author | Bjørn Christian Seime <bjorn.christian@seime.no> | 2018-01-05 10:16:57 +0100 |
committer | GitHub <noreply@github.com> | 2018-01-05 10:16:57 +0100 |
commit | 92c43eede16d4c3e5059a690e24548689f3ec204 (patch) | |
tree | e7ad98feb133e69f728f4ad856ec43516ed00491 /controller-server | |
parent | f5df837564f3e60216657cc8da35849887539c18 (diff) |
Revert "Use httpclient version matching zts-client"
Diffstat (limited to 'controller-server')
-rw-r--r-- | controller-server/pom.xml | 3 | ||||
-rw-r--r-- | controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java | 45 |
2 files changed, 44 insertions, 4 deletions
diff --git a/controller-server/pom.xml b/controller-server/pom.xml
index 989dda42641..b033286b82a 100644
--- a/controller-server/pom.xml
+++ b/controller-server/pom.xml
@@ -110,8 +110,7 @@
 <dependency>
 <groupId>org.apache.httpcomponents</groupId>
- <artifactId>httpclient</artifactId>
- <version>4.5.2</version>
+ <artifactId>httpcore</artifactId>
 </dependency>
 <dependency>
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java
index 3f8e177ac8a..379e5c10847 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java
@@ -7,8 +7,10 @@ import com.google.inject.Inject;
 import com.yahoo.config.provision.Environment;
 import com.yahoo.io.IOUtils;
 import com.yahoo.jdisc.http.HttpRequest.Method;
+import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzIdentity;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzIdentityVerifier;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzSslContextProvider;
+import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzUtils;
 import com.yahoo.vespa.hosted.controller.api.integration.zone.ZoneId;
 import com.yahoo.vespa.hosted.controller.api.integration.zone.ZoneList;
 import com.yahoo.vespa.hosted.controller.api.integration.zone.ZoneRegistry;
@@ -21,14 +23,19 @@ import org.apache.http.client.methods.HttpPatch;
 import org.apache.http.client.methods.HttpPost;
 import org.apache.http.client.methods.HttpPut;
 import org.apache.http.client.methods.HttpRequestBase;
+import org.apache.http.conn.ssl.X509HostnameVerifier;
 import org.apache.http.entity.InputStreamEntity;
 import org.apache.http.impl.client.CloseableHttpClient;
 import org.apache.http.impl.client.HttpClientBuilder;
+import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.SSLSocket;
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.URI;
 import java.nio.charset.StandardCharsets;
+import java.security.cert.X509Certificate;
 import java.time.Duration;
 import java.util.ArrayList;
 import java.util.HashSet;
@@ -253,9 +260,43 @@ public class ConfigServerRestExecutorImpl implements ConfigServerRestExecutor {
 ZoneId.from(proxyRequest.getEnvironment(), proxyRequest.getRegion()))));
 return HttpClientBuilder.create()
 .setUserAgent("config-server-client")
- .setSSLContext(sslContextProvider.get())
- .setSSLHostnameVerifier(hostnameVerifier)
+ .setSslcontext(sslContextProvider.get())
+ .setHostnameVerifier(new AthenzIdentityVerifierAdapter(hostnameVerifier))
 .setDefaultRequestConfig(config)
 .build();
 }
+
+ private static class AthenzIdentityVerifierAdapter implements X509HostnameVerifier {
+
+ private final AthenzIdentityVerifier verifier;
+
+ AthenzIdentityVerifierAdapter(AthenzIdentityVerifier verifier) {
+ this.verifier = verifier;
+ }
+
+ @Override
+ public boolean verify(String hostname, SSLSession sslSession) {
+ return verifier.verify(hostname, sslSession);
+ }
+
+ @Override
+ public void verify(String host, SSLSocket ssl) { /* All sockets accepted */}
+
+ @Override
+ public void verify(String hostname, X509Certificate certificate) throws SSLException {
+ AthenzIdentity identity = AthenzUtils.createAthenzIdentity(certificate);
+ if (!verifier.isTrusted(identity)) {
+ throw new SSLException("Athenz identity is not trusted: " + identity.getFullName());
+ }
+ }
+
+ @Override
+ public void verify(String hostname, String[] cns, String[] subjectAlts) throws SSLException {
+ AthenzIdentity identity = AthenzUtils.createAthenzIdentity(cns[0]);
+ if (!verifier.isTrusted(identity)) {
+ throw new SSLException("Athenz identity is not trusted: " + identity.getFullName());
+ }
+ }
+ }
+
 }
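Review bot: `verify(String host, SSLSocket ssl)` in the new AthenzIdentityVerifierAdapter accepts every socket unconditionally, and in the httpclient 4.3 line that is the overload `SSLConnectionSocketFactory` invokes after the handshake, so once the 4.5.2 pin is dropped in pom.xml the Athenz identity check may never run on the actual connection path; which overload is reached depends on the httpclient version resolved at runtime, which this page does not show, so this should be confirmed against the deployed artifact. That overload should delegate to the verifier exactly as the `SSLSession` overload does and fail closed when the peer is not trusted. The `verify(String, String[], String[])` overload also indexes `cns[0]` without a null/empty guard, so a certificate without a common name surfaces as an ArrayIndexOutOfBoundsException instead of an SSLException. The enclosing class continues outside the hunk.
```java
@Override
public void verify(String host, SSLSocket ssl) throws IOException {
    // Same check as the SSLSession overload; an unverified peer must fail closed.
    if (!verifier.verify(host, ssl.getSession())) {
        throw new SSLException("Athenz identity is not trusted for host: " + host);
    }
}

// … unchanged: verify(String, X509Certificate) …

@Override
public void verify(String hostname, String[] cns, String[] subjectAlts) throws SSLException {
    if (cns == null || cns.length == 0) {
        throw new SSLException("Peer certificate has no common name to derive an Athenz identity from");
    }
    AthenzIdentity identity = AthenzUtils.createAthenzIdentity(cns[0]);
    // … unchanged: isTrusted check …
}
```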