Replace deprecated SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION setting in tests (#5746)

Signed-off-by: Craig Perkins <[email protected]>

Author: cwperks

bwc-test/build.gradle

@@ -138,7 +138,7 @@ def String extractVersion(versionStr) {
                 node.setting("plugins.security.ssl.transport.pemcert_filepath", "esnode.pem")
                 node.setting("plugins.security.ssl.transport.pemkey_filepath", "esnode-key.pem")
                 node.setting("plugins.security.ssl.transport.pemtrustedcas_filepath", "root-ca.pem")
-                node.setting("plugins.security.ssl.transport.enforce_hostname_verification", "false")
+                node.setting("transport.ssl.enforce_hostname_verification", "false")
                 node.setting("plugins.security.ssl.http.enabled", "true")
                 node.setting("plugins.security.ssl.http.pemcert_filepath", "esnode.pem")
                 node.setting("plugins.security.ssl.http.pemkey_filepath", "esnode-key.pem")

src/integrationTest/java/org/opensearch/security/TlsHostnameVerificationTests.java

@@ -17,13 +17,14 @@
 import org.junit.Test;
 import org.junit.runner.RunWith;
 
-import org.opensearch.security.ssl.util.SSLConfigConstants;
 import org.opensearch.security.support.ConfigConstants;
 import org.opensearch.test.framework.certificate.TestCertificates;
 import org.opensearch.test.framework.cluster.ClusterManager;
 import org.opensearch.test.framework.cluster.LocalCluster;
 import org.opensearch.test.framework.log.LogsRule;
 
+import static org.opensearch.common.network.NetworkModule.TRANSPORT_SSL_ENFORCE_HOSTNAME_VERIFICATION_KEY;
+
 @RunWith(com.carrotsearch.randomizedtesting.RandomizedRunner.class)
 @ThreadLeakScope(ThreadLeakScope.Scope.NONE)
 public class TlsHostnameVerificationTests {
@@ -34,9 +35,7 @@ public class TlsHostnameVerificationTests {
     public LocalCluster.Builder clusterBuilder = new LocalCluster.Builder().clusterManager(ClusterManager.THREE_CLUSTER_MANAGERS)
         .anonymousAuth(false)
         .loadConfigurationIntoIndex(false)
-        .nodeSettings(
-            Map.of(ConfigConstants.SECURITY_SSL_ONLY, true, SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION, true)
-        )
+        .nodeSettings(Map.of(ConfigConstants.SECURITY_SSL_ONLY, true, TRANSPORT_SSL_ENFORCE_HOSTNAME_VERIFICATION_KEY, true))
         .sslOnly(true);
 
     @Test

src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java

@@ -18,8 +18,6 @@
 package org.opensearch.security.ssl;
 
 import java.nio.file.Path;
-import java.security.AccessController;
-import java.security.PrivilegedAction;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
@@ -41,7 +39,6 @@
 import org.opensearch.cluster.metadata.IndexNameExpressionResolver;
 import org.opensearch.cluster.node.DiscoveryNodes;
 import org.opensearch.cluster.service.ClusterService;
-import org.opensearch.common.Booleans;
 import org.opensearch.common.network.NetworkModule;
 import org.opensearch.common.network.NetworkService;
 import org.opensearch.common.settings.ClusterSettings;
@@ -71,6 +68,7 @@
 import org.opensearch.rest.RestController;
 import org.opensearch.rest.RestHandler;
 import org.opensearch.script.ScriptService;
+import org.opensearch.secure_sm.AccessController;
 import org.opensearch.security.DefaultObjectMapper;
 import org.opensearch.security.NonValidatingObjectMapper;
 import org.opensearch.security.filter.SecurityRestFilter;
@@ -94,6 +92,7 @@
 import io.netty.handler.ssl.OpenSsl;
 import io.netty.util.internal.PlatformDependent;
 
+import static org.opensearch.common.network.NetworkModule.TRANSPORT_SSL_ENFORCE_HOSTNAME_VERIFICATION_KEY;
 import static org.opensearch.security.ssl.util.SSLConfigConstants.SECURITY_SSL_AUX_CLIENTAUTH_MODE;
 import static org.opensearch.security.ssl.util.SSLConfigConstants.SECURITY_SSL_AUX_ENABLED;
 import static org.opensearch.security.ssl.util.SSLConfigConstants.SECURITY_SSL_AUX_ENABLED_CIPHERS;
@@ -104,11 +103,12 @@
 import static org.opensearch.security.ssl.util.SSLConfigConstants.SECURITY_SSL_AUX_PEMKEY_PASSWORD;
 import static org.opensearch.security.ssl.util.SSLConfigConstants.SECURITY_SSL_AUX_PEMTRUSTEDCAS_FILEPATH;
 import static org.opensearch.security.ssl.util.SSLConfigConstants.SECURITY_SSL_AUX_TRUSTSTORE_FILEPATH;
+import static org.opensearch.security.ssl.util.SSLConfigConstants.SECURITY_SSL_TRANSPORT_SSL_ENFORCE_HOSTNAME_VERIFICATION_KEY;
 
 //For ES5 this class has only effect when SSL only plugin is installed
 public class OpenSearchSecuritySSLPlugin extends Plugin implements SystemIndexPlugin, NetworkPlugin {
     private static final Setting<Boolean> SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION = Setting.boolSetting(
-        SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION,
+        SECURITY_SSL_TRANSPORT_SSL_ENFORCE_HOSTNAME_VERIFICATION_KEY,
         true,
         Property.NodeScope,
         Property.Filtered,
@@ -123,10 +123,6 @@ public class OpenSearchSecuritySSLPlugin extends Plugin implements SystemIndexPl
         Property.Deprecated
     );
 
-    private static boolean USE_NETTY_DEFAULT_ALLOCATOR = Booleans.parseBoolean(
-        System.getProperty("opensearch.unsafe.use_netty_default_allocator"),
-        false
-    );
     protected final Logger log = LogManager.getLogger(this.getClass());
     public static final String CLIENT_TYPE = "client.type";
     protected final boolean client;
@@ -158,14 +154,7 @@ protected OpenSearchSecuritySSLPlugin(final Settings settings, final Path config
             this.configPath = null;
             SSLConfig = new SSLConfig(false, false);
 
-            AccessController.doPrivileged(new PrivilegedAction<Object>() {
-                @Override
-                public Object run() {
-                    System.setProperty("opensearch.set.netty.runtime.available.processors", "false");
-                    return null;
-                }
-            });
-
+            AccessController.doPrivileged(() -> System.setProperty("opensearch.set.netty.runtime.available.processors", "false"));
             return;
         }
         SSLConfig = new SSLConfig(settings);
@@ -198,13 +187,9 @@ public Object run() {
                     sm.checkPermission(new SpecialPermission());
                 }
 
-                AccessController.doPrivileged(new PrivilegedAction<Object>() {
-                    @Override
-                    public Object run() {
-                        System.setProperty(SSLConfigConstants.JDK_TLS_REJECT_CLIENT_INITIATED_RENEGOTIATION, "true");
-                        return null;
-                    }
-                });
+                AccessController.doPrivileged(
+                    () -> System.setProperty(SSLConfigConstants.JDK_TLS_REJECT_CLIENT_INITIATED_RENEGOTIATION, "true")
+                );
                 log.debug(
                     "Client side initiated TLS renegotiation forcibly disabled. This can prevent DoS attacks. (jdk.tls.rejectClientInitiatedRenegotiation set to true)."
                 );
@@ -213,21 +198,11 @@ public Object run() {
             }
         }
 
-        final SecurityManager sm = System.getSecurityManager();
-
-        if (sm != null) {
-            sm.checkPermission(new SpecialPermission());
-        }
-
         // TODO check initialize native netty open ssl libs still neccessary
-        AccessController.doPrivileged(new PrivilegedAction<Object>() {
-            @Override
-            public Object run() {
-                System.setProperty("opensearch.set.netty.runtime.available.processors", "false");
-                PlatformDependent.newFixedMpscQueue(1);
-                OpenSsl.isAvailable();
-                return null;
-            }
+        AccessController.doPrivileged(() -> {
+            System.setProperty("opensearch.set.netty.runtime.available.processors", "false");
+            PlatformDependent.newFixedMpscQueue(1);
+            OpenSsl.isAvailable();
         });
 
         this.settings = settings;
@@ -442,7 +417,7 @@ public List<Setting<?>> getSettings() {
                 Property.Filtered
             )
         );
-        if (!settings.stream().anyMatch(s -> s.getKey().equalsIgnoreCase(NetworkModule.TRANSPORT_SSL_ENFORCE_HOSTNAME_VERIFICATION_KEY))) {
+        if (!settings.stream().anyMatch(s -> s.getKey().equalsIgnoreCase(TRANSPORT_SSL_ENFORCE_HOSTNAME_VERIFICATION_KEY))) {
             settings.add(SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION);
         }
         if (!settings.stream()
@@ -751,14 +726,14 @@ protected Settings migrateSettings(Settings settings) {
 
         if (!NetworkModule.TRANSPORT_SSL_ENFORCE_HOSTNAME_VERIFICATION.exists(settings)) {
             builder.put(
-                NetworkModule.TRANSPORT_SSL_ENFORCE_HOSTNAME_VERIFICATION_KEY,
+                TRANSPORT_SSL_ENFORCE_HOSTNAME_VERIFICATION_KEY,
                 SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION.get(settings)
             );
         } else {
             if (SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION.exists(settings)) {
                 throw new OpenSearchException(
                     "Only one of the settings ["
-                        + NetworkModule.TRANSPORT_SSL_ENFORCE_HOSTNAME_VERIFICATION_KEY
+                        + TRANSPORT_SSL_ENFORCE_HOSTNAME_VERIFICATION_KEY
                         + ", "
                         + SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION.getKey()
                         + " (deprecated)] could be specified but not both"

src/main/java/org/opensearch/security/ssl/util/SSLConfigConstants.java

@@ -236,7 +236,7 @@ public static String getStringAffixKeyForCertType(Setting.AffixSetting<String> a
     public static final String SECURITY_SSL_TRANSPORT_CLIENT_PEMTRUSTEDCAS_FILEPATH = SSL_TRANSPORT_CLIENT_PREFIX
         + PEM_TRUSTED_CAS_FILEPATH;
 
-    public static final String SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION = SSL_TRANSPORT_PREFIX
+    public static final String SECURITY_SSL_TRANSPORT_SSL_ENFORCE_HOSTNAME_VERIFICATION_KEY = SSL_TRANSPORT_PREFIX
         + "enforce_hostname_verification";
     public static final String SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME = SSL_TRANSPORT_PREFIX
         + "resolve_hostname";

src/test/java/org/opensearch/security/auditlog/sink/WebhookAuditLogTest.java

@@ -100,7 +100,7 @@ public void formatsTest() throws Exception {
                 SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH,
                 FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")
             )
-            .put("plugins.security.ssl.transport.enforce_hostname_verification", false)
+            .put("transport.ssl.enforce_hostname_verification", false)
             .build();
 
         MockWebhookAuditLog auditlog = new MockWebhookAuditLog(settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null);

src/test/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPluginTest.java

@@ -49,6 +49,7 @@
 import static org.hamcrest.CoreMatchers.nullValue;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.collection.IsMapContaining.hasKey;
+import static org.opensearch.common.network.NetworkModule.TRANSPORT_SSL_ENFORCE_HOSTNAME_VERIFICATION_KEY;
 import static org.junit.Assert.assertThrows;
 
 public class OpenSearchSecuritySSLPluginTest extends AbstractSecurityUnitTest {
@@ -164,7 +165,7 @@ public void testRegisterSecureTransportWithDeprecatedSecuirtyPluginSettings() th
             .put(settings)
             .put(SecuritySettings.SSL_DUAL_MODE_SETTING.getKey(), true)
             .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME, false)
-            .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION, false)
+            .put(TRANSPORT_SSL_ENFORCE_HOSTNAME_VERIFICATION_KEY, false)
             .build();
 
         try (OpenSearchSecuritySSLPlugin plugin = new OpenSearchSecuritySSLPlugin(deprecated, osPathHome, false)) {
@@ -189,7 +190,7 @@ public void testRegisterSecureTransportWithNetworkModuleSettings() throws IOExce
             .put(settings)
             .put(NetworkModule.TRANSPORT_SSL_DUAL_MODE_ENABLED_KEY, true)
             .put(NetworkModule.TRANSPORT_SSL_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME_KEY, false)
-            .put(NetworkModule.TRANSPORT_SSL_ENFORCE_HOSTNAME_VERIFICATION_KEY, false)
+            .put(TRANSPORT_SSL_ENFORCE_HOSTNAME_VERIFICATION_KEY, false)
             .build();
 
         try (OpenSearchSecuritySSLPlugin plugin = new OpenSearchSecuritySSLPlugin(migrated, osPathHome, false)) {
@@ -217,8 +218,8 @@ public void testRegisterSecureTransportWithDuplicateSettings() throws IOExceptio
                 NetworkModule.TRANSPORT_SSL_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME_KEY
             ),
             Tuple.tuple(
-                SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION,
-                NetworkModule.TRANSPORT_SSL_ENFORCE_HOSTNAME_VERIFICATION_KEY
+                SSLConfigConstants.SECURITY_SSL_TRANSPORT_SSL_ENFORCE_HOSTNAME_VERIFICATION_KEY,
+                TRANSPORT_SSL_ENFORCE_HOSTNAME_VERIFICATION_KEY
             )
         );
 
@@ -228,7 +229,7 @@ public void testRegisterSecureTransportWithDuplicateSettings() throws IOExceptio
                 .put(duplicate.v1(), true)
                 .put(NetworkModule.TRANSPORT_SSL_DUAL_MODE_ENABLED_KEY, true)
                 .put(NetworkModule.TRANSPORT_SSL_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME_KEY, false)
-                .put(NetworkModule.TRANSPORT_SSL_ENFORCE_HOSTNAME_VERIFICATION_KEY, false)
+                .put(TRANSPORT_SSL_ENFORCE_HOSTNAME_VERIFICATION_KEY, false)
                 .build();
 
             try (OpenSearchSecuritySSLPlugin plugin = new OpenSearchSecuritySSLPlugin(migrated, osPathHome, false)) {