| /* |
| * Licensed to the Apache Software Foundation (ASF) under one |
| * or more contributor license agreements. See the NOTICE file |
| * distributed with this work for additional information |
| * regarding copyright ownership. The ASF licenses this file |
| * to you under the Apache License, Version 2.0 (the |
| * "License"); you may not use this file except in compliance |
| * with the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, |
| * software distributed under the License is distributed on an |
| * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| * KIND, either express or implied. See the License for the |
| * specific language governing permissions and limitations |
| * under the License. |
| * |
| * |
| */ |
| package org.apache.qpid.server.security.auth.manager; |
| |
| import static org.apache.qpid.test.utils.TestSSLConstants.KEYSTORE; |
| import static org.apache.qpid.test.utils.TestSSLConstants.KEYSTORE_PASSWORD; |
| import static org.apache.qpid.test.utils.TestSSLConstants.TRUSTSTORE; |
| import static org.apache.qpid.test.utils.TestSSLConstants.TRUSTSTORE_PASSWORD; |
| |
| import java.util.Collections; |
| import java.util.HashMap; |
| import java.util.Map; |
| |
| import javax.jms.Connection; |
| import javax.jms.JMSException; |
| |
| import org.apache.commons.configuration.ConfigurationException; |
| import org.apache.qpid.client.AMQConnectionURL; |
| import org.apache.qpid.server.model.AuthenticationProvider; |
| import org.apache.qpid.server.model.Broker; |
| import org.apache.qpid.server.model.Port; |
| import org.apache.qpid.server.model.Transport; |
| import org.apache.qpid.server.plugin.AuthenticationManagerFactory; |
| import org.apache.qpid.test.utils.QpidBrokerTestCase; |
| import org.apache.qpid.test.utils.TestBrokerConfiguration; |
| |
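/**
 * Broker-level tests for the EXTERNAL SASL authentication provider, i.e. authenticating a
 * client by the X.509 certificate it presents during the TLS handshake rather than by a
 * username and password.
 *
 * Each test assembles its own broker configuration (an SSL port plus an EXTERNAL provider, see
 * {@link #setCommonBrokerSSLProperties(boolean)}) and only then starts the broker via
 * {@code super.setUp()}; that is why {@link #setUp()} is deliberately a no-op here.
 *
 * The client side is driven purely through the standard JSSE system properties
 * ({@code javax.net.ssl.keyStore} / {@code javax.net.ssl.trustStore}). Nothing here relaxes
 * certificate validation: the client is expected to verify the broker's certificate against
 * the test trust store like any other JSSE client.
 *
 * Caveat shared by all three tests: the helpers use QpidBrokerTestCase's
 * {@code setSystemProperty}, which presumably reverts the property on tearDown - confirm, because
 * a key store left behind by an earlier test would silently weaken
 * {@link #testExternalAuthenticationManagerWithoutClientKeyStore()}.
 */
public class ExternalAuthenticationTest extends QpidBrokerTestCase
{
    /**
     * Intentionally does not call {@code super.setUp()}: the broker must not start until the
     * individual test has finished configuring its ports and authentication providers.
     */
    @Override
    protected void setUp() throws Exception
    {
        // not calling super.setUp() to avoid broker start-up
    }

    /**
     * EXTERNAL scoped to the SSL port only.
     *
     * Expected: a client presenting a certificate connects over TLS using EXTERNAL, while the
     * non-SSL port keeps the broker's default provider, so the ordinary credentialed
     * {@link #getConnection()} still succeeds there.
     */
    public void testExternalAuthenticationManagerOnSSLPort() throws Exception
    {
        setCommonBrokerSSLProperties(true);
        getBrokerConfiguration().setObjectAttribute(TestBrokerConfiguration.ENTRY_NAME_SSL_PORT,
                                                    Port.AUTHENTICATION_MANAGER,
                                                    TestBrokerConfiguration.ENTRY_NAME_EXTERNAL_PROVIDER);
        super.setUp();

        setClientKeystoreProperties();
        setClientTruststoreProperties();
        enableSSLDebugOutput();

        try
        {
            getExternalSSLConnection(false);
        }
        catch (JMSException e)
        {
            throw failure("Should be able to create a connection to the SSL port", e);
        }

        try
        {
            getConnection();
        }
        catch (JMSException e)
        {
            throw failure("Should be able to create a connection with credentials to the standard port", e);
        }
    }

    /**
     * EXTERNAL as the broker-wide default provider.
     *
     * Expected: a plain (non-TLS) connection with otherwise valid credentials is rejected, because
     * there is no certificate for EXTERNAL to authenticate, whereas a certificate-bearing TLS
     * connection is accepted.
     */
    public void testExternalAuthenticationManagerAsDefault() throws Exception
    {
        setCommonBrokerSSLProperties(true);
        getBrokerConfiguration().setBrokerAttribute(Broker.DEFAULT_AUTHENTICATION_PROVIDER,
                                                    TestBrokerConfiguration.ENTRY_NAME_EXTERNAL_PROVIDER);
        super.setUp();

        setClientKeystoreProperties();
        setClientTruststoreProperties();
        enableSSLDebugOutput();

        try
        {
            getConnection();
            fail("Connection should not succeed");
        }
        catch (JMSException e)
        {
            // expected: no TLS, hence no certificate, hence nothing for EXTERNAL to authenticate.
            // NOTE(review): any JMSException satisfies this branch; it does not distinguish an
            // authentication rejection from e.g. a refused connection. Tightening it would need
            // knowledge of the client's failure reporting, which is not visible here.
        }

        try
        {
            getExternalSSLConnection(false);
        }
        catch (JMSException e)
        {
            throw failure("Should be able to create a connection to the SSL port.", e);
        }
    }

    /**
     * EXTERNAL as the default provider, client configured with a trust store but no key store.
     *
     * The SSL port is created with {@code needClientAuth=false}, so the TLS handshake is presumably
     * allowed to complete without a client certificate. The property under test is that EXTERNAL
     * must then still reject the connection even though valid guest/guest credentials are supplied
     * in the URL - i.e. there is no silent fallback to password authentication.
     */
    public void testExternalAuthenticationManagerWithoutClientKeyStore() throws Exception
    {
        setCommonBrokerSSLProperties(false);
        getBrokerConfiguration().setBrokerAttribute(Broker.DEFAULT_AUTHENTICATION_PROVIDER,
                                                    TestBrokerConfiguration.ENTRY_NAME_EXTERNAL_PROVIDER);
        super.setUp();

        // deliberately no key store: the client has nothing to present
        setClientTruststoreProperties();
        enableSSLDebugOutput();

        try
        {
            getExternalSSLConnection(true);
            fail("Connection should not succeed");
        }
        catch (JMSException e)
        {
            // expected. NOTE(review): as above, any JMSException passes here - a TLS-level failure
            // and an EXTERNAL rejection look the same to this test.
        }
    }

    /**
     * Opens a JMS connection to the SSL port that forces TLS and the EXTERNAL mechanism.
     *
     * {@code ssl='true'} forces TLS and {@code sasl_mechs='EXTERNAL'} pins the mechanism on the
     * client side, so these tests do not depend on what the broker happens to offer during SASL
     * negotiation.
     *
     * @param includeUserNameAndPassword {@code true} to embed {@code guest:guest} in the URL,
     *        {@code false} for an empty username and password ({@code ":"}) - the identity is
     *        then expected to come from the client certificate alone
     * @return the established connection
     * @throws Exception if the connection cannot be established (the tests catch {@link JMSException})
     */
    private Connection getExternalSSLConnection(boolean includeUserNameAndPassword) throws Exception
    {
        String urlTemplate = "amqp://%s@test/?brokerlist='tcp://localhost:%s?ssl='true'&sasl_mechs='EXTERNAL''";
        String credentials = includeUserNameAndPassword ? "guest:guest" : ":";
        String url = String.format(urlTemplate, credentials, String.valueOf(QpidBrokerTestCase.DEFAULT_SSL_PORT));
        return getConnection(new AMQConnectionURL(url));
    }

    /**
     * Adds an SSL-only port and an EXTERNAL authentication provider to the pending broker
     * configuration. Must be called before {@code super.setUp()} starts the broker.
     *
     * @param needClientAuth value written to {@link Port#NEED_CLIENT_AUTH} (as a String, matching
     *        the original configuration code). By the usual JSSE meaning {@code true} should make
     *        the broker require a client certificate during the handshake and {@code false} let
     *        certificate-less clients complete TLS - verify against the Port implementation.
     * @throws ConfigurationException propagated from the test configuration helpers
     */
    private void setCommonBrokerSSLProperties(boolean needClientAuth) throws ConfigurationException
    {
        TestBrokerConfiguration config = getBrokerConfiguration();

        Map<String, Object> sslPort = new HashMap<String, Object>();
        sslPort.put(Port.NAME, TestBrokerConfiguration.ENTRY_NAME_SSL_PORT);
        sslPort.put(Port.PORT, DEFAULT_SSL_PORT);
        // SSL only: this port never accepts a plaintext AMQP connection
        sslPort.put(Port.TRANSPORTS, Collections.singleton(Transport.SSL));
        sslPort.put(Port.NEED_CLIENT_AUTH, String.valueOf(needClientAuth));
        config.addPortConfiguration(sslPort);

        Map<String, Object> externalProvider = new HashMap<String, Object>();
        externalProvider.put(AuthenticationManagerFactory.ATTRIBUTE_TYPE, ExternalAuthenticationManagerFactory.PROVIDER_TYPE);
        externalProvider.put(AuthenticationProvider.NAME, TestBrokerConfiguration.ENTRY_NAME_EXTERNAL_PROVIDER);
        config.addAuthenticationProviderConfiguration(externalProvider);
    }

    /** Points the client JVM at the test key store, i.e. gives it a certificate to present. */
    private void setClientKeystoreProperties()
    {
        setSystemProperty("javax.net.ssl.keyStore", KEYSTORE);
        setSystemProperty("javax.net.ssl.keyStorePassword", KEYSTORE_PASSWORD);
    }

    /** Points the client JVM at the test trust store, i.e. tells it which broker certificate to accept. */
    private void setClientTruststoreProperties()
    {
        setSystemProperty("javax.net.ssl.trustStore", TRUSTSTORE);
        setSystemProperty("javax.net.ssl.trustStorePassword", TRUSTSTORE_PASSWORD);
    }

    /**
     * Turns on JSSE's debug switch ({@code javax.net.debug=ssl}), which prints TLS handshake
     * tracing to stdout. Kept as a separate, explicitly named step because it is a process-global
     * setting with nothing to do with the trust store; the original code enabled it as a side
     * effect of configuring the trust store, which was easy to overlook.
     */
    private void enableSSLDebugOutput()
    {
        setSystemProperty("javax.net.debug", "ssl");
    }

    /**
     * Builds the assertion error for an unexpected exception without discarding it. The previous
     * {@code fail(message + e.getMessage())} pattern threw away the stack trace and any linked
     * exception - precisely the information needed to tell a TLS handshake failure apart from a
     * SASL rejection when one of these tests goes red.
     *
     * @param message what was expected
     * @param cause   the exception that violated the expectation; attached as the cause
     * @return the error to throw, so call sites read as {@code throw failure(...)}. Note a JUnit 3
     *         runner may report it as an error rather than a failure; either way the test is red.
     */
    private static AssertionError failure(String message, Throwable cause)
    {
        // AssertionError(String, Throwable) only exists from Java 7; initCause() also works on older JVMs
        AssertionError error = new AssertionError(message + ": " + cause.getMessage());
        error.initCause(cause);
        return error;
    }
}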