KNOX-1254 - Make sure Remote Alias Registry prefers remote over local
authorSandeep More <more@apache.org>
Thu, 19 Apr 2018 01:29:22 +0000 (21:29 -0400)
committerSandeep More <more@apache.org>
Thu, 19 Apr 2018 01:29:22 +0000 (21:29 -0400)
gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/RemoteAliasService.java
gateway-server/src/test/java/org/apache/knox/gateway/security/impl/RemoteAliasMonitorTest.java

index 9ba5d0b..b0a47f0 100644 (file)
@@ -330,13 +330,7 @@ public class RemoteAliasService implements AliasService {
     /* convert all alias names to lower case since JDK expects the same behaviour */
     final String alias = givenAlias.toLowerCase();
 
-    char[] password;
-    /* try to get it from the local keystore, ignore generate flag. */
-    password = localAliasService
-        .getPasswordFromAliasForCluster(clusterName, alias);
-    if (password != null) {
-      return password;
-    }
+    char[] password = null;
 
     /* try to get it from remote registry */
     if (remoteClient != null) {
@@ -356,7 +350,7 @@ public class RemoteAliasService implements AliasService {
 
       } else {
         try {
-          return decrypt(encrypted).toCharArray();
+          password = decrypt(encrypted).toCharArray();
         } catch (final Exception e) {
           throw new AliasServiceException(e);
         }
@@ -364,9 +358,15 @@ public class RemoteAliasService implements AliasService {
 
     }
 
-    /* Case where remote registry is not configured and we need to generate password and save it locally */
-    else if (generate) {
-      return localAliasService
+    /*
+     * If
+     * 1. Remote registry not configured or
+     * 2. Password not found for given alias in remote registry,
+     * Then try local keystore
+     */
+    if(password == null) {
+      /* try to get it from the local keystore, ignore generate flag. */
+      password = localAliasService
           .getPasswordFromAliasForCluster(clusterName, alias, generate);
     }
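Review bot: The inner comment `/* try to get it from the local keystore, ignore generate flag. */` was carried over from the removed two-argument lookup, but the call below it now passes `generate`, so the comment says the opposite of what the code does; `/* fall back to the local keystore, honouring the generate flag */` would match. Because this fallback also runs when the registry is configured but holds no entry for the alias, a `generate` of true may create a password that exists only in this instance's local keystore; whether the remote branch has already handled generation is outside the hunk, so that is worth confirming. The method's Javadoc, which is not in view, should state the new precedence, since whoever can write the alias node in the registry now determines the credential returned even when a local one exists.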
 
index b6a4ab9..2558bbe 100644 (file)
@@ -66,6 +66,10 @@ public class RemoteAliasMonitorTest {
   private static String expectedClusterNameDev = "development";
   private static String expectedAliasDev = "knox.test.alias.dev";
   private static String expectedPasswordDev = "otherDummyPassword";
+
+  private static String preferRemoteAlias = "prefer.remote.alias";
+  private static String preferRemoteAliasEncryptedPassword = "QmgrK2JBRlE1MUU9OjpIYzZlVUttKzdaWkFOSjlYZVVyVzNRPT06Om5kdTQ3WTJ1by9vSHprZUZHcjBqVG5TaGxsMFVUdUNyN0EvUlZDV1ZHQUU9";
+  private static String preferRemoteAliasClearPassword = "ApacheKnoxPassword123";
   /* For CLI tests */
   private final ByteArrayOutputStream outContent = new ByteArrayOutputStream();
   private final ByteArrayOutputStream errContent = new ByteArrayOutputStream();
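Review bot: `preferRemoteAliasEncryptedPassword` is an opaque ciphertext with no comment saying how it was produced. It presumably decrypts to `preferRemoteAliasClearPassword` only under the master secret returned by the test's mocked master service, which is configured outside this hunk. A comment such as `/* preferRemoteAliasClearPassword encrypted with the test master secret; regenerate if that secret changes */` would keep the fixture maintainable.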
@@ -123,12 +127,21 @@ public class RemoteAliasMonitorTest {
         .withACL(acls).forPath(
         RemoteAliasService.PATH_KNOX_ALIAS_STORE_TOPOLOGY + RemoteAliasService.
             PATH_SEPARATOR + expectedClusterNameDev);
+
     assertNotNull("Failed to create node:"
         + RemoteAliasService.PATH_KNOX_ALIAS_STORE_TOPOLOGY
         + RemoteAliasService.
         PATH_SEPARATOR + expectedClusterNameDev, client.checkExists().forPath(
         RemoteAliasService.PATH_KNOX_ALIAS_STORE_TOPOLOGY + RemoteAliasService.
             PATH_SEPARATOR + expectedClusterNameDev));
+
+    /* Start Zookeeper with an existing alias */
+    client.create().withMode(CreateMode.PERSISTENT).
+        forPath(RemoteAliasService.PATH_KNOX_ALIAS_STORE_TOPOLOGY
+                + RemoteAliasService.
+                PATH_SEPARATOR + expectedClusterName
+                + RemoteAliasService.PATH_SEPARATOR + preferRemoteAlias,
+            preferRemoteAliasEncryptedPassword.getBytes());
   }
 
   @AfterClass
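Review bot: The new `client.create()` call that seeds `prefer.remote.alias` omits the `.withACL(acls)` used for the topology node created just above it, so the fixture node gets whatever default ACL the client applies. If the service is meant to be exercised against ACL-protected nodes, add `.withACL(acls)` before `.forPath(`. The payload is also encoded with the platform default charset; `preferRemoteAliasEncryptedPassword.getBytes(StandardCharsets.UTF_8)` keeps the stored bytes identical across build machines. The setup method starts above this hunk, so whether `StandardCharsets` is already imported is not visible.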
@@ -184,6 +197,9 @@ public class RemoteAliasMonitorTest {
     EasyMock.expect(defaultAlias.getAliasesForCluster(expectedClusterNameDev))
         .andReturn(new ArrayList<>()).anyTimes();
 
+    EasyMock.expect(defaultAlias.getPasswordFromAliasForCluster(expectedClusterName, preferRemoteAlias))
+        .andReturn("thisiswrong".toCharArray()).anyTimes();
+
     EasyMock.replay(defaultAlias);
 
     final DefaultMasterService ms = EasyMock
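Review bot: The stub returning `thisiswrong` is registered only for the two-argument `getPasswordFromAliasForCluster`, while the fallback added to RemoteAliasService in this commit calls the three-argument overload on the local service. The test would therefore not catch a regression that consults the local keystore first through that overload. Adding `EasyMock.expect(defaultAlias.getPasswordFromAliasForCluster(EasyMock.eq(expectedClusterName), EasyMock.eq(preferRemoteAlias), EasyMock.anyBoolean())).andReturn("thisiswrong".toCharArray()).anyTimes();` would cover both paths. This assumes `defaultAlias` is the mock handed to the service as its local alias service, which is wired up outside the hunk.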
@@ -212,7 +228,7 @@ public class RemoteAliasMonitorTest {
         .getAliasesForCluster(expectedClusterNameDev);
 
     /* no alias added so ist should be empty */
-    Assert.assertEquals(aliases.size(), 0);
+    Assert.assertEquals(aliases.size(), 1);
     Assert.assertEquals(aliasesDev.size(), 0);
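Review bot: The comment above the changed assertion still reads `no alias added so ist should be empty`, which is no longer true now that the setup seeds one alias and the expected size is 1. Something like `/* only the pre-seeded prefer.remote.alias is present */` would match. The arguments are also in (actual, expected) order, so a failure message will report the sizes the wrong way round; `Assert.assertEquals(1, aliases.size());` reads correctly. The test method starts and ends outside this hunk.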
 
 
@@ -251,6 +267,13 @@ public class RemoteAliasMonitorTest {
     Assert.assertEquals(expectedPassword, new String(result));
     Assert.assertEquals(expectedPasswordDev, new String(result1));
 
+    /* test that remote alias service prefers remote over local */
+    final char[] prefAliasResult = zkAlias
+        .getPasswordFromAliasForCluster(expectedClusterName, preferRemoteAlias);
+    Assert.assertEquals(preferRemoteAliasClearPassword, new String(prefAliasResult));
+
+    zkAlias.stop();
+
   }
 
 }
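Review bot: `zkAlias.stop()` is reached only when every assertion before it passes, so a failing assertion leaves the service running for the rest of the test class. Moving the call into a `finally` block or an `@After` method would release it on every path. `new String(prefAliasResult)` will also throw a NullPointerException rather than a readable assertion failure if the lookup returns null, so `Assert.assertNotNull(prefAliasResult);` before it would help. The test method starts outside this hunk.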