geode-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bschucha...@apache.org
Subject [geode] branch develop updated: Squashed commit of the following:
Date Thu, 19 Oct 2017 20:14:17 GMT
This is an automated email from the ASF dual-hosted git repository.

bschuchardt pushed a commit to branch develop
in repository https://gitbox.apache.org/repos/asf/geode.git


The following commit(s) were added to refs/heads/develop by this push:
     new 8c873f9  Squashed commit of the following:
8c873f9 is described below

commit 8c873f9bbe827ec5ff82bbb974b5346668b2806f
Author: Bruce Schuchardt <bschuchardt@pivotal.io>
AuthorDate: Thu Oct 19 13:13:10 2017 -0700

    Squashed commit of the following:
    
    commit 39e01dbec67c0bb8765735e6d4063a2fc4b98684
    Author: Bruce Schuchardt <bschuchardt@pivotal.io>
    Date:   Thu Oct 19 11:26:15 2017 -0700
    
        GEODE-3867 mutual SSL authentication with a bad client cert is not being tested
    
        Refactored the class to be parameterized & test both old and new
        SSL settings in each unit test.
    
    commit df7c4440d5a70031a5ed181f0d6c607aa74e453f
    Author: Bruce Schuchardt <bschuchardt@pivotal.io>
    Date:   Wed Oct 18 15:06:09 2017 -0700
    
        GEODE-3867 mutual SSL authentication with a bad client cert is not being tested
    
        new test added & old test revised.  The old test had an odd try/catch
        for an exception that should not be thrown.  The new test uses pretty
        much that same structure & expects the client to fail to connect.  It
        also expects that the server will not have received any updates from the
        non-trusted client.
---
 .../CacheServerSSLConnectionDUnitTest.java         | 209 ++++++++++++++-------
 .../client/internal/SSLNoClientAuthDUnitTest.java  |   3 +-
 2 files changed, 142 insertions(+), 70 deletions(-)

diff --git a/geode-core/src/test/java/org/apache/geode/cache/client/internal/CacheServerSSLConnectionDUnitTest.java
b/geode-core/src/test/java/org/apache/geode/cache/client/internal/CacheServerSSLConnectionDUnitTest.java
index 2b93488..46a0914 100644
--- a/geode-core/src/test/java/org/apache/geode/cache/client/internal/CacheServerSSLConnectionDUnitTest.java
+++ b/geode-core/src/test/java/org/apache/geode/cache/client/internal/CacheServerSSLConnectionDUnitTest.java
@@ -22,7 +22,9 @@ import java.io.PrintWriter;
 import java.io.StringWriter;
 import java.net.InetSocketAddress;
 import java.net.Socket;
-import java.sql.Time;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
 import java.util.Properties;
 import java.util.concurrent.TimeUnit;
 
@@ -35,36 +37,57 @@ import org.apache.geode.cache.client.ClientCache;
 import org.apache.geode.cache.client.ClientCacheFactory;
 import org.apache.geode.cache.client.ClientRegionFactory;
 import org.apache.geode.cache.client.ClientRegionShortcut;
+import org.apache.geode.cache.client.NoAvailableServersException;
 import org.apache.geode.cache.server.CacheServer;
 import org.apache.geode.internal.security.SecurableCommunicationChannel;
 import org.apache.geode.security.AuthenticationRequiredException;
 import org.apache.geode.test.dunit.AsyncInvocation;
 import org.apache.geode.test.dunit.Host;
 import org.apache.geode.test.dunit.IgnoredException;
+import org.apache.geode.test.dunit.Invoke;
+import org.apache.geode.test.dunit.RMIException;
 import org.apache.geode.test.dunit.VM;
 import org.apache.geode.test.dunit.internal.JUnit4DistributedTestCase;
 import org.apache.geode.test.junit.categories.ClientServerTest;
 import org.apache.geode.test.junit.categories.DistributedTest;
 import org.apache.geode.util.test.TestUtil;
-import org.junit.Ignore;
+
+import org.junit.AfterClass;
 import org.junit.Test;
 import org.junit.experimental.categories.Category;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
 
 /**
  * Tests cacheserver ssl support added. See https://svn.gemstone.com/trac/gemfire/ticket/48995
for
  * details
  */
 @Category({DistributedTest.class, ClientServerTest.class})
+@RunWith(Parameterized.class)
 public class CacheServerSSLConnectionDUnitTest extends JUnit4DistributedTestCase {
 
+  private static boolean useOldSSLSettings;
+
+  @Parameterized.Parameters
+  public static Collection<Boolean> data() {
+    List<Boolean> result = new ArrayList<>();
+    result.add(Boolean.TRUE);
+    result.add(Boolean.FALSE);
+    return result;
+  }
+
+  public CacheServerSSLConnectionDUnitTest(Boolean useOldSSLSettings) {
+    super();
+    CacheServerSSLConnectionDUnitTest.useOldSSLSettings = useOldSSLSettings.booleanValue();
+  }
+
   private static final String TRUSTED_STORE = "trusted.keystore";
   private static final String CLIENT_KEY_STORE = "client.keystore";
   private static final String CLIENT_TRUST_STORE = "client.truststore";
   private static final String SERVER_KEY_STORE = "cacheserver.keystore";
   private static final String SERVER_TRUST_STORE = "cacheserver.truststore";
 
-  private static CacheServerSSLConnectionDUnitTest instance =
-      new CacheServerSSLConnectionDUnitTest(); // TODO: memory leak
+  private static CacheServerSSLConnectionDUnitTest instance;
 
   private Cache cache;
   private CacheServer cacheServer;
@@ -75,6 +98,15 @@ public class CacheServerSSLConnectionDUnitTest extends JUnit4DistributedTestCase
   @Override
   public final void preSetUp() throws Exception {
     disconnectAllFromDS();
+    instance = this;
+    Invoke
+        .invokeInEveryVM(() -> instance = new CacheServerSSLConnectionDUnitTest(useOldSSLSettings));
+  }
+
+  @AfterClass
+  public static void postClass() {
+    Invoke.invokeInEveryVM(() -> instance = null);
+    instance = null;
   }
 
   public Cache createCache(Properties props) throws Exception {
@@ -109,14 +141,13 @@ public class CacheServerSSLConnectionDUnitTest extends JUnit4DistributedTestCase
   }
 
   @SuppressWarnings("rawtypes")
-  public void setUpServerVM(final boolean cacheServerSslenabled, final boolean legacy)
-      throws Exception {
+  public void setUpServerVM(final boolean cacheServerSslenabled) throws Exception {
     Properties gemFireProps = new Properties();
 
     String cacheServerSslprotocols = "any";
     String cacheServerSslciphers = "any";
     boolean cacheServerSslRequireAuth = true;
-    if (!legacy) {
+    if (!useOldSSLSettings) {
       gemFireProps.put(SSL_ENABLED_COMPONENTS,
           SecurableCommunicationChannel.CLUSTER + "," + SecurableCommunicationChannel.SERVER);
       gemFireProps.put(SSL_PROTOCOLS, cacheServerSslprotocols);
@@ -161,7 +192,8 @@ public class CacheServerSSLConnectionDUnitTest extends JUnit4DistributedTestCase
   }
 
   public void setUpClientVM(String host, int port, boolean cacheServerSslenabled,
-      boolean cacheServerSslRequireAuth, String keyStore, String trustStore, boolean subscription)
{
+      boolean cacheServerSslRequireAuth, String keyStore, String trustStore, boolean subscription,
+      boolean clientHasTrustedKeystore) {
 
     Properties gemFireProps = new Properties();
 
@@ -172,17 +204,46 @@ public class CacheServerSSLConnectionDUnitTest extends JUnit4DistributedTestCase
         TestUtil.getResourcePath(CacheServerSSLConnectionDUnitTest.class, keyStore);
     String trustStorePath =
         TestUtil.getResourcePath(CacheServerSSLConnectionDUnitTest.class, trustStore);
-    // using new server-ssl-* properties
-    gemFireProps.put(SERVER_SSL_ENABLED, String.valueOf(cacheServerSslenabled));
-    gemFireProps.put(SERVER_SSL_PROTOCOLS, cacheServerSslprotocols);
-    gemFireProps.put(SERVER_SSL_CIPHERS, cacheServerSslciphers);
-    gemFireProps.put(SERVER_SSL_REQUIRE_AUTHENTICATION, String.valueOf(cacheServerSslRequireAuth));
-
-    gemFireProps.put(SERVER_SSL_KEYSTORE_TYPE, "jks");
-    gemFireProps.put(SERVER_SSL_KEYSTORE, keyStorePath);
-    gemFireProps.put(SERVER_SSL_KEYSTORE_PASSWORD, "password");
-    gemFireProps.put(SERVER_SSL_TRUSTSTORE, trustStorePath);
-    gemFireProps.put(SERVER_SSL_TRUSTSTORE_PASSWORD, "password");
+
+    if (useOldSSLSettings) {
+      gemFireProps.put(SERVER_SSL_ENABLED, String.valueOf(cacheServerSslenabled));
+      gemFireProps.put(SERVER_SSL_PROTOCOLS, cacheServerSslprotocols);
+      gemFireProps.put(SERVER_SSL_CIPHERS, cacheServerSslciphers);
+      gemFireProps.put(SERVER_SSL_REQUIRE_AUTHENTICATION,
+          String.valueOf(cacheServerSslRequireAuth));
+      if (clientHasTrustedKeystore) {
+        gemFireProps.put(SERVER_SSL_KEYSTORE_TYPE, "jks");
+        gemFireProps.put(SERVER_SSL_KEYSTORE, keyStorePath);
+        gemFireProps.put(SERVER_SSL_KEYSTORE_PASSWORD, "password");
+        gemFireProps.put(SERVER_SSL_TRUSTSTORE, trustStorePath);
+        gemFireProps.put(SERVER_SSL_TRUSTSTORE_PASSWORD, "password");
+      } else {
+        gemFireProps.put(SERVER_SSL_KEYSTORE_TYPE, "jks");
+        gemFireProps.put(SERVER_SSL_KEYSTORE, "");
+        gemFireProps.put(SERVER_SSL_KEYSTORE_PASSWORD, "password");
+        gemFireProps.put(SERVER_SSL_TRUSTSTORE, trustStorePath);
+        gemFireProps.put(SERVER_SSL_TRUSTSTORE_PASSWORD, "password");
+      }
+    } else {
+      gemFireProps.put(SSL_ENABLED_COMPONENTS, "server");
+      gemFireProps.put(SSL_CIPHERS, cacheServerSslciphers);
+      gemFireProps.put(SSL_PROTOCOLS, cacheServerSslprotocols);
+      gemFireProps.put(SSL_REQUIRE_AUTHENTICATION, String.valueOf(cacheServerSslRequireAuth));
+      if (clientHasTrustedKeystore) {
+        gemFireProps.put(SSL_KEYSTORE_TYPE, "jks");
+        gemFireProps.put(SSL_KEYSTORE, keyStorePath);
+        gemFireProps.put(SSL_KEYSTORE_PASSWORD, "password");
+        gemFireProps.put(SSL_TRUSTSTORE, trustStorePath);
+        gemFireProps.put(SSL_TRUSTSTORE_PASSWORD, "password");
+      } else {
+        gemFireProps.put(SSL_KEYSTORE_TYPE, "jks");
+        gemFireProps.put(SSL_KEYSTORE, "");
+        gemFireProps.put(SSL_KEYSTORE_PASSWORD, "password");
+        gemFireProps.put(SSL_TRUSTSTORE, trustStorePath);
+        gemFireProps.put(SSL_TRUSTSTORE_PASSWORD, "password");
+      }
+    }
+
 
     StringWriter sw = new StringWriter();
     PrintWriter writer = new PrintWriter(sw);
@@ -213,9 +274,8 @@ public class CacheServerSSLConnectionDUnitTest extends JUnit4DistributedTestCase
   }
 
 
-  public static void setUpServerVMTask(boolean cacheServerSslenabled, boolean legacy)
-      throws Exception {
-    instance.setUpServerVM(cacheServerSslenabled, legacy);
+  public static void setUpServerVMTask(boolean cacheServerSslenabled) throws Exception {
+    instance.setUpServerVM(cacheServerSslenabled);
   }
 
   public static int createServerTask() throws Exception {
@@ -223,22 +283,32 @@ public class CacheServerSSLConnectionDUnitTest extends JUnit4DistributedTestCase
   }
 
   public static void setUpClientVMTask(String host, int port, boolean cacheServerSslenabled,
-      boolean cacheServerSslRequireAuth, String keyStore, String trustStore) throws Exception
{
+      boolean cacheServerSslRequireAuth, String keyStore, String trustStore,
+      boolean clientHasTrustedKeystore) throws Exception {
     instance.setUpClientVM(host, port, cacheServerSslenabled, cacheServerSslRequireAuth,
keyStore,
-        trustStore, true);
+        trustStore, true, clientHasTrustedKeystore);
   }
 
   public static void setUpClientVMTaskNoSubscription(String host, int port,
       boolean cacheServerSslenabled, boolean cacheServerSslRequireAuth, String keyStore,
       String trustStore) throws Exception {
     instance.setUpClientVM(host, port, cacheServerSslenabled, cacheServerSslRequireAuth,
keyStore,
-        trustStore, false);
+        trustStore, false, true);
   }
 
   public static void doClientRegionTestTask() {
     instance.doClientRegionTest();
   }
 
+  public static void verifyServerDoesNotReceiveClientUpdate() {
+    instance.doVerifyServerDoesNotReceiveClientUpdate();
+  }
+
+  private void doVerifyServerDoesNotReceiveClientUpdate() {
+    Region<String, String> region = cache.getRegion("serverRegion");
+    assertFalse(region.containsKey("clientkey"));
+  }
+
   public static void doServerRegionTestTask() {
     instance.doServerRegionTest();
   }
@@ -263,27 +333,6 @@ public class CacheServerSSLConnectionDUnitTest extends JUnit4DistributedTestCase
   }
 
   @Test
-  public void testCacheServerLegacySSL() throws Exception {
-    final Host host = Host.getHost(0);
-    VM serverVM = host.getVM(1);
-    VM clientVM = host.getVM(2);
-
-    boolean cacheServerSslenabled = true;
-    boolean cacheClientSslenabled = true;
-    boolean cacheClientSslRequireAuth = true;
-
-    serverVM.invoke(() -> setUpServerVMTask(cacheServerSslenabled, true));
-    int port = serverVM.invoke(() -> createServerTask());
-
-    String hostName = host.getHostName();
-
-    clientVM.invoke(() -> setUpClientVMTask(hostName, port, cacheClientSslenabled,
-        cacheClientSslRequireAuth, CLIENT_KEY_STORE, CLIENT_TRUST_STORE));
-    clientVM.invoke(() -> doClientRegionTestTask());
-    serverVM.invoke(() -> doServerRegionTestTask());
-  }
-
-  @Test
   public void testCacheServerSSL() throws Exception {
     final Host host = Host.getHost(0);
     VM serverVM = host.getVM(1);
@@ -293,13 +342,13 @@ public class CacheServerSSLConnectionDUnitTest extends JUnit4DistributedTestCase
     boolean cacheClientSslenabled = true;
     boolean cacheClientSslRequireAuth = true;
 
-    serverVM.invoke(() -> setUpServerVMTask(cacheServerSslenabled, true));
+    serverVM.invoke(() -> setUpServerVMTask(cacheServerSslenabled));
     int port = serverVM.invoke(() -> createServerTask());
 
     String hostName = host.getHostName();
 
     clientVM.invoke(() -> setUpClientVMTask(hostName, port, cacheClientSslenabled,
-        cacheClientSslRequireAuth, CLIENT_KEY_STORE, CLIENT_TRUST_STORE));
+        cacheClientSslRequireAuth, CLIENT_KEY_STORE, CLIENT_TRUST_STORE, true));
     clientVM.invoke(() -> doClientRegionTestTask());
     serverVM.invoke(() -> doServerRegionTestTask());
   }
@@ -330,7 +379,7 @@ public class CacheServerSSLConnectionDUnitTest extends JUnit4DistributedTestCase
     boolean cacheClientSslenabled = true;
     boolean cacheClientSslRequireAuth = true;
 
-    serverVM.invoke(() -> setUpServerVMTask(cacheServerSslenabled, true));
+    serverVM.invoke(() -> setUpServerVMTask(cacheServerSslenabled));
     int port = serverVM.invoke(() -> createServerTask());
 
     String hostName = host.getHostName();
@@ -340,7 +389,7 @@ public class CacheServerSSLConnectionDUnitTest extends JUnit4DistributedTestCase
       getBlackboard().waitForGate("serverIsBlocked", 60, TimeUnit.SECONDS);
 
       clientVM.invoke(() -> setUpClientVMTask(hostName, port, cacheClientSslenabled,
-          cacheClientSslRequireAuth, CLIENT_KEY_STORE, CLIENT_TRUST_STORE));
+          cacheClientSslRequireAuth, CLIENT_KEY_STORE, CLIENT_TRUST_STORE, true));
       clientVM.invoke(() -> doClientRegionTestTask());
       serverVM.invoke(() -> doServerRegionTestTask());
 
@@ -381,7 +430,7 @@ public class CacheServerSSLConnectionDUnitTest extends JUnit4DistributedTestCase
     boolean cacheClientSslenabled = false;
     boolean cacheClientSslRequireAuth = true;
 
-    serverVM.invoke(() -> setUpServerVMTask(cacheServerSslenabled, true));
+    serverVM.invoke(() -> setUpServerVMTask(cacheServerSslenabled));
     serverVM.invoke(() -> createServerTask());
 
     Object array[] = (Object[]) serverVM.invoke(() -> getCacheServerEndPointTask());
@@ -425,31 +474,53 @@ public class CacheServerSSLConnectionDUnitTest extends JUnit4DistributedTestCase
     boolean cacheClientSslenabled = true;
     boolean cacheClientSslRequireAuth = false;
 
-    serverVM.invoke(() -> setUpServerVMTask(cacheServerSslenabled, true));
+    IgnoredException.addIgnoredException("SSLHandshakeException");
+    IgnoredException.addIgnoredException("ValidatorException");
+
+    serverVM.invoke(() -> setUpServerVMTask(cacheServerSslenabled));
     serverVM.invoke(() -> createServerTask());
 
     Object array[] = (Object[]) serverVM.invoke(() -> getCacheServerEndPointTask());
     String hostName = (String) array[0];
     int port = (Integer) array[1];
 
+    clientVM.invoke(() -> setUpClientVMTask(hostName, port, cacheClientSslenabled,
+        cacheClientSslRequireAuth, CLIENT_KEY_STORE, CLIENT_TRUST_STORE, true));
+    clientVM.invoke(() -> CacheServerSSLConnectionDUnitTest.doClientRegionTestTask());
+    serverVM.invoke(() -> CacheServerSSLConnectionDUnitTest.doServerRegionTestTask());
+  }
+
+  @Test
+  public void untrustedClientIsRejected() throws Throwable {
+    final Host host = Host.getHost(0);
+    VM serverVM = host.getVM(1);
+    VM clientVM = host.getVM(2);
+
+    boolean cacheServerSslenabled = true;
+    boolean cacheClientSslenabled = true;
+    boolean cacheClientSslRequireAuth = false;
+
+    serverVM.invoke(() -> setUpServerVMTask(cacheServerSslenabled));
+    serverVM.invoke(() -> createServerTask());
+
+    Object array[] = (Object[]) serverVM.invoke(() -> getCacheServerEndPointTask());
+    String hostName = (String) array[0];
+    int port = (Integer) array[1];
+
+    IgnoredException.addIgnoredException("SSLHandshakeException");
+
+    clientVM.invoke(() -> setUpClientVMTask(hostName, port, cacheClientSslenabled,
+        cacheClientSslRequireAuth, "default.keystore", CLIENT_TRUST_STORE, false));
+
     try {
-      clientVM.invoke(() -> setUpClientVMTask(hostName, port, cacheClientSslenabled,
-          cacheClientSslRequireAuth, CLIENT_KEY_STORE, CLIENT_TRUST_STORE));
       clientVM.invoke(() -> CacheServerSSLConnectionDUnitTest.doClientRegionTestTask());
-      serverVM.invoke(() -> CacheServerSSLConnectionDUnitTest.doServerRegionTestTask());
-
-    } catch (Exception rmiException) {
-      Throwable e = rmiException.getCause();
-      // getLogWriter().info("ExceptionCause at clientVM " + e);
-      if (e instanceof org.apache.geode.cache.client.ServerOperationException) {
-        Throwable t = e.getCause();
-        // getLogWriter().info("Cause is " + t);
-        assertTrue(t instanceof org.apache.geode.security.AuthenticationRequiredException);
-      } else {
-        // getLogWriter().error("Unexpected exception ", e);
-        fail("Unexpected Exception...expected " + AuthenticationRequiredException.class);
-      }
+      fail("client should not have been able to execute a cache operation");
+    } catch (RMIException e) {
+      assertTrue("expected a NoAvailableServersException but received " + e.getCause(),
+          e.getCause() instanceof NoAvailableServersException);
     }
+    serverVM
+        .invoke(() -> CacheServerSSLConnectionDUnitTest.verifyServerDoesNotReceiveClientUpdate());
   }
 
   @Test
@@ -462,7 +533,7 @@ public class CacheServerSSLConnectionDUnitTest extends JUnit4DistributedTestCase
     boolean cacheClientSslenabled = true;
     boolean cacheClientSslRequireAuth = true;
 
-    serverVM.invoke(() -> setUpServerVMTask(cacheServerSslenabled, true));
+    serverVM.invoke(() -> setUpServerVMTask(cacheServerSslenabled));
     serverVM.invoke(() -> createServerTask());
 
     Object array[] = (Object[]) serverVM.invoke(() -> getCacheServerEndPointTask());
@@ -473,7 +544,7 @@ public class CacheServerSSLConnectionDUnitTest extends JUnit4DistributedTestCase
         IgnoredException.addIgnoredException("javax.net.ssl.SSLHandshakeException", serverVM);
     try {
       clientVM.invoke(() -> setUpClientVMTask(hostName, port, cacheClientSslenabled,
-          cacheClientSslRequireAuth, TRUSTED_STORE, TRUSTED_STORE));
+          cacheClientSslRequireAuth, TRUSTED_STORE, TRUSTED_STORE, true));
       clientVM.invoke(() -> doClientRegionTestTask());
       serverVM.invoke(() -> doServerRegionTestTask());
       fail(
diff --git a/geode-core/src/test/java/org/apache/geode/cache/client/internal/SSLNoClientAuthDUnitTest.java
b/geode-core/src/test/java/org/apache/geode/cache/client/internal/SSLNoClientAuthDUnitTest.java
index 87a915e..e1992d5 100644
--- a/geode-core/src/test/java/org/apache/geode/cache/client/internal/SSLNoClientAuthDUnitTest.java
+++ b/geode-core/src/test/java/org/apache/geode/cache/client/internal/SSLNoClientAuthDUnitTest.java
@@ -247,7 +247,8 @@ public class SSLNoClientAuthDUnitTest extends JUnit4DistributedTestCase
{
     params[5] = DEFAULT_STORE;
     // getLogWriter().info("Starting client with server endpoint " + hostName + ":" + port);
     try {
-      clientVM.invoke(SSLNoClientAuthDUnitTest.class, "setUpClientVMTask", params);
+      clientVM.invoke(() -> SSLNoClientAuthDUnitTest.setUpClientVMTask(hostName, port,
+          cacheClientSslenabled, cacheClientSslRequireAuth, DEFAULT_STORE, DEFAULT_STORE));
       clientVM.invoke(() -> SSLNoClientAuthDUnitTest.doClientRegionTestTask());
       serverVM.invoke(() -> SSLNoClientAuthDUnitTest.doServerRegionTestTask());
     } catch (Exception rmiException) {

-- 
To stop receiving notification emails like this one, please contact
['"commits@geode.apache.org" <commits@geode.apache.org>'].

Mime
View raw message