This is an automated email from the ASF dual-hosted git repository.

zhouxj pushed a commit to branch feature/GEODE-8800
in repository https://gitbox.apache.org/repos/asf/geode.git

commit fec44adfdf573c5dac8f319c1f3e97eb71596fca
Author: zhouxh <[email protected]>
AuthorDate: Tue Jan 5 22:46:57 2021 -0800

    GEODE-8800: Slower receiver is not allowed with cluster TLS/SSL
    
        Co-authored-by: Xiaojian Zhou <[email protected]>
        Co-authored-by: Bill Burcham <[email protected]>
---
 .../apache/geode/internal/SSLConfigJUnitTest.java  | 54 ++++++++++++++++++++++
 .../internal/DistributionConfigImpl.java           | 21 ++++++++-
 2 files changed, 74 insertions(+), 1 deletion(-)

diff --git 
a/geode-core/src/integrationTest/java/org/apache/geode/internal/SSLConfigJUnitTest.java
 
b/geode-core/src/integrationTest/java/org/apache/geode/internal/SSLConfigJUnitTest.java
index 2a3ded9..df70349 100755
--- 
a/geode-core/src/integrationTest/java/org/apache/geode/internal/SSLConfigJUnitTest.java
+++ 
b/geode-core/src/integrationTest/java/org/apache/geode/internal/SSLConfigJUnitTest.java
@@ -14,6 +14,7 @@
  */
 package org.apache.geode.internal;
 
+import static 
org.apache.geode.distributed.ConfigurationProperties.ASYNC_DISTRIBUTION_TIMEOUT;
 import static 
org.apache.geode.distributed.ConfigurationProperties.CLUSTER_SSL_CIPHERS;
 import static 
org.apache.geode.distributed.ConfigurationProperties.CLUSTER_SSL_ENABLED;
 import static 
org.apache.geode.distributed.ConfigurationProperties.CLUSTER_SSL_KEYSTORE;
@@ -51,11 +52,13 @@ import static 
org.apache.geode.distributed.ConfigurationProperties.SERVER_SSL_PR
 import static 
org.apache.geode.distributed.ConfigurationProperties.SERVER_SSL_REQUIRE_AUTHENTICATION;
 import static 
org.apache.geode.distributed.ConfigurationProperties.SERVER_SSL_TRUSTSTORE;
 import static 
org.apache.geode.distributed.ConfigurationProperties.SERVER_SSL_TRUSTSTORE_PASSWORD;
+import static 
org.apache.geode.distributed.ConfigurationProperties.SSL_ENABLED_COMPONENTS;
 import static 
org.apache.geode.distributed.ConfigurationProperties.SSL_ENDPOINT_IDENTIFICATION_ENABLED;
 import static 
org.apache.geode.internal.security.SecurableCommunicationChannel.ALL;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.fail;
 
 import java.util.Map.Entry;
 import java.util.Properties;
@@ -154,6 +157,57 @@ public class SSLConfigJUnitTest {
   public void tearDownTest() {}
 
   @Test
+  public void slowerReceiverShouldThrowExceptionWhenEnabledClusterTLS() throws 
Exception {
+    Properties props = new Properties();
+    props.setProperty(SSL_ENABLED_COMPONENTS, "cluster");
+    props.setProperty(ASYNC_DISTRIBUTION_TIMEOUT, "1");
+
+    try {
+      new DistributionConfigImpl(props);
+      fail("Did not get expected excepion");
+    } catch (IllegalArgumentException e) {
+      if (!e.toString().contains(
+          "async-distribution-timeout greater than 0 is not allowed with 
cluster TLS/SSL.")) {
+        throw new Exception("Did not get expected exception, got this 
instead...", e);
+      }
+    }
+  }
+
+  @Test
+  public void slowerReceiverShouldThrowExceptionWhenEnabledAllTLS() throws 
Exception {
+    Properties props = new Properties();
+    props.setProperty(SSL_ENABLED_COMPONENTS, "all");
+    props.setProperty(ASYNC_DISTRIBUTION_TIMEOUT, "1");
+
+    try {
+      new DistributionConfigImpl(props);
+      fail("Did not get expected excepion");
+    } catch (IllegalArgumentException e) {
+      if (!e.toString().contains(
+          "async-distribution-timeout greater than 0 is not allowed with 
cluster TLS/SSL.")) {
+        throw new Exception("Did not get expected exception, got this 
instead...", e);
+      }
+    }
+  }
+
+  @Test
+  public void slowerReceiverShouldThrowExceptionWhenLegacyClusterTLS() throws 
Exception {
+    Properties props = new Properties();
+    props.setProperty(CLUSTER_SSL_ENABLED, "true");
+    props.setProperty(ASYNC_DISTRIBUTION_TIMEOUT, "1");
+
+    try {
+      new DistributionConfigImpl(props);
+      fail("Did not get expected excepion");
+    } catch (IllegalArgumentException e) {
+      if (!e.toString().contains(
+          "async-distribution-timeout greater than 0 is not allowed with 
cluster TLS/SSL.")) {
+        throw new Exception("Did not get expected exception, got this 
instead...", e);
+      }
+    }
+  }
+
+  @Test
   public void testMCastPortWithClusterSSL() throws Exception {
     Properties props = new Properties();
     // default mcast-port is not 0.
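Review bot: The three new tests are byte-for-byte copies that differ only in the property set at line 68/88/108, and each repeats the `fail("Did not get expected excepion")` typo and a hand-rolled `e.toString().contains(...)` check that rethrows a bare `Exception`. The file already statically imports AssertJ's `assertThat` (line 54), so the expectation is better expressed with `assertThatThrownBy(...).isInstanceOf(IllegalArgumentException.class).hasMessageContaining(...)` from the same `org.assertj.core.api.Assertions` class, which also records the actual exception on failure without the wrapper throw. Nothing here checks the permitted side of the new rule: a config with `ssl-enabled-components=cluster` and the default `async-distribution-timeout`, or with only a non-cluster component secured and a timeout of 1, should still construct, and a test for at least one of those would guard against the validation being made too broad later. A shared helper removes the triplication:

```java
  private static void assertSlowReceiverRejected(String key, String value) {
    Properties props = new Properties();
    props.setProperty(key, value);
    props.setProperty(ASYNC_DISTRIBUTION_TIMEOUT, "1");
    assertThatThrownBy(() -> new DistributionConfigImpl(props))
        .isInstanceOf(IllegalArgumentException.class)
        .hasMessageContaining(
            "async-distribution-timeout greater than 0 is not allowed with cluster TLS/SSL.");
  }

  @Test
  public void slowerReceiverShouldThrowExceptionWhenEnabledClusterTLS() {
    assertSlowReceiverRejected(SSL_ENABLED_COMPONENTS, "cluster");
  }
  // … the other two tests call the helper with ("all") and (CLUSTER_SSL_ENABLED, "true") …
```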
diff --git 
a/geode-core/src/main/java/org/apache/geode/distributed/internal/DistributionConfigImpl.java
 
b/geode-core/src/main/java/org/apache/geode/distributed/internal/DistributionConfigImpl.java
index 1b01dee..35ac545 100644
--- 
a/geode-core/src/main/java/org/apache/geode/distributed/internal/DistributionConfigImpl.java
+++ 
b/geode-core/src/main/java/org/apache/geode/distributed/internal/DistributionConfigImpl.java
@@ -63,6 +63,8 @@ import static 
org.apache.geode.distributed.ConfigurationProperties.SERVER_SSL_RE
 import static 
org.apache.geode.distributed.ConfigurationProperties.SERVER_SSL_TRUSTSTORE;
 import static 
org.apache.geode.distributed.ConfigurationProperties.SERVER_SSL_TRUSTSTORE_PASSWORD;
 import static 
org.apache.geode.distributed.ConfigurationProperties.SSL_ENABLED_COMPONENTS;
+import static 
org.apache.geode.internal.security.SecurableCommunicationChannel.ALL;
+import static 
org.apache.geode.internal.security.SecurableCommunicationChannel.CLUSTER;
 
 import java.io.File;
 import java.io.IOException;
@@ -1030,6 +1032,20 @@ public class DistributionConfigImpl extends 
AbstractDistributionConfig implement
     modifiable = false;
   }
 
+  /*
+   * When ssl-enabled-components specified CLUSTER or ALL, the slower receiver 
is not allowed.
+   * In legacy code, if cluster-ssl-enabled is true, the slower receiver is 
not allowed.
+   */
+  void validateSlowReceiversIncompatibleWithSSL(
+      SecurableCommunicationChannel[] sslEnabledComponents) {
+    if (getAsyncDistributionTimeout() > 0
+        && (getClusterSSLEnabled() || Arrays.stream(sslEnabledComponents)
+            .anyMatch(component -> component == ALL || component == CLUSTER))) 
{
+      throw new IllegalArgumentException(
+          "async-distribution-timeout greater than 0 is not allowed with 
cluster TLS/SSL.");
+    }
+  }
+
   private void validateSSLEnabledComponentsConfiguration() {
     Object value = null;
     try {
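Review bot: The header comment on `validateSlowReceiversIncompatibleWithSSL` states the rule but not the reason, and it is a plain `/* */` block rather than Javadoc, so the constraint will not surface in generated docs and a future maintainer cannot tell when it may be lifted. Suggested replacement: a `/** ... */` block that names the ticket and the condition, e.g. `Rejects async-distribution-timeout > 0 (the "slow receiver" path) when cluster messaging is secured, either via ssl-enabled-components containing CLUSTER or ALL or via the legacy cluster-ssl-enabled flag; see GEODE-8800 for why the two features cannot be combined.`, with `@param sslEnabledComponents` and `@throws IllegalArgumentException` entries. The method also uses `Arrays.stream`, but the import hunk for this file only adds the two `SecurableCommunicationChannel` static imports; presumably `java.util.Arrays` is already imported higher in the file, which cannot be confirmed from this diff. The call site at line 185 runs inside `validateSSLEnabledComponentsConfiguration`, so the legacy `cluster-ssl-enabled` branch is only checked if that method is reached for a config that sets no `ssl-enabled-components`; the new legacy test suggests it is, but it is worth a sentence in the Javadoc. The enclosing `validateSSLEnabledComponentsConfiguration` continues outside this hunk.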
@@ -1049,6 +1065,9 @@ public class DistributionConfigImpl extends 
AbstractDistributionConfig implement
       }
     }
     SecurableCommunicationChannel[] sslEnabledComponents = 
(SecurableCommunicationChannel[]) value;
+
+    validateSlowReceiversIncompatibleWithSSL(sslEnabledComponents);
+
     for (SecurableCommunicationChannel securableCommunicationChannel : 
sslEnabledComponents) {
       if 
(!isAliasCorrectlyConfiguredForComponents(securableCommunicationChannel)) {
         throw new IllegalArgumentException(
@@ -1072,7 +1091,7 @@ public class DistributionConfigImpl extends 
AbstractDistributionConfig implement
         if (StringUtils.isEmpty(getSSLDefaultAlias())) {
           boolean correctAlias = true;
           correctAlias &=
-              
isAliasCorrectlyConfiguredForComponents(SecurableCommunicationChannel.CLUSTER);
+              isAliasCorrectlyConfiguredForComponents(CLUSTER);
           correctAlias &=
               
isAliasCorrectlyConfiguredForComponents(SecurableCommunicationChannel.GATEWAY);
           correctAlias &=
