Skip to content

Commit

Permalink
Added secure settings for ssl related passwords: (opensearch-project#…
Browse files Browse the repository at this point in the history 
…2296)

Added secure settings for ssl related passwords:

* plugins.security.ssl.http.pemkey_password_secure
* plugins.security.ssl.http.keystore_password_secure
* plugins.security.ssl.http.keystore_keypassword_secure
* plugins.security.ssl.http.truststore_password_secure
* plugins.security.ssl.transport.pemkey_password_secure
* plugins.security.ssl.transport.server.pemkey_password_secure
* plugins.security.ssl.transport.client.pemkey_password_secure
* plugins.security.ssl.transport.keystore_password_secure
* plugins.security.ssl.transport.keystore_keypassword_secure
* plugins.security.ssl.transport.server.keystore_keypassword_secure
* plugins.security.ssl.transport.client.keystore_keypassword_secure
* plugins.security.ssl.transport.truststore_password_secure

Signed-off-by: Chris White <chriswhite199@gmail.com>
  • Loading branch information
@chriswhite199
chriswhite199 authored Dec 8, 2022
1 parent aad9379 commit 2c20be0
Show file tree
Hide file tree
Showing 14 changed files with 694 additions and 421 deletions.
13 changes: 7 additions & 6 deletions src/main/java/com/amazon/dlic/auth/ldap/backend/LDAPAuthorizationBackend.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -83,6 +83,9 @@
import org.opensearch.security.user.AuthCredentials;
import org.opensearch.security.user.User;

import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD;
import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD;

public class LDAPAuthorizationBackend implements AuthorizationBackend {

private static final AtomicInteger CONNECTION_COUNTER = new AtomicInteger();
Expand Down Expand Up @@ -566,8 +569,7 @@ private static void configureSSL(final ConnectionConfig config, final Settings s
final KeyStore trustStore = PemKeyReader.loadKeyStore(
PemKeyReader.resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, settings,
configPath, !trustAll),
settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD,
SSLConfigConstants.DEFAULT_STORE_PASSWORD),
SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD.getSetting(settings),
settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE));

final List<String> trustStoreAliases = settings.getAsList(ConfigConstants.LDAPS_JKS_TRUST_ALIAS, null);
Expand All @@ -576,12 +578,11 @@ private static void configureSSL(final ConnectionConfig config, final Settings s
final KeyStore keyStore = PemKeyReader.loadKeyStore(
PemKeyReader.resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, settings,
configPath, enableClientAuth),
settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD,
SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD.getSetting(settings,
SSLConfigConstants.DEFAULT_STORE_PASSWORD),
settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE));
final String keyStorePassword = settings.get(
SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD,
SSLConfigConstants.DEFAULT_STORE_PASSWORD);
final String keyStorePassword = SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD
.getSetting(settings, SSLConfigConstants.DEFAULT_STORE_PASSWORD);

final String keyStoreAlias = settings.get(ConfigConstants.LDAPS_JKS_CERT_ALIAS, null);
final String[] keyStoreAliases = keyStoreAlias == null ? null : new String[] { keyStoreAlias };
Expand Down
10 changes: 6 additions & 4 deletions src/main/java/com/amazon/dlic/util/SettingsBasedSSLConfigurator.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,9 @@
import org.opensearch.security.ssl.util.SSLConfigConstants;
import org.opensearch.security.support.PemKeyReader;

import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD;
import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD;

public class SettingsBasedSSLConfigurator {
private static final Logger log = LogManager.getLogger(SettingsBasedSSLConfigurator.class);

Expand Down Expand Up @@ -305,8 +308,7 @@ private void initFromKeyStore() throws SSLConfigException {
trustStore = PemKeyReader.loadKeyStore(
PemKeyReader.resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, settings,
configPath, !isTrustAllEnabled()),
settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD,
SSLConfigConstants.DEFAULT_STORE_PASSWORD),
SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD.getSetting(settings),
settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE));
} catch (Exception e) {
throw new SSLConfigException("Error loading trust store from "
Expand All @@ -321,15 +323,15 @@ private void initFromKeyStore() throws SSLConfigException {
keyStore = PemKeyReader.loadKeyStore(
PemKeyReader.resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, settings,
configPath, enableSslClientAuth),
settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD,
SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD.getSetting(settings,
SSLConfigConstants.DEFAULT_STORE_PASSWORD),
settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE));
} catch (Exception e) {
throw new SSLConfigException("Error loading key store from "
+ settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH), e);
}

String keyStorePassword = settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD,
String keyStorePassword = SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD.getSetting(settings,
SSLConfigConstants.DEFAULT_STORE_PASSWORD);
effectiveKeyPassword = keyStorePassword == null || keyStorePassword.isEmpty() ? null
: keyStorePassword.toCharArray();
Expand Down
12 changes: 7 additions & 5 deletions src/main/java/com/amazon/dlic/util/SettingsBasedSSLConfiguratorV4.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,9 @@
import org.opensearch.security.ssl.util.SSLConfigConstants;
import org.opensearch.security.support.PemKeyReader;

import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD;
import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD;

public class SettingsBasedSSLConfiguratorV4 {
private static final Logger log = LogManager.getLogger(SettingsBasedSSLConfigurator.class);

Expand Down Expand Up @@ -306,8 +309,7 @@ private void initFromKeyStore() throws SSLConfigException {
trustStore = PemKeyReader.loadKeyStore(
PemKeyReader.resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, settings,
configPath, !isTrustAllEnabled()),
settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD,
SSLConfigConstants.DEFAULT_STORE_PASSWORD),
SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD.getSetting(settings),
settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE));
} catch (Exception e) {
throw new SSLConfigException("Error loading trust store from "
Expand All @@ -322,16 +324,16 @@ private void initFromKeyStore() throws SSLConfigException {
keyStore = PemKeyReader.loadKeyStore(
PemKeyReader.resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, settings,
configPath, enableSslClientAuth),
settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD,
SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD.getSetting(settings,
SSLConfigConstants.DEFAULT_STORE_PASSWORD),
settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE));
} catch (Exception e) {
throw new SSLConfigException("Error loading key store from "
+ settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH), e);
}

String keyStorePassword = settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD,
SSLConfigConstants.DEFAULT_STORE_PASSWORD);
String keyStorePassword = SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD
.getSetting(settings, SSLConfigConstants.DEFAULT_STORE_PASSWORD);
effectiveKeyPassword = keyStorePassword == null || keyStorePassword.isEmpty() ? null
: keyStorePassword.toCharArray();
effectiveKeyAlias = getSetting(CERT_ALIAS);
Expand Down
9 changes: 6 additions & 3 deletions src/main/java/org/opensearch/security/auditlog/sink/ExternalOpenSearchSink.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,9 @@
import org.opensearch.security.support.ConfigConstants;
import org.opensearch.security.support.PemKeyReader;

import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD;
import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD;

public final class ExternalOpenSearchSink extends AuditLogSink {

private static final List<String> DEFAULT_TLS_PROTOCOLS = Arrays.asList(new String[] { "TLSv1.2", "TLSv1.1"});
Expand Down Expand Up @@ -117,14 +120,14 @@ public ExternalOpenSearchSink(final String name, final Settings settings, final

} else {
final KeyStore trustStore = PemKeyReader.loadKeyStore(PemKeyReader.resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, settings, configPath, true)
, settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, SSLConfigConstants.DEFAULT_STORE_PASSWORD)
, SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD.getSetting(settings)
, settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE));

//for client authentication
final KeyStore keyStore = PemKeyReader.loadKeyStore(PemKeyReader.resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, settings, configPath, enableSslClientAuth)
, settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD, SSLConfigConstants.DEFAULT_STORE_PASSWORD)
, SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD.getSetting(settings, SSLConfigConstants.DEFAULT_STORE_PASSWORD)
, settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE));
final String keyStorePassword = settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD, SSLConfigConstants.DEFAULT_STORE_PASSWORD);
final String keyStorePassword = SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD.getSetting(settings, SSLConfigConstants.DEFAULT_STORE_PASSWORD);
effectiveKeyPassword = keyStorePassword==null||keyStorePassword.isEmpty()?null:keyStorePassword.toCharArray();
effectiveKeyAlias = sinkSettings.get(ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_JKS_CERT_ALIAS, null);

Expand Down
4 changes: 3 additions & 1 deletion src/main/java/org/opensearch/security/auditlog/sink/WebhookSink.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -50,6 +50,8 @@
import org.opensearch.security.support.ConfigConstants;
import org.opensearch.security.support.PemKeyReader;

import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD;

public class WebhookSink extends AuditLogSink {

/* HttpClient is thread safe */
Expand Down Expand Up @@ -328,7 +330,7 @@ public KeyStore run() {

} else {
return PemKeyReader.loadKeyStore(PemKeyReader.resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, settings, configPath, false)
, settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, SSLConfigConstants.DEFAULT_STORE_PASSWORD)
, SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD.getSetting(settings)
, settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE));
}
} catch(Exception ex) {
Expand Down
Loading

0 comments on commit 2c20be0

Please sign in to comment.