Improve CryptoService error message on missing secure file (#43623) (#44364)

This improves the error message when encrypting of sensitive watcher
data is configured, but no system file was specified in the keystore.
This error message is displayed on startup.

This also closes the input stream of the secure file properly.

Closes #43619

Author: jbaiera

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/watcher/crypto/CryptoService.java

@@ -8,21 +8,20 @@
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.elasticsearch.ElasticsearchException;
+import org.elasticsearch.common.CharArrays;
 import org.elasticsearch.common.io.Streams;
 import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Setting.Property;
 import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.xpack.core.watcher.WatcherField;
 import org.elasticsearch.xpack.core.security.SecurityField;
-import org.elasticsearch.common.CharArrays;
+import org.elasticsearch.xpack.core.watcher.WatcherField;
 
 import javax.crypto.BadPaddingException;
 import javax.crypto.Cipher;
 import javax.crypto.IllegalBlockSizeException;
 import javax.crypto.SecretKey;
 import javax.crypto.spec.IvParameterSpec;
 import javax.crypto.spec.SecretKeySpec;
-
 import java.io.IOException;
 import java.io.InputStream;
 import java.security.MessageDigest;
@@ -79,11 +78,16 @@ public CryptoService(Settings settings) throws IOException {
             throw new IllegalArgumentException("invalid key length [" + keyLength + "]. value must be a multiple of 8");
         }
 
-        SecretKey systemKey = readSystemKey(WatcherField.ENCRYPTION_KEY_SETTING.get(settings));
-        try {
-            encryptionKey = encryptionKey(systemKey, keyLength, keyAlgorithm);
-        } catch (NoSuchAlgorithmException nsae) {
-            throw new ElasticsearchException("failed to start crypto service. could not load encryption key", nsae);
+        try (InputStream in = WatcherField.ENCRYPTION_KEY_SETTING.get(settings)) {
+            if (in == null) {
+                throw new ElasticsearchException("setting [" + WatcherField.ENCRYPTION_KEY_SETTING.getKey() + "] must be set in keystore");
+            }
+            SecretKey systemKey = readSystemKey(in);
+            try {
+                encryptionKey = encryptionKey(systemKey, keyLength, keyAlgorithm);
+            } catch (NoSuchAlgorithmException nsae) {
+                throw new ElasticsearchException("failed to start crypto service. could not load encryption key", nsae);
+            }
         }
         assert encryptionKey != null : "the encryption key should never be null";
     }

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/watcher/crypto/CryptoServiceTests.java

@@ -54,6 +54,11 @@ public void testEncryptedChar() throws Exception {
         assertThat(service.isEncrypted(service.encrypt(randomAlphaOfLength(10).toCharArray())), is(true));
     }
 
+    public void testErrorMessageWhenSecureEncryptionKeySettingDoesNotExist() throws Exception {
+        final ElasticsearchException e = expectThrows(ElasticsearchException.class, () -> new CryptoService(Settings.EMPTY));
+        assertThat(e.getMessage(), is("setting [" + WatcherField.ENCRYPTION_KEY_SETTING.getKey() + "] must be set in keystore"));
+    }
+
     public static byte[] generateKey() {
         try {
             KeyGenerator generator = KeyGenerator.getInstance(CryptoService.KEY_ALGO);