[ https://issues.apache.org/jira/browse/KNOX-3085?focusedWorklogId=953352&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-953352 ]

ASF GitHub Bot logged work on KNOX-3085:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 21/Jan/25 15:23
            Start Date: 21/Jan/25 15:23
    Worklog Time Spent: 10m 
      Work Description: smolnar82 commented on code in PR #981:
URL: https://github.com/apache/knox/pull/981#discussion_r1923926079


##########
gateway-service-metadata/src/main/java/org/apache/knox/gateway/service/metadata/KnoxMetadataResource.java:
##########
@@ -169,32 +164,31 @@ private Response 
generateFailureFileDownloadResponse(Status status, String error
     return responseBuilder.build();
   }
 
-  private Certificate getPublicCertificate(GatewayServices gatewayServices, 
GatewayConfig config) {
+  private Certificate[] getPublicCertificates() {
     try {
-      final KeystoreService keystoreService = 
gatewayServices.getService(ServiceType.KEYSTORE_SERVICE);
-      return 
keystoreService.getKeystoreForGateway().getCertificate(config.getIdentityKeyAlias());
-    } catch (KeyStoreException | KeystoreServiceException e) {
+      return 
X509CertificateUtil.fetchPublicCertsFromServer(request.getRequestURL().toString(),
 true, null);
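Review bot: the new `getPublicCertificates()` body derives its target from `request.getRequestURL()`, which is built from the client-supplied Host header, so `X509CertificateUtil.fetchPublicCertsFromServer(...)` is asked to open an outbound TLS connection to whatever host:port the caller named; validate that host:port against the gateway's configured address (or an allow-list) before connecting, and fall back to the local keystore certificate that the removed code returned when the fetch fails. The hunk also drops the `catch (KeyStoreException | KeystoreServiceException e)` clause without showing its replacement, so make sure the exceptions the new utility throws are actually handled, and replace the bare `true, null` arguments with named variables or a comment saying what they select.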

Review Comment:
   This is why the build is failing:
   ```
   2025-01-15T21:06:09.1903508Z [ERROR] COMPILATION ERROR : 
   2025-01-15T21:06:09.1908060Z [INFO] -------------------------------------------------------------
   2025-01-15T21:06:09.1913374Z [ERROR] /home/runner/work/knox/knox/gateway-service-metadata/src/main/java/org/apache/knox/gateway/service/metadata/KnoxMetadataResource.java:[169,33] cannot find symbol
   2025-01-15T21:06:09.1919329Z   symbol:   method fetchPublicCertsFromServer(java.lang.String,boolean,<nulltype>)
   2025-01-15T21:06:09.1920613Z   location: class org.apache.knox.gateway.util.X509CertificateUtil
   2025-01-15T21:06:09.1922183Z [ERROR] /home/runner/work/knox/knox/gateway-service-metadata/src/main/java/org/apache/knox/gateway/service/metadata/KnoxMetadataResource.java:[180,28] cannot find symbol
   2025-01-15T21:06:09.1938355Z   symbol:   method writeCertificatesToFile(java.security.cert.Certificate[],java.io.File)
   2025-01-15T21:06:09.1939307Z   location: class org.apache.knox.gateway.util.X509CertificateUtil
   2025-01-15T21:06:09.1939866Z [INFO] 2 errors 
   ```





Issue Time Tracking
-------------------

    Worklog Id:     (was: 953352)
    Time Spent: 0.5h  (was: 20m)

> Metadata API should return the certificate chain (if any) instead of only the 
> configured Knox instance certificate
> ------------------------------------------------------------------------------------------------------------------
>
>                 Key: KNOX-3085
>                 URL: https://issues.apache.org/jira/browse/KNOX-3085
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>    Affects Versions: 2.1.0
>            Reporter: Philip Zampino
>            Assignee: Philip Zampino
>            Priority: Major
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> Currently if you hit the Knox metadata API, it will return the 
> locally-configured Knox certificate. This works great if there is nothing 
> between the client and Knox. When a LB is in the middle, the returned 
> certificate is incorrect. The certificate that should be returned is one for 
> the endpoint that is accessed. This means we should try to return the LB 
> certificate if there is a LB.
> Since we know what URL was accessed to hit the metadata API, Knox itself 
> should be able to grab the certificate chain for that host:port and return 
> the PEM and JKS version of it. This will require basically doing an `openssl 
> s_client -connect host:port` from Java and converting into the correct 
> format. Conveniently, the Knox CLI has something like this today that 
> downloads the Knox certificate. We should be able to reuse the same logic in 
> the metadata API and return the correct certificate information.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
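The step the issue description sketches, doing the equivalent of `openssl s_client -connect host:port` from Java and converting the presented chain to PEM, shown as an added example; this is not Knox's own code nor the PR's `X509CertificateUtil`, and the class name, the default host `knox.example.com` and port 8443 are placeholders chosen here.

```java
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class PublicCertChainFetcher {
  // Records the chain the server presents during the handshake. It makes no
  // trust decision and exists only so the chain can be captured for display,
  // which is what `openssl s_client` does when it prints the peer's chain.
  private static final class ChainCapturingTrustManager implements X509TrustManager {
    X509Certificate[] chain = new X509Certificate[0];
    @Override public void checkServerTrusted(X509Certificate[] c, String authType) { chain = c; }
    @Override public void checkClientTrusted(X509Certificate[] c, String authType) { }
    @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
  }

  /** Handshake with host:port and return the presented chain, leaf certificate first. */
  public static X509Certificate[] fetchChain(String host, int port) throws Exception {
    ChainCapturingTrustManager tm = new ChainCapturingTrustManager();
    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(null, new TrustManager[] { tm }, null);
    try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
      socket.setSoTimeout(5_000);   // do not hang on a peer that never completes the handshake
      socket.startHandshake();
    }
    return tm.chain;
  }

  /** Concatenate every certificate in the chain as RFC 7468 PEM blocks. */
  public static String toPem(Certificate[] chain) throws Exception {
    Base64.Encoder enc = Base64.getMimeEncoder(64, new byte[] { '\n' });
    StringBuilder pem = new StringBuilder();
    for (Certificate cert : chain) {
      pem.append("-----BEGIN CERTIFICATE-----\n")
         .append(enc.encodeToString(cert.getEncoded())).append('\n')
         .append("-----END CERTIFICATE-----\n");
    }
    return pem.toString();
  }

  public static void main(String[] args) throws Exception {
    // Placeholder endpoint; in Knox the host:port would come from the request URL after validation.
    String host = args.length > 0 ? args[0] : "knox.example.com";
    int port = args.length > 1 ? Integer.parseInt(args[1]) : 8443;
    System.out.print(toPem(fetchChain(host, port)));
  }
}
```

With a load balancer terminating TLS in front of Knox, the chain printed for the LB's host:port is the one clients actually see, which is the case the issue wants the metadata API to cover.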