
From dschnei...@apache.org
Subject [1/3] incubator-geode git commit: GEODE-396: Fix server to use server/gateway ssl config
Date Fri, 16 Oct 2015 20:58:15 GMT
Repository: incubator-geode
Updated Branches:
  refs/heads/develop 21743ec13 -> e45f5e3aa


GEODE-396: Fix server to use server/gateway ssl config

The AcceptorImpl now keeps the non-default SocketCreator it builds from
the server/gateway SSL config and uses it for all connections
from clients, instead of falling back to the default cluster SSL config.

The extra logging done by the server that included the keystore
and truststore passwords (in clear text) has been removed.

Added unit test that reproduced this bug.


Project: http://git-wip-us.apache.org/repos/asf/incubator-geode/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-geode/commit/03e593de
Tree: http://git-wip-us.apache.org/repos/asf/incubator-geode/tree/03e593de
Diff: http://git-wip-us.apache.org/repos/asf/incubator-geode/diff/03e593de

Branch: refs/heads/develop
Commit: 03e593dee378aad86ac31b524dd30ccad8405bfb
Parents: 21743ec
Author: Darrel Schneider <dschneider@pivotal.io>
Authored: Tue Oct 6 15:31:49 2015 -0700
Committer: Darrel Schneider <dschneider@pivotal.io>
Committed: Fri Oct 16 11:26:24 2015 -0700

----------------------------------------------------------------------
 .../cache/tier/sockets/AcceptorImpl.java        |  36 +--
 .../internal/SSLNoClientAuthDUnitTest.java      | 271 +++++++++++++++++++
 .../cache/client/internal/default.keystore      | Bin 0 -> 1115 bytes
 3 files changed, 277 insertions(+), 30 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/03e593de/gemfire-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/AcceptorImpl.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/AcceptorImpl.java
b/gemfire-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/AcceptorImpl.java
index 74cdfa9..b5fd228 100755
--- a/gemfire-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/AcceptorImpl.java
+++ b/gemfire-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/AcceptorImpl.java
@@ -11,8 +11,6 @@ package com.gemstone.gemfire.internal.cache.tier.sockets;
 import java.io.EOFException;
 import java.io.IOException;
 import java.io.InterruptedIOException;
-import java.io.PrintWriter;
-import java.io.StringWriter;
 import java.net.BindException;
 import java.net.Inet6Address;
 import java.net.InetAddress;
@@ -270,6 +268,7 @@ public class AcceptorImpl extends Acceptor implements Runnable
 
   private boolean isGatewayReceiver;
   private List<GatewayTransportFilter> gatewayTransportFilters;
+  private final SocketCreator socketCreator; 
   /**
    * Initializes this acceptor thread to listen for connections on the given
    * port.
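Review bot: The new `socketCreator` field has no comment and carries a trailing space after the semicolon, and since the class already keeps a default-instance creator around elsewhere (see the removed `SocketCreator.getDefaultInstance()` call later in this diff) the distinction is worth stating at the declaration. Suggest `/** Socket creator built from the server-ssl-* or gateway-ssl-* config; used for every client connection in place of the cluster-wide default instance. */` above the field and dropping the trailing whitespace. The Javadoc that follows belongs to the constructor, which continues outside this hunk.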
@@ -386,43 +385,20 @@ public class AcceptorImpl extends Acceptor implements Runnable
 
     {
       final int backLog = Integer.getInteger(BACKLOG_PROPERTY_NAME, DEFAULT_BACKLOG).intValue();
-      SocketCreator sc = null;
       DistributionConfig config = ((InternalDistributedSystem)c.getDistributedSystem()).getConfig();
       if(!isGatewayReceiver) {
         //If configured use SSL properties for cache-server
-        sc = SocketCreator.createNonDefaultInstance(config.getServerSSLEnabled(),
+        this.socketCreator = SocketCreator.createNonDefaultInstance(config.getServerSSLEnabled(),
             config.getServerSSLRequireAuthentication(),
             config.getServerSSLProtocols(),
             config.getServerSSLCiphers(),
             config.getServerSSLProperties());
-        if(config.getServerSSLEnabled()) {
-          StringWriter sw = new StringWriter();
-          PrintWriter writer = new PrintWriter(sw);
-          config.getServerSSLProperties().list(writer);          
-          logger.info(
-              "Starting CacheServer with SSL config : Authentication Required {} Ciphers
{} Protocols {} Other Properties {} ",
-                  config.getServerSSLRequireAuthentication(),
-                  config.getServerSSLCiphers(),
-                  config.getServerSSLProtocols(),
-                  sw.toString());
-        }
       } else {
-        sc = SocketCreator.createNonDefaultInstance(config.getGatewaySSLEnabled(),
+        this.socketCreator = SocketCreator.createNonDefaultInstance(config.getGatewaySSLEnabled(),
             config.getGatewaySSLRequireAuthentication(),
             config.getGatewaySSLProtocols(),
             config.getGatewaySSLCiphers(),
             config.getGatewaySSLProperties());
-        if(config.getGatewaySSLEnabled()) {
-          StringWriter sw = new StringWriter();
-          PrintWriter writer = new PrintWriter(sw);
-          config.getGatewaySSLProperties().list(writer);          
-          logger.info(
-              "Starting Gateway with SSL config : Authentication Required {} Ciphers {} Protocols
{} Other Properties {} ",
-                  config.getGatewaySSLRequireAuthentication(),
-                  config.getGatewaySSLCiphers(),
-                  config.getGatewaySSLProtocols(),
-                  sw.toString());
-        }
       }
       
       final GemFireCacheImpl gc;
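Review bot: Removing the two `logger.info` blocks is the right call for the password leak, but it also drops the only startup record of which SSL settings the acceptor actually used, which operators rely on to confirm a server is not silently running with cluster defaults. A replacement that omits the `Properties` dump keeps that visibility without the secrets, e.g. in the cache-server branch `logger.info("Starting CacheServer with SSL config : Authentication Required {} Ciphers {} Protocols {}", config.getServerSSLRequireAuthentication(), config.getServerSSLCiphers(), config.getServerSSLProtocols());` guarded by `config.getServerSSLEnabled()`, and the gateway equivalent in the else branch. The enclosing constructor starts and ends outside this hunk, so the definite-assignment of the final field across the if/else cannot be fully checked here, though both branches visibly assign it.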
@@ -435,7 +411,7 @@ public class AcceptorImpl extends Acceptor implements Runnable
       final long tilt = System.currentTimeMillis() + 120 * 1000;
 
       if (isSelector()) {
-        if (sc.useSSL()) {
+        if (this.socketCreator.useSSL()) {
           throw new IllegalArgumentException(LocalizedStrings.AcceptorImpl_SELECTOR_THREAD_POOLING_CAN_NOT_BE_USED_WITH_CLIENTSERVER_SSL_THE_SELECTOR_CAN_BE_DISABLED_BY_SETTING_MAXTHREADS0.toLocalizedString());
         }
         ServerSocketChannel channel = ServerSocketChannel.open();
@@ -486,7 +462,7 @@ public class AcceptorImpl extends Acceptor implements Runnable
         // immediately restarted, which sometimes results in a bind exception
         for (;;) {
           try {
-            this.serverSock = sc.createServerSocket(port, backLog,
+            this.serverSock = this.socketCreator.createServerSocket(port, backLog,
                 getBindAddress(), this.gatewayTransportFilters,
                 socketBufferSize);
             break;
@@ -1323,7 +1299,7 @@ public class AcceptorImpl extends Acceptor implements Runnable
             break;
           }
         }
-        SocketCreator.getDefaultInstance().configureServerSSLSocket(s);
+        this.socketCreator.configureServerSSLSocket(s);
         this.loggedAcceptError = false;
 
         handOffNewClientConnection(s);

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/03e593de/gemfire-core/src/test/java/com/gemstone/gemfire/cache/client/internal/SSLNoClientAuthDUnitTest.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/com/gemstone/gemfire/cache/client/internal/SSLNoClientAuthDUnitTest.java
b/gemfire-core/src/test/java/com/gemstone/gemfire/cache/client/internal/SSLNoClientAuthDUnitTest.java
new file mode 100644
index 0000000..390c285
--- /dev/null
+++ b/gemfire-core/src/test/java/com/gemstone/gemfire/cache/client/internal/SSLNoClientAuthDUnitTest.java
@@ -0,0 +1,271 @@
+/*=========================================================================
+ * Copyright (c) 2010-2014 Pivotal Software, Inc. All Rights Reserved.
+ * This product is protected by U.S. and international copyright
+ * and intellectual property laws. Pivotal products are covered by
+ * one or more patents listed at http://www.pivotal.io/patents.
+ *=========================================================================
+ */
+package com.gemstone.gemfire.cache.client.internal;
+
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.io.StringWriter;
+import java.util.Properties;
+import com.gemstone.gemfire.cache.Cache;
+import com.gemstone.gemfire.cache.CacheFactory;
+import com.gemstone.gemfire.cache.Region;
+import com.gemstone.gemfire.cache.RegionFactory;
+import com.gemstone.gemfire.cache.RegionShortcut;
+import com.gemstone.gemfire.cache.client.ClientCache;
+import com.gemstone.gemfire.cache.client.ClientCacheFactory;
+import com.gemstone.gemfire.cache.client.ClientRegionFactory;
+import com.gemstone.gemfire.cache.client.ClientRegionShortcut;
+import com.gemstone.gemfire.cache.server.CacheServer;
+import com.gemstone.gemfire.distributed.internal.DistributionConfig;
+import com.gemstone.gemfire.internal.AvailablePortHelper;
+import com.gemstone.gemfire.security.AuthenticationRequiredException;
+import com.gemstone.gemfire.util.test.TestUtil;
+
+import dunit.DistributedTestCase;
+import dunit.Host;
+import dunit.VM;
+
+/**
+ * Test for GEODE-396
+ */
+public class SSLNoClientAuthDUnitTest extends DistributedTestCase {
+  
+  private static final long serialVersionUID = 1L;
+  private Cache cache;
+  private CacheServer cacheServer;
+  private ClientCache clientCache;
+  private int cacheServerPort;
+  private String hostName;
+  
+  private static final String DEFAULT_STORE = "default.keystore";
+  
+  private static SSLNoClientAuthDUnitTest instance = new SSLNoClientAuthDUnitTest("SSLNoClientAuthDUnitTest");
+  
+  
+  public void setUp() throws Exception {
+    disconnectAllFromDS();
+    super.setUp();
+  }
+
+  public SSLNoClientAuthDUnitTest(String name) {
+    super(name);
+  }  
+
+  public Cache createCache(Properties props) throws Exception
+  {
+    props.setProperty("mcast-port", "0");
+    props.setProperty("locators", "");
+    cache = new CacheFactory(props).create();
+    if (cache == null) {
+      throw new Exception("CacheFactory.create() returned null ");
+    }
+    return cache;
+  }
+  
+  private void createServer() throws IOException{
+    cacheServerPort = AvailablePortHelper.getRandomAvailableTCPPort();
+    cacheServer = cache.addCacheServer();
+    cacheServer.setPort(cacheServerPort);
+    cacheServer.start();
+    hostName = cacheServer.getHostnameForClients();
+  }
+  
+  public int getCacheServerPort(){
+    return cacheServerPort;
+  }
+  
+  public String getCacheServerHost(){
+    return hostName;
+  }
+  
+  public void stopCacheServer(){
+    this.cacheServer.stop();
+  }
+  
+  
+  @SuppressWarnings("rawtypes")
+  public void setUpServerVM(boolean cacheServerSslenabled) throws Exception {
+    Properties gemFireProps = new Properties();
+
+    String cacheServerSslprotocols = "any";
+    String cacheServerSslciphers = "any";
+    boolean cacheServerSslRequireAuth = false;
+    gemFireProps.put(DistributionConfig.SERVER_SSL_ENABLED_NAME,
+        String.valueOf(cacheServerSslenabled));
+    gemFireProps.put(DistributionConfig.SERVER_SSL_PROTOCOLS_NAME,
+        cacheServerSslprotocols);
+    gemFireProps.put(DistributionConfig.SERVER_SSL_CIPHERS_NAME,
+        cacheServerSslciphers);
+    gemFireProps.put(
+        DistributionConfig.SERVER_SSL_REQUIRE_AUTHENTICATION_NAME,
+        String.valueOf(cacheServerSslRequireAuth));
+
+    String keyStore = TestUtil.getResourcePath(SSLNoClientAuthDUnitTest.class, DEFAULT_STORE);
+    String trustStore = TestUtil.getResourcePath(SSLNoClientAuthDUnitTest.class, DEFAULT_STORE);
+    gemFireProps.put(DistributionConfig.SERVER_SSL_KEYSTORE_TYPE_NAME, "jks");
+    gemFireProps.put(DistributionConfig.SERVER_SSL_KEYSTORE_NAME, keyStore);
+    gemFireProps.put(DistributionConfig.SERVER_SSL_KEYSTORE_PASSWORD_NAME, "password");
+    gemFireProps.put(DistributionConfig.SERVER_SSL_TRUSTSTORE_NAME, trustStore);
+    gemFireProps.put(DistributionConfig.SERVER_SSL_TRUSTSTORE_PASSWORD_NAME, "password");
+    
+    StringWriter sw = new StringWriter();
+    PrintWriter writer = new PrintWriter(sw);
+    gemFireProps.list(writer);
+    System.out.println("Starting cacheserver ds with following properties \n" + sw);
+    createCache(gemFireProps);
+    
+    RegionFactory factory = cache.createRegionFactory(RegionShortcut.REPLICATE);
+    Region r = factory.create("serverRegion");
+    r.put("serverkey", "servervalue");
+  }
+  
+  public void setUpClientVM(String host, int port,
+      boolean cacheServerSslenabled, boolean cacheServerSslRequireAuth,
+      String keyStore, String trustStore) {
+
+    Properties gemFireProps = new Properties();
+
+    String cacheServerSslprotocols = "any";
+    String cacheServerSslciphers = "any";
+
+    String keyStorePath = TestUtil.getResourcePath(SSLNoClientAuthDUnitTest.class, keyStore);
+    String trustStorePath = TestUtil.getResourcePath(SSLNoClientAuthDUnitTest.class, trustStore);
+    //using new server-ssl-* properties
+    gemFireProps.put(DistributionConfig.SERVER_SSL_ENABLED_NAME,
+        String.valueOf(cacheServerSslenabled));
+    gemFireProps.put(DistributionConfig.SERVER_SSL_PROTOCOLS_NAME,
+        cacheServerSslprotocols);
+    gemFireProps.put(DistributionConfig.SERVER_SSL_CIPHERS_NAME,
+        cacheServerSslciphers);
+    gemFireProps.put(
+        DistributionConfig.SERVER_SSL_REQUIRE_AUTHENTICATION_NAME,
+        String.valueOf(cacheServerSslRequireAuth));
+
+    gemFireProps.put(DistributionConfig.SERVER_SSL_KEYSTORE_TYPE_NAME, "jks");
+    gemFireProps.put(DistributionConfig.SERVER_SSL_KEYSTORE_NAME, keyStorePath);
+    gemFireProps.put(DistributionConfig.SERVER_SSL_KEYSTORE_PASSWORD_NAME, "password");
+    gemFireProps.put(DistributionConfig.SERVER_SSL_TRUSTSTORE_NAME, trustStorePath);
+    gemFireProps.put(DistributionConfig.SERVER_SSL_TRUSTSTORE_PASSWORD_NAME, "password");
+
+    StringWriter sw = new StringWriter();
+    PrintWriter writer = new PrintWriter(sw);
+    gemFireProps.list(writer);
+    System.out.println("Starting client ds with following properties \n" + sw.getBuffer());
+    
+    ClientCacheFactory clientCacheFactory = new ClientCacheFactory(gemFireProps);
+    clientCacheFactory.addPoolServer(host, port);
+    clientCache = clientCacheFactory.create();
+    
+    ClientRegionFactory<String,String> regionFactory = clientCache.createClientRegionFactory(ClientRegionShortcut.PROXY);
+    Region<String, String> region = regionFactory.create("serverRegion");  
+    assertNotNull(region);
+  }
+  
+  public void doClientRegionTest(){
+    Region<String, String> region = clientCache.getRegion("serverRegion");
+    assertEquals("servervalue",region.get("serverkey"));
+    region.put("clientkey", "clientvalue");
+    assertEquals("clientvalue",region.get("clientkey"));
+  }
+  
+  public void doServerRegionTest(){
+    Region<String, String> region = cache.getRegion("serverRegion");
+    assertEquals("servervalue",region.get("serverkey"));    
+    assertEquals("clientvalue",region.get("clientkey"));
+  }
+  
+  
+  public static void setUpServerVMTask(boolean cacheServerSslenabled) throws Exception{
+    instance.setUpServerVM(cacheServerSslenabled);
+  }
+  
+  public static void createServerTask() throws Exception {
+    instance.createServer();
+  }
+  
+  public static void setUpClientVMTask(String host, int port,
+      boolean cacheServerSslenabled, boolean cacheServerSslRequireAuth, String keyStore,
String trustStore)
+      throws Exception {
+    instance.setUpClientVM(host, port, cacheServerSslenabled, cacheServerSslRequireAuth,
keyStore, trustStore);
+  }
+  
+  public static void doClientRegionTestTask() {
+    instance.doClientRegionTest();
+  }
+  
+  public static void doServerRegionTestTask() {
+    instance.doServerRegionTest();
+  }
+  
+  public static Object[] getCacheServerEndPointTask() {
+    Object[] array = new Object[2];
+    array[0] = instance.getCacheServerHost();
+    array[1] = instance.getCacheServerPort();
+    return array;
+  }
+  
+  public static void closeCacheTask(){
+    if (instance != null && instance.cache != null) {
+      instance.cache.close();
+    }
+  }
+  
+  public static void closeClientCacheTask(){
+    if (instance != null && instance.clientCache != null) {
+      instance.clientCache.close();
+    }
+  }
+  
+  /**
+   * Test for GEODE-396
+   */
+  public void testSSLServerWithNoAuth() throws Exception {
+    final Host host = Host.getHost(0);
+    VM serverVM = host.getVM(1);
+    VM clientVM = host.getVM(2);
+
+    boolean cacheServerSslenabled = true;
+    boolean cacheClientSslenabled = true;
+    boolean cacheClientSslRequireAuth = true;
+
+    serverVM.invoke(SSLNoClientAuthDUnitTest.class, "setUpServerVMTask", new Object[]{cacheServerSslenabled});
+    serverVM.invoke(SSLNoClientAuthDUnitTest.class, "createServerTask");
+
+    Object array[] = (Object[])serverVM.invoke(SSLNoClientAuthDUnitTest.class, "getCacheServerEndPointTask");

+    String hostName = (String)array[0];
+    int port = (Integer) array[1];
+    Object params[] = new Object[6];
+    params[0] = hostName;
+    params[1] = port;
+    params[2] = cacheClientSslenabled;
+    params[3] = cacheClientSslRequireAuth;
+    params[4] = DEFAULT_STORE;
+    params[5] = DEFAULT_STORE;
+    //getLogWriter().info("Starting client with server endpoint " + hostName + ":" + port);
+    try {
+      clientVM.invoke(SSLNoClientAuthDUnitTest.class, "setUpClientVMTask", params);
+      clientVM.invoke(SSLNoClientAuthDUnitTest.class, "doClientRegionTestTask");
+      serverVM.invoke(SSLNoClientAuthDUnitTest.class, "doServerRegionTestTask");
+    } catch (Exception rmiException) {
+      Throwable e = rmiException.getCause();
+      //getLogWriter().info("ExceptionCause at clientVM " + e);
+      fail("Unexpected Exception " + e);
+    }
+  }
+  
+  public void tearDown2() throws Exception
+  {
+    final Host host = Host.getHost(0);
+    VM serverVM = host.getVM(1);
+    VM clientVM = host.getVM(2);
+    clientVM.invoke(SSLNoClientAuthDUnitTest.class, "closeClientCacheTask");
+    serverVM.invoke(SSLNoClientAuthDUnitTest.class, "closeCacheTask");
+    super.tearDown2();
+  }
+
+}
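Review bot: `setUpServerVM` and `setUpClientVM` write the complete property set, including `SERVER_SSL_KEYSTORE_PASSWORD_NAME` and `SERVER_SSL_TRUSTSTORE_PASSWORD_NAME`, to `System.out` via `gemFireProps.list(writer)`, which is the same clear-text password dump this commit removes from `AcceptorImpl`; the values are fixtures, but the pattern is the one being retired and test output is routinely captured in CI logs. Either drop the dump or copy the properties and `remove(...)` the two password keys before calling `list`. Separately, the `catch (Exception rmiException)` in `testSSLServerWithNoAuth` calls `fail("Unexpected Exception " + e)` on `rmiException.getCause()`, which may be null and in any case discards the stack trace; letting the exception propagate from the test method preserves the diagnostic. `setUp` and `tearDown2` override superclass methods and should carry `@Override`.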

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/03e593de/gemfire-core/src/test/resources/com/gemstone/gemfire/cache/client/internal/default.keystore
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/resources/com/gemstone/gemfire/cache/client/internal/default.keystore
b/gemfire-core/src/test/resources/com/gemstone/gemfire/cache/client/internal/default.keystore
new file mode 100644
index 0000000..9dbc135
Binary files /dev/null and b/gemfire-core/src/test/resources/com/gemstone/gemfire/cache/client/internal/default.keystore
differ

