Remove SSLService.getHostnameVerifier

Author: tvernum

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLService.java

@@ -257,14 +257,6 @@ SSLIOSessionStrategy sslIOSessionStrategy(SslConfiguration config, SSLContext ss
         return sslIOSessionStrategy(sslContext, supportedProtocols, ciphers, verifier);
     }
 
-    public static HostnameVerifier getHostnameVerifier(SslConfiguration sslConfiguration) {
-        if (sslConfiguration.verificationMode().isHostnameVerificationEnabled()) {
-            return new DefaultHostnameVerifier();
-        } else {
-            return NoopHostnameVerifier.INSTANCE;
-        }
-    }
-
     /**
      * The {@link SSLParameters} that are associated with the {@code sslContext}.
      * <p>
@@ -836,11 +828,15 @@ public SSLSocketFactory socketFactory() {
 
         @Override
         public HostnameVerifier hostnameVerifier() {
-            return SSLService.getHostnameVerifier(this.sslConfiguration);
+            if (this.sslConfiguration.verificationMode().isHostnameVerificationEnabled()) {
+                return new DefaultHostnameVerifier();
+            } else {
+                return NoopHostnameVerifier.INSTANCE;
+            }
         }
 
         @Override
-        public SSLConnectionSocketFactory socketConnectionFactory() {
+        public SSLConnectionSocketFactory connectionSocketFactory() {
             return new SSLConnectionSocketFactory(socketFactory(), hostnameVerifier());
         }
 

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SslProfile.java

@@ -25,7 +25,7 @@ public interface SslProfile {
 
     HostnameVerifier hostnameVerifier();
 
-    SSLConnectionSocketFactory socketConnectionFactory();
+    SSLConnectionSocketFactory connectionSocketFactory();
 
     /**
      * @return An object that is useful for configuring Apache Http Client v4.x

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtUtil.java

@@ -44,7 +44,6 @@
 import org.elasticsearch.common.settings.RotatableSecret;
 import org.elasticsearch.common.settings.SecureString;
 import org.elasticsearch.common.settings.SettingsException;
-import org.elasticsearch.common.ssl.SslConfiguration;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
 import org.elasticsearch.env.Environment;
 import org.elasticsearch.xcontent.XContentBuilder;
@@ -53,6 +52,7 @@
 import org.elasticsearch.xpack.core.security.authc.RealmSettings;
 import org.elasticsearch.xpack.core.security.authc.jwt.JwtRealmSettings;
 import org.elasticsearch.xpack.core.ssl.SSLService;
+import org.elasticsearch.xpack.core.ssl.SslProfile;
 
 import java.io.IOException;
 import java.io.InputStream;
@@ -273,11 +273,13 @@ public static CloseableHttpAsyncClient createHttpClient(final RealmConfig realmC
             return AccessController.doPrivileged((PrivilegedExceptionAction<CloseableHttpAsyncClient>) () -> {
                 final ConnectingIOReactor ioReactor = new DefaultConnectingIOReactor();
                 final String sslKey = RealmSettings.realmSslPrefix(realmConfig.identifier());
-                final SslConfiguration sslConfiguration = sslService.getSSLConfiguration(sslKey);
-                final SSLContext clientContext = sslService.sslContext(sslConfiguration);
-                final HostnameVerifier verifier = SSLService.getHostnameVerifier(sslConfiguration);
+
+                final SslProfile sslProfile = sslService.profile(sslKey);
+                final SSLContext clientContext = sslProfile.sslContext();
+                final HostnameVerifier verifier = sslProfile.hostnameVerifier();
                 final Registry<SchemeIOSessionStrategy> registry = RegistryBuilder.<SchemeIOSessionStrategy>create()
                     .register("http", NoopIOSessionStrategy.INSTANCE)
+                    // TODO: Should this use profile.ioSessionStrategy4 ?
                     .register("https", new SSLIOSessionStrategy(clientContext, verifier))
                     .build();
                 final PoolingNHttpClientConnectionManager connectionManager = new PoolingNHttpClientConnectionManager(ioReactor, registry);

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthenticator.java

@@ -80,7 +80,6 @@
 import org.elasticsearch.SpecialPermission;
 import org.elasticsearch.action.ActionListener;
 import org.elasticsearch.common.Strings;
-import org.elasticsearch.common.ssl.SslConfiguration;
 import org.elasticsearch.common.util.concurrent.ListenableFuture;
 import org.elasticsearch.core.CheckedRunnable;
 import org.elasticsearch.core.Nullable;
@@ -93,6 +92,7 @@
 import org.elasticsearch.xpack.core.security.authc.RealmSettings;
 import org.elasticsearch.xpack.core.security.authc.oidc.OpenIdConnectRealmSettings;
 import org.elasticsearch.xpack.core.ssl.SSLService;
+import org.elasticsearch.xpack.core.ssl.SslProfile;
 import org.elasticsearch.xpack.security.PrivilegedFileWatcher;
 import org.elasticsearch.xpack.security.authc.jwt.JwtUtil;
 
@@ -715,11 +715,12 @@ private CloseableHttpAsyncClient createHttpClient() {
                     IOReactorConfig.custom().setSoKeepAlive(realmConfig.getSetting(HTTP_TCP_KEEP_ALIVE)).build()
                 );
                 final String sslKey = RealmSettings.realmSslPrefix(realmConfig.identifier());
-                final SslConfiguration sslConfiguration = sslService.getSSLConfiguration(sslKey);
-                final SSLContext clientContext = sslService.sslContext(sslConfiguration);
-                final HostnameVerifier verifier = SSLService.getHostnameVerifier(sslConfiguration);
+                final SslProfile sslProfile = sslService.profile(sslKey);
+                final SSLContext clientContext = sslProfile.sslContext();
+                final HostnameVerifier verifier = sslProfile.hostnameVerifier();
                 Registry<SchemeIOSessionStrategy> registry = RegistryBuilder.<SchemeIOSessionStrategy>create()
                     .register("http", NoopIOSessionStrategy.INSTANCE)
+                    // TODO: Should this use profile.ioSessionStrategy4 ?
                     .register("https", new SSLIOSessionStrategy(clientContext, verifier))
                     .build();
                 PoolingNHttpClientConnectionManager connectionManager = new PoolingNHttpClientConnectionManager(ioReactor, registry);

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/saml/SamlRealm.java

@@ -23,7 +23,6 @@
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.SettingsException;
-import org.elasticsearch.common.ssl.SslConfiguration;
 import org.elasticsearch.common.ssl.SslKeyConfig;
 import org.elasticsearch.common.util.CollectionUtils;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
@@ -49,6 +48,7 @@
 import org.elasticsearch.xpack.core.security.user.User;
 import org.elasticsearch.xpack.core.ssl.CertParsingUtils;
 import org.elasticsearch.xpack.core.ssl.SSLService;
+import org.elasticsearch.xpack.core.ssl.SslProfile;
 import org.elasticsearch.xpack.security.PrivilegedFileWatcher;
 import org.elasticsearch.xpack.security.authc.Realms;
 import org.elasticsearch.xpack.security.authc.TokenService;
@@ -107,7 +107,6 @@
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
-import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.X509KeyManager;
 
 import static org.elasticsearch.common.Strings.collectionToCommaDelimitedString;
@@ -684,9 +683,8 @@ private static Tuple<AbstractReloadingMetadataResolver, Supplier<EntityDescripto
         HttpClientBuilder builder = HttpClientBuilder.create();
         // ssl setup
         final String sslKey = RealmSettings.realmSslPrefix(config.identifier());
-        final SslConfiguration sslConfiguration = sslService.getSSLConfiguration(sslKey);
-        final HostnameVerifier verifier = SSLService.getHostnameVerifier(sslConfiguration);
-        SSLConnectionSocketFactory factory = new SSLConnectionSocketFactory(sslService.sslSocketFactory(sslConfiguration), verifier);
+        final SslProfile sslProfile = sslService.profile(sslKey);
+        final SSLConnectionSocketFactory factory = sslProfile.connectionSocketFactory();
         builder.setSSLSocketFactory(factory);
 
         TimeValue maxRefresh = config.getSetting(IDP_METADATA_HTTP_REFRESH);

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLErrorMessageCertificateVerificationTests.java

@@ -29,6 +29,7 @@
 import org.elasticsearch.test.http.MockWebServer;
 import org.elasticsearch.xpack.core.common.socket.SocketAccess;
 import org.elasticsearch.xpack.core.ssl.SSLService;
+import org.elasticsearch.xpack.core.ssl.SslProfile;
 
 import java.io.FileNotFoundException;
 import java.io.IOException;
@@ -170,18 +171,18 @@ private void connect(SSLSocket clientSocket, MockWebServer webServer) throws IOE
     }
 
     private CloseableHttpClient buildHttpClient(SSLService sslService) {
-        final SslConfiguration sslConfiguration = sslService.getSSLConfiguration(HTTP_CLIENT_SSL);
-        final HostnameVerifier verifier = SSLService.getHostnameVerifier(sslConfiguration);
-        final SSLSocketFactory socketFactory = sslService.sslSocketFactory(sslConfiguration);
+        final SslProfile profile = sslService.profile(HTTP_CLIENT_SSL);
+        final HostnameVerifier verifier = profile.hostnameVerifier();
+        final SSLSocketFactory socketFactory = profile.socketFactory();
         final SSLConnectionSocketFactory connectionSocketFactory = new SSLConnectionSocketFactory(socketFactory, verifier);
         return HttpClientBuilder.create().setSSLSocketFactory(connectionSocketFactory).build();
     }
 
     private RestClient buildRestClient(SSLService sslService, MockWebServer webServer) {
-        final SslConfiguration sslConfiguration = sslService.getSSLConfiguration(HTTP_CLIENT_SSL);
+        final SslProfile profile = sslService.profile(HTTP_CLIENT_SSL);
         final HttpHost httpHost = new HttpHost(webServer.getHostName(), webServer.getPort(), "https");
         return RestClient.builder(httpHost)
-            .setHttpClientConfigCallback(client -> client.setSSLStrategy(sslService.sslIOSessionStrategy(sslConfiguration)))
+            .setHttpClientConfigCallback(client -> client.setSSLStrategy(profile.ioSessionStrategy4()))
             .build();
     }
 

x-pack/plugin/watcher/src/main/java/org/elasticsearch/xpack/watcher/common/http/HttpClient.java

@@ -48,7 +48,6 @@
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.regex.Regex;
 import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.common.ssl.SslConfiguration;
 import org.elasticsearch.common.unit.ByteSizeValue;
 import org.elasticsearch.common.util.Maps;
 import org.elasticsearch.core.Streams;
@@ -76,8 +75,6 @@
 import java.util.concurrent.TimeUnit;
 import java.util.concurrent.atomic.AtomicReference;
 
-import javax.net.ssl.HostnameVerifier;
-
 public class HttpClient implements Closeable {
 
     private static final String SETTINGS_SSL_PREFIX = "xpack.http.ssl.";
@@ -117,9 +114,7 @@ private CloseableHttpClient createHttpClient() {
         HttpClientBuilder clientBuilder = HttpClientBuilder.create();
 
         // ssl setup
-        SslConfiguration sslConfiguration = sslService.getSSLConfiguration(SETTINGS_SSL_PREFIX);
-        HostnameVerifier verifier = SSLService.getHostnameVerifier(sslConfiguration);
-        SSLConnectionSocketFactory factory = new SSLConnectionSocketFactory(sslService.sslSocketFactory(sslConfiguration), verifier);
+        SSLConnectionSocketFactory factory = sslService.profile(SETTINGS_SSL_PREFIX).connectionSocketFactory();
         clientBuilder.setSSLSocketFactory(factory);
 
         final SocketConfig.Builder socketConfigBuilder = SocketConfig.custom();