From 3007b77f1b33d31c6bfc5ddf6e5434ca87f40078 Mon Sep 17 00:00:00 2001 From: Henry Avetisyan Date: Fri, 24 May 2024 13:29:35 -0700 Subject: [PATCH] remove dependency on jetty from client libraries Signed-off-by: Henry Avetisyan --- libs/java/client_common/pom.xml | 6 - .../yahoo/athenz/common/utils/SSLUtils.java | 2 +- .../athenz/common/utils/SSLUtilsTest.java | 201 ++++-------------- 3 files changed, 42 insertions(+), 167 deletions(-) diff --git a/libs/java/client_common/pom.xml b/libs/java/client_common/pom.xml index db7ee846211..c32ab2b22fb 100644 --- a/libs/java/client_common/pom.xml +++ b/libs/java/client_common/pom.xml @@ -63,12 +63,6 @@ jackson-databind ${jackson-databind.version} - - org.eclipse.jetty - jetty-server - ${jetty.version} - test - commons-codec commons-codec diff --git a/libs/java/client_common/src/main/java/com/yahoo/athenz/common/utils/SSLUtils.java b/libs/java/client_common/src/main/java/com/yahoo/athenz/common/utils/SSLUtils.java index 9da1b631e41..39f70760278 100644 --- a/libs/java/client_common/src/main/java/com/yahoo/athenz/common/utils/SSLUtils.java +++ b/libs/java/client_common/src/main/java/com/yahoo/athenz/common/utils/SSLUtils.java @@ -166,7 +166,7 @@ private static KeyStore loadStore(String store, String storeType, char[] storePa return keystore; } - private static KeyManager[] getAliasedKeyManagers(KeyManager[] managers, String alias) { + static KeyManager[] getAliasedKeyManagers(KeyManager[] managers, String alias) { if (managers != null) { if (alias != null) { for (int idx = 0; idx < managers.length; idx++) { diff --git a/libs/java/client_common/src/test/java/com/yahoo/athenz/common/utils/SSLUtilsTest.java b/libs/java/client_common/src/test/java/com/yahoo/athenz/common/utils/SSLUtilsTest.java index d2099f8936f..3cb49c7a8c5 100644 --- a/libs/java/client_common/src/test/java/com/yahoo/athenz/common/utils/SSLUtilsTest.java +++ b/libs/java/client_common/src/test/java/com/yahoo/athenz/common/utils/SSLUtilsTest.java @@ -1,41 +1,15 @@ package com.yahoo.athenz.common.utils; -import java.io.BufferedReader; -import java.io.File; -import java.io.FileNotFoundException; -import java.io.IOException; -import java.io.InputStream; -import java.io.InputStreamReader; -import java.net.HttpURLConnection; -import java.net.ServerSocket; -import java.net.URL; - -import javax.net.ssl.HttpsURLConnection; -import javax.net.ssl.SSLContext; -import javax.net.ssl.X509ExtendedKeyManager; - +import javax.net.ssl.*; import com.yahoo.athenz.auth.impl.FilePrivateKeyStore; -import org.eclipse.jetty.http.HttpVersion; -import org.eclipse.jetty.server.Connector; -import org.eclipse.jetty.server.Handler; -import org.eclipse.jetty.server.HttpConfiguration; -import org.eclipse.jetty.server.HttpConnectionFactory; -import org.eclipse.jetty.server.Server; -import org.eclipse.jetty.server.ServerConnector; -import org.eclipse.jetty.server.SslConnectionFactory; -import org.eclipse.jetty.server.handler.DefaultHandler; -import org.eclipse.jetty.server.handler.HandlerList; -import org.eclipse.jetty.server.handler.ResourceHandler; -import org.eclipse.jetty.util.resource.Resource; -import org.eclipse.jetty.util.ssl.SslContextFactory; import org.mockito.Mockito; import org.testng.Assert; -import org.testng.annotations.DataProvider; import org.testng.annotations.Test; - import com.yahoo.athenz.auth.PrivateKeyStore; import com.yahoo.athenz.common.utils.SSLUtils.ClientSSLContextBuilder; +import java.security.PrivateKey; + import static org.mockito.ArgumentMatchers.any; import static org.mockito.ArgumentMatchers.anyString; import static org.mockito.Mockito.when; @@ -121,6 +95,7 @@ public void testClientSSLContextBuilder() { .keyManagerPasswordAppName(KEY_MANAGER_PASSWORD_APP_NAME) .trustStorePasswordAppName(TRUSTSTORE_PASSWORD_APP_NAME) .privateKeyStore(new FilePrivateKeyStore()) + .certAlias("test") .build(); assertEquals(sslContext.getProtocol(), protocol); @@ -208,138 +183,44 @@ public void testLoadServicePrivateKey() { Assert.assertNotNull(keyStore); } - @DataProvider(name = "ClientSSLContext") - public static Object[][] clientSSLContext() { - return new Object[][] { - { false, DEFAULT_SSL_PROTOCOL, DEFAULT_CA_TRUST_STORE, "src/test/resources/certs/client/client.pkcs12", "", null }, - { true, "TLS", DEFAULT_CA_TRUST_STORE, "src/test/resources/certs/client/client.pkcs12", "", null }, - { true, DEFAULT_SSL_PROTOCOL, DEFAULT_CA_TRUST_STORE, "src/test/resources/certs/client/client.pkcs12", "", null }, - { true, DEFAULT_SSL_PROTOCOL, DEFAULT_CA_TRUST_STORE, null, "bad_certificate", null }, - { true, DEFAULT_SSL_PROTOCOL, DEFAULT_CA_TRUST_STORE, "src/test/resources/certs/client/client_wrong_ca.pkcs12", "bad_certificate", null }, - { true, DEFAULT_SSL_PROTOCOL, DEFAULT_CA_TRUST_STORE, "src/test/resources/certs/client/client_multiple_keys.pkcs12", "", "client1" }, - { true, DEFAULT_SSL_PROTOCOL, DEFAULT_CA_TRUST_STORE, "src/test/resources/certs/client/client_multiple_keys.pkcs12", "bad_certificate", "client2" }, - }; - } - - @Test(dataProvider = "ClientSSLContext") - public void testSSLUtilsClient(boolean clientAuth, String sslProtocol, String trustPath, String keyStorePath, String expectedFailureMessage, String alias) throws Exception { - JettyServer jettyServer = createHttpsJettyServer(clientAuth); - jettyServer.server.start(); - ClientSSLContextBuilder builder = new SSLUtils.ClientSSLContextBuilder(sslProtocol) - .trustStorePath(trustPath) - .trustStorePassword(DEFAULT_CERT_PWD.toCharArray()); - if (null != keyStorePath) { - builder.keyStorePath(keyStorePath) - .keyStorePassword(DEFAULT_CERT_PWD.toCharArray()) - .keyManagerPassword("test".toCharArray()); - } - if (null != alias && !alias.isEmpty()) { - builder.certAlias(alias); - } - SSLContext sslContext = builder.build(); - String httpsUrl = "https://localhost:" + jettyServer.port + "/"; - URL url = new URL(httpsUrl); - HttpsURLConnection con = (HttpsURLConnection)url.openConnection(); - con.setDoOutput(true); - con.setSSLSocketFactory(sslContext.getSocketFactory()); - try { - handleInputStream(con); - if (!expectedFailureMessage.isEmpty()) { - Assert.fail("Expected failure"); - } - } catch (Throwable t) { - Assert.assertFalse(expectedFailureMessage.isEmpty()); - } finally { - jettyServer.server.stop(); - } - } - - private static String handleInputStream(HttpURLConnection con) throws IOException { - StringBuilder outPut = new StringBuilder(); - String line; - - try (InputStream errorStream = con.getErrorStream()) { - if (null != errorStream) { - try (BufferedReader br = new BufferedReader(new InputStreamReader(errorStream))) { - while (null != (line = br.readLine())) { - outPut.append(line); - } - return null; - } - } - } - - try (InputStream in = con.getInputStream()) { - if (null != in) { - try (BufferedReader br = new BufferedReader(new InputStreamReader(in))) { - while (null != (line = br.readLine())) { - outPut.append(line); - } - } - } - } - - return outPut.toString(); - } - - private static JettyServer createHttpsJettyServer(boolean clientAuth) throws IOException { - Server server = new Server(); - HttpConfiguration https_config = new HttpConfiguration(); - https_config.setSecureScheme("https"); - int port; - try (ServerSocket socket = new ServerSocket(0)) { - port = socket.getLocalPort(); - } - https_config.setSecurePort(port); - https_config.setOutputBufferSize(32768); - - SslContextFactory.Server sslContextFactory = new SslContextFactory.Server(); - File keystoreFile = new File(DEFAULT_SERVER_KEY_STORE); - if (!keystoreFile.exists()) { - throw new FileNotFoundException(); - } - - String trustStorePath = DEFAULT_CA_TRUST_STORE; - File trustStoreFile = new File(trustStorePath); - if (!trustStoreFile.exists()) { - throw new FileNotFoundException(); - } - - sslContextFactory.setEndpointIdentificationAlgorithm(null); - - sslContextFactory.setTrustStorePath(trustStorePath); - sslContextFactory.setTrustStoreType(DEFAULT_SSL_STORE_TYPE); - sslContextFactory.setTrustStorePassword(DEFAULT_CERT_PWD); - - sslContextFactory.setKeyStorePath(keystoreFile.getAbsolutePath()); - sslContextFactory.setKeyStoreType(DEFAULT_SSL_STORE_TYPE); - sslContextFactory.setKeyStorePassword(DEFAULT_CERT_PWD); - - sslContextFactory.setProtocol(DEFAULT_SSL_PROTOCOL); - sslContextFactory.setNeedClientAuth(clientAuth); - - ServerConnector https = new ServerConnector(server, - new SslConnectionFactory(sslContextFactory,HttpVersion.HTTP_1_1.asString()), - new HttpConnectionFactory(https_config)); - https.setPort(port); - https.setIdleTimeout(500000); - server.setConnectors(new Connector[] { https }); - HandlerList handlers = new HandlerList(); - ResourceHandler resourceHandler = new ResourceHandler(); - resourceHandler.setBaseResource(Resource.newResource(".")); - handlers.setHandlers(new Handler[] - { resourceHandler, new DefaultHandler() }); - server.setHandler(handlers); - return new JettyServer(server, port); + @Test + public void testGetAliasedKeyManagers() { + assertNull(ClientSSLContextBuilder.getAliasedKeyManagers(null, null)); + KeyManager[] keyManagers = new KeyManager[2]; + X509ExtendedKeyManager keyManager1 = Mockito.mock(X509ExtendedKeyManager.class); + keyManagers[0] = keyManager1; + X509KeyManager keyManager2 = Mockito.mock(X509KeyManager.class); + keyManagers[1] = keyManager2; + + KeyManager[] keyManagersRes = ClientSSLContextBuilder.getAliasedKeyManagers(keyManagers, null); + assertEquals(keyManagersRes.length, 2); + assertEquals(keyManagersRes[0], keyManager1); + assertEquals(keyManagersRes[1], keyManager2); + + keyManagersRes = ClientSSLContextBuilder.getAliasedKeyManagers(keyManagers, "testAlias"); + assertEquals(keyManagersRes.length, 2); + assertNotEquals(keyManagersRes[0], keyManager1); + assertTrue(keyManagersRes[0] instanceof SSLUtils.ClientAliasedX509ExtendedKeyManager); + assertEquals(keyManagersRes[1], keyManager2); } - static class JettyServer { - public Server server; - public int port; - public JettyServer(Server server, int port) { - this.server = server; - this.port = port; - } + @Test + public void testClientAliasedX509ExtendedManager() { + + X509ExtendedKeyManager keyManager = Mockito.mock(X509ExtendedKeyManager.class); + Mockito.when(keyManager.getClientAliases(any(), any())).thenReturn(new String[]{"testAlias"}); + PrivateKey privateKey = Mockito.mock(PrivateKey.class); + Mockito.when(keyManager.getPrivateKey("testAlias")).thenReturn(privateKey); + Mockito.when(keyManager.getPrivateKey("testAlias2")).thenReturn(null); + Mockito.when(keyManager.getCertificateChain("testAlias")).thenReturn(null); + + SSLUtils.ClientAliasedX509ExtendedKeyManager aliasedKeyManager = + new SSLUtils.ClientAliasedX509ExtendedKeyManager(keyManager, "testAlias"); + + assertEquals(aliasedKeyManager.chooseEngineClientAlias(new String[]{"keyType"}, null, null), "testAlias"); + assertEquals(aliasedKeyManager.chooseClientAlias(new String[]{"keyType"}, null, null), "testAlias"); + assertNotNull(aliasedKeyManager.getPrivateKey("testAlias")); + assertNull(aliasedKeyManager.getPrivateKey("testAlias2")); + assertNull(aliasedKeyManager.getCertificateChain("testAlias")); } - }