[
https://issues.apache.org/jira/browse/KNOX-1812?focusedWorklogId=211073&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-211073
]
ASF GitHub Bot logged work on KNOX-1812:
----------------------------------------
Author: ASF GitHub Bot
Created on: 11/Mar/19 15:31
Start Date: 11/Mar/19 15:31
Worklog Time Spent: 10m
Work Description: rlevas commented on pull request #69: KNOX-1812 - The
Knox Gateway truststore should be configurable
URL: https://github.com/apache/knox/pull/69#discussion_r264289465
##########
File path:
gateway-server/src/test/java/org/apache/knox/gateway/services/security/impl/DefaultKeystoreServiceTest.java
##########
@@ -0,0 +1,178 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ *
+ */
+
+package org.apache.knox.gateway.services.security.impl;
+
+import static org.easymock.EasyMock.createMock;
+import static org.easymock.EasyMock.createMockBuilder;
+import static org.easymock.EasyMock.createNiceMock;
+import static org.easymock.EasyMock.eq;
+import static org.easymock.EasyMock.expect;
+import static org.easymock.EasyMock.replay;
+import static org.easymock.EasyMock.verify;
+import static org.junit.Assert.assertEquals;
+
+import org.apache.knox.gateway.config.GatewayConfig;
+import org.apache.knox.gateway.config.impl.GatewayConfigImpl;
+import org.apache.knox.gateway.services.security.AliasService;
+import org.apache.knox.gateway.services.security.KeystoreServiceException;
+import org.apache.knox.gateway.services.security.MasterService;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.TemporaryFolder;
+
+import java.io.File;
+import java.nio.file.Paths;
+import java.security.KeyStore;
+import java.util.Collections;
+
+public class DefaultKeystoreServiceTest {
+ @Rule
+ public final TemporaryFolder testFolder = new TemporaryFolder();
+
+ @Test
+ public void testGetTruststoreForHttpClientDefaults() throws Exception {
+ final File dataDir = testFolder.newFolder();
+
+ GatewayConfigImpl config = new GatewayConfigImpl();
+ config.set("gateway.data.dir", dataDir.getAbsolutePath());
+
+ KeyStore keystore = createNiceMock(KeyStore.class);
+
+ DefaultKeystoreService keystoreService =
createMockBuilder(DefaultKeystoreService.class)
+ .addMockedMethod("getKeystoreForGateway")
+ .createMock();
+ expect(keystoreService.getKeystoreForGateway()).andReturn(keystore).once();
+
+ replay(keystore, keystoreService);
+
+ keystoreService.init(config, Collections.emptyMap());
+
+ assertEquals(keystore, keystoreService.getTruststoreForHttpClient());
+
+ verify(keystore, keystoreService);
+ }
+
+ @Test
+ public void testGetTruststoreForHttpClientCustomTrustStore() throws
Exception {
+ final File dataDir = testFolder.newFolder();
+ final File truststoreFile = testFolder.newFile();
+ final String truststoreType = "jks";
+ final String truststorePasswordAlias = "password-alias";
+ final char[] truststorePassword = "truststore_password".toCharArray();
+
+ GatewayConfigImpl config = new GatewayConfigImpl();
+ config.set("gateway.data.dir", dataDir.getAbsolutePath());
+ config.set("gateway.httpclient.truststore.path",
truststoreFile.getAbsolutePath());
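Review bot: In testGetTruststoreForHttpClientDefaults the keystore is built with `createNiceMock(KeyStore.class)` and then passed to `verify(keystore, keystoreService)`, but no expectations are ever recorded on it, so that verify passes regardless of what the service does with the keystore. If the intent is to check that the default path hands back the identity keystore untouched, a strict `createMock(KeyStore.class)` (already imported) would make any unexpected call on the keystore fail the test. Also, `eq`, `AliasService`, `KeystoreServiceException`, `MasterService` and `Paths` are imported but not used in the visible part of the hunk; if the remainder of the 178-line file does not use them either, drop those imports.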
Review comment:
I didn't want to do that since I wanted to test that the constants (used
internally) were correct.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
Issue Time Tracking
-------------------
Worklog Id: (was: 211073)
Time Spent: 1h 10m (was: 1h)
> The Knox Gateway truststore should be configurable
> --------------------------------------------------
>
> Key: KNOX-1812
> URL: https://issues.apache.org/jira/browse/KNOX-1812
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server
> Reporter: Robert Levas
> Assignee: Robert Levas
> Priority: Major
> Labels: truststore
> Fix For: 1.3.0
>
> Time Spent: 1h 10m
> Remaining Estimate: 0h
>
> The Knox Gateway truststore should be configurable
> Knox relies on a trust store for various purposes
> * The *KnoxCLI* (via a KnoxSession) uses a truststore to trust the connection
> to the Knox Gateway server
> ** The truststore is determined by the Java system properties
> ({{javax.net.ssl.trustStore}}, {{javax.net.ssl.trustStorePassword}}) or the
> JVM's cacerts file
> * The *Knox Gateway* server uses a truststore to trust the connections going
> out to the services (if connecting via TLS/SSL)
> ** The truststore is set to be the same keystore as the Gateway's identity
> keystore.
> ** See
> {{org.apache.knox.gateway.dispatch.DefaultHttpClientFactory#createHttpClient}}.
> * The *Knox Gateway* server uses a truststore to trust the user/client
> connecting to it when clientauth is enabled
> ** The truststore is set to be the same keystore as the Gateway's identity
> keystore unless one is explicitly specified in the gateway-site.xml file
> ({{gateway.truststore.path}}, {{gateway.truststore.type}}). If a truststore
> is explicitly set, the password for the truststore is looked up, using alias
> name "{{gateway-truststore-password}}", from the alias service.
> ** See
> {{org.apache.knox.gateway.services.security.impl.JettySSLService#buildSslContextFactory}}.
> By making the outgoing connection truststore (#2, from above) configurable,
> it will be possible to use the same truststore for both incoming and outgoing
> connections, which will be convenient when services communicate with each
> other via the Knox Gateway.
> To make sure the truststore configuration is flexible and backwards
> compatible with older versions of Knox, new properties should be introduced
> in the gateway-site.xml file:
> * {{gateway.httpclient.truststore.path}}
> * {{gateway.httpclient.truststore.type}}
> * {{gateway.httpclient.truststore.password.alias}}
> Note: This naming convention goes along with the following properties used to
> configure the Gateway's HTTPClient instance:
> * {{gateway.httpclient.maxConnections}}
> * {{gateway.httpclient.connectionTimeout}}
> * {{gateway.httpclient.socketTimeout}}
> If {{gateway.httpclient.truststore.path}} is not set in the configuration,
> then Gateway's identity keystore will be used (which is the current
> implementation); else, the configured truststore details will be used.
>
> Also, to keep things consistent, the password alias name for the _clientauth_
> truststore should be configurable using the property name:
> * {{gateway.truststore.password.alias}} (default:
> "{{gateway-truststore-password}}")
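The resolution rule the issue describes for the outgoing-connection truststore (use the identity keystore when `gateway.httpclient.truststore.path` is unset, otherwise load the configured truststore with a password taken from the alias service) as an added, self-contained example. This is illustration code written for this page, not Knox's implementation: the class `HttpClientTruststoreResolver`, its `resolve` method, the `aliasService` function stand-in, and the alias name `httpclient-truststore-password` are all assumed names; only the three property keys come from the issue. Because the issue gives no default alias for the http-client truststore, the example requires the alias property whenever a path is set.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.HashMap;
import java.util.Map;
import java.util.function.Function;

public class HttpClientTruststoreResolver {
    // gateway-site.xml keys proposed in KNOX-1812.
    static final String PATH_PROP  = "gateway.httpclient.truststore.path";
    static final String TYPE_PROP  = "gateway.httpclient.truststore.type";
    static final String ALIAS_PROP = "gateway.httpclient.truststore.password.alias";

    /**
     * Pick the truststore for outgoing TLS connections. No path configured means
     * the pre-KNOX-1812 behaviour: trust whatever is in the identity keystore.
     * Otherwise the configured file is loaded with the password the alias
     * service holds under the configured alias. (Hypothetical helper.)
     */
    static KeyStore resolve(Map<String, String> config,
                            KeyStore identityKeystore,
                            Function<String, char[]> aliasService)
            throws IOException, GeneralSecurityException {
        String path = config.get(PATH_PROP);
        if (path == null || path.isEmpty()) {
            return identityKeystore;
        }
        String type = config.getOrDefault(TYPE_PROP, "jks");
        String alias = config.get(ALIAS_PROP);
        if (alias == null) {
            // Assumption: the issue states no default alias for this truststore,
            // so a configured path without an alias is treated as a config error.
            throw new IllegalStateException(PATH_PROP + " is set but " + ALIAS_PROP + " is not");
        }
        char[] password = aliasService.apply(alias);
        if (password == null) {
            throw new IllegalStateException("no password stored for alias " + alias);
        }
        KeyStore truststore = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) {
            truststore.load(in, password); // for JKS the password also checks file integrity
        }
        return truststore;
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo data: an empty in-memory identity keystore and an
        // empty JKS truststore written to a temp file.
        KeyStore identity = KeyStore.getInstance("JKS");
        identity.load(null, null);

        char[] tsPassword = "demo-truststore-password".toCharArray();
        Path tsFile = Files.createTempFile("demo-truststore", ".jks");
        KeyStore onDisk = KeyStore.getInstance("JKS");
        onDisk.load(null, null);
        try (FileOutputStream out = new FileOutputStream(tsFile.toFile())) {
            onDisk.store(out, tsPassword);
        }

        // Stand-in for the alias service: alias name -> password.
        Map<String, char[]> aliases = new HashMap<>();
        aliases.put("httpclient-truststore-password", tsPassword);
        Function<String, char[]> aliasService = aliases::get;

        // Case 1: nothing configured, the identity keystore is returned as-is.
        Map<String, String> cfg = new HashMap<>();
        System.out.println("default -> identity keystore: "
                + (resolve(cfg, identity, aliasService) == identity));

        // Case 2: explicit truststore configured, loaded from disk.
        cfg.put(PATH_PROP, tsFile.toString());
        cfg.put(TYPE_PROP, "jks");
        cfg.put(ALIAS_PROP, "httpclient-truststore-password");
        KeyStore resolved = resolve(cfg, identity, aliasService);
        System.out.println("custom -> loaded from disk: " + (resolved != identity)
                + ", type=" + resolved.getType());

        // Case 3: the alias service holds the wrong password, so loading the
        // JKS file fails its integrity check instead of silently trusting it.
        aliases.put("httpclient-truststore-password", "wrong".toCharArray());
        try {
            resolve(cfg, identity, aliasService);
        } catch (IOException e) {
            System.out.println("custom with wrong password -> " + e.getClass().getSimpleName());
        }
        Files.deleteIfExists(tsFile);
    }
}
```

The third case is the one worth keeping in mind when wiring the alias service: a wrong or missing password for a JKS truststore surfaces as an `IOException` at load time, so the gateway fails early rather than starting with an empty trust set.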
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)