add the ability to lookup by hostname, if exists. add tests. remove todo

Author: bbeaudreault

hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/tls/HBaseHostnameVerifier.java

@@ -58,7 +58,7 @@
 @InterfaceAudience.Private
 final class HBaseHostnameVerifier implements HostnameVerifier {
 
-  private final Logger LOG = LoggerFactory.getLogger(HBaseHostnameVerifier.class);
+  private static final Logger LOG = LoggerFactory.getLogger(HBaseHostnameVerifier.class);
 
   /**
    * Note: copied from Apache httpclient with some minor modifications. We want host verification,
@@ -269,9 +269,11 @@ private static List<SubjectName> getSubjectAltNames(final X509Certificate cert)
         if (type != null) {
           if (type == SubjectName.DNS || type == SubjectName.IP) {
             final Object o = entry.get(1);
-            // TODO ASN.1 DER encoded form when instanceof byte[]
             if (o instanceof String) {
               result.add(new SubjectName((String) o, type));
+            } else {
+              LOG.debug("non-string Subject Alt Name type detected, not currently supported: {}",
+                o);
             }
           }
         }

hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/tls/HBaseTrustManager.java

@@ -142,17 +142,31 @@ private void performHostVerification(InetAddress inetAddress, X509Certificate ce
       hostAddress = inetAddress.getHostAddress();
       hostnameVerifier.verify(hostAddress, certificate);
     } catch (SSLException addressVerificationException) {
-      if (!allowReverseDnsLookup) {
+      // If we fail with hostAddress, we should try the hostname.
+      // The inetAddress may have been created with a hostname, in which case getHostName() will
+      // return quickly below. If not, a reverse lookup will happen, which can be expensive.
+      // We provide the option to skip the reverse lookup if preferring to fail fast.
+
+      // Handle logging here to aid debugging. The easiest way to check for an existing
+      // hostname is through toString, see javadoc.
+      String inetAddressString = inetAddress.toString();
+      if (!inetAddressString.startsWith("/")) {
+        LOG.debug(
+          "Failed to verify host address: {}, but inetAddress {} has a hostname, trying that",
+          hostAddress, inetAddressString, addressVerificationException);
+      } else if (allowReverseDnsLookup) {
+        LOG.debug(
+          "Failed to verify host address: {}, attempting to verify host name with reverse dns",
+          hostAddress, addressVerificationException);
+      } else {
         LOG.debug("Failed to verify host address: {}, but reverse dns lookup is disabled",
           hostAddress, addressVerificationException);
-        throw new CertificateException("Failed to verify host address",
+        throw new CertificateException(
+          "Failed to verify host address, and reverse lookup is disabled",
           addressVerificationException);
       }
 
       try {
-        LOG.debug(
-          "Failed to verify host address: {} attempting to verify host name with reverse dns",
-          hostAddress, addressVerificationException);
         hostName = inetAddress.getHostName();
         hostnameVerifier.verify(hostName, certificate);
       } catch (SSLException hostnameVerificationException) {

hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/tls/TestHBaseTrustManager.java

@@ -59,7 +59,6 @@
 import org.junit.ClassRule;
 import org.junit.Test;
 import org.junit.experimental.categories.Category;
-import org.mockito.invocation.InvocationOnMock;
 import org.mockito.stubbing.Answer;
 
 //
@@ -83,8 +82,10 @@ public class TestHBaseTrustManager {
   private static final String IP_ADDRESS = "127.0.0.1";
   private static final String HOSTNAME = "localhost";
 
-  private InetAddress mockInetAddress;
-  private Socket mockSocket;
+  private InetAddress mockInetAddressWithoutHostname;
+  private InetAddress mockInetAddressWithHostname;
+  private Socket mockSocketWithoutHostname;
+  private Socket mockSocketWithHostname;
 
   @BeforeClass
   public static void createKeyPair() throws Exception {
@@ -104,28 +105,27 @@ public static void removeBouncyCastleProvider() throws Exception {
   public void setup() throws Exception {
     mockX509ExtendedTrustManager = mock(X509ExtendedTrustManager.class);
 
-    mockInetAddress = mock(InetAddress.class);
-    when(mockInetAddress.getHostAddress()).thenAnswer(new Answer() {
-      @Override
-      public Object answer(InvocationOnMock invocationOnMock) throws Throwable {
-        return IP_ADDRESS;
-      }
-    });
-
-    when(mockInetAddress.getHostName()).thenAnswer(new Answer() {
-      @Override
-      public Object answer(InvocationOnMock invocationOnMock) throws Throwable {
-        return HOSTNAME;
-      }
-    });
-
-    mockSocket = mock(Socket.class);
-    when(mockSocket.getInetAddress()).thenAnswer(new Answer() {
-      @Override
-      public Object answer(InvocationOnMock invocationOnMock) throws Throwable {
-        return mockInetAddress;
-      }
-    });
+    mockInetAddressWithoutHostname = mock(InetAddress.class);
+    when(mockInetAddressWithoutHostname.getHostAddress())
+      .thenAnswer((Answer<?>) invocationOnMock -> IP_ADDRESS);
+    when(mockInetAddressWithoutHostname.toString())
+      .thenAnswer((Answer<?>) invocationOnMock -> "/" + IP_ADDRESS);
+
+    mockInetAddressWithHostname = mock(InetAddress.class);
+    when(mockInetAddressWithHostname.getHostAddress())
+      .thenAnswer((Answer<?>) invocationOnMock -> IP_ADDRESS);
+    when(mockInetAddressWithHostname.getHostName())
+      .thenAnswer((Answer<?>) invocationOnMock -> HOSTNAME);
+    when(mockInetAddressWithHostname.toString())
+      .thenAnswer((Answer<?>) invocationOnMock -> HOSTNAME + "/" + IP_ADDRESS);
+
+    mockSocketWithoutHostname = mock(Socket.class);
+    when(mockSocketWithoutHostname.getInetAddress())
+      .thenAnswer((Answer<?>) invocationOnMock -> mockInetAddressWithoutHostname);
+
+    mockSocketWithHostname = mock(Socket.class);
+    when(mockSocketWithHostname.getInetAddress())
+      .thenAnswer((Answer<?>) invocationOnMock -> mockInetAddressWithHostname);
   }
 
   @SuppressWarnings("JavaUtilDate")
@@ -173,13 +173,13 @@ public void testServerHostnameVerificationWithHostnameVerificationDisabled() thr
       new HBaseTrustManager(mockX509ExtendedTrustManager, false, false);
 
     X509Certificate[] certificateChain = createSelfSignedCertificateChain(IP_ADDRESS, HOSTNAME);
-    trustManager.checkServerTrusted(certificateChain, null, mockSocket);
+    trustManager.checkServerTrusted(certificateChain, null, mockSocketWithHostname);
 
-    verify(mockInetAddress, times(0)).getHostAddress();
-    verify(mockInetAddress, times(0)).getHostName();
+    verify(mockInetAddressWithHostname, times(0)).getHostAddress();
+    verify(mockInetAddressWithHostname, times(0)).getHostName();
 
     verify(mockX509ExtendedTrustManager, times(1)).checkServerTrusted(certificateChain, null,
-      mockSocket);
+      mockSocketWithHostname);
   }
 
   @SuppressWarnings("checkstyle:linelength")
@@ -189,13 +189,13 @@ public void testServerTrustedWithHostnameVerificationDisabled() throws Exception
       new HBaseTrustManager(mockX509ExtendedTrustManager, false, false);
 
     X509Certificate[] certificateChain = createSelfSignedCertificateChain(IP_ADDRESS, HOSTNAME);
-    trustManager.checkServerTrusted(certificateChain, null, mockSocket);
+    trustManager.checkServerTrusted(certificateChain, null, mockSocketWithHostname);
 
-    verify(mockInetAddress, times(0)).getHostAddress();
-    verify(mockInetAddress, times(0)).getHostName();
+    verify(mockInetAddressWithHostname, times(0)).getHostAddress();
+    verify(mockInetAddressWithHostname, times(0)).getHostName();
 
     verify(mockX509ExtendedTrustManager, times(1)).checkServerTrusted(certificateChain, null,
-      mockSocket);
+      mockSocketWithHostname);
   }
 
   @Test
@@ -204,13 +204,13 @@ public void testServerTrustedWithHostnameVerificationEnabled() throws Exception
       new HBaseTrustManager(mockX509ExtendedTrustManager, true, true);
 
     X509Certificate[] certificateChain = createSelfSignedCertificateChain(null, HOSTNAME);
-    trustManager.checkServerTrusted(certificateChain, null, mockSocket);
+    trustManager.checkServerTrusted(certificateChain, null, mockSocketWithHostname);
 
-    verify(mockInetAddress, times(1)).getHostAddress();
-    verify(mockInetAddress, times(1)).getHostName();
+    verify(mockInetAddressWithHostname, times(1)).getHostAddress();
+    verify(mockInetAddressWithHostname, times(1)).getHostName();
 
     verify(mockX509ExtendedTrustManager, times(1)).checkServerTrusted(certificateChain, null,
-      mockSocket);
+      mockSocketWithHostname);
   }
 
   @Test
@@ -219,13 +219,13 @@ public void testServerTrustedWithHostnameVerificationEnabledUsingIpAddress() thr
       new HBaseTrustManager(mockX509ExtendedTrustManager, true, true);
 
     X509Certificate[] certificateChain = createSelfSignedCertificateChain(IP_ADDRESS, null);
-    trustManager.checkServerTrusted(certificateChain, null, mockSocket);
+    trustManager.checkServerTrusted(certificateChain, null, mockSocketWithHostname);
 
-    verify(mockInetAddress, times(1)).getHostAddress();
-    verify(mockInetAddress, times(0)).getHostName();
+    verify(mockInetAddressWithHostname, times(1)).getHostAddress();
+    verify(mockInetAddressWithHostname, times(0)).getHostName();
 
     verify(mockX509ExtendedTrustManager, times(1)).checkServerTrusted(certificateChain, null,
-      mockSocket);
+      mockSocketWithHostname);
   }
 
   @Test
@@ -239,13 +239,32 @@ public void testServerTrustedWithHostnameVerificationEnabledNoReverseLookup() th
     // This mismatch would succeed if reverse lookup is enabled, but here fails since it's
     // not enabled.
     assertThrows(CertificateException.class,
-      () -> trustManager.checkServerTrusted(certificateChain, null, mockSocket));
+      () -> trustManager.checkServerTrusted(certificateChain, null, mockSocketWithoutHostname));
 
-    verify(mockInetAddress, times(1)).getHostAddress();
-    verify(mockInetAddress, times(0)).getHostName();
+    verify(mockInetAddressWithoutHostname, times(1)).getHostAddress();
+    verify(mockInetAddressWithoutHostname, times(0)).getHostName();
 
     verify(mockX509ExtendedTrustManager, times(1)).checkServerTrusted(certificateChain, null,
-      mockSocket);
+      mockSocketWithoutHostname);
+  }
+
+  @Test
+  public void testServerTrustedWithHostnameVerificationEnabledWithHostnameNoReverseLookup()
+    throws Exception {
+    HBaseTrustManager trustManager =
+      new HBaseTrustManager(mockX509ExtendedTrustManager, true, false);
+
+    X509Certificate[] certificateChain = createSelfSignedCertificateChain(null, HOSTNAME);
+
+    // since the socket inetAddress already has a hostname, we don't need reverse lookup.
+    // so this succeeds
+    trustManager.checkServerTrusted(certificateChain, null, mockSocketWithHostname);
+
+    verify(mockInetAddressWithHostname, times(1)).getHostAddress();
+    verify(mockInetAddressWithHostname, times(1)).getHostName();
+
+    verify(mockX509ExtendedTrustManager, times(1)).checkServerTrusted(certificateChain, null,
+      mockSocketWithHostname);
   }
 
   @Test
@@ -254,13 +273,13 @@ public void testClientTrustedWithHostnameVerificationDisabled() throws Exception
       new HBaseTrustManager(mockX509ExtendedTrustManager, false, false);
 
     X509Certificate[] certificateChain = createSelfSignedCertificateChain(null, HOSTNAME);
-    trustManager.checkClientTrusted(certificateChain, null, mockSocket);
+    trustManager.checkClientTrusted(certificateChain, null, mockSocketWithHostname);
 
-    verify(mockInetAddress, times(0)).getHostAddress();
-    verify(mockInetAddress, times(0)).getHostName();
+    verify(mockInetAddressWithHostname, times(0)).getHostAddress();
+    verify(mockInetAddressWithHostname, times(0)).getHostName();
 
     verify(mockX509ExtendedTrustManager, times(1)).checkClientTrusted(certificateChain, null,
-      mockSocket);
+      mockSocketWithHostname);
   }
 
   @Test
@@ -269,13 +288,13 @@ public void testClientTrustedWithHostnameVerificationEnabled() throws Exception
       new HBaseTrustManager(mockX509ExtendedTrustManager, true, true);
 
     X509Certificate[] certificateChain = createSelfSignedCertificateChain(null, HOSTNAME);
-    trustManager.checkClientTrusted(certificateChain, null, mockSocket);
+    trustManager.checkClientTrusted(certificateChain, null, mockSocketWithHostname);
 
-    verify(mockInetAddress, times(1)).getHostAddress();
-    verify(mockInetAddress, times(1)).getHostName();
+    verify(mockInetAddressWithHostname, times(1)).getHostAddress();
+    verify(mockInetAddressWithHostname, times(1)).getHostName();
 
     verify(mockX509ExtendedTrustManager, times(1)).checkClientTrusted(certificateChain, null,
-      mockSocket);
+      mockSocketWithHostname);
   }
 
   @Test
@@ -284,13 +303,13 @@ public void testClientTrustedWithHostnameVerificationEnabledUsingIpAddress() thr
       new HBaseTrustManager(mockX509ExtendedTrustManager, true, true);
 
     X509Certificate[] certificateChain = createSelfSignedCertificateChain(IP_ADDRESS, null);
-    trustManager.checkClientTrusted(certificateChain, null, mockSocket);
+    trustManager.checkClientTrusted(certificateChain, null, mockSocketWithHostname);
 
-    verify(mockInetAddress, times(1)).getHostAddress();
-    verify(mockInetAddress, times(0)).getHostName();
+    verify(mockInetAddressWithHostname, times(1)).getHostAddress();
+    verify(mockInetAddressWithHostname, times(0)).getHostName();
 
     verify(mockX509ExtendedTrustManager, times(1)).checkClientTrusted(certificateChain, null,
-      mockSocket);
+      mockSocketWithHostname);
   }
 
   @Test
@@ -305,13 +324,32 @@ public void testClientTrustedWithHostnameVerificationEnabledWithoutReverseLookup
     // This mismatch would succeed if reverse lookup is enabled, but here fails since it's
     // not enabled.
     assertThrows(CertificateException.class,
-      () -> trustManager.checkClientTrusted(certificateChain, null, mockSocket));
+      () -> trustManager.checkClientTrusted(certificateChain, null, mockSocketWithoutHostname));
+
+    verify(mockInetAddressWithoutHostname, times(1)).getHostAddress();
+    verify(mockInetAddressWithoutHostname, times(0)).getHostName();
+
+    verify(mockX509ExtendedTrustManager, times(1)).checkClientTrusted(certificateChain, null,
+      mockSocketWithoutHostname);
+  }
+
+  @Test
+  public void testClientTrustedWithHostnameVerificationEnabledWithHostnameNoReverseLookup()
+    throws Exception {
+    HBaseTrustManager trustManager =
+      new HBaseTrustManager(mockX509ExtendedTrustManager, true, false);
+
+    X509Certificate[] certificateChain = createSelfSignedCertificateChain(null, HOSTNAME);
+
+    // since the socket inetAddress already has a hostname, we don't need reverse lookup.
+    // so this succeeds
+    trustManager.checkClientTrusted(certificateChain, null, mockSocketWithHostname);
 
-    verify(mockInetAddress, times(1)).getHostAddress();
-    verify(mockInetAddress, times(0)).getHostName();
+    verify(mockInetAddressWithHostname, times(1)).getHostAddress();
+    verify(mockInetAddressWithHostname, times(1)).getHostName();
 
     verify(mockX509ExtendedTrustManager, times(1)).checkClientTrusted(certificateChain, null,
-      mockSocket);
+      mockSocketWithHostname);
   }
 
 }