Remove duplicate ssl setup in sql/qa projects (elastic#57319)

* Remove duplicate ssl setup in sql/qa projects
* Fix enforcement of task instances
* Use static data for cert generation
* Move ssl testing logic into a plugin
* Document test cert creation

buildSrc/build.gradle

@@ -230,6 +230,8 @@ if (project != rootProject) {
   forbiddenPatterns {
     exclude '**/*.wav'
     exclude '**/*.p12'
+    exclude '**/*.jks'
+    exclude '**/*.crt'
     // the file that actually defines nocommit
     exclude '**/ForbiddenPatternsTask.java'
     exclude '**/*.bcfks'

buildSrc/src/main/groovy/org/elasticsearch/gradle/test/TestWithSslPlugin.java

@@ -0,0 +1,88 @@
+/*
+ * Licensed to Elasticsearch under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.elasticsearch.gradle.test;
+
+import org.elasticsearch.gradle.ExportElasticsearchBuildResourcesTask;
+import org.elasticsearch.gradle.precommit.ForbiddenPatternsTask;
+import org.elasticsearch.gradle.testclusters.ElasticsearchCluster;
+import org.elasticsearch.gradle.testclusters.RestTestRunnerTask;
+import org.elasticsearch.gradle.testclusters.TestClustersAware;
+import org.elasticsearch.gradle.testclusters.TestClustersPlugin;
+import org.elasticsearch.gradle.util.Util;
+import org.gradle.api.NamedDomainObjectContainer;
+import org.gradle.api.Plugin;
+import org.gradle.api.Project;
+import org.gradle.api.tasks.SourceSet;
+import org.gradle.api.tasks.TaskProvider;
+
+import java.io.File;
+
+public class TestWithSslPlugin implements Plugin<Project> {
+
+    @Override
+    public void apply(Project project) {
+        File keyStoreDir = new File(project.getBuildDir(), "keystore");
+        TaskProvider<ExportElasticsearchBuildResourcesTask> exportKeyStore = project.getTasks()
+            .register("copyTestCertificates", ExportElasticsearchBuildResourcesTask.class, (t) -> {
+                t.copy("test/ssl/test-client.crt");
+                t.copy("test/ssl/test-client.jks");
+                t.copy("test/ssl/test-node.crt");
+                t.copy("test/ssl/test-node.jks");
+                t.setOutputDir(keyStoreDir);
+            });
+
+        project.getPlugins().withType(StandaloneRestTestPlugin.class).configureEach(restTestPlugin -> {
+            SourceSet testSourceSet = Util.getJavaTestSourceSet(project).get();
+            testSourceSet.getResources().srcDir(new File(keyStoreDir, "test/ssl"));
+            testSourceSet.compiledBy(exportKeyStore);
+
+            project.getTasks().withType(TestClustersAware.class).configureEach(clusterAware -> clusterAware.dependsOn(exportKeyStore));
+
+            // Tell the tests we're running with ssl enabled
+            project.getTasks()
+                .withType(RestTestRunnerTask.class)
+                .configureEach(runner -> runner.systemProperty("tests.ssl.enabled", "true"));
+        });
+
+        project.getPlugins().withType(TestClustersPlugin.class).configureEach(clustersPlugin -> {
+            File keystoreDir = new File(project.getBuildDir(), "keystore/test/ssl");
+            File nodeKeystore = new File(keystoreDir, "test-node.jks");
+            File clientKeyStore = new File(keystoreDir, "test-client.jks");
+            NamedDomainObjectContainer<ElasticsearchCluster> clusters = (NamedDomainObjectContainer<ElasticsearchCluster>) project
+                .getExtensions()
+                .getByName(TestClustersPlugin.EXTENSION_NAME);
+            clusters.all(c -> {
+                // ceremony to set up ssl
+                c.setting("xpack.security.transport.ssl.keystore.path", "test-node.jks");
+                c.setting("xpack.security.http.ssl.keystore.path", "test-node.jks");
+                c.keystore("xpack.security.transport.ssl.keystore.secure_password", "keypass");
+                c.keystore("xpack.security.http.ssl.keystore.secure_password", "keypass");
+
+                // copy keystores & certs into config/
+                c.extraConfigFile(nodeKeystore.getName(), nodeKeystore);
+                c.extraConfigFile(clientKeyStore.getName(), clientKeyStore);
+            });
+        });
+
+        project.getTasks()
+            .withType(ForbiddenPatternsTask.class)
+            .configureEach(forbiddenPatternTask -> forbiddenPatternTask.exclude("**/*.crt"));
+    }
+}

buildSrc/src/main/java/org/elasticsearch/gradle/testclusters/TestClustersAware.java

@@ -7,7 +7,7 @@
 import java.util.Collection;
 import java.util.concurrent.Callable;
 
-interface TestClustersAware extends Task {
+public interface TestClustersAware extends Task {
 
     @Nested
     Collection<ElasticsearchCluster> getClusters();

buildSrc/src/main/resources/META-INF/gradle-plugins/elasticsearch.test-with-ssl.properties

@@ -0,0 +1,20 @@
+#
+# Licensed to Elasticsearch under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+implementation-class=org.elasticsearch.gradle.test.TestWithSslPlugin

buildSrc/src/main/resources/test/ssl/README.md

@@ -0,0 +1,20 @@
+This directory contains test certificates used for testing ssl handling.
+
+These keystores and certificates can be used via applying the `elasticsearch.test-with-ssl` plugin.
+
+The generated certificates are valid till 05. Jun 2030.
+
+The certificates are generated using catch-all SAN in the following procedure:
+
+1. Generate the node's keystore:
+   `keytool -genkey -alias test-node -keystore test-node.jks -keyalg RSA -keysize 2048 -validity 3654 -dname CN="Elasticsearch Build Test Infrastructure" -keypass keypass -storepass keypass -ext san=dns:localhost,dns:localhost.localdomain,dns:localhost4,dns:localhost4.localdomain4,dns:localhost6,dns:localhost6.localdomain6,ip:127.0.0.1,ip:0:0:0:0:0:0:0:1`
+2. Generate the client's keystore:
+   `keytool -genkey -alias test-client -keystore test-client.jks -keyalg RSA -keysize 2048 -validity 3654 -dname CN="Elasticsearch Build Test Infrastructure" -keypass keypass -storepass keypass -ext san=dns:localhost,dns:localhost.localdomain,dns:localhost4,dns:localhost4.localdomain4,dns:localhost6,dns:localhost6.localdomain6,ip:127.0.0.1,ip:0:0:0:0:0:0:0:1`
+3. Export the node's certificate:
+   `keytool -export -alias test-node -keystore test-node.jks -storepass keypass -file test-node.crt`
+4. Import the node certificate in the client's keystore:
+   `keytool -import -alias test-node -keystore test-client.jks -storepass keypass -file test-node.crt -noprompt`
+5. Export the client's certificate:
+   `keytool -export -alias test-client -keystore test-client.jks -storepass keypass -file test-client.crt`
+6. Import the client certificate in the node's keystore:
+   `keytool -import -alias test-client -keystore test-node.jks -storepass keypass -file test-client.crt -noprompt`