opensearch-project · peternied · Dec 8, 2022 · Dec 4, 2022 · Dec 8, 2022 · Dec 8, 2022
@@ -83,6 +83,9 @@
 import org.opensearch.security.user.AuthCredentials;
 import org.opensearch.security.user.User;
 
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD;
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD;
+
 public class LDAPAuthorizationBackend implements AuthorizationBackend {
 
  private static final AtomicInteger CONNECTION_COUNTER = new AtomicInteger();
@@ -566,8 +569,7 @@ private static void configureSSL(final ConnectionConfig config, final Settings s
  final KeyStore trustStore = PemKeyReader.loadKeyStore(
  PemKeyReader.resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, settings,
  configPath, !trustAll),
- settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD,
- SSLConfigConstants.DEFAULT_STORE_PASSWORD),
+ SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD.getSetting(settings),
  settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE));
 
  final List<String> trustStoreAliases = settings.getAsList(ConfigConstants.LDAPS_JKS_TRUST_ALIAS, null);
@@ -576,12 +578,11 @@ private static void configureSSL(final ConnectionConfig config, final Settings s
  final KeyStore keyStore = PemKeyReader.loadKeyStore(
  PemKeyReader.resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, settings,
  configPath, enableClientAuth),
- settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD,
+ SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD.getSetting(settings,
  SSLConfigConstants.DEFAULT_STORE_PASSWORD),
  settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE));
- final String keyStorePassword = settings.get(
- SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD,
- SSLConfigConstants.DEFAULT_STORE_PASSWORD);
+ final String keyStorePassword = SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD
+ .getSetting(settings, SSLConfigConstants.DEFAULT_STORE_PASSWORD);
 
  final String keyStoreAlias = settings.get(ConfigConstants.LDAPS_JKS_CERT_ALIAS, null);
  final String[] keyStoreAliases = keyStoreAlias == null ? null : new String[] { keyStoreAlias };

@@ -48,6 +48,9 @@
 import org.opensearch.security.ssl.util.SSLConfigConstants;
 import org.opensearch.security.support.PemKeyReader;
 
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD;
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD;
+
 public class SettingsBasedSSLConfigurator {
  private static final Logger log = LogManager.getLogger(SettingsBasedSSLConfigurator.class);
 
@@ -305,8 +308,7 @@ private void initFromKeyStore() throws SSLConfigException {
  trustStore = PemKeyReader.loadKeyStore(
  PemKeyReader.resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, settings,
  configPath, !isTrustAllEnabled()),
- settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD,
- SSLConfigConstants.DEFAULT_STORE_PASSWORD),
+ SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD.getSetting(settings),
  settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE));
  } catch (Exception e) {
  throw new SSLConfigException("Error loading trust store from "
@@ -321,15 +323,15 @@ private void initFromKeyStore() throws SSLConfigException {
  keyStore = PemKeyReader.loadKeyStore(
  PemKeyReader.resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, settings,
  configPath, enableSslClientAuth),
- settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD,
+ SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD.getSetting(settings,
  SSLConfigConstants.DEFAULT_STORE_PASSWORD),
  settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE));
  } catch (Exception e) {
  throw new SSLConfigException("Error loading key store from "
  + settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH), e);
  }
 
- String keyStorePassword = settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD,
+ String keyStorePassword = SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD.getSetting(settings,
  SSLConfigConstants.DEFAULT_STORE_PASSWORD);
  effectiveKeyPassword = keyStorePassword == null || keyStorePassword.isEmpty() ? null
  : keyStorePassword.toCharArray();

@@ -49,6 +49,9 @@
 import org.opensearch.security.ssl.util.SSLConfigConstants;
 import org.opensearch.security.support.PemKeyReader;
 
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD;
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD;
+
 public class SettingsBasedSSLConfiguratorV4 {
  private static final Logger log = LogManager.getLogger(SettingsBasedSSLConfigurator.class);
 
@@ -306,8 +309,7 @@ private void initFromKeyStore() throws SSLConfigException {
  trustStore = PemKeyReader.loadKeyStore(
  PemKeyReader.resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, settings,
  configPath, !isTrustAllEnabled()),
- settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD,
- SSLConfigConstants.DEFAULT_STORE_PASSWORD),
+ SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD.getSetting(settings),
  settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE));
  } catch (Exception e) {
  throw new SSLConfigException("Error loading trust store from "
@@ -322,16 +324,16 @@ private void initFromKeyStore() throws SSLConfigException {
  keyStore = PemKeyReader.loadKeyStore(
  PemKeyReader.resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, settings,
  configPath, enableSslClientAuth),
- settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD,
+ SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD.getSetting(settings,
  SSLConfigConstants.DEFAULT_STORE_PASSWORD),
  settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE));
  } catch (Exception e) {
  throw new SSLConfigException("Error loading key store from "
  + settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH), e);
  }
 
- String keyStorePassword = settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD,
- SSLConfigConstants.DEFAULT_STORE_PASSWORD);
+ String keyStorePassword = SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD
+ .getSetting(settings, SSLConfigConstants.DEFAULT_STORE_PASSWORD);
  effectiveKeyPassword = keyStorePassword == null || keyStorePassword.isEmpty() ? null
  : keyStorePassword.toCharArray();
  effectiveKeyAlias = getSetting(CERT_ALIAS);

@@ -31,6 +31,9 @@
 import org.opensearch.security.support.ConfigConstants;
 import org.opensearch.security.support.PemKeyReader;
 
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD;
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD;
+
 public final class ExternalOpenSearchSink extends AuditLogSink {
 
  private static final List<String> DEFAULT_TLS_PROTOCOLS = Arrays.asList(new String[] { "TLSv1.2", "TLSv1.1"});
@@ -117,14 +120,14 @@ public ExternalOpenSearchSink(final String name, final Settings settings, final
 
  } else {
  final KeyStore trustStore = PemKeyReader.loadKeyStore(PemKeyReader.resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, settings, configPath, true)
- , settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, SSLConfigConstants.DEFAULT_STORE_PASSWORD)
+ , SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD.getSetting(settings)
  , settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE));
 
  //for client authentication
  final KeyStore keyStore = PemKeyReader.loadKeyStore(PemKeyReader.resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, settings, configPath, enableSslClientAuth)
- , settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD, SSLConfigConstants.DEFAULT_STORE_PASSWORD)
+ , SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD.getSetting(settings, SSLConfigConstants.DEFAULT_STORE_PASSWORD)
  , settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE));
- final String keyStorePassword = settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD, SSLConfigConstants.DEFAULT_STORE_PASSWORD);
+ final String keyStorePassword = SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD.getSetting(settings, SSLConfigConstants.DEFAULT_STORE_PASSWORD);
  effectiveKeyPassword = keyStorePassword==null||keyStorePassword.isEmpty()?null:keyStorePassword.toCharArray();
  effectiveKeyAlias = sinkSettings.get(ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_JKS_CERT_ALIAS, null);
 

@@ -50,6 +50,8 @@
 import org.opensearch.security.support.ConfigConstants;
 import org.opensearch.security.support.PemKeyReader;
 
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD;
+
 public class WebhookSink extends AuditLogSink {
 
  /* HttpClient is thread safe */
@@ -328,7 +330,7 @@ public KeyStore run() {
 
  } else {
  return PemKeyReader.loadKeyStore(PemKeyReader.resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, settings, configPath, false)
- , settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, SSLConfigConstants.DEFAULT_STORE_PASSWORD)
+ , SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD.getSetting(settings)
  , settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE));
  }
  } catch(Exception ex) {