basho · alexmoore · Mar 1, 2016 · Feb 19, 2016 · Feb 19, 2016 · Feb 19, 2016
diff --git a/.gitignore b/.gitignore
@@ -14,4 +14,4 @@ nb-configuration.xml
 dependency-reduced-pom.xml
 tags
 .java-version
-
+src/test/resources/*
diff --git a/README.md b/README.md
@@ -7,6 +7,8 @@ latency. Both Riak and this code are maintained by [Basho](http://www.basho.com/
 1. [Installation](#installation)
 2. [Documentation](#documentation)
 3. [Contributing](#contributing)
+    * [`riak_pb` dependency](#riak_pb-dependency)
+    * [Security Tests](security-tests)
 	* [An honest disclaimer](#an-honest-disclaimer)
 4. [Roadmap](#roadmap)
 5. [License and Authors](#license-and-authors)
@@ -52,6 +54,7 @@ Also see [the Javadoc site](http://basho.github.io/riak-java-client/) for more i
 
 ## Contributing
 
+#### `riak_pb` dependency
 To build the Riak Java Client, you must have the correct version of the riak_pb dependency installed to your local Maven repository.  
 
 ```
@@ -60,6 +63,48 @@ git checkout java-2.1.1.0
 mvn clean install
 ```
 
+#### Security tests
+To run the security-related integration tests, you will need to:
+
+ 1) Setup the certs by running the buildbot makefile's "configure-security-certs" target
+     cd buildbot;
+     make configure-security-certs;
+     cd ../;
+
+ 2) Copy the certs to your Riak's etc dir, and configure the riak.conf file to use them
+     resources_dir=./src/test/resources
+     riak_etc_dir=/fill/in/this/path/
+
+     # Shell
+     cp $resources_dir/cacert.pem $riak_etc_dir
+     cp $resources_dir/riak-test-cert.pem $riak_etc_dir
+     cp $resources_dir/riakuser-client-cert.pem $riak_etc_dir
+
+     # riak.conf file additions
+     ssl.certfile = (riak_etc_dir)/cert.pem
+     ssl.keyfile = (riak_etc_dir)/key.pem
+     ssl.cacertfile = (riak_etc_dir)/cacert.pem
+
+ 3) Enable Riak Security
+     riak-admin security enable
+
+ 4) create a user "riakuser" with the password "riak_cert_user" and configure it with certificate as a source
+     riak-admin security add-user riakuser
+     riak-admin security add-source riakuser 0.0.0.0/0 certificate
+
+ 5) create a user "riak_trust_user" with the password "riak_trust_user" and configure it with trust as a
+ source
+     riak-admin security add-user riak_trust_user password=riak_trust_user
+     riak-admin security add-source riak_trust_user 0.0.0.0/0 trust
+
+ 6) create a user "riakpass" with the password "riak_passwd_user" and configure it with password as a source
+     riak-admin security add-user riakpass password=Test1234
+     riak-admin security add-source riakpass 0.0.0.0/0 password
+
+ 7) Run the Test suit with the com.basho.riak.security and com.basho.riak.security.clientcert flags set to
+ true
+
+
 This repository's maintainers are engineers at Basho and we welcome your contribution to the project! Review the details in [CONTRIBUTING.md](CONTRIBUTING.md) in order to give back to this project.
 
 ### An honest disclaimer

diff --git a/buildbot/Makefile b/buildbot/Makefile
@@ -1,33 +1,54 @@
 
 PROJDIR = $(realpath $(CURDIR)/..)
-
+RESOURCES_DIR = $(PROJDIR)/src/test/resources/
 TOOLS_DIR = $(PROJDIR)/tools/devrel
+CA_DIR = $(PROJDIR)/tools/test-ca
+CERTS_DIR = $(CA_DIR)/certs
+PRIVATE_DIR = $(CA_DIR)/private
 RIAK_CONF = $(RIAK_DIR)/etc/riak.conf
 ADV_CONF = $(RIAK_DIR)/etc/advanced.config
 RIAK_ADMIN = $(RIAK_DIR)/bin/riak-admin
 
-preconfigure:
-	$(TOOLS_DIR)/gen-riak-conf $(RIAK_CONF) 8098 8087
-	$(TOOLS_DIR)/strong-consistency-conf $(RIAK_CONF)
+preconfigure: configure-security-certs
+	$(TOOLS_DIR)/gen-riak-conf $(RIAK_CONF) 8098 8087 18098 $(CERTS_DIR)/cacert.pem $(CERTS_DIR)/riak-test-cert.pem $(PRIVATE_DIR)/riak-test-key.pem
 	$(TOOLS_DIR)/gen-adv-conf $(ADV_CONF)
 
 configure:
-	$(TOOLS_DIR)/riak-cluster-config $(RIAK_ADMIN) 8098 true false
+	$(TOOLS_DIR)/riak-cluster-config $(RIAK_ADMIN) 8098 true true
+
+configure-security-certs:
+	mkdir -p $(RESOURCES_DIR)
+	# Copy certs
+	cp $(CERTS_DIR)/cacert.pem $(RESOURCES_DIR)
+	cp $(CERTS_DIR)/riak-test-cert.pem $(RESOURCES_DIR)
+	cp $(CERTS_DIR)/riakuser-client-cert.pem $(RESOURCES_DIR)
+
+	# PEM Truststore Setup
+	openssl pkcs8 -topk8 -inform PEM -outform PEM -in $(PRIVATE_DIR)/riakuser-client-cert-key.pem -out riakuser-client-cert-key_pkcs8.pem -nocrypt
+	mv riakuser-client-cert-key_pkcs8.pem $(RESOURCES_DIR)
+
+	# JKS Truststore Setup
+	keytool -noprompt -import -trustcacerts -keystore truststore.jks -file $(CERTS_DIR)/cacert.pem -alias cacert -storepass riak123
+	keytool -noprompt -import -trustcacerts -keystore truststore.jks -file $(CERTS_DIR)/riak-test-cert.pem -alias servercert -storepass riak123
+
+	keytool -importkeystore -srckeystore $(CERTS_DIR)/riakuser-client-cert.pfx -srcstoretype pkcs12 -srcstorepass '' -destkeystore riak_cert_user.jks -deststorepass riak123 -deststoretype JKS
+	keytool -noprompt -import -trustcacerts -keystore riak_cert_user.jks -file $(CERTS_DIR)/cacert.pem -alias cacert -storepass riak123
+
+	mv truststore.jks $(RESOURCES_DIR)
+	mv riak_cert_user.jks $(RESOURCES_DIR)
 
 compile:
-	@cd ..; mvn clean compile
+	cd ..; mvn clean compile
 
 lint:
 	@echo "No lint task"
 
-test: test-normal
+test: test-normal test-security
 
 test-normal:
-	@cd ..; mvn -Pitest,default -DargLine="-Dcom.basho.riak.2i=true -Dcom.basho.riak.yokozuna=true -Dcom.basho.riak.buckettype=true -Dcom.basho.riak.crdt=true" verify
+	$(RIAK_ADMIN) security disable
+	@cd ..; mvn -Pitest,default -Dcom.basho.riak.2i=true -Dcom.basho.riak.yokozuna=true -Dcom.basho.riak.buckettype=true -Dcom.basho.riak.crdt=true verify
 
 test-security:
-	${RIAK_ADMIN} security add-user tester password=tester
-	${RIAK_ADMIN} security add-source tester 127.0.0.1/32 password
-	${RIAK_ADMIN} security grant riak_kv.get,riak_kv.put,riak_kv.delete,riak_kv.index,riak_kv.list_keys,riak_kv.list_buckets,riak_core.get_bucket,riak_core.set_bucket,riak_core.get_bucket_type,riak_core.set_bucket_type,search.admin,search.query,riak_kv.mapreduce on any to tester
-	${RIAK_ADMIN} security enable
-	@cd ..; mvn -Pitest -DargLine="-Dcom.basho.riak.security=true" verify
+	$(RIAK_ADMIN) security enable
+	@cd ..; mvn -Pitest,test-debug-logging  -Dcom.basho.riak.security=true -Dcom.basho.riak.security.clientcert=true test-compile failsafe:integration-test
diff --git a/src/main/java/com/basho/riak/client/core/RiakNode.java b/src/main/java/com/basho/riak/client/core/RiakNode.java
@@ -742,6 +742,7 @@ else if (protocols.contains("TLSv1.1"))
             try
             {
                 DefaultPromise<Void> promise = decoder.getPromise();
+                logger.debug("Waiting on SSL Promise");
                 promise.await();
 
                 if (promise.isSuccess())

diff --git a/src/main/java/com/basho/riak/client/core/netty/RiakSecurityDecoder.java b/src/main/java/com/basho/riak/client/core/netty/RiakSecurityDecoder.java
@@ -30,12 +30,13 @@
 import io.netty.util.concurrent.DefaultPromise;
 import io.netty.util.concurrent.Future;
 import io.netty.util.concurrent.GenericFutureListener;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.net.ssl.SSLEngine;
 import java.io.IOException;
 import java.util.List;
 import java.util.concurrent.CountDownLatch;
-import javax.net.ssl.SSLEngine;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 
 /**
  *
@@ -65,6 +66,7 @@ public RiakSecurityDecoder(SSLEngine engine, String username, String password)
     @Override
     protected void decode(ChannelHandlerContext chc, ByteBuf in, List<Object> out) throws Exception
     {
+        logger.debug("RiakSecurityDecoder decode");
         // Make sure we have 4 bytes
         if (in.readableBytes() >= 4)
         {
@@ -155,13 +157,13 @@ private void init(ChannelHandlerContext ctx)
         promiseLatch.countDown();
         ctx.channel().writeAndFlush(new RiakMessage(RiakMessageCodes.MSG_StartTls, 
                                     new byte[0]));
-
     }
 
     @Override
     public void handlerAdded(ChannelHandlerContext ctx) throws Exception
     {
-        logger.debug("MyStartTlsDecoder Handler Added");
+
+        logger.debug("Handler Added");
         if (ctx.channel().isActive())
         {
             init(ctx);
@@ -170,13 +172,14 @@ public void handlerAdded(ChannelHandlerContext ctx) throws Exception
 
     @Override
     public void channelActive(final ChannelHandlerContext ctx) throws Exception {
-        logger.debug("MyStartTlsDecoder Channel Active");
-        init(ctx);
+        logger.debug("Channel Active");
     }
 
     @Override
     public void channelInactive(ChannelHandlerContext ctx) throws Exception
     {
+        logger.debug("Channel Inactive");
+
         promise.tryFailure(new IOException("Channel closed during auth"));
         ctx.fireChannelInactive();
 
@@ -186,6 +189,8 @@ public void channelInactive(ChannelHandlerContext ctx) throws Exception
     public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause)
             throws Exception 
     {
+        logger.debug("Exception Caught: {}", cause);
+
         if (cause.getCause() instanceof javax.net.ssl.SSLHandshakeException)
         {
             // consume
@@ -208,6 +213,7 @@ public void operationComplete(Future<Channel> future) throws Exception
         {
             if (future.isSuccess())
             {
+                logger.debug("SSL Handshake success!");
                 Channel c = future.getNow();
                 state = State.AUTH_WAIT;
                 RiakPB.RpbAuthReq authReq = 
@@ -221,6 +227,7 @@ public void operationComplete(Future<Channel> future) throws Exception
             }
             else
             {
+                logger.error("SSL Handshake failed: ", future.cause());
                 promise.tryFailure(future.cause());
             }
         }

diff --git a/src/test/java/com/basho/riak/client/api/commands/itest/ITestSearchMapReduce.java b/src/test/java/com/basho/riak/client/api/commands/itest/ITestSearchMapReduce.java
@@ -50,6 +50,9 @@ public void searchMR() throws InterruptedException, ExecutionException {
         Assume.assumeTrue(testYokozuna);
         Assume.assumeTrue(testBucketType);
 
+        // Search inputs to MR aren't allowed when security is enabled
+        Assume.assumeFalse(security);
+
         // First we have to create an index and attach it to a bucket
         // and the 'default' bucket type can't be used for search
 

diff --git a/src/test/java/com/basho/riak/client/core/RiakClusterFixtureTest.java b/src/test/java/com/basho/riak/client/core/RiakClusterFixtureTest.java
@@ -95,13 +95,14 @@ public void operationSuccess() throws UnknownHostException, InterruptedException
             assertEquals(response.getObjectList().get(0).getValue().toString(), "This is a value!");
             assertTrue(!response.isNotFound());
         }
-        catch(InterruptedException e)
+        catch(InterruptedException ignored)
         {
 
         }
-
-        cluster.shutdown().get();
-
+        finally
+        {
+            cluster.shutdown();
+        }
     }
 
     @Test(timeout = 10000)
@@ -138,7 +139,7 @@ public void operationFail() throws UnknownHostException, ExecutionException, Int
         }
         finally
         {
-            cluster.shutdown().get();
+            cluster.shutdown();
         }
     }
 
@@ -207,34 +208,46 @@ public void testOperationQueue() throws Exception {
 
         try
         {
+            // Verify that the third operation was rejected
+            operation3.await();
+
             assertFalse(operation3.isSuccess());
-            assertNotNull(operation3.cause());
 
-            // Add a node to process the queue backlog
+            Throwable cause = operation3.cause();
+            assertNotNull(cause != null && cause.getMessage() != null ? cause.getMessage() : "No message set?", cause);
+
+            // Add a node to start processing the queue backlog
             cluster.addNode(goodNode);
 
+            future1.await();
+
             // Process the first queue item
             assertEquals(future1.get().getObjectList().get(0).getValue().toString(), "This is a value!");
-            assertTrue(!future1.get().isNotFound());
+            assertFalse(future1.get().isNotFound());
 
             // Add another to fill it back up
             RiakFuture<FetchOperation.Response, Location> future4 = cluster.execute(operation4);
-
+
+            // Get next item in Queue
+            future2.await();
+
             assertEquals(future2.get().getObjectList().get(0).getValue().toString(), "This is a value!");
-            assertTrue(!future2.get().isNotFound());
+            assertFalse(future2.get().isNotFound());
+
+            // Get last item in Queue
+            future4.await();
+
             assertEquals(future4.get().getObjectList().get(0).getValue().toString(), "This is a value!");
-            assertTrue(!future4.get().isNotFound());
+            assertFalse(future4.get().isNotFound());
         }
         finally
         {
-            cluster.shutdown().get();
+            cluster.shutdown();
         }
-
     }
 
     public static class StateListener implements NodeStateListener
     {
-
         public int stateCreated;
         public int stateRunning;
         public int stateShuttingDown;
@@ -261,8 +274,5 @@ public void nodeStateChanged(RiakNode node, RiakNode.State state)
                     break;
             }
         }
-
     }
-
-
 }