[Backport 2.x] Added secure settings for ssl related passwords: (#2296)

src/main/java/com/amazon/dlic/auth/ldap/backend/LDAPAuthorizationBackend.java

@@ -83,6 +83,9 @@
 import org.opensearch.security.user.AuthCredentials;
 import org.opensearch.security.user.User;
 
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD;
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD;
+
 public class LDAPAuthorizationBackend implements AuthorizationBackend {
 
     private static final AtomicInteger CONNECTION_COUNTER = new AtomicInteger();
@@ -580,7 +583,7 @@ private static void configureSSL(final ConnectionConfig config, final Settings s
             } else {
                 final KeyStore trustStore = PemKeyReader.loadKeyStore(
                     PemKeyReader.resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, settings, configPath, !trustAll),
-                    settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, SSLConfigConstants.DEFAULT_STORE_PASSWORD),
+                    SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD.getSetting(settings),
                     settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE)
                 );
 
@@ -594,11 +597,11 @@ private static void configureSSL(final ConnectionConfig config, final Settings s
                         configPath,
                         enableClientAuth
                     ),
-                    settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD, SSLConfigConstants.DEFAULT_STORE_PASSWORD),
+                    SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD.getSetting(settings, SSLConfigConstants.DEFAULT_STORE_PASSWORD),
                     settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE)
                 );
-                final String keyStorePassword = settings.get(
-                    SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD,
+                final String keyStorePassword = SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD.getSetting(
+                    settings,
                     SSLConfigConstants.DEFAULT_STORE_PASSWORD
                 );
 

src/main/java/com/amazon/dlic/util/SettingsBasedSSLConfigurator.java

@@ -49,6 +49,9 @@
 import org.opensearch.security.ssl.util.SSLConfigConstants;
 import org.opensearch.security.support.PemKeyReader;
 
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD;
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD;
+
 public class SettingsBasedSSLConfigurator {
     private static final Logger log = LogManager.getLogger(SettingsBasedSSLConfigurator.class);
 
@@ -328,7 +331,7 @@ private void initFromKeyStore() throws SSLConfigException {
                     configPath,
                     !isTrustAllEnabled()
                 ),
-                settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, SSLConfigConstants.DEFAULT_STORE_PASSWORD),
+                SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD.getSetting(settings),
                 settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE)
             );
         } catch (Exception e) {
@@ -350,7 +353,7 @@ private void initFromKeyStore() throws SSLConfigException {
                     configPath,
                     enableSslClientAuth
                 ),
-                settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD, SSLConfigConstants.DEFAULT_STORE_PASSWORD),
+                SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD.getSetting(settings, SSLConfigConstants.DEFAULT_STORE_PASSWORD),
                 settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE)
             );
         } catch (Exception e) {
@@ -360,10 +363,7 @@ private void initFromKeyStore() throws SSLConfigException {
             );
         }
 
-        String keyStorePassword = settings.get(
-            SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD,
-            SSLConfigConstants.DEFAULT_STORE_PASSWORD
-        );
+        String keyStorePassword = SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD.getSetting(settings, SSLConfigConstants.DEFAULT_STORE_PASSWORD);
         effectiveKeyPassword = keyStorePassword == null || keyStorePassword.isEmpty() ? null : keyStorePassword.toCharArray();
         effectiveKeyAlias = getSetting(CERT_ALIAS);
 

src/main/java/org/opensearch/security/auditlog/sink/ExternalOpenSearchSink.java

@@ -31,6 +31,9 @@
 import org.opensearch.security.support.ConfigConstants;
 import org.opensearch.security.support.PemKeyReader;
 
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD;
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD;
+
 public final class ExternalOpenSearchSink extends AuditLogSink {
 
     private static final List<String> DEFAULT_TLS_PROTOCOLS = Arrays.asList(new String[] { "TLSv1.2", "TLSv1.1" });
@@ -169,7 +172,7 @@ public ExternalOpenSearchSink(
             } else {
                 final KeyStore trustStore = PemKeyReader.loadKeyStore(
                     PemKeyReader.resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, settings, configPath, true),
-                    settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, SSLConfigConstants.DEFAULT_STORE_PASSWORD),
+                    SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD.getSetting(settings),
                     settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE)
                 );
 
@@ -181,11 +184,11 @@ public ExternalOpenSearchSink(
                         configPath,
                         enableSslClientAuth
                     ),
-                    settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD, SSLConfigConstants.DEFAULT_STORE_PASSWORD),
+                    SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD.getSetting(settings, SSLConfigConstants.DEFAULT_STORE_PASSWORD),
                     settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE)
                 );
-                final String keyStorePassword = settings.get(
-                    SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD,
+                final String keyStorePassword = SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD.getSetting(
+                    settings,
                     SSLConfigConstants.DEFAULT_STORE_PASSWORD
                 );
                 effectiveKeyPassword = keyStorePassword == null || keyStorePassword.isEmpty() ? null : keyStorePassword.toCharArray();

src/main/java/org/opensearch/security/auditlog/sink/WebhookSink.java

@@ -43,6 +43,8 @@
 import org.opensearch.security.support.ConfigConstants;
 import org.opensearch.security.support.PemKeyReader;
 
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD;
+
 public class WebhookSink extends AuditLogSink {
 
     /* HttpClient is thread safe */
@@ -339,10 +341,7 @@ public KeyStore run() {
                                 configPath,
                                 false
                             ),
-                            settings.get(
-                                SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD,
-                                SSLConfigConstants.DEFAULT_STORE_PASSWORD
-                            ),
+                            SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD.getSetting(settings),
                             settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE)
                         );
                     }

src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java

@@ -78,6 +78,19 @@
 import java.util.function.Function;
 import java.util.stream.Collectors;
 
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD;
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_HTTP_KEYSTORE_PASSWORD;
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_HTTP_PEMKEY_PASSWORD;
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_HTTP_TRUSTSTORE_PASSWORD;
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_KEYPASSWORD;
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_PASSWORD;
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_KEYSTORE_KEYPASSWORD;
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD;
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_PEMKEY_PASSWORD;
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_KEYPASSWORD;
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_PASSWORD;
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD;
+
 public class DefaultSecurityKeyStore implements SecurityKeyStore {
 
     private static final String DEFAULT_STORE_TYPE = "JKS";
@@ -313,8 +326,8 @@ public void initTransportSSLConfig() {
 
             final String keystoreFilePath = resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, true);
             final String keystoreType = settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE, DEFAULT_STORE_TYPE);
-            final String keystorePassword = settings.get(
-                SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD,
+            final String keystorePassword = SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD.getSetting(
+                settings,
                 SSLConfigConstants.DEFAULT_STORE_PASSWORD
             );
 
@@ -327,10 +340,7 @@ public void initTransportSSLConfig() {
             }
 
             final String truststoreType = settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE, DEFAULT_STORE_TYPE);
-            final String truststorePassword = settings.get(
-                SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD,
-                SSLConfigConstants.DEFAULT_STORE_PASSWORD
-            );
+            final String truststorePassword = SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD.getSetting(settings);
 
             KeystoreProps keystoreProps = new KeystoreProps(keystoreFilePath, keystoreType, keystorePassword);
 
@@ -349,12 +359,12 @@ public void initTransportSSLConfig() {
                     );
                     final String keystoreServerAlias = settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_ALIAS, null);
                     final String keystoreClientAlias = settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_ALIAS, null);
-                    final String serverKeyPassword = settings.get(
-                        SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_KEYPASSWORD,
+                    final String serverKeyPassword = SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_KEYPASSWORD.getSetting(
+                        settings,
                         keystorePassword
                     );
-                    final String clientKeyPassword = settings.get(
-                        SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_KEYPASSWORD,
+                    final String clientKeyPassword = SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_KEYPASSWORD.getSetting(
+                        settings,
                         keystorePassword
                     );
 
@@ -390,10 +400,7 @@ public void initTransportSSLConfig() {
                     // when alias is null, we take first entry in the store
                     final String truststoreAlias = settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_ALIAS, null);
                     final String keystoreAlias = settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, null);
-                    final String keyPassword = settings.get(
-                        SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_KEYPASSWORD,
-                        keystorePassword
-                    );
+                    final String keyPassword = SECURITY_SSL_TRANSPORT_KEYSTORE_KEYPASSWORD.getSetting(settings, keystorePassword);
 
                     certFromKeystore = new CertFromKeystore(keystoreProps, keystoreAlias, keyPassword);
                     certFromTruststore = new CertFromTruststore(truststoreProps, truststoreAlias);
@@ -429,14 +436,14 @@ public void initTransportSSLConfig() {
                         resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMCERT_FILEPATH, true),
                         resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_FILEPATH, true),
                         resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMTRUSTEDCAS_FILEPATH, true),
-                        settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_PASSWORD)
+                        SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_PASSWORD.getSetting(settings)
                     );
 
                     CertFileProps serverCertProps = new CertFileProps(
                         resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMCERT_FILEPATH, true),
                         resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_FILEPATH, true),
                         resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMTRUSTEDCAS_FILEPATH, true),
-                        settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_PASSWORD)
+                        SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_PASSWORD.getSetting(settings)
                     );
 
                     certFromFile = new CertFromFile(clientCertProps, serverCertProps);
@@ -445,7 +452,7 @@ public void initTransportSSLConfig() {
                         resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH, true),
                         resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH, true),
                         resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH, true),
-                        settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMKEY_PASSWORD)
+                        SECURITY_SSL_TRANSPORT_PEMKEY_PASSWORD.getSetting(settings)
                     );
                     certFromFile = new CertFromFile(certProps);
                 }
@@ -500,12 +507,12 @@ public void initHttpSSLConfig() {
 
             final String keystoreFilePath = resolve(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH, true);
             final String keystoreType = settings.get(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_TYPE, DEFAULT_STORE_TYPE);
-            final String keystorePassword = settings.get(
-                SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_PASSWORD,
+            final String keystorePassword = SECURITY_SSL_HTTP_KEYSTORE_PASSWORD.getSetting(
+                settings,
                 SSLConfigConstants.DEFAULT_STORE_PASSWORD
             );
 
-            final String keyPassword = settings.get(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD, keystorePassword);
+            final String keyPassword = SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD.getSetting(settings, keystorePassword);
 
             final String keystoreAlias = settings.get(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, null);
 
@@ -539,10 +546,8 @@ public void initHttpSSLConfig() {
                     final String truststoreFilePath = resolve(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH, true);
 
                     final String truststoreType = settings.get(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_TYPE, DEFAULT_STORE_TYPE);
-                    final String truststorePassword = settings.get(
-                        SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_PASSWORD,
-                        SSLConfigConstants.DEFAULT_STORE_PASSWORD
-                    );
+                    final String truststorePassword = SECURITY_SSL_HTTP_TRUSTSTORE_PASSWORD.getSetting(settings);
+
                     final String truststoreAlias = settings.get(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_ALIAS, null);
 
                     KeystoreProps truststoreProps = new KeystoreProps(truststoreFilePath, truststoreType, truststorePassword);
@@ -577,7 +582,7 @@ public void initHttpSSLConfig() {
                     resolve(SSLConfigConstants.SECURITY_SSL_HTTP_PEMCERT_FILEPATH, true),
                     resolve(SSLConfigConstants.SECURITY_SSL_HTTP_PEMKEY_FILEPATH, true),
                     trustedCas,
-                    settings.get(SSLConfigConstants.SECURITY_SSL_HTTP_PEMKEY_PASSWORD)
+                    SECURITY_SSL_HTTP_PEMKEY_PASSWORD.getSetting(settings)
                 );
                 CertFromFile certFromFile = new CertFromFile(certFileProps);
 
@@ -586,7 +591,7 @@ public void initHttpSSLConfig() {
                     certFromFile.getServerPemKey(),
                     certFromFile.getServerPemCert(),
                     certFromFile.getServerTrustedCas(),
-                    settings.get(SSLConfigConstants.SECURITY_SSL_HTTP_PEMKEY_PASSWORD),
+                    SECURITY_SSL_HTTP_PEMKEY_PASSWORD.getSetting(settings),
                     getEnabledSSLCiphers(this.sslHTTPProvider, true),
                     sslHTTPProvider,
                     httpClientAuthMode