KNOX-2772 - add configuration for jetty renegotiation (#605)

diff --git a/gateway-server/src/main/java/org/apache/knox/gateway/config/impl/GatewayConfigImpl.java b/gateway-server/src/main/java/org/apache/knox/gateway/config/impl/GatewayConfigImpl.java
index 3e45bac..ba572a2 100644
--- a/gateway-server/src/main/java/org/apache/knox/gateway/config/impl/GatewayConfigImpl.java
+++ b/gateway-server/src/main/java/org/apache/knox/gateway/config/impl/GatewayConfigImpl.java
@@ -177,6 +177,7 @@
   private static final String SSL_EXCLUDE_PROTOCOLS = "ssl.exclude.protocols";
   private static final String SSL_INCLUDE_CIPHERS = "ssl.include.ciphers";
   private static final String SSL_EXCLUDE_CIPHERS = "ssl.exclude.ciphers";
+  private static final String SSL_RENEGOTIATION = "ssl.renegotiation";
   // END BACKWARD COMPATIBLE BLOCK
 
   public static final String DEFAULT_HTTP_PORT = "8888";
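Review bot: The new key `ssl.renegotiation` is declared inside the block that the `// END BACKWARD COMPATIBLE BLOCK` comment closes, next to older keys that appear to be kept under legacy names. A property introduced by this commit has no earlier name to stay compatible with, so it presumably belongs outside that block under the file's current naming convention. The start of the block and the convention itself are outside this hunk, so this needs checking against the rest of the file. If the legacy-style name is intentional, a one-line comment such as `// named to match the existing ssl.* keys` would record the decision.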
@@ -603,6 +604,11 @@
   }
 
   @Override
+  public boolean isSSLRenegotiationAllowed() {
+    return getBoolean(SSL_RENEGOTIATION, true);
+  }
+
+  @Override
   public boolean isClientAuthNeeded() {
     return Boolean.parseBoolean(get( CLIENT_AUTH_NEEDED, "false" ));
   }
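Review bot: `getBoolean(SSL_RENEGOTIATION, true)` makes disabling renegotiation opt-in, and neither this getter nor the `isSSLRenegotiationAllowed()` declaration added to `GatewayConfig` documents that. An operator hardening the TLS listener has to know that the key exists and that leaving it unset keeps renegotiation permitted. I would add a Javadoc on the interface method giving the property name, the default of true, and that false is the hardened setting. If true was chosen to keep existing listener behaviour, a short comment here should say so, e.g. `// default true: behaviour unchanged unless ssl.renegotiation=false is set`.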
diff --git a/gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/JettySSLService.java b/gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/JettySSLService.java
index 867e3df..55f297e 100644
--- a/gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/JettySSLService.java
+++ b/gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/JettySSLService.java
@@ -224,6 +224,8 @@
     if (sslExcludeProtocols != null && !sslExcludeProtocols.isEmpty()) {
       sslContextFactory.setExcludeProtocols( sslExcludeProtocols.toArray(new String[0]) );
     }
+
+    sslContextFactory.setRenegotiationAllowed(config.isSSLRenegotiationAllowed());
     return sslContextFactory;
   }
 
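Review bot: The added `setRenegotiationAllowed(...)` call has no comment on its scope: renegotiation exists only in TLS 1.2 and earlier, so the flag has no effect on TLS 1.3 connections. A comment such as `// TLS 1.2 and earlier only; TLS 1.3 has no renegotiation` would keep readers from treating it as a blanket control. The method starts outside this hunk, so it is not visible whether the effective SSL settings are logged at startup; if they are, this value should be included so operators can confirm that the hardening took effect.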
diff --git a/gateway-server/src/test/java/org/apache/knox/gateway/config/impl/GatewayConfigImplTest.java b/gateway-server/src/test/java/org/apache/knox/gateway/config/impl/GatewayConfigImplTest.java
index 5ec699b..9fe737e 100644
--- a/gateway-server/src/test/java/org/apache/knox/gateway/config/impl/GatewayConfigImplTest.java
+++ b/gateway-server/src/test/java/org/apache/knox/gateway/config/impl/GatewayConfigImplTest.java
@@ -167,6 +167,18 @@
     assertThat( config.getExcludedSSLCiphers(), is(hasItems("ONE","TWO","THREE")) );
   }
 
+  // KNOX-2772
+  @Test
+  public void testisSSLRenegotiationAllowed() {
+    GatewayConfigImpl config = new GatewayConfigImpl();
+    boolean isSSLRenegotiationAllowed = config.isSSLRenegotiationAllowed();
+    assertThat( isSSLRenegotiationAllowed, is(true));
+
+    config.set("ssl.renegotiation", "false");
+    isSSLRenegotiationAllowed = config.isSSLRenegotiationAllowed();
+    assertThat( isSSLRenegotiationAllowed, is(false));
+  }
+
   @Test( timeout = TestUtils.SHORT_TIMEOUT )
   public void testGlobalRulesServices() {
     GatewayConfigImpl config = new GatewayConfigImpl();
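Review bot: `testisSSLRenegotiationAllowed` breaks the camel-case convention (`testIsSSLRenegotiationAllowed`) and omits the `timeout = TestUtils.SHORT_TIMEOUT` that the test right after it uses. It also covers only the default and the literal `false`. One more assertion after a mistyped value, e.g. `config.set("ssl.renegotiation", "no")`, would pin down whether a typo in the hardening flag silently falls back to the permissive default. `testGlobalRulesServices` at the end of the hunk continues outside it.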
diff --git a/gateway-server/src/test/java/org/apache/knox/gateway/services/security/impl/JettySSLServiceTest.java b/gateway-server/src/test/java/org/apache/knox/gateway/services/security/impl/JettySSLServiceTest.java
index eb667ea..51cdf05 100644
--- a/gateway-server/src/test/java/org/apache/knox/gateway/services/security/impl/JettySSLServiceTest.java
+++ b/gateway-server/src/test/java/org/apache/knox/gateway/services/security/impl/JettySSLServiceTest.java
@@ -481,6 +481,7 @@
     expect(config.getIncludedSSLCiphers()).andReturn(null).atLeastOnce();
     expect(config.getExcludedSSLCiphers()).andReturn(null).atLeastOnce();
     expect(config.getExcludedSSLProtocols()).andReturn(null).atLeastOnce();
+    expect(config.isSSLRenegotiationAllowed()).andReturn(true).atLeastOnce();
     return config;
   }
 
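Review bot: The mock only ever returns true for `isSSLRenegotiationAllowed()`, so nothing in this hunk shows that a false value reaches the Jetty factory. A case that builds the factory with the mock returning false and asserts that `sslContextFactory.isRenegotiationAllowed()` is false would cover the setting that matters for hardening. The helper method this line belongs to starts outside the hunk, so existing coverage elsewhere in the test class cannot be ruled out from here.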
diff --git a/gateway-spi-common/src/main/java/org/apache/knox/gateway/GatewayTestConfig.java b/gateway-spi-common/src/main/java/org/apache/knox/gateway/GatewayTestConfig.java
index 24d07b4..e493892 100644
--- a/gateway-spi-common/src/main/java/org/apache/knox/gateway/GatewayTestConfig.java
+++ b/gateway-spi-common/src/main/java/org/apache/knox/gateway/GatewayTestConfig.java
@@ -300,6 +300,11 @@
     return excludedSSLCiphers;
   }
 
+  @Override
+  public boolean isSSLRenegotiationAllowed() {
+    return true;
+  }
+
   public void setExcludedSSLCiphers( List<String> list ) {
     excludedSSLCiphers = list;
   }
diff --git a/gateway-spi/src/main/java/org/apache/knox/gateway/config/GatewayConfig.java b/gateway-spi/src/main/java/org/apache/knox/gateway/config/GatewayConfig.java
index bf6eee3..68cf6ff 100644
--- a/gateway-spi/src/main/java/org/apache/knox/gateway/config/GatewayConfig.java
+++ b/gateway-spi/src/main/java/org/apache/knox/gateway/config/GatewayConfig.java
@@ -177,6 +177,8 @@
 
   List<String> getExcludedSSLCiphers();
 
+  boolean isSSLRenegotiationAllowed();
+
   boolean isHadoopKerberosSecured();
 
   String getKerberosConfig();