[
https://issues.apache.org/jira/browse/ARTEMIS-3794?focusedWorklogId=787643&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-787643
]
ASF GitHub Bot logged work on ARTEMIS-3794:
-------------------------------------------
Author: ASF GitHub Bot
Created on: 04/Jul/22 15:03
Start Date: 04/Jul/22 15:03
Worklog Time Spent: 10m
Work Description: ryan-highley commented on code in PR #4135:
URL: https://github.com/apache/activemq-artemis/pull/4135#discussion_r913085469
##########
tests/unit-tests/src/test/java/org/apache/activemq/artemis/tests/unit/core/remoting/impl/netty/NettyConnectorTest.java:
##########
@@ -171,6 +173,70 @@ public void bufferReceived(final Object connectionID,
final ActiveMQBuffer buffe
}
+ /**
+ * that encrypted java system properties are read
+ */
+ @Test
+ public void testEncryptedJavaSystemProperty() throws Exception {
+ BufferHandler handler = new BufferHandler() {
+ @Override
+ public void bufferReceived(final Object connectionID, final
ActiveMQBuffer buffer) {
+ }
+ };
+
+ DefaultSensitiveStringCodec codec = new DefaultSensitiveStringCodec();
+
+ System.setProperty(NettyConnector.JAVAX_KEYSTORE_PATH_PROP_NAME,
"client-keystore.jks");
+ System.setProperty(NettyConnector.JAVAX_KEYSTORE_PASSWORD_PROP_NAME,
PasswordMaskingUtil.wrap(codec.encode("securepass")));
+ System.setProperty(NettyConnector.JAVAX_TRUSTSTORE_PATH_PROP_NAME,
"server-ca-truststore.jks");
+ System.setProperty(NettyConnector.JAVAX_TRUSTSTORE_PASSWORD_PROP_NAME,
PasswordMaskingUtil.wrap(codec.encode("securepass")));
+
+ Map<String, Object> params = new HashMap<>();
+ params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
+
+ NettyConnector connector = new NettyConnector(params, handler, listener,
executorService,
Executors.newCachedThreadPool(ActiveMQThreadFactory.defaultThreadFactory()),
Executors.newScheduledThreadPool(5,
ActiveMQThreadFactory.defaultThreadFactory()));
+
+ connector.start();
+ Assert.assertTrue(connector.isStarted());
+ Connection c = connector.createConnection();
+ assertNotNull(c);
+ c.close();
+ connector.close();
+ Assert.assertFalse(connector.isStarted());
+
+ }
+
+ /**
+ * that bad value encrypted java system properties are read but fail
+ */
+ @Test
+ public void testEncryptedJavaSystemPropertyFail() throws Exception {
+ BufferHandler handler = new BufferHandler() {
+ @Override
+ public void bufferReceived(final Object connectionID, final
ActiveMQBuffer buffer) {
+ }
+ };
+
+ DefaultSensitiveStringCodec codec = new DefaultSensitiveStringCodec();
+
+ System.setProperty(NettyConnector.JAVAX_KEYSTORE_PATH_PROP_NAME,
"client-keystore.jks");
+ System.setProperty(NettyConnector.JAVAX_KEYSTORE_PASSWORD_PROP_NAME,
PasswordMaskingUtil.wrap(codec.encode("bad password")));
+ System.setProperty(NettyConnector.JAVAX_TRUSTSTORE_PATH_PROP_NAME,
"server-ca-truststore.jks");
+ System.setProperty(NettyConnector.JAVAX_TRUSTSTORE_PASSWORD_PROP_NAME,
PasswordMaskingUtil.wrap(codec.encode("bad password")));
Review Comment:
The very helpful CleanupSystemPropertiesRule inherited from ActiveMQTestBase
takes care of this between every test.
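Review bot: In testEncryptedJavaSystemProperty the two pools created inline in the `new NettyConnector(...)` call are never shut down, and `connector.close()` is reached only when every assertion before it passes. A failing `Assert.assertTrue(connector.isStarted())` or `assertNotNull(c)` can therefore leave a started connector and its threads behind for the tests that follow. Holding the pools in locals and releasing everything in a `finally` block keeps a failure here from leaking into later tests. testEncryptedJavaSystemPropertyFail is cut off in the quoted lines, so whether it has the same shape cannot be seen here.

```java
ExecutorService threadPool = Executors.newCachedThreadPool(ActiveMQThreadFactory.defaultThreadFactory());
ScheduledExecutorService scheduledPool = Executors.newScheduledThreadPool(5, ActiveMQThreadFactory.defaultThreadFactory());
NettyConnector connector = new NettyConnector(params, handler, listener, executorService, threadPool, scheduledPool);
try {
   connector.start();
   Assert.assertTrue(connector.isStarted());
   // … unchanged: createConnection, assertNotNull, c.close …
} finally {
   connector.close();
   scheduledPool.shutdownNow();
   threadPool.shutdownNow();
}
Assert.assertFalse(connector.isStarted());
```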
##########
tests/unit-tests/src/test/java/org/apache/activemq/artemis/tests/unit/core/remoting/impl/netty/NettyConnectorTest.java:
##########
@@ -334,6 +400,59 @@ public void bufferReceived(final Object connectionID,
final ActiveMQBuffer buffe
Assert.assertFalse(connector.isStarted());
}
+ @Test
+ public void testEncryptedActiveMQSystemProperties() throws Exception {
+ BufferHandler handler = new BufferHandler() {
+ @Override
+ public void bufferReceived(final Object connectionID, final
ActiveMQBuffer buffer) {
+ }
+ };
+ Map<String, Object> params = new HashMap<>();
+ params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
+
+ NettyConnector connector = new NettyConnector(params, handler, listener,
executorService,
Executors.newCachedThreadPool(ActiveMQThreadFactory.defaultThreadFactory()),
Executors.newScheduledThreadPool(5,
ActiveMQThreadFactory.defaultThreadFactory()));
+
+ DefaultSensitiveStringCodec codec = new DefaultSensitiveStringCodec();
+
+ System.setProperty(NettyConnector.ACTIVEMQ_KEYSTORE_PATH_PROP_NAME,
"client-keystore.jks");
+ System.setProperty(NettyConnector.ACTIVEMQ_KEYSTORE_PASSWORD_PROP_NAME,
PasswordMaskingUtil.wrap(codec.encode("securepass")));
+ System.setProperty(NettyConnector.ACTIVEMQ_TRUSTSTORE_PATH_PROP_NAME,
"server-ca-truststore.jks");
+
System.setProperty(NettyConnector.ACTIVEMQ_TRUSTSTORE_PASSWORD_PROP_NAME,
PasswordMaskingUtil.wrap(codec.encode("securepass")));
Review Comment:
The very helpful CleanupSystemPropertiesRule inherited from ActiveMQTestBase
takes care of this between every test.
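Review bot: testEncryptedActiveMQSystemProperties builds the `NettyConnector` before the four `ACTIVEMQ_*` properties are set, the reverse of the order used in testEncryptedJavaSystemProperty. The masked values are therefore only exercised if the connector reads system properties in `start()` rather than in its constructor, which is not visible in the quoted lines. Moving the `System.setProperty(...)` calls above `new NettyConnector(...)` would remove that dependency. If the order is intentional, a comment such as `// set after construction on purpose: the connector is expected to read these in start()` would record it. The method also has no Javadoc, unlike the two tests added earlier in the file; `/** that ENC(...)-masked ActiveMQ SSL system properties are read */` would match their style. The test body continues past the quoted lines.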
Issue Time Tracking
-------------------
Worklog Id: (was: 787643)
Time Spent: 1.5h (was: 1h 20m)
> "org.apache.activemq.ssl.keyStorePassword" and
> "org.apache.activemq.ssl.trustStorePassword" system properties should support
> ENC(...) format
> --------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: ARTEMIS-3794
> URL: https://issues.apache.org/jira/browse/ARTEMIS-3794
> Project: ActiveMQ Artemis
> Issue Type: Bug
> Components: Configuration
> Affects Versions: 2.19.1
> Reporter: Apache Dev
> Priority: Major
> Time Spent: 1.5h
> Remaining Estimate: 0h
>
> In order to set client keyStore/trustStore passwords, overriding those
> obtained by topology updates from brokers (see ARTEMIS-1157), we need to set
> system properties.
> Such properties could be logged in traces or appear in dumps.
> Supporting the ENC(...) format would be more secure, because the values would then be masked.