Access SSL contexts using names instead of Settings

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationSettings.java

@@ -22,6 +22,8 @@
 import java.util.Locale;
 import java.util.Optional;
 import java.util.function.Function;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
 
 /**
  * Bridges SSLConfiguration into the {@link Settings} framework, using {@link Setting} objects.
@@ -221,4 +223,10 @@ public static Collection<Setting<?>> getProfileSettings() {
                 CLIENT_AUTH_SETTING_PROFILES, VERIFICATION_MODE_SETTING_PROFILES);
     }
 
+    public List<Setting<SecureString>> getSecureSettingsInUse(Settings settings) {
+        return Stream.of(this.truststorePassword, this.x509KeyPair.keystorePassword,
+            this.x509KeyPair.keystoreKeyPassword, this.x509KeyPair.keyPassword)
+            .filter(s -> s.exists(settings))
+            .collect(Collectors.toList());
+    }
 }

x-pack/plugin/monitoring/src/main/java/org/elasticsearch/xpack/monitoring/exporter/Exporters.java

@@ -55,6 +55,7 @@ public Exporters(Settings settings, Map<String, Exporter.Factory> factories,
         this.licenseState = Objects.requireNonNull(licenseState);
 
         clusterService.getClusterSettings().addSettingsUpdateConsumer(this::setExportersSetting, getSettings());
+        HttpExporter.registerSettingValidators(clusterService);
         // this ensures, that logging is happening by adding an empty consumer per affix setting
         for (Setting.AffixSetting<?> affixSetting : getSettings()) {
             clusterService.getClusterSettings().addAffixUpdateConsumer(affixSetting, (s, o) -> {}, (s, o) -> {});

x-pack/plugin/monitoring/src/main/java/org/elasticsearch/xpack/monitoring/exporter/http/HttpExporter.java

@@ -34,6 +34,8 @@
 import org.elasticsearch.common.util.set.Sets;
 import org.elasticsearch.common.xcontent.XContentType;
 import org.elasticsearch.xpack.core.monitoring.exporter.MonitoringTemplateUtils;
+import org.elasticsearch.xpack.core.ssl.SSLConfiguration;
+import org.elasticsearch.xpack.core.ssl.SSLConfigurationSettings;
 import org.elasticsearch.xpack.core.ssl.SSLService;
 import org.elasticsearch.xpack.monitoring.exporter.ClusterAlertsUtil;
 import org.elasticsearch.xpack.monitoring.exporter.Exporter;
@@ -50,6 +52,7 @@
 import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.function.Function;
 import java.util.function.Supplier;
+import java.util.stream.Collectors;
 
 /**
  * {@code HttpExporter} uses the low-level {@link RestClient} to connect to a user-specified set of nodes for exporting Monitoring
@@ -252,6 +255,30 @@ public HttpExporter(final Config config, final SSLService sslService, final Thre
         listener.setResource(resource);
     }
 
+    /**
+     * Adds a validator for the {@link #SSL_SETTING} to prevent dynamic updates when secure settings also exist within that setting
+     * groups (ssl context).
+     * Because it is not possible to re-read the secure settings during a dynamic update, we cannot rebuild the {@link SSLIOSessionStrategy}
+     * (see {@link #configureSecurity(RestClientBuilder, Config, SSLService)} if this exporter has been configured with secure settings
+     */
+    public static void registerSettingValidators(ClusterService clusterService) {
+        clusterService.getClusterSettings().addAffixUpdateConsumer(SSL_SETTING,
+            (ignoreKey, ignoreSettings) -> {
+            // no-op update. We only care about the validator
+            },
+            (namespace, settings) -> {
+                final List<String> secureSettings = SSLConfigurationSettings.withoutPrefix()
+                    .getSecureSettingsInUse(settings)
+                    .stream()
+                    .map(Setting::getKey)
+                    .collect(Collectors.toList());
+                if (secureSettings.isEmpty() == false) {
+                    throw new IllegalStateException("Cannot dynamically update SSL settings for the exporter [" + namespace
+                        + "] as it depends on the secure setting(s) [" + Strings.collectionToCommaDelimitedString(secureSettings) + "]");
+                }
+            });
+    }
+
     /**
      * Create a {@link RestClientBuilder} from the HTTP Exporter's {@code config}.
      *
@@ -443,8 +470,20 @@ private static void configureHeaders(final RestClientBuilder builder, final Conf
      * @throws SettingsException if any setting causes issues
      */
     private static void configureSecurity(final RestClientBuilder builder, final Config config, final SSLService sslService) {
-        final Settings sslSettings = SSL_SETTING.getConcreteSettingForNamespace(config.name()).get(config.settings());
-        final SSLIOSessionStrategy sslStrategy = sslService.sslIOSessionStrategy(sslSettings);
+        final Setting<Settings> concreteSetting = SSL_SETTING.getConcreteSettingForNamespace(config.name());
+        final Settings sslSettings = concreteSetting.get(config.settings());
+        final SSLIOSessionStrategy sslStrategy;
+        if (SSLConfigurationSettings.withoutPrefix().getSecureSettingsInUse(sslSettings).isEmpty()) {
+            // This configuration does not use secure settings, so it is possible that is has been dynamically updated.
+            // We need to load a new SSL strategy in case these settings differ from the ones that the SSL service was configured with.
+            sslStrategy = sslService.sslIOSessionStrategy(sslSettings);
+        } else {
+            // This configuration uses secure settings. We cannot load a new SSL strategy, as the secure settings have already been closed.
+            // Due to #registerSettingValidators we know that the settings not been dynamically updated, and the pre-configured strategy
+            // is still the correct configuration for use in this exporter.
+            final SSLConfiguration sslConfiguration = sslService.getSSLConfiguration(concreteSetting.getKey());
+            sslStrategy = sslService.sslIOSessionStrategy(sslConfiguration);
+        }
         final CredentialsProvider credentialsProvider = createCredentialsProvider(config);
         List<String> hostList = HOST_SETTING.getConcreteSettingForNamespace(config.name()).get(config.settings());
         // sending credentials in plaintext!

x-pack/plugin/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/exporter/http/HttpSslExporterIT.java

@@ -0,0 +1,188 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.monitoring.exporter.http;
+
+import org.elasticsearch.action.ActionFuture;
+import org.elasticsearch.action.admin.cluster.settings.ClusterUpdateSettingsRequest;
+import org.elasticsearch.action.admin.cluster.settings.ClusterUpdateSettingsResponse;
+import org.elasticsearch.common.settings.MockSecureSettings;
+import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.env.Environment;
+import org.elasticsearch.env.TestEnvironment;
+import org.elasticsearch.test.ESIntegTestCase;
+import org.elasticsearch.test.ESIntegTestCase.Scope;
+import org.elasticsearch.test.http.MockWebServer;
+import org.elasticsearch.xpack.core.ssl.TestsSSLService;
+import org.elasticsearch.xpack.core.ssl.VerificationMode;
+import org.elasticsearch.xpack.monitoring.exporter.Exporter;
+import org.elasticsearch.xpack.monitoring.exporter.Exporters;
+import org.elasticsearch.xpack.monitoring.test.MonitoringIntegTestCase;
+import org.hamcrest.CoreMatchers;
+import org.junit.AfterClass;
+import org.junit.Before;
+
+import javax.net.ssl.SSLContext;
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+
+import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.instanceOf;
+import static org.hamcrest.Matchers.notNullValue;
+
+@ESIntegTestCase.ClusterScope(scope = Scope.SUITE,
+    numDataNodes = 1, numClientNodes = 0, transportClientRatio = 0.0, supportsDedicatedMasters = false)
+public class HttpSslExporterIT extends MonitoringIntegTestCase {
+
+    private final Settings globalSettings = Settings.builder().put("path.home", createTempDir()).build();
+    private final Environment environment = TestEnvironment.newEnvironment(globalSettings);
+
+    private static MockWebServer webServer;
+    private static Path keystore;
+    private MockSecureSettings secureSettings;
+
+
+    @AfterClass
+    public static void cleanUpStatics() {
+        if (webServer != null) {
+            webServer.close();
+            webServer = null;
+        }
+        keystore = null;
+    }
+
+    @Override
+    protected boolean ignoreExternalCluster() {
+        return true;
+    }
+
+    @Override
+    protected Settings nodeSettings(int nodeOrdinal) {
+        if (keystore == null) {
+            keystore = getDataPath("/org/elasticsearch/xpack/monitoring/exporter/http/testnode.jks");
+            assertThat(Files.exists(keystore), CoreMatchers.is(true));
+        }
+
+        if (webServer == null) {
+            try {
+                webServer = buildWebServer();
+            } catch (IOException e) {
+                throw new RuntimeException(e);
+            }
+        }
+
+        final String address = "https://" + webServer.getHostName() + ":" + webServer.getPort();
+        final Settings.Builder builder = Settings.builder()
+            .put(super.nodeSettings(nodeOrdinal))
+            .put("xpack.monitoring.exporters.plaintext.type", "http")
+            .put("xpack.monitoring.exporters.plaintext.enabled", true)
+            .put("xpack.monitoring.exporters.plaintext.host", address)
+            .put("xpack.monitoring.exporters.plaintext.ssl.truststore.path", keystore)
+            .put("xpack.monitoring.exporters.plaintext.ssl.truststore.password", "testnode")
+            .put("xpack.monitoring.exporters.secure.type", "http")
+            .put("xpack.monitoring.exporters.secure.enabled", true)
+            .put("xpack.monitoring.exporters.secure.host", address)
+            .put("xpack.monitoring.exporters.secure.ssl.truststore.path", keystore);
+
+        secureSettings = new MockSecureSettings();
+        secureSettings.setString("xpack.monitoring.exporters.secure.ssl.truststore.secure_password", "testnode");
+        builder.setSecureSettings(secureSettings);
+
+        return builder.build();
+    }
+
+    private MockWebServer buildWebServer() throws IOException {
+        final Settings sslSettings = Settings.builder()
+            .put("xpack.ssl.keystore.path", keystore)
+            .put("xpack.ssl.keystore.password", "testnode")
+            .put(globalSettings)
+            .build();
+
+        TestsSSLService sslService = new TestsSSLService(sslSettings, environment);
+        final SSLContext sslContext = sslService.sslContext(Settings.EMPTY);
+        MockWebServer server = new MockWebServer(sslContext, false);
+        server.start();
+        return server;
+    }
+
+    @Before
+    // Force the exporters to be built from closed secure settings (as they would be in a production environment)
+    public void closeSecureSettings() throws IOException {
+        if (secureSettings != null) {
+            secureSettings.close();
+        }
+    }
+
+    public void testCannotUpdateSslSettingsWithSecureSettings() throws Exception {
+        // Verify that it was created even though it has a secure setting
+        assertExporterExists("secure");
+
+        // Verify that we cannot modify the SSL settings
+        final ActionFuture<ClusterUpdateSettingsResponse> future = setVerificationMode("secure", VerificationMode.CERTIFICATE);
+        final IllegalArgumentException iae = expectThrows(IllegalArgumentException.class, future::actionGet);
+        assertThat(iae.getCause(), instanceOf(IllegalStateException.class));
+        assertThat(iae.getCause().getMessage(), containsString("secure_password"));
+    }
+
+    public void testCanUpdateSslSettingsWithNoSecureSettings() {
+        final ActionFuture<ClusterUpdateSettingsResponse> future = setVerificationMode("plaintext", VerificationMode.CERTIFICATE);
+        final ClusterUpdateSettingsResponse response = future.actionGet();
+        assertThat(response, notNullValue());
+        clearTransientSettings("plaintext");
+    }
+
+    public void testCanAddNewExporterWithSsl() {
+        Path truststore = getDataPath("/org/elasticsearch/xpack/monitoring/exporter/http/testnode.jks");
+        assertThat(Files.exists(truststore), CoreMatchers.is(true));
+
+        final ClusterUpdateSettingsRequest updateSettings = new ClusterUpdateSettingsRequest();
+        final Settings settings = Settings.builder()
+            .put("xpack.monitoring.exporters._new.type", "http")
+            .put("xpack.monitoring.exporters._new.host", "https://" + webServer.getHostName() + ":" + webServer.getPort())
+            .put("xpack.monitoring.exporters._new.ssl.truststore.path", truststore)
+            .put("xpack.monitoring.exporters._new.ssl.truststore.password", "testnode")
+            .put("xpack.monitoring.exporters._new.ssl.verification_mode", VerificationMode.NONE.name())
+            .build();
+        updateSettings.transientSettings(settings);
+        final ActionFuture<ClusterUpdateSettingsResponse> future = client().admin().cluster().updateSettings(updateSettings);
+        final ClusterUpdateSettingsResponse response = future.actionGet();
+        assertThat(response, notNullValue());
+
+        assertExporterExists("_new");
+        clearTransientSettings("_new");
+    }
+
+    private void assertExporterExists(String secure) {
+        final Exporter httpExporter = getExporter(secure);
+        assertThat(httpExporter, notNullValue());
+        assertThat(httpExporter, instanceOf(HttpExporter.class));
+    }
+
+    private Exporter getExporter(String name) {
+        final Exporters exporters = internalCluster().getInstance(Exporters.class);
+        assertThat(exporters, notNullValue());
+        return exporters.getExporter(name);
+    }
+
+    private ActionFuture<ClusterUpdateSettingsResponse> setVerificationMode(String name, VerificationMode mode) {
+        final ClusterUpdateSettingsRequest updateSettings = new ClusterUpdateSettingsRequest();
+        final Settings settings = Settings.builder()
+            .put("xpack.monitoring.exporters." + name + ".ssl.verification_mode", mode.name())
+            .build();
+        updateSettings.transientSettings(settings);
+        return client().admin().cluster().updateSettings(updateSettings);
+    }
+
+    private void clearTransientSettings(String... names) {
+        final ClusterUpdateSettingsRequest updateSettings = new ClusterUpdateSettingsRequest();
+        final Settings.Builder builder = Settings.builder();
+        for (String name : names) {
+            builder.put("xpack.monitoring.exporters." + name + ".*", (String) null);
+        }
+        updateSettings.transientSettings(builder.build());
+        client().admin().cluster().updateSettings(updateSettings).actionGet();
+    }
+}

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheck.java

@@ -38,7 +38,7 @@ class PkiRealmBootstrapCheck implements BootstrapCheck {
     private List<SSLConfiguration> loadSslConfigurations(Settings settings) {
         final List<SSLConfiguration> list = new ArrayList<>();
         if (HTTP_SSL_ENABLED.get(settings)) {
-            list.add(sslService.sslConfiguration(SSLService.getHttpTransportSSLSettings(settings), Settings.EMPTY));
+            list.add(sslService.getHttpTransportSSLConfiguration());
         }
 
         if (XPackSettings.TRANSPORT_SSL_ENABLED.get(settings)) {

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java

@@ -117,16 +117,17 @@
 import org.elasticsearch.xpack.core.security.authz.accesscontrol.SecurityIndexSearcherWrapper;
 import org.elasticsearch.xpack.core.security.authz.permission.FieldPermissions;
 import org.elasticsearch.xpack.core.security.authz.permission.FieldPermissionsCache;
-import org.elasticsearch.xpack.security.authz.store.FileRolesStore;
 import org.elasticsearch.xpack.core.security.authz.store.ReservedRolesStore;
 import org.elasticsearch.xpack.core.security.index.IndexAuditTrailField;
 import org.elasticsearch.xpack.core.security.user.AnonymousUser;
+import org.elasticsearch.xpack.core.ssl.SSLConfiguration;
 import org.elasticsearch.xpack.core.ssl.SSLConfigurationSettings;
 import org.elasticsearch.xpack.core.ssl.SSLService;
 import org.elasticsearch.xpack.core.ssl.TLSLicenseBootstrapCheck;
 import org.elasticsearch.xpack.core.ssl.action.GetCertificateInfoAction;
 import org.elasticsearch.xpack.core.ssl.action.TransportGetCertificateInfoAction;
 import org.elasticsearch.xpack.core.ssl.rest.RestGetCertificateInfoAction;
+import org.elasticsearch.xpack.core.template.TemplateUtils;
 import org.elasticsearch.xpack.security.action.filter.SecurityActionFilter;
 import org.elasticsearch.xpack.security.action.interceptor.BulkShardRequestInterceptor;
 import org.elasticsearch.xpack.security.action.interceptor.IndicesAliasesRequestInterceptor;
@@ -172,6 +173,7 @@
 import org.elasticsearch.xpack.security.authz.SecuritySearchOperationListener;
 import org.elasticsearch.xpack.security.authz.accesscontrol.OptOutQueryCache;
 import org.elasticsearch.xpack.security.authz.store.CompositeRolesStore;
+import org.elasticsearch.xpack.security.authz.store.FileRolesStore;
 import org.elasticsearch.xpack.security.authz.store.NativeRolesStore;
 import org.elasticsearch.xpack.security.ingest.HashProcessor;
 import org.elasticsearch.xpack.security.ingest.SetSecurityUserProcessor;
@@ -202,7 +204,6 @@
 import org.elasticsearch.xpack.security.transport.filter.IPFilter;
 import org.elasticsearch.xpack.security.transport.netty4.SecurityNetty4HttpServerTransport;
 import org.elasticsearch.xpack.security.transport.netty4.SecurityNetty4ServerTransport;
-import org.elasticsearch.xpack.core.template.TemplateUtils;
 import org.joda.time.DateTime;
 import org.joda.time.DateTimeZone;
 
@@ -231,9 +232,9 @@
 import static java.util.Collections.singletonList;
 import static org.elasticsearch.cluster.metadata.IndexMetaData.INDEX_FORMAT_SETTING;
 import static org.elasticsearch.xpack.core.XPackSettings.HTTP_SSL_ENABLED;
-import static org.elasticsearch.xpack.security.support.SecurityIndexManager.SECURITY_TEMPLATE_NAME;
-import static org.elasticsearch.xpack.security.support.SecurityIndexManager.SECURITY_INDEX_NAME;
 import static org.elasticsearch.xpack.security.support.SecurityIndexManager.INTERNAL_INDEX_FORMAT;
+import static org.elasticsearch.xpack.security.support.SecurityIndexManager.SECURITY_INDEX_NAME;
+import static org.elasticsearch.xpack.security.support.SecurityIndexManager.SECURITY_TEMPLATE_NAME;
 
 public class Security extends Plugin implements ActionPlugin, IngestPlugin, NetworkPlugin, ClusterPlugin,
         DiscoveryPlugin, MapperPlugin, ExtensiblePlugin {
@@ -870,10 +871,9 @@ public UnaryOperator<RestHandler> getRestHandlerWrapper(ThreadContext threadCont
             return null;
         }
         final boolean ssl = HTTP_SSL_ENABLED.get(settings);
-        Settings httpSSLSettings = SSLService.getHttpTransportSSLSettings(settings);
-        boolean extractClientCertificate = ssl && getSslService().isSSLClientAuthEnabled(httpSSLSettings);
-        return handler -> new SecurityRestFilter(getLicenseState(), threadContext, authcService.get(), handler,
-                extractClientCertificate);
+        final SSLConfiguration httpSSLConfig = getSslService().getHttpTransportSSLConfiguration();
+        boolean extractClientCertificate = ssl && getSslService().isSSLClientAuthEnabled(httpSSLConfig);
+        return handler -> new SecurityRestFilter(getLicenseState(), threadContext, authcService.get(), handler, extractClientCertificate);
     }
 
     @Override