author | Bjørn Christian Seime <bjorncs@yahooinc.com> | 2022-08-22 14:25:23 +0200 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@yahooinc.com> | 2022-09-02 09:57:51 +0200 |
commit | 5154fa106b4b8b442a76279bc8c145f27b041b17 (patch) | |
tree | 59210bcd460d2dce2f233d00c993b02522fba858 | |
parent | 36bead13fbbd0b3ce5c5a364b6f07ee1d3555b9b (diff) |
Inject NodeHostnameVerifier to HttpProxy
5 files changed, 58 insertions, 8 deletions
diff --git a/config-provisioning/src/main/java/com/yahoo/config/provision/security/NodeHostnameVerifier.java b/config-provisioning/src/main/java/com/yahoo/config/provision/security/NodeHostnameVerifier.java
new file mode 100644
index 00000000000..1d78bb74683
--- /dev/null
+++ b/config-provisioning/src/main/java/com/yahoo/config/provision/security/NodeHostnameVerifier.java
@@ -0,0 +1,11 @@
+// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.config.provision.security;
+
+import javax.net.ssl.SSLSession;
+
+/**
+ * @author bjorncs
+ */
+public interface NodeHostnameVerifier {
+ boolean verify(String hostname, SSLSession session);
+}
diff --git a/configserver/src/main/java/com/yahoo/vespa/config/server/application/HttpProxy.java b/configserver/src/main/java/com/yahoo/vespa/config/server/application/HttpProxy.java
index 06b57d8dac1..1168898d126 100644
--- a/configserver/src/main/java/com/yahoo/vespa/config/server/application/HttpProxy.java
+++ b/configserver/src/main/java/com/yahoo/vespa/config/server/application/HttpProxy.java
@@ -10,6 +10,7 @@ import com.yahoo.component.annotation.Inject;
 import com.yahoo.config.model.api.HostInfo;
 import com.yahoo.config.model.api.PortInfo;
 import com.yahoo.config.model.api.ServiceInfo;
+import com.yahoo.config.provision.security.NodeHostnameVerifier;
 import com.yahoo.container.jdisc.HttpResponse;
 import com.yahoo.vespa.config.server.http.HttpFetcher;
 import com.yahoo.vespa.config.server.http.HttpFetcher.Params;
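Review bot: `NodeHostnameVerifier.verify` in the new interface carries no documentation beyond `@author`, so what a `true` return means, and how this relates to the JDK's `javax.net.ssl.HostnameVerifier` (which has the same `verify(String, SSLSession)` shape), is left to the reader at the very point the abstraction is introduced. I would add a type-level Javadoc along the lines of `/** Verifies that the TLS peer behind {@code session} is the node expected at {@code hostname}; {@code true} accepts the peer for that hostname. */` plus `@param`/`@return` on `verify`. Whether implementations are consulted instead of, or in addition to, the HTTP client's default hostname verification is not visible here and is worth stating explicitly in that Javadoc.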
@@ -31,11 +32,9 @@ public class HttpProxy {
 private final HttpFetcher fetcher;
- @Inject
- public HttpProxy() { this(new SimpleHttpFetcher()); }
- public HttpProxy(HttpFetcher fetcher) {
- this.fetcher = fetcher;
- }
+ @Inject public HttpProxy(NodeHostnameVerifier verifier) { this(new SimpleHttpFetcher(verifier)); }
+
+ public HttpProxy(HttpFetcher fetcher) { this.fetcher = fetcher; }
 public HttpResponse get(Application application, String hostName, String serviceType, Path path, Query query) {
 return get(application, hostName, serviceType, path, query, null);
diff --git a/configserver/src/main/java/com/yahoo/vespa/config/server/http/SimpleHttpFetcher.java b/configserver/src/main/java/com/yahoo/vespa/config/server/http/SimpleHttpFetcher.java
index 724b9417dc1..a8dfe3700e7 100644
--- a/configserver/src/main/java/com/yahoo/vespa/config/server/http/SimpleHttpFetcher.java
+++ b/configserver/src/main/java/com/yahoo/vespa/config/server/http/SimpleHttpFetcher.java
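Review bot: The retained `HttpProxy(HttpFetcher fetcher)` constructor on the new side never sees the injected `NodeHostnameVerifier`, so a caller that supplies its own fetcher (for instance `new SimpleHttpFetcher()`, whose no-arg form in this same commit builds a client without the verifier) gets whatever hostname checking that fetcher performs on its own, with nothing in this class pointing that out. A one-line Javadoc on the second constructor would make the split explicit: `/** For callers supplying a pre-configured fetcher; TLS hostname verification is then that fetcher's responsibility. */`. Which constructor production wiring is meant to use is presumably the `@Inject` one, but that is inferred from the annotation rather than stated. The `HttpProxy` class body continues outside the hunk.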
@@ -2,26 +2,36 @@ package com.yahoo.vespa.config.server.http;
 import ai.vespa.util.http.hc5.VespaHttpClientBuilder;
+import com.yahoo.config.provision.security.NodeHostnameVerifier;
 import com.yahoo.container.jdisc.HttpResponse;
 import org.apache.hc.client5.http.classic.methods.HttpGet;
 import org.apache.hc.client5.http.config.RequestConfig;
 import org.apache.hc.client5.http.impl.classic.CloseableHttpClient;
 import org.apache.hc.client5.http.impl.classic.CloseableHttpResponse;
+import org.apache.hc.client5.http.impl.classic.HttpClientBuilder;
+import org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManager;
 import org.apache.hc.core5.http.HttpEntity;
 import org.apache.hc.core5.util.Timeout;
 import java.io.IOException;
 import java.net.SocketTimeoutException;
 import java.net.URI;
-import java.net.URISyntaxException;
-import java.net.URL;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 public class SimpleHttpFetcher implements HttpFetcher {
 private static final Logger logger = Logger.getLogger(SimpleHttpFetcher.class.getName());
- private final CloseableHttpClient client = VespaHttpClientBuilder.create().build();
+ private final CloseableHttpClient client;
+
+ public SimpleHttpFetcher() { this(null); }
+
+ public SimpleHttpFetcher(NodeHostnameVerifier verifier) {
+ HttpClientBuilder b = verifier != null
+ ? VespaHttpClientBuilder.create(PoolingHttpClientConnectionManager::new, verifier::verify)
+ : VespaHttpClientBuilder.create();
+ this.client = b.build();
+ }
 @Override
 public HttpResponse get(Params params, URI url) {
diff --git a/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/DummyNodeHostnameVerifierProvider.java b/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/DummyNodeHostnameVerifierProvider.java
new file mode 100644
index 00000000000..64b9dfcd714
--- /dev/null
+++ b/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/DummyNodeHostnameVerifierProvider.java
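Review bot: `SimpleHttpFetcher(NodeHostnameVerifier verifier)` uses `null` as a mode switch meaning "build the client without the verifier", and the no-arg constructor reaches the same path via `this(null)`, so a caller that passes a null verifier by mistake (a missing injection, an unset test stub) silently gets a client with the custom hostname check dropped instead of an error. A public constructor that accepts null as a valid argument also runs against the `Objects.requireNonNull` convention used for injected dependencies. I would have the no-arg constructor build the default client directly and make the verifier constructor reject null; both signatures and the behaviour for every caller passing a real verifier stay the same. This needs `import java.util.Objects;`, which is not in the visible import block, and leaves the newly added `HttpClientBuilder` import unused.
```java
public SimpleHttpFetcher() { this.client = VespaHttpClientBuilder.create().build(); }

public SimpleHttpFetcher(NodeHostnameVerifier verifier) {
    Objects.requireNonNull(verifier, "verifier");
    this.client = VespaHttpClientBuilder.create(PoolingHttpClientConnectionManager::new, verifier::verify).build();
}
// … unchanged: get(Params, URI) …
```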
@@ -0,0 +1,29 @@
+// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.config.server.rpc.security;
+
+import com.yahoo.component.annotation.Inject;
+import com.yahoo.config.provision.security.NodeHostnameVerifier;
+import com.yahoo.container.di.componentgraph.Provider;
+
+import javax.net.ssl.SSLSession;
+
+/**
+ * @author bjorncs
+ */
+public class DummyNodeHostnameVerifierProvider implements Provider<NodeHostnameVerifier> {
+
+ private final ThrowingNodeHostnameVerifier instance = new ThrowingNodeHostnameVerifier();
+
+ @Inject public DummyNodeHostnameVerifierProvider() {}
+
+ @Override public NodeHostnameVerifier get() { return instance; }
+
+ @Override public void deconstruct() {}
+
+ private static class ThrowingNodeHostnameVerifier implements NodeHostnameVerifier {
+ @Override
+ public boolean verify(String hostname, SSLSession session) {
+ throw new UnsupportedOperationException();
+ }
+ }
+}
diff --git a/configserver/src/main/resources/configserver-app/services.xml b/configserver/src/main/resources/configserver-app/services.xml
index 3536cfc7942..650176829e6 100644
--- a/configserver/src/main/resources/configserver-app/services.xml
+++ b/configserver/src/main/resources/configserver-app/services.xml
@@ -37,6 +37,7 @@
 <component id="com.yahoo.vespa.config.server.filedistribution.FileServer" bundle="configserver" />
 <component id="com.yahoo.vespa.config.server.rpc.RpcRequestHandlerProvider" bundle="configserver" />
 <component id="com.yahoo.vespa.config.server.rpc.security.DummyNodeIdentifierProvider" bundle="configserver" />
+ <component id="com.yahoo.vespa.config.server.rpc.security.DummyNodeHostnameVerifierProvider" bundle="configserver" />
 <component id="com.yahoo.vespa.config.server.rpc.security.DefaultRpcAuthorizerProvider" bundle="configserver" />
 <component id="com.yahoo.vespa.config.server.http.TesterClient" bundle="configserver" />
|
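Review bot: `ThrowingNodeHostnameVerifier.verify` throws a bare `UnsupportedOperationException` with no message, and the services.xml hunk in this same commit registers `DummyNodeHostnameVerifierProvider` as the `NodeHostnameVerifier` for the config server app, so every TLS connection made through `HttpProxy`'s injected `SimpleHttpFetcher` will now fail from inside the connect path with an exception that names neither the component nor the reason. Failing closed is the right placeholder behaviour, clearly preferable to a verifier that returns `true`, but the failure should be self-describing: `throw new UnsupportedOperationException("No NodeHostnameVerifier is configured for this config server; TLS hostname verification cannot be performed");`. If the `Dummy` prefix means this is a stand-in until a real provider is wired (inferred from the name, not stated), a class-level Javadoc saying so, and naming what is expected to replace it, would tell the next reader why a production component throws on every call.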