author | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2022-05-31 16:02:18 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-05-31 16:02:18 +0200 |
commit | dc6437be5ca9e522004e2d01bc5df9dedd8d00cf (patch) | |
tree | 40574ce6343862a895ef99e57396516bc3fc7df3 /container-core | |
parent | b419a1ac99d50e71277fad14690270f841e27baa (diff) | |
parent | 8fe3095dff515019786b779929b6550fd2ed5c5b (diff) |
Merge pull request #22760 from vespa-engine/bjorncs/hide-jetty-from-publicapi
`SslContextFactoryProvider` replacement [run-systemtest]
Diffstat (limited to 'container-core')
10 files changed, 285 insertions, 67 deletions
diff --git a/container-core/abi-spec.json b/container-core/abi-spec.json
index 78a1c044d35..8ca6507f73e 100644
--- a/container-core/abi-spec.json
+++ b/container-core/abi-spec.json
@@ -2090,6 +2090,60 @@ "public static final java.lang.String[] CONFIG_DEF_SCHEMA" ] }, + "com.yahoo.jdisc.http.SslProvider$ConnectorSsl$ClientAuth": { + "superClass": "java.lang.Enum", + "interfaces": [], + "attributes": [ + "public", + "final", + "enum" + ], + "methods": [ + "public static com.yahoo.jdisc.http.SslProvider$ConnectorSsl$ClientAuth[] values()", + "public static com.yahoo.jdisc.http.SslProvider$ConnectorSsl$ClientAuth valueOf(java.lang.String)" + ], + "fields": [ + "public static final enum com.yahoo.jdisc.http.SslProvider$ConnectorSsl$ClientAuth DISABLED", + "public static final enum com.yahoo.jdisc.http.SslProvider$ConnectorSsl$ClientAuth WANT", + "public static final enum com.yahoo.jdisc.http.SslProvider$ConnectorSsl$ClientAuth NEED" + ] + }, + "com.yahoo.jdisc.http.SslProvider$ConnectorSsl": { + "superClass": "java.lang.Object", + "interfaces": [], + "attributes": [ + "public", + "interface", + "abstract" + ], + "methods": [ + "public abstract com.yahoo.jdisc.http.SslProvider$ConnectorSsl setSslContext(javax.net.ssl.SSLContext)", + "public abstract com.yahoo.jdisc.http.SslProvider$ConnectorSsl setClientAuth(com.yahoo.jdisc.http.SslProvider$ConnectorSsl$ClientAuth)", + "public abstract com.yahoo.jdisc.http.SslProvider$ConnectorSsl setEnabledCipherSuites(java.util.List)", + "public abstract com.yahoo.jdisc.http.SslProvider$ConnectorSsl setEnabledProtocolVersions(java.util.List)", + "public abstract com.yahoo.jdisc.http.SslProvider$ConnectorSsl setKeystore(java.security.KeyStore, char[])", + "public abstract com.yahoo.jdisc.http.SslProvider$ConnectorSsl setKeystore(java.security.KeyStore)", + "public abstract com.yahoo.jdisc.http.SslProvider$ConnectorSsl setTruststore(java.security.KeyStore, char[])", + "public abstract com.yahoo.jdisc.http.SslProvider$ConnectorSsl setTruststore(java.security.KeyStore)" + ], + "fields": [] + }, + "com.yahoo.jdisc.http.SslProvider": { + "superClass": "java.lang.Object", + "interfaces": [ + "java.lang.AutoCloseable" + 
], + "attributes": [ + "public", + "interface", + "abstract" + ], + "methods": [ + "public abstract void configureSsl(com.yahoo.jdisc.http.SslProvider$ConnectorSsl, java.lang.String, int)", + "public void close()" + ], + "fields": [] + }, "com.yahoo.jdisc.http.filter.DiscFilterRequest$ThreadLocalSimpleDateFormat": { "superClass": "java.lang.ThreadLocal", "interfaces": [], @@ -2407,7 +2461,8 @@ "com.yahoo.jdisc.http.ssl.SslContextFactoryProvider": { "superClass": "java.lang.Object", "interfaces": [ - "java.lang.AutoCloseable" + "java.lang.AutoCloseable", + "com.yahoo.jdisc.http.SslProvider" ], "attributes": [ "public", @@ -2416,7 +2471,8 @@ ], "methods": [ "public abstract org.eclipse.jetty.util.ssl.SslContextFactory getInstance(java.lang.String, int)", - "public void close()" + "public void close()", + "public void configureSsl(com.yahoo.jdisc.http.SslProvider$ConnectorSsl, java.lang.String, int)" ], "fields": [] }, diff --git a/container-core/src/main/java/com/yahoo/jdisc/http/SslProvider.java b/container-core/src/main/java/com/yahoo/jdisc/http/SslProvider.java new file mode 100644 index 00000000000..bbdba395910 --- /dev/null +++ b/container-core/src/main/java/com/yahoo/jdisc/http/SslProvider.java 
@@ -0,0 +1,36 @@
+// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.jdisc.http;
+
+import javax.net.ssl.SSLContext;
+import java.security.KeyStore;
+import java.util.List;
+
+/**
+ * Provides SSL/TLS configuration for a server connector.
+ *
+ * @author bjorncs
+ */
+public interface SslProvider extends AutoCloseable {
+
+ interface ConnectorSsl {
+ enum ClientAuth { DISABLED, WANT, NEED }
+ ConnectorSsl setSslContext(SSLContext ctx);
+ ConnectorSsl setClientAuth(ConnectorSsl.ClientAuth auth);
+ ConnectorSsl setEnabledCipherSuites(List<String> ciphers);
+ ConnectorSsl setEnabledProtocolVersions(List<String> versions);
+ ConnectorSsl setKeystore(KeyStore keystore, char[] password);
+ ConnectorSsl setKeystore(KeyStore keystore);
+ ConnectorSsl setTruststore(KeyStore truststore, char[] password);
+ ConnectorSsl setTruststore(KeyStore truststore);
+ }
+
+ /**
+ * Invoked during configuration of server connector
+ * @param ssl provides methods to modify default SSL configuration
+ * @param name The connector name
+ * @param port The connector listen port
+ */
+ void configureSsl(ConnectorSsl ssl, String name, int port);
+
+ @Override default void close() {}
+}
diff --git a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java
index a7c5b83f6a6..b56743954f4 100644
--- a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java
+++ b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java
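Review bot: The nested `ConnectorSsl` interface and its eight setters carry no Javadoc, so an implementor of `SslProvider` cannot tell from the contract whether `setSslContext` and `setKeystore`/`setTruststore` are alternatives or may be combined, nor whether the `char[]` password is copied or retained by the receiver. A short Javadoc on `ConnectorSsl` should state how a supplied `SSLContext` relates to keystore/truststore settings, and each password-taking setter should say whether the array is held by reference (in which case the caller must not clear it before the connector is built). The `configureSsl` Javadoc would also benefit from stating that implementations may leave settings untouched and what the connector then falls back to, since that is what decides the behaviour of a partially-configured `ssl` argument.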
@@ -4,7 +4,9 @@ package com.yahoo.jdisc.http.server.jetty; import com.google.inject.Inject; import com.yahoo.jdisc.Metric; import com.yahoo.jdisc.http.ConnectorConfig; +import com.yahoo.jdisc.http.SslProvider; import com.yahoo.jdisc.http.ssl.SslContextFactoryProvider; +import com.yahoo.jdisc.http.ssl.impl.DefaultConnectorSsl; import com.yahoo.security.tls.MixedMode; import com.yahoo.security.tls.TransportSecurityUtils; import org.eclipse.jetty.alpn.server.ALPNServerConnectionFactory; @@ -41,14 +43,14 @@ public class ConnectorFactory { private static final Logger log = Logger.getLogger(ConnectorFactory.class.getName()); private final ConnectorConfig connectorConfig; - private final SslContextFactoryProvider sslContextFactoryProvider; + private final SslProvider sslProvider; @Inject public ConnectorFactory(ConnectorConfig connectorConfig, - SslContextFactoryProvider sslContextFactoryProvider) { + SslProvider sslProvider) { runtimeConnectorConfigValidation(connectorConfig); this.connectorConfig = connectorConfig; - this.sslContextFactoryProvider = sslContextFactoryProvider; + this.sslProvider = sslProvider; } // Perform extra connector config validation that can only be performed at runtime, 
@@ -180,12 +182,28 @@ public class ConnectorFactory { } private SslConnectionFactory newSslConnectionFactory(Metric metric, ConnectionFactory wrappedFactory) { - SslContextFactory ctxFactory = sslContextFactoryProvider.getInstance(connectorConfig.name(), connectorConfig.listenPort()); - SslConnectionFactory connectionFactory = new SslConnectionFactory(ctxFactory, wrappedFactory.getProtocol()); + SslConnectionFactory connectionFactory = new SslConnectionFactory(createSslContextFactory(), wrappedFactory.getProtocol()); connectionFactory.addBean(new SslHandshakeFailedListener(metric, connectorConfig.name(), connectorConfig.listenPort())); return connectionFactory; } + @SuppressWarnings("removal") + private SslContextFactory createSslContextFactory() { + try { + DefaultConnectorSsl ssl = new DefaultConnectorSsl(); + sslProvider.configureSsl(ssl, connectorConfig.name(), connectorConfig.listenPort()); + return ssl.createSslContextFactory(); + } catch (UnsupportedOperationException e) { + // TODO(bjorncs) Vespa 8 Remove this compatibility workaround + if (sslProvider instanceof SslContextFactoryProvider) { + return ((SslContextFactoryProvider) sslProvider) + .getInstance(connectorConfig.name(), connectorConfig.listenPort()); + } else { + throw e; + } + } + } + private ALPNServerConnectionFactory newAlpnConnectionFactory() { ALPNServerConnectionFactory factory = new ALPNServerConnectionFactory("h2", "http/1.1"); factory.setDefaultProtocol("http/1.1"); diff --git a/container-core/src/main/java/com/yahoo/jdisc/http/ssl/SslContextFactoryProvider.java b/container-core/src/main/java/com/yahoo/jdisc/http/ssl/SslContextFactoryProvider.java index 4383b511637..e786074e8d0 100644 --- a/container-core/src/main/java/com/yahoo/jdisc/http/ssl/SslContextFactoryProvider.java +++ b/container-core/src/main/java/com/yahoo/jdisc/http/ssl/SslContextFactoryProvider.java 
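Review bot: In `createSslContextFactory` the `try` block also wraps `ssl.createSslContextFactory()`, so an `UnsupportedOperationException` raised while building the Jetty factory (not just the deliberate signal from the deprecated `SslContextFactoryProvider.configureSsl` default) is misread as "use the legacy path" whenever the provider happens to implement `SslContextFactoryProvider`. Narrowing the `try` to the `configureSsl` call keeps the compatibility signal unambiguous and lets genuine build failures propagate unchanged. The enclosing class continues outside the hunk.

```java
@SuppressWarnings("removal")
private SslContextFactory createSslContextFactory() {
    DefaultConnectorSsl ssl = new DefaultConnectorSsl();
    try {
        sslProvider.configureSsl(ssl, connectorConfig.name(), connectorConfig.listenPort());
    } catch (UnsupportedOperationException e) {
        // TODO(bjorncs) Vespa 8 Remove this compatibility workaround
        // Only the deprecated provider's default configureSsl() throws this as a "call getInstance()" signal.
        if (sslProvider instanceof SslContextFactoryProvider) {
            return ((SslContextFactoryProvider) sslProvider)
                    .getInstance(connectorConfig.name(), connectorConfig.listenPort());
        }
        throw e;
    }
    return ssl.createSslContextFactory();
}
```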
@@ -1,14 +1,17 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. package com.yahoo.jdisc.http.ssl; +import com.yahoo.jdisc.http.SslProvider; import org.eclipse.jetty.util.ssl.SslContextFactory; /** * A provider that is used to configure SSL connectors in JDisc * + * @deprecated Implement {@link SslProvider} instead * @author bjorncs */ -public interface SslContextFactoryProvider extends AutoCloseable { +@Deprecated(forRemoval = true, since = "7") +public interface SslContextFactoryProvider extends AutoCloseable, SslProvider { /** * This method is called once for each SSL connector. @@ -18,4 +21,10 @@ public interface SslContextFactoryProvider extends AutoCloseable { SslContextFactory getInstance(String containerId, int port); @Override default void close() {} + + @Override + default void configureSsl(ConnectorSsl ssl, String name, int port) { + // Signal that getInstance() should be invoked instead + throw new UnsupportedOperationException(); + } } diff --git a/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/ConfiguredSslContextFactoryProvider.java b/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/ConfiguredSslContextFactoryProvider.java index 8916fd7760d..05a013c036e 100644 --- a/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/ConfiguredSslContextFactoryProvider.java +++ b/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/ConfiguredSslContextFactoryProvider.java 
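Review bot: The new default `configureSsl` in `SslContextFactoryProvider` throws `UnsupportedOperationException` as a protocol signal that `ConnectorFactory` depends on, but this is only expressed in a line comment; a Javadoc `@throws UnsupportedOperationException always, so that the connector falls back to {@link #getInstance(String, int)}` on the method would make the contract visible to anyone overriding it, and the `@deprecated` tag on the type should mention that overriding `configureSsl` opts a legacy implementation into the new path. Also, `extends AutoCloseable, SslProvider` is redundant because `SslProvider` already extends `AutoCloseable`; presumably it is kept for the ABI spec, which is worth a one-line comment so it is not "cleaned up" later.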
@@ -2,14 +2,12 @@ package com.yahoo.jdisc.http.ssl.impl; import com.yahoo.jdisc.http.ConnectorConfig; -import com.yahoo.jdisc.http.ConnectorConfig.Ssl.ClientAuth; -import com.yahoo.jdisc.http.ssl.SslContextFactoryProvider; +import com.yahoo.jdisc.http.SslProvider; import com.yahoo.security.KeyUtils; import com.yahoo.security.SslContextBuilder; import com.yahoo.security.X509CertificateUtils; import com.yahoo.security.tls.AutoReloadingX509KeyManager; import com.yahoo.security.tls.TlsContext; -import org.eclipse.jetty.util.ssl.SslContextFactory; import javax.net.ssl.SSLContext; import java.io.IOException; @@ -23,15 +21,12 @@ import java.util.ArrayList; import java.util.List; import java.util.Optional; -import static com.yahoo.jdisc.http.ssl.impl.SslContextFactoryUtils.setEnabledCipherSuites; -import static com.yahoo.jdisc.http.ssl.impl.SslContextFactoryUtils.setEnabledProtocols; - /** - * An implementation of {@link SslContextFactoryProvider} that uses the {@link ConnectorConfig} to construct a {@link SslContextFactory}. + * An implementation of {@link SslProvider} that uses the {@link ConnectorConfig} to configure SSL. * * @author bjorncs */ -public class ConfiguredSslContextFactoryProvider implements SslContextFactoryProvider { +public class ConfiguredSslContextFactoryProvider implements SslProvider { private volatile AutoReloadingX509KeyManager keyManager; private final ConnectorConfig connectorConfig; @@ -42,7 +37,7 @@ public class ConfiguredSslContextFactoryProvider implements SslContextFactoryPro } @Override - public SslContextFactory getInstance(String containerId, int port) { + public void configureSsl(ConnectorSsl ssl, String name, int port) { ConnectorConfig.Ssl sslConfig = connectorConfig.ssl(); if (!sslConfig.enabled()) throw new IllegalStateException(); 
@@ -62,23 +57,31 @@ public class ConfiguredSslContextFactoryProvider implements SslContextFactoryPro SSLContext sslContext = builder.build(); - SslContextFactory.Server factory = new SslContextFactory.Server(); - factory.setSslContext(sslContext); - - factory.setNeedClientAuth(sslConfig.clientAuth() == ClientAuth.Enum.NEED_AUTH); - factory.setWantClientAuth(sslConfig.clientAuth() == ClientAuth.Enum.WANT_AUTH); + ssl.setSslContext(sslContext); + + switch (sslConfig.clientAuth()) { + case NEED_AUTH: + ssl.setClientAuth(ConnectorSsl.ClientAuth.NEED); + break; + case WANT_AUTH: + ssl.setClientAuth(ConnectorSsl.ClientAuth.WANT); + break; + case DISABLED: + ssl.setClientAuth(ConnectorSsl.ClientAuth.DISABLED); + break; + default: + throw new IllegalArgumentException(sslConfig.clientAuth().toString()); + } List<String> protocols = !sslConfig.enabledProtocols().isEmpty() ? sslConfig.enabledProtocols() : new ArrayList<>(TlsContext.getAllowedProtocols(sslContext)); - setEnabledProtocols(factory, sslContext, protocols); + ssl.setEnabledProtocolVersions(protocols); List<String> ciphers = !sslConfig.enabledCipherSuites().isEmpty() ? sslConfig.enabledCipherSuites() : new ArrayList<>(TlsContext.getAllowedCipherSuites(sslContext)); - setEnabledCipherSuites(factory, sslContext, ciphers); - - return factory; + ssl.setEnabledCipherSuites(ciphers); } @Override diff --git a/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/DefaultConnectorSsl.java b/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/DefaultConnectorSsl.java new file mode 100644 index 00000000000..65f877a6029 --- /dev/null +++ b/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/DefaultConnectorSsl.java 
@@ -0,0 +1,94 @@
+// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.jdisc.http.ssl.impl;
+
+import com.yahoo.jdisc.http.SslProvider;
+import org.eclipse.jetty.util.ssl.SslContextFactory;
+
+import javax.net.ssl.SSLContext;
+import java.security.KeyStore;
+import java.util.List;
+
+/**
+ * Default implementation of {@link SslProvider} backed by {@link SslContextFactory.Server}
+ *
+ * @author bjorncs
+ */
+public class DefaultConnectorSsl implements SslProvider.ConnectorSsl {
+
+ private SSLContext sslContext;
+ private ClientAuth clientAuth;
+ private List<String> cipherSuites = List.of();
+ private List<String> protocolVersions = List.of();
+ private KeyStore keystore;
+ private char[] keystorePassword;
+ private KeyStore truststore;
+ private char[] truststorePassword;
+
+ @Override
+ public SslProvider.ConnectorSsl setSslContext(SSLContext ctx) {
+ this.sslContext = ctx; return this;
+ }
+
+ @Override
+ public SslProvider.ConnectorSsl setClientAuth(SslProvider.ConnectorSsl.ClientAuth auth) {
+ this.clientAuth = auth; return this;
+ }
+
+ @Override
+ public SslProvider.ConnectorSsl setEnabledCipherSuites(List<String> ciphers) {
+ this.cipherSuites = ciphers; return this;
+ }
+
+ @Override
+ public SslProvider.ConnectorSsl setEnabledProtocolVersions(List<String> versions) {
+ this.protocolVersions = versions; return this;
+ }
+
+ @Override
+ public SslProvider.ConnectorSsl setKeystore(KeyStore keystore, char[] password) {
+ this.keystore = keystore; this.keystorePassword = password; return this;
+ }
+
+ @Override
+ public SslProvider.ConnectorSsl setKeystore(KeyStore keystore) {
+ this.keystore = keystore; return this;
+ }
+
+ @Override
+ public SslProvider.ConnectorSsl setTruststore(KeyStore truststore, char[] password) {
+ this.truststore = truststore; this.truststorePassword = password; return this;
+ }
+
+ @Override
+ public SslProvider.ConnectorSsl setTruststore(KeyStore truststore) {
+ this.truststore = truststore; return this;
+ }
+
+ public SslContextFactory.Server createSslContextFactory() {
+ SslContextFactory.Server ssl = new SslContextFactory.Server();
+ if (sslContext != null) ssl.setSslContext(sslContext);
+ if (keystore != null) ssl.setKeyStore(keystore);
+ if (keystorePassword != null) ssl.setKeyStorePassword(new String(keystorePassword));
+ if (truststore != null) ssl.setTrustStore(truststore);
+ if (truststorePassword != null) ssl.setTrustStorePassword(new String(truststorePassword));
+ switch (clientAuth) {
+ case DISABLED:
+ ssl.setWantClientAuth(false);
+ ssl.setNeedClientAuth(false);
+ break;
+ case NEED:
+ ssl.setWantClientAuth(false);
+ ssl.setNeedClientAuth(true);
+ break;
+ case WANT:
+ ssl.setWantClientAuth(true);
+ ssl.setNeedClientAuth(false);
+ break;
+ default:
+ throw new IllegalArgumentException(clientAuth.name());
+ }
+ if (!cipherSuites.isEmpty()) SslContextFactoryUtils.setEnabledCipherSuites(ssl, sslContext, cipherSuites);
+ if (!protocolVersions.isEmpty()) SslContextFactoryUtils.setEnabledProtocols(ssl, sslContext, protocolVersions);
+ return ssl;
+ }
+}
diff --git a/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/DefaultSslContextFactoryProvider.java b/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/DefaultSslContextFactoryProvider.java
index c3c99b71c46..c8cf5195c4c 100644
--- a/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/DefaultSslContextFactoryProvider.java
+++ b/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/DefaultSslContextFactoryProvider.java
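Review bot: `createSslContextFactory` does `switch (clientAuth)` on a field that is initialised to null, so any `SslProvider` that configures a context or keystore but never calls `setClientAuth` makes the connector fail with a `NullPointerException` instead of getting Jetty's default of no client authentication; initialising the field as `private ClientAuth clientAuth = ClientAuth.DISABLED;` matches the `DISABLED` branch, which sets both want and need to false, and removes the failure mode. Separately, `setEnabledCipherSuites`/`setEnabledProtocolVersions` store the caller's list by reference and would pass null straight into `isEmpty()`; `this.cipherSuites = List.copyOf(ciphers);` (and the same for versions) gives an immutable snapshot and a fail-fast NPE at the setter. The `new String(keystorePassword)` / `new String(truststorePassword)` conversions are forced by Jetty's String-taking setters, but it is worth a one-line comment that the password therefore ends up in an immutable heap String despite the `char[]` API.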
@@ -4,23 +4,22 @@ package com.yahoo.jdisc.http.ssl.impl; import com.google.inject.Inject; import com.yahoo.component.AbstractComponent; import com.yahoo.jdisc.http.ConnectorConfig; -import com.yahoo.jdisc.http.ssl.SslContextFactoryProvider; +import com.yahoo.jdisc.http.SslProvider; import com.yahoo.security.tls.ConfigFileBasedTlsContext; import com.yahoo.security.tls.PeerAuthentication; import com.yahoo.security.tls.TlsContext; import com.yahoo.security.tls.TransportSecurityUtils; -import org.eclipse.jetty.util.ssl.SslContextFactory; import java.nio.file.Path; /** - * The default implementation of {@link SslContextFactoryProvider} to be injected into connectors without explicit ssl configuration. + * The default implementation of {@link SslProvider} to be injected into connectors without explicit ssl configuration. * * @author bjorncs */ -public class DefaultSslContextFactoryProvider extends AbstractComponent implements SslContextFactoryProvider { +public class DefaultSslContextFactoryProvider extends AbstractComponent implements SslProvider { - private final SslContextFactoryProvider instance; + private final SslProvider instance; @Inject public DefaultSslContextFactoryProvider(ConnectorConfig connectorConfig) { @@ -29,7 +28,7 @@ public class DefaultSslContextFactoryProvider extends AbstractComponent implemen .orElseGet(ThrowingSslContextFactoryProvider::new); } - private static SslContextFactoryProvider createTlsContextBasedProvider(ConnectorConfig connectorConfig, Path configFile) { + private static SslProvider createTlsContextBasedProvider(ConnectorConfig connectorConfig, Path configFile) { return new StaticTlsContextBasedProvider( new ConfigFileBasedTlsContext( configFile, TransportSecurityUtils.getInsecureAuthorizationMode(), getPeerAuthenticationMode(connectorConfig))); 
@@ -46,8 +45,8 @@ public class DefaultSslContextFactoryProvider extends AbstractComponent implemen } @Override - public SslContextFactory getInstance(String containerId, int port) { - return instance.getInstance(containerId, port); + public void configureSsl(ConnectorSsl ssl, String name, int port) { + instance.configureSsl(ssl, name, port); } @Override @@ -55,9 +54,9 @@ public class DefaultSslContextFactoryProvider extends AbstractComponent implemen instance.close(); } - private static class ThrowingSslContextFactoryProvider implements SslContextFactoryProvider { + private static class ThrowingSslContextFactoryProvider implements SslProvider { @Override - public SslContextFactory getInstance(String containerId, int port) { + public void configureSsl(ConnectorSsl ssl, String name, int port) { throw new UnsupportedOperationException(); } } diff --git a/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/SslContextFactoryUtils.java b/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/SslContextFactoryUtils.java index 07c599aa229..e7c9e4f0bee 100644 --- a/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/SslContextFactoryUtils.java +++ b/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/SslContextFactoryUtils.java @@ -4,6 +4,8 @@ package com.yahoo.jdisc.http.ssl.impl; import org.eclipse.jetty.util.ssl.SslContextFactory; import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLParameters; +import java.security.NoSuchAlgorithmException; import java.util.Arrays; import java.util.List; 
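Review bot: `ThrowingSslContextFactoryProvider.configureSsl` keeps the bare `throw new UnsupportedOperationException();`, which now collides semantically with the exception `ConnectorFactory.createSslContextFactory` catches as its "use the deprecated getInstance() path" signal; this class is not an `SslContextFactoryProvider`, so the exception is rethrown, but the operator sees an exception with no message explaining that the connector had TLS enabled without any TLS configuration available. Giving it a message such as `throw new UnsupportedOperationException("No TLS configuration available for connector '" + name + "' on port " + port);` makes the failure diagnosable and distinguishes it from the compatibility signal. The same applies to `configureSsl` in the outer class, which simply delegates and inherits this behaviour.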
@@ -12,14 +14,14 @@ import java.util.List; */ class SslContextFactoryUtils { - static void setEnabledCipherSuites(SslContextFactory factory, SSLContext sslContext, List<String> enabledCiphers) { - String[] supportedCiphers = sslContext.getSupportedSSLParameters().getCipherSuites(); + static void setEnabledCipherSuites(SslContextFactory factory, SSLContext sslContextOrNull, List<String> enabledCiphers) { + String[] supportedCiphers = supportedSslParams(sslContextOrNull).getCipherSuites(); factory.setIncludeCipherSuites(enabledCiphers.toArray(String[]::new)); factory.setExcludeCipherSuites(createExclusionList(enabledCiphers, supportedCiphers)); } - static void setEnabledProtocols(SslContextFactory factory, SSLContext sslContext, List<String> enabledProtocols) { - String[] supportedProtocols = sslContext.getSupportedSSLParameters().getProtocols(); + static void setEnabledProtocols(SslContextFactory factory, SSLContext sslContextOrNull, List<String> enabledProtocols) { + String[] supportedProtocols = supportedSslParams(sslContextOrNull).getProtocols(); factory.setIncludeProtocols(enabledProtocols.toArray(String[]::new)); factory.setExcludeProtocols(createExclusionList(enabledProtocols, supportedProtocols)); } @@ -29,4 +31,14 @@ class SslContextFactoryUtils { .filter(supportedValue -> !enabledValues.contains(supportedValue)) .toArray(String[]::new); } + + private static SSLParameters supportedSslParams(SSLContext ctx) { + try { + return ctx != null + ? ctx.getSupportedSSLParameters() + : SSLContext.getDefault().getSupportedSSLParameters(); + } catch (NoSuchAlgorithmException e) { + throw new IllegalStateException(e); + } + } } diff --git a/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/TlsContextBasedProvider.java b/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/TlsContextBasedProvider.java index 3d9e0bf39d3..712388a305e 100644 --- a/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/TlsContextBasedProvider.java 
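Review bot: `supportedSslParams` falls back to `SSLContext.getDefault().getSupportedSSLParameters()` when no context is passed, so for a `DefaultConnectorSsl` configured via keystore rather than `setSslContext` the exclusion lists handed to Jetty are derived from the JVM default context, not from the context Jetty will build from that keystore; presumably both come from the same provider and agree, but that assumption should be written down, e.g. `// No explicit context: assume the JVM default provider supports the same suites/protocols as the context Jetty builds from the keystore`. The renamed `sslContextOrNull` parameter also deserves a Javadoc `@param` on both package-private methods stating that null selects the default context. Wrapping `NoSuchAlgorithmException` in `IllegalStateException` is appropriate here since the default algorithm always exists on a conforming JVM.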
+++ b/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/TlsContextBasedProvider.java 
@@ -2,41 +2,34 @@ package com.yahoo.jdisc.http.ssl.impl; import com.yahoo.component.AbstractComponent; -import com.yahoo.jdisc.http.ssl.SslContextFactoryProvider; +import com.yahoo.jdisc.http.SslProvider; import com.yahoo.security.tls.TlsContext; -import org.eclipse.jetty.util.ssl.SslContextFactory; -import javax.net.ssl.SSLContext; import javax.net.ssl.SSLParameters; import java.util.List; -import static com.yahoo.jdisc.http.ssl.impl.SslContextFactoryUtils.setEnabledCipherSuites; -import static com.yahoo.jdisc.http.ssl.impl.SslContextFactoryUtils.setEnabledProtocols; - /** - * A {@link SslContextFactoryProvider} that creates {@link SslContextFactory} instances from {@link TlsContext} instances. + * A {@link SslProvider} that configures SSL from {@link TlsContext} instances. * * @author bjorncs */ -public abstract class TlsContextBasedProvider extends AbstractComponent implements SslContextFactoryProvider { +public abstract class TlsContextBasedProvider extends AbstractComponent implements SslProvider { protected abstract TlsContext getTlsContext(String containerId, int port); @Override - public final SslContextFactory getInstance(String containerId, int port) { - TlsContext tlsContext = getTlsContext(containerId, port); - SSLContext sslContext = tlsContext.context(); + public void configureSsl(ConnectorSsl ssl, String name, int port) { + TlsContext tlsContext = getTlsContext(name, port); SSLParameters parameters = tlsContext.parameters(); - - SslContextFactory.Server sslContextFactory = new SslContextFactory.Server(); - sslContextFactory.setSslContext(sslContext); - - sslContextFactory.setNeedClientAuth(parameters.getNeedClientAuth()); - sslContextFactory.setWantClientAuth(parameters.getWantClientAuth()); - - setEnabledProtocols(sslContextFactory, sslContext, List.of(parameters.getProtocols())); - setEnabledCipherSuites(sslContextFactory, sslContext, List.of(parameters.getCipherSuites())); - - return sslContextFactory; + ssl.setSslContext(tlsContext.context()); + 
ssl.setEnabledProtocolVersions(List.of(parameters.getProtocols())); + ssl.setEnabledCipherSuites(List.of(parameters.getCipherSuites())); + if (parameters.getNeedClientAuth()) { + ssl.setClientAuth(ConnectorSsl.ClientAuth.NEED); + } else if (parameters.getWantClientAuth()) { + ssl.setClientAuth(ConnectorSsl.ClientAuth.WANT); + } else { + ssl.setClientAuth(ConnectorSsl.ClientAuth.DISABLED); + } } } diff --git a/container-core/src/test/java/com/yahoo/jdisc/http/ssl/impl/TlsContextBasedProviderTest.java b/container-core/src/test/java/com/yahoo/jdisc/http/ssl/impl/TlsContextBasedProviderTest.java index 21597ceefcf..fce4d6ee74e 100644 --- a/container-core/src/test/java/com/yahoo/jdisc/http/ssl/impl/TlsContextBasedProviderTest.java +++ b/container-core/src/test/java/com/yahoo/jdisc/http/ssl/impl/TlsContextBasedProviderTest.java @@ -9,7 +9,6 @@ import com.yahoo.security.tls.HostnameVerification; import com.yahoo.security.tls.PeerAuthentication; import com.yahoo.security.tls.TlsContext; import com.yahoo.security.tls.policy.AuthorizedPeers; -import org.eclipse.jetty.util.ssl.SslContextFactory; import org.junit.Test; import javax.security.auth.x500.X500Principal; @@ -24,7 +23,6 @@ import java.util.Set; import static com.yahoo.security.KeyAlgorithm.EC; import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_ECDSA; import static org.junit.Assert.assertArrayEquals; -import static org.junit.Assert.assertNotNull; /** * @author bjorncs 
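Review bot: The replacement of `public final SslContextFactory getInstance(...)` by `public void configureSsl(...)` drops the `final` modifier, so subclasses of `TlsContextBasedProvider` can now override `configureSsl` and bypass the protocol, cipher-suite and client-authentication settings that this class derives from the `TlsContext`; unless that is intended, the method should be declared `public final void configureSsl(ConnectorSsl ssl, String name, int port) {` so that the `getTlsContext` hook remains the only extension point. If overriding is intended, the class Javadoc should say so and document that overriders are responsible for applying the `TlsContext` parameters themselves.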
@@ -35,9 +33,9 @@ public class TlsContextBasedProviderTest { public void creates_sslcontextfactory_from_tlscontext() { TlsContext tlsContext = createTlsContext(); var provider = new SimpleTlsContextBasedProvider(tlsContext); - SslContextFactory sslContextFactory = provider.getInstance("dummyContainerId", 8080); - assertNotNull(sslContextFactory); - assertArrayEquals(tlsContext.parameters().getCipherSuites(), sslContextFactory.getIncludeCipherSuites()); + DefaultConnectorSsl ssl = new DefaultConnectorSsl(); + provider.configureSsl(ssl, "dummyContainerId", 8080); + assertArrayEquals(tlsContext.parameters().getCipherSuites(), ssl.createSslContextFactory().getIncludeCipherSuites()); } private static TlsContext createTlsContext() { |
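Review bot: The rewritten test only checks `getIncludeCipherSuites()` on the built factory, whereas `TlsContextBasedProvider.configureSsl` now also sets the protocol versions and the client-authentication mode, so a regression in either would pass; building the factory once and adding `assertArrayEquals(tlsContext.parameters().getProtocols(), factory.getIncludeProtocols());` and `assertEquals(tlsContext.parameters().getNeedClientAuth(), factory.getNeedClientAuth());` (plus the `getWantClientAuth` counterpart) would cover the whole new path. The test method name `creates_sslcontextfactory_from_tlscontext` also no longer describes what is exercised; something like `configures_connector_ssl_from_tlscontext` would match the new assertions.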