Support SSLContext configured with only CA cert

2014-04-05 20:04:03 -07:00 · 2014-04-05 20:04:03 -07:00 · cc3633b428
commit cc3633b428
parent f9168c55d3
5 changed files with 72 additions and 2 deletions
--- a/project.clj
+++ b/project.clj
@ -8,7 +8,7 @@

  :dependencies [[org.clojure/clojure "1.5.1"]
                 [http-kit "2.1.16"]
-                 [puppetlabs/certificate-authority "0.1.3"]
+                 [puppetlabs/certificate-authority "0.1.4"]
                 [org.clojure/tools.logging "0.2.6"]
                 [org.slf4j/slf4j-api "1.7.6"]]

--- a/src/clj/puppetlabs/http/client/async.clj
+++ b/src/clj/puppetlabs/http/client/async.clj
@ -28,6 +28,13 @@
                          (:ssl-ca-cert req)))
    (dissoc :ssl-cert :ssl-key :ssl-ca-cert)))

+(defn- initialize-ssl-context-from-ca-pem
+  [req]
+  (-> req
+      (assoc :ssl-context (ssl/ca-cert-pem->ssl-context
+                            (:ssl-ca-cert req)))
+      (dissoc :ssl-ca-cert)))
+
 (defn- configure-ssl-from-context
  "Configures an SSLEngine in the request starting from an SSLContext"
  [req]
@ -42,6 +49,13 @@
    initialize-ssl-context-from-pems
    configure-ssl-from-context))

+(defn- configure-ssl-from-ca-pem
+  "Configures an SSLEngine in the request starting from a CA PEM file"
+  [req]
+  (-> req
+      initialize-ssl-context-from-ca-pem
+      configure-ssl-from-context))
+
 (defn configure-ssl
  "Configures a request map to have an SSLEngine. It will use an existing one
  if already present, , then use an SSLContext (stored in :ssl-context) if
@ -53,6 +67,7 @@
    (:sslengine req) req
    (:ssl-context req) (configure-ssl-from-context req)
    (every? (partial req) [:ssl-cert :ssl-key :ssl-ca-cert]) (configure-ssl-from-pems req)
+    (:ssl-ca-cert req) (configure-ssl-from-ca-pem req)
    :else req))

 (defn- check-url! [url]
--- a/src/java/com/puppetlabs/http/client/SyncHttpClient.java
+++ b/src/java/com/puppetlabs/http/client/SyncHttpClient.java
@ -68,6 +68,27 @@ public class SyncHttpClient {
            return configureSslFromContext(options);
        }

+        if (options.getSslCaCert() != null) {
+            try {
+                options.setSslContext(
+                        CertificateAuthority.caCertPemToSSLContext(
+                                new FileReader(options.getSslCaCert()))
+                );
+            } catch (KeyStoreException e) {
+                logAndRethrow("Error while configuring SSL", e);
+            } catch (CertificateException e) {
+                logAndRethrow("Error while configuring SSL", e);
+            } catch (IOException e) {
+                logAndRethrow("Error while configuring SSL", e);
+            } catch (NoSuchAlgorithmException e) {
+                logAndRethrow("Error while configuring SSL", e);
+            } catch (KeyManagementException e) {
+                logAndRethrow("Error while configuring SSL", e);
+            }
+            options.setSslCaCert(null);
+            return configureSslFromContext(options);
+        }
+
        return options;
    }

--- a/test/puppetlabs/http/client/async_test.clj
+++ b/test/puppetlabs/http/client/async_test.clj
@ -21,6 +21,18 @@
      (is (not (:ssl-key configured-req)))
      (is (not (:ssl-ca-cert configured-req))))))

+(deftest ssl-config-with-ca-file
+  (let [req {:url "http://localhost"
+             :method :get
+             :ssl-ca-cert (resource "ssl/ca.pem")}
+        configured-req (http/configure-ssl req)]
+
+    (testing "configure-ssl sets up an SSLEngine when given ca-cert"
+      (is (instance? SSLEngine (:sslengine configured-req))))
+
+    (testing "removes ssl-ca-cert"
+      (is (not (:ssl-ca-cert configured-req))))))
+
 (deftest ssl-config-without-ssl-params
  (let [req {:url "http://localhost"
             :method :get}
--- a/test/puppetlabs/http/client/sync_test.clj
+++ b/test/puppetlabs/http/client/sync_test.clj
@ -18,7 +18,7 @@
        (add-ring-handler app "/hello")
        context))

-(deftest sync-client-test
+(deftest sync-client-test-from-pems
  (testlogging/with-test-logging
    (testutils/with-app-with-config app
      [jetty9/jetty9-service test-web-service]
@ -42,3 +42,25 @@
                                  :ssl-ca-cert "./dev-resources/ssl/ca.pem"})]
          (is (= 200 (:status response)))
          (is (= "Hello, World!" (slurp (:body response)))))))))
+
+(deftest sync-client-test-from-ca-cert
+  (testlogging/with-test-logging
+    (testutils/with-app-with-config app
+      [jetty9/jetty9-service test-web-service]
+      {:webserver {:ssl-host    "0.0.0.0"
+                   :ssl-port    10080
+                   :ssl-ca-cert "./dev-resources/ssl/ca.pem"
+                   :ssl-cert    "./dev-resources/ssl/cert.pem"
+                   :ssl-key     "./dev-resources/ssl/key.pem"
+                   :client-auth "want"}}
+      (testing "java sync client"
+        (let [options (.. (RequestOptions. "https://localhost:10080/hello/")
+                          (setSslCaCert "./dev-resources/ssl/ca.pem"))
+              response (SyncHttpClient/get options)]
+          (is (= 200 (.getStatus response)))
+          (is (= "Hello, World!" (slurp (.getBody response))))))
+      (testing "clojure sync client"
+        (let [response (sync/get "https://localhost:10080/hello/"
+                                 {:ssl-ca-cert "./dev-resources/ssl/ca.pem"})]
+          (is (= 200 (:status response)))
+          (is (= "Hello, World!" (slurp (:body response)))))))))