Posted to commits@qpid.apache.org by or...@apache.org on 2020/09/12 21:30:41 UTC

[qpid-broker-j] 08/17: QPID-8455: [Broker-J] Add allow/deny list alternatives for existing black/whilte list attributes and context variables

This is an automated email from the ASF dual-hosted git repository.

orudyy pushed a commit to branch 8.0.x
in repository https://gitbox.apache.org/repos/asf/qpid-broker-j.git

commit 5b219da33c8592fa4ee485070ffddf4c9eae34e2
Author: Alex Rudyy <or...@apache.org>
AuthorDate: Wed Sep 2 17:11:55 2020 +0100

    QPID-8455: [Broker-J] Add allow/deny list alternatives for existing black/white list attributes and context variables
    
    (cherry picked from commit ec885c06e367739e5741d15d12ea6124c30e199d)
---
 .../server/configuration/CommonProperties.java     |  5 ++
 .../server/model/AbstractConfiguredObject.java     | 15 ++++
 .../java/org/apache/qpid/server/model/Port.java    | 17 ++++
 .../qpid/server/model/port/AbstractPort.java       | 32 +++++++-
 .../manager/SimpleLDAPAuthenticationManager.java   | 16 ++++
 .../SimpleLDAPAuthenticationManagerImpl.java       | 32 +++++++-
 .../oauth2/OAuth2AuthenticationProvider.java       | 18 +++++
 .../oauth2/OAuth2AuthenticationProviderImpl.java   | 32 +++++++-
 ...oudFoundryDashboardManagementGroupProvider.java | 14 ++++
 ...oundryDashboardManagementGroupProviderImpl.java | 37 ++++++++-
 .../apache/qpid/server/util/ConnectionBuilder.java | 24 ++++++
 .../qpid/server/model/port/AmqpPortImplTest.java   | 87 +++++++++++++++++++++
 .../SimpleLDAPAuthenticationManagerTest.java       | 69 ++++++++++++++++
 .../OAuth2AuthenticationProviderImplTest.java      | 91 +++++++++++++++++++---
 .../qpid/systests/admin/SpawnBrokerAdmin.java      | 26 ++++---
 .../qpid/systests/admin/SpawnBrokerAdminTest.java  | 16 +++-
 16 files changed, 490 insertions(+), 41 deletions(-)

diff --git a/broker-core/src/main/java/org/apache/qpid/server/configuration/CommonProperties.java b/broker-core/src/main/java/org/apache/qpid/server/configuration/CommonProperties.java
index 600f985..171d897 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/configuration/CommonProperties.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/configuration/CommonProperties.java
@@ -64,6 +64,11 @@ public class CommonProperties
     public static final String QPID_SECURITY_TLS_CIPHER_SUITE_BLACK_LIST = "qpid.security.tls.cipherSuiteBlackList";
     public static final String QPID_SECURITY_TLS_CIPHER_SUITE_BLACK_LIST_DEFAULT = "";
 
+    public static final String QPID_SECURITY_TLS_PROTOCOL_ALLOW_LIST = "qpid.security.tls.protocolAllowList";
+    public static final String QPID_SECURITY_TLS_PROTOCOL_DENY_LIST = "qpid.security.tls.protocolDenyList";
+    public static final String QPID_SECURITY_TLS_CIPHER_SUITE_ALLOW_LIST = "qpid.security.tls.cipherSuiteAllowList";
+    public static final String QPID_SECURITY_TLS_CIPHER_SUITE_DENY_LIST = "qpid.security.tls.cipherSuiteDenyList";
+
     private static final String MANIFEST_HEADER_IMPLEMENTATION_BUILD = "Implementation-Build";
 
     /** Defines the name of the version suffix property. */
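Review bot: The four new `*_ALLOW_LIST`/`*_DENY_LIST` constants carry no comment relating them to the `*_WHITE_LIST`/`*_BLACK_LIST` names directly above, even though these strings are what operators put into the broker context. A one-line comment such as `// Preferred names for the TLS protocol/cipher-suite lists; the *_WHITE_LIST/*_BLACK_LIST names above remain as fallbacks` would make the pairing explicit. Unlike the existing `QPID_SECURITY_TLS_CIPHER_SUITE_BLACK_LIST_DEFAULT`, no `_DEFAULT` constants are added for the new names; that looks deliberate, since a default registered under the new name would presumably shadow the legacy fallback, and is worth a comment saying so.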
diff --git a/broker-core/src/main/java/org/apache/qpid/server/model/AbstractConfiguredObject.java b/broker-core/src/main/java/org/apache/qpid/server/model/AbstractConfiguredObject.java
index 267356c..38d7135 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/model/AbstractConfiguredObject.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/model/AbstractConfiguredObject.java
@@ -3498,6 +3498,21 @@ public abstract class AbstractConfiguredObject<X extends ConfiguredObject<X>> im
         return converter.convert("${" + propertyName + "}", this);
     }
 
+    protected <T> T getContextValue(final Class<T> clazz, final Type type, final String propertyName, final String fallbackName)
+    {
+        final Set<String> keys = getContextKeys(false);
+        String name;
+        if (keys.contains(propertyName))
+        {
+            name = propertyName;
+        }
+        else
+        {
+            name = fallbackName;
+        }
+        return getContextValue(clazz, type, name);
+    }
+
     @Override
     public Set<String> getContextKeys(final boolean excludeSystem)
     {
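Review bot: The new `getContextValue(Class, Type, String, String)` overload has no Javadoc, and its precedence rule is subtle: `propertyName` wins whenever it appears in `getContextKeys(false)`, which, judging by the `excludeSystem` parameter name, includes system-level keys, so a default registered under any of the new `*_ALLOW_LIST`/`*_DENY_LIST` names anywhere up the hierarchy would make `fallbackName` unreachable — worth confirming that no such default exists. Suggested Javadoc: `/** Returns the context value for {@code propertyName} when that key is set anywhere in the context (system keys included), otherwise the value for {@code fallbackName}. */`. The two-branch assignment can also collapse to `final String name = keys.contains(propertyName) ? propertyName : fallbackName;`.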
diff --git a/broker-core/src/main/java/org/apache/qpid/server/model/Port.java b/broker-core/src/main/java/org/apache/qpid/server/model/Port.java
index 510d4d5..a5aac32 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/model/Port.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/model/Port.java
@@ -90,18 +90,35 @@ public interface Port<X extends Port<X>> extends ConfiguredObject<X>
     @ManagedAttribute
     Collection<TrustStore> getTrustStores();
 
+    @Deprecated
     @DerivedAttribute
     List<String> getTlsProtocolWhiteList();
 
+    @Deprecated
     @DerivedAttribute
     List<String> getTlsProtocolBlackList();
 
+    @Deprecated
     @DerivedAttribute
     List<String> getTlsCipherSuiteWhiteList();
 
+    @Deprecated
     @DerivedAttribute
     List<String> getTlsCipherSuiteBlackList();
 
+    @DerivedAttribute
+    List<String> getTlsProtocolAllowList();
+
+    @DerivedAttribute
+    List<String> getTlsProtocolDenyList();
+
+    @DerivedAttribute
+    List<String> getTlsCipherSuiteAllowList();
+
+    @DerivedAttribute
+    List<String> getTlsCipherSuiteDenyList();
+
+
     @ManagedAttribute(defaultValue = "*",
                       description = "The network interface this port binds to expressed as an IP address or a"
                                     + "hostname.  If null or * then bind to all interfaces.")
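Review bot: The `@Deprecated` annotations added to the four `*WhiteList`/`*BlackList` getters carry no `@deprecated` Javadoc naming the replacement, so callers get a compiler warning with nothing pointing them at `getTlsProtocolAllowList()` and siblings; the same applies to SimpleLDAPAuthenticationManager, OAuth2AuthenticationProvider, CloudFoundryDashboardManagementGroupProvider and to the setters in ConnectionBuilder. For each one add e.g. `/** @deprecated use {@link #getTlsProtocolAllowList()} instead. */`. The doubled blank line after `getTlsCipherSuiteDenyList()` could also be dropped.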
diff --git a/broker-core/src/main/java/org/apache/qpid/server/model/port/AbstractPort.java b/broker-core/src/main/java/org/apache/qpid/server/model/port/AbstractPort.java
index a5fb3d2..f8d0b05 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/model/port/AbstractPort.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/model/port/AbstractPort.java
@@ -109,10 +109,10 @@ public abstract class AbstractPort<X extends AbstractPort<X>> extends AbstractCo
     protected void onOpen()
     {
         super.onOpen();
-        _tlsProtocolWhiteList = getContextValue(List.class, ParameterizedTypes.LIST_OF_STRINGS, CommonProperties.QPID_SECURITY_TLS_PROTOCOL_WHITE_LIST);
-        _tlsProtocolBlackList = getContextValue(List.class, ParameterizedTypes.LIST_OF_STRINGS, CommonProperties.QPID_SECURITY_TLS_PROTOCOL_BLACK_LIST);
-        _tlsCipherSuiteWhiteList = getContextValue(List.class, ParameterizedTypes.LIST_OF_STRINGS, CommonProperties.QPID_SECURITY_TLS_CIPHER_SUITE_WHITE_LIST);
-        _tlsCipherSuiteBlackList = getContextValue(List.class, ParameterizedTypes.LIST_OF_STRINGS, CommonProperties.QPID_SECURITY_TLS_CIPHER_SUITE_BLACK_LIST);
+        _tlsProtocolWhiteList = getContextValue(List.class, ParameterizedTypes.LIST_OF_STRINGS, CommonProperties.QPID_SECURITY_TLS_PROTOCOL_ALLOW_LIST, CommonProperties.QPID_SECURITY_TLS_PROTOCOL_WHITE_LIST);
+        _tlsProtocolBlackList = getContextValue(List.class, ParameterizedTypes.LIST_OF_STRINGS, CommonProperties.QPID_SECURITY_TLS_PROTOCOL_DENY_LIST, CommonProperties.QPID_SECURITY_TLS_PROTOCOL_BLACK_LIST);
+        _tlsCipherSuiteWhiteList = getContextValue(List.class, ParameterizedTypes.LIST_OF_STRINGS, CommonProperties.QPID_SECURITY_TLS_CIPHER_SUITE_ALLOW_LIST, CommonProperties.QPID_SECURITY_TLS_CIPHER_SUITE_WHITE_LIST);
+        _tlsCipherSuiteBlackList = getContextValue(List.class, ParameterizedTypes.LIST_OF_STRINGS, CommonProperties.QPID_SECURITY_TLS_CIPHER_SUITE_DENY_LIST, CommonProperties.QPID_SECURITY_TLS_CIPHER_SUITE_BLACK_LIST);
     }
 
     @Override
@@ -447,6 +447,30 @@ public abstract class AbstractPort<X extends AbstractPort<X>> extends AbstractCo
     }
 
     @Override
+    public List<String> getTlsProtocolAllowList()
+    {
+        return getTlsProtocolWhiteList();
+    }
+
+    @Override
+    public List<String> getTlsProtocolDenyList()
+    {
+        return getTlsProtocolBlackList();
+    }
+
+    @Override
+    public List<String> getTlsCipherSuiteAllowList()
+    {
+        return getTlsCipherSuiteWhiteList();
+    }
+
+    @Override
+    public List<String> getTlsCipherSuiteDenyList()
+    {
+        return getTlsCipherSuiteBlackList();
+    }
+
+    @Override
     public KeyStore getKeyStore()
     {
         return _keyStore;
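Review bot: The new `getTlsProtocolAllowList()` and its three siblings delegate to the deprecated `*WhiteList`/`*BlackList` getters rather than the reverse, so removing the deprecated API later means moving the field reads into the new methods; the same shape is repeated in SimpleLDAPAuthenticationManagerImpl, OAuth2AuthenticationProviderImpl, CloudFoundryDashboardManagementGroupProviderImpl and in ConnectionBuilder's new setters. Inverting the delegation now — `return _tlsProtocolWhiteList;` in `getTlsProtocolAllowList()` and `return getTlsProtocolAllowList();` in the deprecated getter — keeps the deprecated methods as thin shims that can be deleted without touching the live code path. Both directions give the same result today, so this is a maintainability point only; the deprecated getter bodies sit outside this hunk.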
diff --git a/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManager.java b/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManager.java
index fe650f7..8c0e0f7 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManager.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManager.java
@@ -104,16 +104,32 @@ public interface SimpleLDAPAuthenticationManager<X extends SimpleLDAPAuthenticat
             defaultValue = LOGIN_CONFIG_SCOPE_DEFAULT)
     String getLoginConfigScope();
 
+    @Deprecated
     @DerivedAttribute
     List<String> getTlsProtocolWhiteList();
 
+    @Deprecated
     @DerivedAttribute
     List<String> getTlsProtocolBlackList();
 
+    @Deprecated
     @DerivedAttribute
     List<String> getTlsCipherSuiteWhiteList();
 
+    @Deprecated
     @DerivedAttribute
     List<String> getTlsCipherSuiteBlackList();
 
+    @DerivedAttribute
+    List<String> getTlsProtocolAllowList();
+
+    @DerivedAttribute
+    List<String> getTlsProtocolDenyList();
+
+    @DerivedAttribute
+    List<String> getTlsCipherSuiteAllowList();
+
+    @DerivedAttribute
+    List<String> getTlsCipherSuiteDenyList();
+
 }
diff --git a/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerImpl.java b/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerImpl.java
index 46846a5..19cc388 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerImpl.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerImpl.java
@@ -189,10 +189,10 @@ public class SimpleLDAPAuthenticationManagerImpl
     {
         super.onOpen();
 
-        _tlsProtocolWhiteList = getContextValue(List.class, ParameterizedTypes.LIST_OF_STRINGS, CommonProperties.QPID_SECURITY_TLS_PROTOCOL_WHITE_LIST);
-        _tlsProtocolBlackList = getContextValue(List.class, ParameterizedTypes.LIST_OF_STRINGS, CommonProperties.QPID_SECURITY_TLS_PROTOCOL_BLACK_LIST);
-        _tlsCipherSuiteWhiteList = getContextValue(List.class, ParameterizedTypes.LIST_OF_STRINGS, CommonProperties.QPID_SECURITY_TLS_CIPHER_SUITE_WHITE_LIST);
-        _tlsCipherSuiteBlackList = getContextValue(List.class, ParameterizedTypes.LIST_OF_STRINGS, CommonProperties.QPID_SECURITY_TLS_CIPHER_SUITE_BLACK_LIST);
+        _tlsProtocolWhiteList = getContextValue(List.class, ParameterizedTypes.LIST_OF_STRINGS, CommonProperties.QPID_SECURITY_TLS_PROTOCOL_ALLOW_LIST, CommonProperties.QPID_SECURITY_TLS_PROTOCOL_WHITE_LIST);
+        _tlsProtocolBlackList = getContextValue(List.class, ParameterizedTypes.LIST_OF_STRINGS, CommonProperties.QPID_SECURITY_TLS_PROTOCOL_DENY_LIST, CommonProperties.QPID_SECURITY_TLS_PROTOCOL_BLACK_LIST);
+        _tlsCipherSuiteWhiteList = getContextValue(List.class, ParameterizedTypes.LIST_OF_STRINGS, CommonProperties.QPID_SECURITY_TLS_CIPHER_SUITE_ALLOW_LIST, CommonProperties.QPID_SECURITY_TLS_CIPHER_SUITE_WHITE_LIST);
+        _tlsCipherSuiteBlackList = getContextValue(List.class, ParameterizedTypes.LIST_OF_STRINGS, CommonProperties.QPID_SECURITY_TLS_CIPHER_SUITE_DENY_LIST, CommonProperties.QPID_SECURITY_TLS_CIPHER_SUITE_BLACK_LIST);
 
         Integer cacheMaxSize = getContextValue(Integer.class, AUTHENTICATION_CACHE_MAX_SIZE);
         Long cacheExpirationTime = getContextValue(Long.class, AUTHENTICATION_CACHE_EXPIRATION_TIME);
@@ -784,6 +784,30 @@ public class SimpleLDAPAuthenticationManagerImpl
         return _tlsCipherSuiteBlackList;
     }
 
+    @Override
+    public List<String> getTlsProtocolAllowList()
+    {
+        return getTlsProtocolWhiteList();
+    }
+
+    @Override
+    public List<String> getTlsProtocolDenyList()
+    {
+        return getTlsProtocolBlackList();
+    }
+
+    @Override
+    public List<String> getTlsCipherSuiteAllowList()
+    {
+        return getTlsCipherSuiteWhiteList();
+    }
+
+    @Override
+    public List<String> getTlsCipherSuiteDenyList()
+    {
+        return getTlsCipherSuiteBlackList();
+    }
+
     private void closeSafely(InitialDirContext ctx)
     {
         try
diff --git a/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProvider.java b/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProvider.java
index 9cbbcdf..1a9c95d 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProvider.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProvider.java
@@ -102,18 +102,36 @@ public interface OAuth2AuthenticationProvider<T extends OAuth2AuthenticationProv
     @DerivedAttribute( description = "Default OAuth access token scope passed to the authorization endpoint")
     String getDefaultScope();
 
+    @Deprecated
     @DerivedAttribute
     List<String> getTlsProtocolWhiteList();
 
+    @Deprecated
     @DerivedAttribute
     List<String> getTlsProtocolBlackList();
 
+    @Deprecated
     @DerivedAttribute
     List<String> getTlsCipherSuiteWhiteList();
 
+    @Deprecated
     @DerivedAttribute
     List<String> getTlsCipherSuiteBlackList();
 
+    @DerivedAttribute
+    List<String> getTlsProtocolAllowList();
+
+    @DerivedAttribute
+    List<String> getTlsProtocolDenyList();
+
+    @DerivedAttribute
+    List<String> getTlsCipherSuiteAllowList();
+
+    @DerivedAttribute
+    List<String> getTlsCipherSuiteDenyList();
+
+
+
     int getConnectTimeout();
 
     int getReadTimeout();
diff --git a/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProviderImpl.java b/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProviderImpl.java
index 6854bd5..583263c 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProviderImpl.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProviderImpl.java
@@ -130,10 +130,10 @@ public class OAuth2AuthenticationProviderImpl
         super.onOpen();
         String type = getIdentityResolverType();
         _identityResolverService = new QpidServiceLoader().getInstancesByType(OAuth2IdentityResolverService.class).get(type);
-        _tlsProtocolWhiteList = getContextValue(List.class, ParameterizedTypes.LIST_OF_STRINGS, CommonProperties.QPID_SECURITY_TLS_PROTOCOL_WHITE_LIST);
-        _tlsProtocolBlackList = getContextValue(List.class, ParameterizedTypes.LIST_OF_STRINGS, CommonProperties.QPID_SECURITY_TLS_PROTOCOL_BLACK_LIST);
-        _tlsCipherSuiteWhiteList = getContextValue(List.class, ParameterizedTypes.LIST_OF_STRINGS, CommonProperties.QPID_SECURITY_TLS_CIPHER_SUITE_WHITE_LIST);
-        _tlsCipherSuiteBlackList = getContextValue(List.class, ParameterizedTypes.LIST_OF_STRINGS, CommonProperties.QPID_SECURITY_TLS_CIPHER_SUITE_BLACK_LIST);
+        _tlsProtocolWhiteList = getContextValue(List.class, ParameterizedTypes.LIST_OF_STRINGS, CommonProperties.QPID_SECURITY_TLS_PROTOCOL_ALLOW_LIST, CommonProperties.QPID_SECURITY_TLS_PROTOCOL_WHITE_LIST);
+        _tlsProtocolBlackList = getContextValue(List.class, ParameterizedTypes.LIST_OF_STRINGS, CommonProperties.QPID_SECURITY_TLS_PROTOCOL_DENY_LIST, CommonProperties.QPID_SECURITY_TLS_PROTOCOL_BLACK_LIST);
+        _tlsCipherSuiteWhiteList = getContextValue(List.class, ParameterizedTypes.LIST_OF_STRINGS, CommonProperties.QPID_SECURITY_TLS_CIPHER_SUITE_ALLOW_LIST, CommonProperties.QPID_SECURITY_TLS_CIPHER_SUITE_WHITE_LIST);
+        _tlsCipherSuiteBlackList = getContextValue(List.class, ParameterizedTypes.LIST_OF_STRINGS, CommonProperties.QPID_SECURITY_TLS_CIPHER_SUITE_DENY_LIST, CommonProperties.QPID_SECURITY_TLS_CIPHER_SUITE_BLACK_LIST);
         _connectTimeout = getContextValue(Integer.class, AUTHENTICATION_OAUTH2_CONNECT_TIMEOUT);
         _readTimeout = getContextValue(Integer.class, AUTHENTICATION_OAUTH2_READ_TIMEOUT);
 
@@ -520,6 +520,30 @@ public class OAuth2AuthenticationProviderImpl
     }
 
     @Override
+    public List<String> getTlsProtocolAllowList()
+    {
+        return getTlsProtocolWhiteList();
+    }
+
+    @Override
+    public List<String> getTlsProtocolDenyList()
+    {
+        return getTlsProtocolBlackList();
+    }
+
+    @Override
+    public List<String> getTlsCipherSuiteAllowList()
+    {
+        return getTlsCipherSuiteWhiteList();
+    }
+
+    @Override
+    public List<String> getTlsCipherSuiteDenyList()
+    {
+        return getTlsCipherSuiteBlackList();
+    }
+
+    @Override
     public int getConnectTimeout()
     {
         return _connectTimeout;
diff --git a/broker-core/src/main/java/org/apache/qpid/server/security/group/cloudfoundry/CloudFoundryDashboardManagementGroupProvider.java b/broker-core/src/main/java/org/apache/qpid/server/security/group/cloudfoundry/CloudFoundryDashboardManagementGroupProvider.java
index fd1c5a0..2a7dd73 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/security/group/cloudfoundry/CloudFoundryDashboardManagementGroupProvider.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/security/group/cloudfoundry/CloudFoundryDashboardManagementGroupProvider.java
@@ -51,12 +51,26 @@ public interface CloudFoundryDashboardManagementGroupProvider<X extends CloudFou
     @ManagedAttribute( description = "A service instance id to qpid management group mapping. If the CloudFoundry endpoint grants a user permission to manage a service instance the user will be associated with the corresponding management group.", mandatory = true )
     Map<String, String> getServiceToManagementGroupMapping();
 
+    @Deprecated
     @DerivedAttribute
     List<String> getTlsProtocolWhiteList();
+    @Deprecated
     @DerivedAttribute
     List<String> getTlsProtocolBlackList();
+    @Deprecated
     @DerivedAttribute
     List<String> getTlsCipherSuiteWhiteList();
+    @Deprecated
     @DerivedAttribute
     List<String> getTlsCipherSuiteBlackList();
+
+    @DerivedAttribute
+    List<String> getTlsProtocolAllowList();
+    @DerivedAttribute
+    List<String> getTlsProtocolDenyList();
+    @DerivedAttribute
+    List<String> getTlsCipherSuiteAllowList();
+    @DerivedAttribute
+    List<String> getTlsCipherSuiteDenyList();
+
 }
diff --git a/broker-core/src/main/java/org/apache/qpid/server/security/group/cloudfoundry/CloudFoundryDashboardManagementGroupProviderImpl.java b/broker-core/src/main/java/org/apache/qpid/server/security/group/cloudfoundry/CloudFoundryDashboardManagementGroupProviderImpl.java
index 0e551d1..205ae46 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/security/group/cloudfoundry/CloudFoundryDashboardManagementGroupProviderImpl.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/security/group/cloudfoundry/CloudFoundryDashboardManagementGroupProviderImpl.java
@@ -21,8 +21,12 @@
 package org.apache.qpid.server.security.group.cloudfoundry;
 
 import static org.apache.qpid.server.configuration.CommonProperties.QPID_SECURITY_TLS_CIPHER_SUITE_BLACK_LIST;
+import static org.apache.qpid.server.configuration.CommonProperties.QPID_SECURITY_TLS_CIPHER_SUITE_DENY_LIST;
+import static org.apache.qpid.server.configuration.CommonProperties.QPID_SECURITY_TLS_CIPHER_SUITE_ALLOW_LIST;
 import static org.apache.qpid.server.configuration.CommonProperties.QPID_SECURITY_TLS_CIPHER_SUITE_WHITE_LIST;
 import static org.apache.qpid.server.configuration.CommonProperties.QPID_SECURITY_TLS_PROTOCOL_BLACK_LIST;
+import static org.apache.qpid.server.configuration.CommonProperties.QPID_SECURITY_TLS_PROTOCOL_DENY_LIST;
+import static org.apache.qpid.server.configuration.CommonProperties.QPID_SECURITY_TLS_PROTOCOL_ALLOW_LIST;
 import static org.apache.qpid.server.configuration.CommonProperties.QPID_SECURITY_TLS_PROTOCOL_WHITE_LIST;
 import static org.apache.qpid.server.util.ParameterizedTypes.LIST_OF_STRINGS;
 
@@ -104,10 +108,10 @@ public class CloudFoundryDashboardManagementGroupProviderImpl extends AbstractCo
     public void onOpen()
     {
         super.onOpen();
-        _tlsProtocolWhiteList = getContextValue(List.class, LIST_OF_STRINGS, QPID_SECURITY_TLS_PROTOCOL_WHITE_LIST);
-        _tlsProtocolBlackList = getContextValue(List.class, LIST_OF_STRINGS, QPID_SECURITY_TLS_PROTOCOL_BLACK_LIST);
-        _tlsCipherSuiteWhiteList = getContextValue(List.class, LIST_OF_STRINGS, QPID_SECURITY_TLS_CIPHER_SUITE_WHITE_LIST);
-        _tlsCipherSuiteBlackList = getContextValue(List.class, LIST_OF_STRINGS, QPID_SECURITY_TLS_CIPHER_SUITE_BLACK_LIST);
+        _tlsProtocolWhiteList = getContextValue(List.class, LIST_OF_STRINGS, QPID_SECURITY_TLS_PROTOCOL_ALLOW_LIST, QPID_SECURITY_TLS_PROTOCOL_WHITE_LIST);
+        _tlsProtocolBlackList = getContextValue(List.class, LIST_OF_STRINGS, QPID_SECURITY_TLS_PROTOCOL_DENY_LIST, QPID_SECURITY_TLS_PROTOCOL_BLACK_LIST);
+        _tlsCipherSuiteWhiteList = getContextValue(List.class, LIST_OF_STRINGS, QPID_SECURITY_TLS_CIPHER_SUITE_ALLOW_LIST, QPID_SECURITY_TLS_CIPHER_SUITE_WHITE_LIST);
+        _tlsCipherSuiteBlackList = getContextValue(List.class, LIST_OF_STRINGS, QPID_SECURITY_TLS_CIPHER_SUITE_DENY_LIST, QPID_SECURITY_TLS_CIPHER_SUITE_BLACK_LIST);
         _connectTimeout = getContextValue(Integer.class, QPID_GROUPPROVIDER_CLOUDFOUNDRY_CONNECT_TIMEOUT);
         _readTimeout = getContextValue(Integer.class, QPID_GROUPPROVIDER_CLOUDFOUNDRY_READ_TIMEOUT);
     }
@@ -311,4 +315,29 @@ public class CloudFoundryDashboardManagementGroupProviderImpl extends AbstractCo
         return _tlsCipherSuiteBlackList;
     }
 
+    @Override
+    public List<String> getTlsProtocolAllowList()
+    {
+        return getTlsProtocolWhiteList();
+    }
+
+    @Override
+    public List<String> getTlsProtocolDenyList()
+    {
+        return getTlsProtocolBlackList();
+    }
+
+    @Override
+    public List<String> getTlsCipherSuiteAllowList()
+    {
+        return getTlsCipherSuiteWhiteList();
+    }
+
+    @Override
+    public List<String> getTlsCipherSuiteDenyList()
+    {
+        return getTlsCipherSuiteBlackList();
+    }
+
+
 }
diff --git a/broker-core/src/main/java/org/apache/qpid/server/util/ConnectionBuilder.java b/broker-core/src/main/java/org/apache/qpid/server/util/ConnectionBuilder.java
index a418e76..f00d8d6 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/util/ConnectionBuilder.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/util/ConnectionBuilder.java
@@ -77,30 +77,54 @@ public class ConnectionBuilder
         return this;
     }
 
+    @Deprecated
     public ConnectionBuilder setTlsProtocolWhiteList(final List<String> tlsProtocolWhiteList)
     {
         _tlsProtocolWhiteList = tlsProtocolWhiteList;
         return this;
     }
 
+    @Deprecated
     public ConnectionBuilder setTlsProtocolBlackList(final List<String> tlsProtocolBlackList)
     {
         _tlsProtocolBlackList = tlsProtocolBlackList;
         return this;
     }
 
+    @Deprecated
     public ConnectionBuilder setTlsCipherSuiteWhiteList(final List<String> tlsCipherSuiteWhiteList)
     {
         _tlsCipherSuiteWhiteList = tlsCipherSuiteWhiteList;
         return this;
     }
 
+    @Deprecated
     public ConnectionBuilder setTlsCipherSuiteBlackList(final List<String> tlsCipherSuiteBlackList)
     {
         _tlsCipherSuiteBlackList = tlsCipherSuiteBlackList;
         return this;
     }
 
+    public ConnectionBuilder setTlsProtocolAllowList(final List<String> tlsProtocolAllowList)
+    {
+        return setTlsProtocolWhiteList(tlsProtocolAllowList);
+    }
+
+    public ConnectionBuilder setTlsProtocolDenyList(final List<String> tlsProtocolDenyList)
+    {
+        return setTlsProtocolBlackList(tlsProtocolDenyList);
+    }
+
+    public ConnectionBuilder setTlsCipherSuiteAllowList(final List<String> tlsCipherSuiteAllowList)
+    {
+        return setTlsCipherSuiteWhiteList(tlsCipherSuiteAllowList);
+    }
+
+    public ConnectionBuilder setTlsCipherSuiteDenyList(final List<String> tlsCipherSuiteDenyList)
+    {
+        return setTlsCipherSuiteBlackList(tlsCipherSuiteDenyList);
+    }
+
     public HttpURLConnection build() throws IOException
     {
         HttpURLConnection connection = (HttpURLConnection) _url.openConnection();
diff --git a/broker-core/src/test/java/org/apache/qpid/server/model/port/AmqpPortImplTest.java b/broker-core/src/test/java/org/apache/qpid/server/model/port/AmqpPortImplTest.java
index 4775334..21c0b8d 100644
--- a/broker-core/src/test/java/org/apache/qpid/server/model/port/AmqpPortImplTest.java
+++ b/broker-core/src/test/java/org/apache/qpid/server/model/port/AmqpPortImplTest.java
@@ -19,8 +19,11 @@
 
 package org.apache.qpid.server.model.port;
 
+import static org.hamcrest.CoreMatchers.equalTo;
+import static org.hamcrest.CoreMatchers.is;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertThat;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
 import static org.mockito.ArgumentMatchers.any;
@@ -37,6 +40,7 @@ import java.security.Principal;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
 import java.util.UUID;
 
@@ -44,6 +48,7 @@ import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
 
+import org.apache.qpid.server.configuration.CommonProperties;
 import org.apache.qpid.server.configuration.IllegalConfigurationException;
 import org.apache.qpid.server.configuration.updater.CurrentThreadTaskExecutor;
 import org.apache.qpid.server.configuration.updater.TaskExecutor;
@@ -327,6 +332,88 @@ public class AmqpPortImplTest extends UnitTestBase
         assertFalse(_port.canAcceptNewConnection(new InetSocketAddress("example.org", 0)));
     }
 
+    @Test
+    public void testTlProtocolsAndCypherSuitesUsingAllowDenyListContextVariable()
+    {
+        final Map<String, String> brokerContext = new HashMap<>();
+        brokerContext.put(CommonProperties.QPID_SECURITY_TLS_PROTOCOL_ALLOW_LIST, "[\"TLSv1.3\"]");
+        brokerContext.put(CommonProperties.QPID_SECURITY_TLS_PROTOCOL_DENY_LIST, "[\"Ssl.*\",\"TLSv1\",\"TLSv1.1\",\"TLSv1.2\"]");
+        brokerContext.put(CommonProperties.QPID_SECURITY_TLS_CIPHER_SUITE_ALLOW_LIST, "[\"(TLS|SSL)_AES_128_GCM_SHA256\", \"(TLS|SSL)_AES_256_GCM_SHA384\"]");
+        brokerContext.put(CommonProperties.QPID_SECURITY_TLS_CIPHER_SUITE_DENY_LIST, "[\".*CBC.*\"]");
+
+        when(_broker.getContext()).thenReturn(brokerContext);
+
+        _port = createPort(getTestName());
+        final List<String> expectedAllowedTlsProtocols = Collections.singletonList("TLSv1.3");
+        final List<String> expectedDeniedTlsProtocols = Arrays.asList("Ssl.*","TLSv1","TLSv1.1","TLSv1.2");
+        final List<String> expectedAllowedTlsCypherSuites = Arrays.asList("(TLS|SSL)_AES_128_GCM_SHA256", "(TLS|SSL)_AES_256_GCM_SHA384");
+        final List<String> expectedDeniedTlsCypherSuites = Collections.singletonList(".*CBC.*");
+        assertThat(_port.getTlsProtocolAllowList(), is(equalTo(expectedAllowedTlsProtocols)));
+        assertThat(_port.getTlsProtocolWhiteList(), is(equalTo(expectedAllowedTlsProtocols)));
+        assertThat(_port.getTlsProtocolDenyList(), is(equalTo(expectedDeniedTlsProtocols)));
+        assertThat(_port.getTlsProtocolBlackList(), is(equalTo(expectedDeniedTlsProtocols)));
+        assertThat(_port.getTlsCipherSuiteAllowList(), is(equalTo(expectedAllowedTlsCypherSuites)));
+        assertThat(_port.getTlsCipherSuiteWhiteList(), is(equalTo(expectedAllowedTlsCypherSuites)));
+        assertThat(_port.getTlsCipherSuiteDenyList(), is(equalTo(expectedDeniedTlsCypherSuites)));
+        assertThat(_port.getTlsCipherSuiteBlackList(), is(equalTo(expectedDeniedTlsCypherSuites)));
+    }
+
+    @Test
+    public void testTlProtocolsAndCypherSuitesUsingWhiteBlackListContextVariable()
+    {
+        final Map<String, String> brokerContext = new HashMap<>();
+        brokerContext.put(CommonProperties.QPID_SECURITY_TLS_PROTOCOL_WHITE_LIST, "[\"TLSv1.3\"]");
+        brokerContext.put(CommonProperties.QPID_SECURITY_TLS_PROTOCOL_BLACK_LIST, "[\"Ssl.*\",\"TLSv1\",\"TLSv1.1\",\"TLSv1.2\"]");
+        brokerContext.put(CommonProperties.QPID_SECURITY_TLS_CIPHER_SUITE_WHITE_LIST, "[\"(TLS|SSL)_AES_128_GCM_SHA256\", \"(TLS|SSL)_AES_256_GCM_SHA384\"]");
+        brokerContext.put(CommonProperties.QPID_SECURITY_TLS_CIPHER_SUITE_BLACK_LIST, "[\".*CBC.*\"]");
+
+        when(_broker.getContext()).thenReturn(brokerContext);
+
+        _port = createPort(getTestName());
+        final List<String> expectedAllowedTlsProtocols = Collections.singletonList("TLSv1.3");
+        final List<String> expectedDeniedTlsProtocols = Arrays.asList("Ssl.*","TLSv1","TLSv1.1","TLSv1.2");
+        final List<String> expectedAllowedTlsCypherSuites = Arrays.asList("(TLS|SSL)_AES_128_GCM_SHA256", "(TLS|SSL)_AES_256_GCM_SHA384");
+        final List<String> expectedDeniedTlsCypherSuites = Collections.singletonList(".*CBC.*");
+        assertThat(_port.getTlsProtocolAllowList(), is(equalTo(expectedAllowedTlsProtocols)));
+        assertThat(_port.getTlsProtocolWhiteList(), is(equalTo(expectedAllowedTlsProtocols)));
+        assertThat(_port.getTlsProtocolDenyList(), is(equalTo(expectedDeniedTlsProtocols)));
+        assertThat(_port.getTlsProtocolBlackList(), is(equalTo(expectedDeniedTlsProtocols)));
+        assertThat(_port.getTlsCipherSuiteAllowList(), is(equalTo(expectedAllowedTlsCypherSuites)));
+        assertThat(_port.getTlsCipherSuiteWhiteList(), is(equalTo(expectedAllowedTlsCypherSuites)));
+        assertThat(_port.getTlsCipherSuiteDenyList(), is(equalTo(expectedDeniedTlsCypherSuites)));
+        assertThat(_port.getTlsCipherSuiteBlackList(), is(equalTo(expectedDeniedTlsCypherSuites)));
+    }
+
+    @Test
+    public void testTlProtocolsAndCypherSuitesUsingAllowDenyAndWhiteBlackListContextVariable()
+    {
+        final Map<String, String> brokerContext = new HashMap<>();
+        brokerContext.put(CommonProperties.QPID_SECURITY_TLS_PROTOCOL_ALLOW_LIST, "[\"TLSv1.3\"]");
+        brokerContext.put(CommonProperties.QPID_SECURITY_TLS_PROTOCOL_DENY_LIST, "[\"Ssl.*\",\"TLSv1\",\"TLSv1.1\",\"TLSv1.2\"]");
+        brokerContext.put(CommonProperties.QPID_SECURITY_TLS_CIPHER_SUITE_ALLOW_LIST, "[\"(TLS|SSL)_AES_128_GCM_SHA256\", \"(TLS|SSL)_AES_256_GCM_SHA384\"]");
+        brokerContext.put(CommonProperties.QPID_SECURITY_TLS_CIPHER_SUITE_DENY_LIST, "[\".*CBC.*\"]");
+        brokerContext.put(CommonProperties.QPID_SECURITY_TLS_PROTOCOL_WHITE_LIST, "[\"TLSv1.2\"]");
+        brokerContext.put(CommonProperties.QPID_SECURITY_TLS_PROTOCOL_BLACK_LIST, "[\"Ssl.*\",\"TLSv1\",\"TLSv1.1\",\"TLSv1.3\"]");
+        brokerContext.put(CommonProperties.QPID_SECURITY_TLS_CIPHER_SUITE_WHITE_LIST, "[\".*CBC.*\"]");
+        brokerContext.put(CommonProperties.QPID_SECURITY_TLS_CIPHER_SUITE_BLACK_LIST, "[\".*GCM.*\"]");
+
+        when(_broker.getContext()).thenReturn(brokerContext);
+
+        _port = createPort(getTestName());
+        final List<String> expectedAllowedTlsProtocols = Collections.singletonList("TLSv1.3");
+        final List<String> expectedDeniedTlsProtocols = Arrays.asList("Ssl.*","TLSv1","TLSv1.1","TLSv1.2");
+        final List<String> expectedAllowedTlsCypherSuites = Arrays.asList("(TLS|SSL)_AES_128_GCM_SHA256", "(TLS|SSL)_AES_256_GCM_SHA384");
+        final List<String> expectedDeniedTlsCypherSuites = Collections.singletonList(".*CBC.*");
+        assertThat(_port.getTlsProtocolAllowList(), is(equalTo(expectedAllowedTlsProtocols)));
+        assertThat(_port.getTlsProtocolWhiteList(), is(equalTo(expectedAllowedTlsProtocols)));
+        assertThat(_port.getTlsProtocolDenyList(), is(equalTo(expectedDeniedTlsProtocols)));
+        assertThat(_port.getTlsProtocolBlackList(), is(equalTo(expectedDeniedTlsProtocols)));
+        assertThat(_port.getTlsCipherSuiteAllowList(), is(equalTo(expectedAllowedTlsCypherSuites)));
+        assertThat(_port.getTlsCipherSuiteWhiteList(), is(equalTo(expectedAllowedTlsCypherSuites)));
+        assertThat(_port.getTlsCipherSuiteDenyList(), is(equalTo(expectedDeniedTlsCypherSuites)));
+        assertThat(_port.getTlsCipherSuiteBlackList(), is(equalTo(expectedDeniedTlsCypherSuites)));
+    }
+
     private AmqpPortImpl createPort(final String portName)
     {
         return createPort(portName, Collections.emptyMap());
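Review bot: The three new tests repeat the same four expected-value declarations and the same eight `assertThat` calls verbatim; a private helper such as `assertTlsLists(port, protocolsAllowed, protocolsDenied, suitesAllowed, suitesDenied)` would reduce each test to its context setup and make it obvious that only the third test changes the inputs. The method names misspell `Tls` as `Tl` and `Cipher` as `Cypher` (`testTlProtocolsAndCypherSuites…`), which is inconsistent with the `getTlsCipherSuite*` accessors they exercise. The third test is the one that actually pins allow/deny-over-white/black precedence, so a comment stating that intent, e.g. `// allow/deny variables take precedence over the legacy white/black ones when both are set`, would help a reader who has not seen the fallback logic in AbstractConfiguredObject.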
diff --git a/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerTest.java b/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerTest.java
index ed33947..17e6eb8 100644
--- a/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerTest.java
+++ b/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerTest.java
@@ -20,9 +20,12 @@ package org.apache.qpid.server.security.auth.manager;
 
 import static java.nio.charset.StandardCharsets.UTF_8;
 import static org.apache.qpid.server.security.auth.manager.CachingAuthenticationProvider.AUTHENTICATION_CACHE_MAX_SIZE;
+import static org.hamcrest.CoreMatchers.equalTo;
+import static org.hamcrest.CoreMatchers.is;
 import static org.hamcrest.CoreMatchers.not;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertThat;
 import static org.junit.Assert.fail;
 import static org.junit.Assume.assumeThat;
 import static org.mockito.Mockito.mock;
@@ -36,6 +39,7 @@ import java.nio.file.Path;
 import java.security.Principal;
 import java.security.PrivilegedAction;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
@@ -80,6 +84,7 @@ import org.junit.Test;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import org.apache.qpid.server.configuration.CommonProperties;
 import org.apache.qpid.server.configuration.IllegalConfigurationException;
 import org.apache.qpid.server.model.Broker;
 import org.apache.qpid.server.model.BrokerTestHelper;
@@ -330,6 +335,70 @@ public class SimpleLDAPAuthenticationManagerTest extends UnitTestBase
         assertEquals(USER_1_DN, result.getMainPrincipal().getName());
     }
 
+    @Test
+    public void testTlProtocolsAndCypherSuitesUsingAllowDenyListContextVariable()
+    {
+        if (_authenticationProvider != null)
+        {
+            _authenticationProvider.close();
+        }
+
+        final Map<String, String> context = new HashMap<>();
+        context.put(CommonProperties.QPID_SECURITY_TLS_PROTOCOL_ALLOW_LIST, "[\"TLSv1.3\"]");
+        context.put(CommonProperties.QPID_SECURITY_TLS_PROTOCOL_DENY_LIST, "[\"Ssl.*\",\"TLSv1\",\"TLSv1.1\",\"TLSv1.2\"]");
+        context.put(CommonProperties.QPID_SECURITY_TLS_CIPHER_SUITE_ALLOW_LIST, "[\"(TLS|SSL)_AES_128_GCM_SHA256\", \"(TLS|SSL)_AES_256_GCM_SHA384\"]");
+        context.put(CommonProperties.QPID_SECURITY_TLS_CIPHER_SUITE_DENY_LIST, "[\".*CBC.*\"]");
+
+        final Map<String, Object> attributes =
+                Collections.singletonMap(SimpleLDAPAuthenticationManager.CONTEXT, context);
+        _authenticationProvider = createAuthenticationProvider(attributes);
+
+        final List<String> expectedAllowedTlsProtocols = Collections.singletonList("TLSv1.3");
+        final List<String> expectedDeniedTlsProtocols = Arrays.asList("Ssl.*", "TLSv1", "TLSv1.1", "TLSv1.2");
+        final List<String> expectedAllowedTlsCypherSuites = Arrays.asList("(TLS|SSL)_AES_128_GCM_SHA256", "(TLS|SSL)_AES_256_GCM_SHA384");
+        final List<String> expectedDeniedTlsCypherSuites = Collections.singletonList(".*CBC.*");
+        assertThat(_authenticationProvider.getTlsProtocolAllowList(), is(equalTo(expectedAllowedTlsProtocols)));
+        assertThat(_authenticationProvider.getTlsProtocolWhiteList(), is(equalTo(expectedAllowedTlsProtocols)));
+        assertThat(_authenticationProvider.getTlsProtocolDenyList(), is(equalTo(expectedDeniedTlsProtocols)));
+        assertThat(_authenticationProvider.getTlsProtocolBlackList(), is(equalTo(expectedDeniedTlsProtocols)));
+        assertThat(_authenticationProvider.getTlsCipherSuiteAllowList(), is(equalTo(expectedAllowedTlsCypherSuites)));
+        assertThat(_authenticationProvider.getTlsCipherSuiteWhiteList(), is(equalTo(expectedAllowedTlsCypherSuites)));
+        assertThat(_authenticationProvider.getTlsCipherSuiteDenyList(), is(equalTo(expectedDeniedTlsCypherSuites)));
+        assertThat(_authenticationProvider.getTlsCipherSuiteBlackList(), is(equalTo(expectedDeniedTlsCypherSuites)));
+    }
+
+    @Test
+    public void testTlProtocolsAndCypherSuitesUsingBlackWhiteListContextVariable()
+    {
+        if (_authenticationProvider != null)
+        {
+            _authenticationProvider.close();
+        }
+
+        final Map<String, String> context = new HashMap<>();
+        context.put(CommonProperties.QPID_SECURITY_TLS_PROTOCOL_WHITE_LIST, "[\"TLSv1.3\"]");
+        context.put(CommonProperties.QPID_SECURITY_TLS_PROTOCOL_BLACK_LIST, "[\"Ssl.*\",\"TLSv1\",\"TLSv1.1\",\"TLSv1.2\"]");
+        context.put(CommonProperties.QPID_SECURITY_TLS_CIPHER_SUITE_WHITE_LIST, "[\"(TLS|SSL)_AES_128_GCM_SHA256\", \"(TLS|SSL)_AES_256_GCM_SHA384\"]");
+        context.put(CommonProperties.QPID_SECURITY_TLS_CIPHER_SUITE_BLACK_LIST, "[\".*CBC.*\"]");
+
+        final Map<String, Object> attributes =
+                Collections.singletonMap(SimpleLDAPAuthenticationManager.CONTEXT, context);
+        _authenticationProvider = createAuthenticationProvider(attributes);
+
+        final List<String> expectedAllowedTlsProtocols = Collections.singletonList("TLSv1.3");
+        final List<String> expectedDeniedTlsProtocols = Arrays.asList("Ssl.*", "TLSv1", "TLSv1.1", "TLSv1.2");
+        final List<String> expectedAllowedTlsCypherSuites = Arrays.asList("(TLS|SSL)_AES_128_GCM_SHA256", "(TLS|SSL)_AES_256_GCM_SHA384");
+        final List<String> expectedDeniedTlsCypherSuites = Collections.singletonList(".*CBC.*");
+        assertThat(_authenticationProvider.getTlsProtocolAllowList(), is(equalTo(expectedAllowedTlsProtocols)));
+        assertThat(_authenticationProvider.getTlsProtocolWhiteList(), is(equalTo(expectedAllowedTlsProtocols)));
+        assertThat(_authenticationProvider.getTlsProtocolDenyList(), is(equalTo(expectedDeniedTlsProtocols)));
+        assertThat(_authenticationProvider.getTlsProtocolBlackList(), is(equalTo(expectedDeniedTlsProtocols)));
+        assertThat(_authenticationProvider.getTlsCipherSuiteAllowList(), is(equalTo(expectedAllowedTlsCypherSuites)));
+        assertThat(_authenticationProvider.getTlsCipherSuiteWhiteList(), is(equalTo(expectedAllowedTlsCypherSuites)));
+        assertThat(_authenticationProvider.getTlsCipherSuiteDenyList(), is(equalTo(expectedDeniedTlsCypherSuites)));
+        assertThat(_authenticationProvider.getTlsCipherSuiteBlackList(), is(equalTo(expectedDeniedTlsCypherSuites)));
+    }
+
     private SimpleLDAPAuthenticationManagerImpl createAuthenticationProvider()
     {
         return createAuthenticationProvider(Collections.emptyMap());
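Review bot: Neither new test covers the case where a legacy and a new context variable are set together, e.g. `QPID_SECURITY_TLS_PROTOCOL_WHITE_LIST` alongside `QPID_SECURITY_TLS_PROTOCOL_ALLOW_LIST` with different values, which is exactly the state an operator is in mid-migration. Whichever value the implementation picks (presumably resolved outside this file), a third test should pin that precedence so a later change cannot silently widen the enabled protocol or cipher set. The method names also misspell the subject: `testTlProtocolsAndCypherSuitesUsingAllowDenyListContextVariable` should read `testTlsProtocolsAndCipherSuitesUsingAllowDenyListContextVariable`, matching the `getTlsCipherSuite…` accessors it asserts on; the same names appear in the OAuth2AuthenticationProviderImplTest hunk below.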
diff --git a/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProviderImplTest.java b/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProviderImplTest.java
index e52942b..19b101f 100644
--- a/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProviderImplTest.java
+++ b/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProviderImplTest.java
@@ -20,15 +20,20 @@
  */
 package org.apache.qpid.server.security.auth.manager.oauth2;
 
+import static org.hamcrest.CoreMatchers.equalTo;
+import static org.hamcrest.CoreMatchers.is;
 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertThat;
 import static org.junit.Assert.assertTrue;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Path;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
 
 import javax.net.ssl.HostnameVerifier;
@@ -43,6 +48,7 @@ import org.junit.Before;
 import org.junit.ClassRule;
 import org.junit.Test;
 
+import org.apache.qpid.server.configuration.CommonProperties;
 import org.apache.qpid.server.configuration.updater.CurrentThreadTaskExecutor;
 import org.apache.qpid.server.configuration.updater.TaskExecutor;
 import org.apache.qpid.server.model.Broker;
@@ -52,6 +58,7 @@ import org.apache.qpid.server.model.NamedAddressSpace;
 import org.apache.qpid.server.model.State;
 import org.apache.qpid.server.security.auth.AuthenticationResult;
 import org.apache.qpid.server.security.auth.manager.CachingAuthenticationProvider;
+import org.apache.qpid.server.security.auth.manager.SimpleLDAPAuthenticationManager;
 import org.apache.qpid.server.security.auth.manager.oauth2.cloudfoundry.CloudFoundryOAuth2IdentityResolverService;
 import org.apache.qpid.server.security.auth.sasl.SaslNegotiator;
 import org.apache.qpid.server.security.auth.sasl.oauth2.OAuth2Negotiator;
@@ -102,6 +109,20 @@ public class OAuth2AuthenticationProviderImplTest extends UnitTestBase
                                                TLS_RESOURCE.getKeyStoreType());
         _server.start();
 
+        _authProvider = createAuthenticationProvider(Collections.emptyMap());
+
+        assertEquals("Could not successfully open authProvider", State.ACTIVE, _authProvider.getState());
+
+        final TrustManager[] trustingTrustManager = new TrustManager[] {new TrustingTrustManager() };
+
+        final SSLContext sc = SSLContext.getInstance("SSL");
+        sc.init(null, trustingTrustManager, new java.security.SecureRandom());
+        HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
+        HttpsURLConnection.setDefaultHostnameVerifier(new BlindHostnameVerifier());
+    }
+
+    private OAuth2AuthenticationProvider<?> createAuthenticationProvider(Map<String, Object> attributes)
+    {
         Broker broker = BrokerTestHelper.createBrokerMock();
         TaskExecutor taskExecutor = CurrentThreadTaskExecutor.newStartedInstance();
         when(broker.getTaskExecutor()).thenReturn(taskExecutor);
@@ -134,18 +155,13 @@ public class OAuth2AuthenticationProviderImplTest extends UnitTestBase
                                                  TEST_POST_LOGOUT_PATH));
         authProviderAttributes.put("scope", TEST_SCOPE);
         authProviderAttributes.put("trustStore", TEST_TRUST_STORE_NAME);
+        authProviderAttributes.putAll(attributes);
 
         setTestSystemProperty(CachingAuthenticationProvider.AUTHENTICATION_CACHE_MAX_SIZE, "0");
-        _authProvider = new OAuth2AuthenticationProviderImpl(authProviderAttributes, broker);
-        _authProvider.open();
-        assertEquals("Could not successfully open authProvider", State.ACTIVE, _authProvider.getState());
-
-        final TrustManager[] trustingTrustManager = new TrustManager[] {new TrustingTrustManager() };
-
-        final SSLContext sc = SSLContext.getInstance("SSL");
-        sc.init(null, trustingTrustManager, new java.security.SecureRandom());
-        HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
-        HttpsURLConnection.setDefaultHostnameVerifier(new BlindHostnameVerifier());
+        final OAuth2AuthenticationProviderImpl authenticationProvider =
+                new OAuth2AuthenticationProviderImpl(authProviderAttributes, broker);
+        authenticationProvider.open();
+        return authenticationProvider;
     }
 
     @After
@@ -259,6 +275,61 @@ public class OAuth2AuthenticationProviderImplTest extends UnitTestBase
         assertFailure(authenticationResult, "invalid_token");
     }
 
+    @Test
+    public void testTlProtocolsAndCypherSuitesUsingAllowDenyListContextVariable()
+    {
+        final Map<String, String> context = new HashMap<>();
+        context.put(CommonProperties.QPID_SECURITY_TLS_PROTOCOL_ALLOW_LIST, "[\"TLSv1.3\"]");
+        context.put(CommonProperties.QPID_SECURITY_TLS_PROTOCOL_DENY_LIST, "[\"Ssl.*\",\"TLSv1\",\"TLSv1.1\",\"TLSv1.2\"]");
+        context.put(CommonProperties.QPID_SECURITY_TLS_CIPHER_SUITE_ALLOW_LIST, "[\"(TLS|SSL)_AES_128_GCM_SHA256\", \"(TLS|SSL)_AES_256_GCM_SHA384\"]");
+        context.put(CommonProperties.QPID_SECURITY_TLS_CIPHER_SUITE_DENY_LIST, "[\".*CBC.*\"]");
+
+        final Map<String, Object> attributes =
+                Collections.singletonMap(SimpleLDAPAuthenticationManager.CONTEXT, context);
+        final OAuth2AuthenticationProvider<?> _authenticationProvider = createAuthenticationProvider(attributes);
+
+        final List<String> expectedAllowedTlsProtocols = Collections.singletonList("TLSv1.3");
+        final List<String> expectedDeniedTlsProtocols = Arrays.asList("Ssl.*", "TLSv1", "TLSv1.1", "TLSv1.2");
+        final List<String> expectedAllowedTlsCypherSuites = Arrays.asList("(TLS|SSL)_AES_128_GCM_SHA256", "(TLS|SSL)_AES_256_GCM_SHA384");
+        final List<String> expectedDeniedTlsCypherSuites = Collections.singletonList(".*CBC.*");
+        assertThat(_authenticationProvider.getTlsProtocolAllowList(), is(equalTo(expectedAllowedTlsProtocols)));
+        assertThat(_authenticationProvider.getTlsProtocolWhiteList(), is(equalTo(expectedAllowedTlsProtocols)));
+        assertThat(_authenticationProvider.getTlsProtocolDenyList(), is(equalTo(expectedDeniedTlsProtocols)));
+        assertThat(_authenticationProvider.getTlsProtocolBlackList(), is(equalTo(expectedDeniedTlsProtocols)));
+        assertThat(_authenticationProvider.getTlsCipherSuiteAllowList(), is(equalTo(expectedAllowedTlsCypherSuites)));
+        assertThat(_authenticationProvider.getTlsCipherSuiteWhiteList(), is(equalTo(expectedAllowedTlsCypherSuites)));
+        assertThat(_authenticationProvider.getTlsCipherSuiteDenyList(), is(equalTo(expectedDeniedTlsCypherSuites)));
+        assertThat(_authenticationProvider.getTlsCipherSuiteBlackList(), is(equalTo(expectedDeniedTlsCypherSuites)));
+    }
+
+    @Test
+    public void testTlProtocolsAndCypherSuitesUsingBlackWhiteListContextVariable()
+    {
+        final Map<String, String> context = new HashMap<>();
+        context.put(CommonProperties.QPID_SECURITY_TLS_PROTOCOL_WHITE_LIST, "[\"TLSv1.3\"]");
+        context.put(CommonProperties.QPID_SECURITY_TLS_PROTOCOL_BLACK_LIST, "[\"Ssl.*\",\"TLSv1\",\"TLSv1.1\",\"TLSv1.2\"]");
+        context.put(CommonProperties.QPID_SECURITY_TLS_CIPHER_SUITE_WHITE_LIST, "[\"(TLS|SSL)_AES_128_GCM_SHA256\", \"(TLS|SSL)_AES_256_GCM_SHA384\"]");
+        context.put(CommonProperties.QPID_SECURITY_TLS_CIPHER_SUITE_BLACK_LIST, "[\".*CBC.*\"]");
+
+        final Map<String, Object> attributes =
+                Collections.singletonMap(SimpleLDAPAuthenticationManager.CONTEXT, context);
+        final OAuth2AuthenticationProvider<?> _authenticationProvider = createAuthenticationProvider(attributes);
+
+        final List<String> expectedAllowedTlsProtocols = Collections.singletonList("TLSv1.3");
+        final List<String> expectedDeniedTlsProtocols = Arrays.asList("Ssl.*", "TLSv1", "TLSv1.1", "TLSv1.2");
+        final List<String> expectedAllowedTlsCypherSuites = Arrays.asList("(TLS|SSL)_AES_128_GCM_SHA256", "(TLS|SSL)_AES_256_GCM_SHA384");
+        final List<String> expectedDeniedTlsCypherSuites = Collections.singletonList(".*CBC.*");
+        assertThat(_authenticationProvider.getTlsProtocolAllowList(), is(equalTo(expectedAllowedTlsProtocols)));
+        assertThat(_authenticationProvider.getTlsProtocolWhiteList(), is(equalTo(expectedAllowedTlsProtocols)));
+        assertThat(_authenticationProvider.getTlsProtocolDenyList(), is(equalTo(expectedDeniedTlsProtocols)));
+        assertThat(_authenticationProvider.getTlsProtocolBlackList(), is(equalTo(expectedDeniedTlsProtocols)));
+        assertThat(_authenticationProvider.getTlsCipherSuiteAllowList(), is(equalTo(expectedAllowedTlsCypherSuites)));
+        assertThat(_authenticationProvider.getTlsCipherSuiteWhiteList(), is(equalTo(expectedAllowedTlsCypherSuites)));
+        assertThat(_authenticationProvider.getTlsCipherSuiteDenyList(), is(equalTo(expectedDeniedTlsCypherSuites)));
+        assertThat(_authenticationProvider.getTlsCipherSuiteBlackList(), is(equalTo(expectedDeniedTlsCypherSuites)));
+    }
+
+
     private void assertSuccess(final AuthenticationResult authenticationResult)
     {
         assertEquals("Authentication was not successful: " + authenticationResult.getCause(),
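Review bot: The provider created by `final OAuth2AuthenticationProvider<?> _authenticationProvider = createAuthenticationProvider(attributes);` is opened but never closed in either test; only the `_authProvider` from setUp is presumably closed in the `@After` method, so each test leaks an open provider. Drop the field-style underscore on the local and close it explicitly, `final OAuth2AuthenticationProvider<?> provider = createAuthenticationProvider(attributes);` followed by `try { … assertions … } finally { provider.close(); }`. Separately, `SimpleLDAPAuthenticationManager.CONTEXT` is borrowed from an unrelated provider only for the attribute name; `OAuth2AuthenticationProvider.CONTEXT` (inherited from ConfiguredObject) expresses the same thing and removes the cross-provider import added in the earlier hunk.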
diff --git a/systests/qpid-systests-spawn-admin/src/main/java/org/apache/qpid/systests/admin/SpawnBrokerAdmin.java b/systests/qpid-systests-spawn-admin/src/main/java/org/apache/qpid/systests/admin/SpawnBrokerAdmin.java
index a70c3c9..5be5872 100644
--- a/systests/qpid-systests-spawn-admin/src/main/java/org/apache/qpid/systests/admin/SpawnBrokerAdmin.java
+++ b/systests/qpid-systests-spawn-admin/src/main/java/org/apache/qpid/systests/admin/SpawnBrokerAdmin.java
@@ -752,8 +752,6 @@ public class SpawnBrokerAdmin implements BrokerAdmin, Closeable
 
         List<String> jvmArguments = new ArrayList<>();
         jvmArguments.add("java");
-        jvmArguments.add("-cp");
-        jvmArguments.add(classpath);
         jvmArguments.add("-Djava.io.tmpdir=" + escape(System.getProperty("java.io.tmpdir")));
         jvmArguments.add("-Dlogback.configurationFile=default-broker-logback.xml");
         jvmArguments.add("-Dqpid.tests.mms.messagestore.persistence=true");
@@ -791,7 +789,9 @@ public class SpawnBrokerAdmin implements BrokerAdmin, Closeable
         String[] cmd = jvmArguments.toArray(new String[jvmArguments.size()]);
 
         LOGGER.debug("command line:" + String.join(" ", jvmArguments));
-        return new ProcessBuilder(cmd);
+        ProcessBuilder ps = new ProcessBuilder(cmd);
+        ps.environment().put("CLASSPATH", classpath);
+        return ps;
     }
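Review bot: With the classpath moved from `-cp` to the `CLASSPATH` environment variable, the debug line just above (`LOGGER.debug("command line:" + …)`) no longer shows where the spawned broker loads its classes from, which is the first thing needed when the child JVM fails to start. Log it next to the command line, `LOGGER.debug("CLASSPATH: {}", classpath);` after the `put`. The `environment().put` also replaces any CLASSPATH inherited from the parent process; that is presumably intended, but a one-line comment tying it to the `-cp` removal in the earlier hunk would stop someone re-adding `-cp` later. The enclosing method starts outside the hunk.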
 
     private String escape(String value)
@@ -849,16 +849,18 @@ public class SpawnBrokerAdmin implements BrokerAdmin, Closeable
 
     private void doWindowsKill()
     {
-        try
+        if (_pid != null)
         {
-
-            Process p;
-            p = Runtime.getRuntime().exec(new String[]{"taskkill", "/PID", Integer.toString(_pid), "/T", "/F"});
-            consumeAllOutput(p);
-        }
-        catch (IOException e)
-        {
-            LOGGER.error("Error whilst killing process " + _pid, e);
+            try
+            {
+                Process p;
+                p = Runtime.getRuntime().exec(new String[]{"taskkill", "/PID", Integer.toString(_pid), "/T", "/F"});
+                consumeAllOutput(p);
+            }
+            catch (IOException e)
+            {
+                LOGGER.error("Error whilst killing process " + _pid, e);
+            }
         }
     }
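Review bot: The new `_pid != null` guard turns doWindowsKill into a silent no-op when no pid was recorded, so a caller expecting the broker process to be terminated gets no indication that nothing happened. Add an `else` branch with `LOGGER.warn("Cannot kill broker process on Windows: pid is unknown");` so the skipped kill is visible in the logs. The check itself is presumably there because `_pid` is a boxed Integer and `Integer.toString(_pid)` would otherwise throw on unboxing.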
 
diff --git a/systests/qpid-systests-spawn-admin/src/test/java/org/apache/qpid/systests/admin/SpawnBrokerAdminTest.java b/systests/qpid-systests-spawn-admin/src/test/java/org/apache/qpid/systests/admin/SpawnBrokerAdminTest.java
index d8e929b..d2694fe 100644
--- a/systests/qpid-systests-spawn-admin/src/test/java/org/apache/qpid/systests/admin/SpawnBrokerAdminTest.java
+++ b/systests/qpid-systests-spawn-admin/src/test/java/org/apache/qpid/systests/admin/SpawnBrokerAdminTest.java
@@ -34,10 +34,8 @@ import static org.junit.Assert.fail;
 import static org.junit.Assume.assumeThat;
 
 import java.io.File;
-import java.io.IOException;
 import java.net.InetSocketAddress;
 import java.nio.file.Files;
-import java.util.Arrays;
 
 import javax.jms.Connection;
 import javax.jms.DeliveryMode;
@@ -157,7 +155,8 @@ public class SpawnBrokerAdminTest extends UnitTestBase
     @Test
     public void afterTestClass() throws Exception
     {
-        try (SpawnBrokerAdmin admin = new SpawnBrokerAdmin())
+        SpawnBrokerAdmin admin = new SpawnBrokerAdmin();
+        try
         {
             admin.beforeTestClass(SpawnBrokerAdminTest.class);
             admin.beforeTestMethod(SpawnBrokerAdminTest.class, getClass().getMethod("afterTestClass"));
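Review bot: Replacing try-with-resources with a manually managed `admin` that is nulled in an inner `finally` (the following hunk) makes the close decision depend on control flow in the middle of the method, which is outside both hunks. If the reason is that the inner block already closes the admin, so the outer close would be a double close, say so with a comment at `admin = null; // already closed above`, or use an explicit boolean flag instead of a null sentinel; if `SpawnBrokerAdmin.close()` is idempotent the original try-with-resources could simply stay.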
@@ -180,6 +179,17 @@ public class SpawnBrokerAdminTest extends UnitTestBase
             {
                 // pass
             }
+            finally
+            {
+                admin = null;
+            }
+        }
+        finally
+        {
+            if (admin != null)
+            {
+                admin.close();
+            }
         }
     }
 

