broker-core/src/main/java/org/apache/qpid/server/transport/NonBlockingOutboundConnection.java

/*
 *
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 *
 */
package org.apache.qpid.server.transport;

import java.nio.channels.SocketChannel;
import java.security.GeneralSecurityException;
import java.util.ArrayList;
import java.util.Collection;

import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import org.apache.qpid.server.federation.OutboundProtocolEngine;
import org.apache.qpid.server.model.Container;
import org.apache.qpid.server.model.KeyStore;
import org.apache.qpid.server.model.RemoteHostAddress;
import org.apache.qpid.server.model.TrustStore;
import org.apache.qpid.server.model.port.AmqpPort;
import org.apache.qpid.server.plugin.OutboundProtocolEngineCreator;
import org.apache.qpid.server.plugin.QpidServiceLoader;
import org.apache.qpid.server.util.Action;
import org.apache.qpid.server.virtualhost.AbstractVirtualHost;
import org.apache.qpid.transport.network.security.ssl.QpidMultipleTrustManager;
import org.apache.qpid.transport.network.security.ssl.SSLUtil;

public class NonBlockingOutboundConnection extends NonBlockingConnection
{
    private static final Logger LOGGER = LoggerFactory.getLogger(NonBlockingOutboundConnection.class);

    private final AbstractVirtualHost<?> _virtualHost;
    private final RemoteHostAddress<?> _address;
    private final int _networkBufferSize;
    private final long _outboundMessageBufferLimit;
    private volatile boolean _connected;

    public NonBlockingOutboundConnection(SocketChannel socketChannel,
                                         final RemoteHostAddress<?> address,
                                         final NetworkConnectionScheduler networkConnectionScheduler,
                                         final AbstractVirtualHost<?> virtualHost,
                                         final Action<Boolean> onConnectionLoss)
    {
        super(socketChannel, createProtocolEngine(address, virtualHost), networkConnectionScheduler, address.getAddress()+":"+address.getPort());
        OutboundProtocolEngine protocolEngine = (OutboundProtocolEngine) getProtocolEngine();
        protocolEngine.setConnection(this);
        protocolEngine.setOnClosedTask(onConnectionLoss);
        _virtualHost = virtualHost;
        _address = address;
        _networkBufferSize = virtualHost.getAncestor(Container.class).getNetworkBufferSize();
        _outboundMessageBufferLimit = (long) virtualHost.getContextValue(Long.class,
                                                                   AmqpPort.PORT_AMQP_OUTBOUND_MESSAGE_BUFFER_SIZE);

        final NonBlockingConnectionDelegate delegate;
        switch(address.getTransport())
        {
            case TCP:
                delegate = new NonBlockingConnectionPlainDelegate(this, getNetworkBufferSize());
                break;
            case SSL:
                delegate = new NonBlockingConnectionTLSDelegate(this, getNetworkBufferSize(), createSSLEngine(address));
                break;
            default:
                throw new IllegalArgumentException("Transport '"+address.getTransport()+"' is not supported");
        }
        setDelegate(delegate);
    }

    private static ProtocolEngine createProtocolEngine(final RemoteHostAddress<?> address, final AbstractVirtualHost<?> virtualHost)
    {
        for(OutboundProtocolEngineCreator engineCreator : (new QpidServiceLoader()).instancesOf(OutboundProtocolEngineCreator.class))
        {
            if(engineCreator.getVersion().equals(address.getProtocol()))
            {
                return engineCreator.newProtocolEngine(address, virtualHost);
            }
        }

        return null;
    }


    @Override
    protected long getOutboundMessageBufferLimit()
    {
        return _outboundMessageBufferLimit;
    }

    @Override
    protected int getNetworkBufferSize()
    {
        return _networkBufferSize;
    }


    @Override
    public boolean wantsConnect()
    {
        return !_connected && !(_connected = getSocketChannel().isConnected());
    }

    static SSLEngine createSSLEngine(RemoteHostAddress<?> address)
    {
        SSLEngine sslEngine = createSslContext(address).createSSLEngine();
        sslEngine.setUseClientMode(true);
        SSLUtil.updateEnabledTlsProtocols(sslEngine, address.getTlsProtocolWhiteList(), address.getTlsProtocolBlackList());
        SSLUtil.updateEnabledCipherSuites(sslEngine, address.getTlsCipherSuiteWhiteList(), address.getTlsCipherSuiteBlackList());
        if(address.getTlsCipherSuiteWhiteList() != null && !address.getTlsCipherSuiteWhiteList().isEmpty())
        {
            SSLUtil.useCipherOrderIfPossible(sslEngine);
        }

        return sslEngine;
    }

    private static SSLContext createSslContext(RemoteHostAddress<?> address)
    {
        KeyStore keyStore = address.getKeyStore();
        Collection<TrustStore> trustStores = address.getTrustStores();

        try
        {
            SSLContext sslContext = SSLUtil.tryGetSSLContext();

            KeyManager[] keyManagers = keyStore.getKeyManagers();

            TrustManager[] trustManagers;
            if(trustStores == null || trustStores.isEmpty())
            {
                trustManagers = null;
            }
            else if(trustStores.size() == 1)
            {
                trustManagers = trustStores.iterator().next().getTrustManagers();
            }
            else
            {
                Collection<TrustManager> trustManagerList = new ArrayList<>();
                final QpidMultipleTrustManager mulTrustManager = new QpidMultipleTrustManager();

                for(TrustStore ts : trustStores)
                {
                    TrustManager[] managers = ts.getTrustManagers();
                    if(managers != null)
                    {
                        for(TrustManager manager : managers)
                        {
                            if(manager instanceof X509TrustManager)
                            {
                                mulTrustManager.addTrustManager((X509TrustManager)manager);
                            }
                            else
                            {
                                trustManagerList.add(manager);
                            }
                        }
                    }
                }
                if(!mulTrustManager.isEmpty())
                {
                    trustManagerList.add(mulTrustManager);
                }
                trustManagers = trustManagerList.toArray(new TrustManager[trustManagerList.size()]);
            }
            sslContext.init(keyManagers, trustManagers, null);

            return sslContext;

        }
        catch (GeneralSecurityException e)
        {
            throw new IllegalArgumentException("Unable to create SSLContext for key or trust store", e);
        }
    }

}