W-16889209 | merge changes

Author: sorin-sv-mulesoft

pom.xml

@@ -234,6 +234,63 @@
 
     <build>
         <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-surefire-plugin</artifactId>
+                <version>2.19.1</version>
+                <configuration>
+                    <argLine>-Dfile.encoding=UTF-8 -javaagent:${settings.localRepository}/org/aspectj/aspectjweaver/${aspectjVersion}/aspectjweaver-${aspectjVersion}.jar -javaagent:${settings.localRepository}/org/jacoco/org.jacoco.agent/${jacoco.version}/org.jacoco.agent-${jacoco.version}-runtime.jar=destfile='${session.executionRootDirectory}/target/jacoco.exec'</argLine>
+                    <properties>
+                        <property>
+                            <name>listener</name>
+                            <value>io.qameta.allure.junit4.AllureJunit4</value>
+                        </property>
+                    </properties>
+                    <systemPropertyVariables>
+                        <!-- Just propagate this variable due to surefire will not do this when forked vm for tests -->
+                        <mule.freePortFinder.lockPath>${java.io.tmpdir}/mule/freePortFinder</mule.freePortFinder.lockPath>
+                        <maven.projectVersion>${project.version}</maven.projectVersion>
+                        <activeMQPort>${activemq.listener.port}</activeMQPort>
+                        <activeMQSslPort>${activemq.ssl.listener.port}</activeMQSslPort>
+                        <buildDirectory>${project.build.directory}</buildDirectory>
+                    </systemPropertyVariables>
+                    <systemProperties>
+                        <property>
+                            <name>allure.results.directory</name>
+                            <value>${project.build.directory}/allure-results</value>
+                        </property>
+                    </systemProperties>
+                    <forkCount>1</forkCount>
+                    <reuseForks>false</reuseForks>
+                    <workingDirectory>${project.build.directory}</workingDirectory>
+                </configuration>
+                <dependencies>
+                    <dependency>
+                        <groupId>org.aspectj</groupId>
+                        <artifactId>aspectjweaver</artifactId>
+                        <version>${aspectjVersion}</version>
+                    </dependency>
+                    <dependency>
+                        <groupId>org.jacoco</groupId>
+                        <artifactId>org.jacoco.agent</artifactId>
+                        <version>${jacoco.version}</version>
+                        <classifier>runtime</classifier>
+                    </dependency>
+                    <!-- Add this dependency for JAXB API -->
+                    <dependency>
+                        <groupId>javax.xml.bind</groupId>
+                        <artifactId>jaxb-api</artifactId>
+                        <version>2.3.1</version>
+                    </dependency>
+
+                    <!-- Add this dependency for JAXB runtime (optional, depending on your specific needs) -->
+                    <dependency>
+                        <groupId>org.glassfish.jaxb</groupId>
+                        <artifactId>jaxb-runtime</artifactId>
+                        <version>2.3.1</version>
+                    </dependency>
+                </dependencies>
+            </plugin>
             <plugin>
                 <groupId>com.mycila</groupId>
                 <artifactId>license-maven-plugin</artifactId>
@@ -366,6 +423,9 @@
                     </execution>
                 </executions>
                 <configuration>
+                    <systemPropertyVariables>
+                        <jdk.tls.trustNameService>true</jdk.tls.trustNameService>
+                    </systemPropertyVariables>
                     <argLines>
                         <argLine>-javaagent:${settings.localRepository}/org/jacoco/org.jacoco.agent/${jacoco.version}/org.jacoco.agent-${jacoco.version}-runtime.jar=destfile=${session.executionRootDirectory}/target/jacoco-munit.exec</argLine>
                     </argLines>

src/main/java/org/apache/activemq/transport/tcp/SslTransport.java

@@ -0,0 +1,179 @@
+package org.apache.activemq.transport.tcp;
+
+import java.io.IOException;
+import java.net.Socket;
+import java.net.SocketException;
+import java.net.URI;
+import java.net.UnknownHostException;
+import java.security.cert.X509Certificate;
+import java.util.Collections;
+
+import javax.net.ssl.SNIHostName;
+import javax.net.ssl.SSLParameters;
+import javax.net.ssl.SSLPeerUnverifiedException;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.SSLSocketFactory;
+
+import org.apache.activemq.command.ConnectionInfo;
+import org.apache.activemq.wireformat.WireFormat;
+public class SslTransport extends TcpTransport {
+
+    /**
+     * Default to null as there are different defaults between server and client, initialiseSocket
+     * for more details
+     */
+    private Boolean verifyHostName = null;
+
+    /**
+     * Connect to a remote node such as a Broker.
+     *
+     * @param wireFormat The WireFormat to be used.
+     * @param socketFactory The socket factory to be used. Forcing SSLSockets
+     *                for obvious reasons.
+     * @param remoteLocation The remote location.
+     * @param localLocation The local location.
+     * @param needClientAuth If set to true, the underlying socket will need
+     *                client certificate authentication.
+     * @throws UnknownHostException If TcpTransport throws.
+     * @throws IOException If TcpTransport throws.
+     */
+    @SuppressWarnings({ "unchecked", "rawtypes" })
+    public SslTransport(WireFormat wireFormat, SSLSocketFactory socketFactory, URI remoteLocation, URI localLocation, boolean needClientAuth) throws IOException {
+        super(wireFormat, socketFactory, remoteLocation, localLocation);
+        if (this.socket != null) {
+            ((SSLSocket)this.socket).setNeedClientAuth(needClientAuth);
+        }
+    }
+
+    @Override
+    protected void initialiseSocket(Socket sock) throws SocketException, IllegalArgumentException {
+        /**
+         * This needs to default to null because this transport class is used for both a server transport
+         * and a client connection and we have different defaults for both.
+         * If we default it to a value it might override the transport server setting
+         * that was configured inside TcpTransportServer (which sets a default to false for server side)
+         *
+         * The idea here is that if this is a server transport then verifyHostName will be set by the setter
+         * and not be null as TcpTransportServer will set a default value of false (or a user will set it
+         * using transport.verifyHostName) but if this is a client connection the value will be null by default
+         * and will stay null if the user uses socket.verifyHostName to set the value or doesn't use the setter
+         * If it is null then we can check socketOptions for the value and if not set there then we can
+         * just set a default of true as this will be a client
+         *
+         * Unfortunately we have to do this to stay consistent because every other SSL option on the client
+         * side can be configured using socket. but this particular option isn't actually part of the socket
+         * so it makes it tricky from a user standpoint. For consistency sake I think it makes sense to allow
+         * using the socket. prefix that has been established so users do not get confused (as well as
+         * allow using no prefix which just calls the setter directly)
+         *
+         * Because of this there are actually two ways a client can configure this value, the client can either use
+         * socket.verifyHostName=<value> as mentioned or just simply use verifyHostName=<value> without using the socket.
+         * prefix and that will also work as the value will be set using the setter on the transport
+         *
+         * example server transport config:
+         *  ssl://localhost:61616?transport.verifyHostName=true
+         *
+         * example from client:
+         *  ssl://localhost:61616?verifyHostName=true
+         *                  OR
+         *  ssl://localhost:61616?socket.verifyHostName=true
+         *
+         */
+        if (verifyHostName == null) {
+            //Check to see if the user included the value as part of socket options and if so then use that value
+            if (socketOptions != null && socketOptions.containsKey("verifyHostName")) {
+                verifyHostName = Boolean.parseBoolean(socketOptions.get("verifyHostName").toString());
+                socketOptions.remove("verifyHostName");
+            } else {
+                //If null and not set then this is a client so default to true
+                verifyHostName = true;
+            }
+        }
+
+        // Lets try to configure the SSL SNI field.  Handy in case your using
+        // a single proxy to route to different messaging apps.
+        final SSLParameters sslParams = new SSLParameters();
+        if (remoteLocation != null) {
+            sslParams.setServerNames(Collections.singletonList(new SNIHostName(remoteLocation.getHost())));
+        }
+
+        if (verifyHostName) {
+            sslParams.setEndpointIdentificationAlgorithm("HTTPS");
+        }
+
+        if (remoteLocation != null || verifyHostName) {
+            // AMQ-8445 only set SSLParameters if it has been populated before
+            ((SSLSocket) this.socket).setSSLParameters(sslParams);
+        }
+
+        super.initialiseSocket(sock);
+    }
+
+    /**
+     * Initialize from a ServerSocket. No access to needClientAuth is given
+     * since it is already set within the provided socket.
+     *
+     * @param wireFormat The WireFormat to be used.
+     * @param socket The Socket to be used. Forcing SSL.
+     * @throws IOException If TcpTransport throws.
+     */
+    public SslTransport(WireFormat wireFormat, SSLSocket socket) throws IOException {
+        super(wireFormat, socket);
+    }
+
+    public SslTransport(WireFormat format, SSLSocket socket,
+                        InitBuffer initBuffer) throws IOException {
+        super(format, socket, initBuffer);
+    }
+
+    /**
+     * Overriding in order to add the client's certificates to ConnectionInfo
+     * Commmands.
+     *
+     * @param command The Command coming in.
+     */
+    @Override
+    public void doConsume(Object command) {
+        // The instanceof can be avoided, but that would require modifying the
+        // Command clas tree and that would require too much effort right
+        // now.
+        if (command instanceof ConnectionInfo) {
+            ConnectionInfo connectionInfo = (ConnectionInfo)command;
+            connectionInfo.setTransportContext(getPeerCertificates());
+        }
+        super.doConsume(command);
+    }
+
+    public void setVerifyHostName(Boolean verifyHostName) {
+        this.verifyHostName = verifyHostName;
+    }
+
+    /**
+     * @return peer certificate chain associated with the ssl socket
+     */
+    @Override
+    public X509Certificate[] getPeerCertificates() {
+
+        SSLSocket sslSocket = (SSLSocket)this.socket;
+
+        SSLSession sslSession = sslSocket.getSession();
+
+        X509Certificate[] clientCertChain;
+        try {
+            clientCertChain = (X509Certificate[])sslSession.getPeerCertificates();
+        } catch (SSLPeerUnverifiedException e) {
+            clientCertChain = null;
+        }
+
+        return clientCertChain;
+    }
+
+    /**
+     * @return pretty print of 'this'
+     */
+    @Override
+    public String toString() {
+        return "ssl://" + socket.getInetAddress() + ":" + socket.getPort();
+    }
+}

src/main/java/org/apache/activemq/transport/tcp/TcpTransport.java

@@ -22,6 +22,7 @@
 import org.mule.extensions.jms.internal.ExcludeFromGeneratedCoverage;
 import org.mule.extensions.jms.internal.connection.exception.ActiveMQException;
 import org.mule.extensions.jms.internal.connection.provider.BaseConnectionProvider;
+import org.mule.extensions.jms.internal.connection.provider.loader.FirewallLoader;
 import org.mule.jms.commons.internal.connection.JmsConnection;
 import org.mule.jms.commons.internal.connection.JmsTransactionalConnection;
 import org.mule.runtime.api.connection.ConnectionException;
@@ -46,6 +47,8 @@
 import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Method;
 import java.lang.reflect.Proxy;
+import java.net.URL;
+import java.net.URLClassLoader;
 import java.security.KeyManagementException;
 import java.security.NoSuchAlgorithmException;
 import java.util.function.Supplier;
@@ -268,6 +271,12 @@ protected void configureSSLContext() {
     try {
       if (tlsConfiguration != null) {
         SSLContext sslContext = tlsConfiguration.createSslContext();
+        ClassLoader currentClassLoader = Thread.currentThread().getContextClassLoader();
+        // force loading of class from connector instead of the one from the library, because it uses reflection
+        ClassLoader firewallLoader = new FirewallLoader(currentClassLoader);
+        ClassLoader loader = new URLClassLoader(new URL[]{this.getClass().getProtectionDomain().getCodeSource().getLocation()}, firewallLoader);
+        Thread.currentThread().setContextClassLoader(loader);
+
         SslContext activeMQSslContext = new SslContext();
         activeMQSslContext.setSSLContext(sslContext);
         SslContext.setCurrentSslContext(activeMQSslContext);

src/main/java/org/mule/extensions/jms/internal/connection/provider/activemq/ActiveMQConnectionProvider.java

@@ -0,0 +1,13 @@
+package org.mule.extensions.jms.internal.connection.provider.loader;
+
+public class FirewallLoader extends ClassLoader {
+    public FirewallLoader(ClassLoader parent) {
+        super(parent);
+    }
+    public Class loadClass(String name, boolean resolve) throws ClassNotFoundException {
+        if (name.equals("org.apache.activemq.transport.tcp.SslTransport") || name.equals("org.apache.activemq.transport.tcp.TcpTransport")) {
+            throw new ClassNotFoundException();
+        }
+        return super.loadClass(name, resolve);
+    }
+}

src/main/java/org/mule/extensions/jms/internal/connection/provider/loader/FirewallLoader.java

@@ -1,12 +1,20 @@
 FROM openjdk:8-jre
 
+RUN wget https://downloads.bouncycastle.org/fips-java/bc-fips-1.0.2.4.jar -P $JAVA_HOME/lib/ext
+RUN cp -a $JAVA_HOME/lib/security/java.security $JAVA_HOME/lib/security/java.security.orig
+COPY java.security.fips $JAVA_HOME/lib/security/java.security
+
+RUN cp -a $JAVA_HOME/lib/security/cacerts $JAVA_HOME/lib/security/cacerts.orig
+RUN rm $JAVA_HOME/lib/security/cacerts
+RUN keytool -importkeystore -srckeystore $JAVA_HOME/lib/security/cacerts.orig -srcstoretype JKS -destkeystore $JAVA_HOME/lib/security/cacerts -deststoretype BCFKS -deststorepass changeit -srcstorepass changeit
+
 ENV ACTIVEMQ_VERSION 5.15.9
 ENV ACTIVEMQ apache-activemq-$ACTIVEMQ_VERSION
 ENV FILENAME $ACTIVEMQ-bin.tar.gz
 ENV ACTIVEMQ_TCP=61616 ACTIVEMQ_AMQP=5672 ACTIVEMQ_STOMP=61613 ACTIVEMQ_MQTT=1883 ACTIVEMQ_WS=61614 ACTIVEMQ_UI=8161
 ENV SHA512_VAL=35cae4258e38e47f9f81e785f547afc457fc331d2177bfc2391277ce24123be1196f10c670b61e30b43b7ab0db0628f3ff33f08660f235b7796d59ba922d444f
 ENV ACTIVEMQ_HOME /opt/activemq
-ENV ACTIVEMQ_SSL_OPTS=-Djavax.net.ssl.keyStore=/opt/activemq/certs/ActiveMq/broker.ks -Djavax.net.ssl.keyStorePassword=racing
+ENV ACTIVEMQ_SSL_OPTS=-Djavax.net.ssl.keyStore=/opt/activemq/certs/ActiveMq/broker.ks -Djavax.net.ssl.keyStorePassword=password
 
 COPY $FILENAME $FILENAME
 

src/test/docker/tls/Dockerfile

@@ -123,8 +123,10 @@
             <bean xmlns="http://www.springframework.org/schema/beans" class="org.apache.activemq.hooks.SpringContextHook" />
         </shutdownHooks>
         <sslContext>
-            <sslContext keyStore="file:${activemq.base}/certs/ActiveMq/broker.ks" keyStorePassword="racing"
-                        trustStore="file:${activemq.base}/certs/ActiveMq/broker.ts" trustStorePassword="racing"/>
+            <sslContext keyStore="file:${activemq.base}/certs/ActiveMq/broker.ks" keyStorePassword="password" keyStoreType="BCFKS"
+                        trustStore="file:${activemq.base}/certs/ActiveMq/broker.ts" trustStorePassword="password"
+                        trustStoreType="BCFKS" secureRandomAlgorithm="default"
+            />
         </sslContext>
     </broker>
 

src/test/docker/tls/activemq.xml

@@ -20,19 +20,19 @@
             <munit:parameterization name="invalid-broker-url">
                 <munit:parameters>
                     <!-- a valid ip which is not the host defined in the CN for the TSL connection certificate -->
-                    <munit:parameter propertyName="brokerUrl" value="ssl://0.0.0.0:${activemq.port}"/>
+                    <munit:parameter propertyName="brokerUrl" value="ssl://0.0.0.0:${activemq.port}?socket.verifyHostName=false"/>
                 </munit:parameters>
             </munit:parameterization>
             <munit:parameterization name="valid-broker-url">
                 <munit:parameters>
                     <!-- a host which is not the one defined in the CN for the TSL connection certificate -->
-                    <munit:parameter propertyName="brokerUrl" value="ssl://localhost:${activemq.port}"/>
+                    <munit:parameter propertyName="brokerUrl" value="ssl://localhost:${activemq.port}?socket.verifyHostName=false"/>
                 </munit:parameters>
             </munit:parameterization>
             <munit:parameterization name="valid-failover-broker-url">
                 <munit:parameters>
                     <!-- a host which is not the one defined in the CN for the TSL connection certificate, using a failover brokerURL -->
-                    <munit:parameter propertyName="brokerUrl" value="failover:(ssl://localhost:${activemq.port},ssl://localhost:${activemq.port})"/>
+                    <munit:parameter propertyName="brokerUrl" value="failover:(ssl://localhost:${activemq.port}?socket.verifyHostName=false&amp;maxReconnectAttempts=10,ssl://localhost:${activemq.port}?socket.verifyHostName=false)"/>
                 </munit:parameters>
             </munit:parameterization>
         </munit:parameterizations>
@@ -41,15 +41,15 @@
     <munit:dynamic-port propertyName="activemq.port"/>
 
     <munit:before-test name="before-activemq-over-ssl-test-case" description="after test">
-        <set-variable variableName="storetype" value="${cert2.type}"/>
-        <set-variable variableName="storePath" value="tls/client.ks.${cert2.ext}"/>
+        <set-variable variableName="storetype" value="bcfks"/>
+        <set-variable variableName="storePath" value="tls/broker.bcfks"/>
     </munit:before-test>
 
     <jms:config name="config-with-ssl">
         <jms:active-mq-connection>
             <tls:context >
-                <tls:trust-store insecure="true" />
-                <tls:key-store type="#[vars.storetype]" path="#[vars.storePath]" keyPassword="password" password="password" algorithm="PKIX"/>
+                <tls:trust-store type="${vars.storetype}" path="tls/broker.bcfks" password="password" algorithm="PKIX"/>
+                <tls:key-store type="${vars.storetype}" path="tls/broker.bcfks" keyPassword="password" password="password" algorithm="PKIX"/>
             </tls:context>
             <jms:factory-configuration brokerUrl="${brokerUrl}" />
         </jms:active-mq-connection>
@@ -92,12 +92,18 @@
         </munit:execution>
     </munit:test>
 
+    <munit:test name="test-connectivity"
+                ignore="#[p('mule.security.model')!='fips140-2']">
+        <munit:execution>
+            <mtf:test-connectivity config-ref="config-with-ssl" />
+        </munit:execution>
+    </munit:test>
+
     <munit:test name="wrong-keystore-type-FIPS"
-                ignore="#[p('mule.security.model')==null or p('mule.security.model')!='fips140-2']"
-                expectedException="java.security.KeyStoreException">
+                expectedException="java.security.KeyStoreException" ignore="true">
         <munit:execution>
-            <set-variable variableName="storetype" value="jks"/>
-            <set-variable variableName="storePath" value="tls/client.ks"/>
+            <set-variable variableName="storetype" value="bcfks"/>
+            <set-variable variableName="storePath" value="tls/broker.ks"/>
             <mtf:test-connectivity config-ref="config-with-ssl" />
         </munit:execution>
     </munit:test>

src/test/docker/tls/broker-keystore.ks

@@ -22,9 +22,10 @@
                 <reconnect-forever />
             </reconnection>
             <tls:context >
-                <tls:trust-store path="tls/client-truststore.${cert2.ext}" password="racing" type="${cert2.type}" />
+                <tls:trust-store type="bcfks" path="tls/broker.bcfks" password="password" algorithm="PKIX"/>
+                <tls:key-store type="bcfks" path="tls/broker.bcfks" keyPassword="password" password="password" algorithm="PKIX"/>
             </tls:context>
-            <jms:factory-configuration brokerUrl="ssl://localhost:${activemq.ssl.listener.port}" />
+            <jms:factory-configuration brokerUrl="ssl://localhost:${activemq.ssl.listener.port}?socket.verifyHostName=false" />
         </jms:active-mq-connection>
     </jms:config>
 

src/test/docker/tls/client-truststore.ks

@@ -21,12 +21,13 @@
 <jms:config name="JMS_SSL_XA_Config">
     <jms:active-mq-connection username="admin" password="admin" clientId="client1" >
         <tls:context >
-            <tls:trust-store path="tls/client-truststore-new.${cert1.ext}" password="racing" type="${cert1.type}" />
+            <tls:trust-store type="bcfks" path="tls/broker.bcfks" password="password" algorithm="PKIX"/>
+            <tls:key-store type="bcfks" path="tls/broker.bcfks" keyPassword="password" password="password" algorithm="PKIX"/>
         </tls:context>
         <jms:caching-strategy >
             <jms:no-caching />
         </jms:caching-strategy>
-        <jms:factory-configuration brokerUrl="ssl://localhost:${activemq.ssl.listener.port}" enable-xa="true"/>
+        <jms:factory-configuration brokerUrl="ssl://localhost:${activemq.ssl.listener.port}?socket.verifyHostName=false" enable-xa="true"/>
     </jms:active-mq-connection>
 </jms:config>
 

src/test/docker/tls/java.security.fips

@@ -51,7 +51,15 @@
 
     <sslContext>
       <sslContext
-            keyStore="tls/broker.ks.bcfks" keyStorePassword="password" trustStore="tls/client.ks.bcfks" trustStorePassword="password"/>
+            keyStore="tls/broker.bcfks"
+            keyStorePassword="password"
+            keyStoreType="BCFKS"
+
+            trustStore="tls/client.bcfks"
+            trustStorePassword="password"
+            trustStoreType="BCFKS"
+
+            secureRandomAlgorithm="default" />
     </sslContext>
 
 
@@ -104,7 +112,7 @@
             http://activemq.apache.org/configuring-transports.html
         -->
         <transportConnectors>
-            <transportConnector name="ssl" uri="ssl://0.0.0.0:${activemq.port}?transport.needClientAuth=true&amp;transport.enabledProtocols=TLSv1.2" />
+            <transportConnector name="ssl" uri="ssl://0.0.0.0:${activemq.port}?socket.verifyHostName=false&amp;transport.needClientAuth=true&amp;transport.enabledProtocols=TLSv1.2" />
         </transportConnectors>
 
         <!-- destroy the spring context on shutdown to stop jetty -->

src/test/munit/activemq-over-ssl-test-case.xml

@@ -104,7 +104,7 @@
             http://activemq.apache.org/configuring-transports.html
         -->
         <transportConnectors>
-            <transportConnector name="ssl" uri="ssl://0.0.0.0:${activemq.port}?transport.needClientAuth=true&amp;transport.enabledProtocols=TLSv1.2" />
+            <transportConnector name="ssl" uri="ssl://0.0.0.0:${activemq.port}?socket.verifyHostName=false&amp;transport.needClientAuth=true&amp;transport.enabledProtocols=TLSv1.2" />
         </transportConnectors>
 
         <!-- destroy the spring context on shutdown to stop jetty -->