security: remove auto ssl and disable transport ssl by default

This commit removes the code to auto generate a ssl certificate on startup and disables ssl
on the transport layer by default.

Original commit: elastic/x-pack-elasticsearch@1dc9b17842

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/ssl/AutoGeneratedKeyConfig.java

@@ -1,222 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-package org.elasticsearch.shield.ssl;
-
-import org.elasticsearch.ElasticsearchException;
-import org.elasticsearch.common.Nullable;
-import org.elasticsearch.common.logging.ESLogger;
-import org.elasticsearch.common.util.set.Sets;
-import org.elasticsearch.env.Environment;
-
-import javax.net.ssl.SSLEngine;
-import javax.net.ssl.X509ExtendedKeyManager;
-import javax.net.ssl.X509ExtendedTrustManager;
-import java.io.InputStream;
-import java.io.InputStreamReader;
-import java.io.Reader;
-import java.net.InetAddress;
-import java.net.Socket;
-import java.nio.charset.StandardCharsets;
-import java.nio.file.Path;
-import java.security.KeyPair;
-import java.security.Principal;
-import java.security.PrivateKey;
-import java.security.cert.Certificate;
-import java.security.cert.CertificateException;
-import java.security.cert.CertificateFactory;
-import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Set;
-
-/**
- */
-class AutoGeneratedKeyConfig extends KeyConfig {
-
-    private static final char[] PASSWORD = "changeme".toCharArray();
-
-    private final Set<InetAddress> certificateAddresses = new HashSet<>();
-    private final X509ExtendedKeyManager[] keyManagers;
-    private final X509ExtendedTrustManager[] trustManagers;
-    private final KeyPair keyPair;
-    private final Certificate caCert;
-    private final Exception failure;
-
-    private boolean certGenerated = false;
-
-    AutoGeneratedKeyConfig(boolean includeSystem) {
-        super(includeSystem, false);
-        Exception thrown = null;
-        X509ExtendedTrustManager trustManager;
-        Certificate caCert = null;
-        KeyPair keyPair = null;
-        try {
-            keyPair = CertUtils.generateKeyPair();
-            caCert = readCACert();
-            X509ExtendedTrustManager[] managers = CertUtils.trustManagers(new Certificate[] { caCert });
-            trustManager = managers[0];
-        } catch (Exception e) {
-            thrown = e;
-            trustManager = new EmptyX509TrustManager();
-        }
-
-        this.failure = thrown;
-        this.caCert = caCert;
-        this.keyPair = keyPair;
-        this.keyManagers = new X509ExtendedKeyManager[] { new ReloadableX509KeyManager(new EmptyX509KeyManager(), null) };
-        this.trustManagers = new X509ExtendedTrustManager[] { new ReloadableTrustManager(trustManager, null) };
-    }
-
-    @Override
-    X509ExtendedKeyManager[] loadKeyManagers(@Nullable Environment environment) {
-        return keyManagers;
-    }
-
-    @Override
-    X509ExtendedTrustManager[] nonSystemTrustManagers(@Nullable Environment environment) {
-        return trustManagers;
-    }
-
-    @Override
-    void validate() {
-        if (failure != null) {
-            throw new ElasticsearchException("failed to auto generate keypair and read CA cert", failure);
-        }
-    }
-
-    @Override
-    List<Path> filesToMonitor(@Nullable Environment environment) {
-        return Collections.emptyList();
-    }
-
-    @Override
-    public String toString() {
-        return "AutoGeneratedKeyConfig";
-    }
-
-    synchronized void generateCertIfNecessary(boolean resolveHostnames, String nodeName, Set<InetAddress> addresses, ESLogger logger)
-            throws Exception {
-        if (failure != null) {
-            throw new ElasticsearchException("failed to auto generate keypair and read CA cert", failure);
-        }
-
-        // we shouldn't regenerate if we have no new addresses
-        if (certGenerated && Sets.difference(addresses, certificateAddresses).isEmpty()) {
-            return;
-        }
-
-        this.certificateAddresses.addAll(addresses);
-        final PrivateKey caPrivateKey = readCAPrivateKey();
-        final X509Certificate signedCert =
-                CertUtils.generateSignedCertificate(resolveHostnames, nodeName, certificateAddresses, keyPair, caCert, caPrivateKey);
-        Certificate[] certChain = new Certificate[] { signedCert, caCert };
-        X509ExtendedKeyManager[] keyManagers = CertUtils.keyManagers(certChain, keyPair.getPrivate(), PASSWORD);
-        X509ExtendedTrustManager[] trustManagers = CertUtils.trustManagers(certChain);
-        ((ReloadableX509KeyManager) this.keyManagers[0]).setKeyManager(keyManagers[0]);
-        ((ReloadableTrustManager) this.trustManagers[0]).setTrustManager(trustManagers[0]);
-        this.certGenerated = true;
-        logMessages(signedCert, logger);
-    }
-
-    static Certificate readCACert() throws Exception {
-        try (InputStream inputStream = AutoGeneratedKeyConfig.class.getResourceAsStream("/cacert.pem");
-             Reader reader = new InputStreamReader(inputStream, StandardCharsets.UTF_8)) {
-            CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
-            List<Certificate> certificateList = new ArrayList<>(1);
-            CertUtils.readCertificates(reader, certificateList, certificateFactory);
-            if (certificateList.size() != 1) {
-                throw new IllegalStateException("expected [1] default CA certificate but found [" + certificateList.size() + "]");
-            }
-            return certificateList.get(0);
-        }
-    }
-
-    static PrivateKey readCAPrivateKey() throws Exception {
-        try (InputStream inputStream = AutoGeneratedKeyConfig.class.getResourceAsStream("/cakey.pem");
-             Reader reader = new InputStreamReader(inputStream, StandardCharsets.UTF_8)) {
-            return CertUtils.readPrivateKey(reader, PASSWORD);
-        }
-    }
-
-    static void logMessages(X509Certificate signedCert, ESLogger logger) {
-        logger.info("auto generated a X.509 certificate and private/public key pair for SSL use. this should never be used in production " +
-                "as the signing certificate authority is the same for every installation of X-Pack.{}generated certificate:{}{}",
-                System.lineSeparator(), System.lineSeparator(), signedCert.toString());
-    }
-
-    private static class EmptyX509KeyManager extends X509ExtendedKeyManager {
-
-        @Override
-        public String[] getClientAliases(String s, Principal[] principals) {
-            return null;
-        }
-
-        @Override
-        public String chooseClientAlias(String[] strings, Principal[] principals, Socket socket) {
-            return null;
-        }
-
-        @Override
-        public String[] getServerAliases(String s, Principal[] principals) {
-            return null;
-        }
-
-        @Override
-        public String chooseServerAlias(String s, Principal[] principals, Socket socket) {
-            return null;
-        }
-
-        @Override
-        public X509Certificate[] getCertificateChain(String s) {
-            return null;
-        }
-
-        @Override
-        public PrivateKey getPrivateKey(String s) {
-            return null;
-        }
-    }
-
-    private static class EmptyX509TrustManager extends X509ExtendedTrustManager {
-
-        @Override
-        public void checkClientTrusted(X509Certificate[] x509Certificates, String s, Socket socket) throws CertificateException {
-            throw new CertificateException("trust nothing");
-        }
-
-        @Override
-        public void checkServerTrusted(X509Certificate[] x509Certificates, String s, Socket socket) throws CertificateException {
-            throw new CertificateException("trust nothing");
-        }
-
-        @Override
-        public void checkClientTrusted(X509Certificate[] x509Certificates, String s, SSLEngine sslEngine) throws CertificateException {
-            throw new CertificateException("trust nothing");
-        }
-
-        @Override
-        public void checkServerTrusted(X509Certificate[] x509Certificates, String s, SSLEngine sslEngine) throws CertificateException {
-            throw new CertificateException("trust nothing");
-        }
-
-        @Override
-        public void checkClientTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
-            throw new CertificateException("trust nothing");
-        }
-
-        @Override
-        public void checkServerTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
-            throw new CertificateException("trust nothing");
-        }
-
-        @Override
-        public X509Certificate[] getAcceptedIssuers() {
-            return null;
-        }
-    }
-}

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/ssl/KeyConfig.java

@@ -64,16 +64,18 @@ abstract class KeyConfig extends TrustConfig {
         if (reloadEnabled && resourceWatcherService != null && listener != null) {
             ReloadableX509KeyManager reloadableX509KeyManager = new ReloadableX509KeyManager(keyManagers[0], environment);
             List<Path> filesToMonitor = filesToMonitor(environment);
-            ChangeListener changeListener = new ChangeListener(filesToMonitor, reloadableX509KeyManager, listener);
+            if (filesToMonitor.isEmpty() == false) {
-            try {
+                ChangeListener changeListener = new ChangeListener(filesToMonitor, reloadableX509KeyManager, listener);
-                for (Path dir : directoriesToMonitor(filesToMonitor)) {
+                try {
-                    FileWatcher fileWatcher = new FileWatcher(dir);
+                    for (Path dir : directoriesToMonitor(filesToMonitor)) {
-                    fileWatcher.addListener(changeListener);
+                        FileWatcher fileWatcher = new FileWatcher(dir);
-                    resourceWatcherService.add(fileWatcher, Frequency.HIGH);
+                        fileWatcher.addListener(changeListener);
+                        resourceWatcherService.add(fileWatcher, Frequency.HIGH);
+                    }
+                    return new X509ExtendedKeyManager[]{reloadableX509KeyManager};
+                } catch (IOException e) {
+                    throw new ElasticsearchException("failed to add file watcher", e);
                 }
-                return new X509ExtendedKeyManager[] { reloadableX509KeyManager };
-            } catch (IOException e) {
-                throw new ElasticsearchException("failed to add file watcher", e);
             }
         }
         return keyManagers;

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/ssl/SSLConfiguration.java

@@ -5,37 +5,22 @@
  */
 package org.elasticsearch.shield.ssl;
 
-import org.elasticsearch.ElasticsearchException;
 import org.elasticsearch.common.inject.Inject;
-import org.elasticsearch.common.logging.ESLogger;
-import org.elasticsearch.common.logging.Loggers;
 import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Setting.Property;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.settings.SettingsModule;
-import org.elasticsearch.common.transport.BoundTransportAddress;
-import org.elasticsearch.common.transport.InetSocketTransportAddress;
-import org.elasticsearch.common.transport.TransportAddress;
 import org.elasticsearch.common.unit.TimeValue;
-import org.elasticsearch.node.Node;
-import org.elasticsearch.shield.transport.netty.ShieldNettyHttpServerTransport;
-import org.elasticsearch.shield.transport.netty.ShieldNettyTransport;
-import org.elasticsearch.transport.TransportSettings;
 
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.TrustManagerFactory;
-import java.net.InetAddress;
 import java.util.Arrays;
 import java.util.Collections;
-import java.util.HashSet;
 import java.util.List;
-import java.util.Map;
 import java.util.Objects;
 import java.util.Optional;
-import java.util.Set;
 import java.util.function.Function;
 
-import static org.elasticsearch.shield.Security.featureEnabledSetting;
 import static org.elasticsearch.shield.Security.setting;
 import static org.elasticsearch.shield.support.OptionalSettings.createInt;
 import static org.elasticsearch.shield.support.OptionalSettings.createString;
@@ -111,11 +96,6 @@ public abstract class SSLConfiguration {
         public static final int DEFAULT_SESSION_CACHE_SIZE = 1000;
         public static final String DEFAULT_PROTOCOL = "TLSv1.2";
 
-        public static final Setting<Boolean> AUTO_GENERATE_SSL_SETTING =
-                Setting.boolSetting(featureEnabledSetting("ssl.auto_generate"), true, Property.NodeScope, Property.Filtered);
-        static final Setting<Boolean> AUTO_GEN_RESOLVE_HOST_SETTING =
-                Setting.boolSetting(setting("ssl.auto_generate.resolve_name"), true, Property.NodeScope, Property.Filtered);
-
         // common settings
         static final Setting<List<String>> CIPHERS_SETTING = Setting.listSetting(globalKey(Custom.CIPHERS_SETTING), DEFAULT_CIPHERS,
                 Function.identity(), Property.NodeScope, Property.Filtered);
@@ -184,14 +164,10 @@ public abstract class SSLConfiguration {
             settingsModule.registerSetting(Global.SESSION_CACHE_SIZE_SETTING);
             settingsModule.registerSetting(Global.SESSION_CACHE_TIMEOUT_SETTING);
             settingsModule.registerSetting(Global.CA_PATHS_SETTING);
-            settingsModule.registerSetting(Global.AUTO_GENERATE_SSL_SETTING);
-            settingsModule.registerSetting(Global.AUTO_GEN_RESOLVE_HOST_SETTING);
             settingsModule.registerSetting(Global.INCLUDE_JDK_CERTS_SETTING);
             settingsModule.registerSetting(Global.RELOAD_ENABLED_SETTING);
         }
 
-        private final ESLogger logger;
-        private final Settings settings;
         private final KeyConfig keyConfig;
         private final TrustConfig trustConfig;
         private final String sslProtocol;
@@ -207,8 +183,6 @@ public abstract class SSLConfiguration {
          */
         @Inject
         public Global(Settings settings) {
-            this.settings = settings;
-            this.logger = Loggers.getLogger(getClass(), settings);
             this.keyConfig = createGlobalKeyConfig(settings);
             this.trustConfig = createGlobalTrustConfig(settings, keyConfig);
             this.sslProtocol = PROTOCOL_SETTING.get(settings);
@@ -266,79 +240,11 @@ public abstract class SSLConfiguration {
                     "]}";
         }
 
-        public void onTransportStart(BoundTransportAddress boundAddress, Map<String, BoundTransportAddress> profileBoundAddresses) {
-            if (shouldAutoGenerateKeyAndCertificate(settings) == false) {
-                return;
-            }
-
-            Set<InetAddress> uniqueAddresses = new HashSet<>();
-            if (boundAddress != null) {
-                // this could be null if we came from a transport client
-                addInetAddresses(uniqueAddresses, boundAddress.boundAddresses());
-                addInetAddresses(uniqueAddresses, boundAddress.publishAddress());
-            }
-
-            for (BoundTransportAddress profileAddress : profileBoundAddresses.values()) {
-                addInetAddresses(uniqueAddresses, profileAddress.boundAddresses());
-                addInetAddresses(uniqueAddresses, profileAddress.publishAddress());
-            }
-
-            try {
-                ((AutoGeneratedKeyConfig) keyConfig).generateCertIfNecessary(AUTO_GEN_RESOLVE_HOST_SETTING.get(settings),
-                        Node.NODE_NAME_SETTING.get(settings), uniqueAddresses, logger);
-            } catch (Exception e) {
-                throw new ElasticsearchException("failed to initialize auto generated certificate and key");
-            }
-        }
-
         private static String globalKey(Setting setting) {
             return setting("ssl." + setting.getKey());
         }
 
-        static void addInetAddresses(Set<InetAddress> addresses, TransportAddress... transportAddresses) {
-            for (TransportAddress transportAddress : transportAddresses) {
-                addresses.add(((InetSocketTransportAddress)transportAddress).address().getAddress());
-            }
-        }
-
-        static boolean shouldAutoGenerateKeyAndCertificate(Settings settings) {
-            if (AUTO_GENERATE_SSL_SETTING.get(settings) == false) {
-                return false;
-            }
-
-            // did they configure some SSL settings other than auto generate
-            Settings.Builder builder = Settings.builder().put(settings);
-            builder.remove(AUTO_GEN_RESOLVE_HOST_SETTING.getKey());
-            builder.remove(AUTO_GENERATE_SSL_SETTING.getKey());
-            builder.remove(INCLUDE_JDK_CERTS_SETTING.getKey());
-            Settings nonAutoGen = builder.build();
-            if (nonAutoGen.getByPrefix(setting("ssl.")).isEmpty() == false) {
-                return false;
-            }
-
-            // SSL needs to be enabled somewhere
-            final boolean transportEnabled = ShieldNettyTransport.SSL_SETTING.get(settings);
-            final boolean httpEnabled = ShieldNettyHttpServerTransport.SSL_SETTING.get(settings);
-            if (transportEnabled || httpEnabled) {
-                return true;
-            }
-
-            // check the profiles... maybe disabled SSL on default transport and enabled on a profile
-            Map<String, Settings> profiles = TransportSettings.TRANSPORT_PROFILES_SETTING.get(settings).getAsGroups(true);
-            for (Settings profileSettings : profiles.values()) {
-                if (ShieldNettyTransport.profileSsl(profileSettings, settings)) {
-                    return true;
-                }
-            }
-
-            return false;
-        }
-
         static KeyConfig createGlobalKeyConfig(Settings settings) {
-            if (shouldAutoGenerateKeyAndCertificate(settings)) {
-                return new AutoGeneratedKeyConfig(INCLUDE_JDK_CERTS_SETTING.get(settings));
-            }
-
             String keyStorePath = KEYSTORE_PATH_SETTING.get(settings).orElse(null);
             String keyPath = KEY_PATH_SETTING.get(settings).orElse(null);
             if (keyPath != null && keyStorePath != null) {
@@ -368,11 +274,6 @@ public abstract class SSLConfiguration {
         }
 
         static TrustConfig createGlobalTrustConfig(Settings settings, KeyConfig keyInfo) {
-            if (keyInfo instanceof AutoGeneratedKeyConfig) {
-                assert shouldAutoGenerateKeyAndCertificate(settings);
-                return keyInfo;
-            }
-
             String trustStorePath = TRUSTSTORE_PATH_SETTING.get(settings).orElse(null);
             List<String> caPaths = getListOrNull(CA_PATHS_SETTING, settings);
             boolean includeSystem = INCLUDE_JDK_CERTS_SETTING.get(settings);

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/ssl/StoreTrustConfig.java

@@ -58,6 +58,9 @@ class StoreTrustConfig extends TrustConfig {
 
     @Override
     List<Path> filesToMonitor(@Nullable Environment environment) {
+        if (trustStorePath == null) {
+            return Collections.emptyList();
+        }
         return Collections.singletonList(CertUtils.resolvePath(trustStorePath, environment));
     }
 

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/transport/netty/ShieldNettyHttpServerTransport.java

@@ -52,21 +52,16 @@ public class ShieldNettyHttpServerTransport extends NettyHttpServerTransport {
     private final ServerSSLService sslService;
     private final boolean ssl;
     private final Settings sslSettings;
-    private final Global globalSSLConfiguration;
 
     @Inject
     public ShieldNettyHttpServerTransport(Settings settings, NetworkService networkService, BigArrays bigArrays, IPFilter ipFilter,
-                                          ServerSSLService sslService, ThreadPool threadPool, Global sslConfig) {
+                                          ServerSSLService sslService, ThreadPool threadPool) {
         super(settings, networkService, bigArrays, threadPool);
         this.ipFilter = ipFilter;
         this.ssl = SSL_SETTING.get(settings);
         this.sslService =  sslService;
-        this.globalSSLConfiguration = sslConfig;
         if (ssl) {
-            Settings.Builder builder = Settings.builder().put(settings.getByPrefix(setting("http.ssl.")));
+            sslSettings = settings.getByPrefix(setting("http.ssl."));
-            builder.remove("client.auth");
-            builder.remove("enabled");
-            sslSettings = builder.build();
         } else {
             sslSettings = Settings.EMPTY;
         }
@@ -101,7 +96,6 @@ public class ShieldNettyHttpServerTransport extends NettyHttpServerTransport {
     @Override
     protected void doStart() {
         super.doStart();
-        globalSSLConfiguration.onTransportStart(this.boundAddress(), Collections.emptyMap());
         ipFilter.setBoundHttpTransportAddress(this.boundAddress());
     }
 

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/transport/netty/ShieldNettyTransport.java

@@ -18,7 +18,6 @@ import org.elasticsearch.common.settings.SettingsModule;
 import org.elasticsearch.common.util.BigArrays;
 import org.elasticsearch.indices.breaker.CircuitBreakerService;
 import org.elasticsearch.shield.ssl.ClientSSLService;
-import org.elasticsearch.shield.ssl.SSLConfiguration.Global;
 import org.elasticsearch.shield.ssl.ServerSSLService;
 import org.elasticsearch.shield.transport.SSLClientAuth;
 import org.elasticsearch.shield.transport.filter.IPFilter;
@@ -48,7 +47,7 @@ import static org.elasticsearch.shield.transport.SSLExceptionHelper.isNotSslReco
 public class ShieldNettyTransport extends NettyTransport {
 
     public static final String CLIENT_AUTH_DEFAULT = SSLClientAuth.REQUIRED.name();
-    public static final boolean SSL_DEFAULT = true;
+    public static final boolean SSL_DEFAULT = false;
 
     public static final Setting<Boolean> DEPRECATED_HOSTNAME_VERIFICATION_SETTING =
             Setting.boolSetting(setting("ssl.hostname_verification"), true, Property.NodeScope, Property.Filtered, Property.Deprecated);
@@ -79,7 +78,6 @@ public class ShieldNettyTransport extends NettyTransport {
 
     private final ServerSSLService serverSslService;
     private final ClientSSLService clientSSLService;
-    private final Global globalSSLConfiguration;
     private final @Nullable IPFilter authenticator;
     private final boolean ssl;
 
@@ -87,21 +85,19 @@ public class ShieldNettyTransport extends NettyTransport {
     public ShieldNettyTransport(Settings settings, ThreadPool threadPool, NetworkService networkService, BigArrays bigArrays,
                                 Version version, @Nullable IPFilter authenticator, @Nullable ServerSSLService serverSSLService,
                                 ClientSSLService clientSSLService, NamedWriteableRegistry namedWriteableRegistry,
-                                CircuitBreakerService circuitBreakerService, Global globalSSLConfiguration) {
+                                CircuitBreakerService circuitBreakerService) {
         super(settings, threadPool, networkService, bigArrays, version, namedWriteableRegistry, circuitBreakerService);
         this.authenticator = authenticator;
         this.ssl = SSL_SETTING.get(settings);
         this.serverSslService = serverSSLService;
         this.clientSSLService = clientSSLService;
-        this.globalSSLConfiguration = globalSSLConfiguration;
     }
 
     @Override
     protected void doStart() {
         super.doStart();
-        globalSSLConfiguration.onTransportStart(boundAddress, profileBoundAddresses);
         if (authenticator != null) {
-            authenticator.setBoundTransportAddress(this.boundAddress(), profileBoundAddresses());
+            authenticator.setBoundTransportAddress(boundAddress(), profileBoundAddresses());
         }
     }
 

elasticsearch/x-pack/shield/src/main/resources/cacert.pem

@@ -1,22 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDsjCCApqgAwIBAgIJAKGDffMf8r51MA0GCSqGSIb3DQEBCwUAMEQxGTAXBgNV
-BAoTEEVsYXN0aWNzZWFyY2ggQlYxCzAJBgNVBAYTAk5MMRowGAYDVQQDExFYLVBh
-Y2sgRGVmYXVsdCBDQTAeFw0xNjA0MTkxNDQ1NDdaFw0yMTA0MTgxNDQ1NDdaMEQx
-GTAXBgNVBAoTEEVsYXN0aWNzZWFyY2ggQlYxCzAJBgNVBAYTAk5MMRowGAYDVQQD
-ExFYLVBhY2sgRGVmYXVsdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
-ggEBAMEtxhGU9TNgfaYFYFTehSkI1tCxPoe9WdvLd6Ag1DggN2Sp65xhDuWLNX4R
-mAo7PyXvic+shqfLDjca6R7OgisubldFN3qiw8IwXzjMey/MC0pThsPJS9TQFc6i
-a4oNmd4QpvoctqAW8qCOqB+PEUNMx6B54sjqX1/CBGuCB4HZJud//RRbANAf8WKN
-nf4z9vM4nk4m6UF0hShCuKdlU+zlDp0/LdkuYn+fn6JmWVNmwMR4Ym9M1i0RKaBI
-OE0pgPVIYTRhuU+VyCRGg4ue7tdPlWpps25EihgwEWoieS0lLSGPqEVPC7Msk+HA
-kOs4DwJahs0RAep+PJNNrcdSB/0CAwEAAaOBpjCBozAMBgNVHRMEBTADAQH/MB0G
-A1UdDgQWBBR5tSUNfOVoB2DrCDjFIauzzxsP+DB0BgNVHSMEbTBrgBR5tSUNfOVo
-B2DrCDjFIauzzxsP+KFIpEYwRDEZMBcGA1UEChMQRWxhc3RpY3NlYXJjaCBCVjEL
-MAkGA1UEBhMCTkwxGjAYBgNVBAMTEVgtUGFjayBEZWZhdWx0IENBggkAoYN98x/y
-vnUwDQYJKoZIhvcNAQELBQADggEBAIv6mt9qW93Y8ZKD7neiYvS6lzN6/yTCRDZ0
-sPMYX1BV4dgwIfa3Nc5Iz7fl9MJRQMUaQg1yDmQzoavtRtw8K2Rd1GHtF1pRBwz6
-y2th20gVGKXtIyaS5l8oxJ5nlV+GX439In8ovM8Q0CqRN/3X36v77OTTt/FCt24w
-8cA6igo9DMfLylfhIU6R3rcImMMPPE/cgXSE6lPCBX0zK2m1h3Bsp9cNAgndUsI6
-1xSfnDoO+DuOrze6NX9gzFvy6IwgcTF9vlQ55eXAgy263+k7IhBQydFscNrIFpM5
-enqQIqgzcEs5FZcq/V1RWlI5phxsOYaImoN9MJMSO9D3avWOtcE=
------END CERTIFICATE-----

elasticsearch/x-pack/shield/src/main/resources/cakey.pem

@@ -1,30 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: DES-EDE3-CBC,BF10B2B7AF64C239
-
-xWhoEPwuO8I2qXRG5nSVSPXLltxmzmTxK3VvZPxaf++PTMt+r3F414px763NWigr
-Wka3f6p2EJI3huafk47mth02OS268A6hCx3wrp9pq0SrzZVTHqML0OqyNyLJNK8j
-azu6IdCFNaFsh6Z5y2PSJ8SWAX11QcYF6g8IRBwGcGr4pmMdJmKEoliuxJ0oGJIy
-0hEdeeqiiwEMP2I97CH3g+CtD8eh3+XyNapzSWe7j2Y3wU9lrVUdicUPDOibLVbU
-xiLz+HJ0BmNbHF3ND8JiDAZUAYQVjvENHP3VIqm68kzRiHcxsHzVhW6iNz1QTwmR
-vugODGkOoYCV0Yfap1Fjawt7bT0emGU7Lbv/E80X43t4kgoeIOGxX96XYIfwJT9C
-VVYwtmn85Fr8FmmPRIUYJlMlqm+mvwcRdBxYXKyaamvN7cj8G5pj5A7dgXlSAz7z
-JaywteP3GzXdzXAS+ehYrZCkBkdIaMbtNIBFV9ZChDvKWJidGkpajDQtSTNixEnS
-42+qMmg4b0AWEcPtlJJJuYZmgl3XXLkfgiyiQ6dnATyq5tE5PxSzHorUCBIv4Bp3
-sJCcgsP7TTy3dhr+dyQdsWCVyM9HxUeUzxVj4ULfB6wTAd6duMNHxiIkh3bsxdni
-xRm2vNQraW64K/xDTsccbp2emhKpJT3KAU2+ZFAEQUJDMejoQv0b1klOcGZGFKh3
-IMmwaSdZfRfh3pIDyRJARHkQ5fPv19SKwtUmwL1ygqR0iRcK7kN9D+lvhzL7RYcP
-bKkndgr5jwHdqdGZvrFz2NshcqOwKzKr1tTkXRL8BN6s1s4Az1NQBWyK+bjotF+D
-zf3HDUGa94xYF5KFbZCKMUenL4OV+K4qqUvbwqBE/s4rsUkB6p9SSySFc9M8Obmm
-U6ZP4hr7/WZpO0AZr6OUX6HMXCeIex0tanINVijDR8Qq7zwa0Nt1t4bnfGbEqPo+
-ew5MWjxqEWOb7cJogIjTKokcLqlp4OyVYkP5XdXNqKrnNE23xQNeTeD+W1zZxuJo
-KdYQA82NC8vW1uHeEfCiJx4Giziqg6zEhNtF6t0wHebGfLORDICvNsb0Df2tYunj
-rtduSaQRVGTT8YRheJFl0B+n8xrLTOqtbFL6PPb/eU4O3C0La8h8VZNSmXBTY/0A
-UfeHsxmO7SoAdz8cSiXjvlwVwkt0gbPCbFBTSwALTS0vMas71xI62Dl53EsEup0K
-oV9agBfEZyVlse8VC/Js8sZi7cICmCrHcvhKWnju3QB47vPti00/aj6MgE0oLHC4
-8CicYeFCyREaxzF+HnOriuG3f82wUfJhtejwefE4xytvJTBTz+5f2j+FI2CL4OGp
-R6ix+r/JoygSSIssmxnpcUZQpCxbthfvfBQEvQKq6YDgwgSDfhWAFvLTx45HFDz5
-if/wgMDTlL9BP+PcNY4xY73qU9Za1AYdDdS9nWSD3pRz9SZc4gRrLLdLmRzUsCU+
-t2Lrvy0AAFVBzf1RZYN0kVArUdgFGiUQyvsyGyFu8FYww23VZuxglIniHVD5JBa+
-gymaHiWlKadGciVT552SuYFz89c8nkRFiSEwz/1aLNHP/fFqfVCD2A==
------END RSA PRIVATE KEY-----

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/ldap/AbstractAdLdapRealmTestCase.java

@@ -92,11 +92,6 @@ abstract public class AbstractAdLdapRealmTestCase extends ShieldIntegTestCase {
         return sslEnabled;
     }
 
-    @Override
-    protected boolean autoSSLEnabled() {
-        return sslEnabled && (useGlobalSSL == false);
-    }
-
     protected String configRoleMappings() {
         return realmConfig.configRoleMappings();
     }

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/index/IndexAuditTrailTests.java

@@ -131,7 +131,7 @@ public class IndexAuditTrailTests extends ShieldIntegTestCase {
         final boolean useSSL = useShield && randomBoolean();
         logger.info("--> remote indexing enabled. shield enabled: [{}], SSL enabled: [{}], nodes: [{}]", useShield, useSSL, numNodes);
         ShieldSettingsSource cluster2SettingsSource =
-                new ShieldSettingsSource(numNodes, useSSL, randomBoolean(), systemKey(), createTempDir(), Scope.SUITE) {
+                new ShieldSettingsSource(numNodes, useSSL, systemKey(), createTempDir(), Scope.SUITE) {
             @Override
             public Settings nodeSettings(int nodeOrdinal) {
                 Settings.Builder builder = Settings.builder()

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/index/RemoteIndexAuditTrailStartingTests.java

@@ -42,7 +42,6 @@ public class RemoteIndexAuditTrailStartingTests extends ShieldIntegTestCase {
     private InternalTestCluster remoteCluster;
 
     private final boolean useSSL = randomBoolean();
-    private final boolean autoSSL = randomBoolean();
     private final boolean localAudit = randomBoolean();
     private final String outputs = randomFrom("index", "logfile", "index,logfile");
 
@@ -51,11 +50,6 @@ public class RemoteIndexAuditTrailStartingTests extends ShieldIntegTestCase {
         return useSSL;
     }
 
-    @Override
-    public boolean autoSSLEnabled() {
-        return autoSSL;
-    }
-
     @Override
     public Settings nodeSettings(int nodeOrdinal) {
         return Settings.builder()
@@ -93,8 +87,7 @@ public class RemoteIndexAuditTrailStartingTests extends ShieldIntegTestCase {
 
         // Setup a second test cluster with randomization for number of nodes, shield enabled, and SSL
         final int numNodes = randomIntBetween(2, 3);
-        ShieldSettingsSource cluster2SettingsSource = new ShieldSettingsSource(numNodes, useSSL, autoSSL, systemKey(), createTempDir(),
+        ShieldSettingsSource cluster2SettingsSource = new ShieldSettingsSource(numNodes, useSSL, systemKey(), createTempDir(), Scope.TEST) {
-                Scope.TEST) {
             @Override
             public Settings nodeSettings(int nodeOrdinal) {
                 Settings.Builder builder = Settings.builder()

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/activedirectory/AbstractActiveDirectoryIntegTests.java

@@ -25,25 +25,19 @@ public class AbstractActiveDirectoryIntegTests extends ESTestCase {
 
     protected ClientSSLService clientSSLService;
     protected Settings globalSettings;
-    protected boolean useGlobalSSL;
 
     @Before
     public void initializeSslSocketFactory() throws Exception {
-        useGlobalSSL = randomBoolean();
         Path keystore = getDataPath("../ldap/support/ldaptrust.jks");
         /*
          * Prior to each test we reinitialize the socket factory with a new SSLService so that we get a new SSLContext.
          * If we re-use a SSLContext, previously connected sessions can get re-established which breaks hostname
          * verification tests since a re-established connection does not perform hostname verification.
          */
-        Settings.Builder builder = Settings.builder().put("path.home", createTempDir());
+        globalSettings = Settings.builder().put("path.home", createTempDir())
-        if (useGlobalSSL) {
+                .put("xpack.security.ssl.keystore.path", keystore)
-            builder.put("xpack.security.ssl.keystore.path", keystore)
+                .put("xpack.security.ssl.keystore.password", "changeit")
-                    .put("xpack.security.ssl.keystore.password", "changeit");
+                .build();
-        } else {
-            builder.put(Global.AUTO_GENERATE_SSL_SETTING.getKey(), false);
-        }
-        globalSettings = builder.build();
         Environment environment = new Environment(globalSettings);
         clientSSLService = new ClientSSLService(globalSettings, new Global(globalSettings));
         clientSSLService.setEnvironment(environment);
@@ -56,11 +50,9 @@ public class AbstractActiveDirectoryIntegTests extends ESTestCase {
                 .put(ActiveDirectorySessionFactory.AD_DOMAIN_NAME_SETTING, adDomainName)
                 .put(ActiveDirectorySessionFactory.AD_USER_SEARCH_BASEDN_SETTING, userSearchDN)
                 .put(ActiveDirectorySessionFactory.AD_USER_SEARCH_SCOPE_SETTING, scope)
-                .put(ActiveDirectorySessionFactory.HOSTNAME_VERIFICATION_SETTING, hostnameVerification);
+                .put(ActiveDirectorySessionFactory.HOSTNAME_VERIFICATION_SETTING, hostnameVerification)
-        if (useGlobalSSL == false) {
+                .put("ssl.truststore.path", getDataPath("../ldap/support/ldaptrust.jks"))
-            builder.put("ssl.truststore.path", getDataPath("../ldap/support/ldaptrust.jks"))
+                .put("ssl.truststore.password", "changeit");
-                    .put("ssl.truststore.password", "changeit");
-        }
         return builder.build();
     }
 }

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/activedirectory/ActiveDirectorySessionFactoryTests.java

@@ -208,14 +208,11 @@ public class ActiveDirectorySessionFactoryTests extends AbstractActiveDirectoryI
     public void testStandardLdapConnection() throws Exception {
         String groupSearchBase = "DC=ad,DC=test,DC=elasticsearch,DC=com";
         String userTemplate = "CN={0},CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com";
-        Settings settings = LdapTestCase.buildLdapSettings(AD_LDAP_URL, userTemplate, groupSearchBase, LdapSearchScope.SUB_TREE);
+        Settings settings = Settings.builder()
-        if (useGlobalSSL == false) {
+                .put(LdapTestCase.buildLdapSettings(AD_LDAP_URL, userTemplate, groupSearchBase, LdapSearchScope.SUB_TREE))
-            settings = Settings.builder()
+                .put("ssl.truststore.path", getDataPath("../ldap/support/ldaptrust.jks"))
-                    .put(settings)
+                .put("ssl.truststore.password", "changeit")
-                    .put("ssl.truststore.path", getDataPath("../ldap/support/ldaptrust.jks"))
+                .build();
-                    .put("ssl.truststore.password", "changeit")
-                    .build();
-        }
         RealmConfig config = new RealmConfig("ad-as-ldap-test", settings, globalSettings);
         LdapSessionFactory sessionFactory = new LdapSessionFactory(config, clientSSLService).init();
 
@@ -234,14 +231,11 @@ public class ActiveDirectorySessionFactoryTests extends AbstractActiveDirectoryI
     @SuppressWarnings("unchecked")
     public void testStandardLdapWithAttributeGroups() throws Exception {
         String userTemplate = "CN={0},CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com";
-        Settings settings = LdapTestCase.buildLdapSettings(new String[] { AD_LDAP_URL }, userTemplate, false);
+        Settings settings = Settings.builder()
-        if (useGlobalSSL == false) {
+                .put(LdapTestCase.buildLdapSettings(new String[] { AD_LDAP_URL }, userTemplate, false))
-            settings = Settings.builder()
+                .put("ssl.truststore.path", getDataPath("../ldap/support/ldaptrust.jks"))
-                    .put(settings)
+                .put("ssl.truststore.password", "changeit")
-                    .put("ssl.truststore.path", getDataPath("../ldap/support/ldaptrust.jks"))
+                .build();
-                    .put("ssl.truststore.password", "changeit")
-                    .build();
-        }
         RealmConfig config = new RealmConfig("ad-as-ldap-test", settings, globalSettings);
         LdapSessionFactory sessionFactory = new LdapSessionFactory(config, clientSSLService).init();
 
@@ -291,11 +285,9 @@ public class ActiveDirectorySessionFactoryTests extends AbstractActiveDirectoryI
         Settings.Builder builder = Settings.builder()
                 .put(ActiveDirectorySessionFactory.URLS_SETTING, ldapUrl)
                 .put(ActiveDirectorySessionFactory.AD_DOMAIN_NAME_SETTING, adDomainName)
-                .put(ActiveDirectorySessionFactory.HOSTNAME_VERIFICATION_SETTING, hostnameVerification);
+                .put(ActiveDirectorySessionFactory.HOSTNAME_VERIFICATION_SETTING, hostnameVerification)
-        if (useGlobalSSL == false) {
+                .put("ssl.truststore.path", getDataPath("../ldap/support/ldaptrust.jks"))
-            builder.put("ssl.truststore.path", getDataPath("../ldap/support/ldaptrust.jks"))
+                .put("ssl.truststore.password", "changeit");
-                    .put("ssl.truststore.password", "changeit");
-        }
         return builder.build();
     }
 }

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/ldap/GroupsResolverTestCase.java

@@ -33,14 +33,10 @@ public abstract class GroupsResolverTestCase extends ESTestCase {
     public void setUpLdapConnection() throws Exception {
         Path keystore = getDataPath("../ldap/support/ldaptrust.jks");
         boolean useGlobalSSL = randomBoolean();
-        Settings.Builder builder = Settings.builder().put("path.home", createTempDir());
+        Settings settings = Settings.builder().put("path.home", createTempDir())
-        if (useGlobalSSL) {
+                .put("xpack.security.ssl.keystore.path", keystore)
-            builder.put("xpack.security.ssl.keystore.path", keystore)
+                .put("xpack.security.ssl.keystore.password", "changeit")
-                    .put("xpack.security.ssl.keystore.password", "changeit");
+                .build();
-        } else {
-            builder.put(Global.AUTO_GENERATE_SSL_SETTING.getKey(), false);
-        }
-        Settings settings = builder.build();
         Environment env = new Environment(settings);
         ClientSSLService clientSSLService = new ClientSSLService(settings, new Global(settings));
         clientSSLService.setEnvironment(env);

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/ldap/OpenLdapTests.java

@@ -38,27 +38,21 @@ public class OpenLdapTests extends ESTestCase {
     public static final String OPEN_LDAP_URL = "ldaps://54.200.235.244:636";
     public static final String PASSWORD = "NickFuryHeartsES";
 
-    private boolean useGlobalSSL;
     private ClientSSLService clientSSLService;
     private Settings globalSettings;
 
     @Before
     public void initializeSslSocketFactory() throws Exception {
-        useGlobalSSL = randomBoolean();
         Path keystore = getDataPath("../ldap/support/ldaptrust.jks");
         /*
          * Prior to each test we reinitialize the socket factory with a new SSLService so that we get a new SSLContext.
          * If we re-use a SSLContext, previously connected sessions can get re-established which breaks hostname
          * verification tests since a re-established connection does not perform hostname verification.
          */
-        Settings.Builder builder = Settings.builder().put("path.home", createTempDir());
+        globalSettings = Settings.builder().put("path.home", createTempDir())
-        if (useGlobalSSL) {
+                .put("xpack.security.ssl.keystore.path", keystore)
-            builder.put("xpack.security.ssl.keystore.path", keystore)
+                .put("xpack.security.ssl.keystore.password", "changeit")
-                    .put("xpack.security.ssl.keystore.password", "changeit");
+                .build();
-        } else {
-            builder.put(Global.AUTO_GENERATE_SSL_SETTING.getKey(), false);
-        }
-        globalSettings = builder.build();
         Environment environment = new Environment(globalSettings);
         clientSSLService = new ClientSSLService(globalSettings, new Global(globalSettings));
         clientSSLService.setEnvironment(environment);
@@ -186,9 +180,6 @@ public class OpenLdapTests extends ESTestCase {
 
     Settings buildLdapSettings(String ldapUrl, String userTemplate, String groupSearchBase, LdapSearchScope scope) {
         Settings baseSettings = LdapTestCase.buildLdapSettings(ldapUrl, userTemplate, groupSearchBase, scope);
-        if (useGlobalSSL) {
-            return baseSettings;
-        }
         return Settings.builder()
                 .put(baseSettings)
                 .put("ssl.truststore.path", getDataPath("../ldap/support/ldaptrust.jks"))

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/pki/PkiAuthenticationTests.java

@@ -74,11 +74,6 @@ public class PkiAuthenticationTests extends ShieldIntegTestCase {
         return true;
     }
 
-    @Override
-    protected boolean autoSSLEnabled() {
-        return false;
-    }
-
     public void testTransportClientCanAuthenticateViaPki() {
         Settings settings = getSSLSettingsForStore("/org/elasticsearch/shield/transport/ssl/certs/simple/testnode.jks", "testnode");
         try (TransportClient client = createTransportClient(settings)) {

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/pki/PkiOptionalClientAuthTests.java

@@ -77,11 +77,6 @@ public class PkiOptionalClientAuthTests extends ShieldIntegTestCase {
         return true;
     }
 
-    @Override
-    protected boolean autoSSLEnabled() {
-        return false;
-    }
-
     public void testRestClientWithoutClientCertificate() throws Exception {
         HttpServerTransport httpServerTransport = internalCluster().getDataNodeInstance(HttpServerTransport.class);
 

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/pki/PkiWithoutClientAuthenticationTests.java

@@ -57,11 +57,6 @@ public class PkiWithoutClientAuthenticationTests extends ShieldIntegTestCase {
         return true;
     }
 
-    @Override
-    protected boolean autoSSLEnabled() {
-        return false;
-    }
-
     @Override
     public Settings nodeSettings(int nodeOrdinal) {
         return Settings.builder()

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ssl/AutoSSLIntegTests.java

@@ -1,60 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-package org.elasticsearch.shield.ssl;
-
-import org.elasticsearch.client.transport.NoNodeAvailableException;
-import org.elasticsearch.client.transport.TransportClient;
-import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.common.transport.TransportAddress;
-import org.elasticsearch.shield.Security;
-import org.elasticsearch.shield.transport.netty.ShieldNettyTransport;
-import org.elasticsearch.test.ShieldIntegTestCase;
-import org.elasticsearch.transport.Transport;
-import org.elasticsearch.xpack.XPackPlugin;
-
-import static org.elasticsearch.test.ShieldSettingsSource.DEFAULT_PASSWORD;
-import static org.elasticsearch.test.ShieldSettingsSource.DEFAULT_USER_NAME;
-import static org.hamcrest.Matchers.containsString;
-
-public class AutoSSLIntegTests extends ShieldIntegTestCase {
-
-    @Override
-    public boolean sslTransportEnabled() {
-        return true;
-    }
-
-    @Override
-    public boolean autoSSLEnabled() {
-        return true;
-    }
-
-    public void testTransportClient() {
-        String clusterName = internalCluster().getClusterName();
-        TransportAddress transportAddress = randomFrom(internalCluster().getInstance(Transport.class).boundAddress().boundAddresses());
-        try (TransportClient transportClient = TransportClient.builder().addPlugin(XPackPlugin.class)
-                .settings(Settings.builder()
-                        .put("cluster.name", clusterName)
-                        .put(Security.USER_SETTING.getKey(), DEFAULT_USER_NAME + ":" + DEFAULT_PASSWORD))
-                .build()) {
-            transportClient.addTransportAddress(transportAddress);
-            assertGreenClusterState(transportClient);
-        }
-
-        // now try with SSL disabled and it should fail
-        try (TransportClient transportClient = TransportClient.builder().addPlugin(XPackPlugin.class)
-                .settings(Settings.builder()
-                        .put("cluster.name", clusterName)
-                        .put(ShieldNettyTransport.SSL_SETTING.getKey(), false)
-                        .put(Security.USER_SETTING.getKey(), DEFAULT_USER_NAME + ":" + DEFAULT_PASSWORD))
-                .build()) {
-            transportClient.addTransportAddress(transportAddress);
-            assertGreenClusterState(transportClient);
-            fail("should not have been able to connect");
-        } catch (NoNodeAvailableException e) {
-            assertThat(e.getMessage(), containsString("None of the configured nodes are available"));
-        }
-    }
-}

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ssl/ClientSSLServiceTests.java

@@ -152,9 +152,7 @@ public class ClientSSLServiceTests extends ESTestCase {
     }
 
     public void testThatCreateClientSSLEngineWithoutAnySettingsWorks() throws Exception {
-        ClientSSLService sslService = createClientSSLService(Settings.builder()
+        ClientSSLService sslService = createClientSSLService(Settings.EMPTY);
-                .put(Global.AUTO_GENERATE_SSL_SETTING.getKey(), false)
-                .build());
         SSLEngine sslEngine = sslService.createSSLEngine();
         assertThat(sslEngine, notNullValue());
     }
@@ -179,8 +177,7 @@ public class ClientSSLServiceTests extends ESTestCase {
 
     @Network
     public void testThatSSLContextWithoutSettingsWorks() throws Exception {
-        ClientSSLService sslService = createClientSSLService(Settings.builder()
+        ClientSSLService sslService = createClientSSLService(Settings.EMPTY);
-                .put(Global.AUTO_GENERATE_SSL_SETTING.getKey(), false).build());
         SSLContext sslContext = sslService.sslContext();
         try (CloseableHttpClient client = HttpClients.custom().setSslcontext(sslContext).build()) {
             // Execute a GET on a site known to have a valid certificate signed by a trusted public CA

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ssl/SSLConfigurationTests.java

@@ -53,14 +53,11 @@ import static org.hamcrest.Matchers.sameInstance;
 
 public class SSLConfigurationTests extends ESTestCase {
 
-    private static final Settings NO_AUTO_GEN = Settings.builder()
-            .put(Global.AUTO_GENERATE_SSL_SETTING.getKey(), false)
-            .build();
-
     public void testThatSSLConfigurationHasCorrectDefaults() {
         SSLConfiguration globalConfig = new Global(Settings.EMPTY);
-        assertThat(globalConfig.keyConfig(), instanceOf(AutoGeneratedKeyConfig.class));
+        assertThat(globalConfig.keyConfig(), sameInstance(KeyConfig.NONE));
-        assertThat(globalConfig.trustConfig(), sameInstance(globalConfig.keyConfig()));
+        assertThat(globalConfig.trustConfig(), is(not((globalConfig.keyConfig()))));
+        assertThat(globalConfig.trustConfig(), instanceOf(StoreTrustConfig.class));
         assertThat(globalConfig.sessionCacheSize(), is(equalTo(Global.DEFAULT_SESSION_CACHE_SIZE)));
         assertThat(globalConfig.sessionCacheTimeout(), is(equalTo(Global.DEFAULT_SESSION_CACHE_TIMEOUT)));
         assertThat(globalConfig.protocol(), is(equalTo(Global.DEFAULT_PROTOCOL)));
@@ -74,7 +71,7 @@ public class SSLConfigurationTests extends ESTestCase {
     }
 
     public void testThatSSLConfigurationWithoutAutoGenHasCorrectDefaults() {
-        SSLConfiguration globalSettings = new Global(NO_AUTO_GEN);
+        SSLConfiguration globalSettings = new Global(Settings.EMPTY);
         SSLConfiguration scopedSettings = new Custom(Settings.EMPTY, globalSettings);
         for (SSLConfiguration sslConfiguration : Arrays.asList(globalSettings, scopedSettings)) {
             assertThat(sslConfiguration.keyConfig(), sameInstance(KeyConfig.NONE));
@@ -101,7 +98,7 @@ public class SSLConfigurationTests extends ESTestCase {
         SSLConfiguration globalSettings = new Global(settings);
         SSLConfiguration scopedSettings = new Custom(profileSettings, globalSettings);
         SSLConfiguration scopedEmptyGlobalSettings =
-                new Custom(profileSettings, new Global(NO_AUTO_GEN));
+                new Custom(profileSettings, new Global(Settings.EMPTY));
         for (SSLConfiguration sslConfiguration : Arrays.asList(globalSettings, scopedSettings, scopedEmptyGlobalSettings)) {
             assertThat(sslConfiguration.keyConfig(), instanceOf(StoreKeyConfig.class));
             StoreKeyConfig ksKeyInfo = (StoreKeyConfig) sslConfiguration.keyConfig();
@@ -129,7 +126,7 @@ public class SSLConfigurationTests extends ESTestCase {
         // Pass settings in as profile settings
         Settings profileSettings = settings.getByPrefix("xpack.security.ssl.");
         SSLConfiguration sslConfiguration1 = new Custom(profileSettings,
-                randomBoolean() ? sslConfiguration : new Global(NO_AUTO_GEN));
+                randomBoolean() ? sslConfiguration : new Global(Settings.EMPTY));
         assertThat(sslConfiguration1.keyConfig(), instanceOf(StoreKeyConfig.class));
         ksKeyInfo = (StoreKeyConfig) sslConfiguration1.keyConfig();
         assertThat(ksKeyInfo.keyStorePassword, is(equalTo("password")));
@@ -183,8 +180,8 @@ public class SSLConfigurationTests extends ESTestCase {
     }
 
     public void testThatEmptySettingsAreEqual() {
-        SSLConfiguration sslConfiguration = new Global(NO_AUTO_GEN);
+        SSLConfiguration sslConfiguration = new Global(Settings.EMPTY);
-        SSLConfiguration sslConfiguration1 = new Global(NO_AUTO_GEN);
+        SSLConfiguration sslConfiguration1 = new Global(Settings.EMPTY);
         assertThat(sslConfiguration.equals(sslConfiguration1), is(equalTo(true)));
         assertThat(sslConfiguration1.equals(sslConfiguration), is(equalTo(true)));
         assertThat(sslConfiguration.equals(sslConfiguration), is(equalTo(true)));
@@ -230,8 +227,8 @@ public class SSLConfigurationTests extends ESTestCase {
     }
 
     public void testThatEmptySettingsHaveSameHashCode() {
-        SSLConfiguration sslConfiguration = new Global(NO_AUTO_GEN);
+        SSLConfiguration sslConfiguration = new Global(Settings.EMPTY);
-        SSLConfiguration sslConfiguration1 = new Global(NO_AUTO_GEN);
+        SSLConfiguration sslConfiguration1 = new Global(Settings.EMPTY);
         assertThat(sslConfiguration.hashCode(), is(equalTo(sslConfiguration1.hashCode())));
 
         SSLConfiguration profileSettings = new Custom(Settings.EMPTY, sslConfiguration);

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ssl/SSLReloadIntegTests.java

@@ -90,11 +90,6 @@ public class SSLReloadIntegTests extends ShieldIntegTestCase {
         return true;
     }
 
-    @Override
-    protected boolean autoSSLEnabled() {
-        return false;
-    }
-
     public void testThatSSLConfigurationReloadsOnModification() throws Exception {
         KeyPair keyPair = CertUtils.generateKeyPair();
         X509Certificate certificate = getCertificate(keyPair);

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ssl/ServerSSLServiceTests.java

@@ -152,8 +152,7 @@ public class ServerSSLServiceTests extends ESTestCase {
     }
 
     public void testThatCreateSSLEngineWithoutAnySettingsDoesNotWork() throws Exception {
-        ServerSSLService sslService = new ServerSSLService(Settings.EMPTY, env, new Global(Settings.builder()
+        ServerSSLService sslService = new ServerSSLService(Settings.EMPTY, env, new Global(Settings.EMPTY), null);
-                .put(Global.AUTO_GENERATE_SSL_SETTING.getKey(), false).build()), null);
         try {
             sslService.createSSLEngine();
             fail("Expected IllegalArgumentException");

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/ServerTransportFilterIntegrationTests.java

@@ -51,11 +51,6 @@ public class ServerTransportFilterIntegrationTests extends ShieldIntegTestCase {
         return true;
     }
 
-    @Override
-    protected boolean autoSSLEnabled() {
-        return false;
-    }
-
     @Override
     protected Settings nodeSettings(int nodeOrdinal) {
         Settings.Builder settingsBuilder = Settings.builder();

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/netty/IPHostnameVerificationTests.java

@@ -24,11 +24,6 @@ public class IPHostnameVerificationTests extends ShieldIntegTestCase {
         return true;
     }
 
-    @Override
-    protected boolean autoSSLEnabled() {
-        return false;
-    }
-
     @Override
     protected Settings nodeSettings(int nodeOrdinal) {
         Settings settings = super.nodeSettings(nodeOrdinal);

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/netty/ShieldNettyHttpServerTransportTests.java

@@ -49,7 +49,7 @@ public class ShieldNettyHttpServerTransportTests extends ESTestCase {
     public void testDefaultClientAuth() throws Exception {
         Settings settings = Settings.builder().put(ShieldNettyHttpServerTransport.SSL_SETTING.getKey(), true).build();
         ShieldNettyHttpServerTransport transport = new ShieldNettyHttpServerTransport(settings, mock(NetworkService.class),
-                mock(BigArrays.class), mock(IPFilter.class), serverSSLService, mock(ThreadPool.class), mock(Global.class));
+                mock(BigArrays.class), mock(IPFilter.class), serverSSLService, mock(ThreadPool.class));
         NettyHttpMockUtil.setOpenChannelsHandlerToMock(transport);
         ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory();
         assertThat(factory.getPipeline().get(SslHandler.class).getEngine().getNeedClientAuth(), is(false));
@@ -62,7 +62,7 @@ public class ShieldNettyHttpServerTransportTests extends ESTestCase {
                 .put(ShieldNettyHttpServerTransport.SSL_SETTING.getKey(), true)
                 .put(ShieldNettyHttpServerTransport.CLIENT_AUTH_SETTING.getKey(), value).build();
         ShieldNettyHttpServerTransport transport = new ShieldNettyHttpServerTransport(settings, mock(NetworkService.class),
-                mock(BigArrays.class), mock(IPFilter.class), serverSSLService, mock(ThreadPool.class), mock(Global.class));
+                mock(BigArrays.class), mock(IPFilter.class), serverSSLService, mock(ThreadPool.class));
         NettyHttpMockUtil.setOpenChannelsHandlerToMock(transport);
         ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory();
         assertThat(factory.getPipeline().get(SslHandler.class).getEngine().getNeedClientAuth(), is(false));
@@ -75,7 +75,7 @@ public class ShieldNettyHttpServerTransportTests extends ESTestCase {
                 .put(ShieldNettyHttpServerTransport.SSL_SETTING.getKey(), true)
                 .put(ShieldNettyHttpServerTransport.CLIENT_AUTH_SETTING.getKey(), value).build();
         ShieldNettyHttpServerTransport transport = new ShieldNettyHttpServerTransport(settings, mock(NetworkService.class),
-                mock(BigArrays.class), mock(IPFilter.class), serverSSLService, mock(ThreadPool.class), mock(Global.class));
+                mock(BigArrays.class), mock(IPFilter.class), serverSSLService, mock(ThreadPool.class));
         NettyHttpMockUtil.setOpenChannelsHandlerToMock(transport);
         ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory();
         assertThat(factory.getPipeline().get(SslHandler.class).getEngine().getNeedClientAuth(), is(true));
@@ -88,7 +88,7 @@ public class ShieldNettyHttpServerTransportTests extends ESTestCase {
                 .put(ShieldNettyHttpServerTransport.SSL_SETTING.getKey(), true)
                 .put(ShieldNettyHttpServerTransport.CLIENT_AUTH_SETTING.getKey(), value).build();
         ShieldNettyHttpServerTransport transport = new ShieldNettyHttpServerTransport(settings, mock(NetworkService.class),
-                mock(BigArrays.class), mock(IPFilter.class), serverSSLService, mock(ThreadPool.class), mock(Global.class));
+                mock(BigArrays.class), mock(IPFilter.class), serverSSLService, mock(ThreadPool.class));
         NettyHttpMockUtil.setOpenChannelsHandlerToMock(transport);
         ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory();
         assertThat(factory.getPipeline().get(SslHandler.class).getEngine().getNeedClientAuth(), is(false));
@@ -99,7 +99,7 @@ public class ShieldNettyHttpServerTransportTests extends ESTestCase {
         Settings settings = Settings.builder()
                 .put(ShieldNettyHttpServerTransport.SSL_SETTING.getKey(), true).build();
         ShieldNettyHttpServerTransport transport = new ShieldNettyHttpServerTransport(settings, mock(NetworkService.class),
-                mock(BigArrays.class), mock(IPFilter.class), serverSSLService, mock(ThreadPool.class), mock(Global.class));
+                mock(BigArrays.class), mock(IPFilter.class), serverSSLService, mock(ThreadPool.class));
         NettyHttpMockUtil.setOpenChannelsHandlerToMock(transport);
         ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory();
         SSLEngine defaultEngine = factory.getPipeline().get(SslHandler.class).getEngine();
@@ -109,7 +109,7 @@ public class ShieldNettyHttpServerTransportTests extends ESTestCase {
                 .put("xpack.security.http.ssl.supported_protocols", "TLSv1.2")
                 .build();
         transport = new ShieldNettyHttpServerTransport(settings, mock(NetworkService.class),
-                mock(BigArrays.class), mock(IPFilter.class), serverSSLService, mock(ThreadPool.class), mock(Global.class));
+                mock(BigArrays.class), mock(IPFilter.class), serverSSLService, mock(ThreadPool.class));
         NettyHttpMockUtil.setOpenChannelsHandlerToMock(transport);
         factory = transport.configureServerChannelPipelineFactory();
         SSLEngine customEngine = factory.getPipeline().get(SslHandler.class).getEngine();

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/netty/ShieldNettyTransportTests.java

@@ -53,7 +53,7 @@ public class ShieldNettyTransportTests extends ESTestCase {
         Settings settings = Settings.builder().put(ShieldNettyTransport.SSL_SETTING.getKey(), true).build();
         ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class), mock(NetworkService.class),
                 mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService, mock(NamedWriteableRegistry.class),
-                mock(CircuitBreakerService.class), mock(Global.class));
+                mock(CircuitBreakerService.class));
         NettyMockUtil.setOpenChannelsHandlerToMock(transport);
         ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory("client",
                 Settings.builder().put("xpack.security.ssl", false).build());
@@ -64,7 +64,7 @@ public class ShieldNettyTransportTests extends ESTestCase {
         Settings settings = Settings.builder().put(ShieldNettyTransport.SSL_SETTING.getKey(), false).build();
         ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class), mock(NetworkService.class),
                 mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService, mock(NamedWriteableRegistry.class),
-                mock(CircuitBreakerService.class), mock(Global.class));
+                mock(CircuitBreakerService.class));
         NettyMockUtil.setOpenChannelsHandlerToMock(transport);
         ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory("client",
                 Settings.builder().put("xpack.security.ssl", true).build());
@@ -75,7 +75,7 @@ public class ShieldNettyTransportTests extends ESTestCase {
         Settings settings = Settings.builder().put(ShieldNettyTransport.SSL_SETTING.getKey(), true).build();
         ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class), mock(NetworkService.class),
                 mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService, mock(NamedWriteableRegistry.class),
-                mock(CircuitBreakerService.class), mock(Global.class));
+                mock(CircuitBreakerService.class));
         NettyMockUtil.setOpenChannelsHandlerToMock(transport);
         ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory("client", Settings.EMPTY);
         assertThat(factory.getPipeline().get(SslHandler.class).getEngine(), notNullValue());
@@ -85,7 +85,7 @@ public class ShieldNettyTransportTests extends ESTestCase {
         Settings settings = Settings.builder().put(ShieldNettyTransport.SSL_SETTING.getKey(), true).build();
         ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class), mock(NetworkService.class),
                 mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService, mock(NamedWriteableRegistry.class),
-                mock(CircuitBreakerService.class), mock(Global.class));
+                mock(CircuitBreakerService.class));
         NettyMockUtil.setOpenChannelsHandlerToMock(transport);
         ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory("client", Settings.EMPTY);
         assertThat(factory.getPipeline().get(SslHandler.class).getEngine().getNeedClientAuth(), is(true));
@@ -99,7 +99,7 @@ public class ShieldNettyTransportTests extends ESTestCase {
                 .put(ShieldNettyTransport.CLIENT_AUTH_SETTING.getKey(), value).build();
         ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class), mock(NetworkService.class),
                 mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService, mock(NamedWriteableRegistry.class),
-                mock(CircuitBreakerService.class), mock(Global.class));
+                mock(CircuitBreakerService.class));
         NettyMockUtil.setOpenChannelsHandlerToMock(transport);
         ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory("client", Settings.EMPTY);
         assertThat(factory.getPipeline().get(SslHandler.class).getEngine().getNeedClientAuth(), is(true));
@@ -113,7 +113,7 @@ public class ShieldNettyTransportTests extends ESTestCase {
                 .put(ShieldNettyTransport.CLIENT_AUTH_SETTING.getKey(), value).build();
         ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class), mock(NetworkService.class),
                 mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService, mock(NamedWriteableRegistry.class),
-                mock(CircuitBreakerService.class), mock(Global.class));
+                mock(CircuitBreakerService.class));
         NettyMockUtil.setOpenChannelsHandlerToMock(transport);
         ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory("client", Settings.EMPTY);
         assertThat(factory.getPipeline().get(SslHandler.class).getEngine().getNeedClientAuth(), is(false));
@@ -127,7 +127,7 @@ public class ShieldNettyTransportTests extends ESTestCase {
                 .put(ShieldNettyTransport.CLIENT_AUTH_SETTING.getKey(), value).build();
         ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class), mock(NetworkService.class),
                 mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService, mock(NamedWriteableRegistry.class),
-                mock(CircuitBreakerService.class), mock(Global.class));
+                mock(CircuitBreakerService.class));
         NettyMockUtil.setOpenChannelsHandlerToMock(transport);
         ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory("client", Settings.EMPTY);
         assertThat(factory.getPipeline().get(SslHandler.class).getEngine().getNeedClientAuth(), is(false));
@@ -139,7 +139,7 @@ public class ShieldNettyTransportTests extends ESTestCase {
         Settings settings = Settings.builder().put(ShieldNettyTransport.SSL_SETTING.getKey(), true).build();
         ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class), mock(NetworkService.class),
                 mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService, mock(NamedWriteableRegistry.class),
-                mock(CircuitBreakerService.class), mock(Global.class));
+                mock(CircuitBreakerService.class));
         NettyMockUtil.setOpenChannelsHandlerToMock(transport);
         ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory("client",
                 Settings.builder().put(ShieldNettyTransport.PROFILE_CLIENT_AUTH_SETTING, value).build());
@@ -152,7 +152,7 @@ public class ShieldNettyTransportTests extends ESTestCase {
         Settings settings = Settings.builder().put(ShieldNettyTransport.SSL_SETTING.getKey(), true).build();
         ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class), mock(NetworkService.class),
                 mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService, mock(NamedWriteableRegistry.class),
-                mock(CircuitBreakerService.class), mock(Global.class));
+                mock(CircuitBreakerService.class));
         NettyMockUtil.setOpenChannelsHandlerToMock(transport);
         ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory("client",
                 Settings.builder().put(ShieldNettyTransport.PROFILE_CLIENT_AUTH_SETTING.getKey(), value).build());
@@ -165,7 +165,7 @@ public class ShieldNettyTransportTests extends ESTestCase {
         Settings settings = Settings.builder().put(ShieldNettyTransport.SSL_SETTING.getKey(), true).build();
         ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class),
                 mock(NetworkService.class), mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService,
-                mock(NamedWriteableRegistry.class), mock(CircuitBreakerService.class), mock(Global.class));
+                mock(NamedWriteableRegistry.class), mock(CircuitBreakerService.class));
         NettyMockUtil.setOpenChannelsHandlerToMock(transport);
         ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory("client",
                 Settings.builder().put(ShieldNettyTransport.PROFILE_CLIENT_AUTH_SETTING.getKey(), value).build());

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/netty/SslHostnameVerificationTests.java

@@ -32,11 +32,6 @@ public class SslHostnameVerificationTests extends ShieldIntegTestCase {
         return true;
     }
 
-    @Override
-    protected boolean autoSSLEnabled() {
-        return false;
-    }
-
     @Override
     protected Settings nodeSettings(int nodeOrdinal) {
         Settings settings = super.nodeSettings(nodeOrdinal);

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/ssl/SslClientAuthTests.java

@@ -54,11 +54,6 @@ public class SslClientAuthTests extends ShieldIntegTestCase {
         return true;
     }
 
-    @Override
-    protected boolean autoSSLEnabled() {
-        return false;
-    }
-
     public void testThatHttpFailsWithoutSslClientAuth() throws IOException {
         SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(
                 SSLContexts.createDefault(),

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/ssl/SslIntegrationTests.java

@@ -56,11 +56,6 @@ public class SslIntegrationTests extends ShieldIntegTestCase {
         return true;
     }
 
-    @Override
-    protected boolean autoSSLEnabled() {
-        return false;
-    }
-
     // no SSL exception as this is the exception is returned when connecting
     public void testThatUnconfiguredCiphersAreRejected() {
         try (TransportClient transportClient = TransportClient.builder().addPlugin(XPackPlugin.class).settings(Settings.builder()

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/ssl/SslMultiPortTests.java

@@ -87,11 +87,6 @@ public class SslMultiPortTests extends ShieldIntegTestCase {
         return true;
     }
 
-    @Override
-    protected boolean autoSSLEnabled() {
-        return false;
-    }
-
     private TransportClient createTransportClient(Settings additionalSettings) {
         Settings clientSettings = transportClientSettings();
         if (additionalSettings.getByPrefix("xpack.security.ssl.").isEmpty() == false) {

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/test/ShieldIntegTestCase.java

@@ -100,8 +100,7 @@ public abstract class ShieldIntegTestCase extends ESIntegTestCase {
     @BeforeClass
     public static void initDefaultSettings() {
         if (SHIELD_DEFAULT_SETTINGS == null) {
-            SHIELD_DEFAULT_SETTINGS = new ShieldSettingsSource(maxNumberOfNodes(), randomBoolean(), randomBoolean(), createTempDir(),
+            SHIELD_DEFAULT_SETTINGS = new ShieldSettingsSource(maxNumberOfNodes(), randomBoolean(), createTempDir(), Scope.SUITE);
-                    Scope.SUITE);
         }
     }
 
@@ -124,13 +123,13 @@ public abstract class ShieldIntegTestCase extends ESIntegTestCase {
             switch (currentClusterScope) {
                 case SUITE:
                     if (customShieldSettingsSource == null) {
-                        customShieldSettingsSource = new CustomShieldSettingsSource(sslTransportEnabled(), autoSSLEnabled(),
+                        customShieldSettingsSource =
-                                createTempDir(), currentClusterScope);
+                                new CustomShieldSettingsSource(sslTransportEnabled(), createTempDir(), currentClusterScope);
                     }
                     break;
                 case TEST:
-                    customShieldSettingsSource = new CustomShieldSettingsSource(sslTransportEnabled(), autoSSLEnabled(), createTempDir(),
+                    customShieldSettingsSource =
-                            currentClusterScope);
+                            new CustomShieldSettingsSource(sslTransportEnabled(), createTempDir(), currentClusterScope);
                     break;
             }
         }
@@ -266,18 +265,14 @@ public abstract class ShieldIntegTestCase extends ESIntegTestCase {
         return randomBoolean();
     }
 
-    protected boolean autoSSLEnabled() {
-        return randomBoolean();
-    }
-
     protected Class<? extends XPackPlugin> xpackPluginClass() {
         return SHIELD_DEFAULT_SETTINGS.xpackPluginClass();
     }
 
     private class CustomShieldSettingsSource extends ShieldSettingsSource {
 
-        private CustomShieldSettingsSource(boolean sslTransportEnabled, boolean autoSSLEnabled, Path configDir, Scope scope) {
+        private CustomShieldSettingsSource(boolean sslTransportEnabled, Path configDir, Scope scope) {
-            super(maxNumberOfNodes(), sslTransportEnabled, autoSSLEnabled, configDir, scope);
+            super(maxNumberOfNodes(), sslTransportEnabled, configDir, scope);
         }
 
         @Override

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/test/ShieldSettingsSource.java

@@ -12,6 +12,7 @@ import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
 import org.elasticsearch.marvel.Monitoring;
 import org.elasticsearch.plugins.Plugin;
+import org.elasticsearch.test.ESIntegTestCase.Scope;
 import org.elasticsearch.shield.authc.file.FileRealm;
 import org.elasticsearch.shield.authc.esnative.NativeRealm;
 import org.elasticsearch.shield.Security;
@@ -84,7 +85,6 @@ public class ShieldSettingsSource extends ClusterDiscoveryConfiguration.UnicastZ
     private final String subfolderPrefix;
     private final byte[] systemKey;
     private final boolean sslTransportEnabled;
-    private final boolean autoSSLEnabled;
     private final boolean hostnameVerificationEnabled;
     private final boolean hostnameVerificationResolveNameEnabled;
 
@@ -96,9 +96,8 @@ public class ShieldSettingsSource extends ClusterDiscoveryConfiguration.UnicastZ
      * @param parentFolder the parent folder that will contain all of the configuration files that need to be created
      * @param scope the scope of the test that is requiring an instance of ShieldSettingsSource
      */
-    public ShieldSettingsSource(int numOfNodes, boolean sslTransportEnabled, boolean autoSSLEnabled, Path parentFolder,
+    public ShieldSettingsSource(int numOfNodes, boolean sslTransportEnabled, Path parentFolder, Scope scope) {
-                                ESIntegTestCase.Scope scope) {
+        this(numOfNodes, sslTransportEnabled, generateKey(), parentFolder, scope);
-        this(numOfNodes, sslTransportEnabled, autoSSLEnabled, generateKey(), parentFolder, scope);
     }
 
     /**
@@ -110,14 +109,12 @@ public class ShieldSettingsSource extends ClusterDiscoveryConfiguration.UnicastZ
      * @param parentFolder the parent folder that will contain all of the configuration files that need to be created
      * @param scope the scope of the test that is requiring an instance of ShieldSettingsSource
      */
-    public ShieldSettingsSource(int numOfNodes, boolean sslTransportEnabled, boolean autoSSLEnabled, byte[] systemKey, Path parentFolder,
+    public ShieldSettingsSource(int numOfNodes, boolean sslTransportEnabled, byte[] systemKey, Path parentFolder, Scope scope) {
-                                ESIntegTestCase.Scope scope) {
         super(numOfNodes, DEFAULT_SETTINGS);
         this.systemKey = systemKey;
         this.parentFolder = parentFolder;
         this.subfolderPrefix = scope.name();
         this.sslTransportEnabled = sslTransportEnabled;
-        this.autoSSLEnabled = autoSSLEnabled;
         this.hostnameVerificationEnabled = randomBoolean();
         this.hostnameVerificationResolveNameEnabled = randomBoolean();
     }
@@ -216,10 +213,6 @@ public class ShieldSettingsSource extends ClusterDiscoveryConfiguration.UnicastZ
     }
 
     public Settings getNodeSSLSettings() {
-        if (sslTransportEnabled && autoSSLEnabled) {
-            return Settings.EMPTY;
-        }
-
         if (randomBoolean()) {
             return getSSLSettingsForPEMFiles("/org/elasticsearch/shield/transport/ssl/certs/simple/testnode.pem", "testnode",
                     Collections.singletonList("/org/elasticsearch/shield/transport/ssl/certs/simple/testnode.crt"),
@@ -235,10 +228,6 @@ public class ShieldSettingsSource extends ClusterDiscoveryConfiguration.UnicastZ
     }
 
     public Settings getClientSSLSettings() {
-        if (sslTransportEnabled && autoSSLEnabled) {
-            return Settings.EMPTY;
-        }
-
         if (randomBoolean()) {
             return getSSLSettingsForPEMFiles("/org/elasticsearch/shield/transport/ssl/certs/simple/testclient.pem", "testclient",
                     Collections.singletonList("/org/elasticsearch/shield/transport/ssl/certs/simple/testclient.crt"),