move to using new constructor part 3

slobodanadamovic · slobodanadamovic · commit af00bcd25e34 · 2025-09-07T14:29:34.000+02:00
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/CrossClusterAccessTransportInterceptor.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/CrossClusterAccessTransportInterceptor.java
@@ -22,6 +22,7 @@
 import org.elasticsearch.tasks.TaskCancellationService;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.transport.RemoteConnectionManager;
+import org.elasticsearch.transport.RemoteConnectionManager.RemoteClusterAliasWithCredentials;
 import org.elasticsearch.transport.SendRequestTransportException;
 import org.elasticsearch.transport.Transport;
 import org.elasticsearch.transport.TransportInterceptor;
@@ -81,7 +82,7 @@ public class CrossClusterAccessTransportInterceptor implements RemoteClusterTran
 
     private final Function<
         Transport.Connection,
-        Optional<RemoteConnectionManager.RemoteClusterAliasWithCredentials>> remoteClusterCredentialsResolver;
+        Optional<RemoteClusterAliasWithCredentials>> remoteClusterCredentialsResolver;
     private final CrossClusterAccessAuthenticationService crossClusterAccessAuthcService;
     private final AuthenticationService authcService;
     private final AuthorizationService authzService;
@@ -120,7 +121,7 @@ public CrossClusterAccessTransportInterceptor(
         SecurityContext securityContext,
         ThreadPool threadPool,
         Settings settings,
-        Function<Transport.Connection, Optional<RemoteConnectionManager.RemoteClusterAliasWithCredentials>> remoteClusterCredentialsResolver
+        Function<Transport.Connection, Optional<RemoteClusterAliasWithCredentials>> remoteClusterCredentialsResolver
     ) {
         this.remoteClusterCredentialsResolver = remoteClusterCredentialsResolver;
         this.crossClusterAccessAuthcService = crossClusterAccessAuthcService;
@@ -164,7 +165,7 @@ public <T extends TransportResponse> void sendRequest(
              * Returns cluster credentials if the connection is remote, and cluster credentials are set up for the target cluster.
              */
             private Optional<RemoteClusterCredentials> getRemoteClusterCredentials(Transport.Connection connection) {
-                final Optional<RemoteConnectionManager.RemoteClusterAliasWithCredentials> remoteClusterAliasWithCredentials =
+                final Optional<RemoteClusterAliasWithCredentials> remoteClusterAliasWithCredentials =
                     remoteClusterCredentialsResolver.apply(connection);
                 if (remoteClusterAliasWithCredentials.isEmpty()) {
                     logger.trace("Connection is not remote");
@@ -325,7 +326,7 @@ private static IllegalArgumentException illegalArgumentExceptionWithDebugLog(Str
     @Override
     public boolean isRemoteClusterConnection(Transport.Connection connection) {
         return remoteClusterCredentialsResolver.apply(connection)
-            .map(RemoteConnectionManager.RemoteClusterAliasWithCredentials::clusterAlias)
+            .map(RemoteClusterAliasWithCredentials::clusterAlias)
             .isPresent();
     }
 
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/SecurityServerTransportInterceptor.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/SecurityServerTransportInterceptor.java
@@ -16,10 +16,8 @@
 import org.elasticsearch.common.util.concurrent.EsExecutors;
 import org.elasticsearch.common.util.concurrent.RunOnce;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
-import org.elasticsearch.license.XPackLicenseState;
 import org.elasticsearch.tasks.Task;
 import org.elasticsearch.threadpool.ThreadPool;
-import org.elasticsearch.transport.RemoteConnectionManager.RemoteClusterAliasWithCredentials;
 import org.elasticsearch.transport.SendRequestTransportException;
 import org.elasticsearch.transport.Transport;
 import org.elasticsearch.transport.TransportChannel;
@@ -35,16 +33,11 @@
 import org.elasticsearch.xpack.core.security.transport.ProfileConfigurations;
 import org.elasticsearch.xpack.core.ssl.SSLService;
 import org.elasticsearch.xpack.core.ssl.SslProfile;
-import org.elasticsearch.xpack.security.authc.AuthenticationService;
-import org.elasticsearch.xpack.security.authc.CrossClusterAccessAuthenticationService;
-import org.elasticsearch.xpack.security.authz.AuthorizationService;
 import org.elasticsearch.xpack.security.authz.AuthorizationUtils;
 import org.elasticsearch.xpack.security.authz.PreAuthorizationUtils;
 
 import java.util.Map;
-import java.util.Optional;
 import java.util.concurrent.Executor;
-import java.util.function.Function;
 
 import static org.elasticsearch.core.Strings.format;
 
@@ -73,35 +66,6 @@ public SecurityServerTransportInterceptor(
         this.profileFilters = this.remoteClusterTransportInterceptor.getProfileFilters(profileConfigurations, destructiveOperations);
     }
 
-    SecurityServerTransportInterceptor(
-        Settings settings,
-        ThreadPool threadPool,
-        AuthenticationService authcService,
-        AuthorizationService authzService,
-        SSLService sslService,
-        SecurityContext securityContext,
-        DestructiveOperations destructiveOperations,
-        CrossClusterAccessAuthenticationService crossClusterAccessAuthcService,
-        XPackLicenseState licenseState,
-        // Inject for simplified testing
-        Function<Transport.Connection, Optional<RemoteClusterAliasWithCredentials>> remoteClusterCredentialsResolver
-    ) {
-        this.threadPool = threadPool;
-        this.securityContext = securityContext;
-        this.remoteClusterTransportInterceptor = new CrossClusterAccessTransportInterceptor(
-            crossClusterAccessAuthcService,
-            authcService,
-            authzService,
-            licenseState,
-            securityContext,
-            threadPool,
-            settings,
-            remoteClusterCredentialsResolver
-        );
-        final Map<String, SslProfile> profileConfigurations = ProfileConfigurations.get(settings, sslService, false);
-        this.profileFilters = remoteClusterTransportInterceptor.getProfileFilters(profileConfigurations, destructiveOperations);
-    }
-
     @Override
     public AsyncSender interceptSender(AsyncSender sender) {
         return interceptForAllRequests(remoteClusterTransportInterceptor.interceptSender(sender));
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/SecurityServerTransportInterceptorTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/SecurityServerTransportInterceptorTests.java
@@ -6,6 +6,8 @@
  */
 package org.elasticsearch.xpack.security.transport;
 
+import com.carrotsearch.randomizedtesting.annotations.Repeat;
+
 import org.elasticsearch.ElasticsearchSecurityException;
 import org.elasticsearch.TransportVersion;
 import org.elasticsearch.TransportVersions;
@@ -112,6 +114,7 @@
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
 
+@Repeat(iterations = 1000)
 public class SecurityServerTransportInterceptorTests extends ESTestCase {
 
     private Settings settings;
@@ -637,17 +640,22 @@ public void testSendWithCrossClusterAccessHeadersWithUnsupportedLicense() throws
         final SecurityServerTransportInterceptor interceptor = new SecurityServerTransportInterceptor(
             settings,
             threadPool,
-            mock(AuthenticationService.class),
-            mock(AuthorizationService.class),
             mockSslService(),
             securityContext,
             new DestructiveOperations(
                 Settings.EMPTY,
                 new ClusterSettings(Settings.EMPTY, Collections.singleton(DestructiveOperations.REQUIRES_NAME_SETTING))
             ),
-            mock(CrossClusterAccessAuthenticationService.class),
-            unsupportedLicenseState,
-            mockRemoteClusterCredentialsResolver(remoteClusterAlias)
+            new CrossClusterAccessTransportInterceptor(
+                mock(CrossClusterAccessAuthenticationService.class),
+                mock(AuthenticationService.class),
+                mock(AuthorizationService.class),
+                unsupportedLicenseState,
+                securityContext,
+                threadPool,
+                settings,
+                mockRemoteClusterCredentialsResolver(remoteClusterAlias)
+            )
         );
 
         final AsyncSender sender = interceptor.interceptSender(mock(AsyncSender.class, ignored -> {
@@ -774,17 +782,24 @@ private void doTestSendWithCrossClusterAccessHeaders(
         final SecurityServerTransportInterceptor interceptor = new SecurityServerTransportInterceptor(
             settings,
             threadPool,
-            mock(AuthenticationService.class),
-            authzService,
             mockSslService(),
             securityContext,
             new DestructiveOperations(
                 Settings.EMPTY,
                 new ClusterSettings(Settings.EMPTY, Collections.singleton(DestructiveOperations.REQUIRES_NAME_SETTING))
             ),
-            mock(CrossClusterAccessAuthenticationService.class),
-            mockLicenseState,
-            ignored -> Optional.of(new RemoteClusterAliasWithCredentials(remoteClusterAlias, new SecureString(encodedApiKey.toCharArray())))
+            new CrossClusterAccessTransportInterceptor(
+                mock(CrossClusterAccessAuthenticationService.class),
+                mock(AuthenticationService.class),
+                authzService,
+                mockLicenseState,
+                securityContext,
+                threadPool,
+                settings,
+                ignored -> Optional.of(
+                    new RemoteClusterAliasWithCredentials(remoteClusterAlias, new SecureString(encodedApiKey.toCharArray()))
+                )
+            )
         );
 
         final AtomicBoolean calledWrappedSender = new AtomicBoolean(false);
@@ -912,21 +927,28 @@ public void testSendWithUserIfCrossClusterAccessHeadersConditionNotMet() throws
         final SecurityServerTransportInterceptor interceptor = new SecurityServerTransportInterceptor(
             settings,
             threadPool,
-            mock(AuthenticationService.class),
-            authzService,
             mockSslService(),
             securityContext,
             new DestructiveOperations(
                 Settings.EMPTY,
                 new ClusterSettings(Settings.EMPTY, Collections.singleton(DestructiveOperations.REQUIRES_NAME_SETTING))
             ),
-            mock(CrossClusterAccessAuthenticationService.class),
-            mockLicenseState,
-            ignored -> notRemoteConnection
-                ? Optional.empty()
-                : (finalNoCredential
-                    ? Optional.of(new RemoteClusterAliasWithCredentials(remoteClusterAlias, null))
-                    : Optional.of(new RemoteClusterAliasWithCredentials(remoteClusterAlias, new SecureString(encodedApiKey.toCharArray()))))
+            new CrossClusterAccessTransportInterceptor(
+                mock(CrossClusterAccessAuthenticationService.class),
+                mock(AuthenticationService.class),
+                authzService,
+                mockLicenseState,
+                securityContext,
+                threadPool,
+                settings,
+                ignored -> notRemoteConnection
+                    ? Optional.empty()
+                    : (finalNoCredential
+                        ? Optional.of(new RemoteClusterAliasWithCredentials(remoteClusterAlias, null))
+                        : Optional.of(
+                            new RemoteClusterAliasWithCredentials(remoteClusterAlias, new SecureString(encodedApiKey.toCharArray()))
+                        ))
+            )
         );
 
         final AtomicBoolean calledWrappedSender = new AtomicBoolean(false);
@@ -971,17 +993,24 @@ public void testSendWithCrossClusterAccessHeadersThrowsOnOldConnection() throws
         final SecurityServerTransportInterceptor interceptor = new SecurityServerTransportInterceptor(
             settings,
             threadPool,
-            mock(AuthenticationService.class),
-            mock(AuthorizationService.class),
             mockSslService(),
             securityContext,
             new DestructiveOperations(
                 Settings.EMPTY,
                 new ClusterSettings(Settings.EMPTY, Collections.singleton(DestructiveOperations.REQUIRES_NAME_SETTING))
             ),
-            mock(CrossClusterAccessAuthenticationService.class),
-            mockLicenseState,
-            ignored -> Optional.of(new RemoteClusterAliasWithCredentials(remoteClusterAlias, new SecureString(encodedApiKey.toCharArray())))
+            new CrossClusterAccessTransportInterceptor(
+                mock(CrossClusterAccessAuthenticationService.class),
+                mock(AuthenticationService.class),
+                mock(AuthorizationService.class),
+                mockLicenseState,
+                securityContext,
+                threadPool,
+                settings,
+                ignored -> Optional.of(
+                    new RemoteClusterAliasWithCredentials(remoteClusterAlias, new SecureString(encodedApiKey.toCharArray()))
+                )
+            )
         );
 
         final AsyncSender sender = interceptor.interceptSender(new AsyncSender() {
@@ -1070,17 +1099,24 @@ public void testSendRemoteRequestFailsIfUserHasNoRemoteIndicesPrivileges() throw
         final SecurityServerTransportInterceptor interceptor = new SecurityServerTransportInterceptor(
             settings,
             threadPool,
-            mock(AuthenticationService.class),
-            authzService,
             mockSslService(),
             securityContext,
             new DestructiveOperations(
                 Settings.EMPTY,
                 new ClusterSettings(Settings.EMPTY, Collections.singleton(DestructiveOperations.REQUIRES_NAME_SETTING))
             ),
-            mock(CrossClusterAccessAuthenticationService.class),
-            mockLicenseState,
-            ignored -> Optional.of(new RemoteClusterAliasWithCredentials(remoteClusterAlias, new SecureString(encodedApiKey.toCharArray())))
+            new CrossClusterAccessTransportInterceptor(
+                mock(CrossClusterAccessAuthenticationService.class),
+                mock(AuthenticationService.class),
+                authzService,
+                mockLicenseState,
+                securityContext,
+                threadPool,
+                settings,
+                ignored -> Optional.of(
+                    new RemoteClusterAliasWithCredentials(remoteClusterAlias, new SecureString(encodedApiKey.toCharArray()))
+                )
+            )
         );
 
         final AsyncSender sender = interceptor.interceptSender(new AsyncSender() {
