From feb22f360ed9e38f32b80ec2c6aa942a704f6b05 Mon Sep 17 00:00:00 2001 From: John W Date: Thu, 13 Mar 2014 21:36:54 -0400 Subject: Adding properties/comments for truststore configuration --- .../src/main/assembly/conf/sonar.properties | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) (limited to 'sonar-application') diff --git a/sonar-application/src/main/assembly/conf/sonar.properties b/sonar-application/src/main/assembly/conf/sonar.properties index b97e9e3da21..d6aa431d730 100644 --- a/sonar-application/src/main/assembly/conf/sonar.properties +++ b/sonar-application/src/main/assembly/conf/sonar.properties @@ -116,6 +116,23 @@ sonar.jdbc.timeBetweenEvictionRunsMillis=30000 # and the first provider that supports the keystore type is used (see sonar.web.https.keystoreType). #sonar.web.https.keystoreProvider= +# HTTPS - the pathname of the truststore file which contains trusted certificate authorities. +# By default, this would be the cacerts file in your JRE. +# If truststoreFile doesn't need a file use empty value. +#sonar.web.https.truststoreFile= + +# HTTPS - the password used to access the specified truststore file. +#sonar.web.https.truststorePass= + +# HTTPS - the type of truststore file to be used. +# The default value is JKS (Java KeyStore). +#sonar.web.https.truststoreType=JKS + +# HTTPS - the name of the truststore provider to be used for the server certificate. +# If not specified, the list of registered providers is traversed in preference order +# and the first provider that supports the truststore type is used (see sonar.web.https.truststoreType). +#sonar.web.https.truststoreProvider= + # The maximum number of connections that the server will accept and process at any given time. # When this number has been reached, the server will not accept any more connections until # the number of connections falls below this value. The operating system may still accept connections -- cgit v1.2.3 
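Review bot: The comment block added for sonar.web.https.truststoreFile does not say which password the connector uses when sonar.web.https.truststorePass is left unset, and the sentence `# If truststoreFile doesn't need a file use empty value.` is hard to parse. The Connectors.java commit further down this page defaults truststorePass to "changeit", which is the well-known default password of the JRE cacerts file, so an operator who points truststoreFile at a custom store must set the password as well or the connector will fail to open the store. I would replace that sentence with `# Leave empty to use the JRE's default truststore (cacerts).` and add under the truststorePass heading `# Defaults to 'changeit', the JRE's default cacerts password; set it whenever truststoreFile points to a custom store.`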
From f264a8ec40e64689e41a60087838fb3cc513f1b1 Mon Sep 17 00:00:00 2001
From: John W
Date: Thu, 13 Mar 2014 21:41:05 -0400
Subject: Adding truststore properties; making clientAuth configurable
---
 .../src/main/java/org/sonar/application/Connectors.java | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
(limited to 'sonar-application')
diff --git a/sonar-application/src/main/java/org/sonar/application/Connectors.java b/sonar-application/src/main/java/org/sonar/application/Connectors.java
index 2fdb9c8ebe7..a6cfd1f0bb0 100644
--- a/sonar-application/src/main/java/org/sonar/application/Connectors.java
+++ b/sonar-application/src/main/java/org/sonar/application/Connectors.java
@@ -102,7 +102,11 @@ class Connectors {
 setConnectorAttribute(connector, "keystoreFile", props.of("sonar.web.https.keystoreFile"));
 setConnectorAttribute(connector, "keystoreType", props.of("sonar.web.https.keystoreType", "JKS"));
 setConnectorAttribute(connector, "keystoreProvider", props.of("sonar.web.https.keystoreProvider"));
- setConnectorAttribute(connector, "clientAuth", false);
+ setConnectorAttribute(connector, "truststorePass", props.of("sonar.web.https.truststorePass", "changeit"));
+ setConnectorAttribute(connector, "truststoreFile", props.of("sonar.web.https.truststoreFile"));
+ setConnectorAttribute(connector, "truststoreType", props.of("sonar.web.https.truststoreType", "JKS"));
+ setConnectorAttribute(connector, "truststoreProvider", props.of("sonar.web.https.truststoreProvider"));
+ setConnectorAttribute(connector, "clientAuth", props.of("sonar.web.https.clientAuth", "false"));
 setConnectorAttribute(connector, "sslProtocol", "TLS");
 setConnectorAttribute(connector, "SSLEnabled", true);
 info("HTTPS connector is enabled on port " + port);
-- cgit v1.2.3
From 0b346f7c683e0da7e9a8dda695df92838322bb54 Mon Sep 17 00:00:00 2001
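Review bot: The last added line hands the raw value of sonar.web.https.clientAuth to the connector without validating it, so a misspelling such as "ture" or "required" does not fail startup; as far as I recall Tomcat's JSSE socket factory recognises only true/yes and want and treats any other value as client authentication disabled, which makes this setting fail open (confirm against the Tomcat version bundled here). For a property that gates mutual TLS, rejecting unknown values at configuration time is the safer behaviour and gives the operator an actionable error instead of a silently unauthenticated listener. The clientAuth comment added to sonar.properties in the last commit on this page should then state that only those three values are accepted. The method containing these lines starts and ends outside the hunk, and I am assuming props.of returns a String here, as the "JKS" default on the neighbouring lines suggests.
```java
    // … unchanged: keystore and truststore attributes …
    String clientAuth = props.of("sonar.web.https.clientAuth", "false");
    if (!"false".equalsIgnoreCase(clientAuth) && !"want".equalsIgnoreCase(clientAuth) && !"true".equalsIgnoreCase(clientAuth)) {
      // fail closed: an unrecognised value must not silently disable client certificate checks
      throw new IllegalStateException("sonar.web.https.clientAuth must be one of false, want, true but was: " + clientAuth);
    }
    setConnectorAttribute(connector, "clientAuth", clientAuth);
    // … unchanged: sslProtocol, SSLEnabled, info …
```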
From: John W
Date: Thu, 13 Mar 2014 21:41:40 -0400
Subject: Adding clientauth tests
---
 .../java/org/sonar/application/ConnectorsTest.java | 49 +++++++++++++++++++++-
 1 file changed, 48 insertions(+), 1 deletion(-)
(limited to 'sonar-application')
diff --git a/sonar-application/src/test/java/org/sonar/application/ConnectorsTest.java b/sonar-application/src/test/java/org/sonar/application/ConnectorsTest.java
index 4d8e9b4773c..20c2bfca4f9 100644
--- a/sonar-application/src/test/java/org/sonar/application/ConnectorsTest.java
+++ b/sonar-application/src/test/java/org/sonar/application/ConnectorsTest.java
@@ -124,7 +124,8 @@ public class ConnectorsTest {
 @Override
 public boolean matches(Object o) {
 Connector c = (Connector) o;
- return c.getScheme().equals("https") && c.getPort() == 9443;
+ return c.getScheme().equals("https") && c.getPort() == 9443
+ && c.getProperty("clientAuth").equals("false");
 }
 }));
 }
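Review bot: `c.getProperty("clientAuth").equals("false")` on the added line dereferences the property value before comparing it, so a connector that never received that attribute makes the matcher throw a NullPointerException inside argThat instead of simply not matching, turning a clear verification failure into a confusing stack trace. Put the literal first: `&& "false".equals(c.getProperty("clientAuth"));`. The two tests added in the next hunk (enable_client_auth and require_client_auth) compare the same way and should use the same form. The enclosing test method starts before this hunk.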
@@ -256,6 +257,52 @@ public class ConnectorsTest { verify(tomcat.getServer(), never()).setShutdown(anyString()); } + @Test + public void enable_client_auth() throws Exception { + + Properties p = new Properties(); + + p.setProperty("sonar.web.port", "-1"); + p.setProperty("sonar.web.https.port", "9443"); + p.setProperty("sonar.web.https.clientAuth", "want"); + + Props props = new Props(p); + + Connectors.configure(tomcat, props); + + verify(tomcat).setConnector(argThat(new ArgumentMatcher() { + @Override + public boolean matches(Object o) { + Connector c = (Connector) o; + return c.getScheme().equals("https") && c.getProperty("clientAuth").equals("want"); + } + })); + } + + @Test + public void require_client_auth() throws Exception { + + Properties p = new Properties(); + + p.setProperty("sonar.web.port", "-1"); + p.setProperty("sonar.web.https.port", "9443"); + p.setProperty("sonar.web.https.clientAuth", "true"); + + Props props = new Props(p); + + Connectors.configure(tomcat, props); + + verify(tomcat).setConnector(argThat(new ArgumentMatcher() { + @Override + public boolean matches(Object o) { + Connector c = (Connector) o; + return c.getScheme().equals("https") && c.getProperty("clientAuth").equals("true"); + } + })); + } + + + private static class PropertiesMatcher extends ArgumentMatcher { private final Map expected; -- cgit v1.2.3 From 2e7d7dc516b88eed2515eebe41117a220c16dd63 Mon Sep 17 00:00:00 2001 From: John W Date: Thu, 13 Mar 2014 21:41:57 -0400 Subject: adding clientAuth comment --- sonar-application/src/main/assembly/conf/sonar.properties | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'sonar-application') diff --git a/sonar-application/src/main/assembly/conf/sonar.properties b/sonar-application/src/main/assembly/conf/sonar.properties index d6aa431d730..c9de3398980 100644 --- a/sonar-application/src/main/assembly/conf/sonar.properties +++ b/sonar-application/src/main/assembly/conf/sonar.properties 
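Review bot: enable_client_auth and require_client_auth differ only in the configured value and the expected attribute, and both drop the `c.getPort() == 9443` check that the matcher in the previous hunk keeps, so a connector on the wrong port would still satisfy them. A small helper parameterised on the clientAuth value removes the duplication, restores the port check, and makes adding a third case for an unrecognised value (which the Connectors change on this page currently passes through unvalidated) a one-line test. The three blank added lines left before PropertiesMatcher can go at the same time. The `tomcat` field and the Props/Properties imports are assumed to be those the existing tests already use.
```java
  @Test
  public void enable_client_auth() throws Exception {
    assertHttpsClientAuth("want");
  }

  @Test
  public void require_client_auth() throws Exception {
    assertHttpsClientAuth("true");
  }

  // Configures an HTTPS-only connector with the given clientAuth value and checks it reaches Tomcat unchanged.
  private void assertHttpsClientAuth(final String clientAuth) {
    Properties p = new Properties();
    p.setProperty("sonar.web.port", "-1");
    p.setProperty("sonar.web.https.port", "9443");
    p.setProperty("sonar.web.https.clientAuth", clientAuth);
    Connectors.configure(tomcat, new Props(p));

    verify(tomcat).setConnector(argThat(new ArgumentMatcher() {
      @Override
      public boolean matches(Object o) {
        Connector c = (Connector) o;
        return c.getScheme().equals("https") && c.getPort() == 9443 && clientAuth.equals(c.getProperty("clientAuth"));
      }
    }));
  }
  // … unchanged: PropertiesMatcher …
```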
@@ -133,6 +133,12 @@ sonar.jdbc.timeBetweenEvictionRunsMillis=30000 # and the first provider that supports the truststore type is used (see sonar.web.https.truststoreType). #sonar.web.https.truststoreProvider= +# HTTPS - whether to enable client certificate authentication. +# The default is false (client certificates disabled). +# Other possible values are 'want' (certificates will be requested, but not required), +# and 'true' (certificates are required). +#sonar.web.https.clientAuth=false + # The maximum number of connections that the server will accept and process at any given time. # When this number has been reached, the server will not accept any more connections until # the number of connections falls below this value. The operating system may still accept connections -- cgit v1.2.3