Example 76 with UserException
use of org.opensearch.cli.UserException in project OpenSearch by opensearch-project.
the class KeyStoreWrapper method save.
/**
* Write the keystore to the given config directory.
*/
public synchronized void save(Path configDir, char[] password) throws Exception {
ensureOpen();
NIOFSDirectory directory = new NIOFSDirectory(configDir);
// write to tmp file first, then overwrite
String tmpFile = KEYSTORE_FILENAME + ".tmp";
try (IndexOutput output = EndiannessReverserUtil.createOutput(directory, tmpFile, IOContext.DEFAULT)) {
CodecUtil.writeHeader(output, KEYSTORE_FILENAME, FORMAT_VERSION);
output.writeByte(password.length == 0 ? (byte) 0 : (byte) 1);
// new cipher params
SecureRandom random = Randomness.createSecure();
// use 64 bytes salt, which surpasses that recommended by OWASP
// see https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
byte[] salt = new byte[64];
random.nextBytes(salt);
// use 96 bits (12 bytes) for IV as recommended by NIST
// see http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf section 5.2.1.1
byte[] iv = new byte[12];
random.nextBytes(iv);
// encrypted data
byte[] encryptedBytes = encrypt(password, salt, iv);
// size of data block
output.writeInt(4 + salt.length + 4 + iv.length + 4 + encryptedBytes.length);
output.writeInt(salt.length);
output.writeBytes(salt, salt.length);
output.writeInt(iv.length);
output.writeBytes(iv, iv.length);
output.writeInt(encryptedBytes.length);
output.writeBytes(encryptedBytes, encryptedBytes.length);
CodecUtil.writeFooter(output);
} catch (final AccessDeniedException e) {
final String message = String.format(Locale.ROOT, "unable to create temporary keystore at [%s], write permissions required for [%s] or run [opensearch-keystore upgrade]", configDir.resolve(tmpFile), configDir);
throw new UserException(ExitCodes.CONFIG, message, e);
}
Path keystoreFile = keystorePath(configDir);
Files.move(configDir.resolve(tmpFile), keystoreFile, StandardCopyOption.REPLACE_EXISTING, StandardCopyOption.ATOMIC_MOVE);
PosixFileAttributeView attrs = Files.getFileAttributeView(keystoreFile, PosixFileAttributeView.class);
if (attrs != null) {
// don't rely on umask: ensure the keystore has minimal permissions
attrs.setPermissions(PosixFilePermissions.fromString("rw-rw----"));
}
}
Also used :
Path(java.nio.file.Path)
NIOFSDirectory(org.apache.lucene.store.NIOFSDirectory)
AccessDeniedException(java.nio.file.AccessDeniedException)
SecureRandom(java.security.SecureRandom)
IndexOutput(org.apache.lucene.store.IndexOutput)
UserException(org.opensearch.cli.UserException)
PosixFileAttributeView(java.nio.file.attribute.PosixFileAttributeView)
Aggregations
UserException (org.opensearch.cli.UserException)76
Path (java.nio.file.Path)44
Matchers.containsString (org.hamcrest.Matchers.containsString)38
Environment (org.opensearch.env.Environment)29
Matchers.hasToString (org.hamcrest.Matchers.hasToString)25
TestEnvironment (org.opensearch.env.TestEnvironment)25
IOException (java.io.IOException)16
Settings (org.opensearch.common.settings.Settings)16
ArrayList (java.util.ArrayList)12
BufferedReader (java.io.BufferedReader)11
Files (java.nio.file.Files)11
MockTerminal (org.opensearch.cli.MockTerminal)11
OpenSearchTestCase (org.opensearch.test.OpenSearchTestCase)11
InputStream (java.io.InputStream)10
List (java.util.List)10
Collectors (java.util.stream.Collectors)10
Terminal (org.opensearch.cli.Terminal)10
Tuple (org.opensearch.common.collect.Tuple)10
StringReader (java.io.StringReader)9
URL (java.net.URL)9
