KNOX-2469 - Fixing Knox keystore path directory creation for symlinks #383
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jameschen1519
changed the title
smolnar82
changed the title
lmccay
requested changes
Nov 15, 2020
...ver/src/main/java/org/apache/knox/gateway/services/security/impl/DefaultKeystoreService.java
Show resolved
Hide resolved
|
@jameschen1519 - thank you for this contribution! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
(It is very important that you created an Apache Knox JIRA for this change and that the PR title/commit message includes the Apache Knox JIRA ID!)
What changes were proposed in this pull request?
This patch fixes a potential issue regarding the creation of Knox's keystores. The current logic checks to see if the keystore path exists--if it doesn't, it tries to create the parent folder of the keystore path. However, there is an edge case, as described in JDK-8130464, where the directory creation fails if the final, parent directory of the keystore path is a symlink. This causes a failure during startup. This PR remedies this by checking if the keystore parent directory exists instead of checking the keystore itself, as checking directories is symlink-safe. There is also no extra logic after the keystore creation, so if the keystore does exist, this turns into a no-op.
(Please fill in changes proposed in this fix)
How was this patch tested?
(Please explain how this patch was tested. For instance: running automated unit/integration tests, manual tests. Please write down your test steps as detailed as possible)
(If this patch involves UI changes, please attach a screen-shot; otherwise, remove this)
This PR was tested against an environment in which the keystore path's parent directory is a symlink on Knox 1.4.0. The tests that pass before this change pass after this change, locally.
One issue that may be worth noting is that this does not fix the case where some ancestor directory within the keystore path directory chain is an invalid symlink. If C:\a is a symlink to C:\b but C:\b does not exist, then the attempt to create C:\a\z will fail. However, depending on how we would like to do this, this might be a task best assigned to the users.
Please review Knox Contributing Process before opening a pull request.