keith-turner closed pull request #371: ACCUMULO-4792 Improve crypto
configuration checks
URL: https://github.com/apache/accumulo/pull/371
This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:
As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):
diff --git
a/core/src/main/java/org/apache/accumulo/core/conf/ConfigSanityCheck.java
b/core/src/main/java/org/apache/accumulo/core/conf/ConfigSanityCheck.java
index f787d5e7f2..33453be436 100644
--- a/core/src/main/java/org/apache/accumulo/core/conf/ConfigSanityCheck.java
+++ b/core/src/main/java/org/apache/accumulo/core/conf/ConfigSanityCheck.java
@@ -31,6 +31,9 @@
private static final Logger log =
LoggerFactory.getLogger(ConfigSanityCheck.class);
private static final String PREFIX = "BAD CONFIG ";
+ private static final String NULL_CIPHER = "NullCipher";
+ private static final String NULL_CRYPTO_MODULE = "NullCryptoModule";
+ private static final String NULL_SECRET_KEY_ENCRYPTION_STRATEGY =
"NullSecretKeyEncryptionStrategy";
@SuppressWarnings("deprecation")
private static final Property INSTANCE_DFS_URI = Property.INSTANCE_DFS_URI;
@SuppressWarnings("deprecation")
@@ -49,8 +52,10 @@
public static void validate(Iterable<Entry<String,String>> entries) {
String instanceZkTimeoutValue = null;
boolean usingVolumes = false;
- String cipherSuite = null;
- String keyAlgorithm = null;
+ String cipherSuite = NULL_CIPHER;
+ String keyAlgorithm = NULL_CIPHER;
+ String secretKeyEncryptionStrategy = NULL_SECRET_KEY_ENCRYPTION_STRATEGY;
+ String cryptoModule = NULL_CRYPTO_MODULE;
for (Entry<String,String> entry : entries) {
String key = entry.getKey();
String value = entry.getValue();
@@ -81,13 +86,20 @@ else if (!prop.getType().isValidFormat(value))
if (key.equals(Property.CRYPTO_CIPHER_SUITE.getKey())) {
cipherSuite = Objects.requireNonNull(value);
- Preconditions.checkArgument(cipherSuite.equals("NullCipher") ||
cipherSuite.split("/").length == 3,
+ Preconditions.checkArgument(cipherSuite.equals(NULL_CIPHER) ||
cipherSuite.split("/").length == 3,
"Cipher suite must be NullCipher or in the form
algorithm/mode/padding. Suite: " + cipherSuite + " is invalid.");
}
if (key.equals(Property.CRYPTO_CIPHER_KEY_ALGORITHM_NAME.getKey())) {
keyAlgorithm = Objects.requireNonNull(value);
}
+
+ if (key.equals(Property.CRYPTO_MODULE_CLASS.getKey())) {
+ cryptoModule = Objects.requireNonNull(value);
+ }
+ if
(key.equals(Property.CRYPTO_SECRET_KEY_ENCRYPTION_STRATEGY_CLASS.getKey())) {
+ secretKeyEncryptionStrategy = Objects.requireNonNull(value);
+ }
}
if (instanceZkTimeoutValue != null) {
@@ -98,12 +110,12 @@ else if (!prop.getType().isValidFormat(value))
log.warn("Use of {} and {} are deprecated. Consider using {} instead.",
INSTANCE_DFS_URI, INSTANCE_DFS_DIR, Property.INSTANCE_VOLUMES);
}
- if (cipherSuite.equals("NullCipher") &&
!keyAlgorithm.equals("NullCipher")) {
- fatal(Property.CRYPTO_CIPHER_SUITE.getKey() + " should be configured
when " + Property.CRYPTO_CIPHER_KEY_ALGORITHM_NAME.getKey() + " is set.");
+ if ((cipherSuite.equals(NULL_CIPHER) || keyAlgorithm.equals(NULL_CIPHER))
&& !cipherSuite.equals(keyAlgorithm)) {
+ fatal(Property.CRYPTO_CIPHER_SUITE.getKey() + " and " +
Property.CRYPTO_CIPHER_KEY_ALGORITHM_NAME + " must both be configured.");
}
- if (!cipherSuite.equals("NullCipher") &&
keyAlgorithm.equals("NullCipher")) {
- fatal(Property.CRYPTO_CIPHER_KEY_ALGORITHM_NAME.getKey() + " should be
configured when " + Property.CRYPTO_CIPHER_SUITE.getKey() + " is set.");
+ if (cryptoModule.equals(NULL_CRYPTO_MODULE) ^
secretKeyEncryptionStrategy.equals(NULL_SECRET_KEY_ENCRYPTION_STRATEGY)) {
+ fatal(Property.CRYPTO_MODULE_CLASS.getKey() + " and " +
Property.CRYPTO_SECRET_KEY_ENCRYPTION_STRATEGY_CLASS.getKey() + " must both be
configured.");
}
}
diff --git
a/core/src/test/java/org/apache/accumulo/core/conf/ConfigSanityCheckTest.java
b/core/src/test/java/org/apache/accumulo/core/conf/ConfigSanityCheckTest.java
index 9f2ff8efce..f359b4ef74 100644
---
a/core/src/test/java/org/apache/accumulo/core/conf/ConfigSanityCheckTest.java
+++
b/core/src/test/java/org/apache/accumulo/core/conf/ConfigSanityCheckTest.java
@@ -28,8 +28,6 @@
@Before
public void setUp() {
m = new java.util.HashMap<>();
- m.put(Property.CRYPTO_CIPHER_SUITE.getKey(), "NullCipher");
- m.put(Property.CRYPTO_CIPHER_KEY_ALGORITHM_NAME.getKey(), "NullCipher");
}
@Test
@@ -93,4 +91,32 @@ public void testFail_cipherSuiteNotSetKeyAlgorithmSet() {
m.put(Property.CRYPTO_CIPHER_KEY_ALGORITHM_NAME.getKey(), "AES");
ConfigSanityCheck.validate(m.entrySet());
}
+
+ @Test(expected = SanityCheckException.class)
+ public void testFail_cryptoModuleSetSecretKeyEncryptionStrategyNotSet() {
+ m.put(Property.CRYPTO_MODULE_CLASS.getKey(), "DefaultCryptoModule");
+ m.put(Property.CRYPTO_SECRET_KEY_ENCRYPTION_STRATEGY_CLASS.getKey(),
"NullSecretKeyEncryptionStrategy");
+ ConfigSanityCheck.validate(m.entrySet());
+ }
+
+ @Test(expected = SanityCheckException.class)
+ public void testFail_cryptoModuleNotSetSecretKeyEncryptionStrategySet() {
+ m.put(Property.CRYPTO_MODULE_CLASS.getKey(), "NullCryptoModule");
+ m.put(Property.CRYPTO_SECRET_KEY_ENCRYPTION_STRATEGY_CLASS.getKey(),
"SecretKeyEncryptionStrategy");
+ ConfigSanityCheck.validate(m.entrySet());
+ }
+
+ @Test
+ public void testPass_cryptoModuleAndSecretKeyEncryptionStrategyBothNull() {
+ m.put(Property.CRYPTO_MODULE_CLASS.getKey(), "NullCryptoModule");
+ m.put(Property.CRYPTO_SECRET_KEY_ENCRYPTION_STRATEGY_CLASS.getKey(),
"NullSecretKeyEncryptionStrategy");
+ ConfigSanityCheck.validate(m.entrySet());
+ }
+
+ @Test
+ public void testPass_cryptoModuleAndSecretKeyEncryptionStrategyBothSet() {
+ m.put(Property.CRYPTO_MODULE_CLASS.getKey(), "DefaultCryptoModule");
+ m.put(Property.CRYPTO_SECRET_KEY_ENCRYPTION_STRATEGY_CLASS.getKey(),
"SecretKeyEncryptionStrategy");
+ ConfigSanityCheck.validate(m.entrySet());
+ }
}
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
With regards,
Apache Git Services
