
Example 11 with TrustStore

use of org.apache.qpid.server.model.TrustStore in project qpid-broker-j by apache.

the class FileTrustStoreTest method testSymmetricKeyEntryIgnored.

/**
 * Loads a PKCS12 store that contains a symmetric-key entry as a {@code TrustStore}
 * and checks that the number of certificates it reports equals the number the
 * {@code getNumberOfCertificates} helper counts for the same store.
 */
public void testSymmetricKeyEntryIgnored() throws Exception {
    final URL storeUrl = getClass().getResource(SYMMETRIC_KEY_KEYSTORE_RESOURCE);
    assertNotNull("Symmetric key keystore not found", storeUrl);

    final Map<String, Object> trustStoreAttributes = new HashMap<>();
    trustStoreAttributes.put(FileTrustStore.NAME, getTestName());
    trustStoreAttributes.put(FileTrustStore.PASSWORD, TestSSLConstants.BROKER_KEYSTORE_PASSWORD);
    trustStoreAttributes.put(FileTrustStore.STORE_URL, storeUrl);
    // The store type is given explicitly here; the JKS variant of this test relies on the default.
    trustStoreAttributes.put(FileTrustStore.TRUST_STORE_TYPE, "PKCS12");

    final TrustStore created = _factory.create(TrustStore.class, trustStoreAttributes, _broker);
    final Certificate[] exposed = created.getCertificates();
    final int expected = getNumberOfCertificates(storeUrl, "PKCS12");
    assertEquals("Unexpected number of certificates", expected, exposed.length);
}

Example 12 with TrustStore

use of org.apache.qpid.server.model.TrustStore in project qpid-broker-j by apache.

the class FacebookIdentityResolverService method getUserPrincipal.

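/**
 * Resolves the Facebook user behind {@code accessToken} by calling the provider's
 * identity-resolver endpoint and reading the {@code id} field of the JSON response.
 *
 * <p>The outbound connection uses the provider's TLS configuration: the trust managers
 * of its {@link TrustStore} (when one is configured) and its protocol and cipher-suite
 * white/black lists.
 *
 * @param authenticationProvider provider supplying the endpoint, timeouts and TLS settings
 * @param accessToken bearer token sent in the {@code Authorization} header; it is not logged
 * @param addressSpace address space used to look up the identity-resolver endpoint URI
 * @return a {@link UsernamePrincipal} named after the Facebook {@code id}
 * @throws IOException if the endpoint cannot be reached or the body is not JSON
 * @throws IdentityResolverException if the response code is not 200, or the body carries
 *         no string {@code id}
 * @throws ServerScopedRuntimeException if the trust store's trust managers cannot be initialised
 */
@Override
public Principal getUserPrincipal(final OAuth2AuthenticationProvider<?> authenticationProvider, String accessToken, final NamedAddressSpace addressSpace) throws IOException, IdentityResolverException {
    final URL userInfoEndpoint = authenticationProvider.getIdentityResolverEndpointURI(addressSpace).toURL();
    final TrustStore trustStore = authenticationProvider.getTrustStore();
    final ConnectionBuilder connectionBuilder = new ConnectionBuilder(userInfoEndpoint);
    connectionBuilder.setConnectTimeout(authenticationProvider.getConnectTimeout())
                     .setReadTimeout(authenticationProvider.getReadTimeout());
    if (trustStore != null) {
        try {
            // Use the provider's configured trust anchors for this outbound TLS session.
            connectionBuilder.setTrustMangers(trustStore.getTrustManagers());
        } catch (GeneralSecurityException e) {
            throw new ServerScopedRuntimeException("Cannot initialise TLS", e);
        }
    }
    connectionBuilder.setTlsProtocolWhiteList(authenticationProvider.getTlsProtocolWhiteList())
                     .setTlsProtocolBlackList(authenticationProvider.getTlsProtocolBlackList())
                     .setTlsCipherSuiteWhiteList(authenticationProvider.getTlsCipherSuiteWhiteList())
                     .setTlsCipherSuiteBlackList(authenticationProvider.getTlsCipherSuiteBlackList());
    // Only the endpoint is logged; the bearer token must never reach the log.
    LOGGER.debug("About to call identity service '{}'", userInfoEndpoint);
    final HttpURLConnection connection = connectionBuilder.build();
    connection.setRequestProperty("Accept-Charset", UTF8);
    connection.setRequestProperty("Accept", "application/json");
    connection.setRequestProperty("Authorization", "Bearer " + accessToken);
    connection.connect();
    try (InputStream input = OAuth2Utils.getResponseStream(connection)) {
        final int responseCode = connection.getResponseCode();
        LOGGER.debug("Call to identity service '{}' complete, response code : {}", userInfoEndpoint, responseCode);
        // Deserialise to a wildcard map: the value types are not known until inspected.
        final Map<?, ?> responseMap;
        try {
            responseMap = _objectMapper.readValue(input, Map.class);
        } catch (JsonProcessingException e) {
            throw new IOException(String.format("Identity resolver '%s' did not return json", userInfoEndpoint), e);
        }
        if (responseCode != 200) {
            throw new IdentityResolverException(String.format("Identity resolver '%s' failed, response code %d", userInfoEndpoint, responseCode));
        }
        // A body consisting of the JSON literal "null" deserialises to null; treat it as a
        // missing 'id' instead of letting it surface as a NullPointerException.
        final Object facebookId = responseMap == null ? null : responseMap.get("id");
        if (facebookId == null) {
            throw new IdentityResolverException(String.format("Identity resolver '%s' failed, response did not include 'id'", userInfoEndpoint));
        }
        // Reject a non-string 'id' explicitly rather than failing with a ClassCastException.
        if (!(facebookId instanceof String)) {
            throw new IdentityResolverException(String.format("Identity resolver '%s' failed, 'id' is not a string", userInfoEndpoint));
        }
        return new UsernamePrincipal((String) facebookId, authenticationProvider);
    }
}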

Example 13 with TrustStore

use of org.apache.qpid.server.model.TrustStore in project qpid-broker-j by apache.

the class GoogleOAuth2IdentityResolverService method getUserPrincipal.

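/**
 * Resolves the Google user behind {@code accessToken} by calling the provider's
 * identity-resolver endpoint and reading the {@code sub} field of the JSON response.
 *
 * <p>The outbound connection uses the provider's TLS configuration: the trust managers
 * of its {@link TrustStore} (when one is configured) and its protocol and cipher-suite
 * white/black lists.
 *
 * @param authenticationProvider provider supplying the endpoint, timeouts and TLS settings
 * @param accessToken bearer token sent in the {@code Authorization} header; it is not logged
 * @param addressSpace address space used to look up the identity-resolver endpoint URI
 * @return a {@link UsernamePrincipal} named after the Google {@code sub} claim
 * @throws IOException if the endpoint cannot be reached or the body is not JSON
 * @throws IdentityResolverException if the response code is not 200, or the body carries
 *         no string {@code sub}
 * @throws ServerScopedRuntimeException if the trust store's trust managers cannot be initialised
 */
@Override
public Principal getUserPrincipal(final OAuth2AuthenticationProvider<?> authenticationProvider, String accessToken, final NamedAddressSpace addressSpace) throws IOException, IdentityResolverException {
    final URL userInfoEndpoint = authenticationProvider.getIdentityResolverEndpointURI(addressSpace).toURL();
    final TrustStore trustStore = authenticationProvider.getTrustStore();
    final ConnectionBuilder connectionBuilder = new ConnectionBuilder(userInfoEndpoint);
    connectionBuilder.setConnectTimeout(authenticationProvider.getConnectTimeout())
                     .setReadTimeout(authenticationProvider.getReadTimeout());
    if (trustStore != null) {
        try {
            // Use the provider's configured trust anchors for this outbound TLS session.
            connectionBuilder.setTrustMangers(trustStore.getTrustManagers());
        } catch (GeneralSecurityException e) {
            throw new ServerScopedRuntimeException("Cannot initialise TLS", e);
        }
    }
    connectionBuilder.setTlsProtocolWhiteList(authenticationProvider.getTlsProtocolWhiteList())
                     .setTlsProtocolBlackList(authenticationProvider.getTlsProtocolBlackList())
                     .setTlsCipherSuiteWhiteList(authenticationProvider.getTlsCipherSuiteWhiteList())
                     .setTlsCipherSuiteBlackList(authenticationProvider.getTlsCipherSuiteBlackList());
    // Only the endpoint is logged; the bearer token must never reach the log.
    LOGGER.debug("About to call identity service '{}'", userInfoEndpoint);
    final HttpURLConnection connection = connectionBuilder.build();
    connection.setRequestProperty("Accept-Charset", UTF8);
    connection.setRequestProperty("Accept", "application/json");
    connection.setRequestProperty("Authorization", "Bearer " + accessToken);
    connection.connect();
    try (InputStream input = OAuth2Utils.getResponseStream(connection)) {
        final int responseCode = connection.getResponseCode();
        LOGGER.debug("Call to identity service '{}' complete, response code : {}", userInfoEndpoint, responseCode);
        // Deserialise to a wildcard map: the value types are not known until inspected.
        final Map<?, ?> responseMap;
        try {
            responseMap = _objectMapper.readValue(input, Map.class);
        } catch (JsonProcessingException e) {
            throw new IOException(String.format("Identity resolver '%s' did not return json", userInfoEndpoint), e);
        }
        if (responseCode != 200) {
            throw new IdentityResolverException(String.format("Identity resolver '%s' failed, response code %d", userInfoEndpoint, responseCode));
        }
        // A body consisting of the JSON literal "null" deserialises to null; treat it as a
        // missing 'sub' instead of letting it surface as a NullPointerException.
        final Object googleId = responseMap == null ? null : responseMap.get("sub");
        if (googleId == null) {
            throw new IdentityResolverException(String.format("Identity resolver '%s' failed, response did not include 'sub'", userInfoEndpoint));
        }
        // Reject a non-string 'sub' explicitly rather than failing with a ClassCastException.
        if (!(googleId instanceof String)) {
            throw new IdentityResolverException(String.format("Identity resolver '%s' failed, 'sub' is not a string", userInfoEndpoint));
        }
        return new UsernamePrincipal((String) googleId, authenticationProvider);
    }
}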

Example 14 with TrustStore

use of org.apache.qpid.server.model.TrustStore in project qpid-broker-j by apache.

the class KeycloakOAuth2IdentityResolverService method getUserPrincipal.

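/**
 * Resolves the Keycloak user behind {@code accessToken} by calling the provider's
 * identity-resolver endpoint. The principal name is the {@code preferred_username}
 * field of the JSON response, falling back to {@code sub} when it is absent.
 *
 * <p>The outbound connection uses the provider's TLS configuration: the trust managers
 * of its {@link TrustStore} (when one is configured) and its protocol and cipher-suite
 * white/black lists.
 *
 * @param authenticationProvider provider supplying the endpoint, timeouts and TLS settings
 * @param accessToken bearer token sent in the {@code Authorization} header; it is not logged
 * @param addressSpace address space used to look up the identity-resolver endpoint URI
 * @return a {@link UsernamePrincipal} named after {@code preferred_username} or {@code sub}
 * @throws IOException if the endpoint cannot be reached or the body is not JSON
 * @throws IdentityResolverException if the response code is not 200, or the body carries
 *         neither a {@code preferred_username} nor a {@code sub}, or the chosen value is not a string
 * @throws ServerScopedRuntimeException if the trust store's trust managers cannot be initialised
 */
@Override
public Principal getUserPrincipal(final OAuth2AuthenticationProvider<?> authenticationProvider, String accessToken, final NamedAddressSpace addressSpace) throws IOException, IdentityResolverException {
    final URL userInfoEndpoint = authenticationProvider.getIdentityResolverEndpointURI(addressSpace).toURL();
    final TrustStore trustStore = authenticationProvider.getTrustStore();
    final ConnectionBuilder connectionBuilder = new ConnectionBuilder(userInfoEndpoint);
    connectionBuilder.setConnectTimeout(authenticationProvider.getConnectTimeout())
                     .setReadTimeout(authenticationProvider.getReadTimeout());
    if (trustStore != null) {
        try {
            // Use the provider's configured trust anchors for this outbound TLS session.
            connectionBuilder.setTrustMangers(trustStore.getTrustManagers());
        } catch (GeneralSecurityException e) {
            throw new ServerScopedRuntimeException("Cannot initialise TLS", e);
        }
    }
    connectionBuilder.setTlsProtocolWhiteList(authenticationProvider.getTlsProtocolWhiteList())
                     .setTlsProtocolBlackList(authenticationProvider.getTlsProtocolBlackList())
                     .setTlsCipherSuiteWhiteList(authenticationProvider.getTlsCipherSuiteWhiteList())
                     .setTlsCipherSuiteBlackList(authenticationProvider.getTlsCipherSuiteBlackList());
    // Only the endpoint is logged; the bearer token must never reach the log.
    LOGGER.debug("About to call identity service '{}'", userInfoEndpoint);
    final HttpURLConnection connection = connectionBuilder.build();
    connection.setRequestProperty("Accept-Charset", UTF8);
    connection.setRequestProperty("Accept", "application/json");
    connection.setRequestProperty("Authorization", "Bearer " + accessToken);
    connection.connect();
    try (InputStream input = OAuth2Utils.getResponseStream(connection)) {
        final int responseCode = connection.getResponseCode();
        LOGGER.debug("Call to identity service '{}' complete, response code : {}", userInfoEndpoint, responseCode);
        // Deserialise to a wildcard map: the value types are not known until inspected.
        final Map<?, ?> responseMap;
        try {
            responseMap = _objectMapper.readValue(input, Map.class);
        } catch (JsonProcessingException e) {
            throw new IOException(String.format("Identity resolver '%s' did not return json", userInfoEndpoint), e);
        }
        if (responseCode != 200) {
            throw new IdentityResolverException(String.format("Identity resolver '%s' failed, response code %d", userInfoEndpoint, responseCode));
        }
        Object username = null;
        // A body consisting of the JSON literal "null" deserialises to null; treat it as an
        // empty response instead of letting it surface as a NullPointerException.
        if (responseMap != null) {
            // Prefer the human-readable username; fall back to the subject identifier.
            username = responseMap.get("preferred_username");
            if (username == null) {
                username = responseMap.get("sub");
            }
        }
        if (username == null) {
            throw new IdentityResolverException(String.format("Identity resolver '%s' failed, response did not include 'sub'", userInfoEndpoint));
        }
        // Reject a non-string value explicitly rather than failing with a ClassCastException.
        if (!(username instanceof String)) {
            throw new IdentityResolverException(String.format("Identity resolver '%s' failed, username value is not a string", userInfoEndpoint));
        }
        return new UsernamePrincipal((String) username, authenticationProvider);
    }
}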

Example 15 with TrustStore

use of org.apache.qpid.server.model.TrustStore in project qpid-broker-j by apache.

the class FileTrustStoreTest method testPrivateKeyEntryIgnored.

/**
 * Loads a store that contains a private-key entry as a {@code TrustStore} (with the
 * default store type) and checks that the number of certificates it reports equals
 * the number the {@code getNumberOfCertificates} helper counts for the same store as JKS.
 */
public void testPrivateKeyEntryIgnored() throws Exception {
    final URL storeUrl = getClass().getResource(KEYSTORE_RESOURCE);
    assertNotNull("Keystore not found", storeUrl);

    final Map<String, Object> trustStoreAttributes = new HashMap<>();
    trustStoreAttributes.put(FileTrustStore.NAME, getTestName());
    trustStoreAttributes.put(FileTrustStore.PASSWORD, TestSSLConstants.BROKER_KEYSTORE_PASSWORD);
    trustStoreAttributes.put(FileTrustStore.STORE_URL, storeUrl);
    // No TRUST_STORE_TYPE is set here; the store is opened with the default type.

    final TrustStore created = _factory.create(TrustStore.class, trustStoreAttributes, _broker);
    final Certificate[] exposed = created.getCertificates();
    final int expected = getNumberOfCertificates(storeUrl, "jks");
    assertEquals("Unexpected number of certificates", expected, exposed.length);
}
