cxf-services-sts-systests-basic: organize TLSClientParameters

aonnikov · Nov 13, 2019 · 71b0cee · 71b0cee
1 parent 2a30443
commit 71b0cee
Show file tree

Hide file tree

Showing 6 changed files with 79 additions and 107 deletions.
diff --git a/...sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/TLSClientParametersUtils.java b/...sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/TLSClientParametersUtils.java
@@ -0,0 +1,62 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.systest.sts;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.GeneralSecurityException;
+import java.security.KeyStore;
+
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.TrustManagerFactory;
+
+import org.apache.cxf.configuration.jsse.TLSClientParameters;
+import org.apache.cxf.rt.security.crypto.CryptoUtils;
+import org.apache.xml.security.utils.ClassLoaderUtils;
+
+public final class TLSClientParametersUtils {
+
+    private static final String CLIENTSTORE = "/keys/clientstore.jks";
+    private static final String KEYSTORE_PASS = "cspass";
+    private static final String KEY_PASS = "ckpass";
+
+    private TLSClientParametersUtils() {
+    }
+
+    public static TLSClientParameters getTLSClientParameters() throws GeneralSecurityException, IOException {
+        final TLSClientParameters tlsCP = new TLSClientParameters();
+        tlsCP.setDisableCNCheck(true);
+
+        final KeyStore keyStore;
+        try (InputStream is = ClassLoaderUtils.getResourceAsStream(CLIENTSTORE, TLSClientParametersUtils.class)) {
+            keyStore = CryptoUtils.loadKeyStore(is, KEYSTORE_PASS.toCharArray(), null);
+        }
+
+        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
+        kmf.init(keyStore, KEY_PASS.toCharArray());
+        tlsCP.setKeyManagers(kmf.getKeyManagers());
+
+        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+        tmf.init(keyStore);
+        tlsCP.setTrustManagers(tmf.getTrustManagers());
+
+        return tlsCP;
+    }
+
+}
diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/STSRESTTest.java b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/STSRESTTest.java
@@ -21,12 +21,9 @@
 import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.nio.charset.StandardCharsets;
-import java.security.KeyStore;
 import java.security.cert.X509Certificate;
 import java.util.List;
 
-import javax.net.ssl.KeyManagerFactory;
-import javax.net.ssl.TrustManagerFactory;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
 import javax.xml.bind.JAXBElement;
@@ -39,18 +36,17 @@
 
 import org.apache.cxf.common.util.Base64Utility;
 import org.apache.cxf.common.util.CompressionUtils;
-import org.apache.cxf.configuration.jsse.TLSClientParameters;
 import org.apache.cxf.jaxrs.client.WebClient;
 import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
 import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer;
 import org.apache.cxf.rs.security.jose.jwt.JwtToken;
 import org.apache.cxf.rt.security.claims.Claim;
 import org.apache.cxf.rt.security.claims.ClaimCollection;
-import org.apache.cxf.rt.security.crypto.CryptoUtils;
 import org.apache.cxf.rt.security.saml.utils.SAMLUtils;
 import org.apache.cxf.staxutils.StaxUtils;
 import org.apache.cxf.staxutils.W3CDOMStreamWriter;
 import org.apache.cxf.sts.STSConstants;
+import org.apache.cxf.systest.sts.TLSClientParametersUtils;
 import org.apache.cxf.systest.sts.common.SecurityTestUtil;
 import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
 import org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType;
@@ -66,7 +62,6 @@
 import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
 import org.apache.wss4j.dom.handler.RequestData;
 import org.apache.wss4j.dom.processor.SAMLTokenProcessor;
-import org.apache.xml.security.utils.ClassLoaderUtils;
 
 import static org.apache.cxf.ws.security.trust.STSUtils.WST_NS_05_12;
 import static org.junit.Assert.assertEquals;
@@ -91,7 +86,6 @@ public class STSRESTTest extends AbstractBusClientServerTestBase {
     private static final String DEFAULT_ADDRESS =
         "https://localhost:8081/doubleit/services/doubleittransportsaml1";
 
-    private static TLSClientParameters tlsClientParameters = new TLSClientParameters();
     private static Crypto serviceCrypto;
 
     private WebClient webClient;
@@ -105,7 +99,6 @@ public static void startServers() throws Exception {
                    launchServer(STSRESTServer.class, true)
         );
 
-        tlsClientParameters = getTLSClientParameters();
         serviceCrypto = CryptoFactory.getInstance("serviceKeystore.properties");
     }
 
@@ -114,7 +107,6 @@ public static void cleanup() throws Exception {
         SecurityTestUtil.cleanup();
         stopAllServers();
 
-        tlsClientParameters = null;
         serviceCrypto = null;
     }
 
@@ -881,28 +873,9 @@ private WebClient webClient() throws Exception {
         closeClient();
 
         webClient = WebClient.create("https://localhost:" + STSPORT + "/SecurityTokenService/token");
-        webClient.getConfiguration().getHttpConduit().setTlsClientParameters(tlsClientParameters);
+        webClient.getConfiguration().getHttpConduit()
+            .setTlsClientParameters(TLSClientParametersUtils.getTLSClientParameters());
         return webClient;
     }
 
-    private static TLSClientParameters getTLSClientParameters() throws Exception {
-        final TLSClientParameters tlsCP = new TLSClientParameters();
-        tlsCP.setDisableCNCheck(true);
-
-        final KeyStore keyStore;
-        try (InputStream is = ClassLoaderUtils.getResourceAsStream("keys/clientstore.jks", STSRESTTest.class)) {
-            keyStore = CryptoUtils.loadKeyStore(is, "cspass".toCharArray(), null);
-        }
-
-        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
-        kmf.init(keyStore, "ckpass".toCharArray());
-        tlsCP.setKeyManagers(kmf.getKeyManagers());
-
-        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
-        tmf.init(keyStore);
-        tlsCP.setTrustManagers(tmf.getTrustManagers());
-
-        return tlsCP;
-    }
-
 }
diff --git a/...stests/basic/src/test/java/org/apache/cxf/systest/sts/stsclient/AbstractSTSTokenTest.java b/...stests/basic/src/test/java/org/apache/cxf/systest/sts/stsclient/AbstractSTSTokenTest.java
@@ -19,22 +19,16 @@
 package org.apache.cxf.systest.sts.stsclient;
 
 import java.io.IOException;
-import java.io.InputStream;
 import java.security.GeneralSecurityException;
-import java.security.KeyStore;
 import java.time.Instant;
 import java.util.HashMap;
 import java.util.Map;
 
 import javax.net.ssl.HttpsURLConnection;
-import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
-import javax.net.ssl.TrustManager;
-import javax.net.ssl.TrustManagerFactory;
 import javax.xml.namespace.QName;
 
 import org.apache.cxf.Bus;
-import org.apache.cxf.configuration.jsse.TLSClientParameters;
 import org.apache.cxf.endpoint.Endpoint;
 import org.apache.cxf.endpoint.EndpointException;
 import org.apache.cxf.endpoint.EndpointImpl;
@@ -49,9 +43,11 @@
 import org.apache.cxf.service.model.BindingInfo;
 import org.apache.cxf.service.model.EndpointInfo;
 import org.apache.cxf.service.model.ServiceInfo;
+import org.apache.cxf.systest.sts.TLSClientParametersUtils;
 import org.apache.cxf.systest.sts.common.SecurityTestUtil;
 import org.apache.cxf.systest.sts.deployment.STSServer;
 import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
+import org.apache.cxf.transport.https.SSLUtils;
 import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
 import org.apache.cxf.ws.security.trust.STSClient;
@@ -84,10 +80,6 @@ public abstract class AbstractSTSTokenTest extends AbstractBusClientServerTestBa
     private static final String TOKEN_TYPE_SAML_2_0 =
             "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";
 
-    private static final String CLIENTSTORE = "/keys/clientstore.jks";
-    private static final String KEYSTORE_PASS = "cspass";
-    private static final String KEY_PASS = "ckpass";
-
     @BeforeClass
     public static void startServers() throws Exception {
         STSServer stsServer = new STSServer();
@@ -178,13 +170,7 @@ public boolean verify(String hostname, javax.net.ssl.SSLSession sslSession) {
             }
         });
 
-        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory
-            .getDefaultAlgorithm());
-        KeyStore keyStore = loadClientKeystore();
-        trustManagerFactory.init(keyStore);
-        TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
-        SSLContext sc = SSLContext.getInstance("TLS");
-        sc.init(null, trustManagers, new java.security.SecureRandom());
+        SSLContext sc = SSLUtils.getSSLContext(TLSClientParametersUtils.getTLSClientParameters());
         HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
 
         // Needed to prevent test failure using IBM JDK
@@ -193,30 +179,6 @@ public boolean verify(String hostname, javax.net.ssl.SSLSession sslSession) {
         }
     }
 
-    static TLSClientParameters prepareTLSParams() throws GeneralSecurityException, IOException {
-        TLSClientParameters tlsParams = new TLSClientParameters();
-        tlsParams.setDisableCNCheck(true);
-
-        KeyStore trustStore = loadClientKeystore();
-        TrustManagerFactory trustFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
-        trustFactory.init(trustStore);
-        tlsParams.setTrustManagers(trustFactory.getTrustManagers());
-
-        KeyStore keyStore = loadClientKeystore();
-        KeyManagerFactory keyFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
-        keyFactory.init(keyStore, KEY_PASS.toCharArray());
-        tlsParams.setKeyManagers(keyFactory.getKeyManagers());
-        return tlsParams;
-    }
-
-    static KeyStore loadClientKeystore() throws GeneralSecurityException, IOException {
-        KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
-        try (InputStream keystoreStream = AbstractSTSTokenTest.class.getResourceAsStream(CLIENTSTORE)) {
-            keystore.load(keystoreStream, KEYSTORE_PASS.toCharArray());
-        }
-        return keystore;
-    }
-
     static void validateSecurityToken(SecurityToken token) {
         assertNotNull(token);
         assertEquals(TOKEN_TYPE_SAML_2_0, token.getTokenType());

diff --git a/.../basic/src/test/java/org/apache/cxf/systest/sts/stsclient/STSTokenOutInterceptorTest.java b/.../basic/src/test/java/org/apache/cxf/systest/sts/stsclient/STSTokenOutInterceptorTest.java
@@ -20,9 +20,8 @@
 
 import org.apache.cxf.Bus;
 import org.apache.cxf.BusFactory;
-import org.apache.cxf.configuration.jsse.TLSClientParameters;
 import org.apache.cxf.message.MessageImpl;
-import org.apache.cxf.transport.http.HTTPConduit;
+import org.apache.cxf.systest.sts.TLSClientParametersUtils;
 import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.cxf.ws.security.policy.interceptors.STSTokenOutInterceptor;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
@@ -79,9 +78,7 @@ public void testBasicTransportBinding() throws Exception {
                     "https://localhost:" + STSPORT + STS_TRANSPORT_WSDL_LOCATION_RELATIVE,
                     bus);
 
-        TLSClientParameters tlsParams = prepareTLSParams();
-        STSClient stsClient = interceptor.getSTSClient();
-        ((HTTPConduit)stsClient.getClient().getConduit()).setTlsClientParameters(tlsParams);
+        interceptor.getSTSClient().setTlsClientParameters(TLSClientParametersUtils.getTLSClientParameters());
 
         MessageImpl message = prepareMessage(bus, null, SERVICE_ENDPOINT_TRANSPORT);
 
@@ -113,12 +110,10 @@ public void testSTSClientTransportBinding() throws Exception {
 
         Bus bus = BusFactory.getThreadDefaultBus();
         STSClient stsClient = initStsClientTransportBinding(bus);
+        stsClient.setTlsClientParameters(TLSClientParametersUtils.getTLSClientParameters());
 
         STSTokenOutInterceptor interceptor = new STSTokenOutInterceptor(stsClient);
 
-        TLSClientParameters tlsParams = prepareTLSParams();
-        ((HTTPConduit)stsClient.getClient().getConduit()).setTlsClientParameters(tlsParams);
-
         MessageImpl message = prepareMessage(bus, null, SERVICE_ENDPOINT_TRANSPORT);
 
         interceptor.handleMessage(message);

diff --git a/...tests/basic/src/test/java/org/apache/cxf/systest/sts/stsclient/STSTokenRetrieverTest.java b/...tests/basic/src/test/java/org/apache/cxf/systest/sts/stsclient/STSTokenRetrieverTest.java
@@ -20,9 +20,8 @@
 
 import org.apache.cxf.Bus;
 import org.apache.cxf.BusFactory;
-import org.apache.cxf.configuration.jsse.TLSClientParameters;
 import org.apache.cxf.message.MessageImpl;
-import org.apache.cxf.transport.http.HTTPConduit;
+import org.apache.cxf.systest.sts.TLSClientParametersUtils;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
 import org.apache.cxf.ws.security.trust.STSClient;
 import org.apache.cxf.ws.security.trust.STSTokenRetriever;
@@ -53,9 +52,7 @@ public void testSTSTransportBinding() throws Exception {
 
         Bus bus = BusFactory.getThreadDefaultBus();
         STSClient stsClient = initStsClientTransportBinding(bus);
-
-        TLSClientParameters tlsParams = prepareTLSParams();
-        ((HTTPConduit)stsClient.getClient().getConduit()).setTlsClientParameters(tlsParams);
+        stsClient.setTlsClientParameters(TLSClientParametersUtils.getTLSClientParameters());
 
         MessageImpl message = prepareMessage(bus, stsClient, SERVICE_ENDPOINT_TRANSPORT);
         STSTokenRetriever.TokenRequestParams params = new STSTokenRetriever.TokenRequestParams();

diff --git a/...stests/basic/src/test/java/org/apache/cxf/systest/sts/transport/TransportBindingTest.java b/...stests/basic/src/test/java/org/apache/cxf/systest/sts/transport/TransportBindingTest.java
@@ -18,16 +18,12 @@
  */
 package org.apache.cxf.systest.sts.transport;
 
-import java.io.InputStream;
 import java.net.URL;
-import java.security.KeyStore;
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.HashMap;
 import java.util.Map;
 
-import javax.net.ssl.KeyManagerFactory;
-import javax.net.ssl.TrustManagerFactory;
 import javax.xml.namespace.QName;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
@@ -43,11 +39,11 @@
 import org.apache.cxf.Bus;
 import org.apache.cxf.BusFactory;
 import org.apache.cxf.bus.spring.SpringBusFactory;
-import org.apache.cxf.common.classloader.ClassLoaderUtils;
 import org.apache.cxf.configuration.jsse.TLSClientParameters;
 import org.apache.cxf.endpoint.Client;
 import org.apache.cxf.frontend.ClientProxy;
 import org.apache.cxf.jaxws.DispatchImpl;
+import org.apache.cxf.systest.sts.TLSClientParametersUtils;
 import org.apache.cxf.systest.sts.common.SecurityTestUtil;
 import org.apache.cxf.systest.sts.common.TestParam;
 import org.apache.cxf.systest.sts.common.TokenTestUtils;
@@ -210,22 +206,7 @@ public void testSAML2ViaCode() throws Exception {
         }
 
         // TLS configuration
-        TrustManagerFactory tmf =
-            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
-        KeyManagerFactory kmf =
-            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
-        final KeyStore ts = KeyStore.getInstance("JKS");
-        try (InputStream trustStore =
-            ClassLoaderUtils.getResourceAsStream("keys/clientstore.jks", TransportBindingTest.class)) {
-            ts.load(trustStore, "cspass".toCharArray());
-        }
-        tmf.init(ts);
-        kmf.init(ts, "ckpass".toCharArray());
-
-        TLSClientParameters tlsParams = new TLSClientParameters();
-        tlsParams.setTrustManagers(tmf.getTrustManagers());
-        tlsParams.setKeyManagers(kmf.getKeyManagers());
-        tlsParams.setDisableCNCheck(true);
+        TLSClientParameters tlsParams = TLSClientParametersUtils.getTLSClientParameters();
 
         Client client = ClientProxy.getClient(transportSaml2Port);
         HTTPConduit http = (HTTPConduit) client.getConduit();
@@ -235,6 +216,9 @@ public void testSAML2ViaCode() throws Exception {
         Bus clientBus = BusFactory.newInstance().createBus();
         STSClient stsClient = new STSClient(clientBus);
 
+        // HTTPS configuration for the STSClient
+        stsClient.setTlsClientParameters(tlsParams);
+
         // Use a local WSDL or else we run into problems retrieving the WSDL over HTTPS
         // due to lack of TLS config when creating the client
         URL stsWsdl = TransportBindingTest.class.getResource("../deployment/ws-trust-1.4-service.wsdl");
@@ -252,9 +236,8 @@ public void testSAML2ViaCode() throws Exception {
 
         ((BindingProvider)transportSaml2Port).getRequestContext().put("security.sts.client", stsClient);
 
-        // Update ports + HTTPS configuration for the STSClient
+        // Update ports
         updateAddressPort(stsClient.getClient(), test.getStsPort());
-        ((HTTPConduit) stsClient.getClient().getConduit()).setTlsClientParameters(tlsParams);
 
         doubleIt(transportSaml2Port, 25);