fix: remove client certificate rotate callback (#64)

It is not necessary to disconnect the MQTT Bridge when the client
certificate rotates. This change removes that logic, but still ensures
that the new client certificate is used the next time the bridge
connects.

CA rotation still results in a disconnect, as that indicates that the
client should no longer trust the server.

Author: jbutler

src/main/java/com/aws/greengrass/mqttbridge/auth/MQTTClientKeyStore.java

@@ -56,7 +56,7 @@ public class MQTTClientKeyStore {
 
     @FunctionalInterface
     public interface UpdateListener {
-        void onUpdate();
+        void onCAUpdate();
     }
 
     /**
@@ -108,9 +108,8 @@ private KeyPair newRSAKeyPair() throws NoSuchAlgorithmException {
 
     private void updateCert(X509Certificate... certChain) {
         try {
+            LOGGER.atDebug().log("Storing new client certificate to be used on next connect attempt");
             keyStore.setKeyEntry(KEY_ALIAS, keyPair.getPrivate(), DEFAULT_KEYSTORE_PASSWORD, certChain);
-
-            updateListeners.forEach(UpdateListener::onUpdate); //notify MQTTClient
         } catch (KeyStoreException e) {
             LOGGER.atError("Unable to store generated cert", e);
         }
@@ -139,7 +138,7 @@ public void updateCA(List<String> caCerts) throws IOException, CertificateExcept
             keyStore.setCertificateEntry("CA" + i, caCert);
         }
 
-        updateListeners.forEach(UpdateListener::onUpdate); //notify MQTTClient
+        updateListeners.forEach(UpdateListener::onCAUpdate); //notify MQTTClient
     }
 
     private X509Certificate pemToX509Certificate(String certPem) throws IOException, CertificateException {
@@ -156,7 +155,7 @@ private X509Certificate pemToX509Certificate(String certPem) throws IOException,
      * Add listener to listen to KeyStore updates.
      * @param listener listener method
      */
-    public synchronized void listenToUpdates(UpdateListener listener) {
+    public synchronized void listenToCAUpdates(UpdateListener listener) {
         updateListeners.add(listener);
     }
 
@@ -177,7 +176,7 @@ public SSLSocketFactory getSSLSocketFactory() throws KeyStoreException {
             SSLContext sc = SSLContext.getInstance("TLS");
             sc.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
             return sc.getSocketFactory();
-        } catch (NoSuchAlgorithmException | KeyStoreException | UnrecoverableKeyException | KeyManagementException e) {
+        } catch (NoSuchAlgorithmException | UnrecoverableKeyException | KeyManagementException e) {
             throw new KeyStoreException("Unable to create SocketFactory from KeyStore", e);
         }
     }

src/main/java/com/aws/greengrass/mqttbridge/clients/MQTTClient.java

@@ -38,7 +38,6 @@ public class MQTTClient implements MessageClient {
     private static final int MIN_WAIT_RETRY_IN_SECONDS = 1;
     private static final int MAX_WAIT_RETRY_IN_SECONDS = 120;
 
-    private final MqttConnectOptions connOpts = new MqttConnectOptions();
     private Consumer<Message> messageHandler;
     private final URI brokerUri;
     private final String clientId;
@@ -104,7 +103,7 @@ protected MQTTClient(@NonNull URI brokerUri, @NonNull String clientId, MQTTClien
         this.mqttClientInternal = mqttClient;
         this.dataStore = new MemoryPersistence();
         this.mqttClientKeyStore = mqttClientKeyStore;
-        this.mqttClientKeyStore.listenToUpdates(this::reset);
+        this.mqttClientKeyStore.listenToCAUpdates(this::reset);
         this.executorService = executorService;
     }
 
@@ -231,19 +230,23 @@ private synchronized void updateSubscriptionsInternal() {
         });
     }
 
-    private synchronized void connectAndSubscribe() throws KeyStoreException {
-        if (connectFuture != null) {
-            connectFuture.cancel(true);
-        }
-
-        //TODO: persistent session could be used
+    private MqttConnectOptions getConnectionOptions() throws KeyStoreException {
+        MqttConnectOptions connOpts = new MqttConnectOptions();
         connOpts.setCleanSession(true);
 
         if ("ssl".equalsIgnoreCase(brokerUri.getScheme())) {
             SSLSocketFactory ssf = mqttClientKeyStore.getSSLSocketFactory();
             connOpts.setSocketFactory(ssf);
         }
 
+        return connOpts;
+    }
+
+    private synchronized void connectAndSubscribe() throws KeyStoreException {
+        if (connectFuture != null) {
+            connectFuture.cancel(true);
+        }
+
         LOGGER.atInfo()
                 .kv(BridgeConfig.KEY_BROKER_URI, brokerUri)
                 .kv(BridgeConfig.KEY_CLIENT_ID, clientId)
@@ -252,9 +255,9 @@ private synchronized void connectAndSubscribe() throws KeyStoreException {
         connectFuture = executorService.submit(this::reconnectAndResubscribe);
     }
 
-    private synchronized void doConnect() throws MqttException {
+    private synchronized void doConnect() throws MqttException, KeyStoreException {
         if (!mqttClientInternal.isConnected()) {
-            mqttClientInternal.connect(connOpts);
+            mqttClientInternal.connect(getConnectionOptions());
             LOGGER.atInfo()
                     .kv(BridgeConfig.KEY_BROKER_URI, brokerUri)
                     .kv(BridgeConfig.KEY_CLIENT_ID, clientId)
@@ -269,7 +272,7 @@ private void reconnectAndResubscribe() {
             try {
                 // TODO: Clean up this loop
                 doConnect();
-            } catch (MqttException e) {
+            } catch (MqttException | KeyStoreException e) {
                 LOGGER.atDebug().setCause(e)
                         .log("Unable to connect. Will be retried after {} seconds", waitBeforeRetry);
                 try {

src/test/java/com/aws/greengrass/mqttbridge/auth/MQTTClientKeyStoreTest.java

@@ -43,7 +43,7 @@
 
 @ExtendWith({MockitoExtension.class, GGExtension.class})
 public class MQTTClientKeyStoreTest {
-    public static final String CERTIFICATE = "-----BEGIN CERTIFICATE-----\r\n"
+    private static final String CERTIFICATE = "-----BEGIN CERTIFICATE-----\r\n"
             + "MIICujCCAaICCQCQcEEQmGoJqjANBgkqhkiG9w0BAQUFADAfMR0wGwYDVQQDDBRt\r\n"
             + "b3F1ZXR0ZS5lY2xpcHNlLm9yZzAeFw0yMDA3MjExODA2MzdaFw0yMTA3MTYxODA2\r\n"
             + "MzdaMB8xHTAbBgNVBAMMFG1vcXVldHRlLmVjbGlwc2Uub3JnMIIBIjANBgkqhkiG\r\n"
@@ -67,11 +67,9 @@ public class MQTTClientKeyStoreTest {
     private CertificateManager mockCertificateManager;
 
     @Test
-    void GIVEN_MQTTClientKeyStore_WHEN_initialized_THEN_key_and_cert_generated() throws Exception {
+    void GIVEN_MQTTClientKeyStore_WHEN_initialized_THEN_keyAndCertGenerated() throws Exception {
         MQTTClientKeyStore mqttClientKeyStore = new MQTTClientKeyStore(mockCertificateManager);
         mqttClientKeyStore.init();
-        CountDownLatch updateLatch = new CountDownLatch(1);
-        mqttClientKeyStore.listenToUpdates(updateLatch::countDown);
 
         ArgumentCaptor<Consumer<X509Certificate[]>> cbArgumentCaptor = ArgumentCaptor.forClass(Consumer.class);
         verify(mockCertificateManager, times(1))
@@ -84,7 +82,6 @@ void GIVEN_MQTTClientKeyStore_WHEN_initialized_THEN_key_and_cert_generated() thr
         X509Certificate certificate = pemToX509Certificate(CERTIFICATE);
         X509Certificate[] chain = {certificate, certificate};
         certCallback.accept(chain);
-        assertThat(updateLatch.await(100, TimeUnit.MILLISECONDS), is(true));
         assertThat(keyStore.size(), is(1));
 
         PrivateKey privateKey = (PrivateKey) keyStore.getKey(KEY_ALIAS, DEFAULT_KEYSTORE_PASSWORD);
@@ -106,7 +103,7 @@ void GIVEN_MQTTClientKeyStore_WHEN_called_updateCA_THEN_CA_stored() throws Excep
         MQTTClientKeyStore mqttClientKeyStore = new MQTTClientKeyStore(mockCertificateManager);
         mqttClientKeyStore.init();
         CountDownLatch updateLatch = new CountDownLatch(1);
-        mqttClientKeyStore.listenToUpdates(updateLatch::countDown);
+        mqttClientKeyStore.listenToCAUpdates(updateLatch::countDown);
 
         KeyStore keyStore = mqttClientKeyStore.getKeyStore();
         assertThat(keyStore.size(), is(0));
@@ -122,11 +119,11 @@ void GIVEN_MQTTClientKeyStore_WHEN_called_updateCA_THEN_CA_stored() throws Excep
     }
 
     @Test
-    void GIVEN_MQTTClientKeyStore_WHEN_called_getSSLSocketFactory_THEN_returns_SSLSocketFactory() throws Exception {
+    void GIVEN_MQTTClientKeyStore_WHEN_getSSLSocketFactory_THEN_returns_SSLSocketFactory() throws Exception {
         MQTTClientKeyStore mqttClientKeyStore = new MQTTClientKeyStore(mockCertificateManager);
         mqttClientKeyStore.init();
-        CountDownLatch updateLatch = new CountDownLatch(2);
-        mqttClientKeyStore.listenToUpdates(updateLatch::countDown);
+        CountDownLatch updateLatch = new CountDownLatch(1);
+        mqttClientKeyStore.listenToCAUpdates(updateLatch::countDown);
 
         ArgumentCaptor<Consumer<X509Certificate[]>> cbArgumentCaptor = ArgumentCaptor.forClass(Consumer.class);
         verify(mockCertificateManager, times(1))

src/test/java/com/aws/greengrass/mqttbridge/clients/MQTTClientTest.java

@@ -8,6 +8,7 @@
 import com.aws.greengrass.mqttbridge.Message;
 import com.aws.greengrass.mqttbridge.auth.MQTTClientKeyStore;
 import com.aws.greengrass.testcommons.testutilities.GGExtension;
+import org.eclipse.paho.client.mqttv3.MqttConnectOptions;
 import org.eclipse.paho.client.mqttv3.MqttMessage;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
@@ -206,7 +207,7 @@ void GIVEN_mqttClient_WHEN_connectionLost_THEN_clientReconnectsAndResubscribes()
     }
 
     @Test
-    void GIVEN_mqttClient_WHEN_reset_THEN_connectsWithUpdatedSslContext() throws Exception {
+    void GIVEN_mqttClient_WHEN_caRotates_THEN_connectsWithUpdatedSslContext() throws Exception {
         MQTTClientKeyStore mockKeyStore = mock(MQTTClientKeyStore.class);
         MQTTClient mqttClient = new MQTTClient(ENCRYPTED_URI, CLIENT_ID, mockKeyStore, ses, fakeMqttClient);
         mqttClient.start();
@@ -223,4 +224,27 @@ void GIVEN_mqttClient_WHEN_reset_THEN_connectsWithUpdatedSslContext() throws Exc
         assertThat(fakeMqttClient.getConnectOptions().getSocketFactory(), is(mockSocketFactory));
         assertThat(fakeMqttClient.getConnectCount(), is(2));
     }
+
+    @Test
+    void GIVEN_mqttClient_WHEN_clientCertRotates_THEN_newCertIsUsedUponSubsequentReconnects() throws Exception {
+        SSLSocketFactory mockSocketFactory1 = mock(SSLSocketFactory.class);
+        SSLSocketFactory mockSocketFactory2 = mock(SSLSocketFactory.class);
+        when(mockMqttClientKeyStore.getSSLSocketFactory()).thenReturn(mockSocketFactory1);
+
+        MQTTClient mqttClient = new MQTTClient(ENCRYPTED_URI, CLIENT_ID, mockMqttClientKeyStore, ses, fakeMqttClient);
+        mqttClient.start();
+        fakeMqttClient.waitForConnect(1000);
+
+        assertThat(fakeMqttClient.isConnected(), is(true));
+        MqttConnectOptions connectOptions = fakeMqttClient.getConnectOptions();
+        assertThat(connectOptions.getSocketFactory(), is(mockSocketFactory1));
+
+        // Update socket factory and inject a connection loss
+        when(mockMqttClientKeyStore.getSSLSocketFactory()).thenReturn(mockSocketFactory2);
+        fakeMqttClient.injectConnectionLoss();
+
+        assertThat(fakeMqttClient.isConnected(), is(true));
+        connectOptions = fakeMqttClient.getConnectOptions();
+        assertThat(connectOptions.getSocketFactory(), is(mockSocketFactory2));
+    }
 }