diff options
author | Bjørn Christian Seime <bjorn.christian@seime.no> | 2018-09-12 12:15:25 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-09-12 12:15:25 +0200 |
commit | c65822c82b71dfbcd49fc403d3a503914e044de3 (patch) | |
tree | d5693fd58bca2367ae053293e6e05717c209945d | |
parent | 9f404a93ef9a986c1ef8afb2f05630d97f3dccf5 (diff) | |
parent | 3ac0420f32e9841bd53705603ab7f9a67a8c8700 (diff) |
Merge pull request #6920 from vespa-engine/bjorncs/ssl-cleanup
Remove SslKeyStoreConfigurator/SslTrustStoreConfigurator concept
17 files changed, 105 insertions, 491 deletions
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ConnectorFactory.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ConnectorFactory.java index 8bfd0b1e4da..1365eb43a30 100644 --- a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ConnectorFactory.java +++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ConnectorFactory.java @@ -4,16 +4,12 @@ package com.yahoo.vespa.model.container.http; import com.yahoo.component.ComponentId; import com.yahoo.container.bundle.BundleInstantiationSpecification; import com.yahoo.jdisc.http.ConnectorConfig; -import com.yahoo.jdisc.http.ssl.DefaultSslKeyStoreConfigurator; -import com.yahoo.jdisc.http.ssl.DefaultSslTrustStoreConfigurator; import com.yahoo.osgi.provider.model.ComponentModel; import com.yahoo.text.XML; import com.yahoo.vespa.model.container.component.SimpleComponent; import com.yahoo.vespa.model.container.http.ssl.DummySslProvider; import org.w3c.dom.Element; -import java.util.Optional; - import static com.yahoo.component.ComponentSpecification.fromString; import static com.yahoo.jdisc.http.ConnectorConfig.Ssl.KeyStoreType; @@ -29,14 +25,12 @@ public class ConnectorFactory extends SimpleComponent implements ConnectorConfig private final Element legacyConfig; public ConnectorFactory(String name, int listenPort) { - this(name, listenPort, null, null, null, new DummySslProvider(name)); + this(name, listenPort, null, new DummySslProvider(name)); } public ConnectorFactory(String name, int listenPort, Element legacyConfig, - Element sslKeystoreConfigurator, - Element sslTruststoreConfigurator, SimpleComponent sslProviderComponent) { super(new ComponentModel( new BundleInstantiationSpecification(new ComponentId(name), @@ -47,8 +41,6 @@ public class ConnectorFactory extends SimpleComponent implements ConnectorConfig this.legacyConfig = legacyConfig; addChild(sslProviderComponent); inject(sslProviderComponent); - addSslKeyStoreConfigurator(name, sslKeystoreConfigurator); - addSslTrustStoreConfigurator(name, sslTruststoreConfigurator); } @Override @@ -159,30 +151,4 @@ public class ConnectorFactory extends SimpleComponent implements ConnectorConfig } } } - - - private void addSslKeyStoreConfigurator(String name, Element sslKeystoreConfigurator) { - addSslConfigurator("ssl-keystore-configurator@" + name, - DefaultSslKeyStoreConfigurator.class, - sslKeystoreConfigurator); - } - - private void addSslTrustStoreConfigurator(String name, Element sslKeystoreConfigurator) { - addSslConfigurator("ssl-truststore-configurator@" + name, - DefaultSslTrustStoreConfigurator.class, - sslKeystoreConfigurator); - } - - private void addSslConfigurator(String idSpec, Class<?> defaultImplementation, Element configuratorElement) { - SimpleComponent configuratorComponent; - if (configuratorElement != null) { - String className = configuratorElement.getAttribute("class"); - String bundleName = configuratorElement.getAttribute("bundle"); - configuratorComponent = new SimpleComponent(new ComponentModel(idSpec, className, bundleName)); - } else { - configuratorComponent = new SimpleComponent(new ComponentModel(idSpec, defaultImplementation.getName(), "jdisc_http_service")); - } - addChild(configuratorComponent); - inject(configuratorComponent); - } } diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/xml/JettyConnectorBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/xml/JettyConnectorBuilder.java index 6061ce45ce4..91cf25002e6 100644 --- a/config-model/src/main/java/com/yahoo/vespa/model/container/http/xml/JettyConnectorBuilder.java +++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/xml/JettyConnectorBuilder.java @@ -38,10 +38,8 @@ public class JettyConnectorBuilder extends VespaDomBuilder.DomConfigProducerBuil legacyServerConfig = null; } } - Element sslKeystoreConfigurator = XML.getChild(serverSpec, "ssl-keystore-configurator"); - Element sslTruststoreConfigurator = XML.getChild(serverSpec, "ssl-truststore-configurator"); SimpleComponent sslProviderComponent = getSslConfigComponents(name, serverSpec); - return new ConnectorFactory(name, port, legacyServerConfig, sslKeystoreConfigurator, sslTruststoreConfigurator, sslProviderComponent); + return new ConnectorFactory(name, port, legacyServerConfig, sslProviderComponent); } SimpleComponent getSslConfigComponents(String serverName, Element serverSpec) { diff --git a/config-model/src/main/resources/schema/containercluster.rnc b/config-model/src/main/resources/schema/containercluster.rnc index 991bd13f4a0..4934ce113bb 100644 --- a/config-model/src/main/resources/schema/containercluster.rnc +++ b/config-model/src/main/resources/schema/containercluster.rnc @@ -64,8 +64,6 @@ HttpServer = element server { attribute port { xsd:nonNegativeInteger } & ComponentId & (Ssl | SslProvider)? & - element ssl-keystore-configurator { BundleSpec }? & # FOR INTERNAL USE ONLY - SUBJECT TO CHANGE - element ssl-truststore-configurator { BundleSpec }? & # FOR INTERNAL USE ONLY - SUBJECT TO CHANGE GenericConfig* } diff --git a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/JettyContainerModelBuilderTest.java b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/JettyContainerModelBuilderTest.java index ff50acce3f0..1815befab88 100644 --- a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/JettyContainerModelBuilderTest.java +++ b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/JettyContainerModelBuilderTest.java @@ -3,30 +3,21 @@ package com.yahoo.vespa.model.container.xml; import com.yahoo.config.model.builder.xml.test.DomBuilderTest; import com.yahoo.container.ComponentsConfig; -import com.yahoo.container.bundle.BundleInstantiationSpecification; import com.yahoo.container.jdisc.FilterBindingsProvider; import com.yahoo.jdisc.http.ConnectorConfig; -import com.yahoo.jdisc.http.ssl.DefaultSslKeyStoreConfigurator; -import com.yahoo.jdisc.http.ssl.DefaultSslTrustStoreConfigurator; import com.yahoo.vespa.model.container.ContainerCluster; import com.yahoo.vespa.model.container.component.SimpleComponent; import com.yahoo.vespa.model.container.http.ConnectorFactory; import com.yahoo.vespa.model.container.http.JettyHttpServer; - import com.yahoo.vespa.model.container.http.ssl.DefaultSslProvider; import org.junit.Test; import org.w3c.dom.Element; -import org.xml.sax.SAXException; -import java.io.IOException; -import java.util.Arrays; import java.util.List; import java.util.Optional; -import java.util.Set; import static com.yahoo.jdisc.http.ConnectorConfig.Ssl.KeyStoreType; import static org.hamcrest.CoreMatchers.equalTo; -import static org.hamcrest.CoreMatchers.hasItem; import static org.hamcrest.CoreMatchers.is; import static org.hamcrest.CoreMatchers.not; import static org.hamcrest.CoreMatchers.nullValue; @@ -197,44 +188,6 @@ public class JettyContainerModelBuilderTest extends ContainerModelBuilderTestBas } @Test - public void ssl_keystore_and_truststore_configurator_can_be_overriden() throws IOException, SAXException { - Element clusterElem = DomBuilderTest.parse( - "<jdisc id='default' version='1.0' jetty='true'>", - " <http>", - " <server port='9000' id='foo'>", - " <ssl-keystore-configurator class='com.yahoo.MySslKeyStoreConfigurator' bundle='mybundle'/>", - " <ssl-truststore-configurator class='com.yahoo.MySslTrustStoreConfigurator' bundle='mybundle'/>", - " </server>", - " <server port='9001' id='bar'/>", - " </http>", - nodesXml, - "</jdisc>"); - createModel(root, clusterElem); - ContainerCluster cluster = (ContainerCluster) root.getChildren().get("default"); - List<ConnectorFactory> connectorFactories = cluster.getChildrenByTypeRecursive(ConnectorFactory.class); - { - ConnectorFactory firstConnector = connectorFactories.get(0); - assertConnectorHasInjectedComponents(firstConnector, "ssl-keystore-configurator@foo", "ssl-truststore-configurator@foo", "dummy-ssl-provider@foo"); - assertComponentHasClassNameAndBundle(getChildComponent(firstConnector, 0), - "com.yahoo.MySslKeyStoreConfigurator", - "mybundle"); - assertComponentHasClassNameAndBundle(getChildComponent(firstConnector, 1), - "com.yahoo.MySslTrustStoreConfigurator", - "mybundle"); - } - { - ConnectorFactory secondConnector = connectorFactories.get(1); - assertConnectorHasInjectedComponents(secondConnector, "ssl-keystore-configurator@bar", "ssl-truststore-configurator@bar", "dummy-ssl-provider@bar"); - assertComponentHasClassNameAndBundle(getChildComponent(secondConnector, 0), - DefaultSslKeyStoreConfigurator.class.getName(), - "jdisc_http_service"); - assertComponentHasClassNameAndBundle(getChildComponent(secondConnector, 1), - DefaultSslTrustStoreConfigurator.class.getName(), - "jdisc_http_service"); - } - } - - @Test public void verify_that_ssl_element_generates_connector_config_and_inject_provider_component() { Element clusterElem = DomBuilderTest.parse( "<jdisc id='default' version='1.0' jetty='true'>", @@ -315,25 +268,6 @@ public class JettyContainerModelBuilderTest extends ContainerModelBuilderTestBas assertChildComponentExists(connectorFactory, "com.yahoo.CustomSslProvider"); } - private static void assertConnectorHasInjectedComponents(ConnectorFactory connectorFactory, String... componentNames) { - Set<String> injectedComponentIds = connectorFactory.getInjectedComponentIds(); - assertThat(injectedComponentIds.size(), equalTo(componentNames.length)); - Arrays.stream(componentNames) - .forEach(name -> assertThat(injectedComponentIds, hasItem(name))); - } - - private static SimpleComponent getChildComponent(ConnectorFactory connectorFactory, int index) { - return connectorFactory.getChildrenByTypeRecursive(SimpleComponent.class).get(index); - } - - private static void assertComponentHasClassNameAndBundle(SimpleComponent simpleComponent, - String className, - String bundleName) { - BundleInstantiationSpecification spec = simpleComponent.model.bundleInstantiationSpec; - assertThat(spec.classId.toString(), is(className)); - assertThat(spec.bundle.toString(), is(bundleName)); - } - private static void assertChildComponentExists(ConnectorFactory connectorFactory, String className) { Optional<SimpleComponent> simpleComponent = connectorFactory.getChildren().values().stream() .map(z -> (SimpleComponent) z) diff --git a/config-model/src/test/schema-test-files/services.xml b/config-model/src/test/schema-test-files/services.xml index 21d6693720e..632abe68ab7 100644 --- a/config-model/src/test/schema-test-files/services.xml +++ b/config-model/src/test/schema-test-files/services.xml @@ -112,10 +112,7 @@ </request-chain> </filtering> - <server port="4080" id="myServer"> - <ssl-keystore-configurator class="com.yahoo.MySslKeyStoreConfigurator" bundle="mybundle" /> - <ssl-truststore-configurator class="com.yahoo.MySslTrustStoreConfigurator" bundle="mybundle" /> - </server> + <server port="4080" id="myServer"/> <server port="4081" id="anotherServer"> <config name="container.jdisc.config.http-server"> <maxChunkSize>9999</maxChunkSize> diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/AthenzTrustStoreConfigurator.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/AthenzTrustStoreConfigurator.java deleted file mode 100644 index e805332429b..00000000000 --- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/AthenzTrustStoreConfigurator.java +++ /dev/null @@ -1,39 +0,0 @@ -// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.vespa.hosted.controller.athenz.filter; - -import com.google.inject.Inject; -import com.yahoo.jdisc.http.ssl.SslTrustStoreConfigurator; -import com.yahoo.jdisc.http.ssl.SslTrustStoreContext; -import com.yahoo.security.KeyStoreBuilder; -import com.yahoo.security.KeyStoreType; -import com.yahoo.vespa.hosted.controller.athenz.config.AthenzConfig; - -import java.nio.file.Path; -import java.nio.file.Paths; -import java.security.KeyStore; - -/** - * Load trust store with Athenz CA certificates - * - * @author bjorncs - */ -public class AthenzTrustStoreConfigurator implements SslTrustStoreConfigurator { - - private final KeyStore trustStore; - - @Inject - public AthenzTrustStoreConfigurator(AthenzConfig config) { - this.trustStore = createTrustStore(Paths.get(config.athenzCaTrustStore())); - } - - private static KeyStore createTrustStore(Path trustStoreFile) { - return KeyStoreBuilder.withType(KeyStoreType.JKS) - .fromFile(trustStoreFile, "changeit".toCharArray()) - .build(); - } - - @Override - public void configure(SslTrustStoreContext context) { - context.updateTrustStore(trustStore); - } -} diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/DefaultSslContextFactoryProvider.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/DefaultSslContextFactoryProvider.java index 8799e781532..dd38bdd94f9 100644 --- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/DefaultSslContextFactoryProvider.java +++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/DefaultSslContextFactoryProvider.java @@ -3,6 +3,7 @@ package com.yahoo.jdisc.http.ssl; import com.yahoo.config.InnerNode; import com.yahoo.jdisc.http.ConnectorConfig; +import com.yahoo.jdisc.http.ssl.pem.PemSslKeyStore; import com.yahoo.security.KeyStoreBuilder; import com.yahoo.security.KeyStoreType; import com.yahoo.security.KeyUtils; @@ -12,6 +13,7 @@ import org.eclipse.jetty.util.ssl.SslContextFactory; import java.io.IOException; import java.io.UncheckedIOException; import java.nio.file.Files; +import java.nio.file.Path; import java.nio.file.Paths; import java.security.KeyStore; import java.security.PrivateKey; @@ -20,6 +22,7 @@ import java.util.Arrays; import java.util.List; import java.util.function.BiConsumer; import java.util.function.Function; +import java.util.logging.Logger; /** * JDisc's default implementation of {@link SslContextFactoryProvider} that uses the {@link ConnectorConfig} to construct a {@link SslContextFactory}. @@ -28,16 +31,17 @@ import java.util.function.Function; */ public class DefaultSslContextFactoryProvider implements SslContextFactoryProvider { + private static final Logger log = Logger.getLogger(DefaultSslContextFactoryProvider.class.getName()); + private final ConnectorConfig connectorConfig; - private final SslKeyStoreConfigurator sslKeyStoreConfigurator; - private final SslTrustStoreConfigurator sslTrustStoreConfigurator; + @SuppressWarnings("deprecation") + private final com.yahoo.jdisc.http.SecretStore secretStore; public DefaultSslContextFactoryProvider(ConnectorConfig connectorConfig, - SslKeyStoreConfigurator sslKeyStoreConfigurator, - SslTrustStoreConfigurator sslTrustStoreConfigurator) { + @SuppressWarnings("deprecation") com.yahoo.jdisc.http.SecretStore secretStore) { + validateConfig(connectorConfig.ssl()); this.connectorConfig = connectorConfig; - this.sslKeyStoreConfigurator = sslKeyStoreConfigurator; - this.sslTrustStoreConfigurator = sslTrustStoreConfigurator; + this.secretStore = secretStore; } @Override @@ -69,29 +73,100 @@ public class DefaultSslContextFactoryProvider implements SslContextFactoryProvid factory.setTrustStore(createTruststore(sslConfig)); } factory.setProtocol("TLS"); - } else { - // TODO Remove SslKeyStoreConfigurator / SslTrustStoreConfigurator - sslKeyStoreConfigurator.configure(new DefaultSslKeyStoreContext(factory)); - sslTrustStoreConfigurator.configure(new DefaultSslTrustStoreContext(factory)); - - // TODO Remove support for deprecated ssl connector config - if (!sslConfig.prng().isEmpty()) { - factory.setSecureRandomAlgorithm(sslConfig.prng()); + } else { // TODO Vespa 7: Remove support for deprecated ssl connector config + configureUsingDeprecatedConnectorConfig(sslConfig, factory); + } + return factory; + } + + private void configureUsingDeprecatedConnectorConfig(ConnectorConfig.Ssl sslConfig, SslContextFactory factory) { + switch (sslConfig.keyStoreType()) { + case JKS: + factory.setKeyStorePath(sslConfig.keyStorePath()); + factory.setKeyStoreType("JKS"); + factory.setKeyStorePassword(secretStore.getSecret(sslConfig.keyDbKey())); + break; + case PEM: + factory.setKeyStorePath(sslConfig.keyStorePath()); + factory.setKeyStore(createPemKeyStore(sslConfig.pemKeyStore())); + break; + } + + if (!sslConfig.trustStorePath().isEmpty()) { + factory.setTrustStorePath(sslConfig.trustStorePath()); + factory.setTrustStoreType(sslConfig.trustStoreType().toString()); + if (sslConfig.useTrustStorePassword()) { + factory.setTrustStorePassword(secretStore.getSecret(sslConfig.keyDbKey())); } + } + + if (!sslConfig.prng().isEmpty()) { + factory.setSecureRandomAlgorithm(sslConfig.prng()); + } - setStringArrayParameter( - factory, sslConfig.excludeProtocol(), ConnectorConfig.Ssl.ExcludeProtocol::name, SslContextFactory::setExcludeProtocols); - setStringArrayParameter( - factory, sslConfig.includeProtocol(), ConnectorConfig.Ssl.IncludeProtocol::name, SslContextFactory::setIncludeProtocols); - setStringArrayParameter( - factory, sslConfig.excludeCipherSuite(), ConnectorConfig.Ssl.ExcludeCipherSuite::name, SslContextFactory::setExcludeCipherSuites); - setStringArrayParameter( - factory, sslConfig.includeCipherSuite(), ConnectorConfig.Ssl.IncludeCipherSuite::name, SslContextFactory::setIncludeCipherSuites); + setStringArrayParameter( + factory, sslConfig.excludeProtocol(), ConnectorConfig.Ssl.ExcludeProtocol::name, SslContextFactory::setExcludeProtocols); + setStringArrayParameter( + factory, sslConfig.includeProtocol(), ConnectorConfig.Ssl.IncludeProtocol::name, SslContextFactory::setIncludeProtocols); + setStringArrayParameter( + factory, sslConfig.excludeCipherSuite(), ConnectorConfig.Ssl.ExcludeCipherSuite::name, SslContextFactory::setExcludeCipherSuites); + setStringArrayParameter( + factory, sslConfig.includeCipherSuite(), ConnectorConfig.Ssl.IncludeCipherSuite::name, SslContextFactory::setIncludeCipherSuites); + + factory.setKeyManagerFactoryAlgorithm(sslConfig.sslKeyManagerFactoryAlgorithm()); + factory.setProtocol(sslConfig.protocol()); + } - factory.setKeyManagerFactoryAlgorithm(sslConfig.sslKeyManagerFactoryAlgorithm()); - factory.setProtocol(sslConfig.protocol()); + private static void validateConfig(ConnectorConfig.Ssl config) { + if (!config.enabled()) return; + switch (config.keyStoreType()) { + case JKS: + validateJksConfig(config); + break; + case PEM: + validatePemConfig(config); + break; + } + if (!config.trustStorePath().isEmpty() && config.useTrustStorePassword() && config.keyDbKey().isEmpty()) { + throw new IllegalArgumentException("Missing password for JKS truststore"); + } + } + + private static void validateJksConfig(ConnectorConfig.Ssl ssl) { + if (!ssl.pemKeyStore().keyPath().isEmpty() || ! ssl.pemKeyStore().certificatePath().isEmpty()) { + throw new IllegalArgumentException("pemKeyStore attributes can not be set when keyStoreType is JKS."); + } + if (ssl.keyDbKey().isEmpty()) { + throw new IllegalArgumentException("Missing password for JKS keystore"); + } + } + + private static void validatePemConfig(ConnectorConfig.Ssl ssl) { + if (! ssl.keyStorePath().isEmpty()) { + throw new IllegalArgumentException("keyStorePath can not be set when keyStoreType is PEM"); + } + if (!ssl.keyDbKey().isEmpty()) { + // TODO Make an error once there are separate passwords for truststore and keystore + log.warning("Encrypted PEM key stores are not supported. Password is only applied to truststore"); + } + if (ssl.pemKeyStore().certificatePath().isEmpty()) { + throw new IllegalArgumentException("Missing certificate path."); + } + if (ssl.pemKeyStore().keyPath().isEmpty()) { + throw new IllegalArgumentException("Missing key path."); + } + } + + private static KeyStore createPemKeyStore(ConnectorConfig.Ssl.PemKeyStore pemKeyStore) { + try { + Path certificatePath = Paths.get(pemKeyStore.certificatePath()); + Path keyPath = Paths.get(pemKeyStore.keyPath()); + return new PemSslKeyStore(certificatePath, keyPath).loadJavaKeyStore(); + } catch (IOException e) { + throw new UncheckedIOException(e); + } catch (Exception e) { + throw new RuntimeException("Failed setting up key store for " + pemKeyStore.keyPath() + ", " + pemKeyStore.certificatePath(), e); } - return factory; } private static KeyStore createTruststore(ConnectorConfig.Ssl sslConfig) { diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/DefaultSslKeyStoreConfigurator.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/DefaultSslKeyStoreConfigurator.java deleted file mode 100644 index 1cf8997b465..00000000000 --- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/DefaultSslKeyStoreConfigurator.java +++ /dev/null @@ -1,96 +0,0 @@ -// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.jdisc.http.ssl; - -import com.google.inject.Inject; -import com.yahoo.jdisc.http.ConnectorConfig; -import com.yahoo.jdisc.http.ssl.pem.PemSslKeyStore; - -import java.io.IOException; -import java.io.UncheckedIOException; -import java.nio.file.Path; -import java.nio.file.Paths; -import java.security.KeyStore; -import java.util.logging.Logger; - -/** - * @author bjorncs - */ -public class DefaultSslKeyStoreConfigurator implements SslKeyStoreConfigurator { - - private static final Logger log = Logger.getLogger(DefaultSslKeyStoreConfigurator.class.getName()); - - @SuppressWarnings("deprecation") - private final com.yahoo.jdisc.http.SecretStore secretStore; - private final ConnectorConfig.Ssl config; - - @Inject - @SuppressWarnings("deprecation") - public DefaultSslKeyStoreConfigurator(ConnectorConfig config, com.yahoo.jdisc.http.SecretStore secretStore) { - validateConfig(config.ssl()); - this.secretStore = secretStore; - this.config = config.ssl(); - } - - private static void validateConfig(ConnectorConfig.Ssl config) { - if (!config.enabled()) return; - switch (config.keyStoreType()) { - case JKS: - validateJksConfig(config); - break; - case PEM: - validatePemConfig(config); - break; - } - } - - @Override - public void configure(SslKeyStoreContext context) { - if (!config.enabled()) return; - switch (config.keyStoreType()) { - case JKS: - context.updateKeyStore(config.keyStorePath(), "JKS", secretStore.getSecret(config.keyDbKey())); - break; - case PEM: - context.updateKeyStore(createPemKeyStore(config.pemKeyStore())); - break; - } - } - - private static void validateJksConfig(ConnectorConfig.Ssl ssl) { - if (!ssl.pemKeyStore().keyPath().isEmpty() || ! ssl.pemKeyStore().certificatePath().isEmpty()) { - throw new IllegalArgumentException("pemKeyStore attributes can not be set when keyStoreType is JKS."); - } - if (ssl.keyDbKey().isEmpty()) { - throw new IllegalArgumentException("Missing password for JKS keystore"); - } - } - - private static void validatePemConfig(ConnectorConfig.Ssl ssl) { - if (! ssl.keyStorePath().isEmpty()) { - throw new IllegalArgumentException("keyStorePath can not be set when keyStoreType is PEM"); - } - if (!ssl.keyDbKey().isEmpty()) { - // TODO Make an error once there are separate passwords for truststore and keystore - log.warning("Encrypted PEM key stores are not supported. Password is only applied to truststore"); - } - if (ssl.pemKeyStore().certificatePath().isEmpty()) { - throw new IllegalArgumentException("Missing certificate path."); - } - if (ssl.pemKeyStore().keyPath().isEmpty()) { - throw new IllegalArgumentException("Missing key path."); - } - } - - private static KeyStore createPemKeyStore(ConnectorConfig.Ssl.PemKeyStore pemKeyStore) { - try { - Path certificatePath = Paths.get(pemKeyStore.certificatePath()); - Path keyPath = Paths.get(pemKeyStore.keyPath()); - return new PemSslKeyStore(certificatePath, keyPath).loadJavaKeyStore(); - } catch (IOException e) { - throw new UncheckedIOException(e); - } catch (Exception e) { - throw new RuntimeException("Failed setting up key store for " + pemKeyStore.keyPath() + ", " + pemKeyStore.certificatePath(), e); - } - } - -} diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/DefaultSslKeyStoreContext.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/DefaultSslKeyStoreContext.java deleted file mode 100644 index 44a9c606576..00000000000 --- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/DefaultSslKeyStoreContext.java +++ /dev/null @@ -1,51 +0,0 @@ -// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.jdisc.http.ssl; - -import org.eclipse.jetty.util.ssl.SslContextFactory; - -import java.security.KeyStore; -import java.util.function.Consumer; - -/** - * @author bjorncs - */ -public class DefaultSslKeyStoreContext implements SslKeyStoreContext { - - private final SslContextFactory sslContextFactory; - - public DefaultSslKeyStoreContext(SslContextFactory sslContextFactory) { - this.sslContextFactory = sslContextFactory; - } - - @Override - public void updateKeyStore(KeyStore keyStore) { - updateKeyStore(keyStore, null); - } - - @Override - public void updateKeyStore(KeyStore keyStore, String password) { - updateKeyStore(sslContextFactory -> { - sslContextFactory.setKeyStore(keyStore); - if (password != null) { - sslContextFactory.setKeyStorePassword(password); - } - }); - } - - @Override - public void updateKeyStore(String keyStorePath, String keyStoreType, String keyStorePassword) { - updateKeyStore(sslContextFactory -> { - sslContextFactory.setKeyStorePath(keyStorePath); - sslContextFactory.setKeyStoreType(keyStoreType); - sslContextFactory.setKeyStorePassword(keyStorePassword); - }); - } - - private void updateKeyStore(Consumer<SslContextFactory> reloader) { - try { - sslContextFactory.reload(reloader); - } catch (Exception e) { - throw new RuntimeException("Could not update keystore: " + e.getMessage(), e); - } - } -} diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/DefaultSslTrustStoreConfigurator.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/DefaultSslTrustStoreConfigurator.java deleted file mode 100644 index 5a8c399e6ba..00000000000 --- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/DefaultSslTrustStoreConfigurator.java +++ /dev/null @@ -1,41 +0,0 @@ -// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.jdisc.http.ssl; - -import com.google.inject.Inject; -import com.yahoo.jdisc.http.ConnectorConfig; - -/** - * @author bjorncs - */ -public class DefaultSslTrustStoreConfigurator implements SslTrustStoreConfigurator { - - @SuppressWarnings("deprecation") - private final com.yahoo.jdisc.http.SecretStore secretStore; - private final ConnectorConfig.Ssl config; - - @Inject - @SuppressWarnings("deprecation") - public DefaultSslTrustStoreConfigurator(ConnectorConfig config, com.yahoo.jdisc.http.SecretStore secretStore) { - validateConfig(config.ssl()); - this.secretStore = secretStore; - this.config = config.ssl(); - } - - @Override - public void configure(SslTrustStoreContext context) { - if (!config.enabled()) return; - String keyDbPassword = config.keyDbKey(); - if (!config.trustStorePath().isEmpty()) { - String password = config.useTrustStorePassword() ? secretStore.getSecret(keyDbPassword) : null; - context.updateTrustStore(config.trustStorePath(), config.trustStoreType().toString(), password); - } - } - - private static void validateConfig(ConnectorConfig.Ssl config) { - if (!config.enabled()) return; - if (!config.trustStorePath().isEmpty() && config.useTrustStorePassword() && config.keyDbKey().isEmpty()) { - throw new IllegalArgumentException("Missing password for JKS truststore"); - } - } - -} diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/DefaultSslTrustStoreContext.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/DefaultSslTrustStoreContext.java deleted file mode 100644 index c2d91cca3ea..00000000000 --- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/DefaultSslTrustStoreContext.java +++ /dev/null @@ -1,54 +0,0 @@ -// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.jdisc.http.ssl; - -import org.eclipse.jetty.util.ssl.SslContextFactory; - -import java.security.KeyStore; -import java.util.function.Consumer; - -/** - * @author bjorncs - */ -public class DefaultSslTrustStoreContext implements SslTrustStoreContext { - - private final SslContextFactory sslContextFactory; - - public DefaultSslTrustStoreContext(SslContextFactory sslContextFactory) { - this.sslContextFactory = sslContextFactory; - } - - @Override - public void updateTrustStore(KeyStore trustStore) { - updateTrustStore(trustStore, null); - } - - @Override - public void updateTrustStore(KeyStore trustStore, String password) { - updateTrustStore(sslContextFactory -> { - sslContextFactory.setTrustStore(trustStore); - if (password != null) { - sslContextFactory.setTrustStorePassword(password); - } - }); - } - - @Override - public void updateTrustStore(String trustStorePath, String trustStoreType, String trustStorePassword) { - updateTrustStore(sslContextFactory -> { - sslContextFactory.setTrustStorePath(trustStorePath); - sslContextFactory.setTrustStoreType(trustStoreType); - if (trustStorePassword != null) { - sslContextFactory.setTrustStorePassword(trustStorePassword); - } - }); - } - - private void updateTrustStore(Consumer<SslContextFactory> reloader) { - try { - sslContextFactory.reload(reloader); - } catch (Exception e) { - throw new RuntimeException("Could not update truststore: " + e.getMessage(), e); - } - } - -} diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/SslKeyStoreConfigurator.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/SslKeyStoreConfigurator.java deleted file mode 100644 index 619f4a636ed..00000000000 --- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/SslKeyStoreConfigurator.java +++ /dev/null @@ -1,14 +0,0 @@ -// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.jdisc.http.ssl; - -/** - * An interface for an component that can configure an {@link SslKeyStoreContext}. The implementor can assume that - * the {@link SslKeyStoreContext} instance is thread-safe and be updated at any time - * during and after the call to{@link #configure(SslKeyStoreContext)}. - * Modifying the {@link SslKeyStoreContext} instance will trigger a hot reload of the keystore in JDisc. - * - * @author bjorncs - */ -public interface SslKeyStoreConfigurator { - void configure(SslKeyStoreContext context); -} diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/SslKeyStoreContext.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/SslKeyStoreContext.java deleted file mode 100644 index 2a25f6d78b5..00000000000 --- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/SslKeyStoreContext.java +++ /dev/null @@ -1,16 +0,0 @@ -// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.jdisc.http.ssl; - -import java.security.KeyStore; - -/** - * An interface to update the keystore in JDisc. Any update will trigger a hot reload and new connections will - * immediately see the new certificate chain. - * - * @author bjorncs - */ -public interface SslKeyStoreContext { - void updateKeyStore(KeyStore keyStore); - void updateKeyStore(KeyStore keyStore, String password); - void updateKeyStore(String keyStorePath, String keyStoreType, String keyStorePassword); -} diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/SslTrustStoreConfigurator.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/SslTrustStoreConfigurator.java deleted file mode 100644 index de1119a5275..00000000000 --- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/SslTrustStoreConfigurator.java +++ /dev/null @@ -1,14 +0,0 @@ -// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.jdisc.http.ssl; - -/** - * An interface for an component that can configure an {@link SslTrustStoreContext}. The implementor can assume that - * the {@link SslTrustStoreContext} instance is thread-safe and be updated at any time - * during and after the call to{@link #configure(SslTrustStoreContext)}. - * Modifying the {@link SslKeyStoreContext} instance will trigger a hot reload of the truststore in JDisc. - * - * @author bjorncs - */ -public interface SslTrustStoreConfigurator { - void configure(SslTrustStoreContext context); -} diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/SslTrustStoreContext.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/SslTrustStoreContext.java deleted file mode 100644 index fc8cf397b24..00000000000 --- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/SslTrustStoreContext.java +++ /dev/null @@ -1,16 +0,0 @@ -// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.jdisc.http.ssl; - -import java.security.KeyStore; - -/** - * An interface to update the truststore in JDisc. Any update will trigger a hot reload and new connections will - * authenticated using the update truststore. - * - * @author bjorncs - */ -public interface SslTrustStoreContext { - void updateTrustStore(KeyStore trustStore); - void updateTrustStore(KeyStore trustStore, String password); - void updateTrustStore(String trustStorePath, String trustStoreType, String trustStorePassword); -} diff --git a/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/guiceModules/ConnectorFactoryRegistryModule.java b/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/guiceModules/ConnectorFactoryRegistryModule.java index 5e586f5e59e..cb7d30af952 100644 --- a/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/guiceModules/ConnectorFactoryRegistryModule.java +++ b/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/guiceModules/ConnectorFactoryRegistryModule.java @@ -12,8 +12,6 @@ import com.yahoo.jdisc.http.ConnectorConfig.Builder; import com.yahoo.jdisc.http.server.jetty.ConnectorFactory; import com.yahoo.jdisc.http.server.jetty.TestDrivers; import com.yahoo.jdisc.http.ssl.DefaultSslContextFactoryProvider; -import com.yahoo.jdisc.http.ssl.DefaultSslKeyStoreConfigurator; -import com.yahoo.jdisc.http.ssl.DefaultSslTrustStoreConfigurator; /** * Guice module for test ConnectorFactories @@ -49,11 +47,7 @@ public class ConnectorFactoryRegistryModule implements Module { private static class StaticKeyDbConnectorFactory extends ConnectorFactory { public StaticKeyDbConnectorFactory(ConnectorConfig connectorConfig) { - super(connectorConfig, - new DefaultSslContextFactoryProvider( - connectorConfig, - new DefaultSslKeyStoreConfigurator(connectorConfig, new MockSecretStore()), - new DefaultSslTrustStoreConfigurator(connectorConfig, new MockSecretStore()))); + super(connectorConfig, new DefaultSslContextFactoryProvider(connectorConfig, new MockSecretStore())); } } diff --git a/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactoryTest.java b/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactoryTest.java index d504e8be288..b328e151f51 100644 --- a/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactoryTest.java +++ b/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactoryTest.java @@ -4,8 +4,6 @@ package com.yahoo.jdisc.http.server.jetty; import com.yahoo.jdisc.Metric; import com.yahoo.jdisc.http.ConnectorConfig; import com.yahoo.jdisc.http.ssl.DefaultSslContextFactoryProvider; -import com.yahoo.jdisc.http.ssl.DefaultSslKeyStoreConfigurator; -import com.yahoo.jdisc.http.ssl.DefaultSslTrustStoreConfigurator; import org.eclipse.jetty.server.Request; import org.eclipse.jetty.server.Server; import org.eclipse.jetty.server.handler.AbstractHandler; @@ -107,12 +105,7 @@ public class ConnectorFactoryTest { } private static ConnectorFactory createConnectorFactory(ConnectorConfig config) { - ThrowingSecretStore secretStore = new ThrowingSecretStore(); - return new ConnectorFactory(config, - new DefaultSslContextFactoryProvider( - config, - new DefaultSslKeyStoreConfigurator(config, secretStore), - new DefaultSslTrustStoreConfigurator(config, secretStore))); + return new ConnectorFactory(config, new DefaultSslContextFactoryProvider(config, new ThrowingSecretStore())); } private static class HelloWorldHandler extends AbstractHandler { |