EAP7-1121 POC

auth/client/pom.xml

@@ -52,6 +52,10 @@
             <groupId>org.wildfly.security</groupId>
             <artifactId>wildfly-elytron-credential-store</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.wildfly.security</groupId>
+            <artifactId>wildfly-elytron-dynamic-ssl</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.wildfly.security</groupId>
             <artifactId>wildfly-elytron-keystore</artifactId>
@@ -76,7 +80,7 @@
             <groupId>org.wildfly.security</groupId>
             <artifactId>wildfly-elytron-x500-cert</artifactId>
         </dependency>
-                                
+
         <dependency>
             <groupId>org.jboss.logging</groupId>
             <artifactId>jboss-logging-annotations</artifactId>
@@ -146,6 +150,14 @@
             <artifactId>jmockit</artifactId>
             <scope>test</scope>
         </dependency>
+
+        <!-- https://mvnrepository.com/artifact/org.mockito/mockito-all -->
+        <dependency>
+            <groupId>org.mockito</groupId>
+            <artifactId>mockito-all</artifactId>
+            <version>1.9.5</version>
+            <scope>test</scope>
+        </dependency>
+
     </dependencies>
-
 </project>

auth/client/src/main/java/org/wildfly/security/auth/client/AuthenticationContext.java

@@ -354,6 +354,10 @@ public <T, E extends Exception> T runAsSupplierEx(ExceptionSupplier<T, E> action
         return runExFunction(ExceptionSupplier::get, action);
     }
 
+    RuleNode<SecurityFactory<SSLContext>> getSslRules() {
+        return this.sslRules;
+    }
+
     public ContextManager<AuthenticationContext> getInstanceContextManager() {
         return getContextManager();
     }

auth/client/src/main/java/org/wildfly/security/auth/client/AuthenticationContextConfigurationClient.java

@@ -27,10 +27,13 @@
 import java.net.URI;
 import java.security.AccessControlContext;
 import java.security.GeneralSecurityException;
+import java.security.NoSuchAlgorithmException;
 import java.security.Principal;
 import java.security.PrivilegedAction;
 import java.security.Provider;
+import java.util.ArrayList;
 import java.util.Collection;
+import java.util.List;
 import java.util.function.Supplier;
 import java.util.function.UnaryOperator;
 
@@ -196,6 +199,37 @@ private static AuthenticationConfiguration initializeConfiguration(final URI uri
         return configuration;
     }
 
+
+    List<SSLContext> getConfiguredSSLContexts(AuthenticationContext authenticationContext) {
+        List<SSLContext> sslContexts = new ArrayList<>();
+        RuleNode<SecurityFactory<SSLContext>> node = authenticationContext.getSslRules();
+        while (node != null) {
+            try {
+                sslContexts.add(node.getConfiguration().create());
+            } catch (GeneralSecurityException ignored) {
+                ignored.printStackTrace();
+            }
+            node = node.getNext();
+        }
+        return sslContexts;
+    }
+
+    public SSLContext getDefaultSSLContext(AuthenticationContext authenticationContext) throws NoSuchAlgorithmException {
+        SSLContext defaultSSLContext = null;
+        RuleNode<SecurityFactory<SSLContext>> node = authenticationContext.getSslRules();
+        while (node != null) {
+            try {
+                if(node.getRule().equals(MatchRule.ALL)) {
+                    defaultSSLContext = node.getConfiguration().create();
+                }
+            } catch (GeneralSecurityException ignored) {
+                ignored.printStackTrace();
+            }
+            node = node.getNext();
+        }
+        return defaultSSLContext == null ? SSLContext.getDefault() : defaultSSLContext;
+    }
+
     /**
      * Get the SSL context which matches the given URI, or {@link SSLContext#getDefault()} if there is none.
      *

auth/client/src/main/java/org/wildfly/security/auth/client/DynamicSSLContextImpl.java

@@ -0,0 +1,46 @@
+package org.wildfly.security.auth.client;
+
+import org.kohsuke.MetaInfServices;
+import org.wildfly.security.dynamic.ssl.DynamicSSLContextSPI;
+
+import javax.net.ssl.SSLContext;
+import java.net.URI;
+import java.security.AccessController;
+import java.security.GeneralSecurityException;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivilegedAction;
+import java.util.List;
+
+@MetaInfServices(value = DynamicSSLContextSPI.class)
+public class DynamicSSLContextImpl implements DynamicSSLContextSPI {
+
+    private final AuthenticationContextConfigurationClient AUTH_CONTEXT_CLIENT =
+            AccessController.doPrivileged((PrivilegedAction<AuthenticationContextConfigurationClient>) AuthenticationContextConfigurationClient::new);
+    private AuthenticationContext authenticationContext = AuthenticationContext.captureCurrent();
+    private SSLContext configuredDefaultSSLContext;
+    private List<SSLContext> configuredSSLContexts;
+
+    public DynamicSSLContextImpl() throws NoSuchAlgorithmException {
+        this.configuredSSLContexts = AUTH_CONTEXT_CLIENT.getConfiguredSSLContexts(authenticationContext);
+        this.configuredDefaultSSLContext = AUTH_CONTEXT_CLIENT.getDefaultSSLContext(authenticationContext);
+    }
+
+    @Override
+    public SSLContext getConfiguredDefault() {
+        return this.configuredDefaultSSLContext;
+    }
+
+    @Override
+    public List<SSLContext> getConfiguredSSLContexts() {
+        return this.configuredSSLContexts;
+    }
+
+    @Override
+    public SSLContext getSSLContext(URI uri) {
+        try {
+            return AUTH_CONTEXT_CLIENT.getSSLContext(uri, authenticationContext);
+        } catch (GeneralSecurityException e) {
+            throw new IllegalArgumentException(e);
+        }
+    }
+}

dynamic-ssl/pom.xml

@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <parent>
+        <groupId>org.wildfly.security</groupId>
+        <artifactId>wildfly-elytron-parent</artifactId>
+        <version>1.11.4.CR1-SNAPSHOT</version>
+    </parent>
+
+    <modelVersion>4.0.0</modelVersion>
+
+    <artifactId>wildfly-elytron-dynamic-ssl</artifactId>
+
+    <name>WildFly Elytron - Dynamic SSL</name>
+    <description>WildFly Security Dynamic SSL Implementation</description>
+</project>

dynamic-ssl/src/main/java/org/wildfly/security/dynamic/ssl/DynamicSSLContext.java

@@ -0,0 +1,11 @@
+package org.wildfly.security.dynamic.ssl;
+
+import javax.net.ssl.SSLContext;
+import java.security.NoSuchAlgorithmException;
+
+public final class DynamicSSLContext extends SSLContext {
+
+    public DynamicSSLContext() throws NoSuchAlgorithmException {
+        super(new DynamicSSLContextSpiImpl(SSLContext.getDefault()), SSLContext.getDefault().getProvider(), SSLContext.getDefault().getProtocol());
+    }
+}

dynamic-ssl/src/main/java/org/wildfly/security/dynamic/ssl/DynamicSSLContextException.java

@@ -0,0 +1,20 @@
+package org.wildfly.security.dynamic.ssl;
+
+public class DynamicSSLContextException extends Exception {
+    private static final long serialVersionUID = 894798122053539237L;
+
+    public DynamicSSLContextException() {
+    }
+
+    public DynamicSSLContextException(String msg) {
+        super(msg);
+    }
+
+    public DynamicSSLContextException(String message, Throwable cause) {
+        super(message, cause);
+    }
+
+    public DynamicSSLContextException(Throwable cause) {
+        super(cause);
+    }
+}

dynamic-ssl/src/main/java/org/wildfly/security/dynamic/ssl/DynamicSSLContextSPI.java

@@ -0,0 +1,12 @@
+package org.wildfly.security.dynamic.ssl;
+
+import javax.net.ssl.SSLContext;
+import java.net.URI;
+import java.util.List;
+
+public interface DynamicSSLContextSPI {
+
+    SSLContext getConfiguredDefault();
+    List<SSLContext> getConfiguredSSLContexts();
+    SSLContext getSSLContext(URI uri) throws DynamicSSLContextException;
+}

dynamic-ssl/src/main/java/org/wildfly/security/dynamic/ssl/DynamicSSLContextSpiImpl.java

@@ -0,0 +1,97 @@
+package org.wildfly.security.dynamic.ssl;
+
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLContextSpi;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLParameters;
+import javax.net.ssl.SSLServerSocketFactory;
+import javax.net.ssl.SSLSessionContext;
+import javax.net.ssl.SSLSocketFactory;
+import javax.net.ssl.TrustManager;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
+import java.util.Iterator;
+import java.util.ServiceLoader;
+
+final class DynamicSSLContextSpiImpl extends SSLContextSpi {
+
+    private final DynamicSSLContextSPI dynamicSSLContextImpl;
+    private final SSLContext configuredDefaultSSLContext;
+    private volatile SSLSocketFactory sslSocketFactory;
+
+    DynamicSSLContextSpiImpl(SSLContext fallbackSslContext) throws NoSuchAlgorithmException {
+        SSLContext configuredDefaultSSLContextTemp;
+        Iterator<DynamicSSLContextSPI> dynamicSSLContextSPIIterator = ServiceLoader.load(DynamicSSLContextSPI.class).iterator();
+        if (dynamicSSLContextSPIIterator.hasNext()) {
+            dynamicSSLContextImpl = dynamicSSLContextSPIIterator.next();
+            configuredDefaultSSLContextTemp = dynamicSSLContextImpl.getConfiguredDefault() == null ? SSLContext.getDefault() : dynamicSSLContextImpl.getConfiguredDefault();
+        } else {
+            dynamicSSLContextImpl = null;
+            configuredDefaultSSLContextTemp = fallbackSslContext;
+        }
+        this.configuredDefaultSSLContext = configuredDefaultSSLContextTemp;
+    }
+
+    @Override
+    protected void engineInit(KeyManager[] keyManagers, TrustManager[] trustManagers, SecureRandom secureRandom) {
+        // ignore
+    }
+
+    @Override
+    protected SSLSocketFactory engineGetSocketFactory() {
+        if (dynamicSSLContextImpl == null) {
+            return configuredDefaultSSLContext.getSocketFactory();
+        }
+        if (sslSocketFactory == null) {
+            synchronized (this) {
+                if (sslSocketFactory == null) {
+                    sslSocketFactory = new DynamicSslSocketFactory(configuredDefaultSSLContext.getSocketFactory(), dynamicSSLContextImpl);
+                }
+            }
+        }
+        return sslSocketFactory;
+    }
+
+    @Override
+    protected SSLServerSocketFactory engineGetServerSocketFactory() {
+        return this.configuredDefaultSSLContext.getServerSocketFactory();
+    }
+
+    @Override
+    protected SSLEngine engineCreateSSLEngine() {
+        return this.configuredDefaultSSLContext.createSSLEngine();
+    }
+
+    @Override
+    protected SSLEngine engineCreateSSLEngine(String host, int port) throws IllegalStateException {
+        if (dynamicSSLContextImpl == null) {
+            return configuredDefaultSSLContext.createSSLEngine(host, port);
+        }
+        try {
+            SSLContext sslContext = dynamicSSLContextImpl
+                    .getSSLContext(new URI(null, null, host, port, null, null, null));
+            return sslContext == null ? configuredDefaultSSLContext.createSSLEngine(host, port) : sslContext.createSSLEngine(host, port);
+        } catch (URISyntaxException | DynamicSSLContextException e) {
+            throw new IllegalStateException(e);
+        }
+    }
+
+    @Override
+    protected SSLSessionContext engineGetServerSessionContext() {
+        throw new UnsupportedOperationException("Dynamic SSLContext does not support sessions");
+    }
+
+    @Override
+    protected SSLSessionContext engineGetClientSessionContext() {
+        throw new UnsupportedOperationException("Dynamic SSLContext does not support sessions");
+
+    }
+
+    @Override
+    protected SSLParameters engineGetSupportedSSLParameters() {
+        return this.configuredDefaultSSLContext.getSupportedSSLParameters();
+    }
+}