NIFI-7730 Added regression tests for multiple certificate keystores.

Cleaned up JettyServer code.
Changed test logging severity to include debug statements.
Added test resources.

This closes #4498.

Co-authored-by: Kotaro Terada <kotarot@apache.org>
This commit is contained in:
Kotaro Terada 2020-08-11 18:19:23 +09:00 committed by Andy LoPresto
parent 1e6619b91f
commit c3cab48325
No known key found for this signature in database
GPG Key ID: 6EC293152D90B61D
18 changed files with 136 additions and 98 deletions

View File

@ -453,7 +453,7 @@ public class TestHttpClient {
final ServletHandler wrongPathServletHandler = new ServletHandler();
wrongPathContextHandler.insertHandler(wrongPathServletHandler);
final SslContextFactory sslContextFactory = new SslContextFactory();
final SslContextFactory sslContextFactory = new SslContextFactory.Server();
sslContextFactory.setKeyStorePath("src/test/resources/certs/keystore.jks");
sslContextFactory.setKeyStorePassword("passwordpassword");
sslContextFactory.setKeyStoreType("JKS");

View File

@ -975,19 +975,13 @@ public class JettyServer implements NiFiServer, ExtensionUiLoader {
}
private SslContextFactory createSslContextFactory() {
final SslContextFactory contextFactory = new SslContextFactory();
configureSslContextFactory(contextFactory, props);
return contextFactory;
final SslContextFactory.Server serverContextFactory = new SslContextFactory.Server();
configureSslContextFactory(serverContextFactory, props);
return serverContextFactory;
}
protected static void configureSslContextFactory(SslContextFactory contextFactory, NiFiProperties props) {
// Need to set SslContextFactory's endpointIdentificationAlgorithm to null; this is a server,
// not a client. Server does not need to perform hostname verification on the client.
// Previous to Jetty 9.4.15.v20190215, this defaulted to null, and now defaults to "HTTPS".
contextFactory.setEndpointIdentificationAlgorithm(null);
protected static void configureSslContextFactory(SslContextFactory.Server contextFactory, NiFiProperties props) {
// Explicitly exclude legacy TLS protocol versions
// contextFactory.setProtocol(CertificateUtils.getHighestCurrentSupportedTlsProtocolVersion());
contextFactory.setIncludeProtocols(CertificateUtils.getCurrentSupportedTlsProtocolVersions());
contextFactory.setExcludeProtocols("TLS", "TLSv1", "TLSv1.1", "SSL", "SSLv2", "SSLv2Hello", "SSLv3");

View File

@ -19,6 +19,9 @@ package org.apache.nifi.web.server
import org.apache.log4j.AppenderSkeleton
import org.apache.log4j.spi.LoggingEvent
import org.apache.nifi.bundle.Bundle
import org.apache.nifi.nar.ExtensionManagerHolder
import org.apache.nifi.nar.ExtensionMapping
import org.apache.nifi.nar.SystemBundle
import org.apache.nifi.processor.DataUnit
import org.apache.nifi.properties.StandardNiFiProperties
import org.apache.nifi.security.util.CertificateUtils
@ -121,6 +124,8 @@ class JettyServerGroovyTest extends GroovyTestCase {
@After
void tearDown() throws Exception {
// Cleans up the EMH so it can be reinitialized when a new Jetty server starts
ExtensionManagerHolder.INSTANCE = null
TestAppender.reset()
}
@ -196,10 +201,9 @@ class JettyServerGroovyTest extends GroovyTestCase {
assert !bothConfigsPresentForHttp
assert !bothConfigsPresentForHttps
// Verifies that the warning was not logged
assert log.size() == 2
assert log.first() == "Both configs present for HTTP properties: false"
assert log.last() == "Both configs present for HTTPS properties: false"
// Verifies that the warning was not logged (messages are duplicated because of log4j.properties settings)
assert log.size() == 4
assert log.every { it =~ "Both configs present for HTTPS? properties: false" }
}
@Test
@ -242,10 +246,84 @@ class JettyServerGroovyTest extends GroovyTestCase {
// Assertions defined above
}
/**
* Regression test added after NiFi 1.12.0 because Jetty upgrade to 9.4.26 no longer works
* with multiple certificate keystores.
*/
@Test
void testShouldStartWithMultipleCertificatePKCS12Keystore() {
// Arrange
final String externalHostname = "localhost"
NiFiProperties httpsProps = new StandardNiFiProperties(rawProperties: new Properties([
(NiFiProperties.WEB_HTTPS_PORT): HTTPS_PORT as String,
(NiFiProperties.WEB_HTTPS_HOST): externalHostname,
(NiFiProperties.SECURITY_KEYSTORE): "src/test/resources/multiple_cert_keystore.p12",
(NiFiProperties.SECURITY_KEYSTORE_PASSWD): "passwordpassword",
(NiFiProperties.SECURITY_KEYSTORE_TYPE): "PKCS12",
(NiFiProperties.NAR_LIBRARY_DIRECTORY): "target/"
]))
JettyServer jetty = createJettyServer(httpsProps)
Server internalServer = jetty.server
List<Connector> connectors = Arrays.asList(internalServer.connectors)
// Act
jetty.start()
// Assert
assertServerConnector(connectors, "TLS", CURRENT_TLS_PROTOCOL_VERSIONS, CURRENT_TLS_PROTOCOL_VERSIONS, externalHostname, HTTPS_PORT)
// Clean up
jetty.stop()
}
/**
* Regression test added after NiFi 1.12.0 because Jetty upgrade to 9.4.26 no longer works
* with multiple certificate keystores.
*/
@Test
void testShouldStartWithMultipleCertificateJKSKeystore() {
// Arrange
final String externalHostname = "localhost"
NiFiProperties httpsProps = new StandardNiFiProperties(rawProperties: new Properties([
(NiFiProperties.WEB_HTTPS_PORT): HTTPS_PORT as String,
(NiFiProperties.WEB_HTTPS_HOST): externalHostname,
(NiFiProperties.SECURITY_KEYSTORE): "src/test/resources/multiple_cert_keystore.jks",
(NiFiProperties.SECURITY_KEYSTORE_PASSWD): "passwordpassword",
(NiFiProperties.SECURITY_KEYSTORE_TYPE): "JKS",
(NiFiProperties.NAR_LIBRARY_DIRECTORY): "target/"
]))
JettyServer jetty = createJettyServer(httpsProps)
Server internalServer = jetty.server
List<Connector> connectors = Arrays.asList(internalServer.connectors)
// Act
jetty.start()
// Assert
assertServerConnector(connectors, "TLS", CURRENT_TLS_PROTOCOL_VERSIONS, CURRENT_TLS_PROTOCOL_VERSIONS, externalHostname, HTTPS_PORT)
// Clean up
jetty.stop()
}
private static JettyServer createJettyServer(StandardNiFiProperties httpsProps) {
Server internalServer = new Server()
JettyServer jetty = new JettyServer(internalServer, httpsProps)
jetty.systemBundle = SystemBundle.create(httpsProps)
jetty.bundles = [] as Set<Bundle>
jetty.extensionMapping = [size: { -> 0 }] as ExtensionMapping
jetty.configureHttpsConnector(internalServer, new HttpConfiguration())
jetty
}
@Test
void testShouldConfigureHTTPSConnector() {
// Arrange
final String externalHostname = "secure.host.com"
final String externalHostname = "localhost"
NiFiProperties httpsProps = new StandardNiFiProperties(rawProperties: new Properties([
(NiFiProperties.WEB_HTTPS_PORT): HTTPS_PORT as String,
@ -260,9 +338,7 @@ class JettyServerGroovyTest extends GroovyTestCase {
List<Connector> connectors = Arrays.asList(internalServer.connectors)
// Assert
// Set the expected TLS protocols to null because no actual keystore/truststore is loaded here
assertServerConnector(connectors, "TLS", null, null, externalHostname, HTTPS_PORT)
assertServerConnector(connectors, "TLS", CURRENT_TLS_PROTOCOL_VERSIONS, CURRENT_TLS_PROTOCOL_VERSIONS, externalHostname, HTTPS_PORT)
}
@Test
@ -411,16 +487,13 @@ class JettyServerGroovyTest extends GroovyTestCase {
assert connector.port == EXPECTED_PORT
assert connector.getProtocols() == ['ssl', 'http/1.1']
// This kind of testing is not ideal as it breaks encapsulation, but is necessary to enforce verification of the TLS protocol versions specified
SslConnectionFactory connectionFactory = connector.getConnectionFactory("ssl") as SslConnectionFactory
SslContextFactory sslContextFactory = connectionFactory._sslContextFactory as SslContextFactory
SslContextFactory sslContextFactory = connectionFactory.getSslContextFactory()
logger.debug("SSL Context Factory: ${sslContextFactory.dump()}")
// Using the getters is subject to NPE due to blind array copies
assert sslContextFactory._sslProtocol == EXPECTED_TLS_PROTOCOL
assert sslContextFactory._includeProtocols.containsAll(EXPECTED_INCLUDED_PROTOCOLS ?: Collections.emptySet())
assert (sslContextFactory._excludeProtocols as List<String>).containsAll(LEGACY_TLS_PROTOCOLS)
assert sslContextFactory._selectedProtocols == EXPECTED_SELECTED_PROTOCOLS as String[]
assert sslContextFactory.getProtocol() == EXPECTED_TLS_PROTOCOL
assert Arrays.asList(sslContextFactory.getIncludeProtocols()).containsAll(EXPECTED_INCLUDED_PROTOCOLS ?: Collections.emptySet())
assert (sslContextFactory.getExcludeProtocols() as List<String>).containsAll(LEGACY_TLS_PROTOCOLS)
}
@Test

View File

@ -43,12 +43,12 @@ public class JettyServerTest {
addProps.put(NiFiProperties.SECURITY_KEYSTORE_PASSWD, testKeystorePassword);
addProps.put(NiFiProperties.SECURITY_KEY_PASSWD, testKeyPassword);
NiFiProperties nifiProperties = NiFiProperties.createBasicNiFiProperties(null, addProps);
SslContextFactory contextFactory = mock(SslContextFactory.class);
SslContextFactory.Server mockSCF = mock(SslContextFactory.Server.class);
JettyServer.configureSslContextFactory(contextFactory, nifiProperties);
JettyServer.configureSslContextFactory(mockSCF, nifiProperties);
verify(contextFactory).setKeyStorePassword(testKeystorePassword);
verify(contextFactory).setKeyManagerPassword(testKeyPassword);
verify(mockSCF).setKeyStorePassword(testKeystorePassword);
verify(mockSCF).setKeyManagerPassword(testKeyPassword);
}
@Test
@ -59,12 +59,12 @@ public class JettyServerTest {
final Map<String, String> addProps = new HashMap<>();
addProps.put(NiFiProperties.SECURITY_KEY_PASSWD, testKeyPassword);
NiFiProperties nifiProperties = NiFiProperties.createBasicNiFiProperties(null, addProps);
SslContextFactory contextFactory = mock(SslContextFactory.class);
SslContextFactory.Server mockSCF = mock(SslContextFactory.Server.class);
JettyServer.configureSslContextFactory(contextFactory, nifiProperties);
JettyServer.configureSslContextFactory(mockSCF, nifiProperties);
verify(contextFactory).setKeyManagerPassword(testKeyPassword);
verify(contextFactory, never()).setKeyStorePassword(anyString());
verify(mockSCF).setKeyManagerPassword(testKeyPassword);
verify(mockSCF, never()).setKeyStorePassword(anyString());
}
@Test
@ -75,12 +75,12 @@ public class JettyServerTest {
final Map<String, String> addProps = new HashMap<>();
addProps.put(NiFiProperties.SECURITY_KEYSTORE_PASSWD, testKeystorePassword);
NiFiProperties nifiProperties = NiFiProperties.createBasicNiFiProperties(null, addProps);
SslContextFactory contextFactory = mock(SslContextFactory.class);
SslContextFactory.Server mockSCF = mock(SslContextFactory.Server.class);
JettyServer.configureSslContextFactory(contextFactory, nifiProperties);
JettyServer.configureSslContextFactory(mockSCF, nifiProperties);
verify(contextFactory).setKeyStorePassword(testKeystorePassword);
verify(contextFactory).setKeyManagerPassword(testKeystorePassword);
verify(mockSCF).setKeyStorePassword(testKeystorePassword);
verify(mockSCF).setKeyManagerPassword(testKeystorePassword);
}
@Test
@ -90,12 +90,12 @@ public class JettyServerTest {
String keyStoreType = KeystoreType.JKS.toString();
addProps.put(NiFiProperties.SECURITY_KEYSTORE_TYPE, keyStoreType);
NiFiProperties nifiProperties = NiFiProperties.createBasicNiFiProperties(null, addProps);
SslContextFactory contextFactory = mock(SslContextFactory.class);
SslContextFactory.Server mockSCF = mock(SslContextFactory.Server.class);
JettyServer.configureSslContextFactory(contextFactory, nifiProperties);
JettyServer.configureSslContextFactory(mockSCF, nifiProperties);
verify(contextFactory).setKeyStoreType(keyStoreType);
verify(contextFactory).setKeyStoreProvider(SUN_PROVIDER_NAME);
verify(mockSCF).setKeyStoreType(keyStoreType);
verify(mockSCF).setKeyStoreProvider(SUN_PROVIDER_NAME);
}
@Test
@ -105,12 +105,12 @@ public class JettyServerTest {
String keyStoreType = KeystoreType.PKCS12.toString();
addProps.put(NiFiProperties.SECURITY_KEYSTORE_TYPE, keyStoreType);
NiFiProperties nifiProperties = NiFiProperties.createBasicNiFiProperties(null, addProps);
SslContextFactory contextFactory = mock(SslContextFactory.class);
SslContextFactory.Server mockSCF = mock(SslContextFactory.Server.class);
JettyServer.configureSslContextFactory(contextFactory, nifiProperties);
JettyServer.configureSslContextFactory(mockSCF, nifiProperties);
verify(contextFactory).setKeyStoreType(keyStoreType);
verify(contextFactory).setKeyStoreProvider(BouncyCastleProvider.PROVIDER_NAME);
verify(mockSCF).setKeyStoreType(keyStoreType);
verify(mockSCF).setKeyStoreProvider(BouncyCastleProvider.PROVIDER_NAME);
}
@Test
@ -120,12 +120,12 @@ public class JettyServerTest {
String trustStoreType = KeystoreType.JKS.toString();
addProps.put(NiFiProperties.SECURITY_TRUSTSTORE_TYPE, trustStoreType);
NiFiProperties nifiProperties = NiFiProperties.createBasicNiFiProperties(null, addProps);
SslContextFactory contextFactory = mock(SslContextFactory.class);
SslContextFactory.Server mockSCF = mock(SslContextFactory.Server.class);
JettyServer.configureSslContextFactory(contextFactory, nifiProperties);
JettyServer.configureSslContextFactory(mockSCF, nifiProperties);
verify(contextFactory).setTrustStoreType(trustStoreType);
verify(contextFactory).setTrustStoreProvider(SUN_PROVIDER_NAME);
verify(mockSCF).setTrustStoreType(trustStoreType);
verify(mockSCF).setTrustStoreProvider(SUN_PROVIDER_NAME);
}
@Test
@ -135,11 +135,11 @@ public class JettyServerTest {
String trustStoreType = KeystoreType.PKCS12.toString();
addProps.put(NiFiProperties.SECURITY_TRUSTSTORE_TYPE, trustStoreType);
NiFiProperties nifiProperties = NiFiProperties.createBasicNiFiProperties(null, addProps);
SslContextFactory contextFactory = mock(SslContextFactory.class);
SslContextFactory.Server mockSCF = mock(SslContextFactory.Server.class);
JettyServer.configureSslContextFactory(contextFactory, nifiProperties);
JettyServer.configureSslContextFactory(mockSCF, nifiProperties);
verify(contextFactory).setTrustStoreType(trustStoreType);
verify(contextFactory).setTrustStoreProvider(BouncyCastleProvider.PROVIDER_NAME);
verify(mockSCF).setTrustStoreType(trustStoreType);
verify(mockSCF).setTrustStoreProvider(BouncyCastleProvider.PROVIDER_NAME);
}
}

View File

@ -16,6 +16,7 @@
#
log4j.rootLogger=INFO,console,test
log4j.logger.org.apache.nifi.web=DEBUG,console,test
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.console.Target=System.err

View File

@ -77,12 +77,7 @@ public class NiFiTestServer {
// TODO: Refactor this method to use proper factory methods
private void createSecureConnector() {
org.eclipse.jetty.util.ssl.SslContextFactory contextFactory = new org.eclipse.jetty.util.ssl.SslContextFactory();
// Need to set SslContextFactory's endpointIdentificationAlgorithm to null; this is a server,
// not a client. Server does not need to perform hostname verification on the client.
// Previous to Jetty 9.4.15.v20190215, this defaulted to null, and now defaults to "HTTPS".
contextFactory.setEndpointIdentificationAlgorithm(null);
org.eclipse.jetty.util.ssl.SslContextFactory contextFactory = new org.eclipse.jetty.util.ssl.SslContextFactory.Server();
// require client auth when not supporting login or anonymous access
if (StringUtils.isBlank(properties.getProperty(NiFiProperties.SECURITY_USER_LOGIN_IDENTITY_PROVIDER))) {

View File

@ -113,7 +113,7 @@ public class PrometheusServer {
}
private SslContextFactory createSslFactory(final SSLContextService sslService, boolean needClientAuth, boolean wantClientAuth) {
SslContextFactory sslFactory = new SslContextFactory();
SslContextFactory sslFactory = new SslContextFactory.Server();
sslFactory.setNeedClientAuth(needClientAuth);
sslFactory.setWantClientAuth(wantClientAuth);

View File

@ -520,18 +520,13 @@ public class HandleHttpRequest extends AbstractProcessor {
}
private SslContextFactory createSslFactory(final SSLContextService sslService, final boolean needClientAuth, final boolean wantClientAuth) {
final SslContextFactory sslFactory = new SslContextFactory();
final SslContextFactory sslFactory = new SslContextFactory.Server();
sslFactory.setNeedClientAuth(needClientAuth);
sslFactory.setWantClientAuth(wantClientAuth);
sslFactory.setProtocol(sslService.getSslAlgorithm());
// Need to set SslContextFactory's endpointIdentificationAlgorithm to null; this is a server,
// not a client. Server does not need to perform hostname verification on the client.
// Previous to Jetty 9.4.15.v20190215, this defaulted to null.
sslFactory.setEndpointIdentificationAlgorithm(null);
if (sslService.isKeyStoreConfigured()) {
sslFactory.setKeyStorePath(sslService.getKeyStoreFile());
sslFactory.setKeyStorePassword(sslService.getKeyStorePassword());

View File

@ -256,14 +256,9 @@ public class ListenHTTP extends AbstractSessionFactoryProcessor {
final boolean needClientAuth = sslContextService != null && sslContextService.getTrustStoreFile() != null;
final SslContextFactory contextFactory = new SslContextFactory();
final SslContextFactory contextFactory = new SslContextFactory.Server();
contextFactory.setNeedClientAuth(needClientAuth);
// Need to set SslContextFactory's endpointIdentificationAlgorithm to null; this is a server,
// not a client. Server does not need to perform hostname verification on the client.
// Previous to Jetty 9.4.15.v20190215, this defaulted to null, and now defaults to "HTTPS".
contextFactory.setEndpointIdentificationAlgorithm(null);
if (needClientAuth) {
contextFactory.setTrustStorePath(sslContextService.getTrustStoreFile());
contextFactory.setTrustStoreType(sslContextService.getTrustStoreType());

View File

@ -141,7 +141,7 @@ class TestGetHTTPGroovy extends GroovyTestCase {
private
static SslContextFactory createSslContextFactory(List supportedProtocols = DEFAULT_PROTOCOLS, List supportedCipherSuites = DEFAULT_CIPHER_SUITES) {
final SslContextFactory contextFactory = new SslContextFactory()
final SslContextFactory contextFactory = new SslContextFactory.Server()
contextFactory.needClientAuth = false
contextFactory.wantClientAuth = false

View File

@ -133,7 +133,7 @@ class TestPostHTTPGroovy extends GroovyTestCase {
private
static SslContextFactory createSslContextFactory(List supportedProtocols = DEFAULT_PROTOCOLS, List supportedCipherSuites = DEFAULT_CIPHER_SUITES) {
final SslContextFactory contextFactory = new SslContextFactory()
final SslContextFactory contextFactory = new SslContextFactory.Server()
contextFactory.needClientAuth = false
contextFactory.wantClientAuth = false

View File

@ -76,7 +76,7 @@ public class TestServer {
}
private void createSecureConnector(final Map<String, String> sslProperties) {
SslContextFactory ssl = new SslContextFactory();
SslContextFactory ssl = new SslContextFactory.Server();
if (sslProperties.get(StandardSSLContextService.KEYSTORE.getName()) != null) {
ssl.setKeyStorePath(sslProperties.get(StandardSSLContextService.KEYSTORE.getName()));
@ -97,11 +97,6 @@ public class TestServer {
ssl.setNeedClientAuth(Boolean.parseBoolean(clientAuth));
}
// Need to set SslContextFactory's endpointIdentificationAlgorithm to null; this is a server,
// not a client. Server does not need to perform hostname verification on the client.
// Previous to Jetty 9.4.15.v20190215, this defaulted to null, and now defaults to "HTTPS".
ssl.setEndpointIdentificationAlgorithm(null);
// build the connector
final ServerConnector https = new ServerConnector(jetty, ssl);

View File

@ -67,7 +67,7 @@ public abstract class AbstractJettyWebSocketService extends AbstractWebSocketSer
protected SslContextFactory createSslFactory(final SSLContextService sslService, final boolean needClientAuth, final boolean wantClientAuth, final String endpointIdentificationAlgorithm) {
final SslContextFactory sslFactory = new SslContextFactory();
final SslContextFactory sslFactory = new SslContextFactory.Server();
sslFactory.setNeedClientAuth(needClientAuth);
sslFactory.setWantClientAuth(wantClientAuth);

View File

@ -46,7 +46,7 @@ public class WebSocketClientExample {
String destUri = "wss://localhost:50010/test";
final CountDownLatch replyLatch = new CountDownLatch(1);
final SslContextFactory sslContextFactory = new SslContextFactory();
final SslContextFactory sslContextFactory = new SslContextFactory.Client();
sslContextFactory.setKeyStorePath("src/test/resources/certs/keystore.jks");
sslContextFactory.setKeyStorePassword("passwordpassword");
sslContextFactory.setKeyStoreType("JKS");

View File

@ -152,16 +152,11 @@ public class WebSocketServerExample {
httpConnector = new ServerConnector(server);
httpConnector.setPort(50010);
final SslContextFactory sslContextFactory = new SslContextFactory();
final SslContextFactory sslContextFactory = new SslContextFactory.Server();
sslContextFactory.setKeyStorePath("src/test/resources/certs/keystore.jks");
sslContextFactory.setKeyStorePassword("passwordpassword");
sslContextFactory.setKeyStoreType("JKS");
// Need to set SslContextFactory's endpointIdentificationAlgorithm to null; this is a server,
// not a client. Server does not need to perform hostname verification on the client.
// Previous to Jetty 9.4.15.v20190215, this defaulted to null, and now defaults to "HTTPS".
sslContextFactory.setEndpointIdentificationAlgorithm(null);
final HttpConfiguration https = new HttpConfiguration();
https.addCustomizer(new SecureRequestCustomizer());
sslConnector = new ServerConnector(server,

View File

@ -62,16 +62,11 @@ public class TlsCertificateAuthorityService {
private static Server createServer(Handler handler, int port, KeyStore keyStore, String keyPassword) throws Exception {
Server server = new Server();
SslContextFactory sslContextFactory = new SslContextFactory();
SslContextFactory sslContextFactory = new SslContextFactory.Server();
sslContextFactory.setIncludeProtocols(CertificateUtils.getHighestCurrentSupportedTlsProtocolVersion());
sslContextFactory.setKeyStore(keyStore);
sslContextFactory.setKeyManagerPassword(keyPassword);
// Need to set SslContextFactory's endpointIdentificationAlgorithm to null; this is a server,
// not a client. Server does not need to perform hostname verification on the client.
// Previous to Jetty 9.4.15.v20190215, this defaulted to null, and now defaults to "HTTPS".
sslContextFactory.setEndpointIdentificationAlgorithm(null);
HttpConfiguration httpsConfig = new HttpConfiguration();
httpsConfig.addCustomizer(new SecureRequestCustomizer());