activemq-commits mailing list archives

From clebertsuco...@apache.org
Subject [2/2] activemq-artemis git commit: ARTEMIS-478 Improve Openwire SslBrokerServiceTest
Date Tue, 12 Apr 2016 21:27:20 GMT
ARTEMIS-478 Improve Openwire SslBrokerServiceTest

Some of the SSL tests in openwire need to pass more options, such as
enabledCipherSuites, to the broker. The test util needs refactoring to
allow those options to be passed through.
Also, some of the cipher suites are obsolete in recent JREs, meaning they
are disabled by default for security reasons
(e.g. SSL_RSA_WITH_RC4_128_SHA). This causes an SSL handshake failure.
It can be fixed by using a more secure (not disabled) one, like
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.


Project: http://git-wip-us.apache.org/repos/asf/activemq-artemis/repo
Commit: http://git-wip-us.apache.org/repos/asf/activemq-artemis/commit/ee202484
Tree: http://git-wip-us.apache.org/repos/asf/activemq-artemis/tree/ee202484
Diff: http://git-wip-us.apache.org/repos/asf/activemq-artemis/diff/ee202484

Branch: refs/heads/master
Commit: ee202484046117bf5ce3b0e4ccfde2f873a63cd5
Parents: 03642fc
Author: Howard Gao <howard.gao@gmail.com>
Authored: Tue Apr 12 21:25:16 2016 +0800
Committer: Clebert Suconic <clebertsuconic@apache.org>
Committed: Tue Apr 12 17:26:51 2016 -0400

----------------------------------------------------------------------
 .../apache/activemq/broker/BrokerService.java   | 106 ++++++++++++++++---
 .../artemiswrapper/ArtemisBrokerWrapper.java    |  21 +---
 .../src/test/java/client.keystore               | Bin 2237 -> 2236 bytes
 .../transport/tcp/SslBrokerServiceTest.java     |  28 ++++-
 .../transport/tcp/SslTransportBrokerTest.java   |   2 +
 .../src/test/resources/client.keystore          | Bin 2237 -> 2236 bytes
 6 files changed, 118 insertions(+), 39 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/ee202484/tests/activemq5-unit-tests/src/main/java/org/apache/activemq/broker/BrokerService.java
----------------------------------------------------------------------
diff --git a/tests/activemq5-unit-tests/src/main/java/org/apache/activemq/broker/BrokerService.java
b/tests/activemq5-unit-tests/src/main/java/org/apache/activemq/broker/BrokerService.java
index 23fd584..224498e 100644
--- a/tests/activemq5-unit-tests/src/main/java/org/apache/activemq/broker/BrokerService.java
+++ b/tests/activemq5-unit-tests/src/main/java/org/apache/activemq/broker/BrokerService.java
@@ -39,6 +39,7 @@ import java.util.concurrent.atomic.AtomicInteger;
 
 import org.apache.activemq.ActiveMQConnectionMetaData;
 import org.apache.activemq.Service;
+import org.apache.activemq.artemis.core.remoting.impl.netty.TransportConstants;
 import org.apache.activemq.broker.artemiswrapper.ArtemisBrokerWrapper;
 import org.apache.activemq.broker.jmx.BrokerView;
 import org.apache.activemq.broker.jmx.ManagementContext;
@@ -578,22 +579,22 @@ public class BrokerService implements Service {
 
       }
 
-      System.out.println("Now host is: " + host);
       bindAddress = new URI(bindAddress.getScheme(), bindAddress.getUserInfo(),
               host, port, bindAddress.getPath(), bindAddress.getQuery(), bindAddress.getFragment());
 
       connector = new FakeTransportConnector(bindAddress);
       this.transportConnectors.add(connector);
-      this.extraConnectors.add(new ConnectorInfo(port));
+      this.extraConnectors.add(new ConnectorInfo(bindAddress));
 
       return connector;
    }
 
-   private int getPseudoRandomPort() {
-      int port = RANDOM_PORT_BASE.getAndIncrement();
+   private static int getPseudoRandomPort() {
+      int currentRandomPort = RANDOM_PORT_BASE.getAndIncrement();
       int maxTry = 20;
-      while (!checkPort(port)) {
-         port = RANDOM_PORT_BASE.getAndIncrement();
+      while (!checkPort(currentRandomPort)) {
+         currentRandomPort = RANDOM_PORT_BASE.getAndIncrement();
+         System.out.println("for port: " + currentRandomPort);
          maxTry--;
          if (maxTry == 0) {
             LOG.error("Too many port used");
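Review bot: The added `System.out.println("for port: " + currentRandomPort);` inside the retry loop writes to stdout, although the same method already reports through `LOG` a few lines later. I would route it through the logger at debug level, e.g. `LOG.debug("for port: " + currentRandomPort);`, or drop it. The `System.out.println("server uri:::::::::::: " + uri.toString());` added at the end of the `ConnectorInfo(URI)` constructor in the last hunk of this file has the same problem, and in the SSL branch it also prints the keystore password carried in the query string. The body of getPseudoRandomPort continues past this hunk.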
@@ -605,7 +606,7 @@ public class BrokerService implements Service {
          catch (InterruptedException e) {
          }
       }
-      return port;
+      return currentRandomPort;
    }
 
    public static boolean checkPort(final int port) {
@@ -782,7 +783,7 @@ public class BrokerService implements Service {
       try {
          if (this.extraConnectors.size() > 0) {
             ConnectorInfo info = extraConnectors.iterator().next();
-            Integer port = info.port;
+            Integer port = info.uri.getPort();
             String schema = info.ssl ? "ssl" : "tcp";
             uri = new URI(schema + "://localhost:" + port);
          } else {
@@ -796,27 +797,104 @@ public class BrokerService implements Service {
 
    public static class ConnectorInfo {
 
-      public int port;
+      public static final String defaultKeyStore = "server.keystore";
+      public static final String defaultKeyStorePassword = "password";
+      public static final String defaultKeyStoreType = "jks";
+      public static final String defaultTrustStore = "client.keystore";
+      public static final String defaultTrustStorePassword = "password";
+      public static final String defaultTrustStoreType = "jks";
+
+      public URI uri;
       public boolean ssl;
 
-      public ConnectorInfo(int port) {
+      public String keyStore;
+      public String keyStorePassword;
+      public String keyStoreType;
+
+      public String trustStore;
+      public String trustStorePassword;
+      public String trustStoreType;
+
+      public boolean clientAuth;
+
+      public ConnectorInfo(int port) throws URISyntaxException {
          this(port, false);
       }
 
-      public ConnectorInfo(int port, boolean ssl) {
-         this.port = port;
+      public ConnectorInfo(int port, boolean ssl) throws URISyntaxException {
+         this(port, ssl, false);
+      }
+
+      public ConnectorInfo(int port, boolean ssl, boolean clientAuth) throws URISyntaxException
{
          this.ssl = ssl;
+         if (port == 0) {
+            port = getPseudoRandomPort();
+         }
+
+         String baseUri = "tcp://localhost:" + port + "?protocols=OPENWIRE,CORE";
+         if (ssl) {
+            baseUri = baseUri + "&" + TransportConstants.KEYSTORE_PATH_PROP_NAME + "="
+ defaultKeyStore + "&"
+                    + TransportConstants.KEYSTORE_PASSWORD_PROP_NAME + "=" + defaultKeyStorePassword
+ "&"
+                    + TransportConstants.KEYSTORE_PROVIDER_PROP_NAME + "=" + defaultKeyStoreType;
+            if (clientAuth) {
+               baseUri = baseUri  + "&" + TransportConstants.NEED_CLIENT_AUTH_PROP_NAME
+ "=true" + "&"
+                       + TransportConstants.TRUSTSTORE_PATH_PROP_NAME + "=" + defaultTrustStore
+ "&"
+                       + TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME + "=" + defaultTrustStorePassword
+ "&"
+                       + TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME + "=" + defaultTrustStoreType;
+            }
+         }
+         this.uri = new URI(baseUri);
+      }
+
+      //bindAddress must be Artemis compliant, except
+      //scheme
+      public ConnectorInfo(URI bindAddress) throws URISyntaxException {
+
+         Integer port = bindAddress.getPort();
+         String host = bindAddress.getHost();
+         this.ssl = "ssl".equals(bindAddress.getScheme());
+
+         host = (host == null || host.length() == 0) ? "localhost" : host;
+         if ("0.0.0.0".equals(host)) {
+            host = "localhost";
+         }
+
+         if (port == 0) {
+            port = getPseudoRandomPort();
+         }
+
+         String query = bindAddress.getQuery();
+         if (!ssl || query != null && query.contains(TransportConstants.SSL_ENABLED_PROP_NAME))
{
+            //it means the uri is already configured ssl
+            uri = new URI("tcp", bindAddress.getUserInfo(),
+                    host, port, bindAddress.getPath(), bindAddress.getQuery(), bindAddress.getFragment());
+         }
+         else {
+            String baseUri = "tcp://" + host + ":" + port + "?protocols=OPENWIRE,CORE&"
+                    + TransportConstants.SSL_ENABLED_PROP_NAME + "=true&"
+                    + TransportConstants.KEYSTORE_PATH_PROP_NAME + "=" + defaultKeyStore
+ "&"
+                    + TransportConstants.KEYSTORE_PASSWORD_PROP_NAME + "=" + defaultKeyStorePassword
+ "&"
+                    + TransportConstants.KEYSTORE_PROVIDER_PROP_NAME + "=" + defaultKeyStoreType;
+            if (clientAuth) {
+               baseUri = baseUri + "&" + TransportConstants.NEED_CLIENT_AUTH_PROP_NAME
+ "=true" + "&"
+                       + TransportConstants.TRUSTSTORE_PATH_PROP_NAME + "=" + defaultTrustStore
+ "&"
+                       + TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME + "=" + defaultTrustStorePassword
+ "&"
+                       + TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME + "=" + defaultTrustStoreType;
+            }
+            uri = new URI(baseUri);
+         }
+         System.out.println("server uri:::::::::::: " + uri.toString());
       }
 
       @Override
       public int hashCode() {
-         return port;
+         return uri.getPort();
       }
 
       @Override
       public boolean equals(Object obj) {
          if (obj instanceof ConnectorInfo) {
-            return this.port == ((ConnectorInfo)obj).port;
+            return uri.getPort() == ((ConnectorInfo)obj).uri.getPort();
          }
          return false;
       }
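Review bot: `ConnectorInfo(int port, boolean ssl, boolean clientAuth)` appends the keystore parameters when `ssl` is true but never adds `TransportConstants.SSL_ENABLED_PROP_NAME + "=true"`, which the else branch of the `ConnectorInfo(URI)` constructor does add; since ArtemisBrokerWrapper now builds the acceptor from `info.uri` alone, a connector created this way presumably listens without TLS. The same constructor never assigns `this.clientAuth = clientAuth;`, and the URI constructor tests the `clientAuth` field before anything sets it, so its `if (clientAuth)` block can never add the truststore parameters. In the URI constructor, `query.contains(TransportConstants.SSL_ENABLED_PROP_NAME)` also matches a query that sets the property to false, so the comment "already configured ssl" holds only if callers never do that. I would add the missing SSL_ENABLED_PROP_NAME parameter and the field assignment, and build the query in one private helper shared by both constructors so the two paths cannot drift again.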

http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/ee202484/tests/activemq5-unit-tests/src/main/java/org/apache/activemq/broker/artemiswrapper/ArtemisBrokerWrapper.java
----------------------------------------------------------------------
diff --git a/tests/activemq5-unit-tests/src/main/java/org/apache/activemq/broker/artemiswrapper/ArtemisBrokerWrapper.java
b/tests/activemq5-unit-tests/src/main/java/org/apache/activemq/broker/artemiswrapper/ArtemisBrokerWrapper.java
index 94faf26..61c6d87 100644
--- a/tests/activemq5-unit-tests/src/main/java/org/apache/activemq/broker/artemiswrapper/ArtemisBrokerWrapper.java
+++ b/tests/activemq5-unit-tests/src/main/java/org/apache/activemq/broker/artemiswrapper/ArtemisBrokerWrapper.java
@@ -31,7 +31,6 @@ import org.apache.activemq.artemis.core.config.Configuration;
 import org.apache.activemq.artemis.core.config.impl.SecurityConfiguration;
 import org.apache.activemq.artemis.core.postoffice.Binding;
 import org.apache.activemq.artemis.core.registry.JndiBindingRegistry;
-import org.apache.activemq.artemis.core.remoting.impl.netty.TransportConstants;
 import org.apache.activemq.artemis.core.security.Role;
 import org.apache.activemq.artemis.core.server.impl.QueueImpl;
 import org.apache.activemq.artemis.core.settings.impl.AddressFullMessagePolicy;
@@ -165,25 +164,7 @@ public class ArtemisBrokerWrapper extends ArtemisBrokerBase {
    }
 
    private void addServerAcceptor(Configuration serverConfig, BrokerService.ConnectorInfo
info) throws Exception {
-      if (info.ssl) {
-         HashMap<String, Object> params = new HashMap<String, Object>();
-         params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
-         params.put(TransportConstants.PORT_PROP_NAME, info.port);
-         params.put(TransportConstants.PROTOCOLS_PROP_NAME, "OPENWIRE");
-         params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, bservice.SERVER_SIDE_KEYSTORE);
-         params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, bservice.KEYSTORE_PASSWORD);
-         params.put(TransportConstants.KEYSTORE_PROVIDER_PROP_NAME, bservice.storeType);
-         if (bservice.SERVER_SIDE_TRUSTSTORE != null) {
-            params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, bservice.SERVER_SIDE_TRUSTSTORE);
-            params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, bservice.TRUSTSTORE_PASSWORD);
-            params.put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, bservice.storeType);
-         }
-         TransportConfiguration sslTransportConfig = new TransportConfiguration(NETTY_ACCEPTOR_FACTORY,
params);
-         serverConfig.getAcceptorConfigurations().add(sslTransportConfig);
-      }
-      else {
-         serverConfig.addAcceptorConfiguration("homePort" + info.port, "tcp://localhost:"
+ info.port + "?protocols=OPENWIRE,CORE");
-      }
+      serverConfig.addAcceptorConfiguration("homePort" + info.uri.getPort(), info.uri.toString());
    }
 
    private void translatePolicyMap(Configuration serverConfig, PolicyMap policyMap) {
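Review bot: addServerAcceptor now takes every transport setting from `info.uri`, so the values it used to read from `bservice` (`SERVER_SIDE_KEYSTORE`, `KEYSTORE_PASSWORD`, `SERVER_SIDE_TRUSTSTORE`, `TRUSTSTORE_PASSWORD`, `storeType`) are no longer applied to the acceptor. If any test still sets those fields, it will silently get the `ConnectorInfo` defaults instead. A short comment on the method would make the new contract explicit, for example `// info.uri must already carry all TLS parameters (SSL flag, key/trust store); bservice store settings are not consulted here`. The acceptor name `"homePort" + info.uri.getPort()` also assumes one acceptor per port, which matches ConnectorInfo.equals but is worth stating.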

http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/ee202484/tests/activemq5-unit-tests/src/test/java/client.keystore
----------------------------------------------------------------------
diff --git a/tests/activemq5-unit-tests/src/test/java/client.keystore b/tests/activemq5-unit-tests/src/test/java/client.keystore
index a6f3396..f5a6760 100644
Binary files a/tests/activemq5-unit-tests/src/test/java/client.keystore and b/tests/activemq5-unit-tests/src/test/java/client.keystore
differ

http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/ee202484/tests/activemq5-unit-tests/src/test/java/org/apache/activemq/transport/tcp/SslBrokerServiceTest.java
----------------------------------------------------------------------
diff --git a/tests/activemq5-unit-tests/src/test/java/org/apache/activemq/transport/tcp/SslBrokerServiceTest.java
b/tests/activemq5-unit-tests/src/test/java/org/apache/activemq/transport/tcp/SslBrokerServiceTest.java
index d380246..5df0a9f 100644
--- a/tests/activemq5-unit-tests/src/test/java/org/apache/activemq/transport/tcp/SslBrokerServiceTest.java
+++ b/tests/activemq5-unit-tests/src/test/java/org/apache/activemq/transport/tcp/SslBrokerServiceTest.java
@@ -21,6 +21,7 @@ import java.io.ByteArrayOutputStream;
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.net.SocketException;
+import java.net.URI;
 import java.net.UnknownHostException;
 import java.security.KeyStore;
 
@@ -37,7 +38,9 @@ import junit.framework.Test;
 
 import junit.textui.TestRunner;
 
+import org.apache.activemq.artemis.core.remoting.impl.netty.TransportConstants;
 import org.apache.activemq.broker.BrokerService;
+import org.apache.activemq.broker.FakeTransportConnector;
 import org.apache.activemq.broker.SslBrokerService;
 import org.apache.activemq.broker.SslContext;
 import org.apache.activemq.broker.TransportConnector;
@@ -68,11 +71,27 @@ public class SslBrokerServiceTest extends TransportBrokerTestSupport {
       SslBrokerService service = new SslBrokerService();
       service.setPersistent(false);
 
+      String baseUri = getBindLocation();
+      String uri0 = baseUri + "?" + TransportConstants.SSL_ENABLED_PROP_NAME + "=true&"
+              + TransportConstants.KEYSTORE_PATH_PROP_NAME + "=" + SslTransportBrokerTest.SERVER_KEYSTORE
+ "&"
+              + TransportConstants.KEYSTORE_PASSWORD_PROP_NAME + "=" + SslTransportBrokerTest.PASSWORD
+ "&"
+              + TransportConstants.KEYSTORE_PROVIDER_PROP_NAME + "=" + SslTransportBrokerTest.KEYSTORE_TYPE;
+      String uri1 = uri0 + "&" + TransportConstants.ENABLED_CIPHER_SUITES_PROP_NAME +
"=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA";
+      String uri2 = uri0 + "&" + TransportConstants.NEED_CLIENT_AUTH_PROP_NAME + "=true&"
+              + TransportConstants.TRUSTSTORE_PATH_PROP_NAME + "=" + SslTransportBrokerTest.TRUST_KEYSTORE
+ "&"
+              + TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME + "=" + SslTransportBrokerTest.PASSWORD
+ "&"
+              + TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME + "=" + SslTransportBrokerTest.KEYSTORE_TYPE;
+
+      //broker side
+      TransportConnector serverConnector0 = service.addConnector(new URI(uri0));
+      connector = new FakeTransportConnector(new URI("ssl://localhost:" + serverConnector0.getUri().getPort()));
+      TransportConnector serverConnector1 = service.addConnector(new URI(uri1));
+      limitedCipherSuites = new FakeTransportConnector(new URI("ssl://localhost:" + serverConnector1.getUri().getPort()
+ "?transport.enabledCipherSuites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA"));
+      TransportConnector serverConnector2 = service.addConnector(new URI(uri2));
+      needClientAuthConnector = new FakeTransportConnector(new URI("ssl://localhost:" + serverConnector2.getUri().getPort()
+ "?transport.needClientAuth=true"));
+
       KeyManager[] km = getKeyManager();
       TrustManager[] tm = getTrustManager();
-      connector = service.addSslConnector(getBindLocation(), km, tm, null);
-      limitedCipherSuites = service.addSslConnector("ssl://localhost:0?transport.enabledCipherSuites=SSL_RSA_WITH_RC4_128_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
km, tm, null);
-      needClientAuthConnector = service.addSslConnector("ssl://localhost:0?transport.needClientAuth=true",
km, tm, null);
 
       // for client side
       SslTransportFactory sslFactory = new SslTransportFactory();
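Review bot: The cipher-suite list `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA` is written out twice, once in `uri1` for the broker and once in the client-side `limitedCipherSuites` URI, so the two can drift apart without the test noticing; a single constant such as `private static final String LIMITED_CIPHER_SUITES = "...";` used in both places would avoid that. The list still contains `SSL_DH_anon_WITH_3DES_EDE_CBC_SHA`, an anonymous (unauthenticated) 3DES suite of the same generation as the RC4 suite this commit replaces; if the test needs it, a one-line comment should say why, otherwise it should be removed. The URIs are also assembled with `baseUri + "?"`, which assumes `getBindLocation()` returns a URI without a query; that method is outside this hunk.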
@@ -118,13 +137,12 @@ public class SslBrokerServiceTest extends TransportBrokerTestSupport
{
       }
 
       // ok with the enabled one
-      makeSSLConnection(context, new String[]{"SSL_RSA_WITH_RC4_128_SHA"}, limitedCipherSuites);
+      makeSSLConnection(context, new String[]{"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}, limitedCipherSuites);
    }
 
    private void makeSSLConnection(SSLContext context,
                                   String enabledSuites[],
                                   TransportConnector connector) throws Exception, UnknownHostException,
SocketException {
-      System.out.println("-----connector: " + connector);
       SSLSocket sslSocket = (SSLSocket) context.getSocketFactory().createSocket("localhost",
connector.getUri().getPort());
 
       if (enabledSuites != null) {

http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/ee202484/tests/activemq5-unit-tests/src/test/java/org/apache/activemq/transport/tcp/SslTransportBrokerTest.java
----------------------------------------------------------------------
diff --git a/tests/activemq5-unit-tests/src/test/java/org/apache/activemq/transport/tcp/SslTransportBrokerTest.java
b/tests/activemq5-unit-tests/src/test/java/org/apache/activemq/transport/tcp/SslTransportBrokerTest.java
index d1f15ec..468b279 100644
--- a/tests/activemq5-unit-tests/src/test/java/org/apache/activemq/transport/tcp/SslTransportBrokerTest.java
+++ b/tests/activemq5-unit-tests/src/test/java/org/apache/activemq/transport/tcp/SslTransportBrokerTest.java
@@ -22,6 +22,7 @@ import java.net.URISyntaxException;
 import junit.framework.Test;
 
 import junit.textui.TestRunner;
+import org.apache.activemq.broker.BrokerService;
 import org.apache.activemq.transport.TransportBrokerTestSupport;
 
 public class SslTransportBrokerTest extends TransportBrokerTestSupport {
@@ -43,6 +44,7 @@ public class SslTransportBrokerTest extends TransportBrokerTestSupport {
 
    @Override
    protected void setUp() throws Exception {
+      BrokerService.disableWrapper = true;
       System.setProperty("javax.net.ssl.trustStore", TRUST_KEYSTORE);
       System.setProperty("javax.net.ssl.trustStorePassword", PASSWORD);
       System.setProperty("javax.net.ssl.trustStoreType", KEYSTORE_TYPE);
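Review bot: `BrokerService.disableWrapper = true;` sets a static flag in setUp, and nothing visible in this hunk restores it, so the setting may leak into whichever test class runs next in the same JVM. If tearDown (outside this hunk) does not already reset it, I would add `BrokerService.disableWrapper = false;` there, ideally in a `finally` block around `super.tearDown()`. A one-line comment on why the wrapper is disabled for this test would also help.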

http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/ee202484/tests/activemq5-unit-tests/src/test/resources/client.keystore
----------------------------------------------------------------------
diff --git a/tests/activemq5-unit-tests/src/test/resources/client.keystore b/tests/activemq5-unit-tests/src/test/resources/client.keystore
index a6f3396..f5a6760 100644
Binary files a/tests/activemq5-unit-tests/src/test/resources/client.keystore and b/tests/activemq5-unit-tests/src/test/resources/client.keystore
differ

