-
Notifications
You must be signed in to change notification settings - Fork 282
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[ELY-2112] Automatic registration of client side / JVM wide default S…
…SLContext
- Loading branch information
Showing
11 changed files
with
367 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
89 changes: 89 additions & 0 deletions
89
auth/client/src/main/java/org/wildfly/security/auth/client/DefaultSSLContextSpi.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,89 @@ | ||
| /* | ||
| * JBoss, Home of Professional Open Source. | ||
| * Copyright 2021 Red Hat, Inc., and individual contributors | ||
| * as indicated by the @author tags. | ||
| * | ||
| * Licensed under the Apache License, Version 2.0 (the "License"); | ||
| * you may not use this file except in compliance with the License. | ||
| * You may obtain a copy of the License at | ||
| * | ||
| * http://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, software | ||
| * distributed under the License is distributed on an "AS IS" BASIS, | ||
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| * See the License for the specific language governing permissions and | ||
| * limitations under the License. | ||
| */ | ||
| package org.wildfly.security.auth.client; | ||
|
|
||
| import org.wildfly.client.config.ConfigXMLParseException; | ||
|
|
||
| import javax.net.ssl.KeyManager; | ||
| import javax.net.ssl.SSLContext; | ||
| import javax.net.ssl.SSLContextSpi; | ||
| import javax.net.ssl.SSLEngine; | ||
| import javax.net.ssl.SSLServerSocketFactory; | ||
| import javax.net.ssl.SSLSessionContext; | ||
| import javax.net.ssl.SSLSocketFactory; | ||
| import javax.net.ssl.TrustManager; | ||
| import java.net.URI; | ||
| import java.net.URISyntaxException; | ||
| import java.security.AccessController; | ||
| import java.security.GeneralSecurityException; | ||
| import java.security.PrivilegedAction; | ||
| import java.security.SecureRandom; | ||
|
|
||
| public class DefaultSSLContextSpi extends SSLContextSpi { | ||
|
|
||
| private SSLContext configuredDefaultClientSSLContext; | ||
|
|
||
| public DefaultSSLContextSpi() throws GeneralSecurityException { | ||
| this(AuthenticationContext.captureCurrent()); | ||
| } | ||
|
|
||
| public DefaultSSLContextSpi(String configPath) throws GeneralSecurityException, URISyntaxException, ConfigXMLParseException { | ||
| this(ElytronXmlParser.parseAuthenticationClientConfiguration(new URI(configPath)).create()); | ||
| } | ||
|
|
||
| public DefaultSSLContextSpi(AuthenticationContext authenticationContext) throws GeneralSecurityException { | ||
| AuthenticationContextConfigurationClient AUTH_CONTEXT_CLIENT = AccessController.doPrivileged((PrivilegedAction<AuthenticationContextConfigurationClient>) AuthenticationContextConfigurationClient::new); | ||
| this.configuredDefaultClientSSLContext = AUTH_CONTEXT_CLIENT.getSSLContext(authenticationContext); | ||
| } | ||
|
|
||
| @Override | ||
| protected void engineInit(KeyManager[] keyManagers, TrustManager[] trustManagers, SecureRandom secureRandom) { | ||
| // ignore | ||
| } | ||
|
|
||
| @Override | ||
| protected SSLSocketFactory engineGetSocketFactory() { | ||
| return this.configuredDefaultClientSSLContext.getSocketFactory(); | ||
| } | ||
|
|
||
| @Override | ||
| protected SSLServerSocketFactory engineGetServerSocketFactory() { | ||
| return this.configuredDefaultClientSSLContext.getServerSocketFactory(); | ||
| } | ||
|
|
||
| @Override | ||
| protected SSLEngine engineCreateSSLEngine() { | ||
| return this.configuredDefaultClientSSLContext.createSSLEngine(); | ||
| } | ||
|
|
||
| @Override | ||
| protected SSLEngine engineCreateSSLEngine(String s, int i) { | ||
| return this.configuredDefaultClientSSLContext.createSSLEngine(s, i); | ||
| } | ||
|
|
||
| @Override | ||
| protected SSLSessionContext engineGetServerSessionContext() { | ||
| return this.configuredDefaultClientSSLContext.getServerSessionContext(); | ||
| } | ||
|
|
||
| @Override | ||
| protected SSLSessionContext engineGetClientSessionContext() { | ||
| return this.configuredDefaultClientSSLContext.getClientSessionContext(); | ||
| } | ||
|
|
||
| } |
96 changes: 96 additions & 0 deletions
96
...rc/main/java/org/wildfly/security/auth/client/ElytronClientDefaultSSLContextProvider.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,96 @@ | ||
| /* | ||
| * JBoss, Home of Professional Open Source. | ||
| * Copyright 2021 Red Hat, Inc., and individual contributors | ||
| * as indicated by the @author tags. | ||
| * | ||
| * Licensed under the Apache License, Version 2.0 (the "License"); | ||
| * you may not use this file except in compliance with the License. | ||
| * You may obtain a copy of the License at | ||
| * | ||
| * http://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, software | ||
| * distributed under the License is distributed on an "AS IS" BASIS, | ||
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| * See the License for the specific language governing permissions and | ||
| * limitations under the License. | ||
| */ | ||
| package org.wildfly.security.auth.client; | ||
|
|
||
| import org.wildfly.client.config.ConfigXMLParseException; | ||
| import org.wildfly.security.auth.client._private.ElytronMessages; | ||
|
|
||
| import java.net.URISyntaxException; | ||
| import java.security.GeneralSecurityException; | ||
| import java.security.NoSuchAlgorithmException; | ||
| import java.security.Provider; | ||
| import java.util.List; | ||
| import java.util.Map; | ||
|
|
||
| public final class ElytronClientDefaultSSLContextProvider extends Provider { | ||
|
|
||
| public ElytronClientDefaultSSLContextProvider() { | ||
| this(null); | ||
| } | ||
|
|
||
| public ElytronClientDefaultSSLContextProvider(String configPath) { | ||
| super("ElytronClientDefaultSSLContextProvider", 1.0, "Elytron client provider for default SSLContext"); | ||
| putService(new ClientSSLContextProviderService(this, "SSLContext", "Default", "org.wildfly.security.auth.client.DefaultSSLContextSpi", null, null, configPath)); | ||
| } | ||
|
|
||
| private static final class ClientSSLContextProviderService extends Provider.Service { | ||
| String configPath; | ||
| // this is Integer because we need to count the number of times entered | ||
| // entered.get()==2 means we requested this provider second time, creating a loop, so we throw an sslContextForSecurityProviderCreatesInfiniteLoop exception | ||
| // AuthenticationContextConfigurationClient receives sslContextForSecurityProviderCreatesInfiniteLoop exception during obtaining of default SSL context and will therefore request default SSL context from other providers | ||
| // after default SSL context from other provider is returned, we must check the entered variable again and throw an exception to inform users that this provider was unsuccessful because of invalid configuration | ||
| private final ThreadLocal<Integer> entered = new ThreadLocal<>(); | ||
|
|
||
| ClientSSLContextProviderService(Provider provider, String type, String algorithm, String className, List<String> aliases, | ||
| Map<String, String> attributes, String configPath) { | ||
| super(provider, type, algorithm, className, aliases, attributes); | ||
| this.configPath = configPath; | ||
| } | ||
|
|
||
| /** | ||
| * There is a risk of looping if the Elytron client configuration is invalid. | ||
| * Loop will happen when Elytron client provider has configured default SSL context to be SSLContext::getDefault. | ||
| * Entered variable counts the number of entrances in order to avoid this loop. | ||
| * When it is equal or higher than 2 the NoSuchAlgorithmException will be thrown. | ||
| * When this exception is encountered, JVM tries to obtain default SSLContext from providers of lower priority | ||
| * and returns it to Elytron client as the default SSL context. | ||
| * Since we do not want to wrap the SSL context from other provider with this provider, we will throw an exception again | ||
| * which makes JVM escape this provider entirely and continue in the list of other providers. | ||
| */ | ||
| @Override | ||
| public Object newInstance(Object ignored) throws NoSuchAlgorithmException { | ||
| Integer enteredCountTmp = entered.get(); | ||
| entered.set(enteredCountTmp == null ? 1 : enteredCountTmp + 1); | ||
| if (entered.get() >= 2) { | ||
| // we do not do clean up entered variable here because it is needed for the second check and possible throwing of second exception below | ||
| throw ElytronMessages.log.sslContextForSecurityProviderCreatesInfiniteLoop(); | ||
| } | ||
|
|
||
| DefaultSSLContextSpi sslContext; | ||
| try { | ||
| if (configPath == null) { | ||
| sslContext = new DefaultSSLContextSpi(AuthenticationContext.captureCurrent()); | ||
| } else { | ||
| sslContext = new DefaultSSLContextSpi(this.configPath); | ||
| } | ||
| // if we had an exception previously, then default SSLContext was still returned from other security provider of lower priority in | ||
| // AuthenticationContextConfigurationClient#getSSLContextFactory method. | ||
| // Since we do not want to wrap SSLContext from other provider with this provider, we need to check entered variable again | ||
| // and throw an exception which makes JVM ignore this provider and probe other providers again | ||
| if (entered.get() >= 2) { | ||
| throw ElytronMessages.log.sslContextForSecurityProviderCreatesInfiniteLoop(); | ||
| } | ||
| } catch (GeneralSecurityException | URISyntaxException | ConfigXMLParseException e) { | ||
| throw new NoSuchAlgorithmException(e); | ||
| } finally { | ||
| entered.remove(); | ||
| } | ||
| return sslContext; | ||
| } | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
29 changes: 29 additions & 0 deletions
29
.../wildfly/security/auth/client/DefaultSSLContextFromFileWorksAndHasPrecedenceTestCase.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,29 @@ | ||
| package org.wildfly.security.auth.client; | ||
|
|
||
| import org.junit.Assert; | ||
| import org.junit.Test; | ||
|
|
||
| import javax.net.ssl.SSLContext; | ||
| import java.security.NoSuchAlgorithmException; | ||
| import java.security.Security; | ||
|
|
||
| public class DefaultSSLContextFromFileWorksAndHasPrecedenceTestCase { | ||
| private static final String CONFIG_FILE = "file:./src/test/resources/org/wildfly/security/auth/client/test-wildfly-config-client-default-sslcontext.xml"; | ||
|
|
||
| @Test | ||
| public void testDefaultSSLContextFromFileWorksAndHasPrecedence() { | ||
| Security.insertProviderAt(new ElytronClientDefaultSSLContextProvider(CONFIG_FILE), 1); | ||
| Assert.assertNotNull(Security.getProvider("ElytronClientDefaultSSLContextProvider")); | ||
| AuthenticationContext.empty().run(() -> { // provider will not use current auth context but will use authentication context from the file passed to provider. File passed to provider has precedence | ||
| SSLContext cip = null; | ||
| try { | ||
| cip = SSLContext.getDefault(); | ||
| } catch (NoSuchAlgorithmException e) { | ||
| Assert.fail(); | ||
| } | ||
| Assert.assertNotNull(cip); | ||
| Assert.assertEquals(cip.getProvider().getName(), ElytronClientDefaultSSLContextProvider.class.getSimpleName()); | ||
| Assert.assertNotNull(cip.getSocketFactory()); | ||
| }); | ||
| } | ||
| } |
28 changes: 28 additions & 0 deletions
28
...security/auth/client/DefaultSSLContextProviderCanDelegateWhenConfigIsMissingTestCase.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,28 @@ | ||
| package org.wildfly.security.auth.client; | ||
|
|
||
| import org.junit.Assert; | ||
| import org.junit.Test; | ||
|
|
||
| import javax.net.ssl.SSLContext; | ||
| import java.security.NoSuchAlgorithmException; | ||
| import java.security.Security; | ||
|
|
||
| public class DefaultSSLContextProviderCanDelegateWhenConfigIsMissingTestCase { | ||
|
|
||
| @Test | ||
| public void testDefaultSSLContextProviderWillDelegateIfNoConfigured() { | ||
| Security.insertProviderAt(new ElytronClientDefaultSSLContextProvider(), 1); | ||
| Assert.assertEquals(ElytronClientDefaultSSLContextProvider.class.getSimpleName(), Security.getProvider("ElytronClientDefaultSSLContextProvider").getName()); | ||
| AuthenticationContext.empty().run(() -> { | ||
| SSLContext cip = null; | ||
| try { | ||
| cip = SSLContext.getDefault(); | ||
| } catch (NoSuchAlgorithmException e) { | ||
| Assert.fail(); | ||
| } | ||
| Assert.assertNotNull(cip); | ||
| Assert.assertNotEquals(cip.getProvider().getName(), ElytronClientDefaultSSLContextProvider.class.getSimpleName()); // different provider was used since no default SSL context configured in Elytron client | ||
| Assert.assertNotNull(cip.getSocketFactory()); | ||
| }); | ||
| } | ||
| } |
33 changes: 33 additions & 0 deletions
33
...t/java/org/wildfly/security/auth/client/DefaultSSLContextProviderDoesNotLoopTestCase.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| package org.wildfly.security.auth.client; | ||
|
|
||
| import org.junit.Assert; | ||
| import org.junit.Test; | ||
| import org.wildfly.client.config.ConfigXMLParseException; | ||
|
|
||
| import javax.net.ssl.SSLContext; | ||
| import java.net.URI; | ||
| import java.net.URISyntaxException; | ||
| import java.security.GeneralSecurityException; | ||
| import java.security.NoSuchAlgorithmException; | ||
| import java.security.Security; | ||
|
|
||
| public class DefaultSSLContextProviderDoesNotLoopTestCase { | ||
| private static final String CONFIG_FILE = "file:./src/test/resources/org/wildfly/security/auth/client/test-wildfly-config-default-ssl-context-invalid-looping.xml"; | ||
|
|
||
| @Test | ||
| public void testDefaultSSLContextProviderDoesNotLoopTestCase() throws GeneralSecurityException, URISyntaxException, ConfigXMLParseException { | ||
| Security.insertProviderAt(new ElytronClientDefaultSSLContextProvider(), 1); | ||
| AuthenticationContext authenticationContext = ElytronXmlParser.parseAuthenticationClientConfiguration(new URI(CONFIG_FILE)).create(); | ||
| authenticationContext.run(() -> { | ||
| SSLContext cip = null; | ||
| try { | ||
| cip = SSLContext.getDefault(); | ||
| } catch (NoSuchAlgorithmException e) { | ||
| Assert.fail(); | ||
| } | ||
| Assert.assertNotNull(cip); | ||
| Assert.assertNotEquals(cip.getProvider().getName(), ElytronClientDefaultSSLContextProvider.class.getSimpleName()); // diff provider was used since elytron provider is looping | ||
| Assert.assertNotNull(cip.getSocketFactory()); | ||
| }); | ||
| } | ||
| } |
33 changes: 33 additions & 0 deletions
33
...wildfly/security/auth/client/DefaultSSLContextProviderFromCurrentAuthContextTestCase.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| package org.wildfly.security.auth.client; | ||
|
|
||
| import org.junit.Assert; | ||
| import org.junit.Test; | ||
| import org.wildfly.client.config.ConfigXMLParseException; | ||
|
|
||
| import javax.net.ssl.SSLContext; | ||
| import java.net.URI; | ||
| import java.net.URISyntaxException; | ||
| import java.security.GeneralSecurityException; | ||
| import java.security.NoSuchAlgorithmException; | ||
| import java.security.Security; | ||
|
|
||
| public class DefaultSSLContextProviderFromCurrentAuthContextTestCase { | ||
| private static final String CONFIG_FILE = "file:./src/test/resources/org/wildfly/security/auth/client/test-wildfly-config-client-default-sslcontext.xml"; | ||
|
|
||
| @Test | ||
| public void testDefaultSSLContextTakenFromCurrentContext() throws GeneralSecurityException, URISyntaxException, ConfigXMLParseException { | ||
| Security.insertProviderAt(new ElytronClientDefaultSSLContextProvider(), 1); | ||
| AuthenticationContext authenticationContext = ElytronXmlParser.parseAuthenticationClientConfiguration(new URI(CONFIG_FILE)).create(); | ||
| authenticationContext.run(() -> { | ||
| SSLContext cip = null; | ||
| try { | ||
| cip = SSLContext.getDefault(); | ||
| } catch (NoSuchAlgorithmException e) { | ||
| Assert.fail(); | ||
| } | ||
| Assert.assertNotNull(cip); | ||
| Assert.assertEquals(cip.getProvider().getName(), ElytronClientDefaultSSLContextProvider.class.getSimpleName()); | ||
| Assert.assertNotNull(cip.getSocketFactory()); | ||
| }); | ||
| } | ||
| } |
30 changes: 30 additions & 0 deletions
30
...ources/org/wildfly/security/auth/client/test-wildfly-config-client-default-sslcontext.xml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| <?xml version="1.0" encoding="UTF-8"?> | ||
|
|
||
| <configuration> | ||
| <authentication-client xmlns="urn:elytron:client:1.5"> | ||
| <key-stores> | ||
| <key-store name="keystore1" type="JKS"> | ||
| <file name="src/test/resources/client.keystore"/> | ||
| <key-store-clear-password password="password"/> | ||
| </key-store> | ||
| </key-stores> | ||
| <ssl-contexts> | ||
| <default-ssl-context name="other-provider-default-sslcontext"/> | ||
| <ssl-context name="default-context"> | ||
| <providers> | ||
| <global/> | ||
| </providers> | ||
| <key-store-ssl-certificate key-store-name="keystore1"> | ||
| <key-store-clear-password password="password"/> | ||
| </key-store-ssl-certificate> | ||
| </ssl-context> | ||
| </ssl-contexts> | ||
| <ssl-context-rules> | ||
| <rule use-ssl-context="other-provider-default-sslcontext"> | ||
| <match-port number="12345"/> | ||
| </rule> | ||
| <rule use-ssl-context="default-context"> | ||
| </rule> | ||
| </ssl-context-rules> | ||
| </authentication-client> | ||
| </configuration> |
Oops, something went wrong.