From 57795bafcea290c6879bb288822435c480a9212d Mon Sep 17 00:00:00 2001
From: gtully
Date: Thu, 27 Apr 2017 12:07:12 +0100
Subject: [PATCH] [AMQ-6665] - check for peercerts is now on tcp transport such that the bridge connection info can have the correct context
---
 .../DemandForwardingBridgeSupport.java | 8 +-
 ...AuthenticationNetworkBridgeNioSslTest.java | 25 +++
 ...asDualAuthenticationNetworkBridgeTest.java | 9 +-
 .../JaasDualAuthenticationNetworkBridge.xml | 4 +-
 ...sDualAuthenticationNetworkBridgeNioSsl.xml | 178 ++++++++++++++++++
 5 files changed, 217 insertions(+), 7 deletions(-)
 create mode 100644 activemq-unit-tests/src/test/java/org/apache/activemq/security/JaasDualAuthenticationNetworkBridgeNioSslTest.java
 create mode 100644 activemq-unit-tests/src/test/resources/org/apache/activemq/security/JaasDualAuthenticationNetworkBridgeNioSsl.xml
diff --git a/activemq-broker/src/main/java/org/apache/activemq/network/DemandForwardingBridgeSupport.java b/activemq-broker/src/main/java/org/apache/activemq/network/DemandForwardingBridgeSupport.java
index e343ad6ae7..5070266b97 100644
--- a/activemq-broker/src/main/java/org/apache/activemq/network/DemandForwardingBridgeSupport.java
+++ b/activemq-broker/src/main/java/org/apache/activemq/network/DemandForwardingBridgeSupport.java
@@ -488,8 +488,8 @@ public abstract class DemandForwardingBridgeSupport implements NetworkBridge, Br
 while (originalTransport instanceof TransportFilter) {
 originalTransport = ((TransportFilter) originalTransport).getNext();
 }
- if (originalTransport instanceof SslTransport) {
- X509Certificate[] peerCerts = ((SslTransport) originalTransport).getPeerCertificates();
+ if (originalTransport instanceof TcpTransport) {
+ X509Certificate[] peerCerts = originalTransport.getPeerCertificates();
 localConnectionInfo.setTransportContext(peerCerts);
 }
 // sync requests that may fail
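Review bot: Widening the guard to `instanceof TcpTransport` means the changed `if` now also runs for plain, non-TLS TCP connections, where `getPeerCertificates()` presumably returns null, so `setTransportContext` receives a null chain. That is only safe if every consumer of the transport context treats null as "no client certificate", which cannot be confirmed from this hunk. Since the call compiles without the old cast, the class check no longer seems necessary; testing the result states the intent directly: `if (peerCerts != null) { localConnectionInfo.setTransportContext(peerCerts); }`. The duplex branch in the `@@ -513,8` hunk has the same shape and wants the same guard. The enclosing method starts and ends outside both hunks.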
@@ -513,8 +513,8 @@ public abstract class DemandForwardingBridgeSupport implements NetworkBridge, Br
 duplexLocalConnectionInfo.setUserName(configuration.getUserName());
 duplexLocalConnectionInfo.setPassword(configuration.getPassword());
- if (originalTransport instanceof SslTransport) {
- X509Certificate[] peerCerts = ((SslTransport) originalTransport).getPeerCertificates();
+ if (originalTransport instanceof TcpTransport) {
+ X509Certificate[] peerCerts = originalTransport.getPeerCertificates();
 duplexLocalConnectionInfo.setTransportContext(peerCerts);
 }
 // sync requests that may fail
diff --git a/activemq-unit-tests/src/test/java/org/apache/activemq/security/JaasDualAuthenticationNetworkBridgeNioSslTest.java b/activemq-unit-tests/src/test/java/org/apache/activemq/security/JaasDualAuthenticationNetworkBridgeNioSslTest.java
new file mode 100644
index 0000000000..96534337e9
--- /dev/null
+++ b/activemq-unit-tests/src/test/java/org/apache/activemq/security/JaasDualAuthenticationNetworkBridgeNioSslTest.java
@@ -0,0 +1,25 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.security;
+
+public class JaasDualAuthenticationNetworkBridgeNioSslTest extends JaasDualAuthenticationNetworkBridgeTest {
+ public JaasDualAuthenticationNetworkBridgeNioSslTest() {
+ super();
+ CONFIG_FILE="org/apache/activemq/security/JaasDualAuthenticationNetworkBridgeNioSsl.xml";
+ }
+}
+
diff --git a/activemq-unit-tests/src/test/java/org/apache/activemq/security/JaasDualAuthenticationNetworkBridgeTest.java b/activemq-unit-tests/src/test/java/org/apache/activemq/security/JaasDualAuthenticationNetworkBridgeTest.java
index e6dd562a5a..633c40f1a2 100644
--- a/activemq-unit-tests/src/test/java/org/apache/activemq/security/JaasDualAuthenticationNetworkBridgeTest.java
+++ b/activemq-unit-tests/src/test/java/org/apache/activemq/security/JaasDualAuthenticationNetworkBridgeTest.java
@@ -32,6 +32,7 @@ import org.junit.Assert;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import sun.nio.ch.Net;
 /**
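Review bot: `import sun.nio.ch.Net;` in the `@@ -32,6 +32,7` hunk of JaasDualAuthenticationNetworkBridgeTest.java pulls in a JDK-internal class that none of the visible changes use, which looks like an accidental IDE auto-import. Internal `sun.*` packages are not a supported API and are not guaranteed to be accessible on every JDK or build configuration, so the test can stop compiling for reasons unrelated to what it checks. Drop the line; if the `for (NetworkBridge nb : bridges)` loop added further down in this file needs an import, the intended one is presumably `org.apache.activemq.network.NetworkBridge`.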
@@ -50,7 +51,7 @@ import org.slf4j.LoggerFactory;
 * - ssl-domain-JaasDualAuthenticationNetworkBridgeTest.properties
 */
 public class JaasDualAuthenticationNetworkBridgeTest {
- protected final static String CONFIG_FILE="org/apache/activemq/security/JaasDualAuthenticationNetworkBridge.xml";
+ protected String CONFIG_FILE="org/apache/activemq/security/JaasDualAuthenticationNetworkBridge.xml";
 protected static Logger LOG = LoggerFactory.getLogger(JaasDualAuthenticationNetworkBridgeTest.class);
 private BrokerService broker1 = null;
 private BrokerService broker2 = null;
@@ -78,6 +79,9 @@ public class JaasDualAuthenticationNetworkBridgeTest {
 LOG.error("Error: " + e.getMessage());
 throw e;
 }
+
+ broker2.start();
+ broker1.start();
 }
 /**
@@ -126,6 +130,9 @@ public class JaasDualAuthenticationNetworkBridgeTest {
 Collection bridges = nc.activeBridges();
 Assert.assertFalse("Network bridge not established to broker 2", bridges.isEmpty());
 Assert.assertTrue("Network bridge not established to broker 2", bridges.size() == 1);
+ for (NetworkBridge nb : bridges) {
+ Assert.assertTrue(nb.getRemoteBrokerId() != null);
+ }
 LOG.info("Network bridge is correctly established.");
 } catch (java.lang.InterruptedException ex) {
 LOG.warn(ex.getMessage());
diff --git a/activemq-unit-tests/src/test/resources/org/apache/activemq/security/JaasDualAuthenticationNetworkBridge.xml b/activemq-unit-tests/src/test/resources/org/apache/activemq/security/JaasDualAuthenticationNetworkBridge.xml
index 7b810182c0..faae4dbf0c 100644
--- a/activemq-unit-tests/src/test/resources/org/apache/activemq/security/JaasDualAuthenticationNetworkBridge.xml
+++ b/activemq-unit-tests/src/test/resources/org/apache/activemq/security/JaasDualAuthenticationNetworkBridge.xml
@@ -25,7 +25,7 @@
+ dataDirectory="./target/activemq-data-broker1" persistent="false" start="false">
@@ -105,7 +105,7 @@
+ dataDirectory="./target/activemq-data-broker2" persistent="false" start="false">
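Review bot: `CONFIG_FILE` in the `@@ -50,7 +51,7` hunk of JaasDualAuthenticationNetworkBridgeTest.java is now a mutable instance field that still carries a constant-style name, and the NIO+SSL subclass added by this commit replaces its value by assigning to it in the constructor. An overridable accessor states the intent and keeps the value fixed per class: `protected String getConfigFile() { return "org/apache/activemq/security/JaasDualAuthenticationNetworkBridge.xml"; }`, with the subclass overriding it. The code that reads the field lies outside the hunk, so that call site would need the matching one-line change.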
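Review bot: `Assert.assertTrue(nb.getRemoteBrokerId() != null);` in the `@@ -126,6 +130,9` hunk fails with a bare AssertionError that does not say which check tripped, unlike the two messaged assertions just above it. Prefer `Assert.assertNotNull("Remote broker id not set on bridge to broker 2", nb.getRemoteBrokerId());`. A one-line comment on why a non-null remote broker id is taken as the sign that the bridge really authenticated would also help, since that reasoning is not visible in the hunk. The enclosing test method starts and ends outside the hunk.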
diff --git a/activemq-unit-tests/src/test/resources/org/apache/activemq/security/JaasDualAuthenticationNetworkBridgeNioSsl.xml b/activemq-unit-tests/src/test/resources/org/apache/activemq/security/JaasDualAuthenticationNetworkBridgeNioSsl.xml new file mode 100644 index 0000000000..9e5e7d1f91 --- /dev/null +++ b/activemq-unit-tests/src/test/resources/org/apache/activemq/security/JaasDualAuthenticationNetworkBridgeNioSsl.xml @@ -0,0 +1,178 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +