This is an automated email from the ASF dual-hosted git repository. alsuliman pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/asterixdb.git
commit 84935cdbf530d0812966827a94d8d7dfc211ce94 Author: Michael Blow <[email protected]> AuthorDate: Tue Nov 23 16:02:21 2021 -0500 [NO ISSUE][HYR][NET] += trust store to sec cfg Change-Id: I358eb5b9b0f0f40b1588c12ed473e4e920e8fbbe Reviewed-on: https://asterix-gerrit.ics.uci.edu/c/asterixdb/+/14184 Integration-Tests: Jenkins <[email protected]> Tested-by: Jenkins <[email protected]> Reviewed-by: Michael Blow <[email protected]> Reviewed-by: Ian Maxon <[email protected]>
---
 .../api/network/INetworkSecurityConfig.java | 17 ++++++++++++- .../ipc/security/NetworkSecurityConfig.java | 29 ++++++++++++++-------- .../ipc/security/NetworkSecurityManager.java | 8 ++++-- 3 files changed, 41 insertions(+), 13 deletions(-)
diff --git a/hyracks-fullstack/hyracks/hyracks-api/src/main/java/org/apache/hyracks/api/network/INetworkSecurityConfig.java b/hyracks-fullstack/hyracks/hyracks-api/src/main/java/org/apache/hyracks/api/network/INetworkSecurityConfig.java
index 772ee9f..95c3efc 100644
--- a/hyracks-fullstack/hyracks/hyracks-api/src/main/java/org/apache/hyracks/api/network/INetworkSecurityConfig.java
+++ b/hyracks-fullstack/hyracks/hyracks-api/src/main/java/org/apache/hyracks/api/network/INetworkSecurityConfig.java
@@ -20,6 +20,7 @@ package org.apache.hyracks.api.network;
 
 import java.io.File;
 import java.security.KeyStore;
+import java.util.Optional;
 
 public interface INetworkSecurityConfig {
 
@@ -52,9 +53,23 @@ public interface INetworkSecurityConfig {
     String getKeyStorePassword();
 
     /**
-     * Gets a trust store file to be used for validating certificates of secured connections.
+     * Gets the trust store to be used for validating certificates of secured connections
+     *
+     * @return the trust store to be used
+     */
+    KeyStore getTrustStore();
+
+    /**
+     * Gets a trust store file to be used if {@link INetworkSecurityConfig#getTrustStore()} returns null.
      *
      * @return the trust store file
      */
     File getTrustStoreFile();
+
+    /**
+     * Gets the password for the trust store file, if configured
+     *
+     * @return the password to the trust store file, if configured
+     */
+    Optional<String> getTrustStorePassword();
 }
\ No newline at end of file
diff --git a/hyracks-fullstack/hyracks/hyracks-ipc/src/main/java/org/apache/hyracks/ipc/security/NetworkSecurityConfig.java b/hyracks-fullstack/hyracks/hyracks-ipc/src/main/java/org/apache/hyracks/ipc/security/NetworkSecurityConfig.java
index 7f02830..5ebd282 100644
--- a/hyracks-fullstack/hyracks/hyracks-ipc/src/main/java/org/apache/hyracks/ipc/security/NetworkSecurityConfig.java
+++ b/hyracks-fullstack/hyracks/hyracks-ipc/src/main/java/org/apache/hyracks/ipc/security/NetworkSecurityConfig.java
@@ -20,6 +20,7 @@ package org.apache.hyracks.ipc.security;
 
 import java.io.File;
 import java.security.KeyStore;
+import java.util.Optional;
 
 import org.apache.hyracks.api.network.INetworkSecurityConfig;
 
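Review bot: `getTrustStore()` is nullable by contract — the Javadoc added on `getTrustStoreFile()` relies on it returning null — but its own Javadoc does not say so, while the sibling `getTrustStorePassword()` added in the same hunk expresses absence with `Optional`. Either make the two consistent with `Optional<KeyStore> getTrustStore();`, or state the contract in the doc: `@return the trust store to be used, or {@code null} to load it from {@link #getTrustStoreFile()}`. It would also help to say on `getTrustStorePassword()` that an empty value means the trust store file is opened without a password, since implementors decide this and the manager passes the value straight through.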
@@ -29,44 +30,52 @@ public class NetworkSecurityConfig implements INetworkSecurityConfig {
     private final File keyStoreFile;
     private final File trustStoreFile;
     private final String keyStorePassword;
-    private final KeyStore keyStore;
 
     private NetworkSecurityConfig(boolean sslEnabled, String keyStoreFile, String keyStorePassword,
-            String trustStoreFile, KeyStore keyStore) {
+            String trustStoreFile) {
         this.sslEnabled = sslEnabled;
         this.keyStoreFile = keyStoreFile != null ? new File(keyStoreFile) : null;
         this.keyStorePassword = keyStorePassword;
         this.trustStoreFile = trustStoreFile != null ? new File(trustStoreFile) : null;
-        this.keyStore = keyStore;
     }
 
     public static NetworkSecurityConfig of(boolean sslEnabled, String keyStoreFile, String keyStorePassword,
             String trustStoreFile) {
-        return new NetworkSecurityConfig(sslEnabled, keyStoreFile, keyStorePassword, trustStoreFile, null);
-    }
-
-    public static NetworkSecurityConfig of(boolean sslEnabled, KeyStore keyStore, String keyStorePassword,
-            String trustStoreFile) {
-        return new NetworkSecurityConfig(sslEnabled, null, keyStorePassword, trustStoreFile, keyStore);
+        return new NetworkSecurityConfig(sslEnabled, keyStoreFile, keyStorePassword, trustStoreFile);
     }
 
+    @Override
     public boolean isSslEnabled() {
         return sslEnabled;
     }
 
+    @Override
     public File getKeyStoreFile() {
         return keyStoreFile;
     }
 
+    @Override
     public String getKeyStorePassword() {
         return keyStorePassword;
     }
 
+    @Override
     public KeyStore getKeyStore() {
-        return keyStore;
+        return null;
     }
 
+    @Override
+    public KeyStore getTrustStore() {
+        return null;
+    }
+
+    @Override
     public File getTrustStoreFile() {
         return trustStoreFile;
     }
+
+    @Override
+    public Optional<String> getTrustStorePassword() {
+        return Optional.empty();
+    }
 }
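Review bot: `getTrustStorePassword()` returning `Optional.empty()` unconditionally is a behaviour change for this implementation: before this commit NetworkSecurityManager used `getKeyStorePassword()` both for the `javax.net.ssl.trustStorePassword` property and for `loadTrustStoreFromFile`, so a trust store file protected with the key store password now receives a null password (the two NetworkSecurityManager hunks below are where this lands). If that fallback is meant to survive, `return Optional.ofNullable(keyStorePassword);` preserves it; if dropping it is intended, a sentence in the commit message or on the method would save the next reader from guessing. The getters that now hard-code `return null;` (`getKeyStore()`, `getTrustStore()`) would also read better with a one-line comment such as `// file-backed config: stores are always loaded from the *File getters` so they are not mistaken for unfinished stubs.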
diff --git a/hyracks-fullstack/hyracks/hyracks-ipc/src/main/java/org/apache/hyracks/ipc/security/NetworkSecurityManager.java b/hyracks-fullstack/hyracks/hyracks-ipc/src/main/java/org/apache/hyracks/ipc/security/NetworkSecurityManager.java
index 0c8d429..e352260 100644
--- a/hyracks-fullstack/hyracks/hyracks-ipc/src/main/java/org/apache/hyracks/ipc/security/NetworkSecurityManager.java
+++ b/hyracks-fullstack/hyracks/hyracks-ipc/src/main/java/org/apache/hyracks/ipc/security/NetworkSecurityManager.java
@@ -43,7 +43,7 @@ public class NetworkSecurityManager implements INetworkSecurityManager {
         this.config = config;
         if (config.isSslEnabled()) {
             System.setProperty("javax.net.ssl.trustStore", config.getTrustStoreFile().getAbsolutePath());
-            System.setProperty("javax.net.ssl.trustStorePassword", config.getKeyStorePassword());
+            config.getTrustStorePassword().ifPresent(pw -> System.setProperty("javax.net.ssl.trustStorePassword", pw));
         }
         sslSocketFactory = new SslSocketChannelFactory(this);
     }
@@ -60,7 +60,11 @@ public class NetworkSecurityManager implements INetworkSecurityManager {
         KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(defaultAlgorithm);
         TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(defaultAlgorithm);
         keyManagerFactory.init(engineKeyStore, password);
-        final KeyStore trustStore = loadTrustStoreFromFile(password);
+        KeyStore trustStore = config.getTrustStore();
+        if (trustStore == null) {
+            trustStore =
+                    loadTrustStoreFromFile(config.getTrustStorePassword().map(String::toCharArray).orElse(null));
+        }
         trustManagerFactory.init(trustStore);
         SSLContext ctx = SSLContext.getInstance(TSL_VERSION);
         ctx.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), new SecureRandom());
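Review bot: The new interface lets an implementation supply the trust store in memory and return null from `getTrustStoreFile()`, but the unchanged line just above the added one still calls `config.getTrustStoreFile().getAbsolutePath()` unconditionally, so such a config throws NullPointerException in this constructor (NetworkSecurityConfig itself stores null when no path is given). Guard the property the same way the password is now guarded: `File tsf = config.getTrustStoreFile(); if (tsf != null) { System.setProperty("javax.net.ssl.trustStore", tsf.getAbsolutePath()); }`. These are JVM-wide properties that redirect every other JSSE client in the process to this trust store, which may be intended but deserves a comment on the `if (config.isSslEnabled())` block. The enclosing constructor starts outside the hunk.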
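Review bot: `config.getTrustStorePassword().map(String::toCharArray).orElse(null)` opens the trust store file with a null password whenever no trust store password is configured, which is exactly what NetworkSecurityConfig returns; if loadTrustStoreFromFile forwards that to `KeyStore.load` (its body is outside the hunk), a JKS or PKCS12 trust store is loaded without its integrity MAC being verified, so a modified trust store file is no longer detected at startup. The removed line used the key store password here, so deployments that relied on that should be considered before merging. A short comment on the `if (trustStore == null)` branch, `// no in-memory trust store supplied: fall back to the configured file; with no password its integrity is not verified`, would make the trade-off explicit. The enclosing method starts and ends outside the hunk.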
