knox-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From lmc...@apache.org
Subject knox git commit: KNOX-742 - Export Commands in KnoxCLI for the gateway-identity Public Cert
Date Tue, 23 Aug 2016 13:00:40 GMT
Repository: knox
Updated Branches:
  refs/heads/master b37e4293d -> e5ef45aae


KNOX-742 - Export Commands in KnoxCLI for the gateway-identity Public Cert

Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/e5ef45aa
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/e5ef45aa
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/e5ef45aa

Branch: refs/heads/master
Commit: e5ef45aaecd5dc7372403302fb8be21e485f3a45
Parents: b37e429
Author: Larry McCay <lmccay@hortonworks.com>
Authored: Tue Aug 23 09:00:22 2016 -0400
Committer: Larry McCay <lmccay@hortonworks.com>
Committed: Tue Aug 23 09:00:22 2016 -0400

----------------------------------------------------------------------
 .../org/apache/hadoop/gateway/util/KnoxCLI.java | 98 +++++++++++++++++++-
 .../apache/hadoop/gateway/util/KnoxCLITest.java | 47 ++++++++++
 .../security/impl/X509CertificateUtil.java      | 36 +++++++
 3 files changed, 180 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/knox/blob/e5ef45aa/gateway-server/src/main/java/org/apache/hadoop/gateway/util/KnoxCLI.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/util/KnoxCLI.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/util/KnoxCLI.java
index c865bfb..acb2034 100644
--- a/gateway-server/src/main/java/org/apache/hadoop/gateway/util/KnoxCLI.java
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/util/KnoxCLI.java
@@ -20,12 +20,15 @@ package org.apache.hadoop.gateway.util;
 import java.io.BufferedReader;
 import java.io.Console;
 import java.io.File;
+import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.io.PrintStream;
 import java.net.InetAddress;
 import java.net.UnknownHostException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateEncodingException;
 import java.util.Arrays;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -52,6 +55,7 @@ import org.apache.hadoop.gateway.services.security.AliasService;
 import org.apache.hadoop.gateway.services.security.KeystoreService;
 import org.apache.hadoop.gateway.services.security.KeystoreServiceException;
 import org.apache.hadoop.gateway.services.security.MasterService;
+import org.apache.hadoop.gateway.services.security.impl.X509CertificateUtil;
 import org.apache.hadoop.gateway.services.topology.TopologyService;
 import org.apache.hadoop.gateway.topology.Provider;
 import org.apache.hadoop.gateway.topology.Topology;
@@ -89,6 +93,7 @@ public class KnoxCLI extends Configured implements Tool {
       "   [" + VersionCommand.USAGE + "]\n" +
       "   [" + MasterCreateCommand.USAGE + "]\n" +
       "   [" + CertCreateCommand.USAGE + "]\n" +
+      "   [" + CertExportCommand.USAGE + "]\n" +
       "   [" + AliasCreateCommand.USAGE + "]\n" +
       "   [" + AliasDeleteCommand.USAGE + "]\n" +
       "   [" + AliasListCommand.USAGE + "]\n" +
@@ -121,6 +126,7 @@ public class KnoxCLI extends Configured implements Tool {
 
   // For testing only
   private String master = null;
+  private String type = null;
 
   /* (non-Javadoc)
    * @see org.apache.hadoop.util.Tool#run(java.lang.String[])
@@ -226,6 +232,12 @@ public class KnoxCLI extends Configured implements Tool {
           printKnoxShellUsage();
           return -1;
         }
+      } else if (args[i].equals("export-cert")) {
+        command = new CertExportCommand();
+        if ((args.length > i + 1) && args[i + 1].equals("--help")) {
+          printKnoxShellUsage();
+          return -1;
+        }
       }else if(args[i].equals("user-auth-test")) {
         if(i + 1 >= args.length) {
           printKnoxShellUsage();
@@ -240,7 +252,6 @@ public class KnoxCLI extends Configured implements Tool {
         } else {
           command = new LDAPSysBindCommand();
         }
-
       } else if (args[i].equals("list-alias")) {
         command = new AliasListCommand();
       } else if (args[i].equals("--value")) {
@@ -284,6 +295,12 @@ public class KnoxCLI extends Configured implements Tool {
         } else {
           this.generate = "true";
         }
+      } else if(args[i].equals("--type")) {
+        if( i+1 >= args.length || args[i+1].startsWith( "-" ) ) {
+          printKnoxShellUsage();
+          return -1;
+        }
+        this.type = args[++i];
       } else if(args[i].equals("--path")) {
         if( i+1 >= args.length || args[i+1].startsWith( "-" ) ) {
           printKnoxShellUsage();
@@ -360,6 +377,9 @@ public class KnoxCLI extends Configured implements Tool {
       out.println( CertCreateCommand.USAGE + "\n\n" + CertCreateCommand.DESC );
       out.println();
       out.println( div );
+      out.println( CertExportCommand.USAGE + "\n\n" + CertExportCommand.DESC );
+      out.println();
+      out.println( div );
       out.println( AliasCreateCommand.USAGE + "\n\n" + AliasCreateCommand.DESC );
       out.println();
       out.println( div );
@@ -464,6 +484,82 @@ public class KnoxCLI extends Configured implements Tool {
    }
  }
 
+ public class CertExportCommand extends Command {
+
+   public static final String USAGE = "export-cert";
+   public static final String DESC = "The export-cert command exports the public certificate\n"
+
+                                     "from the a gateway.jks keystore with the alias of gateway-identity.";
+   private static final String GATEWAY_CREDENTIAL_STORE_NAME = "__gateway";
+   private static final String GATEWAY_IDENTITY_PASSPHRASE = "gateway-identity-passphrase";
+
+    public CertExportCommand() {
+    }
+
+    private GatewayConfig getGatewayConfig() {
+      GatewayConfig result;
+      Configuration conf = getConf();
+      if( conf != null && conf instanceof GatewayConfig ) {
+        result = (GatewayConfig)conf;
+      } else {
+        result = new GatewayConfigImpl();
+      }
+      return result;
+    }
+
+    /* (non-Javadoc)
+     * @see org.apache.hadoop.gateway.util.KnoxCLI.Command#execute()
+     */
+    @Override
+    public void execute() throws Exception {
+      KeystoreService ks = getKeystoreService();
+
+      AliasService as = getAliasService();
+
+      if (ks != null) {
+        try {
+          if (!ks.isKeystoreForGatewayAvailable()) {
+            out.println("No keystore has been created for the gateway. Please use the create-cert
command or populate with a CA signed cert of your own.");
+          }
+          char[] passphrase = as.getPasswordFromAliasForCluster(GATEWAY_CREDENTIAL_STORE_NAME,
GATEWAY_IDENTITY_PASSPHRASE);
+          if (passphrase == null) {
+            MasterService ms = services.getService("MasterService");
+            passphrase = ms.getMasterSecret();
+          }
+          Certificate cert = ks.getKeystoreForGateway().getCertificate("gateway-identity");
+          String keyStoreDir = getGatewayConfig().getGatewaySecurityDir() + File.separator
+ "keystores" + File.separator;
+          File ksd = new File(keyStoreDir);
+          if (!ksd.exists()) {
+            if( !ksd.mkdirs() ) {
+              // certainly should not happen if the keystore is known to be available
+              throw new ServiceLifecycleException("Unable to create keystores directory"
+ ksd.getAbsolutePath());
+            }
+          }
+          if ("PEM".equals(type) || type == null) {
+            X509CertificateUtil.writeCertificateToFile(cert, new File(keyStoreDir + "gateway-identity.pem"));
+            out.println("Certificate gateway-identity has been successfully exported to:
" + keyStoreDir + "gateway-identity.pem");
+          }
+          else if ("JKS".equals(type)) {
+            X509CertificateUtil.writeCertificateToJKS(cert, new File(keyStoreDir + "gateway-client-trust.jks"));
+            out.println("Certificate gateway-identity has been successfully exported to:
" + keyStoreDir + "gateway-client-trust.jks");
+          }
+          else {
+            out.println("Invalid type for export file provided. Export has not been done.
Please use: [PEM|JKS] default value is PEM.");
+          }
+        } catch (KeystoreServiceException e) {
+          throw new ServiceLifecycleException("Keystore was not loaded properly - the provided
(or persisted) master secret may not match the password for the keystore.", e);
+        }
+      }
+    }
+
+    /* (non-Javadoc)
+     * @see org.apache.hadoop.gateway.util.KnoxCLI.Command#getUsage()
+     */
+    @Override
+    public String getUsage() {
+      return USAGE + ":\n\n" + DESC;
+    }
+  }
+
  public class CertCreateCommand extends Command {
 
   public static final String USAGE = "create-cert [--hostname h]";

http://git-wip-us.apache.org/repos/asf/knox/blob/e5ef45aa/gateway-server/src/test/java/org/apache/hadoop/gateway/util/KnoxCLITest.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/test/java/org/apache/hadoop/gateway/util/KnoxCLITest.java
b/gateway-server/src/test/java/org/apache/hadoop/gateway/util/KnoxCLITest.java
index 4e8c08e..8eed6ab 100644
--- a/gateway-server/src/test/java/org/apache/hadoop/gateway/util/KnoxCLITest.java
+++ b/gateway-server/src/test/java/org/apache/hadoop/gateway/util/KnoxCLITest.java
@@ -312,6 +312,53 @@ public class KnoxCLITest {
   }
 
   @Test
+  public void testExportCert() throws Exception {
+    GatewayConfigImpl config = new GatewayConfigImpl();
+    FileUtils.deleteQuietly( new File( config.getGatewaySecurityDir() ) );
+    createTestMaster();
+    outContent.reset();
+    KnoxCLI cli = new KnoxCLI();
+    cli.setConf( config );
+    String[] gwCreateArgs = {"create-cert", "--hostname", "hostname1", "--master", "master"};
+    int rc = 0;
+    rc = cli.run(gwCreateArgs);
+    assertEquals(0, rc);
+    assertTrue(outContent.toString(), outContent.toString().contains("gateway-identity has
been successfully " +
+        "created."));
+
+    outContent.reset();
+    String[] gwCreateArgs2 = {"export-cert", "--type", "PEM"};
+    rc = 0;
+    rc = cli.run(gwCreateArgs2);
+    assertEquals(0, rc);
+    assertTrue(outContent.toString(), outContent.toString().contains("Certificate gateway-identity
has been successfully exported to"));
+    assertTrue(outContent.toString(), outContent.toString().contains("gateway-identity.pem"));
+
+    outContent.reset();
+    String[] gwCreateArgs2_5 = {"export-cert"};
+    rc = 0;
+    rc = cli.run(gwCreateArgs2_5);
+    assertEquals(0, rc);
+    assertTrue(outContent.toString(), outContent.toString().contains("Certificate gateway-identity
has been successfully exported to"));
+    assertTrue(outContent.toString(), outContent.toString().contains("gateway-identity.pem"));
+
+    outContent.reset();
+    String[] gwCreateArgs3 = {"export-cert", "--type", "JKS"};
+    rc = 0;
+    rc = cli.run(gwCreateArgs3);
+    assertEquals(0, rc);
+    assertTrue(outContent.toString(), outContent.toString().contains("Certificate gateway-identity
has been successfully exported to"));
+    assertTrue(outContent.toString(), outContent.toString().contains("gateway-client-trust.jks"));
+
+    outContent.reset();
+    String[] gwCreateArgs4 = {"export-cert", "--type", "invalid"};
+    rc = 0;
+    rc = cli.run(gwCreateArgs4);
+    assertEquals(0, rc);
+    assertTrue(outContent.toString(), outContent.toString().contains("Invalid type for export
file provided."));
+  }
+
+  @Test
   public void testCreateMaster() throws Exception {
     GatewayConfigImpl config = new GatewayConfigImpl();
     FileUtils.deleteQuietly( new File( config.getGatewaySecurityDir() ) );

http://git-wip-us.apache.org/repos/asf/knox/blob/e5ef45aa/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/impl/X509CertificateUtil.java
----------------------------------------------------------------------
diff --git a/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/impl/X509CertificateUtil.java
b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/impl/X509CertificateUtil.java
index 936356d..9035b85 100644
--- a/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/impl/X509CertificateUtil.java
+++ b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/impl/X509CertificateUtil.java
@@ -17,6 +17,8 @@
  */
 package org.apache.hadoop.gateway.services.security.impl;
 
+import java.io.File;
+import java.io.FileOutputStream;
 import java.io.IOException;
 import java.lang.reflect.Constructor;
 import java.lang.reflect.Field;
@@ -25,13 +27,20 @@ import java.lang.reflect.Method;
 import java.math.BigInteger;
 import java.security.GeneralSecurityException;
 import java.security.KeyPair;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
 import java.security.PrivateKey;
 import java.security.PublicKey;
 import java.security.SecureRandom;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import java.util.Date;
 
 import org.apache.hadoop.gateway.i18n.messages.MessagesFactory;
+import org.apache.commons.codec.binary.Base64;
 import org.apache.hadoop.gateway.i18n.GatewaySpiMessages;
 
 public class X509CertificateUtil {
@@ -263,5 +272,32 @@ public class X509CertificateUtil {
     String fieldValue = (String) privateStringField.get(obj);
     return fieldValue;
   }
+
+  public static void writeCertificateToFile(Certificate cert, final File file)
+       throws CertificateEncodingException, IOException {
+    byte[] bytes = cert.getEncoded();
+    final FileOutputStream out = new FileOutputStream( file );
+    Base64 encoder = new Base64( 76, "\n".getBytes( "ASCII" ) );
+    try {
+      out.write( "-----BEGIN CERTIFICATE-----\n".getBytes( "ASCII" ) );
+      out.write( encoder.encodeToString( bytes ).getBytes( "ASCII" ) );
+      out.write( "-----END CERTIFICATE-----\n".getBytes( "ASCII" ) );
+    } finally {
+      out.close();
+    }
+  }
+
+  public static void writeCertificateToJKS(Certificate cert, final File file)
+      throws IOException, KeyStoreException, NoSuchAlgorithmException, CertificateException
{
+    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
+
+    char[] password = "changeme".toCharArray();
+    ks.load(null, password);
+    ks.setCertificateEntry("gateway-identity", cert);
+
+    FileOutputStream fos = new FileOutputStream(file);
+    ks.store(fos, password);
+    fos.close();
+  }
 }
 


Mime
View raw message