Add more meaningful keystore version mismatch errors (#46291)

This commit changes the version bounds check used when reading the keystore
to give better error messages when the keystore format is too new or too old.

relates #44624
Ryan Ernst 2019-09-11 09:53:52 -07:00 committed by Ryan Ernst
parent 44c4412406
commit fa9327cdb9
1 changed files with 12 additions and 2 deletions


@ -20,6 +20,8 @@
package org.elasticsearch.common.settings;
import org.apache.lucene.codecs.CodecUtil;
import org.apache.lucene.index.IndexFormatTooNewException;
import org.apache.lucene.index.IndexFormatTooOldException;
import org.apache.lucene.store.BufferedChecksumIndexInput;
import org.apache.lucene.store.ChecksumIndexInput;
import org.apache.lucene.store.IOContext;
@ -40,7 +42,6 @@ import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
@ -217,7 +218,16 @@ public class KeyStoreWrapper implements SecureSettings {
SimpleFSDirectory directory = new SimpleFSDirectory(configDir);
try (IndexInput indexInput = directory.openInput(KEYSTORE_FILENAME, IOContext.READONCE)) {
ChecksumIndexInput input = new BufferedChecksumIndexInput(indexInput);
int formatVersion = CodecUtil.checkHeader(input, KEYSTORE_FILENAME, MIN_FORMAT_VERSION, FORMAT_VERSION);
final int formatVersion;
try {
formatVersion = CodecUtil.checkHeader(input, KEYSTORE_FILENAME, MIN_FORMAT_VERSION, FORMAT_VERSION);
} catch (IndexFormatTooOldException e) {
throw new IllegalStateException("The Elasticsearch keystore [" + keystoreFile + "] format is too old. " +
"You should delete and recreate it in order to upgrade.", e);
} catch (IndexFormatTooNewException e) {
throw new IllegalStateException("The Elasticsearch keystore [" + keystoreFile + "] format is too new. " +
"Are you trying to downgrade? You should delete and recreate it in order to downgrade.", e);
}
byte hasPasswordByte = input.readByte();
boolean hasPassword = hasPasswordByte == 1;
if (hasPassword == false && hasPasswordByte != 0) {
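Review bot: Both new messages tell the operator to delete the keystore, but neither says that doing so discards every secure setting stored in it, so someone who follows the advice literally loses those values. Consider extending the text in the two `catch` branches, e.g. `"You should delete and recreate it in order to upgrade; the secure settings it holds must be added again afterwards."`, with equivalent wording for the downgrade case. The branches also replace `IndexFormatTooOldException`/`IndexFormatTooNewException` (both `IOException` subclasses) with an unchecked `IllegalStateException`, so a caller that handles `IOException` from this method would presumably no longer see them; this is worth confirming against the callers, which are outside the hunk. The commit touches a single file, so neither branch appears to be covered by a test. The enclosing method starts and ends outside the hunk.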