First pass at creating a plugin for encrypting fields

.java-version

@@ -0,0 +1 @@
+17.0

keystore-added.gradle

@@ -0,0 +1,17 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+rootProject {
+  if(project.name == 'elasticsearch') {
+    afterEvaluate {
+      testClusters.configureEach {
+        keystore 'xpack.ingestion.encryption_key', '_passwd'
+      }
+    }
+  }
+}

x-pack/plugin/enterprise-search/build.gradle

@@ -0,0 +1,23 @@
+apply plugin: 'elasticsearch.internal-es-plugin'
+
+esplugin {
+  name 'enterprise-search'
+  description 'A module for ingestion encryption'
+  classname 'org.elasticsearch.xpack.enterprisesearch.EnterpriseSearchPlugin'
+  extendedPlugins = ['x-pack-core']
+}
+archivesBaseName = 'x-pack-enterprise-search'
+
+dependencies {
+  compileOnly project(":server")
+  compileOnly project(path: xpackModule('core'))
+}
+
+tasks.named("dependencyLicenses").configure {
+  ignoreSha 'x-pack-core'
+}
+
+//no tests
+tasks.named("test").configure {
+  enabled = false
+}

x-pack/plugin/enterprise-search/src/main/java/org/elasticsearch/xpack/enterprisesearch/EnterpriseSearchPlugin.java

@@ -0,0 +1,111 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+package org.elasticsearch.xpack.enterprisesearch;
+
+import org.elasticsearch.action.ActionRequest;
+import org.elasticsearch.action.ActionResponse;
+import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
+import org.elasticsearch.cluster.node.DiscoveryNodes;
+import org.elasticsearch.common.settings.ClusterSettings;
+import org.elasticsearch.common.settings.IndexScopedSettings;
+import org.elasticsearch.common.settings.Setting;
+import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.common.settings.SettingsFilter;
+import org.elasticsearch.indices.SystemIndexDescriptor;
+import org.elasticsearch.plugins.ActionPlugin;
+import org.elasticsearch.plugins.Plugin;
+import org.elasticsearch.plugins.SystemIndexPlugin;
+import org.elasticsearch.rest.RestController;
+import org.elasticsearch.rest.RestHandler;
+import org.elasticsearch.xpack.enterprisesearch.action.decrypt.DecryptAction;
+import org.elasticsearch.xpack.enterprisesearch.action.decrypt.DecryptRestHandler;
+import org.elasticsearch.xpack.enterprisesearch.action.decrypt.DecryptTransportAction;
+import org.elasticsearch.xpack.enterprisesearch.action.encrypt.EncryptAction;
+import org.elasticsearch.xpack.enterprisesearch.action.encrypt.EncryptRestHandler;
+import org.elasticsearch.xpack.enterprisesearch.action.encrypt.EncryptTransportAction;
+import org.elasticsearch.xpack.enterprisesearch.index.ConnectorIndex;
+import org.elasticsearch.xpack.enterprisesearch.index.SyncJobIndex;
+import org.elasticsearch.xpack.enterprisesearch.setting.EntSearchField;
+
+import java.util.Collection;
+import java.util.List;
+import java.util.function.Supplier;
+
+import static java.util.Collections.singletonList;
+
+public class EnterpriseSearchPlugin extends Plugin implements SystemIndexPlugin {
+    public static final String FEATURE_NAME = "Enterprise Search Connectors";
+    public static final String DESCRIPTION = "The state and metadata surrounding registered connectors and their sync jobs";
+
+    @Override
+    public List<RestHandler> getRestHandlers(final Settings settings,
+                                             final RestController restController,
+                                             final ClusterSettings clusterSettings,
+                                             final IndexScopedSettings indexScopedSettings,
+                                             final SettingsFilter settingsFilter,
+                                             final IndexNameExpressionResolver indexNameExpressionResolver,
+                                             final Supplier<DiscoveryNodes> nodesInCluster) {
+
+        return List.of(
+            new EncryptRestHandler(),
+            new DecryptRestHandler()
+        );
+    }
+
+    @Override
+    public List<ActionHandler<? extends ActionRequest, ? extends ActionResponse>> getActions() {
+        return List.of(
+            new ActionHandler<>(EncryptAction.INSTANCE, EncryptTransportAction.class),
+            new ActionHandler<>(DecryptAction.INSTANCE, DecryptTransportAction.class)
+        );
+    }
+
+    @Override
+    public List<Setting<?>> getSettings() {
+        return singletonList(EntSearchField.ENCRYPTION_KEY_SETTING);
+    }
+
+    @Override
+    public String getFeatureName() {
+        return FEATURE_NAME;
+    }
+
+    @Override
+    public String getFeatureDescription() {
+        return DESCRIPTION;
+    }
+
+    @Override
+    public Collection<SystemIndexDescriptor> getSystemIndexDescriptors(Settings settings) {
+        SystemIndexDescriptor connectorsIndex = SystemIndexDescriptor.builder()
+            .setIndexPattern(".elastic-connectors-v*")
+            .setDescription("State of individual connectors")
+            .setType(SystemIndexDescriptor.Type.INTERNAL_MANAGED)
+            .setPrimaryIndex(".elastic-connectors-v1")
+            .setAliasName(".elastic-connectors")
+            .setMappings(ConnectorIndex.MAPPING_JSON)
+            .setSettings(SyncJobIndex.SETTINGS)
+            .setVersionMetaKey("es-version")
+            .setOrigin(FEATURE_NAME)
+            .build();
+        SystemIndexDescriptor syncJobsIndex = SystemIndexDescriptor.builder()
+            .setIndexPattern(".elastic-connectors-sync-jobs-v*")
+            .setDescription("History/log of connector sync jobs")
+            .setType(SystemIndexDescriptor.Type.INTERNAL_MANAGED)
+            .setPrimaryIndex(".elastic-connectors-sync-jobs-v1")
+            .setAliasName(".elastic-connectors-sync-jobs")
+            .setMappings(SyncJobIndex.MAPPING_JSON)
+            .setSettings(SyncJobIndex.SETTINGS)
+            .setVersionMetaKey("es-version")
+            .setOrigin(FEATURE_NAME)
+            .build();
+
+        return List.of(connectorsIndex, syncJobsIndex);
+    }
+}

x-pack/plugin/enterprise-search/src/main/java/org/elasticsearch/xpack/enterprisesearch/action/decrypt/DecryptAction.java

@@ -0,0 +1,22 @@
+
+
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+package org.elasticsearch.xpack.enterprisesearch.action.decrypt;
+
+import org.elasticsearch.action.ActionType;
+
+public class DecryptAction extends ActionType<DecryptResponse> {
+
+    public static final DecryptAction INSTANCE = new DecryptAction();
+    public static final String NAME = "indices:data/read/ent-search-decrypt";
+
+    public DecryptAction() {
+        super(NAME, DecryptResponse::new);
+    }
+}

x-pack/plugin/enterprise-search/src/main/java/org/elasticsearch/xpack/enterprisesearch/action/decrypt/DecryptRequest.java

@@ -0,0 +1,105 @@
+
+
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+package org.elasticsearch.xpack.enterprisesearch.action.decrypt;
+
+import org.elasticsearch.action.ActionRequest;
+import org.elasticsearch.action.ActionRequestValidationException;
+import org.elasticsearch.action.IndicesRequest;
+import org.elasticsearch.action.support.IndicesOptions;
+import org.elasticsearch.common.io.stream.StreamInput;
+import org.elasticsearch.common.io.stream.StreamOutput;
+import org.elasticsearch.xcontent.ToXContentObject;
+import org.elasticsearch.xcontent.XContentBuilder;
+
+import java.io.IOException;
+
+public class DecryptRequest extends ActionRequest implements IndicesRequest, ToXContentObject {
+
+    private String index;
+    private String id;
+    private String field;
+
+    public DecryptRequest(){
+        super();
+    }
+
+    public DecryptRequest(StreamInput in) throws IOException {
+        super(in);
+        this.index = in.readString();
+        this.id = in.readString();
+        this.field = in.readString();
+    }
+
+    @Override
+    public void writeTo(StreamOutput out) throws IOException {
+        super.writeTo(out);
+        out.writeString(index);
+        out.writeString(id);
+        out.writeString(field);
+    }
+
+    public String getIndex() {
+        return index;
+    }
+
+    public void setIndex(String index) {
+        this.index = index;
+    }
+
+    public String getId() {
+        return id;
+    }
+
+    public void setId(String id) {
+        this.id = id;
+    }
+
+    public String getField() {
+        return field;
+    }
+
+    public void setField(String field) {
+        this.field = field;
+    }
+
+    @Override
+    public XContentBuilder toXContent(XContentBuilder builder, Params params) throws IOException {
+        return builder
+            .startObject()
+            .field("index", params.param("index"))
+            .field("id", params.param("id"))
+            .field("field", params.param("field"))
+            .endObject();
+    }
+
+    @Override
+    public ActionRequestValidationException validate() {
+        return null; // TODO
+    }
+
+    /**
+     * Returns the array of indices that the action relates to
+     */
+    @Override
+    public String[] indices() {
+        String[] indices = new String[1];
+        indices[0] = index;
+        return indices;
+    }
+
+    /**
+     * Returns the indices options used to resolve indices. They tell for instance whether a single index is
+     * accepted, whether an empty array will be converted to _all, and how wildcards will be expanded if needed.
+     */
+    @Override
+    public IndicesOptions indicesOptions() {
+        return IndicesOptions.STRICT_EXPAND_OPEN_CLOSED_HIDDEN; // TODO no idea what this is about
+    }
+}

x-pack/plugin/enterprise-search/src/main/java/org/elasticsearch/xpack/enterprisesearch/action/decrypt/DecryptResponse.java

@@ -0,0 +1,70 @@
+
+
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+package org.elasticsearch.xpack.enterprisesearch.action.decrypt;
+
+import org.elasticsearch.action.ActionResponse;
+import org.elasticsearch.common.io.stream.StreamInput;
+import org.elasticsearch.common.io.stream.StreamOutput;
+import org.elasticsearch.common.xcontent.StatusToXContentObject;
+import org.elasticsearch.rest.RestStatus;
+import org.elasticsearch.xcontent.XContentBuilder;
+
+import java.io.IOException;
+
+public class DecryptResponse extends ActionResponse implements StatusToXContentObject {
+
+    String value;
+
+    public DecryptResponse(){
+        super();
+    }
+
+    public DecryptResponse(StreamInput in) throws IOException {
+        super(in);
+        this.value = in.readString();
+    }
+
+    public String getValue() {
+        return value;
+    }
+
+    public void setValue(String value) {
+        this.value = value;
+    }
+
+    @Override
+    public XContentBuilder toXContent(XContentBuilder builder, Params params) throws IOException {
+        return builder.startObject()
+            .field("value", value)
+            .endObject();
+    }
+
+    /**
+     * Write this into the {@linkplain StreamOutput}.
+     *
+     * @param out
+     */
+    @Override
+    public void writeTo(StreamOutput out) throws IOException {
+        out.writeString(value);
+    }
+
+    /**
+     * Returns the REST status to make sure it is returned correctly
+     */
+    @Override
+    public RestStatus status() {
+        if (value != null) {
+            return RestStatus.OK;
+        } else {
+            return RestStatus.INTERNAL_SERVER_ERROR;
+        }
+    }
+}