[Backport 2.x] Added secure settings for ssl related passwords: (open…

…search-project#2296) (opensearch-project#3037)

### Description
Backports 2c20be0 from opensearch-project#2296 


### Check List
- [ ] New functionality includes testing
- [ ] New functionality has been documented
- [x] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and
signing off your commits, please check
[here](https:/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

---------

Signed-off-by: Darshit Chanpura <[email protected]>
Co-authored-by: Chris White <[email protected]>
Co-authored-by: Craig Perkins <[email protected]>

src/main/java/com/amazon/dlic/auth/ldap/backend/LDAPAuthorizationBackend.java

@@ -83,6 +83,9 @@
 import org.opensearch.security.user.AuthCredentials;
 import org.opensearch.security.user.User;
 
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD;
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD;
+
 public class LDAPAuthorizationBackend implements AuthorizationBackend {
 
  private static final AtomicInteger CONNECTION_COUNTER = new AtomicInteger();
@@ -580,7 +583,7 @@ private static void configureSSL(final ConnectionConfig config, final Settings s
  } else {
  final KeyStore trustStore = PemKeyReader.loadKeyStore(
  PemKeyReader.resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, settings, configPath, !trustAll),
- settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, SSLConfigConstants.DEFAULT_STORE_PASSWORD),
+ SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD.getSetting(settings),
  settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE)
  );
 
@@ -594,11 +597,11 @@ private static void configureSSL(final ConnectionConfig config, final Settings s
  configPath,
  enableClientAuth
  ),
- settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD, SSLConfigConstants.DEFAULT_STORE_PASSWORD),
+ SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD.getSetting(settings, SSLConfigConstants.DEFAULT_STORE_PASSWORD),
  settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE)
  );
- final String keyStorePassword = settings.get(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD,
+ final String keyStorePassword = SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD.getSetting(
+ settings,
  SSLConfigConstants.DEFAULT_STORE_PASSWORD
  );
 

src/main/java/com/amazon/dlic/util/SettingsBasedSSLConfigurator.java

@@ -49,6 +49,9 @@
 import org.opensearch.security.ssl.util.SSLConfigConstants;
 import org.opensearch.security.support.PemKeyReader;
 
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD;
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD;
+
 public class SettingsBasedSSLConfigurator {
  private static final Logger log = LogManager.getLogger(SettingsBasedSSLConfigurator.class);
 
@@ -328,7 +331,7 @@ private void initFromKeyStore() throws SSLConfigException {
  configPath,
  !isTrustAllEnabled()
  ),
- settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, SSLConfigConstants.DEFAULT_STORE_PASSWORD),
+ SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD.getSetting(settings),
  settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE)
  );
  } catch (Exception e) {
@@ -350,7 +353,7 @@ private void initFromKeyStore() throws SSLConfigException {
  configPath,
  enableSslClientAuth
  ),
- settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD, SSLConfigConstants.DEFAULT_STORE_PASSWORD),
+ SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD.getSetting(settings, SSLConfigConstants.DEFAULT_STORE_PASSWORD),
  settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE)
  );
  } catch (Exception e) {
@@ -360,10 +363,7 @@ private void initFromKeyStore() throws SSLConfigException {
  );
  }
 
- String keyStorePassword = settings.get(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD,
- SSLConfigConstants.DEFAULT_STORE_PASSWORD
- );
+ String keyStorePassword = SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD.getSetting(settings, SSLConfigConstants.DEFAULT_STORE_PASSWORD);
  effectiveKeyPassword = keyStorePassword == null || keyStorePassword.isEmpty() ? null : keyStorePassword.toCharArray();
  effectiveKeyAlias = getSetting(CERT_ALIAS);
 

src/main/java/org/opensearch/security/auditlog/sink/ExternalOpenSearchSink.java

@@ -31,6 +31,9 @@
 import org.opensearch.security.support.ConfigConstants;
 import org.opensearch.security.support.PemKeyReader;
 
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD;
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD;
+
 public final class ExternalOpenSearchSink extends AuditLogSink {
 
  private static final List<String> DEFAULT_TLS_PROTOCOLS = Arrays.asList(new String[] { "TLSv1.2", "TLSv1.1" });
@@ -169,7 +172,7 @@ public ExternalOpenSearchSink(
  } else {
  final KeyStore trustStore = PemKeyReader.loadKeyStore(
  PemKeyReader.resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, settings, configPath, true),
- settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, SSLConfigConstants.DEFAULT_STORE_PASSWORD),
+ SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD.getSetting(settings),
  settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE)
  );
 
@@ -181,11 +184,11 @@ public ExternalOpenSearchSink(
  configPath,
  enableSslClientAuth
  ),
- settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD, SSLConfigConstants.DEFAULT_STORE_PASSWORD),
+ SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD.getSetting(settings, SSLConfigConstants.DEFAULT_STORE_PASSWORD),
  settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE)
  );
- final String keyStorePassword = settings.get(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD,
+ final String keyStorePassword = SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD.getSetting(
+ settings,
  SSLConfigConstants.DEFAULT_STORE_PASSWORD
  );
  effectiveKeyPassword = keyStorePassword == null || keyStorePassword.isEmpty() ? null : keyStorePassword.toCharArray();

src/main/java/org/opensearch/security/auditlog/sink/WebhookSink.java

@@ -43,6 +43,8 @@
 import org.opensearch.security.support.ConfigConstants;
 import org.opensearch.security.support.PemKeyReader;
 
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD;
+
 public class WebhookSink extends AuditLogSink {
 
  /* HttpClient is thread safe */
@@ -339,10 +341,7 @@ public KeyStore run() {
  configPath,
  false
  ),
- settings.get(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD,
- SSLConfigConstants.DEFAULT_STORE_PASSWORD
- ),
+ SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD.getSetting(settings),
  settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE)
  );
  }

src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java

@@ -78,6 +78,19 @@
 import java.util.function.Function;
 import java.util.stream.Collectors;
 
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD;
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_HTTP_KEYSTORE_PASSWORD;
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_HTTP_PEMKEY_PASSWORD;
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_HTTP_TRUSTSTORE_PASSWORD;
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_KEYPASSWORD;
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_PASSWORD;
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_KEYSTORE_KEYPASSWORD;
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD;
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_PEMKEY_PASSWORD;
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_KEYPASSWORD;
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_PASSWORD;
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD;
+
 public class DefaultSecurityKeyStore implements SecurityKeyStore {
 
  private static final String DEFAULT_STORE_TYPE = "JKS";
@@ -313,8 +326,8 @@ public void initTransportSSLConfig() {
 
  final String keystoreFilePath = resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, true);
  final String keystoreType = settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE, DEFAULT_STORE_TYPE);
- final String keystorePassword = settings.get(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD,
+ final String keystorePassword = SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD.getSetting(
+ settings,
  SSLConfigConstants.DEFAULT_STORE_PASSWORD
  );
 
@@ -327,10 +340,7 @@ public void initTransportSSLConfig() {
  }
 
  final String truststoreType = settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE, DEFAULT_STORE_TYPE);
- final String truststorePassword = settings.get(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD,
- SSLConfigConstants.DEFAULT_STORE_PASSWORD
- );
+ final String truststorePassword = SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD.getSetting(settings);
 
  KeystoreProps keystoreProps = new KeystoreProps(keystoreFilePath, keystoreType, keystorePassword);
 
@@ -349,12 +359,12 @@ public void initTransportSSLConfig() {
  );
  final String keystoreServerAlias = settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_ALIAS, null);
  final String keystoreClientAlias = settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_ALIAS, null);
- final String serverKeyPassword = settings.get(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_KEYPASSWORD,
+ final String serverKeyPassword = SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_KEYPASSWORD.getSetting(
+ settings,
  keystorePassword
  );
- final String clientKeyPassword = settings.get(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_KEYPASSWORD,
+ final String clientKeyPassword = SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_KEYPASSWORD.getSetting(
+ settings,
  keystorePassword
  );
 
@@ -390,10 +400,7 @@ public void initTransportSSLConfig() {
  // when alias is null, we take first entry in the store
  final String truststoreAlias = settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_ALIAS, null);
  final String keystoreAlias = settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, null);
- final String keyPassword = settings.get(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_KEYPASSWORD,
- keystorePassword
- );
+ final String keyPassword = SECURITY_SSL_TRANSPORT_KEYSTORE_KEYPASSWORD.getSetting(settings, keystorePassword);
 
  certFromKeystore = new CertFromKeystore(keystoreProps, keystoreAlias, keyPassword);
  certFromTruststore = new CertFromTruststore(truststoreProps, truststoreAlias);
@@ -429,14 +436,14 @@ public void initTransportSSLConfig() {
  resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMCERT_FILEPATH, true),
  resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_FILEPATH, true),
  resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMTRUSTEDCAS_FILEPATH, true),
- settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_PASSWORD)
+ SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_PASSWORD.getSetting(settings)
  );
 
  CertFileProps serverCertProps = new CertFileProps(
  resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMCERT_FILEPATH, true),
  resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_FILEPATH, true),
  resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMTRUSTEDCAS_FILEPATH, true),
- settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_PASSWORD)
+ SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_PASSWORD.getSetting(settings)
  );
 
  certFromFile = new CertFromFile(clientCertProps, serverCertProps);
@@ -445,7 +452,7 @@ public void initTransportSSLConfig() {
  resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH, true),
  resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH, true),
  resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH, true),
- settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMKEY_PASSWORD)
+ SECURITY_SSL_TRANSPORT_PEMKEY_PASSWORD.getSetting(settings)
  );
  certFromFile = new CertFromFile(certProps);
  }
@@ -500,12 +507,12 @@ public void initHttpSSLConfig() {
 
  final String keystoreFilePath = resolve(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH, true);
  final String keystoreType = settings.get(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_TYPE, DEFAULT_STORE_TYPE);
- final String keystorePassword = settings.get(
- SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_PASSWORD,
+ final String keystorePassword = SECURITY_SSL_HTTP_KEYSTORE_PASSWORD.getSetting(
+ settings,
  SSLConfigConstants.DEFAULT_STORE_PASSWORD
  );
 
- final String keyPassword = settings.get(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD, keystorePassword);
+ final String keyPassword = SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD.getSetting(settings, keystorePassword);
 
  final String keystoreAlias = settings.get(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, null);
 
@@ -539,10 +546,8 @@ public void initHttpSSLConfig() {
  final String truststoreFilePath = resolve(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH, true);
 
  final String truststoreType = settings.get(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_TYPE, DEFAULT_STORE_TYPE);
- final String truststorePassword = settings.get(
- SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_PASSWORD,
- SSLConfigConstants.DEFAULT_STORE_PASSWORD
- );
+ final String truststorePassword = SECURITY_SSL_HTTP_TRUSTSTORE_PASSWORD.getSetting(settings);
+
  final String truststoreAlias = settings.get(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_ALIAS, null);
 
  KeystoreProps truststoreProps = new KeystoreProps(truststoreFilePath, truststoreType, truststorePassword);
@@ -577,7 +582,7 @@ public void initHttpSSLConfig() {
  resolve(SSLConfigConstants.SECURITY_SSL_HTTP_PEMCERT_FILEPATH, true),
  resolve(SSLConfigConstants.SECURITY_SSL_HTTP_PEMKEY_FILEPATH, true),
  trustedCas,
- settings.get(SSLConfigConstants.SECURITY_SSL_HTTP_PEMKEY_PASSWORD)
+ SECURITY_SSL_HTTP_PEMKEY_PASSWORD.getSetting(settings)
  );
  CertFromFile certFromFile = new CertFromFile(certFileProps);
 
@@ -586,7 +591,7 @@ public void initHttpSSLConfig() {
  certFromFile.getServerPemKey(),
  certFromFile.getServerPemCert(),
  certFromFile.getServerTrustedCas(),
- settings.get(SSLConfigConstants.SECURITY_SSL_HTTP_PEMKEY_PASSWORD),
+ SECURITY_SSL_HTTP_PEMKEY_PASSWORD.getSetting(settings),
  getEnabledSSLCiphers(this.sslHTTPProvider, true),
  sslHTTPProvider,
  httpClientAuthMode