/**
 * Routes server and client through the Netty implementations, enables secure client mode and
 * points the client-side key/trust store properties at the JKS files under the test data dir.
 */
@Before
public void setup() {
    clientX509Util = new ClientX509Util();
    String dataDir = System.getProperty("test.data.dir", "src/test/resources/data");
    String keyStorePath = dataDir + "/ssl/testKeyStore.jks";
    String trustStorePath = dataDir + "/ssl/testTrustStore.jks";
    String storePassword = "testpass";

    // Netty on both sides, TLS on the client.
    System.setProperty(ServerCnxnFactory.ZOOKEEPER_SERVER_CNXN_FACTORY, "org.apache.zookeeper.server.NettyServerCnxnFactory");
    System.setProperty(ZKClientConfig.ZOOKEEPER_CLIENT_CNXN_SOCKET, "org.apache.zookeeper.ClientCnxnSocketNetty");
    System.setProperty(ZKClientConfig.SECURE_CLIENT, "true");

    // Store locations/passwords are published under the property names ClientX509Util exposes.
    System.setProperty(clientX509Util.getSslKeystoreLocationProperty(), keyStorePath);
    System.setProperty(clientX509Util.getSslKeystorePasswdProperty(), storePassword);
    System.setProperty(clientX509Util.getSslTruststoreLocationProperty(), trustStorePath);
    System.setProperty(clientX509Util.getSslTruststorePasswdProperty(), storePassword);
}
/**
 * Configure SSL authentication only if it is not configured.
 * <p>
 * The auth scheme is read from the {@code ClientX509Util} auth-provider property (default
 * {@code x509}). If no {@code zookeeper.authProvider.<scheme>} system property is present, the
 * built-in X509 provider is installed for the {@code x509} scheme; any other scheme without a
 * registered provider is a configuration error.
 *
 * @throws ConfigException
 *             If authentication scheme is configured but authentication
 *             provider is not configured.
 */
private void configureSSLAuth() throws ConfigException {
    try (ClientX509Util x509Util = new ClientX509Util()) {
        String schemeProperty = x509Util.getSslAuthProviderProperty();
        String scheme = System.getProperty(schemeProperty, "x509");
        String providerProperty = "zookeeper.authProvider." + scheme;

        if (System.getProperty(providerProperty) != null) {
            return; // a provider is already registered for this scheme
        }
        if (!"zookeeper.authProvider.x509".equals(providerProperty)) {
            throw new ConfigException("No auth provider configured for the SSL authentication scheme '"
                    + System.getProperty(schemeProperty) + "'.");
        }
        System.setProperty("zookeeper.authProvider.x509",
                "org.apache.zookeeper.server.auth.X509AuthenticationProvider");
    }
}
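/**
 * A supplier class name that does not denote an SSLContext supplier must be rejected with
 * {@code SSLContextException}. {@code java.lang.String} is a real, loadable class that cannot be
 * used as a supplier.
 * <p>
 * {@code ClientX509Util} is {@code AutoCloseable} (it is closed via try-with-resources elsewhere
 * in the codebase), so it is closed here too instead of being leaked when the exception fires.
 */
@Test(expected = X509Exception.SSLContextException.class)
public void testCreateSSLContext_invalidCustomSSLContextClass() throws Exception {
    ZKConfig zkConfig = new ZKConfig();
    try (ClientX509Util clientX509Util = new ClientX509Util()) {
        zkConfig.setProperty(clientX509Util.getSslContextSupplierClassProperty(), String.class.getCanonicalName());
        clientX509Util.createSSLContext(zkConfig);
    }
}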
/** Clears every system property set by {@code setup()} and releases the X509 helper. */
@After
public void teardown() throws Exception {
    String[] propertyKeys = {
        ServerCnxnFactory.ZOOKEEPER_SERVER_CNXN_FACTORY,
        ZKClientConfig.ZOOKEEPER_CLIENT_CNXN_SOCKET,
        ZKClientConfig.SECURE_CLIENT,
        clientX509Util.getSslKeystoreLocationProperty(),
        clientX509Util.getSslKeystorePasswdProperty(),
        clientX509Util.getSslTruststoreLocationProperty(),
        clientX509Util.getSslTruststorePasswdProperty(),
    };
    for (String key : propertyKeys) {
        System.clearProperty(key);
    }
    clientX509Util.close();
}
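/**
 * Installs an {@link SslHandler} at the head of a freshly accepted server-side pipeline.
 * <p>
 * When no SSL auth provider property is set, the default context from {@code x509Util} is used.
 * Otherwise the context is initialised with the key and trust managers of the
 * {@link X509AuthenticationProvider} registered under the configured name.
 *
 * @param p pipeline of the accepted channel
 * @throws X509Exception propagated from {@code x509Util.getDefaultSSLContext()}, or when the
 *         configured provider is missing or is not an {@code X509AuthenticationProvider}
 * @throws KeyManagementException if the context cannot be initialised with the provider's managers
 * @throws NoSuchAlgorithmException if the TLS protocol is unavailable in this JVM
 */
private synchronized void initSSL(ChannelPipeline p)
        throws X509Exception, KeyManagementException, NoSuchAlgorithmException {
    String authProviderProp = System.getProperty(x509Util.getSslAuthProviderProperty());
    SSLContext sslContext;
    if (authProviderProp == null) {
        sslContext = x509Util.getDefaultSSLContext();
    } else {
        // "TLS" lets the JVM's default protocol set apply; the previous hard-coded "TLSv1"
        // pinned this branch to TLS 1.0 only. TODO(review): consider using the same protocol
        // that getDefaultSSLContext() is built with so both branches agree.
        sslContext = SSLContext.getInstance("TLS");
        Object registered = ProviderRegistry.getProvider(authProviderProp);
        if (registered == null) {
            LOG.error("Auth provider not found: {}", authProviderProp);
            throw new SSLContextException(
                    "Could not create SSLContext with specified auth provider: " + authProviderProp);
        }
        // Guard the cast: a provider registered under this name that is not an
        // X509AuthenticationProvider cannot supply key/trust managers, and an unchecked
        // cast would surface as a ClassCastException instead of a config error.
        if (!(registered instanceof X509AuthenticationProvider)) {
            LOG.error("Auth provider {} is not an X509AuthenticationProvider: {}",
                    authProviderProp, registered.getClass().getName());
            throw new SSLContextException(
                    "Auth provider " + authProviderProp + " is not an X509AuthenticationProvider");
        }
        X509AuthenticationProvider authProvider = (X509AuthenticationProvider) registered;
        sslContext.init(new X509KeyManager[] { authProvider.getKeyManager() },
                new X509TrustManager[] { authProvider.getTrustManager() }, null);
    }
    SSLEngine sslEngine = sslContext.createSSLEngine();
    sslEngine.setUseClientMode(false);
    // Mutual TLS: a client certificate is required and validated by the trust manager.
    sslEngine.setNeedClientAuth(true);
    p.addLast("ssl", new SslHandler(sslEngine));
    LOG.info("SSL handler added for channel: {}", p.channel());
}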
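/**
 * Installs an {@link SslHandler} at the head of the client pipeline.
 * <p>
 * The {@code SSLContext} is built once from {@code clientConfig} and cached in the
 * {@code sslContext} field. A new {@code SSLEngine} is created for every pipeline: an engine is
 * tied to a single connection, so reusing the cached one on a reconnect would not work. The
 * {@code sslEngine} field is still updated so readers of it keep seeing the current engine.
 *
 * @param pipeline pipeline of the channel being connected
 * @throws SSLContextException propagated from {@code X509Util.createSSLContext}
 */
private synchronized void initSSL(ChannelPipeline pipeline) throws SSLContextException {
    if (sslContext == null) {
        try (X509Util x509Util = new ClientX509Util()) {
            sslContext = x509Util.createSSLContext(clientConfig);
        }
    }
    // host/port are passed so the engine knows the peer it is connecting to.
    sslEngine = sslContext.createSSLEngine(host, port);
    sslEngine.setUseClientMode(true);
    pipeline.addLast("ssl", new SslHandler(sslEngine));
    LOG.info("SSL handler added for channel: {}", pipeline.channel());
}
}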
/**
 * A client presenting a valid but untrusted certificate must not obtain a connected session:
 * the handshake proceeds, and X509AuthenticationProvider is expected to reject the certificate.
 */
@Test
public void testRejection() throws Exception {
    String dataDir = System.getProperty("test.data.dir", "src/test/resources/data");
    String untrustedKeyStore = dataDir + "/ssl/testUntrustedKeyStore.jks";

    // Replace trusted keys with a valid key that is not trusted by the server
    System.setProperty(clientX509Util.getSslKeystoreLocationProperty(), untrustedKeyStore);
    System.setProperty(clientX509Util.getSslKeystorePasswdProperty(), "testpass");

    CountdownWatcher watcher = new CountdownWatcher();
    // Handshake will take place, and then X509AuthenticationProvider should reject the untrusted cert
    new TestableZooKeeper(hostPort, CONNECTION_TIMEOUT, watcher);
    boolean connected = watcher.clientConnected.await(1000, TimeUnit.MILLISECONDS);
    Assert.assertFalse("Untrusted certificate should not result in successful connection", connected);
}
x509Util.close();
= System.getProperty(x509Util.getSslAuthProviderProperty(), "x509");
if (secure) { LOG.info("using secure socket"); try (X509Util x509Util = new ClientX509Util()) { SSLContext sslContext = x509Util.getDefaultSSLContext(); SSLSocketFactory socketFactory = sslContext.getSocketFactory();
/**
 * Clears every system property the setup installed (connection factories, SSL stores, auth
 * provider selection, {@code javax.net.debug}) and releases the X509 helper.
 */
@After
public void teardown() throws Exception {
    String[] propertyKeys = {
        ServerCnxnFactory.ZOOKEEPER_SERVER_CNXN_FACTORY,
        ZKClientConfig.ZOOKEEPER_CLIENT_CNXN_SOCKET,
        ZKClientConfig.SECURE_CLIENT,
        clientX509Util.getSslAuthProviderProperty(),
        clientX509Util.getSslKeystoreLocationProperty(),
        clientX509Util.getSslKeystorePasswdProperty(),
        clientX509Util.getSslTruststoreLocationProperty(),
        clientX509Util.getSslTruststorePasswdProperty(),
        "javax.net.debug",
        "zookeeper.authProvider.x509",
    };
    for (String key : propertyKeys) {
        System.clearProperty(key);
    }
    clientX509Util.close();
}
/**
 * Now onwards client code will use properties from this class but older
 * clients still be setting properties through system properties. So to make
 * this change backward compatible we should set old system properties in
 * this configuration.
 * <p>
 * Copies the legacy keys verbatim, then the client-side SSL properties (plus the auth
 * provider selection) and the quorum-side SSL properties.
 */
protected void handleBackwardCompatibility() {
    // System.getProperty yields null for an unset key; assumes `properties` tolerates
    // null values — TODO confirm its map type.
    String[] legacyKeys = { JUTE_MAXBUFFER, KINIT_COMMAND, JGSS_NATIVE };
    for (String key : legacyKeys) {
        properties.put(key, System.getProperty(key));
    }

    try (ClientX509Util clientUtil = new ClientX509Util()) {
        putSSLProperties(clientUtil);
        String authProviderKey = clientUtil.getSslAuthProviderProperty();
        properties.put(authProviderKey, System.getProperty(authProviderKey));
    }

    try (X509Util quorumUtil = new QuorumX509Util()) {
        putSSLProperties(quorumUtil);
    }
}
/**
 * Builds the Netty server bootstrap: NIO/epoll boss and worker groups, SO_REUSEADDR on the
 * parent channel, TCP_NODELAY and no SO_LINGER on child channels, and a per-connection
 * pipeline that starts with SSL when {@code secure} is set and ends with {@code channelHandler}.
 */
NettyServerCnxnFactory() {
    x509Util = new ClientX509Util();
    EventLoopGroup acceptorGroup = NettyUtils.newNioOrEpollEventLoopGroup();
    EventLoopGroup ioGroup = NettyUtils.newNioOrEpollEventLoopGroup();

    ChannelInitializer<SocketChannel> pipelineInitializer = new ChannelInitializer<SocketChannel>() {
        @Override
        protected void initChannel(SocketChannel ch) throws Exception {
            ChannelPipeline pipeline = ch.pipeline();
            // TLS must be the first handler so everything after it sees plaintext.
            if (secure) {
                initSSL(pipeline);
            }
            pipeline.addLast("servercnxnfactory", channelHandler);
        }
    };

    ServerBootstrap serverBootstrap = new ServerBootstrap();
    serverBootstrap.group(acceptorGroup, ioGroup);
    serverBootstrap.channel(NettyUtils.nioOrEpollServerSocketChannel());
    // parent channel options
    serverBootstrap.option(ChannelOption.SO_REUSEADDR, true);
    // child channels options
    serverBootstrap.childOption(ChannelOption.TCP_NODELAY, true);
    serverBootstrap.childOption(ChannelOption.SO_LINGER, -1);
    serverBootstrap.childHandler(pipelineInitializer);

    this.bootstrap = configureBootstrapAllocator(serverBootstrap);
    this.bootstrap.validate();
}
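/**
 * Naming a real {@code SslContextSupplier} as the supplier class must be honoured; the
 * test supplier is expected to hand back the JVM default context.
 * <p>
 * {@code ClientX509Util} is {@code AutoCloseable} (it is closed via try-with-resources elsewhere
 * in the codebase), so it is closed here instead of being leaked.
 */
@Test
public void testCreateSSLContext_validCustomSSLContextClass() throws Exception {
    ZKConfig zkConfig = new ZKConfig();
    try (ClientX509Util clientX509Util = new ClientX509Util()) {
        zkConfig.setProperty(clientX509Util.getSslContextSupplierClassProperty(), SslContextSupplier.class.getName());
        final SSLContext sslContext = clientX509Util.createSSLContext(zkConfig);
        Assert.assertEquals(SSLContext.getDefault(), sslContext);
    }
}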
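/**
 * https://issues.apache.org/jira/browse/ZOOKEEPER-2297
 * <p>
 * Selecting an SSL auth scheme ({@code y509}) for which no {@code zookeeper.authProvider.*}
 * is registered must make parsing fail once a secure client port is configured.
 * The scheme property is cleared afterwards so the bogus value does not leak into other
 * tests running in the same JVM.
 */
@Test
public void testCustomSSLAuth() throws IOException {
    try (ClientX509Util x509Util = new ClientX509Util()) {
        String authProviderKey = x509Util.getSslAuthProviderProperty();
        System.setProperty(authProviderKey, "y509");
        QuorumPeerConfig quorumPeerConfig = new QuorumPeerConfig();
        try {
            Properties zkProp = getDefaultZKProperties();
            zkProp.setProperty("secureClientPort", "12345");
            quorumPeerConfig.parseProperties(zkProp);
            fail("ConfigException is expected");
        } catch (ConfigException e) {
            assertNotNull(e.getMessage());
        } finally {
            System.clearProperty(authProviderKey);
        }
    }
}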
/**
 * Publishes JKS key/trust store system properties from the shared test context, selects the
 * Netty server factory and client socket, and keeps a {@code ClientX509Util} for the test body.
 */
@Before
public void setUp() throws Exception {
    // A short-lived helper is enough for setting the store properties.
    try (X509Util bootstrapUtil = new ClientX509Util()) {
        x509TestContext.setSystemProperties(bootstrapUtil, KeyStoreFileType.JKS, KeyStoreFileType.JKS);
    }
    System.setProperty(ServerCnxnFactory.ZOOKEEPER_SERVER_CNXN_FACTORY, "org.apache.zookeeper.server.NettyServerCnxnFactory");
    System.setProperty(ZKClientConfig.ZOOKEEPER_CLIENT_CNXN_SOCKET, "org.apache.zookeeper.ClientCnxnSocketNetty");
    // Retained for the duration of the test.
    x509Util = new ClientX509Util();
}
/** With every client-side SSL property cleared, the client must not establish a session. */
@Test
public void testMisconfiguration() throws Exception {
    String[] sslKeys = {
        clientX509Util.getSslAuthProviderProperty(),
        clientX509Util.getSslKeystoreLocationProperty(),
        clientX509Util.getSslKeystorePasswdProperty(),
        clientX509Util.getSslTruststoreLocationProperty(),
        clientX509Util.getSslTruststorePasswdProperty(),
    };
    for (String key : sslKeys) {
        System.clearProperty(key);
    }
    CountdownWatcher watcher = new CountdownWatcher();
    new TestableZooKeeper(hostPort, CONNECTION_TIMEOUT, watcher);
    boolean connected = watcher.clientConnected.await(1000, TimeUnit.MILLISECONDS);
    Assert.assertFalse("Missing SSL configuration should not result in successful connection", connected);
}
}
/**
 * Publishes the first two entries of {@code customCipherSuites} as the cipher-suite property
 * and replaces {@code x509Util} with a fresh instance.
 */
private void setCustomCipherSuites() {
    String suiteList = customCipherSuites[0] + "," + customCipherSuites[1];
    System.setProperty(x509Util.getCipherSuitesProperty(), suiteList);
    // The previous instance must be closed before it is dropped.
    x509Util.close();
    x509Util = new ClientX509Util();
}
/**
 * Configures a secure Netty server on a unique localhost port with the test JKS stores and the
 * built-in X509 auth provider, enables {@code javax.net.debug=ssl}, then runs the base setup.
 */
@Before
public void setUp() throws Exception {
    clientX509Util = new ClientX509Util();
    String dataDir = System.getProperty("test.data.dir", "src/test/resources/data");
    String keyStorePath = dataDir + "/ssl/testKeyStore.jks";
    String trustStorePath = dataDir + "/ssl/testTrustStore.jks";
    String storePassword = "testpass";

    // Netty on both sides, TLS on the client, x509 as the auth scheme.
    System.setProperty(ServerCnxnFactory.ZOOKEEPER_SERVER_CNXN_FACTORY, "org.apache.zookeeper.server.NettyServerCnxnFactory");
    System.setProperty(ZKClientConfig.ZOOKEEPER_CLIENT_CNXN_SOCKET, "org.apache.zookeeper.ClientCnxnSocketNetty");
    System.setProperty(ZKClientConfig.SECURE_CLIENT, "true");
    System.setProperty(clientX509Util.getSslAuthProviderProperty(), "x509");

    // Client key/trust stores.
    System.setProperty(clientX509Util.getSslKeystoreLocationProperty(), keyStorePath);
    System.setProperty(clientX509Util.getSslKeystorePasswdProperty(), storePassword);
    System.setProperty(clientX509Util.getSslTruststoreLocationProperty(), trustStorePath);
    System.setProperty(clientX509Util.getSslTruststorePasswdProperty(), storePassword);

    // JSSE debug output and the provider backing the x509 scheme.
    System.setProperty("javax.net.debug", "ssl");
    System.setProperty("zookeeper.authProvider.x509", "org.apache.zookeeper.server.auth.X509AuthenticationProvider");

    String host = "localhost";
    int port = PortAssignment.unique();
    hostPort = host + ":" + port;
    serverFactory = ServerCnxnFactory.createFactory();
    serverFactory.configure(new InetSocketAddress(host, port), maxCnxns, true);
    super.setUp();
}
/**
 * Picks a unique loopback address for the local server and publishes JKS key/trust store
 * system properties through a fresh {@code ClientX509Util}.
 */
@Before
public void setUp() throws Exception {
    int port = PortAssignment.unique();
    localServerAddress = new InetSocketAddress(InetAddress.getLoopbackAddress(), port);
    x509Util = new ClientX509Util();
    x509TestContext.setSystemProperties(x509Util, KeyStoreFileType.JKS, KeyStoreFileType.JKS);
}