Posted to commits@qpid.apache.org by kw...@apache.org on 2017/07/30 19:49:17 UTC
[6/6] qpid-broker-j git commit: QPID-7869: [Java Broker] [Truststore]
Make certificates within truststore warn about their impending expiry as
keystores already do
QPID-7869: [Java Broker] [Truststore] Make certificates within truststore warn about their impending expiry as keystores already do
Pulled up common implementation into an abstract base-class
Project: http://git-wip-us.apache.org/repos/asf/qpid-broker-j/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-broker-j/commit/f218a1dd
Tree: http://git-wip-us.apache.org/repos/asf/qpid-broker-j/tree/f218a1dd
Diff: http://git-wip-us.apache.org/repos/asf/qpid-broker-j/diff/f218a1dd
Branch: refs/heads/master
Commit: f218a1dd811fec4cff3852bfa559b42791d97bbf
Parents: 391f0b8
Author: Keith Wall <kw...@apache.org>
Authored: Sun Jul 30 17:37:29 2017 +0100
Committer: Keith Wall <kw...@apache.org>
Committed: Sun Jul 30 19:32:46 2017 +0100
----------------------------------------------------------------------
.../logging/messages/TrustStoreMessages.java | 62 +++++
.../messages/TrustStore_logmessages.properties | 2 +
.../org/apache/qpid/server/model/KeyStore.java | 5 +
.../apache/qpid/server/model/TrustStore.java | 20 ++
.../qpid/server/security/AbstractKeyStore.java | 44 ++--
.../server/security/AbstractTrustStore.java | 251 +++++++++++++++++++
.../AutoGeneratedSelfSignedKeyStoreImpl.java | 27 +-
.../server/security/FileTrustStoreImpl.java | 121 +++------
.../ManagedPeerCertificateTrustStoreImpl.java | 124 ++-------
.../server/security/NonJavaTrustStoreImpl.java | 115 ++-------
.../security/SiteSpecificTrustStoreImpl.java | 103 ++------
11 files changed, 469 insertions(+), 405 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/f218a1dd/broker-core/src/main/java/org/apache/qpid/server/logging/messages/TrustStoreMessages.java
----------------------------------------------------------------------
diff --git a/broker-core/src/main/java/org/apache/qpid/server/logging/messages/TrustStoreMessages.java b/broker-core/src/main/java/org/apache/qpid/server/logging/messages/TrustStoreMessages.java
index d3315dc..8fd1e9d 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/logging/messages/TrustStoreMessages.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/logging/messages/TrustStoreMessages.java
@@ -66,6 +66,7 @@ public class TrustStoreMessages
public static final String CLOSE_LOG_HIERARCHY = DEFAULT_LOG_HIERARCHY_PREFIX + "truststore.close";
public static final String CREATE_LOG_HIERARCHY = DEFAULT_LOG_HIERARCHY_PREFIX + "truststore.create";
public static final String DELETE_LOG_HIERARCHY = DEFAULT_LOG_HIERARCHY_PREFIX + "truststore.delete";
+ public static final String EXPIRING_LOG_HIERARCHY = DEFAULT_LOG_HIERARCHY_PREFIX + "truststore.expiring";
public static final String OPEN_LOG_HIERARCHY = DEFAULT_LOG_HIERARCHY_PREFIX + "truststore.open";
public static final String OPERATION_LOG_HIERARCHY = DEFAULT_LOG_HIERARCHY_PREFIX + "truststore.operation";
@@ -75,6 +76,7 @@ public class TrustStoreMessages
LoggerFactory.getLogger(CLOSE_LOG_HIERARCHY);
LoggerFactory.getLogger(CREATE_LOG_HIERARCHY);
LoggerFactory.getLogger(DELETE_LOG_HIERARCHY);
+ LoggerFactory.getLogger(EXPIRING_LOG_HIERARCHY);
LoggerFactory.getLogger(OPEN_LOG_HIERARCHY);
LoggerFactory.getLogger(OPERATION_LOG_HIERARCHY);
@@ -258,6 +260,66 @@ public class TrustStoreMessages
/**
* Log a TrustStore message of the Format:
+ * <pre>TST-1005 : TrustStore {0} Certificate expires in {1} days : {2}</pre>
+ * Optional values are contained in [square brackets] and are numbered
+ * sequentially in the method call.
+ *
+ */
+ public static LogMessage EXPIRING(String param1, String param2, String param3)
+ {
+ String rawMessage = _messages.getString("EXPIRING");
+
+ final Object[] messageArguments = {param1, param2, param3};
+ // Create a new MessageFormat to ensure thread safety.
+ // Sharing a MessageFormat and using applyPattern is not thread safe
+ MessageFormat formatter = new MessageFormat(rawMessage, _currentLocale);
+
+ final String message = formatter.format(messageArguments);
+
+ return new LogMessage()
+ {
+ @Override
+ public String toString()
+ {
+ return message;
+ }
+
+ @Override
+ public String getLogHierarchy()
+ {
+ return EXPIRING_LOG_HIERARCHY;
+ }
+
+ @Override
+ public boolean equals(final Object o)
+ {
+ if (this == o)
+ {
+ return true;
+ }
+ if (o == null || getClass() != o.getClass())
+ {
+ return false;
+ }
+
+ final LogMessage that = (LogMessage) o;
+
+ return getLogHierarchy().equals(that.getLogHierarchy()) && toString().equals(that.toString());
+
+ }
+
+ @Override
+ public int hashCode()
+ {
+ int result = toString().hashCode();
+ result = 31 * result + getLogHierarchy().hashCode();
+ return result;
+ }
+ };
+ }
+
+ /**
+ * Log a TrustStore message of the Format:
* <pre>TST-1002 : Open</pre>
* Optional values are contained in [square brackets] and are numbered
* sequentially in the method call.
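Review bot: The new EXPIRING message reuses the code TST-1005, which the properties file already assigns to OPERATION (`OPERATION = TST-1005 : Operation : {0}` in the TrustStore_logmessages.properties hunk), so two unrelated events are logged under the same identifier and anyone filtering or documenting by code cannot tell them apart. The fix belongs in the properties file, from which this Java source appears to be generated: give EXPIRING an unused code, e.g. `EXPIRING = TST-1006 : TrustStore {0} Certificate expires in {1} days : {2}` if 1006 is free, and regenerate. The properties entry would also benefit from the parameter comment its neighbours carry, e.g. `# 0 - truststore name, 1 - days to expiry, 2 - certificate subject`.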
http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/f218a1dd/broker-core/src/main/java/org/apache/qpid/server/logging/messages/TrustStore_logmessages.properties
----------------------------------------------------------------------
diff --git a/broker-core/src/main/java/org/apache/qpid/server/logging/messages/TrustStore_logmessages.properties b/broker-core/src/main/java/org/apache/qpid/server/logging/messages/TrustStore_logmessages.properties
index feccef2..494f832 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/logging/messages/TrustStore_logmessages.properties
+++ b/broker-core/src/main/java/org/apache/qpid/server/logging/messages/TrustStore_logmessages.properties
@@ -24,4 +24,6 @@ CLOSE = TST-1003 : Close
DELETE = TST-1004 : Delete "{0}"
# 0 - operation name
OPERATION = TST-1005 : Operation : {0}
+EXPIRING = TST-1005 : TrustStore {0} Certificate expires in {1} days : {2}
+
http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/f218a1dd/broker-core/src/main/java/org/apache/qpid/server/model/KeyStore.java
----------------------------------------------------------------------
diff --git a/broker-core/src/main/java/org/apache/qpid/server/model/KeyStore.java b/broker-core/src/main/java/org/apache/qpid/server/model/KeyStore.java
index 953709f..efbe6d5 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/model/KeyStore.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/model/KeyStore.java
@@ -36,6 +36,11 @@ public interface KeyStore<X extends KeyStore<X>> extends ConfiguredObject<X>
@ManagedContextDefault(name = CERTIFICATE_EXPIRY_CHECK_FREQUENCY)
int DEFAULT_CERTIFICATE_EXPIRY_CHECK_FREQUENCY = 1;
+ @DerivedAttribute
+ int getCertificateExpiryWarnPeriod();
+
+ @DerivedAttribute
+ int getCertificateExpiryCheckFrequency();
KeyManager[] getKeyManagers() throws GeneralSecurityException;
}
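Review bot: The two new @DerivedAttribute declarations carry no description, unlike getCertificateDetails() in TrustStore which documents what it exposes; the same applies to the matching pair added to TrustStore in its @@ -43,6 +57,12 hunk. Something like `@DerivedAttribute(description = "Number of days before expiry at which a warning is logged; zero or less disables the warning")` on getCertificateExpiryWarnPeriod and `@DerivedAttribute(description = "Interval, in days, between certificate expiry checks")` on getCertificateExpiryCheckFrequency would make the management view self-explanatory. The "zero or less disables" part is what the `if(expiryWarning > 0)` guard in the new checkCertificateExpiry implementations actually does.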
http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/f218a1dd/broker-core/src/main/java/org/apache/qpid/server/model/TrustStore.java
----------------------------------------------------------------------
diff --git a/broker-core/src/main/java/org/apache/qpid/server/model/TrustStore.java b/broker-core/src/main/java/org/apache/qpid/server/model/TrustStore.java
index 10a59d6..53bb1f0 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/model/TrustStore.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/model/TrustStore.java
@@ -31,6 +31,20 @@ import org.apache.qpid.server.security.CertificateDetails;
@ManagedObject( defaultType = "FileTrustStore" )
public interface TrustStore<X extends TrustStore<X>> extends ConfiguredObject<X>
{
+ String CERTIFICATE_EXPIRY_WARN_PERIOD = "qpid.truststore.certificateExpiryWarnPeriod";
+
+ @ManagedContextDefault(name = CERTIFICATE_EXPIRY_WARN_PERIOD)
+ int DEFAULT_CERTIFICATE_EXPIRY_WARN_PERIOD = 30;
+
+ String CERTIFICATE_EXPIRY_CHECK_FREQUENCY = "qpid.truststore.certificateExpiryCheckFrequency";
+
+ @ManagedContextDefault(name = CERTIFICATE_EXPIRY_CHECK_FREQUENCY)
+ int DEFAULT_CERTIFICATE_EXPIRY_CHECK_FREQUENCY = 1;
+
+ @Override
+ @ManagedAttribute(immutable = true)
+ String getName();
+
@ManagedAttribute( defaultValue = "false", description = "If true the Trust Store will expose its certificates as a special artificial message source.")
boolean isExposedAsMessageSource();
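Review bot: The two new @ManagedContextDefault constants state a value but not what it means: the unit is days and, per the `if(expiryWarning > 0)` guard in FileTrustStoreImpl's new checkCertificateExpiry, a warn period of zero or less disables the warning entirely. A javadoc line on each, e.g. `/** Days before a certificate's notAfter at which the EXPIRING message is logged; 0 or less disables the warning. */` and `/** Interval, in days, between certificate expiry checks. */`, would let an operator set them without reading the implementation. Redeclaring getName() here with immutable = true is what replaces the hand-written name-change check removed from FileTrustStoreImpl; a short comment saying so would stop someone re-adding that check later.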
@@ -43,6 +57,12 @@ public interface TrustStore<X extends TrustStore<X>> extends ConfiguredObject<X>
@DerivedAttribute(description = "List of details about the certificates like validity dates, SANs, issuer and subject names, etc.")
List<CertificateDetails> getCertificateDetails();
+ @DerivedAttribute
+ int getCertificateExpiryWarnPeriod();
+
+ @DerivedAttribute
+ int getCertificateExpiryCheckFrequency();
+
TrustManager[] getTrustManagers() throws GeneralSecurityException;
Certificate[] getCertificates() throws GeneralSecurityException;
http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/f218a1dd/broker-core/src/main/java/org/apache/qpid/server/security/AbstractKeyStore.java
----------------------------------------------------------------------
diff --git a/broker-core/src/main/java/org/apache/qpid/server/security/AbstractKeyStore.java b/broker-core/src/main/java/org/apache/qpid/server/security/AbstractKeyStore.java
index f931d2f..21a9564 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/security/AbstractKeyStore.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/security/AbstractKeyStore.java
@@ -51,7 +51,7 @@ public abstract class AbstractKeyStore<X extends AbstractKeyStore<X>>
{
private static Logger LOGGER = LoggerFactory.getLogger(AbstractKeyStore.class);
- protected static final long ONE_DAY = 24l * 60l * 60l * 1000l;
+ protected static final long ONE_DAY = 24L * 60L * 60L * 1000L;
private final Broker<?> _broker;
private final EventLogger _eventLogger;
@@ -97,16 +97,7 @@ public abstract class AbstractKeyStore<X extends AbstractKeyStore<X>>
protected void initializeExpiryChecking()
{
- int checkFrequency;
- try
- {
- checkFrequency = getContextValue(Integer.class, CERTIFICATE_EXPIRY_CHECK_FREQUENCY);
- }
- catch (IllegalArgumentException | NullPointerException e)
- {
- LOGGER.warn("Cannot parse the context variable {} ", CERTIFICATE_EXPIRY_CHECK_FREQUENCY, e);
- checkFrequency = DEFAULT_CERTIFICATE_EXPIRY_CHECK_FREQUENCY;
- }
+ int checkFrequency = getCertificateExpiryCheckFrequency();
if(getBroker().getState() == State.ACTIVE)
{
_checkExpiryTaskFuture = getBroker().scheduleHouseKeepingTask(checkFrequency, TimeUnit.DAYS, new Runnable()
@@ -129,14 +120,8 @@ public abstract class AbstractKeyStore<X extends AbstractKeyStore<X>>
if (newState == State.ACTIVE)
{
_checkExpiryTaskFuture =
- getBroker().scheduleHouseKeepingTask(frequency, TimeUnit.DAYS, new Runnable()
- {
- @Override
- public void run()
- {
- checkCertificateExpiry();
- }
- });
+ getBroker().scheduleHouseKeepingTask(frequency, TimeUnit.DAYS,
+ () -> checkCertificateExpiry());
getBroker().removeChangeListener(this);
}
}
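Review bot: `() -> checkCertificateExpiry()` is a lambda wrapping a single call; the method reference `AbstractKeyStore.this::checkCertificateExpiry` says the same thing without the indirection and matches the form the new AbstractTrustStore uses at its first scheduling site (its two sites currently differ in the same way). Inside the anonymous listener a bare `this::` would refer to the listener itself, so the qualified form is the one to use. The enclosing method starts and ends outside the hunk.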
@@ -149,7 +134,7 @@ public abstract class AbstractKeyStore<X extends AbstractKeyStore<X>>
// verify that it is not in use
String storeName = getName();
- Collection<Port> ports = new ArrayList<Port>(getBroker().getPorts());
+ Collection<Port> ports = new ArrayList<>(getBroker().getPorts());
for (Port port : ports)
{
if (port.getKeyStore() == this)
@@ -192,7 +177,8 @@ public abstract class AbstractKeyStore<X extends AbstractKeyStore<X>>
}
}
- protected final int getCertificateExpiryWarnPeriod()
+ @Override
+ public final int getCertificateExpiryWarnPeriod()
{
try
{
@@ -204,4 +190,20 @@ public abstract class AbstractKeyStore<X extends AbstractKeyStore<X>>
return DEFAULT_CERTIFICATE_EXPIRY_WARN_PERIOD;
}
}
+
+ @Override
+ public int getCertificateExpiryCheckFrequency()
+ {
+ int checkFrequency;
+ try
+ {
+ checkFrequency = getContextValue(Integer.class, CERTIFICATE_EXPIRY_CHECK_FREQUENCY);
+ }
+ catch (IllegalArgumentException | NullPointerException e)
+ {
+ LOGGER.warn("Cannot parse the context variable {} ", CERTIFICATE_EXPIRY_CHECK_FREQUENCY, e);
+ checkFrequency = DEFAULT_CERTIFICATE_EXPIRY_CHECK_FREQUENCY;
+ }
+ return checkFrequency;
+ }
}
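Review bot: getCertificateExpiryCheckFrequency guards against an unparseable context value but not an out-of-range one, so a configured 0 or negative frequency is handed straight to scheduleHouseKeepingTask(checkFrequency, TimeUnit.DAYS, …) by initializeExpiryChecking in the @@ -97,16 +97,7 hunk; what the scheduler does with a non-positive period is not visible here, so a range check before returning seems prudent: `if (checkFrequency <= 0) { LOGGER.warn("Context variable {} must be positive, using {}", CERTIFICATE_EXPIRY_CHECK_FREQUENCY, DEFAULT_CERTIFICATE_EXPIRY_CHECK_FREQUENCY); checkFrequency = DEFAULT_CERTIFICATE_EXPIRY_CHECK_FREQUENCY; }`. The identical copy of this method in the new AbstractTrustStore needs the same treatment. Two smaller inconsistencies: this getter is overridable while getCertificateExpiryWarnPeriod in the previous hunk was made `public final`, and its warning logs the exception's stack trace whereas the warn-period getter explains the fallback in words without one.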
http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/f218a1dd/broker-core/src/main/java/org/apache/qpid/server/security/AbstractTrustStore.java
----------------------------------------------------------------------
diff --git a/broker-core/src/main/java/org/apache/qpid/server/security/AbstractTrustStore.java b/broker-core/src/main/java/org/apache/qpid/server/security/AbstractTrustStore.java
new file mode 100644
index 0000000..db42d3b
--- /dev/null
+++ b/broker-core/src/main/java/org/apache/qpid/server/security/AbstractTrustStore.java
@@ -0,0 +1,251 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.qpid.server.security;
+
+import java.security.cert.CertificateExpiredException;
+import java.security.cert.CertificateNotYetValidException;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Date;
+import java.util.List;
+import java.util.Map;
+import java.util.concurrent.ScheduledFuture;
+import java.util.concurrent.TimeUnit;
+
+import com.google.common.util.concurrent.Futures;
+import com.google.common.util.concurrent.ListenableFuture;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import org.apache.qpid.server.logging.EventLogger;
+import org.apache.qpid.server.logging.messages.TrustStoreMessages;
+import org.apache.qpid.server.model.AbstractConfigurationChangeListener;
+import org.apache.qpid.server.model.AbstractConfiguredObject;
+import org.apache.qpid.server.model.AuthenticationProvider;
+import org.apache.qpid.server.model.Broker;
+import org.apache.qpid.server.model.ConfiguredObject;
+import org.apache.qpid.server.model.IntegrityViolationException;
+import org.apache.qpid.server.model.ManagedAttributeField;
+import org.apache.qpid.server.model.Port;
+import org.apache.qpid.server.model.State;
+import org.apache.qpid.server.model.TrustStore;
+import org.apache.qpid.server.model.VirtualHostNode;
+import org.apache.qpid.server.security.auth.manager.SimpleLDAPAuthenticationManager;
+
+public abstract class AbstractTrustStore<X extends AbstractTrustStore<X>>
+ extends AbstractConfiguredObject<X> implements TrustStore<X>
+{
+ private static Logger LOGGER = LoggerFactory.getLogger(AbstractTrustStore.class);
+
+ protected static final long ONE_DAY = 24L * 60L * 60L * 1000L;
+
+ private final Broker<?> _broker;
+ private final EventLogger _eventLogger;
+
+ @ManagedAttributeField
+ private boolean _exposedAsMessageSource;
+ @ManagedAttributeField
+ private List<VirtualHostNode<?>> _includedVirtualHostNodeMessageSources;
+ @ManagedAttributeField
+ private List<VirtualHostNode<?>> _excludedVirtualHostNodeMessageSources;
+
+ private ScheduledFuture<?> _checkExpiryTaskFuture;
+
+ public AbstractTrustStore(Map<String, Object> attributes, Broker<?> broker)
+ {
+ super(broker, attributes);
+
+ _broker = broker;
+ _eventLogger = broker.getEventLogger();
+ _eventLogger.message(TrustStoreMessages.CREATE(getName()));
+ }
+
+ public final Broker<?> getBroker()
+ {
+ return _broker;
+ }
+
+ final EventLogger getEventLogger()
+ {
+ return _eventLogger;
+ }
+
+ @Override
+ protected ListenableFuture<Void> onClose()
+ {
+ if(_checkExpiryTaskFuture != null)
+ {
+ _checkExpiryTaskFuture.cancel(false);
+ _checkExpiryTaskFuture = null;
+ }
+ return Futures.immediateFuture(null);
+ }
+
+ @Override
+ protected void logOperation(final String operation)
+ {
+ _broker.getEventLogger().message(TrustStoreMessages.OPERATION(operation));
+ }
+
+ protected void initializeExpiryChecking()
+ {
+ int checkFrequency = getCertificateExpiryCheckFrequency();
+ if(getBroker().getState() == State.ACTIVE)
+ {
+ _checkExpiryTaskFuture = getBroker().scheduleHouseKeepingTask(checkFrequency, TimeUnit.DAYS,
+ this::checkCertificateExpiry);
+ }
+ else
+ {
+ final int frequency = checkFrequency;
+ getBroker().addChangeListener(new AbstractConfigurationChangeListener()
+ {
+ @Override
+ public void stateChanged(final ConfiguredObject<?> object, final State oldState, final State newState)
+ {
+ if (newState == State.ACTIVE)
+ {
+ _checkExpiryTaskFuture =
+ getBroker().scheduleHouseKeepingTask(frequency, TimeUnit.DAYS,
+ () -> checkCertificateExpiry());
+ getBroker().removeChangeListener(this);
+ }
+ }
+ });
+ }
+ }
+
+ protected final ListenableFuture<Void> deleteIfNotInUse()
+ {
+ // verify that it is not in use
+ String storeName = getName();
+
+ Collection<Port<?>> ports = new ArrayList<>(_broker.getPorts());
+ for (Port port : ports)
+ {
+ Collection<TrustStore> trustStores = port.getTrustStores();
+ if(trustStores != null)
+ {
+ for (TrustStore store : trustStores)
+ {
+ if(storeName.equals(store.getAttribute(TrustStore.NAME)))
+ {
+ throw new IntegrityViolationException("Trust store '"
+ + storeName
+ + "' can't be deleted as it is in use by a port: "
+ + port.getName());
+ }
+ }
+ }
+ }
+
+ Collection<AuthenticationProvider> authenticationProviders = new ArrayList<>(_broker.getAuthenticationProviders());
+ for (AuthenticationProvider authProvider : authenticationProviders)
+ {
+ if (authProvider instanceof SimpleLDAPAuthenticationManager)
+ {
+ SimpleLDAPAuthenticationManager simpleLdap = (SimpleLDAPAuthenticationManager) authProvider;
+ if (simpleLdap.getTrustStore() == this)
+ {
+ throw new IntegrityViolationException("Trust store '"
+ + storeName
+ + "' can't be deleted as it is in use by an authentication manager: "
+ + authProvider.getName());
+ }
+ }
+ }
+ deleted();
+ setState(State.DELETED);
+ _eventLogger.message(TrustStoreMessages.DELETE(getName()));
+ return Futures.immediateFuture(null);
+ }
+
+ protected abstract void checkCertificateExpiry();
+
+ protected void checkCertificateExpiry(final long currentTime,
+ final Date expiryTestDate,
+ final X509Certificate cert)
+ {
+ try
+ {
+ cert.checkValidity(expiryTestDate);
+ }
+ catch(CertificateExpiredException e)
+ {
+ long timeToExpiry = cert.getNotAfter().getTime() - currentTime;
+ int days = Math.max(0,(int)(timeToExpiry / (ONE_DAY)));
+
+ getEventLogger().message(TrustStoreMessages.EXPIRING(getName(), String.valueOf(days), cert.getSubjectDN().toString()));
+ }
+ catch(CertificateNotYetValidException e)
+ {
+ // ignore
+ }
+ }
+
+ @Override
+ public final int getCertificateExpiryWarnPeriod()
+ {
+ try
+ {
+ return getContextValue(Integer.class, CERTIFICATE_EXPIRY_WARN_PERIOD);
+ }
+ catch (NullPointerException | IllegalArgumentException e)
+ {
+ LOGGER.warn("The value of the context variable '{}' for truststore {} cannot be converted to an integer. The value {} will be used as a default", CERTIFICATE_EXPIRY_WARN_PERIOD, getName(), DEFAULT_CERTIFICATE_EXPIRY_WARN_PERIOD);
+ return DEFAULT_CERTIFICATE_EXPIRY_WARN_PERIOD;
+ }
+ }
+
+ @Override
+ public int getCertificateExpiryCheckFrequency()
+ {
+ int checkFrequency;
+ try
+ {
+ checkFrequency = getContextValue(Integer.class, CERTIFICATE_EXPIRY_CHECK_FREQUENCY);
+ }
+ catch (IllegalArgumentException | NullPointerException e)
+ {
+ LOGGER.warn("Cannot parse the context variable {} ", CERTIFICATE_EXPIRY_CHECK_FREQUENCY, e);
+ checkFrequency = DEFAULT_CERTIFICATE_EXPIRY_CHECK_FREQUENCY;
+ }
+ return checkFrequency;
+ }
+
+ @Override
+ public boolean isExposedAsMessageSource()
+ {
+ return _exposedAsMessageSource;
+ }
+
+ @Override
+ public List<VirtualHostNode<?>> getIncludedVirtualHostNodeMessageSources()
+ {
+ return _includedVirtualHostNodeMessageSources;
+ }
+
+ @Override
+ public List<VirtualHostNode<?>> getExcludedVirtualHostNodeMessageSources()
+ {
+ return _excludedVirtualHostNodeMessageSources;
+ }
+}
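Review bot: onClose only cancels _checkExpiryTaskFuture, but when initializeExpiryChecking ran while the broker was not yet ACTIVE the anonymous listener it registered stays attached until the broker activates, so a store closed in the meantime will still have a housekeeping task scheduled on its behalf. Keeping the listener in a field and removing it in onClose closes that window; the sketch below also captures the effectively-final checkFrequency directly and uses one method-reference form in both branches instead of `this::checkCertificateExpiry` at one site and `() -> checkCertificateExpiry()` at the other. Since stateChanged is presumably invoked on a broker thread, both fields would want to be volatile — worth confirming against the broker's listener contract. Separately, checkCertificateExpiry(long, Date, X509Certificate) formats the subject with the long-discouraged `cert.getSubjectDN().toString()`; `cert.getSubjectX500Principal().getName()` is the supported form, and because `Math.max(0, …)` reports an already-expired certificate as "expires in 0 days", a comment saying so would save the next reader a double take.
```java
    private volatile ScheduledFuture<?> _checkExpiryTaskFuture;
    // set only while waiting for the broker to become ACTIVE; cleared once the task is scheduled
    private volatile AbstractConfigurationChangeListener _brokerActivationListener;

    @Override
    protected ListenableFuture<Void> onClose()
    {
        if (_brokerActivationListener != null)
        {
            // the broker never became ACTIVE while this store was open; drop the pending registration
            getBroker().removeChangeListener(_brokerActivationListener);
            _brokerActivationListener = null;
        }
        // … unchanged: cancel _checkExpiryTaskFuture and return the immediate future …
    }

    protected void initializeExpiryChecking()
    {
        int checkFrequency = getCertificateExpiryCheckFrequency();
        if(getBroker().getState() == State.ACTIVE)
        {
            _checkExpiryTaskFuture = getBroker().scheduleHouseKeepingTask(checkFrequency, TimeUnit.DAYS,
                                                                          this::checkCertificateExpiry);
        }
        else
        {
            _brokerActivationListener = new AbstractConfigurationChangeListener()
            {
                @Override
                public void stateChanged(final ConfiguredObject<?> object, final State oldState, final State newState)
                {
                    if (newState == State.ACTIVE)
                    {
                        _checkExpiryTaskFuture = getBroker().scheduleHouseKeepingTask(checkFrequency, TimeUnit.DAYS,
                                                                                      AbstractTrustStore.this::checkCertificateExpiry);
                        getBroker().removeChangeListener(this);
                        _brokerActivationListener = null;
                    }
                }
            };
            getBroker().addChangeListener(_brokerActivationListener);
        }
    }
```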
http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/f218a1dd/broker-core/src/main/java/org/apache/qpid/server/security/AutoGeneratedSelfSignedKeyStoreImpl.java
----------------------------------------------------------------------
diff --git a/broker-core/src/main/java/org/apache/qpid/server/security/AutoGeneratedSelfSignedKeyStoreImpl.java b/broker-core/src/main/java/org/apache/qpid/server/security/AutoGeneratedSelfSignedKeyStoreImpl.java
index eb0f3a3..d9cd0ee 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/security/AutoGeneratedSelfSignedKeyStoreImpl.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/security/AutoGeneratedSelfSignedKeyStoreImpl.java
@@ -63,7 +63,6 @@ import com.google.common.util.concurrent.ListenableFuture;
import org.apache.qpid.server.configuration.IllegalConfigurationException;
import org.apache.qpid.server.logging.EventLogger;
import org.apache.qpid.server.logging.messages.KeyStoreMessages;
-import org.apache.qpid.server.model.AbstractConfiguredObject;
import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.model.Content;
import org.apache.qpid.server.model.CustomRestHeaders;
@@ -78,7 +77,7 @@ import org.apache.qpid.server.transport.network.security.ssl.SSLUtil;
import org.apache.qpid.server.util.Strings;
public class AutoGeneratedSelfSignedKeyStoreImpl
- extends AbstractConfiguredObject<AutoGeneratedSelfSignedKeyStoreImpl>
+ extends AbstractKeyStore<AutoGeneratedSelfSignedKeyStoreImpl>
implements AutoGeneratedSelfSignedKeyStore<AutoGeneratedSelfSignedKeyStoreImpl>
{
@@ -124,7 +123,7 @@ public class AutoGeneratedSelfSignedKeyStoreImpl
@ManagedObjectFactoryConstructor(conditionallyAvailable = true)
public AutoGeneratedSelfSignedKeyStoreImpl(final Map<String, Object> attributes, Broker<?> broker)
{
- super(broker, attributes);
+ super(attributes, broker);
_broker = broker;
_eventLogger = _broker.getEventLogger();
_eventLogger.message(KeyStoreMessages.CREATE(getName()));
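Review bot: After switching the super call to AbstractKeyStore, the constructor still assigns its own _broker and _eventLogger and logs the CREATE message itself; AbstractKeyStore declares private _broker and _eventLogger fields of its own (visible as context in its first hunk) and its sibling AbstractTrustStore logs CREATE from its constructor, so if AbstractKeyStore's constructor does the same — it is not visible here — every self-signed keystore now logs CREATE twice and carries a duplicate pair of fields. Worth verifying; if so, the three lines after `super(attributes, broker);` can go and the class should read getBroker()/getEventLogger() from the base instead. The rest of the constructor lies outside the hunk.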
@@ -229,6 +228,13 @@ public class AutoGeneratedSelfSignedKeyStoreImpl
_created = true;
}
+ @Override
+ protected void onOpen()
+ {
+ super.onOpen();
+ initializeExpiryChecking();
+ }
+
@StateTransition(currentState = { State.UNINITIALIZED, State.STOPPED, State.ERRORED}, desiredState = State.ACTIVE)
protected ListenableFuture<Void> activate()
{
@@ -349,6 +355,21 @@ public class AutoGeneratedSelfSignedKeyStoreImpl
}
}
+ @Override
+ protected void checkCertificateExpiry()
+ {
+ int expiryWarning = getCertificateExpiryWarnPeriod();
+ if(expiryWarning > 0)
+ {
+ long currentTime = System.currentTimeMillis();
+ Date expiryTestDate = new Date(currentTime + (ONE_DAY * (long) expiryWarning));
+
+ checkCertificatesExpiry(currentTime, expiryTestDate,
+ new X509Certificate[]{_certificate});
+ }
+ }
+
+
private void generateKeyManagers()
{
try
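Review bot: checkCertificateExpiry wraps _certificate in an array without a null check; if the housekeeping task fires before the certificate has been generated (initializeExpiryChecking is now called from onOpen, and the generation path is not visible in this hunk) the scheduled task would throw. A guard such as `if(expiryWarning > 0 && _certificate != null)` keeps the task from failing, and a comment stating at which point _certificate is guaranteed to be set would help either way. The warn-period lookup and the expiryTestDate arithmetic are also repeated verbatim in FileTrustStoreImpl's new checkCertificateExpiry; both could live in the respective base class, with the subclass supplying only the certificates to check.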
http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/f218a1dd/broker-core/src/main/java/org/apache/qpid/server/security/FileTrustStoreImpl.java
----------------------------------------------------------------------
diff --git a/broker-core/src/main/java/org/apache/qpid/server/security/FileTrustStoreImpl.java b/broker-core/src/main/java/org/apache/qpid/server/security/FileTrustStoreImpl.java
index ae7e781..c1cd588 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/security/FileTrustStoreImpl.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/security/FileTrustStoreImpl.java
@@ -33,6 +33,7 @@ import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
+import java.util.Date;
import java.util.Enumeration;
import java.util.List;
import java.util.Map;
@@ -47,30 +48,20 @@ import com.google.common.util.concurrent.Futures;
import com.google.common.util.concurrent.ListenableFuture;
import org.apache.qpid.server.configuration.IllegalConfigurationException;
-import org.apache.qpid.server.logging.EventLogger;
-import org.apache.qpid.server.logging.messages.TrustStoreMessages;
-import org.apache.qpid.server.model.AbstractConfiguredObject;
-import org.apache.qpid.server.model.AuthenticationProvider;
import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.model.ConfiguredObject;
-import org.apache.qpid.server.model.IntegrityViolationException;
import org.apache.qpid.server.model.ManagedAttributeField;
import org.apache.qpid.server.model.ManagedObjectFactoryConstructor;
-import org.apache.qpid.server.model.Port;
import org.apache.qpid.server.model.State;
import org.apache.qpid.server.model.StateTransition;
import org.apache.qpid.server.model.TrustStore;
-import org.apache.qpid.server.model.VirtualHostNode;
-import org.apache.qpid.server.security.auth.manager.SimpleLDAPAuthenticationManager;
-import org.apache.qpid.server.util.urlstreamhandler.data.Handler;
import org.apache.qpid.server.transport.network.security.ssl.QpidMultipleTrustManager;
import org.apache.qpid.server.transport.network.security.ssl.QpidPeersOnlyTrustManager;
import org.apache.qpid.server.transport.network.security.ssl.SSLUtil;
+import org.apache.qpid.server.util.urlstreamhandler.data.Handler;
-public class FileTrustStoreImpl extends AbstractConfiguredObject<FileTrustStoreImpl> implements FileTrustStore<FileTrustStoreImpl>
+public class FileTrustStoreImpl extends AbstractTrustStore<FileTrustStoreImpl> implements FileTrustStore<FileTrustStoreImpl>
{
- private final Broker<?> _broker;
- private final EventLogger _eventLogger;
@ManagedAttributeField
private String _trustStoreType;
@@ -84,13 +75,6 @@ public class FileTrustStoreImpl extends AbstractConfiguredObject<FileTrustStoreI
@ManagedAttributeField
private String _password;
- @ManagedAttributeField
- private boolean _exposedAsMessageSource;
- @ManagedAttributeField
- private List<VirtualHostNode<?>> _includedVirtualHostNodeMessageSources;
- @ManagedAttributeField
- private List<VirtualHostNode<?>> _excludedVirtualHostNodeMessageSources;
-
static
{
Handler.register();
@@ -99,10 +83,7 @@ public class FileTrustStoreImpl extends AbstractConfiguredObject<FileTrustStoreI
@ManagedObjectFactoryConstructor
public FileTrustStoreImpl(Map<String, Object> attributes, Broker<?> broker)
{
- super(broker, attributes);
- _broker = broker;
- _eventLogger = _broker.getEventLogger();
- _eventLogger.message(TrustStoreMessages.CREATE(getName()));
+ super(attributes, broker);
}
@Override
@@ -119,52 +100,13 @@ public class FileTrustStoreImpl extends AbstractConfiguredObject<FileTrustStoreI
@StateTransition(currentState = {State.ACTIVE, State.ERRORED}, desiredState = State.DELETED)
protected ListenableFuture<Void> doDelete()
{
- // verify that it is not in use
- String storeName = getName();
-
- Collection<Port<?>> ports = new ArrayList<>(_broker.getPorts());
- for (Port port : ports)
- {
- Collection<TrustStore> trustStores = port.getTrustStores();
- if(trustStores != null)
- {
- for (TrustStore store : trustStores)
- {
- if(storeName.equals(store.getAttribute(TrustStore.NAME)))
- {
- throw new IntegrityViolationException("Trust store '"
- + storeName
- + "' can't be deleted as it is in use by a port: "
- + port.getName());
- }
- }
- }
- }
-
- Collection<AuthenticationProvider> authenticationProviders = new ArrayList<>(_broker.getAuthenticationProviders());
- for (AuthenticationProvider authProvider : authenticationProviders)
- {
- if (authProvider instanceof SimpleLDAPAuthenticationManager)
- {
- SimpleLDAPAuthenticationManager simpleLdap = (SimpleLDAPAuthenticationManager) authProvider;
- if (simpleLdap.getTrustStore() == this)
- {
- throw new IntegrityViolationException("Trust store '"
- + storeName
- + "' can't be deleted as it is in use by an authentication manager: "
- + authProvider.getName());
- }
- }
- }
- deleted();
- setState(State.DELETED);
- _eventLogger.message(TrustStoreMessages.DELETE(getName()));
- return Futures.immediateFuture(null);
+ return deleteIfNotInUse();
}
@StateTransition(currentState = {State.UNINITIALIZED, State.ERRORED}, desiredState = State.ACTIVE)
protected ListenableFuture<Void> doActivate()
{
+ initializeExpiryChecking();
setState(State.ACTIVE);
return Futures.immediateFuture(null);
}
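Review bot: doActivate now calls initializeExpiryChecking on every transition into ACTIVE, and its currentState list includes ERRORED, so a store that is re-activated after an error would call it a second time; initializeExpiryChecking in the new AbstractTrustStore assigns _checkExpiryTaskFuture without cancelling an existing task, so the first task would keep running unreferenced. Whether the ERRORED→ACTIVE path can follow an earlier successful activation is not visible here — if it can, the base method should start with `if (_checkExpiryTaskFuture != null) { _checkExpiryTaskFuture.cancel(false); }` before scheduling anew. Note also that the keystore side (AutoGeneratedSelfSignedKeyStoreImpl) hooks initializeExpiryChecking into onOpen while this class hooks it into doActivate; picking one lifecycle point for both would make the behaviour easier to reason about.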
@@ -179,10 +121,6 @@ public class FileTrustStoreImpl extends AbstractConfiguredObject<FileTrustStoreI
{
return;
}
- if(changedAttributes.contains(TrustStore.NAME) && !getName().equals(updated.getName()))
- {
- throw new IllegalConfigurationException("Changing the trust store name is not allowed");
- }
validateTrustStore(updated);
}
@@ -347,7 +285,6 @@ public class FileTrustStoreImpl extends AbstractConfiguredObject<FileTrustStoreI
}
}
-
@Override
public List<CertificateDetails> getCertificateDetails()
{
@@ -364,6 +301,28 @@ public class FileTrustStoreImpl extends AbstractConfiguredObject<FileTrustStoreI
}
}
+ @Override
+ protected void checkCertificateExpiry()
+ {
+ int expiryWarning = getCertificateExpiryWarnPeriod();
+ if(expiryWarning > 0)
+ {
+ long currentTime = System.currentTimeMillis();
+ Date expiryTestDate = new Date(currentTime + (ONE_DAY * (long) expiryWarning));
+
+ try
+ {
+ Arrays.stream(getCertificates())
+ .filter(cert -> cert instanceof X509Certificate)
+ .forEach(x509cert -> checkCertificateExpiry(currentTime, expiryTestDate,
+ (X509Certificate) x509cert));
+ }
+ catch (GeneralSecurityException e)
+ {
+ }
+ }
+ }
+
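Review bot: The `catch (GeneralSecurityException e) { }` in the new checkCertificateExpiry is empty, so a truststore whose certificates can no longer be loaded silently stops producing expiry warnings — precisely the situation an operator would want to hear about. At minimum rename the variable `ignored` and add a comment such as `// certificates cannot be loaded; the open/validate path reports that, so only the expiry warning is skipped here` if that is the reasoning (the load path is outside this hunk), otherwise log it through the class's logger. Stylistically, the instanceof filter followed by a cast inside forEach reads more cleanly as `.filter(X509Certificate.class::isInstance).map(X509Certificate.class::cast).forEach(cert -> checkCertificateExpiry(currentTime, expiryTestDate, cert))`.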
private static URL getUrlFromString(String urlString) throws MalformedURLException
{
URL url;
@@ -392,28 +351,4 @@ public class FileTrustStoreImpl extends AbstractConfiguredObject<FileTrustStoreI
_path = null;
}
}
-
- @Override
- public boolean isExposedAsMessageSource()
- {
- return _exposedAsMessageSource;
- }
-
- @Override
- public List<VirtualHostNode<?>> getIncludedVirtualHostNodeMessageSources()
- {
- return _includedVirtualHostNodeMessageSources;
- }
-
- @Override
- public List<VirtualHostNode<?>> getExcludedVirtualHostNodeMessageSources()
- {
- return _excludedVirtualHostNodeMessageSources;
- }
-
- @Override
- protected void logOperation(final String operation)
- {
- _broker.getEventLogger().message(TrustStoreMessages.OPERATION(operation));
- }
}
http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/f218a1dd/broker-core/src/main/java/org/apache/qpid/server/security/ManagedPeerCertificateTrustStoreImpl.java
----------------------------------------------------------------------
diff --git a/broker-core/src/main/java/org/apache/qpid/server/security/ManagedPeerCertificateTrustStoreImpl.java b/broker-core/src/main/java/org/apache/qpid/server/security/ManagedPeerCertificateTrustStoreImpl.java
index 6133192..5042915 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/security/ManagedPeerCertificateTrustStoreImpl.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/security/ManagedPeerCertificateTrustStoreImpl.java
@@ -28,6 +28,7 @@ import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
+import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
@@ -46,41 +47,21 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.apache.qpid.server.configuration.IllegalConfigurationException;
-import org.apache.qpid.server.logging.EventLogger;
-import org.apache.qpid.server.logging.messages.TrustStoreMessages;
-import org.apache.qpid.server.model.AbstractConfiguredObject;
-import org.apache.qpid.server.model.AuthenticationProvider;
import org.apache.qpid.server.model.Broker;
-import org.apache.qpid.server.model.ConfiguredObject;
-import org.apache.qpid.server.model.IntegrityViolationException;
import org.apache.qpid.server.model.ManagedAttributeField;
import org.apache.qpid.server.model.ManagedObject;
import org.apache.qpid.server.model.ManagedObjectFactoryConstructor;
-import org.apache.qpid.server.model.Port;
import org.apache.qpid.server.model.State;
import org.apache.qpid.server.model.StateTransition;
-import org.apache.qpid.server.model.TrustStore;
-import org.apache.qpid.server.model.VirtualHostNode;
-import org.apache.qpid.server.security.auth.manager.SimpleLDAPAuthenticationManager;
import org.apache.qpid.server.transport.network.security.ssl.QpidMultipleTrustManager;
import org.apache.qpid.server.transport.network.security.ssl.QpidPeersOnlyTrustManager;
@ManagedObject( category = false )
public class ManagedPeerCertificateTrustStoreImpl
- extends AbstractConfiguredObject<ManagedPeerCertificateTrustStoreImpl> implements ManagedPeerCertificateTrustStore<ManagedPeerCertificateTrustStoreImpl>
+ extends AbstractTrustStore<ManagedPeerCertificateTrustStoreImpl> implements ManagedPeerCertificateTrustStore<ManagedPeerCertificateTrustStoreImpl>
{
private static final Logger LOGGER = LoggerFactory.getLogger(ManagedPeerCertificateTrustStoreImpl.class);
- private final Broker<?> _broker;
- private final EventLogger _eventLogger;
-
- @ManagedAttributeField
- private boolean _exposedAsMessageSource;
- @ManagedAttributeField
- private List<VirtualHostNode<?>> _includedVirtualHostNodeMessageSources;
- @ManagedAttributeField
- private List<VirtualHostNode<?>> _excludedVirtualHostNodeMessageSources;
-
private volatile TrustManager[] _trustManagers = new TrustManager[0];
@ManagedAttributeField( afterSet = "updateTrustManagers")
@@ -89,10 +70,7 @@ public class ManagedPeerCertificateTrustStoreImpl
@ManagedObjectFactoryConstructor
public ManagedPeerCertificateTrustStoreImpl(final Map<String, Object> attributes, Broker<?> broker)
{
- super(broker, attributes);
- _broker = broker;
- _eventLogger = _broker.getEventLogger();
- _eventLogger.message(TrustStoreMessages.CREATE(getName()));
+ super(attributes, broker);
}
@Override
@@ -114,71 +92,17 @@ public class ManagedPeerCertificateTrustStoreImpl
@StateTransition(currentState = {State.ACTIVE, State.ERRORED}, desiredState = State.DELETED)
protected ListenableFuture<Void> doDelete()
{
- // verify that it is not in use
- String storeName = getName();
-
- Collection<Port<?>> ports = new ArrayList<>(_broker.getPorts());
- for (Port port : ports)
- {
- Collection<TrustStore> trustStores = port.getTrustStores();
- if(trustStores != null)
- {
- for (TrustStore store : trustStores)
- {
- if(storeName.equals(store.getAttribute(TrustStore.NAME)))
- {
- throw new IntegrityViolationException("Trust store '"
- + storeName
- + "' can't be deleted as it is in use by a port: "
- + port.getName());
- }
- }
- }
- }
-
- Collection<AuthenticationProvider> authenticationProviders = new ArrayList<AuthenticationProvider>(_broker.getAuthenticationProviders());
- for (AuthenticationProvider authProvider : authenticationProviders)
- {
- if(authProvider.getAttributeNames().contains(SimpleLDAPAuthenticationManager.TRUST_STORE))
- {
- Object attributeType = authProvider.getAttribute(AuthenticationProvider.TYPE);
- Object attributeValue = authProvider.getAttribute(SimpleLDAPAuthenticationManager.TRUST_STORE);
- if (SimpleLDAPAuthenticationManager.PROVIDER_TYPE.equals(attributeType)
- && storeName.equals(attributeValue))
- {
- throw new IntegrityViolationException("Trust store '"
- + storeName
- + "' can't be deleted as it is in use by an authentication manager: "
- + authProvider.getName());
- }
- }
- }
- deleted();
- setState(State.DELETED);
- _eventLogger.message(TrustStoreMessages.DELETE(getName()));
- return Futures.immediateFuture(null);
+ return deleteIfNotInUse();
}
@StateTransition(currentState = {State.UNINITIALIZED, State.ERRORED}, desiredState = State.ACTIVE)
protected ListenableFuture<Void> doActivate()
{
+ initializeExpiryChecking();
setState(State.ACTIVE);
return Futures.immediateFuture(null);
}
-
- @Override
- protected void validateChange(final ConfiguredObject<?> proxyForValidation, final Set<String> changedAttributes)
- {
- super.validateChange(proxyForValidation, changedAttributes);
- ManagedPeerCertificateTrustStore<?> changedStore = (ManagedPeerCertificateTrustStore) proxyForValidation;
- if (changedAttributes.contains(NAME) && !getName().equals(changedStore.getName()))
- {
- throw new IllegalConfigurationException("Changing the key store name is not allowed");
- }
- }
-
-
@SuppressWarnings("unused")
private void updateTrustManagers()
{
@@ -235,25 +159,6 @@ public class ManagedPeerCertificateTrustStoreImpl
}
}
-
- @Override
- public boolean isExposedAsMessageSource()
- {
- return _exposedAsMessageSource;
- }
-
- @Override
- public List<VirtualHostNode<?>> getIncludedVirtualHostNodeMessageSources()
- {
- return _includedVirtualHostNodeMessageSources;
- }
-
- @Override
- public List<VirtualHostNode<?>> getExcludedVirtualHostNodeMessageSources()
- {
- return _excludedVirtualHostNodeMessageSources;
- }
-
@Override
public List<Certificate> getStoredCertificates()
{
@@ -266,7 +171,7 @@ public class ManagedPeerCertificateTrustStoreImpl
final Set<Certificate> certificates = new LinkedHashSet<>(_storedCertificates);
if (certificates.add(cert))
{
- setAttributes(Collections.<String, Object>singletonMap("storedCertificates", certificates));
+ setAttributes(Collections.singletonMap("storedCertificates", certificates));
}
}
@@ -318,14 +223,23 @@ public class ManagedPeerCertificateTrustStoreImpl
if (updated)
{
- setAttributes(Collections.<String, Object>singletonMap("storedCertificates", currentCerts));
+ setAttributes(Collections.singletonMap("storedCertificates", currentCerts));
}
}
-
@Override
- protected void logOperation(final String operation)
+ protected void checkCertificateExpiry()
{
- _broker.getEventLogger().message(TrustStoreMessages.OPERATION(operation));
+ int expiryWarning = getCertificateExpiryWarnPeriod();
+ if(expiryWarning > 0)
+ {
+ long currentTime = System.currentTimeMillis();
+ Date expiryTestDate = new Date(currentTime + (ONE_DAY * (long) expiryWarning));
+
+ _storedCertificates.stream()
+ .filter(cert -> cert instanceof X509Certificate)
+ .forEach(x509cert -> checkCertificateExpiry(currentTime, expiryTestDate,
+ (X509Certificate) x509cert));
+ }
}
}
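Review bot: The `expiryWarning > 0` guard and the `currentTime`/`expiryTestDate` computation in the new `checkCertificateExpiry()` are repeated verbatim in NonJavaTrustStoreImpl and SiteSpecificTrustStoreImpl, even though the commit's stated aim is to pull common code into AbstractTrustStore. A template method in the base class could compute the test date once and call an abstract `Iterable<? extends Certificate> getCertificatesForExpiryCheck()` (or similar), leaving each subclass to supply only its certificate source. It is also worth a comment that this method reads `_storedCertificates` on whatever thread runs the expiry check while `setAttributes(...)` replaces it wholesale elsewhere in the class, e.g. `// reads the managed attribute; it is swapped as a whole by setAttributes, never mutated in place` — the field declaration and its volatility are outside this hunk, so confirm before relying on that.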
http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/f218a1dd/broker-core/src/main/java/org/apache/qpid/server/security/NonJavaTrustStoreImpl.java
----------------------------------------------------------------------
diff --git a/broker-core/src/main/java/org/apache/qpid/server/security/NonJavaTrustStoreImpl.java b/broker-core/src/main/java/org/apache/qpid/server/security/NonJavaTrustStoreImpl.java
index 385ea02..d98c821 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/security/NonJavaTrustStoreImpl.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/security/NonJavaTrustStoreImpl.java
@@ -27,10 +27,9 @@ import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
-import java.util.ArrayList;
import java.util.Arrays;
-import java.util.Collection;
import java.util.Collections;
+import java.util.Date;
import java.util.List;
import java.util.Map;
import java.util.Set;
@@ -45,42 +44,25 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.apache.qpid.server.configuration.IllegalConfigurationException;
-import org.apache.qpid.server.logging.EventLogger;
-import org.apache.qpid.server.logging.messages.TrustStoreMessages;
-import org.apache.qpid.server.model.AbstractConfiguredObject;
-import org.apache.qpid.server.model.AuthenticationProvider;
import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.model.ConfiguredObject;
-import org.apache.qpid.server.model.IntegrityViolationException;
import org.apache.qpid.server.model.ManagedAttributeField;
import org.apache.qpid.server.model.ManagedObject;
import org.apache.qpid.server.model.ManagedObjectFactoryConstructor;
-import org.apache.qpid.server.model.Port;
import org.apache.qpid.server.model.State;
import org.apache.qpid.server.model.StateTransition;
-import org.apache.qpid.server.model.TrustStore;
import org.apache.qpid.server.model.VirtualHostNode;
-import org.apache.qpid.server.security.auth.manager.SimpleLDAPAuthenticationManager;
import org.apache.qpid.server.transport.network.security.ssl.SSLUtil;
import org.apache.qpid.server.util.urlstreamhandler.data.Handler;
@ManagedObject( category = false )
public class NonJavaTrustStoreImpl
- extends AbstractConfiguredObject<NonJavaTrustStoreImpl> implements NonJavaTrustStore<NonJavaTrustStoreImpl>
+ extends AbstractTrustStore<NonJavaTrustStoreImpl> implements NonJavaTrustStore<NonJavaTrustStoreImpl>
{
private static final Logger LOGGER = LoggerFactory.getLogger(NonJavaTrustStoreImpl.class);
- private final Broker<?> _broker;
- private final EventLogger _eventLogger;
-
@ManagedAttributeField( afterSet = "updateTrustManagers" )
private String _certificatesUrl;
- @ManagedAttributeField
- private boolean _exposedAsMessageSource;
- @ManagedAttributeField
- private List<VirtualHostNode<?>> _includedVirtualHostNodeMessageSources;
- @ManagedAttributeField
- private List<VirtualHostNode<?>> _excludedVirtualHostNodeMessageSources;
private volatile TrustManager[] _trustManagers = new TrustManager[0];
@@ -96,10 +78,7 @@ public class NonJavaTrustStoreImpl
@ManagedObjectFactoryConstructor
public NonJavaTrustStoreImpl(final Map<String, Object> attributes, Broker<?> broker)
{
- super(broker, attributes);
- _broker = broker;
- _eventLogger = _broker.getEventLogger();
- _eventLogger.message(TrustStoreMessages.CREATE(getName()));
+ super(attributes, broker);
}
@Override
@@ -152,54 +131,13 @@ public class NonJavaTrustStoreImpl
@StateTransition(currentState = {State.ACTIVE, State.ERRORED}, desiredState = State.DELETED)
protected ListenableFuture<Void> doDelete()
{
- // verify that it is not in use
- String storeName = getName();
-
- Collection<Port<?>> ports = new ArrayList<Port<?>>(_broker.getPorts());
- for (Port port : ports)
- {
- Collection<TrustStore> trustStores = port.getTrustStores();
- if(trustStores != null)
- {
- for (TrustStore store : trustStores)
- {
- if(storeName.equals(store.getAttribute(TrustStore.NAME)))
- {
- throw new IntegrityViolationException("Trust store '"
- + storeName
- + "' can't be deleted as it is in use by a port: "
- + port.getName());
- }
- }
- }
- }
-
- Collection<AuthenticationProvider> authenticationProviders = new ArrayList<AuthenticationProvider>(_broker.getAuthenticationProviders());
- for (AuthenticationProvider authProvider : authenticationProviders)
- {
- if(authProvider.getAttributeNames().contains(SimpleLDAPAuthenticationManager.TRUST_STORE))
- {
- Object attributeType = authProvider.getAttribute(AuthenticationProvider.TYPE);
- Object attributeValue = authProvider.getAttribute(SimpleLDAPAuthenticationManager.TRUST_STORE);
- if (SimpleLDAPAuthenticationManager.PROVIDER_TYPE.equals(attributeType)
- && storeName.equals(attributeValue))
- {
- throw new IntegrityViolationException("Trust store '"
- + storeName
- + "' can't be deleted as it is in use by an authentication manager: "
- + authProvider.getName());
- }
- }
- }
- deleted();
- setState(State.DELETED);
- _eventLogger.message(TrustStoreMessages.DELETE(getName()));
- return Futures.immediateFuture(null);
+ return deleteIfNotInUse();
}
@StateTransition(currentState = {State.UNINITIALIZED, State.ERRORED}, desiredState = State.ACTIVE)
protected ListenableFuture<Void> doActivate()
{
+ initializeExpiryChecking();
setState(State.ACTIVE);
return Futures.immediateFuture(null);
}
@@ -209,11 +147,23 @@ public class NonJavaTrustStoreImpl
{
super.validateChange(proxyForValidation, changedAttributes);
NonJavaTrustStore changedStore = (NonJavaTrustStore) proxyForValidation;
- if (changedAttributes.contains(NAME) && !getName().equals(changedStore.getName()))
+ validateTrustStoreAttributes(changedStore);
+ }
+
+ @Override
+ protected void checkCertificateExpiry()
+ {
+ int expiryWarning = getCertificateExpiryWarnPeriod();
+ if(expiryWarning > 0)
{
- throw new IllegalConfigurationException("Changing the key store name is not allowed");
+ long currentTime = System.currentTimeMillis();
+ Date expiryTestDate = new Date(currentTime + (ONE_DAY * (long) expiryWarning));
+
+ Arrays.stream(_certificates)
+ .filter(cert -> cert instanceof X509Certificate)
+ .forEach(x509cert -> checkCertificateExpiry(currentTime, expiryTestDate,
+ x509cert));
}
- validateTrustStoreAttributes(changedStore);
}
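Review bot: In the new `checkCertificateExpiry()` the lambda passes `x509cert` to `checkCertificateExpiry(long, Date, X509Certificate)` without a cast, so `_certificates` must already be typed `X509Certificate[]` and `.filter(cert -> cert instanceof X509Certificate)` can only ever drop `null` elements; if that is the intent, `.filter(Objects::nonNull)` (with `java.util.Objects` imported) says so, otherwise the filter is dead code. The field declaration is outside this hunk; if `_certificates` can still be unset when `doActivate()` calls `initializeExpiryChecking()` before `updateTrustManagers()` has populated it, `Arrays.stream(_certificates)` would throw, so `if (expiryWarning > 0 && _certificates != null)` is cheap insurance. The `validateChange` override above the new method is unchanged in behaviour apart from delegating the name check to the base class.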
private void validateTrustStoreAttributes(NonJavaTrustStore<?> keyStore)
@@ -276,29 +226,4 @@ public class NonJavaTrustStoreImpl
}
return url;
}
-
-
- @Override
- public boolean isExposedAsMessageSource()
- {
- return _exposedAsMessageSource;
- }
-
- @Override
- public List<VirtualHostNode<?>> getIncludedVirtualHostNodeMessageSources()
- {
- return _includedVirtualHostNodeMessageSources;
- }
-
- @Override
- public List<VirtualHostNode<?>> getExcludedVirtualHostNodeMessageSources()
- {
- return _excludedVirtualHostNodeMessageSources;
- }
-
- @Override
- protected void logOperation(final String operation)
- {
- _broker.getEventLogger().message(TrustStoreMessages.OPERATION(operation));
- }
}
http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/f218a1dd/broker-core/src/main/java/org/apache/qpid/server/security/SiteSpecificTrustStoreImpl.java
----------------------------------------------------------------------
diff --git a/broker-core/src/main/java/org/apache/qpid/server/security/SiteSpecificTrustStoreImpl.java b/broker-core/src/main/java/org/apache/qpid/server/security/SiteSpecificTrustStoreImpl.java
index 891403b..bb93101 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/security/SiteSpecificTrustStoreImpl.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/security/SiteSpecificTrustStoreImpl.java
@@ -31,9 +31,8 @@ import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-import java.util.Collection;
import java.util.Collections;
+import java.util.Date;
import java.util.List;
import java.util.Map;
import java.util.concurrent.Callable;
@@ -58,41 +57,23 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.apache.qpid.server.configuration.IllegalConfigurationException;
-import org.apache.qpid.server.logging.EventLogger;
-import org.apache.qpid.server.logging.messages.TrustStoreMessages;
-import org.apache.qpid.server.model.AbstractConfiguredObject;
-import org.apache.qpid.server.model.AuthenticationProvider;
import org.apache.qpid.server.model.Broker;
-import org.apache.qpid.server.model.IntegrityViolationException;
import org.apache.qpid.server.model.ManagedAttributeField;
import org.apache.qpid.server.model.ManagedObject;
import org.apache.qpid.server.model.ManagedObjectFactoryConstructor;
-import org.apache.qpid.server.model.Port;
import org.apache.qpid.server.model.State;
import org.apache.qpid.server.model.StateTransition;
-import org.apache.qpid.server.model.TrustStore;
-import org.apache.qpid.server.model.VirtualHostNode;
-import org.apache.qpid.server.security.auth.manager.SimpleLDAPAuthenticationManager;
import org.apache.qpid.server.transport.network.security.ssl.SSLUtil;
import org.apache.qpid.server.util.Strings;
@ManagedObject( category = false )
public class SiteSpecificTrustStoreImpl
- extends AbstractConfiguredObject<SiteSpecificTrustStoreImpl> implements SiteSpecificTrustStore<SiteSpecificTrustStoreImpl>
+ extends AbstractTrustStore<SiteSpecificTrustStoreImpl> implements SiteSpecificTrustStore<SiteSpecificTrustStoreImpl>
{
private static final Logger LOGGER = LoggerFactory.getLogger(SiteSpecificTrustStoreImpl.class);
- private final Broker<?> _broker;
- private final EventLogger _eventLogger;
-
@ManagedAttributeField
private String _siteUrl;
- @ManagedAttributeField
- private boolean _exposedAsMessageSource;
- @ManagedAttributeField
- private List<VirtualHostNode<?>> _includedVirtualHostNodeMessageSources;
- @ManagedAttributeField
- private List<VirtualHostNode<?>> _excludedVirtualHostNodeMessageSources;
private volatile TrustManager[] _trustManagers = new TrustManager[0];
@@ -103,10 +84,7 @@ public class SiteSpecificTrustStoreImpl
@ManagedObjectFactoryConstructor
public SiteSpecificTrustStoreImpl(final Map<String, Object> attributes, Broker<?> broker)
{
- super(broker, attributes);
- _broker = broker;
- _eventLogger = _broker.getEventLogger();
- _eventLogger.message(TrustStoreMessages.CREATE(getName()));
+ super(attributes, broker);
}
@Override
@@ -189,54 +167,14 @@ public class SiteSpecificTrustStoreImpl
@StateTransition(currentState = {State.ACTIVE, State.ERRORED}, desiredState = State.DELETED)
protected ListenableFuture<Void> doDelete()
{
- // verify that it is not in use
- String storeName = getName();
-
- Collection<Port<?>> ports = new ArrayList<>(_broker.getPorts());
- for (Port port : ports)
- {
- Collection<TrustStore> trustStores = port.getTrustStores();
- if(trustStores != null)
- {
- for (TrustStore store : trustStores)
- {
- if(storeName.equals(store.getAttribute(TrustStore.NAME)))
- {
- throw new IntegrityViolationException("Trust store '"
- + storeName
- + "' can't be deleted as it is in use by a port: "
- + port.getName());
- }
- }
- }
- }
-
- Collection<AuthenticationProvider> authenticationProviders = new ArrayList<AuthenticationProvider>(_broker.getAuthenticationProviders());
- for (AuthenticationProvider authProvider : authenticationProviders)
- {
- if(authProvider.getAttributeNames().contains(SimpleLDAPAuthenticationManager.TRUST_STORE))
- {
- Object attributeType = authProvider.getAttribute(AuthenticationProvider.TYPE);
- Object attributeValue = authProvider.getAttribute(SimpleLDAPAuthenticationManager.TRUST_STORE);
- if (SimpleLDAPAuthenticationManager.PROVIDER_TYPE.equals(attributeType)
- && storeName.equals(attributeValue))
- {
- throw new IntegrityViolationException("Trust store '"
- + storeName
- + "' can't be deleted as it is in use by an authentication manager: "
- + authProvider.getName());
- }
- }
- }
- deleted();
- setState(State.DELETED);
- _eventLogger.message(TrustStoreMessages.DELETE(getName()));
- return Futures.immediateFuture(null);
+ return deleteIfNotInUse();
}
@StateTransition(currentState = {State.UNINITIALIZED, State.ERRORED}, desiredState = State.ACTIVE)
protected ListenableFuture<Void> doActivate()
{
+ initializeExpiryChecking();
+
final SettableFuture<Void> result = SettableFuture.create();
if(_x509Certificate == null)
{
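Review bot: `initializeExpiryChecking()` is now the first statement of `doActivate()`, before the `if(_x509Certificate == null)` branch that handles a store whose certificate has not been fetched yet, so whatever the base class schedules is armed even on the path where activation may still fail or end in ERRORED. If the expiry task is a periodic job, consider moving the call to the point where the certificate is known to be present (the success path of this method), or at least document the choice: `// expiry checking is armed before the certificate is fetched; checkCertificateExpiry must tolerate a null _x509Certificate`. The remainder of `doActivate()` continues outside the hunk.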
@@ -386,24 +324,6 @@ public class SiteSpecificTrustStoreImpl
}
@Override
- public boolean isExposedAsMessageSource()
- {
- return _exposedAsMessageSource;
- }
-
- @Override
- public List<VirtualHostNode<?>> getIncludedVirtualHostNodeMessageSources()
- {
- return _includedVirtualHostNodeMessageSources;
- }
-
- @Override
- public List<VirtualHostNode<?>> getExcludedVirtualHostNodeMessageSources()
- {
- return _excludedVirtualHostNodeMessageSources;
- }
-
- @Override
public List<CertificateDetails> getCertificateDetails()
{
return Collections.singletonList(new CertificateDetailsImpl(_x509Certificate));
@@ -428,9 +348,16 @@ public class SiteSpecificTrustStoreImpl
}
@Override
- protected void logOperation(final String operation)
+ protected void checkCertificateExpiry()
{
- _broker.getEventLogger().message(TrustStoreMessages.OPERATION(operation));
+ int expiryWarning = getCertificateExpiryWarnPeriod();
+ if(expiryWarning > 0)
+ {
+ long currentTime = System.currentTimeMillis();
+ Date expiryTestDate = new Date(currentTime + (ONE_DAY * (long) expiryWarning));
+
+ checkCertificateExpiry(currentTime, expiryTestDate, _x509Certificate);
+ }
}
private static class AlwaysTrustManager implements X509TrustManager
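Review bot: `checkCertificateExpiry(currentTime, expiryTestDate, _x509Certificate)` passes the field with no null check, yet `doActivate()` in this same file calls `initializeExpiryChecking()` before the `if(_x509Certificate == null)` branch, so the store can be activated before its certificate exists. Unless the inherited three-argument helper tolerates a null certificate (AbstractTrustStore is outside this view), the first scheduled check on a not-yet-populated store will throw a NullPointerException from a background task. Reading the field once into a local and guarding, `X509Certificate cert = _x509Certificate; if (expiryWarning > 0 && cert != null) { ... }`, also avoids racing a concurrent refresh between the check and the call. `AlwaysTrustManager` on the last line continues outside the hunk.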