authorBjørn Christian Seime <bjorncs@yahooinc.com>2022-08-22 14:25:23 +0200
committerBjørn Christian Seime <bjorncs@yahooinc.com>2022-09-02 09:57:51 +0200
commit5154fa106b4b8b442a76279bc8c145f27b041b17 (patch)
tree59210bcd460d2dce2f233d00c993b02522fba858 /configserver
parent36bead13fbbd0b3ce5c5a364b6f07ee1d3555b9b (diff)
Inject NodeHostnameVerifier to HttpProxy
Diffstat (limited to 'configserver')
-rw-r--r--configserver/src/main/java/com/yahoo/vespa/config/server/application/HttpProxy.java9
-rw-r--r--configserver/src/main/java/com/yahoo/vespa/config/server/http/SimpleHttpFetcher.java16
-rw-r--r--configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/DummyNodeHostnameVerifierProvider.java29
-rw-r--r--configserver/src/main/resources/configserver-app/services.xml1
4 files changed, 47 insertions, 8 deletions
diff --git a/configserver/src/main/java/com/yahoo/vespa/config/server/application/HttpProxy.java b/configserver/src/main/java/com/yahoo/vespa/config/server/application/HttpProxy.java
index 06b57d8dac1..1168898d126 100644
--- a/configserver/src/main/java/com/yahoo/vespa/config/server/application/HttpProxy.java
+++ b/configserver/src/main/java/com/yahoo/vespa/config/server/application/HttpProxy.java
@@ -10,6 +10,7 @@ import com.yahoo.component.annotation.Inject;
import com.yahoo.config.model.api.HostInfo;
import com.yahoo.config.model.api.PortInfo;
import com.yahoo.config.model.api.ServiceInfo;
+import com.yahoo.config.provision.security.NodeHostnameVerifier;
import com.yahoo.container.jdisc.HttpResponse;
import com.yahoo.vespa.config.server.http.HttpFetcher;
import com.yahoo.vespa.config.server.http.HttpFetcher.Params;
@@ -31,11 +32,9 @@ public class HttpProxy {
private final HttpFetcher fetcher;
- @Inject
- public HttpProxy() { this(new SimpleHttpFetcher()); }
- public HttpProxy(HttpFetcher fetcher) {
- this.fetcher = fetcher;
- }
+ @Inject public HttpProxy(NodeHostnameVerifier verifier) { this(new SimpleHttpFetcher(verifier)); }
+
+ public HttpProxy(HttpFetcher fetcher) { this.fetcher = fetcher; }
public HttpResponse get(Application application, String hostName, String serviceType, Path path, Query query) {
return get(application, hostName, serviceType, path, query, null);
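Review bot: The `@Inject` constructor hands `verifier` to `new SimpleHttpFetcher(verifier)` unchecked, and that constructor treats null as a request for the default client builder, so a null verifier here would silently skip the node hostname verifier for proxied requests instead of failing at construction. Consider `this(new SimpleHttpFetcher(Objects.requireNonNull(verifier, "verifier")));`, which needs a `java.util.Objects` import. A short Javadoc on this constructor saying that the verifier is passed on to the fetcher's HTTP client would also help, since the one-line form carries no explanation. The class body continues outside the hunk.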
diff --git a/configserver/src/main/java/com/yahoo/vespa/config/server/http/SimpleHttpFetcher.java b/configserver/src/main/java/com/yahoo/vespa/config/server/http/SimpleHttpFetcher.java
index 724b9417dc1..a8dfe3700e7 100644
--- a/configserver/src/main/java/com/yahoo/vespa/config/server/http/SimpleHttpFetcher.java
+++ b/configserver/src/main/java/com/yahoo/vespa/config/server/http/SimpleHttpFetcher.java
@@ -2,26 +2,36 @@
package com.yahoo.vespa.config.server.http;
import ai.vespa.util.http.hc5.VespaHttpClientBuilder;
+import com.yahoo.config.provision.security.NodeHostnameVerifier;
import com.yahoo.container.jdisc.HttpResponse;
import org.apache.hc.client5.http.classic.methods.HttpGet;
import org.apache.hc.client5.http.config.RequestConfig;
import org.apache.hc.client5.http.impl.classic.CloseableHttpClient;
import org.apache.hc.client5.http.impl.classic.CloseableHttpResponse;
+import org.apache.hc.client5.http.impl.classic.HttpClientBuilder;
+import org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManager;
import org.apache.hc.core5.http.HttpEntity;
import org.apache.hc.core5.util.Timeout;
import java.io.IOException;
import java.net.SocketTimeoutException;
import java.net.URI;
-import java.net.URISyntaxException;
-import java.net.URL;
import java.util.logging.Level;
import java.util.logging.Logger;
public class SimpleHttpFetcher implements HttpFetcher {
private static final Logger logger = Logger.getLogger(SimpleHttpFetcher.class.getName());
- private final CloseableHttpClient client = VespaHttpClientBuilder.create().build();
+ private final CloseableHttpClient client;
+
+ public SimpleHttpFetcher() { this(null); }
+
+ public SimpleHttpFetcher(NodeHostnameVerifier verifier) {
+ HttpClientBuilder b = verifier != null
+ ? VespaHttpClientBuilder.create(PoolingHttpClientConnectionManager::new, verifier::verify)
+ : VespaHttpClientBuilder.create();
+ this.client = b.build();
+ }
@Override
public HttpResponse get(Params params, URI url) {
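Review bot: In the new `SimpleHttpFetcher(NodeHostnameVerifier)` constructor a null argument silently selects `VespaHttpClientBuilder.create()`, and the public no-arg constructor relies on that through `this(null)`, yet neither constructor documents which hostname-verification policy the resulting client uses. I would add Javadoc to both, for example `/** Creates a fetcher whose client uses the builder's default hostname verification. */` on the no-arg one and `/** @param verifier verifies the peer hostname of TLS connections; null selects the builder's default */` on the other. Since `verifier::verify` may throw rather than return false (the dummy verifier added in this commit does), it is worth confirming that `get`, whose body lies outside the hunk, turns such a runtime exception into an error response rather than letting it escape.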
diff --git a/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/DummyNodeHostnameVerifierProvider.java b/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/DummyNodeHostnameVerifierProvider.java
new file mode 100644
index 00000000000..64b9dfcd714
--- /dev/null
+++ b/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/DummyNodeHostnameVerifierProvider.java
@@ -0,0 +1,29 @@
+// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.config.server.rpc.security;
+
+import com.yahoo.component.annotation.Inject;
+import com.yahoo.config.provision.security.NodeHostnameVerifier;
+import com.yahoo.container.di.componentgraph.Provider;
+
+import javax.net.ssl.SSLSession;
+
+/**
+ * @author bjorncs
+ */
+public class DummyNodeHostnameVerifierProvider implements Provider<NodeHostnameVerifier> {
+
+ private final ThrowingNodeHostnameVerifier instance = new ThrowingNodeHostnameVerifier();
+
+ @Inject public DummyNodeHostnameVerifierProvider() {}
+
+ @Override public NodeHostnameVerifier get() { return instance; }
+
+ @Override public void deconstruct() {}
+
+ private static class ThrowingNodeHostnameVerifier implements NodeHostnameVerifier {
+ @Override
+ public boolean verify(String hostname, SSLSession session) {
+ throw new UnsupportedOperationException();
+ }
+ }
+}
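Review bot: `ThrowingNodeHostnameVerifier.verify` throws a bare `UnsupportedOperationException`, so if this default provider is ever reached on a TLS connection the failure carries no hint that a verifier was never configured. Failing closed is the right choice for a placeholder and should stay; I would only add a message, e.g. `throw new UnsupportedOperationException("No NodeHostnameVerifier configured; replace DummyNodeHostnameVerifierProvider");`. The class Javadoc holds only `@author`; one sentence stating that this is the default binding and is expected to be overridden wherever node hostnames must be verified would make the intent clear (that expectation is inferred from the class name, so confirm it).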
diff --git a/configserver/src/main/resources/configserver-app/services.xml b/configserver/src/main/resources/configserver-app/services.xml
index 3536cfc7942..650176829e6 100644
--- a/configserver/src/main/resources/configserver-app/services.xml
+++ b/configserver/src/main/resources/configserver-app/services.xml
@@ -37,6 +37,7 @@
<component id="com.yahoo.vespa.config.server.filedistribution.FileServer" bundle="configserver" />
<component id="com.yahoo.vespa.config.server.rpc.RpcRequestHandlerProvider" bundle="configserver" />
<component id="com.yahoo.vespa.config.server.rpc.security.DummyNodeIdentifierProvider" bundle="configserver" />
+ <component id="com.yahoo.vespa.config.server.rpc.security.DummyNodeHostnameVerifierProvider" bundle="configserver" />
<component id="com.yahoo.vespa.config.server.rpc.security.DefaultRpcAuthorizerProvider" bundle="configserver" />
<component id="com.yahoo.vespa.config.server.http.TesterClient" bundle="configserver" />