diff --git a/src/main/java/org/opensearch/security/auditlog/sink/ExternalOpenSearchSink.java b/src/main/java/org/opensearch/security/auditlog/sink/ExternalOpenSearchSink.java index 7bde676399..4bb79d4e62 100644 --- a/src/main/java/org/opensearch/security/auditlog/sink/ExternalOpenSearchSink.java +++ b/src/main/java/org/opensearch/security/auditlog/sink/ExternalOpenSearchSink.java @@ -31,8 +31,8 @@ import org.joda.time.format.DateTimeFormat; import org.joda.time.format.DateTimeFormatter; -import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD; -import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD; +import static org.opensearch.security.ssl.SecureSSLSettings.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD; +import static org.opensearch.security.ssl.SecureSSLSettings.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD; public final class ExternalOpenSearchSink extends AuditLogSink { diff --git a/src/main/java/org/opensearch/security/auditlog/sink/WebhookSink.java b/src/main/java/org/opensearch/security/auditlog/sink/WebhookSink.java index 40c278026b..289f38a6ee 100644 --- a/src/main/java/org/opensearch/security/auditlog/sink/WebhookSink.java +++ b/src/main/java/org/opensearch/security/auditlog/sink/WebhookSink.java @@ -50,7 +50,7 @@ import org.opensearch.security.support.ConfigConstants; import org.opensearch.security.support.PemKeyReader; -import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD; +import static org.opensearch.security.ssl.SecureSSLSettings.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD; public class WebhookSink extends AuditLogSink { diff --git a/src/main/java/org/opensearch/security/auth/ldap/backend/LDAPAuthorizationBackend.java b/src/main/java/org/opensearch/security/auth/ldap/backend/LDAPAuthorizationBackend.java index 8da9986c13..0100e414d0 100755 
--- a/src/main/java/org/opensearch/security/auth/ldap/backend/LDAPAuthorizationBackend.java +++ b/src/main/java/org/opensearch/security/auth/ldap/backend/LDAPAuthorizationBackend.java @@ -82,8 +82,8 @@ import org.ldaptive.ssl.SslConfig; import org.ldaptive.ssl.ThreadLocalTLSSocketFactory; -import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD; -import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD; +import static org.opensearch.security.ssl.SecureSSLSettings.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD; +import static org.opensearch.security.ssl.SecureSSLSettings.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD; public class LDAPAuthorizationBackend implements AuthorizationBackend { @@ -300,7 +300,7 @@ private static Connection getConnection0( configureSSL(config, settings, configPath); final String bindDn = settings.get(ConfigConstants.LDAP_BIND_DN, null); - final String password = settings.get(ConfigConstants.LDAP_PASSWORD, null); + final String password = ConfigConstants.LDAP_PASSWORD.getSetting(settings, null); if (isDebugEnabled) { log.debug("bindDn {}, password {}", bindDn, password != null && password.length() > 0 ? "****" : ""); @@ -564,13 +564,13 @@ private static void configureSSL(final ConnectionConfig config, final Settings s } PrivateKey authenticationKey = PemKeyReader.loadKeyFromStream( - settings.get(ConfigConstants.LDAPS_PEMKEY_PASSWORD), + ConfigConstants.LDAPS_PEMKEY_PASSWORD.getSetting(settings), PemKeyReader.resolveStream(ConfigConstants.LDAPS_PEMKEY_CONTENT, settings) ); if (authenticationKey == null) { authenticationKey = PemKeyReader.loadKeyFromFile( - settings.get(ConfigConstants.LDAPS_PEMKEY_PASSWORD), + ConfigConstants.LDAPS_PEMKEY_PASSWORD.getSetting(settings), PemKeyReader.resolve(ConfigConstants.LDAPS_PEMKEY_FILEPATH, settings, configPath, enableClientAuth) ); } 
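Review bot: In getConnection0 the bind password is now resolved with `ConfigConstants.LDAP_PASSWORD.getSetting(settings, null)` (and the PEM key password in configureSSL with `LDAPS_PEMKEY_PASSWORD.getSetting(settings)`), but as far as I recall `SecureSetting.get` only consults the keystore when `settings.getSecureSettings()` is non-null, so if this `settings` is the LDAP backend block from the security configuration rather than node settings, `password_secure` can never be found and the call silently falls back to the plain `password`. For an operator who moved the secret to the keystore that means `password` resolves to null and the bind proceeds with `bindDn` but no credential, which some directories accept as an unauthenticated bind. Worth confirming where `settings` originates; if it is not node-level, resolve the secret once in the backend constructor against node settings, and in either case guard the null case, e.g. `if (bindDn != null && password == null) log.warn("bind_dn [{}] set but neither password_secure nor password resolved", bindDn);`. Both getConnection0 and configureSSL start and end outside these hunks.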
diff --git a/src/main/java/org/opensearch/security/auth/ldap/util/ConfigConstants.java b/src/main/java/org/opensearch/security/auth/ldap/util/ConfigConstants.java index eea141eac6..1b8c601fd0 100755 --- a/src/main/java/org/opensearch/security/auth/ldap/util/ConfigConstants.java +++ b/src/main/java/org/opensearch/security/auth/ldap/util/ConfigConstants.java @@ -11,6 +11,8 @@ package org.opensearch.security.auth.ldap.util; +import org.opensearch.security.setting.SecurableLegacySetting; + public final class ConfigConstants { public static final String LDAP_AUTHC_USERBASE = "userbase"; @@ -40,7 +42,6 @@ public final class ConfigConstants { public static final String LDAP_HOSTS = "hosts"; public static final String LDAP_BIND_DN = "bind_dn"; - public static final String LDAP_PASSWORD = "password"; public static final String LDAP_FAKE_LOGIN_ENABLED = "fakelogin_enabled"; public static final String LDAP_SEARCH_ALL_BASES = "search_all_bases"; @@ -64,7 +65,6 @@ public final class ConfigConstants { public static final String LDAPS_PEMKEY_FILEPATH = "pemkey_filepath"; public static final String LDAPS_PEMKEY_CONTENT = "pemkey_content"; - public static final String LDAPS_PEMKEY_PASSWORD = "pemkey_password"; public static final String LDAPS_PEMCERT_FILEPATH = "pemcert_filepath"; public static final String LDAPS_PEMCERT_CONTENT = "pemcert_content"; public static final String LDAPS_PEMTRUSTEDCAS_FILEPATH = "pemtrustedcas_filepath"; @@ -93,6 +93,10 @@ public final class ConfigConstants { public static final String LDAP_POOL_PRUNING_PERIOD = "pool.pruning_period"; public static final String LDAP_POOL_IDLE_TIME = "pool.idle_time"; + // legacy unsecure and secure settings + public static final SecurableLegacySetting LDAP_PASSWORD = new SecurableLegacySetting("password"); + public static final SecurableLegacySetting LDAPS_PEMKEY_PASSWORD = new SecurableLegacySetting("pemkey_password"); + private ConfigConstants() { } 
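Review bot: The comment `// legacy unsecure and secure settings` above the two new `SecurableLegacySetting` constants does not tell a reader which keys are actually consulted; suggest `// bind and PEM key passwords: read from "<name>_secure" in the keystore, falling back to the deprecated plain "<name>" setting`. Changing `LDAP_PASSWORD` and `LDAPS_PEMKEY_PASSWORD` from `String` to `SecurableLegacySetting` also breaks any out-of-tree code that passed them to `settings.get(...)`; the `.insecurePropertyName` migration the tests in this diff perform is the replacement and could be named in that comment.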
diff --git a/src/main/java/org/opensearch/security/auth/ldap2/LDAPConnectionFactoryFactory.java b/src/main/java/org/opensearch/security/auth/ldap2/LDAPConnectionFactoryFactory.java index 441533a629..c5099cda67 100644 --- a/src/main/java/org/opensearch/security/auth/ldap2/LDAPConnectionFactoryFactory.java +++ b/src/main/java/org/opensearch/security/auth/ldap2/LDAPConnectionFactoryFactory.java @@ -184,7 +184,7 @@ private ConnectionInitializer getConnectionInitializer() { BindConnectionInitializer result = new BindConnectionInitializer(); String bindDn = settings.get(ConfigConstants.LDAP_BIND_DN, null); - String password = settings.get(ConfigConstants.LDAP_PASSWORD, null); + String password = ConfigConstants.LDAP_PASSWORD.getSetting(settings); if (password != null && password.length() == 0) { password = null; diff --git a/src/main/java/org/opensearch/security/setting/SecurableLegacySetting.java b/src/main/java/org/opensearch/security/setting/SecurableLegacySetting.java new file mode 100644 index 0000000000..05845258b8 --- /dev/null +++ b/src/main/java/org/opensearch/security/setting/SecurableLegacySetting.java @@ -0,0 +1,99 @@ +/* + * SPDX-License-Identifier: Apache-2.0 + * + * The OpenSearch Contributors require contributions made to + * this file be licensed under the Apache-2.0 license or a + * compatible open source license. + * + * Modifications Copyright OpenSearch Contributors. See + * GitHub history for details. + */ + +package org.opensearch.security.setting; + +import java.util.Optional; + +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; + +import org.opensearch.common.settings.SecureSetting; +import org.opensearch.common.settings.Setting; +import org.opensearch.common.settings.Settings; +import org.opensearch.core.common.settings.SecureString; + +/** + * Wrapper for legacy settings that support a secure variant located in the Keystore. + *
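Review bot: The guard `if (password != null && password.length() == 0) { password = null; }` directly after the new `ConfigConstants.LDAP_PASSWORD.getSetting(settings)` line is now unreachable, because `SecurableLegacySetting.getSetting` (added in this diff) already drops empty values via `.filter(ss -> ss.length() > 0)` and returns the null default. The block can be removed so the reader does not look for a second empty-handling path; if it is kept deliberately, a one-line `// getSetting already maps "" to null` spares the next reader the question. `getConnectionInitializer` continues past the end of the hunk.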

+ * Secure name is the insecure name with "_secure" appended to it. + */ +public class SecurableLegacySetting { + private static final Logger LOG = LogManager.getLogger(SecurableLegacySetting.class); + + public static final String SECURE_SUFFIX = "_secure"; + + public final String insecurePropertyName; + + public final String propertyName; + + public final String defaultValue; + + public SecurableLegacySetting(String insecurePropertyName) { + this(insecurePropertyName, null); + } + + public SecurableLegacySetting(String insecurePropertyName, String defaultValue) { + this(insecurePropertyName, String.format("%s%s", insecurePropertyName, SECURE_SUFFIX), defaultValue); + } + + public SecurableLegacySetting(String insecurePropertyName, String propertyName, String defaultValue) { + super(); + this.insecurePropertyName = insecurePropertyName; + this.propertyName = propertyName; + this.defaultValue = defaultValue; + } + + public Setting asSetting() { + final Setting fallback = new InsecureFallbackStringSetting(this.insecurePropertyName, this.propertyName); + return SecureSetting.secureString(this.propertyName, fallback); + } + + public Setting asInsecureSetting() { + return new InsecureFallbackStringSetting(this.insecurePropertyName, this.propertyName); + } + + public String getSetting(Settings settings) { + return this.getSetting(settings, this.defaultValue); + } + + public String getSetting(Settings settings, String defaultValue) { + return Optional.of(this.asSetting().get(settings)).filter(ss -> ss.length() > 0).map(SecureString::toString).orElse(defaultValue); + } + + /** + * Alternative to InsecureStringSetting, which doesn't raise an exception if allow_insecure_settings is false, but + * instead log.WARNs the violation. 
This is to appease a potential cyclic dependency between commons-utils + */ + private static class InsecureFallbackStringSetting extends Setting { + private final String name; + private final String secureName; + + private InsecureFallbackStringSetting(String name, String secureName) { + super(name, "", s -> new SecureString(s.toCharArray()), Property.Deprecated, Property.Filtered, Property.NodeScope); + this.name = name; + this.secureName = secureName; + } + + public SecureString get(Settings settings) { + if (this.exists(settings)) { + LOG.warn( + "Setting [{}] has a secure counterpart [{}] which should be used instead. Allowing use of {} for legacy setups", + this.name, + this.secureName, + this.name + ); + } + + return super.get(settings); + } + } +} diff --git a/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java b/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java index d6f24c125c..82842e126b 100644 --- a/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java +++ b/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java 
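Review bot: `getSetting` in the new SecurableLegacySetting maps the resolved `SecureString` to an immutable `String` via `SecureString::toString` and never closes it, so the bind and keystore passwords end up on the heap with no way to zero them; the keystore variant therefore protects the secret at rest only, and the class Javadoc should say so. Consider adding an accessor that returns `SecureString` (or `char[]`) so callers such as `PemKeyReader.loadKeyFromStream` can migrate, and close the intermediate in `getSetting` with try-with-resources. Separately, every `getSetting` call builds a fresh `SecureSetting` and reads through the node's SecureSettings; if I remember correctly the OpenSearch keystore is closed once plugins are constructed, and the LDAP callers in this diff resolve the password per connection, so this path should be verified on a node that has fully started. Also `InsecureFallbackStringSetting.get` should carry `@Override`, and the `super();` in the three-argument constructor is redundant.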
@@ -89,18 +89,18 @@ import io.netty.handler.ssl.SslProvider; import io.netty.handler.ssl.SupportedCipherSuiteFilter; -import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD; -import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_HTTP_KEYSTORE_PASSWORD; -import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_HTTP_PEMKEY_PASSWORD; -import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_HTTP_TRUSTSTORE_PASSWORD; -import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_KEYPASSWORD; -import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_PASSWORD; -import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_KEYSTORE_KEYPASSWORD; -import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD; -import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_PEMKEY_PASSWORD; -import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_KEYPASSWORD; -import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_PASSWORD; -import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD; +import static org.opensearch.security.ssl.SecureSSLSettings.SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD; +import static org.opensearch.security.ssl.SecureSSLSettings.SECURITY_SSL_HTTP_KEYSTORE_PASSWORD; +import static org.opensearch.security.ssl.SecureSSLSettings.SECURITY_SSL_HTTP_PEMKEY_PASSWORD; +import static org.opensearch.security.ssl.SecureSSLSettings.SECURITY_SSL_HTTP_TRUSTSTORE_PASSWORD; +import static 
org.opensearch.security.ssl.SecureSSLSettings.SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_KEYPASSWORD; +import static org.opensearch.security.ssl.SecureSSLSettings.SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_PASSWORD; +import static org.opensearch.security.ssl.SecureSSLSettings.SECURITY_SSL_TRANSPORT_KEYSTORE_KEYPASSWORD; +import static org.opensearch.security.ssl.SecureSSLSettings.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD; +import static org.opensearch.security.ssl.SecureSSLSettings.SECURITY_SSL_TRANSPORT_PEMKEY_PASSWORD; +import static org.opensearch.security.ssl.SecureSSLSettings.SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_KEYPASSWORD; +import static org.opensearch.security.ssl.SecureSSLSettings.SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_PASSWORD; +import static org.opensearch.security.ssl.SecureSSLSettings.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD; public class DefaultSecurityKeyStore implements SecurityKeyStore { diff --git a/src/main/java/org/opensearch/security/ssl/SecureSSLSettings.java b/src/main/java/org/opensearch/security/ssl/SecureSSLSettings.java index 5aad07fbdd..559c539b05 100644 --- a/src/main/java/org/opensearch/security/ssl/SecureSSLSettings.java +++ b/src/main/java/org/opensearch/security/ssl/SecureSSLSettings.java @@ -16,17 +16,11 @@ import java.util.Arrays; import java.util.List; -import java.util.Optional; import java.util.stream.Collectors; import java.util.stream.Stream; -import org.apache.logging.log4j.LogManager; -import org.apache.logging.log4j.Logger; - -import org.opensearch.common.settings.SecureSetting; import org.opensearch.common.settings.Setting; -import org.opensearch.common.settings.Settings; -import org.opensearch.core.common.settings.SecureString; +import org.opensearch.security.setting.SecurableLegacySetting; import static org.opensearch.security.ssl.util.SSLConfigConstants.DEFAULT_STORE_PASSWORD; 
@@ -34,97 +28,65 @@ * Container for secured settings (passwords for certs, keystores) and the now deprecated original settings */ public final class SecureSSLSettings { - private static final Logger LOG = LogManager.getLogger(SecureSSLSettings.class); - - public static final String SECURE_SUFFIX = "_secure"; private static final String PREFIX = "plugins.security.ssl"; private static final String HTTP_PREFIX = PREFIX + ".http"; private static final String TRANSPORT_PREFIX = PREFIX + ".transport"; - public enum SSLSetting { - // http settings - SECURITY_SSL_HTTP_PEMKEY_PASSWORD(HTTP_PREFIX + ".pemkey_password"), - SECURITY_SSL_HTTP_KEYSTORE_PASSWORD(HTTP_PREFIX + ".keystore_password"), - SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD(HTTP_PREFIX + ".keystore_keypassword"), - SECURITY_SSL_HTTP_TRUSTSTORE_PASSWORD(HTTP_PREFIX + ".truststore_password", DEFAULT_STORE_PASSWORD), - - // transport settings - SECURITY_SSL_TRANSPORT_PEMKEY_PASSWORD(TRANSPORT_PREFIX + ".pemkey_password"), - SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_PASSWORD(TRANSPORT_PREFIX + ".server.pemkey_password"), - SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_PASSWORD(TRANSPORT_PREFIX + ".client.pemkey_password"), - SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD(TRANSPORT_PREFIX + ".keystore_password"), - SECURITY_SSL_TRANSPORT_KEYSTORE_KEYPASSWORD(TRANSPORT_PREFIX + ".keystore_keypassword"), - SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_KEYPASSWORD(TRANSPORT_PREFIX + ".server.keystore_keypassword"), - SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_KEYPASSWORD(TRANSPORT_PREFIX + ".client.keystore_keypassword"), - SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD(TRANSPORT_PREFIX + ".truststore_password", DEFAULT_STORE_PASSWORD); - - SSLSetting(String insecurePropertyName) { - this(insecurePropertyName, null); - } - - SSLSetting(String insecurePropertyName, String defaultValue) { - this.insecurePropertyName = insecurePropertyName; - this.propertyName = String.format("%s%s", this.insecurePropertyName, SECURE_SUFFIX); - this.defaultValue = 
defaultValue; - } - - public final String insecurePropertyName; - - public final String propertyName; - - public final String defaultValue; - - public Setting asSetting() { - return SecureSetting.secureString(this.propertyName, new InsecureFallbackStringSetting(this.insecurePropertyName)); - } - - public Setting asInsecureSetting() { - return new InsecureFallbackStringSetting(this.insecurePropertyName); - } - - public String getSetting(Settings settings) { - return this.getSetting(settings, this.defaultValue); - } - - public String getSetting(Settings settings, String defaultValue) { - return Optional.of(this.asSetting().get(settings)) - .filter(ss -> ss.length() > 0) - .map(SecureString::toString) - .orElse(defaultValue); - } - } + // http settings + public final static SecurableLegacySetting SECURITY_SSL_HTTP_PEMKEY_PASSWORD = new SecurableLegacySetting( + HTTP_PREFIX + ".pemkey_password" + ); + public final static SecurableLegacySetting SECURITY_SSL_HTTP_KEYSTORE_PASSWORD = new SecurableLegacySetting( + HTTP_PREFIX + ".keystore_password" + ); + public final static SecurableLegacySetting SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD = new SecurableLegacySetting( + HTTP_PREFIX + ".keystore_keypassword" + ); + public final static SecurableLegacySetting SECURITY_SSL_HTTP_TRUSTSTORE_PASSWORD = new SecurableLegacySetting( + HTTP_PREFIX + ".truststore_password", + DEFAULT_STORE_PASSWORD + ); + + // transport settings + public final static SecurableLegacySetting SECURITY_SSL_TRANSPORT_PEMKEY_PASSWORD = new SecurableLegacySetting( + TRANSPORT_PREFIX + ".pemkey_password" + ); + public final static SecurableLegacySetting SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_PASSWORD = new SecurableLegacySetting( + TRANSPORT_PREFIX + ".server.pemkey_password" + ); + public final static SecurableLegacySetting SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_PASSWORD = new SecurableLegacySetting( + TRANSPORT_PREFIX + ".client.pemkey_password" + ); + public final static SecurableLegacySetting 
SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD = new SecurableLegacySetting( + TRANSPORT_PREFIX + ".keystore_password" + ); + public final static SecurableLegacySetting SECURITY_SSL_TRANSPORT_KEYSTORE_KEYPASSWORD = new SecurableLegacySetting( + TRANSPORT_PREFIX + ".keystore_keypassword" + ); + public final static SecurableLegacySetting SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_KEYPASSWORD = new SecurableLegacySetting( + TRANSPORT_PREFIX + ".server.keystore_keypassword" + ); + public final static SecurableLegacySetting SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_KEYPASSWORD = new SecurableLegacySetting( + TRANSPORT_PREFIX + ".client.keystore_keypassword" + ); + public final static SecurableLegacySetting SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD = new SecurableLegacySetting( + TRANSPORT_PREFIX + ".truststore_password", + DEFAULT_STORE_PASSWORD + ); private SecureSSLSettings() {} public static List> getSecureSettings() { - return Arrays.stream(SSLSetting.values()) + return Arrays.stream(SecureSSLSettings.class.getDeclaredFields()) + .filter(field -> SecurableLegacySetting.class.isAssignableFrom(field.getType())) + .map(field -> { + try { + return (SecurableLegacySetting) field.get(null); + } catch (IllegalAccessException e) { + throw new RuntimeException("Unable to access field: " + field.getName(), e); + } + }) .flatMap(setting -> Stream.of(setting.asSetting(), setting.asInsecureSetting())) .collect(Collectors.toList()); } - - /** - * Alternative to InsecureStringSetting, which doesn't raise an exception if allow_insecure_settings is false, but - * instead log.WARNs the violation. 
This is to appease a potential cyclic dependency between commons-utils - */ - private static class InsecureFallbackStringSetting extends Setting { - private final String name; - - private InsecureFallbackStringSetting(String name) { - super(name, "", s -> new SecureString(s.toCharArray()), Property.Deprecated, Property.Filtered, Property.NodeScope); - this.name = name; - } - - public SecureString get(Settings settings) { - if (this.exists(settings)) { - LOG.warn( - "Setting [{}] has a secure counterpart [{}{}] which should be used instead - allowing for legacy SSL setups", - this.name, - this.name, - SECURE_SUFFIX - ); - } - - return super.get(settings); - } - } } diff --git a/src/main/java/org/opensearch/security/ssl/config/SslCertificatesLoader.java b/src/main/java/org/opensearch/security/ssl/config/SslCertificatesLoader.java index 40de2f93f1..7462b0eb3f 100644 --- a/src/main/java/org/opensearch/security/ssl/config/SslCertificatesLoader.java +++ b/src/main/java/org/opensearch/security/ssl/config/SslCertificatesLoader.java @@ -23,8 +23,8 @@ import org.opensearch.common.settings.SecureSetting; import org.opensearch.common.settings.Settings; import org.opensearch.env.Environment; +import org.opensearch.security.setting.SecurableLegacySetting; -import static org.opensearch.security.ssl.SecureSSLSettings.SECURE_SUFFIX; import static org.opensearch.security.ssl.util.SSLConfigConstants.DEFAULT_STORE_PASSWORD; import static org.opensearch.security.ssl.util.SSLConfigConstants.DEFAULT_STORE_TYPE; import static org.opensearch.security.ssl.util.SSLConfigConstants.KEYSTORE_ALIAS; 
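Review bot: `getSecureSettings` in SecureSSLSettings replaces the enum's `values()` with `getDeclaredFields()` reflection, which makes registration depend on every `SecurableLegacySetting` field being `public static`: a future private or instance field fails at plugin load with `IllegalAccessException` or `NullPointerException` from `field.get(null)` instead of at compile time, and `getDeclaredFields()` order is unspecified. An explicit `List.of(SECURITY_SSL_HTTP_PEMKEY_PASSWORD, …)` keeps the registration list reviewable and compile-checked; if reflection stays, add `.filter(field -> Modifier.isStatic(field.getModifiers()))` before the `field.get(null)` call. I believe an unregistered `_secure` key is rejected as unknown at node start, so a silently missing registration would surface as a confusing startup failure rather than a fallback.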
@@ -99,7 +99,7 @@ public Tuple loadConfiguration(f } private char[] resolvePassword(final String legacyPasswordSettings, final Settings settings, final String defaultPassword) { - final var securePasswordSetting = String.format("%s%s", legacyPasswordSettings, SECURE_SUFFIX); + final var securePasswordSetting = String.format("%s%s", legacyPasswordSettings, SecurableLegacySetting.SECURE_SUFFIX); final var securePassword = SecureSetting.secureString(securePasswordSetting, null).get(settings); final var legacyPassword = settings.get(legacyPasswordSettings, defaultPassword); if (!securePassword.isEmpty() && legacyPassword != null && !legacyPassword.equals(defaultPassword)) { diff --git a/src/main/java/org/opensearch/security/ssl/util/SSLRequestHelper.java b/src/main/java/org/opensearch/security/ssl/util/SSLRequestHelper.java index fe9bd50dd5..36ae2b22e1 100644 --- a/src/main/java/org/opensearch/security/ssl/util/SSLRequestHelper.java +++ b/src/main/java/org/opensearch/security/ssl/util/SSLRequestHelper.java @@ -47,7 +47,7 @@ import org.opensearch.security.ssl.transport.PrincipalExtractor; import org.opensearch.security.ssl.transport.PrincipalExtractor.Type; -import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_HTTP_TRUSTSTORE_PASSWORD; +import static org.opensearch.security.ssl.SecureSSLSettings.SECURITY_SSL_HTTP_TRUSTSTORE_PASSWORD; public class SSLRequestHelper { diff --git a/src/main/java/org/opensearch/security/util/SettingsBasedSSLConfigurator.java b/src/main/java/org/opensearch/security/util/SettingsBasedSSLConfigurator.java index 0ec161c64a..75dd2bd332 100644 --- a/src/main/java/org/opensearch/security/util/SettingsBasedSSLConfigurator.java +++ b/src/main/java/org/opensearch/security/util/SettingsBasedSSLConfigurator.java 
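Review bot: `resolvePassword` in SslCertificatesLoader still derives the secure key by hand with `String.format("%s%s", legacyPasswordSettings, SecurableLegacySetting.SECURE_SUFFIX)` and re-implements the secure/legacy lookup that `SecurableLegacySetting` now owns, so the two resolution paths can drift: this one appears to treat a secure-plus-legacy conflict specially in the visible `if`, while `getSetting` simply prefers the secure value. Consider accepting a `SecurableLegacySetting` here and using `setting.propertyName` for the secure key, or moving the conflict check into the shared class so both callers enforce the same rule. The method body continues past the end of the hunk.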
@@ -47,8 +47,8 @@ import org.opensearch.security.ssl.util.SSLConfigConstants; import org.opensearch.security.support.PemKeyReader; -import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD; -import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD; +import static org.opensearch.security.ssl.SecureSSLSettings.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD; +import static org.opensearch.security.ssl.SecureSSLSettings.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD; public class SettingsBasedSSLConfigurator { private static final Logger log = LogManager.getLogger(SettingsBasedSSLConfigurator.class); diff --git a/src/main/java/org/opensearch/security/util/SettingsBasedSSLConfiguratorV4.java b/src/main/java/org/opensearch/security/util/SettingsBasedSSLConfiguratorV4.java index ea170878f4..90f96a06bd 100644 --- a/src/main/java/org/opensearch/security/util/SettingsBasedSSLConfiguratorV4.java +++ b/src/main/java/org/opensearch/security/util/SettingsBasedSSLConfiguratorV4.java @@ -48,8 +48,8 @@ import org.opensearch.security.ssl.util.SSLConfigConstants; import org.opensearch.security.support.PemKeyReader; -import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD; -import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD; +import static org.opensearch.security.ssl.SecureSSLSettings.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD; +import static org.opensearch.security.ssl.SecureSSLSettings.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD; public class SettingsBasedSSLConfiguratorV4 { private static final Logger log = LogManager.getLogger(SettingsBasedSSLConfigurator.class); diff --git a/src/test/java/org/opensearch/security/auth/ldap/LdapBackendTest.java b/src/test/java/org/opensearch/security/auth/ldap/LdapBackendTest.java index 553befc5a6..2152565185 100755 
--- a/src/test/java/org/opensearch/security/auth/ldap/LdapBackendTest.java +++ b/src/test/java/org/opensearch/security/auth/ldap/LdapBackendTest.java @@ -23,6 +23,7 @@ import org.junit.Test; import org.opensearch.OpenSearchSecurityException; +import org.opensearch.common.settings.MockSecureSettings; import org.opensearch.common.settings.Settings; import org.opensearch.security.auth.ldap.backend.LDAPAuthenticationBackend; import org.opensearch.security.auth.ldap.backend.LDAPAuthorizationBackend; @@ -116,7 +117,27 @@ public void testLdapAuthenticationBindDn() throws Exception { .put(ConfigConstants.LDAP_AUTHC_USERSEARCH, "(uid={0})") .put(ConfigConstants.LDAP_AUTHC_USERBASE, "ou=people,o=TEST") .put(ConfigConstants.LDAP_BIND_DN, "cn=Captain Spock,ou=people,o=TEST") - .put(ConfigConstants.LDAP_PASSWORD, "spocksecret") + .put(ConfigConstants.LDAP_PASSWORD.insecurePropertyName, "spocksecret") + .build(); + + final LdapUser user = (LdapUser) new LDAPAuthenticationBackend(settings, null).authenticate( + new AuthCredentials("jacksonm", "secret".getBytes(StandardCharsets.UTF_8)) + ); + Assert.assertNotNull(user); + assertThat(user.getName(), is("cn=Michael Jackson,ou=people,o=TEST")); + } + + @Test + public void testLdapAuthenticationBindDnWithSecurePassword() throws Exception { + final var mockSecureSettings = new MockSecureSettings(); + mockSecureSettings.setString(ConfigConstants.LDAP_PASSWORD.propertyName, "spocksecret"); + + final Settings settings = Settings.builder() + .putList(ConfigConstants.LDAP_HOSTS, "localhost:" + ldapPort) + .put(ConfigConstants.LDAP_AUTHC_USERSEARCH, "(uid={0})") + .put(ConfigConstants.LDAP_AUTHC_USERBASE, "ou=people,o=TEST") + .put(ConfigConstants.LDAP_BIND_DN, "cn=Captain Spock,ou=people,o=TEST") + .setSecureSettings(mockSecureSettings) .build(); final LdapUser user = (LdapUser) new LDAPAuthenticationBackend(settings, null).authenticate( 
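Review bot: `testLdapAuthenticationBindDnWithSecurePassword` exercises the secure variant only in isolation; the case the fallback logic exists for — `password_secure` in `MockSecureSettings` together with a plain `password` — is not tested, so precedence is unpinned. A sibling test that adds `.put(ConfigConstants.LDAP_PASSWORD.insecurePropertyName, "wrong")` next to the mock secure `spocksecret` and asserts the bind still succeeds would cover it, as would a test for `LDAPS_PEMKEY_PASSWORD`, which this diff migrates but does not exercise. The test method continues past the end of the hunk.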
@@ -134,7 +155,7 @@ public void testLdapAuthenticationWrongBindDn() throws Exception { .put(ConfigConstants.LDAP_AUTHC_USERSEARCH, "(uid={0})") .put(ConfigConstants.LDAP_AUTHC_USERBASE, "ou=people,o=TEST") .put(ConfigConstants.LDAP_BIND_DN, "cn=Captain Spock,ou=people,o=TEST") - .put(ConfigConstants.LDAP_PASSWORD, "wrong") + .put(ConfigConstants.LDAP_PASSWORD.insecurePropertyName, "wrong") .build(); new LDAPAuthenticationBackend(settings, null).authenticate( diff --git a/src/test/java/org/opensearch/security/auth/ldap/LdapBackendTestClientCert.java b/src/test/java/org/opensearch/security/auth/ldap/LdapBackendTestClientCert.java index 7d5cd60bee..adf9ca5836 100644 --- a/src/test/java/org/opensearch/security/auth/ldap/LdapBackendTestClientCert.java +++ b/src/test/java/org/opensearch/security/auth/ldap/LdapBackendTestClientCert.java @@ -154,7 +154,7 @@ public void testBindDnAuthLocalhost() throws Exception { .put(ConfigConstants.LDAP_AUTHC_USERBASE, "ou=people,dc=example,dc=com") .put(ConfigConstants.LDAP_AUTHC_USERNAME_ATTRIBUTE, "uid") .put(ConfigConstants.LDAP_BIND_DN, "cn=ldapbinder,ou=people,dc=example,dc=com") - .put(ConfigConstants.LDAP_PASSWORD, "ldapbinder") + .put(ConfigConstants.LDAP_PASSWORD.insecurePropertyName, "ldapbinder") .put("path.home", ".") .build(); diff --git a/src/test/java/org/opensearch/security/auth/ldap/LdapBackendTestNewStyleConfig.java b/src/test/java/org/opensearch/security/auth/ldap/LdapBackendTestNewStyleConfig.java index c5e70a68dc..df120710fe 100644 --- a/src/test/java/org/opensearch/security/auth/ldap/LdapBackendTestNewStyleConfig.java +++ b/src/test/java/org/opensearch/security/auth/ldap/LdapBackendTestNewStyleConfig.java 
@@ -116,7 +116,7 @@ public void testLdapAuthenticationBindDn() throws Exception { .put("users.u1.search", "(uid={0})") .put("users.u1.base", "ou=people,o=TEST") .put(ConfigConstants.LDAP_BIND_DN, "cn=Captain Spock,ou=people,o=TEST") - .put(ConfigConstants.LDAP_PASSWORD, "spocksecret") + .put(ConfigConstants.LDAP_PASSWORD.insecurePropertyName, "spocksecret") .build(); final LdapUser user = (LdapUser) new LDAPAuthenticationBackend(settings, null).authenticate( @@ -134,7 +134,7 @@ public void testLdapAuthenticationWrongBindDn() throws Exception { .put("users.u1.search", "(uid={0})") .put("users.u1.base", "ou=people,o=TEST") .put(ConfigConstants.LDAP_BIND_DN, "cn=Captain Spock,ou=people,o=TEST") - .put(ConfigConstants.LDAP_PASSWORD, "wrong") + .put(ConfigConstants.LDAP_PASSWORD.insecurePropertyName, "wrong") .build(); new LDAPAuthenticationBackend(settings, null).authenticate( diff --git a/src/test/java/org/opensearch/security/auth/ldap2/LdapBackendTestClientCert2.java b/src/test/java/org/opensearch/security/auth/ldap2/LdapBackendTestClientCert2.java index bc42dce764..95521178bc 100644 --- a/src/test/java/org/opensearch/security/auth/ldap2/LdapBackendTestClientCert2.java +++ b/src/test/java/org/opensearch/security/auth/ldap2/LdapBackendTestClientCert2.java @@ -156,7 +156,7 @@ public void testBindDnAuthLocalhost() throws Exception { .put(ConfigConstants.LDAP_AUTHC_USERBASE, "ou=people,dc=example,dc=com") .put(ConfigConstants.LDAP_AUTHC_USERNAME_ATTRIBUTE, "uid") .put(ConfigConstants.LDAP_BIND_DN, "cn=ldapbinder,ou=people,dc=example,dc=com") - .put(ConfigConstants.LDAP_PASSWORD, "ldapbinder") + .put(ConfigConstants.LDAP_PASSWORD.insecurePropertyName, "ldapbinder") .put("path.home", ".") .build(); diff --git a/src/test/java/org/opensearch/security/auth/ldap2/LdapBackendTestNewStyleConfig2.java b/src/test/java/org/opensearch/security/auth/ldap2/LdapBackendTestNewStyleConfig2.java index 56dfd2bd09..3a374dc6bc 100644 
--- a/src/test/java/org/opensearch/security/auth/ldap2/LdapBackendTestNewStyleConfig2.java +++ b/src/test/java/org/opensearch/security/auth/ldap2/LdapBackendTestNewStyleConfig2.java @@ -138,7 +138,7 @@ public void testLdapAuthenticationBindDn() throws Exception { .put("users.u1.search", "(uid={0})") .put("users.u1.base", "ou=people,o=TEST") .put(ConfigConstants.LDAP_BIND_DN, "cn=Captain Spock,ou=people,o=TEST") - .put(ConfigConstants.LDAP_PASSWORD, "spocksecret") + .put(ConfigConstants.LDAP_PASSWORD.insecurePropertyName, "spocksecret") .build(); final LdapUser user = (LdapUser) new LDAPAuthenticationBackend2(settings, null).authenticate( @@ -156,7 +156,7 @@ public void testLdapAuthenticationWrongBindDn() throws Exception { .put("users.u1.search", "(uid={0})") .put("users.u1.base", "ou=people,o=TEST") .put(ConfigConstants.LDAP_BIND_DN, "cn=Captain Spock,ou=people,o=TEST") - .put(ConfigConstants.LDAP_PASSWORD, "wrong") + .put(ConfigConstants.LDAP_PASSWORD.insecurePropertyName, "wrong") .build(); new LDAPAuthenticationBackend2(settings, null).authenticate( diff --git a/src/test/java/org/opensearch/security/auth/ldap2/LdapBackendTestOldStyleConfig2.java b/src/test/java/org/opensearch/security/auth/ldap2/LdapBackendTestOldStyleConfig2.java index fd5beec5cd..3ec8199d4d 100755 --- a/src/test/java/org/opensearch/security/auth/ldap2/LdapBackendTestOldStyleConfig2.java +++ b/src/test/java/org/opensearch/security/auth/ldap2/LdapBackendTestOldStyleConfig2.java @@ -154,7 +154,7 @@ public void testLdapAuthenticationBindDn() throws Exception { .put(ConfigConstants.LDAP_AUTHC_USERSEARCH, "(uid={0})") .put(ConfigConstants.LDAP_AUTHC_USERBASE, "ou=people,o=TEST") .put(ConfigConstants.LDAP_BIND_DN, "cn=Captain Spock,ou=people,o=TEST") - .put(ConfigConstants.LDAP_PASSWORD, "spocksecret") + .put(ConfigConstants.LDAP_PASSWORD.insecurePropertyName, "spocksecret") .build(); final LdapUser user = (LdapUser) new LDAPAuthenticationBackend2(settings, null).authenticate( 
@@ -171,7 +171,7 @@ public void testLdapAuthenticationWrongBindDn() throws Exception {
 .put(ConfigConstants.LDAP_AUTHC_USERSEARCH, "(uid={0})")
 .put(ConfigConstants.LDAP_AUTHC_USERBASE, "ou=people,o=TEST")
 .put(ConfigConstants.LDAP_BIND_DN, "cn=Captain Spock,ou=people,o=TEST")
- .put(ConfigConstants.LDAP_PASSWORD, "wrong")
+ .put(ConfigConstants.LDAP_PASSWORD.insecurePropertyName, "wrong")
 .build();
 new LDAPAuthenticationBackend2(settings, null).authenticate(
diff --git a/src/test/java/org/opensearch/security/sanity/tests/SecurityRestTestCase.java b/src/test/java/org/opensearch/security/sanity/tests/SecurityRestTestCase.java
index 0511afc5da..e97fec2e5b 100644
--- a/src/test/java/org/opensearch/security/sanity/tests/SecurityRestTestCase.java
+++ b/src/test/java/org/opensearch/security/sanity/tests/SecurityRestTestCase.java
@@ -28,8 +28,8 @@
 import org.opensearch.commons.rest.SecureRestClientBuilder;
 import org.opensearch.test.rest.OpenSearchRestTestCase;
-import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD;
-import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_HTTP_KEYSTORE_PASSWORD;
+import static org.opensearch.security.ssl.SecureSSLSettings.SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD;
+import static org.opensearch.security.ssl.SecureSSLSettings.SECURITY_SSL_HTTP_KEYSTORE_PASSWORD;
 import static org.opensearch.security.ssl.util.SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED;
 import static org.opensearch.security.ssl.util.SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH;
 import static org.opensearch.security.ssl.util.SSLConfigConstants.SECURITY_SSL_HTTP_PEMCERT_FILEPATH;
diff --git a/src/test/java/org/opensearch/security/setting/SecurableLegacySettingTest.java b/src/test/java/org/opensearch/security/setting/SecurableLegacySettingTest.java
new file mode 100644
index 0000000000..a325479cc6
--- /dev/null
+++ b/src/test/java/org/opensearch/security/setting/SecurableLegacySettingTest.java 
@@ -0,0 +1,60 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+package org.opensearch.security.setting;
+
+import org.junit.Test;
+
+import org.opensearch.common.settings.MockSecureSettings;
+import org.opensearch.common.settings.Settings;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.is;
+
+public class SecurableLegacySettingTest {
+ private final String settingName = "test.setting";
+ private final SecurableLegacySetting secureSetting = new SecurableLegacySetting(settingName);
+
+ @Test
+ public void testSettingNames() {
+ assertThat(secureSetting.propertyName, is(settingName + SecurableLegacySetting.SECURE_SUFFIX));
+ assertThat(secureSetting.insecurePropertyName, is(settingName));
+ }
+
+ @Test
+ public void testGetSecureSetting() {
+ final var mockSecureSettings = new MockSecureSettings();
+
+ mockSecureSettings.setString(secureSetting.propertyName, "test-password");
+ final var settings = Settings.builder().setSecureSettings(mockSecureSettings).build();
+ final var password = secureSetting.getSetting(settings);
+ assertThat(password, is("test-password"));
+ }
+
+ @Test
+ public void testGetInsecureSetting() {
+ final var settings = Settings.builder().put(settingName, "test-password").build();
+ final var password = secureSetting.getSetting(settings);
+ assertThat(password, is("test-password"));
+ }
+
+ @Test
+ public void testShouldFavorSecureOverInsecureSetting() {
+ final var mockSecureSettings = new MockSecureSettings();
+ mockSecureSettings.setString(secureSetting.propertyName, "secure-password");
+ final var settings = Settings.builder()
+ .setSecureSettings(mockSecureSettings)
+ .put(secureSetting.insecurePropertyName, "insecure-password")
+ .build();
+ final var password = secureSetting.getSetting(settings);
+ assertThat(password, is("secure-password"));
+ }
+}
diff --git a/src/test/java/org/opensearch/security/ssl/SSLTest.java b/src/test/java/org/opensearch/security/ssl/SSLTest.java
index 598655fbea..31ee938fb5 100644
--- a/src/test/java/org/opensearch/security/ssl/SSLTest.java
+++ b/src/test/java/org/opensearch/security/ssl/SSLTest.java
@@ -63,12 +63,12 @@
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.is;
-import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD;
-import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_HTTP_PEMKEY_PASSWORD;
-import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_KEYSTORE_KEYPASSWORD;
-import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD;
-import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_PEMKEY_PASSWORD;
-import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD;
+import static org.opensearch.security.ssl.SecureSSLSettings.SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD;
+import static org.opensearch.security.ssl.SecureSSLSettings.SECURITY_SSL_HTTP_PEMKEY_PASSWORD;
+import static org.opensearch.security.ssl.SecureSSLSettings.SECURITY_SSL_TRANSPORT_KEYSTORE_KEYPASSWORD;
+import static org.opensearch.security.ssl.SecureSSLSettings.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD;
+import static org.opensearch.security.ssl.SecureSSLSettings.SECURITY_SSL_TRANSPORT_PEMKEY_PASSWORD;
+import static org.opensearch.security.ssl.SecureSSLSettings.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD;
 @SuppressWarnings({ "resource", "unchecked" })
 public class SSLTest extends SingleClusterTest {
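Review bot: SecurableLegacySettingTest never covers the case where neither the secure nor the insecure property is configured, which is the branch a caller depends on to decide whether a password was supplied at all; `testGetSecureSetting` and `testGetInsecureSetting` only check presence. Add a test that calls `secureSetting.getSetting(Settings.EMPTY)` and pins the absent-value result the class contracts (the page does not show whether that is null or an empty string), and, if a default-value overload of `getSetting` exists, one that checks the default is returned when both properties are absent. As a point of style, `testGetInsecureSetting` puts the value under the raw `settingName` while `testShouldFavorSecureOverInsecureSetting` uses `secureSetting.insecurePropertyName`; using `secureSetting.insecurePropertyName` in both keeps each test reading through the class's own key.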
diff --git a/src/test/java/org/opensearch/security/ssl/SecureSSLSettingsTest.java b/src/test/java/org/opensearch/security/ssl/SecureSSLSettingsTest.java
index f68f28db27..6e6b8f0fe1 100644
--- a/src/test/java/org/opensearch/security/ssl/SecureSSLSettingsTest.java
+++ b/src/test/java/org/opensearch/security/ssl/SecureSSLSettingsTest.java
@@ -7,13 +7,6 @@
 import org.junit.Assert;
 import org.junit.Test;
-import org.opensearch.common.settings.MockSecureSettings;
-import org.opensearch.common.settings.Settings;
-
-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.Matchers.is;
-import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_HTTP_PEMKEY_PASSWORD;
-
 public class SecureSSLSettingsTest {
 @Test
 public void testGetSettings() {
@@ -21,32 +14,4 @@ public void testGetSettings() {
 Assert.assertNotNull(settings);
 Assert.assertTrue(settings.size() > 0);
 }
-
- @Test
- public void testGetSecureSetting() {
- final var mockSecureSettings = new MockSecureSettings();
- mockSecureSettings.setString(SECURITY_SSL_HTTP_PEMKEY_PASSWORD.propertyName, "test-password");
- final var settings = Settings.builder().setSecureSettings(mockSecureSettings).build();
- final var password = SECURITY_SSL_HTTP_PEMKEY_PASSWORD.getSetting(settings);
- assertThat(password, is("test-password"));
- }
-
- @Test
- public void testGetInsecureSetting() {
- final var settings = Settings.builder().put(SECURITY_SSL_HTTP_PEMKEY_PASSWORD.insecurePropertyName, "test-password").build();
- final var password = SECURITY_SSL_HTTP_PEMKEY_PASSWORD.getSetting(settings);
- assertThat(password, is("test-password"));
- }
-
- @Test
- public void testShouldFavorSecureOverInsecureSetting() {
- final var mockSecureSettings = new MockSecureSettings();
- mockSecureSettings.setString(SECURITY_SSL_HTTP_PEMKEY_PASSWORD.propertyName, "secure-password");
- final var settings = Settings.builder()
- .setSecureSettings(mockSecureSettings)
- .put(SECURITY_SSL_HTTP_PEMKEY_PASSWORD.insecurePropertyName, "insecure-password")
- .build();
- final var password = SECURITY_SSL_HTTP_PEMKEY_PASSWORD.getSetting(settings);
- assertThat(password, is("secure-password"));
- }
 }
diff --git a/src/test/java/org/opensearch/security/util/SettingsBasedSSLConfiguratorV4Test.java b/src/test/java/org/opensearch/security/util/SettingsBasedSSLConfiguratorV4Test.java
index 5bcdea2231..8d689bf8ed 100644
--- a/src/test/java/org/opensearch/security/util/SettingsBasedSSLConfiguratorV4Test.java
+++ b/src/test/java/org/opensearch/security/util/SettingsBasedSSLConfiguratorV4Test.java
@@ -71,7 +71,7 @@
 import static org.hamcrest.CoreMatchers.either;
 import static org.hamcrest.CoreMatchers.instanceOf;
-import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD;
+import static org.opensearch.security.ssl.SecureSSLSettings.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD;
 public class SettingsBasedSSLConfiguratorV4Test {