Compare commits
5 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
225f156864
|
|||
|
696cb74740
|
|||
|
59f267426c
|
|||
|
608a9d18de
|
|||
|
d2c00402df
|
@@ -5,8 +5,6 @@ on:
|
||||
- '*'
|
||||
jobs:
|
||||
build:
|
||||
env:
|
||||
RUNNER_TOOL_CACHE: /toolcache
|
||||
runs-on: hostinger
|
||||
steps:
|
||||
- name: Checkout sources
|
||||
@@ -19,49 +17,53 @@ jobs:
|
||||
- name: Setup Gradle
|
||||
uses: gradle/actions/setup-gradle@v3
|
||||
- name: Execute Gradle build
|
||||
env:
|
||||
PUBLISHER_TOKEN: ${{ secrets.PUBLISHER_TOKEN }}
|
||||
run: ./gradlew build
|
||||
- name: Publish artifacts
|
||||
env:
|
||||
PUBLISHER_TOKEN: ${{ secrets.PUBLISHER_TOKEN }}
|
||||
run: ./gradlew publish
|
||||
build-docker:
|
||||
name: "Build Docker images"
|
||||
runs-on: hostinger
|
||||
steps:
|
||||
-
|
||||
name: Set up Docker Buildx
|
||||
uses: docker/setup-buildx-action@v3.4.0
|
||||
- name: Prepare Docker image build
|
||||
run: ./gradlew prepareDockerBuild
|
||||
- name: Get project version
|
||||
id: retrieve-version
|
||||
run: ./gradlew -q version >> "$GITHUB_OUTPUT"
|
||||
- name: Set up QEMU
|
||||
uses: docker/setup-qemu-action@v3
|
||||
- name: Set up Docker Buildx
|
||||
uses: docker/setup-buildx-action@v3
|
||||
with:
|
||||
driver: docker-container
|
||||
-
|
||||
name: Login to Gitea container registry
|
||||
- name: Login to Gitea container registry
|
||||
uses: docker/login-action@v3
|
||||
with:
|
||||
registry: gitea.woggioni.net
|
||||
username: woggioni
|
||||
password: ${{ secrets.PUBLISHER_TOKEN }}
|
||||
-
|
||||
name: Build and push gbcs images
|
||||
uses: docker/build-push-action@v6
|
||||
name: Build gbcs Docker image
|
||||
uses: docker/build-push-action@v5.3.0
|
||||
with:
|
||||
context: "docker/build/docker"
|
||||
platforms: linux/amd64,linux/arm64
|
||||
push: true
|
||||
pull: true
|
||||
tags: |
|
||||
"gitea.woggioni.net/woggioni/gbcs:slim"
|
||||
cache-from: type=registry,ref=gitea.woggioni.net/woggioni/gbcs:buildx
|
||||
cache-to: type=registry,mode=max,compression=zstd,image-manifest=true,oci-mediatypes=true,ref=gitea.woggioni.net/woggioni/gbcs:buildx
|
||||
gitea.woggioni.net/woggioni/gbcs:latest
|
||||
gitea.woggioni.net/woggioni/gbcs:${{ steps.retrieve-version.outputs.VERSION }}
|
||||
target: release
|
||||
cache-from: type=registry,ref=gitea.woggioni.net/woggioni/gbcs:buildx
|
||||
-
|
||||
name: Build and push gbcs memcached image
|
||||
uses: docker/build-push-action@v6
|
||||
name: Build gbcs memcached Docker image
|
||||
uses: docker/build-push-action@v5.3.0
|
||||
with:
|
||||
context: "docker/build/docker"
|
||||
platforms: linux/amd64,linux/arm64
|
||||
push: true
|
||||
pull: true
|
||||
tags: |
|
||||
"gitea.woggioni.net/woggioni/gbcs:latest"
|
||||
"gitea.woggioni.net/woggioni/gbcs:memcached"
|
||||
gitea.woggioni.net/woggioni/gbcs:memcached
|
||||
gitea.woggioni.net/woggioni/gbcs:memcached-${{ steps.retrieve-version.outputs.VERSION }}
|
||||
target: release-memcached
|
||||
cache-from: type=registry,ref=gitea.woggioni.net/woggioni/gbcs:buildx
|
||||
cache-to: type=registry,mode=max,compression=zstd,image-manifest=true,oci-mediatypes=true,ref=gitea.woggioni.net/woggioni/gbcs:buildx
|
||||
target: release-memcached
|
||||
- name: Publish artifacts
|
||||
env:
|
||||
PUBLISHER_TOKEN: ${{ secrets.PUBLISHER_TOKEN }}
|
||||
run: ./gradlew publish
|
||||
|
||||
|
||||
46
Dockerfile
46
Dockerfile
@@ -1,46 +1,2 @@
|
||||
FROM container-registry.oracle.com/graalvm/native-image:21 AS oracle
|
||||
|
||||
FROM ubuntu:24.04 AS build
|
||||
COPY --from=oracle /usr/lib64/graalvm/ /usr/lib64/graalvm/
|
||||
ENV JAVA_HOME=/usr/lib64/graalvm/graalvm-java21
|
||||
USER ubuntu
|
||||
WORKDIR /home/ubuntu
|
||||
|
||||
RUN mkdir gbcs
|
||||
WORKDIR /home/ubuntu/gbcs
|
||||
|
||||
COPY --chown=ubuntu:users .git .git
|
||||
COPY --chown=ubuntu:users gbcs-base gbcs-base
|
||||
COPY --chown=ubuntu:users gbcs-api gbcs-api
|
||||
COPY --chown=ubuntu:users gbcs-memcached gbcs-memcached
|
||||
COPY --chown=ubuntu:users gbcs-cli gbcs-cli
|
||||
COPY --chown=ubuntu:users src src
|
||||
COPY --chown=ubuntu:users settings.gradle settings.gradle
|
||||
COPY --chown=ubuntu:users build.gradle build.gradle
|
||||
COPY --chown=ubuntu:users gradle.properties gradle.properties
|
||||
COPY --chown=ubuntu:users gradle gradle
|
||||
COPY --chown=ubuntu:users gradlew gradlew
|
||||
|
||||
RUN --mount=type=cache,target=/home/ubuntu/.gradle,uid=1000,gid=1000 ./gradlew --no-daemon assemble
|
||||
|
||||
FROM alpine:latest AS base-release
|
||||
RUN --mount=type=cache,target=/var/cache/apk apk update
|
||||
RUN --mount=type=cache,target=/var/cache/apk apk add openjdk21-jre
|
||||
RUN adduser -D luser
|
||||
USER luser
|
||||
WORKDIR /home/luser
|
||||
|
||||
FROM base-release AS release
|
||||
RUN --mount=type=bind,from=build,source=/home/ubuntu/gbcs/gbcs-cli/build,target=/home/luser/build cp build/libs/gbcs-cli-envelope-*.jar gbcs.jar
|
||||
ENTRYPOINT ["java", "-jar", "/home/luser/gbcs.jar"]
|
||||
|
||||
FROM base-release AS release-memcached
|
||||
RUN --mount=type=bind,from=build,source=/home/ubuntu/gbcs/gbcs-cli/build,target=/home/luser/build cp build/libs/gbcs-cli-envelope-*.jar gbcs.jar
|
||||
RUN mkdir plugins
|
||||
WORKDIR /home/luser/plugins
|
||||
RUN --mount=type=bind,from=build,source=/home/ubuntu/gbcs/gbcs-memcached/build/distributions,target=/build/distributions tar -xf /build/distributions/gbcs-memcached*.tar
|
||||
WORKDIR /home/luser
|
||||
ENTRYPOINT ["java", "-jar", "/home/luser/gbcs.jar"]
|
||||
|
||||
FROM release-memcached as compose
|
||||
FROM gitea.woggioni.net/woggioni/gbcs:memcached
|
||||
COPY --chown=luser:luser conf/gbcs-memcached.xml /home/luser/.config/gbcs/gbcs.xml
|
||||
26
benchmark/build.gradle
Normal file
26
benchmark/build.gradle
Normal file
@@ -0,0 +1,26 @@
|
||||
plugins {
|
||||
alias catalog.plugins.gradle.jmh
|
||||
alias catalog.plugins.lombok
|
||||
}
|
||||
|
||||
import me.champeau.jmh.JMHTask
|
||||
|
||||
dependencies {
|
||||
implementation rootProject
|
||||
|
||||
implementation catalog.jwo
|
||||
implementation catalog.xz
|
||||
implementation catalog.jackson.databind
|
||||
|
||||
jmhAnnotationProcessor catalog.lombok
|
||||
}
|
||||
|
||||
jmh {
|
||||
threads = 4
|
||||
iterations = 2
|
||||
fork = 1
|
||||
warmupIterations = 1
|
||||
warmupForks = 0
|
||||
resultFormat = 'JSON'
|
||||
}
|
||||
|
||||
262
benchmark/src/jmh/java/net/woggioni/gbcs/benchmark/Main.java
Normal file
262
benchmark/src/jmh/java/net/woggioni/gbcs/benchmark/Main.java
Normal file
@@ -0,0 +1,262 @@
|
||||
package net.woggioni.gbcs.benchmark;
|
||||
|
||||
import lombok.Getter;
|
||||
import lombok.SneakyThrows;
|
||||
import net.woggioni.jwo.Fun;
|
||||
import org.openjdk.jmh.annotations.Benchmark;
|
||||
import org.openjdk.jmh.annotations.BenchmarkMode;
|
||||
import org.openjdk.jmh.annotations.Level;
|
||||
import org.openjdk.jmh.annotations.Mode;
|
||||
import org.openjdk.jmh.annotations.OutputTimeUnit;
|
||||
import org.openjdk.jmh.annotations.Scope;
|
||||
import org.openjdk.jmh.annotations.Setup;
|
||||
import org.openjdk.jmh.annotations.State;
|
||||
import org.openjdk.jmh.annotations.TearDown;
|
||||
|
||||
import javax.net.ssl.KeyManagerFactory;
|
||||
import javax.net.ssl.SSLContext;
|
||||
import javax.net.ssl.TrustManager;
|
||||
import javax.net.ssl.TrustManagerFactory;
|
||||
import java.net.URI;
|
||||
import java.net.http.HttpClient;
|
||||
import java.net.http.HttpRequest;
|
||||
import java.net.http.HttpResponse;
|
||||
import java.nio.charset.StandardCharsets;
|
||||
import java.nio.file.Files;
|
||||
import java.nio.file.Path;
|
||||
import java.security.KeyStore;
|
||||
import java.util.Arrays;
|
||||
import java.util.Base64;
|
||||
import java.util.Collections;
|
||||
import java.util.HashMap;
|
||||
import java.util.Iterator;
|
||||
import java.util.Map;
|
||||
import java.util.Optional;
|
||||
import java.util.Properties;
|
||||
import java.util.Random;
|
||||
import java.util.concurrent.TimeUnit;
|
||||
import java.util.function.Predicate;
|
||||
|
||||
public class Main {
|
||||
|
||||
@SneakyThrows
|
||||
private static Properties loadProperties() {
|
||||
Properties properties = new Properties();
|
||||
try (final var is = Main.class.getResourceAsStream("/benchmark.properties")) {
|
||||
properties.load(is);
|
||||
}
|
||||
return properties;
|
||||
}
|
||||
|
||||
private static final Properties properties = loadProperties();
|
||||
|
||||
@State(Scope.Thread)
|
||||
public static class ExecutionPlan {
|
||||
private final Random random = new Random(101325);
|
||||
|
||||
@Getter
|
||||
private final HttpClient client = createHttpClient();
|
||||
|
||||
private final Map<String, byte[]> entries = new HashMap<>();
|
||||
|
||||
|
||||
private HttpClient createHttpClient() {
|
||||
final var clientBuilder = HttpClient.newBuilder();
|
||||
getSslContext().ifPresent(clientBuilder::sslContext);
|
||||
return clientBuilder.build();
|
||||
}
|
||||
|
||||
public final Map<String, byte[]> getEntries() {
|
||||
return Collections.unmodifiableMap(entries);
|
||||
}
|
||||
|
||||
public Map.Entry<String, byte[]> newEntry() {
|
||||
final var keyBuffer = new byte[0x20];
|
||||
random.nextBytes(keyBuffer);
|
||||
final var key = Base64.getUrlEncoder().encodeToString(keyBuffer);
|
||||
final var value = new byte[0x1000];
|
||||
random.nextBytes(value);
|
||||
return Map.entry(key, value);
|
||||
}
|
||||
|
||||
@SneakyThrows
|
||||
public HttpRequest.Builder newRequestBuilder(String key) {
|
||||
final var requestBuilder = HttpRequest.newBuilder()
|
||||
.uri(getServerURI().resolve(key));
|
||||
String user = getUser();
|
||||
if (user != null) {
|
||||
requestBuilder.header("Authorization", buildAuthorizationHeader(user, getPassword()));
|
||||
}
|
||||
return requestBuilder;
|
||||
}
|
||||
|
||||
@SneakyThrows
|
||||
public URI getServerURI() {
|
||||
return new URI(properties.getProperty("gbcs.server.url"));
|
||||
}
|
||||
|
||||
@SneakyThrows
|
||||
public Optional<String> getClientTrustStorePassword() {
|
||||
return Optional.ofNullable(properties.getProperty("gbcs.client.ssl.truststore.password"))
|
||||
.filter(Predicate.not(String::isEmpty));
|
||||
|
||||
}
|
||||
|
||||
@SneakyThrows
|
||||
public Optional<KeyStore> getClientTrustStore() {
|
||||
return Optional.ofNullable(properties.getProperty("gbcs.client.ssl.truststore.file"))
|
||||
.filter(Predicate.not(String::isEmpty))
|
||||
.map(Path::of)
|
||||
.map((Fun<Path, KeyStore>) keyStoreFile -> {
|
||||
final var keyStore = KeyStore.getInstance("PKCS12");
|
||||
try (final var is = Files.newInputStream(keyStoreFile)) {
|
||||
keyStore.load(is, getClientTrustStorePassword().map(String::toCharArray).orElse(null));
|
||||
}
|
||||
return keyStore;
|
||||
});
|
||||
|
||||
}
|
||||
|
||||
@SneakyThrows
|
||||
public Optional<KeyStore> getClientKeyStore() {
|
||||
return Optional.ofNullable(properties.getProperty("gbcs.client.ssl.keystore.file"))
|
||||
.filter(Predicate.not(String::isEmpty))
|
||||
.map(Path::of)
|
||||
.map((Fun<Path, KeyStore>) keyStoreFile -> {
|
||||
final var keyStore = KeyStore.getInstance("PKCS12");
|
||||
try (final var is = Files.newInputStream(keyStoreFile)) {
|
||||
keyStore.load(is, getClientKeyStorePassword().map(String::toCharArray).orElse(null));
|
||||
}
|
||||
return keyStore;
|
||||
});
|
||||
|
||||
}
|
||||
|
||||
@SneakyThrows
|
||||
public Optional<String> getClientKeyStorePassword() {
|
||||
return Optional.ofNullable(properties.getProperty("gbcs.client.ssl.keystore.password"))
|
||||
.filter(Predicate.not(String::isEmpty));
|
||||
|
||||
}
|
||||
|
||||
@SneakyThrows
|
||||
public Optional<String> getClientKeyPassword() {
|
||||
return Optional.ofNullable(properties.getProperty("gbcs.client.ssl.key.password"))
|
||||
.filter(Predicate.not(String::isEmpty));
|
||||
|
||||
}
|
||||
|
||||
@SneakyThrows
|
||||
public String getUser() {
|
||||
return Optional.ofNullable(properties.getProperty("gbcs.server.username"))
|
||||
.filter(Predicate.not(String::isEmpty))
|
||||
.orElse(null);
|
||||
|
||||
}
|
||||
|
||||
@SneakyThrows
|
||||
public String getPassword() {
|
||||
return Optional.ofNullable(properties.getProperty("gbcs.server.password"))
|
||||
.filter(Predicate.not(String::isEmpty))
|
||||
.orElse(null);
|
||||
}
|
||||
|
||||
private String buildAuthorizationHeader(String user, String password) {
|
||||
final var b64 = Base64.getEncoder().encode(String.format("%s:%s", user, password).getBytes(StandardCharsets.UTF_8));
|
||||
return "Basic " + new String(b64);
|
||||
}
|
||||
|
||||
@SneakyThrows
|
||||
private Optional<SSLContext> getSslContext() {
|
||||
return getClientKeyStore().map((Fun<KeyStore, SSLContext>) clientKeyStore -> {
|
||||
final var kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
|
||||
kmf.init(clientKeyStore, getClientKeyStorePassword().map(String::toCharArray).orElse(null));
|
||||
|
||||
|
||||
// Set up trust manager factory with the truststore
|
||||
final var trustManagers = getClientTrustStore().map((Fun<KeyStore, TrustManager[]>) ts -> {
|
||||
final var tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
|
||||
tmf.init(ts);
|
||||
return tmf.getTrustManagers();
|
||||
}).orElse(new TrustManager[0]);
|
||||
|
||||
// Create SSL context with the key and trust managers
|
||||
final var sslContext = SSLContext.getInstance("TLS");
|
||||
sslContext.init(kmf.getKeyManagers(), trustManagers, null);
|
||||
return sslContext;
|
||||
});
|
||||
}
|
||||
|
||||
@SneakyThrows
|
||||
@Setup(Level.Trial)
|
||||
public void setUp() {
|
||||
final var client = getClient();
|
||||
for (int i = 0; i < 1000; i++) {
|
||||
final var pair = newEntry();
|
||||
final var requestBuilder = newRequestBuilder(pair.getKey())
|
||||
.header("Content-Type", "application/octet-stream")
|
||||
.PUT(HttpRequest.BodyPublishers.ofByteArray(pair.getValue()));
|
||||
final var response = client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofString());
|
||||
if (201 != response.statusCode()) {
|
||||
throw new IllegalStateException(Integer.toString(response.statusCode()));
|
||||
} else {
|
||||
entries.put(pair.getKey(), pair.getValue());
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@TearDown
|
||||
public void tearDown() {
|
||||
client.close();
|
||||
}
|
||||
|
||||
|
||||
private Iterator<Map.Entry<String, byte[]>> it = null;
|
||||
|
||||
private Map.Entry<String, byte[]> nextEntry() {
|
||||
if (it == null || !it.hasNext()) {
|
||||
it = getEntries().entrySet().iterator();
|
||||
}
|
||||
return it.next();
|
||||
}
|
||||
}
|
||||
|
||||
@SneakyThrows
|
||||
@Benchmark
|
||||
@BenchmarkMode(Mode.Throughput)
|
||||
@OutputTimeUnit(TimeUnit.SECONDS)
|
||||
public void get(ExecutionPlan plan) {
|
||||
final var client = plan.getClient();
|
||||
final var entry = plan.nextEntry();
|
||||
final var requestBuilder = plan.newRequestBuilder(entry.getKey())
|
||||
.header("Accept", "application/octet-stream")
|
||||
.GET();
|
||||
final var response = client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofByteArray());
|
||||
if (200 != response.statusCode()) {
|
||||
throw new IllegalStateException(Integer.toString(response.statusCode()));
|
||||
} else {
|
||||
if (!Arrays.equals(entry.getValue(), response.body())) {
|
||||
throw new IllegalStateException("Retrieved unexpected value");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@SneakyThrows
|
||||
@Benchmark
|
||||
@BenchmarkMode(Mode.Throughput)
|
||||
@OutputTimeUnit(TimeUnit.SECONDS)
|
||||
public void put(Main.ExecutionPlan plan) {
|
||||
final var client = plan.getClient();
|
||||
final var entry = plan.nextEntry();
|
||||
|
||||
final var requestBuilder = plan.newRequestBuilder(entry.getKey())
|
||||
.header("Content-Type", "application/octet-stream")
|
||||
.PUT(HttpRequest.BodyPublishers.ofByteArray(entry.getValue()));
|
||||
|
||||
final var response = client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofByteArray());
|
||||
if (201 != response.statusCode()) {
|
||||
throw new IllegalStateException(Integer.toString(response.statusCode()));
|
||||
}
|
||||
}
|
||||
}
|
||||
1
benchmark/src/jmh/resources/benchmark.properties
Normal file
1
benchmark/src/jmh/resources/benchmark.properties
Normal file
@@ -0,0 +1 @@
|
||||
gbcs.server.url= http://localhost:8080
|
||||
@@ -130,3 +130,9 @@ publishing {
|
||||
}
|
||||
}
|
||||
|
||||
tasks.register('version') {
|
||||
doLast {
|
||||
println("VERSION=$version")
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
|
||||
<gbcs:server useVirtualThreads="false" xmlns:xs="http://www.w3.org/2001/XMLSchema-instance"
|
||||
<gbcs:server useVirtualThreads="true" xmlns:xs="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xmlns:gbcs="urn:net.woggioni.gbcs"
|
||||
xmlns:gbcs-memcached="urn:net.woggioni.gbcs-memcached"
|
||||
xs:schemaLocation="urn:net.woggioni.gbcs-memcached jpms://net.woggioni.gbcs.memcached/net/woggioni/gbcs/memcached/schema/gbcs-memcached.xsd urn:net.woggioni.gbcs jpms://net.woggioni.gbcs/net/woggioni/gbcs/schema/gbcs.xsd">
|
||||
|
||||
21
conf/logback.xml
Normal file
21
conf/logback.xml
Normal file
@@ -0,0 +1,21 @@
|
||||
<?xml version="1.0" encoding="UTF-8" ?>
|
||||
<!DOCTYPE configuration>
|
||||
|
||||
<configuration>
|
||||
<import class="ch.qos.logback.classic.encoder.PatternLayoutEncoder"/>
|
||||
<import class="ch.qos.logback.core.ConsoleAppender"/>
|
||||
|
||||
<appender name="console" class="ConsoleAppender">
|
||||
<target>System.err</target>
|
||||
<encoder class="PatternLayoutEncoder">
|
||||
<pattern>%d [%highlight(%-5level)] \(%thread\) %logger{36} -%kvp- %msg %n</pattern>
|
||||
</encoder>
|
||||
</appender>
|
||||
|
||||
<root level="info">
|
||||
<appender-ref ref="console"/>
|
||||
</root>
|
||||
<logger name="io.netty" level="debug"/>
|
||||
<logger name="com.google.code.yanf4j" level="warn"/>
|
||||
<logger name="net.rubyeye.xmemcached" level="warn"/>
|
||||
</configuration>
|
||||
@@ -11,7 +11,6 @@ services:
|
||||
gbcs:
|
||||
build:
|
||||
context: .
|
||||
target: compose
|
||||
container_name: gbcs
|
||||
restart: unless-stopped
|
||||
ports:
|
||||
|
||||
21
docker/Dockerfile
Normal file
21
docker/Dockerfile
Normal file
@@ -0,0 +1,21 @@
|
||||
FROM alpine:latest AS base-release
|
||||
RUN --mount=type=cache,target=/var/cache/apk apk update
|
||||
RUN --mount=type=cache,target=/var/cache/apk apk add openjdk21-jre
|
||||
RUN adduser -D luser
|
||||
USER luser
|
||||
WORKDIR /home/luser
|
||||
|
||||
FROM base-release AS release
|
||||
ADD gbcs-cli-envelope-*.jar gbcs.jar
|
||||
ENTRYPOINT ["java", "-jar", "/home/luser/gbcs.jar"]
|
||||
|
||||
FROM base-release AS release-memcached
|
||||
ADD --chown=luser:luser gbcs-cli-envelope-*.jar gbcs.jar
|
||||
RUN mkdir plugins
|
||||
WORKDIR /home/luser/plugins
|
||||
RUN --mount=type=bind,source=.,target=/build/distributions tar -xf /build/distributions/gbcs-memcached*.tar
|
||||
WORKDIR /home/luser
|
||||
ENTRYPOINT ["java", "-jar", "/home/luser/gbcs.jar"]
|
||||
|
||||
FROM release-memcached as compose
|
||||
COPY --chown=luser:luser conf/gbcs-memcached.xml /home/luser/.config/gbcs/gbcs.xml
|
||||
67
docker/build.gradle
Normal file
67
docker/build.gradle
Normal file
@@ -0,0 +1,67 @@
|
||||
plugins {
|
||||
id 'base'
|
||||
alias(catalog.plugins.gradle.docker)
|
||||
}
|
||||
|
||||
import com.bmuschko.gradle.docker.tasks.image.DockerBuildImage
|
||||
import com.bmuschko.gradle.docker.tasks.image.DockerPushImage
|
||||
import com.bmuschko.gradle.docker.tasks.image.DockerTagImage
|
||||
|
||||
|
||||
configurations {
|
||||
docker {
|
||||
canBeResolved = true
|
||||
transitive = false
|
||||
visible = false
|
||||
canBeConsumed = false
|
||||
}
|
||||
}
|
||||
|
||||
dependencies {
|
||||
docker project(path: ':gbcs-cli', configuration: 'release')
|
||||
docker project(path: ':gbcs-memcached', configuration: 'release')
|
||||
}
|
||||
|
||||
Provider<Task> cleanTaskProvider = tasks.named(BasePlugin.CLEAN_TASK_NAME) {}
|
||||
|
||||
Provider<Copy> prepareDockerBuild = tasks.register('prepareDockerBuild', Copy) {
|
||||
dependsOn cleanTaskProvider
|
||||
group = 'docker'
|
||||
into project.layout.buildDirectory.file('docker')
|
||||
from(configurations.docker)
|
||||
from(file('Dockerfile'))
|
||||
}
|
||||
|
||||
Provider<DockerBuildImage> dockerBuild = tasks.register('dockerBuildImage', DockerBuildImage) {
|
||||
group = 'docker'
|
||||
dependsOn prepareDockerBuild
|
||||
images.add('gitea.woggioni.net/woggioni/gbcs:latest')
|
||||
images.add("gitea.woggioni.net/woggioni/gbcs:${version}")
|
||||
}
|
||||
|
||||
Provider<DockerTagImage> dockerTag = tasks.register('dockerTagImage', DockerTagImage) {
|
||||
group = 'docker'
|
||||
repository = 'gitea.woggioni.net/woggioni/gbcs'
|
||||
imageId = 'gitea.woggioni.net/woggioni/gbcs:latest'
|
||||
tag = version
|
||||
}
|
||||
|
||||
Provider<DockerTagImage> dockerTagMemcached = tasks.register('dockerTagMemcachedImage', DockerTagImage) {
|
||||
group = 'docker'
|
||||
repository = 'gitea.woggioni.net/woggioni/gbcs'
|
||||
imageId = 'gitea.woggioni.net/woggioni/gbcs:memcached'
|
||||
tag = "${version}-memcached"
|
||||
}
|
||||
|
||||
Provider<DockerPushImage> dockerPush = tasks.register('dockerPushImage', DockerPushImage) {
|
||||
group = 'docker'
|
||||
dependsOn dockerTag, dockerTagMemcached
|
||||
registryCredentials {
|
||||
url = getProperty('docker.registry.url')
|
||||
username = 'woggioni'
|
||||
password = System.getenv().get("PUBLISHER_TOKEN")
|
||||
}
|
||||
images = [dockerTag.flatMap{ it.tag }, dockerTagMemcached.flatMap{ it.tag }]
|
||||
}
|
||||
|
||||
|
||||
@@ -146,29 +146,29 @@ class Xml(val doc: Document, val element: Element) {
|
||||
dbf.isExpandEntityReferences = true
|
||||
dbf.isIgnoringComments = true
|
||||
dbf.isNamespaceAware = true
|
||||
dbf.isValidating = false
|
||||
dbf.setFeature("http://apache.org/xml/features/validation/schema", true);
|
||||
dbf.isValidating = schemaResourceURL == null
|
||||
dbf.setFeature("http://apache.org/xml/features/validation/schema", true)
|
||||
schemaResourceURL?.let {
|
||||
dbf.schema = getSchema(it)
|
||||
}
|
||||
return dbf
|
||||
}
|
||||
|
||||
fun newDocumentBuilder(resource: URL, schemaResourceURL: URL?): DocumentBuilder {
|
||||
val db = newDocumentBuilderFactory(schemaResourceURL).newDocumentBuilder()
|
||||
db.setErrorHandler(ErrorHandler(resource))
|
||||
return db
|
||||
}
|
||||
fun newDocumentBuilder(resource: URL, schemaResourceURL: URL?): DocumentBuilder {
|
||||
val db = newDocumentBuilderFactory(schemaResourceURL).newDocumentBuilder()
|
||||
db.setErrorHandler(ErrorHandler(resource))
|
||||
return db
|
||||
}
|
||||
|
||||
fun parseXmlResource(resource: URL, schemaResourceURL: URL?): Document {
|
||||
val db = newDocumentBuilder(resource, schemaResourceURL)
|
||||
return resource.openStream().use(db::parse)
|
||||
}
|
||||
fun parseXmlResource(resource: URL, schemaResourceURL: URL?): Document {
|
||||
val db = newDocumentBuilder(resource, schemaResourceURL)
|
||||
return resource.openStream().use(db::parse)
|
||||
}
|
||||
|
||||
fun parseXml(sourceURL : URL, sourceStream: InputStream? = null, schemaResourceURL: URL? = null): Document {
|
||||
val db = newDocumentBuilder(sourceURL, schemaResourceURL)
|
||||
return sourceStream?.let(db::parse) ?: sourceURL.openStream().use(db::parse)
|
||||
}
|
||||
fun parseXml(sourceURL: URL, sourceStream: InputStream? = null, schemaResourceURL: URL? = null): Document {
|
||||
val db = newDocumentBuilder(sourceURL, schemaResourceURL)
|
||||
return sourceStream?.let(db::parse) ?: sourceURL.openStream().use(db::parse)
|
||||
}
|
||||
|
||||
fun write(doc: Document, output: OutputStream) {
|
||||
val transformerFactory = TransformerFactory.newInstance()
|
||||
@@ -183,7 +183,12 @@ class Xml(val doc: Document, val element: Element) {
|
||||
transformer.transform(source, result)
|
||||
}
|
||||
|
||||
fun of(namespaceURI: String, qualifiedName: String, schemaResourceURL: URL? = null, cb: Xml.(el: Element) -> Unit): Document {
|
||||
fun of(
|
||||
namespaceURI: String,
|
||||
qualifiedName: String,
|
||||
schemaResourceURL: URL? = null,
|
||||
cb: Xml.(el: Element) -> Unit
|
||||
): Document {
|
||||
val dbf = newDocumentBuilderFactory(schemaResourceURL)
|
||||
val db = dbf.newDocumentBuilder()
|
||||
val doc = db.newDocument()
|
||||
@@ -207,7 +212,7 @@ class Xml(val doc: Document, val element: Element) {
|
||||
|
||||
fun node(
|
||||
name: String,
|
||||
namespaceURI : String? = null,
|
||||
namespaceURI: String? = null,
|
||||
attrs: Map<String, String> = emptyMap(),
|
||||
cb: Xml.(el: Element) -> Unit = {}
|
||||
): Element {
|
||||
@@ -222,7 +227,7 @@ class Xml(val doc: Document, val element: Element) {
|
||||
}
|
||||
}
|
||||
|
||||
fun attr(key: String, value: String, namespaceURI : String? = null) {
|
||||
fun attr(key: String, value: String, namespaceURI: String? = null) {
|
||||
element.setAttributeNS(namespaceURI, key, value)
|
||||
}
|
||||
|
||||
|
||||
@@ -21,6 +21,15 @@ tasks.named(JavaPlugin.COMPILE_JAVA_TASK_NAME, JavaCompile) {
|
||||
options.javaModuleMainClass = mainClassName
|
||||
}
|
||||
|
||||
configurations {
|
||||
release {
|
||||
transitive = false
|
||||
canBeConsumed = true
|
||||
canBeResolved = true
|
||||
visible = true
|
||||
}
|
||||
}
|
||||
|
||||
envelopeJar {
|
||||
mainModule = 'net.woggioni.gbcs.cli'
|
||||
mainClass = mainClassName
|
||||
@@ -56,6 +65,10 @@ tasks.named(NativeImagePlugin.NATIVE_IMAGE_TASK_NAME, NativeImageTask) {
|
||||
buildStaticImage = true
|
||||
}
|
||||
|
||||
artifacts {
|
||||
release(envelopeJarTaskProvider)
|
||||
}
|
||||
|
||||
publishing {
|
||||
publications {
|
||||
maven(MavenPublication) {
|
||||
@@ -64,3 +77,4 @@ publishing {
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
@@ -92,7 +92,8 @@ class GradleBuildCacheServerCli(application : Application, private val log : Log
|
||||
"Server configuration:\n${String(it.toByteArray())}"
|
||||
}
|
||||
}
|
||||
GradleBuildCacheServer(configuration).run().use {
|
||||
val server = GradleBuildCacheServer(configuration)
|
||||
server.run().use {
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -5,9 +5,9 @@ import net.woggioni.gbcs.cli.impl.GbcsCommand
|
||||
import net.woggioni.gbcs.cli.impl.converters.OutputStreamConverter
|
||||
import net.woggioni.jwo.UncloseableOutputStream
|
||||
import picocli.CommandLine
|
||||
import java.io.BufferedWriter
|
||||
import java.io.OutputStream
|
||||
import java.io.OutputStreamWriter
|
||||
import java.io.PrintWriter
|
||||
|
||||
|
||||
@CommandLine.Command(
|
||||
@@ -20,7 +20,7 @@ class PasswordHashCommand : GbcsCommand() {
|
||||
names = ["-o", "--output-file"],
|
||||
description = ["Write the output to a file instead of stdout"],
|
||||
converter = [OutputStreamConverter::class],
|
||||
defaultValue = "stdout",
|
||||
showDefaultValue = CommandLine.Help.Visibility.NEVER,
|
||||
paramLabel = "OUTPUT_FILE"
|
||||
)
|
||||
private var outputStream: OutputStream = UncloseableOutputStream(System.out)
|
||||
@@ -30,9 +30,8 @@ class PasswordHashCommand : GbcsCommand() {
|
||||
val password2 = String(System.console().readPassword("Type your password again for confirmation:"))
|
||||
if(password1 != password2) throw IllegalArgumentException("Passwords do not match")
|
||||
|
||||
BufferedWriter(OutputStreamWriter(outputStream, Charsets.UTF_8)).use {
|
||||
it.write(hashPassword(password1))
|
||||
it.newLine()
|
||||
PrintWriter(OutputStreamWriter(outputStream, Charsets.UTF_8)).use {
|
||||
it.println(hashPassword(password1))
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -12,10 +12,11 @@
|
||||
</encoder>
|
||||
</appender>
|
||||
|
||||
<root level="debug">
|
||||
<root level="info">
|
||||
<appender-ref ref="console"/>
|
||||
</root>
|
||||
<logger name="io.netty" level="debug"/>
|
||||
<logger name="io.netty.handler.ssl.BouncyCastlePemReader" level="info"/>
|
||||
<logger name="com.google.code.yanf4j" level="warn"/>
|
||||
<logger name="net.rubyeye.xmemcached" level="warn"/>
|
||||
</configuration>
|
||||
@@ -22,7 +22,15 @@ configurations {
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
release {
|
||||
transitive = false
|
||||
canBeConsumed = true
|
||||
canBeResolved = true
|
||||
visible = true
|
||||
}
|
||||
}
|
||||
|
||||
dependencies {
|
||||
compileOnly project(':gbcs-base')
|
||||
compileOnly project(':gbcs-api')
|
||||
@@ -40,6 +48,10 @@ tasks.named(BasePlugin.ASSEMBLE_TASK_NAME) {
|
||||
dependsOn(bundleTask)
|
||||
}
|
||||
|
||||
artifacts {
|
||||
release(bundleTask)
|
||||
}
|
||||
|
||||
publishing {
|
||||
publications {
|
||||
maven(MavenPublication) {
|
||||
|
||||
@@ -9,14 +9,16 @@ import net.woggioni.gbcs.base.Xml.Companion.asIterable
|
||||
import org.w3c.dom.Document
|
||||
import org.w3c.dom.Element
|
||||
import java.time.Duration
|
||||
import java.util.zip.Deflater
|
||||
|
||||
class MemcachedCacheProvider : CacheProvider<MemcachedCacheConfiguration> {
|
||||
override fun getXmlSchemaLocation() = "classpath:net/woggioni/gbcs/memcached/schema/gbcs-memcached.xsd"
|
||||
|
||||
override fun getXmlType() = "memcachedCacheType"
|
||||
|
||||
override fun getXmlNamespace()= "urn:net.woggioni.gbcs-memcached"
|
||||
override fun getXmlNamespace() = "urn:net.woggioni.gbcs-memcached"
|
||||
|
||||
val xmlNamespacePrefix : String
|
||||
get() = "gbcs-memcached"
|
||||
|
||||
override fun deserialize(el: Element): MemcachedCacheConfiguration {
|
||||
val servers = mutableListOf<HostAndPort>()
|
||||
@@ -35,7 +37,7 @@ class MemcachedCacheProvider : CacheProvider<MemcachedCacheConfiguration> {
|
||||
val compressionMode = el.getAttribute("compression-mode")
|
||||
.takeIf(String::isNotEmpty)
|
||||
?.let {
|
||||
when(it) {
|
||||
when (it) {
|
||||
"gzip" -> CompressionMode.GZIP
|
||||
"zip" -> CompressionMode.ZIP
|
||||
else -> CompressionMode.ZIP
|
||||
@@ -60,12 +62,14 @@ class MemcachedCacheProvider : CacheProvider<MemcachedCacheConfiguration> {
|
||||
)
|
||||
}
|
||||
|
||||
override fun serialize(doc: Document, cache : MemcachedCacheConfiguration) = cache.run {
|
||||
val result = doc.createElementNS(xmlNamespace,"cache")
|
||||
override fun serialize(doc: Document, cache: MemcachedCacheConfiguration) = cache.run {
|
||||
val result = doc.createElement("cache")
|
||||
Xml.of(doc, result) {
|
||||
attr("xs:type", xmlType, GBCS.XML_SCHEMA_NAMESPACE_URI)
|
||||
attr("xmlns:${xmlNamespacePrefix}", xmlNamespace, namespaceURI = "http://www.w3.org/2000/xmlns/")
|
||||
|
||||
attr("xs:type", "${xmlNamespacePrefix}:$xmlType", GBCS.XML_SCHEMA_NAMESPACE_URI)
|
||||
for (server in servers) {
|
||||
node("server", xmlNamespace) {
|
||||
node("server") {
|
||||
attr("host", server.host)
|
||||
attr("port", server.port.toString())
|
||||
}
|
||||
@@ -75,10 +79,12 @@ class MemcachedCacheProvider : CacheProvider<MemcachedCacheConfiguration> {
|
||||
digestAlgorithm?.let { digestAlgorithm ->
|
||||
attr("digest", digestAlgorithm)
|
||||
}
|
||||
attr("compression-mode", when(compressionMode) {
|
||||
CompressionMode.GZIP -> "gzip"
|
||||
CompressionMode.ZIP -> "zip"
|
||||
})
|
||||
attr(
|
||||
"compression-mode", when (compressionMode) {
|
||||
CompressionMode.GZIP -> "gzip"
|
||||
CompressionMode.ZIP -> "zip"
|
||||
}
|
||||
)
|
||||
}
|
||||
result
|
||||
}
|
||||
|
||||
@@ -20,14 +20,14 @@
|
||||
<xs:attribute name="max-age" type="xs:duration" default="P1D"/>
|
||||
<xs:attribute name="max-size" type="xs:unsignedInt" default="1048576"/>
|
||||
<xs:attribute name="digest" type="xs:token" />
|
||||
<xs:attribute name="compression-type" type="gbcs-memcached:compressionType" default="deflate"/>
|
||||
<xs:attribute name="compression-mode" type="gbcs-memcached:compressionType" default="zip"/>
|
||||
</xs:extension>
|
||||
</xs:complexContent>
|
||||
</xs:complexType>
|
||||
|
||||
<xs:simpleType name="compressionType">
|
||||
<xs:restriction base="xs:token">
|
||||
<xs:enumeration value="deflate"/>
|
||||
<xs:enumeration value="zip"/>
|
||||
<xs:enumeration value="gzip"/>
|
||||
</xs:restriction>
|
||||
</xs:simpleType>
|
||||
|
||||
@@ -4,6 +4,7 @@ org.gradle.caching=true
|
||||
|
||||
gbcs.version = 0.0.1
|
||||
|
||||
lys.version = 2025.01.09
|
||||
lys.version = 2025.01.10
|
||||
|
||||
gitea.maven.url = https://gitea.woggioni.net/api/packages/woggioni/maven
|
||||
docker.registry.url=gitea.woggioni.net
|
||||
|
||||
@@ -30,5 +30,6 @@ include 'gbcs-api'
|
||||
include 'gbcs-base'
|
||||
include 'gbcs-memcached'
|
||||
include 'gbcs-cli'
|
||||
|
||||
include 'docker'
|
||||
include 'benchmark'
|
||||
|
||||
|
||||
@@ -12,7 +12,6 @@ import io.netty.channel.ChannelInitializer
|
||||
import io.netty.channel.ChannelOption
|
||||
import io.netty.channel.ChannelPromise
|
||||
import io.netty.channel.DefaultFileRegion
|
||||
import io.netty.channel.EventLoopGroup
|
||||
import io.netty.channel.SimpleChannelInboundHandler
|
||||
import io.netty.channel.nio.NioEventLoopGroup
|
||||
import io.netty.channel.socket.nio.NioServerSocketChannel
|
||||
@@ -55,6 +54,7 @@ import net.woggioni.gbcs.base.PasswordSecurity.decodePasswordHash
|
||||
import net.woggioni.gbcs.base.PasswordSecurity.hashPassword
|
||||
import net.woggioni.gbcs.base.Xml
|
||||
import net.woggioni.gbcs.base.contextLogger
|
||||
import net.woggioni.gbcs.base.info
|
||||
import net.woggioni.gbcs.configuration.Parser
|
||||
import net.woggioni.gbcs.configuration.Serializer
|
||||
import net.woggioni.jwo.JWO
|
||||
@@ -69,7 +69,6 @@ import java.security.PrivateKey
|
||||
import java.security.cert.X509Certificate
|
||||
import java.util.Arrays
|
||||
import java.util.Base64
|
||||
import java.util.concurrent.Executors
|
||||
import java.util.regex.Matcher
|
||||
import java.util.regex.Pattern
|
||||
import javax.naming.ldap.LdapName
|
||||
@@ -103,6 +102,7 @@ class GradleBuildCacheServer(private val cfg: Configuration) {
|
||||
private class ClientCertificateAuthenticator(
|
||||
authorizer: Authorizer,
|
||||
private val sslEngine: SSLEngine,
|
||||
private val anonymousUserRoles: Set<Role>?,
|
||||
private val userExtractor: Configuration.UserExtractor?,
|
||||
private val groupExtractor: Configuration.GroupExtractor?,
|
||||
) : AbstractNettyHttpAuthenticator(authorizer) {
|
||||
@@ -113,16 +113,16 @@ class GradleBuildCacheServer(private val cfg: Configuration) {
|
||||
|
||||
override fun authenticate(ctx: ChannelHandlerContext, req: HttpRequest): Set<Role>? {
|
||||
return try {
|
||||
sslEngine.session.peerCertificates
|
||||
sslEngine.session.peerCertificates.takeIf {
|
||||
it.isNotEmpty()
|
||||
}?.let { peerCertificates ->
|
||||
val clientCertificate = peerCertificates.first() as X509Certificate
|
||||
val user = userExtractor?.extract(clientCertificate)
|
||||
val group = groupExtractor?.extract(clientCertificate)
|
||||
(group?.roles ?: emptySet()) + (user?.roles ?: emptySet())
|
||||
} ?: anonymousUserRoles
|
||||
} catch (es: SSLPeerUnverifiedException) {
|
||||
null
|
||||
}?.takeIf {
|
||||
it.isNotEmpty()
|
||||
}?.let { peerCertificates ->
|
||||
val clientCertificate = peerCertificates.first() as X509Certificate
|
||||
val user = userExtractor?.extract(clientCertificate)
|
||||
val group = groupExtractor?.extract(clientCertificate)
|
||||
(group?.roles ?: emptySet()) + (user?.roles ?: emptySet())
|
||||
anonymousUserRoles
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -140,21 +140,21 @@ class GradleBuildCacheServer(private val cfg: Configuration) {
|
||||
log.debug(ctx) {
|
||||
"Missing Authorization header"
|
||||
}
|
||||
return null
|
||||
return users[""]?.roles
|
||||
}
|
||||
val cursor = authorizationHeader.indexOf(' ')
|
||||
if (cursor < 0) {
|
||||
log.debug(ctx) {
|
||||
"Invalid Authorization header: '$authorizationHeader'"
|
||||
}
|
||||
return null
|
||||
return users[""]?.roles
|
||||
}
|
||||
val authenticationType = authorizationHeader.substring(0, cursor)
|
||||
if ("Basic" != authenticationType) {
|
||||
log.debug(ctx) {
|
||||
"Invalid authentication type header: '$authenticationType'"
|
||||
}
|
||||
return null
|
||||
return users[""]?.roles
|
||||
}
|
||||
val (username, password) = Base64.getDecoder().decode(authorizationHeader.substring(cursor + 1))
|
||||
.let(::String)
|
||||
@@ -178,40 +178,38 @@ class GradleBuildCacheServer(private val cfg: Configuration) {
|
||||
}
|
||||
}
|
||||
|
||||
private class ServerInitializer(private val cfg: Configuration) : ChannelInitializer<Channel>() {
|
||||
|
||||
private fun createSslCtx(tls: Configuration.Tls): SslContext {
|
||||
val keyStore = tls.keyStore
|
||||
return if (keyStore == null) {
|
||||
throw IllegalArgumentException("No keystore configured")
|
||||
} else {
|
||||
val javaKeyStore = loadKeystore(keyStore.file, keyStore.password)
|
||||
val serverKey = javaKeyStore.getKey(
|
||||
keyStore.keyAlias, keyStore.keyPassword?.let(String::toCharArray)
|
||||
) as PrivateKey
|
||||
val serverCert: Array<X509Certificate> =
|
||||
Arrays.stream(javaKeyStore.getCertificateChain(keyStore.keyAlias))
|
||||
.map { it as X509Certificate }
|
||||
.toArray { size -> Array<X509Certificate?>(size) { null } }
|
||||
SslContextBuilder.forServer(serverKey, *serverCert).apply {
|
||||
if (tls.isVerifyClients) {
|
||||
clientAuth(ClientAuth.OPTIONAL)
|
||||
val trustStore = tls.trustStore
|
||||
if (trustStore != null) {
|
||||
val ts = loadKeystore(trustStore.file, trustStore.password)
|
||||
trustManager(
|
||||
ClientCertificateValidator.getTrustManager(ts, trustStore.isCheckCertificateStatus)
|
||||
)
|
||||
}
|
||||
}
|
||||
}.build()
|
||||
}
|
||||
}
|
||||
|
||||
private val sslContext: SslContext? = cfg.tls?.let(this::createSslCtx)
|
||||
private val group: EventExecutorGroup = DefaultEventExecutorGroup(Runtime.getRuntime().availableProcessors())
|
||||
private class ServerInitializer(
|
||||
private val cfg: Configuration,
|
||||
private val eventExecutorGroup: EventExecutorGroup
|
||||
) : ChannelInitializer<Channel>() {
|
||||
|
||||
companion object {
|
||||
private fun createSslCtx(tls: Configuration.Tls): SslContext {
|
||||
val keyStore = tls.keyStore
|
||||
return if (keyStore == null) {
|
||||
throw IllegalArgumentException("No keystore configured")
|
||||
} else {
|
||||
val javaKeyStore = loadKeystore(keyStore.file, keyStore.password)
|
||||
val serverKey = javaKeyStore.getKey(
|
||||
keyStore.keyAlias, (keyStore.keyPassword ?: "").let(String::toCharArray)
|
||||
) as PrivateKey
|
||||
val serverCert: Array<X509Certificate> =
|
||||
Arrays.stream(javaKeyStore.getCertificateChain(keyStore.keyAlias))
|
||||
.map { it as X509Certificate }
|
||||
.toArray { size -> Array<X509Certificate?>(size) { null } }
|
||||
SslContextBuilder.forServer(serverKey, *serverCert).apply {
|
||||
if (tls.isVerifyClients) {
|
||||
clientAuth(ClientAuth.OPTIONAL)
|
||||
tls.trustStore?.let { trustStore ->
|
||||
val ts = loadKeystore(trustStore.file, trustStore.password)
|
||||
trustManager(
|
||||
ClientCertificateValidator.getTrustManager(ts, trustStore.isCheckCertificateStatus)
|
||||
)
|
||||
}
|
||||
}
|
||||
}.build()
|
||||
}
|
||||
}
|
||||
|
||||
fun loadKeystore(file: Path, password: String?): KeyStore {
|
||||
val ext = JWO.splitExtension(file)
|
||||
@@ -235,6 +233,8 @@ class GradleBuildCacheServer(private val cfg: Configuration) {
|
||||
}
|
||||
}
|
||||
|
||||
private val sslContext: SslContext? = cfg.tls?.let(Companion::createSslCtx)
|
||||
|
||||
private fun userExtractor(authentication: Configuration.ClientCertificateAuthentication) =
|
||||
authentication.userExtractor?.let { extractor ->
|
||||
val pattern = Pattern.compile(extractor.pattern)
|
||||
@@ -268,18 +268,17 @@ class GradleBuildCacheServer(private val cfg: Configuration) {
|
||||
val auth = cfg.authentication
|
||||
var authenticator: AbstractNettyHttpAuthenticator? = null
|
||||
if (auth is Configuration.BasicAuthentication) {
|
||||
val roleAuthorizer = RoleAuthorizer()
|
||||
authenticator = (NettyHttpBasicAuthenticator(cfg.users, roleAuthorizer))
|
||||
authenticator = (NettyHttpBasicAuthenticator(cfg.users, RoleAuthorizer()))
|
||||
}
|
||||
if (sslContext != null) {
|
||||
val sslHandler = sslContext.newHandler(ch.alloc())
|
||||
pipeline.addLast(sslHandler)
|
||||
|
||||
if (auth is Configuration.ClientCertificateAuthentication) {
|
||||
val roleAuthorizer = RoleAuthorizer()
|
||||
authenticator = ClientCertificateAuthenticator(
|
||||
roleAuthorizer,
|
||||
RoleAuthorizer(),
|
||||
sslHandler.engine(),
|
||||
cfg.users[""]?.roles,
|
||||
userExtractor(auth),
|
||||
groupExtractor(auth)
|
||||
)
|
||||
@@ -294,7 +293,7 @@ class GradleBuildCacheServer(private val cfg: Configuration) {
|
||||
}
|
||||
val cacheImplementation = cfg.cache.materialize()
|
||||
val prefix = Path.of("/").resolve(Path.of(cfg.serverPath ?: "/"))
|
||||
pipeline.addLast(group, ServerHandler(cacheImplementation, prefix))
|
||||
pipeline.addLast(eventExecutorGroup, ServerHandler(cacheImplementation, prefix))
|
||||
pipeline.addLast(ExceptionHandler())
|
||||
}
|
||||
}
|
||||
@@ -446,8 +445,7 @@ class GradleBuildCacheServer(private val cfg: Configuration) {
|
||||
|
||||
class ServerHandle(
|
||||
httpChannelFuture: ChannelFuture,
|
||||
private val bossGroup: EventLoopGroup,
|
||||
private val workerGroup: EventLoopGroup
|
||||
private val executorGroups: Iterable<EventExecutorGroup>
|
||||
) : AutoCloseable {
|
||||
private val httpChannel: Channel = httpChannelFuture.channel()
|
||||
|
||||
@@ -461,31 +459,35 @@ class GradleBuildCacheServer(private val cfg: Configuration) {
|
||||
try {
|
||||
closeFuture.sync()
|
||||
} finally {
|
||||
val fut1 = workerGroup.shutdownGracefully()
|
||||
val fut2 = if (bossGroup !== workerGroup) {
|
||||
bossGroup.shutdownGracefully()
|
||||
} else null
|
||||
fut1.sync()
|
||||
fut2?.sync()
|
||||
executorGroups.forEach {
|
||||
it.shutdownGracefully().sync()
|
||||
}
|
||||
}
|
||||
log.info {
|
||||
"GradleBuildCacheServer has been gracefully shut down"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
fun run(): ServerHandle {
|
||||
// Create the multithreaded event loops for the server
|
||||
val bossGroup = NioEventLoopGroup(0, Executors.defaultThreadFactory())
|
||||
val bossGroup = NioEventLoopGroup(0)
|
||||
val serverSocketChannel = NioServerSocketChannel::class.java
|
||||
val workerGroup = if (cfg.isUseVirtualThread) {
|
||||
NioEventLoopGroup(0, Executors.newVirtualThreadPerTaskExecutor())
|
||||
} else {
|
||||
bossGroup
|
||||
val workerGroup = bossGroup
|
||||
val eventExecutorGroup = run {
|
||||
val threadFactory = if (cfg.isUseVirtualThread) {
|
||||
Thread.ofVirtual().factory()
|
||||
} else {
|
||||
null
|
||||
}
|
||||
DefaultEventExecutorGroup(Runtime.getRuntime().availableProcessors(), threadFactory)
|
||||
}
|
||||
// A helper class that simplifies server configuration
|
||||
val bootstrap = ServerBootstrap().apply {
|
||||
// Configure the server
|
||||
group(bossGroup, workerGroup)
|
||||
channel(serverSocketChannel)
|
||||
childHandler(ServerInitializer(cfg))
|
||||
childHandler(ServerInitializer(cfg, eventExecutorGroup))
|
||||
option(ChannelOption.SO_BACKLOG, 128)
|
||||
childOption(ChannelOption.SO_KEEPALIVE, true)
|
||||
}
|
||||
@@ -494,7 +496,10 @@ class GradleBuildCacheServer(private val cfg: Configuration) {
|
||||
// Bind and start to accept incoming connections.
|
||||
val bindAddress = InetSocketAddress(cfg.host, cfg.port)
|
||||
val httpChannel = bootstrap.bind(bindAddress).sync()
|
||||
return ServerHandle(httpChannel, bossGroup, workerGroup)
|
||||
log.info {
|
||||
"GradleBuildCacheServer is listening on ${cfg.host}:${cfg.port}"
|
||||
}
|
||||
return ServerHandle(httpChannel, setOf(bossGroup, workerGroup, eventExecutorGroup))
|
||||
}
|
||||
|
||||
companion object {
|
||||
@@ -508,8 +513,10 @@ class GradleBuildCacheServer(private val cfg: Configuration) {
|
||||
return Parser.parse(doc)
|
||||
}
|
||||
|
||||
fun dumpConfiguration(conf : Configuration, outputStream: OutputStream) {
|
||||
fun dumpConfiguration(conf: Configuration, outputStream: OutputStream) {
|
||||
Xml.write(Serializer.serialize(conf), outputStream)
|
||||
}
|
||||
|
||||
private val log = contextLogger()
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,16 +1,18 @@
|
||||
package net.woggioni.gbcs.auth
|
||||
|
||||
import io.netty.channel.ChannelHandlerContext
|
||||
import io.netty.channel.ChannelInboundHandlerAdapter
|
||||
import io.netty.handler.ssl.SslHandler
|
||||
import io.netty.handler.ssl.SslHandshakeCompletionEvent
|
||||
import java.security.KeyStore
|
||||
import java.security.cert.CertPathValidator
|
||||
import java.security.cert.CertPathValidatorException
|
||||
import java.security.cert.CertificateException
|
||||
import java.security.cert.CertificateFactory
|
||||
import java.security.cert.PKIXParameters
|
||||
import java.security.cert.PKIXRevocationChecker
|
||||
import java.security.cert.X509Certificate
|
||||
import java.util.EnumSet
|
||||
import io.netty.channel.ChannelHandlerContext
|
||||
import io.netty.channel.ChannelInboundHandlerAdapter
|
||||
import io.netty.handler.ssl.SslHandler
|
||||
import io.netty.handler.ssl.SslHandshakeCompletionEvent
|
||||
import javax.net.ssl.SSLSession
|
||||
import javax.net.ssl.TrustManagerFactory
|
||||
import javax.net.ssl.X509TrustManager
|
||||
@@ -48,7 +50,11 @@ class ClientCertificateValidator private constructor(
|
||||
object : X509TrustManager {
|
||||
override fun checkClientTrusted(chain: Array<out X509Certificate>, authType: String) {
|
||||
val clientCertificateChain = certificateFactory.generateCertPath(chain.toList())
|
||||
validator.validate(clientCertificateChain, params)
|
||||
try {
|
||||
validator.validate(clientCertificateChain, params)
|
||||
} catch (ex : CertPathValidatorException) {
|
||||
throw CertificateException(ex)
|
||||
}
|
||||
}
|
||||
|
||||
override fun checkServerTrusted(chain: Array<out X509Certificate>, authType: String) {
|
||||
|
||||
@@ -23,28 +23,30 @@ object Parser {
|
||||
|
||||
fun parse(document: Document): Configuration {
|
||||
val root = document.documentElement
|
||||
val anonymousUser = User("", null, emptySet())
|
||||
var cache: Cache? = null
|
||||
var host = "127.0.0.1"
|
||||
var port = 11080
|
||||
var users = emptyMap<String, User>()
|
||||
var users : Map<String, User> = mapOf(anonymousUser.name to anonymousUser)
|
||||
var groups = emptyMap<String, Group>()
|
||||
var tls: Tls? = null
|
||||
val serverPath = root.getAttribute("path")
|
||||
val useVirtualThread = root.getAttribute("useVirtualThreads")
|
||||
.takeIf(String::isNotEmpty)
|
||||
?.let(String::toBoolean) ?: false
|
||||
?.let(String::toBoolean) ?: true
|
||||
var authentication: Authentication? = null
|
||||
for (child in root.asIterable()) {
|
||||
when (child.localName) {
|
||||
val tagName = child.localName
|
||||
when (tagName) {
|
||||
"authorization" -> {
|
||||
var knownUsers = sequenceOf(anonymousUser)
|
||||
for (gchild in child.asIterable()) {
|
||||
when (child.localName) {
|
||||
when (gchild.localName) {
|
||||
"users" -> {
|
||||
users = parseUsers(child)
|
||||
knownUsers += parseUsers(gchild)
|
||||
}
|
||||
|
||||
"groups" -> {
|
||||
val pair = parseGroups(child, users)
|
||||
val pair = parseGroups(gchild, knownUsers)
|
||||
users = pair.first
|
||||
groups = pair.second
|
||||
}
|
||||
@@ -76,17 +78,17 @@ object Parser {
|
||||
"client-certificate" -> {
|
||||
var tlsExtractorUser: TlsCertificateExtractor? = null
|
||||
var tlsExtractorGroup: TlsCertificateExtractor? = null
|
||||
for (gchild in child.asIterable()) {
|
||||
when (gchild.localName) {
|
||||
for (ggchild in gchild.asIterable()) {
|
||||
when (ggchild.localName) {
|
||||
"group-extractor" -> {
|
||||
val attrName = gchild.getAttribute("attribute-name")
|
||||
val pattern = gchild.getAttribute("pattern")
|
||||
val attrName = ggchild.getAttribute("attribute-name")
|
||||
val pattern = ggchild.getAttribute("pattern")
|
||||
tlsExtractorGroup = TlsCertificateExtractor(attrName, pattern)
|
||||
}
|
||||
|
||||
"user-extractor" -> {
|
||||
val attrName = gchild.getAttribute("attribute-name")
|
||||
val pattern = gchild.getAttribute("pattern")
|
||||
val attrName = ggchild.getAttribute("attribute-name")
|
||||
val pattern = ggchild.getAttribute("pattern")
|
||||
tlsExtractorUser = TlsCertificateExtractor(attrName, pattern)
|
||||
}
|
||||
}
|
||||
@@ -151,23 +153,22 @@ object Parser {
|
||||
}
|
||||
}.toSet()
|
||||
|
||||
private fun parseUserRefs(root: Element) = root.asIterable().asSequence().filter {
|
||||
it.localName == "user"
|
||||
}.map {
|
||||
private fun parseUserRefs(root: Element) = root.asIterable().asSequence().map {
|
||||
it.getAttribute("ref")
|
||||
}.toSet()
|
||||
|
||||
private fun parseUsers(root: Element): Map<String, User> {
|
||||
private fun parseUsers(root: Element): Sequence<User> {
|
||||
return root.asIterable().asSequence().filter {
|
||||
it.localName == "user"
|
||||
}.map { el ->
|
||||
val username = el.getAttribute("name")
|
||||
val password = el.getAttribute("password").takeIf(String::isNotEmpty)
|
||||
username to User(username, password, emptySet())
|
||||
}.toMap()
|
||||
User(username, password, emptySet())
|
||||
}
|
||||
}
|
||||
|
||||
private fun parseGroups(root: Element, knownUsers: Map<String, User>): Pair<Map<String, User>, Map<String, Group>> {
|
||||
private fun parseGroups(root: Element, knownUsers: Sequence<User>): Pair<Map<String, User>, Map<String, Group>> {
|
||||
val knownUsersMap = knownUsers.associateBy(User::getName)
|
||||
val userGroups = mutableMapOf<String, MutableSet<String>>()
|
||||
val groups = root.asIterable().asSequence().filter {
|
||||
it.localName == "group"
|
||||
@@ -177,7 +178,7 @@ object Parser {
|
||||
for (child in el.asIterable()) {
|
||||
when (child.localName) {
|
||||
"users" -> {
|
||||
parseUserRefs(child).mapNotNull(knownUsers::get).forEach { user ->
|
||||
parseUserRefs(child).mapNotNull(knownUsersMap::get).forEach { user ->
|
||||
userGroups.computeIfAbsent(user.name) {
|
||||
mutableSetOf()
|
||||
}.add(groupName)
|
||||
@@ -191,7 +192,7 @@ object Parser {
|
||||
}
|
||||
groupName to Group(groupName, roles)
|
||||
}.toMap()
|
||||
val users = knownUsers.map { (name, user) ->
|
||||
val users = knownUsersMap.map { (name, user) ->
|
||||
name to User(name, user.password, userGroups[name]?.mapNotNull { groups[it] }?.toSet() ?: emptySet())
|
||||
}.toMap()
|
||||
return users to groups
|
||||
|
||||
@@ -17,7 +17,7 @@ object Serializer {
|
||||
attr("useVirtualThreads", conf.isUseVirtualThread.toString())
|
||||
// attr("xmlns:xs", GradleBuildCacheServer.XML_SCHEMA_NAMESPACE_URI)
|
||||
val value = schemaLocations.asSequence().map { (k, v) -> "$k $v" }.joinToString(" ")
|
||||
attr("xs:schemaLocation",value , namespaceURI = GBCS.XML_SCHEMA_NAMESPACE_URI)
|
||||
attr("xs:schemaLocation", value , namespaceURI = GBCS.XML_SCHEMA_NAMESPACE_URI)
|
||||
|
||||
conf.serverPath
|
||||
?.takeIf(String::isNotEmpty)
|
||||
@@ -35,10 +35,12 @@ object Serializer {
|
||||
node("authorization") {
|
||||
node("users") {
|
||||
for(user in conf.users.values) {
|
||||
node("user") {
|
||||
attr("name", user.name)
|
||||
user.password?.let { password ->
|
||||
attr("password", password)
|
||||
if(user.name.isNotEmpty()) {
|
||||
node("user") {
|
||||
attr("name", user.name)
|
||||
user.password?.let { password ->
|
||||
attr("password", password)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -55,11 +57,19 @@ object Serializer {
|
||||
attr("name", group.name)
|
||||
if(users.isNotEmpty()) {
|
||||
node("users") {
|
||||
var anonymousUser : Configuration.User? = null
|
||||
for(user in users) {
|
||||
node("user") {
|
||||
attr("ref", user.name)
|
||||
if(user.name.isNotEmpty()) {
|
||||
node("user") {
|
||||
attr("ref", user.name)
|
||||
}
|
||||
} else {
|
||||
anonymousUser = user
|
||||
}
|
||||
}
|
||||
if(anonymousUser != null) {
|
||||
node("anonymous")
|
||||
}
|
||||
}
|
||||
}
|
||||
if(group.roles.isNotEmpty()) {
|
||||
@@ -82,6 +92,12 @@ object Serializer {
|
||||
}
|
||||
is Configuration.ClientCertificateAuthentication -> {
|
||||
node("client-certificate") {
|
||||
authentication.groupExtractor?.let { extractor ->
|
||||
node("group-extractor") {
|
||||
attr("attribute-name", extractor.rdnType)
|
||||
attr("pattern", extractor.pattern)
|
||||
}
|
||||
}
|
||||
authentication.userExtractor?.let { extractor ->
|
||||
node("user-extractor") {
|
||||
attr("attribute-name", extractor.rdnType)
|
||||
|
||||
@@ -10,9 +10,6 @@
|
||||
<xs:sequence minOccurs="0">
|
||||
<xs:element name="bind" type="gbcs:bindType" maxOccurs="1"/>
|
||||
<xs:element name="cache" type="gbcs:cacheType" maxOccurs="1"/>
|
||||
<!-- <xs:choice>-->
|
||||
<!-- <xs:element name="fileSystemCache" type="fileSystemCacheType"/>-->
|
||||
<!-- </xs:choice>-->
|
||||
<xs:element name="authorization" type="gbcs:authorizationType" minOccurs="0">
|
||||
<xs:key name="userId">
|
||||
<xs:selector xpath="users/user"/>
|
||||
@@ -24,11 +21,10 @@
|
||||
</xs:keyref>
|
||||
</xs:element>
|
||||
<xs:element name="authentication" type="gbcs:authenticationType" minOccurs="0" maxOccurs="1"/>
|
||||
<xs:element name="tls-certificate-authorization" type="gbcs:tlsCertificateAuthorizationType" minOccurs="0" maxOccurs="1"/>
|
||||
<xs:element name="tls" type="gbcs:tlsType" minOccurs="0" maxOccurs="1"/>
|
||||
</xs:sequence>
|
||||
<xs:attribute name="path" type="xs:string" use="optional"/>
|
||||
<xs:attribute name="useVirtualThreads" type="xs:boolean" use="optional"/>
|
||||
<xs:attribute name="useVirtualThreads" type="xs:boolean" use="optional" default="true"/>
|
||||
</xs:complexType>
|
||||
|
||||
<xs:complexType name="bindType">
|
||||
@@ -130,7 +126,8 @@
|
||||
|
||||
<xs:complexType name="userRefsType">
|
||||
<xs:sequence>
|
||||
<xs:element name="user" type="gbcs:userRefType" maxOccurs="unbounded" minOccurs="0"/>
|
||||
<xs:element name="user" type="gbcs:userRefType" maxOccurs="unbounded" minOccurs="0"/>
|
||||
<xs:element name="anonymous" minOccurs="0" maxOccurs="1"/>
|
||||
</xs:sequence>
|
||||
</xs:complexType>
|
||||
|
||||
|
||||
@@ -0,0 +1,76 @@
|
||||
package net.woggioni.gbcs.test
|
||||
|
||||
import net.woggioni.gbcs.api.Configuration
|
||||
import net.woggioni.gbcs.api.Role
|
||||
import net.woggioni.gbcs.base.Xml
|
||||
import net.woggioni.gbcs.cache.FileSystemCacheConfiguration
|
||||
import net.woggioni.gbcs.configuration.Serializer
|
||||
import net.woggioni.gbcs.utils.NetworkUtils
|
||||
import java.net.URI
|
||||
import java.net.http.HttpRequest
|
||||
import java.nio.charset.StandardCharsets
|
||||
import java.nio.file.Path
|
||||
import java.time.Duration
|
||||
import java.util.Base64
|
||||
import java.util.zip.Deflater
|
||||
import kotlin.random.Random
|
||||
|
||||
|
||||
abstract class AbstractBasicAuthServerTest : AbstractServerTest() {
|
||||
|
||||
private lateinit var cacheDir : Path
|
||||
|
||||
protected val random = Random(101325)
|
||||
protected val keyValuePair = newEntry(random)
|
||||
protected val serverPath = "gbcs"
|
||||
protected val readersGroup = Configuration.Group("readers", setOf(Role.Reader))
|
||||
protected val writersGroup = Configuration.Group("writers", setOf(Role.Writer))
|
||||
|
||||
abstract protected val users : List<Configuration.User>
|
||||
|
||||
override fun setUp() {
|
||||
this.cacheDir = testDir.resolve("cache")
|
||||
cfg = Configuration(
|
||||
"127.0.0.1",
|
||||
NetworkUtils.getFreePort(),
|
||||
serverPath,
|
||||
users.asSequence().map { it.name to it}.toMap(),
|
||||
sequenceOf(writersGroup, readersGroup).map { it.name to it}.toMap(),
|
||||
FileSystemCacheConfiguration(this.cacheDir,
|
||||
maxAge = Duration.ofSeconds(3600 * 24),
|
||||
digestAlgorithm = "MD5",
|
||||
compressionLevel = Deflater.DEFAULT_COMPRESSION,
|
||||
compressionEnabled = false
|
||||
),
|
||||
Configuration.BasicAuthentication(),
|
||||
null,
|
||||
true,
|
||||
)
|
||||
Xml.write(Serializer.serialize(cfg), System.out)
|
||||
}
|
||||
|
||||
override fun tearDown() {
|
||||
}
|
||||
|
||||
protected fun buildAuthorizationHeader(user : Configuration.User, password : String) : String {
|
||||
val b64 = Base64.getEncoder().encode("${user.name}:${password}".toByteArray(Charsets.UTF_8)).let{
|
||||
String(it, StandardCharsets.UTF_8)
|
||||
}
|
||||
return "Basic $b64"
|
||||
}
|
||||
|
||||
protected fun newRequestBuilder(key : String) = HttpRequest.newBuilder()
|
||||
.uri(URI.create("http://${cfg.host}:${cfg.port}/$serverPath/$key"))
|
||||
|
||||
|
||||
protected fun newEntry(random : Random) : Pair<String, ByteArray> {
|
||||
val key = ByteArray(0x10).let {
|
||||
random.nextBytes(it)
|
||||
Base64.getUrlEncoder().encodeToString(it)
|
||||
}
|
||||
val value = ByteArray(0x1000).also {
|
||||
random.nextBytes(it)
|
||||
}
|
||||
return key to value
|
||||
}
|
||||
}
|
||||
192
src/test/kotlin/net/woggioni/gbcs/test/AbstractTlsServerTest.kt
Normal file
192
src/test/kotlin/net/woggioni/gbcs/test/AbstractTlsServerTest.kt
Normal file
@@ -0,0 +1,192 @@
|
||||
package net.woggioni.gbcs.test
|
||||
|
||||
import io.netty.handler.codec.http.HttpResponseStatus
|
||||
import net.woggioni.gbcs.api.Configuration
|
||||
import net.woggioni.gbcs.api.Role
|
||||
import net.woggioni.gbcs.base.Xml
|
||||
import net.woggioni.gbcs.cache.FileSystemCacheConfiguration
|
||||
import net.woggioni.gbcs.configuration.Serializer
|
||||
import net.woggioni.gbcs.utils.CertificateUtils
|
||||
import net.woggioni.gbcs.utils.CertificateUtils.X509Credentials
|
||||
import net.woggioni.gbcs.utils.NetworkUtils
|
||||
import org.bouncycastle.asn1.x500.X500Name
|
||||
import org.junit.jupiter.api.Assertions
|
||||
import org.junit.jupiter.api.Order
|
||||
import org.junit.jupiter.api.Test
|
||||
import java.net.URI
|
||||
import java.net.http.HttpClient
|
||||
import java.net.http.HttpRequest
|
||||
import java.net.http.HttpResponse
|
||||
import java.nio.charset.StandardCharsets
|
||||
import java.nio.file.Files
|
||||
import java.nio.file.Path
|
||||
import java.security.KeyStore
|
||||
import java.security.KeyStore.PasswordProtection
|
||||
import java.time.Duration
|
||||
import java.util.Base64
|
||||
import java.util.zip.Deflater
|
||||
import javax.net.ssl.KeyManagerFactory
|
||||
import javax.net.ssl.SSLContext
|
||||
import javax.net.ssl.TrustManagerFactory
|
||||
import kotlin.random.Random
|
||||
|
||||
|
||||
abstract class AbstractTlsServerTest : AbstractServerTest() {
|
||||
|
||||
companion object {
|
||||
private const val CA_CERTIFICATE_ENTRY = "gbcs-ca"
|
||||
private const val CLIENT_CERTIFICATE_ENTRY = "gbcs-client"
|
||||
private const val SERVER_CERTIFICATE_ENTRY = "gbcs-server"
|
||||
private const val PASSWORD = "password"
|
||||
}
|
||||
|
||||
private lateinit var cacheDir: Path
|
||||
private lateinit var serverKeyStoreFile: Path
|
||||
private lateinit var clientKeyStoreFile: Path
|
||||
private lateinit var trustStoreFile: Path
|
||||
private lateinit var serverKeyStore: KeyStore
|
||||
private lateinit var clientKeyStore: KeyStore
|
||||
private lateinit var trustStore: KeyStore
|
||||
protected lateinit var ca: X509Credentials
|
||||
|
||||
protected val readersGroup = Configuration.Group("readers", setOf(Role.Reader))
|
||||
protected val writersGroup = Configuration.Group("writers", setOf(Role.Writer))
|
||||
protected val random = Random(101325)
|
||||
protected val keyValuePair = newEntry(random)
|
||||
private val serverPath : String? = null
|
||||
|
||||
protected abstract val users : List<Configuration.User>
|
||||
|
||||
protected fun createKeyStoreAndTrustStore() {
|
||||
ca = CertificateUtils.createCertificateAuthority(CA_CERTIFICATE_ENTRY, 30)
|
||||
val serverCert = CertificateUtils.createServerCertificate(ca, X500Name("CN=$SERVER_CERTIFICATE_ENTRY"), 30)
|
||||
val clientCert = CertificateUtils.createClientCertificate(ca, X500Name("CN=$CLIENT_CERTIFICATE_ENTRY"), 30)
|
||||
|
||||
serverKeyStore = KeyStore.getInstance("PKCS12").apply {
|
||||
load(null, null)
|
||||
setEntry(CA_CERTIFICATE_ENTRY, KeyStore.TrustedCertificateEntry(ca.certificate), PasswordProtection(null))
|
||||
setEntry(
|
||||
SERVER_CERTIFICATE_ENTRY,
|
||||
KeyStore.PrivateKeyEntry(
|
||||
serverCert.keyPair().private,
|
||||
arrayOf(serverCert.certificate(), ca.certificate)
|
||||
),
|
||||
PasswordProtection(PASSWORD.toCharArray())
|
||||
)
|
||||
}
|
||||
Files.newOutputStream(this.serverKeyStoreFile).use {
|
||||
serverKeyStore.store(it, null)
|
||||
}
|
||||
|
||||
clientKeyStore = KeyStore.getInstance("PKCS12").apply {
|
||||
load(null, null)
|
||||
setEntry(CA_CERTIFICATE_ENTRY, KeyStore.TrustedCertificateEntry(ca.certificate), PasswordProtection(null))
|
||||
setEntry(
|
||||
CLIENT_CERTIFICATE_ENTRY,
|
||||
KeyStore.PrivateKeyEntry(
|
||||
clientCert.keyPair().private,
|
||||
arrayOf(clientCert.certificate(), ca.certificate)
|
||||
),
|
||||
PasswordProtection(PASSWORD.toCharArray())
|
||||
)
|
||||
}
|
||||
Files.newOutputStream(this.clientKeyStoreFile).use {
|
||||
clientKeyStore.store(it, null)
|
||||
}
|
||||
|
||||
trustStore = KeyStore.getInstance("PKCS12").apply {
|
||||
load(null, null)
|
||||
setEntry(CA_CERTIFICATE_ENTRY, KeyStore.TrustedCertificateEntry(ca.certificate), PasswordProtection(null))
|
||||
}
|
||||
Files.newOutputStream(this.trustStoreFile).use {
|
||||
trustStore.store(it, null)
|
||||
}
|
||||
}
|
||||
|
||||
protected fun getClientKeyStore(ca: X509Credentials, subject: X500Name) = KeyStore.getInstance("PKCS12").apply {
|
||||
val clientCert = CertificateUtils.createClientCertificate(ca, subject, 30)
|
||||
|
||||
load(null, null)
|
||||
setEntry(CA_CERTIFICATE_ENTRY, KeyStore.TrustedCertificateEntry(ca.certificate), PasswordProtection(null))
|
||||
setEntry(
|
||||
CLIENT_CERTIFICATE_ENTRY,
|
||||
KeyStore.PrivateKeyEntry(clientCert.keyPair().private, arrayOf(clientCert.certificate(), ca.certificate)),
|
||||
PasswordProtection(PASSWORD.toCharArray())
|
||||
)
|
||||
}
|
||||
|
||||
protected fun getHttpClient(clientKeyStore: KeyStore?): HttpClient {
|
||||
val kmf = clientKeyStore?.let {
|
||||
KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()).apply {
|
||||
init(it, PASSWORD.toCharArray())
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
// Set up trust manager factory with the truststore
|
||||
val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
|
||||
tmf.init(trustStore)
|
||||
|
||||
// Create SSL context with the key and trust managers
|
||||
val sslContext = SSLContext.getInstance("TLS").apply {
|
||||
init(kmf?.keyManagers ?: emptyArray(), tmf.trustManagers, null)
|
||||
}
|
||||
return HttpClient.newBuilder().sslContext(sslContext).build()
|
||||
}
|
||||
|
||||
override fun setUp() {
|
||||
this.clientKeyStoreFile = testDir.resolve("client-keystore.p12")
|
||||
this.serverKeyStoreFile = testDir.resolve("server-keystore.p12")
|
||||
this.trustStoreFile = testDir.resolve("truststore.p12")
|
||||
this.cacheDir = testDir.resolve("cache")
|
||||
createKeyStoreAndTrustStore()
|
||||
cfg = Configuration(
|
||||
"127.0.0.1",
|
||||
NetworkUtils.getFreePort(),
|
||||
serverPath,
|
||||
users.asSequence().map { it.name to it }.toMap(),
|
||||
sequenceOf(writersGroup, readersGroup).map { it.name to it }.toMap(),
|
||||
FileSystemCacheConfiguration(this.cacheDir,
|
||||
maxAge = Duration.ofSeconds(3600 * 24),
|
||||
compressionEnabled = true,
|
||||
compressionLevel = Deflater.DEFAULT_COMPRESSION,
|
||||
digestAlgorithm = "MD5"
|
||||
),
|
||||
Configuration.ClientCertificateAuthentication(
|
||||
Configuration.TlsCertificateExtractor("CN", "(.*)"),
|
||||
null
|
||||
),
|
||||
Configuration.Tls(
|
||||
Configuration.KeyStore(this.serverKeyStoreFile, null, SERVER_CERTIFICATE_ENTRY, PASSWORD),
|
||||
Configuration.TrustStore(this.trustStoreFile, null, false),
|
||||
true
|
||||
),
|
||||
false,
|
||||
)
|
||||
Xml.write(Serializer.serialize(cfg), System.out)
|
||||
}
|
||||
|
||||
override fun tearDown() {
|
||||
}
|
||||
|
||||
protected fun newRequestBuilder(key: String) = HttpRequest.newBuilder()
|
||||
.uri(URI.create("https://${cfg.host}:${cfg.port}/${serverPath ?: ""}/$key"))
|
||||
|
||||
private fun buildAuthorizationHeader(user: Configuration.User, password: String): String {
|
||||
val b64 = Base64.getEncoder().encode("${user.name}:${password}".toByteArray(Charsets.UTF_8)).let {
|
||||
String(it, StandardCharsets.UTF_8)
|
||||
}
|
||||
return "Basic $b64"
|
||||
}
|
||||
|
||||
protected fun newEntry(random: Random): Pair<String, ByteArray> {
|
||||
val key = ByteArray(0x10).let {
|
||||
random.nextBytes(it)
|
||||
Base64.getUrlEncoder().encodeToString(it)
|
||||
}
|
||||
val value = ByteArray(0x1000).also {
|
||||
random.nextBytes(it)
|
||||
}
|
||||
return key to value
|
||||
}
|
||||
}
|
||||
@@ -4,90 +4,26 @@ import io.netty.handler.codec.http.HttpResponseStatus
|
||||
import net.woggioni.gbcs.api.Configuration
|
||||
import net.woggioni.gbcs.api.Role
|
||||
import net.woggioni.gbcs.base.PasswordSecurity.hashPassword
|
||||
import net.woggioni.gbcs.base.Xml
|
||||
import net.woggioni.gbcs.cache.FileSystemCacheConfiguration
|
||||
import net.woggioni.gbcs.configuration.Serializer
|
||||
import net.woggioni.gbcs.utils.NetworkUtils
|
||||
import org.junit.jupiter.api.Assertions
|
||||
import org.junit.jupiter.api.Order
|
||||
import org.junit.jupiter.api.Test
|
||||
import java.io.IOException
|
||||
import java.net.ServerSocket
|
||||
import java.net.URI
|
||||
import java.net.http.HttpClient
|
||||
import java.net.http.HttpRequest
|
||||
import java.net.http.HttpResponse
|
||||
import java.nio.charset.StandardCharsets
|
||||
import java.nio.file.Path
|
||||
import java.time.Duration
|
||||
import java.util.Base64
|
||||
import java.util.zip.Deflater
|
||||
import kotlin.random.Random
|
||||
|
||||
|
||||
class BasicAuthServerTest : AbstractServerTest() {
|
||||
class BasicAuthServerTest : AbstractBasicAuthServerTest() {
|
||||
|
||||
companion object {
|
||||
private const val PASSWORD = "password"
|
||||
}
|
||||
|
||||
private lateinit var cacheDir : Path
|
||||
|
||||
private val random = Random(101325)
|
||||
private val keyValuePair = newEntry(random)
|
||||
private val serverPath = "gbcs"
|
||||
|
||||
override fun setUp() {
|
||||
this.cacheDir = testDir.resolve("cache")
|
||||
val readersGroup = Configuration.Group("readers", setOf(Role.Reader))
|
||||
val writersGroup = Configuration.Group("writers", setOf(Role.Writer))
|
||||
cfg = Configuration(
|
||||
"127.0.0.1",
|
||||
NetworkUtils.getFreePort(),
|
||||
serverPath,
|
||||
listOf(
|
||||
Configuration.User("user1", hashPassword(PASSWORD), setOf(readersGroup)),
|
||||
Configuration.User("user2", hashPassword(PASSWORD), setOf(writersGroup)),
|
||||
Configuration.User("user3", hashPassword(PASSWORD), setOf(readersGroup, writersGroup))
|
||||
).asSequence().map { it.name to it}.toMap(),
|
||||
sequenceOf(writersGroup, readersGroup).map { it.name to it}.toMap(),
|
||||
FileSystemCacheConfiguration(this.cacheDir,
|
||||
maxAge = Duration.ofSeconds(3600 * 24),
|
||||
digestAlgorithm = "MD5",
|
||||
compressionLevel = Deflater.DEFAULT_COMPRESSION,
|
||||
compressionEnabled = false
|
||||
),
|
||||
Configuration.BasicAuthentication(),
|
||||
null,
|
||||
true,
|
||||
)
|
||||
Xml.write(Serializer.serialize(cfg), System.out)
|
||||
}
|
||||
|
||||
override fun tearDown() {
|
||||
}
|
||||
|
||||
fun buildAuthorizationHeader(user : Configuration.User, password : String) : String {
|
||||
val b64 = Base64.getEncoder().encode("${user.name}:${password}".toByteArray(Charsets.UTF_8)).let{
|
||||
String(it, StandardCharsets.UTF_8)
|
||||
}
|
||||
return "Basic $b64"
|
||||
}
|
||||
|
||||
fun newRequestBuilder(key : String) = HttpRequest.newBuilder()
|
||||
.uri(URI.create("http://${cfg.host}:${cfg.port}/$serverPath/$key"))
|
||||
|
||||
|
||||
fun newEntry(random : Random) : Pair<String, ByteArray> {
|
||||
val key = ByteArray(0x10).let {
|
||||
random.nextBytes(it)
|
||||
Base64.getUrlEncoder().encodeToString(it)
|
||||
}
|
||||
val value = ByteArray(0x1000).also {
|
||||
random.nextBytes(it)
|
||||
}
|
||||
return key to value
|
||||
}
|
||||
override val users = listOf(
|
||||
Configuration.User("user1", hashPassword(PASSWORD), setOf(readersGroup)),
|
||||
Configuration.User("user2", hashPassword(PASSWORD), setOf(writersGroup)),
|
||||
Configuration.User("user3", hashPassword(PASSWORD), setOf(readersGroup, writersGroup)),
|
||||
Configuration.User("", null, setOf(readersGroup))
|
||||
)
|
||||
|
||||
@Test
|
||||
@Order(1)
|
||||
@@ -100,7 +36,7 @@ class BasicAuthServerTest : AbstractServerTest() {
|
||||
.PUT(HttpRequest.BodyPublishers.ofByteArray(value))
|
||||
|
||||
val response: HttpResponse<String> = client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofString())
|
||||
Assertions.assertEquals(HttpResponseStatus.UNAUTHORIZED.code(), response.statusCode())
|
||||
Assertions.assertEquals(HttpResponseStatus.FORBIDDEN.code(), response.statusCode())
|
||||
}
|
||||
|
||||
@Test
|
||||
@@ -179,6 +115,20 @@ class BasicAuthServerTest : AbstractServerTest() {
|
||||
|
||||
@Test
|
||||
@Order(6)
|
||||
fun getAsAnonymousUser() {
|
||||
val client: HttpClient = HttpClient.newHttpClient()
|
||||
val (key, value) = keyValuePair
|
||||
|
||||
val requestBuilder = newRequestBuilder(key)
|
||||
.GET()
|
||||
|
||||
val response: HttpResponse<ByteArray> = client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofByteArray())
|
||||
Assertions.assertEquals(HttpResponseStatus.OK.code(), response.statusCode())
|
||||
Assertions.assertArrayEquals(value, response.body())
|
||||
}
|
||||
|
||||
@Test
|
||||
@Order(7)
|
||||
fun getMissingKeyAsAReaderUser() {
|
||||
val client: HttpClient = HttpClient.newHttpClient()
|
||||
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
package net.woggioni.gbcs.test
|
||||
|
||||
import net.woggioni.gbcs.base.GbcsUrlStreamHandlerFactory
|
||||
import net.woggioni.gbcs.base.GBCS.toUrl
|
||||
import net.woggioni.gbcs.base.GbcsUrlStreamHandlerFactory
|
||||
import net.woggioni.gbcs.base.Xml
|
||||
import net.woggioni.gbcs.configuration.Parser
|
||||
import net.woggioni.gbcs.configuration.Serializer
|
||||
@@ -18,6 +18,7 @@ class ConfigurationTest {
|
||||
strings = [
|
||||
"classpath:net/woggioni/gbcs/test/gbcs-default.xml",
|
||||
"classpath:net/woggioni/gbcs/test/gbcs-memcached.xml",
|
||||
"classpath:net/woggioni/gbcs/test/gbcs-tls.xml",
|
||||
]
|
||||
)
|
||||
@ParameterizedTest
|
||||
|
||||
@@ -0,0 +1,53 @@
|
||||
package net.woggioni.gbcs.test
|
||||
|
||||
import io.netty.handler.codec.http.HttpResponseStatus
|
||||
import net.woggioni.gbcs.api.Configuration
|
||||
import net.woggioni.gbcs.api.Role
|
||||
import net.woggioni.gbcs.base.PasswordSecurity.hashPassword
|
||||
import org.junit.jupiter.api.Assertions
|
||||
import org.junit.jupiter.api.Order
|
||||
import org.junit.jupiter.api.Test
|
||||
import java.net.http.HttpClient
|
||||
import java.net.http.HttpRequest
|
||||
import java.net.http.HttpResponse
|
||||
|
||||
|
||||
class NoAnonymousUserBasicAuthServerTest : AbstractBasicAuthServerTest() {
|
||||
|
||||
companion object {
|
||||
private const val PASSWORD = "anotherPassword"
|
||||
}
|
||||
|
||||
override val users = listOf(
|
||||
Configuration.User("user1", hashPassword(PASSWORD), setOf(readersGroup)),
|
||||
Configuration.User("user2", hashPassword(PASSWORD), setOf(writersGroup)),
|
||||
Configuration.User("user3", hashPassword(PASSWORD), setOf(readersGroup, writersGroup)),
|
||||
)
|
||||
|
||||
@Test
|
||||
@Order(1)
|
||||
fun putWithNoAuthorizationHeader() {
|
||||
val client: HttpClient = HttpClient.newHttpClient()
|
||||
val (key, value) = keyValuePair
|
||||
|
||||
val requestBuilder = newRequestBuilder(key)
|
||||
.header("Content-Type", "application/octet-stream")
|
||||
.PUT(HttpRequest.BodyPublishers.ofByteArray(value))
|
||||
|
||||
val response: HttpResponse<String> = client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofString())
|
||||
Assertions.assertEquals(HttpResponseStatus.UNAUTHORIZED.code(), response.statusCode())
|
||||
}
|
||||
|
||||
@Test
|
||||
@Order(2)
|
||||
fun getWithNoAuthorizationHeader() {
|
||||
val client: HttpClient = HttpClient.newHttpClient()
|
||||
val (key, value) = keyValuePair
|
||||
|
||||
val requestBuilder = newRequestBuilder(key)
|
||||
.GET()
|
||||
|
||||
val response: HttpResponse<ByteArray> = client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofByteArray())
|
||||
Assertions.assertEquals(HttpResponseStatus.UNAUTHORIZED.code(), response.statusCode())
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,47 @@
|
||||
package net.woggioni.gbcs.test
|
||||
|
||||
import io.netty.handler.codec.http.HttpResponseStatus
|
||||
import net.woggioni.gbcs.api.Configuration
|
||||
import org.junit.jupiter.api.Assertions
|
||||
import org.junit.jupiter.api.Order
|
||||
import org.junit.jupiter.api.Test
|
||||
import java.net.http.HttpClient
|
||||
import java.net.http.HttpRequest
|
||||
import java.net.http.HttpResponse
|
||||
|
||||
class NoAnonymousUserTlsServerTest : AbstractTlsServerTest() {
|
||||
|
||||
override val users = listOf(
|
||||
Configuration.User("user1", null, setOf(readersGroup)),
|
||||
Configuration.User("user2", null, setOf(writersGroup)),
|
||||
Configuration.User("user3", null, setOf(readersGroup, writersGroup)),
|
||||
)
|
||||
|
||||
@Test
|
||||
@Order(1)
|
||||
fun getAsAnonymousUser() {
|
||||
val (key, _) = keyValuePair
|
||||
val client: HttpClient = getHttpClient(null)
|
||||
|
||||
val requestBuilder = newRequestBuilder(key)
|
||||
.header("Content-Type", "application/octet-stream")
|
||||
.GET()
|
||||
|
||||
val response: HttpResponse<ByteArray> = client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofByteArray())
|
||||
Assertions.assertEquals(HttpResponseStatus.UNAUTHORIZED.code(), response.statusCode())
|
||||
}
|
||||
|
||||
@Test
|
||||
@Order(2)
|
||||
fun putAsAnonymousUser() {
|
||||
val (key, value) = keyValuePair
|
||||
val client: HttpClient = getHttpClient(null)
|
||||
|
||||
val requestBuilder = newRequestBuilder(key)
|
||||
.header("Content-Type", "application/octet-stream")
|
||||
.PUT(HttpRequest.BodyPublishers.ofByteArray(value))
|
||||
|
||||
val response: HttpResponse<String> = client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofString())
|
||||
Assertions.assertEquals(HttpResponseStatus.UNAUTHORIZED.code(), response.statusCode())
|
||||
}
|
||||
}
|
||||
@@ -105,4 +105,28 @@ class NoAuthServerTest : AbstractServerTest() {
|
||||
val response: HttpResponse<ByteArray> = client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofByteArray())
|
||||
Assertions.assertEquals(HttpResponseStatus.NOT_FOUND.code(), response.statusCode())
|
||||
}
|
||||
|
||||
// @Test
|
||||
// @Order(4)
|
||||
// fun manyRequestsTest() {
|
||||
// val client: HttpClient = HttpClient.newHttpClient()
|
||||
//
|
||||
// for(i in 0 until 100000) {
|
||||
//
|
||||
// val newEntry = random.nextBoolean()
|
||||
// val (key, _) = if(newEntry) {
|
||||
// newEntry(random)
|
||||
// } else {
|
||||
// keyValuePair
|
||||
// }
|
||||
// val requestBuilder = newRequestBuilder(key).GET()
|
||||
//
|
||||
// val response: HttpResponse<ByteArray> = client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofByteArray())
|
||||
// if(newEntry) {
|
||||
// Assertions.assertEquals(HttpResponseStatus.NOT_FOUND.code(), response.statusCode())
|
||||
// } else {
|
||||
// Assertions.assertEquals(HttpResponseStatus.OK.code(), response.statusCode())
|
||||
// }
|
||||
// }
|
||||
// }
|
||||
}
|
||||
@@ -32,185 +32,17 @@ import javax.net.ssl.TrustManagerFactory
|
||||
import kotlin.random.Random
|
||||
|
||||
|
||||
class TlsServerTest : AbstractServerTest() {
|
||||
class TlsServerTest : AbstractTlsServerTest() {
|
||||
|
||||
companion object {
|
||||
private const val CA_CERTIFICATE_ENTRY = "gbcs-ca"
|
||||
private const val CLIENT_CERTIFICATE_ENTRY = "gbcs-client"
|
||||
private const val SERVER_CERTIFICATE_ENTRY = "gbcs-server"
|
||||
private const val PASSWORD = "password"
|
||||
}
|
||||
|
||||
private lateinit var cacheDir: Path
|
||||
private lateinit var serverKeyStoreFile: Path
|
||||
private lateinit var clientKeyStoreFile: Path
|
||||
private lateinit var trustStoreFile: Path
|
||||
private lateinit var serverKeyStore: KeyStore
|
||||
private lateinit var clientKeyStore: KeyStore
|
||||
private lateinit var trustStore: KeyStore
|
||||
private lateinit var ca: X509Credentials
|
||||
|
||||
private val readersGroup = Configuration.Group("readers", setOf(Role.Reader))
|
||||
private val writersGroup = Configuration.Group("writers", setOf(Role.Writer))
|
||||
private val random = Random(101325)
|
||||
private val keyValuePair = newEntry(random)
|
||||
private val serverPath : String? = null
|
||||
|
||||
private val users = listOf(
|
||||
override val users = listOf(
|
||||
Configuration.User("user1", null, setOf(readersGroup)),
|
||||
Configuration.User("user2", null, setOf(writersGroup)),
|
||||
Configuration.User("user3", null, setOf(readersGroup, writersGroup))
|
||||
Configuration.User("user3", null, setOf(readersGroup, writersGroup)),
|
||||
Configuration.User("", null, setOf(readersGroup))
|
||||
)
|
||||
|
||||
fun createKeyStoreAndTrustStore() {
|
||||
ca = CertificateUtils.createCertificateAuthority(CA_CERTIFICATE_ENTRY, 30)
|
||||
val serverCert = CertificateUtils.createServerCertificate(ca, X500Name("CN=$SERVER_CERTIFICATE_ENTRY"), 30)
|
||||
val clientCert = CertificateUtils.createClientCertificate(ca, X500Name("CN=$CLIENT_CERTIFICATE_ENTRY"), 30)
|
||||
|
||||
serverKeyStore = KeyStore.getInstance("PKCS12").apply {
|
||||
load(null, null)
|
||||
setEntry(CA_CERTIFICATE_ENTRY, KeyStore.TrustedCertificateEntry(ca.certificate), PasswordProtection(null))
|
||||
setEntry(
|
||||
SERVER_CERTIFICATE_ENTRY,
|
||||
KeyStore.PrivateKeyEntry(
|
||||
serverCert.keyPair().private,
|
||||
arrayOf(serverCert.certificate(), ca.certificate)
|
||||
),
|
||||
PasswordProtection(PASSWORD.toCharArray())
|
||||
)
|
||||
}
|
||||
Files.newOutputStream(this.serverKeyStoreFile).use {
|
||||
serverKeyStore.store(it, null)
|
||||
}
|
||||
|
||||
clientKeyStore = KeyStore.getInstance("PKCS12").apply {
|
||||
load(null, null)
|
||||
setEntry(CA_CERTIFICATE_ENTRY, KeyStore.TrustedCertificateEntry(ca.certificate), PasswordProtection(null))
|
||||
setEntry(
|
||||
CLIENT_CERTIFICATE_ENTRY,
|
||||
KeyStore.PrivateKeyEntry(
|
||||
clientCert.keyPair().private,
|
||||
arrayOf(clientCert.certificate(), ca.certificate)
|
||||
),
|
||||
PasswordProtection(PASSWORD.toCharArray())
|
||||
)
|
||||
}
|
||||
Files.newOutputStream(this.clientKeyStoreFile).use {
|
||||
clientKeyStore.store(it, null)
|
||||
}
|
||||
|
||||
trustStore = KeyStore.getInstance("PKCS12").apply {
|
||||
load(null, null)
|
||||
setEntry(CA_CERTIFICATE_ENTRY, KeyStore.TrustedCertificateEntry(ca.certificate), PasswordProtection(null))
|
||||
}
|
||||
Files.newOutputStream(this.trustStoreFile).use {
|
||||
trustStore.store(it, null)
|
||||
}
|
||||
}
|
||||
|
||||
fun getClientKeyStore(ca: X509Credentials, subject: X500Name) = KeyStore.getInstance("PKCS12").apply {
|
||||
val clientCert = CertificateUtils.createClientCertificate(ca, subject, 30)
|
||||
|
||||
load(null, null)
|
||||
setEntry(CA_CERTIFICATE_ENTRY, KeyStore.TrustedCertificateEntry(ca.certificate), PasswordProtection(null))
|
||||
setEntry(
|
||||
CLIENT_CERTIFICATE_ENTRY,
|
||||
KeyStore.PrivateKeyEntry(clientCert.keyPair().private, arrayOf(clientCert.certificate(), ca.certificate)),
|
||||
PasswordProtection(PASSWORD.toCharArray())
|
||||
)
|
||||
}
|
||||
|
||||
fun getHttpClient(clientKeyStore: KeyStore?): HttpClient {
|
||||
val kmf = clientKeyStore?.let {
|
||||
KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()).apply {
|
||||
init(it, PASSWORD.toCharArray())
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
// Set up trust manager factory with the truststore
|
||||
val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
|
||||
tmf.init(trustStore)
|
||||
|
||||
// Create SSL context with the key and trust managers
|
||||
val sslContext = SSLContext.getInstance("TLS").apply {
|
||||
init(kmf?.keyManagers ?: emptyArray(), tmf.trustManagers, null)
|
||||
}
|
||||
return HttpClient.newBuilder().sslContext(sslContext).build()
|
||||
}
|
||||
|
||||
override fun setUp() {
|
||||
this.clientKeyStoreFile = testDir.resolve("client-keystore.p12")
|
||||
this.serverKeyStoreFile = testDir.resolve("server-keystore.p12")
|
||||
this.trustStoreFile = testDir.resolve("truststore.p12")
|
||||
this.cacheDir = testDir.resolve("cache")
|
||||
createKeyStoreAndTrustStore()
|
||||
cfg = Configuration(
|
||||
"127.0.0.1",
|
||||
NetworkUtils.getFreePort(),
|
||||
serverPath,
|
||||
users.asSequence().map { it.name to it }.toMap(),
|
||||
sequenceOf(writersGroup, readersGroup).map { it.name to it }.toMap(),
|
||||
FileSystemCacheConfiguration(this.cacheDir,
|
||||
maxAge = Duration.ofSeconds(3600 * 24),
|
||||
compressionEnabled = true,
|
||||
compressionLevel = Deflater.DEFAULT_COMPRESSION,
|
||||
digestAlgorithm = "MD5"
|
||||
),
|
||||
Configuration.ClientCertificateAuthentication(
|
||||
Configuration.TlsCertificateExtractor("CN", "(.*)"),
|
||||
null
|
||||
),
|
||||
Configuration.Tls(
|
||||
Configuration.KeyStore(this.serverKeyStoreFile, null, SERVER_CERTIFICATE_ENTRY, PASSWORD),
|
||||
Configuration.TrustStore(this.trustStoreFile, null, false),
|
||||
true
|
||||
),
|
||||
false,
|
||||
)
|
||||
Xml.write(Serializer.serialize(cfg), System.out)
|
||||
}
|
||||
|
||||
override fun tearDown() {
|
||||
}
|
||||
|
||||
fun newRequestBuilder(key: String) = HttpRequest.newBuilder()
|
||||
.uri(URI.create("https://${cfg.host}:${cfg.port}/${serverPath ?: ""}/$key"))
|
||||
|
||||
fun buildAuthorizationHeader(user: Configuration.User, password: String): String {
|
||||
val b64 = Base64.getEncoder().encode("${user.name}:${password}".toByteArray(Charsets.UTF_8)).let {
|
||||
String(it, StandardCharsets.UTF_8)
|
||||
}
|
||||
return "Basic $b64"
|
||||
}
|
||||
|
||||
fun newEntry(random: Random): Pair<String, ByteArray> {
|
||||
val key = ByteArray(0x10).let {
|
||||
random.nextBytes(it)
|
||||
Base64.getUrlEncoder().encodeToString(it)
|
||||
}
|
||||
val value = ByteArray(0x1000).also {
|
||||
random.nextBytes(it)
|
||||
}
|
||||
return key to value
|
||||
}
|
||||
|
||||
@Test
|
||||
@Order(1)
|
||||
fun putWithNoClientCertificate() {
|
||||
val client: HttpClient = getHttpClient(null)
|
||||
val (key, value) = keyValuePair
|
||||
|
||||
val requestBuilder = newRequestBuilder(key)
|
||||
.header("Content-Type", "application/octet-stream")
|
||||
.PUT(HttpRequest.BodyPublishers.ofByteArray(value))
|
||||
|
||||
val response: HttpResponse<String> = client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofString())
|
||||
Assertions.assertEquals(HttpResponseStatus.UNAUTHORIZED.code(), response.statusCode())
|
||||
}
|
||||
|
||||
@Test
|
||||
@Order(2)
|
||||
fun putAsAReaderUser() {
|
||||
val (key, value) = keyValuePair
|
||||
val user = cfg.users.values.find {
|
||||
@@ -226,7 +58,7 @@ class TlsServerTest : AbstractServerTest() {
|
||||
}
|
||||
|
||||
@Test
|
||||
@Order(3)
|
||||
@Order(2)
|
||||
fun getAsAWriterUser() {
|
||||
val (key, _) = keyValuePair
|
||||
val user = cfg.users.values.find {
|
||||
@@ -235,7 +67,6 @@ class TlsServerTest : AbstractServerTest() {
|
||||
val client: HttpClient = getHttpClient(getClientKeyStore(ca, X500Name("CN=${user.name}")))
|
||||
|
||||
val requestBuilder = newRequestBuilder(key)
|
||||
.header("Authorization", buildAuthorizationHeader(user, PASSWORD))
|
||||
.GET()
|
||||
|
||||
val response: HttpResponse<String> = client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofString())
|
||||
@@ -243,7 +74,7 @@ class TlsServerTest : AbstractServerTest() {
|
||||
}
|
||||
|
||||
@Test
|
||||
@Order(4)
|
||||
@Order(3)
|
||||
fun putAsAWriterUser() {
|
||||
val (key, value) = keyValuePair
|
||||
val user = cfg.users.values.find {
|
||||
@@ -253,7 +84,6 @@ class TlsServerTest : AbstractServerTest() {
|
||||
|
||||
val requestBuilder = newRequestBuilder(key)
|
||||
.header("Content-Type", "application/octet-stream")
|
||||
.header("Authorization", buildAuthorizationHeader(user, PASSWORD))
|
||||
.PUT(HttpRequest.BodyPublishers.ofByteArray(value))
|
||||
|
||||
val response: HttpResponse<String> = client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofString())
|
||||
@@ -261,7 +91,7 @@ class TlsServerTest : AbstractServerTest() {
|
||||
}
|
||||
|
||||
@Test
|
||||
@Order(5)
|
||||
@Order(4)
|
||||
fun getAsAReaderUser() {
|
||||
val (key, value) = keyValuePair
|
||||
val user = cfg.users.values.find {
|
||||
@@ -270,7 +100,6 @@ class TlsServerTest : AbstractServerTest() {
|
||||
val client: HttpClient = getHttpClient(getClientKeyStore(ca, X500Name("CN=${user.name}")))
|
||||
|
||||
val requestBuilder = newRequestBuilder(key)
|
||||
.header("Authorization", buildAuthorizationHeader(user, PASSWORD))
|
||||
.GET()
|
||||
|
||||
val response: HttpResponse<ByteArray> =
|
||||
@@ -280,7 +109,7 @@ class TlsServerTest : AbstractServerTest() {
|
||||
}
|
||||
|
||||
@Test
|
||||
@Order(6)
|
||||
@Order(5)
|
||||
fun getMissingKeyAsAReaderUser() {
|
||||
val (key, _) = newEntry(random)
|
||||
val user = cfg.users.values.find {
|
||||
@@ -289,11 +118,39 @@ class TlsServerTest : AbstractServerTest() {
|
||||
val client: HttpClient = getHttpClient(getClientKeyStore(ca, X500Name("CN=${user.name}")))
|
||||
|
||||
val requestBuilder = newRequestBuilder(key)
|
||||
.header("Authorization", buildAuthorizationHeader(user, PASSWORD))
|
||||
.GET()
|
||||
|
||||
val response: HttpResponse<ByteArray> =
|
||||
client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofByteArray())
|
||||
Assertions.assertEquals(HttpResponseStatus.NOT_FOUND.code(), response.statusCode())
|
||||
}
|
||||
|
||||
@Test
|
||||
@Order(6)
|
||||
fun getAsAnonymousUser() {
|
||||
val (key, value) = keyValuePair
|
||||
val client: HttpClient = getHttpClient(null)
|
||||
|
||||
val requestBuilder = newRequestBuilder(key)
|
||||
.header("Content-Type", "application/octet-stream")
|
||||
.GET()
|
||||
|
||||
val response: HttpResponse<ByteArray> = client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofByteArray())
|
||||
Assertions.assertEquals(HttpResponseStatus.OK.code(), response.statusCode())
|
||||
Assertions.assertArrayEquals(value, response.body())
|
||||
}
|
||||
|
||||
@Test
|
||||
@Order(7)
|
||||
fun putAsAnonymousUser() {
|
||||
val (key, value) = keyValuePair
|
||||
val client: HttpClient = getHttpClient(null)
|
||||
|
||||
val requestBuilder = newRequestBuilder(key)
|
||||
.header("Content-Type", "application/octet-stream")
|
||||
.PUT(HttpRequest.BodyPublishers.ofByteArray(value))
|
||||
|
||||
val response: HttpResponse<String> = client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofString())
|
||||
Assertions.assertEquals(HttpResponseStatus.FORBIDDEN.code(), response.statusCode())
|
||||
}
|
||||
}
|
||||
21
src/test/resources/logback.xml
Normal file
21
src/test/resources/logback.xml
Normal file
@@ -0,0 +1,21 @@
|
||||
<?xml version="1.0" encoding="UTF-8" ?>
|
||||
<!DOCTYPE configuration>
|
||||
|
||||
<configuration>
|
||||
<import class="ch.qos.logback.classic.encoder.PatternLayoutEncoder"/>
|
||||
<import class="ch.qos.logback.core.ConsoleAppender"/>
|
||||
|
||||
<appender name="console" class="ConsoleAppender">
|
||||
<target>System.err</target>
|
||||
<encoder class="PatternLayoutEncoder">
|
||||
<pattern>%d [%highlight(%-5level)] \(%thread\) %logger{36} -%kvp- %msg %n</pattern>
|
||||
</encoder>
|
||||
</appender>
|
||||
|
||||
<root level="info">
|
||||
<appender-ref ref="console"/>
|
||||
</root>
|
||||
<logger name="io.netty" level="debug"/>
|
||||
<logger name="com.google.code.yanf4j" level="warn"/>
|
||||
<logger name="net.rubyeye.xmemcached" level="warn"/>
|
||||
</configuration>
|
||||
@@ -4,7 +4,7 @@
|
||||
xmlns:gbcs-memcached="urn:net.woggioni.gbcs-memcached"
|
||||
xs:schemaLocation="urn:net.woggioni.gbcs-memcached jpms://net.woggioni.gbcs.memcached/net/woggioni/gbcs/memcached/schema/gbcs-memcached.xsd urn:net.woggioni.gbcs jpms://net.woggioni.gbcs/net/woggioni/gbcs/schema/gbcs.xsd">
|
||||
<bind host="127.0.0.1" port="11443" />
|
||||
<cache xs:type="gbcs-memcached:memcachedCacheType" max-age="P7D" max-size="101325" compression-mode="gzip" digest="SHA-256">
|
||||
<cache xs:type="gbcs-memcached:memcachedCacheType" max-age="P7D" max-size="101325" digest="SHA-256">
|
||||
<server host="127.0.0.1" port="11211"/>
|
||||
</cache>
|
||||
<authentication>
|
||||
|
||||
53
src/test/resources/net/woggioni/gbcs/test/gbcs-tls.xml
Normal file
53
src/test/resources/net/woggioni/gbcs/test/gbcs-tls.xml
Normal file
@@ -0,0 +1,53 @@
|
||||
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
|
||||
<gbcs:server useVirtualThreads="false" xmlns:xs="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xmlns:gbcs="urn:net.woggioni.gbcs"
|
||||
xs:schemaLocation="urn:net.woggioni.gbcs jpms://net.woggioni.gbcs/net/woggioni/gbcs/schema/gbcs.xsd">
|
||||
<bind host="127.0.0.1" port="11443"/>
|
||||
<cache xs:type="gbcs:fileSystemCacheType" path="/tmp/gbcs" max-age="P7D"/>
|
||||
<authorization>
|
||||
<users>
|
||||
<user name="user1" password="password1"/>
|
||||
<user name="user2" password="password2"/>
|
||||
<user name="user3" password="password3"/>
|
||||
</users>
|
||||
<groups>
|
||||
<group name="readers">
|
||||
<users>
|
||||
<user ref="user1"/>
|
||||
<!-- <user ref="user5"/>-->
|
||||
<anonymous/>
|
||||
</users>
|
||||
<roles>
|
||||
<reader/>
|
||||
</roles>
|
||||
</group>
|
||||
<group name="writers">
|
||||
<users>
|
||||
<user ref="user2"/>
|
||||
</users>
|
||||
<roles>
|
||||
<writer/>
|
||||
</roles>
|
||||
</group>
|
||||
<group name="readers-writers">
|
||||
<users>
|
||||
<user ref="user3"/>
|
||||
</users>
|
||||
<roles>
|
||||
<reader/>
|
||||
<writer/>
|
||||
</roles>
|
||||
</group>
|
||||
</groups>
|
||||
</authorization>
|
||||
<authentication>
|
||||
<client-certificate>
|
||||
<group-extractor pattern="group-pattern" attribute-name="O"/>
|
||||
<user-extractor pattern="user-pattern" attribute-name="CN"/>
|
||||
</client-certificate>
|
||||
</authentication>
|
||||
<tls>
|
||||
<keystore file="keystore.pfx" key-alias="key1" password="password" key-password="key-password"/>
|
||||
<truststore file="truststore.pfx" password="password" check-certificate-status="true" />
|
||||
</tls>
|
||||
</gbcs:server>
|
||||
Reference in New Issue
Block a user