Add 'SslProfileExtension' SPI interface (#134609)

This new SPI extension point allows plugins to define new SSL profiles
(contexts) that will be automatically loaded and managed by the
SSLService

Each extension defines the settings prefix(s) that it uses
(e.g.  "foo.bar.ssl") and then the SSL Service reads those settings
and constructs `SslConfiguration` and `SslProfile` objects from those
settings. The `SslProfile` is provided back to the extension for its
use

Author: tvernum

docs/changelog/134609.yaml

@@ -0,0 +1,5 @@
+pr: 134609
+summary: Add 'SslProfileExtension' SPI interface
+area: TLS
+type: enhancement
+issues: []

x-pack/plugin/core/src/main/java/module-info.java

@@ -191,6 +191,7 @@
     exports org.elasticsearch.xpack.core.sql;
     exports org.elasticsearch.xpack.core.ssl.action;
     exports org.elasticsearch.xpack.core.ssl.cert;
+    exports org.elasticsearch.xpack.core.ssl.extension;
     exports org.elasticsearch.xpack.core.ssl.rest;
     exports org.elasticsearch.xpack.core.ssl;
     exports org.elasticsearch.xpack.core.template;

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/XPackPlugin.java

@@ -28,7 +28,6 @@
 import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.settings.SettingsFilter;
-import org.elasticsearch.common.ssl.SslConfiguration;
 import org.elasticsearch.common.util.BigArrays;
 import org.elasticsearch.core.Booleans;
 import org.elasticsearch.env.Environment;
@@ -110,6 +109,7 @@
 import org.elasticsearch.xpack.core.security.authz.RoleMappingMetadata;
 import org.elasticsearch.xpack.core.ssl.SSLConfigurationReloader;
 import org.elasticsearch.xpack.core.ssl.SSLService;
+import org.elasticsearch.xpack.core.ssl.extension.SslProfileExtension;
 import org.elasticsearch.xpack.core.termsenum.action.TermsEnumAction;
 import org.elasticsearch.xpack.core.termsenum.action.TransportTermsEnumAction;
 import org.elasticsearch.xpack.core.termsenum.rest.RestTermsEnumAction;
@@ -185,6 +185,8 @@ public Void run() {
     private static SetOnce<XPackLicenseState> licenseState = new SetOnce<>();
     private static SetOnce<LicenseService> licenseService = new SetOnce<>();
 
+    private final List<SslProfileExtension> sslExtensions = new ArrayList<>();
+
     public XPackPlugin(final Settings settings) {
         super();
         // FIXME: The settings might be changed after this (e.g. from "additionalSettings" method in other plugins)
@@ -465,6 +467,8 @@ public List<Setting<?>> getSettings() {
         List<Setting<?>> settings = super.getSettings();
         settings.add(SourceOnlySnapshotRepository.SOURCE_ONLY);
 
+        settings.addAll(SSLService.getExtensionSettings(this.sslExtensions));
+
         // Don't register the license setting if there is an alternate implementation loaded as an extension.
         // this relies on the order in which methods are called - loadExtensions, (this method) getSettings, then createComponents
         if (getSharedLicenseService() == null) {
@@ -496,9 +500,9 @@ public Collection<IndexSettingProvider> getAdditionalIndexSettingProviders(Index
      * of SSLContexts when configuration files change on disk.
      */
     private SSLService createSSLService(Environment environment, ResourceWatcherService resourceWatcherService) {
-        final Map<String, SslConfiguration> sslConfigurations = SSLService.getSSLConfigurations(environment);
+        final SSLService.LoadedSslConfigurations sslConfigurations = SSLService.getSSLConfigurations(environment, this.sslExtensions);
         // Must construct the reloader before the SSL service so that we don't miss any config changes, see #54867
-        final SSLConfigurationReloader reloader = new SSLConfigurationReloader(resourceWatcherService, sslConfigurations.values());
+        final SSLConfigurationReloader reloader = new SSLConfigurationReloader(resourceWatcherService, sslConfigurations);
         final SSLService sslService = new SSLService(environment, sslConfigurations);
         reloader.setSSLService(sslService);
         setSslService(sslService);
@@ -507,6 +511,11 @@ private SSLService createSSLService(Environment environment, ResourceWatcherServ
 
     @Override
     public void loadExtensions(ExtensionLoader loader) {
+        loadLicenseService(loader);
+        this.sslExtensions.addAll(loader.loadExtensions(SslProfileExtension.class));
+    }
+
+    private void loadLicenseService(ExtensionLoader loader) {
         List<MutableLicenseService> licenseServices = loader.loadExtensions(MutableLicenseService.class);
         if (licenseServices.size() > 1) {
             throw new IllegalStateException(MutableLicenseService.class + " may not have multiple implementations");

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationReloader.java

@@ -45,17 +45,17 @@ protected boolean blockingAllowed() {
         }
     };
 
-    public SSLConfigurationReloader(ResourceWatcherService resourceWatcherService, Collection<SslConfiguration> sslConfigurations) {
-        startWatching(reloadConsumer(sslServiceFuture), resourceWatcherService, sslConfigurations);
+    public SSLConfigurationReloader(ResourceWatcherService resourceWatcherService, SSLService.LoadedSslConfigurations sslConfiguration) {
+        startWatching(reloadConsumer(sslServiceFuture), resourceWatcherService, sslConfiguration);
     }
 
     // for testing
     SSLConfigurationReloader(
         Consumer<SslConfiguration> reloadConsumer,
         ResourceWatcherService resourceWatcherService,
-        Collection<SslConfiguration> sslConfigurations
+        SSLService.LoadedSslConfigurations sslConfiguration
     ) {
-        startWatching(reloadConsumer, resourceWatcherService, sslConfigurations);
+        startWatching(reloadConsumer, resourceWatcherService, sslConfiguration);
     }
 
     public void setSSLService(SSLService sslService) {
@@ -84,10 +84,10 @@ private static Consumer<SslConfiguration> reloadConsumer(Future<SSLService> futu
     private static void startWatching(
         Consumer<SslConfiguration> reloadConsumer,
         ResourceWatcherService resourceWatcherService,
-        Collection<SslConfiguration> sslConfigurations
+        SSLService.LoadedSslConfigurations sslConfigurations
     ) {
         Map<Path, List<SslConfiguration>> pathToConfigurationsMap = new HashMap<>();
-        for (SslConfiguration sslConfiguration : sslConfigurations) {
+        for (SslConfiguration sslConfiguration : sslConfigurations.configurations()) {
             final Collection<Path> filesToMonitor = sslConfiguration.getDependentFiles();
             for (Path file : filesToMonitor) {
                 pathToConfigurationsMap.compute(file, (path, list) -> {