Class KeyStoreWrapper

java.lang.Object
org.elasticsearch.common.settings.KeyStoreWrapper
All Implemented Interfaces:
java.io.Closeable, java.lang.AutoCloseable, SecureSettings

public class KeyStoreWrapper
extends java.lang.Object
implements SecureSettings
A disk-based container for sensitive settings in Elasticsearch. Loading a keystore has two phases. First, call load(Path). Then call decrypt(char[]) with the keystore password, or an empty char array if hasPassword() is false. Loading and decrypting should happen in a single thread. Once decrypted, settings may be read in multiple threads.
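The two-phase lifecycle just described, as an added example written against the methods listed on this page (it is not code from Elasticsearch itself). The config directory and setting name are placeholders, and it assumes SecureString is an AutoCloseable CharSequence, as the getString() contract ("should be closed once it is used") implies.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.Objects;
import org.elasticsearch.common.settings.KeyStoreWrapper;
import org.elasticsearch.common.settings.SecureString;

// Added example, not part of the Elasticsearch Javadoc. Assumes SecureString is a
// CharSequence that implements AutoCloseable (the getString() contract says to close it).
public final class KeystoreLifecycleExample {
    public static void main(String[] args) throws Exception {
        Path configDir = Paths.get(args.length > 0 ? args[0] : "/etc/elasticsearch"); // hypothetical dir
        String settingName = args.length > 1 ? args[1] : "bootstrap.password";         // assumed to exist
        // Phase 1: read keystore metadata only. load() returns null when no keystore file exists.
        KeyStoreWrapper keystore = KeyStoreWrapper.load(configDir);
        if (keystore == null) {
            System.err.println("no keystore at " + KeyStoreWrapper.keystorePath(configDir));
            return;
        }
        // Phase 2: decrypt exactly once, on this thread. Prompt only when a password is
        // required; otherwise the documented contract is to pass an empty char array.
        char[] password = new char[0];
        if (keystore.hasPassword()) {
            java.io.Console console = Objects.requireNonNull(System.console(), "no console to prompt on");
            password = console.readPassword("Enter keystore password: ");
        }
        try {
            keystore.decrypt(password);
        } finally {
            Arrays.fill(password, '\0'); // do not leave the password lingering in heap memory
        }
        byte[] digestWhileOpen;
        try (keystore) { // KeyStoreWrapper is Closeable; Java 9+ try-with-resources on a final variable
            KeyStoreWrapper.validateSettingName(settingName); // throws IllegalArgumentException if not allowed
            if (!keystore.isLoaded() || !keystore.getSettingNames().contains(settingName)) {
                throw new IllegalArgumentException(settingName + " is not readable from this keystore");
            }
            // Values are readable now (from any thread); close the SecureString as soon as it is used.
            try (SecureString value = keystore.getString(settingName)) {
                System.out.println(settingName + " has " + value.length() + " characters");
            }
            digestWhileOpen = keystore.getSHA256Digest(settingName);
        }

        // After close(): setting names and digests stay available, values do not. Comparing digests
        // lets a reload path detect a changed value without ever retaining the secret itself.
        boolean unchanged = Arrays.equals(digestWhileOpen, keystore.getSHA256Digest(settingName));
        System.out.println(settingName + " unchanged since decrypt: " + unchanged);
    }
}
```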
  • Field Summary

    Fields
    Modifier and Type Field Description
    static Setting<SecureString> SEED_SETTING  
  • Method Summary

    Modifier and Type Method Description
    static void addBootstrapSeed(KeyStoreWrapper wrapper)
    Add the bootstrap seed setting, which may be used as a unique, secure, random value by the node
    void close()
    static KeyStoreWrapper create()
    Constructs a new keystore with the given password.
    void decrypt(char[] password)
    Decrypts the underlying keystore data.
    java.io.InputStream getFile(java.lang.String setting)
    Return a file setting.
    int getFormatVersion()
    Get the metadata format version for the keystore
    java.util.Set<java.lang.String> getSettingNames()
    It is possible to retrieve the setting names even if the keystore is closed.
    byte[] getSHA256Digest(java.lang.String setting)
    Returns the SHA256 digest for the setting's value, even after close() has been called.
    SecureString getString(java.lang.String setting)
    Return a string setting.
    boolean hasPassword()
    Return true iff calling decrypt(char[]) requires a non-empty password.
    boolean isLoaded()
    Returns true iff the settings are loaded and retrievable.
    static java.nio.file.Path keystorePath(java.nio.file.Path configDir)
    Returns a path representing the ES keystore in the given config dir.
    static KeyStoreWrapper load(java.nio.file.Path configDir)
    Loads information about the Elasticsearch keystore from the provided config directory.
    void save(java.nio.file.Path configDir, char[] password)
    Write the keystore to the given config directory.
    static void upgrade(KeyStoreWrapper wrapper, java.nio.file.Path configDir, char[] password)
    Upgrades the format of the keystore, if necessary.
    static void validateSettingName(java.lang.String setting)
    Ensure the given setting name is allowed.

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Field Details

  • Method Details

    • getFormatVersion

      public int getFormatVersion()
      Get the metadata format version for the keystore
    • keystorePath

      public static java.nio.file.Path keystorePath(java.nio.file.Path configDir)
      Returns a path representing the ES keystore in the given config dir.
    • create

      public static KeyStoreWrapper create()
      Constructs a new keystore with the given password.
    • addBootstrapSeed

      public static void addBootstrapSeed(KeyStoreWrapper wrapper)
      Add the bootstrap seed setting, which may be used as a unique, secure, random value by the node
    • load

      public static KeyStoreWrapper load(java.nio.file.Path configDir) throws java.io.IOException
      Loads information about the Elasticsearch keystore from the provided config directory. decrypt(char[]) must be called before reading or writing any entries. Returns null if no keystore exists.
      Throws:
      java.io.IOException
    • upgrade

      public static void upgrade(KeyStoreWrapper wrapper, java.nio.file.Path configDir, char[] password) throws java.lang.Exception
      Upgrades the format of the keystore, if necessary.
      Throws:
      java.lang.Exception
    • isLoaded

      public boolean isLoaded()
      Description copied from interface: SecureSettings
      Returns true iff the settings are loaded and retrievable.
      Specified by:
      isLoaded in interface SecureSettings
    • hasPassword

      public boolean hasPassword()
      Return true iff calling decrypt(char[]) requires a non-empty password.
    • decrypt

      public void decrypt(char[] password) throws java.security.GeneralSecurityException, java.io.IOException
      Decrypts the underlying keystore data. This may only be called once.
      Throws:
      java.security.GeneralSecurityException
      java.io.IOException
    • save

      public void save(java.nio.file.Path configDir, char[] password) throws java.lang.Exception
      Write the keystore to the given config directory.
      Throws:
      java.lang.Exception
    • getSettingNames

      public java.util.Set<java.lang.String> getSettingNames()
      It is possible to retrieve the setting names even if the keystore is closed. This allows SecureSetting to correctly determine that an entry exists even though it cannot be read. Thus, attempting to read a secure setting after the keystore is closed will generate a "keystore is closed" exception rather than silently using the fallback setting.
      Specified by:
      getSettingNames in interface SecureSettings
    • getString

      public SecureString getString(java.lang.String setting)
      Description copied from interface: SecureSettings
      Return a string setting. The SecureString should be closed once it is used.
      Specified by:
      getString in interface SecureSettings
    • getFile

      public java.io.InputStream getFile(java.lang.String setting)
      Description copied from interface: SecureSettings
      Return a file setting. The InputStream should be closed once it is used.
      Specified by:
      getFile in interface SecureSettings
    • getSHA256Digest

      public byte[] getSHA256Digest(java.lang.String setting)
      Returns the SHA256 digest for the setting's value, even after close() has been called. The setting must exist. The digest is used to check for value changes without actually storing the value.
      Specified by:
      getSHA256Digest in interface SecureSettings
    • validateSettingName

      public static void validateSettingName(java.lang.String setting)
      Ensure the given setting name is allowed.
      Throws:
      java.lang.IllegalArgumentException - if the setting name is not valid
    • close

      public void close()
      Specified by:
      close in interface java.lang.AutoCloseable
      Specified by:
      close in interface java.io.Closeable
      Specified by:
      close in interface SecureSettings