View Javadoc
1   /*
2    * Copyright (C) 2015, Andrei Pozolotin.
3    * and other copyright owners as documented in the project's IP log.
4    *
5    * This program and the accompanying materials are made available
6    * under the terms of the Eclipse Distribution License v1.0 which
7    * accompanies this distribution, is reproduced below, and is
8    * available at http://www.eclipse.org/org/documents/edl-v10.php
9    *
10   * All rights reserved.
11   *
12   * Redistribution and use in source and binary forms, with or
13   * without modification, are permitted provided that the following
14   * conditions are met:
15   *
16   * - Redistributions of source code must retain the above copyright
17   *   notice, this list of conditions and the following disclaimer.
18   *
19   * - Redistributions in binary form must reproduce the above
20   *   copyright notice, this list of conditions and the following
21   *   disclaimer in the documentation and/or other materials provided
22   *   with the distribution.
23   *
24   * - Neither the name of the Eclipse Foundation, Inc. nor the
25   *   names of its contributors may be used to endorse or promote
26   *   products derived from this software without specific prior
27   *   written permission.
28   *
29   * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
30   * CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
31   * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
32   * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
33   * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
34   * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
35   * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
36   * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
37   * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
38   * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
39   * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
40   * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
41   * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
42   */
43  
44  package org.eclipse.jgit.transport;
45  
46  import static org.eclipse.jgit.lib.Constants.CHARSET;
47  import static org.eclipse.jgit.transport.WalkEncryptionTest.Util.cryptoCipherListPBE;
48  import static org.eclipse.jgit.transport.WalkEncryptionTest.Util.cryptoCipherListTrans;
49  import static org.eclipse.jgit.transport.WalkEncryptionTest.Util.folderDelete;
50  import static org.eclipse.jgit.transport.WalkEncryptionTest.Util.permitLongTests;
51  import static org.eclipse.jgit.transport.WalkEncryptionTest.Util.policySetup;
52  import static org.eclipse.jgit.transport.WalkEncryptionTest.Util.product;
53  import static org.eclipse.jgit.transport.WalkEncryptionTest.Util.proxySetup;
54  import static org.eclipse.jgit.transport.WalkEncryptionTest.Util.publicAddress;
55  import static org.eclipse.jgit.transport.WalkEncryptionTest.Util.reportPolicy;
56  import static org.eclipse.jgit.transport.WalkEncryptionTest.Util.securityProviderName;
57  import static org.eclipse.jgit.transport.WalkEncryptionTest.Util.textWrite;
58  import static org.eclipse.jgit.transport.WalkEncryptionTest.Util.transferStream;
59  import static org.eclipse.jgit.transport.WalkEncryptionTest.Util.verifyFileContent;
60  import static org.junit.Assert.assertEquals;
61  import static org.junit.Assert.assertFalse;
62  import static org.junit.Assert.assertNotNull;
63  import static org.junit.Assert.assertTrue;
64  import static org.junit.Assume.assumeTrue;
65  
66  import java.io.BufferedReader;
67  import java.io.ByteArrayInputStream;
68  import java.io.ByteArrayOutputStream;
69  import java.io.File;
70  import java.io.FileInputStream;
71  import java.io.IOException;
72  import java.io.InputStream;
73  import java.io.InputStreamReader;
74  import java.io.OutputStream;
75  import java.io.PrintWriter;
76  import java.net.SocketTimeoutException;
77  import java.net.URL;
78  import java.net.URLConnection;
79  import java.net.UnknownHostException;
80  import java.nio.file.Files;
81  import java.security.GeneralSecurityException;
82  import java.security.Provider;
83  import java.security.Security;
84  import java.util.ArrayList;
85  import java.util.Collection;
86  import java.util.List;
87  import java.util.Locale;
88  import java.util.Properties;
89  import java.util.Set;
90  import java.util.TreeSet;
91  import java.util.UUID;
92  
93  import javax.crypto.SecretKeyFactory;
94  
95  import org.eclipse.jgit.api.Git;
96  import org.eclipse.jgit.lib.StoredConfig;
97  import org.eclipse.jgit.test.resources.SampleDataRepositoryTestCase;
98  import org.eclipse.jgit.util.FileUtils;
99  import org.junit.After;
100 import org.junit.AfterClass;
101 import org.junit.Before;
102 import org.junit.BeforeClass;
103 import org.junit.FixMethodOrder;
104 import org.junit.Test;
105 import org.junit.runner.RunWith;
106 import org.junit.runners.MethodSorters;
107 import org.junit.runners.Parameterized;
108 import org.junit.runners.Parameterized.Parameters;
109 import org.junit.runners.Suite;
110 import org.slf4j.Logger;
111 import org.slf4j.LoggerFactory;
112 
113 /**
114  * Amazon S3 encryption pipeline test.
115  *
116  * See {@link AmazonS3} {@link WalkEncryption}
117  *
118  * Note: CI server must provide amazon credentials (access key, secret key,
119  * bucket name) via one of methods available in {@link Names}.
120  *
121  * Note: long running tests are activated by Maven profile "test.long". There is
122  * also a separate Eclipse m2e launcher for that. See 'pom.xml' and
123  * 'WalkEncryptionTest.launch'.
124  */
125 @RunWith(Suite.class)
126 @Suite.SuiteClasses({ //
127 		WalkEncryptionTest.Required.class, //
128 		WalkEncryptionTest.MinimalSet.class, //
129 		WalkEncryptionTest.TestablePBE.class, //
130 		WalkEncryptionTest.TestableTransformation.class, //
131 })
132 public class WalkEncryptionTest {
133 
134 	/**
135 	 * Logger setup: ${project_loc}/tst-rsrc/log4j.properties
136 	 */
137 	static final Logger logger = LoggerFactory.getLogger(WalkEncryptionTest.class);
138 
139 	/**
140 	 * Property names used in test session.
141 	 */
142 	interface Names {
143 
144 		// Names of discovered test properties.
145 
146 		String TEST_BUCKET = "test.bucket";
147 
148 		// Names of test environment variables for CI.
149 
150 		String ENV_ACCESS_KEY = "JGIT_S3_ACCESS_KEY";
151 
152 		String ENV_SECRET_KEY = "JGIT_S3_SECRET_KEY";
153 
154 		String ENV_BUCKET_NAME = "JGIT_S3_BUCKET_NAME";
155 
156 		// Name of test environment variable file path for CI.
157 
158 		String ENV_CONFIG_FILE = "JGIT_S3_CONFIG_FILE";
159 
160 		// Names of test system properties for CI.
161 
162 		String SYS_ACCESS_KEY = "jgit.s3.access.key";
163 
164 		String SYS_SECRET_KEY = "jgit.s3.secret.key";
165 
166 		String SYS_BUCKET_NAME = "jgit.s3.bucket.name";
167 
168 		// Name of test system property file path for CI.
169 		String SYS_CONFIG_FILE = "jgit.s3.config.file";
170 
171 		// Hard coded name of test properties file for CI.
172 		// File format follows AmazonS3.Keys:
173 		// #
174 		// # Required entries:
175 		// #
176 		// accesskey = your-amazon-access-key # default AmazonS3.Keys
177 		// secretkey = your-amazon-secret-key # default AmazonS3.Keys
178 		// test.bucket = your-bucket-for-testing # custom name, for this test
179 		String CONFIG_FILE = "jgit-s3-config.properties";
180 
181 		// Test properties file in [user home] of CI.
182 		String HOME_CONFIG_FILE = System.getProperty("user.home")
183 				+ File.separator + CONFIG_FILE;
184 
185 		// Test properties file in [project work directory] of CI.
186 		String WORK_CONFIG_FILE = System.getProperty("user.dir")
187 				+ File.separator + CONFIG_FILE;
188 
189 		// Test properties file in [project test source directory] of CI.
190 		String TEST_CONFIG_FILE = System.getProperty("user.dir")
191 				+ File.separator + "tst-rsrc" + File.separator + CONFIG_FILE;
192 
193 	}
194 
195 	/**
196 	 * Find test properties from various sources in order of priority.
197 	 */
198 	static class Props implements WalkEncryptionTest.Names, AmazonS3.Keys {
199 
200 		static boolean haveEnvVar(String name) {
201 			return System.getenv(name) != null;
202 		}
203 
204 		static boolean haveEnvVarFile(String name) {
205 			return haveEnvVar(name) && new File(name).exists();
206 		}
207 
208 		static boolean haveSysProp(String name) {
209 			return System.getProperty(name) != null;
210 		}
211 
212 		static boolean haveSysPropFile(String name) {
213 			return haveSysProp(name) && new File(name).exists();
214 		}
215 
216 		static void loadEnvVar(String source, String target, Properties props) {
217 			props.put(target, System.getenv(source));
218 		}
219 
220 		static void loadSysProp(String source, String target,
221 				Properties props) {
222 			props.put(target, System.getProperty(source));
223 		}
224 
225 		static boolean haveProp(String name, Properties props) {
226 			return props.containsKey(name);
227 		}
228 
229 		static boolean checkTestProps(Properties props) {
230 			return haveProp(ACCESS_KEY, props) && haveProp(SECRET_KEY, props)
231 					&& haveProp(TEST_BUCKET, props);
232 		}
233 
234 		static Properties fromEnvVars() {
235 			if (haveEnvVar(ENV_ACCESS_KEY) && haveEnvVar(ENV_SECRET_KEY)
236 					&& haveEnvVar(ENV_BUCKET_NAME)) {
237 				Properties props = new Properties();
238 				loadEnvVar(ENV_ACCESS_KEY, ACCESS_KEY, props);
239 				loadEnvVar(ENV_SECRET_KEY, SECRET_KEY, props);
240 				loadEnvVar(ENV_BUCKET_NAME, TEST_BUCKET, props);
241 				return props;
242 			} else {
243 				return null;
244 			}
245 		}
246 
247 		static Properties fromEnvFile() throws Exception {
248 			if (haveEnvVarFile(ENV_CONFIG_FILE)) {
249 				Properties props = new Properties();
250 				props.load(new FileInputStream(ENV_CONFIG_FILE));
251 				if (checkTestProps(props)) {
252 					return props;
253 				} else {
254 					throw new Error("Environment config file is incomplete.");
255 				}
256 			} else {
257 				return null;
258 			}
259 		}
260 
261 		static Properties fromSysProps() {
262 			if (haveSysProp(SYS_ACCESS_KEY) && haveSysProp(SYS_SECRET_KEY)
263 					&& haveSysProp(SYS_BUCKET_NAME)) {
264 				Properties props = new Properties();
265 				loadSysProp(SYS_ACCESS_KEY, ACCESS_KEY, props);
266 				loadSysProp(SYS_SECRET_KEY, SECRET_KEY, props);
267 				loadSysProp(SYS_BUCKET_NAME, TEST_BUCKET, props);
268 				return props;
269 			} else {
270 				return null;
271 			}
272 		}
273 
274 		static Properties fromSysFile() throws Exception {
275 			if (haveSysPropFile(SYS_CONFIG_FILE)) {
276 				Properties props = new Properties();
277 				props.load(new FileInputStream(SYS_CONFIG_FILE));
278 				if (checkTestProps(props)) {
279 					return props;
280 				} else {
281 					throw new Error("System props config file is incomplete.");
282 				}
283 			} else {
284 				return null;
285 			}
286 		}
287 
288 		static Properties fromConfigFile(String path) throws Exception {
289 			File file = new File(path);
290 			if (file.exists()) {
291 				Properties props = new Properties();
292 				props.load(new FileInputStream(file));
293 				if (checkTestProps(props)) {
294 					return props;
295 				} else {
296 					throw new Error("Props config file is incomplete: " + path);
297 				}
298 			} else {
299 				return null;
300 			}
301 		}
302 
303 		/**
304 		 * Find test properties from various sources in order of priority.
305 		 *
306 		 * @return result
307 		 * @throws Exception
308 		 */
309 		static Properties discover() throws Exception {
310 			Properties props;
311 			if ((props = fromEnvVars()) != null) {
312 				logger.debug(
313 						"Using test properties from environment variables.");
314 				return props;
315 			}
316 			if ((props = fromEnvFile()) != null) {
317 				logger.debug(
318 						"Using test properties from environment variable config file.");
319 				return props;
320 			}
321 			if ((props = fromSysProps()) != null) {
322 				logger.debug("Using test properties from system properties.");
323 				return props;
324 			}
325 			if ((props = fromSysFile()) != null) {
326 				logger.debug(
327 						"Using test properties from system property config file.");
328 				return props;
329 			}
330 			if ((props = fromConfigFile(HOME_CONFIG_FILE)) != null) {
331 				logger.debug(
332 						"Using test properties from hard coded ${user.home} file.");
333 				return props;
334 			}
335 			if ((props = fromConfigFile(WORK_CONFIG_FILE)) != null) {
336 				logger.debug(
337 						"Using test properties from hard coded ${user.dir} file.");
338 				return props;
339 			}
340 			if ((props = fromConfigFile(TEST_CONFIG_FILE)) != null) {
341 				logger.debug(
342 						"Using test properties from hard coded ${project.source} file.");
343 				return props;
344 			}
345 			throw new Error("Can not load test properties form any source.");
346 		}
347 
348 	}
349 
350 	/**
351 	 * Collection of test utility methods.
352 	 */
353 	static class Util {
354 
355 		/**
356 		 * Read UTF-8 encoded text file into string.
357 		 *
358 		 * @param file
359 		 * @return result
360 		 * @throws Exception
361 		 */
362 		static String textRead(File file) throws Exception {
363 			return new String(Files.readAllBytes(file.toPath()), CHARSET);
364 		}
365 
366 		/**
367 		 * Write string into UTF-8 encoded file.
368 		 *
369 		 * @param file
370 		 * @param text
371 		 * @throws Exception
372 		 */
373 		static void textWrite(File file, String text) throws Exception {
374 			Files.write(file.toPath(), text.getBytes(CHARSET));
375 		}
376 
377 		static void verifyFileContent(File fileOne, File fileTwo)
378 				throws Exception {
379 			assertTrue(fileOne.length() > 0);
380 			assertTrue(fileTwo.length() > 0);
381 			String textOne = textRead(fileOne);
382 			String textTwo = textRead(fileTwo);
383 			assertEquals(textOne, textTwo);
384 		}
385 
386 		/**
387 		 * Create local folder.
388 		 *
389 		 * @param folder
390 		 * @throws Exception
391 		 */
392 		static void folderCreate(String folder) throws Exception {
393 			File path = new File(folder);
394 			assertTrue(path.mkdirs());
395 		}
396 
397 		/**
398 		 * Delete local folder.
399 		 *
400 		 * @param folder
401 		 * @throws Exception
402 		 */
403 		static void folderDelete(String folder) throws Exception {
404 			File path = new File(folder);
405 			FileUtils.delete(path,
406 					FileUtils.RECURSIVE | FileUtils.SKIP_MISSING);
407 		}
408 
409 		/**
410 		 * Discover public address of CI server.
411 		 *
412 		 * @return result
413 		 * @throws Exception
414 		 */
415 		static String publicAddress() throws Exception {
416 			try {
417 				String service = "http://checkip.amazonaws.com";
418 				URL url = new URL(service);
419 				URLConnection c = url.openConnection();
420 				c.setConnectTimeout(500);
421 				c.setReadTimeout(500);
422 				try (BufferedReader reader = new BufferedReader(
423 						new InputStreamReader(c.getInputStream()))) {
424 					return reader.readLine();
425 				}
426 			} catch (UnknownHostException | SocketTimeoutException e) {
427 				return "Can't reach http://checkip.amazonaws.com to"
428 						+ " determine public address";
429 			}
430 		}
431 
432 		/**
433 		 * Discover Password-Based Encryption (PBE) engines providing both
434 		 * [SecretKeyFactory] and [AlgorithmParameters].
435 		 *
436 		 * @return result
437 		 */
438 		// https://www.bouncycastle.org/specifications.html
439 		// https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html
440 		static List<String> cryptoCipherListPBE() {
441 			return cryptoCipherList(WalkEncryption.Vals.REGEX_PBE);
442 		}
443 
444 		// TODO returns inconsistent list.
445 		static List<String> cryptoCipherListTrans() {
446 			return cryptoCipherList(WalkEncryption.Vals.REGEX_TRANS);
447 		}
448 
449 		static String securityProviderName(String algorithm) throws Exception {
450 			return SecretKeyFactory.getInstance(algorithm).getProvider()
451 					.getName();
452 		}
453 
454 		static List<String> cryptoCipherList(String regex) {
455 			Set<String> source = Security.getAlgorithms("Cipher");
456 			Set<String> target = new TreeSet<>();
457 			for (String algo : source) {
458 				algo = algo.toUpperCase(Locale.ROOT);
459 				if (algo.matches(regex)) {
460 					target.add(algo);
461 				}
462 			}
463 			return new ArrayList<>(target);
464 		}
465 
466 		/**
467 		 * Stream copy.
468 		 *
469 		 * @param from
470 		 * @param into
471 		 * @return count
472 		 * @throws IOException
473 		 */
474 		static long transferStream(InputStream from, OutputStream into)
475 				throws IOException {
476 			byte[] array = new byte[1 * 1024];
477 			long total = 0;
478 			while (true) {
479 				int count = from.read(array);
480 				if (count == -1) {
481 					break;
482 				}
483 				into.write(array, 0, count);
484 				total += count;
485 			}
486 			return total;
487 		}
488 
489 		/**
490 		 * Setup proxy during CI build.
491 		 *
492 		 * @throws Exception
493 		 */
494 		// https://wiki.eclipse.org/Hudson#Accessing_the_Internet_using_Proxy
495 		// http://docs.oracle.com/javase/7/docs/api/java/net/doc-files/net-properties.html
496 		static void proxySetup() throws Exception {
497 			String keyNoProxy = "no_proxy";
498 			String keyHttpProxy = "http_proxy";
499 			String keyHttpsProxy = "https_proxy";
500 
501 			String no_proxy = System.getProperty(keyNoProxy,
502 					System.getenv(keyNoProxy));
503 			if (no_proxy != null) {
504 				System.setProperty("http.nonProxyHosts", no_proxy);
505 				logger.info("Proxy NOT: " + no_proxy);
506 			}
507 
508 			String http_proxy = System.getProperty(keyHttpProxy,
509 					System.getenv(keyHttpProxy));
510 			if (http_proxy != null) {
511 				URL url = new URL(http_proxy);
512 				System.setProperty("http.proxyHost", url.getHost());
513 				System.setProperty("http.proxyPort", "" + url.getPort());
514 				logger.info("Proxy HTTP: " + http_proxy);
515 			}
516 
517 			String https_proxy = System.getProperty(keyHttpsProxy,
518 					System.getenv(keyHttpsProxy));
519 			if (https_proxy != null) {
520 				URL url = new URL(https_proxy);
521 				System.setProperty("https.proxyHost", url.getHost());
522 				System.setProperty("https.proxyPort", "" + url.getPort());
523 				logger.info("Proxy HTTPS: " + https_proxy);
524 			}
525 
526 			if (no_proxy == null && http_proxy == null && https_proxy == null) {
527 				logger.info("Proxy not used.");
528 			}
529 
530 		}
531 
532 		/**
533 		 * Permit long tests on CI or with manual activation.
534 		 *
535 		 * @return result
536 		 */
537 		static boolean permitLongTests() {
538 			return isBuildCI() || isProfileActive();
539 		}
540 
541 		/**
542 		 * Using Maven profile activation, see pom.xml
543 		 *
544 		 * @return result
545 		 */
546 		static boolean isProfileActive() {
547 			return Boolean.parseBoolean(System.getProperty("jgit.test.long"));
548 		}
549 
550 		/**
551 		 * Detect if build is running on CI.
552 		 *
553 		 * @return result
554 		 */
555 		static boolean isBuildCI() {
556 			return System.getenv("HUDSON_HOME") != null;
557 		}
558 
559 		/**
560 		 * Setup JCE security policy restrictions. Can remove restrictions when
561 		 * restrictions are present, but can not impose them when restrictions
562 		 * are missing.
563 		 *
564 		 * @param restrictedOn
565 		 */
566 		// http://www.docjar.com/html/api/javax/crypto/JceSecurity.java.html
567 		static void policySetup(boolean restrictedOn) {
568 			try {
569 				java.lang.reflect.Field isRestricted = Class
570 						.forName("javax.crypto.JceSecurity")
571 						.getDeclaredField("isRestricted");
572 				isRestricted.setAccessible(true);
573 				isRestricted.set(null, Boolean.valueOf(restrictedOn));
574 			} catch (Throwable e) {
575 				logger.info(
576 						"Could not setup JCE security policy restrictions.");
577 			}
578 		}
579 
580 		static void reportPolicy() {
581 			try {
582 				java.lang.reflect.Field isRestricted = Class
583 						.forName("javax.crypto.JceSecurity")
584 						.getDeclaredField("isRestricted");
585 				isRestricted.setAccessible(true);
586 				logger.info("JCE security policy restricted="
587 						+ isRestricted.get(null));
588 			} catch (Throwable e) {
589 				logger.info(
590 						"Could not report JCE security policy restrictions.");
591 			}
592 		}
593 
594 		static List<Object[]> product(List<String> one, List<String> two) {
595 			List<Object[]> result = new ArrayList<>();
596 			for (String s1 : one) {
597 				for (String s2 : two) {
598 					result.add(new Object[] { s1, s2 });
599 				}
600 			}
601 			return result;
602 		}
603 
604 	}
605 
606 	/**
607 	 * Common base for encryption tests.
608 	 */
609 	@FixMethodOrder(MethodSorters.NAME_ASCENDING)
610 	public abstract static class Base extends SampleDataRepositoryTestCase {
611 
612 		/**
613 		 * S3 URI user used by JGIT to discover connection configuration file.
614 		 */
615 		static final String JGIT_USER = "tester-" + System.currentTimeMillis();
616 
617 		/**
618 		 * S3 content encoding password used for this test session.
619 		 */
620 		static final String JGIT_PASS = "secret-" + System.currentTimeMillis();
621 
622 		/**
623 		 * S3 repository configuration file expected by {@link AmazonS3}.
624 		 */
625 		static final String JGIT_CONF_FILE = System.getProperty("user.home")
626 				+ "/" + JGIT_USER;
627 
628 		/**
629 		 * Name representing remote or local JGIT repository.
630 		 */
631 		static final String JGIT_REPO_DIR = JGIT_USER + ".jgit";
632 
633 		/**
634 		 * Local JGIT repository for this test session.
635 		 */
636 		static final String JGIT_LOCAL_DIR = System.getProperty("user.dir")
637 				+ "/target/" + JGIT_REPO_DIR;
638 
639 		/**
640 		 * Remote JGIT repository for this test session.
641 		 */
642 		static final String JGIT_REMOTE_DIR = JGIT_REPO_DIR;
643 
644 		/**
645 		 * Generate JGIT S3 connection configuration file.
646 		 *
647 		 * @param algorithm
648 		 * @throws Exception
649 		 */
650 		static void configCreate(String algorithm) throws Exception {
651 			Properties props = Props.discover();
652 			props.put(AmazonS3.Keys.PASSWORD, JGIT_PASS);
653 			props.put(AmazonS3.Keys.CRYPTO_ALG, algorithm);
654 			try (PrintWriter writer = new PrintWriter(JGIT_CONF_FILE)) {
655 				props.store(writer, "JGIT S3 connection configuration file.");
656 			}
657 		}
658 
659 		/**
660 		 * Generate JGIT S3 connection configuration file.
661 		 *
662 		 * @param source
663 		 * @throws Exception
664 		 */
665 		static void configCreate(Properties source) throws Exception {
666 			Properties target = Props.discover();
667 			target.putAll(source);
668 			try (PrintWriter writer = new PrintWriter(JGIT_CONF_FILE)) {
669 				target.store(writer, "JGIT S3 connection configuration file.");
670 			}
671 		}
672 
673 		/**
674 		 * Remove JGIT connection configuration file.
675 		 *
676 		 * @throws Exception
677 		 */
678 		static void configDelete() throws Exception {
679 			File path = new File(JGIT_CONF_FILE);
680 			FileUtils.delete(path, FileUtils.SKIP_MISSING);
681 		}
682 
683 		/**
684 		 * Generate remote URI for the test session.
685 		 *
686 		 * @return result
687 		 * @throws Exception
688 		 */
689 		static String amazonURI() throws Exception {
690 			Properties props = Props.discover();
691 			String bucket = props.getProperty(Names.TEST_BUCKET);
692 			assertNotNull(bucket);
693 			return TransportAmazonS3.S3_SCHEME + "://" + JGIT_USER + "@"
694 					+ bucket + "/" + JGIT_REPO_DIR;
695 		}
696 
697 		/**
698 		 * Create S3 repository folder.
699 		 *
700 		 * @throws Exception
701 		 */
702 		static void remoteCreate() throws Exception {
703 			Properties props = Props.discover();
704 			props.remove(AmazonS3.Keys.PASSWORD); // Disable encryption.
705 			String bucket = props.getProperty(Names.TEST_BUCKET);
706 			AmazonS3 s3 = new AmazonS3(props);
707 			String path = JGIT_REMOTE_DIR + "/";
708 			s3.put(bucket, path, new byte[0]);
709 			logger.debug("remote create: " + JGIT_REMOTE_DIR);
710 		}
711 
712 		/**
713 		 * Delete S3 repository folder.
714 		 *
715 		 * @throws Exception
716 		 */
717 		static void remoteDelete() throws Exception {
718 			Properties props = Props.discover();
719 			props.remove(AmazonS3.Keys.PASSWORD); // Disable encryption.
720 			String bucket = props.getProperty(Names.TEST_BUCKET);
721 			AmazonS3 s3 = new AmazonS3(props);
722 			List<String> list = s3.list(bucket, JGIT_REMOTE_DIR);
723 			for (String path : list) {
724 				path = JGIT_REMOTE_DIR + "/" + path;
725 				s3.delete(bucket, path);
726 			}
727 			logger.debug("remote delete: " + JGIT_REMOTE_DIR);
728 		}
729 
730 		/**
731 		 * Verify if we can create/delete remote file.
732 		 *
733 		 * @throws Exception
734 		 */
735 		static void remoteVerify() throws Exception {
736 			Properties props = Props.discover();
737 			String bucket = props.getProperty(Names.TEST_BUCKET);
738 			AmazonS3 s3 = new AmazonS3(props);
739 			String file = JGIT_USER + "-" + UUID.randomUUID().toString();
740 			String path = JGIT_REMOTE_DIR + "/" + file;
741 			s3.put(bucket, path, file.getBytes(CHARSET));
742 			s3.delete(bucket, path);
743 		}
744 
745 		/**
746 		 * Verify if any security provider published the algorithm.
747 		 *
748 		 * @param algorithm
749 		 * @return result
750 		 */
751 		static boolean isAlgorithmPresent(String algorithm) {
752 			Set<String> cipherSet = Security.getAlgorithms("Cipher");
753 			for (String source : cipherSet) {
754 				// Standard names are not case-sensitive.
755 				// http://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html
756 				String target = algorithm.toUpperCase(Locale.ROOT);
757 				if (source.equalsIgnoreCase(target)) {
758 					return true;
759 				}
760 			}
761 			return false;
762 		}
763 
764 		static boolean isAlgorithmPresent(Properties props) {
765 			String profile = props.getProperty(AmazonS3.Keys.CRYPTO_ALG);
766 			String version = props.getProperty(AmazonS3.Keys.CRYPTO_VER,
767 					WalkEncryption.Vals.DEFAULT_VERS);
768 			String cryptoAlgo;
769 			String keyAlgo;
770 			switch (version) {
771 			case WalkEncryption.Vals.DEFAULT_VERS:
772 			case WalkEncryption.JGitV1.VERSION:
773 				cryptoAlgo = profile;
774 				keyAlgo = profile;
775 				break;
776 			case WalkEncryption.JGitV2.VERSION:
777 				cryptoAlgo = props
778 						.getProperty(profile + WalkEncryption.Keys.X_ALGO);
779 				keyAlgo = props
780 						.getProperty(profile + WalkEncryption.Keys.X_KEY_ALGO);
781 				break;
782 			default:
783 				return false;
784 			}
785 			try {
786 				InsecureCipherFactory.create(cryptoAlgo);
787 				SecretKeyFactory.getInstance(keyAlgo);
788 				return true;
789 			} catch (Throwable e) {
790 				return false;
791 			}
792 		}
793 
794 		/**
795 		 * Verify if JRE security policy allows the algorithm.
796 		 *
797 		 * @param algorithm
798 		 * @return result
799 		 */
800 		static boolean isAlgorithmAllowed(String algorithm) {
801 			try {
802 				WalkEncryption crypto = new WalkEncryption.JetS3tV2(
803 						algorithm, JGIT_PASS);
804 				verifyCrypto(crypto);
805 				return true;
806 			} catch (IOException e) {
807 				return false; // Encryption failure.
808 			} catch (GeneralSecurityException e) {
809 				throw new Error(e); // Construction failure.
810 			}
811 		}
812 
813 		static boolean isAlgorithmAllowed(Properties props) {
814 			try {
815 				WalkEncryption.instance(props);
816 				return true;
817 			} catch (GeneralSecurityException e) {
818 				return false;
819 			}
820 		}
821 
822 		/**
823 		 * Verify round trip encryption.
824 		 *
825 		 * @param crypto
826 		 * @throws IOException
827 		 */
828 		static void verifyCrypto(WalkEncryption crypto) throws IOException {
829 			String charset = "UTF-8";
830 			String sourceText = "secret-message Свобода 老子";
831 			String targetText;
832 			byte[] cipherText;
833 			{
834 				byte[] origin = sourceText.getBytes(charset);
835 				ByteArrayOutputStream target = new ByteArrayOutputStream();
836 				try (OutputStream source = crypto.encrypt(target)) {
837 					source.write(origin);
838 					source.flush();
839 				}
840 				cipherText = target.toByteArray();
841 			}
842 			{
843 				InputStream source = new ByteArrayInputStream(cipherText);
844 				InputStream target = crypto.decrypt(source);
845 				ByteArrayOutputStream result = new ByteArrayOutputStream();
846 				transferStream(target, result);
847 				targetText = result.toString(charset);
848 			}
849 			assertEquals(sourceText, targetText);
850 		}
851 
852 		/**
853 		 * Algorithm is testable when it is present and allowed by policy.
854 		 *
855 		 * @param algorithm
856 		 * @return result
857 		 */
858 		static boolean isAlgorithmTestable(String algorithm) {
859 			return isAlgorithmPresent(algorithm)
860 					&& isAlgorithmAllowed(algorithm);
861 		}
862 
863 		static boolean isAlgorithmTestable(Properties props) {
864 			return isAlgorithmPresent(props) && isAlgorithmAllowed(props);
865 		}
866 
867 		/**
868 		 * Log algorithm, provider, testability.
869 		 *
870 		 * @param algorithm
871 		 * @throws Exception
872 		 */
873 		static void reportAlgorithmStatus(String algorithm) throws Exception {
874 			final boolean present = isAlgorithmPresent(algorithm);
875 			final boolean allowed = present && isAlgorithmAllowed(algorithm);
876 			final String provider = present ? securityProviderName(algorithm)
877 					: "N/A";
878 			String status = "Algorithm: " + algorithm + " @ " + provider + "; "
879 					+ "present/allowed : " + present + "/" + allowed;
880 			if (allowed) {
881 				logger.info("Testing " + status);
882 			} else {
883 				logger.warn("Missing " + status);
884 			}
885 		}
886 
887 		static void reportAlgorithmStatus(Properties props) throws Exception {
888 			final boolean present = isAlgorithmPresent(props);
889 			final boolean allowed = present && isAlgorithmAllowed(props);
890 
891 			String profile = props.getProperty(AmazonS3.Keys.CRYPTO_ALG);
892 			String version = props.getProperty(AmazonS3.Keys.CRYPTO_VER);
893 
894 			StringBuilder status = new StringBuilder();
895 			status.append(" Version: " + version);
896 			status.append(" Profile: " + profile);
897 			status.append(" Present: " + present);
898 			status.append(" Allowed: " + allowed);
899 
900 			if (allowed) {
901 				logger.info("Testing " + status);
902 			} else {
903 				logger.warn("Missing " + status);
904 			}
905 		}
906 
907 		/**
908 		 * Verify if we can perform remote tests.
909 		 *
910 		 * @return result
911 		 */
912 		static boolean isTestConfigPresent() {
913 			try {
914 				Props.discover();
915 				return true;
916 			} catch (Throwable e) {
917 				return false;
918 			}
919 		}
920 
921 		static void reportTestConfigPresent() {
922 			if (isTestConfigPresent()) {
923 				logger.info("Amazon S3 test configuration is present.");
924 			} else {
925 				logger.error(
926 						"Amazon S3 test configuration is missing, tests will not run.");
927 			}
928 		}
929 
930 		/**
931 		 * Log public address of CI.
932 		 *
933 		 * @throws Exception
934 		 */
935 		static void reportPublicAddress() throws Exception {
936 			logger.info("Public address: " + publicAddress());
937 		}
938 
939 		/**
940 		 * BouncyCastle provider class.
941 		 *
942 		 * Needs extra dependency, see pom.xml
943 		 */
944 		// http://search.maven.org/#artifactdetails%7Corg.bouncycastle%7Cbcprov-jdk15on%7C1.52%7Cjar
945 		static final String PROVIDER_BC = "org.bouncycastle.jce.provider.BouncyCastleProvider";
946 
947 		/**
948 		 * Load BouncyCastle provider if present.
949 		 */
950 		static void loadBouncyCastle() {
951 			try {
952 				Class<?> provider = Class.forName(PROVIDER_BC);
953 				Provider instance = (Provider) provider
954 						.getConstructor(new Class[] {})
955 						.newInstance(new Object[] {});
956 				Security.addProvider(instance);
957 				logger.info("Loaded " + PROVIDER_BC);
958 			} catch (Throwable e) {
959 				logger.warn("Failed to load " + PROVIDER_BC);
960 			}
961 		}
962 
963 		static void reportLongTests() {
964 			if (permitLongTests()) {
965 				logger.info("Long running tests are enabled.");
966 			} else {
967 				logger.warn("Long running tests are disabled.");
968 			}
969 		}
970 
971 		/**
972 		 * Non-PBE algorithm, for error check.
973 		 */
974 		static final String ALGO_ERROR = "PBKDF2WithHmacSHA1";
975 
976 		/**
977 		 * Default JetS3t algorithm present in most JRE.
978 		 */
979 		static final String ALGO_JETS3T = "PBEWithMD5AndDES";
980 
981 		/**
982 		 * Minimal strength AES based algorithm present in most JRE.
983 		 */
984 		static final String ALGO_MINIMAL_AES = "PBEWithHmacSHA1AndAES_128";
985 
986 		/**
987 		 * Selected non-AES algorithm present in BouncyCastle provider.
988 		 */
989 		static final String ALGO_BOUNCY_CASTLE_CBC = "PBEWithSHAAndTwofish-CBC";
990 
991 		//////////////////////////////////////////////////
992 
993 		@BeforeClass
994 		public static void initialize() throws Exception {
995 			Transport.register(TransportAmazonS3.PROTO_S3);
996 			proxySetup();
997 			reportPolicy();
998 			reportLongTests();
999 			reportPublicAddress();
1000 			reportTestConfigPresent();
1001 			loadBouncyCastle();
1002 			if (isTestConfigPresent()) {
1003 				remoteCreate();
1004 			}
1005 		}
1006 
1007 		@AfterClass
1008 		public static void terminate() throws Exception {
1009 			configDelete();
1010 			folderDelete(JGIT_LOCAL_DIR);
1011 			if (isTestConfigPresent()) {
1012 				remoteDelete();
1013 			}
1014 		}
1015 
1016 		@Before
1017 		@Override
1018 		public void setUp() throws Exception {
1019 			super.setUp();
1020 		}
1021 
1022 		@After
1023 		@Override
1024 		public void tearDown() throws Exception {
1025 			super.tearDown();
1026 		}
1027 
1028 		/**
1029 		 * Optional encrypted amazon remote JGIT life cycle test.
1030 		 *
1031 		 * @param props
1032 		 * @throws Exception
1033 		 */
1034 		void cryptoTestIfCan(Properties props) throws Exception {
1035 			reportAlgorithmStatus(props);
1036 			assumeTrue(isTestConfigPresent());
1037 			assumeTrue(isAlgorithmTestable(props));
1038 			cryptoTest(props);
1039 		}
1040 
1041 		/**
1042 		 * Required encrypted amazon remote JGIT life cycle test.
1043 		 *
1044 		 * @param props
1045 		 * @throws Exception
1046 		 */
1047 		void cryptoTest(Properties props) throws Exception {
1048 
1049 			remoteDelete();
1050 			configCreate(props);
1051 			folderDelete(JGIT_LOCAL_DIR);
1052 
1053 			String uri = amazonURI();
1054 
1055 			// Local repositories.
1056 			File dirOne = db.getWorkTree(); // Provided by setup.
1057 			File dirTwo = new File(JGIT_LOCAL_DIR);
1058 
1059 			// Local verification files.
1060 			String nameStatic = "master.txt"; // Provided by setup.
1061 			String nameDynamic = JGIT_USER + "-" + UUID.randomUUID().toString();
1062 
1063 			String remote = "remote";
1064 			RefSpec specs = new RefSpec("refs/heads/master:refs/heads/master");
1065 
1066 			{ // Push into remote from local one.
1067 
1068 				StoredConfig config = db.getConfig();
1069 				RemoteConfig remoteConfig = new RemoteConfig(config, remote);
1070 				remoteConfig.addURI(new URIish(uri));
1071 				remoteConfig.update(config);
1072 				config.save();
1073 
1074 				try (Git git = Git.open(dirOne)) {
1075 					git.checkout().setName("master").call();
1076 					git.push().setRemote(remote).setRefSpecs(specs).call();
1077 				}
1078 
1079 				File fileStatic = new File(dirOne, nameStatic);
1080 				assertTrue("Provided by setup", fileStatic.exists());
1081 
1082 			}
1083 
1084 			{ // Clone from remote into local two.
1085 
1086 				File fileStatic = new File(dirTwo, nameStatic);
1087 				assertFalse("Not Provided by setup", fileStatic.exists());
1088 
1089 				try (Git git = Git.cloneRepository().setURI(uri)
1090 						.setDirectory(dirTwo).call()) {
1091 					assertTrue("Provided by clone", fileStatic.exists());
1092 				}
1093 
1094 			}
1095 
1096 			{ // Verify static file content.
1097 				File fileOne = new File(dirOne, nameStatic);
1098 				File fileTwo = new File(dirTwo, nameStatic);
1099 				verifyFileContent(fileOne, fileTwo);
1100 			}
1101 
1102 			{ // Verify new file commit and push from local one.
1103 
1104 				File fileDynamic = new File(dirOne, nameDynamic);
1105 				assertFalse("Not Provided by setup", fileDynamic.exists());
1106 				FileUtils.createNewFile(fileDynamic);
1107 				textWrite(fileDynamic, nameDynamic);
1108 				assertTrue("Provided by create", fileDynamic.exists());
1109 				assertTrue("Need content to encrypt", fileDynamic.length() > 0);
1110 
1111 				try (Git git = Git.open(dirOne)) {
1112 					git.add().addFilepattern(nameDynamic).call();
1113 					git.commit().setMessage(nameDynamic).call();
1114 					git.push().setRemote(remote).setRefSpecs(specs).call();
1115 				}
1116 
1117 			}
1118 
1119 			{ // Verify new file pull from remote into local two.
1120 
1121 				File fileDynamic = new File(dirTwo, nameDynamic);
1122 				assertFalse("Not Provided by setup", fileDynamic.exists());
1123 
1124 				try (Git git = Git.open(dirTwo)) {
1125 					git.pull().call();
1126 				}
1127 
1128 				assertTrue("Provided by pull", fileDynamic.exists());
1129 			}
1130 
1131 			{ // Verify dynamic file content.
1132 				File fileOne = new File(dirOne, nameDynamic);
1133 				File fileTwo = new File(dirTwo, nameDynamic);
1134 				verifyFileContent(fileOne, fileTwo);
1135 			}
1136 
1137 		}
1138 
1139 	}
1140 
1141 	/**
1142 	 * Verify prerequisites.
1143 	 */
1144 	@FixMethodOrder(MethodSorters.NAME_ASCENDING)
1145 	public static class Required extends Base {
1146 
1147 		@Test
1148 		public void test_A1_ValidURI() throws Exception {
1149 			assumeTrue(isTestConfigPresent());
1150 			URIish uri = new URIish(amazonURI());
1151 			assertTrue("uri=" + uri, TransportAmazonS3.PROTO_S3.canHandle(uri));
1152 		}
1153 
1154 		@Test(expected = Exception.class)
1155 		public void test_A2_CryptoError() throws Exception {
1156 			assumeTrue(isTestConfigPresent());
1157 			Properties props = new Properties();
1158 			props.put(AmazonS3.Keys.CRYPTO_ALG, ALGO_ERROR);
1159 			props.put(AmazonS3.Keys.PASSWORD, JGIT_PASS);
1160 			cryptoTest(props);
1161 		}
1162 
1163 	}
1164 
1165 	/**
1166 	 * Test minimal set of algorithms.
1167 	 */
1168 	@FixMethodOrder(MethodSorters.NAME_ASCENDING)
1169 	public static class MinimalSet extends Base {
1170 
1171 		@Test
1172 		public void test_V0_Java7_JET() throws Exception {
1173 			assumeTrue(isTestConfigPresent());
1174 			Properties props = new Properties();
1175 			props.put(AmazonS3.Keys.CRYPTO_ALG, ALGO_JETS3T);
1176 			// Do not set version.
1177 			props.put(AmazonS3.Keys.PASSWORD, JGIT_PASS);
1178 			cryptoTestIfCan(props);
1179 		}
1180 
1181 		@Test
1182 		public void test_V1_Java7_GIT() throws Exception {
1183 			assumeTrue(isTestConfigPresent());
1184 			Properties props = new Properties();
1185 			props.put(AmazonS3.Keys.CRYPTO_ALG, ALGO_JETS3T);
1186 			props.put(AmazonS3.Keys.CRYPTO_VER, "1");
1187 			props.put(AmazonS3.Keys.PASSWORD, JGIT_PASS);
1188 			cryptoTestIfCan(props);
1189 		}
1190 
1191 		@Test
1192 		public void test_V2_Java7_AES() throws Exception {
1193 			assumeTrue(isTestConfigPresent());
1194 			// String profile = "default";
1195 			String profile = "AES/CBC/PKCS5Padding+PBKDF2WithHmacSHA1";
1196 			Properties props = new Properties();
1197 			props.put(AmazonS3.Keys.CRYPTO_ALG, profile);
1198 			props.put(AmazonS3.Keys.CRYPTO_VER, "2");
1199 			props.put(AmazonS3.Keys.PASSWORD, JGIT_PASS);
1200 			props.put(profile + WalkEncryption.Keys.X_ALGO, "AES/CBC/PKCS5Padding");
1201 			props.put(profile + WalkEncryption.Keys.X_KEY_ALGO, "PBKDF2WithHmacSHA1");
1202 			props.put(profile + WalkEncryption.Keys.X_KEY_SIZE, "128");
1203 			props.put(profile + WalkEncryption.Keys.X_KEY_ITER, "10000");
1204 			props.put(profile + WalkEncryption.Keys.X_KEY_SALT, "e2 55 89 67 8e 8d e8 4c");
1205 			cryptoTestIfCan(props);
1206 		}
1207 
1208 		@Test
1209 		public void test_V2_Java8_PBE_AES() throws Exception {
1210 			assumeTrue(isTestConfigPresent());
1211 			String profile = "PBEWithHmacSHA512AndAES_256";
1212 			Properties props = new Properties();
1213 			props.put(AmazonS3.Keys.CRYPTO_ALG, profile);
1214 			props.put(AmazonS3.Keys.CRYPTO_VER, "2");
1215 			props.put(AmazonS3.Keys.PASSWORD, JGIT_PASS);
1216 			props.put(profile + WalkEncryption.Keys.X_ALGO, "PBEWithHmacSHA512AndAES_256");
1217 			props.put(profile + WalkEncryption.Keys.X_KEY_ALGO, "PBEWithHmacSHA512AndAES_256");
1218 			props.put(profile + WalkEncryption.Keys.X_KEY_SIZE, "256");
1219 			props.put(profile + WalkEncryption.Keys.X_KEY_ITER, "10000");
1220 			props.put(profile + WalkEncryption.Keys.X_KEY_SALT, "e2 55 89 67 8e 8d e8 4c");
1221 			policySetup(false);
1222 			cryptoTestIfCan(props);
1223 		}
1224 
1225 	}
1226 
1227 	/**
1228 	 * Test all present and allowed PBE algorithms.
1229 	 */
1230 	// https://github.com/junit-team/junit/wiki/Parameterized-tests
1231 	@RunWith(Parameterized.class)
1232 	@FixMethodOrder(MethodSorters.NAME_ASCENDING)
1233 	public static class TestablePBE extends Base {
1234 
1235 		@Parameters(name = "Profile: {0}   Version: {1}")
1236 		public static Collection<Object[]> argsList() {
1237 			List<String> algorithmList = new ArrayList<>();
1238 			algorithmList.addAll(cryptoCipherListPBE());
1239 
1240 			List<String> versionList = new ArrayList<>();
1241 			versionList.add("0");
1242 			versionList.add("1");
1243 
1244 			return product(algorithmList, versionList);
1245 		}
1246 
1247 		final String profile;
1248 
1249 		final String version;
1250 
1251 		final String password = JGIT_PASS;
1252 
1253 		public TestablePBE(String profile, String version) {
1254 			this.profile = profile;
1255 			this.version = version;
1256 		}
1257 
1258 		@Test
1259 		public void testCrypto() throws Exception {
1260 			assumeTrue(permitLongTests());
1261 			Properties props = new Properties();
1262 			props.put(AmazonS3.Keys.CRYPTO_ALG, profile);
1263 			props.put(AmazonS3.Keys.CRYPTO_VER, version);
1264 			props.put(AmazonS3.Keys.PASSWORD, password);
1265 			cryptoTestIfCan(props);
1266 		}
1267 
1268 	}
1269 
1270 	/**
1271 	 * Test all present and allowed transformation algorithms.
1272 	 */
1273 	// https://github.com/junit-team/junit/wiki/Parameterized-tests
1274 	@RunWith(Parameterized.class)
1275 	@FixMethodOrder(MethodSorters.NAME_ASCENDING)
1276 	public static class TestableTransformation extends Base {
1277 
1278 		@Parameters(name = "Profile: {0}   Version: {1}")
1279 		public static Collection<Object[]> argsList() {
1280 			List<String> algorithmList = new ArrayList<>();
1281 			algorithmList.addAll(cryptoCipherListTrans());
1282 
1283 			List<String> versionList = new ArrayList<>();
1284 			versionList.add("1");
1285 
1286 			return product(algorithmList, versionList);
1287 		}
1288 
1289 		final String profile;
1290 
1291 		final String version;
1292 
1293 		final String password = JGIT_PASS;
1294 
1295 		public TestableTransformation(String profile, String version) {
1296 			this.profile = profile;
1297 			this.version = version;
1298 		}
1299 
1300 		@Test
1301 		public void testCrypto() throws Exception {
1302 			assumeTrue(permitLongTests());
1303 			Properties props = new Properties();
1304 			props.put(AmazonS3.Keys.CRYPTO_ALG, profile);
1305 			props.put(AmazonS3.Keys.CRYPTO_VER, version);
1306 			props.put(AmazonS3.Keys.PASSWORD, password);
1307 			cryptoTestIfCan(props);
1308 		}
1309 
1310 	}
1311 
1312 }