Support for Elasticsearch 6.6.2 (#5)

* unit tests passing

* modified pom.xml

* Support for ElasticSearch 6.6.2

* updated version from 0.7.0.1 to 0.8.0.0

plugin-descriptor.properties

@@ -3,7 +3,7 @@
 description=Provides SSL for Elasticsearch 6
 #
 # 'version': plugin's version
-version=0.7.0.1
+version=0.8.0.0
 #
 # 'name': the plugin name
 name=opendistro_security-ssl
@@ -22,4 +22,4 @@ java.version=1.8
 # elasticsearch release. This version is checked when the plugin
 # is loaded so Elasticsearch will refuse to start in the presence of
 # plugins with the incorrect elasticsearch.version.
-elasticsearch.version=6.5.4
+elasticsearch.version=6.6.2

pom.xml

@@ -35,11 +35,11 @@
   <parent>
     <groupId>com.amazon.opendistroforelasticsearch</groupId>
     <artifactId>opendistro_security_parent</artifactId>
-    <version>0.7.0.1</version>
+    <version>0.8.0.0</version>
   </parent>
 
   <artifactId>opendistro_security_ssl</artifactId>
-  <version>0.7.0.1</version>
+  <version>0.8.0.0</version>
   <packaging>jar</packaging>
 
   <name>Open Distro Security SSL</name>
@@ -56,18 +56,18 @@
   </licenses>
 
   <properties>
-    <elasticsearch.version>6.5.4</elasticsearch.version>
+    <elasticsearch.version>6.6.2</elasticsearch.version>
 
     <!-- deps -->
-    <netty-native.version>2.0.15.Final</netty-native.version>
+    <netty-native.version>2.0.20.Final</netty-native.version>
     <log4j.version>2.11.1</log4j.version>
   </properties>
 
   <scm>
     <url>https://github.com/opendistro-for-elasticsearch/security-ssl</url>
     <connection>scm:git:[email protected]:opendistro-for-elasticsearch/security-ssl.git</connection>
     <developerConnection>scm:git:[email protected]:opendistro-for-elasticsearch/security-ssl.git</developerConnection>
-    <tag>v0.7.0.1</tag>
+    <tag>v0.8.0.0</tag>
   </scm>
 
   <issueManagement>
@@ -172,7 +172,7 @@
         <dependency>
           <groupId>com.floragunn</groupId>
           <artifactId>search-guard-static-tcnative-beta</artifactId>
-          <version>1.1.0j-${netty-native.version}-non-fedora-linux-x86_64</version>
+          <version>1.1.1a-${netty-native.version}-non-fedora-linux-x86_64</version>
           <scope>provided</scope>
         </dependency>
       </dependencies>
@@ -183,7 +183,7 @@
         <dependency>
           <groupId>com.floragunn</groupId>
           <artifactId>search-guard-static-tcnative-beta</artifactId>
-          <version>1.1.0j-${netty-native.version}-fedora-linux-x86_64</version>
+          <version>1.1.1a-${netty-native.version}-fedora-linux-x86_64</version>
           <scope>provided</scope>
         </dependency>
       </dependencies>

src/main/java/com/amazon/opendistroforelasticsearch/security/ssl/OpenDistroSecuritySSLPlugin.java

@@ -50,6 +50,7 @@
 import org.apache.logging.log4j.Logger;
 import org.elasticsearch.ElasticsearchException;
 import org.elasticsearch.SpecialPermission;
+import org.elasticsearch.Version;
 import org.elasticsearch.client.Client;
 import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
 import org.elasticsearch.cluster.node.DiscoveryNodes;
@@ -255,14 +256,13 @@ public List<TransportInterceptor> getTransportInterceptors(NamedWriteableRegistr
 
 
     @Override
-    public Map<String, Supplier<Transport>> getTransports(Settings settings, ThreadPool threadPool, BigArrays bigArrays,
-            PageCacheRecycler pageCacheRecycler, CircuitBreakerService circuitBreakerService,
-            NamedWriteableRegistry namedWriteableRegistry, NetworkService networkService) {
-
+       public Map<String, Supplier<Transport>> getTransports(Settings settings, ThreadPool threadPool, PageCacheRecycler pageCacheRecycler,
+            CircuitBreakerService circuitBreakerService, NamedWriteableRegistry namedWriteableRegistry, NetworkService networkService) { 
         Map<String, Supplier<Transport>> transports = new HashMap<String, Supplier<Transport>>();
         if (transportSSLEnabled) {
             transports.put("com.amazon.opendistroforelasticsearch.security.ssl.http.netty.OpenDistroSecuritySSLNettyTransport", 
-                    () -> new OpenDistroSecuritySSLNettyTransport(settings, threadPool, networkService, bigArrays, namedWriteableRegistry, circuitBreakerService, odsks, NOOP_SSL_EXCEPTION_HANDLER));
+                    () -> new OpenDistroSecuritySSLNettyTransport(settings, Version.CURRENT, threadPool, networkService, pageCacheRecycler, namedWriteableRegistry, circuitBreakerService, odsks, NOOP_SSL_EXCEPTION_HANDLER));
+
         }
         return transports;
 

src/main/java/com/amazon/opendistroforelasticsearch/security/ssl/http/netty/OpenDistroSecuritySSLNettyHttpServerTransport.java

@@ -40,6 +40,8 @@
 import javax.net.ssl.SSLException;
 import javax.net.ssl.SSLHandshakeException;
 
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
 import org.elasticsearch.common.network.NetworkService;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.BigArrays;
@@ -53,6 +55,7 @@
 
 public class OpenDistroSecuritySSLNettyHttpServerTransport extends Netty4HttpServerTransport {
 
+    private static final Logger logger = LogManager.getLogger(OpenDistroSecuritySSLNettyHttpServerTransport.class);
     private final OpenDistroSecurityKeyStore sgks;
     private final ThreadContext threadContext;
     private final SslExceptionHandler errorHandler;

src/main/java/com/amazon/opendistroforelasticsearch/security/ssl/rest/OpenDistroSecuritySSLInfoAction.java

@@ -59,13 +59,15 @@ public class OpenDistroSecuritySSLInfoAction extends BaseRestHandler {
     private final OpenDistroSecurityKeyStore sgks;
     final PrincipalExtractor principalExtractor;
     private final Path configPath;
+    private final Settings settings;
 
     public OpenDistroSecuritySSLInfoAction(final Settings settings, final Path configPath, final RestController controller,
             final OpenDistroSecurityKeyStore sgks, final PrincipalExtractor principalExtractor) {
         super(settings);
         this.sgks = sgks;
         this.principalExtractor = principalExtractor;
         this.configPath = configPath;
+        this.settings = settings;
         controller.registerHandler(GET, "/_opendistro/_security/sslinfo", this);
     }
 

src/main/java/com/amazon/opendistroforelasticsearch/security/ssl/transport/OpenDistroSecuritySSLNettyTransport.java

@@ -30,15 +30,6 @@
 
 package com.amazon.opendistroforelasticsearch.security.ssl.transport;
 
-import io.netty.channel.Channel;
-import io.netty.channel.ChannelHandler;
-import io.netty.channel.ChannelHandlerContext;
-import io.netty.channel.ChannelOutboundHandlerAdapter;
-import io.netty.channel.ChannelPromise;
-import io.netty.handler.codec.DecoderException;
-import io.netty.handler.ssl.NotSslRecordException;
-import io.netty.handler.ssl.SslHandler;
-
 import java.net.InetSocketAddress;
 import java.net.SocketAddress;
 
@@ -49,11 +40,13 @@
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.elasticsearch.ExceptionsHelper;
+import org.elasticsearch.Version;
 import org.elasticsearch.cluster.node.DiscoveryNode;
 import org.elasticsearch.common.io.stream.NamedWriteableRegistry;
+import org.elasticsearch.common.network.CloseableChannel;
 import org.elasticsearch.common.network.NetworkService;
 import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.common.util.BigArrays;
+import org.elasticsearch.common.util.PageCacheRecycler;
 import org.elasticsearch.indices.breaker.CircuitBreakerService;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.transport.TcpChannel;
@@ -63,21 +56,31 @@
 import com.amazon.opendistroforelasticsearch.security.ssl.SslExceptionHandler;
 import com.amazon.opendistroforelasticsearch.security.ssl.util.SSLConfigConstants;
 
+import io.netty.channel.Channel;
+import io.netty.channel.ChannelHandler;
+import io.netty.channel.ChannelHandlerContext;
+import io.netty.channel.ChannelOutboundHandlerAdapter;
+import io.netty.channel.ChannelPromise;
+import io.netty.handler.codec.DecoderException;
+import io.netty.handler.ssl.NotSslRecordException;
+import io.netty.handler.ssl.SslHandler;
+
 public class OpenDistroSecuritySSLNettyTransport extends Netty4Transport {
 
+    private static final Logger logger = LogManager.getLogger(OpenDistroSecuritySSLNettyTransport.class);
     private final OpenDistroSecurityKeyStore sgks;
     private final SslExceptionHandler errorHandler;
 
-    public OpenDistroSecuritySSLNettyTransport(final Settings settings, final ThreadPool threadPool, final NetworkService networkService,
-            final BigArrays bigArrays, final NamedWriteableRegistry namedWriteableRegistry,
-            final CircuitBreakerService circuitBreakerService, final OpenDistroSecurityKeyStore sgks, final SslExceptionHandler errorHandler) {
-        super(settings, threadPool, networkService, bigArrays, namedWriteableRegistry, circuitBreakerService);
+    public OpenDistroSecuritySSLNettyTransport(final Settings settings, final Version version, final ThreadPool threadPool, final NetworkService networkService,
+        final PageCacheRecycler pageCacheRecycler, final NamedWriteableRegistry namedWriteableRegistry,
+        final CircuitBreakerService circuitBreakerService, final OpenDistroSecurityKeyStore sgks, final SslExceptionHandler errorHandler) {
+        super(settings, version, threadPool, networkService, pageCacheRecycler, namedWriteableRegistry, circuitBreakerService);
         this.sgks = sgks;
         this.errorHandler = errorHandler;
     }
 
     @Override
-    protected void onException(TcpChannel channel, Exception e) {
+    public void onException(TcpChannel channel, Exception e) {
 
 
         if (lifecycle.started()) {
@@ -92,15 +95,15 @@ protected void onException(TcpChannel channel, Exception e) {
 
             if(cause instanceof NotSslRecordException) {
                 logger.warn("Someone ({}) speaks transport plaintext instead of ssl, will close the channel", channel.getLocalAddress());
-                TcpChannel.closeChannel(channel, false);
+                CloseableChannel.closeChannel(channel, false);
                 return;
             } else if (cause instanceof SSLException) {
                 logger.error("SSL Problem "+cause.getMessage(),cause);
-                TcpChannel.closeChannel(channel, false);
+                CloseableChannel.closeChannel(channel, false);
                 return;
             } else if (cause instanceof SSLHandshakeException) {
                 logger.error("Problem during handshake "+cause.getMessage());
-                TcpChannel.closeChannel(channel, false);
+                CloseableChannel.closeChannel(channel, false);
                 return;
             }
         }

src/main/java/com/amazon/opendistroforelasticsearch/security/ssl/transport/OpenDistroSecuritySSLRequestHandler.java

@@ -30,9 +30,6 @@
 
 package com.amazon.opendistroforelasticsearch.security.ssl.transport;
 
-import io.netty.channel.Channel;
-import io.netty.handler.ssl.SslHandler;
-
 import java.lang.reflect.Method;
 import java.security.cert.Certificate;
 import java.security.cert.X509Certificate;
@@ -53,12 +50,14 @@
 import org.elasticsearch.transport.TransportChannel;
 import org.elasticsearch.transport.TransportRequest;
 import org.elasticsearch.transport.TransportRequestHandler;
-import org.elasticsearch.transport.netty4.NettyTcpChannel;
+import org.elasticsearch.transport.netty4.Netty4TcpChannel;
 
 import com.amazon.opendistroforelasticsearch.security.ssl.SslExceptionHandler;
 import com.amazon.opendistroforelasticsearch.security.ssl.util.ExceptionUtils;
 import com.amazon.opendistroforelasticsearch.security.ssl.util.SSLRequestHelper;
 
+import io.netty.handler.ssl.SslHandler;
+
 public class OpenDistroSecuritySSLRequestHandler<T extends TransportRequest>
 implements TransportRequestHandler<T> {
 
@@ -120,15 +119,15 @@ public final void messageReceived(T request, TransportChannel channel, Task task
 
         try {
 
-            NettyTcpChannel nettyChannel = null;
+            Netty4TcpChannel nettyChannel = null;
 
             if (innerChannel instanceof TaskTransportChannel) {
                 final TransportChannel inner = ((TaskTransportChannel) innerChannel).getChannel();
-                nettyChannel = (NettyTcpChannel) ((TcpTransportChannel) inner).getChannel();
+                nettyChannel = (Netty4TcpChannel) ((TcpTransportChannel) inner).getChannel();
             } else
             if (innerChannel instanceof TcpTransportChannel) {
                 final TcpChannel inner = ((TcpTransportChannel) innerChannel).getChannel();
-                nettyChannel = (NettyTcpChannel) inner;
+                nettyChannel = (Netty4TcpChannel) inner;
             } else {
                 throw new Exception("Invalid channel of type "+innerChannel.getClass()+ " ("+innerChannel.getChannelType()+")");
             }

src/main/java/com/amazon/opendistroforelasticsearch/security/ssl/util/SSLConfigConstants.java

@@ -186,7 +186,8 @@ public static final String[] getSecureSSLProtocols(Settings settings, boolean ht
         "TLS_AES_256_GCM_SHA384",
 
         //TLS 1.3 OpenSSL
-        "TLS_CHACHA20_POLY1305_SHA256",
+        "TLS_AES_128_CCM_8_SHA256",
+        "TLS_AES_128_CCM_SHA256",
 
         //IBM
         "SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256",

src/test/java/com/amazon/opendistroforelasticsearch/security/ssl/OpenSSLTest.java

@@ -30,19 +30,27 @@
 
 package com.amazon.opendistroforelasticsearch.security.ssl;
 
-import io.netty.handler.ssl.OpenSsl;
-
 import java.util.HashSet;
+import java.util.Random;
 import java.util.Set;
 
+import org.elasticsearch.action.admin.cluster.health.ClusterHealthRequest;
+import org.elasticsearch.action.admin.cluster.health.ClusterHealthResponse;
+import org.elasticsearch.action.admin.cluster.node.info.NodesInfoRequest;
 import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.common.unit.TimeValue;
+import org.elasticsearch.node.Node;
+import org.elasticsearch.node.PluginAwareNode;
+import org.elasticsearch.transport.Netty4Plugin;
 import org.junit.Assert;
 import org.junit.Assume;
 import org.junit.Before;
 import org.junit.Test;
 
 import com.amazon.opendistroforelasticsearch.security.ssl.util.SSLConfigConstants;
 
+import io.netty.handler.ssl.OpenSsl;
+
 public class OpenSSLTest extends SSLTest {
 
     @Before
@@ -177,4 +185,42 @@ public void testHttpsAndNodeSSLPemEnc() throws Exception {
         Assume.assumeTrue(OpenSsl.isAvailable());
         super.testHttpsAndNodeSSLPemEnc();
     }
+
+    @Test
+    public void testNodeClientSSLwithOpenSslTLSv13() throws Exception {
+
+        Assume.assumeTrue(OpenSsl.isAvailable() && OpenSsl.version() > 0x10101009L);
+
+        final Settings settings = Settings.builder().put("opendistro_security.ssl.transport.enabled", true)
+                .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
+                .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
+                .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0")
+                .put("opendistro_security.ssl.transport.keystore_filepath", getAbsoluteFilePathFromClassPath("node-0-keystore.jks"))
+                .put("opendistro_security.ssl.transport.truststore_filepath", getAbsoluteFilePathFromClassPath("truststore.jks"))
+                .put("opendistro_security.ssl.transport.enforce_hostname_verification", false)
+                .put("opendistro_security.ssl.transport.resolve_hostname", false)
+                .putList(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS, "TLSv1.3")
+                .putList(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLED_CIPHERS, "TLS_CHACHA20_POLY1305_SHA256")
+                .build();
+
+        startES(settings);
+
+        final Settings tcSettings = Settings.builder().put("cluster.name", clustername).put("path.home", ".")
+                .put("node.name", "client_node_" + new Random().nextInt())
+                .put(settings)// -----
+                .build();
+
+        try (Node node = new PluginAwareNode(tcSettings, Netty4Plugin.class, OpenDistroSecuritySSLPlugin.class).start()) {
+            ClusterHealthResponse res = node.client().admin().cluster().health(new ClusterHealthRequest().waitForNodes("4").timeout(TimeValue.timeValueSeconds(5))).actionGet();
+            Assert.assertFalse(res.isTimedOut());
+            Assert.assertEquals(4, res.getNumberOfNodes());
+            Assert.assertEquals(4, node.client().admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet().getNodes().size());
+        }
+
+        Assert.assertFalse(executeSimpleRequest("_nodes/stats?pretty").contains("\"tx_size_in_bytes\" : 0"));
+        Assert.assertFalse(executeSimpleRequest("_nodes/stats?pretty").contains("\"rx_count\" : 0"));
+        Assert.assertFalse(executeSimpleRequest("_nodes/stats?pretty").contains("\"rx_size_in_bytes\" : 0"));
+        Assert.assertFalse(executeSimpleRequest("_nodes/stats?pretty").contains("\"tx_count\" : 0"));
+    }
+
 }

src/test/java/com/amazon/opendistroforelasticsearch/security/ssl/SSLTest.java

@@ -371,12 +371,8 @@ public void testHttpsAndNodeSSLFailedCipher() throws Exception {
             Assert.fail();
         } catch (Exception e1) {
             Throwable e = ExceptionUtils.getRootCause(e1);
-            if(allowOpenSSL) {
-                Assert.assertTrue(e.toString(), e.toString().contains("no cipher match"));
-            } else {
-                Assert.assertTrue(e.toString(), e.toString().contains("no valid cipher"));
-            }
-        }
+            Assert.assertTrue(e.toString(), e.toString().contains("no valid cipher"));
+       }
     }
 
     @Test