Added secure settings for ssl related passwords: (opensearch-project#…

…2296) Added secure settings for ssl related passwords: * plugins.security.ssl.http.pemkey_password_secure * plugins.security.ssl.http.keystore_password_secure * plugins.security.ssl.http.keystore_keypassword_secure * plugins.security.ssl.http.truststore_password_secure * plugins.security.ssl.transport.pemkey_password_secure * plugins.security.ssl.transport.server.pemkey_password_secure * plugins.security.ssl.transport.client.pemkey_password_secure * plugins.security.ssl.transport.keystore_password_secure * plugins.security.ssl.transport.keystore_keypassword_secure * plugins.security.ssl.transport.server.keystore_keypassword_secure * plugins.security.ssl.transport.client.keystore_keypassword_secure * plugins.security.ssl.transport.truststore_password_secure Signed-off-by: Chris White <[email protected]> (cherry picked from commit 2c20be0)
DarshitChanpura · Jul 20, 2023 · c69d489 · c69d489
1 parent e2a3a38
commit c69d489
Show file tree

Hide file tree

Showing 14 changed files with 1,766 additions and 270 deletions.
diff --git a/src/main/java/com/amazon/dlic/auth/ldap/backend/LDAPAuthorizationBackend.java b/src/main/java/com/amazon/dlic/auth/ldap/backend/LDAPAuthorizationBackend.java
@@ -83,6 +83,9 @@
 import org.opensearch.security.user.AuthCredentials;
 import org.opensearch.security.user.User;
 
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD;
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD;
+
 public class LDAPAuthorizationBackend implements AuthorizationBackend {
 
  private static final AtomicInteger CONNECTION_COUNTER = new AtomicInteger();
@@ -580,7 +583,7 @@ private static void configureSSL(final ConnectionConfig config, final Settings s
  } else {
  final KeyStore trustStore = PemKeyReader.loadKeyStore(
  PemKeyReader.resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, settings, configPath, !trustAll),
- settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, SSLConfigConstants.DEFAULT_STORE_PASSWORD),
+ SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD.getSetting(settings),
  settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE)
  );
 
@@ -594,11 +597,11 @@ private static void configureSSL(final ConnectionConfig config, final Settings s
  configPath,
  enableClientAuth
  ),
- settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD, SSLConfigConstants.DEFAULT_STORE_PASSWORD),
+ SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD.getSetting(settings, SSLConfigConstants.DEFAULT_STORE_PASSWORD),
  settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE)
  );
- final String keyStorePassword = settings.get(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD,
+ final String keyStorePassword = SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD.getSetting(
+ settings,
  SSLConfigConstants.DEFAULT_STORE_PASSWORD
  );
 

diff --git a/src/main/java/com/amazon/dlic/util/SettingsBasedSSLConfigurator.java b/src/main/java/com/amazon/dlic/util/SettingsBasedSSLConfigurator.java
@@ -49,6 +49,9 @@
 import org.opensearch.security.ssl.util.SSLConfigConstants;
 import org.opensearch.security.support.PemKeyReader;
 
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD;
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD;
+
 public class SettingsBasedSSLConfigurator {
  private static final Logger log = LogManager.getLogger(SettingsBasedSSLConfigurator.class);
 
@@ -328,7 +331,7 @@ private void initFromKeyStore() throws SSLConfigException {
  configPath,
  !isTrustAllEnabled()
  ),
- settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, SSLConfigConstants.DEFAULT_STORE_PASSWORD),
+ SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD.getSetting(settings),
  settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE)
  );
  } catch (Exception e) {
@@ -350,7 +353,7 @@ private void initFromKeyStore() throws SSLConfigException {
  configPath,
  enableSslClientAuth
  ),
- settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD, SSLConfigConstants.DEFAULT_STORE_PASSWORD),
+ SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD.getSetting(settings, SSLConfigConstants.DEFAULT_STORE_PASSWORD),
  settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE)
  );
  } catch (Exception e) {
@@ -360,10 +363,7 @@ private void initFromKeyStore() throws SSLConfigException {
  );
  }
 
- String keyStorePassword = settings.get(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD,
- SSLConfigConstants.DEFAULT_STORE_PASSWORD
- );
+ String keyStorePassword = SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD.getSetting(settings, SSLConfigConstants.DEFAULT_STORE_PASSWORD);
  effectiveKeyPassword = keyStorePassword == null || keyStorePassword.isEmpty() ? null : keyStorePassword.toCharArray();
  effectiveKeyAlias = getSetting(CERT_ALIAS);