[NO ISSUE][HYR][NET] += trust store to sec cfg
Change-Id: I358eb5b9b0f0f40b1588c12ed473e4e920e8fbbe
Reviewed-on: https://asterix-gerrit.ics.uci.edu/c/asterixdb/+/14184
Integration-Tests: Jenkins <jenkins@fulliautomatix.ics.uci.edu>
Tested-by: Jenkins <jenkins@fulliautomatix.ics.uci.edu>
Reviewed-by: Michael Blow <mblow@apache.org>
Reviewed-by: Ian Maxon <imaxon@uci.edu>
diff --git a/hyracks-fullstack/hyracks/hyracks-api/src/main/java/org/apache/hyracks/api/network/INetworkSecurityConfig.java b/hyracks-fullstack/hyracks/hyracks-api/src/main/java/org/apache/hyracks/api/network/INetworkSecurityConfig.java
index 772ee9f..95c3efc 100644
--- a/hyracks-fullstack/hyracks/hyracks-api/src/main/java/org/apache/hyracks/api/network/INetworkSecurityConfig.java
+++ b/hyracks-fullstack/hyracks/hyracks-api/src/main/java/org/apache/hyracks/api/network/INetworkSecurityConfig.java
@@ -20,6 +20,7 @@
import java.io.File;
import java.security.KeyStore;
+import java.util.Optional;
public interface INetworkSecurityConfig {
@@ -52,9 +53,23 @@
String getKeyStorePassword();
/**
- * Gets a trust store file to be used for validating certificates of secured connections.
+ * Gets the trust store to be used for validating certificates of secured connections
+ *
+ * @return the trust store to be used
+ */
+ KeyStore getTrustStore();
+
+ /**
+ * Gets a trust store file to be used if {@link INetworkSecurityConfig#getTrustStore()} returns null.
*
* @return the trust store file
*/
File getTrustStoreFile();
+
+ /**
+ * Gets the password for the trust store file, if configured
+ *
+ * @return the password to the trust store file, if configured
+ */
+ Optional<String> getTrustStorePassword();
}
\ No newline at end of file
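Review bot: The Javadoc on the new `getTrustStore()` never says the method may return null, yet the comment on `getTrustStoreFile()` directly below and the null check added in NetworkSecurityManager both depend on exactly that contract. Suggest `@return the trust store to be used, or {@code null} if the store should be loaded from {@link #getTrustStoreFile()}`. `getTrustStorePassword()` would likewise benefit from stating what an empty Optional means on the file-based path, e.g. `an empty Optional means the trust store file is opened without a password`, since that is how NetworkSecurityManager interprets it.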
diff --git a/hyracks-fullstack/hyracks/hyracks-ipc/src/main/java/org/apache/hyracks/ipc/security/NetworkSecurityConfig.java b/hyracks-fullstack/hyracks/hyracks-ipc/src/main/java/org/apache/hyracks/ipc/security/NetworkSecurityConfig.java
index 7f02830..5ebd282 100644
--- a/hyracks-fullstack/hyracks/hyracks-ipc/src/main/java/org/apache/hyracks/ipc/security/NetworkSecurityConfig.java
+++ b/hyracks-fullstack/hyracks/hyracks-ipc/src/main/java/org/apache/hyracks/ipc/security/NetworkSecurityConfig.java
@@ -20,6 +20,7 @@
import java.io.File;
import java.security.KeyStore;
+import java.util.Optional;
import org.apache.hyracks.api.network.INetworkSecurityConfig;
@@ -29,44 +30,52 @@
private final File keyStoreFile;
private final File trustStoreFile;
private final String keyStorePassword;
- private final KeyStore keyStore;
private NetworkSecurityConfig(boolean sslEnabled, String keyStoreFile, String keyStorePassword,
- String trustStoreFile, KeyStore keyStore) {
+ String trustStoreFile) {
this.sslEnabled = sslEnabled;
this.keyStoreFile = keyStoreFile != null ? new File(keyStoreFile) : null;
this.keyStorePassword = keyStorePassword;
this.trustStoreFile = trustStoreFile != null ? new File(trustStoreFile) : null;
- this.keyStore = keyStore;
}
public static NetworkSecurityConfig of(boolean sslEnabled, String keyStoreFile, String keyStorePassword,
String trustStoreFile) {
- return new NetworkSecurityConfig(sslEnabled, keyStoreFile, keyStorePassword, trustStoreFile, null);
+ return new NetworkSecurityConfig(sslEnabled, keyStoreFile, keyStorePassword, trustStoreFile);
}
- public static NetworkSecurityConfig of(boolean sslEnabled, KeyStore keyStore, String keyStorePassword,
- String trustStoreFile) {
- return new NetworkSecurityConfig(sslEnabled, null, keyStorePassword, trustStoreFile, keyStore);
- }
-
+ @Override
public boolean isSslEnabled() {
return sslEnabled;
}
+ @Override
public File getKeyStoreFile() {
return keyStoreFile;
}
+ @Override
public String getKeyStorePassword() {
return keyStorePassword;
}
+ @Override
public KeyStore getKeyStore() {
- return keyStore;
+ return null;
}
+ @Override
+ public KeyStore getTrustStore() {
+ return null;
+ }
+
+ @Override
public File getTrustStoreFile() {
return trustStoreFile;
}
+
+ @Override
+ public Optional<String> getTrustStorePassword() {
+ return Optional.empty();
+ }
}
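Review bot: `getTrustStorePassword()` unconditionally returns `Optional.empty()`, while the removed line in NetworkSecurityManager (`System.setProperty("javax.net.ssl.trustStorePassword", config.getKeyStorePassword())`) shows the trust store file used to be unlocked with the key store password, so after this change file-based configurations reach `loadTrustStoreFromFile(...orElse(null))` in the second NetworkSecurityManager hunk with a null password — for a JKS store that presumably skips the integrity check, and for a password-protected PKCS12 store the load may fail or yield no certificates. If this is intended, a comment on the method saying so would help; otherwise thread a trust store password through the private constructor and `of(...)` as below, deciding whether the existing four-argument `of` should keep passing the key store password (prior behaviour) or null. Separately, `getKeyStore()` now always returns null because the `of(boolean, KeyStore, ...)` factory was dropped; a one-line comment stating that this implementation is file-backed only would tell readers the null is deliberate.
```java
    private final String trustStorePassword;

    private NetworkSecurityConfig(boolean sslEnabled, String keyStoreFile, String keyStorePassword,
            String trustStoreFile, String trustStorePassword) {
        // … unchanged: sslEnabled, keyStoreFile, keyStorePassword, trustStoreFile assignments …
        this.trustStorePassword = trustStorePassword;
    }

    public static NetworkSecurityConfig of(boolean sslEnabled, String keyStoreFile, String keyStorePassword,
            String trustStoreFile) {
        return of(sslEnabled, keyStoreFile, keyStorePassword, trustStoreFile, null);
    }

    public static NetworkSecurityConfig of(boolean sslEnabled, String keyStoreFile, String keyStorePassword,
            String trustStoreFile, String trustStorePassword) {
        return new NetworkSecurityConfig(sslEnabled, keyStoreFile, keyStorePassword, trustStoreFile,
                trustStorePassword);
    }

    // … unchanged: isSslEnabled, getKeyStoreFile, getKeyStorePassword, getKeyStore, getTrustStore, getTrustStoreFile …

    @Override
    public Optional<String> getTrustStorePassword() {
        return Optional.ofNullable(trustStorePassword);
    }
```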
diff --git a/hyracks-fullstack/hyracks/hyracks-ipc/src/main/java/org/apache/hyracks/ipc/security/NetworkSecurityManager.java b/hyracks-fullstack/hyracks/hyracks-ipc/src/main/java/org/apache/hyracks/ipc/security/NetworkSecurityManager.java
index 0c8d429..e352260 100644
--- a/hyracks-fullstack/hyracks/hyracks-ipc/src/main/java/org/apache/hyracks/ipc/security/NetworkSecurityManager.java
+++ b/hyracks-fullstack/hyracks/hyracks-ipc/src/main/java/org/apache/hyracks/ipc/security/NetworkSecurityManager.java
@@ -43,7 +43,7 @@
this.config = config;
if (config.isSslEnabled()) {
System.setProperty("javax.net.ssl.trustStore", config.getTrustStoreFile().getAbsolutePath());
- System.setProperty("javax.net.ssl.trustStorePassword", config.getKeyStorePassword());
+ config.getTrustStorePassword().ifPresent(pw -> System.setProperty("javax.net.ssl.trustStorePassword", pw));
}
sslSocketFactory = new SslSocketChannelFactory(this);
}
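Review bot: The constructor still calls `config.getTrustStoreFile().getAbsolutePath()` unconditionally, so a config that supplies an in-memory store through the new `getTrustStore()` and no file will throw a NullPointerException here before the null check in this file's second hunk ever gets a chance to use the in-memory store. Guard the system property on the file being present: `File trustStoreFile = config.getTrustStoreFile();` / `if (trustStoreFile != null) {` / `System.setProperty("javax.net.ssl.trustStore", trustStoreFile.getAbsolutePath()); }`. The enclosing constructor begins before this hunk.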
@@ -60,7 +60,11 @@
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(defaultAlgorithm);
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(defaultAlgorithm);
keyManagerFactory.init(engineKeyStore, password);
- final KeyStore trustStore = loadTrustStoreFromFile(password);
+ KeyStore trustStore = config.getTrustStore();
+ if (trustStore == null) {
+ trustStore =
+ loadTrustStoreFromFile(config.getTrustStorePassword().map(String::toCharArray).orElse(null));
+ }
trustManagerFactory.init(trustStore);
SSLContext ctx = SSLContext.getInstance(TSL_VERSION);
ctx.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), new SecureRandom());