Merge pull request #1267 from michalvavrik/feature/add-tls-registry-s…
…upport Support TLS registry and certificate reloading
Showing
21 changed files
with
633 additions
and
73 deletions.
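--- a/examples/https/src/test/java/io/quarkus/qe/HttpsTlsRegistryNamedConfigIT.java
+++ b/examples/https/src/test/java/io/quarkus/qe/HttpsTlsRegistryNamedConfigIT.java
@@ -0,0 +1,77 @@
+package io.quarkus.qe;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+import org.apache.http.HttpStatus;
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
+
+import io.quarkus.test.bootstrap.RestService;
+import io.quarkus.test.scenarios.QuarkusScenario;
+import io.quarkus.test.services.Certificate;
+import io.quarkus.test.services.QuarkusApplication;
+
+@QuarkusScenario
+public class HttpsTlsRegistryNamedConfigIT {
+
+static final String CLIENT_CN_1 = "my-client-1";
+static final String CLIENT_CN_2 = "my-client-2";
+static final String CLIENT_CN_3 = "my-client-3";
+
+@QuarkusApplication(ssl = true, certificates = @Certificate(configureKeystore = true, clientCertificates = {
+@Certificate.ClientCertificate(cnAttribute = CLIENT_CN_1),
+@Certificate.ClientCertificate(cnAttribute = CLIENT_CN_2),
+@Certificate.ClientCertificate(cnAttribute = CLIENT_CN_3, unknownToServer = true)
+}, configureTruststore = true, configureHttpServer = true, tlsConfigName = "my-name"))
+static final RestService app = new RestService()
+.withProperty("quarkus.http.ssl.client-auth", "request")
+.withProperty("quarkus.http.insecure-requests", "DISABLED");
+
+@Test
+public void testTLS() {
+// mTLS auth is not required, but the communication must be secured
+sayHello();
+}
+
+@Test
+public void testMutualTLS() {
+// mTLS required
+sayHello(CLIENT_CN_1);
+sayHello(CLIENT_CN_2);
+}
+
+@Test
+public void testFailureAsServerUnknownToClient() {
+try {
+app.mutinyHttps(true, CLIENT_CN_1, false).get("/greeting/mutual-tls").sendAndAwait();
+} catch (Exception e) {
+return;
+}
+Assertions.fail("HTTP request should had failed as server is unknown to the client");
+}
+
+@Test
+public void testAuthNFailureAsClientUnknownToServer() {
+var resp = app.mutinyHttps(CLIENT_CN_3).get("/greeting/mutual-tls").sendAndAwait();
+assertEquals(401, resp.statusCode());
+}
+
+private static void sayHello() {
+sayHello(CLIENT_CN_1, false);
+}
+
+private static void sayHello(String clientCn) {
+sayHello(clientCn, true);
+}
+
+private static void sayHello(String clientCn, boolean requireMutualTLS) {
+var path = "/greeting" + (requireMutualTLS ? "/mutual-tls" : "");
+var response = app.mutinyHttps(clientCn).get(path).sendAndAwait();
+assertEquals(HttpStatus.SC_OK, response.statusCode());
+if (requireMutualTLS) {
+assertEquals("Hello CN=%s!".formatted(clientCn), response.bodyAsString());
+} else {
+assertEquals("Hello World!", response.bodyAsString());
+}
+}
+}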
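Review bot: `testFailureAsServerUnknownToClient` passes on any exception, so a connection refusal, a timeout or a mistake in the test's own client setup is indistinguishable from the TLS handshake failure it is meant to prove, and the broad `catch (Exception e) { return; }` discards the cause that would tell them apart. Use `Assertions.assertThrows` and then walk the cause chain for an `SSLException` rather than asserting the top-level type, because the wrapper thrown by `mutinyHttps(...).sendAndAwait()` is not visible here. The three-argument `mutinyHttps(true, CLIENT_CN_1, false)` call also deserves a one-line comment naming what the two booleans select, since their meaning cannot be read from the call site; I presume the last one controls whether the client trusts the server certificate, but that should be confirmed against the helper. The fail message `"should had failed"` should read `"should have failed"`.
```java
@Test
public void testFailureAsServerUnknownToClient() {
    var thrown = Assertions.assertThrows(Exception.class,
            () -> app.mutinyHttps(true, CLIENT_CN_1, false).get("/greeting/mutual-tls").sendAndAwait());
    // only a handshake failure proves the point; a refused connection or a setup error must not pass
    Throwable cause = thrown;
    while (cause != null && !(cause instanceof javax.net.ssl.SSLException)) {
        cause = cause.getCause();
    }
    Assertions.assertNotNull(cause, "request should have failed with a TLS handshake error, got: " + thrown);
}
```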
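--- a/examples/https/src/test/java/io/quarkus/qe/TlsRegistryCertificateReloadingIT.java
+++ b/examples/https/src/test/java/io/quarkus/qe/TlsRegistryCertificateReloadingIT.java
@@ -0,0 +1,50 @@
+package io.quarkus.qe;
+
+import static io.quarkus.qe.HttpsTlsRegistryNamedConfigIT.CLIENT_CN_1;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+import org.apache.http.HttpStatus;
+import org.junit.jupiter.api.Test;
+
+import io.quarkus.test.bootstrap.RestService;
+import io.quarkus.test.scenarios.QuarkusScenario;
+import io.quarkus.test.security.certificate.CertificateBuilder;
+import io.quarkus.test.security.certificate.ClientCertificateRequest;
+import io.quarkus.test.services.Certificate;
+import io.quarkus.test.services.QuarkusApplication;
+import io.quarkus.test.utils.AwaitilityUtils;
+
+@QuarkusScenario
+public class TlsRegistryCertificateReloadingIT {
+
+private static final String CERT_PREFIX = "reload-test";
+private static final String NEW_CLIENT_CN = "my-new-client";
+
+@QuarkusApplication(ssl = true, certificates = @Certificate(clientCertificates = {
+@Certificate.ClientCertificate(cnAttribute = CLIENT_CN_1)
+}, configureTruststore = true, configureHttpServer = true, configureKeystore = true, prefix = CERT_PREFIX))
+static RestService app = new RestService()
+.withProperty("quarkus.http.ssl.client-auth", "request")
+.withProperty("quarkus.http.insecure-requests", "DISABLED")
+.withProperty("quarkus.tls.reload-period", "2s");
+
+@Test
+public void testCertificateReload() {
+var path = "/greeting/mutual-tls";
+
+var response = app.mutinyHttps(CLIENT_CN_1).get(path).sendAndAwait();
+assertEquals(HttpStatus.SC_OK, response.statusCode());
+assertEquals("Hello CN=%s!".formatted(CLIENT_CN_1), response.bodyAsString());
+
+var clientReq = new ClientCertificateRequest(NEW_CLIENT_CN, false);
+app
+.<CertificateBuilder> getPropertyFromContext(CertificateBuilder.INSTANCE_KEY)
+.regenerateCertificate(CERT_PREFIX, certReq -> certReq.withClientRequests(clientReq));
+
+AwaitilityUtils.untilAsserted(() -> {
+var response1 = app.mutinyHttps(NEW_CLIENT_CN).get(path).sendAndAwait();
+assertEquals(HttpStatus.SC_OK, response1.statusCode());
+assertEquals("Hello CN=%s!".formatted(NEW_CLIENT_CN), response1.bodyAsString());
+});
+}
+}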
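Review bot: `testCertificateReload` verifies only the positive half of a rotation: after `regenerateCertificate` the new `my-new-client` identity is accepted, but nothing asserts that the previous `CLIENT_CN_1` identity stops being accepted, which is the property a reload is supposed to provide. After the `untilAsserted` block, probe the old identity and require it to fail, e.g. `var old = app.mutinyHttps(CLIENT_CN_1).get(path).sendAndAwait(); assertNotEquals(HttpStatus.SC_OK, old.statusCode());`, tolerating a handshake exception as well, because whether the regenerated truststore drops the old client (or whether the server certificate itself changes and breaks the old client's trust) cannot be read from `withClientRequests(clientReq)` alone. A short comment above the `regenerateCertificate` call stating exactly which material is rotated — server key, CA, client certificates — would make that expectation explicit and document why a `2s` reload period is enough for the `untilAsserted` wait. Also `app` is declared `static RestService` here while the sibling test uses `static final RestService`; make it `final` for consistency.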
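--- a/examples/management/src/test/java/io/quarkus/qe/LocalTlsRegistryIT.java
+++ b/examples/management/src/test/java/io/quarkus/qe/LocalTlsRegistryIT.java
@@ -0,0 +1,32 @@
+package io.quarkus.qe;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+import org.junit.jupiter.api.Test;
+
+import io.quarkus.test.bootstrap.RestService;
+import io.quarkus.test.scenarios.QuarkusScenario;
+import io.quarkus.test.services.Certificate;
+import io.quarkus.test.services.QuarkusApplication;
+import io.restassured.response.Response;
+
+@QuarkusScenario
+public class LocalTlsRegistryIT {
+
+@QuarkusApplication(certificates = @Certificate(configureManagementInterface = true, configureKeystore = true))
+static final RestService service = new RestService()
+.withProperty("quarkus.management.port", "9003");
+
+@Test
+public void greeting() {
+Response response = service.given().get("/ping");
+assertEquals(200, response.statusCode());
+assertEquals("pong", response.body().asString());
+}
+
+@Test
+public void tls() {
+var statusCode = service.mutinyHttps().get("/q/health").sendAndAwait().statusCode();
+assertEquals(200, statusCode);
+}
+}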
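Review bot: `tls()` only shows that an HTTPS request to `/q/health` returns 200; it does not show that the management interface refuses plaintext, so a configuration that left management reachable over HTTP as well would pass unchanged. If the test framework can issue a plain-HTTP request against the management port, add that as a negative check expecting a connection failure; if it cannot, say so in a comment so the gap is not mistaken for coverage. The setup is also undocumented: `configureManagementInterface = true, configureKeystore = true` next to a plain `service.given().get("/ping")` in `greeting()` suggests the management interface is served over TLS while the main interface stays HTTP, and `9003` is pinned without a stated reason — a class-level comment such as `// management interface is served over TLS from the generated keystore on a fixed port (9003); the main interface stays plaintext — confirm against the generated configuration` would make the intent checkable.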