java/systests/src/main/java/org/apache/qpid/server/security/auth/manager/ExternalAuthenticationTest.java - qpid - Git at Google

 /*
  *  Licensed to the Apache Software Foundation (ASF) under one
  *  or more contributor license agreements.  See the NOTICE file
  *  distributed with this work for additional information
  *  regarding copyright ownership.  The ASF licenses this file
  *  to you under the Apache License, Version 2.0 (the
  *  "License"); you may not use this file except in compliance
  *  with the License.  You may obtain a copy of the License at
  *
  *    http://www.apache.org/licenses/LICENSE-2.0
  *
  *  Unless required by applicable law or agreed to in writing,
  *  software distributed under the License is distributed on an
  *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  *  KIND, either express or implied.  See the License for the
  *  specific language governing permissions and limitations
  *  under the License.
  *
  *
  */
 package org.apache.qpid.server.security.auth.manager;

 import static org.apache.qpid.test.utils.TestSSLConstants.KEYSTORE;
 import static org.apache.qpid.test.utils.TestSSLConstants.KEYSTORE_PASSWORD;
 import static org.apache.qpid.test.utils.TestSSLConstants.TRUSTSTORE;
 import static org.apache.qpid.test.utils.TestSSLConstants.TRUSTSTORE_PASSWORD;

 import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;

 import javax.jms.Connection;
 import javax.jms.JMSException;

 import org.apache.commons.configuration.ConfigurationException;
 import org.apache.qpid.client.AMQConnectionURL;
 import org.apache.qpid.server.model.AuthenticationProvider;
 import org.apache.qpid.server.model.Broker;
 import org.apache.qpid.server.model.Port;
 import org.apache.qpid.server.model.Transport;
 import org.apache.qpid.server.plugin.AuthenticationManagerFactory;
 import org.apache.qpid.test.utils.QpidBrokerTestCase;
 import org.apache.qpid.test.utils.TestBrokerConfiguration;

 public class ExternalAuthenticationTest extends QpidBrokerTestCase
 {
     @Override
     protected void setUp() throws Exception
     {
         // not calling super.setUp() to avoid broker start-up
     }

     /**
      * Tests that when EXTERNAL authentication is used on the SSL port, clients presenting certificates are able to connect.
      * Also, checks that default authentication manager PrincipalDatabaseAuthenticationManager is used on non SSL port.
      */
     public void testExternalAuthenticationManagerOnSSLPort() throws Exception
     {
         setCommonBrokerSSLProperties(true);
         getBrokerConfiguration().setObjectAttribute(TestBrokerConfiguration.ENTRY_NAME_SSL_PORT, Port.AUTHENTICATION_MANAGER, TestBrokerConfiguration.ENTRY_NAME_EXTERNAL_PROVIDER);
         super.setUp();

         setClientKeystoreProperties();
         setClientTrustoreProperties();

         try
         {
             getExternalSSLConnection(false);
         }
         catch (JMSException e)
         {
             fail("Should be able to create a connection to the SSL port: " + e.getMessage());
         }

         try
         {
             getConnection();
         }
         catch (JMSException e)
         {
             fail("Should be able to create a connection with credentials to the standard port: " + e.getMessage());
         }

     }

     /**
      * Tests that when EXTERNAL authentication manager is set as the default, clients presenting certificates are able to connect.
      * Also, checks a client with valid username and password but not using ssl is unable to connect to the non SSL port.
      */
     public void testExternalAuthenticationManagerAsDefault() throws Exception
     {
         setCommonBrokerSSLProperties(true);
         getBrokerConfiguration().setBrokerAttribute(Broker.DEFAULT_AUTHENTICATION_PROVIDER, TestBrokerConfiguration.ENTRY_NAME_EXTERNAL_PROVIDER);
         super.setUp();

         setClientKeystoreProperties();
         setClientTrustoreProperties();

         try
         {
             getConnection();
             fail("Connection should not succeed");
         }
         catch (JMSException e)
         {
             // pass
         }

         try
         {
             getExternalSSLConnection(false);
         }
         catch (JMSException e)
         {
             fail("Should be able to create a connection to the SSL port. " + e.getMessage());
         }
     }

     /**
      * Tests that when EXTERNAL authentication manager is set as the default, clients without certificates are unable to connect to the SSL port
      * even with valid username and password.
      */
     public void testExternalAuthenticationManagerWithoutClientKeyStore() throws Exception
     {
         setCommonBrokerSSLProperties(false);
         getBrokerConfiguration().setBrokerAttribute(Broker.DEFAULT_AUTHENTICATION_PROVIDER, TestBrokerConfiguration.ENTRY_NAME_EXTERNAL_PROVIDER);
         super.setUp();

         setClientTrustoreProperties();

         try
         {
             getExternalSSLConnection(true);
             fail("Connection should not succeed");
         }
         catch (JMSException e)
         {
             // pass
         }
     }

     private Connection getExternalSSLConnection(boolean includeUserNameAndPassword) throws Exception
     {
         String url = "amqp://%s@test/?brokerlist='tcp://localhost:%s?ssl='true'&sasl_mechs='EXTERNAL''";
         if (includeUserNameAndPassword)
         {
             url = String.format(url, "guest:guest", String.valueOf(QpidBrokerTestCase.DEFAULT_SSL_PORT));
         }
         else
         {
             url = String.format(url, ":", String.valueOf(QpidBrokerTestCase.DEFAULT_SSL_PORT));
         }
         return getConnection(new AMQConnectionURL(url));
     }

     private void setCommonBrokerSSLProperties(boolean needClientAuth) throws ConfigurationException
     {
         TestBrokerConfiguration config = getBrokerConfiguration();
         Map<String, Object> sslPortAttributes = new HashMap<String, Object>();
         sslPortAttributes.put(Port.TRANSPORTS, Collections.singleton(Transport.SSL));
         sslPortAttributes.put(Port.PORT, DEFAULT_SSL_PORT);
         sslPortAttributes.put(Port.NEED_CLIENT_AUTH, String.valueOf(needClientAuth));
         sslPortAttributes.put(Port.NAME, TestBrokerConfiguration.ENTRY_NAME_SSL_PORT);
         config.addPortConfiguration(sslPortAttributes);

         Map<String, Object> externalAuthProviderAttributes = new HashMap<String, Object>();
         externalAuthProviderAttributes.put(AuthenticationManagerFactory.ATTRIBUTE_TYPE, ExternalAuthenticationManagerFactory.PROVIDER_TYPE);
         externalAuthProviderAttributes.put(AuthenticationProvider.NAME, TestBrokerConfiguration.ENTRY_NAME_EXTERNAL_PROVIDER);
         config.addAuthenticationProviderConfiguration(externalAuthProviderAttributes);
     }

     private void setClientKeystoreProperties()
     {
         setSystemProperty("javax.net.ssl.keyStore", KEYSTORE);
         setSystemProperty("javax.net.ssl.keyStorePassword", KEYSTORE_PASSWORD);
     }

     private void setClientTrustoreProperties()
     {
         setSystemProperty("javax.net.ssl.trustStore", TRUSTSTORE);
         setSystemProperty("javax.net.ssl.trustStorePassword", TRUSTSTORE_PASSWORD);
         setSystemProperty("javax.net.debug", "ssl");
     }
 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing,
	* software distributed under the License is distributed on an
	* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	* KIND, either express or implied. See the License for the
	* specific language governing permissions and limitations
	* under the License.
	*
	*
	*/
	package org.apache.qpid.server.security.auth.manager;

	import static org.apache.qpid.test.utils.TestSSLConstants.KEYSTORE;
	import static org.apache.qpid.test.utils.TestSSLConstants.KEYSTORE_PASSWORD;
	import static org.apache.qpid.test.utils.TestSSLConstants.TRUSTSTORE;
	import static org.apache.qpid.test.utils.TestSSLConstants.TRUSTSTORE_PASSWORD;

	import java.util.Collections;
	import java.util.HashMap;
	import java.util.Map;

	import javax.jms.Connection;
	import javax.jms.JMSException;

	import org.apache.commons.configuration.ConfigurationException;
	import org.apache.qpid.client.AMQConnectionURL;
	import org.apache.qpid.server.model.AuthenticationProvider;
	import org.apache.qpid.server.model.Broker;
	import org.apache.qpid.server.model.Port;
	import org.apache.qpid.server.model.Transport;
	import org.apache.qpid.server.plugin.AuthenticationManagerFactory;
	import org.apache.qpid.test.utils.QpidBrokerTestCase;
	import org.apache.qpid.test.utils.TestBrokerConfiguration;

	public class ExternalAuthenticationTest extends QpidBrokerTestCase
	{
	@Override
	protected void setUp() throws Exception
	{
	// not calling super.setUp() to avoid broker start-up
	}

	/**
	* Tests that when EXTERNAL authentication is used on the SSL port, clients presenting certificates are able to connect.
	* Also, checks that default authentication manager PrincipalDatabaseAuthenticationManager is used on non SSL port.
	*/
	public void testExternalAuthenticationManagerOnSSLPort() throws Exception
	{
	setCommonBrokerSSLProperties(true);
	getBrokerConfiguration().setObjectAttribute(TestBrokerConfiguration.ENTRY_NAME_SSL_PORT, Port.AUTHENTICATION_MANAGER, TestBrokerConfiguration.ENTRY_NAME_EXTERNAL_PROVIDER);
	super.setUp();

	setClientKeystoreProperties();
	setClientTrustoreProperties();

	try
	{
	getExternalSSLConnection(false);
	}
	catch (JMSException e)
	{
	fail("Should be able to create a connection to the SSL port: " + e.getMessage());
	}

	try
	{
	getConnection();
	}
	catch (JMSException e)
	{
	fail("Should be able to create a connection with credentials to the standard port: " + e.getMessage());
	}

	}

	/**
	* Tests that when EXTERNAL authentication manager is set as the default, clients presenting certificates are able to connect.
	* Also, checks a client with valid username and password but not using ssl is unable to connect to the non SSL port.
	*/
	public void testExternalAuthenticationManagerAsDefault() throws Exception
	{
	setCommonBrokerSSLProperties(true);
	getBrokerConfiguration().setBrokerAttribute(Broker.DEFAULT_AUTHENTICATION_PROVIDER, TestBrokerConfiguration.ENTRY_NAME_EXTERNAL_PROVIDER);
	super.setUp();

	setClientKeystoreProperties();
	setClientTrustoreProperties();

	try
	{
	getConnection();
	fail("Connection should not succeed");
	}
	catch (JMSException e)
	{
	// pass
	}

	try
	{
	getExternalSSLConnection(false);
	}
	catch (JMSException e)
	{
	fail("Should be able to create a connection to the SSL port. " + e.getMessage());
	}
	}

	/**
	* Tests that when EXTERNAL authentication manager is set as the default, clients without certificates are unable to connect to the SSL port
	* even with valid username and password.
	*/
	public void testExternalAuthenticationManagerWithoutClientKeyStore() throws Exception
	{
	setCommonBrokerSSLProperties(false);
	getBrokerConfiguration().setBrokerAttribute(Broker.DEFAULT_AUTHENTICATION_PROVIDER, TestBrokerConfiguration.ENTRY_NAME_EXTERNAL_PROVIDER);
	super.setUp();

	setClientTrustoreProperties();

	try
	{
	getExternalSSLConnection(true);
	fail("Connection should not succeed");
	}
	catch (JMSException e)
	{
	// pass
	}
	}

	private Connection getExternalSSLConnection(boolean includeUserNameAndPassword) throws Exception
	{
	String url = "amqp://%s@test/?brokerlist='tcp://localhost:%s?ssl='true'&sasl_mechs='EXTERNAL''";
	if (includeUserNameAndPassword)
	{
	url = String.format(url, "guest:guest", String.valueOf(QpidBrokerTestCase.DEFAULT_SSL_PORT));
	}
	else
	{
	url = String.format(url, ":", String.valueOf(QpidBrokerTestCase.DEFAULT_SSL_PORT));
	}
	return getConnection(new AMQConnectionURL(url));
	}

	private void setCommonBrokerSSLProperties(boolean needClientAuth) throws ConfigurationException
	{
	TestBrokerConfiguration config = getBrokerConfiguration();
	Map<String, Object> sslPortAttributes = new HashMap<String, Object>();
	sslPortAttributes.put(Port.TRANSPORTS, Collections.singleton(Transport.SSL));
	sslPortAttributes.put(Port.PORT, DEFAULT_SSL_PORT);
	sslPortAttributes.put(Port.NEED_CLIENT_AUTH, String.valueOf(needClientAuth));
	sslPortAttributes.put(Port.NAME, TestBrokerConfiguration.ENTRY_NAME_SSL_PORT);
	config.addPortConfiguration(sslPortAttributes);

	Map<String, Object> externalAuthProviderAttributes = new HashMap<String, Object>();
	externalAuthProviderAttributes.put(AuthenticationManagerFactory.ATTRIBUTE_TYPE, ExternalAuthenticationManagerFactory.PROVIDER_TYPE);
	externalAuthProviderAttributes.put(AuthenticationProvider.NAME, TestBrokerConfiguration.ENTRY_NAME_EXTERNAL_PROVIDER);
	config.addAuthenticationProviderConfiguration(externalAuthProviderAttributes);
	}

	private void setClientKeystoreProperties()
	{
	setSystemProperty("javax.net.ssl.keyStore", KEYSTORE);
	setSystemProperty("javax.net.ssl.keyStorePassword", KEYSTORE_PASSWORD);
	}

	private void setClientTrustoreProperties()
	{
	setSystemProperty("javax.net.ssl.trustStore", TRUSTSTORE);
	setSystemProperty("javax.net.ssl.trustStorePassword", TRUSTSTORE_PASSWORD);
	setSystemProperty("javax.net.debug", "ssl");
	}
	}