Class KeyStoreWrapper

  • All Implemented Interfaces:
    java.io.Closeable, java.lang.AutoCloseable, SecureSettings

    public class KeyStoreWrapper
    extends java.lang.Object
    implements SecureSettings
    A disk based container for sensitive settings in Elasticsearch. Loading a keystore has 2 phases. First, call load(Path). Then call decrypt(char[]) with the keystore password, or an empty char array if hasPassword() is false. Loading and decrypting should happen in a single thread. Once decrypted, settings may be read in multiple threads.
    • Method Summary

      Modifier and Type Method Description
      static void addBootstrapSeed​(KeyStoreWrapper wrapper)
      Add the bootstrap seed setting, which may be used as a unique, secure, random value by the node
      void close()  
      static KeyStoreWrapper create()
      Constructs a new keystore with the given password.
      void decrypt​(char[] password)
      Decrypts the underlying keystore data.
      java.io.InputStream getFile​(java.lang.String setting)
      Return a file setting.
      int getFormatVersion()
      Get the metadata format version for the keystore
      java.util.Set<java.lang.String> getSettingNames()
      It is possible to retrieve the setting names even if the keystore is closed.
      byte[] getSHA256Digest​(java.lang.String setting)
      Returns the SHA256 digest for the setting's value, even after #close() has been called.
      SecureString getString​(java.lang.String setting)
      Return a string setting.
      boolean hasPassword()
      Return true iff calling decrypt(char[]) requires a non-empty password.
      boolean isLoaded()
      Returns true iff the settings are loaded and retrievable.
      static java.nio.file.Path keystorePath​(java.nio.file.Path configDir)
      Returns a path representing the ES keystore in the given config dir.
      static KeyStoreWrapper load​(java.nio.file.Path configDir)
      Loads information about the Elasticsearch keystore from the provided config directory.
      void save​(java.nio.file.Path configDir, char[] password)
      Write the keystore to the given config directory.
      static void upgrade​(KeyStoreWrapper wrapper, java.nio.file.Path configDir, char[] password)
      Upgrades the format of the keystore, if necessary.
      static void validateSettingName​(java.lang.String setting)
      Ensure the given setting name is allowed.
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Method Detail

      • getFormatVersion

        public int getFormatVersion()
        Get the metadata format version for the keystore
      • keystorePath

        public static java.nio.file.Path keystorePath​(java.nio.file.Path configDir)
        Returns a path representing the ES keystore in the given config dir.
      • create

        public static KeyStoreWrapper create()
        Constructs a new keystore with the given password.
      • addBootstrapSeed

        public static void addBootstrapSeed​(KeyStoreWrapper wrapper)
        Add the bootstrap seed setting, which may be used as a unique, secure, random value by the node
      • load

        public static KeyStoreWrapper load​(java.nio.file.Path configDir)
                                    throws java.io.IOException
        Loads information about the Elasticsearch keystore from the provided config directory. decrypt(char[]) must be called before reading or writing any entries. Returns null if no keystore exists.
        Throws:
        java.io.IOException
      • upgrade

        public static void upgrade​(KeyStoreWrapper wrapper,
                                   java.nio.file.Path configDir,
                                   char[] password)
                            throws java.lang.Exception
        Upgrades the format of the keystore, if necessary.
        Throws:
        java.lang.Exception
      • isLoaded

        public boolean isLoaded()
        Description copied from interface: SecureSettings
        Returns true iff the settings are loaded and retrievable.
        Specified by:
        isLoaded in interface SecureSettings
      • hasPassword

        public boolean hasPassword()
        Return true iff calling decrypt(char[]) requires a non-empty password.
      • decrypt

        public void decrypt​(char[] password)
                     throws java.security.GeneralSecurityException,
                            java.io.IOException
        Decrypts the underlying keystore data. This may only be called once.
        Throws:
        java.security.GeneralSecurityException
        java.io.IOException
      • save

        public void save​(java.nio.file.Path configDir,
                         char[] password)
                  throws java.lang.Exception
        Write the keystore to the given config directory.
        Throws:
        java.lang.Exception
      • getSettingNames

        public java.util.Set<java.lang.String> getSettingNames()
        It is possible to retrieve the setting names even if the keystore is closed. This allows SecureSetting to correctly determine that a entry exists even though it cannot be read. Thus attempting to read a secure setting after the keystore is closed will generate a "keystore is closed" exception rather than using the fallback setting.
        Specified by:
        getSettingNames in interface SecureSettings
      • getFile

        public java.io.InputStream getFile​(java.lang.String setting)
        Description copied from interface: SecureSettings
        Return a file setting. The InputStream should be closed once it is used.
        Specified by:
        getFile in interface SecureSettings
      • getSHA256Digest

        public byte[] getSHA256Digest​(java.lang.String setting)
        Returns the SHA256 digest for the setting's value, even after #close() has been called. The setting must exist. The digest is used to check for value changes without actually storing the value.
        Specified by:
        getSHA256Digest in interface SecureSettings
      • validateSettingName

        public static void validateSettingName​(java.lang.String setting)
        Ensure the given setting name is allowed.
        Throws:
        java.lang.IllegalArgumentException - if the setting name is not valid
      • close

        public void close()
        Specified by:
        close in interface java.lang.AutoCloseable
        Specified by:
        close in interface java.io.Closeable
        Specified by:
        close in interface SecureSettings