author | Bjørn Christian Seime <bjorn.christian@seime.no> | 2018-09-26 15:00:15 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-09-26 15:00:15 +0200 |
commit | fd7ad12f8ca32c2dda024383822935fac2ff7e67 (patch) | |
tree | 5648d747655f59c084db489d0a09a406dc49c277 | |
parent | 3a6ec425d48dc06cb6455fb3ae4eac9d10a7c37f (diff) | |
parent | 6a6f80b206b45fe7fcacb04bfd119dfab33ff25c (diff) |
Merge pull request #7101 from vespa-engine/bjorncs/tls
Introduce insecure mixed mode + move env var logic to separate class
-rw-r--r-- | jrt/src/com/yahoo/jrt/CryptoEngine.java | 24 | ||||
-rw-r--r-- | vespajlib/src/main/java/com/yahoo/security/tls/TransportSecurityUtils.java | 66 |
2 files changed, 83 insertions, 7 deletions
diff --git a/jrt/src/com/yahoo/jrt/CryptoEngine.java b/jrt/src/com/yahoo/jrt/CryptoEngine.java
index 2ef936ec7ed..c27aba73873 100644
--- a/jrt/src/com/yahoo/jrt/CryptoEngine.java
+++ b/jrt/src/com/yahoo/jrt/CryptoEngine.java
@@ -2,10 +2,10 @@ package com.yahoo.jrt;
-import com.yahoo.security.tls.TransportSecurityOptions;
+import com.yahoo.security.tls.TransportSecurityUtils;
+import com.yahoo.security.tls.TransportSecurityUtils.MixedMode;
 import java.nio.channels.SocketChannel;
-import java.nio.file.Paths;
 /**
@@ -16,12 +16,22 @@ import java.nio.file.Paths;
 **/
 public interface CryptoEngine {
 public CryptoSocket createCryptoSocket(SocketChannel channel, boolean isServer);
- static public CryptoEngine createDefault() { // TODO Move this logic to a dedicated factory class
- String tlsConfigParameter = System.getenv("VESPA_TLS_CONFIG_FILE");
- if (tlsConfigParameter != null && !tlsConfigParameter.isEmpty()) {
- return new TlsCryptoEngine(TransportSecurityOptions.fromJsonFile(Paths.get(tlsConfigParameter)));
- } else {
+ static public CryptoEngine createDefault() {
+ if (!TransportSecurityUtils.isTransportSecurityEnabled()) {
 return new NullCryptoEngine();
 }
+ TlsCryptoEngine tlsCryptoEngine = new TlsCryptoEngine(TransportSecurityUtils.getOptions().get());
+ if (!TransportSecurityUtils.isInsecureMixedModeEnabled()) {
+ return tlsCryptoEngine;
+ }
+ MixedMode mixedMode = TransportSecurityUtils.getInsecureMixedMode().get();
+ switch (mixedMode) {
+ case PLAINTEXT_CLIENT_MIXED_SERVER:
+ return new MaybeTlsCryptoEngine(tlsCryptoEngine, false);
+ case TLS_CLIENT_MIXED_SERVER:
+ return new MaybeTlsCryptoEngine(tlsCryptoEngine, true);
+ default:
+ throw new IllegalArgumentException(mixedMode.toString());
+ }
 }
 }
diff --git a/vespajlib/src/main/java/com/yahoo/security/tls/TransportSecurityUtils.java b/vespajlib/src/main/java/com/yahoo/security/tls/TransportSecurityUtils.java
new file mode 100644
index 00000000000..5595d33a9b5
--- /dev/null 
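Review bot: `TransportSecurityUtils.getOptions().get()` and `TransportSecurityUtils.getInsecureMixedMode().get()` in `createDefault()` are unchecked `Optional.get()` calls whose safety rests on the separate `isTransportSecurityEnabled()`/`isInsecureMixedModeEnabled()` checks a few lines earlier, so a reader has to cross-reference two lookups of the same environment variable to see that no `NoSuchElementException` can escape. Chaining the lookup keeps guard and value in one expression, e.g. `TlsCryptoEngine tlsCryptoEngine = new TlsCryptoEngine(TransportSecurityUtils.getOptions().orElseThrow(() -> new IllegalStateException("Transport security enabled but no options available")));`. The `false`/`true` arguments to `MaybeTlsCryptoEngine` say nothing at the call site; since either mixed mode is a deliberate weakening of transport security, a comment on each `case` stating which side this engine keeps in plaintext, and a one-line Javadoc on `createDefault()` noting that the mixed modes are opt-in via `VESPA_TLS_INSECURE_MIXED_MODE`, would make the downgrade visible to the next reader. What the boolean actually selects is not visible in this hunk, so the wording should be confirmed against `MaybeTlsCryptoEngine`.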
+++ b/vespajlib/src/main/java/com/yahoo/security/tls/TransportSecurityUtils.java 
@@ -0,0 +1,66 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.security.tls;
+
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.util.Arrays;
+import java.util.Optional;
+
+/**
+ * Utility class for retrieving {@link TransportSecurityOptions} from the system.
+ *
+ * @author bjorncs
+ */
+public class TransportSecurityUtils {
+
+ public static final String CONFIG_FILE_ENVIRONMENT_VARIABLE = "VESPA_TLS_CONFIG_FILE";
+ public static final String INSECURE_MIXED_MODE_ENVIRONMENT_VARIABLE = "VESPA_TLS_INSECURE_MIXED_MODE";
+
+ public enum MixedMode {
+ PLAINTEXT_CLIENT_MIXED_SERVER("plaintext_client_mixed_server"),
+ TLS_CLIENT_MIXED_SERVER("tls_client_mixed_server");
+
+ final String configValue;
+
+ MixedMode(String configValue) {
+ this.configValue = configValue;
+ }
+
+ static MixedMode fromConfigValue(String configValue) {
+ return Arrays.stream(values())
+ .filter(v -> v.configValue.equals(configValue))
+ .findFirst()
+ .orElseThrow(() -> new IllegalArgumentException("Unknown value: " + configValue));
+ }
+ }
+
+ private TransportSecurityUtils() {}
+
+ public static boolean isTransportSecurityEnabled() {
+ return getConfigFile().isPresent();
+ }
+
+ public static boolean isInsecureMixedModeEnabled() {
+ return getInsecureMixedMode().isPresent();
+ }
+
+ public static Optional<MixedMode> getInsecureMixedMode() {
+ if (!isTransportSecurityEnabled()) return Optional.empty();
+ return getEnvironmentVariable(INSECURE_MIXED_MODE_ENVIRONMENT_VARIABLE)
+ .map(MixedMode::fromConfigValue);
+ }
+
+ public static Optional<Path> getConfigFile() {
+ return getEnvironmentVariable(CONFIG_FILE_ENVIRONMENT_VARIABLE).map(Paths::get);
+ }
+
+ public static Optional<TransportSecurityOptions> getOptions() {
+ return getConfigFile()
+ .map(TransportSecurityOptions::fromJsonFile);
+ }
+
+ private static Optional<String> getEnvironmentVariable(String environmentVariable) {
+ return Optional.ofNullable(System.getenv(environmentVariable))
+ .filter(var -> !var.isEmpty());
+ }
+} |
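Review bot: `getInsecureMixedMode()` returns `Optional.empty()` whenever `VESPA_TLS_CONFIG_FILE` is unset, even if `VESPA_TLS_INSECURE_MIXED_MODE` is set, so a host that has the mixed-mode variable but is missing the config file is treated as plain "TLS off" rather than as misconfigured, and none of the public methods carry Javadoc saying so. Document the precedence on `getInsecureMixedMode`, for example `/** Mixed mode is only honoured when transport security is enabled (config file set); an unrecognised value fails fast with IllegalArgumentException. */`, and if this module has a logger (none is visible in the hunk) a warning in the early-return branch would surface the mismatch. `fromConfigValue` matching the exact lower-case string and throwing on anything else is the right fail-closed behaviour and deserves a sentence in the enum's Javadoc. Separately, `getEnvironmentVariable` rejects only the empty string, so a whitespace-only value passes through to `Paths::get` and `Paths.get` can also throw `InvalidPathException` on malformed input; `.filter(var -> !var.trim().isEmpty())` would reject blank values at the same place.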