
Example 1 with ConfigurationStore

use of org.carapaceproxy.configstore.ConfigurationStore in project carapaceproxy by diennea.

From the class CertificatesTest, method testUploadTypedCertificatesWithDaysBeforeRenewal.

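@Test
@Parameters({ "acme", "manual" })
public void testUploadTypedCertificatesWithDaysBeforeRenewal(String type) throws Exception {
    // Exercises the admin API's "daysbeforerenewal" parameter for both certificate types:
    // accepted and persisted for "acme", rejected for "manual", rejected when negative,
    // defaulted when absent, and removed from the dynamic store when the type is switched
    // to "manual".
    configureAndStartServer();
    DynamicCertificatesManager dynCertsMan = server.getDynamicCertificatesManager();
    KeyPair endUserKeyPair = KeyPairUtils.createKeyPair(DEFAULT_KEYPAIRS_SIZE);
    Certificate[] chain = generateSampleChain(endUserKeyPair, false);
    // The uploaded payload is a keystore holding the chain AND the private key.
    byte[] chainData = createKeystore(chain, endUserKeyPair.getPrivate());
    // Server-side error messages, reproduced verbatim; the API reports validation
    // failures in the response body rather than through the status code.
    final String acmeOnlyError = "ERROR: param 'daysbeforerenewal' available for type 'acme' only";
    final String positiveError = "ERROR: param 'daysbeforerenewal' has to be a positive number";
    final boolean manual = type.equals("manual");
    try (RawHttpClient client = new RawHttpClient("localhost", DEFAULT_ADMIN_PORT)) {
        // Create
        HttpResponse resp = uploadCertificate("localhost2", "type=" + type + "&daysbeforerenewal=10", chainData, client, credentials);
        if (manual) {
            assertTrue(resp.getBodyString().contains(acmeOnlyError));
        } else {
            CertificateData data = dynCertsMan.getCertificateDataForDomain("localhost2");
            assertNotNull(data);
            assertEquals(10, data.getDaysBeforeRenewal());
        }
        // negative value: rejected for both types, with a type-specific message
        resp = uploadCertificate("localhost-negative", "type=" + type + "&daysbeforerenewal=-10", chainData, client, credentials);
        assertTrue(resp.getBodyString().contains(manual ? acmeOnlyError : positiveError));
        // default value: 0 for manual certificates, DEFAULT_DAYS_BEFORE_RENEWAL for acme
        uploadCertificate("localhost-default", "type=" + type, chainData, client, credentials);
        CertificateData data = dynCertsMan.getCertificateDataForDomain("localhost-default");
        assertNotNull(data);
        assertEquals(manual ? 0 : DEFAULT_DAYS_BEFORE_RENEWAL, data.getDaysBeforeRenewal());
        // Update
        // Fix: the original discarded this response and asserted on the stale one left
        // over from the previous negative-value upload, which only passed because that
        // body happened to carry the same message. Capture the actual update response.
        resp = uploadCertificate("localhost2", "type=" + type + "&daysbeforerenewal=45", chainData, client, credentials);
        if (manual) {
            assertTrue(resp.getBodyString().contains(acmeOnlyError));
        } else {
            data = dynCertsMan.getCertificateDataForDomain("localhost2");
            assertNotNull(data);
            assertEquals(45, data.getDaysBeforeRenewal());
        }
        // negative value on an existing certificate
        resp = uploadCertificate("localhost2", "type=" + type + "&daysbeforerenewal=-10", chainData, client, credentials);
        assertTrue(resp.getBodyString().contains(manual ? acmeOnlyError : positiveError));
        // default value on an existing certificate
        uploadCertificate("localhost2", "type=" + type, chainData, client, credentials);
        data = dynCertsMan.getCertificateDataForDomain("localhost2");
        assertNotNull(data);
        assertEquals(manual ? 0 : DEFAULT_DAYS_BEFORE_RENEWAL, data.getDaysBeforeRenewal());
        // changing the type (acme <-> manual)
        String other = manual ? "acme" : "manual";
        final boolean otherIsManual = other.equals("manual");
        uploadCertificate("localhost2", "type=" + other, chainData, client, credentials);
        data = dynCertsMan.getCertificateDataForDomain("localhost2");
        assertNotNull(data);
        assertEquals(otherIsManual ? 0 : DEFAULT_DAYS_BEFORE_RENEWAL, data.getDaysBeforeRenewal());
        // The runtime configuration must agree with what the manager reports.
        SSLCertificateConfiguration config = server.getCurrentConfiguration().getCertificates().get("localhost2");
        assertEquals(otherIsManual ? 0 : DEFAULT_DAYS_BEFORE_RENEWAL, config.getDaysBeforeRenewal());
        // checking for "certificate.X.daysbeforerenewal" property delete:
        // the property must exist in the dynamic store only while the type is "acme".
        ConfigurationStore store = server.getDynamicConfigurationStore();
        assertEquals(!otherIsManual, store.anyPropertyMatches((k, v) -> {
            if (k.matches("certificate\\.[0-9]+\\.hostname") && v.equals("localhost2")) {
                return store.getProperty(k.replace("hostname", "daysbeforerenewal"), null) != null;
            }
            return false;
        }));
    }
}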

Example 2 with ConfigurationStore

use of org.carapaceproxy.configstore.ConfigurationStore in project carapaceproxy by diennea.

From the class DynamicCertificatesManagerTest, method testWidlcardCertificateStateManagement.

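@Test
// E) challenge failed -> record deleted
@Parameters({ "challenge_creation_failed", "challenge_check_limit_expired", "challenge_ready", "challenge_verified", "challenge_failed" })
public void testWidlcardCertificateStateManagement(String runCase) throws Exception {
    // The DNS-challenge reachability-check limit is read from a JVM-wide system
    // property. The original test set it and never cleared it, so "2" leaked into
    // every test executed afterwards in the same JVM; restore the previous value
    // (or clear it) once this case is done, whether it passes or fails.
    final String limitProperty = "carapace.acme.dnschallengereachabilitycheck.limit";
    final String previousLimit = System.getProperty(limitProperty);
    System.setProperty(limitProperty, "2");
    try {
        runWildcardStateMachine(runCase);
    } finally {
        if (previousLimit == null) {
            System.clearProperty(limitProperty);
        } else {
            System.setProperty(limitProperty, previousLimit);
        }
    }
}

/**
 * Drives a wildcard ("*.localhost") ACME certificate through the manager's state
 * machine with every external collaborator mocked: ACME client, Route53 client and
 * configuration store.
 *
 * @param runCase one of the {@code @Parameters} values; selects which collaborator
 *                fails and therefore which terminal state is expected
 */
private void runWildcardStateMachine(String runCase) throws Exception {
    // ACME mocking
    ACMEClient acmeClient = mock(ACMEClient.class);
    Order order = mock(Order.class);
    when(order.getLocation()).thenReturn(new URL("https://localhost/index"));
    Login login = mock(Login.class);
    when(login.bindOrder(any())).thenReturn(order);
    when(acmeClient.getLogin()).thenReturn(login);
    when(acmeClient.createOrderForDomain(any())).thenReturn(order);
    Session session = mock(Session.class);
    Connection conn = mock(Connection.class);
    when(conn.readJsonResponse()).thenReturn(JSON.parse("{\"url\": \"https://localhost/index\", \"type\": \"dns-01\"}"));
    when(session.connect()).thenReturn(conn);
    when(login.getSession()).thenReturn(session);
    when(login.getKeyPair()).thenReturn(KeyPairUtils.createKeyPair(DEFAULT_KEYPAIRS_SIZE));
    // A wildcard name can only be validated through dns-01 (second argument "true").
    Dns01Challenge challenge = mock(Dns01Challenge.class);
    when(challenge.getDigest()).thenReturn("");
    when(challenge.getJSON()).thenReturn(JSON.parse("{\"url\": \"https://localhost/index\", \"type\": \"dns-01\", \"token\": \"mytoken\"}"));
    when(acmeClient.getChallengeForOrder(any(), eq(true))).thenReturn(challenge);
    // Only the "challenge_failed" case makes the CA report the challenge as INVALID.
    when(acmeClient.checkResponseForChallenge(any())).thenReturn(runCase.equals("challenge_failed") ? INVALID : VALID);
    KeyPair keyPair = KeyPairUtils.createKeyPair(DEFAULT_KEYPAIRS_SIZE);
    Certificate issued = mock(Certificate.class);
    X509Certificate leafCert = (X509Certificate) generateSampleChain(keyPair, false)[0];
    when(issued.getCertificateChain()).thenReturn(Arrays.asList(leafCert));
    when(acmeClient.fetchCertificateForOrder(any())).thenReturn(issued);
    HttpProxyServer parent = mock(HttpProxyServer.class);
    when(parent.getListeners()).thenReturn(mock(Listeners.class));
    DynamicCertificatesManager manager = new DynamicCertificatesManager(parent);
    manager.attachGroupMembershipHandler(new NullGroupMembershipHandler());
    Whitebox.setInternalState(manager, acmeClient);
    // Route53 client mocking: the dummy AWS credentials only exist so that the manager
    // instantiates a client, which is then replaced with the mock through reflection.
    manager.initAWSClient("access", "secret");
    Route53Client r53Client = mock(Route53Client.class);
    when(r53Client.createDnsChallengeForDomain(any(), any())).thenReturn(!runCase.startsWith("challenge_creation_failed"));
    // "challenge_creation_failed_n_reboot" is not one of the @Parameters values; the
    // condition is kept as in the original so that the mock behaves identically.
    when(r53Client.isDnsChallengeForDomainAvailable(any(), any())).thenReturn(!(runCase.equals("challenge_creation_failed_n_reboot") || runCase.equals("challenge_check_limit_expired")));
    Whitebox.setInternalState(manager, r53Client);
    // Store mocking
    ConfigurationStore store = mock(ConfigurationStore.class);
    when(store.loadKeyPairForDomain(anyString())).thenReturn(keyPair);
    // certificate to order
    String domain = "*.localhost";
    CertificateData cd1 = new CertificateData(domain, "", "", WAITING, "", "");
    when(store.loadCertificateForDomain(eq(domain))).thenReturn(cd1);
    manager.setConfigurationStore(store);
    // Manager setup
    Properties props = new Properties();
    props.setProperty("certificate.1.hostname", domain);
    props.setProperty("certificate.1.mode", "acme");
    props.setProperty("certificate.1.daysbeforerenewal", "0");
    props.setProperty("dynamiccertificatesmanager.domainschecker.ipaddresses", "127.0.0.1, 0:0:0:0:0:0:0:1");
    ConfigurationStore configStore = new PropertiesConfigurationStore(props);
    RuntimeServerConfiguration conf = new RuntimeServerConfiguration();
    conf.configure(configStore);
    manager.reloadConfiguration(conf);
    CertificateData certData = manager.getCertificateDataForDomain(domain);
    assertThat(certData.isWildcard(), is(true));
    // at every run the certificate has to be saved to the db (whether not AVAILABLE).
    int saveCounter = 0;
    // WAITING
    assertCertificateState(domain, WAITING, manager);
    manager.run();
    verify(store, times(++saveCounter)).saveCertificate(any());
    if (runCase.equals("challenge_creation_failed")) {
        // the DNS record could not be created: the manager stays in WAITING and retries later
        assertCertificateState(domain, WAITING, manager);
        return;
    }
    // DNS_CHALLENGE_WAIT
    assertCertificateState(domain, DNS_CHALLENGE_WAIT, manager);
    manager.run();
    verify(store, times(++saveCounter)).saveCertificate(any());
    if (runCase.equals("challenge_check_limit_expired")) {
        // the record never becomes visible: after the configured limit (2 checks) the
        // request fails and the dangling DNS record is cleaned up
        assertCertificateState(domain, DNS_CHALLENGE_WAIT, manager);
        manager.run();
        verify(store, times(++saveCounter)).saveCertificate(any());
        assertCertificateState(domain, REQUEST_FAILED, manager);
        // check dns-challenge-record deleted
        verify(r53Client, times(1)).deleteDnsChallengeForDomain(any(), any());
        return;
    }
    // VERIFYING
    assertCertificateState(domain, VERIFYING, manager);
    manager.run();
    verify(store, times(++saveCounter)).saveCertificate(any());
    switch (runCase) {
        case "challenge_failed":
            // REQUEST_FAILED
            assertCertificateState(domain, REQUEST_FAILED, manager);
            // check dns-challenge-record deleted
            verify(r53Client, times(1)).deleteDnsChallengeForDomain(any(), any());
            break;
        case "challenge_verified":
            // VERIFIED
            assertCertificateState(domain, VERIFIED, manager);
            // check dns-challenge-record deleted
            verify(r53Client, times(1)).deleteDnsChallengeForDomain(any(), any());
            break;
        default:
            // "challenge_ready": no terminal-state assertion in the original test
            break;
    }
}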

Example 3 with ConfigurationStore

use of org.carapaceproxy.configstore.ConfigurationStore in project carapaceproxy by diennea.

From the class StartAPIServerTest, method testCertificates.

@Test
public void testCertificates() throws Exception {
    // End-to-end check of the admin certificates API (/api/certificates, /{certId},
    // /{certId}/download) for the three certificate kinds: static (file-backed),
    // acme (dynamic, driven by the DynamicCertificatesManager) and manual (uploaded).
    final String dynDomain = "dynamic.test.tld";
    Properties properties = new Properties(HTTP_ADMIN_SERVER_CONFIG);
    // Static certificate #1: a fresh chain for "localhost", written to a PKCS#12 file.
    KeyPair endUserKeyPair = KeyPairUtils.createKeyPair(DEFAULT_KEYPAIRS_SIZE);
    Certificate[] originalChain = generateSampleChain(endUserKeyPair, false);
    X509Certificate certificate = (X509Certificate) originalChain[0];
    // The API renders the serial as upper-case hex and the expiry via Date.toString().
    String serialNumber1 = certificate.getSerialNumber().toString(16).toUpperCase();
    String expiringDate1 = certificate.getNotAfter().toString();
    byte[] keystoreData = createKeystore(originalChain, endUserKeyPair.getPrivate());
    File mock1 = tmpFolder.newFile("mock1.p12");
    Files.write(mock1.toPath(), keystoreData);
    properties.put("certificate.1.hostname", "localhost");
    properties.put("certificate.1.file", mock1.getAbsolutePath());
    properties.put("certificate.1.password", KEYSTORE_PW);
    // Static certificate #2 for "127.0.0.1". The second argument to generateSampleChain
    // is "true" here and the test later expects status "expired" for this entry, so it
    // presumably produces an already-expired chain — confirm against CertificatesTestUtils.
    endUserKeyPair = KeyPairUtils.createKeyPair(DEFAULT_KEYPAIRS_SIZE);
    originalChain = generateSampleChain(endUserKeyPair, true);
    certificate = (X509Certificate) originalChain[0];
    String serialNumber2 = certificate.getSerialNumber().toString(16).toUpperCase();
    String expiringDate2 = certificate.getNotAfter().toString();
    keystoreData = createKeystore(originalChain, endUserKeyPair.getPrivate());
    File mock2 = tmpFolder.newFile("mock2.p12");
    Files.write(mock2.toPath(), keystoreData);
    properties.put("certificate.2.hostname", "127.0.0.1");
    properties.put("certificate.2.file", mock2.getAbsolutePath());
    properties.put("certificate.2.password", KEYSTORE_PW);
    // Acme certificate
    properties.put("certificate.3.hostname", dynDomain);
    properties.put("certificate.3.mode", "acme");
    startServer(properties);
    DynamicCertificatesManager man = server.getDynamicCertificatesManager();
    // need to explicitly add 'cause DynamicCertificatesManager never run
    ConfigurationStore store = server.getDynamicConfigurationStore();
    endUserKeyPair = KeyPairUtils.createKeyPair(DEFAULT_KEYPAIRS_SIZE);
    originalChain = generateSampleChain(endUserKeyPair, false);
    certificate = (X509Certificate) originalChain[0];
    String serialNumber = certificate.getSerialNumber().toString(16).toUpperCase();
    String expiringDate = certificate.getNotAfter().toString();
    // Dynamic certificates are stored as a base64-encoded keystore (chain + private key).
    String dynChain = Base64.getEncoder().encodeToString(createKeystore(originalChain, endUserKeyPair.getPrivate()));
    store.saveCertificate(new CertificateData(dynDomain, "", dynChain, WAITING, "", ""));
    // this reloads certificates from the store
    man.setStateOfCertificate(dynDomain, WAITING);
    // Static certificates
    try (RawHttpClient client = new RawHttpClient("localhost", 8761)) {
        // full list request
        RawHttpClient.HttpResponse response = client.get("/api/certificates", credentials);
        String json = response.getBodyString();
        assertThat(json, containsString("localhost"));
        assertThat(json, containsString("\"mode\":\"static\""));
        assertThat(json, containsString("\"dynamic\":false"));
        assertThat(json, containsString("\"status\":\"available\""));
        assertThat(json, containsString("\"sslCertificateFile\":\"" + mock1.getAbsolutePath() + "\""));
        assertThat(json, containsString("\"serialNumber\":\"" + serialNumber1 + "\""));
        assertThat(json, containsString("\"expiringDate\":\"" + expiringDate1 + "\""));
        // NOTE(review): the list body is matched with plain containsString, so the
        // "mode"/"dynamic" checks below are already satisfied by the first entry and do
        // not prove anything about the 127.0.0.1 entry; only the file, serial and expiry
        // assertions are specific to it. The per-id request further down is the strict check.
        assertThat(json, containsString("127.0.0.1"));
        assertThat(json, containsString("\"mode\":\"static\""));
        assertThat(json, containsString("\"dynamic\":false"));
        assertThat(json, containsString("\"status\":\"expired\""));
        assertThat(json, containsString("\"sslCertificateFile\":\"" + mock2.getAbsolutePath() + "\""));
        assertThat(json, containsString("\"serialNumber\":\"" + serialNumber2 + "\""));
        assertThat(json, containsString("\"expiringDate\":\"" + expiringDate2 + "\""));
        // single cert request to /{certId}
        response = client.get("/api/certificates/127.0.0.1", credentials);
        json = response.getBodyString();
        assertThat(json, not(containsString("localhost")));
        assertThat(json, containsString("\"mode\":\"static\""));
        assertThat(json, containsString("\"dynamic\":false"));
        assertThat(json, containsString("\"status\":\"expired\""));
        assertThat(json, containsString("\"sslCertificateFile\":\"" + mock2.getAbsolutePath() + "\""));
        assertThat(json, containsString("\"serialNumber\":\"" + serialNumber2 + "\""));
        assertThat(json, containsString("\"expiringDate\":\"" + expiringDate2 + "\""));
    }
    // Acme certificate
    try (RawHttpClient client = new RawHttpClient("localhost", 8761)) {
        // full list request
        RawHttpClient.HttpResponse response = client.get("/api/certificates", credentials);
        String json = response.getBodyString();
        assertThat(json, containsString(dynDomain));
        assertThat(json, containsString("\"mode\":\"acme\""));
        assertThat(json, containsString("\"dynamic\":true"));
        assertThat(json, containsString("\"status\":\"waiting\""));
        assertThat(json, containsString("\"serialNumber\":\"" + serialNumber + "\""));
        assertThat(json, containsString("\"expiringDate\":\"" + expiringDate + "\""));
        // single cert request to /{certId}
        response = client.get("/api/certificates/" + dynDomain, credentials);
        json = response.getBodyString();
        assertThat(json, containsString(dynDomain));
        assertThat(json, containsString("\"mode\":\"acme\""));
        assertThat(json, containsString("\"dynamic\":true"));
        assertThat(json, containsString("\"status\":\"waiting\""));
        assertThat(json, containsString("\"serialNumber\":\"" + serialNumber + "\""));
        assertThat(json, containsString("\"expiringDate\":\"" + expiringDate + "\""));
        // Changing dynamic certificate state: every enum value must be rendered through
        // certificateStateToString in both the list and the single-cert view.
        for (DynamicCertificateState state : DynamicCertificateState.values()) {
            man.setStateOfCertificate(dynDomain, state);
            response = client.get("/api/certificates", credentials);
            json = response.getBodyString();
            assertThat(json, containsString(dynDomain));
            assertThat(json, containsString("\"mode\":\"acme\""));
            assertThat(json, containsString("\"dynamic\":true"));
            assertThat(json, containsString("\"status\":\"" + certificateStateToString(state) + "\""));
            response = client.get("/api/certificates/" + dynDomain, credentials);
            json = response.getBodyString();
            assertThat(json, containsString(dynDomain));
            assertThat(json, containsString("\"mode\":\"acme\""));
            assertThat(json, containsString("\"dynamic\":true"));
            assertThat(json, containsString("\"status\":\"" + certificateStateToString(state) + "\""));
        }
        // Downloading
        CertificateData cert = store.loadCertificateForDomain(dynDomain);
        // The replacement keystore pairs the existing chain with the private key of a
        // brand-new key pair, so key and certificate do not match. That is fine for a
        // byte-for-byte round-trip check but the blob is not a usable identity.
        byte[] newKeystore = createKeystore(generateSampleChain(endUserKeyPair, false), KeyPairUtils.createKeyPair(DEFAULT_KEYPAIRS_SIZE).getPrivate());
        cert.setChain(Base64.getEncoder().encodeToString(newKeystore));
        store.saveCertificate(cert);
        man.setStateOfCertificate(dynDomain, DynamicCertificateState.AVAILABLE);
        // NOTE(review): /download returns the stored keystore bytes, i.e. the private key
        // material saved above, to any caller presenting `credentials`. Confirm the admin
        // endpoint is reachable only with admin credentials and over TLS in deployments.
        response = client.get("/api/certificates/" + dynDomain + "/download", credentials);
        assertTrue(Arrays.equals(newKeystore, response.getBody()));
    }
    // Manual certificate
    try (RawHttpClient client = new RawHttpClient("localhost", 8761)) {
        String manualDomain = "manual.test.tld";
        int certsCount = server.getCurrentConfiguration().getCertificates().size();
        // Uploading trash-stuff: a payload that is not a keystore must be rejected with
        // an "ERROR" body (the exact message is not pinned here).
        RawHttpClient.HttpResponse resp = uploadCertificate(manualDomain, null, "fake-chain".getBytes(), client, credentials);
        String s = resp.getBodyString();
        assertTrue(s.contains("ERROR"));
        // Uploading real certificate
        endUserKeyPair = KeyPairUtils.createKeyPair(DEFAULT_KEYPAIRS_SIZE);
        originalChain = generateSampleChain(endUserKeyPair, false);
        certificate = (X509Certificate) originalChain[0];
        serialNumber = certificate.getSerialNumber().toString(16).toUpperCase();
        expiringDate = certificate.getNotAfter().toString();
        byte[] chain1 = createKeystore(originalChain, endUserKeyPair.getPrivate());
        resp = uploadCertificate(manualDomain, null, chain1, client, credentials);
        s = resp.getBodyString();
        assertTrue(s.contains("SUCCESS"));
        // A successful upload of a new domain adds exactly one certificate entry.
        int certsCount2 = server.getCurrentConfiguration().getCertificates().size();
        assertEquals(certsCount + 1, certsCount2);
        // full list request
        RawHttpClient.HttpResponse response = client.get("/api/certificates", credentials);
        String json = response.getBodyString();
        assertThat(json, containsString(manualDomain));
        assertThat(json, containsString("\"mode\":\"manual\""));
        assertThat(json, containsString("\"dynamic\":true"));
        assertThat(json, containsString("\"status\":\"available\""));
        assertThat(json, containsString("\"serialNumber\":\"" + serialNumber + "\""));
        assertThat(json, containsString("\"expiringDate\":\"" + expiringDate + "\""));
        // single cert request to /{certId}
        response = client.get("/api/certificates/" + manualDomain, credentials);
        json = response.getBodyString();
        assertThat(json, containsString(manualDomain));
        assertThat(json, containsString("\"mode\":\"manual\""));
        assertThat(json, containsString("\"dynamic\":true"));
        assertThat(json, containsString("\"status\":\"available\""));
        assertThat(json, containsString("\"serialNumber\":\"" + serialNumber + "\""));
        assertThat(json, containsString("\"expiringDate\":\"" + expiringDate + "\""));
        // Downloading: the uploaded keystore (with private key) comes back unchanged.
        response = client.get("/api/certificates/" + manualDomain + "/download", credentials);
        assertTrue(Arrays.equals(chain1, response.getBody()));
        // Certificate updating
        // Uploading a second (expired, see the "true" flag) chain for the same domain.
        endUserKeyPair = KeyPairUtils.createKeyPair(DEFAULT_KEYPAIRS_SIZE);
        originalChain = generateSampleChain(endUserKeyPair, true);
        certificate = (X509Certificate) originalChain[0];
        serialNumber = certificate.getSerialNumber().toString(16).toUpperCase();
        expiringDate = certificate.getNotAfter().toString();
        byte[] chain2 = createKeystore(originalChain, endUserKeyPair.getPrivate());
        assertFalse(Arrays.equals(chain1, chain2));
        resp = uploadCertificate(manualDomain, null, chain2, client, credentials);
        s = resp.getBodyString();
        assertTrue(s.contains("SUCCESS"));
        // check properties (certificate) not duplicated
        int certsCount3 = server.getCurrentConfiguration().getCertificates().size();
        assertEquals(certsCount2, certsCount3);
        // full list request
        response = client.get("/api/certificates", credentials);
        json = response.getBodyString();
        assertThat(json, containsString(manualDomain));
        assertThat(json, containsString("\"mode\":\"manual\""));
        assertThat(json, containsString("\"dynamic\":true"));
        assertThat(json, containsString("\"status\":\"expired\""));
        assertThat(json, containsString("\"serialNumber\":\"" + serialNumber + "\""));
        assertThat(json, containsString("\"expiringDate\":\"" + expiringDate + "\""));
        // single cert request to /{certId}
        response = client.get("/api/certificates/" + manualDomain, credentials);
        json = response.getBodyString();
        assertThat(json, containsString(manualDomain));
        assertThat(json, containsString("\"mode\":\"manual\""));
        assertThat(json, containsString("\"dynamic\":true"));
        assertThat(json, containsString("\"status\":\"expired\""));
        assertThat(json, containsString("\"serialNumber\":\"" + serialNumber + "\""));
        assertThat(json, containsString("\"expiringDate\":\"" + expiringDate + "\""));
        // Downloading: the update must replace, not append to, the stored keystore.
        response = client.get("/api/certificates/" + manualDomain + "/download", credentials);
        assertTrue(Arrays.equals(chain2, response.getBody()));
    }
}

Example 4 with ConfigurationStore

use of org.carapaceproxy.configstore.ConfigurationStore in project carapaceproxy by diennea.

From the class ServerMain, method main.

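/**
 * Process entry point.
 *
 * <p>Every non-empty argument is treated as a properties file and loaded, in order, into one
 * shared {@link Properties} object (later files override keys of earlier ones); the base path
 * becomes the grandparent directory of the last file loaded. Without arguments
 * {@code conf/server.properties} (relative to the working directory) is used when present.
 * The resulting store is wrapped in a {@link PropertiesConfigurationStore} and the server is
 * started and joined. Any failure terminates the JVM with exit status 1.
 *
 * @param args zero or more paths to properties files
 */
public static void main(String... args) {
    try {
        Properties configuration = new Properties();
        File basePath = new File(System.getProperty("user.dir", "."));
        boolean configFileFromParameter = false;
        for (String arg : args) {
            if (arg.isEmpty()) {
                continue;
            }
            File configFile = new File(arg).getAbsoluteFile();
            // Logged at SEVERE in the original, presumably so it is visible before the
            // logging configuration is read below; kept unchanged.
            LOG.log(Level.SEVERE, "Reading configuration from {0}", configFile);
            try (InputStreamReader reader = new InputStreamReader(new FileInputStream(configFile), StandardCharsets.UTF_8)) {
                configuration.load(reader);
            }
            // getAbsoluteFile() guarantees a parent; the grandparent is the install root.
            basePath = configFile.getParentFile().getParentFile();
            configFileFromParameter = true;
        }
        if (!configFileFromParameter) {
            File configFile = new File("conf/server.properties").getAbsoluteFile();
            System.out.println("Reading configuration from " + configFile);
            if (configFile.isFile()) {
                try (InputStreamReader reader = new InputStreamReader(new FileInputStream(configFile), StandardCharsets.UTF_8)) {
                    configuration.load(reader);
                }
                basePath = configFile.getParentFile().getParentFile();
            }
        }
        LogManager.getLogManager().readConfiguration();
        Thread.setDefaultUncaughtExceptionHandler((Thread arg0, Throwable arg1) -> {
            LOG.log(Level.SEVERE, "Uncaught error, thread " + arg0, arg1);
        });
        Runtime.getRuntime().addShutdownHook(new Thread("ctrlc-hook") {

            @Override
            public void run() {
                System.out.println("Ctrl-C trapped. Shutting down");
                ServerMain _brokerMain = runningInstance;
                if (_brokerMain != null) {
                    _brokerMain.close();
                }
            }
        });
        ConfigurationStore configurationStore = new PropertiesConfigurationStore(configuration);
        runningInstance = new ServerMain(configurationStore, basePath);
        runningInstance.start();
        runningInstance.join();
    } catch (Exception t) {
        // Fix: the original exited silently, discarding the cause (missing config file,
        // bad property, port already bound, ...). Record it before terminating so that an
        // operator can tell why the process died.
        LOG.log(Level.SEVERE, "Fatal error during startup, exiting", t);
        System.exit(1);
    }
}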

Example 5 with ConfigurationStore

use of org.carapaceproxy.configstore.ConfigurationStore in project carapaceproxy by diennea.

the class HttpProxyServer method applyDynamicConfiguration.

/**
 * Builds a runtime configuration from a {@link ConfigurationStore} and pushes it
 * to every component of the server.
 *
 * <p>At boot ({@code atBoot == true}) the configuration is read from the
 * already-initialised {@code dynamicConfigurationStore} and
 * {@code newConfigurationStore} must be {@code null}; after boot a non-null
 * {@code newConfigurationStore} is required and, once every component has
 * accepted it, is committed into {@code dynamicConfigurationStore}.
 *
 * <p>The whole application runs under {@code configurationLock}; a concurrent
 * change is rejected immediately rather than queued.
 *
 * @param newConfigurationStore the store holding the configuration to apply
 *                              ({@code null} at boot)
 * @param atBoot                whether this is the initial configuration load
 * @throws IllegalStateException if the two parameters disagree (see above), or if
 *                               the built configuration is reported as not valid
 * @throws ConfigurationChangeInProgressException if another change currently holds the lock
 * @throws InterruptedException declared by the contract; presumably propagated by one
 *                              of the reload callees — not visible here
 */
private void applyDynamicConfiguration(ConfigurationStore newConfigurationStore, boolean atBoot) throws InterruptedException, ConfigurationChangeInProgressException {
    // Exactly one of "booting" / "store supplied" must hold: a store at boot, or
    // no store after boot, is a caller bug.
    if (atBoot == (newConfigurationStore != null)) {
        throw new IllegalStateException();
    }
    // While booting the configuration comes from the persistent store; afterwards
    // only the supplied store is applied.
    ConfigurationStore effectiveStore = atBoot ? dynamicConfigurationStore : newConfigurationStore;
    if (!configurationLock.tryLock()) {
        // Non-blocking: callers get an explicit "busy" signal instead of waiting.
        throw new ConfigurationChangeInProgressException();
    }
    try {
        RuntimeServerConfiguration builtConfiguration = buildValidConfiguration(effectiveStore);
        EndpointMapper builtMapper = buildMapper(builtConfiguration.getMapperClassname(), effectiveStore);
        builtMapper.setParent(this);
        UserRealm builtRealm = buildRealm(userRealmClassname, effectiveStore);

        // Hand the new configuration to each subsystem, keeping the established order.
        // NOTE(review): these are separate field writes, not one atomic publication;
        // confirm that request-handling code tolerates observing a partially applied
        // reload (e.g. new filters with the previous realm/mapper still in place).
        this.filters = buildFilters(builtConfiguration);
        this.backendHealthManager.reloadConfiguration(builtConfiguration, builtMapper);
        this.dynamicCertificatesManager.reloadConfiguration(builtConfiguration);
        this.ocspStaplingManager.reloadConfiguration(builtConfiguration);
        this.listeners.reloadConfiguration(builtConfiguration);
        this.cache.reloadConfiguration(builtConfiguration);
        this.requestsLogger.reloadConfiguration(builtConfiguration);
        this.realm = builtRealm;

        Map<String, BackendConfiguration> previousBackends = (mapper == null) ? Collections.emptyMap() : mapper.getBackends();
        Map<String, BackendConfiguration> upcomingBackends = builtMapper.getBackends();
        this.mapper = builtMapper;

        // The request manager (and the metrics registries it feeds) is rebuilt only
        // at boot or when the backend set / connection settings actually changed.
        if (atBoot || !upcomingBackends.equals(previousBackends) || isConnectionsConfigurationChanged(builtConfiguration)) {
            prometheusRegistry.clear();
            Metrics.globalRegistry.clear();
            proxyRequestsManager.reloadConfiguration(builtConfiguration, upcomingBackends.values());
        }
        if (!atBoot) {
            // Persist the accepted configuration only after every component took it.
            dynamicConfigurationStore.commitConfiguration(newConfigurationStore);
        }
        this.currentConfiguration = builtConfiguration;
    } catch (ConfigurationNotValidException err) {
        // buildValidConfiguration is expected to have rejected invalid input already,
        // so reaching this branch indicates an internal inconsistency.
        throw new IllegalStateException(err);
    } finally {
        configurationLock.unlock();
    }
}
