Posted to commits@knox.apache.org by lm...@apache.org on 2022/07/26 17:20:11 UTC

[knox] branch master updated: KNOX-2772 - add configuration for jetty renegotiation (#605)

This is an automated email from the ASF dual-hosted git repository.

lmccay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/knox.git


The following commit(s) were added to refs/heads/master by this push:
     new 07cd031e1 KNOX-2772 - add configuration for jetty renegotiation (#605)
07cd031e1 is described below

commit 07cd031e1ee2e6be14308749d61cb5a495a6fe11
Author: 南慧荣 <na...@gmail.com>
AuthorDate: Wed Jul 27 01:20:06 2022 +0800

    KNOX-2772 - add configuration for jetty renegotiation (#605)
---
 .../apache/knox/gateway/config/impl/GatewayConfigImpl.java   |  6 ++++++
 .../knox/gateway/services/security/impl/JettySSLService.java |  2 ++
 .../knox/gateway/config/impl/GatewayConfigImplTest.java      | 12 ++++++++++++
 .../gateway/services/security/impl/JettySSLServiceTest.java  |  1 +
 .../main/java/org/apache/knox/gateway/GatewayTestConfig.java |  5 +++++
 .../java/org/apache/knox/gateway/config/GatewayConfig.java   |  2 ++
 6 files changed, 28 insertions(+)

diff --git a/gateway-server/src/main/java/org/apache/knox/gateway/config/impl/GatewayConfigImpl.java b/gateway-server/src/main/java/org/apache/knox/gateway/config/impl/GatewayConfigImpl.java
index 3e45bac36..ba572a23b 100644
--- a/gateway-server/src/main/java/org/apache/knox/gateway/config/impl/GatewayConfigImpl.java
+++ b/gateway-server/src/main/java/org/apache/knox/gateway/config/impl/GatewayConfigImpl.java
@@ -177,6 +177,7 @@ public class GatewayConfigImpl extends Configuration implements GatewayConfig {
   private static final String SSL_EXCLUDE_PROTOCOLS = "ssl.exclude.protocols";
   private static final String SSL_INCLUDE_CIPHERS = "ssl.include.ciphers";
   private static final String SSL_EXCLUDE_CIPHERS = "ssl.exclude.ciphers";
+  private static final String SSL_RENEGOTIATION = "ssl.renegotiation";
   // END BACKWARD COMPATIBLE BLOCK
 
   public static final String DEFAULT_HTTP_PORT = "8888";
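Review bot: The new `SSL_RENEGOTIATION` key is declared inside the span that the comment on the following line closes with `// END BACKWARD COMPATIBLE BLOCK`, which by its name presumably groups legacy key names kept for compatibility rather than keys introduced now. A property that first appears in this commit has no backward-compatibility history, so it arguably belongs with the current key constants instead; the current-key block is not visible in the hunk, so this is a placement check rather than a defect. If the grouping is intentional, a one-line comment such as `// KNOX-2772: new key, placed here only to sit with the other ssl.* constants` would stop the next reader from asking the same question.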
@@ -602,6 +603,11 @@ public class GatewayConfigImpl extends Configuration implements GatewayConfig {
     return list;
   }
 
+  @Override
+  public boolean isSSLRenegotiationAllowed() {
+    return getBoolean(SSL_RENEGOTIATION, true);
+  }
+
   @Override
   public boolean isClientAuthNeeded() {
     return Boolean.parseBoolean(get( CLIENT_AUTH_NEEDED, "false" ));
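Review bot: The new `isSSLRenegotiationAllowed()` has no Javadoc, and it parses its key differently from the neighbouring `isClientAuthNeeded()`: this one uses `getBoolean(SSL_RENEGOTIATION, true)` while the sibling uses `Boolean.parseBoolean(get(...))`. If the inherited `Configuration` is Hadoop's, `getBoolean` returns the default for any value that is not literally true/false, so a mistyped value such as `ssl.renegotiation=fales` silently keeps renegotiation enabled rather than disabling it; that is worth stating, because the permissive default is the security-relevant direction. I would add a Javadoc along the lines of `/** Whether the Jetty SSL context factory permits TLS renegotiation. Read from {@code ssl.renegotiation}; defaults to {@code true}, and any value other than true/false falls back to that default. */` and, if the two accessors are meant to share one parsing convention, align one with the other.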
diff --git a/gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/JettySSLService.java b/gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/JettySSLService.java
index 867e3df88..55f297ecf 100644
--- a/gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/JettySSLService.java
+++ b/gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/JettySSLService.java
@@ -224,6 +224,8 @@ public class JettySSLService implements SSLService {
     if (sslExcludeProtocols != null && !sslExcludeProtocols.isEmpty()) {
       sslContextFactory.setExcludeProtocols( sslExcludeProtocols.toArray(new String[0]) );
     }
+
+    sslContextFactory.setRenegotiationAllowed(config.isSSLRenegotiationAllowed());
     return sslContextFactory;
   }
 
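Review bot: The added `setRenegotiationAllowed(config.isSSLRenegotiationAllowed())` call applies the flag but leaves no trace of the effective value, so an operator hardening a deployment cannot confirm from the logs that renegotiation was actually turned off; the enclosing factory method begins outside the hunk, so I cannot tell whether the other SSL settings are logged either. If the project's message bundle has a suitable method, one log line after the call reporting the boolean would close that gap. Note also that when the flag stays at its permissive default, Jetty's own per-connection renegotiation limit (`SslContextFactory.setRenegotiationLimit`) remains at Jetty's default; whether Knox wants to expose that limit alongside the new on/off key is worth deciding while the configuration surface is being added.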
diff --git a/gateway-server/src/test/java/org/apache/knox/gateway/config/impl/GatewayConfigImplTest.java b/gateway-server/src/test/java/org/apache/knox/gateway/config/impl/GatewayConfigImplTest.java
index 5ec699b53..9fe737edd 100644
--- a/gateway-server/src/test/java/org/apache/knox/gateway/config/impl/GatewayConfigImplTest.java
+++ b/gateway-server/src/test/java/org/apache/knox/gateway/config/impl/GatewayConfigImplTest.java
@@ -167,6 +167,18 @@ public class GatewayConfigImplTest {
     assertThat( config.getExcludedSSLCiphers(), is(hasItems("ONE","TWO","THREE")) );
   }
 
+  // KNOX-2772
+  @Test
+  public void testisSSLRenegotiationAllowed() {
+    GatewayConfigImpl config = new GatewayConfigImpl();
+    boolean isSSLRenegotiationAllowed = config.isSSLRenegotiationAllowed();
+    assertThat( isSSLRenegotiationAllowed, is(true));
+
+    config.set("ssl.renegotiation", "false");
+    isSSLRenegotiationAllowed = config.isSSLRenegotiationAllowed();
+    assertThat( isSSLRenegotiationAllowed, is(false));
+  }
+
   @Test( timeout = TestUtils.SHORT_TIMEOUT )
   public void testGlobalRulesServices() {
     GatewayConfigImpl config = new GatewayConfigImpl();
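Review bot: The new test method is named `testisSSLRenegotiationAllowed` with a lowercase `is`, which breaks the lowerCamelCase used by the surrounding tests; rename it to `testIsSSLRenegotiationAllowed`. It is also annotated with a bare `@Test` while the sibling immediately below uses `@Test( timeout = TestUtils.SHORT_TIMEOUT )`; using the same annotation keeps a hung configuration read from stalling the suite. Since the accessor is the switch that can disable a TLS feature, a third assertion for an unrecognised value (for example `config.set("ssl.renegotiation", "no")`) would pin down which way the parser falls, whichever behaviour is intended.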
diff --git a/gateway-server/src/test/java/org/apache/knox/gateway/services/security/impl/JettySSLServiceTest.java b/gateway-server/src/test/java/org/apache/knox/gateway/services/security/impl/JettySSLServiceTest.java
index eb667ea0d..51cdf0508 100644
--- a/gateway-server/src/test/java/org/apache/knox/gateway/services/security/impl/JettySSLServiceTest.java
+++ b/gateway-server/src/test/java/org/apache/knox/gateway/services/security/impl/JettySSLServiceTest.java
@@ -481,6 +481,7 @@ public class JettySSLServiceTest {
     expect(config.getIncludedSSLCiphers()).andReturn(null).atLeastOnce();
     expect(config.getExcludedSSLCiphers()).andReturn(null).atLeastOnce();
     expect(config.getExcludedSSLProtocols()).andReturn(null).atLeastOnce();
+    expect(config.isSSLRenegotiationAllowed()).andReturn(true).atLeastOnce();
     return config;
   }
 
diff --git a/gateway-spi-common/src/main/java/org/apache/knox/gateway/GatewayTestConfig.java b/gateway-spi-common/src/main/java/org/apache/knox/gateway/GatewayTestConfig.java
index 24d07b430..e493892bc 100644
--- a/gateway-spi-common/src/main/java/org/apache/knox/gateway/GatewayTestConfig.java
+++ b/gateway-spi-common/src/main/java/org/apache/knox/gateway/GatewayTestConfig.java
@@ -300,6 +300,11 @@ public class GatewayTestConfig extends Configuration implements GatewayConfig {
     return excludedSSLCiphers;
   }
 
+  @Override
+  public boolean isSSLRenegotiationAllowed() {
+    return true;
+  }
+
   public void setExcludedSSLCiphers( List<String> list ) {
     excludedSSLCiphers = list;
   }
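Review bot: The test-config override returns a hard-coded `true`, so no test built on `GatewayTestConfig` can exercise the renegotiation-disabled path that this commit exists to provide; the neighbouring settings in this class are backed by a field with a setter, as `setExcludedSSLCiphers` on the next lines shows. I would follow that pattern with `private boolean sslRenegotiationAllowed = true;`, `public void setSSLRenegotiationAllowed( boolean allowed ) { sslRenegotiationAllowed = allowed; }` and `return sslRenegotiationAllowed;` in the override. The field declarations for this class are outside the hunk, so the exact placement of the new field is for the author to pick.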
diff --git a/gateway-spi/src/main/java/org/apache/knox/gateway/config/GatewayConfig.java b/gateway-spi/src/main/java/org/apache/knox/gateway/config/GatewayConfig.java
index bf6eee3b1..68cf6ff15 100644
--- a/gateway-spi/src/main/java/org/apache/knox/gateway/config/GatewayConfig.java
+++ b/gateway-spi/src/main/java/org/apache/knox/gateway/config/GatewayConfig.java
@@ -177,6 +177,8 @@ public interface GatewayConfig {
 
   List<String> getExcludedSSLCiphers();
 
+  boolean isSSLRenegotiationAllowed();
+
   boolean isHadoopKerberosSecured();
 
   String getKerberosConfig();
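Review bot: The new interface method `isSSLRenegotiationAllowed()` carries no Javadoc, and as an abstract method on the public `GatewayConfig` SPI it forces every implementor to change, which is why the diffstat touches `GatewayTestConfig` as well; any implementor outside this repository would stop compiling. If out-of-tree implementations exist, a `default boolean isSSLRenegotiationAllowed() { return true; }` preserves source compatibility while keeping the same permissive default the implementation uses. Either way I would document it: `/** Whether TLS renegotiation is permitted on the gateway's SSL connector. Implementations should default to {@code true}; disabling it is the hardening option. */`.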