[#643] Add support for client certificate based authentication #744
Conversation
Alfusainey
force-pushed
the
amqp-adapter-certificate-auth
branch
from
df0f093
to
058674f
Compare
|
@sophokles73: can you please take a look at this? |
| if (socket.isSsl()) { | ||
| LOG.debug("Client connected through a secured port. Ignoring peer certificates (not supported)"); | ||
| LOG.debug("Client connected through a secured port"); |
| try { | ||
| peerCertificateChain = socket.sslSession().getPeerCertificates(); | ||
| clientCertAuthProvider = new X509AuthProvider(credentialsServiceClient, config); | ||
| certValidator = new DeviceCertificateValidator(); |
There was a problem hiding this comment.
do we need to create new instances for each device connecting?
| @@ -358,6 +359,7 @@ public void testUploadingXnumberOfMessages(final TestContext context) throws Int | |||
|
|
|||
| final Future<ProtonConnection> result = Future.future(); | |||
| final ProtonClientOptions options = new ProtonClientOptions(); | |||
| options.addEnabledSaslMechanism(ProtonSaslPlainImpl.MECH_NAME); | |||
There was a problem hiding this comment.
what about a test for a client using SASL_EXTERNAL?
There was a problem hiding this comment.
i want to add that later for a device that wants to authenticate using a client certificate. the current test code base does not use any certificate..
SASL_PLAIN is added mainly so that the current ITs passes. WDYT?
There was a problem hiding this comment.
I think that it would be good to have an integration test that uses SASL_EXTERNAL :-)
There was a problem hiding this comment.
BTW you should rebase so that the Travis build works again ...
Alfusainey
force-pushed
the
amqp-adapter-certificate-auth
branch
from
058674f
to
775d23f
Compare
ok, i will include that in this PR
just rebased, thanks! |
Alfusainey
force-pushed
the
amqp-adapter-certificate-auth
branch
from
775d23f
to
c340b99
Compare
|
@sophokles73: patch updated with 899010a. this commit also includes minor refactoring of the HTTP adapter code to reuse its trust options config. |
Alfusainey
force-pushed
the
amqp-adapter-certificate-auth
branch
from
c340b99
to
899010a
Compare
| return null; | ||
| } | ||
| }); | ||
| return getTrustOptions(); |
There was a problem hiding this comment.
I do not see why we need to introduce another level of indirection. Can't we simply pull up this method as is?
There was a problem hiding this comment.
if you say "pull up", you mean having it as a default implementation for all protocol adapters?
There was a problem hiding this comment.
Don't you think that would be a reasonable default?
There was a problem hiding this comment.
yes, makes sense
| @@ -101,6 +106,7 @@ | |||
| public static final int MQTT_PORT = Integer.getInteger(PROPERTY_MQTT_PORT, DEFAULT_MQTT_PORT); | |||
| public static final String AMQP_HOST = System.getProperty(PROPERTY_AMQP_HOST, DEFAULT_HOST); | |||
| public static final int AMQP_PORT = Integer.getInteger(PROPERTY_AMQP_PORT, DEFAULT_AMQP_PORT); | |||
| public static final int AMQPS_PORT = Integer.getInteger(PROPERTY_AMQPS_PORT, 4041); | |||
There was a problem hiding this comment.
for consistency, can we use a constant for the default AMQPS port as well?
| @@ -130,14 +136,14 @@ | |||
|
|
|||
| private final Set<String> tenantsToDelete = new HashSet<>(); | |||
| private final Map<String, Set<String>> devicesToDelete = new HashMap<>(); | |||
| private final Vertx vertx; | |||
| private static Vertx VERTX; | |||
There was a problem hiding this comment.
we use upper case naming for constants only
|
@Alfusainey why doesn't the Travis build succeed? |
humm... looks like the vertx thread has been blocked for a long time... am suspecting that it does not directly relate to my changes:
i think when deleting the temp devices, the call to |
|
@sophokles73: patch updated with f4ca7ce. now the |
|
@sophokles73: something very strange is happening with the jdk10 travis build. it takes longer to run and the MQTT adapter ITs is failing the build. i was thinking that my changes to the |
Alfusainey
force-pushed
the
amqp-adapter-certificate-auth
branch
from
f4ca7ce
to
2a6561f
Compare
|
@sophokles73: i rebased this patch with current master to include 008e20c. hopefully the fix passes the build 👍 |
|
yeah, let's hope so ... |
|
@sophokles73: the build passes 🕺 |
| connection.open(); | ||
| } | ||
| }); | ||
| if (!Strings.isNullOrEmpty(username) && !Strings.isNullOrEmpty(password)) { |
There was a problem hiding this comment.
please split this up into two methods: connectToAdapter(String, String) and connectToAdapter(SelfSignedCertificate) to make it more transparent in the client code which mechanism is used. There is basically no duplicated code so it shouldn't be an issue ...
There was a problem hiding this comment.
@sophokles73 patch updated
|
@Alfusainey can you squash and rebase? |
…ation Signed-off-by: Alfusainey Jallow <alf.jallow@gmail.com>
Alfusainey
force-pushed
the
amqp-adapter-certificate-auth
branch
from
17d24e0
to
16a0b14
Compare
|
@sophokles73 : done! |
@sophokles73: this patch adds support for client certificate authentication. now the auth providers are known only to the SaslAuthenticator class. i plan to test feature in the ITs.
Signed-off-by: Alfusainey Jallow alf.jallow@gmail.com