authorBjørn Christian Seime <bjorn.christian@seime.no>2018-09-26 15:00:15 +0200
committerGitHub <noreply@github.com>2018-09-26 15:00:15 +0200
commitfd7ad12f8ca32c2dda024383822935fac2ff7e67 (patch)
tree5648d747655f59c084db489d0a09a406dc49c277
parent3a6ec425d48dc06cb6455fb3ae4eac9d10a7c37f (diff)
parent6a6f80b206b45fe7fcacb04bfd119dfab33ff25c (diff)
Merge pull request #7101 from vespa-engine/bjorncs/tls
Introduce insecure mixed mode + move env var logic to separate class
-rw-r--r--jrt/src/com/yahoo/jrt/CryptoEngine.java24
-rw-r--r--vespajlib/src/main/java/com/yahoo/security/tls/TransportSecurityUtils.java66
2 files changed, 83 insertions, 7 deletions
diff --git a/jrt/src/com/yahoo/jrt/CryptoEngine.java b/jrt/src/com/yahoo/jrt/CryptoEngine.java
index 2ef936ec7ed..c27aba73873 100644
--- a/jrt/src/com/yahoo/jrt/CryptoEngine.java
+++ b/jrt/src/com/yahoo/jrt/CryptoEngine.java
@@ -2,10 +2,10 @@
package com.yahoo.jrt;
-import com.yahoo.security.tls.TransportSecurityOptions;
+import com.yahoo.security.tls.TransportSecurityUtils;
+import com.yahoo.security.tls.TransportSecurityUtils.MixedMode;
import java.nio.channels.SocketChannel;
-import java.nio.file.Paths;
/**
@@ -16,12 +16,22 @@ import java.nio.file.Paths;
**/
public interface CryptoEngine {
public CryptoSocket createCryptoSocket(SocketChannel channel, boolean isServer);
- static public CryptoEngine createDefault() { // TODO Move this logic to a dedicated factory class
- String tlsConfigParameter = System.getenv("VESPA_TLS_CONFIG_FILE");
- if (tlsConfigParameter != null && !tlsConfigParameter.isEmpty()) {
- return new TlsCryptoEngine(TransportSecurityOptions.fromJsonFile(Paths.get(tlsConfigParameter)));
- } else {
+ static public CryptoEngine createDefault() {
+ if (!TransportSecurityUtils.isTransportSecurityEnabled()) {
return new NullCryptoEngine();
}
+ TlsCryptoEngine tlsCryptoEngine = new TlsCryptoEngine(TransportSecurityUtils.getOptions().get());
+ if (!TransportSecurityUtils.isInsecureMixedModeEnabled()) {
+ return tlsCryptoEngine;
+ }
+ MixedMode mixedMode = TransportSecurityUtils.getInsecureMixedMode().get();
+ switch (mixedMode) {
+ case PLAINTEXT_CLIENT_MIXED_SERVER:
+ return new MaybeTlsCryptoEngine(tlsCryptoEngine, false);
+ case TLS_CLIENT_MIXED_SERVER:
+ return new MaybeTlsCryptoEngine(tlsCryptoEngine, true);
+ default:
+ throw new IllegalArgumentException(mixedMode.toString());
+ }
}
}
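Review bot: `TransportSecurityUtils.getOptions().get()` just after the `isTransportSecurityEnabled()` guard, and `getInsecureMixedMode().get()` after the `isInsecureMixedModeEnabled()` guard, are unchecked `Optional.get()` calls whose safety rests on each helper re-reading the same environment variable as the guard did; if `getOptions()` ever starts validating or filtering, the guard no longer implies presence and the failure is a bare `NoSuchElementException`. Prefer `TransportSecurityUtils.getOptions().orElseThrow(() -> new IllegalStateException("Transport security enabled but options could not be loaded"))` and the equivalent for the mixed mode. Because the two `MaybeTlsCryptoEngine` branches decide whether non-TLS connections are tolerated, logging which engine `createDefault()` selected at startup would let operators confirm the effective setting; no logger is visible in this interface, so that may need to live in the callers or the engine constructors. The `default` branch throwing `IllegalArgumentException` is fine, but its message would read better as `"Unsupported mixed mode: " + mixedMode`.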
diff --git a/vespajlib/src/main/java/com/yahoo/security/tls/TransportSecurityUtils.java b/vespajlib/src/main/java/com/yahoo/security/tls/TransportSecurityUtils.java
new file mode 100644
index 00000000000..5595d33a9b5
--- /dev/null
+++ b/vespajlib/src/main/java/com/yahoo/security/tls/TransportSecurityUtils.java
@@ -0,0 +1,66 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.security.tls;
+
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.util.Arrays;
+import java.util.Optional;
+
+/**
+ * Utility class for retrieving {@link TransportSecurityOptions} from the system.
+ *
+ * @author bjorncs
+ */
+public class TransportSecurityUtils {
+
+ public static final String CONFIG_FILE_ENVIRONMENT_VARIABLE = "VESPA_TLS_CONFIG_FILE";
+ public static final String INSECURE_MIXED_MODE_ENVIRONMENT_VARIABLE = "VESPA_TLS_INSECURE_MIXED_MODE";
+
+ public enum MixedMode {
+ PLAINTEXT_CLIENT_MIXED_SERVER("plaintext_client_mixed_server"),
+ TLS_CLIENT_MIXED_SERVER("tls_client_mixed_server");
+
+ final String configValue;
+
+ MixedMode(String configValue) {
+ this.configValue = configValue;
+ }
+
+ static MixedMode fromConfigValue(String configValue) {
+ return Arrays.stream(values())
+ .filter(v -> v.configValue.equals(configValue))
+ .findFirst()
+ .orElseThrow(() -> new IllegalArgumentException("Unknown value: " + configValue));
+ }
+ }
+
+ private TransportSecurityUtils() {}
+
+ public static boolean isTransportSecurityEnabled() {
+ return getConfigFile().isPresent();
+ }
+
+ public static boolean isInsecureMixedModeEnabled() {
+ return getInsecureMixedMode().isPresent();
+ }
+
+ public static Optional<MixedMode> getInsecureMixedMode() {
+ if (!isTransportSecurityEnabled()) return Optional.empty();
+ return getEnvironmentVariable(INSECURE_MIXED_MODE_ENVIRONMENT_VARIABLE)
+ .map(MixedMode::fromConfigValue);
+ }
+
+ public static Optional<Path> getConfigFile() {
+ return getEnvironmentVariable(CONFIG_FILE_ENVIRONMENT_VARIABLE).map(Paths::get);
+ }
+
+ public static Optional<TransportSecurityOptions> getOptions() {
+ return getConfigFile()
+ .map(TransportSecurityOptions::fromJsonFile);
+ }
+
+ private static Optional<String> getEnvironmentVariable(String environmentVariable) {
+ return Optional.ofNullable(System.getenv(environmentVariable))
+ .filter(var -> !var.isEmpty());
+ }
+}
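Review bot: `MixedMode.fromConfigValue` throws `IllegalArgumentException("Unknown value: " + configValue)` without naming the environment variable or the accepted values, so a misspelled `VESPA_TLS_INSECURE_MIXED_MODE` surfaces as an unexplained failure out of `getInsecureMixedMode()`; `"Unknown value '" + configValue + "' for " + INSECURE_MIXED_MODE_ENVIRONMENT_VARIABLE + ", expected one of " + Arrays.toString(values())` gives the operator what they need. The `configValue` field is package-private for no visible reason and could be `private final`. The public entry points and the `MixedMode` enum carry no Javadoc; the enum in particular should state that, as the constant names suggest, both modes let the server side accept non-TLS peers and that the setting is a migration aid that weakens transport security, so callers understand what they are enabling. `getEnvironmentVariable` treats only an empty string as unset; if a whitespace-only value should also count as unset, filter with `!var.trim().isEmpty()` instead of `!var.isEmpty()`.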