This is an automated email from the ASF dual-hosted git repository. zhouxj pushed a commit to branch feature/GEODE-8800 in repository https://gitbox.apache.org/repos/asf/geode.git
commit fec44adfdf573c5dac8f319c1f3e97eb71596fca Author: zhouxh <[email protected]> AuthorDate: Tue Jan 5 22:46:57 2021 -0800 GEODE-8800: Slower receiver is not allowed with cluster TLS/SSL Co-authored-by: Xiaojian Zhou <[email protected]> Co-authored-by: Bill Burcham <[email protected]> --- .../apache/geode/internal/SSLConfigJUnitTest.java | 54 ++++++++++++++++++++++ .../internal/DistributionConfigImpl.java | 21 ++++++++- 2 files changed, 74 insertions(+), 1 deletion(-)
diff --git a/geode-core/src/integrationTest/java/org/apache/geode/internal/SSLConfigJUnitTest.java b/geode-core/src/integrationTest/java/org/apache/geode/internal/SSLConfigJUnitTest.java
index 2a3ded9..df70349 100755
--- a/geode-core/src/integrationTest/java/org/apache/geode/internal/SSLConfigJUnitTest.java
+++ b/geode-core/src/integrationTest/java/org/apache/geode/internal/SSLConfigJUnitTest.java
@@ -14,6 +14,7 @@
 */
 package org.apache.geode.internal;
+import static org.apache.geode.distributed.ConfigurationProperties.ASYNC_DISTRIBUTION_TIMEOUT;
 import static org.apache.geode.distributed.ConfigurationProperties.CLUSTER_SSL_CIPHERS;
 import static org.apache.geode.distributed.ConfigurationProperties.CLUSTER_SSL_ENABLED;
 import static org.apache.geode.distributed.ConfigurationProperties.CLUSTER_SSL_KEYSTORE;
@@ -51,11 +52,13 @@ import static org.apache.geode.distributed.ConfigurationProperties.SERVER_SSL_PR
 import static org.apache.geode.distributed.ConfigurationProperties.SERVER_SSL_REQUIRE_AUTHENTICATION;
 import static org.apache.geode.distributed.ConfigurationProperties.SERVER_SSL_TRUSTSTORE;
 import static org.apache.geode.distributed.ConfigurationProperties.SERVER_SSL_TRUSTSTORE_PASSWORD;
+import static org.apache.geode.distributed.ConfigurationProperties.SSL_ENABLED_COMPONENTS;
 import static org.apache.geode.distributed.ConfigurationProperties.SSL_ENDPOINT_IDENTIFICATION_ENABLED;
 import static org.apache.geode.internal.security.SecurableCommunicationChannel.ALL;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.fail;
 import java.util.Map.Entry;
 import java.util.Properties;
@@ -154,6 +157,57 @@ public class SSLConfigJUnitTest {
 public void tearDownTest() {}
 @Test
+ public void slowerReceiverShouldThrowExceptionWhenEnabledClusterTLS() throws Exception {
+ Properties props = new Properties();
+ props.setProperty(SSL_ENABLED_COMPONENTS, "cluster");
+ props.setProperty(ASYNC_DISTRIBUTION_TIMEOUT, "1");
+
+ try {
+ new DistributionConfigImpl(props);
+ fail("Did not get expected excepion");
+ } catch (IllegalArgumentException e) {
+ if (!e.toString().contains(
+ "async-distribution-timeout greater than 0 is not allowed with cluster TLS/SSL.")) {
+ throw new Exception("Did not get expected exception, got this instead...", e);
+ }
+ }
+ }
+
+ @Test
+ public void slowerReceiverShouldThrowExceptionWhenEnabledAllTLS() throws Exception {
+ Properties props = new Properties();
+ props.setProperty(SSL_ENABLED_COMPONENTS, "all");
+ props.setProperty(ASYNC_DISTRIBUTION_TIMEOUT, "1");
+
+ try {
+ new DistributionConfigImpl(props);
+ fail("Did not get expected excepion");
+ } catch (IllegalArgumentException e) {
+ if (!e.toString().contains(
+ "async-distribution-timeout greater than 0 is not allowed with cluster TLS/SSL.")) {
+ throw new Exception("Did not get expected exception, got this instead...", e);
+ }
+ }
+ }
+
+ @Test
+ public void slowerReceiverShouldThrowExceptionWhenLegacyClusterTLS() throws Exception {
+ Properties props = new Properties();
+ props.setProperty(CLUSTER_SSL_ENABLED, "true");
+ props.setProperty(ASYNC_DISTRIBUTION_TIMEOUT, "1");
+
+ try {
+ new DistributionConfigImpl(props);
+ fail("Did not get expected excepion");
+ } catch (IllegalArgumentException e) {
+ if (!e.toString().contains(
+ "async-distribution-timeout greater than 0 is not allowed with cluster TLS/SSL.")) {
+ throw new Exception("Did not get expected exception, got this instead...", e);
+ }
+ }
+ }
+
+ @Test
 public void testMCastPortWithClusterSSL() throws Exception {
 Properties props = new Properties();
 // default mcast-port is not 0.
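Review bot: The three new tests only show that a positive `async-distribution-timeout` is rejected; nothing in this hunk shows that it is still accepted when TLS is enabled for a non-cluster component (for example `ssl-enabled-components=server`) or when the timeout is left at 0, so an over-broad condition in `validateSlowReceiversIncompatibleWithSSL` would pass this suite unnoticed — a fourth test that constructs `new DistributionConfigImpl(props)` for such a property set (assuming the constructor accepts it without further SSL settings, which this file does not show) would pin the boundary. The three bodies are identical apart from the property that turns cluster TLS on, each matches on `e.toString()` and rethrows a bare `Exception`, and the failure text is misspelled (`"Did not get expected excepion"`); the existing `assertThat` import shows AssertJ is on the classpath, so a shared helper using `assertThatThrownBy` (static import from `org.assertj.core.api.Assertions`) replaces the try/fail/catch blocks and the duplicated literal. Also, the first new method is placed under the pre-existing `@Test` annotation and a new `@Test` is added in front of `testMCastPortWithClusterSSL`, which reads as a moved annotation; inserting the new methods after that test keeps the diff local.
```java
  /** Asserts that building a config from {@code props} is refused by the slow-receiver/cluster-TLS check. */
  private static void assertSlowReceiverRejected(Properties props) {
    assertThatThrownBy(() -> new DistributionConfigImpl(props))
        .isInstanceOf(IllegalArgumentException.class)
        .hasMessageContaining(
            "async-distribution-timeout greater than 0 is not allowed with cluster TLS/SSL.");
  }

  @Test
  public void slowerReceiverShouldThrowExceptionWhenEnabledClusterTLS() {
    Properties props = new Properties();
    props.setProperty(SSL_ENABLED_COMPONENTS, "cluster");
    props.setProperty(ASYNC_DISTRIBUTION_TIMEOUT, "1");
    assertSlowReceiverRejected(props);
  }

  // … unchanged in shape: the "all" and legacy cluster-ssl-enabled variants call the same helper …

  @Test
  public void slowerReceiverIsAllowedWhenTimeoutIsZeroWithClusterTLS() {
    Properties props = new Properties();
    props.setProperty(SSL_ENABLED_COMPONENTS, "cluster");
    props.setProperty(ASYNC_DISTRIBUTION_TIMEOUT, "0");
    new DistributionConfigImpl(props); // must not throw: timeout 0 is the default, non-slow-receiver mode
  }
```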
diff --git a/geode-core/src/main/java/org/apache/geode/distributed/internal/DistributionConfigImpl.java b/geode-core/src/main/java/org/apache/geode/distributed/internal/DistributionConfigImpl.java
index 1b01dee..35ac545 100644
--- a/geode-core/src/main/java/org/apache/geode/distributed/internal/DistributionConfigImpl.java
+++ b/geode-core/src/main/java/org/apache/geode/distributed/internal/DistributionConfigImpl.java
@@ -63,6 +63,8 @@ import static org.apache.geode.distributed.ConfigurationProperties.SERVER_SSL_RE
 import static org.apache.geode.distributed.ConfigurationProperties.SERVER_SSL_TRUSTSTORE;
 import static org.apache.geode.distributed.ConfigurationProperties.SERVER_SSL_TRUSTSTORE_PASSWORD;
 import static org.apache.geode.distributed.ConfigurationProperties.SSL_ENABLED_COMPONENTS;
+import static org.apache.geode.internal.security.SecurableCommunicationChannel.ALL;
+import static org.apache.geode.internal.security.SecurableCommunicationChannel.CLUSTER;
 import java.io.File;
 import java.io.IOException;
@@ -1030,6 +1032,20 @@ public class DistributionConfigImpl extends AbstractDistributionConfig implement
 modifiable = false;
 }
+ /*
+ * When ssl-enabled-components specified CLUSTER or ALL, the slower receiver is not allowed.
+ * In legacy code, if cluster-ssl-enabled is true, the slower receiver is not allowed.
+ */
+ void validateSlowReceiversIncompatibleWithSSL(
+ SecurableCommunicationChannel[] sslEnabledComponents) {
+ if (getAsyncDistributionTimeout() > 0
+ && (getClusterSSLEnabled() || Arrays.stream(sslEnabledComponents)
+ .anyMatch(component -> component == ALL || component == CLUSTER))) {
+ throw new IllegalArgumentException(
+ "async-distribution-timeout greater than 0 is not allowed with cluster TLS/SSL.");
+ }
+ }
+
 private void validateSSLEnabledComponentsConfiguration() {
 Object value = null;
 try {
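Review bot: In the second hunk (@@ -1030) the block comment above `validateSlowReceiversIncompatibleWithSSL` restates the condition the code already expresses but never says why a positive `async-distribution-timeout` cannot coexist with cluster TLS, which is the one thing a maintainer revisiting this rule will need; it is also a `/* */` comment on a package-private method that throws, so it should be a Javadoc of roughly this form: `/** Rejects the "slow receiver" mode (async-distribution-timeout > 0) when TLS is enabled on the cluster channel, either via ssl-enabled-components containing CLUSTER or ALL or via the legacy cluster-ssl-enabled flag — <one-line reason from GEODE-8800>. @throws IllegalArgumentException when both are configured */`, with the reason filled in from the ticket rather than left as a reference. The message literal `"async-distribution-timeout greater than 0 is not allowed with cluster TLS/SSL."` is repeated three times in SSLConfigJUnitTest; hoisting it to a package-visible constant on this class keeps the tests from drifting from the code. The helper also assumes `sslEnabledComponents` is non-null; that holds only if the cast in `validateSSLEnabledComponentsConfiguration` (whose body continues outside this hunk) can never produce null, so either document that precondition or add `Objects.requireNonNull(sslEnabledComponents, "sslEnabledComponents")`.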
@@ -1049,6 +1065,9 @@ public class DistributionConfigImpl extends AbstractDistributionConfig implement
 }
 }
 SecurableCommunicationChannel[] sslEnabledComponents = (SecurableCommunicationChannel[]) value;
+
+ validateSlowReceiversIncompatibleWithSSL(sslEnabledComponents);
+
 for (SecurableCommunicationChannel securableCommunicationChannel : sslEnabledComponents) {
 if (!isAliasCorrectlyConfiguredForComponents(securableCommunicationChannel)) {
 throw new IllegalArgumentException(
@@ -1072,7 +1091,7 @@ public class DistributionConfigImpl extends AbstractDistributionConfig implement
 if (StringUtils.isEmpty(getSSLDefaultAlias())) {
 boolean correctAlias = true;
 correctAlias &=
- isAliasCorrectlyConfiguredForComponents(SecurableCommunicationChannel.CLUSTER);
+ isAliasCorrectlyConfiguredForComponents(CLUSTER);
 correctAlias &=
 isAliasCorrectlyConfiguredForComponents(SecurableCommunicationChannel.GATEWAY);
 correctAlias &=
