Switch to built-in security transports from core (opensearch-project#…

…4119) ### Description The security plugin does not need to provide the secure transports anymore but SecureSettingsFactory so the core transport modules will be able to configure those. ### Issues Resolved Closes opensearch-project#4118 Is this a backport? If so, please add backport PR # and/or commits # ### Testing [Please provide details of testing done: unit testing, integration testing and manual testing] ### Check List - [ ] New functionality includes testing - [ ] New functionality has been documented - [ ] Commits are signed per the DCO using --signoff By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check [here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin). --------- Signed-off-by: Andriy Redko <[email protected]>
reta · Mar 26, 2024 · e2a06f0 · e2a06f0
1 parent a731e62
commit e2a06f0
Show file tree

Hide file tree

Showing 14 changed files with 487 additions and 957 deletions.
diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
@@ -46,6 +46,7 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Objects;
+import java.util.Optional;
 import java.util.Set;
 import java.util.concurrent.atomic.AtomicReference;
 import java.util.function.BiFunction;
@@ -114,6 +115,8 @@
 import org.opensearch.plugins.ExtensionAwarePlugin;
 import org.opensearch.plugins.IdentityPlugin;
 import org.opensearch.plugins.MapperPlugin;
+import org.opensearch.plugins.SecureSettingsFactory;
+import org.opensearch.plugins.SecureTransportSettingsProvider;
 import org.opensearch.repositories.RepositoriesService;
 import org.opensearch.rest.RestController;
 import org.opensearch.rest.RestHandler;
@@ -150,8 +153,8 @@
 import org.opensearch.security.dlic.rest.validation.PasswordValidator;
 import org.opensearch.security.filter.SecurityFilter;
 import org.opensearch.security.filter.SecurityRestFilter;
-import org.opensearch.security.http.SecurityHttpServerTransport;
-import org.opensearch.security.http.SecurityNonSslHttpServerTransport;
+import org.opensearch.security.http.NonSslHttpServerTransport;
+import org.opensearch.security.http.SecureHttpServerTransport;
 import org.opensearch.security.http.XFFResolver;
 import org.opensearch.security.identity.SecurityTokenManager;
 import org.opensearch.security.privileges.PrivilegesEvaluator;
@@ -167,11 +170,11 @@
 import org.opensearch.security.securityconf.DynamicConfigFactory;
 import org.opensearch.security.setting.OpensearchDynamicSetting;
 import org.opensearch.security.setting.TransportPassiveAuthSetting;
+import org.opensearch.security.ssl.OpenSearchSecureSettingsFactory;
 import org.opensearch.security.ssl.OpenSearchSecuritySSLPlugin;
 import org.opensearch.security.ssl.SslExceptionHandler;
 import org.opensearch.security.ssl.http.netty.ValidatingDispatcher;
 import org.opensearch.security.ssl.transport.DefaultPrincipalExtractor;
-import org.opensearch.security.ssl.transport.SecuritySSLNettyTransport;
 import org.opensearch.security.ssl.util.SSLConfigConstants;
 import org.opensearch.security.support.ConfigConstants;
 import org.opensearch.security.support.GuardedSearchOperationWrapper;
@@ -199,6 +202,7 @@
 import org.opensearch.transport.TransportRequestOptions;
 import org.opensearch.transport.TransportResponseHandler;
 import org.opensearch.transport.TransportService;
+import org.opensearch.transport.netty4.ssl.SecureNetty4Transport;
 import org.opensearch.watcher.ResourceWatcherService;
 
 import static org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.ENDPOINTS_WITH_PERMISSIONS;
@@ -858,44 +862,44 @@ public <T extends TransportResponse> void sendRequest(
     }
 
     @Override
-    public Map<String, Supplier<Transport>> getTransports(
+    public Map<String, Supplier<Transport>> getSecureTransports(
         Settings settings,
         ThreadPool threadPool,
         PageCacheRecycler pageCacheRecycler,
         CircuitBreakerService circuitBreakerService,
         NamedWriteableRegistry namedWriteableRegistry,
         NetworkService networkService,
+        SecureTransportSettingsProvider secureTransportSettingsProvider,
         Tracer tracer
     ) {
         Map<String, Supplier<Transport>> transports = new HashMap<String, Supplier<Transport>>();
 
         if (SSLConfig.isSslOnlyMode()) {
-            return super.getTransports(
+            return super.getSecureTransports(
                 settings,
                 threadPool,
                 pageCacheRecycler,
                 circuitBreakerService,
                 namedWriteableRegistry,
                 networkService,
+                secureTransportSettingsProvider,
                 tracer
             );
         }
 
         if (transportSSLEnabled) {
             transports.put(
                 "org.opensearch.security.ssl.http.netty.SecuritySSLNettyTransport",
-                () -> new SecuritySSLNettyTransport(
-                    settings,
+                () -> new SecureNetty4Transport(
+                    migrateSettings(settings),
                     Version.CURRENT,
                     threadPool,
                     networkService,
                     pageCacheRecycler,
                     namedWriteableRegistry,
                     circuitBreakerService,
-                    sks,
-                    evaluateSslExceptionHandler(),
                     sharedGroupFactory,
-                    SSLConfig,
+                    secureTransportSettingsProvider,
                     tracer
                 )
             );
@@ -904,7 +908,7 @@ public Map<String, Supplier<Transport>> getTransports(
     }
 
     @Override
-    public Map<String, Supplier<HttpServerTransport>> getHttpTransports(
+    public Map<String, Supplier<HttpServerTransport>> getSecureHttpTransports(
         Settings settings,
         ThreadPool threadPool,
         BigArrays bigArrays,
@@ -914,11 +918,12 @@ public Map<String, Supplier<HttpServerTransport>> getHttpTransports(
         NetworkService networkService,
         Dispatcher dispatcher,
         ClusterSettings clusterSettings,
+        SecureTransportSettingsProvider secureTransportSettingsProvider,
         Tracer tracer
     ) {
 
         if (SSLConfig.isSslOnlyMode()) {
-            return super.getHttpTransports(
+            return super.getSecureHttpTransports(
                 settings,
                 threadPool,
                 bigArrays,
@@ -928,6 +933,7 @@ public Map<String, Supplier<HttpServerTransport>> getHttpTransports(
                 networkService,
                 dispatcher,
                 clusterSettings,
+                secureTransportSettingsProvider,
                 tracer
             );
         }
@@ -943,17 +949,16 @@ public Map<String, Supplier<HttpServerTransport>> getHttpTransports(
                     evaluateSslExceptionHandler()
                 );
                 // TODO close odshst
-                final SecurityHttpServerTransport odshst = new SecurityHttpServerTransport(
-                    settings,
+                final SecureHttpServerTransport odshst = new SecureHttpServerTransport(
+                    migrateSettings(settings),
                     networkService,
                     bigArrays,
                     threadPool,
-                    sks,
-                    evaluateSslExceptionHandler(),
                     xContentRegistry,
                     validatingDispatcher,
                     clusterSettings,
                     sharedGroupFactory,
+                    secureTransportSettingsProvider,
                     tracer,
                     securityRestHandler
                 );
@@ -962,15 +967,16 @@ public Map<String, Supplier<HttpServerTransport>> getHttpTransports(
             } else if (!client) {
                 return Collections.singletonMap(
                     "org.opensearch.security.http.SecurityHttpServerTransport",
-                    () -> new SecurityNonSslHttpServerTransport(
-                        settings,
+                    () -> new NonSslHttpServerTransport(
+                        migrateSettings(settings),
                         networkService,
                         bigArrays,
                         threadPool,
                         xContentRegistry,
                         dispatcher,
                         clusterSettings,
                         sharedGroupFactory,
+                        secureTransportSettingsProvider,
                         tracer,
                         securityRestHandler
                     )
@@ -2005,6 +2011,11 @@ public SecurityTokenManager getTokenManager() {
         return tokenManager;
     }
 
+    @Override
+    public Optional<SecureSettingsFactory> getSecureSettingFactory(Settings settings) {
+        return Optional.of(new OpenSearchSecureSettingsFactory(settings, sks, sslExceptionHandler));
+    }
+
     public static class GuiceHolder implements LifecycleComponent {
 
         private static RepositoriesService repositoriesService;

diff --git a/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java b/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java
@@ -69,10 +69,10 @@
 
 import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX;
 import static org.opensearch.security.OpenSearchSecurityPlugin.PLUGINS_PREFIX;
-import static org.opensearch.security.http.SecurityHttpServerTransport.CONTEXT_TO_RESTORE;
-import static org.opensearch.security.http.SecurityHttpServerTransport.EARLY_RESPONSE;
-import static org.opensearch.security.http.SecurityHttpServerTransport.IS_AUTHENTICATED;
-import static org.opensearch.security.http.SecurityHttpServerTransport.UNCONSUMED_PARAMS;
+import static org.opensearch.security.http.SecureHttpServerTransport.CONTEXT_TO_RESTORE;
+import static org.opensearch.security.http.SecureHttpServerTransport.EARLY_RESPONSE;
+import static org.opensearch.security.http.SecureHttpServerTransport.IS_AUTHENTICATED;
+import static org.opensearch.security.http.SecureHttpServerTransport.UNCONSUMED_PARAMS;
 
 public class SecurityRestFilter {
 

diff --git a/...tp/SecurityNonSslHttpServerTransport.java → ...urity/http/NonSslHttpServerTransport.java b/...tp/SecurityNonSslHttpServerTransport.java → ...urity/http/NonSslHttpServerTransport.java
@@ -33,6 +33,8 @@
 import org.opensearch.core.xcontent.NamedXContentRegistry;
 import org.opensearch.http.HttpHandlingSettings;
 import org.opensearch.http.netty4.Netty4HttpServerTransport;
+import org.opensearch.http.netty4.ssl.SecureNetty4HttpServerTransport;
+import org.opensearch.plugins.SecureTransportSettingsProvider;
 import org.opensearch.security.filter.SecurityRestFilter;
 import org.opensearch.security.ssl.http.netty.Netty4ConditionalDecompressor;
 import org.opensearch.security.ssl.http.netty.Netty4HttpRequestHeaderVerifier;
@@ -44,11 +46,11 @@
 import io.netty.channel.ChannelHandler;
 import io.netty.channel.ChannelInboundHandlerAdapter;
 
-public class SecurityNonSslHttpServerTransport extends Netty4HttpServerTransport {
+public class NonSslHttpServerTransport extends SecureNetty4HttpServerTransport {
 
     private final ChannelInboundHandlerAdapter headerVerifier;
 
-    public SecurityNonSslHttpServerTransport(
+    public NonSslHttpServerTransport(
         final Settings settings,
         final NetworkService networkService,
         final BigArrays bigArrays,
@@ -57,6 +59,7 @@ public SecurityNonSslHttpServerTransport(
         final Dispatcher dispatcher,
         final ClusterSettings clusterSettings,
         final SharedGroupFactory sharedGroupFactory,
+        final SecureTransportSettingsProvider secureTransportSettingsProvider,
         final Tracer tracer,
         final SecurityRestFilter restFilter
     ) {
@@ -69,6 +72,7 @@ public SecurityNonSslHttpServerTransport(
             dispatcher,
             clusterSettings,
             sharedGroupFactory,
+            secureTransportSettingsProvider,
             tracer
         );
         headerVerifier = new Netty4HttpRequestHeaderVerifier(restFilter, threadPool, settings);

diff --git a/...ity/http/SecurityHttpServerTransport.java → ...urity/http/SecureHttpServerTransport.java b/...ity/http/SecurityHttpServerTransport.java → ...urity/http/SecureHttpServerTransport.java
@@ -34,19 +34,21 @@
 import org.opensearch.common.util.BigArrays;
 import org.opensearch.common.util.concurrent.ThreadContext;
 import org.opensearch.core.xcontent.NamedXContentRegistry;
+import org.opensearch.http.netty4.ssl.SecureNetty4HttpServerTransport;
+import org.opensearch.plugins.SecureTransportSettingsProvider;
 import org.opensearch.security.filter.SecurityResponse;
 import org.opensearch.security.filter.SecurityRestFilter;
-import org.opensearch.security.ssl.SecurityKeyStore;
-import org.opensearch.security.ssl.SslExceptionHandler;
-import org.opensearch.security.ssl.http.netty.SecuritySSLNettyHttpServerTransport;
+import org.opensearch.security.ssl.http.netty.Netty4ConditionalDecompressor;
+import org.opensearch.security.ssl.http.netty.Netty4HttpRequestHeaderVerifier;
 import org.opensearch.security.ssl.http.netty.ValidatingDispatcher;
 import org.opensearch.telemetry.tracing.Tracer;
 import org.opensearch.threadpool.ThreadPool;
 import org.opensearch.transport.SharedGroupFactory;
 
+import io.netty.channel.ChannelInboundHandlerAdapter;
 import io.netty.util.AttributeKey;
 
-public class SecurityHttpServerTransport extends SecuritySSLNettyHttpServerTransport {
+public class SecureHttpServerTransport extends SecureNetty4HttpServerTransport {
 
     public static final AttributeKey<SecurityResponse> EARLY_RESPONSE = AttributeKey.newInstance("opensearch-http-early-response");
     public static final AttributeKey<Set<String>> UNCONSUMED_PARAMS = AttributeKey.newInstance("opensearch-http-request-consumed-params");
@@ -56,17 +58,18 @@ public class SecurityHttpServerTransport extends SecuritySSLNettyHttpServerTrans
     public static final AttributeKey<Boolean> SHOULD_DECOMPRESS = AttributeKey.newInstance("opensearch-http-should-decompress");
     public static final AttributeKey<Boolean> IS_AUTHENTICATED = AttributeKey.newInstance("opensearch-http-is-authenticated");
 
-    public SecurityHttpServerTransport(
+    private final ChannelInboundHandlerAdapter headerVerifier;
+
+    public SecureHttpServerTransport(
         final Settings settings,
         final NetworkService networkService,
         final BigArrays bigArrays,
         final ThreadPool threadPool,
-        final SecurityKeyStore odsks,
-        final SslExceptionHandler sslExceptionHandler,
         final NamedXContentRegistry namedXContentRegistry,
         final ValidatingDispatcher dispatcher,
         final ClusterSettings clusterSettings,
         SharedGroupFactory sharedGroupFactory,
+        final SecureTransportSettingsProvider secureTransportSettingsProvider,
         Tracer tracer,
         SecurityRestFilter restFilter
     ) {
@@ -75,14 +78,24 @@ public SecurityHttpServerTransport(
             networkService,
             bigArrays,
             threadPool,
-            odsks,
             namedXContentRegistry,
             dispatcher,
-            sslExceptionHandler,
             clusterSettings,
             sharedGroupFactory,
-            tracer,
-            restFilter
+            secureTransportSettingsProvider,
+            tracer
         );
+
+        headerVerifier = new Netty4HttpRequestHeaderVerifier(restFilter, threadPool, settings);
+    }
+
+    @Override
+    protected ChannelInboundHandlerAdapter createHeaderVerifier() {
+        return headerVerifier;
+    }
+
+    @Override
+    protected ChannelInboundHandlerAdapter createDecompressor() {
+        return new Netty4ConditionalDecompressor();
     }
 }
diff --git a/src/main/java/org/opensearch/security/ssl/OpenSearchSecureSettingsFactory.java b/src/main/java/org/opensearch/security/ssl/OpenSearchSecureSettingsFactory.java
@@ -0,0 +1,74 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+package org.opensearch.security.ssl;
+
+import java.util.Optional;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLException;
+
+import org.opensearch.common.settings.Settings;
+import org.opensearch.http.HttpServerTransport;
+import org.opensearch.plugins.SecureSettingsFactory;
+import org.opensearch.plugins.SecureTransportSettingsProvider;
+import org.opensearch.transport.TcpTransport;
+
+public class OpenSearchSecureSettingsFactory implements SecureSettingsFactory {
+    private final Settings settings;
+    private final SecurityKeyStore sks;
+    private final SslExceptionHandler sslExceptionHandler;
+
+    public OpenSearchSecureSettingsFactory(Settings settings, SecurityKeyStore sks, SslExceptionHandler sslExceptionHandler) {
+        this.settings = settings;
+        this.sks = sks;
+        this.sslExceptionHandler = sslExceptionHandler;
+    }
+
+    @Override
+    public Optional<SecureTransportSettingsProvider> getSecureTransportSettingsProvider(Settings settings) {
+        return Optional.of(new SecureTransportSettingsProvider() {
+            @Override
+            public Optional<ServerExceptionHandler> buildHttpServerExceptionHandler(Settings settings, HttpServerTransport transport) {
+                return Optional.of(new ServerExceptionHandler() {
+                    @Override
+                    public void onError(Throwable t) {
+                        sslExceptionHandler.logError(t, true);
+                    }
+                });
+            }
+
+            @Override
+            public Optional<ServerExceptionHandler> buildServerTransportExceptionHandler(Settings settings, TcpTransport transport) {
+                return Optional.of(new ServerExceptionHandler() {
+                    @Override
+                    public void onError(Throwable t) {
+                        sslExceptionHandler.logError(t, false);
+                    }
+                });
+            }
+
+            @Override
+            public Optional<SSLEngine> buildSecureHttpServerEngine(Settings settings, HttpServerTransport transport) throws SSLException {
+                return Optional.of(sks.createHTTPSSLEngine());
+            }
+
+            @Override
+            public Optional<SSLEngine> buildSecureServerTransportEngine(Settings settings, TcpTransport transport) throws SSLException {
+                return Optional.of(sks.createServerTransportSSLEngine());
+            }
+
+            @Override
+            public Optional<SSLEngine> buildSecureClientTransportEngine(Settings settings, String hostname, int port) throws SSLException {
+                return Optional.of(sks.createClientTransportSSLEngine(hostname, port));
+            }
+        });
+    }
+}