From kmin...@apache.org
Subject knox git commit: [KNOX-674] - Expose Jetty's SSL cipher suite configuration via gateway-site.xml
Date Mon, 29 Feb 2016 23:42:10 GMT
Repository: knox
Updated Branches:
  refs/heads/master a70a3b56c -> 3f5670db4


[KNOX-674] - Expose Jetty's SSL cipher suite configuration via gateway-site.xml


Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/3f5670db
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/3f5670db
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/3f5670db

Branch: refs/heads/master
Commit: 3f5670db42ef684d814b0fb31794c6771f574c9f
Parents: a70a3b5
Author: Kevin Minder <kminder@apache.org>
Authored: Mon Feb 29 18:42:05 2016 -0500
Committer: Kevin Minder <kminder@apache.org>
Committed: Mon Feb 29 18:42:05 2016 -0500

----------------------------------------------------------------------
 CHANGES                                         |   1 +
 .../gateway/config/impl/GatewayConfigImpl.java  |  22 ++
 .../services/security/impl/JettySSLService.java |  15 +-
 .../config/impl/GatewayConfigImplTest.java      |  58 ++++
 .../hadoop/gateway/config/GatewayConfig.java    |   4 +
 .../hadoop/gateway/GatewayTestConfig.java       |  10 +
 .../hadoop/gateway/GatewaySslFuncTest.java      | 343 +++++++++++++++++++
 .../hadoop/gateway/GatewayTestConfig.java       |  56 ++-
 .../GatewaySslFuncTest/test-admin-topology.xml  |  53 +++
 .../gateway/GatewaySslFuncTest/users.ldif       |  42 +++
 10 files changed, 589 insertions(+), 15 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/knox/blob/3f5670db/CHANGES
----------------------------------------------------------------------
diff --git a/CHANGES b/CHANGES
index 8f364c3..bccc54e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -3,6 +3,7 @@ Release Notes - Apache Knox - Version 0.9.0
 ------------------------------------------------------------------------------
 ** New Feature
     * [KNOX-670] - Knox should be able to sost simple web apps
+    * [KNOX-674] - Expose Jetty's SSL cipher suite configuration via gateway-site.xml
 ** Improvement
 ** Bug
 

http://git-wip-us.apache.org/repos/asf/knox/blob/3f5670db/gateway-server/src/main/java/org/apache/hadoop/gateway/config/impl/GatewayConfigImpl.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/config/impl/GatewayConfigImpl.java
b/gateway-server/src/main/java/org/apache/hadoop/gateway/config/impl/GatewayConfigImpl.java
index cdaa96d..4c0d769 100644
--- a/gateway-server/src/main/java/org/apache/hadoop/gateway/config/impl/GatewayConfigImpl.java
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/config/impl/GatewayConfigImpl.java
@@ -133,6 +133,8 @@ public class GatewayConfigImpl extends Configuration implements GatewayConfig
{
   // LET'S NOT CONTINUE THIS PATTERN BUT LEAVE THEM FOR NOW.
   private static final String SSL_ENABLED = "ssl.enabled";
   private static final String SSL_EXCLUDE_PROTOCOLS = "ssl.exclude.protocols";
+  private static final String SSL_INCLUDE_CIPHERS = "ssl.include.ciphers";
+  private static final String SSL_EXCLUDE_CIPHERS = "ssl.exclude.ciphers";
   // END BACKWARD COMPATIBLE BLOCK
   
   public static final String DEFAULT_HTTP_PORT = "8888";
@@ -414,6 +416,26 @@ public class GatewayConfigImpl extends Configuration implements GatewayConfig
{
     return protocols;
   }
 
+  @Override
+  public List<String> getIncludedSSLCiphers() {
+    List<String> list = null;
+    String value = get(SSL_INCLUDE_CIPHERS);
+    if (value != null && !value.isEmpty() && !"none".equalsIgnoreCase(value.trim()))
{
+      list = Arrays.asList(value.trim().split("\\s*,\\s*"));
+    }
+    return list;
+  }
+
+  @Override
+  public List<String> getExcludedSSLCiphers() {
+    List<String> list = null;
+    String value = get(SSL_EXCLUDE_CIPHERS);
+    if (value != null && !value.isEmpty() && !"none".equalsIgnoreCase(value.trim()))
{
+      list = Arrays.asList(value.trim().split("\\s*,\\s*"));
+    }
+    return list;
+  }
+
   /* (non-Javadoc)
    * @see org.apache.hadoop.gateway.config.GatewayConfig#isClientAuthNeeded()
    */
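Review bot: A whitespace-only value slips past the guard in getIncludedSSLCiphers and getExcludedSSLCiphers: `!value.isEmpty()` is tested before trimming, so `" "` reaches `split` and yields a list holding one empty string, which JettySSLService would then hand to Jetty as a cipher-suite pattern. Testing the trimmed value once closes that gap, and a trailing comma (`"A,"`) still produces an empty last entry, so dropping blank items after the split is worth doing in the same place. The two methods are otherwise identical apart from the property key, so a private helper keeps the parsing in one spot; the version below needs `java.util.ArrayList` in the import block, which lies outside this hunk.
```java
  @Override
  public List<String> getIncludedSSLCiphers() {
    return getTrimmedListValue( SSL_INCLUDE_CIPHERS );
  }

  @Override
  public List<String> getExcludedSSLCiphers() {
    return getTrimmedListValue( SSL_EXCLUDE_CIPHERS );
  }

  // Parses a comma-separated property; null, blank or "none" means "not configured".
  private List<String> getTrimmedListValue( String key ) {
    String value = get( key );
    if ( value == null ) {
      return null;
    }
    value = value.trim();
    if ( value.isEmpty() || "none".equalsIgnoreCase( value ) ) {
      return null;
    }
    List<String> list = new ArrayList<String>();
    for ( String item : value.split( "\\s*,\\s*" ) ) {
      if ( !item.isEmpty() ) {
        list.add( item );
      }
    }
    return list.isEmpty() ? null : list;
  }
```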

http://git-wip-us.apache.org/repos/asf/knox/blob/3f5670db/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java
b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java
index 58a699f..cb69509 100644
--- a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java
@@ -24,7 +24,6 @@ import java.security.cert.X509Certificate;
 import java.util.Date;
 import java.util.List;
 import java.util.Map;
-
 import javax.security.auth.x500.X500Principal;
 
 import org.apache.hadoop.gateway.GatewayMessages;
@@ -51,6 +50,8 @@ public class JettySSLService implements SSLService {
   private MasterService ms;
   private KeystoreService ks;
   private AliasService as;
+  private List<String> sslIncludeCiphers = null;
+  private List<String> sslExcludeCiphers = null;
   private List<String> sslExcludeProtocols = null;
   private boolean clientAuthNeeded;
   private boolean trustAllCerts;
@@ -116,6 +117,8 @@ public class JettySSLService implements SSLService {
     }
 
     keystoreType = config.getKeystoreType();
+    sslIncludeCiphers = config.getIncludedSSLCiphers();
+    sslExcludeCiphers = config.getExcludedSSLCiphers();
     sslExcludeProtocols = config.getExcludedSSLProtocols();
     clientAuthNeeded = config.isClientAuthNeeded();
     truststorePath = config.getTruststorePath();
@@ -206,8 +209,14 @@ public class JettySSLService implements SSLService {
     }
     sslContextFactory.setNeedClientAuth( clientAuthNeeded );
     sslContextFactory.setTrustAll( trustAllCerts );
-    if (sslExcludeProtocols != null) {
-      sslContextFactory.setExcludeProtocols((String[]) sslExcludeProtocols.toArray());
+    if (sslIncludeCiphers != null && !sslIncludeCiphers.isEmpty()) {
+      sslContextFactory.setIncludeCipherSuites( sslIncludeCiphers.toArray(new String[sslIncludeCiphers.size()])
);
+    }
+    if (sslExcludeCiphers != null && !sslExcludeCiphers.isEmpty()) {
+      sslContextFactory.setExcludeCipherSuites( sslExcludeCiphers.toArray(new String[sslExcludeCiphers.size()])
);
+    }
+    if (sslExcludeProtocols != null && !sslExcludeProtocols.isEmpty()) {
+      sslContextFactory.setExcludeProtocols( sslExcludeProtocols.toArray(new String[sslExcludeProtocols.size()])
);
     }
     SslConnector sslConnector = new SslSelectChannelConnector( sslContextFactory );
 
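Review bot: The suite names read from ssl.include.ciphers / ssl.exclude.ciphers are handed straight to `setIncludeCipherSuites` / `setExcludeCipherSuites` with no feedback, so a misspelled or JVM-unsupported name only surfaces later as failed TLS handshakes rather than at startup. Logging the effective include, exclude and exclude-protocol lists at this point, via the GatewayMessages type this class already imports, would make such a misconfiguration visible when the connector is built. Note also that `setExcludeCipherSuites` replaces whatever exclusion list the factory held before the call rather than adding to it; if the Jetty version in use ships default exclusions, an operator-supplied list silently drops them, which deserves a comment here or in the property documentation — I cannot confirm the factory defaults from this hunk. The enclosing method begins before the hunk.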

http://git-wip-us.apache.org/repos/asf/knox/blob/3f5670db/gateway-server/src/test/java/org/apache/hadoop/gateway/config/impl/GatewayConfigImplTest.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/test/java/org/apache/hadoop/gateway/config/impl/GatewayConfigImplTest.java
b/gateway-server/src/test/java/org/apache/hadoop/gateway/config/impl/GatewayConfigImplTest.java
index 8b94b56..22e4503 100644
--- a/gateway-server/src/test/java/org/apache/hadoop/gateway/config/impl/GatewayConfigImplTest.java
+++ b/gateway-server/src/test/java/org/apache/hadoop/gateway/config/impl/GatewayConfigImplTest.java
@@ -1,10 +1,14 @@
 package org.apache.hadoop.gateway.config.impl;
 
+import java.util.List;
+
 import org.apache.hadoop.test.TestUtils;
 import org.junit.Test;
 
 import static org.hamcrest.CoreMatchers.is;
 import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.hasItems;
+import static org.hamcrest.Matchers.nullValue;
 
 /**
  * Licensed to the Apache Software Foundation (ASF) under one
@@ -93,4 +97,58 @@ public class GatewayConfigImplTest {
   }
 
 
+  @Test
+  public void testSSLCiphers() {
+    GatewayConfigImpl config = new GatewayConfigImpl();
+    List<String> list;
+
+    list = config.getIncludedSSLCiphers();
+    assertThat( list, is(nullValue()) );
+
+    config.set( "ssl.include.ciphers", "none" );
+    assertThat( config.getIncludedSSLCiphers(), is(nullValue()) );
+
+    config.set( "ssl.include.ciphers", "" );
+    assertThat( config.getIncludedSSLCiphers(), is(nullValue()) );
+
+    config.set( "ssl.include.ciphers", "ONE" );
+    assertThat( config.getIncludedSSLCiphers(), is(hasItems("ONE")) );
+
+    config.set( "ssl.include.ciphers", " ONE " );
+    assertThat( config.getIncludedSSLCiphers(), is(hasItems("ONE")) );
+
+    config.set( "ssl.include.ciphers", "ONE,TWO" );
+    assertThat( config.getIncludedSSLCiphers(), is(hasItems("ONE","TWO")) );
+
+    config.set( "ssl.include.ciphers", "ONE,TWO,THREE" );
+    assertThat( config.getIncludedSSLCiphers(), is(hasItems("ONE","TWO","THREE")) );
+
+    config.set( "ssl.include.ciphers", " ONE , TWO , THREE " );
+    assertThat( config.getIncludedSSLCiphers(), is(hasItems("ONE","TWO","THREE")) );
+
+    list = config.getExcludedSSLCiphers();
+    assertThat( list, is(nullValue()) );
+
+    config.set( "ssl.exclude.ciphers", "none" );
+    assertThat( config.getExcludedSSLCiphers(), is(nullValue()) );
+
+    config.set( "ssl.exclude.ciphers", "" );
+    assertThat( config.getExcludedSSLCiphers(), is(nullValue()) );
+
+    config.set( "ssl.exclude.ciphers", "ONE" );
+    assertThat( config.getExcludedSSLCiphers(), is(hasItems("ONE")) );
+
+    config.set( "ssl.exclude.ciphers", " ONE " );
+    assertThat( config.getExcludedSSLCiphers(), is(hasItems("ONE")) );
+
+    config.set( "ssl.exclude.ciphers", "ONE,TWO" );
+    assertThat( config.getExcludedSSLCiphers(), is(hasItems("ONE","TWO")) );
+
+    config.set( "ssl.exclude.ciphers", "ONE,TWO,THREE" );
+    assertThat( config.getExcludedSSLCiphers(), is(hasItems("ONE","TWO","THREE")) );
+
+    config.set( "ssl.exclude.ciphers", " ONE , TWO , THREE " );
+    assertThat( config.getExcludedSSLCiphers(), is(hasItems("ONE","TWO","THREE")) );
+  }
+
 }
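Review bot: `hasItems` in testSSLCiphers only checks that the expected entries are present, so it would not detect surplus elements such as an empty string produced by a trailing comma or a whitespace-only value; `assertThat( config.getIncludedSSLCiphers(), contains("ONE","TWO","THREE") );` (hamcrest's order- and size-sensitive matcher) or `is(Arrays.asList("ONE","TWO","THREE"))` pins the exact list. The inputs `" "` and `"ONE,"` are not exercised at all, and since an empty pattern reaching the connector's cipher configuration could leave it with no usable suites, they are worth adding as cases. Both the include and exclude halves of the test have the same gap.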

http://git-wip-us.apache.org/repos/asf/knox/blob/3f5670db/gateway-spi/src/main/java/org/apache/hadoop/gateway/config/GatewayConfig.java
----------------------------------------------------------------------
diff --git a/gateway-spi/src/main/java/org/apache/hadoop/gateway/config/GatewayConfig.java
b/gateway-spi/src/main/java/org/apache/hadoop/gateway/config/GatewayConfig.java
index 475649d..91bd64c 100644
--- a/gateway-spi/src/main/java/org/apache/hadoop/gateway/config/GatewayConfig.java
+++ b/gateway-spi/src/main/java/org/apache/hadoop/gateway/config/GatewayConfig.java
@@ -85,6 +85,10 @@ public interface GatewayConfig {
   
   List<String> getExcludedSSLProtocols();
 
+  List<String> getIncludedSSLCiphers();
+
+  List<String> getExcludedSSLCiphers();
+
   boolean isHadoopKerberosSecured();
 
   String getKerberosConfig();
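Review bot: The two new interface methods carry no Javadoc, and the contract that matters to implementers — that a `null` return means "not configured" and leaves the connector's cipher selection untouched, whereas a non-empty list overrides it — is only discoverable by reading GatewayConfigImpl and JettySSLService. A short Javadoc on each, e.g. `/** Cipher suites to enable on the SSL connector, or {@code null} when ssl.include.ciphers is unset, empty or "none". */` and the matching text for ssl.exclude.ciphers, would make that explicit at the SPI boundary. `getExcludedSSLProtocols` above is undocumented as well, but that predates this change.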

http://git-wip-us.apache.org/repos/asf/knox/blob/3f5670db/gateway-test-release/webhdfs-kerb-test/src/test/java/org/apache/hadoop/gateway/GatewayTestConfig.java
----------------------------------------------------------------------
diff --git a/gateway-test-release/webhdfs-kerb-test/src/test/java/org/apache/hadoop/gateway/GatewayTestConfig.java
b/gateway-test-release/webhdfs-kerb-test/src/test/java/org/apache/hadoop/gateway/GatewayTestConfig.java
index 950952c..03ce5dc 100644
--- a/gateway-test-release/webhdfs-kerb-test/src/test/java/org/apache/hadoop/gateway/GatewayTestConfig.java
+++ b/gateway-test-release/webhdfs-kerb-test/src/test/java/org/apache/hadoop/gateway/GatewayTestConfig.java
@@ -189,6 +189,16 @@ public class GatewayTestConfig extends Configuration implements GatewayConfig
{
     return protocols;
   }
 
+  @Override
+  public List getIncludedSSLCiphers() {
+    return null;
+  }
+
+  @Override
+  public List getExcludedSSLCiphers() {
+    return null;
+  }
+
   public void setFrontendUrl( String frontendUrl ) {
     this.frontendUrl = frontendUrl;
   }
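Review bot: Both stubs declare the raw type `List` while the interface they override returns `List<String>`; the compiler accepts this only through an unchecked conversion and static analysis will flag it. `public List<String> getIncludedSSLCiphers()` and `public List<String> getExcludedSSLCiphers()` match the declaration. The same raw return type appears on the two methods added to the gateway-test copy of GatewayTestConfig.java later in this commit.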

http://git-wip-us.apache.org/repos/asf/knox/blob/3f5670db/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewaySslFuncTest.java
----------------------------------------------------------------------
diff --git a/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewaySslFuncTest.java
b/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewaySslFuncTest.java
new file mode 100644
index 0000000..b419231
--- /dev/null
+++ b/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewaySslFuncTest.java
@@ -0,0 +1,343 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway;
+
+import java.io.File;
+import java.io.IOException;
+import java.net.URL;
+import java.security.KeyManagementException;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.util.Arrays;
+import java.util.Enumeration;
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.Map;
+import java.util.Properties;
+import java.util.ServiceLoader;
+import java.util.UUID;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLHandshakeException;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
+import javax.xml.transform.stream.StreamSource;
+
+import com.jayway.restassured.RestAssured;
+import org.apache.commons.io.FileUtils;
+import org.apache.directory.server.protocol.shared.transport.TcpTransport;
+import org.apache.hadoop.gateway.security.ldap.SimpleLdapDirectoryServer;
+import org.apache.hadoop.gateway.services.DefaultGatewayServices;
+import org.apache.hadoop.gateway.services.GatewayServices;
+import org.apache.hadoop.gateway.services.ServiceLifecycleException;
+import org.apache.hadoop.gateway.services.topology.TopologyService;
+import org.apache.hadoop.test.TestUtils;
+import org.apache.hadoop.test.category.ReleaseTest;
+import org.apache.hadoop.test.mock.MockServer;
+import org.apache.http.HttpHost;
+import org.apache.http.auth.AuthScope;
+import org.apache.http.auth.UsernamePasswordCredentials;
+import org.apache.http.client.AuthCache;
+import org.apache.http.client.CredentialsProvider;
+import org.apache.http.client.methods.CloseableHttpResponse;
+import org.apache.http.client.methods.HttpGet;
+import org.apache.http.client.protocol.HttpClientContext;
+import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
+import org.apache.http.conn.ssl.X509HostnameVerifier;
+import org.apache.http.impl.auth.BasicScheme;
+import org.apache.http.impl.client.BasicAuthCache;
+import org.apache.http.impl.client.BasicCredentialsProvider;
+import org.apache.http.impl.client.CloseableHttpClient;
+import org.apache.http.impl.client.HttpClients;
+import org.apache.log4j.Appender;
+import org.hamcrest.MatcherAssert;
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import static com.jayway.restassured.config.ConnectionConfig.connectionConfig;
+import static com.jayway.restassured.config.RestAssuredConfig.newConfig;
+import static org.apache.hadoop.test.TestUtils.LOG_ENTER;
+import static org.apache.hadoop.test.TestUtils.LOG_EXIT;
+import static org.hamcrest.CoreMatchers.notNullValue;
+import static org.junit.Assert.assertThat;
+import static org.junit.Assert.fail;
+import static org.xmlmatchers.transform.XmlConverters.the;
+import static org.xmlmatchers.xpath.HasXPath.hasXPath;
+
+@Category( ReleaseTest.class )
+public class GatewaySslFuncTest {
+
+  private static Logger LOG = LoggerFactory.getLogger( GatewaySslFuncTest.class );
+  private static Class DAT = GatewaySslFuncTest.class;
+
+  private static Enumeration<Appender> appenders;
+  private static GatewayTestConfig config;
+  private static DefaultGatewayServices services;
+  private static GatewayServer gateway;
+  private static String gatewayScheme;
+  private static int gatewayPort;
+  private static String gatewayUrl;
+  private static SimpleLdapDirectoryServer ldap;
+  private static TcpTransport ldapTransport;
+  private static int ldapPort;
+  private static Properties params;
+  private static TopologyService topos;
+  private static MockServer mockWebHdfs;
+
+  @BeforeClass
+  public static void setupSuite() throws Exception {
+    LOG_ENTER();
+    RestAssured.config = newConfig().connectionConfig(connectionConfig().closeIdleConnectionsAfterEachResponse());
+    //appenders = NoOpAppender.setUp();
+    setupLdap();
+    setupGateway();
+    LOG_EXIT();
+  }
+
+  @AfterClass
+  public static void cleanupSuite() throws Exception {
+    LOG_ENTER();
+    gateway.stop();
+    ldap.stop( true );
+    FileUtils.deleteQuietly( new File( config.getGatewayHomeDir() ) );
+    //NoOpAppender.tearDown( appenders );
+    LOG_EXIT();
+  }
+
+  @After
+  public void cleanupTest() throws Exception {
+    FileUtils.cleanDirectory( new File( config.getGatewayTopologyDir() ) );
+    FileUtils.cleanDirectory( new File( config.getGatewayDeploymentDir() ) );
+  }
+
+  public static void setupLdap() throws Exception {
+    URL usersUrl = TestUtils.getResourceUrl( DAT, "users.ldif" );
+    ldapPort = TestUtils.findFreePort();
+    ldapTransport = new TcpTransport( ldapPort );
+    ldap = new SimpleLdapDirectoryServer( "dc=hadoop,dc=apache,dc=org", new File( usersUrl.toURI()
), ldapTransport );
+    ldap.start();
+    LOG.info( "LDAP port = " + ldapTransport.getPort() );
+  }
+
+  public static void setupGateway() throws Exception {
+
+    File targetDir = new File( System.getProperty( "user.dir" ), "target" );
+    File gatewayDir = new File( targetDir, "gateway-home-" + UUID.randomUUID() );
+    gatewayDir.mkdirs();
+
+    config = new GatewayTestConfig();
+    config.setGatewayHomeDir( gatewayDir.getAbsolutePath() );
+
+    File topoDir = new File( config.getGatewayTopologyDir() );
+    topoDir.mkdirs();
+
+    File deployDir = new File( config.getGatewayDeploymentDir() );
+    deployDir.mkdirs();
+
+    File securityDir = new File( config.getGatewaySecurityDir() );
+    securityDir.mkdirs();
+
+    config.setSSLEnabled( true );
+
+    setupMockServers();
+    startGatewayServer();
+  }
+
+  public static void setupMockServers() throws Exception {
+    mockWebHdfs = new MockServer( "WEBHDFS", true );
+  }
+
+  private static GatewayServices instantiateGatewayServices() {
+    ServiceLoader<GatewayServices> loader = ServiceLoader.load( GatewayServices.class
);
+    Iterator<GatewayServices> services = loader.iterator();
+    if (services.hasNext()) {
+      return services.next();
+    }
+    return null;
+  }
+
+  public static void startGatewayServer() throws Exception {
+    instantiateGatewayServices();
+    services = new DefaultGatewayServices();
+    Map<String,String> options = new HashMap<String,String>();
+    options.put( "persist-master", "false" );
+    options.put( "master", "password" );
+    try {
+      services.init( config, options );
+    } catch ( ServiceLifecycleException e ) {
+      e.printStackTrace(); // I18N not required.
+    }
+    topos = services.getService(GatewayServices.TOPOLOGY_SERVICE);
+
+    gateway = GatewayServer.startGateway( config, services );
+    MatcherAssert.assertThat( "Failed to start gateway.", gateway, notNullValue() );
+
+    gatewayScheme = config.isSSLEnabled() ? "https" : "http";
+    gatewayPort = gateway.getAddresses()[0].getPort();
+    gatewayUrl = gatewayScheme + "://localhost:" + gatewayPort + "/" + config.getGatewayPath();
+
+    LOG.info( "Gateway port = " + gateway.getAddresses()[ 0 ].getPort() );
+
+    params = new Properties();
+    params.put( "LDAP_URL", "ldap://localhost:" + ldapTransport.getPort() );
+    params.put( "WEBHDFS_URL", "http://localhost:" + mockWebHdfs.getPort() );
+  }
+
+  @Test( timeout = TestUtils.MEDIUM_TIMEOUT )
+  public void testKnox674SslCipherSuiteConfig() throws Exception {
+    LOG_ENTER();
+
+    String topoStr = TestUtils.merge( DAT, "test-admin-topology.xml", params );
+    File topoFile = new File( config.getGatewayTopologyDir(), "test-topology.xml" );
+    FileUtils.writeStringToFile( topoFile, topoStr );
+
+    topos.reloadTopologies();
+
+    String username = "guest";
+    String password = "guest-password";
+    String serviceUrl = gatewayUrl + "/test-topology/api/v1/version";
+
+    HttpHost targetHost = new HttpHost( "localhost", gatewayPort, gatewayScheme );
+    CredentialsProvider credsProvider = new BasicCredentialsProvider();
+    credsProvider.setCredentials(
+        new AuthScope( targetHost.getHostName(), targetHost.getPort() ),
+        new UsernamePasswordCredentials( username, password ) );
+
+    AuthCache authCache = new BasicAuthCache();
+    BasicScheme basicAuth = new BasicScheme();
+    authCache.put( targetHost, basicAuth );
+
+    HttpClientContext context = HttpClientContext.create();
+    context.setCredentialsProvider( credsProvider );
+    context.setAuthCache( authCache );
+
+    CloseableHttpClient client = HttpClients.custom()
+        .setHostnameVerifier( new TrustAllHosts() )
+        .setSslcontext( createInsecureSslContext() )
+        .setSSLSocketFactory(
+            new SSLConnectionSocketFactory(
+                createInsecureSslContext(),
+                new String[]{"TLSv1.2"},
+                new String[]{"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"},
+
+                new TrustAllHosts() ) )
+        .build();
+    HttpGet request = new HttpGet( serviceUrl );
+    CloseableHttpResponse response = client.execute( request, context );
+    assertThat( the( new StreamSource( response.getEntity().getContent() ) ), hasXPath( "/ServerVersion/version"
) );
+    response.close();
+    client.close();
+
+    gateway.stop();
+    config.setExcludedSSLCiphers( Arrays.asList( new String[]{ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
} ) );
+    config.setIncludedSSLCiphers( Arrays.asList( new String[]{ "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"
} ) );
+
+    startGatewayServer();
+    serviceUrl = gatewayUrl + "/test-topology/api/v1/version";
+
+    try {
+      client = HttpClients.custom()
+          .setHostnameVerifier( new TrustAllHosts() )
+          .setSslcontext( createInsecureSslContext() )
+          .setSSLSocketFactory(
+              new SSLConnectionSocketFactory(
+                  createInsecureSslContext(),
+                  new String[]{ "TLSv1.2" },
+                  new String[]{ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" },
+                  new TrustAllHosts() ) ).build();
+      request = new HttpGet( serviceUrl );
+      client.execute( request, context );
+      fail( "Expected SSLHandshakeException" );
+    } catch ( SSLHandshakeException e ) {
+      // Expected.
+      client.close();
+    }
+
+    client = HttpClients.custom()
+        .setHostnameVerifier( new TrustAllHosts() )
+        .setSslcontext( createInsecureSslContext() )
+        .setSSLSocketFactory(
+            new SSLConnectionSocketFactory(
+                createInsecureSslContext(),
+                new String[]{ "TLSv1.2" },
+                new String[]{ "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" },
+                new TrustAllHosts() ) ).build();
+    request = new HttpGet( serviceUrl );
+    response = client.execute( request, context );
+    assertThat( the( new StreamSource( response.getEntity().getContent() ) ), hasXPath( "/ServerVersion/version"
) );
+    response.close();
+    client.close();
+
+    LOG_EXIT();
+  }
+
+  public static class TrustAllHosts implements X509HostnameVerifier {
+    @Override
+    public void verify( String host, SSLSocket ssl ) throws IOException {
+      // Trust all hostnames.
+    }
+
+    @Override
+    public void verify( String host, X509Certificate cert ) throws SSLException {
+      // Trust all hostnames.
+    }
+
+    @Override
+    public void verify( String host, String[] cns, String[] subjectAlts ) throws SSLException
{
+      // Trust all hostnames.
+    }
+
+    @Override
+    public boolean verify( String host, SSLSession sslSession ) {
+      // Trust all hostnames.
+      return false;
+    }
+  }
+
+  public static class TrustAllCerts implements X509TrustManager {
+
+    public void checkClientTrusted( X509Certificate[] x509Certificates, String s ) throws
CertificateException {
+      // Trust all certificates.
+    }
+
+    public void checkServerTrusted( X509Certificate[] x509Certificates, String s ) throws
CertificateException {
+      // Trust all certificates.
+    }
+
+    public X509Certificate[] getAcceptedIssuers() {
+      return null;
+    }
+
+  }
+
+  public static SSLContext createInsecureSslContext() throws NoSuchAlgorithmException, KeyManagementException
{
+    SSLContext sslContext = SSLContext.getInstance( "SSL" );
+    sslContext.init( null, new TrustManager[]{ new TrustAllCerts() }, new SecureRandom()
);
+    return sslContext;
+  }
+
+}
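Review bot: `TrustAllCerts.getAcceptedIssuers` returns `null`, which breaks the X509TrustManager contract (the array may be empty but must not be null) and may NPE in code that iterates over it; `return new X509Certificate[0];` is the conventional form. `TrustAllHosts.verify(String, SSLSession)` returns `false` while its three sibling overloads accept everything, so which HttpClient path is taken decides whether hostname verification passes — `return true;` makes the helper consistent with its name. In testKnox674SslCipherSuiteConfig the `CloseableHttpClient` and `CloseableHttpResponse` are closed only on the happy path and `createInsecureSslContext()` is built twice per client (once for `setSslcontext`, once for the socket factory); try-with-resources and a single context would tidy that. In startGatewayServer a `ServiceLifecycleException` from `services.init` is printed and execution continues, so a broken service setup would surface as a confusing later failure rather than at the point of error.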

http://git-wip-us.apache.org/repos/asf/knox/blob/3f5670db/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayTestConfig.java
----------------------------------------------------------------------
diff --git a/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayTestConfig.java b/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayTestConfig.java
index 29e8a15..1d97a54 100644
--- a/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayTestConfig.java
+++ b/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayTestConfig.java
@@ -41,6 +41,11 @@ public class GatewayTestConfig extends Configuration implements GatewayConfig
{
   private String gatewayApplicationsDir = null;
   private String gatewayServicesDir;
   private String defaultTopologyName = "default";
+  private List<String> includedSSLCiphers = null;
+  private List<String> excludedSSLCiphers = null;
+  private boolean sslEnabled = false;
+  private String truststoreType = "jks";
+  private String keystoreType = "jks";
 
   public void setGatewayHomeDir( String gatewayHomeDir ) {
     this.gatewayHomeDir = gatewayHomeDir;
@@ -122,8 +127,11 @@ public class GatewayTestConfig extends Configuration implements GatewayConfig
{
 
   @Override
   public boolean isSSLEnabled() {
-    // TODO Auto-generated method stub
-    return false;
+    return sslEnabled;
+  }
+
+  public void setSSLEnabled( boolean sslEnabled ) {
+    this.sslEnabled = sslEnabled;
   }
 
   @Override
@@ -182,6 +190,10 @@ public class GatewayTestConfig extends Configuration implements GatewayConfig
{
   @Override
   public String getFrontendUrl() { return frontendUrl; }
 
+  public void setFrontendUrl( String frontendUrl ) {
+    this.frontendUrl = frontendUrl;
+  }
+
   /* (non-Javadoc)
    * @see org.apache.hadoop.gateway.config.GatewayConfig#getExcludedSSLProtocols()
    */
@@ -192,8 +204,22 @@ public class GatewayTestConfig extends Configuration implements GatewayConfig
{
     return protocols;
   }
 
-  public void setFrontendUrl( String frontendUrl ) {
-    this.frontendUrl = frontendUrl;
+  @Override
+  public List getIncludedSSLCiphers() {
+    return includedSSLCiphers;
+  }
+
+  public void setIncludedSSLCiphers( List<String> list ) {
+    includedSSLCiphers = list;
+  }
+
+  @Override
+  public List getExcludedSSLCiphers() {
+    return excludedSSLCiphers;
+  }
+
+  public void setExcludedSSLCiphers( List<String> list ) {
+    excludedSSLCiphers = list;
   }
 
   /* (non-Javadoc)
@@ -228,25 +254,31 @@ public class GatewayTestConfig extends Configuration implements GatewayConfig
{
    */
   @Override
   public String getTruststoreType() {
-    // TODO Auto-generated method stub
-    return null;
+    return truststoreType;
   }
-  
+
+  public void setTruststoreType( String truststoreType ) {
+    this.truststoreType = truststoreType;
+  }
+
   /* (non-Javadoc)
    * @see org.apache.hadoop.gateway.config.GatewayConfig#getKeystoreType()
    */
   @Override
   public String getKeystoreType() {
-    // TODO Auto-generated method stub
-    return null;
+    return keystoreType;
+  }
+
+  public void setKeystoreType( String keystoreType ) {
+    this.keystoreType = keystoreType;
   }
 
 //  public void setKerberosLoginConfig(String kerberosLoginConfig) {
 //   this.kerberosLoginConfig = kerberosLoginConfig;
 //  }
 
-  @Override
-  public String getGatewayServicesDir() {
+   @Override
+   public String getGatewayServicesDir() {
     if( gatewayServicesDir != null ) {
       return gatewayServicesDir;
     } else {
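Review bot: The `@Override` and signature of getGatewayServicesDir are re-indented from two to three spaces with no other change, and the closing brace of setGatewayApplicationsDir in the following hunk gets the same treatment; these whitespace-only edits leave the file inconsistent with itself and add noise to blame. Restoring `  @Override` / `  public String getGatewayServicesDir() {` (and `  }` in the later hunk) keeps the diff to the intended content. The body of getGatewayServicesDir continues past the end of this hunk.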
@@ -269,7 +301,7 @@ public class GatewayTestConfig extends Configuration implements GatewayConfig
{
 
   public void setGatewayApplicationsDir( String gatewayApplicationsDir ) {
     this.gatewayApplicationsDir = gatewayApplicationsDir;
-  }
+   }
 
   @Override
   public boolean isXForwardedEnabled() {

http://git-wip-us.apache.org/repos/asf/knox/blob/3f5670db/gateway-test/src/test/resources/org/apache/hadoop/gateway/GatewaySslFuncTest/test-admin-topology.xml
----------------------------------------------------------------------
diff --git a/gateway-test/src/test/resources/org/apache/hadoop/gateway/GatewaySslFuncTest/test-admin-topology.xml
b/gateway-test/src/test/resources/org/apache/hadoop/gateway/GatewaySslFuncTest/test-admin-topology.xml
new file mode 100644
index 0000000..745f8d2
--- /dev/null
+++ b/gateway-test/src/test/resources/org/apache/hadoop/gateway/GatewaySslFuncTest/test-admin-topology.xml
@@ -0,0 +1,53 @@
+<!--
+   Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+-->
+<topology>
+    <gateway>
+        <provider>
+            <role>authentication</role>
+            <name>ShiroProvider</name>
+            <enabled>true</enabled>
+            <param>
+                <name>main.ldapRealm</name>
+                <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
+            </param>
+            <param>
+                <name>main.ldapRealm.userDnTemplate</name>
+                <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
+            </param>
+            <param>
+                <name>main.ldapRealm.contextFactory.url</name>
+                <value>$LDAP_URL</value>
+            </param>
+            <param>
+                <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
+                <value>simple</value>
+            </param>
+            <param>
+                <name>urls./**</name>
+                <value>authcBasic</value>
+            </param>
+        </provider>
+        <provider>
+            <role>identity-assertion</role>
+            <name>Default</name>
+            <enabled>true</enabled>
+        </provider>
+    </gateway>
+    <service>
+        <role>KNOX</role>
+    </service>
+</topology>

http://git-wip-us.apache.org/repos/asf/knox/blob/3f5670db/gateway-test/src/test/resources/org/apache/hadoop/gateway/GatewaySslFuncTest/users.ldif
----------------------------------------------------------------------
diff --git a/gateway-test/src/test/resources/org/apache/hadoop/gateway/GatewaySslFuncTest/users.ldif
b/gateway-test/src/test/resources/org/apache/hadoop/gateway/GatewaySslFuncTest/users.ldif
new file mode 100644
index 0000000..b982cb3
--- /dev/null
+++ b/gateway-test/src/test/resources/org/apache/hadoop/gateway/GatewaySslFuncTest/users.ldif
@@ -0,0 +1,42 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+version: 1
+
+dn: dc=hadoop,dc=apache,dc=org
+objectclass: organization
+objectclass: dcObject
+o: Hadoop
+dc: hadoop
+
+# entry for a sample people container
+# please replace with site specific values
+dn: ou=people,dc=hadoop,dc=apache,dc=org
+objectclass:top
+objectclass:organizationalUnit
+ou: people
+
+# entry for a sample end user
+# please replace with site specific values
+dn: uid=guest,ou=people,dc=hadoop,dc=apache,dc=org
+objectclass:top
+objectclass:person
+objectclass:organizationalPerson
+objectclass:inetOrgPerson
+cn: Guest
+sn: User
+uid: guest
+userPassword:guest-password
\ No newline at end of file

