This is an automated email from the ASF dual-hosted git repository. kturner pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/accumulo.git
The following commit(s) were added to refs/heads/master by this push: new 1325e81 ACCUMULO-4792 Improve crypto configuration checks (#371) 1325e81 is described below commit 1325e81ef3c5639305379aa83ea4d0dafb1c60fe Author: Nick <31989480+pirc...@users.noreply.github.com> AuthorDate: Wed Feb 14 15:26:18 2018 -0500 ACCUMULO-4792 Improve crypto configuration checks (#371) Added a check to the configuration sanity checker to ensure that, if a crypto module other than NullCryptoModule was selected, a SecretKeyEncryptionStrategy other than NullSecretKeyEncryptionStrategy must also be selected (and vice versa). --- .../accumulo/core/conf/ConfigSanityCheck.java | 26 ++++++++++++++----- .../accumulo/core/conf/ConfigSanityCheckTest.java | 30 ++++++++++++++++++++-- 2 files changed, 47 insertions(+), 9 deletions(-) diff --git a/core/src/main/java/org/apache/accumulo/core/conf/ConfigSanityCheck.java b/core/src/main/java/org/apache/accumulo/core/conf/ConfigSanityCheck.java index f787d5e..33453be 100644 --- a/core/src/main/java/org/apache/accumulo/core/conf/ConfigSanityCheck.java +++ b/core/src/main/java/org/apache/accumulo/core/conf/ConfigSanityCheck.java @@ -31,6 +31,9 @@ public class ConfigSanityCheck { private static final Logger log = LoggerFactory.getLogger(ConfigSanityCheck.class); private static final String PREFIX = "BAD CONFIG "; + private static final String NULL_CIPHER = "NullCipher"; + private static final String NULL_CRYPTO_MODULE = "NullCryptoModule"; + private static final String NULL_SECRET_KEY_ENCRYPTION_STRATEGY = "NullSecretKeyEncryptionStrategy"; @SuppressWarnings("deprecation") private static final Property INSTANCE_DFS_URI = Property.INSTANCE_DFS_URI; @SuppressWarnings("deprecation") @@ -49,8 +52,10 @@ public class ConfigSanityCheck { public static void validate(Iterable<Entry<String,String>> entries) { String instanceZkTimeoutValue = null; boolean usingVolumes = false; - String cipherSuite = null; - String keyAlgorithm = null; + String cipherSuite = NULL_CIPHER; + String keyAlgorithm = NULL_CIPHER; + String secretKeyEncryptionStrategy = NULL_SECRET_KEY_ENCRYPTION_STRATEGY; + String cryptoModule = NULL_CRYPTO_MODULE; for (Entry<String,String> entry : entries) { String key = entry.getKey(); String value = entry.getValue(); @@ -81,13 +86,20 @@ public class ConfigSanityCheck { if (key.equals(Property.CRYPTO_CIPHER_SUITE.getKey())) { cipherSuite = Objects.requireNonNull(value); - Preconditions.checkArgument(cipherSuite.equals("NullCipher") || cipherSuite.split("/").length == 3, + Preconditions.checkArgument(cipherSuite.equals(NULL_CIPHER) || cipherSuite.split("/").length == 3, "Cipher suite must be NullCipher or in the form algorithm/mode/padding. Suite: " + cipherSuite + " is invalid."); } if (key.equals(Property.CRYPTO_CIPHER_KEY_ALGORITHM_NAME.getKey())) { keyAlgorithm = Objects.requireNonNull(value); } + + if (key.equals(Property.CRYPTO_MODULE_CLASS.getKey())) { + cryptoModule = Objects.requireNonNull(value); + } + if (key.equals(Property.CRYPTO_SECRET_KEY_ENCRYPTION_STRATEGY_CLASS.getKey())) { + secretKeyEncryptionStrategy = Objects.requireNonNull(value); + } } if (instanceZkTimeoutValue != null) { @@ -98,12 +110,12 @@ public class ConfigSanityCheck { log.warn("Use of {} and {} are deprecated. Consider using {} instead.", INSTANCE_DFS_URI, INSTANCE_DFS_DIR, Property.INSTANCE_VOLUMES); } - if (cipherSuite.equals("NullCipher") && !keyAlgorithm.equals("NullCipher")) { - fatal(Property.CRYPTO_CIPHER_SUITE.getKey() + " should be configured when " + Property.CRYPTO_CIPHER_KEY_ALGORITHM_NAME.getKey() + " is set."); + if ((cipherSuite.equals(NULL_CIPHER) || keyAlgorithm.equals(NULL_CIPHER)) && !cipherSuite.equals(keyAlgorithm)) { + fatal(Property.CRYPTO_CIPHER_SUITE.getKey() + " and " + Property.CRYPTO_CIPHER_KEY_ALGORITHM_NAME + " must both be configured."); } - if (!cipherSuite.equals("NullCipher") && keyAlgorithm.equals("NullCipher")) { - fatal(Property.CRYPTO_CIPHER_KEY_ALGORITHM_NAME.getKey() + " should be configured when " + Property.CRYPTO_CIPHER_SUITE.getKey() + " is set."); + if (cryptoModule.equals(NULL_CRYPTO_MODULE) ^ secretKeyEncryptionStrategy.equals(NULL_SECRET_KEY_ENCRYPTION_STRATEGY)) { + fatal(Property.CRYPTO_MODULE_CLASS.getKey() + " and " + Property.CRYPTO_SECRET_KEY_ENCRYPTION_STRATEGY_CLASS.getKey() + " must both be configured."); } } diff --git a/core/src/test/java/org/apache/accumulo/core/conf/ConfigSanityCheckTest.java b/core/src/test/java/org/apache/accumulo/core/conf/ConfigSanityCheckTest.java index 9f2ff8e..f359b4e 100644 --- a/core/src/test/java/org/apache/accumulo/core/conf/ConfigSanityCheckTest.java +++ b/core/src/test/java/org/apache/accumulo/core/conf/ConfigSanityCheckTest.java @@ -28,8 +28,6 @@ public class ConfigSanityCheckTest { @Before public void setUp() { m = new java.util.HashMap<>(); - m.put(Property.CRYPTO_CIPHER_SUITE.getKey(), "NullCipher"); - m.put(Property.CRYPTO_CIPHER_KEY_ALGORITHM_NAME.getKey(), "NullCipher"); } @Test @@ -93,4 +91,32 @@ public class ConfigSanityCheckTest { m.put(Property.CRYPTO_CIPHER_KEY_ALGORITHM_NAME.getKey(), "AES"); ConfigSanityCheck.validate(m.entrySet()); } + + @Test(expected = SanityCheckException.class) + public void testFail_cryptoModuleSetSecretKeyEncryptionStrategyNotSet() { + m.put(Property.CRYPTO_MODULE_CLASS.getKey(), "DefaultCryptoModule"); + m.put(Property.CRYPTO_SECRET_KEY_ENCRYPTION_STRATEGY_CLASS.getKey(), "NullSecretKeyEncryptionStrategy"); + ConfigSanityCheck.validate(m.entrySet()); + } + + @Test(expected = SanityCheckException.class) + public void testFail_cryptoModuleNotSetSecretKeyEncryptionStrategySet() { + m.put(Property.CRYPTO_MODULE_CLASS.getKey(), "NullCryptoModule"); + m.put(Property.CRYPTO_SECRET_KEY_ENCRYPTION_STRATEGY_CLASS.getKey(), "SecretKeyEncryptionStrategy"); + ConfigSanityCheck.validate(m.entrySet()); + } + + @Test + public void testPass_cryptoModuleAndSecretKeyEncryptionStrategyBothNull() { + m.put(Property.CRYPTO_MODULE_CLASS.getKey(), "NullCryptoModule"); + m.put(Property.CRYPTO_SECRET_KEY_ENCRYPTION_STRATEGY_CLASS.getKey(), "NullSecretKeyEncryptionStrategy"); + ConfigSanityCheck.validate(m.entrySet()); + } + + @Test + public void testPass_cryptoModuleAndSecretKeyEncryptionStrategyBothSet() { + m.put(Property.CRYPTO_MODULE_CLASS.getKey(), "DefaultCryptoModule"); + m.put(Property.CRYPTO_SECRET_KEY_ENCRYPTION_STRATEGY_CLASS.getKey(), "SecretKeyEncryptionStrategy"); + ConfigSanityCheck.validate(m.entrySet()); + } } -- To stop receiving notification emails like this one, please contact ktur...@apache.org.