Add passphrase support to elasticsearch-keystore (#38498)

This change adds support for keystore passphrases to all subcommands
of the elasticsearch-keystore cli tool and adds a subcommand for
changing the passphrase of an existing keystore.
The work to read the passphrase in Elasticsearch when
loading, which will be addressed in a different PR.

Subcommands of elasticsearch-keystore can handle (open and create)
passphrase protected keystores

When reading a keystore, a user is only prompted for a passphrase
only if the keystore is passphrase protected.

When creating a keystore, a user is allowed (default behavior) to create one with an
empty passphrase

Passphrase can be set to be empty when changing/setting it for an
existing keystore

Relates to: #32691
Supersedes: #37472

Author: jkakavas

distribution/docker/docker-test-entrypoint.sh

@@ -1,6 +1,7 @@
 #!/bin/bash
 cd /usr/share/elasticsearch/bin/
-./elasticsearch-users useradd x_pack_rest_user -p x-pack-test-password -r superuser || true 
+./elasticsearch-users useradd x_pack_rest_user -p x-pack-test-password -r superuser || true
+./elasticsearch-keystore create
 echo "testnode" > /tmp/password
 cat /tmp/password  | ./elasticsearch-keystore add -x -f -v 'xpack.security.transport.ssl.keystore.secure_password'
 cat /tmp/password  | ./elasticsearch-keystore add -x -f -v 'xpack.security.http.ssl.keystore.secure_password'

distribution/tools/keystore-cli/src/main/java/org/elasticsearch/common/settings/AddFileKeyStoreCommand.java

@@ -26,7 +26,6 @@
 
 import joptsimple.OptionSet;
 import joptsimple.OptionSpec;
-import org.elasticsearch.cli.EnvironmentAwareCommand;
 import org.elasticsearch.cli.ExitCodes;
 import org.elasticsearch.cli.Terminal;
 import org.elasticsearch.cli.UserException;
@@ -37,13 +36,13 @@
 /**
  * A subcommand for the keystore cli which adds a file setting.
  */
-class AddFileKeyStoreCommand extends EnvironmentAwareCommand {
+class AddFileKeyStoreCommand extends BaseKeyStoreCommand {
 
     private final OptionSpec<Void> forceOption;
     private final OptionSpec<String> arguments;
 
     AddFileKeyStoreCommand() {
-        super("Add a file setting to the keystore");
+        super("Add a file setting to the keystore", false);
         this.forceOption = parser.acceptsAll(Arrays.asList("f", "force"), "Overwrite existing setting without prompting");
         // jopt simple has issue with multiple non options, so we just get one set of them here
         // and convert to File when necessary
@@ -52,27 +51,15 @@ class AddFileKeyStoreCommand extends EnvironmentAwareCommand {
     }
 
     @Override
-    protected void execute(Terminal terminal, OptionSet options, Environment env) throws Exception {
-        KeyStoreWrapper keystore = KeyStoreWrapper.load(env.configFile());
-        if (keystore == null) {
-            if (options.has(forceOption) == false &&
-                terminal.promptYesNo("The elasticsearch keystore does not exist. Do you want to create it?", false) == false) {
-                terminal.println("Exiting without creating keystore.");
-                return;
-            }
-            keystore = KeyStoreWrapper.create();
-            keystore.save(env.configFile(), new char[0] /* always use empty passphrase for auto created keystore */);
-            terminal.println("Created elasticsearch keystore in " + env.configFile());
-        } else {
-            keystore.decrypt(new char[0] /* TODO: prompt for password when they are supported */);
-        }
+    protected void executeCommand(Terminal terminal, OptionSet options, Environment env) throws Exception {
 
         List<String> argumentValues = arguments.values(options);
         if (argumentValues.size() == 0) {
             throw new UserException(ExitCodes.USAGE, "Missing setting name");
         }
         String setting = argumentValues.get(0);
-        if (keystore.getSettingNames().contains(setting) && options.has(forceOption) == false) {
+        final KeyStoreWrapper keyStore = getKeyStore();
+        if (keyStore.getSettingNames().contains(setting) && options.has(forceOption) == false) {
             if (terminal.promptYesNo("Setting " + setting + " already exists. Overwrite?", false) == false) {
                 terminal.println("Exiting without modifying keystore.");
                 return;
@@ -90,11 +77,11 @@ protected void execute(Terminal terminal, OptionSet options, Environment env) th
             throw new UserException(ExitCodes.USAGE, "Unrecognized extra arguments [" +
                 String.join(", ", argumentValues.subList(2, argumentValues.size())) + "] after filepath");
         }
-        keystore.setFile(setting, Files.readAllBytes(file));
-        keystore.save(env.configFile(), new char[0]);
+        keyStore.setFile(setting, Files.readAllBytes(file));
+        keyStore.save(env.configFile(), getKeyStorePassword().getChars());
     }
 
-    @SuppressForbidden(reason="file arg for cli")
+    @SuppressForbidden(reason = "file arg for cli")
     private Path getPath(String file) {
         return PathUtils.get(file);
     }

distribution/tools/keystore-cli/src/main/java/org/elasticsearch/common/settings/AddStringKeyStoreCommand.java

@@ -20,15 +20,13 @@
 package org.elasticsearch.common.settings;
 
 import java.io.BufferedReader;
-import java.io.CharArrayWriter;
 import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.nio.charset.StandardCharsets;
 import java.util.Arrays;
 
 import joptsimple.OptionSet;
 import joptsimple.OptionSpec;
-import org.elasticsearch.cli.EnvironmentAwareCommand;
 import org.elasticsearch.cli.ExitCodes;
 import org.elasticsearch.cli.Terminal;
 import org.elasticsearch.cli.UserException;
@@ -37,14 +35,14 @@
 /**
  * A subcommand for the keystore cli which adds a string setting.
  */
-class AddStringKeyStoreCommand extends EnvironmentAwareCommand {
+class AddStringKeyStoreCommand extends BaseKeyStoreCommand {
 
     private final OptionSpec<Void> stdinOption;
     private final OptionSpec<Void> forceOption;
     private final OptionSpec<String> arguments;
 
     AddStringKeyStoreCommand() {
-        super("Add a string setting to the keystore");
+        super("Add a string setting to the keystore", false);
         this.stdinOption = parser.acceptsAll(Arrays.asList("x", "stdin"), "Read setting value from stdin");
         this.forceOption = parser.acceptsAll(Arrays.asList("f", "force"), "Overwrite existing setting without prompting");
         this.arguments = parser.nonOptions("setting name");
@@ -56,26 +54,13 @@ InputStream getStdin() {
     }
 
     @Override
-    protected void execute(Terminal terminal, OptionSet options, Environment env) throws Exception {
-        KeyStoreWrapper keystore = KeyStoreWrapper.load(env.configFile());
-        if (keystore == null) {
-            if (options.has(forceOption) == false &&
-                terminal.promptYesNo("The elasticsearch keystore does not exist. Do you want to create it?", false) == false) {
-                terminal.println("Exiting without creating keystore.");
-                return;
-            }
-            keystore = KeyStoreWrapper.create();
-            keystore.save(env.configFile(), new char[0] /* always use empty passphrase for auto created keystore */);
-            terminal.println("Created elasticsearch keystore in " + env.configFile());
-        } else {
-            keystore.decrypt(new char[0] /* TODO: prompt for password when they are supported */);
-        }
-
+    protected void executeCommand(Terminal terminal, OptionSet options, Environment env) throws Exception {
         String setting = arguments.value(options);
         if (setting == null) {
             throw new UserException(ExitCodes.USAGE, "The setting name can not be null");
         }
-        if (keystore.getSettingNames().contains(setting) && options.has(forceOption) == false) {
+        final KeyStoreWrapper keyStore = getKeyStore();
+        if (keyStore.getSettingNames().contains(setting) && options.has(forceOption) == false) {
             if (terminal.promptYesNo("Setting " + setting + " already exists. Overwrite?", false) == false) {
                 terminal.println("Exiting without modifying keystore.");
                 return;
@@ -84,26 +69,18 @@ protected void execute(Terminal terminal, OptionSet options, Environment env) th
 
         final char[] value;
         if (options.has(stdinOption)) {
-            try (BufferedReader stdinReader = new BufferedReader(new InputStreamReader(getStdin(), StandardCharsets.UTF_8));
-                 CharArrayWriter writer = new CharArrayWriter()) {
-                int charInt;
-                while ((charInt = stdinReader.read()) != -1) {
-                    if ((char) charInt == '\r' || (char) charInt == '\n') {
-                        break;
-                    }
-                    writer.write((char) charInt);
-                }
-                value = writer.toCharArray();
-            }
+            BufferedReader stdinReader = new BufferedReader(new InputStreamReader(getStdin(), StandardCharsets.UTF_8));
+            value = stdinReader.readLine().toCharArray();
         } else {
             value = terminal.readSecret("Enter value for " + setting + ": ");
         }
 
         try {
-            keystore.setString(setting, value);
-        } catch (final IllegalArgumentException e) {
+            keyStore.setString(setting, value);
+        } catch (IllegalArgumentException e) {
             throw new UserException(ExitCodes.DATA_ERROR, e.getMessage());
         }
-        keystore.save(env.configFile(), new char[0]);
+        keyStore.save(env.configFile(), getKeyStorePassword().getChars());
+
     }
 }

distribution/tools/keystore-cli/src/main/java/org/elasticsearch/common/settings/BaseKeyStoreCommand.java

@@ -0,0 +1,115 @@
+/*
+ * Licensed to Elasticsearch under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.elasticsearch.common.settings;
+
+import joptsimple.OptionSet;
+import org.elasticsearch.cli.EnvironmentAwareCommand;
+import org.elasticsearch.cli.ExitCodes;
+import org.elasticsearch.cli.Terminal;
+import org.elasticsearch.cli.UserException;
+import org.elasticsearch.env.Environment;
+
+import java.nio.file.Path;
+import java.util.Arrays;
+
+public abstract class BaseKeyStoreCommand extends EnvironmentAwareCommand {
+
+    private KeyStoreWrapper keyStore;
+    private SecureString keyStorePassword;
+    private final boolean keyStoreMustExist;
+
+    public BaseKeyStoreCommand(String description, boolean keyStoreMustExist) {
+        super(description);
+        this.keyStoreMustExist = keyStoreMustExist;
+    }
+
+    @Override
+    protected final void execute(Terminal terminal, OptionSet options, Environment env) throws Exception {
+        try {
+            final Path configFile = env.configFile();
+            keyStore = KeyStoreWrapper.load(configFile);
+            if (keyStore == null) {
+                if (keyStoreMustExist) {
+                    throw new UserException(ExitCodes.DATA_ERROR, "Elasticsearch keystore not found at [" +
+                        KeyStoreWrapper.keystorePath(env.configFile()) + "]. Use 'create' command to create one.");
+                } else {
+                    if (terminal.promptYesNo("The elasticsearch keystore does not exist. Do you want to create it?", false) == false) {
+                        terminal.println("Exiting without creating keystore.");
+                        return;
+                    }
+                }
+                keyStorePassword = new SecureString(new char[0]);
+                keyStore = KeyStoreWrapper.create();
+                keyStore.save(configFile, keyStorePassword.getChars());
+            } else {
+                keyStorePassword = keyStore.hasPassword() ? readPassword(terminal, false) : new SecureString(new char[0]);
+                keyStore.decrypt(keyStorePassword.getChars());
+            }
+            executeCommand(terminal, options, env);
+        } catch (SecurityException e) {
+            throw new UserException(ExitCodes.DATA_ERROR, e.getMessage());
+        } finally {
+            if (keyStorePassword != null) {
+                keyStorePassword.close();
+            }
+        }
+    }
+
+    protected KeyStoreWrapper getKeyStore() {
+        return keyStore;
+    }
+
+    protected SecureString getKeyStorePassword() {
+        return keyStorePassword;
+    }
+
+    /**
+     * Reads the keystore password from the {@link Terminal}, prompting for verification where applicable and returns it as a
+     * {@link SecureString}.
+     *
+     * @param terminal         the terminal to use for user inputs
+     * @param withVerification whether the user should be prompted for password verification
+     * @return a SecureString with the password the user entered
+     * @throws UserException If the user is prompted for verification and enters a different password
+     */
+    static SecureString readPassword(Terminal terminal, boolean withVerification) throws UserException {
+        final char[] passwordArray;
+        if (withVerification) {
+            passwordArray = terminal.readSecret("Enter new password for the elasticsearch keystore (empty for no password): ");
+            char[] passwordVerification = terminal.readSecret("Enter same password again: ");
+            if (Arrays.equals(passwordArray, passwordVerification) == false) {
+                throw new UserException(ExitCodes.DATA_ERROR, "Passwords are not equal, exiting.");
+            }
+            Arrays.fill(passwordVerification, '\u0000');
+        } else {
+            passwordArray = terminal.readSecret("Enter password for the elasticsearch keystore : ");
+        }
+        final SecureString password = new SecureString(passwordArray);
+        return password;
+    }
+
+    /**
+     * This is called after the keystore password has been read from the stdin and the keystore is decrypted and
+     * loaded. The keystore and keystore passwords are available to classes extending {@link BaseKeyStoreCommand}
+     * using {@link BaseKeyStoreCommand#getKeyStore()} and {@link BaseKeyStoreCommand#getKeyStorePassword()}
+     * respectively.
+     */
+    protected abstract void executeCommand(Terminal terminal, OptionSet options, Environment env) throws Exception;
+}

distribution/tools/keystore-cli/src/main/java/org/elasticsearch/common/settings/ChangeKeyStorePasswordCommand.java

@@ -0,0 +1,47 @@
+/*
+ * Licensed to Elasticsearch under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.elasticsearch.common.settings;
+
+import joptsimple.OptionSet;
+import org.elasticsearch.cli.ExitCodes;
+import org.elasticsearch.cli.Terminal;
+import org.elasticsearch.cli.UserException;
+import org.elasticsearch.env.Environment;
+
+/**
+ * A sub-command for the keystore cli which changes the password.
+ */
+class ChangeKeyStorePasswordCommand extends BaseKeyStoreCommand {
+
+    ChangeKeyStorePasswordCommand() {
+        super("Changes the password of a keystore", true);
+    }
+
+    @Override
+    protected void executeCommand(Terminal terminal, OptionSet options, Environment env) throws Exception {
+        try (SecureString newPassword = readPassword(terminal, true)) {
+            final KeyStoreWrapper keyStore = getKeyStore();
+            keyStore.save(env.configFile(), newPassword.getChars());
+            terminal.println("Elasticsearch keystore password changed successfully.");
+        } catch (SecurityException e) {
+            throw new UserException(ExitCodes.DATA_ERROR, e.getMessage());
+        }
+    }
+}