Introduce SecureHttpTransportParameters experimental API (to complement SecureTransportParameters counterpart) (opensearch-project#18572)

reta · tandonks · commit b45e7195d2e6 · 2025-08-05T12:37:16.000+05:30
Signed-off-by: Andriy Redko &lt;drreta@gmail.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 ### Added
 - Add support for Warm Indices Write Block on Flood Watermark breach ([#18375](https://github.com/opensearch-project/OpenSearch/pull/18375))
 - Ability to run Code Coverage with Gradle and produce the jacoco reports locally ([#18509](https://github.com/opensearch-project/OpenSearch/issues/18509))
+- Introduce SecureHttpTransportParameters experimental API (to complement SecureTransportParameters counterpart) ([#18572](https://github.com/opensearch-project/OpenSearch/issues/18572))
 
 ### Changed
 
diff --git a/server/src/main/java/org/opensearch/plugins/DefaultSecureHttpTransportParameters.java b/server/src/main/java/org/opensearch/plugins/DefaultSecureHttpTransportParameters.java
@@ -0,0 +1,51 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.plugins;
+
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.TrustManagerFactory;
+
+import java.util.Collection;
+import java.util.List;
+import java.util.Optional;
+
+/**
+ * Default implementation of {@link SecureHttpTransportSettingsProvider.SecureHttpTransportParameters}.
+ */
+class DefaultSecureHttpTransportParameters implements SecureHttpTransportSettingsProvider.SecureHttpTransportParameters {
+    @Override
+    public Optional<KeyManagerFactory> keyManagerFactory() {
+        return Optional.empty();
+    }
+
+    @Override
+    public Optional<String> sslProvider() {
+        return Optional.empty();
+    }
+
+    @Override
+    public Optional<String> clientAuth() {
+        return Optional.empty();
+    }
+
+    @Override
+    public Collection<String> protocols() {
+        return List.of();
+    }
+
+    @Override
+    public Collection<String> cipherSuites() {
+        return List.of();
+    }
+
+    @Override
+    public Optional<TrustManagerFactory> trustManagerFactory() {
+        return Optional.empty();
+    }
+}
diff --git a/server/src/main/java/org/opensearch/plugins/SecureHttpTransportSettingsProvider.java b/server/src/main/java/org/opensearch/plugins/SecureHttpTransportSettingsProvider.java
@@ -13,8 +13,10 @@
 import org.opensearch.http.HttpServerTransport;
 import org.opensearch.transport.TransportAdapterProvider;
 
+import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLException;
+import javax.net.ssl.TrustManagerFactory;
 
 import java.util.Collection;
 import java.util.Collections;
@@ -37,6 +39,48 @@ public interface SecureHttpTransportSettingsProvider {
      */
     final String REQUEST_DECOMPRESSOR = "RequestDecompressor";
 
+    /**
+     * Dynamic parameters that can be provided by the {@link SecureHttpTransportParameters}
+     */
+    @ExperimentalApi
+    interface SecureHttpTransportParameters {
+        /**
+         * Provides the instance of {@link KeyManagerFactory}
+         * @return instance of {@link KeyManagerFactory}
+         */
+        Optional<KeyManagerFactory> keyManagerFactory();
+
+        /**
+         * Provides the SSL provider (JDK, OpenSsl, ...) if supported by transport
+         * @return SSL provider
+         */
+        Optional<String> sslProvider();
+
+        /**
+         * Provides desired client authentication level
+         * @return client authentication level
+         */
+        Optional<String> clientAuth();
+
+        /**
+         * Provides the list of supported protocols
+         * @return list of supported protocols
+         */
+        Collection<String> protocols();
+
+        /**
+         * Provides the list of supported cipher suites
+         * @return list of supported cipher suites
+         */
+        Collection<String> cipherSuites();
+
+        /**
+         * Provides the instance of {@link TrustManagerFactory}
+         * @return instance of {@link TrustManagerFactory}
+         */
+        Optional<TrustManagerFactory> trustManagerFactory();
+    }
+
     /**
      * Collection of additional {@link TransportAdapterProvider}s that are specific to particular HTTP transport
      * @param settings settings
@@ -46,6 +90,16 @@ default Collection<TransportAdapterProvider<HttpServerTransport>> getHttpTranspo
         return Collections.emptyList();
     }
 
+    /**
+     * Returns parameters that can be dynamically provided by a plugin providing a {@link SecureHttpTransportParameters}
+     * implementation
+     * @param settings settings
+     * @return an instance of {@link SecureHttpTransportParameters}
+     */
+    default Optional<SecureHttpTransportParameters> parameters(Settings settings) {
+        return Optional.of(new DefaultSecureHttpTransportParameters());
+    }
+
     /**
      * If supported, builds the {@link TransportExceptionHandler} instance for {@link HttpServerTransport} instance
      * @param settings settings
diff --git a/server/src/main/java/org/opensearch/plugins/SecureTransportSettingsProvider.java b/server/src/main/java/org/opensearch/plugins/SecureTransportSettingsProvider.java
@@ -53,18 +53,46 @@ default Optional<SecureTransportParameters> parameters(Settings settings) {
      */
     @ExperimentalApi
     interface SecureTransportParameters {
+        /**
+         * Enable / Disable dual model (if supported by transport)
+         * @return dual model enabled or not
+         */
         boolean dualModeEnabled();
 
+        /**
+         * Provides the instance of {@link KeyManagerFactory}
+         * @return instance of {@link KeyManagerFactory}
+         */
         Optional<KeyManagerFactory> keyManagerFactory();
 
+        /**
+         * Provides the SSL provider (JDK, OpenSsl, ...) if supported by transport
+         * @return SSL provider
+         */
         Optional<String> sslProvider();
 
+        /**
+         * Provides desired client authentication level
+         * @return client authentication level
+         */
         Optional<String> clientAuth();
 
+        /**
+         * Provides the list of supported protocols
+         * @return list of supported protocols
+         */
         Collection<String> protocols();
 
+        /**
+         * Provides the list of supported cipher suites
+         * @return list of supported cipher suites
+         */
         Collection<String> cipherSuites();
 
+        /**
+         * Provides the instance of {@link TrustManagerFactory}
+         * @return instance of {@link TrustManagerFactory}
+         */
         Optional<TrustManagerFactory> trustManagerFactory();
     }
 
