From c6799de2a431f91e71d4a16dc8b73b29ff6ddabd Mon Sep 17 00:00:00 2001
From: Jay Modi
Date: Thu, 7 Dec 2017 09:50:25 -0700
Subject: [PATCH] Do not enforce TLS if discovery type is single-node (elastic/x-pack-elasticsearch#3245)

This commit adds a check for the discovery type so that the TLS join validator does not fail join requests when the discovery type is single-node.
relates elastic/x-pack-elasticsearch#2828
Original commit: elastic/x-pack-elasticsearch@fdfdb76b0b30f8b09f81e2442b560d9adf83f73b
---
 .../org/elasticsearch/xpack/security/Security.java | 11 ++++++++---
 .../elasticsearch/xpack/security/SecurityTests.java | 5 +++--
 2 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/plugin/src/main/java/org/elasticsearch/xpack/security/Security.java b/plugin/src/main/java/org/elasticsearch/xpack/security/Security.java
index 3c61e85ca20..c4e14ff3672 100644
--- a/plugin/src/main/java/org/elasticsearch/xpack/security/Security.java
+++ b/plugin/src/main/java/org/elasticsearch/xpack/security/Security.java
@@ -49,6 +49,7 @@ import org.elasticsearch.common.xcontent.XContent;
 import org.elasticsearch.common.xcontent.XContentFactory;
 import org.elasticsearch.common.xcontent.XContentParser;
 import org.elasticsearch.common.xcontent.XContentType;
+import org.elasticsearch.discovery.DiscoveryModule;
 import org.elasticsearch.env.Environment;
 import org.elasticsearch.http.HttpServerTransport;
 import org.elasticsearch.index.IndexModule;
@@ -970,7 +971,8 @@ public class Security implements ActionPlugin, IngestPlugin, NetworkPlugin, Clus
 @Override
 public BiConsumer getJoinValidator() {
 if (enabled) {
- return new ValidateTLSOnJoin(XPackSettings.TRANSPORT_SSL_ENABLED.get(settings))
+ return new ValidateTLSOnJoin(XPackSettings.TRANSPORT_SSL_ENABLED.get(settings),
+ DiscoveryModule.DISCOVERY_TYPE_SETTING.get(settings))
 .andThen(new ValidateUpgradedSecurityIndex());
 }
 return null;
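Review bot: Nothing tells the operator that the TLS requirement is being waived once `DiscoveryModule.DISCOVERY_TYPE_SETTING.get(settings)` is handed to `ValidateTLSOnJoin` in `getJoinValidator()` (Security.java). Both inputs to the exemption, transport TLS off and `discovery.type` set to single-node, are already known at this point, so a single warning-level log line emitted here when both hold would make the relaxed posture visible in the node log instead of silent. Whether a logger is in scope in this class cannot be seen from the hunk, and the method's closing brace lies outside it.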
@@ -978,15 +980,18 @@ public class Security implements ActionPlugin, IngestPlugin, NetworkPlugin, Clus
 static final class ValidateTLSOnJoin implements BiConsumer {
 private final boolean isTLSEnabled;
+ private final String discoveryType;
- ValidateTLSOnJoin(boolean isTLSEnabled) {
+ ValidateTLSOnJoin(boolean isTLSEnabled, String discoveryType) {
 this.isTLSEnabled = isTLSEnabled;
+ this.discoveryType = discoveryType;
 }
 @Override
 public void accept(DiscoveryNode node, ClusterState state) {
 License license = LicenseService.getLicense(state.metaData());
- if (license != null && license.isProductionLicense() && isTLSEnabled == false) {
+ if (license != null && license.isProductionLicense() &&
+ isTLSEnabled == false && "single-node".equals(discoveryType) == false) {
 throw new IllegalStateException("TLS setup is required for license type [" + license.operationMode().name() + "]");
 }
 }
diff --git a/plugin/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java b/plugin/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java
index c05acad5806..37837619a72 100644
--- a/plugin/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java
+++ b/plugin/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java
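Review bot: The new clause in `ValidateTLSOnJoin.accept` (Security.java, hunk at -978) waives a security requirement with no comment saying why that is safe, and it keys on the bare literal `"single-node"`. A comment above the `if` should state the rationale, presumably that a node using single-node discovery does not form a cluster with other nodes and so has no node-to-node traffic for this check to protect. The comment should also note that transport TLS remains off for anything else that connects to the transport port. The same literal is repeated in SecurityTests.java; a named constant on the validator, for example `static final String SINGLE_NODE_DISCOVERY_TYPE = "single-node";`, used in both places, would keep a typo from silently changing when the check applies.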
@@ -253,14 +253,15 @@ public class SecurityTests extends ESTestCase {
 int numIters = randomIntBetween(1,10);
 for (int i = 0; i < numIters; i++) {
 boolean tlsOn = randomBoolean();
- Security.ValidateTLSOnJoin validator = new Security.ValidateTLSOnJoin(tlsOn);
+ String discoveryType = randomFrom("single-node", "zen", randomAlphaOfLength(4));
+ Security.ValidateTLSOnJoin validator = new Security.ValidateTLSOnJoin(tlsOn, discoveryType);
 MetaData.Builder builder = MetaData.builder();
 License license = TestUtils.generateSignedLicense(TimeValue.timeValueHours(24));
 TestUtils.putLicense(builder, license);
 ClusterState state = ClusterState.builder(ClusterName.DEFAULT).metaData(builder.build()).build();
 EnumSet productionModes = EnumSet.of(License.OperationMode.GOLD, License.OperationMode.PLATINUM, License.OperationMode.STANDARD);
- if (productionModes.contains(license.operationMode()) && tlsOn == false) {
+ if (productionModes.contains(license.operationMode()) && tlsOn == false && "single-node".equals(discoveryType) == false) {
 IllegalStateException ise = expectThrows(IllegalStateException.class, () -> validator.accept(node, state));
 assertEquals("TLS setup is required for license type [" + license.operationMode().name() + "]", ise.getMessage());
 } else {
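Review bot: The single-node exemption is only exercised by chance in this loop in SecurityTests.java. `discoveryType` comes from `randomFrom(...)`, `tlsOn` from `randomBoolean()`, and the expectation branches on `license.operationMode()`, so a run of one to ten iterations can finish without ever combining a production license, TLS off and single-node. A deterministic case would pin the new behaviour: build `new Security.ValidateTLSOnJoin(false, "single-node")`, call `accept(node, state)` against a state carrying a production-mode license, and assert that nothing is thrown. The expected-condition line also restates the production expression term for term, so an error in that expression would be mirrored by the test, not caught. The `else` branch and the rest of the test method lie outside the hunk.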