Allow transport TLS to be disabled

Signed-off-by: Craig Perkins <[email protected]>

src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java

@@ -413,10 +413,6 @@ public OpenSearchSecurityPlugin(final Settings settings, final Path configPath)
 
         log.info("Clustername: {}", settings.get("cluster.name", "opensearch"));
 
-        if (!transportSSLEnabled && !SSLConfig.isSslOnlyMode()) {
-            throw new IllegalStateException(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED + " must be set to 'true'");
-        }
-
         if (!client) {
             final List<Path> filesWithWrongPermissions = AccessController.doPrivileged(new PrivilegedAction<List<Path>>() {
                 @Override
@@ -1255,7 +1251,9 @@ public Settings additionalSettings() {
         builder.put(super.additionalSettings());
 
         if (!SSLConfig.isSslOnlyMode()) {
-            builder.put(NetworkModule.TRANSPORT_TYPE_KEY, "org.opensearch.security.ssl.http.netty.SecuritySSLNettyTransport");
+            if (transportSSLEnabled) {
+                builder.put(NetworkModule.TRANSPORT_TYPE_KEY, "org.opensearch.security.ssl.http.netty.SecuritySSLNettyTransport");
+            }
             builder.put(NetworkModule.HTTP_TYPE_KEY, "org.opensearch.security.http.SecurityHttpServerTransport");
         }
         return builder.build();

src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java

@@ -146,7 +146,7 @@ protected OpenSearchSecuritySSLPlugin(final Settings settings, final Path config
             this.extendedKeyUsageEnabled = false;
             this.sslSettingsManager = null;
             this.configPath = null;
-            SSLConfig = new SSLConfig(false, false);
+            SSLConfig = new SSLConfig(false, false, false);
 
             AccessController.doPrivileged(new PrivilegedAction<Object>() {
                 @Override

src/main/java/org/opensearch/security/ssl/http/netty/Netty4HttpRequestHeaderVerifier.java

@@ -57,7 +57,7 @@ public Netty4HttpRequestHeaderVerifier(SecurityRestFilter restFilter, ThreadPool
         this.injectUserEnabled = settings.getAsBoolean(ConfigConstants.SECURITY_UNSUPPORTED_INJECT_USER_ENABLED, false);
         boolean disabled = settings.getAsBoolean(ConfigConstants.SECURITY_DISABLED, false);
         if (disabled) {
-            sslConfig = new SSLConfig(false, false);
+            sslConfig = new SSLConfig(false, false, false);
         } else {
             sslConfig = new SSLConfig(settings);
         }

src/main/java/org/opensearch/security/ssl/transport/SSLConfig.java

@@ -19,21 +19,30 @@
 import org.opensearch.security.support.ConfigConstants;
 import org.opensearch.security.support.SecuritySettings;
 
+import static org.opensearch.security.ssl.util.SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED;
+import static org.opensearch.security.ssl.util.SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_DEFAULT;
+
 public class SSLConfig {
 
     private static final Logger logger = LogManager.getLogger(SSLConfig.class);
 
     private final boolean sslOnly;
     private volatile boolean dualModeEnabled;
+    private volatile boolean transportSSLEnabled;
 
-    public SSLConfig(final boolean sslOnly, final boolean dualModeEnabled) {
+    public SSLConfig(final boolean sslOnly, final boolean dualModeEnabled, final boolean transportSSLEnabled) {
         this.sslOnly = sslOnly;
         this.dualModeEnabled = dualModeEnabled;
+        this.transportSSLEnabled = transportSSLEnabled;
         logger.info("SSL dual mode is {}", isDualModeEnabled() ? "enabled" : "disabled");
     }
 
     public SSLConfig(final Settings settings) {
-        this(settings.getAsBoolean(ConfigConstants.SECURITY_SSL_ONLY, false), SecuritySettings.SSL_DUAL_MODE_SETTING.get(settings));
+        this(
+            settings.getAsBoolean(ConfigConstants.SECURITY_SSL_ONLY, false),
+            SecuritySettings.SSL_DUAL_MODE_SETTING.get(settings),
+            settings.getAsBoolean(SECURITY_SSL_TRANSPORT_ENABLED, SECURITY_SSL_TRANSPORT_ENABLED_DEFAULT)
+        );
     }
 
     public void registerClusterSettingsChangeListener(final ClusterSettings clusterSettings) {
@@ -57,4 +66,8 @@ public boolean isDualModeEnabled() {
     public boolean isSslOnlyMode() {
         return sslOnly;
     }
+
+    public boolean isTransportSSLEnabled() {
+        return transportSSLEnabled;
+    }
 }

src/main/java/org/opensearch/security/ssl/transport/SecuritySSLRequestHandler.java

@@ -113,14 +113,9 @@ public final void messageReceived(T request, TransportChannel channel, Task task
                 if (SSLConfig.isDualModeEnabled()) {
                     log.info("Communication in dual mode. Skipping SSL handler check");
                     threadContext.putTransient(ConfigConstants.SECURITY_SSL_DUAL_MODE_SKIP_SECURITY, Boolean.TRUE);
-                    messageReceivedDecorate(request, actualHandler, channel, task);
-                    return;
                 }
-                final String msg = "No ssl handler found (SG 11)";
-                // log.error(msg);
-                final Exception exception = new OpenSearchException(msg);
-                channel.sendResponse(exception);
-                throw exception;
+                messageReceivedDecorate(request, actualHandler, channel, task);
+                return;
             }
 
             final Certificate[] peerCerts = sslhandler.engine().getSession().getPeerCertificates();

src/main/java/org/opensearch/security/transport/SecurityRequestHandler.java

@@ -70,6 +70,7 @@ public class SecurityRequestHandler<T extends TransportRequest> extends Security
     private final AuditLog auditLog;
     private final InterClusterRequestEvaluator requestEvalProvider;
     private final ClusterService cs;
+    private final SSLConfig SSLConfig;
 
     SecurityRequestHandler(
         String action,
@@ -86,6 +87,7 @@ public class SecurityRequestHandler<T extends TransportRequest> extends Security
         this.auditLog = auditLog;
         this.requestEvalProvider = requestEvalProvider;
         this.cs = cs;
+        this.SSLConfig = SSLConfig;
     }
 
     @Override
@@ -265,7 +267,8 @@ protected void messageReceivedDecorate(
 
             String principal = null;
 
-            if ((principal = getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PRINCIPAL)) == null) {
+            if (SSLConfig.isTransportSSLEnabled()
+                && (principal = getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PRINCIPAL)) == null) {
                 Exception ex = new OpenSearchSecurityException(
                     "No SSL client certificates found for transport type "
                         + transportChannel.getChannelType()
@@ -286,9 +289,10 @@ protected void messageReceivedDecorate(
 
                 // network intercluster request or cross search cluster request
                 // CS-SUPPRESS-SINGLE: RegexpSingleline Used to allow/disallow TLS connections to extensions
-                if (!(HeaderHelper.isInterClusterRequest(getThreadContext())
-                    || HeaderHelper.isTrustedClusterRequest(getThreadContext())
-                    || HeaderHelper.isExtensionRequest(getThreadContext()))) {
+                if (SSLConfig.isTransportSSLEnabled()
+                    && !(HeaderHelper.isInterClusterRequest(getThreadContext())
+                        || HeaderHelper.isTrustedClusterRequest(getThreadContext())
+                        || HeaderHelper.isExtensionRequest(getThreadContext()))) {
                     // CS-ENFORCE-SINGLE
                     final OpenSearchException exception = ExceptionUtils.clusterWrongNodeCertConfigException(principal);
                     log.error(exception.toString());