Add test for SASL external

acogoluegnes · acogoluegnes · commit 82f2904e06d2 · 2023-06-06T11:47:24.000+02:00
Disabled for now. References rabbitmq/rabbitmq-server#8488
diff --git a/ci/start-broker.sh b/ci/start-broker.sh
@@ -18,7 +18,7 @@ mkdir -p rabbitmq-configuration/tls
 cp -R "${PWD}"/tls-gen/basic/result/* rabbitmq-configuration/tls
 chmod o+r rabbitmq-configuration/tls/*
 
-echo "[rabbitmq_stream,rabbitmq_mqtt,rabbitmq_stomp,rabbitmq_amqp1_0]." >> rabbitmq-configuration/enabled_plugins
+echo "[rabbitmq_stream,rabbitmq_mqtt,rabbitmq_stomp,rabbitmq_amqp1_0,rabbitmq_auth_mechanism_ssl]." >> rabbitmq-configuration/enabled_plugins
 
 echo "loopback_users = none
 
@@ -29,6 +29,10 @@ ssl_options.certfile   = /etc/rabbitmq/tls/server_$(hostname)_certificate.pem
 ssl_options.keyfile    = /etc/rabbitmq/tls/server_$(hostname)_key.pem
 ssl_options.verify     = verify_peer
 ssl_options.fail_if_no_peer_cert = false
+ssl_options.depth = 1
+
+auth_mechanisms.1 = PLAIN
+auth_mechanisms.2 = EXTERNAL
 
 stream.listeners.ssl.1 = 5551" >> rabbitmq-configuration/rabbitmq.conf
 
diff --git a/src/test/java/com/rabbitmq/stream/impl/TestUtils.java b/src/test/java/com/rabbitmq/stream/impl/TestUtils.java
@@ -13,6 +13,7 @@
 // info@rabbitmq.com.
 package com.rabbitmq.stream.impl;
 
+import static java.lang.String.format;
 import static java.util.concurrent.TimeUnit.SECONDS;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.junit.jupiter.api.Assertions.fail;
@@ -64,6 +65,7 @@
 import java.util.concurrent.atomic.AtomicReference;
 import java.util.function.Consumer;
 import java.util.function.Function;
+import java.util.function.Predicate;
 import java.util.function.Supplier;
 import java.util.stream.IntStream;
 import org.assertj.core.api.AssertDelegateTarget;
@@ -336,7 +338,7 @@ private static String streamName(ExtensionContext context) {
 
   private static String streamName(Class<?> testClass, Method testMethod) {
     String uuid = UUID.randomUUID().toString();
-    return String.format(
+    return format(
         "%s_%s%s",
         testClass.getSimpleName(), testMethod.getName(), uuid.substring(uuid.length() / 2));
   }
@@ -480,6 +482,12 @@ static boolean atLeastVersion(String expectedVersion, String currentVersion) {
   @ExtendWith(DisabledIfAmqp10NotEnabledCondition.class)
   @interface DisabledIfAmqp10NotEnabled {}
 
+  @Target({ElementType.TYPE, ElementType.METHOD})
+  @Retention(RetentionPolicy.RUNTIME)
+  @Documented
+  @ExtendWith(DisabledIfAuthMechanismSslNotEnabledCondition.class)
+  @interface DisabledIfAuthMechanismSslNotEnabled {}
+
   @Target({ElementType.TYPE, ElementType.METHOD})
   @Retention(RetentionPolicy.RUNTIME)
   @Documented
@@ -707,75 +715,72 @@ public ConditionEvaluationResult evaluateExecutionCondition(ExtensionContext con
     }
   }
 
-  static class DisabledIfMqttNotEnabledCondition implements ExecutionCondition {
+  abstract static class DisabledIfPluginNotEnabledCondition implements ExecutionCondition {
+
+    private final String pluginLabel;
+    private final Predicate<String> condition;
+
+    DisabledIfPluginNotEnabledCondition(String pluginLabel, Predicate<String> condition) {
+      this.pluginLabel = pluginLabel;
+      this.condition = condition;
+    }
 
     @Override
     public ConditionEvaluationResult evaluateExecutionCondition(ExtensionContext context) {
       if (Host.rabbitmqctlCommand() == null) {
         return ConditionEvaluationResult.disabled(
-            "rabbitmqctl.bin system property not set, cannot check if MQTT plugin is enabled");
+            format(
+                "rabbitmqctl.bin system property not set, cannot check if %s plugin is enabled",
+                pluginLabel));
       } else {
         try {
           Process process = Host.rabbitmqctl("status");
           String output = capture(process.getInputStream());
-          if (output.contains("rabbitmq_mqtt") && output.contains("protocol: mqtt")) {
-            return ConditionEvaluationResult.enabled("MQTT plugin enabled");
+          if (condition.test(output)) {
+            return ConditionEvaluationResult.enabled(format("%s plugin enabled", pluginLabel));
           } else {
-            return ConditionEvaluationResult.disabled("MQTT plugin disabled");
+            return ConditionEvaluationResult.disabled(format("%s plugin disabled", pluginLabel));
           }
         } catch (Exception e) {
           return ConditionEvaluationResult.disabled(
-              "Error while trying to detect MQTT plugin: " + e.getMessage());
+              format("Error while trying to detect %s plugin: " + e.getMessage(), pluginLabel));
         }
       }
     }
   }
 
-  static class DisabledIfStompNotEnabledCondition implements ExecutionCondition {
+  static class DisabledIfMqttNotEnabledCondition extends DisabledIfPluginNotEnabledCondition {
 
-    @Override
-    public ConditionEvaluationResult evaluateExecutionCondition(ExtensionContext context) {
-      if (Host.rabbitmqctlCommand() == null) {
-        return ConditionEvaluationResult.disabled(
-            "rabbitmqctl.bin system property not set, cannot check if STOMP plugin is enabled");
-      } else {
-        try {
-          Process process = Host.rabbitmqctl("status");
-          String output = capture(process.getInputStream());
-          if (output.contains("rabbitmq_stomp") && output.contains("protocol: stomp")) {
-            return ConditionEvaluationResult.enabled("STOMP plugin enabled");
-          } else {
-            return ConditionEvaluationResult.disabled("STOMP plugin disabled");
-          }
-        } catch (Exception e) {
-          return ConditionEvaluationResult.disabled(
-              "Error while trying to detect STOMP plugin: " + e.getMessage());
-        }
-      }
+    DisabledIfMqttNotEnabledCondition() {
+      super(
+          "MQTT", output -> output.contains("rabbitmq_mqtt") && output.contains("protocol: mqtt"));
     }
   }
 
-  static class DisabledIfAmqp10NotEnabledCondition implements ExecutionCondition {
+  static class DisabledIfStompNotEnabledCondition extends DisabledIfPluginNotEnabledCondition {
 
-    @Override
-    public ConditionEvaluationResult evaluateExecutionCondition(ExtensionContext context) {
-      if (Host.rabbitmqctlCommand() == null) {
-        return ConditionEvaluationResult.disabled(
-            "rabbitmqctl.bin system property not set, cannot check if STOMP plugin is enabled");
-      } else {
-        try {
-          Process process = Host.rabbitmqctl("status");
-          String output = capture(process.getInputStream());
-          if (output.contains("rabbitmq_amqp1_0") && output.contains("AMQP 1.0")) {
-            return ConditionEvaluationResult.enabled("STOMP plugin enabled");
-          } else {
-            return ConditionEvaluationResult.disabled("STOMP plugin disabled");
-          }
-        } catch (Exception e) {
-          return ConditionEvaluationResult.disabled(
-              "Error while trying to detect STOMP plugin: " + e.getMessage());
-        }
-      }
+    DisabledIfStompNotEnabledCondition() {
+      super(
+          "STOMP",
+          output -> output.contains("rabbitmq_stomp") && output.contains("protocol: stomp"));
+    }
+  }
+
+  static class DisabledIfAuthMechanismSslNotEnabledCondition
+      extends DisabledIfPluginNotEnabledCondition {
+
+    DisabledIfAuthMechanismSslNotEnabledCondition() {
+      super(
+          "X509 authentication mechanism",
+          output -> output.contains("rabbitmq_auth_mechanism_ssl"));
+    }
+  }
+
+  static class DisabledIfAmqp10NotEnabledCondition extends DisabledIfPluginNotEnabledCondition {
+
+    DisabledIfAmqp10NotEnabledCondition() {
+      super(
+          "AMQP 1.0", output -> output.contains("rabbitmq_amqp1_0") && output.contains("AMQP 1.0"));
     }
   }
 
diff --git a/src/test/java/com/rabbitmq/stream/impl/TlsTest.java b/src/test/java/com/rabbitmq/stream/impl/TlsTest.java
@@ -16,6 +16,7 @@
 import static com.rabbitmq.stream.impl.TestUtils.b;
 import static com.rabbitmq.stream.impl.TestUtils.latchAssert;
 import static com.rabbitmq.stream.impl.Utils.TRUST_EVERYTHING_TRUST_MANAGER;
+import static java.lang.String.format;
 import static java.time.Duration.ofSeconds;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
@@ -28,7 +29,9 @@
 import com.rabbitmq.stream.Producer;
 import com.rabbitmq.stream.StreamException;
 import com.rabbitmq.stream.impl.Client.ClientParameters;
+import com.rabbitmq.stream.impl.TestUtils.DisabledIfAuthMechanismSslNotEnabled;
 import com.rabbitmq.stream.impl.TestUtils.DisabledIfTlsNotEnabled;
+import com.rabbitmq.stream.sasl.DefaultSaslConfiguration;
 import io.netty.channel.Channel;
 import io.netty.handler.ssl.SslContext;
 import io.netty.handler.ssl.SslContextBuilder;
@@ -48,6 +51,7 @@
 import java.security.spec.PKCS8EncodedKeySpec;
 import java.util.Base64;
 import java.util.Collections;
+import java.util.UUID;
 import java.util.concurrent.CountDownLatch;
 import java.util.function.Consumer;
 import java.util.stream.IntStream;
@@ -57,6 +61,7 @@
 import javax.net.ssl.SSLParameters;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 
@@ -252,6 +257,33 @@ void verifiedConnectionWithCorrectClientPrivateKey() throws Exception {
     cf.get(new ClientParameters().sslContext(context));
   }
 
+  @Test
+  @DisabledIfAuthMechanismSslNotEnabled
+  @Disabled
+  void verifiedConnectionWithCorrectClientPrivateKeyAndSaslExternal() throws Exception {
+    X509Certificate clientCertificate = clientCertificate();
+    SslContext context =
+        SslContextBuilder.forClient()
+            .trustManager(caCertificate())
+            .keyManager(clientKey(), clientCertificate)
+            .build();
+
+    String username = clientCertificate.getSubjectX500Principal().getName();
+    Host.rabbitmqctl(format("delete_user %s", username));
+    Host.rabbitmqctl(format("add_user %s foo", username));
+    try {
+      Host.rabbitmqctl(format("set_permissions %s '.*' '.*' '.*'", username));
+
+      cf.get(
+          new ClientParameters()
+              .username(UUID.randomUUID().toString())
+              .sslContext(context)
+              .saslConfiguration(DefaultSaslConfiguration.EXTERNAL));
+    } finally {
+      Host.rabbitmqctl(format("delete_user %s", username));
+    }
+  }
+
   @Test
   void hostnameVerificationShouldFailWhenSettingHostToLoopbackInterface() throws Exception {
     SslContext context = SslContextBuilder.forClient().trustManager(caCertificate()).build();
