Allow uppercase in keystore setting names (#45222)

The Elasticsearch keystore was originally backed by a PKCS#12 keystore, which had several limitations. To overcome some of these limitations in encoding, the setting names in the keystore were limited to lowercase alphanumeric characters (with underscore). Now that the keystore is backed by an encrypted blob, this restriction is no longer relevant. This commit relaxes that restriction by allowing uppercase ASCII characters as well.

closes #43835
Vega 2019-08-17 08:48:56 +08:00 committed by Ryan Ernst
parent 200579bfce
commit 6f2daa85e3
4 changed files with 10 additions and 10 deletions


@ -100,7 +100,7 @@ public class KeyStoreWrapper implements SecureSettings {
/** /**
* A regex for the valid characters that a setting name in the keystore may use. * A regex for the valid characters that a setting name in the keystore may use.
*/ */
private static final Pattern ALLOWED_SETTING_NAME = Pattern.compile("[a-z0-9_\\-.]+"); private static final Pattern ALLOWED_SETTING_NAME = Pattern.compile("[A-Za-z0-9_\\-.]+");
public static final Setting<SecureString> SEED_SETTING = SecureSetting.secureString("keystore.seed", null); public static final Setting<SecureString> SEED_SETTING = SecureSetting.secureString("keystore.seed", null);
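Review bot: The Javadoc above `ALLOWED_SETTING_NAME` does not say which characters are valid, and now that uppercase is accepted it should state that names are ASCII-only and that case is significant. The practical risk is a secret added under a mis-cased name (`Foo.bar` instead of `foo.bar`): it is stored without error but presumably never read by the setting it was meant for, though the lookup code is outside this hunk. Suggested comment: `/** Valid setting names: one or more ASCII letters (case is significant), digits, '_', '-' or '.'. */`. Whether nodes that still enforce the lowercase-only pattern can load a keystore containing uppercase names is not visible here and is worth confirming before mixed-version use.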


@ -23,7 +23,6 @@ import java.io.ByteArrayInputStream;
import java.io.CharArrayWriter; import java.io.CharArrayWriter;
import java.io.InputStream; import java.io.InputStream;
import java.nio.charset.StandardCharsets; import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.Map; import java.util.Map;
import org.elasticsearch.cli.Command; import org.elasticsearch.cli.Command;
@ -176,14 +175,15 @@ public class AddStringKeyStoreCommandTests extends KeyStoreCommandTestCase {
assertThat(e.getMessage(), containsString("The setting name can not be null")); assertThat(e.getMessage(), containsString("The setting name can not be null"));
} }
public void testUpperCaseInName() throws Exception { public void testSpecialCharacterInName() throws Exception {
createKeystore(""); createKeystore("");
terminal.addSecretInput("value"); terminal.addSecretInput("value");
final String key = randomAlphaOfLength(4) + randomAlphaOfLength(1).toUpperCase(Locale.ROOT) + randomAlphaOfLength(4); final String key = randomAlphaOfLength(4) + '@' + randomAlphaOfLength(4);
final UserException e = expectThrows(UserException.class, () -> execute(key)); final UserException e = expectThrows(UserException.class, () -> execute(key));
final String exceptionString= "Setting name [" + key + "] does not match the allowed setting name pattern [[A-Za-z0-9_\\-.]+]";
assertThat( assertThat(
e, e,
hasToString(containsString("Setting name [" + key + "] does not match the allowed setting name pattern [[a-z0-9_\\-.]+]"))); hasToString(containsString(exceptionString)));
} }
void setInput(String inputStr) { void setInput(String inputStr) {
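Review bot: With `testUpperCaseInName` turned into `testSpecialCharacterInName`, nothing in this section asserts that a name containing an uppercase letter is now accepted; only rejection paths are exercised. The same holds for the `testIllegalSettingName` and `testSecureSettingIllegalName` changes in the other two test files, which only swap the `UpperCase` inputs for ones containing `*`. A companion positive test that builds a mixed-case key, runs `execute(key)` and checks the stored value would pin the behaviour this commit introduces, so a later tightening of the pattern cannot silently make existing entries unusable. Minor style: `exceptionString=` is missing the space before `=`.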


@ -318,12 +318,12 @@ public class KeyStoreWrapperTests extends ESTestCase {
} }
public void testIllegalSettingName() throws Exception { public void testIllegalSettingName() throws Exception {
IllegalArgumentException e = expectThrows(IllegalArgumentException.class, () -> KeyStoreWrapper.validateSettingName("UpperCase")); IllegalArgumentException e = expectThrows(IllegalArgumentException.class, () -> KeyStoreWrapper.validateSettingName("*"));
assertTrue(e.getMessage().contains("does not match the allowed setting name pattern")); assertTrue(e.getMessage().contains("does not match the allowed setting name pattern"));
KeyStoreWrapper keystore = KeyStoreWrapper.create(); KeyStoreWrapper keystore = KeyStoreWrapper.create();
e = expectThrows(IllegalArgumentException.class, () -> keystore.setString("UpperCase", new char[0])); e = expectThrows(IllegalArgumentException.class, () -> keystore.setString("*", new char[0]));
assertTrue(e.getMessage().contains("does not match the allowed setting name pattern")); assertTrue(e.getMessage().contains("does not match the allowed setting name pattern"));
e = expectThrows(IllegalArgumentException.class, () -> keystore.setFile("UpperCase", new byte[0])); e = expectThrows(IllegalArgumentException.class, () -> keystore.setFile("*", new byte[0]));
assertTrue(e.getMessage().contains("does not match the allowed setting name pattern")); assertTrue(e.getMessage().contains("does not match the allowed setting name pattern"));
} }


@ -498,10 +498,10 @@ public class SettingsTests extends ESTestCase {
public void testSecureSettingIllegalName() { public void testSecureSettingIllegalName() {
IllegalArgumentException e = expectThrows(IllegalArgumentException.class, () -> IllegalArgumentException e = expectThrows(IllegalArgumentException.class, () ->
SecureSetting.secureString("UpperCaseSetting", null)); SecureSetting.secureString("*IllegalName", null));
assertTrue(e.getMessage().contains("does not match the allowed setting name pattern")); assertTrue(e.getMessage().contains("does not match the allowed setting name pattern"));
e = expectThrows(IllegalArgumentException.class, () -> e = expectThrows(IllegalArgumentException.class, () ->
SecureSetting.secureFile("UpperCaseSetting", null)); SecureSetting.secureFile("*IllegalName", null));
assertTrue(e.getMessage().contains("does not match the allowed setting name pattern")); assertTrue(e.getMessage().contains("does not match the allowed setting name pattern"));
} }