<pre><span class="source-line-no">001</span><span id="line-1">/*</span>
<span class="source-line-no">002</span><span id="line-2"> * Licensed to the Apache Software Foundation (ASF) under one</span>
<span class="source-line-no">003</span><span id="line-3"> * or more contributor license agreements. See the NOTICE file</span>
<span class="source-line-no">004</span><span id="line-4"> * distributed with this work for additional information</span>
<span class="source-line-no">005</span><span id="line-5"> * regarding copyright ownership. The ASF licenses this file</span>
<span class="source-line-no">006</span><span id="line-6"> * to you under the Apache License, Version 2.0 (the</span>
<span class="source-line-no">007</span><span id="line-7"> * "License"); you may not use this file except in compliance</span>
<span class="source-line-no">008</span><span id="line-8"> * with the License. You may obtain a copy of the License at</span>
<span class="source-line-no">009</span><span id="line-9"> *</span>
<span class="source-line-no">010</span><span id="line-10"> * http://www.apache.org/licenses/LICENSE-2.0</span>
<span class="source-line-no">011</span><span id="line-11"> *</span>
<span class="source-line-no">012</span><span id="line-12"> * Unless required by applicable law or agreed to in writing, software</span>
<span class="source-line-no">013</span><span id="line-13"> * distributed under the License is distributed on an "AS IS" BASIS,</span>
<span class="source-line-no">014</span><span id="line-14"> * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.</span>
<span class="source-line-no">015</span><span id="line-15"> * See the License for the specific language governing permissions and</span>
<span class="source-line-no">016</span><span id="line-16"> * limitations under the License.</span>
<span class="source-line-no">017</span><span id="line-17"> */</span>
<span class="source-line-no">018</span><span id="line-18">package org.apache.hadoop.hbase.security;</span>
<span class="source-line-no">019</span><span id="line-19"></span>
<span class="source-line-no">020</span><span id="line-20">import java.io.IOException;</span>
<span class="source-line-no">021</span><span id="line-21">import java.security.GeneralSecurityException;</span>
<span class="source-line-no">022</span><span id="line-22">import java.util.ArrayList;</span>
<span class="source-line-no">023</span><span id="line-23">import java.util.List;</span>
<span class="source-line-no">024</span><span id="line-24">import org.apache.hadoop.conf.Configuration;</span>
<span class="source-line-no">025</span><span id="line-25">import org.apache.hadoop.hbase.HBaseClassTestRule;</span>
<span class="source-line-no">026</span><span id="line-26">import org.apache.hadoop.hbase.io.crypto.tls.X509KeyType;</span>
<span class="source-line-no">027</span><span id="line-27">import org.apache.hadoop.hbase.io.crypto.tls.X509Util;</span>
<span class="source-line-no">028</span><span id="line-28">import org.apache.hadoop.hbase.testclassification.MediumTests;</span>
<span class="source-line-no">029</span><span id="line-29">import org.apache.hadoop.hbase.testclassification.RPCTests;</span>
<span class="source-line-no">030</span><span id="line-30">import org.bouncycastle.operator.OperatorCreationException;</span>
<span class="source-line-no">031</span><span id="line-31">import org.junit.ClassRule;</span>
<span class="source-line-no">032</span><span id="line-32">import org.junit.experimental.categories.Category;</span>
<span class="source-line-no">033</span><span id="line-33">import org.junit.runner.RunWith;</span>
<span class="source-line-no">034</span><span id="line-34">import org.junit.runners.Parameterized;</span>
<span class="source-line-no">035</span><span id="line-35"></span>
<span class="source-line-no">036</span><span id="line-36">/**</span>
<span class="source-line-no">037</span><span id="line-37"> * Comprehensively tests all permutations of ClientAuth modes and host verification</span>
<span class="source-line-no">038</span><span id="line-38"> * enabled/disabled. Tests each permutation of that against each relevant value of</span>
<span class="source-line-no">039</span><span id="line-39"> * {@link CertConfig}, i.e. passing no cert, a bad cert, etc. See inline comments in {@link #data()}</span>
<span class="source-line-no">040</span><span id="line-40"> * below for the expected outcome of each case.</span>
<span class="source-line-no">041</span><span id="line-41"> */</span>
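@RunWith(Parameterized.class)
@Category({ RPCTests.class, MediumTests.class })
public class TestMutualTlsServerSide extends AbstractTestMutualTls {

  @ClassRule
  public static final HBaseClassTestRule CLASS_RULE =
    HBaseClassTestRule.forClass(TestMutualTlsServerSide.class);

  /** Client-auth mode the server is configured with; bound from row slot 6 of {@link #data()}. */
  @Parameterized.Parameter(6)
  public X509Util.ClientAuth clientAuthMode;

  /**
   * Builds one row per permutation of CA key type, cert key type, key password, hostname
   * verification, {@link CertConfig} and {@link X509Util.ClientAuth}. Every row has the layout
   * {@code { caKeyType, certKeyType, keyPassword, expectSuccess, validateClientHostnames,
   * certConfig, clientAuthMode }}: slot 6 binds {@link #clientAuthMode}, the lower slots are bound
   * by the superclass (e.g. {@code validateHostnames}, read in {@link #initialize}). The name
   * template indexes the row in that same order, so a failing permutation is reported with the
   * label that actually matches the value (previously slots 3-5 were labelled one position off
   * and slot 6 was never shown).
   * @return every parameter row; never empty
   */
  @Parameterized.Parameters(name = "{index}: caKeyType={0}, certKeyType={1}, keyPassword={2}, "
    + "expectSuccess={3}, validateClientHostnames={4}, testCase={5}, clientAuthMode={6}")
  public static List<Object[]> data() {
    List<Object[]> params = new ArrayList<>();
    for (X509KeyType caKeyType : X509KeyType.values()) {
      for (X509KeyType certKeyType : X509KeyType.values()) {
        for (String keyPassword : new String[] { "", "pa$$w0rd" }) {
          // run with and without hostname verification; the expected outcome of each combination
          // is the expectSuccess flag passed to row() below
          for (boolean validateClientHostnames : new boolean[] { true, false }) {
            // ClientAuth.NONE should succeed in all cases, because it never requests the
            // certificate for verification
            params.add(row(caKeyType, certKeyType, keyPassword, true, validateClientHostnames,
              CertConfig.NO_CLIENT_CERT, X509Util.ClientAuth.NONE));
            params.add(row(caKeyType, certKeyType, keyPassword, true, validateClientHostnames,
              CertConfig.NON_VERIFIABLE_CERT, X509Util.ClientAuth.NONE));
            params.add(row(caKeyType, certKeyType, keyPassword, true, validateClientHostnames,
              CertConfig.VERIFIABLE_CERT_WITH_BAD_HOST, X509Util.ClientAuth.NONE));

            // ClientAuth.WANT should succeed if no cert, but if the cert is provided it is
            // validated. So should fail on bad cert or good cert with bad host when host
            // verification is enabled
            params.add(row(caKeyType, certKeyType, keyPassword, true, validateClientHostnames,
              CertConfig.NO_CLIENT_CERT, X509Util.ClientAuth.WANT));
            params.add(row(caKeyType, certKeyType, keyPassword, false, validateClientHostnames,
              CertConfig.NON_VERIFIABLE_CERT, X509Util.ClientAuth.WANT));
            params.add(row(caKeyType, certKeyType, keyPassword, !validateClientHostnames,
              validateClientHostnames, CertConfig.VERIFIABLE_CERT_WITH_BAD_HOST,
              X509Util.ClientAuth.WANT));

            // ClientAuth.NEED is most restrictive, failing in all cases except "good cert/bad host"
            // when host verification is disabled
            params.add(row(caKeyType, certKeyType, keyPassword, false, validateClientHostnames,
              CertConfig.NO_CLIENT_CERT, X509Util.ClientAuth.NEED));
            params.add(row(caKeyType, certKeyType, keyPassword, false, validateClientHostnames,
              CertConfig.NON_VERIFIABLE_CERT, X509Util.ClientAuth.NEED));
            params.add(row(caKeyType, certKeyType, keyPassword, !validateClientHostnames,
              validateClientHostnames, CertConfig.VERIFIABLE_CERT_WITH_BAD_HOST,
              X509Util.ClientAuth.NEED));

            // additionally ensure that all modes succeed when a good cert is presented
            for (X509Util.ClientAuth mode : X509Util.ClientAuth.values()) {
              params.add(row(caKeyType, certKeyType, keyPassword, true, validateClientHostnames,
                CertConfig.GOOD_CERT, mode));
            }
          }
        }
      }
    }
    return params;
  }

  /**
   * Packs one permutation into the positional row consumed by the {@code @Parameter} fields, so
   * the slot order is fixed in exactly one place.
   */
  private static Object[] row(X509KeyType caKeyType, X509KeyType certKeyType, String keyPassword,
    boolean expectSuccess, boolean validateClientHostnames, CertConfig certConfig,
    X509Util.ClientAuth clientAuthMode) {
    return new Object[] { caKeyType, certKeyType, keyPassword, expectSuccess,
      validateClientHostnames, certConfig, clientAuthMode };
  }

  /**
   * Applies this permutation: the server side gets the client-auth mode and the hostname
   * verification switch; the client side is prepared by the superclass's
   * {@code handleCertConfig}, which is the only call here that can raise the declared checked
   * exceptions.
   * @param serverConf configuration handed to the server under test
   * @param clientConf configuration handed to the connecting client
   */
  @Override
  protected void initialize(Configuration serverConf, Configuration clientConf)
    throws IOException, GeneralSecurityException, OperatorCreationException {
    // server enables client auth mode and verifies client host names
    serverConf.set(X509Util.HBASE_SERVER_NETTY_TLS_CLIENT_AUTH_MODE, clientAuthMode.name());
    serverConf.setBoolean(X509Util.HBASE_SERVER_NETTY_TLS_VERIFY_CLIENT_HOSTNAME,
      validateHostnames);
    // inject the (possibly missing, bad, or wrong-host) client cert into the client side
    handleCertConfig(clientConf);
  }
}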