Access SSL contexts using names instead of Settings

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/transport/netty4/SecurityNetty4Transport.java

@@ -28,12 +28,12 @@
 import org.elasticsearch.xpack.core.ssl.SSLService;
 
 import javax.net.ssl.SSLEngine;
-
 import java.net.InetSocketAddress;
 import java.net.SocketAddress;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.Set;
 
 import static org.elasticsearch.xpack.core.security.SecurityField.setting;
 
@@ -58,29 +58,31 @@ public SecurityNetty4Transport(
         super(settings, threadPool, networkService, bigArrays, namedWriteableRegistry, circuitBreakerService);
         this.sslService = sslService;
         this.sslEnabled = XPackSettings.TRANSPORT_SSL_ENABLED.get(settings);
-        final Settings transportSSLSettings = settings.getByPrefix(setting("transport.ssl."));
         if (sslEnabled) {
-            this.sslConfiguration = sslService.sslConfiguration(transportSSLSettings, Settings.EMPTY);
-            Map<String, Settings> profileSettingsMap = settings.getGroups("transport.profiles.", true);
-            Map<String, SSLConfiguration> profileConfiguration = new HashMap<>(profileSettingsMap.size() + 1);
-            for (Map.Entry<String, Settings> entry : profileSettingsMap.entrySet()) {
-                Settings profileSettings = entry.getValue();
-                final Settings profileSslSettings = profileSslSettings(profileSettings);
-                SSLConfiguration configuration =  sslService.sslConfiguration(profileSslSettings, transportSSLSettings);
-                profileConfiguration.put(entry.getKey(), configuration);
-            }
-
-            if (profileConfiguration.containsKey(TcpTransport.DEFAULT_PROFILE) == false) {
-                profileConfiguration.put(TcpTransport.DEFAULT_PROFILE, sslConfiguration);
-            }
-
+            this.sslConfiguration = sslService.getSSLConfiguration(setting("transport.ssl."));
+            Map<String, SSLConfiguration> profileConfiguration = getTransportProfileConfigurations(settings, sslService, sslConfiguration);
             this.profileConfiguration = Collections.unmodifiableMap(profileConfiguration);
         } else {
             this.profileConfiguration = Collections.emptyMap();
             this.sslConfiguration = null;
         }
     }
 
+    public static Map<String, SSLConfiguration> getTransportProfileConfigurations(Settings settings, SSLService sslService,
+                                                                                  SSLConfiguration defaultConfiguration) {
+        Set<String> profileNames = settings.getGroups("transport.profiles.", true).keySet();
+        Map<String, SSLConfiguration> profileConfiguration = new HashMap<>(profileNames.size() + 1);
+        for (String profileName : profileNames) {
+            SSLConfiguration configuration = sslService.getSSLConfiguration("transport.profiles." + profileName + "." + setting("ssl"));
+            profileConfiguration.put(profileName, configuration);
+        }
+
+        if (profileConfiguration.containsKey(TcpTransport.DEFAULT_PROFILE) == false) {
+            profileConfiguration.put(TcpTransport.DEFAULT_PROFILE, defaultConfiguration);
+        }
+        return profileConfiguration;
+    }
+
     @Override
     protected void doStart() {
         super.doStart();
@@ -209,8 +211,4 @@ public void connect(ChannelHandlerContext ctx, SocketAddress remoteAddress,
             super.connect(ctx, remoteAddress, localAddress, promise);
         }
     }
-
-    public static Settings profileSslSettings(Settings profileSettings) {
-        return profileSettings.getByPrefix(setting("ssl."));
-    }
 }

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationSettings.java

@@ -22,6 +22,8 @@
 import java.util.Locale;
 import java.util.Optional;
 import java.util.function.Function;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
 
 /**
  * Bridges SSLConfiguration into the {@link Settings} framework, using {@link Setting} objects.
@@ -221,4 +223,10 @@ public static Collection<Setting<?>> getProfileSettings() {
                 CLIENT_AUTH_SETTING_PROFILES, VERIFICATION_MODE_SETTING_PROFILES);
     }
 
+    public List<Setting<SecureString>> getSecureSettingsInUse(Settings settings) {
+        return Stream.of(this.truststorePassword, this.x509KeyPair.keystorePassword,
+            this.x509KeyPair.keystoreKeyPassword, this.x509KeyPair.keyPassword)
+            .filter(s -> s.exists(settings))
+            .collect(Collectors.toList());
+    }
 }

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/transport/netty4/SecurityNetty4TransportTests.java

@@ -0,0 +1,43 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+package org.elasticsearch.xpack.core.security.transport.netty4;
+
+import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.env.Environment;
+import org.elasticsearch.env.TestEnvironment;
+import org.elasticsearch.test.ESTestCase;
+import org.elasticsearch.xpack.core.ssl.SSLConfiguration;
+import org.elasticsearch.xpack.core.ssl.SSLService;
+import org.elasticsearch.xpack.core.ssl.VerificationMode;
+import org.hamcrest.Matchers;
+
+import java.util.Map;
+
+import static org.elasticsearch.xpack.core.security.transport.netty4.SecurityNetty4Transport.getTransportProfileConfigurations;
+
+public class SecurityNetty4TransportTests extends ESTestCase {
+
+    public void testGetTransportProfileConfigurations() {
+        final Settings settings = Settings.builder()
+            .put("path.home", createTempDir())
+            .put("xpack.security.transport.ssl.verification_mode", VerificationMode.CERTIFICATE.name())
+            .put("transport.profiles.full.xpack.security.ssl.verification_mode", VerificationMode.FULL.name())
+            .put("transport.profiles.cert.xpack.security.ssl.verification_mode", VerificationMode.CERTIFICATE.name())
+            .put("transport.profiles.none.xpack.security.ssl.verification_mode", VerificationMode.NONE.name())
+            .build();
+        final Environment env = TestEnvironment.newEnvironment(settings);
+        SSLService sslService = new SSLService(settings, env);
+        final SSLConfiguration defaultConfig = sslService.getSSLConfiguration("xpack.security.transport.ssl");
+        final Map<String, SSLConfiguration> profileConfigurations = getTransportProfileConfigurations(settings, sslService, defaultConfig);
+        assertThat(profileConfigurations.size(), Matchers.equalTo(4));
+        assertThat(profileConfigurations.keySet(), Matchers.containsInAnyOrder("full", "cert", "none", "default"));
+        assertThat(profileConfigurations.get("full").verificationMode(), Matchers.equalTo(VerificationMode.FULL));
+        assertThat(profileConfigurations.get("cert").verificationMode(), Matchers.equalTo(VerificationMode.CERTIFICATE));
+        assertThat(profileConfigurations.get("none").verificationMode(), Matchers.equalTo(VerificationMode.NONE));
+        assertThat(profileConfigurations.get("default"), Matchers.sameInstance(defaultConfig));
+    }
+}

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationReloaderTests.java

@@ -303,7 +303,7 @@ public void testReloadingKeyStoreException() throws Exception {
                 .build();
         Environment env = randomBoolean() ? null : TestEnvironment.newEnvironment(settings);
         final SSLService sslService = new SSLService(settings, env);
-        final SSLConfiguration config = sslService.sslConfiguration(Settings.EMPTY);
+        final SSLConfiguration config = sslService.getSSLConfiguration("xpack.ssl");
         new SSLConfigurationReloader(settings, env, sslService, resourceWatcherService) {
             @Override
             void reloadSSLContext(SSLConfiguration configuration) {
@@ -344,7 +344,7 @@ public void testReloadingPEMKeyConfigException() throws Exception {
                 .build();
         Environment env = randomBoolean() ? null : TestEnvironment.newEnvironment(settings);
         final SSLService sslService = new SSLService(settings, env);
-        final SSLConfiguration config = sslService.sslConfiguration(Settings.EMPTY);
+        final SSLConfiguration config = sslService.getSSLConfiguration("xpack.ssl");
         new SSLConfigurationReloader(settings, env, sslService, resourceWatcherService) {
             @Override
             void reloadSSLContext(SSLConfiguration configuration) {
@@ -379,7 +379,7 @@ public void testTrustStoreReloadException() throws Exception {
                 .build();
         Environment env = randomBoolean() ? null : TestEnvironment.newEnvironment(settings);
         final SSLService sslService = new SSLService(settings, env);
-        final SSLConfiguration config = sslService.sslConfiguration(Settings.EMPTY);
+        final SSLConfiguration config = sslService.getSSLConfiguration("xpack.ssl");
         new SSLConfigurationReloader(settings, env, sslService, resourceWatcherService) {
             @Override
             void reloadSSLContext(SSLConfiguration configuration) {
@@ -411,7 +411,7 @@ public void testPEMTrustReloadException() throws Exception {
             .build();
         Environment env = randomBoolean() ? null : TestEnvironment.newEnvironment(settings);
         final SSLService sslService = new SSLService(settings, env);
-        final SSLConfiguration config = sslService.sslConfiguration(Settings.EMPTY);
+        final SSLConfiguration config = sslService.getSSLConfiguration("xpack.ssl");
         new SSLConfigurationReloader(settings, env, sslService, resourceWatcherService) {
             @Override
             void reloadSSLContext(SSLConfiguration configuration) {
@@ -440,7 +440,7 @@ private void validateSSLConfigurationIsReloaded(Settings settings, Environment e
 
         final CountDownLatch reloadLatch = new CountDownLatch(1);
         final SSLService sslService = new SSLService(settings, env);
-        final SSLConfiguration config = sslService.sslConfiguration(Settings.EMPTY);
+        final SSLConfiguration config = sslService.getSSLConfiguration("xpack.ssl");
         new SSLConfigurationReloader(settings, env, sslService, resourceWatcherService) {
             @Override
             void reloadSSLContext(SSLConfiguration configuration) {