use of org.opensearch.common.settings.KeyStoreWrapper in project OpenSearch by opensearch-project.
the class BootstrapTests method testLoadSecureSettings.
/**
 * Round-trips the keystore seed: a freshly created keystore is saved to the config directory
 * with an empty password, then read back through {@code Bootstrap.loadSecureSettings}, and the
 * seed obtained after loading must equal the one generated at creation time.
 */
public void testLoadSecureSettings() throws Exception {
    final Path configDir = env.configFile();
    final SecureString originalSeed;
    try (KeyStoreWrapper created = KeyStoreWrapper.create()) {
        final Settings createdSettings = Settings.builder().setSecureSettings(created).build();
        originalSeed = KeyStoreWrapper.SEED_SETTING.get(createdSettings);
        assertNotNull(originalSeed);
        assertTrue(originalSeed.length() > 0);
        // An empty char[] means the keystore file is written without password protection.
        created.save(configDir, new char[0]);
    }
    assertTrue(Files.exists(configDir.resolve("opensearch.keystore")));
    try (SecureSettings loaded = Bootstrap.loadSecureSettings(env)) {
        final Settings loadedSettings = Settings.builder().setSecureSettings(loaded).build();
        final SecureString reloadedSeed = KeyStoreWrapper.SEED_SETTING.get(loadedSettings);
        assertEquals(reloadedSeed.toString(), originalSeed.toString());
        // Loading must leave the keystore file in place.
        assertTrue(Files.exists(configDir.resolve("opensearch.keystore")));
    }
}
use of org.opensearch.common.settings.KeyStoreWrapper in project OpenSearch by opensearch-project.
the class TransportNodesReloadSecureSettingsAction method nodeOperation.
/**
 * Re-reads the keystore from this node's config directory, decrypts it with the password
 * carried by the request, and hands the resulting settings to every reloadable plugin.
 *
 * <p>Failures are never thrown to the caller: a missing keystore, a decryption failure or any
 * plugin reload failure is returned inside the node response. The password is closed in the
 * {@code finally} block and the keystore is closed by the try-with-resources on every path.
 *
 * @param nodeReloadRequest the per-node wrapper around the reload request
 * @return a node response carrying {@code null} on success or the exception that occurred
 */
@Override
protected NodesReloadSecureSettingsResponse.NodeResponse nodeOperation(NodeRequest nodeReloadRequest) {
    final NodesReloadSecureSettingsRequest request = nodeReloadRequest.request;
    // A request without a password falls back to an empty one, mimicking the pre 7.3 API behavior.
    final SecureString secureSettingsPassword;
    if (request.hasPassword()) {
        secureSettingsPassword = request.getSecureSettingsPassword();
    } else {
        secureSettingsPassword = new SecureString(new char[0]);
    }
    // The keystore is read afresh from the config file on every reload.
    try (KeyStoreWrapper keystore = KeyStoreWrapper.load(environment.configFile())) {
        if (keystore == null) {
            return new NodesReloadSecureSettingsResponse.NodeResponse(clusterService.localNode(), new IllegalStateException("Keystore is missing"));
        }
        // A wrong password surfaces here as an exception and is reported via the outer catch.
        keystore.decrypt(secureSettingsPassword.getChars());
        // Layer the opened keystore on top of the node's original settings.
        final Settings settingsWithKeystore = Settings.builder()
            .put(environment.settings(), false)
            .setSecureSettings(keystore)
            .build();
        final List<Exception> exceptions = new ArrayList<>();
        // Every reloadable plugin is attempted; one failure does not stop the remaining reloads.
        // NOTE(review): the keystore is closed when this try block exits, so plugins presumably
        // have to read the secure settings they need during reload() - confirm.
        for (final ReloadablePlugin plugin : pluginsService.filterPlugins(ReloadablePlugin.class)) {
            try {
                plugin.reload(settingsWithKeystore);
            } catch (final Exception e) {
                logger.warn((Supplier<?>) () -> new ParameterizedMessage("Reload failed for plugin [{}]", plugin.getClass().getSimpleName()), e);
                exceptions.add(e);
            }
        }
        ExceptionsHelper.rethrowAndSuppress(exceptions);
        return new NodesReloadSecureSettingsResponse.NodeResponse(clusterService.localNode(), null);
    } catch (final Exception e) {
        return new NodesReloadSecureSettingsResponse.NodeResponse(clusterService.localNode(), e);
    } finally {
        // Release the password whether or not the reload succeeded.
        secureSettingsPassword.close();
    }
}
use of org.opensearch.common.settings.KeyStoreWrapper in project OpenSearch by opensearch-project.
the class UpgradeCliTests method assertKeystoreImported.
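/**
 * Asserts that a keystore exists in the test environment's config directory, that it can be
 * decrypted with {@code passwd}, and that it holds the seed plus the imported string and file
 * settings with their expected values.
 *
 * <p>The keystore and the file-setting stream are opened with try-with-resources so both are
 * closed even when an assertion fails; the original left the decrypted keystore and the stream
 * open.
 *
 * @param passwd the password the imported keystore is expected to be protected with
 * @throws IOException if the keystore or the file setting cannot be read
 * @throws GeneralSecurityException if the keystore cannot be decrypted
 */
private void assertKeystoreImported(String passwd) throws IOException, GeneralSecurityException {
    // assert keystore is created
    try (KeyStoreWrapper keystore = KeyStoreWrapper.load(env.configFile())) {
        assertNotNull(keystore);
        // assert all keystore settings are imported
        keystore.decrypt(passwd.toCharArray());
        assertThat(keystore.getSettingNames(), hasItems(KeyStoreWrapper.SEED_SETTING.getKey(), "test.setting.key", "test.setting.file"));
        assertThat(keystore.getString("test.setting.key").toString(), is("test.setting.value"));
        try (InputStream is = keystore.getFile("test.setting.file")) {
            // NOTE(review): the buffer is sized from available(), which assumes the returned
            // stream reports its full remaining length - confirm against getFile().
            byte[] bytes = new byte[is.available()];
            assertThat(is.read(bytes), greaterThan(0));
            String actual = StandardCharsets.UTF_8.decode(ByteBuffer.wrap(bytes)).toString();
            String expected = "{\"some_key\": \"some_val\"}";
            assertThat(actual, is(expected));
        }
    }
}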
use of org.opensearch.common.settings.KeyStoreWrapper in project OpenSearch by opensearch-project.
the class ImportKeystoreTask method accept.
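/**
 * Copies every setting except {@code keystore.seed} from the elasticsearch keystore into the
 * OpenSearch keystore, creating the OpenSearch keystore when none exists, and saves the result.
 *
 * <p>Settings already present in the OpenSearch keystore are left untouched. The saved keystore
 * is protected with the same password as the elasticsearch keystore, which is the empty
 * password when the source keystore has none.
 *
 * <p>Changes from the original: both keystores and each per-setting stream are closed on every
 * path, a short read of a setting fails instead of being imported silently, and the wrapping
 * {@link RuntimeException} keeps the original exception as its cause.
 *
 * @param input the task input (config locations) paired with the terminal used for prompts
 * @throws RuntimeException if loading, decrypting, copying or saving fails
 */
@Override
public void accept(final Tuple<TaskInput, Terminal> input) {
    final TaskInput taskInput = input.v1();
    final Terminal terminal = input.v2();
    SecureString keyStorePassword = new SecureString(new char[0]);
    try {
        terminal.println("Importing keystore settings ...");
        try (KeyStoreWrapper esKeystore = KeyStoreWrapper.load(taskInput.getEsConfig(), ES_KEYSTORE_FILENAME)) {
            if (esKeystore == null) {
                terminal.println("No elasticsearch keystore settings to import.");
                return;
            }
            final KeyStoreWrapper existingKeystore = KeyStoreWrapper.load(
                taskInput.getOpenSearchConfig().resolve(OPENSEARCH_KEYSTORE_FILENAME)
            );
            // NOTE(review): an existing OpenSearch keystore is loaded but not decrypted before
            // getSettingNames() is called on it - confirm that is valid for a protected keystore.
            try (KeyStoreWrapper openSearchKeystore = existingKeystore != null ? existingKeystore : KeyStoreWrapper.create()) {
                if (esKeystore.hasPassword()) {
                    final char[] passwordArray = terminal.readSecret("Enter password for the elasticsearch keystore : ");
                    // The prompt result is held in a SecureString, which the finally block closes.
                    keyStorePassword = new SecureString(passwordArray);
                }
                esKeystore.decrypt(keyStorePassword.getChars());
                for (String setting : esKeystore.getSettingNames()) {
                    // The seed is not imported from the elasticsearch keystore.
                    if (setting.equals("keystore.seed")) {
                        continue;
                    }
                    if (!openSearchKeystore.getSettingNames().contains(setting)) {
                        try (InputStream settingIS = esKeystore.getFile(setting)) {
                            final byte[] bytes = new byte[settingIS.available()];
                            // Fill the whole buffer: one read() may return fewer bytes than
                            // requested, which would import a truncated secret.
                            int filled = 0;
                            while (filled < bytes.length) {
                                final int count = settingIS.read(bytes, filled, bytes.length - filled);
                                if (count < 0) {
                                    throw new IllegalStateException("Unexpected end of keystore setting [" + setting + "]");
                                }
                                filled += count;
                            }
                            KeystoreWrapperUtil.saveSetting(openSearchKeystore, setting, bytes);
                        }
                    }
                }
                openSearchKeystore.save(taskInput.getOpenSearchConfig(), keyStorePassword.getChars());
                terminal.println("Success!" + System.lineSeparator());
            }
        }
    } catch (Exception e) {
        // Same message as before; the cause is attached so the stack trace is not lost.
        throw new RuntimeException("Error importing keystore settings from elasticsearch, " + e, e);
    } finally {
        keyStorePassword.close();
    }
}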
use of org.opensearch.common.settings.KeyStoreWrapper in project OpenSearch by opensearch-project.
the class Bootstrap method loadSecureSettings.
/**
 * Loads the node keystore from the config directory, or creates and saves a new one when no
 * keystore is found.
 *
 * <p>For a password-protected keystore the passphrase is read from {@code System.in}, limited
 * to {@code KeyStoreAwareCommand.MAX_PASSPHRASE_LENGTH}; otherwise an empty password is used.
 * An existing keystore is decrypted and passed to {@code KeyStoreWrapper.upgrade}. A newly
 * created keystore is saved with an empty password. The password is closed before returning.
 *
 * @param initialEnv the environment whose config directory holds the keystore
 * @return the decrypted existing keystore, or the newly created one
 * @throws BootstrapException if loading, reading the passphrase, decrypting, upgrading or
 *                            saving fails
 */
static SecureSettings loadSecureSettings(Environment initialEnv) throws BootstrapException {
    final KeyStoreWrapper keystore;
    try {
        keystore = KeyStoreWrapper.load(initialEnv.configFile());
    } catch (IOException e) {
        throw new BootstrapException(e);
    }

    final SecureString password;
    try {
        // Prompt only when a keystore exists and is password-protected.
        password = (keystore != null && keystore.hasPassword())
            ? readPassphrase(System.in, KeyStoreAwareCommand.MAX_PASSPHRASE_LENGTH)
            : new SecureString(new char[0]);
    } catch (IOException e) {
        throw new BootstrapException(e);
    }

    try {
        if (keystore != null) {
            keystore.decrypt(password.getChars());
            KeyStoreWrapper.upgrade(keystore, initialEnv.configFile(), password.getChars());
            return keystore;
        }
        // No keystore on disk: create one and persist it with an empty password.
        final KeyStoreWrapper created = KeyStoreWrapper.create();
        created.save(initialEnv.configFile(), new char[0]);
        return created;
    } catch (Exception e) {
        throw new BootstrapException(e);
    } finally {
        // Runs on every path, including both returns above.
        password.close();
    }
}
Aggregations