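/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.hadoop.hbase.security;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.ArrayList;
import java.util.List;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseClassTestRule;
import org.apache.hadoop.hbase.io.crypto.tls.X509KeyType;
import org.apache.hadoop.hbase.io.crypto.tls.X509Util;
import org.apache.hadoop.hbase.testclassification.MediumTests;
import org.apache.hadoop.hbase.testclassification.RPCTests;
import org.bouncycastle.operator.OperatorCreationException;
import org.junit.ClassRule;
import org.junit.experimental.categories.Category;
import org.junit.runner.RunWith;
import org.junit.runners.Parameterized;

/**
 * Comprehensively tests all permutations of certificate and host verification on the client side.
 * Tests each permutation of that against each value of {@link CertConfig}, i.e. passing a bad cert,
 * etc. See inline comments in {@link #data()} below for what the expectations are.
 * <p>
 * The security properties this matrix locks in:
 * <ul>
 * <li>{@code NON_VERIFIABLE_CERT}: a server certificate the client cannot verify is rejected no
 * matter whether hostname verification is on or off. Hostname checking is a separate, additional
 * check and must never stand in for trust-chain validation.</li>
 * <li>{@code VERIFIABLE_CERT_WITH_BAD_HOST}: a certificate that verifies but names the wrong host is
 * rejected only when {@link X509Util#HBASE_CLIENT_NETTY_TLS_VERIFY_SERVER_HOSTNAME} is {@code true};
 * with the check disabled the connection succeeds. That accepted-with-bad-host case is the cost of
 * turning hostname verification off, and this test makes it explicit rather than accidental.</li>
 * <li>{@code GOOD_CERT}: a verifiable certificate for the right host succeeds either way.</li>
 * </ul>
 */
@RunWith(Parameterized.class)
@Category({ RPCTests.class, MediumTests.class })
public class TestMutualTlsClientSide extends AbstractTestMutualTls {

  @ClassRule
  public static final HBaseClassTestRule CLASS_RULE =
    HBaseClassTestRule.forClass(TestMutualTlsClientSide.class);

  /**
   * Builds the parameter matrix. Each entry is, in order: CA key type, leaf cert key type, key
   * password, expected success, whether the client verifies the server hostname, and the
   * {@link CertConfig} to inject into the server.
   * <p>
   * The display-name template below must label positions in that same order; previously {3} was
   * labelled {@code validateServerHostnames} and {4} {@code testCase} although those slots hold
   * {@code expectSuccess} and {@code validateServerHostnames}, which made failing test names
   * misleading when diagnosing a TLS regression.
   */
  @Parameterized.Parameters(name = "{index}: caKeyType={0}, certKeyType={1}, keyPassword={2}, "
    + "expectSuccess={3}, validateServerHostnames={4}, testCase={5}")
  public static List<Object[]> data() {
    List<Object[]> params = new ArrayList<>();
    for (X509KeyType caKeyType : X509KeyType.values()) {
      for (X509KeyType certKeyType : X509KeyType.values()) {
        // exercise both an unprotected key and a password-protected one
        for (String keyPassword : new String[] { "", "pa$$w0rd" }) {
          // we want to run with and without validating hostnames. we encode the expected success
          // criteria in each entry's fourth slot. See below.
          for (boolean validateServerHostnames : new boolean[] { true, false }) {
            // an unverifiable cert must always fail: hostname verification being off does not
            // relax trust-chain validation
            params.add(new Object[] { caKeyType, certKeyType, keyPassword, false,
              validateServerHostnames, CertConfig.NON_VERIFIABLE_CERT });
            // a verifiable cert with the wrong host fails only when hostname verification is on
            params.add(new Object[] { caKeyType, certKeyType, keyPassword, !validateServerHostnames,
              validateServerHostnames, CertConfig.VERIFIABLE_CERT_WITH_BAD_HOST });
            // a good cert succeeds regardless of the hostname setting
            params.add(new Object[] { caKeyType, certKeyType, keyPassword, true,
              validateServerHostnames, CertConfig.GOOD_CERT });
          }
        }
      }
    }
    return params;
  }

  /**
   * Client-side variant of the fixture: the client is configured to verify (or not verify) the
   * server hostname per {@code validateHostnames}, and the cert under test is injected into the
   * server configuration so it is the server's certificate that the client must judge.
   * @param serverConf configuration handed to the server; receives the {@link CertConfig} cert
   * @param clientConf configuration handed to the client; receives the hostname-verification flag
   */
  @Override
  protected void initialize(Configuration serverConf, Configuration clientConf)
    throws IOException, GeneralSecurityException, OperatorCreationException {
    // client verifies server hostname, and injects bad certs into server conf
    clientConf.setBoolean(X509Util.HBASE_CLIENT_NETTY_TLS_VERIFY_SERVER_HOSTNAME,
      validateHostnames);
    handleCertConfig(serverConf);
  }
}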