
Example 1 with SettingsBasedSSLConfigurator

use of com.amazon.dlic.util.SettingsBasedSSLConfigurator in project security by opensearch-project.

the class SettingsBasedSSLConfiguratorTest method testPemClientAuthFailure.

@Test
public void testPemClientAuthFailure() throws Exception {
    try (TestServer testServer = new TestServer("sslConfigurator/pem/truststore.jks", "sslConfigurator/pem/node1-keystore.jks", "secret", true)) {
        Path rootCaPemPath = FileHelper.getAbsoluteFilePathFromClassPath("sslConfigurator/pem/root-ca.pem");
        Settings settings = Settings.builder()
            .put("prefix.pemtrustedcas_filepath", rootCaPemPath.getFileName().toString())
            .put("prefix.enable_ssl", "true")
            .put("path.home", rootCaPemPath.getParent().toString())
            .put("prefix.enable_ssl_client_auth", "true")
            // Client certificate and key that the test expects the server to reject
            .put("prefix.pemcert_filepath", "wrong-kirk.pem")
            .put("prefix.pemkey_filepath", "wrong-kirk.key")
            .put("prefix.pemkey_password", "G0CVtComen4a")
            .build();
        Path configPath = rootCaPemPath.getParent();
        SettingsBasedSSLConfigurator sbsc = new SettingsBasedSSLConfigurator(settings, configPath, "prefix");
        SSLConfig sslConfig = sbsc.buildSSLConfig();
        try (CloseableHttpClient httpClient = HttpClients.custom().setSSLSocketFactory(sslConfig.toSSLConnectionSocketFactory()).build()) {
            // Due to some race condition in Java's internal network stack, this can be one
            // of the following exceptions
            // (Java 11: javax.net.ssl.SSLException: readHandshakeRecord)
            thrown.expect(either(instanceOf(SocketException.class))
                .or(instanceOf(SSLHandshakeException.class))
                .or(instanceOf(SSLException.class)));
            try (CloseableHttpResponse response = httpClient.execute(new HttpGet(testServer.getUri()))) {
                Assert.fail("Connection should have failed due to wrong client cert");
            }
        }
    }
}
Also used : Path(java.nio.file.Path) SSLConfig(com.amazon.dlic.util.SettingsBasedSSLConfigurator.SSLConfig) CloseableHttpClient(org.apache.http.impl.client.CloseableHttpClient) HttpGet(org.apache.http.client.methods.HttpGet) CloseableHttpResponse(org.apache.http.client.methods.CloseableHttpResponse) SettingsBasedSSLConfigurator(com.amazon.dlic.util.SettingsBasedSSLConfigurator) Settings(org.opensearch.common.settings.Settings) SSLHandshakeException(javax.net.ssl.SSLHandshakeException) Test(org.junit.Test)

Example 2 with SettingsBasedSSLConfigurator

use of com.amazon.dlic.util.SettingsBasedSSLConfigurator in project security by opensearch-project.

the class SettingsBasedSSLConfiguratorTest method testPemHostnameVerificationFailure.

@Test
public void testPemHostnameVerificationFailure() throws Exception {
    try (TestServer testServer = new TestServer("sslConfigurator/pem/truststore.jks", "sslConfigurator/pem/node-wrong-hostname-keystore.jks", "secret", false)) {
        Path rootCaPemPath = FileHelper.getAbsoluteFilePathFromClassPath("sslConfigurator/pem/root-ca.pem");
        Settings settings = Settings.builder()
            .put("prefix.pemtrustedcas_filepath", rootCaPemPath.getFileName().toString())
            .put("prefix.enable_ssl", "true")
            // Hostname verification on: the server certificate from
            // node-wrong-hostname-keystore.jks must be rejected
            .put("prefix.verify_hostnames", "true")
            .put("path.home", rootCaPemPath.getParent().toString())
            .build();
        Path configPath = rootCaPemPath.getParent();
        SettingsBasedSSLConfigurator sbsc = new SettingsBasedSSLConfigurator(settings, configPath, "prefix");
        SSLConfig sslConfig = sbsc.buildSSLConfig();
        try (CloseableHttpClient httpClient = HttpClients.custom().setSSLSocketFactory(sslConfig.toSSLConnectionSocketFactory()).build()) {
            thrown.expect(SSLPeerUnverifiedException.class);
            try (CloseableHttpResponse response = httpClient.execute(new HttpGet(testServer.getUri()))) {
                Assert.fail("Connection should have failed due to wrong hostname");
            }
        }
    }
}
Also used : Path(java.nio.file.Path) SSLConfig(com.amazon.dlic.util.SettingsBasedSSLConfigurator.SSLConfig) CloseableHttpClient(org.apache.http.impl.client.CloseableHttpClient) HttpGet(org.apache.http.client.methods.HttpGet) CloseableHttpResponse(org.apache.http.client.methods.CloseableHttpResponse) SettingsBasedSSLConfigurator(com.amazon.dlic.util.SettingsBasedSSLConfigurator) Settings(org.opensearch.common.settings.Settings) Test(org.junit.Test)

Example 3 with SettingsBasedSSLConfigurator

use of com.amazon.dlic.util.SettingsBasedSSLConfigurator in project security by opensearch-project.

the class SettingsBasedSSLConfiguratorTest method testPemHostnameVerificationOff.

@Test
public void testPemHostnameVerificationOff() throws Exception {
    try (TestServer testServer = new TestServer("sslConfigurator/pem/truststore.jks", "sslConfigurator/pem/node-wrong-hostname-keystore.jks", "secret", false)) {
        Path rootCaPemPath = FileHelper.getAbsoluteFilePathFromClassPath("sslConfigurator/pem/root-ca.pem");
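        Settings settings = Settings.builder()
            .put("prefix.pemtrustedcas_filepath", rootCaPemPath.getFileName().toString())
            .put("prefix.enable_ssl", "true")
            // Hostname verification off: the same wrong-hostname server certificate
            // is accepted as long as it chains to the trusted root CA
            .put("prefix.verify_hostnames", "false")
            .put("path.home", rootCaPemPath.getParent().toString())
            .build();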
        Path configPath = rootCaPemPath.getParent();
        SettingsBasedSSLConfigurator sbsc = new SettingsBasedSSLConfigurator(settings, configPath, "prefix");
        SSLConfig sslConfig = sbsc.buildSSLConfig();
        try (CloseableHttpClient httpClient = HttpClients.custom().setSSLSocketFactory(sslConfig.toSSLConnectionSocketFactory()).build()) {
            try (CloseableHttpResponse response = httpClient.execute(new HttpGet(testServer.getUri()))) {
                // Success
            }
        }
    }
}
Also used : Path(java.nio.file.Path) SSLConfig(com.amazon.dlic.util.SettingsBasedSSLConfigurator.SSLConfig) CloseableHttpClient(org.apache.http.impl.client.CloseableHttpClient) HttpGet(org.apache.http.client.methods.HttpGet) CloseableHttpResponse(org.apache.http.client.methods.CloseableHttpResponse) SettingsBasedSSLConfigurator(com.amazon.dlic.util.SettingsBasedSSLConfigurator) Settings(org.opensearch.common.settings.Settings) Test(org.junit.Test)

Example 4 with SettingsBasedSSLConfigurator

use of com.amazon.dlic.util.SettingsBasedSSLConfigurator in project security by opensearch-project.

the class SettingsBasedSSLConfiguratorTest method testPemClientAuth.

@Test
public void testPemClientAuth() throws Exception {
    try (TestServer testServer = new TestServer("sslConfigurator/pem/truststore.jks", "sslConfigurator/pem/node1-keystore.jks", "secret", true)) {
        Path rootCaPemPath = FileHelper.getAbsoluteFilePathFromClassPath("sslConfigurator/pem/root-ca.pem");
        Settings settings = Settings.builder()
            .put("prefix.pemtrustedcas_filepath", rootCaPemPath.getFileName().toString())
            .put("prefix.enable_ssl", "true")
            .put("path.home", rootCaPemPath.getParent().toString())
            .put("prefix.enable_ssl_client_auth", "true")
            .put("prefix.pemcert_filepath", "kirk.pem")
            .put("prefix.pemkey_filepath", "kirk.key")
            .put("prefix.pemkey_password", "secret")
            .build();
        Path configPath = rootCaPemPath.getParent();
        SettingsBasedSSLConfigurator sbsc = new SettingsBasedSSLConfigurator(settings, configPath, "prefix");
        SSLConfig sslConfig = sbsc.buildSSLConfig();
        try (CloseableHttpClient httpClient = HttpClients.custom().setSSLSocketFactory(sslConfig.toSSLConnectionSocketFactory()).build()) {
            try (CloseableHttpResponse response = httpClient.execute(new HttpGet(testServer.getUri()))) {
                // Success
            }
        }
    }
}
Also used : Path(java.nio.file.Path) SSLConfig(com.amazon.dlic.util.SettingsBasedSSLConfigurator.SSLConfig) CloseableHttpClient(org.apache.http.impl.client.CloseableHttpClient) HttpGet(org.apache.http.client.methods.HttpGet) CloseableHttpResponse(org.apache.http.client.methods.CloseableHttpResponse) SettingsBasedSSLConfigurator(com.amazon.dlic.util.SettingsBasedSSLConfigurator) Settings(org.opensearch.common.settings.Settings) Test(org.junit.Test)

Example 5 with SettingsBasedSSLConfigurator

use of com.amazon.dlic.util.SettingsBasedSSLConfigurator in project security by opensearch-project.

the class SettingsBasedSSLConfiguratorTest method testJksTrust.

@Test
public void testJksTrust() throws Exception {
    try (TestServer testServer = new TestServer("sslConfigurator/jks/truststore.jks", "sslConfigurator/jks/node1-keystore.jks", "secret", false)) {
        Path rootCaJksPath = FileHelper.getAbsoluteFilePathFromClassPath("sslConfigurator/jks/truststore.jks");
        Settings settings = Settings.builder()
            .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, rootCaJksPath.getFileName().toString())
            .put("plugins.security.ssl.transport.truststore_password", "secret")
            .put("prefix.enable_ssl", "true")
            .put("path.home", rootCaJksPath.getParent().toString())
            .build();
        Path configPath = rootCaJksPath.getParent();
        SettingsBasedSSLConfigurator sbsc = new SettingsBasedSSLConfigurator(settings, configPath, "prefix");
        SSLConfig sslConfig = sbsc.buildSSLConfig();
        try (CloseableHttpClient httpClient = HttpClients.custom().setSSLSocketFactory(sslConfig.toSSLConnectionSocketFactory()).build()) {
            try (CloseableHttpResponse response = httpClient.execute(new HttpGet(testServer.getUri()))) {
                // Success
            }
        }
    }
}
Also used : Path(java.nio.file.Path) SSLConfig(com.amazon.dlic.util.SettingsBasedSSLConfigurator.SSLConfig) CloseableHttpClient(org.apache.http.impl.client.CloseableHttpClient) HttpGet(org.apache.http.client.methods.HttpGet) CloseableHttpResponse(org.apache.http.client.methods.CloseableHttpResponse) SettingsBasedSSLConfigurator(com.amazon.dlic.util.SettingsBasedSSLConfigurator) Settings(org.opensearch.common.settings.Settings) Test(org.junit.Test)

Aggregations

SettingsBasedSSLConfigurator (com.amazon.dlic.util.SettingsBasedSSLConfigurator) 9
SSLConfig (com.amazon.dlic.util.SettingsBasedSSLConfigurator.SSLConfig) 9
Path (java.nio.file.Path) 9
CloseableHttpResponse (org.apache.http.client.methods.CloseableHttpResponse) 9
HttpGet (org.apache.http.client.methods.HttpGet) 9
CloseableHttpClient (org.apache.http.impl.client.CloseableHttpClient) 9
Test (org.junit.Test) 9
Settings (org.opensearch.common.settings.Settings) 9
SSLHandshakeException (javax.net.ssl.SSLHandshakeException) 1