author | Bjørn Christian Seime <bjorncs@oath.com> | 2018-01-04 15:54:49 +0100 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@oath.com> | 2018-01-04 15:54:49 +0100 |
commit | 989d5df90b92ba3fd667c568cf61c047b6b74ad2 (patch) | |
tree | a5b603e825adc68171278328680f319f0b0eabed | |
parent | f5f5222460ff5a65ecd7c2da81fecc049a0faecc (diff) |
Use httpclient version matching zts-client
Also remove the HostnameVerifier adapter that is no longer needed.
3 files changed, 5 insertions, 49 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzIdentityVerifier.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzIdentityVerifier.java
index 6f8ebc4c5db..764ba9c2104 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzIdentityVerifier.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzIdentityVerifier.java
@@ -29,16 +29,12 @@ public class AthenzIdentityVerifier implements HostnameVerifier {
     public boolean verify(String hostname, SSLSession session) {
         try {
             X509Certificate cert = (X509Certificate) session.getPeerCertificates()[0];
-            return isTrusted(AthenzUtils.createAthenzIdentity(cert));
+            return allowedIdentities.contains(AthenzUtils.createAthenzIdentity(cert));
         } catch (SSLPeerUnverifiedException e) {
             log.log(Level.WARNING, "Unverified client: " + hostname);
             return false;
         }
     }
-    public boolean isTrusted(AthenzIdentity identity) {
-        return allowedIdentities.contains(identity);
-    }
-
 }
diff --git a/controller-server/pom.xml b/controller-server/pom.xml
index b033286b82a..989dda42641 100644
--- a/controller-server/pom.xml
+++ b/controller-server/pom.xml
@@ -110,7 +110,8 @@
         <dependency>
             <groupId>org.apache.httpcomponents</groupId>
-            <artifactId>httpcore</artifactId>
+            <artifactId>httpclient</artifactId>
+            <version>4.5.2</version>
         </dependency>
         <dependency>
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java
index 379e5c10847..3f8e177ac8a 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java
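Review bot: `verify` ignores the `hostname` argument except in the warning log — trust is decided solely by whether the Athenz identity derived from the peer's leaf certificate is in `allowedIdentities` — and the new `return` line should say so, because a reader expecting conventional hostname matching from a `HostnameVerifier` will otherwise misread it. Suggested comment above the `try`: `// Hostname is not matched against the certificate; the peer is trusted only if the Athenz identity in its leaf certificate is in allowedIdentities.` — whether that is the intended contract should be confirmed with the author and stated in the class Javadoc. It is also worth checking whether `AthenzUtils.createAthenzIdentity(cert)` can throw for a certificate whose subject carries no Athenz identity; only `SSLPeerUnverifiedException` is caught, so any other exception would propagate out of the verifier rather than return false (still fail-closed, but without the log line). The `"Unverified client: "` message is now misleading given that this verifier is installed on an outbound `HttpClientBuilder` in ConfigServerRestExecutorImpl, where the peer is the config server; `"Unverified peer: "` would be accurate.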
@@ -7,10 +7,8 @@ import com.google.inject.Inject;
 import com.yahoo.config.provision.Environment;
 import com.yahoo.io.IOUtils;
 import com.yahoo.jdisc.http.HttpRequest.Method;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzIdentity;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzIdentityVerifier;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzSslContextProvider;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzUtils;
 import com.yahoo.vespa.hosted.controller.api.integration.zone.ZoneId;
 import com.yahoo.vespa.hosted.controller.api.integration.zone.ZoneList;
 import com.yahoo.vespa.hosted.controller.api.integration.zone.ZoneRegistry;
@@ -23,19 +21,14 @@ import org.apache.http.client.methods.HttpPatch;
 import org.apache.http.client.methods.HttpPost;
 import org.apache.http.client.methods.HttpPut;
 import org.apache.http.client.methods.HttpRequestBase;
-import org.apache.http.conn.ssl.X509HostnameVerifier;
 import org.apache.http.entity.InputStreamEntity;
 import org.apache.http.impl.client.CloseableHttpClient;
 import org.apache.http.impl.client.HttpClientBuilder;
-import javax.net.ssl.SSLException;
-import javax.net.ssl.SSLSession;
-import javax.net.ssl.SSLSocket;
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.URI;
 import java.nio.charset.StandardCharsets;
-import java.security.cert.X509Certificate;
 import java.time.Duration;
 import java.util.ArrayList;
 import java.util.HashSet;
@@ -260,43 +253,9 @@ public class ConfigServerRestExecutorImpl implements ConfigServerRestExecutor {
                 ZoneId.from(proxyRequest.getEnvironment(), proxyRequest.getRegion()))));
         return HttpClientBuilder.create()
                 .setUserAgent("config-server-client")
-                .setSslcontext(sslContextProvider.get())
-                .setHostnameVerifier(new AthenzIdentityVerifierAdapter(hostnameVerifier))
+                .setSSLContext(sslContextProvider.get())
+                .setSSLHostnameVerifier(hostnameVerifier)
                 .setDefaultRequestConfig(config)
                 .build();
     }
-
-    private static class AthenzIdentityVerifierAdapter implements X509HostnameVerifier {
-
-        private final AthenzIdentityVerifier verifier;
-
-        AthenzIdentityVerifierAdapter(AthenzIdentityVerifier verifier) {
-            this.verifier = verifier;
-        }
-
-        @Override
-        public boolean verify(String hostname, SSLSession sslSession) {
-            return verifier.verify(hostname, sslSession);
-        }
-
-        @Override
-        public void verify(String host, SSLSocket ssl) { /* All sockets accepted */}
-
-        @Override
-        public void verify(String hostname, X509Certificate certificate) throws SSLException {
-            AthenzIdentity identity = AthenzUtils.createAthenzIdentity(certificate);
-            if (!verifier.isTrusted(identity)) {
-                throw new SSLException("Athenz identity is not trusted: " + identity.getFullName());
-            }
-        }
-
-        @Override
-        public void verify(String hostname, String[] cns, String[] subjectAlts) throws SSLException {
-            AthenzIdentity identity = AthenzUtils.createAthenzIdentity(cns[0]);
-            if (!verifier.isTrusted(identity)) {
-                throw new SSLException("Athenz identity is not trusted: " + identity.getFullName());
-            }
-        }
-    }
-
 }
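Review bot: The two added builder calls carry the security-relevant decision of this change and need a comment: handing `hostnameVerifier` to `setSSLHostnameVerifier` means the config server is authenticated by its Athenz identity instead of by matching its certificate against the hostname, and that only holds because this builder method (introduced in HttpClient 4.4) invokes `javax.net.ssl.HostnameVerifier.verify(String, SSLSession)`, the one overload `AthenzIdentityVerifier` implements — hence the explicit `httpclient` 4.5.2 pin in pom.xml. Suggested comment above `.setSSLHostnameVerifier(hostnameVerifier)`: `// Peer is authenticated by its Athenz identity (AthenzIdentityVerifier), not by hostname matching; needs httpclient >= 4.4 so that verify(String, SSLSession) is the overload the handshake actually calls.` In the removed adapter, `verify(String, SSLSocket)` was a no-op marked `All sockets accepted`; if the older client invoked that overload during the handshake, the identity check may not have been enforced before this commit, which is worth recording in the commit message as a behaviour change rather than only "no longer needed". The enclosing method begins outside the hunk — the `ZoneId.from(...)` line is the tail of the statement that builds `hostnameVerifier` — so neither how `allowedIdentities` is populated nor whether the `CloseableHttpClient` from `build()` is closed is visible here.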