org.elasticsearch.xpack.security.enrollment.tool.CreateEnrollmentTokenTool Maven / Gradle / Ivy
Elasticsearch Expanded Pack Plugin - Security
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
package org.elasticsearch.xpack.security.enrollment.tool;
import joptsimple.OptionSet;
import joptsimple.OptionSpec;
import org.elasticsearch.cli.ExitCodes;
import org.elasticsearch.cli.Terminal;
import org.elasticsearch.cli.UserException;
import org.elasticsearch.common.settings.KeyStoreWrapper;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.core.CheckedFunction;
import org.elasticsearch.env.Environment;
import org.elasticsearch.xpack.core.XPackSettings;
import org.elasticsearch.xpack.core.security.CommandLineHttpClient;
import org.elasticsearch.xpack.security.enrollment.ExternalEnrollmentTokenGenerator;
import org.elasticsearch.xpack.security.tool.BaseRunAsSuperuserCommand;
import java.net.URL;
import java.util.List;
import java.util.function.Function;
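/**
 * Command-line tool that creates an enrollment token for an Elasticsearch node or a Kibana
 * instance and prints its encoded form to the terminal.
 *
 * <p>The scope option ({@code --scope} / {@code -s}) is required and must be one of
 * {@link #ALLOWED_SCOPES}. The tool refuses to run unless
 * {@code xpack.security.enrollment.enabled} is {@code true}.
 *
 * <p>Security note: the encoded token is written to the terminal in clear text. An enrollment
 * token is what a new node or Kibana instance presents in order to enroll with the cluster, so
 * the output should be handled as a secret: keep it out of shared logs, CI output and tickets,
 * and hand it to the enrolling instance over a trusted channel.
 */
class CreateEnrollmentTokenTool extends BaseRunAsSuperuserCommand {

    /** Required command-line option carrying the requested token scope. */
    private final OptionSpec<String> scope;
    /** Builds the HTTP client; used here only to obtain the default URL when none is given. */
    private final Function<Environment, CommandLineHttpClient> clientFunction;
    /** Builds the generator that actually creates the token; injectable so tests can stub it. */
    private final CheckedFunction<Environment, ExternalEnrollmentTokenGenerator, Exception> createEnrollmentTokenFunction;
    /** The only scope values {@link #validate} accepts. */
    static final List<String> ALLOWED_SCOPES = List.of("node", "kibana");

    /** Creates the tool wired to the real HTTP client, keystore loader and token generator. */
    CreateEnrollmentTokenTool() {
        this(
            environment -> new CommandLineHttpClient(environment),
            environment -> KeyStoreWrapper.load(environment.configFile()),
            environment -> new ExternalEnrollmentTokenGenerator(environment)
        );
    }

    /**
     * Creates the tool with injectable collaborators.
     *
     * @param clientFunction                builds the HTTP client for an environment
     * @param keyStoreFunction              loads the keystore for an environment; passed straight to the base command
     * @param createEnrollmentTokenFunction builds the enrollment token generator for an environment
     */
    CreateEnrollmentTokenTool(
        Function<Environment, CommandLineHttpClient> clientFunction,
        CheckedFunction<Environment, KeyStoreWrapper, Exception> keyStoreFunction,
        CheckedFunction<Environment, ExternalEnrollmentTokenGenerator, Exception> createEnrollmentTokenFunction
    ) {
        super(clientFunction, keyStoreFunction, "Creates enrollment tokens for elasticsearch nodes and kibana instances");
        this.createEnrollmentTokenFunction = createEnrollmentTokenFunction;
        this.clientFunction = clientFunction;
        scope = parser.acceptsAll(List.of("scope", "s"), "The scope of this enrollment token, can be either \"node\" or \"kibana\"")
            .withRequiredArg()
            .required();
    }

    /**
     * Rejects the invocation when enrollment is disabled or the requested scope is not allowed.
     *
     * @throws UserException with {@link ExitCodes#CONFIG} when {@code xpack.security.enrollment.enabled}
     *                       is not {@code true}, or with {@link ExitCodes#USAGE} when the scope is not in
     *                       {@link #ALLOWED_SCOPES}
     */
    @Override
    protected void validate(Terminal terminal, OptionSet options, Environment env) throws Exception {
        if (XPackSettings.ENROLLMENT_ENABLED.get(env.settings()) == false) {
            throw new UserException(
                ExitCodes.CONFIG,
                "[xpack.security.enrollment.enabled] must be set to `true` to create an enrollment token"
            );
        }
        final String tokenScope = scope.value(options);
        // Allow-list check: only the two known scopes may reach token creation.
        if (ALLOWED_SCOPES.contains(tokenScope) == false) {
            terminal.errorPrintln("The scope of this enrollment token, can only be one of " + ALLOWED_SCOPES);
            throw new UserException(ExitCodes.USAGE, "Invalid scope");
        }
    }

    /**
     * Creates the enrollment token for the requested scope and prints its encoded form.
     *
     * @param username user name handed to the token generator
     * @param password password handed to the token generator; it is never printed by this method
     * @throws UserException with {@link ExitCodes#CANT_CREATE} when token creation fails for any reason
     */
    @Override
    protected void executeCommand(Terminal terminal, OptionSet options, Environment env, String username, SecureString password)
        throws Exception {
        final String tokenScope = scope.value(options);
        // An explicit URL option wins; otherwise use the client's default URL for this environment.
        // urlOption is inherited, not declared in this class.
        // NOTE(review): username/password are passed to the generator together with baseUrl, so they are
        // presumably sent to that URL - confirm the target is the intended node and is reached over TLS.
        final URL baseUrl = options.has(urlOption)
            ? new URL(options.valueOf(urlOption))
            : new URL(clientFunction.apply(env).getDefaultURL());
        try {
            final ExternalEnrollmentTokenGenerator generator = createEnrollmentTokenFunction.apply(env);
            // validate() limits the scope to ALLOWED_SCOPES, so anything that is not "node" is "kibana" here
            // (this relies on the base command calling validate() first - confirm against the base class).
            if (tokenScope.equals("node")) {
                terminal.println(generator.createNodeEnrollmentToken(username, password, baseUrl).getEncoded());
            } else {
                terminal.println(generator.createKibanaEnrollmentToken(username, password, baseUrl).getEncoded());
            }
        } catch (Exception e) {
            terminal.errorPrintln("Unable to create enrollment token for scope [" + tokenScope + "]");
            // Chain the caught exception itself: passing only e.getCause() discards the failure's own
            // type and stack trace, and leaves no cause at all when the exception was not wrapped.
            throw new UserException(ExitCodes.CANT_CREATE, e.getMessage(), e);
        }
    }
}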