From 4d9e8d0c8894cf45048a77c1ccc8d40e8abfe5df Mon Sep 17 00:00:00 2001 From: Yuxin Tan Date: Wed, 15 Feb 2023 14:00:19 +0800 Subject: [PATCH 1/2] [FLINK-30983][runtime] Migrate SSLUtilsTest to junit5 --- .../flink/runtime/net/SSLUtilsTest.java | 222 +++++++++--------- 1 file changed, 112 insertions(+), 110 deletions(-) diff --git a/flink-runtime/src/test/java/org/apache/flink/runtime/net/SSLUtilsTest.java b/flink-runtime/src/test/java/org/apache/flink/runtime/net/SSLUtilsTest.java index 2419501646570..5c048c41fd193 100644 --- a/flink-runtime/src/test/java/org/apache/flink/runtime/net/SSLUtilsTest.java +++ b/flink-runtime/src/test/java/org/apache/flink/runtime/net/SSLUtilsTest.java @@ -22,15 +22,14 @@ import org.apache.flink.configuration.IllegalConfigurationException; import org.apache.flink.configuration.SecurityOptions; import org.apache.flink.runtime.io.network.netty.SSLHandlerFactory; -import org.apache.flink.util.TestLogger; import org.apache.flink.shaded.netty4.io.netty.buffer.UnpooledByteBufAllocator; import org.apache.flink.shaded.netty4.io.netty.handler.ssl.OpenSsl; import org.apache.flink.shaded.netty4.io.netty.handler.ssl.SslHandler; -import org.junit.Test; -import org.junit.runner.RunWith; -import org.junit.runners.Parameterized; +import org.junit.jupiter.api.Test; +import org.junit.jupiter.params.ParameterizedTest; +import org.junit.jupiter.params.provider.MethodSource; import javax.net.ssl.SSLServerSocket; @@ -48,22 +47,17 @@ import java.util.List; import java.util.Locale; -import static org.hamcrest.Matchers.arrayContainingInAnyOrder; -import static org.hamcrest.Matchers.containsString; -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertNotNull; -import static org.junit.Assert.assertThat; -import static org.junit.Assert.assertTrue; -import static org.junit.Assert.fail; +import static org.apache.flink.util.Preconditions.checkNotNull; +import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.fail; /** Tests for the {@link SSLUtils}. */ -@RunWith(Parameterized.class) -public class SSLUtilsTest extends TestLogger { +public class SSLUtilsTest { private static final String TRUST_STORE_PATH = - SSLUtilsTest.class.getResource("/local127.truststore").getFile(); + checkNotNull(SSLUtilsTest.class.getResource("/local127.truststore")).getFile(); private static final String KEY_STORE_PATH = - SSLUtilsTest.class.getResource("/local127.keystore").getFile(); + checkNotNull(SSLUtilsTest.class.getResource("/local127.keystore")).getFile(); private static final String TRUST_STORE_PASSWORD = "password"; private static final String KEY_STORE_PASSWORD = "password"; @@ -73,24 +67,22 @@ public class SSLUtilsTest extends TestLogger { static { if (System.getProperty("flink.tests.with-openssl") != null) { - assertTrue( - "openSSL not available but required (property 'flink.tests.with-openssl' is set)", - OpenSsl.isAvailable()); + if (!OpenSsl.isAvailable()) { + fail( + "openSSL not available but required (property 'flink.tests.with-openssl' is set)"); + } AVAILABLE_SSL_PROVIDERS = Arrays.asList("JDK", "OPENSSL"); } else { AVAILABLE_SSL_PROVIDERS = Collections.singletonList("JDK"); } } - @Parameterized.Parameter public String sslProvider; - - @Parameterized.Parameters(name = "SSL provider = {0}") - public static List parameters() { + private static List parameters() { return AVAILABLE_SSL_PROVIDERS; } @Test - public void testSocketFactoriesWhenSslDisabled() throws Exception { + void testSocketFactoriesWhenSslDisabled() throws Exception { Configuration config = new Configuration(); try { @@ -109,18 +101,20 @@ public void testSocketFactoriesWhenSslDisabled() throws Exception { // ------------------------ REST client -------------------------- /** Tests if REST Client SSL is created given a valid SSL configuration. */ - @Test - public void testRESTClientSSL() throws Exception { - Configuration clientConfig = createRestSslConfigWithTrustStore(); + @ParameterizedTest + @MethodSource("parameters") + void testRESTClientSSL(String sslProvider) throws Exception { + Configuration clientConfig = createRestSslConfigWithTrustStore(sslProvider); SSLHandlerFactory ssl = SSLUtils.createRestClientSSLEngineFactory(clientConfig); - assertNotNull(ssl); + assertThat(ssl).isNotNull(); } /** Tests that REST Client SSL Client is not created if SSL is not configured. */ - @Test - public void testRESTClientSSLDisabled() throws Exception { - Configuration clientConfig = createRestSslConfigWithTrustStore(); + @ParameterizedTest + @MethodSource("parameters") + void testRESTClientSSLDisabled(String sslProvider) throws Exception { + Configuration clientConfig = createRestSslConfigWithTrustStore(sslProvider); clientConfig.setBoolean(SecurityOptions.SSL_REST_ENABLED, false); try { @@ -132,7 +126,7 @@ public void testRESTClientSSLDisabled() throws Exception { /** Tests that REST Client SSL creation fails with bad SSL configuration. */ @Test - public void testRESTClientSSLMissingTrustStore() throws Exception { + void testRESTClientSSLMissingTrustStore() throws Exception { Configuration config = new Configuration(); config.setBoolean(SecurityOptions.SSL_REST_ENABLED, true); config.setString(SecurityOptions.SSL_REST_TRUSTSTORE_PASSWORD, "some password"); @@ -146,7 +140,7 @@ public void testRESTClientSSLMissingTrustStore() throws Exception { /** Tests that REST Client SSL creation fails with bad SSL configuration. */ @Test - public void testRESTClientSSLMissingPassword() throws Exception { + void testRESTClientSSLMissingPassword() throws Exception { Configuration config = new Configuration(); config.setBoolean(SecurityOptions.SSL_REST_ENABLED, true); config.setString(SecurityOptions.SSL_REST_TRUSTSTORE, TRUST_STORE_PATH); @@ -159,9 +153,10 @@ public void testRESTClientSSLMissingPassword() throws Exception { } /** Tests that REST Client SSL creation fails with bad SSL configuration. */ - @Test - public void testRESTClientSSLWrongPassword() throws Exception { - Configuration clientConfig = createRestSslConfigWithTrustStore(); + @ParameterizedTest + @MethodSource("parameters") + void testRESTClientSSLWrongPassword(String sslProvider) { + Configuration clientConfig = createRestSslConfigWithTrustStore(sslProvider); clientConfig.setString(SecurityOptions.SSL_REST_TRUSTSTORE_PASSWORD, "badpassword"); try { @@ -174,18 +169,20 @@ public void testRESTClientSSLWrongPassword() throws Exception { // ------------------------ server -------------------------- /** Tests that REST Server SSL Engine is created given a valid SSL configuration. */ - @Test - public void testRESTServerSSL() throws Exception { - Configuration serverConfig = createRestSslConfigWithKeyStore(); + @ParameterizedTest + @MethodSource("parameters") + void testRESTServerSSL(String sslProvider) throws Exception { + Configuration serverConfig = createRestSslConfigWithKeyStore(sslProvider); SSLHandlerFactory ssl = SSLUtils.createRestServerSSLEngineFactory(serverConfig); - assertNotNull(ssl); + assertThat(ssl).isNotNull(); } /** Tests that REST Server SSL Engine is not created if SSL is disabled. */ - @Test - public void testRESTServerSSLDisabled() throws Exception { - Configuration serverConfig = createRestSslConfigWithKeyStore(); + @ParameterizedTest + @MethodSource("parameters") + void testRESTServerSSLDisabled(String sslProvider) throws Exception { + Configuration serverConfig = createRestSslConfigWithKeyStore(sslProvider); serverConfig.setBoolean(SecurityOptions.SSL_REST_ENABLED, false); try { @@ -196,9 +193,10 @@ public void testRESTServerSSLDisabled() throws Exception { } /** Tests that REST Server SSL Engine creation fails with bad SSL configuration. */ - @Test - public void testRESTServerSSLBadKeystorePassword() { - Configuration serverConfig = createRestSslConfigWithKeyStore(); + @ParameterizedTest + @MethodSource("parameters") + void testRESTServerSSLBadKeystorePassword(String sslProvider) { + Configuration serverConfig = createRestSslConfigWithKeyStore(sslProvider); serverConfig.setString(SecurityOptions.SSL_REST_KEYSTORE_PASSWORD, "badpassword"); try { @@ -209,9 +207,10 @@ public void testRESTServerSSLBadKeystorePassword() { } /** Tests that REST Server SSL Engine creation fails with bad SSL configuration. */ - @Test - public void testRESTServerSSLBadKeyPassword() { - Configuration serverConfig = createRestSslConfigWithKeyStore(); + @ParameterizedTest + @MethodSource("parameters") + void testRESTServerSSLBadKeyPassword(String sslProvider) { + Configuration serverConfig = createRestSslConfigWithKeyStore(sslProvider); serverConfig.setString(SecurityOptions.SSL_REST_KEY_PASSWORD, "badpassword"); try { @@ -223,27 +222,30 @@ public void testRESTServerSSLBadKeyPassword() { // ----------------------- mutual auth contexts -------------------------- - @Test - public void testInternalSSL() throws Exception { - final Configuration config = createInternalSslConfigWithKeyAndTrustStores(); - assertNotNull(SSLUtils.createInternalServerSSLEngineFactory(config)); - assertNotNull(SSLUtils.createInternalClientSSLEngineFactory(config)); + @ParameterizedTest + @MethodSource("parameters") + void testInternalSSL(String sslProvider) throws Exception { + final Configuration config = createInternalSslConfigWithKeyAndTrustStores(sslProvider); + assertThat(SSLUtils.createInternalServerSSLEngineFactory(config)).isNotNull(); + assertThat(SSLUtils.createInternalClientSSLEngineFactory(config)).isNotNull(); } - @Test - public void testInternalSSLWithSSLPinning() throws Exception { - final Configuration config = createInternalSslConfigWithKeyAndTrustStores(); + @ParameterizedTest + @MethodSource("parameters") + void testInternalSSLWithSSLPinning(String sslProvider) throws Exception { + final Configuration config = createInternalSslConfigWithKeyAndTrustStores(sslProvider); config.setString( SecurityOptions.SSL_INTERNAL_CERT_FINGERPRINT, getCertificateFingerprint(config, "flink.test")); - assertNotNull(SSLUtils.createInternalServerSSLEngineFactory(config)); - assertNotNull(SSLUtils.createInternalClientSSLEngineFactory(config)); + assertThat(SSLUtils.createInternalServerSSLEngineFactory(config)).isNotNull(); + assertThat(SSLUtils.createInternalClientSSLEngineFactory(config)).isNotNull(); } - @Test - public void testInternalSSLDisables() throws Exception { - final Configuration config = createInternalSslConfigWithKeyAndTrustStores(); + @ParameterizedTest + @MethodSource("parameters") + void testInternalSSLDisables(String sslProvider) { + final Configuration config = createInternalSslConfigWithKeyAndTrustStores(sslProvider); config.setBoolean(SecurityOptions.SSL_INTERNAL_ENABLED, false); try { @@ -259,9 +261,10 @@ public void testInternalSSLDisables() throws Exception { } } - @Test - public void testInternalSSLKeyStoreOnly() throws Exception { - final Configuration config = createInternalSslConfigWithKeyStore(); + @ParameterizedTest + @MethodSource("parameters") + void testInternalSSLKeyStoreOnly(String sslProvider) { + final Configuration config = createInternalSslConfigWithKeyStore(sslProvider); try { SSLUtils.createInternalServerSSLEngineFactory(config); @@ -276,9 +279,10 @@ public void testInternalSSLKeyStoreOnly() throws Exception { } } - @Test - public void testInternalSSLTrustStoreOnly() throws Exception { - final Configuration config = createInternalSslConfigWithTrustStore(); + @ParameterizedTest + @MethodSource("parameters") + void testInternalSSLTrustStoreOnly(String sslProvider) { + final Configuration config = createInternalSslConfigWithTrustStore(sslProvider); try { SSLUtils.createInternalServerSSLEngineFactory(config); @@ -293,9 +297,10 @@ public void testInternalSSLTrustStoreOnly() throws Exception { } } - @Test - public void testInternalSSLWrongKeystorePassword() throws Exception { - final Configuration config = createInternalSslConfigWithKeyAndTrustStores(); + @ParameterizedTest + @MethodSource("parameters") + void testInternalSSLWrongKeystorePassword(String sslProvider) { + final Configuration config = createInternalSslConfigWithKeyAndTrustStores(sslProvider); config.setString(SecurityOptions.SSL_INTERNAL_KEYSTORE_PASSWORD, "badpw"); try { @@ -311,9 +316,10 @@ public void testInternalSSLWrongKeystorePassword() throws Exception { } } - @Test - public void testInternalSSLWrongTruststorePassword() throws Exception { - final Configuration config = createInternalSslConfigWithKeyAndTrustStores(); + @ParameterizedTest + @MethodSource("parameters") + void testInternalSSLWrongTruststorePassword(String sslProvider) { + final Configuration config = createInternalSslConfigWithKeyAndTrustStores(sslProvider); config.setString(SecurityOptions.SSL_INTERNAL_TRUSTSTORE_PASSWORD, "badpw"); try { @@ -329,9 +335,10 @@ public void testInternalSSLWrongTruststorePassword() throws Exception { } } - @Test - public void testInternalSSLWrongKeyPassword() throws Exception { - final Configuration config = createInternalSslConfigWithKeyAndTrustStores(); + @ParameterizedTest + @MethodSource("parameters") + void testInternalSSLWrongKeyPassword(String sslProvider) { + final Configuration config = createInternalSslConfigWithKeyAndTrustStores(sslProvider); config.setString(SecurityOptions.SSL_INTERNAL_KEY_PASSWORD, "badpw"); try { @@ -350,9 +357,10 @@ public void testInternalSSLWrongKeyPassword() throws Exception { // -------------------- protocols and cipher suites ----------------------- /** Tests if SSLUtils set the right ssl version and cipher suites for SSLServerSocket. */ - @Test - public void testSetSSLVersionAndCipherSuitesForSSLServerSocket() throws Exception { - Configuration serverConfig = createInternalSslConfigWithKeyAndTrustStores(); + @ParameterizedTest + @MethodSource("parameters") + void testSetSSLVersionAndCipherSuitesForSSLServerSocket(String sslProvider) throws Exception { + Configuration serverConfig = createInternalSslConfigWithKeyAndTrustStores(sslProvider); // set custom protocol and cipher suites serverConfig.setString(SecurityOptions.SSL_PROTOCOL, "TLSv1.1"); @@ -362,26 +370,25 @@ public void testSetSSLVersionAndCipherSuitesForSSLServerSocket() throws Exceptio try (ServerSocket socket = SSLUtils.createSSLServerSocketFactory(serverConfig).createServerSocket(0)) { - assertTrue(socket instanceof SSLServerSocket); + assertThat(socket instanceof SSLServerSocket).isTrue(); final SSLServerSocket sslSocket = (SSLServerSocket) socket; String[] protocols = sslSocket.getEnabledProtocols(); String[] algorithms = sslSocket.getEnabledCipherSuites(); - assertEquals(1, protocols.length); - assertEquals("TLSv1.1", protocols[0]); - assertEquals(2, algorithms.length); - assertThat( - algorithms, - arrayContainingInAnyOrder( - "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA256")); + assertThat(protocols.length).isEqualTo(1); + assertThat(protocols[0]).isEqualTo("TLSv1.1"); + assertThat(algorithms.length).isEqualTo(2); + assertThat(algorithms) + .contains("TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA256"); } } /** Tests that {@link SSLHandlerFactory} is created correctly. */ - @Test - public void testCreateSSLEngineFactory() throws Exception { - Configuration serverConfig = createInternalSslConfigWithKeyAndTrustStores(); + @ParameterizedTest + @MethodSource("parameters") + void testCreateSSLEngineFactory(String sslProvider) throws Exception { + Configuration serverConfig = createInternalSslConfigWithKeyAndTrustStores(sslProvider); final String[] sslAlgorithms; final String[] expectedSslProtocols; if (sslProvider.equalsIgnoreCase("OPENSSL")) { @@ -408,20 +415,19 @@ public void testCreateSSLEngineFactory() throws Exception { final SslHandler sslHandler = serverSSLHandlerFactory.createNettySSLHandler(UnpooledByteBufAllocator.DEFAULT); - assertEquals(expectedSslProtocols.length, sslHandler.engine().getEnabledProtocols().length); - assertThat( - sslHandler.engine().getEnabledProtocols(), - arrayContainingInAnyOrder(expectedSslProtocols)); + assertThat(sslHandler.engine().getEnabledProtocols().length) + .isEqualTo(expectedSslProtocols.length); + assertThat(sslHandler.engine().getEnabledProtocols()).contains(expectedSslProtocols); - assertEquals(sslAlgorithms.length, sslHandler.engine().getEnabledCipherSuites().length); - assertThat( - sslHandler.engine().getEnabledCipherSuites(), - arrayContainingInAnyOrder(sslAlgorithms)); + assertThat(sslHandler.engine().getEnabledCipherSuites().length) + .isEqualTo(sslAlgorithms.length); + assertThat(sslHandler.engine().getEnabledCipherSuites()).contains(sslAlgorithms); } - @Test - public void testInvalidFingerprintParsing() throws Exception { - final Configuration config = createInternalSslConfigWithKeyAndTrustStores(); + @ParameterizedTest + @MethodSource("parameters") + void testInvalidFingerprintParsing(String sslProvider) throws Exception { + final Configuration config = createInternalSslConfigWithKeyAndTrustStores(sslProvider); final String fingerprint = getCertificateFingerprint(config, "flink.test"); config.setString( @@ -432,13 +438,13 @@ public void testInvalidFingerprintParsing() throws Exception { SSLUtils.createInternalServerSSLEngineFactory(config); fail("expected exception"); } catch (IllegalArgumentException e) { - assertThat(e.getMessage(), containsString("malformed fingerprint")); + assertThat(e.getMessage()).contains("malformed fingerprint"); } } // ------------------------------- utils ---------------------------------- - private Configuration createRestSslConfigWithKeyStore() { + private Configuration createRestSslConfigWithKeyStore(String sslProvider) { final Configuration config = new Configuration(); config.setBoolean(SecurityOptions.SSL_REST_ENABLED, true); addSslProviderConfig(config, sslProvider); @@ -446,7 +452,7 @@ private Configuration createRestSslConfigWithKeyStore() { return config; } - private Configuration createRestSslConfigWithTrustStore() { + private Configuration createRestSslConfigWithTrustStore(String sslProvider) { final Configuration config = new Configuration(); config.setBoolean(SecurityOptions.SSL_REST_ENABLED, true); addSslProviderConfig(config, sslProvider); @@ -463,7 +469,7 @@ public static Configuration createRestSslConfigWithKeyAndTrustStores(String sslP return config; } - private Configuration createInternalSslConfigWithKeyStore() { + private Configuration createInternalSslConfigWithKeyStore(String sslProvider) { final Configuration config = new Configuration(); config.setBoolean(SecurityOptions.SSL_INTERNAL_ENABLED, true); addSslProviderConfig(config, sslProvider); @@ -471,7 +477,7 @@ private Configuration createInternalSslConfigWithKeyStore() { return config; } - private Configuration createInternalSslConfigWithTrustStore() { + private Configuration createInternalSslConfigWithTrustStore(String sslProvider) { final Configuration config = new Configuration(); config.setBoolean(SecurityOptions.SSL_INTERNAL_ENABLED, true); addSslProviderConfig(config, sslProvider); @@ -479,10 +485,6 @@ private Configuration createInternalSslConfigWithTrustStore() { return config; } - private Configuration createInternalSslConfigWithKeyAndTrustStores() { - return createInternalSslConfigWithKeyAndTrustStores(sslProvider); - } - public static Configuration createInternalSslConfigWithKeyAndTrustStores(String sslProvider) { final Configuration config = new Configuration(); config.setBoolean(SecurityOptions.SSL_INTERNAL_ENABLED, true); From 8ce5ceecce326e6dc777821a3f1dc332bb740cf5 Mon Sep 17 00:00:00 2001 From: Yuxin Tan Date: Wed, 15 Feb 2023 12:37:48 +0800 Subject: [PATCH 2/2] [FLINK-30983][runtime] Support configured ssl algorithms for external REST SSL --- .../apache/flink/runtime/net/SSLUtils.java | 2 + .../flink/runtime/net/SSLUtilsTest.java | 202 +++++++----------- 2 files changed, 76 insertions(+), 128 deletions(-) diff --git a/flink-runtime/src/main/java/org/apache/flink/runtime/net/SSLUtils.java b/flink-runtime/src/main/java/org/apache/flink/runtime/net/SSLUtils.java index 99614baa0828d..74000c58c949a 100644 --- a/flink-runtime/src/main/java/org/apache/flink/runtime/net/SSLUtils.java +++ b/flink-runtime/src/main/java/org/apache/flink/runtime/net/SSLUtils.java @@ -382,6 +382,7 @@ public static SslContext createRestNettySSLContext( } String[] sslProtocols = getEnabledProtocols(config); + List ciphers = Arrays.asList(getEnabledCipherSuites(config)); final SslContextBuilder sslContextBuilder; if (clientMode) { @@ -403,6 +404,7 @@ public static SslContext createRestNettySSLContext( return sslContextBuilder .sslProvider(provider) .protocols(sslProtocols) + .ciphers(ciphers) .clientAuth(clientAuth) .build(); } diff --git a/flink-runtime/src/test/java/org/apache/flink/runtime/net/SSLUtilsTest.java b/flink-runtime/src/test/java/org/apache/flink/runtime/net/SSLUtilsTest.java index 5c048c41fd193..2a71e4e965001 100644 --- a/flink-runtime/src/test/java/org/apache/flink/runtime/net/SSLUtilsTest.java +++ b/flink-runtime/src/test/java/org/apache/flink/runtime/net/SSLUtilsTest.java @@ -24,6 +24,8 @@ import org.apache.flink.runtime.io.network.netty.SSLHandlerFactory; import org.apache.flink.shaded.netty4.io.netty.buffer.UnpooledByteBufAllocator; +import org.apache.flink.shaded.netty4.io.netty.handler.ssl.ClientAuth; +import org.apache.flink.shaded.netty4.io.netty.handler.ssl.JdkSslContext; import org.apache.flink.shaded.netty4.io.netty.handler.ssl.OpenSsl; import org.apache.flink.shaded.netty4.io.netty.handler.ssl.SslHandler; @@ -47,9 +49,10 @@ import java.util.List; import java.util.Locale; +import static org.apache.flink.shaded.netty4.io.netty.handler.ssl.SslProvider.JDK; import static org.apache.flink.util.Preconditions.checkNotNull; import static org.assertj.core.api.Assertions.assertThat; -import static org.assertj.core.api.Assertions.fail; +import static org.assertj.core.api.Assertions.assertThatThrownBy; /** Tests for the {@link SSLUtils}. */ public class SSLUtilsTest { @@ -67,10 +70,7 @@ public class SSLUtilsTest { static { if (System.getProperty("flink.tests.with-openssl") != null) { - if (!OpenSsl.isAvailable()) { - fail( - "openSSL not available but required (property 'flink.tests.with-openssl' is set)"); - } + assertThat(OpenSsl.isAvailable()).isTrue(); AVAILABLE_SSL_PROVIDERS = Arrays.asList("JDK", "OPENSSL"); } else { AVAILABLE_SSL_PROVIDERS = Collections.singletonList("JDK"); @@ -82,20 +82,14 @@ private static List parameters() { } @Test - void testSocketFactoriesWhenSslDisabled() throws Exception { + void testSocketFactoriesWhenSslDisabled() { Configuration config = new Configuration(); - try { - SSLUtils.createSSLServerSocketFactory(config); - fail("exception expected"); - } catch (IllegalConfigurationException ignored) { - } + assertThatThrownBy(() -> SSLUtils.createSSLServerSocketFactory(config)) + .isInstanceOf(IllegalConfigurationException.class); - try { - SSLUtils.createSSLClientSocketFactory(config); - fail("exception expected"); - } catch (IllegalConfigurationException ignored) { - } + assertThatThrownBy(() -> SSLUtils.createSSLClientSocketFactory(config)) + .isInstanceOf(IllegalConfigurationException.class); } // ------------------------ REST client -------------------------- @@ -113,43 +107,34 @@ void testRESTClientSSL(String sslProvider) throws Exception { /** Tests that REST Client SSL Client is not created if SSL is not configured. */ @ParameterizedTest @MethodSource("parameters") - void testRESTClientSSLDisabled(String sslProvider) throws Exception { + void testRESTClientSSLDisabled(String sslProvider) { Configuration clientConfig = createRestSslConfigWithTrustStore(sslProvider); clientConfig.setBoolean(SecurityOptions.SSL_REST_ENABLED, false); - try { - SSLUtils.createRestClientSSLEngineFactory(clientConfig); - fail("exception expected"); - } catch (IllegalConfigurationException ignored) { - } + assertThatThrownBy(() -> SSLUtils.createRestClientSSLEngineFactory(clientConfig)) + .isInstanceOf(IllegalConfigurationException.class); } /** Tests that REST Client SSL creation fails with bad SSL configuration. */ @Test - void testRESTClientSSLMissingTrustStore() throws Exception { + void testRESTClientSSLMissingTrustStore() { Configuration config = new Configuration(); config.setBoolean(SecurityOptions.SSL_REST_ENABLED, true); config.setString(SecurityOptions.SSL_REST_TRUSTSTORE_PASSWORD, "some password"); - try { - SSLUtils.createRestClientSSLEngineFactory(config); - fail("exception expected"); - } catch (IllegalConfigurationException ignored) { - } + assertThatThrownBy(() -> SSLUtils.createRestClientSSLEngineFactory(config)) + .isInstanceOf(IllegalConfigurationException.class); } /** Tests that REST Client SSL creation fails with bad SSL configuration. */ @Test - void testRESTClientSSLMissingPassword() throws Exception { + void testRESTClientSSLMissingPassword() { Configuration config = new Configuration(); config.setBoolean(SecurityOptions.SSL_REST_ENABLED, true); config.setString(SecurityOptions.SSL_REST_TRUSTSTORE, TRUST_STORE_PATH); - try { - SSLUtils.createRestClientSSLEngineFactory(config); - fail("exception expected"); - } catch (IllegalConfigurationException ignored) { - } + assertThatThrownBy(() -> SSLUtils.createRestClientSSLEngineFactory(config)) + .isInstanceOf(IllegalConfigurationException.class); } /** Tests that REST Client SSL creation fails with bad SSL configuration. */ @@ -159,11 +144,23 @@ void testRESTClientSSLWrongPassword(String sslProvider) { Configuration clientConfig = createRestSslConfigWithTrustStore(sslProvider); clientConfig.setString(SecurityOptions.SSL_REST_TRUSTSTORE_PASSWORD, "badpassword"); - try { - SSLUtils.createRestClientSSLEngineFactory(clientConfig); - fail("exception expected"); - } catch (Exception ignored) { - } + assertThatThrownBy(() -> SSLUtils.createRestClientSSLEngineFactory(clientConfig)) + .isInstanceOf(Exception.class); + } + + @ParameterizedTest + @MethodSource("parameters") + public void testRESTSSLConfigCipherAlgorithms(String sslProvider) throws Exception { + String testSSLAlgorithms = "test_algorithm1,test_algorithm2"; + Configuration config = createRestSslConfigWithTrustStore(sslProvider); + config.setBoolean(SecurityOptions.SSL_REST_ENABLED, true); + config.setString(SecurityOptions.SSL_ALGORITHMS.key(), testSSLAlgorithms); + JdkSslContext nettySSLContext = + (JdkSslContext) + SSLUtils.createRestNettySSLContext(config, true, ClientAuth.NONE, JDK); + List cipherSuites = checkNotNull(nettySSLContext).cipherSuites(); + assertThat(cipherSuites).hasSize(2); + assertThat(cipherSuites).containsExactlyInAnyOrder(testSSLAlgorithms.split(",")); } // ------------------------ server -------------------------- @@ -181,15 +178,12 @@ void testRESTServerSSL(String sslProvider) throws Exception { /** Tests that REST Server SSL Engine is not created if SSL is disabled. */ @ParameterizedTest @MethodSource("parameters") - void testRESTServerSSLDisabled(String sslProvider) throws Exception { + void testRESTServerSSLDisabled(String sslProvider) { Configuration serverConfig = createRestSslConfigWithKeyStore(sslProvider); serverConfig.setBoolean(SecurityOptions.SSL_REST_ENABLED, false); - try { - SSLUtils.createRestServerSSLEngineFactory(serverConfig); - fail("exception expected"); - } catch (IllegalConfigurationException ignored) { - } + assertThatThrownBy(() -> SSLUtils.createRestServerSSLEngineFactory(serverConfig)) + .isInstanceOf(IllegalConfigurationException.class); } /** Tests that REST Server SSL Engine creation fails with bad SSL configuration. */ @@ -199,11 +193,8 @@ void testRESTServerSSLBadKeystorePassword(String sslProvider) { Configuration serverConfig = createRestSslConfigWithKeyStore(sslProvider); serverConfig.setString(SecurityOptions.SSL_REST_KEYSTORE_PASSWORD, "badpassword"); - try { - SSLUtils.createRestServerSSLEngineFactory(serverConfig); - fail("exception expected"); - } catch (Exception ignored) { - } + assertThatThrownBy(() -> SSLUtils.createRestServerSSLEngineFactory(serverConfig)) + .isInstanceOf(Exception.class); } /** Tests that REST Server SSL Engine creation fails with bad SSL configuration. */ @@ -213,11 +204,8 @@ void testRESTServerSSLBadKeyPassword(String sslProvider) { Configuration serverConfig = createRestSslConfigWithKeyStore(sslProvider); serverConfig.setString(SecurityOptions.SSL_REST_KEY_PASSWORD, "badpassword"); - try { - SSLUtils.createRestServerSSLEngineFactory(serverConfig); - fail("exception expected"); - } catch (Exception ignored) { - } + assertThatThrownBy(() -> SSLUtils.createRestServerSSLEngineFactory(serverConfig)) + .isInstanceOf(Exception.class); } // ----------------------- mutual auth contexts -------------------------- @@ -248,17 +236,11 @@ void testInternalSSLDisables(String sslProvider) { final Configuration config = createInternalSslConfigWithKeyAndTrustStores(sslProvider); config.setBoolean(SecurityOptions.SSL_INTERNAL_ENABLED, false); - try { - SSLUtils.createInternalServerSSLEngineFactory(config); - fail("exception expected"); - } catch (Exception ignored) { - } + assertThatThrownBy(() -> SSLUtils.createInternalServerSSLEngineFactory(config)) + .isInstanceOf(Exception.class); - try { - SSLUtils.createInternalClientSSLEngineFactory(config); - fail("exception expected"); - } catch (Exception ignored) { - } + assertThatThrownBy(() -> SSLUtils.createInternalClientSSLEngineFactory(config)) + .isInstanceOf(Exception.class); } @ParameterizedTest @@ -266,17 +248,11 @@ void testInternalSSLDisables(String sslProvider) { void testInternalSSLKeyStoreOnly(String sslProvider) { final Configuration config = createInternalSslConfigWithKeyStore(sslProvider); - try { - SSLUtils.createInternalServerSSLEngineFactory(config); - fail("exception expected"); - } catch (Exception ignored) { - } + assertThatThrownBy(() -> SSLUtils.createInternalServerSSLEngineFactory(config)) + .isInstanceOf(Exception.class); - try { - SSLUtils.createInternalClientSSLEngineFactory(config); - fail("exception expected"); - } catch (Exception ignored) { - } + assertThatThrownBy(() -> SSLUtils.createInternalClientSSLEngineFactory(config)) + .isInstanceOf(Exception.class); } @ParameterizedTest @@ -284,17 +260,11 @@ void testInternalSSLKeyStoreOnly(String sslProvider) { void testInternalSSLTrustStoreOnly(String sslProvider) { final Configuration config = createInternalSslConfigWithTrustStore(sslProvider); - try { - SSLUtils.createInternalServerSSLEngineFactory(config); - fail("exception expected"); - } catch (Exception ignored) { - } + assertThatThrownBy(() -> SSLUtils.createInternalServerSSLEngineFactory(config)) + .isInstanceOf(Exception.class); - try { - SSLUtils.createInternalClientSSLEngineFactory(config); - fail("exception expected"); - } catch (Exception ignored) { - } + assertThatThrownBy(() -> SSLUtils.createInternalClientSSLEngineFactory(config)) + .isInstanceOf(Exception.class); } @ParameterizedTest @@ -303,17 +273,11 @@ void testInternalSSLWrongKeystorePassword(String sslProvider) { final Configuration config = createInternalSslConfigWithKeyAndTrustStores(sslProvider); config.setString(SecurityOptions.SSL_INTERNAL_KEYSTORE_PASSWORD, "badpw"); - try { - SSLUtils.createInternalServerSSLEngineFactory(config); - fail("exception expected"); - } catch (Exception ignored) { - } + assertThatThrownBy(() -> SSLUtils.createInternalServerSSLEngineFactory(config)) + .isInstanceOf(Exception.class); - try { - SSLUtils.createInternalClientSSLEngineFactory(config); - fail("exception expected"); - } catch (Exception ignored) { - } + assertThatThrownBy(() -> SSLUtils.createInternalClientSSLEngineFactory(config)) + .isInstanceOf(Exception.class); } @ParameterizedTest @@ -322,17 +286,11 @@ void testInternalSSLWrongTruststorePassword(String sslProvider) { final Configuration config = createInternalSslConfigWithKeyAndTrustStores(sslProvider); config.setString(SecurityOptions.SSL_INTERNAL_TRUSTSTORE_PASSWORD, "badpw"); - try { - SSLUtils.createInternalServerSSLEngineFactory(config); - fail("exception expected"); - } catch (Exception ignored) { - } + assertThatThrownBy(() -> SSLUtils.createInternalServerSSLEngineFactory(config)) + .isInstanceOf(Exception.class); - try { - SSLUtils.createInternalClientSSLEngineFactory(config); - fail("exception expected"); - } catch (Exception ignored) { - } + assertThatThrownBy(() -> SSLUtils.createInternalClientSSLEngineFactory(config)) + .isInstanceOf(Exception.class); } @ParameterizedTest @@ -341,17 +299,11 @@ void testInternalSSLWrongKeyPassword(String sslProvider) { final Configuration config = createInternalSslConfigWithKeyAndTrustStores(sslProvider); config.setString(SecurityOptions.SSL_INTERNAL_KEY_PASSWORD, "badpw"); - try { - SSLUtils.createInternalServerSSLEngineFactory(config); - fail("exception expected"); - } catch (Exception ignored) { - } + assertThatThrownBy(() -> SSLUtils.createInternalServerSSLEngineFactory(config)) + .isInstanceOf(Exception.class); - try { - SSLUtils.createInternalClientSSLEngineFactory(config); - fail("exception expected"); - } catch (Exception ignored) { - } + assertThatThrownBy(() -> SSLUtils.createInternalClientSSLEngineFactory(config)) + .isInstanceOf(Exception.class); } // -------------------- protocols and cipher suites ----------------------- @@ -370,15 +322,15 @@ void testSetSSLVersionAndCipherSuitesForSSLServerSocket(String sslProvider) thro try (ServerSocket socket = SSLUtils.createSSLServerSocketFactory(serverConfig).createServerSocket(0)) { - assertThat(socket instanceof SSLServerSocket).isTrue(); + assertThat(socket).isInstanceOf(SSLServerSocket.class); final SSLServerSocket sslSocket = (SSLServerSocket) socket; String[] protocols = sslSocket.getEnabledProtocols(); String[] algorithms = sslSocket.getEnabledCipherSuites(); - assertThat(protocols.length).isEqualTo(1); + assertThat(protocols).hasSize(1); assertThat(protocols[0]).isEqualTo("TLSv1.1"); - assertThat(algorithms.length).isEqualTo(2); + assertThat(algorithms).hasSize(2); assertThat(algorithms) .contains("TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA256"); } @@ -415,12 +367,10 @@ void testCreateSSLEngineFactory(String sslProvider) throws Exception { final SslHandler sslHandler = serverSSLHandlerFactory.createNettySSLHandler(UnpooledByteBufAllocator.DEFAULT); - assertThat(sslHandler.engine().getEnabledProtocols().length) - .isEqualTo(expectedSslProtocols.length); + assertThat(sslHandler.engine().getEnabledProtocols()).hasSameSizeAs(expectedSslProtocols); assertThat(sslHandler.engine().getEnabledProtocols()).contains(expectedSslProtocols); - assertThat(sslHandler.engine().getEnabledCipherSuites().length) - .isEqualTo(sslAlgorithms.length); + assertThat(sslHandler.engine().getEnabledCipherSuites()).hasSameSizeAs(sslAlgorithms); assertThat(sslHandler.engine().getEnabledCipherSuites()).contains(sslAlgorithms); } @@ -434,12 +384,8 @@ void testInvalidFingerprintParsing(String sslProvider) throws Exception { SecurityOptions.SSL_INTERNAL_CERT_FINGERPRINT, fingerprint.substring(0, fingerprint.length() - 3)); - try { - SSLUtils.createInternalServerSSLEngineFactory(config); - fail("expected exception"); - } catch (IllegalArgumentException e) { - assertThat(e.getMessage()).contains("malformed fingerprint"); - } + assertThatThrownBy(() -> SSLUtils.createInternalServerSSLEngineFactory(config)) + .isInstanceOf(IllegalArgumentException.class); } // ------------------------------- utils ----------------------------------