Print JVM security properties in storediag and sysinfo

Author: steveloughran

src/main/java/org/apache/hadoop/fs/store/StoreEntryPoint.java

@@ -75,6 +75,8 @@
 import static org.apache.hadoop.fs.store.StoreExitCodes.E_USAGE;
 import static org.apache.hadoop.fs.store.StoreUtils.split;
 import static org.apache.hadoop.fs.store.diag.OptionSets.CLOUD_CONNECTOR_LOGS;
+import static org.apache.hadoop.fs.store.diag.OptionSets.JAVAX_NET_DEBUG;
+import static org.apache.hadoop.fs.store.diag.OptionSets.NET_DEBUG_SSL_HANDSHAKE;
 import static org.apache.hadoop.fs.store.diag.S3ADiagnosticsInfo.DIRECTORY_MARKER_RETENTION;
 import static org.apache.hadoop.fs.store.diag.S3ADiagnosticsInfo.FS_S3A_CONNECTION_MAXIMUM;
 import static org.apache.hadoop.fs.store.diag.S3ADiagnosticsInfo.FS_S3A_THREADS_MAX;
@@ -403,6 +405,7 @@ protected void maybeEnableDebugLogging() {
     if (hasOption(DEBUG)) {
       println("Enabling debug logging");
       enableJvmLogging();
+      enableSSLLogging();
       enableCloudConnectorLogging(getLogOverrides(), LogControl.LogLevel.DEBUG);
     }
   }
@@ -440,6 +443,11 @@ protected void enableJvmLogging() {
     log.setLevel(ALL);
   }
 
+  protected void enableSSLLogging() {
+    // javax.net.debug=ssl:handshake
+    System.setProperty(JAVAX_NET_DEBUG, NET_DEBUG_SSL_HANDSHAKE);
+  }
+
   /**
    * Enable cloud connector logging.
    * @param level desired level

src/main/java/org/apache/hadoop/fs/store/commands/TLSInfo.java

@@ -42,6 +42,7 @@
 import static java.util.Arrays.asList;
 import static org.apache.hadoop.fs.store.CommonParameters.STANDARD_OPTS;
 import static org.apache.hadoop.fs.store.diag.OptionSets.STANDARD_ENV_VARS;
+import static org.apache.hadoop.fs.store.diag.OptionSets.STANDARD_SECURITY_PROPS;
 import static org.apache.hadoop.fs.store.diag.OptionSets.TLS_ENV_VARS;
 import static org.apache.hadoop.fs.store.diag.OptionSets.TLS_SYSPROPS;
 
@@ -57,7 +58,7 @@ public class TLSInfo extends DiagnosticsEntryPoint {
       + STANDARD_OPTS;
 
   public TLSInfo() {
-    createCommandFormat(1,1);
+    createCommandFormat(0,1);
   }
 
   @Override
@@ -70,6 +71,7 @@ public int run(String[] args) throws Exception {
         System::getProperty);
 
     printEnvVars(TLS_ENV_VARS);
+    printSecurityProperties(STANDARD_SECURITY_PROPS);
 
     println();
     tlsInfo(this);
@@ -177,7 +179,7 @@ public static int certInfo(
       printout.heading(heading);
       for (X509Certificate cert : x509Certificates) {
         final X500Principal principal = cert.getSubjectX500Principal();
-        if (!match.isEmpty() && !principal.getName().toLowerCase(Locale.ROOT).contains(match)) {
+        if (!verbose && !match.isEmpty() && !principal.getName().toLowerCase(Locale.ROOT).contains(match)) {
           continue;
         }
         counter++;

src/main/java/org/apache/hadoop/fs/store/diag/DiagnosticsEntryPoint.java

@@ -28,12 +28,14 @@
 import java.security.CodeSource;
 import java.security.NoSuchAlgorithmException;
 import java.util.Arrays;
+import java.util.Collection;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Properties;
 import java.util.Set;
 import java.util.TreeSet;
+import java.util.stream.Collectors;
 
 import com.google.common.base.Function;
 
@@ -176,21 +178,50 @@ public final void printSystemProperties(Object[][] vars) {
         System::getProperty);
   }
 
+  /**
+   * Print security properties (no obfuscation).
+   * @param properties properties.
+   */
+  public final void printSecurityProperties(final String[] properties) {
+
+    final List<Object[]> list = Arrays.stream(properties).sorted()
+        .map(k -> new Object[]{k, false})
+        .collect(Collectors.toList());
+
+    lookupAndPrint("JVM Security Properties", list, java.security.Security::getProperty);
+  }
+
   /**
    * Resolve and print values.
    * This is an array of (name, obfuscate) entries.
    * @param vars variables/properties.
    * @param section section name
    * @param lookup lookup function
    */
-  public final void lookupAndPrintSanitizedValues(Object[][] vars,
+  public final void lookupAndPrintSanitizedValues(
+      Object[][] vars,
       String section,
       Function<String, String> lookup) {
-    int index = 0;
 
-    if (vars.length > 0) {
+    lookupAndPrint(section, Arrays.asList(vars), lookup);
+  }
+
+  /**
+   * Resolve and print values.
+   * Takes a collection off (name, obfuscate) tuples..
+   * @param entries variables/properties.
+   * @param section section name
+   * @param lookup lookup function
+   */
+  private void lookupAndPrint(
+      final String section,
+      final Collection<Object[]> entries,
+      final Function<String, String> lookup) {
+
+    int index = 0;
+    if (!entries.isEmpty()) {
       heading(section);
-      for (final Object[] option : vars) {
+      for (final Object[] option : entries) {
         String var = (String) option[0];
         if (var == null || var.isEmpty()) {
           continue;

src/main/java/org/apache/hadoop/fs/store/diag/OptionSets.java

@@ -156,6 +156,20 @@ public class OptionSets {
       {"", false},
   };
 
+  /**
+   * Standard security properties.
+   */
+  public static final String[] STANDARD_SECURITY_PROPS = {
+      "jdk.certpath.disabledAlgorithms",
+      "jdk.tls.disabledAlgorithm",
+      "jdk.tls.keyLimits",
+      "networkaddress.cache.ttl",
+      "ssl.KeyManagerFactory",
+      "ssl.KeyManagerFactory.algorithm",
+      "ssl.TrustManagerFactory",
+      "",
+  };
+
 
   /** {@value}. */
   public static final String CLASSPATH = "java.class.path";
@@ -184,6 +198,7 @@ public class OptionSets {
       {"http.nonProxyHosts", false},
       {"java.net.preferIPv4Stack", false},
       {"java.net.preferIPv6Addresses", false},
+      {"jsse.enableSNIExtension", false},
       {"networkaddress.cache.ttl", false},
       {"networkaddress.cache.negative.ttl", false},
       {"socksProxyHost", false},
@@ -194,27 +209,37 @@ public class OptionSets {
       {"sun.net.inetaddr.negative.ttl", false},
   };
 
+  public static final String JAVAX_NET_DEBUG = "javax.net.debug";
+
+  public static final String JDK_TLS_CLIENT_PROTOCOLS = "jdk.tls.client.protocols";
+
   /**
    * TLS System properties.
+   * See https://www.java.com/en/configure_crypto.html
    */
   public static final Object[][] TLS_SYSPROPS = {
       {"java.version", false},
       {"java.library.path", false},
       {"com.sun.net.ssl.checkRevocation", false},
       {"https.protocols", false},
+      {JAVAX_NET_DEBUG, false},
       {"javax.net.ssl.keyStore", false},
       {"javax.net.ssl.keyStorePassword", true},
       {"javax.net.ssl.trustStore", false},
       {"javax.net.ssl.trustStorePassword", true},
       {"jdk.certpath.disabledAlgorithms", false},
       {"jdk.tls.client.cipherSuites", false},
-      {"jdk.tls.client.protocols", false},
+      {JDK_TLS_CLIENT_PROTOCOLS, false},
       {"jdk.tls.disabledAlgorithms", false},
       {"jdk.tls.legacyAlgorithms", false},
       {"jsse.enableSNIExtension", false},
       {"", false},
   };
 
+  public static final String NET_DEBUG_SSL_HANDSHAKE = "ssl:handshake";
+
+  public static final String NET_DEBUG_ALL = "all";
+
   public static final String MOZILLA_PUBLIC_SUFFIX_LIST =
       "mozilla/public-suffix-list.txt";
 

src/main/java/org/apache/hadoop/fs/store/diag/S3ADiagnosticsInfo.java

@@ -305,7 +305,11 @@ public class S3ADiagnosticsInfo extends StoreDiagnosticsInfo {
   public static final String FS_S3A_DOWNGRADE_SYNCABLE_EXCEPTIONS =
       "fs.s3a.downgrade.syncable.exceptions";
 
-  private static final Object[][] options = {
+  /**
+   * Each option is a triple of
+   * (key, secure, obfuscate)
+   */
+  private static final Object[][] S3A_OPTIONS = {
       /* Core auth */
       {ACCESS_KEY, true, true},
       {SECRET_KEY, true, true},
@@ -803,7 +807,7 @@ public String getHomepage() {
 
   @Override
   public Object[][] getFilesystemOptions() {
-    return options;
+    return S3A_OPTIONS;
   }
 
   @Override

src/main/java/org/apache/hadoop/fs/store/diag/StoreDiag.java

@@ -201,6 +201,9 @@ public int run(String[] args, PrintStream stream) throws Exception {
       // only print selected ones
       printSystemProperties(storeInfo.getSelectedSystemProperties());
     }
+
+    printSecurityProperties(storeInfo.getSecurityProperties());
+
     if (hasOption(ENVARS)) {
       dumpEnvVars();
     }

src/main/java/org/apache/hadoop/fs/store/diag/StoreDiagnosticsInfo.java

@@ -47,6 +47,7 @@
 import static org.apache.hadoop.fs.store.StoreEntryPoint.DEFAULT_HIDE_ALL_SENSITIVE_CHARS;
 import static org.apache.hadoop.fs.store.StoreEntryPoint.getOrigins;
 import static org.apache.hadoop.fs.store.StoreUtils.sanitize;
+import static org.apache.hadoop.fs.store.diag.OptionSets.STANDARD_SECURITY_PROPS;
 import static org.apache.hadoop.fs.store.diag.OptionSets.STANDARD_SYSPROPS;
 import static org.apache.hadoop.fs.store.diag.StoreDiag.sortKeys;
 
@@ -56,6 +57,9 @@
  */
 public class StoreDiagnosticsInfo {
 
+  /**
+   * Empty set for {@link #getFilesystemOptions()}.
+   */
   protected static final Object[][] EMPTY_OPTIONS = {};
 
   protected static final String[] EMPTY_CLASSNAMES = {};
@@ -215,6 +219,14 @@ public Object[][] getSelectedSystemProperties() {
     return STANDARD_SYSPROPS;
   }
 
+  /**
+   * Get security properties to log.
+   * @return an array of security properties.
+   */
+  public String[] getSecurityProperties() {
+    return STANDARD_SECURITY_PROPS;
+  }
+
   /**
    * should HTTPS/TLS binding info be printed?
    * default is true.