Set client auth flags on start

Author: tommysitu

junit5/src/main/java/io/specto/hoverfly/junit5/HoverflyExtensionUtils.java

@@ -31,6 +31,7 @@ static io.specto.hoverfly.junit.core.HoverflyConfig getHoverflyConfigs(HoverflyC
                 configs = localConfigs()
                         .caCert(config.caCertPath(), config.caCertKeyPath())
                         .clientAuth(config.clientCertPath(), config.clientKeyPath(), config.clientAuthDestination())
+                        .clientAuthCaCertPath(config.clientCaCertPath())
                         .upstreamProxy(config.upstreamProxy())
                         .logLevel(config.logLevel());
                 if (config.plainHttpTunneling()) {

junit5/src/main/java/io/specto/hoverfly/junit5/api/HoverflyConfig.java

@@ -125,4 +125,9 @@
      * Destination filter to what target urls to enable mutual TLS authentication.
      */
     String[] clientAuthDestination() default {};
+
+    /**
+     * Client CA certificate file in classpath. Must be a PEM encoded certificate, with .crt or .pem extensions
+     */
+    String clientCaCertPath() default "";
 }

src/main/java/io/specto/hoverfly/junit/core/Hoverfly.java

@@ -70,7 +70,6 @@
 /**
  * A wrapper class for the Hoverfly binary.  Manage the lifecycle of the processes, and then manage Hoverfly itself by using it's API endpoints.
  */
-// TODO extract interface and create LocalHoverfly and RemoteHoverfly
 public class Hoverfly implements AutoCloseable {
 
     private static final Logger LOGGER = LoggerFactory.getLogger(Hoverfly.class);
@@ -195,6 +194,27 @@ private void startHoverflyProcess() {
             commands.add("-key");
             commands.add("ca.key");
         }
+
+        if (StringUtils.isNotBlank(hoverflyConfig.getClientCertPath())) {
+            tempFileManager.copyClassPathResource(hoverflyConfig.getClientCertPath(), "client-auth.crt");
+            commands.add("-client-authentication-client-cert");
+            commands.add("client-auth.crt");
+        }
+        if (StringUtils.isNotBlank(hoverflyConfig.getClientKeyPath())) {
+            tempFileManager.copyClassPathResource(hoverflyConfig.getClientKeyPath(), "client-auth.key");
+            commands.add("-client-authentication-client-key");
+            commands.add("client-auth.key");
+        }
+        if (StringUtils.isNotBlank(hoverflyConfig.getClientAuthDestination())) {
+            commands.add("-client-authentication-destination");
+            commands.add(hoverflyConfig.getClientAuthDestination());
+        }
+        if (StringUtils.isNotBlank(hoverflyConfig.getClientCaCertPath())) {
+            tempFileManager.copyClassPathResource(hoverflyConfig.getClientCaCertPath(), "client-ca.crt");
+            commands.add("-client-authentication-ca-cert");
+            commands.add("client-ca.crt");
+        }
+
         if (hoverflyConfig.isPlainHttpTunneling()) {
             commands.add("-plain-http-tunneling");
         }

src/main/java/io/specto/hoverfly/junit/core/SslConfigurer.java

@@ -65,7 +65,7 @@ void setDefaultSslContext() {
     }
 
     /**
-     * Sets the JVM trust store so Hoverfly's SSL certificate is trusted
+     * Sets the JVM trust store so Hoverfly's CA certificate is trusted
      */
     void setDefaultSslContext(String pemFilename) {
         setDefaultSslContext(findResourceOnClasspath(pemFilename));
@@ -82,7 +82,7 @@ private void setDefaultSslContext(URL pemFile) {
             SSLContext.setDefault(sslContext);
             HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());
         } catch (Exception e) {
-            throw new IllegalStateException("Failed to set SSLContext from hoverfly certificate " + pemFile.toString(), e);
+            throw new IllegalStateException("Failed to import Hoverfly certificate '" + pemFile.toString() + "' into keystore", e);
         }
     }
 

src/main/java/io/specto/hoverfly/junit/core/config/HoverflyConfiguration.java

@@ -44,6 +44,7 @@ public class HoverflyConfiguration {
     private String clientCertPath;
     private String clientKeyPath;
     private String clientAuthDestination;
+    private String clientCaCertPath;
 
     /**
      * Create configurations for external hoverfly
@@ -322,4 +323,12 @@ public String getClientAuthDestination() {
     public void setClientAuthDestination(String clientAuthDestination) {
         this.clientAuthDestination = clientAuthDestination;
     }
+
+    public String getClientCaCertPath() {
+        return clientCaCertPath;
+    }
+
+    public void setClientCaCertPath(String clientCaCertPath) {
+        this.clientCaCertPath = clientCaCertPath;
+    }
 }

src/main/java/io/specto/hoverfly/junit/core/config/LocalHoverflyConfig.java

@@ -14,13 +14,12 @@
 
 import io.specto.hoverfly.junit.core.Hoverfly;
 import io.specto.hoverfly.junit.core.HoverflyConfig;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
 import java.net.InetSocketAddress;
 import java.util.Arrays;
 import java.util.LinkedList;
 import java.util.List;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 /**
  * Config builder interface for settings specific to {@link Hoverfly} managed internally
@@ -40,6 +39,7 @@ public class LocalHoverflyConfig extends HoverflyConfig {
     private String clientCertPath;
     private String clientKeyPath;
     private String clientAuthDestination;
+    private String clientCaCertPath;
 
     /**
      * Sets the certificate file to override the default Hoverfly's CA cert
@@ -177,14 +177,26 @@ public HoverflyConfig binaryLocation(String binaryLocation) {
     public LocalHoverflyConfig clientAuth(String clientCertPath, String clientKeyPath, String... destinations) {
         this.clientCertPath = clientCertPath;
         this.clientKeyPath = clientKeyPath;
-        if (destinations.length == 0) {
-            this.clientAuthDestination = ".";
-        } else {
-            this.clientAuthDestination = String.join("|", destinations);
+        if (destinations != null) {
+            if (destinations.length == 0) {
+                this.clientAuthDestination = ".";
+            } else {
+                this.clientAuthDestination = String.join("|", destinations);
+            }
         }
         return this;
     }
 
+    /**
+     * Set client CA certificate for mutual TLS authentication
+     * @param clientCaCertPath CA certificate file in classpath. Must be any PEM encoded certificate, with .crt or .pem extensions
+     * @return the {@link LocalHoverflyConfig} for further customizations
+     */
+    public LocalHoverflyConfig clientAuthCaCertPath(String clientCaCertPath) {
+        this.clientCaCertPath = clientCaCertPath;
+        return this;
+    }
+
     @Override
     public HoverflyConfiguration build() {
         HoverflyConfiguration configs = new HoverflyConfiguration(proxyPort, adminPort, proxyLocalHost, destination,
@@ -200,6 +212,7 @@ public HoverflyConfiguration build() {
         configs.setClientCertPath(clientCertPath);
         configs.setClientKeyPath(clientKeyPath);
         configs.setClientAuthDestination(clientAuthDestination);
+        configs.setClientCaCertPath(clientCaCertPath);
         HoverflyConfigValidator validator = new HoverflyConfigValidator();
         return validator.validate(configs);
     }

src/test/java/io/specto/hoverfly/junit/core/HoverflyConfigTest.java

@@ -46,6 +46,7 @@ public void shouldHaveDefaultSettings() {
         assertThat(configs.getClientCertPath()).isNull();
         assertThat(configs.getClientKeyPath()).isNull();
         assertThat(configs.getClientAuthDestination()).isNull();
+        assertThat(configs.getClientCaCertPath()).isNull();
     }
 
     @Test
@@ -212,7 +213,7 @@ public void shouldSetClientAuth() {
             .build();
 
         assertThat(configs.getClientCertPath()).isEqualTo("ssl/cert.pem");
-        assertThat(configs.getClientKeyPath()).isEqualTo("ssl/key.pem");
+        assertThat(configs.getClientCertPath()).isEqualTo("ssl/cert.pem");
         assertThat(configs.getClientAuthDestination()).isEqualTo(".");
     }
 
@@ -227,4 +228,13 @@ public void shouldSetClientAuthWithDestinationFilter() {
         assertThat(configs.getClientAuthDestination()).isEqualTo("foo.com|bar.com");
     }
 
+    @Test
+    public void shouldSetClientAuthCaCert() {
+        HoverflyConfiguration configs = localConfigs()
+            .clientAuthCaCertPath("ssl/ca.pem")
+            .build();
+
+        assertThat(configs.getClientCaCertPath()).isEqualTo("ssl/ca.pem");
+    }
+
 }

src/test/java/io/specto/hoverfly/junit/core/HoverflyTest.java

@@ -18,6 +18,7 @@
 import io.specto.hoverfly.junit.core.model.RequestFieldMatcher;
 import io.specto.hoverfly.junit.core.model.RequestResponsePair;
 import io.specto.hoverfly.junit.core.model.Simulation;
+import java.util.Optional;
 import org.apache.http.HttpResponse;
 import org.apache.http.client.HttpClient;
 import org.apache.http.client.methods.HttpGet;
@@ -345,7 +346,7 @@ public void shouldSetTrustStoreWhenStartingHoverfly() {
     }
 
     @Test
-    public void shouldNotSetJVMTrustStoreIfSslCertificatePathExists() {
+    public void shouldConfigSslContextWithCustomCaCert() {
         // Given
         hoverfly = new Hoverfly(localConfigs().caCert("ssl/ca.crt", "ssl/ca.key"), SIMULATE);
         SslConfigurer sslConfigurer = mock(SslConfigurer.class);
@@ -356,6 +357,7 @@ public void shouldNotSetJVMTrustStoreIfSslCertificatePathExists() {
 
         // Then
         verify(sslConfigurer, never()).setDefaultSslContext();
+        verify(sslConfigurer).setDefaultSslContext("ssl/ca.crt");
     }
 
     @Test
@@ -421,6 +423,25 @@ public void shouldCopySslCertAndKeyToTempFolderIfPresent () {
         verify(tempFileManager).copyClassPathResource("ssl/ca.key", "ca.key");
     }
 
+    @Test
+    public void shouldCopyClientCertAndKeyToTempFolderIfPresent () {
+        // Given
+        hoverfly = new Hoverfly(localConfigs()
+            .clientAuth("ssl/ca.crt", "ssl/ca.key")
+            .clientAuthCaCertPath("ssl/client-ca.crt")
+            , SIMULATE);
+        TempFileManager tempFileManager = spy(TempFileManager.class);
+        Whitebox.setInternalState(hoverfly, "tempFileManager", tempFileManager);
+
+        // When
+        hoverfly.start();
+
+        // Then
+        verify(tempFileManager).copyClassPathResource("ssl/ca.crt", "client-auth.crt");
+        verify(tempFileManager).copyClassPathResource("ssl/ca.key", "client-auth.key");
+        verify(tempFileManager).copyClassPathResource("ssl/client-ca.crt", "client-ca.crt");
+    }
+
     @Test
     public void shouldCopyMiddlewareScriptToTempFolderIfLocalMiddlewareEnabled () {
         String rawFilename = "middleware.py";

src/test/resources/ssl/client-ca.crt

@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEnjCCA4agAwIBAgIJAPvHolsYpVwPMA0GCSqGSIb3DQEBBQUAMIGQMQswCQYD
+VQQGEwJHQjEPMA0GA1UECBMGTG9uZG9uMQ8wDQYDVQQHEwZMb25kb24xEzARBgNV
+BAoTClNwZWN0b0xhYnMxETAPBgNVBAsTCGhvdmVyZmx5MRIwEAYDVQQDEwlzcGVj
+dG8uaW8xIzAhBgkqhkiG9w0BCQEWFHRvbW15LnNpdHVAc3BlY3RvLmlvMB4XDTE3
+MDIxNzExMzIwMVoXDTE4MDIxNzExMzIwMVowgZAxCzAJBgNVBAYTAkdCMQ8wDQYD
+VQQIEwZMb25kb24xDzANBgNVBAcTBkxvbmRvbjETMBEGA1UEChMKU3BlY3RvTGFi
+czERMA8GA1UECxMIaG92ZXJmbHkxEjAQBgNVBAMTCXNwZWN0by5pbzEjMCEGCSqG
+SIb3DQEJARYUdG9tbXkuc2l0dUBzcGVjdG8uaW8wggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQDPiXcHyFBOQawvsRwet9WVa4pjvywsCFFa2e2tGPLCSxvv
+P4e2Z4M7sDna9/MP8zwKVmWf9W8BZG2XcyVvHRxDbsFvMZa5xLmXMv1rk5zZpub9
+2eRNtj6v4kOFFbak5hKHcaGtW8m/MjyPMWkEhsqSeqInXE+pE4dK7tJ9J9SecoCI
+tnPk6jsj5r5wdG1ub4tWsTAS0TOHGZ6ArnQ7NXrxT+RvrQvqT2Uw1BCIgkBUfH+8
+gHsg46klR0y4X7ooUf4/91eaOnBdVe5w7kAu+dS+B2mBN/mS0nYvWw0RW0F7TJhH
+4FFuqXDiZC+dv862ywrYqyrvsCmkSnyinDUPddUHAgMBAAGjgfgwgfUwHQYDVR0O
+BBYEFEn/byeOo+ZOdKTdspEjVlNqf8xZMIHFBgNVHSMEgb0wgbqAFEn/byeOo+ZO
+dKTdspEjVlNqf8xZoYGWpIGTMIGQMQswCQYDVQQGEwJHQjEPMA0GA1UECBMGTG9u
+ZG9uMQ8wDQYDVQQHEwZMb25kb24xEzARBgNVBAoTClNwZWN0b0xhYnMxETAPBgNV
+BAsTCGhvdmVyZmx5MRIwEAYDVQQDEwlzcGVjdG8uaW8xIzAhBgkqhkiG9w0BCQEW
+FHRvbW15LnNpdHVAc3BlY3RvLmlvggkA+8eiWxilXA8wDAYDVR0TBAUwAwEB/zAN
+BgkqhkiG9w0BAQUFAAOCAQEAMVMQMws5q3HC/KGwVu7kNUKdqHOslklWpMTym5ii
+v2Z/1rReXvHszhoywwkP1pYt96XrzCYO2Th2JLMLpTihTJN7wrzBGeZZoGSxEWVW
+bop2y/qljb3KT3hN2NpTHd5gnO1udNp3OjxzHYKyxiTCV7fnoPAC1Lmn1r5QWLxz
+jfSroSb7h14dNjIgvq2H6rYopivdgAqea6CuElwvQioLIHaF2r0YKE0s4FXuiIBd
+wpAeGmwAQALiwuGUZqe1+piBdqGf3a1sqrdgGdQTTEPc6c04tMYFEL0SWATfQZQ4
+JosAQYC3eb6ltfPtZWGVdtCcpQtNEjjNBXOOniEQvcbBcQ==
+-----END CERTIFICATE-----