Source code

001/*
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements.  See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership.  The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License.  You may obtain a copy of the License at
009 *
010 *     http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software
013 * distributed under the License is distributed on an "AS IS" BASIS,
014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
015 * See the License for the specific language governing permissions and
016 * limitations under the License.
017 */
018package org.apache.hadoop.hbase.ipc;
019
020import static org.mockito.Mockito.mock;
021import static org.mockito.Mockito.when;
022
023import java.io.File;
024import java.io.IOException;
025import java.net.InetSocketAddress;
026import java.security.Security;
027import java.util.ArrayList;
028import java.util.List;
029import org.apache.commons.io.FileUtils;
030import org.apache.hadoop.conf.Configuration;
031import org.apache.hadoop.hbase.HBaseClassTestRule;
032import org.apache.hadoop.hbase.HBaseCommonTestingUtility;
033import org.apache.hadoop.hbase.Server;
034import org.apache.hadoop.hbase.codec.Codec;
035import org.apache.hadoop.hbase.io.crypto.tls.KeyStoreFileType;
036import org.apache.hadoop.hbase.io.crypto.tls.X509KeyType;
037import org.apache.hadoop.hbase.io.crypto.tls.X509TestContext;
038import org.apache.hadoop.hbase.io.crypto.tls.X509TestContextProvider;
039import org.apache.hadoop.hbase.io.crypto.tls.X509Util;
040import org.apache.hadoop.hbase.ipc.RpcServer.BlockingServiceAndInterface;
041import org.apache.hadoop.hbase.regionserver.HRegionServer;
042import org.apache.hadoop.hbase.testclassification.MediumTests;
043import org.apache.hadoop.hbase.testclassification.RPCTests;
044import org.apache.hadoop.hbase.util.NettyEventLoopGroupConfig;
045import org.apache.hadoop.hbase.wal.NettyAsyncFSWALConfigHelper;
046import org.bouncycastle.jce.provider.BouncyCastleProvider;
047import org.junit.After;
048import org.junit.AfterClass;
049import org.junit.Before;
050import org.junit.BeforeClass;
051import org.junit.ClassRule;
052import org.junit.experimental.categories.Category;
053import org.junit.runner.RunWith;
054import org.junit.runners.Parameterized;
055
056@RunWith(Parameterized.class)
057@Category({ RPCTests.class, MediumTests.class })
058public class TestNettyTlsIPC extends AbstractTestIPC {
059
060  @ClassRule
061  public static final HBaseClassTestRule CLASS_RULE =
062    HBaseClassTestRule.forClass(TestNettyTlsIPC.class);
063
064  private static final HBaseCommonTestingUtility UTIL = new HBaseCommonTestingUtility(CONF);
065
066  private static X509TestContextProvider PROVIDER;
067
068  private static NettyEventLoopGroupConfig EVENT_LOOP_GROUP_CONFIG;
069
070  @Parameterized.Parameter(1)
071  public X509KeyType caKeyType;
072
073  @Parameterized.Parameter(2)
074  public X509KeyType certKeyType;
075
076  @Parameterized.Parameter(3)
077  public char[] keyPassword;
078
079  @Parameterized.Parameter(4)
080  public boolean acceptPlainText;
081
082  @Parameterized.Parameter(5)
083  public boolean clientTlsEnabled;
084
085  private X509TestContext x509TestContext;
086
087  // only netty rpc server supports TLS, so here we will only test NettyRpcServer
088  @Parameterized.Parameters(
089      name = "{index}: rpcServerImpl={0}, caKeyType={1}, certKeyType={2}, keyPassword={3},"
090        + " acceptPlainText={4}, clientTlsEnabled={5}")
091  public static List<Object[]> data() {
092    List<Object[]> params = new ArrayList<>();
093    for (X509KeyType caKeyType : X509KeyType.values()) {
094      for (X509KeyType certKeyType : X509KeyType.values()) {
095        for (char[] keyPassword : new char[][] { "".toCharArray(), "pa$$w0rd".toCharArray() }) {
096          // do not accept plain text
097          params.add(new Object[] { NettyRpcServer.class, caKeyType, certKeyType, keyPassword,
098            false, true });
099          // support plain text and client enables tls
100          params.add(
101            new Object[] { NettyRpcServer.class, caKeyType, certKeyType, keyPassword, true, true });
102          // support plain text and client disables tls
103          params.add(new Object[] { NettyRpcServer.class, caKeyType, certKeyType, keyPassword, true,
104            false });
105        }
106      }
107    }
108    return params;
109  }
110
111  @BeforeClass
112  public static void setUpBeforeClass() throws IOException {
113    Security.addProvider(new BouncyCastleProvider());
114    File dir = new File(UTIL.getDataTestDir(TestNettyTlsIPC.class.getSimpleName()).toString())
115      .getCanonicalFile();
116    FileUtils.forceMkdir(dir);
117    // server must enable tls
118    CONF.setBoolean(X509Util.HBASE_SERVER_NETTY_TLS_ENABLED, true);
119    PROVIDER = new X509TestContextProvider(CONF, dir);
120    EVENT_LOOP_GROUP_CONFIG =
121      new NettyEventLoopGroupConfig(CONF, TestNettyTlsIPC.class.getSimpleName());
122    NettyRpcClientConfigHelper.setEventLoopConfig(CONF, EVENT_LOOP_GROUP_CONFIG.group(),
123      EVENT_LOOP_GROUP_CONFIG.clientChannelClass());
124    NettyAsyncFSWALConfigHelper.setEventLoopConfig(CONF, EVENT_LOOP_GROUP_CONFIG.group(),
125      EVENT_LOOP_GROUP_CONFIG.clientChannelClass());
126  }
127
128  @AfterClass
129  public static void tearDownAfterClass() throws InterruptedException {
130    Security.removeProvider(BouncyCastleProvider.PROVIDER_NAME);
131    EVENT_LOOP_GROUP_CONFIG.group().shutdownGracefully().sync();
132    UTIL.cleanupTestDir();
133  }
134
135  @Before
136  public void setUp() throws IOException {
137    x509TestContext = PROVIDER.get(caKeyType, certKeyType, keyPassword);
138    x509TestContext.setConfigurations(KeyStoreFileType.JKS, KeyStoreFileType.JKS);
139    CONF.setBoolean(X509Util.HBASE_SERVER_NETTY_TLS_SUPPORTPLAINTEXT, acceptPlainText);
140    CONF.setBoolean(X509Util.HBASE_CLIENT_NETTY_TLS_ENABLED, clientTlsEnabled);
141  }
142
143  @After
144  public void tearDown() {
145    x509TestContext.clearConfigurations();
146    x509TestContext.getConf().unset(X509Util.TLS_CONFIG_OCSP);
147    x509TestContext.getConf().unset(X509Util.TLS_CONFIG_CLR);
148    x509TestContext.getConf().unset(X509Util.TLS_CONFIG_PROTOCOL);
149    System.clearProperty("com.sun.net.ssl.checkRevocation");
150    System.clearProperty("com.sun.security.enableCRLDP");
151    Security.setProperty("ocsp.enable", Boolean.FALSE.toString());
152    Security.setProperty("com.sun.security.enableCRLDP", Boolean.FALSE.toString());
153  }
154
155  @Override
156  protected RpcServer createRpcServer(Server server, String name,
157    List<BlockingServiceAndInterface> services, InetSocketAddress bindAddress, Configuration conf,
158    RpcScheduler scheduler) throws IOException {
159    HRegionServer mockServer = mock(HRegionServer.class);
160    when(mockServer.getEventLoopGroupConfig()).thenReturn(EVENT_LOOP_GROUP_CONFIG);
161    if (server instanceof HRegionServer) {
162      String clusterId = ((HRegionServer) server).getClusterId();
163      when(mockServer.getClusterId()).thenReturn(clusterId);
164    }
165    return new NettyRpcServer(mockServer, name, services, bindAddress, conf, scheduler, true);
166  }
167
168  @Override
169  protected AbstractRpcClient<?> createRpcClientNoCodec(Configuration conf) {
170    return new NettyRpcClient(conf) {
171
172      @Override
173      protected Codec getCodec() {
174        return null;
175      }
176    };
177  }
178
179  @Override
180  protected AbstractRpcClient<?> createRpcClient(Configuration conf) {
181    return new NettyRpcClient(conf);
182  }
183
184  @Override
185  protected AbstractRpcClient<?> createRpcClientRTEDuringConnectionSetup(Configuration conf)
186    throws IOException {
187    return new NettyRpcClient(conf) {
188
189      @Override
190      protected boolean isTcpNoDelay() {
191        throw new RuntimeException("Injected fault");
192      }
193    };
194  }
195
196  @Override
197  protected RpcServer createTestFailingRpcServer(String name,
198    List<BlockingServiceAndInterface> services, InetSocketAddress bindAddress, Configuration conf,
199    RpcScheduler scheduler) throws IOException {
200    HRegionServer mockServer = mock(HRegionServer.class);
201    when(mockServer.getEventLoopGroupConfig()).thenReturn(EVENT_LOOP_GROUP_CONFIG);
202    return new FailingNettyRpcServer(mockServer, name, services, bindAddress, conf, scheduler);
203  }
204
205  @Override
206  protected AbstractRpcClient<?> createBadAuthRpcClient(Configuration conf) {
207    return new NettyRpcClient(conf) {
208
209      @Override
210      protected NettyRpcConnection createConnection(ConnectionId remoteId) throws IOException {
211        return new BadAuthNettyRpcConnection(this, remoteId);
212      }
213    };
214  }
215}