authorBjørn Christian Seime <bjorncs@oath.com>2017-10-24 17:11:23 +0200
committerBjørn Christian Seime <bjorncs@oath.com>2017-10-24 17:11:23 +0200
commitc9fb09355a288fe604474a13c472401643d64a0c (patch)
tree021dfbd7c1fd7316a578c63724193e61b2b91c22 /container-disc/src/main
parent21a6196a1633adf98bad15525a94f0d182e50587 (diff)
Disable certificate validation for service provider client
Diffstat (limited to 'container-disc/src/main')
-rw-r--r--container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/ServiceProviderApi.java26
1 files changed, 22 insertions, 4 deletions
diff --git a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/ServiceProviderApi.java b/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/ServiceProviderApi.java
index 8d51e8b940b..388fc63d086 100644
--- a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/ServiceProviderApi.java
+++ b/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/ServiceProviderApi.java
@@ -3,6 +3,9 @@ package com.yahoo.container.jdisc.athenz.impl;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.RequestBuilder;
+import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
+import org.apache.http.conn.ssl.SSLContextBuilder;
+import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.util.EntityUtils;
@@ -10,6 +13,9 @@ import org.eclipse.jetty.http.HttpStatus;
import java.io.IOException;
import java.net.URI;
+import java.security.KeyManagementException;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
/**
* @author mortent
@@ -26,10 +32,7 @@ public class ServiceProviderApi {
* Get signed identity document from config server
*/
public String getSignedIdentityDocument() {
-
- // TODO Use client side auth to establish trusted secure channel
- try (CloseableHttpClient httpClient = HttpClientBuilder.create().build()) {
-
+ try (CloseableHttpClient httpClient = createHttpClient()) {
CloseableHttpResponse idDocResponse = httpClient.execute(RequestBuilder.get().setUri(providerUri + "/identity-document").build());
if (HttpStatus.isSuccess(idDocResponse.getStatusLine().getStatusCode())) {
return EntityUtils.toString(idDocResponse.getEntity());
@@ -42,4 +45,19 @@ public class ServiceProviderApi {
}
}
+ // TODO Use client side auth to establish trusted secure channel
+ // TODO Validate TLS certifcate of config server
+ private static CloseableHttpClient createHttpClient() {
+ try {
+ SSLContextBuilder sslContextBuilder = new SSLContextBuilder();
+ sslContextBuilder.loadTrustMaterial(null, new TrustSelfSignedStrategy());
+ SSLConnectionSocketFactory sslSocketFactory =
+ new SSLConnectionSocketFactory(sslContextBuilder.build(),
+ SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
+ return HttpClientBuilder.create().setSSLSocketFactory(sslSocketFactory).build();
+ } catch (KeyManagementException | NoSuchAlgorithmException | KeyStoreException e) {
+ throw new RuntimeException(e);
+ }
+ }
+
}
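Review bot: createHttpClient pairs TrustSelfSignedStrategy with ALLOW_ALL_HOSTNAME_VERIFIER, so the resulting client accepts any self-signed certificate for any hostname and the TLS channel authenticates nothing about the config server; the two TODO comments record this but the method's name and signature do not, so a future caller reusing it will not see that it is insecure by design. The hostname check is the cheaper half to keep: `new SSLConnectionSocketFactory(sslContextBuilder.build(), SSLConnectionSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER)` still lets a self-signed certificate through while requiring it to name the host, which narrows the exposure until the client-side auth TODO is done. Consider renaming to `createInsecureHttpClient()` or adding a Javadoc line such as `/** Returns a client that trusts any self-signed certificate and skips hostname verification; for use only until the config server certificate can be validated. */`, and fixing the typo in the second TODO (`certifcate` → `certificate`). If this build is on HttpClient 4.4 or later, the `org.apache.http.conn.ssl` forms of SSLContextBuilder, TrustSelfSignedStrategy and ALLOW_ALL_HOSTNAME_VERIFIER are deprecated in favor of the `org.apache.http.ssl` classes and NoopHostnameVerifier — worth confirming against the dependency version.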