fixup! Clean

Author: jfreden

x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/transport/CrossClusterApiKeySignatureManagerIntegTests.java

@@ -12,12 +12,12 @@
 import org.elasticsearch.common.ssl.PemKeyConfig;
 import org.elasticsearch.test.SecurityIntegTestCase;
 
-import static org.elasticsearch.xpack.security.transport.CrossClusterApiKeySignatureSettings.SIGNING_CERT_PATH;
-import static org.elasticsearch.xpack.security.transport.CrossClusterApiKeySignatureSettings.SIGNING_KEYSTORE_ALIAS;
-import static org.elasticsearch.xpack.security.transport.CrossClusterApiKeySignatureSettings.SIGNING_KEYSTORE_PATH;
-import static org.elasticsearch.xpack.security.transport.CrossClusterApiKeySignatureSettings.SIGNING_KEYSTORE_SECURE_PASSWORD;
-import static org.elasticsearch.xpack.security.transport.CrossClusterApiKeySignatureSettings.SIGNING_KEYSTORE_TYPE;
-import static org.elasticsearch.xpack.security.transport.CrossClusterApiKeySignatureSettings.SIGNING_KEY_PATH;
+import static org.elasticsearch.xpack.security.transport.CrossClusterApiKeySigningSettings.SIGNING_CERT_PATH;
+import static org.elasticsearch.xpack.security.transport.CrossClusterApiKeySigningSettings.SIGNING_KEYSTORE_ALIAS;
+import static org.elasticsearch.xpack.security.transport.CrossClusterApiKeySigningSettings.SIGNING_KEYSTORE_PATH;
+import static org.elasticsearch.xpack.security.transport.CrossClusterApiKeySigningSettings.SIGNING_KEYSTORE_SECURE_PASSWORD;
+import static org.elasticsearch.xpack.security.transport.CrossClusterApiKeySigningSettings.SIGNING_KEYSTORE_TYPE;
+import static org.elasticsearch.xpack.security.transport.CrossClusterApiKeySigningSettings.SIGNING_KEY_PATH;
 import static org.hamcrest.Matchers.equalToIgnoringCase;
 
 public class CrossClusterApiKeySignatureManagerIntegTests extends SecurityIntegTestCase {

x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/transport/CrossClusterSigningConfigReloaderIntegTests.java

@@ -28,14 +28,14 @@
 
 import javax.net.ssl.KeyManagerFactory;
 
-import static org.elasticsearch.xpack.security.transport.CrossClusterApiKeySignatureSettings.SIGNING_CERT_PATH;
-import static org.elasticsearch.xpack.security.transport.CrossClusterApiKeySignatureSettings.SIGNING_KEYSTORE_ALGORITHM;
-import static org.elasticsearch.xpack.security.transport.CrossClusterApiKeySignatureSettings.SIGNING_KEYSTORE_ALIAS;
-import static org.elasticsearch.xpack.security.transport.CrossClusterApiKeySignatureSettings.SIGNING_KEYSTORE_PATH;
-import static org.elasticsearch.xpack.security.transport.CrossClusterApiKeySignatureSettings.SIGNING_KEYSTORE_SECURE_PASSWORD;
-import static org.elasticsearch.xpack.security.transport.CrossClusterApiKeySignatureSettings.SIGNING_KEYSTORE_TYPE;
-import static org.elasticsearch.xpack.security.transport.CrossClusterApiKeySignatureSettings.SIGNING_KEY_PATH;
-import static org.elasticsearch.xpack.security.transport.CrossClusterApiKeySignatureSettings.SIGNING_KEY_SECURE_PASSPHRASE;
+import static org.elasticsearch.xpack.security.transport.CrossClusterApiKeySigningSettings.SIGNING_CERT_PATH;
+import static org.elasticsearch.xpack.security.transport.CrossClusterApiKeySigningSettings.SIGNING_KEYSTORE_ALGORITHM;
+import static org.elasticsearch.xpack.security.transport.CrossClusterApiKeySigningSettings.SIGNING_KEYSTORE_ALIAS;
+import static org.elasticsearch.xpack.security.transport.CrossClusterApiKeySigningSettings.SIGNING_KEYSTORE_PATH;
+import static org.elasticsearch.xpack.security.transport.CrossClusterApiKeySigningSettings.SIGNING_KEYSTORE_SECURE_PASSWORD;
+import static org.elasticsearch.xpack.security.transport.CrossClusterApiKeySigningSettings.SIGNING_KEYSTORE_TYPE;
+import static org.elasticsearch.xpack.security.transport.CrossClusterApiKeySigningSettings.SIGNING_KEY_PATH;
+import static org.elasticsearch.xpack.security.transport.CrossClusterApiKeySigningSettings.SIGNING_KEY_SECURE_PASSPHRASE;
 import static org.hamcrest.Matchers.equalTo;
 
 public class CrossClusterSigningConfigReloaderIntegTests extends SecurityIntegTestCase {
@@ -302,7 +302,7 @@ private void addAndRemoveClusterConfigsRuntime(
         } finally {
             var builder = Settings.builder();
             for (var clusterAlias : clusterAliases) {
-                CrossClusterApiKeySignatureSettings.getDynamicSettings().forEach(setting -> {
+                CrossClusterApiKeySigningSettings.getDynamicSettings().forEach(setting -> {
                     builder.putNull(setting.getConcreteSettingForNamespace(clusterAlias).getKey());
                 });
             }

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java

@@ -420,7 +420,7 @@
 import org.elasticsearch.xpack.security.support.SecuritySystemIndices;
 import org.elasticsearch.xpack.security.transport.CrossClusterAccessTransportInterceptor;
 import org.elasticsearch.xpack.security.transport.CrossClusterApiKeySignatureManager;
-import org.elasticsearch.xpack.security.transport.CrossClusterApiKeySignatureSettings;
+import org.elasticsearch.xpack.security.transport.CrossClusterApiKeySigningSettings;
 import org.elasticsearch.xpack.security.transport.CrossClusterApiKeySigningConfigReloader;
 import org.elasticsearch.xpack.security.transport.RemoteClusterTransportInterceptor;
 import org.elasticsearch.xpack.security.transport.SecurityHttpSettings;
@@ -1310,10 +1310,6 @@ private List<CustomAuthenticator> getCustomAuthenticatorFromExtensions(SecurityE
         }
     }
 
-    private void createCrossClusterApiKeySigning() {
-
-    }
-
     private ServiceAccountService createServiceAccountService(
         List<Object> components,
         CacheInvalidatorRegistry cacheInvalidatorRegistry,
@@ -1581,7 +1577,7 @@ public static List<Setting<?>> getSettings(List<SecurityExtension> securityExten
         settingsList.add(CachingServiceAccountTokenStore.CACHE_MAX_TOKENS_SETTING);
         settingsList.add(SimpleRole.CACHE_SIZE_SETTING);
         settingsList.add(NativeRoleMappingStore.LAST_LOAD_CACHE_ENABLED_SETTING);
-        settingsList.addAll(CrossClusterApiKeySignatureSettings.getSettings());
+        settingsList.addAll(CrossClusterApiKeySigningSettings.getSettings());
 
         // hide settings
         settingsList.add(Setting.stringListSetting(SecurityField.setting("hide_settings"), Property.NodeScope, Property.Filtered));

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/CrossClusterApiKeySignatureManager.java

@@ -24,13 +24,9 @@
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.security.GeneralSecurityException;
-import java.security.InvalidKeyException;
-import java.security.NoSuchAlgorithmException;
 import java.security.PrivateKey;
 import java.security.Signature;
-import java.security.SignatureException;
 import java.security.cert.CertificateEncodingException;
-import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
 import java.util.Collection;
@@ -46,8 +42,8 @@
 import javax.net.ssl.X509ExtendedTrustManager;
 import javax.net.ssl.X509KeyManager;
 
-import static org.elasticsearch.xpack.security.transport.CrossClusterApiKeySignatureSettings.KEYSTORE_ALIAS_SUFFIX;
-import static org.elasticsearch.xpack.security.transport.CrossClusterApiKeySignatureSettings.SETTINGS_PART_SIGNING;
+import static org.elasticsearch.xpack.security.transport.CrossClusterApiKeySigningSettings.KEYSTORE_ALIAS_SUFFIX;
+import static org.elasticsearch.xpack.security.transport.CrossClusterApiKeySigningSettings.SETTINGS_PART_SIGNING;
 
 public class CrossClusterApiKeySignatureManager implements ReloadableFileBasedSigningConfigProvider {
     private final Logger logger = LogManager.getLogger(getClass());
@@ -173,7 +169,7 @@ public boolean verify(X509CertificateSignature signature, String... headers) {
             try {
                 // Make sure the provided certificate chain is trusted
                 trustManager.checkClientTrusted(signature.certificates(), AUTH_TYPE);
-                // TODO Make sure the signing certificate belongs to the correct DN (the api key identity)
+                // TODO Make sure the signing certificate belongs to the correct DN (the configured api key cert identity)
                 // Make sure signature is correct
                 final Signature signer = Signature.getInstance(signature.algorithm());
                 signer.initVerify(signature.certificates()[0]);
@@ -271,7 +267,6 @@ private X509KeyPair buildKeyPair(X509KeyManager keyManager, SslKeyConfig keyConf
             case 1 -> {
                 final String aliasFromKeyStore = aliases.iterator().next();
                 final X509Certificate[] chain = keyManager.getCertificateChain(aliasFromKeyStore);
-                // TODO ideally we would not sent the root cert here. What's the best way to filter it out?
                 yield new X509KeyPair(chain, keyManager.getPrivateKey(aliasFromKeyStore));
             }
             default -> throw new IllegalStateException(
@@ -303,7 +298,6 @@ private X509KeyPair buildKeyPair(X509KeyManager keyManager, SslKeyConfig keyConf
             throw new IllegalStateException("Key config missing certificate chain for alias [" + alias + "]");
         }
 
-        // TODO ideally we would not sent the root cert here. What's the best way to filter it out?
         return new X509KeyPair(chain, keyManager.getPrivateKey(alias));
     }
 

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/CrossClusterApiKeySigningConfigReloader.java

@@ -34,9 +34,9 @@
 import java.util.function.Consumer;
 import java.util.stream.Collectors;
 
-import static org.elasticsearch.xpack.security.transport.CrossClusterApiKeySignatureSettings.SETTINGS_PART_SIGNING;
-import static org.elasticsearch.xpack.security.transport.CrossClusterApiKeySignatureSettings.getDynamicSettings;
-import static org.elasticsearch.xpack.security.transport.CrossClusterApiKeySignatureSettings.getSecureSettings;
+import static org.elasticsearch.xpack.security.transport.CrossClusterApiKeySigningSettings.SETTINGS_PART_SIGNING;
+import static org.elasticsearch.xpack.security.transport.CrossClusterApiKeySigningSettings.getDynamicSettings;
+import static org.elasticsearch.xpack.security.transport.CrossClusterApiKeySigningSettings.getSecureSettings;
 
 /**
  * Responsible for reloading a provided {@link ReloadableFileBasedSigningConfigProvider} when updates are received from the following

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/CrossClusterApiKeySignatureSettings.java renamed to x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/CrossClusterApiKeySigningSettings.java

@@ -18,7 +18,7 @@
 
 import javax.net.ssl.KeyManagerFactory;
 
-public class CrossClusterApiKeySignatureSettings {
+public class CrossClusterApiKeySigningSettings {
     static final String SETTINGS_PART_SIGNING = "signing";
 
     static final String KEYSTORE_ALIAS_SUFFIX = "keystore.alias";
@@ -128,8 +128,6 @@ public class CrossClusterApiKeySignatureSettings {
         key -> Setting.simpleString(key, "", Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Dynamic)
     );
 
-    // TODO SHOULD TRUST_RESTRICTIONS_X509_FIELDS BE ADDED!?
-
     public static List<Setting.AffixSetting<?>> getDynamicSettings() {
         return List.of(
             SIGNING_KEYSTORE_ALIAS,

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/CrossClusterApiKeySigningConfigReloaderTests.java

@@ -52,7 +52,7 @@ public void setUp() throws Exception {
     public void testSimpleDynamicSettingsUpdate() {
         Settings settings = settingsBuilder.put("cluster.remote.my_remote.signing.keystore.alias", "mykey").build();
         var environment = TestEnvironment.newEnvironment(settings);
-        var clusterSettings = new ClusterSettings(settings, new HashSet<>(CrossClusterApiKeySignatureSettings.getDynamicSettings()));
+        var clusterSettings = new ClusterSettings(settings, new HashSet<>(CrossClusterApiKeySigningSettings.getDynamicSettings()));
 
         var crossClusterApiKeySigningConfigReloader = new CrossClusterApiKeySigningConfigReloader(
             TestEnvironment.newEnvironment(settings),
@@ -88,7 +88,7 @@ public void testDynamicSettingsUpdateWithAddedFiles() throws Exception {
 
         var clusterSettings = new ClusterSettings(
             settingsBuilder.build(),
-            new HashSet<>(CrossClusterApiKeySignatureSettings.getDynamicSettings())
+            new HashSet<>(CrossClusterApiKeySigningSettings.getDynamicSettings())
         );
 
         var crossClusterApiKeySigningConfigReloader = new CrossClusterApiKeySigningConfigReloader(
@@ -121,7 +121,7 @@ public void testDynamicSettingsUpdateWithAddedFiles() throws Exception {
     }
 
     public void testSimpleSecureSettingsReload() {
-        var clusterSettings = new ClusterSettings(Settings.EMPTY, new HashSet<>(CrossClusterApiKeySignatureSettings.getDynamicSettings()));
+        var clusterSettings = new ClusterSettings(Settings.EMPTY, new HashSet<>(CrossClusterApiKeySigningSettings.getDynamicSettings()));
         var environment = TestEnvironment.newEnvironment(settingsBuilder.build());
         var crossClusterApiKeySigningConfigReloader = new CrossClusterApiKeySigningConfigReloader(
             environment,
@@ -141,7 +141,7 @@ public void testSimpleSecureSettingsReload() {
     }
 
     public void testSecureSettingsReloadNoMatchingSecureSettings() {
-        var clusterSettings = new ClusterSettings(Settings.EMPTY, new HashSet<>(CrossClusterApiKeySignatureSettings.getDynamicSettings()));
+        var clusterSettings = new ClusterSettings(Settings.EMPTY, new HashSet<>(CrossClusterApiKeySigningSettings.getDynamicSettings()));
         var environment = TestEnvironment.newEnvironment(settingsBuilder.build());
         var crossClusterApiKeySigningConfigReloader = new CrossClusterApiKeySigningConfigReloader(
             environment,
@@ -161,7 +161,7 @@ public void testSecureSettingsReloadNoMatchingSecureSettings() {
 
     public void testFileUpdatedReloaded() throws Exception {
         var fileToMonitor = createTempFile();
-        var clusterSettings = new ClusterSettings(Settings.EMPTY, new HashSet<>(CrossClusterApiKeySignatureSettings.getDynamicSettings()));
+        var clusterSettings = new ClusterSettings(Settings.EMPTY, new HashSet<>(CrossClusterApiKeySigningSettings.getDynamicSettings()));
         var initialSettings = settingsBuilder.put("cluster.remote.my_remote.signing.keystore.path", fileToMonitor).build();
         var environment = TestEnvironment.newEnvironment(initialSettings);
         var crossClusterApiKeySigningConfigReloader = new CrossClusterApiKeySigningConfigReloader(
@@ -185,7 +185,7 @@ public void testFileUpdatedReloaded() throws Exception {
 
     public void testFileDeletedReloaded() throws Exception {
         var fileToMonitor = createTempFile();
-        var clusterSettings = new ClusterSettings(Settings.EMPTY, new HashSet<>(CrossClusterApiKeySignatureSettings.getDynamicSettings()));
+        var clusterSettings = new ClusterSettings(Settings.EMPTY, new HashSet<>(CrossClusterApiKeySigningSettings.getDynamicSettings()));
         var initialSettings = settingsBuilder.put("cluster.remote.my_remote.signing.keystore.path", fileToMonitor).build();
         var environment = TestEnvironment.newEnvironment(initialSettings);
         var crossClusterApiKeySigningConfigReloader = new CrossClusterApiKeySigningConfigReloader(