This is an automated email from the ASF dual-hosted git repository.
jkonisa pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/cassandra-sidecar.git
The following commit(s) were added to refs/heads/trunk by this push:
new 646f13fd CASSSIDECAR-401 Incorrect SSL Configuration Keys in
CdcPublisher.secretsProvider() (#315)
646f13fd is described below
commit 646f13fd333687ba4debc569acd79f4be252f07e
Author: Jyothsna konisa <[email protected]>
AuthorDate: Thu Feb 12 05:02:48 2026 -0800
CASSSIDECAR-401 Incorrect SSL Configuration Keys in
CdcPublisher.secretsProvider() (#315)
Patch by Jyothsna Konisa; Reviewed by Bernardo Botella and Josh McKenzie
for CASSSIDECAR-401
---
CHANGES.txt | 1 +
.../apache/cassandra/sidecar/cdc/CdcPublisher.java | 38 ++++---------
.../cassandra/sidecar/cdc/CdcPublisherTests.java | 63 +++++++++++++++++++++-
3 files changed, 71 insertions(+), 31 deletions(-)
diff --git a/CHANGES.txt b/CHANGES.txt
index 674c6ccf..de8b008a 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -1,5 +1,6 @@
0.3.0
-----
+ * Incorrect SSL Configuration Keys in CdcPublisher.secretsProvider()
(CASSSIDECAR-401)
* Fix ClusterTopologyMonitor delay parsing error due to missing time unit
suffix (CASSSIDECAR-406)
* Adding storage_port to instance configuration and metadata (CASSSIDECAR-399)
* Sidecar endpoint to support on-demand repair operation (CASSSIDECAR-268)
diff --git
a/server/src/main/java/org/apache/cassandra/sidecar/cdc/CdcPublisher.java
b/server/src/main/java/org/apache/cassandra/sidecar/cdc/CdcPublisher.java
index 38c8bdd4..75aa6667 100644
--- a/server/src/main/java/org/apache/cassandra/sidecar/cdc/CdcPublisher.java
+++ b/server/src/main/java/org/apache/cassandra/sidecar/cdc/CdcPublisher.java
@@ -18,9 +18,9 @@
package org.apache.cassandra.sidecar.cdc;
-import java.util.HashMap;
import java.util.List;
import java.util.Map;
+import java.util.TreeMap;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -76,19 +76,6 @@ public class CdcPublisher implements
Handler<Message<Object>>, PeriodicTask
private static final Logger LOGGER =
LoggerFactory.getLogger(CdcPublisher.class);
private static final long INITIALIZATION_LOOP_DELAY_MILLIS = 1000;
- // SSL Configuration Keys
- private static final String SSL_ENABLED_KEY = "enabled";
- private static final String SSL_PREFER_OPENSSL_KEY = "preferOpenSSL";
- private static final String SSL_CLIENT_AUTH_KEY = "clientAuth";
- private static final String SSL_CIPHER_SUITES_KEY = "cipherSuites";
- private static final String SSL_SECURE_TRANSPORT_PROTOCOLS_KEY =
"secureTransportProtocols";
- private static final String SSL_HANDSHAKE_TIMEOUT_KEY = "handshakeTimeout";
- private static final String SSL_KEYSTORE_PATH_KEY = "keystorePath";
- private static final String SSL_KEYSTORE_PASSWORD_KEY = "keystorePassword";
- private static final String SSL_KEYSTORE_TYPE_KEY = "keystoreType";
- private static final String SSL_TRUSTSTORE_PATH_KEY = "truststorePath";
- private static final String SSL_TRUSTSTORE_PASSWORD_KEY =
"truststorePassword";
- private static final String SSL_TRUSTSTORE_TYPE_KEY = "truststoreType";
private final TaskExecutorPool executorPools;
private final CdcConfig conf;
private volatile boolean isRunning = false;
@@ -163,29 +150,22 @@ public class CdcPublisher implements
Handler<Message<Object>>, PeriodicTask
return null;
}
- Map<String, String> sslConfigMap = new HashMap<>();
-
- sslConfigMap.put(SSL_ENABLED_KEY, sslConfiguration.enabled() + "");
- sslConfigMap.put(SSL_PREFER_OPENSSL_KEY,
sslConfiguration.preferOpenSSL() + "");
- sslConfigMap.put(SSL_CLIENT_AUTH_KEY, sslConfiguration.clientAuth());
- sslConfigMap.put(SSL_CIPHER_SUITES_KEY, String.join(",",
sslConfiguration.cipherSuites()));
- sslConfigMap.put(SSL_SECURE_TRANSPORT_PROTOCOLS_KEY, String.join(",",
sslConfiguration.secureTransportProtocols()));
- sslConfigMap.put(SSL_HANDSHAKE_TIMEOUT_KEY,
sslConfiguration.handshakeTimeout().toString());
+ Map<String, String> sslConfigMap = new
TreeMap<>(String.CASE_INSENSITIVE_ORDER);
if (sslConfiguration.isKeystoreConfigured())
{
KeyStoreConfiguration keystore = sslConfiguration.keystore();
- sslConfigMap.put(SSL_KEYSTORE_PATH_KEY, keystore.path());
- sslConfigMap.put(SSL_KEYSTORE_PASSWORD_KEY, keystore.password());
- sslConfigMap.put(SSL_KEYSTORE_TYPE_KEY, keystore.type());
+ sslConfigMap.put(SslConfig.KEYSTORE_PATH, keystore.path());
+ sslConfigMap.put(SslConfig.KEYSTORE_PASSWORD, keystore.password());
+ sslConfigMap.put(SslConfig.KEYSTORE_TYPE, keystore.type());
}
if (sslConfiguration.isTrustStoreConfigured())
{
KeyStoreConfiguration truststore = sslConfiguration.truststore();
- sslConfigMap.put(SSL_TRUSTSTORE_PATH_KEY, truststore.path());
- sslConfigMap.put(SSL_TRUSTSTORE_PASSWORD_KEY,
truststore.password());
- sslConfigMap.put(SSL_TRUSTSTORE_TYPE_KEY, truststore.type());
+ sslConfigMap.put(SslConfig.TRUSTSTORE_PATH, truststore.path());
+ sslConfigMap.put(SslConfig.TRUSTSTORE_PASSWORD,
truststore.password());
+ sslConfigMap.put(SslConfig.TRUSTSTORE_TYPE, truststore.type());
}
SslConfig sslConfig = SslConfig.create(sslConfigMap);
@@ -234,7 +214,7 @@ public class CdcPublisher implements
Handler<Message<Object>>, PeriodicTask
{
return;
}
- databaseAccessor.session(); // throws IllegalStateException if session
unavailable
+ databaseAccessor.session();
cdcManager = new CdcManager(eventConsumer(conf, avroSerializer),
schemaSupplier,
diff --git
a/server/src/test/java/org/apache/cassandra/sidecar/cdc/CdcPublisherTests.java
b/server/src/test/java/org/apache/cassandra/sidecar/cdc/CdcPublisherTests.java
index f6eecf10..4665e555 100644
---
a/server/src/test/java/org/apache/cassandra/sidecar/cdc/CdcPublisherTests.java
+++
b/server/src/test/java/org/apache/cassandra/sidecar/cdc/CdcPublisherTests.java
@@ -36,6 +36,7 @@ import org.apache.cassandra.cdc.sidecar.ClusterConfigProvider;
import org.apache.cassandra.cdc.sidecar.SidecarCdcClient;
import org.apache.cassandra.cdc.stats.ICdcStats;
import org.apache.cassandra.secrets.SecretsProvider;
+import org.apache.cassandra.secrets.SslConfigSecretsProvider;
import
org.apache.cassandra.sidecar.common.server.utils.SecondBoundConfiguration;
import org.apache.cassandra.sidecar.concurrent.ExecutorPools;
import org.apache.cassandra.sidecar.concurrent.TaskExecutorPool;
@@ -187,11 +188,15 @@ public class CdcPublisherTests
SecretsProvider result = cdcPublisher.secretsProvider();
assertThat(result).isNotNull();
+ assertThat(result.keyStoreType()).isEqualTo("JKS");
+
assertThat(result.keyStorePassword()).isEqualTo("keystorePassword".toCharArray());
}
@Test
void testSecretsProviderWithTruststoreOnly()
{
+ // SslConfig validation requires keystore password to always be
provided
+ // This test validates that truststore-only configuration is rejected
KeyStoreConfiguration truststoreConfig = mockKeystoreConfiguration(
"/path/to/truststore.jks",
"truststorePassword",
@@ -212,9 +217,13 @@ public class CdcPublisherTests
when(sslConfig.truststore()).thenReturn(truststoreConfig);
when(sidecarConfiguration.sidecarClientConfiguration().sslConfiguration()).thenReturn(sslConfig);
- SecretsProvider result = cdcPublisher.secretsProvider();
+ // SslConfig.create() validates and requires keystore password when
any SSL config is provided
+ IllegalArgumentException exception =
org.junit.jupiter.api.Assertions.assertThrows(
+ IllegalArgumentException.class,
+ () -> cdcPublisher.secretsProvider()
+ );
- assertThat(result).isNotNull();
+ assertThat(exception.getMessage()).contains("KEYSTORE_PASSWORD");
}
@Test
@@ -250,6 +259,56 @@ public class CdcPublisherTests
SecretsProvider result = cdcPublisher.secretsProvider();
assertThat(result).isNotNull();
+ assertThat(result.keyStoreType()).isEqualTo("PKCS12");
+
assertThat(result.keyStorePassword()).isEqualTo("keystorePass123".toCharArray());
+ assertThat(result.trustStoreType()).isEqualTo("PKCS12");
+
assertThat(result.trustStorePassword()).isEqualTo("truststorePass456".toCharArray());
+ }
+
+ @Test
+ void testSecretsProviderUsesCorrectSslConfigKeys()
+ {
+ // This test validates that CdcPublisher uses SslConfig constants with
MapUtils.lowerCaseKey()
+ KeyStoreConfiguration keystoreConfig = mockKeystoreConfiguration(
+ "/path/to/keystore.jks",
+ "keystorePassword",
+ "JKS"
+ );
+
+ KeyStoreConfiguration truststoreConfig = mockKeystoreConfiguration(
+ "/path/to/truststore.jks",
+ "truststorePassword",
+ "PKCS12"
+ );
+
+ SslConfiguration sslConfig = mockSslConfiguration(
+ true,
+ false,
+ "REQUIRED",
+ Collections.emptyList(),
+ Arrays.asList("TLSv1.2"),
+ "10s",
+ true,
+ true
+ );
+
+ when(sslConfig.keystore()).thenReturn(keystoreConfig);
+ when(sslConfig.truststore()).thenReturn(truststoreConfig);
+
when(sidecarConfiguration.sidecarClientConfiguration().sslConfiguration()).thenReturn(sslConfig);
+
+ SecretsProvider result = cdcPublisher.secretsProvider();
+
+ // Validate that the SecretsProvider was created successfully using
the correct keys
+ assertThat(result).isNotNull();
+ assertThat(result).isInstanceOf(SslConfigSecretsProvider.class);
+
+ // Verify keystore configuration is accessible
+ assertThat(result.keyStoreType()).isEqualTo("JKS");
+
assertThat(result.keyStorePassword()).isEqualTo("keystorePassword".toCharArray());
+
+ // Verify truststore configuration is accessible
+ assertThat(result.trustStoreType()).isEqualTo("PKCS12");
+
assertThat(result.trustStorePassword()).isEqualTo("truststorePassword".toCharArray());
}
@Test
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
