You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@knox.apache.org by mo...@apache.org on 2020/02/22 14:43:31 UTC

[knox] branch master updated: KNOX-2239 - Websocket use the configured truststore in gateway-site config file (#269)

This is an automated email from the ASF dual-hosted git repository.

more pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/knox.git


The following commit(s) were added to refs/heads/master by this push:
     new 58e3b99  KNOX-2239 - Websocket use the configured truststore in gateway-site config file (#269)
58e3b99 is described below

commit 58e3b99384ac3b0ca4f26c094c0c0a58571b5d92
Author: Sandeep Moré <mo...@gmail.com>
AuthorDate: Sat Feb 22 09:43:24 2020 -0500

    KNOX-2239 - Websocket use the configured truststore in gateway-site config file (#269)
---
 gateway-server/pom.xml                             | 10 +++++++++
 .../websockets/GatewayWebsocketHandler.java        | 26 +++++++++++++++++-----
 .../gateway/websockets/ProxyWebSocketAdapter.java  | 19 +++++++++++++++-
 pom.xml                                            | 10 +++++++++
 4 files changed, 59 insertions(+), 6 deletions(-)

diff --git a/gateway-server/pom.xml b/gateway-server/pom.xml
index ed3b7d6..5b43d7a 100644
--- a/gateway-server/pom.xml
+++ b/gateway-server/pom.xml
@@ -324,6 +324,16 @@
         </dependency>
 
         <dependency>
+            <groupId>org.eclipse.jetty</groupId>
+            <artifactId>jetty-client</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>org.eclipse.jetty.websocket</groupId>
+            <artifactId>websocket-client</artifactId>
+        </dependency>
+
+        <dependency>
             <groupId>com.fasterxml.jackson.core</groupId>
             <artifactId>jackson-annotations</artifactId>
         </dependency>
diff --git a/gateway-server/src/main/java/org/apache/knox/gateway/websockets/GatewayWebsocketHandler.java b/gateway-server/src/main/java/org/apache/knox/gateway/websockets/GatewayWebsocketHandler.java
index 8fff20b..0d6d8d2 100644
--- a/gateway-server/src/main/java/org/apache/knox/gateway/websockets/GatewayWebsocketHandler.java
+++ b/gateway-server/src/main/java/org/apache/knox/gateway/websockets/GatewayWebsocketHandler.java
@@ -20,11 +20,13 @@ package org.apache.knox.gateway.websockets;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.knox.gateway.config.GatewayConfig;
 import org.apache.knox.gateway.i18n.messages.MessagesFactory;
-import org.apache.knox.gateway.services.ServiceType;
 import org.apache.knox.gateway.services.GatewayServices;
+import org.apache.knox.gateway.services.ServiceType;
 import org.apache.knox.gateway.services.registry.ServiceDefEntry;
 import org.apache.knox.gateway.services.registry.ServiceDefinitionRegistry;
 import org.apache.knox.gateway.services.registry.ServiceRegistry;
+import org.apache.knox.gateway.services.security.KeystoreService;
+import org.apache.knox.gateway.services.security.KeystoreServiceException;
 import org.eclipse.jetty.websocket.server.WebSocketHandler;
 import org.eclipse.jetty.websocket.servlet.ServletUpgradeRequest;
 import org.eclipse.jetty.websocket.servlet.ServletUpgradeResponse;
@@ -35,6 +37,7 @@ import javax.websocket.ClientEndpointConfig;
 import java.net.MalformedURLException;
 import java.net.URI;
 import java.net.URL;
+import java.security.KeyStore;
 import java.util.List;
 import java.util.Locale;
 import java.util.Map;
@@ -80,7 +83,6 @@ public class GatewayWebsocketHandler extends WebSocketHandler
     this.config = config;
     this.services = services;
     pool = Executors.newFixedThreadPool(POOL_SIZE);
-
   }
 
   @Override
@@ -118,14 +120,28 @@ public class GatewayWebsocketHandler extends WebSocketHandler
       LOG.debugLog("Generated backend URL for websocket connection: " + backendURL);
 
       /* Upgrade happens here */
-      return new ProxyWebSocketAdapter
-              (URI.create(backendURL), pool, getClientEndpointConfig(req), config);
+      final ClientEndpointConfig clientConfig = getClientEndpointConfig(req);
+      clientConfig.getUserProperties().put("org.apache.knox.gateway.websockets.truststore", getTruststore());
+      return new ProxyWebSocketAdapter(URI.create(backendURL), pool, clientConfig, config);
     } catch (final Exception e) {
       LOG.failedCreatingWebSocket(e);
-      throw e;
+      throw new RuntimeException(e);
+    }
+  }
+
+
+  private KeyStore getTruststore() throws KeystoreServiceException {
+    final KeystoreService ks = this.services
+        .getService(ServiceType.KEYSTORE_SERVICE);
+    KeyStore trustKeystore = null;
+    trustKeystore = ks.getTruststoreForHttpClient();
+    if (trustKeystore == null) {
+      trustKeystore = ks.getKeystoreForGateway();
     }
+    return trustKeystore;
   }
 
+
   /**
    * Returns a {@link ClientEndpointConfig} config that contains the headers
    * to be passed to the backend.
diff --git a/gateway-server/src/main/java/org/apache/knox/gateway/websockets/ProxyWebSocketAdapter.java b/gateway-server/src/main/java/org/apache/knox/gateway/websockets/ProxyWebSocketAdapter.java
index 9d5015d..95687ab 100644
--- a/gateway-server/src/main/java/org/apache/knox/gateway/websockets/ProxyWebSocketAdapter.java
+++ b/gateway-server/src/main/java/org/apache/knox/gateway/websockets/ProxyWebSocketAdapter.java
@@ -40,7 +40,7 @@ import org.eclipse.jetty.websocket.api.RemoteEndpoint;
 import org.eclipse.jetty.websocket.api.Session;
 import org.eclipse.jetty.websocket.api.StatusCode;
 import org.eclipse.jetty.websocket.api.WebSocketAdapter;
-
+import java.security.KeyStore;
 /**
  * Handles outbound/inbound Websocket connections and sessions.
  *
@@ -100,6 +100,23 @@ public class ProxyWebSocketAdapter extends WebSocketAdapter {
     container.setAsyncSendTimeout(frontEndSession.getPolicy().getAsyncWriteTimeout());
     container.setDefaultMaxSessionIdleTimeout(frontEndSession.getPolicy().getIdleTimeout());
 
+    KeyStore ks = null;
+    if(clientConfig != null) {
+      ks = (KeyStore) clientConfig.getUserProperties().get("org.apache.knox.gateway.websockets.truststore");
+    }
+
+    /*
+       Currently javax.websocket API has no provisions to configure SSL
+       https://github.com/eclipse-ee4j/websocket-api/issues/210
+       Until that gets fixed we'll have to resort to this.
+    */
+    if(container instanceof org.eclipse.jetty.websocket.jsr356.ClientContainer &&
+        ((org.eclipse.jetty.websocket.jsr356.ClientContainer)container).getClient() != null &&
+        ((org.eclipse.jetty.websocket.jsr356.ClientContainer)container).getClient().getSslContextFactory() != null ) {
+      ((org.eclipse.jetty.websocket.jsr356.ClientContainer)container).getClient().getHttpClient().getSslContextFactory().setTrustStore(ks);
+      LOG.logMessage("Truststore for websocket setup");
+    }
+
     final ProxyInboundClient backendSocket = new ProxyInboundClient(getMessageCallback());
 
     /* build the configuration */
diff --git a/pom.xml b/pom.xml
index a49e717..132a920 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1953,6 +1953,16 @@
 
             <!-- Websocket support -->
             <dependency>
+                <groupId>org.eclipse.jetty</groupId>
+                <artifactId>jetty-client</artifactId>
+                <version>${jetty.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.eclipse.jetty.websocket</groupId>
+                <artifactId>websocket-client</artifactId>
+                <version>${jetty.version}</version>
+            </dependency>
+            <dependency>
                 <groupId>javax.websocket</groupId>
                 <artifactId>javax.websocket-api</artifactId>
                 <version>${javax.websocket-api.version}</version>