From 2994db6fef19d6fb09e2ed6e87b0d1b3b280f802 Mon Sep 17 00:00:00 2001 From: Piotr Jaszczyk Date: Tue, 9 Apr 2019 13:53:55 +0200 Subject: [PATCH] Write integration test for SslFactory Change-Id: I45e0f4b4bb17678d7a00287438e87215cbd0120d Issue-ID: DCAEGEN2-1409 Signed-off-by: Piotr Jaszczyk --- .../sdk/security/ssl/SecurityKeysStore.java | 4 + .../services/sdk/security/ssl/SslFactory.java | 24 ++++-- .../services/sdk/security/ssl/SslFactoryIT.java | 95 +++++++++++++++++++++ security/ssl/src/test/resources/sample/cert.jks | Bin 0 -> 4512 bytes .../ssl/src/test/resources/sample/invalid.pass | 1 + security/ssl/src/test/resources/sample/jks.pass | 1 + security/ssl/src/test/resources/sample/trust.jks | Bin 0 -> 1413 bytes security/ssl/src/test/resources/sample/trust.pass | 1 + 8 files changed, 120 insertions(+), 6 deletions(-) create mode 100644 security/ssl/src/test/java/org/onap/dcaegen2/services/sdk/security/ssl/SslFactoryIT.java create mode 100644 security/ssl/src/test/resources/sample/cert.jks create mode 100644 security/ssl/src/test/resources/sample/invalid.pass create mode 100644 security/ssl/src/test/resources/sample/jks.pass create mode 100644 security/ssl/src/test/resources/sample/trust.jks create mode 100644 security/ssl/src/test/resources/sample/trust.pass diff --git a/security/ssl/src/main/java/org/onap/dcaegen2/services/sdk/security/ssl/SecurityKeysStore.java b/security/ssl/src/main/java/org/onap/dcaegen2/services/sdk/security/ssl/SecurityKeysStore.java index 401055ca..d1c912b0 100644 --- a/security/ssl/src/main/java/org/onap/dcaegen2/services/sdk/security/ssl/SecurityKeysStore.java +++ b/security/ssl/src/main/java/org/onap/dcaegen2/services/sdk/security/ssl/SecurityKeysStore.java @@ -52,4 +52,8 @@ public interface SecurityKeysStore { return KeyStoreTypes.inferTypeFromExtension(path()) .getOrElseThrow(() -> new SecurityConfigurationException("Could not determine key store type by file name")); } + + static SecurityKeysStore fromPath(Path path) { + return ImmutableSecurityKeysStore.of(path); + } } diff --git a/security/ssl/src/main/java/org/onap/dcaegen2/services/sdk/security/ssl/SslFactory.java b/security/ssl/src/main/java/org/onap/dcaegen2/services/sdk/security/ssl/SslFactory.java index 076490a9..963484a1 100644 --- a/security/ssl/src/main/java/org/onap/dcaegen2/services/sdk/security/ssl/SslFactory.java +++ b/security/ssl/src/main/java/org/onap/dcaegen2/services/sdk/security/ssl/SslFactory.java @@ -63,16 +63,27 @@ public class SslFactory { } /** - * Creates Netty SSL server context using provided security keys. + * Creates Netty SSL server context using provided security keys. Will require client authentication. * - * @param keys - Security keys to be used + * @param keys - security keys to be used * @return configured SSL context */ public SslContext createSecureServerContext(final SecurityKeys keys) { + return createSecureServerContext(keys, ClientAuth.REQUIRE); + } + + /** + * Creates Netty SSL server context using provided security keys. + * + * @param keys - security keys to be used + * @param clientAuth - how to authenticate client + * @return configured SSL context + */ + public SslContext createSecureServerContext(final SecurityKeys keys, final ClientAuth clientAuth) { try { return SslContextBuilder.forServer(keyManagerFactory(keys)) .trustManager(trustManagerFactory(keys)) - .clientAuth(ClientAuth.REQUIRE) + .clientAuth(clientAuth) .build(); } catch (SSLException e) { throw new SecurityConfigurationException(EXCEPTION_MESSAGE, e); @@ -111,7 +122,8 @@ public class SslFactory { kmf.init(loadKeyStoreFromFile(store, passwordChars), passwordChars); return kmf; } catch (GeneralSecurityException | IOException ex) { - throw new ReadingSecurityKeysStoreException("Could not read private keys from store", ex); + throw new ReadingSecurityKeysStoreException( + "Could not read private keys from store: " + ex.getMessage(), ex); } }); } @@ -123,7 +135,8 @@ public class SslFactory { tmf.init(loadKeyStoreFromFile(store, passwordChars)); return tmf; } catch (GeneralSecurityException | IOException ex) { - throw new ReadingSecurityKeysStoreException("Could not read trusted keys from store", ex); + throw new ReadingSecurityKeysStoreException( + "Could not read trusted keys from store: " + ex.getMessage(), ex); } }); } @@ -133,6 +146,5 @@ public class SslFactory { KeyStore ks = KeyStore.getInstance(store.type()); ks.load(Files.newInputStream(store.path(), StandardOpenOption.READ), keyStorePassword); return ks; - } } diff --git a/security/ssl/src/test/java/org/onap/dcaegen2/services/sdk/security/ssl/SslFactoryIT.java b/security/ssl/src/test/java/org/onap/dcaegen2/services/sdk/security/ssl/SslFactoryIT.java new file mode 100644 index 00000000..966aa5cb --- /dev/null +++ b/security/ssl/src/test/java/org/onap/dcaegen2/services/sdk/security/ssl/SslFactoryIT.java @@ -0,0 +1,95 @@ +/* + * ============LICENSE_START==================================== + * DCAEGEN2-SERVICES-SDK + * ========================================================= + * Copyright (C) 2019 Nokia. All rights reserved. + * ========================================================= + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END===================================== + */ +package org.onap.dcaegen2.services.sdk.security.ssl; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.assertThatThrownBy; +import static org.onap.dcaegen2.services.sdk.security.ssl.Passwords.fromResource; + +import io.netty.handler.ssl.SslContext; +import java.net.URISyntaxException; +import java.nio.file.Paths; +import org.assertj.core.api.Assertions; +import org.jetbrains.annotations.NotNull; +import org.junit.jupiter.api.Test; +import org.onap.dcaegen2.services.sdk.security.ssl.exceptions.ReadingSecurityKeysStoreException; + +/** + * @author Piotr Jaszczyk + * @since April 2019 + */ +class SslFactoryIT { + + private SslFactory sut = new SslFactory(); + + @Test + void testSuccessCase() throws Exception { + // given + final SecurityKeys securityKeys = ImmutableSecurityKeys.builder() + .keyStore(keyStoreFromResource("/sample/cert.jks")) + .keyStorePassword(fromResource("/sample/jks.pass")) + .trustStore(keyStoreFromResource("/sample/trust.jks")) + .trustStorePassword(fromResource("/sample/trust.pass")) + .build(); + + // when + final SslContext ctx = sut.createSecureServerContext(securityKeys); + + // then + assertThat(ctx.isServer()).describedAs("is server ssl context").isTrue(); + } + + @Test + void testInvalidKeyStorePasswordCase() throws Exception { + // given + final SecurityKeys securityKeys = ImmutableSecurityKeys.builder() + .keyStore(keyStoreFromResource("/sample/cert.jks")) + .keyStorePassword(fromResource("/sample/invalid.pass")) + .trustStore(keyStoreFromResource("/sample/trust.jks")) + .trustStorePassword(fromResource("/sample/trust.pass")) + .build(); + + // when & then + assertThatThrownBy(() -> sut.createSecureServerContext(securityKeys)) + .isInstanceOf(ReadingSecurityKeysStoreException.class) + .hasMessageContaining("Keystore was tampered with, or password was incorrect"); + } + + @Test + void testInvalidTrustStorePasswordCase() throws Exception { + // given + final SecurityKeys securityKeys = ImmutableSecurityKeys.builder() + .keyStore(keyStoreFromResource("/sample/cert.jks")) + .keyStorePassword(fromResource("/sample/jks.pass")) + .trustStore(keyStoreFromResource("/sample/trust.jks")) + .trustStorePassword(fromResource("/sample/invalid.pass")) + .build(); + + // when & then + assertThatThrownBy(() -> sut.createSecureServerContext(securityKeys)) + .isInstanceOf(ReadingSecurityKeysStoreException.class) + .hasMessageContaining("Keystore was tampered with, or password was incorrect"); + } + + private @NotNull SecurityKeysStore keyStoreFromResource(String resource) throws URISyntaxException { + return SecurityKeysStore.fromPath( + Paths.get(Passwords.class.getResource(resource).toURI())); + } +} diff --git a/security/ssl/src/test/resources/sample/cert.jks b/security/ssl/src/test/resources/sample/cert.jks new file mode 100644 index 0000000000000000000000000000000000000000..e74ce64f4b680b9f7b226086ff7632ad594a7174 GIT binary patch literal 4512 zcmb`JcT|(f8piXbQ6oqwB1M!UC}F=)MWspaC?HMg2?>ORE{I|bg33~qvVwF7h|(2M z5Gk^t2!cvcY2vydWx;?-lX8RH-Ghqvo_o&y<4fj!X685byw9votxiE85GeBlzJ5IJ zZZ0^@^&dG3*~LeW;^)Dv!bjeXScE_j07!$cfZLGl`;h<~*azJX00;=21|L_t_`qVp zF)iQ!rfR-6Vh5CR(YcaWapx;pi9Z;&XZ6g{qR%us7uIYpoCJ)ca_DQf1y@1}D-zzR zvKU2%2D>_#Fr2S~o@r)veDO||BZu<1anFD8jY^pT-Z-3NWQ>I!5|CiCOY_cgm_k!a zTrH{>r_9P$e=|QzcjwWF%`_?8{qg`y1TOiaXWm4)*!ke@xMpXO-3PA*pXt8Cp)8E% zzuFupiKi!z;Xhu-EedK#NBS$M2&;@J3|!)>nqcAnBBhv_WWLa^Z9v^=Z)w;R#p3;0 zDlv8Zd_n~M8Gdph?-1F8H%crm{ZT|UnRAFK$;ld0}iXw=UB ztx@G8q6L+c(k+1hEFR6^E+3rXW8Xd_;Z<|tRbs%rc#qz^FWS_v?0GY`uXss%xcglz zB~AHNlMM`LR)eNr)a{fs)(k5bd&!bn`~LUE(jJ(9^ZEVD5=x?H7Zzemr6xsRiTN+t zv=Lfi^kzLaUD+?gVc~%#ekt5KE^p~pd~?>sPq8akGLla6yS@URiTiUO--c;l8tISm zZ^icJCS08kMH1tH zhdJ2EUNk(}rMa3gsa4-;rT3n;p!{4gx?YuL&xQEY3dfC3QrvUe71w8FK}6iMz7sr4 z+Pb+f8c2)`#WtZ7XCV&{OG-U)mNZ3M%1gie_~!NdlGpae$W&WRAMjl`@2*WtR?M0g zwcq=CN_)1`fV2XRYMdW(CL9o-5HWw*vid|IL9ipR@U2eCU;)_HNFDpEHv07+${P z_>A!c>2q$osu7mmXB6P@+u@bftS3=BO|qN_iw$)LNH7#js(XKe;jp#Ttr^`%lZ-yF zmpjJOuB-qp?>pJB`fR#FJ-x<43&SXS&&v^Yr489AydW7s$*kFkpuhc|^URm8TNpIYrWo1!dhnzHP}!e4#u(3rs*3=&wz zDv!ay0xNhI3iaeZ-Ey+vF&>^37MKseP*K)l7tA*AXz(CizNbq#H^lc!wT#MjBN21w zhDLw}*=BmxvVWd$<*`=VIK6k`k!LQ+>{wXL?Du>0RRUA0_tNqKsF@I8jeImtu3)AkYhby=Y*S^X<1;mft>3h2PeYZQcFt@ zD+mg#$1qNAA~^u(=Z$kGx&+{~wVdQZQ2`Y802W;T%1)YL>=rx!GC z^FFq^J+?gRA@71BeQckR<3NpIN!HUpUT5`5H`TV6d1+6bA!ihft7mQ#Q!!hPQrfxb z6!Kz;tlgy8qje*_5F#01TO<7}(B`?}m~vokiO+BMCVP)+%(WRAY1(r=>_{8#vF^8$ z=O30ykF>~fpGR;9RD5E$?DHB#wYIRJ7ix)BBJBl#26Hrwog4u2#f4jJt8Y>z8ELx@yGcE5#4ZN zTgzYH5&x-9&OgXa&W#l4&%Ek#B#N60No@V*V%$iSKzAZO1mo>OcJaXZZLMzLx9qU- zg82#E-6g;UPb4vip^!*8w*bn&`9JELM)*nP&sIPP!UW;`zaQaybrXNfs-Mw){0JLc z!YpiJ{2l$QTY#GjhPk1nkN~2a{|4Y2X%p&4{b$fEmidje3HqbH6%^+~qJ((k$N?CF z3)!8te)>O1|Aua@ZviDxNZ!ojz>z(OWE{rZ!#hCiM`;846aD8w2o~S`p0Zs^a7=Iez$ehsj>Uo9xSXJ7ke8_>s-$_47 z=nO?Z7^6B5PHcaFtk7ws2z~O4^GDvyxX+H;T=3T+H;TztnicLI(-hkEG zpjvw31c+3-Cmnynt3~%3-q&sCDT7g)UBBYdLwowU%yZ7D3q7vouNm?kt0{*3?fGz9 zW;(Y5Y0$$Pp3lsq-+BH2l!rGA9aNQ9#9|fYvFnB|udpfn|Ggakn_cG~wxLGGHdYcE zhYcA`v)8zcEo&~?FWU*{E|>NrW0c#&=%dJhG?d7%PmSxJ%WfZ-)r?tGev%$}8e$&W zpl052_YjbA=2r5AYF(dMhTH&^(@xa(pyq6>bSf)6522WTElphY2m4D81)@X- zDO5hLoYTQhPm|NKD)k@nS7w+XIr6V4o+{O{(-B+@5aVF&0IOm)>>3ZcZ}P>hycXQG zVa7W^ek$*je{-rhwT&TI!)9B%HdAE2uT}}mp027p>R(1QL(w7<%3K_}Rbyra=nF0tJk1SPb)*py80!*>M)K~G z$L~2jF3a8FX4H=kwjSIq04DBGn~Ov3mwu3$VI)*>r0-p7@4bBfqT?;{C-KvT*z*ROK8*C-Zi@7=zXq)aUjT z)$WcyyS5^yvI1&`sq_^&9(TAG4bgMrCU_m0s*%JsVp~WN`^h3&T-WfcI&#Li1{3Fk zJx26cr-QDNf0_dOY@{W)-6?y!PH997e75vvA(Sq75a!m}-F3%>zW;#sIy+Xv^Xe*nQMV&dJvy>S3--w=2d(pP|M-nU(|jnQgO(o|{-mQr-*~Z{;Y!IJnmS{4 T=H#ViMFn!SC%a)<6wki^WqwD} literal 0 HcmV?d00001 diff --git a/security/ssl/src/test/resources/sample/invalid.pass b/security/ssl/src/test/resources/sample/invalid.pass new file mode 100644 index 00000000..6003d102 --- /dev/null +++ b/security/ssl/src/test/resources/sample/invalid.pass @@ -0,0 +1 @@ +invalid password \ No newline at end of file diff --git a/security/ssl/src/test/resources/sample/jks.pass b/security/ssl/src/test/resources/sample/jks.pass new file mode 100644 index 00000000..39823872 --- /dev/null +++ b/security/ssl/src/test/resources/sample/jks.pass @@ -0,0 +1 @@ +mYHC98!qX}7h?W}jRv}MIXTJ \ No newline at end of file diff --git a/security/ssl/src/test/resources/sample/trust.jks b/security/ssl/src/test/resources/sample/trust.jks new file mode 100644 index 0000000000000000000000000000000000000000..10103cfbcd527d081f04dacd1a06f6ddffb72d3c GIT binary patch literal 1413 zcmezO_TO6u1_mY|W(3n*$%*kf`N@en@diMlw6^W7zZqB~^h^yb85mfd44PQ&44RnL z7BDk0GBI&7oX9Nt_VNGu0|vZooLX%jZQpqr8M#>*40H_n40za>Ls__aSp9N(=GOS+72357DP=i!-K^Rqq5M%?u9>qeiv#iByTy93PJszM^)N*e!?*^)eC zkHcz4-|s8l9sZr-*0gWdirF`o*=!7%-^ElQjWcmQH42s#kjuQys~2bwzvlqMD>m&<(e6%8dxVb@t^0I zfB4XO>p#wJ$sfvowC|4(l{ohK@0qy_o!8gdeffU<)ce@}nN@L~LVIs~RXV;QQ`zXt zbs1^73v2v7xqN1P5$P}|`SFEiCu2%ap3+`yQ_>{v@K1JU?RrsbQ2}WtW=00a#mNSV z2C~2;D9gtp#v<~z_~>lqhSMJ;cX3AS`Tuc^zt$d819_0NGK++PSOazi{2&FwjEw(T zSPhtglmQ<|fFC5l0?Z(7$jK0xD}c$6ks-QC;&kwpwecThcX~*K99%r-w}9;TbrbJ1 z%(>0yrFpBaz$$X#`%@{E!qHcay9yOg+Vk?1`G~T7GCh=k$!g*iyQIm{k?X9Ngv^P! z`TERWKGmq#2GjluxK`xe|Kzjb7+1euW~uLvC2o%ygT3ciuD=~Szs5epN6+J$AA5sK z%3=q#-_Ba|#0|I1_}Q?tZnKeH;i2h8HnPTCEpD;v4=N_=Ct0Xu3fl?4&v4DIe<66` z(HqmNat|2e?0vO&uWXL@Iho43=;WpTud7{HuP@&*GuGwdtHZTPOV@o>ZBT3HmKV75 z>Gz_~7JXKiO*o#%d+j`Sb+)+YQZ=EJKiAIl?t93zA^*{@+PEg+lcHPq9=rFw!VGw`$B(MnXF=3yf{~5{RZ{D z#hq%;SNY$1e&9bB|2g@YkC&=!f2l347;s>DfWwYTyLmTuN#C7%|L4T}Jl^TA3IsFH z8wB;g$O~Pw;gw<1vqeu8we(t4bBetVuKIa@C(DIH=|`2qZ^?*U>Z@4)#5^f?qOQ?0 ziMZHM_SP%1)|Dj>+jU&O9sXYV`P^a0pewmcxn@Vs_dNE0&yQnGe*4$H+p}t|)H;>Z S3!ZDgSsuSksc^Oa0tNs)*<1kt literal 0 HcmV?d00001 diff --git a/security/ssl/src/test/resources/sample/trust.pass b/security/ssl/src/test/resources/sample/trust.pass new file mode 100644 index 00000000..168e64bd --- /dev/null +++ b/security/ssl/src/test/resources/sample/trust.pass @@ -0,0 +1 @@ +*TQH?Lnszprs4LmlAj38yds( \ No newline at end of file -- 2.16.6