[Test] Reuse existing TLS setup infrastructure in tests

x-pack/plugin/security/build.gradle

@@ -151,11 +151,6 @@ dependencies {
  testImplementation('org.apache.directory.server:ldap-client-test:2.0.0-M24')
  testImplementation('org.apache.directory.server:apacheds-interceptor-kerberos:2.0.0-M24')
  testImplementation('org.apache.directory.mavibot:mavibot:1.0.0-M8')
-
- // netty self signed certificate dependency
- testImplementation('org.bouncycastle:bcprov-jdk18on:1.78.1')
- testImplementation ('org.bouncycastle:bcutil-jdk18on:1.78.1')
- testImplementation('org.bouncycastle:bcpkix-jdk18on:1.78.1')
 }
 
 tasks.named("test").configure {

x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/transport/netty4/SecurityNetty4TransportCloseNotifyIT.java

@@ -25,18 +25,15 @@
 import io.netty.handler.ssl.SslContextBuilder;
 import io.netty.handler.ssl.SslHandler;
 import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
-import io.netty.handler.ssl.util.SelfSignedCertificate;
 
 import org.elasticsearch.action.admin.cluster.state.ClusterStateAction;
 import org.elasticsearch.action.support.CancellableActionTestPlugin;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.CollectionUtils;
-import org.elasticsearch.core.SuppressForbidden;
 import org.elasticsearch.http.HttpServerTransport;
 import org.elasticsearch.plugins.Plugin;
 import org.elasticsearch.test.ESIntegTestCase.ClusterScope;
 import org.elasticsearch.test.ESIntegTestCase.Scope;
-import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.test.SecurityIntegTestCase;
 
 import java.util.Collection;
@@ -45,12 +42,11 @@
 import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.function.Consumer;
 
+import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForNodePEMFiles;
 import static org.elasticsearch.test.TaskAssertions.assertAllTasksHaveFinished;
 import static org.elasticsearch.test.rest.ESRestTestCase.basicAuthHeaderValue;
 
 @ClusterScope(numDataNodes = 0, scope = Scope.TEST)
-@ESTestCase.WithoutSecurityManager
-@SuppressForbidden(reason = "requires java.io.File for netty self-signed certificate")
 public class SecurityNetty4TransportCloseNotifyIT extends SecurityIntegTestCase {
 
  @Override
@@ -60,17 +56,9 @@ protected boolean addMockHttpTransport() {
 
  @Override
  protected Settings nodeSettings(int nodeOrdinal, Settings otherSettings) {
- try {
- var ssc = new SelfSignedCertificate();
- return Settings.builder()
- .put(super.nodeSettings(nodeOrdinal, otherSettings))
- .put("xpack.security.http.ssl.enabled", true)
- .put("xpack.security.http.ssl.key", ssc.privateKey().getPath())
- .put("xpack.security.http.ssl.certificate", ssc.certificate().getPath())
- .build();
- } catch (Exception e) {
- throw new RuntimeException(e);
- }
+ final Settings.Builder builder = Settings.builder().put(super.nodeSettings(nodeOrdinal, otherSettings));
+ addSSLSettingsForNodePEMFiles(builder, "xpack.security.http.", randomBoolean());
+ return builder.put("xpack.security.http.ssl.enabled", true).build();
  }
 
  @Override

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SecurityNetty4HttpServerTransportCloseNotifyTests.java

@@ -25,11 +25,9 @@
 import io.netty.handler.ssl.SslContextBuilder;
 import io.netty.handler.ssl.SslHandler;
 import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
-import io.netty.handler.ssl.util.SelfSignedCertificate;
 import io.netty.util.concurrent.Future;
 
 import org.elasticsearch.common.network.NetworkService;
-import org.elasticsearch.common.settings.MockSecureSettings;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
 import org.elasticsearch.core.SuppressForbidden;
@@ -62,6 +60,8 @@
 
 import javax.net.ssl.SSLException;
 
+import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForNodePEMFiles;
+
 @ESTestCase.WithoutSecurityManager
 @SuppressForbidden(reason = "requires java.io.File for netty self-signed certificate")
 public class SecurityNetty4HttpServerTransportCloseNotifyTests extends AbstractHttpServerTransportTestCase {
@@ -93,17 +93,12 @@ private static <T> void safeAwait(Future<T> nettyFuture) {
  * The server will not reply to request automatically, to send response poll the queue.
  */
  private HttpServer setupHttpServer(String tlsProtocols) throws CertificateException {
- var ssc = new SelfSignedCertificate();
  var threadPool = new TestThreadPool("tls-close-notify");
  var dispatcher = new QueuedDispatcher();
- var secureSettings = new MockSecureSettings();
- secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode");
- var settings = Settings.builder()
- .put("xpack.security.http.ssl.enabled", true)
- .put("xpack.security.http.ssl.key", ssc.privateKey().getPath())
- .put("xpack.security.http.ssl.certificate", ssc.certificate().getPath())
+ final Settings.Builder builder = Settings.builder();
+ addSSLSettingsForNodePEMFiles(builder, "xpack.security.http.", randomBoolean());
+ var settings = builder.put("xpack.security.http.ssl.enabled", true)
  .put("path.home", createTempDir())
- .setSecureSettings(secureSettings)
  .put("xpack.security.http.ssl.supported_protocols", tlsProtocols)
  .build();
  var env = TestEnvironment.newEnvironment(settings);