Merge branch 'master' into OF-2559_mina-to-netty

# Conflicts:
#	xmppserver/src/test/java/org/jivesoftware/openfire/nio/XMLLightweightParserTest.java

build/updateTLSTruststore

@@ -0,0 +1,91 @@
+#!/bin/bash
+
+# Get the location of this script
+SCRIPTPATH="$(
+    cd "$(dirname "$0")"
+    pwd -P
+)"
+
+# Define the truststore path in relation to this script
+TRUSTSTOREPATH="$SCRIPTPATH/../distribution/src/security/truststore"
+
+# Create a temporary directory
+TEMPDIR=$(mktemp -d)
+
+# Download the mozilla trusted root certificates
+# See https://www.ccadb.org/resources (linked to from https://blog.mozilla.org/security/2021/05/10/beware-of-applications-misusing-root-stores/)
+curl -o $TEMPDIR/cacerts.txt https://ccadb.my.salesforce-sites.com/mozilla/IncludedRootsPEMTxt?TrustBitsInclude=Websites
+
+# Parse the certificates into individual files
+csplit --prefix "$TEMPDIR/cert" --suffix-format %02d.pem "$TEMPDIR/cacerts.txt" '/-----BEGIN CERTIFICATE-----/' '{*}' --elide-empty-files --quiet
+
+# Remove the existing trust store
+rm "$TRUSTSTOREPATH"
+
+# Import the certificates into the trust store
+for CERTFILE in $TEMPDIR/cert*.pem; do
+    # Get the certificate name from some properties
+    CERTNAME_CN=$(openssl x509 -noout -subject -nameopt lname,sep_multiline,utf8 -in "$CERTFILE" | grep commonName | sed 's/.*commonName=//')
+    CERTNAME_OUN=$(openssl x509 -noout -subject -nameopt lname,sep_multiline,utf8 -in "$CERTFILE" | grep organizationalUnitName | sed 's/.*organizationalUnitName=//')
+
+    if [[ "$CERTNAME_CN" == "" ]] && [[ "$CERTNAME_OUN" == "" ]]; then # If there is no CN or OUN, use the filename
+        CERTNAME=$(basename "$CERTFILE" .pem)
+    elif [[ "$CERTNAME_CN" == "" ]] && [[ "$CERTNAME_OUN" != "" ]]; then
+        CERTNAME=$CERTNAME_OUN
+    elif [[ "$CERTNAME_OUN" == "Certum Certification Authority" ]]; then # Certum has a unique CN, but the OUN isn't
+        CERTNAME=$CERTNAME_CN
+    elif [[ "$CERTNAME_CN" == "Certigna"* ]]; then # Certigna certs have a string of numbers in the OUN
+        CERTNAME=$CERTNAME_CN
+    elif [[ "$CERTNAME_CN" == "GlobalSign" ]]; then # GlobalSign has a unique OUN, but the CN isn't
+        CERTNAME=$CERTNAME_OUN
+    elif [[ "$CERTNAME_CN" == "Entrust"* ]]; then # Entrust OUNs are links to legal terms
+        CERTNAME=$CERTNAME_CN
+    elif [[ "$CERTNAME_CN" =~ ^See.www.* ]]; then # Some certificates have a CN that is a link to legal terms
+        CERTNAME=$CERTNAME_OUN
+    elif [[ ${#CERTNAME_CN} -gt ${#CERTNAME_OUN} ]]; then # Pick the more descriptive
+        CERTNAME=$CERTNAME_CN
+    else
+        CERTNAME=$CERTNAME_OUN
+    fi
+
+    echo Importing "$CERTFILE" as '"'"$CERTNAME"'"'
+    keytool -import -storepass changeit -keystore "$TRUSTSTOREPATH" -alias "$CERTNAME" -file "$CERTFILE" -noprompt >/tmp/keytool.out 2>&1
+    EXITCODE=$?
+    if [ $EXITCODE -ne 0 ]; then
+        # Find out why the import failed by reading the keytool output
+        KEYTOOLERROR=$(cat /tmp/keytool.out)
+
+        # If the import failed because the certificate was invalid, abort
+        if [[ "$KEYTOOLERROR" == *"Input not an X.509 certificate"* ]]; then
+            echo "==> Failed to import $CERTFILE as $CERTNAME - certificate isn't valid"
+            continue
+        fi
+
+        # If the import failed because the alias already exists, try again with a deduplicated alias
+        if [[ "$KEYTOOLERROR" == *"Certificate not imported, alias <$CERTNAME> already exists"* ]]; then
+
+            NEWEXITCODE=1
+            ATTEMPTCOUNT=0
+
+            while [ $NEWEXITCODE -ne 0 ] && [ $ATTEMPTCOUNT -lt 10 ]; do
+                ATTEMPTCOUNT=$((ATTEMPTCOUNT + 1))
+                DEDUPLICATED_ALIAS="$CERTNAME $ATTEMPTCOUNT"
+                echo "==> Failed to import $CERTFILE as $CERTNAME - alias already exists, trying $DEDUPLICATED_ALIAS"
+                keytool -import -storepass changeit -keystore "$TRUSTSTOREPATH" -alias "$DEDUPLICATED_ALIAS" -file "$CERTFILE" -noprompt >/tmp/keytool.out 2>&1
+                NEWEXITCODE=$?
+                if [ $NEWEXITCODE -ne 0 ]; then
+                    # Check if more attempts are needed
+                    NEWKEYTOOLERROR=$(cat /tmp/keytool.out)
+                    if [[ "$KEYTOOLERROR" == *"Certificate not imported, alias <$CERTNAME> already exists"* ]]; then
+                        continue
+                    else
+                        echo "==> Failed to import $CERTFILE as $DEDUPLICATED_ALIAS - $NEWKEYTOOLERROR"
+                        continue 2
+                    fi
+                else
+                    echo "==> Successfully imported $CERTFILE as $DEDUPLICATED_ALIAS"
+                fi
+            done
+        fi
+    fi
+done

xmppserver/pom.xml

@@ -46,7 +46,7 @@
                     <plugin>
                         <groupId>org.apache.maven.plugins</groupId>
                         <artifactId>maven-surefire-plugin</artifactId>
-                        <version>3.0.0-M3</version>
+                        <version>3.1.2</version>
                         <configuration>
                             <systemPropertyVariables>
                                 <log4j.configurationFile>${project.build.directory}/test-classes/log4j2-test-mvn.xml</log4j.configurationFile>
@@ -159,7 +159,7 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-surefire-plugin</artifactId>
-                <version>3.0.0-M3</version>
+                <version>3.1.2</version>
                 <configuration>
                     <systemPropertyVariables>
                         <log4j.configurationFile>${project.build.directory}/test-classes/log4j2-test-mvn.xml</log4j.configurationFile>
@@ -172,6 +172,25 @@
         </plugins>
     </build>
 
+    <dependencyManagement>
+        <dependencies>
+            <dependency>
+                <groupId>org.junit</groupId>
+                <artifactId>junit-bom</artifactId>
+                <version>5.9.3</version>
+                <type>pom</type>
+                <scope>import</scope>
+            </dependency>
+            <dependency>
+                <groupId>org.mockito</groupId>
+                <artifactId>mockito-bom</artifactId>
+                <version>5.4.0</version>
+                <type>pom</type>
+                <scope>import</scope>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
+
     <dependencies>
         <!-- Ignite Realtime -->
         <dependency>
@@ -460,7 +479,7 @@
         <dependency>
             <groupId>com.google.guava</groupId>
             <artifactId>guava</artifactId>
-            <version>30.1-jre</version>
+            <version>32.0.1-jre</version>
         </dependency>
         <dependency>
             <groupId>com.github.jgonian</groupId>
@@ -469,39 +488,30 @@
         </dependency>
         <!-- Test Scope -->
         <dependency>
-            <groupId>junit</groupId>
-            <artifactId>junit</artifactId>
-            <version>4.13.1</version>
+            <groupId>org.junit.jupiter</groupId>
+            <artifactId>junit-jupiter</artifactId>
             <scope>test</scope>
         </dependency>
         <dependency>
-            <groupId>org.mockito</groupId>
-            <artifactId>mockito-inline</artifactId>
-            <version>4.9.0</version>
+            <groupId>org.junit.jupiter</groupId>
+            <artifactId>junit-jupiter-params</artifactId>
             <scope>test</scope>
         </dependency>
         <dependency>
-            <!-- Without explicitly defining this dependency of org.mockito:mockity-inline:4.9.0, the mockito code fails for reasons that are beyond me. -->
-            <groupId>net.bytebuddy</groupId>
-            <artifactId>byte-buddy</artifactId>
-            <version>1.12.16</version>
+            <groupId>org.junit.vintage</groupId>
+            <artifactId>junit-vintage-engine</artifactId>
             <scope>test</scope>
         </dependency>
         <dependency>
-            <!-- Without explicitly defining this dependency of org.mockito:mockity-inline:4.9.0, the mockito code fails for reasons that are beyond me. -->
-            <groupId>net.bytebuddy</groupId>
-            <artifactId>byte-buddy-agent</artifactId>
-            <version>1.12.16</version>
+            <groupId>org.mockito</groupId>
+            <artifactId>mockito-core</artifactId>
             <scope>test</scope>
         </dependency>
         <dependency>
-            <!-- Without explicitly defining this dependency of org.mockito:mockity-inline:4.9.0, the mockito code fails for reasons that are beyond me. -->
-            <groupId>org.objenesis</groupId>
-            <artifactId>objenesis</artifactId>
-            <version>3.3</version>
+            <groupId>org.mockito</groupId>
+            <artifactId>mockito-junit-jupiter</artifactId>
             <scope>test</scope>
         </dependency>
-
         <dependency>
             <groupId>org.hamcrest</groupId>
             <artifactId>hamcrest-all</artifactId>
@@ -514,12 +524,6 @@
             <version>3.1.6</version>
             <scope>test</scope>
         </dependency>
-        <dependency>
-            <groupId>org.zapodot</groupId>
-            <artifactId>embedded-ldap-junit</artifactId>
-            <version>0.7</version>
-            <scope>test</scope>
-        </dependency>
         <dependency>
             <groupId>org.dbunit</groupId>
             <artifactId>dbunit</artifactId>

xmppserver/src/main/java/org/jivesoftware/openfire/ConnectionManager.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2008 Jive Software, 2022 Ignite Realtime Foundation. All rights reserved.
+ * Copyright (C) 2004-2008 Jive Software, 2022-2023 Ignite Realtime Foundation. All rights reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,8 +16,11 @@
 
 package org.jivesoftware.openfire;
 
+import org.jivesoftware.openfire.spi.ConnectionListener;
 import org.jivesoftware.openfire.spi.ConnectionType;
 
+import java.util.Set;
+
 /**
  * Coordinates connections (accept, read, termination) on the server.
  *
@@ -113,4 +116,33 @@ public interface ConnectionManager {
      * @param port a port number.
      */
     void setPort(ConnectionType type, boolean startInSslMode, int port);
+
+    /**
+     * Returns all connection listeners.
+     *
+     * @return All connection listeners (never null).
+     */
+    Set<ConnectionListener> getListeners();
+
+    /**
+     * Returns al connection listeners for the provided type.
+     *
+     * @param type The connection type for which a listener is to be configured.
+     * @return The connection listener (never null).
+     */
+    Set<ConnectionListener> getListeners( ConnectionType type );
+
+    /**
+     * Returns a connection listener.
+     *
+     * The #startInSslMode parameter is used to distinguish between listeners that expect to receive SSL encrypted data
+     * immediately, as opposed to connections that initially accept plain text data (the latter are typically subject to
+     * StartTLS for in-band encryption configuration). When for a particular connection type only one of these options
+     * is implemented, the parameter value is ignored.
+     *
+     * @param type The connection type for which a listener is to be configured.
+     * @param startInSslMode true when the listener to be configured is in legacy SSL mode, otherwise false.
+     * @return The connection listener (never null).
+     */
+    ConnectionListener getListener(ConnectionType type, boolean startInSslMode);
 }

xmppserver/src/main/java/org/jivesoftware/openfire/container/AdminConsolePlugin.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2008 Jive Software, 2022 Ignite Realtime Foundation. All rights reserved.
+ * Copyright (C) 2004-2008 Jive Software, 2022-2023 Ignite Realtime Foundation. All rights reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -32,13 +32,13 @@
 import org.eclipse.jetty.util.ssl.SslContextFactory;
 import org.eclipse.jetty.util.thread.QueuedThreadPool;
 import org.eclipse.jetty.webapp.*;
+import org.jivesoftware.openfire.ConnectionManager;
 import org.jivesoftware.admin.AuthCheckFilter;
 import org.jivesoftware.openfire.JMXManager;
 import org.jivesoftware.openfire.XMPPServer;
 import org.jivesoftware.openfire.keystore.CertificateStore;
 import org.jivesoftware.openfire.keystore.IdentityStore;
 import org.jivesoftware.openfire.spi.ConnectionConfiguration;
-import org.jivesoftware.openfire.spi.ConnectionManagerImpl;
 import org.jivesoftware.openfire.spi.ConnectionType;
 import org.jivesoftware.openfire.spi.EncryptionArtifactFactory;
 import org.jivesoftware.util.*;
@@ -209,7 +209,7 @@ protected void startup() {
                         Log.warn( "Admin console: Using certificates but they are not valid for the hosted domain" );
                     }
 
-                    final ConnectionManagerImpl connectionManager = ( (ConnectionManagerImpl) XMPPServer.getInstance().getConnectionManager() );
+                    final ConnectionManager connectionManager = XMPPServer.getInstance().getConnectionManager();
                     final ConnectionConfiguration configuration = connectionManager.getListener( ConnectionType.WEBADMIN, true ).generateConnectionConfiguration();
                     final SslContextFactory sslContextFactory = new EncryptionArtifactFactory( configuration ).getSslContextFactory();
 
@@ -254,7 +254,7 @@ protected void startup() {
 
         try {
             adminServer.start(); // excludes initialised
-        
+
             if(XMPPServer.getInstance().isSetupMode()) {
                 AuthCheckFilter.loadSetupExcludes();
             }

xmppserver/src/main/java/org/jivesoftware/openfire/http/HttpBindManager.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005-2008 Jive Software, Ignite Realtime Foundation 2022. All rights reserved.
+ * Copyright (C) 2005-2008 Jive Software, Ignite Realtime Foundation 2022-2023. All rights reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -33,12 +33,12 @@
 import org.eclipse.jetty.util.thread.QueuedThreadPool;
 import org.eclipse.jetty.webapp.WebAppContext;
 import org.jivesoftware.openfire.Connection;
+import org.jivesoftware.openfire.ConnectionManager;
 import org.jivesoftware.openfire.JMXManager;
 import org.jivesoftware.openfire.XMPPServer;
 import org.jivesoftware.openfire.keystore.CertificateStore;
 import org.jivesoftware.openfire.keystore.IdentityStore;
 import org.jivesoftware.openfire.spi.ConnectionConfiguration;
-import org.jivesoftware.openfire.spi.ConnectionManagerImpl;
 import org.jivesoftware.openfire.spi.ConnectionType;
 import org.jivesoftware.openfire.spi.EncryptionArtifactFactory;
 import org.jivesoftware.openfire.websocket.OpenfireWebSocketServlet;
@@ -477,7 +477,7 @@ private Connector createSSLConnector( final Server httpBindServer ) {
                     Log.warn("HTTP binding: Using certificates but they are not valid for the hosted domain");
                 }
 
-                final ConnectionManagerImpl connectionManager = ((ConnectionManagerImpl) XMPPServer.getInstance().getConnectionManager());
+                final ConnectionManager connectionManager = XMPPServer.getInstance().getConnectionManager();
                 final ConnectionConfiguration configuration = connectionManager.getListener( ConnectionType.BOSH_C2S, true ).generateConnectionConfiguration();
                 final SslContextFactory sslContextFactory = new EncryptionArtifactFactory(configuration).getSslContextFactory();
 
@@ -696,7 +696,7 @@ protected Handler createWebsocketHandler()
 
     // NOTE: enabled by default
     private boolean isHttpCompressionEnabled() {
-        final ConnectionManagerImpl connectionManager = ((ConnectionManagerImpl) XMPPServer.getInstance().getConnectionManager());
+        final ConnectionManager connectionManager = XMPPServer.getInstance().getConnectionManager();
         final ConnectionConfiguration configuration = connectionManager.getListener( ConnectionType.BOSH_C2S, true ).generateConnectionConfiguration();
         return configuration.getCompressionPolicy() == null || configuration.getCompressionPolicy().equals( Connection.CompressionPolicy.optional );
     }

xmppserver/src/main/java/org/jivesoftware/openfire/http/HttpSession.java

@@ -22,18 +22,14 @@
 import org.dom4j.Namespace;
 import org.dom4j.QName;
 import org.dom4j.io.XMPPPacketReader;
-import org.jivesoftware.openfire.PacketDeliverer;
-import org.jivesoftware.openfire.SessionPacketRouter;
-import org.jivesoftware.openfire.StreamID;
-import org.jivesoftware.openfire.XMPPServer;
+import org.jivesoftware.openfire.*;
 import org.jivesoftware.openfire.auth.UnauthorizedException;
 import org.jivesoftware.openfire.multiplex.UnknownStanzaException;
 import org.jivesoftware.openfire.net.MXParser;
 import org.jivesoftware.openfire.net.SASLAuthentication;
 import org.jivesoftware.openfire.net.VirtualConnection;
 import org.jivesoftware.openfire.session.LocalClientSession;
 import org.jivesoftware.openfire.spi.ConnectionConfiguration;
-import org.jivesoftware.openfire.spi.ConnectionManagerImpl;
 import org.jivesoftware.openfire.spi.ConnectionType;
 import org.jivesoftware.util.JiveGlobals;
 import org.jivesoftware.util.SystemProperty;
@@ -1312,7 +1308,7 @@ public Optional<String> getCipherSuiteName() {
         @Override
         public ConnectionConfiguration getConfiguration() {
             if (configuration == null) {
-                final ConnectionManagerImpl connectionManager = ((ConnectionManagerImpl) XMPPServer.getInstance().getConnectionManager());
+                final ConnectionManager connectionManager = XMPPServer.getInstance().getConnectionManager();
                 configuration = connectionManager.getListener( connectionType, true ).generateConnectionConfiguration();
             }
             return configuration;