CertType to store user cert id.

CertType needs to discretely store the unique identifier for a set of certs
which the user will use in CertificatesInfo API. Previously inferred from
the setting prefix, but transport client and transport server are
problematic for this model and cannot be changed for bwc.

Signed-off-by: Finn Carroll <carrofin@amazon.com>

Author: finnegancarroll

src/integrationTest/java/org/opensearch/security/api/CertificatesRestApiIntegrationTest.java

@@ -16,7 +16,6 @@
 import java.util.List;
 import java.util.Map;
 import java.util.StringJoiner;
-import java.util.function.Consumer;
 import java.util.stream.Collectors;
 
 import com.carrotsearch.randomizedtesting.RandomizedContext;
@@ -151,7 +150,7 @@ private void assertSSLCertsInfo(
             Expect each node transport configured with root and issued cert.
             */
             for (CertType expectCert : expectedCertTypes) {
-                final JsonNode transportCertificates = certificates.get(expectCert.certID());
+                final JsonNode transportCertificates = certificates.get(expectCert.id());
                 assertThat(prettyStringBody, transportCertificates.isArray());
                 assertThat(prettyStringBody, transportCertificates.size(), is(2));
                 verifyCertsJson(n.nodeNumber(), transportCertificates.get(0));

src/main/java/org/opensearch/security/dlic/rest/api/ssl/CertificatesInfo.java

@@ -43,7 +43,7 @@ public void writeTo(StreamOutput out) throws IOException {
     public XContentBuilder toXContent(XContentBuilder builder, Params params) throws IOException {
         builder.startObject("certificates");
         for (Map.Entry<CertType, List<CertificateInfo>> entry : certificates.entrySet()) {
-            builder.field(entry.getKey().certID(), certificates.get(entry.getKey()));
+            builder.field(entry.getKey().id(), certificates.get(entry.getKey()));
         }
         return builder.endObject();
     }

src/main/java/org/opensearch/security/dlic/rest/api/ssl/TransportCertificatesInfoNodesAction.java

@@ -100,7 +100,7 @@ protected CertificatesNodesResponse.CertificatesNodeResponse nodeOperation(final
     protected CertificatesInfo loadCertificates(final Optional<String> loadCertType) {
         Map<CertType, List<CertificateInfo>> certInfos = new HashMap<>();
         for (CertType certType : CertType.CERT_TYPE_REGISTRY) {
-            if (loadCertType.isEmpty() || loadCertType.get().equalsIgnoreCase(certType.certID())) {
+            if (loadCertType.isEmpty() || loadCertType.get().equalsIgnoreCase(certType.id())) {
                 List<CertificateInfo> certs = sslSettingsManager.sslContextHandler(certType)
                     .map(SslContextHandler::certificates)
                     .map(this::certificatesDetails)

src/main/java/org/opensearch/security/ssl/SslSettingsManager.java

@@ -119,7 +119,7 @@ private Map<CertType, SslContextHandler> buildSslContexts(final Environment envi
             Optional.ofNullable(configurations.get(cert))
                 .ifPresentOrElse(
                     sslConfiguration -> contexts.put(cert, new SslContextHandler(sslConfiguration)),
-                    () -> LOGGER.warn("SSL Configuration for {} Layer hasn't been set", cert.certID())
+                    () -> LOGGER.warn("SSL Configuration for {} Layer hasn't been set", cert.id())
                 );
         });
         return contexts.build();
@@ -129,12 +129,12 @@ public synchronized void reloadSslContext(final CertType certType) {
         sslContextHandler(certType).ifPresentOrElse(sscContextHandler -> {
             try {
                 if (sscContextHandler.reloadSslContext()) {
-                    LOGGER.info("{} SSL context reloaded", certType.certID());
+                    LOGGER.info("{} SSL context reloaded", certType.id());
                 }
             } catch (CertificateException e) {
                 throw new OpenSearchException(e);
             }
-        }, () -> LOGGER.error("Missing SSL Context for {}", certType.certID()));
+        }, () -> LOGGER.error("Missing SSL Context for {}", certType.id()));
     }
 
     private Map<CertType, SslConfiguration> loadConfigurations(final Environment environment) {
@@ -164,8 +164,8 @@ private Map<CertType, SslConfiguration> loadConfigurations(final Environment env
                     auxCert,
                     new SslConfiguration(auxSslParameters, auxTrustAndKeyStore.v1(), auxTrustAndKeyStore.v2())
                 );
-                LOGGER.info("TLS {} Provider                    : {}", auxCert.certID(), auxSslParameters.provider());
-                LOGGER.info("Enabled TLS protocols for {} layer : {}", auxCert.certID(), auxSslParameters.allowedProtocols());
+                LOGGER.info("TLS {} Provider                    : {}", auxCert.id(), auxSslParameters.provider());
+                LOGGER.info("Enabled TLS protocols for {} layer : {}", auxCert.id(), auxSslParameters.allowedProtocols());
             }
         }
 
@@ -291,10 +291,10 @@ private void validateSettings(final CertType certType, final Settings settings,
         } else {
             throw new OpenSearchException(
                 "Wrong "
-                    + certType.certID()
+                    + certType.id()
                     + " SSL configuration. One of Keystore and Truststore files or X.509 PEM certificates and "
                     + "PKCS#8 keys groups should be set to configure "
-                    + certType.certID()
+                    + certType.id()
                     + " layer"
             );
         }
@@ -316,7 +316,7 @@ private void validatePemStoreSettings(CertType transportType, final Settings set
         if (!transportSettings.hasValue(PEM_CERT_FILEPATH) || !transportSettings.hasValue(PEM_KEY_FILEPATH)) {
             throw new OpenSearchException(
                 "Wrong "
-                    + transportType.certID().toLowerCase(Locale.ROOT)
+                    + transportType.id().toLowerCase(Locale.ROOT)
                     + " SSL configuration. "
                     + String.join(", ", transportSettings.get(PEM_CERT_FILEPATH), transportSettings.get(PEM_KEY_FILEPATH))
                     + " must be set"
@@ -325,7 +325,7 @@ private void validatePemStoreSettings(CertType transportType, final Settings set
         if (clientAuth == ClientAuth.REQUIRE && !transportSettings.hasValue(PEM_TRUSTED_CAS_FILEPATH)) {
             throw new OpenSearchException(
                 "Wrong "
-                    + transportType.certID().toLowerCase(Locale.ROOT)
+                    + transportType.id().toLowerCase(Locale.ROOT)
                     + " SSL configuration. "
                     + PEM_TRUSTED_CAS_FILEPATH
                     + " must be set if client auth is required"
@@ -349,7 +349,7 @@ private void validateKeyStoreSettings(CertType transportType, final Settings set
         if (!transportSettings.hasValue(KEYSTORE_FILEPATH)) {
             throw new OpenSearchException(
                 "Wrong "
-                    + transportType.certID().toLowerCase(Locale.ROOT)
+                    + transportType.id().toLowerCase(Locale.ROOT)
                     + " SSL configuration. "
                     + transportSettings.get(KEYSTORE_FILEPATH)
                     + " must be set"
@@ -358,7 +358,7 @@ private void validateKeyStoreSettings(CertType transportType, final Settings set
         if (clientAuth == ClientAuth.REQUIRE && !transportSettings.hasValue(TRUSTSTORE_FILEPATH)) {
             throw new OpenSearchException(
                 "Wrong "
-                    + transportType.certID().toLowerCase(Locale.ROOT)
+                    + transportType.id().toLowerCase(Locale.ROOT)
                     + " SSL configuration. "
                     + TRUSTSTORE_FILEPATH
                     + " must be set if client auth is required"

src/main/java/org/opensearch/security/ssl/config/CertType.java

@@ -30,29 +30,76 @@
 import static org.opensearch.security.ssl.util.SSLConfigConstants.SSL_TRANSPORT_SERVER_PREFIX;
 
 /**
- * CertTypes have a 1-to-1 relationship with ssl contexts and identify
- * the setting prefix under which configuration settings are located.
- * CertTypes are uniquely identified by a `certID` which is used as the key for registering CertTypes on a node
- * and fetching certificate info through a CertificatesInfoNodesRequest.
+ * CertTypes identify the setting prefix under which configuration settings for a set of certificates
+ * are located as well as the id which uniquely identifies a certificate type to the end user.
+ * CertTypes have a 1-to-1 relationship with ssl contexts and are registered in the global
+ * CERT_TYPE_REGISTRY but default for mandatory transports, or dynamically for pluggable auxiliary transports.
  */
 public class CertType implements Writeable {
-    private final String sslConfigSettingPrefix;
+    private final String certSettingPrefix;
+    private final String certID;
+
+    /**
+     * In most cases the certID is the last element of the setting prefix.
+     * We expect this to be the case for all auxiliary transports.
+     * Exceptions where this pattern does not hold include:
+     * "plugins.security.ssl.transport.server."
+     * "plugins.security.ssl.transport.client."
+     * Where users identify these certificates respectively as:
+     * "transport_server" & "transport_client"
+     */
+    public CertType(String certSettingPrefix) {
+        this.certSettingPrefix = certSettingPrefix;
+        String[] parts = certSettingPrefix.split("\\.");
+        this.certID = parts[parts.length - 1].toLowerCase(Locale.ROOT);
+    }
 
-    public static CertType HTTP = new CertType(SSL_HTTP_PREFIX);
-    public static CertType TRANSPORT = new CertType(SSL_TRANSPORT_PREFIX);
-    public static CertType TRANSPORT_CLIENT = new CertType(SSL_TRANSPORT_CLIENT_PREFIX) {
-        @Override
-        public String certID() {
-            return "transport_client";
-        }
-    };
-    public static CertType TRANSPORT_SERVER = new CertType(SSL_TRANSPORT_SERVER_PREFIX) {
-        @Override
-        public String certID() {
-            return "transport_server";
-        }
-    };
+    public CertType(String certSettingPrefix, String certID) {
+        this.certSettingPrefix = certSettingPrefix;
+        this.certID = certID;
+    }
+
+    public CertType(final StreamInput in) throws IOException {
+        this.certSettingPrefix = in.readString();
+        this.certID = in.readString();
+    }
+
+    @Override
+    public void writeTo(StreamOutput out) throws IOException {
+        out.writeString(this.certSettingPrefix);
+        out.writeString(this.certID);
+    }
+
+    public String sslSettingPrefix() {
+        return certSettingPrefix;
+    }
+
+    public String id() {
+        return this.certID;
+    }
+
+    @Override
+    public String toString() {
+        return this.id();
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) return true;
+        if (o == null || getClass() != o.getClass()) return false;
+        CertType certType = (CertType) o;
+        return this.id().equals(certType.id());
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(this.id());
+    }
 
+    /*
+    Write only set for tracking certificate types discovered and registered on a node.
+    Not all ssl context configurations are known at compile time, so we track newly discovered CertTypes here.
+    */
     public static class NodeCertTypeRegistry implements Iterable<CertType> {
         private final Set<CertType> RegisteredCertType = new HashSet<>();
 
@@ -75,7 +122,7 @@ public boolean contains(CertType certType) {
 
         public boolean contains(String certID) {
             for (CertType certType : RegisteredCertType) {
-                if (Objects.equals(certType.certID(), certID)) {
+                if (Objects.equals(certType.id(), certID)) {
                     return true;
                 }
             }
@@ -90,54 +137,16 @@ public Iterator<CertType> iterator() {
     }
 
     /*
-    Write only map for tracking certificates type discovered and registered on a node.
-    Not all ssl context configurations are known at compile time, so we track newly discovered CertTypes here.
+    Mandatory transports.
     */
+    public static CertType HTTP = new CertType(SSL_HTTP_PREFIX);
+    public static CertType TRANSPORT = new CertType(SSL_TRANSPORT_PREFIX);
+    public static CertType TRANSPORT_CLIENT = new CertType(SSL_TRANSPORT_CLIENT_PREFIX, "transport_client");
+    public static CertType TRANSPORT_SERVER = new CertType(SSL_TRANSPORT_SERVER_PREFIX, "transport_server");
     public static final NodeCertTypeRegistry CERT_TYPE_REGISTRY = new NodeCertTypeRegistry(
-        HTTP,
-        TRANSPORT,
-        TRANSPORT_CLIENT,
-        TRANSPORT_SERVER
+            HTTP,
+            TRANSPORT,
+            TRANSPORT_CLIENT,
+            TRANSPORT_SERVER
     );
-
-    public CertType(String sslConfigSettingPrefix) {
-        this.sslConfigSettingPrefix = sslConfigSettingPrefix;
-    }
-
-    public CertType(final StreamInput in) throws IOException {
-        this.sslConfigSettingPrefix = in.readString();
-    }
-
-    @Override
-    public void writeTo(StreamOutput out) throws IOException {
-        out.writeString(sslConfigSettingPrefix);
-    }
-
-    public String sslSettingPrefix() {
-        return sslConfigSettingPrefix;
-    }
-
-    public String certID() {
-        String[] parts = sslConfigSettingPrefix.split("\\.");
-        String id = parts[parts.length - 1];
-        return id.toLowerCase(Locale.ROOT);
-    }
-
-    @Override
-    public String toString() {
-        return this.certID();
-    }
-
-    @Override
-    public boolean equals(Object o) {
-        if (this == o) return true;
-        if (o == null || getClass() != o.getClass()) return false;
-        CertType certType = (CertType) o;
-        return this.certID().equals(certType.certID());
-    }
-
-    @Override
-    public int hashCode() {
-        return Objects.hash(this.certID());
-    }
 }

src/main/java/org/opensearch/security/ssl/config/SslParameters.java

@@ -166,10 +166,10 @@ public SslParameters load() {
                 validateCertDNsOnReload(sslConfigSettings)
             );
             if (sslParameters.allowedProtocols().isEmpty()) {
-                throw new OpenSearchSecurityException("No ssl protocols for " + certType.certID() + " layer");
+                throw new OpenSearchSecurityException("No ssl protocols for " + certType.id() + " layer");
             }
             if (sslParameters.allowedCiphers().isEmpty()) {
-                throw new OpenSearchSecurityException("No valid cipher suites for " + certType.certID() + " layer");
+                throw new OpenSearchSecurityException("No valid cipher suites for " + certType.id() + " layer");
             }
             return sslParameters;
         }

src/main/java/org/opensearch/security/ssl/util/SSLConfigConstants.java

@@ -162,11 +162,11 @@ public final class SSLConfigConstants {
 
     // helper to resolve setting key for CertType namespace
     public static String getStringAffixKeyForCertType(Setting.AffixSetting<String> affix, CertType certType) {
-        return affix.getConcreteSettingForNamespace(certType.certID()).getKey();
+        return affix.getConcreteSettingForNamespace(certType.id()).getKey();
     }
 
     public static String getBoolAffixKeyForCertType(Setting.AffixSetting<Boolean> affix, CertType certType) {
-        return affix.getConcreteSettingForNamespace(certType.certID()).getKey();
+        return affix.getConcreteSettingForNamespace(certType.id()).getKey();
     }
 
     /**

src/test/java/org/opensearch/security/ssl/SslSettingsManagerReloadListenerTest.java

@@ -107,7 +107,7 @@ public void testReloadsSslContextOnPemStoreFilesChangedForHttp() throws Exceptio
     public void testReloadsSslContextOnPemStoreFilesChangedForAux() throws Exception {
         Settings.Builder settings = defaultSettingsBuilder().putList(
             AUX_TRANSPORT_TYPES_SETTING.getKey(),
-            List.of(MOCK_AUX_CERT_TYPE_FOO.certID())
+            List.of(MOCK_AUX_CERT_TYPE_FOO.id())
         ).put(MOCK_AUX_CERT_TYPE_FOO.sslSettingPrefix() + ENABLED, true);
         reloadSslContextOnPemFilesChangedForTransportType(MOCK_AUX_CERT_TYPE_FOO, settings);
     }
@@ -126,7 +126,7 @@ public void testReloadsSslContextOnJdkStoreFilesChangedForHttp() throws Exceptio
     public void testReloadsSslContextOnJdkStoreFilesChangedForAux() throws Exception {
         Settings.Builder settings = defaultSettingsBuilder().putList(
             AUX_TRANSPORT_TYPES_SETTING.getKey(),
-            List.of(MOCK_AUX_CERT_TYPE_FOO.certID())
+            List.of(MOCK_AUX_CERT_TYPE_FOO.id())
         ).put(MOCK_AUX_CERT_TYPE_FOO.sslSettingPrefix() + ENABLED, true);
         reloadSslContextOnJdkStoreFilesChangedForTransportType(MOCK_AUX_CERT_TYPE_FOO, settings);
     }
@@ -143,7 +143,7 @@ private void reloadSslContextOnJdkStoreFilesChangedForTransportType(CertType cer
         final String trustStoreTypeSetting = settingPrefix + TRUSTSTORE_TYPE;
         final String keyStorePathSetting = settingPrefix + KEYSTORE_FILEPATH;
         final String keyStoreTypeSetting = settingPrefix + KEYSTORE_TYPE;
-        final String certTypeFilePrefix = certType.certID().toLowerCase(Locale.ROOT);
+        final String certTypeFilePrefix = certType.id().toLowerCase(Locale.ROOT);
         final var keyStorePassword = randomAsciiAlphanumOfLength(10);
         final var secureSettings = new MockSecureSettings();
         secureSettings.setString(settingPrefix + "truststore_password_secure", keyStorePassword);
@@ -186,7 +186,7 @@ private void reloadSslContextOnPemFilesChangedForTransportType(CertType certType
         final String pemTrustCasPathSetting = settingPrefix + PEM_TRUSTED_CAS_FILEPATH;
         final String pemCertPathSetting = settingPrefix + PEM_CERT_FILEPATH;
         final String pemKeyPathSetting = settingPrefix + PEM_KEY_FILEPATH;
-        final String certTypeFilePrefix = certType.certID().toLowerCase(Locale.ROOT);
+        final String certTypeFilePrefix = certType.id().toLowerCase(Locale.ROOT);
         MockSecureSettings secureSettings = new MockSecureSettings();
         secureSettings.setString(settingPrefix + "pemkey_password_secure", certificatesRule.privateKeyPassword());
         reloadSslContextOnFilesChanged(
@@ -214,7 +214,7 @@ private void reloadSslContextOnPemFilesChangedForTransportType(CertType certType
 
     private void reloadSslContextOnFilesChanged(CertType certType, final Settings settings, final CertificatesWriter certificatesWriter)
         throws Exception {
-        final String certNamePrefix = certType.certID().toLowerCase(Locale.ROOT);
+        final String certNamePrefix = certType.id().toLowerCase(Locale.ROOT);
         final var defaultCertificates = generateCertificates();
         var defaultKeyPair = defaultCertificates.v1();
         var caCertificate = defaultCertificates.v2().v1();