Source code

001/*
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements.  See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership.  The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License.  You may obtain a copy of the License at
009 *
010 *     http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software
013 * distributed under the License is distributed on an "AS IS" BASIS,
014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
015 * See the License for the specific language governing permissions and
016 * limitations under the License.
017 */
018package org.apache.hadoop.hbase.thrift;
019
020import static org.apache.hadoop.hbase.thrift.TestThriftServerCmdLine.createBoundServer;
021import static org.junit.jupiter.api.Assertions.assertEquals;
022
023import java.io.BufferedInputStream;
024import java.io.File;
025import java.io.IOException;
026import java.io.InputStream;
027import java.lang.reflect.Method;
028import java.net.HttpURLConnection;
029import java.nio.file.Files;
030import java.security.KeyPair;
031import java.security.KeyStore;
032import java.security.cert.X509Certificate;
033import javax.net.ssl.SSLContext;
034import org.apache.hadoop.conf.Configuration;
035import org.apache.hadoop.hbase.HBaseTestingUtil;
036import org.apache.hadoop.hbase.HConstants;
037import org.apache.hadoop.hbase.testclassification.ClientTests;
038import org.apache.hadoop.hbase.testclassification.LargeTests;
039import org.apache.hadoop.hbase.thrift.generated.Hbase;
040import org.apache.hadoop.hbase.util.EnvironmentEdgeManager;
041import org.apache.hadoop.hbase.util.EnvironmentEdgeManagerTestHelper;
042import org.apache.hadoop.hbase.util.IncrementingEnvironmentEdge;
043import org.apache.hadoop.hbase.util.TableDescriptorChecker;
044import org.apache.hadoop.security.ssl.KeyStoreTestUtil;
045import org.apache.http.client.methods.CloseableHttpResponse;
046import org.apache.http.client.methods.HttpPost;
047import org.apache.http.entity.ByteArrayEntity;
048import org.apache.http.impl.client.CloseableHttpClient;
049import org.apache.http.impl.client.HttpClientBuilder;
050import org.apache.http.impl.client.HttpClients;
051import org.apache.http.ssl.SSLContexts;
052import org.apache.thrift.protocol.TBinaryProtocol;
053import org.apache.thrift.protocol.TProtocol;
054import org.apache.thrift.transport.TMemoryBuffer;
055import org.junit.jupiter.api.AfterAll;
056import org.junit.jupiter.api.AfterEach;
057import org.junit.jupiter.api.BeforeAll;
058import org.junit.jupiter.api.BeforeEach;
059import org.junit.jupiter.api.Tag;
060import org.junit.jupiter.api.Test;
061import org.slf4j.Logger;
062import org.slf4j.LoggerFactory;
063
064@Tag(ClientTests.TAG)
065@Tag(LargeTests.TAG)
066public class TestThriftHttpServerSSL {
067
068  private static final Logger LOG = LoggerFactory.getLogger(TestThriftHttpServerSSL.class);
069  private static final HBaseTestingUtil TEST_UTIL = new HBaseTestingUtil();
070  private static final String KEY_STORE_PASSWORD = "myKSPassword";
071  private static final String TRUST_STORE_PASSWORD = "myTSPassword";
072
073  private File keyDir;
074  private HttpClientBuilder httpClientBuilder;
075  private ThriftServerRunner tsr;
076  private HttpPost httpPost = null;
077
078  @BeforeAll
079  public static void setUpBeforeClass() throws Exception {
080    TEST_UTIL.getConfiguration().setBoolean(Constants.USE_HTTP_CONF_KEY, true);
081    TEST_UTIL.getConfiguration().setBoolean(TableDescriptorChecker.TABLE_SANITY_CHECKS, false);
082    TEST_UTIL.startMiniCluster();
083    // ensure that server time increments every time we do an operation, otherwise
084    // successive puts having the same timestamp will override each other
085    EnvironmentEdgeManagerTestHelper.injectEdge(new IncrementingEnvironmentEdge());
086  }
087
088  @AfterAll
089  public static void tearDownAfterClass() throws Exception {
090    TEST_UTIL.shutdownMiniCluster();
091    EnvironmentEdgeManager.reset();
092  }
093
094  @BeforeEach
095  public void setUp() throws Exception {
096    initializeAlgorithmId();
097    keyDir = initKeystoreDir();
098    keyDir.deleteOnExit();
099    KeyPair keyPair = KeyStoreTestUtil.generateKeyPair("RSA");
100
101    X509Certificate serverCertificate =
102      KeyStoreTestUtil.generateCertificate("CN=localhost, O=server", keyPair, 30, "SHA1withRSA");
103
104    generateTrustStore(serverCertificate);
105    generateKeyStore(keyPair, serverCertificate);
106
107    Configuration conf = new Configuration(TEST_UTIL.getConfiguration());
108    conf.setBoolean(Constants.THRIFT_SSL_ENABLED_KEY, true);
109    conf.set(Constants.THRIFT_SSL_KEYSTORE_STORE_KEY, getKeystoreFilePath());
110    conf.set(Constants.THRIFT_SSL_KEYSTORE_PASSWORD_KEY, KEY_STORE_PASSWORD);
111    conf.set(Constants.THRIFT_SSL_KEYSTORE_KEYPASSWORD_KEY, KEY_STORE_PASSWORD);
112
113    tsr = createBoundServer(() -> new ThriftServer(conf));
114    String url = "https://" + HConstants.LOCALHOST + ":" + tsr.getThriftServer().listenPort;
115
116    KeyStore trustStore;
117    trustStore = KeyStore.getInstance("JKS");
118    try (InputStream inputStream =
119      new BufferedInputStream(Files.newInputStream(new File(getTruststoreFilePath()).toPath()))) {
120      trustStore.load(inputStream, TRUST_STORE_PASSWORD.toCharArray());
121    }
122
123    httpClientBuilder = HttpClients.custom();
124    SSLContext sslcontext = SSLContexts.custom().loadTrustMaterial(trustStore, null).build();
125    httpClientBuilder.setSSLContext(sslcontext);
126
127    httpPost = new HttpPost(url);
128    httpPost.setHeader("Content-Type", "application/x-thrift");
129    httpPost.setHeader("Accept", "application/x-thrift");
130    httpPost.setHeader("User-Agent", "Java/THttpClient/HC");
131  }
132
133  @AfterEach
134  public void tearDown() throws IOException {
135    if (httpPost != null) {
136      httpPost.releaseConnection();
137    }
138    if (tsr != null) {
139      tsr.close();
140    }
141  }
142
143  @Test
144  public void testSecurityHeaders() throws Exception {
145    try (CloseableHttpClient httpClient = httpClientBuilder.build()) {
146      TMemoryBuffer memoryBuffer = new TMemoryBuffer(100);
147      TProtocol prot = new TBinaryProtocol(memoryBuffer);
148      Hbase.Client client = new Hbase.Client(prot);
149      client.send_getClusterId();
150
151      httpPost.setEntity(new ByteArrayEntity(memoryBuffer.getArray()));
152      CloseableHttpResponse httpResponse = httpClient.execute(httpPost);
153
154      assertEquals(HttpURLConnection.HTTP_OK, httpResponse.getStatusLine().getStatusCode());
155      assertEquals("DENY", httpResponse.getFirstHeader("X-Frame-Options").getValue());
156
157      assertEquals("nosniff", httpResponse.getFirstHeader("X-Content-Type-Options").getValue());
158      assertEquals("1; mode=block", httpResponse.getFirstHeader("X-XSS-Protection").getValue());
159
160      assertEquals("default-src https: data: 'unsafe-inline' 'unsafe-eval'",
161        httpResponse.getFirstHeader("Content-Security-Policy").getValue());
162      assertEquals("max-age=63072000;includeSubDomains;preload",
163        httpResponse.getFirstHeader("Strict-Transport-Security").getValue());
164    }
165  }
166
167  // Workaround for jdk8 292 bug. See https://github.com/bcgit/bc-java/issues/941
168  // Below is a workaround described in above URL. Issue fingered first in comments in
169  // HBASE-25920 Support Hadoop 3.3.1
170  private static void initializeAlgorithmId() {
171    try {
172      Class<?> algoId = Class.forName("sun.security.x509.AlgorithmId");
173      Method method = algoId.getMethod("get", String.class);
174      method.setAccessible(true);
175      method.invoke(null, "PBEWithSHA1AndDESede");
176    } catch (Exception e) {
177      LOG.warn("failed to initialize AlgorithmId", e);
178    }
179  }
180
181  private File initKeystoreDir() {
182    String dataTestDir = TEST_UTIL.getDataTestDir().toString();
183    File keystoreDir = new File(dataTestDir, TestThriftHttpServer.class.getSimpleName() + "_keys");
184    keystoreDir.mkdirs();
185    return keystoreDir;
186  }
187
188  private void generateKeyStore(KeyPair keyPair, X509Certificate serverCertificate)
189    throws Exception {
190    String keyStorePath = getKeystoreFilePath();
191    KeyStoreTestUtil.createKeyStore(keyStorePath, KEY_STORE_PASSWORD, KEY_STORE_PASSWORD,
192      "serverKS", keyPair.getPrivate(), serverCertificate);
193  }
194
195  private void generateTrustStore(X509Certificate serverCertificate) throws Exception {
196    String trustStorePath = getTruststoreFilePath();
197    KeyStoreTestUtil.createTrustStore(trustStorePath, TRUST_STORE_PASSWORD, "serverTS",
198      serverCertificate);
199  }
200
201  private String getKeystoreFilePath() {
202    return String.format("%s/serverKS.%s", keyDir.getAbsolutePath(), "jks");
203  }
204
205  private String getTruststoreFilePath() {
206    return String.format("%s/serverTS.%s", keyDir.getAbsolutePath(), "jks");
207  }
208}