
Example 1 with SecurityConfig

use of org.apache.hadoop.hdds.security.x509.SecurityConfig in project ozone by apache.

From class TestSecureOzoneManager, method testSecureOmInitFailures:

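/**
 * Test failure cases for secure OM initialization.
 *
 * Walks an OM certificate client through the combinations of present and
 * missing private key, public key and certificate on disk, and pins the
 * {@code CertificateClient.InitResponse} expected for each. The property under
 * test: init() reports SUCCESS only when the private key and the certificate
 * are both present (Cases 6 and 7); a key pair with no certificate asks for one
 * (GETCERT on first boot, RECOVER on a later boot: Cases 1 and 2); a key pair
 * with one half missing (Cases 3 and 4), or a certificate with no private key
 * at all (Case 5), is a hard FAILURE rather than something the client quietly
 * repairs.
 *
 * Key files are removed through {@link #deleteKeyFile}, which asserts that the
 * file really is gone. A silently failed delete would otherwise show up only
 * as a wrong InitResponse several lines later, which is much harder to
 * diagnose.
 *
 * @throws Exception on unexpected key, certificate or storage errors.
 */
@Test
public void testSecureOmInitFailures() throws Exception {
    // Log capture of the OM logger is part of the fixture; nothing in this
    // test asserts on it, it is only cleared before the cases run.
    LogCapturer omLogs = LogCapturer.captureLogs(OzoneManager.getLogger());
    OMStorage omStorage = new OMStorage(conf);
    omStorage.setClusterId(clusterId);
    omStorage.setOmId(omId);
    omLogs.clearOutput();
    SecurityConfig securityConfig = new SecurityConfig(conf);

    // Case 1: keypair as well as certificate missing. Initial keypair boot-up:
    // the client generates a keypair and reports GETCERT; getting the
    // certificate itself will fail because SCM is not running.
    CertificateClient client = new OMCertificateClient(securityConfig, omStorage.getOmCertSerialId());
    Assert.assertEquals(CertificateClient.InitResponse.GETCERT, client.init());
    PrivateKey privateKey = client.getPrivateKey();
    PublicKey publicKey = client.getPublicKey();
    Assert.assertNotNull(privateKey);
    Assert.assertNotNull(publicKey);
    Assert.assertNull(client.getCertificate());

    // Case 2: key pair already exists, still no certificate: RECOVER.
    client = new OMCertificateClient(securityConfig, omStorage.getOmCertSerialId());
    Assert.assertEquals(CertificateClient.InitResponse.RECOVER, client.init());
    Assert.assertNotNull(client.getPrivateKey());
    Assert.assertNotNull(client.getPublicKey());
    Assert.assertNull(client.getCertificate());

    // Case 3: public key as well as certificate missing (private key only).
    // The client does not regenerate a public key on its own: FAILURE, and
    // getPublicKey() stays null.
    client = new OMCertificateClient(securityConfig);
    deleteKeyFile(securityConfig, securityConfig.getPublicKeyFileName());
    Assert.assertEquals(CertificateClient.InitResponse.FAILURE, client.init());
    Assert.assertNotNull(client.getPrivateKey());
    Assert.assertNull(client.getPublicKey());
    Assert.assertNull(client.getCertificate());

    // Case 4: private key and certificate missing (public key only): FAILURE.
    client = new OMCertificateClient(securityConfig);
    KeyCodec keyCodec = new KeyCodec(securityConfig, COMPONENT);
    keyCodec.writePublicKey(publicKey);
    deleteKeyFile(securityConfig, securityConfig.getPrivateKeyFileName());
    Assert.assertEquals(CertificateClient.InitResponse.FAILURE, client.init());
    Assert.assertNull(client.getPrivateKey());
    Assert.assertNotNull(client.getPublicKey());
    Assert.assertNull(client.getCertificate());

    // Case 5: only a certificate present. A self-signed certificate for the
    // Case 1 key pair (the 10 is presumably its validity in days) is written
    // and its serial recorded in OM storage, but with no private key on disk
    // the identity is unusable: FAILURE.
    deleteKeyFile(securityConfig, securityConfig.getPublicKeyFileName());
    CertificateCodec certCodec = new CertificateCodec(securityConfig, COMPONENT);
    X509Certificate x509Certificate = KeyStoreTestUtil.generateCertificate("CN=Test", new KeyPair(publicKey, privateKey), 10, securityConfig.getSignatureAlgo());
    certCodec.writeCertificate(new X509CertificateHolder(x509Certificate.getEncoded()));
    String certSerialId = x509Certificate.getSerialNumber().toString();
    client = new OMCertificateClient(securityConfig, certSerialId);
    omStorage.setOmCertSerialId(certSerialId);
    Assert.assertEquals(CertificateClient.InitResponse.FAILURE, client.init());
    Assert.assertNull(client.getPrivateKey());
    Assert.assertNull(client.getPublicKey());
    Assert.assertNotNull(client.getCertificate());

    // Case 6: private key and certificate present, public key file absent.
    // First state in which init() succeeds. The public key the client exposes
    // afterwards is non-null even though its file was deleted -- presumably
    // recovered from the private key or the certificate; confirm in
    // OMCertificateClient.
    client = new OMCertificateClient(securityConfig, certSerialId);
    deleteKeyFile(securityConfig, securityConfig.getPublicKeyFileName());
    keyCodec.writePrivateKey(privateKey);
    Assert.assertEquals(CertificateClient.InitResponse.SUCCESS, client.init());
    Assert.assertNotNull(client.getPrivateKey());
    Assert.assertNotNull(client.getPublicKey());
    Assert.assertNotNull(client.getCertificate());

    // Case 7: keypair and certificate present: SUCCESS.
    client = new OMCertificateClient(securityConfig, certSerialId);
    Assert.assertEquals(CertificateClient.InitResponse.SUCCESS, client.init());
    Assert.assertNotNull(client.getPrivateKey());
    Assert.assertNotNull(client.getPublicKey());
    Assert.assertNotNull(client.getCertificate());
}

/**
 * Deletes one key file under the component's key directory and asserts that
 * it is gone. FileUtils.deleteQuietly swallows failures; checking here turns a
 * failed delete into an immediate, readable assertion instead of an unrelated
 * InitResponse mismatch later in the test.
 *
 * @param securityConfig config that locates the component's key directory.
 * @param fileName file name within that directory (public or private key).
 */
private void deleteKeyFile(SecurityConfig securityConfig, String fileName) {
    java.nio.file.Path keyFile = Paths.get(securityConfig.getKeyLocation(COMPONENT).toString(), fileName);
    FileUtils.deleteQuietly(keyFile.toFile());
    Assert.assertFalse("failed to delete " + keyFile, keyFile.toFile().exists());
}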

Example 2 with SecurityConfig

use of org.apache.hadoop.hdds.security.x509.SecurityConfig in project ozone by apache.

From class TestOzoneContainerWithTLS, method setup:

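/**
 * Builds a fresh, security-enabled configuration before each test: a clean
 * metadata directory containing an empty key directory, Ozone security
 * switched on, gRPC TLS enabled in its test-certificate mode, a test CA
 * client, and a block-token secret manager bound to that client's certificate
 * serial.
 *
 * @throws Exception if the test CA client or the secret manager cannot be
 *                   created.
 */
@Before
public void setup() throws Exception {
    conf = new OzoneConfiguration();
    String ozoneMetaPath = GenericTestUtils.getTempPath("ozoneMeta");
    File ozoneMetaFile = new File(ozoneMetaPath);
    conf.set(OZONE_METADATA_DIRS, ozoneMetaPath);
    // Start from a clean slate so key material left by an earlier run cannot
    // leak into this test.
    FileUtil.fullyDelete(ozoneMetaFile);
    String keyDirName = conf.get(HDDS_KEY_DIR_NAME, HDDS_KEY_DIR_NAME_DEFAULT);
    File ozoneKeyDir = new File(ozoneMetaFile, keyDirName);
    // mkdirs() only reports failure through its return value; fail here with a
    // clear message rather than later, when something first tries to write a
    // key into a directory that does not exist.
    if (!ozoneKeyDir.mkdirs() && !ozoneKeyDir.isDirectory()) {
        throw new IllegalStateException("Unable to create key directory " + ozoneKeyDir);
    }
    conf.setBoolean(OZONE_SECURITY_ENABLED_KEY, true);
    conf.setBoolean(HddsConfigKeys.HDDS_GRPC_TLS_ENABLED, true);
    // Test-certificate mode for gRPC TLS. By its name this is a test-only
    // setting; it is not something to copy into a production configuration.
    conf.setBoolean(HddsConfigKeys.HDDS_GRPC_TLS_TEST_CERT, true);
    long expiryTime = conf.getTimeDuration(HddsConfigKeys.HDDS_BLOCK_TOKEN_EXPIRY_TIME, HddsConfigKeys.HDDS_BLOCK_TOKEN_EXPIRY_TIME_DEFAULT, TimeUnit.MILLISECONDS);
    caClient = new CertificateClientTestImpl(conf);
    // The secret manager is given the serial of the test CA client's
    // certificate, so block tokens are tied to that certificate.
    secretManager = new OzoneBlockTokenSecretManager(new SecurityConfig(conf), expiryTime, caClient.getCertificate().getSerialNumber().toString());
}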

Example 3 with SecurityConfig

use of org.apache.hadoop.hdds.security.x509.SecurityConfig in project ozone by apache.

From class TestSecureOzoneContainer, method setup:

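/**
 * Per-test fixture: a configuration pointing at a temporary metadata
 * directory, a shared SecurityConfig built from it, a test CA client, and a
 * container-token secret manager bound to that client's certificate serial
 * with a one-day token lifetime.
 *
 * NOTE(review): unlike the TLS container fixture, the metadata directory is
 * not cleared before use, so key material from a previous run may still be
 * present -- confirm whether that is intended.
 *
 * @throws Exception if the test CA client or the secret manager cannot be
 *                   created.
 */
@Before
public void setup() throws Exception {
    DefaultMetricsSystem.setMiniClusterMode(true);
    // Presumably keeps a System.exit in the code under test from taking down
    // the test JVM; see ExitUtils for the exact behavior.
    ExitUtils.disableSystemExit();
    conf = new OzoneConfiguration();
    String ozoneMetaPath = GenericTestUtils.getTempPath("ozoneMeta");
    conf.set(OZONE_METADATA_DIRS, ozoneMetaPath);
    secConfig = new SecurityConfig(conf);
    caClient = new CertificateClientTestImpl(conf);
    // Reuse the SecurityConfig built above instead of constructing a second
    // one from the same conf, so the secret manager and the test body share one
    // view of the security settings. Container tokens live for one day.
    secretManager = new ContainerTokenSecretManager(secConfig, TimeUnit.DAYS.toMillis(1), caClient.getCertificate().getSerialNumber().toString());
}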

Example 4 with SecurityConfig

use of org.apache.hadoop.hdds.security.x509.SecurityConfig in project ozone by apache.

From class TestDefaultCAServer, method testRequestCertificate:

/**
 * The most important test of this test suite: stands up a self-signed test
 * CA and has it issue a certificate for a CSR. The CSR asks for an
 * end-entity certificate (setCA(false)) carrying DNS, IP and service-name
 * alternative names, and is handed to the CA as its encoded string, which is
 * the common use case. Approval is TESTING_AUTOMATIC, i.e. the request is
 * accepted without any out-of-band verification -- acceptable for a test CA
 * only.
 *
 * @throws IOException - on ERROR.
 * @throws ExecutionException - on ERROR.
 * @throws InterruptedException - on ERROR.
 * @throws NoSuchProviderException - on ERROR.
 * @throws NoSuchAlgorithmException - on ERROR.
 */
@Test
public void testRequestCertificate() throws IOException, ExecutionException, InterruptedException, NoSuchProviderException, NoSuchAlgorithmException {
    String scmId = RandomStringUtils.randomAlphabetic(4);
    String clusterId = RandomStringUtils.randomAlphabetic(4);
    KeyPair requesterKeys = new HDDSKeyGenerator(conf).generateKey();
    PKCS10CertificationRequest request = new CertificateSignRequest.Builder()
        .addDnsName("hadoop.apache.org")
        .addIpAddress("8.8.8.8")
        .addServiceName("OzoneMarketingCluster002")
        .setCA(false)
        .setClusterID(clusterId)
        .setScmID(scmId)
        .setSubject("Ozone Cluster")
        .setConfiguration(conf)
        .setKey(requesterKeys)
        .build();
    // Callers normally hand the CA an encoded string rather than the request
    // object, so mimic that here.
    String encodedRequest = CertificateSignRequest.getEncodedString(request);
    String caStoragePath = Paths.get(SCM_CA_CERT_STORAGE_DIR, SCM_CA_PATH).toString();
    CertificateServer ca = new DefaultCAServer("testCA", clusterId, scmId, caStore, new DefaultProfile(), caStoragePath);
    ca.init(new SecurityConfig(conf), SELF_SIGNED_CA);
    Future<X509CertificateHolder> issued = ca.requestCertificate(encodedRequest, CertificateApprover.ApprovalType.TESTING_AUTOMATIC, SCM);
    // Issuance is synchronous today, so the future is already complete; this
    // will need an actual wait once it becomes asynchronous.
    assertTrue(issued.isDone());
    X509CertificateHolder issuedCert = issued.get();
    assertNotNull(issuedCert);
}

Example 5 with SecurityConfig

use of org.apache.hadoop.hdds.security.x509.SecurityConfig in project ozone by apache.

From class TestDefaultCAServer, method testMissingCertificate:

/**
 * A CA whose root certificate is missing must refuse to initialise. The
 * MISSING_CERTIFICATE branch of the self-signed CA initializer is driven
 * directly and is expected to throw an IllegalStateException mentioning
 * "Missing Root Certs" instead of quietly minting a new root.
 */
@Test
public void testMissingCertificate() {
    String clusterId = RandomStringUtils.randomAlphabetic(4);
    String scmId = RandomStringUtils.randomAlphabetic(4);
    DefaultCAServer server = new DefaultCAServer("testCA", clusterId, scmId, caStore, new DefaultProfile(), Paths.get(SCM_CA_CERT_STORAGE_DIR, SCM_CA_PATH).toString());
    Consumer<SecurityConfig> initializer = server.processVerificationStatus(DefaultCAServer.VerificationStatus.MISSING_CERTIFICATE, SELF_SIGNED_CA);
    try {
        initializer.accept(new SecurityConfig(conf));
    } catch (IllegalStateException expected) {
        // Unchecked exception, so it is verified by hand rather than through
        // JUnit's expected-exception support.
        assertTrue(expected.toString().contains("Missing Root Certs"));
        return;
    }
    fail("code should not reach here, exception should have been thrown.");
}
