| /* |
| * Licensed to the Apache Software Foundation (ASF) under one or more |
| * contributor license agreements. See the NOTICE file distributed with |
| * this work for additional information regarding copyright ownership. |
| * The ASF licenses this file to You under the Apache License, Version 2.0 |
| * (the "License"); you may not use this file except in compliance with |
| * the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| package org.apache.ignite.jdbc.thin; |
| |
| import java.security.Permissions; |
| import java.sql.Connection; |
| import java.sql.DriverManager; |
| import java.sql.ResultSet; |
| import java.sql.SQLException; |
| import java.sql.Statement; |
| import java.util.concurrent.Callable; |
| import javax.cache.configuration.Factory; |
| import javax.net.ssl.SSLContext; |
| import org.apache.ignite.configuration.ClientConnectorConfiguration; |
| import org.apache.ignite.configuration.IgniteConfiguration; |
| import org.apache.ignite.internal.binary.BinaryMarshaller; |
| import org.apache.ignite.internal.processors.security.impl.TestAdditionalSecurityPluginProvider; |
| import org.apache.ignite.internal.processors.security.impl.TestSecurityData; |
| import org.apache.ignite.internal.util.typedef.internal.U; |
| import org.apache.ignite.plugin.security.SecurityPermissionSetBuilder; |
| import org.apache.ignite.ssl.SslContextFactory; |
| import org.apache.ignite.testframework.GridTestUtils; |
| import org.junit.Test; |
| |
| import static org.apache.ignite.internal.processors.security.impl.TestAdditionalSecurityProcessor.CLIENT; |
| import static org.apache.ignite.plugin.security.SecurityPermission.ADMIN_OPS; |
| import static org.apache.ignite.plugin.security.SecurityPermissionSetBuilder.ALLOW_ALL; |
| |
| /** |
| * SSL connection test with security plugin. |
| */ |
| @SuppressWarnings("ThrowableNotThrown") |
| public class JdbcThinConnectionAdditionalSecurityTest extends JdbcThinAbstractSelfTest { |
| /** Client key store path. */ |
| private static final String CLI_KEY_STORE_PATH = U.getIgniteHome() + |
| "/modules/clients/src/test/keystore/client.jks"; |
| |
| /** Server key store path. */ |
| private static final String SRV_KEY_STORE_PATH = U.getIgniteHome() + |
| "/modules/clients/src/test/keystore/server.jks"; |
| |
| /** Trust key store path. */ |
| private static final String TRUST_KEY_STORE_PATH = U.getIgniteHome() + |
| "/modules/clients/src/test/keystore/trust-one.jks"; |
| |
| /** SSL context factory. */ |
| private static Factory<SSLContext> sslCtxFactory; |
| |
| /** Set SSL context factory to client listener. */ |
| private static boolean setSslCtxFactoryToCli; |
| |
| /** Set SSL context factory to ignite. */ |
| private static boolean setSslCtxFactoryToIgnite; |
| |
| /** {@inheritDoc} */ |
| @SuppressWarnings("deprecation") |
| @Override protected IgniteConfiguration getConfiguration(String igniteInstanceName) throws Exception { |
| IgniteConfiguration cfg = super.getConfiguration(igniteInstanceName); |
| |
| cfg.setMarshaller(new BinaryMarshaller()); |
| |
| cfg.setPluginProviders(new TestAdditionalSecurityPluginProvider("srv_" + igniteInstanceName, null, ALLOW_ALL, |
| false, true, clientData())); |
| |
| cfg.setClientConnectorConfiguration( |
| new ClientConnectorConfiguration() |
| .setSslEnabled(true) |
| .setUseIgniteSslContextFactory(setSslCtxFactoryToIgnite) |
| .setSslClientAuth(true) |
| .setSslContextFactory(setSslCtxFactoryToCli ? sslCtxFactory : null)); |
| |
| cfg.setSslContextFactory(setSslCtxFactoryToIgnite ? sslCtxFactory : null); |
| |
| return cfg; |
| } |
| |
| /** |
| * @return Test data. |
| */ |
| protected TestSecurityData[] clientData() { |
| return new TestSecurityData[]{new TestSecurityData(CLIENT, |
| "pwd", |
| SecurityPermissionSetBuilder.create().defaultAllowAll(false) |
| .appendSystemPermissions(ADMIN_OPS) |
| .build(), |
| new Permissions() |
| )}; |
| } |
| |
| /** |
| * @throws Exception If failed. |
| */ |
| @Test |
| public void testConnection() throws Exception { |
| setSslCtxFactoryToCli = true; |
| sslCtxFactory = getTestSslContextFactory(); |
| |
| startGrids(1); |
| |
| try { |
| try (Connection conn = DriverManager.getConnection("jdbc:ignite:thin://127.0.0.1/?sslMode=require" + |
| "&user=client_admin_oper" + |
| "&password=pwd" + |
| "&sslClientCertificateKeyStoreUrl=" + CLI_KEY_STORE_PATH + |
| "&sslClientCertificateKeyStorePassword=123456" + |
| "&sslTrustCertificateKeyStoreUrl=" + TRUST_KEY_STORE_PATH + |
| "&sslTrustCertificateKeyStorePassword=123456" + |
| "&userAttributesFactory=" + |
| "org.apache.ignite.internal.processors.security.UserAttributesFactory")) { |
| checkConnection(conn); |
| } |
| } |
| finally { |
| stopAllGrids(); |
| } |
| } |
| |
| /** |
| * @throws Exception If failed. |
| */ |
| @Test |
| public void testConnectionNoClientVersion() throws Exception { |
| setSslCtxFactoryToIgnite = true; |
| sslCtxFactory = getTestSslContextFactory(); |
| |
| startGrids(1); |
| |
| try { |
| GridTestUtils.assertThrows(log, new Callable<Object>() { |
| @Override public Object call() throws Exception { |
| DriverManager.getConnection("jdbc:ignite:thin://127.0.0.1/?sslMode=require" + |
| "&user=client_admin_oper" + |
| "&password=pwd" + |
| "&sslClientCertificateKeyStoreUrl=" + CLI_KEY_STORE_PATH + |
| "&sslClientCertificateKeyStorePassword=123456" + |
| "&sslTrustCertificateKeyStoreUrl=" + TRUST_KEY_STORE_PATH + |
| "&sslTrustCertificateKeyStorePassword=123456"); |
| |
| return null; |
| } |
| }, SQLException.class, "Client version is not found."); |
| } |
| finally { |
| stopAllGrids(); |
| } |
| } |
| |
| /** |
| * @throws Exception If failed. |
| */ |
| @Test |
| public void testConnectionWrongLogin() throws Exception { |
| setSslCtxFactoryToIgnite = true; |
| sslCtxFactory = getTestSslContextFactory(); |
| |
| startGrids(1); |
| |
| try { |
| GridTestUtils.assertThrows(log, new Callable<Object>() { |
| @Override public Object call() throws Exception { |
| DriverManager.getConnection("jdbc:ignite:thin://127.0.0.1/?sslMode=require" + |
| "&user=server" + |
| "&password=pwd" + |
| "&sslClientCertificateKeyStoreUrl=" + CLI_KEY_STORE_PATH + |
| "&sslClientCertificateKeyStorePassword=123456" + |
| "&sslTrustCertificateKeyStoreUrl=" + TRUST_KEY_STORE_PATH + |
| "&sslTrustCertificateKeyStorePassword=123456" + |
| "&userAttributesFactory=" + |
| "org.apache.ignite.internal.processors.security.UserAttributesFactory"); |
| |
| return null; |
| } |
| }, SQLException.class, "User isn't allowed to use client"); |
| } |
| finally { |
| stopAllGrids(); |
| } |
| } |
| |
| /** |
| * @throws Exception If failed. |
| */ |
| @Test |
| public void testConnectionUseIgniteFactory() throws Exception { |
| setSslCtxFactoryToIgnite = true; |
| sslCtxFactory = getTestSslContextFactory(); |
| |
| startGrids(1); |
| |
| try { |
| GridTestUtils.assertThrows(log, new Callable<Object>() { |
| @Override public Object call() throws Exception { |
| DriverManager.getConnection("jdbc:ignite:thin://127.0.0.1/?sslMode=require" + |
| "&sslClientCertificateKeyStoreUrl=" + CLI_KEY_STORE_PATH + |
| "&sslClientCertificateKeyStorePassword=123456" + |
| "&sslTrustCertificateKeyStoreUrl=" + TRUST_KEY_STORE_PATH + |
| "&sslTrustCertificateKeyStorePassword=123456" + |
| "&userAttributesFactory=" + |
| "org.apache.ignite.internal.processors.security.UserAttributesFactory"); |
| |
| return null; |
| } |
| }, SQLException.class, "User isn't allowed to use client"); |
| } |
| finally { |
| stopAllGrids(); |
| } |
| } |
| |
| /** |
| * @param conn Connection to check. |
| * @throws SQLException On failed. |
| */ |
| public void checkConnection(Connection conn) throws SQLException { |
| assertEquals("PUBLIC", conn.getSchema()); |
| |
| try (Statement stmt = conn.createStatement()) { |
| ResultSet rs = stmt.executeQuery("SELECT 1"); |
| |
| assertTrue(rs.next()); |
| |
| assertEquals(1, rs.getInt(1)); |
| } |
| } |
| |
| /** |
| * @return Test SSL context factory. |
| */ |
| private static Factory<SSLContext> getTestSslContextFactory() { |
| SslContextFactory factory = new SslContextFactory(); |
| |
| factory.setKeyStoreFilePath(SRV_KEY_STORE_PATH); |
| factory.setKeyStorePassword("123456".toCharArray()); |
| factory.setTrustStoreFilePath(TRUST_KEY_STORE_PATH); |
| factory.setTrustStorePassword("123456".toCharArray()); |
| |
| return factory; |
| } |
| } |