From 4a31e66ae77a78db65388fec748284eac51ffe8a Mon Sep 17 00:00:00 2001 From: Joakim Erdfelt Date: Wed, 19 Jun 2024 16:48:51 -0500 Subject: [PATCH] Fixes #11892 - mtls not working with http/3. (#11900) The client certificate is now exposed in QuicheConnection, so that it can be returned by QuicStreamEndPoint.getSslSessionData(). Not much else is exposed by Quiche, so not much else that we can provide to applications, for example no TLS session id, no cipher suite, etc. Fixed --enable-native-access command line option to run tests, as the foreign dependency is in the class-path. Signed-off-by: Simone Bordet --- .../jetty-ee11-test-client-transports/pom.xml | 2 +- .../test/client/transport/AbstractTest.java | 8 +++ .../client/transport/NeedClientAuthTest.java | 60 +++++++++++++++++++ 3 files changed, 69 insertions(+), 1 deletion(-) create mode 100644 jetty-ee11/jetty-ee11-tests/jetty-ee11-test-client-transports/src/test/java/org/eclipse/jetty/ee11/test/client/transport/NeedClientAuthTest.java diff --git a/jetty-ee11/jetty-ee11-tests/jetty-ee11-test-client-transports/pom.xml b/jetty-ee11/jetty-ee11-tests/jetty-ee11-test-client-transports/pom.xml index dbcb21b1e109..cd22bd44bb25 100644 --- a/jetty-ee11/jetty-ee11-tests/jetty-ee11-test-client-transports/pom.xml +++ b/jetty-ee11/jetty-ee11-tests/jetty-ee11-test-client-transports/pom.xml @@ -112,7 +112,7 @@ @{argLine} ${jetty.surefire.argLine} - --enable-native-access org.eclipse.jetty.quic.quiche.foreign + --enable-native-access=ALL-UNNAMED diff --git a/jetty-ee11/jetty-ee11-tests/jetty-ee11-test-client-transports/src/test/java/org/eclipse/jetty/ee11/test/client/transport/AbstractTest.java b/jetty-ee11/jetty-ee11-tests/jetty-ee11-test-client-transports/src/test/java/org/eclipse/jetty/ee11/test/client/transport/AbstractTest.java index de4cd9e8c49a..7922b116de4a 100644 --- a/jetty-ee11/jetty-ee11-tests/jetty-ee11-test-client-transports/src/test/java/org/eclipse/jetty/ee11/test/client/transport/AbstractTest.java 
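Review bot: The new `--enable-native-access=ALL-UNNAMED` in the surefire `argLine` carries no explanation of why the module-qualified grant was dropped, and the removed spelling (a space instead of `=`) suggests the option was never parsed as intended, so a later tidy-up restoring `--enable-native-access=org.eclipse.jetty.quic.quiche.foreign` would, as far as I can tell, name a module that is not in the boot layer when the foreign jar is on the class path (the commit message's stated reason), and the JVM would only warn and grant nothing, silently breaking the H3 tests again. A comment next to the `<argLine>` element such as `<!-- quiche-foreign is on the test class path (unnamed module), so the restricted-method grant must be ALL-UNNAMED -->` would preserve that reasoning. Note that ALL-UNNAMED also extends the grant to every class-path jar in the test JVM; that is acceptable for a test runner but should not be copied into Jetty's production start configuration, where the module-qualified form is the right one.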
+++ b/jetty-ee11/jetty-ee11-tests/jetty-ee11-test-client-transports/src/test/java/org/eclipse/jetty/ee11/test/client/transport/AbstractTest.java
@@ -102,6 +102,14 @@ public static Collection transportsWithPushSupport()
 return transports;
 }
+ public static Collection transportsSecure()
+ {
+ EnumSet transports = EnumSet.of(Transport.HTTPS, Transport.H2, Transport.H3);
+ if ("ci".equals(System.getProperty("env")))
+ transports.remove(Transport.H3);
+ return transports;
+ }
+
 @BeforeEach
 public void prepare()
 {
diff --git a/jetty-ee11/jetty-ee11-tests/jetty-ee11-test-client-transports/src/test/java/org/eclipse/jetty/ee11/test/client/transport/NeedClientAuthTest.java b/jetty-ee11/jetty-ee11-tests/jetty-ee11-test-client-transports/src/test/java/org/eclipse/jetty/ee11/test/client/transport/NeedClientAuthTest.java
new file mode 100644
index 000000000000..ade18cf668df
--- /dev/null
+++ b/jetty-ee11/jetty-ee11-tests/jetty-ee11-test-client-transports/src/test/java/org/eclipse/jetty/ee11/test/client/transport/NeedClientAuthTest.java
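Review bot: `transportsSecure` silently drops `Transport.H3` when the `env` system property is `ci`, so the mTLS-over-HTTP/3 path that this commit fixes is never exercised by the CI run, and nothing in the hunk records why or when the exclusion can be lifted. A comment above the `if`, e.g. `// H3 is excluded on CI (env=ci): <reason / tracking issue>; the mTLS-over-H3 path is then only covered by local runs`, would make the gap visible to whoever next touches the QUIC code; if `transportsWithPushSupport` or the other providers in this class apply the same CI filter, the reason is best stated once. The enclosing `AbstractTest` class starts and ends outside this hunk.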
@@ -0,0 +1,60 @@
+//
+// ========================================================================
+// Copyright (c) 1995 Mort Bay Consulting Pty Ltd and others.
+//
+// This program and the accompanying materials are made available under the
+// terms of the Eclipse Public License v. 2.0 which is available at
+// https://www.eclipse.org/legal/epl-2.0, or the Apache License, Version 2.0
+// which is available at https://www.apache.org/licenses/LICENSE-2.0.
+//
+// SPDX-License-Identifier: EPL-2.0 OR Apache-2.0
+// ========================================================================
+//
+
+package org.eclipse.jetty.ee11.test.client.transport;
+
+import jakarta.servlet.http.HttpServlet;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import org.eclipse.jetty.client.ContentResponse;
+import org.eclipse.jetty.ee11.servlet.ServletContextRequest;
+import org.eclipse.jetty.http.HttpStatus;
+import org.eclipse.jetty.util.ssl.SslContextFactory;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.MethodSource;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+
+public class NeedClientAuthTest extends AbstractTest
+{
+ @ParameterizedTest
+ @MethodSource("transportsSecure")
+ public void testNeedClientAuth(Transport transport) throws Exception
+ {
+ prepareServer(transport, new HttpServlet()
+ {
+ @Override
+ protected void service(HttpServletRequest request, HttpServletResponse response)
+ {
+ // Verify that the request attribute is present.
+ assertNotNull(request.getAttribute(ServletContextRequest.PEER_CERTIFICATES));
+ }
+ });
+ sslContextFactoryServer.setNeedClientAuth(true);
+ server.start();
+
+ startClient(transport, httpClient ->
+ {
+ // Configure the SslContextFactory to send a certificate to the server.
+ SslContextFactory.Client clientSSL = httpClient.getSslContextFactory();
+ clientSSL.setKeyStorePath("src/test/resources/keystore.p12");
+ clientSSL.setKeyStorePassword("storepwd");
+ clientSSL.setCertAlias("mykey");
+ });
+
+ ContentResponse response = client.newRequest(newURI(transport)).send();
+
+ assertEquals(HttpStatus.OK_200, response.getStatus());
+ }
+}
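Review bot: `testNeedClientAuth` only exercises the positive path, so a regression in which the server stops enforcing `setNeedClientAuth(true)` and accepts a peer that presents no certificate would still pass; rejection of unauthenticated clients is the property the test is named after, and it is the one that matters for the new QUIC code path. A companion test that starts the client with no key store and expects `send()` to fail would pin that behaviour (sketch below; it needs `assertThrows` and `java.util.concurrent.ExecutionException` imported, assumes `startClient`'s default client carries no key store, and the exact exception to assert on should be confirmed per transport). Separately, the `assertNotNull` inside `service` runs on a server thread, so a failure reaches the test only as a non-200 status with the assertion message lost; capturing the attribute into an `AtomicReference` and asserting in the test thread — including that it is a non-empty `X509Certificate[]` — keeps the diagnostic. The server-side trust-store configuration that makes the `mykey` certificate acceptable lives in `prepareServer`, outside this hunk.
```java
    @ParameterizedTest
    @MethodSource("transportsSecure")
    public void testNeedClientAuthWithoutClientCertificate(Transport transport) throws Exception
    {
        // The handshake must be rejected, so no servlet logic is needed here.
        prepareServer(transport, new HttpServlet() {});
        sslContextFactoryServer.setNeedClientAuth(true);
        server.start();

        // No key store on the client, so no certificate can be presented.
        startClient(transport, httpClient -> {});

        // Rejection surfaces from send() as an ExecutionException; the wrapped cause
        // differs between TLS (HTTPS/H2) and QUIC (H3), so only the failure itself is asserted.
        assertThrows(ExecutionException.class, () -> client.newRequest(newURI(transport)).send());
    }
```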