Source code

001/*
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements.  See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership.  The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License.  You may obtain a copy of the License at
009 *
010 *     http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software
013 * distributed under the License is distributed on an "AS IS" BASIS,
014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
015 * See the License for the specific language governing permissions and
016 * limitations under the License.
017 */
018package org.apache.hadoop.hbase.security;
019
020import static org.apache.hadoop.hbase.ipc.TestProtobufRpcServiceImpl.SERVICE;
021import static org.hamcrest.MatcherAssert.assertThat;
022import static org.hamcrest.Matchers.instanceOf;
023import static org.junit.Assert.assertThrows;
024
025import java.io.File;
026import java.io.IOException;
027import java.net.InetSocketAddress;
028import java.security.Security;
029import java.util.ArrayList;
030import java.util.List;
031import org.apache.commons.io.FileUtils;
032import org.apache.hadoop.conf.Configuration;
033import org.apache.hadoop.hbase.HBaseCommonTestingUtil;
034import org.apache.hadoop.hbase.exceptions.ConnectionClosedException;
035import org.apache.hadoop.hbase.io.crypto.tls.KeyStoreFileType;
036import org.apache.hadoop.hbase.io.crypto.tls.X509KeyType;
037import org.apache.hadoop.hbase.io.crypto.tls.X509TestContext;
038import org.apache.hadoop.hbase.io.crypto.tls.X509TestContextProvider;
039import org.apache.hadoop.hbase.io.crypto.tls.X509Util;
040import org.apache.hadoop.hbase.ipc.FifoRpcScheduler;
041import org.apache.hadoop.hbase.ipc.NettyRpcClient;
042import org.apache.hadoop.hbase.ipc.NettyRpcServer;
043import org.apache.hadoop.hbase.ipc.RpcClient;
044import org.apache.hadoop.hbase.ipc.RpcClientFactory;
045import org.apache.hadoop.hbase.ipc.RpcServer;
046import org.apache.hadoop.hbase.ipc.RpcServerFactory;
047import org.bouncycastle.jce.provider.BouncyCastleProvider;
048import org.junit.After;
049import org.junit.Before;
050import org.junit.Test;
051import org.junit.runners.Parameterized;
052
053import org.apache.hbase.thirdparty.com.google.common.collect.Lists;
054import org.apache.hbase.thirdparty.com.google.common.io.Closeables;
055import org.apache.hbase.thirdparty.com.google.protobuf.ServiceException;
056
057import org.apache.hadoop.hbase.shaded.ipc.protobuf.generated.TestProtos.EchoRequestProto;
058import org.apache.hadoop.hbase.shaded.ipc.protobuf.generated.TestRpcServiceProtos.TestProtobufRpcProto.BlockingInterface;
059
060public abstract class AbstractTestTlsRejectPlainText {
061
062  protected static HBaseCommonTestingUtil UTIL;
063
064  protected static File DIR;
065
066  protected static X509TestContextProvider PROVIDER;
067
068  @Parameterized.Parameter(0)
069  public X509KeyType caKeyType;
070
071  @Parameterized.Parameter(1)
072  public X509KeyType certKeyType;
073
074  @Parameterized.Parameter(2)
075  public char[] keyPassword;
076
077  private X509TestContext x509TestContext;
078
079  protected RpcServer rpcServer;
080
081  protected RpcClient rpcClient;
082
083  @Parameterized.Parameters(name = "{index}: caKeyType={0}, certKeyType={1}, keyPassword={2}")
084  public static List<Object[]> data() {
085    List<Object[]> params = new ArrayList<>();
086    for (X509KeyType caKeyType : X509KeyType.values()) {
087      for (X509KeyType certKeyType : X509KeyType.values()) {
088        for (char[] keyPassword : new char[][] { "".toCharArray(), "pa$$w0rd".toCharArray() }) {
089          params.add(new Object[] { caKeyType, certKeyType, keyPassword });
090        }
091      }
092    }
093    return params;
094  }
095
096  protected static void initialize() throws IOException {
097    Security.addProvider(new BouncyCastleProvider());
098    DIR =
099      new File(UTIL.getDataTestDir(AbstractTestTlsRejectPlainText.class.getSimpleName()).toString())
100        .getCanonicalFile();
101    FileUtils.forceMkdir(DIR);
102    Configuration conf = UTIL.getConfiguration();
103    conf.setClass(RpcClientFactory.CUSTOM_RPC_CLIENT_IMPL_CONF_KEY, NettyRpcClient.class,
104      RpcClient.class);
105    conf.setClass(RpcServerFactory.CUSTOM_RPC_SERVER_IMPL_CONF_KEY, NettyRpcServer.class,
106      RpcServer.class);
107    conf.setBoolean(X509Util.HBASE_SERVER_NETTY_TLS_ENABLED, true);
108    conf.setBoolean(X509Util.HBASE_SERVER_NETTY_TLS_SUPPORTPLAINTEXT, false);
109    conf.setBoolean(X509Util.HBASE_CLIENT_NETTY_TLS_ENABLED, false);
110    PROVIDER = new X509TestContextProvider(conf, DIR);
111  }
112
113  protected static void cleanUp() {
114    Security.removeProvider(BouncyCastleProvider.PROVIDER_NAME);
115    UTIL.cleanupTestDir();
116  }
117
118  @Before
119  public void setUp() throws Exception {
120    x509TestContext = PROVIDER.get(caKeyType, certKeyType, keyPassword);
121    x509TestContext.setConfigurations(KeyStoreFileType.JKS, KeyStoreFileType.JKS);
122    Configuration conf = UTIL.getConfiguration();
123    rpcServer = new NettyRpcServer(null, "testRpcServer",
124      Lists.newArrayList(new RpcServer.BlockingServiceAndInterface(SERVICE, null)),
125      new InetSocketAddress("localhost", 0), conf, new FifoRpcScheduler(conf, 1), true);
126    rpcServer.start();
127    rpcClient = new NettyRpcClient(conf);
128  }
129
130  @After
131  public void tearDown() throws IOException {
132    if (rpcServer != null) {
133      rpcServer.stop();
134    }
135    Closeables.close(rpcClient, true);
136    x509TestContext.clearConfigurations();
137    x509TestContext.getConf().unset(X509Util.TLS_CONFIG_OCSP);
138    x509TestContext.getConf().unset(X509Util.TLS_CONFIG_CLR);
139    x509TestContext.getConf().unset(X509Util.TLS_CONFIG_PROTOCOL);
140    System.clearProperty("com.sun.net.ssl.checkRevocation");
141    System.clearProperty("com.sun.security.enableCRLDP");
142    Security.setProperty("ocsp.enable", Boolean.FALSE.toString());
143    Security.setProperty("com.sun.security.enableCRLDP", Boolean.FALSE.toString());
144  }
145
146  protected abstract BlockingInterface createStub() throws Exception;
147
148  @Test
149  public void testReject() throws Exception {
150    BlockingInterface stub = createStub();
151    ServiceException se = assertThrows(ServiceException.class,
152      () -> stub.echo(null, EchoRequestProto.newBuilder().setMessage("hello world").build()));
153    assertThat(se.getCause(), instanceOf(ConnectionClosedException.class));
154  }
155}