use of org.apache.knox.gateway.services.security.AliasService in project knox by apache.
the class SimpleDescriptorHandlerFuncTest method testSimpleDescriptorHandlerQueryStringCredentialAliasCreation.
/**
* KNOX-1136
* <p>
 * Test that a credential store is created, and that an encryptQueryString alias is defined whose password is not
 * random but is derived deterministically from the master secret and the topology name (master secret + topology name).
* <p>
* N.B. This test depends on the NoOpServiceDiscovery extension being configured in META-INF/services
*/
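@Test
public void testSimpleDescriptorHandlerQueryStringCredentialAliasCreation() throws Exception {
  final String testMasterSecret = "mysecret";
  final String discoveryType = "NO_OP";
  final String clusterName = "dummy";
  final Map<String, List<String>> serviceURLs = new HashMap<>();
  serviceURLs.put("RESOURCEMANAGER", Collections.singletonList("http://myhost:1234/resource"));

  // Per-test scratch layout mirroring the gateway conf dir; removed in the finally block.
  File testRootDir = TestUtils.createTempDir(getClass().getSimpleName());
  File testConfDir = new File(testRootDir, "conf");
  File testProvDir = new File(testConfDir, "shared-providers");
  File testTopoDir = new File(testConfDir, "topologies");
  File testDeployDir = new File(testConfDir, "deployments");

  // Write the externalized provider config to a temp file
  File providerConfig = new File(testProvDir, "ambari-cluster-policy.xml");
  FileUtils.write(providerConfig, TEST_PROVIDER_CONFIG);

  File topologyFile = null;
  // No catch block on purpose: the method already declares 'throws Exception', so a failure surfaces
  // with its full stack trace instead of being flattened to fail(e.getMessage()).
  try {
    File destDir = new File(System.getProperty("java.io.tmpdir")).getCanonicalFile();

    // Mock out the simple descriptor: NO_OP discovery, no discovery address/user, externalized provider config.
    SimpleDescriptor testDescriptor = EasyMock.createNiceMock(SimpleDescriptor.class);
    EasyMock.expect(testDescriptor.getName()).andReturn("mysimpledescriptor").anyTimes();
    EasyMock.expect(testDescriptor.getDiscoveryAddress()).andReturn(null).anyTimes();
    EasyMock.expect(testDescriptor.getDiscoveryType()).andReturn(discoveryType).anyTimes();
    EasyMock.expect(testDescriptor.getDiscoveryUser()).andReturn(null).anyTimes();
    EasyMock.expect(testDescriptor.getProviderConfig()).andReturn(providerConfig.getAbsolutePath()).anyTimes();
    EasyMock.expect(testDescriptor.getClusterName()).andReturn(clusterName).anyTimes();
    List<SimpleDescriptor.Service> serviceMocks = new ArrayList<>();
    for (String serviceName : serviceURLs.keySet()) {
      SimpleDescriptor.Service svc = EasyMock.createNiceMock(SimpleDescriptor.Service.class);
      EasyMock.expect(svc.getName()).andReturn(serviceName).anyTimes();
      EasyMock.expect(svc.getURLs()).andReturn(serviceURLs.get(serviceName)).anyTimes();
      EasyMock.expect(svc.getParams()).andReturn(Collections.emptyMap()).anyTimes();
      EasyMock.replay(svc);
      serviceMocks.add(svc);
    }
    EasyMock.expect(testDescriptor.getServices()).andReturn(serviceMocks).anyTimes();
    EasyMock.replay(testDescriptor);

    // Try setting up enough of the GatewayServer to support the test...
    GatewayConfig config = EasyMock.createNiceMock(GatewayConfig.class);
    InetSocketAddress gatewayAddress = new InetSocketAddress(0);
    EasyMock.expect(config.getGatewayTopologyDir()).andReturn(testTopoDir.getAbsolutePath()).anyTimes();
    EasyMock.expect(config.getGatewayDeploymentDir()).andReturn(testDeployDir.getAbsolutePath()).anyTimes();
    EasyMock.expect(config.getGatewayAddress()).andReturn(gatewayAddress).anyTimes();
    EasyMock.expect(config.getGatewayPortMappings()).andReturn(Collections.emptyMap()).anyTimes();
    EasyMock.replay(config);

    // Setup the Gateway Services
    GatewayServices gatewayServices = EasyMock.createNiceMock(GatewayServices.class);

    // Master Service
    MasterService ms = EasyMock.createNiceMock(MasterService.class);
    EasyMock.expect(ms.getMasterSecret()).andReturn(testMasterSecret.toCharArray()).anyTimes();
    EasyMock.replay(ms);
    EasyMock.expect(gatewayServices.getService("MasterService")).andReturn(ms).anyTimes();

    // Keystore Service: report that no credential store exists for the topology yet, so the handler is
    // expected to create one exactly once. These once() expectations are enforced by verify(ks) below.
    KeystoreService ks = EasyMock.createNiceMock(KeystoreService.class);
    EasyMock.expect(ks.isCredentialStoreForClusterAvailable(testDescriptor.getName())).andReturn(false).once();
    ks.createCredentialStoreForCluster(testDescriptor.getName());
    EasyMock.expectLastCall().once();
    KeyStore credStore = EasyMock.createNiceMock(KeyStore.class);
    EasyMock.expect(ks.getCredentialStoreForCluster(testDescriptor.getName())).andReturn(credStore).anyTimes();
    EasyMock.replay(ks);
    EasyMock.expect(gatewayServices.getService(GatewayServices.KEYSTORE_SERVICE)).andReturn(ks).anyTimes();

    // Alias Service
    AliasService as = EasyMock.createNiceMock(AliasService.class);
    // Captures for validating the alias creation for a generated topology
    Capture<String> capturedCluster = EasyMock.newCapture();
    Capture<String> capturedAlias = EasyMock.newCapture();
    Capture<String> capturedPwd = EasyMock.newCapture();
    as.addAliasForCluster(capture(capturedCluster), capture(capturedAlias), capture(capturedPwd));
    EasyMock.expectLastCall().anyTimes();
    EasyMock.replay(as);
    EasyMock.expect(gatewayServices.getService(GatewayServices.ALIAS_SERVICE)).andReturn(as).anyTimes();

    // Topology Service
    TopologyService ts = EasyMock.createNiceMock(TopologyService.class);
    ts.addTopologyChangeListener(anyObject());
    EasyMock.expectLastCall().anyTimes();
    ts.reloadTopologies();
    EasyMock.expectLastCall().anyTimes();
    EasyMock.expect(ts.getTopologies()).andReturn(Collections.emptyList()).anyTimes();
    EasyMock.replay(ts);
    EasyMock.expect(gatewayServices.getService(GatewayServices.TOPOLOGY_SERVICE)).andReturn(ts).anyTimes();
    EasyMock.replay(gatewayServices);

    // Start a GatewayServer with the GatewayServices mock
    GatewayServer.startGateway(config, gatewayServices);

    // Invoke the simple descriptor handler, which will also create the credential store
    // (because it doesn't exist) and the encryptQueryString alias
    Map<String, File> files = SimpleDescriptorHandler.handle(config, testDescriptor, providerConfig.getParentFile(), destDir);
    topologyFile = files.get("topology");

    // Validate the KeystoreService interaction. Without verify(), the once() expectations above are
    // never checked and the "credential store is created" half of this test would pass vacuously.
    EasyMock.verify(ks);

    // Validate the AliasService interaction
    assertEquals("Unexpected cluster name for the alias (should be the topology name).", testDescriptor.getName(), capturedCluster.getValue());
    assertEquals("Unexpected alias name.", "encryptQueryString", capturedAlias.getValue());
    // NOTE(review): the alias value is a plain concatenation (master secret + topology name), not a KDF
    // output; it is deterministic by design (KNOX-1136), so anyone holding the master secret can derive it.
    assertEquals("Unexpected alias value (should be master secret + topology name).", testMasterSecret + testDescriptor.getName(), capturedPwd.getValue());
  } finally {
    FileUtils.forceDelete(testRootDir);
    if (topologyFile != null) {
      topologyFile.delete();
    }
  }
}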
use of org.apache.knox.gateway.services.security.AliasService in project knox by apache.
the class RemoteConfigurationMonitorTest method testZooKeeperConfigMonitorSASLNodesExistWithUnacceptableACL.
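@Test
public void testZooKeeperConfigMonitorSASLNodesExistWithUnacceptableACL() throws Exception {
  final String configMonitorName = "zkConfigClient";
  final String alias = "zkPass";

  // Setup the base GatewayConfig mock: a single remote registry, Digest-authenticated as ZK_USERNAME,
  // whose password is referenced only by alias (the secret itself never appears in the config string).
  GatewayConfig gc = EasyMock.createNiceMock(GatewayConfig.class);
  EasyMock.expect(gc.getGatewayProvidersConfigDir()).andReturn(providersDir.getAbsolutePath()).anyTimes();
  EasyMock.expect(gc.getGatewayDescriptorsDir()).andReturn(descriptorsDir.getAbsolutePath()).anyTimes();
  EasyMock.expect(gc.getRemoteRegistryConfigurationNames()).andReturn(Collections.singletonList(configMonitorName)).anyTimes();
  final String registryConfig = GatewayConfig.REMOTE_CONFIG_REGISTRY_TYPE + "=" + ZooKeeperClientService.TYPE + ";" + GatewayConfig.REMOTE_CONFIG_REGISTRY_ADDRESS + "=" + zkCluster.getConnectString() + ";" + GatewayConfig.REMOTE_CONFIG_REGISTRY_PRINCIPAL + "=" + ZK_USERNAME + ";" + GatewayConfig.REMOTE_CONFIG_REGISTRY_AUTH_TYPE + "=Digest;" + GatewayConfig.REMOTE_CONFIG_REGISTRY_CREDENTIAL_ALIAS + "=" + alias;
  EasyMock.expect(gc.getRemoteRegistryConfiguration(configMonitorName)).andReturn(registryConfig).anyTimes();
  EasyMock.expect(gc.getRemoteConfigurationMonitorClientName()).andReturn(configMonitorName).anyTimes();
  EasyMock.replay(gc);

  // The AliasService is the only source of the ZooKeeper credential.
  AliasService aliasService = EasyMock.createNiceMock(AliasService.class);
  EasyMock.expect(aliasService.getPasswordFromAliasForGateway(alias)).andReturn(ZK_PASSWORD.toCharArray()).anyTimes();
  EasyMock.replay(aliasService);

  RemoteConfigurationRegistryClientService clientService = (new ZooKeeperClientServiceProvider()).newInstance();
  clientService.setAliasService(aliasService);
  clientService.init(gc, Collections.emptyMap());
  clientService.start();
  RemoteConfigurationMonitorFactory.setClientService(clientService);
  RemoteConfigurationMonitor cm = RemoteConfigurationMonitorFactory.get(gc);
  assertNotNull("Failed to load RemoteConfigurationMonitor", cm);

  // Pre-create the Knox config znodes with an unacceptable ACL set: ALL for any authenticated user, plus
  // WRITE for world:anyone (ANYONE_ID_UNSAFE), which would let unauthenticated clients overwrite them.
  final ACL ANY_AUTHENTICATED_USER_ALL = new ACL(ZooDefs.Perms.ALL, new Id("auth", ""));
  List<ACL> acls = Arrays.asList(ANY_AUTHENTICATED_USER_ALL, new ACL(ZooDefs.Perms.WRITE, ZooDefs.Ids.ANYONE_ID_UNSAFE));
  client.create().creatingParentsIfNeeded().withMode(CreateMode.PERSISTENT).withACL(acls).forPath(PATH_KNOX);
  client.create().creatingParentsIfNeeded().withMode(CreateMode.PERSISTENT).withACL(acls).forPath(PATH_KNOX_CONFIG);
  client.create().creatingParentsIfNeeded().withMode(CreateMode.PERSISTENT).withACL(acls).forPath(PATH_KNOX_PROVIDERS);
  client.create().creatingParentsIfNeeded().withMode(CreateMode.PERSISTENT).withACL(acls).forPath(PATH_KNOX_DESCRIPTORS);

  // Make sure both ACLs were applied
  List<ACL> preACLs = client.getACL().forPath(PATH_KNOX);
  assertEquals(2, preACLs.size());

  // Check that the config nodes really do exist (the monitor will NOT create them if they're present)
  assertNotNull(client.checkExists().forPath(PATH_KNOX));
  assertNotNull(client.checkExists().forPath(PATH_KNOX_CONFIG));
  assertNotNull(client.checkExists().forPath(PATH_KNOX_PROVIDERS));
  assertNotNull(client.checkExists().forPath(PATH_KNOX_DESCRIPTORS));

  // A start failure propagates with its stack trace instead of being reduced to fail(e.getMessage()).
  cm.start();
  try {
    // Validate the expected ACLs on the Knox config znodes (make sure the monitor removed the world:anyone ACL)
    List<ACL> expectedACLs = Collections.singletonList(SASL_TESTUSER_ALL);
    validateKnoxConfigNodeACLs(expectedACLs, client.getACL().forPath(PATH_KNOX));
    validateKnoxConfigNodeACLs(expectedACLs, client.getACL().forPath(PATH_KNOX_CONFIG));
    validateKnoxConfigNodeACLs(expectedACLs, client.getACL().forPath(PATH_KNOX_PROVIDERS));
    validateKnoxConfigNodeACLs(expectedACLs, client.getACL().forPath(PATH_KNOX_DESCRIPTORS));
  } finally {
    // Stop the monitor so its ZooKeeper session and watchers do not leak into later tests
    // (same cleanup as testZooKeeperConfigMonitorSASLCreateNodes, which this test was missing).
    cm.stop();
  }
}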
use of org.apache.knox.gateway.services.security.AliasService in project knox by apache.
the class RemoteConfigurationMonitorTest method testZooKeeperConfigMonitorSASLCreateNodes.
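@Test
public void testZooKeeperConfigMonitorSASLCreateNodes() throws Exception {
  final String configMonitorName = "zkConfigClient";
  final String alias = "zkPass";

  // Setup the base GatewayConfig mock: a single remote registry, Digest-authenticated as ZK_USERNAME,
  // whose password is referenced only by alias.
  GatewayConfig gc = EasyMock.createNiceMock(GatewayConfig.class);
  EasyMock.expect(gc.getGatewayProvidersConfigDir()).andReturn(providersDir.getAbsolutePath()).anyTimes();
  EasyMock.expect(gc.getGatewayDescriptorsDir()).andReturn(descriptorsDir.getAbsolutePath()).anyTimes();
  EasyMock.expect(gc.getRemoteRegistryConfigurationNames()).andReturn(Collections.singletonList(configMonitorName)).anyTimes();
  final String registryConfig = GatewayConfig.REMOTE_CONFIG_REGISTRY_TYPE + "=" + ZooKeeperClientService.TYPE + ";" + GatewayConfig.REMOTE_CONFIG_REGISTRY_ADDRESS + "=" + zkCluster.getConnectString() + ";" + GatewayConfig.REMOTE_CONFIG_REGISTRY_PRINCIPAL + "=" + ZK_USERNAME + ";" + GatewayConfig.REMOTE_CONFIG_REGISTRY_AUTH_TYPE + "=Digest;" + GatewayConfig.REMOTE_CONFIG_REGISTRY_CREDENTIAL_ALIAS + "=" + alias;
  EasyMock.expect(gc.getRemoteRegistryConfiguration(configMonitorName)).andReturn(registryConfig).anyTimes();
  EasyMock.expect(gc.getRemoteConfigurationMonitorClientName()).andReturn(configMonitorName).anyTimes();
  EasyMock.replay(gc);

  // The AliasService is the only source of the ZooKeeper credential.
  AliasService aliasService = EasyMock.createNiceMock(AliasService.class);
  EasyMock.expect(aliasService.getPasswordFromAliasForGateway(alias)).andReturn(ZK_PASSWORD.toCharArray()).anyTimes();
  EasyMock.replay(aliasService);

  RemoteConfigurationRegistryClientService clientService = (new ZooKeeperClientServiceProvider()).newInstance();
  clientService.setAliasService(aliasService);
  clientService.init(gc, Collections.emptyMap());
  clientService.start();
  RemoteConfigurationMonitorFactory.setClientService(clientService);
  RemoteConfigurationMonitor cm = RemoteConfigurationMonitorFactory.get(gc);
  assertNotNull("Failed to load RemoteConfigurationMonitor", cm);

  // Check that the config nodes really don't yet exist (the monitor will create them if they're not present)
  assertNull(client.checkExists().forPath(PATH_KNOX));
  assertNull(client.checkExists().forPath(PATH_KNOX_CONFIG));
  assertNull(client.checkExists().forPath(PATH_KNOX_PROVIDERS));
  assertNull(client.checkExists().forPath(PATH_KNOX_DESCRIPTORS));

  // A start failure propagates with its stack trace instead of being reduced to fail(e.getMessage()).
  cm.start();
  try {
    // Test auth violation: a write outside the Knox config tree must not take effect.
    // (Which side denies it is fixture-dependent; see the class-level ZooKeeper setup.)
    clientService.get(configMonitorName).createEntry("/auth_test/child_node/test1");
    assertNull("Creation should have been prevented since write access is not granted to the test client.", client.checkExists().forPath("/auth_test/child_node/test1"));
    assertTrue("Creation should have been prevented since write access is not granted to the test client.", client.getChildren().forPath("/auth_test/child_node").isEmpty());

    // Validate the expected ACLs on the Knox config znodes (make sure the monitor created them correctly):
    // only the SASL test user, nothing for world:anyone.
    List<ACL> expectedACLs = Collections.singletonList(SASL_TESTUSER_ALL);
    validateKnoxConfigNodeACLs(expectedACLs, client.getACL().forPath(PATH_KNOX));
    validateKnoxConfigNodeACLs(expectedACLs, client.getACL().forPath(PATH_KNOX_CONFIG));
    validateKnoxConfigNodeACLs(expectedACLs, client.getACL().forPath(PATH_KNOX_PROVIDERS));
    validateKnoxConfigNodeACLs(expectedACLs, client.getACL().forPath(PATH_KNOX_DESCRIPTORS));

    // Test the Knox config nodes, for which authentication should be sufficient for access.
    // The monitor mirrors each ZooKeeper change to the local conf dirs asynchronously, so every step
    // waits (bounded) for the file system to catch up instead of sleeping a fixed 100 ms and hoping.
    final String pc_one_znode = getProviderPath("providers-config1.xml");
    final File pc_one = new File(providersDir, "providers-config1.xml");
    final String pc_two_znode = getProviderPath("providers-config2.xml");
    final File pc_two = new File(providersDir, "providers-config2.xml");

    client.create().withMode(CreateMode.PERSISTENT).forPath(pc_one_znode, TEST_PROVIDERS_CONFIG_1.getBytes());
    awaitFileContent(pc_one, TEST_PROVIDERS_CONFIG_1);
    client.create().withMode(CreateMode.PERSISTENT).forPath(pc_two_znode, TEST_PROVIDERS_CONFIG_2.getBytes());
    awaitFileContent(pc_two, TEST_PROVIDERS_CONFIG_2);
    client.setData().forPath(pc_two_znode, TEST_PROVIDERS_CONFIG_1.getBytes());
    awaitFileContent(pc_two, TEST_PROVIDERS_CONFIG_1);
    client.delete().forPath(pc_two_znode);
    awaitFileDeleted(pc_two);
    client.delete().forPath(pc_one_znode);
    awaitFileDeleted(pc_one);

    final String desc_one_znode = getDescriptorPath("test1.json");
    final String desc_two_znode = getDescriptorPath("test2.json");
    final String desc_three_znode = getDescriptorPath("test3.json");
    final File desc_one = new File(descriptorsDir, "test1.json");
    final File desc_two = new File(descriptorsDir, "test2.json");
    final File desc_three = new File(descriptorsDir, "test3.json");

    client.create().withMode(CreateMode.PERSISTENT).forPath(desc_one_znode, TEST_DESCRIPTOR_1.getBytes());
    awaitFileContent(desc_one, TEST_DESCRIPTOR_1);
    client.create().withMode(CreateMode.PERSISTENT).forPath(desc_two_znode, TEST_DESCRIPTOR_1.getBytes());
    awaitFileContent(desc_two, TEST_DESCRIPTOR_1);
    client.setData().forPath(desc_two_znode, TEST_DESCRIPTOR_2.getBytes());
    awaitFileContent(desc_two, TEST_DESCRIPTOR_2);
    client.create().withMode(CreateMode.PERSISTENT).forPath(desc_three_znode, TEST_DESCRIPTOR_1.getBytes());
    awaitFileContent(desc_three, TEST_DESCRIPTOR_1);
    client.delete().forPath(desc_two_znode);
    awaitFileDeleted(desc_two);
    client.delete().forPath(desc_three_znode);
    awaitFileDeleted(desc_three);
    client.delete().forPath(desc_one_znode);
    awaitFileDeleted(desc_one);
  } finally {
    // Always stop the monitor so its ZooKeeper session and watchers do not leak into later tests.
    cm.stop();
  }
}

/** Upper bound, in milliseconds, for the monitor to mirror one ZooKeeper change to the local file system. */
private static final long MONITOR_SYNC_TIMEOUT_MS = 5000L;

/** Poll interval, in milliseconds, used while waiting for the monitor to mirror a change. */
private static final long MONITOR_POLL_INTERVAL_MS = 20L;

/**
 * Waits (up to MONITOR_SYNC_TIMEOUT_MS) until the given file exists with exactly the expected content,
 * then asserts that state so a timeout fails with the same messages a fixed-sleep check would have produced.
 *
 * @param file            the local file the monitor is expected to write
 * @param expectedContent the full expected file content
 */
private static void awaitFileContent(File file, String expectedContent) throws Exception {
  final long deadline = System.currentTimeMillis() + MONITOR_SYNC_TIMEOUT_MS;
  while (System.currentTimeMillis() < deadline) {
    // A partially written file simply fails the content comparison and is re-checked on the next poll.
    if (file.exists() && expectedContent.equals(FileUtils.readFileToString(file))) {
      return;
    }
    Thread.sleep(MONITOR_POLL_INTERVAL_MS);
  }
  assertTrue("Expected " + file.getName() + " to have been written.", file.exists());
  assertEquals(expectedContent, FileUtils.readFileToString(file));
}

/**
 * Waits (up to MONITOR_SYNC_TIMEOUT_MS) until the given file no longer exists, then asserts it.
 *
 * @param file the local file the monitor is expected to remove
 */
private static void awaitFileDeleted(File file) throws Exception {
  final long deadline = System.currentTimeMillis() + MONITOR_SYNC_TIMEOUT_MS;
  while (file.exists() && System.currentTimeMillis() < deadline) {
    Thread.sleep(MONITOR_POLL_INTERVAL_MS);
  }
  assertFalse("Expected " + file.getName() + " to have been deleted.", file.exists());
}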
use of org.apache.knox.gateway.services.security.AliasService in project knox by apache.
the class EncryptDecryptUriProcessorTest method testEncryptDecrypt.
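@Test
public void testEncryptDecrypt() throws Exception {
  String encryptedValueParamName = "address";
  String clusterName = "test-cluster-name";
  String passwordAlias = "encryptQueryString";
  // The value the template "{host}:{port}" resolves to with the parameters supplied below.
  String plaintextAddress = "host.yarn.com:8088";

  // Test encryption. The per-cluster 'encryptQueryString' alias supplies the key material to the crypto service.
  AliasService as = EasyMock.createNiceMock(AliasService.class);
  String secret = "asdf";
  EasyMock.expect(as.getPasswordFromAliasForCluster(clusterName, passwordAlias)).andReturn(secret.toCharArray()).anyTimes();
  CryptoService cryptoService = new DefaultCryptoService();
  ((DefaultCryptoService) cryptoService).setAliasService(as);
  GatewayServices gatewayServices = EasyMock.createNiceMock(GatewayServices.class);
  EasyMock.expect(gatewayServices.getService(GatewayServices.CRYPTO_SERVICE)).andReturn(cryptoService);
  UrlRewriteEnvironment encEnvironment = EasyMock.createNiceMock(UrlRewriteEnvironment.class);
  EasyMock.expect(encEnvironment.getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE)).andReturn(gatewayServices).anyTimes();
  EasyMock.expect(encEnvironment.getAttribute(GatewayServices.GATEWAY_CLUSTER_ATTRIBUTE)).andReturn(clusterName).anyTimes();
  UrlRewriteContext encContext = EasyMock.createNiceMock(UrlRewriteContext.class);
  EncryptStepContextParams hostPortParams = new EncryptStepContextParams();
  hostPortParams.addParam("host", Arrays.asList("host.yarn.com"));
  hostPortParams.addParam("port", Arrays.asList("8088"));
  EasyMock.expect(encContext.getParameters()).andReturn(hostPortParams);
  Capture<EncryptStepContextParams> encodedValue = EasyMock.newCapture();
  encContext.addParameters(EasyMock.capture(encodedValue));
  EasyMock.replay(gatewayServices, as, encEnvironment, encContext);

  EncryptUriDescriptor descriptor = new EncryptUriDescriptor();
  descriptor.setTemplate("{host}:{port}");
  descriptor.setParam(encryptedValueParamName);
  EncryptUriProcessor processor = new EncryptUriProcessor();
  processor.initialize(encEnvironment, descriptor);
  UrlRewriteStepStatus encStatus = processor.process(encContext);
  assertThat(encStatus, is(UrlRewriteStepStatus.SUCCESS));
  assertThat(encodedValue.getValue(), notNullValue());
  assertThat(encodedValue.getValue().resolve(encryptedValueParamName).size(), is(1));
  String encryptedAddress = encodedValue.getValue().resolve(encryptedValueParamName).get(0);
  assertThat(encryptedAddress, not(isEmptyOrNullString()));
  // Neither the unresolved template nor the resolved plaintext may appear in the output. The previous
  // check compared against "hdp:8088", which is not the plaintext and so could never fail.
  assertThat(encryptedAddress, not("{host}:{port}"));
  assertThat(encryptedAddress, not(plaintextAddress));

  // Test decryption. cryptoService still holds the alias service wired above, so the same key is used
  // for decryption; a second AliasService mock would not be consulted by anything.
  String decParam = "foo";
  gatewayServices = EasyMock.createNiceMock(GatewayServices.class);
  EasyMock.expect(gatewayServices.getService(GatewayServices.CRYPTO_SERVICE)).andReturn(cryptoService);
  UrlRewriteEnvironment decEnvironment = EasyMock.createNiceMock(UrlRewriteEnvironment.class);
  EasyMock.expect(decEnvironment.getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE)).andReturn(gatewayServices).anyTimes();
  EasyMock.expect(decEnvironment.getAttribute(GatewayServices.GATEWAY_CLUSTER_ATTRIBUTE)).andReturn(clusterName).anyTimes();
  UrlRewriteContext decContext = EasyMock.createNiceMock(UrlRewriteContext.class);
  EncryptStepContextParams encryptedParams = new EncryptStepContextParams();
  // Value was encrypted by EncryptUriProcessor above; an unrelated parameter rides along untouched.
  encryptedParams.addParam(decParam, Arrays.asList(encryptedAddress));
  encryptedParams.addParam("foo1", Arrays.asList("test"));
  EasyMock.expect(decContext.getParameters()).andReturn(encryptedParams);
  Capture<EncryptStepContextParams> decodedValue = EasyMock.newCapture();
  decContext.addParameters(EasyMock.capture(decodedValue));
  EasyMock.replay(gatewayServices, decEnvironment, decContext);

  DecryptUriDescriptor decDescriptor = new DecryptUriDescriptor();
  decDescriptor.setParam(decParam);
  DecryptUriProcessor decProcessor = new DecryptUriProcessor();
  decProcessor.initialize(decEnvironment, decDescriptor);
  UrlRewriteStepStatus decStatus = decProcessor.process(decContext);
  assertThat(decStatus, is(UrlRewriteStepStatus.SUCCESS));
  assertThat(decodedValue.getValue(), notNullValue());
  assertThat(decodedValue.getValue().resolve(decParam).size(), is(1));
  String decryptedAddress = decodedValue.getValue().resolve(decParam).get(0);
  // Round trip: decryption must yield exactly the resolved plaintext.
  assertThat(decryptedAddress, is(plaintextAddress));
}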
use of org.apache.knox.gateway.services.security.AliasService in project knox by apache.
the class DefaultHttpClientFactory method createHttpClient.
@Override
public HttpClient createHttpClient(FilterConfig filterConfig) {
  final GatewayConfig gatewayConfig = (GatewayConfig) filterConfig.getServletContext().getAttribute(GatewayConfig.GATEWAY_CONFIG_ATTRIBUTE);
  final GatewayServices services = (GatewayServices) filterConfig.getServletContext().getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE);

  // Metrics-instrumented builder when metrics are enabled; a plain one otherwise.
  final boolean metricsEnabled = (gatewayConfig != null) && gatewayConfig.isMetricsEnabled();
  HttpClientBuilder clientBuilder;
  if (metricsEnabled) {
    MetricsService metricsService = services.getService(GatewayServices.METRICS_SERVICE);
    clientBuilder = metricsService.getInstrumented(HttpClientBuilder.class);
  } else {
    clientBuilder = HttpClients.custom();
  }

  // Mutual TLS toward the backend, presenting the gateway identity from the gateway keystore.
  if (Boolean.parseBoolean(filterConfig.getInitParameter("useTwoWaySsl"))) {
    clientBuilder.setSSLSocketFactory(new SSLConnectionSocketFactory(createTwoWaySslContext(services)));
  }

  // Backend auth: SPNEGO using the JAAS subject's credentials when Hadoop Kerberos is on;
  // otherwise no cookies are retained between requests.
  final boolean kerberosSecured = "true".equals(System.getProperty(GatewayConfig.HADOOP_KERBEROS_SECURED));
  if (kerberosSecured) {
    CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
    credentialsProvider.setCredentials(AuthScope.ANY, new UseJaasCredentials());
    Registry<AuthSchemeProvider> authSchemeRegistry = RegistryBuilder.<AuthSchemeProvider>create()
        .register(AuthSchemes.SPNEGO, new KnoxSpnegoAuthSchemeFactory(true))
        .build();
    clientBuilder = clientBuilder
        .setDefaultAuthSchemeRegistry(authSchemeRegistry)
        .setDefaultCookieStore(new HadoopAuthCookieStore())
        .setDefaultCredentialsProvider(credentialsProvider);
  } else {
    clientBuilder = clientBuilder.setDefaultCookieStore(new NoCookieStore());
  }

  // Connection policy: default keep-alive/reuse; the gateway never follows redirects or retries on its own.
  clientBuilder.setKeepAliveStrategy(DefaultConnectionKeepAliveStrategy.INSTANCE);
  clientBuilder.setConnectionReuseStrategy(DefaultConnectionReuseStrategy.INSTANCE);
  clientBuilder.setRedirectStrategy(new NeverRedirectStrategy());
  clientBuilder.setRetryHandler(new NeverRetryHandler());

  final int maxConnections = getMaxConnections(filterConfig);
  clientBuilder.setMaxConnTotal(maxConnections);
  clientBuilder.setMaxConnPerRoute(maxConnections);
  clientBuilder.setDefaultRequestConfig(getRequestConfig(filterConfig));

  return clientBuilder.build();
}

/**
 * Builds the SSLContext used for two-way SSL. The gateway keystore supplies both the client identity
 * (key material) and the trust material. The key passphrase comes from the gateway identity passphrase
 * alias, falling back to the master secret when that alias is absent or cannot be read.
 *
 * NOTE(review): TrustSelfSignedStrategy trusts any self-signed certificate a backend presents, not only
 * the entries in the gateway keystore. Confirm that blanket trust of self-signed backends is intended here.
 *
 * @param services the gateway services, used to look up the master, alias and keystore services
 * @return an SSLContext carrying the gateway identity and trust material
 * @throws IllegalArgumentException if the keystore cannot be loaded or the context cannot be built
 */
private SSLContext createTwoWaySslContext(GatewayServices services) {
  MasterService ms = services.getService("MasterService");
  AliasService as = services.getService(GatewayServices.ALIAS_SERVICE);
  char[] keypass = null;
  try {
    keypass = as.getGatewayIdentityPassphrase();
  } catch (AliasServiceException ignored) {
    // Intentionally ignored: no identity passphrase alias is available, so the master secret is used below.
  }
  if (keypass == null) {
    // there has been no alias created for the key - let's assume it is the same as the keystore password
    keypass = ms.getMasterSecret();
  }
  KeystoreService ks = services.getService(GatewayServices.KEYSTORE_SERVICE);
  try {
    KeyStore keystoreForGateway = ks.getKeystoreForGateway();
    return SSLContexts.custom()
        .loadTrustMaterial(keystoreForGateway, new TrustSelfSignedStrategy())
        .loadKeyMaterial(keystoreForGateway, keypass)
        .build();
  } catch (Exception e) {
    throw new IllegalArgumentException("Unable to create SSLContext", e);
  }
}