Add reload listener to SslProfile (#135244)

This change allows components and plugins that are dependent on a
`SslProfile` to be notified when that profile is reloaded.

This is useful if they have objects (e.g. http clients) that have been
built around the profile's runtime objects (trust manager, etc) and
they need to cascade the reload downwards.

Author: tvernum

docs/changelog/135244.yaml

@@ -0,0 +1,5 @@
+pr: 135244
+summary: Add reload listener to `SslProfile`
+area: TLS
+type: enhancement
+issues: []

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLService.java

@@ -57,6 +57,7 @@
 import java.util.Optional;
 import java.util.Set;
 import java.util.concurrent.atomic.AtomicInteger;
+import java.util.function.Consumer;
 import java.util.function.Function;
 import java.util.function.Predicate;
 import java.util.function.Supplier;
@@ -772,7 +773,7 @@ final class SSLContextHolder implements SslProfile {
         private final SslKeyConfig keyConfig;
         private final SslTrustConfig trustConfig;
         private final SslConfiguration sslConfiguration;
-        private final List<Runnable> reloadListeners;
+        private final List<Consumer<? super SSLContextHolder>> reloadListeners;
 
         SSLContextHolder(SSLContext context, SslConfiguration sslConfiguration) {
             this.context = context;
@@ -799,7 +800,7 @@ public SSLSocketFactory socketFactory() {
                 sslConfiguration.supportedProtocols().toArray(Strings.EMPTY_ARRAY),
                 supportedCiphers(socketFactory.getSupportedCipherSuites(), sslConfiguration.getCipherSuites(), false)
             );
-            this.addReloadListener(securitySSLSocketFactory::reload);
+            this.addReloadListener(profile -> securitySSLSocketFactory.reload());
             return securitySSLSocketFactory;
         }
 
@@ -850,11 +851,16 @@ public SSLEngine engine(String host, int port) {
             return sslEngine;
         }
 
+        @Override
+        public void addReloadListener(Consumer<SslProfile> listener) {
+            this.reloadListeners.add(listener);
+        }
+
         synchronized void reload() {
             invalidateSessions(context.getClientSessionContext());
             invalidateSessions(context.getServerSessionContext());
             reloadSslContext();
-            this.reloadListeners.forEach(Runnable::run);
+            this.reloadListeners.forEach(l -> l.accept(this));
         }
 
         private void reloadSslContext() {
@@ -875,10 +881,6 @@ private void reloadSslContext() {
                 throw new ElasticsearchException("failed to initialize the SSLContext", e);
             }
         }
-
-        public void addReloadListener(Runnable listener) {
-            this.reloadListeners.add(listener);
-        }
     }
 
     /**

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SslProfile.java

@@ -12,6 +12,8 @@
 import org.apache.http.nio.conn.ssl.SSLIOSessionStrategy;
 import org.elasticsearch.common.ssl.SslConfiguration;
 
+import java.util.function.Consumer;
+
 import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
@@ -49,4 +51,10 @@ public interface SslProfile {
     TlsStrategy clientTlsStrategy();
 
     SSLEngine engine(String host, int port);
+
+    /**
+     * Add a listener that is called when this profile is reloaded (for example, because one of the {@link #configuration() configuration's}
+     * {@link SslConfiguration#getDependentFiles() dependent files} is modified.
+     */
+    void addReloadListener(Consumer<SslProfile> listener);
 }

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationReloaderTests.java

@@ -73,6 +73,7 @@
 import java.util.concurrent.CountDownLatch;
 import java.util.concurrent.CyclicBarrier;
 import java.util.concurrent.TimeUnit;
+import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.concurrent.atomic.AtomicReference;
 import java.util.function.Consumer;
 
@@ -84,6 +85,7 @@
 import static org.elasticsearch.test.TestMatchers.throwableWithMessage;
 import static org.hamcrest.Matchers.containsInAnyOrder;
 import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.is;
 import static org.hamcrest.Matchers.sameInstance;
 
 /**
@@ -629,7 +631,12 @@ private void validateSSLConfigurationIsReloaded(
     ) throws Exception {
         final CyclicBarrier reloadBarrier = new CyclicBarrier(2);
         final SSLService sslService = new SSLService(env);
-        final SslConfiguration config = sslService.getSSLConfiguration("xpack.security.transport.ssl");
+        final SslProfile profile = sslService.profile("xpack.security.transport.ssl");
+        final AtomicBoolean profileReloaded = new AtomicBoolean(false);
+        profile.addReloadListener(p -> {
+            assertThat(p, sameInstance(profile));
+            profileReloaded.set(true);
+        });
         final Consumer<SslConfiguration> reloadConsumer = sslConfiguration -> {
             try {
                 sslService.reloadSSLContext(sslConfiguration);
@@ -643,7 +650,7 @@ private void validateSSLConfigurationIsReloaded(
         };
         new SSLConfigurationReloader(reloadConsumer, resourceWatcherService, SSLService.getSSLConfigurations(env, List.of()));
         // Baseline checks
-        preChecks.accept(sslService.sslContextHolder(config).sslContext());
+        preChecks.accept(sslService.sslContextHolder(profile.configuration()).sslContext());
 
         assertEquals("nothing should have called reload", 0, reloadBarrier.getNumberWaiting());
 
@@ -655,7 +662,8 @@ private void validateSSLConfigurationIsReloaded(
         }
 
         // checks after reload
-        postChecks.accept(sslService.sslContextHolder(config).sslContext());
+        postChecks.accept(sslService.sslContextHolder(profile.configuration()).sslContext());
+        assertThat(profileReloaded.get(), is(true));
     }
 
     private static void atomicMoveIfPossible(Path source, Path target) throws IOException {

x-pack/plugin/security/qa/ssl-extension/src/javaRestTest/java/org/elasticsearch/xpack/core/ssl/extension/SslProfileExtensionIT.java

@@ -9,16 +9,20 @@
 
 import org.elasticsearch.client.Request;
 import org.elasticsearch.client.Response;
+import org.elasticsearch.common.io.Streams;
 import org.elasticsearch.common.settings.SecureString;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
 import org.elasticsearch.test.cluster.ElasticsearchCluster;
+import org.elasticsearch.test.cluster.LogType;
 import org.elasticsearch.test.cluster.local.distribution.DistributionType;
+import org.elasticsearch.test.cluster.util.resource.MutableResource;
 import org.elasticsearch.test.cluster.util.resource.Resource;
 import org.elasticsearch.test.rest.ESRestTestCase;
 import org.hamcrest.Matchers;
 import org.junit.ClassRule;
 
+import java.io.InputStream;
 import java.util.List;
 import java.util.Map;
 
@@ -28,11 +32,13 @@
 
 public class SslProfileExtensionIT extends ESRestTestCase {
 
+    private static final MutableResource caFile = MutableResource.from(Resource.fromClasspath("ca1.crt"));
+
     @ClassRule
     public static ElasticsearchCluster cluster = ElasticsearchCluster.local()
         .distribution(DistributionType.INTEG_TEST)
         .plugin("test-ssl-extension")
-        .configFile("test.ssl.ca.crt", Resource.fromClasspath("ca.crt"))
+        .configFile("test.ssl.ca.crt", caFile)
         .setting("test.ssl.certificate_authorities", "test.ssl.ca.crt")
         .setting("xpack.security.enabled", "true")
         .user("admin", "pass/word")
@@ -57,4 +63,14 @@ public void testCertificateIsLoaded() throws Exception {
         assertThat(certs, hasItem(hasEntry("path", "test.ssl.ca.crt")));
     }
 
+    public void testCertificateReload() throws Exception {
+        caFile.update(Resource.fromClasspath("ca2.crt"));
+        assertBusy(() -> {
+            try (InputStream log = cluster.getNodeLog(0, LogType.SERVER_JSON)) {
+                final List<String> logLines = Streams.readAllLines(log);
+                assertThat(logLines, hasItem(Matchers.containsString("TEST SSL PROFILE RELOADED [test.ssl]")));
+            }
+        });
+    }
+
 }

x-pack/plugin/security/qa/ssl-extension/src/javaRestTest/resources/ca.crt renamed to x-pack/plugin/security/qa/ssl-extension/src/javaRestTest/resources/ca1.crt

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDqzCCApOgAwIBAgIUIxeD5zWFBndCDsdJCxCUJlf4bGMwDQYJKoZIhvcNAQEL
+BQAwXTETMBEGCgmSJomT8ixkARkWA29yZzEdMBsGCgmSJomT8ixkARkWDWVsYXN0
+aWNzZWFyY2gxDTALBgNVBAsTBHRlc3QxGDAWBgNVBAMTD3NzbC1wcm9maWxlLWFs
+dDAeFw0yNTA5MjMwMjE5MThaFw0yODA5MjIwMjE5MThaMF0xEzARBgoJkiaJk/Is
+ZAEZFgNvcmcxHTAbBgoJkiaJk/IsZAEZFg1lbGFzdGljc2VhcmNoMQ0wCwYDVQQL
+EwR0ZXN0MRgwFgYDVQQDEw9zc2wtcHJvZmlsZS1hbHQwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQCkbUzJoaxX9BbKfPiZsY2CyjPcI+A3FbP5qhSFC3hO
+HdEamn+GWCbzN3PUupWy/i0bEFA8WTOfPmO4/Td8V0RrNg0ONC/TkqShz9/39Vcp
+TnMlPuaIAQDjSZ0a8KcJMCfde3sutjK7pD+DHYaQasJ2wXZlhWB/BSrwzAdBzNBz
+Ca7+aKeYoXNk/QlA3bm3isFWjI8IVtX3L6o1XwHM4haJxgaUkdZBVe8So3OSQbft
+GXhaxKZkj3kWGwSY3Bp8/GuYYEisDGK6JNc2Mla9oYKJsp3sTmJoxMZZ0a9uEsWf
+JodUxGyZr7TUbZ6focnXcN2ikFbO/kfKq9uDvCAvCyZzAgMBAAGjYzBhMB0GA1Ud
+DgQWBBQytaNb2xfEtJaew29FP73J2WiYrzAfBgNVHSMEGDAWgBQytaNb2xfEtJae
+w29FP73J2WiYrzAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjANBgkq
+hkiG9w0BAQsFAAOCAQEACrsvGa+fgXlQ5NbFv2AYKwAlPgssZpIJaoL0A1F7S42K
+p8KZ0TYIwtFEVhNmjwyR9pVVfk00Wjmiab9jouPGIq8Lg3VP6w3DQoYYthXymdGW
+4f+mZ0OP4Djq4ReKf05SUdmd4BndKPc1rVNk+qyrRNzIJEuHyINYVyiXxmyuFcP5
+5VRh1KLDe8Xn2TeZw6S0ZHPgwReg3JaGrLauJo8LOk3X8y9/f/u7c4XZkAHTjHyE
+L5JSzNFiJ2bzOz+t6WRE196QBZGcxI0TZP/MebGlC5q4nCha48Akp35IkKJQMo9L
+ko97anazKRarty3blQhONWQXA/6gxTJHDwXxBydYZQ==
+-----END CERTIFICATE-----

x-pack/plugin/security/qa/ssl-extension/src/javaRestTest/resources/ca2.crt

@@ -4,6 +4,7 @@
 module org.elasticsearch.internal.ssl {
     requires org.elasticsearch.server;
     requires org.elasticsearch.xcore;
+    requires org.elasticsearch.logging;
 
     provides SslProfileExtension with TestSslProfile;
 }

x-pack/plugin/security/qa/ssl-extension/src/main/java/module-info.java

@@ -7,19 +7,24 @@
 
 package org.elasticsearch.test.xpack.core.ssl.extension;
 
+import org.elasticsearch.logging.LogManager;
+import org.elasticsearch.logging.Logger;
 import org.elasticsearch.xpack.core.ssl.SslProfile;
 import org.elasticsearch.xpack.core.ssl.extension.SslProfileExtension;
 
 import java.util.Set;
 
 public class TestSslProfile implements SslProfileExtension {
+
+    private final Logger logger = LogManager.getLogger(getClass());
+
     @Override
     public Set<String> getSettingPrefixes() {
         return Set.of("test.ssl");
     }
 
     @Override
     public void applyProfile(String prefix, SslProfile profile) {
-        // no-op
+        profile.addReloadListener(p -> logger.info("TEST SSL PROFILE RELOADED [{}] [{}]", prefix, p));
     }
 }