From ec11799003edc08898d6199891324c70b111aed5 Mon Sep 17 00:00:00 2001
From: Jay Modi
Date: Tue, 1 Aug 2017 13:04:34 -0600
Subject: [PATCH] Read the token passphrase earlier in the bootstrap check (elastic/x-pack-elasticsearch#2144)
This commit moves the reading of the token passphrase to the creation of the bootstrap check to avoid issues with the secure settings keystore already being closed and thus causing issues during startup.
Original commit: elastic/x-pack-elasticsearch@bba1cc832da55a9425d14633df45eb889343bb08
---
 .../security/TokenPassphraseBootstrapCheck.java | 12 +++++++-----
 .../security/TokenPassphraseBootstrapCheckTests.java | 11 +++++++++++
 2 files changed, 18 insertions(+), 5 deletions(-)
diff --git a/plugin/src/main/java/org/elasticsearch/xpack/security/TokenPassphraseBootstrapCheck.java b/plugin/src/main/java/org/elasticsearch/xpack/security/TokenPassphraseBootstrapCheck.java
index ae56133bd95..f495cefcfc9 100644
--- a/plugin/src/main/java/org/elasticsearch/xpack/security/TokenPassphraseBootstrapCheck.java
+++ b/plugin/src/main/java/org/elasticsearch/xpack/security/TokenPassphraseBootstrapCheck.java
@@ -19,17 +19,19 @@ final class TokenPassphraseBootstrapCheck implements BootstrapCheck {
 static final int MINIMUM_PASSPHRASE_LENGTH = 8;
- private final Settings settings;
+ private final boolean tokenServiceEnabled;
+ private final SecureString tokenPassphrase;
 TokenPassphraseBootstrapCheck(Settings settings) {
- this.settings = settings;
+ this.tokenServiceEnabled = XPackSettings.TOKEN_SERVICE_ENABLED_SETTING.get(settings);
+ this.tokenPassphrase = TokenService.TOKEN_PASSPHRASE.get(settings);
 }
 @Override
 public boolean check() {
- if (XPackSettings.TOKEN_SERVICE_ENABLED_SETTING.get(settings)) {
- try (SecureString secureString = TokenService.TOKEN_PASSPHRASE.get(settings)) {
- return secureString.length() < MINIMUM_PASSPHRASE_LENGTH || secureString.equals(TokenService.DEFAULT_PASSPHRASE);
+ try (SecureString ignore = tokenPassphrase) {
+ if (tokenServiceEnabled) {
+ return tokenPassphrase.length() < MINIMUM_PASSPHRASE_LENGTH || tokenPassphrase.equals(TokenService.DEFAULT_PASSPHRASE);
 }
 }
 // service is not enabled so no need to check
diff --git a/plugin/src/test/java/org/elasticsearch/xpack/security/TokenPassphraseBootstrapCheckTests.java b/plugin/src/test/java/org/elasticsearch/xpack/security/TokenPassphraseBootstrapCheckTests.java
index 97b99b152ac..6e040a643a0 100644
--- a/plugin/src/test/java/org/elasticsearch/xpack/security/TokenPassphraseBootstrapCheckTests.java
+++ b/plugin/src/test/java/org/elasticsearch/xpack/security/TokenPassphraseBootstrapCheckTests.java
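Review bot: The passphrase copy read in the constructor now sits in the `tokenPassphrase` field until `check()` runs, and it is cleared only by the `try (SecureString ignore = tokenPassphrase)` inside `check()`. If the bootstrap framework never calls `check()`, the secret is never closed, and a second call would evaluate an already-closed SecureString; neither caller behaviour is visible from this hunk, so both need confirming. Evaluating the length and default-value test in the constructor, closing the copy there and keeping only a boolean, removes both concerns, and `check()` would then simply return that boolean. `check()` ends outside the hunk (nothing after the `// service is not enabled` comment is shown), so that tail would need adjusting too.

```java
private final boolean weakPassphrase;

TokenPassphraseBootstrapCheck(Settings settings) {
    final boolean tokenServiceEnabled = XPackSettings.TOKEN_SERVICE_ENABLED_SETTING.get(settings);
    // Close the passphrase copy right away; only the verdict outlives the constructor.
    try (SecureString tokenPassphrase = TokenService.TOKEN_PASSPHRASE.get(settings)) {
        this.weakPassphrase = tokenServiceEnabled
            && (tokenPassphrase.length() < MINIMUM_PASSPHRASE_LENGTH
                || tokenPassphrase.equals(TokenService.DEFAULT_PASSPHRASE));
    }
}

// … check() then only returns weakPassphrase; its tail lies outside the hunk …
```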
@@ -47,4 +47,15 @@ public class TokenPassphraseBootstrapCheckTests extends ESTestCase {
 secureSettings.setString(TokenService.TOKEN_PASSPHRASE.getKey(), TokenService.DEFAULT_PASSPHRASE);
 assertFalse(new TokenPassphraseBootstrapCheck(settings).check());
 }
+
+ public void testTokenPassphraseCheckAfterSecureSettingsClosed() throws Exception {
+ Settings settings = Settings.builder().put(XPackSettings.TOKEN_SERVICE_ENABLED_SETTING.getKey(), true).build();
+ MockSecureSettings secureSettings = new MockSecureSettings();
+ secureSettings.setString("foo", "bar"); // leniency in setSecureSettings... if its empty it's skipped
+ settings = Settings.builder().put(settings).setSecureSettings(secureSettings).build();
+ secureSettings.setString(TokenService.TOKEN_PASSPHRASE.getKey(), TokenService.DEFAULT_PASSPHRASE);
+ final TokenPassphraseBootstrapCheck check = new TokenPassphraseBootstrapCheck(settings);
+ secureSettings.close();
+ assertTrue(check.check());
+ }
 }
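Review bot: `testTokenPassphraseCheckAfterSecureSettingsClosed` exercises only the rejecting path: it stores `TokenService.DEFAULT_PASSPHRASE` and expects `assertTrue(check.check())`, so it would also pass if the check reported failure for some unrelated reason once the keystore is closed. A second case that stores a non-default passphrase of at least `MINIMUM_PASSPHRASE_LENGTH` characters, closes `secureSettings`, and ends with `assertFalse(check.check());` would show that the value captured at construction is the one being evaluated. The comment on the `"foo"` entry could be spelled out as `// setSecureSettings skips an empty MockSecureSettings, so add a dummy entry first`. The enclosing test class starts outside the hunk.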