Example 1 with KeystoreService
use of org.apache.knox.gateway.services.security.KeystoreService in project knox by apache.
the class DefaultTokenAuthorityServiceTest method testTokenCreationAudience.
@Test
public void testTokenCreationAudience() throws Exception {
Principal principal = EasyMock.createNiceMock(Principal.class);
EasyMock.expect(principal.getName()).andReturn("john.doe@example.com");
GatewayConfig config = EasyMock.createNiceMock(GatewayConfig.class);
String basedir = System.getProperty("basedir");
if (basedir == null) {
basedir = new File(".").getCanonicalPath();
}
EasyMock.expect(config.getGatewaySecurityDir()).andReturn(basedir + "/target/test-classes");
EasyMock.expect(config.getSigningKeystoreName()).andReturn("server-keystore.jks");
EasyMock.expect(config.getSigningKeyAlias()).andReturn("server").anyTimes();
MasterService ms = EasyMock.createNiceMock(MasterService.class);
EasyMock.expect(ms.getMasterSecret()).andReturn("horton".toCharArray());
AliasService as = EasyMock.createNiceMock(AliasService.class);
EasyMock.expect(as.getGatewayIdentityPassphrase()).andReturn("horton".toCharArray());
EasyMock.replay(principal, config, ms, as);
KeystoreService ks = new DefaultKeystoreService();
((DefaultKeystoreService) ks).setMasterService(ms);
((DefaultKeystoreService) ks).init(config, new HashMap<String, String>());
JWTokenAuthority ta = new DefaultTokenAuthorityService();
((DefaultTokenAuthorityService) ta).setAliasService(as);
((DefaultTokenAuthorityService) ta).setKeystoreService(ks);
((DefaultTokenAuthorityService) ta).init(config, new HashMap<String, String>());
JWT token = ta.issueToken(principal, "https://login.example.com", "RS256");
assertEquals("KNOXSSO", token.getIssuer());
assertEquals("john.doe@example.com", token.getSubject());
assertEquals("https://login.example.com", token.getAudience());
assertTrue(ta.verifyToken(token));
}
Also used :
AliasService(org.apache.knox.gateway.services.security.AliasService)
DefaultKeystoreService(org.apache.knox.gateway.services.security.impl.DefaultKeystoreService)
JWT(org.apache.knox.gateway.services.security.token.impl.JWT)
JWTokenAuthority(org.apache.knox.gateway.services.security.token.JWTokenAuthority)
DefaultKeystoreService(org.apache.knox.gateway.services.security.impl.DefaultKeystoreService)
KeystoreService(org.apache.knox.gateway.services.security.KeystoreService)
File(java.io.File)
MasterService(org.apache.knox.gateway.services.security.MasterService)
Principal(java.security.Principal)
GatewayConfig(org.apache.knox.gateway.config.GatewayConfig)
Test(org.junit.Test)
Example 2 with KeystoreService
use of org.apache.knox.gateway.services.security.KeystoreService in project knox by apache.
the class DefaultTokenAuthorityServiceTest method testTokenCreation.
@Test
public void testTokenCreation() throws Exception {
Principal principal = EasyMock.createNiceMock(Principal.class);
EasyMock.expect(principal.getName()).andReturn("john.doe@example.com");
GatewayConfig config = EasyMock.createNiceMock(GatewayConfig.class);
String basedir = System.getProperty("basedir");
if (basedir == null) {
basedir = new File(".").getCanonicalPath();
}
EasyMock.expect(config.getGatewaySecurityDir()).andReturn(basedir + "/target/test-classes");
EasyMock.expect(config.getSigningKeystoreName()).andReturn("server-keystore.jks");
EasyMock.expect(config.getSigningKeyAlias()).andReturn("server").anyTimes();
MasterService ms = EasyMock.createNiceMock(MasterService.class);
EasyMock.expect(ms.getMasterSecret()).andReturn("horton".toCharArray());
AliasService as = EasyMock.createNiceMock(AliasService.class);
EasyMock.expect(as.getGatewayIdentityPassphrase()).andReturn("horton".toCharArray());
EasyMock.replay(principal, config, ms, as);
KeystoreService ks = new DefaultKeystoreService();
((DefaultKeystoreService) ks).setMasterService(ms);
((DefaultKeystoreService) ks).init(config, new HashMap<String, String>());
JWTokenAuthority ta = new DefaultTokenAuthorityService();
((DefaultTokenAuthorityService) ta).setAliasService(as);
((DefaultTokenAuthorityService) ta).setKeystoreService(ks);
((DefaultTokenAuthorityService) ta).init(config, new HashMap<String, String>());
JWT token = ta.issueToken(principal, "RS256");
assertEquals("KNOXSSO", token.getIssuer());
assertEquals("john.doe@example.com", token.getSubject());
assertTrue(ta.verifyToken(token));
}
Also used :
AliasService(org.apache.knox.gateway.services.security.AliasService)
DefaultKeystoreService(org.apache.knox.gateway.services.security.impl.DefaultKeystoreService)
JWT(org.apache.knox.gateway.services.security.token.impl.JWT)
JWTokenAuthority(org.apache.knox.gateway.services.security.token.JWTokenAuthority)
DefaultKeystoreService(org.apache.knox.gateway.services.security.impl.DefaultKeystoreService)
KeystoreService(org.apache.knox.gateway.services.security.KeystoreService)
File(java.io.File)
MasterService(org.apache.knox.gateway.services.security.MasterService)
Principal(java.security.Principal)
GatewayConfig(org.apache.knox.gateway.config.GatewayConfig)
Test(org.junit.Test)
Example 3 with KeystoreService
use of org.apache.knox.gateway.services.security.KeystoreService in project knox by apache.
the class DefaultTokenAuthorityServiceTest method testTokenCreationNullAudience.
@Test
public void testTokenCreationNullAudience() throws Exception {
Principal principal = EasyMock.createNiceMock(Principal.class);
EasyMock.expect(principal.getName()).andReturn("john.doe@example.com");
GatewayConfig config = EasyMock.createNiceMock(GatewayConfig.class);
String basedir = System.getProperty("basedir");
if (basedir == null) {
basedir = new File(".").getCanonicalPath();
}
EasyMock.expect(config.getGatewaySecurityDir()).andReturn(basedir + "/target/test-classes");
EasyMock.expect(config.getSigningKeystoreName()).andReturn("server-keystore.jks");
EasyMock.expect(config.getSigningKeyAlias()).andReturn("server").anyTimes();
MasterService ms = EasyMock.createNiceMock(MasterService.class);
EasyMock.expect(ms.getMasterSecret()).andReturn("horton".toCharArray());
AliasService as = EasyMock.createNiceMock(AliasService.class);
EasyMock.expect(as.getGatewayIdentityPassphrase()).andReturn("horton".toCharArray());
EasyMock.replay(principal, config, ms, as);
KeystoreService ks = new DefaultKeystoreService();
((DefaultKeystoreService) ks).setMasterService(ms);
((DefaultKeystoreService) ks).init(config, new HashMap<String, String>());
JWTokenAuthority ta = new DefaultTokenAuthorityService();
((DefaultTokenAuthorityService) ta).setAliasService(as);
((DefaultTokenAuthorityService) ta).setKeystoreService(ks);
((DefaultTokenAuthorityService) ta).init(config, new HashMap<String, String>());
JWT token = ta.issueToken(principal, null, "RS256");
assertEquals("KNOXSSO", token.getIssuer());
assertEquals("john.doe@example.com", token.getSubject());
assertTrue(ta.verifyToken(token));
}
Also used :
AliasService(org.apache.knox.gateway.services.security.AliasService)
DefaultKeystoreService(org.apache.knox.gateway.services.security.impl.DefaultKeystoreService)
JWT(org.apache.knox.gateway.services.security.token.impl.JWT)
JWTokenAuthority(org.apache.knox.gateway.services.security.token.JWTokenAuthority)
DefaultKeystoreService(org.apache.knox.gateway.services.security.impl.DefaultKeystoreService)
KeystoreService(org.apache.knox.gateway.services.security.KeystoreService)
File(java.io.File)
MasterService(org.apache.knox.gateway.services.security.MasterService)
Principal(java.security.Principal)
GatewayConfig(org.apache.knox.gateway.config.GatewayConfig)
Test(org.junit.Test)
Example 4 with KeystoreService
use of org.apache.knox.gateway.services.security.KeystoreService in project knox by apache.
the class SimpleDescriptorHandler method provisionQueryParamEncryptionCredential.
/**
* KNOX-1136
*
* Provision the query string encryption password prior to it being randomly generated during the topology
* deployment.
*
* @param topologyName The name of the topology for which the credential will be provisioned.
*
* @return true if the credential was successfully provisioned; otherwise, false.
*/
private static boolean provisionQueryParamEncryptionCredential(final String topologyName) {
boolean result = false;
try {
GatewayServices services = GatewayServer.getGatewayServices();
if (services != null) {
MasterService ms = services.getService("MasterService");
if (ms != null) {
KeystoreService ks = services.getService(GatewayServices.KEYSTORE_SERVICE);
if (ks != null) {
if (!ks.isCredentialStoreForClusterAvailable(topologyName)) {
ks.createCredentialStoreForCluster(topologyName);
}
// If the credential store existed, or it was just successfully created
if (ks.getCredentialStoreForCluster(topologyName) != null) {
AliasService aliasService = services.getService(GatewayServices.ALIAS_SERVICE);
if (aliasService != null) {
// Derive and set the query param encryption password
String queryEncryptionPass = new String(ms.getMasterSecret()) + topologyName;
aliasService.addAliasForCluster(topologyName, "encryptQueryString", queryEncryptionPass);
result = true;
}
}
}
}
}
} catch (Exception e) {
log.exceptionCreatingPasswordForEncryption(topologyName, e);
}
return result;
}
Also used :
GatewayServices(org.apache.knox.gateway.services.GatewayServices)
AliasService(org.apache.knox.gateway.services.security.AliasService)
KeystoreService(org.apache.knox.gateway.services.security.KeystoreService)
MasterService(org.apache.knox.gateway.services.security.MasterService)
URISyntaxException(java.net.URISyntaxException)
IOException(java.io.IOException)
Example 5 with KeystoreService
use of org.apache.knox.gateway.services.security.KeystoreService in project knox by apache.
the class SimpleDescriptorHandlerFuncTest method testSimpleDescriptorHandlerQueryStringCredentialAliasCreation.
/**
* KNOX-1136
* <p>
* Test that a credential store is created, and a encryptQueryString alias is defined, with a password that is not
* random (but is derived from the master secret and the topology name).
* <p>
* N.B. This test depends on the NoOpServiceDiscovery extension being configured in META-INF/services
*/
@Test
public void testSimpleDescriptorHandlerQueryStringCredentialAliasCreation() throws Exception {
final String testMasterSecret = "mysecret";
final String discoveryType = "NO_OP";
final String clusterName = "dummy";
final Map<String, List<String>> serviceURLs = new HashMap<>();
serviceURLs.put("RESOURCEMANAGER", Collections.singletonList("http://myhost:1234/resource"));
File testRootDir = TestUtils.createTempDir(getClass().getSimpleName());
File testConfDir = new File(testRootDir, "conf");
File testProvDir = new File(testConfDir, "shared-providers");
File testTopoDir = new File(testConfDir, "topologies");
File testDeployDir = new File(testConfDir, "deployments");
// Write the externalized provider config to a temp file
File providerConfig = new File(testProvDir, "ambari-cluster-policy.xml");
FileUtils.write(providerConfig, TEST_PROVIDER_CONFIG);
File topologyFile = null;
try {
File destDir = new File(System.getProperty("java.io.tmpdir")).getCanonicalFile();
// Mock out the simple descriptor
SimpleDescriptor testDescriptor = EasyMock.createNiceMock(SimpleDescriptor.class);
EasyMock.expect(testDescriptor.getName()).andReturn("mysimpledescriptor").anyTimes();
EasyMock.expect(testDescriptor.getDiscoveryAddress()).andReturn(null).anyTimes();
EasyMock.expect(testDescriptor.getDiscoveryType()).andReturn(discoveryType).anyTimes();
EasyMock.expect(testDescriptor.getDiscoveryUser()).andReturn(null).anyTimes();
EasyMock.expect(testDescriptor.getProviderConfig()).andReturn(providerConfig.getAbsolutePath()).anyTimes();
EasyMock.expect(testDescriptor.getClusterName()).andReturn(clusterName).anyTimes();
List<SimpleDescriptor.Service> serviceMocks = new ArrayList<>();
for (String serviceName : serviceURLs.keySet()) {
SimpleDescriptor.Service svc = EasyMock.createNiceMock(SimpleDescriptor.Service.class);
EasyMock.expect(svc.getName()).andReturn(serviceName).anyTimes();
EasyMock.expect(svc.getURLs()).andReturn(serviceURLs.get(serviceName)).anyTimes();
EasyMock.expect(svc.getParams()).andReturn(Collections.emptyMap()).anyTimes();
EasyMock.replay(svc);
serviceMocks.add(svc);
}
EasyMock.expect(testDescriptor.getServices()).andReturn(serviceMocks).anyTimes();
EasyMock.replay(testDescriptor);
// Try setting up enough of the GatewayServer to support the test...
GatewayConfig config = EasyMock.createNiceMock(GatewayConfig.class);
InetSocketAddress gatewayAddress = new InetSocketAddress(0);
EasyMock.expect(config.getGatewayTopologyDir()).andReturn(testTopoDir.getAbsolutePath()).anyTimes();
EasyMock.expect(config.getGatewayDeploymentDir()).andReturn(testDeployDir.getAbsolutePath()).anyTimes();
EasyMock.expect(config.getGatewayAddress()).andReturn(gatewayAddress).anyTimes();
EasyMock.expect(config.getGatewayPortMappings()).andReturn(Collections.emptyMap()).anyTimes();
EasyMock.replay(config);
// Setup the Gateway Services
GatewayServices gatewayServices = EasyMock.createNiceMock(GatewayServices.class);
// Master Service
MasterService ms = EasyMock.createNiceMock(MasterService.class);
EasyMock.expect(ms.getMasterSecret()).andReturn(testMasterSecret.toCharArray()).anyTimes();
EasyMock.replay(ms);
EasyMock.expect(gatewayServices.getService("MasterService")).andReturn(ms).anyTimes();
// Keystore Service
KeystoreService ks = EasyMock.createNiceMock(KeystoreService.class);
EasyMock.expect(ks.isCredentialStoreForClusterAvailable(testDescriptor.getName())).andReturn(false).once();
ks.createCredentialStoreForCluster(testDescriptor.getName());
EasyMock.expectLastCall().once();
KeyStore credStore = EasyMock.createNiceMock(KeyStore.class);
EasyMock.expect(ks.getCredentialStoreForCluster(testDescriptor.getName())).andReturn(credStore).anyTimes();
EasyMock.replay(ks);
EasyMock.expect(gatewayServices.getService(GatewayServices.KEYSTORE_SERVICE)).andReturn(ks).anyTimes();
// Alias Service
AliasService as = EasyMock.createNiceMock(AliasService.class);
// Captures for validating the alias creation for a generated topology
Capture<String> capturedCluster = EasyMock.newCapture();
Capture<String> capturedAlias = EasyMock.newCapture();
Capture<String> capturedPwd = EasyMock.newCapture();
as.addAliasForCluster(capture(capturedCluster), capture(capturedAlias), capture(capturedPwd));
EasyMock.expectLastCall().anyTimes();
EasyMock.replay(as);
EasyMock.expect(gatewayServices.getService(GatewayServices.ALIAS_SERVICE)).andReturn(as).anyTimes();
// Topology Service
TopologyService ts = EasyMock.createNiceMock(TopologyService.class);
ts.addTopologyChangeListener(anyObject());
EasyMock.expectLastCall().anyTimes();
ts.reloadTopologies();
EasyMock.expectLastCall().anyTimes();
EasyMock.expect(ts.getTopologies()).andReturn(Collections.emptyList()).anyTimes();
EasyMock.replay(ts);
EasyMock.expect(gatewayServices.getService(GatewayServices.TOPOLOGY_SERVICE)).andReturn(ts).anyTimes();
EasyMock.replay(gatewayServices);
// Start a GatewayService with the GatewayServices mock
GatewayServer server = GatewayServer.startGateway(config, gatewayServices);
// Invoke the simple descriptor handler, which will also create the credential store
// (because it doesn't exist) and the encryptQueryString alias
Map<String, File> files = SimpleDescriptorHandler.handle(config, testDescriptor, providerConfig.getParentFile(), destDir);
topologyFile = files.get("topology");
// Validate the AliasService interaction
assertEquals("Unexpected cluster name for the alias (should be the topology name).", testDescriptor.getName(), capturedCluster.getValue());
assertEquals("Unexpected alias name.", "encryptQueryString", capturedAlias.getValue());
assertEquals("Unexpected alias value (should be master secret + topology name.", testMasterSecret + testDescriptor.getName(), capturedPwd.getValue());
} catch (Exception e) {
e.printStackTrace();
fail(e.getMessage());
} finally {
FileUtils.forceDelete(testRootDir);
if (topologyFile != null) {
topologyFile.delete();
}
}
}
Also used :
GatewayServices(org.apache.knox.gateway.services.GatewayServices)
AliasService(org.apache.knox.gateway.services.security.AliasService)
HashMap(java.util.HashMap)
InetSocketAddress(java.net.InetSocketAddress)
ArrayList(java.util.ArrayList)
AliasService(org.apache.knox.gateway.services.security.AliasService)
MasterService(org.apache.knox.gateway.services.security.MasterService)
KeystoreService(org.apache.knox.gateway.services.security.KeystoreService)
TopologyService(org.apache.knox.gateway.services.topology.TopologyService)
MasterService(org.apache.knox.gateway.services.security.MasterService)
KeyStore(java.security.KeyStore)
SimpleDescriptor(org.apache.knox.gateway.topology.simple.SimpleDescriptor)
TopologyService(org.apache.knox.gateway.services.topology.TopologyService)
ArrayList(java.util.ArrayList)
List(java.util.List)
KeystoreService(org.apache.knox.gateway.services.security.KeystoreService)
File(java.io.File)
GatewayConfig(org.apache.knox.gateway.config.GatewayConfig)
Test(org.junit.Test)
Aggregations
AliasService (org.apache.knox.gateway.services.security.AliasService)8
KeystoreService (org.apache.knox.gateway.services.security.KeystoreService)8
MasterService (org.apache.knox.gateway.services.security.MasterService)8
GatewayConfig (org.apache.knox.gateway.config.GatewayConfig)7
File (java.io.File)6
Test (org.junit.Test)6
Principal (java.security.Principal)5
DefaultKeystoreService (org.apache.knox.gateway.services.security.impl.DefaultKeystoreService)5
JWTokenAuthority (org.apache.knox.gateway.services.security.token.JWTokenAuthority)5
JWT (org.apache.knox.gateway.services.security.token.impl.JWT)4
GatewayServices (org.apache.knox.gateway.services.GatewayServices)3
IOException (java.io.IOException)2
KeyStore (java.security.KeyStore)2
InetSocketAddress (java.net.InetSocketAddress)1
URISyntaxException (java.net.URISyntaxException)1
ArrayList (java.util.ArrayList)1
HashMap (java.util.HashMap)1
List (java.util.List)1
SSLContext (javax.net.ssl.SSLContext)1
ProtocolException (org.apache.http.ProtocolException)1
