
smolnar pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/knox.git


The following commit(s) were added to refs/heads/master by this push:
     new c06874cc8 KNOX-2881 - KnoxCLI handles aliases when testing LDAP 
(system) authentication (#732)
c06874cc8 is described below

commit c06874cc819cddd422cc30f227cf0282c402c970
Author: Sandor Molnar <[email protected]>
AuthorDate: Tue Feb 14 15:16:40 2023 +0100

    KNOX-2881 - KnoxCLI handles aliases when testing LDAP (system) 
authentication (#732)
---
 .../java/org/apache/knox/gateway/util/KnoxCLI.java | 11 ++++++++--
 .../org/apache/knox/gateway/util/KnoxCLITest.java  | 25 +++++++++++++++++++++-
 .../conf-demo/conf/topologies/sandbox.xml          |  8 +++++++
 3 files changed, 41 insertions(+), 3 deletions(-)

diff --git 
a/gateway-server/src/main/java/org/apache/knox/gateway/util/KnoxCLI.java 
b/gateway-server/src/main/java/org/apache/knox/gateway/util/KnoxCLI.java
index 71c4062a2..f343e2ecf 100644
--- a/gateway-server/src/main/java/org/apache/knox/gateway/util/KnoxCLI.java
+++ b/gateway-server/src/main/java/org/apache/knox/gateway/util/KnoxCLI.java
@@ -74,6 +74,7 @@ import org.apache.knox.gateway.services.ServiceType;
 import 
org.apache.knox.gateway.services.config.client.RemoteConfigurationRegistryClient;
 import 
org.apache.knox.gateway.services.config.client.RemoteConfigurationRegistryClientService;
 import org.apache.knox.gateway.services.security.AliasService;
+import org.apache.knox.gateway.services.security.AliasServiceException;
 import org.apache.knox.gateway.services.security.KeystoreService;
 import org.apache.knox.gateway.services.security.KeystoreServiceException;
 import org.apache.knox.gateway.services.security.MasterService;
@@ -103,6 +104,7 @@ public class KnoxCLI extends Configured implements Tool {
 
   private static final Collection<String> SUPPORTED_JWK_ALGORITHMS = Stream
       .of(JWSAlgorithm.HS256.getName(), JWSAlgorithm.HS384.getName(), 
JWSAlgorithm.HS512.getName()).collect(Collectors.toSet());
+  private static final String ALIAS_PREFIX = "${ALIAS=";
   private static final String USAGE_PREFIX = "KnoxCLI {cmd} [options]";
   private static final String COMMANDS =
       "   [--help]\n" +
@@ -1525,7 +1527,7 @@ public class KnoxCLI extends Configured implements Tool {
         username = getSystemUsername(t);
         password = getSystemPassword(t);
         result = authenticateUser(ini, new UsernamePasswordToken(username, 
password));
-      } catch (MissingUsernameException | NoSuchProviderException | 
MissingPasswordException | NullPointerException e) {
+      } catch (MissingUsernameException | NoSuchProviderException | 
MissingPasswordException | NullPointerException | AliasServiceException e) {
         out.println(e.toString());
       }
       return result;
@@ -1554,13 +1556,18 @@ public class KnoxCLI extends Configured implements Tool 
{
      * @param t - topology configuration to use
      * @return - the systemPassword specified in topology. null if non-existent
      */
-    private char[] getSystemPassword(Topology t) throws 
NoSuchProviderException, MissingPasswordException{
+    private char[] getSystemPassword(Topology t) throws 
NoSuchProviderException, MissingPasswordException, AliasServiceException {
       final String SYSTEM_PASSWORD = 
"main.ldapRealm.contextFactory.systemPassword";
       String pass;
       Provider shiro = t.getProvider("authentication", "ShiroProvider");
       if(shiro != null){
         Map<String, String> params = shiro.getParams();
         pass = params.get(SYSTEM_PASSWORD);
+        if (pass.startsWith(ALIAS_PREFIX) && pass.endsWith("}")) {
+          final String alias = pass.substring("${ALIAS=".length(), 
pass.length() - 1);
+          out.println(String.format(Locale.getDefault(), "System password is 
stored as an alias %s; looking it up...", alias));
+          pass = 
String.valueOf(getAliasService().getPasswordFromAliasForCluster(cluster, 
alias));
+        }
       } else {
         throw new NoSuchProviderException("ShiroProvider", "authentication", 
t.getName());
       }
diff --git 
a/gateway-server/src/test/java/org/apache/knox/gateway/util/KnoxCLITest.java 
b/gateway-server/src/test/java/org/apache/knox/gateway/util/KnoxCLITest.java
index d16a8e686..ca58161a1 100644
--- a/gateway-server/src/test/java/org/apache/knox/gateway/util/KnoxCLITest.java
+++ b/gateway-server/src/test/java/org/apache/knox/gateway/util/KnoxCLITest.java
@@ -941,7 +941,30 @@ public class KnoxCLITest {
             "1 alias(es) have been successfully created: [alias1]"));
   }
 
-  private class GatewayConfigMock extends GatewayConfigImpl{
+  @Test
+  public void testSystemUserAuthTest() throws Exception {
+    final String cluster = "sandbox";
+    final String alias = "ldapsystempassword";
+    final AliasService aliasService = 
KnoxCLI.getGatewayServices().getService(ServiceType.ALIAS_SERVICE);
+    try {
+      aliasService.addAliasForCluster(cluster, alias, "admin-password");
+      outContent.reset();
+      final GatewayConfigMock gatewayConfig = new GatewayConfigMock();
+      final URL topoURL = 
ClassLoader.getSystemResource("conf-demo/conf/topologies/" + cluster + ".xml");
+      gatewayConfig.setConfDir( new 
File(topoURL.getFile()).getParentFile().getParent() );
+      final KnoxCLI cli = new KnoxCLI();
+      cli.setConf(gatewayConfig);
+      final String[] args = { "system-user-auth-test", "--cluster", cluster };
+      final int rc = cli.run(args);
+      assertEquals(0, rc);
+      assertTrue(outContent.toString(StandardCharsets.UTF_8.name()), 
outContent.toString(StandardCharsets.UTF_8.name()).contains(
+          "System password is stored as an alias " + alias + "; looking it 
up..."));
+    } finally {
+      aliasService.removeAliasForCluster(cluster, alias);
+    }
+  }
+
+  private class GatewayConfigMock extends GatewayConfigImpl {
     private String confDir;
     public void setConfDir(String location) {
       confDir = location;
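Review bot: `new File(topoURL.getFile())` uses the still-encoded URL path, so the test fails when the checkout directory contains a character the URL encodes (a space becomes `%20`); `new File(topoURL.toURI())` decodes it correctly. The assertions pin the return code and the "looking it up..." line but not that the resolved alias value was actually accepted by the LDAP authentication step; if `run` prints a distinct success line for `system-user-auth-test`, asserting on it as well would catch a regression where the lookup happens but authentication fails — I cannot tell from the hunk whether rc reflects the authentication result. Removing the alias in `finally` is the right shape given the alias service is shared with the other tests in this class.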
diff --git 
a/gateway-server/src/test/resources/conf-demo/conf/topologies/sandbox.xml 
b/gateway-server/src/test/resources/conf-demo/conf/topologies/sandbox.xml
index c7ae79a0e..a692a996f 100644
--- a/gateway-server/src/test/resources/conf-demo/conf/topologies/sandbox.xml
+++ b/gateway-server/src/test/resources/conf-demo/conf/topologies/sandbox.xml
@@ -56,6 +56,14 @@
                 
<name>main.ldapRealm.contextFactory.authenticationMechanism</name>
                 <value>simple</value>
             </param>
+            <param>
+               <name>main.ldapRealm.contextFactory.systemUsername</name>
+               <value>uid=admin,ou=people,dc=hadoop,dc=apache,dc=org</value>
+            </param>
+            <param>
+               <name>main.ldapRealm.contextFactory.systemPassword</name>
+               <value>${ALIAS=ldapsystempassword}</value>
+            </param>
             <param>
                 <name>urls./**</name>
                 <value>authcBasic</value>
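Review bot: The `<name>`/`<value>` children of the two added `<param>` blocks are indented 15 spaces while the neighbouring params (e.g. `<value>simple</value>`) use 16; aligning them keeps the demo topology consistent. Everything else in the hunk is data the test in this commit depends on, so no further change is needed here.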
