Update x-pack to support TcpChannel (elastic/x-pack-elasticsearch#2983)

This is related to elastic/elasticsearch#27132. This commit updates
x-pack to support signature changes introduced in that PR.

Original commit: elastic/x-pack-elasticsearch@461c96ffe6
Tim Brooks 2017-11-15 12:38:56 -07:00 committed by GitHub
parent f8497dc943
commit d45c2d784c
3 changed files with 13 additions and 10 deletions


@ -52,7 +52,7 @@ public class SecurityRestFilter implements RestHandler {
Netty4HttpRequest nettyHttpRequest = (Netty4HttpRequest) request; Netty4HttpRequest nettyHttpRequest = (Netty4HttpRequest) request;
SslHandler handler = nettyHttpRequest.getChannel().pipeline().get(SslHandler.class); SslHandler handler = nettyHttpRequest.getChannel().pipeline().get(SslHandler.class);
assert handler != null; assert handler != null;
ServerTransportFilter.extactClientCertificates(logger, threadContext, handler.engine(), nettyHttpRequest.getChannel()); ServerTransportFilter.extractClientCertificates(logger, threadContext, handler.engine(), nettyHttpRequest.getChannel());
} }
service.authenticate(maybeWrapRestRequest(request), ActionListener.wrap( service.authenticate(maybeWrapRestRequest(request), ActionListener.wrap(
authentication -> { authentication -> {


@ -24,6 +24,7 @@ import org.elasticsearch.transport.TcpTransportChannel;
import org.elasticsearch.transport.TransportChannel; import org.elasticsearch.transport.TransportChannel;
import org.elasticsearch.transport.TransportRequest; import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.transport.TransportService; import org.elasticsearch.transport.TransportService;
import org.elasticsearch.transport.netty4.NettyTcpChannel;
import org.elasticsearch.xpack.security.SecurityContext; import org.elasticsearch.xpack.security.SecurityContext;
import org.elasticsearch.xpack.security.action.SecurityActionMapper; import org.elasticsearch.xpack.security.action.SecurityActionMapper;
import org.elasticsearch.xpack.security.authc.Authentication; import org.elasticsearch.xpack.security.authc.Authentication;
@ -114,12 +115,12 @@ public interface ServerTransportFilter {
} }
if (extractClientCert && (unwrappedChannel instanceof TcpTransportChannel) && if (extractClientCert && (unwrappedChannel instanceof TcpTransportChannel) &&
((TcpTransportChannel) unwrappedChannel).getChannel() instanceof io.netty.channel.Channel) { ((TcpTransportChannel) unwrappedChannel).getChannel() instanceof NettyTcpChannel) {
Channel channel = (io.netty.channel.Channel) ((TcpTransportChannel) unwrappedChannel).getChannel(); Channel channel = ((NettyTcpChannel) ((TcpTransportChannel) unwrappedChannel).getChannel()).getLowLevelChannel();
SslHandler sslHandler = channel.pipeline().get(SslHandler.class); SslHandler sslHandler = channel.pipeline().get(SslHandler.class);
if (channel.isOpen()) { if (channel.isOpen()) {
assert sslHandler != null : "channel [" + channel + "] did not have a ssl handler. pipeline " + channel.pipeline(); assert sslHandler != null : "channel [" + channel + "] did not have a ssl handler. pipeline " + channel.pipeline();
extactClientCertificates(logger, threadContext, sslHandler.engine(), channel); extractClientCertificates(logger, threadContext, sslHandler.engine(), channel);
} }
} }
@ -170,7 +171,7 @@ public interface ServerTransportFilter {
} }
} }
static void extactClientCertificates(Logger logger, ThreadContext threadContext, SSLEngine sslEngine, Object channel) { static void extractClientCertificates(Logger logger, ThreadContext threadContext, SSLEngine sslEngine, Channel channel) {
try { try {
Certificate[] certs = sslEngine.getSession().getPeerCertificates(); Certificate[] certs = sslEngine.getSession().getPeerCertificates();
if (certs instanceof X509Certificate[]) { if (certs instanceof X509Certificate[]) {
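Review bot: The narrowed `instanceof NettyTcpChannel` check at the top of the hunk makes client-certificate extraction a silent no-op for any other `TcpChannel` implementation even when `extractClientCert` is true, so a request that relies on the peer certificate over such a transport would presumably fail authentication downstream with nothing in the logs explaining why. Add an `else if (extractClientCert)` branch that records the skip, e.g. `logger.trace("cannot extract client certificates from channel of type [{}]", unwrappedChannel.getClass().getName());`. Separately, `assert sslHandler != null` is the only guard before `sslHandler.engine()`; with assertions disabled in production an open channel whose pipeline lacks an `SslHandler` would throw a bare NullPointerException instead of the descriptive message, so consider an explicit null check that logs and skips extraction. The enclosing method starts before the hunk and the `extractClientCertificates` body continues past it.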


@ -19,8 +19,10 @@ import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.BigArrays; import org.elasticsearch.common.util.BigArrays;
import org.elasticsearch.indices.breaker.CircuitBreakerService; import org.elasticsearch.indices.breaker.CircuitBreakerService;
import org.elasticsearch.threadpool.ThreadPool; import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.TcpChannel;
import org.elasticsearch.transport.TcpTransport; import org.elasticsearch.transport.TcpTransport;
import org.elasticsearch.transport.netty4.Netty4Transport; import org.elasticsearch.transport.netty4.Netty4Transport;
import org.elasticsearch.transport.netty4.NettyTcpChannel;
import org.elasticsearch.xpack.XPackSettings; import org.elasticsearch.xpack.XPackSettings;
import org.elasticsearch.xpack.ssl.SSLConfiguration; import org.elasticsearch.xpack.ssl.SSLConfiguration;
import org.elasticsearch.xpack.ssl.SSLService; import org.elasticsearch.xpack.ssl.SSLService;
@ -107,10 +109,10 @@ public class SecurityNetty4Transport extends Netty4Transport {
} }
@Override @Override
protected void onException(Channel channel, Exception e) { protected void onException(NettyTcpChannel channel, Exception e) {
if (!lifecycle.started()) { if (!lifecycle.started()) {
// just close and ignore - we are already stopped and just need to make sure we release all resources // just close and ignore - we are already stopped and just need to make sure we release all resources
closeChannelWhileHandlingExceptions(channel); TcpChannel.closeChannel(channel, false);
} else if (isNotSslRecordException(e)) { } else if (isNotSslRecordException(e)) {
if (logger.isTraceEnabled()) { if (logger.isTraceEnabled()) {
logger.trace( logger.trace(
@ -118,21 +120,21 @@ public class SecurityNetty4Transport extends Netty4Transport {
} else { } else {
logger.warn("received plaintext traffic on an encrypted channel, closing connection {}", channel); logger.warn("received plaintext traffic on an encrypted channel, closing connection {}", channel);
} }
closeChannelWhileHandlingExceptions(channel); TcpChannel.closeChannel(channel, false);
} else if (isCloseDuringHandshakeException(e)) { } else if (isCloseDuringHandshakeException(e)) {
if (logger.isTraceEnabled()) { if (logger.isTraceEnabled()) {
logger.trace(new ParameterizedMessage("connection {} closed during ssl handshake", channel), e); logger.trace(new ParameterizedMessage("connection {} closed during ssl handshake", channel), e);
} else { } else {
logger.warn("connection {} closed during handshake", channel); logger.warn("connection {} closed during handshake", channel);
} }
closeChannelWhileHandlingExceptions(channel); TcpChannel.closeChannel(channel, false);
} else if (isReceivedCertificateUnknownException(e)) { } else if (isReceivedCertificateUnknownException(e)) {
if (logger.isTraceEnabled()) { if (logger.isTraceEnabled()) {
logger.trace(new ParameterizedMessage("client did not trust server's certificate, closing connection {}", channel), e); logger.trace(new ParameterizedMessage("client did not trust server's certificate, closing connection {}", channel), e);
} else { } else {
logger.warn("client did not trust this server's certificate, closing connection {}", channel); logger.warn("client did not trust this server's certificate, closing connection {}", channel);
} }
closeChannelWhileHandlingExceptions(channel); TcpChannel.closeChannel(channel, false);
} else { } else {
super.onException(channel, e); super.onException(channel, e);
} }
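Review bot: The bare `false` passed to `TcpChannel.closeChannel(channel, false)` in each branch is an unexplained boolean literal, and the replaced `closeChannelWhileHandlingExceptions` name suggested that failures during close were caught, whereas nothing in the hunk shows whether the new static call does the same; if it can throw, an exception raised while closing would escape `onException`. Add a short comment on the first call stating the flag's meaning and the exception contract once confirmed, e.g. `// non-blocking close; closeChannel must not throw from inside an exception handler — TODO confirm`. The enclosing `onException` method ends past the hunk.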