Example 1 with SecureString

Use of org.opensearch.common.settings.SecureString in project OpenSearch by opensearch-project.

In the class BootstrapTests, method assertPassphraseRead.

private void assertPassphraseRead(String source, String expected) {
    try (InputStream stream = new ByteArrayInputStream(source.getBytes(StandardCharsets.UTF_8))) {
        SecureString result = Bootstrap.readPassphrase(stream, MAX_PASSPHRASE_LENGTH);
        assertThat(result, equalTo(expected));
    } catch (IOException e) {
        throw new RuntimeException(e);
    }
}
Also used : ByteArrayInputStream(java.io.ByteArrayInputStream) InputStream(java.io.InputStream) IOException(java.io.IOException) SecureString(org.opensearch.common.settings.SecureString)

Example 2 with SecureString

Use of org.opensearch.common.settings.SecureString in project OpenSearch by opensearch-project.

In the class BootstrapTests, method testLoadSecureSettings.

public void testLoadSecureSettings() throws Exception {
    final Path configPath = env.configFile();
    final SecureString seed;
    try (KeyStoreWrapper keyStoreWrapper = KeyStoreWrapper.create()) {
        seed = KeyStoreWrapper.SEED_SETTING.get(Settings.builder().setSecureSettings(keyStoreWrapper).build());
        assertNotNull(seed);
        assertTrue(seed.length() > 0);
        keyStoreWrapper.save(configPath, new char[0]);
    }
    assertTrue(Files.exists(configPath.resolve("opensearch.keystore")));
    try (SecureSettings secureSettings = Bootstrap.loadSecureSettings(env)) {
        SecureString seedAfterLoad = KeyStoreWrapper.SEED_SETTING.get(Settings.builder().setSecureSettings(secureSettings).build());
        assertEquals(seedAfterLoad.toString(), seed.toString());
        assertTrue(Files.exists(configPath.resolve("opensearch.keystore")));
    }
}
Also used : Path(java.nio.file.Path) SecureSettings(org.opensearch.common.settings.SecureSettings) KeyStoreWrapper(org.opensearch.common.settings.KeyStoreWrapper) SecureString(org.opensearch.common.settings.SecureString)

Example 3 with SecureString

Use of org.opensearch.common.settings.SecureString in project OpenSearch by opensearch-project.

In the class AzureStorageSettings, method validateAndCreateProxySettings.

static ProxySettings validateAndCreateProxySettings(final Settings settings, final String clientName) {
    final ProxySettings.ProxyType proxyType = getConfigValue(settings, clientName, PROXY_TYPE_SETTING);
    final String proxyHost = getConfigValue(settings, clientName, PROXY_HOST_SETTING);
    final int proxyPort = getConfigValue(settings, clientName, PROXY_PORT_SETTING);
    final SecureString proxyUserName = getConfigValue(settings, clientName, PROXY_USERNAME_SETTING);
    final SecureString proxyPassword = getConfigValue(settings, clientName, PROXY_PASSWORD_SETTING);
    // Validate proxy settings
    if (proxyType == ProxySettings.ProxyType.DIRECT && (proxyPort != 0 || Strings.hasText(proxyHost) || Strings.hasText(proxyUserName) || Strings.hasText(proxyPassword))) {
        throw new SettingsException("Azure proxy port or host or username or password have been set but proxy type is not defined.");
    }
    if (proxyType != ProxySettings.ProxyType.DIRECT && (proxyPort == 0 || Strings.isEmpty(proxyHost))) {
        throw new SettingsException("Azure proxy type has been set but proxy host or port is not defined.");
    }
    if (proxyType == ProxySettings.ProxyType.DIRECT) {
        return ProxySettings.NO_PROXY_SETTINGS;
    }
    try {
        final InetAddress proxyHostAddress = InetAddress.getByName(proxyHost);
        return new ProxySettings(proxyType, proxyHostAddress, proxyPort, proxyUserName.toString(), proxyPassword.toString());
    } catch (final UnknownHostException e) {
        throw new SettingsException("Azure proxy host is unknown.", e);
    }
}
Also used : UnknownHostException(java.net.UnknownHostException) SecureString(org.opensearch.common.settings.SecureString) SettingsException(org.opensearch.common.settings.SettingsException) InetAddress(java.net.InetAddress)

Example 4 with SecureString

Use of org.opensearch.common.settings.SecureString in project OpenSearch by opensearch-project.

In the class S3ClientSettings, method validateAndCreateProxySettings.

static ProxySettings validateAndCreateProxySettings(final Settings settings, final String clientName, final Protocol awsProtocol) {
    ProxySettings.ProxyType proxyType = getConfigValue(settings, clientName, PROXY_TYPE_SETTING);
    final String proxyHost = getConfigValue(settings, clientName, PROXY_HOST_SETTING);
    final int proxyPort = getConfigValue(settings, clientName, PROXY_PORT_SETTING);
    final SecureString proxyUserName = getConfigValue(settings, clientName, PROXY_USERNAME_SETTING);
    final SecureString proxyPassword = getConfigValue(settings, clientName, PROXY_PASSWORD_SETTING);
    if (awsProtocol != Protocol.HTTPS && proxyType == ProxySettings.ProxyType.DIRECT && Strings.hasText(proxyHost)) {
        // This is backward compatibility for the current behaviour.
        // The default value for Protocol settings is HTTPS,
        // The expectation of ex-developers that protocol is the same as the proxy protocol
        // which is a separate setting for AWS SDK.
        // In this case, proxy type should be the same as a protocol,
        // when proxy host and port have been set
        proxyType = ProxySettings.ProxyType.valueOf(awsProtocol.name());
        deprecationLogger.deprecate(PROTOCOL_SETTING.getConcreteSettingForNamespace(clientName).getKey(), "Using of " + PROTOCOL_SETTING.getConcreteSettingForNamespace(clientName).getKey() + " as proxy type is deprecated and will be removed in future releases. Please use " + PROXY_TYPE_SETTING.getConcreteSettingForNamespace(clientName).getKey() + " instead to specify proxy type.");
    }
    // Validate proxy settings
    if (proxyType == ProxySettings.ProxyType.DIRECT && (proxyPort != 80 || Strings.hasText(proxyHost) || Strings.hasText(proxyUserName) || Strings.hasText(proxyPassword))) {
        throw new SettingsException("S3 proxy port or host or username or password have been set but proxy type is not defined.");
    }
    if (proxyType != ProxySettings.ProxyType.DIRECT && Strings.isEmpty(proxyHost)) {
        throw new SettingsException("S3 proxy type has been set but proxy host or port is not defined.");
    }
    if (proxyType == ProxySettings.ProxyType.DIRECT) {
        return ProxySettings.NO_PROXY_SETTINGS;
    }
    if (awsProtocol == Protocol.HTTP && proxyType == ProxySettings.ProxyType.SOCKS) {
        throw new SettingsException("SOCKS proxy is not supported for HTTP protocol");
    }
    validateInetAddressFor(proxyHost);
    return new ProxySettings(proxyType, proxyHost, proxyPort, proxyUserName.toString(), proxyPassword.toString());
}
Also used : SecureString(org.opensearch.common.settings.SecureString) SettingsException(org.opensearch.common.settings.SettingsException)

Example 5 with SecureString

Use of org.opensearch.common.settings.SecureString in project OpenSearch by opensearch-project.

In the class ReloadSecureSettingsIT, method testReloadAllNodesWithPasswordWithoutTLSFails.

public void testReloadAllNodesWithPasswordWithoutTLSFails() throws Exception {
    final PluginsService pluginsService = internalCluster().getInstance(PluginsService.class);
    final MockReloadablePlugin mockReloadablePlugin = pluginsService.filterPlugins(MockReloadablePlugin.class).stream().findFirst().get();
    final Environment environment = internalCluster().getInstance(Environment.class);
    final AtomicReference<AssertionError> reloadSettingsError = new AtomicReference<>();
    final int initialReloadCount = mockReloadablePlugin.getReloadCount();
    final char[] password = randomAlphaOfLength(12).toCharArray();
    writeEmptyKeystore(environment, password);
    final CountDownLatch latch = new CountDownLatch(1);
    client().admin().cluster().prepareReloadSecureSettings().setNodesIds(Strings.EMPTY_ARRAY).setSecureStorePassword(new SecureString(password)).execute(new ActionListener<NodesReloadSecureSettingsResponse>() {

        @Override
        public void onResponse(NodesReloadSecureSettingsResponse nodesReloadResponse) {
            reloadSettingsError.set(new AssertionError("Nodes request succeeded when it should have failed", null));
            latch.countDown();
        }

        @Override
        public void onFailure(Exception e) {
            try {
                if (e instanceof RemoteTransportException) {
                    // transport client was used, so need to unwrap the returned exception
                    assertThat(e.getCause(), instanceOf(Exception.class));
                    e = (Exception) e.getCause();
                }
                assertThat(e, instanceOf(OpenSearchException.class));
                assertThat(e.getMessage(), containsString("Secure settings cannot be updated cluster wide when TLS for the " + "transport layer is not enabled"));
            } finally {
                latch.countDown();
            }
        }
    });
    latch.await();
    if (reloadSettingsError.get() != null) {
        throw reloadSettingsError.get();
    }
    // no reload should be triggered
    assertThat(mockReloadablePlugin.getReloadCount(), equalTo(initialReloadCount));
}
Also used : PluginsService(org.opensearch.plugins.PluginsService) RemoteTransportException(org.opensearch.transport.RemoteTransportException) AtomicReference(java.util.concurrent.atomic.AtomicReference) CountDownLatch(java.util.concurrent.CountDownLatch) OpenSearchException(org.opensearch.OpenSearchException) AccessControlException(java.security.AccessControlException) Environment(org.opensearch.env.Environment) SecureString(org.opensearch.common.settings.SecureString) NodesReloadSecureSettingsResponse(org.opensearch.action.admin.cluster.node.reload.NodesReloadSecureSettingsResponse)
