[geode] branch develop updated: Squashed commit of the following:
commit 8c873f9bbe827ec5ff82bbb974b5346668b2806f
Author: Bruce Schuchardt <bs...@pivotal.io>
AuthorDate: Thu Oct 19 13:13:10 2017 -0700
Squashed commit of the following:
commit 39e01dbec67c0bb8765735e6d4063a2fc4b98684
Author: Bruce Schuchardt <bs...@pivotal.io>
Date: Thu Oct 19 11:26:15 2017 -0700
GEODE-3867 mutual SSL authentication with a bad client cert is not being tested
Refactored the class to be parameterized & test both old and new
SSL settings in each unit test.
commit df7c4440d5a70031a5ed181f0d6c607aa74e453f
Author: Bruce Schuchardt <bs...@pivotal.io>
Date: Wed Oct 18 15:06:09 2017 -0700
GEODE-3867 mutual SSL authentication with a bad client cert is not being tested
A new test was added and the old test was revised. The old test had an odd try/catch
for an exception that should not be thrown. The new test uses pretty
much that same structure & expects the client to fail to connect. It
also expects that the server will not have received any updates from the
non-trusted client.
---
.../CacheServerSSLConnectionDUnitTest.java | 209 ++++++++++++++-------
.../client/internal/SSLNoClientAuthDUnitTest.java | 3 +-
2 files changed, 142 insertions(+), 70 deletions(-)
diff --git a/geode-core/src/test/java/org/apache/geode/cache/client/internal/CacheServerSSLConnectionDUnitTest.java b/geode-core/src/test/java/org/apache/geode/cache/client/internal/CacheServerSSLConnectionDUnitTest.java
index 2b93488..46a0914 100644
--- a/geode-core/src/test/java/org/apache/geode/cache/client/internal/CacheServerSSLConnectionDUnitTest.java
+++ b/geode-core/src/test/java/org/apache/geode/cache/client/internal/CacheServerSSLConnectionDUnitTest.java
@@ -22,7 +22,9 @@ import java.io.PrintWriter;
import java.io.StringWriter;
import java.net.InetSocketAddress;
import java.net.Socket;
-import java.sql.Time;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
import java.util.Properties;
import java.util.concurrent.TimeUnit;
@@ -35,36 +37,57 @@ import org.apache.geode.cache.client.ClientCache;
import org.apache.geode.cache.client.ClientCacheFactory;
import org.apache.geode.cache.client.ClientRegionFactory;
import org.apache.geode.cache.client.ClientRegionShortcut;
+import org.apache.geode.cache.client.NoAvailableServersException;
import org.apache.geode.cache.server.CacheServer;
import org.apache.geode.internal.security.SecurableCommunicationChannel;
import org.apache.geode.security.AuthenticationRequiredException;
import org.apache.geode.test.dunit.AsyncInvocation;
import org.apache.geode.test.dunit.Host;
import org.apache.geode.test.dunit.IgnoredException;
+import org.apache.geode.test.dunit.Invoke;
+import org.apache.geode.test.dunit.RMIException;
import org.apache.geode.test.dunit.VM;
import org.apache.geode.test.dunit.internal.JUnit4DistributedTestCase;
import org.apache.geode.test.junit.categories.ClientServerTest;
import org.apache.geode.test.junit.categories.DistributedTest;
import org.apache.geode.util.test.TestUtil;
-import org.junit.Ignore;
+
+import org.junit.AfterClass;
import org.junit.Test;
import org.junit.experimental.categories.Category;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
/**
* Tests cacheserver ssl support added. See https://svn.gemstone.com/trac/gemfire/ticket/48995 for
* details
*/
@Category({DistributedTest.class, ClientServerTest.class})
+@RunWith(Parameterized.class)
public class CacheServerSSLConnectionDUnitTest extends JUnit4DistributedTestCase {
+ private static boolean useOldSSLSettings;
+
+ @Parameterized.Parameters
+ public static Collection<Boolean> data() {
+ List<Boolean> result = new ArrayList<>();
+ result.add(Boolean.TRUE);
+ result.add(Boolean.FALSE);
+ return result;
+ }
+
+ public CacheServerSSLConnectionDUnitTest(Boolean useOldSSLSettings) {
+ super();
+ CacheServerSSLConnectionDUnitTest.useOldSSLSettings = useOldSSLSettings.booleanValue();
+ }
+
private static final String TRUSTED_STORE = "trusted.keystore";
private static final String CLIENT_KEY_STORE = "client.keystore";
private static final String CLIENT_TRUST_STORE = "client.truststore";
private static final String SERVER_KEY_STORE = "cacheserver.keystore";
private static final String SERVER_TRUST_STORE = "cacheserver.truststore";
- private static CacheServerSSLConnectionDUnitTest instance =
- new CacheServerSSLConnectionDUnitTest(); // TODO: memory leak
+ private static CacheServerSSLConnectionDUnitTest instance;
private Cache cache;
private CacheServer cacheServer;
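Review bot: The class Javadoc near the top of this hunk still only says "Tests cacheserver ssl support" and gives no hint that the class is now run by the Parameterized runner, so a reader has to work out from the constructor that every test method executes twice. The constructor writes the parameter into the static `useOldSSLSettings`, which is what the `preSetUp` lambda in a later hunk appears to rely on to carry the setting into the other VMs; that coupling deserves a comment because a static written from an instance constructor reads like a mistake otherwise. I would add to the class Javadoc: `Every test runs twice: once with the legacy server-ssl-* properties and once with the newer ssl-enabled-components settings, selected by the static useOldSSLSettings flag that the constructor sets for the current parameter.` and above the field: `// static so the value captured by preSetUp's lambda can be re-created in every DUnit VM`.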
@@ -75,6 +98,15 @@ public class CacheServerSSLConnectionDUnitTest extends JUnit4DistributedTestCase
@Override
public final void preSetUp() throws Exception {
disconnectAllFromDS();
+ instance = this;
+ Invoke
+ .invokeInEveryVM(() -> instance = new CacheServerSSLConnectionDUnitTest(useOldSSLSettings));
+ }
+
+ @AfterClass
+ public static void postClass() {
+ Invoke.invokeInEveryVM(() -> instance = null);
+ instance = null;
}
public Cache createCache(Properties props) throws Exception {
@@ -109,14 +141,13 @@ public class CacheServerSSLConnectionDUnitTest extends JUnit4DistributedTestCase
}
@SuppressWarnings("rawtypes")
- public void setUpServerVM(final boolean cacheServerSslenabled, final boolean legacy)
- throws Exception {
+ public void setUpServerVM(final boolean cacheServerSslenabled) throws Exception {
Properties gemFireProps = new Properties();
String cacheServerSslprotocols = "any";
String cacheServerSslciphers = "any";
boolean cacheServerSslRequireAuth = true;
- if (!legacy) {
+ if (!useOldSSLSettings) {
gemFireProps.put(SSL_ENABLED_COMPONENTS,
SecurableCommunicationChannel.CLUSTER + "," + SecurableCommunicationChannel.SERVER);
gemFireProps.put(SSL_PROTOCOLS, cacheServerSslprotocols);
@@ -161,7 +192,8 @@ public class CacheServerSSLConnectionDUnitTest extends JUnit4DistributedTestCase
}
public void setUpClientVM(String host, int port, boolean cacheServerSslenabled,
- boolean cacheServerSslRequireAuth, String keyStore, String trustStore, boolean subscription) {
+ boolean cacheServerSslRequireAuth, String keyStore, String trustStore, boolean subscription,
+ boolean clientHasTrustedKeystore) {
Properties gemFireProps = new Properties();
@@ -172,17 +204,46 @@ public class CacheServerSSLConnectionDUnitTest extends JUnit4DistributedTestCase
TestUtil.getResourcePath(CacheServerSSLConnectionDUnitTest.class, keyStore);
String trustStorePath =
TestUtil.getResourcePath(CacheServerSSLConnectionDUnitTest.class, trustStore);
- // using new server-ssl-* properties
- gemFireProps.put(SERVER_SSL_ENABLED, String.valueOf(cacheServerSslenabled));
- gemFireProps.put(SERVER_SSL_PROTOCOLS, cacheServerSslprotocols);
- gemFireProps.put(SERVER_SSL_CIPHERS, cacheServerSslciphers);
- gemFireProps.put(SERVER_SSL_REQUIRE_AUTHENTICATION, String.valueOf(cacheServerSslRequireAuth));
-
- gemFireProps.put(SERVER_SSL_KEYSTORE_TYPE, "jks");
- gemFireProps.put(SERVER_SSL_KEYSTORE, keyStorePath);
- gemFireProps.put(SERVER_SSL_KEYSTORE_PASSWORD, "password");
- gemFireProps.put(SERVER_SSL_TRUSTSTORE, trustStorePath);
- gemFireProps.put(SERVER_SSL_TRUSTSTORE_PASSWORD, "password");
+
+ if (useOldSSLSettings) {
+ gemFireProps.put(SERVER_SSL_ENABLED, String.valueOf(cacheServerSslenabled));
+ gemFireProps.put(SERVER_SSL_PROTOCOLS, cacheServerSslprotocols);
+ gemFireProps.put(SERVER_SSL_CIPHERS, cacheServerSslciphers);
+ gemFireProps.put(SERVER_SSL_REQUIRE_AUTHENTICATION,
+ String.valueOf(cacheServerSslRequireAuth));
+ if (clientHasTrustedKeystore) {
+ gemFireProps.put(SERVER_SSL_KEYSTORE_TYPE, "jks");
+ gemFireProps.put(SERVER_SSL_KEYSTORE, keyStorePath);
+ gemFireProps.put(SERVER_SSL_KEYSTORE_PASSWORD, "password");
+ gemFireProps.put(SERVER_SSL_TRUSTSTORE, trustStorePath);
+ gemFireProps.put(SERVER_SSL_TRUSTSTORE_PASSWORD, "password");
+ } else {
+ gemFireProps.put(SERVER_SSL_KEYSTORE_TYPE, "jks");
+ gemFireProps.put(SERVER_SSL_KEYSTORE, "");
+ gemFireProps.put(SERVER_SSL_KEYSTORE_PASSWORD, "password");
+ gemFireProps.put(SERVER_SSL_TRUSTSTORE, trustStorePath);
+ gemFireProps.put(SERVER_SSL_TRUSTSTORE_PASSWORD, "password");
+ }
+ } else {
+ gemFireProps.put(SSL_ENABLED_COMPONENTS, "server");
+ gemFireProps.put(SSL_CIPHERS, cacheServerSslciphers);
+ gemFireProps.put(SSL_PROTOCOLS, cacheServerSslprotocols);
+ gemFireProps.put(SSL_REQUIRE_AUTHENTICATION, String.valueOf(cacheServerSslRequireAuth));
+ if (clientHasTrustedKeystore) {
+ gemFireProps.put(SSL_KEYSTORE_TYPE, "jks");
+ gemFireProps.put(SSL_KEYSTORE, keyStorePath);
+ gemFireProps.put(SSL_KEYSTORE_PASSWORD, "password");
+ gemFireProps.put(SSL_TRUSTSTORE, trustStorePath);
+ gemFireProps.put(SSL_TRUSTSTORE_PASSWORD, "password");
+ } else {
+ gemFireProps.put(SSL_KEYSTORE_TYPE, "jks");
+ gemFireProps.put(SSL_KEYSTORE, "");
+ gemFireProps.put(SSL_KEYSTORE_PASSWORD, "password");
+ gemFireProps.put(SSL_TRUSTSTORE, trustStorePath);
+ gemFireProps.put(SSL_TRUSTSTORE_PASSWORD, "password");
+ }
+ }
+
StringWriter sw = new StringWriter();
PrintWriter writer = new PrintWriter(sw);
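Review bot: The two inner `if (clientHasTrustedKeystore)` branches in each property family are identical except for the value put under the keystore key, so the same five `put` calls appear four times and the only behaviour that matters, an empty keystore path for the untrusted client, is easy to miss. Hoisting `String clientKeyStorePath = clientHasTrustedKeystore ? keyStorePath : "";` before the outer `if` and writing `gemFireProps.put(SERVER_SSL_KEYSTORE, clientKeyStorePath);` and `gemFireProps.put(SSL_KEYSTORE, clientKeyStorePath);` in the respective branches removes the inner conditionals entirely. It would also help to state the intent next to the hoisted line, e.g. `// an empty keystore means the client presents no certificate in the handshake`, since the parameter name says "trusted keystore" but the code actually produces "no keystore". setUpClientVM starts and ends outside this hunk.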
@@ -213,9 +274,8 @@ public class CacheServerSSLConnectionDUnitTest extends JUnit4DistributedTestCase
}
- public static void setUpServerVMTask(boolean cacheServerSslenabled, boolean legacy)
- throws Exception {
- instance.setUpServerVM(cacheServerSslenabled, legacy);
+ public static void setUpServerVMTask(boolean cacheServerSslenabled) throws Exception {
+ instance.setUpServerVM(cacheServerSslenabled);
}
public static int createServerTask() throws Exception {
@@ -223,22 +283,32 @@ public class CacheServerSSLConnectionDUnitTest extends JUnit4DistributedTestCase
}
public static void setUpClientVMTask(String host, int port, boolean cacheServerSslenabled,
- boolean cacheServerSslRequireAuth, String keyStore, String trustStore) throws Exception {
+ boolean cacheServerSslRequireAuth, String keyStore, String trustStore,
+ boolean clientHasTrustedKeystore) throws Exception {
instance.setUpClientVM(host, port, cacheServerSslenabled, cacheServerSslRequireAuth, keyStore,
- trustStore, true);
+ trustStore, true, clientHasTrustedKeystore);
}
public static void setUpClientVMTaskNoSubscription(String host, int port,
boolean cacheServerSslenabled, boolean cacheServerSslRequireAuth, String keyStore,
String trustStore) throws Exception {
instance.setUpClientVM(host, port, cacheServerSslenabled, cacheServerSslRequireAuth, keyStore,
- trustStore, false);
+ trustStore, false, true);
}
public static void doClientRegionTestTask() {
instance.doClientRegionTest();
}
+ public static void verifyServerDoesNotReceiveClientUpdate() {
+ instance.doVerifyServerDoesNotReceiveClientUpdate();
+ }
+
+ private void doVerifyServerDoesNotReceiveClientUpdate() {
+ Region<String, String> region = cache.getRegion("serverRegion");
+ assertFalse(region.containsKey("clientkey"));
+ }
+
public static void doServerRegionTestTask() {
instance.doServerRegionTest();
}
@@ -263,27 +333,6 @@ public class CacheServerSSLConnectionDUnitTest extends JUnit4DistributedTestCase
}
@Test
- public void testCacheServerLegacySSL() throws Exception {
- final Host host = Host.getHost(0);
- VM serverVM = host.getVM(1);
- VM clientVM = host.getVM(2);
-
- boolean cacheServerSslenabled = true;
- boolean cacheClientSslenabled = true;
- boolean cacheClientSslRequireAuth = true;
-
- serverVM.invoke(() -> setUpServerVMTask(cacheServerSslenabled, true));
- int port = serverVM.invoke(() -> createServerTask());
-
- String hostName = host.getHostName();
-
- clientVM.invoke(() -> setUpClientVMTask(hostName, port, cacheClientSslenabled,
- cacheClientSslRequireAuth, CLIENT_KEY_STORE, CLIENT_TRUST_STORE));
- clientVM.invoke(() -> doClientRegionTestTask());
- serverVM.invoke(() -> doServerRegionTestTask());
- }
-
- @Test
public void testCacheServerSSL() throws Exception {
final Host host = Host.getHost(0);
VM serverVM = host.getVM(1);
@@ -293,13 +342,13 @@ public class CacheServerSSLConnectionDUnitTest extends JUnit4DistributedTestCase
boolean cacheClientSslenabled = true;
boolean cacheClientSslRequireAuth = true;
- serverVM.invoke(() -> setUpServerVMTask(cacheServerSslenabled, true));
+ serverVM.invoke(() -> setUpServerVMTask(cacheServerSslenabled));
int port = serverVM.invoke(() -> createServerTask());
String hostName = host.getHostName();
clientVM.invoke(() -> setUpClientVMTask(hostName, port, cacheClientSslenabled,
- cacheClientSslRequireAuth, CLIENT_KEY_STORE, CLIENT_TRUST_STORE));
+ cacheClientSslRequireAuth, CLIENT_KEY_STORE, CLIENT_TRUST_STORE, true));
clientVM.invoke(() -> doClientRegionTestTask());
serverVM.invoke(() -> doServerRegionTestTask());
}
@@ -330,7 +379,7 @@ public class CacheServerSSLConnectionDUnitTest extends JUnit4DistributedTestCase
boolean cacheClientSslenabled = true;
boolean cacheClientSslRequireAuth = true;
- serverVM.invoke(() -> setUpServerVMTask(cacheServerSslenabled, true));
+ serverVM.invoke(() -> setUpServerVMTask(cacheServerSslenabled));
int port = serverVM.invoke(() -> createServerTask());
String hostName = host.getHostName();
@@ -340,7 +389,7 @@ public class CacheServerSSLConnectionDUnitTest extends JUnit4DistributedTestCase
getBlackboard().waitForGate("serverIsBlocked", 60, TimeUnit.SECONDS);
clientVM.invoke(() -> setUpClientVMTask(hostName, port, cacheClientSslenabled,
- cacheClientSslRequireAuth, CLIENT_KEY_STORE, CLIENT_TRUST_STORE));
+ cacheClientSslRequireAuth, CLIENT_KEY_STORE, CLIENT_TRUST_STORE, true));
clientVM.invoke(() -> doClientRegionTestTask());
serverVM.invoke(() -> doServerRegionTestTask());
@@ -381,7 +430,7 @@ public class CacheServerSSLConnectionDUnitTest extends JUnit4DistributedTestCase
boolean cacheClientSslenabled = false;
boolean cacheClientSslRequireAuth = true;
- serverVM.invoke(() -> setUpServerVMTask(cacheServerSslenabled, true));
+ serverVM.invoke(() -> setUpServerVMTask(cacheServerSslenabled));
serverVM.invoke(() -> createServerTask());
Object array[] = (Object[]) serverVM.invoke(() -> getCacheServerEndPointTask());
@@ -425,31 +474,53 @@ public class CacheServerSSLConnectionDUnitTest extends JUnit4DistributedTestCase
boolean cacheClientSslenabled = true;
boolean cacheClientSslRequireAuth = false;
- serverVM.invoke(() -> setUpServerVMTask(cacheServerSslenabled, true));
+ IgnoredException.addIgnoredException("SSLHandshakeException");
+ IgnoredException.addIgnoredException("ValidatorException");
+
+ serverVM.invoke(() -> setUpServerVMTask(cacheServerSslenabled));
serverVM.invoke(() -> createServerTask());
Object array[] = (Object[]) serverVM.invoke(() -> getCacheServerEndPointTask());
String hostName = (String) array[0];
int port = (Integer) array[1];
+ clientVM.invoke(() -> setUpClientVMTask(hostName, port, cacheClientSslenabled,
+ cacheClientSslRequireAuth, CLIENT_KEY_STORE, CLIENT_TRUST_STORE, true));
+ clientVM.invoke(() -> CacheServerSSLConnectionDUnitTest.doClientRegionTestTask());
+ serverVM.invoke(() -> CacheServerSSLConnectionDUnitTest.doServerRegionTestTask());
+ }
+
+ @Test
+ public void untrustedClientIsRejected() throws Throwable {
+ final Host host = Host.getHost(0);
+ VM serverVM = host.getVM(1);
+ VM clientVM = host.getVM(2);
+
+ boolean cacheServerSslenabled = true;
+ boolean cacheClientSslenabled = true;
+ boolean cacheClientSslRequireAuth = false;
+
+ serverVM.invoke(() -> setUpServerVMTask(cacheServerSslenabled));
+ serverVM.invoke(() -> createServerTask());
+
+ Object array[] = (Object[]) serverVM.invoke(() -> getCacheServerEndPointTask());
+ String hostName = (String) array[0];
+ int port = (Integer) array[1];
+
+ IgnoredException.addIgnoredException("SSLHandshakeException");
+
+ clientVM.invoke(() -> setUpClientVMTask(hostName, port, cacheClientSslenabled,
+ cacheClientSslRequireAuth, "default.keystore", CLIENT_TRUST_STORE, false));
+
try {
- clientVM.invoke(() -> setUpClientVMTask(hostName, port, cacheClientSslenabled,
- cacheClientSslRequireAuth, CLIENT_KEY_STORE, CLIENT_TRUST_STORE));
clientVM.invoke(() -> CacheServerSSLConnectionDUnitTest.doClientRegionTestTask());
- serverVM.invoke(() -> CacheServerSSLConnectionDUnitTest.doServerRegionTestTask());
-
- } catch (Exception rmiException) {
- Throwable e = rmiException.getCause();
- // getLogWriter().info("ExceptionCause at clientVM " + e);
- if (e instanceof org.apache.geode.cache.client.ServerOperationException) {
- Throwable t = e.getCause();
- // getLogWriter().info("Cause is " + t);
- assertTrue(t instanceof org.apache.geode.security.AuthenticationRequiredException);
- } else {
- // getLogWriter().error("Unexpected exception ", e);
- fail("Unexpected Exception...expected " + AuthenticationRequiredException.class);
- }
+ fail("client should not have been able to execute a cache operation");
+ } catch (RMIException e) {
+ assertTrue("expected a NoAvailableServersException but received " + e.getCause(),
+ e.getCause() instanceof NoAvailableServersException);
}
+ serverVM
+ .invoke(() -> CacheServerSSLConnectionDUnitTest.verifyServerDoesNotReceiveClientUpdate());
}
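Review bot: `untrustedClientIsRejected` passes `"default.keystore"` as the client keystore together with `clientHasTrustedKeystore = false`, but in the `setUpClientVM` hunk above that flag makes the client put an empty string under the keystore key, so the `"default.keystore"` argument is discarded and the scenario actually exercised is a client that presents no certificate at all, not one that presents an untrusted certificate as the commit message describes. Either the argument should be something self-explanatory such as `""` with a comment `// no client keystore: the client presents no certificate and the server must refuse it`, or the helper should honour the supplied keystore so that a genuinely untrusted certificate is what gets rejected; covering both cases would be the stronger test of the server's require-authentication setting. The assertion in the `catch` is good in that `fail(...)` throws AssertionError rather than RMIException, so a silently connecting client cannot slip through. Note that the `IgnoredException` registrations added to the preceding test at the top of the hunk are not scoped to that test either; if the framework does not clear them between methods they will also mask handshake failures in later tests.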
@Test
@@ -462,7 +533,7 @@ public class CacheServerSSLConnectionDUnitTest extends JUnit4DistributedTestCase
boolean cacheClientSslenabled = true;
boolean cacheClientSslRequireAuth = true;
- serverVM.invoke(() -> setUpServerVMTask(cacheServerSslenabled, true));
+ serverVM.invoke(() -> setUpServerVMTask(cacheServerSslenabled));
serverVM.invoke(() -> createServerTask());
Object array[] = (Object[]) serverVM.invoke(() -> getCacheServerEndPointTask());
@@ -473,7 +544,7 @@ public class CacheServerSSLConnectionDUnitTest extends JUnit4DistributedTestCase
IgnoredException.addIgnoredException("javax.net.ssl.SSLHandshakeException", serverVM);
try {
clientVM.invoke(() -> setUpClientVMTask(hostName, port, cacheClientSslenabled,
- cacheClientSslRequireAuth, TRUSTED_STORE, TRUSTED_STORE));
+ cacheClientSslRequireAuth, TRUSTED_STORE, TRUSTED_STORE, true));
clientVM.invoke(() -> doClientRegionTestTask());
serverVM.invoke(() -> doServerRegionTestTask());
fail(
diff --git a/geode-core/src/test/java/org/apache/geode/cache/client/internal/SSLNoClientAuthDUnitTest.java b/geode-core/src/test/java/org/apache/geode/cache/client/internal/SSLNoClientAuthDUnitTest.java
index 87a915e..e1992d5 100644
--- a/geode-core/src/test/java/org/apache/geode/cache/client/internal/SSLNoClientAuthDUnitTest.java
+++ b/geode-core/src/test/java/org/apache/geode/cache/client/internal/SSLNoClientAuthDUnitTest.java
@@ -247,7 +247,8 @@ public class SSLNoClientAuthDUnitTest extends JUnit4DistributedTestCase {
params[5] = DEFAULT_STORE;
// getLogWriter().info("Starting client with server endpoint " + hostName + ":" + port);
try {
- clientVM.invoke(SSLNoClientAuthDUnitTest.class, "setUpClientVMTask", params);
+ clientVM.invoke(() -> SSLNoClientAuthDUnitTest.setUpClientVMTask(hostName, port,
+ cacheClientSslenabled, cacheClientSslRequireAuth, DEFAULT_STORE, DEFAULT_STORE));
clientVM.invoke(() -> SSLNoClientAuthDUnitTest.doClientRegionTestTask());
serverVM.invoke(() -> SSLNoClientAuthDUnitTest.doServerRegionTestTask());
} catch (Exception rmiException) {
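Review bot: The visible `params[5] = DEFAULT_STORE;` line is now dead: the only consumer of the `params` array was the reflective `clientVM.invoke(SSLNoClientAuthDUnitTest.class, "setUpClientVMTask", params)` call that this hunk replaces with a typed lambda, so the array and whatever fills `params[0..4]` above the hunk should be removed in the same change rather than left as an unused fixture. The commented-out `getLogWriter().info(...)` line next to it is also dead code and can go. The enclosing method starts and ends outside this hunk, so the earlier `params` assignments and the rest of the catch block are not visible here.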