[Backport 2.19] Always install demo certs if configured with demo certs

CHANGELOG.md

@@ -10,3 +10,4 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Bump `checkstyle` from 10.3.3 to 10.26.1 ([#5480](https://github.com/opensearch-project/security/pull/5480))
 - Add tenancy access info to serialized user in threadcontext ([#5519](https://github.com/opensearch-project/security/pull/5519))
 - Optimized wildcard matching runtime performance ([#5543](https://github.com/opensearch-project/security/pull/5543))
+- Always install demo certs if configured with demo certs ([#5517](https://github.com/opensearch-project/security/pull/5517))

src/main/java/org/opensearch/security/tools/democonfig/CertificateGenerator.java

@@ -33,23 +33,19 @@ public CertificateGenerator(Installer installer) {
     public void createDemoCertificates() {
         for (Certificates cert : Certificates.values()) {
             String filePath = this.installer.OPENSEARCH_CONF_DIR + File.separator + cert.getFileName();
-            writeCertificateToFile(filePath, cert.getContent());
-        }
-    }
-
-    /**
-     * Helper method to write the certificates to their own file
-     * @param filePath the file which needs to be written
-     * @param content the content which needs to be written to this file
-     */
-    static void writeCertificateToFile(String filePath, String content) {
-        try {
-            FileWriter fileWriter = new FileWriter(filePath, StandardCharsets.UTF_8);
-            fileWriter.write(content);
-            fileWriter.close();
-        } catch (IOException e) {
-            System.err.println("Error writing certificate file: " + filePath);
-            System.exit(-1);
+            File file = new File(filePath);
+            if (file.exists()) {
+                System.out.println("File " + filePath + " already exists. Skipping.");
+                continue;
+            }
+            try {
+                FileWriter fileWriter = new FileWriter(filePath, StandardCharsets.UTF_8);
+                fileWriter.write(cert.getContent());
+                fileWriter.close();
+            } catch (IOException e) {
+                System.err.println("Error writing certificate file: " + filePath);
+                System.exit(-1);
+            }
         }
     }
 }

src/main/java/org/opensearch/security/tools/democonfig/Installer.java

@@ -40,8 +40,7 @@ public class Installer {
     private static Installer instance;
 
     private static SecuritySettingsConfigurer securitySettingsConfigurer;
-
-    private static CertificateGenerator certificateGenerator;
+    static CertificateGenerator certificateGenerator;
 
     boolean assumeyes = false;
     boolean initsecurity = false;

src/main/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurer.java

@@ -37,6 +37,7 @@
 import org.yaml.snakeyaml.Yaml;
 
 import static org.opensearch.security.DefaultObjectMapper.YAML_MAPPER;
+import static org.opensearch.security.tools.democonfig.Installer.certificateGenerator;
 
 /**
  * This class updates the security related configuration, as needed.
@@ -103,6 +104,59 @@ public void configureSecuritySettings() throws IOException {
         writeSecurityConfigToOpenSearchYML();
     }
 
+    boolean isSecurityPluginIsConfiguredWithDemoCerts() {
+        if (installer.OPENSEARCH_CONF_FILE == null || !new File(installer.OPENSEARCH_CONF_FILE).exists()) {
+            return false;
+        }
+
+        try (BufferedReader br = new BufferedReader(new FileReader(installer.OPENSEARCH_CONF_FILE, StandardCharsets.UTF_8))) {
+            Yaml yaml = new Yaml();
+            Map<String, Object> yamlData = yaml.load(br);
+            if (yamlData == null) return false;
+
+            String[] requiredSettings = {
+                "plugins.security.ssl.transport.pemcert_filepath",
+                "plugins.security.ssl.transport.pemkey_filepath",
+                "plugins.security.ssl.transport.pemtrustedcas_filepath",
+                "plugins.security.ssl.http.pemcert_filepath",
+                "plugins.security.ssl.http.pemkey_filepath",
+                "plugins.security.ssl.http.pemtrustedcas_filepath" };
+
+            String[] expectedValues = { "esnode.pem", "esnode-key.pem", "root-ca.pem", "esnode.pem", "esnode-key.pem", "root-ca.pem" };
+
+            for (int i = 0; i < requiredSettings.length; i++) {
+                String value = getNestedValue(yamlData, requiredSettings[i]);
+                if (!expectedValues[i].equals(value)) {
+                    return false;
+                }
+            }
+            return true;
+        } catch (IOException e) {
+            return false;
+        }
+    }
+
+    @SuppressWarnings("unchecked")
+    private String getNestedValue(Map<String, Object> yamlData, String key) {
+        // Check for flattened key first
+        if (yamlData.containsKey(key)) {
+            Object value = yamlData.get(key);
+            return value instanceof String ? (String) value : null;
+        }
+
+        // Check for nested structure
+        String[] parts = key.split("\\.");
+        Object current = yamlData;
+        for (String part : parts) {
+            if (current instanceof Map) {
+                current = ((Map<String, Object>) current).get(part);
+            } else {
+                return null;
+            }
+        }
+        return current instanceof String ? (String) current : null;
+    }
+
     /**
      * Checks if security plugin is already configured. If so, the script execution will exit.
      */
@@ -117,6 +171,9 @@ void checkIfSecurityPluginIsAlreadyConfigured() {
                     // Check for flat keys
                     for (String key : yamlData.keySet()) {
                         if (key.startsWith("plugins.security")) {
+                            if (isSecurityPluginIsConfiguredWithDemoCerts()) {
+                                certificateGenerator.createDemoCertificates();
+                            }
                             System.out.println(installer.OPENSEARCH_CONF_FILE + " seems to be already configured for Security. Quit.");
                             System.exit(installer.skip_updates);
                         }
@@ -126,6 +183,9 @@ void checkIfSecurityPluginIsAlreadyConfigured() {
                         Map<String, Object> plugins = (Map<String, Object>) yamlData.get("plugins");
                         for (String key : plugins.keySet()) {
                             if (key.startsWith("security")) {
+                                if (isSecurityPluginIsConfiguredWithDemoCerts()) {
+                                    certificateGenerator.createDemoCertificates();
+                                }
                                 System.out.println(installer.OPENSEARCH_CONF_FILE + " seems to be already configured for Security. Quit.");
                                 System.exit(installer.skip_updates);
                             }