/// <exception cref="System.Exception"/>
public virtual void CheckPermissionRetention(Configuration conf, string ourUrl, Path
path)
{
KeyProvider provider = KeyProviderFactory.GetProviders(conf)[0];
// let's add a new key and flush and check that permissions are still set to 777
byte[] key = new byte[16];
for (int i = 0; i < key.Length; ++i)
{
key[i] = unchecked ((byte)i);
}
// create a new key
try
{
provider.CreateKey("key5", key, KeyProvider.Options(conf));
}
catch (Exception e)
{
Runtime.PrintStackTrace(e);
throw;
}
provider.Flush();
// get a new instance of the provider to ensure it was saved correctly
provider = KeyProviderFactory.GetProviders(conf)[0];
Assert.AssertArrayEquals(key, provider.GetCurrentKey("key5").GetMaterial());
FileSystem fs = path.GetFileSystem(conf);
FileStatus s = fs.GetFileStatus(path);
Assert.True("Permissions should have been retained from the preexisting keystore."
, s.GetPermission().ToString().Equals("rwxrwxrwx"));
}
public virtual void TestOptions()
{
Configuration conf = new Configuration();
conf.Set(KeyProvider.DefaultCipherName, "myCipher");
conf.SetInt(KeyProvider.DefaultBitlengthName, 512);
IDictionary <string, string> attributes = new Dictionary <string, string>();
attributes["a"] = "A";
KeyProvider.Options options = KeyProvider.Options(conf);
Assert.Equal("myCipher", options.GetCipher());
Assert.Equal(512, options.GetBitLength());
options.SetCipher("yourCipher");
options.SetDescription("description");
options.SetAttributes(attributes);
options.SetBitLength(128);
Assert.Equal("yourCipher", options.GetCipher());
Assert.Equal(128, options.GetBitLength());
Assert.Equal("description", options.GetDescription());
Assert.Equal(attributes, options.GetAttributes());
options = KeyProvider.Options(new Configuration());
Assert.Equal(KeyProvider.DefaultCipher, options.GetCipher());
Assert.Equal(KeyProvider.DefaultBitlength, options.GetBitLength
());
}
public virtual void TestJksProviderPasswordViaConfig()
{
Configuration conf = new Configuration();
Path jksPath = new Path(testRootDir.ToString(), "test.jks");
string ourUrl = JavaKeyStoreProvider.SchemeName + "://file" + jksPath.ToUri();
FilePath file = new FilePath(testRootDir, "test.jks");
file.Delete();
try
{
conf.Set(KeyProviderFactory.KeyProviderPath, ourUrl);
conf.Set(JavaKeyStoreProvider.KeystorePasswordFileKey, "javakeystoreprovider.password"
);
KeyProvider provider = KeyProviderFactory.GetProviders(conf)[0];
provider.CreateKey("key3", new byte[16], KeyProvider.Options(conf));
provider.Flush();
}
catch (Exception)
{
NUnit.Framework.Assert.Fail("could not create keystore with password file");
}
KeyProvider provider_1 = KeyProviderFactory.GetProviders(conf)[0];
NUnit.Framework.Assert.IsNotNull(provider_1.GetCurrentKey("key3"));
try
{
conf.Set(JavaKeyStoreProvider.KeystorePasswordFileKey, "bar");
KeyProviderFactory.GetProviders(conf)[0];
NUnit.Framework.Assert.Fail("using non existing password file, it should fail");
}
catch (IOException)
{
}
//NOP
try
{
conf.Set(JavaKeyStoreProvider.KeystorePasswordFileKey, "core-site.xml");
KeyProviderFactory.GetProviders(conf)[0];
NUnit.Framework.Assert.Fail("using different password file, it should fail");
}
catch (IOException)
{
}
//NOP
try
{
conf.Unset(JavaKeyStoreProvider.KeystorePasswordFileKey);
KeyProviderFactory.GetProviders(conf)[0];
NUnit.Framework.Assert.Fail("No password file property, env not set, it should fail"
);
}
catch (IOException)
{
}
}
/// <exception cref="System.Exception"/>
internal static void CheckSpecificProvider(Configuration conf, string ourUrl)
{
KeyProvider provider = KeyProviderFactory.GetProviders(conf)[0];
byte[] key1 = new byte[16];
byte[] key2 = new byte[16];
byte[] key3 = new byte[16];
for (int i = 0; i < key1.Length; ++i)
{
key1[i] = unchecked ((byte)i);
key2[i] = unchecked ((byte)(i * 2));
key3[i] = unchecked ((byte)(i * 3));
}
// ensure that we get nulls when the key isn't there
Assert.Equal(null, provider.GetKeyVersion("no-such-key"));
Assert.Equal(null, provider.GetMetadata("key"));
// create a new key
try
{
provider.CreateKey("key3", key3, KeyProvider.Options(conf));
}
catch (Exception e)
{
Runtime.PrintStackTrace(e);
throw;
}
// check the metadata for key3
KeyProvider.Metadata meta = provider.GetMetadata("key3");
Assert.Equal(KeyProvider.DefaultCipher, meta.GetCipher());
Assert.Equal(KeyProvider.DefaultBitlength, meta.GetBitLength()
);
Assert.Equal(1, meta.GetVersions());
// make sure we get back the right key
Assert.AssertArrayEquals(key3, provider.GetCurrentKey("key3").GetMaterial());
Assert.Equal("key3@0", provider.GetCurrentKey("key3").GetVersionName
());
// try recreating key3
try
{
provider.CreateKey("key3", key3, KeyProvider.Options(conf));
Assert.True("should throw", false);
}
catch (IOException e)
{
Assert.Equal("Key key3 already exists in " + ourUrl, e.Message
);
}
provider.DeleteKey("key3");
try
{
provider.DeleteKey("key3");
Assert.True("should throw", false);
}
catch (IOException e)
{
Assert.Equal("Key key3 does not exist in " + ourUrl, e.Message
);
}
provider.CreateKey("key3", key3, KeyProvider.Options(conf));
try
{
provider.CreateKey("key4", key3, KeyProvider.Options(conf).SetBitLength(8));
Assert.True("should throw", false);
}
catch (IOException e)
{
Assert.Equal("Wrong key length. Required 8, but got 128", e.Message
);
}
provider.CreateKey("key4", new byte[] { 1 }, KeyProvider.Options(conf).SetBitLength
(8));
provider.RollNewVersion("key4", new byte[] { 2 });
meta = provider.GetMetadata("key4");
Assert.Equal(2, meta.GetVersions());
Assert.AssertArrayEquals(new byte[] { 2 }, provider.GetCurrentKey("key4").GetMaterial
());
Assert.AssertArrayEquals(new byte[] { 1 }, provider.GetKeyVersion("key4@0").GetMaterial
());
Assert.Equal("key4@1", provider.GetCurrentKey("key4").GetVersionName
());
try
{
provider.RollNewVersion("key4", key1);
Assert.True("should throw", false);
}
catch (IOException e)
{
Assert.Equal("Wrong key length. Required 8, but got 128", e.Message
);
}
try
{
provider.RollNewVersion("no-such-key", key1);
Assert.True("should throw", false);
}
catch (IOException e)
{
Assert.Equal("Key no-such-key not found", e.Message);
}
provider.Flush();
// get a new instance of the provider to ensure it was saved correctly
provider = KeyProviderFactory.GetProviders(conf)[0];
Assert.AssertArrayEquals(new byte[] { 2 }, provider.GetCurrentKey("key4").GetMaterial
());
Assert.AssertArrayEquals(key3, provider.GetCurrentKey("key3").GetMaterial());
Assert.Equal("key3@0", provider.GetCurrentKey("key3").GetVersionName
());
IList <string> keys = provider.GetKeys();
Assert.True("Keys should have been returned.", keys.Count == 2);
Assert.True("Returned Keys should have included key3.", keys.Contains
("key3"));
Assert.True("Returned Keys should have included key4.", keys.Contains
("key4"));
IList <KeyProvider.KeyVersion> kvl = provider.GetKeyVersions("key3");
Assert.True("KeyVersions should have been returned for key3.",
kvl.Count == 1);
Assert.True("KeyVersions should have included key3@0.", kvl[0].
GetVersionName().Equals("key3@0"));
Assert.AssertArrayEquals(key3, kvl[0].GetMaterial());
}
public virtual void TestJksProvider()
{
Configuration conf = new Configuration();
Path jksPath = new Path(testRootDir.ToString(), "test.jks");
string ourUrl = JavaKeyStoreProvider.SchemeName + "://file" + jksPath.ToUri();
FilePath file = new FilePath(testRootDir, "test.jks");
file.Delete();
conf.Set(KeyProviderFactory.KeyProviderPath, ourUrl);
CheckSpecificProvider(conf, ourUrl);
// START : Test flush error by failure injection
conf.Set(KeyProviderFactory.KeyProviderPath, ourUrl.Replace(JavaKeyStoreProvider.
SchemeName, FailureInjectingJavaKeyStoreProvider.SchemeName));
// get a new instance of the provider to ensure it was saved correctly
KeyProvider provider = KeyProviderFactory.GetProviders(conf)[0];
// inject failure during keystore write
FailureInjectingJavaKeyStoreProvider fProvider = (FailureInjectingJavaKeyStoreProvider
)provider;
fProvider.SetWriteFail(true);
provider.CreateKey("key5", new byte[] { 1 }, KeyProvider.Options(conf).SetBitLength
(8));
NUnit.Framework.Assert.IsNotNull(provider.GetCurrentKey("key5"));
try
{
provider.Flush();
NUnit.Framework.Assert.Fail("Should not succeed");
}
catch (Exception)
{
}
// Ignore
// SHould be reset to pre-flush state
NUnit.Framework.Assert.IsNull(provider.GetCurrentKey("key5"));
// Un-inject last failure and
// inject failure during keystore backup
fProvider.SetWriteFail(false);
fProvider.SetBackupFail(true);
provider.CreateKey("key6", new byte[] { 1 }, KeyProvider.Options(conf).SetBitLength
(8));
NUnit.Framework.Assert.IsNotNull(provider.GetCurrentKey("key6"));
try
{
provider.Flush();
NUnit.Framework.Assert.Fail("Should not succeed");
}
catch (Exception)
{
}
// Ignore
// SHould be reset to pre-flush state
NUnit.Framework.Assert.IsNull(provider.GetCurrentKey("key6"));
// END : Test flush error by failure injection
conf.Set(KeyProviderFactory.KeyProviderPath, ourUrl.Replace(FailureInjectingJavaKeyStoreProvider
.SchemeName, JavaKeyStoreProvider.SchemeName));
Path path = ProviderUtils.UnnestUri(new URI(ourUrl));
FileSystem fs = path.GetFileSystem(conf);
FileStatus s = fs.GetFileStatus(path);
Assert.True(s.GetPermission().ToString().Equals("rwx------"));
Assert.True(file + " should exist", file.IsFile());
// Corrupt file and Check if JKS can reload from _OLD file
FilePath oldFile = new FilePath(file.GetPath() + "_OLD");
file.RenameTo(oldFile);
file.Delete();
file.CreateNewFile();
Assert.True(oldFile.Exists());
provider = KeyProviderFactory.GetProviders(conf)[0];
Assert.True(file.Exists());
Assert.True(oldFile + "should be deleted", !oldFile.Exists());
VerifyAfterReload(file, provider);
Assert.True(!oldFile.Exists());
// _NEW and current file should not exist together
FilePath newFile = new FilePath(file.GetPath() + "_NEW");
newFile.CreateNewFile();
try
{
provider = KeyProviderFactory.GetProviders(conf)[0];
NUnit.Framework.Assert.Fail("_NEW and current file should not exist together !!");
}
catch (Exception)
{
}
finally
{
// Ignore
if (newFile.Exists())
{
newFile.Delete();
}
}
// Load from _NEW file
file.RenameTo(newFile);
file.Delete();
try
{
provider = KeyProviderFactory.GetProviders(conf)[0];
NUnit.Framework.Assert.IsFalse(newFile.Exists());
NUnit.Framework.Assert.IsFalse(oldFile.Exists());
}
catch (Exception)
{
NUnit.Framework.Assert.Fail("JKS should load from _NEW file !!");
}
// Ignore
VerifyAfterReload(file, provider);
// _NEW exists but corrupt.. must load from _OLD
newFile.CreateNewFile();
file.RenameTo(oldFile);
file.Delete();
try
{
provider = KeyProviderFactory.GetProviders(conf)[0];
NUnit.Framework.Assert.IsFalse(newFile.Exists());
NUnit.Framework.Assert.IsFalse(oldFile.Exists());
}
catch (Exception)
{
NUnit.Framework.Assert.Fail("JKS should load from _OLD file !!");
}
finally
{
// Ignore
if (newFile.Exists())
{
newFile.Delete();
}
}
VerifyAfterReload(file, provider);
// check permission retention after explicit change
fs.SetPermission(path, new FsPermission("777"));
CheckPermissionRetention(conf, ourUrl, path);
// Check that an uppercase keyname results in an error
provider = KeyProviderFactory.GetProviders(conf)[0];
try
{
provider.CreateKey("UPPERCASE", KeyProvider.Options(conf));
NUnit.Framework.Assert.Fail("Expected failure on creating key name with uppercase "
+ "characters");
}
catch (ArgumentException e)
{
GenericTestUtils.AssertExceptionContains("Uppercase key names", e);
}
}
/// <summary>
/// Parse the command line arguments and initialize the data
/// <pre>
/// % hadoop key create keyName [-size size] [-cipher algorithm]
/// [-provider providerPath]
/// % hadoop key roll keyName [-provider providerPath]
/// % hadoop key list [-provider providerPath]
/// % hadoop key delete keyName [-provider providerPath] [-i]
/// </pre>
/// </summary>
/// <param name="args">Command line arguments.</param>
/// <returns>0 on success, 1 on failure.</returns>
/// <exception cref="System.IO.IOException"/>
private int Init(string[] args)
{
KeyProvider.Options options = KeyProvider.Options(GetConf());
IDictionary <string, string> attributes = new Dictionary <string, string>();
for (int i = 0; i < args.Length; i++)
{
// parse command line
bool moreTokens = (i < args.Length - 1);
if (args[i].Equals("create"))
{
string keyName = "-help";
if (moreTokens)
{
keyName = args[++i];
}
command = new KeyShell.CreateCommand(this, keyName, options);
if ("-help".Equals(keyName))
{
PrintKeyShellUsage();
return(1);
}
}
else
{
if (args[i].Equals("delete"))
{
string keyName = "-help";
if (moreTokens)
{
keyName = args[++i];
}
command = new KeyShell.DeleteCommand(this, keyName);
if ("-help".Equals(keyName))
{
PrintKeyShellUsage();
return(1);
}
}
else
{
if (args[i].Equals("roll"))
{
string keyName = "-help";
if (moreTokens)
{
keyName = args[++i];
}
command = new KeyShell.RollCommand(this, keyName);
if ("-help".Equals(keyName))
{
PrintKeyShellUsage();
return(1);
}
}
else
{
if ("list".Equals(args[i]))
{
command = new KeyShell.ListCommand(this);
}
else
{
if ("-size".Equals(args[i]) && moreTokens)
{
options.SetBitLength(System.Convert.ToInt32(args[++i]));
}
else
{
if ("-cipher".Equals(args[i]) && moreTokens)
{
options.SetCipher(args[++i]);
}
else
{
if ("-description".Equals(args[i]) && moreTokens)
{
options.SetDescription(args[++i]);
}
else
{
if ("-attr".Equals(args[i]) && moreTokens)
{
string[] attrval = args[++i].Split("=", 2);
string attr = attrval[0].Trim();
string val = attrval[1].Trim();
if (attr.IsEmpty() || val.IsEmpty())
{
@out.WriteLine("\nAttributes must be in attribute=value form, " + "or quoted\nlike \"attribute = value\"\n"
);
PrintKeyShellUsage();
return(1);
}
if (attributes.Contains(attr))
{
@out.WriteLine("\nEach attribute must correspond to only one value:\n" + "atttribute \""
+ attr + "\" was repeated\n");
PrintKeyShellUsage();
return(1);
}
attributes[attr] = val;
}
else
{
if ("-provider".Equals(args[i]) && moreTokens)
{
userSuppliedProvider = true;
GetConf().Set(KeyProviderFactory.KeyProviderPath, args[++i]);
}
else
{
if ("-metadata".Equals(args[i]))
{
GetConf().SetBoolean(ListMetadata, true);
}
else
{
if ("-f".Equals(args[i]) || ("-force".Equals(args[i])))
{
interactive = false;
}
else
{
if ("-help".Equals(args[i]))
{
PrintKeyShellUsage();
return(1);
}
else
{
PrintKeyShellUsage();
ToolRunner.PrintGenericCommandUsage(System.Console.Error);
return(1);
}
}
}
}
}
}
}
}
}
}
}
}
}
if (command == null)
{
PrintKeyShellUsage();
return(1);
}
if (!attributes.IsEmpty())
{
options.SetAttributes(attributes);
}
return(0);
}
