smiklosovic commented on code in PR #3638: URL: https://github.com/apache/cassandra/pull/3638#discussion_r1824844805
########## test/distributed/org/apache/cassandra/distributed/test/JMXSslConfigDistributedTest.java: ########## @@ -0,0 +1,205 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.cassandra.distributed.test; + +import java.util.Arrays; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import javax.management.remote.rmi.RMIConnectorServer; +import javax.net.ssl.SSLException; +import javax.rmi.ssl.SslRMIClientSocketFactory; + +import com.google.common.collect.ImmutableMap; +import org.junit.After; +import org.junit.Test; + +import org.apache.cassandra.distributed.Cluster; +import org.apache.cassandra.distributed.api.Feature; +import org.apache.cassandra.distributed.impl.JmxTestClientSslContextFactory; +import org.apache.cassandra.distributed.impl.JmxTestClientSslSocketFactory; +import org.apache.cassandra.distributed.shared.WithProperties; +import org.apache.cassandra.distributed.test.jmx.JMXGetterCheckTest; + +import static org.apache.cassandra.config.CassandraRelevantProperties.COM_SUN_MANAGEMENT_JMXREMOTE_SSL; +import static org.apache.cassandra.config.CassandraRelevantProperties.COM_SUN_MANAGEMENT_JMXREMOTE_SSL_ENABLED_CIPHER_SUITES; +import static org.apache.cassandra.config.CassandraRelevantProperties.COM_SUN_MANAGEMENT_JMXREMOTE_SSL_ENABLED_PROTOCOLS; +import static org.apache.cassandra.config.CassandraRelevantProperties.COM_SUN_MANAGEMENT_JMXREMOTE_SSL_NEED_CLIENT_AUTH; +import static org.apache.cassandra.config.CassandraRelevantProperties.JAVAX_RMI_SSL_CLIENT_ENABLED_CIPHER_SUITES; +import static org.apache.cassandra.config.CassandraRelevantProperties.JAVAX_RMI_SSL_CLIENT_ENABLED_PROTOCOLS; + +/** + * Distributed tests for JMX SSL configuration via the system properties OR the encryption options in the cassandra.yaml. + */ +public class JMXSslConfigDistributedTest extends AbstractEncryptionOptionsImpl +{ + @After + public void resetJmxSslSystemProperties() + { + COM_SUN_MANAGEMENT_JMXREMOTE_SSL.reset(); + COM_SUN_MANAGEMENT_JMXREMOTE_SSL_NEED_CLIENT_AUTH.reset(); + COM_SUN_MANAGEMENT_JMXREMOTE_SSL_ENABLED_PROTOCOLS.reset(); + COM_SUN_MANAGEMENT_JMXREMOTE_SSL_ENABLED_CIPHER_SUITES.reset(); + JAVAX_RMI_SSL_CLIENT_ENABLED_PROTOCOLS.reset(); + JAVAX_RMI_SSL_CLIENT_ENABLED_CIPHER_SUITES.reset(); + } + + @Test + public void testDefaultEncryptionOptions() throws Throwable + { + // We must set the keystore in the system variable to make sure that the call to SSLContext.getDefault() + // uses it when Client SSL Socketfactory is initialized even if we don't need it here. + // The same default SSLContext.getDefault() will be used by other methods like testSystemSettings() in this test + // for the Server SSL Socketfactory and at that time we will need the keystore to be available + // All of the above is the issue because we run everything (JMX Server, Client) in the same JVM, multiple times + // and the SSLContext.getDefault() relies on static initialization that is reused + try(WithProperties withProperties = new WithProperties().with("javax.net.ssl.trustStore", (String)validKeystore.get("truststore"), + "javax.net.ssl.trustStorePassword", (String)validKeystore.get("truststore_password"), + "javax.net.ssl.keyStore", (String)validKeystore.get("keystore"), + "javax.net.ssl.keyStorePassword", (String)validKeystore.get("keystore_password")) + ) + { + ImmutableMap<String, Object> encryptionOptionsMap = ImmutableMap.<String, Object>builder().putAll(validKeystore) + .put("enabled", true) + .put("accepted_protocols", Arrays.asList("TLSv1.2", "TLSv1.3", "TLSv1.1")) + .build(); + + try (Cluster cluster = builder().withNodes(1).withConfig(c -> { + c.with(Feature.JMX); + c.set("jmx_encryption_options", encryptionOptionsMap); + }).start()) + { + Map<String, Object> jmxEnv = new HashMap<>(); + configureClientSocketFactory(jmxEnv, encryptionOptionsMap); + // Invoke the same code vs duplicating any code from the JMXGetterCheckTest + JMXGetterCheckTest.testAllValidGetters(cluster, jmxEnv); + } + } + } + + @Test + public void testClientAuth() throws Throwable + { + try(WithProperties withProperties = new WithProperties().with("javax.net.ssl.trustStore", (String)validKeystore.get("truststore"), + "javax.net.ssl.trustStorePassword", (String)validKeystore.get("truststore_password"), + "javax.net.ssl.keyStore", (String)validKeystore.get("keystore"), + "javax.net.ssl.keyStorePassword", (String)validKeystore.get("keystore_password")) + ) + { + ImmutableMap<String, Object> encryptionOptionsMap = ImmutableMap.<String, Object>builder().putAll(validKeystore) + .put("enabled", true) + .put("require_client_auth", true) + .put("accepted_protocols", Arrays.asList("TLSv1.2", "TLSv1.3", "TLSv1.1")) + .build(); + + try (Cluster cluster = builder().withNodes(1).withConfig(c -> { + c.with(Feature.JMX); + c.set("jmx_encryption_options", encryptionOptionsMap); + }).start()) + { + Map<String, Object> jmxEnv = new HashMap<>(); + configureClientSocketFactory(jmxEnv, encryptionOptionsMap); + // Invoke the same code vs duplicating any code from the JMXGetterCheckTest + JMXGetterCheckTest.testAllValidGetters(cluster, jmxEnv); + } + } + } + + @Test + public void testSystemSettings() throws Throwable + { + COM_SUN_MANAGEMENT_JMXREMOTE_SSL.setBoolean(true); + COM_SUN_MANAGEMENT_JMXREMOTE_SSL_NEED_CLIENT_AUTH.setBoolean(false); + COM_SUN_MANAGEMENT_JMXREMOTE_SSL_ENABLED_PROTOCOLS.setString("TLSv1.2,TLSv1.3,TLSv1.1"); + COM_SUN_MANAGEMENT_JMXREMOTE_SSL_ENABLED_CIPHER_SUITES.reset(); + try(WithProperties withProperties = new WithProperties().with("javax.net.ssl.trustStore", (String)validKeystore.get("truststore"), + "javax.net.ssl.trustStorePassword", (String)validKeystore.get("truststore_password"), + "javax.net.ssl.keyStore", (String)validKeystore.get("keystore"), + "javax.net.ssl.keyStorePassword", (String)validKeystore.get("keystore_password")) + ) + { + try (Cluster cluster = builder().withNodes(1).withConfig(c -> { + c.with(Feature.JMX); + }).start()) + { + Map<String, Object> jmxEnv = new HashMap<>(); + SslRMIClientSocketFactory clientFactory = new SslRMIClientSocketFactory(); + jmxEnv.put(RMIConnectorServer.RMI_CLIENT_SOCKET_FACTORY_ATTRIBUTE, clientFactory); + jmxEnv.put("com.sun.jndi.rmi.factory.socket", clientFactory); + // Invoke the same code vs duplicating any code from the JMXGetterCheckTest + JMXGetterCheckTest.testAllValidGetters(cluster, jmxEnv); + } + } + } + + @Test + public void testInvalidKeystorePath() throws Throwable + { + ImmutableMap<String, Object> encryptionOptionsMap = ImmutableMap.<String, Object>builder() Review Comment: just put `encryptionOptionsMap` into c.set(...), just inline it all and everywhere -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: pr-unsubscr...@cassandra.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: pr-unsubscr...@cassandra.apache.org For additional commands, e-mail: pr-h...@cassandra.apache.org
