001/*
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements.  See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership.  The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License.  You may obtain a copy of the License at
009 *
010 *     http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software
013 * distributed under the License is distributed on an "AS IS" BASIS,
014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
015 * See the License for the specific language governing permissions and
016 * limitations under the License.
017 */
018package org.apache.hadoop.hbase.rest;
019
020import static org.junit.Assert.assertEquals;
021
022import java.io.File;
023import java.lang.reflect.Method;
024import java.security.KeyPair;
025import java.security.cert.X509Certificate;
026import java.util.Optional;
027import org.apache.hadoop.conf.Configuration;
028import org.apache.hadoop.hbase.HBaseClassTestRule;
029import org.apache.hadoop.hbase.HBaseTestingUtil;
030import org.apache.hadoop.hbase.http.ssl.KeyStoreTestUtil;
031import org.apache.hadoop.hbase.rest.client.Client;
032import org.apache.hadoop.hbase.rest.client.Cluster;
033import org.apache.hadoop.hbase.rest.client.Response;
034import org.apache.hadoop.hbase.testclassification.MediumTests;
035import org.apache.hadoop.hbase.testclassification.RestTests;
036import org.junit.After;
037import org.junit.AfterClass;
038import org.junit.Before;
039import org.junit.BeforeClass;
040import org.junit.ClassRule;
041import org.junit.Test;
042import org.junit.experimental.categories.Category;
043import org.slf4j.Logger;
044import org.slf4j.LoggerFactory;
045
046@Category({ RestTests.class, MediumTests.class })
047public class TestRESTServerSSL {
048
049  @ClassRule
050  public static final HBaseClassTestRule CLASS_RULE =
051    HBaseClassTestRule.forClass(TestRESTServerSSL.class);
052
053  private static final Logger LOG = LoggerFactory.getLogger(TestRESTServerSSL.class);
054
055  private static final String KEY_STORE_PASSWORD = "myKSPassword";
056  private static final String TRUST_STORE_PASSWORD = "myTSPassword";
057
058  private static final HBaseTestingUtil TEST_UTIL = new HBaseTestingUtil();
059  private static final HBaseRESTTestingUtility REST_TEST_UTIL = new HBaseRESTTestingUtility();
060  private static Client sslClient;
061  private static File keyDir;
062  private Configuration conf;
063
064  // Workaround for jdk8 292 bug. See https://github.com/bcgit/bc-java/issues/941
065  // Below is a workaround described in above URL. Issue fingered first in comments in
066  // HBASE-25920 Support Hadoop 3.3.1
067  private static void initializeAlgorithmId() {
068    try {
069      Class<?> algoId = Class.forName("sun.security.x509.AlgorithmId");
070      Method method = algoId.getMethod("get", String.class);
071      method.setAccessible(true);
072      method.invoke(null, "PBEWithSHA1AndDESede");
073    } catch (Exception e) {
074      LOG.warn("failed to initialize AlgorithmId", e);
075    }
076  }
077
078  @BeforeClass
079  public static void beforeClass() throws Exception {
080    initializeAlgorithmId();
081    keyDir = initKeystoreDir();
082    KeyPair keyPair = KeyStoreTestUtil.generateKeyPair("RSA");
083    X509Certificate serverCertificate =
084      KeyStoreTestUtil.generateCertificate("CN=localhost, O=server", keyPair, 30, "SHA1withRSA");
085
086    generateTrustStore("jks", serverCertificate);
087    generateTrustStore("jceks", serverCertificate);
088    generateTrustStore("pkcs12", serverCertificate);
089
090    generateKeyStore("jks", keyPair, serverCertificate);
091    generateKeyStore("jceks", keyPair, serverCertificate);
092    generateKeyStore("pkcs12", keyPair, serverCertificate);
093
094    TEST_UTIL.startMiniCluster();
095  }
096
097  @AfterClass
098  public static void afterClass() throws Exception {
099    // this will also delete the generated test keystore / teststore files,
100    // as we were placing them under the dataTestDir used by the minicluster
101    TEST_UTIL.shutdownMiniCluster();
102  }
103
104  @Before
105  public void beforeEachTest() {
106    conf = new Configuration(TEST_UTIL.getConfiguration());
107    conf.set(Constants.REST_SSL_ENABLED, "true");
108    conf.set(Constants.REST_SSL_KEYSTORE_KEYPASSWORD, KEY_STORE_PASSWORD);
109    conf.set(Constants.REST_SSL_KEYSTORE_PASSWORD, KEY_STORE_PASSWORD);
110    conf.set(Constants.REST_SSL_TRUSTSTORE_PASSWORD, TRUST_STORE_PASSWORD);
111  }
112
113  @After
114  public void tearDownAfterTest() {
115    REST_TEST_UTIL.shutdownServletContainer();
116  }
117
118  @Test
119  public void testSslConnection() throws Exception {
120    startRESTServerWithDefaultKeystoreType();
121
122    Response response = sslClient.get("/version", Constants.MIMETYPE_TEXT);
123    assertEquals(200, response.getCode());
124
125    // Default security headers
126    assertEquals("max-age=63072000;includeSubDomains;preload",
127      response.getHeader("Strict-Transport-Security"));
128    assertEquals("default-src https: data: 'unsafe-inline' 'unsafe-eval'",
129      response.getHeader("Content-Security-Policy"));
130  }
131
132  @Test(expected = org.apache.http.client.ClientProtocolException.class)
133  public void testNonSslClientDenied() throws Exception {
134    startRESTServerWithDefaultKeystoreType();
135
136    Cluster localCluster = new Cluster().add("localhost", REST_TEST_UTIL.getServletPort());
137    Client nonSslClient = new Client(localCluster, false);
138
139    nonSslClient.get("/version");
140  }
141
142  @Test
143  public void testSslConnectionUsingKeystoreFormatJKS() throws Exception {
144    startRESTServer("jks");
145
146    Response response = sslClient.get("/version", Constants.MIMETYPE_TEXT);
147    assertEquals(200, response.getCode());
148  }
149
150  @Test
151  public void testSslConnectionUsingKeystoreFormatJCEKS() throws Exception {
152    startRESTServer("jceks");
153
154    Response response = sslClient.get("/version", Constants.MIMETYPE_TEXT);
155    assertEquals(200, response.getCode());
156  }
157
158  @Test
159  public void testSslConnectionUsingKeystoreFormatPKCS12() throws Exception {
160    startRESTServer("pkcs12");
161
162    Response response = sslClient.get("/version", Constants.MIMETYPE_TEXT);
163    assertEquals(200, response.getCode());
164  }
165
166  private static File initKeystoreDir() {
167    String dataTestDir = TEST_UTIL.getDataTestDir().toString();
168    File keystoreDir = new File(dataTestDir, TestRESTServerSSL.class.getSimpleName() + "_keys");
169    keystoreDir.mkdirs();
170    return keystoreDir;
171  }
172
173  private static void generateKeyStore(String keyStoreType, KeyPair keyPair,
174    X509Certificate serverCertificate) throws Exception {
175    String keyStorePath = getKeystoreFilePath(keyStoreType);
176    KeyStoreTestUtil.createKeyStore(keyStorePath, KEY_STORE_PASSWORD, KEY_STORE_PASSWORD,
177      "serverKS", keyPair.getPrivate(), serverCertificate, keyStoreType);
178  }
179
180  private static void generateTrustStore(String trustStoreType, X509Certificate serverCertificate)
181    throws Exception {
182    String trustStorePath = getTruststoreFilePath(trustStoreType);
183    KeyStoreTestUtil.createTrustStore(trustStorePath, TRUST_STORE_PASSWORD, "serverTS",
184      serverCertificate, trustStoreType);
185  }
186
187  private static String getKeystoreFilePath(String keyStoreType) {
188    return String.format("%s/serverKS.%s", keyDir.getAbsolutePath(), keyStoreType);
189  }
190
191  private static String getTruststoreFilePath(String trustStoreType) {
192    return String.format("%s/serverTS.%s", keyDir.getAbsolutePath(), trustStoreType);
193  }
194
195  private void startRESTServerWithDefaultKeystoreType() throws Exception {
196    conf.set(Constants.REST_SSL_KEYSTORE_STORE, getKeystoreFilePath("jks"));
197    conf.set(Constants.REST_SSL_TRUSTSTORE_STORE, getTruststoreFilePath("jks"));
198
199    REST_TEST_UTIL.startServletContainer(conf);
200    Cluster localCluster = new Cluster().add("localhost", REST_TEST_UTIL.getServletPort());
201    sslClient = new Client(localCluster, getTruststoreFilePath("jks"),
202      Optional.of(TRUST_STORE_PASSWORD), Optional.empty());
203  }
204
205  private void startRESTServer(String storeType) throws Exception {
206    conf.set(Constants.REST_SSL_KEYSTORE_TYPE, storeType);
207    conf.set(Constants.REST_SSL_KEYSTORE_STORE, getKeystoreFilePath(storeType));
208
209    conf.set(Constants.REST_SSL_TRUSTSTORE_STORE, getTruststoreFilePath(storeType));
210    conf.set(Constants.REST_SSL_TRUSTSTORE_TYPE, storeType);
211
212    REST_TEST_UTIL.startServletContainer(conf);
213    Cluster localCluster = new Cluster().add("localhost", REST_TEST_UTIL.getServletPort());
214    sslClient = new Client(localCluster, getTruststoreFilePath(storeType),
215      Optional.of(TRUST_STORE_PASSWORD), Optional.of(storeType));
216  }
217
218}