use of org.opensearch.common.settings.SecureString in project OpenSearch by opensearch-project.
the class BootstrapTests method assertPassphraseRead.
/**
 * Feeds {@code source} to {@code Bootstrap.readPassphrase} as UTF-8 bytes and checks
 * that the passphrase read back equals {@code expected}.
 *
 * @param source   raw text presented on the input stream
 * @param expected passphrase the reader is expected to return
 */
private void assertPassphraseRead(String source, String expected) {
    final byte[] encoded = source.getBytes(StandardCharsets.UTF_8);
    try (InputStream in = new ByteArrayInputStream(encoded)) {
        // The read is bounded by MAX_PASSPHRASE_LENGTH, which is passed through unchanged.
        final SecureString passphrase = Bootstrap.readPassphrase(in, MAX_PASSPHRASE_LENGTH);
        assertThat(passphrase, equalTo(expected));
    } catch (IOException ioe) {
        // An in-memory stream is not expected to fail; surface it as an unchecked error.
        throw new RuntimeException(ioe);
    }
}
use of org.opensearch.common.settings.SecureString in project OpenSearch by opensearch-project.
the class BootstrapTests method testLoadSecureSettings.
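/**
 * Creates a keystore, saves it into the config directory, then checks that
 * {@code Bootstrap.loadSecureSettings} returns secure settings carrying the same seed
 * and that the keystore file is still present afterwards.
 *
 * @throws Exception if creating, saving or loading the keystore fails
 */
public void testLoadSecureSettings() throws Exception {
    final Path configPath = env.configFile();
    final SecureString seed;
    try (KeyStoreWrapper keyStoreWrapper = KeyStoreWrapper.create()) {
        seed = KeyStoreWrapper.SEED_SETTING.get(Settings.builder().setSecureSettings(keyStoreWrapper).build());
        assertNotNull(seed);
        assertTrue(seed.length() > 0);
        // An empty char[] is passed as the password argument, so this test keystore is
        // saved without a real passphrase.
        keyStoreWrapper.save(configPath, new char[0]);
    }
    assertTrue(Files.exists(configPath.resolve("opensearch.keystore")));
    try (SecureSettings secureSettings = Bootstrap.loadSecureSettings(env)) {
        SecureString seedAfterLoad = KeyStoreWrapper.SEED_SETTING.get(Settings.builder().setSecureSettings(secureSettings).build());
        // Expected value first, actual second, so a failure message labels the two
        // seeds correctly. toString() copies the secret into a String; fine in a test.
        assertEquals(seed.toString(), seedAfterLoad.toString());
        // Loading must not remove or relocate the keystore file.
        assertTrue(Files.exists(configPath.resolve("opensearch.keystore")));
    }
}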
use of org.opensearch.common.settings.SecureString in project OpenSearch by opensearch-project.
the class AzureStorageSettings method validateAndCreateProxySettings.
/**
 * Reads the proxy settings of one Azure client, checks them for consistency and
 * builds the resulting {@code ProxySettings}.
 *
 * @param settings   settings to read the proxy configuration from
 * @param clientName name of the client whose proxy settings are read
 * @return {@code ProxySettings.NO_PROXY_SETTINGS} for a DIRECT proxy type, otherwise
 *         settings built from the configured type, host, port and credentials
 * @throws SettingsException if proxy fields are set without a proxy type, if a proxy
 *         type is set without host or port, or if the proxy host cannot be resolved
 */
static ProxySettings validateAndCreateProxySettings(final Settings settings, final String clientName) {
    final ProxySettings.ProxyType proxyType = getConfigValue(settings, clientName, PROXY_TYPE_SETTING);
    final String proxyHost = getConfigValue(settings, clientName, PROXY_HOST_SETTING);
    final int proxyPort = getConfigValue(settings, clientName, PROXY_PORT_SETTING);
    final SecureString proxyUserName = getConfigValue(settings, clientName, PROXY_USERNAME_SETTING);
    final SecureString proxyPassword = getConfigValue(settings, clientName, PROXY_PASSWORD_SETTING);

    if (proxyType == ProxySettings.ProxyType.DIRECT) {
        // With no proxy type, any other proxy field being set is a misconfiguration.
        final boolean strayProxyField = proxyPort != 0
            || Strings.hasText(proxyHost)
            || Strings.hasText(proxyUserName)
            || Strings.hasText(proxyPassword);
        if (strayProxyField) {
            // The message is fixed text: no host or credential value is echoed back.
            throw new SettingsException("Azure proxy port or host or username or password have been set but proxy type is not defined.");
        }
        return ProxySettings.NO_PROXY_SETTINGS;
    }

    // A real proxy type needs both a host and a non-zero port.
    if (proxyPort == 0 || Strings.isEmpty(proxyHost)) {
        throw new SettingsException("Azure proxy type has been set but proxy host or port is not defined.");
    }

    final InetAddress resolvedProxyHost;
    try {
        // The host name is resolved here, while the settings are being validated.
        resolvedProxyHost = InetAddress.getByName(proxyHost);
    } catch (final UnknownHostException e) {
        throw new SettingsException("Azure proxy host is unknown.", e);
    }
    // NOTE(review): toString() copies both credentials out of their SecureString
    // wrappers into ordinary Strings, which cannot be wiped after use.
    return new ProxySettings(proxyType, resolvedProxyHost, proxyPort, proxyUserName.toString(), proxyPassword.toString());
}
use of org.opensearch.common.settings.SecureString in project OpenSearch by opensearch-project.
the class S3ClientSettings method validateAndCreateProxySettings.
/**
 * Reads the proxy settings of one S3 client, applies the legacy "protocol doubles as
 * proxy type" fallback, checks the result for consistency and builds the resulting
 * {@code ProxySettings}.
 *
 * @param settings    settings to read the proxy configuration from
 * @param clientName  name of the client whose proxy settings are read
 * @param awsProtocol protocol configured for the AWS client
 * @return {@code ProxySettings.NO_PROXY_SETTINGS} for a DIRECT proxy type, otherwise
 *         settings built from the configured type, host, port and credentials
 * @throws SettingsException if proxy fields are set without a proxy type, if a proxy
 *         type is set without a host, or if a SOCKS proxy is combined with HTTP
 */
static ProxySettings validateAndCreateProxySettings(final Settings settings, final String clientName, final Protocol awsProtocol) {
    ProxySettings.ProxyType proxyType = getConfigValue(settings, clientName, PROXY_TYPE_SETTING);
    final String proxyHost = getConfigValue(settings, clientName, PROXY_HOST_SETTING);
    final int proxyPort = getConfigValue(settings, clientName, PROXY_PORT_SETTING);
    final SecureString proxyUserName = getConfigValue(settings, clientName, PROXY_USERNAME_SETTING);
    final SecureString proxyPassword = getConfigValue(settings, clientName, PROXY_PASSWORD_SETTING);

    final boolean legacyProtocolAsProxyType = awsProtocol != Protocol.HTTPS
        && proxyType == ProxySettings.ProxyType.DIRECT
        && Strings.hasText(proxyHost);
    if (legacyProtocolAsProxyType) {
        // Backward compatibility: the protocol setting defaults to HTTPS, and earlier
        // configurations relied on it also naming the proxy protocol, which the AWS SDK
        // treats as a separate setting. When a proxy host is set and no proxy type is
        // given, the proxy type is therefore taken from the protocol.
        proxyType = ProxySettings.ProxyType.valueOf(awsProtocol.name());
        final String protocolKey = PROTOCOL_SETTING.getConcreteSettingForNamespace(clientName).getKey();
        final String proxyTypeKey = PROXY_TYPE_SETTING.getConcreteSettingForNamespace(clientName).getKey();
        deprecationLogger.deprecate(
            protocolKey,
            "Using of " + protocolKey + " as proxy type is deprecated and will be removed in future releases. Please use " + proxyTypeKey + " instead to specify proxy type."
        );
    }

    if (proxyType == ProxySettings.ProxyType.DIRECT) {
        // With no proxy type, any proxy field other than a port of 80 is a misconfiguration.
        final boolean strayProxyField = proxyPort != 80
            || Strings.hasText(proxyHost)
            || Strings.hasText(proxyUserName)
            || Strings.hasText(proxyPassword);
        if (strayProxyField) {
            // The message is fixed text: no host or credential value is echoed back.
            throw new SettingsException("S3 proxy port or host or username or password have been set but proxy type is not defined.");
        }
        return ProxySettings.NO_PROXY_SETTINGS;
    }

    // Only the host is checked here, although the message also mentions the port.
    if (Strings.isEmpty(proxyHost)) {
        throw new SettingsException("S3 proxy type has been set but proxy host or port is not defined.");
    }
    if (awsProtocol == Protocol.HTTP && proxyType == ProxySettings.ProxyType.SOCKS) {
        throw new SettingsException("SOCKS proxy is not supported for HTTP protocol");
    }
    validateInetAddressFor(proxyHost);
    // NOTE(review): toString() copies both credentials out of their SecureString
    // wrappers into ordinary Strings, which cannot be wiped after use.
    return new ProxySettings(proxyType, proxyHost, proxyPort, proxyUserName.toString(), proxyPassword.toString());
}
use of org.opensearch.common.settings.SecureString in project OpenSearch by opensearch-project.
the class ReloadSecureSettingsIT method testReloadAllNodesWithPasswordWithoutTLSFails.
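/**
 * Sends a cluster-wide reload-secure-settings request carrying a keystore password
 * and checks that it is rejected because transport TLS is not enabled, and that no
 * plugin reload takes place.
 *
 * @throws Exception if waiting for the response is interrupted or an assertion made
 *         inside the listener fails
 */
public void testReloadAllNodesWithPasswordWithoutTLSFails() throws Exception {
    final PluginsService pluginsService = internalCluster().getInstance(PluginsService.class);
    final MockReloadablePlugin mockReloadablePlugin = pluginsService.filterPlugins(MockReloadablePlugin.class).stream().findFirst().get();
    final Environment environment = internalCluster().getInstance(Environment.class);
    // Carries assertion failures from the listener callbacks back to the test thread.
    final AtomicReference<AssertionError> reloadSettingsError = new AtomicReference<>();
    final int initialReloadCount = mockReloadablePlugin.getReloadCount();
    final char[] password = randomAlphaOfLength(12).toCharArray();
    writeEmptyKeystore(environment, password);
    final CountDownLatch latch = new CountDownLatch(1);
    client().admin().cluster().prepareReloadSecureSettings().setNodesIds(Strings.EMPTY_ARRAY).setSecureStorePassword(new SecureString(password)).execute(new ActionListener<NodesReloadSecureSettingsResponse>() {
        @Override
        public void onResponse(NodesReloadSecureSettingsResponse nodesReloadResponse) {
            // Success means the password was accepted without TLS: record it as a failure.
            reloadSettingsError.set(new AssertionError("Nodes request succeeded when it should have failed", null));
            latch.countDown();
        }

        @Override
        public void onFailure(Exception e) {
            try {
                if (e instanceof RemoteTransportException) {
                    // transport client was used, so need to unwrap the returned exception
                    assertThat(e.getCause(), instanceOf(Exception.class));
                    e = (Exception) e.getCause();
                }
                assertThat(e, instanceOf(OpenSearchException.class));
                assertThat(e.getMessage(), containsString("Secure settings cannot be updated cluster wide when TLS for the " + "transport layer is not enabled"));
            } catch (final AssertionError assertionError) {
                // Without this capture, a rejection for the wrong reason would be thrown
                // on the callback thread and never reach the check after latch.await().
                reloadSettingsError.set(assertionError);
            } finally {
                latch.countDown();
            }
        }
    });
    latch.await();
    if (reloadSettingsError.get() != null) {
        throw reloadSettingsError.get();
    }
    // no reload should be triggered
    assertThat(mockReloadablePlugin.getReloadCount(), equalTo(initialReloadCount));
}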