keith-turner closed pull request #371: ACCUMULO-4792 Improve crypto configuration checks URL: https://github.com/apache/accumulo/pull/371
This is a PR merged from a forked repository. As GitHub hides the original diff on merge, it is displayed below for the sake of provenance: As this is a foreign pull request (from a fork), the diff is supplied below (as it won't show otherwise due to GitHub magic): diff --git a/core/src/main/java/org/apache/accumulo/core/conf/ConfigSanityCheck.java b/core/src/main/java/org/apache/accumulo/core/conf/ConfigSanityCheck.java index f787d5e7f2..33453be436 100644 --- a/core/src/main/java/org/apache/accumulo/core/conf/ConfigSanityCheck.java +++ b/core/src/main/java/org/apache/accumulo/core/conf/ConfigSanityCheck.java @@ -31,6 +31,9 @@ private static final Logger log = LoggerFactory.getLogger(ConfigSanityCheck.class); private static final String PREFIX = "BAD CONFIG "; + private static final String NULL_CIPHER = "NullCipher"; + private static final String NULL_CRYPTO_MODULE = "NullCryptoModule"; + private static final String NULL_SECRET_KEY_ENCRYPTION_STRATEGY = "NullSecretKeyEncryptionStrategy"; @SuppressWarnings("deprecation") private static final Property INSTANCE_DFS_URI = Property.INSTANCE_DFS_URI; @SuppressWarnings("deprecation") @@ -49,8 +52,10 @@ public static void validate(Iterable<Entry<String,String>> entries) { String instanceZkTimeoutValue = null; boolean usingVolumes = false; - String cipherSuite = null; - String keyAlgorithm = null; + String cipherSuite = NULL_CIPHER; + String keyAlgorithm = NULL_CIPHER; + String secretKeyEncryptionStrategy = NULL_SECRET_KEY_ENCRYPTION_STRATEGY; + String cryptoModule = NULL_CRYPTO_MODULE; for (Entry<String,String> entry : entries) { String key = entry.getKey(); String value = entry.getValue(); @@ -81,13 +86,20 @@ else if (!prop.getType().isValidFormat(value)) if (key.equals(Property.CRYPTO_CIPHER_SUITE.getKey())) { cipherSuite = Objects.requireNonNull(value); - Preconditions.checkArgument(cipherSuite.equals("NullCipher") || cipherSuite.split("/").length == 3, + Preconditions.checkArgument(cipherSuite.equals(NULL_CIPHER) || cipherSuite.split("/").length == 3, "Cipher suite must be NullCipher or in the form algorithm/mode/padding. Suite: " + cipherSuite + " is invalid."); } if (key.equals(Property.CRYPTO_CIPHER_KEY_ALGORITHM_NAME.getKey())) { keyAlgorithm = Objects.requireNonNull(value); } + + if (key.equals(Property.CRYPTO_MODULE_CLASS.getKey())) { + cryptoModule = Objects.requireNonNull(value); + } + if (key.equals(Property.CRYPTO_SECRET_KEY_ENCRYPTION_STRATEGY_CLASS.getKey())) { + secretKeyEncryptionStrategy = Objects.requireNonNull(value); + } } if (instanceZkTimeoutValue != null) { @@ -98,12 +110,12 @@ else if (!prop.getType().isValidFormat(value)) log.warn("Use of {} and {} are deprecated. Consider using {} instead.", INSTANCE_DFS_URI, INSTANCE_DFS_DIR, Property.INSTANCE_VOLUMES); } - if (cipherSuite.equals("NullCipher") && !keyAlgorithm.equals("NullCipher")) { - fatal(Property.CRYPTO_CIPHER_SUITE.getKey() + " should be configured when " + Property.CRYPTO_CIPHER_KEY_ALGORITHM_NAME.getKey() + " is set."); + if ((cipherSuite.equals(NULL_CIPHER) || keyAlgorithm.equals(NULL_CIPHER)) && !cipherSuite.equals(keyAlgorithm)) { + fatal(Property.CRYPTO_CIPHER_SUITE.getKey() + " and " + Property.CRYPTO_CIPHER_KEY_ALGORITHM_NAME + " must both be configured."); } - if (!cipherSuite.equals("NullCipher") && keyAlgorithm.equals("NullCipher")) { - fatal(Property.CRYPTO_CIPHER_KEY_ALGORITHM_NAME.getKey() + " should be configured when " + Property.CRYPTO_CIPHER_SUITE.getKey() + " is set."); + if (cryptoModule.equals(NULL_CRYPTO_MODULE) ^ secretKeyEncryptionStrategy.equals(NULL_SECRET_KEY_ENCRYPTION_STRATEGY)) { + fatal(Property.CRYPTO_MODULE_CLASS.getKey() + " and " + Property.CRYPTO_SECRET_KEY_ENCRYPTION_STRATEGY_CLASS.getKey() + " must both be configured."); } } diff --git a/core/src/test/java/org/apache/accumulo/core/conf/ConfigSanityCheckTest.java b/core/src/test/java/org/apache/accumulo/core/conf/ConfigSanityCheckTest.java index 9f2ff8efce..f359b4ef74 100644 --- a/core/src/test/java/org/apache/accumulo/core/conf/ConfigSanityCheckTest.java +++ b/core/src/test/java/org/apache/accumulo/core/conf/ConfigSanityCheckTest.java @@ -28,8 +28,6 @@ @Before public void setUp() { m = new java.util.HashMap<>(); - m.put(Property.CRYPTO_CIPHER_SUITE.getKey(), "NullCipher"); - m.put(Property.CRYPTO_CIPHER_KEY_ALGORITHM_NAME.getKey(), "NullCipher"); } @Test @@ -93,4 +91,32 @@ public void testFail_cipherSuiteNotSetKeyAlgorithmSet() { m.put(Property.CRYPTO_CIPHER_KEY_ALGORITHM_NAME.getKey(), "AES"); ConfigSanityCheck.validate(m.entrySet()); } + + @Test(expected = SanityCheckException.class) + public void testFail_cryptoModuleSetSecretKeyEncryptionStrategyNotSet() { + m.put(Property.CRYPTO_MODULE_CLASS.getKey(), "DefaultCryptoModule"); + m.put(Property.CRYPTO_SECRET_KEY_ENCRYPTION_STRATEGY_CLASS.getKey(), "NullSecretKeyEncryptionStrategy"); + ConfigSanityCheck.validate(m.entrySet()); + } + + @Test(expected = SanityCheckException.class) + public void testFail_cryptoModuleNotSetSecretKeyEncryptionStrategySet() { + m.put(Property.CRYPTO_MODULE_CLASS.getKey(), "NullCryptoModule"); + m.put(Property.CRYPTO_SECRET_KEY_ENCRYPTION_STRATEGY_CLASS.getKey(), "SecretKeyEncryptionStrategy"); + ConfigSanityCheck.validate(m.entrySet()); + } + + @Test + public void testPass_cryptoModuleAndSecretKeyEncryptionStrategyBothNull() { + m.put(Property.CRYPTO_MODULE_CLASS.getKey(), "NullCryptoModule"); + m.put(Property.CRYPTO_SECRET_KEY_ENCRYPTION_STRATEGY_CLASS.getKey(), "NullSecretKeyEncryptionStrategy"); + ConfigSanityCheck.validate(m.entrySet()); + } + + @Test + public void testPass_cryptoModuleAndSecretKeyEncryptionStrategyBothSet() { + m.put(Property.CRYPTO_MODULE_CLASS.getKey(), "DefaultCryptoModule"); + m.put(Property.CRYPTO_SECRET_KEY_ENCRYPTION_STRATEGY_CLASS.getKey(), "SecretKeyEncryptionStrategy"); + ConfigSanityCheck.validate(m.entrySet()); + } } ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services