author | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2021-01-18 15:08:12 +0100 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2021-01-18 15:08:12 +0100 |
commit | a87cf9a0492dfb7b34aa01fa1f9a316dbbf55d48 (patch) | |
tree | 69bedabadb8de8c3e4494e88e55155ee1bbf0414 /jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty | |
parent | a5f0f0f06c53386f32307ccef3b68c9e4dc3ad26 (diff) |
Move SslHandshakeFailure to separate class
Diffstat (limited to 'jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty')
2 files changed, 53 insertions, 41 deletions
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/SslHandshakeFailedListener.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/SslHandshakeFailedListener.java
index 4c9059b5b37..822e1c2ffb8 100644
--- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/SslHandshakeFailedListener.java
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/SslHandshakeFailedListener.java
@@ -49,45 +49,4 @@ class SslHandshakeFailedListener implements SslHandshakeListener {
 .ifPresent(clientIp -> dimensions.put(MetricDefinitions.CLIENT_IP_DIMENSION, clientIp));
 return Map.copyOf(dimensions);
 }
-
- private enum SslHandshakeFailure {
- INCOMPATIBLE_PROTOCOLS(
- MetricDefinitions.SSL_HANDSHAKE_FAILURE_INCOMPATIBLE_PROTOCOLS,
- "(Client requested protocol \\S+? is not enabled or supported in server context" +
- "|The client supported protocol versions \\[\\S+?\\] are not accepted by server preferences \\[\\S+?\\])"),
- INCOMPATIBLE_CIPHERS(
- MetricDefinitions.SSL_HANDSHAKE_FAILURE_INCOMPATIBLE_CIPHERS,
- "no cipher suites in common"),
- MISSING_CLIENT_CERT(
- MetricDefinitions.SSL_HANDSHAKE_FAILURE_MISSING_CLIENT_CERT,
- "Empty server certificate chain"),
- EXPIRED_CLIENT_CERTIFICATE(
- MetricDefinitions.SSL_HANDSHAKE_FAILURE_EXPIRED_CLIENT_CERT,
- // Note: this pattern will match certificates with too late notBefore as well
- "PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed"),
- INVALID_CLIENT_CERT(
- MetricDefinitions.SSL_HANDSHAKE_FAILURE_INVALID_CLIENT_CERT, // Includes mismatch of client certificate and private key
- "(PKIX path (building|validation) failed: .+)|(Invalid CertificateVerify signature)");
-
- private final String metricName;
- private final Predicate<String> messageMatcher;
-
- SslHandshakeFailure(String metricName, String messagePattern) {
- this.metricName = metricName;
- this.messageMatcher = Pattern.compile(messagePattern).asMatchPredicate();
- }
-
- String metricName() { return metricName; }
-
- static Optional<SslHandshakeFailure> fromSslHandshakeException(SSLHandshakeException exception) {
- String message = exception.getMessage();
- if (message == null || message.isBlank()) return Optional.empty();
- for (SslHandshakeFailure failure : values()) {
- if (failure.messageMatcher.test(message)) {
- return Optional.of(failure);
- }
- }
- return Optional.empty();
- }
- }
 }
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/SslHandshakeFailure.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/SslHandshakeFailure.java
new file mode 100644
index 00000000000..6be36635376
--- /dev/null
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/SslHandshakeFailure.java
@@ -0,0 +1,53 @@
+// Copyright Verizon Media. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.jdisc.http.server.jetty;
+
+import javax.net.ssl.SSLHandshakeException;
+import java.util.Optional;
+import java.util.function.Predicate;
+import java.util.regex.Pattern;
+
+/**
+ * Categorizes instances of {@link SSLHandshakeException}
+ *
+ * @author bjorncs
+ */
+enum SslHandshakeFailure {
+ INCOMPATIBLE_PROTOCOLS(
+ MetricDefinitions.SSL_HANDSHAKE_FAILURE_INCOMPATIBLE_PROTOCOLS,
+ "(Client requested protocol \\S+? is not enabled or supported in server context" +
+ "|The client supported protocol versions \\[\\S+?\\] are not accepted by server preferences \\[\\S+?\\])"),
+ INCOMPATIBLE_CIPHERS(
+ MetricDefinitions.SSL_HANDSHAKE_FAILURE_INCOMPATIBLE_CIPHERS,
+ "no cipher suites in common"),
+ MISSING_CLIENT_CERT(
+ MetricDefinitions.SSL_HANDSHAKE_FAILURE_MISSING_CLIENT_CERT,
+ "Empty server certificate chain"),
+ EXPIRED_CLIENT_CERTIFICATE(
+ MetricDefinitions.SSL_HANDSHAKE_FAILURE_EXPIRED_CLIENT_CERT,
+ // Note: this pattern will match certificates with too late notBefore as well
+ "PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed"),
+ INVALID_CLIENT_CERT(
+ MetricDefinitions.SSL_HANDSHAKE_FAILURE_INVALID_CLIENT_CERT, // Includes mismatch of client certificate and private key
+ "(PKIX path (building|validation) failed: .+)|(Invalid CertificateVerify signature)");
+
+ private final String metricName;
+ private final Predicate<String> messageMatcher;
+
+ SslHandshakeFailure(String metricName, String messagePattern) {
+ this.metricName = metricName;
+ this.messageMatcher = Pattern.compile(messagePattern).asMatchPredicate();
+ }
+
+ String metricName() { return metricName; }
+
+ static Optional<SslHandshakeFailure> fromSslHandshakeException(SSLHandshakeException exception) {
+ String message = exception.getMessage();
+ if (message == null || message.isBlank()) return Optional.empty();
+ for (SslHandshakeFailure failure : values()) {
+ if (failure.messageMatcher.test(message)) {
+ return Optional.of(failure);
+ }
+ }
+ return Optional.empty();
+ }
+}
|
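Review bot: The result of `fromSslHandshakeException` depends on the declaration order of the constants, because the loop over `values()` returns the first match and `INVALID_CLIENT_CERT`'s pattern `PKIX path (building|validation) failed: .+` also matches every message that `EXPIRED_CLIENT_CERTIFICATE` is meant to catch; reordering the constants would silently move those handshakes to the wrong metric. A comment above `INVALID_CLIENT_CERT` would guard this, e.g. `// Must stay after EXPIRED_CLIENT_CERTIFICATE: fromSslHandshakeException returns the first match and this pattern subsumes its message`. The `.` characters in the EXPIRED_CLIENT_CERTIFICATE pattern are unescaped regex metacharacters; this is harmless under the full-string match that `asMatchPredicate()` performs, but `\\.` would make the literal intent explicit. The class Javadoc could also say that the patterns are matched against the exception message text emitted by the JDK's TLS implementation, which presumably varies between JDK versions, and that an unrecognised message yields `Optional.empty()` rather than a guessed category.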