Repository: knox Updated Branches: refs/heads/master 7468deb44 -> d0aa9ec73
KNOX-1254 - Make sure Remote Alias Registry prefers remote over local Project: http://git-wip-us.apache.org/repos/asf/knox/repo Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/d0aa9ec7 Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/d0aa9ec7 Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/d0aa9ec7 Branch: refs/heads/master Commit: d0aa9ec73f747554be8d588fa9db66fead26da5e Parents: 7468deb Author: Sandeep More <[email protected]> Authored: Wed Apr 18 21:29:22 2018 -0400 Committer: Sandeep More <[email protected]> Committed: Wed Apr 18 21:29:22 2018 -0400 ---------------------------------------------------------------------- .../security/impl/RemoteAliasService.java | 22 ++++++++--------- .../security/impl/RemoteAliasMonitorTest.java | 25 +++++++++++++++++++- 2 files changed, 35 insertions(+), 12 deletions(-) ----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/knox/blob/d0aa9ec7/gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/RemoteAliasService.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/RemoteAliasService.java b/gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/RemoteAliasService.java
index 9ba5d0b..b0a47f0 100644
--- a/gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/RemoteAliasService.java
+++ b/gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/RemoteAliasService.java
@@ -330,13 +330,7 @@ public class RemoteAliasService implements AliasService {
 /* convert all alias names to lower case since JDK expects the same behaviour */
 final String alias = givenAlias.toLowerCase();
- char[] password;
- /* try to get it from the local keystore, ignore generate flag. */
- password = localAliasService
- .getPasswordFromAliasForCluster(clusterName, alias);
- if (password != null) {
- return password;
- }
+ char[] password = null;
 /* try to get it from remote registry */
 if (remoteClient != null) {
@@ -356,7 +350,7 @@ public class RemoteAliasService implements AliasService {
 } else {
 try {
- return decrypt(encrypted).toCharArray();
+ password = decrypt(encrypted).toCharArray();
 } catch (final Exception e) {
 throw new AliasServiceException(e);
 }
@@ -364,9 +358,15 @@ public class RemoteAliasService implements AliasService {
 }
- /* Case where remote registry is not configured and we need to generate password and save it locally */
- else if (generate) {
- return localAliasService
+ /*
+ * If
+ * 1. Remote registry not configured or
+ * 2. Password not found for given alias in remote registry,
+ * Then try local keystore
+ */
+ if(password == null) {
+ /* try to get it from the local keystore, ignore generate flag. */
+ password = localAliasService
 .getPasswordFromAliasForCluster(clusterName, alias, generate);
 }
http://git-wip-us.apache.org/repos/asf/knox/blob/d0aa9ec7/gateway-server/src/test/java/org/apache/knox/gateway/security/impl/RemoteAliasMonitorTest.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/test/java/org/apache/knox/gateway/security/impl/RemoteAliasMonitorTest.java b/gateway-server/src/test/java/org/apache/knox/gateway/security/impl/RemoteAliasMonitorTest.java
index b6a4ab9..2558bbe 100644
--- a/gateway-server/src/test/java/org/apache/knox/gateway/security/impl/RemoteAliasMonitorTest.java
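Review bot: In RemoteAliasService.java, the `@@ -356,7 +350,7 @@` hunk keeps the `catch (final Exception e) { throw new AliasServiceException(e); }` around `decrypt(encrypted)`, so now that the remote registry is consulted first, a remote entry that fails to decrypt makes the lookup throw before the local keystore is ever tried. Failing closed looks like the right behaviour, since a silent fallback would mask corruption of or tampering with the remote entry, but it is a behaviour change for aliases that also exist locally and nothing in the hunk states it. I would add a comment above the `try`, e.g. `/* fail closed: an undecryptable remote entry is an error and must not fall through to the local keystore */`. The enclosing method begins and ends outside the hunk.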
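Review bot: In the `@@ -364,9 +358,15 @@` hunk of RemoteAliasService.java, the comment `/* try to get it from the local keystore, ignore generate flag. */` was carried over from the removed two-argument call but now sits on a call that passes `generate`, so it says the opposite of what the code does. This fallback also runs when the remote registry is configured but holds no entry for the alias, and whether the local service may then create a password is not visible here; the comment should say so, e.g. `/* fall back to the local keystore; generate is forwarded to the local service */`. The block comment above it should also state that a remote entry overrides a local one with the same alias, because with this precedence the integrity of the remote store (its ACLs and the encryption key) decides which credential the gateway uses. Minor style: `if(password == null)` lacks the space after `if` that `if (remoteClient != null)` in the first hunk has.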
+++ b/gateway-server/src/test/java/org/apache/knox/gateway/security/impl/RemoteAliasMonitorTest.java @@ -66,6 +66,10 @@ public class RemoteAliasMonitorTest { private static String expectedClusterNameDev = "development"; private static String expectedAliasDev = "knox.test.alias.dev"; private static String expectedPasswordDev = "otherDummyPassword"; + + private static String preferRemoteAlias = "prefer.remote.alias"; + private static String preferRemoteAliasEncryptedPassword = "QmgrK2JBRlE1MUU9OjpIYzZlVUttKzdaWkFOSjlYZVVyVzNRPT06Om5kdTQ3WTJ1by9vSHprZUZHcjBqVG5TaGxsMFVUdUNyN0EvUlZDV1ZHQUU9"; + private static String preferRemoteAliasClearPassword = "ApacheKnoxPassword123"; /* For CLI tests */ private final ByteArrayOutputStream outContent = new ByteArrayOutputStream(); private final ByteArrayOutputStream errContent = new ByteArrayOutputStream(); @@ -123,12 +127,21 @@ public class RemoteAliasMonitorTest { .withACL(acls).forPath( RemoteAliasService.PATH_KNOX_ALIAS_STORE_TOPOLOGY + RemoteAliasService. PATH_SEPARATOR + expectedClusterNameDev); + assertNotNull("Failed to create node:" + RemoteAliasService.PATH_KNOX_ALIAS_STORE_TOPOLOGY + RemoteAliasService. PATH_SEPARATOR + expectedClusterNameDev, client.checkExists().forPath( RemoteAliasService.PATH_KNOX_ALIAS_STORE_TOPOLOGY + RemoteAliasService. PATH_SEPARATOR + expectedClusterNameDev)); + + /* Start Zookeeper with an existing alias */ + client.create().withMode(CreateMode.PERSISTENT). + forPath(RemoteAliasService.PATH_KNOX_ALIAS_STORE_TOPOLOGY + + RemoteAliasService. + PATH_SEPARATOR + expectedClusterName + + RemoteAliasService.PATH_SEPARATOR + preferRemoteAlias, + preferRemoteAliasEncryptedPassword.getBytes()); } @AfterClass 
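Review bot: In the `@@ -123,12 +127,21 @@` hunk the new `client.create().withMode(CreateMode.PERSISTENT).forPath(...)` call omits `.withACL(acls)`, while the create call in the context lines above it ends in `.withACL(acls).forPath(`, so the seeded alias node gets the default ACL rather than the one the rest of the fixture uses. If the test is meant to mirror the protected alias store, chain `.withACL(acls)` before `forPath`. `preferRemoteAliasEncryptedPassword.getBytes()` also depends on the platform default charset; `getBytes(StandardCharsets.UTF_8)` would pin it, which needs the `java.nio.charset.StandardCharsets` import if the file does not already have it. The setup method starts outside the hunk.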
@@ -184,6 +197,9 @@ public class RemoteAliasMonitorTest { EasyMock.expect(defaultAlias.getAliasesForCluster(expectedClusterNameDev)) .andReturn(new ArrayList<>()).anyTimes(); + EasyMock.expect(defaultAlias.getPasswordFromAliasForCluster(expectedClusterName, preferRemoteAlias)) + .andReturn("thisiswrong".toCharArray()).anyTimes(); + EasyMock.replay(defaultAlias); final DefaultMasterService ms = EasyMock @@ -212,7 +228,7 @@ public class RemoteAliasMonitorTest { .getAliasesForCluster(expectedClusterNameDev); /* no alias added so ist should be empty */ - Assert.assertEquals(aliases.size(), 0); + Assert.assertEquals(aliases.size(), 1); Assert.assertEquals(aliasesDev.size(), 0); @@ -251,6 +267,13 @@ public class RemoteAliasMonitorTest { Assert.assertEquals(expectedPassword, new String(result)); Assert.assertEquals(expectedPasswordDev, new String(result1)); + /* test that remote alias service prefers remote over local */ + final char[] prefAliasResult = zkAlias + .getPasswordFromAliasForCluster(expectedClusterName, preferRemoteAlias); + Assert.assertEquals(preferRemoteAliasClearPassword, new String(prefAliasResult)); + + zkAlias.stop(); + } }
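Review bot: In the `@@ -184,6 +197,9 @@` hunk the stub is placed on the two-argument `getPasswordFromAliasForCluster(expectedClusterName, preferRemoteAlias)`, but the fallback added to RemoteAliasService in this commit reaches the local service only through the three-argument overload `(clusterName, alias, generate)`. The `"thisiswrong"` value can therefore surface only if the old local-first lookup comes back; a regression that consults the local keystore first through the three-argument overload would receive the mock's default and the test would still pass. Assuming `defaultAlias` is the mock handed to the service as its local alias service, I would add a matching expectation, e.g. `EasyMock.expect(defaultAlias.getPasswordFromAliasForCluster(EasyMock.eq(expectedClusterName), EasyMock.eq(preferRemoteAlias), EasyMock.anyBoolean())).andReturn("thisiswrong".toCharArray()).anyTimes();`. The test method starts outside the hunk.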
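Review bot: In the `@@ -212,7 +228,7 @@` hunk the comment `/* no alias added so ist should be empty */` is left directly above `Assert.assertEquals(aliases.size(), 1);` and now contradicts it. I would replace it with something like `/* one alias (prefer.remote.alias) is pre-seeded in the remote registry during setup; the dev cluster has none */`. Assuming this is JUnit's `Assert`, the arguments are also in (actual, expected) order, so a failure message would be inverted; `Assert.assertEquals(1, aliases.size());` reads correctly.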
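Review bot: In the `@@ -251,6 +267,13 @@` hunk `zkAlias.stop();` runs only when every assertion before it passes, so a failing assertion leaves the service and whatever registry client it holds running for the rest of the test class. Wrapping the assertions as `try { … } finally { zkAlias.stop(); }` would release it on both paths. The test method starts outside the hunk, so the `try` would have to open where `zkAlias` is started, which is not visible here.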
