WFLY-8270 Fix and improve Undertow* tests in elytron module
OndrejKotek committed Mar 2, 2017
1 parent 509c3ef commit 50c7124
Showing 4 changed files with 56 additions and 10 deletions.
Expand Up @@ -24,7 +24,6 @@

import static javax.servlet.http.HttpServletResponse.SC_FORBIDDEN;
import static javax.servlet.http.HttpServletResponse.SC_OK;
import static javax.servlet.http.HttpServletResponse.SC_UNAUTHORIZED;
import static org.jboss.as.test.integration.security.common.SSLTruststoreUtil.HTTPS_PORT;

import java.io.File;
Expand All @@ -33,12 +32,14 @@
import java.net.URISyntaxException;
import java.net.URL;
import org.apache.http.client.HttpClient;
import org.apache.http.impl.client.CloseableHttpClient;
import org.codehaus.plexus.util.FileUtils;
import org.jboss.arquillian.container.test.api.Deployment;
import org.jboss.arquillian.container.test.api.RunAsClient;
import org.jboss.arquillian.junit.Arquillian;
import org.jboss.as.arquillian.api.ServerSetup;
import org.jboss.as.controller.client.ModelControllerClient;
import org.jboss.as.test.categories.CommonCriteria;
import org.jboss.as.test.integration.security.common.CoreUtils;
import org.jboss.as.test.integration.security.common.SSLTruststoreUtil;
import org.jboss.as.test.integration.security.common.SecurityTestConstants;
Expand All @@ -49,8 +50,8 @@
import org.jboss.shrinkwrap.api.spec.WebArchive;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Ignore;
import org.junit.Test;
import org.junit.experimental.categories.Category;
import org.junit.runner.RunWith;
import org.wildfly.test.security.common.AbstractElytronSetupTask;
import org.wildfly.test.security.common.elytron.ClientCertUndertowDomainMapper;
Expand All @@ -70,13 +71,19 @@
import org.wildfly.test.security.common.elytron.UserWithRoles;

/**
* Smoke test for two way SSL authentication using Elytron server-ssl-context added to default server configuration.
* Smoke tests for certificate based authentication using Elytron server-ssl-context, security domain,
* and key store realm.
*
* This test case is preparation and temporary replacement for
* testsuite/integration/web/src/test/java/org/jboss/as/test/integration/web/security/cert/WebSecurityCERTTestCase.java
* before making it work with Elytron.
*
* @author Ondrej Kotek
*/
@RunWith(Arquillian.class)
@ServerSetup({ UndertowSslSecurityDomainTestCase.ElytronSslContextInUndertowSetupTask.class })
@RunAsClient
@Category(CommonCriteria.class)
public class UndertowSslSecurityDomainTestCase {

private static final String NAME = UndertowSslSecurityDomainTestCase.class.getSimpleName();
Expand Down Expand Up @@ -122,17 +129,18 @@ public void testUnprotectedAccess() {
HttpClient client = SSLTruststoreUtil
.getHttpClientWithSSL(CLIENT_KEYSTORE_FILE, PASSWORD, CLIENT_TRUSTSTORE_FILE, PASSWORD);
assertUnprotectedAccess(client);
closeClient(client);
}

/**
* Tests access to resource that requires authentication and authorization.
*/
@Test
@Ignore("ELY-978")
public void testProtectedAccess() {
HttpClient client = SSLTruststoreUtil
.getHttpClientWithSSL(CLIENT_KEYSTORE_FILE, PASSWORD, CLIENT_TRUSTSTORE_FILE, PASSWORD);
assertProtectedAccess(client, SC_OK);
closeClient(client);
}

/**
Expand All @@ -143,17 +151,18 @@ public void testForbidden() {
HttpClient client = SSLTruststoreUtil
.getHttpClientWithSSL(CLIENT_KEYSTORE_FILE, PASSWORD, CLIENT_TRUSTSTORE_FILE, PASSWORD);
assertAccessForbidden(client);
closeClient(client);
}

/**
* Tests access to resource that requires authentication and authorization. Client has not trusted certificate.
*/
@Test
@Ignore("ELY-978")
public void testUntrustedCertificate() {
HttpClient client = SSLTruststoreUtil
.getHttpClientWithSSL(UNTRUSTED_STORE_FILE, PASSWORD, CLIENT_TRUSTSTORE_FILE, PASSWORD);
assertProtectedAccess(client, SC_UNAUTHORIZED);
assertProtectedAccess(client, SC_FORBIDDEN);
closeClient(client);
}

private void assertUnprotectedAccess(HttpClient client) {
Expand All @@ -180,6 +189,14 @@ private void assertAccessForbidden(HttpClient client) {
}
}

private void closeClient(HttpClient client) {
try {
((CloseableHttpClient) client).close();
} catch (IOException ex) {
throw new IllegalStateException("Unable to close HTTP client", ex);
}
}

/**
* Creates Elytron server-ssl-context and key/trust stores.
*/
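Review bot: closeClient(client) runs only when the preceding assertion passes, so in testUnprotectedAccess, testProtectedAccess, testForbidden and testUntrustedCertificate a failing assert leaves the HTTP client and its TLS connection open for the rest of the run. Put the release in a finally block, e.g. `try { assertProtectedAccess(client, SC_OK); } finally { closeClient(client); }`. The same call order appears in the test methods of the other two test classes changed by this commit. The assert helpers these tests call begin outside the visible hunks, so whether they release the response themselves cannot be checked from here.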
Expand Up @@ -34,6 +34,7 @@
import java.net.URL;
import javax.net.ssl.SSLHandshakeException;
import org.apache.http.client.HttpClient;
import org.apache.http.impl.client.CloseableHttpClient;
import org.codehaus.plexus.util.FileUtils;
import org.jboss.arquillian.container.test.api.Deployment;
import org.jboss.arquillian.container.test.api.RunAsClient;
Expand Down Expand Up @@ -63,8 +64,10 @@
import org.wildfly.test.security.common.elytron.UndertowSslContext;

/**
* Smoke test for two way SSL authentication using Elytron server-ssl-context with need-client-auth=true
* added to default server configuration.
* Smoke test for two way SSL connection with Undertow HTTPS listener backed by Elytron server-ssl-context
* with need-client-auth=true (client certificate is required).
*
* In case the client certificate is not trusted or present, the SSL handshake should fail.
*
* @author Ondrej Kotek
*/
Expand Down Expand Up @@ -105,19 +108,22 @@ public void testSendingTrustedClientCertificate() {
HttpClient client = SSLTruststoreUtil
.getHttpClientWithSSL(CLIENT_KEYSTORE_FILE, PASSWORD, CLIENT_TRUSTSTORE_FILE, PASSWORD);
assertConnectionToServer(client, SC_OK);
closeClient(client);
}

@Test
public void testSendingNonTrustedClientCertificateFails() {
HttpClient client = SSLTruststoreUtil
.getHttpClientWithSSL(UNTRUSTED_STORE_FILE, PASSWORD, CLIENT_TRUSTSTORE_FILE, PASSWORD);
assertSslHandshakeFails(client);
closeClient(client);
}

@Test
public void testSendingNoClientCertificateFails() {
HttpClient client = SSLTruststoreUtil.getHttpClientWithSSL(CLIENT_TRUSTSTORE_FILE, PASSWORD);
assertSslHandshakeFails(client);
closeClient(client);
}

private void assertConnectionToServer(HttpClient client, int expectedStatusCode) {
Expand All @@ -140,6 +146,14 @@ private void assertSslHandshakeFails(HttpClient client) {
fail("SSL handshake should fail");
}

private void closeClient(HttpClient client) {
try {
((CloseableHttpClient) client).close();
} catch (IOException ex) {
throw new IllegalStateException("Unable to close HTTP client", ex);
}
}

/**
* Creates Elytron server-ssl-context and key/trust stores.
*/
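Review bot: This closeClient is a second copy of the helper added to UndertowSslSecurityDomainTestCase (a third copy follows in the next file), and each copy casts to CloseableHttpClient without a check. All three therefore depend on what SSLTruststoreUtil.getHttpClientWithSSL actually returns, which is not visible on this page. Consider a single shared helper alongside the existing test utilities, with the cast guarded: `if (client instanceof CloseableHttpClient) { ((CloseableHttpClient) client).close(); }`. A one-line comment on the helper saying why the cast is expected to hold would also help the next reader.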
Expand Up @@ -31,6 +31,7 @@
import java.net.URISyntaxException;
import java.net.URL;
import org.apache.http.client.HttpClient;
import org.apache.http.impl.client.CloseableHttpClient;
import org.codehaus.plexus.util.FileUtils;
import org.jboss.arquillian.container.test.api.Deployment;
import org.jboss.arquillian.container.test.api.RunAsClient;
Expand Down Expand Up @@ -60,7 +61,10 @@
import org.wildfly.test.security.common.elytron.UndertowSslContext;

/**
* Smoke test for two way SSL authentication using Elytron server-ssl-context added to default server configuration.
* Smoke test for two way SSL connection with Undertow HTTPS listener backed by Elytron server-ssl-context with default
* settings (client certificate is not required).
*
* In case the client certificate is not trusted or present, the request should be successful.
*
* @author Ondrej Kotek
*/
Expand Down Expand Up @@ -101,19 +105,22 @@ public void testSendingTrustedClientCertificate() {
HttpClient client = SSLTruststoreUtil
.getHttpClientWithSSL(CLIENT_KEYSTORE_FILE, PASSWORD, CLIENT_TRUSTSTORE_FILE, PASSWORD);
assertConnectionToServer(client, SC_OK);
closeClient(client);
}

@Test
public void testSendingNonTrustedClientCertificate() {
HttpClient client = SSLTruststoreUtil
.getHttpClientWithSSL(UNTRUSTED_STORE_FILE, PASSWORD, CLIENT_TRUSTSTORE_FILE, PASSWORD);
assertConnectionToServer(client, SC_OK);
closeClient(client);
}

@Test
public void testSendingNoClientCertificate() {
HttpClient client = SSLTruststoreUtil.getHttpClientWithSSL(CLIENT_TRUSTSTORE_FILE, PASSWORD);
assertConnectionToServer(client, SC_OK);
closeClient(client);
}

private void assertConnectionToServer(HttpClient client, int expectedStatusCode) {
Expand All @@ -124,6 +131,14 @@ private void assertConnectionToServer(HttpClient client, int expectedStatusCode)
}
}

private void closeClient(HttpClient client) {
try {
((CloseableHttpClient) client).close();
} catch (IOException ex) {
throw new IllegalStateException("Unable to close HTTP client", ex);
}
}

/**
* Creates Elytron server-ssl-context and key/trust stores.
*/
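Review bot: testSendingNonTrustedClientCertificate and testSendingNoClientCertificate both assert SC_OK, and nothing in the test says that this shows only that the listener does not require a client certificate, not that the untrusted certificate was accepted as an identity. The new class Javadoc states the expectation; I would add a line to it such as `A 200 here means the handshake completed without client authentication; no identity is derived from the presented certificate.` That wording assumes the deployed resource is unprotected, which the visible lines do not show, so confirm it against the deployment. Without it, a later reader may take these tests as evidence of certificate validation.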
Expand Up @@ -52,7 +52,7 @@ public void create(CLIWrapper cli) throws Exception {
// mechanism-configurations=[{mechanism-name=CLIENT-CERT,mechanism-realm-configurations=[{realm-name=test}]}])
cli.sendLine(String.format("/subsystem=elytron/http-authentication-factory=%1$s:add(security-domain=%2$s,"
+ "http-server-mechanism-factory=%1$s,"
+ "mechanism-configurations=[{mechanism-name=CLIENT-CERT,mechanism-realm-configurations=[{realm-name=%1$s}]}])",
+ "mechanism-configurations=[{mechanism-name=CLIENT_CERT,mechanism-realm-configurations=[{realm-name=%1$s}]}])",
name, securityDomain));

// /subsystem=undertow/application-security-domain=test:add(http-authentication-factory=test)
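Review bot: The explanatory comment directly above the String.format call still shows `mechanism-name=CLIENT-CERT` while the command now sends `CLIENT_CERT`, so the comment and the CLI line it documents disagree. Update the comment line to `// mechanism-configurations=[{mechanism-name=CLIENT_CERT,mechanism-realm-configurations=[{realm-name=test}]}])`. The comment begins above the hunk, so its first line is not visible here and should be checked as well.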
