You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@nifi.apache.org by GitBox <gi...@apache.org> on 2021/09/21 04:12:38 UTC
[GitHub] [nifi] exceptionfactory opened a new pull request #5401: NIFI-9228 Refactored tests to use generated KeyStores
exceptionfactory opened a new pull request #5401:
URL: https://github.com/apache/nifi/pull/5401
#### Description of PR
NIFI-9228 Refactors multiple unit tests and integration tests to use `KeyStoreUtils` to generate temporary KeyStore and TrustStore files in order to support TLS communication. This approach removes the need for files in the repository with certificate expiration dates leading to current and future build failures.
Changes include removing JKS and PKCS12 test files from multiple modules, as well as removing multiple unnecessary Logback test configuration files. Additional adjustments include removing logging from some impacted unit tests, and removing several integration tests that relied on hard-coded KeyStores.
In order to streamline the review of the contribution we ask you
to ensure the following steps have been taken:
### For all changes:
- [X] Is there a JIRA ticket associated with this PR? Is it referenced
in the commit message?
- [X] Does your PR title start with **NIFI-XXXX** where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character.
- [X] Has your PR been rebased against the latest commit within the target branch (typically `main`)?
- [X] Is your initial contribution a single, squashed commit? _Additional commits in response to PR reviewer feedback should be made on this branch and pushed to allow change tracking. Do not `squash` or use `--force` when pushing to allow for clean monitoring of changes._
### For code changes:
- [X] Have you ensured that the full suite of tests is executed via `mvn -Pcontrib-check clean install` at the root `nifi` folder?
- [X] Have you written or updated unit tests to verify your changes?
- [X] Have you verified that the full build is successful on JDK 8?
- [ ] Have you verified that the full build is successful on JDK 11?
- [ ] If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under [ASF 2.0](http://www.apache.org/legal/resolved.html#category-a)?
- [ ] If applicable, have you updated the `LICENSE` file, including the main `LICENSE` file under `nifi-assembly`?
- [ ] If applicable, have you updated the `NOTICE` file, including the main `NOTICE` file found under `nifi-assembly`?
- [ ] If adding new Properties, have you added `.displayName` in addition to .name (programmatic access) for each of the new properties?
### For documentation related changes:
- [ ] Have you ensured that format looks appropriate for the output in which it is rendered?
### Note:
Please ensure that once the PR is submitted, you check GitHub Actions CI for build issues and submit an update to your PR as soon as possible.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@nifi.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] gresockj commented on a change in pull request #5401: NIFI-9228 Refactor tests to use generated KeyStores
Posted by GitBox <gi...@apache.org>.
gresockj commented on a change in pull request #5401:
URL: https://github.com/apache/nifi/pull/5401#discussion_r712941338
##########
File path: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/test/groovy/org/apache/nifi/web/server/JettyServerGroovyTest.groovy
##########
@@ -81,44 +78,41 @@ class JettyServerGroovyTest extends GroovyTestCase {
private static final int HTTPS_PORT = NetworkUtils.getAvailableTcpPort()
private static final String HTTPS_HOSTNAME = "localhost"
- private static final String KEYSTORE_PATH = "src/test/resources/keystore.jks"
- private static final String TRUSTSTORE_PATH = "src/test/resources/truststore.jks"
- private static final String STORE_PASSWORD = "passwordpassword"
- private static final String STORE_TYPE = "JKS"
-
private static final String TLS_1_3_PROTOCOL = "TLSv1.3"
private static final List<String> TLS_1_3_CIPHER_SUITES = ["TLS_AES_128_GCM_SHA256"]
+ private static final TlsConfiguration TLS_CONFIGURATION = KeyStoreUtils.createTlsConfigAndNewKeystoreTruststore()
+
// These protocol versions should not ever be supported
static private final List<String> LEGACY_TLS_PROTOCOLS = ["TLS", "TLSv1", "TLSv1.1", "SSL", "SSLv2", "SSLv2Hello", "SSLv3"]
NiFiProperties httpsProps = new NiFiProperties(new Properties([
(NiFiProperties.WEB_HTTPS_PORT) : HTTPS_PORT as String,
(NiFiProperties.WEB_HTTPS_HOST) : HTTPS_HOSTNAME,
- (NiFiProperties.SECURITY_KEYSTORE) : KEYSTORE_PATH,
- (NiFiProperties.SECURITY_KEYSTORE_PASSWD) : STORE_PASSWORD,
- (NiFiProperties.SECURITY_KEYSTORE_TYPE) : STORE_TYPE,
- (NiFiProperties.SECURITY_TRUSTSTORE) : TRUSTSTORE_PATH,
- (NiFiProperties.SECURITY_TRUSTSTORE_PASSWD): STORE_PASSWORD,
- (NiFiProperties.SECURITY_TRUSTSTORE_TYPE) : STORE_TYPE,
+ (NiFiProperties.SECURITY_KEYSTORE) : TLS_CONFIGURATION.keystorePath,
+ (NiFiProperties.SECURITY_KEYSTORE_PASSWD) : TLS_CONFIGURATION.keystorePassword,
+ (NiFiProperties.SECURITY_KEYSTORE_TYPE) : TLS_CONFIGURATION.keystoreType.type,
+ (NiFiProperties.SECURITY_TRUSTSTORE) : TLS_CONFIGURATION.truststorePath,
+ (NiFiProperties.SECURITY_TRUSTSTORE_PASSWD): TLS_CONFIGURATION.truststorePassword,
+ (NiFiProperties.SECURITY_TRUSTSTORE_TYPE) : TLS_CONFIGURATION.truststoreType.type,
]))
@BeforeClass
static void setUpOnce() throws Exception {
+ new File(TLS_CONFIGURATION.keystorePath).deleteOnExit()
+ new File(TLS_CONFIGURATION.truststorePath).deleteOnExit()
+
Security.addProvider(new BouncyCastleProvider())
Review comment:
Is this still needed here?
##########
File path: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/test/groovy/org/apache/nifi/web/server/JettyServerGroovyTest.groovy
##########
@@ -143,12 +137,9 @@ class JettyServerGroovyTest extends GroovyTestCase {
// Act
boolean bothConfigsPresent = JettyServer.bothHttpAndHttpsConnectorsConfigured(mockProps)
logger.info("Both configs present: ${bothConfigsPresent}")
- def log = TestAppender.getLogLines()
// Assert
assert bothConfigsPresent
- assert !log.isEmpty()
- assert log.first() =~ "Both the HTTP and HTTPS connectors are configured in nifi.properties. Only one of these connectors should be configured. See the NiFi Admin Guide for more details"
Review comment:
It looks like the spirit of this was to ensure that the user is warned -- so although you're still testing the return value, someone could theoretically remove the `logger.warn` statement from the code and this would still pass. I agree that checking log statements in unit tests is a bit suspect, and if desired should at least be in an integration test, but just wanted to acknowledge here that we'd be losing some of the intended regression test functionality here.
##########
File path: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster/src/test/groovy/org/apache/nifi/cluster/coordination/http/replication/okhttp/OkHttpReplicationClientTest.groovy
##########
@@ -18,49 +18,41 @@
package org.apache.nifi.cluster.coordination.http.replication.okhttp
-
+import org.apache.nifi.security.util.KeyStoreUtils
+import org.apache.nifi.security.util.TlsConfiguration
import org.apache.nifi.util.NiFiProperties
import org.junit.BeforeClass
import org.junit.Test
import org.junit.runner.RunWith
import org.junit.runners.JUnit4
-import org.slf4j.Logger
-import org.slf4j.LoggerFactory
@RunWith(JUnit4.class)
class OkHttpReplicationClientTest extends GroovyTestCase {
- private static final Logger logger = LoggerFactory.getLogger(OkHttpReplicationClientTest.class)
+ private static TlsConfiguration tlsConfiguration
@BeforeClass
static void setUpOnce() throws Exception {
- logger.metaClass.methodMissing = { String name, args ->
- logger.info("[${name?.toUpperCase()}] ${(args as List).join(" ")}")
- }
+ tlsConfiguration = KeyStoreUtils.createTlsConfigAndNewKeystoreTruststore()
Review comment:
I notice these 3 lines in many of the refactored test classes. What do you think about repeating these lines vs. creating a test utility method that encapsulates them? It may be equally annoying to have to add another test-scoped dependency, but I wanted to pose the question.
##########
File path: nifi-nar-bundles/nifi-grpc-bundle/nifi-grpc-processors/src/test/java/org/apache/nifi/processors/grpc/ITListenGRPC.java
##########
@@ -200,195 +168,4 @@ public void testExceedMaxMessageSize() throws Exception {
channel.shutdown();
}
}
-
- @Test
- public void testSecureTwoWaySSL() throws Exception {
Review comment:
What was the rationale for removing these tests?
##########
File path: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster/src/test/groovy/org/apache/nifi/cluster/coordination/http/replication/okhttp/OkHttpReplicationClientTest.groovy
##########
@@ -18,49 +18,41 @@
package org.apache.nifi.cluster.coordination.http.replication.okhttp
-
+import org.apache.nifi.security.util.KeyStoreUtils
+import org.apache.nifi.security.util.TlsConfiguration
import org.apache.nifi.util.NiFiProperties
import org.junit.BeforeClass
import org.junit.Test
import org.junit.runner.RunWith
import org.junit.runners.JUnit4
-import org.slf4j.Logger
-import org.slf4j.LoggerFactory
@RunWith(JUnit4.class)
class OkHttpReplicationClientTest extends GroovyTestCase {
- private static final Logger logger = LoggerFactory.getLogger(OkHttpReplicationClientTest.class)
+ private static TlsConfiguration tlsConfiguration
@BeforeClass
static void setUpOnce() throws Exception {
- logger.metaClass.methodMissing = { String name, args ->
- logger.info("[${name?.toUpperCase()}] ${(args as List).join(" ")}")
- }
+ tlsConfiguration = KeyStoreUtils.createTlsConfigAndNewKeystoreTruststore()
+ new File(tlsConfiguration.keystorePath).deleteOnExit()
+ new File(tlsConfiguration.truststorePath).deleteOnExit()
}
private static NiFiProperties mockNiFiProperties() {
- [getClusterNodeConnectionTimeout: { -> "10 ms" },
Review comment:
Out of curiosity, why were these removed? Did this cause intermittent failures because the timeouts were so small?
##########
File path: nifi-nar-bundles/nifi-email-bundle/nifi-email-processors/src/test/java/org/apache/nifi/processors/email/TestListenSMTP.java
##########
@@ -19,28 +19,70 @@
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertThrows;
import static org.junit.Assert.assertTrue;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+import java.io.File;
+import java.io.IOException;
+import java.security.GeneralSecurityException;
import java.util.Properties;
import javax.mail.Message;
import javax.mail.MessagingException;
import javax.mail.Session;
import javax.mail.Transport;
import javax.mail.internet.InternetAddress;
import javax.mail.internet.MimeMessage;
+import javax.net.ssl.SSLContext;
+
import org.apache.nifi.remote.io.socket.NetworkUtils;
import org.apache.nifi.reporting.InitializationException;
import org.apache.nifi.security.util.ClientAuth;
+import org.apache.nifi.security.util.KeyStoreUtils;
+import org.apache.nifi.security.util.SslContextFactory;
+import org.apache.nifi.security.util.StandardTlsConfiguration;
import org.apache.nifi.security.util.TlsConfiguration;
+import org.apache.nifi.ssl.RestrictedSSLContextService;
import org.apache.nifi.ssl.SSLContextService;
-import org.apache.nifi.ssl.StandardRestrictedSSLContextService;
-import org.apache.nifi.ssl.StandardSSLContextService;
import org.apache.nifi.util.TestRunner;
import org.apache.nifi.util.TestRunners;
+import org.junit.BeforeClass;
import org.junit.Test;
public class TestListenSMTP {
private static final String SSL_SERVICE_IDENTIFIER = "ssl-context";
+ private static TlsConfiguration tlsConfiguration;
+
+ private static SSLContextService sslContextService;
+
+ private static final int MESSAGES = 2;
+
+ @BeforeClass
+ public static void setTlsConfiguration() throws IOException, GeneralSecurityException {
+ final TlsConfiguration testTlsConfiguration = KeyStoreUtils.createTlsConfigAndNewKeystoreTruststore();
+ new File(testTlsConfiguration.getKeystorePath()).deleteOnExit();
+ new File(testTlsConfiguration.getTruststorePath()).deleteOnExit();
+
+ tlsConfiguration = new StandardTlsConfiguration(
+ testTlsConfiguration.getKeystorePath(),
+ testTlsConfiguration.getKeystorePassword(),
+ testTlsConfiguration.getKeyPassword(),
+ testTlsConfiguration.getKeystoreType(),
+ testTlsConfiguration.getTruststorePath(),
+ testTlsConfiguration.getTruststorePassword(),
+ testTlsConfiguration.getTruststoreType(),
+ TlsConfiguration.TLS_1_2_PROTOCOL
+ );
+
+ final SSLContext sslContext = SslContextFactory.createSslContext(tlsConfiguration);
+ sslContextService = mock(RestrictedSSLContextService.class);
+ when(sslContextService.getIdentifier()).thenReturn(SSL_SERVICE_IDENTIFIER);
+ when(sslContextService.createContext()).thenReturn(sslContext);
+
+
Review comment:
Extra line
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@nifi.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] mattyb149 closed pull request #5401: NIFI-9228 Refactor tests to use generated KeyStores
Posted by GitBox <gi...@apache.org>.
mattyb149 closed pull request #5401:
URL: https://github.com/apache/nifi/pull/5401
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@nifi.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] mattyb149 commented on pull request #5401: NIFI-9228 Refactor tests to use generated KeyStores
Posted by GitBox <gi...@apache.org>.
mattyb149 commented on pull request #5401:
URL: https://github.com/apache/nifi/pull/5401#issuecomment-924080068
+1 LGTM, I understand there is some follow-up work to be done. Thanks for the fixes and improvements! Merging to main
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@nifi.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] exceptionfactory commented on pull request #5401: NIFI-9228 Refactor tests to use generated KeyStores
Posted by GitBox <gi...@apache.org>.
exceptionfactory commented on pull request #5401:
URL: https://github.com/apache/nifi/pull/5401#issuecomment-924510862
Thanks for the feedback @gresockj! I address some of these issues on the follow-on PR #5406.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@nifi.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org