geode-core/src/integrationTest/java/org/apache/geode/distributed/internal/tcpserver/TCPClientSSLIntegrationTest.java - geode - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one or more contributor license
  * agreements. See the NOTICE file distributed with this work for additional information regarding
  * copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance with the License. You may obtain a
  * copy of the License at
  *
  * http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License
  * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
  * or implied. See the License for the specific language governing permissions and limitations under
  * the License.
  */
 package org.apache.geode.distributed.internal.tcpserver;

 import static org.apache.geode.security.SecurableCommunicationChannels.LOCATOR;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.when;

 import java.io.IOException;
 import java.net.InetAddress;
 import java.security.GeneralSecurityException;
 import java.util.Properties;

 import javax.net.ssl.SSLHandshakeException;

 import org.junit.After;
 import org.junit.Before;
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.contrib.java.lang.system.RestoreSystemProperties;
 import org.junit.experimental.categories.Category;
 import org.mockito.Mockito;

 import org.apache.geode.cache.ssl.CertStores;
 import org.apache.geode.cache.ssl.TestSSLUtils.CertificateBuilder;
 import org.apache.geode.distributed.internal.DistributionConfig;
 import org.apache.geode.distributed.internal.DistributionConfigImpl;
 import org.apache.geode.distributed.internal.PoolStatHelper;
 import org.apache.geode.internal.AvailablePort;
 import org.apache.geode.internal.admin.SSLConfig;
 import org.apache.geode.internal.net.SSLConfigurationFactory;
 import org.apache.geode.internal.net.SocketCreator;
 import org.apache.geode.internal.net.SocketCreatorFactory;
 import org.apache.geode.internal.security.SecurableCommunicationChannel;
 import org.apache.geode.test.junit.categories.MembershipTest;

 @Category({MembershipTest.class})
 public class TCPClientSSLIntegrationTest {

   private InetAddress localhost;
   private int port;
   private FakeTcpServer server;
   private TcpClient client;

   @Rule
   public RestoreSystemProperties restoreSystemProperties = new RestoreSystemProperties();

   @Before
   public void setup() {
     SocketCreatorFactory.setDistributionConfig(new DistributionConfigImpl(new Properties()));
   }

   private void startServerAndClient(CertificateBuilder serverCertificate,
       CertificateBuilder clientCertificate, boolean enableHostNameValidation)
       throws GeneralSecurityException, IOException {

     CertStores serverStore = CertStores.locatorStore();
     serverStore.withCertificate(serverCertificate);

     CertStores clientStore = CertStores.clientStore();
     clientStore.withCertificate(clientCertificate);

     Properties serverProperties = serverStore
         .trustSelf()
         .trust(clientStore.alias(), clientStore.certificate())
         .propertiesWith(LOCATOR, true, enableHostNameValidation);

     Properties clientProperties = clientStore
         .trust(serverStore.alias(), serverStore.certificate())
         .propertiesWith(LOCATOR, true, enableHostNameValidation);

     startTcpServer(serverProperties);

     client = new TcpClient(clientProperties);
   }

   @After
   public void teardown() {
     SocketCreatorFactory.close();
   }

   private void startTcpServer(Properties sslProperties) throws IOException {
     localhost = InetAddress.getLocalHost();
     port = AvailablePort.getRandomAvailablePort(AvailablePort.SOCKET);

     TcpHandler tcpHandler = Mockito.mock(TcpHandler.class);
     when(tcpHandler.processRequest(any())).thenReturn("Running!");

     server = new FakeTcpServer(port, localhost, sslProperties, null,
         tcpHandler, Mockito.mock(PoolStatHelper.class),
         "server thread");
     server.start();
   }

   @Test
   public void clientConnectsIfServerCertificateHasHostname() throws Exception {
     CertificateBuilder serverCertificate = new CertificateBuilder()
         .commonName("tcp-server")
         .sanDnsName(InetAddress.getLocalHost().getHostName());

     CertificateBuilder clientCertificate = new CertificateBuilder()
         .commonName("tcp-client");

     startServerAndClient(serverCertificate, clientCertificate, true);
     String response =
         (String) client.requestToServer(localhost, port, Boolean.valueOf(false), 5 * 1000);
     assertThat(response).isEqualTo("Running!");
   }

   @Test
   public void clientChooseToDisableHasHostnameValidation() throws Exception {
     // no host name in server cert
     CertificateBuilder serverCertificate = new CertificateBuilder()
         .commonName("tcp-server");

     CertificateBuilder clientCertificate = new CertificateBuilder()
         .commonName("tcp-client");

     startServerAndClient(serverCertificate, clientCertificate, false);
     String response =
         (String) client.requestToServer(localhost, port, Boolean.valueOf(false), 5 * 1000);
     assertThat(response).isEqualTo("Running!");
   }

   @Test
   public void clientFailsToConnectIfServerCertificateNoHostname() throws Exception {
     CertificateBuilder serverCertificate = new CertificateBuilder()
         .commonName("tcp-server");

     CertificateBuilder clientCertificate = new CertificateBuilder()
         .commonName("tcp-client");

     startServerAndClient(serverCertificate, clientCertificate, true);

     assertThatExceptionOfType(LocatorCancelException.class)
         .isThrownBy(() -> client.requestToServer(localhost, port, Boolean.valueOf(false), 5 * 1000))
         .withCauseInstanceOf(SSLHandshakeException.class)
         .withStackTraceContaining("No name matching " + localhost.getHostName() + " found");
   }

   @Test
   public void clientFailsToConnectIfServerCertificateWrongHostname() throws Exception {
     CertificateBuilder serverCertificate = new CertificateBuilder()
         .commonName("tcp-server")
         .sanDnsName("example.com");

     CertificateBuilder clientCertificate = new CertificateBuilder()
         .commonName("tcp-client");

     startServerAndClient(serverCertificate, clientCertificate, true);

     assertThatExceptionOfType(LocatorCancelException.class)
         .isThrownBy(() -> client.requestToServer(localhost, port, Boolean.valueOf(false), 5 * 1000))
         .withCauseInstanceOf(SSLHandshakeException.class)
         .withStackTraceContaining("No subject alternative DNS name matching "
             + localhost.getHostName() + " found.");
   }

   private static class FakeTcpServer extends TcpServer {
     private DistributionConfig distributionConfig;

     public FakeTcpServer(int port, InetAddress bind_address, Properties sslConfig,
         DistributionConfigImpl cfg, TcpHandler handler, PoolStatHelper poolHelper,
         String threadName) {
       super(port, bind_address, sslConfig, cfg, handler, poolHelper, threadName, null, null);
       if (cfg == null) {
         cfg = new DistributionConfigImpl(sslConfig);
       }
       this.distributionConfig = cfg;
     }

     @Override
     protected SocketCreator getSocketCreator() {
       if (this.socketCreator == null) {
         SSLConfigurationFactory.setDistributionConfig(distributionConfig);
         SSLConfig sslConfig =
             SSLConfigurationFactory.getSSLConfigForComponent(SecurableCommunicationChannel.LOCATOR);
         this.socketCreator = new SocketCreator(sslConfig);
       }
       return socketCreator;
     }
   }
 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one or more contributor license
	* agreements. See the NOTICE file distributed with this work for additional information regarding
	* copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance with the License. You may obtain a
	* copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software distributed under the License
	* is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
	* or implied. See the License for the specific language governing permissions and limitations under
	* the License.
	*/
	package org.apache.geode.distributed.internal.tcpserver;

	import static org.apache.geode.security.SecurableCommunicationChannels.LOCATOR;
	import static org.assertj.core.api.Assertions.assertThat;
	import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
	import static org.mockito.ArgumentMatchers.any;
	import static org.mockito.Mockito.when;

	import java.io.IOException;
	import java.net.InetAddress;
	import java.security.GeneralSecurityException;
	import java.util.Properties;

	import javax.net.ssl.SSLHandshakeException;

	import org.junit.After;
	import org.junit.Before;
	import org.junit.Rule;
	import org.junit.Test;
	import org.junit.contrib.java.lang.system.RestoreSystemProperties;
	import org.junit.experimental.categories.Category;
	import org.mockito.Mockito;

	import org.apache.geode.cache.ssl.CertStores;
	import org.apache.geode.cache.ssl.TestSSLUtils.CertificateBuilder;
	import org.apache.geode.distributed.internal.DistributionConfig;
	import org.apache.geode.distributed.internal.DistributionConfigImpl;
	import org.apache.geode.distributed.internal.PoolStatHelper;
	import org.apache.geode.internal.AvailablePort;
	import org.apache.geode.internal.admin.SSLConfig;
	import org.apache.geode.internal.net.SSLConfigurationFactory;
	import org.apache.geode.internal.net.SocketCreator;
	import org.apache.geode.internal.net.SocketCreatorFactory;
	import org.apache.geode.internal.security.SecurableCommunicationChannel;
	import org.apache.geode.test.junit.categories.MembershipTest;

	@Category({MembershipTest.class})
	public class TCPClientSSLIntegrationTest {

	private InetAddress localhost;
	private int port;
	private FakeTcpServer server;
	private TcpClient client;

	@Rule
	public RestoreSystemProperties restoreSystemProperties = new RestoreSystemProperties();

	@Before
	public void setup() {
	SocketCreatorFactory.setDistributionConfig(new DistributionConfigImpl(new Properties()));
	}

	private void startServerAndClient(CertificateBuilder serverCertificate,
	CertificateBuilder clientCertificate, boolean enableHostNameValidation)
	throws GeneralSecurityException, IOException {

	CertStores serverStore = CertStores.locatorStore();
	serverStore.withCertificate(serverCertificate);

	CertStores clientStore = CertStores.clientStore();
	clientStore.withCertificate(clientCertificate);

	Properties serverProperties = serverStore
	.trustSelf()
	.trust(clientStore.alias(), clientStore.certificate())
	.propertiesWith(LOCATOR, true, enableHostNameValidation);

	Properties clientProperties = clientStore
	.trust(serverStore.alias(), serverStore.certificate())
	.propertiesWith(LOCATOR, true, enableHostNameValidation);

	startTcpServer(serverProperties);

	client = new TcpClient(clientProperties);
	}

	@After
	public void teardown() {
	SocketCreatorFactory.close();
	}

	private void startTcpServer(Properties sslProperties) throws IOException {
	localhost = InetAddress.getLocalHost();
	port = AvailablePort.getRandomAvailablePort(AvailablePort.SOCKET);

	TcpHandler tcpHandler = Mockito.mock(TcpHandler.class);
	when(tcpHandler.processRequest(any())).thenReturn("Running!");

	server = new FakeTcpServer(port, localhost, sslProperties, null,
	tcpHandler, Mockito.mock(PoolStatHelper.class),
	"server thread");
	server.start();
	}

	@Test
	public void clientConnectsIfServerCertificateHasHostname() throws Exception {
	CertificateBuilder serverCertificate = new CertificateBuilder()
	.commonName("tcp-server")
	.sanDnsName(InetAddress.getLocalHost().getHostName());

	CertificateBuilder clientCertificate = new CertificateBuilder()
	.commonName("tcp-client");

	startServerAndClient(serverCertificate, clientCertificate, true);
	String response =
	(String) client.requestToServer(localhost, port, Boolean.valueOf(false), 5 * 1000);
	assertThat(response).isEqualTo("Running!");
	}

	@Test
	public void clientChooseToDisableHasHostnameValidation() throws Exception {
	// no host name in server cert
	CertificateBuilder serverCertificate = new CertificateBuilder()
	.commonName("tcp-server");

	CertificateBuilder clientCertificate = new CertificateBuilder()
	.commonName("tcp-client");

	startServerAndClient(serverCertificate, clientCertificate, false);
	String response =
	(String) client.requestToServer(localhost, port, Boolean.valueOf(false), 5 * 1000);
	assertThat(response).isEqualTo("Running!");
	}

	@Test
	public void clientFailsToConnectIfServerCertificateNoHostname() throws Exception {
	CertificateBuilder serverCertificate = new CertificateBuilder()
	.commonName("tcp-server");

	CertificateBuilder clientCertificate = new CertificateBuilder()
	.commonName("tcp-client");

	startServerAndClient(serverCertificate, clientCertificate, true);

	assertThatExceptionOfType(LocatorCancelException.class)
	.isThrownBy(() -> client.requestToServer(localhost, port, Boolean.valueOf(false), 5 * 1000))
	.withCauseInstanceOf(SSLHandshakeException.class)
	.withStackTraceContaining("No name matching " + localhost.getHostName() + " found");
	}

	@Test
	public void clientFailsToConnectIfServerCertificateWrongHostname() throws Exception {
	CertificateBuilder serverCertificate = new CertificateBuilder()
	.commonName("tcp-server")
	.sanDnsName("example.com");

	CertificateBuilder clientCertificate = new CertificateBuilder()
	.commonName("tcp-client");

	startServerAndClient(serverCertificate, clientCertificate, true);

	assertThatExceptionOfType(LocatorCancelException.class)
	.isThrownBy(() -> client.requestToServer(localhost, port, Boolean.valueOf(false), 5 * 1000))
	.withCauseInstanceOf(SSLHandshakeException.class)
	.withStackTraceContaining("No subject alternative DNS name matching "
	+ localhost.getHostName() + " found.");
	}

	private static class FakeTcpServer extends TcpServer {
	private DistributionConfig distributionConfig;

	public FakeTcpServer(int port, InetAddress bind_address, Properties sslConfig,
	DistributionConfigImpl cfg, TcpHandler handler, PoolStatHelper poolHelper,
	String threadName) {
	super(port, bind_address, sslConfig, cfg, handler, poolHelper, threadName, null, null);
	if (cfg == null) {
	cfg = new DistributionConfigImpl(sslConfig);
	}
	this.distributionConfig = cfg;
	}

	@Override
	protected SocketCreator getSocketCreator() {
	if (this.socketCreator == null) {
	SSLConfigurationFactory.setDistributionConfig(distributionConfig);
	SSLConfig sslConfig =
	SSLConfigurationFactory.getSSLConfigForComponent(SecurableCommunicationChannel.LOCATOR);
	this.socketCreator = new SocketCreator(sslConfig);
	}
	return socketCreator;
	}
	}
	}