wildfly-security-incubator · darranl · Mar 2, 2017 · Mar 2, 2017
diff --git a/...test/java/org/wildfly/test/integration/elytron/ssl/UndertowSslSecurityDomainTestCase.java b/...test/java/org/wildfly/test/integration/elytron/ssl/UndertowSslSecurityDomainTestCase.java
@@ -24,7 +24,6 @@
 
 import static javax.servlet.http.HttpServletResponse.SC_FORBIDDEN;
 import static javax.servlet.http.HttpServletResponse.SC_OK;
-import static javax.servlet.http.HttpServletResponse.SC_UNAUTHORIZED;
 import static org.jboss.as.test.integration.security.common.SSLTruststoreUtil.HTTPS_PORT;
 
 import java.io.File;
@@ -33,12 +32,14 @@
 import java.net.URISyntaxException;
 import java.net.URL;
 import org.apache.http.client.HttpClient;
+import org.apache.http.impl.client.CloseableHttpClient;
 import org.codehaus.plexus.util.FileUtils;
 import org.jboss.arquillian.container.test.api.Deployment;
 import org.jboss.arquillian.container.test.api.RunAsClient;
 import org.jboss.arquillian.junit.Arquillian;
 import org.jboss.as.arquillian.api.ServerSetup;
 import org.jboss.as.controller.client.ModelControllerClient;
+import org.jboss.as.test.categories.CommonCriteria;
 import org.jboss.as.test.integration.security.common.CoreUtils;
 import org.jboss.as.test.integration.security.common.SSLTruststoreUtil;
 import org.jboss.as.test.integration.security.common.SecurityTestConstants;
@@ -49,8 +50,8 @@
 import org.jboss.shrinkwrap.api.spec.WebArchive;
 import org.junit.Assert;
 import org.junit.BeforeClass;
-import org.junit.Ignore;
 import org.junit.Test;
+import org.junit.experimental.categories.Category;
 import org.junit.runner.RunWith;
 import org.wildfly.test.security.common.AbstractElytronSetupTask;
 import org.wildfly.test.security.common.elytron.ClientCertUndertowDomainMapper;
@@ -70,13 +71,19 @@
 import org.wildfly.test.security.common.elytron.UserWithRoles;
 
 /**
- * Smoke test for two way SSL authentication using Elytron server-ssl-context added to default server configuration.
+ * Smoke tests for certificate based authentication using Elytron server-ssl-context, security domain,
+ * and key store realm.
+ *
+ * This test case is preparation and temporary replacement for
+ * testsuite/integration/web/src/test/java/org/jboss/as/test/integration/web/security/cert/WebSecurityCERTTestCase.java
+ * before making it work with Elytron.
  *
  * @author Ondrej Kotek
  */
 @RunWith(Arquillian.class)
 @ServerSetup({ UndertowSslSecurityDomainTestCase.ElytronSslContextInUndertowSetupTask.class })
 @RunAsClient
+@Category(CommonCriteria.class)
 public class UndertowSslSecurityDomainTestCase {
 
     private static final String NAME = UndertowSslSecurityDomainTestCase.class.getSimpleName();
@@ -122,17 +129,18 @@ public void testUnprotectedAccess() {
         HttpClient client = SSLTruststoreUtil
                 .getHttpClientWithSSL(CLIENT_KEYSTORE_FILE, PASSWORD, CLIENT_TRUSTSTORE_FILE, PASSWORD);
         assertUnprotectedAccess(client);
+        closeClient(client);
     }
 
     /**
      * Tests access to resource that requires authentication and authorization.
      */
     @Test
-    @Ignore("ELY-978")
     public void testProtectedAccess() {
         HttpClient client = SSLTruststoreUtil
                 .getHttpClientWithSSL(CLIENT_KEYSTORE_FILE, PASSWORD, CLIENT_TRUSTSTORE_FILE, PASSWORD);
         assertProtectedAccess(client, SC_OK);
+        closeClient(client);
     }
 
     /**
@@ -143,17 +151,18 @@ public void testForbidden() {
         HttpClient client = SSLTruststoreUtil
                 .getHttpClientWithSSL(CLIENT_KEYSTORE_FILE, PASSWORD, CLIENT_TRUSTSTORE_FILE, PASSWORD);
         assertAccessForbidden(client);
+        closeClient(client);
     }
 
     /**
      * Tests access to resource that requires authentication and authorization. Client has not trusted certificate.
      */
     @Test
-    @Ignore("ELY-978")
     public void testUntrustedCertificate() {
         HttpClient client = SSLTruststoreUtil
                 .getHttpClientWithSSL(UNTRUSTED_STORE_FILE, PASSWORD, CLIENT_TRUSTSTORE_FILE, PASSWORD);
-        assertProtectedAccess(client, SC_UNAUTHORIZED);
+        assertProtectedAccess(client, SC_FORBIDDEN);
+        closeClient(client);
     }
 
     private void assertUnprotectedAccess(HttpClient client) {
@@ -180,6 +189,14 @@ private void assertAccessForbidden(HttpClient client) {
         }
     }
 
+    private void closeClient(HttpClient client) {
+        try {
+            ((CloseableHttpClient) client).close();
+        } catch (IOException ex) {
+            throw new IllegalStateException("Unable to close HTTP client", ex);
+        }
+    }
+
     /**
      * Creates Elytron server-ssl-context and key/trust stores.
      */

diff --git a/...ava/org/wildfly/test/integration/elytron/ssl/UndertowTwoWaySslNeedClientAuthTestCase.java b/...ava/org/wildfly/test/integration/elytron/ssl/UndertowTwoWaySslNeedClientAuthTestCase.java
@@ -34,6 +34,7 @@
 import java.net.URL;
 import javax.net.ssl.SSLHandshakeException;
 import org.apache.http.client.HttpClient;
+import org.apache.http.impl.client.CloseableHttpClient;
 import org.codehaus.plexus.util.FileUtils;
 import org.jboss.arquillian.container.test.api.Deployment;
 import org.jboss.arquillian.container.test.api.RunAsClient;
@@ -63,8 +64,10 @@
 import org.wildfly.test.security.common.elytron.UndertowSslContext;
 
 /**
- * Smoke test for two way SSL authentication using Elytron server-ssl-context with need-client-auth=true
- * added to default server configuration.
+ * Smoke test for two way SSL connection with Undertow HTTPS listener backed by Elytron server-ssl-context
+ * with need-client-auth=true (client certificate is required).
+ *
+ * In case the client certificate is not trusted or present, the SSL handshake should fail.
  *
  * @author Ondrej Kotek
  */
@@ -105,19 +108,22 @@ public void testSendingTrustedClientCertificate() {
         HttpClient client = SSLTruststoreUtil
                 .getHttpClientWithSSL(CLIENT_KEYSTORE_FILE, PASSWORD, CLIENT_TRUSTSTORE_FILE, PASSWORD);
         assertConnectionToServer(client, SC_OK);
+        closeClient(client);
     }
 
     @Test
     public void testSendingNonTrustedClientCertificateFails() {
         HttpClient client = SSLTruststoreUtil
                 .getHttpClientWithSSL(UNTRUSTED_STORE_FILE, PASSWORD, CLIENT_TRUSTSTORE_FILE, PASSWORD);
         assertSslHandshakeFails(client);
+        closeClient(client);
     }
 
     @Test
     public void testSendingNoClientCertificateFails() {
         HttpClient client = SSLTruststoreUtil.getHttpClientWithSSL(CLIENT_TRUSTSTORE_FILE, PASSWORD);
         assertSslHandshakeFails(client);
+        closeClient(client);
     }
 
     private void assertConnectionToServer(HttpClient client, int expectedStatusCode) {
@@ -140,6 +146,14 @@ private void assertSslHandshakeFails(HttpClient client) {
         fail("SSL handshake should fail");
     }
 
+    private void closeClient(HttpClient client) {
+        try {
+            ((CloseableHttpClient) client).close();
+        } catch (IOException ex) {
+            throw new IllegalStateException("Unable to close HTTP client", ex);
+        }
+    }
+
     /**
      * Creates Elytron server-ssl-context and key/trust stores.
      */

diff --git a/...ron/src/test/java/org/wildfly/test/integration/elytron/ssl/UndertowTwoWaySslTestCase.java b/...ron/src/test/java/org/wildfly/test/integration/elytron/ssl/UndertowTwoWaySslTestCase.java
@@ -31,6 +31,7 @@
 import java.net.URISyntaxException;
 import java.net.URL;
 import org.apache.http.client.HttpClient;
+import org.apache.http.impl.client.CloseableHttpClient;
 import org.codehaus.plexus.util.FileUtils;
 import org.jboss.arquillian.container.test.api.Deployment;
 import org.jboss.arquillian.container.test.api.RunAsClient;
@@ -60,7 +61,10 @@
 import org.wildfly.test.security.common.elytron.UndertowSslContext;
 
 /**
- * Smoke test for two way SSL authentication using Elytron server-ssl-context added to default server configuration.
+ * Smoke test for two way SSL connection with Undertow HTTPS listener backed by Elytron server-ssl-context with default
+ * settings (client certificate is not required).
+ *
+ * In case the client certificate is not trusted or present, the request should be successful.
  *
  * @author Ondrej Kotek
  */
@@ -101,19 +105,22 @@ public void testSendingTrustedClientCertificate() {
         HttpClient client = SSLTruststoreUtil
                 .getHttpClientWithSSL(CLIENT_KEYSTORE_FILE, PASSWORD, CLIENT_TRUSTSTORE_FILE, PASSWORD);
         assertConnectionToServer(client, SC_OK);
+        closeClient(client);
     }
 
     @Test
     public void testSendingNonTrustedClientCertificate() {
         HttpClient client = SSLTruststoreUtil
                 .getHttpClientWithSSL(UNTRUSTED_STORE_FILE, PASSWORD, CLIENT_TRUSTSTORE_FILE, PASSWORD);
         assertConnectionToServer(client, SC_OK);
+        closeClient(client);
     }
 
     @Test
     public void testSendingNoClientCertificate() {
         HttpClient client = SSLTruststoreUtil.getHttpClientWithSSL(CLIENT_TRUSTSTORE_FILE, PASSWORD);
         assertConnectionToServer(client, SC_OK);
+        closeClient(client);
     }
 
     private void assertConnectionToServer(HttpClient client, int expectedStatusCode) {
@@ -124,6 +131,14 @@ private void assertConnectionToServer(HttpClient client, int expectedStatusCode)
         }
     }
 
+    private void closeClient(HttpClient client) {
+        try {
+            ((CloseableHttpClient) client).close();
+        } catch (IOException ex) {
+            throw new IllegalStateException("Unable to close HTTP client", ex);
+        }
+    }
+
     /**
      * Creates Elytron server-ssl-context and key/trust stores.
      */

diff --git a/...rc/main/java/org/wildfly/test/security/common/elytron/ClientCertUndertowDomainMapper.java b/...rc/main/java/org/wildfly/test/security/common/elytron/ClientCertUndertowDomainMapper.java
@@ -52,7 +52,7 @@ public void create(CLIWrapper cli) throws Exception {
         // mechanism-configurations=[{mechanism-name=CLIENT-CERT,mechanism-realm-configurations=[{realm-name=test}]}])
         cli.sendLine(String.format("/subsystem=elytron/http-authentication-factory=%1$s:add(security-domain=%2$s,"
                 + "http-server-mechanism-factory=%1$s,"
-                + "mechanism-configurations=[{mechanism-name=CLIENT-CERT,mechanism-realm-configurations=[{realm-name=%1$s}]}])",
+                + "mechanism-configurations=[{mechanism-name=CLIENT_CERT,mechanism-realm-configurations=[{realm-name=%1$s}]}])",
                 name, securityDomain));
 
         // /subsystem=undertow/application-security-domain=test:add(http-authentication-factory=test)