-rw-r--r--qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/FileKeyStoreImpl.java54
-rw-r--r--qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/FileTrustStoreImpl.java57
-rw-r--r--qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/FileKeyStoreTest.java347
-rw-r--r--qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/FileTrustStoreTest.java320
-rw-r--r--qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/RestServlet.java5
-rw-r--r--qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/QpidClientX509KeyManager.java11
-rw-r--r--qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java18
-rw-r--r--qpid/java/common/src/main/java/org/apache/qpid/util/DataUrlUtils.java32
-rw-r--r--qpid/java/common/src/main/java/org/apache/qpid/util/FileUtils.java64
-rw-r--r--qpid/java/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/TestSSLConstants.java1
-rw-r--r--qpid/java/systests/src/test/java/org/apache/qpid/systest/rest/KeyStoreRestTest.java172
-rw-r--r--qpid/java/systests/src/test/java/org/apache/qpid/systest/rest/TrustStoreRestTest.java147
12 files changed, 922 insertions, 306 deletions
diff --git a/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/FileKeyStoreImpl.java b/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/FileKeyStoreImpl.java
index 08fc815fab..31a4b473ed 100644
--- a/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/FileKeyStoreImpl.java
+++ b/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/FileKeyStoreImpl.java
@@ -20,11 +20,15 @@
*/
package org.apache.qpid.server.security;
+import java.io.File;
import java.io.IOException;
+import java.net.MalformedURLException;
+import java.net.URL;
import java.security.AccessControlException;
import java.security.GeneralSecurityException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
+import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Collection;
@@ -48,6 +52,7 @@ import org.apache.qpid.server.model.State;
import org.apache.qpid.server.model.StateTransition;
import org.apache.qpid.server.security.access.Operation;
import org.apache.qpid.server.util.ServerScopedRuntimeException;
+import org.apache.qpid.server.util.urlstreamhandler.data.Handler;
import org.apache.qpid.transport.network.security.ssl.QpidClientX509KeyManager;
import org.apache.qpid.transport.network.security.ssl.SSLUtil;
@@ -69,7 +74,12 @@ public class FileKeyStoreImpl extends AbstractConfiguredObject<FileKeyStoreImpl>
private String _password;
- private Broker<?> _broker;
+ private final Broker<?> _broker;
+
+ static
+ {
+ Handler.register();
+ }
@ManagedObjectFactoryConstructor
public FileKeyStoreImpl(Map<String, Object> attributes, Broker<?> broker)
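Review bot: The static initializer added in this hunk installs a process-wide `data:` URL stream handler from inside a configured-object class, with nothing saying why it has to happen here, and the identical block is repeated in the matching hunk of FileTrustStoreImpl. A one-line comment would spare the next reader the hunt: `// Register the data: URL handler so PATH may be an inline data URL as well as a file path or file: URL`. Whether Handler.register() tolerates being invoked from both classes' initializers (and from any other class that adopts the same pattern) cannot be told from this page; if it installs a JVM-wide factory, it should be idempotent, and the comment could state that. The enclosing class continues outside the hunk.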
@@ -152,14 +162,25 @@ public class FileKeyStoreImpl extends AbstractConfiguredObject<FileKeyStoreImpl>
java.security.KeyStore keyStore;
try
{
- String path = fileKeyStore.getPath();
+ URL url = getUrlFromString(fileKeyStore.getPath());
String password = fileKeyStore.getPassword();
String keyStoreType = fileKeyStore.getKeyStoreType();
- keyStore = SSLUtil.getInitializedKeyStore(path, password, keyStoreType);
+ keyStore = SSLUtil.getInitializedKeyStore(url, password, keyStoreType);
}
+
catch (Exception e)
{
- throw new IllegalConfigurationException("Cannot instantiate key store at " + fileKeyStore.getPath(), e);
+ final String message;
+ if (e instanceof IOException && e.getCause() != null && e.getCause() instanceof UnrecoverableKeyException)
+ {
+ message = "Check key store password. Cannot instantiate key store from '" + fileKeyStore.getPath() + "'.";
+ }
+ else
+ {
+ message = "Cannot instantiate key store from '" + fileKeyStore.getPath() + "'.";
+ }
+
+ throw new IllegalConfigurationException(message, e);
}
if (fileKeyStore.getCertificateAlias() != null)
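Review bot: Both messages built in the catch block embed fileKeyStore.getPath() verbatim, and with this commit the path may be a data: URL that carries the whole base64-encoded key store (the new FileKeyStoreTest builds exactly such values), so a misconfiguration copies the entire key store blob into the IllegalConfigurationException text that ends up in logs and, plausibly, in management error responses. The same applies to the alias message in the next hunk of this file and to both trust-store messages in FileTrustStoreImpl. Consider reporting a redacted form instead, e.g. a small helper that returns a plain file path unchanged but collapses a data URL to its scheme: `"Cannot instantiate key store from '" + describePath(fileKeyStore.getPath()) + "'."`; the new tests only assert on the leading phrase, so they would still pass. The wrong-password classification on the first `if` relies on KeyStore.load wrapping UnrecoverableKeyException inside an IOException, which is how the JDK providers behave but is provider-specific; a short comment to that effect would help. The enclosing method begins outside the hunk.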
@@ -176,8 +197,8 @@ public class FileKeyStoreImpl extends AbstractConfiguredObject<FileKeyStoreImpl>
}
if (cert == null)
{
- throw new IllegalConfigurationException("Cannot find a certificate with alias " + fileKeyStore.getCertificateAlias()
- + "in key store : " + fileKeyStore.getPath());
+ throw new IllegalConfigurationException("Cannot find a certificate with alias '" + fileKeyStore.getCertificateAlias()
+ + "' in key store : " + fileKeyStore.getPath());
}
}
@@ -237,17 +258,18 @@ public class FileKeyStoreImpl extends AbstractConfiguredObject<FileKeyStoreImpl>
try
{
+ URL url = getUrlFromString(_path);
if (_certificateAlias != null)
{
return new KeyManager[] {
- new QpidClientX509KeyManager( _certificateAlias, _path, _keyStoreType, getPassword(),
+ new QpidClientX509KeyManager( _certificateAlias, url, _keyStoreType, getPassword(),
_keyManagerFactoryAlgorithm)
};
}
else
{
- final java.security.KeyStore ks = SSLUtil.getInitializedKeyStore(_path, getPassword(), _keyStoreType);
+ final java.security.KeyStore ks = SSLUtil.getInitializedKeyStore(url, getPassword(), _keyStoreType);
char[] keyStoreCharPassword = getPassword() == null ? null : getPassword().toCharArray();
@@ -263,4 +285,20 @@ public class FileKeyStoreImpl extends AbstractConfiguredObject<FileKeyStoreImpl>
throw new GeneralSecurityException(e);
}
}
+
+ private static URL getUrlFromString(String urlString) throws MalformedURLException
+ {
+ URL url;
+ try
+ {
+ url = new URL(urlString);
+ }
+ catch (MalformedURLException e)
+ {
+ File file = new File(urlString);
+ url = file.toURI().toURL();
+
+ }
+ return url;
+ }
}
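Review bot: getUrlFromString accepts any URL that java.net.URL can parse, so a PATH attribute — which the new tests show is settable after creation via setAttributes — now resolves http:, ftp: or jar: sources just as readily as the file: and data: forms this commit is about, and the broker would then load key material from wherever the URL points. Unless remote key stores are an intended feature, the helper should allow-list the two protocols it was written for and reject the rest, as sketched below. The helper is also duplicated byte-for-byte in FileTrustStoreImpl; one copy in SSLUtil next to getInitializedKeyStore(URL, …) would keep the two from drifting. The stray blank line before the closing brace of the catch block looks like leftover editing.
```java
private static URL getUrlFromString(String urlString) throws MalformedURLException
{
    URL url;
    try
    {
        url = new URL(urlString);
    }
    catch (MalformedURLException e)
    {
        // Not a URL: treat the value as a file system path.
        url = new File(urlString).toURI().toURL();
    }
    // Only local files and inline data URLs are legitimate key store sources;
    // refuse anything that would have the broker fetch key material remotely.
    String protocol = url.getProtocol();
    if (!"file".equals(protocol) && !"data".equals(protocol))
    {
        throw new MalformedURLException("Unsupported key store URL protocol '" + protocol + "'");
    }
    return url;
}
```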
diff --git a/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/FileTrustStoreImpl.java b/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/FileTrustStoreImpl.java
index 044f15f8a7..66ae6fdb35 100644
--- a/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/FileTrustStoreImpl.java
+++ b/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/FileTrustStoreImpl.java
@@ -20,11 +20,15 @@
*/
package org.apache.qpid.server.security;
+import java.io.File;
import java.io.IOException;
+import java.net.MalformedURLException;
+import java.net.URL;
import java.security.AccessControlException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
+import java.security.UnrecoverableKeyException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Map;
@@ -48,6 +52,7 @@ import org.apache.qpid.server.model.StateTransition;
import org.apache.qpid.server.model.TrustStore;
import org.apache.qpid.server.security.access.Operation;
import org.apache.qpid.server.security.auth.manager.SimpleLDAPAuthenticationManager;
+import org.apache.qpid.server.util.urlstreamhandler.data.Handler;
import org.apache.qpid.transport.network.security.ssl.QpidMultipleTrustManager;
import org.apache.qpid.transport.network.security.ssl.QpidPeersOnlyTrustManager;
import org.apache.qpid.transport.network.security.ssl.SSLUtil;
@@ -66,7 +71,12 @@ public class FileTrustStoreImpl extends AbstractConfiguredObject<FileTrustStoreI
@ManagedAttributeField
private String _password;
- private Broker<?> _broker;
+ private final Broker<?> _broker;
+
+ static
+ {
+ Handler.register();
+ }
@ManagedObjectFactoryConstructor
public FileTrustStoreImpl(Map<String, Object> attributes, Broker<?> broker)
@@ -114,12 +124,10 @@ public class FileTrustStoreImpl extends AbstractConfiguredObject<FileTrustStoreI
Collection<AuthenticationProvider> authenticationProviders = new ArrayList<AuthenticationProvider>(_broker.getAuthenticationProviders());
for (AuthenticationProvider authProvider : authenticationProviders)
{
- if(authProvider.getAttributeNames().contains(SimpleLDAPAuthenticationManager.TRUST_STORE))
+ if (authProvider instanceof SimpleLDAPAuthenticationManager)
{
- Object attributeType = authProvider.getAttribute(AuthenticationProvider.TYPE);
- Object attributeValue = authProvider.getAttribute(SimpleLDAPAuthenticationManager.TRUST_STORE);
- if (SimpleLDAPAuthenticationManager.PROVIDER_TYPE.equals(attributeType)
- && storeName.equals(attributeValue))
+ SimpleLDAPAuthenticationManager simpleLdap = (SimpleLDAPAuthenticationManager) authProvider;
+ if (simpleLdap.getTrustStore() == this)
{
throw new IntegrityViolationException("Trust store '"
+ storeName
@@ -185,11 +193,22 @@ public class FileTrustStoreImpl extends AbstractConfiguredObject<FileTrustStoreI
{
try
{
- SSLUtil.getInitializedKeyStore(trustStore.getPath(), trustStore.getPassword(), trustStore.getTrustStoreType());
+ URL trustStoreUrl = getUrlFromString(trustStore.getPath());
+ SSLUtil.getInitializedKeyStore(trustStoreUrl, trustStore.getPassword(), trustStore.getTrustStoreType());
}
catch (Exception e)
{
- throw new IllegalConfigurationException("Cannot instantiate trust store at " + trustStore.getPath(), e);
+ final String message;
+ if (e instanceof IOException && e.getCause() != null && e.getCause() instanceof UnrecoverableKeyException)
+ {
+ message = "Check trust store password. Cannot instantiate trust store from '" + trustStore.getPath() + "'.";
+ }
+ else
+ {
+ message = "Cannot instantiate trust store from '" + trustStore.getPath() + "'.";
+ }
+
+ throw new IllegalConfigurationException(message, e);
}
try
@@ -238,14 +257,15 @@ public class FileTrustStoreImpl extends AbstractConfiguredObject<FileTrustStoreI
}
public TrustManager[] getTrustManagers() throws GeneralSecurityException
{
- String trustStorePath = _path;
String trustStorePassword = getPassword();
String trustStoreType = _trustStoreType;
String trustManagerFactoryAlgorithm = _trustManagerFactoryAlgorithm;
try
{
- KeyStore ts = SSLUtil.getInitializedKeyStore(trustStorePath, trustStorePassword, trustStoreType);
+ URL trustStoreUrl = getUrlFromString(_path);
+
+ KeyStore ts = SSLUtil.getInitializedKeyStore(trustStoreUrl, trustStorePassword, trustStoreType);
final TrustManagerFactory tmf = TrustManagerFactory
.getInstance(trustManagerFactoryAlgorithm);
tmf.init(ts);
@@ -291,4 +311,21 @@ public class FileTrustStoreImpl extends AbstractConfiguredObject<FileTrustStoreI
throw new GeneralSecurityException(e);
}
}
+
+ private static URL getUrlFromString(String urlString) throws MalformedURLException
+ {
+ URL url;
+ try
+ {
+ url = new URL(urlString);
+ }
+ catch (MalformedURLException e)
+ {
+ File file = new File(urlString);
+ url = file.toURI().toURL();
+
+ }
+ return url;
+ }
+
}
diff --git a/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/FileKeyStoreTest.java b/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/FileKeyStoreTest.java
new file mode 100644
index 0000000000..aa6f1ca630
--- /dev/null
+++ b/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/FileKeyStoreTest.java
@@ -0,0 +1,347 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.qpid.server.security;
+
+
+import static org.mockito.Matchers.any;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+
+import javax.net.ssl.KeyManager;
+
+import org.apache.qpid.server.configuration.IllegalConfigurationException;
+import org.apache.qpid.server.configuration.updater.CurrentThreadTaskExecutor;
+import org.apache.qpid.server.model.Broker;
+import org.apache.qpid.server.model.BrokerModel;
+import org.apache.qpid.server.model.ConfiguredObject;
+import org.apache.qpid.server.model.IntegrityViolationException;
+import org.apache.qpid.server.model.Port;
+import org.apache.qpid.server.security.access.Operation;
+import org.apache.qpid.test.utils.QpidTestCase;
+import org.apache.qpid.test.utils.TestSSLConstants;
+import org.apache.qpid.util.DataUrlUtils;
+import org.apache.qpid.util.FileUtils;
+
+public class FileKeyStoreTest extends QpidTestCase
+{
+ private final Broker<?> _broker = mock(Broker.class);
+ private final CurrentThreadTaskExecutor _taskExecutor = new CurrentThreadTaskExecutor();
+ private final SecurityManager _securityManager = mock(SecurityManager.class);
+
+ public void setUp() throws Exception
+ {
+ super.setUp();
+
+ _taskExecutor.start();
+ when(_broker.getTaskExecutor()).thenReturn(_taskExecutor);
+ when(_broker.getModel()).thenReturn(BrokerModel.getInstance());
+
+ when(_broker.getSecurityManager()).thenReturn(_securityManager);
+ }
+
+ public void testCreateKeyStoreFromFile_Success() throws Exception
+ {
+ Map<String,Object> attributes = new HashMap<>();
+ attributes.put(FileKeyStore.NAME, "myFileKeyStore");
+ attributes.put(FileKeyStore.PATH, TestSSLConstants.BROKER_KEYSTORE);
+ attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.BROKER_KEYSTORE_PASSWORD);
+
+ FileKeyStoreImpl fileKeyStore = new FileKeyStoreImpl(attributes, _broker);
+
+ fileKeyStore.create();
+
+ KeyManager[] keyManager = fileKeyStore.getKeyManagers();
+ assertNotNull(keyManager);
+ assertEquals("Unexpected number of key managers", 1, keyManager.length);
+ assertNotNull("Key manager unexpected null", keyManager[0]);
+ }
+
+ public void testCreateKeyStoreWithAliasFromFile_Success() throws Exception
+ {
+ Map<String,Object> attributes = new HashMap<>();
+ attributes.put(FileKeyStore.NAME, "myFileKeyStore");
+ attributes.put(FileKeyStore.PATH, TestSSLConstants.BROKER_KEYSTORE);
+ attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.BROKER_KEYSTORE_PASSWORD);
+ attributes.put(FileKeyStore.CERTIFICATE_ALIAS, TestSSLConstants.BROKER_KEYSTORE_ALIAS);
+
+ FileKeyStoreImpl fileKeyStore = new FileKeyStoreImpl(attributes, _broker);
+
+ fileKeyStore.create();
+
+ KeyManager[] keyManager = fileKeyStore.getKeyManagers();
+ assertNotNull(keyManager);
+ assertEquals("Unexpected number of key managers", 1, keyManager.length);
+ assertNotNull("Key manager unexpected null", keyManager[0]);
+ }
+
+ public void testCreateKeyStoreFromFile_WrongPassword() throws Exception
+ {
+ Map<String,Object> attributes = new HashMap<>();
+ attributes.put(FileKeyStore.NAME, "myFileKeyStore");
+ attributes.put(FileKeyStore.PATH, TestSSLConstants.BROKER_KEYSTORE);
+ attributes.put(FileKeyStore.PASSWORD, "wrong");
+
+ FileKeyStoreImpl fileKeyStore = new FileKeyStoreImpl(attributes, _broker);
+
+ try
+ {
+ fileKeyStore.create();
+ fail("Exception not thrown");
+ }
+ catch (IllegalConfigurationException ice)
+ {
+ String message = ice.getMessage();
+ assertTrue("Exception text not as unexpected:" + message, message.contains("Check key store password"));
+ }
+ }
+
+ public void testCreateKeyStoreFromFile_UnknownAlias() throws Exception
+ {
+ Map<String,Object> attributes = new HashMap<>();
+ attributes.put(FileKeyStore.NAME, "myFileKeyStore");
+ attributes.put(FileKeyStore.PATH, TestSSLConstants.KEYSTORE);
+ attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.KEYSTORE_PASSWORD);
+ attributes.put(FileKeyStore.CERTIFICATE_ALIAS, "notknown");
+
+ FileKeyStoreImpl fileKeyStore = new FileKeyStoreImpl(attributes, _broker);
+
+ try
+ {
+ fileKeyStore.create();
+ fail("Exception not thrown");
+ }
+ catch (IllegalConfigurationException ice)
+ {
+ String message = ice.getMessage();
+ assertTrue("Exception text not as unexpected:" + message, message.contains("Cannot find a certificate with alias 'notknown' in key store"));
+ }
+ }
+
+ public void testCreateKeyStoreFromDataUrl_Success() throws Exception
+ {
+ String trustStoreAsDataUrl = createDataUrlForFile(TestSSLConstants.BROKER_KEYSTORE);
+
+ Map<String,Object> attributes = new HashMap<>();
+ attributes.put(FileKeyStore.NAME, "myFileKeyStore");
+ attributes.put(FileKeyStore.PATH, trustStoreAsDataUrl);
+ attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.BROKER_KEYSTORE_PASSWORD);
+
+ FileKeyStoreImpl fileKeyStore = new FileKeyStoreImpl(attributes, _broker);
+
+ fileKeyStore.create();
+
+ KeyManager[] keyManagers = fileKeyStore.getKeyManagers();
+ assertNotNull(keyManagers);
+ assertEquals("Unexpected number of key managers", 1, keyManagers.length);
+ assertNotNull("Key manager unexpected null", keyManagers[0]);
+ }
+
+ public void testCreateKeyStoreWithAliasFromDataUrl_Success() throws Exception
+ {
+ String trustStoreAsDataUrl = createDataUrlForFile(TestSSLConstants.BROKER_KEYSTORE);
+
+ Map<String,Object> attributes = new HashMap<>();
+ attributes.put(FileKeyStore.NAME, "myFileKeyStore");
+ attributes.put(FileKeyStore.PATH, trustStoreAsDataUrl);
+ attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.BROKER_KEYSTORE_PASSWORD);
+ attributes.put(FileKeyStore.CERTIFICATE_ALIAS, TestSSLConstants.BROKER_KEYSTORE_ALIAS);
+
+ FileKeyStoreImpl fileKeyStore = new FileKeyStoreImpl(attributes, _broker);
+
+ fileKeyStore.create();
+
+ KeyManager[] keyManagers = fileKeyStore.getKeyManagers();
+ assertNotNull(keyManagers);
+ assertEquals("Unexpected number of key managers", 1, keyManagers.length);
+ assertNotNull("Key manager unexpected null", keyManagers[0]);
+ }
+
+ public void testCreateKeyStoreFromDataUrl_WrongPassword() throws Exception
+ {
+ String keyStoreAsDataUrl = createDataUrlForFile(TestSSLConstants.BROKER_KEYSTORE);
+
+ Map<String,Object> attributes = new HashMap<>();
+ attributes.put(FileKeyStore.NAME, "myFileKeyStore");
+ attributes.put(FileKeyStore.PASSWORD, "wrong");
+ attributes.put(FileKeyStore.PATH, keyStoreAsDataUrl);
+
+ FileKeyStoreImpl fileKeyStore = new FileKeyStoreImpl(attributes, _broker);
+
+ try
+ {
+
+ fileKeyStore.create();
+ fail("Exception not thrown");
+ }
+ catch (IllegalConfigurationException ice)
+ {
+ String message = ice.getMessage();
+ assertTrue("Exception text not as unexpected:" + message, message.contains("Check key store password"));
+ }
+ }
+
+ public void testCreateKeyStoreFromDataUrl_BadKeystoreBytes() throws Exception
+ {
+ String keyStoreAsDataUrl = DataUrlUtils.getDataUrlForBytes("notatruststore".getBytes());
+
+ Map<String,Object> attributes = new HashMap<>();
+ attributes.put(FileKeyStore.NAME, "myFileKeyStore");
+ attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.BROKER_KEYSTORE_PASSWORD);
+ attributes.put(FileKeyStore.PATH, keyStoreAsDataUrl);
+
+ FileKeyStoreImpl fileKeyStore = new FileKeyStoreImpl(attributes, _broker);
+
+ try
+ {
+ fileKeyStore.create();
+ fail("Exception not thrown");
+ }
+ catch (IllegalConfigurationException ice)
+ {
+ String message = ice.getMessage();
+ assertTrue("Exception text not as unexpected:" + message, message.contains("Cannot instantiate key store"));
+
+ }
+ }
+
+ public void testCreateKeyStoreFromDataUrl_UnknownAlias() throws Exception
+ {
+ String keyStoreAsDataUrl = createDataUrlForFile(TestSSLConstants.BROKER_KEYSTORE);
+
+ Map<String,Object> attributes = new HashMap<>();
+ attributes.put(FileKeyStore.NAME, "myFileKeyStore");
+ attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.BROKER_KEYSTORE_PASSWORD);
+ attributes.put(FileKeyStore.PATH, keyStoreAsDataUrl);
+ attributes.put(FileKeyStore.CERTIFICATE_ALIAS, "notknown");
+
+ FileKeyStoreImpl fileKeyStore = new FileKeyStoreImpl(attributes, _broker);
+
+ try
+ {
+ fileKeyStore.create();
+ fail("Exception not thrown");
+ }
+ catch (IllegalConfigurationException ice)
+ {
+ String message = ice.getMessage();
+ assertTrue("Exception text not as unexpected:" + message, message.contains("Cannot find a certificate with alias 'notknown' in key store"));
+ }
+ }
+
+ public void testUpdateKeyStore_Success() throws Exception
+ {
+
+ when(_securityManager.authoriseConfiguringBroker(any(String.class), (Class<? extends ConfiguredObject>)any(), any(Operation.class))).thenReturn(true);
+
+ Map<String,Object> attributes = new HashMap<>();
+ attributes.put(FileKeyStore.NAME, "myFileKeyStore");
+ attributes.put(FileKeyStore.PATH, TestSSLConstants.BROKER_KEYSTORE);
+ attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.BROKER_KEYSTORE_PASSWORD);
+
+ FileKeyStoreImpl fileKeyStore = new FileKeyStoreImpl(attributes, _broker);
+
+ fileKeyStore.create();
+
+ assertNull("Unexpected alias value before change", fileKeyStore.getCertificateAlias());
+
+ try
+ {
+ Map<String,Object> unacceptableAttributes = new HashMap<>();
+ unacceptableAttributes.put(FileKeyStore.CERTIFICATE_ALIAS, "notknown");
+
+ fileKeyStore.setAttributes(unacceptableAttributes);
+ fail("Exception not thrown");
+ }
+ catch (IllegalConfigurationException ice)
+ {
+ String message = ice.getMessage();
+ assertTrue("Exception text not as unexpected:" + message, message.contains("Cannot find a certificate with alias 'notknown' in key store"));
+ }
+
+ assertNull("Unexpected alias value after failed change", fileKeyStore.getCertificateAlias());
+
+ Map<String,Object> changedAttributes = new HashMap<>();
+ changedAttributes.put(FileKeyStore.CERTIFICATE_ALIAS, TestSSLConstants.BROKER_KEYSTORE_ALIAS);
+
+ fileKeyStore.setAttributes(changedAttributes);
+
+ assertEquals("Unexpected alias value after change that is expected to be successful",
+ TestSSLConstants.BROKER_KEYSTORE_ALIAS,
+ fileKeyStore.getCertificateAlias());
+
+ }
+
+ public void testDeleteKeyStore_Success() throws Exception
+ {
+
+ when(_securityManager.authoriseConfiguringBroker(any(String.class), (Class<? extends ConfiguredObject>)any(), any(Operation.class))).thenReturn(true);
+
+ Map<String,Object> attributes = new HashMap<>();
+ attributes.put(FileKeyStore.NAME, "myFileKeyStore");
+ attributes.put(FileKeyStore.PATH, TestSSLConstants.BROKER_KEYSTORE);
+ attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.BROKER_KEYSTORE_PASSWORD);
+
+ FileKeyStoreImpl fileKeyStore = new FileKeyStoreImpl(attributes, _broker);
+
+ fileKeyStore.create();
+ fileKeyStore.delete();
+ }
+
+ public void testDeleteKeyStore_KeyManagerInUseByPort() throws Exception
+ {
+ when(_securityManager.authoriseConfiguringBroker(any(String.class),
+ any(Class.class),
+ any(Operation.class))).thenReturn(true);
+
+ Map<String,Object> attributes = new HashMap<>();
+ attributes.put(FileKeyStore.NAME, "myFileKeyStore");
+ attributes.put(FileKeyStore.PATH, TestSSLConstants.BROKER_KEYSTORE);
+ attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.BROKER_KEYSTORE_PASSWORD);
+
+ FileKeyStoreImpl fileKeyStore = new FileKeyStoreImpl(attributes, _broker);
+
+ fileKeyStore.create();
+
+ Port<?> port = mock(Port.class);
+ when(port.getKeyStore()).thenReturn(fileKeyStore);
+
+ when(_broker.getPorts()).thenReturn(Collections.<Port<?>>singletonList(port));
+
+ try
+ {
+ fileKeyStore.delete();
+ fail("Exception not thrown");
+ }
+ catch (IntegrityViolationException ive)
+ {
+ // PASS
+ }
+ }
+
+ private static String createDataUrlForFile(String filename)
+ {
+ byte[] fileAsBytes = FileUtils.readFileAsBytes(filename);
+ return DataUrlUtils.getDataUrlForBytes(fileAsBytes);
+ }
+} \ No newline at end of file
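Review bot: setUp starts _taskExecutor but the class defines no tearDown to stop it, so unless QpidTestCase does that on its own, every test method leaves a started executor behind; an overriding `tearDown()` that stops the executor and calls `super.tearDown()` in a `finally` would close that gap, and both setUp and tearDown should carry `@Override`. In testCreateKeyStoreFromDataUrl_BadKeystoreBytes, `"notatruststore".getBytes()` uses the platform default charset; `getBytes(StandardCharsets.UTF_8)` makes the fixture deterministic even though any non-key-store bytes will do here. The assertion messages read "Exception text not as unexpected", which looks like a slip for "not as expected". The same three points apply to the FileTrustStoreTest added in the next file section.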
diff --git a/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/FileTrustStoreTest.java b/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/FileTrustStoreTest.java
new file mode 100644
index 0000000000..85cda6cd80
--- /dev/null
+++ b/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/FileTrustStoreTest.java
@@ -0,0 +1,320 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.qpid.server.security;
+
+
+import static org.mockito.Matchers.any;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+
+import javax.net.ssl.TrustManager;
+
+import org.apache.qpid.server.configuration.IllegalConfigurationException;
+import org.apache.qpid.server.configuration.updater.CurrentThreadTaskExecutor;
+import org.apache.qpid.server.model.AuthenticationProvider;
+import org.apache.qpid.server.model.Broker;
+import org.apache.qpid.server.model.BrokerModel;
+import org.apache.qpid.server.model.ConfiguredObject;
+import org.apache.qpid.server.model.IntegrityViolationException;
+import org.apache.qpid.server.model.Port;
+import org.apache.qpid.server.model.TrustStore;
+import org.apache.qpid.server.security.access.Operation;
+import org.apache.qpid.server.security.auth.manager.SimpleLDAPAuthenticationManager;
+import org.apache.qpid.test.utils.QpidTestCase;
+import org.apache.qpid.test.utils.TestSSLConstants;
+import org.apache.qpid.transport.network.security.ssl.QpidMultipleTrustManager;
+import org.apache.qpid.util.DataUrlUtils;
+import org.apache.qpid.util.FileUtils;
+
+public class FileTrustStoreTest extends QpidTestCase
+{
+ private final Broker<?> _broker = mock(Broker.class);
+ private final CurrentThreadTaskExecutor _taskExecutor = new CurrentThreadTaskExecutor();
+ private final SecurityManager _securityManager = mock(SecurityManager.class);
+
+ public void setUp() throws Exception
+ {
+ super.setUp();
+
+ _taskExecutor.start();
+ when(_broker.getTaskExecutor()).thenReturn(_taskExecutor);
+ when(_broker.getModel()).thenReturn(BrokerModel.getInstance());
+
+ when(_broker.getSecurityManager()).thenReturn(_securityManager);
+ }
+
+ public void testCreateTrustStoreFromFile_Success() throws Exception
+ {
+ Map<String,Object> attributes = new HashMap<>();
+ attributes.put(FileTrustStore.NAME, "myFileTrustStore");
+ attributes.put(FileTrustStore.PATH, TestSSLConstants.TRUSTSTORE);
+ attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.TRUSTSTORE_PASSWORD);
+
+ FileTrustStoreImpl fileTrustStore = new FileTrustStoreImpl(attributes, _broker);
+
+ fileTrustStore.create();
+
+ TrustManager[] trustManagers = fileTrustStore.getTrustManagers();
+ assertNotNull(trustManagers);
+ assertEquals("Unexpected number of trust managers", 1, trustManagers.length);
+ assertNotNull("Trust manager unexpected null", trustManagers[0]);
+ }
+
+ public void testCreateTrustStoreFromFile_WrongPassword() throws Exception
+ {
+ Map<String,Object> attributes = new HashMap<>();
+ attributes.put(FileTrustStore.NAME, "myFileTrustStore");
+ attributes.put(FileTrustStore.PATH, TestSSLConstants.TRUSTSTORE);
+ attributes.put(FileTrustStore.PASSWORD, "wrong");
+
+ FileTrustStoreImpl fileTrustStore = new FileTrustStoreImpl(attributes, _broker);
+
+ try
+ {
+ fileTrustStore.create();
+ fail("Exception not thrown");
+ }
+ catch (IllegalConfigurationException ice)
+ {
+ String message = ice.getMessage();
+ assertTrue("Exception text not as unexpected:" + message, message.contains("Check trust store password"));
+ }
+ }
+
+ public void testCreatePeersOnlyTrustStoreFromFile_Success() throws Exception
+ {
+ Map<String,Object> attributes = new HashMap<>();
+ attributes.put(FileTrustStore.NAME, "myFileTrustStore");
+ attributes.put(FileTrustStore.PATH, TestSSLConstants.BROKER_PEERSTORE);
+ attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.BROKER_PEERSTORE_PASSWORD);
+ attributes.put(FileTrustStore.PEERS_ONLY, true);
+
+ FileTrustStoreImpl fileTrustStore = new FileTrustStoreImpl(attributes, _broker);
+
+ fileTrustStore.create();
+
+ TrustManager[] trustManagers = fileTrustStore.getTrustManagers();
+ assertNotNull(trustManagers);
+ assertEquals("Unexpected number of trust managers", 1, trustManagers.length);
+ assertNotNull("Trust manager unexpected null", trustManagers[0]);
+ assertTrue("Trust manager unexpected null", trustManagers[0] instanceof QpidMultipleTrustManager);
+ }
+
+
+ public void testCreateTrustStoreFromDataUrl_Success() throws Exception
+ {
+ String trustStoreAsDataUrl = createDataUrlForFile(TestSSLConstants.TRUSTSTORE);
+
+ Map<String,Object> attributes = new HashMap<>();
+ attributes.put(FileTrustStore.NAME, "myFileTrustStore");
+ attributes.put(FileTrustStore.PATH, trustStoreAsDataUrl);
+ attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.TRUSTSTORE_PASSWORD);
+
+ FileTrustStoreImpl fileTrustStore = new FileTrustStoreImpl(attributes, _broker);
+
+ fileTrustStore.create();
+
+ TrustManager[] trustManagers = fileTrustStore.getTrustManagers();
+ assertNotNull(trustManagers);
+ assertEquals("Unexpected number of trust managers", 1, trustManagers.length);
+ assertNotNull("Trust manager unexpected null", trustManagers[0]);
+ }
+
+ public void testCreateTrustStoreFromDataUrl_WrongPassword() throws Exception
+ {
+ String trustStoreAsDataUrl = createDataUrlForFile(TestSSLConstants.TRUSTSTORE);
+
+ Map<String,Object> attributes = new HashMap<>();
+ attributes.put(FileTrustStore.NAME, "myFileTrustStore");
+ attributes.put(FileTrustStore.PASSWORD, "wrong");
+ attributes.put(FileTrustStore.PATH, trustStoreAsDataUrl);
+
+ FileTrustStoreImpl fileTrustStore = new FileTrustStoreImpl(attributes, _broker);
+
+ try
+ {
+
+ fileTrustStore.create();
+ fail("Exception not thrown");
+ }
+ catch (IllegalConfigurationException ice)
+ {
+ String message = ice.getMessage();
+ assertTrue("Exception text not as unexpected:" + message, message.contains("Check trust store password"));
+ }
+ }
+
+ public void testCreateTrustStoreFromDataUrl_BadTruststoreBytes() throws Exception
+ {
+ String trustStoreAsDataUrl = DataUrlUtils.getDataUrlForBytes("notatruststore".getBytes());
+
+ Map<String,Object> attributes = new HashMap<>();
+ attributes.put(FileTrustStore.NAME, "myFileTrustStore");
+ attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.TRUSTSTORE_PASSWORD);
+ attributes.put(FileTrustStore.PATH, trustStoreAsDataUrl);
+
+ FileTrustStoreImpl fileTrustStore = new FileTrustStoreImpl(attributes, _broker);
+
+ try
+ {
+ fileTrustStore.create();
+ fail("Exception not thrown");
+ }
+ catch (IllegalConfigurationException ice)
+ {
+ String message = ice.getMessage();
+ assertTrue("Exception text not as unexpected:" + message, message.contains("Cannot instantiate trust store"));
+
+ }
+ }
+
+ public void testUpdateTrustStore_Success() throws Exception
+ {
+
+ when(_securityManager.authoriseConfiguringBroker(any(String.class), (Class<? extends ConfiguredObject>)any(), any(Operation.class))).thenReturn(true);
+
+ Map<String,Object> attributes = new HashMap<>();
+ attributes.put(FileTrustStore.NAME, "myFileTrustStore");
+ attributes.put(FileTrustStore.PATH, TestSSLConstants.TRUSTSTORE);
+ attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.TRUSTSTORE_PASSWORD);
+
+ FileTrustStoreImpl fileTrustStore = new FileTrustStoreImpl(attributes, _broker);
+
+ fileTrustStore.create();
+
+ assertEquals("Unexpected path value before change", TestSSLConstants.TRUSTSTORE, fileTrustStore.getPath());
+
+ try
+ {
+ Map<String,Object> unacceptableAttributes = new HashMap<>();
+ unacceptableAttributes.put(FileTrustStore.PATH, "/not/a/truststore");
+
+ fileTrustStore.setAttributes(unacceptableAttributes);
+ fail("Exception not thrown");
+ }
+ catch (IllegalConfigurationException ice)
+ {
+ String message = ice.getMessage();
+ assertTrue("Exception text not as unexpected:" + message, message.contains("Cannot instantiate trust store"));
+ }
+
+ assertEquals("Unexpected path value after failed change", TestSSLConstants.TRUSTSTORE, fileTrustStore.getPath());
+
+ Map<String,Object> changedAttributes = new HashMap<>();
+ changedAttributes.put(FileTrustStore.PATH, TestSSLConstants.BROKER_TRUSTSTORE);
+ changedAttributes.put(FileTrustStore.PASSWORD, TestSSLConstants.BROKER_TRUSTSTORE_PASSWORD);
+
+ fileTrustStore.setAttributes(changedAttributes);
+
+ assertEquals("Unexpected path value after change that is expected to be successful",
+ TestSSLConstants.BROKER_TRUSTSTORE,
+ fileTrustStore.getPath());
+ }
+
+ public void testDeleteTrustStore_Success() throws Exception
+ {
+
+ when(_securityManager.authoriseConfiguringBroker(any(String.class), (Class<? extends ConfiguredObject>)any(), any(Operation.class))).thenReturn(true);
+
+ Map<String,Object> attributes = new HashMap<>();
+ attributes.put(FileTrustStore.NAME, "myFileTrustStore");
+ attributes.put(FileTrustStore.PATH, TestSSLConstants.TRUSTSTORE);
+ attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.TRUSTSTORE_PASSWORD);
+
+ FileTrustStoreImpl fileTrustStore = new FileTrustStoreImpl(attributes, _broker);
+
+ fileTrustStore.create();
+ fileTrustStore.delete();
+ }
+
+ public void testDeleteTrustStore_TrustManagerInUseByAuthProvider() throws Exception
+ {
+ when(_securityManager.authoriseConfiguringBroker(any(String.class),
+ any(Class.class),
+ any(Operation.class))).thenReturn(true);
+
+ Map<String,Object> attributes = new HashMap<>();
+ attributes.put(FileTrustStore.NAME, "myFileTrustStore");
+ attributes.put(FileTrustStore.PATH, TestSSLConstants.TRUSTSTORE);
+ attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.TRUSTSTORE_PASSWORD);
+
+ FileTrustStoreImpl fileTrustStore = new FileTrustStoreImpl(attributes, _broker);
+
+ fileTrustStore.create();
+
+ SimpleLDAPAuthenticationManager ldap = mock(SimpleLDAPAuthenticationManager.class);
+ when(ldap.getTrustStore()).thenReturn(fileTrustStore);
+
+ Collection<AuthenticationProvider<?>> authenticationProviders = Collections.<AuthenticationProvider<?>>singletonList(ldap);
+ when(_broker.getAuthenticationProviders()).thenReturn(authenticationProviders);
+
+ try
+ {
+ fileTrustStore.delete();
+ fail("Exception not thrown");
+ }
+ catch (IntegrityViolationException ive)
+ {
+ // PASS
+ }
+ }
+
+ public void testDeleteTrustStore_TrustManagerInUseByPort() throws Exception
+ {
+ when(_securityManager.authoriseConfiguringBroker(any(String.class),
+ any(Class.class),
+ any(Operation.class))).thenReturn(true);
+
+ Map<String,Object> attributes = new HashMap<>();
+ attributes.put(FileTrustStore.NAME, "myFileTrustStore");
+ attributes.put(FileTrustStore.PATH, TestSSLConstants.TRUSTSTORE);
+ attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.TRUSTSTORE_PASSWORD);
+
+ FileTrustStoreImpl fileTrustStore = new FileTrustStoreImpl(attributes, _broker);
+
+ fileTrustStore.create();
+
+ Port<?> port = mock(Port.class);
+ when(port.getTrustStores()).thenReturn(Collections.<TrustStore>singletonList(fileTrustStore));
+
+ when(_broker.getPorts()).thenReturn(Collections.<Port<?>>singletonList(port));
+
+ try
+ {
+ fileTrustStore.delete();
+ fail("Exception not thrown");
+ }
+ catch (IntegrityViolationException ive)
+ {
+ // PASS
+ }
+ }
+
+ private static String createDataUrlForFile(String filename)
+ {
+ byte[] fileAsBytes = FileUtils.readFileAsBytes(filename);
+ return DataUrlUtils.getDataUrlForBytes(fileAsBytes);
+ }
+} \ No newline at end of file
diff --git a/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/RestServlet.java b/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/RestServlet.java
index 883da04b3d..71ec6e786f 100644
--- a/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/RestServlet.java
+++ b/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/RestServlet.java
@@ -36,7 +36,6 @@ import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.Part;
-import javax.xml.bind.DatatypeConverter;
import org.apache.log4j.Logger;
import org.codehaus.jackson.map.ObjectMapper;
@@ -46,6 +45,7 @@ import org.apache.qpid.server.configuration.IllegalConfigurationException;
import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.model.ConfiguredObject;
import org.apache.qpid.server.util.urlstreamhandler.data.Handler;
+import org.apache.qpid.util.DataUrlUtils;
public class RestServlet extends AbstractServlet
{
@@ -439,8 +439,7 @@ public class RestServlet extends AbstractServlet
{
byte[] data = new byte[(int) part.getSize()];
part.getInputStream().read(data);
- StringBuilder inlineURL = new StringBuilder("data:;base64,");
- inlineURL.append(DatatypeConverter.printBase64Binary(data));
+ String inlineURL = DataUrlUtils.getDataUrlForBytes(data);
fileUploads.put(part.getName(),inlineURL.toString());
}
}
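Review bot: The data URL built on the new `String inlineURL = DataUrlUtils.getDataUrlForBytes(data);` line is made from a buffer that the single `part.getInputStream().read(data)` two lines above is not guaranteed to fill, so a short read yields a zero-padded, corrupt key/trust store that only fails later at `KeyStore.load` (or, worse, loads as something unexpected); reading with `new DataInputStream(part.getInputStream()).readFully(data);` closes that gap. The `.toString()` on the following `fileUploads.put(...)` line is now redundant because `inlineURL` is already a `String`. Note also that the whole upload is buffered in memory via `(int) part.getSize()` with no size cap and a lossy long-to-int cast — pre-existing, but worth bounding on a management endpoint that accepts uploads.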
diff --git a/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/QpidClientX509KeyManager.java b/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/QpidClientX509KeyManager.java
index 0dccf37979..c61684e2bb 100644
--- a/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/QpidClientX509KeyManager.java
+++ b/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/QpidClientX509KeyManager.java
@@ -27,6 +27,7 @@ import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;
import java.io.IOException;
import java.net.Socket;
+import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Principal;
@@ -50,6 +51,16 @@ public class QpidClientX509KeyManager extends X509ExtendedKeyManager
this.delegate = (X509ExtendedKeyManager)kmf.getKeyManagers()[0];
}
+ public QpidClientX509KeyManager(String alias, URL keyStoreUrl, String keyStoreType,
+ String keyStorePassword, String keyManagerFactoryAlgorithmName) throws GeneralSecurityException, IOException
+ {
+ this.alias = alias;
+ KeyStore ks = SSLUtil.getInitializedKeyStore(keyStoreUrl,keyStorePassword,keyStoreType);
+ KeyManagerFactory kmf = KeyManagerFactory.getInstance(keyManagerFactoryAlgorithmName);
+ kmf.init(ks, keyStorePassword.toCharArray());
+ this.delegate = (X509ExtendedKeyManager)kmf.getKeyManagers()[0];
+ }
+
public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket)
{
log.debug("chooseClientAlias:Returning alias " + alias);
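Review bot: The new URL constructor calls `keyStorePassword.toCharArray()` unconditionally, so a null password fails with a bare NullPointerException even though `SSLUtil.getInitializedKeyStore` on the previous line explicitly tolerates null; reject it up front with `Objects.requireNonNull(keyStorePassword, "keyStorePassword")` or mirror the helper's null handling so the failure names the parameter. Its three initialisation lines appear to duplicate the File-based constructor whose tail is visible just above the hunk; a private `init(KeyStore, String, String)` shared by both would keep the two from drifting. A Javadoc noting that `keyStoreUrl` may use any scheme `URL.openStream()` supports (file, jar, data, http) would help callers understand what they are trusting.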
diff --git a/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java b/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java
index 98229fd2a1..b6ae2ab4a3 100644
--- a/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java
+++ b/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java
@@ -24,6 +24,7 @@ import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
+import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Principal;
@@ -248,6 +249,23 @@ public class SSLUtil
return ks;
}
+ public static KeyStore getInitializedKeyStore(URL storePath, String storePassword, String keyStoreType) throws GeneralSecurityException, IOException
+ {
+ KeyStore ks = KeyStore.getInstance(keyStoreType);
+ try(InputStream in = storePath.openStream())
+ {
+ if (in == null && !"PKCS11".equalsIgnoreCase(keyStoreType)) // PKCS11 will not require an explicit path
+ {
+ throw new IOException("Unable to load keystore resource: " + storePath);
+ }
+
+ char[] storeCharPassword = storePassword == null ? null : storePassword.toCharArray();
+
+ ks.load(in, storeCharPassword);
+ }
+ return ks;
+ }
+
public static void removeSSLv3Support(final SSLEngine engine)
{
List<String> enabledProtocols = Arrays.asList(engine.getEnabledProtocols());
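Review bot: The `in == null` test inside the try is unreachable in the new URL overload: the JDK-supplied handlers' `openStream()` throws an IOException rather than returning null, and a null `storePath` — the PKCS11 case the trailing comment describes — hits `storePath.openStream()` and NPEs before the check runs, so PKCS11 cannot actually be initialised through this method. Test `storePath` for null before opening it, and only then call `ks.load(null, ...)` for PKCS11 and throw for every other type. Separately, `openStream()` honours any registered scheme, so a key store path configured as `http:` would be fetched with no integrity protection — worth a sentence in the Javadoc, or a scheme check, if callers cannot otherwise restrict it.
```java
public static KeyStore getInitializedKeyStore(URL storePath, String storePassword, String keyStoreType) throws GeneralSecurityException, IOException
{
    KeyStore ks = KeyStore.getInstance(keyStoreType);
    char[] storeCharPassword = storePassword == null ? null : storePassword.toCharArray();

    if (storePath == null)
    {
        // PKCS11 will not require an explicit path; every other type must have one
        if (!"PKCS11".equalsIgnoreCase(keyStoreType))
        {
            throw new IOException("No keystore resource supplied for keystore type " + keyStoreType);
        }
        ks.load(null, storeCharPassword);
        return ks;
    }

    try(InputStream in = storePath.openStream())
    {
        ks.load(in, storeCharPassword);
    }
    return ks;
}
```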
diff --git a/qpid/java/common/src/main/java/org/apache/qpid/util/DataUrlUtils.java b/qpid/java/common/src/main/java/org/apache/qpid/util/DataUrlUtils.java
new file mode 100644
index 0000000000..16c5012d88
--- /dev/null
+++ b/qpid/java/common/src/main/java/org/apache/qpid/util/DataUrlUtils.java
@@ -0,0 +1,32 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.qpid.util;
+
+import javax.xml.bind.DatatypeConverter;
+
+public class DataUrlUtils
+{
+ public static String getDataUrlForBytes(final byte[] bytes)
+ {
+ StringBuilder inlineURL = new StringBuilder("data:;base64,");
+ inlineURL.append(DatatypeConverter.printBase64Binary(bytes));
+ return inlineURL.toString();
+ }
+}
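Review bot: `getDataUrlForBytes` has no Javadoc and no null handling, so a null `bytes` fails inside `DatatypeConverter` with an exception that does not name the argument; add `Objects.requireNonNull(bytes, "bytes");` as the first statement and a Javadoc stating that the result has no media type (`data:;base64,`, which per RFC 2397 defaults to `text/plain;charset=US-ASCII`) and that the consumer is expected to be the broker's own `data:` URL handler. The utility class should also get a private constructor. Be aware that `javax.xml.bind.DatatypeConverter` is not part of the JDK from Java 11 onward; if the build can assume Java 8, `java.util.Base64.getEncoder().encodeToString(bytes)` removes that dependency, otherwise it is worth a comment.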
diff --git a/qpid/java/common/src/main/java/org/apache/qpid/util/FileUtils.java b/qpid/java/common/src/main/java/org/apache/qpid/util/FileUtils.java
index dd347b54eb..70607f49db 100644
--- a/qpid/java/common/src/main/java/org/apache/qpid/util/FileUtils.java
+++ b/qpid/java/common/src/main/java/org/apache/qpid/util/FileUtils.java
@@ -22,6 +22,7 @@ package org.apache.qpid.util;
import java.io.BufferedInputStream;
import java.io.BufferedReader;
+import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
@@ -51,39 +52,32 @@ public class FileUtils
*
* @return The contents of the file.
*/
- public static String readFileAsString(String filename)
+ public static byte[] readFileAsBytes(String filename)
{
- BufferedInputStream is = null;
- try
+ try(BufferedInputStream is = new BufferedInputStream(new FileInputStream(filename)))
{
- try
- {
- is = new BufferedInputStream(new FileInputStream(filename));
- }
- catch (FileNotFoundException e)
- {
- throw new RuntimeException(e);
- }
-
return readStreamAsString(is);
}
- finally
+ catch (IOException e)
{
- if (is != null)
- {
- try
- {
- is.close();
- }
- catch (IOException e)
- {
- throw new RuntimeException(e);
- }
- }
+ throw new RuntimeException(e);
}
}
+
+ /**
+ * Reads a text file as a string.
+ *
+ * @param filename The name of the file.
+ *
+ * @return The contents of the file.
+ */
+ public static String readFileAsString(String filename)
+ {
+ return new String(readFileAsBytes(filename));
+ }
+
/**
* Reads a text file as a string.
*
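Review bot: `new String(readFileAsBytes(filename))` in the new `readFileAsString` decodes with the platform default charset; the old chunk-wise code did the same (and could additionally split a multi-byte sequence at a 4096-byte boundary, which the new form fixes), but this is the natural place to make the charset explicit — `new String(readFileAsBytes(filename), StandardCharsets.UTF_8)` — if the callers' files are known to be UTF-8, otherwise the result depends on the JVM's `file.encoding`. The Javadoc that now heads `readFileAsBytes` (its opening lines are above the hunk; the hunk starts at its `@return The contents of the file.`) still describes a text-to-String reader and should say it returns the raw bytes and that an I/O failure is rethrown as an unchecked `RuntimeException`. `FileNotFoundException` may no longer be referenced anywhere in this file once both constructors sit inside try-with-resources — check the import.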
@@ -93,18 +87,15 @@ public class FileUtils
*/
public static String readFileAsString(File file)
{
- BufferedInputStream is = null;
-
- try
+ try(BufferedInputStream is = new BufferedInputStream(new FileInputStream(file)))
{
- is = new BufferedInputStream(new FileInputStream(file));
+
+ return new String(readStreamAsString(is));
}
- catch (FileNotFoundException e)
+ catch (IOException e)
{
throw new RuntimeException(e);
}
-
- return readStreamAsString(is);
}
/**
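Review bot: `return new String(readStreamAsString(is));` in `readFileAsString(File)` also decodes with the platform default charset, and it is now a near-duplicate of the String overload; the two should at least agree on an explicit `Charset`, and the String overload could simply delegate via `return readFileAsString(new File(filename));` so there is one decoding site to fix. The empty line left after the `try` opening brace and the `new String(...)` wrapping a helper still named `...AsString` suggest the helper's rename was missed.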
@@ -115,23 +106,20 @@ public class FileUtils
*
* @return The contents of the reader.
*/
- private static String readStreamAsString(BufferedInputStream is)
+ private static byte[] readStreamAsString(BufferedInputStream is)
{
- try
+ try(ByteArrayOutputStream inBuffer = new ByteArrayOutputStream())
{
byte[] data = new byte[4096];
- StringBuffer inBuffer = new StringBuffer();
-
int read;
while ((read = is.read(data)) != -1)
{
- String s = new String(data, 0, read);
- inBuffer.append(s);
+ inBuffer.write(data, 0, read);
}
- return inBuffer.toString();
+ return inBuffer.toByteArray();
}
catch (IOException e)
{
diff --git a/qpid/java/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/TestSSLConstants.java b/qpid/java/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/TestSSLConstants.java
index c48f164d98..96eef79694 100644
--- a/qpid/java/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/TestSSLConstants.java
+++ b/qpid/java/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/TestSSLConstants.java
@@ -28,6 +28,7 @@ public interface TestSSLConstants
String BROKER_KEYSTORE = "test-profiles/test_resources/ssl/java_broker_keystore.jks";
String BROKER_KEYSTORE_PASSWORD = "password";
+ Object BROKER_KEYSTORE_ALIAS = "rootca";
String BROKER_PEERSTORE = "test-profiles/test_resources/ssl/java_broker_peerstore.jks";
String BROKER_PEERSTORE_PASSWORD = "password";
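Review bot: `Object BROKER_KEYSTORE_ALIAS = "rootca";` declares the new constant as `Object` while every neighbouring constant is a `String`; declare it `String BROKER_KEYSTORE_ALIAS = "rootca";` so tests can pass it to String-typed attributes such as a certificate alias without a cast. Whether `rootca` is actually an alias present in `java_broker_keystore.jks` cannot be checked from this diff — a test that loads the store and asserts the alias exists would pin it.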
diff --git a/qpid/java/systests/src/test/java/org/apache/qpid/systest/rest/KeyStoreRestTest.java b/qpid/java/systests/src/test/java/org/apache/qpid/systest/rest/KeyStoreRestTest.java
index 169ece986e..03b0a7a304 100644
--- a/qpid/java/systests/src/test/java/org/apache/qpid/systest/rest/KeyStoreRestTest.java
+++ b/qpid/java/systests/src/test/java/org/apache/qpid/systest/rest/KeyStoreRestTest.java
@@ -20,23 +20,20 @@
*/
package org.apache.qpid.systest.rest;
-import java.io.IOException;
-import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
-import org.codehaus.jackson.JsonGenerationException;
-import org.codehaus.jackson.JsonParseException;
-import org.codehaus.jackson.map.JsonMappingException;
+import javax.servlet.http.HttpServletResponse;
+
import org.apache.qpid.server.model.AbstractConfiguredObject;
import org.apache.qpid.server.model.KeyStore;
-import org.apache.qpid.server.model.Port;
-import org.apache.qpid.server.model.Transport;
import org.apache.qpid.server.security.FileKeyStore;
import org.apache.qpid.test.utils.TestBrokerConfiguration;
import org.apache.qpid.test.utils.TestSSLConstants;
+import org.apache.qpid.util.DataUrlUtils;
+import org.apache.qpid.util.FileUtils;
public class KeyStoreRestTest extends QpidRestTestCase
{
@@ -67,7 +64,7 @@ public class KeyStoreRestTest extends QpidRestTestCase
String certAlias = "app2";
assertNumberOfKeyStores(1);
- createKeyStore(name, certAlias);
+ createKeyStore(name, certAlias, TestSSLConstants.KEYSTORE, TestSSLConstants.KEYSTORE_PASSWORD);
assertNumberOfKeyStores(2);
List<Map<String, Object>> keyStores = getRestTestHelper().getJsonAsList("keystore/" + name);
@@ -76,161 +73,72 @@ public class KeyStoreRestTest extends QpidRestTestCase
assertKeyStoreAttributes(keyStores.get(0), name, TestSSLConstants.KEYSTORE, certAlias);
}
- public void testDelete() throws Exception
+ public void testCreateWithDataUrl() throws Exception
{
super.setUp();
String name = getTestName();
- String certAlias = "app2";
+ byte[] keystoreAsBytes = FileUtils.readFileAsBytes(TestSSLConstants.KEYSTORE);
+ String dataUrlForKeyStore = DataUrlUtils.getDataUrlForBytes(keystoreAsBytes);
assertNumberOfKeyStores(1);
- createKeyStore(name, certAlias);
- assertNumberOfKeyStores(2);
-
- int responseCode = getRestTestHelper().submitRequest("keystore/" + name , "DELETE");
- assertEquals("Unexpected response code for provider deletion", 200, responseCode);
-
- List<Map<String, Object>> keyStore = getRestTestHelper().getJsonAsList("keystore/" + name);
- assertNotNull("details should not be null", keyStore);
- assertTrue("details should be empty as the keystore no longer exists", keyStore.isEmpty());
-
- //check only the default systests key store remains
- List<Map<String, Object>> keyStores = assertNumberOfKeyStores(1);
- Map<String, Object> keystore = keyStores.get(0);
- assertKeyStoreAttributes(keystore, TestBrokerConfiguration.ENTRY_NAME_SSL_KEYSTORE,
- QPID_HOME + "/../" + TestSSLConstants.BROKER_KEYSTORE, null);
- }
-
- public void testDeleteFailsWhenKeyStoreInUse() throws Exception
- {
- String name = "testDeleteFailsWhenKeyStoreInUse";
-
- //add a new key store config to use
- Map<String, Object> sslKeyStoreAttributes = new HashMap<String, Object>();
- sslKeyStoreAttributes.put(KeyStore.NAME, name);
- sslKeyStoreAttributes.put(FileKeyStore.PATH, TestSSLConstants.BROKER_KEYSTORE);
- sslKeyStoreAttributes.put(FileKeyStore.PASSWORD, TestSSLConstants.BROKER_KEYSTORE_PASSWORD);
- getBrokerConfiguration().addObjectConfiguration(KeyStore.class,sslKeyStoreAttributes);
-
- //add the SSL port using it
- Map<String, Object> sslPortAttributes = new HashMap<String, Object>();
- sslPortAttributes.put(Port.TRANSPORTS, Collections.singleton(Transport.SSL));
- sslPortAttributes.put(Port.PORT, DEFAULT_SSL_PORT);
- sslPortAttributes.put(Port.NAME, TestBrokerConfiguration.ENTRY_NAME_SSL_PORT);
- sslPortAttributes.put(Port.AUTHENTICATION_PROVIDER, TestBrokerConfiguration.ENTRY_NAME_AUTHENTICATION_PROVIDER);
- sslPortAttributes.put(Port.KEY_STORE, name);
- getBrokerConfiguration().addObjectConfiguration(Port.class,sslPortAttributes);
-
- super.setUp();
-
- //verify the keystore is there
+ createKeyStore(name, null, dataUrlForKeyStore, TestSSLConstants.KEYSTORE_PASSWORD);
assertNumberOfKeyStores(2);
- List<Map<String, Object>> keyStore = getRestTestHelper().getJsonAsList("keystore/" + name);
- assertNotNull("details should not be null", keyStore);
- assertKeyStoreAttributes(keyStore.get(0), name, TestSSLConstants.BROKER_KEYSTORE, null);
-
- //try to delete it, which should fail as it is in use
- int responseCode = getRestTestHelper().submitRequest("keystore/" + name , "DELETE");
- assertEquals("Unexpected response code for provider deletion", 409, responseCode);
+ List<Map<String, Object>> keyStores = getRestTestHelper().getJsonAsList("keystore/" + name);
+ assertNotNull("details cannot be null", keyStores);
- //check its still there
- assertNumberOfKeyStores(2);
- keyStore = getRestTestHelper().getJsonAsList("keystore/" + name);
- assertNotNull("details should not be null", keyStore);
- assertKeyStoreAttributes(keyStore.get(0), name, TestSSLConstants.BROKER_KEYSTORE, null);
+ assertKeyStoreAttributes(keyStores.get(0), name, dataUrlForKeyStore, null);
}
- public void testUpdateWithGoodPathSucceeds() throws Exception
+ public void testDelete() throws Exception
{
super.setUp();
String name = getTestName();
+ String certAlias = "app2";
assertNumberOfKeyStores(1);
- createKeyStore(name, null);
+ createKeyStore(name, certAlias, TestSSLConstants.KEYSTORE, TestSSLConstants.KEYSTORE_PASSWORD);
assertNumberOfKeyStores(2);
- Map<String, Object> attributes = new HashMap<String, Object>();
- attributes.put(KeyStore.NAME, name);
- attributes.put(FileKeyStore.PATH, TestSSLConstants.UNTRUSTED_KEYSTORE);
-
- int responseCode = getRestTestHelper().submitRequest("keystore/" + name , "PUT", attributes);
- assertEquals("Unexpected response code for keystore update", 200, responseCode);
+ getRestTestHelper().submitRequest("keystore/" + name, "DELETE", HttpServletResponse.SC_OK);
List<Map<String, Object>> keyStore = getRestTestHelper().getJsonAsList("keystore/" + name);
assertNotNull("details should not be null", keyStore);
+ assertTrue("details should be empty as the keystore no longer exists", keyStore.isEmpty());
- assertKeyStoreAttributes(keyStore.get(0), name, TestSSLConstants.UNTRUSTED_KEYSTORE, null);
+ //check only the default systests key store remains
+ List<Map<String, Object>> keyStores = assertNumberOfKeyStores(1);
+ Map<String, Object> keystore = keyStores.get(0);
+ assertKeyStoreAttributes(keystore, TestBrokerConfiguration.ENTRY_NAME_SSL_KEYSTORE,
+ QPID_HOME + "/../" + TestSSLConstants.BROKER_KEYSTORE, null);
}
- public void testUpdateWithNonExistentPathFails() throws Exception
+ public void testUpdate() throws Exception
{
super.setUp();
String name = getTestName();
assertNumberOfKeyStores(1);
- createKeyStore(name, null);
+ createKeyStore(name, null, TestSSLConstants.KEYSTORE, TestSSLConstants.KEYSTORE_PASSWORD);
assertNumberOfKeyStores(2);
Map<String, Object> attributes = new HashMap<String, Object>();
attributes.put(KeyStore.NAME, name);
- attributes.put(FileKeyStore.PATH, "does.not.exist");
+ attributes.put(FileKeyStore.PATH, TestSSLConstants.UNTRUSTED_KEYSTORE);
- int responseCode = getRestTestHelper().submitRequest("keystore/" + name , "PUT", attributes);
- assertEquals("Unexpected response code for keystore update", 409, responseCode);
+ getRestTestHelper().submitRequest("keystore/" + name, "PUT", attributes, HttpServletResponse.SC_OK);
List<Map<String, Object>> keyStore = getRestTestHelper().getJsonAsList("keystore/" + name);
assertNotNull("details should not be null", keyStore);
- //verify the details remain unchanged
- assertKeyStoreAttributes(keyStore.get(0), name, TestSSLConstants.KEYSTORE, null);
+ assertKeyStoreAttributes(keyStore.get(0), name, TestSSLConstants.UNTRUSTED_KEYSTORE, null);
}
- public void testUpdateCertificateAlias() throws Exception
- {
- super.setUp();
-
- String name = getTestName();
-
- assertNumberOfKeyStores(1);
- createKeyStore(name, "app1");
- assertNumberOfKeyStores(2);
-
- List<Map<String, Object>> keyStore = getRestTestHelper().getJsonAsList("keystore/" + name);
- assertNotNull("details should not be null", keyStore);
- assertKeyStoreAttributes(keyStore.get(0), name, TestSSLConstants.KEYSTORE, "app1");
-
- //Update the certAlias from app1 to app2
- Map<String, Object> attributes = new HashMap<String, Object>();
- attributes.put(KeyStore.NAME, name);
- attributes.put(FileKeyStore.CERTIFICATE_ALIAS, "app2");
-
- int responseCode = getRestTestHelper().submitRequest("keystore/" + name , "PUT", attributes);
- assertEquals("Unexpected response code for keystore update", 200, responseCode);
-
- keyStore = getRestTestHelper().getJsonAsList("keystore/" + name);
- assertNotNull("details should not be null", keyStore);
-
- assertKeyStoreAttributes(keyStore.get(0), name, TestSSLConstants.KEYSTORE, "app2");
-
- //Update the certAlias to clear it (i.e go from from app1 to null)
- attributes = new HashMap<String, Object>();
- attributes.put(KeyStore.NAME, name);
- attributes.put(FileKeyStore.CERTIFICATE_ALIAS, null);
-
- responseCode = getRestTestHelper().submitRequest("keystore/" + name , "PUT", attributes);
- assertEquals("Unexpected response code for keystore update", 200, responseCode);
- keyStore = getRestTestHelper().getJsonAsList("keystore/" + name);
- assertNotNull("details should not be null", keyStore);
-
- assertKeyStoreAttributes(keyStore.get(0), name, TestSSLConstants.KEYSTORE, null);
- }
-
- private List<Map<String, Object>> assertNumberOfKeyStores(int numberOfKeystores) throws IOException,
- JsonParseException, JsonMappingException
+ private List<Map<String, Object>> assertNumberOfKeyStores(int numberOfKeystores) throws Exception
{
List<Map<String, Object>> keyStores = getRestTestHelper().getJsonAsList("keystore");
assertNotNull("keystores should not be null", keyStores);
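Review bot: `testCreateWithDataUrl` asserts on its last line that a GET on `keystore/<name>` returns `path` equal to the full `data:` URL, i.e. the complete serialised key store — private-key material protected only by the store password — is echoed back to every REST client able to read the object, whereas `assertKeyStoreAttributes` elsewhere in this file expects `password` to come back as `SECURED_STRING_VALUE`. Consider masking or summarising `path` when it is a data URL and asserting that here rather than round-tripping the bytes. Separately, this hunk deletes `testDeleteFailsWhenKeyStoreInUse` and `testUpdateWithNonExistentPathFails`, so the 409 responses for deleting an in-use key store and for a bad path are no longer exercised at the REST layer; if that coverage moved to the FileKeyStoreTest unit tests it is worth saying so in the commit message, otherwise a REST-level check should remain.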
@@ -239,16 +147,18 @@ public class KeyStoreRestTest extends QpidRestTestCase
return keyStores;
}
- private void createKeyStore(String name, String certAlias) throws IOException, JsonGenerationException, JsonMappingException
+ private void createKeyStore(String name, String certAlias, final String keyStorePath, final String keystorePassword) throws Exception
{
- Map<String, Object> keyStoreAttributes = new HashMap<String, Object>();
+ Map<String, Object> keyStoreAttributes = new HashMap<>();
keyStoreAttributes.put(KeyStore.NAME, name);
- keyStoreAttributes.put(FileKeyStore.PATH, TestSSLConstants.KEYSTORE);
- keyStoreAttributes.put(FileKeyStore.PASSWORD, TestSSLConstants.KEYSTORE_PASSWORD);
- keyStoreAttributes.put(FileKeyStore.CERTIFICATE_ALIAS, certAlias);
+ keyStoreAttributes.put(FileKeyStore.PATH, keyStorePath);
+ keyStoreAttributes.put(FileKeyStore.PASSWORD, keystorePassword);
+ if (certAlias != null)
+ {
+ keyStoreAttributes.put(FileKeyStore.CERTIFICATE_ALIAS, certAlias);
+ }
- int responseCode = getRestTestHelper().submitRequest("keystore/" + name, "PUT", keyStoreAttributes);
- assertEquals("Unexpected response code", 201, responseCode);
+ getRestTestHelper().submitRequest("keystore/" + name, "PUT", keyStoreAttributes, HttpServletResponse.SC_CREATED);
}
private void assertKeyStoreAttributes(Map<String, Object> keystore, String name, String path, String certAlias)
@@ -261,12 +171,16 @@ public class KeyStoreRestTest extends QpidRestTestCase
AbstractConfiguredObject.SECURED_STRING_VALUE, keystore.get(FileKeyStore.PASSWORD));
assertEquals("unexpected type of default systests key store",
java.security.KeyStore.getDefaultType(), keystore.get(FileKeyStore.KEY_STORE_TYPE));
- assertEquals("unexpected certificateAlias value",
- certAlias, keystore.get(FileKeyStore.CERTIFICATE_ALIAS));
if(certAlias == null)
{
assertFalse("should not be a certificateAlias attribute",
keystore.containsKey(FileKeyStore.CERTIFICATE_ALIAS));
}
+ else
+ {
+ assertEquals("unexpected certificateAlias value",
+ certAlias, keystore.get(FileKeyStore.CERTIFICATE_ALIAS));
+
+ }
}
}
diff --git a/qpid/java/systests/src/test/java/org/apache/qpid/systest/rest/TrustStoreRestTest.java b/qpid/java/systests/src/test/java/org/apache/qpid/systest/rest/TrustStoreRestTest.java
index 1aac22d0aa..6cca3fc12c 100644
--- a/qpid/java/systests/src/test/java/org/apache/qpid/systest/rest/TrustStoreRestTest.java
+++ b/qpid/java/systests/src/test/java/org/apache/qpid/systest/rest/TrustStoreRestTest.java
@@ -20,23 +20,19 @@
*/
package org.apache.qpid.systest.rest;
-import java.io.IOException;
-import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
-import org.codehaus.jackson.JsonGenerationException;
-import org.codehaus.jackson.JsonParseException;
-import org.codehaus.jackson.map.JsonMappingException;
+import javax.servlet.http.HttpServletResponse;
import org.apache.qpid.server.model.AbstractConfiguredObject;
-import org.apache.qpid.server.model.Port;
-import org.apache.qpid.server.model.Transport;
import org.apache.qpid.server.model.TrustStore;
import org.apache.qpid.server.security.FileTrustStore;
import org.apache.qpid.test.utils.TestBrokerConfiguration;
import org.apache.qpid.test.utils.TestSSLConstants;
+import org.apache.qpid.util.DataUrlUtils;
+import org.apache.qpid.util.FileUtils;
public class TrustStoreRestTest extends QpidRestTestCase
{
@@ -66,7 +62,7 @@ public class TrustStoreRestTest extends QpidRestTestCase
String name = getTestName();
assertNumberOfTrustStores(1);
- createTrustStore(name, true);
+ createTrustStore(name, true, TestSSLConstants.TRUSTSTORE, TestSSLConstants.TRUSTSTORE_PASSWORD);
assertNumberOfTrustStores(2);
List<Map<String, Object>> trustStores = getRestTestHelper().getJsonAsList("truststore/" + name);
@@ -75,157 +71,73 @@ public class TrustStoreRestTest extends QpidRestTestCase
assertTrustStoreAttributes(trustStores.get(0), name, TestSSLConstants.TRUSTSTORE, true);
}
- public void testDelete() throws Exception
+ public void testCreateUsingDataUrl() throws Exception
{
super.setUp();
String name = getTestName();
+ byte[] trustStoreAsBytes = FileUtils.readFileAsBytes(TestSSLConstants.TRUSTSTORE);
+ String dataUrlForTruststore = DataUrlUtils.getDataUrlForBytes(trustStoreAsBytes);
assertNumberOfTrustStores(1);
- createTrustStore(name, false);
- assertNumberOfTrustStores(2);
-
- int responseCode = getRestTestHelper().submitRequest("truststore/" + name , "DELETE");
- assertEquals("Unexpected response code for provider deletion", 200, responseCode);
-
- List<Map<String, Object>> trustStore = getRestTestHelper().getJsonAsList("truststore/" + name);
- assertNotNull("details should not be null", trustStore);
- assertTrue("details should be empty as the truststore no longer exists", trustStore.isEmpty());
-
- //check only the default systests trust store remains
- List<Map<String, Object>> trustStores = assertNumberOfTrustStores(1);
- Map<String, Object> truststore = trustStores.get(0);
- assertTrustStoreAttributes(truststore, TestBrokerConfiguration.ENTRY_NAME_SSL_TRUSTSTORE,
- QPID_HOME + "/../" + TestSSLConstants.BROKER_TRUSTSTORE, false);
- }
- public void testDeleteFailsWhenTrustStoreInUse() throws Exception
- {
- String name = "testDeleteFailsWhenTrustStoreInUse";
-
- //add a new trust store config to use
- Map<String, Object> sslTrustStoreAttributes = new HashMap<String, Object>();
- sslTrustStoreAttributes.put(TrustStore.NAME, name);
- sslTrustStoreAttributes.put(FileTrustStore.PATH, TestSSLConstants.TRUSTSTORE);
- sslTrustStoreAttributes.put(FileTrustStore.PASSWORD, TestSSLConstants.TRUSTSTORE_PASSWORD);
- getBrokerConfiguration().addObjectConfiguration(TrustStore.class,sslTrustStoreAttributes);
-
- //add the SSL port using it
- Map<String, Object> sslPortAttributes = new HashMap<String, Object>();
- sslPortAttributes.put(Port.TRANSPORTS, Collections.singleton(Transport.SSL));
- sslPortAttributes.put(Port.PORT, DEFAULT_SSL_PORT);
- sslPortAttributes.put(Port.NAME, TestBrokerConfiguration.ENTRY_NAME_SSL_PORT);
- sslPortAttributes.put(Port.AUTHENTICATION_PROVIDER, TestBrokerConfiguration.ENTRY_NAME_AUTHENTICATION_PROVIDER);
- sslPortAttributes.put(Port.KEY_STORE, TestBrokerConfiguration.ENTRY_NAME_SSL_KEYSTORE);
- sslPortAttributes.put(Port.TRUST_STORES, Collections.singleton(name));
- getBrokerConfiguration().addObjectConfiguration(Port.class, sslPortAttributes);
+ createTrustStore(name, false, dataUrlForTruststore, TestSSLConstants.TRUSTSTORE_PASSWORD);
- super.setUp();
-
- //verify the truststore is there
assertNumberOfTrustStores(2);
- List<Map<String, Object>> trustStore = getRestTestHelper().getJsonAsList("truststore/" + name);
- assertNotNull("details should not be null", trustStore);
- assertTrustStoreAttributes(trustStore.get(0), name, TestSSLConstants.TRUSTSTORE, false);
-
- //try to delete it, which should fail as it is in use
- int responseCode = getRestTestHelper().submitRequest("truststore/" + name , "DELETE");
- assertEquals("Unexpected response code for provider deletion", 409, responseCode);
+ List<Map<String, Object>> trustStores = getRestTestHelper().getJsonAsList("truststore/" + name);
+ assertNotNull("details cannot be null", trustStores);
- //check its still there
- assertNumberOfTrustStores(2);
- trustStore = getRestTestHelper().getJsonAsList("truststore/" + name);
- assertNotNull("details should not be null", trustStore);
- assertTrustStoreAttributes(trustStore.get(0), name, TestSSLConstants.TRUSTSTORE, false);
+ assertTrustStoreAttributes(trustStores.get(0), name, dataUrlForTruststore, false);
}
- public void testUpdateWithGoodPathSucceeds() throws Exception
+ public void testDelete() throws Exception
{
super.setUp();
String name = getTestName();
assertNumberOfTrustStores(1);
- createTrustStore(name, false);
+ createTrustStore(name, false, TestSSLConstants.TRUSTSTORE, TestSSLConstants.TRUSTSTORE_PASSWORD);
assertNumberOfTrustStores(2);
- Map<String, Object> attributes = new HashMap<String, Object>();
- attributes.put(TrustStore.NAME, name);
- attributes.put(FileTrustStore.PATH, TestSSLConstants.TRUSTSTORE);
-
- int responseCode = getRestTestHelper().submitRequest("truststore/" + name , "PUT", attributes);
- assertEquals("Unexpected response code for truststore update", 200, responseCode);
+ getRestTestHelper().submitRequest("truststore/" + name , "DELETE", HttpServletResponse.SC_OK);
List<Map<String, Object>> trustStore = getRestTestHelper().getJsonAsList("truststore/" + name);
assertNotNull("details should not be null", trustStore);
+ assertTrue("details should be empty as the truststore no longer exists", trustStore.isEmpty());
- assertTrustStoreAttributes(trustStore.get(0), name, TestSSLConstants.TRUSTSTORE, false);
+ //check only the default systests trust store remains
+ List<Map<String, Object>> trustStores = assertNumberOfTrustStores(1);
+ Map<String, Object> truststore = trustStores.get(0);
+ assertTrustStoreAttributes(truststore, TestBrokerConfiguration.ENTRY_NAME_SSL_TRUSTSTORE,
+ QPID_HOME + "/../" + TestSSLConstants.BROKER_TRUSTSTORE, false);
}
- public void testUpdateWithNonExistentPathFails() throws Exception
- {
- super.setUp();
-
- String name = getTestName();
-
- assertNumberOfTrustStores(1);
- createTrustStore(name, false);
- assertNumberOfTrustStores(2);
- Map<String, Object> attributes = new HashMap<String, Object>();
- attributes.put(TrustStore.NAME, name);
- attributes.put(FileTrustStore.PATH, "does.not.exist");
-
- int responseCode = getRestTestHelper().submitRequest("truststore/" + name , "PUT", attributes);
- assertEquals("Unexpected response code for trust store update", 409, responseCode);
-
- List<Map<String, Object>> trustStore = getRestTestHelper().getJsonAsList("truststore/" + name);
- assertNotNull("details should not be null", trustStore);
-
- //verify the details remain unchanged
- assertTrustStoreAttributes(trustStore.get(0), name, TestSSLConstants.TRUSTSTORE, false);
- }
-
- public void testUpdatePeersOnly() throws Exception
+ public void testUpdate() throws Exception
{
super.setUp();
String name = getTestName();
assertNumberOfTrustStores(1);
- createTrustStore(name, false);
+ createTrustStore(name, false, TestSSLConstants.TRUSTSTORE, TestSSLConstants.TRUSTSTORE_PASSWORD);
assertNumberOfTrustStores(2);
- //update the peersOnly attribute from false to true
Map<String, Object> attributes = new HashMap<String, Object>();
attributes.put(TrustStore.NAME, name);
- attributes.put(FileTrustStore.PEERS_ONLY, true);
+ attributes.put(FileTrustStore.PATH, TestSSLConstants.TRUSTSTORE);
- int responseCode = getRestTestHelper().submitRequest("truststore/" + name , "PUT", attributes);
- assertEquals("Unexpected response code for trust store update", 200, responseCode);
+ getRestTestHelper().submitRequest("truststore/" + name , "PUT", attributes, HttpServletResponse.SC_OK);
List<Map<String, Object>> trustStore = getRestTestHelper().getJsonAsList("truststore/" + name);
assertNotNull("details should not be null", trustStore);
- assertTrustStoreAttributes(trustStore.get(0), name, TestSSLConstants.TRUSTSTORE, true);
-
- //Update peersOnly to clear it (i.e go from from true to null, which will default to false)
- attributes = new HashMap<String, Object>();
- attributes.put(TrustStore.NAME, name);
- attributes.put(FileTrustStore.PEERS_ONLY, null);
-
- responseCode = getRestTestHelper().submitRequest("truststore/" + name , "PUT", attributes);
- assertEquals("Unexpected response code for trust store update", 200, responseCode);
-
- trustStore = getRestTestHelper().getJsonAsList("truststore/" + name);
- assertNotNull("details should not be null", trustStore);
-
assertTrustStoreAttributes(trustStore.get(0), name, TestSSLConstants.TRUSTSTORE, false);
}
- private List<Map<String, Object>> assertNumberOfTrustStores(int numberOfTrustStores) throws IOException,
- JsonParseException, JsonMappingException
+ private List<Map<String, Object>> assertNumberOfTrustStores(int numberOfTrustStores) throws Exception
{
List<Map<String, Object>> trustStores = getRestTestHelper().getJsonAsList("truststore");
assertNotNull("trust stores should not be null", trustStores);
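Review bot: `testUpdate` PUTs `path` = `TestSSLConstants.TRUSTSTORE`, the very store the object was created with two calls earlier, so the closing `assertTrustStoreAttributes(trustStore.get(0), name, TestSSLConstants.TRUSTSTORE, false)` passes even if the broker ignores the update entirely; point it at a different store — `attributes.put(FileTrustStore.PATH, TestSSLConstants.BROKER_TRUSTSTORE); attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.BROKER_TRUSTSTORE_PASSWORD);` — and assert the new path, or restore the `peersOnly` toggle this hunk removes. The same hunk also deletes `testDeleteFailsWhenTrustStoreInUse` and `testUpdateWithNonExistentPathFails`, leaving the 409 paths untested at the REST layer unless that coverage moved to the unit tests. As in the key-store test, `testCreateUsingDataUrl` asserts the whole store is echoed back in `path`; for a trust store that is public material, so less of a concern, but the two endpoints' treatment of data URLs should be decided together.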
@@ -234,17 +146,16 @@ public class TrustStoreRestTest extends QpidRestTestCase
return trustStores;
}
- private void createTrustStore(String name, boolean peersOnly) throws IOException, JsonGenerationException, JsonMappingException
+ private void createTrustStore(String name, boolean peersOnly, final String truststorePath, final String truststorePassword) throws Exception
{
Map<String, Object> trustStoreAttributes = new HashMap<String, Object>();
trustStoreAttributes.put(TrustStore.NAME, name);
//deliberately using the client trust store to differentiate from the one we are already for broker
- trustStoreAttributes.put(FileTrustStore.PATH, TestSSLConstants.TRUSTSTORE);
- trustStoreAttributes.put(FileTrustStore.PASSWORD, TestSSLConstants.TRUSTSTORE_PASSWORD);
+ trustStoreAttributes.put(FileTrustStore.PATH, truststorePath);
+ trustStoreAttributes.put(FileTrustStore.PASSWORD, truststorePassword);
trustStoreAttributes.put(FileTrustStore.PEERS_ONLY, peersOnly);
- int responseCode = getRestTestHelper().submitRequest("truststore/" + name, "PUT", trustStoreAttributes);
- assertEquals("Unexpected response code", 201, responseCode);
+ getRestTestHelper().submitRequest("truststore/" + name, "PUT", trustStoreAttributes, HttpServletResponse.SC_CREATED);
}
private void assertTrustStoreAttributes(Map<String, Object> truststore, String name, String path, boolean peersOnly)