
Example 1 with CRLInfo

use of org.apache.hadoop.hdds.security.x509.crl.CRLInfo in project ozone by apache.

the class CRLClientUpdateHandler method handleServerUpdate.

@Override
public void handleServerUpdate(UpdateResponse updateResponse) {
    // Compare the CRL sequence id the server sent with the one this client
    // already holds; only a strictly newer id is applied.
    final SCMUpdateServiceProtos.CRLInfoProto crlProto =
        updateResponse.getCrlUpdateResponse().getCrlInfo();
    final long serverCrlId = crlProto.getCrlSequenceID();
    final long clientCrlId = clientStore.getLatestCrlId();
    LOG.debug("## Client: clientId {} clientCrlId {} receivedCrlId {}", clientUuid, clientCrlId, serverCrlId);

    if (serverCrlId == clientCrlId) {
        // Already in sync: nothing to apply, nothing to report.
        return;
    }
    if (serverCrlId < clientCrlId) {
        // The server is behind this client; push our newer id back to it
        // instead of applying anything.
        LOG.warn("Received stale crlId {} lower than client crlId {}", serverCrlId, clientCrlId);
        sendClientUpdate();
        return;
    }

    // serverCrlId > clientCrlId: decode the newer CRL and hand it to the store.
    final CRLInfo parsedCrl;
    try {
        parsedCrl = CRLInfo.fromCRLProto3(crlProto);
    } catch (Exception e) {
        // A malformed update is dropped rather than failing the handler; the
        // client keeps its current CRL state and does not acknowledge.
        LOG.error("Can't parse server CRL update, skip...", e);
        return;
    }
    // NOTE(review): whether fromCRLProto3 or onRevokeCerts verifies the CRL's
    // signature is not visible here — confirm before relying on this path.
    clientStore.onRevokeCerts(parsedCrl);
    // Acknowledge the applied id so the server sees this client as current.
    sendClientUpdate();
}
Also used : SCMUpdateServiceProtos(org.apache.hadoop.hdds.protocol.scm.proto.SCMUpdateServiceProtos) CRLInfo(org.apache.hadoop.hdds.security.x509.crl.CRLInfo)

Example 2 with CRLInfo

use of org.apache.hadoop.hdds.security.x509.crl.CRLInfo in project ozone by apache.

the class SCMSecurityProtocolServerSideTranslatorPB method getCrls.

/**
 * Serves a batch CRL lookup: resolves the requested CRL sequence ids through
 * the wrapped implementation and serializes each result into the response.
 *
 * @param request carries the list of CRL sequence ids to fetch
 * @return a response holding one CRLInfo proto per resolved CRL
 * @throws IOException if the lookup fails
 * @throws SCMSecurityException if a CRLInfo cannot be converted to its proto form
 */
public SCMGetCrlsResponseProto getCrls(SCMGetCrlsRequestProto request) throws IOException {
    final List<CRLInfo> resolved = impl.getCrls(request.getCrlIdList());
    final SCMGetCrlsResponseProto.Builder response = SCMGetCrlsResponseProto.newBuilder();
    for (CRLInfo crlInfo : resolved) {
        try {
            response.addCrlInfos(crlInfo.getProtobuf());
        } catch (SCMSecurityException e) {
            // Logged here and re-thrown with the same message so the caller
            // receives a SCMSecurityException that still carries the cause.
            LOG.error("Fail in parsing CRL info", e);
            throw new SCMSecurityException("Fail in parsing CRL info", e);
        }
    }
    return response.build();
}
Also used : SCMSecurityException(org.apache.hadoop.hdds.security.exception.SCMSecurityException) CRLInfo(org.apache.hadoop.hdds.security.x509.crl.CRLInfo) SCMGetCrlsResponseProto(org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos.SCMGetCrlsResponseProto)

Example 3 with CRLInfo

use of org.apache.hadoop.hdds.security.x509.crl.CRLInfo in project ozone by apache.

the class TestReportPublisher method testCRLStatusReportPublisher.

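/**
 * Verifies that CRLStatusReportPublisher reports the latest CRL sequence id
 * obtained from the datanode CRL store.
 *
 * <p>Two fixes over the previous version: the executor is shut down in a
 * {@code finally} block so a failing assertion does not leak it, and the
 * test now fails if the report carries no receivedCrlId field at all
 * (previously the loop could complete without asserting anything).
 *
 * @throws IOException if publisher initialization fails
 */
@Test
public void testCRLStatusReportPublisher() throws IOException {
    StateContext dummyContext = Mockito.mock(StateContext.class);
    DatanodeStateMachine dummyStateMachine = Mockito.mock(DatanodeStateMachine.class);
    ReportPublisher publisher = new CRLStatusReportPublisher();
    DatanodeCRLStore dnCrlStore = Mockito.mock(DatanodeCRLStore.class);
    when(dnCrlStore.getLatestCRLSequenceID()).thenReturn(3L);
    List<CRLInfo> pendingCRLs = new ArrayList<>();
    pendingCRLs.add(Mockito.mock(CRLInfo.class));
    pendingCRLs.add(Mockito.mock(CRLInfo.class));
    when(dnCrlStore.getPendingCRLs()).thenReturn(pendingCRLs);
    when(dummyStateMachine.getDnCRLStore()).thenReturn(dnCrlStore);
    when(dummyContext.getParent()).thenReturn(dummyStateMachine);
    publisher.setConf(config);
    ScheduledExecutorService executorService = HadoopExecutors.newScheduledThreadPool(1, new ThreadFactoryBuilder().setDaemon(true).setNameFormat("Unit test ReportManager Thread - %d").build());
    try {
        publisher.init(dummyContext, executorService);
        GeneratedMessage report = ((CRLStatusReportPublisher) publisher).getReport();
        Assert.assertNotNull(report);
        // Track whether the field we care about was actually present, so the
        // test cannot pass vacuously when the descriptor is missing.
        boolean receivedCrlIdChecked = false;
        for (Descriptors.FieldDescriptor descriptor : report.getDescriptorForType().getFields()) {
            if (descriptor.getNumber() == CRLStatusReport.RECEIVEDCRLID_FIELD_NUMBER) {
                Assert.assertEquals(3L, report.getField(descriptor));
                receivedCrlIdChecked = true;
            }
        }
        Assert.assertTrue("report has no receivedCrlId field", receivedCrlIdChecked);
    } finally {
        // Always release the executor, even when an assertion above fails.
        executorService.shutdown();
    }
}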
Also used : ScheduledExecutorService(java.util.concurrent.ScheduledExecutorService) StateContext(org.apache.hadoop.ozone.container.common.statemachine.StateContext) ArrayList(java.util.ArrayList) DatanodeCRLStore(org.apache.hadoop.hdds.datanode.metadata.DatanodeCRLStore) CRLInfo(org.apache.hadoop.hdds.security.x509.crl.CRLInfo) ThreadFactoryBuilder(com.google.common.util.concurrent.ThreadFactoryBuilder) DatanodeStateMachine(org.apache.hadoop.ozone.container.common.statemachine.DatanodeStateMachine) Descriptors(com.google.protobuf.Descriptors) GeneratedMessage(com.google.protobuf.GeneratedMessage) Test(org.junit.Test)

Example 4 with CRLInfo

use of org.apache.hadoop.hdds.security.x509.crl.CRLInfo in project ozone by apache.

the class TestDatanodeCRLStoreImpl method testCRLStore.

/**
 * Exercises the datanode CRL store: seeds the sequence-id table and one
 * pending CRL, reads them back, then restarts the store and checks the
 * same data survives the restart.
 *
 * @throws Exception on any failure while building or signing the CRL
 */
@Test
public void testCRLStore() throws Exception {
    assertNotNull(dnCRLStore.getStore());

    // Seed the sequence-id table and one pending CRL that revokes a fresh cert.
    final long latestSequenceId = 5L;
    final long pendingCrlId = 1L;
    dnCRLStore.getCRLSequenceIdTable().put(OzoneConsts.CRL_SEQUENCE_ID_KEY, latestSequenceId);
    final Date issuedAt = new Date();
    final X509Certificate revokedCert = generateX509Cert();
    final X509CertificateHolder issuer = new X509CertificateHolder(generateX509Cert().getEncoded());
    final X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(issuer.getIssuer(), issuedAt);
    final int reasonCode = CRLReason.lookup(CRLReason.PRIVILEGE_WITHDRAWN).getValue().intValue();
    crlBuilder.addCRLEntry(revokedCert.getSerialNumber(), issuedAt, reasonCode);
    final CRLInfo pendingCrl = new CRLInfo.Builder()
        .setCrlSequenceID(pendingCrlId)
        .setCreationTimestamp(issuedAt.getTime())
        .setX509CRL(crlApprover.sign(crlBuilder))
        .build();
    dnCRLStore.getPendingCRLsTable().put(pendingCrlId, pendingCrl);

    // Read back through the store's accessors.
    assertEquals(latestSequenceId, (long) dnCRLStore.getLatestCRLSequenceID());
    assertEquals(1L, dnCRLStore.getPendingCRLs().size());
    final CRLInfo readBack = dnCRLStore.getPendingCRLs().get(0);
    assertEquals(pendingCrlId, readBack.getCrlSequenceID());
    final BigInteger firstRevokedSerial =
        readBack.getX509CRL().getRevokedCertificates().iterator().next().getSerialNumber();
    assertEquals(revokedCert.getSerialNumber(), firstRevokedSerial);

    // Restarting the store must not affect data already persisted.
    dnCRLStore.stop();
    dnCRLStore = new DatanodeCRLStoreImpl(conf);
    assertEquals(latestSequenceId, (long) dnCRLStore.getLatestCRLSequenceID());
    assertEquals(1L, dnCRLStore.getPendingCRLs().size());
    dnCRLStore.stop();
}
Also used : X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) X509v2CRLBuilder(org.bouncycastle.cert.X509v2CRLBuilder) CRLInfo(org.apache.hadoop.hdds.security.x509.crl.CRLInfo) Date(java.util.Date) X509Certificate(java.security.cert.X509Certificate) Test(org.junit.Test)

Example 5 with CRLInfo

use of org.apache.hadoop.hdds.security.x509.crl.CRLInfo in project ozone by apache.

the class TestSCMCertStore method testRevokeCertificates.

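/**
 * Covers certificate revocation in the SCM cert store: a first revocation
 * produces a CRL and moves the cert to the revoked table, revoking the same
 * cert again is a no-op, and a later batch revocation produces a second CRL
 * containing exactly the requested serials.
 *
 * <p>Fix over the previous version: the two membership checks on the second
 * CRL used {@code assertNotNull(stream...findAny())}, which can never fail
 * because {@code findAny()} returns a non-null {@code Optional}; they now use
 * {@code anyMatch}, so a CRL missing one of the serials fails the test.
 *
 * @throws Exception on any failure while generating or revoking certificates
 */
@Test
public void testRevokeCertificates() throws Exception {
    BigInteger serialID = x509Certificate.getSerialNumber();
    scmCertStore.storeValidCertificate(serialID, x509Certificate, SCM);
    Date now = new Date();
    assertNotNull(scmCertStore.getCertificateByID(serialID, VALID_CERTS));
    X509CertificateHolder caCertificateHolder = new X509CertificateHolder(generateX509Cert().getEncoded());
    List<BigInteger> certs = new ArrayList<>();
    certs.add(x509Certificate.getSerialNumber());
    Optional<Long> sequenceId = scmCertStore.revokeCertificates(certs, caCertificateHolder, CRLReason.lookup(CRLReason.keyCompromise), now, crlApprover);
    assertTrue(sequenceId.isPresent());
    assertEquals(INITIAL_SEQUENCE_ID + 1L, (long) sequenceId.get());
    // The cert must have left the valid table and appeared in the revoked one.
    assertNull(scmCertStore.getCertificateByID(serialID, VALID_CERTS));
    CertInfo certInfo = scmCertStore.getRevokedCertificateInfoByID(serialID);
    assertNotNull(certInfo);
    assertNotNull(certInfo.getX509Certificate());
    assertTrue("Timestamp should be greater than 0", certInfo.getTimestamp() > 0L);
    long crlId = scmCertStore.getLatestCrlId();
    assertEquals(sequenceId.get().longValue(), crlId);
    List<CRLInfo> crls = scmCertStore.getCrls(Arrays.asList(crlId));
    assertEquals(1, crls.size());
    // CRL Info table should have a CRL with sequence id
    assertNotNull(scmMetadataStore.getCRLInfoTable().get(sequenceId.get()));
    // Check the sequence ID table for latest sequence id
    assertEquals(INITIAL_SEQUENCE_ID + 1L, (long) scmMetadataStore.getCRLSequenceIdTable().get(CRL_SEQUENCE_ID_KEY));
    CRLInfo crlInfo = crls.get(0);
    // expected first, actual second, so a failure message reads correctly
    assertEquals(sequenceId.get().longValue(), crlInfo.getCrlSequenceID());
    Set<? extends X509CRLEntry> revokedCertificates = crlInfo.getX509CRL().getRevokedCertificates();
    assertEquals(1L, revokedCertificates.size());
    assertEquals(x509Certificate.getSerialNumber(), revokedCertificates.iterator().next().getSerialNumber());
    // Now trying to revoke the already revoked certificate should result in
    // a warning message and no-op. It should not create a new CRL.
    sequenceId = scmCertStore.revokeCertificates(certs, caCertificateHolder, CRLReason.lookup(CRLReason.unspecified), now, crlApprover);
    assertFalse(sequenceId.isPresent());
    assertEquals(1L, getTableSize(scmMetadataStore.getCRLInfoTable().iterator()));
    // Generate 3 more certificates and revoke 2 of them
    List<BigInteger> newSerialIDs = new ArrayList<>();
    for (int i = 0; i < 3; i++) {
        X509Certificate cert = generateX509Cert();
        scmCertStore.storeValidCertificate(cert.getSerialNumber(), cert, SCM);
        newSerialIDs.add(cert.getSerialNumber());
    }
    // Add the first 2 certificates to the revocation list
    sequenceId = scmCertStore.revokeCertificates(newSerialIDs.subList(0, 2), caCertificateHolder, CRLReason.lookup(CRLReason.aACompromise), now, crlApprover);
    // This should create a CRL with sequence id INITIAL_SEQUENCE_ID + 2
    // And contain 2 certificates in it
    assertTrue(sequenceId.isPresent());
    assertEquals(sequenceId.get().longValue(), scmCertStore.getLatestCrlId());
    assertEquals(INITIAL_SEQUENCE_ID + 2L, (long) sequenceId.get());
    // Check the sequence ID table for latest sequence id
    assertEquals(INITIAL_SEQUENCE_ID + 2L, (long) scmMetadataStore.getCRLSequenceIdTable().get(CRL_SEQUENCE_ID_KEY));
    CRLInfo newCrlInfo = scmCertStore.getCrls(Arrays.asList(INITIAL_SEQUENCE_ID + 2)).get(0);
    revokedCertificates = newCrlInfo.getX509CRL().getRevokedCertificates();
    assertEquals(2L, revokedCertificates.size());
    // Both revoked serials must be present; anyMatch actually fails when one is missing.
    assertTrue("first revoked serial missing from CRL",
        revokedCertificates.stream().anyMatch(c -> c.getSerialNumber().equals(newSerialIDs.get(0))));
    assertTrue("second revoked serial missing from CRL",
        revokedCertificates.stream().anyMatch(c -> c.getSerialNumber().equals(newSerialIDs.get(1))));
    assertEquals(sequenceId.get().longValue(), newCrlInfo.getCrlSequenceID());
    // Valid certs table should have 1 cert
    assertEquals(1L, getTableSize(scmMetadataStore.getValidCertsTable().iterator()));
    // Make sure that the last certificate that was not revoked is the one
    // in the valid certs table.
    assertEquals(newSerialIDs.get(2), scmMetadataStore.getValidCertsTable().iterator().next().getKey());
    // Revoked certs table should have 3 certs
    assertEquals(3L, getTableSize(scmMetadataStore.getRevokedCertsV2Table().iterator()));
}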
Also used : CertInfo(org.apache.hadoop.hdds.security.x509.certificate.CertInfo) ArrayList(java.util.ArrayList) CRLInfo(org.apache.hadoop.hdds.security.x509.crl.CRLInfo) Date(java.util.Date) X509Certificate(java.security.cert.X509Certificate) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) BigInteger(java.math.BigInteger) Test(org.junit.Test)
