1   /*
2    * Copyright (C) 2015, Andrei Pozolotin.
3    * and other copyright owners as documented in the project's IP log.
4    *
5    * This program and the accompanying materials are made available
6    * under the terms of the Eclipse Distribution License v1.0 which
7    * accompanies this distribution, is reproduced below, and is
8    * available at http://www.eclipse.org/org/documents/edl-v10.php
9    *
10   * All rights reserved.
11   *
12   * Redistribution and use in source and binary forms, with or
13   * without modification, are permitted provided that the following
14   * conditions are met:
15   *
16   * - Redistributions of source code must retain the above copyright
17   *   notice, this list of conditions and the following disclaimer.
18   *
19   * - Redistributions in binary form must reproduce the above
20   *   copyright notice, this list of conditions and the following
21   *   disclaimer in the documentation and/or other materials provided
22   *   with the distribution.
23   *
24   * - Neither the name of the Eclipse Foundation, Inc. nor the
25   *   names of its contributors may be used to endorse or promote
26   *   products derived from this software without specific prior
27   *   written permission.
28   *
29   * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
30   * CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
31   * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
32   * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
33   * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
34   * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
35   * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
36   * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
37   * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
38   * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
39   * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
40   * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
41   * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
42   */
43  
44  package org.eclipse.jgit.transport;
45  
46  import static java.nio.charset.StandardCharsets.UTF_8;
47  import static org.eclipse.jgit.transport.WalkEncryptionTest.Util.cryptoCipherListPBE;
48  import static org.eclipse.jgit.transport.WalkEncryptionTest.Util.cryptoCipherListTrans;
49  import static org.eclipse.jgit.transport.WalkEncryptionTest.Util.folderDelete;
50  import static org.eclipse.jgit.transport.WalkEncryptionTest.Util.permitLongTests;
51  import static org.eclipse.jgit.transport.WalkEncryptionTest.Util.policySetup;
52  import static org.eclipse.jgit.transport.WalkEncryptionTest.Util.product;
53  import static org.eclipse.jgit.transport.WalkEncryptionTest.Util.proxySetup;
54  import static org.eclipse.jgit.transport.WalkEncryptionTest.Util.publicAddress;
55  import static org.eclipse.jgit.transport.WalkEncryptionTest.Util.reportPolicy;
56  import static org.eclipse.jgit.transport.WalkEncryptionTest.Util.securityProviderName;
57  import static org.eclipse.jgit.transport.WalkEncryptionTest.Util.textWrite;
58  import static org.eclipse.jgit.transport.WalkEncryptionTest.Util.transferStream;
59  import static org.eclipse.jgit.transport.WalkEncryptionTest.Util.verifyFileContent;
60  import static org.junit.Assert.assertEquals;
61  import static org.junit.Assert.assertFalse;
62  import static org.junit.Assert.assertNotNull;
63  import static org.junit.Assert.assertTrue;
64  import static org.junit.Assume.assumeTrue;
65  
66  import java.io.BufferedReader;
67  import java.io.ByteArrayInputStream;
68  import java.io.ByteArrayOutputStream;
69  import java.io.File;
70  import java.io.FileInputStream;
71  import java.io.IOException;
72  import java.io.InputStream;
73  import java.io.InputStreamReader;
74  import java.io.OutputStream;
75  import java.io.PrintWriter;
76  import java.net.SocketTimeoutException;
77  import java.net.URL;
78  import java.net.URLConnection;
79  import java.net.UnknownHostException;
80  import java.nio.file.Files;
81  import java.security.GeneralSecurityException;
82  import java.security.Provider;
83  import java.security.Security;
84  import java.util.ArrayList;
85  import java.util.Collection;
86  import java.util.List;
87  import java.util.Locale;
88  import java.util.Properties;
89  import java.util.Set;
90  import java.util.TreeSet;
91  import java.util.UUID;
92  
93  import javax.crypto.SecretKeyFactory;
94  
95  import org.eclipse.jgit.api.Git;
96  import org.eclipse.jgit.lib.StoredConfig;
97  import org.eclipse.jgit.test.resources.SampleDataRepositoryTestCase;
98  import org.eclipse.jgit.util.FileUtils;
99  import org.junit.After;
100 import org.junit.AfterClass;
101 import org.junit.Before;
102 import org.junit.BeforeClass;
103 import org.junit.FixMethodOrder;
104 import org.junit.Test;
105 import org.junit.runner.RunWith;
106 import org.junit.runners.MethodSorters;
107 import org.junit.runners.Parameterized;
108 import org.junit.runners.Parameterized.Parameters;
109 import org.junit.runners.Suite;
110 import org.slf4j.Logger;
111 import org.slf4j.LoggerFactory;
112 
113 /**
114  * Amazon S3 encryption pipeline test.
115  *
116  * See {@link AmazonS3} {@link WalkEncryption}
117  *
118  * Note: CI server must provide amazon credentials (access key, secret key,
119  * bucket name) via one of methods available in {@link Names}.
120  *
121  * Note: long running tests are activated by Maven profile "test.long". There is
122  * also a separate Eclipse m2e launcher for that. See 'pom.xml' and
123  * 'WalkEncryptionTest.launch'.
124  */
125 @RunWith(Suite.class)
126 @Suite.SuiteClasses({ //
127 		WalkEncryptionTest.Required.class, //
128 		WalkEncryptionTest.MinimalSet.class, //
129 		WalkEncryptionTest.TestablePBE.class, //
130 		WalkEncryptionTest.TestableTransformation.class, //
131 })
132 public class WalkEncryptionTest {
133 
/**
 * Logger shared by every nested test class and helper in this file.
 * Configuration lives in ${project_loc}/tst-rsrc/log4j.properties.
 * Nothing logged through it should contain the S3 access key, secret key or
 * the session password.
 */
static final Logger logger = LoggerFactory
		.getLogger(WalkEncryptionTest.class);
138 
/**
 * Names of the properties, environment variables, system properties and
 * configuration files consulted when looking up the S3 test credentials.
 */
interface Names {

	/** Property holding the bucket used by this test (custom name). */
	String TEST_BUCKET = "test.bucket";

	/** CI environment variable carrying the access key. */
	String ENV_ACCESS_KEY = "JGIT_S3_ACCESS_KEY";

	/** CI environment variable carrying the secret key. */
	String ENV_SECRET_KEY = "JGIT_S3_SECRET_KEY";

	/** CI environment variable carrying the bucket name. */
	String ENV_BUCKET_NAME = "JGIT_S3_BUCKET_NAME";

	/** CI environment variable carrying the path of a properties file. */
	String ENV_CONFIG_FILE = "JGIT_S3_CONFIG_FILE";

	/** CI system property carrying the access key. */
	String SYS_ACCESS_KEY = "jgit.s3.access.key";

	/** CI system property carrying the secret key. */
	String SYS_SECRET_KEY = "jgit.s3.secret.key";

	/** CI system property carrying the bucket name. */
	String SYS_BUCKET_NAME = "jgit.s3.bucket.name";

	/** CI system property carrying the path of a properties file. */
	String SYS_CONFIG_FILE = "jgit.s3.config.file";

	/**
	 * Hard coded name of the test properties file. The format follows
	 * AmazonS3.Keys; required entries:
	 *
	 * <pre>
	 * accesskey = your-amazon-access-key # default AmazonS3.Keys
	 * secretkey = your-amazon-secret-key # default AmazonS3.Keys
	 * test.bucket = your-bucket-for-testing # custom name, for this test
	 * </pre>
	 *
	 * The file holds live credentials, so it should stay out of version
	 * control and be readable by the build user only.
	 */
	String CONFIG_FILE = "jgit-s3-config.properties";

	/** Properties file location under [user home]. */
	String HOME_CONFIG_FILE = System.getProperty("user.home") + File.separator + CONFIG_FILE;

	/** Properties file location under [project work directory]. */
	String WORK_CONFIG_FILE = System.getProperty("user.dir") + File.separator + CONFIG_FILE;

	/** Properties file location under [project test source directory]. */
	String TEST_CONFIG_FILE = System.getProperty("user.dir") + File.separator + "tst-rsrc"
			+ File.separator + CONFIG_FILE;

}
194 
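/**
 * Finds the S3 test properties (access key, secret key, bucket) by trying a
 * fixed list of sources in order of priority; see {@link #discover()}.
 * <p>
 * The returned properties contain live credentials. This class only logs
 * which source was used, never the values.
 */
static class Props implements WalkEncryptionTest.Names, AmazonS3.Keys {

	/**
	 * @param name
	 *            environment variable name
	 * @return true when the variable is set
	 */
	static boolean haveEnvVar(String name) {
		return System.getenv(name) != null;
	}

	/**
	 * @param name
	 *            environment variable whose value is a file path
	 * @return true when the variable is set and the file it points to exists
	 */
	static boolean haveEnvVarFile(String name) {
		// The path is the variable's value; testing new File(name) would
		// look for a file literally called like the variable.
		String path = System.getenv(name);
		return path != null && new File(path).exists();
	}

	/**
	 * @param name
	 *            system property name
	 * @return true when the property is set
	 */
	static boolean haveSysProp(String name) {
		return System.getProperty(name) != null;
	}

	/**
	 * @param name
	 *            system property whose value is a file path
	 * @return true when the property is set and the file it points to exists
	 */
	static boolean haveSysPropFile(String name) {
		String path = System.getProperty(name);
		return path != null && new File(path).exists();
	}

	/**
	 * Copy environment variable {@code source} into {@code props} under key
	 * {@code target}. The variable must be set: Properties rejects null.
	 *
	 * @param source
	 * @param target
	 * @param props
	 */
	static void loadEnvVar(String source, String target, Properties props) {
		props.put(target, System.getenv(source));
	}

	/**
	 * Copy system property {@code source} into {@code props} under key
	 * {@code target}. The property must be set: Properties rejects null.
	 *
	 * @param source
	 * @param target
	 * @param props
	 */
	static void loadSysProp(String source, String target,
			Properties props) {
		props.put(target, System.getProperty(source));
	}

	static boolean haveProp(String name, Properties props) {
		return props.containsKey(name);
	}

	/**
	 * @param props
	 * @return true when access key, secret key and test bucket are all present
	 */
	static boolean checkTestProps(Properties props) {
		return haveProp(ACCESS_KEY, props) && haveProp(SECRET_KEY, props)
				&& haveProp(TEST_BUCKET, props);
	}

	/**
	 * Load a properties file, closing the stream even when parsing fails.
	 *
	 * @param file
	 * @return loaded properties
	 * @throws IOException
	 */
	private static Properties loadFile(File file) throws IOException {
		Properties props = new Properties();
		try (InputStream in = new FileInputStream(file)) {
			props.load(in);
		}
		return props;
	}

	/**
	 * @return properties built from the three environment variables, or null
	 *         unless all of them are set
	 */
	static Properties fromEnvVars() {
		if (haveEnvVar(ENV_ACCESS_KEY) && haveEnvVar(ENV_SECRET_KEY)
				&& haveEnvVar(ENV_BUCKET_NAME)) {
			Properties props = new Properties();
			loadEnvVar(ENV_ACCESS_KEY, ACCESS_KEY, props);
			loadEnvVar(ENV_SECRET_KEY, SECRET_KEY, props);
			loadEnvVar(ENV_BUCKET_NAME, TEST_BUCKET, props);
			return props;
		}
		return null;
	}

	/**
	 * @return properties read from the file named by the environment
	 *         variable, or null when the variable or the file is missing
	 * @throws Exception
	 */
	static Properties fromEnvFile() throws Exception {
		if (!haveEnvVarFile(ENV_CONFIG_FILE)) {
			return null;
		}
		Properties props = loadFile(new File(System.getenv(ENV_CONFIG_FILE)));
		if (!checkTestProps(props)) {
			throw new Error("Environment config file is incomplete.");
		}
		return props;
	}

	/**
	 * @return properties built from the three system properties, or null
	 *         unless all of them are set
	 */
	static Properties fromSysProps() {
		if (haveSysProp(SYS_ACCESS_KEY) && haveSysProp(SYS_SECRET_KEY)
				&& haveSysProp(SYS_BUCKET_NAME)) {
			Properties props = new Properties();
			loadSysProp(SYS_ACCESS_KEY, ACCESS_KEY, props);
			loadSysProp(SYS_SECRET_KEY, SECRET_KEY, props);
			loadSysProp(SYS_BUCKET_NAME, TEST_BUCKET, props);
			return props;
		}
		return null;
	}

	/**
	 * @return properties read from the file named by the system property, or
	 *         null when the property or the file is missing
	 * @throws Exception
	 */
	static Properties fromSysFile() throws Exception {
		if (!haveSysPropFile(SYS_CONFIG_FILE)) {
			return null;
		}
		Properties props = loadFile(
				new File(System.getProperty(SYS_CONFIG_FILE)));
		if (!checkTestProps(props)) {
			throw new Error("System props config file is incomplete.");
		}
		return props;
	}

	/**
	 * @param path
	 *            location of a properties file
	 * @return properties read from the file, or null when it does not exist
	 * @throws Exception
	 */
	static Properties fromConfigFile(String path) throws Exception {
		File file = new File(path);
		if (!file.exists()) {
			return null;
		}
		Properties props = loadFile(file);
		if (!checkTestProps(props)) {
			throw new Error("Props config file is incomplete: " + path);
		}
		return props;
	}

	/**
	 * Find test properties from various sources in order of priority:
	 * environment variables, environment variable config file, system
	 * properties, system property config file, then the hard coded file in
	 * user home, work directory and test source directory.
	 *
	 * @return result, never null
	 * @throws Exception
	 *             when a source exists but cannot be read; an {@link Error}
	 *             is thrown when a file is incomplete or no source is found
	 */
	static Properties discover() throws Exception {
		Properties props;
		if ((props = fromEnvVars()) != null) {
			logger.debug(
					"Using test properties from environment variables.");
			return props;
		}
		if ((props = fromEnvFile()) != null) {
			logger.debug(
					"Using test properties from environment variable config file.");
			return props;
		}
		if ((props = fromSysProps()) != null) {
			logger.debug("Using test properties from system properties.");
			return props;
		}
		if ((props = fromSysFile()) != null) {
			logger.debug(
					"Using test properties from system property config file.");
			return props;
		}
		if ((props = fromConfigFile(HOME_CONFIG_FILE)) != null) {
			logger.debug(
					"Using test properties from hard coded ${user.home} file.");
			return props;
		}
		if ((props = fromConfigFile(WORK_CONFIG_FILE)) != null) {
			logger.debug(
					"Using test properties from hard coded ${user.dir} file.");
			return props;
		}
		if ((props = fromConfigFile(TEST_CONFIG_FILE)) != null) {
			logger.debug(
					"Using test properties from hard coded ${project.source} file.");
			return props;
		}
		throw new Error("Can not load test properties form any source.");
	}

}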
349 
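/**
 * Collection of test utility methods: file and stream helpers, cipher
 * discovery, proxy setup for CI and JCE policy toggling.
 */
static class Util {

	/**
	 * Read UTF-8 encoded text file into string.
	 *
	 * @param file
	 * @return result
	 * @throws Exception
	 */
	static String textRead(File file) throws Exception {
		return new String(Files.readAllBytes(file.toPath()), UTF_8);
	}

	/**
	 * Write string into UTF-8 encoded file.
	 *
	 * @param file
	 * @param text
	 * @throws Exception
	 */
	static void textWrite(File file, String text) throws Exception {
		Files.write(file.toPath(), text.getBytes(UTF_8));
	}

	/**
	 * Assert that both files are non-empty and hold the same UTF-8 text.
	 *
	 * @param fileOne
	 * @param fileTwo
	 * @throws Exception
	 */
	static void verifyFileContent(File fileOne, File fileTwo)
			throws Exception {
		assertTrue(fileOne.length() > 0);
		assertTrue(fileTwo.length() > 0);
		String textOne = textRead(fileOne);
		String textTwo = textRead(fileTwo);
		assertEquals(textOne, textTwo);
	}

	/**
	 * Create local folder; fails the test when it cannot be created (this
	 * includes the case where it already exists).
	 *
	 * @param folder
	 * @throws Exception
	 */
	static void folderCreate(String folder) throws Exception {
		File path = new File(folder);
		assertTrue(path.mkdirs());
	}

	/**
	 * Delete local folder recursively; a missing folder is not an error.
	 *
	 * @param folder
	 * @throws Exception
	 */
	static void folderDelete(String folder) throws Exception {
		File path = new File(folder);
		FileUtils.delete(path,
				FileUtils.RECURSIVE | FileUtils.SKIP_MISSING);
	}

	/**
	 * Discover public address of CI server.
	 * <p>
	 * The answer arrives over plain HTTP and is not authenticated; treat it
	 * as diagnostic text for the log only.
	 *
	 * @return first line of the service response, or an explanatory message
	 *         when the host cannot be resolved or the request times out
	 * @throws Exception
	 *             on any other I/O failure
	 */
	static String publicAddress() throws Exception {
		try {
			String service = "http://checkip.amazonaws.com";
			URL url = new URL(service);
			URLConnection c = url.openConnection();
			// Short timeouts: this lookup is only informational.
			c.setConnectTimeout(500);
			c.setReadTimeout(500);
			try (BufferedReader reader = new BufferedReader(
					new InputStreamReader(c.getInputStream(), UTF_8))) {
				return reader.readLine();
			}
		} catch (UnknownHostException | SocketTimeoutException e) {
			return "Can't reach http://checkip.amazonaws.com to"
					+ " determine public address";
		}
	}

	/**
	 * Discover Password-Based Encryption (PBE) engines providing both
	 * [SecretKeyFactory] and [AlgorithmParameters].
	 *
	 * @return result
	 */
	// https://www.bouncycastle.org/specifications.html
	// https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html
	static List<String> cryptoCipherListPBE() {
		return cryptoCipherList(WalkEncryption.Vals.REGEX_PBE);
	}

	/**
	 * Discover cipher transformations matching
	 * WalkEncryption.Vals.REGEX_TRANS.
	 *
	 * @return result
	 */
	// TODO returns inconsistent list.
	static List<String> cryptoCipherListTrans() {
		return cryptoCipherList(WalkEncryption.Vals.REGEX_TRANS);
	}

	/**
	 * @param algorithm
	 *            SecretKeyFactory algorithm name
	 * @return name of the provider that supplies the algorithm
	 * @throws Exception
	 *             when no provider supplies it
	 */
	static String securityProviderName(String algorithm) throws Exception {
		return SecretKeyFactory.getInstance(algorithm).getProvider()
				.getName();
	}

	/**
	 * List the registered "Cipher" algorithm names that fully match the
	 * expression, upper-cased with the root locale.
	 *
	 * @param regex
	 *            expression applied to the upper-cased name
	 * @return sorted names without duplicates
	 */
	static List<String> cryptoCipherList(String regex) {
		// Compile once instead of once per algorithm name.
		java.util.regex.Pattern pattern = java.util.regex.Pattern
				.compile(regex);
		Set<String> target = new TreeSet<>();
		for (String algo : Security.getAlgorithms("Cipher")) {
			String upper = algo.toUpperCase(Locale.ROOT);
			if (pattern.matcher(upper).matches()) {
				target.add(upper);
			}
		}
		return new ArrayList<>(target);
	}

	/**
	 * Stream copy. Neither stream is closed.
	 *
	 * @param from
	 * @param into
	 * @return count of bytes copied
	 * @throws IOException
	 */
	static long transferStream(InputStream from, OutputStream into)
			throws IOException {
		byte[] array = new byte[1 * 1024];
		long total = 0;
		int count;
		while ((count = from.read(array)) != -1) {
			into.write(array, 0, count);
			total += count;
		}
		return total;
	}

	/**
	 * Port to use for a proxy URL: the explicit port, else the protocol
	 * default. {@link URL#getPort()} alone yields -1 for a URL without a
	 * port, which is not a usable proxy port.
	 *
	 * @param url
	 * @return port as text
	 */
	private static String proxyPort(URL url) {
		int port = url.getPort();
		return String.valueOf(port != -1 ? port : url.getDefaultPort());
	}

	/**
	 * Setup proxy during CI build, translating no_proxy, http_proxy and
	 * https_proxy (system property first, then environment variable) into
	 * the JVM networking properties.
	 *
	 * @throws Exception
	 */
	// https://wiki.eclipse.org/Hudson#Accessing_the_Internet_using_Proxy
	// http://docs.oracle.com/javase/7/docs/api/java/net/doc-files/net-properties.html
	static void proxySetup() throws Exception {
		String keyNoProxy = "no_proxy";
		String keyHttpProxy = "http_proxy";
		String keyHttpsProxy = "https_proxy";

		String no_proxy = System.getProperty(keyNoProxy,
				System.getenv(keyNoProxy));
		if (no_proxy != null) {
			System.setProperty("http.nonProxyHosts", no_proxy);
			logger.info("Proxy NOT: " + no_proxy);
		}

		String http_proxy = System.getProperty(keyHttpProxy,
				System.getenv(keyHttpProxy));
		if (http_proxy != null) {
			URL url = new URL(http_proxy);
			String port = proxyPort(url);
			System.setProperty("http.proxyHost", url.getHost());
			System.setProperty("http.proxyPort", port);
			// Log host and port only: a proxy URL may carry user:password.
			logger.info("Proxy HTTP: " + url.getHost() + ":" + port);
		}

		String https_proxy = System.getProperty(keyHttpsProxy,
				System.getenv(keyHttpsProxy));
		if (https_proxy != null) {
			URL url = new URL(https_proxy);
			String port = proxyPort(url);
			System.setProperty("https.proxyHost", url.getHost());
			System.setProperty("https.proxyPort", port);
			// Log host and port only: a proxy URL may carry user:password.
			logger.info("Proxy HTTPS: " + url.getHost() + ":" + port);
		}

		if (no_proxy == null && http_proxy == null && https_proxy == null) {
			logger.info("Proxy not used.");
		}

	}

	/**
	 * Permit long tests on CI or with manual activation.
	 *
	 * @return result
	 */
	static boolean permitLongTests() {
		return isBuildCI() || isProfileActive();
	}

	/**
	 * Using Maven profile activation, see pom.xml
	 *
	 * @return true when system property "jgit.test.long" parses as true
	 */
	static boolean isProfileActive() {
		return Boolean.parseBoolean(System.getProperty("jgit.test.long"));
	}

	/**
	 * Detect if build is running on CI.
	 *
	 * @return true when environment variable HUDSON_HOME is set
	 */
	static boolean isBuildCI() {
		return System.getenv("HUDSON_HOME") != null;
	}

	/**
	 * Look up the private static field javax.crypto.JceSecurity.isRestricted
	 * and make it accessible.
	 *
	 * @return the field
	 * @throws Exception
	 *             when the class or field is missing or access is refused
	 */
	private static java.lang.reflect.Field jceRestrictedField()
			throws Exception {
		java.lang.reflect.Field isRestricted = Class
				.forName("javax.crypto.JceSecurity")
				.getDeclaredField("isRestricted");
		isRestricted.setAccessible(true);
		return isRestricted;
	}

	/**
	 * Setup JCE security policy restrictions. Can remove restrictions when
	 * restrictions are present, but can not impose them when restrictions
	 * are missing.
	 * <p>
	 * This writes a JRE-internal flag by reflection and affects the whole
	 * JVM, so it belongs in test code only. Failure is logged and ignored.
	 *
	 * @param restrictedOn
	 */
	// http://www.docjar.com/html/api/javax/crypto/JceSecurity.java.html
	static void policySetup(boolean restrictedOn) {
		try {
			jceRestrictedField().set(null, Boolean.valueOf(restrictedOn));
		} catch (Throwable e) {
			// Best effort: the field is a JRE implementation detail.
			logger.info(
					"Could not setup JCE security policy restrictions.");
		}
	}

	/**
	 * Log the current value of the JCE restriction flag. Failure to read
	 * it is logged and ignored.
	 */
	static void reportPolicy() {
		try {
			logger.info("JCE security policy restricted="
					+ jceRestrictedField().get(null));
		} catch (Throwable e) {
			// Best effort: the field is a JRE implementation detail.
			logger.info(
					"Could not report JCE security policy restrictions.");
		}
	}

	/**
	 * Cartesian product of two lists.
	 *
	 * @param one
	 * @param two
	 * @return one two-element array per pair, ordered by the first list and
	 *         then by the second
	 */
	static List<Object[]> product(List<String> one, List<String> two) {
		List<Object[]> result = new ArrayList<>();
		for (String s1 : one) {
			for (String s2 : two) {
				result.add(new Object[] { s1, s2 });
			}
		}
		return result;
	}

}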
605 
606 	/**
607 	 * Common base for encryption tests.
608 	 */
609 	@FixMethodOrder(MethodSorters.NAME_ASCENDING)
610 	public abstract static class Base extends SampleDataRepositoryTestCase {
611 
/**
 * S3 URI user used by JGIT to discover connection configuration file.
 * Unique per JVM start because it embeds the current time.
 */
static final String JGIT_USER = "tester-" + System.currentTimeMillis();

/**
 * S3 content encoding password used for this test session.
 * NOTE(review): derived from the clock, hence guessable; it only protects
 * throwaway test data and is not a pattern for real repositories.
 */
static final String JGIT_PASS = "secret-" + System.currentTimeMillis();

/**
 * S3 repository configuration file expected by {@link AmazonS3}: a file in
 * the user home named after {@link #JGIT_USER}.
 */
static final String JGIT_CONF_FILE = System.getProperty("user.home") + "/" + JGIT_USER;

/**
 * Name representing remote or local JGIT repository.
 */
static final String JGIT_REPO_DIR = JGIT_USER + ".jgit";

/**
 * Local JGIT repository for this test session, under ./target.
 */
static final String JGIT_LOCAL_DIR = System.getProperty("user.dir") + "/target/"
		+ JGIT_REPO_DIR;

/**
 * Remote JGIT repository for this test session.
 */
static final String JGIT_REMOTE_DIR = JGIT_REPO_DIR;
643 
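/**
 * Generate JGIT S3 connection configuration file from the discovered test
 * properties plus the session password and the given algorithm.
 * <p>
 * The file contains the access key, secret key and password, so it is
 * created with owner-only access where the file system supports it.
 *
 * @param algorithm
 *            value stored under AmazonS3.Keys.CRYPTO_ALG
 * @throws Exception
 */
static void configCreate(String algorithm) throws Exception {
	Properties props = Props.discover();
	props.put(AmazonS3.Keys.PASSWORD, JGIT_PASS);
	props.put(AmazonS3.Keys.CRYPTO_ALG, algorithm);
	File conf = new File(JGIT_CONF_FILE);
	// Create the file empty and drop access for everybody but the owner
	// before any secret is written. Best effort: the calls return false
	// on file systems without such permissions.
	conf.createNewFile();
	conf.setReadable(false, false);
	conf.setWritable(false, false);
	conf.setReadable(true, true);
	conf.setWritable(true, true);
	try (PrintWriter writer = new PrintWriter(conf, UTF_8.name())) {
		props.store(writer, "JGIT S3 connection configuration file.");
	}
}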
659 
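/**
 * Generate JGIT S3 connection configuration file from the discovered test
 * properties overlaid with the given entries.
 * <p>
 * The file contains the access key and secret key (and whatever secrets
 * the overlay adds), so it is created with owner-only access where the
 * file system supports it.
 *
 * @param source
 *            entries that override or extend the discovered properties
 * @throws Exception
 */
static void configCreate(Properties source) throws Exception {
	Properties target = Props.discover();
	target.putAll(source);
	File conf = new File(JGIT_CONF_FILE);
	// Create the file empty and drop access for everybody but the owner
	// before any secret is written. Best effort: the calls return false
	// on file systems without such permissions.
	conf.createNewFile();
	conf.setReadable(false, false);
	conf.setWritable(false, false);
	conf.setReadable(true, true);
	conf.setWritable(true, true);
	try (PrintWriter writer = new PrintWriter(conf, UTF_8.name())) {
		target.store(writer, "JGIT S3 connection configuration file.");
	}
}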
674 
/**
 * Remove JGIT connection configuration file, which holds the test
 * credentials. A file that is already gone is not an error.
 *
 * @throws Exception
 */
static void configDelete() throws Exception {
	FileUtils.delete(new File(JGIT_CONF_FILE), FileUtils.SKIP_MISSING);
}
684 
/**
 * Generate remote URI for the test session, in the form
 * scheme://user@bucket/repository.
 *
 * @return result
 * @throws Exception
 */
static String amazonURI() throws Exception {
	String bucket = Props.discover().getProperty(Names.TEST_BUCKET);
	assertNotNull(bucket);
	StringBuilder uri = new StringBuilder();
	uri.append(TransportAmazonS3.S3_SCHEME).append("://");
	uri.append(JGIT_USER).append("@");
	uri.append(bucket).append("/").append(JGIT_REPO_DIR);
	return uri.toString();
}
698 
/**
 * Create S3 repository folder by storing an empty object whose key ends
 * with "/".
 *
 * @throws Exception
 */
static void remoteCreate() throws Exception {
	Properties settings = Props.discover();
	// Without a password the client is built with encryption disabled.
	settings.remove(AmazonS3.Keys.PASSWORD);
	String bucketName = settings.getProperty(Names.TEST_BUCKET);
	AmazonS3 client = new AmazonS3(settings);
	client.put(bucketName, JGIT_REMOTE_DIR + "/", new byte[0]);
	logger.debug("remote create: " + JGIT_REMOTE_DIR);
}
713 
/**
 * Delete S3 repository folder: every key listed under the remote
 * directory is removed one by one.
 *
 * @throws Exception
 */
static void remoteDelete() throws Exception {
	Properties settings = Props.discover();
	// Without a password the client is built with encryption disabled.
	settings.remove(AmazonS3.Keys.PASSWORD);
	String bucketName = settings.getProperty(Names.TEST_BUCKET);
	AmazonS3 client = new AmazonS3(settings);
	List<String> names = client.list(bucketName, JGIT_REMOTE_DIR);
	for (String name : names) {
		String key = JGIT_REMOTE_DIR + "/" + name;
		client.delete(bucketName, key);
	}
	logger.debug("remote delete: " + JGIT_REMOTE_DIR);
}
731 
/**
 * Verify if we can create/delete remote file: a uniquely named object is
 * uploaded and removed again.
 *
 * @throws Exception
 */
static void remoteVerify() throws Exception {
	Properties settings = Props.discover();
	String bucketName = settings.getProperty(Names.TEST_BUCKET);
	AmazonS3 client = new AmazonS3(settings);
	// The random UUID keeps probes of concurrent runs apart.
	String probe = JGIT_USER + "-" + UUID.randomUUID().toString();
	String key = JGIT_REMOTE_DIR + "/" + probe;
	client.put(bucketName, key, probe.getBytes(UTF_8));
	client.delete(bucketName, key);
}
746 
/**
 * Verify if any security provider published the algorithm as a "Cipher".
 *
 * @param algorithm
 * @return true when a registered cipher name equals the algorithm,
 *         ignoring case
 */
static boolean isAlgorithmPresent(String algorithm) {
	// Standard names are not case-sensitive.
	// http://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html
	boolean found = false;
	java.util.Iterator<String> names = Security.getAlgorithms("Cipher")
			.iterator();
	while (!found && names.hasNext()) {
		String published = names.next();
		String wanted = algorithm.toUpperCase(Locale.ROOT);
		found = published.equalsIgnoreCase(wanted);
	}
	return found;
}
765 
/**
 * Verify if the cipher and key algorithms selected by the properties can
 * be instantiated. For the default and JGitV1 versions the profile name
 * is used for both; for JGitV2 they are read from the profile's X_ALGO
 * and X_KEY_ALGO entries.
 *
 * @param props
 * @return false for an unknown version or when either lookup fails
 */
static boolean isAlgorithmPresent(Properties props) {
	String profile = props.getProperty(AmazonS3.Keys.CRYPTO_ALG);
	String version = props.getProperty(AmazonS3.Keys.CRYPTO_VER,
			WalkEncryption.Vals.DEFAULT_VERS);
	final String cipherName;
	final String keyName;
	if (version.equals(WalkEncryption.Vals.DEFAULT_VERS)
			|| version.equals(WalkEncryption.JGitV1.VERSION)) {
		cipherName = profile;
		keyName = profile;
	} else if (version.equals(WalkEncryption.JGitV2.VERSION)) {
		cipherName = props
				.getProperty(profile + WalkEncryption.Keys.X_ALGO);
		keyName = props
				.getProperty(profile + WalkEncryption.Keys.X_KEY_ALGO);
	} else {
		return false;
	}
	try {
		InsecureCipherFactory.create(cipherName);
		SecretKeyFactory.getInstance(keyName);
	} catch (Throwable e) {
		// Any failure, including a null name, means "not present".
		return false;
	}
	return true;
}
795 
/**
 * Verify if JRE security policy allows the algorithm, by running a round
 * trip through a JetS3tV2 engine keyed with the session password.
 *
 * @param algorithm
 * @return false when the round trip fails with an IOException
 */
static boolean isAlgorithmAllowed(String algorithm) {
	final WalkEncryption engine;
	try {
		engine = new WalkEncryption.JetS3tV2(algorithm, JGIT_PASS);
		verifyCrypto(engine);
	} catch (IOException e) {
		return false; // Encryption failure.
	} catch (GeneralSecurityException e) {
		throw new Error(e); // Construction failure.
	}
	return true;
}
814 
/**
 * Verify if an encryption engine can be built from the properties.
 *
 * @param props
 * @return false when WalkEncryption.instance reports a
 *         GeneralSecurityException
 */
static boolean isAlgorithmAllowed(Properties props) {
	boolean allowed;
	try {
		WalkEncryption.instance(props);
		allowed = true;
	} catch (GeneralSecurityException e) {
		allowed = false;
	}
	return allowed;
}
823 
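/**
 * Verify round trip encryption: a fixed multi-script text is encrypted,
 * decrypted again and compared with the original.
 *
 * @param crypto
 *            engine under test
 * @throws IOException
 *             when encryption or decryption fails
 */
static void verifyCrypto(WalkEncryption crypto) throws IOException {
	String charset = "UTF-8";
	String sourceText = "secret-message Свобода 老子";
	byte[] cipherText;
	{
		ByteArrayOutputStream target = new ByteArrayOutputStream();
		// Closing the encrypting stream lets the cipher emit its final
		// bytes before the buffer is read.
		try (OutputStream source = crypto.encrypt(target)) {
			source.write(sourceText.getBytes(charset));
			source.flush();
		}
		cipherText = target.toByteArray();
	}
	ByteArrayOutputStream result = new ByteArrayOutputStream();
	// The decrypting stream is closed as well, so the engine's resources
	// are released even when the copy fails.
	try (InputStream target = crypto
			.decrypt(new ByteArrayInputStream(cipherText))) {
		transferStream(target, result);
	}
	String targetText = result.toString(charset);
	assertEquals(sourceText, targetText);
}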
853 
/**
 * Algorithm is testable when it is present and allowed by policy. The
 * policy check runs only for a present algorithm.
 *
 * @param algorithm
 * @return result
 */
static boolean isAlgorithmTestable(String algorithm) {
	if (!isAlgorithmPresent(algorithm)) {
		return false;
	}
	return isAlgorithmAllowed(algorithm);
}
864 
/**
 * Profile is testable when its algorithms are present and an engine can
 * be built from it. The second check runs only when the first passes.
 *
 * @param props
 * @return result
 */
static boolean isAlgorithmTestable(Properties props) {
	if (!isAlgorithmPresent(props)) {
		return false;
	}
	return isAlgorithmAllowed(props);
}
868 
/**
 * Log algorithm, provider, testability: at info level when the algorithm
 * is allowed, at warn level otherwise.
 *
 * @param algorithm
 * @throws Exception
 */
static void reportAlgorithmStatus(String algorithm) throws Exception {
	final boolean present = isAlgorithmPresent(algorithm);
	final boolean allowed = present && isAlgorithmAllowed(algorithm);
	final String provider;
	if (present) {
		provider = securityProviderName(algorithm);
	} else {
		provider = "N/A";
	}
	StringBuilder status = new StringBuilder();
	status.append("Algorithm: ").append(algorithm);
	status.append(" @ ").append(provider).append("; ");
	status.append("present/allowed : ").append(present);
	status.append("/").append(allowed);
	if (allowed) {
		logger.info("Testing " + status);
	} else {
		logger.warn("Missing " + status);
	}
}
888 
/**
 * Log version, profile and testability of the configured encryption: at
 * info level when it is allowed, at warn level otherwise. Only the
 * CRYPTO_ALG and CRYPTO_VER entries are printed.
 *
 * @param props
 * @throws Exception
 */
static void reportAlgorithmStatus(Properties props) throws Exception {
	final boolean present = isAlgorithmPresent(props);
	final boolean allowed = present && isAlgorithmAllowed(props);

	String profile = props.getProperty(AmazonS3.Keys.CRYPTO_ALG);
	String version = props.getProperty(AmazonS3.Keys.CRYPTO_VER);

	String status = " Version: " + version //
			+ " Profile: " + profile //
			+ " Present: " + present //
			+ " Allowed: " + allowed;

	if (allowed) {
		logger.info("Testing " + status);
	} else {
		logger.warn("Missing " + status);
	}
}
908 
/**
 * Verify if we can perform remote tests, i.e. whether the test properties
 * can be discovered.
 *
 * @return false when discovery fails for any reason
 */
static boolean isTestConfigPresent() {
	try {
		Props.discover();
	} catch (Throwable e) {
		// Throwable on purpose: discovery reports problems as Error.
		return false;
	}
	return true;
}
922 
/**
 * Log whether the Amazon S3 test configuration was found.
 */
static void reportTestConfigPresent() {
	if (!isTestConfigPresent()) {
		logger.error(
				"Amazon S3 test configuration is missing, tests will not run.");
		return;
	}
	logger.info("Amazon S3 test configuration is present.");
}
931 
/**
 * Log public address of CI, as reported by the address lookup helper.
 *
 * @throws Exception
 */
static void reportPublicAddress() throws Exception {
	String address = publicAddress();
	logger.info("Public address: " + address);
}
940 
/**
 * BouncyCastle provider class, loaded by name so that the test still
 * compiles and runs without it.
 *
 * Needs extra dependency, see pom.xml
 */
// http://search.maven.org/#artifactdetails%7Corg.bouncycastle%7Cbcprov-jdk15on%7C1.52%7Cjar
static final String PROVIDER_BC = "org.bouncycastle.jce.provider.BouncyCastleProvider";
948 
/**
 * Load BouncyCastle provider if present: the class is instantiated through
 * its no-argument constructor and registered with {@link Security}. Any
 * failure is logged as a warning and otherwise ignored.
 */
static void loadBouncyCastle() {
	try {
		Object created = Class.forName(PROVIDER_BC).getConstructor()
				.newInstance();
		Security.addProvider((Provider) created);
		logger.info("Loaded " + PROVIDER_BC);
	} catch (Throwable e) {
		// Optional dependency: its absence must not fail the suite.
		logger.warn("Failed to load " + PROVIDER_BC);
	}
}
964 
		/**
		 * Log whether long running tests are enabled, according to
		 * {@code permitLongTests()}.
		 */
		static void reportLongTests() {
			final boolean enabled = permitLongTests();
			if (!enabled) {
				logger.warn("Long running tests are disabled.");
				return;
			}
			logger.info("Long running tests are enabled.");
		}
972 
		/**
		 * Non-PBE algorithm, for error check.
		 * <p>
		 * The name denotes a key derivation function rather than a PBE cipher.
		 * {@code test_A2_CryptoError} passes it as the crypto algorithm and
		 * expects the life cycle test to throw.
		 */
		static final String ALGO_ERROR = "PBKDF2WithHmacSHA1";

		/**
		 * Default JetS3t algorithm present in most JRE.
		 * <p>
		 * MD5 combined with single DES is a legacy scheme and weak by current
		 * standards. NOTE(review): presumably exercised here only for
		 * compatibility with data written by JetS3t; confirm before treating it
		 * as a recommended setting.
		 */
		static final String ALGO_JETS3T = "PBEWithMD5AndDES";

		/**
		 * Minimal strength AES based algorithm present in most JRE.
		 */
		static final String ALGO_MINIMAL_AES = "PBEWithHmacSHA1AndAES_128";

		/**
		 * Selected non-AES algorithm present in BouncyCastle provider.
		 */
		static final String ALGO_BOUNCY_CASTLE_CBC = "PBEWithSHAAndTwofish-CBC";
992 
993 		//////////////////////////////////////////////////
994 
		/**
		 * One-time class setup: registers the S3 transport protocol, prepares
		 * the environment, logs the test preconditions, tries to load the
		 * BouncyCastle provider, and creates the remote when a test
		 * configuration is present.
		 *
		 * @throws Exception
		 *             when any of the setup helpers fails
		 */
		@BeforeClass
		public static void initialize() throws Exception {
			Transport.register(TransportAmazonS3.PROTO_S3);

			// Environment helpers defined elsewhere in this class.
			proxySetup();

			// Diagnostics only: these write to the log.
			reportPolicy();
			reportLongTests();
			reportPublicAddress();
			reportTestConfigPresent();

			loadBouncyCastle();

			if (!isTestConfigPresent()) {
				// No configuration: leave the remote untouched.
				return;
			}
			remoteCreate();
		}
1008 
		/**
		 * One-time class teardown: deletes the local configuration and the local
		 * clone directory, then deletes the remote when a test configuration is
		 * present.
		 *
		 * @throws Exception
		 *             when any of the cleanup helpers fails
		 */
		@AfterClass
		public static void terminate() throws Exception {
			configDelete();
			folderDelete(JGIT_LOCAL_DIR);
			if (!isTestConfigPresent()) {
				return;
			}
			remoteDelete();
		}
1017 
		/**
		 * Per-test setup; delegates to the superclass implementation.
		 *
		 * @throws Exception
		 *             when the superclass setup fails
		 */
		@Before
		@Override
		public void setUp() throws Exception {
			super.setUp();
		}
1023 
		/**
		 * Per-test cleanup; delegates to the superclass implementation.
		 *
		 * @throws Exception
		 *             when the superclass cleanup fails
		 */
		@After
		@Override
		public void tearDown() throws Exception {
			super.tearDown();
		}
1029 
		/**
		 * Optional encrypted amazon remote JGIT life cycle test.
		 * <p>
		 * Logs the algorithm status, then runs {@link #cryptoTest(Properties)}
		 * only when the test configuration is present and the algorithm is
		 * reported testable. Otherwise the JUnit assumption fails and the test
		 * is skipped.
		 * <p>
		 * NOTE(review): an unavailable or disallowed algorithm yields a skipped
		 * test, not a failed one. A green run therefore does not show that
		 * every listed algorithm was exercised; check the skip count.
		 *
		 * @param props
		 *            encryption settings for the remote
		 * @throws Exception
		 *             when the life cycle test fails
		 */
		void cryptoTestIfCan(Properties props) throws Exception {
			reportAlgorithmStatus(props);
			final boolean runnable = isTestConfigPresent()
					&& isAlgorithmTestable(props);
			assumeTrue(runnable);
			cryptoTest(props);
		}
1042 
		/**
		 * Required encrypted amazon remote JGIT life cycle test.
		 * <p>
		 * Pushes the repository provided by setup to the remote configured from
		 * {@code props} and clones it into a second local directory. It then
		 * commits and pushes a new file from the first repository, pulls it
		 * into the second, and compares file contents after each transfer.
		 * <p>
		 * NOTE(review): the checks visible here compare local files on both
		 * sides, so they establish round-trip fidelity. Nothing in this method
		 * inspects the objects stored remotely to confirm they are ciphertext.
		 *
		 * @param props
		 *            encryption settings handed to {@code configCreate}
		 * @throws Exception
		 *             when any step of the life cycle fails
		 */
		void cryptoTest(Properties props) throws Exception {

			// Start clean: remote, configuration and second local directory.
			remoteDelete();
			configCreate(props);
			folderDelete(JGIT_LOCAL_DIR);

			final String remoteUri = amazonURI();

			// Local repositories.
			final File repoOne = db.getWorkTree(); // Provided by setup.
			final File repoTwo = new File(JGIT_LOCAL_DIR);

			// Local verification files.
			final String staticName = "master.txt"; // Provided by setup.
			final String dynamicName = JGIT_USER + "-" + UUID.randomUUID();

			final String remoteName = "remote";
			final RefSpec masterSpec = new RefSpec(
					"refs/heads/master:refs/heads/master");

			// 1. Push into remote from local one.
			StoredConfig storedConfig = db.getConfig();
			RemoteConfig remoteConfig = new RemoteConfig(storedConfig,
					remoteName);
			remoteConfig.addURI(new URIish(remoteUri));
			remoteConfig.update(storedConfig);
			storedConfig.save();

			try (Git git = Git.open(repoOne)) {
				git.checkout().setName("master").call();
				git.push().setRemote(remoteName).setRefSpecs(masterSpec).call();
			}

			File pushedStatic = new File(repoOne, staticName);
			assertTrue("Provided by setup", pushedStatic.exists());

			// 2. Clone from remote into local two.
			File clonedStatic = new File(repoTwo, staticName);
			assertFalse("Not Provided by setup", clonedStatic.exists());

			try (Git git = Git.cloneRepository().setURI(remoteUri)
					.setDirectory(repoTwo).call()) {
				assertTrue("Provided by clone", clonedStatic.exists());
			}

			// 3. Verify static file content.
			verifyFileContent(new File(repoOne, staticName),
					new File(repoTwo, staticName));

			// 4. Verify new file commit and push from local one.
			File createdDynamic = new File(repoOne, dynamicName);
			assertFalse("Not Provided by setup", createdDynamic.exists());
			FileUtils.createNewFile(createdDynamic);
			textWrite(createdDynamic, dynamicName);
			assertTrue("Provided by create", createdDynamic.exists());
			assertTrue("Need content to encrypt", createdDynamic.length() > 0);

			try (Git git = Git.open(repoOne)) {
				git.add().addFilepattern(dynamicName).call();
				git.commit().setMessage(dynamicName).call();
				git.push().setRemote(remoteName).setRefSpecs(masterSpec).call();
			}

			// 5. Verify new file pull from remote into local two.
			File pulledDynamic = new File(repoTwo, dynamicName);
			assertFalse("Not Provided by setup", pulledDynamic.exists());

			try (Git git = Git.open(repoTwo)) {
				git.pull().call();
			}

			assertTrue("Provided by pull", pulledDynamic.exists());

			// 6. Verify dynamic file content.
			verifyFileContent(new File(repoOne, dynamicName),
					new File(repoTwo, dynamicName));

		}
1140 
1141 	}
1142 
	/**
	 * Verify prerequisites.
	 */
	@FixMethodOrder(MethodSorters.NAME_ASCENDING)
	public static class Required extends Base {

		/**
		 * The configured Amazon URI must be one the S3 transport protocol can
		 * handle. Skipped when no test configuration is present.
		 *
		 * @throws Exception
		 *             when the URI cannot be built
		 */
		@Test
		public void test_A1_ValidURI() throws Exception {
			assumeTrue(isTestConfigPresent());
			final URIish remote = new URIish(amazonURI());
			final String label = "uri=" + remote;
			assertTrue(label, TransportAmazonS3.PROTO_S3.canHandle(remote));
		}

		/**
		 * The life cycle test must throw when configured with
		 * {@code ALGO_ERROR}. Skipped when no test configuration is present.
		 * <p>
		 * NOTE(review): {@code expected = Exception.class} accepts any
		 * exception thrown by {@code cryptoTest}, including one unrelated to
		 * the algorithm, such as a failure while talking to the remote.
		 * Narrowing it to the type the encryption setup raises would make this
		 * check specific; that type is not visible here, so confirm it first.
		 *
		 * @throws Exception
		 *             expected
		 */
		@Test(expected = Exception.class)
		public void test_A2_CryptoError() throws Exception {
			assumeTrue(isTestConfigPresent());
			final Properties settings = new Properties();
			settings.setProperty(AmazonS3.Keys.CRYPTO_ALG, ALGO_ERROR);
			settings.setProperty(AmazonS3.Keys.PASSWORD, JGIT_PASS);
			cryptoTest(settings);
		}

	}
1166 
	/**
	 * Test minimal set of algorithms.
	 * <p>
	 * Each test builds its encryption settings and hands them to
	 * {@code cryptoTestIfCan}, which skips the test when the algorithm is not
	 * testable. The salt and iteration count used by the version "2" tests are
	 * fixed fixture values, not recommended production settings.
	 */
	@FixMethodOrder(MethodSorters.NAME_ASCENDING)
	public static class MinimalSet extends Base {

		/**
		 * JetS3t default algorithm with no crypto version set.
		 *
		 * @throws Exception
		 *             when the life cycle test fails
		 */
		@Test
		public void test_V0_Java7_JET() throws Exception {
			assumeTrue(isTestConfigPresent());
			final Properties settings = new Properties();
			settings.setProperty(AmazonS3.Keys.CRYPTO_ALG, ALGO_JETS3T);
			// Do not set version.
			settings.setProperty(AmazonS3.Keys.PASSWORD, JGIT_PASS);
			cryptoTestIfCan(settings);
		}

		/**
		 * JetS3t default algorithm with crypto version "1".
		 *
		 * @throws Exception
		 *             when the life cycle test fails
		 */
		@Test
		public void test_V1_Java7_GIT() throws Exception {
			assumeTrue(isTestConfigPresent());
			final Properties settings = new Properties();
			settings.setProperty(AmazonS3.Keys.CRYPTO_ALG, ALGO_JETS3T);
			settings.setProperty(AmazonS3.Keys.CRYPTO_VER, "1");
			settings.setProperty(AmazonS3.Keys.PASSWORD, JGIT_PASS);
			cryptoTestIfCan(settings);
		}

		/**
		 * Crypto version "2" with an explicit profile: AES/CBC cipher with a
		 * PBKDF2WithHmacSHA1 derived 128 bit key.
		 *
		 * @throws Exception
		 *             when the life cycle test fails
		 */
		@Test
		public void test_V2_Java7_AES() throws Exception {
			assumeTrue(isTestConfigPresent());
			final String profile = "AES/CBC/PKCS5Padding+PBKDF2WithHmacSHA1";
			final Properties settings = new Properties();
			settings.setProperty(AmazonS3.Keys.CRYPTO_ALG, profile);
			settings.setProperty(AmazonS3.Keys.CRYPTO_VER, "2");
			settings.setProperty(AmazonS3.Keys.PASSWORD, JGIT_PASS);
			// Profile scoped keys: the property name is the profile name
			// followed by the key suffix.
			settings.setProperty(profile + WalkEncryption.Keys.X_ALGO,
					"AES/CBC/PKCS5Padding");
			settings.setProperty(profile + WalkEncryption.Keys.X_KEY_ALGO,
					"PBKDF2WithHmacSHA1");
			settings.setProperty(profile + WalkEncryption.Keys.X_KEY_SIZE, "128");
			settings.setProperty(profile + WalkEncryption.Keys.X_KEY_ITER,
					"10000");
			settings.setProperty(profile + WalkEncryption.Keys.X_KEY_SALT,
					"e2 55 89 67 8e 8d e8 4c");
			cryptoTestIfCan(settings);
		}

		/**
		 * Crypto version "2" with the PBEWithHmacSHA512AndAES_256 profile and a
		 * 256 bit key.
		 *
		 * @throws Exception
		 *             when the life cycle test fails
		 */
		@Test
		public void test_V2_Java8_PBE_AES() throws Exception {
			assumeTrue(isTestConfigPresent());
			final String profile = "PBEWithHmacSHA512AndAES_256";
			final Properties settings = new Properties();
			settings.setProperty(AmazonS3.Keys.CRYPTO_ALG, profile);
			settings.setProperty(AmazonS3.Keys.CRYPTO_VER, "2");
			settings.setProperty(AmazonS3.Keys.PASSWORD, JGIT_PASS);
			settings.setProperty(profile + WalkEncryption.Keys.X_ALGO,
					"PBEWithHmacSHA512AndAES_256");
			settings.setProperty(profile + WalkEncryption.Keys.X_KEY_ALGO,
					"PBEWithHmacSHA512AndAES_256");
			settings.setProperty(profile + WalkEncryption.Keys.X_KEY_SIZE, "256");
			settings.setProperty(profile + WalkEncryption.Keys.X_KEY_ITER,
					"10000");
			settings.setProperty(profile + WalkEncryption.Keys.X_KEY_SALT,
					"e2 55 89 67 8e 8d e8 4c");
			// NOTE(review): policySetup is defined elsewhere; presumably it
			// adjusts the JCE crypto policy so the 256 bit key is permitted -
			// confirm.
			policySetup(false);
			cryptoTestIfCan(settings);
		}

	}
1228 
	/**
	 * Test all present and allowed PBE algorithms.
	 * <p>
	 * Parameterized over the result of {@code product(algorithms, versions)},
	 * with algorithms taken from {@code cryptoCipherListPBE()} and versions "0"
	 * and "1". The test body only runs when long tests are permitted.
	 */
	// https://github.com/junit-team/junit/wiki/Parameterized-tests
	@RunWith(Parameterized.class)
	@FixMethodOrder(MethodSorters.NAME_ASCENDING)
	public static class TestablePBE extends Base {

		/**
		 * Build the parameter list for the runner.
		 *
		 * @return one entry per profile and version pair, as produced by
		 *         {@code product}
		 */
		@Parameters(name = "Profile: {0}   Version: {1}")
		public static Collection<Object[]> argsList() {
			final List<String> algorithms = new ArrayList<>(
					cryptoCipherListPBE());

			final List<String> versions = new ArrayList<>();
			versions.add("0");
			versions.add("1");

			return product(algorithms, versions);
		}

		// Crypto algorithm (profile) under test.
		final String profile;

		// Crypto version under test.
		final String version;

		// Shared test password.
		final String password = JGIT_PASS;

		/**
		 * @param profile
		 *            crypto algorithm to test
		 * @param version
		 *            crypto version to test
		 */
		public TestablePBE(String profile, String version) {
			this.version = version;
			this.profile = profile;
		}

		/**
		 * Run the optional life cycle test for this profile and version.
		 *
		 * @throws Exception
		 *             when the life cycle test fails
		 */
		@Test
		public void testCrypto() throws Exception {
			assumeTrue(permitLongTests());
			final Properties settings = new Properties();
			settings.setProperty(AmazonS3.Keys.CRYPTO_ALG, profile);
			settings.setProperty(AmazonS3.Keys.CRYPTO_VER, version);
			settings.setProperty(AmazonS3.Keys.PASSWORD, password);
			cryptoTestIfCan(settings);
		}

	}
1271 
	/**
	 * Test all present and allowed transformation algorithms.
	 * <p>
	 * Parameterized over the result of {@code product(algorithms, versions)},
	 * with algorithms taken from {@code cryptoCipherListTrans()} and the single
	 * version "1". The test body only runs when long tests are permitted.
	 */
	// https://github.com/junit-team/junit/wiki/Parameterized-tests
	@RunWith(Parameterized.class)
	@FixMethodOrder(MethodSorters.NAME_ASCENDING)
	public static class TestableTransformation extends Base {

		/**
		 * Build the parameter list for the runner.
		 *
		 * @return one entry per profile and version pair, as produced by
		 *         {@code product}
		 */
		@Parameters(name = "Profile: {0}   Version: {1}")
		public static Collection<Object[]> argsList() {
			final List<String> algorithms = new ArrayList<>(
					cryptoCipherListTrans());

			final List<String> versions = new ArrayList<>();
			versions.add("1");

			return product(algorithms, versions);
		}

		// Crypto algorithm (profile) under test.
		final String profile;

		// Crypto version under test.
		final String version;

		// Shared test password.
		final String password = JGIT_PASS;

		/**
		 * @param profile
		 *            crypto algorithm to test
		 * @param version
		 *            crypto version to test
		 */
		public TestableTransformation(String profile, String version) {
			this.version = version;
			this.profile = profile;
		}

		/**
		 * Run the optional life cycle test for this profile and version.
		 *
		 * @throws Exception
		 *             when the life cycle test fails
		 */
		@Test
		public void testCrypto() throws Exception {
			assumeTrue(permitLongTests());
			final Properties settings = new Properties();
			settings.setProperty(AmazonS3.Keys.CRYPTO_ALG, profile);
			settings.setProperty(AmazonS3.Keys.CRYPTO_VER, version);
			settings.setProperty(AmazonS3.Keys.PASSWORD, password);
			cryptoTestIfCan(settings);
		}

	}
1313 
1314 }