Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Switch to built-in security transports from core #4119

Merged
merged 4 commits into from
Mar 26, 2024
Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,7 @@
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.BiFunction;
Expand Down Expand Up @@ -114,6 +115,8 @@
import org.opensearch.plugins.ExtensionAwarePlugin;
import org.opensearch.plugins.IdentityPlugin;
import org.opensearch.plugins.MapperPlugin;
import org.opensearch.plugins.SecureSettingsFactory;
import org.opensearch.plugins.SecureTransportSettingsProvider;
import org.opensearch.repositories.RepositoriesService;
import org.opensearch.rest.RestController;
import org.opensearch.rest.RestHandler;
Expand Down Expand Up @@ -167,11 +170,11 @@
import org.opensearch.security.securityconf.DynamicConfigFactory;
import org.opensearch.security.setting.OpensearchDynamicSetting;
import org.opensearch.security.setting.TransportPassiveAuthSetting;
import org.opensearch.security.ssl.OpenSearchSecureSettingsFactory;
import org.opensearch.security.ssl.OpenSearchSecuritySSLPlugin;
import org.opensearch.security.ssl.SslExceptionHandler;
import org.opensearch.security.ssl.http.netty.ValidatingDispatcher;
import org.opensearch.security.ssl.transport.DefaultPrincipalExtractor;
import org.opensearch.security.ssl.transport.SecuritySSLNettyTransport;
import org.opensearch.security.ssl.util.SSLConfigConstants;
import org.opensearch.security.support.ConfigConstants;
import org.opensearch.security.support.GuardedSearchOperationWrapper;
Expand Down Expand Up @@ -199,6 +202,7 @@
import org.opensearch.transport.TransportRequestOptions;
import org.opensearch.transport.TransportResponseHandler;
import org.opensearch.transport.TransportService;
import org.opensearch.transport.netty4.ssl.SecureNetty4Transport;
import org.opensearch.watcher.ResourceWatcherService;

import static org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.ENDPOINTS_WITH_PERMISSIONS;
Expand Down Expand Up @@ -858,44 +862,44 @@ public <T extends TransportResponse> void sendRequest(
}

@Override
public Map<String, Supplier<Transport>> getTransports(
public Map<String, Supplier<Transport>> getSecureTransports(
Settings settings,
ThreadPool threadPool,
PageCacheRecycler pageCacheRecycler,
CircuitBreakerService circuitBreakerService,
NamedWriteableRegistry namedWriteableRegistry,
NetworkService networkService,
SecureTransportSettingsProvider secureTransportSettingsProvider,
Tracer tracer
) {
Map<String, Supplier<Transport>> transports = new HashMap<String, Supplier<Transport>>();

if (SSLConfig.isSslOnlyMode()) {
return super.getTransports(
return super.getSecureTransports(
settings,
threadPool,
pageCacheRecycler,
circuitBreakerService,
namedWriteableRegistry,
networkService,
secureTransportSettingsProvider,
tracer
);
}

if (transportSSLEnabled) {
transports.put(
"org.opensearch.security.ssl.http.netty.SecuritySSLNettyTransport",
() -> new SecuritySSLNettyTransport(
settings,
() -> new SecureNetty4Transport(
migrateSettings(settings),
Version.CURRENT,
threadPool,
networkService,
pageCacheRecycler,
namedWriteableRegistry,
circuitBreakerService,
sks,
evaluateSslExceptionHandler(),
sharedGroupFactory,
SSLConfig,
secureTransportSettingsProvider,
tracer
)
);
Expand All @@ -904,7 +908,7 @@ public Map<String, Supplier<Transport>> getTransports(
}

@Override
public Map<String, Supplier<HttpServerTransport>> getHttpTransports(
public Map<String, Supplier<HttpServerTransport>> getSecureHttpTransports(
Settings settings,
ThreadPool threadPool,
BigArrays bigArrays,
Expand All @@ -914,11 +918,12 @@ public Map<String, Supplier<HttpServerTransport>> getHttpTransports(
NetworkService networkService,
Dispatcher dispatcher,
ClusterSettings clusterSettings,
SecureTransportSettingsProvider secureTransportSettingsProvider,
Tracer tracer
) {

if (SSLConfig.isSslOnlyMode()) {
return super.getHttpTransports(
return super.getSecureHttpTransports(
settings,
threadPool,
bigArrays,
Expand All @@ -928,6 +933,7 @@ public Map<String, Supplier<HttpServerTransport>> getHttpTransports(
networkService,
dispatcher,
clusterSettings,
secureTransportSettingsProvider,
tracer
);
}
Expand All @@ -944,16 +950,15 @@ public Map<String, Supplier<HttpServerTransport>> getHttpTransports(
);
// TODO close odshst
final SecurityHttpServerTransport odshst = new SecurityHttpServerTransport(
settings,
migrateSettings(settings),
networkService,
bigArrays,
threadPool,
sks,
evaluateSslExceptionHandler(),
xContentRegistry,
validatingDispatcher,
clusterSettings,
sharedGroupFactory,
secureTransportSettingsProvider,
tracer,
securityRestHandler
);
Expand All @@ -963,14 +968,15 @@ public Map<String, Supplier<HttpServerTransport>> getHttpTransports(
return Collections.singletonMap(
"org.opensearch.security.http.SecurityHttpServerTransport",
() -> new SecurityNonSslHttpServerTransport(
settings,
migrateSettings(settings),
networkService,
bigArrays,
threadPool,
xContentRegistry,
dispatcher,
clusterSettings,
sharedGroupFactory,
secureTransportSettingsProvider,
tracer,
securityRestHandler
)
Expand Down Expand Up @@ -2005,6 +2011,11 @@ public SecurityTokenManager getTokenManager() {
return tokenManager;
}

@Override
public Optional<SecureSettingsFactory> getSecureSettingFactory(Settings settings) {
return Optional.of(new OpenSearchSecureSettingsFactory(settings, sks, sslExceptionHandler));
}

public static class GuiceHolder implements LifecycleComponent {

private static RepositoriesService repositoriesService;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -34,19 +34,21 @@
import org.opensearch.common.util.BigArrays;
import org.opensearch.common.util.concurrent.ThreadContext;
import org.opensearch.core.xcontent.NamedXContentRegistry;
import org.opensearch.http.netty4.ssl.SecureNetty4HttpServerTransport;
import org.opensearch.plugins.SecureTransportSettingsProvider;
import org.opensearch.security.filter.SecurityResponse;
import org.opensearch.security.filter.SecurityRestFilter;
import org.opensearch.security.ssl.SecurityKeyStore;
import org.opensearch.security.ssl.SslExceptionHandler;
import org.opensearch.security.ssl.http.netty.SecuritySSLNettyHttpServerTransport;
import org.opensearch.security.ssl.http.netty.Netty4ConditionalDecompressor;
import org.opensearch.security.ssl.http.netty.Netty4HttpRequestHeaderVerifier;
import org.opensearch.security.ssl.http.netty.ValidatingDispatcher;
import org.opensearch.telemetry.tracing.Tracer;
import org.opensearch.threadpool.ThreadPool;
import org.opensearch.transport.SharedGroupFactory;

import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.util.AttributeKey;

public class SecurityHttpServerTransport extends SecuritySSLNettyHttpServerTransport {
public class SecurityHttpServerTransport extends SecureNetty4HttpServerTransport {
reta marked this conversation as resolved.
Show resolved Hide resolved

public static final AttributeKey<SecurityResponse> EARLY_RESPONSE = AttributeKey.newInstance("opensearch-http-early-response");
public static final AttributeKey<Set<String>> UNCONSUMED_PARAMS = AttributeKey.newInstance("opensearch-http-request-consumed-params");
Expand All @@ -56,17 +58,18 @@ public class SecurityHttpServerTransport extends SecuritySSLNettyHttpServerTrans
public static final AttributeKey<Boolean> SHOULD_DECOMPRESS = AttributeKey.newInstance("opensearch-http-should-decompress");
public static final AttributeKey<Boolean> IS_AUTHENTICATED = AttributeKey.newInstance("opensearch-http-is-authenticated");

private final ChannelInboundHandlerAdapter headerVerifier;

public SecurityHttpServerTransport(
final Settings settings,
final NetworkService networkService,
final BigArrays bigArrays,
final ThreadPool threadPool,
final SecurityKeyStore odsks,
final SslExceptionHandler sslExceptionHandler,
final NamedXContentRegistry namedXContentRegistry,
final ValidatingDispatcher dispatcher,
final ClusterSettings clusterSettings,
SharedGroupFactory sharedGroupFactory,
final SecureTransportSettingsProvider secureTransportSettingsProvider,
Tracer tracer,
SecurityRestFilter restFilter
) {
Expand All @@ -75,14 +78,24 @@ public SecurityHttpServerTransport(
networkService,
bigArrays,
threadPool,
odsks,
namedXContentRegistry,
dispatcher,
sslExceptionHandler,
clusterSettings,
sharedGroupFactory,
tracer,
restFilter
secureTransportSettingsProvider,
tracer
);

headerVerifier = new Netty4HttpRequestHeaderVerifier(restFilter, threadPool, settings);
}

@Override
protected ChannelInboundHandlerAdapter createHeaderVerifier() {
return headerVerifier;
}

@Override
protected ChannelInboundHandlerAdapter createDecompressor() {
return new Netty4ConditionalDecompressor();
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,8 @@
import org.opensearch.core.xcontent.NamedXContentRegistry;
import org.opensearch.http.HttpHandlingSettings;
import org.opensearch.http.netty4.Netty4HttpServerTransport;
import org.opensearch.http.netty4.ssl.SecureNetty4HttpServerTransport;
import org.opensearch.plugins.SecureTransportSettingsProvider;
import org.opensearch.security.filter.SecurityRestFilter;
import org.opensearch.security.ssl.http.netty.Netty4ConditionalDecompressor;
import org.opensearch.security.ssl.http.netty.Netty4HttpRequestHeaderVerifier;
Expand All @@ -44,7 +46,7 @@
import io.netty.channel.ChannelHandler;
import io.netty.channel.ChannelInboundHandlerAdapter;

public class SecurityNonSslHttpServerTransport extends Netty4HttpServerTransport {
public class SecurityNonSslHttpServerTransport extends SecureNetty4HttpServerTransport {
reta marked this conversation as resolved.
Show resolved Hide resolved

private final ChannelInboundHandlerAdapter headerVerifier;

Expand All @@ -57,6 +59,7 @@ public SecurityNonSslHttpServerTransport(
final Dispatcher dispatcher,
final ClusterSettings clusterSettings,
final SharedGroupFactory sharedGroupFactory,
final SecureTransportSettingsProvider secureTransportSettingsProvider,
final Tracer tracer,
final SecurityRestFilter restFilter
) {
Expand All @@ -69,6 +72,7 @@ public SecurityNonSslHttpServerTransport(
dispatcher,
clusterSettings,
sharedGroupFactory,
secureTransportSettingsProvider,
tracer
);
headerVerifier = new Netty4HttpRequestHeaderVerifier(restFilter, threadPool, settings);
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,74 @@
/*
* SPDX-License-Identifier: Apache-2.0
*
* The OpenSearch Contributors require contributions made to
* this file be licensed under the Apache-2.0 license or a
* compatible open source license.
*
* Modifications Copyright OpenSearch Contributors. See
* GitHub history for details.
*/

package org.opensearch.security.ssl;

import java.util.Optional;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;

import org.opensearch.common.settings.Settings;
import org.opensearch.http.HttpServerTransport;
import org.opensearch.plugins.SecureSettingsFactory;
import org.opensearch.plugins.SecureTransportSettingsProvider;
import org.opensearch.transport.TcpTransport;

public class OpenSearchSecureSettingsFactory implements SecureSettingsFactory {
private final Settings settings;
private final SecurityKeyStore sks;
private final SslExceptionHandler sslExceptionHandler;

public OpenSearchSecureSettingsFactory(Settings settings, SecurityKeyStore sks, SslExceptionHandler sslExceptionHandler) {
this.settings = settings;
this.sks = sks;
this.sslExceptionHandler = sslExceptionHandler;
}

@Override
public Optional<SecureTransportSettingsProvider> getSecureTransportSettingsProvider(Settings settings) {
return Optional.of(new SecureTransportSettingsProvider() {
@Override
public Optional<ServerExceptionHandler> buildHttpServerExceptionHandler(Settings settings, HttpServerTransport transport) {
return Optional.of(new ServerExceptionHandler() {
@Override
public void onError(Throwable t) {
sslExceptionHandler.logError(t, true);
}
});
}

@Override
public Optional<ServerExceptionHandler> buildServerTransportExceptionHandler(Settings settings, TcpTransport transport) {
return Optional.of(new ServerExceptionHandler() {
@Override
public void onError(Throwable t) {
sslExceptionHandler.logError(t, false);
}
});
}

@Override
public Optional<SSLEngine> buildSecureHttpServerEngine(Settings settings, HttpServerTransport transport) throws SSLException {
return Optional.of(sks.createHTTPSSLEngine());
}

@Override
public Optional<SSLEngine> buildSecureServerTransportEngine(Settings settings, TcpTransport transport) throws SSLException {
return Optional.of(sks.createServerTransportSSLEngine());
}

@Override
public Optional<SSLEngine> buildSecureClientTransportEngine(Settings settings, String hostname, int port) throws SSLException {
return Optional.of(sks.createClientTransportSSLEngine(hostname, port));
}
});
}
}
Loading
Loading