supportedProtocols().toArray(Strings.EMPTY_ARRAY),
-            supportedCiphers(socketFactory.getSupportedCipherSuites(), configuration.getCipherSuites(), false)
-        );
-        contextHolder.addReloadListener(securitySSLSocketFactory::reload);
-        return securitySSLSocketFactory;
-    }
-
     /**
      * Returns whether the provided settings results in a valid configuration that can be used for server connections
      *
@@ -788,7 +769,14 @@ public SslConfiguration configuration() {
 
         @Override
         public SSLSocketFactory socketFactory() {
-            return SSLService.this.sslSocketFactory(this.sslConfiguration);
+            SSLSocketFactory socketFactory = context.getSocketFactory();
+            final SecuritySSLSocketFactory securitySSLSocketFactory = new SecuritySSLSocketFactory(
+                () -> context.getSocketFactory(),
+                sslConfiguration.supportedProtocols().toArray(Strings.EMPTY_ARRAY),
+                supportedCiphers(socketFactory.getSupportedCipherSuites(), sslConfiguration.getCipherSuites(), false)
+            );
+            this.addReloadListener(securitySSLSocketFactory::reload);
+            return securitySSLSocketFactory;
         }
 
         @Override

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SslProfile.java

@@ -21,6 +21,12 @@ public interface SslProfile {
 
     SSLContext sslContext();
 
+    /**
+     * Create a new {@link SSLSocketFactory} based on the provided configuration.
+     * The socket factory will also properly configure the ciphers and protocols on each socket that is created
+     *
+     * @return Never {@code null}.
+     */
     SSLSocketFactory socketFactory();
 
     HostnameVerifier hostnameVerifier();

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLServiceTests.java

@@ -78,7 +78,6 @@
 import static org.hamcrest.Matchers.arrayContainingInAnyOrder;
 import static org.hamcrest.Matchers.arrayWithSize;
 import static org.hamcrest.Matchers.contains;
-import static org.hamcrest.Matchers.containsInAnyOrder;
 import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.greaterThan;
@@ -536,19 +535,15 @@ public void testThatSSLSocketFactoryHasProperCiphersAndProtocols() throws Except
 
         SSLService sslService = new SSLService(TestEnvironment.newEnvironment(buildEnvSettings(settings)));
 
-        SslConfiguration config = sslService.getSSLConfiguration("xpack.security.transport.ssl");
-
-        final SSLSocketFactory configFactory = sslService.sslSocketFactory(config);
-        final String[] ciphers = sslService.supportedCiphers(configFactory.getSupportedCipherSuites(), config.getCipherSuites(), false);
-        assertThat(configFactory.getDefaultCipherSuites(), is(ciphers));
+        final SslProfile profile = sslService.profile("xpack.security.transport.ssl");
 
-        SslProfile profile = sslService.profile("xpack.security.transport.ssl");
-        final SSLSocketFactory profileFactory = profile.socketFactory();
-        assertThat(profileFactory.getSupportedCipherSuites(), is(configFactory.getSupportedCipherSuites()));
-        assertThat(profileFactory.getDefaultCipherSuites(), is(configFactory.getDefaultCipherSuites()));
+        final SSLSocketFactory factory = profile.socketFactory();
+        final SslConfiguration config = profile.configuration();
+        final String[] ciphers = sslService.supportedCiphers(factory.getSupportedCipherSuites(), config.getCipherSuites(), false);
+        assertThat(factory.getDefaultCipherSuites(), is(ciphers));
 
         final String[] getSupportedProtocols = config.supportedProtocols().toArray(Strings.EMPTY_ARRAY);
-        try (SSLSocket socket = (SSLSocket) randomFrom(configFactory, profileFactory).createSocket()) {
+        try (SSLSocket socket = (SSLSocket) factory.createSocket()) {
             assertThat(socket.getEnabledCipherSuites(), is(ciphers));
             // the order we set the protocols in is not going to be what is returned as internally the JDK may sort the versions
             assertThat(socket.getEnabledProtocols(), arrayContainingInAnyOrder(getSupportedProtocols));

x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/transport/ssl/SslIntegrationTests.java

@@ -19,14 +19,14 @@
 import org.elasticsearch.common.io.Streams;
 import org.elasticsearch.common.network.NetworkAddress;
 import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.common.ssl.SslConfiguration;
 import org.elasticsearch.common.transport.TransportAddress;
 import org.elasticsearch.core.Strings;
 import org.elasticsearch.env.TestEnvironment;
 import org.elasticsearch.http.HttpServerTransport;
 import org.elasticsearch.test.SecurityIntegTestCase;
 import org.elasticsearch.xpack.core.common.socket.SocketAccess;
 import org.elasticsearch.xpack.core.ssl.SSLService;
+import org.elasticsearch.xpack.core.ssl.SslProfile;
 
 import java.io.InputStreamReader;
 import java.net.InetSocketAddress;
@@ -80,14 +80,11 @@ public void testThatConnectionToHTTPWorks() throws Exception {
             AuthScope.ANY,
             new UsernamePasswordCredentials(nodeClientUsername(), new String(nodeClientPassword().getChars()))
         );
-        SslConfiguration sslConfiguration = service.getSSLConfiguration("xpack.security.http.ssl");
+        SslProfile sslProfile = service.profile("xpack.security.http.ssl");
         try (
             CloseableHttpClient client = HttpClients.custom()
                 .setSSLSocketFactory(
-                    new SSLConnectionSocketFactory(
-                        service.sslSocketFactory(sslConfiguration),
-                        SSLConnectionSocketFactory.getDefaultHostnameVerifier()
-                    )
+                    new SSLConnectionSocketFactory(sslProfile.socketFactory(), SSLConnectionSocketFactory.getDefaultHostnameVerifier())
                 )
                 .setDefaultCredentialsProvider(provider)
                 .build();

x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/ssl/SSLReloadIntegTests.java

@@ -9,12 +9,12 @@
 import org.elasticsearch.ElasticsearchException;
 import org.elasticsearch.common.settings.MockSecureSettings;
 import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.common.ssl.SslConfiguration;
 import org.elasticsearch.common.transport.TransportAddress;
 import org.elasticsearch.env.TestEnvironment;
 import org.elasticsearch.test.SecurityIntegTestCase;
 import org.elasticsearch.transport.Transport;
 import org.elasticsearch.xpack.core.ssl.SSLService;
+import org.elasticsearch.xpack.core.ssl.SslProfile;
 
 import java.io.IOException;
 import java.net.SocketException;
@@ -112,8 +112,8 @@ public void testThatSSLConfigurationReloadsOnModification() throws Exception {
             .build();
         String node = randomFrom(internalCluster().getNodeNames());
         SSLService sslService = new SSLService(TestEnvironment.newEnvironment(settings));
-        SslConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
-        SSLSocketFactory sslSocketFactory = sslService.sslSocketFactory(sslConfiguration);
+        SslProfile sslProfile = sslService.profile("xpack.security.transport.ssl");
+        SSLSocketFactory sslSocketFactory = sslProfile.socketFactory();
         TransportAddress address = internalCluster().getInstance(Transport.class, node).boundAddress().publishAddress();
         // Fails as our nodes do not trust testnode_updated.crt
         try (SSLSocket socket = (SSLSocket) sslSocketFactory.createSocket(address.getAddress(), address.getPort())) {

x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/ssl/SSLTrustRestrictionsTests.java

@@ -9,7 +9,6 @@
 import org.elasticsearch.ElasticsearchException;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.ssl.PemUtils;
-import org.elasticsearch.common.ssl.SslConfiguration;
 import org.elasticsearch.common.transport.TransportAddress;
 import org.elasticsearch.core.PathUtils;
 import org.elasticsearch.core.TimeValue;
@@ -22,6 +21,7 @@
 import org.elasticsearch.xpack.core.ssl.CertParsingUtils;
 import org.elasticsearch.xpack.core.ssl.RestrictedTrustManager;
 import org.elasticsearch.xpack.core.ssl.SSLService;
+import org.elasticsearch.xpack.core.ssl.SslProfile;
 import org.junit.AfterClass;
 import org.junit.BeforeClass;
 
@@ -243,8 +243,8 @@ private void tryConnect(CertificateInfo certificate, boolean shouldFail) throws
 
         String node = randomFrom(internalCluster().getNodeNames());
         SSLService sslService = new SSLService(TestEnvironment.newEnvironment(settings));
-        SslConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
-        SSLSocketFactory sslSocketFactory = sslService.sslSocketFactory(sslConfiguration);
+        SslProfile sslProfile = sslService.profile("xpack.security.transport.ssl");
+        SSLSocketFactory sslSocketFactory = sslProfile.socketFactory();
         TransportAddress address = internalCluster().getInstance(Transport.class, node).boundAddress().publishAddress();
         try (SSLSocket socket = (SSLSocket) sslSocketFactory.createSocket(address.getAddress(), address.getPort())) {
             assertThat(socket.isConnected(), is(true));

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ldap/support/SessionFactory.java

@@ -27,6 +27,7 @@
 import org.elasticsearch.xpack.core.security.authc.ldap.support.SessionFactorySettings;
 import org.elasticsearch.xpack.core.ssl.SSLConfigurationSettings;
 import org.elasticsearch.xpack.core.ssl.SSLService;
+import org.elasticsearch.xpack.core.ssl.SslProfile;
 import org.elasticsearch.xpack.security.support.ReloadableSecurityComponent;
 
 import java.io.Closeable;
@@ -213,9 +214,9 @@ private ServerSet serverSet(RealmConfig realmConfig, SSLService clientSSLService
         SocketFactory socketFactory = null;
         if (ldapServers.ssl()) {
             final String sslKey = RealmSettings.realmSslPrefix(config.identifier());
-            final SslConfiguration ssl = clientSSLService.getSSLConfiguration(sslKey);
-            socketFactory = clientSSLService.sslSocketFactory(ssl);
-            if (ssl.verificationMode().isHostnameVerificationEnabled()) {
+            final SslProfile ssl = clientSSLService.profile(sslKey);
+            socketFactory = ssl.socketFactory();
+            if (ssl.configuration().verificationMode().isHostnameVerificationEnabled()) {
                 logger.debug("using encryption for LDAP connections with hostname verification");
             } else {
                 logger.debug("using encryption for LDAP connections without hostname verification");

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapTestUtils.java

@@ -13,12 +13,12 @@
 import org.apache.lucene.tests.util.LuceneTestCase;
 import org.elasticsearch.common.settings.MockSecureSettings;
 import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.common.ssl.SslConfiguration;
 import org.elasticsearch.common.ssl.SslVerificationMode;
 import org.elasticsearch.core.TimeValue;
 import org.elasticsearch.env.Environment;
 import org.elasticsearch.env.TestEnvironment;
 import org.elasticsearch.xpack.core.ssl.SSLService;
+import org.elasticsearch.xpack.core.ssl.SslProfile;
 import org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils;
 
 import java.nio.file.Path;
@@ -56,16 +56,9 @@ public static LDAPConnection openConnection(String url, String bindDN, String bi
         options.setConnectTimeoutMillis(Math.toIntExact(DEFAULT_LDAP_TIMEOUT.millis()));
         options.setResponseTimeoutMillis(DEFAULT_LDAP_TIMEOUT.millis());
 
-        final SslConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.security.authc.realms.ldap.foo.ssl");
+        final SslProfile profile = sslService.profile("xpack.security.authc.realms.ldap.foo.ssl");
         return LdapUtils.privilegedConnect(
-            () -> new LDAPConnection(
-                sslService.sslSocketFactory(sslConfiguration),
-                options,
-                ldapurl.getHost(),
-                ldapurl.getPort(),
-                bindDN,
-                bindPassword
-            )
+            () -> new LDAPConnection(profile.socketFactory(), options, ldapurl.getHost(), ldapurl.getPort(), bindDN, bindPassword)
         );
     }
 }