NO-JIRA Add console mutual ssl smoke test

tests/smoke-tests/pom.xml

@@ -245,6 +245,22 @@
                      <configuration>${basedir}/target/classes/servers/console</configuration>
                   </configuration>
                </execution>
+               <execution>
+                  <phase>test-compile</phase>
+                  <id>create-create-console-mutual-ssl</id>
+                  <goals>
+                     <goal>create</goal>
+                  </goals>
+                  <configuration>
+                     <role>amq</role>
+                     <user>admin</user>
+                     <password>admin</password>
+                     <allowAnonymous>false</allowAnonymous>
+                     <noWeb>false</noWeb>
+                     <instance>${basedir}/target/console-mutual-ssl</instance>
+                     <configuration>${basedir}/target/classes/servers/console-mutual-ssl</configuration>
+                  </configuration>
+               </execution>
                <execution>
                   <phase>test-compile</phase>
                   <id>create0</id>

tests/smoke-tests/src/main/resources/servers/console-mutual-ssl/bootstrap.xml

@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<!--
+  ~ Licensed to the Apache Software Foundation (ASF) under one or more
+  ~ contributor license agreements. See the NOTICE file distributed with
+  ~ this work for additional information regarding copyright ownership.
+  ~ The ASF licenses this file to You under the Apache License, Version 2.0
+  ~ (the "License"); you may not use this file except in compliance with
+  ~ the License. You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<broker xmlns="http://activemq.org/schema">
+
+   <jaas-security domain="activemq"/>
+
+
+   <!-- artemis.URI.instance is parsed from artemis.instance by the CLI startup.
+        This is to avoid situations where you could have spaces or special characters on this URI -->
+   <server configuration="file:/home/dbruscin/Workspace/temp/apache-artemis-2.19.0/broker-guest/etc//broker.xml"/>
+
+   <!-- The web server is only bound to localhost by default -->
+   <web bind="https://localhost:8443"
+        path="web"
+        keyStorePath="../../test-classes/server-keystore.p12"
+        keyStorePassword="securepass"
+        clientAuth="true"
+        trustStorePath="../../test-classes/client-ca-truststore.p12"
+        trustStorePassword="securepass">
+       <app url="activemq-branding" war="activemq-branding.war"/>
+       <app url="artemis-plugin" war="artemis-plugin.war"/>
+       <app url="console" war="console.war"/>
+   </web>
+
+
+</broker>
+

tests/smoke-tests/src/main/resources/servers/console-mutual-ssl/cert-roles.properties

@@ -0,0 +1,18 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+amq = admin

tests/smoke-tests/src/main/resources/servers/console-mutual-ssl/cert-users.properties

@@ -0,0 +1,18 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+admin=CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, ST=AMQ, C=AMQ

tests/smoke-tests/src/main/resources/servers/console-mutual-ssl/jolokia-access.xml

@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+
+<!-- This policy file controls the Jolokia JMX-HTTP bridge security options for the web console.
+   see: https://jolokia.org/reference/html/security.html -->
+<restrict>
+
+    <cors>
+        <!-- Allow cross origin access from localhost ... -->
+        <allow-origin>*://localhost*</allow-origin>
+        <allow-origin>*://host.testcontainers.internal*</allow-origin>
+
+
+        <!-- Options from this point on are auto-generated by Create.java from the Artemis CLI -->
+        <!-- Check for the proper origin on the server side, too -->
+        <strict-checking/>
+    </cors>
+
+</restrict>

tests/smoke-tests/src/main/resources/servers/console-mutual-ssl/login.config

@@ -0,0 +1,29 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+activemq {
+   org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule sufficient
+       debug=false
+       reload=true
+       org.apache.activemq.jaas.properties.user="artemis-users.properties"
+       org.apache.activemq.jaas.properties.role="artemis-roles.properties";
+
+    org.apache.activemq.artemis.spi.core.security.jaas.TextFileCertificateLoginModule sufficient
+        debug=true
+        org.apache.activemq.jaas.textfiledn.user="cert-users.properties"
+        org.apache.activemq.jaas.textfiledn.role="cert-roles.properties";
+};

tests/smoke-tests/src/test/java/org/apache/activemq/artemis/tests/smoke/console/ConsoleMutualSSLTest.java

@@ -0,0 +1,90 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.activemq.artemis.tests.smoke.console;
+
+import com.github.dockerjava.zerodep.shaded.org.apache.hc.core5.ssl.SSLContexts;
+import org.apache.activemq.artemis.tests.smoke.common.SmokeTestBase;
+import org.apache.activemq.artemis.util.ServerUtil;
+import org.apache.activemq.artemis.utils.Wait;
+import org.apache.http.client.methods.CloseableHttpResponse;
+import org.apache.http.client.methods.HttpGet;
+import org.apache.http.impl.client.CloseableHttpClient;
+import org.apache.http.impl.client.HttpClients;
+import org.junit.Before;
+import org.junit.Test;
+
+import javax.net.ssl.SSLContext;
+import java.io.File;
+
+public class ConsoleMutualSSLTest extends SmokeTestBase {
+
+   protected static final String SERVER_NAME = "console-mutual-ssl";
+   protected static final String SERVER_ADMIN_USERNAME = "admin";
+   protected static final String SERVER_ADMIN_PASSWORD = "admin";
+
+   @Before
+   public void before() throws Exception {
+      cleanupData(SERVER_NAME);
+      disableCheckThread();
+      startServer(SERVER_NAME, 0, 0);
+      ServerUtil.waitForServerToStart(0, SERVER_ADMIN_USERNAME, SERVER_ADMIN_PASSWORD, 30000);
+   }
+
+   @Test
+   public void testLoginWithValidCertificate() throws Exception {
+      File keyStoreFile = new File(this.getClass().getClassLoader().getResource("client-keystore.p12").getFile());
+      File trustStoreFile = new File(this.getClass().getClassLoader().getResource("server-ca-truststore.p12").getFile());
+      SSLContext sslContext = SSLContexts.custom()
+         .loadKeyMaterial(keyStoreFile, "securepass".toCharArray(), "securepass".toCharArray())
+         .loadTrustMaterial(trustStoreFile, "securepass".toCharArray())
+         .build();
+      try (CloseableHttpClient httpClient = HttpClients.custom().disableRedirectHandling().setSSLContext(sslContext).build()) {
+         Wait.assertTrue(() -> {
+            try {
+               try (CloseableHttpResponse response = httpClient.execute(new HttpGet("https://localhost:8443/console/"))) {
+                  return response.getStatusLine().getStatusCode() == 200;
+               }
+            } catch (Exception ignore) {
+               return false;
+            }
+         }, 5000);
+      }
+   }
+
+   @Test
+   public void testLoginWithInvalidCertificate() throws Exception {
+      File keyStoreFile = new File(this.getClass().getClassLoader().getResource("other-client-keystore.p12").getFile());
+      File trustStoreFile = new File(this.getClass().getClassLoader().getResource("server-ca-truststore.p12").getFile());
+      SSLContext sslContext = SSLContexts.custom()
+         .loadKeyMaterial(keyStoreFile, "securepass".toCharArray(), "securepass".toCharArray())
+         .loadTrustMaterial(trustStoreFile, "securepass".toCharArray())
+         .build();
+      try (CloseableHttpClient httpClient = HttpClients.custom().disableRedirectHandling().setSSLContext(sslContext).build()) {
+         Wait.assertTrue(() -> {
+            try {
+               try (CloseableHttpResponse response = httpClient.execute(new HttpGet("https://localhost:8443/console/"))) {
+                  return response.getStatusLine().getStatusCode() == 302 &&
+                     response.getFirstHeader("Location").getValue().endsWith("auth/login");
+               }
+            } catch (Exception ignore) {
+               return false;
+            }
+         }, 5000);
+      }
+   }
+}