Add infrastructure for elasticsearch keystore #22335
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,86 @@ | ||
| /* | ||
| * Licensed to Elasticsearch under one or more contributor | ||
| * license agreements. See the NOTICE file distributed with | ||
| * this work for additional information regarding copyright | ||
| * ownership. Elasticsearch licenses this file to you under | ||
| * the Apache License, Version 2.0 (the "License"); you may | ||
| * not use this file except in compliance with the License. | ||
| * You may obtain a copy of the License at | ||
| * | ||
| * http://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, | ||
| * software distributed under the License is distributed on an | ||
| * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | ||
| * KIND, either express or implied. See the License for the | ||
| * specific language governing permissions and limitations | ||
| * under the License. | ||
| */ | ||
|
|
||
| package org.elasticsearch.common.settings; | ||
|
|
||
| import java.io.BufferedReader; | ||
| import java.io.InputStream; | ||
| import java.io.InputStreamReader; | ||
| import java.nio.charset.StandardCharsets; | ||
| import java.util.Arrays; | ||
|
|
||
| import joptsimple.OptionSet; | ||
| import joptsimple.OptionSpec; | ||
| import org.elasticsearch.cli.EnvironmentAwareCommand; | ||
| import org.elasticsearch.cli.ExitCodes; | ||
| import org.elasticsearch.cli.Terminal; | ||
| import org.elasticsearch.cli.UserException; | ||
| import org.elasticsearch.env.Environment; | ||
|
|
||
| /** | ||
| * A subcommand for the keystore cli which adds a string setting. | ||
| */ | ||
| class AddStringKeyStoreCommand extends EnvironmentAwareCommand { | ||
|
|
||
| private final OptionSpec<Void> stdinOption; | ||
| private final OptionSpec<Void> forceOption; | ||
| private final OptionSpec<String> arguments; | ||
|
|
||
| AddStringKeyStoreCommand() { | ||
| super("Add a string setting to the keystore"); | ||
| this.stdinOption = parser.acceptsAll(Arrays.asList("x", "stdin"), "Read setting value from stdin"); | ||
| this.forceOption = parser.acceptsAll(Arrays.asList("f", "force"), "Overwrite existing setting without prompting"); | ||
| this.arguments = parser.nonOptions("setting name"); | ||
| } | ||
|
|
||
| // pkg private so tests can manipulate | ||
| InputStream getStdin() { | ||
| return System.in; | ||
| } | ||
|
|
||
| @Override | ||
| protected void execute(Terminal terminal, OptionSet options, Environment env) throws Exception { | ||
| KeyStoreWrapper keystore = KeyStoreWrapper.loadMetadata(env.configFile()); | ||
| if (keystore == null) { | ||
|
There was a problem hiding this comment. More of a user friendliness / usability aspect, but it would be great if we invoked the CreateKeyStoreCommand here. It is pretty minor since the create command would ideally only be run once. There was a problem hiding this comment. I don't think we should. I would rather it be an error and explicit rather than magic/leniency. There was a problem hiding this comment. That's also fine with me. It's not a big deal since it's probably a one time only operation |
||
| throw new UserException(ExitCodes.DATA_ERROR, "Elasticsearch keystore not found. Use 'create' command to create one."); | ||
| } | ||
|
|
||
| keystore.loadKeystore(new char[0] /* TODO: prompt for password when they are supported */); | ||
|
|
||
| String setting = arguments.value(options); | ||
| if (keystore.getSettings().contains(setting) && options.has(forceOption) == false) { | ||
| String answer = terminal.readText("Setting " + setting + " already exists. Overwrite? [y/N]"); | ||
| if (answer.equals("y") == false) { | ||
|
There was a problem hiding this comment. Another minor thing from a usability standpoint, can we check the input and make sure it was either |
||
| terminal.println("Exiting without modifying keystore."); | ||
| return; | ||
| } | ||
| } | ||
|
|
||
| final char[] value; | ||
| if (options.has(stdinOption)) { | ||
| BufferedReader stdinReader = new BufferedReader(new InputStreamReader(getStdin(), StandardCharsets.UTF_8)); | ||
| value = stdinReader.readLine().toCharArray(); | ||
| } else { | ||
| value = terminal.readSecret("Enter value for " + setting + ": "); | ||
| } | ||
|
|
||
| keystore.setStringSetting(setting, value); | ||
| keystore.save(env.configFile()); | ||
| } | ||
| } | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,62 @@ | ||
| /* | ||
| * Licensed to Elasticsearch under one or more contributor | ||
| * license agreements. See the NOTICE file distributed with | ||
| * this work for additional information regarding copyright | ||
| * ownership. Elasticsearch licenses this file to you under | ||
| * the Apache License, Version 2.0 (the "License"); you may | ||
| * not use this file except in compliance with the License. | ||
| * You may obtain a copy of the License at | ||
| * | ||
| * http://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, | ||
| * software distributed under the License is distributed on an | ||
| * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | ||
| * KIND, either express or implied. See the License for the | ||
| * specific language governing permissions and limitations | ||
| * under the License. | ||
| */ | ||
|
|
||
| package org.elasticsearch.common.settings; | ||
|
|
||
| import java.nio.file.Files; | ||
| import java.nio.file.Path; | ||
|
|
||
| import joptsimple.OptionSet; | ||
| import org.elasticsearch.cli.EnvironmentAwareCommand; | ||
| import org.elasticsearch.cli.Terminal; | ||
| import org.elasticsearch.env.Environment; | ||
|
|
||
| /** | ||
| * A subcommand for the keystore cli to create a new keystore. | ||
| */ | ||
| class CreateKeyStoreCommand extends EnvironmentAwareCommand { | ||
|
|
||
|
|
||
| CreateKeyStoreCommand() { | ||
| super("Creates a new elasticsearch keystore"); | ||
| } | ||
|
|
||
| @Override | ||
| protected void execute(Terminal terminal, OptionSet options, Environment env) throws Exception { | ||
| Path keystoreFile = KeyStoreWrapper.keystorePath(env.configFile()); | ||
| if (Files.exists(keystoreFile)) { | ||
| String answer = terminal.readText("An elasticsearch keystore already exists. Overwrite? [y/N] "); | ||
| if (answer.equals("y") == false) { | ||
| terminal.println("Exiting without creating keystore."); | ||
| return; | ||
| } | ||
| } | ||
|
|
||
|
|
||
| char[] password = new char[0];// terminal.readSecret("Enter passphrase (empty for no passphrase): "); | ||
| /* TODO: uncomment when entering passwords on startup is supported | ||
| char[] passwordRepeat = terminal.readSecret("Enter same passphrase again: "); | ||
| if (Arrays.equals(password, passwordRepeat) == false) { | ||
| throw new UserException(ExitCodes.DATA_ERROR, "Passphrases are not equal, exiting."); | ||
| }*/ | ||
|
|
||
| KeyStoreWrapper keystore = KeyStoreWrapper.create(password); | ||
| keystore.save(env.configFile()); | ||
| terminal.println("Created elasticsearch keystore in " + env.configFile()); | ||
| } | ||
| } | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,41 @@ | ||
| /* | ||
| * Licensed to Elasticsearch under one or more contributor | ||
| * license agreements. See the NOTICE file distributed with | ||
| * this work for additional information regarding copyright | ||
| * ownership. Elasticsearch licenses this file to you under | ||
| * the Apache License, Version 2.0 (the "License"); you may | ||
| * not use this file except in compliance with the License. | ||
| * You may obtain a copy of the License at | ||
| * | ||
| * http://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, | ||
| * software distributed under the License is distributed on an | ||
| * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | ||
| * KIND, either express or implied. See the License for the | ||
| * specific language governing permissions and limitations | ||
| * under the License. | ||
| */ | ||
|
|
||
| package org.elasticsearch.common.settings; | ||
|
|
||
| import org.elasticsearch.cli.MultiCommand; | ||
| import org.elasticsearch.cli.Terminal; | ||
|
|
||
| /** | ||
| * A cli tool for managing secrets in the elasticsearch keystore. | ||
| */ | ||
| public class KeyStoreCli extends MultiCommand { | ||
|
|
||
| private KeyStoreCli() { | ||
| super("A tool for managing settings stored in the elasticsearch keystore"); | ||
| subcommands.put("create", new CreateKeyStoreCommand()); | ||
| subcommands.put("list", new ListKeyStoreCommand()); | ||
| subcommands.put("add", new AddStringKeyStoreCommand()); | ||
| subcommands.put("remove", new RemoveSettingKeyStoreCommand()); | ||
| } | ||
|
|
||
| public static void main(String[] args) throws Exception { | ||
| exit(new KeyStoreCli().main(args, Terminal.DEFAULT)); | ||
| } | ||
| } |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
final?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These can't be final because they are subclassed in tests in order to manipulate eg the environment the command runs with.