gateway-test/src/test/java/org/apache/knox/gateway/GatewaySslFuncTest.java - knox - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 package org.apache.knox.gateway;

 import java.io.File;
 import java.nio.charset.StandardCharsets;
 import java.security.KeyManagementException;
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
 import java.util.HashMap;
 import java.util.Iterator;
 import java.util.Map;
 import java.util.Properties;
 import java.util.ServiceLoader;
 import java.util.UUID;
 import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLHandshakeException;
 import javax.net.ssl.SSLSession;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.X509TrustManager;
 import javax.xml.transform.stream.StreamSource;

 import org.apache.commons.io.FileUtils;
 import org.apache.knox.gateway.services.DefaultGatewayServices;
 import org.apache.knox.gateway.services.ServiceType;
 import org.apache.knox.gateway.services.GatewayServices;
 import org.apache.knox.gateway.services.ServiceLifecycleException;
 import org.apache.knox.gateway.services.topology.TopologyService;
 import org.apache.knox.test.TestUtils;
 import org.apache.knox.test.category.ReleaseTest;
 import org.apache.knox.test.mock.MockServer;
 import org.apache.http.HttpHost;
 import org.apache.http.auth.AuthScope;
 import org.apache.http.auth.UsernamePasswordCredentials;
 import org.apache.http.client.AuthCache;
 import org.apache.http.client.CredentialsProvider;
 import org.apache.http.client.methods.CloseableHttpResponse;
 import org.apache.http.client.methods.HttpGet;
 import org.apache.http.client.protocol.HttpClientContext;
 import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
 import org.apache.http.impl.auth.BasicScheme;
 import org.apache.http.impl.client.BasicAuthCache;
 import org.apache.http.impl.client.BasicCredentialsProvider;
 import org.apache.http.impl.client.CloseableHttpClient;
 import org.apache.http.impl.client.HttpClients;
 import org.junit.After;
 import org.junit.AfterClass;
 import org.junit.BeforeClass;
 import org.junit.Test;
 import org.junit.experimental.categories.Category;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

 import static org.apache.knox.test.TestUtils.LOG_ENTER;
 import static org.apache.knox.test.TestUtils.LOG_EXIT;
 import static org.hamcrest.CoreMatchers.notNullValue;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.junit.Assert.fail;
 import static org.xmlmatchers.transform.XmlConverters.the;
 import static org.xmlmatchers.xpath.HasXPath.hasXPath;

 @Category( ReleaseTest.class )
 public class GatewaySslFuncTest {
   private static final Logger LOG = LoggerFactory.getLogger( GatewaySslFuncTest.class );
   private static final Class<?> DAT = GatewaySslFuncTest.class;

   private static GatewayTestConfig config;
   private static DefaultGatewayServices services;
   private static GatewayServer gateway;
   private static String gatewayScheme;
   private static int gatewayPort;
   private static String gatewayUrl;
   private static Properties params;
   private static TopologyService topos;
   private static MockServer mockWebHdfs;
   private static GatewayTestDriver driver = new GatewayTestDriver();

   @BeforeClass
   public static void setUpBeforeClass() throws Exception {
     LOG_ENTER();
     driver.setupLdap(0);
     setupGateway();
     LOG_EXIT();
   }

   @AfterClass
   public static void tearDownAfterClass() throws Exception {
     LOG_ENTER();
     gateway.stop();
     driver.cleanup();
     FileUtils.deleteQuietly( new File( config.getGatewayHomeDir() ) );
     LOG_EXIT();
   }

   @After
   public void cleanupTest() throws Exception {
     FileUtils.cleanDirectory( new File( config.getGatewayTopologyDir() ) );
     // Test run should not fail if deleting deployment files is not successful.
     // Deletion has been already done by TopologyService.
     FileUtils.deleteQuietly( new File( config.getGatewayDeploymentDir() ) );
   }

   public static void setupGateway() throws Exception {
     File targetDir = new File( System.getProperty( "user.dir" ), "target" );
     File gatewayDir = new File( targetDir, "gateway-home-" + UUID.randomUUID() );
     gatewayDir.mkdirs();

     config = new GatewayTestConfig();
     config.setGatewayHomeDir( gatewayDir.getAbsolutePath() );

     File topoDir = new File( config.getGatewayTopologyDir() );
     topoDir.mkdirs();

     File deployDir = new File( config.getGatewayDeploymentDir() );
     deployDir.mkdirs();

     File securityDir = new File( config.getGatewaySecurityDir() );
     securityDir.mkdirs();

     config.setSSLEnabled( true );

     setupMockServers();
     startGatewayServer();
   }

   public static void setupMockServers() throws Exception {
     mockWebHdfs = new MockServer( "WEBHDFS", true );
   }

   private static GatewayServices instantiateGatewayServices() {
     ServiceLoader<GatewayServices> loader = ServiceLoader.load( GatewayServices.class );
     Iterator<GatewayServices> services = loader.iterator();
     if (services.hasNext()) {
       return services.next();
     }
     return null;
   }

   public static void startGatewayServer() throws Exception {
     instantiateGatewayServices();
     services = new DefaultGatewayServices();
     Map<String,String> options = new HashMap<>();
     options.put( "persist-master", "false" );
     options.put( "master", "password" );
     try {
       services.init( config, options );
     } catch ( ServiceLifecycleException e ) {
       e.printStackTrace(); // I18N not required.
     }
     topos = services.getService(ServiceType.TOPOLOGY_SERVICE);

     gateway = GatewayServer.startGateway( config, services );
     assertThat( "Failed to start gateway.", gateway, notNullValue() );

     gatewayScheme = config.isSSLEnabled() ? "https" : "http";
     gatewayPort = gateway.getAddresses()[0].getPort();
     gatewayUrl = gatewayScheme + "://localhost:" + gatewayPort + "/" + config.getGatewayPath();

     LOG.info( "Gateway port = " + gateway.getAddresses()[ 0 ].getPort() );

     params = new Properties();
     params.put( "LDAP_URL", driver.getLdapUrl() );
     params.put( "WEBHDFS_URL", "http://localhost:" + mockWebHdfs.getPort() );
   }

   @Test( timeout = TestUtils.MEDIUM_TIMEOUT )
   public void testKnox674SslCipherSuiteConfig() throws Exception {
     LOG_ENTER();

     String topoStr = TestUtils.merge( DAT, "test-admin-topology.xml", params );
     File topoFile = new File( config.getGatewayTopologyDir(), "test-topology.xml" );
     FileUtils.writeStringToFile( topoFile, topoStr, StandardCharsets.UTF_8);

     topos.reloadTopologies();

     String username = "guest";
     String password = "guest-password";
     String serviceUrl = gatewayUrl + "/test-topology/api/v1/version";

     HttpHost targetHost = new HttpHost( "localhost", gatewayPort, gatewayScheme );
     CredentialsProvider credsProvider = new BasicCredentialsProvider();
     credsProvider.setCredentials(
         new AuthScope( targetHost.getHostName(), targetHost.getPort() ),
         new UsernamePasswordCredentials( username, password ) );

     AuthCache authCache = new BasicAuthCache();
     BasicScheme basicAuth = new BasicScheme();
     authCache.put( targetHost, basicAuth );

     HttpClientContext context = HttpClientContext.create();
     context.setCredentialsProvider( credsProvider );
     context.setAuthCache( authCache );

     CloseableHttpClient client = HttpClients.custom()
         .setSSLSocketFactory(
             new SSLConnectionSocketFactory(
                 createInsecureSslContext(),
                 new String[]{"TLSv1.2"},
                 new String[]{"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"},
                 new TrustAllHosts() ) )
         .build();
     HttpGet request = new HttpGet( serviceUrl );
     CloseableHttpResponse response = client.execute( request, context );
     assertThat( the( new StreamSource( response.getEntity().getContent() ) ), hasXPath( "/ServerVersion/version" ) );
     response.close();
     client.close();

     gateway.stop();
     config.setExcludedSSLCiphers( Arrays.asList( new String[]{ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" } ) );
     config.setIncludedSSLCiphers( Arrays.asList( new String[]{ "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" } ) );

     startGatewayServer();
     serviceUrl = gatewayUrl + "/test-topology/api/v1/version";

     try {
       client = HttpClients.custom()
           .setSSLSocketFactory(
               new SSLConnectionSocketFactory(
                   createInsecureSslContext(),
                   new String[]{ "TLSv1.2" },
                   new String[]{ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" },
                   new TrustAllHosts() ) ).build();
       request = new HttpGet( serviceUrl );
       client.execute( request, context );
       fail( "Expected SSLHandshakeException" );
     } catch ( SSLHandshakeException e ) {
       // Expected.
       client.close();
     }

     client = HttpClients.custom()
         .setSSLSocketFactory(
             new SSLConnectionSocketFactory(
                 createInsecureSslContext(),
                 new String[]{ "TLSv1.2" },
                 new String[]{ "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" },
                 new TrustAllHosts() ) ).build();
     request = new HttpGet( serviceUrl );
     response = client.execute( request, context );
     assertThat( the( new StreamSource( response.getEntity().getContent() ) ), hasXPath( "/ServerVersion/version" ) );
     response.close();
     client.close();

     LOG_EXIT();
   }

   public static class TrustAllHosts implements HostnameVerifier {
     @Override
     public boolean verify( String host, SSLSession sslSession ) {
       // Trust all hostnames.
       return true;
     }
   }

   public static class TrustAllCerts implements X509TrustManager {
     @Override
     public void checkClientTrusted(X509Certificate[] x509Certificates, String s ) throws CertificateException {
       // Trust all certificates.
     }

     @Override
     public void checkServerTrusted(X509Certificate[] x509Certificates, String s ) throws CertificateException {
       // Trust all certificates.
     }

     @Override
     public X509Certificate[] getAcceptedIssuers() {
       return null;
     }

   }

   public static SSLContext createInsecureSslContext() throws NoSuchAlgorithmException, KeyManagementException {
     SSLContext sslContext = SSLContext.getInstance( "SSL" );
     sslContext.init( null, new TrustManager[]{ new TrustAllCerts() }, new SecureRandom() );
     return sslContext;
   }
 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/
	package org.apache.knox.gateway;

	import java.io.File;
	import java.nio.charset.StandardCharsets;
	import java.security.KeyManagementException;
	import java.security.NoSuchAlgorithmException;
	import java.security.SecureRandom;
	import java.security.cert.CertificateException;
	import java.security.cert.X509Certificate;
	import java.util.Arrays;
	import java.util.HashMap;
	import java.util.Iterator;
	import java.util.Map;
	import java.util.Properties;
	import java.util.ServiceLoader;
	import java.util.UUID;
	import javax.net.ssl.HostnameVerifier;
	import javax.net.ssl.SSLContext;
	import javax.net.ssl.SSLHandshakeException;
	import javax.net.ssl.SSLSession;
	import javax.net.ssl.TrustManager;
	import javax.net.ssl.X509TrustManager;
	import javax.xml.transform.stream.StreamSource;

	import org.apache.commons.io.FileUtils;
	import org.apache.knox.gateway.services.DefaultGatewayServices;
	import org.apache.knox.gateway.services.ServiceType;
	import org.apache.knox.gateway.services.GatewayServices;
	import org.apache.knox.gateway.services.ServiceLifecycleException;
	import org.apache.knox.gateway.services.topology.TopologyService;
	import org.apache.knox.test.TestUtils;
	import org.apache.knox.test.category.ReleaseTest;
	import org.apache.knox.test.mock.MockServer;
	import org.apache.http.HttpHost;
	import org.apache.http.auth.AuthScope;
	import org.apache.http.auth.UsernamePasswordCredentials;
	import org.apache.http.client.AuthCache;
	import org.apache.http.client.CredentialsProvider;
	import org.apache.http.client.methods.CloseableHttpResponse;
	import org.apache.http.client.methods.HttpGet;
	import org.apache.http.client.protocol.HttpClientContext;
	import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
	import org.apache.http.impl.auth.BasicScheme;
	import org.apache.http.impl.client.BasicAuthCache;
	import org.apache.http.impl.client.BasicCredentialsProvider;
	import org.apache.http.impl.client.CloseableHttpClient;
	import org.apache.http.impl.client.HttpClients;
	import org.junit.After;
	import org.junit.AfterClass;
	import org.junit.BeforeClass;
	import org.junit.Test;
	import org.junit.experimental.categories.Category;
	import org.slf4j.Logger;
	import org.slf4j.LoggerFactory;

	import static org.apache.knox.test.TestUtils.LOG_ENTER;
	import static org.apache.knox.test.TestUtils.LOG_EXIT;
	import static org.hamcrest.CoreMatchers.notNullValue;
	import static org.hamcrest.MatcherAssert.assertThat;
	import static org.junit.Assert.fail;
	import static org.xmlmatchers.transform.XmlConverters.the;
	import static org.xmlmatchers.xpath.HasXPath.hasXPath;

	@Category( ReleaseTest.class )
	public class GatewaySslFuncTest {
	private static final Logger LOG = LoggerFactory.getLogger( GatewaySslFuncTest.class );
	private static final Class<?> DAT = GatewaySslFuncTest.class;

	private static GatewayTestConfig config;
	private static DefaultGatewayServices services;
	private static GatewayServer gateway;
	private static String gatewayScheme;
	private static int gatewayPort;
	private static String gatewayUrl;
	private static Properties params;
	private static TopologyService topos;
	private static MockServer mockWebHdfs;
	private static GatewayTestDriver driver = new GatewayTestDriver();

	@BeforeClass
	public static void setUpBeforeClass() throws Exception {
	LOG_ENTER();
	driver.setupLdap(0);
	setupGateway();
	LOG_EXIT();
	}

	@AfterClass
	public static void tearDownAfterClass() throws Exception {
	LOG_ENTER();
	gateway.stop();
	driver.cleanup();
	FileUtils.deleteQuietly( new File( config.getGatewayHomeDir() ) );
	LOG_EXIT();
	}

	@After
	public void cleanupTest() throws Exception {
	FileUtils.cleanDirectory( new File( config.getGatewayTopologyDir() ) );
	// Test run should not fail if deleting deployment files is not successful.
	// Deletion has been already done by TopologyService.
	FileUtils.deleteQuietly( new File( config.getGatewayDeploymentDir() ) );
	}

	public static void setupGateway() throws Exception {
	File targetDir = new File( System.getProperty( "user.dir" ), "target" );
	File gatewayDir = new File( targetDir, "gateway-home-" + UUID.randomUUID() );
	gatewayDir.mkdirs();

	config = new GatewayTestConfig();
	config.setGatewayHomeDir( gatewayDir.getAbsolutePath() );

	File topoDir = new File( config.getGatewayTopologyDir() );
	topoDir.mkdirs();

	File deployDir = new File( config.getGatewayDeploymentDir() );
	deployDir.mkdirs();

	File securityDir = new File( config.getGatewaySecurityDir() );
	securityDir.mkdirs();

	config.setSSLEnabled( true );

	setupMockServers();
	startGatewayServer();
	}

	public static void setupMockServers() throws Exception {
	mockWebHdfs = new MockServer( "WEBHDFS", true );
	}

	private static GatewayServices instantiateGatewayServices() {
	ServiceLoader<GatewayServices> loader = ServiceLoader.load( GatewayServices.class );
	Iterator<GatewayServices> services = loader.iterator();
	if (services.hasNext()) {
	return services.next();
	}
	return null;
	}

	public static void startGatewayServer() throws Exception {
	instantiateGatewayServices();
	services = new DefaultGatewayServices();
	Map<String,String> options = new HashMap<>();
	options.put( "persist-master", "false" );
	options.put( "master", "password" );
	try {
	services.init( config, options );
	} catch ( ServiceLifecycleException e ) {
	e.printStackTrace(); // I18N not required.
	}
	topos = services.getService(ServiceType.TOPOLOGY_SERVICE);

	gateway = GatewayServer.startGateway( config, services );
	assertThat( "Failed to start gateway.", gateway, notNullValue() );

	gatewayScheme = config.isSSLEnabled() ? "https" : "http";
	gatewayPort = gateway.getAddresses()[0].getPort();
	gatewayUrl = gatewayScheme + "://localhost:" + gatewayPort + "/" + config.getGatewayPath();

	LOG.info( "Gateway port = " + gateway.getAddresses()[ 0 ].getPort() );

	params = new Properties();
	params.put( "LDAP_URL", driver.getLdapUrl() );
	params.put( "WEBHDFS_URL", "http://localhost:" + mockWebHdfs.getPort() );
	}

	@Test( timeout = TestUtils.MEDIUM_TIMEOUT )
	public void testKnox674SslCipherSuiteConfig() throws Exception {
	LOG_ENTER();

	String topoStr = TestUtils.merge( DAT, "test-admin-topology.xml", params );
	File topoFile = new File( config.getGatewayTopologyDir(), "test-topology.xml" );
	FileUtils.writeStringToFile( topoFile, topoStr, StandardCharsets.UTF_8);

	topos.reloadTopologies();

	String username = "guest";
	String password = "guest-password";
	String serviceUrl = gatewayUrl + "/test-topology/api/v1/version";

	HttpHost targetHost = new HttpHost( "localhost", gatewayPort, gatewayScheme );
	CredentialsProvider credsProvider = new BasicCredentialsProvider();
	credsProvider.setCredentials(
	new AuthScope( targetHost.getHostName(), targetHost.getPort() ),
	new UsernamePasswordCredentials( username, password ) );

	AuthCache authCache = new BasicAuthCache();
	BasicScheme basicAuth = new BasicScheme();
	authCache.put( targetHost, basicAuth );

	HttpClientContext context = HttpClientContext.create();
	context.setCredentialsProvider( credsProvider );
	context.setAuthCache( authCache );

	CloseableHttpClient client = HttpClients.custom()
	.setSSLSocketFactory(
	new SSLConnectionSocketFactory(
	createInsecureSslContext(),
	new String[]{"TLSv1.2"},
	new String[]{"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"},
	new TrustAllHosts() ) )
	.build();
	HttpGet request = new HttpGet( serviceUrl );
	CloseableHttpResponse response = client.execute( request, context );
	assertThat( the( new StreamSource( response.getEntity().getContent() ) ), hasXPath( "/ServerVersion/version" ) );
	response.close();
	client.close();

	gateway.stop();
	config.setExcludedSSLCiphers( Arrays.asList( new String[]{ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" } ) );
	config.setIncludedSSLCiphers( Arrays.asList( new String[]{ "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" } ) );

	startGatewayServer();
	serviceUrl = gatewayUrl + "/test-topology/api/v1/version";

	try {
	client = HttpClients.custom()
	.setSSLSocketFactory(
	new SSLConnectionSocketFactory(
	createInsecureSslContext(),
	new String[]{ "TLSv1.2" },
	new String[]{ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" },
	new TrustAllHosts() ) ).build();
	request = new HttpGet( serviceUrl );
	client.execute( request, context );
	fail( "Expected SSLHandshakeException" );
	} catch ( SSLHandshakeException e ) {
	// Expected.
	client.close();
	}

	client = HttpClients.custom()
	.setSSLSocketFactory(
	new SSLConnectionSocketFactory(
	createInsecureSslContext(),
	new String[]{ "TLSv1.2" },
	new String[]{ "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" },
	new TrustAllHosts() ) ).build();
	request = new HttpGet( serviceUrl );
	response = client.execute( request, context );
	assertThat( the( new StreamSource( response.getEntity().getContent() ) ), hasXPath( "/ServerVersion/version" ) );
	response.close();
	client.close();

	LOG_EXIT();
	}

	public static class TrustAllHosts implements HostnameVerifier {
	@Override
	public boolean verify( String host, SSLSession sslSession ) {
	// Trust all hostnames.
	return true;
	}
	}

	public static class TrustAllCerts implements X509TrustManager {
	@Override
	public void checkClientTrusted(X509Certificate[] x509Certificates, String s ) throws CertificateException {
	// Trust all certificates.
	}

	@Override
	public void checkServerTrusted(X509Certificate[] x509Certificates, String s ) throws CertificateException {
	// Trust all certificates.
	}

	@Override
	public X509Certificate[] getAcceptedIssuers() {
	return null;
	}

	}

	public static SSLContext createInsecureSslContext() throws NoSuchAlgorithmException, KeyManagementException {
	SSLContext sslContext = SSLContext.getInstance( "SSL" );
	sslContext.init( null, new TrustManager[]{ new TrustAllCerts() }, new SecureRandom() );
	return sslContext;
	}
	}