qpid-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From kw...@apache.org
Subject [6/6] qpid-broker-j git commit: QPID-7869: [Java Broker] [Truststore] Make certificates within truststore warn about their impending expiry as keystores already do
Date Sun, 30 Jul 2017 19:49:17 GMT
QPID-7869: [Java Broker] [Truststore] Make certificates within truststore warn about their impending expiry as keystores already do

Pulled up common implementation into an abstract base-class


Project: http://git-wip-us.apache.org/repos/asf/qpid-broker-j/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-broker-j/commit/f218a1dd
Tree: http://git-wip-us.apache.org/repos/asf/qpid-broker-j/tree/f218a1dd
Diff: http://git-wip-us.apache.org/repos/asf/qpid-broker-j/diff/f218a1dd

Branch: refs/heads/master
Commit: f218a1dd811fec4cff3852bfa559b42791d97bbf
Parents: 391f0b8
Author: Keith Wall <kwall@apache.org>
Authored: Sun Jul 30 17:37:29 2017 +0100
Committer: Keith Wall <kwall@apache.org>
Committed: Sun Jul 30 19:32:46 2017 +0100

----------------------------------------------------------------------
 .../logging/messages/TrustStoreMessages.java    |  62 +++++
 .../messages/TrustStore_logmessages.properties  |   2 +
 .../org/apache/qpid/server/model/KeyStore.java  |   5 +
 .../apache/qpid/server/model/TrustStore.java    |  20 ++
 .../qpid/server/security/AbstractKeyStore.java  |  44 ++--
 .../server/security/AbstractTrustStore.java     | 251 +++++++++++++++++++
 .../AutoGeneratedSelfSignedKeyStoreImpl.java    |  27 +-
 .../server/security/FileTrustStoreImpl.java     | 121 +++------
 .../ManagedPeerCertificateTrustStoreImpl.java   | 124 ++-------
 .../server/security/NonJavaTrustStoreImpl.java  | 115 ++-------
 .../security/SiteSpecificTrustStoreImpl.java    | 103 ++------
 11 files changed, 469 insertions(+), 405 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/f218a1dd/broker-core/src/main/java/org/apache/qpid/server/logging/messages/TrustStoreMessages.java
----------------------------------------------------------------------
diff --git a/broker-core/src/main/java/org/apache/qpid/server/logging/messages/TrustStoreMessages.java b/broker-core/src/main/java/org/apache/qpid/server/logging/messages/TrustStoreMessages.java
index d3315dc..8fd1e9d 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/logging/messages/TrustStoreMessages.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/logging/messages/TrustStoreMessages.java
@@ -66,6 +66,7 @@ public class TrustStoreMessages
     public static final String CLOSE_LOG_HIERARCHY = DEFAULT_LOG_HIERARCHY_PREFIX + "truststore.close";
     public static final String CREATE_LOG_HIERARCHY = DEFAULT_LOG_HIERARCHY_PREFIX + "truststore.create";
     public static final String DELETE_LOG_HIERARCHY = DEFAULT_LOG_HIERARCHY_PREFIX + "truststore.delete";
+    public static final String EXPIRING_LOG_HIERARCHY = DEFAULT_LOG_HIERARCHY_PREFIX + "truststore.expiring";
     public static final String OPEN_LOG_HIERARCHY = DEFAULT_LOG_HIERARCHY_PREFIX + "truststore.open";
     public static final String OPERATION_LOG_HIERARCHY = DEFAULT_LOG_HIERARCHY_PREFIX + "truststore.operation";
 
@@ -75,6 +76,7 @@ public class TrustStoreMessages
         LoggerFactory.getLogger(CLOSE_LOG_HIERARCHY);
         LoggerFactory.getLogger(CREATE_LOG_HIERARCHY);
         LoggerFactory.getLogger(DELETE_LOG_HIERARCHY);
+        LoggerFactory.getLogger(EXPIRING_LOG_HIERARCHY);
         LoggerFactory.getLogger(OPEN_LOG_HIERARCHY);
         LoggerFactory.getLogger(OPERATION_LOG_HIERARCHY);
 
@@ -258,6 +260,66 @@ public class TrustStoreMessages
 
     /**
      * Log a TrustStore message of the Format:
+     * <pre>TST-1005 : TrustStore {0} Certificate expires in {1} days : {2}</pre>
+     * Optional values are contained in [square brackets] and are numbered
+     * sequentially in the method call.
+     *
+     */
+    public static LogMessage EXPIRING(String param1, String param2, String param3)
+    {
+        String rawMessage = _messages.getString("EXPIRING");
+
+        final Object[] messageArguments = {param1, param2, param3};
+        // Create a new MessageFormat to ensure thread safety.
+        // Sharing a MessageFormat and using applyPattern is not thread safe
+        MessageFormat formatter = new MessageFormat(rawMessage, _currentLocale);
+
+        final String message = formatter.format(messageArguments);
+
+        return new LogMessage()
+        {
+            @Override
+            public String toString()
+            {
+                return message;
+            }
+
+            @Override
+            public String getLogHierarchy()
+            {
+                return EXPIRING_LOG_HIERARCHY;
+            }
+
+            @Override
+            public boolean equals(final Object o)
+            {
+                if (this == o)
+                {
+                    return true;
+                }
+                if (o == null || getClass() != o.getClass())
+                {
+                    return false;
+                }
+
+                final LogMessage that = (LogMessage) o;
+
+                return getLogHierarchy().equals(that.getLogHierarchy()) && toString().equals(that.toString());
+
+            }
+
+            @Override
+            public int hashCode()
+            {
+                int result = toString().hashCode();
+                result = 31 * result + getLogHierarchy().hashCode();
+                return result;
+            }
+        };
+    }
+
+    /**
+     * Log a TrustStore message of the Format:
      * <pre>TST-1002 : Open</pre>
      * Optional values are contained in [square brackets] and are numbered
      * sequentially in the method call.

http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/f218a1dd/broker-core/src/main/java/org/apache/qpid/server/logging/messages/TrustStore_logmessages.properties
----------------------------------------------------------------------
diff --git a/broker-core/src/main/java/org/apache/qpid/server/logging/messages/TrustStore_logmessages.properties b/broker-core/src/main/java/org/apache/qpid/server/logging/messages/TrustStore_logmessages.properties
index feccef2..494f832 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/logging/messages/TrustStore_logmessages.properties
+++ b/broker-core/src/main/java/org/apache/qpid/server/logging/messages/TrustStore_logmessages.properties
@@ -24,4 +24,6 @@ CLOSE = TST-1003 : Close
 DELETE = TST-1004 : Delete "{0}"
 # 0 - operation name
 OPERATION = TST-1005 : Operation : {0}
+EXPIRING = TST-1005 : TrustStore {0} Certificate expires in {1} days : {2}
+
 

http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/f218a1dd/broker-core/src/main/java/org/apache/qpid/server/model/KeyStore.java
----------------------------------------------------------------------
diff --git a/broker-core/src/main/java/org/apache/qpid/server/model/KeyStore.java b/broker-core/src/main/java/org/apache/qpid/server/model/KeyStore.java
index 953709f..efbe6d5 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/model/KeyStore.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/model/KeyStore.java
@@ -36,6 +36,11 @@ public interface KeyStore<X extends KeyStore<X>> extends ConfiguredObject<X>
     @ManagedContextDefault(name = CERTIFICATE_EXPIRY_CHECK_FREQUENCY)
     int DEFAULT_CERTIFICATE_EXPIRY_CHECK_FREQUENCY = 1;
 
+    @DerivedAttribute
+    int getCertificateExpiryWarnPeriod();
+
+    @DerivedAttribute
+    int getCertificateExpiryCheckFrequency();
 
     KeyManager[] getKeyManagers() throws GeneralSecurityException;
 }

http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/f218a1dd/broker-core/src/main/java/org/apache/qpid/server/model/TrustStore.java
----------------------------------------------------------------------
diff --git a/broker-core/src/main/java/org/apache/qpid/server/model/TrustStore.java b/broker-core/src/main/java/org/apache/qpid/server/model/TrustStore.java
index 10a59d6..53bb1f0 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/model/TrustStore.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/model/TrustStore.java
@@ -31,6 +31,20 @@ import org.apache.qpid.server.security.CertificateDetails;
 @ManagedObject( defaultType = "FileTrustStore" )
 public interface TrustStore<X extends TrustStore<X>> extends ConfiguredObject<X>
 {
+    String CERTIFICATE_EXPIRY_WARN_PERIOD = "qpid.truststore.certificateExpiryWarnPeriod";
+
+    @ManagedContextDefault(name = CERTIFICATE_EXPIRY_WARN_PERIOD)
+    int DEFAULT_CERTIFICATE_EXPIRY_WARN_PERIOD = 30;
+
+    String CERTIFICATE_EXPIRY_CHECK_FREQUENCY = "qpid.truststore.certificateExpiryCheckFrequency";
+
+    @ManagedContextDefault(name = CERTIFICATE_EXPIRY_CHECK_FREQUENCY)
+    int DEFAULT_CERTIFICATE_EXPIRY_CHECK_FREQUENCY = 1;
+
+    @Override
+    @ManagedAttribute(immutable = true)
+    String getName();
+
     @ManagedAttribute( defaultValue = "false", description = "If true the Trust Store will expose its certificates as a special artificial message source.")
     boolean isExposedAsMessageSource();
 
@@ -43,6 +57,12 @@ public interface TrustStore<X extends TrustStore<X>> extends ConfiguredObject<X>
     @DerivedAttribute(description = "List of details about the certificates like validity dates, SANs, issuer and subject names, etc.")
     List<CertificateDetails> getCertificateDetails();
 
+    @DerivedAttribute
+    int getCertificateExpiryWarnPeriod();
+
+    @DerivedAttribute
+    int getCertificateExpiryCheckFrequency();
+
     TrustManager[] getTrustManagers() throws GeneralSecurityException;
 
     Certificate[] getCertificates() throws GeneralSecurityException;

http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/f218a1dd/broker-core/src/main/java/org/apache/qpid/server/security/AbstractKeyStore.java
----------------------------------------------------------------------
diff --git a/broker-core/src/main/java/org/apache/qpid/server/security/AbstractKeyStore.java b/broker-core/src/main/java/org/apache/qpid/server/security/AbstractKeyStore.java
index f931d2f..21a9564 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/security/AbstractKeyStore.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/security/AbstractKeyStore.java
@@ -51,7 +51,7 @@ public abstract class AbstractKeyStore<X extends AbstractKeyStore<X>>
 {
     private static Logger LOGGER = LoggerFactory.getLogger(AbstractKeyStore.class);
 
-    protected static final long ONE_DAY = 24l * 60l * 60l * 1000l;
+    protected static final long ONE_DAY = 24L * 60L * 60L * 1000L;
 
     private final Broker<?> _broker;
     private final EventLogger _eventLogger;
@@ -97,16 +97,7 @@ public abstract class AbstractKeyStore<X extends AbstractKeyStore<X>>
 
     protected void initializeExpiryChecking()
     {
-        int checkFrequency;
-        try
-        {
-            checkFrequency = getContextValue(Integer.class, CERTIFICATE_EXPIRY_CHECK_FREQUENCY);
-        }
-        catch (IllegalArgumentException | NullPointerException e)
-        {
-            LOGGER.warn("Cannot parse the context variable {} ", CERTIFICATE_EXPIRY_CHECK_FREQUENCY, e);
-            checkFrequency = DEFAULT_CERTIFICATE_EXPIRY_CHECK_FREQUENCY;
-        }
+        int checkFrequency = getCertificateExpiryCheckFrequency();
         if(getBroker().getState() == State.ACTIVE)
         {
             _checkExpiryTaskFuture = getBroker().scheduleHouseKeepingTask(checkFrequency, TimeUnit.DAYS, new Runnable()
@@ -129,14 +120,8 @@ public abstract class AbstractKeyStore<X extends AbstractKeyStore<X>>
                     if (newState == State.ACTIVE)
                     {
                         _checkExpiryTaskFuture =
-                                getBroker().scheduleHouseKeepingTask(frequency, TimeUnit.DAYS, new Runnable()
-                                {
-                                    @Override
-                                    public void run()
-                                    {
-                                        checkCertificateExpiry();
-                                    }
-                                });
+                                getBroker().scheduleHouseKeepingTask(frequency, TimeUnit.DAYS,
+                                                                     () -> checkCertificateExpiry());
                         getBroker().removeChangeListener(this);
                     }
                 }
@@ -149,7 +134,7 @@ public abstract class AbstractKeyStore<X extends AbstractKeyStore<X>>
         // verify that it is not in use
         String storeName = getName();
 
-        Collection<Port> ports = new ArrayList<Port>(getBroker().getPorts());
+        Collection<Port> ports = new ArrayList<>(getBroker().getPorts());
         for (Port port : ports)
         {
             if (port.getKeyStore() == this)
@@ -192,7 +177,8 @@ public abstract class AbstractKeyStore<X extends AbstractKeyStore<X>>
         }
     }
 
-    protected final int getCertificateExpiryWarnPeriod()
+    @Override
+    public final int getCertificateExpiryWarnPeriod()
     {
         try
         {
@@ -204,4 +190,20 @@ public abstract class AbstractKeyStore<X extends AbstractKeyStore<X>>
             return DEFAULT_CERTIFICATE_EXPIRY_WARN_PERIOD;
         }
     }
+
+    @Override
+    public int getCertificateExpiryCheckFrequency()
+    {
+        int checkFrequency;
+        try
+        {
+            checkFrequency = getContextValue(Integer.class, CERTIFICATE_EXPIRY_CHECK_FREQUENCY);
+        }
+        catch (IllegalArgumentException | NullPointerException e)
+        {
+            LOGGER.warn("Cannot parse the context variable {} ", CERTIFICATE_EXPIRY_CHECK_FREQUENCY, e);
+            checkFrequency = DEFAULT_CERTIFICATE_EXPIRY_CHECK_FREQUENCY;
+        }
+        return checkFrequency;
+    }
 }

http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/f218a1dd/broker-core/src/main/java/org/apache/qpid/server/security/AbstractTrustStore.java
----------------------------------------------------------------------
diff --git a/broker-core/src/main/java/org/apache/qpid/server/security/AbstractTrustStore.java b/broker-core/src/main/java/org/apache/qpid/server/security/AbstractTrustStore.java
new file mode 100644
index 0000000..db42d3b
--- /dev/null
+++ b/broker-core/src/main/java/org/apache/qpid/server/security/AbstractTrustStore.java
@@ -0,0 +1,251 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.qpid.server.security;
+
+import java.security.cert.CertificateExpiredException;
+import java.security.cert.CertificateNotYetValidException;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Date;
+import java.util.List;
+import java.util.Map;
+import java.util.concurrent.ScheduledFuture;
+import java.util.concurrent.TimeUnit;
+
+import com.google.common.util.concurrent.Futures;
+import com.google.common.util.concurrent.ListenableFuture;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import org.apache.qpid.server.logging.EventLogger;
+import org.apache.qpid.server.logging.messages.TrustStoreMessages;
+import org.apache.qpid.server.model.AbstractConfigurationChangeListener;
+import org.apache.qpid.server.model.AbstractConfiguredObject;
+import org.apache.qpid.server.model.AuthenticationProvider;
+import org.apache.qpid.server.model.Broker;
+import org.apache.qpid.server.model.ConfiguredObject;
+import org.apache.qpid.server.model.IntegrityViolationException;
+import org.apache.qpid.server.model.ManagedAttributeField;
+import org.apache.qpid.server.model.Port;
+import org.apache.qpid.server.model.State;
+import org.apache.qpid.server.model.TrustStore;
+import org.apache.qpid.server.model.VirtualHostNode;
+import org.apache.qpid.server.security.auth.manager.SimpleLDAPAuthenticationManager;
+
+public abstract class AbstractTrustStore<X extends AbstractTrustStore<X>>
+        extends AbstractConfiguredObject<X> implements TrustStore<X>
+{
+    private static Logger LOGGER = LoggerFactory.getLogger(AbstractTrustStore.class);
+
+    protected static final long ONE_DAY = 24L * 60L * 60L * 1000L;
+
+    private final Broker<?> _broker;
+    private final EventLogger _eventLogger;
+
+    @ManagedAttributeField
+    private boolean _exposedAsMessageSource;
+    @ManagedAttributeField
+    private List<VirtualHostNode<?>> _includedVirtualHostNodeMessageSources;
+    @ManagedAttributeField
+    private List<VirtualHostNode<?>> _excludedVirtualHostNodeMessageSources;
+
+    private ScheduledFuture<?> _checkExpiryTaskFuture;
+
+    public AbstractTrustStore(Map<String, Object> attributes, Broker<?> broker)
+    {
+        super(broker, attributes);
+
+        _broker = broker;
+        _eventLogger = broker.getEventLogger();
+        _eventLogger.message(TrustStoreMessages.CREATE(getName()));
+    }
+
+    public final Broker<?> getBroker()
+    {
+        return _broker;
+    }
+
+    final EventLogger getEventLogger()
+    {
+        return _eventLogger;
+    }
+
+    @Override
+    protected ListenableFuture<Void> onClose()
+    {
+        if(_checkExpiryTaskFuture != null)
+        {
+            _checkExpiryTaskFuture.cancel(false);
+            _checkExpiryTaskFuture = null;
+        }
+        return Futures.immediateFuture(null);
+    }
+
+    @Override
+    protected void logOperation(final String operation)
+    {
+        _broker.getEventLogger().message(TrustStoreMessages.OPERATION(operation));
+    }
+
+    protected void initializeExpiryChecking()
+    {
+        int checkFrequency = getCertificateExpiryCheckFrequency();
+        if(getBroker().getState() == State.ACTIVE)
+        {
+            _checkExpiryTaskFuture = getBroker().scheduleHouseKeepingTask(checkFrequency, TimeUnit.DAYS,
+                                                                          this::checkCertificateExpiry);
+        }
+        else
+        {
+            final int frequency = checkFrequency;
+            getBroker().addChangeListener(new AbstractConfigurationChangeListener()
+            {
+                @Override
+                public void stateChanged(final ConfiguredObject<?> object, final State oldState, final State newState)
+                {
+                    if (newState == State.ACTIVE)
+                    {
+                        _checkExpiryTaskFuture =
+                                getBroker().scheduleHouseKeepingTask(frequency, TimeUnit.DAYS,
+                                                                     () -> checkCertificateExpiry());
+                        getBroker().removeChangeListener(this);
+                    }
+                }
+            });
+        }
+    }
+
+    protected final ListenableFuture<Void> deleteIfNotInUse()
+    {
+        // verify that it is not in use
+        String storeName = getName();
+
+        Collection<Port<?>> ports = new ArrayList<>(_broker.getPorts());
+        for (Port port : ports)
+        {
+            Collection<TrustStore> trustStores = port.getTrustStores();
+            if(trustStores != null)
+            {
+                for (TrustStore store : trustStores)
+                {
+                    if(storeName.equals(store.getAttribute(TrustStore.NAME)))
+                    {
+                        throw new IntegrityViolationException("Trust store '"
+                                                              + storeName
+                                                              + "' can't be deleted as it is in use by a port: "
+                                                              + port.getName());
+                    }
+                }
+            }
+        }
+
+        Collection<AuthenticationProvider> authenticationProviders = new ArrayList<>(_broker.getAuthenticationProviders());
+        for (AuthenticationProvider authProvider : authenticationProviders)
+        {
+            if (authProvider instanceof SimpleLDAPAuthenticationManager)
+            {
+                SimpleLDAPAuthenticationManager simpleLdap = (SimpleLDAPAuthenticationManager) authProvider;
+                if (simpleLdap.getTrustStore() == this)
+                {
+                    throw new IntegrityViolationException("Trust store '"
+                                                          + storeName
+                                                          + "' can't be deleted as it is in use by an authentication manager: "
+                                                          + authProvider.getName());
+                }
+            }
+        }
+        deleted();
+        setState(State.DELETED);
+        _eventLogger.message(TrustStoreMessages.DELETE(getName()));
+        return Futures.immediateFuture(null);
+    }
+
+    protected abstract void checkCertificateExpiry();
+
+    protected void checkCertificateExpiry(final long currentTime,
+                                          final Date expiryTestDate,
+                                          final X509Certificate cert)
+    {
+        try
+        {
+            cert.checkValidity(expiryTestDate);
+        }
+        catch(CertificateExpiredException e)
+        {
+            long timeToExpiry = cert.getNotAfter().getTime() - currentTime;
+            int days = Math.max(0,(int)(timeToExpiry / (ONE_DAY)));
+
+            getEventLogger().message(TrustStoreMessages.EXPIRING(getName(), String.valueOf(days), cert.getSubjectDN().toString()));
+        }
+        catch(CertificateNotYetValidException e)
+        {
+            // ignore
+        }
+    }
+
+    @Override
+    public final int getCertificateExpiryWarnPeriod()
+    {
+        try
+        {
+            return getContextValue(Integer.class, CERTIFICATE_EXPIRY_WARN_PERIOD);
+        }
+        catch (NullPointerException | IllegalArgumentException e)
+        {
+            LOGGER.warn("The value of the context variable '{}' for truststore {} cannot be converted to an integer. The value {} will be used as a default", CERTIFICATE_EXPIRY_WARN_PERIOD, getName(), DEFAULT_CERTIFICATE_EXPIRY_WARN_PERIOD);
+            return DEFAULT_CERTIFICATE_EXPIRY_WARN_PERIOD;
+        }
+    }
+
+    @Override
+    public int getCertificateExpiryCheckFrequency()
+    {
+        int checkFrequency;
+        try
+        {
+            checkFrequency = getContextValue(Integer.class, CERTIFICATE_EXPIRY_CHECK_FREQUENCY);
+        }
+        catch (IllegalArgumentException | NullPointerException e)
+        {
+            LOGGER.warn("Cannot parse the context variable {} ", CERTIFICATE_EXPIRY_CHECK_FREQUENCY, e);
+            checkFrequency = DEFAULT_CERTIFICATE_EXPIRY_CHECK_FREQUENCY;
+        }
+        return checkFrequency;
+    }
+
+    @Override
+    public boolean isExposedAsMessageSource()
+    {
+        return _exposedAsMessageSource;
+    }
+
+    @Override
+    public List<VirtualHostNode<?>> getIncludedVirtualHostNodeMessageSources()
+    {
+        return _includedVirtualHostNodeMessageSources;
+    }
+
+    @Override
+    public List<VirtualHostNode<?>> getExcludedVirtualHostNodeMessageSources()
+    {
+        return _excludedVirtualHostNodeMessageSources;
+    }
+}

http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/f218a1dd/broker-core/src/main/java/org/apache/qpid/server/security/AutoGeneratedSelfSignedKeyStoreImpl.java
----------------------------------------------------------------------
diff --git a/broker-core/src/main/java/org/apache/qpid/server/security/AutoGeneratedSelfSignedKeyStoreImpl.java b/broker-core/src/main/java/org/apache/qpid/server/security/AutoGeneratedSelfSignedKeyStoreImpl.java
index eb0f3a3..d9cd0ee 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/security/AutoGeneratedSelfSignedKeyStoreImpl.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/security/AutoGeneratedSelfSignedKeyStoreImpl.java
@@ -63,7 +63,6 @@ import com.google.common.util.concurrent.ListenableFuture;
 import org.apache.qpid.server.configuration.IllegalConfigurationException;
 import org.apache.qpid.server.logging.EventLogger;
 import org.apache.qpid.server.logging.messages.KeyStoreMessages;
-import org.apache.qpid.server.model.AbstractConfiguredObject;
 import org.apache.qpid.server.model.Broker;
 import org.apache.qpid.server.model.Content;
 import org.apache.qpid.server.model.CustomRestHeaders;
@@ -78,7 +77,7 @@ import org.apache.qpid.server.transport.network.security.ssl.SSLUtil;
 import org.apache.qpid.server.util.Strings;
 
 public class AutoGeneratedSelfSignedKeyStoreImpl
-        extends AbstractConfiguredObject<AutoGeneratedSelfSignedKeyStoreImpl>
+        extends AbstractKeyStore<AutoGeneratedSelfSignedKeyStoreImpl>
         implements AutoGeneratedSelfSignedKeyStore<AutoGeneratedSelfSignedKeyStoreImpl>
 {
 
@@ -124,7 +123,7 @@ public class AutoGeneratedSelfSignedKeyStoreImpl
     @ManagedObjectFactoryConstructor(conditionallyAvailable = true)
     public AutoGeneratedSelfSignedKeyStoreImpl(final Map<String, Object> attributes, Broker<?> broker)
     {
-        super(broker, attributes);
+        super(attributes, broker);
         _broker = broker;
         _eventLogger = _broker.getEventLogger();
         _eventLogger.message(KeyStoreMessages.CREATE(getName()));
@@ -229,6 +228,13 @@ public class AutoGeneratedSelfSignedKeyStoreImpl
         _created = true;
     }
 
+    @Override
+    protected void onOpen()
+    {
+        super.onOpen();
+        initializeExpiryChecking();
+    }
+
     @StateTransition(currentState = { State.UNINITIALIZED, State.STOPPED, State.ERRORED}, desiredState = State.ACTIVE)
     protected ListenableFuture<Void> activate()
     {
@@ -349,6 +355,21 @@ public class AutoGeneratedSelfSignedKeyStoreImpl
         }
     }
 
+    @Override
+    protected void checkCertificateExpiry()
+    {
+        int expiryWarning = getCertificateExpiryWarnPeriod();
+        if(expiryWarning > 0)
+        {
+            long currentTime = System.currentTimeMillis();
+            Date expiryTestDate = new Date(currentTime + (ONE_DAY * (long) expiryWarning));
+
+            checkCertificatesExpiry(currentTime, expiryTestDate,
+                                    new X509Certificate[]{_certificate});
+        }
+    }
+
+
     private void generateKeyManagers()
     {
         try

http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/f218a1dd/broker-core/src/main/java/org/apache/qpid/server/security/FileTrustStoreImpl.java
----------------------------------------------------------------------
diff --git a/broker-core/src/main/java/org/apache/qpid/server/security/FileTrustStoreImpl.java b/broker-core/src/main/java/org/apache/qpid/server/security/FileTrustStoreImpl.java
index ae7e781..c1cd588 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/security/FileTrustStoreImpl.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/security/FileTrustStoreImpl.java
@@ -33,6 +33,7 @@ import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
+import java.util.Date;
 import java.util.Enumeration;
 import java.util.List;
 import java.util.Map;
@@ -47,30 +48,20 @@ import com.google.common.util.concurrent.Futures;
 import com.google.common.util.concurrent.ListenableFuture;
 
 import org.apache.qpid.server.configuration.IllegalConfigurationException;
-import org.apache.qpid.server.logging.EventLogger;
-import org.apache.qpid.server.logging.messages.TrustStoreMessages;
-import org.apache.qpid.server.model.AbstractConfiguredObject;
-import org.apache.qpid.server.model.AuthenticationProvider;
 import org.apache.qpid.server.model.Broker;
 import org.apache.qpid.server.model.ConfiguredObject;
-import org.apache.qpid.server.model.IntegrityViolationException;
 import org.apache.qpid.server.model.ManagedAttributeField;
 import org.apache.qpid.server.model.ManagedObjectFactoryConstructor;
-import org.apache.qpid.server.model.Port;
 import org.apache.qpid.server.model.State;
 import org.apache.qpid.server.model.StateTransition;
 import org.apache.qpid.server.model.TrustStore;
-import org.apache.qpid.server.model.VirtualHostNode;
-import org.apache.qpid.server.security.auth.manager.SimpleLDAPAuthenticationManager;
-import org.apache.qpid.server.util.urlstreamhandler.data.Handler;
 import org.apache.qpid.server.transport.network.security.ssl.QpidMultipleTrustManager;
 import org.apache.qpid.server.transport.network.security.ssl.QpidPeersOnlyTrustManager;
 import org.apache.qpid.server.transport.network.security.ssl.SSLUtil;
+import org.apache.qpid.server.util.urlstreamhandler.data.Handler;
 
-public class FileTrustStoreImpl extends AbstractConfiguredObject<FileTrustStoreImpl> implements FileTrustStore<FileTrustStoreImpl>
+public class FileTrustStoreImpl extends AbstractTrustStore<FileTrustStoreImpl> implements FileTrustStore<FileTrustStoreImpl>
 {
-    private final Broker<?> _broker;
-    private final EventLogger _eventLogger;
 
     @ManagedAttributeField
     private String _trustStoreType;
@@ -84,13 +75,6 @@ public class FileTrustStoreImpl extends AbstractConfiguredObject<FileTrustStoreI
     @ManagedAttributeField
     private String _password;
 
-    @ManagedAttributeField
-    private boolean _exposedAsMessageSource;
-    @ManagedAttributeField
-    private List<VirtualHostNode<?>> _includedVirtualHostNodeMessageSources;
-    @ManagedAttributeField
-    private List<VirtualHostNode<?>> _excludedVirtualHostNodeMessageSources;
-
     static
     {
         Handler.register();
@@ -99,10 +83,7 @@ public class FileTrustStoreImpl extends AbstractConfiguredObject<FileTrustStoreI
     @ManagedObjectFactoryConstructor
     public FileTrustStoreImpl(Map<String, Object> attributes, Broker<?> broker)
     {
-        super(broker, attributes);
-        _broker = broker;
-        _eventLogger = _broker.getEventLogger();
-        _eventLogger.message(TrustStoreMessages.CREATE(getName()));
+        super(attributes, broker);
     }
 
     @Override
@@ -119,52 +100,13 @@ public class FileTrustStoreImpl extends AbstractConfiguredObject<FileTrustStoreI
     @StateTransition(currentState = {State.ACTIVE, State.ERRORED}, desiredState = State.DELETED)
     protected ListenableFuture<Void> doDelete()
     {
-        // verify that it is not in use
-        String storeName = getName();
-
-        Collection<Port<?>> ports = new ArrayList<>(_broker.getPorts());
-        for (Port port : ports)
-        {
-            Collection<TrustStore> trustStores = port.getTrustStores();
-            if(trustStores != null)
-            {
-                for (TrustStore store : trustStores)
-                {
-                    if(storeName.equals(store.getAttribute(TrustStore.NAME)))
-                    {
-                        throw new IntegrityViolationException("Trust store '"
-                                + storeName
-                                + "' can't be deleted as it is in use by a port: "
-                                + port.getName());
-                    }
-                }
-            }
-        }
-
-        Collection<AuthenticationProvider> authenticationProviders = new ArrayList<>(_broker.getAuthenticationProviders());
-        for (AuthenticationProvider authProvider : authenticationProviders)
-        {
-            if (authProvider instanceof SimpleLDAPAuthenticationManager)
-            {
-                SimpleLDAPAuthenticationManager simpleLdap = (SimpleLDAPAuthenticationManager) authProvider;
-                if (simpleLdap.getTrustStore() == this)
-                {
-                    throw new IntegrityViolationException("Trust store '"
-                            + storeName
-                            + "' can't be deleted as it is in use by an authentication manager: "
-                            + authProvider.getName());
-                }
-            }
-        }
-        deleted();
-        setState(State.DELETED);
-        _eventLogger.message(TrustStoreMessages.DELETE(getName()));
-        return Futures.immediateFuture(null);
+        return deleteIfNotInUse();
     }
 
     @StateTransition(currentState = {State.UNINITIALIZED, State.ERRORED}, desiredState = State.ACTIVE)
     protected ListenableFuture<Void> doActivate()
     {
+        initializeExpiryChecking();
         setState(State.ACTIVE);
         return Futures.immediateFuture(null);
     }
@@ -179,10 +121,6 @@ public class FileTrustStoreImpl extends AbstractConfiguredObject<FileTrustStoreI
         {
             return;
         }
-        if(changedAttributes.contains(TrustStore.NAME) && !getName().equals(updated.getName()))
-        {
-            throw new IllegalConfigurationException("Changing the trust store name is not allowed");
-        }
         validateTrustStore(updated);
     }
 
@@ -347,7 +285,6 @@ public class FileTrustStoreImpl extends AbstractConfiguredObject<FileTrustStoreI
         }
     }
 
-
     @Override
     public List<CertificateDetails> getCertificateDetails()
     {
@@ -364,6 +301,28 @@ public class FileTrustStoreImpl extends AbstractConfiguredObject<FileTrustStoreI
         }
     }
 
+    @Override
+    protected void checkCertificateExpiry()
+    {
+        int expiryWarning = getCertificateExpiryWarnPeriod();
+        if(expiryWarning > 0)
+        {
+            long currentTime = System.currentTimeMillis();
+            Date expiryTestDate = new Date(currentTime + (ONE_DAY * (long) expiryWarning));
+
+            try
+            {
+                Arrays.stream(getCertificates())
+                      .filter(cert -> cert instanceof X509Certificate)
+                      .forEach(x509cert -> checkCertificateExpiry(currentTime, expiryTestDate,
+                                                                  (X509Certificate) x509cert));
+            }
+            catch (GeneralSecurityException e)
+            {
+            }
+        }
+    }
+
     private static URL getUrlFromString(String urlString) throws MalformedURLException
     {
         URL url;
@@ -392,28 +351,4 @@ public class FileTrustStoreImpl extends AbstractConfiguredObject<FileTrustStoreI
             _path = null;
         }
     }
-
-    @Override
-    public boolean isExposedAsMessageSource()
-    {
-        return _exposedAsMessageSource;
-    }
-
-    @Override
-    public List<VirtualHostNode<?>> getIncludedVirtualHostNodeMessageSources()
-    {
-        return _includedVirtualHostNodeMessageSources;
-    }
-
-    @Override
-    public List<VirtualHostNode<?>> getExcludedVirtualHostNodeMessageSources()
-    {
-        return _excludedVirtualHostNodeMessageSources;
-    }
-
-    @Override
-    protected void logOperation(final String operation)
-    {
-        _broker.getEventLogger().message(TrustStoreMessages.OPERATION(operation));
-    }
 }

http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/f218a1dd/broker-core/src/main/java/org/apache/qpid/server/security/ManagedPeerCertificateTrustStoreImpl.java
----------------------------------------------------------------------
diff --git a/broker-core/src/main/java/org/apache/qpid/server/security/ManagedPeerCertificateTrustStoreImpl.java b/broker-core/src/main/java/org/apache/qpid/server/security/ManagedPeerCertificateTrustStoreImpl.java
index 6133192..5042915 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/security/ManagedPeerCertificateTrustStoreImpl.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/security/ManagedPeerCertificateTrustStoreImpl.java
@@ -28,6 +28,7 @@ import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
+import java.util.Date;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Iterator;
@@ -46,41 +47,21 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import org.apache.qpid.server.configuration.IllegalConfigurationException;
-import org.apache.qpid.server.logging.EventLogger;
-import org.apache.qpid.server.logging.messages.TrustStoreMessages;
-import org.apache.qpid.server.model.AbstractConfiguredObject;
-import org.apache.qpid.server.model.AuthenticationProvider;
 import org.apache.qpid.server.model.Broker;
-import org.apache.qpid.server.model.ConfiguredObject;
-import org.apache.qpid.server.model.IntegrityViolationException;
 import org.apache.qpid.server.model.ManagedAttributeField;
 import org.apache.qpid.server.model.ManagedObject;
 import org.apache.qpid.server.model.ManagedObjectFactoryConstructor;
-import org.apache.qpid.server.model.Port;
 import org.apache.qpid.server.model.State;
 import org.apache.qpid.server.model.StateTransition;
-import org.apache.qpid.server.model.TrustStore;
-import org.apache.qpid.server.model.VirtualHostNode;
-import org.apache.qpid.server.security.auth.manager.SimpleLDAPAuthenticationManager;
 import org.apache.qpid.server.transport.network.security.ssl.QpidMultipleTrustManager;
 import org.apache.qpid.server.transport.network.security.ssl.QpidPeersOnlyTrustManager;
 
 @ManagedObject( category = false )
 public class ManagedPeerCertificateTrustStoreImpl
-        extends AbstractConfiguredObject<ManagedPeerCertificateTrustStoreImpl> implements ManagedPeerCertificateTrustStore<ManagedPeerCertificateTrustStoreImpl>
+        extends AbstractTrustStore<ManagedPeerCertificateTrustStoreImpl> implements ManagedPeerCertificateTrustStore<ManagedPeerCertificateTrustStoreImpl>
 {
     private static final Logger LOGGER = LoggerFactory.getLogger(ManagedPeerCertificateTrustStoreImpl.class);
 
-    private final Broker<?> _broker;
-    private final EventLogger _eventLogger;
-
-    @ManagedAttributeField
-    private boolean _exposedAsMessageSource;
-    @ManagedAttributeField
-    private List<VirtualHostNode<?>> _includedVirtualHostNodeMessageSources;
-    @ManagedAttributeField
-    private List<VirtualHostNode<?>> _excludedVirtualHostNodeMessageSources;
-
     private volatile TrustManager[] _trustManagers = new TrustManager[0];
 
     @ManagedAttributeField( afterSet = "updateTrustManagers")
@@ -89,10 +70,7 @@ public class ManagedPeerCertificateTrustStoreImpl
     @ManagedObjectFactoryConstructor
     public ManagedPeerCertificateTrustStoreImpl(final Map<String, Object> attributes, Broker<?> broker)
     {
-        super(broker, attributes);
-        _broker = broker;
-        _eventLogger = _broker.getEventLogger();
-        _eventLogger.message(TrustStoreMessages.CREATE(getName()));
+        super(attributes, broker);
     }
 
     @Override
@@ -114,71 +92,17 @@ public class ManagedPeerCertificateTrustStoreImpl
     @StateTransition(currentState = {State.ACTIVE, State.ERRORED}, desiredState = State.DELETED)
     protected ListenableFuture<Void> doDelete()
     {
-        // verify that it is not in use
-        String storeName = getName();
-
-        Collection<Port<?>> ports = new ArrayList<>(_broker.getPorts());
-        for (Port port : ports)
-        {
-            Collection<TrustStore> trustStores = port.getTrustStores();
-            if(trustStores != null)
-            {
-                for (TrustStore store : trustStores)
-                {
-                    if(storeName.equals(store.getAttribute(TrustStore.NAME)))
-                    {
-                        throw new IntegrityViolationException("Trust store '"
-                                + storeName
-                                + "' can't be deleted as it is in use by a port: "
-                                + port.getName());
-                    }
-                }
-            }
-        }
-
-        Collection<AuthenticationProvider> authenticationProviders = new ArrayList<AuthenticationProvider>(_broker.getAuthenticationProviders());
-        for (AuthenticationProvider authProvider : authenticationProviders)
-        {
-            if(authProvider.getAttributeNames().contains(SimpleLDAPAuthenticationManager.TRUST_STORE))
-            {
-                Object attributeType = authProvider.getAttribute(AuthenticationProvider.TYPE);
-                Object attributeValue = authProvider.getAttribute(SimpleLDAPAuthenticationManager.TRUST_STORE);
-                if (SimpleLDAPAuthenticationManager.PROVIDER_TYPE.equals(attributeType)
-                        && storeName.equals(attributeValue))
-                {
-                    throw new IntegrityViolationException("Trust store '"
-                            + storeName
-                            + "' can't be deleted as it is in use by an authentication manager: "
-                            + authProvider.getName());
-                }
-            }
-        }
-        deleted();
-        setState(State.DELETED);
-        _eventLogger.message(TrustStoreMessages.DELETE(getName()));
-        return Futures.immediateFuture(null);
+        return deleteIfNotInUse();
     }
 
     @StateTransition(currentState = {State.UNINITIALIZED, State.ERRORED}, desiredState = State.ACTIVE)
     protected ListenableFuture<Void> doActivate()
     {
+        initializeExpiryChecking();
         setState(State.ACTIVE);
         return Futures.immediateFuture(null);
     }
 
-
-    @Override
-    protected void validateChange(final ConfiguredObject<?> proxyForValidation, final Set<String> changedAttributes)
-    {
-        super.validateChange(proxyForValidation, changedAttributes);
-        ManagedPeerCertificateTrustStore<?> changedStore = (ManagedPeerCertificateTrustStore) proxyForValidation;
-        if (changedAttributes.contains(NAME) && !getName().equals(changedStore.getName()))
-        {
-            throw new IllegalConfigurationException("Changing the key store name is not allowed");
-        }
-    }
-
-
     @SuppressWarnings("unused")
     private void updateTrustManagers()
     {
@@ -235,25 +159,6 @@ public class ManagedPeerCertificateTrustStoreImpl
         }
     }
 
-
-    @Override
-    public boolean isExposedAsMessageSource()
-    {
-        return _exposedAsMessageSource;
-    }
-
-    @Override
-    public List<VirtualHostNode<?>> getIncludedVirtualHostNodeMessageSources()
-    {
-        return _includedVirtualHostNodeMessageSources;
-    }
-
-    @Override
-    public List<VirtualHostNode<?>> getExcludedVirtualHostNodeMessageSources()
-    {
-        return _excludedVirtualHostNodeMessageSources;
-    }
-
     @Override
     public List<Certificate> getStoredCertificates()
     {
@@ -266,7 +171,7 @@ public class ManagedPeerCertificateTrustStoreImpl
         final Set<Certificate> certificates = new LinkedHashSet<>(_storedCertificates);
         if (certificates.add(cert))
         {
-            setAttributes(Collections.<String, Object>singletonMap("storedCertificates", certificates));
+            setAttributes(Collections.singletonMap("storedCertificates", certificates));
         }
     }
 
@@ -318,14 +223,23 @@ public class ManagedPeerCertificateTrustStoreImpl
 
         if (updated)
         {
-            setAttributes(Collections.<String, Object>singletonMap("storedCertificates", currentCerts));
+            setAttributes(Collections.singletonMap("storedCertificates", currentCerts));
         }
     }
 
-
     @Override
-    protected void logOperation(final String operation)
+    protected void checkCertificateExpiry()
     {
-        _broker.getEventLogger().message(TrustStoreMessages.OPERATION(operation));
+        int expiryWarning = getCertificateExpiryWarnPeriod();
+        if(expiryWarning > 0)
+        {
+            long currentTime = System.currentTimeMillis();
+            Date expiryTestDate = new Date(currentTime + (ONE_DAY * (long) expiryWarning));
+
+            _storedCertificates.stream()
+                               .filter(cert -> cert instanceof X509Certificate)
+                               .forEach(x509cert -> checkCertificateExpiry(currentTime, expiryTestDate,
+                                                                           (X509Certificate) x509cert));
+        }
     }
 }

http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/f218a1dd/broker-core/src/main/java/org/apache/qpid/server/security/NonJavaTrustStoreImpl.java
----------------------------------------------------------------------
diff --git a/broker-core/src/main/java/org/apache/qpid/server/security/NonJavaTrustStoreImpl.java b/broker-core/src/main/java/org/apache/qpid/server/security/NonJavaTrustStoreImpl.java
index 385ea02..d98c821 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/security/NonJavaTrustStoreImpl.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/security/NonJavaTrustStoreImpl.java
@@ -27,10 +27,9 @@ import java.net.URL;
 import java.security.GeneralSecurityException;
 import java.security.cert.Certificate;
 import java.security.cert.X509Certificate;
-import java.util.ArrayList;
 import java.util.Arrays;
-import java.util.Collection;
 import java.util.Collections;
+import java.util.Date;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -45,42 +44,25 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import org.apache.qpid.server.configuration.IllegalConfigurationException;
-import org.apache.qpid.server.logging.EventLogger;
-import org.apache.qpid.server.logging.messages.TrustStoreMessages;
-import org.apache.qpid.server.model.AbstractConfiguredObject;
-import org.apache.qpid.server.model.AuthenticationProvider;
 import org.apache.qpid.server.model.Broker;
 import org.apache.qpid.server.model.ConfiguredObject;
-import org.apache.qpid.server.model.IntegrityViolationException;
 import org.apache.qpid.server.model.ManagedAttributeField;
 import org.apache.qpid.server.model.ManagedObject;
 import org.apache.qpid.server.model.ManagedObjectFactoryConstructor;
-import org.apache.qpid.server.model.Port;
 import org.apache.qpid.server.model.State;
 import org.apache.qpid.server.model.StateTransition;
-import org.apache.qpid.server.model.TrustStore;
 import org.apache.qpid.server.model.VirtualHostNode;
-import org.apache.qpid.server.security.auth.manager.SimpleLDAPAuthenticationManager;
 import org.apache.qpid.server.transport.network.security.ssl.SSLUtil;
 import org.apache.qpid.server.util.urlstreamhandler.data.Handler;
 
 @ManagedObject( category = false )
 public class NonJavaTrustStoreImpl
-        extends AbstractConfiguredObject<NonJavaTrustStoreImpl> implements NonJavaTrustStore<NonJavaTrustStoreImpl>
+        extends AbstractTrustStore<NonJavaTrustStoreImpl> implements NonJavaTrustStore<NonJavaTrustStoreImpl>
 {
     private static final Logger LOGGER = LoggerFactory.getLogger(NonJavaTrustStoreImpl.class);
 
-    private final Broker<?> _broker;
-    private final EventLogger _eventLogger;
-
     @ManagedAttributeField( afterSet = "updateTrustManagers" )
     private String _certificatesUrl;
-    @ManagedAttributeField
-    private boolean _exposedAsMessageSource;
-    @ManagedAttributeField
-    private List<VirtualHostNode<?>> _includedVirtualHostNodeMessageSources;
-    @ManagedAttributeField
-    private List<VirtualHostNode<?>> _excludedVirtualHostNodeMessageSources;
 
     private volatile TrustManager[] _trustManagers = new TrustManager[0];
 
@@ -96,10 +78,7 @@ public class NonJavaTrustStoreImpl
     @ManagedObjectFactoryConstructor
     public NonJavaTrustStoreImpl(final Map<String, Object> attributes, Broker<?> broker)
     {
-        super(broker, attributes);
-        _broker = broker;
-        _eventLogger = _broker.getEventLogger();
-        _eventLogger.message(TrustStoreMessages.CREATE(getName()));
+        super(attributes, broker);
     }
 
     @Override
@@ -152,54 +131,13 @@ public class NonJavaTrustStoreImpl
     @StateTransition(currentState = {State.ACTIVE, State.ERRORED}, desiredState = State.DELETED)
     protected ListenableFuture<Void> doDelete()
     {
-        // verify that it is not in use
-        String storeName = getName();
-
-        Collection<Port<?>> ports = new ArrayList<Port<?>>(_broker.getPorts());
-        for (Port port : ports)
-        {
-            Collection<TrustStore> trustStores = port.getTrustStores();
-            if(trustStores != null)
-            {
-                for (TrustStore store : trustStores)
-                {
-                    if(storeName.equals(store.getAttribute(TrustStore.NAME)))
-                    {
-                        throw new IntegrityViolationException("Trust store '"
-                                + storeName
-                                + "' can't be deleted as it is in use by a port: "
-                                + port.getName());
-                    }
-                }
-            }
-        }
-
-        Collection<AuthenticationProvider> authenticationProviders = new ArrayList<AuthenticationProvider>(_broker.getAuthenticationProviders());
-        for (AuthenticationProvider authProvider : authenticationProviders)
-        {
-            if(authProvider.getAttributeNames().contains(SimpleLDAPAuthenticationManager.TRUST_STORE))
-            {
-                Object attributeType = authProvider.getAttribute(AuthenticationProvider.TYPE);
-                Object attributeValue = authProvider.getAttribute(SimpleLDAPAuthenticationManager.TRUST_STORE);
-                if (SimpleLDAPAuthenticationManager.PROVIDER_TYPE.equals(attributeType)
-                        && storeName.equals(attributeValue))
-                {
-                    throw new IntegrityViolationException("Trust store '"
-                            + storeName
-                            + "' can't be deleted as it is in use by an authentication manager: "
-                            + authProvider.getName());
-                }
-            }
-        }
-        deleted();
-        setState(State.DELETED);
-        _eventLogger.message(TrustStoreMessages.DELETE(getName()));
-        return Futures.immediateFuture(null);
+        return deleteIfNotInUse();
     }
 
     @StateTransition(currentState = {State.UNINITIALIZED, State.ERRORED}, desiredState = State.ACTIVE)
     protected ListenableFuture<Void> doActivate()
     {
+        initializeExpiryChecking();
         setState(State.ACTIVE);
         return Futures.immediateFuture(null);
     }
@@ -209,11 +147,23 @@ public class NonJavaTrustStoreImpl
     {
         super.validateChange(proxyForValidation, changedAttributes);
         NonJavaTrustStore changedStore = (NonJavaTrustStore) proxyForValidation;
-        if (changedAttributes.contains(NAME) && !getName().equals(changedStore.getName()))
+        validateTrustStoreAttributes(changedStore);
+    }
+
+    @Override
+    protected void checkCertificateExpiry()
+    {
+        int expiryWarning = getCertificateExpiryWarnPeriod();
+        if(expiryWarning > 0)
         {
-            throw new IllegalConfigurationException("Changing the key store name is not allowed");
+            long currentTime = System.currentTimeMillis();
+            Date expiryTestDate = new Date(currentTime + (ONE_DAY * (long) expiryWarning));
+
+            Arrays.stream(_certificates)
+                  .filter(cert -> cert instanceof X509Certificate)
+                  .forEach(x509cert -> checkCertificateExpiry(currentTime, expiryTestDate,
+                                                              x509cert));
         }
-        validateTrustStoreAttributes(changedStore);
     }
 
     private void validateTrustStoreAttributes(NonJavaTrustStore<?> keyStore)
@@ -276,29 +226,4 @@ public class NonJavaTrustStoreImpl
         }
         return url;
     }
-
-
-    @Override
-    public boolean isExposedAsMessageSource()
-    {
-        return _exposedAsMessageSource;
-    }
-
-    @Override
-    public List<VirtualHostNode<?>> getIncludedVirtualHostNodeMessageSources()
-    {
-        return _includedVirtualHostNodeMessageSources;
-    }
-
-    @Override
-    public List<VirtualHostNode<?>> getExcludedVirtualHostNodeMessageSources()
-    {
-        return _excludedVirtualHostNodeMessageSources;
-    }
-
-    @Override
-    protected void logOperation(final String operation)
-    {
-        _broker.getEventLogger().message(TrustStoreMessages.OPERATION(operation));
-    }
 }

http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/f218a1dd/broker-core/src/main/java/org/apache/qpid/server/security/SiteSpecificTrustStoreImpl.java
----------------------------------------------------------------------
diff --git a/broker-core/src/main/java/org/apache/qpid/server/security/SiteSpecificTrustStoreImpl.java b/broker-core/src/main/java/org/apache/qpid/server/security/SiteSpecificTrustStoreImpl.java
index 891403b..bb93101 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/security/SiteSpecificTrustStoreImpl.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/security/SiteSpecificTrustStoreImpl.java
@@ -31,9 +31,8 @@ import java.security.cert.CertificateEncodingException;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-import java.util.Collection;
 import java.util.Collections;
+import java.util.Date;
 import java.util.List;
 import java.util.Map;
 import java.util.concurrent.Callable;
@@ -58,41 +57,23 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import org.apache.qpid.server.configuration.IllegalConfigurationException;
-import org.apache.qpid.server.logging.EventLogger;
-import org.apache.qpid.server.logging.messages.TrustStoreMessages;
-import org.apache.qpid.server.model.AbstractConfiguredObject;
-import org.apache.qpid.server.model.AuthenticationProvider;
 import org.apache.qpid.server.model.Broker;
-import org.apache.qpid.server.model.IntegrityViolationException;
 import org.apache.qpid.server.model.ManagedAttributeField;
 import org.apache.qpid.server.model.ManagedObject;
 import org.apache.qpid.server.model.ManagedObjectFactoryConstructor;
-import org.apache.qpid.server.model.Port;
 import org.apache.qpid.server.model.State;
 import org.apache.qpid.server.model.StateTransition;
-import org.apache.qpid.server.model.TrustStore;
-import org.apache.qpid.server.model.VirtualHostNode;
-import org.apache.qpid.server.security.auth.manager.SimpleLDAPAuthenticationManager;
 import org.apache.qpid.server.transport.network.security.ssl.SSLUtil;
 import org.apache.qpid.server.util.Strings;
 
 @ManagedObject( category = false )
 public class SiteSpecificTrustStoreImpl
-        extends AbstractConfiguredObject<SiteSpecificTrustStoreImpl> implements SiteSpecificTrustStore<SiteSpecificTrustStoreImpl>
+        extends AbstractTrustStore<SiteSpecificTrustStoreImpl> implements SiteSpecificTrustStore<SiteSpecificTrustStoreImpl>
 {
     private static final Logger LOGGER = LoggerFactory.getLogger(SiteSpecificTrustStoreImpl.class);
 
-    private final Broker<?> _broker;
-    private final EventLogger _eventLogger;
-
     @ManagedAttributeField
     private String _siteUrl;
-    @ManagedAttributeField
-    private boolean _exposedAsMessageSource;
-    @ManagedAttributeField
-    private List<VirtualHostNode<?>> _includedVirtualHostNodeMessageSources;
-    @ManagedAttributeField
-    private List<VirtualHostNode<?>> _excludedVirtualHostNodeMessageSources;
 
     private volatile TrustManager[] _trustManagers = new TrustManager[0];
 
@@ -103,10 +84,7 @@ public class SiteSpecificTrustStoreImpl
     @ManagedObjectFactoryConstructor
     public SiteSpecificTrustStoreImpl(final Map<String, Object> attributes, Broker<?> broker)
     {
-        super(broker, attributes);
-        _broker = broker;
-        _eventLogger = _broker.getEventLogger();
-        _eventLogger.message(TrustStoreMessages.CREATE(getName()));
+        super(attributes, broker);
     }
 
     @Override
@@ -189,54 +167,14 @@ public class SiteSpecificTrustStoreImpl
     @StateTransition(currentState = {State.ACTIVE, State.ERRORED}, desiredState = State.DELETED)
     protected ListenableFuture<Void> doDelete()
     {
-        // verify that it is not in use
-        String storeName = getName();
-
-        Collection<Port<?>> ports = new ArrayList<>(_broker.getPorts());
-        for (Port port : ports)
-        {
-            Collection<TrustStore> trustStores = port.getTrustStores();
-            if(trustStores != null)
-            {
-                for (TrustStore store : trustStores)
-                {
-                    if(storeName.equals(store.getAttribute(TrustStore.NAME)))
-                    {
-                        throw new IntegrityViolationException("Trust store '"
-                                + storeName
-                                + "' can't be deleted as it is in use by a port: "
-                                + port.getName());
-                    }
-                }
-            }
-        }
-
-        Collection<AuthenticationProvider> authenticationProviders = new ArrayList<AuthenticationProvider>(_broker.getAuthenticationProviders());
-        for (AuthenticationProvider authProvider : authenticationProviders)
-        {
-            if(authProvider.getAttributeNames().contains(SimpleLDAPAuthenticationManager.TRUST_STORE))
-            {
-                Object attributeType = authProvider.getAttribute(AuthenticationProvider.TYPE);
-                Object attributeValue = authProvider.getAttribute(SimpleLDAPAuthenticationManager.TRUST_STORE);
-                if (SimpleLDAPAuthenticationManager.PROVIDER_TYPE.equals(attributeType)
-                        && storeName.equals(attributeValue))
-                {
-                    throw new IntegrityViolationException("Trust store '"
-                            + storeName
-                            + "' can't be deleted as it is in use by an authentication manager: "
-                            + authProvider.getName());
-                }
-            }
-        }
-        deleted();
-        setState(State.DELETED);
-        _eventLogger.message(TrustStoreMessages.DELETE(getName()));
-        return Futures.immediateFuture(null);
+        return deleteIfNotInUse();
     }
 
     @StateTransition(currentState = {State.UNINITIALIZED, State.ERRORED}, desiredState = State.ACTIVE)
     protected ListenableFuture<Void> doActivate()
     {
+        initializeExpiryChecking();
+
         final SettableFuture<Void> result = SettableFuture.create();
         if(_x509Certificate == null)
         {
@@ -386,24 +324,6 @@ public class SiteSpecificTrustStoreImpl
     }
 
     @Override
-    public boolean isExposedAsMessageSource()
-    {
-        return _exposedAsMessageSource;
-    }
-
-    @Override
-    public List<VirtualHostNode<?>> getIncludedVirtualHostNodeMessageSources()
-    {
-        return _includedVirtualHostNodeMessageSources;
-    }
-
-    @Override
-    public List<VirtualHostNode<?>> getExcludedVirtualHostNodeMessageSources()
-    {
-        return _excludedVirtualHostNodeMessageSources;
-    }
-
-    @Override
     public List<CertificateDetails> getCertificateDetails()
     {
         return Collections.singletonList(new CertificateDetailsImpl(_x509Certificate));
@@ -428,9 +348,16 @@ public class SiteSpecificTrustStoreImpl
     }
 
     @Override
-    protected void logOperation(final String operation)
+    protected void checkCertificateExpiry()
     {
-        _broker.getEventLogger().message(TrustStoreMessages.OPERATION(operation));
+        int expiryWarning = getCertificateExpiryWarnPeriod();
+        if(expiryWarning > 0)
+        {
+            long currentTime = System.currentTimeMillis();
+            Date expiryTestDate = new Date(currentTime + (ONE_DAY * (long) expiryWarning));
+
+            checkCertificateExpiry(currentTime, expiryTestDate, _x509Certificate);
+        }
     }
 
     private static class AlwaysTrustManager implements X509TrustManager


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@qpid.apache.org
For additional commands, e-mail: commits-help@qpid.apache.org


Mime
View raw message