

Class DynamicCertificatesManagerTest, method testWidlcardCertificateStateManagement:

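/**
 * Drives a wildcard certificate ("*.localhost") through the dns-01 part of the manager's
 * state machine, with the ACME client, the Route53 client and the store all mocked.
 *
 * <p>Scenarios, as asserted in the body:
 * <ul>
 *   <li>{@code challenge_creation_failed}: Route53 refuses to create the TXT record, the
 *       certificate stays WAITING;</li>
 *   <li>{@code challenge_check_limit_expired}: the record never becomes visible; after the
 *       configured reachability-check limit (2) the request is REQUEST_FAILED and the record is
 *       deleted;</li>
 *   <li>{@code challenge_ready}: the record is visible and the state reaches VERIFYING (nothing
 *       beyond the save count is asserted after that);</li>
 *   <li>{@code challenge_verified}: the challenge response is VALID, state VERIFIED, record
 *       deleted;</li>
 *   <li>{@code challenge_failed}: the challenge response is INVALID, state REQUEST_FAILED,
 *       record deleted.</li>
 * </ul>
 *
 * <p>Every {@code run()} must persist the certificate (the save counter), since it is never
 * AVAILABLE in these scenarios.
 *
 * @param runCase the scenario to run
 * @throws Exception on any mocking or manager failure
 */
@Test
@Parameters({ "challenge_creation_failed", "challenge_check_limit_expired", "challenge_ready", "challenge_verified", "challenge_failed" })
public void testWidlcardCertificateStateManagement(String runCase) throws Exception {
    // The reachability-check limit is a JVM-wide system property: set it for this run only and
    // restore the previous value afterwards so the setting cannot leak into other tests.
    String limitProperty = "carapace.acme.dnschallengereachabilitycheck.limit";
    String previousLimit = System.getProperty(limitProperty);
    System.setProperty(limitProperty, "2");
    try {
        // ACME mocking
        ACMEClient ac = mock(ACMEClient.class);
        Order o = mock(Order.class);
        when(o.getLocation()).thenReturn(new URL("https://localhost/index"));
        Login login = mock(Login.class);
        when(login.bindOrder(any())).thenReturn(o);
        when(ac.getLogin()).thenReturn(login);
        when(ac.createOrderForDomain(any())).thenReturn(o);
        Session session = mock(Session.class);
        Connection conn = mock(Connection.class);
        when(conn.readJsonResponse()).thenReturn(JSON.parse("{\"url\": \"https://localhost/index\", \"type\": \"dns-01\"}"));
        when(session.connect()).thenReturn(conn);
        when(login.getSession()).thenReturn(session);
        when(login.getKeyPair()).thenReturn(KeyPairUtils.createKeyPair(DEFAULT_KEYPAIRS_SIZE));
        Dns01Challenge c = mock(Dns01Challenge.class);
        when(c.getDigest()).thenReturn("");
        when(c.getJSON()).thenReturn(JSON.parse("{\"url\": \"https://localhost/index\", \"type\": \"dns-01\", \"token\": \"mytoken\"}"));
        // the wildcard case asks for the dns-01 challenge (second argument true)
        when(ac.getChallengeForOrder(any(), eq(true))).thenReturn(c);
        when(ac.checkResponseForChallenge(any())).thenReturn(runCase.equals("challenge_failed") ? INVALID : VALID);
        KeyPair keyPair = KeyPairUtils.createKeyPair(DEFAULT_KEYPAIRS_SIZE);
        Certificate cert = mock(Certificate.class);
        X509Certificate _cert = (X509Certificate) generateSampleChain(keyPair, false)[0];
        when(cert.getCertificateChain()).thenReturn(Arrays.asList(_cert));
        when(ac.fetchCertificateForOrder(any())).thenReturn(cert);
        HttpProxyServer parent = mock(HttpProxyServer.class);
        when(parent.getListeners()).thenReturn(mock(Listeners.class));
        DynamicCertificatesManager man = new DynamicCertificatesManager(parent);
        man.attachGroupMembershipHandler(new NullGroupMembershipHandler());
        Whitebox.setInternalState(man, ac);
        // Route53 client mocking: initAWSClient builds the real client, which is then replaced
        // by the mock through Whitebox.
        man.initAWSClient("access", "secret");
        Route53Client r53Client = mock(Route53Client.class);
        when(r53Client.createDnsChallengeForDomain(any(), any())).thenReturn(!runCase.startsWith("challenge_creation_failed"));
        // NOTE: "challenge_creation_failed_n_reboot" is not among the @Parameters above, so only
        // "challenge_check_limit_expired" actually makes the record unavailable here.
        when(r53Client.isDnsChallengeForDomainAvailable(any(), any())).thenReturn(!(runCase.equals("challenge_creation_failed_n_reboot") || runCase.equals("challenge_check_limit_expired")));
        Whitebox.setInternalState(man, r53Client);
        // Store mocking
        ConfigurationStore store = mock(ConfigurationStore.class);
        when(store.loadKeyPairForDomain(anyString())).thenReturn(keyPair);
        // certificate to order
        String domain = "*.localhost";
        CertificateData cd1 = new CertificateData(domain, "", "", WAITING, "", "");
        when(store.loadCertificateForDomain(eq(domain))).thenReturn(cd1);
        man.setConfigurationStore(store);
        // Manager setup
        Properties props = new Properties();
        props.setProperty("certificate.1.hostname", domain);
        props.setProperty("certificate.1.mode", "acme");
        props.setProperty("certificate.1.daysbeforerenewal", "0");
        props.setProperty("dynamiccertificatesmanager.domainschecker.ipaddresses", "127.0.0.1, 0:0:0:0:0:0:0:1");
        ConfigurationStore configStore = new PropertiesConfigurationStore(props);
        RuntimeServerConfiguration conf = new RuntimeServerConfiguration();
        conf.configure(configStore);
        man.reloadConfiguration(conf);
        CertificateData certData = man.getCertificateDataForDomain(domain);
        assertThat(certData.isWildcard(), is(true));
        // at every run the certificate has to be saved to the db (whenever it is not AVAILABLE).
        int saveCounter = 0;
        // WAITING
        assertCertificateState(domain, WAITING, man);
        man.run();
        verify(store, times(++saveCounter)).saveCertificate(any());
        if (runCase.equals("challenge_creation_failed")) {
            // record creation failed: still WAITING
            assertCertificateState(domain, WAITING, man);
        } else {
            // DNS_CHALLENGE_WAIT
            assertCertificateState(domain, DNS_CHALLENGE_WAIT, man);
            man.run();
            verify(store, times(++saveCounter)).saveCertificate(any());
            if (runCase.equals("challenge_check_limit_expired")) {
                // first check fails, limit (2) not yet reached
                assertCertificateState(domain, DNS_CHALLENGE_WAIT, man);
                man.run();
                verify(store, times(++saveCounter)).saveCertificate(any());
                // second check fails: limit reached
                assertCertificateState(domain, REQUEST_FAILED, man);
                // check dns-challenge-record deleted
                verify(r53Client, times(1)).deleteDnsChallengeForDomain(any(), any());
            } else {
                // VERIFYING
                assertCertificateState(domain, VERIFYING, man);
                man.run();
                verify(store, times(++saveCounter)).saveCertificate(any());
                if (runCase.equals("challenge_failed")) {
                    // REQUEST_FAILED
                    assertCertificateState(domain, REQUEST_FAILED, man);
                    // check dns-challenge-record deleted
                    verify(r53Client, times(1)).deleteDnsChallengeForDomain(any(), any());
                } else if (runCase.equals("challenge_verified")) {
                    // VERIFIED
                    assertCertificateState(domain, VERIFIED, man);
                    // check dns-challenge-record deleted
                    verify(r53Client, times(1)).deleteDnsChallengeForDomain(any(), any());
                }
            }
        }
    } finally {
        if (previousLimit == null) {
            System.clearProperty(limitProperty);
        } else {
            System.setProperty(limitProperty, previousLimit);
        }
    }
}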

Class DynamicCertificatesManagerTest, method testCertificateStateManagement:

/**
 * Drives an http-01 ACME certificate ("localhost1") through the manager's state machine and
 * checks that every {@code run()} persists the certificate (save counter) unless the certificate
 * is already AVAILABLE.
 *
 * <p>The mocked store also holds an already AVAILABLE acme certificate ("localhost0"), a manual
 * certificate with a chain ("manual") and a manual certificate with an empty chain
 * ("emptymanual"). "manual" is forced to WAITING and, per the save counter, must not be renewed
 * by the manager.
 *
 * <p>{@code runCase} selects the failure injected into the ACME mocks: a null challenge, an
 * INVALID challenge response, an order that is already VALID, a failing
 * {@code orderCertificate}, an INVALID order response, a sample chain built with the "expired"
 * flag, or no failure at all.
 *
 * @param runCase the scenario to run
 * @throws Exception on any mocking or manager failure
 */
@Test
@Parameters({ "challenge_null", "challenge_status_invalid", "order_already_valid", "order_finalization_error", "order_response_error", "available_to_expired", "all_ok" })
public void testCertificateStateManagement(String runCase) throws Exception {
    // ACME mocking
    ACMEClient ac = mock(ACMEClient.class);
    Order o = mock(Order.class);
    when(o.getLocation()).thenReturn(new URL("https://localhost/index"));
    if (runCase.equals("order_already_valid")) {
        // the bound order already reports VALID before any finalization
        when(o.getStatus()).thenReturn(Status.VALID);
    }
    Login login = mock(Login.class);
    when(login.bindOrder(any())).thenReturn(o);
    when(ac.getLogin()).thenReturn(login);
    when(ac.createOrderForDomain(any())).thenReturn(o);
    Http01Challenge c = mock(Http01Challenge.class);
    when(c.getToken()).thenReturn("");
    when(c.getJSON()).thenReturn(JSON.parse("{\"url\": \"https://localhost/index\", \"type\": \"http-01\", \"token\": \"mytoken\"}"));
    when(c.getAuthorization()).thenReturn("");
    // non-wildcard domain: the http-01 challenge is requested (second argument false)
    when(ac.getChallengeForOrder(any(), eq(false))).thenReturn(runCase.equals("challenge_null") ? null : c);
    when(ac.checkResponseForChallenge(any())).thenReturn(runCase.equals("challenge_status_invalid") ? INVALID : VALID);
    when(ac.checkResponseForOrder(any())).thenReturn(runCase.equals("order_response_error") ? INVALID : VALID);
    if (runCase.equals("order_already_valid") || runCase.equals("order_finalization_error")) {
        // finalizing the order fails in both of these cases
        doThrow(AcmeException.class).when(ac).orderCertificate(any(), any());
    }
    KeyPair keyPair = KeyPairUtils.createKeyPair(DEFAULT_KEYPAIRS_SIZE);
    Certificate cert = mock(Certificate.class);
    // presumably the boolean asks generateSampleChain for an already-expired chain — confirm
    X509Certificate _cert = (X509Certificate) generateSampleChain(keyPair, runCase.equals("available_to_expired"))[0];
    when(cert.getCertificateChain()).thenReturn(Arrays.asList(_cert));
    when(ac.fetchCertificateForOrder(any())).thenReturn(cert);
    HttpProxyServer parent = mock(HttpProxyServer.class);
    when(parent.getListeners()).thenReturn(mock(Listeners.class));
    DynamicCertificatesManager man = new DynamicCertificatesManager(parent);
    man.attachGroupMembershipHandler(new NullGroupMembershipHandler());
    Whitebox.setInternalState(man, ac);
    // Store mocking
    ConfigurationStore store = mock(ConfigurationStore.class);
    String chain = base64EncodeCertificateChain(generateSampleChain(keyPair, false), keyPair.getPrivate());
    when(store.loadKeyPairForDomain(anyString())).thenReturn(keyPair);
    // yet available certificate
    String d0 = "localhost0";
    CertificateData cd0 = new CertificateData(d0, "", chain, AVAILABLE, "", "");
    when(store.loadCertificateForDomain(eq(d0))).thenReturn(cd0);
    // certificate to order
    String d1 = "localhost1";
    CertificateData cd1 = new CertificateData(d1, "", "", WAITING, "", "");
    when(store.loadCertificateForDomain(eq(d1))).thenReturn(cd1);
    // NOTE(review): setConfigurationStore is called again below after the manual certificates
    // are stubbed; presumably idempotent on a mock store — confirm
    man.setConfigurationStore(store);
    // manual certificate
    String d2 = "manual";
    CertificateData cd2 = new CertificateData(d2, "", chain, AVAILABLE, "", "");
    when(store.loadCertificateForDomain(eq(d2))).thenReturn(cd2);
    // empty manual certificate
    String d3 = "emptymanual";
    CertificateData cd3 = new CertificateData(d3, "", "", AVAILABLE, "", "");
    when(store.loadCertificateForDomain(eq(d3))).thenReturn(cd3);
    man.setConfigurationStore(store);
    // Manager setup
    Properties props = new Properties();
    props.setProperty("certificate.0.hostname", d0);
    props.setProperty("certificate.0.mode", "acme");
    props.setProperty("certificate.0.daysbeforerenewal", "0");
    props.setProperty("certificate.1.hostname", d1);
    props.setProperty("certificate.1.mode", "acme");
    props.setProperty("certificate.1.daysbeforerenewal", "0");
    props.setProperty("certificate.2.hostname", d2);
    props.setProperty("certificate.2.mode", "manual");
    props.setProperty("certificate.2.daysbeforerenewal", "0");
    props.setProperty("certificate.3.hostname", d3);
    props.setProperty("certificate.3.mode", "manual");
    props.setProperty("certificate.3.daysbeforerenewal", "0");
    ConfigurationStore configStore = new PropertiesConfigurationStore(props);
    RuntimeServerConfiguration conf = new RuntimeServerConfiguration();
    conf.configure(configStore);
    man.reloadConfiguration(conf);
    assertCertificateState(d0, AVAILABLE, man);
    assertCertificateState(d2, AVAILABLE, man);
    assertCertificateState(d3, AVAILABLE, man);
    assertNotNull(man.getCertificateForDomain(d2));
    // empty chain: no certificate object
    assertNull(man.getCertificateForDomain(d3));
    // has not to be renewed by the manager (saveCounter = 1)
    man.setStateOfCertificate(d2, WAITING);
    assertCertificateState(d2, WAITING, man);
    // at every run the certificate has to be saved to the db (whenever it is not AVAILABLE).
    int saveCounter = 1;
    // WAITING
    assertCertificateState(d1, WAITING, man);
    man.run();
    verify(store, times(++saveCounter)).saveCertificate(any());
    // a null challenge skips straight to VERIFIED
    assertCertificateState(d1, runCase.equals("challenge_null") ? VERIFIED : VERIFYING, man);
    man.run();
    verify(store, times(++saveCounter)).saveCertificate(any());
    if (runCase.equals("challenge_null")) {
        // VERIFIED (state before this run): the run moves it to ORDERING
        assertCertificateState(d1, ORDERING, man);
    } else {
        // VERIFYING (state before this run)
        assertCertificateState(d1, runCase.equals("challenge_status_invalid") ? REQUEST_FAILED : VERIFIED, man);
        man.run();
        verify(store, times(++saveCounter)).saveCertificate(any());
        if (runCase.equals("challenge_status_invalid")) {
            // REQUEST_FAILED goes back to WAITING; nothing more to check for this case
            assertCertificateState(d1, WAITING, man);
            return;
        } else if (runCase.equals("order_finalization_error")) {
            assertCertificateState(d1, REQUEST_FAILED, man);
            man.run();
            verify(store, times(++saveCounter)).saveCertificate(any());
            // REQUEST_FAILED goes back to WAITING; nothing more to check for this case
            assertCertificateState(d1, WAITING, man);
            return;
        } else {
            assertCertificateState(d1, ORDERING, man);
        }
    }
    // ORDERING
    man.run();
    verify(store, times(++saveCounter)).saveCertificate(any());
    assertCertificateState(d1, runCase.equals("order_response_error") ? REQUEST_FAILED : AVAILABLE, man);
    man.run();
    if (runCase.equals("order_response_error")) {
        // REQUEST_FAILED
        verify(store, times(++saveCounter)).saveCertificate(any());
        assertCertificateState(d1, WAITING, man);
    } else {
        // AVAILABLE
        DynamicCertificateState state = man.getStateOfCertificate(d1);
        // only with state AVAILABLE the certificate hasn't to be saved.
        saveCounter += AVAILABLE.equals(state) ? 0 : 1;
        verify(store, times(saveCounter)).saveCertificate(any());
        assertCertificateState(d1, runCase.equals("available_to_expired") ? EXPIRED : AVAILABLE, man);
        man.run();
        state = man.getStateOfCertificate(d1);
        // only with state AVAILABLE the certificate hasn't to be saved.
        saveCounter += AVAILABLE.equals(state) ? 0 : 1;
        verify(store, times(saveCounter)).saveCertificate(any());
        // an EXPIRED certificate is re-queued as WAITING on the next run
        assertCertificateState(d1, runCase.equals("available_to_expired") ? WAITING : AVAILABLE, man);
    }
}

Class DynamicCertificatesManagerTest, method testDomainReachabilityCheck:

/**
 * Checks the domain reachability step that runs before an http-01 challenge is attempted.
 *
 * <p>All three cases order a certificate for "localhost". Without an IP-address check, or with
 * a check listing both the IPv4 and IPv6 loopback addresses, the first {@code run()} reaches
 * VERIFIED; with a check listing only "127.0.0.1" the certificate stays DOMAIN_UNREACHABLE
 * across two runs. Every run is expected to persist the certificate (save counter).
 *
 * @param domainCase the scenario to run
 * @throws Exception on any mocking or manager failure
 */
@Test
@Parameters({ "localhost-no-ip-check", "localhost-ip-check-partial", "localhost-ip-check-full" })
public void testDomainReachabilityCheck(String domainCase) throws Exception {
    final String domain;
    if (domainCase.contains("localhost")) {
        domain = "localhost";
    } else {
        domain = domainCase;
    }
    boolean partialIpCheck = domainCase.equals("localhost-ip-check-partial");
    boolean fullIpCheck = domainCase.equals("localhost-ip-check-full");
    // ACME mocking
    ACMEClient acmeClient = mock(ACMEClient.class);
    Order order = mock(Order.class);
    when(order.getLocation()).thenReturn(new URL("https://localhost/index"));
    Login acmeLogin = mock(Login.class);
    when(acmeLogin.bindOrder(any())).thenReturn(order);
    when(acmeClient.getLogin()).thenReturn(acmeLogin);
    when(acmeClient.createOrderForDomain(any())).thenReturn(order);
    Session acmeSession = mock(Session.class);
    when(acmeSession.connect()).thenReturn(mock(Connection.class));
    when(acmeLogin.getSession()).thenReturn(acmeSession);
    when(acmeLogin.getKeyPair()).thenReturn(KeyPairUtils.createKeyPair(DEFAULT_KEYPAIRS_SIZE));
    Http01Challenge httpChallenge = mock(Http01Challenge.class);
    when(httpChallenge.getToken()).thenReturn("");
    when(httpChallenge.getJSON()).thenReturn(JSON.parse("{\"url\": \"https://localhost/index\", \"type\": \"http-01\", \"token\": \"mytoken\"}"));
    when(httpChallenge.getAuthorization()).thenReturn("");
    when(acmeClient.getChallengeForOrder(any(), eq(true))).thenReturn(httpChallenge);
    when(acmeClient.checkResponseForChallenge(any())).thenReturn(VALID);
    KeyPair domainKeyPair = KeyPairUtils.createKeyPair(DEFAULT_KEYPAIRS_SIZE);
    Certificate acmeCertificate = mock(Certificate.class);
    X509Certificate leafCert = (X509Certificate) generateSampleChain(domainKeyPair, false)[0];
    when(acmeCertificate.getCertificateChain()).thenReturn(Arrays.asList(leafCert));
    when(acmeClient.fetchCertificateForOrder(any())).thenReturn(acmeCertificate);
    HttpProxyServer proxyServer = mock(HttpProxyServer.class);
    when(proxyServer.getListeners()).thenReturn(mock(Listeners.class));
    DynamicCertificatesManager manager = new DynamicCertificatesManager(proxyServer);
    manager.attachGroupMembershipHandler(new NullGroupMembershipHandler());
    Whitebox.setInternalState(manager, acmeClient);
    // Store mocking
    ConfigurationStore certStore = mock(ConfigurationStore.class);
    when(certStore.loadKeyPairForDomain(anyString())).thenReturn(domainKeyPair);
    // certificate to order
    CertificateData waitingCert = new CertificateData(domain, "", "", WAITING, "", "");
    when(certStore.loadCertificateForDomain(eq(domain))).thenReturn(waitingCert);
    manager.setConfigurationStore(certStore);
    // Properties setup
    Properties properties = new Properties();
    properties.setProperty("certificate.1.hostname", domain);
    properties.setProperty("certificate.1.mode", "acme");
    // the address list the domain checker must resolve the domain to (absent: no check)
    if (partialIpCheck) {
        properties.setProperty("dynamiccertificatesmanager.domainschecker.ipaddresses", "127.0.0.1");
    } else if (fullIpCheck) {
        properties.setProperty("dynamiccertificatesmanager.domainschecker.ipaddresses", "127.0.0.1, 0:0:0:0:0:0:0:1");
    }
    ConfigurationStore propertiesStore = new PropertiesConfigurationStore(properties);
    RuntimeServerConfiguration runtimeConf = new RuntimeServerConfiguration();
    runtimeConf.configure(propertiesStore);
    manager.reloadConfiguration(runtimeConf);
    // every run has to save the certificate to the db (it is never AVAILABLE here)
    int expectedSaves = 0;
    // WAITING
    assertCertificateState(domain, WAITING, manager);
    // checking domain
    manager.run();
    expectedSaves++;
    verify(certStore, times(expectedSaves)).saveCertificate(any());
    if (!partialIpCheck) {
        assertCertificateState(domain, VERIFIED, manager);
        return;
    }
    // only 127.0.0.1 listed: the domain is reported unreachable, and stays so on the next run
    assertCertificateState(domain, DOMAIN_UNREACHABLE, manager);
    manager.run();
    expectedSaves++;
    verify(certStore, times(expectedSaves)).saveCertificate(any());
    assertCertificateState(domain, DOMAIN_UNREACHABLE, manager);
}

Class HttpProxyServer, method initGroupMembership:

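/**
 * Installs the group-membership handler for this server.
 *
 * <p>With {@code cluster} enabled a ZooKeeper-backed handler is created, carrying this peer's
 * admin endpoint (host, HTTP port, HTTPS port) as the peer info handed to the other cluster
 * members; otherwise a {@link NullGroupMembershipHandler} (no clustering) is used.
 *
 * @throws ConfigurationNotValidException propagated from the ZooKeeper handler construction
 */
private void initGroupMembership() throws ConfigurationNotValidException {
    if (cluster) {
        // typed map instead of the raw HashMap: same contents, no unchecked warning
        Map<String, String> peerInfo = new HashMap<>();
        peerInfo.put(PROPERTY_PEER_ADMIN_SERVER_HOST, adminAdvertisedServerHost);
        peerInfo.put(PROPERTY_PEER_ADMIN_SERVER_PORT, String.valueOf(adminServerHttpPort));
        peerInfo.put(PROPERTY_PEER_ADMIN_SERVER_HTTPS_PORT, String.valueOf(adminServerHttpsPort));
        this.groupMembershipHandler = new ZooKeeperGroupMembershipHandler(zkAddress, zkTimeout, zkSecure, peerId, peerInfo, zkProperties);
    } else {
        this.groupMembershipHandler = new NullGroupMembershipHandler();
    }
}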