From 4980740656ea0886615dc1b9f0b00fa12ae2fd0d Mon Sep 17 00:00:00 2001
From: Robert Godfrey
Date: Wed, 6 Jun 2012 10:47:13 +0000
Subject: QPID-4042 : [Java Broker] Add SSL Client Auth support
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@1346817 13f79535-47bb-0310-9956-ffa450edef68
---
 .../transport/NetworkTransportConfiguration.java | 22 ++++++++++--------
 .../org/apache/qpid/transport/ServerDelegate.java | 4 ++--
 .../qpid/transport/network/NetworkConnection.java | 10 ++++++---
 .../transport/network/io/IoNetworkConnection.java | 26 ++++++++++++++++------
 .../transport/network/io/IoNetworkTransport.java | 23 +++++++++++++++++--
 .../qpid/transport/TestNetworkConnection.java | 12 ++++++++++
 6 files changed, 74 insertions(+), 23 deletions(-)
(limited to 'java/common')
diff --git a/java/common/src/main/java/org/apache/qpid/transport/NetworkTransportConfiguration.java b/java/common/src/main/java/org/apache/qpid/transport/NetworkTransportConfiguration.java
index 472beb6bb1..20d6f98fa6 100644
--- a/java/common/src/main/java/org/apache/qpid/transport/NetworkTransportConfiguration.java
+++ b/java/common/src/main/java/org/apache/qpid/transport/NetworkTransportConfiguration.java
@@ -25,17 +25,17 @@ import java.net.InetSocketAddress;
 /**
 * This interface provides a means for NetworkDrivers to configure TCP options such as incoming and outgoing
 * buffer sizes and set particular options on the socket. NetworkDrivers should honour the values returned
- * from here if the underlying implementation supports them.
- */
-public interface NetworkTransportConfiguration
-{
- // Taken from Socket
- Boolean getTcpNoDelay();
+ * from here if the underlying implementation supports them.
+ */
+public interface NetworkTransportConfiguration
+{
+ // Taken from Socket
+ Boolean getTcpNoDelay();
- // The amount of memory in bytes to allocate to the incoming buffer
- Integer getReceiveBufferSize();
+ // The amount of memory in bytes to allocate to the incoming buffer
+ Integer getReceiveBufferSize();
- // The amount of memory in bytes to allocate to the outgoing buffer
+ // The amount of memory in bytes to allocate to the outgoing buffer
 Integer getSendBufferSize();
 Integer getPort();
@@ -47,4 +47,8 @@ public interface NetworkTransportConfiguration
 Integer getConnectorProcessors();
 InetSocketAddress getAddress();
+
+ boolean needClientAuth();
+
+ boolean wantClientAuth();
 }
diff --git a/java/common/src/main/java/org/apache/qpid/transport/ServerDelegate.java b/java/common/src/main/java/org/apache/qpid/transport/ServerDelegate.java
index ec409d1c72..e9a7d51456 100644
--- a/java/common/src/main/java/org/apache/qpid/transport/ServerDelegate.java
+++ b/java/common/src/main/java/org/apache/qpid/transport/ServerDelegate.java
@@ -78,7 +78,7 @@ public class ServerDelegate extends ConnectionDelegate
 try
 {
- SaslServer ss = createSaslServer(mechanism);
+ SaslServer ss = createSaslServer(conn, mechanism);
 if (ss == null)
 {
 conn.connectionClose(ConnectionCloseCode.CONNECTION_FORCED,
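Review bot: `needClientAuth()` and `wantClientAuth()` enter the `NetworkTransportConfiguration` interface with no Javadoc, and the difference between them is exactly the security property an implementer has to get right: one makes the handshake fail when the client presents no certificate, the other only requests one. I would add `/** True if the TLS handshake must fail when the client presents no certificate (maps to SSLServerSocket.setNeedClientAuth). */` on the first and `/** True if a client certificate should be requested but not required (maps to SSLServerSocket.setWantClientAuth); expected to be ignored when needClientAuth() is true. */` on the second. The "ignored when need is true" precedence is what JSSE's mutually exclusive setters imply rather than something this interface enforces, so it should be checked against whichever transport consumes these flags. The interface declaration begins before this hunk.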
@@ -94,7 +94,7 @@ public class ServerDelegate extends ConnectionDelegate
 }
 }
- protected SaslServer createSaslServer(String mechanism)
+ protected SaslServer createSaslServer(Connection conn, String mechanism)
 throws SaslException
 {
 SaslServer ss = Sasl.createSaslServer(mechanism, "AMQP", "localhost", null, null);
diff --git a/java/common/src/main/java/org/apache/qpid/transport/network/NetworkConnection.java b/java/common/src/main/java/org/apache/qpid/transport/network/NetworkConnection.java
index 2cc7c14f00..12c42d6643 100644
--- a/java/common/src/main/java/org/apache/qpid/transport/network/NetworkConnection.java
+++ b/java/common/src/main/java/org/apache/qpid/transport/network/NetworkConnection.java
@@ -20,10 +20,10 @@
 */
 package org.apache.qpid.transport.network;
-import org.apache.qpid.transport.Sender;
-
 import java.net.SocketAddress;
 import java.nio.ByteBuffer;
+import java.security.Principal;
+import org.apache.qpid.transport.Sender;
 public interface NetworkConnection
 {
@@ -46,4 +46,8 @@ public interface NetworkConnection
 void setMaxWriteIdle(int sec);
 void setMaxReadIdle(int sec);
-}
\ No newline at end of file
+
+ void setPeerPrincipal(Principal principal);
+
+ Principal getPeerPrincipal();
+}
diff --git a/java/common/src/main/java/org/apache/qpid/transport/network/io/IoNetworkConnection.java b/java/common/src/main/java/org/apache/qpid/transport/network/io/IoNetworkConnection.java
index 4046691779..2658296c5f 100644
--- a/java/common/src/main/java/org/apache/qpid/transport/network/io/IoNetworkConnection.java
+++ b/java/common/src/main/java/org/apache/qpid/transport/network/io/IoNetworkConnection.java
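Review bot: The new `conn` parameter of `createSaslServer` is not referenced by the default implementation visible here, which still constructs the server with the hard-coded `"localhost"` name, so a reader cannot tell from this method why it exists or what an override is expected to do with it. A Javadoc line such as `@param conn the connection being authenticated; overriding delegates may use it to reach transport-level state such as the peer principal supplied by the network layer` would record the intent, which I am inferring from the NetworkConnection changes elsewhere in this commit rather than from this hunk. The method body continues past the end of the hunk.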
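Review bot: `getPeerPrincipal()` joins the public `NetworkConnection` contract without saying when it returns null, and `setPeerPrincipal` lets any holder of the connection assert a peer identity, which is a security-relevant contract that deserves to be written down. I would add on the getter `/** Identity of the remote peer as established by the transport (for TLS, the subject of the verified client certificate), or null if the peer was not authenticated at the transport level. */`, and on the setter a sentence stating that it is intended for the transport implementation, to be called before the connection is handed to a protocol engine, and not for protocol-level code. Which conditions actually yield null is decided by the implementations, not by this interface, so confirm the wording against the transport in this commit.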
@@ -20,16 +20,15 @@
 */
 package org.apache.qpid.transport.network.io;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import org.apache.qpid.transport.Receiver;
-import org.apache.qpid.transport.Sender;
-import org.apache.qpid.transport.network.NetworkConnection;
-
 import java.net.Socket;
 import java.net.SocketAddress;
 import java.nio.ByteBuffer;
+import java.security.Principal;
+import org.apache.qpid.transport.Receiver;
+import org.apache.qpid.transport.Sender;
+import org.apache.qpid.transport.network.NetworkConnection;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 public class IoNetworkConnection implements NetworkConnection
 {
@@ -38,6 +37,7 @@ public class IoNetworkConnection implements NetworkConnection
 private final long _timeout;
 private final IoSender _ioSender;
 private final IoReceiver _ioReceiver;
+ private Principal _principal;
 public IoNetworkConnection(Socket socket, Receiver delegate, int sendBufferSize, int receiveBufferSize, long timeout)
@@ -97,4 +97,16 @@ public class IoNetworkConnection implements NetworkConnection
 // TODO implement support for setting heartbeating config in this way
 // Currently a socket timeout is used in IoSender
 }
+
+ @Override
+ public void setPeerPrincipal(Principal principal)
+ {
+ _principal = principal;
+ }
+
+ @Override
+ public Principal getPeerPrincipal()
+ {
+ return _principal;
+ }
 }
diff --git a/java/common/src/main/java/org/apache/qpid/transport/network/io/IoNetworkTransport.java b/java/common/src/main/java/org/apache/qpid/transport/network/io/IoNetworkTransport.java
index 42c8334a5d..56f6989aae 100644
--- a/java/common/src/main/java/org/apache/qpid/transport/network/io/IoNetworkTransport.java
+++ b/java/common/src/main/java/org/apache/qpid/transport/network/io/IoNetworkTransport.java
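Review bot: `setPeerPrincipal` and `getPeerPrincipal` are bare accessors over the non-final, non-volatile `_principal` field added in the earlier hunk of this file, so visibility of the value to the thread that eventually reads it rests entirely on the caller setting it before any reader thread exists; the transport in this commit does set it before `connection.start()`, but nothing here documents that requirement. I would state it on the getter: `/** Peer identity supplied by the transport through setPeerPrincipal, or null if the peer was not authenticated; must be set before start() so the receiver sees it. */`, and if the value may be read from a thread other than the one that set it, declare the field as `private volatile Principal _principal;`. The hunk opens inside an earlier method of the class and closes with the class brace.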
@@ -27,10 +27,12 @@ import java.net.ServerSocket;
 import java.net.Socket;
 import java.net.SocketException;
 import java.nio.ByteBuffer;
-
+import java.security.Principal;
 import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLPeerUnverifiedException;
+import javax.net.ssl.SSLServerSocket;
 import javax.net.ssl.SSLServerSocketFactory;
-
+import javax.net.ssl.SSLSocket;
 import org.apache.qpid.protocol.ProtocolEngine;
 import org.apache.qpid.protocol.ProtocolEngineFactory;
 import org.apache.qpid.transport.ConnectionSettings;
@@ -167,6 +169,9 @@ public class IoNetworkTransport implements OutgoingNetworkTransport, IncomingNet
 {
 SSLServerSocketFactory socketFactory = _sslContext.getServerSocketFactory();
 _serverSocket = socketFactory.createServerSocket();
+ ((SSLServerSocket)_serverSocket).setNeedClientAuth(config.needClientAuth());
+ ((SSLServerSocket)_serverSocket).setWantClientAuth(config.wantClientAuth());
+
 }
 _serverSocket.setReuseAddress(true);
@@ -216,10 +221,24 @@ public class IoNetworkTransport implements OutgoingNetworkTransport, IncomingNet
 socket.setSendBufferSize(sendBufferSize);
 socket.setReceiveBufferSize(receiveBufferSize);
+
 ProtocolEngine engine = _factory.newProtocolEngine();
 NetworkConnection connection = new IoNetworkConnection(socket, engine, sendBufferSize, receiveBufferSize, _timeout);
+ if(_sslContext != null)
+ {
+ try
+ {
+ Principal peerPrincipal = ((SSLSocket) socket).getSession().getPeerPrincipal();
+ connection.setPeerPrincipal(peerPrincipal);
+ }
+ catch(SSLPeerUnverifiedException e)
+ {
+ // ignore
+ }
+ }
+
 engine.setNetworkConnection(connection, connection.getSender());
 connection.start();
diff --git a/java/common/src/test/java/org/apache/qpid/transport/TestNetworkConnection.java b/java/common/src/test/java/org/apache/qpid/transport/TestNetworkConnection.java
index 548e8dab12..893f66c5ff 100644
--- a/java/common/src/test/java/org/apache/qpid/transport/TestNetworkConnection.java
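Review bot: Calling `setNeedClientAuth(config.needClientAuth())` and then `setWantClientAuth(config.wantClientAuth())` on the SSLServerSocket cannot enforce client authentication, because in JSSE each of those two setters overrides the other: the second call leaves the socket in want-mode (or in neither mode when `wantClientAuth()` is false), so a broker configured with needClientAuth=true still completes the handshake with a client that presents no certificate. Apply only the stronger setting, e.g. `SSLServerSocket ss = (SSLServerSocket) _serverSocket;`, `if (config.needClientAuth()) { ss.setNeedClientAuth(true); }`, `else if (config.wantClientAuth()) { ss.setWantClientAuth(true); }`. A one-line comment that need and want are mutually exclusive on SSLServerSocket would keep the next reader from restoring the two-call form. The enclosing method starts and ends outside the hunk.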
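Review bot: The `catch(SSLPeerUnverifiedException e) { // ignore }` silently leaves the peer principal null; that is the intended outcome when the client sent no certificate or one the trust manager rejected in want-mode, but the comment should say so and the event deserves a debug-level record because this is the only place the broker learns the peer was not authenticated. I would replace the comment with `// No verified client certificate (plain TLS, or a want-mode client without one): leave the peer unauthenticated.` and add a debug log carrying `socket.getRemoteSocketAddress()` if this class has a logger, which the hunk does not show. Note also that `SSLSocket.getSession()` runs the TLS handshake if it has not happened yet, so if this code executes on the accepting thread (the surrounding method suggests so, but its start is outside the hunk) one client's slow handshake delays every other accept; as far as I can tell a failed handshake does not throw here either, it surfaces on the first read, so a null principal is not a reliable sign that need-mode was satisfied. The enclosing method begins and ends outside the hunk.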
+++ b/java/common/src/test/java/org/apache/qpid/transport/TestNetworkConnection.java
@@ -20,6 +20,7 @@
 */
 package org.apache.qpid.transport;
+import java.security.Principal;
 import org.apache.qpid.protocol.ProtocolEngineFactory;
 import org.apache.qpid.ssl.SSLContextFactory;
 import org.apache.qpid.transport.network.NetworkConnection;
@@ -71,6 +72,17 @@ public class TestNetworkConnection implements NetworkConnection
 }
+ @Override
+ public void setPeerPrincipal(Principal principal)
+ {
+ }
+
+ @Override
+ public Principal getPeerPrincipal()
+ {
+ return null;
+ }
+
 public void setMaxWriteIdle(int idleTime)
 {
--
cgit v1.2.1