
Example 1 with TrustStore

Use of org.apache.qpid.server.model.TrustStore in the project qpid-broker-j by Apache.

The class HttpManagement, method getSslContextFactory.

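/**
 * Builds the Jetty {@link SslContextFactory} that terminates TLS on the given HTTPS management port.
 *
 * <p>The factory wraps an {@link SSLContext} created from the port's key store and trust stores.
 * The server-side session cache size and timeout are applied only when the port configures
 * positive values. Cipher-suite and TLS-protocol white/black lists are enforced per
 * {@link SSLEngine} in {@code customize}; when a cipher-suite white list is present the
 * server's preference order is honoured over the client's.
 *
 * @param port the HTTPS port whose TLS settings are applied
 * @return a configured (not yet started) {@link SslContextFactory}
 * @throws IllegalConfigurationException if no key store is configured, or if client certificate
 *         authentication is required or wanted but the port defines no trust store
 */
private SslContextFactory getSslContextFactory(final HttpPort<?> port) {
    final KeyStore keyStore = port.getKeyStore();
    if (keyStore == null) {
        throw new IllegalConfigurationException("Key store is not configured. Cannot start management on HTTPS port without keystore");
    }
    // A trust store is needed whenever a client certificate is required or merely requested:
    // without one there is nothing to validate the presented chain against.
    final boolean clientAuthRequested = port.getNeedClientAuth() || port.getWantClientAuth();
    final Collection<TrustStore> trustStores = port.getTrustStores();
    if (clientAuthRequested && trustStores.isEmpty()) {
        // Name the offending port rather than this management plugin, so the message points at the object to fix.
        throw new IllegalConfigurationException(String.format("Client certificate authentication is enabled on HTTPS port '%s' but no trust store defined", port.getName()));
    }
    final SSLContext sslContext = SSLUtil.createSslContext(keyStore, trustStores, port.getName());
    final SSLSessionContext serverSessionContext = sslContext.getServerSessionContext();
    // Non-positive values mean "leave the JSSE default in place".
    if (port.getTLSSessionCacheSize() > 0) {
        serverSessionContext.setSessionCacheSize(port.getTLSSessionCacheSize());
    }
    if (port.getTLSSessionTimeout() > 0) {
        serverSessionContext.setSessionTimeout(port.getTLSSessionTimeout());
    }
    final SslContextFactory factory = new SslContextFactory() {

        /**
         * Applies the port's cipher-suite and protocol lists to every engine Jetty creates,
         * after the factory's own defaults have been applied.
         */
        @Override
        public void customize(final SSLEngine sslEngine) {
            super.customize(sslEngine);
            if (port.getTlsCipherSuiteWhiteList() != null && !port.getTlsCipherSuiteWhiteList().isEmpty()) {
                // An explicit white list expresses a preference order; make the server, not the client, decide.
                final SSLParameters sslParameters = sslEngine.getSSLParameters();
                sslParameters.setUseCipherSuitesOrder(true);
                sslEngine.setSSLParameters(sslParameters);
            }
            SSLUtil.updateEnabledCipherSuites(sslEngine, port.getTlsCipherSuiteWhiteList(), port.getTlsCipherSuiteBlackList());
            SSLUtil.updateEnabledTlsProtocols(sslEngine, port.getTlsProtocolWhiteList(), port.getTlsProtocolBlackList());
        }
    };
    factory.setSslContext(sslContext);
    // "need" (mandatory) takes precedence over "want" (optional) when both are set.
    if (port.getNeedClientAuth()) {
        factory.setNeedClientAuth(true);
    } else if (port.getWantClientAuth()) {
        factory.setWantClientAuth(true);
    }
    return factory;
}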

Example 2 with TrustStore

Use of org.apache.qpid.server.model.TrustStore in the project qpid-broker-j by Apache.

The class SimpleLDAPAuthenticationManagerImpl, method validateChange.

/**
 * Validates a pending attribute change. When any connectivity attribute is among the changed
 * ones, an SSL socket factory class is derived from the proposed trust store and an initial
 * directory context is validated against the proposed provider URL and search credentials,
 * so a broken LDAP configuration is rejected before it is applied.
 *
 * @param proxyForValidation proxy carrying the proposed attribute values
 * @param changedAttributes  names of the attributes being changed
 */
@Override
protected void validateChange(final ConfiguredObject<?> proxyForValidation, final Set<String> changedAttributes) {
    super.validateChange(proxyForValidation, changedAttributes);
    if (disjoint(changedAttributes, CONNECTIVITY_ATTRS)) {
        // Nothing connectivity-related changed; no LDAP round trip needed.
        return;
    }
    final SimpleLDAPAuthenticationManager proposed = (SimpleLDAPAuthenticationManager) proxyForValidation;
    final Class<? extends SocketFactory> socketFactoryClass = createSslSocketFactoryOverrideClass(proposed.getTrustStore());
    validateInitialDirContext(socketFactoryClass, proposed.getProviderUrl(), proposed.getSearchUsername(), proposed.getSearchPassword());
}

Example 3 with TrustStore

Use of org.apache.qpid.server.model.TrustStore in the project qpid-broker-j by Apache.

The class NonJavaTrustStoreTest, method testCreationOfTrustStoreFromValidCertificate.

/**
 * Creating a {@code NonJavaTrustStore} from the valid certificate resource on the test
 * classpath must yield exactly one, non-null, trust manager.
 */
public void testCreationOfTrustStoreFromValidCertificate() throws Exception {
    final String certificateUrl = getClass().getResource("/java_broker.crt").toExternalForm();

    final Map<String, Object> attributes = new HashMap<>();
    attributes.put(NonJavaTrustStore.NAME, "myTestTrustStore");
    attributes.put(NonJavaTrustStore.CERTIFICATES_URL, certificateUrl);
    attributes.put(NonJavaTrustStore.TYPE, "NonJavaTrustStore");

    final TrustStore created = _factory.create(TrustStore.class, attributes, _broker);
    final TrustManager[] managers = created.getTrustManagers();

    assertNotNull(managers);
    assertEquals("Unexpected number of trust managers", 1, managers.length);
    assertNotNull("Trust manager unexpected null", managers[0]);
}

Example 4 with TrustStore

Use of org.apache.qpid.server.model.TrustStore in the project qpid-broker-j by Apache.

The class TrustStoreMessageSourceCreator, method register.

/**
 * Registers a trust-store message source for every trust store of the broker that owns the
 * registry's virtual host, and keeps that set in sync for as long as the virtual host lives:
 * trust stores added to the broker are registered, removed ones are de-registered, and when
 * the virtual host or its node is removed every listener installed here is detached again.
 *
 * @param registry the system-node registry of the virtual host being started
 */
@Override
public void register(final SystemNodeRegistry registry) {
    final VirtualHost<?> virtualHost = registry.getVirtualHost();
    final VirtualHostNode<?> hostNode = (VirtualHostNode<?>) virtualHost.getParent();
    final Broker<?> broker = (Broker<?>) hostNode.getParent();
    final TrustStoreChangeListener storeListener = new TrustStoreChangeListener(registry);

    // Evaluated on each call, so it always covers the broker's current set of trust stores.
    final Runnable detachFromAllTrustStores = () -> broker.getChildren(TrustStore.class).forEach(t -> t.removeChangeListener(storeListener));

    // Trust stores that already exist: register a source for each and watch them for changes.
    final Collection<TrustStore> existingStores = broker.getChildren(TrustStore.class);
    for (final TrustStore existing : existingStores) {
        updateTrustStoreSourceRegistration(registry, existing);
        existing.addChangeListener(storeListener);
    }

    // Broker-level listener: follows trust stores being added/removed, and tears itself down
    // once the owning virtual host node is removed from the broker.
    final AbstractConfigurationChangeListener brokerChildListener = new AbstractConfigurationChangeListener() {

        @Override
        public void childAdded(final ConfiguredObject<?> object, final ConfiguredObject<?> child) {
            if (!(child instanceof TrustStore)) {
                return;
            }
            final TrustStore<?> added = (TrustStore<?>) child;
            updateTrustStoreSourceRegistration(registry, added);
            added.addChangeListener(storeListener);
        }

        @Override
        public void childRemoved(final ConfiguredObject<?> object, final ConfiguredObject<?> child) {
            if (child instanceof TrustStore) {
                final TrustStore<?> removed = (TrustStore<?>) child;
                removed.removeChangeListener(storeListener);
                registry.removeSystemNode(TrustStoreMessageSource.getSourceNameFromTrustStore(removed));
            } else if (child == hostNode) {
                object.removeChangeListener(this);
                detachFromAllTrustStores.run();
            }
        }
    };
    broker.addChangeListener(brokerChildListener);

    // Node-level listener: when the virtual host itself goes away, detach everything installed above.
    hostNode.addChangeListener(new AbstractConfigurationChangeListener() {

        @Override
        public void childRemoved(final ConfiguredObject<?> object, final ConfiguredObject<?> child) {
            if (child != virtualHost) {
                return;
            }
            broker.removeChangeListener(brokerChildListener);
            object.removeChangeListener(this);
            detachFromAllTrustStores.run();
        }
    });
}

Example 5 with TrustStore

Use of org.apache.qpid.server.model.TrustStore in the project qpid-broker-j by Apache.

The class CloudFoundryOAuth2IdentityResolverService, method getUserPrincipal.

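/**
 * Resolves the user behind an OAuth2 access token by POSTing it to the provider's
 * check-token endpoint and reading {@code user_name} from the JSON response.
 *
 * <p>The call is authenticated with the provider's client id/secret via HTTP Basic; the
 * provider's trust store (when set) and its TLS protocol/cipher allow and deny lists are
 * applied to the connection. Neither the access token nor the client secret is logged.
 *
 * @param authenticationProvider provider supplying endpoint, credentials and TLS settings
 * @param accessToken            the token to introspect; sent in the request body
 * @param addressSpace           address space used to look up the resolver endpoint
 * @return a principal carrying the resolved user name
 * @throws IOException               on transport failure or when the endpoint does not return a JSON object
 * @throws IdentityResolverException when the endpoint answers with a non-200 status or without a string {@code user_name}
 * @throws ServerScopedRuntimeException when the trust store's trust managers cannot be initialised
 */
@Override
public Principal getUserPrincipal(final OAuth2AuthenticationProvider<?> authenticationProvider, final String accessToken, final NamedAddressSpace addressSpace) throws IOException, IdentityResolverException {
    final URL checkTokenEndpoint = authenticationProvider.getIdentityResolverEndpointURI(addressSpace).toURL();
    final TrustStore trustStore = authenticationProvider.getTrustStore();
    final String clientId = authenticationProvider.getClientId();
    final String clientSecret = authenticationProvider.getClientSecret();
    final ConnectionBuilder connectionBuilder = new ConnectionBuilder(checkTokenEndpoint);
    connectionBuilder.setConnectTimeout(authenticationProvider.getConnectTimeout()).setReadTimeout(authenticationProvider.getReadTimeout());
    if (trustStore != null) {
        try {
            connectionBuilder.setTrustMangers(trustStore.getTrustManagers());
        } catch (GeneralSecurityException e) {
            throw new ServerScopedRuntimeException("Cannot initialise TLS", e);
        }
    }
    connectionBuilder.setTlsProtocolAllowList(authenticationProvider.getTlsProtocolAllowList()).setTlsProtocolDenyList(authenticationProvider.getTlsProtocolDenyList()).setTlsCipherSuiteAllowList(authenticationProvider.getTlsCipherSuiteAllowList()).setTlsCipherSuiteDenyList(authenticationProvider.getTlsCipherSuiteDenyList());
    LOGGER.debug("About to call identity service '{}'", checkTokenEndpoint);
    final HttpURLConnection connection = connectionBuilder.build();
    // Enabling output turns the request into a POST, so the token travels in the body rather than the URL.
    connection.setDoOutput(true);
    connection.setRequestProperty("Accept-Charset", UTF_8.name());
    connection.setRequestProperty("Content-Type", "application/x-www-form-urlencoded;charset=" + UTF_8.name());
    connection.setRequestProperty("Accept", "application/json");
    // Client credentials go in the Basic header; keep them out of log statements.
    final String encoded = Base64.getEncoder().encodeToString((clientId + ":" + clientSecret).getBytes(UTF_8));
    connection.setRequestProperty("Authorization", "Basic " + encoded);
    final Map<String, String> requestParameters = Collections.singletonMap("token", accessToken);
    connection.connect();
    try (OutputStream output = connection.getOutputStream()) {
        output.write(OAuth2Utils.buildRequestQuery(requestParameters).getBytes(UTF_8));
        // Close explicitly so the body is fully flushed before the response is read;
        // the try-with-resources close that follows is a harmless second close.
        output.close();
        try (InputStream input = OAuth2Utils.getResponseStream(connection)) {
            final int responseCode = connection.getResponseCode();
            LOGGER.debug("Call to identity service '{}' complete, response code : {}", checkTokenEndpoint, responseCode);
            // Read as an untyped map: the remote body is untrusted and value types are not guaranteed.
            final Map<?, ?> responseMap;
            try {
                responseMap = _objectMapper.readValue(input, Map.class);
            } catch (JsonProcessingException e) {
                throw new IOException(String.format("Identity resolver '%s' did not return json", checkTokenEndpoint), e);
            }
            if (responseCode != 200) {
                // A JSON literal "null" parses to a null map; guard the lookups used in the message.
                final Object error = responseMap == null ? null : responseMap.get("error");
                final Object errorDescription = responseMap == null ? null : responseMap.get("error_description");
                throw new IdentityResolverException(String.format("Identity resolver '%s' failed, response code %d, error '%s', description '%s'", checkTokenEndpoint, responseCode, error, errorDescription));
            }
            // Only a string user_name is acceptable; a missing, null or non-string value is a resolver failure,
            // not a NullPointerException/ClassCastException surfacing from the authentication path.
            final Object userName = responseMap == null ? null : responseMap.get("user_name");
            if (!(userName instanceof String)) {
                throw new IdentityResolverException(String.format("Identity resolver '%s' failed, response did not include 'user_name'", checkTokenEndpoint));
            }
            return new UsernamePrincipal((String) userName, authenticationProvider);
        }
    }
}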
