broker-core/src/test/java/org/apache/qpid/server/security/SiteSpecificTrustStoreTest.java - qpid-jms-amqp-0-x - Git at Google

 /*
  *
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
  *   http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing,
  * software distributed under the License is distributed on an
  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  * KIND, either express or implied.  See the License for the
  * specific language governing permissions and limitations
  * under the License.
  *
  */
 package org.apache.qpid.server.security;


 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;

 import java.io.Closeable;
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.ServerSocket;
 import java.net.Socket;
 import java.security.KeyStore;
 import java.security.SecureRandom;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Executors;
 import java.util.concurrent.atomic.AtomicBoolean;

 import javax.net.ssl.KeyManager;
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLServerSocketFactory;

 import org.apache.qpid.server.configuration.IllegalConfigurationException;
 import org.apache.qpid.server.configuration.updater.CurrentThreadTaskExecutor;
 import org.apache.qpid.server.configuration.updater.TaskExecutor;
 import org.apache.qpid.server.logging.EventLogger;
 import org.apache.qpid.server.model.Broker;
 import org.apache.qpid.server.model.BrokerModel;
 import org.apache.qpid.server.model.ConfiguredObjectFactory;
 import org.apache.qpid.server.model.Model;
 import org.apache.qpid.server.model.TrustStore;
 import org.apache.qpid.test.utils.QpidTestCase;
 import org.apache.qpid.test.utils.TestSSLConstants;

 public class SiteSpecificTrustStoreTest extends QpidTestCase
 {
     private static final String EXPECTED_SUBJECT = "CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown";
     private static final String EXPECTED_ISSUER = "CN=MyRootCA, O=ACME, ST=Ontario, C=CA";
     private final Broker<?> _broker = mock(Broker.class);
     private final TaskExecutor _taskExecutor = CurrentThreadTaskExecutor.newStartedInstance();
     private final Model _model = BrokerModel.getInstance();
     private final ConfiguredObjectFactory _factory = _model.getObjectFactory();
     private TestPeer _testPeer;

     @Override
     public void setUp() throws Exception
     {
         super.setUp();
         int connectTimeout = Integer.getInteger("SiteSpecificTrustStoreTest.connectTimeout", 100);
         int readTimeout = Integer.getInteger("SiteSpecificTrustStoreTest.readTimeout", 100);
         setTestSystemProperty(SiteSpecificTrustStore.TRUST_STORE_SITE_SPECIFIC_CONNECT_TIMEOUT, String.valueOf(connectTimeout));
         setTestSystemProperty(SiteSpecificTrustStore.TRUST_STORE_SITE_SPECIFIC_READ_TIMEOUT, String.valueOf(readTimeout));

         when(_broker.getTaskExecutor()).thenReturn(_taskExecutor);
         when(_broker.getChildExecutor()).thenReturn(_taskExecutor);
         when(_broker.getModel()).thenReturn(_model);
         when(_broker.getEventLogger()).thenReturn(new EventLogger());
         when(((Broker) _broker).getCategoryClass()).thenReturn(Broker.class);
     }

     @Override
     public void tearDown() throws Exception
     {
         try
         {
             super.tearDown();
         }
         finally
         {
             if (_testPeer != null)
             {
                 _testPeer.close();
             }
         }
     }

     public void testMalformedSiteUrl() throws Exception
     {
         Map<String,Object> attributes = new HashMap<>();
         attributes.put(SiteSpecificTrustStore.NAME, "mySiteSpecificTrustStore");
         attributes.put(SiteSpecificTrustStore.TYPE, "SiteSpecificTrustStore");
         attributes.put("siteUrl", "notaurl:541");

         try
         {
             _factory.create(TrustStore.class, attributes, _broker);
             fail("Exception not thrown");
         }
         catch (IllegalConfigurationException e)
         {
             // PASS
         }
     }

     public void testSiteUrlDoesNotSupplyHostPort() throws Exception
     {
         Map<String,Object> attributes = new HashMap<>();
         attributes.put(SiteSpecificTrustStore.NAME, "mySiteSpecificTrustStore");
         attributes.put(SiteSpecificTrustStore.TYPE, "SiteSpecificTrustStore");
         attributes.put("siteUrl", "file:/not/a/host");

         try
         {
             _factory.create(TrustStore.class, attributes, _broker);
             fail("Exception not thrown");
         }
         catch (IllegalConfigurationException e)
         {
             // PASS
         }
     }

     public void testUnresponsiveSite() throws Exception
     {
         _testPeer = new TestPeer();
         _testPeer.setAccept(false);
         int listeningPort = _testPeer.start();

         Map<String, Object> attributes = getTrustStoreAttributes(listeningPort);

         try
         {
             _factory.create(TrustStore.class, attributes, _broker);
             fail("Exception not thrown");
         }
         catch (IllegalConfigurationException e)
         {
             // PASS
         }
     }

     public void testValidSiteUrl() throws Exception
     {
         _testPeer = new TestPeer();
         int listeningPort = _testPeer.start();

         Map<String, Object> attributes = getTrustStoreAttributes(listeningPort);

         final SiteSpecificTrustStore trustStore =
                 (SiteSpecificTrustStore) _factory.create(TrustStore.class, attributes, _broker);

         assertEquals("Unexpected certificate subject", EXPECTED_SUBJECT, trustStore.getCertificateSubject());
         assertEquals("Unexpected certificate issuer", EXPECTED_ISSUER, trustStore.getCertificateIssuer());
     }

     public void testRefreshCertificate() throws Exception
     {
         _testPeer = new TestPeer();
         int listeningPort = _testPeer.start();

         Map<String, Object> attributes = getTrustStoreAttributes(listeningPort);

         final SiteSpecificTrustStore trustStore =
                 (SiteSpecificTrustStore) _factory.create(TrustStore.class, attributes, _broker);

         assertEquals("Unexpected certificate subject", EXPECTED_SUBJECT, trustStore.getCertificateSubject());
         assertEquals("Unexpected certificate issuer", EXPECTED_ISSUER, trustStore.getCertificateIssuer());

         trustStore.refreshCertificate();

         assertEquals("Unexpected certificate subject", EXPECTED_SUBJECT, trustStore.getCertificateSubject());
         assertEquals("Unexpected certificate issuer", EXPECTED_ISSUER, trustStore.getCertificateIssuer());
     }

     private Map<String, Object> getTrustStoreAttributes(final int listeningPort)
     {
         Map<String,Object> attributes = new HashMap<>();
         attributes.put(SiteSpecificTrustStore.NAME, "mySiteSpecificTrustStore");
         attributes.put(SiteSpecificTrustStore.TYPE, "SiteSpecificTrustStore");
         attributes.put("siteUrl", String.format("https://localhost:%d", listeningPort));
         return attributes;
     }

     private class TestPeer implements Closeable
     {
         private final ExecutorService _socketAcceptExecutor = Executors.newSingleThreadExecutor();
         private ServerSocket _serverSocket;
         private final AtomicBoolean _shutdown = new AtomicBoolean();
         private boolean _accept = true;

         public void setAccept(final boolean accept)
         {
             _accept = accept;
         }

         public int start() throws Exception
         {
             _serverSocket = createTestSSLServerSocket();
             if (_accept)
             {
                 _socketAcceptExecutor.execute(new AcceptingRunnable());
             }

             return _serverSocket.getLocalPort();
         }

         @Override
         public void close() throws IOException
         {
             _shutdown.set(true);
             try
             {
                 if (_serverSocket != null)
                 {
                     _serverSocket.close();
                 }
             }
             finally
             {
                 _socketAcceptExecutor.shutdown();
             }
         }

         private ServerSocket createTestSSLServerSocket() throws Exception
         {
             char[] keyPassword = TestSSLConstants.KEYSTORE_PASSWORD.toCharArray();
             try(InputStream inputStream = getClass().getResourceAsStream("/java_broker_keystore.jks"))
             {
                 KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
                 KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
                 keyStore.load(inputStream, keyPassword);
                 keyManagerFactory.init(keyStore, keyPassword);
                 KeyManager keyManagers[] = keyManagerFactory.getKeyManagers();
                 SSLContext sslContext = SSLContext.getInstance("SSL");
                 sslContext.init(keyManagers, null, new SecureRandom());
                 SSLServerSocketFactory socketFactory = sslContext.getServerSocketFactory();
                 ServerSocket serverSocket = socketFactory.createServerSocket(0);
                 serverSocket.setSoTimeout(100);

                 return serverSocket;
             }
         }

         private class AcceptingRunnable implements Runnable
         {
             @Override
             public void run()
             {
                 do
                 {
                     try (Socket sock = _serverSocket.accept())
                     {
                         final InputStream inputStream = sock.getInputStream();
                         while (inputStream.read() != -1)
                         {
                         }
                     }
                     catch (IOException e)
                     {
                         // Ignore
                     }
                 }
                 while (!_shutdown.get());
             }
         }
     }
 }
	/*
	*
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing,
	* software distributed under the License is distributed on an
	* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	* KIND, either express or implied. See the License for the
	* specific language governing permissions and limitations
	* under the License.
	*
	*/
	package org.apache.qpid.server.security;


	import static org.mockito.Mockito.mock;
	import static org.mockito.Mockito.when;

	import java.io.Closeable;
	import java.io.IOException;
	import java.io.InputStream;
	import java.net.ServerSocket;
	import java.net.Socket;
	import java.security.KeyStore;
	import java.security.SecureRandom;
	import java.util.HashMap;
	import java.util.Map;
	import java.util.concurrent.ExecutorService;
	import java.util.concurrent.Executors;
	import java.util.concurrent.atomic.AtomicBoolean;

	import javax.net.ssl.KeyManager;
	import javax.net.ssl.KeyManagerFactory;
	import javax.net.ssl.SSLContext;
	import javax.net.ssl.SSLServerSocketFactory;

	import org.apache.qpid.server.configuration.IllegalConfigurationException;
	import org.apache.qpid.server.configuration.updater.CurrentThreadTaskExecutor;
	import org.apache.qpid.server.configuration.updater.TaskExecutor;
	import org.apache.qpid.server.logging.EventLogger;
	import org.apache.qpid.server.model.Broker;
	import org.apache.qpid.server.model.BrokerModel;
	import org.apache.qpid.server.model.ConfiguredObjectFactory;
	import org.apache.qpid.server.model.Model;
	import org.apache.qpid.server.model.TrustStore;
	import org.apache.qpid.test.utils.QpidTestCase;
	import org.apache.qpid.test.utils.TestSSLConstants;

	public class SiteSpecificTrustStoreTest extends QpidTestCase
	{
	private static final String EXPECTED_SUBJECT = "CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown";
	private static final String EXPECTED_ISSUER = "CN=MyRootCA, O=ACME, ST=Ontario, C=CA";
	private final Broker<?> _broker = mock(Broker.class);
	private final TaskExecutor _taskExecutor = CurrentThreadTaskExecutor.newStartedInstance();
	private final Model _model = BrokerModel.getInstance();
	private final ConfiguredObjectFactory _factory = _model.getObjectFactory();
	private TestPeer _testPeer;

	@Override
	public void setUp() throws Exception
	{
	super.setUp();
	int connectTimeout = Integer.getInteger("SiteSpecificTrustStoreTest.connectTimeout", 100);
	int readTimeout = Integer.getInteger("SiteSpecificTrustStoreTest.readTimeout", 100);
	setTestSystemProperty(SiteSpecificTrustStore.TRUST_STORE_SITE_SPECIFIC_CONNECT_TIMEOUT, String.valueOf(connectTimeout));
	setTestSystemProperty(SiteSpecificTrustStore.TRUST_STORE_SITE_SPECIFIC_READ_TIMEOUT, String.valueOf(readTimeout));

	when(_broker.getTaskExecutor()).thenReturn(_taskExecutor);
	when(_broker.getChildExecutor()).thenReturn(_taskExecutor);
	when(_broker.getModel()).thenReturn(_model);
	when(_broker.getEventLogger()).thenReturn(new EventLogger());
	when(((Broker) _broker).getCategoryClass()).thenReturn(Broker.class);
	}

	@Override
	public void tearDown() throws Exception
	{
	try
	{
	super.tearDown();
	}
	finally
	{
	if (_testPeer != null)
	{
	_testPeer.close();
	}
	}
	}

	public void testMalformedSiteUrl() throws Exception
	{
	Map<String,Object> attributes = new HashMap<>();
	attributes.put(SiteSpecificTrustStore.NAME, "mySiteSpecificTrustStore");
	attributes.put(SiteSpecificTrustStore.TYPE, "SiteSpecificTrustStore");
	attributes.put("siteUrl", "notaurl:541");

	try
	{
	_factory.create(TrustStore.class, attributes, _broker);
	fail("Exception not thrown");
	}
	catch (IllegalConfigurationException e)
	{
	// PASS
	}
	}

	public void testSiteUrlDoesNotSupplyHostPort() throws Exception
	{
	Map<String,Object> attributes = new HashMap<>();
	attributes.put(SiteSpecificTrustStore.NAME, "mySiteSpecificTrustStore");
	attributes.put(SiteSpecificTrustStore.TYPE, "SiteSpecificTrustStore");
	attributes.put("siteUrl", "file:/not/a/host");

	try
	{
	_factory.create(TrustStore.class, attributes, _broker);
	fail("Exception not thrown");
	}
	catch (IllegalConfigurationException e)
	{
	// PASS
	}
	}

	public void testUnresponsiveSite() throws Exception
	{
	_testPeer = new TestPeer();
	_testPeer.setAccept(false);
	int listeningPort = _testPeer.start();

	Map<String, Object> attributes = getTrustStoreAttributes(listeningPort);

	try
	{
	_factory.create(TrustStore.class, attributes, _broker);
	fail("Exception not thrown");
	}
	catch (IllegalConfigurationException e)
	{
	// PASS
	}
	}

	public void testValidSiteUrl() throws Exception
	{
	_testPeer = new TestPeer();
	int listeningPort = _testPeer.start();

	Map<String, Object> attributes = getTrustStoreAttributes(listeningPort);

	final SiteSpecificTrustStore trustStore =
	(SiteSpecificTrustStore) _factory.create(TrustStore.class, attributes, _broker);

	assertEquals("Unexpected certificate subject", EXPECTED_SUBJECT, trustStore.getCertificateSubject());
	assertEquals("Unexpected certificate issuer", EXPECTED_ISSUER, trustStore.getCertificateIssuer());
	}

	public void testRefreshCertificate() throws Exception
	{
	_testPeer = new TestPeer();
	int listeningPort = _testPeer.start();

	Map<String, Object> attributes = getTrustStoreAttributes(listeningPort);

	final SiteSpecificTrustStore trustStore =
	(SiteSpecificTrustStore) _factory.create(TrustStore.class, attributes, _broker);

	assertEquals("Unexpected certificate subject", EXPECTED_SUBJECT, trustStore.getCertificateSubject());
	assertEquals("Unexpected certificate issuer", EXPECTED_ISSUER, trustStore.getCertificateIssuer());

	trustStore.refreshCertificate();

	assertEquals("Unexpected certificate subject", EXPECTED_SUBJECT, trustStore.getCertificateSubject());
	assertEquals("Unexpected certificate issuer", EXPECTED_ISSUER, trustStore.getCertificateIssuer());
	}

	private Map<String, Object> getTrustStoreAttributes(final int listeningPort)
	{
	Map<String,Object> attributes = new HashMap<>();
	attributes.put(SiteSpecificTrustStore.NAME, "mySiteSpecificTrustStore");
	attributes.put(SiteSpecificTrustStore.TYPE, "SiteSpecificTrustStore");
	attributes.put("siteUrl", String.format("https://localhost:%d", listeningPort));
	return attributes;
	}

	private class TestPeer implements Closeable
	{
	private final ExecutorService _socketAcceptExecutor = Executors.newSingleThreadExecutor();
	private ServerSocket _serverSocket;
	private final AtomicBoolean _shutdown = new AtomicBoolean();
	private boolean _accept = true;

	public void setAccept(final boolean accept)
	{
	_accept = accept;
	}

	public int start() throws Exception
	{
	_serverSocket = createTestSSLServerSocket();
	if (_accept)
	{
	_socketAcceptExecutor.execute(new AcceptingRunnable());
	}

	return _serverSocket.getLocalPort();
	}

	@Override
	public void close() throws IOException
	{
	_shutdown.set(true);
	try
	{
	if (_serverSocket != null)
	{
	_serverSocket.close();
	}
	}
	finally
	{
	_socketAcceptExecutor.shutdown();
	}
	}

	private ServerSocket createTestSSLServerSocket() throws Exception
	{
	char[] keyPassword = TestSSLConstants.KEYSTORE_PASSWORD.toCharArray();
	try(InputStream inputStream = getClass().getResourceAsStream("/java_broker_keystore.jks"))
	{
	KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
	KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
	keyStore.load(inputStream, keyPassword);
	keyManagerFactory.init(keyStore, keyPassword);
	KeyManager keyManagers[] = keyManagerFactory.getKeyManagers();
	SSLContext sslContext = SSLContext.getInstance("SSL");
	sslContext.init(keyManagers, null, new SecureRandom());
	SSLServerSocketFactory socketFactory = sslContext.getServerSocketFactory();
	ServerSocket serverSocket = socketFactory.createServerSocket(0);
	serverSocket.setSoTimeout(100);

	return serverSocket;
	}
	}

	private class AcceptingRunnable implements Runnable
	{
	@Override
	public void run()
	{
	do
	{
	try (Socket sock = _serverSocket.accept())
	{
	final InputStream inputStream = sock.getInputStream();
	while (inputStream.read() != -1)
	{
	}
	}
	catch (IOException e)
	{
	// Ignore
	}
	}
	while (!_shutdown.get());
	}
	}
	}
	}