GEODE-8144: endpoint identification in servers is not working (apache…

…#5131) * GEODE-8144: endpoint identification in servers is not working Set the SNI server-name field in SSL parameters for p2p communications, allowing endpoint identification to work properly. I modified one of the SNI haproxy tests to have keystores with the proper subject-alternative-names for p2p communications in the docker containers and for client/server off-platform communications. I used Sai's keystore/truststore construction CertificateMaterial/CertStores classes to generate the stores... .sanDnsName("geode") // for inside the docker container .sanDnsName("localhost") // for inside the docker container .sanIpAddress(InetAddress.getByName("0.0.0.0")) // for inside the docker container .sanDnsName(certName) // for client endpoint validation (locator-maeve for instance) * modified SocketCreator to look for a hostname if one is not present and endpoint verification is enabled This fixes some problems when running in docker containers * removed test shell script * sanction used of getCanonicalHostName() in SocketCreator
shjgiser · May 26, 2020 · b22df8c · b22df8c
1 parent e432855
commit b22df8c
Show file tree

Hide file tree

Showing 13 changed files with 41 additions and 16 deletions.
diff --git a/...mbly/src/acceptanceTest/java/org/apache/geode/client/sni/DualServerSNIAcceptanceTest.java b/...mbly/src/acceptanceTest/java/org/apache/geode/client/sni/DualServerSNIAcceptanceTest.java
@@ -26,7 +26,6 @@
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
 
-import java.io.IOException;
 import java.net.URL;
 import java.util.Properties;
 
@@ -74,7 +73,7 @@ public class DualServerSNIAcceptanceTest {
   private ClientCache cache;
 
   @BeforeClass
-  public static void beforeClass() throws IOException, InterruptedException {
+  public static void beforeClass() throws Exception {
     docker.get().exec(options("-T"), "geode",
         arguments("gfsh", "run", "--file=/geode/scripts/geode-starter-2.gfsh"));
 

diff --git a/geode-assembly/src/acceptanceTest/resources/org/apache/geode/client/sni/docker-compose.yml b/geode-assembly/src/acceptanceTest/resources/org/apache/geode/client/sni/docker-compose.yml
@@ -19,6 +19,7 @@ services:
   geode:
     container_name: 'geode'
     image: 'geode:develop'
+    hostname: geode
     expose:
       - '10334'
       - '40404'

diff --git a/.../src/acceptanceTest/resources/org/apache/geode/client/sni/geode-config/gemfire.properties b/.../src/acceptanceTest/resources/org/apache/geode/client/sni/geode-config/gemfire.properties
@@ -17,3 +17,4 @@
 
 statistic-sampling-enabled=true
 statistic-archive-file=statArchive.gfs
+
diff --git a/...c/acceptanceTest/resources/org/apache/geode/client/sni/geode-config/gfsecurity.properties b/...c/acceptanceTest/resources/org/apache/geode/client/sni/geode-config/gfsecurity.properties
@@ -23,5 +23,5 @@ ssl-truststore-password=geode
 ssl-require-authentication=false
 ssl-web-require-authentication=false
 ssl-enabled-components=all
-ssl-endpoint-identification-enabled=false
+ssl-endpoint-identification-enabled=true
 
diff --git a/...eptanceTest/resources/org/apache/geode/client/sni/geode-config/locator-maeve-keystore.jks b/...eptanceTest/resources/org/apache/geode/client/sni/geode-config/locator-maeve-keystore.jks
diff --git a/...nceTest/resources/org/apache/geode/client/sni/geode-config/server-clementine-keystore.jks b/...nceTest/resources/org/apache/geode/client/sni/geode-config/server-clementine-keystore.jks
diff --git a/...ptanceTest/resources/org/apache/geode/client/sni/geode-config/server-dolores-keystore.jks b/...ptanceTest/resources/org/apache/geode/client/sni/geode-config/server-dolores-keystore.jks
diff --git a/...mbly/src/acceptanceTest/resources/org/apache/geode/client/sni/geode-config/truststore.jks b/...mbly/src/acceptanceTest/resources/org/apache/geode/client/sni/geode-config/truststore.jks
diff --git a/...bly/src/acceptanceTest/resources/org/apache/geode/client/sni/scripts/geode-starter-2.gfsh b/...bly/src/acceptanceTest/resources/org/apache/geode/client/sni/scripts/geode-starter-2.gfsh
@@ -15,9 +15,9 @@
 # limitations under the License.
 #
 
-start locator --name=locator-maeve --hostname-for-clients=locator-maeve --properties-file=/geode/config/gemfire.properties --security-properties-file=/geode/config/gfsecurity.properties --J=-Dgemfire.ssl-keystore=/geode/config/locator-maeve-keystore.jks
-start server --name=server-dolores --group=group-dolores --hostname-for-clients=server-dolores --locators=localhost[10334] --properties-file=/geode/config/gemfire.properties --security-properties-file=/geode/config/gfsecurity.properties --J=-Dgemfire.ssl-keystore=/geode/config/server-dolores-keystore.jks
-start server --name=server-clementine --group=group-clementine --hostname-for-clients=server-clementine --server-port=40405 --locators=localhost[10334] --properties-file=/geode/config/gemfire.properties --security-properties-file=/geode/config/gfsecurity.properties --J=-Dgemfire.ssl-keystore=/geode/config/server-clementine-keystore.jks
-connect --locator=localhost[10334] --use-ssl=true --security-properties-file=/geode/config/gfsecurity.properties
+start locator --name=locator-maeve --connect=false --redirect-output --hostname-for-clients=locator-maeve --properties-file=/geode/config/gemfire.properties --security-properties-file=/geode/config/gfsecurity.properties --J=-Dgemfire.ssl-keystore=/geode/config/locator-maeve-keystore.jks
+start server --name=server-dolores --group=group-dolores --hostname-for-clients=server-dolores --locators=geode[10334] --properties-file=/geode/config/gemfire.properties --security-properties-file=/geode/config/gfsecurity.properties --J=-Dgemfire.ssl-keystore=/geode/config/server-dolores-keystore.jks
+start server --name=server-clementine --group=group-clementine --hostname-for-clients=server-clementine --server-port=40405 --locators=geode[10334] --properties-file=/geode/config/gemfire.properties --security-properties-file=/geode/config/gfsecurity.properties --J=-Dgemfire.ssl-keystore=/geode/config/server-clementine-keystore.jks
+connect --locator=geode[10334] --use-ssl=true --security-properties-file=/geode/config/gfsecurity.properties
 create region --name=region-dolores --group=group-dolores --type=REPLICATE
 create region --name=region-clementine --group=group-clementine --type=REPLICATE
diff --git a/...embly/src/acceptanceTest/resources/org/apache/geode/client/sni/scripts/geode-starter.gfsh b/...embly/src/acceptanceTest/resources/org/apache/geode/client/sni/scripts/geode-starter.gfsh
@@ -15,8 +15,8 @@
 # limitations under the License.
 #
 
-start locator --name=locator-maeve --hostname-for-clients=locator-maeve --properties-file=/geode/config/gemfire.properties --security-properties-file=/geode/config/gfsecurity.properties --J=-Dgemfire.ssl-keystore=/geode/config/locator-maeve-keystore.jks
-start server --name=server-dolores --max-heap=256m --hostname-for-clients=server-dolores --locators=localhost[10334] --properties-file=/geode/config/gemfire.properties --security-properties-file=/geode/config/gfsecurity.properties --J=-Dgemfire.ssl-keystore=/geode/config/server-dolores-keystore.jks
-connect --locator=localhost[10334] --use-ssl=true --security-properties-file=/geode/config/gfsecurity.properties
+start locator --name=locator-maeve --connect=false --hostname-for-clients=locator-maeve --properties-file=/geode/config/gemfire.properties --security-properties-file=/geode/config/gfsecurity.properties --J=-Dgemfire.ssl-keystore=/geode/config/locator-maeve-keystore.jks
+start server --name=server-dolores --max-heap=256m --hostname-for-clients=server-dolores --locators=geode[10334] --properties-file=/geode/config/gemfire.properties --security-properties-file=/geode/config/gfsecurity.properties --J=-Dgemfire.ssl-keystore=/geode/config/server-dolores-keystore.jks
+connect --locator=geode[10334] --use-ssl=true --security-properties-file=/geode/config/gfsecurity.properties
 create region --name=jellyfish --type=REPLICATE
 
diff --git a/...integrationTest/java/org/apache/geode/codeAnalysis/RestrictUseOfInetAddressJUnitTest.java b/...integrationTest/java/org/apache/geode/codeAnalysis/RestrictUseOfInetAddressJUnitTest.java
@@ -203,6 +203,7 @@ private HashSet<String> getSanctionedReferencersOfInetAddress() {
         // server-side locator parsing
         "org/apache/geode/internal/admin/remote/DistributionLocatorId",
         // sanctioned comms class used by every communications component
+        "org/apache/geode/internal/net/SocketCreator",
         "org/apache/geode/internal/net/SCAdvancedSocketCreator",
         // new management API
         "org/apache/geode/management/internal/JmxManagerLocatorResponse",

diff --git a/geode-core/src/main/java/org/apache/geode/distributed/internal/InternalLocator.java b/geode-core/src/main/java/org/apache/geode/distributed/internal/InternalLocator.java
@@ -701,7 +701,7 @@ private void startDistributedSystem() throws IOException {
       if (bindAddress != null) {
         sb.append(bindAddress.getHostAddress());
       } else {
-        sb.append(LocalHostUtil.getLocalHost().getHostAddress());
+        sb.append(LocalHostUtil.getLocalHost().getCanonicalHostName());
       }
       sb.append('[').append(getPort()).append(']');
       String thisLocator = sb.toString();

diff --git a/geode-core/src/main/java/org/apache/geode/internal/net/SocketCreator.java b/geode-core/src/main/java/org/apache/geode/internal/net/SocketCreator.java
@@ -62,6 +62,7 @@
 import javax.net.ssl.X509ExtendedKeyManager;
 
 import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.validator.routines.InetAddressValidator;
 import org.apache.logging.log4j.Logger;
 
 import org.apache.geode.GemFireConfigException;
@@ -544,7 +545,13 @@ protected boolean useSSL() {
    * Returns an SSLEngine that can be used to perform TLS handshakes and communication
    */
   public SSLEngine createSSLEngine(String hostName, int port) {
-    return getSslContext().createSSLEngine(hostName, port);
+    SSLEngine engine = getSslContext().createSSLEngine(hostName, port);
+    SSLParameters parameters = engine.getSSLParameters();
+    // set server-names so that endpoint identification algorithms can find what's expected
+    if (setServerNames(parameters, new HostAndPort(hostName, port))) {
+      engine.setSSLParameters(parameters);
+    }
+    return engine;
   }
 
   /**
@@ -709,7 +716,7 @@ public ServerSocket createServerSocket(int nport, int backlog, InetAddress bindA
 
 
   /**
-   * When a socket is accepted from a server socket, it should be passed to this method for SSL
+   * When a socket is connected to a server socket, it should be passed to this method for SSL
    * configuration.
    */
   void configureClientSSLSocket(Socket socket, HostAndPort addr, int timeout) throws IOException {
@@ -770,7 +777,10 @@ void configureClientSSLSocket(Socket socket, HostAndPort addr, int timeout) thro
     }
   }
 
-  private void setServerNames(SSLParameters modifiedParams, HostAndPort addr) {
+  /**
+   * returns true if the SSLParameters are altered, false if not
+   */
+  private boolean setServerNames(SSLParameters modifiedParams, HostAndPort addr) {
     List<SNIServerName> oldNames = modifiedParams.getServerNames();
     oldNames = oldNames == null ? Collections.emptyList() : oldNames;
     final List<SNIServerName> serverNames = new ArrayList<>(oldNames);
@@ -779,11 +789,24 @@ private void setServerNames(SSLParameters modifiedParams, HostAndPort addr) {
         .mapToInt(SNIServerName::getType)
         .anyMatch(type -> type == StandardConstants.SNI_HOST_NAME)) {
       // we already have a SNI hostname set. Do nothing.
-      return;
+      return false;
     }
 
-    serverNames.add(new SNIHostName(addr.getHostName()));
+    String hostName = addr.getHostName();
+    if (this.sslConfig.doEndpointIdentification()
+        && InetAddressValidator.getInstance().isValid(hostName)) {
+      // endpoint validation typically uses a hostname in the sniServer parameter that the handshake
+      // will compare against the subject alternative addresses in the server's certificate. Here
+      // we attempt to get a hostname instead of the proffered numeric address
+      try {
+        hostName = InetAddress.getByName(hostName).getCanonicalHostName();
+      } catch (UnknownHostException e) {
+        // ignore - we'll see what happens with endpoint validation using a numeric address...
+      }
+    }
+    serverNames.add(new SNIHostName(hostName));
     modifiedParams.setServerNames(serverNames);
+    return true;
   }
 
   /**
-Original file line number
+Diff line change
@@ Expand Up / @@ -19,6 +19,7 @@ services: @@
       geode:
         container_name: 'geode'
         image: 'geode:develop'
+        hostname: geode
         expose:
           - '10334'
           - '40404'
@@ Expand Down @@
Original file line number	Diff line number	Diff line change
Expand Up		@@ -17,3 +17,4 @@

		statistic-sampling-enabled=true
		statistic-archive-file=statArchive.gfs