Fix examples/webserver/mutual-tls

examples/security/webserver-digest-auth/src/main/resources/logging.properties

@@ -18,6 +18,5 @@ handlers=io.helidon.logging.jul.HelidonConsoleHandler
 java.util.logging.SimpleFormatter.format=%1$tY.%1$tm.%1$td %1$tH:%1$tM:%1$tS %4$s %3$s !thread!: %5$s%6$s%n
 #All log level details
 .level=WARNING
-io.helidon.nima.webserver.level=FINEST
 io.helidon.security.level=FINEST
 AUDIT.level=FINEST

examples/webserver/mutual-tls/src/main/java/io/helidon/webserver/examples/mtls/CertificateHelper.java

@@ -0,0 +1,39 @@
+/*
+ * Copyright (c) 2023 Oracle and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.helidon.webserver.examples.mtls;
+
+import java.util.Optional;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+class CertificateHelper {
+
+    private static final Pattern CN_PATTERN = Pattern.compile("(.*)CN=(.*?)(,.*)?");
+
+    private CertificateHelper() {
+    }
+
+    static Optional<String> clientCertificateName(String name) {
+        Matcher matcher = CN_PATTERN.matcher(name);
+        if (matcher.matches()) {
+            String cn = matcher.group(2);
+            if (!cn.isBlank()) {
+                return Optional.of(cn);
+            }
+        }
+        return Optional.empty();
+    }
+}

examples/webserver/mutual-tls/src/main/java/io/helidon/webserver/examples/mtls/ClientBuilderMain.java

@@ -16,6 +16,7 @@
 package io.helidon.webserver.examples.mtls;
 
 import io.helidon.common.configurable.Resource;
+import io.helidon.common.pki.Keys;
 import io.helidon.nima.common.tls.Tls;
 import io.helidon.nima.common.tls.TlsClientAuth;
 import io.helidon.nima.webclient.WebClient;
@@ -51,14 +52,19 @@ public static void main(String[] args) {
     }
 
     static Http1Client createClient() {
+        Keys keyConfig = Keys.builder()
+                .keystore(store -> store
+                        .trustStore(true)
+                        .keystore(Resource.create("client.p12"))
+                        .passphrase("password"))
+                .build();
         return Http1Client.builder()
                 .tls(Tls.builder()
+                        .endpointIdentificationAlgorithm("NONE")
                         .clientAuth(TlsClientAuth.REQUIRED)
-                        .privateKey(key -> key
-                                .keystore(store -> store
-                                        .trustStore(true)
-                                        .passphrase("password")
-                                        .keystore(Resource.create("client.p12")))))
+                        .privateKey(keyConfig)
+                        .privateKeyCertChain(keyConfig)
+                        .trust(keyConfig))
                 .build();
     }
 

examples/webserver/mutual-tls/src/main/java/io/helidon/webserver/examples/mtls/SecureService.java

@@ -0,0 +1,39 @@
+/*
+ * Copyright (c) 2023 Oracle and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.helidon.webserver.examples.mtls;
+
+import java.security.Principal;
+
+import io.helidon.common.http.Http;
+import io.helidon.nima.webserver.http.HttpRules;
+import io.helidon.nima.webserver.http.HttpService;
+
+class SecureService implements HttpService {
+    @Override
+    public void routing(HttpRules rules) {
+        rules.any((req, res) -> {
+            String cn = req.remotePeer()
+                    .tlsPrincipal()
+                    .map(Principal::getName)
+                    .flatMap(CertificateHelper::clientCertificateName)
+                    .orElse("Unknown CN");
+
+            // close to avoid re-using cached connections on the client side
+            res.header(Http.HeaderValues.CONNECTION_CLOSE);
+            res.send("Hello " + cn + "!");
+        });
+    }
+}

examples/webserver/mutual-tls/src/main/java/io/helidon/webserver/examples/mtls/ServerBuilderMain.java

@@ -16,7 +16,6 @@
 package io.helidon.webserver.examples.mtls;
 
 import io.helidon.common.configurable.Resource;
-import io.helidon.common.http.Http;
 import io.helidon.common.pki.Keys;
 import io.helidon.nima.common.tls.TlsClientAuth;
 import io.helidon.nima.webserver.ListenerConfig;
@@ -74,15 +73,13 @@ private static void securedSocket(ListenerConfig.Builder socket) {
                         .passphrase("password"))
                 .build();
 
-        socket.port(443)
-                .tls(tls -> tls
+        socket.tls(tls -> tls
+                        .endpointIdentificationAlgorithm("NONE")
                         .clientAuth(TlsClientAuth.REQUIRED)
                         .trust(keyConfig)
-                        .privateKey(keyConfig))
+                        .privateKey(keyConfig)
+                        .privateKeyCertChain(keyConfig))
                 .routing(routing -> routing
-                        .get("/", (req, res) -> {
-                            String cn = req.headers().first(Http.Header.X_HELIDON_CN).orElse("Unknown CN");
-                            res.send("Hello " + cn + "!");
-                        }));
+                        .register("/", new SecureService()));
     }
 }

examples/webserver/mutual-tls/src/main/java/io/helidon/webserver/examples/mtls/ServerConfigMain.java

@@ -15,9 +15,7 @@
  */
 package io.helidon.webserver.examples.mtls;
 
-import io.helidon.common.http.Http;
 import io.helidon.config.Config;
-import io.helidon.nima.webserver.ListenerConfig;
 import io.helidon.nima.webserver.WebServer;
 import io.helidon.nima.webserver.WebServerConfig;
 import io.helidon.nima.webserver.http.HttpRouting;
@@ -57,18 +55,13 @@ public static void main(String[] args) {
     static void setup(WebServerConfig.Builder server, Config config) {
         server.config(config)
                 .routing(ServerConfigMain::plainRouting)
-                .putSocket("secured", ServerConfigMain::securedSocket);
+                .putSocket("secured", socket -> socket
+                        .from(server.sockets().get("secured"))
+                        .routing(routing -> routing
+                                .register("/", new SecureService())));
     }
 
     private static void plainRouting(HttpRouting.Builder routing) {
         routing.get("/", (req, res) -> res.send("Hello world unsecured!"));
     }
-
-    private static void securedSocket(ListenerConfig.Builder socket) {
-        socket.routing(routing -> routing
-                .get("/", (req, res) -> {
-                    String cn = req.headers().first(Http.Header.X_HELIDON_CN).orElse("Unknown CN");
-                    res.send("Hello " + cn + "!");
-                }));
-    }
 }

examples/webserver/mutual-tls/src/main/resources/application.yaml

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2020 Oracle and/or its affiliates.
+# Copyright (c) 2020, 2023 Oracle and/or its affiliates.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -20,7 +20,8 @@ server:
     - name: "secured"
       port: 443
       tls:
-        client-auth: "REQUIRE"
+        client-auth: "REQUIRED"
+        endpoint-identification-algorithm: "NONE"
         trust:
           keystore:
             passphrase: "password"
@@ -35,15 +36,14 @@ server:
 
 client:
   tls:
-    server:
+    trust:
       keystore:
         passphrase: "password"
         trust-store: true
         resource:
           resource-path: "client.p12"
-    client:
+    private-key:
       keystore:
         passphrase: "password"
         resource:
           resource-path: "client.p12"
-

examples/webserver/mutual-tls/src/test/java/io/helidon/webserver/examples/mtls/MutualTlsExampleBuilderTest.java

@@ -23,6 +23,8 @@
 
 import org.junit.jupiter.api.Test;
 
+import static io.helidon.webserver.examples.mtls.ClientBuilderMain.callSecured;
+import static io.helidon.webserver.examples.mtls.ClientBuilderMain.callUnsecured;
 import static org.hamcrest.CoreMatchers.is;
 import static org.hamcrest.MatcherAssert.assertThat;
 
@@ -46,7 +48,7 @@ static void setup(WebServerConfig.Builder server) {
     @Test
     public void testBuilderAccessSuccessful() {
         Http1Client client = ClientBuilderMain.createClient();
-        assertThat(ClientBuilderMain.callUnsecured(client, server.port()), is("Hello world unsecured!"));
-        assertThat(ClientBuilderMain.callSecured(client, server.port("secured")), is("Hello Helidon-client!"));
+        assertThat(callUnsecured(client, server.port()), is("Hello world unsecured!"));
+        assertThat(callSecured(client, server.port("secured")), is("Hello Helidon-client!"));
     }
-}
+}

examples/webserver/mutual-tls/src/test/java/io/helidon/webserver/examples/mtls/MutualTlsExampleConfigTest.java

@@ -16,7 +16,6 @@
 package io.helidon.webserver.examples.mtls;
 
 import io.helidon.config.Config;
-import io.helidon.config.ConfigSources;
 import io.helidon.nima.testing.junit5.webserver.ServerTest;
 import io.helidon.nima.testing.junit5.webserver.SetUpServer;
 import io.helidon.nima.webclient.http1.Http1Client;
@@ -25,6 +24,8 @@
 
 import org.junit.jupiter.api.Test;
 
+import static io.helidon.webserver.examples.mtls.ClientConfigMain.callSecured;
+import static io.helidon.webserver.examples.mtls.ClientConfigMain.callUnsecured;
 import static org.hamcrest.CoreMatchers.is;
 import static org.hamcrest.MatcherAssert.assertThat;
 
@@ -34,23 +35,24 @@
 @ServerTest
 public class MutualTlsExampleConfigTest {
 
-    private final WebServer server;
     private static Config config;
+    private final WebServer server;
+    private final Http1Client client;
 
     public MutualTlsExampleConfigTest(WebServer server) {
         this.server = server;
+        this.client = Http1Client.builder().config(config.get("client")).build();
     }
 
     @SetUpServer
     static void setup(WebServerConfig.Builder server) {
-        config = Config.just(() -> ConfigSources.classpath("application-test.yaml").build());
+        config = Config.create();
         ServerConfigMain.setup(server, config);
     }
 
     @Test
     public void testConfigAccessSuccessful() {
-        Http1Client client = Http1Client.builder().config(config.get("client")).build();
-        assertThat(ClientConfigMain.callUnsecured(client, server.port()), is("Hello world unsecured!"));
-        assertThat(ClientConfigMain.callSecured(client, server.port("secured")), is("Hello Helidon-client!"));
+        assertThat(callUnsecured(client, server.port()), is("Hello world unsecured!"));
+        assertThat(callSecured(client, server.port("secured")), is("Hello Helidon-client!"));
     }
 }

examples/webserver/mutual-tls/src/test/resources/application-test.yaml

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2020 Oracle and/or its affiliates.
+# Copyright (c) 2020, 2023 Oracle and/or its affiliates.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -19,31 +19,3 @@ server:
   sockets:
     - name: "secured"
       port: 0
-      tls:
-        client-auth: "REQUIRE"
-        trust:
-          keystore:
-            passphrase: "password"
-            trust-store: true
-            resource:
-              resource-path: "server.p12"
-        private-key:
-          keystore:
-            passphrase: "password"
-            resource:
-              resource-path: "server.p12"
-
-client:
-  tls:
-    server:
-      keystore:
-        passphrase: "password"
-        trust-store: true
-        resource:
-          resource-path: "client.p12"
-    client:
-      keystore:
-        passphrase: "password"
-        resource:
-          resource-path: "client.p12"
-

tests/integration/webclient/src/test/java/io/helidon/tests/integration/webclient/CertificateHelper.java

@@ -0,0 +1,39 @@
+/*
+ * Copyright (c) 2023 Oracle and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.helidon.tests.integration.webclient;
+
+import java.util.Optional;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+class CertificateHelper {
+
+    private static final Pattern CN_PATTERN = Pattern.compile("(.*)CN=(.*?)(,.*)?");
+
+    private CertificateHelper() {
+    }
+
+    static Optional<String> clientCertificateName(String name) {
+        Matcher matcher = CN_PATTERN.matcher(name);
+        if (matcher.matches()) {
+            String cn = matcher.group(2);
+            if (!cn.isBlank()) {
+                return Optional.of(cn);
+            }
+        }
+        return Optional.empty();
+    }
+}