Github user arina-ielchiieva commented on a diff in the pull request:
https://github.com/apache/drill/pull/950#discussion_r142683194
--- Diff:
exec/java-exec/src/test/java/org/apache/drill/exec/rpc/user/security/TestUserBitSSL.java
---
@@ -0,0 +1,338 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.drill.exec.rpc.user.security;
+
+import com.typesafe.config.ConfigValueFactory;
+import io.netty.handler.ssl.util.SelfSignedCertificate;
+import junit.framework.TestCase;
+import org.apache.drill.BaseTestQuery;
+import org.apache.drill.common.config.DrillConfig;
+import org.apache.drill.common.config.DrillProperties;
+import org.apache.drill.exec.ExecConstants;
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import java.io.File;
+import java.io.FileOutputStream;
+import java.net.InetAddress;
+import java.security.KeyStore;
+import java.util.Properties;
+
+import static junit.framework.TestCase.fail;
+import static org.junit.Assert.assertEquals;
+
+public class TestUserBitSSL extends BaseTestQuery {
+ private static final org.slf4j.Logger logger =
+ org.slf4j.LoggerFactory.getLogger(TestUserBitSSL.class);
+
+ private static DrillConfig newConfig;
+ private static Properties initProps; // initial client properties
+ private static ClassLoader classLoader;
+ private static String ksPath;
+ private static String tsPath;
+ private static String emptyTSPath;
+ private static String unknownKsPath;
+
+ @BeforeClass
+ public static void setupTest() throws Exception {
+
+ // Create a new DrillConfig
+ classLoader = TestUserBitSSL.class.getClassLoader();
+ ksPath = new
File(classLoader.getResource("ssl/keystore.ks").getFile()).getAbsolutePath();
+ unknownKsPath = new
File(classLoader.getResource("ssl/unknownkeystore.ks").getFile()).getAbsolutePath();
+ tsPath = new
File(classLoader.getResource("ssl/truststore.ks").getFile()).getAbsolutePath();
+ emptyTSPath = new
File(classLoader.getResource("ssl/emptytruststore.ks").getFile()).getAbsolutePath();
+ newConfig = new
DrillConfig(DrillConfig.create(cloneDefaultTestConfigProperties())
+ .withValue(ExecConstants.SSL_USE_HADOOP_CONF,
+ ConfigValueFactory.fromAnyRef(false))
+ .withValue(ExecConstants.USER_SSL_ENABLED,
+ ConfigValueFactory.fromAnyRef(true))
+ .withValue(ExecConstants.SSL_KEYSTORE_TYPE,
+ ConfigValueFactory.fromAnyRef("JKS"))
+ .withValue(ExecConstants.SSL_KEYSTORE_PATH,
+ ConfigValueFactory.fromAnyRef(ksPath))
+ .withValue(ExecConstants.SSL_KEYSTORE_PASSWORD,
+ ConfigValueFactory.fromAnyRef("drill123"))
+ .withValue(ExecConstants.SSL_KEY_PASSWORD,
+ ConfigValueFactory.fromAnyRef("drill123"))
+ .withValue(ExecConstants.SSL_TRUSTSTORE_TYPE,
+ ConfigValueFactory.fromAnyRef("JKS"))
+ .withValue(ExecConstants.SSL_TRUSTSTORE_PATH,
+ ConfigValueFactory.fromAnyRef(tsPath))
+ .withValue(ExecConstants.SSL_TRUSTSTORE_PASSWORD,
+ ConfigValueFactory.fromAnyRef("drill123"))
+ .withValue(ExecConstants.SSL_PROTOCOL,
+ ConfigValueFactory.fromAnyRef("TLSv1.2")),
+ false);
+
+ initProps = new Properties();
+ initProps.setProperty(DrillProperties.ENABLE_TLS, "true");
+ initProps.setProperty(DrillProperties.TRUSTSTORE_PATH, tsPath);
+ initProps.setProperty(DrillProperties.TRUSTSTORE_PASSWORD, "drill123");
+ initProps.setProperty(DrillProperties.DISABLE_HOST_VERIFICATION,
"true");
+
+ // Start an SSL enabled cluster
+ updateTestCluster(1, newConfig, initProps);
+ }
+
+ @AfterClass
+ public static void cleanTest() throws Exception {
+ DrillConfig restoreConfig =
+ new
DrillConfig(DrillConfig.create(cloneDefaultTestConfigProperties()), false);
+ updateTestCluster(1, restoreConfig);
+ }
+
+ @Test
+ public void testSSLConnection() throws Exception {
+ final Properties connectionProps = new Properties();
+ connectionProps.setProperty(DrillProperties.ENABLE_TLS, "true");
+ connectionProps.setProperty(DrillProperties.TRUSTSTORE_PATH, tsPath);
+ connectionProps.setProperty(DrillProperties.TRUSTSTORE_PASSWORD,
"drill123");
+ connectionProps.setProperty(DrillProperties.DISABLE_HOST_VERIFICATION,
"true");
+ try {
+ updateClient(connectionProps);
+ } catch (Exception e) {
+ TestCase.fail( new StringBuilder()
+ .append("SSL Connection failed with exception [" )
+ .append( e.getMessage() )
+ .append("]")
+ .toString());
+ }
+ }
+
+ @Test
+ public void testSSLConnectionWithKeystore() throws Exception {
+ final Properties connectionProps = new Properties();
+ connectionProps.setProperty(DrillProperties.ENABLE_TLS, "true");
+ connectionProps.setProperty(DrillProperties.TRUSTSTORE_PATH, ksPath);
+ connectionProps.setProperty(DrillProperties.TRUSTSTORE_PASSWORD,
"drill123");
+ connectionProps.setProperty(DrillProperties.DISABLE_HOST_VERIFICATION,
"true");
+ try {
+ updateClient(connectionProps);
+ } catch (Exception e) {
+ TestCase.fail( new StringBuilder()
+ .append("SSL Connection failed with exception [" )
+ .append( e.getMessage() )
+ .append("]")
+ .toString());
+ }
+ }
+
+ @Test
+ public void testSSLConnectionFailBadTrustStore() throws Exception {
+ final Properties connectionProps = new Properties();
+ connectionProps.setProperty(DrillProperties.ENABLE_TLS, "true");
+ connectionProps.setProperty(DrillProperties.TRUSTSTORE_PATH, ""); //
NO truststore
+ connectionProps.setProperty(DrillProperties.TRUSTSTORE_PASSWORD,
"drill123");
+ connectionProps.setProperty(DrillProperties.DISABLE_HOST_VERIFICATION,
"true");
+ boolean failureCaught = false;
+ try {
+ updateClient(connectionProps);
+ } catch (Exception e) {
+ failureCaught = true;
+ }
+ assertEquals(failureCaught, true);
+ }
+
+ @Test
+ public void testSSLConnectionFailBadPassword() throws Exception {
+ final Properties connectionProps = new Properties();
+ connectionProps.setProperty(DrillProperties.ENABLE_TLS, "true");
+ connectionProps.setProperty(DrillProperties.TRUSTSTORE_PATH, tsPath);
+ connectionProps.setProperty(DrillProperties.TRUSTSTORE_PASSWORD,
"bad_password");
+ connectionProps.setProperty(DrillProperties.DISABLE_HOST_VERIFICATION,
"true");
+ boolean failureCaught = false;
+ try {
+ updateClient(connectionProps);
+ } catch (Exception e) {
+ failureCaught = true;
+ }
+ assertEquals(failureCaught, true);
+ }
+
+ @Test
+ public void testSSLConnectionFailEmptyTrustStore() throws Exception {
+ final Properties connectionProps = new Properties();
+ connectionProps.setProperty(DrillProperties.ENABLE_TLS, "true");
+ connectionProps.setProperty(DrillProperties.TRUSTSTORE_PATH,
emptyTSPath);
+ connectionProps.setProperty(DrillProperties.TRUSTSTORE_PASSWORD,
"drill123");
+ connectionProps.setProperty(DrillProperties.DISABLE_HOST_VERIFICATION,
"true");
+ boolean failureCaught = false;
+ try {
+ updateClient(connectionProps);
+ } catch (Exception e) {
+ failureCaught = true;
+ }
+ assertEquals(failureCaught, true);
+ }
+
+ @Test
+ public void testSSLQuery() throws Exception {
+ final Properties connectionProps = new Properties();
+ connectionProps.setProperty(DrillProperties.ENABLE_TLS, "true");
+ connectionProps.setProperty(DrillProperties.TRUSTSTORE_PATH, tsPath);
+ connectionProps.setProperty(DrillProperties.TRUSTSTORE_PASSWORD,
"drill123");
+ connectionProps.setProperty(DrillProperties.DISABLE_HOST_VERIFICATION,
"true");
+ try {
+ updateClient(connectionProps);
+ } catch (Exception e) {
+ TestCase.fail( new StringBuilder()
+ .append("SSL Connection failed with exception [" )
+ .append( e.getMessage() )
+ .append("]")
+ .toString());
+ }
+ test("SELECT * FROM cp.`region.json`");
+ }
+
+ @Test
+ public void testClientConfigHostnameVerification() {
+ String password = "test_password";
+ String trustStoreFileName = "drillTestTrustStore";
+ String keyStoreFileName = "drillTestKeyStore";
+ KeyStore ts, ks;
+ File tempFile1, tempFile2;
+ String trustStorePath;
+ String keyStorePath;
+
+ try {
+ String fqdn = InetAddress.getLocalHost().getHostName();
+ SelfSignedCertificate certificate = new SelfSignedCertificate(fqdn);
+
+ tempFile1 = File.createTempFile(trustStoreFileName, ".ks");
+ tempFile1.deleteOnExit();
+ trustStorePath = tempFile1.getAbsolutePath();
+ //generate a truststore.
+ ts = KeyStore.getInstance(KeyStore.getDefaultType());
+ ts.load(null, password.toCharArray());
+ ts.setCertificateEntry("drillTest", certificate.cert());
+ // Store away the truststore.
+ FileOutputStream fos1 = new FileOutputStream(tempFile1);
+ ts.store(fos1, password.toCharArray());
+ fos1.close();
--- End diff --
It's better to use try with resources thus stream will be definitely closed
in case of exception.
---
