001/* 002 * Licensed to the Apache Software Foundation (ASF) under one 003 * or more contributor license agreements. See the NOTICE file 004 * distributed with this work for additional information 005 * regarding copyright ownership. The ASF licenses this file 006 * to you under the Apache License, Version 2.0 (the 007 * "License"); you may not use this file except in compliance 008 * with the License. You may obtain a copy of the License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, software 013 * distributed under the License is distributed on an "AS IS" BASIS, 014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 015 * See the License for the specific language governing permissions and 016 * limitations under the License. 017 */ 018package org.apache.hadoop.hbase.security; 019 020import java.io.File; 021import java.security.Security; 022import java.util.ArrayList; 023import java.util.List; 024import org.apache.commons.io.FileUtils; 025import org.apache.hadoop.conf.Configuration; 026import org.apache.hadoop.hbase.HBaseClassTestRule; 027import org.apache.hadoop.hbase.io.crypto.tls.KeyStoreFileType; 028import org.apache.hadoop.hbase.io.crypto.tls.X509KeyType; 029import org.apache.hadoop.hbase.io.crypto.tls.X509TestContext; 030import org.apache.hadoop.hbase.io.crypto.tls.X509TestContextProvider; 031import org.apache.hadoop.hbase.io.crypto.tls.X509Util; 032import org.apache.hadoop.hbase.ipc.NettyRpcClient; 033import org.apache.hadoop.hbase.ipc.NettyRpcServer; 034import org.apache.hadoop.hbase.ipc.RpcClient; 035import org.apache.hadoop.hbase.ipc.RpcClientFactory; 036import org.apache.hadoop.hbase.ipc.RpcServer; 037import org.apache.hadoop.hbase.ipc.RpcServerFactory; 038import org.apache.hadoop.hbase.testclassification.LargeTests; 039import org.apache.hadoop.hbase.testclassification.SecurityTests; 040import org.bouncycastle.jce.provider.BouncyCastleProvider; 041import org.junit.After; 042import org.junit.AfterClass; 043import org.junit.Before; 044import org.junit.BeforeClass; 045import org.junit.ClassRule; 046import org.junit.experimental.categories.Category; 047import org.junit.runner.RunWith; 048import org.junit.runners.Parameterized; 049 050@RunWith(Parameterized.class) 051@Category({ SecurityTests.class, LargeTests.class }) 052public class TestSaslTlsIPC extends AbstractTestSecureIPC { 053 054 @ClassRule 055 public static final HBaseClassTestRule CLASS_RULE = 056 HBaseClassTestRule.forClass(TestSaslTlsIPC.class); 057 058 private static X509TestContextProvider PROVIDER; 059 060 @Parameterized.Parameter(0) 061 public X509KeyType caKeyType; 062 063 @Parameterized.Parameter(1) 064 public X509KeyType certKeyType; 065 066 @Parameterized.Parameter(2) 067 public char[] keyPassword; 068 069 @Parameterized.Parameter(3) 070 public boolean acceptPlainText; 071 072 @Parameterized.Parameter(4) 073 public boolean clientTlsEnabled; 074 075 private X509TestContext x509TestContext; 076 077 @Parameterized.Parameters( 078 name = "{index}: caKeyType={0}, certKeyType={1}, keyPassword={2}, acceptPlainText={3}," 079 + " clientTlsEnabled={4}") 080 public static List<Object[]> data() { 081 List<Object[]> params = new ArrayList<>(); 082 for (X509KeyType caKeyType : X509KeyType.values()) { 083 for (X509KeyType certKeyType : X509KeyType.values()) { 084 for (char[] keyPassword : new char[][] { "".toCharArray(), "pa$$w0rd".toCharArray() }) { 085 // do not accept plain text 086 params.add(new Object[] { caKeyType, certKeyType, keyPassword, false, true }); 087 // support plain text and client enables tls 088 params.add(new Object[] { caKeyType, certKeyType, keyPassword, true, true }); 089 // support plain text and client disables tls 090 params.add(new Object[] { caKeyType, certKeyType, keyPassword, true, false }); 091 } 092 } 093 } 094 return params; 095 } 096 097 @BeforeClass 098 public static void setUpBeforeClass() throws Exception { 099 Security.addProvider(new BouncyCastleProvider()); 100 File dir = new File(TEST_UTIL.getDataTestDir(TestSaslTlsIPC.class.getSimpleName()).toString()) 101 .getCanonicalFile(); 102 FileUtils.forceMkdir(dir); 103 initKDCAndConf(); 104 Configuration conf = TEST_UTIL.getConfiguration(); 105 // server must enable tls 106 conf.setBoolean(X509Util.HBASE_SERVER_NETTY_TLS_ENABLED, true); 107 // only netty support tls 108 conf.setClass(RpcClientFactory.CUSTOM_RPC_CLIENT_IMPL_CONF_KEY, NettyRpcClient.class, 109 RpcClient.class); 110 conf.setClass(RpcServerFactory.CUSTOM_RPC_SERVER_IMPL_CONF_KEY, NettyRpcServer.class, 111 RpcServer.class); 112 PROVIDER = new X509TestContextProvider(conf, dir); 113 } 114 115 @AfterClass 116 public static void tearDownAfterClass() throws InterruptedException { 117 stopKDC(); 118 Security.removeProvider(BouncyCastleProvider.PROVIDER_NAME); 119 TEST_UTIL.cleanupTestDir(); 120 } 121 122 @Before 123 public void setUp() throws Exception { 124 x509TestContext = PROVIDER.get(caKeyType, certKeyType, keyPassword); 125 x509TestContext.setConfigurations(KeyStoreFileType.JKS, KeyStoreFileType.JKS); 126 Configuration conf = TEST_UTIL.getConfiguration(); 127 conf.setBoolean(X509Util.HBASE_SERVER_NETTY_TLS_SUPPORTPLAINTEXT, acceptPlainText); 128 conf.setBoolean(X509Util.HBASE_CLIENT_NETTY_TLS_ENABLED, clientTlsEnabled); 129 setUpPrincipalAndConf(); 130 } 131 132 @After 133 public void tearDown() { 134 x509TestContext.clearConfigurations(); 135 x509TestContext.getConf().unset(X509Util.TLS_CONFIG_OCSP); 136 x509TestContext.getConf().unset(X509Util.TLS_CONFIG_CLR); 137 x509TestContext.getConf().unset(X509Util.TLS_CONFIG_PROTOCOL); 138 System.clearProperty("com.sun.net.ssl.checkRevocation"); 139 System.clearProperty("com.sun.security.enableCRLDP"); 140 Security.setProperty("ocsp.enable", Boolean.FALSE.toString()); 141 Security.setProperty("com.sun.security.enableCRLDP", Boolean.FALSE.toString()); 142 } 143}