Merge pull request #4551 from vespa-engine/bjorncs/osgi-painkiller

Bjorncs/osgi painkiller
author: Morten Tokle <morten.tokle@gmail.com> 2018-01-04 15:40:11 +0100
committer: GitHub <noreply@github.com> 2018-01-04 15:40:11 +0100
commit: f5f5222460ff5a65ecd7c2da81fecc049a0faecc (patch)
tree: e9e79aedf053ed6bf1b5ee201ad2fbde83506d67 /controller-server
parent: 15b47111e575f4cfa97309a8a12e6406b3428fee (diff)
parent: 85a21591c08c719f628276c87c8ced385b078228 (diff)
2 files changed, 46 insertions, 6 deletions
diff --git a/controller-server/pom.xml b/controller-server/pom.xml
index d1535f0ff39..b033286b82a 100644
--- a/controller-server/pom.xml
+++ b/controller-server/pom.xml
@@ -109,6 +109,11 @@
         </dependency>
 
         <dependency>
+            <groupId>org.apache.httpcomponents</groupId>
+            <artifactId>httpcore</artifactId>
+        </dependency>
+
+        <dependency>
             <groupId>com.yahoo.vespa</groupId>
             <artifactId>config-model-api</artifactId>
             <version>${project.version}</version>
@@ -186,11 +191,6 @@
                     <groupId>com.fasterxml.jackson.core</groupId>
                     <artifactId>jackson-annotations</artifactId>
                 </exclusion>
-                <!--Exclude Apache httpclient -->
-                <exclusion>
-                    <groupId>org.apache.httpcomponents</groupId>
-                    <artifactId>httpclient</artifactId>
-                </exclusion>
             </exclusions>
         </dependency>
 
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java
index 7d06bbde081..379e5c10847 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java
@@ -7,8 +7,10 @@ import com.google.inject.Inject;
 import com.yahoo.config.provision.Environment;
 import com.yahoo.io.IOUtils;
 import com.yahoo.jdisc.http.HttpRequest.Method;
+import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzIdentity;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzIdentityVerifier;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzSslContextProvider;
+import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzUtils;
 import com.yahoo.vespa.hosted.controller.api.integration.zone.ZoneId;
 import com.yahoo.vespa.hosted.controller.api.integration.zone.ZoneList;
 import com.yahoo.vespa.hosted.controller.api.integration.zone.ZoneRegistry;
@@ -21,14 +23,19 @@ import org.apache.http.client.methods.HttpPatch;
 import org.apache.http.client.methods.HttpPost;
 import org.apache.http.client.methods.HttpPut;
 import org.apache.http.client.methods.HttpRequestBase;
+import org.apache.http.conn.ssl.X509HostnameVerifier;
 import org.apache.http.entity.InputStreamEntity;
 import org.apache.http.impl.client.CloseableHttpClient;
 import org.apache.http.impl.client.HttpClientBuilder;
 
+import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.SSLSocket;
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.URI;
 import java.nio.charset.StandardCharsets;
+import java.security.cert.X509Certificate;
 import java.time.Duration;
 import java.util.ArrayList;
 import java.util.HashSet;
@@ -254,9 +261,42 @@ public class ConfigServerRestExecutorImpl implements ConfigServerRestExecutor {
         return HttpClientBuilder.create()
                 .setUserAgent("config-server-client")
                 .setSslcontext(sslContextProvider.get())
-                .setHostnameVerifier(hostnameVerifier)
+                .setHostnameVerifier(new AthenzIdentityVerifierAdapter(hostnameVerifier))
                 .setDefaultRequestConfig(config)
                 .build();
     }
 
+    private static class AthenzIdentityVerifierAdapter implements X509HostnameVerifier {
+
+        private final AthenzIdentityVerifier verifier;
+
+        AthenzIdentityVerifierAdapter(AthenzIdentityVerifier verifier) {
+            this.verifier = verifier;
+        }
+
+        @Override
+        public boolean verify(String hostname, SSLSession sslSession) {
+            return verifier.verify(hostname, sslSession);
+        }
+
+        @Override
+        public void verify(String host, SSLSocket ssl) { /* All sockets accepted */}
+
+        @Override
+        public void verify(String hostname, X509Certificate certificate) throws SSLException {
+            AthenzIdentity identity = AthenzUtils.createAthenzIdentity(certificate);
+            if (!verifier.isTrusted(identity)) {
+                throw new SSLException("Athenz identity is not trusted: " + identity.getFullName());
+            }
+        }
+
+        @Override
+        public void verify(String hostname, String[] cns, String[] subjectAlts) throws SSLException {
+            AthenzIdentity identity = AthenzUtils.createAthenzIdentity(cns[0]);
+            if (!verifier.isTrusted(identity)) {
+                throw new SSLException("Athenz identity is not trusted: " + identity.getFullName());
+            }
+        }
+    }
+
 }
author	Morten Tokle <morten.tokle@gmail.com>	2018-01-04 15:40:11 +0100
committer	GitHub <noreply@github.com>	2018-01-04 15:40:11 +0100
commit	f5f5222460ff5a65ecd7c2da81fecc049a0faecc (patch)
tree	e9e79aedf053ed6bf1b5ee201ad2fbde83506d67 /controller-server
parent	15b47111e575f4cfa97309a8a12e6406b3428fee (diff)
parent	85a21591c08c719f628276c87c8ced385b078228 (diff)