Example 1 with KeyStoreWrapper

Use of org.opensearch.common.settings.KeyStoreWrapper in project OpenSearch by opensearch-project.

From the class BootstrapTests, method testLoadSecureSettings.

public void testLoadSecureSettings() throws Exception {
    final Path configPath = env.configFile();
    final SecureString seed;
    try (KeyStoreWrapper keyStoreWrapper = KeyStoreWrapper.create()) {
        seed = KeyStoreWrapper.SEED_SETTING.get(Settings.builder().setSecureSettings(keyStoreWrapper).build());
        assertNotNull(seed);
        assertTrue(seed.length() > 0);
        keyStoreWrapper.save(configPath, new char[0]);
    }
    assertTrue(Files.exists(configPath.resolve("opensearch.keystore")));
    try (SecureSettings secureSettings = Bootstrap.loadSecureSettings(env)) {
        SecureString seedAfterLoad = KeyStoreWrapper.SEED_SETTING.get(Settings.builder().setSecureSettings(secureSettings).build());
        assertEquals(seedAfterLoad.toString(), seed.toString());
        assertTrue(Files.exists(configPath.resolve("opensearch.keystore")));
    }
}
Also used : Path(java.nio.file.Path) SecureSettings(org.opensearch.common.settings.SecureSettings) KeyStoreWrapper(org.opensearch.common.settings.KeyStoreWrapper) SecureString(org.opensearch.common.settings.SecureString)

Example 2 with KeyStoreWrapper

Use of org.opensearch.common.settings.KeyStoreWrapper in project OpenSearch by opensearch-project.

From the class TransportNodesReloadSecureSettingsAction, method nodeOperation.

@Override
protected NodesReloadSecureSettingsResponse.NodeResponse nodeOperation(NodeRequest nodeReloadRequest) {
    final NodesReloadSecureSettingsRequest request = nodeReloadRequest.request;
    // We default to using an empty string as the keystore password so that we mimic pre 7.3 API behavior
    final SecureString secureSettingsPassword = request.hasPassword() ? request.getSecureSettingsPassword() : new SecureString(new char[0]);
    try (KeyStoreWrapper keystore = KeyStoreWrapper.load(environment.configFile())) {
        // reread keystore from config file
        if (keystore == null) {
            return new NodesReloadSecureSettingsResponse.NodeResponse(clusterService.localNode(), new IllegalStateException("Keystore is missing"));
        }
        // decrypt the keystore using the password from the request
        keystore.decrypt(secureSettingsPassword.getChars());
        // add the keystore to the original node settings object
        final Settings settingsWithKeystore = Settings.builder().put(environment.settings(), false).setSecureSettings(keystore).build();
        final List<Exception> exceptions = new ArrayList<>();
        // broadcast the new settings object (with the open embedded keystore) to all reloadable plugins
        pluginsService.filterPlugins(ReloadablePlugin.class).stream().forEach(p -> {
            try {
                p.reload(settingsWithKeystore);
            } catch (final Exception e) {
                logger.warn((Supplier<?>) () -> new ParameterizedMessage("Reload failed for plugin [{}]", p.getClass().getSimpleName()), e);
                exceptions.add(e);
            }
        });
        ExceptionsHelper.rethrowAndSuppress(exceptions);
        return new NodesReloadSecureSettingsResponse.NodeResponse(clusterService.localNode(), null);
    } catch (final Exception e) {
        return new NodesReloadSecureSettingsResponse.NodeResponse(clusterService.localNode(), e);
    } finally {
        secureSettingsPassword.close();
    }
}
Also used : ArrayList(java.util.ArrayList) OpenSearchException(org.opensearch.OpenSearchException) FailedNodeException(org.opensearch.action.FailedNodeException) IOException(java.io.IOException) Supplier(org.apache.logging.log4j.util.Supplier) ParameterizedMessage(org.apache.logging.log4j.message.ParameterizedMessage) KeyStoreWrapper(org.opensearch.common.settings.KeyStoreWrapper) SecureString(org.opensearch.common.settings.SecureString) Settings(org.opensearch.common.settings.Settings)

Example 3 with KeyStoreWrapper

Use of org.opensearch.common.settings.KeyStoreWrapper in project OpenSearch by opensearch-project.

From the class UpgradeCliTests, method assertKeystoreImported.

private void assertKeystoreImported(String passwd) throws IOException, GeneralSecurityException {
    // assert keystore is created
    KeyStoreWrapper keystore = KeyStoreWrapper.load(env.configFile());
    assertNotNull(keystore);
    // assert all keystore settings are imported
    keystore.decrypt(passwd.toCharArray());
    assertThat(keystore.getSettingNames(), hasItems(KeyStoreWrapper.SEED_SETTING.getKey(), "test.setting.key", "test.setting.file"));
    assertThat(keystore.getString("test.setting.key").toString(), is("test.setting.value"));
    InputStream is = keystore.getFile("test.setting.file");
    byte[] bytes = new byte[is.available()];
    assertThat(is.read(bytes), greaterThan(0));
    String actual = StandardCharsets.UTF_8.decode(ByteBuffer.wrap(bytes)).toString();
    String expected = "{\"some_key\": \"some_val\"}";
    assertThat(actual, is(expected));
}
Also used : InputStream(java.io.InputStream) KeyStoreWrapper(org.opensearch.common.settings.KeyStoreWrapper)

Example 4 with KeyStoreWrapper

Use of org.opensearch.common.settings.KeyStoreWrapper in project OpenSearch by opensearch-project.

From the class ImportKeystoreTask, method accept.

@Override
public void accept(final Tuple<TaskInput, Terminal> input) {
    final TaskInput taskInput = input.v1();
    final Terminal terminal = input.v2();
    SecureString keyStorePassword = new SecureString(new char[0]);
    try {
        terminal.println("Importing keystore settings ...");
        final KeyStoreWrapper esKeystore = KeyStoreWrapper.load(taskInput.getEsConfig(), ES_KEYSTORE_FILENAME);
        if (esKeystore == null) {
            terminal.println("No elasticsearch keystore settings to import.");
            return;
        }
        KeyStoreWrapper openSearchKeystore = KeyStoreWrapper.load(taskInput.getOpenSearchConfig().resolve(OPENSEARCH_KEYSTORE_FILENAME));
        if (openSearchKeystore == null) {
            openSearchKeystore = KeyStoreWrapper.create();
        }
        if (esKeystore.hasPassword()) {
            final char[] passwordArray = terminal.readSecret("Enter password for the elasticsearch keystore : ");
            keyStorePassword = new SecureString(passwordArray);
        }
        esKeystore.decrypt(keyStorePassword.getChars());
        for (String setting : esKeystore.getSettingNames()) {
            if (setting.equals("keystore.seed")) {
                continue;
            }
            if (!openSearchKeystore.getSettingNames().contains(setting)) {
                InputStream settingIS = esKeystore.getFile(setting);
                byte[] bytes = new byte[settingIS.available()];
                settingIS.read(bytes);
                KeystoreWrapperUtil.saveSetting(openSearchKeystore, setting, bytes);
            }
        }
        openSearchKeystore.save(taskInput.getOpenSearchConfig(), keyStorePassword.getChars());
        terminal.println("Success!" + System.lineSeparator());
    } catch (Exception e) {
        throw new RuntimeException("Error importing keystore settings from elasticsearch, " + e);
    } finally {
        keyStorePassword.close();
    }
}
Also used : InputStream(java.io.InputStream) KeyStoreWrapper(org.opensearch.common.settings.KeyStoreWrapper) SecureString(org.opensearch.common.settings.SecureString) Terminal(org.opensearch.cli.Terminal)

Example 5 with KeyStoreWrapper

Use of org.opensearch.common.settings.KeyStoreWrapper in project OpenSearch by opensearch-project.

From the class Bootstrap, method loadSecureSettings.

static SecureSettings loadSecureSettings(Environment initialEnv) throws BootstrapException {
    final KeyStoreWrapper keystore;
    try {
        // load() returns null when no keystore file exists in the config directory
        keystore = KeyStoreWrapper.load(initialEnv.configFile());
    } catch (IOException e) {
        throw new BootstrapException(e);
    }
    SecureString password;
    try {
        // only read a passphrase from stdin when the keystore is password-protected
        if (keystore != null && keystore.hasPassword()) {
            password = readPassphrase(System.in, KeyStoreAwareCommand.MAX_PASSPHRASE_LENGTH);
        } else {
            password = new SecureString(new char[0]);
        }
    } catch (IOException e) {
        throw new BootstrapException(e);
    }
    try {
        if (keystore == null) {
            // no keystore on disk: create one and save it with an empty password
            final KeyStoreWrapper keyStoreWrapper = KeyStoreWrapper.create();
            keyStoreWrapper.save(initialEnv.configFile(), new char[0]);
            return keyStoreWrapper;
        } else {
            // decrypt with the supplied passphrase before handing the keystore to upgrade()
            keystore.decrypt(password.getChars());
            KeyStoreWrapper.upgrade(keystore, initialEnv.configFile(), password.getChars());
        }
    } catch (Exception e) {
        throw new BootstrapException(e);
    } finally {
        // release the passphrase on every path, including failures
        password.close();
    }
    return keystore;
}
Also used : KeyStoreWrapper(org.opensearch.common.settings.KeyStoreWrapper) IOException(java.io.IOException) SecureString(org.opensearch.common.settings.SecureString) UserException(org.opensearch.cli.UserException) CreationException(org.opensearch.common.inject.CreationException) URISyntaxException(java.net.URISyntaxException) OpenSearchException(org.opensearch.OpenSearchException) NodeValidationException(org.opensearch.node.NodeValidationException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) UnsupportedEncodingException(java.io.UnsupportedEncodingException)