Google Git
Sign in
apache / qpid-broker-j / 9c6440805791e21b8c9d8982f6790b16763a593e / . / broker-core / src / test / java / org / apache / qpid / server / security / FileTrustStoreTest.java
blob: 9d184bed0ccd5ba9e0ad7d0b156017dffe61509a [file] [log] [blame]
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.qpid.server.security;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.when;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import org.apache.qpid.server.configuration.IllegalConfigurationException;
import org.apache.qpid.server.configuration.updater.CurrentThreadTaskExecutor;
import org.apache.qpid.server.configuration.updater.TaskExecutor;
import org.apache.qpid.server.logging.EventLogger;
import org.apache.qpid.server.model.AuthenticationProvider;
import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.model.BrokerModel;
import org.apache.qpid.server.model.ConfiguredObjectFactory;
import org.apache.qpid.server.model.IntegrityViolationException;
import org.apache.qpid.server.model.Model;
import org.apache.qpid.server.model.Port;
import org.apache.qpid.server.model.TrustStore;
import org.apache.qpid.server.security.auth.manager.SimpleLDAPAuthenticationManager;
import org.apache.qpid.server.transport.network.security.ssl.QpidPeersOnlyTrustManager;
import org.apache.qpid.server.transport.network.security.ssl.SSLUtil;
import org.apache.qpid.server.util.DataUrlUtils;
import org.apache.qpid.server.util.FileUtils;
import org.apache.qpid.test.utils.QpidTestCase;
import org.apache.qpid.test.utils.TestSSLConstants;
public class FileTrustStoreTest extends QpidTestCase
{
private final Broker _broker = mock(Broker.class);
private final TaskExecutor _taskExecutor = CurrentThreadTaskExecutor.newStartedInstance();
private final Model _model = BrokerModel.getInstance();
private final ConfiguredObjectFactory _factory = _model.getObjectFactory();
@Override
public void setUp() throws Exception
{
super.setUp();
when(_broker.getTaskExecutor()).thenReturn(_taskExecutor);
when(_broker.getChildExecutor()).thenReturn(_taskExecutor);
when(_broker.getModel()).thenReturn(_model);
when(_broker.getCategoryClass()).thenReturn(Broker.class);
when(_broker.getEventLogger()).thenReturn(new EventLogger());
when(_broker.getTypeClass()).thenReturn(Broker.class);
}
public void testCreateTrustStoreFromFile_Success() throws Exception
{
Map<String,Object> attributes = new HashMap<>();
attributes.put(FileTrustStore.NAME, "myFileTrustStore");
attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.TRUSTSTORE);
attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.TRUSTSTORE_PASSWORD);
TrustStore<?> fileTrustStore = _factory.create(TrustStore.class, attributes, _broker);
TrustManager[] trustManagers = fileTrustStore.getTrustManagers();
assertNotNull(trustManagers);
assertEquals("Unexpected number of trust managers", 1, trustManagers.length);
assertNotNull("Trust manager unexpected null", trustManagers[0]);
}
public void testCreateTrustStoreFromFile_WrongPassword() throws Exception
{
Map<String,Object> attributes = new HashMap<>();
attributes.put(FileTrustStore.NAME, "myFileTrustStore");
attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.TRUSTSTORE);
attributes.put(FileTrustStore.PASSWORD, "wrong");
try
{
_factory.create(TrustStore.class, attributes, _broker);
fail("Exception not thrown");
}
catch (IllegalConfigurationException ice)
{
String message = ice.getMessage();
assertTrue("Exception text not as unexpected:" + message, message.contains("Check trust store password"));
}
}
public void testCreatePeersOnlyTrustStoreFromFile_Success() throws Exception
{
Map<String,Object> attributes = new HashMap<>();
attributes.put(FileTrustStore.NAME, "myFileTrustStore");
attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.BROKER_PEERSTORE);
attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.BROKER_PEERSTORE_PASSWORD);
attributes.put(FileTrustStore.PEERS_ONLY, true);
TrustStore<?> fileTrustStore = _factory.create(TrustStore.class, attributes, _broker);
TrustManager[] trustManagers = fileTrustStore.getTrustManagers();
assertNotNull(trustManagers);
assertEquals("Unexpected number of trust managers", 1, trustManagers.length);
assertNotNull("Trust manager unexpected null", trustManagers[0]);
assertTrue("Trust manager unexpected null", trustManagers[0] instanceof QpidPeersOnlyTrustManager);
}
public void testUseOfExpiredTrustAnchorAllowed() throws Exception
{
Map<String,Object> attributes = new HashMap<>();
attributes.put(FileTrustStore.NAME, "myFileTrustStore");
attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.BROKER_EXPIRED_TRUSTSTORE);
attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.BROKER_TRUSTSTORE_PASSWORD);
TrustStore trustStore = _factory.create(TrustStore.class, attributes, _broker);
TrustManager[] trustManagers = trustStore.getTrustManagers();
assertNotNull(trustManagers);
assertEquals("Unexpected number of trust managers", 1, trustManagers.length);
assertTrue("Unexpected trust manager type",trustManagers[0] instanceof X509TrustManager);
X509TrustManager trustManager = (X509TrustManager) trustManagers[0];
KeyStore clientStore = SSLUtil.getInitializedKeyStore(TestSSLConstants.EXPIRED_KEYSTORE,
TestSSLConstants.KEYSTORE_PASSWORD,
KeyStore.getDefaultType());
String alias = clientStore.aliases().nextElement();
X509Certificate certificate = (X509Certificate) clientStore.getCertificate(alias);
trustManager.checkClientTrusted(new X509Certificate[] {certificate}, "NULL");
}
public void testUseOfExpiredTrustAnchorDenied() throws Exception
{
Map<String,Object> attributes = new HashMap<>();
attributes.put(FileTrustStore.NAME, "myFileTrustStore");
attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.BROKER_EXPIRED_TRUSTSTORE);
attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.BROKER_TRUSTSTORE_PASSWORD);
attributes.put(FileTrustStore.TRUST_ANCHOR_VALIDITY_ENFORCED, true);
TrustStore trustStore = _factory.create(TrustStore.class, attributes, _broker);
TrustManager[] trustManagers = trustStore.getTrustManagers();
assertNotNull(trustManagers);
assertEquals("Unexpected number of trust managers", 1, trustManagers.length);
assertTrue("Unexpected trust manager type",trustManagers[0] instanceof X509TrustManager);
X509TrustManager trustManager = (X509TrustManager) trustManagers[0];
KeyStore clientStore = SSLUtil.getInitializedKeyStore(TestSSLConstants.EXPIRED_KEYSTORE,
TestSSLConstants.KEYSTORE_PASSWORD,
KeyStore.getDefaultType());
String alias = clientStore.aliases().nextElement();
X509Certificate certificate = (X509Certificate) clientStore.getCertificate(alias);
try
{
trustManager.checkClientTrusted(new X509Certificate[] {certificate}, "NULL");
fail("Exception not thrown");
}
catch (CertificateException e)
{
if (e instanceof CertificateExpiredException || "Certificate expired".equals(e.getMessage()))
{
// IBMJSSE2 does not throw CertificateExpiredException, it throws a CertificateException
// PASS
}
else
{
throw e;
}
}
}
public void testCreateTrustStoreFromDataUrl_Success() throws Exception
{
String trustStoreAsDataUrl = createDataUrlForFile(TestSSLConstants.TRUSTSTORE);
Map<String,Object> attributes = new HashMap<>();
attributes.put(FileTrustStore.NAME, "myFileTrustStore");
attributes.put(FileTrustStore.STORE_URL, trustStoreAsDataUrl);
attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.TRUSTSTORE_PASSWORD);
TrustStore<?> fileTrustStore = _factory.create(TrustStore.class, attributes, _broker);
TrustManager[] trustManagers = fileTrustStore.getTrustManagers();
assertNotNull(trustManagers);
assertEquals("Unexpected number of trust managers", 1, trustManagers.length);
assertNotNull("Trust manager unexpected null", trustManagers[0]);
}
public void testCreateTrustStoreFromDataUrl_WrongPassword() throws Exception
{
String trustStoreAsDataUrl = createDataUrlForFile(TestSSLConstants.TRUSTSTORE);
Map<String,Object> attributes = new HashMap<>();
attributes.put(FileTrustStore.NAME, "myFileTrustStore");
attributes.put(FileTrustStore.PASSWORD, "wrong");
attributes.put(FileTrustStore.STORE_URL, trustStoreAsDataUrl);
try
{
_factory.create(TrustStore.class, attributes, _broker);
fail("Exception not thrown");
}
catch (IllegalConfigurationException ice)
{
String message = ice.getMessage();
assertTrue("Exception text not as unexpected:" + message, message.contains("Check trust store password"));
}
}
public void testCreateTrustStoreFromDataUrl_BadTruststoreBytes() throws Exception
{
String trustStoreAsDataUrl = DataUrlUtils.getDataUrlForBytes("notatruststore".getBytes());
Map<String,Object> attributes = new HashMap<>();
attributes.put(FileTrustStore.NAME, "myFileTrustStore");
attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.TRUSTSTORE_PASSWORD);
attributes.put(FileTrustStore.STORE_URL, trustStoreAsDataUrl);
try
{
_factory.create(TrustStore.class, attributes, _broker);
fail("Exception not thrown");
}
catch (IllegalConfigurationException ice)
{
String message = ice.getMessage();
assertTrue("Exception text not as unexpected:" + message, message.contains("Cannot instantiate trust store"));
}
}
public void testUpdateTrustStore_Success() throws Exception
{
Map<String,Object> attributes = new HashMap<>();
attributes.put(FileTrustStore.NAME, "myFileTrustStore");
attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.TRUSTSTORE);
attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.TRUSTSTORE_PASSWORD);
FileTrustStore<?> fileTrustStore = (FileTrustStore<?>) _factory.create(TrustStore.class, attributes, _broker);
assertEquals("Unexpected path value before change", TestSSLConstants.TRUSTSTORE, fileTrustStore.getStoreUrl());
try
{
Map<String,Object> unacceptableAttributes = new HashMap<>();
unacceptableAttributes.put(FileTrustStore.STORE_URL, "/not/a/truststore");
fileTrustStore.setAttributes(unacceptableAttributes);
fail("Exception not thrown");
}
catch (IllegalConfigurationException ice)
{
String message = ice.getMessage();
assertTrue("Exception text not as unexpected:" + message, message.contains("Cannot instantiate trust store"));
}
assertEquals("Unexpected path value after failed change", TestSSLConstants.TRUSTSTORE, fileTrustStore.getStoreUrl());
Map<String,Object> changedAttributes = new HashMap<>();
changedAttributes.put(FileTrustStore.STORE_URL, TestSSLConstants.BROKER_TRUSTSTORE);
changedAttributes.put(FileTrustStore.PASSWORD, TestSSLConstants.BROKER_TRUSTSTORE_PASSWORD);
fileTrustStore.setAttributes(changedAttributes);
assertEquals("Unexpected path value after change that is expected to be successful",
TestSSLConstants.BROKER_TRUSTSTORE,
fileTrustStore.getStoreUrl());
}
public void testDeleteTrustStore_Success() throws Exception
{
Map<String,Object> attributes = new HashMap<>();
attributes.put(FileTrustStore.NAME, "myFileTrustStore");
attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.TRUSTSTORE);
attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.TRUSTSTORE_PASSWORD);
TrustStore<?> fileTrustStore = _factory.create(TrustStore.class, attributes, _broker);
fileTrustStore.delete();
}
public void testDeleteTrustStore_TrustManagerInUseByAuthProvider() throws Exception
{
Map<String,Object> attributes = new HashMap<>();
attributes.put(FileTrustStore.NAME, "myFileTrustStore");
attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.TRUSTSTORE);
attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.TRUSTSTORE_PASSWORD);
TrustStore<?> fileTrustStore = _factory.create(TrustStore.class, attributes, _broker);
SimpleLDAPAuthenticationManager ldap = mock(SimpleLDAPAuthenticationManager.class);
when(ldap.getTrustStore()).thenReturn(fileTrustStore);
Collection<AuthenticationProvider<?>> authenticationProviders = Collections.<AuthenticationProvider<?>>singletonList(ldap);
when(_broker.getAuthenticationProviders()).thenReturn(authenticationProviders);
try
{
fileTrustStore.delete();
fail("Exception not thrown");
}
catch (IntegrityViolationException ive)
{
// PASS
}
}
public void testDeleteTrustStore_TrustManagerInUseByPort() throws Exception
{
Map<String,Object> attributes = new HashMap<>();
attributes.put(FileTrustStore.NAME, "myFileTrustStore");
attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.TRUSTSTORE);
attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.TRUSTSTORE_PASSWORD);
TrustStore<?> fileTrustStore = _factory.create(TrustStore.class, attributes, _broker);
Port<?> port = mock(Port.class);
when(port.getTrustStores()).thenReturn(Collections.<TrustStore>singletonList(fileTrustStore));
when(_broker.getPorts()).thenReturn(Collections.<Port<?>>singletonList(port));
try
{
fileTrustStore.delete();
fail("Exception not thrown");
}
catch (IntegrityViolationException ive)
{
// PASS
}
}
private static String createDataUrlForFile(String filename)
{
byte[] fileAsBytes = FileUtils.readFileAsBytes(filename);
return DataUrlUtils.getDataUrlForBytes(fileAsBytes);
}
}