From 269828c42ebeede31f2b869ae3acfe94bdbf0638 Mon Sep 17 00:00:00 2001 From: Finn Carroll Date: Wed, 25 Jun 2025 13:06:45 -0700 Subject: [PATCH 1/7] Pass aux transport to secure settings parameters(). Signed-off-by: Finn Carroll --- .../transport/grpc/ssl/SecureNetty4GrpcServerTransport.java | 2 +- .../opensearch/plugins/SecureAuxTransportSettingsProvider.java | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/transport-grpc/src/main/java/org/opensearch/plugin/transport/grpc/ssl/SecureNetty4GrpcServerTransport.java b/plugins/transport-grpc/src/main/java/org/opensearch/plugin/transport/grpc/ssl/SecureNetty4GrpcServerTransport.java index a886679ada293..0fd5b2d4a6cd6 100644 --- a/plugins/transport-grpc/src/main/java/org/opensearch/plugin/transport/grpc/ssl/SecureNetty4GrpcServerTransport.java +++ b/plugins/transport-grpc/src/main/java/org/opensearch/plugin/transport/grpc/ssl/SecureNetty4GrpcServerTransport.java @@ -114,7 +114,7 @@ private JdkSslContext getSslContext(Settings settings, SecureAuxTransportSetting throw new SSLException("Failed to build default SSLContext for " + SecureNetty4GrpcServerTransport.class.getName(), e); } } - SecureAuxTransportSettingsProvider.SecureAuxTransportParameters params = provider.parameters().orElseGet(DefaultParameters::new); + SecureAuxTransportSettingsProvider.SecureAuxTransportParameters params = provider.parameters(this).orElseGet(DefaultParameters::new); ClientAuth clientAuth = ClientAuth.valueOf(params.clientAuth().orElseThrow().toUpperCase(Locale.ROOT)); return new JdkSslContext( sslContext.get(), diff --git a/server/src/main/java/org/opensearch/plugins/SecureAuxTransportSettingsProvider.java b/server/src/main/java/org/opensearch/plugins/SecureAuxTransportSettingsProvider.java index f90d642409b01..971db7dc8db25 100644 --- a/server/src/main/java/org/opensearch/plugins/SecureAuxTransportSettingsProvider.java +++ b/server/src/main/java/org/opensearch/plugins/SecureAuxTransportSettingsProvider.java 
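Review bot: In the `@@ -114,7 +114,7` hunk of SecureNetty4GrpcServerTransport.java, the unchanged line `ClientAuth.valueOf(params.clientAuth().orElseThrow().toUpperCase(Locale.ROOT))` turns a missing or misspelled client-auth value from the provider into an unchecked `NoSuchElementException` or `IllegalArgumentException`, outside the method's `throws SSLException` contract. Since the parameters are now requested per transport, a provider may plausibly return parameters with no client-auth value for a transport it does not fully configure, so the failure should stay a TLS configuration error that names the transport: `params.clientAuth().orElseThrow(() -> new SSLException("clientAuth not provided for " + SecureNetty4GrpcServerTransport.class.getName()))`, with the `valueOf` call guarded the same way. The same statement is touched again by the hunks of PATCH 3/7 and PATCH 4/7. getSslContext starts and ends outside this hunk.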
@@ -36,7 +36,7 @@ default Optional buildSecureAuxServerTransportContext(Settings setti * Additional params required for configuring ALPN. * @return an instance of {@link SecureAuxTransportSettingsProvider.SecureAuxTransportParameters} */ - default Optional parameters() { + default Optional parameters(AuxTransport transport) { return Optional.empty(); } From 9dc8394e939ea7f5d4528a3d9bb12a5961d6127e Mon Sep 17 00:00:00 2001 From: Finn Carroll Date: Wed, 25 Jun 2025 13:21:49 -0700 Subject: [PATCH 2/7] Update javadocs, fix UTs. Signed-off-by: Finn Carroll --- .../plugin/transport/grpc/ssl/SecureSettingsHelpers.java | 2 +- .../opensearch/plugins/SecureAuxTransportSettingsProvider.java | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/plugins/transport-grpc/src/test/java/org/opensearch/plugin/transport/grpc/ssl/SecureSettingsHelpers.java b/plugins/transport-grpc/src/test/java/org/opensearch/plugin/transport/grpc/ssl/SecureSettingsHelpers.java index 387889eb87ae0..a90da46edc43c 100644 --- a/plugins/transport-grpc/src/test/java/org/opensearch/plugin/transport/grpc/ssl/SecureSettingsHelpers.java +++ b/plugins/transport-grpc/src/test/java/org/opensearch/plugin/transport/grpc/ssl/SecureSettingsHelpers.java @@ -126,7 +126,7 @@ public Optional buildSecureAuxServerTransportContext(Settings settin } @Override - public Optional parameters() { + public Optional parameters(AuxTransport transport) { return Optional.of(new SecureAuxTransportParameters() { @Override public Optional clientAuth() { diff --git a/server/src/main/java/org/opensearch/plugins/SecureAuxTransportSettingsProvider.java b/server/src/main/java/org/opensearch/plugins/SecureAuxTransportSettingsProvider.java index 971db7dc8db25..389c09319559a 100644 --- a/server/src/main/java/org/opensearch/plugins/SecureAuxTransportSettingsProvider.java +++ b/server/src/main/java/org/opensearch/plugins/SecureAuxTransportSettingsProvider.java 
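Review bot: The `@@ -36,7 +36,7` hunk of SecureAuxTransportSettingsProvider.java replaces `parameters()` instead of overloading it, so a provider built against the old signature keeps a `parameters()` that is no longer called and inherits the new default, which returns `Optional.empty()`. The caller in SecureNetty4GrpcServerTransport then takes `DefaultParameters` through `orElseGet`, so the provider's client-auth choice would be dropped without any error. Consider keeping the no-argument method as a `@Deprecated` default and making the new default body `return parameters();`, or state the break in the upgrade notes. PATCH 4/7 changes both method signatures again (hunk `@@ -27,19 +26,24`), where the same applies to `buildSecureAuxServerTransportContext` and the caller's `SSLContext.getDefault()` fallback.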
@@ -26,6 +26,8 @@ public interface SecureAuxTransportSettingsProvider { /** * Fetch an SSLContext as managed by pluggable security provider. + * @param settings for providing additional configuration options when building the ssl context. + * @param transport the auxiliary transport for which an SSLContext is built. * @return an instance of SSLContext. */ default Optional buildSecureAuxServerTransportContext(Settings settings, AuxTransport transport) throws SSLException { @@ -34,6 +36,7 @@ default Optional buildSecureAuxServerTransportContext(Settings setti /** * Additional params required for configuring ALPN. + * @param transport the auxiliary transport to be provided SecureAuxTransportParameters. * @return an instance of {@link SecureAuxTransportSettingsProvider.SecureAuxTransportParameters} */ default Optional parameters(AuxTransport transport) { From ce2e77407c220ff2823381d4aa76f8984353aa8b Mon Sep 17 00:00:00 2001 From: Finn Carroll Date: Wed, 25 Jun 2025 13:26:03 -0700 Subject: [PATCH 3/7] Spotless apply Signed-off-by: Finn Carroll --- .../transport/grpc/ssl/SecureNetty4GrpcServerTransport.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/plugins/transport-grpc/src/main/java/org/opensearch/plugin/transport/grpc/ssl/SecureNetty4GrpcServerTransport.java b/plugins/transport-grpc/src/main/java/org/opensearch/plugin/transport/grpc/ssl/SecureNetty4GrpcServerTransport.java index 0fd5b2d4a6cd6..5bc329afe8559 100644 --- a/plugins/transport-grpc/src/main/java/org/opensearch/plugin/transport/grpc/ssl/SecureNetty4GrpcServerTransport.java +++ b/plugins/transport-grpc/src/main/java/org/opensearch/plugin/transport/grpc/ssl/SecureNetty4GrpcServerTransport.java 
@@ -114,7 +114,8 @@ private JdkSslContext getSslContext(Settings settings, SecureAuxTransportSetting throw new SSLException("Failed to build default SSLContext for " + SecureNetty4GrpcServerTransport.class.getName(), e); } } - SecureAuxTransportSettingsProvider.SecureAuxTransportParameters params = provider.parameters(this).orElseGet(DefaultParameters::new); + SecureAuxTransportSettingsProvider.SecureAuxTransportParameters params = provider.parameters(this) + .orElseGet(DefaultParameters::new); ClientAuth clientAuth = ClientAuth.valueOf(params.clientAuth().orElseThrow().toUpperCase(Locale.ROOT)); return new JdkSslContext( sslContext.get(), From 5d2815389717630cceb3d03a8d7a95ea2ca4bc4d Mon Sep 17 00:00:00 2001 From: Finn Carroll Date: Thu, 26 Jun 2025 15:06:09 -0700 Subject: [PATCH 4/7] Pass aux transport key as unique identifier instead of transport ref. Signed-off-by: Finn Carroll --- .../grpc/ssl/SecureNetty4GrpcServerTransport.java | 4 ++-- .../transport/grpc/ssl/SecureSettingsHelpers.java | 5 ++--- .../SecureAuxTransportSettingsProvider.java | 14 +++++++++----- 3 files changed, 13 insertions(+), 10 deletions(-) diff --git a/plugins/transport-grpc/src/main/java/org/opensearch/plugin/transport/grpc/ssl/SecureNetty4GrpcServerTransport.java b/plugins/transport-grpc/src/main/java/org/opensearch/plugin/transport/grpc/ssl/SecureNetty4GrpcServerTransport.java index 5bc329afe8559..3facd6305f176 100644 --- a/plugins/transport-grpc/src/main/java/org/opensearch/plugin/transport/grpc/ssl/SecureNetty4GrpcServerTransport.java +++ b/plugins/transport-grpc/src/main/java/org/opensearch/plugin/transport/grpc/ssl/SecureNetty4GrpcServerTransport.java 
@@ -106,7 +106,7 @@ public String settingKey() { * @param provider for SSLContext and SecureAuxTransportParameters (ClientAuth and enabled ciphers). */ private JdkSslContext getSslContext(Settings settings, SecureAuxTransportSettingsProvider provider) throws SSLException { - Optional sslContext = provider.buildSecureAuxServerTransportContext(settings, this); + Optional sslContext = provider.buildSecureAuxServerTransportContext(settings, this.settingKey()); if (sslContext.isEmpty()) { try { sslContext = Optional.of(SSLContext.getDefault()); @@ -114,7 +114,7 @@ private JdkSslContext getSslContext(Settings settings, SecureAuxTransportSetting throw new SSLException("Failed to build default SSLContext for " + SecureNetty4GrpcServerTransport.class.getName(), e); } } - SecureAuxTransportSettingsProvider.SecureAuxTransportParameters params = provider.parameters(this) + SecureAuxTransportSettingsProvider.SecureAuxTransportParameters params = provider.parameters(settings, this.settingKey()) .orElseGet(DefaultParameters::new); ClientAuth clientAuth = ClientAuth.valueOf(params.clientAuth().orElseThrow().toUpperCase(Locale.ROOT)); return new JdkSslContext( diff --git a/plugins/transport-grpc/src/test/java/org/opensearch/plugin/transport/grpc/ssl/SecureSettingsHelpers.java b/plugins/transport-grpc/src/test/java/org/opensearch/plugin/transport/grpc/ssl/SecureSettingsHelpers.java index a90da46edc43c..53628401508a6 100644 --- a/plugins/transport-grpc/src/test/java/org/opensearch/plugin/transport/grpc/ssl/SecureSettingsHelpers.java +++ b/plugins/transport-grpc/src/test/java/org/opensearch/plugin/transport/grpc/ssl/SecureSettingsHelpers.java @@ -10,7 +10,6 @@ import org.opensearch.common.settings.Settings; import org.opensearch.plugins.SecureAuxTransportSettingsProvider; -import org.opensearch.transport.AuxTransport; import javax.net.ssl.KeyManagerFactory; import javax.net.ssl.SSLContext; 
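Review bot: In the `@@ -106,7 +106,7` hunk the provider is now asked by the string from `this.settingKey()`, and the unchanged lines below treat an empty result as a request for `SSLContext.getDefault()`. A provider that does not recognise the key therefore leaves the transport on the JVM default context instead of the one the security provider manages, with no diagnostic. If that fallback is not intended when a provider is installed, fail closed and name the key in the `isEmpty()` branch, e.g. `throw new SSLException("No SSLContext for aux transport [" + settingKey() + "]");`; otherwise log the fallback together with the key. The `@@ -114,7 +114,7` hunk on the same file has the same shape with `DefaultParameters`. getSslContext begins in this hunk and ends outside it.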
@@ -110,7 +109,7 @@ static SecureAuxTransportSettingsProvider getSecureSettingsProvider( ) { return new SecureAuxTransportSettingsProvider() { @Override - public Optional buildSecureAuxServerTransportContext(Settings settings, AuxTransport transport) + public Optional buildSecureAuxServerTransportContext(Settings settings, String auxEnableSettingKey) throws SSLException { // Choose a random protocol from among supported test defaults String protocol = randomFrom(DEFAULT_SSL_PROTOCOLS); @@ -126,7 +125,7 @@ public Optional buildSecureAuxServerTransportContext(Settings settin } @Override - public Optional parameters(AuxTransport transport) { + public Optional parameters(Settings settings, String auxEnableSettingKey) { return Optional.of(new SecureAuxTransportParameters() { @Override public Optional clientAuth() { diff --git a/server/src/main/java/org/opensearch/plugins/SecureAuxTransportSettingsProvider.java b/server/src/main/java/org/opensearch/plugins/SecureAuxTransportSettingsProvider.java index 389c09319559a..1d8d1112f26f0 100644 --- a/server/src/main/java/org/opensearch/plugins/SecureAuxTransportSettingsProvider.java +++ b/server/src/main/java/org/opensearch/plugins/SecureAuxTransportSettingsProvider.java @@ -10,7 +10,6 @@ import org.opensearch.common.annotation.ExperimentalApi; import org.opensearch.common.settings.Settings; -import org.opensearch.transport.AuxTransport; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLException; 
@@ -27,19 +26,24 @@ public interface SecureAuxTransportSettingsProvider { /** * Fetch an SSLContext as managed by pluggable security provider. * @param settings for providing additional configuration options when building the ssl context. - * @param transport the auxiliary transport for which an SSLContext is built. + * @param auxTransportSettingKey key for enabling this transport with AUX_TRANSPORT_TYPES_SETTING. * @return an instance of SSLContext. */ - default Optional buildSecureAuxServerTransportContext(Settings settings, AuxTransport transport) throws SSLException { + default Optional buildSecureAuxServerTransportContext(Settings settings, String auxTransportSettingKey) + throws SSLException { return Optional.empty(); } /** * Additional params required for configuring ALPN. - * @param transport the auxiliary transport to be provided SecureAuxTransportParameters. + * @param settings for providing additional configuration options when building secure params. + * @param auxTransportSettingKey key for enabling this transport with AUX_TRANSPORT_TYPES_SETTING. * @return an instance of {@link SecureAuxTransportSettingsProvider.SecureAuxTransportParameters} */ - default Optional parameters(AuxTransport transport) { + default Optional parameters( + Settings settings, + String auxTransportSettingKey + ) throws SSLException { return Optional.empty(); } From 8d22f0a7c67ffa9951f9619863d46800fe9003b1 Mon Sep 17 00:00:00 2001 From: Finn Carroll Date: Fri, 27 Jun 2025 11:09:06 -0700 Subject: [PATCH 5/7] Consistent naming. auxTransportSettingKey -> auxTransportType. Signed-off-by: Finn Carroll --- .../plugin/transport/grpc/ssl/SecureSettingsHelpers.java | 4 ++-- .../plugins/SecureAuxTransportSettingsProvider.java | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) 
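Review bot: The Javadoc in the `@@ -27,19 +26,24` hunk does not say what an empty `Optional` means to the caller, and `parameters` gains `throws SSLException` without a matching `@throws` tag. I would add `@throws SSLException if the provider cannot supply a configuration for this transport type` to both methods, plus a sentence such as `Returning an empty Optional makes the calling transport fall back to its own defaults.` The summary "Additional params required for configuring ALPN" also looks narrower than the actual use, since the gRPC caller reads `clientAuth()` from the result. The SecureAuxTransportParameters declaration is outside this hunk, so confirm its members before rewording the summary.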
diff --git a/plugins/transport-grpc/src/test/java/org/opensearch/plugin/transport/grpc/ssl/SecureSettingsHelpers.java b/plugins/transport-grpc/src/test/java/org/opensearch/plugin/transport/grpc/ssl/SecureSettingsHelpers.java index 53628401508a6..5cc65ee615a2a 100644 --- a/plugins/transport-grpc/src/test/java/org/opensearch/plugin/transport/grpc/ssl/SecureSettingsHelpers.java +++ b/plugins/transport-grpc/src/test/java/org/opensearch/plugin/transport/grpc/ssl/SecureSettingsHelpers.java @@ -109,7 +109,7 @@ static SecureAuxTransportSettingsProvider getSecureSettingsProvider( ) { return new SecureAuxTransportSettingsProvider() { @Override - public Optional buildSecureAuxServerTransportContext(Settings settings, String auxEnableSettingKey) + public Optional buildSecureAuxServerTransportContext(Settings settings, String auxTransportType) throws SSLException { // Choose a random protocol from among supported test defaults String protocol = randomFrom(DEFAULT_SSL_PROTOCOLS); @@ -125,7 +125,7 @@ public Optional buildSecureAuxServerTransportContext(Settings settin } @Override - public Optional parameters(Settings settings, String auxEnableSettingKey) { + public Optional parameters(Settings settings, String auxTransportType) { return Optional.of(new SecureAuxTransportParameters() { @Override public Optional clientAuth() { diff --git a/server/src/main/java/org/opensearch/plugins/SecureAuxTransportSettingsProvider.java b/server/src/main/java/org/opensearch/plugins/SecureAuxTransportSettingsProvider.java index 1d8d1112f26f0..fbf8754741724 100644 --- a/server/src/main/java/org/opensearch/plugins/SecureAuxTransportSettingsProvider.java +++ b/server/src/main/java/org/opensearch/plugins/SecureAuxTransportSettingsProvider.java 
@@ -26,10 +26,10 @@ public interface SecureAuxTransportSettingsProvider { /** * Fetch an SSLContext as managed by pluggable security provider. * @param settings for providing additional configuration options when building the ssl context. - * @param auxTransportSettingKey key for enabling this transport with AUX_TRANSPORT_TYPES_SETTING. + * @param auxTransportType key for enabling this transport with AUX_TRANSPORT_TYPES_SETTING. * @return an instance of SSLContext. */ - default Optional buildSecureAuxServerTransportContext(Settings settings, String auxTransportSettingKey) + default Optional buildSecureAuxServerTransportContext(Settings settings, String auxTransportType) throws SSLException { return Optional.empty(); } @@ -37,12 +37,12 @@ default Optional buildSecureAuxServerTransportContext(Settings setti /** * Additional params required for configuring ALPN. * @param settings for providing additional configuration options when building secure params. - * @param auxTransportSettingKey key for enabling this transport with AUX_TRANSPORT_TYPES_SETTING. + * @param auxTransportType key for enabling this transport with AUX_TRANSPORT_TYPES_SETTING. * @return an instance of {@link SecureAuxTransportSettingsProvider.SecureAuxTransportParameters} */ default Optional parameters( Settings settings, - String auxTransportSettingKey + String auxTransportType ) throws SSLException { return Optional.empty(); } From 4af57d28c0b0e0dd245c1b2719105ed2d8504538 Mon Sep 17 00:00:00 2001 From: Finn Carroll Date: Fri, 27 Jun 2025 11:12:03 -0700 Subject: [PATCH 6/7] Changelog. Signed-off-by: Finn Carroll --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 622b43caabf79..e3d13e6b09733 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -17,6 +17,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), ### Changed - Update Subject interface to use CheckedRunnable ([#18570](https://github.com/opensearch-project/OpenSearch/issues/18570)) +- Update SecureAuxTransportSettingsProvider to distinguish between aux transport types ([#18616](https://github.com/opensearch-project/OpenSearch/pull/18616)) ### Dependencies - Bump `stefanzweifel/git-auto-commit-action` from 5 to 6 ([#18524](https://github.com/opensearch-project/OpenSearch/pull/18524)) From 0b0fde7ebe93c8079f6a40d7bde7a5977dbdab23 Mon Sep 17 00:00:00 2001 From: Finn Carroll Date: Fri, 27 Jun 2025 11:18:32 -0700 Subject: [PATCH 7/7] Spotless apply Signed-off-by: Finn Carroll --- .../plugins/SecureAuxTransportSettingsProvider.java | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/server/src/main/java/org/opensearch/plugins/SecureAuxTransportSettingsProvider.java b/server/src/main/java/org/opensearch/plugins/SecureAuxTransportSettingsProvider.java index fbf8754741724..826d5ca641b22 100644 --- a/server/src/main/java/org/opensearch/plugins/SecureAuxTransportSettingsProvider.java +++ b/server/src/main/java/org/opensearch/plugins/SecureAuxTransportSettingsProvider.java @@ -29,8 +29,7 @@ public interface SecureAuxTransportSettingsProvider { * @param auxTransportType key for enabling this transport with AUX_TRANSPORT_TYPES_SETTING. * @return an instance of SSLContext. */ - default Optional buildSecureAuxServerTransportContext(Settings settings, String auxTransportType) - throws SSLException { + default Optional buildSecureAuxServerTransportContext(Settings settings, String auxTransportType) throws SSLException { return Optional.empty(); } 
@@ -40,10 +39,8 @@ default Optional buildSecureAuxServerTransportContext(Settings setti * @param auxTransportType key for enabling this transport with AUX_TRANSPORT_TYPES_SETTING. * @return an instance of {@link SecureAuxTransportSettingsProvider.SecureAuxTransportParameters} */ - default Optional parameters( - Settings settings, - String auxTransportType - ) throws SSLException { + default Optional parameters(Settings settings, String auxTransportType) + throws SSLException { return Optional.empty(); }