| author | Robert Gemmell <robbie@apache.org> | 2013-03-17 23:47:36 +0000 |
|---|---|---|
| committer | Robert Gemmell <robbie@apache.org> | 2013-03-17 23:47:36 +0000 |
| commit | 4c2f59492e4e2d19bbf5d8e4020cb9a4401b16f6 (patch) | |
| tree | 05c090353fbd30b39cecbb3f25e9507b0c8965fe /qpid/java/systests | |
| parent | e907b48c21bb9cbbda8f0c12528015aeb631e983 (diff) | |
| download | qpid-python-4c2f59492e4e2d19bbf5d8e4020cb9a4401b16f6.tar.gz | |
QPID-4636: expand testing of the new TrustManagers
- Removes the 'app2' cert from the test broker peer store so it only contains the 'app1' cert.
- Add a java broker trust store (currently continues to match client trust store, contains the test CA).
- Add a java client keystore with a completely untrusted cert.
- Add additional unit testing of QpidPeersOnlyTrustManager inc use of otherwise trusted certs, and completely untrusted certs.
- Add additional unit testing of QpidMultipleTrustManager and its behaviour when wrapping a regular TrustManager, a QpidPeersOnlyTrustManager, and both at once.
- Add system tests showing a client with untrusted SSL cert failing to connect, then succeeding when adding it to the peerStore on the broker.
Work by myself and Michal Zerola.
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@1457599 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'qpid/java/systests')
3 files changed, 62 insertions, 1 deletions
diff --git a/qpid/java/systests/etc/config-systests.json b/qpid/java/systests/etc/config-systests.json
index 36e6f61d43..b06b469891 100644
--- a/qpid/java/systests/etc/config-systests.json
+++ b/qpid/java/systests/etc/config-systests.json
@@ -24,7 +24,7 @@ "defaultVirtualHost" : "test",
 "keyStorePath": "${QPID_HOME}/../test-profiles/test_resources/ssl/java_broker_keystore.jks",
 "keyStorePassword": "password",
- "trustStorePath": "${QPID_HOME}/../test-profiles/test_resources/ssl/java_client_truststore.jks",
+ "trustStorePath": "${QPID_HOME}/../test-profiles/test_resources/ssl/java_broker_truststore.jks",
 "trustStorePassword": "password",
 "authenticationproviders" : [ { "name" : "plain",
diff --git a/qpid/java/systests/src/main/java/org/apache/qpid/server/security/auth/manager/ExternalAuthenticationTest.java b/qpid/java/systests/src/main/java/org/apache/qpid/server/security/auth/manager/ExternalAuthenticationTest.java
index b90f56daf6..e9e6f93ab6 100644
--- a/qpid/java/systests/src/main/java/org/apache/qpid/server/security/auth/manager/ExternalAuthenticationTest.java
+++ b/qpid/java/systests/src/main/java/org/apache/qpid/server/security/auth/manager/ExternalAuthenticationTest.java
@@ -21,6 +21,7 @@ package org.apache.qpid.server.security.auth.manager;
 import static org.apache.qpid.test.utils.TestSSLConstants.KEYSTORE;
+import static org.apache.qpid.test.utils.TestSSLConstants.UNTRUSTED_KEYSTORE;
 import static org.apache.qpid.test.utils.TestSSLConstants.KEYSTORE_PASSWORD;
 import static org.apache.qpid.test.utils.TestSSLConstants.TRUSTSTORE;
 import static org.apache.qpid.test.utils.TestSSLConstants.TRUSTSTORE_PASSWORD;
@@ -139,6 +140,59 @@ public class ExternalAuthenticationTest extends QpidBrokerTestCase
 }
 }
+ /**
+ * Tests that when using the EXTERNAL authentication provider and needing client auth, clients with
+ * untrusted certificates are unable to connect to the SSL port.
+ */
+ public void testExternalAuthenticationDeniesUntrustedClientCert() throws Exception
+ {
+ setCommonBrokerSSLProperties(true);
+ getBrokerConfiguration().setBrokerAttribute(Broker.DEFAULT_AUTHENTICATION_PROVIDER, TestBrokerConfiguration.ENTRY_NAME_EXTERNAL_PROVIDER);
+ super.setUp();
+
+ setUntrustedClientKeystoreProperties();
+ setClientTrustoreProperties();
+
+ try
+ {
+ getExternalSSLConnection(false);
+ fail("Connection should not succeed");
+ }
+ catch (JMSException e)
+ {
+ // pass
+ }
+ }
+
+ /**
+ * Tests that when using the EXTERNAL auth provide and the broker 'peerstore' is configured to contain a certificate that is
+ * otherwise untrusted by the broker [truststore], clients using that certificate will then be able to connect.
+ */
+ public void testExternalAuthenticationWithPeerStoreAllowsOtherwiseUntrustedClientCert() throws Exception
+ {
+ setCommonBrokerSSLProperties(true);
+ getBrokerConfiguration().setObjectAttribute(TestBrokerConfiguration.ENTRY_NAME_SSL_PORT, Port.AUTHENTICATION_PROVIDER, TestBrokerConfiguration.ENTRY_NAME_EXTERNAL_PROVIDER);
+
+ //Use the untrusted client keystore as the brokers peerstore to make the broker trust the cert.
+ getBrokerConfiguration().setBrokerAttribute(Broker.PEER_STORE_PATH, UNTRUSTED_KEYSTORE);
+ getBrokerConfiguration().setBrokerAttribute(Broker.PEER_STORE_PASSWORD, KEYSTORE_PASSWORD);
+
+ super.setUp();
+
+ setUntrustedClientKeystoreProperties();
+ setClientTrustoreProperties();
+
+ try
+ {
+ getExternalSSLConnection(false);
+ fail("Untrusted client's validation against the broker's multi store manager unexpectedly passed.");
+ }
+ catch (JMSException e)
+ {
+ // expected
+ }
+ }
+
 private Connection getExternalSSLConnection(boolean includeUserNameAndPassword) throws Exception
 {
 String url = "amqp://%s@test/?brokerlist='tcp://localhost:%s?ssl='true'&sasl_mechs='EXTERNAL''";
@@ -169,6 +223,12 @@ public class ExternalAuthenticationTest extends QpidBrokerTestCase
 config.addAuthenticationProviderConfiguration(externalAuthProviderAttributes);
 }
+ private void setUntrustedClientKeystoreProperties()
+ {
+ setSystemProperty("javax.net.ssl.keyStore", UNTRUSTED_KEYSTORE);
+ setSystemProperty("javax.net.ssl.keyStorePassword", KEYSTORE_PASSWORD);
+ }
+
 private void setClientKeystoreProperties()
 {
 setSystemProperty("javax.net.ssl.keyStore", KEYSTORE);
diff --git a/qpid/java/systests/src/main/java/org/apache/qpid/test/utils/TestSSLConstants.java b/qpid/java/systests/src/main/java/org/apache/qpid/test/utils/TestSSLConstants.java
index 9d5be775dc..5664e94bd9 100644
--- a/qpid/java/systests/src/main/java/org/apache/qpid/test/utils/TestSSLConstants.java
+++ b/qpid/java/systests/src/main/java/org/apache/qpid/test/utils/TestSSLConstants.java
@@ -21,6 +21,7 @@ package org.apache.qpid.test.utils;
 public interface TestSSLConstants { String KEYSTORE = "test-profiles/test_resources/ssl/java_client_keystore.jks";
+ String UNTRUSTED_KEYSTORE = "test-profiles/test_resources/ssl/java_client_untrusted_keystore.jks";
 String KEYSTORE_PASSWORD = "password";
 String TRUSTSTORE = "test-profiles/test_resources/ssl/java_client_truststore.jks";
 String TRUSTSTORE_PASSWORD = "password"; |
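Review bot: testExternalAuthenticationWithPeerStoreAllowsOtherwiseUntrustedClientCert asserts the opposite of what its name, its Javadoc and the commit message state: the body wraps `getExternalSSLConnection(false)` in a try, calls `fail(...)` if the connection is established and treats a JMSException as `// expected`, so the test only passes when the peer-store client is rejected. If the intent is that adding the cert to the peerStore makes the connection succeed, the try/catch should collapse to `Connection con = getExternalSSLConnection(false);` followed by `assertNotNull("Connection should have been established", con);`, leaving closure to the test-case teardown or an explicit `con.close()`. As written the test provides no evidence that QpidPeersOnlyTrustManager accepts the peer certificate, and a regression in which it rejected every certificate would still pass. A smaller point: the first new test selects EXTERNAL through Broker.DEFAULT_AUTHENTICATION_PROVIDER while this one sets Port.AUTHENTICATION_PROVIDER on the SSL port; if both are meant to exercise the same code path it would be worth using one mechanism, though the difference may be deliberate and a one-line comment saying so would settle it.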
