You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@nifi.apache.org by al...@apache.org on 2019/11/06 20:55:54 UTC
[nifi] branch master updated: NIFI-6830 Added regression test.
Added failing unit test. Added Test Resources. Implemented KeyPassword
detection in the SSLContextFactory. Resolved Java 8/11 unit test issue.
Fixed unit test wildcard imports and added Javadoc to test helper methods.
This is an automated email from the ASF dual-hosted git repository.
alopresto pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/nifi.git
The following commit(s) were added to refs/heads/master by this push:
new 36bdb47 NIFI-6830 Added regression test. Added failing unit test. Added Test Resources. Implemented KeyPassword detection in the SSLContextFactory. Resolved Java 8/11 unit test issue. Fixed unit test wildcard imports and added Javadoc to test helper methods.
36bdb47 is described below
commit 36bdb474c30c8a88530cee1d220e9d3c1e0dc888
Author: mtien <mt...@gmail.com>
AuthorDate: Mon Nov 4 16:08:07 2019 -0800
NIFI-6830 Added regression test. Added failing unit test. Added Test Resources.
Implemented KeyPassword detection in the SSLContextFactory.
Resolved Java 8/11 unit test issue.
Fixed unit test wildcard imports and added Javadoc to test helper methods.
This closes #3873.
Signed-off-by: Andy LoPresto <al...@apache.org>
---
.../apache/nifi/io/socket/SSLContextFactory.java | 18 ++-
.../nifi/io/socket/SSLContextFactoryTest.groovy | 150 +++++++++++++++++++++
.../src/test/resources/differentpassword.jks | Bin 0 -> 1988 bytes
.../src/test/resources/samepassword.jks | Bin 0 -> 1956 bytes
4 files changed, 162 insertions(+), 6 deletions(-)
diff --git a/nifi-commons/nifi-socket-utils/src/main/java/org/apache/nifi/io/socket/SSLContextFactory.java b/nifi-commons/nifi-socket-utils/src/main/java/org/apache/nifi/io/socket/SSLContextFactory.java
index 06a299f..ce07106 100644
--- a/nifi-commons/nifi-socket-utils/src/main/java/org/apache/nifi/io/socket/SSLContextFactory.java
+++ b/nifi-commons/nifi-socket-utils/src/main/java/org/apache/nifi/io/socket/SSLContextFactory.java
@@ -26,6 +26,7 @@ import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
+import java.util.Arrays;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
@@ -42,6 +43,7 @@ public class SSLContextFactory {
private final String keystore;
private final char[] keystorePass;
private final String keystoreType;
+ private final char[] keyPassword;
private final String truststore;
private final char[] truststorePass;
private final String truststoreType;
@@ -53,6 +55,7 @@ public class SSLContextFactory {
keystore = properties.getProperty(NiFiProperties.SECURITY_KEYSTORE);
keystorePass = getPass(properties.getProperty(NiFiProperties.SECURITY_KEYSTORE_PASSWD));
keystoreType = properties.getProperty(NiFiProperties.SECURITY_KEYSTORE_TYPE);
+ keyPassword = getPass(properties.getProperty(NiFiProperties.SECURITY_KEY_PASSWD));
truststore = properties.getProperty(NiFiProperties.SECURITY_TRUSTSTORE);
truststorePass = getPass(properties.getProperty(NiFiProperties.SECURITY_TRUSTSTORE_PASSWD));
@@ -67,7 +70,11 @@ public class SSLContextFactory {
FileUtils.closeQuietly(keyStoreStream);
}
final KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
- keyManagerFactory.init(keyStore, keystorePass);
+ if (keyPassword != null && !Arrays.equals(keyPassword, keystorePass)) {
+ keyManagerFactory.init(keyStore, keyPassword);
+ } else {
+ keyManagerFactory.init(keyStore, keystorePass);
+ }
// prepare the truststore
final KeyStore trustStore = KeyStoreUtils.getTrustStore(truststoreType);
@@ -91,14 +98,13 @@ public class SSLContextFactory {
/**
* Creates a SSLContext instance using the given information.
*
- *
* @return a SSLContext instance
- * @throws java.security.KeyStoreException if problem with keystore
- * @throws java.io.IOException if unable to create context
- * @throws java.security.NoSuchAlgorithmException if algorithm isn't known
+ * @throws java.security.KeyStoreException if problem with keystore
+ * @throws java.io.IOException if unable to create context
+ * @throws java.security.NoSuchAlgorithmException if algorithm isn't known
* @throws java.security.cert.CertificateException if certificate is invalid
* @throws java.security.UnrecoverableKeyException if the key cannot be recovered
- * @throws java.security.KeyManagementException if the key is improper
+ * @throws java.security.KeyManagementException if the key is improper
*/
public SSLContext createSslContext() throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException,
UnrecoverableKeyException, KeyManagementException {
diff --git a/nifi-commons/nifi-socket-utils/src/test/groovy/org/apache/nifi/io/socket/SSLContextFactoryTest.groovy b/nifi-commons/nifi-socket-utils/src/test/groovy/org/apache/nifi/io/socket/SSLContextFactoryTest.groovy
new file mode 100644
index 0000000..bfda771
--- /dev/null
+++ b/nifi-commons/nifi-socket-utils/src/test/groovy/org/apache/nifi/io/socket/SSLContextFactoryTest.groovy
@@ -0,0 +1,150 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.io.socket
+
+import org.apache.nifi.util.NiFiProperties
+import org.bouncycastle.jce.provider.BouncyCastleProvider
+import org.junit.After
+import org.junit.AfterClass
+import org.junit.Before
+import org.junit.BeforeClass
+import org.junit.Test
+import org.junit.runner.RunWith
+import org.junit.runners.JUnit4
+import org.slf4j.Logger
+import org.slf4j.LoggerFactory
+
+import javax.net.ssl.SSLContext
+import java.security.Security
+
+@RunWith(JUnit4.class)
+class SSLContextFactoryTest extends GroovyTestCase {
+ private static final Logger logger = LoggerFactory.getLogger(SSLContextFactoryTest.class)
+
+ private static String NF_PROPS_FILE = null
+
+ @BeforeClass
+ static void setUpOnce() throws Exception {
+ Security.addProvider(new BouncyCastleProvider())
+
+ if (System.getProperty(NiFiProperties.PROPERTIES_FILE_PATH)) {
+ NF_PROPS_FILE = System.getProperty(NiFiProperties.PROPERTIES_FILE_PATH)
+ System.setProperty(NiFiProperties.PROPERTIES_FILE_PATH, null)
+ }
+
+ logger.metaClass.methodMissing = { String name, args ->
+ logger.info("[${name?.toUpperCase()}] ${(args as List).join(" ")}")
+ }
+ }
+
+ @Before
+ void setUp() throws Exception {
+
+ }
+
+ @After
+ void tearDown() throws Exception {
+ }
+
+ @AfterClass
+ static void tearDownOnce() throws Exception {
+ if (NF_PROPS_FILE) {
+ System.setProperty(NiFiProperties.PROPERTIES_FILE_PATH, NF_PROPS_FILE)
+ }
+ }
+
+ /**
+ * Returns a {@link NiFiProperties} object configured with default values for accessing
+ * keystores and truststores. The values can be overridden by providing a map parameter.
+ *
+ * @param overrides an optional Map of overriding configuration values
+ * @return the configured NiFiProperties object
+ */
+ private static NiFiProperties buildNiFiProperties(Map<String, String> overrides = [:]) {
+ final Map DEFAULTS = [
+ (NiFiProperties.SECURITY_KEYSTORE_PASSWD) : "keystorepassword",
+ (NiFiProperties.SECURITY_KEYSTORE) : "src/test/resources/samepassword.jks",
+ (NiFiProperties.SECURITY_KEYSTORE_TYPE) : "JKS",
+ (NiFiProperties.SECURITY_TRUSTSTORE_PASSWD): "changeit",
+ (NiFiProperties.SECURITY_TRUSTSTORE) : buildCacertsPath(),
+ (NiFiProperties.SECURITY_TRUSTSTORE_TYPE) : "JKS",
+ ]
+ DEFAULTS.putAll(overrides)
+ NiFiProperties.createBasicNiFiProperties(null, DEFAULTS)
+ }
+
+ /**
+ * Returns the file path to the {@code cacerts} default JRE truststore. Handles Java 8
+ * and earlier as well as Java 9 and later directory structures.
+ *
+ * @return the path to cacerts
+ */
+ private static String buildCacertsPath() {
+ String javaHome = System.getenv("JAVA_HOME")
+ if (System.getProperty("java.version").startsWith("1.")) {
+ javaHome + "/jre/lib/security/cacerts"
+ } else {
+ javaHome + "/lib/security/cacerts"
+ }
+ }
+
+ @Test
+ void testShouldVerifyKeystoreWithSameKeyPassword() throws Exception {
+ // Arrange
+
+ // Set up the keystore configuration as NiFiProperties object
+ NiFiProperties np = buildNiFiProperties()
+
+ // Create the SSLContextFactory with the config
+ SSLContextFactory sslcf = new SSLContextFactory(np)
+
+ // Act
+
+ // Access the SSLContextFactory to create an SSLContext
+ SSLContext sslContext = sslcf.createSslContext()
+
+ // Assert
+
+ // The SSLContext was accessible and correct
+ assert sslContext
+ }
+
+ @Test
+ void testShouldVerifyKeystoreWithDifferentKeyPassword() throws Exception {
+ // Arrange
+
+ // Set up the keystore configuration as NiFiProperties object
+ // (prior to NIFI-6830, an UnrecoverableKeyException was thrown due to the wrong password being provided)
+ NiFiProperties np = buildNiFiProperties([
+ (NiFiProperties.SECURITY_KEYSTORE) : "src/test/resources/differentpassword.jks",
+ (NiFiProperties.SECURITY_KEY_PASSWD): "keypassword",
+ ])
+
+ // Create the SSLContextFactory with the config
+ SSLContextFactory sslcf = new SSLContextFactory(np)
+
+ // Act
+
+ // Access the SSLContextFactory to create an SSLContext
+ SSLContext sslContext = sslcf.createSslContext()
+
+ // Assert
+
+ // The SSLContext was accessible and correct
+ assert sslContext
+ }
+}
diff --git a/nifi-commons/nifi-socket-utils/src/test/resources/differentpassword.jks b/nifi-commons/nifi-socket-utils/src/test/resources/differentpassword.jks
new file mode 100644
index 0000000..e791f4b
Binary files /dev/null and b/nifi-commons/nifi-socket-utils/src/test/resources/differentpassword.jks differ
diff --git a/nifi-commons/nifi-socket-utils/src/test/resources/samepassword.jks b/nifi-commons/nifi-socket-utils/src/test/resources/samepassword.jks
new file mode 100644
index 0000000..4f10840
Binary files /dev/null and b/nifi-commons/nifi-socket-utils/src/test/resources/samepassword.jks differ