
Example 76 with UserException

Use of org.opensearch.cli.UserException in the OpenSearch project (opensearch-project).

From the class KeyStoreWrapper, the method save (shown with the imports it relies on):

import java.nio.file.AccessDeniedException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.nio.file.attribute.PosixFileAttributeView;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.SecureRandom;
import java.util.Locale;

import org.apache.lucene.backward_codecs.store.EndiannessReverserUtil;
import org.apache.lucene.codecs.CodecUtil;
import org.apache.lucene.store.IOContext;
import org.apache.lucene.store.IndexOutput;
import org.apache.lucene.store.NIOFSDirectory;
import org.opensearch.cli.ExitCodes;
import org.opensearch.cli.UserException;
import org.opensearch.common.Randomness;

/**
 * Write the keystore to the given config directory.
 *
 * On-disk layout: Lucene codec header, a one-byte "has password" flag,
 * then a length-prefixed data block holding the salt, the IV and the
 * encrypted payload, followed by the Lucene codec footer (checksum).
 */
public synchronized void save(Path configDir, char[] password) throws Exception {
    ensureOpen();
    NIOFSDirectory directory = new NIOFSDirectory(configDir);
    // write to tmp file first, then overwrite
    String tmpFile = KEYSTORE_FILENAME + ".tmp";
    try (IndexOutput output = EndiannessReverserUtil.createOutput(directory, tmpFile, IOContext.DEFAULT)) {
        CodecUtil.writeHeader(output, KEYSTORE_FILENAME, FORMAT_VERSION);
        // flag byte: 1 if the keystore is password protected, 0 otherwise
        output.writeByte(password.length == 0 ? (byte) 0 : (byte) 1);
        // new cipher params: a fresh salt and IV are generated on every save
        SecureRandom random = Randomness.createSecure();
        // use 64 bytes salt, which surpasses that recommended by OWASP
        // see https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
        byte[] salt = new byte[64];
        random.nextBytes(salt);
        // use 96 bits (12 bytes) for IV as recommended by NIST
        // see http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf section 5.2.1.1
        byte[] iv = new byte[12];
        random.nextBytes(iv);
        // encrypted data
        byte[] encryptedBytes = encrypt(password, salt, iv);
        // size of data block: three length prefixes plus the three byte arrays
        output.writeInt(4 + salt.length + 4 + iv.length + 4 + encryptedBytes.length);
        output.writeInt(salt.length);
        output.writeBytes(salt, salt.length);
        output.writeInt(iv.length);
        output.writeBytes(iv, iv.length);
        output.writeInt(encryptedBytes.length);
        output.writeBytes(encryptedBytes, encryptedBytes.length);
        // footer carries the checksum that readers verify on load
        CodecUtil.writeFooter(output);
    } catch (final AccessDeniedException e) {
        final String message = String.format(
            Locale.ROOT,
            "unable to create temporary keystore at [%s], write permissions required for [%s] or run [opensearch-keystore upgrade]",
            configDir.resolve(tmpFile),
            configDir
        );
        throw new UserException(ExitCodes.CONFIG, message, e);
    }
    Path keystoreFile = keystorePath(configDir);
    // atomic rename: readers never observe a partially written keystore
    Files.move(configDir.resolve(tmpFile), keystoreFile, StandardCopyOption.REPLACE_EXISTING, StandardCopyOption.ATOMIC_MOVE);
    PosixFileAttributeView attrs = Files.getFileAttributeView(keystoreFile, PosixFileAttributeView.class);
    if (attrs != null) {
        // don't rely on umask: ensure the keystore has minimal permissions
        attrs.setPermissions(PosixFilePermissions.fromString("rw-rw----"));
    }
}
