[
https://issues.apache.org/jira/browse/KNOX-3107?focusedWorklogId=960850&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-960850
]
ASF GitHub Bot logged work on KNOX-3107:
----------------------------------------
Author: ASF GitHub Bot
Created on: 07/Mar/25 19:54
Start Date: 07/Mar/25 19:54
Worklog Time Spent: 10m
Work Description: pzampino commented on code in PR #1002:
URL: https://github.com/apache/knox/pull/1002#discussion_r1985603662
##########
gateway-provider-security-authc-remote/src/main/java/org/apache/knox/gateway/filter/RemoteAuthFilter.java:
##########
@@ -132,12 +132,69 @@ public void init(FilterConfig filterConfig) throws
ServletException {
groupHeaders = Arrays.asList(groupHeaderParam.split("\\s*,\\s*"));
}
- truststorePath = filterConfig.getInitParameter(CONFIG_TRUSTSTORE_PATH);
- truststorePassword =
filterConfig.getInitParameter(CONFIG_TRUSTSTORE_PASSWORD);
- truststoreType = filterConfig.getInitParameter(CONFIG_TRUSTSTORE_TYPE);
+ buildTrustStore(filterConfig);
+ }
+
+ private void buildTrustStore(FilterConfig filterConfig) throws
ServletException {
+ String truststorePath =
filterConfig.getInitParameter(CONFIG_TRUSTSTORE_PATH);
+ String truststorePassword =
filterConfig.getInitParameter(CONFIG_TRUSTSTORE_PASSWORD);
+ String truststoreType =
filterConfig.getInitParameter(CONFIG_TRUSTSTORE_TYPE);
if (truststoreType == null || truststoreType.isEmpty()) {
truststoreType = DEFAULT_TRUSTSTORE_TYPE;
}
+
+ ServletContext context = filterConfig.getServletContext();
+ if (context != null) {
+ String topologyName = (String)
context.getAttribute(GatewayServices.GATEWAY_CLUSTER_ATTRIBUTE);
+ GatewayServices services = (GatewayServices)
context.getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE);
+ if (services != null) {
+ try {
+ final AliasService aliasService =
services.getService(ServiceType.ALIAS_SERVICE);
+ if (truststorePath != null && !truststorePath.isEmpty()) {
+ if (truststorePassword == null || truststorePassword.isEmpty()) {
+ // let's check the for an alias given the intent to specify a
truststore path
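Review bot: the three removed lines at the top of this hunk assigned the filter's `truststorePath`, `truststorePassword` and `truststoreType` fields, while the replacement declares same-named locals inside `buildTrustStore` (`String truststorePath = filterConfig.getInitParameter(CONFIG_TRUSTSTORE_PATH);` and so on), so if those fields still exist they are shadowed here and never set. If nothing else in the class reads them, remove the fields; otherwise assign the resolved values back before returning, or switch the readers to `trustStore`.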
Review Comment:
nit: comment typo
##########
gateway-provider-security-authc-remote/src/main/java/org/apache/knox/gateway/filter/RemoteAuthFilter.java:
##########
@@ -132,12 +132,69 @@ public void init(FilterConfig filterConfig) throws
ServletException {
groupHeaders = Arrays.asList(groupHeaderParam.split("\\s*,\\s*"));
}
- truststorePath = filterConfig.getInitParameter(CONFIG_TRUSTSTORE_PATH);
- truststorePassword =
filterConfig.getInitParameter(CONFIG_TRUSTSTORE_PASSWORD);
- truststoreType = filterConfig.getInitParameter(CONFIG_TRUSTSTORE_TYPE);
+ buildTrustStore(filterConfig);
+ }
+
+ private void buildTrustStore(FilterConfig filterConfig) throws
ServletException {
+ String truststorePath =
filterConfig.getInitParameter(CONFIG_TRUSTSTORE_PATH);
+ String truststorePassword =
filterConfig.getInitParameter(CONFIG_TRUSTSTORE_PASSWORD);
+ String truststoreType =
filterConfig.getInitParameter(CONFIG_TRUSTSTORE_TYPE);
if (truststoreType == null || truststoreType.isEmpty()) {
truststoreType = DEFAULT_TRUSTSTORE_TYPE;
}
+
+ ServletContext context = filterConfig.getServletContext();
+ if (context != null) {
+ String topologyName = (String)
context.getAttribute(GatewayServices.GATEWAY_CLUSTER_ATTRIBUTE);
+ GatewayServices services = (GatewayServices)
context.getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE);
+ if (services != null) {
+ try {
+ final AliasService aliasService =
services.getService(ServiceType.ALIAS_SERVICE);
+ if (truststorePath != null && !truststorePath.isEmpty()) {
+ if (truststorePassword == null || truststorePassword.isEmpty()) {
+ // let's check the for an alias given the intent to specify a
truststore path
+ char[] passChars =
aliasService.getPasswordFromAliasForCluster(topologyName,
+ CONFIG_TRUSTSTORE_PASSWORD, false);
+ if (passChars != null) {
+ truststorePassword = new String(passChars);
+ }
+ if (truststorePassword == null || truststorePassword.isEmpty()) {
+ truststorePassword = new
String(aliasService.getPasswordFromAliasForGateway(CONFIG_TRUSTSTORE_PASSWORD));
+ }
+ }
+ }
+ KeystoreService keystoreService =
services.getService(ServiceType.KEYSTORE_SERVICE);
+ trustStore = getTrustStore(truststorePath, truststoreType,
truststorePassword, keystoreService);
+ } catch (AliasServiceException | IOException e) {
+ throw new ServletException("Error while initializing
RemoteAuthProvider", e);
+ }
+ }
+ } else if (truststorePath != null && !truststorePath.isEmpty()) {
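Review bot: the gateway-level fallback `truststorePassword = new String(aliasService.getPasswordFromAliasForGateway(CONFIG_TRUSTSTORE_PASSWORD));` throws a NullPointerException when no gateway-level alias exists either, since `new String((char[]) null)` is not tolerated and the surrounding `catch (AliasServiceException | IOException e)` does not catch it, so the filter fails with an unchecked exception instead of the intended ServletException. Guard it the way the cluster-level lookup just above does (assign only when the returned char[] is non-null), and if the password is still empty after both lookups either fall through to the keystore-service path or throw a ServletException naming the missing alias. It is also worth documenting in the provider docs that the alias consulted is named by the same `CONFIG_TRUSTSTORE_PASSWORD` string as the init parameter, because that is the name operators have to create.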
Review Comment:
Do we get here if the ServletContext cannot be resolved? Seems like perhaps,
rather than an else clause, there should be a check to see if we were able to
initialize the trust store.
Issue Time Tracking
-------------------
Worklog Id: (was: 960850)
Time Spent: 20m (was: 10m)
> Alias Support for the RemoteAuthProvider truststore password
> ------------------------------------------------------------
>
> Key: KNOX-3107
> URL: https://issues.apache.org/jira/browse/KNOX-3107
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server
> Reporter: Larry McCay
> Assignee: Larry McCay
> Priority: Major
> Fix For: 2.2.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Need to add Alias support for protecting the topology level config for the
> RemoteAuthProvider truststore. While it is likely that it will usually
> leverage the gateway level truststore and not need this for anything but
> testing and dev environments, some use cases/deployments may want to configure
> this at the topology level.
> Let's not require the password to be in the topology file.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)