Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id B5B94200D0A for ; Wed, 4 Oct 2017 16:48:19 +0200 (CEST) Received: by cust-asf.ponee.io (Postfix) id B4023160BD7; Wed, 4 Oct 2017 14:48:19 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id D23681609D6 for ; Wed, 4 Oct 2017 16:48:18 +0200 (CEST) Received: (qmail 45020 invoked by uid 500); 4 Oct 2017 14:48:15 -0000 Mailing-List: contact dev-help@drill.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@drill.apache.org Delivered-To: mailing list dev@drill.apache.org Received: (qmail 44872 invoked by uid 99); 4 Oct 2017 14:48:15 -0000 Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 04 Oct 2017 14:48:15 +0000 Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33) id 24102E8F24; Wed, 4 Oct 2017 14:48:15 +0000 (UTC) From: arina-ielchiieva To: dev@drill.apache.org Reply-To: dev@drill.apache.org References: In-Reply-To: Subject: [GitHub] drill pull request #950: DRILL-5431: SSL Support Content-Type: text/plain Message-Id: <20171004144815.24102E8F24@git1-us-west.apache.org> Date: Wed, 4 Oct 2017 14:48:15 +0000 (UTC) archived-at: Wed, 04 Oct 2017 14:48:19 -0000 Github user arina-ielchiieva commented on a diff in the pull request: https://github.com/apache/drill/pull/950#discussion_r142683194 --- Diff: exec/java-exec/src/test/java/org/apache/drill/exec/rpc/user/security/TestUserBitSSL.java --- 
@@ -0,0 +1,338 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.drill.exec.rpc.user.security;
+
+import com.typesafe.config.ConfigValueFactory;
+import io.netty.handler.ssl.util.SelfSignedCertificate;
+import junit.framework.TestCase;
+import org.apache.drill.BaseTestQuery;
+import org.apache.drill.common.config.DrillConfig;
+import org.apache.drill.common.config.DrillProperties;
+import org.apache.drill.exec.ExecConstants;
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import java.io.File;
+import java.io.FileOutputStream;
+import java.net.InetAddress;
+import java.security.KeyStore;
+import java.util.Properties;
+
+import static junit.framework.TestCase.fail;
+import static org.junit.Assert.assertEquals;
+
+public class TestUserBitSSL extends BaseTestQuery {
+ private static final org.slf4j.Logger logger =
+ org.slf4j.LoggerFactory.getLogger(TestUserBitSSL.class);
+
+ private static DrillConfig newConfig;
+ private static Properties initProps; // initial client properties
+ private static ClassLoader classLoader;
+ private static String ksPath;
+ private static String tsPath;
+ private static String emptyTSPath;
+ private static String
unknownKsPath;
+
+ @BeforeClass
+ public static void setupTest() throws Exception {
+
+ // Create a new DrillConfig
+ classLoader = TestUserBitSSL.class.getClassLoader();
+ ksPath = new File(classLoader.getResource("ssl/keystore.ks").getFile()).getAbsolutePath();
+ unknownKsPath = new File(classLoader.getResource("ssl/unknownkeystore.ks").getFile()).getAbsolutePath();
+ tsPath = new File(classLoader.getResource("ssl/truststore.ks").getFile()).getAbsolutePath();
+ emptyTSPath = new File(classLoader.getResource("ssl/emptytruststore.ks").getFile()).getAbsolutePath();
+ newConfig = new DrillConfig(DrillConfig.create(cloneDefaultTestConfigProperties())
+ .withValue(ExecConstants.SSL_USE_HADOOP_CONF,
+ ConfigValueFactory.fromAnyRef(false))
+ .withValue(ExecConstants.USER_SSL_ENABLED,
+ ConfigValueFactory.fromAnyRef(true))
+ .withValue(ExecConstants.SSL_KEYSTORE_TYPE,
+ ConfigValueFactory.fromAnyRef("JKS"))
+ .withValue(ExecConstants.SSL_KEYSTORE_PATH,
+ ConfigValueFactory.fromAnyRef(ksPath))
+ .withValue(ExecConstants.SSL_KEYSTORE_PASSWORD,
+ ConfigValueFactory.fromAnyRef("drill123"))
+ .withValue(ExecConstants.SSL_KEY_PASSWORD,
+ ConfigValueFactory.fromAnyRef("drill123"))
+ .withValue(ExecConstants.SSL_TRUSTSTORE_TYPE,
+ ConfigValueFactory.fromAnyRef("JKS"))
+ .withValue(ExecConstants.SSL_TRUSTSTORE_PATH,
+ ConfigValueFactory.fromAnyRef(tsPath))
+ .withValue(ExecConstants.SSL_TRUSTSTORE_PASSWORD,
+ ConfigValueFactory.fromAnyRef("drill123"))
+ .withValue(ExecConstants.SSL_PROTOCOL,
+ ConfigValueFactory.fromAnyRef("TLSv1.2")),
+ false);
+
+ initProps = new Properties();
+ initProps.setProperty(DrillProperties.ENABLE_TLS, "true");
+ initProps.setProperty(DrillProperties.TRUSTSTORE_PATH, tsPath);
+ initProps.setProperty(DrillProperties.TRUSTSTORE_PASSWORD, "drill123");
+ initProps.setProperty(DrillProperties.DISABLE_HOST_VERIFICATION, "true");
+
+ // Start an SSL enabled cluster
+ updateTestCluster(1, newConfig, initProps);
+ }
+
+ @AfterClass
+ public static void
cleanTest() throws Exception {
+ DrillConfig restoreConfig =
+ new DrillConfig(DrillConfig.create(cloneDefaultTestConfigProperties()), false);
+ updateTestCluster(1, restoreConfig);
+ }
+
+ @Test
+ public void testSSLConnection() throws Exception {
+ final Properties connectionProps = new Properties();
+ connectionProps.setProperty(DrillProperties.ENABLE_TLS, "true");
+ connectionProps.setProperty(DrillProperties.TRUSTSTORE_PATH, tsPath);
+ connectionProps.setProperty(DrillProperties.TRUSTSTORE_PASSWORD, "drill123");
+ connectionProps.setProperty(DrillProperties.DISABLE_HOST_VERIFICATION, "true");
+ try {
+ updateClient(connectionProps);
+ } catch (Exception e) {
+ TestCase.fail( new StringBuilder()
+ .append("SSL Connection failed with exception [" )
+ .append( e.getMessage() )
+ .append("]")
+ .toString());
+ }
+ }
+
+ @Test
+ public void testSSLConnectionWithKeystore() throws Exception {
+ final Properties connectionProps = new Properties();
+ connectionProps.setProperty(DrillProperties.ENABLE_TLS, "true");
+ connectionProps.setProperty(DrillProperties.TRUSTSTORE_PATH, ksPath);
+ connectionProps.setProperty(DrillProperties.TRUSTSTORE_PASSWORD, "drill123");
+ connectionProps.setProperty(DrillProperties.DISABLE_HOST_VERIFICATION, "true");
+ try {
+ updateClient(connectionProps);
+ } catch (Exception e) {
+ TestCase.fail( new StringBuilder()
+ .append("SSL Connection failed with exception [" )
+ .append( e.getMessage() )
+ .append("]")
+ .toString());
+ }
+ }
+
+ @Test
+ public void testSSLConnectionFailBadTrustStore() throws Exception {
+ final Properties connectionProps = new Properties();
+ connectionProps.setProperty(DrillProperties.ENABLE_TLS, "true");
+ connectionProps.setProperty(DrillProperties.TRUSTSTORE_PATH, ""); // NO truststore
+ connectionProps.setProperty(DrillProperties.TRUSTSTORE_PASSWORD, "drill123");
+ connectionProps.setProperty(DrillProperties.DISABLE_HOST_VERIFICATION, "true");
+ boolean failureCaught = false;
+ try {
+
updateClient(connectionProps);
+ } catch (Exception e) {
+ failureCaught = true;
+ }
+ assertEquals(failureCaught, true);
+ }
+
+ @Test
+ public void testSSLConnectionFailBadPassword() throws Exception {
+ final Properties connectionProps = new Properties();
+ connectionProps.setProperty(DrillProperties.ENABLE_TLS, "true");
+ connectionProps.setProperty(DrillProperties.TRUSTSTORE_PATH, tsPath);
+ connectionProps.setProperty(DrillProperties.TRUSTSTORE_PASSWORD, "bad_password");
+ connectionProps.setProperty(DrillProperties.DISABLE_HOST_VERIFICATION, "true");
+ boolean failureCaught = false;
+ try {
+ updateClient(connectionProps);
+ } catch (Exception e) {
+ failureCaught = true;
+ }
+ assertEquals(failureCaught, true);
+ }
+
+ @Test
+ public void testSSLConnectionFailEmptyTrustStore() throws Exception {
+ final Properties connectionProps = new Properties();
+ connectionProps.setProperty(DrillProperties.ENABLE_TLS, "true");
+ connectionProps.setProperty(DrillProperties.TRUSTSTORE_PATH, emptyTSPath);
+ connectionProps.setProperty(DrillProperties.TRUSTSTORE_PASSWORD, "drill123");
+ connectionProps.setProperty(DrillProperties.DISABLE_HOST_VERIFICATION, "true");
+ boolean failureCaught = false;
+ try {
+ updateClient(connectionProps);
+ } catch (Exception e) {
+ failureCaught = true;
+ }
+ assertEquals(failureCaught, true);
+ }
+
+ @Test
+ public void testSSLQuery() throws Exception {
+ final Properties connectionProps = new Properties();
+ connectionProps.setProperty(DrillProperties.ENABLE_TLS, "true");
+ connectionProps.setProperty(DrillProperties.TRUSTSTORE_PATH, tsPath);
+ connectionProps.setProperty(DrillProperties.TRUSTSTORE_PASSWORD, "drill123");
+ connectionProps.setProperty(DrillProperties.DISABLE_HOST_VERIFICATION, "true");
+ try {
+ updateClient(connectionProps);
+ } catch (Exception e) {
+ TestCase.fail( new StringBuilder()
+ .append("SSL Connection failed with exception [" )
+ .append( e.getMessage() )
+ .append("]")
+ .toString());
+ }
+ test("SELECT *
FROM cp.`region.json`");
+ }
+
+ @Test
+ public void testClientConfigHostnameVerification() {
+ String password = "test_password";
+ String trustStoreFileName = "drillTestTrustStore";
+ String keyStoreFileName = "drillTestKeyStore";
+ KeyStore ts, ks;
+ File tempFile1, tempFile2;
+ String trustStorePath;
+ String keyStorePath;
+
+ try {
+ String fqdn = InetAddress.getLocalHost().getHostName();
+ SelfSignedCertificate certificate = new SelfSignedCertificate(fqdn);
+
+ tempFile1 = File.createTempFile(trustStoreFileName, ".ks");
+ tempFile1.deleteOnExit();
+ trustStorePath = tempFile1.getAbsolutePath();
+ //generate a truststore.
+ ts = KeyStore.getInstance(KeyStore.getDefaultType());
+ ts.load(null, password.toCharArray());
+ ts.setCertificateEntry("drillTest", certificate.cert());
+ // Store away the truststore.
+ FileOutputStream fos1 = new FileOutputStream(tempFile1);
+ ts.store(fos1, password.toCharArray());
+ fos1.close();
--- End diff -- It's better to use try with resources thus stream will be definitely closed in case of exception. ---
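Review bot: The three negative tests (testSSLConnectionFailBadTrustStore, testSSLConnectionFailBadPassword, testSSLConnectionFailEmptyTrustStore) set `failureCaught = true` on any `Exception` from `updateClient`, so they cannot tell a handshake rejected for an untrusted server certificate apart from an unrelated failure such as an unusable truststore path or an unreachable drillbit, and they would keep passing even if trust validation were skipped while something else broke. Capture the thrown exception and assert on its type or on the message the client produces for a trust failure, e.g. `assertTrue("unexpected failure: " + caught, caught.getMessage().contains(<expected trust-failure text>))`, where the placeholder is whatever message the client's TLS setup actually emits. Separately, `assertEquals(failureCaught, true)` has expected and actual swapped; `assertTrue(failureCaught)` states the intent directly. In the positive tests the catch-and-`fail` with only `e.getMessage()` discards the stack trace; since these methods already declare `throws Exception`, letting the exception propagate keeps the full cause in the test report. testClientConfigHostnameVerification continues past the end of the quoted hunk, so its remaining assertions were not reviewed here.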