Add remote cluster security SPI extension (#134785)

This PR defines a new remote cluster security SPI extension point.
It allows providing custom `RemoteClusterSecurityExtension` via 
SPI by registering a `RemoteClusterSecurityExtension.Provider`.

Currently, it's possible to register only a single extension provider  
which is defined "internally". 

If a custom extension provider is not detected, it will fallback to 
the `CrossClusterAccessSecurityExtension.Provider` by default.

Author: slobodanadamovic

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/LocalStateCompositeXPackPlugin.java

@@ -66,6 +66,7 @@
 import org.elasticsearch.plugins.ClusterPlugin;
 import org.elasticsearch.plugins.DiscoveryPlugin;
 import org.elasticsearch.plugins.EnginePlugin;
+import org.elasticsearch.plugins.ExtensiblePlugin;
 import org.elasticsearch.plugins.FieldPredicate;
 import org.elasticsearch.plugins.IndexStorePlugin;
 import org.elasticsearch.plugins.IngestPlugin;
@@ -211,6 +212,12 @@ public List<Setting<?>> getSettings() {
         return settings;
     }
 
+    @Override
+    public void loadExtensions(ExtensionLoader loader) {
+        super.loadExtensions(loader);
+        filterPlugins(ExtensiblePlugin.class).forEach(p -> p.loadExtensions(loader));
+    }
+
     @Override
     public List<String> getSettingsFilter() {
         List<String> filters = new ArrayList<>(super.getSettingsFilter());

x-pack/plugin/security/qa/rcs-extension/build.gradle

@@ -0,0 +1,21 @@
+apply plugin: 'elasticsearch.base-internal-es-plugin'
+apply plugin: 'elasticsearch.internal-java-rest-test'
+
+esplugin {
+  name = 'test-rcs-extension-plugin'
+  description = 'A plugin for testing RemoteClusterSecurityExtension'
+  classname = 'org.elasticsearch.xpack.security.rcs.extension.RemoteClusterSecurityExtensionTestPlugin'
+  extendedPlugins = ['x-pack-core', 'x-pack-security']
+}
+
+dependencies {
+  compileOnly project(':x-pack:plugin:core')
+  compileOnly project(':x-pack:plugin:security')
+  clusterPlugins project(':x-pack:plugin:security:qa:rcs-extension')
+
+  javaRestTestImplementation project(':x-pack:plugin:core')
+  javaRestTestImplementation project(':x-pack:plugin:security')
+  javaRestTestImplementation project(':test:framework')
+}
+
+tasks.named("javadoc").configure { enabled = false }

x-pack/plugin/security/qa/rcs-extension/src/javaRestTest/java/org/elasticsearch/xpack/security/rcs/extension/RemoteClusterSecurityExtensionIT.java

@@ -0,0 +1,56 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+package org.elasticsearch.xpack.security.rcs.extension;
+
+import org.elasticsearch.client.Request;
+import org.elasticsearch.common.settings.SecureString;
+import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.common.util.concurrent.ThreadContext;
+import org.elasticsearch.test.cluster.ElasticsearchCluster;
+import org.elasticsearch.test.cluster.local.distribution.DistributionType;
+import org.elasticsearch.test.rest.ESRestTestCase;
+import org.junit.ClassRule;
+
+import static org.hamcrest.Matchers.equalTo;
+
+public class RemoteClusterSecurityExtensionIT extends ESRestTestCase {
+
+    @ClassRule
+    public static ElasticsearchCluster cluster = ElasticsearchCluster.local()
+        .distribution(DistributionType.INTEG_TEST)
+        .name("test-rcs-extension-cluster")
+        .plugin("test-rcs-extension-plugin")
+        .setting("xpack.security.enabled", "true")
+        .user("test-admin", "x-pack-test-password")
+        .build();
+
+    @Override
+    protected String getTestRestCluster() {
+        return cluster.getHttpAddresses();
+    }
+
+    @Override
+    protected Settings restClientSettings() {
+        return Settings.builder()
+            .put(
+                ThreadContext.PREFIX + ".Authorization",
+                basicAuthHeaderValue("test-admin", new SecureString("x-pack-test-password".toCharArray()))
+            )
+            .build();
+    }
+
+    /**
+     * Simple test which checks if rcs extension is loaded
+     * by asserting that RCS extension's setting is returned
+     * by {@code /_cluster/settings} API.
+     */
+    public void testExtensionIsLoaded() throws Exception {
+        var settings = assertOKAndCreateObjectPath(client().performRequest(new Request("GET", "/_cluster/settings?include_defaults=true")));
+        assertThat(settings.evaluate("defaults.xpack.test.rcs.extension.setting"), equalTo("default-rcs-extension-setting-value"));
+    }
+}

x-pack/plugin/security/qa/rcs-extension/src/main/java/module-info.java

@@ -0,0 +1,12 @@
+import org.elasticsearch.xpack.security.rcs.extension.TestRemoteClusterSecurityExtension;
+import org.elasticsearch.xpack.security.transport.extension.RemoteClusterSecurityExtension;
+
+module org.elasticsearch.internal.security {
+    requires org.elasticsearch.base;
+    requires org.elasticsearch.server;
+    requires org.elasticsearch.xcore;
+    requires org.elasticsearch.security;
+    requires org.elasticsearch.sslconfig;
+
+    provides RemoteClusterSecurityExtension.Provider with TestRemoteClusterSecurityExtension.Provider;
+}

x-pack/plugin/security/qa/rcs-extension/src/main/java/org/elasticsearch/xpack/security/rcs/extension/RemoteClusterSecurityExtensionTestPlugin.java

@@ -0,0 +1,12 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+package org.elasticsearch.xpack.security.rcs.extension;
+
+import org.elasticsearch.plugins.Plugin;
+
+public class RemoteClusterSecurityExtensionTestPlugin extends Plugin {}

x-pack/plugin/security/qa/rcs-extension/src/main/java/org/elasticsearch/xpack/security/rcs/extension/TestRemoteClusterSecurityExtension.java

@@ -0,0 +1,129 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+package org.elasticsearch.xpack.security.rcs.extension;
+
+import org.elasticsearch.action.ActionListener;
+import org.elasticsearch.action.support.DestructiveOperations;
+import org.elasticsearch.common.settings.Setting;
+import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.common.ssl.SslConfiguration;
+import org.elasticsearch.common.util.Maps;
+import org.elasticsearch.transport.Transport;
+import org.elasticsearch.transport.TransportInterceptor;
+import org.elasticsearch.transport.TransportRequest;
+import org.elasticsearch.xpack.core.XPackSettings;
+import org.elasticsearch.xpack.core.security.SecurityContext;
+import org.elasticsearch.xpack.core.security.authc.Authentication;
+import org.elasticsearch.xpack.core.ssl.SSLService;
+import org.elasticsearch.xpack.core.ssl.SslProfile;
+import org.elasticsearch.xpack.security.authc.RemoteClusterAuthenticationService;
+import org.elasticsearch.xpack.security.transport.RemoteClusterTransportInterceptor;
+import org.elasticsearch.xpack.security.transport.ServerTransportFilter;
+import org.elasticsearch.xpack.security.transport.extension.RemoteClusterSecurityExtension;
+
+import java.util.Collections;
+import java.util.List;
+import java.util.Map;
+
+public class TestRemoteClusterSecurityExtension implements RemoteClusterSecurityExtension {
+
+    public static final Setting<String> DUMMY_EXTENSION_SETTING = Setting.simpleString(
+        "xpack.test.rcs.extension.setting",
+        "default-rcs-extension-setting-value",
+        Setting.Property.NodeScope
+    );
+
+    private final Components components;
+
+    public TestRemoteClusterSecurityExtension(Components components) {
+        this.components = components;
+    }
+
+    @Override
+    public RemoteClusterTransportInterceptor getTransportInterceptor() {
+        return new RemoteClusterTransportInterceptor() {
+
+            @Override
+            public TransportInterceptor.AsyncSender interceptSender(TransportInterceptor.AsyncSender sender) {
+                return sender;
+            }
+
+            @Override
+            public boolean isRemoteClusterConnection(Transport.Connection connection) {
+                return false;
+            }
+
+            public boolean hasRemoteClusterAccessHeadersInContext(SecurityContext securityContext) {
+                return false;
+            }
+
+            @Override
+            public Map<String, ServerTransportFilter> getProfileTransportFilters(
+                Map<String, SslProfile> profileConfigurations,
+                DestructiveOperations destructiveOperations
+            ) {
+                Map<String, ServerTransportFilter> profileFilters = Maps.newMapWithExpectedSize(profileConfigurations.size() + 1);
+                Settings settings = components.settings();
+                final boolean transportSSLEnabled = XPackSettings.TRANSPORT_SSL_ENABLED.get(settings);
+
+                for (Map.Entry<String, SslProfile> entry : profileConfigurations.entrySet()) {
+                    final String profileName = entry.getKey();
+                    final SslProfile sslProfile = entry.getValue();
+                    final SslConfiguration profileConfiguration = sslProfile.configuration();
+                    profileFilters.put(
+                        profileName,
+                        new ServerTransportFilter(
+                            components.authenticationService(),
+                            components.authorizationService(),
+                            components.threadPool().getThreadContext(),
+                            transportSSLEnabled && SSLService.isSSLClientAuthEnabled(profileConfiguration),
+                            destructiveOperations,
+                            components.securityContext()
+                        )
+                    );
+                }
+                // We need to register here the default security
+                // server transport filter which ensures that all
+                // incoming transport requests are properly
+                // authenticated and authorized.
+                return Collections.unmodifiableMap(profileFilters);
+            }
+
+        };
+    }
+
+    @Override
+    public RemoteClusterAuthenticationService getAuthenticationService() {
+        return new RemoteClusterAuthenticationService() {
+
+            @Override
+            public void authenticate(String action, TransportRequest request, ActionListener<Authentication> listener) {
+                listener.onFailure(new IllegalStateException("not relevant for this test"));
+            }
+
+            @Override
+            public void authenticateHeaders(Map<String, String> headers, ActionListener<Void> listener) {
+                listener.onResponse(null);
+            }
+        };
+    }
+
+    public static class Provider implements RemoteClusterSecurityExtension.Provider {
+
+        @Override
+        public RemoteClusterSecurityExtension getExtension(Components components) {
+            return new TestRemoteClusterSecurityExtension(components);
+        }
+
+        @Override
+        public List<Setting<?>> getSettings() {
+            return List.of(DUMMY_EXTENSION_SETTING);
+        }
+    }
+
+}

x-pack/plugin/security/qa/rcs-extension/src/main/resources/META-INF/services/org.elasticsearch.xpack.security.transport.extension.RemoteClusterSecurityExtension$Provider

@@ -0,0 +1,8 @@
+#
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+#
+
+org.elasticsearch.xpack.security.rcs.extension.TestRemoteClusterSecurityExtension$Provider

x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/transport/CrossClusterApiKeySignerIntegTests.java

@@ -26,10 +26,7 @@ public class CrossClusterApiKeySignerIntegTests extends SecurityIntegTestCase {
     private static final String STATIC_TEST_CLUSTER_ALIAS = "static_test_cluster";
 
     public void testSignWithPemKeyConfig() {
-        final CrossClusterApiKeySigner signer = internalCluster().getInstance(
-            CrossClusterApiKeySigner.class,
-            internalCluster().getRandomNodeName()
-        );
+        final CrossClusterApiKeySigner signer = getCrossClusterApiKeySignerInstance();
         final String[] testHeaders = randomArray(5, String[]::new, () -> randomAlphanumericOfLength(randomInt(20)));
 
         X509CertificateSignature signature = signer.sign(STATIC_TEST_CLUSTER_ALIAS, testHeaders);
@@ -47,21 +44,15 @@ public void testSignWithPemKeyConfig() {
     }
 
     public void testSignUnknownClusterAlias() {
-        final CrossClusterApiKeySigner signer = internalCluster().getInstance(
-            CrossClusterApiKeySigner.class,
-            internalCluster().getRandomNodeName()
-        );
+        final CrossClusterApiKeySigner signer = getCrossClusterApiKeySignerInstance();
         final String[] testHeaders = randomArray(5, String[]::new, () -> randomAlphanumericOfLength(randomInt(20)));
 
         X509CertificateSignature signature = signer.sign("unknowncluster", testHeaders);
         assertNull(signature);
     }
 
     public void testSeveralKeyStoreAliases() {
-        final CrossClusterApiKeySigner signer = internalCluster().getInstance(
-            CrossClusterApiKeySigner.class,
-            internalCluster().getRandomNodeName()
-        );
+        final CrossClusterApiKeySigner signer = getCrossClusterApiKeySignerInstance();
 
         try {
             // Create a new config without an alias. Since there are several aliases in the keystore, no signature should be generated
@@ -131,4 +122,9 @@ protected Settings nodeSettings(int nodeOrdinal, Settings otherSettings) {
         );
         return builder.build();
     }
+
+    private static CrossClusterApiKeySigner getCrossClusterApiKeySignerInstance() {
+        return CrossClusterTestHelper.getCrossClusterApiKeySigner(internalCluster());
+    }
+
 }

x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/transport/CrossClusterSigningConfigReloaderIntegTests.java

@@ -100,10 +100,7 @@ public void testAddSecureSettingsConfigRuntime() throws Exception {
 
     public void testDependentKeyConfigFilesUpdated() throws Exception {
         assumeFalse("Test credentials uses key encryption not supported in Fips JVM", inFipsJvm());
-        final CrossClusterApiKeySigner signer = internalCluster().getInstance(
-            CrossClusterApiKeySigner.class,
-            internalCluster().getRandomNodeName()
-        );
+        final CrossClusterApiKeySigner signer = getCrossClusterApiKeySignerInstance();
 
         String testClusterAlias = "test_cluster";
 
@@ -159,10 +156,7 @@ public void testDependentKeyConfigFilesUpdated() throws Exception {
 
     public void testRemoveFileWithConfig() throws Exception {
         try {
-            final CrossClusterApiKeySigner signer = internalCluster().getInstance(
-                CrossClusterApiKeySigner.class,
-                internalCluster().getRandomNodeName()
-            );
+            final CrossClusterApiKeySigner signer = getCrossClusterApiKeySignerInstance();
 
             assertNull(signer.sign("test_cluster", "a_header"));
             Path tempDir = createTempDir();
@@ -217,10 +211,7 @@ private void addAndRemoveClusterConfigsRuntime(
         Consumer<String> clusterCreator,
         Consumer<String> clusterRemover
     ) throws Exception {
-        final CrossClusterApiKeySigner signer = internalCluster().getInstance(
-            CrossClusterApiKeySigner.class,
-            internalCluster().getRandomNodeName()
-        );
+        final CrossClusterApiKeySigner signer = getCrossClusterApiKeySignerInstance();
         final String[] testHeaders = randomArray(5, String[]::new, () -> randomAlphanumericOfLength(randomInt(20)));
 
         try {
@@ -302,4 +293,9 @@ public boolean transportSSLEnabled() {
         // Needs to be enabled to allow updates to secure settings
         return true;
     }
+
+    private static CrossClusterApiKeySigner getCrossClusterApiKeySignerInstance() {
+        return CrossClusterTestHelper.getCrossClusterApiKeySigner(internalCluster());
+    }
+
 }

x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/transport/CrossClusterTestHelper.java

@@ -0,0 +1,30 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+package org.elasticsearch.xpack.security.transport;
+
+import org.elasticsearch.test.InternalTestCluster;
+
+final class CrossClusterTestHelper {
+
+    /**
+     * Returns {@link CrossClusterApiKeySigner} instance from a random node of the given cluster.
+     */
+    static CrossClusterApiKeySigner getCrossClusterApiKeySigner(InternalTestCluster cluster) {
+        RemoteClusterTransportInterceptor interceptor = cluster.getInstance(
+            RemoteClusterTransportInterceptor.class,
+            cluster.getRandomNodeName()
+        );
+        assert interceptor instanceof CrossClusterAccessTransportInterceptor
+            : "expected cross-cluster interceptor but got " + interceptor.getClass();
+        return ((CrossClusterAccessTransportInterceptor) interceptor).getCrossClusterApiKeySigner();
+    }
+
+    private CrossClusterTestHelper() {
+        throw new IllegalAccessError("not allowed!");
+    }
+}