Add default SecureAuxTransportParameters.

finnegancarroll · finnegancarroll · commit a07c01b267fe · 2025-04-08T15:47:10.000-07:00
Default client auth to required as it is most restrictive.
Default cipher suites to empty - Use netty defaults.

Signed-off-by: Finn Carroll &lt;carrofin@amazon.com&gt;
diff --git a/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/ssl/SecureNetty4GrpcServerTransport.java b/plugins/transport-grpc/src/main/java/org/opensearch/transport/grpc/ssl/SecureNetty4GrpcServerTransport.java
@@ -18,8 +18,10 @@
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLException;
 
+import java.util.Collection;
 import java.util.List;
 import java.util.Locale;
+import java.util.Optional;
 
 import io.grpc.BindableService;
 import io.grpc.netty.shaded.io.grpc.netty.NettyServerBuilder;
@@ -48,6 +50,22 @@ public class SecureNetty4GrpcServerTransport extends Netty4GrpcServerTransport {
         GRPC_SECURE_TRANSPORT_SETTING_KEY
     );
 
+    /**
+     * In the case no SecureAuxTransportParameters restrict client auth mode to REQUIRE.
+     * Assume no enabled cipher suites. Allow ssl context implementation to select defaults.
+     */
+    private static class DefaultParameters implements SecureAuxTransportSettingsProvider.SecureAuxTransportParameters {
+        @Override
+        public Optional<String> clientAuth() {
+            return Optional.of(ClientAuth.REQUIRE.name());
+        }
+
+        @Override
+        public Collection<String> cipherSuites() {
+            return List.of();
+        }
+    }
+
     /**
      * Creates a new SecureNetty4GrpcServerTransport instance and inject a SecureAuxTransportSslContext
      * into the NettyServerBuilder config to enable TLS on the server.
@@ -75,8 +93,7 @@ public SecureNetty4GrpcServerTransport(
 
     private JdkSslContext getSslContext(Settings settings, SecureAuxTransportSettingsProvider provider) throws SSLException {
         SSLContext sslContext = provider.buildSecureAuxServerTransportContext(settings, this).orElseThrow(IllegalArgumentException::new);
-        SecureAuxTransportSettingsProvider.SecureAuxTransportParameters params = provider.parameters()
-            .orElseThrow(IllegalArgumentException::new);
+        SecureAuxTransportSettingsProvider.SecureAuxTransportParameters params = provider.parameters().orElseGet(DefaultParameters::new);
         ClientAuth clientAuth = ClientAuth.valueOf(params.clientAuth().orElseThrow().toUpperCase(Locale.ROOT));
         return new JdkSslContext(
             sslContext,
