EAP7-1121 POC

auth/client/pom.xml

@@ -52,6 +52,10 @@
             <groupId>org.wildfly.security</groupId>
             <artifactId>wildfly-elytron-credential-store</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.wildfly.security</groupId>
+            <artifactId>wildfly-elytron-dynamic-ssl</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.wildfly.security</groupId>
             <artifactId>wildfly-elytron-keystore</artifactId>
@@ -76,7 +80,7 @@
             <groupId>org.wildfly.security</groupId>
             <artifactId>wildfly-elytron-x500-cert</artifactId>
         </dependency>
-                                
+
         <dependency>
             <groupId>org.jboss.logging</groupId>
             <artifactId>jboss-logging-annotations</artifactId>
@@ -146,6 +150,14 @@
             <artifactId>jmockit</artifactId>
             <scope>test</scope>
         </dependency>
+
+        <!-- https://mvnrepository.com/artifact/org.mockito/mockito-all -->
+        <dependency>
+            <groupId>org.mockito</groupId>
+            <artifactId>mockito-all</artifactId>
+            <version>1.9.5</version>
+            <scope>test</scope>
+        </dependency>
+
     </dependencies>
-
 </project>

auth/client/src/main/java/org/wildfly/security/auth/client/AuthenticationContext.java

@@ -354,6 +354,10 @@ public <T, E extends Exception> T runAsSupplierEx(ExceptionSupplier<T, E> action
         return runExFunction(ExceptionSupplier::get, action);
     }
 
+    RuleNode<SecurityFactory<SSLContext>> getSslRules() {
+        return this.sslRules;
+    }
+
     public ContextManager<AuthenticationContext> getInstanceContextManager() {
         return getContextManager();
     }

auth/client/src/main/java/org/wildfly/security/auth/client/AuthenticationContextConfigurationClient.java

@@ -27,10 +27,13 @@
 import java.net.URI;
 import java.security.AccessControlContext;
 import java.security.GeneralSecurityException;
+import java.security.NoSuchAlgorithmException;
 import java.security.Principal;
 import java.security.PrivilegedAction;
 import java.security.Provider;
+import java.util.ArrayList;
 import java.util.Collection;
+import java.util.List;
 import java.util.function.Supplier;
 import java.util.function.UnaryOperator;
 
@@ -196,6 +199,37 @@ private static AuthenticationConfiguration initializeConfiguration(final URI uri
         return configuration;
     }
 
+
+    List<SSLContext> getConfiguredSSLContexts(AuthenticationContext authenticationContext) {
+        List<SSLContext> sslContexts = new ArrayList<>();
+        RuleNode<SecurityFactory<SSLContext>> node = authenticationContext.getSslRules();
+        while (node != null) {
+            try {
+                sslContexts.add(node.getConfiguration().create());
+            } catch (GeneralSecurityException ignored) {
+                ignored.printStackTrace();
+            }
+            node = node.getNext();
+        }
+        return sslContexts;
+    }
+
+    public SSLContext getDefaultSSLContext(AuthenticationContext authenticationContext) throws NoSuchAlgorithmException {
+        SSLContext defaultSSLContext = null;
+        RuleNode<SecurityFactory<SSLContext>> node = authenticationContext.getSslRules();
+        while (node != null) {
+            try {
+                if(node.getRule().equals(MatchRule.ALL)) {
+                    defaultSSLContext = node.getConfiguration().create();
+                }
+            } catch (GeneralSecurityException ignored) {
+                ignored.printStackTrace();
+            }
+            node = node.getNext();
+        }
+        return defaultSSLContext == null ? SSLContext.getDefault() : defaultSSLContext;
+    }
+
     /**
      * Get the SSL context which matches the given URI, or {@link SSLContext#getDefault()} if there is none.
      *

auth/client/src/main/java/org/wildfly/security/auth/client/DynamicSSLContextImpl.java

@@ -0,0 +1,46 @@
+package org.wildfly.security.auth.client;
+
+import org.kohsuke.MetaInfServices;
+import org.wildfly.security.dynamic.ssl.DynamicSSLContextSPI;
+
+import javax.net.ssl.SSLContext;
+import java.net.URI;
+import java.security.AccessController;
+import java.security.GeneralSecurityException;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivilegedAction;
+import java.util.List;
+
+@MetaInfServices(value = DynamicSSLContextSPI.class)
+public class DynamicSSLContextImpl implements DynamicSSLContextSPI {
+
+    private final AuthenticationContextConfigurationClient AUTH_CONTEXT_CLIENT =
+            AccessController.doPrivileged((PrivilegedAction<AuthenticationContextConfigurationClient>) AuthenticationContextConfigurationClient::new);
+    private AuthenticationContext authenticationContext = AuthenticationContext.captureCurrent();
+    private SSLContext configuredDefaultSSLContext;
+    private List<SSLContext> configuredSSLContexts;
+
+    public DynamicSSLContextImpl() throws NoSuchAlgorithmException {
+        this.configuredSSLContexts = AUTH_CONTEXT_CLIENT.getConfiguredSSLContexts(authenticationContext);
+        this.configuredDefaultSSLContext = AUTH_CONTEXT_CLIENT.getDefaultSSLContext(authenticationContext);
+    }
+
+    @Override
+    public SSLContext getConfiguredDefault() {
+        return this.configuredDefaultSSLContext;
+    }
+
+    @Override
+    public List<SSLContext> getConfiguredSSLContexts() {
+        return this.configuredSSLContexts;
+    }
+
+    @Override
+    public SSLContext getSSLContext(URI uri) {
+        try {
+            return AUTH_CONTEXT_CLIENT.getSSLContext(uri, authenticationContext);
+        } catch (GeneralSecurityException e) {
+            throw new IllegalArgumentException(e);
+        }
+    }
+}

auth/client/src/test/java/org/wildfly/security/auth/client/DynamicSSLContextIntersectionTest.java

@@ -0,0 +1,105 @@
+package org.wildfly.security.auth.client;
+
+//import org.junit.Assert;
+//import org.junit.Test;
+//import org.wildfly.security.dynamic.ssl.DynamicSSLContext;
+//import org.wildfly.security.SecurityFactory;
+//import org.wildfly.security.auth.client.mocks.MockSSLContext;
+//import org.wildfly.security.auth.client.mocks.MockSSLContextSPI;
+//import org.wildfly.security.auth.client.mocks.MockSSLSocketFactory;
+//
+//import javax.net.ssl.SSLContext;
+//import javax.net.ssl.SSLSocketFactory;
+//import java.security.GeneralSecurityException;
+//
+//import static org.mockito.Mockito.mock;
+//import static org.mockito.Mockito.when;
+
+public class DynamicSSLContextIntersectionTest { // test with sockets properly
+//
+//    @Test
+//    public void testIntersectionOfSupportedCipherSuites() throws GeneralSecurityException {
+//
+//        SSLSocketFactory sslSocketFactory0Ciphers = new MockSSLSocketFactory() {
+//            @Override
+//            public String[] getSupportedCipherSuites() {
+//                return new String[0];
+//            }
+//        };
+//
+//        SSLSocketFactory sslSocketFactory3Ciphers = new MockSSLSocketFactory() {
+//            @Override
+//            public String[] getSupportedCipherSuites() {
+//                return new String[]{"TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256", "TLS_CIPHER_SUITE_NOT_COMMON"};
+//            }
+//        };
+//
+//        SSLSocketFactory sslSocketFactory4Ciphers = new MockSSLSocketFactory() {
+//            @Override
+//            public String[] getSupportedCipherSuites() {
+//                return new String[]{"TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_8_SHA256", "TLS_AES_128_GCM_SHA256", "TLS_AES_128_CCM_SHA256"};
+//            }
+//        };
+//
+//        SSLContext sslContext0Ciphers = new MockSSLContext(new MockSSLContextSPI() {
+//            @Override
+//            protected SSLSocketFactory engineGetSocketFactory() {
+//                return sslSocketFactory0Ciphers;
+//            }
+//        });
+//
+//        SSLContext sslContext3Ciphers = new MockSSLContext(new MockSSLContextSPI() {
+//            @Override
+//            protected SSLSocketFactory engineGetSocketFactory() {
+//                return sslSocketFactory3Ciphers;
+//            }
+//        });
+//
+//        SSLContext sslContext4Ciphers = new MockSSLContext(new MockSSLContextSPI() {
+//            @Override
+//            protected SSLSocketFactory engineGetSocketFactory() {
+//                return sslSocketFactory4Ciphers;
+//            }
+//        });
+//
+//
+//        SecurityFactory<SSLContext> sslContextSecurityFactory0Ciphers = mock(SecurityFactory.class);
+//        SecurityFactory<SSLContext> sslContextSecurityFactoryt3Ciphers = mock(SecurityFactory.class);
+//        SecurityFactory<SSLContext> sslContextSecurityFactory4Ciphers = mock(SecurityFactory.class);
+//
+//        when(sslContextSecurityFactory0Ciphers.create()).thenReturn(sslContext0Ciphers);
+//        when(sslContextSecurityFactoryt3Ciphers.create()).thenReturn(sslContext3Ciphers);
+//        when(sslContextSecurityFactory4Ciphers.create()).thenReturn(sslContext4Ciphers);
+//
+//        AuthenticationContext ctx = AuthenticationContext.empty()
+//                .withSsl(MatchRule.ALL.matchHost("host1"), sslContextSecurityFactory4Ciphers)
+//                .withSsl(MatchRule.ALL.matchHost("host2"), sslContextSecurityFactoryt3Ciphers);
+//        ctx.run(checkResultIntersectionSizeIs(2));
+//        ctx = AuthenticationContext.empty()
+//                .withSsl(MatchRule.ALL.matchHost("host1"), sslContextSecurityFactory4Ciphers)
+//                .withSsl(MatchRule.ALL.matchHost("host2"), sslContextSecurityFactoryt3Ciphers)
+//                .withSsl(MatchRule.ALL.matchHost("host3"), sslContextSecurityFactory0Ciphers);
+//        ctx.run(checkResultIntersectionSizeIs(0));
+//        ctx = AuthenticationContext.empty()
+//                .withSsl(MatchRule.ALL.matchHost("host3"), sslContextSecurityFactory0Ciphers)
+//                .withSsl(MatchRule.ALL.matchHost("host3"), sslContextSecurityFactory0Ciphers);
+//        ctx.run(checkResultIntersectionSizeIs(0));
+//        ctx = AuthenticationContext.empty()
+//                .withSsl(MatchRule.ALL.matchHost("host1"), sslContextSecurityFactory4Ciphers)
+//                .withSsl(MatchRule.ALL.matchHost("host1"), sslContextSecurityFactory4Ciphers);
+//        ctx.run(checkResultIntersectionSizeIs(4));
+//    }
+
+//    private Runnable checkResultIntersectionSizeIs(int intersectionSize) {
+//        return () -> {
+//            try {
+//                DynamicSSLContextSpiImpl dynamicSSLContextSpiImpl = new DynamicSSLContextSpiImpl(SSLContext.getDefault());
+//                SSLContext dynamicSSLContext = new DynamicSSLContext(dynamicSSLContextSpiImpl, null, null);
+//                Assert.assertEquals(dynamicSSLContext.getSocketFactory().getSupportedCipherSuites().length, intersectionSize);
+//            } catch (Exception e) {
+//                e.printStackTrace();
+//                Assert.fail();
+//            }
+//        };
+//    }
+}

auth/client/src/test/java/org/wildfly/security/auth/client/mocks/MockSSLContext.java

@@ -0,0 +1,10 @@
+package org.wildfly.security.auth.client.mocks;
+
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLContextSpi;
+
+public class MockSSLContext extends SSLContext {
+    public MockSSLContext(final SSLContextSpi mockContextSpi) {
+        super(mockContextSpi, null, null);
+    }
+}

auth/client/src/test/java/org/wildfly/security/auth/client/mocks/MockSSLContextSPI.java

@@ -0,0 +1,40 @@
+package org.wildfly.security.auth.client.mocks;
+
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.SSLContextSpi;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLServerSocketFactory;
+import javax.net.ssl.SSLSessionContext;
+import javax.net.ssl.TrustManager;
+import java.security.SecureRandom;
+
+public abstract class MockSSLContextSPI extends SSLContextSpi {
+    @Override
+    protected void engineInit(KeyManager[] keyManagers, TrustManager[] trustManagers, SecureRandom secureRandom) {
+    }
+
+    @Override
+    protected SSLServerSocketFactory engineGetServerSocketFactory() {
+        return null;
+    }
+
+    @Override
+    protected SSLEngine engineCreateSSLEngine() {
+        return null;
+    }
+
+    @Override
+    protected SSLEngine engineCreateSSLEngine(String s, int i) {
+        return null;
+    }
+
+    @Override
+    protected SSLSessionContext engineGetServerSessionContext() {
+        return null;
+    }
+
+    @Override
+    protected SSLSessionContext engineGetClientSessionContext() {
+        return null;
+    }
+}

auth/client/src/test/java/org/wildfly/security/auth/client/mocks/MockSSLSocketFactory.java

@@ -0,0 +1,39 @@
+package org.wildfly.security.auth.client.mocks;
+
+import javax.net.ssl.SSLSocketFactory;
+import java.io.IOException;
+import java.net.InetAddress;
+import java.net.Socket;
+import java.net.UnknownHostException;
+
+public abstract class MockSSLSocketFactory extends SSLSocketFactory {
+    @Override
+    public Socket createSocket(Socket socket, String s, int i, boolean b) throws IOException {
+        return null;
+    }
+
+    @Override
+    public Socket createSocket(String s, int i) throws IOException, UnknownHostException {
+        return null;
+    }
+
+    @Override
+    public Socket createSocket(String s, int i, InetAddress inetAddress, int i1) throws IOException, UnknownHostException {
+        return null;
+    }
+
+    @Override
+    public Socket createSocket(InetAddress inetAddress, int i) throws IOException {
+        return null;
+    }
+
+    @Override
+    public Socket createSocket(InetAddress inetAddress, int i, InetAddress inetAddress1, int i1) throws IOException {
+        return null;
+    }
+
+    @Override
+    public String[] getDefaultCipherSuites() {
+        return new String[0];
+    }
+}

dynamic-ssl/pom.xml

@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <parent>
+        <groupId>org.wildfly.security</groupId>
+        <artifactId>wildfly-elytron-parent</artifactId>
+        <version>1.11.4.CR1-SNAPSHOT</version>
+    </parent>
+
+    <modelVersion>4.0.0</modelVersion>
+
+    <artifactId>wildfly-elytron-dynamic-ssl</artifactId>
+
+    <name>WildFly Elytron - Dynamic SSL</name>
+    <description>WildFly Security Dynamic SSL Implementation</description>
+</project>

dynamic-ssl/src/main/java/org/wildfly/security/dynamic/ssl/DynamicSSLContext.java

@@ -0,0 +1,11 @@
+package org.wildfly.security.dynamic.ssl;
+
+import javax.net.ssl.SSLContext;
+import java.security.NoSuchAlgorithmException;
+
+public final class DynamicSSLContext extends SSLContext {
+
+    public DynamicSSLContext() throws NoSuchAlgorithmException {
+        super(new DynamicSSLContextSpiImpl(SSLContext.getDefault()), SSLContext.getDefault().getProvider(), SSLContext.getDefault().getProtocol());
+    }
+}

dynamic-ssl/src/main/java/org/wildfly/security/dynamic/ssl/DynamicSSLContextException.java

@@ -0,0 +1,20 @@
+package org.wildfly.security.dynamic.ssl;
+
+public class DynamicSSLContextException extends Exception {
+    private static final long serialVersionUID = 894798122053539237L;
+
+    public DynamicSSLContextException() {
+    }
+
+    public DynamicSSLContextException(String msg) {
+        super(msg);
+    }
+
+    public DynamicSSLContextException(String message, Throwable cause) {
+        super(message, cause);
+    }
+
+    public DynamicSSLContextException(Throwable cause) {
+        super(cause);
+    }
+}