Use CertType enum instead of ssl config prefix

Signed-off-by: Andrey Pleskach <[email protected]>
willyborankin · Sep 10, 2024 · 32abc34 · 32abc34
1 parent 8d93ac9
commit 32abc34
Show file tree

Hide file tree

Showing 8 changed files with 134 additions and 116 deletions.
diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/SecuritySSLCertsApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/SecuritySSLCertsApiAction.java
@@ -32,6 +32,7 @@
 import org.opensearch.security.securityconf.impl.CType;
 import org.opensearch.security.ssl.SslContextHandler;
 import org.opensearch.security.ssl.SslSettingsManager;
+import org.opensearch.security.ssl.config.CertType;
 import org.opensearch.security.ssl.config.Certificate;
 import org.opensearch.security.support.ConfigConstants;
 import org.opensearch.threadpool.ThreadPool;
@@ -43,9 +44,6 @@
 import static org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.CERTS_INFO_ACTION;
 import static org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.RELOAD_CERTS_ACTION;
 import static org.opensearch.security.dlic.rest.support.Utils.addRoutesPrefix;
-import static org.opensearch.security.ssl.util.SSLConfigConstants.SSL_HTTP_PREFIX;
-import static org.opensearch.security.ssl.util.SSLConfigConstants.SSL_TRANSPORT_CLIENT_PREFIX;
-import static org.opensearch.security.ssl.util.SSLConfigConstants.SSL_TRANSPORT_PREFIX;
 
 /**
  * Rest API action to get SSL certificate information related to http and transport encryption.
@@ -152,13 +150,13 @@ protected void loadCertificates(final RestChannel channel) throws IOException {
                 .field(
                     "http_certificates_list",
                     generateCertDetailList(
-                        sslSettingsManager.sslContextHandler(SSL_HTTP_PREFIX).map(SslContextHandler::keyMaterialCertificates).orElse(null)
+                        sslSettingsManager.sslContextHandler(CertType.HTTP).map(SslContextHandler::keyMaterialCertificates).orElse(null)
                     )
                 )
                 .field(
                     "transport_certificates_list",
                     generateCertDetailList(
-                        sslSettingsManager.sslContextHandler(SSL_TRANSPORT_PREFIX)
+                        sslSettingsManager.sslContextHandler(CertType.TRANSPORT)
                             .map(SslContextHandler::keyMaterialCertificates)
                             .orElse(null)
                     )
@@ -192,16 +190,16 @@ protected void reloadCertificates(final RestChannel channel, final RestRequest r
         try {
             switch (certType) {
                 case "http":
-                    if (sslSettingsManager.sslConfiguration(SSL_HTTP_PREFIX).isPresent()) {
-                        sslSettingsManager.reloadSslContext(SSL_HTTP_PREFIX);
+                    if (sslSettingsManager.sslConfiguration(CertType.HTTP).isPresent()) {
+                        sslSettingsManager.reloadSslContext(CertType.HTTP);
                         ok(channel, (builder, params) -> builder.startObject().field("message", "updated http certs").endObject());
                     } else {
                         badRequest(channel, "SSL for HTTP is disabled");
                     }
                     break;
                 case "transport":
-                    sslSettingsManager.reloadSslContext(SSL_TRANSPORT_PREFIX);
-                    sslSettingsManager.reloadSslContext(SSL_TRANSPORT_CLIENT_PREFIX);
+                    sslSettingsManager.reloadSslContext(CertType.TRANSPORT);
+                    sslSettingsManager.reloadSslContext(CertType.TRANSPORT_CLIENT);
                     ok(channel, (builder, params) -> builder.startObject().field("message", "updated transport certs").endObject());
                     break;
                 default:

diff --git a/.../java/org/opensearch/security/dlic/rest/api/ssl/TransportCertificatesInfoNodesAction.java b/.../java/org/opensearch/security/dlic/rest/api/ssl/TransportCertificatesInfoNodesAction.java
@@ -26,14 +26,12 @@
 import org.opensearch.core.common.io.stream.StreamOutput;
 import org.opensearch.security.ssl.SslContextHandler;
 import org.opensearch.security.ssl.SslSettingsManager;
+import org.opensearch.security.ssl.config.CertType;
 import org.opensearch.security.ssl.config.Certificate;
 import org.opensearch.threadpool.ThreadPool;
 import org.opensearch.transport.TransportRequest;
 import org.opensearch.transport.TransportService;
 
-import static org.opensearch.security.ssl.util.SSLConfigConstants.SSL_HTTP_PREFIX;
-import static org.opensearch.security.ssl.util.SSLConfigConstants.SSL_TRANSPORT_PREFIX;
-
 public class TransportCertificatesInfoNodesAction extends TransportNodesAction<
     CertificatesInfoNodesRequest,
     CertificatesNodesResponse,
@@ -101,13 +99,13 @@ protected CertificatesInfo loadCertificates(final CertificateType certificateTyp
         var httpCertificates = List.<CertificateInfo>of();
         var transportsCertificates = List.<CertificateInfo>of();
         if (CertificateType.isHttp(certificateType)) {
-            httpCertificates = sslSettingsManager.sslContextHandler(SSL_HTTP_PREFIX)
+            httpCertificates = sslSettingsManager.sslContextHandler(CertType.HTTP)
                 .map(SslContextHandler::keyMaterialCertificates)
                 .map(this::certificatesDetails)
                 .orElse(List.of());
         }
         if (CertificateType.isTransport(certificateType)) {
-            transportsCertificates = sslSettingsManager.sslContextHandler(SSL_TRANSPORT_PREFIX)
+            transportsCertificates = sslSettingsManager.sslContextHandler(CertType.TRANSPORT)
                 .map(SslContextHandler::keyMaterialCertificates)
                 .map(this::certificatesDetails)
                 .orElse(List.of());

diff --git a/src/main/java/org/opensearch/security/ssl/OpenSearchSecureSettingsFactory.java b/src/main/java/org/opensearch/security/ssl/OpenSearchSecureSettingsFactory.java
@@ -25,6 +25,7 @@
 import org.opensearch.plugins.SecureTransportSettingsProvider;
 import org.opensearch.plugins.TransportExceptionHandler;
 import org.opensearch.security.filter.SecurityRestFilter;
+import org.opensearch.security.ssl.config.CertType;
 import org.opensearch.security.ssl.http.netty.Netty4ConditionalDecompressor;
 import org.opensearch.security.ssl.http.netty.Netty4HttpRequestHeaderVerifier;
 import org.opensearch.threadpool.ThreadPool;
@@ -33,10 +34,6 @@
 
 import io.netty.channel.ChannelInboundHandlerAdapter;
 
-import static org.opensearch.security.ssl.util.SSLConfigConstants.SSL_HTTP_PREFIX;
-import static org.opensearch.security.ssl.util.SSLConfigConstants.SSL_TRANSPORT_CLIENT_PREFIX;
-import static org.opensearch.security.ssl.util.SSLConfigConstants.SSL_TRANSPORT_PREFIX;
-
 public class OpenSearchSecureSettingsFactory implements SecureSettingsFactory {
     private final ThreadPool threadPool;
     private final SslSettingsManager sslSettingsManager;
@@ -70,12 +67,12 @@ public void onError(Throwable t) {
 
             @Override
             public Optional<SSLEngine> buildSecureServerTransportEngine(Settings settings, Transport transport) throws SSLException {
-                return sslSettingsManager.sslContextHandler(SSL_TRANSPORT_PREFIX).map(SslContextHandler::createSSLEngine);
+                return sslSettingsManager.sslContextHandler(CertType.TRANSPORT).map(SslContextHandler::createSSLEngine);
             }
 
             @Override
             public Optional<SSLEngine> buildSecureClientTransportEngine(Settings settings, String hostname, int port) throws SSLException {
-                return sslSettingsManager.sslContextHandler(SSL_TRANSPORT_CLIENT_PREFIX).map(c -> c.createSSLEngine(hostname, port));
+                return sslSettingsManager.sslContextHandler(CertType.TRANSPORT_CLIENT).map(c -> c.createSSLEngine(hostname, port));
             }
         });
     }
@@ -132,7 +129,7 @@ public void onError(Throwable t) {
 
             @Override
             public Optional<SSLEngine> buildSecureHttpServerEngine(Settings settings, HttpServerTransport transport) throws SSLException {
-                return sslSettingsManager.sslContextHandler(SSL_HTTP_PREFIX).map(SslContextHandler::createSSLEngine);
+                return sslSettingsManager.sslContextHandler(CertType.HTTP).map(SslContextHandler::createSSLEngine);
             }
         });
     }

diff --git a/src/main/java/org/opensearch/security/ssl/SslSettingsManager.java b/src/main/java/org/opensearch/security/ssl/SslSettingsManager.java
@@ -25,6 +25,7 @@
 import org.opensearch.OpenSearchException;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.env.Environment;
+import org.opensearch.security.ssl.config.CertType;
 import org.opensearch.security.ssl.config.SslCertificatesLoader;
 import org.opensearch.security.ssl.config.SslParameters;
 
@@ -64,10 +65,7 @@
 import static org.opensearch.security.ssl.util.SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_FILEPATH;
 import static org.opensearch.security.ssl.util.SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMTRUSTEDCAS_FILEPATH;
 import static org.opensearch.security.ssl.util.SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_TRUSTSTORE_ALIAS;
-import static org.opensearch.security.ssl.util.SSLConfigConstants.SSL_HTTP_PREFIX;
 import static org.opensearch.security.ssl.util.SSLConfigConstants.SSL_TRANSPORT_CLIENT_EXTENDED_PREFIX;
-import static org.opensearch.security.ssl.util.SSLConfigConstants.SSL_TRANSPORT_CLIENT_PREFIX;
-import static org.opensearch.security.ssl.util.SSLConfigConstants.SSL_TRANSPORT_PREFIX;
 import static org.opensearch.security.ssl.util.SSLConfigConstants.SSL_TRANSPORT_SERVER_EXTENDED_PREFIX;
 import static org.opensearch.security.ssl.util.SSLConfigConstants.TRUSTSTORE_ALIAS;
 import static org.opensearch.security.ssl.util.SSLConfigConstants.TRUSTSTORE_FILEPATH;
@@ -76,53 +74,53 @@ public class SslSettingsManager {
 
     private final static Logger LOGGER = LogManager.getLogger(SslSettingsManager.class);
 
-    private final Map<String, SslContextHandler> sslSettingsContexts;
+    private final Map<CertType, SslContextHandler> sslSettingsContexts;
 
     public SslSettingsManager(final Environment environment) {
         this.sslSettingsContexts = buildSslContexts(environment);
     }
 
-    public Optional<SslConfiguration> sslConfiguration(final String sslConfigPrefix) {
-        return Optional.ofNullable(sslSettingsContexts.get(sslConfigPrefix)).map(SslContextHandler::sslConfiguration);
+    public Optional<SslConfiguration> sslConfiguration(final CertType certType) {
+        return Optional.ofNullable(sslSettingsContexts.get(certType)).map(SslContextHandler::sslConfiguration);
     }
 
-    public Optional<SslContextHandler> sslContextHandler(final String sslConfigPrefix) {
+    public Optional<SslContextHandler> sslContextHandler(final CertType sslConfigPrefix) {
         return Optional.ofNullable(sslSettingsContexts.get(sslConfigPrefix));
     }
 
-    private Map<String, SslContextHandler> buildSslContexts(final Environment environment) {
-        final var contexts = new ImmutableMap.Builder<String, SslContextHandler>();
+    private Map<CertType, SslContextHandler> buildSslContexts(final Environment environment) {
+        final var contexts = new ImmutableMap.Builder<CertType, SslContextHandler>();
         final var configurations = loadConfigurations(environment);
-        Optional.ofNullable(configurations.get(SSL_HTTP_PREFIX))
+        Optional.ofNullable(configurations.get(CertType.HTTP))
             .ifPresentOrElse(
-                sslConfiguration -> contexts.put(SSL_HTTP_PREFIX, new SslContextHandler(sslConfiguration)),
+                sslConfiguration -> contexts.put(CertType.HTTP, new SslContextHandler(sslConfiguration)),
                 () -> LOGGER.warn("SSL Configuration for HTTP Layer hasn't been set")
             );
-        Optional.ofNullable(configurations.get(SSL_TRANSPORT_PREFIX)).ifPresentOrElse(sslConfiguration -> {
-            contexts.put(SSL_TRANSPORT_PREFIX, new SslContextHandler(sslConfiguration));
-            final var transportClientConfiguration = Optional.ofNullable(configurations.get(SSL_TRANSPORT_CLIENT_PREFIX))
+        Optional.ofNullable(configurations.get(CertType.TRANSPORT)).ifPresentOrElse(sslConfiguration -> {
+            contexts.put(CertType.TRANSPORT, new SslContextHandler(sslConfiguration));
+            final var transportClientConfiguration = Optional.ofNullable(configurations.get(CertType.TRANSPORT_CLIENT))
                 .orElse(sslConfiguration);
-            contexts.put(SSL_TRANSPORT_CLIENT_PREFIX, new SslContextHandler(transportClientConfiguration, true));
+            contexts.put(CertType.TRANSPORT_CLIENT, new SslContextHandler(transportClientConfiguration, true));
         }, () -> LOGGER.warn("SSL Configuration for Transport Layer hasn't been set"));
         return contexts.build();
     }
 
-    public synchronized void reloadSslContext(final String sslConfigPrefix) {
-        sslContextHandler(sslConfigPrefix).ifPresentOrElse(sscContextHandler -> {
-            LOGGER.info("Reloading {} SSL context", sslConfigPrefix);
+    public synchronized void reloadSslContext(final CertType certType) {
+        sslContextHandler(certType).ifPresentOrElse(sscContextHandler -> {
+            LOGGER.info("Reloading {} SSL context", certType.name());
             try {
                 sscContextHandler.reloadSslContext();
             } catch (CertificateException e) {
                 throw new OpenSearchException(e);
             }
-            LOGGER.info("{} SSL context reloaded", sslConfigPrefix);
-        }, () -> LOGGER.error("Missing SSL Context for {}", sslConfigPrefix));
+            LOGGER.info("{} SSL context reloaded", certType.name());
+        }, () -> LOGGER.error("Missing SSL Context for {}", certType.name()));
     }
 
-    private Map<String, SslConfiguration> loadConfigurations(final Environment environment) {
+    private Map<CertType, SslConfiguration> loadConfigurations(final Environment environment) {
         final var settings = environment.settings();
-        final var httpSettings = settings.getByPrefix(SSL_HTTP_PREFIX);
-        final var transpotSettings = settings.getByPrefix(SSL_TRANSPORT_PREFIX);
+        final var httpSettings = settings.getByPrefix(CertType.HTTP.sslConfigPrefix());
+        final var transpotSettings = settings.getByPrefix(CertType.TRANSPORT.sslConfigPrefix());
         if (httpSettings.isEmpty() && transpotSettings.isEmpty()) {
             throw new OpenSearchException("No SSL configuration found");
         }
@@ -132,13 +130,13 @@ private Map<String, SslConfiguration> loadConfigurations(final Environment envir
         final var httpEnabled = httpSettings.getAsBoolean(ENABLED, SECURITY_SSL_HTTP_ENABLED_DEFAULT);
         final var transportEnabled = transpotSettings.getAsBoolean(ENABLED, SECURITY_SSL_TRANSPORT_ENABLED_DEFAULT);
 
-        final var configurationBuilder = ImmutableMap.<String, SslConfiguration>builder();
+        final var configurationBuilder = ImmutableMap.<CertType, SslConfiguration>builder();
         if (httpEnabled && !clientNode(settings)) {
             validateHttpSettings(httpSettings);
             final var httpSslParameters = SslParameters.loader(httpSettings).load(true);
-            final var httpTrustAndKeyStore = new SslCertificatesLoader(SSL_HTTP_PREFIX).loadConfiguration(environment);
+            final var httpTrustAndKeyStore = new SslCertificatesLoader(CertType.HTTP.sslConfigPrefix()).loadConfiguration(environment);
             configurationBuilder.put(
-                SSL_HTTP_PREFIX,
+                CertType.HTTP,
                 new SslConfiguration(httpSslParameters, httpTrustAndKeyStore.v1(), httpTrustAndKeyStore.v2())
             );
             LOGGER.info("TLS HTTP Provider                    : {}", httpSslParameters.provider());
@@ -149,26 +147,28 @@ private Map<String, SslConfiguration> loadConfigurations(final Environment envir
             if (hasExtendedKeyUsageEnabled(transpotSettings)) {
                 validateTransportSettings(transpotSettings);
                 final var transportServerTrustAndKeyStore = new SslCertificatesLoader(
-                    SSL_TRANSPORT_PREFIX,
+                    CertType.TRANSPORT.sslConfigPrefix(),
                     SSL_TRANSPORT_SERVER_EXTENDED_PREFIX
                 ).loadConfiguration(environment);
                 configurationBuilder.put(
-                    SSL_TRANSPORT_PREFIX,
+                    CertType.TRANSPORT,
                     new SslConfiguration(transportSslParameters, transportServerTrustAndKeyStore.v1(), transportServerTrustAndKeyStore.v2())
                 );
                 final var transportClientTrustAndKeyStore = new SslCertificatesLoader(
-                    SSL_TRANSPORT_PREFIX,
+                    CertType.TRANSPORT.sslConfigPrefix(),
                     SSL_TRANSPORT_CLIENT_EXTENDED_PREFIX
                 ).loadConfiguration(environment);
                 configurationBuilder.put(
-                    SSL_TRANSPORT_CLIENT_PREFIX,
+                    CertType.TRANSPORT_CLIENT,
                     new SslConfiguration(transportSslParameters, transportClientTrustAndKeyStore.v1(), transportClientTrustAndKeyStore.v2())
                 );
             } else {
                 validateTransportSettings(transpotSettings);
-                final var transportTrustAndKeyStore = new SslCertificatesLoader(SSL_TRANSPORT_PREFIX).loadConfiguration(environment);
+                final var transportTrustAndKeyStore = new SslCertificatesLoader(CertType.TRANSPORT.sslConfigPrefix()).loadConfiguration(
+                    environment
+                );
                 configurationBuilder.put(
-                    SSL_TRANSPORT_PREFIX,
+                    CertType.TRANSPORT,
                     new SslConfiguration(transportSslParameters, transportTrustAndKeyStore.v1(), transportTrustAndKeyStore.v2())
                 );
             }
@@ -352,9 +352,7 @@ void openSslWarnings(final Settings settings) {
                         + "'opensearch.unsafe.use_netty_default_allocator' system property to true"
                 );
             } else {
-                LOGGER.warn(
-                    "Support for OpenSSL with Java 12+ has been removed from Open Distro Security since Elasticsearch 7.4.0. Using JDK SSL instead."
-                );
+                LOGGER.warn("Support for OpenSSL with Java 12+ has been removed from OpenSearch Security. Using JDK SSL instead.");
             }
         }
         if (OpenSearchSecuritySSLPlugin.OPENSSL_SUPPORTED && OpenSsl.isAvailable()) {

diff --git a/src/main/java/org/opensearch/security/ssl/config/CertType.java b/src/main/java/org/opensearch/security/ssl/config/CertType.java
@@ -0,0 +1,33 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+package org.opensearch.security.ssl.config;
+
+import static org.opensearch.security.ssl.util.SSLConfigConstants.SSL_HTTP_PREFIX;
+import static org.opensearch.security.ssl.util.SSLConfigConstants.SSL_TRANSPORT_CLIENT_PREFIX;
+import static org.opensearch.security.ssl.util.SSLConfigConstants.SSL_TRANSPORT_PREFIX;
+
+public enum CertType {
+    HTTP(SSL_HTTP_PREFIX),
+    TRANSPORT(SSL_TRANSPORT_PREFIX),
+    TRANSPORT_CLIENT(SSL_TRANSPORT_CLIENT_PREFIX);
+
+    private final String sslConfigPrefix;
+
+    private CertType(String sslConfigPrefix) {
+        this.sslConfigPrefix = sslConfigPrefix;
+    }
+
+    public String sslConfigPrefix() {
+        return sslConfigPrefix;
+    }
+
+}