[#643] Add support for client certificate based authentication #744
df0f093 to 058674f
@sophokles73: can you please take a look at this?
if (socket.isSsl()) { | ||
LOG.debug("Client connected through a secured port. Ignoring peer certificates (not supported)"); | ||
LOG.debug("Client connected through a secured port"); |
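Review bot: with the "Ignoring peer certificates (not supported)" wording dropped, this message runs for every TLS connection and says nothing about whether a client certificate was presented; log it at trace level, and only record the peer's identity in a later message once the certificate has actually been validated, so the log never carries an unverified subject.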
trace
try { | ||
peerCertificateChain = socket.sslSession().getPeerCertificates(); | ||
clientCertAuthProvider = new X509AuthProvider(credentialsServiceClient, config); | ||
certValidator = new DeviceCertificateValidator(); |
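Review bot: `socket.sslSession().getPeerCertificates()` throws `SSLPeerUnverifiedException` when the client completed the TLS handshake without presenting a certificate, which is the normal case for a device that will authenticate with SASL PLAIN; the catch around this call must treat that exception as "no certificate, fall back to password authentication" and not as an error or as a reason to reject the connection. Separately, `X509AuthProvider` and `DeviceCertificateValidator` are constructed inside the per-connection path here; unless they hold per-connection state, create them once at adapter start-up and reuse them.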
do we need to create new instances for each device connecting?
@@ -358,6 +359,7 @@ public void testUploadingXnumberOfMessages(final TestContext context) throws Int | |||
|
|||
final Future<ProtonConnection> result = Future.future(); | |||
final ProtonClientOptions options = new ProtonClientOptions(); | |||
options.addEnabledSaslMechanism(ProtonSaslPlainImpl.MECH_NAME); |
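Review bot: enabling only PLAIN here means this test never exercises the adapter's EXTERNAL offer, so a regression in mechanism negotiation (for example the adapter offering EXTERNAL to a client that presented no certificate, or accepting PLAIN over a connection that did) would go unnoticed; keep this for the password path, but add a sibling test that sets client key/cert options and enables only the EXTERNAL mechanism.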
what about a test for a client using SASL_EXTERNAL?
I want to add that later for a device that wants to authenticate using a client certificate. the current test code base does not use any certificate.. SASL_PLAIN is added mainly so that the current ITs pass. WDYT?
I think that it would be good to have an integration test that uses SASL_EXTERNAL :-)
BTW you should rebase so that the Travis build works again ...
058674f to 775d23f
ok, I will include that in this PR
just rebased, thanks!
775d23f to c340b99
@sophokles73: patch updated with 899010a. this commit also includes minor refactoring of the HTTP adapter code to reuse its trust options config.
c340b99 to 899010a
return null; | ||
} | ||
}); | ||
return getTrustOptions(); |
I do not see why we need to introduce another level of indirection. Can't we simply pull up this method as is?
if you say "pull up", you mean having it as a default implementation for all protocol adapters?
Don't you think that would be a reasonable default?
yes, makes sense
@@ -101,6 +106,7 @@ | |||
public static final int MQTT_PORT = Integer.getInteger(PROPERTY_MQTT_PORT, DEFAULT_MQTT_PORT); | |||
public static final String AMQP_HOST = System.getProperty(PROPERTY_AMQP_HOST, DEFAULT_HOST); | |||
public static final int AMQP_PORT = Integer.getInteger(PROPERTY_AMQP_PORT, DEFAULT_AMQP_PORT); | |||
public static final int AMQPS_PORT = Integer.getInteger(PROPERTY_AMQPS_PORT, 4041); |
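Review bot: `4041` is a magic literal where every sibling constant in this block reads its default from a `DEFAULT_*` constant; add `DEFAULT_AMQPS_PORT` next to `DEFAULT_AMQP_PORT` and reference it here, so the TLS port used by the integration tests is defined and documented in one place.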
for consistency, can we use a constant for the default AMQPS port as well?
@@ -130,14 +136,14 @@ | |||
|
|||
private final Set<String> tenantsToDelete = new HashSet<>(); | |||
private final Map<String, Set<String>> devicesToDelete = new HashMap<>(); | |||
private final Vertx vertx; | |||
private static Vertx VERTX; |
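Review bot: `private static Vertx VERTX` replaces a per-instance `final` field with mutable state shared by every test in the class; it is not a constant, so name it `vertx`, and make sure it is created once in a `@BeforeClass` and closed in an `@AfterClass` so that test classes running in the same JVM do not leak event-loop threads, which is one plausible source of the blocked-thread warnings mentioned later in this thread.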
we use upper case naming for constants only
ok
@Alfusainey why doesn't the Travis build succeed?
humm... looks like the vertx thread has been blocked for a long time... I am suspecting that it does not directly relate to my changes:
I think when deleting the temp devices, the call to
@sophokles73: patch updated with f4ca7ce. now the
@sophokles73: something very strange is happening with the jdk10 travis build. it takes longer to run and the MQTT adapter ITs are failing the build. I was thinking that my changes to the
f4ca7ce to 2a6561f
@sophokles73: I rebased this patch with current master to include 008e20c. hopefully the fix passes the build 👍
yeah, let's hope so ...
@sophokles73: the build passes 🕺
connection.open(); | ||
} | ||
}); | ||
if (!Strings.isNullOrEmpty(username) && !Strings.isNullOrEmpty(password)) { |
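Review bot: the `if (!Strings.isNullOrEmpty(username) && !Strings.isNullOrEmpty(password))` check makes the authentication mechanism an implicit side effect of which arguments happen to be non-empty: a caller that passes a username with an empty password silently ends up on the certificate path, and a test that meant to use a certificate but also set a username silently ends up on PLAIN. Make the choice explicit with separate `connectToAdapter(String, String)` and `connectToAdapter(SelfSignedCertificate)` methods, and have the certificate variant fail fast if no key/cert options were set.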
please split this up into two methods: connectToAdapter(String, String) and connectToAdapter(SelfSignedCertificate) to make it more transparent in the client code which mechanism is used. There is basically no duplicated code so it shouldn't be an issue ...
ok 👍
@sophokles73 patch updated
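The split the reviewer asks for above, written out as an added example (this is not code from the PR or the project): a test-side client helper with one method per authentication mechanism, each enabling exactly one SASL mechanism so the call site shows which path is exercised. It uses the Vert.x and vertx-proton APIs (`ProtonClient`, `ProtonClientOptions`, `SelfSignedCertificate`); the class name `AdapterClientExample`, the constructor parameters (adapter host, TLS port, trust options for the adapter's server certificate) and the `SASL_EXTERNAL` constant are assumptions made here, while `ProtonSaslPlainImpl.MECH_NAME` is the constant already used in the diff.

```java
import io.vertx.core.AsyncResult;
import io.vertx.core.Handler;
import io.vertx.core.Vertx;
import io.vertx.core.net.SelfSignedCertificate;
import io.vertx.core.net.TrustOptions;
import io.vertx.proton.ProtonClient;
import io.vertx.proton.ProtonClientOptions;
import io.vertx.proton.ProtonConnection;
import io.vertx.proton.sasl.impl.ProtonSaslPlainImpl;

/**
 * Added example (not project code): a test client that makes the SASL
 * mechanism explicit at the call site instead of deriving it from which
 * arguments happen to be non-empty.
 */
public final class AdapterClientExample {

    // IANA-registered name of the SASL mechanism backed by the TLS client certificate.
    private static final String SASL_EXTERNAL = "EXTERNAL";

    private final Vertx vertx;
    private final String host;               // assumption: adapter host name, e.g. "localhost"
    private final int amqpsPort;             // assumption: the adapter's TLS-enabled AMQP port
    private final TrustOptions adapterTrust; // assumption: trust anchor for the adapter's server certificate

    public AdapterClientExample(final Vertx vertx, final String host, final int amqpsPort,
            final TrustOptions adapterTrust) {
        this.vertx = vertx;
        this.host = host;
        this.amqpsPort = amqpsPort;
        this.adapterTrust = adapterTrust;
    }

    /** Password-based device: only SASL PLAIN is offered, so a certificate is never consulted. */
    public void connectToAdapter(final String username, final String password,
            final Handler<AsyncResult<ProtonConnection>> handler) {
        if (username == null || username.isEmpty() || password == null || password.isEmpty()) {
            throw new IllegalArgumentException("username and password must be set for SASL PLAIN");
        }
        final ProtonClientOptions options = baseOptions();
        options.addEnabledSaslMechanism(ProtonSaslPlainImpl.MECH_NAME);
        ProtonClient.create(vertx).connect(options, host, amqpsPort, username, password, handler);
    }

    /**
     * Certificate-based device: the device's key/cert is presented during the TLS
     * handshake and only SASL EXTERNAL is offered. The adapter must already trust the
     * issuer of this certificate and have the device registered, otherwise the
     * connection is expected to be rejected.
     */
    public void connectToAdapter(final SelfSignedCertificate deviceCert,
            final Handler<AsyncResult<ProtonConnection>> handler) {
        if (deviceCert == null) {
            throw new IllegalArgumentException("a device certificate is required for SASL EXTERNAL");
        }
        final ProtonClientOptions options = baseOptions();
        options.setKeyCertOptions(deviceCert.keyCertOptions());
        options.addEnabledSaslMechanism(SASL_EXTERNAL);
        ProtonClient.create(vertx).connect(options, host, amqpsPort, handler);
    }

    // Shared TLS settings: always encrypt and always verify the adapter's server certificate.
    private ProtonClientOptions baseOptions() {
        final ProtonClientOptions options = new ProtonClientOptions();
        options.setSsl(true);
        options.setTrustOptions(adapterTrust);
        return options;
    }
}
```

Because each overload enables a single mechanism, a test that calls the certificate variant fails with a clear SASL error if the adapter does not offer EXTERNAL, rather than silently succeeding over PLAIN; the argument checks at the top of each method are what the reviewer's "fail fast" suggestion amounts to.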
@Alfusainey can you squash and rebase?
…ation Signed-off-by: Alfusainey Jallow <alf.jallow@gmail.com>
17d24e0 to 16a0b14
@sophokles73: done!
@sophokles73: this patch adds support for client certificate authentication. now the auth providers are known only to the SaslAuthenticator class. I plan to test the feature in the ITs.
Signed-off-by: Alfusainey Jallow alf.jallow@gmail.com