/**
 * Registers the default X.509 authentication provider when the SSL auth scheme
 * is the default ({@code x509}) and no provider has been registered for it yet.
 * An explicitly configured provider is never overwritten.
 *
 * @throws ConfigException
 *             If a non-default authentication scheme is configured but no
 *             {@code zookeeper.authProvider.<scheme>} provider is registered for it.
 */
private void configureSSLAuth() throws ConfigException {
    try (ClientX509Util clientX509Util = new ClientX509Util()) {
        final String schemeKey = clientX509Util.getSslAuthProviderProperty();
        final String scheme = System.getProperty(schemeKey, "x509");
        final String providerKey = "zookeeper.authProvider." + scheme;
        if (System.getProperty(providerKey) != null) {
            // A provider is already registered for this scheme; nothing to do.
            return;
        }
        if (!"zookeeper.authProvider.x509".equals(providerKey)) {
            // Only the built-in x509 scheme has a default provider; anything else must be supplied.
            throw new ConfigException("No auth provider configured for the SSL authentication scheme '"
                    + System.getProperty(schemeKey) + "'.");
        }
        System.setProperty("zookeeper.authProvider.x509",
                "org.apache.zookeeper.server.auth.X509AuthenticationProvider");
    }
}
/**
 * Mirrors legacy system properties into this configuration.
 * <p>
 * Newer client code reads its settings from this class, while older clients
 * still configure them through {@code -D} system properties. Copying those
 * values in here keeps both configuration paths in agreement.
 * <p>
 * NOTE(review): a value is stored even when the system property is unset
 * (i.e. {@code null}); this assumes {@code properties} tolerates null values —
 * confirm against its declaration.
 */
protected void handleBackwardCompatibility() {
    // Plain settings that older clients only ever set as system properties.
    for (String legacyKey : new String[] {JUTE_MAXBUFFER, KINIT_COMMAND, JGSS_NATIVE}) {
        properties.put(legacyKey, System.getProperty(legacyKey));
    }
    // Client-side TLS settings, plus the auth-provider scheme the client uses.
    try (ClientX509Util clientUtil = new ClientX509Util()) {
        putSSLProperties(clientUtil);
        final String authProviderKey = clientUtil.getSslAuthProviderProperty();
        properties.put(authProviderKey, System.getProperty(authProviderKey));
    }
    // Quorum (server-to-server) TLS settings.
    try (X509Util quorumUtil = new QuorumX509Util()) {
        putSSLProperties(quorumUtil);
    }
}
/**
 * Appends a server-side {@link SslHandler} to the channel pipeline.
 * <p>
 * Without an SSL auth provider property the default context from
 * {@code x509Util} is used; otherwise the configured
 * {@link X509AuthenticationProvider} supplies the key and trust managers.
 * The engine runs in server mode and requires a client certificate
 * ({@code setNeedClientAuth(true)}), i.e. mutual TLS.
 *
 * @param p the pipeline to extend
 * @throws X509Exception if no provider is registered under the configured name
 * @throws KeyManagementException if the context cannot be initialised
 * @throws NoSuchAlgorithmException if the requested SSLContext protocol is unavailable
 */
private synchronized void initSSL(ChannelPipeline p)
        throws X509Exception, KeyManagementException, NoSuchAlgorithmException {
    final String authProviderProp = System.getProperty(x509Util.getSslAuthProviderProperty());
    final SSLContext sslContext;
    if (authProviderProp == null) {
        sslContext = x509Util.getDefaultSSLContext();
    } else {
        // NOTE(review): the protocol name is pinned to "TLSv1"; which protocol versions a
        // context created this way actually enables is JSSE-provider dependent — verify what
        // this server negotiates before relying on it.
        sslContext = SSLContext.getInstance("TLSv1");
        final String providerName = System.getProperty(x509Util.getSslAuthProviderProperty(), "x509");
        final X509AuthenticationProvider authProvider =
                (X509AuthenticationProvider) ProviderRegistry.getProvider(providerName);
        if (authProvider == null) {
            LOG.error("Auth provider not found: {}", authProviderProp);
            throw new SSLContextException(
                    "Could not create SSLContext with specified auth provider: " + authProviderProp);
        }
        // null SecureRandom -> the provider's default source of randomness.
        sslContext.init(new X509KeyManager[] {authProvider.getKeyManager()},
                new X509TrustManager[] {authProvider.getTrustManager()},
                null);
    }
    final SSLEngine engine = sslContext.createSSLEngine();
    engine.setUseClientMode(false);
    engine.setNeedClientAuth(true);
    p.addLast("ssl", new SslHandler(engine));
    LOG.info("SSL handler added for channel: {}", p.channel());
}
= System.getProperty(x509Util.getSslAuthProviderProperty(), "x509");
/**
 * Removes every system property installed by {@link #setUp()} and releases
 * the client X509 util, so later tests in the same JVM start from a clean slate.
 */
@After
public void teardown() throws Exception {
    final String[] fixedKeys = {
        ServerCnxnFactory.ZOOKEEPER_SERVER_CNXN_FACTORY,
        ZKClientConfig.ZOOKEEPER_CLIENT_CNXN_SOCKET,
        ZKClientConfig.SECURE_CLIENT,
    };
    for (String key : fixedKeys) {
        System.clearProperty(key);
    }
    final String[] tlsKeys = {
        clientX509Util.getSslAuthProviderProperty(),
        clientX509Util.getSslKeystoreLocationProperty(),
        clientX509Util.getSslKeystorePasswdProperty(),
        clientX509Util.getSslTruststoreLocationProperty(),
        clientX509Util.getSslTruststorePasswdProperty(),
        "javax.net.debug",
        "zookeeper.authProvider.x509",
    };
    for (String key : tlsKeys) {
        System.clearProperty(key);
    }
    clientX509Util.close();
}
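/**
 * A client with all TLS settings removed must not connect: without key and
 * trust material the handshake against the secure port cannot complete.
 * The client is closed afterwards so its connection threads do not outlive
 * the test.
 */
@Test
public void testMisconfiguration() throws Exception {
    final String[] tlsKeys = {
        clientX509Util.getSslAuthProviderProperty(),
        clientX509Util.getSslKeystoreLocationProperty(),
        clientX509Util.getSslKeystorePasswdProperty(),
        clientX509Util.getSslTruststoreLocationProperty(),
        clientX509Util.getSslTruststorePasswdProperty(),
    };
    for (String key : tlsKeys) {
        System.clearProperty(key);
    }
    final CountdownWatcher watcher = new CountdownWatcher();
    final TestableZooKeeper zk = new TestableZooKeeper(hostPort, CONNECTION_TIMEOUT, watcher);
    try {
        // The watcher counts down only on a successful session; one second is
        // enough for the handshake to fail and no session to be established.
        final boolean connected = watcher.clientConnected.await(1000, TimeUnit.MILLISECONDS);
        Assert.assertFalse("Missing SSL configuration should not result in successful connection", connected);
    } finally {
        // Previously leaked; an unclosed client keeps reconnecting in the background.
        zk.close();
    }
}
}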
/**
 * Configures a Netty-based server with a secure port and a Netty client with
 * matching X.509 key/trust stores, then starts the base test server.
 * <p>
 * Key and trust stores are test fixtures under {@code test.data.dir}
 * (default {@code src/test/resources/data}); {@code javax.net.debug=ssl}
 * enables verbose JSSE logging for this JVM.
 */
@Before
public void setUp() throws Exception {
    clientX509Util = new ClientX509Util();
    final String dataDir = System.getProperty("test.data.dir", "src/test/resources/data");
    final String keyStorePath = dataDir + "/ssl/testKeyStore.jks";
    final String trustStorePath = dataDir + "/ssl/testTrustStore.jks";

    // Netty transport on both ends, client in secure mode.
    System.setProperty(ServerCnxnFactory.ZOOKEEPER_SERVER_CNXN_FACTORY,
            "org.apache.zookeeper.server.NettyServerCnxnFactory");
    System.setProperty(ZKClientConfig.ZOOKEEPER_CLIENT_CNXN_SOCKET,
            "org.apache.zookeeper.ClientCnxnSocketNetty");
    System.setProperty(ZKClientConfig.SECURE_CLIENT, "true");

    // Client-side TLS material and the x509 auth scheme/provider pair.
    System.setProperty(clientX509Util.getSslAuthProviderProperty(), "x509");
    System.setProperty(clientX509Util.getSslKeystoreLocationProperty(), keyStorePath);
    System.setProperty(clientX509Util.getSslKeystorePasswdProperty(), "testpass");
    System.setProperty(clientX509Util.getSslTruststoreLocationProperty(), trustStorePath);
    System.setProperty(clientX509Util.getSslTruststorePasswdProperty(), "testpass");
    System.setProperty("javax.net.debug", "ssl");
    System.setProperty("zookeeper.authProvider.x509",
            "org.apache.zookeeper.server.auth.X509AuthenticationProvider");

    final String host = "localhost";
    final int port = PortAssignment.unique();
    hostPort = host + ":" + port;
    serverFactory = ServerCnxnFactory.createFactory();
    // Third argument presumably selects the secure listener — confirm against configure()'s signature.
    serverFactory.configure(new InetSocketAddress(host, port), maxCnxns, true);
    super.setUp();
}
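/**
 * https://issues.apache.org/jira/browse/ZOOKEEPER-2297
 * <p>
 * Selecting an SSL auth scheme ({@code y509}) that has no registered provider
 * must be rejected when a secure client port is configured. The scheme
 * property is restored afterwards so the bogus value does not leak into
 * other tests running in the same JVM.
 */
@Test
public void testCustomSSLAuth() throws IOException {
    try (ClientX509Util x509Util = new ClientX509Util()) {
        final String schemeKey = x509Util.getSslAuthProviderProperty();
        final String previousScheme = System.getProperty(schemeKey);
        System.setProperty(schemeKey, "y509");
        QuorumPeerConfig quorumPeerConfig = new QuorumPeerConfig();
        try {
            Properties zkProp = getDefaultZKProperties();
            zkProp.setProperty("secureClientPort", "12345");
            quorumPeerConfig.parseProperties(zkProp);
            fail("ConfigException is expected");
        } catch (ConfigException e) {
            assertNotNull(e.getMessage());
        } finally {
            // Previously the "y509" scheme stayed set after the test.
            if (previousScheme == null) {
                System.clearProperty(schemeKey);
            } else {
                System.setProperty(schemeKey, previousScheme);
            }
        }
    }
}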