Google Git
Sign in
apache / hbase / 2306820df8b41d9af5227465ee2cf9e18b8f0b5c / . / hbase-server / src / test / java / org / apache / hadoop / hbase / ipc / TestNettyTlsIPC.java
blob: 00a6b23336aba663797507eeff8e5fc304b54933 [file] [log] [blame]
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.hadoop.hbase.ipc;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.when;
import java.io.File;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import org.apache.commons.io.FileUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseClassTestRule;
import org.apache.hadoop.hbase.HBaseCommonTestingUtil;
import org.apache.hadoop.hbase.HBaseServerBase;
import org.apache.hadoop.hbase.Server;
import org.apache.hadoop.hbase.client.ConnectionRegistryEndpoint;
import org.apache.hadoop.hbase.codec.Codec;
import org.apache.hadoop.hbase.io.crypto.tls.KeyStoreFileType;
import org.apache.hadoop.hbase.io.crypto.tls.X509KeyType;
import org.apache.hadoop.hbase.io.crypto.tls.X509TestContext;
import org.apache.hadoop.hbase.io.crypto.tls.X509TestContextProvider;
import org.apache.hadoop.hbase.io.crypto.tls.X509Util;
import org.apache.hadoop.hbase.ipc.RpcServer.BlockingServiceAndInterface;
import org.apache.hadoop.hbase.testclassification.MediumTests;
import org.apache.hadoop.hbase.testclassification.RPCTests;
import org.apache.hadoop.hbase.util.NettyEventLoopGroupConfig;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.ClassRule;
import org.junit.experimental.categories.Category;
import org.junit.runner.RunWith;
import org.junit.runners.Parameterized;
@RunWith(Parameterized.class)
@Category({ RPCTests.class, MediumTests.class })
public class TestNettyTlsIPC extends AbstractTestIPC {
@ClassRule
public static final HBaseClassTestRule CLASS_RULE =
HBaseClassTestRule.forClass(TestNettyTlsIPC.class);
private static final HBaseCommonTestingUtil UTIL = new HBaseCommonTestingUtil(CONF);
private static X509TestContextProvider PROVIDER;
private static NettyEventLoopGroupConfig EVENT_LOOP_GROUP_CONFIG;
@Parameterized.Parameter(1)
public X509KeyType caKeyType;
@Parameterized.Parameter(2)
public X509KeyType certKeyType;
@Parameterized.Parameter(3)
public char[] keyPassword;
@Parameterized.Parameter(4)
public boolean acceptPlainText;
@Parameterized.Parameter(5)
public boolean clientTlsEnabled;
private X509TestContext x509TestContext;
// only netty rpc server supports TLS, so here we will only test NettyRpcServer
@Parameterized.Parameters(
name = "{index}: rpcServerImpl={0}, caKeyType={1}, certKeyType={2}, keyPassword={3},"
+ " acceptPlainText={4}, clientTlsEnabled={5}")
public static List<Object[]> data() {
List<Object[]> params = new ArrayList<>();
for (X509KeyType caKeyType : X509KeyType.values()) {
for (X509KeyType certKeyType : X509KeyType.values()) {
for (char[] keyPassword : new char[][] { "".toCharArray(), "pa$$w0rd".toCharArray() }) {
// do not accept plain text
params.add(new Object[] { NettyRpcServer.class, caKeyType, certKeyType, keyPassword,
false, true });
// support plain text and client enables tls
params.add(
new Object[] { NettyRpcServer.class, caKeyType, certKeyType, keyPassword, true, true });
// support plain text and client disables tls
params.add(new Object[] { NettyRpcServer.class, caKeyType, certKeyType, keyPassword, true,
false });
}
}
}
return params;
}
@BeforeClass
public static void setUpBeforeClass() throws IOException {
Security.addProvider(new BouncyCastleProvider());
File dir = new File(UTIL.getDataTestDir(TestNettyTlsIPC.class.getSimpleName()).toString())
.getCanonicalFile();
FileUtils.forceMkdir(dir);
// server must enable tls
CONF.setBoolean(X509Util.HBASE_SERVER_NETTY_TLS_ENABLED, true);
PROVIDER = new X509TestContextProvider(CONF, dir);
EVENT_LOOP_GROUP_CONFIG =
NettyEventLoopGroupConfig.setup(CONF, TestNettyTlsIPC.class.getSimpleName());
}
@AfterClass
public static void tearDownAfterClass() throws InterruptedException {
Security.removeProvider(BouncyCastleProvider.PROVIDER_NAME);
EVENT_LOOP_GROUP_CONFIG.group().shutdownGracefully().sync();
UTIL.cleanupTestDir();
}
@Before
public void setUp() throws IOException {
x509TestContext = PROVIDER.get(caKeyType, certKeyType, keyPassword);
x509TestContext.setConfigurations(KeyStoreFileType.JKS, KeyStoreFileType.JKS);
CONF.setBoolean(X509Util.HBASE_SERVER_NETTY_TLS_SUPPORTPLAINTEXT, acceptPlainText);
CONF.setBoolean(X509Util.HBASE_CLIENT_NETTY_TLS_ENABLED, clientTlsEnabled);
}
@After
public void tearDown() {
x509TestContext.clearConfigurations();
x509TestContext.getConf().unset(X509Util.TLS_CONFIG_OCSP);
x509TestContext.getConf().unset(X509Util.TLS_CONFIG_CLR);
x509TestContext.getConf().unset(X509Util.TLS_CONFIG_PROTOCOL);
System.clearProperty("com.sun.net.ssl.checkRevocation");
System.clearProperty("com.sun.security.enableCRLDP");
Security.setProperty("ocsp.enable", Boolean.FALSE.toString());
Security.setProperty("com.sun.security.enableCRLDP", Boolean.FALSE.toString());
}
@Override
protected RpcServer createRpcServer(Server server, String name,
List<BlockingServiceAndInterface> services, InetSocketAddress bindAddress, Configuration conf,
RpcScheduler scheduler) throws IOException {
HBaseServerBase<?> mockServer = mock(HBaseServerBase.class);
when(mockServer.getEventLoopGroupConfig()).thenReturn(EVENT_LOOP_GROUP_CONFIG);
if (server instanceof ConnectionRegistryEndpoint) {
String clusterId = ((ConnectionRegistryEndpoint) server).getClusterId();
when(mockServer.getClusterId()).thenReturn(clusterId);
}
return new NettyRpcServer(mockServer, name, services, bindAddress, conf, scheduler, true);
}
@Override
protected AbstractRpcClient<?> createRpcClientNoCodec(Configuration conf) {
return new NettyRpcClient(conf) {
@Override
protected Codec getCodec() {
return null;
}
};
}
@Override
protected AbstractRpcClient<?> createRpcClient(Configuration conf) {
return new NettyRpcClient(conf);
}
@Override
protected AbstractRpcClient<?> createRpcClientRTEDuringConnectionSetup(Configuration conf)
throws IOException {
return new NettyRpcClient(conf) {
@Override
protected boolean isTcpNoDelay() {
throw new RuntimeException("Injected fault");
}
};
}
@Override
protected RpcServer createTestFailingRpcServer(String name,
List<BlockingServiceAndInterface> services, InetSocketAddress bindAddress, Configuration conf,
RpcScheduler scheduler) throws IOException {
HBaseServerBase<?> mockServer = mock(HBaseServerBase.class);
when(mockServer.getEventLoopGroupConfig()).thenReturn(EVENT_LOOP_GROUP_CONFIG);
return new FailingNettyRpcServer(mockServer, name, services, bindAddress, conf, scheduler);
}
@Override
protected AbstractRpcClient<?> createBadAuthRpcClient(Configuration conf) {
return new NettyRpcClient(conf) {
@Override
protected NettyRpcConnection createConnection(ConnectionId remoteId) throws IOException {
return new BadAuthNettyRpcConnection(this, remoteId);
}
};
}
}