Elasticsearch keystore passphrase for startup scripts

Vagrantfile

@@ -471,6 +471,7 @@ JAVA
     ensure curl
     ensure unzip
     ensure rsync
+    ensure expect
 
     installed bats || {
       # Bats lives in a git repository....

distribution/docker/src/docker/bin/docker-entrypoint.sh

@@ -84,8 +84,18 @@ if [[ -f bin/elasticsearch-users ]]; then
   # honor the variable if it's present.
   if [[ -n "$ELASTIC_PASSWORD" ]]; then
     [[ -f /usr/share/elasticsearch/config/elasticsearch.keystore ]] || (run_as_other_user_if_needed elasticsearch-keystore create)
-    if ! (run_as_other_user_if_needed elasticsearch-keystore list | grep -q '^bootstrap.password$'); then
-      (run_as_other_user_if_needed echo "$ELASTIC_PASSWORD" | elasticsearch-keystore add -x 'bootstrap.password')
+    if ! (run_as_other_user_if_needed elasticsearch-keystore has-passwd --silent) ; then
+      # keystore is unencrypted
+      if ! (run_as_other_user_if_needed elasticsearch-keystore list | grep -q '^bootstrap.password$'); then
+        (run_as_other_user_if_needed echo "$ELASTIC_PASSWORD" | elasticsearch-keystore add -x 'bootstrap.password')
+      fi
+    else
+      # keystore requires password
+      if ! (run_as_other_user_if_needed echo "$KEYSTORE_PASSWORD" \
+          | elasticsearch-keystore list | grep -q '^bootstrap.password$') ; then
+        COMMANDS="$(printf "%s\n%s" "$KEYSTORE_PASSWORD" "$ELASTIC_PASSWORD")"
+        (run_as_other_user_if_needed echo "$COMMANDS" | elasticsearch-keystore add -x 'bootstrap.password')
+      fi
     fi
   fi
 fi
@@ -97,4 +107,4 @@ if [[ "$(id -u)" == "0" ]]; then
   fi
 fi
 
-run_as_other_user_if_needed /usr/share/elasticsearch/bin/elasticsearch "${es_opts[@]}"
+run_as_other_user_if_needed /usr/share/elasticsearch/bin/elasticsearch "${es_opts[@]}" <<<"$KEYSTORE_PASSWORD"

distribution/packages/build.gradle

@@ -234,6 +234,10 @@ Closure commonPackageConfig(String type, boolean oss, boolean jdk) {
       from "${packagingFiles}/systemd/sysctl/elasticsearch.conf"
       fileMode 0644
     }
+    into('/usr/share/elasticsearch/bin') {
+      from "${packagingFiles}/systemd/systemd-entrypoint"
+      fileMode 0755
+    }
 
     // ========= sysV init =========
     configurationFile '/etc/init.d/elasticsearch'

distribution/packages/src/common/scripts/posttrans

@@ -4,7 +4,12 @@ if [ ! -f /etc/elasticsearch/elasticsearch.keystore ]; then
     chmod 660 /etc/elasticsearch/elasticsearch.keystore
     md5sum /etc/elasticsearch/elasticsearch.keystore > /etc/elasticsearch/.elasticsearch.keystore.initial_md5sum
 else
-    /usr/share/elasticsearch/bin/elasticsearch-keystore upgrade
+    if /usr/share/elasticsearch/bin/elasticsearch-keystore has-passwd --silent ; then
+      echo "### Warning: unable to upgrade encrypted keystore" 1>&2
+      echo " Please run elasticsearch-keystore upgrade and enter password" 1>&2
+    else
+      /usr/share/elasticsearch/bin/elasticsearch-keystore upgrade
+    fi
 fi
 
 ${scripts.footer}

distribution/packages/src/common/systemd/elasticsearch.service

@@ -19,7 +19,7 @@ WorkingDirectory=/usr/share/elasticsearch
 User=elasticsearch
 Group=elasticsearch
 
-ExecStart=/usr/share/elasticsearch/bin/elasticsearch -p ${PID_DIR}/elasticsearch.pid --quiet
+ExecStart=/usr/share/elasticsearch/bin/systemd-entrypoint -p ${PID_DIR}/elasticsearch.pid --quiet
 
 # StandardOutput is configured to redirect to journalctl since
 # some error messages may be logged in standard output before

distribution/packages/src/common/systemd/systemd-entrypoint

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+# This wrapper script allows SystemD to feed a file containing a passphrase into
+# the main Elasticsearch startup script
+
+if [ -n "$ES_KEYSTORE_PASSPHRASE_FILE" ] ; then
+  exec /usr/share/elasticsearch/bin/elasticsearch "$@" < "$ES_KEYSTORE_PASSPHRASE_FILE"
+else
+  exec /usr/share/elasticsearch/bin/elasticsearch "$@"
+fi

distribution/src/bin/elasticsearch

@@ -20,6 +20,19 @@ if [ -z "$ES_TMPDIR" ]; then
   ES_TMPDIR=`"$JAVA" -cp "$ES_CLASSPATH" org.elasticsearch.tools.launchers.TempDirectory`
 fi
 
+# get keystore password before setting java options to avoid
+# conflicting GC configurations for the keystore tools
+unset KEYSTORE_PASSWORD
+KEYSTORE_PASSWORD=
+if ! echo $* | grep -E -q '(^-h |-h$| -h |--help$|--help |^-V |-V$| -V |--version$|--version )' \
+    && "`dirname "$0"`"/elasticsearch-keystore has-passwd --silent
+then
+  if ! read -s -r -p "Elasticsearch keystore password: " KEYSTORE_PASSWORD ; then
+    echo "Failed to read keystore password on console" 1>&2
+    exit 1
+  fi
+fi
+
 ES_JVM_OPTIONS="$ES_PATH_CONF"/jvm.options
 ES_JAVA_OPTS=`export ES_TMPDIR; "$JAVA" -cp "$ES_CLASSPATH" org.elasticsearch.tools.launchers.JvmOptionsParser "$ES_JVM_OPTIONS"`
 
@@ -35,7 +48,7 @@ if ! echo $* | grep -E '(^-d |-d$| -d |--daemonize$|--daemonize )' > /dev/null;
     -Des.bundled_jdk="$ES_BUNDLED_JDK" \
     -cp "$ES_CLASSPATH" \
     org.elasticsearch.bootstrap.Elasticsearch \
-    "$@"
+    "$@" <<<"$KEYSTORE_PASSWORD"
 else
   exec \
     "$JAVA" \
@@ -48,7 +61,7 @@ else
     -cp "$ES_CLASSPATH" \
     org.elasticsearch.bootstrap.Elasticsearch \
     "$@" \
-    <&- &
+    <<<"$KEYSTORE_PASSWORD" &
   retval=$?
   pid=$!
   [ $retval -eq 0 ] || exit $retval

distribution/src/bin/elasticsearch-cli.bat

@@ -25,5 +25,5 @@ set ES_JAVA_OPTS=-Xms4m -Xmx64m -XX:+UseSerialGC %ES_JAVA_OPTS%
   -cp "%ES_CLASSPATH%" ^
   "%ES_MAIN_CLASS%" ^
   %*
-  
+
 exit /b %ERRORLEVEL%

distribution/src/bin/elasticsearch.bat

@@ -4,6 +4,7 @@ setlocal enabledelayedexpansion
 setlocal enableextensions
 
 SET params='%*'
+SET checkpassword=Y
 
 :loop
 FOR /F "usebackq tokens=1* delims= " %%A IN (!params!) DO (
@@ -18,6 +19,20 @@ FOR /F "usebackq tokens=1* delims= " %%A IN (!params!) DO (
 		SET silent=Y
 	)
 
+	IF "!current!" == "-h" (
+		SET checkpassword=N
+	)
+	IF "!current!" == "--help" (
+		SET checkpassword=N
+	)
+
+	IF "!current!" == "-V" (
+		SET checkpassword=N
+	)
+	IF "!current!" == "--version" (
+		SET checkpassword=N
+	)
+
 	IF "!silent!" == "Y" (
 		SET nopauseonerror=Y
 	) ELSE (
@@ -41,6 +56,18 @@ IF ERRORLEVEL 1 (
 	EXIT /B %ERRORLEVEL%
 )
 
+SET KEYSTORE_PASSWORD=
+IF "%checkpassword%"=="Y" (
+  CALL "%~dp0elasticsearch-keystore.bat" has-passwd --silent
+  IF !ERRORLEVEL! EQU 0 (
+    SET /P KEYSTORE_PASSWORD=Elasticsearch keystore password:
+    IF !ERRORLEVEL! NEQ 0 (
+      ECHO Failed to read keystore password on standard input
+      EXIT /B !ERRORLEVEL!
+    )
+  )
+)
+
 if not defined ES_TMPDIR (
   for /f "tokens=* usebackq" %%a in (`CALL %JAVA% -cp "!ES_CLASSPATH!" "org.elasticsearch.tools.launchers.TempDirectory"`) do set  ES_TMPDIR=%%a
 )
@@ -54,7 +81,20 @@ if "%MAYBE_JVM_OPTIONS_PARSER_FAILED%" == "jvm_options_parser_failed" (
   exit /b 1
 )
 
-%JAVA% %ES_JAVA_OPTS% -Delasticsearch -Des.path.home="%ES_HOME%" -Des.path.conf="%ES_PATH_CONF%" -Des.distribution.flavor="%ES_DISTRIBUTION_FLAVOR%" -Des.distribution.type="%ES_DISTRIBUTION_TYPE%" -Des.bundled_jdk="%ES_BUNDLED_JDK%" -cp "%ES_CLASSPATH%" "org.elasticsearch.bootstrap.Elasticsearch" !newparams!
+rem windows batch pipe will choke on special characters in strings
+SET KEYSTORE_PASSWORD=!KEYSTORE_PASSWORD:^^=^^^^!
+SET KEYSTORE_PASSWORD=!KEYSTORE_PASSWORD:^&=^^^&!
+SET KEYSTORE_PASSWORD=!KEYSTORE_PASSWORD:^|=^^^|!
+SET KEYSTORE_PASSWORD=!KEYSTORE_PASSWORD:^<=^^^<!
+SET KEYSTORE_PASSWORD=!KEYSTORE_PASSWORD:^>=^^^>!
+SET KEYSTORE_PASSWORD=!KEYSTORE_PASSWORD:^\=^^^\!
+
+ECHO.!KEYSTORE_PASSWORD!| %JAVA% %ES_JAVA_OPTS% -Delasticsearch ^
+  -Des.path.home="%ES_HOME%" -Des.path.conf="%ES_PATH_CONF%" ^
+  -Des.distribution.flavor="%ES_DISTRIBUTION_FLAVOR%" ^
+  -Des.distribution.type="%ES_DISTRIBUTION_TYPE%" ^
+  -Des.bundled_jdk="%ES_BUNDLED_JDK%" ^
+  -cp "%ES_CLASSPATH%" "org.elasticsearch.bootstrap.Elasticsearch" !newparams!
 
 endlocal
 endlocal

distribution/tools/keystore-cli/src/main/java/org/elasticsearch/common/settings/HasPasswordKeyStoreCommand.java

@@ -0,0 +1,57 @@
+/*
+ * Licensed to Elasticsearch under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.elasticsearch.common.settings;
+
+import joptsimple.OptionSet;
+import org.elasticsearch.cli.KeyStoreAwareCommand;
+import org.elasticsearch.cli.Terminal;
+import org.elasticsearch.cli.UserException;
+import org.elasticsearch.env.Environment;
+
+import java.nio.file.Path;
+
+public class HasPasswordKeyStoreCommand extends KeyStoreAwareCommand {
+
+    static final int NO_PASSWORD_EXIT_CODE = 1;
+
+    HasPasswordKeyStoreCommand() {
+        super("Succeeds if the keystore exists and is password-protected, " +
+            "fails with exit code " + NO_PASSWORD_EXIT_CODE + " otherwise.");
+    }
+
+    @Override
+    protected void execute(Terminal terminal, OptionSet options, Environment env) throws Exception {
+        final Path configFile = env.configFile();
+        final KeyStoreWrapper keyStore = KeyStoreWrapper.load(configFile);
+
+        // We handle error printing here so we can respect the "--silent" flag
+        // We have to throw an exception to get a nonzero exit code
+        if (keyStore == null) {
+            terminal.errorPrintln(Terminal.Verbosity.NORMAL, "ERROR: Elasticsearch keystore not found");
+            throw new UserException(NO_PASSWORD_EXIT_CODE, null);
+        }
+        if (keyStore.hasPassword() == false) {
+            terminal.errorPrintln(Terminal.Verbosity.NORMAL, "ERROR: Keystore is not password-protected");
+            throw new UserException(NO_PASSWORD_EXIT_CODE, null);
+        }
+
+        terminal.println(Terminal.Verbosity.NORMAL, "Keystore is password-protected");
+    }
+}

distribution/tools/keystore-cli/src/main/java/org/elasticsearch/common/settings/KeyStoreCli.java

@@ -36,6 +36,7 @@ private KeyStoreCli() {
         subcommands.put("remove", new RemoveSettingKeyStoreCommand());
         subcommands.put("upgrade", new UpgradeKeyStoreCommand());
         subcommands.put("passwd", new ChangeKeyStorePasswordCommand());
+        subcommands.put("has-passwd", new HasPasswordKeyStoreCommand());
     }
 
     public static void main(String[] args) throws Exception {

distribution/tools/keystore-cli/src/test/java/org/elasticsearch/bootstrap/BootstrapTests.java

@@ -28,18 +28,30 @@
 import org.elasticsearch.test.ESTestCase;
 import org.junit.After;
 import org.junit.Before;
+import org.junit.Rule;
+import org.junit.rules.ExpectedException;
 
+import java.io.ByteArrayInputStream;
 import java.io.IOException;
+import java.io.InputStream;
+import java.nio.charset.StandardCharsets;
 import java.nio.file.FileSystem;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.util.ArrayList;
 import java.util.List;
 
+import static org.hamcrest.Matchers.equalTo;
+
 public class BootstrapTests extends ESTestCase {
     Environment env;
     List<FileSystem> fileSystems = new ArrayList<>();
 
+    private static final int MAX_PASSPHRASE_LENGTH = 10;
+
+    @Rule
+    public ExpectedException expectedException = ExpectedException.none();
+
     @After
     public void closeMockFileSystems() throws IOException {
         IOUtils.close(fileSystems);
@@ -66,4 +78,47 @@ public void testLoadSecureSettings() throws Exception {
             assertTrue(Files.exists(configPath.resolve("elasticsearch.keystore")));
         }
     }
+
+    public void testReadCharsFromStdin() throws Exception {
+        assertPassphraseRead("hello", "hello");
+        assertPassphraseRead("hello\n", "hello");
+        assertPassphraseRead("hello\r\n", "hello");
+
+        assertPassphraseRead("hellohello", "hellohello");
+        assertPassphraseRead("hellohello\n", "hellohello");
+        assertPassphraseRead("hellohello\r\n", "hellohello");
+
+        assertPassphraseRead("hello\nhi\n", "hello");
+        assertPassphraseRead("hello\r\nhi\r\n", "hello");
+    }
+
+    public void testPassphraseTooLong() throws Exception {
+        expectedException.expect(RuntimeException.class);
+        expectedException.expectMessage("Password exceeded maximum length of 10");
+        // read from an input stream to a character array
+        byte[] source = "hellohello!\n".getBytes(StandardCharsets.UTF_8);
+        try (InputStream stream = new ByteArrayInputStream(source)) {
+            Bootstrap.readPassphrase(stream, MAX_PASSPHRASE_LENGTH);
+        }
+    }
+
+    public void testNoPassPhraseProvided() throws Exception {
+        expectedException.expect(RuntimeException.class);
+        expectedException.expectMessage("Keystore passphrase required but none provided.");
+        // read from an input stream to a character array
+        byte[] source = "\r\n".getBytes(StandardCharsets.UTF_8);
+        try (InputStream stream = new ByteArrayInputStream(source)) {
+            Bootstrap.readPassphrase(stream, MAX_PASSPHRASE_LENGTH);
+        }
+    }
+
+    private void assertPassphraseRead(String source, String expected) {
+        try (InputStream stream = new ByteArrayInputStream(source.getBytes(StandardCharsets.UTF_8))) {
+            char[] result = Bootstrap.readPassphrase(stream, MAX_PASSPHRASE_LENGTH);
+            assertThat(result, equalTo(expected.toCharArray()));
+        } catch (IOException e) {
+            throw new RuntimeException(e);
+        }
+    }
+
 }