Module org.elasticsearch.sslconfig
Package org.elasticsearch.common.ssl
Class SslConfigurationLoader
java.lang.Object
org.elasticsearch.common.ssl.SslConfigurationLoader
Loads SslConfiguration from settings.
This class handles the logic of interpreting the various "ssl.*" configuration settings and their interactions
(as well as being aware of dependencies and conflicts between different settings).
The constructed SslConfiguration has sensible defaults for any settings that are not explicitly configured,
and these defaults can be overridden through the various setDefaultXyz methods.
It is abstract because this library has minimal dependencies, so the extraction of the setting values from
the underlying setting source must be handled by the code that makes use of this class.
Field Summary
Fields
Modifier and Type    Field    Description

Constructor Summary
Constructors
Constructor    Description
SslConfigurationLoader(String settingPrefix)
    Construct a new loader with the "standard" default values.

Method Summary
Modifier and Type    Method    Description
protected static SslTrustConfig buildDefaultTrustConfig(SslTrustConfig trustConfig, SslKeyConfig keyConfig)
buildKeyConfig(Path basePath)
protected SslTrustConfig buildTrustConfig(Path basePath, SslVerificationMode verificationMode, SslKeyConfig keyConfig, Set<X509Field> restrictedTrustFields)
protected abstract char[] getSecureSetting(String key)
    Clients of this class should implement this method to load a fully-qualified key from the preferred secure settings source.
getSettingAsList(String key)
    Clients of this class should implement this method to load a fully-qualified key from the preferred settings source.
protected abstract String getSettingAsString(String key)
    Clients of this class should implement this method to load a fully-qualified key from the preferred settings source.
protected abstract boolean hasSettings(String prefix)
    Clients of this class should implement this method to determine whether there are any settings for a given prefix.
load
    Resolve all necessary configuration settings, and load a SslConfiguration.
protected Path resolvePath(String settingKey, Path basePath)
void setDefaultCiphers(List<String> defaultCiphers)
    Change the default supported ciphers.
void setDefaultClientAuth(SslClientAuthenticationMode defaultClientAuth)
    Change the default client authentication mode.
void setDefaultKeyConfig(SslKeyConfig defaultKeyConfig)
    Change the default key config.
void setDefaultProtocols(List<String> defaultProtocols)
    Change the default SSL/TLS protocol list.
void setDefaultRestrictedTrustFields(List<X509Field> x509Fields)
void setDefaultTrustConfig(SslTrustConfig defaultTrustConfig)
    Change the default trust config.
void setDefaultVerificationMode(SslVerificationMode defaultVerificationMode)
    Change the default verification mode.
void setKeyStoreFilter(Function<KeyStore, KeyStore> keyStoreFilter)
    Apply a filter function to any keystore that is loaded.
Field Details
GLOBAL_DEFAULT_RESTRICTED_TRUST_FIELDS
Constructor Details
SslConfigurationLoader
Construct a new loader with the "standard" default values.
Parameters:
settingPrefix - The prefix to apply to all settings that are loaded. It may be the empty string, otherwise it must end in a "." (period). For example, if the prefix is "reindex.ssl." then the keys that are passed to methods like getSettingAsString(String) will be in the form "reindex.ssl.verification_mode", and those same keys will be reported in error messages (via SslConfigException).
Method Details

setDefaultTrustConfig
Change the default trust config. The initial trust config is DefaultJdkTrustConfig, which trusts the JDK's default CA certs.

setDefaultKeyConfig
Change the default key config. The initial key config is EmptyKeyConfig, which does not provide any keys.

setDefaultVerificationMode
Change the default verification mode. The initial verification mode is SslVerificationMode.FULL.

setDefaultClientAuth
Change the default client authentication mode. The initial client auth mode is SslClientAuthenticationMode.OPTIONAL.

setDefaultCiphers
Change the default supported ciphers.

setDefaultProtocols
Change the default SSL/TLS protocol list. The initial protocol list is defined by DEFAULT_PROTOCOLS.

setKeyStoreFilter
Apply a filter function to any keystore that is loaded.

setDefaultRestrictedTrustFields
hasSettings
Clients of this class should implement this method to determine whether there are any settings for a given prefix. This is used to populate SslConfiguration.explicitlyConfigured().

getSettingAsString
Clients of this class should implement this method to load a fully-qualified key from the preferred settings source. This method will be called for basic string settings (see SslConfigurationKeys.getStringKeys()). The setting should be returned as a string, and this class will convert it to the relevant type.
Throws:
Exception - If a RuntimeException is thrown, it will be rethrown unwrapped. All checked exceptions are wrapped in SslConfigException before being rethrown.

getSecureSetting
Clients of this class should implement this method to load a fully-qualified key from the preferred secure settings source. This method will be called for any setting keys that are marked as being secure settings.
Throws:
Exception - If a RuntimeException is thrown, it will be rethrown unwrapped. All checked exceptions are wrapped in SslConfigException before being rethrown.

getSettingAsList
Clients of this class should implement this method to load a fully-qualified key from the preferred settings source. This method will be called for list settings (see SslConfigurationKeys.getListKeys()). The setting should be returned as a list of strings, and this class will convert the values to the relevant type.
Throws:
Exception - If a RuntimeException is thrown, it will be rethrown unwrapped. All checked exceptions are wrapped in SslConfigException before being rethrown.
load
Resolve all necessary configuration settings, and load a SslConfiguration.
Parameters:
basePath - The base path to use for any settings that represent file paths. Typically points to the Elasticsearch configuration directory.
Throws:
SslConfigException - For any problems with the configuration, or with loading the required SSL classes.

buildTrustConfig
protected SslTrustConfig buildTrustConfig(Path basePath, SslVerificationMode verificationMode, SslKeyConfig keyConfig, @Nullable Set<X509Field> restrictedTrustFields)

buildDefaultTrustConfig
protected static SslTrustConfig buildDefaultTrustConfig(SslTrustConfig trustConfig, SslKeyConfig keyConfig)

buildKeyConfig

resolvePath
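
The four abstract methods described above, implemented over in-memory maps and then used through load. This is an added example, not code from the Elasticsearch project. The class name MapSslConfigurationLoader, the sample values and the base path are constructed; it assumes that returning null for an absent key means "not configured", that list values are stored comma-separated, and that "supported_protocols" is the library's key for the protocol list.

```java
import org.elasticsearch.common.ssl.SslConfiguration;
import org.elasticsearch.common.ssl.SslConfigurationLoader;
import java.nio.file.Path;
import java.util.List;
import java.util.Map;

// Added example: supplies "ssl.*" settings from in-memory maps (hypothetical class name).
public class MapSslConfigurationLoader extends SslConfigurationLoader {
    private final Map<String, String> settings; // plain settings; lists are comma-separated
    private final Map<String, char[]> secure;   // secure settings such as key passwords

    public MapSslConfigurationLoader(String prefix, Map<String, String> settings, Map<String, char[]> secure) {
        super(prefix); // empty string, or a prefix ending in "."
        this.settings = settings;
        this.secure = secure;
    }

    @Override
    protected boolean hasSettings(String prefix) {
        return settings.keySet().stream().anyMatch(k -> k.startsWith(prefix))
            || secure.keySet().stream().anyMatch(k -> k.startsWith(prefix));
    }

    @Override
    protected String getSettingAsString(String key) {
        return settings.get(key); // assumption: null means "not configured", so the default applies
    }

    @Override
    protected char[] getSecureSetting(String key) {
        char[] value = secure.get(key);
        return value == null ? null : value.clone(); // hand out a copy the caller may clear
    }

    @Override
    protected List<String> getSettingAsList(String key) {
        String value = settings.get(key);
        return value == null ? null : List.of(value.split("\\s*,\\s*"));
    }

    public static void main(String[] args) {
        // Constructed sample settings; every key carries the "reindex.ssl." prefix.
        Map<String, String> settings = Map.of(
            "reindex.ssl.verification_mode", "full",
            "reindex.ssl.supported_protocols", "TLSv1.3,TLSv1.2");
        SslConfigurationLoader loader = new MapSslConfigurationLoader("reindex.ssl.", settings, Map.of());
        SslConfiguration config = loader.load(Path.of("/path/to/config")); // placeholder base path
        System.out.println("explicitly configured: " + config.explicitlyConfigured());
    }
}
```

Keys the maps do not contain fall back to the loader's defaults, so a configuration that omits verification_mode still verifies with SslVerificationMode.FULL unless setDefaultVerificationMode was called first.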