I've been working on a patch for this issue. The root cause is: knoxcli doesn't use the ALIAS_SERVICE to translate the alias into the password. By following the implementation of KnoxLdapContextFactory::setSystemPassword(), I was able to work out the fix for system-user-auth-test. The user-auth-test is a bit tricky.
Though the fix would be straightforward, there are multiple issues with the existing system-user-auth-test and user-auth-test implementation. I'm seeking suggestions on how I should go about these:
1. The system-user-auth-test doesn't make use of topology config to get the complete shiro.ini. Instead it just creates a bare minimum shiro.ini and tries to authenticate the system user. There is no provision to handle the system password alias.
2. The user-auth-test uses the topology config and the correct shiro.ini. The call to KnoxLdapContextFactory::setSystemPassword() fails silently with a NullPointerException due to GatewayServer.getGatewayServices() returning null. Later the getSubject() call fails while setting the contextFactory.systemPassword in the configuration.
My questions are:
1. The system-user-auth-test can replicate what KnoxLdapContextFactory::setSystemPassword() is doing by using the CLIGatewayServices(). Would that be the right thing to do?
2. For user-auth-test, how could the GatewayServer.getGatewayServices() return the available services if they are not initialized?
IMO both system-user-auth-test and user-auth-test should be able to translate the password alias by using KnoxLdapContextFactory::setSystemPassword() and without having to follow any shortcut.
Opinions / suggestions?