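/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements. See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership. The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License. You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.hadoop.hbase.security;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.ArrayList;
import java.util.List;
import java.util.stream.Stream;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseParameterizedTestTemplate;
import org.apache.hadoop.hbase.io.crypto.tls.X509KeyType;
import org.apache.hadoop.hbase.io.crypto.tls.X509Util;
import org.apache.hadoop.hbase.testclassification.RPCTests;
import org.apache.hadoop.hbase.testclassification.SmallTests;
import org.bouncycastle.operator.OperatorCreationException;
import org.junit.jupiter.api.Tag;
import org.junit.jupiter.params.provider.Arguments;

/**
 * Comprehensively tests all permutations of certificate and host verification on the client side.
 * Tests each permutation of that against each value of {@link CertConfig}, i.e. passing a bad cert,
 * etc. See inline comments in {@link #parameters()} below for what the expectations are.
 * <p>
 * The security properties pinned here: a server certificate that does not chain to the client's
 * trust store is rejected no matter how hostname verification is configured, and a trusted
 * certificate for the wrong host is rejected only while hostname verification is enabled.
 */
@Tag(RPCTests.TAG)
@Tag(SmallTests.TAG)
// Display-name indices follow the constructor argument order: {3} is expectSuccess and {4} is
// validateServerHostnames (the previous template labelled {3}/{4} the wrong way round).
@HBaseParameterizedTestTemplate(name = "{index}: caKeyType={0}, certKeyType={1}, keyPassword={2}, "
  + "expectSuccess={3}, validateServerHostnames={4}, certConfig={5}")
public class TestMutualTlsClientSide extends AbstractTestMutualTls {

  /**
   * Builds the parameter matrix: every CA key type x every leaf key type x with/without a key
   * password x hostname verification on/off x each {@link CertConfig}.
   * <p>
   * Each {@link Arguments} row is (caKeyType, certKeyType, keyPassword, expectSuccess,
   * validateServerHostnames, certConfig); the fourth element is the expected handshake outcome.
   */
  public static Stream<Arguments> parameters() {
    List<Arguments> params = new ArrayList<>();
    for (X509KeyType caKeyType : X509KeyType.values()) {
      for (X509KeyType certKeyType : X509KeyType.values()) {
        for (String keyPassword : new String[] { "", "pa$$w0rd" }) {
          // Run with and without hostname verification. The expected outcome for each combination
          // is encoded in the expectSuccess argument of the rows below.
          for (boolean validateServerHostnames : new boolean[] { true, false }) {
            // A cert that does not chain to the trusted CA must always be rejected. Hostname
            // verification is never a substitute for chain validation, so expectSuccess is false
            // regardless of validateServerHostnames.
            params.add(Arguments.of(caKeyType, certKeyType, keyPassword, false,
              validateServerHostnames, CertConfig.NON_VERIFIABLE_CERT));
            // A trusted cert presented for the wrong host is rejected only when hostname
            // verification is on. With it off the handshake succeeds: that is the weaker mode the
            // operator opted into (any cert from the trusted CA is accepted), and the test pins it.
            params.add(Arguments.of(caKeyType, certKeyType, keyPassword, !validateServerHostnames,
              validateServerHostnames, CertConfig.VERIFIABLE_CERT_WITH_BAD_HOST));
            // A trusted cert with a matching name always succeeds.
            params.add(Arguments.of(caKeyType, certKeyType, keyPassword, true,
              validateServerHostnames, CertConfig.GOOD_CERT));
          }
        }
      }
    }
    return params.stream();
  }

  /**
   * @param caKeyType         key algorithm of the issuing CA
   * @param certKeyType       key algorithm of the leaf certificate
   * @param keyPassword       password protecting the private key ("" for none)
   * @param expectSuccess     whether the TLS handshake is expected to succeed
   * @param validateHostnames whether the client verifies the server hostname
   * @param certConfig        which kind of server certificate to present
   */
  public TestMutualTlsClientSide(X509KeyType caKeyType, X509KeyType certKeyType, String keyPassword,
    boolean expectSuccess, boolean validateHostnames, CertConfig certConfig) {
    super(caKeyType, certKeyType, keyPassword, expectSuccess, validateHostnames, certConfig);
  }

  /**
   * Configures the client to verify (or not) the server hostname and applies {@code certConfig}
   * to the server side, so that it is the client's verification logic under test.
   */
  @Override
  protected void initialize(Configuration serverConf, Configuration clientConf)
    throws IOException, GeneralSecurityException, OperatorCreationException {
    // Client-side hostname verification is driven by the test parameter.
    clientConf.setBoolean(X509Util.HBASE_CLIENT_NETTY_TLS_VERIFY_SERVER_HOSTNAME,
      validateHostnames);
    // The (possibly bad) server certificate is installed in the server conf by the base class;
    // see AbstractTestMutualTls#handleCertConfig for what each CertConfig produces.
    handleCertConfig(serverConf);
  }
}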