Added environment variable to allow RMI SSL but disable use of SSL for the RMI registry (#952)

Signed-off-by: dhoard <doug.hoard@gmail.com>

Author: dhoard

.gitignore

@@ -15,3 +15,6 @@ pom.xml.versionsBackup
 integration_test_suite/integration_tests/src/test/resources/common/**.jar
 output.log
 stress-test.log
+test.sh
+test.log
+.antublue-test-engine.properties

collector/src/main/java/io/prometheus/jmx/JmxScraper.java

@@ -120,7 +120,10 @@ public void doScrape() throws Exception {
                 environment.put(
                         RMIConnectorServer.RMI_CLIENT_SOCKET_FACTORY_ATTRIBUTE,
                         clientSocketFactory);
-                environment.put("com.sun.jndi.rmi.factory.socket", clientSocketFactory);
+
+                if (!"true".equalsIgnoreCase(System.getenv("RMI_REGISTRY_SSL_DISABLED"))) {
+                    environment.put("com.sun.jndi.rmi.factory.socket", clientSocketFactory);
+                }
             }
 
             jmxc = JMXConnectorFactory.connect(new JMXServiceURL(jmxUrl), environment);

integration_test_suite/integration_tests/src/test/java/io/prometheus/jmx/test/rmi/ssl/MinimalTest.java renamed to integration_test_suite/integration_tests/src/test/java/io/prometheus/jmx/test/rmi/ssl/MinimalRMISSLTest.java

@@ -36,7 +36,7 @@
 import java.util.stream.Stream;
 import org.antublue.test.engine.api.TestEngine;
 
-public class MinimalTest extends AbstractTest implements Consumer<HttpResponse> {
+public class MinimalRMISSLTest extends AbstractTest implements Consumer<HttpResponse> {
 
     /**
      * Method to get the list of TestArguments

integration_test_suite/integration_tests/src/test/java/io/prometheus/jmx/test/rmi/ssl/RMIRegistrySSLDisabledTest.java

@@ -0,0 +1,157 @@
+/*
+ * Copyright (C) 2023 The Prometheus jmx_exporter Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.prometheus.jmx.test.rmi.ssl;
+
+import static io.prometheus.jmx.test.support.http.HttpResponseAssertions.assertHttpMetricsResponse;
+
+import io.prometheus.jmx.test.AbstractTest;
+import io.prometheus.jmx.test.support.Mode;
+import io.prometheus.jmx.test.support.TestArgument;
+import io.prometheus.jmx.test.support.http.HttpHealthyRequest;
+import io.prometheus.jmx.test.support.http.HttpMetricsRequest;
+import io.prometheus.jmx.test.support.http.HttpOpenMetricsRequest;
+import io.prometheus.jmx.test.support.http.HttpPrometheusMetricsRequest;
+import io.prometheus.jmx.test.support.http.HttpPrometheusProtobufMetricsRequest;
+import io.prometheus.jmx.test.support.http.HttpResponse;
+import io.prometheus.jmx.test.support.http.HttpResponseAssertions;
+import io.prometheus.jmx.test.support.metrics.DoubleValueMetricAssertion;
+import io.prometheus.jmx.test.support.metrics.Metric;
+import io.prometheus.jmx.test.support.metrics.MetricsParser;
+import java.util.Collection;
+import java.util.function.Consumer;
+import java.util.stream.Stream;
+import org.antublue.test.engine.api.TestEngine;
+
+public class RMIRegistrySSLDisabledTest extends AbstractTest implements Consumer<HttpResponse> {
+
+    /**
+     * Method to get the list of TestArguments
+     *
+     * @return the return value
+     */
+    @TestEngine.ArgumentSupplier
+    protected static Stream<TestArgument> arguments() {
+        // Filter the arguments..
+        //
+        // 1. only run the Standalone exporter
+        // 2. filter out the GraalVM 1.8 JVM - exception is that SunJSSE is not found
+        // 3. filter out all ibmjava* JVMs - exception is that SunJSSE is not found
+        //
+        return AbstractTest.arguments()
+                .filter(testArgument -> testArgument.name().contains("Standalone"))
+                .filter(
+                        testArgument1 ->
+                                !testArgument1.dockerImageName().contains("graalvm/jdk:java8"))
+                .filter(testArgument1 -> !testArgument1.dockerImageName().contains("ibmjava"));
+    }
+
+    @TestEngine.Test
+    public void testHealthy() {
+        new HttpHealthyRequest()
+                .send(testContext.httpClient())
+                .accept(HttpResponseAssertions::assertHttpHealthyResponse);
+    }
+
+    @TestEngine.Test
+    public void testMetrics() {
+        new HttpMetricsRequest().send(testContext.httpClient()).accept(this);
+    }
+
+    @TestEngine.Test
+    public void testMetricsOpenMetricsFormat() {
+        new HttpOpenMetricsRequest().send(testContext.httpClient()).accept(this);
+    }
+
+    @TestEngine.Test
+    public void testMetricsPrometheusFormat() {
+        new HttpPrometheusMetricsRequest().send(testContext.httpClient()).accept(this);
+    }
+
+    @TestEngine.Test
+    public void testMetricsPrometheusProtobufFormat() {
+        new HttpPrometheusProtobufMetricsRequest().send(testContext.httpClient()).accept(this);
+    }
+
+    @Override
+    public void accept(HttpResponse httpResponse) {
+        assertHttpMetricsResponse(httpResponse);
+
+        Collection<Metric> metrics = MetricsParser.parse(httpResponse);
+
+        String buildInfoName =
+                testArgument.mode() == Mode.JavaAgent
+                        ? "jmx_prometheus_javaagent"
+                        : "jmx_prometheus_httpserver";
+
+        new DoubleValueMetricAssertion(metrics)
+                .type("GAUGE")
+                .name("jmx_exporter_build_info")
+                .label("name", buildInfoName)
+                .value(1d)
+                .isPresent();
+
+        new DoubleValueMetricAssertion(metrics)
+                .type("GAUGE")
+                .name("jmx_scrape_error")
+                .value(0d)
+                .isPresent();
+
+        new DoubleValueMetricAssertion(metrics)
+                .type("COUNTER")
+                .name("jmx_config_reload_success_total")
+                .value(0d)
+                .isPresent();
+
+        new DoubleValueMetricAssertion(metrics)
+                .type("GAUGE")
+                .name("jvm_memory_used_bytes")
+                .label("area", "nonheap")
+                .isPresent(testArgument.mode() == Mode.JavaAgent);
+
+        new DoubleValueMetricAssertion(metrics)
+                .type("GAUGE")
+                .name("jvm_memory_used_bytes")
+                .label("area", "heap")
+                .isPresent(testArgument.mode() == Mode.JavaAgent);
+
+        new DoubleValueMetricAssertion(metrics)
+                .type("GAUGE")
+                .name("jvm_memory_used_bytes")
+                .label("area", "nonheap")
+                .isNotPresent(testArgument.mode() == Mode.Standalone);
+
+        new DoubleValueMetricAssertion(metrics)
+                .type("GAUGE")
+                .name("jvm_memory_used_bytes")
+                .label("area", "heap")
+                .isNotPresent(testArgument.mode() == Mode.Standalone);
+
+        new DoubleValueMetricAssertion(metrics)
+                .type("UNTYPED")
+                .name("io_prometheus_jmx_tabularData_Server_1_Disk_Usage_Table_size")
+                .label("source", "/dev/sda1")
+                .value(7.516192768E9d)
+                .isPresent();
+
+        new DoubleValueMetricAssertion(metrics)
+                .type("UNTYPED")
+                .name("io_prometheus_jmx_tabularData_Server_2_Disk_Usage_Table_pcent")
+                .label("source", "/dev/sda2")
+                .value(0.8d)
+                .isPresent();
+    }
+}

integration_test_suite/integration_tests/src/test/resources/io/prometheus/jmx/test/rmi/ssl/MinimalTest/Standalone/application.sh

@@ -16,8 +16,6 @@
 JMXREMOTE_ACCESS=jmxremote.access
 JMXREMOTE_PASSWORD=jmxremote.password
 
-whoami
-
 WHOAMI=$(whoami)
 if [ "${WHOAMI}" = "jboss" ] || [ "${WHOAMI}" = "default" ];
 then

integration_test_suite/integration_tests/src/test/resources/io/prometheus/jmx/test/rmi/ssl/RMIRegistrySSLDisabledTest/Standalone/application.sh

@@ -0,0 +1,50 @@
+#!/bin/bash
+
+#
+# Code to run the test with RedHat UBI images
+#
+# When running on RedHat UBI images, testcontainers maps
+# the files as the current user, but the application runs
+# as "jboss" on UBI8 images and "default" on UBI9 images
+# preventing the chmod commands to change permissions on
+# the jmxremote.access and jmxremote.password files.
+#
+# The code copies the files to /tmp as the current user
+# then performs a chmod to change permissions.
+#
+
+JMXREMOTE_ACCESS=jmxremote.access
+JMXREMOTE_PASSWORD=jmxremote.password
+
+WHOAMI=$(whoami)
+if [ "${WHOAMI}" = "jboss" ] || [ "${WHOAMI}" = "default" ];
+then
+  cp ${JMXREMOTE_ACCESS} /tmp/jmxremote.access
+  cp ${JMXREMOTE_PASSWORD} /tmp/jmxremote.password
+  chmod go-rwx /tmp/jmxremote.access
+  chmod go-rwx /tmp/jmxremote.password
+  JMXREMOTE_ACCESS=/tmp/jmxremote.access
+  JMXREMOTE_PASSWORD=/tmp/jmxremote.password
+else
+  chmod go-rwx jmxremote.access
+  chmod go-rwx jmxremote.password
+fi
+
+export RMI_REGISTRY_SSL_DISABLED=true
+
+java \
+  -Xmx512M \
+  -Dcom.sun.management.jmxremote=true \
+  -Dcom.sun.management.jmxremote.authenticate=true \
+  -Dcom.sun.management.jmxremote.password.file=${JMXREMOTE_PASSWORD} \
+  -Dcom.sun.management.jmxremote.port=9999 \
+  -Dcom.sun.management.jmxremote.access.file=${JMXREMOTE_ACCESS} \
+  -Dcom.sun.management.jmxremote.ssl=true \
+  -Dcom.sun.management.jmxremote.rmi.port=8888 \
+  -Djavax.net.ssl.keyStore=localhost.pkcs12 \
+  -Djavax.net.ssl.keyStorePassword=changeit \
+  -Djavax.net.ssl.keyStoreType=pkcs12 \
+  -Djavax.net.ssl.trustStore=localhost.pkcs12 \
+  -Djavax.net.ssl.trustStorePassword=changeit \
+  -Djavax.net.ssl.trustStoreType=pkcs12 \
+  -jar jmx_example_application.jar

integration_test_suite/integration_tests/src/test/resources/io/prometheus/jmx/test/rmi/ssl/RMIRegistrySSLDisabledTest/Standalone/exporter.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+export RMI_REGISTRY_SSL_DISABLED=true
+
+java \
+  -Xmx512M \
+  -Djavax.net.ssl.keyStore=localhost.pkcs12 \
+  -Djavax.net.ssl.keyStorePassword=changeit \
+  -Djavax.net.ssl.keyStoreType=pkcs12 \
+  -Djavax.net.ssl.trustStore=localhost.pkcs12 \
+  -Djavax.net.ssl.trustStorePassword=changeit \
+  -Djavax.net.ssl.trustStoreType=pkcs12 \
+  -jar jmx_prometheus_httpserver.jar 8888 exporter.yaml

integration_test_suite/integration_tests/src/test/resources/io/prometheus/jmx/test/rmi/ssl/RMIRegistrySSLDisabledTest/Standalone/exporter.yaml

@@ -0,0 +1,6 @@
+hostPort: application:9999
+ssl: true
+username: Prometheus
+password: secret
+rules:
+  - pattern: ".*"

integration_test_suite/integration_tests/src/test/resources/io/prometheus/jmx/test/rmi/ssl/RMIRegistrySSLDisabledTest/Standalone/jmxremote.access

@@ -0,0 +1 @@
+Prometheus readonly

integration_test_suite/integration_tests/src/test/resources/io/prometheus/jmx/test/rmi/ssl/RMIRegistrySSLDisabledTest/Standalone/jmxremote.password

@@ -0,0 +1 @@
+Prometheus secret