US887031: Use secure Trust Manager when connecting to RabbitMQ via TLS (#180)

jonny-mccoubrey · web-flow · commit 1210696e5692 · 2024-03-08T15:34:04.000Z
diff --git a/release-notes-8.1.0.md b/release-notes-8.1.0.md
@@ -5,4 +5,8 @@ ${version-number}
 
 #### New Features
 
+#### Bug Fixes
+- **I887031:** Replace use of the TrustEverythingTrustManager with a TrustManager provided by the
+  `javax.net.ssl.TrustManagerFactory`.
+
 #### Known Issues
diff --git a/util-rabbitmq/src/main/java/com/hpe/caf/util/rabbitmq/RabbitUtil.java b/util-rabbitmq/src/main/java/com/hpe/caf/util/rabbitmq/RabbitUtil.java
@@ -24,10 +24,14 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManagerFactory;
 import java.io.IOException;
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.security.KeyManagementException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.util.ArrayList;
 import java.util.Collections;
@@ -105,6 +109,21 @@ public static Connection createRabbitConnection(final RabbitConfiguration rc,
         factory.setUsername(rc.getRabbitUser());
         factory.setPassword(rc.getRabbitPassword());
 
+        if (rc.getRabbitProtocol().equalsIgnoreCase("amqps")) {
+            try {
+                final String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
+                final TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(tmfAlgorithm);
+                trustManagerFactory.init((KeyStore) null);
+
+                final SSLContext context = SSLContext.getInstance("TLS");
+                context.init(null, trustManagerFactory.getTrustManagers(), null);
+
+                factory.useSslProtocol(context);
+            } catch (final KeyStoreException e) {
+                throw new IllegalStateException("Trust Manager Initialization Failed", e);
+            }
+        }
+
         final URI rabbitUrl = new URI(String.format("%s://%s:%s", rc.getRabbitProtocol(), rc.getRabbitHost(), 
                 rc.getRabbitPort()));
         factory.setUri(rabbitUrl);
diff --git a/worker-test/pom.xml b/worker-test/pom.xml
@@ -170,6 +170,28 @@
                     <startParallel>true</startParallel>
                     <containerNamePattern>%a-%t</containerNamePattern>
                     <images>
+                        <image>
+                            <alias>keystore</alias>
+                            <name>${project.artifactId}-keystore:${project.version}</name>
+                            <build>
+                                <from>${dockerHubPublic}/cafapi/opensuse-jre11:3.0.0</from>
+                                <runCmds>
+                                    <runCmd>mkdir /test-keystore</runCmd>
+                                    <runCmd>openssl genrsa -out /test-keystore/ca_key.pem 2048</runCmd>
+                                    <runCmd>openssl req -x509 -new -key /test-keystore/ca_key.pem -out /test-keystore/ca_certificate.pem -days 3650 -subj "/CN=myname/OU=myorganisational.unit/O=myorganisation/L=mycity/S=myprovince/C=GB"</runCmd>
+                                    <runCmd>openssl genrsa -out /test-keystore/server_key.pem 2048</runCmd>
+                                    <runCmd>openssl req -new -key /test-keystore/server_key.pem -out /test-keystore/server.csr -subj "/CN=myname/OU=myorganisational.unit/O=myorganisation/L=mycity/S=myprovince/C=GB"</runCmd>
+                                    <runCmd>chmod 664 /test-keystore/server_key.pem</runCmd>
+                                    <runCmd>openssl x509 -req -in /test-keystore/server.csr -CA /test-keystore/ca_certificate.pem -CAkey /test-keystore/ca_key.pem -CAcreateserial -out /test-keystore/server_certificate.pem -days 3650</runCmd>
+                                </runCmds>
+                                <volumes>
+                                    <volume>/test-keystore</volume>
+                                </volumes>
+                            </build>
+                            <run>
+                                <platform>linux/amd64</platform>
+                            </run>
+                        </image>
                         <image>
                             <alias>webdav</alias>
                             <name>${dockerHubPublic}/cloudesire/webdav</name>
@@ -201,7 +223,10 @@
                         </image>
                         <image>
                             <alias>rabbitmq</alias>
-                            <name>${dockerHubPublic}/library/rabbitmq:3-management</name>
+                            <name>${project.artifactId}-rabbitmq:${project.version}</name>
+                            <build>
+                                <contextDir>${project.basedir}/src/test/docker</contextDir>
+                            </build>
                             <run>
                                 <ports>
                                     <port>${rabbitmq.ctrl.port}:15672</port>
@@ -218,6 +243,11 @@
                                 <log>
                                     <enabled>true</enabled>
                                 </log>
+                                <volumes>
+                                    <from>
+                                        <image>keystore</image>
+                                    </from>
+                                </volumes>
                             </run>
                         </image>
                         <image>
@@ -276,10 +306,15 @@
                                         -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005
                                     </CAF_WORKER_JAVA_OPTS>
                                     <CAF_WORKER_RETRY_LIMIT>2</CAF_WORKER_RETRY_LIMIT>
+                                    <CAF_RABBITMQ_PROTOCOL>amqps</CAF_RABBITMQ_PROTOCOL>
+                                    <CAF_RABBITMQ_PORT>5671</CAF_RABBITMQ_PORT>
+                                    <SSL_CA_CRT_DIR>/test-keystore</SSL_CA_CRT_DIR>
+                                    <SSL_CA_CRT>ca_certificate.pem</SSL_CA_CRT>
                                 </env>
                                 <volumes>
                                     <from>
                                         <image>webdav</image>
+                                        <image>keystore</image>
                                     </from>
                                 </volumes>
                                 <links>
@@ -312,10 +347,15 @@
                                         -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005
                                     </CAF_WORKER_JAVA_OPTS>
                                     <CAF_WORKER_RETRY_LIMIT>2</CAF_WORKER_RETRY_LIMIT>
+                                    <CAF_RABBITMQ_PROTOCOL>amqps</CAF_RABBITMQ_PROTOCOL>
+                                    <CAF_RABBITMQ_PORT>5671</CAF_RABBITMQ_PORT>
+                                    <SSL_CA_CRT_DIR>/test-keystore</SSL_CA_CRT_DIR>
+                                    <SSL_CA_CRT>ca_certificate.pem</SSL_CA_CRT>
                                 </env>
                                 <volumes>
                                     <from>
                                         <image>webdav</image>
+                                        <image>keystore</image>
                                     </from>
                                 </volumes>
                                 <links>
@@ -348,10 +388,15 @@
                                         -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005
                                     </CAF_WORKER_JAVA_OPTS>
                                     <CAF_WORKER_RETRY_LIMIT>2</CAF_WORKER_RETRY_LIMIT>
+                                    <CAF_RABBITMQ_PROTOCOL>amqps</CAF_RABBITMQ_PROTOCOL>
+                                    <CAF_RABBITMQ_PORT>5671</CAF_RABBITMQ_PORT>
+                                    <SSL_CA_CRT_DIR>/test-keystore</SSL_CA_CRT_DIR>
+                                    <SSL_CA_CRT>ca_certificate.pem</SSL_CA_CRT>
                                 </env>
                                 <volumes>
                                     <from>
                                         <image>webdav</image>
+                                        <image>keystore</image>
                                     </from>
                                 </volumes>
                                 <links>
@@ -369,6 +414,47 @@
                                 </wait>
                             </run>
                         </image>
+                        <!--Worker to test SSL certificate trust manager when connecting to RabbitMQ-->
+                        <image>
+                            <alias>worker-test-no-valid-cert</alias>
+                            <name>${targetDockerRegistryPath}/worker-test:${project.version}</name>
+                            <run>
+                                <platform>linux/amd64</platform>
+                                <ports>
+                                    <port>${worker.testadminport4}:8081</port>
+                                    <port>${worker.testdebugport4}:5005</port>
+                                </ports>
+                                <env>
+                                    <CAF_WORKER_DATASTORE_PATH>/srv/common/webdav</CAF_WORKER_DATASTORE_PATH>
+                                    <CAF_WORKER_JAVA_OPTS>
+                                        -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005
+                                    </CAF_WORKER_JAVA_OPTS>
+                                    <CAF_WORKER_RETRY_LIMIT>2</CAF_WORKER_RETRY_LIMIT>
+                                    <CAF_RABBITMQ_PROTOCOL>amqps</CAF_RABBITMQ_PROTOCOL>
+                                    <CAF_RABBITMQ_PORT>5671</CAF_RABBITMQ_PORT>
+                                </env>
+                                <volumes>
+                                    <from>
+                                        <image>webdav</image>
+                                    </from>
+                                </volumes>
+                                <links>
+                                    <link>rabbitmq</link>
+                                </links>
+                                <log>
+                                    <enabled>true</enabled>
+                                </log>
+                                <!--Expect healthcheck to return 500 as trying to use SSL without valid certificate-->
+                                <wait>
+                                    <http>
+                                        <url>http://${docker.host.address}:${worker.testadminport4}/healthcheck</url>
+                                        <status>500</status>
+                                    </http>
+                                    <time>120000</time>
+                                    <shutdown>500</shutdown>
+                                </wait>
+                            </run>
+                        </image>
                     </images>
                 </configuration>
             </plugin>
@@ -386,8 +472,10 @@
                 <worker.debugport>5005</worker.debugport>
                 <worker.testadminport2>8082</worker.testadminport2>
                 <worker.testadminport3>8083</worker.testadminport3>
+                <worker.testadminport4>8084</worker.testadminport4>
                 <worker.testdebugport2>5006</worker.testdebugport2>
                 <worker.testdebugport3>5007</worker.testdebugport3>
+                <worker.testdebugport4>5008</worker.testdebugport4>
             </properties>
         </profile>
     </profiles>
diff --git a/worker-test/src/test/docker/Dockerfile b/worker-test/src/test/docker/Dockerfile
@@ -0,0 +1,21 @@
+#
+# Copyright 2015-2024 Open Text.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+ARG DOCKER_HUB_PUBLIC=dockerhub-public.svsartifactory.swinfra.net
+
+FROM ${DOCKER_HUB_PUBLIC}/library/rabbitmq:3-management
+
+COPY rabbitmq.conf /etc/rabbitmq
diff --git a/worker-test/src/test/docker/rabbitmq.conf b/worker-test/src/test/docker/rabbitmq.conf
@@ -0,0 +1,22 @@
+#
+# Copyright 2015-2024 Open Text.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+listeners.ssl.default = 5671
+ssl_options.cacertfile = /test-keystore/ca_certificate.pem
+ssl_options.certfile = /test-keystore/server_certificate.pem
+ssl_options.keyfile = /test-keystore/server_key.pem
+ssl_options.verify = verify_none
+ssl_options.fail_if_no_peer_cert = false
