fixup!

jfreden · jfreden · commit 3b4bd9fda284 · 2025-09-04T16:36:21.000+02:00
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/CrossClusterApiKeySigner.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/CrossClusterApiKeySigner.java
@@ -30,7 +30,6 @@
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
 import java.util.Collection;
-import java.util.List;
 import java.util.Map;
 import java.util.Objects;
 import java.util.Set;
@@ -57,7 +56,7 @@ public CrossClusterApiKeySigner(Environment environment) {
     public Map<Path, Set<String>> getDependentFilesToClusterAliases() {
         return signingConfigByClusterAlias.entrySet()
             .stream()
-            .filter(entry -> entry.getValue() != SigningConfig.EMPTY && entry.getValue().dependentFiles != null)
+            .filter(entry -> entry.getValue().dependentFiles != null)
             .flatMap(entry -> entry.getValue().dependentFiles.stream().map(path -> Map.entry(path, entry.getKey())))
             .collect(Collectors.groupingBy(Map.Entry::getKey, Collectors.mapping(Map.Entry::getValue, Collectors.toSet())));
     }
@@ -70,7 +69,7 @@ public void loadSigningConfig(String clusterAlias, @Nullable Settings settings,
                 updateSecureSettings
             );
 
-            SigningConfig signingConfig = SigningConfig.EMPTY;
+            SigningConfig signingConfig = new SigningConfig(null, null, effectiveSettings);
             if (effectiveSettings.getByPrefix(SETTINGS_PART_SIGNING).isEmpty() == false) {
                 try {
                     SslKeyConfig keyConfig = CertParsingUtils.createKeyConfig(
@@ -87,12 +86,9 @@ public void loadSigningConfig(String clusterAlias, @Nullable Settings settings,
                         if (keyPair != null) {
                             signingConfig = new SigningConfig(keyPair, keyConfig.getDependentFiles(), effectiveSettings);
                         }
-                    } else {
-                        signingConfig = new SigningConfig(null, null, effectiveSettings);
                     }
                 } catch (Exception e) {
-                    logger.error(String.format("Failed to load signing config for cluster [%s]", clusterAlias), e);
-                    signingConfig = new SigningConfig(null, null, effectiveSettings);
+                    logger.error(Strings.format("Failed to load signing config for cluster [%s]", clusterAlias), e);
                 }
             }
             return signingConfig;
@@ -101,7 +97,7 @@ public void loadSigningConfig(String clusterAlias, @Nullable Settings settings,
 
     public X509CertificateSignature signHeadersForCluster(String clusterAlias, String... headers) {
         SigningConfig signingConfig = signingConfigByClusterAlias.get(clusterAlias);
-        if (signingConfig == null || signingConfig == SigningConfig.EMPTY || signingConfig.keyPair() == null) {
+        if (signingConfig == null || signingConfig.keyPair() == null) {
             return null;
         }
         var keyPair = signingConfig.keyPair();
@@ -119,7 +115,7 @@ public X509CertificateSignature signHeadersForCluster(String clusterAlias, Strin
     }
 
     private void loadSigningConfigs() {
-        this.environment.settings().getGroups(RemoteClusterSettings.REMOTE_CLUSTER_SETTINGS_PREFIX).forEach((alias, settings) -> {
+        this.environment.settings().getGroups(RemoteClusterSettings.REMOTE_CLUSTER_SETTINGS_PREFIX, true).forEach((alias, settings) -> {
             loadSigningConfig(alias, settings, false);
         });
     }
@@ -201,6 +197,14 @@ private static byte[] getSignableBytes(final String... headers) {
         return String.join("\n", headers).getBytes(StandardCharsets.UTF_8);
     }
 
+    private static String calculateFingerprint(X509Certificate certificate) {
+        try {
+            return SslUtil.calculateFingerprint(certificate, "SHA-1");
+        } catch (CertificateEncodingException e) {
+            return "<?>";
+        }
+    }
+
     private record X509KeyPair(X509Certificate certificate, PrivateKey privateKey, String signatureAlgorithm, String fingerprint) {
         X509KeyPair(X509Certificate certificate, PrivateKey privateKey) {
             this(certificate, privateKey, switch (privateKey.getAlgorithm()) {
@@ -213,16 +217,6 @@ private record X509KeyPair(X509Certificate certificate, PrivateKey privateKey, S
         }
     }
 
-    private record SigningConfig(@Nullable X509KeyPair keyPair, Collection<Path> dependentFiles, @Nullable Settings settings) {
-        static SigningConfig EMPTY = new SigningConfig(null, List.of(), null);
-    }
-
-    private static String calculateFingerprint(X509Certificate certificate) {
-        try {
-            return SslUtil.calculateFingerprint(certificate, "SHA-1");
-        } catch (CertificateEncodingException e) {
-            return "<?>";
-        }
-    }
+    private record SigningConfig(@Nullable X509KeyPair keyPair, Collection<Path> dependentFiles, @Nullable Settings settings) {}
 
 }
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/CrossClusterApiKeySignerReloader.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/CrossClusterApiKeySignerReloader.java
@@ -116,12 +116,13 @@ public void reload(Settings settings) {
             // closed. Since the secure settings will potentially be used later when the signing config is used to sign headers, the
             // settings need to be retrieved from the keystore and cached
             Settings cachedSettings = Settings.builder().setSecureSettings(extractSecureSettings(settings, getSecureSettings())).build();
-            cachedSettings.getGroups(RemoteClusterSettings.REMOTE_CLUSTER_SETTINGS_PREFIX).forEach((clusterAlias, settingsForCluster) -> {
-                // Only update signing config if settings were found, since empty config means config deletion
-                if (settingsForCluster.isEmpty() == false) {
-                    apiKeySigner.loadSigningConfig(clusterAlias, settingsForCluster, true);
-                }
-            });
+            cachedSettings.getGroups(RemoteClusterSettings.REMOTE_CLUSTER_SETTINGS_PREFIX, true)
+                .forEach((clusterAlias, settingsForCluster) -> {
+                    // Only update signing config if settings were found, since empty config means config deletion
+                    if (settingsForCluster.isEmpty() == false) {
+                        apiKeySigner.loadSigningConfig(clusterAlias, settingsForCluster, true);
+                    }
+                });
         } catch (GeneralSecurityException e) {
             logger.error("Keystore exception while reloading CrossClusterApiKeySigner", e);
         }
