author | Morten Tokle <morten.tokle@gmail.com> | 2018-01-04 15:40:11 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-01-04 15:40:11 +0100 |
commit | f5f5222460ff5a65ecd7c2da81fecc049a0faecc (patch) | |
tree | e9e79aedf053ed6bf1b5ee201ad2fbde83506d67 /controller-server | |
parent | 15b47111e575f4cfa97309a8a12e6406b3428fee (diff) | |
parent | 85a21591c08c719f628276c87c8ced385b078228 (diff) |
Merge pull request #4551 from vespa-engine/bjorncs/osgi-painkiller
Bjorncs/osgi painkiller
Diffstat (limited to 'controller-server')
-rw-r--r-- | controller-server/pom.xml | 10 | ||||
-rw-r--r-- | controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java | 42 |
2 files changed, 46 insertions, 6 deletions
diff --git a/controller-server/pom.xml b/controller-server/pom.xml
index d1535f0ff39..b033286b82a 100644
--- a/controller-server/pom.xml
+++ b/controller-server/pom.xml
@@ -109,6 +109,11 @@
 </dependency>
 <dependency>
+ <groupId>org.apache.httpcomponents</groupId>
+ <artifactId>httpcore</artifactId>
+ </dependency>
+
+ <dependency>
 <groupId>com.yahoo.vespa</groupId>
 <artifactId>config-model-api</artifactId>
 <version>${project.version}</version>
@@ -186,11 +191,6 @@
 <groupId>com.fasterxml.jackson.core</groupId>
 <artifactId>jackson-annotations</artifactId>
 </exclusion>
- <!--Exclude Apache httpclient -->
- <exclusion>
- <groupId>org.apache.httpcomponents</groupId>
- <artifactId>httpclient</artifactId>
- </exclusion>
 </exclusions>
 </dependency>
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java
index 7d06bbde081..379e5c10847 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java
@@ -7,8 +7,10 @@ import com.google.inject.Inject;
 import com.yahoo.config.provision.Environment;
 import com.yahoo.io.IOUtils;
 import com.yahoo.jdisc.http.HttpRequest.Method;
+import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzIdentity;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzIdentityVerifier;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzSslContextProvider;
+import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzUtils;
 import com.yahoo.vespa.hosted.controller.api.integration.zone.ZoneId;
 import com.yahoo.vespa.hosted.controller.api.integration.zone.ZoneList;
 import com.yahoo.vespa.hosted.controller.api.integration.zone.ZoneRegistry;
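Review bot: Dropping the `<!--Exclude Apache httpclient -->` exclusion in the second pom hunk leaves the httpclient version on this bundle's classpath to whatever the enclosing dependency (its declaration is outside the hunk) pulls in transitively, while the newly added `httpcore` carries no `<version>` and presumably comes from the parent's dependencyManagement. A transitively resolved httpclient and a managed httpcore can drift apart on upgrades, and the transitive one is what decides which httpclient fixes this bundle actually ships with. Since `ConfigServerRestExecutorImpl` already imports `org.apache.http.impl.client.HttpClientBuilder` directly, declare `httpclient` explicitly next to `httpcore`, e.g. `<dependency><groupId>org.apache.httpcomponents</groupId><artifactId>httpclient</artifactId></dependency>`, so both artifacts are governed by the same managed version.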
@@ -21,14 +23,19 @@ import org.apache.http.client.methods.HttpPatch;
 import org.apache.http.client.methods.HttpPost;
 import org.apache.http.client.methods.HttpPut;
 import org.apache.http.client.methods.HttpRequestBase;
+import org.apache.http.conn.ssl.X509HostnameVerifier;
 import org.apache.http.entity.InputStreamEntity;
 import org.apache.http.impl.client.CloseableHttpClient;
 import org.apache.http.impl.client.HttpClientBuilder;
+import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.SSLSocket;
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.URI;
 import java.nio.charset.StandardCharsets;
+import java.security.cert.X509Certificate;
 import java.time.Duration;
 import java.util.ArrayList;
 import java.util.HashSet;
@@ -254,9 +261,42 @@ public class ConfigServerRestExecutorImpl implements ConfigServerRestExecutor {
 return HttpClientBuilder.create()
 .setUserAgent("config-server-client")
 .setSslcontext(sslContextProvider.get())
- .setHostnameVerifier(hostnameVerifier)
+ .setHostnameVerifier(new AthenzIdentityVerifierAdapter(hostnameVerifier))
 .setDefaultRequestConfig(config)
 .build();
 }
+ private static class AthenzIdentityVerifierAdapter implements X509HostnameVerifier {
+
+ private final AthenzIdentityVerifier verifier;
+
+ AthenzIdentityVerifierAdapter(AthenzIdentityVerifier verifier) {
+ this.verifier = verifier;
+ }
+
+ @Override
+ public boolean verify(String hostname, SSLSession sslSession) {
+ return verifier.verify(hostname, sslSession);
+ }
+
+ @Override
+ public void verify(String host, SSLSocket ssl) { /* All sockets accepted */}
+
+ @Override
+ public void verify(String hostname, X509Certificate certificate) throws SSLException {
+ AthenzIdentity identity = AthenzUtils.createAthenzIdentity(certificate);
+ if (!verifier.isTrusted(identity)) {
+ throw new SSLException("Athenz identity is not trusted: " + identity.getFullName());
+ }
+ }
+
+ @Override
+ public void verify(String hostname, String[] cns, String[] subjectAlts) throws SSLException {
+ AthenzIdentity identity = AthenzUtils.createAthenzIdentity(cns[0]);
+ if (!verifier.isTrusted(identity)) {
+ throw new SSLException("Athenz identity is not trusted: " + identity.getFullName());
+ }
+ }
+ }
+
 }
|
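Review bot: `verify(String host, SSLSocket ssl)` in the new `AthenzIdentityVerifierAdapter` is an empty method (`/* All sockets accepted */`), so any code path that reaches the adapter through the `SSLSocket` overload performs no Athenz identity check at all; in the httpclient 4.3-era `SSLConnectionSocketFactory` that `HttpClientBuilder.setHostnameVerifier(X509HostnameVerifier)` wires up, that overload is the one invoked after the handshake, and which httpclient version this bundle resolves is not visible in the diff, so this must be confirmed rather than assumed. The adapter should fail closed by applying the same check the `SSLSession` overload already delegates to, using `ssl.getSession()`. The `String[] cns` overload also indexes `cns[0]` unguarded, so a peer certificate without a CN surfaces as an `ArrayIndexOutOfBoundsException` instead of an `SSLException`; add `if (cns == null || cns.length == 0) throw new SSLException("Peer certificate has no CN to derive an Athenz identity from");` before that line. The `/* All sockets accepted */` comment should be replaced by one stating why the socket path is safe, if it genuinely is after the fix.
```java
        @Override
        public void verify(String host, SSLSocket ssl) throws SSLException {
            // Fail closed: apply the same Athenz identity check as the SSLSession overload.
            if (!verifier.verify(host, ssl.getSession())) {
                throw new SSLException("Athenz identity is not trusted for host: " + host);
            }
        }
        // … unchanged: X509Certificate and String[] overloads …
```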