001/* 002 * Licensed to the Apache Software Foundation (ASF) under one 003 * or more contributor license agreements. See the NOTICE file 004 * distributed with this work for additional information 005 * regarding copyright ownership. The ASF licenses this file 006 * to you under the Apache License, Version 2.0 (the 007 * "License"); you may not use this file except in compliance 008 * with the License. You may obtain a copy of the License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, software 013 * distributed under the License is distributed on an "AS IS" BASIS, 014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 015 * See the License for the specific language governing permissions and 016 * limitations under the License. 017 */ 018package org.apache.hadoop.hbase.security; 019 020import java.util.ArrayList; 021import java.util.List; 022import java.util.stream.Stream; 023import org.apache.hadoop.conf.Configuration; 024import org.apache.hadoop.hbase.HBaseParameterizedTestTemplate; 025import org.apache.hadoop.hbase.io.crypto.tls.X509KeyType; 026import org.apache.hadoop.hbase.io.crypto.tls.X509Util; 027import org.apache.hadoop.hbase.testclassification.RPCTests; 028import org.apache.hadoop.hbase.testclassification.SmallTests; 029import org.junit.jupiter.api.Tag; 030import org.junit.jupiter.params.provider.Arguments; 031 032/** 033 * Comprehensively tests all permutations of certificate and host verification on the client side. 034 * Tests each permutation of that against each value of {@link CertConfig}, i.e. passing a bad cert, 035 * etc. See inline comments in {@link #data()} below for what the expectations are 036 */ 037@Tag(RPCTests.TAG) 038@Tag(SmallTests.TAG) 039@HBaseParameterizedTestTemplate(name = "{index}: caKeyType={0}, certKeyType={1}, keyPassword={2}, " 040 + "validateServerHostnames={3}, testCase={4}, certConfig={5}") 041public class TestMutualTlsClientSide extends AbstractTestMutualTls { 042 043 public static Stream<Arguments> parameters() { 044 List<Arguments> params = new ArrayList<>(); 045 for (X509KeyType caKeyType : X509KeyType.values()) { 046 for (X509KeyType certKeyType : X509KeyType.values()) { 047 for (String keyPassword : new String[] { "", "pa$$w0rd" }) { 048 // we want to run with and without validating hostnames. we encode the expected success 049 // criteria in the TestCase config. See below. 050 for (boolean validateServerHostnames : new Boolean[] { true, false }) { 051 // fail for non-verifiable certs or certs with bad hostnames when validateServerHostname 052 // is true. otherwise succeed. 053 params.add(Arguments.of(caKeyType, certKeyType, keyPassword, false, 054 validateServerHostnames, CertConfig.NON_VERIFIABLE_CERT)); 055 params.add(Arguments.of(caKeyType, certKeyType, keyPassword, !validateServerHostnames, 056 validateServerHostnames, CertConfig.VERIFIABLE_CERT_WITH_BAD_HOST)); 057 params.add(Arguments.of(caKeyType, certKeyType, keyPassword, true, 058 validateServerHostnames, CertConfig.GOOD_CERT)); 059 } 060 } 061 } 062 } 063 return params.stream(); 064 } 065 066 public TestMutualTlsClientSide(X509KeyType caKeyType, X509KeyType certKeyType, String keyPassword, 067 boolean expectSuccess, boolean validateHostnames, CertConfig certConfig) { 068 super(caKeyType, certKeyType, keyPassword, expectSuccess, validateHostnames, certConfig); 069 } 070 071 @Override 072 protected void initialize(Configuration serverConf, Configuration clientConf) throws Exception { 073 // client verifies server hostname, and injects bad certs into server conf 074 clientConf.setBoolean(X509Util.HBASE_CLIENT_NETTY_TLS_VERIFY_SERVER_HOSTNAME, 075 validateHostnames); 076 handleCertConfig(serverConf); 077 } 078}