diff options
author | Bjørn Christian Seime <bjorn.christian@seime.no> | 2023-07-19 10:43:59 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-07-19 10:43:59 +0200 |
commit | 2a8acaa1d5283c3abd4a4fcbfff914321315bb72 (patch) | |
tree | bdf4855a3942a428bfdf1f6318c78ed0dbcb022c /config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java | |
parent | 69d705ef0d9679a1a73f6c00ec2eabb584a6576a (diff) |
Revert "Use builder pattern to make connector configuration more readable"
Diffstat (limited to 'config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java')
-rw-r--r-- | config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java | 110 |
1 files changed, 68 insertions, 42 deletions
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java index 4f11611541d..5bf348e5bb5 100644 --- a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java +++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java @@ -3,6 +3,7 @@ package com.yahoo.vespa.model.container.http.ssl; import com.yahoo.config.model.api.EndpointCertificateSecrets; import com.yahoo.jdisc.http.ConnectorConfig; +import com.yahoo.jdisc.http.ConnectorConfig.Ssl.ClientAuth; import com.yahoo.security.tls.TlsContext; import com.yahoo.vespa.model.container.http.ConnectorFactory; @@ -17,71 +18,96 @@ import java.util.List; */ public class HostedSslConnectorFactory extends ConnectorFactory { - boolean requireTlsClientAuthDuringTlsHandshake; - private final List<String> tlsCiphersOverride; + private static final List<String> INSECURE_WHITELISTED_PATHS = List.of("/status.html"); + private static final String DEFAULT_HOSTED_TRUSTSTORE = "/opt/yahoo/share/ssl/certs/athenz_certificate_bundle.pem"; + + private final boolean enforceClientAuth; + private final boolean enforceHandshakeClientAuth; + private final Collection<String> tlsCiphersOverride; private final boolean enableProxyProtocolMixedMode; private final Duration endpointConnectionTtl; - public static Builder builder(String name, int listenPort) { return new Builder(name, listenPort); } + /** + * Create connector factory that uses a certificate provided by the config-model / configserver and default hosted Vespa truststore. + */ + public static HostedSslConnectorFactory withProvidedCertificate( + String serverName, EndpointCertificateSecrets endpointCertificateSecrets, boolean enforceHandshakeClientAuth, + Collection<String> tlsCiphersOverride, boolean enableProxyProtocolMixedMode, int port, + Duration endpointConnectionTtl, boolean enableTokenSupport) { + CloudSslProvider sslProvider = createConfiguredDirectSslProvider( + serverName, endpointCertificateSecrets, DEFAULT_HOSTED_TRUSTSTORE, /*tlsCaCertificates*/null, enforceHandshakeClientAuth, enableTokenSupport); + return new HostedSslConnectorFactory(sslProvider, false, enforceHandshakeClientAuth, tlsCiphersOverride, + enableProxyProtocolMixedMode, port, endpointConnectionTtl); + } + + /** + * Create connector factory that uses a certificate provided by the config-model / configserver and a truststore configured by the application. + */ + public static HostedSslConnectorFactory withProvidedCertificateAndTruststore( + String serverName, EndpointCertificateSecrets endpointCertificateSecrets, String tlsCaCertificates, + Collection<String> tlsCiphersOverride, boolean enableProxyProtocolMixedMode, int port, + Duration endpointConnectionTtl, boolean enableTokenSupport) { + CloudSslProvider sslProvider = createConfiguredDirectSslProvider( + serverName, endpointCertificateSecrets, /*tlsCaCertificatesPath*/null, tlsCaCertificates, false, enableTokenSupport); + return new HostedSslConnectorFactory(sslProvider, true, false, tlsCiphersOverride, enableProxyProtocolMixedMode, + port, endpointConnectionTtl); + } + + /** + * Create connector factory that uses the default certificate and truststore provided by Vespa (through Vespa-global TLS configuration). + */ + public static HostedSslConnectorFactory withDefaultCertificateAndTruststore(String serverName, Collection<String> tlsCiphersOverride, + boolean enableProxyProtocolMixedMode, int port, + Duration endpointConnectionTtl) { + return new HostedSslConnectorFactory(new DefaultSslProvider(serverName), true, false, tlsCiphersOverride, + enableProxyProtocolMixedMode, port, endpointConnectionTtl); + } - private HostedSslConnectorFactory(Builder builder) { - super(new ConnectorFactory.Builder("tls"+builder.port, builder.port).sslProvider(createSslProvider(builder))); - this.requireTlsClientAuthDuringTlsHandshake = builder.requireTlsClientAuthDuringTlsHandshake; - this.tlsCiphersOverride = List.copyOf(builder.tlsCiphersOverride); - this.enableProxyProtocolMixedMode = builder.enableProxyProtocolMixedMode; - this.endpointConnectionTtl = builder.endpointConnectionTtl; + private HostedSslConnectorFactory(SslProvider sslProvider, boolean enforceClientAuth, + boolean enforceHandshakeClientAuth, Collection<String> tlsCiphersOverride, + boolean enableProxyProtocolMixedMode, int port, Duration endpointConnectionTtl) { + super(new Builder("tls"+port, port).sslProvider(sslProvider)); + this.enforceClientAuth = enforceClientAuth; + this.enforceHandshakeClientAuth = enforceHandshakeClientAuth; + this.tlsCiphersOverride = tlsCiphersOverride; + this.enableProxyProtocolMixedMode = enableProxyProtocolMixedMode; + this.endpointConnectionTtl = endpointConnectionTtl; } - private static SslProvider createSslProvider(Builder builder) { - if (builder.endpointCertificate == null) return new DefaultSslProvider(builder.name); - var clientAuthentication = builder.requireTlsClientAuthDuringTlsHandshake - ? ConnectorConfig.Ssl.ClientAuth.Enum.NEED_AUTH : ConnectorConfig.Ssl.ClientAuth.Enum.WANT_AUTH; + private static CloudSslProvider createConfiguredDirectSslProvider( + String serverName, EndpointCertificateSecrets endpointCertificateSecrets, String tlsCaCertificatesPath, String tlsCaCertificates, boolean enforceHandshakeClientAuth, boolean enableTokenSupport) { + var clientAuthentication = enforceHandshakeClientAuth ? ClientAuth.Enum.NEED_AUTH : ClientAuth.Enum.WANT_AUTH; return new CloudSslProvider( - builder.name, builder.endpointCertificate.key(), builder.endpointCertificate.certificate(), - builder.tlsCaCertificatesPath, builder.tlsCaCertificatesPem, clientAuthentication); + serverName, + endpointCertificateSecrets.key(), + endpointCertificateSecrets.certificate(), + tlsCaCertificatesPath, + tlsCaCertificates, + clientAuthentication, + enableTokenSupport); } @Override public void getConfig(ConnectorConfig.Builder connectorBuilder) { super.getConfig(connectorBuilder); - if (! requireTlsClientAuthDuringTlsHandshake) { - connectorBuilder.tlsClientAuthEnforcer( - new ConnectorConfig.TlsClientAuthEnforcer.Builder() - .pathWhitelist(List.of("/status.html")).enable(true)); + if (! enforceHandshakeClientAuth) { + connectorBuilder + .tlsClientAuthEnforcer(new ConnectorConfig.TlsClientAuthEnforcer.Builder() + .pathWhitelist(INSECURE_WHITELISTED_PATHS) + .enable(enforceClientAuth)); } // Disables TLSv1.3 as it causes some browsers to prompt user for client certificate (when connector has 'want' auth) connectorBuilder.ssl.enabledProtocols(List.of("TLSv1.2")); + if (!tlsCiphersOverride.isEmpty()) { connectorBuilder.ssl.enabledCipherSuites(tlsCiphersOverride.stream().sorted().toList()); } else { connectorBuilder.ssl.enabledCipherSuites(TlsContext.ALLOWED_CIPHER_SUITES.stream().sorted().toList()); } + connectorBuilder .proxyProtocol(new ConnectorConfig.ProxyProtocol.Builder().enabled(true).mixedMode(enableProxyProtocolMixedMode)) .idleTimeout(Duration.ofSeconds(30).toSeconds()) .maxConnectionLife(endpointConnectionTtl != null ? endpointConnectionTtl.toSeconds() : 0); } - - public static class Builder { - final String name; - final int port; - boolean requireTlsClientAuthDuringTlsHandshake; - List<String> tlsCiphersOverride; - boolean enableProxyProtocolMixedMode; - Duration endpointConnectionTtl; - EndpointCertificateSecrets endpointCertificate; - String tlsCaCertificatesPem; - String tlsCaCertificatesPath; - - private Builder(String name, int port) { this.name = name; this.port = port; } - public Builder requireTlsClientAuthDuringTlsHandshake(boolean enable) {this.requireTlsClientAuthDuringTlsHandshake = enable; return this; } - public Builder endpointConnectionTtl(Duration ttl) { endpointConnectionTtl = ttl; return this; } - public Builder tlsCiphersOverride(Collection<String> ciphers) { tlsCiphersOverride = List.copyOf(ciphers); return this; } - public Builder proxyProtocolMixedMode(boolean enable) { enableProxyProtocolMixedMode = enable; return this; } - public Builder endpointCertificate(EndpointCertificateSecrets cert) { this.endpointCertificate = cert; return this; } - public Builder tlsCaCertificatesPath(String path) { this.tlsCaCertificatesPath = path; return this; } - public Builder tlsCaCertificatesPem(String pem) { this.tlsCaCertificatesPem = pem; return this; } - - public HostedSslConnectorFactory build() { return new HostedSslConnectorFactory(this); } - } } |