authorBjørn Christian Seime <bjorncs@verizonmedia.com>2022-05-31 13:34:55 +0200
committerBjørn Christian Seime <bjorncs@verizonmedia.com>2022-05-31 13:34:55 +0200
commit907556d43825e1f3cfd866a3f13bda5bdcbad78a (patch)
tree4654bcfc883e04fbb0c39a72b6bb43a1dfa03d85 /container-core
parente9319078a33a4cfa2925c8cc0afc05e2dcb84465 (diff)
Rewrite current 'SslContextFactoryProvider' impls to 'SslProvider'
Diffstat (limited to 'container-core')
-rw-r--r--container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/ConfiguredSslContextFactoryProvider.java40
-rw-r--r--container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/DefaultSslContextFactoryProvider.java20
-rw-r--r--container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/TlsContextBasedProvider.java38
-rw-r--r--container-core/src/test/java/com/yahoo/jdisc/http/ssl/impl/TlsContextBasedProviderTest.java8
4 files changed, 48 insertions, 58 deletions
diff --git a/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/ConfiguredSslContextFactoryProvider.java b/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/ConfiguredSslContextFactoryProvider.java
index fcb8c468bac..05a013c036e 100644
--- a/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/ConfiguredSslContextFactoryProvider.java
+++ b/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/ConfiguredSslContextFactoryProvider.java
@@ -2,14 +2,12 @@
package com.yahoo.jdisc.http.ssl.impl;
import com.yahoo.jdisc.http.ConnectorConfig;
-import com.yahoo.jdisc.http.ConnectorConfig.Ssl.ClientAuth;
-import com.yahoo.jdisc.http.ssl.SslContextFactoryProvider;
+import com.yahoo.jdisc.http.SslProvider;
import com.yahoo.security.KeyUtils;
import com.yahoo.security.SslContextBuilder;
import com.yahoo.security.X509CertificateUtils;
import com.yahoo.security.tls.AutoReloadingX509KeyManager;
import com.yahoo.security.tls.TlsContext;
-import org.eclipse.jetty.util.ssl.SslContextFactory;
import javax.net.ssl.SSLContext;
import java.io.IOException;
@@ -23,16 +21,12 @@ import java.util.ArrayList;
import java.util.List;
import java.util.Optional;
-import static com.yahoo.jdisc.http.ssl.impl.SslContextFactoryUtils.setEnabledCipherSuites;
-import static com.yahoo.jdisc.http.ssl.impl.SslContextFactoryUtils.setEnabledProtocols;
-
/**
- * An implementation of {@link SslContextFactoryProvider} that uses the {@link ConnectorConfig} to construct a {@link SslContextFactory}.
+ * An implementation of {@link SslProvider} that uses the {@link ConnectorConfig} to configure SSL.
*
* @author bjorncs
*/
-@SuppressWarnings("removal")
-public class ConfiguredSslContextFactoryProvider implements SslContextFactoryProvider {
+public class ConfiguredSslContextFactoryProvider implements SslProvider {
private volatile AutoReloadingX509KeyManager keyManager;
private final ConnectorConfig connectorConfig;
@@ -43,7 +37,7 @@ public class ConfiguredSslContextFactoryProvider implements SslContextFactoryPro
}
@Override
- public SslContextFactory getInstance(String containerId, int port) {
+ public void configureSsl(ConnectorSsl ssl, String name, int port) {
ConnectorConfig.Ssl sslConfig = connectorConfig.ssl();
if (!sslConfig.enabled()) throw new IllegalStateException();
@@ -63,23 +57,31 @@ public class ConfiguredSslContextFactoryProvider implements SslContextFactoryPro
SSLContext sslContext = builder.build();
- SslContextFactory.Server factory = new SslContextFactory.Server();
- factory.setSslContext(sslContext);
-
- factory.setNeedClientAuth(sslConfig.clientAuth() == ClientAuth.Enum.NEED_AUTH);
- factory.setWantClientAuth(sslConfig.clientAuth() == ClientAuth.Enum.WANT_AUTH);
+ ssl.setSslContext(sslContext);
+
+ switch (sslConfig.clientAuth()) {
+ case NEED_AUTH:
+ ssl.setClientAuth(ConnectorSsl.ClientAuth.NEED);
+ break;
+ case WANT_AUTH:
+ ssl.setClientAuth(ConnectorSsl.ClientAuth.WANT);
+ break;
+ case DISABLED:
+ ssl.setClientAuth(ConnectorSsl.ClientAuth.DISABLED);
+ break;
+ default:
+ throw new IllegalArgumentException(sslConfig.clientAuth().toString());
+ }
List<String> protocols = !sslConfig.enabledProtocols().isEmpty()
? sslConfig.enabledProtocols()
: new ArrayList<>(TlsContext.getAllowedProtocols(sslContext));
- setEnabledProtocols(factory, sslContext, protocols);
+ ssl.setEnabledProtocolVersions(protocols);
List<String> ciphers = !sslConfig.enabledCipherSuites().isEmpty()
? sslConfig.enabledCipherSuites()
: new ArrayList<>(TlsContext.getAllowedCipherSuites(sslContext));
- setEnabledCipherSuites(factory, sslContext, ciphers);
-
- return factory;
+ ssl.setEnabledCipherSuites(ciphers);
}
@Override
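Review bot: The protocol and cipher lists built just above are passed straight to `ssl.setEnabledProtocolVersions(protocols)` and `ssl.setEnabledCipherSuites(ciphers)`, whereas the removed `SslContextFactoryUtils.setEnabledProtocols`/`setEnabledCipherSuites` helpers also received the `SSLContext`, which suggests they checked the configured names against what the context actually supports. If `ConnectorSsl` does not perform that check, an unsupported or misspelled cipher suite or protocol name coming from `ConnectorConfig` is no longer rejected at this point and the connector would fail later, or silently negotiate a narrower set than intended. Worth confirming in the `ConnectorSsl` implementation, and documenting the contract above the first setter with `// ConnectorSsl validates these against the SSLContext's supported protocols/ciphers` once confirmed. The enclosing `configureSsl` method starts outside this hunk.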
diff --git a/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/DefaultSslContextFactoryProvider.java b/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/DefaultSslContextFactoryProvider.java
index 28e95c18424..c8cf5195c4c 100644
--- a/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/DefaultSslContextFactoryProvider.java
+++ b/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/DefaultSslContextFactoryProvider.java
@@ -4,24 +4,22 @@ package com.yahoo.jdisc.http.ssl.impl;
import com.google.inject.Inject;
import com.yahoo.component.AbstractComponent;
import com.yahoo.jdisc.http.ConnectorConfig;
-import com.yahoo.jdisc.http.ssl.SslContextFactoryProvider;
+import com.yahoo.jdisc.http.SslProvider;
import com.yahoo.security.tls.ConfigFileBasedTlsContext;
import com.yahoo.security.tls.PeerAuthentication;
import com.yahoo.security.tls.TlsContext;
import com.yahoo.security.tls.TransportSecurityUtils;
-import org.eclipse.jetty.util.ssl.SslContextFactory;
import java.nio.file.Path;
/**
- * The default implementation of {@link SslContextFactoryProvider} to be injected into connectors without explicit ssl configuration.
+ * The default implementation of {@link SslProvider} to be injected into connectors without explicit ssl configuration.
*
* @author bjorncs
*/
-@SuppressWarnings("removal")
-public class DefaultSslContextFactoryProvider extends AbstractComponent implements SslContextFactoryProvider {
+public class DefaultSslContextFactoryProvider extends AbstractComponent implements SslProvider {
- private final SslContextFactoryProvider instance;
+ private final SslProvider instance;
@Inject
public DefaultSslContextFactoryProvider(ConnectorConfig connectorConfig) {
@@ -30,7 +28,7 @@ public class DefaultSslContextFactoryProvider extends AbstractComponent implemen
.orElseGet(ThrowingSslContextFactoryProvider::new);
}
- private static SslContextFactoryProvider createTlsContextBasedProvider(ConnectorConfig connectorConfig, Path configFile) {
+ private static SslProvider createTlsContextBasedProvider(ConnectorConfig connectorConfig, Path configFile) {
return new StaticTlsContextBasedProvider(
new ConfigFileBasedTlsContext(
configFile, TransportSecurityUtils.getInsecureAuthorizationMode(), getPeerAuthenticationMode(connectorConfig)));
@@ -47,8 +45,8 @@ public class DefaultSslContextFactoryProvider extends AbstractComponent implemen
}
@Override
- public SslContextFactory getInstance(String containerId, int port) {
- return instance.getInstance(containerId, port);
+ public void configureSsl(ConnectorSsl ssl, String name, int port) {
+ instance.configureSsl(ssl, name, port);
}
@Override
@@ -56,9 +54,9 @@ public class DefaultSslContextFactoryProvider extends AbstractComponent implemen
instance.close();
}
- private static class ThrowingSslContextFactoryProvider implements SslContextFactoryProvider {
+ private static class ThrowingSslContextFactoryProvider implements SslProvider {
@Override
- public SslContextFactory getInstance(String containerId, int port) {
+ public void configureSsl(ConnectorSsl ssl, String name, int port) {
throw new UnsupportedOperationException();
}
}
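Review bot: `ThrowingSslContextFactoryProvider.configureSsl` still throws a bare `UnsupportedOperationException()` with no message, although the connector name and port now arrive as parameters; when a connector without explicit SSL configuration ends up on this fallback the stack trace gives no hint which connector lacked a TLS configuration. Suggest `throw new UnsupportedOperationException("No TLS configuration available for connector '" + name + "' on port " + port);` so the misconfiguration is diagnosable from logs. The same applies to the empty `IllegalStateException()` thrown when `sslConfig.enabled()` is false in ConfiguredSslContextFactoryProvider.configureSsl.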
diff --git a/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/TlsContextBasedProvider.java b/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/TlsContextBasedProvider.java
index 73a6940afd9..712388a305e 100644
--- a/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/TlsContextBasedProvider.java
+++ b/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/TlsContextBasedProvider.java
@@ -2,42 +2,34 @@
package com.yahoo.jdisc.http.ssl.impl;
import com.yahoo.component.AbstractComponent;
-import com.yahoo.jdisc.http.ssl.SslContextFactoryProvider;
+import com.yahoo.jdisc.http.SslProvider;
import com.yahoo.security.tls.TlsContext;
-import org.eclipse.jetty.util.ssl.SslContextFactory;
-import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import java.util.List;
-import static com.yahoo.jdisc.http.ssl.impl.SslContextFactoryUtils.setEnabledCipherSuites;
-import static com.yahoo.jdisc.http.ssl.impl.SslContextFactoryUtils.setEnabledProtocols;
-
/**
- * A {@link SslContextFactoryProvider} that creates {@link SslContextFactory} instances from {@link TlsContext} instances.
+ * A {@link SslProvider} that configures SSL from {@link TlsContext} instances.
*
* @author bjorncs
*/
-@SuppressWarnings("removal")
-public abstract class TlsContextBasedProvider extends AbstractComponent implements SslContextFactoryProvider {
+public abstract class TlsContextBasedProvider extends AbstractComponent implements SslProvider {
protected abstract TlsContext getTlsContext(String containerId, int port);
@Override
- public final SslContextFactory getInstance(String containerId, int port) {
- TlsContext tlsContext = getTlsContext(containerId, port);
- SSLContext sslContext = tlsContext.context();
+ public void configureSsl(ConnectorSsl ssl, String name, int port) {
+ TlsContext tlsContext = getTlsContext(name, port);
SSLParameters parameters = tlsContext.parameters();
-
- SslContextFactory.Server sslContextFactory = new SslContextFactory.Server();
- sslContextFactory.setSslContext(sslContext);
-
- sslContextFactory.setNeedClientAuth(parameters.getNeedClientAuth());
- sslContextFactory.setWantClientAuth(parameters.getWantClientAuth());
-
- setEnabledProtocols(sslContextFactory, sslContext, List.of(parameters.getProtocols()));
- setEnabledCipherSuites(sslContextFactory, sslContext, List.of(parameters.getCipherSuites()));
-
- return sslContextFactory;
+ ssl.setSslContext(tlsContext.context());
+ ssl.setEnabledProtocolVersions(List.of(parameters.getProtocols()));
+ ssl.setEnabledCipherSuites(List.of(parameters.getCipherSuites()));
+ if (parameters.getNeedClientAuth()) {
+ ssl.setClientAuth(ConnectorSsl.ClientAuth.NEED);
+ } else if (parameters.getWantClientAuth()) {
+ ssl.setClientAuth(ConnectorSsl.ClientAuth.WANT);
+ } else {
+ ssl.setClientAuth(ConnectorSsl.ClientAuth.DISABLED);
+ }
}
}
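Review bot: `configureSsl` is declared `public void` while the `getInstance` it replaces was `public final`, so subclasses of `TlsContextBasedProvider` can now override the whole TLS setup rather than only supplying `getTlsContext`; nothing in the change indicates this is intended. Unless it is, restore `public final void configureSsl(ConnectorSsl ssl, String name, int port) {` to keep the template-method shape. Minor: the abstract hook still names its first parameter `containerId` while the new override passes it as `name`; aligning the two names would avoid confusion about what the string denotes.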
diff --git a/container-core/src/test/java/com/yahoo/jdisc/http/ssl/impl/TlsContextBasedProviderTest.java b/container-core/src/test/java/com/yahoo/jdisc/http/ssl/impl/TlsContextBasedProviderTest.java
index 21597ceefcf..fce4d6ee74e 100644
--- a/container-core/src/test/java/com/yahoo/jdisc/http/ssl/impl/TlsContextBasedProviderTest.java
+++ b/container-core/src/test/java/com/yahoo/jdisc/http/ssl/impl/TlsContextBasedProviderTest.java
@@ -9,7 +9,6 @@ import com.yahoo.security.tls.HostnameVerification;
import com.yahoo.security.tls.PeerAuthentication;
import com.yahoo.security.tls.TlsContext;
import com.yahoo.security.tls.policy.AuthorizedPeers;
-import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.junit.Test;
import javax.security.auth.x500.X500Principal;
@@ -24,7 +23,6 @@ import java.util.Set;
import static com.yahoo.security.KeyAlgorithm.EC;
import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_ECDSA;
import static org.junit.Assert.assertArrayEquals;
-import static org.junit.Assert.assertNotNull;
/**
* @author bjorncs
@@ -35,9 +33,9 @@ public class TlsContextBasedProviderTest {
public void creates_sslcontextfactory_from_tlscontext() {
TlsContext tlsContext = createTlsContext();
var provider = new SimpleTlsContextBasedProvider(tlsContext);
- SslContextFactory sslContextFactory = provider.getInstance("dummyContainerId", 8080);
- assertNotNull(sslContextFactory);
- assertArrayEquals(tlsContext.parameters().getCipherSuites(), sslContextFactory.getIncludeCipherSuites());
+ DefaultConnectorSsl ssl = new DefaultConnectorSsl();
+ provider.configureSsl(ssl, "dummyContainerId", 8080);
+ assertArrayEquals(tlsContext.parameters().getCipherSuites(), ssl.createSslContextFactory().getIncludeCipherSuites());
}
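Review bot: The rewritten test asserts only the cipher suites, while `configureSsl` now also sets the SSL context, the enabled protocol versions and the client-auth mode, and the dropped `assertNotNull` has no replacement. Suggest capturing `var factory = ssl.createSslContextFactory();` and adding `assertArrayEquals(tlsContext.parameters().getProtocols(), factory.getIncludeProtocols());` so a regression in protocol wiring is caught as well. The method name `creates_sslcontextfactory_from_tlscontext` no longer describes what is exercised; `configures_ssl_from_tlscontext` would.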
private static TlsContext createTlsContext() {