NIFI-6026 - First commit which adds a new tls-toolkit mode called Key… #3340
Conversation
…store. Should instead integrate the functionality into standalone mode. NIFI-6026 - Updated splitKeystore to use standalone mode with a -splitKeystore argument. NIFI-6026 - Removed unused file and references.
…argument checking in the command line parsing.
|
Reviewing... |
| tlsToolkitStandaloneCommandLine.printUsage("Error generating TLS configuration. (" + e.getMessage() + ")"); | ||
| System.exit(ExitCode.ERROR_GENERATING_CONFIG.ordinal()); | ||
|
|
||
| StandaloneConfig conf = tlsToolkitStandaloneCommandLine.createSplitKeystoreConfig(); |
There was a problem hiding this comment.
I think it makes sense to check isSplitKeystore before creating this config object because currently this is always created whether it is needed or not.
There was a problem hiding this comment.
Updated this to use the command line parsed args rather than the config, and will no longer create the config unless it's required.
| @@ -168,6 +188,17 @@ protected CommandLine doParse(String... args) throws CommandLineParseException { | |||
| clientPasswordsGenerated = commandLine.getOptionValues(CLIENT_CERT_PASSWORD_ARG) == null; | |||
| overwrite = commandLine.hasOption(OVERWRITE_ARG); | |||
|
|
|||
| if(commandLine.hasOption(SPLIT_KEYSTORE_ARG)) { | |||
| if(commandLine.hasOption(KEY_STORE_PASSWORD_ARG) && commandLine.hasOption(KEY_PASSWORD_ARG)) { | |||
There was a problem hiding this comment.
I think KEY_PASSWORD_ARG can legitimately be empty if the keystore password and key password are the same (i.e. no explicit key password was set).
There was a problem hiding this comment.
Updated to use the keystore password if no key password is provided and added unit test.
|
Why did |
… if keystore and key passwords are the same. Added some more tests.
Using this for unit tests as it has known keystore and key passwords. |
| @@ -113,6 +118,8 @@ protected TlsToolkitStandaloneCommandLine(PasswordUtil passwordUtil) { | |||
| addOptionWithArg(null, NIFI_DN_SUFFIX_ARG, "String to append to hostname(s) when determining DN.", TlsConfig.DEFAULT_DN_SUFFIX); | |||
| addOptionNoArg("O", OVERWRITE_ARG, "Overwrite existing host output."); | |||
| addOptionWithArg(null, ADDITIONAL_CA_CERTIFICATE_ARG, "Path to additional CA certificate (used to sign toolkit CA certificate) in PEM format if necessary"); | |||
| addOptionWithArg("splitKeystore", SPLIT_KEYSTORE_ARG, "Split out a given keystore into its unencrypted key and certificates. Use -S and -K to specify the keystore and key passwords."); | |||
There was a problem hiding this comment.
Providing the "splitKeystore" string as the first argument to this call means that -splitKeystore and --splitKeystore are both supported here. Please pass null as the first argument instead, otherwise this leads to ambiguity and breaks consistency.
| } | ||
|
|
||
| @Test | ||
| public void testOutputCertsAsPem() throws Exception { |
There was a problem hiding this comment.
I'd prefer if these tests were more descriptive -- list the expectations for what is happening here. The keystore should have a known number of entries, and that number should match the number of outputs. In addition, the key signature should be compared with that queried from the keystore directly, not just asserted that it is non-null. The same goes for the key assertions in the subsequent test.
| HashMap<String, Key> keys = TlsHelper.extractKeys(keyStore, "changeit".toCharArray()); | ||
| assertEquals(1, keys.size()); | ||
| keys.forEach((String alias, Key key) -> assertEquals("PKCS#8", key.getFormat())); | ||
| } |
There was a problem hiding this comment.
I would like to see test cases documenting the following use cases:
- Run with no keystore provided
- Run with no keystore password provided
- Run with wrong keystore password provided
- Run with keystore with no aliases
- Run with keystore with multiple aliases
- Run with correct keystore password but wrong key password provided
|
I ran through a series of manual tests on the toolkit mode. I like the functionality, and it works with both keystore formats. I made some comments requesting some unit test improvements and the removal of the "single hyphen" long argument in the CLI invocation. Once those are done, I will +1 and merge. Thanks. |
…ded a check for empty keystores. Made tests a bit cleaner.
|
Ran |
…store. Should instead integrate the functionality into standalone mode.
NIFI-6026 - Updated splitKeystore to use standalone mode with a -splitKeystore argument.
NIFI-6026 - Removed unused file and references.
Thank you for submitting a contribution to Apache NiFi.
In order to streamline the review of the contribution we ask you
to ensure the following steps have been taken:
For all changes:
Is there a JIRA ticket associated with this PR? Is it referenced
in the commit message?
Does your PR title start with NIFI-XXXX where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character.
Has your PR been rebased against the latest commit within the target branch (typically master)?
Is your initial contribution a single, squashed commit?
For code changes:
For documentation related changes:
Note:
Please ensure that once the PR is submitted, you check travis-ci for build issues and submit an update to your PR as soon as possible.