ssl bug fix and tests

roberttoyonaga · roberttoyonaga · commit 9d25674bb878 · 2023-03-24T11:36:05.000-04:00
diff --git a/substratevm/src/com.oracle.svm.hosted/src/com/oracle/svm/hosted/jdk/JmxClientFeature.java b/substratevm/src/com.oracle.svm.hosted/src/com/oracle/svm/hosted/jdk/JmxClientFeature.java
@@ -61,9 +61,8 @@ private static void configureReflection(BeforeAnalysisAccess access) {
         RuntimeReflection.register(access.findClassByName("com.sun.jndi.url.rmi.rmiURLContextFactory"));
         RuntimeReflection.register(access.findClassByName("sun.rmi.server.UnicastRef"));
 
-        RuntimeReflection.register(access.findClassByName("sun.rmi.server.UnicastRef").getMethods());
-
         RuntimeReflection.register(access.findClassByName("com.sun.jndi.url.rmi.rmiURLContextFactory").getConstructors());
         RuntimeReflection.register(access.findClassByName("sun.rmi.server.UnicastRef").getConstructors());
+        RuntimeReflection.register(access.findClassByName("sun.rmi.server.UnicastRef2").getConstructors());
     }
 }
diff --git a/substratevm/src/com.oracle.svm.test/src/com/oracle/svm/test/jmx/JmxTest.java b/substratevm/src/com.oracle.svm.test/src/com/oracle/svm/test/jmx/JmxTest.java
@@ -28,6 +28,7 @@
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assume.assumeTrue;
 
+import java.io.File;
 import java.io.IOException;
 import java.lang.management.ClassLoadingMXBean;
 import java.lang.management.ManagementFactory;
@@ -39,9 +40,13 @@
 import java.lang.management.GarbageCollectorMXBean;
 import java.lang.management.MemoryPoolMXBean;
 import java.lang.management.MemoryUsage;
+import java.nio.file.Files;
+import java.nio.file.attribute.PosixFilePermission;
 import java.util.HashMap;
-import java.util.List;
+import java.util.HashSet;
 import java.util.Map;
+import java.util.Set;
+import java.util.List;
 
 import jdk.management.jfr.FlightRecorderMXBean;
 import org.graalvm.nativeimage.ImageInfo;
@@ -58,24 +63,55 @@
 import javax.management.remote.JMXConnector;
 import javax.management.remote.JMXConnectorFactory;
 import javax.management.remote.JMXServiceURL;
+import javax.rmi.ssl.SslRMIClientSocketFactory;
+
 import org.junit.Assert;
 
 @AddExports("jdk.management.agent/jdk.internal.agent")
 public class JmxTest {
     static final String PORT_PROPERTY = "com.sun.management.jmxremote.port";
+    static final String RMI_PORT_PROPERTY = "com.sun.management.jmxremote.rmi.port";
     static final String AUTH_PROPERTY = "com.sun.management.jmxremote.authenticate";
+    static final String CLIENT_AUTH_PROPERTY = "com.sun.management.jmxremote.ssl.need.client.auth";
+    static final String ACCESS_PROPERTY = "com.sun.management.jmxremote.access.file";
+    static final String PASSWORD_PROPERTY = "com.sun.management.jmxremote.password.file";
     static final String SSL_PROPERTY = "com.sun.management.jmxremote.ssl";
+    static final String KEYSTORE_PROPERTY = "javax.net.ssl.keyStore";
+    static final String KEYSTORE_PASSWORD_PROPERTY = "javax.net.ssl.keyStorePassword";
+    static final String TRUSTSTORE_PROPERTY = "javax.net.ssl.trustStore";
+    static final String TRUSTSTORE_PASSWORD_PROPERTY = "javax.net.ssl.trustStorePassword";
+    static final String REGISTRY_SSL_PROPERTY = "com.sun.management.jmxremote.registry.ssl";
     static final String TEST_PORT = "12345";
-    static final String FALSE = "false";
+    static final String TRUE = "true";
+    static final String JMX_REMOTE_RESOURCES = "src/com.oracle.svm.test/src/com/oracle/svm/test/jmx/jmxremoteresources";
 
     @BeforeClass
-    public static void checkForJFR() {
+    public static void checkForJFR() throws IOException {
         assumeTrue("skipping JMX tests", !ImageInfo.inImageCode() ||
                         (VMInspectionOptions.hasJmxClientSupport() && VMInspectionOptions.hasJmxServerSupport()));
 
         System.setProperty(PORT_PROPERTY, TEST_PORT);
-        System.setProperty(AUTH_PROPERTY, FALSE);
-        System.setProperty(SSL_PROPERTY, FALSE);
+        System.setProperty(RMI_PORT_PROPERTY, TEST_PORT);
+        System.setProperty(AUTH_PROPERTY, TRUE);
+        System.setProperty(CLIENT_AUTH_PROPERTY, TRUE);
+        System.setProperty(SSL_PROPERTY, TRUE);
+        System.setProperty(REGISTRY_SSL_PROPERTY, TRUE);
+        // The following are dummy password access, and SSL files required for testing
+        // authentication and SSL.
+        System.setProperty(ACCESS_PROPERTY, JMX_REMOTE_RESOURCES + "/jmxremote.access");
+        System.setProperty(PASSWORD_PROPERTY, JMX_REMOTE_RESOURCES + "/jmxremote.password");
+        System.setProperty(KEYSTORE_PROPERTY, JMX_REMOTE_RESOURCES + "/clientkeystore");
+        System.setProperty(KEYSTORE_PASSWORD_PROPERTY, "clientpass");
+        System.setProperty(TRUSTSTORE_PROPERTY, JMX_REMOTE_RESOURCES + "/servertruststore");
+        System.setProperty(TRUSTSTORE_PASSWORD_PROPERTY, "servertrustpass");
+
+        // Password file must have restricted access.
+        File file = new File(JMX_REMOTE_RESOURCES + "/jmxremote.password");
+        Set<PosixFilePermission> perms = new HashSet<>();
+        perms.add(PosixFilePermission.OWNER_READ);
+        perms.add(PosixFilePermission.OWNER_WRITE);
+        Files.setPosixFilePermissions(file.toPath(), perms);
+
         try {
             // We need to rerun the startup hook with the correct properties set.
             ManagementAgentStartupHook startupHook = new ManagementAgentStartupHook();
@@ -89,7 +125,10 @@ private static MBeanServerConnection getLocalMBeanServerConnectionStatic() {
         try {
             JMXServiceURL jmxUrl = new JMXServiceURL("service:jmx:rmi:///jndi/rmi://" + "localhost" + ":" + TEST_PORT + "/jmxrmi");
             Map<String, Object> env = new HashMap<>();
-
+            String[] credentials = {"myrole", "MYP@SSWORD"}; // dummy password for testing
+            env.put(JMXConnector.CREDENTIALS, credentials);
+            // Include below if protecting registry with SSL
+            env.put("com.sun.jndi.rmi.factory.socket", new SslRMIClientSocketFactory());
             JMXConnector connector = JMXConnectorFactory.connect(jmxUrl, env);
             return connector.getMBeanServerConnection();
         } catch (IOException e) {
diff --git a/substratevm/src/com.oracle.svm.test/src/com/oracle/svm/test/jmx/jmxremoteresources/clientkeystore b/substratevm/src/com.oracle.svm.test/src/com/oracle/svm/test/jmx/jmxremoteresources/clientkeystore
diff --git a/substratevm/src/com.oracle.svm.test/src/com/oracle/svm/test/jmx/jmxremoteresources/jmxremote.access b/substratevm/src/com.oracle.svm.test/src/com/oracle/svm/test/jmx/jmxremoteresources/jmxremote.access
@@ -0,0 +1 @@
+myrole readwrite
diff --git a/substratevm/src/com.oracle.svm.test/src/com/oracle/svm/test/jmx/jmxremoteresources/jmxremote.password b/substratevm/src/com.oracle.svm.test/src/com/oracle/svm/test/jmx/jmxremoteresources/jmxremote.password
@@ -0,0 +1,6 @@
+# The passwords in this file are hashed.
+# In order to change the password for a role, replace the hashed password entry
+# with a clear text password or a new hashed password. If the new password is in clear,
+# it will be replaced with its hash when a new login attempt is made.
+
+myrole GfD4DqNr5DUGl/kAREAAInPST5FKFI5i8lRpkscwOLC/sf5U25M8zn5ppOJGOAE6cOMPrgy3o+9f2PyL2PkE7w== m4maFV8JvmL1kByz6gLLiWSdYgtb1ezEfPseDllMwnGmWFBT6jquuxqa9pqrSmpBdMGfxa9gYdCecffS29XSXQ== SHA3-512
diff --git a/substratevm/src/com.oracle.svm.test/src/com/oracle/svm/test/jmx/jmxremoteresources/servertruststore b/substratevm/src/com.oracle.svm.test/src/com/oracle/svm/test/jmx/jmxremoteresources/servertruststore

Original file line number	Diff line number	Diff line change
`@@ -61,9 +61,8 @@ private static void configureReflection(BeforeAnalysisAccess access) {`
`61`	`61`	`RuntimeReflection.register(access.findClassByName("com.sun.jndi.url.rmi.rmiURLContextFactory"));`
`62`	`62`	`RuntimeReflection.register(access.findClassByName("sun.rmi.server.UnicastRef"));`
`63`	`63`
`64`		`- RuntimeReflection.register(access.findClassByName("sun.rmi.server.UnicastRef").getMethods());`
`65`		`-`
`66`	`64`	`RuntimeReflection.register(access.findClassByName("com.sun.jndi.url.rmi.rmiURLContextFactory").getConstructors());`
`67`	`65`	`RuntimeReflection.register(access.findClassByName("sun.rmi.server.UnicastRef").getConstructors());`
	`66`	`+ RuntimeReflection.register(access.findClassByName("sun.rmi.server.UnicastRef2").getConstructors());`
`68`	`67`	`}`
`69`	`68`	`}`