Introduce SslProfile object

Author: tvernum

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLService.java

@@ -9,6 +9,7 @@
 import org.apache.http.HttpHost;
 import org.apache.http.conn.ssl.DefaultHostnameVerifier;
 import org.apache.http.conn.ssl.NoopHostnameVerifier;
+import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
 import org.apache.http.nio.conn.ssl.SSLIOSessionStrategy;
 import org.apache.http.nio.reactor.IOSession;
 import org.apache.logging.log4j.LogManager;
@@ -216,6 +217,14 @@ public static void registerSettings(List<Setting<?>> settingList) {
         settingList.add(DIAGNOSE_TRUST_EXCEPTIONS_SETTING);
     }
 
+    public SslProfile profile(String profileName) {
+        final SslConfiguration configuration = getSSLConfiguration(profileName);
+        if (configuration == null) {
+            throw new IllegalArgumentException(Strings.format("No SSL configuration for context name [%s]", profileName));
+        }
+        return sslContextHolder(configuration);
+    }
+
     /**
      * Create a new {@link SSLIOSessionStrategy} based on the provided settings. The settings are used to identify the SSL configuration
      * that should be used to create the context.
@@ -797,7 +806,7 @@ private static SSLSocket createWithPermissions(CheckedSupplier<Socket, IOExcepti
         }
     }
 
-    final class SSLContextHolder {
+    final class SSLContextHolder implements SslProfile {
         private volatile SSLContext context;
         private final SslKeyConfig keyConfig;
         private final SslTrustConfig trustConfig;
@@ -812,10 +821,40 @@ final class SSLContextHolder {
             this.reloadListeners = new ArrayList<>();
         }
 
-        SSLContext sslContext() {
+        public SSLContext sslContext() {
             return context;
         }
 
+        @Override
+        public SslConfiguration configuration() {
+            return this.sslConfiguration;
+        }
+
+        @Override
+        public SSLSocketFactory socketFactory() {
+            return SSLService.this.sslSocketFactory(this.sslConfiguration);
+        }
+
+        @Override
+        public HostnameVerifier hostnameVerifier() {
+            return SSLService.getHostnameVerifier(this.sslConfiguration);
+        }
+
+        @Override
+        public SSLConnectionSocketFactory socketConnectionFactory() {
+            return new SSLConnectionSocketFactory(socketFactory(), hostnameVerifier());
+        }
+
+        @Override
+        public SSLIOSessionStrategy ioSessionStrategy4() {
+            return SSLService.this.sslIOSessionStrategy(this.sslConfiguration);
+        }
+
+        @Override
+        public SSLEngine engine(String host, int port) {
+            return SSLService.this.createSSLEngine(this.configuration(), host, port);
+        }
+
         synchronized void reload() {
             invalidateSessions(context.getClientSessionContext());
             invalidateSessions(context.getServerSessionContext());

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SslProfile.java

@@ -0,0 +1,36 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+package org.elasticsearch.xpack.core.ssl;
+
+import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
+import org.apache.http.nio.conn.ssl.SSLIOSessionStrategy;
+import org.elasticsearch.common.ssl.SslConfiguration;
+
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLSocketFactory;
+
+public interface SslProfile {
+    SslConfiguration configuration();
+
+    SSLContext sslContext();
+
+    SSLSocketFactory socketFactory();
+
+    HostnameVerifier hostnameVerifier();
+
+    SSLConnectionSocketFactory socketConnectionFactory();
+
+    /**
+     * @return An object that is useful for configuring Apache Http Client v4.x
+     */
+    SSLIOSessionStrategy ioSessionStrategy4();
+
+    SSLEngine engine(String host, int port);
+}

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLServiceTests.java

@@ -77,10 +77,12 @@
 import static org.hamcrest.Matchers.arrayContainingInAnyOrder;
 import static org.hamcrest.Matchers.arrayWithSize;
 import static org.hamcrest.Matchers.contains;
+import static org.hamcrest.Matchers.containsInAnyOrder;
 import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.greaterThan;
 import static org.hamcrest.Matchers.hasItem;
+import static org.hamcrest.Matchers.hasItemInArray;
 import static org.hamcrest.Matchers.instanceOf;
 import static org.hamcrest.Matchers.is;
 import static org.hamcrest.Matchers.iterableWithSize;
@@ -170,6 +172,18 @@ public void testThatCustomTruststoreCanBeSpecified() throws Exception {
         final SslConfiguration profileConfiguration = sslService.getSSLConfiguration("transport.profiles.foo.xpack.security.ssl");
         assertThat(profileConfiguration, notNullValue());
         assertThat(profileConfiguration.getDependentFiles(), contains(testClientStore));
+
+        final SslProfile defaultSslProfile = sslService.profile(
+            randomFrom("xpack.security.transport.ssl", "xpack.security.transport.ssl.")
+        );
+        assertThat(defaultSslProfile, notNullValue());
+        assertThat(defaultSslProfile.configuration().trustConfig().getDependentFiles(), containsInAnyOrder(testnodeStore));
+
+        final SslProfile fooSslProfile = sslService.profile(
+            randomFrom("transport.profiles.foo.xpack.security.ssl", "transport.profiles.foo.xpack.security.ssl.")
+        );
+        assertThat(fooSslProfile, notNullValue());
+        assertThat(fooSslProfile.configuration().trustConfig().getDependentFiles(), containsInAnyOrder(testClientStore));
     }
 
     public void testThatSslContextCachingWorks() throws Exception {
@@ -192,6 +206,12 @@ public void testThatSslContextCachingWorks() throws Exception {
         final SslConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
         final SSLContext configContext = sslService.sslContext(configuration);
         assertThat(configContext, is(sameInstance(sslContext)));
+
+        final SslProfile defaultSslProfile = sslService.profile(
+            randomFrom("xpack.security.transport.ssl", "xpack.security.transport.ssl.")
+        );
+        assertThat(defaultSslProfile, notNullValue());
+        assertThat(defaultSslProfile.sslContext(), sameInstance(sslContext));
     }
 
     public void testThatKeyStoreAndKeyCanHaveDifferentPasswords() throws Exception {
@@ -211,6 +231,9 @@ public void testThatKeyStoreAndKeyCanHaveDifferentPasswords() throws Exception {
         final SSLService sslService = new SSLService(TestEnvironment.newEnvironment(buildEnvSettings(settings)));
         SslConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
         sslService.createSSLEngine(configuration, null, -1);
+
+        final SslProfile profile = sslService.profile("xpack.security.transport.ssl.");
+        profile.engine(null, -1);
     }
 
     public void testIncorrectKeyPasswordThrowsException() throws Exception {
@@ -248,13 +271,20 @@ public void testThatSSLv3IsNotEnabled() throws Exception {
         SslConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
         SSLEngine engine = sslService.createSSLEngine(configuration, null, -1);
         assertThat(Arrays.asList(engine.getEnabledProtocols()), not(hasItem("SSLv3")));
+
+        final SslProfile profile = sslService.profile("xpack.security.transport.ssl.");
+        final String[] profileProtocols = profile.engine(null, -1).getEnabledProtocols();
+        assertThat(profileProtocols, not(hasItemInArray("SSLv3")));
+        assertThat(profileProtocols, hasItemInArray("TLSv1.2"));
     }
 
     public void testThatCreateClientSSLEngineWithoutAnySettingsWorks() throws Exception {
         SSLService sslService = new SSLService(env);
         SslConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
         SSLEngine sslEngine = sslService.createSSLEngine(configuration, null, -1);
         assertThat(sslEngine, notNullValue());
+
+        assertThat(sslService.profile("xpack.security.transport.ssl.").engine(null, -1), notNullValue());
     }
 
     public void testThatCreateSSLEngineWithOnlyTruststoreWorks() throws Exception {
@@ -269,6 +299,8 @@ public void testThatCreateSSLEngineWithOnlyTruststoreWorks() throws Exception {
         SslConfiguration configuration = sslService.getSSLConfiguration("xpack.security.http.ssl");
         SSLEngine sslEngine = sslService.createSSLEngine(configuration, null, -1);
         assertThat(sslEngine, notNullValue());
+
+        assertThat(sslService.profile("xpack.security.http.ssl.").engine(null, -1), notNullValue());
     }
 
     public void testCreateWithKeystoreIsValidForServer() throws Exception {
@@ -366,6 +398,15 @@ public void testGetVerificationMode() throws Exception {
             sslService.getSSLConfiguration("transport.profiles.foo.xpack.security.ssl.").verificationMode(),
             is(SslVerificationMode.FULL)
         );
+
+        assertThat(
+            sslService.profile("xpack.security.transport.ssl").configuration().verificationMode(),
+            is(SslVerificationMode.CERTIFICATE)
+        );
+        assertThat(
+            sslService.profile("transport.profiles.foo.xpack.security.ssl").configuration().verificationMode(),
+            is(SslVerificationMode.FULL)
+        );
     }
 
     public void testIsSSLClientAuthEnabled() throws Exception {
@@ -453,11 +494,18 @@ public void testCiphersAndInvalidCiphersWork() throws Exception {
             .putList("xpack.security.transport.ssl.ciphers", ciphers.toArray(new String[ciphers.size()]))
             .build();
         SSLService sslService = new SSLService(TestEnvironment.newEnvironment(buildEnvSettings(settings)));
-        SslConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
+
+        final SslConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
         SSLEngine engine = sslService.createSSLEngine(configuration, null, -1);
         assertThat(engine, is(notNullValue()));
         String[] enabledCiphers = engine.getEnabledCipherSuites();
         assertThat(Arrays.asList(enabledCiphers), not(contains("foo", "bar")));
+
+        final SslProfile profile = sslService.profile("xpack.security.transport.ssl.");
+        engine = profile.engine(null, -1);
+        assertThat(engine, is(notNullValue()));
+        enabledCiphers = engine.getEnabledCipherSuites();
+        assertThat(Arrays.asList(enabledCiphers), not(contains("foo", "bar")));
     }
 
     public void testInvalidCiphersOnlyThrowsException() throws Exception {
@@ -492,11 +540,18 @@ public void testThatSSLEngineHasCipherSuitesOrderSet() throws Exception {
             .put("xpack.security.transport.ssl.key", testnodeKey)
             .setSecureSettings(secureSettings)
             .build();
+
         SSLService sslService = new SSLService(TestEnvironment.newEnvironment(buildEnvSettings(settings)));
-        SslConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
+
+        final SslConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
         SSLEngine engine = sslService.createSSLEngine(configuration, null, -1);
         assertThat(engine, is(notNullValue()));
         assertTrue(engine.getSSLParameters().getUseCipherSuitesOrder());
+
+        final SslProfile profile = sslService.profile("xpack.security.transport.ssl.");
+        engine = profile.engine(null, -1);
+        assertThat(engine, is(notNullValue()));
+        assertTrue(engine.getSSLParameters().getUseCipherSuitesOrder());
     }
 
     public void testThatSSLSocketFactoryHasProperCiphersAndProtocols() throws Exception {
@@ -508,14 +563,22 @@ public void testThatSSLSocketFactoryHasProperCiphersAndProtocols() throws Except
             .put("xpack.security.transport.ssl.key", testnodeKey)
             .setSecureSettings(secureSettings)
             .build();
+
         SSLService sslService = new SSLService(TestEnvironment.newEnvironment(buildEnvSettings(settings)));
+
         SslConfiguration config = sslService.getSSLConfiguration("xpack.security.transport.ssl");
-        final SSLSocketFactory factory = sslService.sslSocketFactory(config);
-        final String[] ciphers = sslService.supportedCiphers(factory.getSupportedCipherSuites(), config.getCipherSuites(), false);
-        assertThat(factory.getDefaultCipherSuites(), is(ciphers));
+
+        final SSLSocketFactory configFactory = sslService.sslSocketFactory(config);
+        final String[] ciphers = sslService.supportedCiphers(configFactory.getSupportedCipherSuites(), config.getCipherSuites(), false);
+        assertThat(configFactory.getDefaultCipherSuites(), is(ciphers));
+
+        SslProfile profile = sslService.profile("xpack.security.transport.ssl");
+        final SSLSocketFactory profileFactory = profile.socketFactory();
+        assertThat(profileFactory.getSupportedCipherSuites(), is(configFactory.getSupportedCipherSuites()));
+        assertThat(profileFactory.getDefaultCipherSuites(), is(configFactory.getDefaultCipherSuites()));
 
         final String[] getSupportedProtocols = config.supportedProtocols().toArray(Strings.EMPTY_ARRAY);
-        try (SSLSocket socket = (SSLSocket) factory.createSocket()) {
+        try (SSLSocket socket = (SSLSocket) randomFrom(configFactory, profileFactory).createSocket()) {
             assertThat(socket.getEnabledCipherSuites(), is(ciphers));
             // the order we set the protocols in is not going to be what is returned as internally the JDK may sort the versions
             assertThat(socket.getEnabledProtocols(), arrayContainingInAnyOrder(getSupportedProtocols));
@@ -644,6 +707,8 @@ public void testGetConfigurationByContextName() throws Exception {
             assertThat("KeyStore Path for " + name, keyConfig.getDependentFiles(), contains(testnodeStore));
             assertThat("Cipher for " + name, configuration.getCipherSuites(), contains(getCipherSuites[i]));
             assertThat("Configuration for " + name + ".", sslService.getSSLConfiguration(name + "."), sameInstance(configuration));
+
+            assertThat(sslService.profile(name).configuration(), sameInstance(configuration));
         }
     }
 
@@ -893,13 +958,17 @@ public int getSessionCacheSize() {
 
     @Network
     public void testThatSSLContextWithoutSettingsWorks() throws Exception {
-        SSLService sslService = new SSLService(env);
-        SSLContext sslContext = sslService.sslContext(sslService.sslConfiguration(Settings.EMPTY));
-        try (CloseableHttpClient client = HttpClients.custom().setSSLContext(sslContext).build()) {
-            // Execute a GET on a site known to have a valid certificate signed by a trusted public CA
-            // This will result in an SSLHandshakeException if the SSLContext does not trust the CA, but the default
-            // truststore trusts all common public CAs so the handshake will succeed
-            privilegedConnect(() -> client.execute(new HttpGet("https://www.elastic.co/")).close());
+        final SSLService sslService = new SSLService(env);
+        final SSLContext sslContext1 = sslService.sslContext(sslService.sslConfiguration(Settings.EMPTY));
+        final SSLContext sslContext2 = sslService.profile("xpack.http.ssl").sslContext();
+     
+        for (var sslContext : List.of(sslContext1, sslContext2)) {
+            try (CloseableHttpClient client = HttpClients.custom().setSSLContext(sslContext).build()) {
+                // Execute a GET on a site known to have a valid certificate signed by a trusted public CA
+                // This will result in an SSLHandshakeException if the SSLContext does not trust the CA, but the default
+                // truststore trusts all common public CAs so the handshake will succeed
+                privilegedConnect(() -> client.execute(new HttpGet("https://www.elastic.co/")).close());
+            }
         }
     }