ARTEMIS-5778 Pass SSLSupport parameters to TrustManagerFactoryPlugin

Author: brusdev

artemis-core-client/src/main/java/org/apache/activemq/artemis/api/core/TrustManagerFactoryPlugin.java

@@ -20,9 +20,33 @@
 
 public interface TrustManagerFactoryPlugin {
 
+   /**
+    * Parameters used as input for TrustManagerFactory.
+    */
+   interface Parameters {
+      String getTruststoreProvider();
+
+      String getTruststoreType();
+
+      String getTruststorePath();
+
+      String getTruststorePassword();
+
+      String getCrlPath();
+   }
+
    /**
     * {@return the TrustManagerFactory used when invoking {@link javax.net.ssl.TrustManagerFactory#getTrustManagers()}
     * to initialize the {@code SSLContext}}
     */
    TrustManagerFactory getTrustManagerFactory();
+
+   /**
+    * @param parameters the parameters to be used to initialize the {@code TrustManagerFactory}
+    * {@return the TrustManagerFactory used when invoking {@link javax.net.ssl.TrustManagerFactory#getTrustManagers()}
+    * to initialize the {@code SSLContext}}
+    */
+   default TrustManagerFactory getTrustManagerFactory(TrustManagerFactoryPlugin.Parameters parameters) {
+      return getTrustManagerFactory();
+   }
 }

artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/ssl/SSLSupport.java

@@ -65,7 +65,7 @@
  * by default (see java.security.Security#getProviders()).  The main thing to keep in mind is that PKCS#11 keystores
  * will either use null, and empty string, or NONE for their keystore path.
  */
-public class SSLSupport {
+public class SSLSupport implements TrustManagerFactoryPlugin.Parameters {
 
    public static final String NONE = "NONE";
    private String keystoreProvider = TransportConstants.DEFAULT_KEYSTORE_PROVIDER;
@@ -278,7 +278,7 @@ public static String parseArrayIntoCommandSeparatedList(String[] suites) {
 
    private TrustManagerFactory loadTrustManagerFactory() throws Exception {
       if (trustManagerFactoryPlugin != null) {
-         return SecurityManagerShim.doPrivileged((PrivilegedAction<TrustManagerFactory>) () -> ((TrustManagerFactoryPlugin) ClassloadingUtil.newInstanceFromClassLoader(SSLSupport.class, trustManagerFactoryPlugin, TrustManagerFactoryPlugin.class)).getTrustManagerFactory());
+         return SecurityManagerShim.doPrivileged((PrivilegedAction<TrustManagerFactory>) () -> ((TrustManagerFactoryPlugin) ClassloadingUtil.newInstanceFromClassLoader(SSLSupport.class, trustManagerFactoryPlugin, TrustManagerFactoryPlugin.class)).getTrustManagerFactory(this));
       } else if (trustAll) {
          //This is useful for testing but not should be used outside of that purpose
          return InsecureTrustManagerFactory.INSTANCE;

docs/user-manual/configuring-transports.adoc

@@ -443,10 +443,14 @@ When used on a `connector` the `sniHost` value is used for the `server_name` ext
 trustManagerFactoryPlugin::
 This is valid on either an `acceptor` or `connector`.
 It defines the name of the class which implements `org.apache.activemq.artemis.api.core.TrustManagerFactoryPlugin`.
-This is a simple interface with a single method which returns a `javax.net.ssl.TrustManagerFactory`.
+This interface provides methods that return a `javax.net.ssl.TrustManagerFactory`.
 The `TrustManagerFactory` will be used when the underlying `javax.net.ssl.SSLContext` is initialized.
 This allows fine-grained customization of who/what the broker & client trusts.
 +
+The interface includes a default method `getTrustManagerFactory()` and an optional parametrized method `getTrustManagerFactory(Parameters parameters)`.
+If the plugin implements the parametrized version, it will receive the configured SSL trust parameters (`truststoreProvider`, `truststoreType`, `truststorePath`, `truststorePassword`, `crlPath`) which can be used to initialize the trust manager.
+If only the default method is implemented, the plugin will not receive these parameters.
++
 This value takes precedence of all other SSL parameters which apply to the trust manager (i.e. `trustAll`, `truststoreProvider`, `truststorePath`, `truststorePassword`, `crlPath`).
 +
 Any plugin specified will need to be placed on the xref:using-server.adoc#adding-runtime-dependencies[broker's classpath].

tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverOneWaySSLTest.java

@@ -289,8 +289,31 @@ public void testOneWaySSLwithSNIOnlyOnTheBroker() throws Exception {
    }
 
    @TestTemplate
-   public void testOneWaySSLwithTrustManagerPlugin() throws Exception {
-      createCustomSslServer(null, null, false, null, TestTrustManagerFactoryPlugin.class.getName());
+   public void testOneWaySSLWithTrustManagerPlugin() throws Exception {
+      try {
+         testOneWaySSLWithTrustManagerPlugin(TestTrustManagerFactoryPlugin.class.getName());
+
+         assertTrue(TestTrustManagerFactoryPlugin.triggered.get());
+      } finally {
+         TestTrustManagerFactoryPlugin.triggered.set(false);
+      }
+   }
+
+   @TestTemplate
+   public void testOneWaySSLWithParametrizedTrustManagerPlugin() throws Exception {
+      try {
+         testOneWaySSLWithTrustManagerPlugin(TestParametrizedTrustManagerFactoryPlugin.class.getName());
+
+         assertTrue(TestParametrizedTrustManagerFactoryPlugin.wasInvokedWithParameters.get());
+         assertFalse(TestParametrizedTrustManagerFactoryPlugin.wasInvokedWithoutParameters.get());
+         assertNotNull(TestParametrizedTrustManagerFactoryPlugin.receivedParameters.get());
+      } finally {
+         TestParametrizedTrustManagerFactoryPlugin.reset();
+      }
+   }
+
+   private void testOneWaySSLWithTrustManagerPlugin(String trustManagerFactoryPlugin) throws Exception {
+      createCustomSslServer(null, null, false, null, trustManagerFactoryPlugin);
       String text = RandomUtil.randomUUIDString();
 
       tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
@@ -302,8 +325,6 @@ public void testOneWaySSLwithTrustManagerPlugin() throws Exception {
       ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc));
       ClientSessionFactory sf = addSessionFactory(createSessionFactory(locator));
 
-      assertTrue(TestTrustManagerFactoryPlugin.triggered.get());
-
       ClientSession session = addClientSession(sf.createSession(false, true, true));
       session.createQueue(QueueConfiguration.of(CoreClientOverOneWaySSLTest.QUEUE).setDurable(false));
       ClientProducer producer = addClientProducer(session.createProducer(CoreClientOverOneWaySSLTest.QUEUE));

tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/TestParametrizedTrustManagerFactoryPlugin.java

@@ -0,0 +1,50 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.artemis.tests.integration.ssl;
+
+import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
+import org.apache.activemq.artemis.api.core.TrustManagerFactoryPlugin;
+
+import javax.net.ssl.TrustManagerFactory;
+import java.util.concurrent.atomic.AtomicBoolean;
+import java.util.concurrent.atomic.AtomicReference;
+
+public class TestParametrizedTrustManagerFactoryPlugin implements TrustManagerFactoryPlugin {
+
+   public static AtomicBoolean wasInvokedWithParameters = new AtomicBoolean(false);
+   public static AtomicBoolean wasInvokedWithoutParameters = new AtomicBoolean(false);
+   public static AtomicReference<Parameters> receivedParameters = new AtomicReference<>(null);
+
+   public static void reset() {
+      wasInvokedWithParameters.set(false);
+      wasInvokedWithoutParameters.set(false);
+      receivedParameters.set(null);
+   }
+
+   @Override
+   public TrustManagerFactory getTrustManagerFactory() {
+      wasInvokedWithoutParameters.set(true);
+      return InsecureTrustManagerFactory.INSTANCE;
+   }
+
+   @Override
+   public TrustManagerFactory getTrustManagerFactory(Parameters parameters) {
+      wasInvokedWithParameters.set(true);
+      receivedParameters.set(parameters);
+      return InsecureTrustManagerFactory.INSTANCE;
+   }
+}

tests/unit-tests/src/test/java/org/apache/activemq/artemis/tests/unit/core/remoting/impl/ssl/SSLSupportTest.java

@@ -16,14 +16,23 @@
  */
 package org.apache.activemq.artemis.tests.unit.core.remoting.impl.ssl;
 
+import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.junit.jupiter.api.Assertions.fail;
 
 import java.io.File;
 import java.net.URL;
 import java.util.Arrays;
 import java.util.Collection;
+import java.util.concurrent.atomic.AtomicBoolean;
+import java.util.concurrent.atomic.AtomicReference;
 
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManagerFactory;
+
+import org.apache.activemq.artemis.api.core.TrustManagerFactoryPlugin;
 import org.apache.activemq.artemis.core.remoting.impl.netty.TransportConstants;
 import org.apache.activemq.artemis.core.remoting.impl.ssl.SSLSupport;
 import org.apache.activemq.artemis.tests.extensions.parameterized.ParameterizedTestExtension;
@@ -287,4 +296,104 @@ public void testContextWithTrustAll() throws Exception {
          .setTrustAll(true)
          .createContext();
    }
+
+   @TestTemplate
+   public void testTrustManagerFactoryPlugin() throws Exception {
+      SSLContext context = new SSLSupport()
+         .setKeystoreProvider(storeProvider)
+         .setKeystoreType(storeType)
+         .setKeystorePath(keyStorePath)
+         .setKeystorePassword(keyStorePassword)
+         .setTruststoreProvider(storeProvider)
+         .setTruststoreType(storeType)
+         .setTruststorePath(trustStorePath)
+         .setTruststorePassword(trustStorePassword)
+         .setTrustAll(true) // This should be ignored when plugin is set
+         .setTrustManagerFactoryPlugin(TestTrustManagerFactoryPlugin.class.getName())
+         .createContext();
+
+      assertNotNull(context);
+      assertTrue(TestTrustManagerFactoryPlugin.wasInvoked.get());
+   }
+
+   @TestTemplate
+   public void testParametrizedTrustManagerFactoryPlugin() throws Exception {
+      TestParametrizedTrustManagerFactoryPlugin.reset();
+
+      final String crlPath = "test-crl-path";
+
+      SSLContext context = new SSLSupport()
+         .setKeystoreProvider(storeProvider)
+         .setKeystoreType(storeType)
+         .setKeystorePath(keyStorePath)
+         .setKeystorePassword(keyStorePassword)
+         .setTruststoreProvider(storeProvider)
+         .setTruststoreType(storeType)
+         .setTruststorePath(trustStorePath)
+         .setTruststorePassword(trustStorePassword)
+         .setCrlPath(crlPath)
+         .setTrustAll(true) // This should be ignored when plugin is set
+         .setTrustManagerFactoryPlugin(TestParametrizedTrustManagerFactoryPlugin.class.getName())
+         .createContext();
+
+      assertNotNull(context);
+      assertFalse(TestParametrizedTrustManagerFactoryPlugin.wasInvokedWithoutParameters.get());
+      assertTrue(TestParametrizedTrustManagerFactoryPlugin.wasInvokedWithParameters.get());
+
+      TrustManagerFactoryPlugin.Parameters receivedParameters =
+         TestParametrizedTrustManagerFactoryPlugin.receivedParameters.get();
+      assertNotNull(receivedParameters);
+
+      assertEquals(storeProvider, receivedParameters.getTruststoreProvider());
+      assertEquals(storeType, receivedParameters.getTruststoreType());
+      assertEquals(trustStorePath, receivedParameters.getTruststorePath());
+      assertEquals(trustStorePassword, receivedParameters.getTruststorePassword());
+      assertEquals(crlPath, receivedParameters.getCrlPath());
+   }
+
+   /**
+    * Test implementation of TrustManagerFactoryPlugin without parameters that tracks invocation
+    */
+   public static class TestTrustManagerFactoryPlugin implements TrustManagerFactoryPlugin {
+      public static AtomicBoolean wasInvoked = new AtomicBoolean(false);
+
+      public static void reset() {
+         wasInvoked.set(false);
+      }
+
+      @Override
+      public TrustManagerFactory getTrustManagerFactory() {
+         wasInvoked.set(true);
+         return null;
+      }
+   }
+
+   /**
+    * Test implementation of TrustManagerFactoryPlugin with parameters that tracks invocation
+    */
+   public static class TestParametrizedTrustManagerFactoryPlugin implements TrustManagerFactoryPlugin {
+
+      public static AtomicBoolean wasInvokedWithParameters = new AtomicBoolean(false);
+      public static AtomicBoolean wasInvokedWithoutParameters = new AtomicBoolean(false);
+      public static AtomicReference<Parameters> receivedParameters = new AtomicReference<>(null);
+
+      public static void reset() {
+         wasInvokedWithParameters.set(false);
+         wasInvokedWithoutParameters.set(false);
+         receivedParameters.set(null);
+      }
+
+      @Override
+      public TrustManagerFactory getTrustManagerFactory() {
+         wasInvokedWithoutParameters.set(true);
+         return null;
+      }
+
+      @Override
+      public TrustManagerFactory getTrustManagerFactory(Parameters parameters) {
+         wasInvokedWithParameters.set(true);
+         receivedParameters.set(parameters);
+         return null;
+      }
+   }
 }