Test for TLS channel pipeline handlers (#3303)

Adding tests for TLS-required handlers on NettyTLSConnectionInitializer Signed-off-by: Lucas Saldanha <lucascrsaldanha@gmail.com>
hyperledger · Jan 20, 2022 · 1b45cac · 1b45cac
1 parent 00a3875
commit 1b45cac
Show file tree

Hide file tree

Showing 5 changed files with 221 additions and 34 deletions.
diff --git a/ethereum/p2p/src/main/java/org/hyperledger/besu/ethereum/p2p/rlpx/RlpxAgent.java b/ethereum/p2p/src/main/java/org/hyperledger/besu/ethereum/p2p/rlpx/RlpxAgent.java
@@ -573,7 +573,12 @@ public RlpxAgent build() {
           LOG.debug("TLS Configuration found using NettyTLSConnectionInitializer");
           connectionInitializer =
               new NettyTLSConnectionInitializer(
-                  nodeKey, config, localNode, connectionEvents, metricsSystem, p2pTLSConfiguration);
+                  nodeKey,
+                  config,
+                  localNode,
+                  connectionEvents,
+                  metricsSystem,
+                  p2pTLSConfiguration.get());
         } else {
           LOG.debug("Using default NettyConnectionInitializer");
           connectionInitializer =

diff --git a/.../org/hyperledger/besu/ethereum/p2p/rlpx/connections/netty/NettyConnectionInitializer.java b/.../org/hyperledger/besu/ethereum/p2p/rlpx/connections/netty/NettyConnectionInitializer.java
@@ -267,10 +267,10 @@ private TimeoutHandler<Channel> timeoutHandler(
         () -> connectionFuture.completeExceptionally(new TimeoutException(s)));
   }
 
-  protected void addAdditionalOutboundHandlers(final SocketChannel ch)
+  void addAdditionalOutboundHandlers(final Channel ch)
       throws GeneralSecurityException, IOException {}
 
-  protected void addAdditionalInboundHandlers(final SocketChannel ch)
+  void addAdditionalInboundHandlers(final Channel ch)
       throws GeneralSecurityException, IOException {}
 
   private IntSupplier pendingTaskCounter(final EventLoopGroup eventLoopGroup) {

diff --git a/...g/hyperledger/besu/ethereum/p2p/rlpx/connections/netty/NettyTLSConnectionInitializer.java b/...g/hyperledger/besu/ethereum/p2p/rlpx/connections/netty/NettyTLSConnectionInitializer.java
@@ -28,11 +28,12 @@
 import org.hyperledger.besu.ethereum.p2p.rlpx.handshake.Handshaker;
 import org.hyperledger.besu.plugin.services.MetricsSystem;
 
-import java.io.IOException;
 import java.security.GeneralSecurityException;
 import java.util.Optional;
+import java.util.function.Supplier;
 
-import io.netty.channel.socket.SocketChannel;
+import com.google.common.annotations.VisibleForTesting;
+import io.netty.channel.Channel;
 import io.netty.handler.codec.LengthFieldBasedFrameDecoder;
 import io.netty.handler.codec.LengthFieldPrepender;
 import io.netty.handler.codec.compression.SnappyFrameDecoder;
@@ -41,53 +42,65 @@
 
 public class NettyTLSConnectionInitializer extends NettyConnectionInitializer {
 
-  private final Optional<TLSConfiguration> p2pTLSConfiguration;
+  private final Optional<Supplier<TLSContextFactory>> tlsContextFactorySupplier;
 
   public NettyTLSConnectionInitializer(
       final NodeKey nodeKey,
       final RlpxConfiguration config,
       final LocalNode localNode,
       final PeerConnectionEventDispatcher eventDispatcher,
       final MetricsSystem metricsSystem,
-      final Optional<TLSConfiguration> p2pTLSConfiguration) {
+      final TLSConfiguration p2pTLSConfiguration) {
+    this(
+        nodeKey,
+        config,
+        localNode,
+        eventDispatcher,
+        metricsSystem,
+        defaultTlsContextFactorySupplier(p2pTLSConfiguration));
+  }
+
+  @VisibleForTesting
+  NettyTLSConnectionInitializer(
+      final NodeKey nodeKey,
+      final RlpxConfiguration config,
+      final LocalNode localNode,
+      final PeerConnectionEventDispatcher eventDispatcher,
+      final MetricsSystem metricsSystem,
+      final Supplier<TLSContextFactory> tlsContextFactorySupplier) {
     super(nodeKey, config, localNode, eventDispatcher, metricsSystem);
-    this.p2pTLSConfiguration = p2pTLSConfiguration;
+    this.tlsContextFactorySupplier = Optional.ofNullable(tlsContextFactorySupplier);
   }
 
   @Override
-  protected void addAdditionalOutboundHandlers(final SocketChannel ch)
-      throws GeneralSecurityException, IOException {
-    if (p2pTLSConfiguration.isPresent()) {
-      SslContext sslContext =
-          TLSContextFactory.buildFrom(p2pTLSConfiguration.get()).createNettyClientSslContext();
-      ch.pipeline().addLast("ssl", sslContext.newHandler(ch.alloc()));
-      ch.pipeline().addLast(new SnappyFrameDecoder());
-      ch.pipeline().addLast(new SnappyFrameEncoder());
-      ch.pipeline()
-          .addLast(
-              new LengthFieldBasedFrameDecoder(
-                  LENGTH_MAX_MESSAGE_FRAME, 0, LENGTH_FRAME_SIZE, 0, LENGTH_FRAME_SIZE));
-      ch.pipeline().addLast(new LengthFieldPrepender(LENGTH_FRAME_SIZE));
+  void addAdditionalOutboundHandlers(final Channel ch) throws GeneralSecurityException {
+    if (tlsContextFactorySupplier.isPresent()) {
+      final SslContext clientSslContext =
+          tlsContextFactorySupplier.get().get().createNettyClientSslContext();
+      addHandlersToChannelPipeline(ch, clientSslContext);
     }
   }
 
   @Override
-  protected void addAdditionalInboundHandlers(final SocketChannel ch)
-      throws GeneralSecurityException, IOException {
-    if (p2pTLSConfiguration.isPresent()) {
-      SslContext sslContext =
-          TLSContextFactory.buildFrom(p2pTLSConfiguration.get()).createNettyServerSslContext();
-      ch.pipeline().addLast("ssl", sslContext.newHandler(ch.alloc()));
-      ch.pipeline().addLast(new SnappyFrameDecoder());
-      ch.pipeline().addLast(new SnappyFrameEncoder());
-      ch.pipeline()
-          .addLast(
-              new LengthFieldBasedFrameDecoder(
-                  LENGTH_MAX_MESSAGE_FRAME, 0, LENGTH_FRAME_SIZE, 0, LENGTH_FRAME_SIZE));
-      ch.pipeline().addLast(new LengthFieldPrepender(LENGTH_FRAME_SIZE));
+  void addAdditionalInboundHandlers(final Channel ch) throws GeneralSecurityException {
+    if (tlsContextFactorySupplier.isPresent()) {
+      final SslContext serverSslContext =
+          tlsContextFactorySupplier.get().get().createNettyServerSslContext();
+      addHandlersToChannelPipeline(ch, serverSslContext);
     }
   }
 
+  private void addHandlersToChannelPipeline(final Channel ch, final SslContext sslContext) {
+    ch.pipeline().addLast(sslContext.newHandler(ch.alloc()));
+    ch.pipeline().addLast(new SnappyFrameDecoder());
+    ch.pipeline().addLast(new SnappyFrameEncoder());
+    ch.pipeline()
+        .addLast(
+            new LengthFieldBasedFrameDecoder(
+                LENGTH_MAX_MESSAGE_FRAME, 0, LENGTH_FRAME_SIZE, 0, LENGTH_FRAME_SIZE));
+    ch.pipeline().addLast(new LengthFieldPrepender(LENGTH_FRAME_SIZE));
+  }
+
   @Override
   public Handshaker buildInstance() {
     return new PlainHandshaker();
@@ -97,4 +110,20 @@ public Handshaker buildInstance() {
   public Framer buildFramer(final HandshakeSecrets secrets) {
     return new PlainFramer();
   }
+
+  @VisibleForTesting
+  static Supplier<TLSContextFactory> defaultTlsContextFactorySupplier(
+      final TLSConfiguration tlsConfiguration) {
+    if (tlsConfiguration == null) {
+      throw new IllegalStateException("TLSConfiguration cannot be null when using TLS");
+    }
+
+    return () -> {
+      try {
+        return TLSContextFactory.buildFrom(tlsConfiguration);
+      } catch (final Exception e) {
+        throw new IllegalStateException("Error creating TLSContextFactory", e);
+      }
+    };
+  }
 }
diff --git a/...perledger/besu/ethereum/p2p/rlpx/connections/netty/NettyTLSConnectionInitializerTest.java b/...perledger/besu/ethereum/p2p/rlpx/connections/netty/NettyTLSConnectionInitializerTest.java
@@ -0,0 +1,152 @@
+/*
+ * Copyright Hyperledger Besu Contributors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
+ * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package org.hyperledger.besu.ethereum.p2p.rlpx.connections.netty;
+
+import static org.assertj.core.api.AssertionsForClassTypes.assertThat;
+import static org.assertj.core.api.AssertionsForClassTypes.assertThatThrownBy;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+import org.hyperledger.besu.crypto.NodeKey;
+import org.hyperledger.besu.ethereum.p2p.config.RlpxConfiguration;
+import org.hyperledger.besu.ethereum.p2p.peers.LocalNode;
+import org.hyperledger.besu.ethereum.p2p.rlpx.connections.PeerConnectionEventDispatcher;
+import org.hyperledger.besu.metrics.noop.NoOpMetricsSystem;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import com.google.common.collect.ImmutableList;
+import io.netty.channel.ChannelPipeline;
+import io.netty.channel.embedded.EmbeddedChannel;
+import io.netty.handler.codec.LengthFieldBasedFrameDecoder;
+import io.netty.handler.codec.LengthFieldPrepender;
+import io.netty.handler.codec.compression.SnappyFrameDecoder;
+import io.netty.handler.codec.compression.SnappyFrameEncoder;
+import io.netty.handler.ssl.SslContext;
+import io.netty.handler.ssl.SslHandler;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.junit.MockitoJUnitRunner;
+
+@RunWith(MockitoJUnitRunner.class)
+public class NettyTLSConnectionInitializerTest {
+
+  @Mock private NodeKey nodeKey;
+  @Mock private RlpxConfiguration rlpxConfiguration;
+  @Mock private LocalNode localNode;
+  @Mock private PeerConnectionEventDispatcher eventDispatcher;
+  @Mock private TLSContextFactory tlsContextFactory;
+  @Mock private SslContext sslContext;
+  @Mock private SslHandler sslHandler;
+
+  private NettyTLSConnectionInitializer nettyTLSConnectionInitializer;
+
+  @Before
+  public void before() throws Exception {
+    nettyTLSConnectionInitializer =
+        new NettyTLSConnectionInitializer(
+            nodeKey,
+            rlpxConfiguration,
+            localNode,
+            eventDispatcher,
+            new NoOpMetricsSystem(),
+            () -> tlsContextFactory);
+
+    when(tlsContextFactory.createNettyServerSslContext()).thenReturn(sslContext);
+    when(tlsContextFactory.createNettyClientSslContext()).thenReturn(sslContext);
+    when(sslContext.newHandler(any())).thenReturn(sslHandler);
+  }
+
+  @Test
+  public void addAdditionalOutboundHandlersIncludesAllExpectedHandlersToChannelPipeline()
+      throws Exception {
+    final EmbeddedChannel embeddedChannel = new EmbeddedChannel();
+    nettyTLSConnectionInitializer.addAdditionalOutboundHandlers(embeddedChannel);
+
+    // TLS
+    assertThat(embeddedChannel.pipeline().get(SslHandler.class)).isNotNull();
+
+    // Snappy compression
+    assertThat(embeddedChannel.pipeline().get(SnappyFrameDecoder.class)).isNotNull();
+    assertThat(embeddedChannel.pipeline().get(SnappyFrameEncoder.class)).isNotNull();
+
+    // Message Framing
+    assertThat(embeddedChannel.pipeline().get(LengthFieldBasedFrameDecoder.class)).isNotNull();
+    assertThat(embeddedChannel.pipeline().get(LengthFieldPrepender.class)).isNotNull();
+
+    assertHandlersOrderInPipeline(embeddedChannel.pipeline());
+  }
+
+  @Test
+  public void addAdditionalInboundHandlersIncludesAllExpectedHandlersToChannelPipeline()
+      throws Exception {
+    final EmbeddedChannel embeddedChannel = new EmbeddedChannel();
+    nettyTLSConnectionInitializer.addAdditionalInboundHandlers(embeddedChannel);
+
+    // TLS
+    assertThat(embeddedChannel.pipeline().get(SslHandler.class)).isNotNull();
+
+    // Snappy compression
+    assertThat(embeddedChannel.pipeline().get(SnappyFrameDecoder.class)).isNotNull();
+    assertThat(embeddedChannel.pipeline().get(SnappyFrameEncoder.class)).isNotNull();
+
+    // Message Framing
+    assertThat(embeddedChannel.pipeline().get(LengthFieldBasedFrameDecoder.class)).isNotNull();
+    assertThat(embeddedChannel.pipeline().get(LengthFieldPrepender.class)).isNotNull();
+
+    assertHandlersOrderInPipeline(embeddedChannel.pipeline());
+  }
+
+  private void assertHandlersOrderInPipeline(final ChannelPipeline pipeline) {
+    // Appending '#0' because Netty adds it to the handler's names
+    final ArrayList<String> expectedHandlerNamesInOrder =
+        new ArrayList<>(
+            ImmutableList.of(
+                "SslHandler#0",
+                "SnappyFrameDecoder#0",
+                "SnappyFrameEncoder#0",
+                "LengthFieldBasedFrameDecoder#0",
+                "LengthFieldPrepender#0",
+                "DefaultChannelPipeline$TailContext#0")); // This final handler is Netty's default
+
+    final List<String> actualHandlerNamesInOrder = pipeline.names();
+    assertThat(actualHandlerNamesInOrder).isEqualTo(expectedHandlerNamesInOrder);
+  }
+
+  @Test
+  public void defaultTlsContextFactorySupplierThrowsErrorWithNullTLSConfiguration() {
+    assertThatThrownBy(() -> NettyTLSConnectionInitializer.defaultTlsContextFactorySupplier(null))
+        .isInstanceOf(IllegalStateException.class)
+        .hasMessage("TLSConfiguration cannot be null when using TLS");
+  }
+
+  @Test
+  public void defaultTlsContextFactorySupplierCapturesInternalError() {
+    final TLSConfiguration tlsConfiguration = mock(TLSConfiguration.class);
+    when(tlsConfiguration.getKeyStoreType()).thenThrow(new RuntimeException());
+
+    assertThatThrownBy(
+            () ->
+                NettyTLSConnectionInitializer.defaultTlsContextFactorySupplier(tlsConfiguration)
+                    .get())
+        .isInstanceOf(IllegalStateException.class)
+        .hasMessage("Error creating TLSContextFactory");
+  }
+}
diff --git a/ethereum/p2p/src/test/resources/mockito-extensions/org.mockito.plugins.MockMaker b/ethereum/p2p/src/test/resources/mockito-extensions/org.mockito.plugins.MockMaker
@@ -0,0 +1 @@
+mock-maker-inline