authorBjørn Christian Seime <bjorncs@verizonmedia.com>2022-05-31 16:02:18 +0200
committerGitHub <noreply@github.com>2022-05-31 16:02:18 +0200
commitdc6437be5ca9e522004e2d01bc5df9dedd8d00cf (patch)
tree40574ce6343862a895ef99e57396516bc3fc7df3 /container-core
parentb419a1ac99d50e71277fad14690270f841e27baa (diff)
parent8fe3095dff515019786b779929b6550fd2ed5c5b (diff)
Merge pull request #22760 from vespa-engine/bjorncs/hide-jetty-from-publicapi
`SslContextFactoryProvider` replacement [run-systemtest]
Diffstat (limited to 'container-core')
-rw-r--r--container-core/abi-spec.json60
-rw-r--r--container-core/src/main/java/com/yahoo/jdisc/http/SslProvider.java36
-rw-r--r--container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java28
-rw-r--r--container-core/src/main/java/com/yahoo/jdisc/http/ssl/SslContextFactoryProvider.java11
-rw-r--r--container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/ConfiguredSslContextFactoryProvider.java39
-rw-r--r--container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/DefaultConnectorSsl.java94
-rw-r--r--container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/DefaultSslContextFactoryProvider.java19
-rw-r--r--container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/SslContextFactoryUtils.java20
-rw-r--r--container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/TlsContextBasedProvider.java37
-rw-r--r--container-core/src/test/java/com/yahoo/jdisc/http/ssl/impl/TlsContextBasedProviderTest.java8
10 files changed, 285 insertions, 67 deletions
diff --git a/container-core/abi-spec.json b/container-core/abi-spec.json
index 78a1c044d35..8ca6507f73e 100644
--- a/container-core/abi-spec.json
+++ b/container-core/abi-spec.json
@@ -2090,6 +2090,60 @@
"public static final java.lang.String[] CONFIG_DEF_SCHEMA"
]
},
+ "com.yahoo.jdisc.http.SslProvider$ConnectorSsl$ClientAuth": {
+ "superClass": "java.lang.Enum",
+ "interfaces": [],
+ "attributes": [
+ "public",
+ "final",
+ "enum"
+ ],
+ "methods": [
+ "public static com.yahoo.jdisc.http.SslProvider$ConnectorSsl$ClientAuth[] values()",
+ "public static com.yahoo.jdisc.http.SslProvider$ConnectorSsl$ClientAuth valueOf(java.lang.String)"
+ ],
+ "fields": [
+ "public static final enum com.yahoo.jdisc.http.SslProvider$ConnectorSsl$ClientAuth DISABLED",
+ "public static final enum com.yahoo.jdisc.http.SslProvider$ConnectorSsl$ClientAuth WANT",
+ "public static final enum com.yahoo.jdisc.http.SslProvider$ConnectorSsl$ClientAuth NEED"
+ ]
+ },
+ "com.yahoo.jdisc.http.SslProvider$ConnectorSsl": {
+ "superClass": "java.lang.Object",
+ "interfaces": [],
+ "attributes": [
+ "public",
+ "interface",
+ "abstract"
+ ],
+ "methods": [
+ "public abstract com.yahoo.jdisc.http.SslProvider$ConnectorSsl setSslContext(javax.net.ssl.SSLContext)",
+ "public abstract com.yahoo.jdisc.http.SslProvider$ConnectorSsl setClientAuth(com.yahoo.jdisc.http.SslProvider$ConnectorSsl$ClientAuth)",
+ "public abstract com.yahoo.jdisc.http.SslProvider$ConnectorSsl setEnabledCipherSuites(java.util.List)",
+ "public abstract com.yahoo.jdisc.http.SslProvider$ConnectorSsl setEnabledProtocolVersions(java.util.List)",
+ "public abstract com.yahoo.jdisc.http.SslProvider$ConnectorSsl setKeystore(java.security.KeyStore, char[])",
+ "public abstract com.yahoo.jdisc.http.SslProvider$ConnectorSsl setKeystore(java.security.KeyStore)",
+ "public abstract com.yahoo.jdisc.http.SslProvider$ConnectorSsl setTruststore(java.security.KeyStore, char[])",
+ "public abstract com.yahoo.jdisc.http.SslProvider$ConnectorSsl setTruststore(java.security.KeyStore)"
+ ],
+ "fields": []
+ },
+ "com.yahoo.jdisc.http.SslProvider": {
+ "superClass": "java.lang.Object",
+ "interfaces": [
+ "java.lang.AutoCloseable"
+ ],
+ "attributes": [
+ "public",
+ "interface",
+ "abstract"
+ ],
+ "methods": [
+ "public abstract void configureSsl(com.yahoo.jdisc.http.SslProvider$ConnectorSsl, java.lang.String, int)",
+ "public void close()"
+ ],
+ "fields": []
+ },
"com.yahoo.jdisc.http.filter.DiscFilterRequest$ThreadLocalSimpleDateFormat": {
"superClass": "java.lang.ThreadLocal",
"interfaces": [],
@@ -2407,7 +2461,8 @@
"com.yahoo.jdisc.http.ssl.SslContextFactoryProvider": {
"superClass": "java.lang.Object",
"interfaces": [
- "java.lang.AutoCloseable"
+ "java.lang.AutoCloseable",
+ "com.yahoo.jdisc.http.SslProvider"
],
"attributes": [
"public",
@@ -2416,7 +2471,8 @@
],
"methods": [
"public abstract org.eclipse.jetty.util.ssl.SslContextFactory getInstance(java.lang.String, int)",
- "public void close()"
+ "public void close()",
+ "public void configureSsl(com.yahoo.jdisc.http.SslProvider$ConnectorSsl, java.lang.String, int)"
],
"fields": []
},
diff --git a/container-core/src/main/java/com/yahoo/jdisc/http/SslProvider.java b/container-core/src/main/java/com/yahoo/jdisc/http/SslProvider.java
new file mode 100644
index 00000000000..bbdba395910
--- /dev/null
+++ b/container-core/src/main/java/com/yahoo/jdisc/http/SslProvider.java
@@ -0,0 +1,36 @@
+// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.jdisc.http;
+
+import javax.net.ssl.SSLContext;
+import java.security.KeyStore;
+import java.util.List;
+
+/**
+ * Provides SSL/TLS configuration for a server connector.
+ *
+ * @author bjorncs
+ */
+public interface SslProvider extends AutoCloseable {
+
+ interface ConnectorSsl {
+ enum ClientAuth { DISABLED, WANT, NEED }
+ ConnectorSsl setSslContext(SSLContext ctx);
+ ConnectorSsl setClientAuth(ConnectorSsl.ClientAuth auth);
+ ConnectorSsl setEnabledCipherSuites(List<String> ciphers);
+ ConnectorSsl setEnabledProtocolVersions(List<String> versions);
+ ConnectorSsl setKeystore(KeyStore keystore, char[] password);
+ ConnectorSsl setKeystore(KeyStore keystore);
+ ConnectorSsl setTruststore(KeyStore truststore, char[] password);
+ ConnectorSsl setTruststore(KeyStore truststore);
+ }
+
+ /**
+ * Invoked during configuration of server connector
+ * @param ssl provides methods to modify default SSL configuration
+ * @param name The connector name
+ * @param port The connector listen port
+ */
+ void configureSsl(ConnectorSsl ssl, String name, int port);
+
+ @Override default void close() {}
+}
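Review bot: `ConnectorSsl` carries no Javadoc, so an implementer of `SslProvider` cannot tell whether `setSslContext` and `setKeystore`/`setTruststore` are alternatives or combine, what an empty list passed to `setEnabledCipherSuites`/`setEnabledProtocolVersions` means, or which client-auth mode applies when `setClientAuth` is never called. The default implementation added in this PR keeps the connector's defaults for an empty list and has no defined behaviour for an unset client-auth mode, so the contract belongs on the interface rather than in one implementation. I would add a type-level Javadoc such as `/** Mutable SSL settings for one server connector; an empty cipher/protocol list keeps the connector defaults, and the client-auth mode must be set explicitly. */` and a line on `setClientAuth` stating that `WANT` and `NEED` mirror the `SSLParameters` want/need semantics (request versus require a client certificate). The `close()` default could likewise say that providers holding reloadable key material are expected to release it here.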
diff --git a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java
index a7c5b83f6a6..b56743954f4 100644
--- a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java
+++ b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java
@@ -4,7 +4,9 @@ package com.yahoo.jdisc.http.server.jetty;
import com.google.inject.Inject;
import com.yahoo.jdisc.Metric;
import com.yahoo.jdisc.http.ConnectorConfig;
+import com.yahoo.jdisc.http.SslProvider;
import com.yahoo.jdisc.http.ssl.SslContextFactoryProvider;
+import com.yahoo.jdisc.http.ssl.impl.DefaultConnectorSsl;
import com.yahoo.security.tls.MixedMode;
import com.yahoo.security.tls.TransportSecurityUtils;
import org.eclipse.jetty.alpn.server.ALPNServerConnectionFactory;
@@ -41,14 +43,14 @@ public class ConnectorFactory {
private static final Logger log = Logger.getLogger(ConnectorFactory.class.getName());
private final ConnectorConfig connectorConfig;
- private final SslContextFactoryProvider sslContextFactoryProvider;
+ private final SslProvider sslProvider;
@Inject
public ConnectorFactory(ConnectorConfig connectorConfig,
- SslContextFactoryProvider sslContextFactoryProvider) {
+ SslProvider sslProvider) {
runtimeConnectorConfigValidation(connectorConfig);
this.connectorConfig = connectorConfig;
- this.sslContextFactoryProvider = sslContextFactoryProvider;
+ this.sslProvider = sslProvider;
}
// Perform extra connector config validation that can only be performed at runtime,
@@ -180,12 +182,28 @@ public class ConnectorFactory {
}
private SslConnectionFactory newSslConnectionFactory(Metric metric, ConnectionFactory wrappedFactory) {
- SslContextFactory ctxFactory = sslContextFactoryProvider.getInstance(connectorConfig.name(), connectorConfig.listenPort());
- SslConnectionFactory connectionFactory = new SslConnectionFactory(ctxFactory, wrappedFactory.getProtocol());
+ SslConnectionFactory connectionFactory = new SslConnectionFactory(createSslContextFactory(), wrappedFactory.getProtocol());
connectionFactory.addBean(new SslHandshakeFailedListener(metric, connectorConfig.name(), connectorConfig.listenPort()));
return connectionFactory;
}
+ @SuppressWarnings("removal")
+ private SslContextFactory createSslContextFactory() {
+ try {
+ DefaultConnectorSsl ssl = new DefaultConnectorSsl();
+ sslProvider.configureSsl(ssl, connectorConfig.name(), connectorConfig.listenPort());
+ return ssl.createSslContextFactory();
+ } catch (UnsupportedOperationException e) {
+ // TODO(bjorncs) Vespa 8 Remove this compatibility workaround
+ if (sslProvider instanceof SslContextFactoryProvider) {
+ return ((SslContextFactoryProvider) sslProvider)
+ .getInstance(connectorConfig.name(), connectorConfig.listenPort());
+ } else {
+ throw e;
+ }
+ }
+ }
+
private ALPNServerConnectionFactory newAlpnConnectionFactory() {
ALPNServerConnectionFactory factory = new ALPNServerConnectionFactory("h2", "http/1.1");
factory.setDefaultProtocol("http/1.1");
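Review bot: The compatibility fallback in `createSslContextFactory` uses a bare `UnsupportedOperationException` as its signal, so the same exception thrown for any other reason from within an overridden `configureSsl` of a class that still implements the deprecated `SslContextFactoryProvider` is caught and silently routes the connector to `getInstance()` instead of surfacing the error. Checking `sslProvider instanceof SslContextFactoryProvider` up front does not remove that ambiguity on its own, since the deprecated interface's default `configureSsl` is the one that throws, but the path taken should at least be visible to operators: `log.fine(() -> "Falling back to deprecated SslContextFactoryProvider.getInstance() for connector " + connectorConfig.name());` before the `getInstance` call. A comment on the `catch` naming that the exception is the signal raised by `SslContextFactoryProvider.configureSsl`'s default implementation would also make the coupling explicit for whoever removes the workaround in Vespa 8.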
diff --git a/container-core/src/main/java/com/yahoo/jdisc/http/ssl/SslContextFactoryProvider.java b/container-core/src/main/java/com/yahoo/jdisc/http/ssl/SslContextFactoryProvider.java
index 4383b511637..e786074e8d0 100644
--- a/container-core/src/main/java/com/yahoo/jdisc/http/ssl/SslContextFactoryProvider.java
+++ b/container-core/src/main/java/com/yahoo/jdisc/http/ssl/SslContextFactoryProvider.java
@@ -1,14 +1,17 @@
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.jdisc.http.ssl;
+import com.yahoo.jdisc.http.SslProvider;
import org.eclipse.jetty.util.ssl.SslContextFactory;
/**
* A provider that is used to configure SSL connectors in JDisc
*
+ * @deprecated Implement {@link SslProvider} instead
* @author bjorncs
*/
-public interface SslContextFactoryProvider extends AutoCloseable {
+@Deprecated(forRemoval = true, since = "7")
+public interface SslContextFactoryProvider extends AutoCloseable, SslProvider {
/**
* This method is called once for each SSL connector.
@@ -18,4 +21,10 @@ public interface SslContextFactoryProvider extends AutoCloseable {
SslContextFactory getInstance(String containerId, int port);
@Override default void close() {}
+
+ @Override
+ default void configureSsl(ConnectorSsl ssl, String name, int port) {
+ // Signal that getInstance() should be invoked instead
+ throw new UnsupportedOperationException();
+ }
}
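Review bot: The `UnsupportedOperationException` thrown by the default `configureSsl` carries no message, so if it ever propagates from a caller other than `ConnectorFactory`'s compatibility path (which catches it), the operator sees a bare exception with no hint that the provider only implements the deprecated `getInstance`. A message costs nothing: `throw new UnsupportedOperationException("This provider implements the deprecated getInstance(); configureSsl() is not supported");`. The earlier hunk in this file also declares `extends AutoCloseable, SslProvider` although `SslProvider` already extends `AutoCloseable`, so the explicit `AutoCloseable` is redundant.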
diff --git a/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/ConfiguredSslContextFactoryProvider.java b/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/ConfiguredSslContextFactoryProvider.java
index 8916fd7760d..05a013c036e 100644
--- a/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/ConfiguredSslContextFactoryProvider.java
+++ b/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/ConfiguredSslContextFactoryProvider.java
@@ -2,14 +2,12 @@
package com.yahoo.jdisc.http.ssl.impl;
import com.yahoo.jdisc.http.ConnectorConfig;
-import com.yahoo.jdisc.http.ConnectorConfig.Ssl.ClientAuth;
-import com.yahoo.jdisc.http.ssl.SslContextFactoryProvider;
+import com.yahoo.jdisc.http.SslProvider;
import com.yahoo.security.KeyUtils;
import com.yahoo.security.SslContextBuilder;
import com.yahoo.security.X509CertificateUtils;
import com.yahoo.security.tls.AutoReloadingX509KeyManager;
import com.yahoo.security.tls.TlsContext;
-import org.eclipse.jetty.util.ssl.SslContextFactory;
import javax.net.ssl.SSLContext;
import java.io.IOException;
@@ -23,15 +21,12 @@ import java.util.ArrayList;
import java.util.List;
import java.util.Optional;
-import static com.yahoo.jdisc.http.ssl.impl.SslContextFactoryUtils.setEnabledCipherSuites;
-import static com.yahoo.jdisc.http.ssl.impl.SslContextFactoryUtils.setEnabledProtocols;
-
/**
- * An implementation of {@link SslContextFactoryProvider} that uses the {@link ConnectorConfig} to construct a {@link SslContextFactory}.
+ * An implementation of {@link SslProvider} that uses the {@link ConnectorConfig} to configure SSL.
*
* @author bjorncs
*/
-public class ConfiguredSslContextFactoryProvider implements SslContextFactoryProvider {
+public class ConfiguredSslContextFactoryProvider implements SslProvider {
private volatile AutoReloadingX509KeyManager keyManager;
private final ConnectorConfig connectorConfig;
@@ -42,7 +37,7 @@ public class ConfiguredSslContextFactoryProvider implements SslContextFactoryPro
}
@Override
- public SslContextFactory getInstance(String containerId, int port) {
+ public void configureSsl(ConnectorSsl ssl, String name, int port) {
ConnectorConfig.Ssl sslConfig = connectorConfig.ssl();
if (!sslConfig.enabled()) throw new IllegalStateException();
@@ -62,23 +57,31 @@ public class ConfiguredSslContextFactoryProvider implements SslContextFactoryPro
SSLContext sslContext = builder.build();
- SslContextFactory.Server factory = new SslContextFactory.Server();
- factory.setSslContext(sslContext);
-
- factory.setNeedClientAuth(sslConfig.clientAuth() == ClientAuth.Enum.NEED_AUTH);
- factory.setWantClientAuth(sslConfig.clientAuth() == ClientAuth.Enum.WANT_AUTH);
+ ssl.setSslContext(sslContext);
+
+ switch (sslConfig.clientAuth()) {
+ case NEED_AUTH:
+ ssl.setClientAuth(ConnectorSsl.ClientAuth.NEED);
+ break;
+ case WANT_AUTH:
+ ssl.setClientAuth(ConnectorSsl.ClientAuth.WANT);
+ break;
+ case DISABLED:
+ ssl.setClientAuth(ConnectorSsl.ClientAuth.DISABLED);
+ break;
+ default:
+ throw new IllegalArgumentException(sslConfig.clientAuth().toString());
+ }
List<String> protocols = !sslConfig.enabledProtocols().isEmpty()
? sslConfig.enabledProtocols()
: new ArrayList<>(TlsContext.getAllowedProtocols(sslContext));
- setEnabledProtocols(factory, sslContext, protocols);
+ ssl.setEnabledProtocolVersions(protocols);
List<String> ciphers = !sslConfig.enabledCipherSuites().isEmpty()
? sslConfig.enabledCipherSuites()
: new ArrayList<>(TlsContext.getAllowedCipherSuites(sslContext));
- setEnabledCipherSuites(factory, sslContext, ciphers);
-
- return factory;
+ ssl.setEnabledCipherSuites(ciphers);
}
@Override
diff --git a/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/DefaultConnectorSsl.java b/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/DefaultConnectorSsl.java
new file mode 100644
index 00000000000..65f877a6029
--- /dev/null
+++ b/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/DefaultConnectorSsl.java
@@ -0,0 +1,94 @@
+// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.jdisc.http.ssl.impl;
+
+import com.yahoo.jdisc.http.SslProvider;
+import org.eclipse.jetty.util.ssl.SslContextFactory;
+
+import javax.net.ssl.SSLContext;
+import java.security.KeyStore;
+import java.util.List;
+
+/**
+ * Default implementation of {@link SslProvider} backed by {@link SslContextFactory.Server}
+ *
+ * @author bjorncs
+ */
+public class DefaultConnectorSsl implements SslProvider.ConnectorSsl {
+
+ private SSLContext sslContext;
+ private ClientAuth clientAuth;
+ private List<String> cipherSuites = List.of();
+ private List<String> protocolVersions = List.of();
+ private KeyStore keystore;
+ private char[] keystorePassword;
+ private KeyStore truststore;
+ private char[] truststorePassword;
+
+ @Override
+ public SslProvider.ConnectorSsl setSslContext(SSLContext ctx) {
+ this.sslContext = ctx; return this;
+ }
+
+ @Override
+ public SslProvider.ConnectorSsl setClientAuth(SslProvider.ConnectorSsl.ClientAuth auth) {
+ this.clientAuth = auth; return this;
+ }
+
+ @Override
+ public SslProvider.ConnectorSsl setEnabledCipherSuites(List<String> ciphers) {
+ this.cipherSuites = ciphers; return this;
+ }
+
+ @Override
+ public SslProvider.ConnectorSsl setEnabledProtocolVersions(List<String> versions) {
+ this.protocolVersions = versions; return this;
+ }
+
+ @Override
+ public SslProvider.ConnectorSsl setKeystore(KeyStore keystore, char[] password) {
+ this.keystore = keystore; this.keystorePassword = password; return this;
+ }
+
+ @Override
+ public SslProvider.ConnectorSsl setKeystore(KeyStore keystore) {
+ this.keystore = keystore; return this;
+ }
+
+ @Override
+ public SslProvider.ConnectorSsl setTruststore(KeyStore truststore, char[] password) {
+ this.truststore = truststore; this.truststorePassword = password; return this;
+ }
+
+ @Override
+ public SslProvider.ConnectorSsl setTruststore(KeyStore truststore) {
+ this.truststore = truststore; return this;
+ }
+
+ public SslContextFactory.Server createSslContextFactory() {
+ SslContextFactory.Server ssl = new SslContextFactory.Server();
+ if (sslContext != null) ssl.setSslContext(sslContext);
+ if (keystore != null) ssl.setKeyStore(keystore);
+ if (keystorePassword != null) ssl.setKeyStorePassword(new String(keystorePassword));
+ if (truststore != null) ssl.setTrustStore(truststore);
+ if (truststorePassword != null) ssl.setTrustStorePassword(new String(truststorePassword));
+ switch (clientAuth) {
+ case DISABLED:
+ ssl.setWantClientAuth(false);
+ ssl.setNeedClientAuth(false);
+ break;
+ case NEED:
+ ssl.setWantClientAuth(false);
+ ssl.setNeedClientAuth(true);
+ break;
+ case WANT:
+ ssl.setWantClientAuth(true);
+ ssl.setNeedClientAuth(false);
+ break;
+ default:
+ throw new IllegalArgumentException(clientAuth.name());
+ }
+ if (!cipherSuites.isEmpty()) SslContextFactoryUtils.setEnabledCipherSuites(ssl, sslContext, cipherSuites);
+ if (!protocolVersions.isEmpty()) SslContextFactoryUtils.setEnabledProtocols(ssl, sslContext, protocolVersions);
+ return ssl;
+ }
+}
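Review bot: `switch (clientAuth)` in `createSslContextFactory` dereferences the `clientAuth` field, which is only assigned by `setClientAuth`, so an `SslProvider` that never calls that setter fails with a `NullPointerException` from the switch rather than a meaningful error. Either give the field a documented default, `private ClientAuth clientAuth = ClientAuth.DISABLED;`, or fail explicitly before the switch with `if (clientAuth == null) throw new IllegalStateException("Client auth mode not set");` — the latter is the safer choice, since a client-auth mode that is silently disabled is the kind of gap that goes unnoticed. Separately, `new String(keystorePassword)` turns the `char[]` password into an immutable `String` that cannot be zeroed; this is forced by Jetty's `setKeyStorePassword(String)`, but a comment saying so would stop a reader from assuming the `char[]` parameter buys anything here. The `cipherSuites` and `protocolVersions` lists are stored by reference; `List.copyOf(ciphers)` in the setters would make the object immune to later mutation by the caller.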
diff --git a/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/DefaultSslContextFactoryProvider.java b/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/DefaultSslContextFactoryProvider.java
index c3c99b71c46..c8cf5195c4c 100644
--- a/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/DefaultSslContextFactoryProvider.java
+++ b/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/DefaultSslContextFactoryProvider.java
@@ -4,23 +4,22 @@ package com.yahoo.jdisc.http.ssl.impl;
import com.google.inject.Inject;
import com.yahoo.component.AbstractComponent;
import com.yahoo.jdisc.http.ConnectorConfig;
-import com.yahoo.jdisc.http.ssl.SslContextFactoryProvider;
+import com.yahoo.jdisc.http.SslProvider;
import com.yahoo.security.tls.ConfigFileBasedTlsContext;
import com.yahoo.security.tls.PeerAuthentication;
import com.yahoo.security.tls.TlsContext;
import com.yahoo.security.tls.TransportSecurityUtils;
-import org.eclipse.jetty.util.ssl.SslContextFactory;
import java.nio.file.Path;
/**
- * The default implementation of {@link SslContextFactoryProvider} to be injected into connectors without explicit ssl configuration.
+ * The default implementation of {@link SslProvider} to be injected into connectors without explicit ssl configuration.
*
* @author bjorncs
*/
-public class DefaultSslContextFactoryProvider extends AbstractComponent implements SslContextFactoryProvider {
+public class DefaultSslContextFactoryProvider extends AbstractComponent implements SslProvider {
- private final SslContextFactoryProvider instance;
+ private final SslProvider instance;
@Inject
public DefaultSslContextFactoryProvider(ConnectorConfig connectorConfig) {
@@ -29,7 +28,7 @@ public class DefaultSslContextFactoryProvider extends AbstractComponent implemen
.orElseGet(ThrowingSslContextFactoryProvider::new);
}
- private static SslContextFactoryProvider createTlsContextBasedProvider(ConnectorConfig connectorConfig, Path configFile) {
+ private static SslProvider createTlsContextBasedProvider(ConnectorConfig connectorConfig, Path configFile) {
return new StaticTlsContextBasedProvider(
new ConfigFileBasedTlsContext(
configFile, TransportSecurityUtils.getInsecureAuthorizationMode(), getPeerAuthenticationMode(connectorConfig)));
@@ -46,8 +45,8 @@ public class DefaultSslContextFactoryProvider extends AbstractComponent implemen
}
@Override
- public SslContextFactory getInstance(String containerId, int port) {
- return instance.getInstance(containerId, port);
+ public void configureSsl(ConnectorSsl ssl, String name, int port) {
+ instance.configureSsl(ssl, name, port);
}
@Override
@@ -55,9 +54,9 @@ public class DefaultSslContextFactoryProvider extends AbstractComponent implemen
instance.close();
}
- private static class ThrowingSslContextFactoryProvider implements SslContextFactoryProvider {
+ private static class ThrowingSslContextFactoryProvider implements SslProvider {
@Override
- public SslContextFactory getInstance(String containerId, int port) {
+ public void configureSsl(ConnectorSsl ssl, String name, int port) {
throw new UnsupportedOperationException();
}
}
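Review bot: `ThrowingSslContextFactoryProvider.configureSsl` throws a message-less `UnsupportedOperationException`, which is also the exception type that `ConnectorFactory.createSslContextFactory` treats as its compatibility signal; because this class implements `SslProvider` rather than the deprecated interface the exception is rethrown there, but it then reaches the operator with no indication of the cause, which from the `orElseGet` in the constructor appears to be a connector asking for SSL while no TLS configuration was found. Include the connector in the message: `throw new UnsupportedOperationException("No TLS configuration available for connector '" + name + "' (port " + port + ")");`. The `name` and `port` parameters are otherwise unused in this method.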
diff --git a/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/SslContextFactoryUtils.java b/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/SslContextFactoryUtils.java
index 07c599aa229..e7c9e4f0bee 100644
--- a/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/SslContextFactoryUtils.java
+++ b/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/SslContextFactoryUtils.java
@@ -4,6 +4,8 @@ package com.yahoo.jdisc.http.ssl.impl;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLParameters;
+import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.List;
@@ -12,14 +14,14 @@ import java.util.List;
*/
class SslContextFactoryUtils {
- static void setEnabledCipherSuites(SslContextFactory factory, SSLContext sslContext, List<String> enabledCiphers) {
- String[] supportedCiphers = sslContext.getSupportedSSLParameters().getCipherSuites();
+ static void setEnabledCipherSuites(SslContextFactory factory, SSLContext sslContextOrNull, List<String> enabledCiphers) {
+ String[] supportedCiphers = supportedSslParams(sslContextOrNull).getCipherSuites();
factory.setIncludeCipherSuites(enabledCiphers.toArray(String[]::new));
factory.setExcludeCipherSuites(createExclusionList(enabledCiphers, supportedCiphers));
}
- static void setEnabledProtocols(SslContextFactory factory, SSLContext sslContext, List<String> enabledProtocols) {
- String[] supportedProtocols = sslContext.getSupportedSSLParameters().getProtocols();
+ static void setEnabledProtocols(SslContextFactory factory, SSLContext sslContextOrNull, List<String> enabledProtocols) {
+ String[] supportedProtocols = supportedSslParams(sslContextOrNull).getProtocols();
factory.setIncludeProtocols(enabledProtocols.toArray(String[]::new));
factory.setExcludeProtocols(createExclusionList(enabledProtocols, supportedProtocols));
}
@@ -29,4 +31,14 @@ class SslContextFactoryUtils {
.filter(supportedValue -> !enabledValues.contains(supportedValue))
.toArray(String[]::new);
}
+
+ private static SSLParameters supportedSslParams(SSLContext ctx) {
+ try {
+ return ctx != null
+ ? ctx.getSupportedSSLParameters()
+ : SSLContext.getDefault().getSupportedSSLParameters();
+ } catch (NoSuchAlgorithmException e) {
+ throw new IllegalStateException(e);
+ }
+ }
}
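Review bot: `supportedSslParams` silently substitutes `SSLContext.getDefault()` when no context is supplied, so the exclusion lists computed in `setEnabledCipherSuites`/`setEnabledProtocols` are then derived from the JDK default context rather than from whatever context Jetty later builds from a configured keystore; presumably the two agree on supported suites and protocols, but that assumption is not written down anywhere. I would document it on the renamed parameter: `/** @param sslContextOrNull context whose supported suites/protocols bound the exclusion list; null uses the JDK default context, assumed to support the same set as the context Jetty builds from the keystore. */`. Wrapping `NoSuchAlgorithmException` in `IllegalStateException` is fine, but a message such as `"Default SSLContext unavailable"` would help on the rare occasion it triggers.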
diff --git a/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/TlsContextBasedProvider.java b/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/TlsContextBasedProvider.java
index 3d9e0bf39d3..712388a305e 100644
--- a/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/TlsContextBasedProvider.java
+++ b/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/TlsContextBasedProvider.java
@@ -2,41 +2,34 @@
package com.yahoo.jdisc.http.ssl.impl;
import com.yahoo.component.AbstractComponent;
-import com.yahoo.jdisc.http.ssl.SslContextFactoryProvider;
+import com.yahoo.jdisc.http.SslProvider;
import com.yahoo.security.tls.TlsContext;
-import org.eclipse.jetty.util.ssl.SslContextFactory;
-import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import java.util.List;
-import static com.yahoo.jdisc.http.ssl.impl.SslContextFactoryUtils.setEnabledCipherSuites;
-import static com.yahoo.jdisc.http.ssl.impl.SslContextFactoryUtils.setEnabledProtocols;
-
/**
- * A {@link SslContextFactoryProvider} that creates {@link SslContextFactory} instances from {@link TlsContext} instances.
+ * A {@link SslProvider} that configures SSL from {@link TlsContext} instances.
*
* @author bjorncs
*/
-public abstract class TlsContextBasedProvider extends AbstractComponent implements SslContextFactoryProvider {
+public abstract class TlsContextBasedProvider extends AbstractComponent implements SslProvider {
protected abstract TlsContext getTlsContext(String containerId, int port);
@Override
- public final SslContextFactory getInstance(String containerId, int port) {
- TlsContext tlsContext = getTlsContext(containerId, port);
- SSLContext sslContext = tlsContext.context();
+ public void configureSsl(ConnectorSsl ssl, String name, int port) {
+ TlsContext tlsContext = getTlsContext(name, port);
SSLParameters parameters = tlsContext.parameters();
-
- SslContextFactory.Server sslContextFactory = new SslContextFactory.Server();
- sslContextFactory.setSslContext(sslContext);
-
- sslContextFactory.setNeedClientAuth(parameters.getNeedClientAuth());
- sslContextFactory.setWantClientAuth(parameters.getWantClientAuth());
-
- setEnabledProtocols(sslContextFactory, sslContext, List.of(parameters.getProtocols()));
- setEnabledCipherSuites(sslContextFactory, sslContext, List.of(parameters.getCipherSuites()));
-
- return sslContextFactory;
+ ssl.setSslContext(tlsContext.context());
+ ssl.setEnabledProtocolVersions(List.of(parameters.getProtocols()));
+ ssl.setEnabledCipherSuites(List.of(parameters.getCipherSuites()));
+ if (parameters.getNeedClientAuth()) {
+ ssl.setClientAuth(ConnectorSsl.ClientAuth.NEED);
+ } else if (parameters.getWantClientAuth()) {
+ ssl.setClientAuth(ConnectorSsl.ClientAuth.WANT);
+ } else {
+ ssl.setClientAuth(ConnectorSsl.ClientAuth.DISABLED);
+ }
}
}
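Review bot: `configureSsl` replaces a method that was declared `public final`, but the new method is not `final`, so a subclass can now override it and skip the client-auth mode, protocol and cipher restrictions that the `TlsContext` returned by `getTlsContext` is meant to impose; the abstract `getTlsContext` remains the intended extension point. Restore the modifier: `public final void configureSsl(ConnectorSsl ssl, String name, int port) {`. The parameter is now called `name` here while `getTlsContext` still calls it `containerId`; aligning the two would avoid confusion about whether they are the same value, given that the call on the next line passes it straight through.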
diff --git a/container-core/src/test/java/com/yahoo/jdisc/http/ssl/impl/TlsContextBasedProviderTest.java b/container-core/src/test/java/com/yahoo/jdisc/http/ssl/impl/TlsContextBasedProviderTest.java
index 21597ceefcf..fce4d6ee74e 100644
--- a/container-core/src/test/java/com/yahoo/jdisc/http/ssl/impl/TlsContextBasedProviderTest.java
+++ b/container-core/src/test/java/com/yahoo/jdisc/http/ssl/impl/TlsContextBasedProviderTest.java
@@ -9,7 +9,6 @@ import com.yahoo.security.tls.HostnameVerification;
import com.yahoo.security.tls.PeerAuthentication;
import com.yahoo.security.tls.TlsContext;
import com.yahoo.security.tls.policy.AuthorizedPeers;
-import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.junit.Test;
import javax.security.auth.x500.X500Principal;
@@ -24,7 +23,6 @@ import java.util.Set;
import static com.yahoo.security.KeyAlgorithm.EC;
import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_ECDSA;
import static org.junit.Assert.assertArrayEquals;
-import static org.junit.Assert.assertNotNull;
/**
* @author bjorncs
@@ -35,9 +33,9 @@ public class TlsContextBasedProviderTest {
public void creates_sslcontextfactory_from_tlscontext() {
TlsContext tlsContext = createTlsContext();
var provider = new SimpleTlsContextBasedProvider(tlsContext);
- SslContextFactory sslContextFactory = provider.getInstance("dummyContainerId", 8080);
- assertNotNull(sslContextFactory);
- assertArrayEquals(tlsContext.parameters().getCipherSuites(), sslContextFactory.getIncludeCipherSuites());
+ DefaultConnectorSsl ssl = new DefaultConnectorSsl();
+ provider.configureSsl(ssl, "dummyContainerId", 8080);
+ assertArrayEquals(tlsContext.parameters().getCipherSuites(), ssl.createSslContextFactory().getIncludeCipherSuites());
}
private static TlsContext createTlsContext() {
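Review bot: The rewritten test only checks that the cipher suites survive the round trip through `DefaultConnectorSsl`, while the new `configureSsl` in `TlsContextBasedProvider` also maps the protocols and the client-auth mode, neither of which is asserted. Extending it is two lines: `var factory = ssl.createSslContextFactory();` followed by `assertArrayEquals(tlsContext.parameters().getProtocols(), factory.getIncludeProtocols());`, and comparing `factory.getNeedClientAuth()`/`factory.getWantClientAuth()` with `tlsContext.parameters()` would cover the branch added in that class. Creating the factory once also avoids calling `createSslContextFactory()` inside the assertion.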