This is an automated email from the ASF dual-hosted git repository.
smolnar pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/knox.git
The following commit(s) were added to refs/heads/master by this push:
new 8a95b1f KNOX-2598 - Added SSL connection support for PostgreSQL
database type in JDBC token state management (#442)
8a95b1f is described below
commit 8a95b1fe4ebd8605480db300dc051eb404db2bb9
Author: Sandor Molnar <[email protected]>
AuthorDate: Sun May 2 20:41:49 2021 +0200
KNOX-2598 - Added SSL connection support for PostgreSQL database type in
JDBC token state management (#442)
---
.../gateway/config/impl/GatewayConfigImpl.java | 19 +++++++
.../org/apache/knox/gateway/util/JDBCUtils.java | 17 +++++++
.../apache/knox/gateway/util/JDBCUtilsTest.java | 58 +++++++++++++++++++---
.../apache/knox/gateway/config/GatewayConfig.java | 6 +++
.../org/apache/knox/gateway/GatewayTestConfig.java | 18 +++++++
5 files changed, 112 insertions(+), 6 deletions(-)
diff --git
a/gateway-server/src/main/java/org/apache/knox/gateway/config/impl/GatewayConfigImpl.java
b/gateway-server/src/main/java/org/apache/knox/gateway/config/impl/GatewayConfigImpl.java
index 6ae40fe..16fdc2c 100644
---
a/gateway-server/src/main/java/org/apache/knox/gateway/config/impl/GatewayConfigImpl.java
+++
b/gateway-server/src/main/java/org/apache/knox/gateway/config/impl/GatewayConfigImpl.java
@@ -277,6 +277,9 @@ public class GatewayConfigImpl extends Configuration
implements GatewayConfig {
private static final String GATEWAY_DATABASE_HOST =
GATEWAY_CONFIG_FILE_PREFIX + ".database.host";
private static final String GATEWAY_DATABASE_PORT =
GATEWAY_CONFIG_FILE_PREFIX + ".database.port";
private static final String GATEWAY_DATABASE_NAME =
GATEWAY_CONFIG_FILE_PREFIX + ".database.name";
+ private static final String GATEWAY_DATABASE_SSL_ENABLED =
GATEWAY_CONFIG_FILE_PREFIX + ".database.ssl.enabled";
+ private static final String GATEWAY_DATABASE_VERIFY_SERVER_CERT =
GATEWAY_CONFIG_FILE_PREFIX + ".database.ssl.verify.server.cert";
+ private static final String GATEWAY_DATABASE_TRUSTSTORE_FILE =
GATEWAY_CONFIG_FILE_PREFIX + ".database.ssl.truststore.file";
public GatewayConfigImpl() {
init();
@@ -1258,4 +1261,20 @@ public class GatewayConfigImpl extends Configuration
implements GatewayConfig {
public String getDatabaseName() {
return get(GATEWAY_DATABASE_NAME, "GATEWAY_DATABASE");
}
+
+ @Override
+ public boolean isDatabaseSslEnabled() {
+ return getBoolean(GATEWAY_DATABASE_SSL_ENABLED, false);
+ }
+
+ @Override
+ public boolean verifyDatabaseSslServerCertificate() {
+ return getBoolean(GATEWAY_DATABASE_VERIFY_SERVER_CERT, true);
+ }
+
+ @Override
+ public String getDatabaseSslTruststoreFileName() {
+ return get(GATEWAY_DATABASE_TRUSTSTORE_FILE);
+ }
+
}
diff --git
a/gateway-server/src/main/java/org/apache/knox/gateway/util/JDBCUtils.java
b/gateway-server/src/main/java/org/apache/knox/gateway/util/JDBCUtils.java
index 338619e..644e4de 100644
--- a/gateway-server/src/main/java/org/apache/knox/gateway/util/JDBCUtils.java
+++ b/gateway-server/src/main/java/org/apache/knox/gateway/util/JDBCUtils.java
@@ -24,12 +24,15 @@ import org.apache.knox.gateway.config.GatewayConfig;
import org.apache.knox.gateway.services.security.AliasService;
import org.apache.knox.gateway.services.security.AliasServiceException;
import org.postgresql.ds.PGSimpleDataSource;
+import org.postgresql.jdbc.SslMode;
+import org.postgresql.ssl.NonValidatingFactory;
public class JDBCUtils {
public static final String POSTGRESQL_DB_TYPE = "postgresql";
public static final String DERBY_DB_TYPE = "derbydb";
public static final String DATABASE_USER_ALIAS_NAME =
"gateway_database_user";
public static final String DATABASE_PASSWORD_ALIAS_NAME =
"gateway_database_password";
+ public static final String DATABASE_TRUSTSTORE_PASSWORD_ALIAS_NAME =
"gateway_database_ssl_truststore_password";
public static DataSource getDataSource(GatewayConfig gatewayConfig,
AliasService aliasService) throws AliasServiceException {
if (POSTGRESQL_DB_TYPE.equalsIgnoreCase(gatewayConfig.getDatabaseType())) {
@@ -47,9 +50,23 @@ public class JDBCUtils {
postgresDataSource.setPortNumbers(new int[] {
gatewayConfig.getDatabasePort() });
postgresDataSource.setUser(getDatabaseUser(aliasService));
postgresDataSource.setPassword(getDatabasePassword(aliasService));
+ configurePostgreSQLSsl(gatewayConfig, aliasService, postgresDataSource);
return postgresDataSource;
}
+ private static void configurePostgreSQLSsl(GatewayConfig gatewayConfig,
AliasService aliasService, PGSimpleDataSource postgresDataSource) throws
AliasServiceException {
+ if (gatewayConfig.isDatabaseSslEnabled()) {
+ postgresDataSource.setSsl(true);
+ postgresDataSource.setSslMode(SslMode.VERIFY_FULL.value);
+ if (gatewayConfig.verifyDatabaseSslServerCertificate()) {
+
postgresDataSource.setSslRootCert(gatewayConfig.getDatabaseSslTruststoreFileName());
+ postgresDataSource.setSslPassword(getDatabaseAlias(aliasService,
DATABASE_TRUSTSTORE_PASSWORD_ALIAS_NAME));
+ } else {
+
postgresDataSource.setSslfactory(NonValidatingFactory.class.getCanonicalName());
+ }
+ }
+ }
+
private static DataSource createDerbyDatasource(GatewayConfig gatewayConfig,
AliasService aliasService) throws AliasServiceException {
final ClientDataSource derbyDatasource = new ClientDataSource();
derbyDatasource.setDatabaseName(gatewayConfig.getDatabaseName());
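Review bot: `configurePostgreSQLSsl` sets the mode to `SslMode.VERIFY_FULL.value` before the branch, so the non-verifying path ends up with verify-full plus `NonValidatingFactory`; the custom factory skips chain validation while, as far as I recall, the driver still runs verify-full's hostname check against that unvalidated certificate, which is confusing to operate and to audit. Setting the mode inside each branch — `postgresDataSource.setSslMode(SslMode.REQUIRE.value);` next to `setSslfactory`, and `VERIFY_FULL` only alongside `setSslRootCert` — states the intended guarantee directly. In the verifying branch, pgjdbc's `sslpassword` is the password for the client key (`sslkey`), not for `sslrootcert`, which the driver reads as an unencrypted PEM CA file; confirm against the driver version in use, because if so the `DATABASE_TRUSTSTORE_PASSWORD_ALIAS_NAME` alias is fetched but never consumed and the "truststore" naming promises a JKS/PKCS12 store this setting does not accept. A null `getDatabaseSslTruststoreFileName()` with verification enabled is passed straight to `setSslRootCert` and falls back to the driver's default root-certificate location; an explicit `if (rootCert == null) throw new IllegalStateException("database SSL verification enabled but no root certificate file configured");` would surface the misconfiguration at startup instead.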
diff --git
a/gateway-server/src/test/java/org/apache/knox/gateway/util/JDBCUtilsTest.java
b/gateway-server/src/test/java/org/apache/knox/gateway/util/JDBCUtilsTest.java
index 5cf5221..a83a4ea 100644
---
a/gateway-server/src/test/java/org/apache/knox/gateway/util/JDBCUtilsTest.java
+++
b/gateway-server/src/test/java/org/apache/knox/gateway/util/JDBCUtilsTest.java
@@ -18,8 +18,11 @@
package org.apache.knox.gateway.util;
import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertTrue;
+
import org.apache.derby.jdbc.ClientDataSource;
import org.apache.knox.gateway.config.GatewayConfig;
import org.apache.knox.gateway.services.security.AliasService;
@@ -27,6 +30,7 @@ import
org.apache.knox.gateway.services.security.AliasServiceException;
import org.easymock.EasyMock;
import org.junit.Test;
import org.postgresql.ds.PGSimpleDataSource;
+import org.postgresql.ssl.NonValidatingFactory;
public class JDBCUtilsTest {
@@ -43,13 +47,8 @@ public class JDBCUtilsTest {
@Test
public void postgresDataSourceShouldHaveProperConnectionProperties() throws
AliasServiceException {
final GatewayConfig gatewayConfig =
EasyMock.createNiceMock(GatewayConfig.class);
-
EasyMock.expect(gatewayConfig.getDatabaseType()).andReturn(JDBCUtils.POSTGRESQL_DB_TYPE).anyTimes();
-
EasyMock.expect(gatewayConfig.getDatabaseHost()).andReturn("localhost").anyTimes();
-
EasyMock.expect(gatewayConfig.getDatabasePort()).andReturn(5432).anyTimes();
-
EasyMock.expect(gatewayConfig.getDatabaseName()).andReturn("sampleDatabase");
final AliasService aliasService =
EasyMock.createNiceMock(AliasService.class);
-
EasyMock.expect(aliasService.getPasswordFromAliasForGateway(JDBCUtils.DATABASE_USER_ALIAS_NAME)).andReturn("user".toCharArray()).anyTimes();
-
EasyMock.expect(aliasService.getPasswordFromAliasForGateway(JDBCUtils.DATABASE_PASSWORD_ALIAS_NAME)).andReturn("password".toCharArray()).anyTimes();
+ setBasicPostgresExpectations(gatewayConfig, aliasService);
EasyMock.replay(gatewayConfig, aliasService);
final PGSimpleDataSource dataSource = (PGSimpleDataSource)
JDBCUtils.getDataSource(gatewayConfig, aliasService);
assertEquals("localhost", dataSource.getServerNames()[0]);
@@ -57,6 +56,53 @@ public class JDBCUtilsTest {
assertEquals("sampleDatabase", dataSource.getDatabaseName());
assertEquals("user", dataSource.getUser());
assertEquals("password", dataSource.getPassword());
+ assertFalse(dataSource.isSsl());
+ }
+
+ private void setBasicPostgresExpectations(GatewayConfig gatewayConfig,
AliasService aliasService) throws AliasServiceException {
+
EasyMock.expect(gatewayConfig.getDatabaseType()).andReturn(JDBCUtils.POSTGRESQL_DB_TYPE).anyTimes();
+
EasyMock.expect(gatewayConfig.getDatabaseHost()).andReturn("localhost").anyTimes();
+
EasyMock.expect(gatewayConfig.getDatabasePort()).andReturn(5432).anyTimes();
+
EasyMock.expect(gatewayConfig.getDatabaseName()).andReturn("sampleDatabase");
+
EasyMock.expect(aliasService.getPasswordFromAliasForGateway(JDBCUtils.DATABASE_USER_ALIAS_NAME)).andReturn("user".toCharArray()).anyTimes();
+
EasyMock.expect(aliasService.getPasswordFromAliasForGateway(JDBCUtils.DATABASE_PASSWORD_ALIAS_NAME)).andReturn("password".toCharArray()).anyTimes();
+ }
+
+ @Test
+ public void testPostgreSqlSslEnabledVerificationDisabled() throws Exception {
+ final GatewayConfig gatewayConfig =
EasyMock.createNiceMock(GatewayConfig.class);
+ final AliasService aliasService =
EasyMock.createNiceMock(AliasService.class);
+ setBasicPostgresExpectations(gatewayConfig, aliasService);
+
+ //SSL config expectations
+
EasyMock.expect(gatewayConfig.isDatabaseSslEnabled()).andReturn(true).anyTimes();
+
EasyMock.expect(gatewayConfig.verifyDatabaseSslServerCertificate()).andReturn(false).anyTimes();
+
+ EasyMock.replay(gatewayConfig, aliasService);
+ final PGSimpleDataSource dataSource = (PGSimpleDataSource)
JDBCUtils.getDataSource(gatewayConfig, aliasService);
+ assertTrue(dataSource.isSsl());
+ assertNull(dataSource.getSslRootCert());
+ assertEquals(dataSource.getSslfactory(),
NonValidatingFactory.class.getCanonicalName());
+ EasyMock.verify(gatewayConfig, aliasService);
+ }
+
+ @Test
+ public void testPostgreSqlSslEnabledVerificationEnabled() throws Exception {
+ final GatewayConfig gatewayConfig =
EasyMock.createNiceMock(GatewayConfig.class);
+ final AliasService aliasService =
EasyMock.createNiceMock(AliasService.class);
+ setBasicPostgresExpectations(gatewayConfig, aliasService);
+
+ //SSL config expectations
+
EasyMock.expect(gatewayConfig.isDatabaseSslEnabled()).andReturn(true).anyTimes();
+
EasyMock.expect(gatewayConfig.verifyDatabaseSslServerCertificate()).andReturn(true).anyTimes();
+
EasyMock.expect(gatewayConfig.getDatabaseSslTruststoreFileName()).andReturn("/sample/file/path").anyTimes();
+
EasyMock.expect(aliasService.getPasswordFromAliasForGateway(JDBCUtils.DATABASE_TRUSTSTORE_PASSWORD_ALIAS_NAME)).andReturn("password".toCharArray()).anyTimes();
+
+ EasyMock.replay(gatewayConfig, aliasService);
+ final PGSimpleDataSource dataSource = (PGSimpleDataSource)
JDBCUtils.getDataSource(gatewayConfig, aliasService);
+ assertTrue(dataSource.isSsl());
+ assertEquals(dataSource.getSslRootCert(), "/sample/file/path");
+ EasyMock.verify(gatewayConfig, aliasService);
}
@Test
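Review bot: The last `assertEquals` of each new test passes the actual value first (`assertEquals(dataSource.getSslfactory(), NonValidatingFactory.class.getCanonicalName())` and `assertEquals(dataSource.getSslRootCert(), "/sample/file/path")`); JUnit's signature is (expected, actual), so a failure message would read backwards — swap the arguments. `testPostgreSqlSslEnabledVerificationEnabled` also never checks `getSslMode()` or that no custom factory was attached, so a regression that wired `NonValidatingFactory` into the verifying branch would still pass; `assertNull(dataSource.getSslfactory());` and `assertEquals(SslMode.VERIFY_FULL.value, dataSource.getSslMode());` would pin it. Neither test asserts the value handed to `setSslPassword` (e.g. via `getSslPassword()`), which is the only place the new truststore-password alias is consumed, so the expectation on `DATABASE_TRUSTSTORE_PASSWORD_ALIAS_NAME` is set up but never verified.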
diff --git
a/gateway-spi/src/main/java/org/apache/knox/gateway/config/GatewayConfig.java
b/gateway-spi/src/main/java/org/apache/knox/gateway/config/GatewayConfig.java
index 4d87061..1e015cf 100644
---
a/gateway-spi/src/main/java/org/apache/knox/gateway/config/GatewayConfig.java
+++
b/gateway-spi/src/main/java/org/apache/knox/gateway/config/GatewayConfig.java
@@ -756,4 +756,10 @@ public interface GatewayConfig {
String getDatabaseName();
+ boolean isDatabaseSslEnabled();
+
+ boolean verifyDatabaseSslServerCertificate();
+
+ String getDatabaseSslTruststoreFileName();
+
}
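Review bot: The three new `GatewayConfig` methods carry no Javadoc, and this interface is what SPI implementers read; each should name the `GATEWAY_CONFIG_FILE_PREFIX` + `.database.ssl.*` property it reflects and its default, and `getDatabaseSslTruststoreFileName()` should say that the value is the path of a PEM CA certificate file handed to the PostgreSQL driver's `sslrootcert` setting and may be null when unset. `verifyDatabaseSslServerCertificate()` in particular deserves a sentence such as `Returns false only when server certificate validation is deliberately disabled; the gateway then accepts any certificate the database presents.`, since the production implementation defaults it to true while `GatewayTestConfig` returns false.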
diff --git
a/gateway-test-release-utils/src/main/java/org/apache/knox/gateway/GatewayTestConfig.java
b/gateway-test-release-utils/src/main/java/org/apache/knox/gateway/GatewayTestConfig.java
index 6291e70..c3e9773 100644
---
a/gateway-test-release-utils/src/main/java/org/apache/knox/gateway/GatewayTestConfig.java
+++
b/gateway-test-release-utils/src/main/java/org/apache/knox/gateway/GatewayTestConfig.java
@@ -874,4 +874,22 @@ public class GatewayTestConfig extends Configuration
implements GatewayConfig {
return null;
}
+
+ @Override
+ public boolean isDatabaseSslEnabled() {
+ return false;
+ }
+
+
+ @Override
+ public boolean verifyDatabaseSslServerCertificate() {
+ return false;
+ }
+
+
+ @Override
+ public String getDatabaseSslTruststoreFileName() {
+ return null;
+ }
+
}
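Review bot: `verifyDatabaseSslServerCertificate()` returns false here while `GatewayConfigImpl` defaults the same setting to true, so anything exercised through the test config runs with certificate validation off by default; unless a test relies on that, `return true;` keeps the stub aligned with production and avoids a non-validating path being the implicit test baseline. The doubled blank lines before the second and third `@Override` also differ from the single-blank spacing the rest of the hunk uses.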