From 7a4ceababf2316ed4d352ca669fcb76f5f77407c Mon Sep 17 00:00:00 2001 From: thanicz Date: Tue, 5 May 2026 07:37:38 +0200 Subject: [PATCH] KNOX-3314: Ensure secure length for encryptQueryString generated by descriptors --- .../apache/knox/gateway/SimpleDescriptorHandlerFuncTest.java | 5 +++-- .../gateway/topology/simple/SimpleDescriptorHandler.java | 4 +++- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/gateway-test/src/test/java/org/apache/knox/gateway/SimpleDescriptorHandlerFuncTest.java b/gateway-test/src/test/java/org/apache/knox/gateway/SimpleDescriptorHandlerFuncTest.java index d0f5cd7529..ca5a60502d 100644 --- a/gateway-test/src/test/java/org/apache/knox/gateway/SimpleDescriptorHandlerFuncTest.java +++ b/gateway-test/src/test/java/org/apache/knox/gateway/SimpleDescriptorHandlerFuncTest.java @@ -47,6 +47,7 @@ import java.util.Collections; import java.util.HashMap; import java.util.List; +import java.util.Locale; import java.util.Map; import static org.easymock.EasyMock.anyObject; @@ -250,8 +251,8 @@ public void testSimpleDescriptorHandlerQueryStringCredentialAliasCreation() thro assertEquals("Unexpected cluster name for the alias (should be the topology name).", testDescriptor.getName(), capturedCluster.getValue()); assertEquals("Unexpected alias name.", "encryptQueryString", capturedAlias.getValue()); - assertEquals("Unexpected alias value (should be master secret + topology name.", - testMasterSecret + testDescriptor.getName(), capturedPwd.getValue()); + assertEquals("Unexpected alias value.", + String.format(Locale.ROOT, SimpleDescriptorHandler.ENCRYPT_QUERY_STRING_TEMPLATE, testMasterSecret, testDescriptor.getName()), capturedPwd.getValue()); assertEquals(1, NoOpServiceDiscovery.discoveryCalled); } catch (Exception e) { diff --git a/gateway-topology-simple/src/main/java/org/apache/knox/gateway/topology/simple/SimpleDescriptorHandler.java b/gateway-topology-simple/src/main/java/org/apache/knox/gateway/topology/simple/SimpleDescriptorHandler.java index b4fbe01827..b6bbc3270c 100644 --- a/gateway-topology-simple/src/main/java/org/apache/knox/gateway/topology/simple/SimpleDescriptorHandler.java +++ b/gateway-topology-simple/src/main/java/org/apache/knox/gateway/topology/simple/SimpleDescriptorHandler.java @@ -99,6 +99,8 @@ public class SimpleDescriptorHandler { "CLIENTID", "HEALTH").collect(Collectors.toSet())); + public static final String ENCRYPT_QUERY_STRING_TEMPLATE = "knox:query-encryption:%s:%s"; + public static Map handle(GatewayConfig config, File desc, File destDirectory, Service...gatewayServices) throws IOException { return handle(config, SimpleDescriptorFactory.parse(desc.getAbsolutePath()), desc.getParentFile(), destDirectory, gatewayServices); } @@ -312,7 +314,7 @@ private static boolean provisionQueryParamEncryptionCredential(final String topo AliasService aliasService = services.getService(ServiceType.ALIAS_SERVICE); if (aliasService != null) { // Derive and set the query param encryption password - String queryEncryptionPass = new String(ms.getMasterSecret()) + topologyName; + String queryEncryptionPass = String.format(Locale.ROOT, ENCRYPT_QUERY_STRING_TEMPLATE, new String(ms.getMasterSecret()), topologyName); aliasService.addAliasForCluster(topologyName, "encryptQueryString", queryEncryptionPass); result = true; }