Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Access SSL contexts using names instead of Settings #30953

Merged
merged 39 commits into from
Jul 13, 2018
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
39 commits
Select commit Hold shift + click to select a range
8fbe6e1
Refer to SSL contexts by name not settings
tvernum May 7, 2018
222015b
Merge branch 'master' into fix/30344-ssl-context-names
tvernum May 10, 2018
a360d22
[WIP] Use named SSL context in LDAP
tvernum May 14, 2018
29077e2
Merge branch 'master' into fix/30344-ssl-context-names
tvernum May 28, 2018
9ea7a52
Update openldap QA tests for named SSL contexts
tvernum May 28, 2018
997a1ec
Remove sslSocketFactory(Settings) from SSLService
tvernum May 28, 2018
2999649
Deprecate createSSLEngine(Settings)
tvernum May 29, 2018
bcde8a5
Remove createSSLEngine(Settings)
tvernum May 29, 2018
6ce4d32
Reduce use of Settings in SSL
tvernum May 30, 2018
f9cc028
Merge branch 'master' into fix/30344-ssl-context-names
tvernum May 30, 2018
e0561ee
Merge branch 'master' into fix/30344-ssl-context-names
tvernum Jun 12, 2018
bee987c
Improve SSLService tests
tvernum Jun 12, 2018
7c060d7
Small cleanup
tvernum Jun 12, 2018
2282d01
Merge branch 'master' into fix/30344-ssl-context-names
tvernum Jun 13, 2018
1aa0c14
Add additional test for named SSL configurations
tvernum Jun 14, 2018
39e6629
Merge branch 'master' into fix/30344-ssl-context-names
tvernum Jun 14, 2018
ef58ff1
Merge branch 'master' into fix/30344-ssl-context-names
tvernum Jun 14, 2018
d94dd57
Merge branch 'master' into fix/30344-ssl-context-names
tvernum Jun 14, 2018
ee32357
Remove unused imports
tvernum Jun 14, 2018
5a57fd6
Merge branch 'master' into fix/30344-ssl-context-names
tvernum Jun 15, 2018
cf2fdf0
Merge branch 'master' into fix/30344-ssl-context-names
tvernum Jun 18, 2018
42e3aa1
Fix test (feedback)
tvernum Jun 18, 2018
fb0505e
Merge branch 'master' into fix/30344-ssl-context-names
tvernum Jun 22, 2018
37cc028
Merge branch 'master' into fix/30344-ssl-context-names
tvernum Jun 26, 2018
817c565
Merge branch 'master' into fix/30344-ssl-context-names
tvernum Jul 9, 2018
2eb845a
Fix monitoring to work with dynamic SSL settings
tvernum Jul 9, 2018
2f6c87b
Merge branch 'master' into fix/30344-ssl-context-names
tvernum Jul 10, 2018
255a42e
Cleanup test static vars
tvernum Jul 10, 2018
8ea7e35
Address feedback from @jaymode (round 1)
tvernum Jul 10, 2018
e8d8299
Fix import
tvernum Jul 10, 2018
b11d61b
Rename test & context name
tvernum Jul 11, 2018
f4bab91
Remove more uses of sslConfiguration from settings
tvernum Jul 11, 2018
f637dc7
Merge branch 'master' into fix/30344-ssl-context-names
tvernum Jul 11, 2018
f774e6d
Remove remaining uses of deprecated methods
tvernum Jul 11, 2018
d1f3147
Don't use JKS keystore in test
tvernum Jul 11, 2018
44c4cf1
Fix broken test
tvernum Jul 11, 2018
9a0c026
Merge branch 'master' into fix/30344-ssl-context-names
tvernum Jul 12, 2018
bc3095e
Fix broken tests
tvernum Jul 12, 2018
9f6fa6d
Merge branch 'master' into fix/30344-ssl-context-names
tvernum Jul 13, 2018
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -28,12 +28,12 @@
import org.elasticsearch.xpack.core.ssl.SSLService;

import javax.net.ssl.SSLEngine;

import java.net.InetSocketAddress;
import java.net.SocketAddress;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import static org.elasticsearch.xpack.core.security.SecurityField.setting;

Expand All @@ -58,29 +58,31 @@ public SecurityNetty4Transport(
super(settings, threadPool, networkService, bigArrays, namedWriteableRegistry, circuitBreakerService);
this.sslService = sslService;
this.sslEnabled = XPackSettings.TRANSPORT_SSL_ENABLED.get(settings);
final Settings transportSSLSettings = settings.getByPrefix(setting("transport.ssl."));
if (sslEnabled) {
this.sslConfiguration = sslService.sslConfiguration(transportSSLSettings, Settings.EMPTY);
Map<String, Settings> profileSettingsMap = settings.getGroups("transport.profiles.", true);
Map<String, SSLConfiguration> profileConfiguration = new HashMap<>(profileSettingsMap.size() + 1);
for (Map.Entry<String, Settings> entry : profileSettingsMap.entrySet()) {
Settings profileSettings = entry.getValue();
final Settings profileSslSettings = profileSslSettings(profileSettings);
SSLConfiguration configuration = sslService.sslConfiguration(profileSslSettings, transportSSLSettings);
profileConfiguration.put(entry.getKey(), configuration);
}

if (profileConfiguration.containsKey(TcpTransport.DEFAULT_PROFILE) == false) {
profileConfiguration.put(TcpTransport.DEFAULT_PROFILE, sslConfiguration);
}

this.sslConfiguration = sslService.getSSLConfiguration(setting("transport.ssl."));
Map<String, SSLConfiguration> profileConfiguration = getTransportProfileConfigurations(settings, sslService, sslConfiguration);
this.profileConfiguration = Collections.unmodifiableMap(profileConfiguration);
} else {
this.profileConfiguration = Collections.emptyMap();
this.sslConfiguration = null;
}
}

public static Map<String, SSLConfiguration> getTransportProfileConfigurations(Settings settings, SSLService sslService,
SSLConfiguration defaultConfiguration) {
Set<String> profileNames = settings.getGroups("transport.profiles.", true).keySet();
Map<String, SSLConfiguration> profileConfiguration = new HashMap<>(profileNames.size() + 1);
for (String profileName : profileNames) {
SSLConfiguration configuration = sslService.getSSLConfiguration("transport.profiles." + profileName + "." + setting("ssl"));
profileConfiguration.put(profileName, configuration);
}

if (profileConfiguration.containsKey(TcpTransport.DEFAULT_PROFILE) == false) {
profileConfiguration.put(TcpTransport.DEFAULT_PROFILE, defaultConfiguration);
}
return profileConfiguration;
}

@Override
protected void doStart() {
super.doStart();
Expand Down Expand Up @@ -209,8 +211,4 @@ public void connect(ChannelHandlerContext ctx, SocketAddress remoteAddress,
super.connect(ctx, remoteAddress, localAddress, promise);
}
}

public static Settings profileSslSettings(Settings profileSettings) {
return profileSettings.getByPrefix(setting("ssl."));
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,8 @@
import java.util.Locale;
import java.util.Optional;
import java.util.function.Function;
import java.util.stream.Collectors;
import java.util.stream.Stream;

/**
* Bridges SSLConfiguration into the {@link Settings} framework, using {@link Setting} objects.
Expand Down Expand Up @@ -221,4 +223,10 @@ public static Collection<Setting<?>> getProfileSettings() {
CLIENT_AUTH_SETTING_PROFILES, VERIFICATION_MODE_SETTING_PROFILES);
}

public List<Setting<SecureString>> getSecureSettingsInUse(Settings settings) {
return Stream.of(this.truststorePassword, this.x509KeyPair.keystorePassword,
this.x509KeyPair.keystoreKeyPassword, this.x509KeyPair.keyPassword)
.filter(s -> s.exists(settings))
.collect(Collectors.toList());
}
}

Large diffs are not rendered by default.

Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/

package org.elasticsearch.xpack.core.security.transport.netty4;

import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.env.Environment;
import org.elasticsearch.env.TestEnvironment;
import org.elasticsearch.test.ESTestCase;
import org.elasticsearch.xpack.core.ssl.SSLConfiguration;
import org.elasticsearch.xpack.core.ssl.SSLService;
import org.elasticsearch.xpack.core.ssl.VerificationMode;
import org.hamcrest.Matchers;

import java.util.Map;

import static org.elasticsearch.xpack.core.security.transport.netty4.SecurityNetty4Transport.getTransportProfileConfigurations;

public class SecurityNetty4TransportTests extends ESTestCase {

public void testGetTransportProfileConfigurations() {
final Settings settings = Settings.builder()
.put("path.home", createTempDir())
.put("xpack.security.transport.ssl.verification_mode", VerificationMode.CERTIFICATE.name())
.put("transport.profiles.full.xpack.security.ssl.verification_mode", VerificationMode.FULL.name())
.put("transport.profiles.cert.xpack.security.ssl.verification_mode", VerificationMode.CERTIFICATE.name())
.put("transport.profiles.none.xpack.security.ssl.verification_mode", VerificationMode.NONE.name())
.build();
final Environment env = TestEnvironment.newEnvironment(settings);
SSLService sslService = new SSLService(settings, env);
final SSLConfiguration defaultConfig = sslService.getSSLConfiguration("xpack.security.transport.ssl");
final Map<String, SSLConfiguration> profileConfigurations = getTransportProfileConfigurations(settings, sslService, defaultConfig);
assertThat(profileConfigurations.size(), Matchers.equalTo(4));
assertThat(profileConfigurations.keySet(), Matchers.containsInAnyOrder("full", "cert", "none", "default"));
assertThat(profileConfigurations.get("full").verificationMode(), Matchers.equalTo(VerificationMode.FULL));
assertThat(profileConfigurations.get("cert").verificationMode(), Matchers.equalTo(VerificationMode.CERTIFICATE));
assertThat(profileConfigurations.get("none").verificationMode(), Matchers.equalTo(VerificationMode.NONE));
assertThat(profileConfigurations.get("default"), Matchers.sameInstance(defaultConfig));
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -303,7 +303,7 @@ public void testReloadingKeyStoreException() throws Exception {
.build();
Environment env = randomBoolean() ? null : TestEnvironment.newEnvironment(settings);
final SSLService sslService = new SSLService(settings, env);
final SSLConfiguration config = sslService.sslConfiguration(Settings.EMPTY);
final SSLConfiguration config = sslService.getSSLConfiguration("xpack.ssl");
new SSLConfigurationReloader(settings, env, sslService, resourceWatcherService) {
@Override
void reloadSSLContext(SSLConfiguration configuration) {
Expand Down Expand Up @@ -344,7 +344,7 @@ public void testReloadingPEMKeyConfigException() throws Exception {
.build();
Environment env = randomBoolean() ? null : TestEnvironment.newEnvironment(settings);
final SSLService sslService = new SSLService(settings, env);
final SSLConfiguration config = sslService.sslConfiguration(Settings.EMPTY);
final SSLConfiguration config = sslService.getSSLConfiguration("xpack.ssl");
new SSLConfigurationReloader(settings, env, sslService, resourceWatcherService) {
@Override
void reloadSSLContext(SSLConfiguration configuration) {
Expand Down Expand Up @@ -379,7 +379,7 @@ public void testTrustStoreReloadException() throws Exception {
.build();
Environment env = randomBoolean() ? null : TestEnvironment.newEnvironment(settings);
final SSLService sslService = new SSLService(settings, env);
final SSLConfiguration config = sslService.sslConfiguration(Settings.EMPTY);
final SSLConfiguration config = sslService.getSSLConfiguration("xpack.ssl");
new SSLConfigurationReloader(settings, env, sslService, resourceWatcherService) {
@Override
void reloadSSLContext(SSLConfiguration configuration) {
Expand Down Expand Up @@ -411,7 +411,7 @@ public void testPEMTrustReloadException() throws Exception {
.build();
Environment env = randomBoolean() ? null : TestEnvironment.newEnvironment(settings);
final SSLService sslService = new SSLService(settings, env);
final SSLConfiguration config = sslService.sslConfiguration(Settings.EMPTY);
final SSLConfiguration config = sslService.getSSLConfiguration("xpack.ssl");
new SSLConfigurationReloader(settings, env, sslService, resourceWatcherService) {
@Override
void reloadSSLContext(SSLConfiguration configuration) {
Expand Down Expand Up @@ -440,7 +440,7 @@ private void validateSSLConfigurationIsReloaded(Settings settings, Environment e

final CountDownLatch reloadLatch = new CountDownLatch(1);
final SSLService sslService = new SSLService(settings, env);
final SSLConfiguration config = sslService.sslConfiguration(Settings.EMPTY);
final SSLConfiguration config = sslService.getSSLConfiguration("xpack.ssl");
new SSLConfigurationReloader(settings, env, sslService, resourceWatcherService) {
@Override
void reloadSSLContext(SSLConfiguration configuration) {
Expand Down
Loading