BUILD-759 Update ITs to use PKCS12 certificates instead of JKS

Author: henryju

api/src/test/java/org/sonarsource/scanner/api/internal/OkHttpClientFactoryTest.java

@@ -26,13 +26,10 @@
 import java.nio.file.Paths;
 import java.security.KeyStore;
 import java.security.SecureRandom;
-import java.util.List;
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLHandshakeException;
-import javax.net.ssl.SSLSocketFactory;
 import javax.net.ssl.TrustManagerFactory;
-import okhttp3.ConnectionSpec;
 import okhttp3.OkHttpClient;
 import okhttp3.Request;
 import okhttp3.Response;
@@ -41,32 +38,28 @@
 import okhttp3.mockwebserver.MockWebServer;
 import okhttp3.mockwebserver.RecordedRequest;
 import org.junit.After;
-import org.junit.Ignore;
 import org.junit.Rule;
 import org.junit.Test;
-import org.junit.experimental.theories.DataPoint;
-import org.junit.experimental.theories.Theories;
 import org.junit.experimental.theories.Theory;
 import org.junit.rules.ExpectedException;
-import org.junit.runner.RunWith;
 import org.sonarsource.scanner.api.internal.cache.Logger;
 
 import static java.lang.String.format;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
-import static org.assertj.core.api.Assertions.fail;
+import static org.junit.Assert.fail;
 import static org.mockito.Mockito.mock;
 
-@RunWith(Theories.class)
 public class OkHttpClientFactoryTest {
 
-  @DataPoint
-  public static final String KEYSTORE_CLIENT_WITH_CA = "/client-with-ca.jks";
-  @DataPoint
-  public static final String KEYSTORE_CLIENT_WITH_CERTIFICATE = "/client-with-certificate.jks";
+  private static final String KEYSTORE_CLIENT_WITH_CA = "/client-with-ca.p12";
+  private static final String CLIENT_WITH_CA_KEYSTORE_PASSWORD = "pwdClientCAP12";
 
-  private static final String KEYSTORE_PASSWORD = "abcdef";
-  private static final String KEYSTORE_FILE = "/server.jks";
+  private static final String KEYSTORE_CLIENT_WITH_CERTIFICATE = "/client-with-certificate.p12";
+  private static final String CLIENT_WITH_CERTIFICATE_KEYSTORE_PASSWORD = "pwdClientP12";
+
+  private static final String SERVER_KEYSTORE_PASSWORD = "pwdServerP12";
+  private static final String SERVER_KEYSTORE_FILE = "/server.p12";
   private static final Logger logger = mock(Logger.class);
   private static final String SONAR_WS_TIMEOUT = "sonar.ws.timeout";
   private static final String COOKIE = "BIGipServerpool_sonarqube.example.com_8443=123456789.12345.0000";
@@ -79,14 +72,6 @@ public void cleanSystemProperty() {
     System.clearProperty(SONAR_WS_TIMEOUT);
   }
 
-  @Test
-  public void support_tls_versions_of_java8() {
-    OkHttpClient underTest = OkHttpClientFactory.create(logger);
-
-    assertTlsAndClearTextSpecifications(underTest);
-    assertThat(underTest.sslSocketFactory()).isInstanceOf(SSLSocketFactory.getDefault().getClass());
-  }
-
   @Test
   public void support_custom_timeouts() {
     int readTimeoutSec = 2000;
@@ -106,19 +91,6 @@ public void support_custom_timeouts_throws_exception_on_non_number() {
     assertThatThrownBy(() -> OkHttpClientFactory.create(logger)).isInstanceOf(NumberFormatException.class);
   }
 
-  private void assertTlsAndClearTextSpecifications(OkHttpClient client) {
-    List<ConnectionSpec> connectionSpecs = client.connectionSpecs();
-    assertThat(connectionSpecs).hasSize(2);
-
-    // TLS. tlsVersions()==null means all TLS versions
-    assertThat(connectionSpecs.get(0).tlsVersions()).isNull();
-    assertThat(connectionSpecs.get(0).isTls()).isTrue();
-
-    // HTTP
-    assertThat(connectionSpecs.get(1).tlsVersions()).isNull();
-    assertThat(connectionSpecs.get(1).isTls()).isFalse();
-  }
-
   @Test
   public void test_with_external_http_server() throws IOException {
     Response response = call("http://www.google.com");
@@ -138,7 +110,7 @@ public void when_overriding_truststore_known_websites_are_failing(String clientK
     try {
       Path clientTruststore = Paths.get(getClass().getResource(clientKeyStore).toURI()).toAbsolutePath();
       System.setProperty("javax.net.ssl.trustStore", clientTruststore.toString());
-      System.setProperty("javax.net.ssl.trustStorePassword", KEYSTORE_PASSWORD);
+      System.setProperty("javax.net.ssl.trustStorePassword", SERVER_KEYSTORE_PASSWORD);
 
       expectedException.expect(SSLHandshakeException.class);
       call("https://www.google.com");
@@ -149,9 +121,18 @@ public void when_overriding_truststore_known_websites_are_failing(String clientK
     }
   }
 
-  @Ignore // ignore to test cirrus QA
-  @Theory
-  public void test_with_custom_https_server(String clientKeyStore) throws Exception {
+  @Test
+  public void test_with_custom_https_server_using_ca_in_truststore() throws Exception {
+    test_with_custom_https_server(KEYSTORE_CLIENT_WITH_CA, CLIENT_WITH_CA_KEYSTORE_PASSWORD);
+  }
+
+  @Test
+  public void test_with_custom_https_server_using_server_certificate_in_truststore() throws Exception {
+    test_with_custom_https_server(KEYSTORE_CLIENT_WITH_CERTIFICATE, CLIENT_WITH_CERTIFICATE_KEYSTORE_PASSWORD);
+  }
+
+  private void test_with_custom_https_server(String clientKeyStore, String keyStorePassword) throws Exception {
+    System.setProperty("javax.net.debug", "ssl,handshake,record");
     try (MockWebServer server = buildTLSServer()) {
       String url = format("https://localhost:%d/", server.getPort());
 
@@ -166,7 +147,7 @@ public void test_with_custom_https_server(String clientKeyStore) throws Exceptio
       // Add the truststore
       Path clientTruststore = Paths.get(getClass().getResource(clientKeyStore).toURI()).toAbsolutePath();
       System.setProperty("javax.net.ssl.trustStore", clientTruststore.toString());
-      System.setProperty("javax.net.ssl.trustStorePassword", KEYSTORE_PASSWORD);
+      System.setProperty("javax.net.ssl.trustStorePassword", keyStorePassword);
 
       Response response = call(url);
       assertThat(response.code()).isEqualTo(200);
@@ -178,22 +159,30 @@ public void test_with_custom_https_server(String clientKeyStore) throws Exceptio
     }
   }
 
-  @Ignore // ignore to test cirrus QA
-  @Theory
-  public void test_with_cookie(String clientKeyStore) throws Exception {
+  @Test
+  public void test_with_cookie_using_ca_in_truststore() throws Exception {
+    test_with_cookie(KEYSTORE_CLIENT_WITH_CA, CLIENT_WITH_CA_KEYSTORE_PASSWORD);
+  }
+
+  @Test
+  public void test_with_cookie_using_server_certificate_in_truststore() throws Exception {
+    test_with_cookie(KEYSTORE_CLIENT_WITH_CERTIFICATE, CLIENT_WITH_CERTIFICATE_KEYSTORE_PASSWORD);
+  }
+
+  private void test_with_cookie(String clientKeyStore, String keyStorePassword) throws Exception {
     try (MockWebServer server = buildTLSServer()) {
       String url = format("https://localhost:%d/", server.getPort());
 
       // Add the truststore
       Path clientTruststore = Paths.get(getClass().getResource(clientKeyStore).toURI()).toAbsolutePath();
       System.setProperty("javax.net.ssl.trustStore", clientTruststore.toString());
-      System.setProperty("javax.net.ssl.trustStorePassword", KEYSTORE_PASSWORD);
+      System.setProperty("javax.net.ssl.trustStorePassword", keyStorePassword);
 
-      OkHttpClientFactory.COOKIE_MANAGER.getCookieStore().removeAll();  // Clear any existing cookies
+      OkHttpClientFactory.COOKIE_MANAGER.getCookieStore().removeAll(); // Clear any existing cookies
 
       Response response = call(url);
-     assertThat(response.header("Set-Cookie")).isEqualTo(COOKIE);  // The server should have asked us to set a cookie
-     assertThat(response.body().string()).doesNotContain(COOKIE);
+      assertThat(response.header("Set-Cookie")).isEqualTo(COOKIE); // The server should have asked us to set a cookie
+      assertThat(response.body().string()).doesNotContain(COOKIE);
 
       response = call(url);
       assertThat(response.body().string()).contains(COOKIE);
@@ -205,7 +194,6 @@ public void test_with_cookie(String clientKeyStore) throws Exception {
     }
   }
 
-
   private static Response call(String url) throws IOException {
     return OkHttpClientFactory.create(logger).newCall(
       new Request.Builder()
@@ -240,17 +228,17 @@ public MockResponse dispatch(RecordedRequest request) {
     });
 
     // JKS file storing the private key and TLS certificate
-    Path serverCertificate = Paths.get(getClass().getResource(KEYSTORE_FILE).toURI()).toAbsolutePath();
+    Path serverCertificate = Paths.get(getClass().getResource(SERVER_KEYSTORE_FILE).toURI()).toAbsolutePath();
 
     // Load the KeyStore
-    KeyStore serverKeyStore = KeyStore.getInstance(KeyStore.getDefaultType());
+    KeyStore serverKeyStore = KeyStore.getInstance("pkcs12");
     FileInputStream stream = new FileInputStream(serverCertificate.toFile());
-    serverKeyStore.load(stream, KEYSTORE_PASSWORD.toCharArray());
+    serverKeyStore.load(stream, SERVER_KEYSTORE_PASSWORD.toCharArray());
 
     // Load the KeyManager from the KeyStore
     String kmfAlgorithm = KeyManagerFactory.getDefaultAlgorithm();
     KeyManagerFactory kmf = KeyManagerFactory.getInstance(kmfAlgorithm);
-    kmf.init(serverKeyStore, "".toCharArray());
+    kmf.init(serverKeyStore, SERVER_KEYSTORE_PASSWORD.toCharArray());
 
     // Add the "Keys" (ie. private key and TLS certificate to the TrustManager
     TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(kmfAlgorithm);

api/src/test/resources/client-with-ca.jks

@@ -11,7 +11,7 @@
   <description>Integration tests</description>
 
   <properties>
-    <jetty.version>9.3.11.v20160721</jetty.version>
+    <jetty.version>9.4.27.v20200227</jetty.version>
     <logback.version>1.1.7</logback.version>
     <sonar.skip>true</sonar.skip>
     <skipTests>true</skipTests>