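/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements. See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership. The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License. You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.hadoop.hbase.ipc;

import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.when;

import java.io.File;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import java.util.stream.Stream;
import org.apache.commons.io.FileUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseCommonTestingUtil;
import org.apache.hadoop.hbase.HBaseParameterizedTestTemplate;
import org.apache.hadoop.hbase.HBaseServerBase;
import org.apache.hadoop.hbase.Server;
import org.apache.hadoop.hbase.client.ConnectionRegistryEndpoint;
import org.apache.hadoop.hbase.codec.Codec;
import org.apache.hadoop.hbase.io.crypto.tls.KeyStoreFileType;
import org.apache.hadoop.hbase.io.crypto.tls.X509KeyType;
import org.apache.hadoop.hbase.io.crypto.tls.X509TestContext;
import org.apache.hadoop.hbase.io.crypto.tls.X509TestContextProvider;
import org.apache.hadoop.hbase.io.crypto.tls.X509Util;
import org.apache.hadoop.hbase.ipc.RpcServer.BlockingServiceAndInterface;
import org.apache.hadoop.hbase.testclassification.MediumTests;
import org.apache.hadoop.hbase.testclassification.RPCTests;
import org.apache.hadoop.hbase.util.NettyEventLoopGroupConfig;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.junit.jupiter.api.AfterAll;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Tag;
import org.junit.jupiter.params.provider.Arguments;

/**
 * Runs the {@link AbstractTestIPC} suite against {@link NettyRpcServer} with server-side TLS
 * enabled, over the full matrix of CA key type, certificate key type, key store password,
 * plain-text acceptance on the server and TLS enablement on the client (see {@link #parameters()}).
 * <p>
 * The per-class fixtures (JCE provider, key store directory, event loop group) are JVM-global or
 * shared across parameter sets, so the lifecycle methods below take care to install and tear them
 * down symmetrically.
 */
@Tag(RPCTests.TAG)
@Tag(MediumTests.TAG)
@HBaseParameterizedTestTemplate(name = "{index}: rpcServerImpl={0}, caKeyType={1},"
  + " certKeyType={2}, keyPassword={3}, acceptPlainText={4}, clientTlsEnabled={5}")
public class TestNettyTlsIPC extends AbstractTestIPC {

  private static final HBaseCommonTestingUtil UTIL = new HBaseCommonTestingUtil(CONF);

  private static X509TestContextProvider PROVIDER;

  private static NettyEventLoopGroupConfig EVENT_LOOP_GROUP_CONFIG;

  // Whether setUpBeforeClass() registered the BouncyCastle provider itself. Only then does
  // tearDownAfterClass() remove it, so a provider installed by the JVM configuration or by another
  // test class running in the same fork is left untouched.
  private static boolean addedBcProvider;

  private final X509KeyType caKeyType;

  private final X509KeyType certKeyType;

  private final char[] keyPassword;

  private final boolean acceptPlainText;

  private final boolean clientTlsEnabled;

  /**
   * One parameter set of the matrix produced by {@link #parameters()}.
   * @param rpcServerImpl    the RPC server implementation under test (always {@link NettyRpcServer})
   * @param caKeyType        key type used for the test CA
   * @param certKeyType      key type used for the server/client certificate
   * @param keyPassword      key store password, possibly empty
   * @param acceptPlainText  whether the server also accepts plain-text connections
   * @param clientTlsEnabled whether the client negotiates TLS
   */
  public TestNettyTlsIPC(Class<? extends RpcServer> rpcServerImpl, X509KeyType caKeyType,
    X509KeyType certKeyType, char[] keyPassword, boolean acceptPlainText,
    boolean clientTlsEnabled) {
    super(rpcServerImpl);
    this.caKeyType = caKeyType;
    this.certKeyType = certKeyType;
    this.keyPassword = keyPassword;
    this.acceptPlainText = acceptPlainText;
    this.clientTlsEnabled = clientTlsEnabled;
  }

  private X509TestContext x509TestContext;

  /**
   * Builds the parameter matrix. Only {@link NettyRpcServer} is listed because it is the only RPC
   * server implementation that supports TLS. For every combination of CA key type, certificate key
   * type and key store password (empty and non-empty) three rows are produced: a TLS-only server
   * with a TLS client, a plain-text-accepting server with a TLS client, and a plain-text-accepting
   * server with a plain-text client. A TLS-only server paired with a plain-text client is not
   * generated.
   * @return one {@link Arguments} row per parameter set, in the order described above
   */
  public static Stream<Arguments> parameters() {
    List<Arguments> params = new ArrayList<>();
    char[][] keyPasswords = { "".toCharArray(), "pa$$w0rd".toCharArray() };
    for (X509KeyType caKeyType : X509KeyType.values()) {
      for (X509KeyType certKeyType : X509KeyType.values()) {
        for (char[] keyPassword : keyPasswords) {
          // do not accept plain text
          params.add(
            Arguments.of(NettyRpcServer.class, caKeyType, certKeyType, keyPassword, false, true));
          // support plain text and client enables tls
          params.add(
            Arguments.of(NettyRpcServer.class, caKeyType, certKeyType, keyPassword, true, true));
          // support plain text and client disables tls
          params.add(
            Arguments.of(NettyRpcServer.class, caKeyType, certKeyType, keyPassword, true, false));
        }
      }
    }
    return params.stream();
  }

  /**
   * Per-class setup: registers the BouncyCastle JCE provider unless one of that name is already
   * installed, creates the data directory that receives the generated key stores, forces
   * server-side TLS on in {@code CONF}, and builds the shared {@link X509TestContextProvider} and
   * Netty event loop group.
   * @throws IOException if the data directory cannot be created or canonicalised
   */
  @BeforeAll
  public static void setUpBeforeClass() throws IOException {
    // Security.addProvider returns -1 when a provider with the same name is already installed. In
    // that case the provider is not ours and tearDownAfterClass() must leave it in place.
    addedBcProvider = Security.addProvider(new BouncyCastleProvider()) != -1;
    File dir = new File(UTIL.getDataTestDir(TestNettyTlsIPC.class.getSimpleName()).toString())
      .getCanonicalFile();
    FileUtils.forceMkdir(dir);
    // server must enable tls
    CONF.setBoolean(X509Util.HBASE_SERVER_NETTY_TLS_ENABLED, true);
    PROVIDER = new X509TestContextProvider(CONF, dir);
    EVENT_LOOP_GROUP_CONFIG =
      NettyEventLoopGroupConfig.setup(CONF, TestNettyTlsIPC.class.getSimpleName());
  }

  /**
   * Per-class teardown, mirroring {@link #setUpBeforeClass()}: removes the BouncyCastle provider
   * only if this class installed it, shuts the event loop group down, and deletes the test
   * directory (and with it the generated key stores).
   * @throws InterruptedException if waiting for the event loop shutdown is interrupted
   */
  @AfterAll
  public static void tearDownAfterClass() throws InterruptedException {
    if (addedBcProvider) {
      Security.removeProvider(BouncyCastleProvider.PROVIDER_NAME);
    }
    // Guard against a setUpBeforeClass() that failed before the group was created, so the original
    // failure is not masked by a NullPointerException from here.
    if (EVENT_LOOP_GROUP_CONFIG != null) {
      EVENT_LOOP_GROUP_CONFIG.group().shutdownGracefully().sync();
    }
    UTIL.cleanupTestDir();
  }

  /**
   * Per-test setup: obtains the X509 material for this parameter set, publishes it as JKS key and
   * trust stores into the configuration, and applies the plain-text / client TLS switches of this
   * parameter set to {@code CONF}.
   * @throws IOException if the key material cannot be generated or written
   */
  @BeforeEach
  public void setUp() throws IOException {
    x509TestContext = PROVIDER.get(caKeyType, certKeyType, keyPassword);
    x509TestContext.setConfigurations(KeyStoreFileType.JKS, KeyStoreFileType.JKS);
    CONF.setBoolean(X509Util.HBASE_SERVER_NETTY_TLS_SUPPORTPLAINTEXT, acceptPlainText);
    CONF.setBoolean(X509Util.HBASE_CLIENT_NETTY_TLS_ENABLED, clientTlsEnabled);
  }

  /**
   * Per-test teardown. Besides clearing the TLS entries written by {@link #setUp()}, this resets
   * the OCSP / CRL / protocol settings in the context configuration and the JVM-wide revocation
   * checking switches ({@code System} and {@code Security} properties). Those switches are global
   * to the process, so leaving them set would let one parameter set change the revocation
   * behaviour observed by the next one. Presumably they are set by revocation-related tests in the
   * parent class; confirm against {@link AbstractTestIPC}.
   */
  @AfterEach
  public void tearDown() {
    x509TestContext.clearConfigurations();
    x509TestContext.getConf().unset(X509Util.TLS_CONFIG_OCSP);
    x509TestContext.getConf().unset(X509Util.TLS_CONFIG_CLR);
    x509TestContext.getConf().unset(X509Util.TLS_CONFIG_PROTOCOL);
    System.clearProperty("com.sun.net.ssl.checkRevocation");
    System.clearProperty("com.sun.security.enableCRLDP");
    Security.setProperty("ocsp.enable", Boolean.FALSE.toString());
    Security.setProperty("com.sun.security.enableCRLDP", Boolean.FALSE.toString());
  }

  /**
   * Creates the TLS-capable {@link NettyRpcServer} under test. The server base is a Mockito mock
   * that only hands out the shared event loop group config and, when {@code server} is a
   * {@link ConnectionRegistryEndpoint}, mirrors its cluster id.
   * <p>
   * NOTE(review): the trailing {@code true} constructor argument is passed through unchanged; its
   * meaning is defined by {@link NettyRpcServer} and is not documented here — confirm there.
   * @throws IOException if the server cannot bind
   */
  @Override
  protected RpcServer createRpcServer(Server server, String name,
    List<BlockingServiceAndInterface> services, InetSocketAddress bindAddress, Configuration conf,
    RpcScheduler scheduler) throws IOException {
    HBaseServerBase<?> mockServer = mock(HBaseServerBase.class);
    when(mockServer.getEventLoopGroupConfig()).thenReturn(EVENT_LOOP_GROUP_CONFIG);
    if (server instanceof ConnectionRegistryEndpoint) {
      String clusterId = ((ConnectionRegistryEndpoint) server).getClusterId();
      when(mockServer.getClusterId()).thenReturn(clusterId);
    }
    return new NettyRpcServer(mockServer, name, services, bindAddress, conf, scheduler, true);
  }

  /** Creates a client whose {@link NettyRpcClient#getCodec()} yields {@code null} (no codec). */
  @Override
  protected AbstractRpcClient<?> createRpcClientNoCodec(Configuration conf) {
    return new NettyRpcClient(conf) {

      @Override
      protected Codec getCodec() {
        return null;
      }
    };
  }

  /** Creates a plain {@link NettyRpcClient} configured from {@code conf}. */
  @Override
  protected AbstractRpcClient<?> createRpcClient(Configuration conf) {
    return new NettyRpcClient(conf);
  }

  /**
   * Creates a client that fails during connection setup: {@code isTcpNoDelay()} throws a
   * {@link RuntimeException} so the parent test can check error propagation on that path.
   */
  @Override
  protected AbstractRpcClient<?> createRpcClientRTEDuringConnectionSetup(Configuration conf)
    throws IOException {
    return new NettyRpcClient(conf) {

      @Override
      protected boolean isTcpNoDelay() {
        throw new RuntimeException("Injected fault");
      }
    };
  }

  /**
   * Creates a {@link FailingNettyRpcServer} backed by a mock server base that only supplies the
   * shared event loop group config.
   * @throws IOException if the server cannot bind
   */
  @Override
  protected RpcServer createTestFailingRpcServer(String name,
    List<BlockingServiceAndInterface> services, InetSocketAddress bindAddress, Configuration conf,
    RpcScheduler scheduler) throws IOException {
    HBaseServerBase<?> mockServer = mock(HBaseServerBase.class);
    when(mockServer.getEventLoopGroupConfig()).thenReturn(EVENT_LOOP_GROUP_CONFIG);
    return new FailingNettyRpcServer(mockServer, name, services, bindAddress, conf, scheduler);
  }

  /**
   * Creates a client whose connections are {@link BadAuthNettyRpcConnection}s, used by the parent
   * suite to exercise the server's handling of a failed authentication handshake.
   */
  @Override
  protected AbstractRpcClient<?> createBadAuthRpcClient(Configuration conf) {
    return new NettyRpcClient(conf) {

      @Override
      protected NettyRpcConnection createConnection(ConnectionId remoteId) throws IOException {
        return new BadAuthNettyRpcConnection(this, remoteId);
      }
    };
  }
}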