Class SslConfigurationLoader

java.lang.Object
org.elasticsearch.common.ssl.SslConfigurationLoader

public abstract class SslConfigurationLoader extends Object
Loads SslConfiguration from settings. This class handles the logic of interpreting the various "ssl.*" configuration settings and their interactions (as well as being aware of dependencies and conflicts between different settings). The constructed SslConfiguration has sensible defaults for any settings that are not explicitly configured, and these defaults can be overridden through the various setDefaultXyz methods. It is abstract because this library has minimal dependencies, so the extraction of the setting values from the underlying setting source must be handled by the code that makes use of this class.
  • Field Details

    • GLOBAL_DEFAULT_RESTRICTED_TRUST_FIELDS

      public static final List<X509Field> GLOBAL_DEFAULT_RESTRICTED_TRUST_FIELDS
    • DEFAULT_HANDSHAKE_TIMEOUT

      public static final TimeValue DEFAULT_HANDSHAKE_TIMEOUT
  • Constructor Details

    • SslConfigurationLoader

      public SslConfigurationLoader(String settingPrefix)
      Construct a new loader with the "standard" default values.
      Parameters:
      settingPrefix - The prefix to apply to all settings that are loaded. It may be the empty string, otherwise it must end in a "." (period). For example, if the prefix is "reindex.ssl." then the keys that are passed to methods like getSettingAsString(String) will be in the form "reindex.ssl.verification_mode", and those same keys will be reported in error messages (via SslConfigException).
  • Method Details

    • setDefaultTrustConfig

      public void setDefaultTrustConfig(SslTrustConfig defaultTrustConfig)
      Change the default trust config. The initial trust config is DefaultJdkTrustConfig, which trusts the JDK's default CA certs.
    • setDefaultKeyConfig

      public void setDefaultKeyConfig(SslKeyConfig defaultKeyConfig)
      Change the default key config. The initial key config is EmptyKeyConfig, which does not provide any keys.
    • setDefaultVerificationMode

      public void setDefaultVerificationMode(SslVerificationMode defaultVerificationMode)
      Change the default verification mode. The initial verification mode is SslVerificationMode.FULL.
    • setDefaultClientAuth

      public void setDefaultClientAuth(SslClientAuthenticationMode defaultClientAuth)
      Change the default client authentication mode. The initial client auth mode is SslClientAuthenticationMode.OPTIONAL.
    • setDefaultCiphers

      public void setDefaultCiphers(List<String> defaultCiphers)
      Change the default supported ciphers.
    • setDefaultProtocols

      public void setDefaultProtocols(List<String> defaultProtocols)
      Change the default SSL/TLS protocol list. The initial protocol list is defined by DEFAULT_PROTOCOLS.
    • setKeyStoreFilter

      public void setKeyStoreFilter(Function<KeyStore,KeyStore> keyStoreFilter)
      Apply a filter function to any keystore that is loaded.
    • setDefaultRestrictedTrustFields

      public void setDefaultRestrictedTrustFields(List<X509Field> x509Fields)
    • hasSettings

      protected abstract boolean hasSettings(String prefix)
      Clients of this class should implement this method to determine whether there are any settings for a given prefix. This is used to populate SslConfiguration.explicitlyConfigured().
    • getSettingAsString

      protected abstract String getSettingAsString(String key) throws Exception
      Clients of this class should implement this method to load a fully-qualified key from the preferred settings source. This method will be called for basic string settings (see SslConfigurationKeys.getStringKeys()).

      The setting should be returned as a string, and this class will convert it to the relevant type.

      Throws:
      Exception - If a RuntimeException is thrown, it will be rethrown unwrapped. All checked exceptions are wrapped in SslConfigException before being rethrown.
    • getSecureSetting

      protected abstract char[] getSecureSetting(String key) throws Exception
      Clients of this class should implement this method to load a fully-qualified key from the preferred secure settings source. This method will be called for any setting keys that are marked as being secure settings.
      Throws:
      Exception - If a RuntimeException is thrown, it will be rethrown unwrapped. All checked exceptions are wrapped in SslConfigException before being rethrown.
    • getSettingAsList

      protected abstract List<String> getSettingAsList(String key) throws Exception
      Clients of this class should implement this method to load a fully-qualified key from the preferred settings source. This method will be called for list settings (see SslConfigurationKeys.getListKeys()).

      The setting should be returned as a list of strings, and this class will convert the values to the relevant type.

      Throws:
      Exception - If a RuntimeException is thrown, it will be rethrown unwrapped. All checked exceptions are wrapped in SslConfigException before being rethrown.
    • load

      public SslConfiguration load(Path basePath)
      Resolve all necessary configuration settings, and load a SslConfiguration.
      Parameters:
      basePath - The base path to use for any settings that represent file paths. Typically points to the Elasticsearch configuration directory.
      Throws:
      SslConfigException - For any problems with the configuration, or with loading the required SSL classes.
    • buildTrustConfig

      protected SslTrustConfig buildTrustConfig(Path basePath, SslVerificationMode verificationMode, SslKeyConfig keyConfig, @Nullable Set<X509Field> restrictedTrustFields)
    • buildDefaultTrustConfig

      protected static SslTrustConfig buildDefaultTrustConfig(SslTrustConfig trustConfig, SslKeyConfig keyConfig)
    • buildKeyConfig

      public SslKeyConfig buildKeyConfig(Path basePath)
    • resolvePath

      protected Path resolvePath(String settingKey, Path basePath)
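As an added example (not code from Elasticsearch itself), a minimal concrete subclass that supplies the four abstract methods from in-memory maps and then calls load(Path), using the "reindex.ssl." prefix and the "reindex.ssl.verification_mode" key from the constructor description. The class name MapBackedSslLoader, the two maps and the sample values are assumptions; the SslConfiguration accessors are not used, so only members documented on this page are called.

```java
import java.nio.file.Path;
import java.util.List;
import java.util.Map;
import org.elasticsearch.common.ssl.SslConfiguration;
import org.elasticsearch.common.ssl.SslConfigurationLoader;
import org.elasticsearch.common.ssl.SslVerificationMode;

/** Hypothetical client of SslConfigurationLoader that reads settings from maps. */
public class MapBackedSslLoader extends SslConfigurationLoader {
    private final Map<String, String> settings;   // plain (non-secret) settings
    private final Map<String, char[]> secure;     // secrets, kept out of the plain map

    public MapBackedSslLoader(String prefix, Map<String, String> settings, Map<String, char[]> secure) {
        super(prefix);                // e.g. "reindex.ssl." (must end with ".")
        this.settings = settings;
        this.secure = secure;
        // Defaults apply only when the source is silent; keeping FULL means an
        // absent setting does not quietly turn off hostname verification.
        setDefaultVerificationMode(SslVerificationMode.FULL);
    }

    @Override
    protected boolean hasSettings(String prefix) {
        // Any key under the prefix marks the configuration as explicitly configured.
        return settings.keySet().stream().anyMatch(k -> k.startsWith(prefix))
            || secure.keySet().stream().anyMatch(k -> k.startsWith(prefix));
    }

    @Override
    protected String getSettingAsString(String key) {
        return settings.get(key);     // key arrives fully qualified, e.g. "reindex.ssl.verification_mode"
    }

    @Override
    protected char[] getSecureSetting(String key) {
        return secure.get(key);       // secrets are only ever read from the secure map
    }

    @Override
    protected List<String> getSettingAsList(String key) {
        String value = settings.get(key);
        return value == null ? List.of() : List.of(value.split("\\s*,\\s*"));
    }

    public static SslConfiguration example(Path configDir) {
        // Constructed sample settings; a value of "none" here would disable certificate checks.
        Map<String, String> plain = Map.of("reindex.ssl.verification_mode", "full");
        Map<String, char[]> secrets = Map.of();
        return new MapBackedSslLoader("reindex.ssl.", plain, secrets).load(configDir);
    }
}
```

A checked exception thrown from any of the overridden getters surfaces from load(Path) wrapped in SslConfigException, as documented above, so callers need only catch that one type.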