[cleanup][tls] Unified management of JKS certificates (apache#15456)

teaey · May 16, 2022 · 73520c3 · 73520c3
1 parent f89698c
commit 73520c3
Show file tree

Hide file tree

Showing 41 changed files with 367 additions and 301 deletions.
diff --git a/build/generate_keystores_for_tests.sh b/build/generate_keystores_for_tests.sh
diff --git a/pulsar-broker-common/pom.xml b/pulsar-broker-common/pom.xml
@@ -110,6 +110,29 @@
           </execution>
         </executions>
       </plugin>
+
+      <plugin>
+        <artifactId>maven-resources-plugin</artifactId>
+        <executions>
+          <execution>
+            <id>copy-resources</id>
+            <phase>test-compile</phase>
+            <goals>
+              <goal>copy-resources</goal>
+            </goals>
+            <configuration>
+              <outputDirectory>${project.build.testOutputDirectory}/certificate-authority</outputDirectory>
+              <overwrite>true</overwrite>
+              <resources>
+                <resource>
+                  <directory>${project.parent.basedir}/tests/certificate-authority</directory>
+                  <filtering>false</filtering>
+                </resource>
+              </resources>
+            </configuration>
+          </execution>
+        </executions>
+      </plugin>
     </plugins>
   </build>
 </project>
diff --git a/...mon/src/test/java/org/apache/pulsar/jetty/tls/JettySslContextFactoryWithKeyStoreTest.java b/...mon/src/test/java/org/apache/pulsar/jetty/tls/JettySslContextFactoryWithKeyStoreTest.java
@@ -49,16 +49,24 @@
 
 @Slf4j
 public class JettySslContextFactoryWithKeyStoreTest {
+    final static String brokerKeyStorePath =
+            Resources.getResource("certificate-authority/jks/broker.keystore.jks").getPath();
+    final static String brokerTrustStorePath =
+            Resources.getResource("certificate-authority/jks/broker.truststore.jks").getPath();
+    final static String clientKeyStorePath =
+            Resources.getResource("certificate-authority/jks/client.keystore.jks").getPath();
+    final static String clientTrustStorePath =
+            Resources.getResource("certificate-authority/jks/client.truststore.jks").getPath();
+    final static String keyStoreType = "JKS";
+    final static String keyStorePassword = "111111";
 
     @Test
     public void testJettyTlsServerTls() throws Exception {
         Server server = new Server();
         List<ServerConnector> connectors = new ArrayList<>();
         SslContextFactory.Server factory = JettySslContextFactory.createServerSslContextWithKeystore(null,
-                "JKS", Resources.getResource("ssl/jetty_server_key.jks").getPath(),
-                "jetty_server_pwd", false, "JKS",
-                Resources.getResource("ssl/jetty_server_trust.jks").getPath(),
-                "jetty_server_pwd", true, null,
+                keyStoreType, brokerKeyStorePath, keyStorePassword, false, keyStoreType,
+                clientTrustStorePath, keyStorePassword, true, null,
                 null, 600);
         factory.setHostnameVerifier((s, sslSession) -> true);
         ServerConnector connector = new ServerConnector(server, factory);
@@ -86,10 +94,8 @@ public void testJettyTlsServerInvalidTlsProtocol() throws Exception {
         Server server = new Server();
         List<ServerConnector> connectors = new ArrayList<>();
         SslContextFactory.Server factory = JettySslContextFactory.createServerSslContextWithKeystore(null,
-                "JKS", Resources.getResource("ssl/jetty_server_key.jks").getPath(),
-                "jetty_server_pwd", false, "JKS",
-                Resources.getResource("ssl/jetty_server_trust.jks").getPath(),
-                "jetty_server_pwd", true, null,
+                keyStoreType, brokerKeyStorePath, keyStorePassword, false, keyStoreType, clientTrustStorePath,
+                keyStorePassword, true, null,
                 new HashSet<String>() {
                     {
                         this.add("TLSv1.3");
@@ -120,10 +126,8 @@ public void testJettyTlsServerInvalidCipher() throws Exception {
         Server server = new Server();
         List<ServerConnector> connectors = new ArrayList<>();
         SslContextFactory.Server factory = JettySslContextFactory.createServerSslContextWithKeystore(null,
-                "JKS", Resources.getResource("ssl/jetty_server_key.jks").getPath(),
-                "jetty_server_pwd", false, "JKS",
-                Resources.getResource("ssl/jetty_server_trust.jks").getPath(),
-                "jetty_server_pwd", true, new HashSet<String>() {
+                keyStoreType, brokerKeyStorePath, keyStorePassword, false, keyStoreType, clientTrustStorePath,
+                keyStorePassword, true, new HashSet<String>() {
                     {
                         this.add("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");
                     }
@@ -155,10 +159,7 @@ public void testJettyTlsServerInvalidCipher() throws Exception {
     }
 
     private static SSLContext getClientSslContext() {
-        return getSslContext(Resources.getResource("ssl/jetty_client_key.jks").getPath(),
-                "jetty_client_pwd",
-                Resources.getResource("ssl/jetty_client_trust.jks").getPath(),
-                "jetty_client_pwd");
+        return getSslContext(clientKeyStorePath, keyStorePassword, brokerTrustStorePath, keyStorePassword);
     }
 
     private static SSLContext getSslContext(String keyStorePath, String keyStorePassword,
@@ -189,5 +190,4 @@ private static SSLContext getSslContext(String keyStorePath, String keyStorePass
             return null;
         }
     }
-
-}
+}
diff --git a/pulsar-broker-common/src/test/resources/ssl/jetty_client_key.jks b/pulsar-broker-common/src/test/resources/ssl/jetty_client_key.jks
diff --git a/pulsar-broker-common/src/test/resources/ssl/jetty_client_trust.jks b/pulsar-broker-common/src/test/resources/ssl/jetty_client_trust.jks
diff --git a/pulsar-broker-common/src/test/resources/ssl/jetty_server_key.jks b/pulsar-broker-common/src/test/resources/ssl/jetty_server_key.jks
diff --git a/pulsar-broker-common/src/test/resources/ssl/jetty_server_trust.jks b/pulsar-broker-common/src/test/resources/ssl/jetty_server_trust.jks
diff --git a/pulsar-broker/pom.xml b/pulsar-broker/pom.xml
@@ -541,6 +541,29 @@
           </execution>
         </executions>
       </plugin>
+
+      <plugin>
+        <artifactId>maven-resources-plugin</artifactId>
+        <executions>
+          <execution>
+            <id>copy-resources</id>
+            <phase>test-compile</phase>
+            <goals>
+              <goal>copy-resources</goal>
+            </goals>
+            <configuration>
+              <outputDirectory>${project.build.testOutputDirectory}/certificate-authority</outputDirectory>
+              <overwrite>true</overwrite>
+              <resources>
+                <resource>
+                  <directory>${project.parent.basedir}/tests/certificate-authority</directory>
+                  <filtering>false</filtering>
+                </resource>
+              </resources>
+            </configuration>
+          </execution>
+        </executions>
+      </plugin>
     </plugins>
     <resources>
       <resource>

diff --git a/pulsar-broker/src/test/java/org/apache/pulsar/broker/auth/MockedPulsarServiceBaseTest.java b/pulsar-broker/src/test/java/org/apache/pulsar/broker/auth/MockedPulsarServiceBaseTest.java
@@ -25,6 +25,7 @@
 import static org.mockito.Mockito.spy;
 import static org.mockito.Mockito.when;
 import com.google.common.collect.Sets;
+import com.google.common.io.Resources;
 import com.google.common.util.concurrent.MoreExecutors;
 import io.netty.channel.EventLoopGroup;
 import java.lang.reflect.Field;
@@ -81,6 +82,26 @@
  * Base class for all tests that need a Pulsar instance without a ZK and BK cluster.
  */
 public abstract class MockedPulsarServiceBaseTest extends TestRetrySupport {
+    public final static String BROKER_KEYSTORE_FILE_PATH =
+            Resources.getResource("certificate-authority/jks/broker.keystore.jks").getPath();
+    public final static String BROKER_TRUSTSTORE_FILE_PATH =
+            Resources.getResource("certificate-authority/jks/broker.truststore.jks").getPath();
+    public final static String BROKER_TRUSTSTORE_NO_PASSWORD_FILE_PATH =
+            Resources.getResource("certificate-authority/jks/broker.truststore.nopassword.jks").getPath();
+    public final static String BROKER_KEYSTORE_PW = "111111";
+    public final static String BROKER_TRUSTSTORE_PW = "111111";
+
+    public final static String CLIENT_KEYSTORE_FILE_PATH =
+            Resources.getResource("certificate-authority/jks/client.keystore.jks").getPath();
+    public final static String CLIENT_TRUSTSTORE_FILE_PATH =
+            Resources.getResource("certificate-authority/jks/client.truststore.jks").getPath();
+    public final static String CLIENT_TRUSTSTORE_NO_PASSWORD_FILE_PATH =
+            Resources.getResource("certificate-authority/jks/client.truststore.nopassword.jks").getPath();
+    public final static String CLIENT_KEYSTORE_PW = "111111";
+    public final static String CLIENT_TRUSTSTORE_PW = "111111";
+
+    public final static String CLIENT_KEYSTORE_CN = "clientuser";
+    public final static String KEYSTORE_TYPE = "JKS";
 
     protected final String DUMMY_VALUE = "DUMMY_VALUE";
     protected final String GLOBAL_DUMMY_VALUE = "GLOBAL_DUMMY_VALUE";

diff --git a/pulsar-broker/src/test/java/org/apache/pulsar/client/impl/AdminApiKeyStoreTlsAuthTest.java b/pulsar-broker/src/test/java/org/apache/pulsar/client/impl/AdminApiKeyStoreTlsAuthTest.java
@@ -62,24 +62,6 @@
 @Slf4j
 @Test(groups = "broker-impl")
 public class AdminApiKeyStoreTlsAuthTest extends ProducerConsumerBase {
-
-    protected final String BROKER_KEYSTORE_FILE_PATH =
-            "./src/test/resources/authentication/keystoretls/broker.keystore.jks";
-    protected final String BROKER_TRUSTSTORE_FILE_PATH =
-            "./src/test/resources/authentication/keystoretls/broker.truststore.jks";
-    protected final String BROKER_KEYSTORE_PW = "111111";
-    protected final String BROKER_TRUSTSTORE_PW = "111111";
-
-    protected final String CLIENT_KEYSTORE_FILE_PATH =
-            "./src/test/resources/authentication/keystoretls/client.keystore.jks";
-    protected final String CLIENT_TRUSTSTORE_FILE_PATH =
-            "./src/test/resources/authentication/keystoretls/client.truststore.jks";
-    protected final String CLIENT_KEYSTORE_PW = "111111";
-    protected final String CLIENT_TRUSTSTORE_PW = "111111";
-
-    protected final String CLIENT_KEYSTORE_CN = "clientuser";
-    protected final String KEYSTORE_TYPE = "JKS";
-
     private final String clusterName = "test";
     Set<String> tlsProtocols = Sets.newConcurrentHashSet();
 

diff --git a/.../test/java/org/apache/pulsar/client/impl/KeyStoreTlsProducerConsumerTestWithAuthTest.java b/.../test/java/org/apache/pulsar/client/impl/KeyStoreTlsProducerConsumerTestWithAuthTest.java
@@ -51,23 +51,6 @@
 @Test(groups = "broker-impl")
 public class KeyStoreTlsProducerConsumerTestWithAuthTest extends ProducerConsumerBase {
 
-    protected final String BROKER_KEYSTORE_FILE_PATH =
-            "./src/test/resources/authentication/keystoretls/broker.keystore.jks";
-    protected final String BROKER_TRUSTSTORE_FILE_PATH =
-            "./src/test/resources/authentication/keystoretls/broker.truststore.jks";
-    protected final String BROKER_KEYSTORE_PW = "111111";
-    protected final String BROKER_TRUSTSTORE_PW = "111111";
-
-    protected final String CLIENT_KEYSTORE_FILE_PATH =
-            "./src/test/resources/authentication/keystoretls/client.keystore.jks";
-    protected final String CLIENT_TRUSTSTORE_FILE_PATH =
-            "./src/test/resources/authentication/keystoretls/client.truststore.jks";
-    protected final String CLIENT_KEYSTORE_PW = "111111";
-    protected final String CLIENT_TRUSTSTORE_PW = "111111";
-
-    protected final String CLIENT_KEYSTORE_CN = "clientuser";
-    protected final String KEYSTORE_TYPE = "JKS";
-
     private final String clusterName = "use";
 
     @BeforeMethod
@@ -162,7 +145,7 @@ protected void internalSetUpForNamespace() throws Exception {
                 .brokerServiceUrlTls(pulsar.getBrokerServiceUrlTls())
                 .build());
         admin.tenants().createTenant("my-property",
-                new TenantInfoImpl(Sets.newHashSet("appid1", "appid2"), Sets.newHashSet("use")));
+                new TenantInfoImpl(Sets.newHashSet("appid1", "appid2"), Sets.newHashSet(clusterName)));
         admin.namespaces().createNamespace("my-property/my-ns");
     }
 

diff --git a/...st/java/org/apache/pulsar/client/impl/KeyStoreTlsProducerConsumerTestWithoutAuthTest.java b/...st/java/org/apache/pulsar/client/impl/KeyStoreTlsProducerConsumerTestWithoutAuthTest.java
@@ -48,22 +48,6 @@
 @Slf4j
 @Test(groups = "broker-impl")
 public class KeyStoreTlsProducerConsumerTestWithoutAuthTest extends ProducerConsumerBase {
-    protected final String BROKER_KEYSTORE_FILE_PATH =
-            "./src/test/resources/authentication/keystoretls/broker.keystore.jks";
-    protected final String BROKER_TRUSTSTORE_FILE_PATH =
-            "./src/test/resources/authentication/keystoretls/broker.truststore.jks";
-    protected final String BROKER_KEYSTORE_PW = "111111";
-    protected final String BROKER_TRUSTSTORE_PW = "111111";
-
-    protected final String CLIENT_KEYSTORE_FILE_PATH =
-            "./src/test/resources/authentication/keystoretls/client.keystore.jks";
-    protected final String CLIENT_TRUSTSTORE_FILE_PATH =
-            "./src/test/resources/authentication/keystoretls/client.truststore.jks";
-    protected final String CLIENT_KEYSTORE_PW = "111111";
-    protected final String CLIENT_TRUSTSTORE_PW = "111111";
-
-    protected final String KEYSTORE_TYPE = "JKS";
-
     private final String clusterName = "use";
     Set<String> tlsProtocols = Sets.newConcurrentHashSet();
 
@@ -148,7 +132,7 @@ protected void internalSetUpForNamespace() throws Exception {
                 .brokerServiceUrlTls(pulsar.getBrokerServiceUrlTls())
                 .build());
         admin.tenants().createTenant("my-property",
-                new TenantInfoImpl(Sets.newHashSet("appid1", "appid2"), Sets.newHashSet("use")));
+                new TenantInfoImpl(Sets.newHashSet("appid1", "appid2"), Sets.newHashSet(clusterName)));
         admin.namespaces().createNamespace("my-property/my-ns");
     }