authorBjørn Christian Seime <bjorncs@verizonmedia.com>2019-12-05 17:11:49 +0100
committerBjørn Christian Seime <bjorncs@verizonmedia.com>2019-12-05 17:11:49 +0100
commit46dc5eb47d7f9ebb5bb8f950d966e40d9d656da7 (patch)
tree76826012202b7399268a27a1c87200036e2c4b5e
parent292bcb689af5faa739a5703f6add35cb229dcef6 (diff)
Allow configuration of PEM files in programmatic API
-rw-r--r--vespa-http-client/src/main/java/com/yahoo/vespa/http/client/config/ConnectionParams.java41
-rw-r--r--vespa-http-client/src/main/java/com/yahoo/vespa/http/client/config/Endpoint.java1
-rw-r--r--vespa-http-client/src/main/java/com/yahoo/vespa/http/client/core/communication/ApacheGatewayConnection.java14
-rw-r--r--vespa-http-client/src/main/java/com/yahoo/vespa/http/client/runner/CommandLineArguments.java21
4 files changed, 58 insertions, 19 deletions
diff --git a/vespa-http-client/src/main/java/com/yahoo/vespa/http/client/config/ConnectionParams.java b/vespa-http-client/src/main/java/com/yahoo/vespa/http/client/config/ConnectionParams.java
index ec9471e68ed..1accbd51ac7 100644
--- a/vespa-http-client/src/main/java/com/yahoo/vespa/http/client/config/ConnectionParams.java
+++ b/vespa-http-client/src/main/java/com/yahoo/vespa/http/client/config/ConnectionParams.java
@@ -8,6 +8,7 @@ import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
+import java.nio.file.Path;
import java.time.Duration;
import java.util.Collection;
import java.util.Collections;
@@ -46,6 +47,9 @@ public final class ConnectionParams {
private boolean printTraceToStdErr = true;
private boolean useTlsConfigFromEnvironment = false;
private Duration connectionTimeToLive = Duration.ofSeconds(15);
+ private Path privateKey;
+ private Path certificate;
+ private Path caCertificates;
/**
* Use TLS configuration through the standard Vespa environment variables.
@@ -81,6 +85,23 @@ public final class ConnectionParams {
}
/**
+ * Set path to private key and certificate files. Both the private key and certificate must be PEM-encoded.
+ */
+ public Builder setCertificateAndPrivateKey(Path privateKey, Path certificate) {
+ this.privateKey = privateKey;
+ this.certificate = certificate;
+ return this;
+ }
+
+ /**
+ * Set path a PEM file containing the CA certificates.
+ */
+ public Builder setCaCertificates(Path caCertificates) {
+ this.caCertificates = caCertificates;
+ return this;
+ }
+
+ /**
* Set custom headers to be used
*
* @param key header name
@@ -240,6 +261,9 @@ public final class ConnectionParams {
public ConnectionParams build() {
return new ConnectionParams(
sslContext,
+ privateKey,
+ certificate,
+ caCertificates,
hostnameVerifier,
headers,
headerProviders,
@@ -302,8 +326,14 @@ public final class ConnectionParams {
public Duration getConnectionTimeToLive() {
return connectionTimeToLive;
}
+ public Path getPrivateKey() { return privateKey; }
+ public Path getCertificate() { return certificate; }
+ public Path getCaCertificates() { return caCertificates; }
}
private final SSLContext sslContext;
+ private final Path privateKey;
+ private final Path certificate;
+ private final Path caCertificates;
private final HostnameVerifier hostnameVerifier;
private final Multimap<String, String> headers = ArrayListMultimap.create();
private final Map<String, HeaderProvider> headerProviders = new HashMap<>();
@@ -322,6 +352,7 @@ public final class ConnectionParams {
private ConnectionParams(
SSLContext sslContext,
+ Path privateKey, Path certificate, Path caCertificates,
HostnameVerifier hostnameVerifier,
Multimap<String, String> headers,
Map<String, HeaderProvider> headerProviders,
@@ -338,6 +369,9 @@ public final class ConnectionParams {
boolean useTlsConfigFromEnvironment,
Duration connectionTimeToLive) {
this.sslContext = sslContext;
+ this.privateKey = privateKey;
+ this.certificate = certificate;
+ this.caCertificates = caCertificates;
this.hostnameVerifier = hostnameVerifier;
this.useTlsConfigFromEnvironment = useTlsConfigFromEnvironment;
this.connectionTimeToLive = connectionTimeToLive;
@@ -427,8 +461,9 @@ public final class ConnectionParams {
*
* Important: The implementation of {@link #getHeaderValue()} must be thread-safe!
*/
- public interface HeaderProvider {
- String getHeaderValue();
- }
+ public interface HeaderProvider { String getHeaderValue(); }
+ public Path getPrivateKey() { return privateKey; }
+ public Path getCertificate() { return certificate; }
+ public Path getCaCertificates() { return caCertificates; }
}
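Review bot: The two Builder setters added in the hunk at `@@ -81,6 +85,23 @@` accept any combination of nulls, so a caller can supply a private key without a certificate (or the reverse) and the mismatch is never reported — ApacheGatewayConnection then simply skips the key store and the client connects without a client identity. I would reject the half-configured case in `setCertificateAndPrivateKey` with `if ((privateKey == null) != (certificate == null)) throw new IllegalArgumentException("privateKey and certificate must be set together");`, which still lets the command-line runner pass two nulls when no key is configured. The Javadoc also lacks `@param` tags and the second summary reads "Set path a PEM file"; I would add `@param privateKey path to the PEM-encoded private key` and `@param certificate path to the PEM-encoded certificate`, and reword the second to `Set path to a PEM file containing the CA certificates.`. Separately, the last hunk collapses the unrelated `HeaderProvider` interface onto one line, which is formatting churn unrelated to this change and worth reverting.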
diff --git a/vespa-http-client/src/main/java/com/yahoo/vespa/http/client/config/Endpoint.java b/vespa-http-client/src/main/java/com/yahoo/vespa/http/client/config/Endpoint.java
index b7d8cab5a4f..98aca13fff6 100644
--- a/vespa-http-client/src/main/java/com/yahoo/vespa/http/client/config/Endpoint.java
+++ b/vespa-http-client/src/main/java/com/yahoo/vespa/http/client/config/Endpoint.java
@@ -29,7 +29,6 @@ public final class Endpoint implements Serializable {
* @param port the port
* @param useSsl true if SSL is to be used
* @return an Endpoint instance
- * @see com.yahoo.vespa.http.client.config.ConnectionParams#getSslContext() needs to be set as well for SSL
*/
public static Endpoint create(String hostname, int port, boolean useSsl) {
return new Endpoint(hostname, port, useSsl);
diff --git a/vespa-http-client/src/main/java/com/yahoo/vespa/http/client/core/communication/ApacheGatewayConnection.java b/vespa-http-client/src/main/java/com/yahoo/vespa/http/client/core/communication/ApacheGatewayConnection.java
index e7a1e6615f4..7aa451bd8db 100644
--- a/vespa-http-client/src/main/java/com/yahoo/vespa/http/client/core/communication/ApacheGatewayConnection.java
+++ b/vespa-http-client/src/main/java/com/yahoo/vespa/http/client/core/communication/ApacheGatewayConnection.java
@@ -4,6 +4,7 @@ package com.yahoo.vespa.http.client.core.communication;
import ai.vespa.util.http.VespaHttpClientBuilder;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
+import com.yahoo.security.SslContextBuilder;
import com.yahoo.vespa.http.client.config.ConnectionParams;
import com.yahoo.vespa.http.client.config.Endpoint;
import com.yahoo.vespa.http.client.config.FeedParams;
@@ -400,8 +401,19 @@ class ApacheGatewayConnection implements GatewayConnection {
clientBuilder = VespaHttpClientBuilder.create();
} else {
clientBuilder = HttpClientBuilder.create();
- if (useSsl && connectionParams.getSslContext() != null) {
+ if (connectionParams.getSslContext() != null) {
clientBuilder.setSslcontext(connectionParams.getSslContext());
+ } else {
+ SslContextBuilder builder = new SslContextBuilder();
+ if (connectionParams.getPrivateKey() != null && connectionParams.getCertificate() != null) {
+ builder.withKeyStore(connectionParams.getPrivateKey(), connectionParams.getCertificate());
+ }
+ if (connectionParams.getCaCertificates() != null) {
+ builder.withTrustStore(connectionParams.getCaCertificates());
+ }
+ clientBuilder.setSslcontext(builder.build());
+ }
+ if (connectionParams.getHostnameVerifier() != null) {
clientBuilder.setSSLHostnameVerifier(connectionParams.getHostnameVerifier());
}
}
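Review bot: Dropping `useSsl &&` from the condition means the new `else` branch constructs a `SslContextBuilder` for every connection, including plain-HTTP endpoints, and does so even when none of the three paths is configured, replacing HttpClientBuilder's default TLS setup with whatever `SslContextBuilder.build()` yields for an empty configuration — what that means for the trust store is not visible here and should be confirmed, since an empty trust store would break HTTPS callers that previously relied on the JVM defaults, and the key/certificate files are presumably read from disk at `build()`. A private key without a certificate (or the reverse) also passes the `&&` guard silently and produces a context with no client identity, which deserves an explicit failure rather than a quiet downgrade. I would only enter the builder path when something is actually configured, `} else if (connectionParams.getPrivateKey() != null || connectionParams.getCertificate() != null || connectionParams.getCaCertificates() != null) {`, and precede `withKeyStore` with `if ((connectionParams.getPrivateKey() == null) != (connectionParams.getCertificate() == null)) throw new IllegalStateException("private key and certificate must both be set");`. The enclosing method starts and ends outside the hunk.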
diff --git a/vespa-http-client/src/main/java/com/yahoo/vespa/http/client/runner/CommandLineArguments.java b/vespa-http-client/src/main/java/com/yahoo/vespa/http/client/runner/CommandLineArguments.java
index 06affe9fe1e..cff9e2fefb0 100644
--- a/vespa-http-client/src/main/java/com/yahoo/vespa/http/client/runner/CommandLineArguments.java
+++ b/vespa-http-client/src/main/java/com/yahoo/vespa/http/client/runner/CommandLineArguments.java
@@ -2,7 +2,6 @@
package com.yahoo.vespa.http.client.runner;
import com.google.common.base.Splitter;
-import com.yahoo.security.SslContextBuilder;
import com.yahoo.vespa.http.client.config.Cluster;
import com.yahoo.vespa.http.client.config.ConnectionParams;
import com.yahoo.vespa.http.client.config.Endpoint;
@@ -19,13 +18,14 @@ import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.message.BasicLineParser;
import javax.inject.Inject;
-import javax.net.ssl.SSLContext;
import java.net.MalformedURLException;
import java.net.URL;
+import java.nio.file.Path;
import java.nio.file.Paths;
import java.time.Duration;
import java.util.ArrayList;
import java.util.List;
+import java.util.Optional;
import java.util.concurrent.TimeUnit;
/**
@@ -253,19 +253,11 @@ public class CommandLineArguments {
public boolean getAddRootElementToXml() { return addRootElementToXml; }
- private SSLContext createSslContext() {
- SslContextBuilder builder = new SslContextBuilder();
- if (privateKeyPath != null && certificatePath != null) {
- builder.withKeyStore(Paths.get(privateKeyPath), Paths.get(certificatePath));
- }
- if (caCertificatesPath != null) {
- builder.withTrustStore(Paths.get(caCertificatesPath));
- }
- return builder.build();
- }
-
SessionParams createSessionParams(boolean useJson) {
final int minThrottleValue = useDynamicThrottlingArg ? 10 : 0;
+ Path privateKeyPath = Optional.ofNullable(this.privateKeyPath).map(Paths::get).orElse(null);
+ Path certificatePath = Optional.ofNullable(this.certificatePath).map(Paths::get).orElse(null);
+ Path caCertificatesPath = Optional.ofNullable(this.caCertificatesPath).map(Paths::get).orElse(null);
ConnectionParams.Builder connectionParamsBuilder = new ConnectionParams.Builder();
parsedHeaders.forEach(header -> connectionParamsBuilder.addHeader(header.getName(), header.getValue()));
SessionParams.Builder builder = new SessionParams.Builder()
@@ -295,7 +287,8 @@ public class CommandLineArguments {
.setTraceEveryXOperation(traceEveryXOperation)
.setPrintTraceToStdErr(traceArg > 0)
.setNumPersistentConnectionsPerEndpoint(numPersistentConnectionsPerEndpoint)
- .setSslContext(createSslContext())
+ .setCertificateAndPrivateKey(privateKeyPath, certificatePath)
+ .setCaCertificates(caCertificatesPath)
.setUseTlsConfigFromEnvironment(useTlsConfigFromEnvironment)
.setConnectionTimeToLive(Duration.ofSeconds(connectionTimeToLive))
.build()
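Review bot: The three locals introduced in the first hunk (`privateKeyPath`, `certificatePath`, `caCertificatesPath`) shadow the String fields of the same names, so inside createSessionParams the bare name now denotes a Path while `this.`-qualified access denotes a String; a distinct name such as `privateKeyFile` avoids that trap. The `Optional.ofNullable(...).map(Paths::get).orElse(null)` chain is also a roundabout null-conditional; `Path privateKeyFile = privateKeyPath == null ? null : Paths.get(privateKeyPath);` says the same thing directly for each of the three. The builder call in the second hunk now passes two nulls to `setCertificateAndPrivateKey` when no key is configured, so that setter must keep accepting null for both arguments together. createSessionParams continues past the end of the hunk.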