Source code

001/*
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements.  See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership.  The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License.  You may obtain a copy of the License at
009 *
010 *     http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software
013 * distributed under the License is distributed on an "AS IS" BASIS,
014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
015 * See the License for the specific language governing permissions and
016 * limitations under the License.
017 */
018package org.apache.hadoop.hbase.security;
019
020import static org.mockito.Mockito.mock;
021import static org.mockito.Mockito.when;
022
023import java.io.File;
024import java.io.IOException;
025import java.net.InetSocketAddress;
026import java.security.Security;
027import java.util.ArrayList;
028import java.util.List;
029import org.apache.commons.io.FileUtils;
030import org.apache.hadoop.conf.Configuration;
031import org.apache.hadoop.hbase.HBaseClassTestRule;
032import org.apache.hadoop.hbase.HBaseCommonTestingUtil;
033import org.apache.hadoop.hbase.HBaseServerBase;
034import org.apache.hadoop.hbase.codec.Codec;
035import org.apache.hadoop.hbase.io.crypto.tls.KeyStoreFileType;
036import org.apache.hadoop.hbase.io.crypto.tls.X509KeyType;
037import org.apache.hadoop.hbase.io.crypto.tls.X509TestContext;
038import org.apache.hadoop.hbase.io.crypto.tls.X509TestContextProvider;
039import org.apache.hadoop.hbase.io.crypto.tls.X509Util;
040import org.apache.hadoop.hbase.ipc.AbstractRpcClient;
041import org.apache.hadoop.hbase.ipc.AbstractTestIPC;
042import org.apache.hadoop.hbase.ipc.FailingNettyRpcServer;
043import org.apache.hadoop.hbase.ipc.NettyRpcClient;
044import org.apache.hadoop.hbase.ipc.NettyRpcServer;
045import org.apache.hadoop.hbase.ipc.RpcScheduler;
046import org.apache.hadoop.hbase.ipc.RpcServer;
047import org.apache.hadoop.hbase.ipc.RpcServer.BlockingServiceAndInterface;
048import org.apache.hadoop.hbase.testclassification.MediumTests;
049import org.apache.hadoop.hbase.testclassification.RPCTests;
050import org.apache.hadoop.hbase.util.NettyEventLoopGroupConfig;
051import org.bouncycastle.jce.provider.BouncyCastleProvider;
052import org.junit.After;
053import org.junit.AfterClass;
054import org.junit.Before;
055import org.junit.BeforeClass;
056import org.junit.ClassRule;
057import org.junit.experimental.categories.Category;
058import org.junit.runner.RunWith;
059import org.junit.runners.Parameterized;
060
061@RunWith(Parameterized.class)
062@Category({ RPCTests.class, MediumTests.class })
063public class TestNettyTlsIPC extends AbstractTestIPC {
064
065  @ClassRule
066  public static final HBaseClassTestRule CLASS_RULE =
067    HBaseClassTestRule.forClass(TestNettyTlsIPC.class);
068
069  private static final HBaseCommonTestingUtil UTIL = new HBaseCommonTestingUtil(CONF);
070
071  private static X509TestContextProvider PROVIDER;
072
073  private static NettyEventLoopGroupConfig EVENT_LOOP_GROUP_CONFIG;
074
075  private static HBaseServerBase<?> SERVER;
076
077  @Parameterized.Parameter(0)
078  public X509KeyType caKeyType;
079
080  @Parameterized.Parameter(1)
081  public X509KeyType certKeyType;
082
083  @Parameterized.Parameter(2)
084  public char[] keyPassword;
085
086  @Parameterized.Parameter(3)
087  public boolean acceptPlainText;
088
089  @Parameterized.Parameter(4)
090  public boolean clientTlsEnabled;
091
092  private X509TestContext x509TestContext;
093
094  @Parameterized.Parameters(
095      name = "{index}: caKeyType={0}, certKeyType={1}, keyPassword={2}, acceptPlainText={3},"
096        + " clientTlsEnabled={4}")
097  public static List<Object[]> data() {
098    List<Object[]> params = new ArrayList<>();
099    for (X509KeyType caKeyType : X509KeyType.values()) {
100      for (X509KeyType certKeyType : X509KeyType.values()) {
101        for (char[] keyPassword : new char[][] { "".toCharArray(), "pa$$w0rd".toCharArray() }) {
102          // do not accept plain text
103          params.add(new Object[] { caKeyType, certKeyType, keyPassword, false, true });
104          // support plain text and client enables tls
105          params.add(new Object[] { caKeyType, certKeyType, keyPassword, true, true });
106          // support plain text and client disables tls
107          params.add(new Object[] { caKeyType, certKeyType, keyPassword, true, false });
108        }
109      }
110    }
111    return params;
112  }
113
114  @BeforeClass
115  public static void setUpBeforeClass() throws IOException {
116    Security.addProvider(new BouncyCastleProvider());
117    File dir = new File(UTIL.getDataTestDir(TestNettyTlsIPC.class.getSimpleName()).toString())
118      .getCanonicalFile();
119    FileUtils.forceMkdir(dir);
120    // server must enable tls
121    CONF.setBoolean(X509Util.HBASE_SERVER_NETTY_TLS_ENABLED, true);
122    PROVIDER = new X509TestContextProvider(CONF, dir);
123    EVENT_LOOP_GROUP_CONFIG =
124      NettyEventLoopGroupConfig.setup(CONF, TestNettyTlsIPC.class.getSimpleName());
125    SERVER = mock(HBaseServerBase.class);
126    when(SERVER.getEventLoopGroupConfig()).thenReturn(EVENT_LOOP_GROUP_CONFIG);
127  }
128
129  @AfterClass
130  public static void tearDownAfterClass() throws InterruptedException {
131    Security.removeProvider(BouncyCastleProvider.PROVIDER_NAME);
132    EVENT_LOOP_GROUP_CONFIG.group().shutdownGracefully().sync();
133    UTIL.cleanupTestDir();
134  }
135
136  @Before
137  public void setUp() throws IOException {
138    x509TestContext = PROVIDER.get(caKeyType, certKeyType, keyPassword);
139    x509TestContext.setConfigurations(KeyStoreFileType.JKS, KeyStoreFileType.JKS);
140    CONF.setBoolean(X509Util.HBASE_SERVER_NETTY_TLS_SUPPORTPLAINTEXT, acceptPlainText);
141    CONF.setBoolean(X509Util.HBASE_CLIENT_NETTY_TLS_ENABLED, clientTlsEnabled);
142  }
143
144  @After
145  public void tearDown() {
146    x509TestContext.clearConfigurations();
147    x509TestContext.getConf().unset(X509Util.TLS_CONFIG_OCSP);
148    x509TestContext.getConf().unset(X509Util.TLS_CONFIG_CLR);
149    x509TestContext.getConf().unset(X509Util.TLS_CONFIG_PROTOCOL);
150    System.clearProperty("com.sun.net.ssl.checkRevocation");
151    System.clearProperty("com.sun.security.enableCRLDP");
152    Security.setProperty("ocsp.enable", Boolean.FALSE.toString());
153    Security.setProperty("com.sun.security.enableCRLDP", Boolean.FALSE.toString());
154  }
155
156  @Override
157  protected RpcServer createRpcServer(String name, List<BlockingServiceAndInterface> services,
158    InetSocketAddress bindAddress, Configuration conf, RpcScheduler scheduler) throws IOException {
159    return new NettyRpcServer(SERVER, name, services, bindAddress, conf, scheduler, true);
160  }
161
162  @Override
163  protected AbstractRpcClient<?> createRpcClientNoCodec(Configuration conf) {
164    return new NettyRpcClient(conf) {
165
166      @Override
167      protected Codec getCodec() {
168        return null;
169      }
170    };
171  }
172
173  @Override
174  protected AbstractRpcClient<?> createRpcClient(Configuration conf) {
175    return new NettyRpcClient(conf);
176  }
177
178  @Override
179  protected AbstractRpcClient<?> createRpcClientRTEDuringConnectionSetup(Configuration conf)
180    throws IOException {
181    return new NettyRpcClient(conf) {
182
183      @Override
184      protected boolean isTcpNoDelay() {
185        throw new RuntimeException("Injected fault");
186      }
187    };
188  }
189
190  @Override
191  protected RpcServer createTestFailingRpcServer(String name,
192    List<BlockingServiceAndInterface> services, InetSocketAddress bindAddress, Configuration conf,
193    RpcScheduler scheduler) throws IOException {
194    return new FailingNettyRpcServer(SERVER, name, services, bindAddress, conf, scheduler);
195  }
196}