This is an automated email from the ASF dual-hosted git repository.

smolnar pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/knox.git


The following commit(s) were added to refs/heads/master by this push:
     new 5bf5f6d  KNOX-2462 - Make credential store type configurable (#381)
5bf5f6d is described below

commit 5bf5f6de9f7315495f4c5e2686ee187e29ed5de7
Author: Sandor Molnar <[email protected]>
AuthorDate: Tue Nov 10 16:30:21 2020 +0100

    KNOX-2462 - Make credential store type configurable (#381)
    
    * KNOX-2462 - Make credential store type configurable
    
    * KNOX-2464 - KnoxCLI should pass GatewayConfig when setting up master 
secret so that encryptor becomes initialized
    
    * KNOX-2463 - Let end-users customize security algorithm for internal 
credential stores
---
 .../org/apache/knox/gateway/GatewayMessages.java   |  3 ++
 .../gateway/config/impl/GatewayConfigImpl.java     | 10 ++++
 .../services/security/impl/CLIMasterService.java   |  2 +-
 .../security/impl/DefaultKeystoreService.java      | 55 +++++++++++++++-------
 .../token/impl/AliasBasedTokenStateService.java    |  3 +-
 .../security/impl/RemoteAliasServiceTest.java      |  7 ++-
 .../impl/DefaultTokenAuthorityServiceTest.java     | 22 +++++++++
 .../apache/knox/gateway/websockets/BadUrlTest.java |  3 ++
 .../gateway/websockets/WebsocketEchoTestBase.java  |  3 ++
 .../WebsocketMultipleConnectionTest.java           |  3 ++
 .../apache/knox/gateway/config/GatewayConfig.java  | 16 +++++++
 .../org/apache/knox/gateway/GatewayTestConfig.java | 10 ++++
 12 files changed, 118 insertions(+), 19 deletions(-)

diff --git 
a/gateway-server/src/main/java/org/apache/knox/gateway/GatewayMessages.java 
b/gateway-server/src/main/java/org/apache/knox/gateway/GatewayMessages.java
index 3c18484..0373e8b 100644
--- a/gateway-server/src/main/java/org/apache/knox/gateway/GatewayMessages.java
+++ b/gateway-server/src/main/java/org/apache/knox/gateway/GatewayMessages.java
@@ -187,6 +187,9 @@ public interface GatewayMessages {
   @Message( level = MessageLevel.INFO, text = "Credential store found for the 
cluster: {0} - no need to create one." )
   void credentialStoreForClusterFoundNotCreating(String clusterName);
 
+  @Message(level = MessageLevel.WARN, text = "An existing credential store 
found for the cluster {0} with a different type of {1}")
+  void credentialStoreForClusterFoundWithDifferentType(String clusterName, 
String existingCredentialStoreType);
+
   @Message( level = MessageLevel.ERROR, text = "Unable to obtain the password 
for the gateway truststore using the alias {0}: {1}" )
   void failedToGetPasswordForGatewayTruststore(String alias, Exception e);
 
diff --git 
a/gateway-server/src/main/java/org/apache/knox/gateway/config/impl/GatewayConfigImpl.java
 
b/gateway-server/src/main/java/org/apache/knox/gateway/config/impl/GatewayConfigImpl.java
index 4efcd13..c0881ac 100644
--- 
a/gateway-server/src/main/java/org/apache/knox/gateway/config/impl/GatewayConfigImpl.java
+++ 
b/gateway-server/src/main/java/org/apache/knox/gateway/config/impl/GatewayConfigImpl.java
@@ -661,6 +661,16 @@ public class GatewayConfigImpl extends Configuration 
implements GatewayConfig {
   }
 
   @Override
+  public String getCredentialStoreAlgorithm() {
+    return get(CREDENTIAL_STORE_ALG, DEFAULT_CREDENTIAL_STORE_ALG);
+  }
+
+  @Override
+  public String getCredentialStoreType() {
+    return get(CREDENTIAL_STORE_TYPE, DEFAULT_CREDENTIAL_STORE_TYPE);
+  }
+
+  @Override
   public int getThreadPoolMax() {
     int i = getInt( THREAD_POOL_MAX, 254 );
     // Testing has shown that a value lower than 5 prevents Jetty from 
servicing request.
diff --git 
a/gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/CLIMasterService.java
 
b/gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/CLIMasterService.java
index 4d0926a..245d668 100644
--- 
a/gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/CLIMasterService.java
+++ 
b/gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/CLIMasterService.java
@@ -38,7 +38,7 @@ public class CLIMasterService extends CMFMasterService 
implements MasterService,
     boolean persisting = options.get( "persist-master").equals("true");
     String securityDir = config.getGatewaySecurityDir();
     String filename = "master";
-    setupMasterSecret(securityDir, filename, persisting);
+    setupMasterSecret(securityDir, filename, persisting, config);
   }
 
   @Override
diff --git 
a/gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/DefaultKeystoreService.java
 
b/gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/DefaultKeystoreService.java
index 9487dc4..e814bf9 100644
--- 
a/gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/DefaultKeystoreService.java
+++ 
b/gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/DefaultKeystoreService.java
@@ -19,6 +19,8 @@ package org.apache.knox.gateway.services.security.impl;
 
 import static 
org.apache.knox.gateway.services.security.AliasService.NO_CLUSTER_NAME;
 
+import org.apache.commons.io.FilenameUtils;
+import org.apache.commons.io.filefilter.PrefixFileFilter;
 import org.apache.commons.lang3.builder.EqualsBuilder;
 import org.apache.commons.lang3.builder.HashCodeBuilder;
 import org.apache.knox.gateway.GatewayMessages;
@@ -35,6 +37,8 @@ import org.apache.knox.gateway.util.X509CertificateUtil;
 import com.github.benmanes.caffeine.cache.Cache;
 import com.github.benmanes.caffeine.cache.Caffeine;
 
+import java.io.File;
+import java.io.FileFilter;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
@@ -69,8 +73,7 @@ import javax.crypto.spec.SecretKeySpec;
 
 public class DefaultKeystoreService implements KeystoreService {
   private static final String DN_TEMPLATE = 
"CN={0},OU=Test,O=Hadoop,L=Test,ST=Test,C=US";
-  public static final String CREDENTIALS_SUFFIX = "-credentials.jceks";
-  private static final String CREDENTIALS_STORE_TYPE = "JCEKS";
+  public static final String CREDENTIALS_SUFFIX = "-credentials.";
   private static final String CERT_GEN_MODE = "hadoop.gateway.cert.gen.mode";
   private static final String CERT_GEN_MODE_LOCALHOST = "localhost";
   private static final String CERT_GEN_MODE_HOSTNAME = "hostname";
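Review bot: `CREDENTIALS_SUFFIX` stays public but now holds only `-credentials.`, so any caller not updated in this commit that still appends it to a cluster name would silently build a file name with no extension. Consider renaming it to show that it is no longer a complete suffix (for example `CREDENTIALS_SUFFIX_PREFIX`), or exposing one static helper that returns the full suffix for a given store type. The AliasBasedTokenStateService hunk at `@@ -114,7 +115,7 @@` already repeats the `CREDENTIALS_SUFFIX + type.toLowerCase(Locale.ROOT)` expression from `init`, and two copies of that rule can drift apart.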
@@ -84,6 +87,10 @@ public class DefaultKeystoreService implements 
KeystoreService {
   private MasterService masterService;
   private Path keyStoreDirPath;
 
+  private String credentialStoreAlgorithm;
+  private String credentialStoreType;
+  private String credentialsSuffix;
+
   public void setMasterService(MasterService ms) {
     this.masterService = ms;
   }
@@ -107,6 +114,10 @@ public class DefaultKeystoreService implements 
KeystoreService {
     if (this.cache == null) {
       this.cache = 
Caffeine.newBuilder().expireAfterAccess(config.getKeystoreCacheEntryTimeToLiveInMinutes(),
 TimeUnit.MINUTES).maximumSize(config.getKeystoreCacheSizeLimit()).build();
     }
+
+    this.credentialStoreAlgorithm = config.getCredentialStoreAlgorithm();
+    this.credentialStoreType = config.getCredentialStoreType();
+    this.credentialsSuffix = CREDENTIALS_SUFFIX + 
this.credentialStoreType.toLowerCase(Locale.ROOT);
   }
 
   @Override
@@ -213,15 +224,27 @@ public class DefaultKeystoreService implements 
KeystoreService {
 
   @Override
   public void createCredentialStoreForCluster(String clusterName) throws 
KeystoreServiceException {
-    createKeyStore(keyStoreDirPath.resolve(clusterName + CREDENTIALS_SUFFIX),
-        CREDENTIALS_STORE_TYPE, masterService.getMasterSecret());
+    checkExistingCredentialStore(clusterName);
+    createKeyStore(keyStoreDirPath.resolve(clusterName + 
this.credentialsSuffix), this.credentialStoreType, 
masterService.getMasterSecret());
+  }
+
+  private void checkExistingCredentialStore(String clusterName) {
+    final File[] existingClusterCredentialStoreFiles = 
keyStoreDirPath.toFile().listFiles((FileFilter) new 
PrefixFileFilter(clusterName + CREDENTIALS_SUFFIX));
+    if (existingClusterCredentialStoreFiles != null) {
+      for (File existingClusterCredentialStoreFile : 
existingClusterCredentialStoreFiles) {
+        String existingCredentialStoreType = 
FilenameUtils.getExtension(existingClusterCredentialStoreFile.getName());
+        if (!this.credentialStoreType.equals(existingCredentialStoreType)) {
+          LOG.credentialStoreForClusterFoundWithDifferentType(clusterName, 
existingCredentialStoreType);
+        }
+      }
+    }
   }
 
   @Override
   public boolean isCredentialStoreForClusterAvailable(String clusterName) 
throws KeystoreServiceException {
-    final Path keyStoreFilePath = keyStoreDirPath.resolve(clusterName + 
CREDENTIALS_SUFFIX);
+    final Path keyStoreFilePath = keyStoreDirPath.resolve(clusterName + 
this.credentialsSuffix);
     try {
-      return isKeyStoreAvailable(keyStoreFilePath, CREDENTIALS_STORE_TYPE, 
masterService.getMasterSecret());
+      return isKeyStoreAvailable(keyStoreFilePath, this.credentialStoreType, 
masterService.getMasterSecret());
     } catch (KeyStoreException | IOException e) {
       throw new KeystoreServiceException(e);
     }
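Review bot: The comparison in `checkExistingCredentialStore` is case-sensitive, but the file extension it is compared against was written with `toLowerCase(Locale.ROOT)`. With the default type `JCEKS` the extension is `jceks`, so the warning fires for an existing store of the same type. Use `if (!this.credentialStoreType.equalsIgnoreCase(existingCredentialStoreType))`. Separately, when the type really does differ, the code only logs and then creates a new empty store, so aliases kept in the old file are no longer visible through this service. The warning text should say so, or the method should refuse to create a second store.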
@@ -281,12 +304,10 @@ public class DefaultKeystoreService implements 
KeystoreService {
   }
 
   @Override
-  public KeyStore getCredentialStoreForCluster(String clusterName)
-      throws KeystoreServiceException {
+  public KeyStore getCredentialStoreForCluster(String clusterName) throws 
KeystoreServiceException {
     // Do not fail getting the credential store if the keystore file does not 
exist.  The returned
     // KeyStore will be empty.  This seems like a potential bug, but is the 
behavior before KNOX-1812
-    return getKeystore(keyStoreDirPath.resolve(clusterName + 
CREDENTIALS_SUFFIX),
-        CREDENTIALS_STORE_TYPE, null, false);
+    return getKeystore(keyStoreDirPath.resolve(clusterName + 
this.credentialsSuffix), this.credentialStoreType, null, false);
   }
 
   @Override
@@ -306,12 +327,12 @@ public class DefaultKeystoreService implements 
KeystoreService {
         try {
           // Add all the credential keys to the keystore
           for (Map.Entry<String, String> credential : credentials.entrySet()) {
-            final Key key = new 
SecretKeySpec(credential.getValue().getBytes(StandardCharsets.UTF_8), "AES");
+            final Key key = new 
SecretKeySpec(credential.getValue().getBytes(StandardCharsets.UTF_8), 
this.credentialStoreAlgorithm);
             ks.setKeyEntry(credential.getKey(), key, 
masterService.getMasterSecret(), null);
           }
 
           // Write all the changes once
-          final Path keyStoreFilePath = keyStoreDirPath.resolve(clusterName + 
CREDENTIALS_SUFFIX);
+          final Path keyStoreFilePath = keyStoreDirPath.resolve(clusterName + 
this.credentialsSuffix);
           writeKeyStoreToFile(ks, keyStoreFilePath, 
masterService.getMasterSecret());
           addToCache(clusterName, credentials);
         } catch (KeyStoreException | IOException | CertificateException | 
NoSuchAlgorithmException e) {
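Review bot: The value now passed as the second argument of `SecretKeySpec` is only the algorithm name recorded with the key. The key bytes are the credential string itself, and how the entry is protected at rest depends on the keystore type and the master secret, not on this setting. A comment on the changed line would stop the option being read as an encryption choice, for example `// algorithm is a label on the stored key; entry protection comes from the store type and master secret`. Also, `SecretKeySpec` throws `IllegalArgumentException` for a null algorithm or an empty credential value, which the visible `catch` list does not cover. The enclosing method starts and ends outside this hunk.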
@@ -347,7 +368,10 @@ public class DefaultKeystoreService implements 
KeystoreService {
   public char[] getCredentialForCluster(String clusterName, String alias, 
KeyStore ks) throws KeystoreServiceException {
     try {
       char[] credential = null;
-      final Key credentialKey = ks.getKey(alias, 
masterService.getMasterSecret());
+      Key credentialKey = ks.getKey(alias, masterService.getMasterSecret());
+      if (credentialKey == null) {
+        credentialKey = ks.getKey(alias.toLowerCase(Locale.ROOT), 
masterService.getMasterSecret());
+      }
       if (credentialKey != null) {
         final String credentialString = new String(credentialKey.getEncoded(), 
StandardCharsets.UTF_8);
         credential = credentialString.toCharArray();
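Review bot: The lower-case retry added in `getCredentialForCluster` has no comment explaining why a second lookup is needed, and the reason is not visible in this hunk. Presumably some store types keep aliases lower-cased; if so, say it above the retry, e.g. `// some keystore types store aliases lower-cased; retry so mixed-case lookups still resolve`. On a store type whose aliases are case-sensitive, a request for a mixed-case alias can now return the entry stored under the lower-case name, so confirm this is intended for every type the new setting allows. The method continues outside this hunk.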
@@ -380,7 +404,7 @@ public class DefaultKeystoreService implements 
KeystoreService {
           removeFromCache(clusterName, aliases);
 
           // Update the keystore file once to reflect all the alias deletions
-          final Path keyStoreFilePath = keyStoreDirPath.resolve(clusterName + 
CREDENTIALS_SUFFIX);
+          final Path keyStoreFilePath = keyStoreDirPath.resolve(clusterName + 
this.credentialsSuffix);
           writeKeyStoreToFile(ks, keyStoreFilePath, 
masterService.getMasterSecret());
         } catch (KeyStoreException | IOException | CertificateException | 
NoSuchAlgorithmException e) {
           LOG.failedToRemoveCredentialForCluster(clusterName, e);
@@ -488,8 +512,7 @@ public class DefaultKeystoreService implements 
KeystoreService {
 
   // Package private for unit test access
   // We need this to be synchronized to prevent multiple threads from using at 
once
-  synchronized KeyStore createKeyStore(Path keystoreFilePath, String 
keystoreType, char[] password)
-      throws KeystoreServiceException {
+  synchronized KeyStore createKeyStore(Path keystoreFilePath, String 
keystoreType, char[] password) throws KeystoreServiceException {
     if (Files.notExists(keystoreFilePath)) {
       // Ensure the parent directory exists...
       try {
diff --git 
a/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/AliasBasedTokenStateService.java
 
b/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/AliasBasedTokenStateService.java
index 4886cef..2581d94 100644
--- 
a/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/AliasBasedTokenStateService.java
+++ 
b/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/AliasBasedTokenStateService.java
@@ -24,6 +24,7 @@ import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
+import java.util.Locale;
 import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
@@ -114,7 +115,7 @@ public class AliasBasedTokenStateService extends 
DefaultTokenStateService {
     }
 
     if (tokenStateServiceStatistics != null) {
-      this.gatewayCredentialsFilePath = 
Paths.get(config.getGatewayKeystoreDir()).resolve(AliasService.NO_CLUSTER_NAME 
+ DefaultKeystoreService.CREDENTIALS_SUFFIX);
+      this.gatewayCredentialsFilePath = 
Paths.get(config.getGatewayKeystoreDir()).resolve(AliasService.NO_CLUSTER_NAME 
+ DefaultKeystoreService.CREDENTIALS_SUFFIX + 
config.getCredentialStoreType().toLowerCase(Locale.ROOT));
       
tokenStateServiceStatistics.setGatewayCredentialsFileSize(this.gatewayCredentialsFilePath.toFile().length());
     }
   }
diff --git 
a/gateway-server/src/test/java/org/apache/knox/gateway/services/security/impl/RemoteAliasServiceTest.java
 
b/gateway-server/src/test/java/org/apache/knox/gateway/services/security/impl/RemoteAliasServiceTest.java
index ab453a7..1c1596f 100644
--- 
a/gateway-server/src/test/java/org/apache/knox/gateway/services/security/impl/RemoteAliasServiceTest.java
+++ 
b/gateway-server/src/test/java/org/apache/knox/gateway/services/security/impl/RemoteAliasServiceTest.java
@@ -50,7 +50,8 @@ public class RemoteAliasServiceTest {
         .andReturn(false).anyTimes();
     String keystoreDir = testFolder.newFolder().getAbsolutePath();
     
EasyMock.expect(gc.getGatewayKeystoreDir()).andReturn(keystoreDir).anyTimes();
-
+    
EasyMock.expect(gc.getCredentialStoreType()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_TYPE).anyTimes();
+    
EasyMock.expect(gc.getCredentialStoreAlgorithm()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_ALG).anyTimes();
     EasyMock.replay(gc);
 
     final String expectedClusterName = "sandbox";
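Review bot: The stubs added before `EasyMock.replay(gc)` return only `DEFAULT_CREDENTIAL_STORE_TYPE` and `DEFAULT_CREDENTIAL_STORE_ALG`. The other test hunks in this commit (the remaining RemoteAliasServiceTest hunks, DefaultTokenAuthorityServiceTest and the three websocket tests) do the same, so nothing exercises a non-default store type or the new different-type warning path. A test that initialises `DefaultKeystoreService` with another type (for example `PKCS12`), checks the created file name and round-trips one alias would cover the feature this commit adds. The test method starts outside this hunk.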
@@ -144,6 +145,8 @@ public class RemoteAliasServiceTest {
         .andReturn(true).anyTimes();
     String keystoreDir = testFolder.newFolder().getAbsolutePath();
     
EasyMock.expect(gc.getGatewayKeystoreDir()).andReturn(keystoreDir).anyTimes();
+    
EasyMock.expect(gc.getCredentialStoreType()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_TYPE).anyTimes();
+    
EasyMock.expect(gc.getCredentialStoreAlgorithm()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_ALG).anyTimes();
 
     EasyMock.replay(gc);
 
@@ -239,6 +242,8 @@ public class RemoteAliasServiceTest {
     GatewayConfig gc = EasyMock.createNiceMock(GatewayConfig.class);
     
EasyMock.expect(gc.isRemoteAliasServiceEnabled()).andReturn(true).anyTimes();
     
EasyMock.expect(gc.getRemoteAliasServiceConfiguration()).andReturn(remoteAliasConfigs).anyTimes();
+    
EasyMock.expect(gc.getCredentialStoreType()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_TYPE).anyTimes();
+    
EasyMock.expect(gc.getCredentialStoreAlgorithm()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_ALG).anyTimes();
     EasyMock.replay(gc);
 
     final String expectedClusterName = "sandbox";
diff --git 
a/gateway-server/src/test/java/org/apache/knox/gateway/services/token/impl/DefaultTokenAuthorityServiceTest.java
 
b/gateway-server/src/test/java/org/apache/knox/gateway/services/token/impl/DefaultTokenAuthorityServiceTest.java
index 83a663e..485f752 100644
--- 
a/gateway-server/src/test/java/org/apache/knox/gateway/services/token/impl/DefaultTokenAuthorityServiceTest.java
+++ 
b/gateway-server/src/test/java/org/apache/knox/gateway/services/token/impl/DefaultTokenAuthorityServiceTest.java
@@ -61,6 +61,8 @@ public class DefaultTokenAuthorityServiceTest {
     
EasyMock.expect(config.getSigningKeyPassphraseAlias()).andReturn(GatewayConfig.DEFAULT_SIGNING_KEY_PASSPHRASE_ALIAS).anyTimes();
     
EasyMock.expect(config.getSigningKeystoreType()).andReturn("jks").anyTimes();
     
EasyMock.expect(config.getSigningKeyAlias()).andReturn("server").anyTimes();
+    
EasyMock.expect(config.getCredentialStoreType()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_TYPE).anyTimes();
+    
EasyMock.expect(config.getCredentialStoreAlgorithm()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_ALG).anyTimes();
 
     MasterService ms = EasyMock.createNiceMock(MasterService.class);
     EasyMock.expect(ms.getMasterSecret()).andReturn("horton".toCharArray());
@@ -108,6 +110,8 @@ public class DefaultTokenAuthorityServiceTest {
     
EasyMock.expect(config.getSigningKeyPassphraseAlias()).andReturn(GatewayConfig.DEFAULT_SIGNING_KEY_PASSPHRASE_ALIAS).anyTimes();
     
EasyMock.expect(config.getSigningKeystoreType()).andReturn("jks").anyTimes();
     
EasyMock.expect(config.getSigningKeyAlias()).andReturn("server").anyTimes();
+    
EasyMock.expect(config.getCredentialStoreType()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_TYPE).anyTimes();
+    
EasyMock.expect(config.getCredentialStoreAlgorithm()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_ALG).anyTimes();
 
     MasterService ms = EasyMock.createNiceMock(MasterService.class);
     EasyMock.expect(ms.getMasterSecret()).andReturn("horton".toCharArray());
@@ -156,6 +160,8 @@ public class DefaultTokenAuthorityServiceTest {
     
EasyMock.expect(config.getSigningKeyPassphraseAlias()).andReturn(GatewayConfig.DEFAULT_SIGNING_KEY_PASSPHRASE_ALIAS).anyTimes();
     
EasyMock.expect(config.getSigningKeystoreType()).andReturn("jks").anyTimes();
     
EasyMock.expect(config.getSigningKeyAlias()).andReturn("server").anyTimes();
+    
EasyMock.expect(config.getCredentialStoreType()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_TYPE).anyTimes();
+    
EasyMock.expect(config.getCredentialStoreAlgorithm()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_ALG).anyTimes();
 
     MasterService ms = EasyMock.createNiceMock(MasterService.class);
     EasyMock.expect(ms.getMasterSecret()).andReturn("horton".toCharArray());
@@ -203,6 +209,8 @@ public class DefaultTokenAuthorityServiceTest {
     
EasyMock.expect(config.getSigningKeyPassphraseAlias()).andReturn(GatewayConfig.DEFAULT_SIGNING_KEY_PASSPHRASE_ALIAS).anyTimes();
     
EasyMock.expect(config.getSigningKeystoreType()).andReturn("jks").anyTimes();
     
EasyMock.expect(config.getSigningKeyAlias()).andReturn("server").anyTimes();
+    
EasyMock.expect(config.getCredentialStoreType()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_TYPE).anyTimes();
+    
EasyMock.expect(config.getCredentialStoreAlgorithm()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_ALG).anyTimes();
 
     MasterService ms = EasyMock.createNiceMock(MasterService.class);
     EasyMock.expect(ms.getMasterSecret()).andReturn("horton".toCharArray());
@@ -251,6 +259,8 @@ public class DefaultTokenAuthorityServiceTest {
     
EasyMock.expect(config.getSigningKeyPassphraseAlias()).andReturn(GatewayConfig.DEFAULT_SIGNING_KEY_PASSPHRASE_ALIAS).anyTimes();
     
EasyMock.expect(config.getSigningKeystoreType()).andReturn("jks").anyTimes();
     
EasyMock.expect(config.getSigningKeyAlias()).andReturn("server").anyTimes();
+    
EasyMock.expect(config.getCredentialStoreType()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_TYPE).anyTimes();
+    
EasyMock.expect(config.getCredentialStoreAlgorithm()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_ALG).anyTimes();
 
     MasterService ms = EasyMock.createNiceMock(MasterService.class);
     EasyMock.expect(ms.getMasterSecret()).andReturn("horton".toCharArray());
@@ -304,6 +314,8 @@ public class DefaultTokenAuthorityServiceTest {
     
EasyMock.expect(config.getSigningKeyPassphraseAlias()).andReturn(GatewayConfig.DEFAULT_SIGNING_KEY_PASSPHRASE_ALIAS).anyTimes();
     
EasyMock.expect(config.getSigningKeystoreType()).andReturn("jks").anyTimes();
     
EasyMock.expect(config.getSigningKeyAlias()).andReturn("server").anyTimes();
+    
EasyMock.expect(config.getCredentialStoreType()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_TYPE).anyTimes();
+    
EasyMock.expect(config.getCredentialStoreAlgorithm()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_ALG).anyTimes();
 
     MasterService ms = EasyMock.createNiceMock(MasterService.class);
 
@@ -355,6 +367,8 @@ public class DefaultTokenAuthorityServiceTest {
     
EasyMock.expect(config.getSigningKeyAlias()).andReturn("server").anyTimes();
     
EasyMock.expect(config.getKeystoreCacheEntryTimeToLiveInMinutes()).andReturn(0L).anyTimes();
     
EasyMock.expect(config.getKeystoreCacheSizeLimit()).andReturn(0L).anyTimes();
+    
EasyMock.expect(config.getCredentialStoreType()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_TYPE).anyTimes();
+    
EasyMock.expect(config.getCredentialStoreAlgorithm()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_ALG).anyTimes();
 
     MasterService ms = EasyMock.createMock(MasterService.class);
     
EasyMock.expect(ms.getMasterSecret()).andReturn("horton".toCharArray()).atLeastOnce();
@@ -396,6 +410,8 @@ public class DefaultTokenAuthorityServiceTest {
     
EasyMock.expect(config.getSigningKeystorePasswordAlias()).andReturn(GatewayConfig.DEFAULT_SIGNING_KEYSTORE_PASSWORD_ALIAS).anyTimes();
     
EasyMock.expect(config.getKeystoreCacheEntryTimeToLiveInMinutes()).andReturn(0L).anyTimes();
     
EasyMock.expect(config.getKeystoreCacheSizeLimit()).andReturn(0L).anyTimes();
+    
EasyMock.expect(config.getCredentialStoreType()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_TYPE).anyTimes();
+    
EasyMock.expect(config.getCredentialStoreAlgorithm()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_ALG).anyTimes();
 
     MasterService ms = EasyMock.createMock(MasterService.class);
     
EasyMock.expect(ms.getMasterSecret()).andReturn("horton".toCharArray()).atLeastOnce();
@@ -442,6 +458,8 @@ public class DefaultTokenAuthorityServiceTest {
     
EasyMock.expect(config.getSigningKeyAlias()).andReturn("server").anyTimes();
     
EasyMock.expect(config.getKeystoreCacheEntryTimeToLiveInMinutes()).andReturn(0L).anyTimes();
     
EasyMock.expect(config.getKeystoreCacheSizeLimit()).andReturn(0L).anyTimes();
+    
EasyMock.expect(config.getCredentialStoreType()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_TYPE).anyTimes();
+    
EasyMock.expect(config.getCredentialStoreAlgorithm()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_ALG).anyTimes();
 
     MasterService ms = EasyMock.createMock(MasterService.class);
     
EasyMock.expect(ms.getMasterSecret()).andReturn("invalid_password".toCharArray()).atLeastOnce();
@@ -488,6 +506,8 @@ public class DefaultTokenAuthorityServiceTest {
     
EasyMock.expect(config.getSigningKeyAlias()).andReturn("invalid_key").anyTimes();
     
EasyMock.expect(config.getKeystoreCacheEntryTimeToLiveInMinutes()).andReturn(0L).anyTimes();
     
EasyMock.expect(config.getKeystoreCacheSizeLimit()).andReturn(0L).anyTimes();
+    
EasyMock.expect(config.getCredentialStoreType()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_TYPE).anyTimes();
+    
EasyMock.expect(config.getCredentialStoreAlgorithm()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_ALG).anyTimes();
 
     MasterService ms = EasyMock.createMock(MasterService.class);
     
EasyMock.expect(ms.getMasterSecret()).andReturn("horton".toCharArray()).atLeastOnce();
@@ -534,6 +554,8 @@ public class DefaultTokenAuthorityServiceTest {
     
EasyMock.expect(config.getSigningKeyAlias()).andReturn("server").anyTimes();
     
EasyMock.expect(config.getKeystoreCacheEntryTimeToLiveInMinutes()).andReturn(0L).anyTimes();
     
EasyMock.expect(config.getKeystoreCacheSizeLimit()).andReturn(0L).anyTimes();
+    
EasyMock.expect(config.getCredentialStoreType()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_TYPE).anyTimes();
+    
EasyMock.expect(config.getCredentialStoreAlgorithm()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_ALG).anyTimes();
 
     MasterService ms = EasyMock.createMock(MasterService.class);
     
EasyMock.expect(ms.getMasterSecret()).andReturn("horton".toCharArray()).atLeastOnce();
diff --git 
a/gateway-server/src/test/java/org/apache/knox/gateway/websockets/BadUrlTest.java
 
b/gateway-server/src/test/java/org/apache/knox/gateway/websockets/BadUrlTest.java
index 2fca3c5..b6bc60e 100644
--- 
a/gateway-server/src/test/java/org/apache/knox/gateway/websockets/BadUrlTest.java
+++ 
b/gateway-server/src/test/java/org/apache/knox/gateway/websockets/BadUrlTest.java
@@ -312,6 +312,9 @@ public class BadUrlTest {
 
     EasyMock.expect(gatewayConfig.getServiceParameter(EasyMock.anyString(), 
EasyMock.anyString())).andReturn("").anyTimes();
 
+    
EasyMock.expect(gatewayConfig.getCredentialStoreType()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_TYPE).anyTimes();
+    
EasyMock.expect(gatewayConfig.getCredentialStoreAlgorithm()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_ALG).anyTimes();
+
     EasyMock.replay(gatewayConfig);
 
     try {
diff --git 
a/gateway-server/src/test/java/org/apache/knox/gateway/websockets/WebsocketEchoTestBase.java
 
b/gateway-server/src/test/java/org/apache/knox/gateway/websockets/WebsocketEchoTestBase.java
index bf11748..08decd4 100644
--- 
a/gateway-server/src/test/java/org/apache/knox/gateway/websockets/WebsocketEchoTestBase.java
+++ 
b/gateway-server/src/test/java/org/apache/knox/gateway/websockets/WebsocketEchoTestBase.java
@@ -338,6 +338,9 @@ public class WebsocketEchoTestBase {
 
     EasyMock.expect(gatewayConfig.getServiceParameter(EasyMock.anyString(), 
EasyMock.anyString())).andReturn("").anyTimes();
 
+    
EasyMock.expect(gatewayConfig.getCredentialStoreType()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_TYPE).anyTimes();
+    
EasyMock.expect(gatewayConfig.getCredentialStoreAlgorithm()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_ALG).anyTimes();
+
     EasyMock.replay(gatewayConfig);
 
     try {
diff --git 
a/gateway-server/src/test/java/org/apache/knox/gateway/websockets/WebsocketMultipleConnectionTest.java
 
b/gateway-server/src/test/java/org/apache/knox/gateway/websockets/WebsocketMultipleConnectionTest.java
index d7db608..e40ec17 100644
--- 
a/gateway-server/src/test/java/org/apache/knox/gateway/websockets/WebsocketMultipleConnectionTest.java
+++ 
b/gateway-server/src/test/java/org/apache/knox/gateway/websockets/WebsocketMultipleConnectionTest.java
@@ -375,6 +375,9 @@ public class WebsocketMultipleConnectionTest {
 
     EasyMock.expect(gatewayConfig.getServiceParameter(EasyMock.anyString(), 
EasyMock.anyString())).andReturn("").anyTimes();
 
+    
EasyMock.expect(gatewayConfig.getCredentialStoreType()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_TYPE).anyTimes();
+    
EasyMock.expect(gatewayConfig.getCredentialStoreAlgorithm()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_ALG).anyTimes();
+
     EasyMock.replay(gatewayConfig);
 
     try {
diff --git 
a/gateway-spi/src/main/java/org/apache/knox/gateway/config/GatewayConfig.java 
b/gateway-spi/src/main/java/org/apache/knox/gateway/config/GatewayConfig.java
index 41b2071..45e95de 100644
--- 
a/gateway-spi/src/main/java/org/apache/knox/gateway/config/GatewayConfig.java
+++ 
b/gateway-spi/src/main/java/org/apache/knox/gateway/config/GatewayConfig.java
@@ -89,6 +89,11 @@ public interface GatewayConfig {
   String DEFAULT_HTTP_CLIENT_TRUSTSTORE_TYPE = KeyStore.getDefaultType();
   String DEFAULT_HTTP_CLIENT_TRUSTSTORE_PASSWORD_ALIAS = 
"gateway-httpclient-truststore-password";
 
+  String CREDENTIAL_STORE_ALG = "gateway.credential.store.alg";
+  String DEFAULT_CREDENTIAL_STORE_ALG = "AES";
+  String CREDENTIAL_STORE_TYPE = "gateway.credential.store.type";
+  String DEFAULT_CREDENTIAL_STORE_TYPE = "JCEKS";
+
   String REMOTE_CONFIG_REGISTRY_TYPE = "type";
   String REMOTE_CONFIG_REGISTRY_ADDRESS = "address";
   String REMOTE_CONFIG_REGISTRY_NAMESPACE = "namespace";
@@ -234,6 +239,17 @@ public interface GatewayConfig {
    */
   String getHttpClientTruststorePasswordAlias();
 
+  /**
+   * @return the algorithm that is used when creating a SecretKey when adding 
an
+   *         alias into a credential store
+   */
+  String getCredentialStoreAlgorithm();
+
+  /**
+   * @return the type of the credential store used by AliasService
+   */
+  String getCredentialStoreType();
+
   int getThreadPoolMax();
 
   int getHttpServerRequestBuffer();
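Review bot: The Javadoc added for `getCredentialStoreType()` does not say that the value also determines the credential store file extension, or what happens to a store created under a previous type. I would extend it to something like `@return the keystore type of the credential stores used by AliasService; also used, lower-cased, as the file extension`, and add a sentence that, as far as this commit shows, changing the value does not migrate an existing store. Both comments could also name their defaults (`AES` and `JCEKS`) so that readers do not need to look up the constants.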
diff --git 
a/gateway-test-release-utils/src/main/java/org/apache/knox/gateway/GatewayTestConfig.java
 
b/gateway-test-release-utils/src/main/java/org/apache/knox/gateway/GatewayTestConfig.java
index 2b50450..ca23af9 100644
--- 
a/gateway-test-release-utils/src/main/java/org/apache/knox/gateway/GatewayTestConfig.java
+++ 
b/gateway-test-release-utils/src/main/java/org/apache/knox/gateway/GatewayTestConfig.java
@@ -412,6 +412,16 @@ public class GatewayTestConfig extends Configuration 
implements GatewayConfig {
   }
 
   @Override
+  public String getCredentialStoreAlgorithm() {
+    return DEFAULT_CREDENTIAL_STORE_ALG;
+  }
+
+  @Override
+  public String getCredentialStoreType() {
+    return DEFAULT_CREDENTIAL_STORE_TYPE;
+  }
+
+  @Override
   public int getThreadPoolMax() {
     return 254;
   }
