2 * ============LICENSE_START=======================================================
3 * dcaegen2-collectors-veshv
4 * ================================================================================
5 * Copyright (C) 2018 NOKIA
6 * ================================================================================
7 * Licensed under the Apache License, Version 2.0 (the "License");
8 * you may not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS,
15 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 * ============LICENSE_END=========================================================
20 package org.onap.dcae.collectors.veshv.ssl.boundary
22 import arrow.core.Some
23 import arrow.core.toOption
24 import io.netty.handler.ssl.ClientAuth
25 import io.netty.handler.ssl.JdkSslContext
26 import io.netty.handler.ssl.ReferenceCountedOpenSslContext
27 import io.netty.handler.ssl.SslContextBuilder
28 import org.assertj.core.api.Assertions
29 import org.assertj.core.api.Assertions.assertThat
30 import org.jetbrains.spek.api.Spek
31 import org.jetbrains.spek.api.dsl.describe
32 import org.jetbrains.spek.api.dsl.given
33 import org.jetbrains.spek.api.dsl.it
34 import org.jetbrains.spek.api.dsl.on
35 import org.onap.dcae.collectors.veshv.domain.JdkKeys
36 import org.onap.dcae.collectors.veshv.domain.OpenSslKeys
37 import org.onap.dcae.collectors.veshv.domain.SecurityConfiguration
38 import java.nio.file.Paths
39 import kotlin.test.assertTrue
42 * @author Piotr Jaszczyk <piotr.jaszczyk@nokia.com>
// Spek specification for ServerSslContextFactory.createSslContext. It covers a configuration
// with OpenSSL-style keys, a configuration with SSL disabled, and a configuration with JDK keys.
// NOTE(review): the gutter numbers in this listing skip, so some original lines are not shown;
// the comments below describe only the statements that are visible.
45 object ServerSslContextFactoryTest : Spek({
48 describe("SslContextFactory (OpenSSL)") {
// Key material is referenced by paths under /tmp. The factory under test (cut) overrides the
// certificate-loading hook, so presumably these paths are never opened - verify against the factory.
49 val keys = OpenSslKeys(
50 privateKey = Paths.get("/", "tmp", "pk.pem"),
51 cert = Paths.get("/", "tmp", "cert.crt"),
52 trustedCert = Paths.get("/", "tmp", "clientCa.crt"))
54 given("config with security enabled") {
55 val sampleConfig = SecurityConfiguration(keys = Some(keys))
// Anonymous subclass: builds the server context from the classpath resources /ssl/ca.crt and
// /ssl/server.key instead of from the paths held in keys.
57 val cut = object : ServerSslContextFactory() {
58 override fun createSslContextWithConfiguredCerts(secConfig: SecurityConfiguration) =
59 SslContextBuilder.forServer(resource("/ssl/ca.crt"), resource("/ssl/server.key")).toOption()
61 private fun resource(path: String) = ServerSslContextFactoryTest.javaClass.getResourceAsStream(path)
64 on("creation of SSL context") {
65 val result = cut.createSslContext(sampleConfig)
67 it("should be server context") {
68 assertTrue(result.exists {
// NOTE(review): despite the case name, the only assertion visible here is isDefined(); nothing
// shown checks which provider backs the context. Consider asserting the context type as well
// (ReferenceCountedOpenSslContext is already imported) so a silent provider fallback is caught.
73 it("should use OpenSSL provider") {
74 assertTrue(result.isDefined())
78 * It is too important to leave it untested on unit level.
79 * Because of the Netty API design we need to do it this way.
// Looks up the declared field "clientAuth" by name through reflection and pins it to
// ClientAuth.REQUIRE, i.e. the server must demand a client certificate (mutual TLS).
// The lookup is tied to a Netty field name: if an upgrade renames the field, getDeclaredField
// throws and this case fails loudly instead of the check disappearing.
81 it("should turn on client authentication") {
82 val clientAuth: ClientAuth = ReferenceCountedOpenSslContext::class.java
83 .getDeclaredField("clientAuth")
86 get(result.orNull()) as ClientAuth
88 Assertions.assertThat(clientAuth).isEqualTo(ClientAuth.REQUIRE)
// With SSL disabled the factory is expected to return an empty Option, i.e. no TLS context.
// NOTE(review): what the server does when it receives no context is not visible here - confirm
// the caller treats plaintext operation as an explicit, logged decision.
93 given("config with SSL disabled") {
94 val securityConfiguration = SecurityConfiguration(
98 val cut = ServerSslContextFactory()
100 on("creation of SSL context") {
101 val result = cut.createSslContext(securityConfiguration)
103 it("should not create any SSL context ") {
104 assertThat(result.isDefined()).isFalse()
110 describe("SslContextFactory (JDK)") {
// Key store and trust store are passed as stream providers over test resources; each password
// is a fresh CharArray copy of PASSWORD (its definition is not among the visible lines).
112 keyStore = resourceStreamProvider("/ssl/server.ks.pkcs12"),
113 keyStorePassword = PASSWORD.toCharArray(),
114 trustStore = resourceStreamProvider("/ssl/trust.pkcs12"),
115 trustStorePassword = PASSWORD.toCharArray()
118 given("config without disabled SSL") {
119 val sampleConfig = SecurityConfiguration(keys = Some(keys))
// Unlike the OpenSSL group above, this group uses the unmodified factory.
120 val cut = ServerSslContextFactory()
122 on("creation of SSL context") {
123 val result = cut.createSslContext(sampleConfig)
126 assertTrue(result.isDefined())
129 it("should be server context") {
130 assertTrue(result.exists {
136 * It is too important to leave it untested on unit level.
137 * Because of the Netty API design we need to do it this way.
// Same reflective check as in the OpenSSL group, here against JdkSslContext: the declared
// field "clientAuth" must equal ClientAuth.REQUIRE.
139 it("should turn on client authentication") {
140 val clientAuth: ClientAuth = JdkSslContext::class.java
141 .getDeclaredField("clientAuth")
144 get(result.orNull()) as ClientAuth
146 Assertions.assertThat(clientAuth).isEqualTo(ClientAuth.REQUIRE)
// Expects both password arrays held by keys to consist only of 'x' characters, matching a
// PASSWORD-length array filled with 'x'.
// NOTE(review): this presumably relies on createSslContext having already run in the enclosing
// on-block. The PASSWORD constant itself is a separate value that this check does not cover.
149 it("should clear passwords so heap dumps won't contain them") {
150 val xedPassword = PASSWORD.toCharArray()
151 xedPassword.fill('x')
152 Assertions.assertThat(keys.keyStorePassword).isEqualTo(xedPassword)
153 Assertions.assertThat(keys.trustStorePassword).isEqualTo(xedPassword)
/**
 * Returns a zero-argument provider that opens the classpath resource [resource],
 * resolved against [ServerSslContextFactoryTest], each time it is invoked.
 *
 * Nothing is opened until the returned lambda is called. `getResourceAsStream` yields
 * null for a missing resource, so a wrong path surfaces only at invocation time.
 */
fun resourceStreamProvider(resource: String) = {
    val owner = ServerSslContextFactoryTest::class.java
    owner.getResourceAsStream(resource)
}