Repository: knox Updated Branches: refs/heads/master b24df614d -> 370c292b1
KNOX-556 - provide better diagnostics for keystore failures Project: http://git-wip-us.apache.org/repos/asf/knox/repo Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/370c292b Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/370c292b Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/370c292b Branch: refs/heads/master Commit: 370c292b159a4c7b3b8ce40321f454f08ad31e21 Parents: b24df61 Author: Larry McCay <lmc...@hortonworks.com> Authored: Mon Jun 8 11:35:16 2015 -0400 Committer: Larry McCay <lmc...@hortonworks.com> Committed: Mon Jun 8 11:35:16 2015 -0400 ---------------------------------------------------------------------- .../gateway/encrypturi/EncryptUriMessages.java | 31 ++++++++++++ .../impl/EncryptUriDeploymentContributor.java | 11 ++++- .../SecureQueryDeploymentContributor.java | 10 +++- .../securequery/SecureQueryMessages.java | 31 ++++++++++++ .../provider/federation/jwt/JWTMessages.java | 7 +++ .../jwt/filter/AccessTokenFederationFilter.java | 8 +++- .../filter/JWTAccessTokenAssertionFilter.java | 18 ++++++- .../jwt/filter/JWTAuthCodeAssertionFilter.java | 50 +++++++++++--------- .../jwt/filter/JWTFederationFilter.java | 13 ++++- .../gateway/picketlink/PicketlinkMessages.java | 4 ++ ...PicketlinkFederationProviderContributor.java | 14 +++++- .../shirorealm/KnoxLdapContextFactory.java | 8 +++- .../apache/hadoop/gateway/GatewayMessages.java | 4 ++ .../services/DefaultGatewayServices.java | 1 + .../security/impl/DefaultAliasService.java | 49 +++++++++++++++---- .../security/impl/DefaultCryptoService.java | 44 ++++++++++++----- .../security/impl/DefaultKeystoreService.java | 21 +++++--- .../services/security/impl/JettySSLService.java | 31 ++++++++++-- .../impl/DefaultTokenAuthorityService.java | 29 ++++++++---- .../services/security/CryptoServiceTest.java | 6 +++ .../service/knoxsso/KnoxSSOMessages.java | 4 ++ .../gateway/service/knoxsso/WebSSOResource.java | 35 ++++++++------ .../service/vault/CredentialResource.java | 17 ++++++- 
.../gateway/services/security/AliasService.java | 31 ++++++++---- .../security/AliasServiceException.java | 27 +++++++++++ .../services/security/KeystoreService.java | 4 +- .../security/impl/BaseKeystoreService.java | 14 +++--- .../security/impl/CMFKeystoreService.java | 20 ++++---- .../security/token/JWTokenAuthority.java | 12 +++-- .../security/token/TokenServiceException.java | 30 ++++++++++++ 30 files changed, 460 insertions(+), 124 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/knox/blob/370c292b/gateway-provider-rewrite-step-encrypt-uri/src/main/java/org/apache/hadoop/gateway/encrypturi/EncryptUriMessages.java ---------------------------------------------------------------------- diff --git a/gateway-provider-rewrite-step-encrypt-uri/src/main/java/org/apache/hadoop/gateway/encrypturi/EncryptUriMessages.java b/gateway-provider-rewrite-step-encrypt-uri/src/main/java/org/apache/hadoop/gateway/encrypturi/EncryptUriMessages.java new file mode 100644 index 0000000..d7550e4 --- /dev/null +++ b/gateway-provider-rewrite-step-encrypt-uri/src/main/java/org/apache/hadoop/gateway/encrypturi/EncryptUriMessages.java 
@@ -0,0 +1,31 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.hadoop.gateway.encrypturi; + +import org.apache.hadoop.gateway.i18n.messages.Message; +import org.apache.hadoop.gateway.i18n.messages.MessageLevel; +import org.apache.hadoop.gateway.i18n.messages.Messages; +import org.apache.hadoop.gateway.i18n.messages.StackTrace; + +@Messages(logger="org.apache.hadoop.gateway.encrypturi") +public interface EncryptUriMessages { + + @Message( level = MessageLevel.ERROR, text = "Failed to create or verify the presence of a password for URL encryption: {0}" ) + void unableCreatePasswordForEncryption(@StackTrace( level = MessageLevel.DEBUG ) Exception e); + +} http://git-wip-us.apache.org/repos/asf/knox/blob/370c292b/gateway-provider-rewrite-step-encrypt-uri/src/main/java/org/apache/hadoop/gateway/encrypturi/impl/EncryptUriDeploymentContributor.java ---------------------------------------------------------------------- 
diff --git a/gateway-provider-rewrite-step-encrypt-uri/src/main/java/org/apache/hadoop/gateway/encrypturi/impl/EncryptUriDeploymentContributor.java b/gateway-provider-rewrite-step-encrypt-uri/src/main/java/org/apache/hadoop/gateway/encrypturi/impl/EncryptUriDeploymentContributor.java
index fbe266a..dc1a941 100644
--- a/gateway-provider-rewrite-step-encrypt-uri/src/main/java/org/apache/hadoop/gateway/encrypturi/impl/EncryptUriDeploymentContributor.java
+++ b/gateway-provider-rewrite-step-encrypt-uri/src/main/java/org/apache/hadoop/gateway/encrypturi/impl/EncryptUriDeploymentContributor.java
@@ -22,8 +22,12 @@ import org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor;
 import org.apache.hadoop.gateway.deploy.ProviderDeploymentContributorBase;
 import org.apache.hadoop.gateway.descriptor.FilterParamDescriptor;
 import org.apache.hadoop.gateway.descriptor.ResourceDescriptor;
+import org.apache.hadoop.gateway.encrypturi.EncryptUriMessages;
 import org.apache.hadoop.gateway.encrypturi.api.EncryptUriDescriptor;
+import org.apache.hadoop.gateway.i18n.messages.MessagesFactory;
+import org.apache.hadoop.gateway.provider.federation.jwt.JWTMessages;
 import org.apache.hadoop.gateway.services.security.AliasService;
+import org.apache.hadoop.gateway.services.security.AliasServiceException;
 import org.apache.hadoop.gateway.topology.Provider;
 import org.apache.hadoop.gateway.topology.Service;
@@ -33,6 +37,7 @@ public class EncryptUriDeploymentContributor
 extends ProviderDeploymentContributorBase
 implements ProviderDeploymentContributor {
+ private static EncryptUriMessages log = MessagesFactory.get( EncryptUriMessages.class );
 public static final String PROVIDER_ROLE_NAME = "encrypt";
 public static final String PROVIDER_IMPL_NAME = "default";
 private AliasService as;
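Review bot: The new import `org.apache.hadoop.gateway.provider.federation.jwt.JWTMessages` is not referenced in this file (the logger field is typed `EncryptUriMessages`), and it drags the JWT federation provider module into the encrypt-uri rewrite step's dependency graph for nothing. The same stray-import defect appears in the SecureQueryDeploymentContributor import hunk (`EncryptUriMessages` is imported while `SecureQueryMessages` is used), in JWTFederationFilter (`org.apache.commons.logging.Log`) and in GatewayMessages (`AliasServiceException`); all four lines should be dropped. As a point of style, the new logger fields in this commit are `private static` but not `final`; `private static final EncryptUriMessages log = MessagesFactory.get( EncryptUriMessages.class );` matches the `LOG` field in DefaultAliasService and applies equally to the fields added in SecureQueryDeploymentContributor, JWTAccessTokenAssertionFilter, JWTFederationFilter and PicketlinkFederationProviderContributor.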
@@ -60,7 +65,11 @@ public class EncryptUriDeploymentContributor
 // we don't want to overwrite an existing alias from a previous topology deployment
 // so we can't just blindly generateAlias here.
 // this version of getPassword will generate a value for it only if missing
- this.as.getPasswordFromAliasForCluster(clusterName, EncryptUriDescriptor.PASSWORD_ALIAS, true);
+ try {
+ this.as.getPasswordFromAliasForCluster(clusterName, EncryptUriDescriptor.PASSWORD_ALIAS, true);
+ } catch (AliasServiceException e) {
+ log.unableCreatePasswordForEncryption(e);
+ }
 }
 @Override
http://git-wip-us.apache.org/repos/asf/knox/blob/370c292b/gateway-provider-rewrite-step-secure-query/src/main/java/org/apache/hadoop/gateway/securequery/SecureQueryDeploymentContributor.java
----------------------------------------------------------------------
diff --git a/gateway-provider-rewrite-step-secure-query/src/main/java/org/apache/hadoop/gateway/securequery/SecureQueryDeploymentContributor.java b/gateway-provider-rewrite-step-secure-query/src/main/java/org/apache/hadoop/gateway/securequery/SecureQueryDeploymentContributor.java
index 248e441..f9ce5c0 100644
--- a/gateway-provider-rewrite-step-secure-query/src/main/java/org/apache/hadoop/gateway/securequery/SecureQueryDeploymentContributor.java
+++ b/gateway-provider-rewrite-step-secure-query/src/main/java/org/apache/hadoop/gateway/securequery/SecureQueryDeploymentContributor.java
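Review bot: The added `catch (AliasServiceException e)` logs the failure and lets the method carry on, so the topology still deploys even though the `EncryptUriDescriptor.PASSWORD_ALIAS` alias was neither found nor generated; the encrypt-uri rewrite step will then fail per request instead of the deployment failing once, which is the harder case to diagnose. The same pattern is in the SecureQueryDeploymentContributor hunk for the `"encryptQueryString"` alias. The enclosing method starts outside the hunk, so I cannot tell whether it can declare the exception; if it cannot, wrapping as `throw new IllegalStateException("Unable to create password alias for URL encryption", e);` after the log call would at least make the deployment fail loudly rather than silently produce a provider without its key.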
@@ -22,7 +22,10 @@ import org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor;
 import org.apache.hadoop.gateway.deploy.ProviderDeploymentContributorBase;
 import org.apache.hadoop.gateway.descriptor.FilterParamDescriptor;
 import org.apache.hadoop.gateway.descriptor.ResourceDescriptor;
+import org.apache.hadoop.gateway.encrypturi.EncryptUriMessages;
+import org.apache.hadoop.gateway.i18n.messages.MessagesFactory;
 import org.apache.hadoop.gateway.services.security.AliasService;
+import org.apache.hadoop.gateway.services.security.AliasServiceException;
 import org.apache.hadoop.gateway.topology.Provider;
 import org.apache.hadoop.gateway.topology.Service;
@@ -32,6 +35,7 @@ public class SecureQueryDeploymentContributor
 extends ProviderDeploymentContributorBase
 implements ProviderDeploymentContributor {
+ private static SecureQueryMessages log = MessagesFactory.get( SecureQueryMessages.class );
 public static final String PROVIDER_ROLE_NAME = "secure-query";
 public static final String PROVIDER_IMPL_NAME = "default";
 private AliasService as;
@@ -59,7 +63,11 @@ public class SecureQueryDeploymentContributor
 // we don't want to overwrite an existing alias from a previous topology deployment
 // so we can't just blindly generateAlias here.
 // this version of getPassword will generate a value for it only if missing
- this.as.getPasswordFromAliasForCluster(clusterName, "encryptQueryString", true);
+ try {
+ this.as.getPasswordFromAliasForCluster(clusterName, "encryptQueryString", true);
+ } catch (AliasServiceException e) {
+ log.unableCreatePasswordForEncryption(e);
+ }
 }
 @Override
http://git-wip-us.apache.org/repos/asf/knox/blob/370c292b/gateway-provider-rewrite-step-secure-query/src/main/java/org/apache/hadoop/gateway/securequery/SecureQueryMessages.java
----------------------------------------------------------------------
diff --git a/gateway-provider-rewrite-step-secure-query/src/main/java/org/apache/hadoop/gateway/securequery/SecureQueryMessages.java b/gateway-provider-rewrite-step-secure-query/src/main/java/org/apache/hadoop/gateway/securequery/SecureQueryMessages.java
new file mode 100644
index 0000000..27cadaa
--- /dev/null
+++ b/gateway-provider-rewrite-step-secure-query/src/main/java/org/apache/hadoop/gateway/securequery/SecureQueryMessages.java
@@ -0,0 +1,31 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.hadoop.gateway.securequery; + +import org.apache.hadoop.gateway.i18n.messages.Message; +import org.apache.hadoop.gateway.i18n.messages.MessageLevel; +import org.apache.hadoop.gateway.i18n.messages.Messages; +import org.apache.hadoop.gateway.i18n.messages.StackTrace; + +@Messages(logger="org.apache.hadoop.gateway.securequery") +public interface SecureQueryMessages { + + @Message( level = MessageLevel.ERROR, text = "Failed to create or verify the presence of a password for query string encryption: {0}" ) + void unableCreatePasswordForEncryption(@StackTrace( level = MessageLevel.DEBUG ) Exception e); + +} http://git-wip-us.apache.org/repos/asf/knox/blob/370c292b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTMessages.java ---------------------------------------------------------------------- diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTMessages.java b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTMessages.java index 7438a25..08561ff 100644 
--- a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTMessages.java
+++ b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTMessages.java
@@ -20,6 +20,7 @@ package org.apache.hadoop.gateway.provider.federation.jwt;
 import org.apache.hadoop.gateway.i18n.messages.Message;
 import org.apache.hadoop.gateway.i18n.messages.MessageLevel;
 import org.apache.hadoop.gateway.i18n.messages.Messages;
+import org.apache.hadoop.gateway.i18n.messages.StackTrace;
 @Messages(logger="org.apache.hadoop.gateway.provider.federation.jwt")
 public interface JWTMessages {
@@ -34,4 +35,10 @@ public interface JWTMessages {
 @Message( level = MessageLevel.INFO, text = "Expected Bearer token is missing." )
 void missingBearerToken();
+
+ @Message( level = MessageLevel.INFO, text = "Unable to verify token: {0}" )
+ void unableToVerifyToken(@StackTrace( level = MessageLevel.ERROR) Exception e);
+
+ @Message( level = MessageLevel.ERROR, text = "Unable to verify token: {0}" )
+ void unableToIssueToken(@StackTrace( level = MessageLevel.DEBUG) Exception e);
 }
http://git-wip-us.apache.org/repos/asf/knox/blob/370c292b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/AccessTokenFederationFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/AccessTokenFederationFilter.java b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/AccessTokenFederationFilter.java
index a4ac454..cf2c244 100644
--- a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/AccessTokenFederationFilter.java
+++ b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/AccessTokenFederationFilter.java
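Review bot: `unableToIssueToken` reuses the text `"Unable to verify token: {0}"`, so a failure in `issueToken` is logged as a verification failure; it should read `text = "Unable to issue token: {0}"`. The levels on `unableToVerifyToken` also look inverted: the message is INFO while its stack trace is ERROR, whereas every other message added in this commit logs the message at ERROR and the trace at DEBUG. A `TokenServiceException` from `verifyToken` is a server-side problem (the authority could not do its job, not merely a bad client token), so `@Message( level = MessageLevel.ERROR, ... )` with `@StackTrace( level = MessageLevel.DEBUG )` is the consistent choice.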
@@ -39,6 +39,7 @@ import org.apache.hadoop.gateway.provider.federation.jwt.JWTMessages;
 import org.apache.hadoop.gateway.security.PrimaryPrincipal;
 import org.apache.hadoop.gateway.services.GatewayServices;
 import org.apache.hadoop.gateway.services.security.token.JWTokenAuthority;
+import org.apache.hadoop.gateway.services.security.token.TokenServiceException;
 import org.apache.hadoop.gateway.services.security.token.impl.JWTToken;
 public class AccessTokenFederationFilter implements Filter {
@@ -63,7 +64,12 @@ public class AccessTokenFederationFilter implements Filter {
 // what follows the bearer designator should be the JWT token being used to request or as an access token
 String wireToken = header.substring(BEARER.length());
 JWTToken token = JWTToken.parseToken(wireToken);
- boolean verified = authority.verifyToken(token);
+ boolean verified = false;
+ try {
+ verified = authority.verifyToken(token);
+ } catch (TokenServiceException e) {
+ log.unableToVerifyToken(e);
+ }
 if (verified) {
 long expires = Long.parseLong(token.getExpires());
 if (expires > System.currentTimeMillis()) {
http://git-wip-us.apache.org/repos/asf/knox/blob/370c292b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAccessTokenAssertionFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAccessTokenAssertionFilter.java b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAccessTokenAssertionFilter.java
index f4d0ae8..8de9a75 100644
--- a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAccessTokenAssertionFilter.java
+++ b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAccessTokenAssertionFilter.java
@@ -32,9 +32,12 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import org.apache.hadoop.gateway.filter.security.AbstractIdentityAssertionFilter;
+import org.apache.hadoop.gateway.i18n.messages.MessagesFactory;
+import org.apache.hadoop.gateway.provider.federation.jwt.JWTMessages;
 import org.apache.hadoop.gateway.services.GatewayServices;
 import org.apache.hadoop.gateway.services.registry.ServiceRegistry;
 import org.apache.hadoop.gateway.services.security.token.JWTokenAuthority;
+import org.apache.hadoop.gateway.services.security.token.TokenServiceException;
 import org.apache.hadoop.gateway.services.security.token.impl.JWTToken;
 import org.apache.hadoop.gateway.util.JsonUtils;
@@ -44,6 +47,7 @@ public class JWTAccessTokenAssertionFilter extends AbstractIdentityAssertionFilt
 private static final String TOKEN_TYPE = "token_type";
 private static final String ACCESS_TOKEN = "access_token";
 private static final String BEARER = "Bearer ";
+ private static JWTMessages log = MessagesFactory.get( JWTMessages.class );
 private long validity;
 private JWTokenAuthority authority = null;
 private ServiceRegistry sr;
@@ -74,7 +78,12 @@ public class JWTAccessTokenAssertionFilter extends AbstractIdentityAssertionFilt
 JWTToken token = JWTToken.parseToken(wireToken);
 // ensure that there is a valid jwt token available and that there isn't a misconfiguration of filters
 if (token != null) {
- authority.verifyToken(token);
+ try {
+ authority.verifyToken(token);
+ }
+ catch (TokenServiceException e) {
+ log.unableToVerifyToken(e);
+ }
 }
 else {
 throw new ServletException("Expected JWT Token not provided as Bearer token");
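Review bot: In the `if (token != null)` branch the result of `authority.verifyToken(token)` is still discarded, and the new `catch (TokenServiceException e)` only logs, so a token that fails verification or cannot be verified at all falls through to the rest of the method exactly like a valid one; the `else` branch right below throws `ServletException` for a missing token, and an unverifiable token deserves the same treatment. The comment above says the check is there to "ensure that there is a valid jwt token available", which the code does not do. I would change the body to `if (!authority.verifyToken(token)) { throw new ServletException("JWT Token failed verification"); }` and the catch to `throw new ServletException("Unable to verify JWT Token", e);`. The enclosing method continues outside the hunk, so I cannot see what the fall-through currently leads to.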
@@ -132,7 +141,12 @@ public class JWTAccessTokenAssertionFilter extends AbstractIdentityAssertionFilt
 return principalName;
 }
 };
- JWTToken token = authority.issueToken(p, serviceName, "RS256", expires);
+ JWTToken token = null;
+ try {
+ token = authority.issueToken(p, serviceName, "RS256", expires);
+ } catch (TokenServiceException e) {
+ log.unableToIssueToken(e);
+ }
 accessToken = token.toString();
 return accessToken;
http://git-wip-us.apache.org/repos/asf/knox/blob/370c292b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAuthCodeAssertionFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAuthCodeAssertionFilter.java b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAuthCodeAssertionFilter.java
index 8d649a5..c985be9 100644
--- a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAuthCodeAssertionFilter.java
+++ b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAuthCodeAssertionFilter.java
@@ -32,6 +32,7 @@ import org.apache.hadoop.gateway.filter.security.AbstractIdentityAssertionFilter
 import org.apache.hadoop.gateway.services.GatewayServices;
 import org.apache.hadoop.gateway.services.registry.ServiceRegistry;
 import org.apache.hadoop.gateway.services.security.token.JWTokenAuthority;
+import org.apache.hadoop.gateway.services.security.token.TokenServiceException;
 import org.apache.hadoop.gateway.services.security.token.impl.JWTToken;
 import org.apache.hadoop.gateway.util.JsonUtils;
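Review bot: When `issueToken` throws, `token` stays `null` and the very next line `accessToken = token.toString();` raises a NullPointerException, so the caller sees an NPE whose cause is unrelated to the logged `TokenServiceException`; the log call hides the real failure instead of reporting it. The method's signature is outside the hunk, so I cannot tell whether it may declare a checked exception; if it is called from `doFilter` the natural fix is to replace the log call with `throw new ServletException("Unable to issue access token", e);` (or to log and then rethrow), otherwise wrap in an unchecked exception. Either way the method must not continue past the catch with a null token.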
@@ -63,29 +64,34 @@ public class JWTAuthCodeAssertionFilter extends AbstractIdentityAssertionFilter
 Subject subject = Subject.getSubject(AccessController.getContext());
 String principalName = getPrincipalName(subject);
 principalName = mapper.mapUserPrincipal(principalName);
- JWTToken authCode = authority.issueToken(subject, "RS256");
-
- // get the url for the token service
- String url = null;
- if (sr != null) {
- url = sr.lookupServiceURL("token", "TGS");
+ JWTToken authCode;
+ try {
+ authCode = authority.issueToken(subject, "RS256");
+ // get the url for the token service
+ String url = null;
+ if (sr != null) {
+ url = sr.lookupServiceURL("token", "TGS");
+ }
+
+ HashMap<String, Object> map = new HashMap<String, Object>();
+ // TODO: populate map from JWT authorization code
+ map.put("iss", authCode.getIssuer());
+ map.put("sub", authCode.getPrincipal());
+ map.put("aud", authCode.getAudience());
+ map.put("exp", authCode.getExpires());
+ map.put("code", authCode.toString());
+ if (url != null) {
+ map.put("tke", url);
+ }
+
+ String jsonResponse = JsonUtils.renderAsJsonString(map);
+
+ response.getWriter().write(jsonResponse);
+ response.getWriter().flush();
+ } catch (TokenServiceException e) {
+ // TODO Auto-generated catch block
+ e.printStackTrace();
 }
-
- HashMap<String, Object> map = new HashMap<String, Object>();
- // TODO: populate map from JWT authorization code
- map.put("iss", authCode.getIssuer());
- map.put("sub", authCode.getPrincipal());
- map.put("aud", authCode.getAudience());
- map.put("exp", authCode.getExpires());
- map.put("code", authCode.toString());
- if (url != null) {
- map.put("tke", url);
- }
-
- String jsonResponse = JsonUtils.renderAsJsonString(map);
-
- response.getWriter().write(jsonResponse);
- response.getWriter().flush();
 return; // break filter chain
 }
 }
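Review bot: The new `catch (TokenServiceException e)` is an IDE stub — `// TODO Auto-generated catch block` plus `e.printStackTrace()` — and after it the method hits `return; // break filter chain` with nothing written to the response, so a failure to issue the authorization code is reported to the client as an empty success response and to the operator only on stderr. The other JWT filters in this commit route the same failure through the `JWTMessages` logger; this class needs a `private static final JWTMessages log = MessagesFactory.get( JWTMessages.class );` field (and the two imports), then `log.unableToIssueToken(e);` in place of the stack trace. The response should also carry an error status before the return; assuming `response` is the `HttpServletResponse` the surrounding filter works with, `((HttpServletResponse) response).sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);` does that. Wrapping the whole JSON-rendering body in the try is also wider than needed; only the `issueToken` call can throw `TokenServiceException`.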
http://git-wip-us.apache.org/repos/asf/knox/blob/370c292b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTFederationFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTFederationFilter.java b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTFederationFilter.java
index 20b0b06..67e3a97 100644
--- a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTFederationFilter.java
+++ b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTFederationFilter.java
@@ -17,8 +17,12 @@
 */
 package org.apache.hadoop.gateway.provider.federation.jwt.filter;
+import org.apache.commons.logging.Log;
+import org.apache.hadoop.gateway.i18n.messages.MessagesFactory;
+import org.apache.hadoop.gateway.provider.federation.jwt.JWTMessages;
 import org.apache.hadoop.gateway.services.GatewayServices;
 import org.apache.hadoop.gateway.services.security.token.JWTokenAuthority;
+import org.apache.hadoop.gateway.services.security.token.TokenServiceException;
 import org.apache.hadoop.gateway.services.security.token.impl.JWTToken;
 import javax.security.auth.Subject;
@@ -41,7 +45,7 @@ import java.util.Set;
 public class JWTFederationFilter implements Filter {
 private static final String BEARER = "Bearer ";
-
+ private static JWTMessages log = MessagesFactory.get( JWTMessages.class );
 private JWTokenAuthority authority = null;
 @Override
@@ -60,7 +64,12 @@ public class JWTFederationFilter implements Filter {
 // what follows the bearer designator should be the JWT token being used to request or as an access token
 String wireToken = header.substring(BEARER.length());
 JWTToken token = JWTToken.parseToken(wireToken);
- boolean verified = authority.verifyToken(token);
+ boolean verified = false;
+ try {
+ verified = authority.verifyToken(token);
+ } catch (TokenServiceException e) {
+ log.unableToVerifyToken(e);
+ }
 if (verified) {
 // TODO: validate expiration
 // confirm that audience matches intended target - which for this filter must be HSSO
http://git-wip-us.apache.org/repos/asf/knox/blob/370c292b/gateway-provider-security-picketlink/src/main/java/org/apache/hadoop/gateway/picketlink/PicketlinkMessages.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-picketlink/src/main/java/org/apache/hadoop/gateway/picketlink/PicketlinkMessages.java b/gateway-provider-security-picketlink/src/main/java/org/apache/hadoop/gateway/picketlink/PicketlinkMessages.java
index 0272ba6..d60d5b3 100644
--- a/gateway-provider-security-picketlink/src/main/java/org/apache/hadoop/gateway/picketlink/PicketlinkMessages.java
+++ b/gateway-provider-security-picketlink/src/main/java/org/apache/hadoop/gateway/picketlink/PicketlinkMessages.java
@@ -20,6 +20,7 @@ package org.apache.hadoop.gateway.picketlink;
 import org.apache.hadoop.gateway.i18n.messages.Message;
 import org.apache.hadoop.gateway.i18n.messages.MessageLevel;
 import org.apache.hadoop.gateway.i18n.messages.Messages;
+import org.apache.hadoop.gateway.i18n.messages.StackTrace;
 @Messages(logger="org.apache.hadoop.gateway.picketlink")
 public interface PicketlinkMessages {
@@ -30,4 +31,7 @@ public interface PicketlinkMessages {
 @Message( level = MessageLevel.DEBUG, text = "setting cookie for original-url")
 public void settingCookieForOriginalURL();
+ @Message( level = MessageLevel.ERROR, text = "Unable to get the gateway identity passphrase: {0}")
+ public void unableToGetGatewayIdentityPassphrase(@StackTrace( level = MessageLevel.DEBUG) Exception e);
+
 }
http://git-wip-us.apache.org/repos/asf/knox/blob/370c292b/gateway-provider-security-picketlink/src/main/java/org/apache/hadoop/gateway/picketlink/deploy/PicketlinkFederationProviderContributor.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-picketlink/src/main/java/org/apache/hadoop/gateway/picketlink/deploy/PicketlinkFederationProviderContributor.java b/gateway-provider-security-picketlink/src/main/java/org/apache/hadoop/gateway/picketlink/deploy/PicketlinkFederationProviderContributor.java
index 212fbd6..4f90a41 100644
--- a/gateway-provider-security-picketlink/src/main/java/org/apache/hadoop/gateway/picketlink/deploy/PicketlinkFederationProviderContributor.java
+++ b/gateway-provider-security-picketlink/src/main/java/org/apache/hadoop/gateway/picketlink/deploy/PicketlinkFederationProviderContributor.java
@@ -26,7 +26,10 @@ import org.apache.hadoop.gateway.deploy.DeploymentContext;
 import org.apache.hadoop.gateway.deploy.ProviderDeploymentContributorBase;
 import org.apache.hadoop.gateway.descriptor.FilterParamDescriptor;
 import org.apache.hadoop.gateway.descriptor.ResourceDescriptor;
+import org.apache.hadoop.gateway.i18n.messages.MessagesFactory;
+import org.apache.hadoop.gateway.picketlink.PicketlinkMessages;
 import org.apache.hadoop.gateway.services.security.AliasService;
+import org.apache.hadoop.gateway.services.security.AliasServiceException;
 import org.apache.hadoop.gateway.services.security.MasterService;
 import org.apache.hadoop.gateway.topology.Provider;
 import org.apache.hadoop.gateway.topology.Service;
@@ -47,7 +50,8 @@ public class PicketlinkFederationProviderContributor extends
 private static final String VALIDATING_ALIAS_KEY = "validating.alias.key";
 private static final String VALIDATING_ALIAS_VALUE = "validating.alias.value";
 private static final String CLOCK_SKEW_MILIS = "clock.skew.milis";
-
+ private static PicketlinkMessages log = MessagesFactory.get( PicketlinkMessages.class );
+
 private MasterService ms = null;
 private AliasService as = null;
@@ -92,7 +96,13 @@ public class PicketlinkFederationProviderContributor extends
 }
 config.setSigningKeyAlias(SIGNINGKEY_ALIAS);
 if (as != null) {
- config.setSigningKeyPass(new String(as.getPasswordFromAliasForGateway("gateway-identity-passphrase")));
+ char[] passphrase = null;
+ try {
+ passphrase = as.getGatewayIdentityPassphrase();
+ config.setSigningKeyPass(new String(passphrase));
+ } catch (AliasServiceException e) {
+ log.unableToGetGatewayIdentityPassphrase(e);
+ }
 }
 config.setValidatingAliasKey(params.get(VALIDATING_ALIAS_KEY));
 config.setValidatingAliasValue(params.get(VALIDATING_ALIAS_VALUE));
http://git-wip-us.apache.org/repos/asf/knox/blob/370c292b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxLdapContextFactory.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxLdapContextFactory.java b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxLdapContextFactory.java
index 7c8c52e..b4d0c5c 100644
--- a/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxLdapContextFactory.java
+++ b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxLdapContextFactory.java
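Review bot: In the second hunk, when `as.getGatewayIdentityPassphrase()` throws, `config.setSigningKeyPass` is never called but the method goes straight on to `config.setValidatingAliasKey(...)` and emits the provider configuration anyway, so the SAML provider is deployed with a signing key alias and no passphrase; the failure will only surface at request time, far from the keystore problem this commit is trying to make visible. The method continues outside the hunk, so I cannot see whether it can propagate the exception; if it cannot, a `throw new IllegalStateException("Unable to configure SAML signing key passphrase", e);` after the log call would fail the deployment where the cause is still clear. Separately, `char[] passphrase = null;` is declared before the try but used only inside it; `char[] passphrase = as.getGatewayIdentityPassphrase();` as the first statement of the try removes the dead initializer and the nullable local.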
@@ -31,6 +31,7 @@ import org.apache.hadoop.gateway.config.impl.GatewayConfigImpl;
 import org.apache.hadoop.gateway.i18n.messages.MessagesFactory;
 import org.apache.hadoop.gateway.services.GatewayServices;
 import org.apache.hadoop.gateway.services.security.AliasService;
+import org.apache.hadoop.gateway.services.security.AliasServiceException;
 import org.apache.hadoop.gateway.util.KnoxCLI;
 import org.apache.shiro.realm.ldap.JndiLdapContextFactory;
@@ -97,7 +98,12 @@ public class KnoxLdapContextFactory extends JndiLdapContextFactory {
 //System.err.println("FACTORY systempass 30: " + systemPass);
 //System.err.println("FACTORY clustername 40: " + clusterName);
 //System.err.println("FACTORY SystemProperty GatewayHome 50: " + System.getProperty(GatewayConfig.GATEWAY_HOME_VAR));
- char[] password = aliasService.getPasswordFromAliasForCluster(clusterName, systemPass);
+ char[] password = null;
+ try {
+ password = aliasService.getPasswordFromAliasForCluster(clusterName, systemPass);
+ } catch (AliasServiceException e) {
+ LOG.unableToGetPassword(e);
+ }
 //System.err.println("FACTORY password: " + ((password == null) ? "NULL" : new String(password)));
 if ( password != null ) {
 //System.err.println("FACTORY SUCCESS 20 system password :" + new String(password));
http://git-wip-us.apache.org/repos/asf/knox/blob/370c292b/gateway-server/src/main/java/org/apache/hadoop/gateway/GatewayMessages.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/GatewayMessages.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/GatewayMessages.java
index 452acad..88d1294 100644
--- a/gateway-server/src/main/java/org/apache/hadoop/gateway/GatewayMessages.java
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/GatewayMessages.java
@@ -22,6 +22,7 @@ import org.apache.hadoop.gateway.i18n.messages.Message; import org.apache.hadoop.gateway.i18n.messages.MessageLevel; import org.apache.hadoop.gateway.i18n.messages.Messages; import org.apache.hadoop.gateway.i18n.messages.StackTrace; +import org.apache.hadoop.gateway.services.security.AliasServiceException; import org.apache.hadoop.gateway.services.security.KeystoreServiceException; import org.apache.hadoop.gateway.util.urltemplate.Template; @@ -354,4 +355,7 @@ public interface GatewayMessages { @Message( level = MessageLevel.INFO, text = "System Property: {0}={1}" ) void logSysProp( String name, String property ); + + @Message( level = MessageLevel.ERROR, text = "Unable to get password: {0}" ) + void unableToGetPassword(@StackTrace( level = MessageLevel.DEBUG ) Exception e); } http://git-wip-us.apache.org/repos/asf/knox/blob/370c292b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/DefaultGatewayServices.java ---------------------------------------------------------------------- diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/DefaultGatewayServices.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/DefaultGatewayServices.java index 42d14b1..fe4125a 100644 --- a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/DefaultGatewayServices.java +++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/DefaultGatewayServices.java @@ -64,6 +64,7 @@ public class DefaultGatewayServices implements GatewayServices { DefaultAliasService alias = new DefaultAliasService(); alias.setKeystoreService(ks); + alias.setMasterService(ms); alias.init(config, options); services.put(ALIAS_SERVICE, alias); http://git-wip-us.apache.org/repos/asf/knox/blob/370c292b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/DefaultAliasService.java ---------------------------------------------------------------------- 
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/DefaultAliasService.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/DefaultAliasService.java index a58dc6e..8cf31a5 100644 --- a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/DefaultAliasService.java +++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/DefaultAliasService.java @@ -31,11 +31,15 @@ import org.apache.hadoop.gateway.config.GatewayConfig; import org.apache.hadoop.gateway.i18n.messages.MessagesFactory; import org.apache.hadoop.gateway.services.ServiceLifecycleException; import org.apache.hadoop.gateway.services.security.AliasService; +import org.apache.hadoop.gateway.services.security.AliasServiceException; import org.apache.hadoop.gateway.services.security.KeystoreService; import org.apache.hadoop.gateway.services.security.KeystoreServiceException; +import org.apache.hadoop.gateway.services.security.MasterService; public class DefaultAliasService implements AliasService { - private static final GatewayMessages LOG = MessagesFactory.get( GatewayMessages.class ); + private static final GatewayMessages LOG = MessagesFactory.get( GatewayMessages.class ); + + private static final String GATEWAY_IDENTITY_PASSPHRASE = "gateway-identity-passphrase"; protected char[] chars = { 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'j', 'k', 'm', 'n', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', @@ -44,6 +48,7 @@ public class DefaultAliasService implements AliasService { '2', '3', '4', '5', '6', '7', '8', '9',}; private KeystoreService keystoreService; + private MasterService masterService; @Override public void init(GatewayConfig config, Map<String, String> options) 
@@ -57,12 +62,22 @@ public class DefaultAliasService implements AliasService { @Override public void stop() throws ServiceLifecycleException { } - + + @Override + public char[] getGatewayIdentityPassphrase() throws AliasServiceException { + char[] passphrase = getPasswordFromAliasForGateway(GATEWAY_IDENTITY_PASSPHRASE); + if (passphrase == null) { + passphrase = masterService.getMasterSecret(); + } + return passphrase; + } + /* (non-Javadoc) * @see org.apache.hadoop.gateway.services.security.impl.AliasService#getAliasForCluster(java.lang.String, java.lang.String) */ @Override - public char[] getPasswordFromAliasForCluster(String clusterName, String alias) { + public char[] getPasswordFromAliasForCluster(String clusterName, String alias) + throws AliasServiceException { return getPasswordFromAliasForCluster(clusterName, alias, false); } @@ -70,7 +85,8 @@ public class DefaultAliasService implements AliasService { * @see org.apache.hadoop.gateway.services.security.impl.AliasService#getAliasForCluster(java.lang.String, java.lang.String, boolean) */ @Override - public char[] getPasswordFromAliasForCluster(String clusterName, String alias, boolean generate) { + public char[] getPasswordFromAliasForCluster(String clusterName, String alias, boolean generate) + throws AliasServiceException { char[] credential = null; try { credential = keystoreService.getCredentialForCluster(clusterName, alias); @@ -82,6 +98,7 @@ public class DefaultAliasService implements AliasService { } } catch (KeystoreServiceException e) { LOG.failedToGetCredentialForCluster(clusterName, e); + throw new AliasServiceException(e); } return credential; } 
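Review bot: getGatewayIdentityPassphrase() dereferences masterService with no null check, so a DefaultAliasService that was not wired through setMasterService(...) fails with a NullPointerException rather than the AliasServiceException the signature promises; guard it, e.g. `if (masterService == null) throw new AliasServiceException(new IllegalStateException("MasterService not set"));` (the exception type currently accepts only a cause). The master-secret fallback is a security-relevant contract — when the alias is absent the gateway-identity key is protected by the same secret as the keystore, and the returned array may be the master secret itself, so callers must not zero it after use — and deserves a Javadoc on the method stating exactly that. getPasswordFromAliasForCluster now logs and then throws, so each failure is reported twice once a caller catches AliasServiceException; consider logging at one layer only.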
@@ -99,12 +116,19 @@ public class DefaultAliasService implements AliasService { this.keystoreService = ks; } + public void setMasterService(MasterService ms) { + this.masterService = ms; + + } + @Override - public void generateAliasForCluster(String clusterName, String alias) { + public void generateAliasForCluster(String clusterName, String alias) + throws AliasServiceException { try { keystoreService.getCredentialStoreForCluster(clusterName); } catch (KeystoreServiceException e) { LOG.failedToGenerateAliasForCluster(clusterName, e); + throw new AliasServiceException(e); } String passwordString = generatePassword(16); addAliasForCluster(clusterName, alias, passwordString); @@ -123,17 +147,24 @@ public class DefaultAliasService implements AliasService { } @Override - public void removeAliasForCluster(String clusterName, String alias) { - keystoreService.removeCredentialForCluster(clusterName, alias); + public void removeAliasForCluster(String clusterName, String alias) + throws AliasServiceException { + try { + keystoreService.removeCredentialForCluster(clusterName, alias); + } catch (KeystoreServiceException e) { + throw new AliasServiceException(e); + } } @Override - public char[] getPasswordFromAliasForGateway(String alias) { + public char[] getPasswordFromAliasForGateway(String alias) + throws AliasServiceException { return getPasswordFromAliasForCluster("__gateway", alias); } @Override - public void generateAliasForGateway(String alias) { + public void generateAliasForGateway(String alias) + throws AliasServiceException { generateAliasForCluster("__gateway", alias); } http://git-wip-us.apache.org/repos/asf/knox/blob/370c292b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/DefaultCryptoService.java ---------------------------------------------------------------------- 
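Review bot: generateAliasForCluster calls getCredentialStoreForCluster only to probe that the store is readable and discards the KeyStore; addAliasForCluster (outside this hunk) then has to open it again, and since DefaultKeystoreService.addCredentialForCluster now declares KeystoreServiceException it is not visible here whether that second failure is wrapped into AliasServiceException — worth checking, otherwise the new throws clause covers only the first half of the method. removeAliasForCluster wraps without logging while the sibling methods log and then throw; pick one convention. The `"__gateway"` cluster name is repeated in two methods; a `private static final String GATEWAY_CLUSTER = "__gateway";` next to GATEWAY_IDENTITY_PASSPHRASE keeps them in sync.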
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/DefaultCryptoService.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/DefaultCryptoService.java index e4a004d..b3c9d97 100644 --- a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/DefaultCryptoService.java +++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/DefaultCryptoService.java @@ -30,6 +30,7 @@ import org.apache.hadoop.gateway.GatewayMessages; import org.apache.hadoop.gateway.config.GatewayConfig; import org.apache.hadoop.gateway.i18n.messages.MessagesFactory; import org.apache.hadoop.gateway.services.security.AliasService; +import org.apache.hadoop.gateway.services.security.AliasServiceException; import org.apache.hadoop.gateway.services.security.CryptoService; import org.apache.hadoop.gateway.services.security.EncryptionResult; import org.apache.hadoop.gateway.services.security.KeystoreService; @@ -37,7 +38,6 @@ import org.apache.hadoop.gateway.services.security.KeystoreServiceException; import org.apache.hadoop.gateway.services.ServiceLifecycleException; public class DefaultCryptoService implements CryptoService { - private static final String GATEWAY_IDENTITY_PASSPHRASE = "gateway-identity-passphrase"; private static final GatewayMessages LOG = MessagesFactory.get( GatewayMessages.class ); private AliasService as = null; 
@@ -73,12 +73,23 @@ public class DefaultCryptoService implements CryptoService { @Override public void createAndStoreEncryptionKeyForCluster(String clusterName, String alias) { - as.generateAliasForCluster(clusterName, alias); + try { + as.generateAliasForCluster(clusterName, alias); + } catch (AliasServiceException e) { + // TODO Auto-generated catch block + e.printStackTrace(); + } } @Override public EncryptionResult encryptForCluster(String clusterName, String alias, byte[] clear) { - char[] password = as.getPasswordFromAliasForCluster(clusterName, alias); + char[] password = null; + try { + password = as.getPasswordFromAliasForCluster(clusterName, alias); + } catch (AliasServiceException e2) { + // TODO Auto-generated catch block + e2.printStackTrace(); + } if (password != null) { AESEncryptor aes = null; try { @@ -107,16 +118,21 @@ public class DefaultCryptoService implements CryptoService { @Override public byte[] decryptForCluster(String clusterName, String alias, byte[] cipherText, byte[] iv, byte[] salt) { - char[] password = as.getPasswordFromAliasForCluster(clusterName, alias); - if (password != null) { - AESEncryptor aes = new AESEncryptor(new String(password)); - try { - return aes.decrypt(salt, iv, cipherText); - } catch (Exception e) { - LOG.failedToDecryptPasswordForCluster( clusterName, e ); + char[] password = null; + try { + password = as.getPasswordFromAliasForCluster(clusterName, alias); + if (password != null) { + AESEncryptor aes = new AESEncryptor(new String(password)); + try { + return aes.decrypt(salt, iv, cipherText); + } catch (Exception e) { + LOG.failedToDecryptPasswordForCluster( clusterName, e ); + } } - } - else { + else { + LOG.failedToDecryptCipherForClusterNullPassword( clusterName ); + } + } catch (AliasServiceException e1) { LOG.failedToDecryptCipherForClusterNullPassword( clusterName ); } return null; 
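Review bot: createAndStoreEncryptionKeyForCluster now swallows the AliasServiceException with an auto-generated `e.printStackTrace()`, so a failure to create the cluster's encryption key goes to stderr and the caller continues as if the key exists; encryptForCluster does the same and thereby hides why `password` is null. This class already has `LOG` (GatewayMessages), so report the failure through an appropriate message there and either propagate or return a result the caller can detect, instead of `printStackTrace()`. A printed stack trace also bypasses the `@StackTrace(level = DEBUG)` control the rest of this commit introduces.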
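Review bot: In decryptForCluster the new `catch (AliasServiceException e1)` logs failedToDecryptCipherForClusterNullPassword, which tells the operator the password was null when it was actually unreadable, and drops the exception so the diagnostics this commit is meant to add never reach the log. Log it with its cause — `LOG.failedToDecryptPasswordForCluster(clusterName, e1);` is the closest existing message — or add a dedicated one. The `new AESEncryptor(new String(password))` conversion of the secret to a String is pre-existing but worth a comment if AESEncryptor cannot take a char[].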
@@ -150,7 +166,7 @@ public class DefaultCryptoService implements CryptoService { @Override public byte[] sign(String algorithm, String alias, String payloadToSign) { try { - char[] passphrase = as.getPasswordFromAliasForGateway(GATEWAY_IDENTITY_PASSPHRASE); + char[] passphrase = as.getGatewayIdentityPassphrase(); PrivateKey privateKey = (PrivateKey) ks.getKeyForGateway(alias, passphrase); Signature signature = Signature.getInstance(algorithm); signature.initSign(privateKey); @@ -166,6 +182,8 @@ public class DefaultCryptoService implements CryptoService { LOG.failedToSignData( e ); } catch (KeystoreServiceException e) { LOG.failedToSignData( e ); + } catch (AliasServiceException e) { + LOG.failedToSignData( e ); } return null; } http://git-wip-us.apache.org/repos/asf/knox/blob/370c292b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/DefaultKeystoreService.java ---------------------------------------------------------------------- diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/DefaultKeystoreService.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/DefaultKeystoreService.java index 8e0cc4b..8d91c65 100644 --- a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/DefaultKeystoreService.java +++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/DefaultKeystoreService.java 
@@ -82,18 +82,19 @@ public class DefaultKeystoreService extends BaseKeystoreService implements Keyst } @Override - public KeyStore getKeystoreForGateway() { + public KeyStore getKeystoreForGateway() throws KeystoreServiceException { final File keyStoreFile = new File( keyStoreDir + GATEWAY_KEYSTORE ); return getKeystore(keyStoreFile, "JKS"); } @Override - public void addSelfSignedCertForGateway(String alias, char[] passphrase) { + public void addSelfSignedCertForGateway(String alias, char[] passphrase) throws KeystoreServiceException { addSelfSignedCertForGateway(alias, passphrase, null); } @Override - public void addSelfSignedCertForGateway(String alias, char[] passphrase, String hostname) { + public void addSelfSignedCertForGateway(String alias, char[] passphrase, String hostname) + throws KeystoreServiceException { KeyPairGenerator keyPairGenerator; try { @@ -122,10 +123,13 @@ public class DefaultKeystoreService extends BaseKeystoreService implements Keyst //writeCertificateToFile( cert, new File( keyStoreDir + alias + ".pem" ) ); } catch (NoSuchAlgorithmException e) { LOG.failedToAddSeflSignedCertForGateway( alias, e ); + throw new KeystoreServiceException(e); } catch (GeneralSecurityException e) { LOG.failedToAddSeflSignedCertForGateway( alias, e ); + throw new KeystoreServiceException(e); } catch (IOException e) { LOG.failedToAddSeflSignedCertForGateway( alias, e ); + throw new KeystoreServiceException(e); } } 
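Review bot: NoSuchAlgorithmException is a subclass of GeneralSecurityException, so now that both handlers are identical (log, then `throw new KeystoreServiceException(e)`) the first catch is redundant and can be removed; only the IOException handler is distinct. Logging at the throw site plus the caller's own handling (JettySSLService turns this into a ServiceLifecycleException) reports the same failure twice; consider leaving the logging to the layer that decides what to do with it. The body of addSelfSignedCertForGateway continues past the hunk.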
@@ -189,12 +193,14 @@ public class DefaultKeystoreService extends BaseKeystoreService implements Keyst return key; } - public KeyStore getCredentialStoreForCluster(String clusterName) { + public KeyStore getCredentialStoreForCluster(String clusterName) + throws KeystoreServiceException { final File keyStoreFile = new File( keyStoreDir + clusterName + CREDENTIALS_SUFFIX ); return getKeystore(keyStoreFile, "JCEKS"); } - public void addCredentialForCluster(String clusterName, String alias, String value) { + public void addCredentialForCluster(String clusterName, String alias, String value) + throws KeystoreServiceException { KeyStore ks = getCredentialStoreForCluster(clusterName); addCredential(alias, value, ks); final File keyStoreFile = new File( keyStoreDir + clusterName + CREDENTIALS_SUFFIX ); @@ -212,7 +218,8 @@ public class DefaultKeystoreService extends BaseKeystoreService implements Keyst } @Override - public char[] getCredentialForCluster(String clusterName, String alias) { + public char[] getCredentialForCluster(String clusterName, String alias) + throws KeystoreServiceException { char[] credential = null; KeyStore ks = getCredentialStoreForCluster(clusterName); if (ks != null) { 
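Review bot: addCredentialForCluster passes the KeyStore straight into `addCredential(alias, value, ks)`, while getCredentialForCluster in the next hunk guards the same result with `if (ks != null)`; if getKeystore can still return null for a missing file (not visible here) the add path NPEs instead of raising the KeystoreServiceException it now declares. Either make getCredentialStoreForCluster throw on a missing store or add the same null check. The store path `keyStoreDir + clusterName + CREDENTIALS_SUFFIX` is built by concatenating clusterName, so a topology name containing a path separator would escape keyStoreDir; that is presumably admin-controlled, but a comment or a check stating the assumption would help.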
@@ -239,7 +246,7 @@ public class DefaultKeystoreService extends BaseKeystoreService implements Keyst * @see org.apache.hadoop.gateway.services.security.KeystoreService#removeCredentialForCluster(java.lang.String, java.lang.String, java.security.KeyStore) */ @Override - public void removeCredentialForCluster(String clusterName, String alias) { + public void removeCredentialForCluster(String clusterName, String alias) throws KeystoreServiceException { KeyStore ks = getCredentialStoreForCluster(clusterName); removeCredential(alias, ks); final File keyStoreFile = new File( keyStoreDir + clusterName + CREDENTIALS_SUFFIX ); http://git-wip-us.apache.org/repos/asf/knox/blob/370c292b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java ---------------------------------------------------------------------- diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java index c3b257f..f2facee 100644 --- a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java +++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java @@ -32,6 +32,7 @@ import org.apache.hadoop.gateway.config.GatewayConfig; import org.apache.hadoop.gateway.i18n.messages.MessagesFactory; import org.apache.hadoop.gateway.services.ServiceLifecycleException; import org.apache.hadoop.gateway.services.security.AliasService; +import org.apache.hadoop.gateway.services.security.AliasServiceException; import org.apache.hadoop.gateway.services.security.KeystoreService; import org.apache.hadoop.gateway.services.security.KeystoreServiceException; import org.apache.hadoop.gateway.services.security.MasterService; 
@@ -93,7 +94,12 @@ public class JettySSLService implements SSLService { if (!ks.isKeystoreForGatewayAvailable()) { log.creatingKeyStoreForGateway(); ks.createKeystoreForGateway(); - char[] passphrase = as.getPasswordFromAliasForCluster(GATEWAY_CREDENTIAL_STORE_NAME, GATEWAY_IDENTITY_PASSPHRASE); + char[] passphrase = null; + try { + passphrase = as.getGatewayIdentityPassphrase(); + } catch (AliasServiceException e) { + throw new ServiceLifecycleException("Error accessing credential store for the gateway.", e); + } if (passphrase == null) { passphrase = ms.getMasterSecret(); } @@ -117,7 +123,12 @@ public class JettySSLService implements SSLService { private void logAndValidateCertificate() throws ServiceLifecycleException { // let's log the hostname (CN) and cert expiry from the gateway's public cert to aid in SSL debugging - Certificate cert = as.getCertificateForGateway("gateway-identity"); + Certificate cert; + try { + cert = as.getCertificateForGateway("gateway-identity"); + } catch (AliasServiceException e) { + throw new ServiceLifecycleException("Cannot Retreive Gateway SSL Certificate. Server will not start.", e); + } if (cert != null) { if (cert instanceof X509Certificate) { X500Principal x500Principal = ((X509Certificate)cert).getSubjectX500Principal(); @@ -152,7 +163,12 @@ public class JettySSLService implements SSLService { sslContextFactory.setKeyStorePath(keystoreFileName); char[] master = ms.getMasterSecret(); sslContextFactory.setKeyStorePassword(new String(master)); - char[] keypass = as.getPasswordFromAliasForGateway(GATEWAY_IDENTITY_PASSPHRASE); + char[] keypass = null; + try { + keypass = as.getGatewayIdentityPassphrase(); + } catch (AliasServiceException e) { + // nop - default passphrase will be used + } if (keypass == null) { // there has been no alias created for the key - let's assume it is the same as the keystore password keypass = master; 
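Review bot: The `if (passphrase == null) { passphrase = ms.getMasterSecret(); }` that follows the new call is now dead for the default implementation: DefaultAliasService.getGatewayIdentityPassphrase() already falls back to the master secret and never returns null. Keeping it implies two places own the fallback; either drop it or add a comment that it only covers alternative AliasService implementations (the CryptoServiceTest stub, for instance, returns null). The method continues past the hunk.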
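Review bot: Typo in the new startup message in logAndValidateCertificate: `Retreive` should be `Retrieve` in `"Cannot Retrieve Gateway SSL Certificate. Server will not start."`; this text is what an operator sees when the gateway refuses to start. The rest of the method is outside the hunk.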
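Review bot: The empty `catch (AliasServiceException e) { // nop - default passphrase will be used }` silently uses the master secret as the private-key passphrase when the credential store cannot be read — exactly the keystore failure this commit sets out to diagnose — so a gateway whose credential store is corrupt or was written under a different master secret either starts with the wrong key password or fails later with an opaque Jetty error. Log the exception through the class's `log` at WARN or higher before falling back, stating that gateway-identity-passphrase could not be read and the master secret is being used. The enclosing SSL setup method starts and ends outside the hunk.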
@@ -163,7 +179,12 @@ public class JettySSLService implements SSLService { if (clientAuthNeeded) { if (truststorePath != null) { sslContextFactory.setTrustStore(truststorePath); - char[] truststorePwd = as.getPasswordFromAliasForGateway(GATEWAY_TRUSTSTORE_PASSWORD); + char[] truststorePwd = null; + try { + truststorePwd = as.getPasswordFromAliasForGateway(GATEWAY_TRUSTSTORE_PASSWORD); + } catch (AliasServiceException e) { + // nop - master secret will be used + } if (truststorePwd != null) { truststorePassword = new String(truststorePwd); } @@ -189,7 +210,7 @@ public class JettySSLService implements SSLService { SslConnector sslConnector = new SslSelectChannelConnector( sslContextFactory ); return sslConnector; - } + } @Override public void start() throws ServiceLifecycleException { http://git-wip-us.apache.org/repos/asf/knox/blob/370c292b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/token/impl/DefaultTokenAuthorityService.java ---------------------------------------------------------------------- diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/token/impl/DefaultTokenAuthorityService.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/token/impl/DefaultTokenAuthorityService.java index 118239e..d4e5c5f 100644 --- a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/token/impl/DefaultTokenAuthorityService.java +++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/token/impl/DefaultTokenAuthorityService.java 
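Review bot: The same silent `// nop - master secret will be used` catch appears for the truststore password: with clientAuthNeeded, failing to read gateway-truststore-password and quietly substituting the master secret makes mutual-TLS setup fail with a Jetty keystore-password error instead of the alias error, the opposite of better diagnostics. Log the exception through `log` before falling back. `truststorePassword = new String(truststorePwd)` keeps the secret in an immutable String; if SslContextFactory only takes a String that is unavoidable, but say so in a comment. The method continues outside the hunk.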
@@ -30,9 +30,11 @@ import org.apache.hadoop.gateway.config.GatewayConfig; import org.apache.hadoop.gateway.services.Service; import org.apache.hadoop.gateway.services.ServiceLifecycleException; import org.apache.hadoop.gateway.services.security.AliasService; +import org.apache.hadoop.gateway.services.security.AliasServiceException; import org.apache.hadoop.gateway.services.security.KeystoreService; import org.apache.hadoop.gateway.services.security.KeystoreServiceException; import org.apache.hadoop.gateway.services.security.token.JWTokenAuthority; +import org.apache.hadoop.gateway.services.security.token.TokenServiceException; import org.apache.hadoop.gateway.services.security.token.impl.JWTToken; import com.nimbusds.jose.JWSSigner; @@ -57,7 +59,7 @@ public class DefaultTokenAuthorityService implements JWTokenAuthority, Service { * @see org.apache.hadoop.gateway.provider.federation.jwt.JWTokenAuthority#issueToken(javax.security.auth.Subject, java.lang.String) */ @Override - public JWTToken issueToken(Subject subject, String algorithm) { + public JWTToken issueToken(Subject subject, String algorithm) throws TokenServiceException { Principal p = (Principal) subject.getPrincipals().toArray()[0]; return issueToken(p, algorithm); } @@ -66,11 +68,12 @@ public class DefaultTokenAuthorityService implements JWTokenAuthority, Service { * @see org.apache.hadoop.gateway.provider.federation.jwt.JWTokenAuthority#issueToken(java.security.Principal, java.lang.String) */ @Override - public JWTToken issueToken(Principal p, String algorithm) { + public JWTToken issueToken(Principal p, String algorithm) throws TokenServiceException { return issueToken(p, null, algorithm); } - public JWTToken issueToken(Principal p, String audience, String algorithm) { + public JWTToken issueToken(Principal p, String audience, String algorithm) + throws TokenServiceException { return issueToken(p, audience, algorithm, -1); } 
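Review bot: issueToken(Subject, String) now declares TokenServiceException, but `subject.getPrincipals().toArray()[0]` still throws ArrayIndexOutOfBoundsException for a Subject with no principals, so a caller that reaches this with an unauthenticated Subject gets an unchecked exception instead of the checked one it has just been taught to handle. Add a guard along the lines of `if (subject.getPrincipals().isEmpty())` followed by a TokenServiceException (the class has a message-plus-cause constructor, as verifyToken uses later in this diff). A Javadoc on the new throws clause saying which failures it covers — keystore, alias, missing principal — would help callers.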
@@ -78,7 +81,8 @@ public class DefaultTokenAuthorityService implements JWTokenAuthority, Service { * @see org.apache.hadoop.gateway.provider.federation.jwt.JWTokenAuthority#issueToken(java.security.Principal, java.lang.String, java.lang.String) */ @Override - public JWTToken issueToken(Principal p, String audience, String algorithm, long expires) { + public JWTToken issueToken(Principal p, String audience, String algorithm, long expires) + throws TokenServiceException { String[] claimArray = new String[4]; claimArray[0] = "HSSO"; claimArray[1] = p.getName(); @@ -98,9 +102,15 @@ public class DefaultTokenAuthorityService implements JWTokenAuthority, Service { if ("RS256".equals(algorithm)) { token = new JWTToken("RS256", claimArray); RSAPrivateKey key; + char[] passphrase = null; + try { + passphrase = as.getGatewayIdentityPassphrase(); + } catch (AliasServiceException e) { + throw new TokenServiceException(e); + } try { key = (RSAPrivateKey) ks.getKeyForGateway("gateway-identity", - as.getPasswordFromAliasForGateway("gateway-identity-passphrase")); + passphrase); JWSSigner signer = new RSASSASigner(key); token.sign(signer); } catch (KeystoreServiceException e) { @@ -116,7 +126,8 @@ public class DefaultTokenAuthorityService implements JWTokenAuthority, Service { } @Override - public boolean verifyToken(JWTToken token) { + public boolean verifyToken(JWTToken token) + throws TokenServiceException { boolean rc = false; PublicKey key; try { 
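Review bot: `throw new TokenServiceException(e)` on the passphrase lookup carries no message, so the only text WebSSOResource logs is "Unable to issue token." with the trace demoted to DEBUG; verifyToken in the next hunk uses the message form, so match it here: `throw new TokenServiceException("Cannot retrieve gateway identity passphrase.", e);`. Also worth a comment that `passphrase` may be the master secret array itself (DefaultAliasService falls back to it) and therefore must not be zeroed after signing. The KeystoreServiceException handler that follows is outside the hunk.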
@@ -126,11 +137,9 @@ public class DefaultTokenAuthorityService implements JWTokenAuthority, Service { // consider jwk for specifying the key too rc = token.verify(verifier); } catch (KeyStoreException e) { - // TODO Auto-generated catch block - e.printStackTrace(); + throw new TokenServiceException("Cannot verify token.", e); } catch (KeystoreServiceException e) { - // TODO Auto-generated catch block - e.printStackTrace(); + throw new TokenServiceException("Cannot verify token.", e); } return rc; } http://git-wip-us.apache.org/repos/asf/knox/blob/370c292b/gateway-server/src/test/java/org/apache/hadoop/gateway/services/security/CryptoServiceTest.java ---------------------------------------------------------------------- diff --git a/gateway-server/src/test/java/org/apache/hadoop/gateway/services/security/CryptoServiceTest.java b/gateway-server/src/test/java/org/apache/hadoop/gateway/services/security/CryptoServiceTest.java index 0accd03..bcd5ec2 100644 --- a/gateway-server/src/test/java/org/apache/hadoop/gateway/services/security/CryptoServiceTest.java +++ b/gateway-server/src/test/java/org/apache/hadoop/gateway/services/security/CryptoServiceTest.java @@ -103,6 +103,12 @@ public class CryptoServiceTest { // TODO Auto-generated method stub return null; } + + @Override + public char[] getGatewayIdentityPassphrase() throws AliasServiceException { + // TODO Auto-generated method stub + return null; + } }; cs = new DefaultCryptoService(); ((DefaultCryptoService)cs).setAliasService(as); http://git-wip-us.apache.org/repos/asf/knox/blob/370c292b/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/KnoxSSOMessages.java ---------------------------------------------------------------------- diff --git a/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/KnoxSSOMessages.java b/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/KnoxSSOMessages.java index f277ac2..e6c767b 100644 
--- a/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/KnoxSSOMessages.java +++ b/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/KnoxSSOMessages.java @@ -20,6 +20,7 @@ package org.apache.hadoop.gateway.service.knoxsso; import org.apache.hadoop.gateway.i18n.messages.Message; import org.apache.hadoop.gateway.i18n.messages.MessageLevel; import org.apache.hadoop.gateway.i18n.messages.Messages; +import org.apache.hadoop.gateway.i18n.messages.StackTrace; @Messages(logger="org.apache.hadoop.gateway.service.knoxsso") public interface KnoxSSOMessages { @@ -43,4 +44,7 @@ public interface KnoxSSOMessages { @Message( level = MessageLevel.INFO, text = "JWT cookie successfully added.") void addedJWTCookie(); + + @Message( level = MessageLevel.ERROR, text = "Unable to issue token.") + void unableToIssueToken(@StackTrace( level = MessageLevel.DEBUG) Exception e); } \ No newline at end of file http://git-wip-us.apache.org/repos/asf/knox/blob/370c292b/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResource.java ---------------------------------------------------------------------- diff --git a/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResource.java b/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResource.java index a81cc2d..9b3d0ad 100644 --- a/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResource.java +++ b/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResource.java @@ -21,7 +21,6 @@ import java.io.IOException; import java.net.URI; import java.net.URISyntaxException; import java.security.Principal; -import java.util.Date; import javax.servlet.http.Cookie; import javax.servlet.http.HttpServletRequest; 
@@ -37,6 +36,7 @@ import javax.ws.rs.WebApplicationException; import org.apache.hadoop.gateway.i18n.messages.MessagesFactory; import org.apache.hadoop.gateway.services.GatewayServices; import org.apache.hadoop.gateway.services.security.token.JWTokenAuthority; +import org.apache.hadoop.gateway.services.security.token.TokenServiceException; import org.apache.hadoop.gateway.services.security.token.impl.JWT; import static javax.ws.rs.core.MediaType.APPLICATION_JSON; @@ -96,21 +96,26 @@ public class WebSSOResource { JWTokenAuthority ts = services.getService(GatewayServices.TOKEN_SERVICE); Principal p = ((HttpServletRequest)request).getUserPrincipal(); - JWT token = ts.issueToken(p, "RS256"); - - addJWTHadoopCookie(original, token); - - if (removeOriginalUrlCookie) { - removeOriginalUrlCookie(response); - } - - log.aboutToRedirectToOriginal(original); - response.setStatus(statusCode); - response.setHeader("Location", original); try { - response.getOutputStream().close(); - } catch (IOException e) { - log.unableToCloseOutputStream(e.getMessage(), e.getStackTrace().toString()); + JWT token = ts.issueToken(p, "RS256"); + + addJWTHadoopCookie(original, token); + + if (removeOriginalUrlCookie) { + removeOriginalUrlCookie(response); + } + + log.aboutToRedirectToOriginal(original); + response.setStatus(statusCode); + response.setHeader("Location", original); + try { + response.getOutputStream().close(); + } catch (IOException e) { + log.unableToCloseOutputStream(e.getMessage(), e.getStackTrace().toString()); + } + } + catch (TokenServiceException e) { + log.unableToIssueToken(e); } return null; } http://git-wip-us.apache.org/repos/asf/knox/blob/370c292b/gateway-service-vault/src/main/java/org/apache/hadoop/gateway/service/vault/CredentialResource.java ---------------------------------------------------------------------- 
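Review bot: When issueToken fails the catch only logs and then `return null`, leaving the response with whatever status it already had — the browser gets an empty success response with no cookie and no redirect, and the user sees a blank page with nothing to correlate to the server log. Fail visibly, since javax.ws.rs.WebApplicationException is already imported: `log.unableToIssueToken(e); throw new WebApplicationException(500);`. The inner close-stream handler also logs `e.getStackTrace().toString()`, which is the array's identity string rather than a trace; it is pre-existing but this hunk moves it, so it is a good moment to pass `e` to a @StackTrace parameter instead.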
diff --git a/gateway-service-vault/src/main/java/org/apache/hadoop/gateway/service/vault/CredentialResource.java b/gateway-service-vault/src/main/java/org/apache/hadoop/gateway/service/vault/CredentialResource.java index 9f60624..e5bc65a 100644 --- a/gateway-service-vault/src/main/java/org/apache/hadoop/gateway/service/vault/CredentialResource.java +++ b/gateway-service-vault/src/main/java/org/apache/hadoop/gateway/service/vault/CredentialResource.java @@ -29,6 +29,7 @@ import javax.ws.rs.core.Response; import org.apache.hadoop.gateway.services.GatewayServices; import org.apache.hadoop.gateway.services.security.AliasService; +import org.apache.hadoop.gateway.services.security.AliasServiceException; import static javax.ws.rs.core.MediaType.APPLICATION_JSON; import static javax.ws.rs.core.MediaType.APPLICATION_XML; @@ -82,7 +83,13 @@ public class CredentialResource { getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE); String clusterName = (String) request.getServletContext().getAttribute(GatewayServices.GATEWAY_CLUSTER_ATTRIBUTE); AliasService as = services.getService(GatewayServices.ALIAS_SERVICE); - List<String> aliases = as.getAliasesForCluster(clusterName); + List<String> aliases = null; + try { + aliases = as.getAliasesForCluster(clusterName); + } catch (AliasServiceException e) { + // TODO Auto-generated catch block + e.printStackTrace(); + } return aliases; } 
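Review bot: getCredentialAliases swallows the AliasServiceException with an auto-generated `printStackTrace()` and returns null, so the REST client receives a success response with an empty body and the only diagnostic lands on stderr, outside the gateway's logging. Map the failure to a 500 by throwing a javax.ws.rs.WebApplicationException with the cause, and log it through a messages interface as the other services in this commit do. Keep keystore paths and exception text out of the response body; the log is the right place for them.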
@@ -95,7 +102,13 @@ public class CredentialResource { getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE); String clusterName = (String) request.getServletContext().getAttribute(GatewayServices.GATEWAY_CLUSTER_ATTRIBUTE); AliasService as = services.getService(GatewayServices.ALIAS_SERVICE); - char[] credential = as.getPasswordFromAliasForCluster(clusterName, alias); + char[] credential = null; + try { + credential = as.getPasswordFromAliasForCluster(clusterName, alias); + } catch (AliasServiceException e) { + // TODO Auto-generated catch block + e.printStackTrace(); + } if (credential != null) { return new CredentialValue(alias, new String(credential)); } http://git-wip-us.apache.org/repos/asf/knox/blob/370c292b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/AliasService.java ---------------------------------------------------------------------- diff --git a/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/AliasService.java b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/AliasService.java index 70b36a7..db7f4b1 100644 --- a/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/AliasService.java +++ b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/AliasService.java 
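Review bot: Same swallow-and-continue in getCredential: on AliasServiceException the trace goes to stderr, `credential` stays null and execution proceeds to the not-found path after the hunk (not visible), so a corrupt or unreadable credential store is reported to the caller as "no such alias". Distinguish the two by propagating as a 500 (javax.ws.rs.WebApplicationException with the cause) and log through a messages interface rather than `printStackTrace()`. Returning the secret as a String inside CredentialValue is pre-existing, but the new error path should at least not add keystore details to the response.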
@@ -24,21 +24,32 @@ import org.apache.hadoop.gateway.services.Service; public interface AliasService extends Service { - public abstract List<String> getAliasesForCluster(String clusterName); + List<String> getAliasesForCluster(String clusterName) + throws AliasServiceException; - public abstract void addAliasForCluster(String clusterName, String alias, String value); + void addAliasForCluster(String clusterName, String alias, + String value) throws AliasServiceException; - public abstract void removeAliasForCluster(String clusterName, String alias); + void removeAliasForCluster(String clusterName, String alias) + throws AliasServiceException; - public abstract char[] getPasswordFromAliasForCluster(String clusterName, String alias); + char[] getPasswordFromAliasForCluster(String clusterName, + String alias) throws AliasServiceException; - public abstract char[] getPasswordFromAliasForCluster(String clusterName, String alias, boolean generate); + char[] getPasswordFromAliasForCluster(String clusterName, + String alias, boolean generate) throws AliasServiceException; - void generateAliasForCluster(String clusterName, String alias); + void generateAliasForCluster(String clusterName, String alias) + throws AliasServiceException; - public abstract char[] getPasswordFromAliasForGateway(String alias); + char[] getPasswordFromAliasForGateway(String alias) + throws AliasServiceException; - void generateAliasForGateway(String alias); - - Certificate getCertificateForGateway(String alias); + char[] getGatewayIdentityPassphrase() throws AliasServiceException; + + void generateAliasForGateway(String alias) + throws AliasServiceException; + + Certificate getCertificateForGateway(String alias) + throws AliasServiceException; } \ No newline at end of file http://git-wip-us.apache.org/repos/asf/knox/blob/370c292b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/AliasServiceException.java ---------------------------------------------------------------------- 
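Review bot: The new `getGatewayIdentityPassphrase()` is added to a public SPI with no Javadoc, and none of the other signatures say when `AliasServiceException` is thrown versus when a `null` is returned, so implementers and callers have no contract for the new checked exception. Proposed Javadoc for the new method, assuming from its name that it guards the gateway's identity key: `/** Returns the passphrase protecting the gateway identity key; callers must not log or persist it. @throws AliasServiceException if the credential store cannot be read */`. A one-line `@throws AliasServiceException` on each remaining method, stating that it signals a keystore access failure rather than an absent alias, would make the distinction explicit for every implementation.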
diff --git a/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/AliasServiceException.java b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/AliasServiceException.java new file mode 100644 index 0000000..f40561c --- /dev/null +++ b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/AliasServiceException.java @@ -0,0 +1,27 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.hadoop.gateway.services.security; + +@SuppressWarnings("serial") +public class AliasServiceException extends Exception { + + public AliasServiceException(Exception e) { + super(e); + } + +} http://git-wip-us.apache.org/repos/asf/knox/blob/370c292b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/KeystoreService.java ---------------------------------------------------------------------- diff --git a/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/KeystoreService.java b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/KeystoreService.java index 345ba44..04a35f4 100644 --- a/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/KeystoreService.java 
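Review bot: `AliasServiceException` offers only an `(Exception e)` constructor, so throw sites can wrap the cause but cannot say which alias, cluster or keystore failed — the diagnostic this commit is meant to provide — whereas `TokenServiceException` added in the same commit has the two-argument form. Add `public AliasServiceException(String message, Exception e) { super(message, e); }` next to the existing constructor. Messages built with it should name the alias and keystore file but never the credential value, since these exceptions end up in logs.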
+++ b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/KeystoreService.java @@ -26,7 +26,7 @@ public interface KeystoreService { public void addSelfSignedCertForGateway(String alias, char[] passphrase) throws KeystoreServiceException; - void addSelfSignedCertForGateway(String alias, char[] passphrase, String hostname); + void addSelfSignedCertForGateway(String alias, char[] passphrase, String hostname) throws KeystoreServiceException; public KeyStore getKeystoreForGateway() throws KeystoreServiceException; @@ -42,7 +42,7 @@ public interface KeystoreService { public void addCredentialForCluster(String clusterName, String alias, String key) throws KeystoreServiceException; - public void removeCredentialForCluster(String clusterName, String alias); + public void removeCredentialForCluster(String clusterName, String alias) throws KeystoreServiceException; public char[] getCredentialForCluster(String clusterName, String alias) throws KeystoreServiceException; } http://git-wip-us.apache.org/repos/asf/knox/blob/370c292b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/impl/BaseKeystoreService.java ---------------------------------------------------------------------- diff --git a/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/impl/BaseKeystoreService.java b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/impl/BaseKeystoreService.java index 726d9de..ce9a36c 100644 --- a/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/impl/BaseKeystoreService.java +++ b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/impl/BaseKeystoreService.java @@ -65,7 +65,7 @@ public class BaseKeystoreService { keyStore.load( null, masterPassword ); } - return keyStore; + return keyStore; } private static FileOutputStream createKeyStoreFile( String fileName ) throws IOException { 
@@ -143,18 +143,22 @@ public class BaseKeystoreService { return false; } - protected KeyStore getKeystore(final File keyStoreFile, String storeType) { + protected KeyStore getKeystore(final File keyStoreFile, String storeType) throws KeystoreServiceException { KeyStore credStore = null; try { credStore = loadKeyStore( keyStoreFile, masterService.getMasterSecret(), storeType); } catch (CertificateException e) { LOG.failedToLoadKeystore( keyStoreFile.getName(), storeType, e ); + throw new KeystoreServiceException(e); } catch (KeyStoreException e) { LOG.failedToLoadKeystore( keyStoreFile.getName(), storeType, e ); + throw new KeystoreServiceException(e); } catch (NoSuchAlgorithmException e) { LOG.failedToLoadKeystore( keyStoreFile.getName(), storeType, e ); + throw new KeystoreServiceException(e); } catch (IOException e) { LOG.failedToLoadKeystore( keyStoreFile.getName(), storeType, e ); + throw new KeystoreServiceException(e); } return credStore; } @@ -220,12 +224,10 @@ public class BaseKeystoreService { throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException { // TODO: backup the keystore on disk before attempting a write and restore on failure final FileOutputStream out = new FileOutputStream(file); - try - { + try { keyStore.store( out, masterService.getMasterSecret()); } - finally - { + finally { out.close(); } } http://git-wip-us.apache.org/repos/asf/knox/blob/370c292b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/impl/CMFKeystoreService.java ---------------------------------------------------------------------- diff --git a/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/impl/CMFKeystoreService.java b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/impl/CMFKeystoreService.java index 119eff5..06dad1c 100644 --- a/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/impl/CMFKeystoreService.java 
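Review bot: `getKeystore` now logs and rethrows in four identical catch blocks, and because it always throws on a load failure it no longer returns `null` on that path, so null checks on its result elsewhere (such as the `privateKS != null` test added to CMFKeystoreService in this commit) become dead code. If the build targets Java 7 or later the catches can be collapsed to `} catch (CertificateException | KeyStoreException | NoSuchAlgorithmException | IOException e) { LOG.failedToLoadKeystore(keyStoreFile.getName(), storeType, e); throw new KeystoreServiceException(e); }`. Either way the signature deserves a `@throws KeystoreServiceException if the keystore cannot be loaded with the master secret` so callers know the failure is reported by exception, not by a null return.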
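Review bot: `new FileOutputStream(file)` truncates the live keystore before `keyStore.store(...)` runs, so a failure during the store — the very condition this commit is trying to diagnose — leaves an empty or partial keystore on disk, and the `// TODO: backup the keystore on disk` comment this hunk keeps is still unaddressed. Writing to a sibling temp file and replacing the original only after a successful store closes that window without a separate backup step. The method's signature is outside the hunk (only its `throws` clause is visible), and `Files.move` needs `java.nio.file` imports that may not yet be present in this file and a Java 7+ target.
```java
// … unchanged: signature / throws clause …
final File tmp = new File(file.getPath() + ".tmp");
final FileOutputStream out = new FileOutputStream(tmp);
try {
  keyStore.store( out, masterService.getMasterSecret());
} finally {
  out.close();
}
// replace the live keystore only once the new one is completely written
Files.move(tmp.toPath(), file.toPath(), StandardCopyOption.REPLACE_EXISTING);
```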
+++ b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/impl/CMFKeystoreService.java @@ -60,12 +60,13 @@ public class CMFKeystoreService extends BaseKeystoreService { createKeystore(filename, "JKS"); } - public KeyStore getKeystore() { + public KeyStore getKeystore() throws KeystoreServiceException { final File keyStoreFile = new File( keyStoreDir + serviceName ); return getKeystore(keyStoreFile, "JKS"); } - public void addSelfSignedCert(String alias, char[] passphrase) { + public void addSelfSignedCert(String alias, char[] passphrase) + throws KeystoreServiceException { KeyPairGenerator keyPairGenerator; try { keyPairGenerator = KeyPairGenerator.getInstance("RSA"); @@ -74,11 +75,14 @@ public class CMFKeystoreService extends BaseKeystoreService { X509Certificate cert = X509CertificateUtil.generateCertificate(TEST_CERT_DN, KPair, 365, "SHA1withRSA"); KeyStore privateKS = getKeystore(); - privateKS.setKeyEntry(alias, KPair.getPrivate(), + if (privateKS != null) { + privateKS.setKeyEntry(alias, KPair.getPrivate(), passphrase, new java.security.cert.Certificate[]{cert}); - - writeKeystoreToFile(privateKS, new File( keyStoreDir + serviceName )); + writeKeystoreToFile(privateKS, new File( keyStoreDir + serviceName )); + } else { + throw new IOException("Unable to open gateway keystore."); + } } catch (NoSuchAlgorithmException e) { LOG.failedToAddSeflSignedCertForGateway(alias, e); } catch (GeneralSecurityException e) { 
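Review bot: The added `else { throw new IOException("Unable to open gateway keystore."); }` is reachable only when `getKeystore()` returns null, but after this commit `BaseKeystoreService.getKeystore` throws `KeystoreServiceException` on every load failure, so the branch is effectively dead and its message is wrong for a CMF service keystore (`keyStoreDir + serviceName`, not the gateway's). If kept as a guard, make it actionable: `throw new IOException("Unable to open keystore " + keyStoreDir + serviceName);`. Whether an `IOException` thrown here is caught by this method cannot be seen — the catch chain continues past the end of the hunk. Not introduced here, but the self-signed certificate in this same block is still generated with `"SHA1withRSA"`; `"SHA256withRSA"` would be the appropriate choice while this code is being touched.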
@@ -133,12 +137,12 @@ public class CMFKeystoreService extends BaseKeystoreService { return key; } - public KeyStore getCredentialStore() { + public KeyStore getCredentialStore() throws KeystoreServiceException { final File keyStoreFile = new File( keyStoreDir + serviceName + CREDENTIALS_SUFFIX ); return getKeystore(keyStoreFile, "JCEKS"); } - public void addCredential(String alias, String value) { + public void addCredential(String alias, String value) throws KeystoreServiceException { KeyStore ks = getCredentialStore(); addCredential(alias, value, ks); final File keyStoreFile = new File( keyStoreDir + serviceName + CREDENTIALS_SUFFIX ); @@ -155,7 +159,7 @@ public class CMFKeystoreService extends BaseKeystoreService { } } - public char[] getCredential(String alias) { + public char[] getCredential(String alias) throws KeystoreServiceException { char[] credential = null; KeyStore ks = getCredentialStore(); credential = getCredential(alias, credential, ks); http://git-wip-us.apache.org/repos/asf/knox/blob/370c292b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/JWTokenAuthority.java ---------------------------------------------------------------------- diff --git a/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/JWTokenAuthority.java b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/JWTokenAuthority.java index f2e4a3d..bb978bf 100644 --- a/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/JWTokenAuthority.java +++ b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/JWTokenAuthority.java 
@@ -25,15 +25,17 @@ import org.apache.hadoop.gateway.services.security.token.impl.JWTToken; public interface JWTokenAuthority { - JWTToken issueToken(Subject subject, String algorithm); + JWTToken issueToken(Subject subject, String algorithm) + throws TokenServiceException; - JWTToken issueToken(Principal p, String algorithm); + JWTToken issueToken(Principal p, String algorithm) + throws TokenServiceException; JWTToken issueToken(Principal p, String audience, - String algorithm); + String algorithm) throws TokenServiceException; - boolean verifyToken(JWTToken token); + boolean verifyToken(JWTToken token) throws TokenServiceException; JWTToken issueToken(Principal p, String audience, String algorithm, - long expires); + long expires) throws TokenServiceException; } \ No newline at end of file http://git-wip-us.apache.org/repos/asf/knox/blob/370c292b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/TokenServiceException.java ---------------------------------------------------------------------- diff --git a/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/TokenServiceException.java b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/TokenServiceException.java new file mode 100644 index 0000000..90518b5 --- /dev/null +++ b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/TokenServiceException.java 
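Review bot: `verifyToken` now declares `TokenServiceException`, but nothing states whether a tampered or unverifiable token is reported as `false` or as the exception; a filter that catches the exception and continues would accept forged tokens, so the contract must be explicit enough for callers to fail closed. Proposed Javadoc: `/** @return false if the token's signature does not verify; @throws TokenServiceException if verification could not be attempted (e.g. the verification key is unavailable) — callers must reject the request in both cases */`. The `issueToken` overloads likewise need a `@throws` note that no token is returned when the signing key cannot be obtained, which I read as the intended meaning given the keystore-failure theme of this commit.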
@@ -0,0 +1,30 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.hadoop.gateway.services.security.token; + +@SuppressWarnings("serial") +public class TokenServiceException extends Exception { + + public TokenServiceException(Exception e) { + super(e); + } + + public TokenServiceException(String message, Exception e) { + super(message, e); + } +}