Example 6 with SSLConfigBuilder

Use of org.apache.drill.exec.ssl.SSLConfigBuilder in project drill by axbaretto.

The class TestSSLConfig, method testInvalidHadoopKeystore.

import static org.apache.drill.exec.ssl.SSLConfig.HADOOP_SSL_CONF_TPL_KEY;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;

import java.text.MessageFormat;

import org.apache.drill.common.exceptions.DrillException;
import org.apache.drill.exec.ExecConstants;
import org.apache.drill.exec.ssl.SSLConfig;
import org.apache.drill.exec.ssl.SSLConfigBuilder;
import org.apache.drill.test.ConfigBuilder;
import org.apache.hadoop.conf.Configuration;
import org.junit.Test;

// Method of TestSSLConfig, which is annotated @Category(SecurityTest.class) (org.apache.drill.categories.SecurityTest).
@Test
public void testInvalidHadoopKeystore() throws Exception {
    // Point Hadoop's server-side SSL configuration at a keystore descriptor that does not exist.
    Configuration hadoopConfig = new Configuration();
    String hadoopSSLFileProp = MessageFormat.format(HADOOP_SSL_CONF_TPL_KEY, SSLConfig.Mode.SERVER.toString().toLowerCase());
    hadoopConfig.set(hadoopSSLFileProp, "ssl-server-invalid.xml");
    ConfigBuilder config = new ConfigBuilder();
    config.put(ExecConstants.USER_SSL_ENABLED, true);
    config.put(ExecConstants.SSL_USE_HADOOP_CONF, true);
    try {
        // With validateKeyStore(true) the builder must reject the unusable keystore instead of returning a config without one.
        new SSLConfigBuilder().config(config.build()).mode(SSLConfig.Mode.SERVER).initializeSSLContext(false).validateKeyStore(true).hadoopConfig(hadoopConfig).build();
        fail("Expected a DrillException for an invalid Hadoop keystore configuration");
    } catch (Exception e) {
        assertTrue(e instanceof DrillException);
    }
}

Example 7 with SSLConfigBuilder

Use of org.apache.drill.exec.ssl.SSLConfigBuilder in project drill by apache.

The class TestSSLConfig, method testMissingKeystorePath.

import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;

import org.apache.drill.common.exceptions.DrillException;
import org.apache.drill.exec.ExecConstants;
import org.apache.drill.exec.ssl.SSLConfig;
import org.apache.drill.exec.ssl.SSLConfigBuilder;
import org.apache.drill.test.ConfigBuilder;
import org.junit.Test;

// Method of TestSSLConfig, which extends org.apache.drill.test.BaseTest and is annotated @Category(SecurityTest.class).
@Test
public void testMissingKeystorePath() throws Exception {
    ConfigBuilder config = new ConfigBuilder();
    // SSL is enabled but the keystore path is empty: there is nothing to serve a certificate from.
    config.put(ExecConstants.HTTP_KEYSTORE_PATH, "");
    config.put(ExecConstants.HTTP_KEYSTORE_PASSWORD, "root");
    config.put(ExecConstants.SSL_USE_HADOOP_CONF, false);
    config.put(ExecConstants.USER_SSL_ENABLED, true);
    try {
        new SSLConfigBuilder().config(config.build()).mode(SSLConfig.Mode.SERVER).initializeSSLContext(false).validateKeyStore(true).build();
        fail("Expected a DrillException for an empty keystore path");
    } catch (Exception e) {
        // Expected: keystore validation rejects the missing path.
        assertTrue(e instanceof DrillException);
    }
}

Example 8 with SSLConfigBuilder

Use of org.apache.drill.exec.ssl.SSLConfigBuilder in project drill by apache.

The class TestSSLConfig, method testForBackwardCompatability.

import static org.junit.Assert.assertEquals;

import org.apache.drill.exec.ssl.SSLConfig;
import org.apache.drill.exec.ssl.SSLConfigBuilder;
import org.apache.drill.test.ConfigBuilder;
import org.junit.Test;

// Method of TestSSLConfig, which extends org.apache.drill.test.BaseTest and is annotated @Category(SecurityTest.class).
@Test
public void testForBackwardCompatability() throws Exception {
    ConfigBuilder config = new ConfigBuilder();
    // Legacy javax.net.ssl.* property names are still honoured when the newer Drill keys are absent.
    config.put("javax.net.ssl.keyStore", "/root");
    config.put("javax.net.ssl.keyStorePassword", "root");
    SSLConfig sslv = new SSLConfigBuilder().config(config.build()).mode(SSLConfig.Mode.SERVER).initializeSSLContext(false).validateKeyStore(true).build();
    assertEquals("/root", sslv.getKeyStorePath());
    assertEquals("root", sslv.getKeyStorePassword());
}

Example 9 with SSLConfigBuilder

Use of org.apache.drill.exec.ssl.SSLConfigBuilder in project drill by apache.

The class TestSSLConfig, method testForKeystoreConfig.

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.fail;

import org.apache.drill.exec.ExecConstants;
import org.apache.drill.exec.ssl.SSLConfig;
import org.apache.drill.exec.ssl.SSLConfigBuilder;
import org.apache.drill.test.ConfigBuilder;
import org.junit.Test;

// Method of TestSSLConfig, which extends org.apache.drill.test.BaseTest and is annotated @Category(SecurityTest.class).
@Test
public void testForKeystoreConfig() throws Exception {
    ConfigBuilder config = new ConfigBuilder();
    config.put(ExecConstants.HTTP_KEYSTORE_PATH, "/root");
    config.put(ExecConstants.HTTP_KEYSTORE_PASSWORD, "root");
    try {
        SSLConfig sslv = new SSLConfigBuilder().config(config.build()).mode(SSLConfig.Mode.SERVER).initializeSSLContext(false).validateKeyStore(true).build();
        // The explicitly configured keystore path and password must be carried through unchanged.
        assertEquals("/root", sslv.getKeyStorePath());
        assertEquals("root", sslv.getKeyStorePassword());
    } catch (Exception e) {
        fail("Keystore validation should succeed when path and password are both configured: " + e);
    }
}

Example 10 with SSLConfigBuilder

Use of org.apache.drill.exec.ssl.SSLConfigBuilder in project drill by axbaretto.

The class WebServer, method createHttpsConnector.

import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.Date;

import org.apache.commons.lang3.RandomStringUtils;
import org.apache.drill.exec.ssl.SSLConfig;
import org.apache.drill.exec.ssl.SSLConfigBuilder;
import org.bouncycastle.asn1.x500.X500NameBuilder;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.eclipse.jetty.http.HttpVersion;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.joda.time.DateTime;

// Method of WebServer; logger, config, embeddedJetty and workManager are fields of that class.

/**
 * Create an HTTPS connector for the given Jetty server instance. If the admin has specified keystore/truststore
 * settings they are used; otherwise a self-signed certificate is generated and used.
 *
 * @return Initialized {@link ServerConnector} for HTTPS connections.
 * @throws Exception
 */
private ServerConnector createHttpsConnector(int port, int acceptors, int selectors) throws Exception {
    logger.info("Setting up HTTPS connector for web server");
    final SslContextFactory sslContextFactory = new SslContextFactory();
    SSLConfig ssl = new SSLConfigBuilder().config(config).mode(SSLConfig.Mode.SERVER)
        .initializeSSLContext(false).validateKeyStore(true).build();
    if (ssl.isSslValid()) {
        logger.info("Using configured SSL settings for web server");
        sslContextFactory.setKeyStorePath(ssl.getKeyStorePath());
        sslContextFactory.setKeyStorePassword(ssl.getKeyStorePassword());
        sslContextFactory.setKeyManagerPassword(ssl.getKeyPassword());
        if (ssl.hasTrustStorePath()) {
            sslContextFactory.setTrustStorePath(ssl.getTrustStorePath());
            if (ssl.hasTrustStorePassword()) {
                sslContextFactory.setTrustStorePassword(ssl.getTrustStorePassword());
            }
        }
    } else {
        logger.info("Using generated self-signed SSL settings for web server");
        final SecureRandom random = new SecureRandom();
        // Generate a private-public key pair. Note: 1024-bit RSA is below the 2048-bit minimum of current guidance.
        final KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
        keyPairGenerator.initialize(1024, random);
        final KeyPair keyPair = keyPairGenerator.generateKeyPair();
        final DateTime now = DateTime.now();
        // Build the certificate name; the CN is set to this node's endpoint address.
        final X500NameBuilder nameBuilder = new X500NameBuilder(BCStyle.INSTANCE)
            .addRDN(BCStyle.OU, "Apache Drill (auth-generated)")
            .addRDN(BCStyle.O, "Apache Software Foundation (auto-generated)")
            .addRDN(BCStyle.CN, workManager.getContext().getEndpoint().getAddress());
        final Date notBefore = now.minusMinutes(1).toDate();
        final Date notAfter = now.plusYears(5).toDate();
        // A 128-bit random serial number keeps serials unique and unpredictable.
        final BigInteger serialNumber = new BigInteger(128, random);
        // Create a certificate valid for 5 years from now; issuer and subject are the same name because it is self-signed.
        final X509v3CertificateBuilder certificateBuilder = new JcaX509v3CertificateBuilder(
            nameBuilder.build(), serialNumber, notBefore, notAfter, nameBuilder.build(), keyPair.getPublic());
        // Sign the certificate using the private key
        final ContentSigner contentSigner = new JcaContentSignerBuilder("SHA256WithRSAEncryption").build(keyPair.getPrivate());
        final X509Certificate certificate = new JcaX509CertificateConverter().getCertificate(certificateBuilder.build(contentSigner));
        // Check the validity
        certificate.checkValidity(now.toDate());
        // Make sure the certificate is self-signed.
        certificate.verify(certificate.getPublicKey());
        // Generate a random password for keystore protection. RandomStringUtils.random(int) draws from
        // java.util.Random over arbitrary code points; the keystore is held in memory only and is never written out.
        final String keyStorePasswd = RandomStringUtils.random(20);
        final KeyStore keyStore = KeyStore.getInstance("JKS");
        keyStore.load(null, null);
        keyStore.setKeyEntry("DrillAutoGeneratedCert", keyPair.getPrivate(), keyStorePasswd.toCharArray(),
            new java.security.cert.Certificate[] { certificate });
        sslContextFactory.setKeyStore(keyStore);
        sslContextFactory.setKeyStorePassword(keyStorePasswd);
    }
    final HttpConfiguration httpsConfig = new HttpConfiguration();
    // Lets Jetty expose TLS details (scheme, cipher suite, peer certificates) on each request.
    httpsConfig.addCustomizer(new SecureRequestCustomizer());
    // SSL connector: TLS first, then HTTP/1.1 over it
    final ServerConnector sslConnector = new ServerConnector(embeddedJetty, null, null, null, acceptors, selectors,
        new SslConnectionFactory(sslContextFactory, HttpVersion.HTTP_1_1.asString()),
        new HttpConnectionFactory(httpsConfig));
    sslConnector.setPort(port);
    return sslConnector;
}
