QPID-8499: [Broker-J] Prevent use of SiteSpecificTrustStore for mutual authentication
diff --git a/broker-core/src/main/java/org/apache/qpid/server/model/port/AbstractPort.java b/broker-core/src/main/java/org/apache/qpid/server/model/port/AbstractPort.java
index 6946120..55098f4 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/model/port/AbstractPort.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/model/port/AbstractPort.java
@@ -39,6 +39,7 @@
import org.apache.qpid.server.logging.messages.PortMessages;
import org.apache.qpid.server.model.*;
import org.apache.qpid.server.security.ManagedPeerCertificateTrustStore;
+import org.apache.qpid.server.security.SiteSpecificTrustStore;
import org.apache.qpid.server.security.SubjectCreator;
import org.apache.qpid.server.util.ParameterizedTypes;
import org.apache.qpid.server.util.PortUtil;
@@ -184,6 +185,11 @@
throw new IllegalConfigurationException("Only trust stores of type " + ManagedPeerCertificateTrustStore.TYPE_NAME + " may be used as the client certificate recorder");
}
}
+ if (getTrustStores() != null && getTrustStores().stream().anyMatch(t -> t instanceof SiteSpecificTrustStore))
+ {
+ throw new IllegalConfigurationException(
+ "Can't use trust store of type SiteSpecificTrustStore for the mutual authentication.");
+ }
}
private void validateAuthenticationMechanisms(final AuthenticationProvider<?> authenticationProvider,
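Review bot: The new guard on the added `if` rejects any SiteSpecificTrustStore listed in trustStores regardless of whether the port actually requests client certificates; the enclosing method starts above the hunk, so if it is not already reached only for needClientAuth/wantClientAuth, a plain TLS port that merely names a SiteSpecificTrustStore would now fail validation even though the message speaks of mutual authentication. If that is the case, gate the check on the client-auth attributes: `if ((getNeedClientAuth() || getWantClientAuth()) && getTrustStores() != null && getTrustStores().stream().anyMatch(t -> t instanceof SiteSpecificTrustStore))`. The message would also help an operator more if it named the offending store (its `getName()` is available from the matching element) and used the type-name constant the way the check above it uses `ManagedPeerCertificateTrustStore.TYPE_NAME`, assuming SiteSpecificTrustStore exposes one; "for the mutual authentication" also reads better as "for mutual authentication".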
diff --git a/broker-core/src/test/java/org/apache/qpid/server/model/port/AmqpPortImplTest.java b/broker-core/src/test/java/org/apache/qpid/server/model/port/AmqpPortImplTest.java
index 4775334..df46bda 100644
--- a/broker-core/src/test/java/org/apache/qpid/server/model/port/AmqpPortImplTest.java
+++ b/broker-core/src/test/java/org/apache/qpid/server/model/port/AmqpPortImplTest.java
@@ -60,6 +60,7 @@
import org.apache.qpid.server.model.SystemConfig;
import org.apache.qpid.server.model.Transport;
import org.apache.qpid.server.model.TrustStore;
+import org.apache.qpid.server.security.SiteSpecificTrustStore;
import org.apache.qpid.test.utils.UnitTestBase;
public class AmqpPortImplTest extends UnitTestBase
@@ -166,6 +167,32 @@
}
@Test
+ public void testCreateTlsClientAuthUsingSiteTrustStore()
+ {
+ final String trustStoreName = "siteSpecificTrustStore";
+ final SiteSpecificTrustStore<?> trustStore = mock(SiteSpecificTrustStore.class);
+ when(trustStore.getName()).thenReturn(trustStoreName);
+ when(trustStore.getParent()).thenReturn(_broker);
+ when(_broker.getChildren(TrustStore.class)).thenReturn(Collections.singleton(trustStore));
+
+ Map<String, Object> attributes = new HashMap<>();
+ attributes.put(AmqpPort.TRANSPORTS, Collections.singletonList(Transport.SSL));
+ attributes.put(AmqpPort.KEY_STORE, KEYSTORE_NAME);
+ attributes.put(AmqpPort.TRUST_STORES, Collections.singletonList(trustStoreName));
+ attributes.put(AmqpPort.NEED_CLIENT_AUTH, "true");
+
+ try
+ {
+ createPort(getTestName(), attributes);
+ fail("Exception not thrown");
+ }
+ catch (IllegalConfigurationException e)
+ {
+ // pass
+ }
+ }
+
+ @Test
public void testTlsWithoutKeyStore()
{
try
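Review bot: The catch block in testCreateTlsClientAuthUsingSiteTrustStore accepts any IllegalConfigurationException without inspecting it, so an unrelated port validation failure would make the test pass for the wrong reason; assert on the message, e.g. `assertTrue(e.getMessage().contains("SiteSpecificTrustStore"));` (assuming the same static import that provides `fail`). Only the needClientAuth mode is exercised; a sibling case setting `AmqpPort.WANT_CLIENT_AUTH` to "true" would cover the other mutual-authentication mode, and a positive case showing that a SiteSpecificTrustStore is still accepted when neither client-auth attribute is set would pin the intended scope of the new guard. A `// pass` comment in an empty catch is the file's existing style, so that part is fine as written.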