fixup! Reduce scope

Author: jfreden

x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/transport/CrossClusterApiKeySignerIntegTests.java

@@ -30,7 +30,7 @@ public void testSignWithPemKeyConfig() {
         );
         final String[] testHeaders = randomArray(5, String[]::new, () -> randomAlphanumericOfLength(randomInt(20)));
 
-        X509CertificateSignature signature = signer.signHeadersForCluster(STATIC_TEST_CLUSTER_ALIAS, testHeaders);
+        X509CertificateSignature signature = signer.sign(STATIC_TEST_CLUSTER_ALIAS, testHeaders);
         signature.certificate().getPublicKey();
 
         var keyConfig = new PemKeyConfig(
@@ -51,7 +51,7 @@ public void testSignUnknownClusterAlias() {
         );
         final String[] testHeaders = randomArray(5, String[]::new, () -> randomAlphanumericOfLength(randomInt(20)));
 
-        X509CertificateSignature signature = signer.signHeadersForCluster("unknowncluster", testHeaders);
+        X509CertificateSignature signature = signer.sign("unknowncluster", testHeaders);
         assertNull(signature);
     }
 
@@ -72,7 +72,7 @@ public void testSeveralKeyStoreAliases() {
             );
 
             {
-                X509CertificateSignature signature = signer.signHeadersForCluster(DYNAMIC_TEST_CLUSTER_ALIAS, "test", "test");
+                X509CertificateSignature signature = signer.sign(DYNAMIC_TEST_CLUSTER_ALIAS, "test", "test");
                 assertNull(signature);
             }
 
@@ -82,7 +82,7 @@ public void testSeveralKeyStoreAliases() {
                     .put(SIGNING_KEYSTORE_ALIAS.getConcreteSettingForNamespace(DYNAMIC_TEST_CLUSTER_ALIAS).getKey(), "wholelottakey")
             );
             {
-                X509CertificateSignature signature = signer.signHeadersForCluster(DYNAMIC_TEST_CLUSTER_ALIAS, "test", "test");
+                X509CertificateSignature signature = signer.sign(DYNAMIC_TEST_CLUSTER_ALIAS, "test", "test");
                 assertNotNull(signature);
             }
 
@@ -92,7 +92,7 @@ public void testSeveralKeyStoreAliases() {
                     .put(SIGNING_KEYSTORE_ALIAS.getConcreteSettingForNamespace(DYNAMIC_TEST_CLUSTER_ALIAS).getKey(), "idonotexist")
             );
             {
-                X509CertificateSignature signature = signer.signHeadersForCluster(DYNAMIC_TEST_CLUSTER_ALIAS, "test", "test");
+                X509CertificateSignature signature = signer.sign(DYNAMIC_TEST_CLUSTER_ALIAS, "test", "test");
                 assertNull(signature);
             }
         } finally {

x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/transport/CrossClusterSigningConfigurationReloaderIntegTests.java

@@ -109,7 +109,7 @@ public void testDependentKeyConfigFilesUpdated() throws Exception {
                 Map.of(SIGNING_KEY_SECURE_PASSPHRASE.getConcreteSettingForNamespace(testClusterAlias).getKey(), "marshall".toCharArray())
             );
 
-            assertNull(signer.signHeadersForCluster(testClusterAlias, "a_header"));
+            assertNull(signer.sign(testClusterAlias, "a_header"));
             Path tempDir = createTempDir();
             Path signingCert = tempDir.resolve("signing.crt");
             Files.copy(getDataPath("/org/elasticsearch/xpack/security/signature/signing_rsa.crt"), signingCert);
@@ -129,14 +129,14 @@ public void testDependentKeyConfigFilesUpdated() throws Exception {
             );
 
             // Make sure a signature can be created
-            var signatureBefore = signer.signHeadersForCluster(testClusterAlias, "test", "test");
+            var signatureBefore = signer.sign(testClusterAlias, "test", "test");
             assertNotNull(signatureBefore);
 
             Files.move(updatedSigningCert, signingCert, StandardCopyOption.REPLACE_EXISTING);
             Files.move(updatedSigningKey, signingKey, StandardCopyOption.REPLACE_EXISTING);
 
             assertBusy(() -> {
-                var signatureAfter = signer.signHeadersForCluster(testClusterAlias, "test", "test");
+                var signatureAfter = signer.sign(testClusterAlias, "test", "test");
                 assertNotNull(signatureAfter);
                 assertNotEquals(signatureAfter, signatureBefore);
             });
@@ -157,7 +157,7 @@ public void testRemoveFileWithConfig() throws Exception {
                 internalCluster().getRandomNodeName()
             );
 
-            assertNull(signer.signHeadersForCluster("test_cluster", "a_header"));
+            assertNull(signer.sign("test_cluster", "a_header"));
             Path tempDir = createTempDir();
             Path signingCert = tempDir.resolve("signing.crt");
             Files.copy(getDataPath("/org/elasticsearch/xpack/security/signature/signing_rsa.crt"), signingCert);
@@ -172,14 +172,14 @@ public void testRemoveFileWithConfig() throws Exception {
             );
 
             // Make sure a signature can be created
-            var signatureBefore = signer.signHeadersForCluster("test_cluster", "test", "test");
+            var signatureBefore = signer.sign("test_cluster", "test", "test");
             assertNotNull(signatureBefore);
 
             // This should just fail the update, not remove any actual configs
             Files.delete(signingCert);
             Files.delete(signingKey);
 
-            var signatureAfter = signer.signHeadersForCluster("test_cluster", "test", "test");
+            var signatureAfter = signer.sign("test_cluster", "test", "test");
             assertNotNull(signatureAfter);
             assertEquals(signatureAfter, signatureBefore);
         } finally {
@@ -206,15 +206,15 @@ private void addAndRemoveClusterConfigsRuntime(
         try {
             for (var clusterAlias : clusterAliases) {
                 // Try to create a signature for a remote cluster that doesn't exist
-                assertNull(signer.signHeadersForCluster(clusterAlias, testHeaders));
+                assertNull(signer.sign(clusterAlias, testHeaders));
                 clusterCreator.accept(clusterAlias);
                 // Make sure a signature can be created
-                assertNotNull(signer.signHeadersForCluster(clusterAlias, testHeaders));
+                assertNotNull(signer.sign(clusterAlias, testHeaders));
             }
             for (var clusterAlias : clusterAliases) {
                 clusterRemover.accept(clusterAlias);
                 // Make sure no signature was created
-                assertBusy(() -> assertNull(signer.signHeadersForCluster(clusterAlias, testHeaders)));
+                assertBusy(() -> assertNull(signer.sign(clusterAlias, testHeaders)));
             }
         } finally {
             var builder = Settings.builder();
@@ -223,7 +223,9 @@ private void addAndRemoveClusterConfigsRuntime(
                     builder.putNull(setting.getConcreteSettingForNamespace(clusterAlias).getKey());
                 });
             }
-            updateClusterSettings(builder.setSecureSettings(new MockSecureSettings()));
+            if (clusterAliases.isEmpty() == false) {
+                updateClusterSettings(builder.setSecureSettings(new MockSecureSettings()));
+            }
         }
     }
 

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/CrossClusterAccessHeaders.java

@@ -8,44 +8,27 @@
 package org.elasticsearch.xpack.security.authc;
 
 import org.elasticsearch.common.util.concurrent.ThreadContext;
-import org.elasticsearch.core.Nullable;
 import org.elasticsearch.xpack.core.security.action.apikey.ApiKey;
 import org.elasticsearch.xpack.core.security.authc.CrossClusterAccessSubjectInfo;
-import org.elasticsearch.xpack.security.transport.X509CertificateSignature;
 
 import java.io.IOException;
 import java.util.Objects;
 
 public final class CrossClusterAccessHeaders {
 
     public static final String CROSS_CLUSTER_ACCESS_CREDENTIALS_HEADER_KEY = "_cross_cluster_access_credentials";
-    public static final String CROSS_CLUSTER_ACCESS_SIGNATURE_HEADER_KEY = "_cross_cluster_access_signature";
-
     private final String credentialsHeader;
     private final CrossClusterAccessSubjectInfo crossClusterAccessSubjectInfo;
-    private final X509CertificateSignature signature;
 
     public CrossClusterAccessHeaders(String credentialsHeader, CrossClusterAccessSubjectInfo crossClusterAccessSubjectInfo) {
-        this(credentialsHeader, crossClusterAccessSubjectInfo, null);
-    }
-
-    public CrossClusterAccessHeaders(
-        String credentialsHeader,
-        CrossClusterAccessSubjectInfo crossClusterAccessSubjectInfo,
-        @Nullable X509CertificateSignature signature
-    ) {
         assert credentialsHeader.startsWith("ApiKey ") : "credentials header must start with [ApiKey ]";
         this.credentialsHeader = credentialsHeader;
         this.crossClusterAccessSubjectInfo = crossClusterAccessSubjectInfo;
-        this.signature = signature;
     }
 
     public void writeToContext(final ThreadContext ctx) throws IOException {
         ctx.putHeader(CROSS_CLUSTER_ACCESS_CREDENTIALS_HEADER_KEY, credentialsHeader);
         crossClusterAccessSubjectInfo.writeToContext(ctx);
-        if (signature != null) {
-            ctx.putHeader(CROSS_CLUSTER_ACCESS_SIGNATURE_HEADER_KEY, signature.encodeToString());
-        }
     }
 
     public static CrossClusterAccessHeaders readFromContext(final ThreadContext ctx) throws IOException {
@@ -58,7 +41,7 @@ public static CrossClusterAccessHeaders readFromContext(final ThreadContext ctx)
         // Invoke parsing logic to validate that the header decodes to a valid API key credential
         // Call `close` since the returned value is an auto-closable
         parseCredentialsHeader(credentialsHeader).close();
-        return new CrossClusterAccessHeaders(credentialsHeader, CrossClusterAccessSubjectInfo.readFromContext(ctx), null);
+        return new CrossClusterAccessHeaders(credentialsHeader, CrossClusterAccessSubjectInfo.readFromContext(ctx));
     }
 
     public ApiKeyService.ApiKeyCredentials credentials() {

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/CrossClusterApiKeySigner.java

@@ -63,7 +63,7 @@ public Map<Path, Set<String>> getDependentFilesToClusterAliases() {
 
     public void loadSigningConfig(String clusterAlias, @Nullable Settings settings, boolean updateSecureSettings) {
         signingConfigByClusterAlias.compute(clusterAlias, (key, currentSigningConfig) -> {
-            var effectiveSettings = buildEffectiveSettingsForSigningConfig(
+            var effectiveSettings = buildEffectiveSettings(
                 currentSigningConfig != null ? currentSigningConfig.settings : null,
                 settings,
                 updateSecureSettings
@@ -95,7 +95,7 @@ public void loadSigningConfig(String clusterAlias, @Nullable Settings settings,
         });
     }
 
-    public X509CertificateSignature signHeadersForCluster(String clusterAlias, String... headers) {
+    public X509CertificateSignature sign(String clusterAlias, String... headers) {
         SigningConfig signingConfig = signingConfigByClusterAlias.get(clusterAlias);
         if (signingConfig == null || signingConfig.keyPair() == null) {
             return null;
@@ -121,12 +121,13 @@ private void loadSigningConfigs() {
     }
 
     /**
-     * Build the actual remote cluster settings to use
+     * Build the effective remote cluster settings by merging the currently configured (if any) and new/updated settings
+     * <p>
      * - If newSettings is null - use existing settings, used to refresh the dependent files
      * - If updateSecureSettings is true - merge secure settings from newSettings with current settings, used by secure settings refresh
      * - If updateSecureSettings is false - merge new settings with existing secure settings, used for regular settings update
      */
-    private Settings buildEffectiveSettingsForSigningConfig(
+    private Settings buildEffectiveSettings(
         @Nullable Settings currentSettings,
         @Nullable Settings newSettings,
         boolean updateSecureSettings
@@ -148,7 +149,7 @@ private Settings buildEffectiveSettingsForSigningConfig(
         return Settings.builder().put(settingsSource, false).setSecureSettings(secureSettings).build();
     }
 
-    void reloadFilesForClusters(Set<String> clusterAliases) {
+    void reloadSigningConfigs(Set<String> clusterAliases) {
         clusterAliases.forEach(alias -> loadSigningConfig(alias, null, true));
     }
 

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/CrossClusterApiKeySignerReloader.java

@@ -51,14 +51,14 @@ public CrossClusterApiKeySignerReloader(
             logger.info("Updating cross cluster signing configuration for key [{}] with settings [{}]", key, val);
             apiKeySigner.loadSigningConfig(key, val.getByPrefix(RemoteClusterSettings.REMOTE_CLUSTER_SETTINGS_PREFIX + key + "."), false);
             watchDependentFilesForClusterAliases(
-                apiKeySigner::reloadFilesForClusters,
+                apiKeySigner::reloadSigningConfigs,
                 resourceWatcherService,
                 apiKeySigner.getDependentFilesToClusterAliases()
             );
         });
 
         watchDependentFilesForClusterAliases(
-            apiKeySigner::reloadFilesForClusters,
+            apiKeySigner::reloadSigningConfigs,
             resourceWatcherService,
             apiKeySigner.getDependentFilesToClusterAliases()
         );

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/SecurityServerTransportInterceptor.java

@@ -8,7 +8,6 @@
 
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
-import org.elasticsearch.ElasticsearchSecurityException;
 import org.elasticsearch.TransportVersion;
 import org.elasticsearch.action.ActionListener;
 import org.elasticsearch.action.admin.cluster.state.ClusterStateAction;
@@ -60,7 +59,6 @@
 import org.elasticsearch.xpack.security.authz.AuthorizationUtils;
 import org.elasticsearch.xpack.security.authz.PreAuthorizationUtils;
 
-import java.io.IOException;
 import java.util.Collections;
 import java.util.Map;
 import java.util.Optional;
@@ -372,38 +370,21 @@ private <T extends TransportResponse> void sendWithCrossClusterAccessHeaders(
                             )
                         );
                     }
-                    CrossClusterAccessSubjectInfo subjectInfo = SystemUser.crossClusterAccessSubjectInfo(
-                        authentication.getEffectiveSubject().getTransportVersion(),
-                        authentication.getEffectiveSubject().getRealm().getNodeName()
+                    final var crossClusterAccessHeaders = new CrossClusterAccessHeaders(
+                        remoteClusterCredentials.credentials(),
+                        SystemUser.crossClusterAccessSubjectInfo(
+                            authentication.getEffectiveSubject().getTransportVersion(),
+                            authentication.getEffectiveSubject().getRealm().getNodeName()
+                        )
                     );
-                    try {
-                        final var crossClusterAccessHeaders = new CrossClusterAccessHeaders(
-                            remoteClusterCredentials.credentials(),
-                            subjectInfo,
-                            crossClusterApiKeySigner.signHeadersForCluster(
-                                remoteClusterAlias,
-                                remoteClusterCredentials.credentials(),
-                                subjectInfo.encode()
-                            )
-                        );
-                        // To be able to enforce index-level privileges under the new remote cluster security model,
-                        // we switch from old-style internal actions to their new equivalent indices actions so that
-                        // they will be checked for index privileges against the index specified in the requests
-                        final String effectiveAction = RCS_INTERNAL_ACTIONS_REPLACEMENTS.getOrDefault(action, action);
-                        if (false == effectiveAction.equals(action)) {
-                            logger.trace("switching internal action from [{}] to [{}]", action, effectiveAction);
-                        }
-                        sendWithCrossClusterAccessHeaders(
-                            crossClusterAccessHeaders,
-                            connection,
-                            effectiveAction,
-                            request,
-                            options,
-                            handler
-                        );
-                    } catch (IOException e) {
-                        throw new ElasticsearchSecurityException("Failed to sign cross cluster headers", e);
+                    // To be able to enforce index-level privileges under the new remote cluster security model,
+                    // we switch from old-style internal actions to their new equivalent indices actions so that
+                    // they will be checked for index privileges against the index specified in the requests
+                    final String effectiveAction = RCS_INTERNAL_ACTIONS_REPLACEMENTS.getOrDefault(action, action);
+                    if (false == effectiveAction.equals(action)) {
+                        logger.trace("switching internal action from [{}] to [{}]", action, effectiveAction);
                     }
+                    sendWithCrossClusterAccessHeaders(crossClusterAccessHeaders, connection, effectiveAction, request, options, handler);
                 } else {
                     assert false == action.startsWith("internal:") : "internal action must be sent with system user";
                     authzService.getRoleDescriptorsIntersectionForRemoteCluster(
@@ -427,18 +408,9 @@ private <T extends TransportResponse> void sendWithCrossClusterAccessHeaders(
                                     remoteClusterAlias
                                 );
                             }
-                            CrossClusterAccessSubjectInfo subjectInfo = new CrossClusterAccessSubjectInfo(
-                                authentication,
-                                roleDescriptorsIntersection
-                            );
                             final var crossClusterAccessHeaders = new CrossClusterAccessHeaders(
                                 remoteClusterCredentials.credentials(),
-                                subjectInfo,
-                                crossClusterApiKeySigner.signHeadersForCluster(
-                                    remoteClusterAlias,
-                                    remoteClusterCredentials.credentials(),
-                                    subjectInfo.encode()
-                                )
+                                new CrossClusterAccessSubjectInfo(authentication, roleDescriptorsIntersection)
                             );
                             sendWithCrossClusterAccessHeaders(crossClusterAccessHeaders, connection, action, request, options, handler);
                         }, // it's safe to not use a context restore handler here since `getRoleDescriptorsIntersectionForRemoteCluster`