Move TransportGetLicenseAction to SAME Threadpool (#80993)

This is motivated by a number of recent SDHs that had these transport actions
queue up on the manangement pool. These were not the reason for the blockage on
the managment queue, but they are often sent at a high rate by Beats in the same
scenarios that see a high rate of stats requests from Beats.
Moving them off of the management pool at least makes sure that we don't get Beats
retrying them over and over on slowness and generally saves some resources by
avoiding ctx switches and having these requests live for longer than necessary.

There's no point in running this on the management pool. It should have
already been fast enough for SAME with the exception of reading the public key
from disk maybe. Made it so the public key is just a constant and doesn't have
to be read+deserialized over and over and also cached the verified property for
a `License` instance so it should never have to be computed in practice anyway.

Author: original-brownbear

x-pack/license-tools/src/main/java/org/elasticsearch/license/licensor/tools/LicenseVerificationTool.java

@@ -17,6 +17,7 @@
 import org.elasticsearch.common.cli.LoggingAwareCommand;
 import org.elasticsearch.core.PathUtils;
 import org.elasticsearch.core.SuppressForbidden;
+import org.elasticsearch.license.CryptUtils;
 import org.elasticsearch.license.License;
 import org.elasticsearch.license.LicenseVerifier;
 import org.elasticsearch.xcontent.ToXContent;
@@ -70,7 +71,7 @@ protected void execute(Terminal terminal, OptionSet options) throws Exception {
         }
 
         // verify
-        if (LicenseVerifier.verifyLicense(licenseSpec, Files.readAllBytes(publicKeyPath)) == false) {
+        if (LicenseVerifier.verifyLicense(licenseSpec, CryptUtils.readPublicKey(Files.readAllBytes(publicKeyPath))) == false) {
             throw new UserException(ExitCodes.DATA_ERROR, "Invalid License!");
         }
         XContentBuilder builder = XContentFactory.contentBuilder(XContentType.JSON);

x-pack/license-tools/src/test/java/org/elasticsearch/license/licensor/LicenseVerificationTests.java

@@ -7,6 +7,7 @@
 package org.elasticsearch.license.licensor;
 
 import org.elasticsearch.core.TimeValue;
+import org.elasticsearch.license.CryptUtils;
 import org.elasticsearch.license.DateUtils;
 import org.elasticsearch.license.License;
 import org.elasticsearch.license.LicenseVerifier;
@@ -16,28 +17,32 @@
 
 import java.nio.file.Files;
 import java.nio.file.Path;
+import java.security.PublicKey;
 
 public class LicenseVerificationTests extends ESTestCase {
 
     protected Path pubKeyPath = null;
+    protected PublicKey publicKey;
     protected Path priKeyPath = null;
 
     @Before
     public void setup() throws Exception {
         pubKeyPath = getDataPath("/public.key");
+        publicKey = CryptUtils.readPublicKey(Files.readAllBytes(pubKeyPath));
         priKeyPath = getDataPath("/private.key");
     }
 
     @After
     public void cleanUp() {
         pubKeyPath = null;
+        publicKey = null;
         priKeyPath = null;
     }
 
     public void testGeneratedLicenses() throws Exception {
         final TimeValue fortyEightHours = TimeValue.timeValueHours(2 * 24);
         final License license = TestUtils.generateSignedLicense(fortyEightHours, pubKeyPath, priKeyPath);
-        assertTrue(LicenseVerifier.verifyLicense(license, Files.readAllBytes(pubKeyPath)));
+        assertTrue(LicenseVerifier.verifyLicense(license, publicKey));
     }
 
     public void testLicenseTampering() throws Exception {
@@ -50,15 +55,15 @@ public void testLicenseTampering() throws Exception {
             .validate()
             .build();
 
-        assertFalse(LicenseVerifier.verifyLicense(tamperedLicense, Files.readAllBytes(pubKeyPath)));
+        assertFalse(LicenseVerifier.verifyLicense(tamperedLicense, publicKey));
     }
 
     public void testRandomLicenseVerification() throws Exception {
         TestUtils.LicenseSpec licenseSpec = TestUtils.generateRandomLicenseSpec(
             randomIntBetween(License.VERSION_START, License.VERSION_CURRENT)
         );
         License generatedLicense = generateSignedLicense(licenseSpec, pubKeyPath, priKeyPath);
-        assertTrue(LicenseVerifier.verifyLicense(generatedLicense, Files.readAllBytes(pubKeyPath)));
+        assertTrue(LicenseVerifier.verifyLicense(generatedLicense, publicKey));
     }
 
     private static License generateSignedLicense(TestUtils.LicenseSpec spec, Path pubKeyPath, Path priKeyPath) throws Exception {

x-pack/plugin/core/src/main/java/org/elasticsearch/license/License.java

@@ -471,6 +471,24 @@ private static void validateLimits(String type, int maxNodes, int maxResourceUni
         }
     }
 
+    private Boolean isVerified;
+
+    public boolean verified() {
+        final Boolean v = isVerified;
+        if (v != null) {
+            return v;
+        }
+        final boolean verified = doVerify();
+        this.isVerified = verified;
+        return verified;
+    }
+
+    private boolean doVerify() {
+        boolean autoGeneratedLicense = License.isAutoGeneratedLicense(signature());
+        return (autoGeneratedLicense && SelfGeneratedLicense.verify(this))
+            || (autoGeneratedLicense == false && LicenseVerifier.verifyLicense(this));
+    }
+
     public static License readLicense(StreamInput in) throws IOException {
         int version = in.readVInt(); // Version for future extensibility
         if (version > VERSION_CURRENT) {

x-pack/plugin/core/src/main/java/org/elasticsearch/license/LicenseService.java

@@ -23,11 +23,11 @@
 import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.time.DateFormatter;
+import org.elasticsearch.core.Nullable;
 import org.elasticsearch.core.TimeValue;
 import org.elasticsearch.env.Environment;
 import org.elasticsearch.gateway.GatewayService;
 import org.elasticsearch.protocol.xpack.XPackInfoResponse;
-import org.elasticsearch.protocol.xpack.license.DeleteLicenseRequest;
 import org.elasticsearch.protocol.xpack.license.LicensesStatus;
 import org.elasticsearch.protocol.xpack.license.PutLicenseResponse;
 import org.elasticsearch.threadpool.ThreadPool;
@@ -110,7 +110,7 @@ public class LicenseService extends AbstractLifecycleComponent implements Cluste
      * Currently active license
      */
     private final AtomicReference<License> currentLicense = new AtomicReference<>();
-    private SchedulerEngine scheduler;
+    private final SchedulerEngine scheduler;
     private final Clock clock;
 
     /**
@@ -121,7 +121,7 @@ public class LicenseService extends AbstractLifecycleComponent implements Cluste
     /**
      * Callbacks to notify relative to license expiry
      */
-    private List<ExpirationCallback> expirationCallbacks = new ArrayList<>();
+    private final List<ExpirationCallback> expirationCallbacks = new ArrayList<>();
 
     /**
      * Which license types are permitted to be uploaded to the cluster
@@ -362,7 +362,7 @@ public void triggered(SchedulerEngine.Event event) {
     /**
      * Remove license from the cluster state metadata
      */
-    public void removeLicense(final DeleteLicenseRequest request, final ActionListener<PostStartBasicResponse> listener) {
+    public void removeLicense(final ActionListener<PostStartBasicResponse> listener) {
         final PostStartBasicRequest startBasicRequest = new PostStartBasicRequest().acknowledge(true);
         clusterService.submitStateUpdateTask(
             "delete license",
@@ -609,15 +609,13 @@ public static License getLicense(final Metadata metadata) {
         return getLicense(licensesMetadata);
     }
 
-    static License getLicense(final LicensesMetadata metadata) {
+    static License getLicense(@Nullable final LicensesMetadata metadata) {
         if (metadata != null) {
             License license = metadata.getLicense();
             if (license == LicensesMetadata.LICENSE_TOMBSTONE) {
                 return license;
             } else if (license != null) {
-                boolean autoGeneratedLicense = License.isAutoGeneratedLicense(license.signature());
-                if ((autoGeneratedLicense && SelfGeneratedLicense.verify(license))
-                    || (autoGeneratedLicense == false && LicenseVerifier.verifyLicense(license))) {
+                if (license.verified()) {
                     return license;
                 }
             }

x-pack/plugin/core/src/main/java/org/elasticsearch/license/LicenseVerifier.java

@@ -21,6 +21,7 @@
 import java.nio.ByteBuffer;
 import java.security.InvalidKeyException;
 import java.security.NoSuchAlgorithmException;
+import java.security.PublicKey;
 import java.security.Signature;
 import java.security.SignatureException;
 import java.util.Arrays;
@@ -38,7 +39,7 @@ public class LicenseVerifier {
      * @param license to verify
      * @return true if valid, false otherwise
      */
-    public static boolean verifyLicense(final License license, byte[] publicKeyData) {
+    public static boolean verifyLicense(final License license, PublicKey publicKey) {
         byte[] signedContent = null;
         byte[] publicKeyFingerprint = null;
         try {
@@ -58,7 +59,7 @@ public static boolean verifyLicense(final License license, byte[] publicKeyData)
             XContentBuilder contentBuilder = XContentFactory.contentBuilder(XContentType.JSON);
             license.toXContent(contentBuilder, new ToXContent.MapParams(Collections.singletonMap(License.LICENSE_SPEC_VIEW_MODE, "true")));
             Signature rsa = Signature.getInstance("SHA512withRSA");
-            rsa.initVerify(CryptUtils.readPublicKey(publicKeyData));
+            rsa.initVerify(publicKey);
             BytesRefIterator iterator = BytesReference.bytes(contentBuilder).iterator();
             BytesRef ref;
             while ((ref = iterator.next()) != null) {
@@ -74,15 +75,19 @@ public static boolean verifyLicense(final License license, byte[] publicKeyData)
         }
     }
 
-    public static boolean verifyLicense(final License license) {
-        final byte[] publicKeyBytes;
+    private static final PublicKey PUBLIC_KEY;
+
+    static {
         try (InputStream is = LicenseVerifier.class.getResourceAsStream("/public.key")) {
             ByteArrayOutputStream out = new ByteArrayOutputStream();
             Streams.copy(is, out);
-            publicKeyBytes = out.toByteArray();
-        } catch (IOException ex) {
-            throw new IllegalStateException(ex);
+            PUBLIC_KEY = CryptUtils.readPublicKey(out.toByteArray());
+        } catch (IOException e) {
+            throw new AssertionError("key file is part of the source and must deserialize correctly", e);
         }
-        return verifyLicense(license, publicKeyBytes);
+    }
+
+    public static boolean verifyLicense(final License license) {
+        return verifyLicense(license, PUBLIC_KEY);
     }
 }

x-pack/plugin/core/src/main/java/org/elasticsearch/license/LicensesMetadata.java

@@ -52,7 +52,7 @@ public class LicensesMetadata extends AbstractNamedDiffable<Metadata.Custom>
         .expiryDate(0)
         .build();
 
-    private License license;
+    private final License license;
 
     // This field describes the version of x-pack for which this cluster has exercised a trial. If the field
     // is null, then no trial has been exercised. We keep the version to leave open the possibility that we

x-pack/plugin/core/src/main/java/org/elasticsearch/license/TransportDeleteLicenseAction.java

@@ -61,7 +61,6 @@ protected void masterOperation(
         final ActionListener<AcknowledgedResponse> listener
     ) throws ElasticsearchException {
         licenseService.removeLicense(
-            request,
             listener.delegateFailure(
                 (l, postStartBasicResponse) -> l.onResponse(AcknowledgedResponse.of(postStartBasicResponse.isAcknowledged()))
             )

x-pack/plugin/core/src/main/java/org/elasticsearch/license/TransportGetLicenseAction.java

@@ -23,13 +23,10 @@
 
 public class TransportGetLicenseAction extends TransportMasterNodeReadAction<GetLicenseRequest, GetLicenseResponse> {
 
-    private final LicenseService licenseService;
-
     @Inject
     public TransportGetLicenseAction(
         TransportService transportService,
         ClusterService clusterService,
-        LicenseService licenseService,
         ThreadPool threadPool,
         ActionFilters actionFilters,
         IndexNameExpressionResolver indexNameExpressionResolver
@@ -43,9 +40,8 @@ public TransportGetLicenseAction(
             GetLicenseRequest::new,
             indexNameExpressionResolver,
             GetLicenseResponse::new,
-            ThreadPool.Names.MANAGEMENT
+            ThreadPool.Names.SAME
         );
-        this.licenseService = licenseService;
     }
 
     @Override
@@ -60,6 +56,6 @@ protected void masterOperation(
         ClusterState state,
         final ActionListener<GetLicenseResponse> listener
     ) throws ElasticsearchException {
-        listener.onResponse(new GetLicenseResponse(licenseService.getLicense()));
+        listener.onResponse(new GetLicenseResponse(LicenseService.getLicense(state.metadata())));
     }
 }

x-pack/plugin/core/src/test/java/org/elasticsearch/license/LicensesManagerServiceTests.java

@@ -11,7 +11,6 @@
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.core.TimeValue;
 import org.elasticsearch.plugins.Plugin;
-import org.elasticsearch.protocol.xpack.license.DeleteLicenseRequest;
 import org.elasticsearch.protocol.xpack.license.LicensesStatus;
 import org.elasticsearch.test.ESSingleNodeTestCase;
 import org.elasticsearch.xpack.core.LocalStateCompositeXPackPlugin;
@@ -125,7 +124,7 @@ public void testRemoveLicenses() throws Exception {
     private void removeAndAckSignedLicenses(final LicenseService licenseService) {
         final CountDownLatch latch = new CountDownLatch(1);
         final AtomicBoolean success = new AtomicBoolean(false);
-        licenseService.removeLicense(new DeleteLicenseRequest(), new ActionListener<PostStartBasicResponse>() {
+        licenseService.removeLicense(new ActionListener<PostStartBasicResponse>() {
             @Override
             public void onResponse(PostStartBasicResponse postStartBasicResponse) {
                 if (postStartBasicResponse.isAcknowledged()) {