From 603832e7f27fb9966ad519e43e03db64dc5d7564 Mon Sep 17 00:00:00 2001 From: Finn Carroll Date: Tue, 21 Jan 2025 11:06:19 -0800 Subject: [PATCH 01/36] Add addServerConfig() to Netty4GrpcServerTransport to support TLS settings. Allows children to inject generic lambdas modifying the NettyServerBuilder. Lambdas will be executed at server construction. Signed-off-by: Finn Carroll --- .../grpc/Netty4GrpcServerTransport.java | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/Netty4GrpcServerTransport.java b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/Netty4GrpcServerTransport.java index 1fb6a0bca03ea..90eb2f8325c52 100644 --- a/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/Netty4GrpcServerTransport.java +++ b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/Netty4GrpcServerTransport.java @@ -8,6 +8,7 @@ package org.opensearch.transport.grpc; +import io.grpc.netty.shaded.io.netty.handler.ssl.SslContext; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; import org.opensearch.common.network.NetworkService; @@ -32,6 +33,7 @@ import java.util.concurrent.TimeUnit; import java.util.concurrent.atomic.AtomicReference; import java.util.function.Function; +import java.util.function.UnaryOperator; import io.grpc.BindableService; import io.grpc.InsecureServerCredentials; @@ -115,7 +117,7 @@ public class Netty4GrpcServerTransport extends NetworkPlugin.AuxTransport { Setting.Property.NodeScope ); - private final Settings settings; + protected final Settings settings; private final NetworkService networkService; private final List services; private final CopyOnWriteArrayList servers = new CopyOnWriteArrayList<>(); 
@@ -127,6 +129,8 @@ public class Netty4GrpcServerTransport extends NetworkPlugin.AuxTransport { private volatile BoundTransportAddress boundAddress; private volatile EventLoopGroup eventLoopGroup; + private final List> serverBuilderConfigs = new ArrayList<>(); + /** * Creates a new Netty4GrpcServerTransport instance. * @param settings the configured settings. @@ -156,6 +160,10 @@ BoundTransportAddress boundAddress() { return this.boundAddress; } + protected void addServerConfig(UnaryOperator configModifier) { + serverBuilderConfigs.add(configModifier); + } + @Override protected void doStart() { boolean success = false; @@ -249,13 +257,18 @@ private TransportAddress bindAddress(InetAddress hostAddress, PortsRange portRan try { final InetSocketAddress address = new InetSocketAddress(hostAddress, portNumber); - final NettyServerBuilder serverBuilder = NettyServerBuilder.forAddress(address, InsecureServerCredentials.create()) + final NettyServerBuilder serverBuilder = NettyServerBuilder + .forAddress(address, InsecureServerCredentials.create()) .bossEventLoopGroup(eventLoopGroup) .workerEventLoopGroup(eventLoopGroup) .channelType(NioServerSocketChannel.class) .addService(new HealthStatusManager().getHealthService()) .addService(ProtoReflectionService.newInstance()); + for (UnaryOperator op : serverBuilderConfigs) { + op.apply(serverBuilder); + } + services.forEach(serverBuilder::addService); Server srv = serverBuilder.build().start(); From aeaecdeddda191934d4298071da996c91b62a647 Mon Sep 17 00:00:00 2001 From: Finn Carroll Date: Tue, 21 Jan 2025 12:12:50 -0800 Subject: [PATCH 02/36] Add SecureAuxTransportSettingsProvider to enable TLS for aux transports. SecureAuxTransportSettingsProvider which acts as the entrypoint for injecting security settings into aux transports. To maintain a more generic and widely adaptable interface javax SSLContext is the container of choice for security settings. 
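Review bot: `addServerConfig` is a new protected extension point with no Javadoc, and the loop added to `bindAddress` discards the value returned by `op.apply(serverBuilder)`, so an operator that returns a different builder instead of mutating the one it receives is silently ignored. Since this hook is what later carries the TLS configuration, I would document the contract, e.g. `/** Registers a modifier applied to every NettyServerBuilder in bindAddress before build(); it must mutate and return the builder it is given. */`, or accept a `Consumer` so the signature cannot suggest otherwise. `serverBuilderConfigs` is a plain `ArrayList`, which is only safe while registration happens in constructors before `doStart()`; that restriction belongs in the same comment.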
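Review bot: The builder handed to the registered operators in `bindAddress` is still created with `NettyServerBuilder.forAddress(address, InsecureServerCredentials.create())`, so the TLS path relies on a later `sslContext(...)` call overriding plaintext credentials. As far as I recall, grpc-java freezes the security configuration of a builder created with `ServerCredentials` and rejects `sslContext(...)` with an `IllegalStateException`; please confirm against the shaded grpc-netty version in use. Even if the call is accepted, a secure subclass whose operator is missing or fails should not leave a listener bound in plaintext, so the credentials should be chosen before the builder is constructed (for example through a protected hook that returns the `ServerCredentials`) rather than patched in afterwards. The body of `bindAddress` continues outside the hunk.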
Signed-off-by: Finn Carroll --- .../opensearch/transport/grpc/GrpcPlugin.java | 23 +++++++++++ .../org/opensearch/plugins/NetworkPlugin.java | 18 +++++++++ .../SecureAuxTransportSettingsProvider.java | 38 +++++++++++++++++++ .../transport/TransportAdapterProvider.java | 2 +- 4 files changed, 80 insertions(+), 1 deletion(-) create mode 100644 server/src/main/java/org/opensearch/plugins/SecureAuxTransportSettingsProvider.java diff --git a/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/GrpcPlugin.java b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/GrpcPlugin.java index 7f02983010f98..61a65a1ed7533 100644 --- a/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/GrpcPlugin.java +++ b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/GrpcPlugin.java @@ -14,8 +14,10 @@ import org.opensearch.core.indices.breaker.CircuitBreakerService; import org.opensearch.plugins.NetworkPlugin; import org.opensearch.plugins.Plugin; +import org.opensearch.plugins.SecureAuxTransportSettingsProvider; import org.opensearch.telemetry.tracing.Tracer; import org.opensearch.threadpool.ThreadPool; +import org.opensearch.transport.grpc.ssl.SecureNetty4GrpcServerTransport; import java.util.Collections; import java.util.List; @@ -55,6 +57,27 @@ public Map> getAuxTransports( ); } + @Override + public Map> getSecureAuxTransports( + Settings settings, + ThreadPool threadPool, + CircuitBreakerService circuitBreakerService, + NetworkService networkService, + ClusterSettings clusterSettings, + SecureAuxTransportSettingsProvider secureAuxTransportSettingsProvider, + Tracer tracer + ) { + return Collections.singletonMap( + GRPC_TRANSPORT_SETTING_KEY, + () -> new SecureNetty4GrpcServerTransport( + settings, + Collections.emptyList(), + networkService, + secureAuxTransportSettingsProvider + ) + ); + } + @Override public List> getSettings() { return List.of( 
diff --git a/server/src/main/java/org/opensearch/plugins/NetworkPlugin.java b/server/src/main/java/org/opensearch/plugins/NetworkPlugin.java index 4442189373c93..7dd426cabc283 100644 --- a/server/src/main/java/org/opensearch/plugins/NetworkPlugin.java +++ b/server/src/main/java/org/opensearch/plugins/NetworkPlugin.java @@ -75,6 +75,7 @@ public interface NetworkPlugin { * bootstrap. To allow pluggable AuxTransports access to configurable port ranges we require the port range be provided * through an {@link org.opensearch.common.settings.Setting.AffixSetting} of the form 'AUX_SETTINGS_PREFIX.{aux-transport-key}.ports'. */ + @ExperimentalApi abstract class AuxTransport extends AbstractLifecycleComponent { public static final String AUX_SETTINGS_PREFIX = "aux.transport."; public static final String AUX_TRANSPORT_TYPES_KEY = AUX_SETTINGS_PREFIX + "types"; @@ -159,6 +160,23 @@ default Map> getHttpTransports( return Collections.emptyMap(); } + /** + * Returns a map of secure {@link AuxTransport} suppliers. + * See {@link org.opensearch.plugins.NetworkPlugin.AuxTransport#AUX_TRANSPORT_TYPES_SETTING} to configure a specific implementation. + */ + @ExperimentalApi + default Map> getSecureAuxTransports( + Settings settings, + ThreadPool threadPool, + CircuitBreakerService circuitBreakerService, + NetworkService networkService, + ClusterSettings clusterSettings, + SecureAuxTransportSettingsProvider secureAuxTransportSettingsProvider, + Tracer tracer + ) { + return Collections.emptyMap(); + } + /** * Returns a map of secure {@link Transport} suppliers. * See {@link org.opensearch.common.network.NetworkModule#TRANSPORT_TYPE_KEY} to configure a specific implementation. diff --git a/server/src/main/java/org/opensearch/plugins/SecureAuxTransportSettingsProvider.java b/server/src/main/java/org/opensearch/plugins/SecureAuxTransportSettingsProvider.java new file mode 100644 index 0000000000000..aaecdbaa5e9e7 --- /dev/null 
+++ b/server/src/main/java/org/opensearch/plugins/SecureAuxTransportSettingsProvider.java @@ -0,0 +1,38 @@ +/* + * SPDX-License-Identifier: Apache-2.0 + * + * The OpenSearch Contributors require contributions made to + * this file be licensed under the Apache-2.0 license or a + * compatible open source license. + */ + +package org.opensearch.plugins; + +import org.opensearch.common.annotation.ExperimentalApi; +import org.opensearch.common.settings.Settings; +import org.opensearch.http.HttpServerTransport; +import org.opensearch.transport.TransportAdapterProvider; + +import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLEngine; +import javax.net.ssl.SSLException; +import java.util.Collection; +import java.util.Collections; +import java.util.Optional; + +/** + * A provider for security related settings for gRPC transports. + * + * @opensearch.experimental + */ +@ExperimentalApi +public interface SecureAuxTransportSettingsProvider { + /** + * If supported, builds an {@link SSLContext} instance for {@link NetworkPlugin.AuxTransport} instance + * @param settings settings + * @param transport {@link NetworkPlugin.AuxTransport} instance + * @return if supported, builds the {@link SSLContext} instance + * @throws SSLException throws SSLException if the {@link SSLEngine} instance cannot be built + */ + Optional buildSecureAuxServerSSLContext(Settings settings, NetworkPlugin.AuxTransport transport) throws SSLException; +} diff --git a/server/src/main/java/org/opensearch/transport/TransportAdapterProvider.java b/server/src/main/java/org/opensearch/transport/TransportAdapterProvider.java index 36dbd5a699b40..7e39445b1699c 100644 --- a/server/src/main/java/org/opensearch/transport/TransportAdapterProvider.java +++ b/server/src/main/java/org/opensearch/transport/TransportAdapterProvider.java 
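Review bot: The Javadoc on `buildSecureAuxServerSSLContext` does not say what an empty `Optional` means, and the caller added in the next patch of this series treats it as "use the JVM default `SSLContext`". For a security provider that distinction should be part of the contract, e.g. `@return the server {@link SSLContext}; empty if this provider does not configure TLS for the given transport, in which case the transport must not start`. The class comment says "gRPC transports" although the interface is generic over `AuxTransport`, and the `@throws` line mentions `SSLEngine` where no engine is built. The imports of `HttpServerTransport`, `TransportAdapterProvider`, `Collection` and `Collections` appear unused.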
@@ -32,7 +32,7 @@ public interface TransportAdapterProvider { * Provides a new transport adapter of required transport adapter class and transport instance. * @param transport adapter class * @param settings settings - * @param transport HTTP transport instance + * @param transport transport instance * @param adapterClass required transport adapter class * @return the non-empty {@link Optional} if the transport adapter could be created, empty one otherwise */ From 32f60d83ec1cfb0060f9457edc59f826c8d04113 Mon Sep 17 00:00:00 2001 From: Finn Carroll Date: Tue, 21 Jan 2025 14:00:57 -0800 Subject: [PATCH 03/36] Add SecureNetty4GrpcServerTransport. Wrap javax SSLContext for compatibility with gRPC server. Signed-off-by: Finn Carroll --- .../transport/grpc/ssl/SSLContextWrapper.java | 90 +++++++++++++++++++ .../ssl/SecureNetty4GrpcServerTransport.java | 82 +++++++++++++++++ 2 files changed, 172 insertions(+) create mode 100644 plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/ssl/SSLContextWrapper.java create mode 100644 plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/ssl/SecureNetty4GrpcServerTransport.java diff --git a/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/ssl/SSLContextWrapper.java b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/ssl/SSLContextWrapper.java new file mode 100644 index 0000000000000..359be19fbf60c --- /dev/null +++ b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/ssl/SSLContextWrapper.java 
@@ -0,0 +1,90 @@ +/* + * SPDX-License-Identifier: Apache-2.0 + * + * The OpenSearch Contributors require contributions made to + * this file be licensed under the Apache-2.0 license or a + * compatible open source license. + * + * Modifications Copyright OpenSearch Contributors. See + * GitHub history for details. + */ +package org.opensearch.transport.grpc.ssl; + +import io.grpc.netty.shaded.io.netty.buffer.ByteBufAllocator; +import io.grpc.netty.shaded.io.netty.handler.ssl.ApplicationProtocolNegotiator; +import io.grpc.netty.shaded.io.netty.handler.ssl.SslContext; + +import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLEngine; +import javax.net.ssl.SSLSessionContext; +import java.security.NoSuchAlgorithmException; +import java.util.List; + +/** + * A light wrapper intended to negotiate the difference between two ssl context implementations. + * {@link SSLContext} provided by javax.net.ssl, and + * {@link SslContext} provided by io.grpc. + */ +public class SSLContextWrapper extends SslContext { + private final SSLContext ctxt; + private final boolean client; + + private static final String[] DEFAULT_SSL_PROTOCOLS = { "TLSv1.3", "TLSv1.2", "TLSv1.1" }; + + public SSLContextWrapper(boolean isClient) throws NoSuchAlgorithmException { + this(SSLContext.getDefault(), isClient); + } + + public SSLContextWrapper(SSLContext javaxCtxt, boolean isClient) { + this.ctxt = javaxCtxt; + this.ctxt.getDefaultSSLParameters().setProtocols(DEFAULT_SSL_PROTOCOLS); + this.client = isClient; + } + + @Override + public boolean isClient() { + return client; + } + + @Override + public List cipherSuites() { + return List.of(ctxt.getDefaultSSLParameters().getCipherSuites()); + } + + class DefaultAPN implements ApplicationProtocolNegotiator { + @Override + public List protocols() { + return List.of(ctxt.getDefaultSSLParameters().getProtocols()); + } + } + + // ApplicationProtocolNegotiator is deprecated + @Override + public ApplicationProtocolNegotiator applicationProtocolNegotiator() { 
+ return new DefaultAPN() { + @Override + public List protocols() { + return List.of(ctxt.getDefaultSSLParameters().getApplicationProtocols()); + } + }; + } + + /** + * javax SSLContext handles its own buffer allocation. + * As such we can ignore the netty ByteBufAllocator when creating engines. + */ + @Override + public SSLEngine newEngine(ByteBufAllocator byteBufAllocator) { + return ctxt.createSSLEngine(); + } + + @Override + public SSLEngine newEngine(ByteBufAllocator byteBufAllocator, String s, int i) { + return ctxt.createSSLEngine(s, i); + } + + @Override + public SSLSessionContext sessionContext() { + return this.client? ctxt.getClientSessionContext() : ctxt.getServerSessionContext(); + } +} diff --git a/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/ssl/SecureNetty4GrpcServerTransport.java b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/ssl/SecureNetty4GrpcServerTransport.java new file mode 100644 index 0000000000000..df7ef3d08f89f --- /dev/null +++ b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/ssl/SecureNetty4GrpcServerTransport.java 
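Review bot: `this.ctxt.getDefaultSSLParameters().setProtocols(DEFAULT_SSL_PROTOCOLS)` in the constructor has no effect, because `SSLContext.getDefaultSSLParameters()` returns a fresh copy on every call; the protocol list is therefore never applied to the engines returned by `newEngine`. The list also enables `TLSv1.1`, which is deprecated (RFC 8996) and should be dropped. Both `newEngine` overloads return the raw result of `createSSLEngine(...)` without `setUseClientMode(client)`, without a protocol restriction, without any client-auth setting and without ALPN `h2`, which gRPC over TLS needs; the sketch below applies the first three per engine and leaves client auth to be decided by the provider. Wrapping the javax context in Netty's own `JdkSslContext` is an alternative worth checking, since it already performs these steps.

```java
private static final String[] DEFAULT_SSL_PROTOCOLS = { "TLSv1.3", "TLSv1.2" };

// Applies per-engine settings; mutating getDefaultSSLParameters() on the context is a no-op.
private SSLEngine configure(SSLEngine engine) {
    engine.setUseClientMode(client);
    SSLParameters params = engine.getSSLParameters();
    params.setProtocols(DEFAULT_SSL_PROTOCOLS);
    params.setApplicationProtocols(new String[] { "h2" });
    engine.setSSLParameters(params);
    return engine;
}

@Override
public SSLEngine newEngine(ByteBufAllocator byteBufAllocator) {
    return configure(ctxt.createSSLEngine());
}

@Override
public SSLEngine newEngine(ByteBufAllocator byteBufAllocator, String s, int i) {
    return configure(ctxt.createSSLEngine(s, i));
}
// … unchanged: isClient, cipherSuites, applicationProtocolNegotiator, sessionContext …
```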
@@ -0,0 +1,82 @@ +/* + * SPDX-License-Identifier: Apache-2.0 + * + * The OpenSearch Contributors require contributions made to + * this file be licensed under the Apache-2.0 license or a + * compatible open source license. + */ + +package org.opensearch.transport.grpc.ssl; + +import io.grpc.BindableService; +import io.grpc.netty.shaded.io.grpc.netty.NettyServerBuilder; +import io.grpc.netty.shaded.io.netty.handler.ssl.ClientAuth; +import io.grpc.netty.shaded.io.netty.handler.ssl.SslContext; +import io.grpc.netty.shaded.io.netty.handler.ssl.SslContextBuilder; +import io.grpc.netty.shaded.io.netty.handler.ssl.SslProvider; +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; +import org.opensearch.OpenSearchSecurityException; +import org.opensearch.common.network.NetworkService; +import org.opensearch.common.settings.Settings; +import org.opensearch.plugins.NetworkPlugin; +import org.opensearch.plugins.SecureAuxTransportSettingsProvider; +import org.opensearch.plugins.SecureTransportSettingsProvider; +import org.opensearch.transport.grpc.Netty4GrpcServerTransport; + +import javax.net.ssl.KeyManagerFactory; +import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLEngine; +import javax.net.ssl.SSLException; +import java.security.NoSuchAlgorithmException; +import java.util.List; +import java.util.Optional; + +/** + * Netty4GrpcServerTransport with TLS enabled. + * Security settings injected through a SecureAuxTransportSettingsProvider. + */ +public class SecureNetty4GrpcServerTransport extends Netty4GrpcServerTransport { + private static final Logger logger = LogManager.getLogger(SecureNetty4GrpcServerTransport.class); + + private final SecureAuxTransportSettingsProvider secureAuxTransportSettingsProvider; + + /** + * Creates a new SecureNetty4GrpcServerTransport instance. + * @param settings the configured settings. + * @param services the gRPC compatible services to be registered with the server. 
+ * @param networkService the bind/publish addresses. + * @param secureTransportSettingsProvider TLS configuration settings. + */ + public SecureNetty4GrpcServerTransport( + Settings settings, + List services, + NetworkService networkService, + SecureAuxTransportSettingsProvider secureTransportSettingsProvider + ) { + super(settings, services, networkService); + this.secureAuxTransportSettingsProvider = secureTransportSettingsProvider; + this.addServerConfig( + (NettyServerBuilder builder) -> { + try { + return builder.sslContext(buildSslContext()); + } catch (SSLException | NoSuchAlgorithmException e) { + throw new RuntimeException(e); + } + } + ); + } + + private SslContext buildSslContext() throws SSLException, NoSuchAlgorithmException { + Optional SSLCtxt = secureAuxTransportSettingsProvider.buildSecureAuxServerSSLContext( + this.settings, + this + ); + + if (SSLCtxt.isPresent()) { + return new SSLContextWrapper(SSLCtxt.get(), false); + } + + return new SSLContextWrapper(false); + } +} From 43ad8e1442a27557c7b206c998a7a8ff52e4b0cd Mon Sep 17 00:00:00 2001 From: Finn Carroll Date: Tue, 21 Jan 2025 14:07:23 -0800 Subject: [PATCH 04/36] Spotless apply Signed-off-by: Finn Carroll --- .../opensearch/transport/grpc/GrpcPlugin.java | 7 +--- .../grpc/Netty4GrpcServerTransport.java | 4 +- .../transport/grpc/ssl/SSLContextWrapper.java | 11 +++--- .../ssl/SecureNetty4GrpcServerTransport.java | 37 +++++++------------ 4 files changed, 21 insertions(+), 38 deletions(-) diff --git a/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/GrpcPlugin.java b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/GrpcPlugin.java index 61a65a1ed7533..d264c4e25fe9e 100644 --- a/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/GrpcPlugin.java +++ b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/GrpcPlugin.java 
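Review bot: `buildSslContext()` falls back to `new SSLContextWrapper(false)`, i.e. `SSLContext.getDefault()`, when the provider returns an empty `Optional`, so a transport named "secure" can come up with a context the operator never configured and which normally carries no server key material. I would fail closed instead: `return new SSLContextWrapper(sslContext.orElseThrow(() -> new SSLException("no SSLContext provided for secure gRPC transport")), false);`. The lambda in the constructor rethrows as a bare `new RuntimeException(e)`; a message naming the transport would make a TLS misconfiguration easier to find in the startup log. The local `SSLCtxt` should be lowerCamelCase, e.g. `sslContext`.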
@@ -69,12 +69,7 @@ public Map> getSecureAuxTransports( ) { return Collections.singletonMap( GRPC_TRANSPORT_SETTING_KEY, - () -> new SecureNetty4GrpcServerTransport( - settings, - Collections.emptyList(), - networkService, - secureAuxTransportSettingsProvider - ) + () -> new SecureNetty4GrpcServerTransport(settings, Collections.emptyList(), networkService, secureAuxTransportSettingsProvider) ); } diff --git a/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/Netty4GrpcServerTransport.java b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/Netty4GrpcServerTransport.java index 90eb2f8325c52..5c73e50ddac1c 100644 --- a/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/Netty4GrpcServerTransport.java +++ b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/Netty4GrpcServerTransport.java @@ -8,7 +8,6 @@ package org.opensearch.transport.grpc; -import io.grpc.netty.shaded.io.netty.handler.ssl.SslContext; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; import org.opensearch.common.network.NetworkService; @@ -257,8 +256,7 @@ private TransportAddress bindAddress(InetAddress hostAddress, PortsRange portRan try { final InetSocketAddress address = new InetSocketAddress(hostAddress, portNumber); - final NettyServerBuilder serverBuilder = NettyServerBuilder - .forAddress(address, InsecureServerCredentials.create()) + final NettyServerBuilder serverBuilder = NettyServerBuilder.forAddress(address, InsecureServerCredentials.create()) .bossEventLoopGroup(eventLoopGroup) .workerEventLoopGroup(eventLoopGroup) .channelType(NioServerSocketChannel.class) diff --git a/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/ssl/SSLContextWrapper.java b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/ssl/SSLContextWrapper.java index 359be19fbf60c..84be88120c041 100644 
--- a/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/ssl/SSLContextWrapper.java +++ b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/ssl/SSLContextWrapper.java @@ -10,16 +10,17 @@ */ package org.opensearch.transport.grpc.ssl; -import io.grpc.netty.shaded.io.netty.buffer.ByteBufAllocator; -import io.grpc.netty.shaded.io.netty.handler.ssl.ApplicationProtocolNegotiator; -import io.grpc.netty.shaded.io.netty.handler.ssl.SslContext; - import javax.net.ssl.SSLContext; import javax.net.ssl.SSLEngine; import javax.net.ssl.SSLSessionContext; + import java.security.NoSuchAlgorithmException; import java.util.List; +import io.grpc.netty.shaded.io.netty.buffer.ByteBufAllocator; +import io.grpc.netty.shaded.io.netty.handler.ssl.ApplicationProtocolNegotiator; +import io.grpc.netty.shaded.io.netty.handler.ssl.SslContext; + /** * A light wrapper intended to negotiate the difference between two ssl context implementations. * {@link SSLContext} provided by javax.net.ssl, and @@ -85,6 +86,6 @@ public SSLEngine newEngine(ByteBufAllocator byteBufAllocator, String s, int i) { @Override public SSLSessionContext sessionContext() { - return this.client? ctxt.getClientSessionContext() : ctxt.getServerSessionContext(); + return this.client ? ctxt.getClientSessionContext() : ctxt.getServerSessionContext(); } } diff --git a/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/ssl/SecureNetty4GrpcServerTransport.java b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/ssl/SecureNetty4GrpcServerTransport.java index df7ef3d08f89f..2983367e932d1 100644 --- a/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/ssl/SecureNetty4GrpcServerTransport.java +++ b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/ssl/SecureNetty4GrpcServerTransport.java 
@@ -8,30 +8,24 @@ package org.opensearch.transport.grpc.ssl; -import io.grpc.BindableService; -import io.grpc.netty.shaded.io.grpc.netty.NettyServerBuilder; -import io.grpc.netty.shaded.io.netty.handler.ssl.ClientAuth; -import io.grpc.netty.shaded.io.netty.handler.ssl.SslContext; -import io.grpc.netty.shaded.io.netty.handler.ssl.SslContextBuilder; -import io.grpc.netty.shaded.io.netty.handler.ssl.SslProvider; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; -import org.opensearch.OpenSearchSecurityException; import org.opensearch.common.network.NetworkService; import org.opensearch.common.settings.Settings; -import org.opensearch.plugins.NetworkPlugin; import org.opensearch.plugins.SecureAuxTransportSettingsProvider; -import org.opensearch.plugins.SecureTransportSettingsProvider; import org.opensearch.transport.grpc.Netty4GrpcServerTransport; -import javax.net.ssl.KeyManagerFactory; import javax.net.ssl.SSLContext; -import javax.net.ssl.SSLEngine; import javax.net.ssl.SSLException; + import java.security.NoSuchAlgorithmException; import java.util.List; import java.util.Optional; +import io.grpc.BindableService; +import io.grpc.netty.shaded.io.grpc.netty.NettyServerBuilder; +import io.grpc.netty.shaded.io.netty.handler.ssl.SslContext; + /** * Netty4GrpcServerTransport with TLS enabled. * Security settings injected through a SecureAuxTransportSettingsProvider. 
@@ -53,25 +47,20 @@ public SecureNetty4GrpcServerTransport( List services, NetworkService networkService, SecureAuxTransportSettingsProvider secureTransportSettingsProvider - ) { + ) { super(settings, services, networkService); this.secureAuxTransportSettingsProvider = secureTransportSettingsProvider; - this.addServerConfig( - (NettyServerBuilder builder) -> { - try { - return builder.sslContext(buildSslContext()); - } catch (SSLException | NoSuchAlgorithmException e) { - throw new RuntimeException(e); - } + this.addServerConfig((NettyServerBuilder builder) -> { + try { + return builder.sslContext(buildSslContext()); + } catch (SSLException | NoSuchAlgorithmException e) { + throw new RuntimeException(e); } - ); + }); } private SslContext buildSslContext() throws SSLException, NoSuchAlgorithmException { - Optional SSLCtxt = secureAuxTransportSettingsProvider.buildSecureAuxServerSSLContext( - this.settings, - this - ); + Optional SSLCtxt = secureAuxTransportSettingsProvider.buildSecureAuxServerSSLContext(this.settings, this); if (SSLCtxt.isPresent()) { return new SSLContextWrapper(SSLCtxt.get(), false); From 3dd549e38b0bf2f6947c31a82f7ba8efd235dca8 Mon Sep 17 00:00:00 2001 From: Finn Carroll Date: Wed, 22 Jan 2025 08:43:36 -0800 Subject: [PATCH 05/36] Register secure aux transports with Node.java. Hide settings key and override parent port range in SecureNetty4GrpcServerTransport. Signed-off-by: Finn Carroll --- .../opensearch/transport/grpc/GrpcPlugin.java | 5 ++- .../grpc/Netty4GrpcServerTransport.java | 8 ++--- .../ssl/SecureNetty4GrpcServerTransport.java | 15 +++++++++ .../common/network/NetworkModule.java | 31 +++++++++++++++++++ .../plugins/SecureSettingsFactory.java | 7 +++++ .../common/network/NetworkModuleTests.java | 12 +++++++ 6 files changed, 71 insertions(+), 7 deletions(-) 
diff --git a/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/GrpcPlugin.java b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/GrpcPlugin.java index d264c4e25fe9e..e5e70f6784e6e 100644 --- a/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/GrpcPlugin.java +++ b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/GrpcPlugin.java @@ -24,7 +24,6 @@ import java.util.Map; import java.util.function.Supplier; -import static org.opensearch.transport.grpc.Netty4GrpcServerTransport.GRPC_TRANSPORT_SETTING_KEY; import static org.opensearch.transport.grpc.Netty4GrpcServerTransport.SETTING_GRPC_BIND_HOST; import static org.opensearch.transport.grpc.Netty4GrpcServerTransport.SETTING_GRPC_HOST; import static org.opensearch.transport.grpc.Netty4GrpcServerTransport.SETTING_GRPC_PORT; @@ -52,7 +51,7 @@ public Map> getAuxTransports( Tracer tracer ) { return Collections.singletonMap( - GRPC_TRANSPORT_SETTING_KEY, + Netty4GrpcServerTransport.GRPC_TRANSPORT_SETTING_KEY, () -> new Netty4GrpcServerTransport(settings, Collections.emptyList(), networkService) ); } @@ -68,7 +67,7 @@ public Map> getSecureAuxTransports( Tracer tracer ) { return Collections.singletonMap( - GRPC_TRANSPORT_SETTING_KEY, + SecureNetty4GrpcServerTransport.GRPC_TRANSPORT_SETTING_KEY, () -> new SecureNetty4GrpcServerTransport(settings, Collections.emptyList(), networkService, secureAuxTransportSettingsProvider) ); } diff --git a/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/Netty4GrpcServerTransport.java b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/Netty4GrpcServerTransport.java index 5c73e50ddac1c..a912ab3fb3a9d 100644 --- a/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/Netty4GrpcServerTransport.java +++ b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/Netty4GrpcServerTransport.java 
@@ -116,20 +116,20 @@ public class Netty4GrpcServerTransport extends NetworkPlugin.AuxTransport { Setting.Property.NodeScope ); + protected PortsRange port; protected final Settings settings; + private final NetworkService networkService; private final List services; - private final CopyOnWriteArrayList servers = new CopyOnWriteArrayList<>(); private final String[] bindHosts; private final String[] publishHosts; - private final PortsRange port; private final int nettyEventLoopThreads; + private final CopyOnWriteArrayList servers = new CopyOnWriteArrayList<>(); + private final List> serverBuilderConfigs = new ArrayList<>(); private volatile BoundTransportAddress boundAddress; private volatile EventLoopGroup eventLoopGroup; - private final List> serverBuilderConfigs = new ArrayList<>(); - /** * Creates a new Netty4GrpcServerTransport instance. * @param settings the configured settings. diff --git a/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/ssl/SecureNetty4GrpcServerTransport.java b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/ssl/SecureNetty4GrpcServerTransport.java index 2983367e932d1..c66e1a049fc54 100644 --- a/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/ssl/SecureNetty4GrpcServerTransport.java +++ b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/ssl/SecureNetty4GrpcServerTransport.java @@ -11,7 +11,9 @@ import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; import org.opensearch.common.network.NetworkService; +import org.opensearch.common.settings.Setting; import org.opensearch.common.settings.Settings; +import org.opensearch.common.transport.PortsRange; import org.opensearch.plugins.SecureAuxTransportSettingsProvider; import org.opensearch.transport.grpc.Netty4GrpcServerTransport; 
@@ -35,6 +37,17 @@ public class SecureNetty4GrpcServerTransport extends Netty4GrpcServerTransport { private final SecureAuxTransportSettingsProvider secureAuxTransportSettingsProvider; + /** + * Hide parent GRPC_TRANSPORT_SETTING_KEY and SETTING_GRPC_PORT. + * Overwrite port in constructor with configuration as specified by + * SecureNetty4GrpcServerTransport.GRPC_TRANSPORT_SETTING_KEY and + * SecureNetty4GrpcServerTransport.SETTING_GRPC_PORT. + */ + public static final String GRPC_TRANSPORT_SETTING_KEY = "experimental-secure-transport-grpc"; + public static final Setting SETTING_GRPC_PORT = AUX_TRANSPORT_PORT.getConcreteSettingForNamespace( + GRPC_TRANSPORT_SETTING_KEY + ); + /** * Creates a new SecureNetty4GrpcServerTransport instance. * @param settings the configured settings. @@ -50,6 +63,8 @@ public SecureNetty4GrpcServerTransport( ) { super(settings, services, networkService); this.secureAuxTransportSettingsProvider = secureTransportSettingsProvider; + this.port = SecureNetty4GrpcServerTransport.SETTING_GRPC_PORT.get(settings); + this.addServerConfig((NettyServerBuilder builder) -> { try { return builder.sslContext(buildSslContext()); diff --git a/server/src/main/java/org/opensearch/common/network/NetworkModule.java b/server/src/main/java/org/opensearch/common/network/NetworkModule.java index 5d55fb52c323d..222f344437ef7 100644 --- a/server/src/main/java/org/opensearch/common/network/NetworkModule.java +++ b/server/src/main/java/org/opensearch/common/network/NetworkModule.java @@ -55,6 +55,7 @@ import org.opensearch.http.HttpServerTransport; import org.opensearch.index.shard.PrimaryReplicaSyncer.ResyncTask; import org.opensearch.plugins.NetworkPlugin; +import org.opensearch.plugins.SecureAuxTransportSettingsProvider; import org.opensearch.plugins.SecureHttpTransportSettingsProvider; import org.opensearch.plugins.SecureSettingsFactory; import org.opensearch.plugins.SecureTransportSettingsProvider; 
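Review bot: `SecureNetty4GrpcServerTransport` hides the parent's `GRPC_TRANSPORT_SETTING_KEY` and `SETTING_GRPC_PORT` with statics of the same name, and the constructor then overwrites the now non-final `protected PortsRange port` after `super(...)` has already read the plaintext port setting. Which constant a reference resolves to then depends on the static type or import at the call site, which makes it easy to register or bind the TLS listener with the plaintext transport's key or port range by mistake. Distinct names (for example `SECURE_GRPC_TRANSPORT_SETTING_KEY` and `SETTING_SECURE_GRPC_PORT`) and a protected parent constructor that takes the `PortsRange` would keep `port` `final` and remove the ambiguity. The two new public constants share one comment; each should have its own Javadoc.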
@@ -210,6 +211,18 @@ public NetworkModule( ); } + final Collection secureAuxTransportSettingsProviders = secureSettingsFactories.stream() + .map(p -> p.getSecureAuxTransportSettingsProvider(settings)) + .filter(Optional::isPresent) + .map(Optional::get) + .collect(Collectors.toList()); + + if (secureAuxTransportSettingsProviders.size() > 1) { + throw new IllegalArgumentException( + "there is more than one secure auxiliary transport settings provider: " + secureAuxTransportSettingsProviders + ); + } + for (NetworkPlugin plugin : plugins) { Map> httpTransportFactory = plugin.getHttpTransports( settings, @@ -274,6 +287,24 @@ public NetworkModule( } } + // Register any secure auxiliary transports if available + if (secureAuxTransportSettingsProviders.isEmpty() == false) { + final SecureAuxTransportSettingsProvider secureSettingProvider = secureAuxTransportSettingsProviders.iterator().next(); + + final Map> secureAuxTransportFactory = plugin.getSecureAuxTransports( + settings, + threadPool, + circuitBreakerService, + networkService, + clusterSettings, + secureSettingProvider, + tracer + ); + for (Map.Entry> entry : secureAuxTransportFactory.entrySet()) { + registerAuxTransport(entry.getKey(), entry.getValue()); + } + } + // Register any secure transports if available if (secureTransportSettingsProviders.isEmpty() == false) { final SecureTransportSettingsProvider secureSettingProvider = secureTransportSettingsProviders.iterator().next(); diff --git a/server/src/main/java/org/opensearch/plugins/SecureSettingsFactory.java b/server/src/main/java/org/opensearch/plugins/SecureSettingsFactory.java index ec2276ecc62ef..0fdf4b6927eb0 100644 --- a/server/src/main/java/org/opensearch/plugins/SecureSettingsFactory.java +++ b/server/src/main/java/org/opensearch/plugins/SecureSettingsFactory.java 
@@ -33,4 +33,11 @@ public interface SecureSettingsFactory { * @return optionally, the instance of the {@link SecureHttpTransportSettingsProvider} */ Optional getSecureHttpTransportSettingsProvider(Settings settings); + + /** + * Creates (or provides pre-created) instance of the {@link SecureAuxTransportSettingsProvider} + * @param settings settings + * @return optionally, the instance of the {@link SecureAuxTransportSettingsProvider} + */ + Optional getSecureAuxTransportSettingsProvider(Settings settings); } diff --git a/server/src/test/java/org/opensearch/common/network/NetworkModuleTests.java b/server/src/test/java/org/opensearch/common/network/NetworkModuleTests.java index 447377e372e61..f824f6fa8333b 100644 --- a/server/src/test/java/org/opensearch/common/network/NetworkModuleTests.java +++ b/server/src/test/java/org/opensearch/common/network/NetworkModuleTests.java @@ -47,6 +47,7 @@ import org.opensearch.http.HttpStats; import org.opensearch.http.NullDispatcher; import org.opensearch.plugins.NetworkPlugin; +import org.opensearch.plugins.SecureAuxTransportSettingsProvider; import org.opensearch.plugins.SecureHttpTransportSettingsProvider; import org.opensearch.plugins.SecureSettingsFactory; import org.opensearch.plugins.SecureTransportSettingsProvider; @@ -61,6 +62,7 @@ import org.opensearch.transport.TransportRequest; import org.opensearch.transport.TransportRequestHandler; +import javax.net.ssl.SSLContext; import javax.net.ssl.SSLEngine; import javax.net.ssl.SSLException; @@ -130,6 +132,16 @@ public Optional buildHttpServerExceptionHandler( } }); } + + @Override + public Optional getSecureAuxTransportSettingsProvider(Settings settings) { + return Optional.of(new SecureAuxTransportSettingsProvider() { + @Override + public Optional buildSecureAuxServerSSLContext(Settings settings, NetworkPlugin.AuxTransport transport) throws SSLException { + return Optional.empty(); + } + }); + } }; } From 30f0f1adf65877549d0eeb29b9e4ec8c5c8b3ea0 Mon Sep 17 00:00:00 2001 
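Review bot: `getSecureAuxTransportSettingsProvider` is added to `SecureSettingsFactory` as an abstract method, so every existing implementation of this plugin-facing interface stops compiling until it is updated, and an implementation built against the older interface would fail when the method is invoked. A default keeps older security plugins working and matches the empty-provider path that the NetworkModule change already handles: `default Optional<SecureAuxTransportSettingsProvider> getSecureAuxTransportSettingsProvider(Settings settings) { return Optional.empty(); }`. The Javadoc should also state that an empty result means no secure auxiliary transport is registered.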
From: Finn Carroll Date: Wed, 22 Jan 2025 18:15:05 -0800 Subject: [PATCH 06/36] Add SecureNetty4GrpcServerTransport.SETTING_GRPC_PORT to plugin settings. Signed-off-by: Finn Carroll --- .../main/java/org/opensearch/transport/grpc/GrpcPlugin.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/GrpcPlugin.java b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/GrpcPlugin.java index e5e70f6784e6e..b552d94a3c4cb 100644 --- a/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/GrpcPlugin.java +++ b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/GrpcPlugin.java @@ -26,7 +26,6 @@ import static org.opensearch.transport.grpc.Netty4GrpcServerTransport.SETTING_GRPC_BIND_HOST; import static org.opensearch.transport.grpc.Netty4GrpcServerTransport.SETTING_GRPC_HOST; -import static org.opensearch.transport.grpc.Netty4GrpcServerTransport.SETTING_GRPC_PORT; import static org.opensearch.transport.grpc.Netty4GrpcServerTransport.SETTING_GRPC_PUBLISH_HOST; import static org.opensearch.transport.grpc.Netty4GrpcServerTransport.SETTING_GRPC_PUBLISH_PORT; import static org.opensearch.transport.grpc.Netty4GrpcServerTransport.SETTING_GRPC_WORKER_COUNT; @@ -75,7 +74,8 @@ public Map> getSecureAuxTransports( @Override public List> getSettings() { return List.of( - SETTING_GRPC_PORT, + Netty4GrpcServerTransport.SETTING_GRPC_PORT, + SecureNetty4GrpcServerTransport.SETTING_GRPC_PORT, SETTING_GRPC_HOST, SETTING_GRPC_PUBLISH_HOST, SETTING_GRPC_BIND_HOST, From dde2ddf9a6591f3be9ad12a182cb8b8468b91830 Mon Sep 17 00:00:00 2001 From: Finn Carroll Date: Mon, 3 Feb 2025 15:08:54 -0800 Subject: [PATCH 07/36] Add keys/certs for secure gRPC transport test suite. 
Signed-off-by: Finn Carroll --- .../src/test/resources/README.txt | 17 +++++++++++ .../src/test/resources/certificate.crt | 22 ++++++++++++++ .../src/test/resources/certificate.key | 28 ++++++++++++++++++ .../src/test/resources/netty4-secure.jks | Bin 0 -> 2806 bytes .../src/test/resources/server.p12 | Bin 0 -> 2782 bytes 5 files changed, 67 insertions(+) create mode 100644 plugins/transport-grpc/src/test/resources/README.txt create mode 100644 plugins/transport-grpc/src/test/resources/certificate.crt create mode 100644 plugins/transport-grpc/src/test/resources/certificate.key create mode 100644 plugins/transport-grpc/src/test/resources/netty4-secure.jks create mode 100644 plugins/transport-grpc/src/test/resources/server.p12 diff --git a/plugins/transport-grpc/src/test/resources/README.txt b/plugins/transport-grpc/src/test/resources/README.txt new file mode 100644 index 0000000000000..c8cec5d3803a4 --- /dev/null +++ b/plugins/transport-grpc/src/test/resources/README.txt @@ -0,0 +1,17 @@ +#!/usr/bin/env bash +# +# This is README describes how the certificates in this directory were created. +# This file can also be executed as a script +# + +# 1. Create certificate key + +openssl req -x509 -sha256 -newkey rsa:2048 -keyout certificate.key -out certificate.crt -days 1024 -nodes + +# 2. Export the certificate in pkcs12 format + +openssl pkcs12 -export -in certificate.crt -inkey certificate.key -out server.p12 -name netty4-secure -password pass:password + +# 3. Import the certificate into JDK keystore (PKCS12 type) + +keytool -importkeystore -srcstorepass password -destkeystore netty4-secure.jks -srckeystore server.p12 -srcstoretype PKCS12 -alias netty4-secure -deststorepass password \ No newline at end of file diff --git a/plugins/transport-grpc/src/test/resources/certificate.crt b/plugins/transport-grpc/src/test/resources/certificate.crt new file mode 100644 index 0000000000000..60821d4eaffa0 --- /dev/null 
+++ b/plugins/transport-grpc/src/test/resources/certificate.crt @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDpTCCAo2gAwIBAgIUO/AexJsrSJwdOuLWYlMbbZh6ZQIwDQYJKoZIhvcNAQEL +BQAwYjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMRAwDgYDVQQHDAdTZWF0dGxl +MQwwCgYDVQQKDANBV1MxEzARBgNVBAsMCk9wZW5TZWFyY2gxETAPBgNVBAMMCFRl +c3RDZXJ0MB4XDTI1MDEyMjE3MjU0OVoXDTI3MTExMjE3MjU0OVowYjELMAkGA1UE +BhMCVVMxCzAJBgNVBAgMAldBMRAwDgYDVQQHDAdTZWF0dGxlMQwwCgYDVQQKDANB +V1MxEzARBgNVBAsMCk9wZW5TZWFyY2gxETAPBgNVBAMMCFRlc3RDZXJ0MIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsYwNo3DgxS8SeDi8KodRSixj11T9 +NpqWM0elm6Fabr2oPxod9IcqRRC0zD2T7aznW6YeBaZ26x9wkv9T32jKFTfYoDf6 +cS7BpsG8FPCrNheSd98x5iogWtPWc6PxyUhioJ3LCIKcEa7YAP6/ssmnPazZVkMa +SdHpP1WFvYleeLcZizvCxMi05vrbqPlJo8e5OUINu5Ly01grkgWeDTkYty13GcdA +HNVNiN+oFUOTvz51PpqeoxoUEphjT21jPR4c6Yi7O+eRrezvuOxxOn6dUlGHzj06 +RoEDAIx7cqHePo+iG227S4/xPxbt6CoZs0rAKmTl4FXjqkmM2NxyuwpVcQIDAQAB +o1MwUTAdBgNVHQ4EFgQU8JKhJPriAup/FCmr36A9R+skeEAwHwYDVR0jBBgwFoAU +8JKhJPriAup/FCmr36A9R+skeEAwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0B +AQsFAAOCAQEAofz97HfxydkilszLOATlxGdQE0LR+w05IoGTEW5u1+3DzKiSK7Kz +HLzjioUfwuwfYZnQVOEa3hGn9iRJp+l2idzAr8o37nNqTOw9R/XfulakqGNY+Wjn +1+57EL/RziZUzoTLJT4KvCWGXk3atylITm2REtknYLmD5XUH+vNUXpr+sBS8LGM/ +jdc6CuYaWZVVmozkTxA64xBobW2WpkjKWSYthPn9c5kScnZyGKKvpN/Xzfo7OYds +V86OnHmOe70UAMmcXmM+lSzBJ4zSLwMEpMoNpPsHMo37IEIfllc0aYa5lGhb4KaJ +U20/BY1iedLpkcTGqjwg58Ymq1nF/1Cvkg== +-----END CERTIFICATE----- diff --git a/plugins/transport-grpc/src/test/resources/certificate.key b/plugins/transport-grpc/src/test/resources/certificate.key new file mode 100644 index 0000000000000..c7b394f56e8e9 --- /dev/null +++ b/plugins/transport-grpc/src/test/resources/certificate.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCxjA2jcODFLxJ4 +OLwqh1FKLGPXVP02mpYzR6WboVpuvag/Gh30hypFELTMPZPtrOdbph4FpnbrH3CS +/1PfaMoVN9igN/pxLsGmwbwU8Ks2F5J33zHmKiBa09Zzo/HJSGKgncsIgpwRrtgA +/r+yyac9rNlWQxpJ0ek/VYW9iV54txmLO8LEyLTm+tuo+Umjx7k5Qg27kvLTWCuS +BZ4NORi3LXcZx0Ac1U2I36gVQ5O/PnU+mp6jGhQSmGNPbWM9HhzpiLs755Gt7O+4 +7HE6fp1SUYfOPTpGgQMAjHtyod4+j6IbbbtLj/E/Fu3oKhmzSsAqZOXgVeOqSYzY +3HK7ClVxAgMBAAECggEAJUYkp9s/CQ6il0Q79sa9YW/TzyV72n6WSXJBeZyklmqx +O3wxbUCCNok1F8rWt1dtI+/KTj/eJ+sMEIRTmKvQfydgDnTqGmBpTefO42uKWjsV +KB7exDY0YDUoiNMSpAITGKq/8QuwlcLJ/N1+o9uThY53+1TvnC9aQ05iW0IPaBKY +s2Rks/GDa/m+wlNG/z9QTM2N9KYoNBlNtEQ0/3/T+PjYHTID88uXV6qcGxOkNg5A +uwpjpEevGEWZ1rbbTY74Cy4bKHS/oudT7uEXsI6rlpWh+NGr5Kh6ZcAcNPa+Slqf +DpApYvOKVTtcgtzYi4IuDC83yFO+urBVQugYhZGPtQKBgQDrGzpVsrbQuSNfeHe7 +4b4v0QqrIxAaolFyULjC+O26Vj9RZ3N/mKiCzPp+Q3wrePnKSQ0Ia2M8NLDC64t2 ++9s3l5SJwnRRzJvwMT5daHXc5soifdJp/Qv1rEelyRPsxoTHQpl25vadWJgbxxE5 +Xvw7gJVtXV8h27HiuyQqGkhTjQKBgQDBU1Oo39jr1MUjuWzAISgJS61LGfjQ68TI +I4uxm0cAWI0wIR2/v2cdl673onodqf6Gn/YwMPafmiCnJJ85NSqyQvWDPlSNT++4 +/B9l53im8XZoOOabYgsS70rI6AMha5itwEdX+otNdR+TOMMvvnAQfOPI6wTz4L3k +ZWAjMsA+dQKBgQDmS7GEqJ6zLeccaaC/hY0KwbW1lY78x+sIE1IoijYzxLAZSUC1 +yA+osKjebbR/0Oy93XjKuoZmPya2iIwAbQx7FBwIJVZTmh1V1qbEUMLDM77ksmMe +NyUz7SHxn1nJIVyG4xH4ip0f29yDuSeCDyz8DCRTEJdTTyScd7whEcWvMQKBgQCq +U0vF4VIwlMkLbHaP36ZyaiZHoJ5DEzXQTuDonbG0cFAUM1kOcwfaXqVcr91+/SKu +YYh5dOoUO6rBF9bghCMV40CDXQsJZYADLr5K/eCi1OJJeLhT9dFj4Ue2MhNwAmgF +zP4OWUMZ/zLOdpghHFuHa0EU51r5suwaqeZFnJUbcQKBgC4oPdlu7kD9EkOQC3ON +E08SLwvqq0hUjUWJkMyM/LSqtLD8hY7GqRmBCBAf5MtHLO1V+V8DsvL7NsoVuHI2 +sNBTExE4hw2rwTk2X9ERTVDCpDsh+ZoQ5tAdypbe0R48yc4MBQbQpqzMVwKRy2dc +ZYAeVm9QvuOmJL4OsZI8TYS3 +-----END PRIVATE KEY----- 
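Review bot: This commits an unencrypted RSA private key, and the README steps protect `server.p12` and `netty4-secure.jks` with the literal password `password`, so all of this key material is public from the moment it is merged. The matching certificate appears to carry basicConstraints CA:TRUE (the `openssl req -x509` default), which means anyone holding this key could issue certificates that chain to it if it were ever added to a trust store. The README should say so explicitly, for example `# TEST FIXTURES ONLY: key and passwords are public; never load these into a production keystore or trust store.` Generating the key pair at test time would avoid shipping it and tripping secret scanners.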
diff --git a/plugins/transport-grpc/src/test/resources/netty4-secure.jks b/plugins/transport-grpc/src/test/resources/netty4-secure.jks new file mode 100644 index 0000000000000000000000000000000000000000..2f203f4391a6cadf0752175a02561a439bffafb6 GIT binary patch literal 2806 zcma)8c{CIX`<{)M&=fP47;BWR841Z6GBx&njZ2m=1~c42#AM&PmSmf;WR0Y;$HhoA z4YF^ko9$+oC9Os7ci!`!_dL(@KJTB;c~NBO76=GNk)e64?9wrqm_1J5 zDPRE^nhYUB<4@>l6q%*cXVe&%m$WsllSn^RGwahyAdnOc1QbDWu(JLCMG!j+042oA?i_;w zx`81;X$WlF58=(ux9CE3NoB*Ppvxg-$bj~x3)vatpI*JOBa&{FCG*OKW%LgT<}Ype zZDVL{O_A6j8yksbLWHCEaz9kZp7lQmFPBTik}_zvzje60E5w~LfB7m?LM z#@f@ehD7nqLO`CWE>>$8BZ!x+7<^3k({SFJ)m*#WHBa|!2o{`)B2{4eXbn4DdQzSX zthxEeVjMY<1yB7*pRr626VT?^M|l$VXi@~SQ>e(OkyvoQ^H|PJJ&U2l;L-8^^S+ab zQ%N+-{7myx1{-C|);nc&$puHGIG)d3S%@V8-ln=7>RfUC!Tu)eg zU4BF6x~!-TLXS6{d!L8ttAZ0Ab-yAs9uoDD>&)-(pcU@4N?Ni1XK!Wjt32^;yhTst z(V7?=L*bJ_ZV6)1A7eLlp~9#vNx9b2uf-f8H5!4t*Tdh~S?{SReJBR6tFM*!MnJP- zjlB4QYj8J%7Q;M;O!Ao3sSoL-zp`OgfUvxxAbdTKPRB$>P2Q7~-P5jr$EbCnr!x3U zK`O-y;T$~ySy9y*@S;T@A;J3s`up>aJ|*&(6bhRAp`M5X2%zYq^CL^nnQL*DGTiX{ z{)5q9rpoAz8kKC~sX_W*N>CZ?IZ0`I^|9t0@IQK{JENSjx0~3e8qAh<5RmTA8OHU? 
zKaQ=LZJ!&Agw6`s9oQ##0JjVGFcQvsK}B!-6=4Hs)hqM;-f(qODL|uZsx^I$F&lT3 zh(m?nC3!#6x^F}hcp?X?*rkoO)Z_8KOiry1PinZfhwj!MdylBv?>T4n9bO*@L<}+d zI#ici^GT96Oeu8fYyu}>Za8*C^Ut2TXto!Gks9-}?T#m+@57wkQc7zo8r8*Wv~yj9U6p z#mS9Dc^{&O`6o%{+1+jVZL8D9rYq-i@N2}s;hcn=3QDM z{t=8#!6nHBPULZOSrP9%4}W_{ZjKS(-t-%9;QOR@bG}mpytiHsLeGq>TS5Nf;QOp) zwK!?4wxVc)2lN>(9}+HD#-+B^VLL{ic&a#AIj|O_*9o*!awm^_!)yyfA8t14NC7QO z|Bxi_C3;7R-%U2lq~u=r=yG2GkcNc8%~o~|eu07$}({)pA=O|52vrzu#i~?ayd^qUv zb*9DZFw{29U(;Jg6T`SI7VIzEx;pYcW&hT&t~6VL0S@ZRQ$-i<)GUY(Kfe;} z*t4F_Cv{9h8=)@!ic5ALv>;Ld;0tgA5Kk%?pa_ry5KfRQAP^7$a6^gyvkFJ^K+aj* z!?}r|m9HpYRZ>Qw(P)$kiVUIuS~|sAK!(sxsA>=pa5BpNQGov~w9O6`_eRkc6JoYQ zs*3z$p)dGE9{n$&t;gjXH-ywZy!E=0ccy1jI)V&Aedo%a&9~<1)I9yemZcB#I!qQ;M z=|cSg`VyBs@ugSuq_OfGdvI#dSnQ`QhXPEes>*1IWYOw(dS*T-$m6n0lEB50vFT}+ zmNHMLfX|~Jhjz6`{#37^oOVj4RGo!_zolhv7eR}*#bB~Nuy<6i_#PwX?piTFIW>H6 z;38iIWgX<;81ZayDRJ-Gy?az!0~Yqnqvy24C+w{uaNkch$rvX>X`bsI`r)*p{Pew# z+WQ|{ZWD{s`2E?#n6v%tq^% zve>U}xZ_#AMvbJe+(ZMtNHRR@2U!d>@SdQhuh6WY+JUKk`IPjeaea=YMG$u(^gDQn z2;oGt84GpYB|GSSzYQ~yV>Po?^=RY@GRq1DnvPiVQw$idSskZ4oP)Q>JjK%OY_0|G ztu!e|dsfXrq#BVm{K%5z?D$FUb?s%M-dw`e4W+U;@K=>A%S&Q;Pn;-o)?HmcS&5eu zObc_4i>`Y-#~6fp!F#QUl!ng4^E|-80HN_4W8Y{C!57N$a zds!)UbSu=?mSrz|OPr+-*P}9DhpmUx5RzBvR_p{t|ID!JyTbO=qN=H*#;c^ghx}ma zv^H*I2NVClRukM?kjLi+1r+8V4QJ;~%tzClx___rqzEEEYZM>G<+x>$_}r{V<*;VP ztIZMOj&?zE_L)IGPa>CXU~|B-=bx-y7hkyCRi1x)So1D*D3Awev(k#|^POH~y+0!> z6xzm~xsOrSZe<%f6((m9>S^xm881=|d=uw!LqD1;;r`!izD{0Du0914o>iy+Wt;V; zt{%`iwBdqqab2JC zGVS|`ws^ubdC~P=gfJMar+zmpEh6KG+hfYKL(T*ee#R^G5o)M%6uRi@orbiCytON~ z^sbzEilKn-%Ktjf=_NspJNm%lBSF>>YD}cV-<5v9zbU*pm<5>#$4y*sNp!6HyFFQx zFtWc=poi!Jq#{}$i;DDaAs&fVM$M$$wOm+pu}`inE6aQt`2>%yQWsXim%2)}+D_p# zT<-9PmdCXnDRQ6;QD_wBuU`-ZWC1`#NXBT@hue)c=a(0^*_Pa@a}7dawjXjCgjlA; ic>Piwgy#p+I)o+HaLT7pM{;>u|F&iK^WguBtbYL&xCb!+ literal 0 HcmV?d00001 
diff --git a/plugins/transport-grpc/src/test/resources/server.p12 b/plugins/transport-grpc/src/test/resources/server.p12 new file mode 100644 index 0000000000000000000000000000000000000000..bb9ce806f1b66b7833078626b3c199fbf50dd4d8 GIT binary patch literal 2782 zcmai$XHXLe6NVE=LJ_1G@C2kP9SH)V2uG0`LJ<;*L7D~yf{02FE%atV6as=kXaNz9 z-lBBy3<@eJA;dzL9!d~Fj+^fr{du#qv-7_1&g{Qu7DnKvu>sj(1nzqfF2zKPL>4cQ z16WAljs+38BM_QD!|NfxtIBQ-d1sgw6&EuHbrmMeJHjT`G8MEfn%LD z71D$V#{kih=h5V&cD;211<5Z&j#4=csk351 zQ^i8Ba}Pd|ao2nX1>9$4RF9a)jaBu|yeJaw2%NdT1~gx~{^p)Zvj(~3lnm!qr~Le- zDdBpGEyMaDDp~uAtbA1csT}h<|L~Y_FG~CbKAvQ1uKdcf)Z+Ox=+BH}fP`(wfk)*CCAiM}!T|vWvdK)2-jId+shz&(jy099st2Hqtf_&leNjh> zQcmP@5~i%P0R>@_pd3Gi;M|r`^U@}ar*qe%TT>HMR#o@WKa7j=2A78Ypcus8mhCHd z^{Vw7TT@`tRX)b_I48dz@Y3Js$QqrD0jaWKhlK4dZtqz$<=lc9-jdI^;Cp8$tk`WU zL+7iIQg0VVbxa;jv-Aii`k~s>MX+F<=bxm`6*f&dGBT^dnzc+@|A8&)Vj}rnjH`c- z!u)vAHq4uaODTU_eL5bXwR!s7Eqvt%(OB2-v1%4OcO3jho1lnQ3->;U6btJn6Kq|?alu?q9F|~+e*_WUEGN!=4AMvn9cRKbm!0$PV*oqtC@_1$#I=a*=E3cbT*#qC5 zYpTx_$+bs=W~oe5$>!aLk?ujxS!ae`Z+kpbK!$q+=b6mFzSS&PCcY@)P*YJXb;BIF zsoNjrT|v3b*m`W?F8#512$96Uhe+9|pSxSVmi5D_L!qg(Q(dkq$4un5ZLL`PE+=?L z{;J*HsK)G3p_Z^$|)hNwSaTP zgMk|$0%%x2&4@l%ka=lYYc=42U9%`TM*UBu_~Y~!#bIiEsZ|A@M8%5OB}tgtj(J84 zflpfVJU;nnKQCotJ=ow5`gx7Rv|Qe6v6A6_uELDKxRs#z=s_<;^&U^IP^0lN(K2_i z2qxbJSTD^dYeqpt^l7g>Hs3Um@QnTA

oj0{2LwBpxr_8+;vocjy_ZKf)!mjhPlT zgzDG4i2tnAfX@<2-v23d`7-a4Z+%2Y)*KSlJdm%B5pbeIbLWmq>$}5!Z5$n^Uo43y zy+}btZnn<~8r;`FAAj3elPd2-ecHpxu(TPys5VJOiaGshns9^2{7NG!vdgRR>wjPA zx>Y>it{y-ueb-uPSmuvtt#gFzp1J$nx2jg-Fa2Fvx9P1w?Sv6_J-u@GBjqKg@3E6( zV9{s#9vtJ~wV7~yK=|aaCpAV<&9sv?C8~u=2*KZ>3RJb}6sPk{y&9Gmv1W?LLUxY{8(d=N?PNl) zIU_qP&!>Dz5L^qkv)(NmQj8n2;yFL}%3`-qA;|G`(uOhN-p#BQc8aUgyd#(3FuW1w zfthFUIELsnS;-9($I1O5RKpF%4vqZl%sdc3C148ps!A6uRc<~bfs7UZt50Zo{JELoI ziKMzSY^Xsl4sas4X=7CdZ9F-1ryI9vZkpDJz?H!t75ijodM!u&m|l04`B-gs^uv6Wlowhmqm2jRqy4Rprc0pTWqUM{^ zfZFDQRFkGBl>i1zg`awLRxa*dolXB=2mHiFg;r$rQ)K;@9LZ22H9MHhFVJ!csR@Ii z+k*XRnGqyc1GmKcH}zc5kW-y3n8NQRsG69#2;e#Z3%Gq)VE_$)3gFhEx(o;c+yr1@ zMldxP@2`)L4G0E+Bn5j5{Nz`S_z8s&eHrCIw+B}OqYJNLXxEV&J5BUOX%Od0aiuAo KQ=sg>RQ?B Date: Mon, 3 Feb 2025 15:09:24 -0800 Subject: [PATCH 08/36] gRPC testing client. Signed-off-by: Finn Carroll --- .../transport/grpc/NettyGrpcClient.java | 120 ++++++++++++++++++ 1 file changed, 120 insertions(+) create mode 100644 plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/NettyGrpcClient.java diff --git a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/NettyGrpcClient.java b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/NettyGrpcClient.java new file mode 100644 index 0000000000000..308457ef7a885 --- /dev/null +++ b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/NettyGrpcClient.java 
@@ -0,0 +1,120 @@ +/* + * SPDX-License-Identifier: Apache-2.0 + * + * The OpenSearch Contributors require contributions made to + * this file be licensed under the Apache-2.0 license or a + * compatible open source license. + */ + +package org.opensearch.transport.grpc; + +import io.grpc.ManagedChannel; +import io.grpc.health.v1.HealthCheckRequest; +import io.grpc.health.v1.HealthCheckResponse; +import io.grpc.health.v1.HealthGrpc; +import io.grpc.netty.shaded.io.grpc.netty.NettyChannelBuilder; +import io.grpc.reflection.v1alpha.ServerReflectionGrpc; +import io.grpc.reflection.v1alpha.ServerReflectionRequest; +import io.grpc.reflection.v1alpha.ServerReflectionResponse; +import io.grpc.stub.StreamObserver; +import org.opensearch.core.common.transport.TransportAddress; + +import java.net.InetSocketAddress; +import java.util.concurrent.CountDownLatch; +import java.util.concurrent.TimeUnit; + +public class NettyGrpcClient { + private final ManagedChannel channel; + private final HealthGrpc.HealthBlockingStub healthStub; + private final ServerReflectionGrpc.ServerReflectionStub reflectionStub; + + public NettyGrpcClient(TransportAddress addr, NettyChannelBuilder channelBuilder) { + channel = channelBuilder.build(); + healthStub = HealthGrpc.newBlockingStub(channel); + reflectionStub = ServerReflectionGrpc.newStub(channel); + } + + public void shutdown() throws InterruptedException { + channel.shutdown().awaitTermination(5, TimeUnit.SECONDS); + } + + /** + * ProtoReflectionService only implements a streaming interface and has no blocking stub. 
+ */ + public void listServices() { + CountDownLatch latch = new CountDownLatch(1); + + StreamObserver responseObserver = new StreamObserver<>() { + @Override + public void onNext(ServerReflectionResponse response) { + if (response.hasListServicesResponse()) { + response.getListServicesResponse().getServiceList().forEach(service -> + System.out.println(service.getName()) + ); + } + } + + @Override + public void onError(Throwable t) { + System.err.println("Error: " + t.getMessage()); + latch.countDown(); + } + + @Override + public void onCompleted() { + latch.countDown(); + } + }; + + StreamObserver requestObserver = + reflectionStub.serverReflectionInfo(responseObserver); + requestObserver.onNext(ServerReflectionRequest.newBuilder() + .setListServices("") + .build()); + requestObserver.onCompleted(); + + try { + if (!latch.await(5, TimeUnit.SECONDS)) { + throw new RuntimeException(NettyGrpcClient.class.getSimpleName() + " timed out waiting for response."); + } + } catch (InterruptedException e) { + throw new RuntimeException(NettyGrpcClient.class.getSimpleName() + " interrupted waiting for response: " + e.getMessage()); + } + } + + public void checkHealth() { + try { + HealthCheckResponse response = healthStub.check(HealthCheckRequest.newBuilder().build()); + System.out.println("Health Status: " + response.getStatus()); + } catch (Exception e) { + System.err.println("Error checking health: " + e.getMessage()); + } + } + + public static class Builder { + private boolean tls = false; + private TransportAddress addr = new TransportAddress(new InetSocketAddress("localhost", 9300)); + + Builder () { } + + public NettyGrpcClient build() { + NettyChannelBuilder channelBuilder = NettyChannelBuilder.forAddress(addr.getAddress(), addr.getPort()); + + if (!tls) { + channelBuilder.usePlaintext(); + } + + return new NettyGrpcClient(addr, channelBuilder); + } + + public Builder setTls(boolean tls) { + this.tls = tls; + return this; + } + + public Builder 
setAddress(TransportAddress addr) { + this.addr = addr; + return this; + } + } +} From 9b45fe57a5cf1451e7f1cc9d7bb84c9a9b6a0660 Mon Sep 17 00:00:00 2001 From: Finn Carroll Date: Tue, 4 Feb 2025 10:04:16 -0800 Subject: [PATCH 09/36] Add SecureNetty4GrpcServerTransport unit tests. Signed-off-by: Finn Carroll --- .../SecureNetty4GrpcServerTransportTests.java | 136 ++++++++++++++++++ 1 file changed, 136 insertions(+) create mode 100644 plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/SecureNetty4GrpcServerTransportTests.java diff --git a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/SecureNetty4GrpcServerTransportTests.java b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/SecureNetty4GrpcServerTransportTests.java new file mode 100644 index 0000000000000..88d5d6b27391f --- /dev/null +++ b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/SecureNetty4GrpcServerTransportTests.java 
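Review bot: `checkHealth()` catches every `Exception` and only prints it, so a refused connection, a failed TLS handshake or a NOT_SERVING status all look like success to the caller. The health-check tests added in later patches of this series call it without any assertion and therefore cannot fail. Let the call propagate and return the status so tests can assert on it: `public HealthCheckResponse.ServingStatus checkHealth() { return healthStub.check(HealthCheckRequest.newBuilder().build()).getStatus(); }`. Separately, `setTls(true)` only skips `usePlaintext()` and supplies no trust material, so a TLS client built this way would presumably reject the self-signed test certificate. The `InterruptedException` handler in `listServices()` should also call `Thread.currentThread().interrupt()` and pass `e` as the cause.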
@@ -0,0 +1,136 @@ +/* + * SPDX-License-Identifier: Apache-2.0 + * + * The OpenSearch Contributors require contributions made to + * this file be licensed under the Apache-2.0 license or a + * compatible open source license. + */ + +package org.opensearch.transport.grpc; + +import io.grpc.BindableService; +import org.hamcrest.MatcherAssert; +import org.junit.After; +import org.opensearch.common.network.NetworkService; +import org.opensearch.common.settings.Settings; +import org.opensearch.core.common.transport.TransportAddress; +import org.opensearch.plugins.NetworkPlugin; +import org.opensearch.plugins.SecureAuxTransportSettingsProvider; +import org.opensearch.test.OpenSearchTestCase; +import org.junit.Before; + +import java.io.IOException; +import java.security.KeyManagementException; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; +import java.security.UnrecoverableKeyException; +import java.security.cert.CertificateException; +import java.util.ArrayList; +import java.util.Collections; +import java.util.List; +import java.util.Optional; + +import org.opensearch.threadpool.TestThreadPool; +import org.opensearch.transport.grpc.ssl.SecureNetty4GrpcServerTransport; + +import javax.net.ssl.KeyManagerFactory; +import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLException; + +import static org.hamcrest.Matchers.emptyArray; +import static org.hamcrest.Matchers.not; + +public class SecureNetty4GrpcServerTransportTests extends OpenSearchTestCase { + private TestThreadPool threadPool; + private NetworkService networkService; + private final List services = new ArrayList<>(); + private SecureAuxTransportSettingsProvider settingsProvider; + + static class TestSecureAuxTransportSettingsProvider implements SecureAuxTransportSettingsProvider { + @Override + public Optional buildSecureAuxServerSSLContext(Settings settings, NetworkPlugin.AuxTransport transport) throws SSLException { + try { + final 
KeyStore keyStore = KeyStore.getInstance("PKCS12"); + keyStore.load( + SecureNetty4GrpcServerTransport.class.getResourceAsStream("/netty4-secure.jks"), + "password".toCharArray() + ); + + final KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509"); + keyManagerFactory.init(keyStore, "password".toCharArray()); + + SSLContext sslContext = SSLContext.getInstance("TLS"); + sslContext.init(keyManagerFactory.getKeyManagers(), null, null); + return Optional.of(sslContext); + } catch (final IOException | + NoSuchAlgorithmException | + UnrecoverableKeyException | + KeyStoreException | + CertificateException | + KeyManagementException ex) { + throw new SSLException(ex); + } + } + } + + @Before + public void setup() { + threadPool = new TestThreadPool("test"); + networkService = new NetworkService(Collections.emptyList()); + settingsProvider = new TestSecureAuxTransportSettingsProvider(); + } + + @After + public void shutdown() { + if (threadPool != null) { + threadPool.shutdownNow(); + } + threadPool = null; + networkService = null; + } + + private static Settings createSettings() { + return Settings.builder().put( + SecureNetty4GrpcServerTransport.SETTING_GRPC_PORT.getKey(), + getPortRange()) + .build(); + } + + public void testGrpcSecureTransportStart() { + try (SecureNetty4GrpcServerTransport serverTransport = new SecureNetty4GrpcServerTransport( + createSettings(), + services, + networkService, + settingsProvider + )) { + serverTransport.start(); + MatcherAssert.assertThat(serverTransport.boundAddress().boundAddresses(), not(emptyArray())); + assertNotNull(serverTransport.boundAddress().publishAddress().address()); + serverTransport.stop(); + } catch (Exception e) { + throw new RuntimeException(e); + } + } + + public void testGrpcSecureTransportHealthcheck() { + try (SecureNetty4GrpcServerTransport serverTransport = new SecureNetty4GrpcServerTransport( + createSettings(), + services, + networkService, + settingsProvider + )) { + 
serverTransport.start(); + final TransportAddress remoteAddress = randomFrom(serverTransport.boundAddress().boundAddresses()); + + NettyGrpcClient client = new NettyGrpcClient.Builder() + .setAddress(remoteAddress) + .setTls(false) + .build(); + + client.checkHealth(); + } catch (Exception e) { + throw new RuntimeException(e); + } + } +} From 991d0accde5b84e6a660798d96d8a11bdfcd87fc Mon Sep 17 00:00:00 2001 From: Finn Carroll Date: Tue, 4 Feb 2025 10:04:51 -0800 Subject: [PATCH 10/36] Add default ALPN settings to SSLContextWrapper. Signed-off-by: Finn Carroll --- .../opensearch/transport/grpc/ssl/SSLContextWrapper.java | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/ssl/SSLContextWrapper.java b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/ssl/SSLContextWrapper.java index 84be88120c041..3483c215b9a43 100644 --- a/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/ssl/SSLContextWrapper.java +++ b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/ssl/SSLContextWrapper.java @@ -12,14 +12,19 @@ import javax.net.ssl.SSLContext; import javax.net.ssl.SSLEngine; +import javax.net.ssl.SSLParameters; import javax.net.ssl.SSLSessionContext; import java.security.NoSuchAlgorithmException; import java.util.List; import io.grpc.netty.shaded.io.netty.buffer.ByteBufAllocator; +import io.grpc.netty.shaded.io.netty.handler.ssl.ApplicationProtocolConfig; +import io.grpc.netty.shaded.io.netty.handler.ssl.ApplicationProtocolNames; import io.grpc.netty.shaded.io.netty.handler.ssl.ApplicationProtocolNegotiator; import io.grpc.netty.shaded.io.netty.handler.ssl.SslContext; +import io.grpc.netty.shaded.io.netty.handler.ssl.SslContextBuilder; +import io.grpc.netty.shaded.io.netty.handler.ssl.SslProvider; /** * A light wrapper intended to negotiate the difference between two ssl context implementations. 
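Review bot: `testGrpcSecureTransportHealthcheck` builds its client with `.setTls(false)`, so it speaks plaintext to the TLS listener and never exercises the handshake. Because `client.checkHealth()` swallows its own errors, the test passes whether or not the server accepted the call. The client should be built with `.setTls(true)` and given trust for the test certificate, and the test should assert a SERVING status. A companion test should assert that a plaintext client is rejected, since that is the property the secure transport exists to provide. The client is also never shut down and the transport never stopped in this test, unlike `testGrpcSecureTransportStart`.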
@@ -31,6 +36,7 @@ public class SSLContextWrapper extends SslContext { private final boolean client; private static final String[] DEFAULT_SSL_PROTOCOLS = { "TLSv1.3", "TLSv1.2", "TLSv1.1" }; + private static final String[] DEFAULT_ALPN = { "h2" }; public SSLContextWrapper(boolean isClient) throws NoSuchAlgorithmException { this(SSLContext.getDefault(), isClient); @@ -65,7 +71,7 @@ public ApplicationProtocolNegotiator applicationProtocolNegotiator() { return new DefaultAPN() { @Override public List protocols() { - return List.of(ctxt.getDefaultSSLParameters().getApplicationProtocols()); + return List.of(DEFAULT_ALPN); } }; } From 0691b8dc0091f84d5b14602482292e8e27af301f Mon Sep 17 00:00:00 2001 From: Finn Carroll Date: Tue, 4 Feb 2025 10:07:53 -0800 Subject: [PATCH 11/36] Do not build default SSLContext for secure transport. Safer to fail. Signed-off-by: Finn Carroll --- .../transport/grpc/ssl/SecureNetty4GrpcServerTransport.java | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/ssl/SecureNetty4GrpcServerTransport.java b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/ssl/SecureNetty4GrpcServerTransport.java index c66e1a049fc54..3044a6bb5ff91 100644 --- a/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/ssl/SecureNetty4GrpcServerTransport.java +++ b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/ssl/SecureNetty4GrpcServerTransport.java 
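Review bot: `DEFAULT_SSL_PROTOCOLS`, directly above the new `DEFAULT_ALPN`, still lists `TLSv1.1`. RFC 8996 deprecates that version, and HTTP/2, the only protocol this wrapper now advertises through ALPN, requires TLS 1.2 or later. If that array is what the wrapper enables on new engines (the code that uses it is outside the hunk), it should be `{ "TLSv1.3", "TLSv1.2" }`. `DEFAULT_ALPN` could use `ApplicationProtocolNames.HTTP_2`, which the previous hunk already imports, instead of the `"h2"` literal. It is also worth confirming that the engines this wrapper creates are configured with the same protocol list, since `protocols()` here only reports it.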
@@ -77,10 +77,10 @@ public SecureNetty4GrpcServerTransport( private SslContext buildSslContext() throws SSLException, NoSuchAlgorithmException { Optional SSLCtxt = secureAuxTransportSettingsProvider.buildSecureAuxServerSSLContext(this.settings, this); - if (SSLCtxt.isPresent()) { - return new SSLContextWrapper(SSLCtxt.get(), false); + if (SSLCtxt.isEmpty()) { + throw new SSLException("SSLContext could not be built from secureAuxTransportSettingsProvider."); } - return new SSLContextWrapper(false); + return new SSLContextWrapper(SSLCtxt.get(), false); } } From 07c458ebeeb74c2d9443ff1fdf6f035b2664345a Mon Sep 17 00:00:00 2001 From: Finn Carroll Date: Tue, 4 Feb 2025 10:13:07 -0800 Subject: [PATCH 12/36] WIP tests. Signed-off-by: Finn Carroll --- .../grpc/Netty4GrpcServerTransportTests.java | 30 ++++++++++++++++--- 1 file changed, 26 insertions(+), 4 deletions(-) diff --git a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/Netty4GrpcServerTransportTests.java b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/Netty4GrpcServerTransportTests.java index 8cf44eebb293e..381a03b2234ca 100644 --- a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/Netty4GrpcServerTransportTests.java +++ b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/Netty4GrpcServerTransportTests.java @@ -10,6 +10,7 @@ import org.opensearch.common.network.NetworkService; import org.opensearch.common.settings.Settings; +import org.opensearch.core.common.transport.TransportAddress; import org.opensearch.test.OpenSearchTestCase; import org.hamcrest.MatcherAssert; import org.junit.Before; 
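Review bot: Throwing from `buildSslContext()` fails closed only if the caller propagates it. The constructor lambda wraps `builder.sslContext(buildSslContext())` in a `try` whose catch block is outside the visible hunks, and if that catch logs and returns the unmodified builder the server would still come up without TLS. That catch should rethrow with the cause attached. As a style point, the local `SSLCtxt` should be lowerCamelCase, and the check collapses to `return new SSLContextWrapper(sslContext.orElseThrow(() -> new SSLException("SSLContext could not be built from secureAuxTransportSettingsProvider.")), false);`.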
@@ -17,12 +18,12 @@ import java.util.List; import io.grpc.BindableService; +import org.opensearch.transport.grpc.ssl.SecureNetty4GrpcServerTransport; import static org.hamcrest.Matchers.emptyArray; import static org.hamcrest.Matchers.not; public class Netty4GrpcServerTransportTests extends OpenSearchTestCase { - private NetworkService networkService; private List services; @@ -32,17 +33,38 @@ public void setup() { services = List.of(); } - public void test() { + public void testStartAndStopServer() { try (Netty4GrpcServerTransport transport = new Netty4GrpcServerTransport(createSettings(), services, networkService)) { transport.start(); - MatcherAssert.assertThat(transport.boundAddress().boundAddresses(), not(emptyArray())); assertNotNull(transport.boundAddress().publishAddress().address()); - transport.stop(); } } +// public void testGrpcTransportHealthcheck() { +// try (Netty4GrpcServerTransport serverTransport = new Netty4GrpcServerTransport( +// createSettings(), +// services, +// networkService +// )) { +// serverTransport.start(); +//// serverTransport.stop(); +// +//// final TransportAddress remoteAddress = randomFrom(serverTransport.boundAddress().boundAddresses()); +//// +//// NettyGrpcClient client = new NettyGrpcClient.Builder() +//// .setAddress(remoteAddress) +//// .setTls(false) +//// .build(); +//// +//// client.checkHealth(); +//// serverTransport.stop(); +// } catch (Exception e) { +// throw new RuntimeException(e); +// } +// } + private static Settings createSettings() { return Settings.builder().put(Netty4GrpcServerTransport.SETTING_GRPC_PORT.getKey(), getPortRange()).build(); } From 190edf2d6b36d0a4b844e14dc9d490f04b274aa2 Mon Sep 17 00:00:00 2001 From: Finn Carroll Date: Tue, 4 Feb 2025 10:14:01 -0800 Subject: [PATCH 13/36] boundAddress() public for testing. Signed-off-by: Finn Carroll --- .../opensearch/transport/grpc/Netty4GrpcServerTransport.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/Netty4GrpcServerTransport.java b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/Netty4GrpcServerTransport.java index a912ab3fb3a9d..092ab5f287009 100644 --- a/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/Netty4GrpcServerTransport.java +++ b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/Netty4GrpcServerTransport.java @@ -155,7 +155,8 @@ public Netty4GrpcServerTransport(Settings settings, List servic this.nettyEventLoopThreads = SETTING_GRPC_WORKER_COUNT.get(settings); } - BoundTransportAddress boundAddress() { + // public for tests + public BoundTransportAddress boundAddress() { return this.boundAddress; } From 9c1b1cfdbd0add7bff136036a9d2d7d931c860fc Mon Sep 17 00:00:00 2001 From: Finn Carroll Date: Tue, 4 Feb 2025 11:11:20 -0800 Subject: [PATCH 14/36] Remove proxy detector from gRPC test client. Signed-off-by: Finn Carroll --- .../org/opensearch/transport/grpc/NettyGrpcClient.java | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/NettyGrpcClient.java b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/NettyGrpcClient.java index 308457ef7a885..fe558d335d08e 100644 --- a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/NettyGrpcClient.java +++ b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/NettyGrpcClient.java @@ -9,6 +9,7 @@ package org.opensearch.transport.grpc; import io.grpc.ManagedChannel; +import io.grpc.ProxyDetector; import io.grpc.health.v1.HealthCheckRequest; import io.grpc.health.v1.HealthCheckResponse; import io.grpc.health.v1.HealthGrpc; 
@@ -23,6 +24,8 @@ import java.util.concurrent.CountDownLatch; import java.util.concurrent.TimeUnit; +import static io.grpc.internal.GrpcUtil.NOOP_PROXY_DETECTOR; + public class NettyGrpcClient { private final ManagedChannel channel; private final HealthGrpc.HealthBlockingStub healthStub; @@ -94,11 +97,14 @@ public void checkHealth() { public static class Builder { private boolean tls = false; private TransportAddress addr = new TransportAddress(new InetSocketAddress("localhost", 9300)); + private final ProxyDetector proxyDetector = NOOP_PROXY_DETECTOR; // No proxy detection for test client - Builder () { } + Builder () {} public NettyGrpcClient build() { - NettyChannelBuilder channelBuilder = NettyChannelBuilder.forAddress(addr.getAddress(), addr.getPort()); + NettyChannelBuilder channelBuilder = NettyChannelBuilder + .forAddress(addr.getAddress(), addr.getPort()) + .proxyDetector(proxyDetector); if (!tls) { channelBuilder.usePlaintext(); From 6b2802ea60f2713c1cf72b804b6d61868b5de82d Mon Sep 17 00:00:00 2001 From: Finn Carroll Date: Tue, 4 Feb 2025 11:11:59 -0800 Subject: [PATCH 15/36] Netty4GrpcServerTransport health check test. Signed-off-by: Finn Carroll --- .../grpc/Netty4GrpcServerTransportTests.java | 43 +++++++++---------- 1 file changed, 21 insertions(+), 22 deletions(-) diff --git a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/Netty4GrpcServerTransportTests.java b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/Netty4GrpcServerTransportTests.java index 381a03b2234ca..ed27bbb3c1ffc 100644 --- a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/Netty4GrpcServerTransportTests.java +++ b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/Netty4GrpcServerTransportTests.java 
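Review bot: The new static import `io.grpc.internal.GrpcUtil.NOOP_PROXY_DETECTOR` in NettyGrpcClient reaches into grpc-java's `internal` package, which is not part of its supported API and can change between releases. `ProxyDetector` has a single `proxyFor` method that returns null when no proxy applies, so the field can be `private final ProxyDetector proxyDetector = targetAddress -> null;` and the import dropped. The trailing comment could also say why detection is disabled, presumably so that proxy settings in the environment cannot reroute the test connection. The `Builder` class continues past the hunk.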
@@ -42,28 +42,27 @@ public void testStartAndStopServer() { } } -// public void testGrpcTransportHealthcheck() { -// try (Netty4GrpcServerTransport serverTransport = new Netty4GrpcServerTransport( -// createSettings(), -// services, -// networkService -// )) { -// serverTransport.start(); -//// serverTransport.stop(); -// -//// final TransportAddress remoteAddress = randomFrom(serverTransport.boundAddress().boundAddresses()); -//// -//// NettyGrpcClient client = new NettyGrpcClient.Builder() -//// .setAddress(remoteAddress) -//// .setTls(false) -//// .build(); -//// -//// client.checkHealth(); -//// serverTransport.stop(); -// } catch (Exception e) { -// throw new RuntimeException(e); -// } -// } + public void testGrpcTransportHealthcheck() { + try (Netty4GrpcServerTransport serverTransport = new Netty4GrpcServerTransport( + createSettings(), + services, + networkService + )) { + serverTransport.start(); + final TransportAddress remoteAddress = randomFrom(serverTransport.boundAddress().boundAddresses()); + + NettyGrpcClient client = new NettyGrpcClient.Builder() + .setAddress(remoteAddress) + .setTls(false) + .build(); + + client.checkHealth(); + client.shutdown(); + serverTransport.stop(); + } catch (Exception e) { + throw new RuntimeException(e); + } + } private static Settings createSettings() { return Settings.builder().put(Netty4GrpcServerTransport.SETTING_GRPC_PORT.getKey(), getPortRange()).build(); From 8e139a8d719ad02d9a6dd34193edca88d4dc7d2b Mon Sep 17 00:00:00 2001 From: Finn Carroll Date: Tue, 4 Feb 2025 11:17:13 -0800 Subject: [PATCH 16/36] Small test naming change. Signed-off-by: Finn Carroll --- .../transport/grpc/Netty4GrpcServerTransportTests.java | 2 +- .../transport/grpc/SecureNetty4GrpcServerTransportTests.java | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/Netty4GrpcServerTransportTests.java b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/Netty4GrpcServerTransportTests.java index ed27bbb3c1ffc..6b73368f2a71a 100644 --- a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/Netty4GrpcServerTransportTests.java +++ b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/Netty4GrpcServerTransportTests.java @@ -33,7 +33,7 @@ public void setup() { services = List.of(); } - public void testStartAndStopServer() { + public void testGrpcTransportStartStop() { try (Netty4GrpcServerTransport transport = new Netty4GrpcServerTransport(createSettings(), services, networkService)) { transport.start(); MatcherAssert.assertThat(transport.boundAddress().boundAddresses(), not(emptyArray())); diff --git a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/SecureNetty4GrpcServerTransportTests.java b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/SecureNetty4GrpcServerTransportTests.java index 88d5d6b27391f..c411223abec54 100644 --- a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/SecureNetty4GrpcServerTransportTests.java +++ b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/SecureNetty4GrpcServerTransportTests.java @@ -97,7 +97,7 @@ private static Settings createSettings() { .build(); } - public void testGrpcSecureTransportStart() { + public void testGrpcSecureTransportStartStop() { try (SecureNetty4GrpcServerTransport serverTransport = new SecureNetty4GrpcServerTransport( createSettings(), services, From 7a132213976adaf5bad49be0dd287bfbce0b0224 Mon Sep 17 00:00:00 2001 From: Finn Carroll Date: Wed, 5 Feb 2025 15:18:28 -0800 Subject: [PATCH 17/36] Add return info to test gRPC client. 
Signed-off-by: Finn Carroll --- .../grpc/Netty4GrpcServerTransportTests.java | 4 ++- .../transport/grpc/NettyGrpcClient.java | 27 +++++++++---------- .../SecureNetty4GrpcServerTransportTests.java | 6 ++++- 3 files changed, 21 insertions(+), 16 deletions(-) diff --git a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/Netty4GrpcServerTransportTests.java b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/Netty4GrpcServerTransportTests.java index 6b73368f2a71a..15ae3288a7bad 100644 --- a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/Netty4GrpcServerTransportTests.java +++ b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/Netty4GrpcServerTransportTests.java @@ -8,6 +8,7 @@ package org.opensearch.transport.grpc; +import io.grpc.health.v1.HealthCheckResponse; import org.opensearch.common.network.NetworkService; import org.opensearch.common.settings.Settings; import org.opensearch.core.common.transport.TransportAddress; @@ -56,7 +57,8 @@ public void testGrpcTransportHealthcheck() { .setTls(false) .build(); - client.checkHealth(); + assertEquals(client.checkHealth(), HealthCheckResponse.ServingStatus.SERVING); + client.shutdown(); serverTransport.stop(); } catch (Exception e) { diff --git a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/NettyGrpcClient.java b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/NettyGrpcClient.java index fe558d335d08e..b5c36d83ce869 100644 --- a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/NettyGrpcClient.java +++ b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/NettyGrpcClient.java 
@@ -17,10 +17,13 @@ import io.grpc.reflection.v1alpha.ServerReflectionGrpc; import io.grpc.reflection.v1alpha.ServerReflectionRequest; import io.grpc.reflection.v1alpha.ServerReflectionResponse; +import io.grpc.reflection.v1alpha.ServiceResponse; import io.grpc.stub.StreamObserver; import org.opensearch.core.common.transport.TransportAddress; import java.net.InetSocketAddress; +import java.util.ArrayList; +import java.util.List; import java.util.concurrent.CountDownLatch; import java.util.concurrent.TimeUnit; @@ -43,24 +46,24 @@ public void shutdown() throws InterruptedException { /** * ProtoReflectionService only implements a streaming interface and has no blocking stub. + * @return List services reported */ - public void listServices() { + public List listServices() { + List respServices = new ArrayList<>(); CountDownLatch latch = new CountDownLatch(1); StreamObserver responseObserver = new StreamObserver<>() { @Override public void onNext(ServerReflectionResponse response) { if (response.hasListServicesResponse()) { - response.getListServicesResponse().getServiceList().forEach(service -> - System.out.println(service.getName()) - ); + respServices.addAll(response.getListServicesResponse().getServiceList()); } } @Override public void onError(Throwable t) { - System.err.println("Error: " + t.getMessage()); latch.countDown(); + throw new RuntimeException(t); } @Override @@ -69,8 +72,7 @@ public void onCompleted() { } }; - StreamObserver requestObserver = - reflectionStub.serverReflectionInfo(responseObserver); + StreamObserver requestObserver = reflectionStub.serverReflectionInfo(responseObserver); requestObserver.onNext(ServerReflectionRequest.newBuilder() .setListServices("") .build()); 
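Review bot: The `throw new RuntimeException(t)` added to `onError` in `listServices()` is raised inside the stream callback rather than in the caller, so it most likely never fails the test: the latch is released and the method goes on to return whatever was collected so far. Record the failure instead, e.g. `failure.set(t); latch.countDown();` with an `AtomicReference<Throwable> failure` declared next to `respServices`, and rethrow it after the latch wait. The wait and the `return respServices` are in a later hunk of this file, so the method body is only partly visible here.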
@@ -83,15 +85,12 @@ public void onCompleted() { } catch (InterruptedException e) { throw new RuntimeException(NettyGrpcClient.class.getSimpleName() + " interrupted waiting for response: " + e.getMessage()); } + + return respServices; } - public void checkHealth() { - try { - HealthCheckResponse response = healthStub.check(HealthCheckRequest.newBuilder().build()); - System.out.println("Health Status: " + response.getStatus()); - } catch (Exception e) { - System.err.println("Error checking health: " + e.getMessage()); - } + public HealthCheckResponse.ServingStatus checkHealth() { + return healthStub.check(HealthCheckRequest.newBuilder().build()).getStatus(); } public static class Builder { diff --git a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/SecureNetty4GrpcServerTransportTests.java b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/SecureNetty4GrpcServerTransportTests.java index c411223abec54..77069e1539cf4 100644 --- a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/SecureNetty4GrpcServerTransportTests.java +++ b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/SecureNetty4GrpcServerTransportTests.java @@ -9,6 +9,7 @@ package org.opensearch.transport.grpc; import io.grpc.BindableService; +import io.grpc.health.v1.HealthCheckResponse; import org.hamcrest.MatcherAssert; import org.junit.After; import org.opensearch.common.network.NetworkService; @@ -128,7 +129,10 @@ public void testGrpcSecureTransportHealthcheck() { .setTls(false) .build(); - client.checkHealth(); + assertEquals(client.checkHealth(), HealthCheckResponse.ServingStatus.SERVING); + + client.shutdown(); + serverTransport.stop(); } catch (Exception e) { throw new RuntimeException(e); } From ec0449a1e0b595fe855a96f4549ee3d180fbfe78 Mon Sep 17 00:00:00 2001 From: Finn Carroll Date: Wed, 5 Feb 2025 16:08:38 -0800 Subject: [PATCH 18/36] Remove insecure credentials from Netty4GrpcServerTransport. 
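Review bot: In `testGrpcSecureTransportHealthcheck` the new `assertEquals(..., SERVING)` runs through a client still built with `.setTls(false)` (the context line just above it), so the test now requires the secure transport to answer a plaintext health check. Either the server under test is not enforcing TLS at this point in the series or the test cannot pass; the server construction is outside this hunk, so I cannot tell which. The secure test should dial with TLS and trust the test certificate, and a companion case should assert that a plaintext client is rejected. The arguments are also in (actual, expected) order, here and in Netty4GrpcServerTransportTests; `assertEquals(HealthCheckResponse.ServingStatus.SERVING, client.checkHealth());` gives a correct failure message.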
Signed-off-by: Finn Carroll --- .../opensearch/transport/grpc/Netty4GrpcServerTransport.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/Netty4GrpcServerTransport.java b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/Netty4GrpcServerTransport.java index 092ab5f287009..704be0c3ca0c7 100644 --- a/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/Netty4GrpcServerTransport.java +++ b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/Netty4GrpcServerTransport.java @@ -257,7 +257,8 @@ private TransportAddress bindAddress(InetAddress hostAddress, PortsRange portRan try { final InetSocketAddress address = new InetSocketAddress(hostAddress, portNumber); - final NettyServerBuilder serverBuilder = NettyServerBuilder.forAddress(address, InsecureServerCredentials.create()) + final NettyServerBuilder serverBuilder = NettyServerBuilder + .forAddress(address) .bossEventLoopGroup(eventLoopGroup) .workerEventLoopGroup(eventLoopGroup) .channelType(NioServerSocketChannel.class) From 9300273d584c78d6bc4ea16e8f21befaf93c86f5 Mon Sep 17 00:00:00 2001 From: Finn Carroll Date: Wed, 5 Feb 2025 16:29:04 -0800 Subject: [PATCH 19/36] Refactor gRPC test client to accept SslContext. Signed-off-by: Finn Carroll --- .../grpc/Netty4GrpcServerTransportTests.java | 2 - .../transport/grpc/NettyGrpcClient.java | 11 +-- .../SecureNetty4GrpcServerTransportTests.java | 71 ++++++++++--------- 3 files changed, 45 insertions(+), 39 deletions(-) diff --git a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/Netty4GrpcServerTransportTests.java b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/Netty4GrpcServerTransportTests.java index 15ae3288a7bad..e3d4c9e3b1af2 100644 --- a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/Netty4GrpcServerTransportTests.java 
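Review bot: Calling `NettyServerBuilder.forAddress(address)` without credentials still builds a plaintext listener, so the commit title overstates what `bindAddress` now does; nothing in this hunk requires a TLS context to be installed before `build()`. The likely reason for the change is that a builder created with `ServerCredentials` refuses a later `sslContext(...)` call, and that deserves a comment at the call site: `// No ServerCredentials: subclasses set TLS through addServerConfig(); with no such config this server is plaintext.` If `InsecureServerCredentials` is no longer used in the file, its import should go too. `bindAddress` starts and ends outside the hunk.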
+++ b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/Netty4GrpcServerTransportTests.java @@ -19,7 +19,6 @@ import java.util.List; import io.grpc.BindableService; -import org.opensearch.transport.grpc.ssl.SecureNetty4GrpcServerTransport; import static org.hamcrest.Matchers.emptyArray; import static org.hamcrest.Matchers.not; @@ -54,7 +53,6 @@ public void testGrpcTransportHealthcheck() { NettyGrpcClient client = new NettyGrpcClient.Builder() .setAddress(remoteAddress) - .setTls(false) .build(); assertEquals(client.checkHealth(), HealthCheckResponse.ServingStatus.SERVING); diff --git a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/NettyGrpcClient.java b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/NettyGrpcClient.java index b5c36d83ce869..25d8366e1a7bb 100644 --- a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/NettyGrpcClient.java +++ b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/NettyGrpcClient.java @@ -14,6 +14,7 @@ import io.grpc.health.v1.HealthCheckResponse; import io.grpc.health.v1.HealthGrpc; import io.grpc.netty.shaded.io.grpc.netty.NettyChannelBuilder; +import io.grpc.netty.shaded.io.netty.handler.ssl.SslContext; import io.grpc.reflection.v1alpha.ServerReflectionGrpc; import io.grpc.reflection.v1alpha.ServerReflectionRequest; import io.grpc.reflection.v1alpha.ServerReflectionResponse; @@ -94,7 +95,7 @@ public HealthCheckResponse.ServingStatus checkHealth() { } public static class Builder { - private boolean tls = false; + private SslContext sslCtxt = null; private TransportAddress addr = new TransportAddress(new InetSocketAddress("localhost", 9300)); private final ProxyDetector proxyDetector = NOOP_PROXY_DETECTOR; // No proxy detection for test client 
@@ -105,15 +106,17 @@ public NettyGrpcClient build() { .forAddress(addr.getAddress(), addr.getPort()) .proxyDetector(proxyDetector); - if (!tls) { + if (sslCtxt == null) { channelBuilder.usePlaintext(); + } else { + channelBuilder.sslContext(sslCtxt); } return new NettyGrpcClient(addr, channelBuilder); } - public Builder setTls(boolean tls) { - this.tls = tls; + public Builder setSslContext(SslContext sslCtxt) { + this.sslCtxt = sslCtxt; return this; } diff --git a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/SecureNetty4GrpcServerTransportTests.java b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/SecureNetty4GrpcServerTransportTests.java index 77069e1539cf4..83ef513c027e3 100644 --- a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/SecureNetty4GrpcServerTransportTests.java +++ b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/SecureNetty4GrpcServerTransportTests.java @@ -10,6 +10,7 @@ import io.grpc.BindableService; import io.grpc.health.v1.HealthCheckResponse; +import io.grpc.netty.shaded.io.netty.handler.ssl.SslContext; import org.hamcrest.MatcherAssert; import org.junit.After; import org.opensearch.common.network.NetworkService; @@ -33,6 +34,7 @@ import java.util.Optional; import org.opensearch.threadpool.TestThreadPool; +import org.opensearch.transport.grpc.ssl.SSLContextWrapper; import org.opensearch.transport.grpc.ssl.SecureNetty4GrpcServerTransport; import javax.net.ssl.KeyManagerFactory; 
@@ -48,38 +50,48 @@ public class SecureNetty4GrpcServerTransportTests extends OpenSearchTestCase { private final List services = new ArrayList<>(); private SecureAuxTransportSettingsProvider settingsProvider; - static class TestSecureAuxTransportSettingsProvider implements SecureAuxTransportSettingsProvider { - @Override - public Optional buildSecureAuxServerSSLContext(Settings settings, NetworkPlugin.AuxTransport transport) throws SSLException { - try { - final KeyStore keyStore = KeyStore.getInstance("PKCS12"); - keyStore.load( - SecureNetty4GrpcServerTransport.class.getResourceAsStream("/netty4-secure.jks"), - "password".toCharArray() - ); - - final KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509"); - keyManagerFactory.init(keyStore, "password".toCharArray()); - - SSLContext sslContext = SSLContext.getInstance("TLS"); - sslContext.init(keyManagerFactory.getKeyManagers(), null, null); - return Optional.of(sslContext); - } catch (final IOException | - NoSuchAlgorithmException | - UnrecoverableKeyException | - KeyStoreException | - CertificateException | - KeyManagementException ex) { - throw new SSLException(ex); - } + private static SSLContext buildTestSSLContext() throws SSLException { + try { + final KeyStore keyStore = KeyStore.getInstance("PKCS12"); + keyStore.load( + SecureNetty4GrpcServerTransport.class.getResourceAsStream("/netty4-secure.jks"), + "password".toCharArray() + ); + final KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509"); + keyManagerFactory.init(keyStore, "password".toCharArray()); + SSLContext sslContext = SSLContext.getInstance("TLS"); + sslContext.init(keyManagerFactory.getKeyManagers(), null, null); + return sslContext; + } catch (final IOException | + NoSuchAlgorithmException | + UnrecoverableKeyException | + KeyStoreException | + CertificateException | + KeyManagementException ex) { + throw new SSLException(ex); } } + private static SslContext buildClientTestSslContext() throws 
SSLException, NoSuchAlgorithmException { + return new SSLContextWrapper(buildTestSSLContext(), true); + } + + private static SecureAuxTransportSettingsProvider getSecureSettingsProvider() { + return (settings, transport) -> Optional.of(buildTestSSLContext()); + } + + private static Settings createSettings() { + return Settings.builder().put( + SecureNetty4GrpcServerTransport.SETTING_GRPC_PORT.getKey(), + getPortRange()) + .build(); + } + @Before public void setup() { threadPool = new TestThreadPool("test"); networkService = new NetworkService(Collections.emptyList()); - settingsProvider = new TestSecureAuxTransportSettingsProvider(); + settingsProvider = getSecureSettingsProvider(); } @After @@ -91,13 +103,6 @@ public void shutdown() { networkService = null; } - private static Settings createSettings() { - return Settings.builder().put( - SecureNetty4GrpcServerTransport.SETTING_GRPC_PORT.getKey(), - getPortRange()) - .build(); - } - public void testGrpcSecureTransportStartStop() { try (SecureNetty4GrpcServerTransport serverTransport = new SecureNetty4GrpcServerTransport( createSettings(), @@ -126,7 +131,7 @@ public void testGrpcSecureTransportHealthcheck() { NettyGrpcClient client = new NettyGrpcClient.Builder() .setAddress(remoteAddress) - .setTls(false) + .setSslContext(buildClientTestSslContext()) .build(); assertEquals(client.checkHealth(), HealthCheckResponse.ServingStatus.SERVING); From 9e093c0c8262da7a12ea07afc39372b3a698f5df Mon Sep 17 00:00:00 2001 From: Finn Carroll Date: Thu, 13 Feb 2025 08:53:08 -0800 Subject: [PATCH 20/36] Refactor SecureAuxTransportSettingsProvider to implement SecureTransportParameters. Remove SSLContextWrapper model. 
Signed-off-by: Finn Carroll --- .../transport/grpc/ssl/SSLContextWrapper.java | 97 ------------ .../ssl/SecureNetty4GrpcServerTransport.java | 36 +++-- .../grpc/Netty4GrpcServerTransportTests.java | 11 +- .../transport/grpc/NettyGrpcClient.java | 53 +++++-- .../SecureNetty4GrpcServerTransportTests.java | 138 +++++++++++------- .../SecureAuxTransportSettingsProvider.java | 28 ++-- .../common/network/NetworkModuleTests.java | 7 +- 7 files changed, 174 insertions(+), 196 deletions(-) delete mode 100644 plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/ssl/SSLContextWrapper.java diff --git a/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/ssl/SSLContextWrapper.java b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/ssl/SSLContextWrapper.java deleted file mode 100644 index 3483c215b9a43..0000000000000 --- a/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/ssl/SSLContextWrapper.java +++ /dev/null 
@@ -1,97 +0,0 @@ -/* - * SPDX-License-Identifier: Apache-2.0 - * - * The OpenSearch Contributors require contributions made to - * this file be licensed under the Apache-2.0 license or a - * compatible open source license. - * - * Modifications Copyright OpenSearch Contributors. See - * GitHub history for details. - */ -package org.opensearch.transport.grpc.ssl; - -import javax.net.ssl.SSLContext; -import javax.net.ssl.SSLEngine; -import javax.net.ssl.SSLParameters; -import javax.net.ssl.SSLSessionContext; - -import java.security.NoSuchAlgorithmException; -import java.util.List; - -import io.grpc.netty.shaded.io.netty.buffer.ByteBufAllocator; -import io.grpc.netty.shaded.io.netty.handler.ssl.ApplicationProtocolConfig; -import io.grpc.netty.shaded.io.netty.handler.ssl.ApplicationProtocolNames; -import io.grpc.netty.shaded.io.netty.handler.ssl.ApplicationProtocolNegotiator; -import io.grpc.netty.shaded.io.netty.handler.ssl.SslContext; -import io.grpc.netty.shaded.io.netty.handler.ssl.SslContextBuilder; -import io.grpc.netty.shaded.io.netty.handler.ssl.SslProvider; - -/** - * A light wrapper intended to negotiate the difference between two ssl context implementations. - * {@link SSLContext} provided by javax.net.ssl, and - * {@link SslContext} provided by io.grpc. 
- */ -public class SSLContextWrapper extends SslContext { - private final SSLContext ctxt; - private final boolean client; - - private static final String[] DEFAULT_SSL_PROTOCOLS = { "TLSv1.3", "TLSv1.2", "TLSv1.1" }; - private static final String[] DEFAULT_ALPN = { "h2" }; - - public SSLContextWrapper(boolean isClient) throws NoSuchAlgorithmException { - this(SSLContext.getDefault(), isClient); - } - - public SSLContextWrapper(SSLContext javaxCtxt, boolean isClient) { - this.ctxt = javaxCtxt; - this.ctxt.getDefaultSSLParameters().setProtocols(DEFAULT_SSL_PROTOCOLS); - this.client = isClient; - } - - @Override - public boolean isClient() { - return client; - } - - @Override - public List cipherSuites() { - return List.of(ctxt.getDefaultSSLParameters().getCipherSuites()); - } - - class DefaultAPN implements ApplicationProtocolNegotiator { - @Override - public List protocols() { - return List.of(ctxt.getDefaultSSLParameters().getProtocols()); - } - } - - // ApplicationProtocolNegotiator is deprecated - @Override - public ApplicationProtocolNegotiator applicationProtocolNegotiator() { - return new DefaultAPN() { - @Override - public List protocols() { - return List.of(DEFAULT_ALPN); - } - }; - } - - /** - * javax SSLContext handles its own buffer allocation. - * As such we can ignore the netty ByteBufAllocator when creating engines. - */ - @Override - public SSLEngine newEngine(ByteBufAllocator byteBufAllocator) { - return ctxt.createSSLEngine(); - } - - @Override - public SSLEngine newEngine(ByteBufAllocator byteBufAllocator, String s, int i) { - return ctxt.createSSLEngine(s, i); - } - - @Override - public SSLSessionContext sessionContext() { - return this.client ? ctxt.getClientSessionContext() : ctxt.getServerSessionContext(); - } -} 
diff --git a/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/ssl/SecureNetty4GrpcServerTransport.java b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/ssl/SecureNetty4GrpcServerTransport.java index 3044a6bb5ff91..ef8dccfffbcbb 100644 --- a/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/ssl/SecureNetty4GrpcServerTransport.java +++ b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/ssl/SecureNetty4GrpcServerTransport.java @@ -8,8 +8,11 @@ package org.opensearch.transport.grpc.ssl; -import org.apache.logging.log4j.LogManager; -import org.apache.logging.log4j.Logger; +import io.grpc.netty.shaded.io.netty.handler.ssl.ApplicationProtocolConfig; +import io.grpc.netty.shaded.io.netty.handler.ssl.ClientAuth; +import io.grpc.netty.shaded.io.netty.handler.ssl.SslContextBuilder; +import io.grpc.netty.shaded.io.netty.handler.ssl.SslProvider; +import io.grpc.netty.shaded.io.netty.handler.ssl.ApplicationProtocolNames; import org.opensearch.common.network.NetworkService; import org.opensearch.common.settings.Setting; import org.opensearch.common.settings.Settings; @@ -17,12 +20,11 @@ import org.opensearch.plugins.SecureAuxTransportSettingsProvider; import org.opensearch.transport.grpc.Netty4GrpcServerTransport; -import javax.net.ssl.SSLContext; import javax.net.ssl.SSLException; import java.security.NoSuchAlgorithmException; import java.util.List; -import java.util.Optional; +import java.util.Locale; import io.grpc.BindableService; import io.grpc.netty.shaded.io.grpc.netty.NettyServerBuilder; @@ -33,8 +35,6 @@ * Security settings injected through a SecureAuxTransportSettingsProvider. */ public class SecureNetty4GrpcServerTransport extends Netty4GrpcServerTransport { - private static final Logger logger = LogManager.getLogger(SecureNetty4GrpcServerTransport.class); - private final SecureAuxTransportSettingsProvider secureAuxTransportSettingsProvider; /** 
@@ -74,13 +74,25 @@ public SecureNetty4GrpcServerTransport( }); } + /** + * @return io.grpc SslContext from SecureAuxTransportSettingsProvider. + */ private SslContext buildSslContext() throws SSLException, NoSuchAlgorithmException { - Optional SSLCtxt = secureAuxTransportSettingsProvider.buildSecureAuxServerSSLContext(this.settings, this); - - if (SSLCtxt.isEmpty()) { - throw new SSLException("SSLContext could not be built from secureAuxTransportSettingsProvider."); + if (secureAuxTransportSettingsProvider.parameters(settings).isEmpty()) { + throw new SSLException("SSLContext could not be built from SecureAuxTransportSettingsProvider: provider empty"); } - - return new SSLContextWrapper(SSLCtxt.get(), false); + SecureAuxTransportSettingsProvider.SecureTransportParameters params = secureAuxTransportSettingsProvider.parameters(settings).get(); + return SslContextBuilder.forServer(params.keyManagerFactory()) + .trustManager(params.trustManagerFactory()) + .sslProvider(SslProvider.valueOf(params.sslProvider().toUpperCase(Locale.ROOT))) + .clientAuth(ClientAuth.valueOf(params.clientAuth().toUpperCase(Locale.ROOT))) + .protocols(params.protocols()) + .ciphers(params.cipherSuites()) + .applicationProtocolConfig(new ApplicationProtocolConfig( + ApplicationProtocolConfig.Protocol.ALPN, + ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE, + ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT, + ApplicationProtocolNames.HTTP_2)) + .build(); } } diff --git a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/Netty4GrpcServerTransportTests.java b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/Netty4GrpcServerTransportTests.java index e3d4c9e3b1af2..4edd36e45b709 100644 --- a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/Netty4GrpcServerTransportTests.java +++ b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/Netty4GrpcServerTransportTests.java 
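Review bot: `buildSslContext()` asks the provider for `parameters(settings)` twice, once for `isEmpty()` and once for `get()`, so the emptiness check does not guard the value that is actually used. Take it once with `secureAuxTransportSettingsProvider.parameters(settings).orElseThrow(() -> new SSLException(msg))`, where `msg` is the existing message. `SslProvider.valueOf(...)` and `ClientAuth.valueOf(...)` throw `IllegalArgumentException` on an unrecognised string, which escapes the declared `SSLException`; catching it and rethrowing as `SSLException` with the offending value would make a misconfigured provider fail with a clear TLS error. If `trustManagerFactory()` may return null, Netty (as far as I know) falls back to the JVM default trust store for verifying client certificates, which is worth stating in the Javadoc.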
@@ -50,14 +50,11 @@ public void testGrpcTransportHealthcheck() { )) { serverTransport.start(); final TransportAddress remoteAddress = randomFrom(serverTransport.boundAddress().boundAddresses()); - - NettyGrpcClient client = new NettyGrpcClient.Builder() + try(NettyGrpcClient client = new NettyGrpcClient.Builder() .setAddress(remoteAddress) - .build(); - - assertEquals(client.checkHealth(), HealthCheckResponse.ServingStatus.SERVING); - - client.shutdown(); + .build()){ + assertEquals(client.checkHealth(), HealthCheckResponse.ServingStatus.SERVING); + } serverTransport.stop(); } catch (Exception e) { throw new RuntimeException(e); diff --git a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/NettyGrpcClient.java b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/NettyGrpcClient.java index 25d8366e1a7bb..ee7ab8e4ca37b 100644 --- a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/NettyGrpcClient.java +++ b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/NettyGrpcClient.java 
@@ -14,23 +14,32 @@ import io.grpc.health.v1.HealthCheckResponse; import io.grpc.health.v1.HealthGrpc; import io.grpc.netty.shaded.io.grpc.netty.NettyChannelBuilder; +import io.grpc.netty.shaded.io.netty.handler.ssl.ApplicationProtocolConfig; +import io.grpc.netty.shaded.io.netty.handler.ssl.ApplicationProtocolNames; +import io.grpc.netty.shaded.io.netty.handler.ssl.ClientAuth; import io.grpc.netty.shaded.io.netty.handler.ssl.SslContext; +import io.grpc.netty.shaded.io.netty.handler.ssl.SslContextBuilder; +import io.grpc.netty.shaded.io.netty.handler.ssl.SslProvider; import io.grpc.reflection.v1alpha.ServerReflectionGrpc; import io.grpc.reflection.v1alpha.ServerReflectionRequest; import io.grpc.reflection.v1alpha.ServerReflectionResponse; import io.grpc.reflection.v1alpha.ServiceResponse; import io.grpc.stub.StreamObserver; import org.opensearch.core.common.transport.TransportAddress; +import org.opensearch.plugins.SecureAuxTransportSettingsProvider; +import javax.net.ssl.SSLException; import java.net.InetSocketAddress; import java.util.ArrayList; import java.util.List; +import java.util.Locale; import java.util.concurrent.CountDownLatch; import java.util.concurrent.TimeUnit; import static io.grpc.internal.GrpcUtil.NOOP_PROXY_DETECTOR; +import static org.opensearch.transport.grpc.SecureNetty4GrpcServerTransportTests.createSettings; -public class NettyGrpcClient { +public class NettyGrpcClient implements AutoCloseable { private final ManagedChannel channel; private final HealthGrpc.HealthBlockingStub healthStub; private final ServerReflectionGrpc.ServerReflectionStub reflectionStub; 
@@ -43,11 +52,20 @@ public NettyGrpcClient(TransportAddress addr, NettyChannelBuilder channelBuilder public void shutdown() throws InterruptedException { channel.shutdown().awaitTermination(5, TimeUnit.SECONDS); + if (!channel.awaitTermination(5, TimeUnit.SECONDS)) { + channel.shutdownNow(); + } + } + + @Override + public void close() throws Exception { + shutdown(); } /** - * ProtoReflectionService only implements a streaming interface and has no blocking stub. - * @return List services reported + * List available gRPC services available on server. + * Note: ProtoReflectionService only implements a streaming interface and has no blocking stub. + * @return List services reported. */ public List listServices() { List respServices = new ArrayList<>(); 
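Review bot: `shutdown()` now waits for termination twice: the result of `channel.shutdown().awaitTermination(5, TimeUnit.SECONDS)` is discarded and the same wait is repeated in the `if`, so a channel that does not terminate holds the test for up to ten seconds before `shutdownNow()` runs. Drop the first wait and use `channel.shutdown();` followed by the existing `if (!channel.awaitTermination(5, TimeUnit.SECONDS)) { channel.shutdownNow(); }`. Since `close()` delegates here, every try-with-resources user of the client inherits the delay.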
@@ -90,33 +108,50 @@ public void onCompleted() { return respServices; } + /** + * Request server status. + * @return HealthCheckResponse.ServingStatus. + */ public HealthCheckResponse.ServingStatus checkHealth() { return healthStub.check(HealthCheckRequest.newBuilder().build()).getStatus(); } public static class Builder { - private SslContext sslCtxt = null; + private SecureAuxTransportSettingsProvider settingsProvider = null; private TransportAddress addr = new TransportAddress(new InetSocketAddress("localhost", 9300)); private final ProxyDetector proxyDetector = NOOP_PROXY_DETECTOR; // No proxy detection for test client Builder () {} - public NettyGrpcClient build() { + public NettyGrpcClient build() throws SSLException { NettyChannelBuilder channelBuilder = NettyChannelBuilder .forAddress(addr.getAddress(), addr.getPort()) .proxyDetector(proxyDetector); - if (sslCtxt == null) { + if (settingsProvider == null) { channelBuilder.usePlaintext(); } else { - channelBuilder.sslContext(sslCtxt); + SecureAuxTransportSettingsProvider.SecureTransportParameters params = settingsProvider.parameters(createSettings()).get(); + SslContext ctxt = SslContextBuilder.forClient() + .trustManager(params.trustManagerFactory()) + .sslProvider(SslProvider.valueOf(params.sslProvider().toUpperCase(Locale.ROOT))) + .clientAuth(ClientAuth.valueOf(params.clientAuth().toUpperCase(Locale.ROOT))) + .protocols(params.protocols()) + .ciphers(params.cipherSuites()) + .applicationProtocolConfig(new ApplicationProtocolConfig( + ApplicationProtocolConfig.Protocol.ALPN, + ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE, + ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT, + ApplicationProtocolNames.HTTP_2)) + .build(); + channelBuilder.sslContext(ctxt); } return new NettyGrpcClient(addr, channelBuilder); } - public Builder setSslContext(SslContext sslCtxt) { - this.sslCtxt = sslCtxt; + public Builder setSecureSettingsProvider(SecureAuxTransportSettingsProvider 
settingsProvider) { + this.settingsProvider = settingsProvider; return this; } diff --git a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/SecureNetty4GrpcServerTransportTests.java b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/SecureNetty4GrpcServerTransportTests.java index 83ef513c027e3..be09eca541aa1 100644 --- a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/SecureNetty4GrpcServerTransportTests.java +++ b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/SecureNetty4GrpcServerTransportTests.java @@ -10,13 +10,11 @@ import io.grpc.BindableService; import io.grpc.health.v1.HealthCheckResponse; -import io.grpc.netty.shaded.io.netty.handler.ssl.SslContext; -import org.hamcrest.MatcherAssert; +import io.grpc.netty.shaded.io.netty.handler.ssl.util.InsecureTrustManagerFactory; import org.junit.After; import org.opensearch.common.network.NetworkService; import org.opensearch.common.settings.Settings; import org.opensearch.core.common.transport.TransportAddress; -import org.opensearch.plugins.NetworkPlugin; import org.opensearch.plugins.SecureAuxTransportSettingsProvider; import org.opensearch.test.OpenSearchTestCase; import org.junit.Before; @@ -34,15 +32,12 @@ import java.util.Optional; import org.opensearch.threadpool.TestThreadPool; -import org.opensearch.transport.grpc.ssl.SSLContextWrapper; import org.opensearch.transport.grpc.ssl.SecureNetty4GrpcServerTransport; import javax.net.ssl.KeyManagerFactory; import javax.net.ssl.SSLContext; -import javax.net.ssl.SSLException; - -import static org.hamcrest.Matchers.emptyArray; -import static org.hamcrest.Matchers.not; +import javax.net.ssl.SSLEngine; +import javax.net.ssl.TrustManagerFactory; public class SecureNetty4GrpcServerTransportTests extends OpenSearchTestCase { private TestThreadPool threadPool; 
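Review bot: In `NettyGrpcClient.Builder.build()`, `settingsProvider.parameters(createSettings()).get()` is called without checking the `Optional`, so a provider that returns `Optional.empty()` fails with a bare `NoSuchElementException`. Using `.orElseThrow(() -> new SSLException("provider returned no TLS parameters"))` reports the cause with the exception type `build()` already declares. The `.clientAuth(...)` call sits on `SslContextBuilder.forClient()`, where, as far as I know, Netty applies that setting only to server contexts. No key manager is set on the client either, so a server that requires client certificates could not be exercised with this helper. The static import of `SecureNetty4GrpcServerTransportTests.createSettings` also ties the client to one test class; passing the `Settings` in through the builder would remove that coupling.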
@@ -50,37 +45,75 @@ public class SecureNetty4GrpcServerTransportTests extends OpenSearchTestCase { private final List services = new ArrayList<>(); private SecureAuxTransportSettingsProvider settingsProvider; - private static SSLContext buildTestSSLContext() throws SSLException { - try { - final KeyStore keyStore = KeyStore.getInstance("PKCS12"); - keyStore.load( - SecureNetty4GrpcServerTransport.class.getResourceAsStream("/netty4-secure.jks"), - "password".toCharArray() - ); - final KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509"); - keyManagerFactory.init(keyStore, "password".toCharArray()); - SSLContext sslContext = SSLContext.getInstance("TLS"); - sslContext.init(keyManagerFactory.getKeyManagers(), null, null); - return sslContext; - } catch (final IOException | - NoSuchAlgorithmException | - UnrecoverableKeyException | - KeyStoreException | - CertificateException | - KeyManagementException ex) { - throw new SSLException(ex); - } - } - - private static SslContext buildClientTestSslContext() throws SSLException, NoSuchAlgorithmException { - return new SSLContextWrapper(buildTestSSLContext(), true); - } - private static SecureAuxTransportSettingsProvider getSecureSettingsProvider() { - return (settings, transport) -> Optional.of(buildTestSSLContext()); + return settings -> Optional.of(new SecureAuxTransportSettingsProvider.SecureTransportParameters() { + @Override + public boolean dualModeEnabled() { + return false; + } + + @Override + public String sslProvider() { + return "JDK"; + } + + @Override + public String clientAuth() { + return "NONE"; + } + + @Override + public Iterable protocols() { + return List.of("TLSv1.3", "TLSv1.2"); + } + + @Override + public Iterable cipherSuites() { + /** + * Attempt to fetch supported ciphers from default provider. + * Else fall back to common defaults. 
+ */ + try { + SSLContext context = SSLContext.getInstance("TLS"); + context.init(null, null, null); + SSLEngine engine = context.createSSLEngine(); + return List.of(engine.getSupportedCipherSuites()); + } catch (NoSuchAlgorithmException | KeyManagementException e) { + return List.of( + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", // TLSv1.2 + "TLS_AES_128_GCM_SHA256" // TLSv1.3 + ); + } + } + + @Override + public KeyManagerFactory keyManagerFactory() { + try { + final KeyStore keyStore = KeyStore.getInstance("PKCS12"); + keyStore.load( + SecureNetty4GrpcServerTransport.class.getResourceAsStream("/netty4-secure.jks"), + "password".toCharArray() + ); + final KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509"); + keyManagerFactory.init(keyStore, "password".toCharArray()); + return keyManagerFactory; + } catch (UnrecoverableKeyException | + CertificateException | + KeyStoreException | + IOException | + NoSuchAlgorithmException e) { + throw new RuntimeException(e); + } + } + + @Override + public TrustManagerFactory trustManagerFactory() { + return InsecureTrustManagerFactory.INSTANCE; + } + }); } - private static Settings createSettings() { + static Settings createSettings() { return Settings.builder().put( SecureNetty4GrpcServerTransport.SETTING_GRPC_PORT.getKey(), getPortRange()) @@ -111,7 +144,7 @@ public void testGrpcSecureTransportStartStop() { settingsProvider )) { serverTransport.start(); - MatcherAssert.assertThat(serverTransport.boundAddress().boundAddresses(), not(emptyArray())); + assertTrue(serverTransport.boundAddress().boundAddresses().length > 0); assertNotNull(serverTransport.boundAddress().publishAddress().address()); serverTransport.stop(); } catch (Exception e) { 
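Review bot: `cipherSuites()` in the anonymous `SecureTransportParameters` returns `engine.getSupportedCipherSuites()`, which is every suite the provider implements rather than the set it enables by default, so the test server may offer suites the JDK would otherwise leave off; `return List.of(engine.getEnabledCipherSuites());` follows the default policy. `trustManagerFactory()` returns `InsecureTrustManagerFactory.INSTANCE`, which accepts any certificate chain, so a comment such as `// Test only: trusts every certificate, never use outside tests` would stop this provider being copied as a template. The `/** ... */` block inside the method body is not in a Javadoc position and should be a `//` comment. The stream from `getResourceAsStream` in `keyManagerFactory()` is never closed; a try-with-resources around `keyStore.load` would fix that.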
@@ -121,23 +154,22 @@ public void testGrpcSecureTransportStartStop() { public void testGrpcSecureTransportHealthcheck() { try (SecureNetty4GrpcServerTransport serverTransport = new SecureNetty4GrpcServerTransport( - createSettings(), - services, - networkService, - settingsProvider - )) { - serverTransport.start(); - final TransportAddress remoteAddress = randomFrom(serverTransport.boundAddress().boundAddresses()); - - NettyGrpcClient client = new NettyGrpcClient.Builder() - .setAddress(remoteAddress) - .setSslContext(buildClientTestSslContext()) - .build(); - + createSettings(), + services, + networkService, + settingsProvider + )) { + serverTransport.start(); + assertTrue(serverTransport.boundAddress().boundAddresses().length > 0); + assertNotNull(serverTransport.boundAddress().publishAddress().address()); + final TransportAddress remoteAddress = randomFrom(serverTransport.boundAddress().boundAddresses()); + try(NettyGrpcClient client = new NettyGrpcClient.Builder() + .setAddress(remoteAddress) + .setSecureSettingsProvider(settingsProvider) + .build()){ assertEquals(client.checkHealth(), HealthCheckResponse.ServingStatus.SERVING); - - client.shutdown(); - serverTransport.stop(); + } + serverTransport.stop(); } catch (Exception e) { throw new RuntimeException(e); } diff --git a/server/src/main/java/org/opensearch/plugins/SecureAuxTransportSettingsProvider.java b/server/src/main/java/org/opensearch/plugins/SecureAuxTransportSettingsProvider.java index aaecdbaa5e9e7..971c7c5b02d21 100644 --- a/server/src/main/java/org/opensearch/plugins/SecureAuxTransportSettingsProvider.java +++ b/server/src/main/java/org/opensearch/plugins/SecureAuxTransportSettingsProvider.java 
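Review bot: `testGrpcSecureTransportHealthcheck` only shows that a TLS client which trusts every certificate can reach the server; none of the tests visible here checks that the secure transport refuses a plaintext client. A companion case that builds `new NettyGrpcClient.Builder().setAddress(remoteAddress).build()` without a settings provider and expects `checkHealth()` to fail would pin the property this transport exists for. `assertEquals(client.checkHealth(), HealthCheckResponse.ServingStatus.SERVING)` also has expected and actual swapped, and declaring `throws Exception` on the test method would remove the `catch (Exception e) { throw new RuntimeException(e); }` wrapper.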
@@ -10,14 +10,9 @@ import org.opensearch.common.annotation.ExperimentalApi; import org.opensearch.common.settings.Settings; -import org.opensearch.http.HttpServerTransport; -import org.opensearch.transport.TransportAdapterProvider; -import javax.net.ssl.SSLContext; -import javax.net.ssl.SSLEngine; -import javax.net.ssl.SSLException; -import java.util.Collection; -import java.util.Collections; +import javax.net.ssl.KeyManagerFactory; +import javax.net.ssl.TrustManagerFactory; import java.util.Optional; /** @@ -28,11 +23,20 @@ @ExperimentalApi public interface SecureAuxTransportSettingsProvider { /** - * If supported, builds an {@link SSLContext} instance for {@link NetworkPlugin.AuxTransport} instance + * Provides access to SSL params directly for cases where it is not convenient to consume a pre-built javax.net.ssl SSLContext. * @param settings settings - * @param transport {@link NetworkPlugin.AuxTransport} instance - * @return if supported, builds the {@link SSLContext} instance - * @throws SSLException throws SSLException if the {@link SSLEngine} instance cannot be built + * @return an instance of {@link SecureAuxTransportSettingsProvider.SecureTransportParameters} */ - Optional buildSecureAuxServerSSLContext(Settings settings, NetworkPlugin.AuxTransport transport) throws SSLException; + Optional parameters(Settings settings); + + @ExperimentalApi + interface SecureTransportParameters { + boolean dualModeEnabled(); + String sslProvider(); + String clientAuth(); + Iterable protocols(); + Iterable cipherSuites(); + KeyManagerFactory keyManagerFactory(); + TrustManagerFactory trustManagerFactory(); + } } diff --git a/server/src/test/java/org/opensearch/common/network/NetworkModuleTests.java b/server/src/test/java/org/opensearch/common/network/NetworkModuleTests.java index f824f6fa8333b..0e3fa12668a6a 100644 --- a/server/src/test/java/org/opensearch/common/network/NetworkModuleTests.java 
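Review bot: The new `SecureTransportParameters` interface has no Javadoc on any of its seven methods, although several of them define security behaviour that implementers must get right. `sslProvider()` and `clientAuth()` return free-form strings that the callers visible in this series upper-case and pass to `SslProvider.valueOf` and `ClientAuth.valueOf`, so the accepted values and the `IllegalArgumentException` thrown for anything else should be documented. `dualModeEnabled()` needs a sentence saying what is permitted when it returns true, and `protocols()` and `cipherSuites()` should say whether an empty result means provider defaults. The Javadoc on `parameters` still describes itself as an alternative to a pre-built `SSLContext`, which this hunk removes as an option.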
+++ b/server/src/test/java/org/opensearch/common/network/NetworkModuleTests.java @@ -135,12 +135,7 @@ public Optional buildHttpServerExceptionHandler( @Override public Optional getSecureAuxTransportSettingsProvider(Settings settings) { - return Optional.of(new SecureAuxTransportSettingsProvider() { - @Override - public Optional buildSecureAuxServerSSLContext(Settings settings, NetworkPlugin.AuxTransport transport) throws SSLException { - return Optional.empty(); - } - }); + return Optional.of(settings1 -> Optional.empty()); } }; } From 3334f7eff65152e65de6fdee10f0c39f02aa8030 Mon Sep 17 00:00:00 2001 From: Finn Carroll Date: Thu, 13 Feb 2025 10:34:01 -0800 Subject: [PATCH 21/36] Clean up test cases. Store SslContext in SecureNetty4GrpcServerTransport. Signed-off-by: Finn Carroll --- .../grpc/Netty4GrpcServerTransport.java | 2 +- .../ssl/SecureNetty4GrpcServerTransport.java | 23 +++++++++------ .../grpc/Netty4GrpcServerTransportTests.java | 8 ++--- .../SecureNetty4GrpcServerTransportTests.java | 29 +++++++------------ 4 files changed, 30 insertions(+), 32 deletions(-) diff --git a/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/Netty4GrpcServerTransport.java b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/Netty4GrpcServerTransport.java index 704be0c3ca0c7..41cbbc8cd86b2 100644 --- a/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/Netty4GrpcServerTransport.java +++ b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/Netty4GrpcServerTransport.java @@ -206,7 +206,7 @@ protected void doStop() { @Override protected void doClose() { - + eventLoopGroup.close(); } private void bindServer() { diff --git a/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/ssl/SecureNetty4GrpcServerTransport.java b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/ssl/SecureNetty4GrpcServerTransport.java index ef8dccfffbcbb..fb541b3a94ab7 100644 
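Review bot: `doClose()` in `Netty4GrpcServerTransport` now calls `eventLoopGroup.close()` with no null check. The field's assignment is outside this hunk, so if it is only set during start, closing a transport that never started (or whose start failed early) would presumably throw a `NullPointerException` from a cleanup path. `if (eventLoopGroup != null) { eventLoopGroup.close(); }` keeps close safe to call in any state. It is also worth confirming which `close()` this resolves to: if it is the `ExecutorService` default from newer JDKs it blocks until termination, whereas Netty's own idiom is `shutdownGracefully()` with a timeout.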
--- a/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/ssl/SecureNetty4GrpcServerTransport.java +++ b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/ssl/SecureNetty4GrpcServerTransport.java @@ -22,7 +22,6 @@ import javax.net.ssl.SSLException; -import java.security.NoSuchAlgorithmException; import java.util.List; import java.util.Locale; @@ -36,6 +35,7 @@ */ public class SecureNetty4GrpcServerTransport extends Netty4GrpcServerTransport { private final SecureAuxTransportSettingsProvider secureAuxTransportSettingsProvider; + private final SslContext sslContext; /** * Hide parent GRPC_TRANSPORT_SETTING_KEY and SETTING_GRPC_PORT. @@ -65,19 +65,24 @@ public SecureNetty4GrpcServerTransport( this.secureAuxTransportSettingsProvider = secureTransportSettingsProvider; this.port = SecureNetty4GrpcServerTransport.SETTING_GRPC_PORT.get(settings); - this.addServerConfig((NettyServerBuilder builder) -> { - try { - return builder.sslContext(buildSslContext()); - } catch (SSLException | NoSuchAlgorithmException e) { - throw new RuntimeException(e); - } - }); + try { + this.sslContext = buildSslContext(); + } catch (SSLException e) { + throw new RuntimeException(SecureNetty4GrpcServerTransport.class + " failed to build SslContext", e); + } + + this.addServerConfig((NettyServerBuilder builder) -> builder.sslContext(this.sslContext)); + } + + @Override + public void doClose() { + super.doClose(); } /** * @return io.grpc SslContext from SecureAuxTransportSettingsProvider. */ - private SslContext buildSslContext() throws SSLException, NoSuchAlgorithmException { + private SslContext buildSslContext() throws SSLException { if (secureAuxTransportSettingsProvider.parameters(settings).isEmpty()) { throw new SSLException("SSLContext could not be built from SecureAuxTransportSettingsProvider: provider empty"); } 
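Review bot: The constructor's catch block builds its message with `SecureNetty4GrpcServerTransport.class + " failed to build SslContext"`, which renders with a leading `class ` and the fully qualified name; `SecureNetty4GrpcServerTransport.class.getSimpleName()` or a plain literal reads better in logs. The new `sslContext` field is built once here and captured by the `addServerConfig` lambda, so, assuming nothing recreates the transport, certificates rotated behind the provider would not be picked up. A field comment such as `// Built once at construction; provider changes need a new transport instance` would record that. In `buildSslContext()` the provider is queried in the `isEmpty()` check and, presumably, again further down outside this hunk; binding the result once with `orElseThrow` avoids the second call.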
diff --git a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/Netty4GrpcServerTransportTests.java b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/Netty4GrpcServerTransportTests.java index 4edd36e45b709..4d73396aba72d 100644 --- a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/Netty4GrpcServerTransportTests.java +++ b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/Netty4GrpcServerTransportTests.java @@ -43,19 +43,19 @@ public void testGrpcTransportStartStop() { } public void testGrpcTransportHealthcheck() { - try (Netty4GrpcServerTransport serverTransport = new Netty4GrpcServerTransport( + try (Netty4GrpcServerTransport transport = new Netty4GrpcServerTransport( createSettings(), services, networkService )) { - serverTransport.start(); - final TransportAddress remoteAddress = randomFrom(serverTransport.boundAddress().boundAddresses()); + transport.start(); + final TransportAddress remoteAddress = randomFrom(transport.boundAddress().boundAddresses()); try(NettyGrpcClient client = new NettyGrpcClient.Builder() .setAddress(remoteAddress) .build()){ assertEquals(client.checkHealth(), HealthCheckResponse.ServingStatus.SERVING); } - serverTransport.stop(); + transport.stop(); } catch (Exception e) { throw new RuntimeException(e); } diff --git a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/SecureNetty4GrpcServerTransportTests.java b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/SecureNetty4GrpcServerTransportTests.java index be09eca541aa1..5b890c40e4252 100644 --- a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/SecureNetty4GrpcServerTransportTests.java +++ b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/SecureNetty4GrpcServerTransportTests.java 
@@ -31,7 +31,6 @@ import java.util.List; import java.util.Optional; -import org.opensearch.threadpool.TestThreadPool; import org.opensearch.transport.grpc.ssl.SecureNetty4GrpcServerTransport; import javax.net.ssl.KeyManagerFactory; @@ -40,7 +39,6 @@ import javax.net.ssl.TrustManagerFactory; public class SecureNetty4GrpcServerTransportTests extends OpenSearchTestCase { - private TestThreadPool threadPool; private NetworkService networkService; private final List services = new ArrayList<>(); private SecureAuxTransportSettingsProvider settingsProvider; 
@@ -122,54 +120,49 @@ static Settings createSettings() { @Before public void setup() { - threadPool = new TestThreadPool("test"); networkService = new NetworkService(Collections.emptyList()); settingsProvider = getSecureSettingsProvider(); } @After public void shutdown() { - if (threadPool != null) { - threadPool.shutdownNow(); - } - threadPool = null; networkService = null; } public void testGrpcSecureTransportStartStop() { - try (SecureNetty4GrpcServerTransport serverTransport = new SecureNetty4GrpcServerTransport( + try (SecureNetty4GrpcServerTransport transport = new SecureNetty4GrpcServerTransport( createSettings(), services, networkService, settingsProvider )) { - serverTransport.start(); - assertTrue(serverTransport.boundAddress().boundAddresses().length > 0); - assertNotNull(serverTransport.boundAddress().publishAddress().address()); - serverTransport.stop(); + transport.start(); + assertTrue(transport.boundAddress().boundAddresses().length > 0); + assertNotNull(transport.boundAddress().publishAddress().address()); + transport.stop(); } catch (Exception e) { throw new RuntimeException(e); } } public void testGrpcSecureTransportHealthcheck() { - try (SecureNetty4GrpcServerTransport serverTransport = new SecureNetty4GrpcServerTransport( + try (SecureNetty4GrpcServerTransport transport = new SecureNetty4GrpcServerTransport( createSettings(), services, networkService, settingsProvider )) { - serverTransport.start(); - assertTrue(serverTransport.boundAddress().boundAddresses().length > 0); - assertNotNull(serverTransport.boundAddress().publishAddress().address()); - final TransportAddress remoteAddress = randomFrom(serverTransport.boundAddress().boundAddresses()); + transport.start(); + assertTrue(transport.boundAddress().boundAddresses().length > 0); + assertNotNull(transport.boundAddress().publishAddress().address()); + final TransportAddress remoteAddress = randomFrom(transport.boundAddress().boundAddresses()); try(NettyGrpcClient client = new 
NettyGrpcClient.Builder() .setAddress(remoteAddress) .setSecureSettingsProvider(settingsProvider) .build()){ assertEquals(client.checkHealth(), HealthCheckResponse.ServingStatus.SERVING); } - serverTransport.stop(); + transport.stop(); } catch (Exception e) { throw new RuntimeException(e); } From 33e66144c1781c1f9ecb77b760d9559d7b3208a0 Mon Sep 17 00:00:00 2001 From: Finn Carroll Date: Thu, 13 Feb 2025 10:59:19 -0800 Subject: [PATCH 22/36] Configure Netty server to re-use eventLoopGroup pool for service stubs. Signed-off-by: Finn Carroll --- .../org/opensearch/transport/grpc/Netty4GrpcServerTransport.java | 1 + 1 file changed, 1 insertion(+) diff --git a/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/Netty4GrpcServerTransport.java b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/Netty4GrpcServerTransport.java index 41cbbc8cd86b2..d659e65d4cca0 100644 --- a/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/Netty4GrpcServerTransport.java +++ b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/Netty4GrpcServerTransport.java @@ -259,6 +259,7 @@ private TransportAddress bindAddress(InetAddress hostAddress, PortsRange portRan final InetSocketAddress address = new InetSocketAddress(hostAddress, portNumber); final NettyServerBuilder serverBuilder = NettyServerBuilder .forAddress(address) + .directExecutor() .bossEventLoopGroup(eventLoopGroup) .workerEventLoopGroup(eventLoopGroup) .channelType(NioServerSocketChannel.class) From af640f3e4c97b342e5e5feee82b7b069e8806ca8 Mon Sep 17 00:00:00 2001 From: Finn Carroll Date: Thu, 13 Feb 2025 11:33:34 -0800 Subject: [PATCH 23/36] Remove redundant settings from SecureNetty4GrpcServerTransport. Signed-off-by: Finn Carroll --- .../ssl/SecureNetty4GrpcServerTransport.java | 18 ------------------ 1 file changed, 18 deletions(-) 
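Review bot: `.directExecutor()` in `bindAddress` makes every service handler run on the Netty event-loop thread that read the request. Because the same `eventLoopGroup` is used as both boss and worker group, a handler that blocks would stall accepts and I/O for other connections on that loop. Nothing in the hunk documents that constraint for the `BindableService` implementations passed in. A comment such as `// Handlers run on the event loop: services must not block` above the call would make the contract explicit, as would a dedicated executor once real services are registered. `bindAddress` starts and ends outside the hunk.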
diff --git a/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/ssl/SecureNetty4GrpcServerTransport.java b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/ssl/SecureNetty4GrpcServerTransport.java index fb541b3a94ab7..ae4dc4fa22fd7 100644 --- a/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/ssl/SecureNetty4GrpcServerTransport.java +++ b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/ssl/SecureNetty4GrpcServerTransport.java @@ -14,9 +14,7 @@ import io.grpc.netty.shaded.io.netty.handler.ssl.SslProvider; import io.grpc.netty.shaded.io.netty.handler.ssl.ApplicationProtocolNames; import org.opensearch.common.network.NetworkService; -import org.opensearch.common.settings.Setting; import org.opensearch.common.settings.Settings; -import org.opensearch.common.transport.PortsRange; import org.opensearch.plugins.SecureAuxTransportSettingsProvider; import org.opensearch.transport.grpc.Netty4GrpcServerTransport; @@ -37,17 +35,6 @@ public class SecureNetty4GrpcServerTransport extends Netty4GrpcServerTransport { private final SecureAuxTransportSettingsProvider secureAuxTransportSettingsProvider; private final SslContext sslContext; - /** - * Hide parent GRPC_TRANSPORT_SETTING_KEY and SETTING_GRPC_PORT. - * Overwrite port in constructor with configuration as specified by - * SecureNetty4GrpcServerTransport.GRPC_TRANSPORT_SETTING_KEY and - * SecureNetty4GrpcServerTransport.SETTING_GRPC_PORT. - */ - public static final String GRPC_TRANSPORT_SETTING_KEY = "experimental-secure-transport-grpc"; - public static final Setting SETTING_GRPC_PORT = AUX_TRANSPORT_PORT.getConcreteSettingForNamespace( - GRPC_TRANSPORT_SETTING_KEY - ); - /** * Creates a new SecureNetty4GrpcServerTransport instance. * @param settings the configured settings. 
@@ -74,11 +61,6 @@ public SecureNetty4GrpcServerTransport( this.addServerConfig((NettyServerBuilder builder) -> builder.sslContext(this.sslContext)); } - @Override - public void doClose() { - super.doClose(); - } - /** * @return io.grpc SslContext from SecureAuxTransportSettingsProvider. */ From 426e1b3ae7456051d23f133b7327383391bebfd9 Mon Sep 17 00:00:00 2001 From: Finn Carroll Date: Fri, 14 Feb 2025 14:37:21 -0800 Subject: [PATCH 24/36] Add initial readme to plugin root. Signed-off-by: Finn Carroll --- plugins/transport-grpc/README.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 plugins/transport-grpc/README.md diff --git a/plugins/transport-grpc/README.md b/plugins/transport-grpc/README.md new file mode 100644 index 0000000000000..f72fa5bc4588d --- /dev/null +++ b/plugins/transport-grpc/README.md @@ -0,0 +1,22 @@ +# transport-grpc + +An auxiliary transport which runs in parallel to the REST API. +The `transport-grpc` plugin initializes a new client/server transport implementing a gRPC protocol on Netty4. + +Enable this transport with: +``` +setting 'aux.transport.types', '[experimental-transport-grpc]' +setting 'aux.transport.experimental-transport-grpc.port', '9400-9500' //optional +``` + +## Testing + +### Unit Tests + +``` +./gradlew :plugins:transport-grpc:test +``` + +### Integration Tests + +COMING SOON - Fill this out with PR completion From 1fb707a3f2faa66b7d7768aa4bd91f0636047118 Mon Sep 17 00:00:00 2001 From: Finn Carroll Date: Fri, 14 Feb 2025 14:38:12 -0800 Subject: [PATCH 25/36] Remove multiple transport type settings in GrpcPlugin. Not necessary. Signed-off-by: Finn Carroll --- .../java/org/opensearch/transport/grpc/GrpcPlugin.java | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/GrpcPlugin.java b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/GrpcPlugin.java index b552d94a3c4cb..d264c4e25fe9e 100644 
--- a/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/GrpcPlugin.java +++ b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/GrpcPlugin.java @@ -24,8 +24,10 @@ import java.util.Map; import java.util.function.Supplier; +import static org.opensearch.transport.grpc.Netty4GrpcServerTransport.GRPC_TRANSPORT_SETTING_KEY; import static org.opensearch.transport.grpc.Netty4GrpcServerTransport.SETTING_GRPC_BIND_HOST; import static org.opensearch.transport.grpc.Netty4GrpcServerTransport.SETTING_GRPC_HOST; +import static org.opensearch.transport.grpc.Netty4GrpcServerTransport.SETTING_GRPC_PORT; import static org.opensearch.transport.grpc.Netty4GrpcServerTransport.SETTING_GRPC_PUBLISH_HOST; import static org.opensearch.transport.grpc.Netty4GrpcServerTransport.SETTING_GRPC_PUBLISH_PORT; import static org.opensearch.transport.grpc.Netty4GrpcServerTransport.SETTING_GRPC_WORKER_COUNT; @@ -50,7 +52,7 @@ public Map> getAuxTransports( Tracer tracer ) { return Collections.singletonMap( - Netty4GrpcServerTransport.GRPC_TRANSPORT_SETTING_KEY, + GRPC_TRANSPORT_SETTING_KEY, () -> new Netty4GrpcServerTransport(settings, Collections.emptyList(), networkService) ); } @@ -66,7 +68,7 @@ public Map> getSecureAuxTransports( Tracer tracer ) { return Collections.singletonMap( - SecureNetty4GrpcServerTransport.GRPC_TRANSPORT_SETTING_KEY, + GRPC_TRANSPORT_SETTING_KEY, () -> new SecureNetty4GrpcServerTransport(settings, Collections.emptyList(), networkService, secureAuxTransportSettingsProvider) ); } @@ -74,8 +76,7 @@ public Map> getSecureAuxTransports( @Override public List> getSettings() { return List.of( - Netty4GrpcServerTransport.SETTING_GRPC_PORT, - SecureNetty4GrpcServerTransport.SETTING_GRPC_PORT, + SETTING_GRPC_PORT, SETTING_GRPC_HOST, SETTING_GRPC_PUBLISH_HOST, SETTING_GRPC_BIND_HOST, From 120dffb93b5011cb0369c2da4ec906ba68ba676b Mon Sep 17 00:00:00 2001 
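Review bot: `getAuxTransports` and `getSecureAuxTransports` in `GrpcPlugin` now both register their supplier under the same `GRPC_TRANSPORT_SETTING_KEY`, so one `aux.transport.types` entry names a plaintext and a TLS transport at once. Which supplier wins is decided by code outside this diff. If the plaintext one can be selected while a `SecureAuxTransportSettingsProvider` is installed, an operator who enabled the transport expecting TLS would get an unencrypted listener. A comment on both methods stating the precedence, and a test asserting that the secure supplier is chosen whenever a provider is present, would close that gap.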
From: Finn Carroll Date: Fri, 14 Feb 2025 14:39:00 -0800 Subject: [PATCH 26/36] Remove depreacted constructor. Signed-off-by: Finn Carroll --- .../java/org/opensearch/transport/grpc/NettyGrpcClient.java | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/NettyGrpcClient.java b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/NettyGrpcClient.java index ee7ab8e4ca37b..b34260a88b691 100644 --- a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/NettyGrpcClient.java +++ b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/NettyGrpcClient.java @@ -29,7 +29,6 @@ import org.opensearch.plugins.SecureAuxTransportSettingsProvider; import javax.net.ssl.SSLException; -import java.net.InetSocketAddress; import java.util.ArrayList; import java.util.List; import java.util.Locale; @@ -65,7 +64,7 @@ public void close() throws Exception { /** * List available gRPC services available on server. * Note: ProtoReflectionService only implements a streaming interface and has no blocking stub. - * @return List services reported. + * @return services registered on the server. */ public List listServices() { List respServices = new ArrayList<>(); @@ -118,7 +117,7 @@ public HealthCheckResponse.ServingStatus checkHealth() { public static class Builder { private SecureAuxTransportSettingsProvider settingsProvider = null; - private TransportAddress addr = new TransportAddress(new InetSocketAddress("localhost", 9300)); + private TransportAddress addr; private final ProxyDetector proxyDetector = NOOP_PROXY_DETECTOR; // No proxy detection for test client Builder () {} From 1757697013ca4b695ccb8a94738d60220c87cb90 Mon Sep 17 00:00:00 2001 From: Finn Carroll Date: Fri, 14 Feb 2025 14:39:23 -0800 Subject: [PATCH 27/36] Add IT infra to Grpc transport plugin. 
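Review bot: With the default removed in the `Builder` hunk of `NettyGrpcClient`, `addr` stays null until `setAddress` is called. `build()`, which is outside this hunk, dereferences it in `forAddress(addr.getAddress(), addr.getPort())`, so a forgotten `setAddress` now surfaces as a bare `NullPointerException`. A guard at the top of `build()` such as `if (addr == null) throw new IllegalStateException("address must be set before build()");` names the mistake.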
Signed-off-by: Finn Carroll --- plugins/transport-grpc/build.gradle | 13 +++++++ .../transport/grpc/GrpcTransportIT.java | 35 +++++++++++++++++++ 2 files changed, 48 insertions(+) create mode 100644 plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/GrpcTransportIT.java diff --git a/plugins/transport-grpc/build.gradle b/plugins/transport-grpc/build.gradle index 5c6bc8efe1098..a84a58bcaccd5 100644 --- a/plugins/transport-grpc/build.gradle +++ b/plugins/transport-grpc/build.gradle @@ -8,11 +8,21 @@ import org.gradle.api.attributes.java.TargetJvmEnvironment * compatible open source license. */ +apply plugin: 'opensearch.testclusters' +apply plugin: 'opensearch.internal-cluster-test' + opensearchplugin { description = 'gRPC based transport implementation' classname = 'org.opensearch.transport.grpc.GrpcPlugin' } +testClusters { + integTest { + plugin(project.path) + setting 'aux.transport.types', '[experimental-transport-grpc]' + } +} + dependencies { compileOnly "com.google.code.findbugs:jsr305:3.0.2" runtimeOnly "com.google.guava:guava:${versions.guava}" @@ -27,6 +37,9 @@ dependencies { implementation "io.grpc:grpc-stub:${versions.grpc}" implementation "io.grpc:grpc-util:${versions.grpc}" implementation "io.perfmark:perfmark-api:0.26.0" + + testImplementation project(':test:framework') + testImplementation project(':libs:opensearch-core') } tasks.named("dependencyLicenses").configure { diff --git a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/GrpcTransportIT.java b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/GrpcTransportIT.java new file mode 100644 index 0000000000000..b52be47ebed63 --- /dev/null +++ b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/GrpcTransportIT.java 
@@ -0,0 +1,35 @@ +/* + * SPDX-License-Identifier: Apache-2.0 + * + * The OpenSearch Contributors require contributions made to + * this file be licensed under the Apache-2.0 license or a + * compatible open source license. + */ + +package org.opensearch.transport.grpc; + + +import org.opensearch.common.settings.Settings; +import org.opensearch.plugins.Plugin; +import org.opensearch.test.OpenSearchIntegTestCase; + +import java.util.Collection; +import java.util.Collections; + +public class GrpcTransportIT extends OpenSearchIntegTestCase { + @Override + protected Settings nodeSettings(int nodeOrdinal) { + return Settings.builder() + .put(super.nodeSettings(nodeOrdinal)) + .build(); + } + + @Override + protected Collection> nodePlugins() { + return Collections.singleton(GrpcPlugin.class); + } + + public void testGrpcTransport() { + System.out.println("TESTING GRPC TRANSPORT"); + } +} From 79cb27b8375e9061d3bd2237759281f045e74013 Mon Sep 17 00:00:00 2001 From: Finn Carroll Date: Fri, 14 Feb 2025 14:46:37 -0800 Subject: [PATCH 28/36] Spotless apply Signed-off-by: Finn Carroll --- .../grpc/Netty4GrpcServerTransport.java | 4 +- .../ssl/SecureNetty4GrpcServerTransport.java | 23 +++--- .../transport/grpc/GrpcTransportIT.java | 7 +- .../grpc/Netty4GrpcServerTransportTests.java | 12 +--- .../transport/grpc/NettyGrpcClient.java | 44 ++++++------ .../SecureNetty4GrpcServerTransportTests.java | 68 +++++++++--------- .../src/test/resources/server.p12 | Bin 2782 -> 0 bytes 7 files changed, 75 insertions(+), 83 deletions(-) delete mode 100644 plugins/transport-grpc/src/test/resources/server.p12 diff --git a/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/Netty4GrpcServerTransport.java b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/Netty4GrpcServerTransport.java index d659e65d4cca0..37664a2a10bc5 100644 --- a/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/Netty4GrpcServerTransport.java 
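Review bot: `testGrpcTransport()` asserts nothing, so this integration test passes whether or not a gRPC server ever starts; it only prints a line. `nodeSettings()` also returns the parent's settings unchanged, so nothing in this class enables the aux transport for the cluster it runs against (the `aux.transport.types` setting in build.gradle is attached to the `integTest` test cluster, which may not be the same one). Until a real check lands, a comment such as `// TODO: enable the gRPC aux transport in nodeSettings() and assert a health check against it` would make the placeholder explicit.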
+++ b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/Netty4GrpcServerTransport.java @@ -35,7 +35,6 @@ import java.util.function.UnaryOperator; import io.grpc.BindableService; -import io.grpc.InsecureServerCredentials; import io.grpc.Server; import io.grpc.netty.shaded.io.grpc.netty.NettyServerBuilder; import io.grpc.netty.shaded.io.netty.channel.EventLoopGroup; @@ -257,8 +256,7 @@ private TransportAddress bindAddress(InetAddress hostAddress, PortsRange portRan try { final InetSocketAddress address = new InetSocketAddress(hostAddress, portNumber); - final NettyServerBuilder serverBuilder = NettyServerBuilder - .forAddress(address) + final NettyServerBuilder serverBuilder = NettyServerBuilder.forAddress(address) .directExecutor() .bossEventLoopGroup(eventLoopGroup) .workerEventLoopGroup(eventLoopGroup) diff --git a/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/ssl/SecureNetty4GrpcServerTransport.java b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/ssl/SecureNetty4GrpcServerTransport.java index ae4dc4fa22fd7..33a8459f28607 100644 --- a/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/ssl/SecureNetty4GrpcServerTransport.java +++ b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/ssl/SecureNetty4GrpcServerTransport.java @@ -8,11 +8,6 @@ package org.opensearch.transport.grpc.ssl; -import io.grpc.netty.shaded.io.netty.handler.ssl.ApplicationProtocolConfig; -import io.grpc.netty.shaded.io.netty.handler.ssl.ClientAuth; -import io.grpc.netty.shaded.io.netty.handler.ssl.SslContextBuilder; -import io.grpc.netty.shaded.io.netty.handler.ssl.SslProvider; -import io.grpc.netty.shaded.io.netty.handler.ssl.ApplicationProtocolNames; import org.opensearch.common.network.NetworkService; import org.opensearch.common.settings.Settings; import org.opensearch.plugins.SecureAuxTransportSettingsProvider; 
@@ -25,7 +20,12 @@ import io.grpc.BindableService; import io.grpc.netty.shaded.io.grpc.netty.NettyServerBuilder; +import io.grpc.netty.shaded.io.netty.handler.ssl.ApplicationProtocolConfig; +import io.grpc.netty.shaded.io.netty.handler.ssl.ApplicationProtocolNames; +import io.grpc.netty.shaded.io.netty.handler.ssl.ClientAuth; import io.grpc.netty.shaded.io.netty.handler.ssl.SslContext; +import io.grpc.netty.shaded.io.netty.handler.ssl.SslContextBuilder; +import io.grpc.netty.shaded.io.netty.handler.ssl.SslProvider; /** * Netty4GrpcServerTransport with TLS enabled. @@ -75,11 +75,14 @@ private SslContext buildSslContext() throws SSLException { .clientAuth(ClientAuth.valueOf(params.clientAuth().toUpperCase(Locale.ROOT))) .protocols(params.protocols()) .ciphers(params.cipherSuites()) - .applicationProtocolConfig(new ApplicationProtocolConfig( - ApplicationProtocolConfig.Protocol.ALPN, - ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE, - ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT, - ApplicationProtocolNames.HTTP_2)) + .applicationProtocolConfig( + new ApplicationProtocolConfig( + ApplicationProtocolConfig.Protocol.ALPN, + ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE, + ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT, + ApplicationProtocolNames.HTTP_2 + ) + ) .build(); } } diff --git a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/GrpcTransportIT.java b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/GrpcTransportIT.java index b52be47ebed63..9e706ea531614 100644 --- a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/GrpcTransportIT.java +++ b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/GrpcTransportIT.java @@ -8,7 +8,6 @@ package org.opensearch.transport.grpc; - import org.opensearch.common.settings.Settings; import org.opensearch.plugins.Plugin; import org.opensearch.test.OpenSearchIntegTestCase; 
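Review bot: In `buildSslContext()`, `ClientAuth.valueOf(params.clientAuth().toUpperCase(Locale.ROOT))` turns a provider-supplied string directly into the client-certificate policy, so a null value ends in a NullPointerException and a misspelt one in a generic IllegalArgumentException that names neither the parameter nor the accepted values. Failing at construction is the right direction for a TLS setting, but the error should identify what was wrong; catching the IllegalArgumentException and rethrowing `new SSLException("unsupported clientAuth value [" + value + "]", e)` would do that. The ALPN arguments also deserve a one-line comment on why `NO_ADVERTISE` and `ACCEPT` were chosen, since `ACCEPT` appears to let the handshake continue when the selected protocol is not one this side supports. The method starts above this hunk, so how `sslProvider()` and `dualModeEnabled()` are consumed is not visible here.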
@@ -19,9 +18,7 @@ public class GrpcTransportIT extends OpenSearchIntegTestCase { @Override protected Settings nodeSettings(int nodeOrdinal) { - return Settings.builder() - .put(super.nodeSettings(nodeOrdinal)) - .build(); + return Settings.builder().put(super.nodeSettings(nodeOrdinal)).build(); } @Override @@ -30,6 +27,6 @@ protected Collection> nodePlugins() { } public void testGrpcTransport() { - System.out.println("TESTING GRPC TRANSPORT"); + } } diff --git a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/Netty4GrpcServerTransportTests.java b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/Netty4GrpcServerTransportTests.java index 4d73396aba72d..ceb9c506516d3 100644 --- a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/Netty4GrpcServerTransportTests.java +++ b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/Netty4GrpcServerTransportTests.java @@ -8,7 +8,6 @@ package org.opensearch.transport.grpc; -import io.grpc.health.v1.HealthCheckResponse; import org.opensearch.common.network.NetworkService; import org.opensearch.common.settings.Settings; import org.opensearch.core.common.transport.TransportAddress; @@ -19,6 +18,7 @@ import java.util.List; import io.grpc.BindableService; +import io.grpc.health.v1.HealthCheckResponse; import static org.hamcrest.Matchers.emptyArray; import static org.hamcrest.Matchers.not; 
@@ -43,16 +43,10 @@ public void testGrpcTransportStartStop() { } public void testGrpcTransportHealthcheck() { - try (Netty4GrpcServerTransport transport = new Netty4GrpcServerTransport( - createSettings(), - services, - networkService - )) { + try (Netty4GrpcServerTransport transport = new Netty4GrpcServerTransport(createSettings(), services, networkService)) { transport.start(); final TransportAddress remoteAddress = randomFrom(transport.boundAddress().boundAddresses()); - try(NettyGrpcClient client = new NettyGrpcClient.Builder() - .setAddress(remoteAddress) - .build()){ + try (NettyGrpcClient client = new NettyGrpcClient.Builder().setAddress(remoteAddress).build()) { assertEquals(client.checkHealth(), HealthCheckResponse.ServingStatus.SERVING); } transport.stop(); diff --git a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/NettyGrpcClient.java b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/NettyGrpcClient.java index b34260a88b691..50b2f0b92a57f 100644 --- a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/NettyGrpcClient.java +++ b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/NettyGrpcClient.java @@ -8,6 +8,17 @@ package org.opensearch.transport.grpc; +import org.opensearch.core.common.transport.TransportAddress; +import org.opensearch.plugins.SecureAuxTransportSettingsProvider; + +import javax.net.ssl.SSLException; + +import java.util.ArrayList; +import java.util.List; +import java.util.Locale; +import java.util.concurrent.CountDownLatch; +import java.util.concurrent.TimeUnit; + import io.grpc.ManagedChannel; import io.grpc.ProxyDetector; import io.grpc.health.v1.HealthCheckRequest; 
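Review bot: The arguments to `assertEquals` in `testGrpcTransportHealthcheck` are reversed: the expected value comes first, so a failure here would report the constant as the actual result. `assertEquals(HealthCheckResponse.ServingStatus.SERVING, client.checkHealth());` reads correctly in the failure message. The same reversed order appears in `testGrpcSecureTransportHealthcheck` and in the cluster-health integration test later in this series.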
@@ -25,18 +36,9 @@ import io.grpc.reflection.v1alpha.ServerReflectionResponse; import io.grpc.reflection.v1alpha.ServiceResponse; import io.grpc.stub.StreamObserver; -import org.opensearch.core.common.transport.TransportAddress; -import org.opensearch.plugins.SecureAuxTransportSettingsProvider; -import javax.net.ssl.SSLException; -import java.util.ArrayList; -import java.util.List; -import java.util.Locale; -import java.util.concurrent.CountDownLatch; -import java.util.concurrent.TimeUnit; - -import static io.grpc.internal.GrpcUtil.NOOP_PROXY_DETECTOR; import static org.opensearch.transport.grpc.SecureNetty4GrpcServerTransportTests.createSettings; +import static io.grpc.internal.GrpcUtil.NOOP_PROXY_DETECTOR; public class NettyGrpcClient implements AutoCloseable { private final ManagedChannel channel; @@ -91,9 +93,7 @@ public void onCompleted() { }; StreamObserver requestObserver = reflectionStub.serverReflectionInfo(responseObserver); - requestObserver.onNext(ServerReflectionRequest.newBuilder() - .setListServices("") - .build()); + requestObserver.onNext(ServerReflectionRequest.newBuilder().setListServices("").build()); requestObserver.onCompleted(); try { @@ -120,11 +120,10 @@ public static class Builder { private TransportAddress addr; private final ProxyDetector proxyDetector = NOOP_PROXY_DETECTOR; // No proxy detection for test client - Builder () {} + Builder() {} public NettyGrpcClient build() throws SSLException { - NettyChannelBuilder channelBuilder = NettyChannelBuilder - .forAddress(addr.getAddress(), addr.getPort()) + NettyChannelBuilder channelBuilder = NettyChannelBuilder.forAddress(addr.getAddress(), addr.getPort()) .proxyDetector(proxyDetector); if (settingsProvider == null) { 
@@ -137,11 +136,14 @@ public NettyGrpcClient build() throws SSLException { .clientAuth(ClientAuth.valueOf(params.clientAuth().toUpperCase(Locale.ROOT))) .protocols(params.protocols()) .ciphers(params.cipherSuites()) - .applicationProtocolConfig(new ApplicationProtocolConfig( - ApplicationProtocolConfig.Protocol.ALPN, - ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE, - ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT, - ApplicationProtocolNames.HTTP_2)) + .applicationProtocolConfig( + new ApplicationProtocolConfig( + ApplicationProtocolConfig.Protocol.ALPN, + ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE, + ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT, + ApplicationProtocolNames.HTTP_2 + ) + ) .build(); channelBuilder.sslContext(ctxt); } diff --git a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/SecureNetty4GrpcServerTransportTests.java b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/SecureNetty4GrpcServerTransportTests.java index 5b890c40e4252..3f31b798eb218 100644 --- a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/SecureNetty4GrpcServerTransportTests.java +++ b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/SecureNetty4GrpcServerTransportTests.java 
@@ -8,17 +8,20 @@ package org.opensearch.transport.grpc; -import io.grpc.BindableService; -import io.grpc.health.v1.HealthCheckResponse; -import io.grpc.netty.shaded.io.netty.handler.ssl.util.InsecureTrustManagerFactory; -import org.junit.After; import org.opensearch.common.network.NetworkService; import org.opensearch.common.settings.Settings; import org.opensearch.core.common.transport.TransportAddress; import org.opensearch.plugins.SecureAuxTransportSettingsProvider; import org.opensearch.test.OpenSearchTestCase; +import org.opensearch.transport.grpc.ssl.SecureNetty4GrpcServerTransport; +import org.junit.After; import org.junit.Before; +import javax.net.ssl.KeyManagerFactory; +import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLEngine; +import javax.net.ssl.TrustManagerFactory; + import java.io.IOException; import java.security.KeyManagementException; import java.security.KeyStore; @@ -31,12 +34,9 @@ import java.util.List; import java.util.Optional; -import org.opensearch.transport.grpc.ssl.SecureNetty4GrpcServerTransport; - -import javax.net.ssl.KeyManagerFactory; -import javax.net.ssl.SSLContext; -import javax.net.ssl.SSLEngine; -import javax.net.ssl.TrustManagerFactory; +import io.grpc.BindableService; +import io.grpc.health.v1.HealthCheckResponse; +import io.grpc.netty.shaded.io.netty.handler.ssl.util.InsecureTrustManagerFactory; public class SecureNetty4GrpcServerTransportTests extends OpenSearchTestCase { private NetworkService networkService; 
@@ -95,11 +95,7 @@ public KeyManagerFactory keyManagerFactory() { final KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509"); keyManagerFactory.init(keyStore, "password".toCharArray()); return keyManagerFactory; - } catch (UnrecoverableKeyException | - CertificateException | - KeyStoreException | - IOException | - NoSuchAlgorithmException e) { + } catch (UnrecoverableKeyException | CertificateException | KeyStoreException | IOException | NoSuchAlgorithmException e) { throw new RuntimeException(e); } } @@ -112,10 +108,7 @@ public TrustManagerFactory trustManagerFactory() { } static Settings createSettings() { - return Settings.builder().put( - SecureNetty4GrpcServerTransport.SETTING_GRPC_PORT.getKey(), - getPortRange()) - .build(); + return Settings.builder().put(SecureNetty4GrpcServerTransport.SETTING_GRPC_PORT.getKey(), getPortRange()).build(); } @Before @@ -130,12 +123,14 @@ public void shutdown() { } public void testGrpcSecureTransportStartStop() { - try (SecureNetty4GrpcServerTransport transport = new SecureNetty4GrpcServerTransport( - createSettings(), - services, - networkService, - settingsProvider - )) { + try ( + SecureNetty4GrpcServerTransport transport = new SecureNetty4GrpcServerTransport( + createSettings(), + services, + networkService, + settingsProvider + ) + ) { transport.start(); assertTrue(transport.boundAddress().boundAddresses().length > 0); assertNotNull(transport.boundAddress().publishAddress().address()); 
@@ -146,20 +141,23 @@ public void testGrpcSecureTransportStartStop() { } public void testGrpcSecureTransportHealthcheck() { - try (SecureNetty4GrpcServerTransport transport = new SecureNetty4GrpcServerTransport( - createSettings(), - services, - networkService, - settingsProvider - )) { + try ( + SecureNetty4GrpcServerTransport transport = new SecureNetty4GrpcServerTransport( + createSettings(), + services, + networkService, + settingsProvider + ) + ) { transport.start(); assertTrue(transport.boundAddress().boundAddresses().length > 0); assertNotNull(transport.boundAddress().publishAddress().address()); final TransportAddress remoteAddress = randomFrom(transport.boundAddress().boundAddresses()); - try(NettyGrpcClient client = new NettyGrpcClient.Builder() - .setAddress(remoteAddress) - .setSecureSettingsProvider(settingsProvider) - .build()){ + try ( + NettyGrpcClient client = new NettyGrpcClient.Builder().setAddress(remoteAddress) + .setSecureSettingsProvider(settingsProvider) + .build() + ) { assertEquals(client.checkHealth(), HealthCheckResponse.ServingStatus.SERVING); } transport.stop(); 
diff --git a/plugins/transport-grpc/src/test/resources/server.p12 b/plugins/transport-grpc/src/test/resources/server.p12 deleted file mode 100644 index bb9ce806f1b66b7833078626b3c199fbf50dd4d8..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2782 zcmai$XHXLe6NVE=LJ_1G@C2kP9SH)V2uG0`LJ<;*L7D~yf{02FE%atV6as=kXaNz9 z-lBBy3<@eJA;dzL9!d~Fj+^fr{du#qv-7_1&g{Qu7DnKvu>sj(1nzqfF2zKPL>4cQ z16WAljs+38BM_QD!|NfxtIBQ-d1sgw6&EuHbrmMeJHjT`G8MEfn%LD z71D$V#{kih=h5V&cD;211<5Z&j#4=csk351 zQ^i8Ba}Pd|ao2nX1>9$4RF9a)jaBu|yeJaw2%NdT1~gx~{^p)Zvj(~3lnm!qr~Le- zDdBpGEyMaDDp~uAtbA1csT}h<|L~Y_FG~CbKAvQ1uKdcf)Z+Ox=+BH}fP`(wfk)*CCAiM}!T|vWvdK)2-jId+shz&(jy099st2Hqtf_&leNjh> zQcmP@5~i%P0R>@_pd3Gi;M|r`^U@}ar*qe%TT>HMR#o@WKa7j=2A78Ypcus8mhCHd z^{Vw7TT@`tRX)b_I48dz@Y3Js$QqrD0jaWKhlK4dZtqz$<=lc9-jdI^;Cp8$tk`WU zL+7iIQg0VVbxa;jv-Aii`k~s>MX+F<=bxm`6*f&dGBT^dnzc+@|A8&)Vj}rnjH`c- z!u)vAHq4uaODTU_eL5bXwR!s7Eqvt%(OB2-v1%4OcO3jho1lnQ3->;U6btJn6Kq|?alu?q9F|~+e*_WUEGN!=4AMvn9cRKbm!0$PV*oqtC@_1$#I=a*=E3cbT*#qC5 zYpTx_$+bs=W~oe5$>!aLk?ujxS!ae`Z+kpbK!$q+=b6mFzSS&PCcY@)P*YJXb;BIF zsoNjrT|v3b*m`W?F8#512$96Uhe+9|pSxSVmi5D_L!qg(Q(dkq$4un5ZLL`PE+=?L z{;J*HsK)G3p_Z^$|)hNwSaTP zgMk|$0%%x2&4@l%ka=lYYc=42U9%`TM*UBu_~Y~!#bIiEsZ|A@M8%5OB}tgtj(J84 zflpfVJU;nnKQCotJ=ow5`gx7Rv|Qe6v6A6_uELDKxRs#z=s_<;^&U^IP^0lN(K2_i z2qxbJSTD^dYeqpt^l7g>Hs3Um@QnTA

oj0{2LwBpxr_8+;vocjy_ZKf)!mjhPlT zgzDG4i2tnAfX@<2-v23d`7-a4Z+%2Y)*KSlJdm%B5pbeIbLWmq>$}5!Z5$n^Uo43y zy+}btZnn<~8r;`FAAj3elPd2-ecHpxu(TPys5VJOiaGshns9^2{7NG!vdgRR>wjPA zx>Y>it{y-ueb-uPSmuvtt#gFzp1J$nx2jg-Fa2Fvx9P1w?Sv6_J-u@GBjqKg@3E6( zV9{s#9vtJ~wV7~yK=|aaCpAV<&9sv?C8~u=2*KZ>3RJb}6sPk{y&9Gmv1W?LLUxY{8(d=N?PNl) zIU_qP&!>Dz5L^qkv)(NmQj8n2;yFL}%3`-qA;|G`(uOhN-p#BQc8aUgyd#(3FuW1w zfthFUIELsnS;-9($I1O5RKpF%4vqZl%sdc3C148ps!A6uRc<~bfs7UZt50Zo{JELoI ziKMzSY^Xsl4sas4X=7CdZ9F-1ryI9vZkpDJz?H!t75ijodM!u&m|l04`B-gs^uv6Wlowhmqm2jRqy4Rprc0pTWqUM{^ zfZFDQRFkGBl>i1zg`awLRxa*dolXB=2mHiFg;r$rQ)K;@9LZ22H9MHhFVJ!csR@Ii z+k*XRnGqyc1GmKcH}zc5kW-y3n8NQRsG69#2;e#Z3%Gq)VE_$)3gFhEx(o;c+yr1@ zMldxP@2`)L4G0E+Bn5j5{Nz`S_z8s&eHrCIw+B}OqYJNLXxEV&J5BUOX%Od0aiuAo KQ=sg>RQ?B Date: Wed, 19 Feb 2025 14:25:14 -0800 Subject: [PATCH 29/36] Add initial cluster health gRPC IT. Signed-off-by: Finn Carroll --- .../transport/grpc/GrpcTransportIT.java | 30 +++++++++++++++++-- 1 file changed, 28 insertions(+), 2 deletions(-) diff --git a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/GrpcTransportIT.java b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/GrpcTransportIT.java index 9e706ea531614..1e90f23fc6790 100644 --- a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/GrpcTransportIT.java +++ b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/GrpcTransportIT.java 
@@ -8,17 +8,34 @@ package org.opensearch.transport.grpc; +import io.grpc.health.v1.HealthCheckResponse; +import org.opensearch.action.admin.cluster.health.ClusterHealthResponse; +import org.opensearch.cluster.health.ClusterHealthStatus; import org.opensearch.common.settings.Settings; +import org.opensearch.common.transport.PortsRange; +import org.opensearch.core.common.transport.TransportAddress; import org.opensearch.plugins.Plugin; import org.opensearch.test.OpenSearchIntegTestCase; +import java.net.InetSocketAddress; import java.util.Collection; import java.util.Collections; +import static org.opensearch.plugins.NetworkPlugin.AuxTransport.AUX_TRANSPORT_PORT; +import static org.opensearch.plugins.NetworkPlugin.AuxTransport.AUX_TRANSPORT_TYPES_KEY; +import static org.opensearch.transport.grpc.Netty4GrpcServerTransport.GRPC_TRANSPORT_SETTING_KEY; + public class GrpcTransportIT extends OpenSearchIntegTestCase { + private final PortsRange TEST_AUX_PORTS = new PortsRange("9400-9500"); + private final TransportAddress PLACEHOLDER_ADDR = new TransportAddress(new InetSocketAddress("127.0.0.1", 9401)); + @Override protected Settings nodeSettings(int nodeOrdinal) { - return Settings.builder().put(super.nodeSettings(nodeOrdinal)).build(); + return Settings.builder() + .put(super.nodeSettings(nodeOrdinal)) + .put(AUX_TRANSPORT_TYPES_KEY, GRPC_TRANSPORT_SETTING_KEY) + .put(AUX_TRANSPORT_PORT.getConcreteSettingForNamespace(GRPC_TRANSPORT_SETTING_KEY).getKey(), TEST_AUX_PORTS.getPortRangeString()) + .build(); } @Override 
@@ -26,7 +43,16 @@ protected Collection> nodePlugins() { return Collections.singleton(GrpcPlugin.class); } - public void testGrpcTransport() { + public void testStartGrpcTransportClusterHealth() throws Exception { + // REST api cluster health + ClusterHealthResponse healthResponse = client().admin().cluster() + .prepareHealth() + .get(); + assertEquals(ClusterHealthStatus.GREEN, healthResponse.getStatus()); + // gRPC transport service health + try (NettyGrpcClient client = new NettyGrpcClient.Builder().setAddress(PLACEHOLDER_ADDR).build()) { + assertEquals(client.checkHealth(), HealthCheckResponse.ServingStatus.SERVING); + } } } From a584d054a0060e5db59c9c73c94277bd1d358d3c Mon Sep 17 00:00:00 2001 From: Finn Carroll Date: Thu, 20 Feb 2025 10:15:21 -0800 Subject: [PATCH 30/36] Rename GrpcTransportIT -> Netty4GrpcServerTransportIT. Signed-off-by: Finn Carroll --- .../{GrpcTransportIT.java => Netty4GrpcServerTransportIT.java} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/{GrpcTransportIT.java => Netty4GrpcServerTransportIT.java} (96%) diff --git a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/GrpcTransportIT.java b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/Netty4GrpcServerTransportIT.java similarity index 96% rename from plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/GrpcTransportIT.java rename to plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/Netty4GrpcServerTransportIT.java index 1e90f23fc6790..28e7a9c7b4520 100644 --- a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/GrpcTransportIT.java +++ b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/Netty4GrpcServerTransportIT.java 
@@ -25,7 +25,7 @@ import static org.opensearch.plugins.NetworkPlugin.AuxTransport.AUX_TRANSPORT_TYPES_KEY; import static org.opensearch.transport.grpc.Netty4GrpcServerTransport.GRPC_TRANSPORT_SETTING_KEY; -public class GrpcTransportIT extends OpenSearchIntegTestCase { +public class Netty4GrpcServerTransportIT extends OpenSearchIntegTestCase { private final PortsRange TEST_AUX_PORTS = new PortsRange("9400-9500"); private final TransportAddress PLACEHOLDER_ADDR = new TransportAddress(new InetSocketAddress("127.0.0.1", 9401)); From b921347d84d896ea448b1b7be8e9f0270a0840b7 Mon Sep 17 00:00:00 2001 From: Finn Carroll Date: Thu, 20 Feb 2025 12:53:29 -0800 Subject: [PATCH 31/36] Move boundAddress() helper up to AuxTransport. Add helper in ITs to fetch gRPC addresses on cluster. Signed-off-by: Finn Carroll --- .../grpc/Netty4GrpcServerTransport.java | 1 + .../grpc/Netty4GrpcServerTransportIT.java | 19 ++++++++++++------- .../org/opensearch/plugins/NetworkPlugin.java | 4 ++++ 3 files changed, 17 insertions(+), 7 deletions(-) diff --git a/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/Netty4GrpcServerTransport.java b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/Netty4GrpcServerTransport.java index 37664a2a10bc5..2dbb82e0c8c5f 100644 --- a/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/Netty4GrpcServerTransport.java +++ b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/Netty4GrpcServerTransport.java @@ -155,6 +155,7 @@ public Netty4GrpcServerTransport(Settings settings, List servic } // public for tests + @Override public BoundTransportAddress boundAddress() { return this.boundAddress; } diff --git a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/Netty4GrpcServerTransportIT.java b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/Netty4GrpcServerTransportIT.java index 28e7a9c7b4520..f5f389c5422d2 100644 
--- a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/Netty4GrpcServerTransportIT.java +++ b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/Netty4GrpcServerTransportIT.java 
@@ -12,29 +12,34 @@ import org.opensearch.action.admin.cluster.health.ClusterHealthResponse; import org.opensearch.cluster.health.ClusterHealthStatus; import org.opensearch.common.settings.Settings; -import org.opensearch.common.transport.PortsRange; import org.opensearch.core.common.transport.TransportAddress; import org.opensearch.plugins.Plugin; import org.opensearch.test.OpenSearchIntegTestCase; -import java.net.InetSocketAddress; +import java.util.ArrayList; import java.util.Collection; import java.util.Collections; +import java.util.List; -import static org.opensearch.plugins.NetworkPlugin.AuxTransport.AUX_TRANSPORT_PORT; import static org.opensearch.plugins.NetworkPlugin.AuxTransport.AUX_TRANSPORT_TYPES_KEY; import static org.opensearch.transport.grpc.Netty4GrpcServerTransport.GRPC_TRANSPORT_SETTING_KEY; public class Netty4GrpcServerTransportIT extends OpenSearchIntegTestCase { - private final PortsRange TEST_AUX_PORTS = new PortsRange("9400-9500"); - private final TransportAddress PLACEHOLDER_ADDR = new TransportAddress(new InetSocketAddress("127.0.0.1", 9401)); + + private TransportAddress randomNetty4GrpcServerTransportAddr() { + List addresses = new ArrayList<>(); + for (Netty4GrpcServerTransport transport : internalCluster().getInstances(Netty4GrpcServerTransport.class)) { + TransportAddress tAddr = new TransportAddress(transport.boundAddress().publishAddress().address()); + addresses.add(tAddr); + } + return randomFrom(addresses); + } @Override protected Settings nodeSettings(int nodeOrdinal) { return Settings.builder() .put(super.nodeSettings(nodeOrdinal)) .put(AUX_TRANSPORT_TYPES_KEY, GRPC_TRANSPORT_SETTING_KEY) - .put(AUX_TRANSPORT_PORT.getConcreteSettingForNamespace(GRPC_TRANSPORT_SETTING_KEY).getKey(), TEST_AUX_PORTS.getPortRangeString()) .build(); } 
@@ -51,7 +56,7 @@ public void testStartGrpcTransportClusterHealth() throws Exception { assertEquals(ClusterHealthStatus.GREEN, healthResponse.getStatus()); // gRPC transport service health - try (NettyGrpcClient client = new NettyGrpcClient.Builder().setAddress(PLACEHOLDER_ADDR).build()) { + try (NettyGrpcClient client = new NettyGrpcClient.Builder().setAddress(randomNetty4GrpcServerTransportAddr()).build()) { assertEquals(client.checkHealth(), HealthCheckResponse.ServingStatus.SERVING); } } diff --git a/server/src/main/java/org/opensearch/plugins/NetworkPlugin.java b/server/src/main/java/org/opensearch/plugins/NetworkPlugin.java index 7dd426cabc283..b1e78ce28e1ce 100644 --- a/server/src/main/java/org/opensearch/plugins/NetworkPlugin.java +++ b/server/src/main/java/org/opensearch/plugins/NetworkPlugin.java @@ -42,6 +42,7 @@ import org.opensearch.common.util.PageCacheRecycler; import org.opensearch.common.util.concurrent.ThreadContext; import org.opensearch.core.common.io.stream.NamedWriteableRegistry; +import org.opensearch.core.common.transport.BoundTransportAddress; import org.opensearch.core.indices.breaker.CircuitBreakerService; import org.opensearch.core.xcontent.NamedXContentRegistry; import org.opensearch.http.HttpServerTransport; @@ -92,6 +93,9 @@ abstract class AuxTransport extends AbstractLifecycleComponent { Function.identity(), Setting.Property.NodeScope ); + + // public for tests + public abstract BoundTransportAddress boundAddress(); } /** From 890765856423b90920b3b096a798a915f59e359a Mon Sep 17 00:00:00 2001 From: Finn Carroll Date: Thu, 20 Feb 2025 12:57:54 -0800 Subject: [PATCH 32/36] Spotless apply Signed-off-by: Finn Carroll --- .../transport/grpc/Netty4GrpcServerTransportIT.java | 12 ++++-------- .../plugins/SecureAuxTransportSettingsProvider.java | 7 +++++++ .../common/network/NetworkModuleTests.java | 1 - 3 files changed, 11 insertions(+), 9 deletions(-) 
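Review bot: `public abstract BoundTransportAddress boundAddress();` is added to `AuxTransport` with only the comment `// public for tests`, yet it becomes part of the plugin extension contract: every existing `AuxTransport` subclass must now implement it or stop compiling. It should carry Javadoc stating the contract instead, for example `/** Returns the address this transport is bound to and publishes. */`, and say what callers get before the transport has started (in `Netty4GrpcServerTransport` the backing field looks unset until start, which would mean null). In the same commit, `randomNetty4GrpcServerTransportAddr()` passes `randomFrom` an empty list when no transport instance is found; an `assertFalse(addresses.isEmpty());` before it would give a readable failure.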
diff --git a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/Netty4GrpcServerTransportIT.java b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/Netty4GrpcServerTransportIT.java index f5f389c5422d2..561ddad328b59 100644 --- a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/Netty4GrpcServerTransportIT.java +++ b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/Netty4GrpcServerTransportIT.java @@ -8,7 +8,6 @@ package org.opensearch.transport.grpc; -import io.grpc.health.v1.HealthCheckResponse; import org.opensearch.action.admin.cluster.health.ClusterHealthResponse; import org.opensearch.cluster.health.ClusterHealthStatus; import org.opensearch.common.settings.Settings; @@ -21,6 +20,8 @@ import java.util.Collections; import java.util.List; +import io.grpc.health.v1.HealthCheckResponse; + import static org.opensearch.plugins.NetworkPlugin.AuxTransport.AUX_TRANSPORT_TYPES_KEY; import static org.opensearch.transport.grpc.Netty4GrpcServerTransport.GRPC_TRANSPORT_SETTING_KEY; @@ -37,10 +38,7 @@ private TransportAddress randomNetty4GrpcServerTransportAddr() { @Override protected Settings nodeSettings(int nodeOrdinal) { - return Settings.builder() - .put(super.nodeSettings(nodeOrdinal)) - .put(AUX_TRANSPORT_TYPES_KEY, GRPC_TRANSPORT_SETTING_KEY) - .build(); + return Settings.builder().put(super.nodeSettings(nodeOrdinal)).put(AUX_TRANSPORT_TYPES_KEY, GRPC_TRANSPORT_SETTING_KEY).build(); } @Override @@ -50,9 +48,7 @@ protected Collection> nodePlugins() { public void testStartGrpcTransportClusterHealth() throws Exception { // REST api cluster health - ClusterHealthResponse healthResponse = client().admin().cluster() - .prepareHealth() - .get(); + ClusterHealthResponse healthResponse = client().admin().cluster().prepareHealth().get(); assertEquals(ClusterHealthStatus.GREEN, healthResponse.getStatus()); // gRPC transport service health 
diff --git a/server/src/main/java/org/opensearch/plugins/SecureAuxTransportSettingsProvider.java b/server/src/main/java/org/opensearch/plugins/SecureAuxTransportSettingsProvider.java index 971c7c5b02d21..159a45e839d48 100644 --- a/server/src/main/java/org/opensearch/plugins/SecureAuxTransportSettingsProvider.java +++ b/server/src/main/java/org/opensearch/plugins/SecureAuxTransportSettingsProvider.java @@ -13,6 +13,7 @@ import javax.net.ssl.KeyManagerFactory; import javax.net.ssl.TrustManagerFactory; + import java.util.Optional; /** @@ -32,11 +33,17 @@ public interface SecureAuxTransportSettingsProvider { @ExperimentalApi interface SecureTransportParameters { boolean dualModeEnabled(); + String sslProvider(); + String clientAuth(); + Iterable protocols(); + Iterable cipherSuites(); + KeyManagerFactory keyManagerFactory(); + TrustManagerFactory trustManagerFactory(); } } diff --git a/server/src/test/java/org/opensearch/common/network/NetworkModuleTests.java b/server/src/test/java/org/opensearch/common/network/NetworkModuleTests.java index 0e3fa12668a6a..195a95b7a48eb 100644 --- a/server/src/test/java/org/opensearch/common/network/NetworkModuleTests.java +++ b/server/src/test/java/org/opensearch/common/network/NetworkModuleTests.java @@ -62,7 +62,6 @@ import org.opensearch.transport.TransportRequest; import org.opensearch.transport.TransportRequestHandler; -import javax.net.ssl.SSLContext; import javax.net.ssl.SSLEngine; import javax.net.ssl.SSLException; From 7d087f37951568fd0de49ca57689c23f9ed5a003 Mon Sep 17 00:00:00 2001 From: Finn Carroll Date: Thu, 20 Feb 2025 14:54:00 -0800 Subject: [PATCH 33/36] Changelog Signed-off-by: Finn Carroll --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index ab4138c452894..f1502f42b874b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -11,6 +11,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), - Introduce a setting to disable download of full cluster state from remote on term mismatch([#16798](https://github.com/opensearch-project/OpenSearch/pull/16798/)) - Added ability to retrieve value from DocValues in a flat_object filed([#16802](https://github.com/opensearch-project/OpenSearch/pull/16802)) - Improve performace of NumericTermAggregation by avoiding unnecessary sorting([#17252](https://github.com/opensearch-project/OpenSearch/pull/17252)) +- Add TLS enabled SecureNetty4GrpcServerTransport ([#17406](https://github.com/opensearch-project/OpenSearch/pull/17406)) ### Dependencies - Bump `org.awaitility:awaitility` from 4.2.0 to 4.2.2 ([#17230](https://github.com/opensearch-project/OpenSearch/pull/17230)) From bb953183df98942f821ab7fea262d8efdf396e6a Mon Sep 17 00:00:00 2001 From: Finn Carroll Date: Thu, 20 Feb 2025 15:11:00 -0800 Subject: [PATCH 34/36] Javadocs for SecureTransportParameters. Signed-off-by: Finn Carroll --- .../SecureAuxTransportSettingsProvider.java | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/server/src/main/java/org/opensearch/plugins/SecureAuxTransportSettingsProvider.java b/server/src/main/java/org/opensearch/plugins/SecureAuxTransportSettingsProvider.java index 159a45e839d48..790990ed3678f 100644 --- a/server/src/main/java/org/opensearch/plugins/SecureAuxTransportSettingsProvider.java +++ b/server/src/main/java/org/opensearch/plugins/SecureAuxTransportSettingsProvider.java 
@@ -30,20 +30,54 @@ public interface SecureAuxTransportSettingsProvider { */ Optional parameters(Settings settings); + /** + * Parameters for configuring secure transport connections. + * Provides access to SSL/TLS configuration settings. + */ @ExperimentalApi interface SecureTransportParameters { + /** + * Determines if dual mode is enabled for handling both TLS and plaintext connections. + * When enabled, the server can accept both secure and insecure connections on the same port. + * @return true if dual mode is enabled, false otherwise + */ boolean dualModeEnabled(); + /** + * Get the SSL provider implementation to use (e.g., "JDK", "OPENSSL"). + * @return the name of the SSL provider + */ String sslProvider(); + /** + * Get the client authentication mode (e.g., "NONE", "OPTIONAL", "REQUIRE"). + * Determines whether client certificates are requested/required during handshake. + * @return the client authentication setting + */ String clientAuth(); + /** + * Get enabled TLS protocols (e.g., "TLSv1.2", "TLSv1.3"). + * @return the enabled protocols + */ Iterable protocols(); + /** + * Get enabled cipher suites for TLS connections. + * @return the enabled cipher suites + */ Iterable cipherSuites(); + /** + * KeyManagerFactory which manages the server's identity credentials. + * @return the key manager factory + */ KeyManagerFactory keyManagerFactory(); + /** + * TrustManagerFactory which determines trusted client certificates. + * @return the trust manager factory + */ TrustManagerFactory trustManagerFactory(); } } From 0ac61bab8a5613190d4f6663ffd97ff5dfa2a6af Mon Sep 17 00:00:00 2001 From: Finn Carroll Date: Thu, 20 Feb 2025 15:32:06 -0800 Subject: [PATCH 35/36] Fix minor naming conflict after rebase with flight server pr. boundAddress() -> getBoundAddress(). 
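Review bot: The Javadoc added for `dualModeEnabled()` describes plaintext and TLS sharing a port but leaves out the consequence a deployer needs: when it returns true, TLS is not enforced on this transport, and `clientAuth()` presumably only constrains connections that actually negotiate TLS (the consuming code is outside this hunk, so confirm). I would add a sentence such as `* When true, clients may connect without TLS, so client-certificate authentication cannot be relied on for every connection.` The docs for `sslProvider()` and `clientAuth()` give their values only as examples ("e.g."); since both are plain `String`s, they should list the exact accepted values and say how an unrecognised one is handled. It would also help to state whether `protocols()` and `cipherSuites()` may return null or an empty `Iterable`, and what that selects.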
Signed-off-by: Finn Carroll --- .../arrow/flight/bootstrap/FlightService.java | 1 + .../transport/grpc/Netty4GrpcServerTransport.java | 2 +- .../transport/grpc/Netty4GrpcServerTransportIT.java | 2 +- .../transport/grpc/Netty4GrpcServerTransportTests.java | 6 +++--- .../grpc/SecureNetty4GrpcServerTransportTests.java | 10 +++++----- .../java/org/opensearch/plugins/NetworkPlugin.java | 2 +- 6 files changed, 12 insertions(+), 11 deletions(-) diff --git a/plugins/arrow-flight-rpc/src/main/java/org/opensearch/arrow/flight/bootstrap/FlightService.java b/plugins/arrow-flight-rpc/src/main/java/org/opensearch/arrow/flight/bootstrap/FlightService.java index 7735fc3df73e0..fdcbbf43d75bf 100644 --- a/plugins/arrow-flight-rpc/src/main/java/org/opensearch/arrow/flight/bootstrap/FlightService.java +++ b/plugins/arrow-flight-rpc/src/main/java/org/opensearch/arrow/flight/bootstrap/FlightService.java @@ -134,6 +134,7 @@ public StreamManager getStreamManager() { * Retrieves the bound address of the FlightService. * @return The BoundTransportAddress instance. */ + @Override public BoundTransportAddress getBoundAddress() { return serverComponents.getBoundAddress(); } diff --git a/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/Netty4GrpcServerTransport.java b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/Netty4GrpcServerTransport.java index 2dbb82e0c8c5f..ccd17084baf0f 100644 --- a/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/Netty4GrpcServerTransport.java +++ b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/Netty4GrpcServerTransport.java @@ -156,7 +156,7 @@ public Netty4GrpcServerTransport(Settings settings, List servic // public for tests @Override - public BoundTransportAddress boundAddress() { + public BoundTransportAddress getBoundAddress() { return this.boundAddress; } 
diff --git a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/Netty4GrpcServerTransportIT.java b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/Netty4GrpcServerTransportIT.java index 561ddad328b59..2284a335b06db 100644 --- a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/Netty4GrpcServerTransportIT.java +++ b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/Netty4GrpcServerTransportIT.java @@ -30,7 +30,7 @@ public class Netty4GrpcServerTransportIT extends OpenSearchIntegTestCase { private TransportAddress randomNetty4GrpcServerTransportAddr() { List addresses = new ArrayList<>(); for (Netty4GrpcServerTransport transport : internalCluster().getInstances(Netty4GrpcServerTransport.class)) { - TransportAddress tAddr = new TransportAddress(transport.boundAddress().publishAddress().address()); + TransportAddress tAddr = new TransportAddress(transport.getBoundAddress().publishAddress().address()); addresses.add(tAddr); } return randomFrom(addresses); diff --git a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/Netty4GrpcServerTransportTests.java b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/Netty4GrpcServerTransportTests.java index ceb9c506516d3..33182a354c20e 100644 --- a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/Netty4GrpcServerTransportTests.java +++ b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/Netty4GrpcServerTransportTests.java 
@@ -36,8 +36,8 @@ public void setup() { public void testGrpcTransportStartStop() { try (Netty4GrpcServerTransport transport = new Netty4GrpcServerTransport(createSettings(), services, networkService)) { transport.start(); - MatcherAssert.assertThat(transport.boundAddress().boundAddresses(), not(emptyArray())); - assertNotNull(transport.boundAddress().publishAddress().address()); + MatcherAssert.assertThat(transport.getBoundAddress().boundAddresses(), not(emptyArray())); + assertNotNull(transport.getBoundAddress().publishAddress().address()); transport.stop(); } } @@ -45,7 +45,7 @@ public void testGrpcTransportStartStop() { public void testGrpcTransportHealthcheck() { try (Netty4GrpcServerTransport transport = new Netty4GrpcServerTransport(createSettings(), services, networkService)) { transport.start(); - final TransportAddress remoteAddress = randomFrom(transport.boundAddress().boundAddresses()); + final TransportAddress remoteAddress = randomFrom(transport.getBoundAddress().boundAddresses()); try (NettyGrpcClient client = new NettyGrpcClient.Builder().setAddress(remoteAddress).build()) { assertEquals(client.checkHealth(), HealthCheckResponse.ServingStatus.SERVING); } diff --git a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/SecureNetty4GrpcServerTransportTests.java b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/SecureNetty4GrpcServerTransportTests.java index 3f31b798eb218..ea0ff8a4ad6ac 100644 --- a/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/SecureNetty4GrpcServerTransportTests.java +++ b/plugins/transport-grpc/src/test/java/org/opensearch/transport/grpc/SecureNetty4GrpcServerTransportTests.java 
@@ -132,8 +132,8 @@ public void testGrpcSecureTransportStartStop() { ) ) { transport.start(); - assertTrue(transport.boundAddress().boundAddresses().length > 0); - assertNotNull(transport.boundAddress().publishAddress().address()); + assertTrue(transport.getBoundAddress().boundAddresses().length > 0); + assertNotNull(transport.getBoundAddress().publishAddress().address()); transport.stop(); } catch (Exception e) { throw new RuntimeException(e); @@ -150,9 +150,9 @@ public void testGrpcSecureTransportHealthcheck() { ) ) { transport.start(); - assertTrue(transport.boundAddress().boundAddresses().length > 0); - assertNotNull(transport.boundAddress().publishAddress().address()); - final TransportAddress remoteAddress = randomFrom(transport.boundAddress().boundAddresses()); + assertTrue(transport.getBoundAddress().boundAddresses().length > 0); + assertNotNull(transport.getBoundAddress().publishAddress().address()); + final TransportAddress remoteAddress = randomFrom(transport.getBoundAddress().boundAddresses()); try ( NettyGrpcClient client = new NettyGrpcClient.Builder().setAddress(remoteAddress) .setSecureSettingsProvider(settingsProvider) diff --git a/server/src/main/java/org/opensearch/plugins/NetworkPlugin.java b/server/src/main/java/org/opensearch/plugins/NetworkPlugin.java index b1e78ce28e1ce..b294c64e5cdce 100644 --- a/server/src/main/java/org/opensearch/plugins/NetworkPlugin.java +++ b/server/src/main/java/org/opensearch/plugins/NetworkPlugin.java @@ -95,7 +95,7 @@ abstract class AuxTransport extends AbstractLifecycleComponent { ); // public for tests - public abstract BoundTransportAddress boundAddress(); + public abstract BoundTransportAddress getBoundAddress(); } /** From 709cbbb55b3d127e28a1b2c80c5c6dac9c314c84 Mon Sep 17 00:00:00 2001 From: Finn Carroll Date: Fri, 21 Feb 2025 10:59:13 -0800 Subject: [PATCH 36/36] Javadocs for org.opensearch.transport.grpc.ssl + Netty4GrpcServerTransport. 
Signed-off-by: Finn Carroll --- .../transport/grpc/Netty4GrpcServerTransport.java | 11 +++++++++++ .../opensearch/transport/grpc/ssl/package-info.java | 12 ++++++++++++ 2 files changed, 23 insertions(+) create mode 100644 plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/ssl/package-info.java diff --git a/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/Netty4GrpcServerTransport.java b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/Netty4GrpcServerTransport.java index ccd17084baf0f..fccfc212656a9 100644 --- a/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/Netty4GrpcServerTransport.java +++ b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/Netty4GrpcServerTransport.java @@ -115,7 +115,14 @@ public class Netty4GrpcServerTransport extends NetworkPlugin.AuxTransport { Setting.Property.NodeScope ); + /** + * Port range on which servers bind. + */ protected PortsRange port; + + /** + * Settings. + */ protected final Settings settings; private final NetworkService networkService; @@ -160,6 +167,10 @@ public BoundTransportAddress getBoundAddress() { return this.boundAddress; } + /** + * Inject a NettyServerBuilder configuration to be applied at server bind and start. + * @param configModifier builder configuration to set. + */ protected void addServerConfig(UnaryOperator configModifier) { serverBuilderConfigs.add(configModifier); } diff --git a/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/ssl/package-info.java b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/ssl/package-info.java new file mode 100644 index 0000000000000..bffc3e762a0f4 --- /dev/null +++ b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/ssl/package-info.java 
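Review bot: The new Javadoc on `addServerConfig` does not say how the operator's result is used or when registration must happen. In the first patch of this series the loop in `bindAddress` calls `op.apply(serverBuilder)` and discards the return value, and the backing list is a plain `ArrayList`, so (unless a later patch changed that) the doc should say something like `* The modifier must mutate the passed builder in place; its return value is ignored. Call before start(); not thread-safe.` That patch also builds the server with `InsecureServerCredentials.create()`, so it is worth stating here that the transport is plaintext unless a subclass registers a modifier that installs TLS. Separately, `/** Settings. */` in the first hunk only repeats the field name; say what subclasses are expected to read from it.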
@@ -0,0 +1,12 @@ +/* + * SPDX-License-Identifier: Apache-2.0 + * + * The OpenSearch Contributors require contributions made to + * this file be licensed under the Apache-2.0 license or a + * compatible open source license. + */ + +/** + * gRPC transport for OpenSearch implementing TLS. + */ +package org.opensearch.transport.grpc.ssl;