GH-39014: [Java] Add default truststore along with KeychainStore when on Mac system #39235

Merged (3 commits), Dec 22, 2023
Expand Up @@ -115,6 +115,16 @@ static KeyStore getKeyStoreInstance(String instance)
return keyStore;
}

@VisibleForTesting
static KeyStore getDefaultKeyStoreInstance(String password)
throws KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException {
try (InputStream fileInputStream = getKeystoreInputStream()) {
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
keyStore.load(fileInputStream, password == null ? null : password.toCharArray());
Contributor
Does it need to load all cacerts files? Is there a way to restrict files needed to be loaded based on security concerns?

Contributor Author
Could you elaborate on the security concerns from loading all the cacerts files?

Contributor
Based on the current user workaround, there are no more questions from my side. #39235 (comment)

Member
It looks good to me. Maybe it would be better to name this method getDefaultTrustStore() but that's not a big deal.

return keyStore;
}
}

static String getOperatingSystem() {
return System.getProperty("os.name");
}
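Review bot: getDefaultKeyStoreInstance has no Javadoc, and the null-password branch (`password == null ? null : password.toCharArray()`) is the part that needs one: KeyStore.load with a null password does not fail, it skips the integrity check on the default keystore file, so a caller passing null gets a truststore whose contents were never verified against a password. Suggest a Javadoc stating that null means "load without integrity verification" and that a non-null but wrong password surfaces as the IOException already in the throws clause. The naming suggestion in the comments (getDefaultTrustStore) also matches the PR title, which describes this as the default truststore; if it is renamed, the tests that stub it need the same rename.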
Expand Down Expand Up @@ -156,16 +166,9 @@ public static InputStream getCertificateInputStreamFromSystem(String password) t
keyStoreList.add(getKeyStoreInstance("Windows-MY"));
} else if (isMac()) {
keyStoreList.add(getKeyStoreInstance("KeychainStore"));
Contributor
Is it not necessary to delete this method now?

Contributor Author
I considered it, but I don't see the harm in keeping it, especially if users are now importing certificates into their user keychain as a workaround.

Contributor
Okay, thanks for letting me know.

Member
Not a big deal to keep it for now imho.

keyStoreList.add(getDefaultKeyStoreInstance(password));
Member
Does the order matter? Should the system key store come first?

Contributor Author
It appears order does not matter, given that pemWriter writes data for all keystores added to the keystore list. I also did a manual test that required the default keystore and it passed successfully.

} else {
try (InputStream fileInputStream = getKeystoreInputStream()) {
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
if (password == null) {
keyStore.load(fileInputStream, null);
} else {
keyStore.load(fileInputStream, password.toCharArray());
}
keyStoreList.add(keyStore);
}
keyStoreList.add(getDefaultKeyStoreInstance(password));
}

return getCertificatesInputStream(keyStoreList);
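Review bot: on the macOS branch, keyStoreList now receives both KeychainStore and the file-based default keystore from getDefaultKeyStoreInstance(password), so a non-null password that does not match the default keystore's password now makes getCertificateInputStreamFromSystem throw for Mac users whose calls previously only needed the keychain to load (the old macOS path never opened the file keystore). Suggest either catching that failure in the mac branch and logging that the default keystore was skipped, or documenting at the call site that `password` must be the default keystore's own password. Replacing the inline try-with-resources block in the else branch with the helper is a welcome de-duplication; both branches now share one code path for the file keystore.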
Expand Up @@ -77,6 +77,33 @@ public void testGetKeyStoreInstance() throws IOException,
}
}

@Test
public void testGetDefaultKeyStoreInstancePassword() throws IOException,
KeyStoreException, CertificateException, NoSuchAlgorithmException {
try (MockedStatic<KeyStore> keyStoreMockedStatic = Mockito.mockStatic(KeyStore.class)) {

keyStoreMockedStatic
.when(() -> ClientAuthenticationUtils.getDefaultKeyStoreInstance("changeit"))
.thenReturn(keyStoreMock);
KeyStore receiveKeyStore = ClientAuthenticationUtils.getDefaultKeyStoreInstance("changeit");
Assert.assertEquals(receiveKeyStore, keyStoreMock);
}
}

@Test
public void testGetDefaultKeyStoreInstanceNoPassword() throws IOException,
KeyStoreException, CertificateException, NoSuchAlgorithmException {
try (MockedStatic<KeyStore> keyStoreMockedStatic = Mockito.mockStatic(KeyStore.class)) {

keyStoreMockedStatic
.when(() -> ClientAuthenticationUtils.getDefaultKeyStoreInstance(null))
.thenReturn(keyStoreMock);
KeyStore receiveKeyStore = ClientAuthenticationUtils.getDefaultKeyStoreInstance(null);
Assert.assertEquals(receiveKeyStore, keyStoreMock);
}
}


@Test
public void testGetCertificateInputStreamFromMacSystem() throws IOException,
KeyStoreException, CertificateException, NoSuchAlgorithmException {
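Review bot: testGetDefaultKeyStoreInstancePassword and testGetDefaultKeyStoreInstanceNoPassword stub ClientAuthenticationUtils.getDefaultKeyStoreInstance itself through a MockedStatic<KeyStore> and then assert that the stub returns keyStoreMock, so neither test runs the method's own code (the KeyStore.getInstance(KeyStore.getDefaultType()) call, the toCharArray conversion, or the null handling). Suggest stubbing KeyStore.getInstance to return keyStoreMock, calling the real method, and verifying that keyStoreMock.load was invoked with the expected char[] (aryEq("changeit".toCharArray())) in one test and with a null password in the other; that would catch a regression in the password handling, which the current assertions cannot. The two consecutive blank lines before the next @Test are a style nit.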
Expand All @@ -90,11 +117,18 @@ public void testGetCertificateInputStreamFromMacSystem() throws IOException,
keyStoreMockedStatic.when(() -> ClientAuthenticationUtils
.getKeyStoreInstance("KeychainStore"))
.thenReturn(keyStoreMock);
keyStoreMockedStatic.when(() -> ClientAuthenticationUtils
.getDefaultKeyStoreInstance("changeit"))
.thenReturn(keyStoreMock);
clientAuthenticationUtilsMockedStatic
.when(ClientAuthenticationUtils::getKeystoreInputStream)
.thenCallRealMethod();
keyStoreMockedStatic.when(KeyStore::getDefaultType).thenCallRealMethod();
keyStoreMockedStatic.when(() -> ClientAuthenticationUtils
.getCertificatesInputStream(Mockito.any()))
.thenReturn(mock);

InputStream inputStream = ClientAuthenticationUtils.getCertificateInputStreamFromSystem("test");
InputStream inputStream = ClientAuthenticationUtils.getCertificateInputStreamFromSystem("changeit");
Assert.assertEquals(inputStream, mock);
}
}
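Review bot: once getDefaultKeyStoreInstance("changeit") is stubbed to return keyStoreMock, the getKeystoreInputStream thenCallRealMethod stub and the KeyStore::getDefaultType thenCallRealMethod stub are no longer reached on the mac path and can be dropped, or the getDefaultKeyStoreInstance stub dropped so the real loading runs through them. The change of the argument from "test" to "changeit" exists only to satisfy the exact-argument stub; stubbing with Mockito.any(), as the Linux test does, would keep this test independent of the real default keystore password.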
Expand Down Expand Up @@ -136,9 +170,11 @@ public void testGetCertificateInputStreamFromLinuxSystem() throws IOException,

setOperatingSystemMock(clientAuthenticationUtilsMockedStatic, false, false);
keyStoreMockedStatic.when(() -> ClientAuthenticationUtils
.getCertificatesInputStream(Mockito.any()))
.getCertificatesInputStream(Mockito.any()))
.thenReturn(mock);

keyStoreMockedStatic.when(() -> ClientAuthenticationUtils
.getDefaultKeyStoreInstance(Mockito.any()))
.thenReturn(keyStoreMock);
clientAuthenticationUtilsMockedStatic
.when(ClientAuthenticationUtils::getKeystoreInputStream)
.thenCallRealMethod();
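Review bot: the getDefaultKeyStoreInstance(Mockito.any()) stub here differs from the mac test's exact "changeit" argument; pick one convention for both tests. Since the else branch now loads the file keystore only through getDefaultKeyStoreInstance, the getKeystoreInputStream thenCallRealMethod stub that follows is unreachable on the Linux path and can go. The duplicated `.getCertificatesInputStream(Mockito.any()))` line looks like a whitespace-only reindent; keeping the diff to the functional change makes it easier to review.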