IGNITE-27216

Author: petrov-mg

modules/core/src/main/java/org/apache/ignite/internal/IgniteNodeAttributes.java

@@ -150,6 +150,9 @@ public final class IgniteNodeAttributes {
     /** V2 security subject for authenticated node. */
     public static final String ATTR_SECURITY_SUBJECT_V2 = ATTR_PREFIX + ".security.subject.v2";
 
+    /** Node certificates with which the connection was established.  */
+    public static final String ATTR_NODE_CERTIFICATES = ATTR_PREFIX + ".security.certificates";
+
     /** Client mode flag. */
     public static final String ATTR_CLIENT_MODE = ATTR_PREFIX + ".cache.client";
 

modules/core/src/main/java/org/apache/ignite/spi/discovery/tcp/ClientImpl.java

@@ -2301,6 +2301,7 @@ private void processNodeAddFinishedMessage(TcpDiscoveryNodeAddFinishedMessage ms
                     }
 
                     locNode.setAttributes(msg.clientNodeAttributes());
+                    locNode.clearCertificates();
                     locNode.visible(true);
 
                     long topVer = msg.topologyVersion();
@@ -2357,6 +2358,7 @@ else if (log.isDebugEnabled())
 
                     if (!node.visible()) {
                         node.order(topVer);
+                        node.clearCertificates();
                         node.visible(true);
 
                         if (spi.locNodeVer.equals(node.version()))

modules/core/src/main/java/org/apache/ignite/spi/discovery/tcp/ServerImpl.java

@@ -5298,6 +5298,8 @@ private void processNodeAddFinishedMessage(TcpDiscoveryNodeAddFinishedMessage ms
             if (msg.verified()) {
                 assert topVer > 0 : "Invalid topology version: " + msg;
 
+                node.clearCertificates();
+
                 if (node.order() == 0)
                     node.order(topVer);
 
@@ -7072,6 +7074,11 @@ else if (e.hasCause(ObjectStreamException.class) ||
                         else if (msg instanceof TcpDiscoveryJoinRequestMessage) {
                             TcpDiscoveryJoinRequestMessage req = (TcpDiscoveryJoinRequestMessage)msg;
 
+                            // Current node holds connection with the node that is joining the cluster. Therefore, it can
+                            // save certificates with which the connection was established to joining node attributes.
+                            if (spi.nodeAuth != null && nodeId.equals(req.node().id()))
+                                req.node().setCertificates(ses.extractCertificates());
+
                             if (!req.responded()) {
                                 boolean ok = processJoinRequestMessage(req, clientMsgWrk);
 

modules/core/src/main/java/org/apache/ignite/spi/discovery/tcp/TcpDiscoveryIoSession.java

@@ -27,6 +27,9 @@
 import java.io.StreamCorruptedException;
 import java.net.Socket;
 import java.nio.ByteBuffer;
+import java.security.cert.Certificate;
+import javax.net.ssl.SSLPeerUnverifiedException;
+import javax.net.ssl.SSLSocket;
 import org.apache.ignite.IgniteCheckedException;
 import org.apache.ignite.IgniteException;
 import org.apache.ignite.internal.direct.DirectMessageReader;
@@ -36,6 +39,7 @@
 import org.apache.ignite.plugin.extensions.communication.Message;
 import org.apache.ignite.plugin.extensions.communication.MessageSerializer;
 import org.apache.ignite.spi.discovery.tcp.messages.TcpDiscoveryAbstractMessage;
+import org.jetbrains.annotations.Nullable;
 
 import static org.apache.ignite.spi.communication.tcp.TcpCommunicationSpi.makeMessageType;
 
@@ -205,6 +209,21 @@ <T> T readMessage() throws IgniteCheckedException, IOException {
         }
     }
 
+    /** @return SSL certificate this session is established with. {@code null} if SSL is disabled or certificate validation failed. */
+    @Nullable Certificate[] extractCertificates() {
+        if (!spi.isSslEnabled())
+            return null;
+
+        try {
+            return ((SSLSocket)sock).getSession().getPeerCertificates();
+        }
+        catch (SSLPeerUnverifiedException e) {
+            U.error(spi.log, "Failed to extract discovery IO session certificates", e);
+
+            return null;
+        }
+    }
+
     /**
      * Serializes a discovery message into a byte array.
      *

modules/core/src/main/java/org/apache/ignite/spi/discovery/tcp/internal/TcpDiscoveryNode.java

@@ -23,6 +23,7 @@
 import java.io.ObjectOutput;
 import java.io.Serializable;
 import java.net.InetSocketAddress;
+import java.security.cert.Certificate;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
@@ -48,6 +49,7 @@
 import org.apache.ignite.spi.discovery.tcp.TcpDiscoverySpi;
 import org.jetbrains.annotations.Nullable;
 
+import static org.apache.ignite.internal.IgniteNodeAttributes.ATTR_NODE_CERTIFICATES;
 import static org.apache.ignite.internal.IgniteNodeAttributes.ATTR_NODE_CONSISTENT_ID;
 import static org.apache.ignite.internal.util.lang.ClusterNodeFunc.eqNodes;
 
@@ -251,6 +253,31 @@ public void lastSuccessfulAddress(InetSocketAddress lastSuccessfulAddr) {
         });
     }
 
+    /**
+     * Sets nodes SSL certificates with which connection was established.
+     *
+     * @param certificates SSL certificates.
+     */
+    public void setCertificates(@Nullable Certificate[] certificates) {
+        Map<String, Object> attrs = new HashMap<>(this.attrs);
+
+        attrs.put(IgniteNodeAttributes.ATTR_NODE_CERTIFICATES, certificates);
+
+        setAttributes(attrs);
+    }
+
+    /** Clears nodes SSL certificates with which connection was established. */
+    public void clearCertificates() {
+        if (!attrs.containsKey(ATTR_NODE_CERTIFICATES))
+            return;
+
+        Map<String, Object> attrs = new HashMap<>(this.attrs);
+
+        attrs.remove(IgniteNodeAttributes.ATTR_NODE_CERTIFICATES);
+
+        setAttributes(attrs);
+    }
+
     /**
      * Sets node attributes.
      *

modules/core/src/test/java/org/apache/ignite/internal/processors/security/NodeConnectionCertificateCapturingTest.java

@@ -0,0 +1,187 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ignite.internal.processors.security;
+
+import java.security.Permissions;
+import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.UUID;
+import java.util.concurrent.ConcurrentLinkedQueue;
+import java.util.concurrent.CountDownLatch;
+import org.apache.ignite.Ignite;
+import org.apache.ignite.IgniteCheckedException;
+import org.apache.ignite.cluster.ClusterNode;
+import org.apache.ignite.configuration.IgniteConfiguration;
+import org.apache.ignite.internal.GridKernalContext;
+import org.apache.ignite.internal.IgniteEx;
+import org.apache.ignite.internal.processors.security.impl.TestSecurityData;
+import org.apache.ignite.internal.processors.security.impl.TestSecurityPluginProvider;
+import org.apache.ignite.internal.processors.security.impl.TestSecurityProcessor;
+import org.apache.ignite.internal.util.typedef.G;
+import org.apache.ignite.plugin.security.SecurityCredentials;
+import org.apache.ignite.plugin.security.SecurityPermissionSet;
+import org.apache.ignite.testframework.GridTestUtils;
+import org.junit.Test;
+
+import static java.util.concurrent.TimeUnit.MILLISECONDS;
+import static org.apache.ignite.events.EventType.EVT_CLIENT_NODE_RECONNECTED;
+import static org.apache.ignite.internal.IgniteNodeAttributes.ATTR_NODE_CERTIFICATES;
+import static org.apache.ignite.plugin.security.SecurityPermission.JOIN_AS_SERVER;
+import static org.apache.ignite.plugin.security.SecurityPermissionSetBuilder.NO_PERMISSIONS;
+import static org.apache.ignite.plugin.security.SecurityPermissionSetBuilder.systemPermissions;
+
+/** */
+public class NodeConnectionCertificateCapturingTest extends AbstractSecurityTest {
+    /** */
+    private static final Collection<AuthenticationEvent> NODE_AUTHENTICATION_EVENTS = new ConcurrentLinkedQueue<>();
+
+    /** */
+    @Test
+    public void testNodeConnectionCertificateCapturing() throws Exception{
+        checkNewNodesAuthenticationByClusterNode(0, false, 1);
+        checkNewNodesAuthenticationByClusterNode(1, false, 2);
+        checkNewNodesAuthenticationByClusterNode(2, false, 3);
+        checkNewNodesAuthenticationByClusterNode(3, true, 3);
+
+        // Checks nodes restart.
+        stopGrid(2);
+        stopGrid(3);
+
+        checkNewNodesAuthenticationByClusterNode(3, true, 2);
+        checkNewNodesAuthenticationByClusterNode(2, false, 3);
+
+
+        // Checks client node reconnect.
+        NODE_AUTHENTICATION_EVENTS.clear();
+
+        CountDownLatch cliNodeReconnectedLatch = new CountDownLatch(1);
+
+        grid(3).events().localListen(evt -> {
+            cliNodeReconnectedLatch.countDown();
+
+            return true;
+        }, EVT_CLIENT_NODE_RECONNECTED);
+
+        grid(0).context().discovery().failNode(grid(3).localNode().id(), "test");
+
+        assertTrue(cliNodeReconnectedLatch.await(getTestTimeout(), MILLISECONDS));
+
+        checkNodeAuthenticationByClusterNode(3, grid(3).localNode().id(), true, 3);
+    }
+
+    /** */
+    private void checkNewNodesAuthenticationByClusterNode(int authNodeIdx, boolean isClient, int expAuthCnt) throws Exception {
+        NODE_AUTHENTICATION_EVENTS.clear();
+
+        UUID authNodeId = startGrid(authNodeIdx, isClient).cluster().localNode().id();
+
+        checkNodeAuthenticationByClusterNode(authNodeIdx, authNodeId, isClient, expAuthCnt);
+    }
+
+    /** */
+    private void checkNodeAuthenticationByClusterNode(int authNodeIdx, UUID authNodeId, boolean isClient, int expAuthCnt) {
+        assertEquals(expAuthCnt, NODE_AUTHENTICATION_EVENTS.size());
+
+        for (AuthenticationEvent auth : NODE_AUTHENTICATION_EVENTS) {
+            if (auth.clusterNodeId.equals(authNodeId))
+                assertNull(auth.certs);
+            else {
+                assertEquals(2, auth.certs.length);
+
+                X509Certificate cert = (X509Certificate)auth.certs[0];
+
+                assertEquals(isClient ? "CN=client" : "CN=node0" + (authNodeIdx + 1), cert.getSubjectDN().getName());
+            }
+        }
+
+        for (Ignite ignite : G.allGrids()) {
+            for (ClusterNode node : ignite.cluster().nodes())
+                assertNull(node.attribute(ATTR_NODE_CERTIFICATES));
+        }
+    }
+
+    /** */
+    private IgniteEx startGrid(int idx, boolean isClient) throws Exception {
+        String login = getTestIgniteInstanceName(idx);
+
+        IgniteConfiguration cfg = getConfiguration(
+            login,
+            new SecurityPluginProvider(
+                login,
+                "",
+                isClient ? NO_PERMISSIONS : systemPermissions(JOIN_AS_SERVER),
+                null,
+                true
+            )).setClientMode(isClient);
+
+        cfg.setSslContextFactory(GridTestUtils.sslTrustedFactory(isClient ? "client" : "node0" + (idx + 1), "trustboth"));
+
+        return startGrid(cfg);
+    }
+
+    /** */
+    private static class SecurityPluginProvider extends TestSecurityPluginProvider {
+        /** */
+        SecurityPluginProvider(
+            String login,
+            String pwd,
+            SecurityPermissionSet perms,
+            Permissions sandboxPerms,
+            boolean globalAuth,
+            TestSecurityData... clientData
+        ) {
+            super(login, pwd, perms, sandboxPerms, globalAuth, clientData);
+        }
+
+        /** {@inheritDoc} */
+        @Override protected GridSecurityProcessor securityProcessor(GridKernalContext ctx) {
+            return new TestSecurityProcessor(
+                ctx,
+                new TestSecurityData(login, pwd, perms, sandboxPerms),
+                Arrays.asList(clientData),
+                globalAuth
+            ) {
+                @Override public SecurityContext authenticateNode(
+                    ClusterNode node,
+                    SecurityCredentials cred
+                ) throws IgniteCheckedException {
+                    NODE_AUTHENTICATION_EVENTS.add(new AuthenticationEvent(ctx.localNodeId(), node.attribute(ATTR_NODE_CERTIFICATES)));
+
+                    return super.authenticateNode(node, cred);
+                }
+            };
+        }
+    }
+
+    /** */
+    private static class AuthenticationEvent {
+        /** */
+        UUID clusterNodeId;
+
+        /** */
+        Certificate[] certs;
+
+        /** */
+        AuthenticationEvent(UUID clusterNodeId, Certificate[] certs) {
+            this.clusterNodeId = clusterNodeId;
+            this.certs = certs;
+        }
+    }
+}

modules/core/src/test/java/org/apache/ignite/testsuites/SecurityTestSuite.java

@@ -19,6 +19,7 @@
 
 import org.apache.ignite.internal.processors.security.IgniteSecurityProcessorTest;
 import org.apache.ignite.internal.processors.security.InvalidServerTest;
+import org.apache.ignite.internal.processors.security.NodeConnectionCertificateCapturingTest;
 import org.apache.ignite.internal.processors.security.NodeSecurityContextPropagationTest;
 import org.apache.ignite.internal.processors.security.SecurityContextInternalFuturePropagationTest;
 import org.apache.ignite.internal.processors.security.cache.CacheOperationPermissionCheckTest;
@@ -143,6 +144,7 @@
     NodeJoinPermissionsTest.class,
     ActivationOnJoinWithoutPermissionsWithPersistenceTest.class,
     SecurityContextInternalFuturePropagationTest.class,
+    NodeConnectionCertificateCapturingTest.class
 })
 public class SecurityTestSuite {
     /** */