org.apache.hadoop.security.alias.JavaKeyStoreProvider Java Examples

The following examples show how to use org.apache.hadoop.security.alias.JavaKeyStoreProvider. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example #1
Source File: SSLTest.java    From incubator-atlas with Apache License 2.0 6 votes vote down vote up
@BeforeClass
public void setUp() throws Exception {
    jksPath = new Path(Files.createTempDirectory("tempproviders").toString(), "test.jks");
    providerUrl = JavaKeyStoreProvider.SCHEME_NAME + "://file/" + jksPath.toUri();

    setupCredentials();
    final PropertiesConfiguration configuration = getSSLConfiguration(providerUrl);
    String persistDir = writeConfiguration(configuration);
    persistSSLClientConfiguration(configuration);

    originalConf = System.getProperty("atlas.conf");
    System.setProperty("atlas.conf", persistDir);

    originalHomeDir = System.getProperty("atlas.home");
    System.setProperty("atlas.home", TestUtils.getTargetDirectory());

    atlasClient = new AtlasClient(configuration, new String[]{DGI_URL},new String[]{"admin","admin"});

    secureEmbeddedServer = new TestSecureEmbeddedServer(21443, getWarPath()) {
        @Override
        public org.apache.commons.configuration.Configuration getConfiguration() {
            return configuration;
        }
    };
    secureEmbeddedServer.getServer().start();
}
 
Example #2
Source File: SSLTest.java    From atlas with Apache License 2.0 6 votes vote down vote up
public void setUp() throws Exception {
    jksPath = new Path(Files.createTempDirectory("tempproviders").toString(), "test.jks");
    providerUrl = JavaKeyStoreProvider.SCHEME_NAME + "://file/" + jksPath.toUri();

    setupCredentials();
    final PropertiesConfiguration configuration = getSSLConfiguration(providerUrl);
    String persistDir = writeConfiguration(configuration);
    persistSSLClientConfiguration(configuration);

    originalConf = System.getProperty("atlas.conf");
    System.setProperty("atlas.conf", persistDir);

    originalHomeDir = System.getProperty("atlas.home");
    System.setProperty("atlas.home", TestUtils.getTargetDirectory());

    atlasClient = new AtlasClient(configuration, new String[]{DGI_URL},new String[]{"admin","admin"});

    secureEmbeddedServer = new TestSecureEmbeddedServer(21443, getWarPath()) {
        @Override
        public org.apache.commons.configuration.Configuration getConfiguration() {
            return configuration;
        }
    };
    secureEmbeddedServer.getServer().start();
}
 
Example #3
Source File: SecureEmbeddedServerTestBase.java    From atlas with Apache License 2.0 5 votes vote down vote up
@BeforeMethod
public void setup() throws Exception {
    jksPath = new Path(Files.createTempDirectory("tempproviders").toString(), "test.jks");
    providerUrl = JavaKeyStoreProvider.SCHEME_NAME + "://file/" + jksPath.toUri();

    String baseUrl = String.format("https://localhost:%d/", securePort);

    DefaultClientConfig config = new DefaultClientConfig();
    Client client = Client.create(config);
    client.resource(UriBuilder.fromUri(baseUrl).build());

    service = client.resource(UriBuilder.fromUri(baseUrl).build());
}
 
Example #4
Source File: SecureEmbeddedServerTestBase.java    From incubator-atlas with Apache License 2.0 5 votes vote down vote up
@BeforeMethod
public void setup() throws Exception {
    jksPath = new Path(Files.createTempDirectory("tempproviders").toString(), "test.jks");
    providerUrl = JavaKeyStoreProvider.SCHEME_NAME + "://file/" + jksPath.toUri();

    String baseUrl = String.format("https://localhost:%d/", securePort);

    DefaultClientConfig config = new DefaultClientConfig();
    Client client = Client.create(config);
    client.resource(UriBuilder.fromUri(baseUrl).build());

    service = client.resource(UriBuilder.fromUri(baseUrl).build());
}
 
Example #5
Source File: KeyStoreTestUtil.java    From hadoop with Apache License 2.0 5 votes vote down vote up
public static void provisionPasswordsToCredentialProvider() throws Exception {
  File testDir = new File(System.getProperty("test.build.data",
      "target/test-dir"));

  Configuration conf = new Configuration();
  final Path jksPath = new Path(testDir.toString(), "test.jks");
  final String ourUrl =
  JavaKeyStoreProvider.SCHEME_NAME + "://file" + jksPath.toUri();

  File file = new File(testDir, "test.jks");
  file.delete();
  conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, ourUrl);

  CredentialProvider provider =
      CredentialProviderFactory.getProviders(conf).get(0);
  char[] keypass = {'k', 'e', 'y', 'p', 'a', 's', 's'};
  char[] storepass = {'s', 't', 'o', 'r', 'e', 'p', 'a', 's', 's'};

  // create new aliases
  try {
    provider.createCredentialEntry(
        FileBasedKeyStoresFactory.resolvePropertyName(SSLFactory.Mode.SERVER,
            FileBasedKeyStoresFactory.SSL_KEYSTORE_PASSWORD_TPL_KEY),
            storepass);

    provider.createCredentialEntry(
        FileBasedKeyStoresFactory.resolvePropertyName(SSLFactory.Mode.SERVER,
            FileBasedKeyStoresFactory.SSL_KEYSTORE_KEYPASSWORD_TPL_KEY),
            keypass);

    // write out so that it can be found in checks
    provider.flush();
  } catch (Exception e) {
    e.printStackTrace();
    throw e;
  }
}
 
Example #6
Source File: KeyStoreTestUtil.java    From big-c with Apache License 2.0 5 votes vote down vote up
public static void provisionPasswordsToCredentialProvider() throws Exception {
  File testDir = new File(System.getProperty("test.build.data",
      "target/test-dir"));

  Configuration conf = new Configuration();
  final Path jksPath = new Path(testDir.toString(), "test.jks");
  final String ourUrl =
  JavaKeyStoreProvider.SCHEME_NAME + "://file" + jksPath.toUri();

  File file = new File(testDir, "test.jks");
  file.delete();
  conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, ourUrl);

  CredentialProvider provider =
      CredentialProviderFactory.getProviders(conf).get(0);
  char[] keypass = {'k', 'e', 'y', 'p', 'a', 's', 's'};
  char[] storepass = {'s', 't', 'o', 'r', 'e', 'p', 'a', 's', 's'};

  // create new aliases
  try {
    provider.createCredentialEntry(
        FileBasedKeyStoresFactory.resolvePropertyName(SSLFactory.Mode.SERVER,
            FileBasedKeyStoresFactory.SSL_KEYSTORE_PASSWORD_TPL_KEY),
            storepass);

    provider.createCredentialEntry(
        FileBasedKeyStoresFactory.resolvePropertyName(SSLFactory.Mode.SERVER,
            FileBasedKeyStoresFactory.SSL_KEYSTORE_KEYPASSWORD_TPL_KEY),
            keypass);

    // write out so that it can be found in checks
    provider.flush();
  } catch (Exception e) {
    e.printStackTrace();
    throw e;
  }
}
 
Example #7
Source File: TestDFSUtil.java    From big-c with Apache License 2.0 4 votes vote down vote up
@Test
public void testGetPassword() throws Exception {
  File testDir = new File(System.getProperty("test.build.data",
      "target/test-dir"));

  Configuration conf = new Configuration();
  final Path jksPath = new Path(testDir.toString(), "test.jks");
  final String ourUrl =
  JavaKeyStoreProvider.SCHEME_NAME + "://file" + jksPath.toUri();

  File file = new File(testDir, "test.jks");
  file.delete();
  conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, ourUrl);

  CredentialProvider provider =
      CredentialProviderFactory.getProviders(conf).get(0);
  char[] keypass = {'k', 'e', 'y', 'p', 'a', 's', 's'};
  char[] storepass = {'s', 't', 'o', 'r', 'e', 'p', 'a', 's', 's'};
  char[] trustpass = {'t', 'r', 'u', 's', 't', 'p', 'a', 's', 's'};

  // ensure that we get nulls when the key isn't there
  assertEquals(null, provider.getCredentialEntry(
      DFS_SERVER_HTTPS_KEYPASSWORD_KEY));
  assertEquals(null, provider.getCredentialEntry(
      DFS_SERVER_HTTPS_KEYSTORE_PASSWORD_KEY));
  assertEquals(null, provider.getCredentialEntry(
      DFS_SERVER_HTTPS_TRUSTSTORE_PASSWORD_KEY));

  // create new aliases
  try {
    provider.createCredentialEntry(
        DFS_SERVER_HTTPS_KEYPASSWORD_KEY, keypass);

    provider.createCredentialEntry(
        DFS_SERVER_HTTPS_KEYSTORE_PASSWORD_KEY, storepass);

    provider.createCredentialEntry(
        DFS_SERVER_HTTPS_TRUSTSTORE_PASSWORD_KEY, trustpass);

    // write out so that it can be found in checks
    provider.flush();
  } catch (Exception e) {
    e.printStackTrace();
    throw e;
  }
  // make sure we get back the right key directly from api
  assertArrayEquals(keypass, provider.getCredentialEntry(
      DFS_SERVER_HTTPS_KEYPASSWORD_KEY).getCredential());
  assertArrayEquals(storepass, provider.getCredentialEntry(
      DFS_SERVER_HTTPS_KEYSTORE_PASSWORD_KEY).getCredential());
  assertArrayEquals(trustpass, provider.getCredentialEntry(
      DFS_SERVER_HTTPS_TRUSTSTORE_PASSWORD_KEY).getCredential());

  // use WebAppUtils as would be used by loadSslConfiguration
  Assert.assertEquals("keypass",
      DFSUtil.getPassword(conf, DFS_SERVER_HTTPS_KEYPASSWORD_KEY));
  Assert.assertEquals("storepass",
      DFSUtil.getPassword(conf, DFS_SERVER_HTTPS_KEYSTORE_PASSWORD_KEY));
  Assert.assertEquals("trustpass",
      DFSUtil.getPassword(conf, DFS_SERVER_HTTPS_TRUSTSTORE_PASSWORD_KEY));

  // let's make sure that a password that doesn't exist returns null
  Assert.assertEquals(null, DFSUtil.getPassword(conf,"invalid-alias"));
}
 
Example #8
Source File: CredentialReader.java    From ranger with Apache License 2.0 4 votes vote down vote up
public static String getDecryptedString(String CrendentialProviderPath,String alias) {
 String credential=null;
 try{
  if(CrendentialProviderPath==null || alias==null||CrendentialProviderPath.trim().isEmpty()||alias.trim().isEmpty()){
	  return null;
  }		  		
  char[] pass = null;
  Configuration conf = new Configuration();
  String crendentialProviderPrefixJceks=JavaKeyStoreProvider.SCHEME_NAME + "://file";
  String crendentialProviderPrefixLocalJceks="localjceks://file";
  crendentialProviderPrefixJceks=crendentialProviderPrefixJceks.toLowerCase();
  CrendentialProviderPath=CrendentialProviderPath.trim();
  alias=alias.trim();
  if(CrendentialProviderPath.toLowerCase().startsWith(crendentialProviderPrefixJceks) ||  CrendentialProviderPath.toLowerCase().startsWith(crendentialProviderPrefixLocalJceks)){
	  conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH,
			   //UserProvider.SCHEME_NAME + ":///," +
	  CrendentialProviderPath);
  }else{
	  if(CrendentialProviderPath.startsWith("/")){
		  conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH,
				   //UserProvider.SCHEME_NAME + ":///," +
		  JavaKeyStoreProvider.SCHEME_NAME + "://file" + CrendentialProviderPath);
	  }else{
		  conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH,
				   //UserProvider.SCHEME_NAME + ":///," +
		  JavaKeyStoreProvider.SCHEME_NAME + "://file/" + CrendentialProviderPath);
	  }
  }	 	
  List<CredentialProvider> providers = CredentialProviderFactory.getProviders(conf);
  List<String> aliasesList=new ArrayList<String>();
  CredentialProvider.CredentialEntry credEntry=null;
  for(CredentialProvider provider: providers) {
            //System.out.println("Credential Provider :" + provider);
	  aliasesList=provider.getAliases();
	  if(aliasesList!=null && aliasesList.contains(alias.toLowerCase())){
		  credEntry=null;
		  credEntry= provider.getCredentialEntry(alias);
		  pass = credEntry.getCredential();
		  if(pass!=null && pass.length>0){
			  credential=String.valueOf(pass);
			  break;
		  }				
	  }
  }
 }catch(Exception ex){
  ex.printStackTrace();
  credential=null;
 }
 return credential;
}
 
Example #9
Source File: CredentialReader.java    From ranger with Apache License 2.0 4 votes vote down vote up
public static String getDecryptedString(String CrendentialProviderPath,String alias) {
 String credential=null;
 try{
  if(CrendentialProviderPath==null || alias==null){
	  return null;
  }		  		
  char[] pass = null;
  Configuration conf = new Configuration();
  String crendentialProviderPrefixJceks=JavaKeyStoreProvider.SCHEME_NAME + "://file";
  String crendentialProviderPrefixLocalJceks="localjceks://file";
  crendentialProviderPrefixJceks=crendentialProviderPrefixJceks.toLowerCase();
  CrendentialProviderPath=CrendentialProviderPath.trim();
  alias=alias.trim();
  if(CrendentialProviderPath.toLowerCase().startsWith(crendentialProviderPrefixJceks) || CrendentialProviderPath.toLowerCase().startsWith(crendentialProviderPrefixLocalJceks)){
	  conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH,
			   //UserProvider.SCHEME_NAME + ":///," +
	  CrendentialProviderPath);
  }else{
	  if(CrendentialProviderPath.startsWith("/")){
		  conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH,
				   //UserProvider.SCHEME_NAME + ":///," +
		  JavaKeyStoreProvider.SCHEME_NAME + "://file" + CrendentialProviderPath);
	  }else{
		  conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH,
				   //UserProvider.SCHEME_NAME + ":///," +
				  JavaKeyStoreProvider.SCHEME_NAME + "://file/" + CrendentialProviderPath);
	  }
  }
  List<CredentialProvider> providers = CredentialProviderFactory.getProviders(conf);
  List<String> aliasesList=new ArrayList<String>();
  CredentialProvider.CredentialEntry credEntry=null;
  for(CredentialProvider provider: providers) {
            //System.out.println("Credential Provider :" + provider);
	  aliasesList=provider.getAliases();
	  if(aliasesList!=null && aliasesList.contains(alias.toLowerCase())){
		  credEntry=null;
		  credEntry= provider.getCredentialEntry(alias);
		  pass = credEntry.getCredential();
		  if(pass!=null && pass.length>0){
			  credential=String.valueOf(pass);
			  break;
		  }				
	  }
  }
 }catch(Exception ex){
  ex.printStackTrace();
  credential=null;
 }
 return credential;
}
 
Example #10
Source File: SSLAndKerberosTest.java    From incubator-atlas with Apache License 2.0 4 votes vote down vote up
@BeforeClass
public void setUp() throws Exception {
    jksPath = new Path(Files.createTempDirectory("tempproviders").toString(), "test.jks");
    providerUrl = JavaKeyStoreProvider.SCHEME_NAME + "://file/" + jksPath.toUri();

    String persistDir = TestUtils.getTempDirectory();

    setupKDCAndPrincipals();
    setupCredentials();

    // client will actually only leverage subset of these properties
    final PropertiesConfiguration configuration = getSSLConfiguration(providerUrl);

    persistSSLClientConfiguration(configuration);

    TestUtils.writeConfiguration(configuration, persistDir + File.separator +
        ApplicationProperties.APPLICATION_PROPERTIES);

    String confLocation = System.getProperty("atlas.conf");
    URL url;
    if (confLocation == null) {
        url = SSLAndKerberosTest.class.getResource("/" + ApplicationProperties.APPLICATION_PROPERTIES);
    } else {
        url = new File(confLocation, ApplicationProperties.APPLICATION_PROPERTIES).toURI().toURL();
    }
    configuration.load(url);
    configuration.setProperty(TLS_ENABLED, true);
    configuration.setProperty("atlas.authentication.method.kerberos", "true");
    configuration.setProperty("atlas.authentication.keytab",userKeytabFile.getAbsolutePath());
    configuration.setProperty("atlas.authentication.principal","dgi/localhost@"+kdc.getRealm());

    configuration.setProperty("atlas.authentication.method.file", "false");
    configuration.setProperty("atlas.authentication.method.kerberos", "true");
    configuration.setProperty("atlas.authentication.method.kerberos.principal", "HTTP/localhost@" + kdc.getRealm());
    configuration.setProperty("atlas.authentication.method.kerberos.keytab", httpKeytabFile.getAbsolutePath());
    configuration.setProperty("atlas.authentication.method.kerberos.name.rules",
            "RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//\nDEFAULT");

    configuration.setProperty("atlas.authentication.method.file", "true");
    configuration.setProperty("atlas.authentication.method.file.filename", persistDir
            + "/users-credentials");
    configuration.setProperty("atlas.auth.policy.file",persistDir
            + "/policy-store.txt" );

    TestUtils.writeConfiguration(configuration, persistDir + File.separator +
      "atlas-application.properties");

    setupUserCredential(persistDir);
    setUpPolicyStore(persistDir);

    subject = loginTestUser();
    UserGroupInformation.loginUserFromSubject(subject);
    UserGroupInformation proxyUser = UserGroupInformation.createProxyUser(
        "testUser",
        UserGroupInformation.getLoginUser());

    // save original setting
    originalConf = System.getProperty("atlas.conf");
    System.setProperty("atlas.conf", persistDir);

    originalHomeDir = System.getProperty("atlas.home");
    System.setProperty("atlas.home", TestUtils.getTargetDirectory());

    dgiCLient = proxyUser.doAs(new PrivilegedExceptionAction<AtlasClient>() {
        @Override
        public AtlasClient run() throws Exception {
            return new AtlasClient(configuration, DGI_URL);
        }
    });


    secureEmbeddedServer = new TestSecureEmbeddedServer(21443, getWarPath()) {
        @Override
        public PropertiesConfiguration getConfiguration() {
            return configuration;
        }
    };
    secureEmbeddedServer.getServer().start();
}
 
Example #11
Source File: NegativeSSLAndKerberosTest.java    From incubator-atlas with Apache License 2.0 4 votes vote down vote up
@BeforeClass
public void setUp() throws Exception {
    jksPath = new Path(Files.createTempDirectory("tempproviders").toString(), "test.jks");
    providerUrl = JavaKeyStoreProvider.SCHEME_NAME + "://file/" + jksPath.toUri();

    String persistDir = TestUtils.getTempDirectory();

    setupKDCAndPrincipals();
    setupCredentials();

    // client will actually only leverage subset of these properties
    final PropertiesConfiguration configuration = getSSLConfiguration(providerUrl);

    persistSSLClientConfiguration(configuration);

    TestUtils.writeConfiguration(configuration, persistDir + File.separator +
        ApplicationProperties.APPLICATION_PROPERTIES);

    String confLocation = System.getProperty("atlas.conf");
    URL url;
    if (confLocation == null) {
        url = NegativeSSLAndKerberosTest.class.getResource("/" + ApplicationProperties.APPLICATION_PROPERTIES);
    } else {
        url = new File(confLocation, ApplicationProperties.APPLICATION_PROPERTIES).toURI().toURL();
    }
    configuration.load(url);

    configuration.setProperty(TLS_ENABLED, true);
    configuration.setProperty("atlas.authentication.method.kerberos", "true");
    configuration.setProperty("atlas.authentication.keytab",userKeytabFile.getAbsolutePath());
    configuration.setProperty("atlas.authentication.principal","dgi/localhost@"+kdc.getRealm());

    configuration.setProperty("atlas.authentication.method.file", "false");
    configuration.setProperty("atlas.authentication.method.kerberos", "true");
    configuration.setProperty("atlas.authentication.method.kerberos.principal", "HTTP/localhost@" + kdc.getRealm());
    configuration.setProperty("atlas.authentication.method.kerberos.keytab", httpKeytabFile.getAbsolutePath());
    configuration.setProperty("atlas.authentication.method.kerberos.name.rules",
            "RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//\nDEFAULT");

    configuration.setProperty("atlas.authentication.method.file", "true");
    configuration.setProperty("atlas.authentication.method.file.filename", persistDir
            + "/users-credentials");
    configuration.setProperty("atlas.auth.policy.file",persistDir
            + "/policy-store.txt" );

    TestUtils.writeConfiguration(configuration, persistDir + File.separator +
            ApplicationProperties.APPLICATION_PROPERTIES);

    setupUserCredential(persistDir);
    setUpPolicyStore(persistDir);

    // save original setting
    originalConf = System.getProperty("atlas.conf");
    System.setProperty("atlas.conf", persistDir);

    dgiClient = new AtlasClient(configuration, DGI_URL);


    secureEmbeddedServer = new TestSecureEmbeddedServer(21443, getWarPath()) {
        @Override
        public Configuration getConfiguration() {
            return configuration;
        }
    };
    secureEmbeddedServer.getServer().start();
}
 
Example #12
Source File: TestLdapGroupsMapping.java    From big-c with Apache License 2.0 4 votes vote down vote up
@Test
public void testConfGetPassword() throws Exception {
  File testDir = new File(System.getProperty("test.build.data",
                                             "target/test-dir"));
  Configuration conf = new Configuration();
  final Path jksPath = new Path(testDir.toString(), "test.jks");
  final String ourUrl =
      JavaKeyStoreProvider.SCHEME_NAME + "://file" + jksPath.toUri();

  File file = new File(testDir, "test.jks");
  file.delete();
  conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, ourUrl);

  CredentialProvider provider =
      CredentialProviderFactory.getProviders(conf).get(0);
  char[] bindpass = {'b', 'i', 'n', 'd', 'p', 'a', 's', 's'};
  char[] storepass = {'s', 't', 'o', 'r', 'e', 'p', 'a', 's', 's'};

  // ensure that we get nulls when the key isn't there
  assertEquals(null, provider.getCredentialEntry(
      LdapGroupsMapping.BIND_PASSWORD_KEY));
  assertEquals(null, provider.getCredentialEntry
      (LdapGroupsMapping.LDAP_KEYSTORE_PASSWORD_KEY));

  // create new aliases
  try {
    provider.createCredentialEntry(
        LdapGroupsMapping.BIND_PASSWORD_KEY, bindpass);

    provider.createCredentialEntry(
        LdapGroupsMapping.LDAP_KEYSTORE_PASSWORD_KEY, storepass);
    provider.flush();
  } catch (Exception e) {
    e.printStackTrace();
    throw e;
  }
  // make sure we get back the right key
  assertArrayEquals(bindpass, provider.getCredentialEntry(
      LdapGroupsMapping.BIND_PASSWORD_KEY).getCredential());
  assertArrayEquals(storepass, provider.getCredentialEntry(
      LdapGroupsMapping.LDAP_KEYSTORE_PASSWORD_KEY).getCredential());

  LdapGroupsMapping mapping = new LdapGroupsMapping();
  Assert.assertEquals("bindpass",
      mapping.getPassword(conf, LdapGroupsMapping.BIND_PASSWORD_KEY, ""));
  Assert.assertEquals("storepass",
      mapping.getPassword(conf, LdapGroupsMapping.LDAP_KEYSTORE_PASSWORD_KEY,
         ""));
  // let's make sure that a password that doesn't exist returns an
  // empty string as currently expected and used to trigger a call to
  // extract password
  Assert.assertEquals("", mapping.getPassword(conf,"invalid-alias", ""));
}
 
Example #13
Source File: TestSSLFactory.java    From big-c with Apache License 2.0 4 votes vote down vote up
/**
 * Checks that SSLFactory initialization is successful with the given
 * arguments.  This is a helper method for writing test cases that cover
 * different combinations of settings for the store password and key password.
 * It takes care of bootstrapping a keystore, a truststore, and SSL client or
 * server configuration.  Then, it initializes an SSLFactory.  If no exception
 * is thrown, then initialization was successful.
 *
 * @param mode SSLFactory.Mode mode to test
 * @param password String store password to set on keystore
 * @param keyPassword String key password to set on keystore
 * @param confPassword String store password to set in SSL config file, or null
 *   to avoid setting in SSL config file
 * @param confKeyPassword String key password to set in SSL config file, or
 *   null to avoid setting in SSL config file
 * @param useCredProvider boolean to indicate whether passwords should be set
 * into the config or not. When set to true nulls are set and aliases are
 * expected to be resolved through credential provider API through the
 * Configuration.getPassword method
 * @throws Exception for any error
 */
private void checkSSLFactoryInitWithPasswords(SSLFactory.Mode mode,
    String password, String keyPassword, String confPassword,
    String confKeyPassword, boolean useCredProvider) throws Exception {
  String keystore = new File(KEYSTORES_DIR, "keystore.jks").getAbsolutePath();
  String truststore = new File(KEYSTORES_DIR, "truststore.jks")
    .getAbsolutePath();
  String trustPassword = "trustP";

  // Create keys, certs, keystore, and truststore.
  KeyPair keyPair = KeyStoreTestUtil.generateKeyPair("RSA");
  X509Certificate cert = KeyStoreTestUtil.generateCertificate("CN=Test",
    keyPair, 30, "SHA1withRSA");
  KeyStoreTestUtil.createKeyStore(keystore, password, keyPassword, "Test",
    keyPair.getPrivate(), cert);
  Map<String, X509Certificate> certs = Collections.singletonMap("server",
    cert);
  KeyStoreTestUtil.createTrustStore(truststore, trustPassword, certs);

  // Create SSL configuration file, for either server or client.
  final String sslConfFileName;
  final Configuration sslConf;

  // if the passwords are provisioned in a cred provider then don't set them
  // in the configuration properly - expect them to be resolved through the
  // provider
  if (useCredProvider) {
    confPassword = null;
    confKeyPassword = null;
  }
  if (mode == SSLFactory.Mode.SERVER) {
    sslConfFileName = "ssl-server.xml";
    sslConf = KeyStoreTestUtil.createServerSSLConfig(keystore, confPassword,
      confKeyPassword, truststore);
    if (useCredProvider) {
      File testDir = new File(System.getProperty("test.build.data",
          "target/test-dir"));
      final Path jksPath = new Path(testDir.toString(), "test.jks");
      final String ourUrl =
          JavaKeyStoreProvider.SCHEME_NAME + "://file" + jksPath.toUri();
      sslConf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, ourUrl);
    }
  } else {
    sslConfFileName = "ssl-client.xml";
    sslConf = KeyStoreTestUtil.createClientSSLConfig(keystore, confPassword,
      confKeyPassword, truststore);
  }
  KeyStoreTestUtil.saveConfig(new File(sslConfsDir, sslConfFileName), sslConf);

  // Create the master configuration for use by the SSLFactory, which by
  // default refers to the ssl-server.xml or ssl-client.xml created above.
  Configuration conf = new Configuration();
  conf.setBoolean(SSLFactory.SSL_REQUIRE_CLIENT_CERT_KEY, true);

  // Try initializing an SSLFactory.
  SSLFactory sslFactory = new SSLFactory(mode, conf);
  try {
    sslFactory.init();
  } finally {
    sslFactory.destroy();
  }
}
 
Example #14
Source File: TestWebAppUtils.java    From big-c with Apache License 2.0 4 votes vote down vote up
protected Configuration provisionCredentialsForSSL() throws IOException,
    Exception {
  File testDir = new File(System.getProperty("test.build.data",
      "target/test-dir"));

  Configuration conf = new Configuration();
  final Path jksPath = new Path(testDir.toString(), "test.jks");
  final String ourUrl =
  JavaKeyStoreProvider.SCHEME_NAME + "://file" + jksPath.toUri();

  File file = new File(testDir, "test.jks");
  file.delete();
  conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, ourUrl);

  CredentialProvider provider =
      CredentialProviderFactory.getProviders(conf).get(0);
  char[] keypass = {'k', 'e', 'y', 'p', 'a', 's', 's'};
  char[] storepass = {'s', 't', 'o', 'r', 'e', 'p', 'a', 's', 's'};
  char[] trustpass = {'t', 'r', 'u', 's', 't', 'p', 'a', 's', 's'};

  // ensure that we get nulls when the key isn't there
  assertEquals(null, provider.getCredentialEntry(
      WebAppUtils.WEB_APP_KEY_PASSWORD_KEY));
  assertEquals(null, provider.getCredentialEntry(
      WebAppUtils.WEB_APP_KEYSTORE_PASSWORD_KEY));
  assertEquals(null, provider.getCredentialEntry(
      WebAppUtils.WEB_APP_TRUSTSTORE_PASSWORD_KEY));

  // create new aliases
  try {
    provider.createCredentialEntry(
        WebAppUtils.WEB_APP_KEY_PASSWORD_KEY, keypass);

    provider.createCredentialEntry(
        WebAppUtils.WEB_APP_KEYSTORE_PASSWORD_KEY, storepass);

    provider.createCredentialEntry(
        WebAppUtils.WEB_APP_TRUSTSTORE_PASSWORD_KEY, trustpass);

    // write out so that it can be found in checks
    provider.flush();
  } catch (Exception e) {
    e.printStackTrace();
    throw e;
  }
  // make sure we get back the right key directly from api
  assertArrayEquals(keypass, provider.getCredentialEntry(
      WebAppUtils.WEB_APP_KEY_PASSWORD_KEY).getCredential());
  assertArrayEquals(storepass, provider.getCredentialEntry(
      WebAppUtils.WEB_APP_KEYSTORE_PASSWORD_KEY).getCredential());
  assertArrayEquals(trustpass, provider.getCredentialEntry(
      WebAppUtils.WEB_APP_TRUSTSTORE_PASSWORD_KEY).getCredential());
  return conf;
}
 
Example #15
Source File: TestLdapGroupsMapping.java    From hadoop with Apache License 2.0 4 votes vote down vote up
@Test
public void testConfGetPassword() throws Exception {
  File testDir = new File(System.getProperty("test.build.data",
                                             "target/test-dir"));
  Configuration conf = new Configuration();
  final Path jksPath = new Path(testDir.toString(), "test.jks");
  final String ourUrl =
      JavaKeyStoreProvider.SCHEME_NAME + "://file" + jksPath.toUri();

  File file = new File(testDir, "test.jks");
  file.delete();
  conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, ourUrl);

  CredentialProvider provider =
      CredentialProviderFactory.getProviders(conf).get(0);
  char[] bindpass = {'b', 'i', 'n', 'd', 'p', 'a', 's', 's'};
  char[] storepass = {'s', 't', 'o', 'r', 'e', 'p', 'a', 's', 's'};

  // ensure that we get nulls when the key isn't there
  assertEquals(null, provider.getCredentialEntry(
      LdapGroupsMapping.BIND_PASSWORD_KEY));
  assertEquals(null, provider.getCredentialEntry
      (LdapGroupsMapping.LDAP_KEYSTORE_PASSWORD_KEY));

  // create new aliases
  try {
    provider.createCredentialEntry(
        LdapGroupsMapping.BIND_PASSWORD_KEY, bindpass);

    provider.createCredentialEntry(
        LdapGroupsMapping.LDAP_KEYSTORE_PASSWORD_KEY, storepass);
    provider.flush();
  } catch (Exception e) {
    e.printStackTrace();
    throw e;
  }
  // make sure we get back the right key
  assertArrayEquals(bindpass, provider.getCredentialEntry(
      LdapGroupsMapping.BIND_PASSWORD_KEY).getCredential());
  assertArrayEquals(storepass, provider.getCredentialEntry(
      LdapGroupsMapping.LDAP_KEYSTORE_PASSWORD_KEY).getCredential());

  LdapGroupsMapping mapping = new LdapGroupsMapping();
  Assert.assertEquals("bindpass",
      mapping.getPassword(conf, LdapGroupsMapping.BIND_PASSWORD_KEY, ""));
  Assert.assertEquals("storepass",
      mapping.getPassword(conf, LdapGroupsMapping.LDAP_KEYSTORE_PASSWORD_KEY,
         ""));
  // let's make sure that a password that doesn't exist returns an
  // empty string as currently expected and used to trigger a call to
  // extract password
  Assert.assertEquals("", mapping.getPassword(conf,"invalid-alias", ""));
}
 
Example #16
Source File: TestSSLFactory.java    From hadoop with Apache License 2.0 4 votes vote down vote up
/**
 * Checks that SSLFactory initialization is successful with the given
 * arguments.  This is a helper method for writing test cases that cover
 * different combinations of settings for the store password and key password.
 * It takes care of bootstrapping a keystore, a truststore, and SSL client or
 * server configuration.  Then, it initializes an SSLFactory.  If no exception
 * is thrown, then initialization was successful.
 *
 * @param mode SSLFactory.Mode mode to test
 * @param password String store password to set on keystore
 * @param keyPassword String key password to set on keystore
 * @param confPassword String store password to set in SSL config file, or null
 *   to avoid setting in SSL config file
 * @param confKeyPassword String key password to set in SSL config file, or
 *   null to avoid setting in SSL config file
 * @param useCredProvider boolean to indicate whether passwords should be set
 * into the config or not. When set to true nulls are set and aliases are
 * expected to be resolved through credential provider API through the
 * Configuration.getPassword method
 * @throws Exception for any error
 */
private void checkSSLFactoryInitWithPasswords(SSLFactory.Mode mode,
    String password, String keyPassword, String confPassword,
    String confKeyPassword, boolean useCredProvider) throws Exception {
  String keystore = new File(KEYSTORES_DIR, "keystore.jks").getAbsolutePath();
  String truststore = new File(KEYSTORES_DIR, "truststore.jks")
    .getAbsolutePath();
  String trustPassword = "trustP";

  // Create keys, certs, keystore, and truststore.
  KeyPair keyPair = KeyStoreTestUtil.generateKeyPair("RSA");
  X509Certificate cert = KeyStoreTestUtil.generateCertificate("CN=Test",
    keyPair, 30, "SHA1withRSA");
  KeyStoreTestUtil.createKeyStore(keystore, password, keyPassword, "Test",
    keyPair.getPrivate(), cert);
  Map<String, X509Certificate> certs = Collections.singletonMap("server",
    cert);
  KeyStoreTestUtil.createTrustStore(truststore, trustPassword, certs);

  // Create SSL configuration file, for either server or client.
  final String sslConfFileName;
  final Configuration sslConf;

  // if the passwords are provisioned in a cred provider then don't set them
  // in the configuration properly - expect them to be resolved through the
  // provider
  if (useCredProvider) {
    confPassword = null;
    confKeyPassword = null;
  }
  if (mode == SSLFactory.Mode.SERVER) {
    sslConfFileName = "ssl-server.xml";
    sslConf = KeyStoreTestUtil.createServerSSLConfig(keystore, confPassword,
      confKeyPassword, truststore);
    if (useCredProvider) {
      File testDir = new File(System.getProperty("test.build.data",
          "target/test-dir"));
      final Path jksPath = new Path(testDir.toString(), "test.jks");
      final String ourUrl =
          JavaKeyStoreProvider.SCHEME_NAME + "://file" + jksPath.toUri();
      sslConf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, ourUrl);
    }
  } else {
    sslConfFileName = "ssl-client.xml";
    sslConf = KeyStoreTestUtil.createClientSSLConfig(keystore, confPassword,
      confKeyPassword, truststore);
  }
  KeyStoreTestUtil.saveConfig(new File(sslConfsDir, sslConfFileName), sslConf);

  // Create the master configuration for use by the SSLFactory, which by
  // default refers to the ssl-server.xml or ssl-client.xml created above.
  Configuration conf = new Configuration();
  conf.setBoolean(SSLFactory.SSL_REQUIRE_CLIENT_CERT_KEY, true);

  // Try initializing an SSLFactory.
  SSLFactory sslFactory = new SSLFactory(mode, conf);
  try {
    sslFactory.init();
  } finally {
    sslFactory.destroy();
  }
}
 
Example #17
Source File: TestDFSUtil.java    From hadoop with Apache License 2.0 4 votes vote down vote up
@Test
public void testGetPassword() throws Exception {
  File testDir = new File(System.getProperty("test.build.data",
      "target/test-dir"));

  Configuration conf = new Configuration();
  final Path jksPath = new Path(testDir.toString(), "test.jks");
  final String ourUrl =
  JavaKeyStoreProvider.SCHEME_NAME + "://file" + jksPath.toUri();

  File file = new File(testDir, "test.jks");
  file.delete();
  conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, ourUrl);

  CredentialProvider provider =
      CredentialProviderFactory.getProviders(conf).get(0);
  char[] keypass = {'k', 'e', 'y', 'p', 'a', 's', 's'};
  char[] storepass = {'s', 't', 'o', 'r', 'e', 'p', 'a', 's', 's'};
  char[] trustpass = {'t', 'r', 'u', 's', 't', 'p', 'a', 's', 's'};

  // ensure that we get nulls when the key isn't there
  assertEquals(null, provider.getCredentialEntry(
      DFS_SERVER_HTTPS_KEYPASSWORD_KEY));
  assertEquals(null, provider.getCredentialEntry(
      DFS_SERVER_HTTPS_KEYSTORE_PASSWORD_KEY));
  assertEquals(null, provider.getCredentialEntry(
      DFS_SERVER_HTTPS_TRUSTSTORE_PASSWORD_KEY));

  // create new aliases
  try {
    provider.createCredentialEntry(
        DFS_SERVER_HTTPS_KEYPASSWORD_KEY, keypass);

    provider.createCredentialEntry(
        DFS_SERVER_HTTPS_KEYSTORE_PASSWORD_KEY, storepass);

    provider.createCredentialEntry(
        DFS_SERVER_HTTPS_TRUSTSTORE_PASSWORD_KEY, trustpass);

    // write out so that it can be found in checks
    provider.flush();
  } catch (Exception e) {
    e.printStackTrace();
    throw e;
  }
  // make sure we get back the right key directly from api
  assertArrayEquals(keypass, provider.getCredentialEntry(
      DFS_SERVER_HTTPS_KEYPASSWORD_KEY).getCredential());
  assertArrayEquals(storepass, provider.getCredentialEntry(
      DFS_SERVER_HTTPS_KEYSTORE_PASSWORD_KEY).getCredential());
  assertArrayEquals(trustpass, provider.getCredentialEntry(
      DFS_SERVER_HTTPS_TRUSTSTORE_PASSWORD_KEY).getCredential());

  // use WebAppUtils as would be used by loadSslConfiguration
  Assert.assertEquals("keypass",
      DFSUtil.getPassword(conf, DFS_SERVER_HTTPS_KEYPASSWORD_KEY));
  Assert.assertEquals("storepass",
      DFSUtil.getPassword(conf, DFS_SERVER_HTTPS_KEYSTORE_PASSWORD_KEY));
  Assert.assertEquals("trustpass",
      DFSUtil.getPassword(conf, DFS_SERVER_HTTPS_TRUSTSTORE_PASSWORD_KEY));

  // let's make sure that a password that doesn't exist returns null
  Assert.assertEquals(null, DFSUtil.getPassword(conf,"invalid-alias"));
}
 
Example #18
Source File: TestWebAppUtils.java    From hadoop with Apache License 2.0 4 votes vote down vote up
protected Configuration provisionCredentialsForSSL() throws IOException,
    Exception {
  File testDir = new File(System.getProperty("test.build.data",
      "target/test-dir"));

  Configuration conf = new Configuration();
  final Path jksPath = new Path(testDir.toString(), "test.jks");
  final String ourUrl =
  JavaKeyStoreProvider.SCHEME_NAME + "://file" + jksPath.toUri();

  File file = new File(testDir, "test.jks");
  file.delete();
  conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, ourUrl);

  CredentialProvider provider =
      CredentialProviderFactory.getProviders(conf).get(0);
  char[] keypass = {'k', 'e', 'y', 'p', 'a', 's', 's'};
  char[] storepass = {'s', 't', 'o', 'r', 'e', 'p', 'a', 's', 's'};
  char[] trustpass = {'t', 'r', 'u', 's', 't', 'p', 'a', 's', 's'};

  // ensure that we get nulls when the key isn't there
  assertEquals(null, provider.getCredentialEntry(
      WebAppUtils.WEB_APP_KEY_PASSWORD_KEY));
  assertEquals(null, provider.getCredentialEntry(
      WebAppUtils.WEB_APP_KEYSTORE_PASSWORD_KEY));
  assertEquals(null, provider.getCredentialEntry(
      WebAppUtils.WEB_APP_TRUSTSTORE_PASSWORD_KEY));

  // create new aliases
  try {
    provider.createCredentialEntry(
        WebAppUtils.WEB_APP_KEY_PASSWORD_KEY, keypass);

    provider.createCredentialEntry(
        WebAppUtils.WEB_APP_KEYSTORE_PASSWORD_KEY, storepass);

    provider.createCredentialEntry(
        WebAppUtils.WEB_APP_TRUSTSTORE_PASSWORD_KEY, trustpass);

    // write out so that it can be found in checks
    provider.flush();
  } catch (Exception e) {
    e.printStackTrace();
    throw e;
  }
  // make sure we get back the right key directly from api
  assertArrayEquals(keypass, provider.getCredentialEntry(
      WebAppUtils.WEB_APP_KEY_PASSWORD_KEY).getCredential());
  assertArrayEquals(storepass, provider.getCredentialEntry(
      WebAppUtils.WEB_APP_KEYSTORE_PASSWORD_KEY).getCredential());
  assertArrayEquals(trustpass, provider.getCredentialEntry(
      WebAppUtils.WEB_APP_TRUSTSTORE_PASSWORD_KEY).getCredential());
  return conf;
}
 
Example #19
Source File: SSLAndKerberosTest.java    From atlas with Apache License 2.0 4 votes vote down vote up
public void setUp() throws Exception {
    jksPath = new Path(Files.createTempDirectory("tempproviders").toString(), "test.jks");
    providerUrl = JavaKeyStoreProvider.SCHEME_NAME + "://file/" + jksPath.toUri();

    String persistDir = TestUtils.getTempDirectory();

    setupKDCAndPrincipals();
    setupCredentials();

    // client will actually only leverage subset of these properties
    final PropertiesConfiguration configuration = getSSLConfiguration(providerUrl);

    persistSSLClientConfiguration(configuration);

    TestUtils.writeConfiguration(configuration, persistDir + File.separator +
        ApplicationProperties.APPLICATION_PROPERTIES);

    String confLocation = System.getProperty("atlas.conf");
    URL url;
    if (confLocation == null) {
        url = SSLAndKerberosTest.class.getResource("/" + ApplicationProperties.APPLICATION_PROPERTIES);
    } else {
        url = new File(confLocation, ApplicationProperties.APPLICATION_PROPERTIES).toURI().toURL();
    }
    configuration.load(url);
    configuration.setProperty(TLS_ENABLED, true);
    configuration.setProperty("atlas.authentication.method.kerberos", "true");
    configuration.setProperty("atlas.authentication.keytab",userKeytabFile.getAbsolutePath());
    configuration.setProperty("atlas.authentication.principal","dgi/localhost@"+kdc.getRealm());

    configuration.setProperty("atlas.authentication.method.file", "false");
    configuration.setProperty("atlas.authentication.method.trustedproxy", "false");
    configuration.setProperty("atlas.authentication.method.kerberos", "true");
    configuration.setProperty("atlas.authentication.method.kerberos.principal", "HTTP/localhost@" + kdc.getRealm());
    configuration.setProperty("atlas.authentication.method.kerberos.keytab", httpKeytabFile.getAbsolutePath());
    configuration.setProperty("atlas.authentication.method.kerberos.name.rules",
            "RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//\nDEFAULT");

    configuration.setProperty("atlas.authentication.method.file", "true");
    configuration.setProperty("atlas.authentication.method.file.filename", persistDir
            + "/users-credentials");
    configuration.setProperty("atlas.auth.policy.file",persistDir
            + "/policy-store.txt" );
    TestUtils.writeConfiguration(configuration, persistDir + File.separator +
      "atlas-application.properties");

    setupUserCredential(persistDir);
    setUpPolicyStore(persistDir);

    subject = loginTestUser();
    UserGroupInformation.loginUserFromSubject(subject);
    UserGroupInformation proxyUser = UserGroupInformation.createProxyUser(
        "testUser",
        UserGroupInformation.getLoginUser());

    // save original setting
    originalConf = System.getProperty("atlas.conf");
    System.setProperty("atlas.conf", persistDir);

    originalHomeDir = System.getProperty("atlas.home");
    System.setProperty("atlas.home", TestUtils.getTargetDirectory());

    dgiCLient = proxyUser.doAs(new PrivilegedExceptionAction<AtlasClient>() {
        @Override
        public AtlasClient run() throws Exception {
            return new AtlasClient(configuration, DGI_URL);
        }
    });


    secureEmbeddedServer = new TestSecureEmbeddedServer(21443, getWarPath()) {
        @Override
        public PropertiesConfiguration getConfiguration() {
            return configuration;
        }
    };
    secureEmbeddedServer.getServer().start();
}
 
Example #20
Source File: NegativeSSLAndKerberosTest.java    From atlas with Apache License 2.0 4 votes vote down vote up
public void setUp() throws Exception {
    jksPath = new Path(Files.createTempDirectory("tempproviders").toString(), "test.jks");
    providerUrl = JavaKeyStoreProvider.SCHEME_NAME + "://file/" + jksPath.toUri();

    String persistDir = TestUtils.getTempDirectory();

    setupKDCAndPrincipals();
    setupCredentials();

    // client will actually only leverage subset of these properties
    final PropertiesConfiguration configuration = getSSLConfiguration(providerUrl);

    persistSSLClientConfiguration(configuration);

    TestUtils.writeConfiguration(configuration, persistDir + File.separator +
        ApplicationProperties.APPLICATION_PROPERTIES);

    String confLocation = System.getProperty("atlas.conf");
    URL url;
    if (confLocation == null) {
        url = NegativeSSLAndKerberosTest.class.getResource("/" + ApplicationProperties.APPLICATION_PROPERTIES);
    } else {
        url = new File(confLocation, ApplicationProperties.APPLICATION_PROPERTIES).toURI().toURL();
    }
    configuration.load(url);

    configuration.setProperty(TLS_ENABLED, true);
    configuration.setProperty("atlas.authentication.method.kerberos", "true");
    configuration.setProperty("atlas.authentication.keytab",userKeytabFile.getAbsolutePath());
    configuration.setProperty("atlas.authentication.principal","dgi/localhost@"+kdc.getRealm());

    configuration.setProperty("atlas.authentication.method.file", "false");
    configuration.setProperty("atlas.authentication.method.kerberos", "true");
    configuration.setProperty("atlas.authentication.method.kerberos.principal", "HTTP/localhost@" + kdc.getRealm());
    configuration.setProperty("atlas.authentication.method.kerberos.keytab", httpKeytabFile.getAbsolutePath());
    configuration.setProperty("atlas.authentication.method.kerberos.name.rules",
            "RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//\nDEFAULT");

    configuration.setProperty("atlas.authentication.method.file", "true");
    configuration.setProperty("atlas.authentication.method.file.filename", persistDir
            + "/users-credentials");
    configuration.setProperty("atlas.auth.policy.file",persistDir
            + "/policy-store.txt" );
    configuration.setProperty("atlas.authentication.method.trustedproxy", "false");

    TestUtils.writeConfiguration(configuration, persistDir + File.separator +
            ApplicationProperties.APPLICATION_PROPERTIES);

    setupUserCredential(persistDir);
    setUpPolicyStore(persistDir);

    // save original setting
    originalConf = System.getProperty("atlas.conf");
    System.setProperty("atlas.conf", persistDir);

    dgiClient = new AtlasClient(configuration, DGI_URL);


    secureEmbeddedServer = new TestSecureEmbeddedServer(21443, getWarPath()) {
        @Override
        public Configuration getConfiguration() {
            return configuration;
        }
    };
    secureEmbeddedServer.getServer().start();
}