This is an automated email from the ASF dual-hosted git repository. lmccay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/knox.git
The following commit(s) were added to refs/heads/master by this push: new 07cd031e1 KNOX-2772 - add configuration for jetty renegotiation (#605) 07cd031e1 is described below commit 07cd031e1ee2e6be14308749d61cb5a495a6fe11 Author: 南慧荣 <nanhuir...@gmail.com> AuthorDate: Wed Jul 27 01:20:06 2022 +0800 KNOX-2772 - add configuration for jetty renegotiation (#605) --- .../apache/knox/gateway/config/impl/GatewayConfigImpl.java | 6 ++++++ .../knox/gateway/services/security/impl/JettySSLService.java | 2 ++ .../knox/gateway/config/impl/GatewayConfigImplTest.java | 12 ++++++++++++ .../gateway/services/security/impl/JettySSLServiceTest.java | 1 + .../main/java/org/apache/knox/gateway/GatewayTestConfig.java | 5 +++++ .../java/org/apache/knox/gateway/config/GatewayConfig.java | 2 ++ 6 files changed, 28 insertions(+) diff --git a/gateway-server/src/main/java/org/apache/knox/gateway/config/impl/GatewayConfigImpl.java b/gateway-server/src/main/java/org/apache/knox/gateway/config/impl/GatewayConfigImpl.java index 3e45bac36..ba572a23b 100644 --- a/gateway-server/src/main/java/org/apache/knox/gateway/config/impl/GatewayConfigImpl.java +++ b/gateway-server/src/main/java/org/apache/knox/gateway/config/impl/GatewayConfigImpl.java @@ -177,6 +177,7 @@ public class GatewayConfigImpl extends Configuration implements GatewayConfig { private static final String SSL_EXCLUDE_PROTOCOLS = "ssl.exclude.protocols"; private static final String SSL_INCLUDE_CIPHERS = "ssl.include.ciphers"; private static final String SSL_EXCLUDE_CIPHERS = "ssl.exclude.ciphers"; + private static final String SSL_RENEGOTIATION = "ssl.renegotiation"; // END BACKWARD COMPATIBLE BLOCK public static final String DEFAULT_HTTP_PORT = "8888"; 
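Review bot: The new `SSL_RENEGOTIATION` constant is declared inside the group that ends two lines later with `// END BACKWARD COMPATIBLE BLOCK`; if that block is reserved for legacy, unprefixed property names kept only for compatibility, a newly introduced setting probably belongs with the current-convention keys instead, so that a reader does not take `ssl.renegotiation` for a deprecated alias. The rest of the class is outside the hunk, so I cannot see where the non-legacy SSL keys live; if all SSL keys are intentionally kept in this block, a short comment such as `// ssl.renegotiation: KNOX-2772, current setting, not a legacy alias` would remove the ambiguity.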
@@ -602,6 +603,11 @@ public class GatewayConfigImpl extends Configuration implements GatewayConfig { return list; } + @Override + public boolean isSSLRenegotiationAllowed() { + return getBoolean(SSL_RENEGOTIATION, true); + } + @Override public boolean isClientAuthNeeded() { return Boolean.parseBoolean(get( CLIENT_AUTH_NEEDED, "false" )); diff --git a/gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/JettySSLService.java b/gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/JettySSLService.java index 867e3df88..55f297ecf 100644 --- a/gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/JettySSLService.java +++ b/gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/JettySSLService.java @@ -224,6 +224,8 @@ public class JettySSLService implements SSLService { if (sslExcludeProtocols != null && !sslExcludeProtocols.isEmpty()) { sslContextFactory.setExcludeProtocols( sslExcludeProtocols.toArray(new String[0]) ); } + + sslContextFactory.setRenegotiationAllowed(config.isSSLRenegotiationAllowed()); return sslContextFactory; } diff --git a/gateway-server/src/test/java/org/apache/knox/gateway/config/impl/GatewayConfigImplTest.java b/gateway-server/src/test/java/org/apache/knox/gateway/config/impl/GatewayConfigImplTest.java index 5ec699b53..9fe737edd 100644 --- a/gateway-server/src/test/java/org/apache/knox/gateway/config/impl/GatewayConfigImplTest.java +++ b/gateway-server/src/test/java/org/apache/knox/gateway/config/impl/GatewayConfigImplTest.java 
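Review bot: `isSSLRenegotiationAllowed()` returns `getBoolean(SSL_RENEGOTIATION, true)`, so TLS renegotiation stays enabled for every deployment that does not explicitly set `ssl.renegotiation=false`; that preserves Jetty's existing behaviour, but it makes the hardening this option enables opt-in, and neither this override nor the matching declaration in GatewayConfig.java (last hunk of this commit) documents the key or the default. Please add Javadoc on both, e.g. `/** Whether the Jetty TLS listener may accept renegotiation; read from {@code ssl.renegotiation}, default {@code true}. Only TLS 1.2 and earlier support renegotiation, so it has no effect on TLS 1.3 connections. */`. If the project would rather be secure by default, switching the default to `false` is a behaviour change that should be called out in the release notes.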
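Review bot: The new `sslContextFactory.setRenegotiationAllowed(config.isSSLRenegotiationAllowed())` call applies the flag without reporting the effective value, so an operator auditing a running gateway has no way to confirm from the startup logs whether renegotiation is disabled, which matters because the default is `true`; the lines above only guard the exclude-protocols list. Suggest logging the value next to the other SSL context settings when the factory is built. When renegotiation is left enabled, Jetty's `SslContextFactory` also offers `setRenegotiationLimit(int)`, which caps how many renegotiations one connection may perform and is the usual mitigation for renegotiation-driven resource exhaustion; exposing it alongside this flag would make the option complete. The enclosing method starts before the hunk.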
@@ -167,6 +167,18 @@ public class GatewayConfigImplTest { assertThat( config.getExcludedSSLCiphers(), is(hasItems("ONE","TWO","THREE")) ); } + // KNOX-2772 + @Test + public void testisSSLRenegotiationAllowed() { + GatewayConfigImpl config = new GatewayConfigImpl(); + boolean isSSLRenegotiationAllowed = config.isSSLRenegotiationAllowed(); + assertThat( isSSLRenegotiationAllowed, is(true)); + + config.set("ssl.renegotiation", "false"); + isSSLRenegotiationAllowed = config.isSSLRenegotiationAllowed(); + assertThat( isSSLRenegotiationAllowed, is(false)); + } + @Test( timeout = TestUtils.SHORT_TIMEOUT ) public void testGlobalRulesServices() { GatewayConfigImpl config = new GatewayConfigImpl(); diff --git a/gateway-server/src/test/java/org/apache/knox/gateway/services/security/impl/JettySSLServiceTest.java b/gateway-server/src/test/java/org/apache/knox/gateway/services/security/impl/JettySSLServiceTest.java index eb667ea0d..51cdf0508 100644 --- a/gateway-server/src/test/java/org/apache/knox/gateway/services/security/impl/JettySSLServiceTest.java +++ b/gateway-server/src/test/java/org/apache/knox/gateway/services/security/impl/JettySSLServiceTest.java @@ -481,6 +481,7 @@ public class JettySSLServiceTest { expect(config.getIncludedSSLCiphers()).andReturn(null).atLeastOnce(); expect(config.getExcludedSSLCiphers()).andReturn(null).atLeastOnce(); expect(config.getExcludedSSLProtocols()).andReturn(null).atLeastOnce(); + expect(config.isSSLRenegotiationAllowed()).andReturn(true).atLeastOnce(); return config; } diff --git a/gateway-spi-common/src/main/java/org/apache/knox/gateway/GatewayTestConfig.java b/gateway-spi-common/src/main/java/org/apache/knox/gateway/GatewayTestConfig.java index 24d07b430..e493892bc 100644 --- a/gateway-spi-common/src/main/java/org/apache/knox/gateway/GatewayTestConfig.java +++ b/gateway-spi-common/src/main/java/org/apache/knox/gateway/GatewayTestConfig.java 
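Review bot: The new test is named `testisSSLRenegotiationAllowed`, which breaks the lowerCamelCase used by the neighbouring `testGlobalRulesServices`, and it carries a bare `@Test` while that neighbour uses `@Test( timeout = TestUtils.SHORT_TIMEOUT )`; rename it to `testIsSSLRenegotiationAllowed` and add the same timeout for consistency. The `// KNOX-2772` marker would serve readers better as Javadoc on the method, e.g. `/** KNOX-2772: ssl.renegotiation defaults to true and can be switched off. */`.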
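Review bot: The mocked `isSSLRenegotiationAllowed()` only ever returns `true`, which is also Jetty's own default, so this test would still pass if `JettySSLService` never called `setRenegotiationAllowed` at all; a second case where the mock returns `false` and the test asserts `isRenegotiationAllowed()` on the built `SslContextFactory` would actually prove the setting is wired through. The method that builds the mock config starts before the hunk.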
@@ -300,6 +300,11 @@ public class GatewayTestConfig extends Configuration implements GatewayConfig { return excludedSSLCiphers; } + @Override + public boolean isSSLRenegotiationAllowed() { + return true; + } + public void setExcludedSSLCiphers( List<String> list ) { excludedSSLCiphers = list; } diff --git a/gateway-spi/src/main/java/org/apache/knox/gateway/config/GatewayConfig.java b/gateway-spi/src/main/java/org/apache/knox/gateway/config/GatewayConfig.java index bf6eee3b1..68cf6ff15 100644 --- a/gateway-spi/src/main/java/org/apache/knox/gateway/config/GatewayConfig.java +++ b/gateway-spi/src/main/java/org/apache/knox/gateway/config/GatewayConfig.java @@ -177,6 +177,8 @@ public interface GatewayConfig { List<String> getExcludedSSLCiphers(); + boolean isSSLRenegotiationAllowed(); + boolean isHadoopKerberosSecured(); String getKerberosConfig();
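Review bot: `GatewayTestConfig.isSSLRenegotiationAllowed()` hard-codes `true`, so integration tests built on this config cannot exercise the disabled path, whereas the neighbouring `setExcludedSSLCiphers( List<String> list )` shows that sibling SSL settings are backed by a field with a setter; back this one by a field in the same way so a test can turn renegotiation off. The class body continues outside the hunk.
```java
  private boolean sslRenegotiationAllowed = true;

  @Override
  public boolean isSSLRenegotiationAllowed() {
    return sslRenegotiationAllowed;
  }

  public void setSSLRenegotiationAllowed( boolean allowed ) {
    sslRenegotiationAllowed = allowed;
  }
```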