Allow PkiRealm to use truststore.password setting (elastic/x-pack-elasticsearch#2727)

This change fixes an incorrect check for a missing password setting for the PKI realm. The check
only allowed the secure setting to be used for the PkiRealm password even though the legacy setting
is still valid. This change fixes the check.

Relates elastic/x-pack-elasticsearch#2487

Original commit: elastic/x-pack-elasticsearch@a4524c2c05

plugin/src/main/java/org/elasticsearch/xpack/security/authc/pki/PkiRealm.java

@@ -174,9 +174,10 @@ public class PkiRealm extends Realm {
 
     private static X509TrustManager trustManagersFromTruststore(String truststorePath, RealmConfig realmConfig) {
         final Settings settings = realmConfig.settings();
-        if (SSL_SETTINGS.truststorePassword.exists(settings) == false) {
-            throw new IllegalArgumentException(
-                "[" + RealmSettings.getFullSettingKey(realmConfig, SSL_SETTINGS.truststorePassword) + "] is not configured"
+        if (SSL_SETTINGS.truststorePassword.exists(settings) == false && SSL_SETTINGS.legacyTruststorePassword.exists(settings) == false) {
+            throw new IllegalArgumentException("Neither [" +
+                    RealmSettings.getFullSettingKey(realmConfig, SSL_SETTINGS.truststorePassword) + "] or [" +
+                    RealmSettings.getFullSettingKey(realmConfig, SSL_SETTINGS.legacyTruststorePassword) + "] is configured"
             );
         }
         try (SecureString password = SSL_SETTINGS.truststorePassword.get(settings)) {

plugin/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiRealmTests.java

@@ -214,10 +214,22 @@ public class PkiRealmTests extends ESTestCase {
                     new ThreadContext(globalSettings)), mock(UserRoleMapper.class));
             fail("exception should have been thrown");
         } catch (IllegalArgumentException e) {
-            assertThat(e.getMessage(), containsString("[xpack.security.authc.realms.mypki.truststore.secure_password] is not configured"));
+            assertThat(e.getMessage(), containsString("Neither [xpack.security.authc.realms.mypki.truststore.secure_password] or [" +
+                    "xpack.security.authc.realms.mypki.truststore.password] is configured"));
         }
     }
 
+    public void testTruststorePathWithLegacyPasswordDoesNotThrow() throws Exception {
+        Settings settings = Settings.builder()
+                .put("truststore.path",
+                        getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-client-profile.jks"))
+                .put("truststore.password", "testnode-client-profile")
+                .build();
+        new PkiRealm(new RealmConfig("mypki", settings, globalSettings, new Environment(globalSettings),
+                new ThreadContext(globalSettings)), mock(UserRoleMapper.class));
+        assertSettingDeprecationsAndWarnings(new Setting[] { SSLConfigurationSettings.withoutPrefix().legacyTruststorePassword });
+    }
+
     public void testCertificateWithOnlyCnExtractsProperly() throws Exception {
         X509Certificate certificate = mock(X509Certificate.class);
         X500Principal principal = new X500Principal("CN=PKI Client");