ARTEMIS-3038: unwind effect of defunct changes from ARTEMIS-1264

Follows earlier test removal in a3de3d4c75
2021-10-05 17:17:35 +01:00 · 2021-10-05 17:17:35 +01:00 · a5b5a504e0
parent 15c2dbb1c3
commit a5b5a504e0
6 changed files with 19 additions and 115 deletions
--- a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/config/federation/FederationDownstreamConfiguration.java
+++ b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/config/federation/FederationDownstreamConfiguration.java
@ -56,7 +56,6 @@ public class FederationDownstreamConfiguration extends FederationStreamConfigura
      //The federated server that creates the upstream back will rely on its config from the acceptor for TLS
      stripParam(params, TransportConstants.SSL_ENABLED_PROP_NAME);
      stripParam(params, TransportConstants.SSL_PROVIDER);
-      stripParam(params, TransportConstants.SSL_KRB5_CONFIG_PROP_NAME);
      stripParam(params, TransportConstants.KEYSTORE_PATH_PROP_NAME);
      stripParam(params, TransportConstants.KEYSTORE_PASSWORD_PROP_NAME);
      stripParam(params, TransportConstants.KEYSTORE_PROVIDER_PROP_NAME);
--- a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java
+++ b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java
@ -20,8 +20,6 @@ import javax.net.ssl.SNIHostName;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLParameters;
-import javax.security.auth.Subject;
-import javax.security.auth.login.LoginContext;
 import java.io.IOException;
 import java.net.ConnectException;
 import java.net.InetAddress;
@ -33,7 +31,6 @@ import java.net.UnknownHostException;
 import java.nio.charset.StandardCharsets;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
-import java.security.PrivilegedExceptionAction;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
@ -265,8 +262,6 @@ public class NettyConnector extends AbstractConnector {

   private String sniHost;

-   private String kerb5Config;
-
   private boolean useDefaultSslContext;

   private boolean tcpNoDelay;
@ -433,8 +428,6 @@ public class NettyConnector extends AbstractConnector {

         sniHost = ConfigurationHelper.getStringProperty(TransportConstants.SNIHOST_PROP_NAME, TransportConstants.DEFAULT_SNIHOST_CONFIG, configuration);

-         kerb5Config = ConfigurationHelper.getStringProperty(TransportConstants.SSL_KRB5_CONFIG_PROP_NAME, TransportConstants.DEFAULT_SSL_KRB5_CONFIG, configuration);
-
         useDefaultSslContext = ConfigurationHelper.getBooleanProperty(TransportConstants.USE_DEFAULT_SSL_CONTEXT_PROP_NAME, TransportConstants.DEFAULT_USE_DEFAULT_SSL_CONTEXT, configuration);

         trustManagerFactoryPlugin = ConfigurationHelper.getStringProperty(TransportConstants.TRUST_MANAGER_FACTORY_PLUGIN_PROP_NAME, TransportConstants.DEFAULT_TRUST_MANAGER_FACTORY_PLUGIN, configuration);
@ -759,50 +752,22 @@ public class NettyConnector extends AbstractConnector {
      final SSLContext context = SSLContextFactoryProvider.getSSLContextFactory()
         .getSSLContext(sslContextConfig, configuration);

-      Subject subject = null;
-      if (kerb5Config != null) {
-         LoginContext loginContext = new LoginContext(kerb5Config);
-         loginContext.login();
-         subject = loginContext.getSubject();
-         verifyHost = true;
+      if (host != null && port != -1) {
+         return context.createSSLEngine(host, port);
+      } else {
+         return context.createSSLEngine();
      }
-
-      SSLEngine engine = Subject.doAs(subject, new PrivilegedExceptionAction<SSLEngine>() {
-         @Override
-         public SSLEngine run() {
-            if (host != null && port != -1) {
-               return context.createSSLEngine(host, port);
-            } else {
-               return context.createSSLEngine();
-            }
-         }
-      });
-      return engine;
   }

   private SSLEngine loadOpenSslEngine(final ByteBufAllocator alloc, final SSLContextConfig sslContextConfig) throws Exception {
      final SslContext context = OpenSSLContextFactoryProvider.getOpenSSLContextFactory()
         .getClientSslContext(sslContextConfig, configuration);

-      Subject subject = null;
-      if (kerb5Config != null) {
-         LoginContext loginContext = new LoginContext(kerb5Config);
-         loginContext.login();
-         subject = loginContext.getSubject();
-         verifyHost = true;
+      if (host != null && port != -1) {
+         return context.newEngine(alloc, host, port);
+      } else {
+         return context.newEngine(alloc);
      }
-
-      SSLEngine engine = Subject.doAs(subject, new PrivilegedExceptionAction<SSLEngine>() {
-         @Override
-         public SSLEngine run() {
-            if (host != null && port != -1) {
-               return context.newEngine(alloc, host, port);
-            } else {
-               return context.newEngine(alloc);
-            }
-         }
-      });
-      return engine;
   }

   @Override
--- a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/TransportConstants.java
+++ b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/TransportConstants.java
@ -33,8 +33,6 @@ public class TransportConstants {

   public static final String SSL_ENABLED_PROP_NAME = "sslEnabled";

-   public static final String SSL_KRB5_CONFIG_PROP_NAME = "sslKrb5Config";
-
   public static final String HTTP_ENABLED_PROP_NAME = "httpEnabled";

   public static final String HTTP_CLIENT_IDLE_PROP_NAME = "httpClientIdleTime";
@ -196,8 +194,6 @@ public class TransportConstants {

   public static final boolean DEFAULT_SSL_ENABLED = false;

-   public static final String DEFAULT_SSL_KRB5_CONFIG = null;
-
   public static final String DEFAULT_SNIHOST_CONFIG = null;

   public static final boolean DEFAULT_USE_GLOBAL_WORKER_POOL = true;
--- a/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyAcceptor.java
+++ b/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyAcceptor.java
@ -21,13 +21,10 @@ import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLHandshakeException;
 import javax.net.ssl.SSLParameters;
-import javax.security.auth.Subject;
-import javax.security.auth.login.LoginContext;
 import java.net.InetSocketAddress;
 import java.net.SocketAddress;
 import java.security.AccessController;
 import java.security.PrivilegedAction;
-import java.security.PrivilegedExceptionAction;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.HashSet;
@ -189,8 +186,6 @@ public class NettyAcceptor extends AbstractAcceptor {

   private final String trustManagerFactoryPlugin;

-   private final String kerb5Config;
-
   private String sniHost;

   private final boolean tcpNoDelay;
@ -269,8 +264,6 @@ public class NettyAcceptor extends AbstractAcceptor {

      sslEnabled = ConfigurationHelper.getBooleanProperty(TransportConstants.SSL_ENABLED_PROP_NAME, TransportConstants.DEFAULT_SSL_ENABLED, configuration);

-      kerb5Config = ConfigurationHelper.getStringProperty(TransportConstants.SSL_KRB5_CONFIG_PROP_NAME, TransportConstants.DEFAULT_SSL_KRB5_CONFIG, configuration);
-
      remotingThreads = ConfigurationHelper.getIntProperty(TransportConstants.NIO_REMOTING_THREADS_PROPNAME, -1, configuration);
      remotingThreads = ConfigurationHelper.getIntProperty(TransportConstants.REMOTING_THREADS_PROPNAME, remotingThreads, configuration);

@ -674,55 +667,31 @@ public class NettyAcceptor extends AbstractAcceptor {

   private SSLEngine loadJdkSslEngine(String peerHost, int peerPort) throws Exception {
      final SSLContext context = (SSLContext) providerAgnosticSslContext;
-      Subject subject = null;
-      if (kerb5Config != null) {
-         LoginContext loginContext = new LoginContext(kerb5Config);
-         loginContext.login();
-         subject = loginContext.getSubject();
-      }

-      SSLEngine engine = Subject.doAs(subject, new PrivilegedExceptionAction<SSLEngine>() {
-         @Override
-         public SSLEngine run() {
-            if (peerHost != null && peerPort != 0) {
-               return context.createSSLEngine(peerHost, peerPort);
-            } else {
-               return context.createSSLEngine();
-            }
-         }
-      });
-      return engine;
+      if (peerHost != null && peerPort != 0) {
+         return context.createSSLEngine(peerHost, peerPort);
+      } else {
+         return context.createSSLEngine();
+      }
   }

   private void checkSSLConfiguration() throws IllegalArgumentException {
      if (configuration.containsKey(TransportConstants.SSL_CONTEXT_PROP_NAME)) {
         return;
      }
-      if (kerb5Config == null && keyStorePath == null && TransportConstants.DEFAULT_KEYSTORE_PROVIDER.equals(keyStoreProvider)) {
+      if (keyStorePath == null && TransportConstants.DEFAULT_KEYSTORE_PROVIDER.equals(keyStoreProvider)) {
         throw new IllegalArgumentException("If \"" + TransportConstants.SSL_ENABLED_PROP_NAME + "\" is true then \"" + TransportConstants.KEYSTORE_PATH_PROP_NAME + "\" must be non-null unless an alternative \"" + TransportConstants.KEYSTORE_PROVIDER_PROP_NAME + "\" has been specified.");
      }
   }

   private SSLEngine loadOpenSslEngine(ByteBufAllocator alloc, String peerHost, int peerPort) throws Exception {
      final SslContext context = (SslContext) providerAgnosticSslContext;
-      Subject subject = null;
-      if (kerb5Config != null) {
-         LoginContext loginContext = new LoginContext(kerb5Config);
-         loginContext.login();
-         subject = loginContext.getSubject();
-      }

-      SSLEngine engine = Subject.doAs(subject, new PrivilegedExceptionAction<SSLEngine>() {
-         @Override
-         public SSLEngine run() {
-            if (peerHost != null && peerPort != 0) {
-               return context.newEngine(alloc, peerHost, peerPort);
-            } else {
-               return context.newEngine(alloc);
-            }
-         }
-      });
-      return engine;
+      if (peerHost != null && peerPort != 0) {
+         return context.newEngine(alloc, peerHost, peerPort);
+      } else {
+         return context.newEngine(alloc);
+      }
   }

   private void startServerChannels() {
--- a/docs/user-manual/en/security.md
+++ b/docs/user-manual/en/security.md
@ -1159,16 +1159,6 @@ amqp-sasl-gssapi {
 };
 ```

-##### TLS Kerberos Cipher Suites
-
-The legacy [rfc2712](https://www.ietf.org/rfc/rfc2712.txt) defines TLS Kerberos
-cipher suites that can be used by TLS to negotiate Kerberos authentication. The
-cypher suites offered by rfc2712 are dated and insecure and rfc2712 has been
-superseded by SASL GSSAPI. However, for clients that don't support SASL (core
-client), using TLS can provide Kerberos authentication over an *unsecure*
-channel.
-
-
 ### Role Mapping

 On the server, a Kerberos or SCRAM-SHA JAAS authenticated Principal must be added to the
--- a/tests/integration-tests/src/test/resources/login.config
+++ b/tests/integration-tests/src/test/resources/login.config
@ -282,21 +282,6 @@ Krb5PlusLdapMemberOfNoRoleName {
        ;
 };

-core-tls-krb5-server {
-    com.sun.security.auth.module.Krb5LoginModule required
-    isInitiator=false
-    storeKey=true
-    useKeyTab=true
-    principal="host/sni.host"
-    debug=true;
-};
-
-core-tls-krb5-client {
-    com.sun.security.auth.module.Krb5LoginModule required
-    principal="client"
-    useKeyTab=true;
-};
-
 amqp-sasl-gssapi {
    com.sun.security.auth.module.Krb5LoginModule required
    isInitiator=false