From 1cfcd7151a3630123233ca1692d976fc07095ed4 Mon Sep 17 00:00:00 2001 From: Diana Krepinska Vilkolakova Date: Tue, 2 Mar 2021 14:59:19 +0100 Subject: [PATCH] [ELY-2112] Automatic registration of client side / JVM wide default SSLContext --- .../auth/client/AuthenticationContext.java | 11 ++- ...henticationContextConfigurationClient.java | 5 +- .../auth/client/DefaultSSLContextSpi.java | 72 +++++++++++++++++++ ...lytronClientDefaultSSLContextProvider.java | 67 +++++++++++++++++ .../auth/client/_private/ElytronMessages.java | 3 + ...FromFileWorksAndHasPrecedenceTestCase.java | 29 ++++++++ ...anDelegateWhenConfigIsMissingTestCase.java | 28 ++++++++ ...SSLContextProviderDoesNotLoopTestCase.java | 33 +++++++++ ...roviderFromCurrentAuthContextTestCase.java | 33 +++++++++ ...ldfly-config-client-default-sslcontext.xml | 30 ++++++++ ...ig-default-ssl-context-invalid-looping.xml | 13 ++++ 11 files changed, 321 insertions(+), 3 deletions(-) create mode 100644 auth/client/src/main/java/org/wildfly/security/auth/client/DefaultSSLContextSpi.java create mode 100644 auth/client/src/main/java/org/wildfly/security/auth/client/ElytronClientDefaultSSLContextProvider.java create mode 100644 auth/client/src/test/java/org/wildfly/security/auth/client/DefaultSSLContextFromFileWorksAndHasPrecedenceTestCase.java create mode 100644 auth/client/src/test/java/org/wildfly/security/auth/client/DefaultSSLContextProviderCanDelegateWhenConfigIsMissingTestCase.java create mode 100644 auth/client/src/test/java/org/wildfly/security/auth/client/DefaultSSLContextProviderDoesNotLoopTestCase.java create mode 100644 auth/client/src/test/java/org/wildfly/security/auth/client/DefaultSSLContextProviderFromCurrentAuthContextTestCase.java create mode 100644 auth/client/src/test/resources/org/wildfly/security/auth/client/test-wildfly-config-client-default-sslcontext.xml create mode 100644 auth/client/src/test/resources/org/wildfly/security/auth/client/test-wildfly-config-default-ssl-context-invalid-looping.xml diff --git a/auth/client/src/main/java/org/wildfly/security/auth/client/AuthenticationContext.java b/auth/client/src/main/java/org/wildfly/security/auth/client/AuthenticationContext.java index fc2c6b086b8..ba7e75a22bf 100644 --- a/auth/client/src/main/java/org/wildfly/security/auth/client/AuthenticationContext.java +++ b/auth/client/src/main/java/org/wildfly/security/auth/client/AuthenticationContext.java @@ -244,8 +244,15 @@ RuleNode authRuleMatching(URI uri, String abstractT RuleNode> sslRuleMatching(URI uri, String abstractType, String abstractTypeAuthority) { RuleNode> node = this.sslRules; while (node != null) { - if (node.getRule().matches(uri, abstractType, abstractTypeAuthority)) return node; - node = node.getNext(); + if (uri == null) { + if (node.getRule().equals(MatchRule.ALL)) { + return node; + } + node = node.getNext(); + } else { + if (node.getRule().matches(uri, abstractType, abstractTypeAuthority)) return node; + node = node.getNext(); + } } return null; } diff --git a/auth/client/src/main/java/org/wildfly/security/auth/client/AuthenticationContextConfigurationClient.java b/auth/client/src/main/java/org/wildfly/security/auth/client/AuthenticationContextConfigurationClient.java index 50cf8d87886..3939b71095d 100644 --- a/auth/client/src/main/java/org/wildfly/security/auth/client/AuthenticationContextConfigurationClient.java +++ b/auth/client/src/main/java/org/wildfly/security/auth/client/AuthenticationContextConfigurationClient.java @@ -196,6 +196,10 @@ private static AuthenticationConfiguration initializeConfiguration(final URI uri return configuration; } + public SSLContext getSSLContext(AuthenticationContext authenticationContext) throws GeneralSecurityException { + return getSSLContext(null, authenticationContext, null, null); + } + /** * Get the SSL context which matches the given URI, or {@link SSLContext#getDefault()} if there is none. * @@ -230,7 +234,6 @@ public SSLContext getSSLContext(URI uri, AuthenticationContext authenticationCon * @return the matching SSL context factory (not {@code null}) */ public SecurityFactory getSSLContextFactory(URI uri, AuthenticationContext authenticationContext, String abstractType, String abstractTypeAuthority) { - Assert.checkNotNullParam("uri", uri); Assert.checkNotNullParam("authenticationContext", authenticationContext); final RuleNode> node = authenticationContext.sslRuleMatching(uri, abstractType, abstractTypeAuthority); if (node == null) return SSLContext::getDefault; diff --git a/auth/client/src/main/java/org/wildfly/security/auth/client/DefaultSSLContextSpi.java b/auth/client/src/main/java/org/wildfly/security/auth/client/DefaultSSLContextSpi.java new file mode 100644 index 00000000000..18ae0a62992 --- /dev/null +++ b/auth/client/src/main/java/org/wildfly/security/auth/client/DefaultSSLContextSpi.java @@ -0,0 +1,72 @@ +package org.wildfly.security.auth.client; + +import org.wildfly.client.config.ConfigXMLParseException; + +import javax.net.ssl.KeyManager; +import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLContextSpi; +import javax.net.ssl.SSLEngine; +import javax.net.ssl.SSLServerSocketFactory; +import javax.net.ssl.SSLSessionContext; +import javax.net.ssl.SSLSocketFactory; +import javax.net.ssl.TrustManager; +import java.net.URI; +import java.net.URISyntaxException; +import java.security.AccessController; +import java.security.GeneralSecurityException; +import java.security.PrivilegedAction; +import java.security.SecureRandom; + +public class DefaultSSLContextSpi extends SSLContextSpi { + + private SSLContext configuredDefaultClientSSLContext; + + public DefaultSSLContextSpi() throws GeneralSecurityException { + this(AuthenticationContext.captureCurrent()); + } + + public DefaultSSLContextSpi(String configPath) throws GeneralSecurityException, URISyntaxException, ConfigXMLParseException { + this(ElytronXmlParser.parseAuthenticationClientConfiguration(new URI(configPath)).create()); + } + + public DefaultSSLContextSpi(AuthenticationContext authenticationContext) throws GeneralSecurityException { + AuthenticationContextConfigurationClient AUTH_CONTEXT_CLIENT = AccessController.doPrivileged((PrivilegedAction) AuthenticationContextConfigurationClient::new); + this.configuredDefaultClientSSLContext = AUTH_CONTEXT_CLIENT.getSSLContext(authenticationContext); + } + + @Override + protected void engineInit(KeyManager[] keyManagers, TrustManager[] trustManagers, SecureRandom secureRandom) { + // ignore + } + + @Override + protected SSLSocketFactory engineGetSocketFactory() { + return this.configuredDefaultClientSSLContext.getSocketFactory(); + } + + @Override + protected SSLServerSocketFactory engineGetServerSocketFactory() { + return this.configuredDefaultClientSSLContext.getServerSocketFactory(); + } + + @Override + protected SSLEngine engineCreateSSLEngine() { + return this.configuredDefaultClientSSLContext.createSSLEngine(); + } + + @Override + protected SSLEngine engineCreateSSLEngine(String s, int i) { + return this.configuredDefaultClientSSLContext.createSSLEngine(s, i); + } + + @Override + protected SSLSessionContext engineGetServerSessionContext() { + return this.configuredDefaultClientSSLContext.getServerSessionContext(); + } + + @Override + protected SSLSessionContext engineGetClientSessionContext() { + return this.configuredDefaultClientSSLContext.getClientSessionContext(); + } + +} diff --git a/auth/client/src/main/java/org/wildfly/security/auth/client/ElytronClientDefaultSSLContextProvider.java b/auth/client/src/main/java/org/wildfly/security/auth/client/ElytronClientDefaultSSLContextProvider.java new file mode 100644 index 00000000000..0ed826652ed --- /dev/null +++ b/auth/client/src/main/java/org/wildfly/security/auth/client/ElytronClientDefaultSSLContextProvider.java @@ -0,0 +1,67 @@ +package org.wildfly.security.auth.client; + +import org.wildfly.client.config.ConfigXMLParseException; +import org.wildfly.security.auth.client._private.ElytronMessages; + +import java.net.URISyntaxException; +import java.security.GeneralSecurityException; +import java.security.NoSuchAlgorithmException; +import java.security.Provider; +import java.util.List; +import java.util.Map; + +public final class ElytronClientDefaultSSLContextProvider extends Provider { + + public ElytronClientDefaultSSLContextProvider() { + this(null); + } + + public ElytronClientDefaultSSLContextProvider(String configPath) { + super("ElytronClientDefaultSSLContextProvider", 1.0, "Elytron client provider for default SSLContext"); + putService(new ClientSSLContextProviderService(this, "SSLContext", "Default", "org.wildfly.security.auth.client.DefaultSSLContextSpi", null, null, configPath)); + } + + private static final class ClientSSLContextProviderService extends Provider.Service { + String configPath; + // this is Integer because we need to count the number of times entered + // entered.get()==2 means we requested this provider second time, creating a loop, so we throw an sslContextForSecurityProviderCreatesInfiniteLoop exception + // AuthenticationContextConfigurationClient receives sslContextForSecurityProviderCreatesInfiniteLoop exception during obtaining of default SSL context and will therefore request default SSL context from other providers + // after default SSL context from other provider is returned, we must check the entered variable again and throw an exception to inform users that this provider was unsuccessful because of invalid configuration + private final ThreadLocal entered = new ThreadLocal<>(); + + ClientSSLContextProviderService(Provider provider, String type, String algorithm, String className, List aliases, + Map attributes, String configPath) { + super(provider, type, algorithm, className, aliases, attributes); + this.configPath = configPath; + } + + @Override + public Object newInstance(Object ignored) throws NoSuchAlgorithmException { + Integer enteredCountTmp = entered.get(); + entered.set(enteredCountTmp == null ? 1 : enteredCountTmp + 1); + if (entered.get() >= 2) { + // we do not do clean up entered variable here because it is needed for the second check and possible throwing of second exception below + throw ElytronMessages.log.sslContextForSecurityProviderCreatesInfiniteLoop(); + } + + DefaultSSLContextSpi sslContext; + try { + if (configPath == null) { + sslContext = new DefaultSSLContextSpi(AuthenticationContext.captureCurrent()); + } else { + sslContext = new DefaultSSLContextSpi(this.configPath); + } + // if we had an exception previously, then default ssl context was still returned from other security provider + // which is why we need to check entered variable again + if (entered.get() >= 2) { + throw ElytronMessages.log.sslContextForSecurityProviderCreatesInfiniteLoop(); + } + } catch (GeneralSecurityException | URISyntaxException | ConfigXMLParseException e) { + throw new NoSuchAlgorithmException(e); + } finally { + entered.remove(); + } + return sslContext; + } + } +} diff --git a/auth/client/src/main/java/org/wildfly/security/auth/client/_private/ElytronMessages.java b/auth/client/src/main/java/org/wildfly/security/auth/client/_private/ElytronMessages.java index 16ef34ce9cc..545eed35d51 100644 --- a/auth/client/src/main/java/org/wildfly/security/auth/client/_private/ElytronMessages.java +++ b/auth/client/src/main/java/org/wildfly/security/auth/client/_private/ElytronMessages.java @@ -201,4 +201,7 @@ ConfigXMLParseException xmlUnableToIdentifyProvider(@Param Location location, St @Message(id = 14004, value = "Password callback handling was unsuccessful") ConfigXMLParseException passwordCallbackHandlingWasUnsuccessful(); + + @Message(id = 14005, value = "SSL context for security provider creates infinite loop") + NoSuchAlgorithmException sslContextForSecurityProviderCreatesInfiniteLoop(); } diff --git a/auth/client/src/test/java/org/wildfly/security/auth/client/DefaultSSLContextFromFileWorksAndHasPrecedenceTestCase.java b/auth/client/src/test/java/org/wildfly/security/auth/client/DefaultSSLContextFromFileWorksAndHasPrecedenceTestCase.java new file mode 100644 index 00000000000..e07c145442b --- /dev/null +++ b/auth/client/src/test/java/org/wildfly/security/auth/client/DefaultSSLContextFromFileWorksAndHasPrecedenceTestCase.java @@ -0,0 +1,29 @@ +package org.wildfly.security.auth.client; + +import org.junit.Assert; +import org.junit.Test; + +import javax.net.ssl.SSLContext; +import java.security.NoSuchAlgorithmException; +import java.security.Security; + +public class DefaultSSLContextFromFileWorksAndHasPrecedenceTestCase { + private static final String CONFIG_FILE = "file:./src/test/resources/org/wildfly/security/auth/client/test-wildfly-config-client-default-sslcontext.xml"; + + @Test + public void testDefaultSSLContextFromFileWorksAndHasPrecedence() { + Security.insertProviderAt(new ElytronClientDefaultSSLContextProvider(CONFIG_FILE), 1); + Assert.assertNotNull(Security.getProvider("ElytronClientDefaultSSLContextProvider")); + AuthenticationContext.empty().run(() -> { // provider will not use current auth context but will use authentication context from the file passed to provider. File passed to provider has precedence + SSLContext cip = null; + try { + cip = SSLContext.getDefault(); + } catch (NoSuchAlgorithmException e) { + Assert.fail(); + } + Assert.assertNotNull(cip); + Assert.assertEquals(cip.getProvider().getName(), ElytronClientDefaultSSLContextProvider.class.getSimpleName()); + Assert.assertNotNull(cip.getSocketFactory()); + }); + } +} diff --git a/auth/client/src/test/java/org/wildfly/security/auth/client/DefaultSSLContextProviderCanDelegateWhenConfigIsMissingTestCase.java b/auth/client/src/test/java/org/wildfly/security/auth/client/DefaultSSLContextProviderCanDelegateWhenConfigIsMissingTestCase.java new file mode 100644 index 00000000000..b3b4e5fc3bc --- /dev/null +++ b/auth/client/src/test/java/org/wildfly/security/auth/client/DefaultSSLContextProviderCanDelegateWhenConfigIsMissingTestCase.java @@ -0,0 +1,28 @@ +package org.wildfly.security.auth.client; + +import org.junit.Assert; +import org.junit.Test; + +import javax.net.ssl.SSLContext; +import java.security.NoSuchAlgorithmException; +import java.security.Security; + +public class DefaultSSLContextProviderCanDelegateWhenConfigIsMissingTestCase { + + @Test + public void testDefaultSSLContextProviderWillDelegateIfNoConfigured() { + Security.insertProviderAt(new ElytronClientDefaultSSLContextProvider(), 1); + Assert.assertEquals(ElytronClientDefaultSSLContextProvider.class.getSimpleName(), Security.getProvider("ElytronClientDefaultSSLContextProvider").getName()); + AuthenticationContext.empty().run(() -> { + SSLContext cip = null; + try { + cip = SSLContext.getDefault(); + } catch (NoSuchAlgorithmException e) { + Assert.fail(); + } + Assert.assertNotNull(cip); + Assert.assertNotEquals(cip.getProvider().getName(), ElytronClientDefaultSSLContextProvider.class.getSimpleName()); // different provider was used since no default SSL context configured in Elytron client + Assert.assertNotNull(cip.getSocketFactory()); + }); + } +} diff --git a/auth/client/src/test/java/org/wildfly/security/auth/client/DefaultSSLContextProviderDoesNotLoopTestCase.java b/auth/client/src/test/java/org/wildfly/security/auth/client/DefaultSSLContextProviderDoesNotLoopTestCase.java new file mode 100644 index 00000000000..5424ad773b1 --- /dev/null +++ b/auth/client/src/test/java/org/wildfly/security/auth/client/DefaultSSLContextProviderDoesNotLoopTestCase.java @@ -0,0 +1,33 @@ +package org.wildfly.security.auth.client; + +import org.junit.Assert; +import org.junit.Test; +import org.wildfly.client.config.ConfigXMLParseException; + +import javax.net.ssl.SSLContext; +import java.net.URI; +import java.net.URISyntaxException; +import java.security.GeneralSecurityException; +import java.security.NoSuchAlgorithmException; +import java.security.Security; + +public class DefaultSSLContextProviderDoesNotLoopTestCase { + private static final String CONFIG_FILE = "file:./src/test/resources/org/wildfly/security/auth/client/test-wildfly-config-default-ssl-context-invalid-looping.xml"; + + @Test + public void testDefaultSSLContextProviderDoesNotLoopTestCase() throws GeneralSecurityException, URISyntaxException, ConfigXMLParseException { + Security.insertProviderAt(new ElytronClientDefaultSSLContextProvider(), 1); + AuthenticationContext authenticationContext = ElytronXmlParser.parseAuthenticationClientConfiguration(new URI(CONFIG_FILE)).create(); + authenticationContext.run(() -> { + SSLContext cip = null; + try { + cip = SSLContext.getDefault(); + } catch (NoSuchAlgorithmException e) { + Assert.fail(); + } + Assert.assertNotNull(cip); + Assert.assertNotEquals(cip.getProvider().getName(), ElytronClientDefaultSSLContextProvider.class.getSimpleName()); // diff provider was used since elytron provider is looping + Assert.assertNotNull(cip.getSocketFactory()); + }); + } +} diff --git a/auth/client/src/test/java/org/wildfly/security/auth/client/DefaultSSLContextProviderFromCurrentAuthContextTestCase.java b/auth/client/src/test/java/org/wildfly/security/auth/client/DefaultSSLContextProviderFromCurrentAuthContextTestCase.java new file mode 100644 index 00000000000..f842ad5ec9e --- /dev/null +++ b/auth/client/src/test/java/org/wildfly/security/auth/client/DefaultSSLContextProviderFromCurrentAuthContextTestCase.java @@ -0,0 +1,33 @@ +package org.wildfly.security.auth.client; + +import org.junit.Assert; +import org.junit.Test; +import org.wildfly.client.config.ConfigXMLParseException; + +import javax.net.ssl.SSLContext; +import java.net.URI; +import java.net.URISyntaxException; +import java.security.GeneralSecurityException; +import java.security.NoSuchAlgorithmException; +import java.security.Security; + +public class DefaultSSLContextProviderFromCurrentAuthContextTestCase { + private static final String CONFIG_FILE = "file:./src/test/resources/org/wildfly/security/auth/client/test-wildfly-config-client-default-sslcontext.xml"; + + @Test + public void testDefaultSSLContextTakenFromCurrentContext() throws GeneralSecurityException, URISyntaxException, ConfigXMLParseException { + Security.insertProviderAt(new ElytronClientDefaultSSLContextProvider(), 1); + AuthenticationContext authenticationContext = ElytronXmlParser.parseAuthenticationClientConfiguration(new URI(CONFIG_FILE)).create(); + authenticationContext.run(() -> { + SSLContext cip = null; + try { + cip = SSLContext.getDefault(); + } catch (NoSuchAlgorithmException e) { + Assert.fail(); + } + Assert.assertNotNull(cip); + Assert.assertEquals(cip.getProvider().getName(), ElytronClientDefaultSSLContextProvider.class.getSimpleName()); + Assert.assertNotNull(cip.getSocketFactory()); + }); + } +} diff --git a/auth/client/src/test/resources/org/wildfly/security/auth/client/test-wildfly-config-client-default-sslcontext.xml b/auth/client/src/test/resources/org/wildfly/security/auth/client/test-wildfly-config-client-default-sslcontext.xml new file mode 100644 index 00000000000..5bb58e1eadf --- /dev/null +++ b/auth/client/src/test/resources/org/wildfly/security/auth/client/test-wildfly-config-client-default-sslcontext.xml @@ -0,0 +1,30 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/auth/client/src/test/resources/org/wildfly/security/auth/client/test-wildfly-config-default-ssl-context-invalid-looping.xml b/auth/client/src/test/resources/org/wildfly/security/auth/client/test-wildfly-config-default-ssl-context-invalid-looping.xml new file mode 100644 index 00000000000..e918e09a4ae --- /dev/null +++ b/auth/client/src/test/resources/org/wildfly/security/auth/client/test-wildfly-config-default-ssl-context-invalid-looping.xml @@ -0,0 +1,13 @@ + + + + + + + + + + + + +