org.apache.hadoop.security.alias.JavaKeyStoreProvider Java Examples
The following examples show how to use
org.apache.hadoop.security.alias.JavaKeyStoreProvider.
Example #1
Source File: SSLTest.java From incubator-atlas with Apache License 2.0 | 6 votes |
/**
 * Boots a TLS-enabled embedded Atlas server backed by a throwaway credential store.
 *
 * <p>Test fixture only: the client is built with the literal "admin"/"admin" pair and the
 * server listens on the fixed port 21443. Neither belongs in non-test code.
 *
 * @throws Exception if the temp directory, the configuration files or the server cannot be set up
 */
@BeforeClass
public void setUp() throws Exception {
    // A fresh directory per run keeps the keystore away from stores left by earlier runs.
    // NOTE(review): if Files is java.nio.file.Files, the directory is owner-only on POSIX; confirm the import.
    final String providerDir = Files.createTempDirectory("tempproviders").toString();
    jksPath = new Path(providerDir, "test.jks");
    providerUrl = JavaKeyStoreProvider.SCHEME_NAME + "://file/" + jksPath.toUri();
    setupCredentials();

    final PropertiesConfiguration configuration = getSSLConfiguration(providerUrl);
    final String confDir = writeConfiguration(configuration);
    persistSSLClientConfiguration(configuration);

    // These JVM-wide properties are overwritten; the previous values are kept in fields,
    // presumably so a teardown method outside this block can restore them.
    originalConf = System.getProperty("atlas.conf");
    System.setProperty("atlas.conf", confDir);
    originalHomeDir = System.getProperty("atlas.home");
    System.setProperty("atlas.home", TestUtils.getTargetDirectory());

    final String[] serverUrls = {DGI_URL};
    final String[] basicAuth = {"admin", "admin"};
    atlasClient = new AtlasClient(configuration, serverUrls, basicAuth);

    // The embedded server is handed the same configuration object the client was built from.
    secureEmbeddedServer = new TestSecureEmbeddedServer(21443, getWarPath()) {
        @Override
        public org.apache.commons.configuration.Configuration getConfiguration() {
            return configuration;
        }
    };
    secureEmbeddedServer.getServer().start();
}
Example #2
Source File: SSLTest.java From atlas with Apache License 2.0 | 6 votes |
/**
 * Starts a TLS-enabled embedded Atlas server whose passwords come from a temporary
 * credential store, and builds a client against it.
 *
 * <p>The "admin"/"admin" pair and port 21443 are test-only literals.
 *
 * @throws Exception if any part of the fixture cannot be created or started
 */
public void setUp() throws Exception {
    // Keystore location: a newly created temp directory, so no earlier store is reused.
    final String providerDir = Files.createTempDirectory("tempproviders").toString();
    jksPath = new Path(providerDir, "test.jks");
    providerUrl = JavaKeyStoreProvider.SCHEME_NAME + "://file/" + jksPath.toUri();
    setupCredentials();

    final PropertiesConfiguration configuration = getSSLConfiguration(providerUrl);
    final String confDir = writeConfiguration(configuration);
    persistSSLClientConfiguration(configuration);

    // Save the current JVM-wide settings before replacing them.
    // NOTE(review): restoring them is not visible in this block; confirm a teardown does it.
    originalConf = System.getProperty("atlas.conf");
    System.setProperty("atlas.conf", confDir);
    originalHomeDir = System.getProperty("atlas.home");
    System.setProperty("atlas.home", TestUtils.getTargetDirectory());

    final String[] serverUrls = {DGI_URL};
    final String[] basicAuth = {"admin", "admin"};
    atlasClient = new AtlasClient(configuration, serverUrls, basicAuth);

    secureEmbeddedServer = new TestSecureEmbeddedServer(21443, getWarPath()) {
        @Override
        public org.apache.commons.configuration.Configuration getConfiguration() {
            // Same object the client uses, so both sides read identical TLS settings.
            return configuration;
        }
    };
    secureEmbeddedServer.getServer().start();
}
Example #3
Source File: SecureEmbeddedServerTestBase.java From atlas with Apache License 2.0 | 5 votes |
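/**
 * Chooses a per-test credential-store location and builds the HTTPS web resource
 * used to talk to the embedded server.
 *
 * <p>Only the location of {@code test.jks} is computed here; nothing is written to it
 * in this method.
 *
 * @throws Exception if the temporary directory cannot be created
 */
@BeforeMethod
public void setup() throws Exception {
    // New temp directory for every test method, so a store from another test is never picked up.
    jksPath = new Path(Files.createTempDirectory("tempproviders").toString(), "test.jks");
    providerUrl = JavaKeyStoreProvider.SCHEME_NAME + "://file/" + jksPath.toUri();

    String baseUrl = String.format("https://localhost:%d/", securePort);
    Client client = Client.create(new DefaultClientConfig());
    // The resource is built once; an earlier version created it twice and discarded the first result.
    // NOTE(review): no trust material is configured on this client here; presumably the tests set it up.
    service = client.resource(UriBuilder.fromUri(baseUrl).build());
}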
Example #4
Source File: SecureEmbeddedServerTestBase.java From incubator-atlas with Apache License 2.0 | 5 votes |
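/**
 * Computes where this test's credential store will live and creates the HTTPS web
 * resource for the embedded server on {@code securePort}.
 *
 * @throws Exception if the temporary directory cannot be created
 */
@BeforeMethod
public void setup() throws Exception {
    // The keystore path sits in a directory created for this test method alone.
    jksPath = new Path(Files.createTempDirectory("tempproviders").toString(), "test.jks");
    providerUrl = JavaKeyStoreProvider.SCHEME_NAME + "://file/" + jksPath.toUri();

    String baseUrl = String.format("https://localhost:%d/", securePort);
    Client client = Client.create(new DefaultClientConfig());
    // A single resource() call is enough; the duplicate call whose result was dropped is removed.
    service = client.resource(UriBuilder.fromUri(baseUrl).build());
}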
Example #5
Source File: KeyStoreTestUtil.java From hadoop with Apache License 2.0 | 5 votes |
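/**
 * Stores the server keystore password and key password in a JCEKS credential store
 * under the test data directory, so SSL tests can resolve them by alias.
 *
 * <p>Test fixture only: both secrets are literals in this method.
 * NOTE(review): no store password is configured here, so the provider presumably falls
 * back to its built-in default. That is acceptable for a throwaway store, not a deployed one.
 *
 * @throws Exception if a stale store cannot be removed, or the provider fails to create
 *         or flush the entries
 */
public static void provisionPasswordsToCredentialProvider() throws Exception {
  File testDir = new File(System.getProperty("test.build.data", "target/test-dir"));
  File storeFile = new File(testDir, "test.jks");
  // Remove a store left by an earlier run and fail with the reason if that is impossible.
  // File.delete() would only return false, and the stale store would then be reused.
  java.nio.file.Files.deleteIfExists(storeFile.toPath());

  final Path jksPath = new Path(testDir.toString(), "test.jks");
  final String ourUrl = JavaKeyStoreProvider.SCHEME_NAME + "://file" + jksPath.toUri();
  Configuration conf = new Configuration();
  conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, ourUrl);
  CredentialProvider provider = CredentialProviderFactory.getProviders(conf).get(0);

  char[] keypass = {'k', 'e', 'y', 'p', 'a', 's', 's'};
  char[] storepass = {'s', 't', 'o', 'r', 'e', 'p', 'a', 's', 's'};

  // Create the aliases. A failure propagates to the caller, which reports it,
  // so no print-and-rethrow wrapper is needed.
  provider.createCredentialEntry(
      FileBasedKeyStoresFactory.resolvePropertyName(SSLFactory.Mode.SERVER,
          FileBasedKeyStoresFactory.SSL_KEYSTORE_PASSWORD_TPL_KEY),
      storepass);
  provider.createCredentialEntry(
      FileBasedKeyStoresFactory.resolvePropertyName(SSLFactory.Mode.SERVER,
          FileBasedKeyStoresFactory.SSL_KEYSTORE_KEYPASSWORD_TPL_KEY),
      keypass);

  // Write the store out so that later lookups can find the entries.
  provider.flush();
}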
Example #6
Source File: KeyStoreTestUtil.java From big-c with Apache License 2.0 | 5 votes |
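/**
 * Provisions the SSL server keystore password and key password into a file-backed
 * credential store in the test data directory.
 *
 * <p>The secrets are hard-coded test values; this helper is not a template for
 * provisioning real credentials.
 *
 * @throws Exception if an existing store cannot be deleted, or creating or flushing
 *         the credential entries fails
 */
public static void provisionPasswordsToCredentialProvider() throws Exception {
  File testDir = new File(System.getProperty("test.build.data", "target/test-dir"));
  File storeFile = new File(testDir, "test.jks");
  // deleteIfExists throws with the cause when removal fails, where File.delete() would
  // silently leave the old store, and its old entries, in place.
  java.nio.file.Files.deleteIfExists(storeFile.toPath());

  final Path jksPath = new Path(testDir.toString(), "test.jks");
  final String ourUrl = JavaKeyStoreProvider.SCHEME_NAME + "://file" + jksPath.toUri();
  Configuration conf = new Configuration();
  conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, ourUrl);
  CredentialProvider provider = CredentialProviderFactory.getProviders(conf).get(0);

  char[] keypass = {'k', 'e', 'y', 'p', 'a', 's', 's'};
  char[] storepass = {'s', 't', 'o', 'r', 'e', 'p', 'a', 's', 's'};

  // Exceptions propagate unchanged; the redundant printStackTrace-then-rethrow is gone.
  provider.createCredentialEntry(
      FileBasedKeyStoresFactory.resolvePropertyName(SSLFactory.Mode.SERVER,
          FileBasedKeyStoresFactory.SSL_KEYSTORE_PASSWORD_TPL_KEY),
      storepass);
  provider.createCredentialEntry(
      FileBasedKeyStoresFactory.resolvePropertyName(SSLFactory.Mode.SERVER,
          FileBasedKeyStoresFactory.SSL_KEYSTORE_KEYPASSWORD_TPL_KEY),
      keypass);

  // Write the store out so that it can be found in later checks.
  provider.flush();
}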
Example #7
Source File: TestDFSUtil.java From big-c with Apache License 2.0 | 4 votes |
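/**
 * Checks that the HTTPS key, keystore and truststore passwords written to a JCEKS
 * credential store are returned by the provider API and by DFSUtil.getPassword, and
 * that an unknown alias yields null.
 *
 * @throws Exception if the store cannot be reset or the provider fails
 */
@Test
public void testGetPassword() throws Exception {
  File testDir = new File(System.getProperty("test.build.data", "target/test-dir"));
  File storeFile = new File(testDir, "test.jks");
  // Start from an empty store. Fail with the reason if an old one cannot be removed,
  // instead of ignoring File.delete()'s return value.
  java.nio.file.Files.deleteIfExists(storeFile.toPath());

  Configuration conf = new Configuration();
  final Path jksPath = new Path(testDir.toString(), "test.jks");
  final String ourUrl = JavaKeyStoreProvider.SCHEME_NAME + "://file" + jksPath.toUri();
  conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, ourUrl);
  CredentialProvider provider = CredentialProviderFactory.getProviders(conf).get(0);

  // Test-only secrets.
  char[] keypass = {'k', 'e', 'y', 'p', 'a', 's', 's'};
  char[] storepass = {'s', 't', 'o', 'r', 'e', 'p', 'a', 's', 's'};
  char[] trustpass = {'t', 'r', 'u', 's', 't', 'p', 'a', 's', 's'};

  // ensure that we get nulls when the key isn't there
  assertEquals(null, provider.getCredentialEntry(DFS_SERVER_HTTPS_KEYPASSWORD_KEY));
  assertEquals(null, provider.getCredentialEntry(DFS_SERVER_HTTPS_KEYSTORE_PASSWORD_KEY));
  assertEquals(null, provider.getCredentialEntry(DFS_SERVER_HTTPS_TRUSTSTORE_PASSWORD_KEY));

  // Create the aliases. A failure propagates and is reported by the test runner.
  provider.createCredentialEntry(DFS_SERVER_HTTPS_KEYPASSWORD_KEY, keypass);
  provider.createCredentialEntry(DFS_SERVER_HTTPS_KEYSTORE_PASSWORD_KEY, storepass);
  provider.createCredentialEntry(DFS_SERVER_HTTPS_TRUSTSTORE_PASSWORD_KEY, trustpass);
  // write out so that it can be found in checks
  provider.flush();

  // make sure we get back the right key directly from api
  assertArrayEquals(keypass,
      provider.getCredentialEntry(DFS_SERVER_HTTPS_KEYPASSWORD_KEY).getCredential());
  assertArrayEquals(storepass,
      provider.getCredentialEntry(DFS_SERVER_HTTPS_KEYSTORE_PASSWORD_KEY).getCredential());
  assertArrayEquals(trustpass,
      provider.getCredentialEntry(DFS_SERVER_HTTPS_TRUSTSTORE_PASSWORD_KEY).getCredential());

  // Resolve the same aliases through DFSUtil.getPassword with the provider path set in conf.
  Assert.assertEquals("keypass",
      DFSUtil.getPassword(conf, DFS_SERVER_HTTPS_KEYPASSWORD_KEY));
  Assert.assertEquals("storepass",
      DFSUtil.getPassword(conf, DFS_SERVER_HTTPS_KEYSTORE_PASSWORD_KEY));
  Assert.assertEquals("trustpass",
      DFSUtil.getPassword(conf, DFS_SERVER_HTTPS_TRUSTSTORE_PASSWORD_KEY));

  // let's make sure that a password that doesn't exist returns null
  Assert.assertEquals(null, DFSUtil.getPassword(conf,"invalid-alias"));
}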
Example #8
Source File: CredentialReader.java From ranger with Apache License 2.0 | 4 votes |
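/**
 * Reads the secret stored under {@code alias} from the credential store named by
 * {@code CrendentialProviderPath}.
 *
 * <p>A path that already starts with the JCEKS or {@code localjceks} file scheme is used
 * as given; any other value is treated as a file path and prefixed with the JCEKS file
 * scheme. The path is passed to the provider factory unvalidated, so it must come from
 * trusted configuration.
 *
 * <p>The secret is returned as an immutable String and cannot be wiped afterwards;
 * callers should keep the result short-lived and must not log it.
 *
 * @param CrendentialProviderPath provider URL or keystore file path
 * @param alias name of the credential entry
 * @return the credential, or {@code null} when an argument is null or blank, the alias
 *         is not found, the stored value is empty, or any error occurs
 */
public static String getDecryptedString(String CrendentialProviderPath, String alias) {
    if (CrendentialProviderPath == null || alias == null) {
        return null;
    }
    final String providerPath = CrendentialProviderPath.trim();
    final String wantedAlias = alias.trim();
    if (providerPath.isEmpty() || wantedAlias.isEmpty()) {
        return null;
    }

    String credential = null;
    try {
        // Locale.ROOT keeps scheme and alias matching independent of the JVM's default
        // locale (a Turkish default locale lower-cases 'I' to a dotless 'ı').
        final String lowerPath = providerPath.toLowerCase(java.util.Locale.ROOT);
        final String jceksPrefix =
            (JavaKeyStoreProvider.SCHEME_NAME + "://file").toLowerCase(java.util.Locale.ROOT);
        final String localJceksPrefix = "localjceks://file";

        final String providerUrl;
        if (lowerPath.startsWith(jceksPrefix) || lowerPath.startsWith(localJceksPrefix)) {
            providerUrl = providerPath;
        } else if (providerPath.startsWith("/")) {
            providerUrl = JavaKeyStoreProvider.SCHEME_NAME + "://file" + providerPath;
        } else {
            providerUrl = JavaKeyStoreProvider.SCHEME_NAME + "://file/" + providerPath;
        }

        Configuration conf = new Configuration();
        conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, providerUrl);

        final String lowerAlias = wantedAlias.toLowerCase(java.util.Locale.ROOT);
        for (CredentialProvider provider : CredentialProviderFactory.getProviders(conf)) {
            List<String> aliases = provider.getAliases();
            if (aliases == null || !aliases.contains(lowerAlias)) {
                continue;
            }
            CredentialProvider.CredentialEntry entry = provider.getCredentialEntry(wantedAlias);
            if (entry == null) {
                // Listed but not retrievable: try the next provider. Dereferencing null
                // here would end the whole lookup in the catch block.
                continue;
            }
            char[] pass = entry.getCredential();
            if (pass != null && pass.length > 0) {
                credential = String.valueOf(pass);
                break;
            }
        }
    } catch (Exception ex) {
        // Best-effort contract: any failure yields null.
        // NOTE(review): the stack trace may include the store path; route it through the
        // project's logger instead of stderr if one is available in this class.
        ex.printStackTrace();
        credential = null;
    }
    return credential;
}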
Example #9
Source File: CredentialReader.java From ranger with Apache License 2.0 | 4 votes |
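/**
 * Returns the secret stored under {@code alias} in the credential store identified by
 * {@code CrendentialProviderPath}.
 *
 * <p>Values that already carry the JCEKS or {@code localjceks} file scheme are used
 * unchanged; anything else is treated as a keystore file path and given the JCEKS file
 * scheme. The path is not validated and must therefore be trusted configuration, never
 * request data.
 *
 * <p>The result is an immutable String that cannot be cleared from memory; do not log
 * it or hold it longer than necessary.
 *
 * @param CrendentialProviderPath provider URL or keystore file path
 * @param alias name of the credential entry
 * @return the credential, or {@code null} when an argument is null or blank, nothing
 *         usable is stored under the alias, or an error occurs
 */
public static String getDecryptedString(String CrendentialProviderPath, String alias) {
    if (CrendentialProviderPath == null || alias == null) {
        return null;
    }
    final String providerPath = CrendentialProviderPath.trim();
    final String wantedAlias = alias.trim();
    // Blank arguments are rejected up front and never turned into a provider URL.
    if (providerPath.isEmpty() || wantedAlias.isEmpty()) {
        return null;
    }

    String credential = null;
    try {
        // Lower-case with Locale.ROOT so matching does not depend on the JVM default locale.
        final String lowerPath = providerPath.toLowerCase(java.util.Locale.ROOT);
        final String jceksPrefix =
            (JavaKeyStoreProvider.SCHEME_NAME + "://file").toLowerCase(java.util.Locale.ROOT);
        final String localJceksPrefix = "localjceks://file";

        final String providerUrl;
        if (lowerPath.startsWith(jceksPrefix) || lowerPath.startsWith(localJceksPrefix)) {
            providerUrl = providerPath;
        } else if (providerPath.startsWith("/")) {
            providerUrl = JavaKeyStoreProvider.SCHEME_NAME + "://file" + providerPath;
        } else {
            providerUrl = JavaKeyStoreProvider.SCHEME_NAME + "://file/" + providerPath;
        }

        Configuration conf = new Configuration();
        conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, providerUrl);

        final String lowerAlias = wantedAlias.toLowerCase(java.util.Locale.ROOT);
        for (CredentialProvider provider : CredentialProviderFactory.getProviders(conf)) {
            List<String> aliases = provider.getAliases();
            if (aliases == null || !aliases.contains(lowerAlias)) {
                continue;
            }
            CredentialProvider.CredentialEntry entry = provider.getCredentialEntry(wantedAlias);
            if (entry == null) {
                // Skip to the next provider. A null entry must not abort the lookup
                // through a NullPointerException.
                continue;
            }
            char[] pass = entry.getCredential();
            if (pass != null && pass.length > 0) {
                credential = String.valueOf(pass);
                break;
            }
        }
    } catch (Exception ex) {
        // Failures are deliberately mapped to null.
        // NOTE(review): prefer the class's logger over stderr if one exists; the trace can
        // reveal the keystore location.
        ex.printStackTrace();
        credential = null;
    }
    return credential;
}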
Example #10
Source File: SSLAndKerberosTest.java From incubator-atlas with Apache License 2.0 | 4 votes |
/**
 * Builds the TLS + Kerberos fixture: a temporary credential store, a KDC with principals,
 * the Atlas configuration files, a logged-in proxy user, and an embedded secure server.
 *
 * <p>Test fixture only. Port 21443, the "testUser" proxy name and the EXAMPLE.COM name
 * rule are literals in this method.
 *
 * @throws Exception if any part of the fixture cannot be created or started
 */
@BeforeClass
public void setUp() throws Exception {
    final String providerDir = Files.createTempDirectory("tempproviders").toString();
    jksPath = new Path(providerDir, "test.jks");
    providerUrl = JavaKeyStoreProvider.SCHEME_NAME + "://file/" + jksPath.toUri();

    final String persistDir = TestUtils.getTempDirectory();

    setupKDCAndPrincipals();
    setupCredentials();

    // client will actually only leverage subset of these properties
    final PropertiesConfiguration configuration = getSSLConfiguration(providerUrl);
    persistSSLClientConfiguration(configuration);
    TestUtils.writeConfiguration(configuration,
        persistDir + File.separator + ApplicationProperties.APPLICATION_PROPERTIES);

    // Load the base properties from the configured conf directory, or from the classpath.
    final String existingConfDir = System.getProperty("atlas.conf");
    final URL baseProperties = (existingConfDir == null)
        ? SSLAndKerberosTest.class.getResource("/" + ApplicationProperties.APPLICATION_PROPERTIES)
        : new File(existingConfDir, ApplicationProperties.APPLICATION_PROPERTIES).toURI().toURL();
    configuration.load(baseProperties);

    configuration.setProperty(TLS_ENABLED, true);
    configuration.setProperty("atlas.authentication.method.kerberos", "true");
    configuration.setProperty("atlas.authentication.keytab", userKeytabFile.getAbsolutePath());
    configuration.setProperty("atlas.authentication.principal", "dgi/localhost@" + kdc.getRealm());

    // NOTE(review): file authentication is set to "false" here and to "true" a few lines
    // below, so the effective value is "true". The kerberos flag is also set twice.
    configuration.setProperty("atlas.authentication.method.file", "false");
    configuration.setProperty("atlas.authentication.method.kerberos", "true");
    configuration.setProperty("atlas.authentication.method.kerberos.principal",
        "HTTP/localhost@" + kdc.getRealm());
    configuration.setProperty("atlas.authentication.method.kerberos.keytab",
        httpKeytabFile.getAbsolutePath());
    configuration.setProperty("atlas.authentication.method.kerberos.name.rules",
        "RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//\nDEFAULT");
    configuration.setProperty("atlas.authentication.method.file", "true");
    configuration.setProperty("atlas.authentication.method.file.filename",
        persistDir + "/users-credentials");
    configuration.setProperty("atlas.auth.policy.file", persistDir + "/policy-store.txt");

    TestUtils.writeConfiguration(configuration,
        persistDir + File.separator + "atlas-application.properties");

    setupUserCredential(persistDir);
    setUpPolicyStore(persistDir);

    subject = loginTestUser();
    UserGroupInformation.loginUserFromSubject(subject);
    final UserGroupInformation proxyUser =
        UserGroupInformation.createProxyUser("testUser", UserGroupInformation.getLoginUser());

    // save original setting
    originalConf = System.getProperty("atlas.conf");
    System.setProperty("atlas.conf", persistDir);
    originalHomeDir = System.getProperty("atlas.home");
    System.setProperty("atlas.home", TestUtils.getTargetDirectory());

    // The client is constructed inside doAs, i.e. as the proxy user.
    dgiCLient = proxyUser.doAs(new PrivilegedExceptionAction<AtlasClient>() {
        @Override
        public AtlasClient run() throws Exception {
            return new AtlasClient(configuration, DGI_URL);
        }
    });

    secureEmbeddedServer = new TestSecureEmbeddedServer(21443, getWarPath()) {
        @Override
        public PropertiesConfiguration getConfiguration() {
            return configuration;
        }
    };
    secureEmbeddedServer.getServer().start();
}
Example #11
Source File: NegativeSSLAndKerberosTest.java From incubator-atlas with Apache License 2.0 | 4 votes |
/**
 * Builds the fixture for the negative TLS + Kerberos tests: a temporary credential store,
 * a KDC with principals, the Atlas configuration files, a client that has not logged in,
 * and an embedded secure server.
 *
 * <p>This method performs no login before building the client.
 *
 * @throws Exception if any part of the fixture cannot be created or started
 */
@BeforeClass
public void setUp() throws Exception {
    final String providerDir = Files.createTempDirectory("tempproviders").toString();
    jksPath = new Path(providerDir, "test.jks");
    providerUrl = JavaKeyStoreProvider.SCHEME_NAME + "://file/" + jksPath.toUri();

    final String persistDir = TestUtils.getTempDirectory();

    setupKDCAndPrincipals();
    setupCredentials();

    // client will actually only leverage subset of these properties
    final PropertiesConfiguration configuration = getSSLConfiguration(providerUrl);
    persistSSLClientConfiguration(configuration);
    final String propertiesFile =
        persistDir + File.separator + ApplicationProperties.APPLICATION_PROPERTIES;
    TestUtils.writeConfiguration(configuration, propertiesFile);

    // Base properties come from the configured conf directory if set, else from the classpath.
    final String existingConfDir = System.getProperty("atlas.conf");
    final URL baseProperties = (existingConfDir == null)
        ? NegativeSSLAndKerberosTest.class.getResource("/" + ApplicationProperties.APPLICATION_PROPERTIES)
        : new File(existingConfDir, ApplicationProperties.APPLICATION_PROPERTIES).toURI().toURL();
    configuration.load(baseProperties);

    configuration.setProperty(TLS_ENABLED, true);
    configuration.setProperty("atlas.authentication.method.kerberos", "true");
    configuration.setProperty("atlas.authentication.keytab", userKeytabFile.getAbsolutePath());
    configuration.setProperty("atlas.authentication.principal", "dgi/localhost@" + kdc.getRealm());

    // NOTE(review): the file-authentication flag is written as "false" and then as "true"
    // below, so the later value wins. The kerberos flag is also written twice.
    configuration.setProperty("atlas.authentication.method.file", "false");
    configuration.setProperty("atlas.authentication.method.kerberos", "true");
    configuration.setProperty("atlas.authentication.method.kerberos.principal",
        "HTTP/localhost@" + kdc.getRealm());
    configuration.setProperty("atlas.authentication.method.kerberos.keytab",
        httpKeytabFile.getAbsolutePath());
    configuration.setProperty("atlas.authentication.method.kerberos.name.rules",
        "RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//\nDEFAULT");
    configuration.setProperty("atlas.authentication.method.file", "true");
    configuration.setProperty("atlas.authentication.method.file.filename",
        persistDir + "/users-credentials");
    configuration.setProperty("atlas.auth.policy.file", persistDir + "/policy-store.txt");

    // Written a second time so the file on disk includes the properties set above.
    TestUtils.writeConfiguration(configuration, propertiesFile);

    setupUserCredential(persistDir);
    setUpPolicyStore(persistDir);

    // save original setting
    originalConf = System.getProperty("atlas.conf");
    System.setProperty("atlas.conf", persistDir);

    dgiClient = new AtlasClient(configuration, DGI_URL);

    secureEmbeddedServer = new TestSecureEmbeddedServer(21443, getWarPath()) {
        @Override
        public Configuration getConfiguration() {
            return configuration;
        }
    };
    secureEmbeddedServer.getServer().start();
}
Example #12
Source File: TestLdapGroupsMapping.java From big-c with Apache License 2.0 | 4 votes |
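/**
 * Checks that the LDAP bind password and keystore password stored in a JCEKS credential
 * store are returned by the provider API and by LdapGroupsMapping.getPassword, and that
 * an unknown alias falls back to the supplied default.
 *
 * @throws Exception if the store cannot be reset or the provider fails
 */
@Test
public void testConfGetPassword() throws Exception {
  File testDir = new File(System.getProperty("test.build.data", "target/test-dir"));
  File storeFile = new File(testDir, "test.jks");
  // Fail with the reason if an old store cannot be removed. Ignoring File.delete()'s
  // result would let the test run against entries from an earlier run.
  java.nio.file.Files.deleteIfExists(storeFile.toPath());

  Configuration conf = new Configuration();
  final Path jksPath = new Path(testDir.toString(), "test.jks");
  final String ourUrl = JavaKeyStoreProvider.SCHEME_NAME + "://file" + jksPath.toUri();
  conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, ourUrl);
  CredentialProvider provider = CredentialProviderFactory.getProviders(conf).get(0);

  // Test-only secrets.
  char[] bindpass = {'b', 'i', 'n', 'd', 'p', 'a', 's', 's'};
  char[] storepass = {'s', 't', 'o', 'r', 'e', 'p', 'a', 's', 's'};

  // ensure that we get nulls when the key isn't there
  assertEquals(null, provider.getCredentialEntry(LdapGroupsMapping.BIND_PASSWORD_KEY));
  assertEquals(null, provider.getCredentialEntry(LdapGroupsMapping.LDAP_KEYSTORE_PASSWORD_KEY));

  // Create the aliases. A failure propagates and is reported by the test runner.
  provider.createCredentialEntry(LdapGroupsMapping.BIND_PASSWORD_KEY, bindpass);
  provider.createCredentialEntry(LdapGroupsMapping.LDAP_KEYSTORE_PASSWORD_KEY, storepass);
  provider.flush();

  // make sure we get back the right key
  assertArrayEquals(bindpass,
      provider.getCredentialEntry(LdapGroupsMapping.BIND_PASSWORD_KEY).getCredential());
  assertArrayEquals(storepass,
      provider.getCredentialEntry(LdapGroupsMapping.LDAP_KEYSTORE_PASSWORD_KEY).getCredential());

  LdapGroupsMapping mapping = new LdapGroupsMapping();
  Assert.assertEquals("bindpass",
      mapping.getPassword(conf, LdapGroupsMapping.BIND_PASSWORD_KEY, ""));
  Assert.assertEquals("storepass",
      mapping.getPassword(conf, LdapGroupsMapping.LDAP_KEYSTORE_PASSWORD_KEY, ""));
  // let's make sure that a password that doesn't exist returns an
  // empty string as currently expected and used to trigger a call to
  // extract password
  Assert.assertEquals("", mapping.getPassword(conf,"invalid-alias", ""));
}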
Example #13
Source File: TestSSLFactory.java From big-c with Apache License 2.0 | 4 votes |
/**
 * Verifies that an SSLFactory initializes for one combination of store and key
 * passwords. The helper creates a key pair and self-signed certificate, a keystore and
 * a truststore, writes the matching ssl-server.xml or ssl-client.xml, and then calls
 * {@code init()}. Initialization succeeded if no exception is thrown.
 *
 * @param mode SSLFactory.Mode mode to test
 * @param password String store password to set on keystore
 * @param keyPassword String key password to set on keystore
 * @param confPassword String store password to set in SSL config file, or null
 *   to avoid setting in SSL config file
 * @param confKeyPassword String key password to set in SSL config file, or
 *   null to avoid setting in SSL config file
 * @param useCredProvider when true, both config passwords are written as null and, in
 *   server mode, the SSL config is pointed at a credential provider so the aliases are
 *   resolved through it
 * @throws Exception for any error
 */
private void checkSSLFactoryInitWithPasswords(SSLFactory.Mode mode,
    String password, String keyPassword, String confPassword,
    String confKeyPassword, boolean useCredProvider) throws Exception {
  final String keystore = new File(KEYSTORES_DIR, "keystore.jks").getAbsolutePath();
  final String truststore = new File(KEYSTORES_DIR, "truststore.jks").getAbsolutePath();
  final String trustPassword = "trustP";

  // Key material for the test: one RSA key pair and one certificate used on both sides.
  // NOTE(review): the certificate is signed with SHA1withRSA. SHA-1 signatures are
  // deprecated; keep this to test fixtures and prefer a SHA-256 based algorithm elsewhere.
  KeyPair keyPair = KeyStoreTestUtil.generateKeyPair("RSA");
  X509Certificate cert =
      KeyStoreTestUtil.generateCertificate("CN=Test", keyPair, 30, "SHA1withRSA");
  KeyStoreTestUtil.createKeyStore(keystore, password, keyPassword, "Test",
      keyPair.getPrivate(), cert);
  Map<String, X509Certificate> trusted = Collections.singletonMap("server", cert);
  KeyStoreTestUtil.createTrustStore(truststore, trustPassword, trusted);

  // With a credential provider, no password is written to the SSL config file.
  final String storePasswordInConf = useCredProvider ? null : confPassword;
  final String keyPasswordInConf = useCredProvider ? null : confKeyPassword;

  final boolean serverMode = (mode == SSLFactory.Mode.SERVER);
  final String sslConfFileName = serverMode ? "ssl-server.xml" : "ssl-client.xml";
  final Configuration sslConf;
  if (serverMode) {
    sslConf = KeyStoreTestUtil.createServerSSLConfig(keystore, storePasswordInConf,
        keyPasswordInConf, truststore);
    if (useCredProvider) {
      File testDir = new File(System.getProperty("test.build.data", "target/test-dir"));
      final Path jksPath = new Path(testDir.toString(), "test.jks");
      final String ourUrl = JavaKeyStoreProvider.SCHEME_NAME + "://file" + jksPath.toUri();
      sslConf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, ourUrl);
    }
  } else {
    sslConf = KeyStoreTestUtil.createClientSSLConfig(keystore, storePasswordInConf,
        keyPasswordInConf, truststore);
  }
  KeyStoreTestUtil.saveConfig(new File(sslConfsDir, sslConfFileName), sslConf);

  // Master configuration for the SSLFactory; it refers by default to the file saved above.
  Configuration conf = new Configuration();
  conf.setBoolean(SSLFactory.SSL_REQUIRE_CLIENT_CERT_KEY, true);

  // destroy() runs whether or not init() succeeds.
  SSLFactory sslFactory = new SSLFactory(mode, conf);
  try {
    sslFactory.init();
  } finally {
    sslFactory.destroy();
  }
}
Example #14
Source File: TestWebAppUtils.java From big-c with Apache License 2.0 | 4 votes |
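/**
 * Creates a JCEKS credential store in the test data directory, stores the web-app key,
 * keystore and truststore passwords in it, and returns a Configuration whose credential
 * provider path points at that store.
 *
 * <p>Test fixture only: the three secrets are literals in this method.
 *
 * @return configuration with the credential provider path set
 * @throws IOException if a stale store cannot be removed
 * @throws Exception if the provider fails to create, flush or read back an entry
 */
protected Configuration provisionCredentialsForSSL() throws IOException, Exception {
  File testDir = new File(System.getProperty("test.build.data", "target/test-dir"));
  File storeFile = new File(testDir, "test.jks");
  // Fail with the cause if an old store cannot be removed. File.delete() would only
  // return false and leave the earlier entries in place.
  java.nio.file.Files.deleteIfExists(storeFile.toPath());

  Configuration conf = new Configuration();
  final Path jksPath = new Path(testDir.toString(), "test.jks");
  final String ourUrl = JavaKeyStoreProvider.SCHEME_NAME + "://file" + jksPath.toUri();
  conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, ourUrl);
  CredentialProvider provider = CredentialProviderFactory.getProviders(conf).get(0);

  char[] keypass = {'k', 'e', 'y', 'p', 'a', 's', 's'};
  char[] storepass = {'s', 't', 'o', 'r', 'e', 'p', 'a', 's', 's'};
  char[] trustpass = {'t', 'r', 'u', 's', 't', 'p', 'a', 's', 's'};

  // ensure that we get nulls when the key isn't there
  assertEquals(null, provider.getCredentialEntry(WebAppUtils.WEB_APP_KEY_PASSWORD_KEY));
  assertEquals(null, provider.getCredentialEntry(WebAppUtils.WEB_APP_KEYSTORE_PASSWORD_KEY));
  assertEquals(null, provider.getCredentialEntry(WebAppUtils.WEB_APP_TRUSTSTORE_PASSWORD_KEY));

  // Create the aliases. A failure propagates to the caller, so no print-and-rethrow
  // wrapper is needed.
  provider.createCredentialEntry(WebAppUtils.WEB_APP_KEY_PASSWORD_KEY, keypass);
  provider.createCredentialEntry(WebAppUtils.WEB_APP_KEYSTORE_PASSWORD_KEY, storepass);
  provider.createCredentialEntry(WebAppUtils.WEB_APP_TRUSTSTORE_PASSWORD_KEY, trustpass);
  // write out so that it can be found in checks
  provider.flush();

  // make sure we get back the right key directly from api
  assertArrayEquals(keypass,
      provider.getCredentialEntry(WebAppUtils.WEB_APP_KEY_PASSWORD_KEY).getCredential());
  assertArrayEquals(storepass,
      provider.getCredentialEntry(WebAppUtils.WEB_APP_KEYSTORE_PASSWORD_KEY).getCredential());
  assertArrayEquals(trustpass,
      provider.getCredentialEntry(WebAppUtils.WEB_APP_TRUSTSTORE_PASSWORD_KEY).getCredential());
  return conf;
}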
Example #15
Source File: TestLdapGroupsMapping.java From hadoop with Apache License 2.0 | 4 votes |
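/**
 * Verifies that LDAP bind and keystore passwords placed in a JCEKS credential store can
 * be read back through the provider and through LdapGroupsMapping.getPassword, and that
 * a missing alias yields the default value passed in.
 *
 * @throws Exception if the store cannot be reset or the provider fails
 */
@Test
public void testConfGetPassword() throws Exception {
  File testDir = new File(System.getProperty("test.build.data", "target/test-dir"));
  File storeFile = new File(testDir, "test.jks");
  // Start from an empty store. deleteIfExists throws on failure, where the unchecked
  // File.delete() would silently leave the old store in place.
  java.nio.file.Files.deleteIfExists(storeFile.toPath());

  Configuration conf = new Configuration();
  final Path jksPath = new Path(testDir.toString(), "test.jks");
  final String ourUrl = JavaKeyStoreProvider.SCHEME_NAME + "://file" + jksPath.toUri();
  conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, ourUrl);
  CredentialProvider provider = CredentialProviderFactory.getProviders(conf).get(0);

  // Test-only secrets.
  char[] bindpass = {'b', 'i', 'n', 'd', 'p', 'a', 's', 's'};
  char[] storepass = {'s', 't', 'o', 'r', 'e', 'p', 'a', 's', 's'};

  // ensure that we get nulls when the key isn't there
  assertEquals(null, provider.getCredentialEntry(LdapGroupsMapping.BIND_PASSWORD_KEY));
  assertEquals(null, provider.getCredentialEntry(LdapGroupsMapping.LDAP_KEYSTORE_PASSWORD_KEY));

  // Exceptions propagate unchanged; the test runner reports them.
  provider.createCredentialEntry(LdapGroupsMapping.BIND_PASSWORD_KEY, bindpass);
  provider.createCredentialEntry(LdapGroupsMapping.LDAP_KEYSTORE_PASSWORD_KEY, storepass);
  provider.flush();

  // make sure we get back the right key
  assertArrayEquals(bindpass,
      provider.getCredentialEntry(LdapGroupsMapping.BIND_PASSWORD_KEY).getCredential());
  assertArrayEquals(storepass,
      provider.getCredentialEntry(LdapGroupsMapping.LDAP_KEYSTORE_PASSWORD_KEY).getCredential());

  LdapGroupsMapping mapping = new LdapGroupsMapping();
  Assert.assertEquals("bindpass",
      mapping.getPassword(conf, LdapGroupsMapping.BIND_PASSWORD_KEY, ""));
  Assert.assertEquals("storepass",
      mapping.getPassword(conf, LdapGroupsMapping.LDAP_KEYSTORE_PASSWORD_KEY, ""));
  // let's make sure that a password that doesn't exist returns an
  // empty string as currently expected and used to trigger a call to
  // extract password
  Assert.assertEquals("", mapping.getPassword(conf,"invalid-alias", ""));
}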
Example #16
Source File: TestSSLFactory.java From hadoop with Apache License 2.0 | 4 votes |
/**
 * Checks that SSLFactory initialization succeeds for the given arguments. The helper
 * bootstraps a keystore, a truststore and an SSL client or server configuration file,
 * then initializes an SSLFactory. If no exception is thrown, initialization was
 * successful.
 *
 * @param mode SSLFactory.Mode mode to test
 * @param password String store password to set on keystore
 * @param keyPassword String key password to set on keystore
 * @param confPassword String store password to set in SSL config file, or null
 *   to avoid setting in SSL config file
 * @param confKeyPassword String key password to set in SSL config file, or
 *   null to avoid setting in SSL config file
 * @param useCredProvider when true, the config passwords are replaced by null and, for
 *   server mode, a credential provider path is set so the passwords are looked up by alias
 * @throws Exception for any error
 */
private void checkSSLFactoryInitWithPasswords(SSLFactory.Mode mode,
    String password, String keyPassword, String confPassword,
    String confKeyPassword, boolean useCredProvider) throws Exception {
  final String keystore = new File(KEYSTORES_DIR, "keystore.jks").getAbsolutePath();
  final String truststore = new File(KEYSTORES_DIR, "truststore.jks").getAbsolutePath();
  final String trustPassword = "trustP";

  // Create keys, certs, keystore, and truststore.
  // NOTE(review): "SHA1withRSA" is a deprecated signature algorithm. It is tolerable for
  // a short-lived test certificate, and a SHA-256 variant is preferable when this
  // fixture is next touched.
  KeyPair keyPair = KeyStoreTestUtil.generateKeyPair("RSA");
  X509Certificate cert =
      KeyStoreTestUtil.generateCertificate("CN=Test", keyPair, 30, "SHA1withRSA");
  KeyStoreTestUtil.createKeyStore(keystore, password, keyPassword, "Test",
      keyPair.getPrivate(), cert);
  Map<String, X509Certificate> trusted = Collections.singletonMap("server", cert);
  KeyStoreTestUtil.createTrustStore(truststore, trustPassword, trusted);

  // Passwords provisioned in a credential provider are left out of the config file and
  // are expected to be resolved through the provider.
  final String storePasswordInConf = useCredProvider ? null : confPassword;
  final String keyPasswordInConf = useCredProvider ? null : confKeyPassword;

  // Create SSL configuration file, for either server or client.
  final boolean serverMode = (mode == SSLFactory.Mode.SERVER);
  final String sslConfFileName = serverMode ? "ssl-server.xml" : "ssl-client.xml";
  final Configuration sslConf;
  if (serverMode) {
    sslConf = KeyStoreTestUtil.createServerSSLConfig(keystore, storePasswordInConf,
        keyPasswordInConf, truststore);
    if (useCredProvider) {
      File testDir = new File(System.getProperty("test.build.data", "target/test-dir"));
      final Path jksPath = new Path(testDir.toString(), "test.jks");
      final String ourUrl = JavaKeyStoreProvider.SCHEME_NAME + "://file" + jksPath.toUri();
      sslConf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, ourUrl);
    }
  } else {
    sslConf = KeyStoreTestUtil.createClientSSLConfig(keystore, storePasswordInConf,
        keyPasswordInConf, truststore);
  }
  KeyStoreTestUtil.saveConfig(new File(sslConfsDir, sslConfFileName), sslConf);

  // Create the master configuration for use by the SSLFactory, which by
  // default refers to the ssl-server.xml or ssl-client.xml created above.
  Configuration conf = new Configuration();
  conf.setBoolean(SSLFactory.SSL_REQUIRE_CLIENT_CERT_KEY, true);

  // Try initializing an SSLFactory. It is always destroyed afterwards.
  SSLFactory sslFactory = new SSLFactory(mode, conf);
  try {
    sslFactory.init();
  } finally {
    sslFactory.destroy();
  }
}
Example #17
Source File: TestDFSUtil.java From hadoop with Apache License 2.0 | 4 votes |
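/**
 * Stores three HTTPS password aliases in a file-backed
 * {@code JavaKeyStoreProvider} and checks that they can be read back both
 * through the provider API and through {@code DFSUtil.getPassword}.
 *
 * @throws Exception if the provider cannot be created, written or read
 */
@Test
public void testGetPassword() throws Exception {
  File testDir = new File(System.getProperty("test.build.data",
      "target/test-dir"));

  Configuration conf = new Configuration();
  final Path jksPath = new Path(testDir.toString(), "test.jks");
  final String ourUrl =
      JavaKeyStoreProvider.SCHEME_NAME + "://file" + jksPath.toUri();

  // Start from an empty store. The result of delete() is deliberately
  // ignored (the file may not exist yet); a leftover store would be caught
  // by the "alias is absent" assertions below.
  File file = new File(testDir, "test.jks");
  file.delete();
  conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, ourUrl);

  // NOTE(review): nothing in this method sets a password for the store
  // itself, so the file is protected only by whatever default the provider
  // applies. Fine for a throwaway fixture, not a pattern for real stores.
  CredentialProvider provider =
      CredentialProviderFactory.getProviders(conf).get(0);
  char[] keypass = {'k', 'e', 'y', 'p', 'a', 's', 's'};
  char[] storepass = {'s', 't', 'o', 'r', 'e', 'p', 'a', 's', 's'};
  char[] trustpass = {'t', 'r', 'u', 's', 't', 'p', 'a', 's', 's'};

  // ensure that we get nulls when the key isn't there
  Assert.assertNull(provider.getCredentialEntry(
      DFS_SERVER_HTTPS_KEYPASSWORD_KEY));
  Assert.assertNull(provider.getCredentialEntry(
      DFS_SERVER_HTTPS_KEYSTORE_PASSWORD_KEY));
  Assert.assertNull(provider.getCredentialEntry(
      DFS_SERVER_HTTPS_TRUSTSTORE_PASSWORD_KEY));

  // Create the aliases. Any failure propagates to the test runner, which
  // reports the stack trace; no catch/print/rethrow is needed.
  provider.createCredentialEntry(
      DFS_SERVER_HTTPS_KEYPASSWORD_KEY, keypass);
  provider.createCredentialEntry(
      DFS_SERVER_HTTPS_KEYSTORE_PASSWORD_KEY, storepass);
  provider.createCredentialEntry(
      DFS_SERVER_HTTPS_TRUSTSTORE_PASSWORD_KEY, trustpass);
  // write out so that it can be found in checks
  provider.flush();

  // make sure we get back the right key directly from api
  assertArrayEquals(keypass, provider.getCredentialEntry(
      DFS_SERVER_HTTPS_KEYPASSWORD_KEY).getCredential());
  assertArrayEquals(storepass, provider.getCredentialEntry(
      DFS_SERVER_HTTPS_KEYSTORE_PASSWORD_KEY).getCredential());
  assertArrayEquals(trustpass, provider.getCredentialEntry(
      DFS_SERVER_HTTPS_TRUSTSTORE_PASSWORD_KEY).getCredential());

  // Resolve the same aliases through DFSUtil.getPassword, which is given
  // only the Configuration (presumably it consults the provider path set
  // above; confirm against DFSUtil).
  Assert.assertEquals("keypass",
      DFSUtil.getPassword(conf, DFS_SERVER_HTTPS_KEYPASSWORD_KEY));
  Assert.assertEquals("storepass",
      DFSUtil.getPassword(conf, DFS_SERVER_HTTPS_KEYSTORE_PASSWORD_KEY));
  Assert.assertEquals("trustpass",
      DFSUtil.getPassword(conf, DFS_SERVER_HTTPS_TRUSTSTORE_PASSWORD_KEY));

  // let's make sure that a password that doesn't exist returns null
  Assert.assertNull(DFSUtil.getPassword(conf, "invalid-alias"));
}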
Example #18
Source File: TestWebAppUtils.java From hadoop with Apache License 2.0 | 4 votes |
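/**
 * Creates a file-backed {@code JavaKeyStoreProvider} store, writes the three
 * web-app SSL password aliases into it and verifies they read back intact.
 *
 * @return a Configuration whose credential provider path points at the
 *         freshly written store
 * @throws IOException declared by the original signature
 * @throws Exception if the provider cannot be created, written or read
 */
protected Configuration provisionCredentialsForSSL() throws IOException,
    Exception {
  File testDir = new File(System.getProperty("test.build.data",
      "target/test-dir"));

  Configuration conf = new Configuration();
  final Path jksPath = new Path(testDir.toString(), "test.jks");
  final String ourUrl =
      JavaKeyStoreProvider.SCHEME_NAME + "://file" + jksPath.toUri();

  // Start from an empty store. The result of delete() is deliberately
  // ignored (the file may not exist yet); a leftover store would be caught
  // by the "alias is absent" assertions below.
  File file = new File(testDir, "test.jks");
  file.delete();
  conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, ourUrl);

  // NOTE(review): nothing in this method sets a password for the store
  // itself, so the file is protected only by whatever default the provider
  // applies. Fine for a throwaway fixture, not a pattern for real stores.
  CredentialProvider provider =
      CredentialProviderFactory.getProviders(conf).get(0);
  char[] keypass = {'k', 'e', 'y', 'p', 'a', 's', 's'};
  char[] storepass = {'s', 't', 'o', 'r', 'e', 'p', 'a', 's', 's'};
  char[] trustpass = {'t', 'r', 'u', 's', 't', 'p', 'a', 's', 's'};

  // ensure that we get nulls when the key isn't there
  assertEquals(null, provider.getCredentialEntry(
      WebAppUtils.WEB_APP_KEY_PASSWORD_KEY));
  assertEquals(null, provider.getCredentialEntry(
      WebAppUtils.WEB_APP_KEYSTORE_PASSWORD_KEY));
  assertEquals(null, provider.getCredentialEntry(
      WebAppUtils.WEB_APP_TRUSTSTORE_PASSWORD_KEY));

  // Create the aliases. Any failure propagates to the caller, which
  // reports the stack trace; no catch/print/rethrow is needed.
  provider.createCredentialEntry(
      WebAppUtils.WEB_APP_KEY_PASSWORD_KEY, keypass);
  provider.createCredentialEntry(
      WebAppUtils.WEB_APP_KEYSTORE_PASSWORD_KEY, storepass);
  provider.createCredentialEntry(
      WebAppUtils.WEB_APP_TRUSTSTORE_PASSWORD_KEY, trustpass);
  // write out so that it can be found in checks
  provider.flush();

  // make sure we get back the right key directly from api
  assertArrayEquals(keypass, provider.getCredentialEntry(
      WebAppUtils.WEB_APP_KEY_PASSWORD_KEY).getCredential());
  assertArrayEquals(storepass, provider.getCredentialEntry(
      WebAppUtils.WEB_APP_KEYSTORE_PASSWORD_KEY).getCredential());
  assertArrayEquals(trustpass, provider.getCredentialEntry(
      WebAppUtils.WEB_APP_TRUSTSTORE_PASSWORD_KEY).getCredential());
  return conf;
}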
Example #19
Source File: SSLAndKerberosTest.java From atlas with Apache License 2.0 | 4 votes |
/**
 * Prepares the SSL + Kerberos fixture: a credential-provider URL in a fresh
 * temp directory, KDC principals, the persisted client and application
 * configuration, a logged-in test subject with a proxy user, and finally the
 * secure embedded server.
 *
 * @throws Exception if any part of the fixture cannot be created
 */
public void setUp() throws Exception {
    // Each run gets its own temp directory for the provider keystore path.
    jksPath = new Path(Files.createTempDirectory("tempproviders").toString(), "test.jks");
    providerUrl = JavaKeyStoreProvider.SCHEME_NAME + "://file/" + jksPath.toUri();

    final String persistDir = TestUtils.getTempDirectory();

    setupKDCAndPrincipals();
    setupCredentials();

    // client will actually only leverage subset of these properties
    final PropertiesConfiguration configuration = getSSLConfiguration(providerUrl);

    persistSSLClientConfiguration(configuration);

    final String appPropertiesPath =
            persistDir + File.separator + ApplicationProperties.APPLICATION_PROPERTIES;
    TestUtils.writeConfiguration(configuration, appPropertiesPath);

    // Merge in the application properties: from the classpath unless the
    // atlas.conf system property names a directory.
    final String confDir = System.getProperty("atlas.conf");
    final URL propertiesUrl = (confDir == null)
            ? SSLAndKerberosTest.class.getResource("/" + ApplicationProperties.APPLICATION_PROPERTIES)
            : new File(confDir, ApplicationProperties.APPLICATION_PROPERTIES).toURI().toURL();
    configuration.load(propertiesUrl);

    configuration.setProperty(TLS_ENABLED, true);
    configuration.setProperty("atlas.authentication.method.kerberos", "true");
    configuration.setProperty("atlas.authentication.keytab", userKeytabFile.getAbsolutePath());

    final String realm = kdc.getRealm();
    configuration.setProperty("atlas.authentication.principal", "dgi/localhost@" + realm);

    // Several keys are assigned twice in this method. File authentication
    // is set to "false" here and to "true" further down, and the Kerberos
    // method is set to "true" a second time; the later call is the one
    // made last on each key.
    configuration.setProperty("atlas.authentication.method.file", "false");
    configuration.setProperty("atlas.authentication.method.trustedproxy", "false");
    configuration.setProperty("atlas.authentication.method.kerberos", "true");
    configuration.setProperty("atlas.authentication.method.kerberos.principal",
            "HTTP/localhost@" + realm);
    configuration.setProperty("atlas.authentication.method.kerberos.keytab",
            httpKeytabFile.getAbsolutePath());
    configuration.setProperty("atlas.authentication.method.kerberos.name.rules",
            "RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//\nDEFAULT");

    configuration.setProperty("atlas.authentication.method.file", "true");
    configuration.setProperty("atlas.authentication.method.file.filename",
            persistDir + "/users-credentials");
    configuration.setProperty("atlas.auth.policy.file", persistDir + "/policy-store.txt");

    TestUtils.writeConfiguration(configuration,
            persistDir + File.separator + "atlas-application.properties");

    setupUserCredential(persistDir);
    setUpPolicyStore(persistDir);

    // Log in the test subject, then derive a proxy user from that login.
    subject = loginTestUser();
    UserGroupInformation.loginUserFromSubject(subject);
    final UserGroupInformation proxyUser = UserGroupInformation.createProxyUser(
            "testUser",
            UserGroupInformation.getLoginUser());

    // save original setting
    originalConf = System.getProperty("atlas.conf");
    System.setProperty("atlas.conf", persistDir);

    originalHomeDir = System.getProperty("atlas.home");
    System.setProperty("atlas.home", TestUtils.getTargetDirectory());

    // The client is constructed inside doAs so that it is created as the
    // proxy user.
    dgiCLient = proxyUser.doAs(new PrivilegedExceptionAction<AtlasClient>() {
        @Override
        public AtlasClient run() throws Exception {
            return new AtlasClient(configuration, DGI_URL);
        }
    });

    // The embedded server serves the same in-memory configuration.
    secureEmbeddedServer = new TestSecureEmbeddedServer(21443, getWarPath()) {
        @Override
        public PropertiesConfiguration getConfiguration() {
            return configuration;
        }
    };
    secureEmbeddedServer.getServer().start();
}
Example #20
Source File: NegativeSSLAndKerberosTest.java From atlas with Apache License 2.0 | 4 votes |
/**
 * Prepares the negative SSL + Kerberos fixture: a credential-provider URL in
 * a fresh temp directory, KDC principals, the persisted client and
 * application configuration, a plain {@code AtlasClient}, and the secure
 * embedded server.
 *
 * @throws Exception if any part of the fixture cannot be created
 */
public void setUp() throws Exception {
    // Each run gets its own temp directory for the provider keystore path.
    jksPath = new Path(Files.createTempDirectory("tempproviders").toString(), "test.jks");
    providerUrl = JavaKeyStoreProvider.SCHEME_NAME + "://file/" + jksPath.toUri();

    final String persistDir = TestUtils.getTempDirectory();

    setupKDCAndPrincipals();
    setupCredentials();

    // client will actually only leverage subset of these properties
    final PropertiesConfiguration configuration = getSSLConfiguration(providerUrl);

    persistSSLClientConfiguration(configuration);

    final String appPropertiesPath =
            persistDir + File.separator + ApplicationProperties.APPLICATION_PROPERTIES;
    TestUtils.writeConfiguration(configuration, appPropertiesPath);

    // Merge in the application properties: from the classpath unless the
    // atlas.conf system property names a directory.
    final String confDir = System.getProperty("atlas.conf");
    final URL propertiesUrl = (confDir == null)
            ? NegativeSSLAndKerberosTest.class.getResource("/" + ApplicationProperties.APPLICATION_PROPERTIES)
            : new File(confDir, ApplicationProperties.APPLICATION_PROPERTIES).toURI().toURL();
    configuration.load(propertiesUrl);

    configuration.setProperty(TLS_ENABLED, true);
    configuration.setProperty("atlas.authentication.method.kerberos", "true");
    configuration.setProperty("atlas.authentication.keytab", userKeytabFile.getAbsolutePath());

    final String realm = kdc.getRealm();
    configuration.setProperty("atlas.authentication.principal", "dgi/localhost@" + realm);

    // Two keys are assigned twice in this method. File authentication is
    // set to "false" here and to "true" further down, and the Kerberos
    // method is set to "true" a second time; the later call is the one
    // made last on each key.
    configuration.setProperty("atlas.authentication.method.file", "false");
    configuration.setProperty("atlas.authentication.method.kerberos", "true");
    configuration.setProperty("atlas.authentication.method.kerberos.principal",
            "HTTP/localhost@" + realm);
    configuration.setProperty("atlas.authentication.method.kerberos.keytab",
            httpKeytabFile.getAbsolutePath());
    configuration.setProperty("atlas.authentication.method.kerberos.name.rules",
            "RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//\nDEFAULT");

    configuration.setProperty("atlas.authentication.method.file", "true");
    configuration.setProperty("atlas.authentication.method.file.filename",
            persistDir + "/users-credentials");
    configuration.setProperty("atlas.auth.policy.file", persistDir + "/policy-store.txt");
    configuration.setProperty("atlas.authentication.method.trustedproxy", "false");

    // Second write to the same path, now including the settings above.
    TestUtils.writeConfiguration(configuration, appPropertiesPath);

    setupUserCredential(persistDir);
    setUpPolicyStore(persistDir);

    // save original setting
    originalConf = System.getProperty("atlas.conf");
    System.setProperty("atlas.conf", persistDir);

    // Unlike a doAs-wrapped client, this one is built directly on the
    // calling thread; no login or proxy user is established in this method.
    dgiClient = new AtlasClient(configuration, DGI_URL);

    // The embedded server serves the same in-memory configuration.
    secureEmbeddedServer = new TestSecureEmbeddedServer(21443, getWarPath()) {
        @Override
        public Configuration getConfiguration() {
            return configuration;
        }
    };
    secureEmbeddedServer.getServer().start();
}