diff --git a/test/distributed/org/apache/cassandra/distributed/test/AbstractEncryptionOptionsImpl.java b/test/distributed/org/apache/cassandra/distributed/test/AbstractEncryptionOptionsImpl.java
index b48886743308..ee0fab8b2f45 100644
--- a/test/distributed/org/apache/cassandra/distributed/test/AbstractEncryptionOptionsImpl.java
+++ b/test/distributed/org/apache/cassandra/distributed/test/AbstractEncryptionOptionsImpl.java
@@ -18,17 +18,22 @@
 package org.apache.cassandra.distributed.test;
+import java.net.InetAddress;
+import java.security.NoSuchAlgorithmException;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 import java.util.concurrent.atomic.AtomicInteger;
 import java.util.concurrent.atomic.AtomicReference;
-
+import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLHandshakeException;
 import javax.net.ssl.SSLSession;
+import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
-import org.apache.cassandra.utils.concurrent.Condition;
+import com.google.common.collect.ImmutableSet;
 import org.junit.Assert;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -52,11 +57,15 @@
 import org.apache.cassandra.exceptions.ConfigurationException;
 import org.apache.cassandra.security.ISslContextFactory;
 import org.apache.cassandra.security.SSLFactory;
+import org.apache.cassandra.utils.concurrent.Condition;
+import static com.google.common.collect.ImmutableList.toImmutableList;
 import static java.util.concurrent.TimeUnit.SECONDS;
 import static org.apache.cassandra.distributed.test.AbstractEncryptionOptionsImpl.ConnectResult.CONNECTING;
 import static org.apache.cassandra.distributed.test.AbstractEncryptionOptionsImpl.ConnectResult.UNINITIALIZED;
 import static org.apache.cassandra.utils.concurrent.Condition.newOneTimeCondition;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
 public class AbstractEncryptionOptionsImpl extends TestBaseImpl
 {
@@ -358,4 +367,48 @@ void assertCannotStartDueToConfigurationException(Cluster cluster)
             Assert.assertEquals(ConfigurationException.class.getName(), tr.getClass().getName());
         }
     }
+
+    protected static List getAcceptedProtocolsForNegotationTest()
+    {
+        Set supportedProtocols = null;
+        try
+        {
+            supportedProtocols = ImmutableSet.copyOf(Arrays.asList(SSLContext.getDefault().createSSLEngine().getEnabledProtocols()));
+        }
+        catch (NoSuchAlgorithmException e)
+        {
+            throw new RuntimeException(e);
+        }
+        List maybeAcceptedProtocolVersions = ImmutableList.of("TLSv1.2", "TLSv1.3");
+        return maybeAcceptedProtocolVersions.stream().filter(supportedProtocols::contains).collect(toImmutableList());
+    }
+
+    protected void testProtocolNegotation(Cluster cluster, int port) throws Throwable
+    {
+        Set supportedProtocolVersions = ImmutableSet.copyOf(Arrays.asList(SSLContext.getDefault().createSSLEngine().getEnabledProtocols()));
+        List deprecatedProtocolVersions = ImmutableList.of("TLSv1", "TLSv1.1");
+        List mandatoryProtocolVersions = ImmutableList.of("TLSv1.2", "TLSv1.3");
+        List acceptedProtocolVersions = getAcceptedProtocolsForNegotationTest();
+        assertTrue("Not all mandatory protocol versions are supported, mandatory " + mandatoryProtocolVersions + " accepted " + acceptedProtocolVersions,
+                   acceptedProtocolVersions.containsAll(mandatoryProtocolVersions));
+        assertFalse("Accepted protocol versions contains deprecated protocol versions, deprecated " + deprecatedProtocolVersions + " accepted " + supportedProtocolVersions,
+                    acceptedProtocolVersions.stream().anyMatch(deprecatedProtocolVersions::contains));
+        InetAddress address = cluster.get(1).config().broadcastAddress().getAddress();
+
+        for (String deprecatedProtocolVersion : deprecatedProtocolVersions)
+        {
+            TlsConnection tlsConnection = new TlsConnection(address.getHostAddress(), port, Collections.singletonList(deprecatedProtocolVersion));
+            Assert.assertEquals("Should not be possible to establish a " + deprecatedProtocolVersion + " connection",
+                                ConnectResult.FAILED_TO_NEGOTIATE, tlsConnection.connect());
+            tlsConnection.assertReceivedHandshakeException();
+        }
+
+        for (String protocolVersion : acceptedProtocolVersions)
+        {
+            TlsConnection tlsConnection = new TlsConnection(address.getHostAddress(), port, Collections.singletonList(protocolVersion));
+            Assert.assertEquals("Should be possible to establish a TLSv1.1 connection",
+                                ConnectResult.NEGOTIATED, tlsConnection.connect());
+            Assert.assertEquals(protocolVersion, tlsConnection.lastProtocol());
+        }
+    }
 }
diff --git a/test/distributed/org/apache/cassandra/distributed/test/InternodeEncryptionOptionsTest.java b/test/distributed/org/apache/cassandra/distributed/test/InternodeEncryptionOptionsTest.java
index 83bcaaad3c14..6b5bdea681dc 100644
--- a/test/distributed/org/apache/cassandra/distributed/test/InternodeEncryptionOptionsTest.java
+++ b/test/distributed/org/apache/cassandra/distributed/test/InternodeEncryptionOptionsTest.java
@@ -21,7 +21,6 @@
 import java.net.InetAddress;
 import java.util.Collections;
-import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
 import org.junit.Assert;
 import org.junit.Test;
@@ -29,6 +28,8 @@
 import org.apache.cassandra.distributed.Cluster;
 import org.apache.cassandra.distributed.api.Feature;
+import static org.junit.Assert.assertTrue;
+
 public class InternodeEncryptionOptionsTest extends AbstractEncryptionOptionsImpl
 {
     @Test
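Review bot: The assertion message in the accepted-protocols loop of testProtocolNegotation is hard-coded to "TLSv1.1" although that loop connects with `protocolVersion`, so a failure for TLSv1.2 or TLSv1.3 would be reported as a TLSv1.1 problem; use `Assert.assertEquals("Should be possible to establish a " + protocolVersion + " connection", ConnectResult.NEGOTIATED, tlsConnection.connect());` as the deprecated loop already does. The assertFalse message prints `supportedProtocolVersions` under the label "accepted" while the predicate checks `acceptedProtocolVersions`, and that local has no other use, so either print `acceptedProtocolVersions` or drop the local. The mandatory check asserts both TLSv1.2 and TLSv1.3 right after getAcceptedProtocolsForNegotationTest filtered them against the JVM's enabled protocols, so on a JVM with TLSv1.3 disabled the test fails rather than adapting; if skipping is the intent, an `Assume.assumeTrue(...)` would express that. Note also that if the client JVM itself disables TLSv1/TLSv1.1 through jdk.tls.disabledAlgorithms, the FAILED_TO_NEGOTIATE result in the first loop may come from the client side rather than from the server honouring accepted_protocols, which is worth confirming against TlsConnection (not in this diff) since that is what the test is meant to verify. Finally both new method names misspell "Negotiation" as "Negotation", and the callers in InternodeEncryptionOptionsTest and NativeTransportEncryptionOptionsTest repeat that spelling.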
@@ -213,7 +214,7 @@ public void allInternodeEncryptionEstablishedTest() throws Throwable
                 Object[][] result = cluster.get(i).executeInternal("SELECT successful_connection_attempts, address, port FROM system_views.internode_outbound");
                 Assert.assertEquals(1, result.length);
                 long successfulConnectionAttempts = (long) result[0][0];
-                Assert.assertTrue("At least one connection: " + successfulConnectionAttempts, successfulConnectionAttempts > 0);
+                assertTrue("At least one connection: " + successfulConnectionAttempts, successfulConnectionAttempts > 0);
             }
         }
     }
@@ -236,33 +237,12 @@ public void negotiatedProtocolMustBeAcceptedProtocolTest() throws Throwable
             c.set("server_encryption_options", ImmutableMap.builder().putAll(validKeystore)
                                                             .put("internode_encryption", "all")
-                                                            .put("accepted_protocols", ImmutableList.of("TLSv1.1", "TLSv1.2", "TLSv1.3"))
+                                                            .put("accepted_protocols", getAcceptedProtocolsForNegotationTest())
                                                             .build());
         }).start())
         {
-            InetAddress address = cluster.get(1).config().broadcastAddress().getAddress();
             int port = cluster.get(1).config().broadcastAddress().getPort();
-
-            // deprecated
-            TlsConnection tls10Connection = new TlsConnection(address.getHostAddress(), port, Collections.singletonList("TLSv1"));
-            Assert.assertEquals("Should not be possible to establish a TLSv1 connection",
-                                ConnectResult.FAILED_TO_NEGOTIATE, tls10Connection.connect());
-            tls10Connection.assertReceivedHandshakeException();
-
-            TlsConnection tls11Connection = new TlsConnection(address.getHostAddress(), port, Collections.singletonList("TLSv1.1"));
-            Assert.assertEquals("Should be possible to establish a TLSv1.1 connection",
-                                ConnectResult.NEGOTIATED, tls11Connection.connect());
-            Assert.assertEquals("TLSv1.1", tls11Connection.lastProtocol());
-
-            TlsConnection tls12Connection = new TlsConnection(address.getHostAddress(), port, Collections.singletonList("TLSv1.2"));
-            Assert.assertEquals("Should be possible to establish a TLSv1.2 connection",
-                                ConnectResult.NEGOTIATED, tls12Connection.connect());
-            Assert.assertEquals("TLSv1.2", tls12Connection.lastProtocol());
-
-            TlsConnection tls13Connection = new TlsConnection(address.getHostAddress(), port, Collections.singletonList("TLSv1.3"));
-            Assert.assertEquals("Should be possible to establish a TLSv1.3 connection",
-                                ConnectResult.NEGOTIATED, tls13Connection.connect());
-            Assert.assertEquals("TLSv1.3", tls13Connection.lastProtocol());
+            testProtocolNegotation(cluster, port);
         }
     }
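Review bot: After the removal of the local TlsConnection code in negotiatedProtocolMustBeAcceptedProtocolTest, `InetAddress` and `Collections` have no remaining use visible in this diff, yet the import hunk at line 21 of this file keeps both and removes only `ImmutableList`; if no other test method in the class references them, they should be dropped as well. The same applies to NativeTransportEncryptionOptionsTest, whose import hunk likewise keeps `InetAddress` and `Collections` while its only visible uses are deleted. The enclosing method starts before this hunk.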
diff --git a/test/distributed/org/apache/cassandra/distributed/test/NativeTransportEncryptionOptionsTest.java b/test/distributed/org/apache/cassandra/distributed/test/NativeTransportEncryptionOptionsTest.java
index 3e8c92648099..ade60e840770 100644
--- a/test/distributed/org/apache/cassandra/distributed/test/NativeTransportEncryptionOptionsTest.java
+++ b/test/distributed/org/apache/cassandra/distributed/test/NativeTransportEncryptionOptionsTest.java
@@ -23,11 +23,9 @@
 import java.net.InetAddress;
 import java.security.KeyStore;
 import java.util.Collections;
-
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.TrustManagerFactory;
-import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
 import org.junit.Assert;
 import org.junit.Rule;
@@ -170,32 +168,12 @@ public void negotiatedProtocolMustBeAcceptedProtocolTest() throws Throwable
             c.set("client_encryption_options", ImmutableMap.builder().putAll(validKeystore)
                                                             .put("enabled", true)
-                                                            .put("accepted_protocols", ImmutableList.of("TLSv1.1", "TLSv1.2", "TLSv1.3"))
+                                                            .put("accepted_protocols", getAcceptedProtocolsForNegotationTest())
                                                             .build());
         }).start())
         {
-            InetAddress address = cluster.get(1).config().broadcastAddress().getAddress();
             int port = (int) cluster.get(1).config().get("native_transport_port");
-
-            TlsConnection tls10Connection = new TlsConnection(address.getHostAddress(), port, Collections.singletonList("TLSv1"));
-            Assert.assertEquals("Should not be possible to establish a TLSv1 connection",
-                                ConnectResult.FAILED_TO_NEGOTIATE, tls10Connection.connect());
-            tls10Connection.assertReceivedHandshakeException();
-
-            TlsConnection tls11Connection = new TlsConnection(address.getHostAddress(), port, Collections.singletonList("TLSv1.1"));
-            Assert.assertEquals("Should be possible to establish a TLSv1.1 connection",
-                                ConnectResult.NEGOTIATED, tls11Connection.connect());
-            Assert.assertEquals("TLSv1.1", tls11Connection.lastProtocol());
-
-            TlsConnection tls12Connection = new TlsConnection(address.getHostAddress(), port, Collections.singletonList("TLSv1.2"));
-            Assert.assertEquals("Should be possible to establish a TLSv1.2 connection",
-                                ConnectResult.NEGOTIATED, tls12Connection.connect());
-            Assert.assertEquals("TLSv1.2", tls12Connection.lastProtocol());
-
-            TlsConnection tls13Connection = new TlsConnection(address.getHostAddress(), port, Collections.singletonList("TLSv1.3"));
-            Assert.assertEquals("Should be possible to establish a TLSv1.3 connection",
-                                ConnectResult.NEGOTIATED, tls13Connection.connect());
-            Assert.assertEquals("TLSv1.3", tls13Connection.lastProtocol());
+            testProtocolNegotation(cluster, port);
         }
     }