author | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2022-05-31 13:34:55 +0200 |
committer | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2022-05-31 13:34:55 +0200 |
commit | 907556d43825e1f3cfd866a3f13bda5bdcbad78a (patch) | |
tree | 4654bcfc883e04fbb0c39a72b6bb43a1dfa03d85 /container-core | |
parent | e9319078a33a4cfa2925c8cc0afc05e2dcb84465 (diff) |
Rewrite current 'SslContextFactoryProvider' impls to 'SslProvider'
Diffstat (limited to 'container-core')
4 files changed, 48 insertions, 58 deletions
diff --git a/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/ConfiguredSslContextFactoryProvider.java b/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/ConfiguredSslContextFactoryProvider.java
index fcb8c468bac..05a013c036e 100644
--- a/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/ConfiguredSslContextFactoryProvider.java
+++ b/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/ConfiguredSslContextFactoryProvider.java
@@ -2,14 +2,12 @@ package com.yahoo.jdisc.http.ssl.impl;
 import com.yahoo.jdisc.http.ConnectorConfig;
-import com.yahoo.jdisc.http.ConnectorConfig.Ssl.ClientAuth;
-import com.yahoo.jdisc.http.ssl.SslContextFactoryProvider;
+import com.yahoo.jdisc.http.SslProvider;
 import com.yahoo.security.KeyUtils;
 import com.yahoo.security.SslContextBuilder;
 import com.yahoo.security.X509CertificateUtils;
 import com.yahoo.security.tls.AutoReloadingX509KeyManager;
 import com.yahoo.security.tls.TlsContext;
-import org.eclipse.jetty.util.ssl.SslContextFactory;
 import javax.net.ssl.SSLContext;
 import java.io.IOException;
@@ -23,16 +21,12 @@ import java.util.ArrayList;
 import java.util.List;
 import java.util.Optional;
-import static com.yahoo.jdisc.http.ssl.impl.SslContextFactoryUtils.setEnabledCipherSuites;
-import static com.yahoo.jdisc.http.ssl.impl.SslContextFactoryUtils.setEnabledProtocols;
-
 /**
- * An implementation of {@link SslContextFactoryProvider} that uses the {@link ConnectorConfig} to construct a {@link SslContextFactory}.
+ * An implementation of {@link SslProvider} that uses the {@link ConnectorConfig} to configure SSL.
 *
 * @author bjorncs
 */
-@SuppressWarnings("removal")
-public class ConfiguredSslContextFactoryProvider implements SslContextFactoryProvider {
+public class ConfiguredSslContextFactoryProvider implements SslProvider {
 private volatile AutoReloadingX509KeyManager keyManager;
 private final ConnectorConfig connectorConfig;
@@ -43,7 +37,7 @@ public class ConfiguredSslContextFactoryProvider implements SslContextFactoryPro
 }
 @Override
- public SslContextFactory getInstance(String containerId, int port) {
+ public void configureSsl(ConnectorSsl ssl, String name, int port) {
 ConnectorConfig.Ssl sslConfig = connectorConfig.ssl();
 if (!sslConfig.enabled()) throw new IllegalStateException();
@@ -63,23 +57,31 @@ public class ConfiguredSslContextFactoryProvider implements SslContextFactoryPro
 SSLContext sslContext = builder.build();
- SslContextFactory.Server factory = new SslContextFactory.Server();
- factory.setSslContext(sslContext);
-
- factory.setNeedClientAuth(sslConfig.clientAuth() == ClientAuth.Enum.NEED_AUTH);
- factory.setWantClientAuth(sslConfig.clientAuth() == ClientAuth.Enum.WANT_AUTH);
+ ssl.setSslContext(sslContext);
+
+ switch (sslConfig.clientAuth()) {
+ case NEED_AUTH:
+ ssl.setClientAuth(ConnectorSsl.ClientAuth.NEED);
+ break;
+ case WANT_AUTH:
+ ssl.setClientAuth(ConnectorSsl.ClientAuth.WANT);
+ break;
+ case DISABLED:
+ ssl.setClientAuth(ConnectorSsl.ClientAuth.DISABLED);
+ break;
+ default:
+ throw new IllegalArgumentException(sslConfig.clientAuth().toString());
+ }
 List<String> protocols = !sslConfig.enabledProtocols().isEmpty() ? sslConfig.enabledProtocols() : new ArrayList<>(TlsContext.getAllowedProtocols(sslContext));
- setEnabledProtocols(factory, sslContext, protocols);
+ ssl.setEnabledProtocolVersions(protocols);
 List<String> ciphers = !sslConfig.enabledCipherSuites().isEmpty() ? sslConfig.enabledCipherSuites() : new ArrayList<>(TlsContext.getAllowedCipherSuites(sslContext));
- setEnabledCipherSuites(factory, sslContext, ciphers);
-
- return factory;
+ ssl.setEnabledCipherSuites(ciphers);
 }
 @Override
diff --git a/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/DefaultSslContextFactoryProvider.java b/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/DefaultSslContextFactoryProvider.java
index 28e95c18424..c8cf5195c4c 100644
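Review bot: The lists passed to `ssl.setEnabledProtocolVersions(protocols)` and `ssl.setEnabledCipherSuites(ciphers)` are no longer reconciled against `sslContext` in this method, whereas the removed `setEnabledProtocols(factory, sslContext, protocols)` and `setEnabledCipherSuites(factory, sslContext, ciphers)` helpers received the context and presumably checked the configured names against what it supports. If `ConnectorSsl` does not perform that check itself (its implementation is outside this diff), a misspelled or unsupported entry in `enabledProtocols`/`enabledCipherSuites` would no longer be caught at configuration time, so the contract should be confirmed and stated in a Javadoc on `configureSsl`. The `default` branch of the new switch is a sensible guard for future `ClientAuth` values, but the bare `IllegalArgumentException(sslConfig.clientAuth().toString())` is easier to trace as `throw new IllegalArgumentException("Unsupported clientAuth: " + sslConfig.clientAuth());`. The body of `configureSsl` starts in the preceding hunk and the class continues past this one.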
--- a/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/DefaultSslContextFactoryProvider.java
+++ b/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/DefaultSslContextFactoryProvider.java
@@ -4,24 +4,22 @@ package com.yahoo.jdisc.http.ssl.impl;
 import com.google.inject.Inject;
 import com.yahoo.component.AbstractComponent;
 import com.yahoo.jdisc.http.ConnectorConfig;
-import com.yahoo.jdisc.http.ssl.SslContextFactoryProvider;
+import com.yahoo.jdisc.http.SslProvider;
 import com.yahoo.security.tls.ConfigFileBasedTlsContext;
 import com.yahoo.security.tls.PeerAuthentication;
 import com.yahoo.security.tls.TlsContext;
 import com.yahoo.security.tls.TransportSecurityUtils;
-import org.eclipse.jetty.util.ssl.SslContextFactory;
 import java.nio.file.Path;
 /**
- * The default implementation of {@link SslContextFactoryProvider} to be injected into connectors without explicit ssl configuration.
+ * The default implementation of {@link SslProvider} to be injected into connectors without explicit ssl configuration.
 *
 * @author bjorncs
 */
-@SuppressWarnings("removal")
-public class DefaultSslContextFactoryProvider extends AbstractComponent implements SslContextFactoryProvider {
+public class DefaultSslContextFactoryProvider extends AbstractComponent implements SslProvider {
- private final SslContextFactoryProvider instance;
+ private final SslProvider instance;
 @Inject
 public DefaultSslContextFactoryProvider(ConnectorConfig connectorConfig) {
@@ -30,7 +28,7 @@ public class DefaultSslContextFactoryProvider extends AbstractComponent implemen
 .orElseGet(ThrowingSslContextFactoryProvider::new);
 }
- private static SslContextFactoryProvider createTlsContextBasedProvider(ConnectorConfig connectorConfig, Path configFile) {
+ private static SslProvider createTlsContextBasedProvider(ConnectorConfig connectorConfig, Path configFile) {
 return new StaticTlsContextBasedProvider(
 new ConfigFileBasedTlsContext(
 configFile, TransportSecurityUtils.getInsecureAuthorizationMode(), getPeerAuthenticationMode(connectorConfig)));
@@ -47,8 +45,8 @@ public class DefaultSslContextFactoryProvider extends AbstractComponent implemen
 }
 @Override
- public SslContextFactory getInstance(String containerId, int port) {
- return instance.getInstance(containerId, port);
+ public void configureSsl(ConnectorSsl ssl, String name, int port) {
+ instance.configureSsl(ssl, name, port);
 }
 @Override
@@ -56,9 +54,9 @@ public class DefaultSslContextFactoryProvider extends AbstractComponent implemen
 instance.close();
 }
- private static class ThrowingSslContextFactoryProvider implements SslContextFactoryProvider {
+ private static class ThrowingSslContextFactoryProvider implements SslProvider {
 @Override
- public SslContextFactory getInstance(String containerId, int port) {
+ public void configureSsl(ConnectorSsl ssl, String name, int port) {
 throw new UnsupportedOperationException();
 }
 }
diff --git a/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/TlsContextBasedProvider.java b/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/TlsContextBasedProvider.java
index 73a6940afd9..712388a305e 100644
--- a/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/TlsContextBasedProvider.java
+++ b/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/TlsContextBasedProvider.java
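Review bot: `ThrowingSslContextFactoryProvider.configureSsl` now receives `name` and `port` but the unchanged body still throws a bare `UnsupportedOperationException()`, so a connector that ends up with this fallback (selected through `orElseGet(ThrowingSslContextFactoryProvider::new)` in the first hunk of this file) fails without saying which connector lacks TLS configuration. Suggest `throw new UnsupportedOperationException("No TLS configuration available for connector '" + name + "' on port " + port);`. The delegating `configureSsl` in the middle hunk would also benefit from a one-line Javadoc noting that it forwards to the provider chosen at construction time, which may be this throwing fallback.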
@@ -2,42 +2,34 @@ package com.yahoo.jdisc.http.ssl.impl;
 import com.yahoo.component.AbstractComponent;
-import com.yahoo.jdisc.http.ssl.SslContextFactoryProvider;
+import com.yahoo.jdisc.http.SslProvider;
 import com.yahoo.security.tls.TlsContext;
-import org.eclipse.jetty.util.ssl.SslContextFactory;
-import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLParameters;
 import java.util.List;
-import static com.yahoo.jdisc.http.ssl.impl.SslContextFactoryUtils.setEnabledCipherSuites;
-import static com.yahoo.jdisc.http.ssl.impl.SslContextFactoryUtils.setEnabledProtocols;
-
 /**
- * A {@link SslContextFactoryProvider} that creates {@link SslContextFactory} instances from {@link TlsContext} instances.
+ * A {@link SslProvider} that configures SSL from {@link TlsContext} instances.
 *
 * @author bjorncs
 */
-@SuppressWarnings("removal")
-public abstract class TlsContextBasedProvider extends AbstractComponent implements SslContextFactoryProvider {
+public abstract class TlsContextBasedProvider extends AbstractComponent implements SslProvider {
 protected abstract TlsContext getTlsContext(String containerId, int port);
 @Override
- public final SslContextFactory getInstance(String containerId, int port) {
- TlsContext tlsContext = getTlsContext(containerId, port);
- SSLContext sslContext = tlsContext.context();
+ public void configureSsl(ConnectorSsl ssl, String name, int port) {
+ TlsContext tlsContext = getTlsContext(name, port);
 SSLParameters parameters = tlsContext.parameters();
-
- SslContextFactory.Server sslContextFactory = new SslContextFactory.Server();
- sslContextFactory.setSslContext(sslContext);
-
- sslContextFactory.setNeedClientAuth(parameters.getNeedClientAuth());
- sslContextFactory.setWantClientAuth(parameters.getWantClientAuth());
-
- setEnabledProtocols(sslContextFactory, sslContext, List.of(parameters.getProtocols()));
- setEnabledCipherSuites(sslContextFactory, sslContext, List.of(parameters.getCipherSuites()));
-
- return sslContextFactory;
+ ssl.setSslContext(tlsContext.context());
+ ssl.setEnabledProtocolVersions(List.of(parameters.getProtocols()));
+ ssl.setEnabledCipherSuites(List.of(parameters.getCipherSuites()));
+ if (parameters.getNeedClientAuth()) {
+ ssl.setClientAuth(ConnectorSsl.ClientAuth.NEED);
+ } else if (parameters.getWantClientAuth()) {
+ ssl.setClientAuth(ConnectorSsl.ClientAuth.WANT);
+ } else {
+ ssl.setClientAuth(ConnectorSsl.ClientAuth.DISABLED);
+ }
 }
 }
diff --git a/container-core/src/test/java/com/yahoo/jdisc/http/ssl/impl/TlsContextBasedProviderTest.java b/container-core/src/test/java/com/yahoo/jdisc/http/ssl/impl/TlsContextBasedProviderTest.java
index 21597ceefcf..fce4d6ee74e 100644
--- a/container-core/src/test/java/com/yahoo/jdisc/http/ssl/impl/TlsContextBasedProviderTest.java
+++ b/container-core/src/test/java/com/yahoo/jdisc/http/ssl/impl/TlsContextBasedProviderTest.java
@@ -9,7 +9,6 @@ import com.yahoo.security.tls.HostnameVerification;
 import com.yahoo.security.tls.PeerAuthentication;
 import com.yahoo.security.tls.TlsContext;
 import com.yahoo.security.tls.policy.AuthorizedPeers;
-import org.eclipse.jetty.util.ssl.SslContextFactory;
 import org.junit.Test;
 import javax.security.auth.x500.X500Principal;
@@ -24,7 +23,6 @@ import java.util.Set;
 import static com.yahoo.security.KeyAlgorithm.EC;
 import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_ECDSA;
 import static org.junit.Assert.assertArrayEquals;
-import static org.junit.Assert.assertNotNull;
 /**
 * @author bjorncs
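Review bot: `configureSsl` drops the `final` that `getInstance` carried, so a subclass can now override the whole method and bypass the client-auth mode, protocol versions and cipher suites derived from its `TlsContext`; if subclasses are meant to customise only `getTlsContext`, keep the declaration as `public final void configureSsl(ConnectorSsl ssl, String name, int port) {`. The abstract hook is still declared `getTlsContext(String containerId, int port)` while the caller now passes `name`, so renaming that parameter to `String name` would keep the two consistent. The method also has no Javadoc; a one-liner such as `/** Applies the SSL context, client-auth mode, protocol versions and cipher suites of the TlsContext for the given connector name and port to {@code ssl}. */` would state the contract, including that need-client-auth takes precedence over want-client-auth in the if/else chain.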
@@ -35,9 +33,9 @@ public class TlsContextBasedProviderTest {
 public void creates_sslcontextfactory_from_tlscontext() {
 TlsContext tlsContext = createTlsContext();
 var provider = new SimpleTlsContextBasedProvider(tlsContext);
- SslContextFactory sslContextFactory = provider.getInstance("dummyContainerId", 8080);
- assertNotNull(sslContextFactory);
- assertArrayEquals(tlsContext.parameters().getCipherSuites(), sslContextFactory.getIncludeCipherSuites());
+ DefaultConnectorSsl ssl = new DefaultConnectorSsl();
+ provider.configureSsl(ssl, "dummyContainerId", 8080);
+ assertArrayEquals(tlsContext.parameters().getCipherSuites(), ssl.createSslContextFactory().getIncludeCipherSuites());
 }
 private static TlsContext createTlsContext() {
|
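Review bot: The rewritten test still asserts only the cipher suites of `ssl.createSslContextFactory()`, while `configureSsl` now also sets the protocol versions and the client-auth mode from the same `TlsContext`, so a regression in the new if/else mapping in `TlsContextBasedProvider.configureSsl` would go unnoticed. Assuming `DefaultConnectorSsl` maps protocol versions onto the factory's include-protocols, adding `assertArrayEquals(tlsContext.parameters().getProtocols(), ssl.createSslContextFactory().getIncludeProtocols());` after the existing assertion covers one of the two; the client-auth expectation depends on what `createTlsContext()` configures and is worth a separate assertion. The name `creates_sslcontextfactory_from_tlscontext` no longer matches what is exercised; `configures_ssl_from_tlscontext` reads better.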