/// <exception cref="System.Exception"/>
public virtual void CheckPermissionRetention(Configuration conf, string ourUrl, Path
path)
{
KeyProvider provider = KeyProviderFactory.GetProviders(conf)[0];
// let's add a new key and flush and check that permissions are still set to 777
byte[] key = new byte[16];
for (int i = 0; i < key.Length; ++i)
{
key[i] = unchecked ((byte)i);
}
// create a new key
try
{
provider.CreateKey("key5", key, KeyProvider.Options(conf));
}
catch (Exception e)
{
Runtime.PrintStackTrace(e);
throw;
}
provider.Flush();
// get a new instance of the provider to ensure it was saved correctly
provider = KeyProviderFactory.GetProviders(conf)[0];
Assert.AssertArrayEquals(key, provider.GetCurrentKey("key5").GetMaterial());
FileSystem fs = path.GetFileSystem(conf);
FileStatus s = fs.GetFileStatus(path);
Assert.True("Permissions should have been retained from the preexisting keystore."
, s.GetPermission().ToString().Equals("rwxrwxrwx"));
}
protected internal virtual KeyProvider GetKeyProvider()
{
KeyProvider provider = null;
IList <KeyProvider> providers;
try
{
providers = KeyProviderFactory.GetProviders(this._enclosing.GetConf());
if (this._enclosing.userSuppliedProvider)
{
provider = providers[0];
}
else
{
foreach (KeyProvider p in providers)
{
if (!p.IsTransient())
{
provider = p;
break;
}
}
}
}
catch (IOException e)
{
Runtime.PrintStackTrace(e, this._enclosing.err);
}
return(provider);
}
public virtual void TestJksProviderPasswordViaConfig()
{
Configuration conf = new Configuration();
Path jksPath = new Path(testRootDir.ToString(), "test.jks");
string ourUrl = JavaKeyStoreProvider.SchemeName + "://file" + jksPath.ToUri();
FilePath file = new FilePath(testRootDir, "test.jks");
file.Delete();
try
{
conf.Set(KeyProviderFactory.KeyProviderPath, ourUrl);
conf.Set(JavaKeyStoreProvider.KeystorePasswordFileKey, "javakeystoreprovider.password"
);
KeyProvider provider = KeyProviderFactory.GetProviders(conf)[0];
provider.CreateKey("key3", new byte[16], KeyProvider.Options(conf));
provider.Flush();
}
catch (Exception)
{
NUnit.Framework.Assert.Fail("could not create keystore with password file");
}
KeyProvider provider_1 = KeyProviderFactory.GetProviders(conf)[0];
NUnit.Framework.Assert.IsNotNull(provider_1.GetCurrentKey("key3"));
try
{
conf.Set(JavaKeyStoreProvider.KeystorePasswordFileKey, "bar");
KeyProviderFactory.GetProviders(conf)[0];
NUnit.Framework.Assert.Fail("using non existing password file, it should fail");
}
catch (IOException)
{
}
//NOP
try
{
conf.Set(JavaKeyStoreProvider.KeystorePasswordFileKey, "core-site.xml");
KeyProviderFactory.GetProviders(conf)[0];
NUnit.Framework.Assert.Fail("using different password file, it should fail");
}
catch (IOException)
{
}
//NOP
try
{
conf.Unset(JavaKeyStoreProvider.KeystorePasswordFileKey);
KeyProviderFactory.GetProviders(conf)[0];
NUnit.Framework.Assert.Fail("No password file property, env not set, it should fail"
);
}
catch (IOException)
{
}
}
public virtual void TestGetProviderViaURI()
{
Configuration conf = new Configuration(false);
Path jksPath = new Path(testRootDir.ToString(), "test.jks");
URI uri = new URI(JavaKeyStoreProvider.SchemeName + "://file" + jksPath.ToUri());
KeyProvider kp = KeyProviderFactory.Get(uri, conf);
NUnit.Framework.Assert.IsNotNull(kp);
Assert.Equal(typeof(JavaKeyStoreProvider), kp.GetType());
uri = new URI("foo://bar");
kp = KeyProviderFactory.Get(uri, conf);
NUnit.Framework.Assert.IsNull(kp);
}
public virtual void TestUriErrors()
{
Configuration conf = new Configuration();
conf.Set(KeyProviderFactory.KeyProviderPath, "unkn@own:/x/y");
try
{
IList <KeyProvider> providers = KeyProviderFactory.GetProviders(conf);
Assert.True("should throw!", false);
}
catch (IOException e)
{
Assert.Equal("Bad configuration of " + KeyProviderFactory.KeyProviderPath
+ " at unkn@own:/x/y", e.Message);
}
}
public virtual void TestFactoryErrors()
{
Configuration conf = new Configuration();
conf.Set(KeyProviderFactory.KeyProviderPath, "unknown:///");
try
{
IList <KeyProvider> providers = KeyProviderFactory.GetProviders(conf);
Assert.True("should throw!", false);
}
catch (IOException e)
{
Assert.Equal("No KeyProviderFactory for unknown:/// in " + KeyProviderFactory
.KeyProviderPath, e.Message);
}
}
public virtual void TestJksProviderWithKeytoolKeys()
{
Configuration conf = new Configuration();
string keystoreDirAbsolutePath = conf.GetResource("hdfs7067.keystore").AbsolutePath;
string ourUrl = JavaKeyStoreProvider.SchemeName + "://file@/" + keystoreDirAbsolutePath;
conf.Set(KeyProviderFactory.KeyProviderPath, ourUrl);
KeyProvider provider = KeyProviderFactory.GetProviders(conf)[0];
// Sanity check that we are using the right keystore
KeyProvider.KeyVersion keyVersion = provider.GetKeyVersion("testkey5@0");
try
{
KeyProvider.KeyVersion keyVersionWrongKeyNameFormat = provider.GetKeyVersion("testkey2"
);
NUnit.Framework.Assert.Fail("should have thrown an exception");
}
catch (IOException e)
{
// No version in key path testkey2/
GenericTestUtils.AssertExceptionContains("No version in key path", e);
}
try
{
KeyProvider.KeyVersion keyVersionCurrentKeyNotWrongKeyNameFormat = provider.GetCurrentKey
("testkey5@0");
NUnit.Framework.Assert.Fail("should have thrown an exception getting testkey5@0");
}
catch (IOException e)
{
// javax.crypto.spec.SecretKeySpec cannot be cast to
// org.apache.hadoop.crypto.key.JavaKeyStoreProvider$KeyMetadata
GenericTestUtils.AssertExceptionContains("other non-Hadoop method", e);
}
try
{
KeyProvider.KeyVersion keyVersionCurrentKeyNotReally = provider.GetCurrentKey("testkey2"
);
NUnit.Framework.Assert.Fail("should have thrown an exception getting testkey2");
}
catch (IOException e)
{
// javax.crypto.spec.SecretKeySpec cannot be cast to
// org.apache.hadoop.crypto.key.JavaKeyStoreProvider$KeyMetadata
GenericTestUtils.AssertExceptionContains("other non-Hadoop method", e);
}
}
public virtual void TestFactory()
{
Configuration conf = new Configuration();
string userUri = UserProvider.SchemeName + ":///";
Path jksPath = new Path(testRootDir.ToString(), "test.jks");
string jksUri = JavaKeyStoreProvider.SchemeName + "://file" + jksPath.ToUri().ToString
();
conf.Set(KeyProviderFactory.KeyProviderPath, userUri + "," + jksUri);
IList <KeyProvider> providers = KeyProviderFactory.GetProviders(conf);
Assert.Equal(2, providers.Count);
Assert.Equal(typeof(UserProvider), providers[0].GetType());
Assert.Equal(typeof(JavaKeyStoreProvider), providers[1].GetType
());
Assert.Equal(userUri, providers[0].ToString());
Assert.Equal(jksUri, providers[1].ToString());
}
/// <exception cref="System.Exception"/>
internal static void CheckSpecificProvider(Configuration conf, string ourUrl)
{
KeyProvider provider = KeyProviderFactory.GetProviders(conf)[0];
byte[] key1 = new byte[16];
byte[] key2 = new byte[16];
byte[] key3 = new byte[16];
for (int i = 0; i < key1.Length; ++i)
{
key1[i] = unchecked ((byte)i);
key2[i] = unchecked ((byte)(i * 2));
key3[i] = unchecked ((byte)(i * 3));
}
// ensure that we get nulls when the key isn't there
Assert.Equal(null, provider.GetKeyVersion("no-such-key"));
Assert.Equal(null, provider.GetMetadata("key"));
// create a new key
try
{
provider.CreateKey("key3", key3, KeyProvider.Options(conf));
}
catch (Exception e)
{
Runtime.PrintStackTrace(e);
throw;
}
// check the metadata for key3
KeyProvider.Metadata meta = provider.GetMetadata("key3");
Assert.Equal(KeyProvider.DefaultCipher, meta.GetCipher());
Assert.Equal(KeyProvider.DefaultBitlength, meta.GetBitLength()
);
Assert.Equal(1, meta.GetVersions());
// make sure we get back the right key
Assert.AssertArrayEquals(key3, provider.GetCurrentKey("key3").GetMaterial());
Assert.Equal("key3@0", provider.GetCurrentKey("key3").GetVersionName
());
// try recreating key3
try
{
provider.CreateKey("key3", key3, KeyProvider.Options(conf));
Assert.True("should throw", false);
}
catch (IOException e)
{
Assert.Equal("Key key3 already exists in " + ourUrl, e.Message
);
}
provider.DeleteKey("key3");
try
{
provider.DeleteKey("key3");
Assert.True("should throw", false);
}
catch (IOException e)
{
Assert.Equal("Key key3 does not exist in " + ourUrl, e.Message
);
}
provider.CreateKey("key3", key3, KeyProvider.Options(conf));
try
{
provider.CreateKey("key4", key3, KeyProvider.Options(conf).SetBitLength(8));
Assert.True("should throw", false);
}
catch (IOException e)
{
Assert.Equal("Wrong key length. Required 8, but got 128", e.Message
);
}
provider.CreateKey("key4", new byte[] { 1 }, KeyProvider.Options(conf).SetBitLength
(8));
provider.RollNewVersion("key4", new byte[] { 2 });
meta = provider.GetMetadata("key4");
Assert.Equal(2, meta.GetVersions());
Assert.AssertArrayEquals(new byte[] { 2 }, provider.GetCurrentKey("key4").GetMaterial
());
Assert.AssertArrayEquals(new byte[] { 1 }, provider.GetKeyVersion("key4@0").GetMaterial
());
Assert.Equal("key4@1", provider.GetCurrentKey("key4").GetVersionName
());
try
{
provider.RollNewVersion("key4", key1);
Assert.True("should throw", false);
}
catch (IOException e)
{
Assert.Equal("Wrong key length. Required 8, but got 128", e.Message
);
}
try
{
provider.RollNewVersion("no-such-key", key1);
Assert.True("should throw", false);
}
catch (IOException e)
{
Assert.Equal("Key no-such-key not found", e.Message);
}
provider.Flush();
// get a new instance of the provider to ensure it was saved correctly
provider = KeyProviderFactory.GetProviders(conf)[0];
Assert.AssertArrayEquals(new byte[] { 2 }, provider.GetCurrentKey("key4").GetMaterial
());
Assert.AssertArrayEquals(key3, provider.GetCurrentKey("key3").GetMaterial());
Assert.Equal("key3@0", provider.GetCurrentKey("key3").GetVersionName
());
IList <string> keys = provider.GetKeys();
Assert.True("Keys should have been returned.", keys.Count == 2);
Assert.True("Returned Keys should have included key3.", keys.Contains
("key3"));
Assert.True("Returned Keys should have included key4.", keys.Contains
("key4"));
IList <KeyProvider.KeyVersion> kvl = provider.GetKeyVersions("key3");
Assert.True("KeyVersions should have been returned for key3.",
kvl.Count == 1);
Assert.True("KeyVersions should have included key3@0.", kvl[0].
GetVersionName().Equals("key3@0"));
Assert.AssertArrayEquals(key3, kvl[0].GetMaterial());
}
public virtual void TestJksProvider()
{
Configuration conf = new Configuration();
Path jksPath = new Path(testRootDir.ToString(), "test.jks");
string ourUrl = JavaKeyStoreProvider.SchemeName + "://file" + jksPath.ToUri();
FilePath file = new FilePath(testRootDir, "test.jks");
file.Delete();
conf.Set(KeyProviderFactory.KeyProviderPath, ourUrl);
CheckSpecificProvider(conf, ourUrl);
// START : Test flush error by failure injection
conf.Set(KeyProviderFactory.KeyProviderPath, ourUrl.Replace(JavaKeyStoreProvider.
SchemeName, FailureInjectingJavaKeyStoreProvider.SchemeName));
// get a new instance of the provider to ensure it was saved correctly
KeyProvider provider = KeyProviderFactory.GetProviders(conf)[0];
// inject failure during keystore write
FailureInjectingJavaKeyStoreProvider fProvider = (FailureInjectingJavaKeyStoreProvider
)provider;
fProvider.SetWriteFail(true);
provider.CreateKey("key5", new byte[] { 1 }, KeyProvider.Options(conf).SetBitLength
(8));
NUnit.Framework.Assert.IsNotNull(provider.GetCurrentKey("key5"));
try
{
provider.Flush();
NUnit.Framework.Assert.Fail("Should not succeed");
}
catch (Exception)
{
}
// Ignore
// SHould be reset to pre-flush state
NUnit.Framework.Assert.IsNull(provider.GetCurrentKey("key5"));
// Un-inject last failure and
// inject failure during keystore backup
fProvider.SetWriteFail(false);
fProvider.SetBackupFail(true);
provider.CreateKey("key6", new byte[] { 1 }, KeyProvider.Options(conf).SetBitLength
(8));
NUnit.Framework.Assert.IsNotNull(provider.GetCurrentKey("key6"));
try
{
provider.Flush();
NUnit.Framework.Assert.Fail("Should not succeed");
}
catch (Exception)
{
}
// Ignore
// SHould be reset to pre-flush state
NUnit.Framework.Assert.IsNull(provider.GetCurrentKey("key6"));
// END : Test flush error by failure injection
conf.Set(KeyProviderFactory.KeyProviderPath, ourUrl.Replace(FailureInjectingJavaKeyStoreProvider
.SchemeName, JavaKeyStoreProvider.SchemeName));
Path path = ProviderUtils.UnnestUri(new URI(ourUrl));
FileSystem fs = path.GetFileSystem(conf);
FileStatus s = fs.GetFileStatus(path);
Assert.True(s.GetPermission().ToString().Equals("rwx------"));
Assert.True(file + " should exist", file.IsFile());
// Corrupt file and Check if JKS can reload from _OLD file
FilePath oldFile = new FilePath(file.GetPath() + "_OLD");
file.RenameTo(oldFile);
file.Delete();
file.CreateNewFile();
Assert.True(oldFile.Exists());
provider = KeyProviderFactory.GetProviders(conf)[0];
Assert.True(file.Exists());
Assert.True(oldFile + "should be deleted", !oldFile.Exists());
VerifyAfterReload(file, provider);
Assert.True(!oldFile.Exists());
// _NEW and current file should not exist together
FilePath newFile = new FilePath(file.GetPath() + "_NEW");
newFile.CreateNewFile();
try
{
provider = KeyProviderFactory.GetProviders(conf)[0];
NUnit.Framework.Assert.Fail("_NEW and current file should not exist together !!");
}
catch (Exception)
{
}
finally
{
// Ignore
if (newFile.Exists())
{
newFile.Delete();
}
}
// Load from _NEW file
file.RenameTo(newFile);
file.Delete();
try
{
provider = KeyProviderFactory.GetProviders(conf)[0];
NUnit.Framework.Assert.IsFalse(newFile.Exists());
NUnit.Framework.Assert.IsFalse(oldFile.Exists());
}
catch (Exception)
{
NUnit.Framework.Assert.Fail("JKS should load from _NEW file !!");
}
// Ignore
VerifyAfterReload(file, provider);
// _NEW exists but corrupt.. must load from _OLD
newFile.CreateNewFile();
file.RenameTo(oldFile);
file.Delete();
try
{
provider = KeyProviderFactory.GetProviders(conf)[0];
NUnit.Framework.Assert.IsFalse(newFile.Exists());
NUnit.Framework.Assert.IsFalse(oldFile.Exists());
}
catch (Exception)
{
NUnit.Framework.Assert.Fail("JKS should load from _OLD file !!");
}
finally
{
// Ignore
if (newFile.Exists())
{
newFile.Delete();
}
}
VerifyAfterReload(file, provider);
// check permission retention after explicit change
fs.SetPermission(path, new FsPermission("777"));
CheckPermissionRetention(conf, ourUrl, path);
// Check that an uppercase keyname results in an error
provider = KeyProviderFactory.GetProviders(conf)[0];
try
{
provider.CreateKey("UPPERCASE", KeyProvider.Options(conf));
NUnit.Framework.Assert.Fail("Expected failure on creating key name with uppercase "
+ "characters");
}
catch (ArgumentException e)
{
GenericTestUtils.AssertExceptionContains("Uppercase key names", e);
}
}
