Revert "Use httpclient version matching zts-client"

author: Bjørn Christian Seime <bjorn.christian@seime.no> 2018-01-05 10:16:57 +0100
committer: GitHub <noreply@github.com> 2018-01-05 10:16:57 +0100
commit: 92c43eede16d4c3e5059a690e24548689f3ec204 (patch)
tree: e7ad98feb133e69f728f4ad856ec43516ed00491 /controller-server
parent: f5df837564f3e60216657cc8da35849887539c18 (diff)
2 files changed, 44 insertions, 4 deletions
diff --git a/controller-server/pom.xml b/controller-server/pom.xml
index 989dda42641..b033286b82a 100644
--- a/controller-server/pom.xml
+++ b/controller-server/pom.xml
@@ -110,8 +110,7 @@
 
         <dependency>
             <groupId>org.apache.httpcomponents</groupId>
-            <artifactId>httpclient</artifactId>
-            <version>4.5.2</version>
+            <artifactId>httpcore</artifactId>
         </dependency>
 
         <dependency>
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java
index 3f8e177ac8a..379e5c10847 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java
@@ -7,8 +7,10 @@ import com.google.inject.Inject;
 import com.yahoo.config.provision.Environment;
 import com.yahoo.io.IOUtils;
 import com.yahoo.jdisc.http.HttpRequest.Method;
+import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzIdentity;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzIdentityVerifier;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzSslContextProvider;
+import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzUtils;
 import com.yahoo.vespa.hosted.controller.api.integration.zone.ZoneId;
 import com.yahoo.vespa.hosted.controller.api.integration.zone.ZoneList;
 import com.yahoo.vespa.hosted.controller.api.integration.zone.ZoneRegistry;
@@ -21,14 +23,19 @@ import org.apache.http.client.methods.HttpPatch;
 import org.apache.http.client.methods.HttpPost;
 import org.apache.http.client.methods.HttpPut;
 import org.apache.http.client.methods.HttpRequestBase;
+import org.apache.http.conn.ssl.X509HostnameVerifier;
 import org.apache.http.entity.InputStreamEntity;
 import org.apache.http.impl.client.CloseableHttpClient;
 import org.apache.http.impl.client.HttpClientBuilder;
 
+import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.SSLSocket;
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.URI;
 import java.nio.charset.StandardCharsets;
+import java.security.cert.X509Certificate;
 import java.time.Duration;
 import java.util.ArrayList;
 import java.util.HashSet;
@@ -253,9 +260,43 @@ public class ConfigServerRestExecutorImpl implements ConfigServerRestExecutor {
                                         ZoneId.from(proxyRequest.getEnvironment(), proxyRequest.getRegion()))));
         return HttpClientBuilder.create()
                 .setUserAgent("config-server-client")
-                .setSSLContext(sslContextProvider.get())
-                .setSSLHostnameVerifier(hostnameVerifier)
+                .setSslcontext(sslContextProvider.get())
+                .setHostnameVerifier(new AthenzIdentityVerifierAdapter(hostnameVerifier))
                 .setDefaultRequestConfig(config)
                 .build();
     }
+
+    private static class AthenzIdentityVerifierAdapter implements X509HostnameVerifier {
+
+        private final AthenzIdentityVerifier verifier;
+
+        AthenzIdentityVerifierAdapter(AthenzIdentityVerifier verifier) {
+            this.verifier = verifier;
+        }
+
+        @Override
+        public boolean verify(String hostname, SSLSession sslSession) {
+            return verifier.verify(hostname, sslSession);
+        }
+
+        @Override
+        public void verify(String host, SSLSocket ssl) { /* All sockets accepted */}
+
+        @Override
+        public void verify(String hostname, X509Certificate certificate) throws SSLException {
+            AthenzIdentity identity = AthenzUtils.createAthenzIdentity(certificate);
+            if (!verifier.isTrusted(identity)) {
+                throw new SSLException("Athenz identity is not trusted: " + identity.getFullName());
+            }
+        }
+
+        @Override
+        public void verify(String hostname, String[] cns, String[] subjectAlts) throws SSLException {
+            AthenzIdentity identity = AthenzUtils.createAthenzIdentity(cns[0]);
+            if (!verifier.isTrusted(identity)) {
+                throw new SSLException("Athenz identity is not trusted: " + identity.getFullName());
+            }
+        }
+    }
+
 }
author	Bjørn Christian Seime <bjorn.christian@seime.no>	2018-01-05 10:16:57 +0100
committer	GitHub <noreply@github.com>	2018-01-05 10:16:57 +0100
commit	92c43eede16d4c3e5059a690e24548689f3ec204 (patch)
tree	e7ad98feb133e69f728f4ad856ec43516ed00491 /controller-server
parent	f5df837564f3e60216657cc8da35849887539c18 (diff)