001/*
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements.  See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership.  The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License.  You may obtain a copy of the License at
009 *
010 *     http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software
013 * distributed under the License is distributed on an "AS IS" BASIS,
014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
015 * See the License for the specific language governing permissions and
016 * limitations under the License.
017 */
018package org.apache.hadoop.hbase.security;
019
020import java.io.IOException;
021import java.security.GeneralSecurityException;
022import java.util.ArrayList;
023import java.util.List;
024import org.apache.hadoop.conf.Configuration;
025import org.apache.hadoop.hbase.HBaseClassTestRule;
026import org.apache.hadoop.hbase.io.crypto.tls.X509KeyType;
027import org.apache.hadoop.hbase.io.crypto.tls.X509Util;
028import org.apache.hadoop.hbase.testclassification.MediumTests;
029import org.apache.hadoop.hbase.testclassification.RPCTests;
030import org.bouncycastle.operator.OperatorCreationException;
031import org.junit.ClassRule;
032import org.junit.experimental.categories.Category;
033import org.junit.runner.RunWith;
034import org.junit.runners.Parameterized;
035
036/**
037 * Comprehensively tests all permutations of certificate and host verification on the client side.
038 * Tests each permutation of that against each value of {@link CertConfig}, i.e. passing a bad cert,
039 * etc. See inline comments in {@link #data()} below for what the expectations are
040 */
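@RunWith(Parameterized.class)
@Category({ RPCTests.class, MediumTests.class })
public class TestMutualTlsClientSide extends AbstractTestMutualTls {

  @ClassRule
  public static final HBaseClassTestRule CLASS_RULE =
    HBaseClassTestRule.forClass(TestMutualTlsClientSide.class);

  /**
   * Builds every permutation of CA key type, certificate key type, key password, server-hostname
   * verification setting and {@link CertConfig} that this test runs.
   * <p>
   * Each parameter array has six entries, consumed positionally by the
   * {@code @Parameterized.Parameter} fields of {@link AbstractTestMutualTls}: CA key type,
   * certificate key type, key password, whether the connection is expected to succeed, whether the
   * client verifies the server hostname, and the {@link CertConfig} injected on the server. The
   * display-name template lists all six in that order so that a failing permutation is labelled
   * with the values it actually ran with.
   * @return one parameter array per permutation
   */
  @Parameterized.Parameters(name = "{index}: caKeyType={0}, certKeyType={1}, keyPassword={2}, "
    + "expectSuccess={3}, validateServerHostnames={4}, testCase={5}")
  public static List<Object[]> data() {
    List<Object[]> params = new ArrayList<>();
    for (X509KeyType caKeyType : X509KeyType.values()) {
      for (X509KeyType certKeyType : X509KeyType.values()) {
        for (String keyPassword : new String[] { "", "pa$$w0rd" }) {
          // Run with and without server-hostname verification. The expected outcome of each
          // CertConfig depends on that setting and is encoded as the fourth entry.
          for (boolean validateServerHostnames : new boolean[] { true, false }) {
            // A non-verifiable cert is rejected no matter what; hostname verification does not
            // enter into it.
            params.add(new Object[] { caKeyType, certKeyType, keyPassword, false,
              validateServerHostnames, CertConfig.NON_VERIFIABLE_CERT });
            // A verifiable cert for the wrong host is rejected only while hostname verification
            // is on; with it off the mismatch is accepted, which is what disabling it trades away.
            params.add(new Object[] { caKeyType, certKeyType, keyPassword, !validateServerHostnames,
              validateServerHostnames, CertConfig.VERIFIABLE_CERT_WITH_BAD_HOST });
            // A good cert succeeds in both modes.
            params.add(new Object[] { caKeyType, certKeyType, keyPassword, true,
              validateServerHostnames, CertConfig.GOOD_CERT });
          }
        }
      }
    }
    return params;
  }

  /**
   * Applies this permutation's settings: the client is told whether to verify the server's
   * hostname, and the server configuration receives whichever certificate setup the current
   * {@link CertConfig} calls for.
   * @param serverConf server-side configuration; the certificate setup is injected here
   * @param clientConf client-side configuration; receives the hostname-verification flag
   * @throws IOException propagated from the certificate setup in {@code handleCertConfig}
   * @throws GeneralSecurityException propagated from the certificate setup in
   *           {@code handleCertConfig}
   * @throws OperatorCreationException propagated from the certificate setup in
   *           {@code handleCertConfig}
   */
  @Override
  protected void initialize(Configuration serverConf, Configuration clientConf)
    throws IOException, GeneralSecurityException, OperatorCreationException {
    clientConf.setBoolean(X509Util.HBASE_CLIENT_NETTY_TLS_VERIFY_SERVER_HOSTNAME,
      validateHostnames);
    handleCertConfig(serverConf);
  }
}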