001/*
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements.  See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership.  The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License.  You may obtain a copy of the License at
009 *
010 *     http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software
013 * distributed under the License is distributed on an "AS IS" BASIS,
014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
015 * See the License for the specific language governing permissions and
016 * limitations under the License.
017 */
018package org.apache.hadoop.hbase.security;
019
020import java.util.ArrayList;
021import java.util.List;
022import java.util.stream.Stream;
023import org.apache.hadoop.conf.Configuration;
024import org.apache.hadoop.hbase.HBaseParameterizedTestTemplate;
025import org.apache.hadoop.hbase.io.crypto.tls.X509KeyType;
026import org.apache.hadoop.hbase.io.crypto.tls.X509Util;
027import org.apache.hadoop.hbase.testclassification.RPCTests;
028import org.apache.hadoop.hbase.testclassification.SmallTests;
029import org.junit.jupiter.api.Tag;
030import org.junit.jupiter.params.provider.Arguments;
031
032/**
033 * Comprehensively tests all permutations of certificate and host verification on the client side.
034 * Tests each permutation of that against each value of {@link CertConfig}, i.e. passing a bad cert,
035 * etc. See inline comments in {@link #data()} below for what the expectations are
036 */
037@Tag(RPCTests.TAG)
038@Tag(SmallTests.TAG)
039@HBaseParameterizedTestTemplate(name = "{index}: caKeyType={0}, certKeyType={1}, keyPassword={2}, "
040  + "validateServerHostnames={3}, testCase={4}, certConfig={5}")
041public class TestMutualTlsClientSide extends AbstractTestMutualTls {
042
043  public static Stream<Arguments> parameters() {
044    List<Arguments> params = new ArrayList<>();
045    for (X509KeyType caKeyType : X509KeyType.values()) {
046      for (X509KeyType certKeyType : X509KeyType.values()) {
047        for (String keyPassword : new String[] { "", "pa$$w0rd" }) {
048          // we want to run with and without validating hostnames. we encode the expected success
049          // criteria in the TestCase config. See below.
050          for (boolean validateServerHostnames : new Boolean[] { true, false }) {
051            // fail for non-verifiable certs or certs with bad hostnames when validateServerHostname
052            // is true. otherwise succeed.
053            params.add(Arguments.of(caKeyType, certKeyType, keyPassword, false,
054              validateServerHostnames, CertConfig.NON_VERIFIABLE_CERT));
055            params.add(Arguments.of(caKeyType, certKeyType, keyPassword, !validateServerHostnames,
056              validateServerHostnames, CertConfig.VERIFIABLE_CERT_WITH_BAD_HOST));
057            params.add(Arguments.of(caKeyType, certKeyType, keyPassword, true,
058              validateServerHostnames, CertConfig.GOOD_CERT));
059          }
060        }
061      }
062    }
063    return params.stream();
064  }
065
066  public TestMutualTlsClientSide(X509KeyType caKeyType, X509KeyType certKeyType, String keyPassword,
067    boolean expectSuccess, boolean validateHostnames, CertConfig certConfig) {
068    super(caKeyType, certKeyType, keyPassword, expectSuccess, validateHostnames, certConfig);
069  }
070
071  @Override
072  protected void initialize(Configuration serverConf, Configuration clientConf) throws Exception {
073    // client verifies server hostname, and injects bad certs into server conf
074    clientConf.setBoolean(X509Util.HBASE_CLIENT_NETTY_TLS_VERIFY_SERVER_HOSTNAME,
075      validateHostnames);
076    handleCertConfig(serverConf);
077  }
078}