
Commit 48881de

[FEATURE] Broaden SecureSettingsFactory to include http transports (opensearch-project#12907) (opensearch-project#12965)
Signed-off-by: Andriy Redko <andriy.redko@aiven.io> (cherry picked from commit a103b84)
1 parent 2d0aed1 commit 48881de

16 files changed

+596
-155
lines changed

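--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -18,6 +18,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 
 ### Changed
 - [BWC and API enforcement] Enforcing the presence of API annotations at build time ([#12872](https://github.com/opensearch-project/OpenSearch/pull/12872))
+- Improve built-in secure transports support ([#12907](https://github.com/opensearch-project/OpenSearch/pull/12907))
 
 ### Deprecated
 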
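--- a/modules/transport-netty4/src/main/java/org/opensearch/http/netty4/ssl/SecureNetty4HttpServerTransport.java
+++ b/modules/transport-netty4/src/main/java/org/opensearch/http/netty4/ssl/SecureNetty4HttpServerTransport.java
@@ -37,27 +37,40 @@
 import org.opensearch.core.xcontent.NamedXContentRegistry;
 import org.opensearch.http.HttpChannel;
 import org.opensearch.http.HttpHandlingSettings;
+import org.opensearch.http.HttpServerTransport;
 import org.opensearch.http.netty4.Netty4HttpServerTransport;
-import org.opensearch.plugins.SecureTransportSettingsProvider;
+import org.opensearch.plugins.SecureHttpTransportSettingsProvider;
+import org.opensearch.plugins.TransportExceptionHandler;
 import org.opensearch.telemetry.tracing.Tracer;
 import org.opensearch.threadpool.ThreadPool;
 import org.opensearch.transport.SharedGroupFactory;
+import org.opensearch.transport.TransportAdapterProvider;
 import org.opensearch.transport.netty4.ssl.SslUtils;
 
 import javax.net.ssl.SSLEngine;
 
+import java.util.List;
+import java.util.Optional;
+import java.util.stream.Collectors;
+
 import io.netty.channel.Channel;
 import io.netty.channel.ChannelHandler;
+import io.netty.channel.ChannelInboundHandlerAdapter;
 import io.netty.handler.codec.DecoderException;
 import io.netty.handler.ssl.SslHandler;
 
 /**
 * @see <a href="https://github.com/opensearch-project/security/blob/d526c9f6c2a438c14db8b413148204510b9fe2e2/src/main/java/org/opensearch/security/ssl/http/netty/SecuritySSLNettyHttpServerTransport.java">SecuritySSLNettyHttpServerTransport</a>
 */
 public class SecureNetty4HttpServerTransport extends Netty4HttpServerTransport {
+public static final String REQUEST_HEADER_VERIFIER = "HeaderVerifier";
+public static final String REQUEST_DECOMPRESSOR = "RequestDecompressor";
+
 private static final Logger logger = LogManager.getLogger(SecureNetty4HttpServerTransport.class);
-private final SecureTransportSettingsProvider secureTransportSettingsProvider;
-private final SecureTransportSettingsProvider.ServerExceptionHandler exceptionHandler;
+private final SecureHttpTransportSettingsProvider secureHttpTransportSettingsProvider;
+private final TransportExceptionHandler exceptionHandler;
+private final ChannelInboundHandlerAdapter headerVerifier;
+private final TransportAdapterProvider<HttpServerTransport> decompressorProvider;
 
 public SecureNetty4HttpServerTransport(
 final Settings settings,
@@ -68,7 +81,7 @@ public SecureNetty4HttpServerTransport(
 final Dispatcher dispatcher,
 final ClusterSettings clusterSettings,
 final SharedGroupFactory sharedGroupFactory,
-final SecureTransportSettingsProvider secureTransportSettingsProvider,
+final SecureHttpTransportSettingsProvider secureHttpTransportSettingsProvider,
 final Tracer tracer
 ) {
 super(
@@ -82,9 +95,45 @@ public SecureNetty4HttpServerTransport(
 sharedGroupFactory,
 tracer
 );
-this.secureTransportSettingsProvider = secureTransportSettingsProvider;
-this.exceptionHandler = secureTransportSettingsProvider.buildHttpServerExceptionHandler(settings, this)
-.orElse(SecureTransportSettingsProvider.ServerExceptionHandler.NOOP);
+
+this.secureHttpTransportSettingsProvider = secureHttpTransportSettingsProvider;
+this.exceptionHandler = secureHttpTransportSettingsProvider.buildHttpServerExceptionHandler(settings, this)
+.orElse(TransportExceptionHandler.NOOP);
+
+final List<ChannelInboundHandlerAdapter> headerVerifiers = secureHttpTransportSettingsProvider.getHttpTransportAdapterProviders(
+settings
+)
+.stream()
+.filter(p -> REQUEST_HEADER_VERIFIER.equalsIgnoreCase(p.name()))
+.map(p -> p.create(settings, this, ChannelInboundHandlerAdapter.class))
+.filter(Optional::isPresent)
+.map(Optional::get)
+.collect(Collectors.toList());
+
+if (headerVerifiers.size() > 1) {
+throw new IllegalArgumentException("Cannot have more than one header verifier configured, supplied " + headerVerifiers.size());
+}
+
+final Optional<TransportAdapterProvider<HttpServerTransport>> decompressorProviderOpt = secureHttpTransportSettingsProvider
+.getHttpTransportAdapterProviders(settings)
+.stream()
+.filter(p -> REQUEST_DECOMPRESSOR.equalsIgnoreCase(p.name()))
+.findFirst();
+// There could be multiple request decompressor providers configured, using the first one
+decompressorProviderOpt.ifPresent(p -> logger.debug("Using request decompressor provider: {}", p));
+
+this.headerVerifier = headerVerifiers.isEmpty() ? null : headerVerifiers.get(0);
+this.decompressorProvider = decompressorProviderOpt.orElseGet(() -> new TransportAdapterProvider<HttpServerTransport>() {
+@Override
+public String name() {
+return REQUEST_DECOMPRESSOR;
+}
+
+@Override
+public <C> Optional<C> create(Settings settings, HttpServerTransport transport, Class<C> adapterClass) {
+return Optional.empty();
+}
+});
 }
 
 @Override
@@ -114,7 +163,7 @@ protected SslHttpChannelHandler(final Netty4HttpServerTransport transport, final
 protected void initChannel(Channel ch) throws Exception {
 super.initChannel(ch);
 
-final SSLEngine sslEngine = secureTransportSettingsProvider.buildSecureHttpServerEngine(
+final SSLEngine sslEngine = secureHttpTransportSettingsProvider.buildSecureHttpServerEngine(
 settings,
 SecureNetty4HttpServerTransport.this
 ).orElseGet(SslUtils::createDefaultServerSSLEngine);
@@ -123,4 +172,17 @@ protected void initChannel(Channel ch) throws Exception {
 ch.pipeline().addFirst("ssl_http", sslHandler);
 }
 }
+
+protected ChannelInboundHandlerAdapter createHeaderVerifier() {
+if (headerVerifier != null) {
+return headerVerifier;
+} else {
+return super.createHeaderVerifier();
+}
+}
+
+@Override
+protected ChannelInboundHandlerAdapter createDecompressor() {
+return decompressorProvider.create(settings, this, ChannelInboundHandlerAdapter.class).orElseGet(super::createDecompressor);
+}
 }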
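Review bot: `createHeaderVerifier()` (new lines 176-182) is missing `@Override` while `createDecompressor()` right below it carries one; the body calls `super.createHeaderVerifier()`, so an override is clearly intended, and without the annotation a signature drift against `Netty4HttpServerTransport` would compile silently and leave the configured verifier never installed — add `@Override` above `protected ChannelInboundHandlerAdapter createHeaderVerifier() {`. A second, hedged point: the header verifier is resolved once in the constructor and the same `ChannelInboundHandlerAdapter` instance is handed back on every call, whereas the decompressor is created afresh per call via `decompressorProvider.create(...)`; if the caller (outside this hunk) invokes `createHeaderVerifier()` per channel, Netty only accepts one handler instance in several pipelines when it is annotated `@Sharable`, so either document that requirement for `SecureHttpTransportSettingsProvider` implementors or create the verifier per call as the decompressor is. The duplicate-provider policy is also inconsistent: more than one header verifier throws `IllegalArgumentException`, but extra decompressor providers are silently skipped with only a debug log, so a warn-level message naming the ignored providers would make that misconfiguration visible.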

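--- a/modules/transport-netty4/src/main/java/org/opensearch/transport/Netty4Plugin.java
+++ b/modules/transport-netty4/src/main/java/org/opensearch/transport/Netty4Plugin.java
@@ -49,6 +49,7 @@
 import org.opensearch.http.netty4.ssl.SecureNetty4HttpServerTransport;
 import org.opensearch.plugins.NetworkPlugin;
 import org.opensearch.plugins.Plugin;
+import org.opensearch.plugins.SecureHttpTransportSettingsProvider;
 import org.opensearch.plugins.SecureTransportSettingsProvider;
 import org.opensearch.telemetry.tracing.Tracer;
 import org.opensearch.threadpool.ThreadPool;
@@ -160,7 +161,7 @@ public Map<String, Supplier<HttpServerTransport>> getSecureHttpTransports(
 NetworkService networkService,
 HttpServerTransport.Dispatcher dispatcher,
 ClusterSettings clusterSettings,
-SecureTransportSettingsProvider secureTransportSettingsProvider,
+SecureHttpTransportSettingsProvider secureHttpTransportSettingsProvider,
 Tracer tracer
 ) {
 return Collections.singletonMap(
@@ -174,7 +175,7 @@ public Map<String, Supplier<HttpServerTransport>> getSecureHttpTransports(
 dispatcher,
 clusterSettings,
 getSharedGroupFactory(settings),
-secureTransportSettingsProvider,
+secureHttpTransportSettingsProvider,
 tracer
 )
 );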

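--- a/modules/transport-netty4/src/main/java/org/opensearch/transport/netty4/ssl/SecureNetty4Transport.java
+++ b/modules/transport-netty4/src/main/java/org/opensearch/transport/netty4/ssl/SecureNetty4Transport.java
@@ -42,6 +42,7 @@
 import org.opensearch.core.common.io.stream.NamedWriteableRegistry;
 import org.opensearch.core.indices.breaker.CircuitBreakerService;
 import org.opensearch.plugins.SecureTransportSettingsProvider;
+import org.opensearch.plugins.TransportExceptionHandler;
 import org.opensearch.telemetry.tracing.Tracer;
 import org.opensearch.threadpool.ThreadPool;
 import org.opensearch.transport.SharedGroupFactory;
@@ -72,7 +73,7 @@ public class SecureNetty4Transport extends Netty4Transport {
 
 private static final Logger logger = LogManager.getLogger(SecureNetty4Transport.class);
 private final SecureTransportSettingsProvider secureTransportSettingsProvider;
-private final SecureTransportSettingsProvider.ServerExceptionHandler exceptionHandler;
+private final TransportExceptionHandler exceptionHandler;
 
 public SecureNetty4Transport(
 final Settings settings,
@@ -100,7 +101,7 @@ public SecureNetty4Transport(
 
 this.secureTransportSettingsProvider = secureTransportSettingsProvider;
 this.exceptionHandler = secureTransportSettingsProvider.buildServerTransportExceptionHandler(settings, this)
-.orElse(SecureTransportSettingsProvider.ServerExceptionHandler.NOOP);
+.orElse(TransportExceptionHandler.NOOP);
 }
 
 @Override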
