KNOX-3105 - Add Topology Level Config for Truststore to RemoteAuthProvider (#1001)

* KNOX-3105 - Add Topology Level Config for Truststore to RemoteAuthProvider

Author: lmccay

gateway-provider-security-authc-remote/src/main/java/org/apache/knox/gateway/filter/RemoteAuthFilter.java

@@ -63,20 +63,24 @@
 
 public class RemoteAuthFilter implements Filter {
 
-  private static final String CONFIG_REMOTE_AUTH_URL = "remote.auth.url";
-  private static final String CONFIG_INCLUDE_HEADERS = "remote.auth.include.headers";
-  private static final String CONFIG_CACHE_KEY_HEADER = "remote.auth.cache.key";
-  private static final String CONFIG_EXPIRE_AFTER = "remote.auth.expire.after";
-  private static final String DEFAULT_CACHE_KEY_HEADER = "Authorization";
-  private static final String CONFIG_USER_HEADER = "remote.auth.user.header";
-  private static final String CONFIG_GROUP_HEADER = "remote.auth.group.header";
-  private static final String DEFAULT_CONFIG_USER_HEADER = "X-Knox-Actor-ID";
-  private static final String DEFAULT_CONFIG_GROUP_HEADER = "X-Knox-Actor-Groups-*";
-  private static final String WILDCARD = "*";
+  static final String REMOTE_AUTH = "remote.auth.";
+  static final String CONFIG_REMOTE_AUTH_URL = REMOTE_AUTH + "url";
+  static final String CONFIG_INCLUDE_HEADERS = REMOTE_AUTH + "include.headers";
+  static final String CONFIG_CACHE_KEY_HEADER = REMOTE_AUTH + "cache.key";
+  static final String CONFIG_EXPIRE_AFTER = REMOTE_AUTH + "expire.after";
+  static final String DEFAULT_CACHE_KEY_HEADER = "Authorization";
+  static final String CONFIG_USER_HEADER = REMOTE_AUTH + "user.header";
+  static final String CONFIG_GROUP_HEADER = REMOTE_AUTH + "group.header";
+  static final String DEFAULT_CONFIG_USER_HEADER = "X-Knox-Actor-ID";
+  static final String DEFAULT_CONFIG_GROUP_HEADER = "X-Knox-Actor-Groups-*";
+  static final String CONFIG_TRUSTSTORE_PATH = REMOTE_AUTH + "truststore.path";
+  static final String CONFIG_TRUSTSTORE_PASSWORD = REMOTE_AUTH + "truststore.password";
+  static final String CONFIG_TRUSTSTORE_TYPE = REMOTE_AUTH + "truststore.type";
+  static final String DEFAULT_TRUSTSTORE_TYPE = "JKS";
+  static final String WILDCARD = "*";
   static final String TRACE_ID = "trace_id";
   static final String REQUEST_ID_HEADER_NAME = "X-Request-Id";
 
-
   private String remoteAuthUrl;
   private List<String> includeHeaders;
   private String cacheKeyHeader;
@@ -94,6 +98,10 @@ public class RemoteAuthFilter implements Filter {
           AuditConstants.DEFAULT_AUDITOR_NAME, AuditConstants.KNOX_SERVICE_NAME, AuditConstants.KNOX_COMPONENT_NAME );
   private final RemoteAuthMessages LOGGER = MessagesFactory.get( RemoteAuthMessages.class );
 
+  private String truststorePath;
+  private String truststorePassword;
+  private String truststoreType;
+
   @Override
   public void init(FilterConfig filterConfig) throws ServletException {
     remoteAuthUrl = filterConfig.getInitParameter(CONFIG_REMOTE_AUTH_URL);
@@ -123,6 +131,13 @@ public void init(FilterConfig filterConfig) throws ServletException {
     } else {
       groupHeaders = Arrays.asList(groupHeaderParam.split("\\s*,\\s*"));
     }
+
+    truststorePath = filterConfig.getInitParameter(CONFIG_TRUSTSTORE_PATH);
+    truststorePassword = filterConfig.getInitParameter(CONFIG_TRUSTSTORE_PASSWORD);
+    truststoreType = filterConfig.getInitParameter(CONFIG_TRUSTSTORE_TYPE);
+    if (truststoreType == null || truststoreType.isEmpty()) {
+      truststoreType = DEFAULT_TRUSTSTORE_TYPE;
+    }
   }
 
   public SSLSocketFactory createSSLSocketFactory(KeyStore trustStore) throws Exception {
@@ -202,33 +217,46 @@ private HttpURLConnection getHttpURLConnection(ServletContext servletContext) th
     if (services != null) {
       KeystoreService keystoreService = services.getService(ServiceType.KEYSTORE_SERVICE);
       if (keystoreService != null) {
-        try {
-          truststore = keystoreService.getTruststoreForHttpClient();
-          if (truststore == null) {
-            truststore = keystoreService.getKeystoreForGateway();
-          }
-        } catch (KeystoreServiceException e) {
-          LOGGER.failedToLoadTruststore(e.getMessage(), e);
-        }
+        truststore = getTrustStore(truststore, keystoreService);
       }
     }
     HttpURLConnection connection;
     if (httpURLConnection == null) {
       URL url = new URL(remoteAuthUrl);
       connection = (HttpURLConnection) url.openConnection();
       if (truststore != null) {
-          try {
-              ((HttpsURLConnection) connection).setSSLSocketFactory(createSSLSocketFactory(truststore));
-          } catch (Exception e) {
-              throw new RuntimeException(e);
-          }
+        try {
+          ((HttpsURLConnection) connection).setSSLSocketFactory(createSSLSocketFactory(truststore));
+        } catch (Exception e) {
+          throw new RuntimeException(e);
+        }
       }
     } else {
       connection = httpURLConnection;
     }
     return connection;
   }
 
+  private KeyStore getTrustStore(KeyStore truststore, KeystoreService keystoreService) throws IOException {
+    try {
+      // Try topology-specific truststore first if configured
+      if (truststorePath != null && !truststorePath.isEmpty()) {
+        truststore = keystoreService.loadTruststore(truststorePath, truststoreType, truststorePassword);
+      }
+      // Fall back to gateway-level truststore
+      if (truststore == null) {
+        truststore = keystoreService.getTruststoreForHttpClient();
+        if (truststore == null) {
+          truststore = keystoreService.getKeystoreForGateway();
+        }
+      }
+    } catch (KeystoreServiceException e) {
+      LOGGER.failedToLoadTruststore(e.getMessage(), e);
+      throw new IOException("Failed to load truststore: ", e);
+    }
+    return truststore;
+  }
+
   private void continueWithEstablishedSecurityContext(Subject subject, final HttpServletRequest request, final HttpServletResponse response, final FilterChain chain) throws IOException, ServletException {
     try {
       Subject.doAs(

gateway-provider-security-authc-remote/src/test/java/org/apache/knox/gateway/filter/RemoteAuthFilterTest.java

@@ -19,6 +19,10 @@
 
 import org.apache.knox.gateway.security.GroupPrincipal;
 import org.apache.knox.gateway.security.PrimaryPrincipal;
+import org.apache.knox.gateway.services.GatewayServices;
+import org.apache.knox.gateway.services.ServiceType;
+import org.apache.knox.gateway.services.security.KeystoreService;
+import org.apache.knox.gateway.services.security.KeystoreServiceException;
 import org.apache.knox.test.mock.MockServletContext;
 import org.easymock.EasyMock;
 import org.junit.Before;
@@ -28,6 +32,7 @@
 import javax.security.auth.Subject;
 import javax.servlet.FilterChain;
 import javax.servlet.FilterConfig;
+import javax.servlet.ServletContext;
 import javax.servlet.ServletException;
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
@@ -45,17 +50,19 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
+import java.security.KeyStore;
 
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
 
+@SuppressWarnings("PMD.JUnit4TestShouldUseBeforeAnnotation")
 public class RemoteAuthFilterTest {
 
     public static final String BEARER_INVALID_TOKEN = "Bearer invalid-token";
     public static final String BEARER_VALID_TOKEN = "Bearer valid-token";
-    public static final String URL_SUCCESS = "http://example.com/auth";
-    private static final String URL_FAIL = "http://example.com/authfail";
+    public static final String URL_SUCCESS = "https://example.com/auth";
+    private static final String URL_FAIL = "https://example.com/authfail";
     public static final String X_AUTHENTICATED_USER = "X-Authenticated-User";
     public static final String X_AUTHENTICATED_GROUP = "X-Authenticated-Group";
     public static final String X_AUTHENTICATED_GROUP_2 = "X-Authenticated-Group-2";
@@ -65,22 +72,52 @@ public class RemoteAuthFilterTest {
     private HttpServletRequest requestMock;
     private HttpServletResponse responseMock;
     private TestFilterChain chainMock;
+    private GatewayServices gatewayServicesMock;
+    private KeystoreService keystoreServiceMock;
+    private ServletContext servletContextMock;
+
     @Before
-    public void setUp() {
-        FilterConfig filterConfigMock = EasyMock.createNiceMock(FilterConfig.class);
+    public void createMocks() {
         requestMock = EasyMock.createMock(HttpServletRequest.class);
         responseMock = EasyMock.createMock(HttpServletResponse.class);
+    }
+
+    private void setUp(String trustStorePath, String trustStorePass, String trustStoreType) {
+        // Reset existing mocks
+        EasyMock.reset(requestMock, responseMock);
+
+        FilterConfig filterConfigMock = EasyMock.createNiceMock(FilterConfig.class);
         chainMock = new TestFilterChain();
 
-        EasyMock.expect(filterConfigMock.getInitParameter("remote.auth.url")).andReturn("http://example.com/auth").anyTimes();
-        EasyMock.expect(filterConfigMock.getInitParameter("remote.auth.include.headers")).andReturn("Authorization").anyTimes();
-        EasyMock.expect(filterConfigMock.getInitParameter("remote.auth.cache.key")).andReturn("Authorization").anyTimes();
-        EasyMock.expect(filterConfigMock.getInitParameter("remote.auth.expire.after")).andReturn("5").anyTimes();
-        EasyMock.expect(filterConfigMock.getInitParameter("remote.auth.user.header")).andReturn(X_AUTHENTICATED_USER).anyTimes();
-        EasyMock.expect(filterConfigMock.getInitParameter("remote.auth.group.header"))
+        // Create and configure Gateway Services mocks
+        gatewayServicesMock = EasyMock.createNiceMock(GatewayServices.class);
+        keystoreServiceMock = EasyMock.createNiceMock(KeystoreService.class);
+        servletContextMock = EasyMock.createNiceMock(ServletContext.class);
+
+        // Set up Gateway Services expectations
+        EasyMock.expect(gatewayServicesMock.getService(ServiceType.KEYSTORE_SERVICE))
+               .andReturn(keystoreServiceMock)
+               .anyTimes();
+        EasyMock.expect(servletContextMock.getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE))
+               .andReturn(gatewayServicesMock)
+               .anyTimes();
+
+        // Basic config
+        EasyMock.expect(filterConfigMock.getInitParameter(RemoteAuthFilter.CONFIG_REMOTE_AUTH_URL)).andReturn("https://example.com/auth").anyTimes();
+        EasyMock.expect(filterConfigMock.getInitParameter(RemoteAuthFilter.CONFIG_INCLUDE_HEADERS)).andReturn("Authorization").anyTimes();
+        EasyMock.expect(filterConfigMock.getInitParameter(RemoteAuthFilter.DEFAULT_CACHE_KEY_HEADER)).andReturn("Authorization").anyTimes();
+        EasyMock.expect(filterConfigMock.getInitParameter(RemoteAuthFilter.CONFIG_EXPIRE_AFTER)).andReturn("5").anyTimes();
+        EasyMock.expect(filterConfigMock.getInitParameter(RemoteAuthFilter.CONFIG_USER_HEADER)).andReturn(X_AUTHENTICATED_USER).anyTimes();
+        EasyMock.expect(filterConfigMock.getInitParameter(RemoteAuthFilter.CONFIG_GROUP_HEADER))
                .andReturn(X_AUTHENTICATED_GROUP + "," + X_AUTHENTICATED_GROUP_2 + ",X-Custom-Group-*").anyTimes();
 
-        EasyMock.replay(filterConfigMock);
+        // Trust store config
+        EasyMock.expect(filterConfigMock.getInitParameter(RemoteAuthFilter.CONFIG_TRUSTSTORE_PATH)).andReturn(trustStorePath).anyTimes();
+        EasyMock.expect(filterConfigMock.getInitParameter(RemoteAuthFilter.CONFIG_TRUSTSTORE_PASSWORD)).andReturn(trustStorePass).anyTimes();
+        EasyMock.expect(filterConfigMock.getInitParameter(RemoteAuthFilter.CONFIG_TRUSTSTORE_TYPE)).andReturn(trustStoreType).anyTimes();
+
+        // Only replay the mocks that won't need additional expectations
+        EasyMock.replay(filterConfigMock, gatewayServicesMock, servletContextMock);
 
         filter = new RemoteAuthFilter();
         try {
@@ -90,6 +127,11 @@ public void setUp() {
         }
     }
 
+    // Default setup method for backward compatibility
+    private void setUp() {
+        setUp(null, null, null);
+    }
+
     private void setupURLConnection(String url) {
         try {
             filter.httpURLConnection = new MockHttpURLConnection(new URL(url));
@@ -100,6 +142,8 @@ private void setupURLConnection(String url) {
 
     @Test
     public void successfulAuthentication() throws Exception {
+        setUp();
+
         EasyMock.expect(requestMock.getServletContext()).andReturn(new MockServletContext()).anyTimes();
         EasyMock.expect(requestMock.getHeader("Authorization")).andReturn(BEARER_VALID_TOKEN).anyTimes();
         EasyMock.expect(responseMock.getStatus()).andReturn(200).anyTimes();
@@ -134,6 +178,8 @@ public void successfulAuthentication() throws Exception {
 
     @Test
     public void authenticationFailsWithInvalidToken() throws Exception {
+        setUp();
+
         EasyMock.expect(requestMock.getServletContext()).andReturn(new MockServletContext()).anyTimes();
         EasyMock.expect(responseMock.getStatus()).andReturn(401).anyTimes();
         EasyMock.expect(requestMock.getHeader("Authorization")).andReturn(BEARER_INVALID_TOKEN).anyTimes();
@@ -160,11 +206,12 @@ public void authenticationFailsWithInvalidToken() throws Exception {
 
     @Test
     public void testCacheBehavior() throws Exception {
+        setUp();
+
         String principalName = "lmccayiv";
         String groupNames = "admin2,scientists";
         Subject subject = new Subject();
         subject.getPrincipals().add(new PrimaryPrincipal(principalName));
-        // Add groups to the principal if available
         Arrays.stream(groupNames.split(",")).forEach(groupName -> subject.getPrincipals()
                 .add(new GroupPrincipal(groupName)));
         filter.setCachedSubject(BEARER_VALID_TOKEN, subject);
@@ -202,9 +249,10 @@ public void testCacheBehavior() throws Exception {
 
     @Test
     public void testTraceIdPropagation() throws Exception {
+        setUp();
+
         String expectedTraceId = "test-trace-123";
 
-        // Set up mocks
         EasyMock.expect(requestMock.getServletContext())
             .andReturn(new MockServletContext())
             .anyTimes();
@@ -250,6 +298,8 @@ public String getRequestProperty(String key) {
 
     @Test
     public void successfulAuthenticationWithMultipleGroups() throws Exception {
+        setUp();
+
         EasyMock.expect(requestMock.getServletContext()).andReturn(new MockServletContext()).anyTimes();
         EasyMock.expect(requestMock.getHeader("Authorization")).andReturn(BEARER_VALID_TOKEN).anyTimes();
         EasyMock.expect(responseMock.getStatus()).andReturn(200).anyTimes();
@@ -287,6 +337,95 @@ public void successfulAuthenticationWithMultipleGroups() throws Exception {
         }
     }
 
+    @Test
+    public void testSuccessfulHttpsRequestWithTrustStore() throws Exception {
+        // Setup with valid trust store configuration
+        setUp("/path/to/truststore.jks", "trustpass", "JKS");
+
+        KeyStore testTruststore = KeyStore.getInstance("JKS");
+        EasyMock.expect(keystoreServiceMock.loadTruststore("/path/to/truststore.jks", "JKS", "trustpass"))
+               .andReturn(testTruststore)
+               .anyTimes();
+
+        EasyMock.expect(requestMock.getServletContext())
+               .andReturn(servletContextMock)
+               .anyTimes();
+        EasyMock.expect(requestMock.getHeader("Authorization"))
+               .andReturn(BEARER_VALID_TOKEN)
+               .anyTimes();
+        EasyMock.expect(responseMock.getStatus())
+               .andReturn(200)
+               .anyTimes();
+        responseMock.sendError(EasyMock.eq(HttpServletResponse.SC_UNAUTHORIZED), EasyMock.anyString());
+        EasyMock.expectLastCall().andThrow(new AssertionError("Authentication should be successful, but was not.")).anyTimes();
+
+        EasyMock.replay(requestMock, responseMock, keystoreServiceMock);
+
+        setupURLConnection("https://example.com/auth");
+        filter.doFilter(requestMock, responseMock, chainMock);
+
+        assertTrue("Filter chain should have been called", chainMock.doFilterCalled);
+    }
+
+    @Test
+    public void testHttpsRequestWithoutTrustStore() throws Exception {
+        // Setup without trust store configuration
+        setUp(null, null, null);
+
+        KeyStore defaultTruststore = KeyStore.getInstance("JKS");
+        EasyMock.expect(keystoreServiceMock.getTruststoreForHttpClient())
+               .andReturn(defaultTruststore)
+               .anyTimes();
+
+        EasyMock.expect(requestMock.getServletContext())
+               .andReturn(servletContextMock)
+               .anyTimes();
+        EasyMock.expect(requestMock.getHeader("Authorization"))
+               .andReturn(BEARER_VALID_TOKEN)
+               .anyTimes();
+        EasyMock.expect(responseMock.getStatus())
+               .andReturn(200)
+               .anyTimes();
+        responseMock.sendError(EasyMock.eq(HttpServletResponse.SC_UNAUTHORIZED), EasyMock.anyString());
+        EasyMock.expectLastCall().andThrow(new AssertionError("Authentication should be successful, but was not.")).anyTimes();
+
+        EasyMock.replay(requestMock, responseMock, keystoreServiceMock);
+
+        setupURLConnection("https://example.com/auth");
+        filter.doFilter(requestMock, responseMock, chainMock);
+
+        assertTrue("Filter chain should have been called with default trust store", chainMock.doFilterCalled);
+    }
+
+    @Test
+    public void testHttpsRequestWithInvalidTrustStoreConfig() throws Exception {
+        // Setup with invalid trust store configuration
+        setUp("/nonexistent/path/truststore.jks", "password", "JKS");
+
+        EasyMock.expect(keystoreServiceMock.loadTruststore("/nonexistent/path/truststore.jks", "JKS", "password"))
+               .andThrow(new KeystoreServiceException("Failed to load truststore"))
+               .anyTimes();
+
+        EasyMock.expect(requestMock.getServletContext())
+               .andReturn(servletContextMock)
+               .anyTimes();
+        EasyMock.expect(requestMock.getHeader("Authorization"))
+               .andReturn(BEARER_VALID_TOKEN)
+               .anyTimes();
+        EasyMock.expect(responseMock.getStatus())
+               .andReturn(500)
+               .anyTimes();
+        responseMock.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Error processing authentication request");
+        EasyMock.expectLastCall().once();
+
+        EasyMock.replay(requestMock, responseMock, keystoreServiceMock);
+
+        filter.doFilter(requestMock, responseMock, chainMock);
+
+        assertFalse("Filter chain should not have been called", chainMock.doFilterCalled);
+        EasyMock.verify(responseMock);
+    }
+
     public static class MockHttpURLConnection extends HttpURLConnection {
         private final URL url;
         private int responseCode;