KNOX-3263: Setting JVM's default truststore password as a System property when creating CM service discovery ApiClient, if needed (#1159)

Author: smolnar82

gateway-discovery-cm/src/main/java/org/apache/knox/gateway/topology/discovery/cm/ApiClientFactory.java

@@ -0,0 +1,48 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with this
+ * work for additional information regarding copyright ownership. The ASF
+ * licenses this file to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.apache.knox.gateway.topology.discovery.cm;
+
+import org.apache.knox.gateway.config.GatewayConfig;
+import org.apache.knox.gateway.i18n.messages.MessagesFactory;
+import org.apache.knox.gateway.services.security.AliasService;
+import org.apache.knox.gateway.services.security.AliasServiceException;
+import org.apache.knox.gateway.topology.discovery.ServiceDiscoveryConfig;
+
+import java.security.KeyStore;
+
+public class ApiClientFactory {
+
+    private static final ClouderaManagerServiceDiscoveryMessages LOG = MessagesFactory.get(ClouderaManagerServiceDiscoveryMessages.class);
+    static final String TRUSTSTORE_PASSWORD_SYSTEM_PROPERTY = "javax.net.ssl.trustStorePassword";
+    public static final String TRUSTSTORE_PASSWORD_ALIAS = "cm.discovery.trustStorePassword";
+
+    public static DiscoveryApiClient getApiClient(final GatewayConfig gatewayConfig, final ServiceDiscoveryConfig discoveryConfig,
+                                                  final AliasService aliasService, final KeyStore truststore) {
+        try {
+            final char[] trustStorePassword = aliasService.getPasswordFromAliasForGateway(TRUSTSTORE_PASSWORD_ALIAS);
+            if (trustStorePassword != null) {
+                System.setProperty(TRUSTSTORE_PASSWORD_SYSTEM_PROPERTY, new String(trustStorePassword));
+            }
+            return new DiscoveryApiClient(gatewayConfig, discoveryConfig, aliasService, truststore);
+        } catch (AliasServiceException e) {
+            LOG.clouderaManagerApiClientBuildError(e);
+            throw new ServiceDiscoveryException("Unable to retrieve CM service discovery truststore password", e);
+        } finally {
+            System.clearProperty(TRUSTSTORE_PASSWORD_SYSTEM_PROPERTY);
+        }
+    }
+}

gateway-discovery-cm/src/main/java/org/apache/knox/gateway/topology/discovery/cm/ClouderaManagerServiceDiscovery.java

@@ -158,7 +158,7 @@ private DiscoveryApiClient getClient(GatewayConfig gatewayConfig, ServiceDiscove
       throw new IllegalArgumentException("Missing or invalid discovery address.");
     }
 
-    DiscoveryApiClient client = new DiscoveryApiClient(gatewayConfig, discoveryConfig, aliasService, truststore);
+    DiscoveryApiClient client = ApiClientFactory.getApiClient(gatewayConfig, discoveryConfig, aliasService, truststore);
     client.setDebugging(debug);
     return client;
   }

gateway-discovery-cm/src/main/java/org/apache/knox/gateway/topology/discovery/cm/ClouderaManagerServiceDiscoveryMessages.java

@@ -325,4 +325,7 @@ void roleConfigurationPropertyHasChanged(String propertyName,
   @Message(level = MessageLevel.INFO, text = "Role fetch strategy was set to {0}. Will fetch role configuration by each service with page size {1} and client base path is {2}")
   void usingRoleStrategyWithPageSize(String roleFetchConfigValue, long pageSize, String basePath);
 
+  @Message(level = MessageLevel.ERROR, text = "Error while building CM dicovery ApiClient: {0}")
+  void clouderaManagerApiClientBuildError(@StackTrace(level = MessageLevel.DEBUG) Exception e);
+
 }

gateway-discovery-cm/src/main/java/org/apache/knox/gateway/topology/discovery/cm/ServiceDiscoveryException.java

@@ -0,0 +1,24 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with this
+ * work for additional information regarding copyright ownership. The ASF
+ * licenses this file to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.apache.knox.gateway.topology.discovery.cm;
+
+public class ServiceDiscoveryException extends RuntimeException {
+
+    public ServiceDiscoveryException(String message, Throwable cause) {
+        super(message, cause);
+    }
+}

gateway-discovery-cm/src/main/java/org/apache/knox/gateway/topology/discovery/cm/monitor/PollingConfigurationAnalyzer.java

@@ -47,6 +47,7 @@
 import org.apache.knox.gateway.services.topology.impl.GatewayStatusService;
 import org.apache.knox.gateway.topology.ClusterConfigurationMonitorService;
 import org.apache.knox.gateway.topology.discovery.ServiceDiscoveryConfig;
+import org.apache.knox.gateway.topology.discovery.cm.ApiClientFactory;
 import org.apache.knox.gateway.topology.discovery.cm.ClouderaManagerServiceDiscoveryMessages;
 import org.apache.knox.gateway.topology.discovery.cm.DiscoveryApiClient;
 import org.apache.knox.gateway.topology.discovery.cm.ServiceModelGeneratorsHolder;
@@ -475,7 +476,7 @@ private Instant getEventQueryTimestamp(final String address, final String cluste
    */
   private DiscoveryApiClient getApiClient(final ServiceDiscoveryConfig discoveryConfig) {
     return clients.computeIfAbsent(discoveryConfig.getAddress(),
-                                   c -> new DiscoveryApiClient(gatewayConfig, discoveryConfig, aliasService, truststore));
+                                   c -> ApiClientFactory.getApiClient(gatewayConfig, discoveryConfig, aliasService, truststore));
   }
 
   /**

gateway-discovery-cm/src/test/java/org/apache/knox/gateway/topology/discovery/cm/ApiClientFactoryTest.java

@@ -0,0 +1,125 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with this
+ * work for additional information regarding copyright ownership. The ASF
+ * licenses this file to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.apache.knox.gateway.topology.discovery.cm;
+
+import org.apache.knox.gateway.config.GatewayConfig;
+import org.apache.knox.gateway.services.security.AliasService;
+import org.apache.knox.gateway.services.security.AliasServiceException;
+import org.apache.knox.gateway.topology.discovery.ServiceDiscoveryConfig;
+import org.easymock.EasyMock;
+import org.junit.After;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+
+import java.security.KeyStore;
+import java.util.Collections;
+import java.util.Properties;
+
+public class ApiClientFactoryTest {
+
+    Properties originalProps;
+
+    @Before
+    public void setUp() {
+        originalProps = System.getProperties();
+    }
+
+    @After
+    public void tearDown() {
+        System.setProperties(originalProps);
+    }
+
+    @Test
+    public void testSystemPropertySetWhenAliasExists() throws AliasServiceException {
+        testGetApiClient(true);
+    }
+
+    @Test
+    public void testSystemPropertyNotSetWhenAliasNotExists() throws AliasServiceException {
+        testGetApiClient(false);
+    }
+
+    private void testGetApiClient(final boolean shouldSetSystemProperty) throws AliasServiceException {
+        final String trustStorePassword = "changeit";
+        final RecordingProperties testProps = new RecordingProperties(originalProps);
+        System.setProperties(testProps);
+
+        final GatewayConfig gatewayConfig = EasyMock.createMock(GatewayConfig.class);
+        EasyMock.expect(gatewayConfig.getClouderaManagerServiceDiscoveryApiVersion()).andReturn("57").anyTimes();
+        EasyMock.expect(gatewayConfig.getClouderaManagerServiceDiscoveryConnectTimeoutMillis()).andReturn(1L).anyTimes();
+        EasyMock.expect(gatewayConfig.getClouderaManagerServiceDiscoveryReadTimeoutMillis()).andReturn(1L).anyTimes();
+        EasyMock.expect(gatewayConfig.getClouderaManagerServiceDiscoveryWriteTimeoutMillis()).andReturn(1L).anyTimes();
+        EasyMock.expect(gatewayConfig.getIncludedSSLCiphers()).andReturn(Collections.emptyList()).anyTimes();
+        EasyMock.expect(gatewayConfig.getIncludedSSLProtocols()).andReturn(Collections.emptySet()).anyTimes();
+        final ServiceDiscoveryConfig serviceDiscoveryConfig = EasyMock.createMock(ServiceDiscoveryConfig.class);
+        EasyMock.expect(serviceDiscoveryConfig.getAddress()).andReturn("myCmHost").anyTimes();
+        EasyMock.expect(serviceDiscoveryConfig.getUser()).andReturn("myCmUser").anyTimes();
+        EasyMock.expect(serviceDiscoveryConfig.getPasswordAlias()).andReturn("myCmPasswordAlias").anyTimes();
+        final AliasService aliasService = EasyMock.createMock(AliasService.class);
+        if (shouldSetSystemProperty) {
+            EasyMock.expect(aliasService.getPasswordFromAliasForGateway(ApiClientFactory.TRUSTSTORE_PASSWORD_ALIAS)).andReturn(trustStorePassword.toCharArray()).anyTimes();
+        } else {
+            EasyMock.expect(aliasService.getPasswordFromAliasForGateway(ApiClientFactory.TRUSTSTORE_PASSWORD_ALIAS)).andReturn(null).anyTimes();
+        }
+        EasyMock.expect(aliasService.getPasswordFromAliasForGateway("myCmPasswordAlias")).andReturn("myCmPassword".toCharArray()).anyTimes();
+        final KeyStore trustStore = EasyMock.createMock(KeyStore.class);
+
+        EasyMock.replay(aliasService, gatewayConfig, serviceDiscoveryConfig, trustStore);
+        ApiClientFactory.getApiClient(gatewayConfig, serviceDiscoveryConfig, aliasService, trustStore);
+
+        if (shouldSetSystemProperty) {
+            Assert.assertEquals(ApiClientFactory.TRUSTSTORE_PASSWORD_SYSTEM_PROPERTY, testProps.lastSetKey);
+            Assert.assertEquals(trustStorePassword, testProps.lastSetValue);
+            Assert.assertEquals(ApiClientFactory.TRUSTSTORE_PASSWORD_SYSTEM_PROPERTY, testProps.lastRemovedKey);
+        } else {
+            Assert.assertNull(testProps.lastSetKey);
+            Assert.assertNull(testProps.lastSetValue);
+            Assert.assertEquals(ApiClientFactory.TRUSTSTORE_PASSWORD_SYSTEM_PROPERTY, testProps.lastRemovedKey);
+        }
+    }
+
+    static class RecordingProperties extends Properties {
+        private final Properties delegate;
+
+        String lastSetKey;
+        String lastSetValue;
+        String lastRemovedKey;
+
+        RecordingProperties(Properties delegate) {
+            this.delegate = delegate;
+        }
+
+        @Override
+        public synchronized Object setProperty(String key, String value) {
+            lastSetKey = key;
+            lastSetValue = value;
+            return delegate.setProperty(key, value);
+        }
+
+        @Override
+        public synchronized Object remove(Object key) {
+            lastRemovedKey = (String) key;
+            return delegate.remove(key);
+        }
+
+        @Override
+        public String getProperty(String key) {
+            return delegate.getProperty(key);
+        }
+    }
+}