Review fixes, simplify test config a bit

Author: bbeaudreault

hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/tls/HBaseTrustManager.java

@@ -49,7 +49,7 @@ public class HBaseTrustManager extends X509ExtendedTrustManager {
   private final HBaseHostnameVerifier hostnameVerifier;
 
   /**
-   * Instantiate a new ZKTrustManager.
+   * Instantiate a new HBaseTrustManager.
    * @param x509ExtendedTrustManager          The trustmanager to use for
    *                                          checkClientTrusted/checkServerTrusted logic
    * @param serverHostnameVerificationEnabled If true, this TrustManager should verify hostnames of

hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/tls/X509Util.java

@@ -80,13 +80,13 @@ public final class X509Util {
   private static final String TLS_ENABLED_PROTOCOLS = CONFIG_PREFIX + "enabledProtocols";
   private static final String TLS_CIPHER_SUITES = CONFIG_PREFIX + "ciphersuites";
 
-  public static final String TLS_CONFIG_VERIFY_CLIENT_HOSTNAMES =
-    CONFIG_PREFIX + "verify.client.hostnames";
-  public static final String TLS_CONFIG_VERIFY_SERVER_HOSTNAMES =
-    CONFIG_PREFIX + "verify.server.hostnames";
-
   public static final String TLS_CONFIG_CLIENT_AUTH_MODE = CONFIG_PREFIX + "client.auth.mode";
 
+  public static final String HBASE_SERVER_NETTY_TLS_VERIFY_CLIENT_HOSTNAME =
+    "hbase.server.netty.tls.verify.client.hostname";
+  public static final String HBASE_CLIENT_NETTY_TLS_VERIFY_SERVER_HOSTNAME =
+    "hbase.client.netty.tls.verify.server.hostname";
+
   public static final String HBASE_CLIENT_NETTY_TLS_ENABLED = "hbase.client.netty.tls.enabled";
   public static final String HBASE_SERVER_NETTY_TLS_ENABLED = "hbase.server.netty.tls.enabled";
 
@@ -210,13 +210,14 @@ public static SslContext createSslContextForClient(Configuration config)
     boolean sslCrlEnabled = config.getBoolean(TLS_CONFIG_CLR, false);
     boolean sslOcspEnabled = config.getBoolean(TLS_CONFIG_OCSP, false);
 
-    boolean verifyServerHostnames = config.getBoolean(TLS_CONFIG_VERIFY_SERVER_HOSTNAMES, true);
+    boolean verifyServerHostname =
+      config.getBoolean(HBASE_CLIENT_NETTY_TLS_VERIFY_SERVER_HOSTNAME, true);
 
     if (trustStoreLocation.isEmpty()) {
       LOG.warn(TLS_CONFIG_TRUSTSTORE_LOCATION + " not specified");
     } else {
       sslContextBuilder.trustManager(createTrustManager(trustStoreLocation, trustStorePassword,
-        trustStoreType, sslCrlEnabled, sslOcspEnabled, verifyServerHostnames, false));
+        trustStoreType, sslCrlEnabled, sslOcspEnabled, verifyServerHostname, false));
     }
 
     sslContextBuilder.enableOcsp(sslOcspEnabled);
@@ -252,13 +253,14 @@ public static SslContext createSslContextForServer(Configuration config)
     boolean sslOcspEnabled = config.getBoolean(TLS_CONFIG_OCSP, false);
 
     ClientAuth clientAuth = ClientAuth.fromPropertyValue(config.get(TLS_CONFIG_CLIENT_AUTH_MODE));
-    boolean verifyClientHostnames = config.getBoolean(TLS_CONFIG_VERIFY_CLIENT_HOSTNAMES, true);
+    boolean verifyClientHostname =
+      config.getBoolean(HBASE_SERVER_NETTY_TLS_VERIFY_CLIENT_HOSTNAME, true);
 
     if (trustStoreLocation.isEmpty()) {
       LOG.warn(TLS_CONFIG_TRUSTSTORE_LOCATION + " not specified");
     } else {
       sslContextBuilder.trustManager(createTrustManager(trustStoreLocation, trustStorePassword,
-        trustStoreType, sslCrlEnabled, sslOcspEnabled, false, verifyClientHostnames));
+        trustStoreType, sslCrlEnabled, sslOcspEnabled, false, verifyClientHostname));
     }
 
     sslContextBuilder.enableOcsp(sslOcspEnabled);
@@ -317,22 +319,22 @@ static X509KeyManager createKeyManager(String keyStoreLocation, String keyStoreP
   /**
    * Creates a trust manager by loading the trust store from the given file of the given type,
    * optionally decrypting it using the given password.
-   * @param trustStoreLocation    the location of the trust store file.
-   * @param trustStorePassword    optional password to decrypt the trust store (only applies to JKS
-   *                              trust stores). If empty, assumes the trust store is not encrypted.
-   * @param trustStoreType        must be JKS, PEM, PKCS12, BCFKS or null. If null, attempts to
-   *                              autodetect the trust store type from the file extension (e.g. .jks
-   *                              / .pem).
-   * @param crlEnabled            enable CRL (certificate revocation list) checks.
-   * @param ocspEnabled           enable OCSP (online certificate status protocol) checks.
-   * @param verifyClientHostnames if true, client hostname must match name in certificate
-   * @param verifyServerHostnames if true, server hostname must match name in certificate
+   * @param trustStoreLocation   the location of the trust store file.
+   * @param trustStorePassword   optional password to decrypt the trust store (only applies to JKS
+   *                             trust stores). If empty, assumes the trust store is not encrypted.
+   * @param trustStoreType       must be JKS, PEM, PKCS12, BCFKS or null. If null, attempts to
+   *                             autodetect the trust store type from the file extension (e.g. .jks
+   *                             / .pem).
+   * @param crlEnabled           enable CRL (certificate revocation list) checks.
+   * @param ocspEnabled          enable OCSP (online certificate status protocol) checks.
+   * @param verifyClientHostname if true, client hostname must match name in certificate
+   * @param verifyServerHostname if true, server hostname must match name in certificate
    * @return the trust manager.
    * @throws TrustManagerException if something goes wrong.
    */
   static X509TrustManager createTrustManager(String trustStoreLocation, String trustStorePassword,
-    String trustStoreType, boolean crlEnabled, boolean ocspEnabled, boolean verifyServerHostnames,
-    boolean verifyClientHostnames) throws TrustManagerException {
+    String trustStoreType, boolean crlEnabled, boolean ocspEnabled, boolean verifyServerHostname,
+    boolean verifyClientHostname) throws TrustManagerException {
 
     if (trustStorePassword == null) {
       trustStorePassword = "";
@@ -370,8 +372,8 @@ static X509TrustManager createTrustManager(String trustStoreLocation, String tru
 
       for (final TrustManager tm : tmf.getTrustManagers()) {
         if (tm instanceof X509ExtendedTrustManager) {
-          return new HBaseTrustManager((X509ExtendedTrustManager) tm, verifyServerHostnames,
-            verifyClientHostnames);
+          return new HBaseTrustManager((X509ExtendedTrustManager) tm, verifyServerHostname,
+            verifyClientHostname);
         }
       }
       throw new TrustManagerException("Couldn't find X509TrustManager");

hbase-server/src/test/java/org/apache/hadoop/hbase/security/AbstractTestMutualTls.java

@@ -86,12 +86,14 @@ public abstract class AbstractTestMutualTls {
 
   @Parameterized.Parameter(2)
   public String keyPassword;
-
   @Parameterized.Parameter(3)
-  public boolean validateHostnames;
+  public boolean expectSuccess;
 
   @Parameterized.Parameter(4)
-  public TestCase testCase;
+  public boolean validateHostnames;
+
+  @Parameterized.Parameter(5)
+  public CertConfig certConfig;
 
   public enum CertConfig {
     // For no cert, we literally pass no certificate to the server. It's possible (assuming server
@@ -110,30 +112,6 @@ public enum CertConfig {
     VERIFIABLE_CERT_WITH_BAD_HOST
   }
 
-  public static class TestCase {
-    public final CertConfig certConfig;
-    public final boolean expectSuccessWithVerifyHost;
-    public final boolean expectSuccessWithoutVerifyHost;
-
-    public TestCase(CertConfig certConfig, boolean expectSuccess) {
-      this(certConfig, expectSuccess, expectSuccess);
-    }
-
-    public TestCase(CertConfig certConfig, boolean expectSuccessWithVerifyHost,
-      boolean expectSuccessWithoutVerifyHost) {
-      this.certConfig = certConfig;
-      this.expectSuccessWithVerifyHost = expectSuccessWithVerifyHost;
-      this.expectSuccessWithoutVerifyHost = expectSuccessWithoutVerifyHost;
-    }
-
-    @Override
-    public String toString() {
-      return "TestCase{" + "certConfig=" + certConfig + ", expectSuccessWithVerifyHost="
-        + expectSuccessWithVerifyHost + ", expectSuccessWithoutVerifyHost="
-        + expectSuccessWithoutVerifyHost + '}';
-    }
-  }
-
   @BeforeClass
   public static void setUpBeforeClass() throws IOException {
     UTIL = new HBaseCommonTestingUtil();
@@ -159,11 +137,6 @@ public static void cleanUp() {
     UTIL.cleanupTestDir();
   }
 
-  public enum PeerType {
-    CLIENT,
-    SERVER
-  }
-
   protected abstract void initialize(Configuration serverConf, Configuration clientConf)
     throws IOException, GeneralSecurityException, OperatorCreationException;
 
@@ -188,7 +161,7 @@ public void setUp() throws Exception {
 
   protected void handleCertConfig(Configuration confToSet)
     throws GeneralSecurityException, IOException, OperatorCreationException {
-    switch (testCase.certConfig) {
+    switch (certConfig) {
       case NO_CLIENT_CERT:
         // clearing out the keystore location will cause no cert to be sent.
         confToSet.set(X509Util.TLS_CONFIG_KEYSTORE_LOCATION, "");
@@ -234,20 +207,15 @@ public void tearDown() throws IOException {
 
   @Test
   public void testClientAuth() throws Exception {
-    if (shouldThrow()) {
-      ServiceException se = assertThrows(ServiceException.class, this::submitRequest);
-      assertThat(se.getCause(), instanceOf(SSLHandshakeException.class));
-    } else {
+    if (expectSuccess) {
       // we expect no exception, so if one is thrown the test will fail
       submitRequest();
+    } else {
+      ServiceException se = assertThrows(ServiceException.class, this::submitRequest);
+      assertThat(se.getCause(), instanceOf(SSLHandshakeException.class));
     }
   }
 
-  private boolean shouldThrow() {
-    return validateHostnames && !testCase.expectSuccessWithVerifyHost
-      || !testCase.expectSuccessWithoutVerifyHost;
-  }
-
   private void submitRequest() throws ServiceException {
     stub.echo(null, TestProtos.EchoRequestProto.newBuilder().setMessage("hello world").build());
   }

hbase-server/src/test/java/org/apache/hadoop/hbase/security/TestMutualTlsClientSide.java

@@ -56,14 +56,14 @@ public static List<Object[]> data() {
           // we want to run with and without validating hostnames. we encode the expected success
           // criteria in the TestCase config. See below.
           for (boolean validateServerHostnames : new Boolean[] { true, false }) {
-            // fail in all cases except "good cert/bad host" when host verification is disabled
-            params.add(new Object[] { caKeyType, certKeyType, keyPassword, validateServerHostnames,
-              new TestCase(CertConfig.NON_VERIFIABLE_CERT, false) });
-            params.add(new Object[] { caKeyType, certKeyType, keyPassword, validateServerHostnames,
-              new TestCase(CertConfig.VERIFIABLE_CERT_WITH_BAD_HOST, false, true) });
-            // additionally ensure that it succeeds when a good cert is presented
-            params.add(new Object[] { caKeyType, certKeyType, keyPassword, validateServerHostnames,
-              new TestCase(CertConfig.GOOD_CERT, true) });
+            // fail for non-verifiable certs or certs with bad hostnames when validateServerHostname
+            // is true. otherwise succeed.
+            params.add(new Object[] { caKeyType, certKeyType, keyPassword, false,
+              validateServerHostnames, CertConfig.NON_VERIFIABLE_CERT });
+            params.add(new Object[] { caKeyType, certKeyType, keyPassword, !validateServerHostnames,
+              validateServerHostnames, CertConfig.VERIFIABLE_CERT_WITH_BAD_HOST });
+            params.add(new Object[] { caKeyType, certKeyType, keyPassword, true,
+              validateServerHostnames, CertConfig.GOOD_CERT });
           }
         }
       }
@@ -75,7 +75,8 @@ public static List<Object[]> data() {
   protected void initialize(Configuration serverConf, Configuration clientConf)
     throws IOException, GeneralSecurityException, OperatorCreationException {
     // client verifies server hostname, and injects bad certs into server conf
-    clientConf.setBoolean(X509Util.TLS_CONFIG_VERIFY_SERVER_HOSTNAMES, validateHostnames);
+    clientConf.setBoolean(X509Util.HBASE_CLIENT_NETTY_TLS_VERIFY_SERVER_HOSTNAME,
+      validateHostnames);
     handleCertConfig(serverConf);
   }
 }

hbase-server/src/test/java/org/apache/hadoop/hbase/security/TestMutualTlsServerSide.java

@@ -46,7 +46,7 @@ public class TestMutualTlsServerSide extends AbstractTestMutualTls {
   @ClassRule
   public static final HBaseClassTestRule CLASS_RULE =
     HBaseClassTestRule.forClass(TestMutualTlsServerSide.class);
-  @Parameterized.Parameter(5)
+  @Parameterized.Parameter(6)
   public X509Util.ClientAuth clientAuthMode;
 
   @Parameterized.Parameters(
@@ -62,39 +62,39 @@ public static List<Object[]> data() {
           for (boolean validateClientHostnames : new Boolean[] { true, false }) {
             // ClientAuth.NONE should succeed in all cases, because it never requests the
             // certificate for verification
-            params.add(new Object[] { caKeyType, certKeyType, keyPassword, validateClientHostnames,
-              new TestCase(CertConfig.NO_CLIENT_CERT, true), X509Util.ClientAuth.NONE });
-            params.add(new Object[] { caKeyType, certKeyType, keyPassword, validateClientHostnames,
-              new TestCase(CertConfig.NON_VERIFIABLE_CERT, true), X509Util.ClientAuth.NONE });
-            params.add(new Object[] { caKeyType, certKeyType, keyPassword, validateClientHostnames,
-              new TestCase(CertConfig.VERIFIABLE_CERT_WITH_BAD_HOST, true),
-              X509Util.ClientAuth.NONE });
+            params.add(new Object[] { caKeyType, certKeyType, keyPassword, true,
+              validateClientHostnames, CertConfig.NO_CLIENT_CERT, X509Util.ClientAuth.NONE });
+            params.add(new Object[] { caKeyType, certKeyType, keyPassword, true,
+              validateClientHostnames, CertConfig.NON_VERIFIABLE_CERT, X509Util.ClientAuth.NONE });
+            params.add(
+              new Object[] { caKeyType, certKeyType, keyPassword, true, validateClientHostnames,
+                CertConfig.VERIFIABLE_CERT_WITH_BAD_HOST, X509Util.ClientAuth.NONE });
 
             // ClientAuth.WANT should succeed if no cert, but if the cert is provided it is
-            // validated. So should fail on
-            // bad cert or good cert with bad host when host verification is enabled
-            params.add(new Object[] { caKeyType, certKeyType, keyPassword, validateClientHostnames,
-              new TestCase(CertConfig.NO_CLIENT_CERT, true), X509Util.ClientAuth.WANT });
-            params.add(new Object[] { caKeyType, certKeyType, keyPassword, validateClientHostnames,
-              new TestCase(CertConfig.NON_VERIFIABLE_CERT, false), X509Util.ClientAuth.WANT });
-            params.add(new Object[] { caKeyType, certKeyType, keyPassword, validateClientHostnames,
-              new TestCase(CertConfig.VERIFIABLE_CERT_WITH_BAD_HOST, false, true),
+            // validated. So should fail on bad cert or good cert with bad host when host
+            // verification is enabled
+            params.add(new Object[] { caKeyType, certKeyType, keyPassword, true,
+              validateClientHostnames, CertConfig.NO_CLIENT_CERT, X509Util.ClientAuth.WANT });
+            params.add(new Object[] { caKeyType, certKeyType, keyPassword, false,
+              validateClientHostnames, CertConfig.NON_VERIFIABLE_CERT, X509Util.ClientAuth.WANT });
+            params.add(new Object[] { caKeyType, certKeyType, keyPassword, !validateClientHostnames,
+              validateClientHostnames, CertConfig.VERIFIABLE_CERT_WITH_BAD_HOST,
               X509Util.ClientAuth.WANT });
 
             // ClientAuth.NEED is most restrictive, failing in all cases except "good cert/bad host"
             // when host verification is disabled
-            params.add(new Object[] { caKeyType, certKeyType, keyPassword, validateClientHostnames,
-              new TestCase(CertConfig.NO_CLIENT_CERT, false), X509Util.ClientAuth.NEED });
-            params.add(new Object[] { caKeyType, certKeyType, keyPassword, validateClientHostnames,
-              new TestCase(CertConfig.NON_VERIFIABLE_CERT, false), X509Util.ClientAuth.NEED });
-            params.add(new Object[] { caKeyType, certKeyType, keyPassword, validateClientHostnames,
-              new TestCase(CertConfig.VERIFIABLE_CERT_WITH_BAD_HOST, false, true),
+            params.add(new Object[] { caKeyType, certKeyType, keyPassword, false,
+              validateClientHostnames, CertConfig.NO_CLIENT_CERT, X509Util.ClientAuth.NEED });
+            params.add(new Object[] { caKeyType, certKeyType, keyPassword, false,
+              validateClientHostnames, CertConfig.NON_VERIFIABLE_CERT, X509Util.ClientAuth.NEED });
+            params.add(new Object[] { caKeyType, certKeyType, keyPassword, !validateClientHostnames,
+              validateClientHostnames, CertConfig.VERIFIABLE_CERT_WITH_BAD_HOST,
               X509Util.ClientAuth.NEED });
 
             // additionally ensure that all modes succeed when a good cert is presented
             for (X509Util.ClientAuth mode : X509Util.ClientAuth.values()) {
-              params.add(new Object[] { caKeyType, certKeyType, keyPassword,
-                validateClientHostnames, new TestCase(CertConfig.GOOD_CERT, true), mode });
+              params.add(new Object[] { caKeyType, certKeyType, keyPassword, true,
+                validateClientHostnames, CertConfig.GOOD_CERT, mode });
             }
           }
         }
@@ -109,7 +109,8 @@ protected void initialize(Configuration serverConf, Configuration clientConf)
     // server enables client auth mode and verifies client host names
     // inject bad certs into client side
     serverConf.set(X509Util.TLS_CONFIG_CLIENT_AUTH_MODE, clientAuthMode.name());
-    serverConf.setBoolean(X509Util.TLS_CONFIG_VERIFY_CLIENT_HOSTNAMES, validateHostnames);
+    serverConf.setBoolean(X509Util.HBASE_SERVER_NETTY_TLS_VERIFY_CLIENT_HOSTNAME,
+      validateHostnames);
     handleCertConfig(clientConf);
   }
 }