author | Geir Storli <geirstorli@yahoo.no> | 2019-01-21 16:06:53 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-01-21 16:06:53 +0100 |
commit | 8372a883c5a5fa100f88fc9b80824359b5bb70cd (patch) | |
tree | 660ce3ef61f060b33bd97eac1185715606b8e2bd /jdisc_http_service/src/main | |
parent | 3722c1cdd91fce30d1c2538b2a8749d9321e194b (diff) | |
parent | eb0b1134a66507e3bd8f09793c22cd824d01dff5 (diff) |
Merge pull request #8198 from vespa-engine/7
7 MERGEOK
Diffstat (limited to 'jdisc_http_service/src/main')
17 files changed, 38 insertions, 908 deletions
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/Cookie.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/Cookie.java index a43310aff51..06c93db7ede 100644 --- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/Cookie.java +++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/Cookie.java @@ -7,15 +7,11 @@ import org.eclipse.jetty.server.Response; import java.net.HttpCookie; import java.util.ArrayList; import java.util.Arrays; -import java.util.Collections; import java.util.HashSet; import java.util.List; import java.util.Objects; import java.util.Set; -import java.util.StringTokenizer; import java.util.concurrent.TimeUnit; -import java.util.logging.Level; -import java.util.logging.Logger; import java.util.stream.Collectors; import java.util.stream.StreamSupport; @@ -24,22 +20,17 @@ import java.util.stream.StreamSupport; * * Note: RFC 2109 and RFC 2965 is no longer supported. All fields that are not part of RFC 6265 are deprecated. * - * @author <a href="mailto:einarmr@yahoo-inc.com">Einar M R Rosenvinge</a> + * @author Einar M R Rosenvinge * @author bjorncs */ public class Cookie { - private final static Logger log = Logger.getLogger(Cookie.class.getName()); - private final Set<Integer> ports = new HashSet<>(); private String name; private String value; private String domain; private String path; - private String comment; - private String commentUrl; private long maxAgeSeconds = Integer.MIN_VALUE; - private int version; private boolean secure; private boolean httpOnly; private boolean discard; @@ -53,10 +44,7 @@ public class Cookie { value = cookie.value; domain = cookie.domain; path = cookie.path; - comment = cookie.comment; - commentUrl = cookie.commentUrl; maxAgeSeconds = cookie.maxAgeSeconds; - version = cookie.version; secure = cookie.secure; httpOnly = cookie.httpOnly; discard = cookie.discard; 
@@ -103,38 +91,6 @@ public class Cookie { return this; } - @Deprecated - public String getComment() { - return comment; - } - - @Deprecated - public Cookie setComment(String comment) { - this.comment = comment; - return this; - } - - @Deprecated - public String getCommentURL() { - return getCommentUrl(); - } - - @Deprecated - public Cookie setCommentURL(String commentUrl) { - return setCommentUrl(commentUrl); - } - - @Deprecated - public String getCommentUrl() { - return commentUrl; - } - - @Deprecated - public Cookie setCommentUrl(String commentUrl) { - this.commentUrl = commentUrl; - return this; - } - public int getMaxAge(TimeUnit unit) { return (int)unit.convert(maxAgeSeconds, TimeUnit.SECONDS); } @@ -144,17 +100,6 @@ public class Cookie { return this; } - @Deprecated - public int getVersion() { - return version; - } - - @Deprecated - public Cookie setVersion(int version) { - this.version = version; - return this; - } - public boolean isSecure() { return secure; } @@ -173,29 +118,12 @@ public class Cookie { return this; } - @Deprecated - public boolean isDiscard() { - return discard; - } - - @Deprecated - public Cookie setDiscard(boolean discard) { - this.discard = discard; - return this; - } - - @Deprecated - public Set<Integer> ports() { - return ports; - } - @Override public boolean equals(Object o) { if (this == o) return true; if (o == null || getClass() != o.getClass()) return false; Cookie cookie = (Cookie) o; return maxAgeSeconds == cookie.maxAgeSeconds && - version == cookie.version && secure == cookie.secure && httpOnly == cookie.httpOnly && discard == cookie.discard && 
@@ -203,14 +131,12 @@ public class Cookie { Objects.equals(name, cookie.name) && Objects.equals(value, cookie.value) && Objects.equals(domain, cookie.domain) && - Objects.equals(path, cookie.path) && - Objects.equals(comment, cookie.comment) && - Objects.equals(commentUrl, cookie.commentUrl); + Objects.equals(path, cookie.path); } @Override public int hashCode() { - return Objects.hash(ports, name, value, domain, path, comment, commentUrl, maxAgeSeconds, version, secure, httpOnly, discard); + return Objects.hash(ports, name, value, domain, path, maxAgeSeconds, secure, httpOnly, discard); } @Override @@ -229,19 +155,12 @@ public class Cookie { return StreamSupport.stream(cookies.spliterator(), false) .map(cookie -> { HttpCookie httpCookie = new HttpCookie(cookie.getName(), cookie.getValue()); - httpCookie.setComment(cookie.getComment()); - httpCookie.setCommentURL(cookie.getCommentURL()); - httpCookie.setDiscard(cookie.isDiscard()); httpCookie.setDomain(cookie.getDomain()); httpCookie.setHttpOnly(cookie.isHttpOnly()); httpCookie.setMaxAge(cookie.getMaxAge(TimeUnit.SECONDS)); httpCookie.setPath(cookie.getPath()); httpCookie.setSecure(cookie.isSecure()); - httpCookie.setVersion(cookie.getVersion()); - String portList = cookie.ports().stream() - .map(Number::toString) - .collect(Collectors.joining(",")); - httpCookie.setPortlist(portList); + httpCookie.setVersion(0); return httpCookie.toString(); }) .collect(Collectors.joining(";")); 
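Review bot: `hashCode()` still folds in `ports` and `discard` (and `equals()` in the preceding hunk still compares `discard`), yet with `ports()`, `isDiscard()`/`setDiscard()` and the `HttpCookie` discard and port-list plumbing all removed in this commit, nothing visible in the diff can populate either field except the copy constructor copying an empty/false value. If that is indeed the case, drop the two fields and their terms, `return Objects.hash(name, value, domain, path, maxAgeSeconds, secure, httpOnly);`, or leave a one-line comment stating why they are kept.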
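Review bot: The new `httpCookie.setVersion(0)` makes the surrounding `setDomain`/`setHttpOnly`/`setMaxAge`/`setPath`/`setSecure` calls dead for the returned string, because `HttpCookie.toString()` renders a version-0 cookie in Netscape form as bare `name=value`. That is the right wire format for what looks like a request `Cookie` header (given the `;` join), but the remaining setters now mislead a reader; either remove them or add `// version 0: HttpCookie.toString() emits only name=value, the attributes above are not serialized`. The enclosing method's signature lies outside this hunk.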
@@ -255,29 +174,17 @@ public class Cookie { Cookie cookie = new Cookie(); cookie.setName(servletCookie.getName()); cookie.setValue(servletCookie.getValue()); - cookie.setComment(servletCookie.getComment()); cookie.setPath(servletCookie.getPath()); cookie.setDomain(servletCookie.getDomain()); cookie.setMaxAge(servletCookie.getMaxAge(), TimeUnit.SECONDS); cookie.setSecure(servletCookie.getSecure()); - cookie.setVersion(servletCookie.getVersion()); cookie.setHttpOnly(servletCookie.isHttpOnly()); return cookie; }) .collect(Collectors.toList()); } - /** - * @deprecated Use {@link #toSetCookieHeaderAll(Iterable)} instead. - */ - @Deprecated - public static String toSetCookieHeader(Iterable<? extends Cookie> cookies) { - List<String> encodedCookies = toSetCookieHeaderAll(cookies); - return encodedCookies.isEmpty() ? null : encodedCookies.get(0); - } - - // TODO Rename to toSetCookieHeader for Vespa 7 - public static List<String> toSetCookieHeaderAll(Iterable<? extends Cookie> cookies) { + public static List<String> toSetCookieHeaders(Iterable<? extends Cookie> cookies) { // Ugly, bot Jetty does not provide a dedicated cookie parser (will be included in Jetty 10) Response response = new Response(null, null); for (Cookie cookie : cookies) { 
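Review bot: The new public `toSetCookieHeaders` has no Javadoc although it is the method callers are now expected to migrate to from the deprecated `toSetCookieHeaderAll`. Add a summary such as `/** Encodes the given cookies as RFC 6265 Set-Cookie header values, one entry per cookie. */` (adjust the "one per cookie" claim if Jetty's `Response` merges values, which this hunk does not show). The comment on the context line, `Ugly, bot Jetty`, also reads as a typo for "but".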
@@ -293,45 +200,25 @@ public class Cookie { return new ArrayList<>(response.getHeaders("Set-Cookie")); } - // TODO Change return type to Cookie for Vespa 7 - public static List<Cookie> fromSetCookieHeader(String headerVal) { + @Deprecated // TODO Vespa 8 Remove + public static List<String> toSetCookieHeaderAll(Iterable<? extends Cookie> cookies) { + return toSetCookieHeaders(cookies); + } + + public static Cookie fromSetCookieHeader(String headerVal) { return HttpCookie.parse(headerVal).stream() .map(httpCookie -> { Cookie cookie = new Cookie(); cookie.setName(httpCookie.getName()); cookie.setValue(httpCookie.getValue()); - cookie.setComment(httpCookie.getComment()); - cookie.setCommentUrl(httpCookie.getCommentURL()); - cookie.setDiscard(httpCookie.getDiscard()); cookie.setDomain(httpCookie.getDomain()); cookie.setHttpOnly(httpCookie.isHttpOnly()); - cookie.setMaxAge((int)httpCookie.getMaxAge(), TimeUnit.SECONDS); + cookie.setMaxAge((int) httpCookie.getMaxAge(), TimeUnit.SECONDS); cookie.setPath(httpCookie.getPath()); cookie.setSecure(httpCookie.getSecure()); - cookie.setVersion(httpCookie.getVersion()); - cookie.ports().addAll(parsePortList(httpCookie.getPortlist())); return cookie; }) - .collect(Collectors.toList()); - } - - - private static List<Integer> parsePortList(String rawPortList) { - if (rawPortList == null) return Collections.emptyList(); - - List<Integer> ports = new ArrayList<>(); - StringTokenizer tokenizer = new StringTokenizer(rawPortList, ","); - while (tokenizer.hasMoreTokens()) { - String rawPort = tokenizer.nextToken().trim(); - if (!rawPort.isEmpty()) { - try { - ports.add(Integer.parseInt(rawPort)); - } catch (NumberFormatException e) { - log.log(Level.FINE, "Unable to parse port: " + rawPort, e); - } - } - } - return ports; + .findFirst().get(); } } 
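Review bot: `fromSetCookieHeader` now ends in `.findFirst().get()`, so a header that `HttpCookie.parse` turns into zero cookies fails with a context-free `NoSuchElementException`, and a header that parses into several cookies silently drops all but the first; the `addAll` → `add` call sites in `HttpResponse` and `ServletResponse` inherit both behaviours. Prefer `.findFirst().orElseThrow(() -> new IllegalArgumentException("Set-Cookie header contains no cookie"))`, keeping the raw header value out of the message since it may carry a session token that would otherwise land in logs, and state in Javadoc that only the first cookie of a multi-cookie header is returned. `HttpCookie.parse` itself throws `IllegalArgumentException` on malformed input, so callers must handle that exception type either way.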
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/HttpResponse.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/HttpResponse.java index 8905549a002..f7138ba0e2b 100644 --- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/HttpResponse.java +++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/HttpResponse.java @@ -69,7 +69,7 @@ public class HttpResponse extends Response implements ServletOrJdiscHttpResponse } List<Cookie> ret = new LinkedList<>(); for (String cookie : cookies) { - ret.addAll(Cookie.fromSetCookieHeader(cookie)); + ret.add(Cookie.fromSetCookieHeader(cookie)); } return ret; } @@ -77,7 +77,7 @@ public class HttpResponse extends Response implements ServletOrJdiscHttpResponse public void encodeSetCookieHeader(List<Cookie> cookies) { headers().remove(HttpHeaders.Names.SET_COOKIE); for (Cookie cookie : cookies) { - headers().add(HttpHeaders.Names.SET_COOKIE, Cookie.toSetCookieHeaderAll(Arrays.asList(cookie))); + headers().add(HttpHeaders.Names.SET_COOKIE, Cookie.toSetCookieHeaders(Arrays.asList(cookie))); } } diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/SecretStore.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/SecretStore.java index b70fc5fbd96..4f739c5bd78 100644 --- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/SecretStore.java +++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/SecretStore.java @@ -9,7 +9,7 @@ package com.yahoo.jdisc.http; * @author bjorncs * @deprecated Use com.yahoo.container.jdisc.secretstore.SecretStore */ -@Deprecated +@Deprecated // Vespa 8 public interface SecretStore { /** Returns the secret for this key */ diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/filter/JDiscCookieWrapper.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/filter/JDiscCookieWrapper.java index 8845f233fab..2b9c650d545 100644 --- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/filter/JDiscCookieWrapper.java 
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/filter/JDiscCookieWrapper.java @@ -8,7 +8,7 @@ import java.util.concurrent.TimeUnit; /** * Wrapper of Cookie. * - * @author tejalk + * @author Tejal Knot * */ public class JDiscCookieWrapper { @@ -23,11 +23,6 @@ public class JDiscCookieWrapper { return new JDiscCookieWrapper(cookie); } - @Deprecated - public String getComment() { - return cookie.getComment(); - } - public String getDomain() { return cookie.getDomain(); } @@ -52,16 +47,6 @@ public class JDiscCookieWrapper { return cookie.getValue(); } - @Deprecated - public int getVersion() { - return cookie.getVersion(); - } - - @Deprecated - public void setComment(String purpose) { - cookie.setComment(purpose); - } - public void setDomain(String pattern) { cookie.setDomain(pattern); } @@ -82,11 +67,6 @@ public class JDiscCookieWrapper { cookie.setValue(newValue); } - @Deprecated - public void setVersion(int version) { - cookie.setVersion(version); - } - /** * Return com.yahoo.jdisc.http.Cookie * diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/filter/ServletFilterResponse.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/filter/ServletFilterResponse.java index 1c8383ae427..b603e7776f1 100644 --- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/filter/ServletFilterResponse.java +++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/filter/ServletFilterResponse.java @@ -12,8 +12,6 @@ import java.util.List; /** * Servlet implementation for JDisc filter responses. - * - * @since 5.27 */ class ServletFilterResponse extends DiscFilterResponse { 
@@ -77,7 +75,7 @@ class ServletFilterResponse extends DiscFilterResponse { @Override public void setCookies(List<Cookie> cookies) { removeHeaders(HttpHeaders.Names.SET_COOKIE); - List<String> setCookieHeaders = Cookie.toSetCookieHeaderAll(cookies); + List<String> setCookieHeaders = Cookie.toSetCookieHeaders(cookies); setCookieHeaders.forEach(cookie -> addHeader(HttpHeaders.Names.SET_COOKIE, cookie)); } } diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/AccessLogRequestLog.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/AccessLogRequestLog.java index 26db07f9ed7..a445230769b 100644 --- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/AccessLogRequestLog.java +++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/AccessLogRequestLog.java @@ -28,13 +28,14 @@ import java.util.logging.Logger; * This class is a bridge between Jetty's {@link org.eclipse.jetty.server.handler.RequestLogHandler} * and our own configurable access logging in different formats provided by {@link AccessLog}. * - * @author bakksjo + * @author Oyvind Bakksjo * @author bjorncs */ public class AccessLogRequestLog extends AbstractLifeCycle implements RequestLog { private static final Logger logger = Logger.getLogger(AccessLogRequestLog.class.getName()); + // TODO These hardcoded headers should be provided by config instead private static final String HEADER_NAME_X_FORWARDED_FOR = "x-forwarded-for"; private static final String HEADER_NAME_Y_RA = "y-ra"; private static final String HEADER_NAME_Y_RP = "y-rp"; @@ -83,7 +84,6 @@ public class AccessLogRequestLog extends AbstractLifeCycle implements RequestLog public static void populateAccessLogEntryFromHttpServletRequest( final HttpServletRequest request, final AccessLogEntry accessLogEntry) { - setUriFromRequest(request, accessLogEntry); accessLogEntry.setRawPath(request.getRequestURI()); String queryString = request.getQueryString(); 
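Review bot: The new TODO above the hard-coded `x-forwarded-for` / `y-ra` / `y-rp` names should also record the trust assumption, because whatever config eventually supplies them, these are client-settable request headers that presumably feed the logged remote address and port (the `orElseGet(request::getRemotePort)` fallback later in the class suggests so). Suggest `// TODO These hardcoded headers should be provided by config instead. They are client-supplied and only trustworthy when a fronting proxy strips or overwrites them.` The `Integer::valueOf` applied to such a header value in the later hunk of this file will throw `NumberFormatException` on a non-numeric value, which is worth confirming is handled upstream.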
@@ -135,53 +135,4 @@ public class AccessLogRequestLog extends AbstractLifeCycle implements RequestLog .map(Integer::valueOf) .orElseGet(request::getRemotePort); } - - @SuppressWarnings("deprecation") - private static void setUriFromRequest(HttpServletRequest request, AccessLogEntry accessLogEntry) { - tryCreateUriFromRequest(request) - .ifPresent(accessLogEntry::setURI); // setURI is deprecated - } - - // This is a mess and does not work correctly - private static Optional<URI> tryCreateUriFromRequest(HttpServletRequest request) { - final String quotedQuery = request.getQueryString(); - final String quotedPath = request.getRequestURI(); - try { - final StringBuilder uriBuffer = new StringBuilder(); - uriBuffer.append(quotedPath); - if (quotedQuery != null) { - uriBuffer.append('?').append(quotedQuery); - } - return Optional.of(new URI(uriBuffer.toString())); - } catch (URISyntaxException e) { - return setUriFromMalformedInput(quotedPath, quotedQuery); - } - } - - private static Optional<URI> setUriFromMalformedInput(final String quotedPath, final String quotedQuery) { - try { - final String scheme = null; - final String authority = null; - final String fragment = null; - return Optional.of(new URI(scheme, authority, unquote(quotedPath), unquote(quotedQuery), fragment)); - } catch (URISyntaxException e) { - // I have no idea how this can happen here now... - logger.log(Level.WARNING, "Could not convert String URI to URI object", e); - return Optional.empty(); - } - } - - private static String unquote(final String quotedQuery) { - if (quotedQuery == null) { - return null; - } - try { - // inconsistent handling of semi-colon added here... - return URLDecoder.decode(quotedQuery, StandardCharsets.UTF_8.name()); - } catch (IllegalArgumentException e) { - return quotedQuery; - } catch (UnsupportedEncodingException e) { - throw new RuntimeException(e); // should not happen - } - } } 
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/HttpRequestFactory.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/HttpRequestFactory.java index 95f26e8bc1b..617e081bd24 100644 --- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/HttpRequestFactory.java +++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/HttpRequestFactory.java @@ -38,7 +38,7 @@ class HttpRequestFactory { } public static URI getUri(HttpServletRequest servletRequest) { - String query = extraQuote(servletRequest.getQueryString()); + String query = servletRequest.getQueryString(); try { return URI.create(servletRequest.getRequestURL() + (query != null ? '?' + query : "")); } catch (IllegalArgumentException e) { 
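Review bot: With `extraQuote` gone, `getUri` hands the raw query string to `URI.create`, so a query containing characters the removed method used to percent-encode (`{`, `|`, `^`, `\`) now ends in the `IllegalArgumentException` catch instead of being rewritten. Dropping the ad-hoc escaping is defensible, but please confirm that the catch branch, which is outside this hunk, maps this to a client error rather than a 500, and that nothing downstream still assumes those characters were escaped. A one-line comment would help the next reader: `// query is used verbatim; URI.create rejects characters outside the URI grammar, handled below`.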
@@ -59,54 +59,6 @@ class HttpRequestFactory { } } - // TODO Remove this ugly, non-complete escaping in Vespa 7 - private static String extraQuote(String queryString) { - // TODO: Use an URI builder - if (queryString == null) return null; - - int toAndIncluding = -1; - for (int i = 0; i < queryString.length(); ++i) { - if (quote(queryString.charAt(i)) != null) { - break; - } - toAndIncluding = i; - } - - String washed; - if (toAndIncluding != (queryString.length() - 1)) { - StringBuilder w = new StringBuilder(queryString.substring(0, toAndIncluding + 1)); - for (int i = toAndIncluding + 1; i < queryString.length(); ++i) { - String s = quote(queryString.charAt(i)); - if (s == null) { - w.append(queryString.charAt(i)); - } else { - w.append(s); - } - } - washed = w.toString(); - } else { - washed = queryString; - } - return washed; - } - - private static String quote(char c) { - switch(c) { - case '\\': - return "%5C"; - case '^': - return "%5E"; - case '{': - return "%7B"; - case '|': - return "%7C"; - case '}': - return "%7D"; - default: - return null; - } - } - private static X509Certificate[] getCertChain(HttpServletRequest servletRequest) { return (X509Certificate[]) servletRequest.getAttribute("javax.servlet.request.X509Certificate"); } diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/JDiscHttpServlet.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/JDiscHttpServlet.java index 2f5fe7612c8..20c8f945b82 100644 --- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/JDiscHttpServlet.java +++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/JDiscHttpServlet.java 
@@ -84,7 +84,6 @@ class JDiscHttpServlet extends HttpServlet { * Override to set connector attribute before the request becomes an upgrade request in the web socket case. * (After the upgrade, the HttpConnection is no longer available.) */ - @SuppressWarnings("deprecation") @Override protected void service(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { @@ -93,7 +92,6 @@ class JDiscHttpServlet extends HttpServlet { Metric.Context metricContext = getMetricContext(request); context.metric.add(JettyHttpServer.Metrics.NUM_REQUESTS, 1, metricContext); context.metric.add(JettyHttpServer.Metrics.JDISC_HTTP_REQUESTS, 1, metricContext); - context.metric.add(JettyHttpServer.Metrics.MANHATTAN_NUM_REQUESTS, 1, metricContext); if (JETTY_UNSUPPORTED_METHODS.contains(request.getMethod().toUpperCase())) { dispatchHttpRequest(request, response); diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyHttpServer.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyHttpServer.java index 40be93f2111..07d3d77dff2 100644 --- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyHttpServer.java +++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyHttpServer.java @@ -66,7 +66,6 @@ import java.util.stream.Collectors; * @author bjorncs */ @Beta -// TODO Vespa 7: Remove unused Manhattan metrics public class JettyHttpServer extends AbstractServerProvider { public interface Metrics { 
@@ -83,15 +82,12 @@ public class JettyHttpServer extends AbstractServerProvider { String NUM_BYTES_RECEIVED = "serverBytesReceived"; String NUM_BYTES_SENT = "serverBytesSent"; - @Deprecated String MANHATTAN_NUM_BYTES_RECEIVED = "http.in.bytes"; - @Deprecated String MANHATTAN_NUM_BYTES_SENT = "http.out.bytes"; String NUM_CONNECTIONS = "serverNumConnections"; /* For historical reasons, these are all aliases for the same metric. 'jdisc.http' should ideally be the only one. */ String JDISC_HTTP_REQUESTS = "jdisc.http.requests"; String NUM_REQUESTS = "serverNumRequests"; - @Deprecated String MANHATTAN_NUM_REQUESTS = "http.requests"; String NUM_SUCCESSFUL_RESPONSES = "serverNumSuccessfulResponses"; String NUM_FAILED_RESPONSES = "serverNumFailedResponses"; @@ -99,10 +95,8 @@ public class JettyHttpServer extends AbstractServerProvider { String NUM_FAILED_WRITES = "serverNumFailedResponseWrites"; String TOTAL_SUCCESSFUL_LATENCY = "serverTotalSuccessfulResponseLatency"; - @Deprecated String MANHATTAN_TOTAL_SUCCESSFUL_LATENCY = "http.latency"; String TOTAL_FAILED_LATENCY = "serverTotalFailedResponseLatency"; String TIME_TO_FIRST_BYTE = "serverTimeToFirstByte"; - @Deprecated String MANHATTAN_TIME_TO_FIRST_BYTE = "http.out.firstbytetime"; String RESPONSES_1XX = "http.status.1xx"; String RESPONSES_2XX = "http.status.2xx"; @@ -113,7 +107,6 @@ public class JettyHttpServer extends AbstractServerProvider { String RESPONSES_403 = "http.status.403"; String STARTED_MILLIS = "serverStartedMillis"; - @Deprecated String MANHATTAN_STARTED_MILLIS = "proc.uptime"; String URI_LENGTH = "jdisc.http.request.uri_length"; String CONTENT_SIZE = "jdisc.http.request.content_size"; 
@@ -350,11 +343,9 @@ public class JettyHttpServer extends AbstractServerProvider { } - @SuppressWarnings("deprecation") private void setServerMetrics(HttpResponseStatisticsCollector statisticsCollector) { long timeSinceStarted = System.currentTimeMillis() - timeStarted; metric.set(Metrics.STARTED_MILLIS, timeSinceStarted, null); - metric.set(Metrics.MANHATTAN_STARTED_MILLIS, timeSinceStarted, null); addResponseMetrics(statisticsCollector); } diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/MetricReporter.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/MetricReporter.java index 4b01a475842..21a64792731 100644 --- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/MetricReporter.java +++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/MetricReporter.java @@ -29,22 +29,18 @@ public class MetricReporter { this.requestStartTime = requestStartTime; } - @SuppressWarnings("deprecation") public void successfulWrite(int numBytes) { setTimeToFirstByteFirstTime(); metric.add(Metrics.NUM_SUCCESSFUL_WRITES, 1, context); metric.set(Metrics.NUM_BYTES_SENT, numBytes, context); - metric.set(Metrics.MANHATTAN_NUM_BYTES_SENT, numBytes, context); } - @SuppressWarnings("deprecation") private void setTimeToFirstByteFirstTime() { boolean isFirstWrite = firstSetOfTimeToFirstByte.getAndSet(false); if (isFirstWrite) { long timeToFirstByte = getRequestLatency(); metric.set(Metrics.TIME_TO_FIRST_BYTE, timeToFirstByte, context); - metric.set(Metrics.MANHATTAN_TIME_TO_FIRST_BYTE, timeToFirstByte, context); } } 
@@ -52,14 +48,12 @@ public class MetricReporter { metric.add(Metrics.NUM_FAILED_WRITES, 1, context); } - @SuppressWarnings("deprecation") public void successfulResponse() { setTimeToFirstByteFirstTime(); long requestLatency = getRequestLatency(); metric.set(Metrics.TOTAL_SUCCESSFUL_LATENCY, requestLatency, context); - metric.set(Metrics.MANHATTAN_TOTAL_SUCCESSFUL_LATENCY, requestLatency, context); metric.add(Metrics.NUM_SUCCESSFUL_RESPONSES, 1, context); } @@ -75,10 +69,8 @@ public class MetricReporter { metric.add(Metrics.NUM_PREMATURELY_CLOSED_CONNECTIONS, 1, context); } - @SuppressWarnings("deprecation") public void successfulRead(int bytes_received) { metric.set(JettyHttpServer.Metrics.NUM_BYTES_RECEIVED, bytes_received, context); - metric.set(JettyHttpServer.Metrics.MANHATTAN_NUM_BYTES_RECEIVED, bytes_received, context); } private long getRequestLatency() { diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/servlet/ServletResponse.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/servlet/ServletResponse.java index 5825d3f5194..48c8f577de9 100644 --- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/servlet/ServletResponse.java +++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/servlet/ServletResponse.java @@ -18,8 +18,6 @@ import java.util.Map; /** * JDisc wrapper to use a {@link javax.servlet.http.HttpServletResponse} * with JDisc security filters. - * - * @since 5.26 */ public class ServletResponse extends HttpServletResponseWrapper implements ServletOrJdiscHttpResponse { @@ -60,7 +58,7 @@ public class ServletResponse extends HttpServletResponseWrapper implements Servl } List<Cookie> ret = new LinkedList<>(); for (String cookie : cookies) { - ret.addAll(Cookie.fromSetCookieHeader(cookie)); + ret.add(Cookie.fromSetCookieHeader(cookie)); } return ret; } 
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/ThrowingSslContextFactoryProvider.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/ThrowingSslContextFactoryProvider.java
new file mode 100644
index 00000000000..b28ef54e822
--- /dev/null
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/ThrowingSslContextFactoryProvider.java
@@ -0,0 +1,16 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.jdisc.http.ssl;
+
+import org.eclipse.jetty.util.ssl.SslContextFactory;
+
+/**
+ * A dummy implementation of {@link SslContextFactoryProvider} to be injected into non-ssl connectors
+ *
+ * @author bjorncs
+ */
+public class ThrowingSslContextFactoryProvider implements SslContextFactoryProvider {
+ @Override
+ public SslContextFactory getInstance(String containerId, int port) {
+ throw new UnsupportedOperationException();
+ }
+}
\ No newline at end of file diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/impl/DefaultSslContextFactoryProvider.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/impl/DefaultSslContextFactoryProvider.java index fa31f58dfc0..c381ba738a3 100644 --- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/impl/DefaultSslContextFactoryProvider.java +++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/impl/DefaultSslContextFactoryProvider.java @@ -48,14 +48,6 @@ public class DefaultSslContextFactoryProvider implements SslContextFactoryProvid break; } - // NOTE: All ciphers matching ^TLS_RSA_.*$ are disabled by default in Jetty 9.4.12+ (https://github.com/eclipse/jetty.project/issues/2807) - // JDisc will allow these ciphers by default to support older clients (e.g. Java 8u60 and curl 7.29.0) - // Removing the exclusion will allow for the TLS_RSA variants that are not covered by other exclusions - String[] excludedCiphersWithoutTlsRsaExclusion = Arrays.stream(factory.getExcludeCipherSuites()) - .filter(cipher -> !cipher.equals("^TLS_RSA_.*$")) - .toArray(String[]::new); - factory.setExcludeCipherSuites(excludedCiphersWithoutTlsRsaExclusion); - // Check if using new ssl syntax from services.xml factory.setKeyStore(createKeystore(sslConfig)); factory.setKeyStorePassword(""); diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/impl/LegacySslContextFactoryProvider.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/impl/LegacySslContextFactoryProvider.java deleted file mode 100644 index 281f80c3aeb..00000000000 --- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/impl/LegacySslContextFactoryProvider.java +++ /dev/null 
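Review bot: `getInstance` throws a message-less `UnsupportedOperationException`, so a misconfiguration that wires this provider into a TLS-enabled connector surfaces as an unexplained stack trace. Include the connector identity, e.g. `throw new UnsupportedOperationException("No SslContextFactory for connector '" + containerId + "' on port " + port + " (connector is not configured for TLS)");`, and let the class Javadoc state that it must only be injected into connectors with SSL disabled.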
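Review bot: Removing the `^TLS_RSA_.*$` exclusion override means the Jetty default now stands and RSA-key-exchange suites are excluded, per the deleted comment's own description of Jetty 9.4.12+ behaviour; that is the right direction since those suites lack forward secrecy, but the deletion also removes the only text explaining the server's cipher policy and the old-client trade-off. Leave a short note at the remaining `// Check if using new ssl syntax from services.xml` point, such as `// Cipher suites: Jetty defaults apply (TLS_RSA_* excluded); override via config if legacy clients must be supported`, and call out the compatibility change in the release notes.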
@@ -1,164 +0,0 @@ -// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.jdisc.http.ssl.impl; - -import com.yahoo.config.InnerNode; -import com.yahoo.jdisc.http.ConnectorConfig; -import com.yahoo.jdisc.http.ssl.SslContextFactoryProvider; -import com.yahoo.jdisc.http.ssl.pem.PemSslKeyStore; -import org.eclipse.jetty.util.ssl.SslContextFactory; - -import java.io.IOException; -import java.io.UncheckedIOException; -import java.nio.file.Path; -import java.nio.file.Paths; -import java.security.KeyStore; -import java.util.Arrays; -import java.util.List; -import java.util.function.BiConsumer; -import java.util.function.Function; -import java.util.logging.Logger; - -/** - * A implementation of {@link SslContextFactoryProvider} to be injected into non-ssl connectors or connectors using legacy ssl config - * - * @author bjorncs - */ -// TODO Vespa 7: Remove legacy ssl config -public class LegacySslContextFactoryProvider implements SslContextFactoryProvider { - private static final Logger log = Logger.getLogger(LegacySslContextFactoryProvider.class.getName()); - - private final ConnectorConfig connectorConfig; - @SuppressWarnings("deprecation") - private final com.yahoo.jdisc.http.SecretStore secretStore; - - public LegacySslContextFactoryProvider(ConnectorConfig connectorConfig, - @SuppressWarnings("deprecation") com.yahoo.jdisc.http.SecretStore secretStore) { - validateConfig(connectorConfig.ssl()); - this.connectorConfig = connectorConfig; - this.secretStore = secretStore; - } - - @Override - public SslContextFactory getInstance(String containerId, int port) { - ConnectorConfig.Ssl sslConfig = connectorConfig.ssl(); - if (!sslConfig.enabled()) throw new IllegalStateException(); - SslContextFactory factory = new JDiscSslContextFactory(); - - switch (sslConfig.clientAuth()) { - case NEED_AUTH: - factory.setNeedClientAuth(true); - break; - case WANT_AUTH: - factory.setWantClientAuth(true); - 
break; - } - - // NOTE: All ciphers matching ^TLS_RSA_.*$ are disabled by default in Jetty 9.4.12+ (https://github.com/eclipse/jetty.project/issues/2807) - // JDisc will allow these ciphers by default to support older clients (e.g. Java 8u60 and curl 7.29.0) - // Removing the exclusion will allow for the TLS_RSA variants that are not covered by other exclusions - String[] excludedCiphersWithoutTlsRsaExclusion = Arrays.stream(factory.getExcludeCipherSuites()) - .filter(cipher -> !cipher.equals("^TLS_RSA_.*$")) - .toArray(String[]::new); - factory.setExcludeCipherSuites(excludedCiphersWithoutTlsRsaExclusion); - - switch (sslConfig.keyStoreType()) { - case JKS: - factory.setKeyStorePath(sslConfig.keyStorePath()); - factory.setKeyStoreType("JKS"); - factory.setKeyStorePassword(secretStore.getSecret(sslConfig.keyDbKey())); - break; - case PEM: - factory.setKeyStorePath(sslConfig.keyStorePath()); - factory.setKeyStore(createPemKeyStore(sslConfig.pemKeyStore())); - break; - } - - if (!sslConfig.trustStorePath().isEmpty()) { - factory.setTrustStorePath(sslConfig.trustStorePath()); - factory.setTrustStoreType(sslConfig.trustStoreType().toString()); - if (sslConfig.useTrustStorePassword()) { - factory.setTrustStorePassword(secretStore.getSecret(sslConfig.keyDbKey())); - } - } - - if (!sslConfig.prng().isEmpty()) { - factory.setSecureRandomAlgorithm(sslConfig.prng()); - } - - setStringArrayParameter( - factory, sslConfig.excludeProtocol(), ConnectorConfig.Ssl.ExcludeProtocol::name, SslContextFactory::setExcludeProtocols); - setStringArrayParameter( - factory, sslConfig.includeProtocol(), ConnectorConfig.Ssl.IncludeProtocol::name, SslContextFactory::setIncludeProtocols); - setStringArrayParameter( - factory, sslConfig.excludeCipherSuite(), ConnectorConfig.Ssl.ExcludeCipherSuite::name, SslContextFactory::setExcludeCipherSuites); - setStringArrayParameter( - factory, sslConfig.includeCipherSuite(), ConnectorConfig.Ssl.IncludeCipherSuite::name, 
SslContextFactory::setIncludeCipherSuites); - - factory.setKeyManagerFactoryAlgorithm(sslConfig.sslKeyManagerFactoryAlgorithm()); - factory.setProtocol(sslConfig.protocol()); - - return factory; - } - - private static void validateConfig(ConnectorConfig.Ssl config) { - if (!config.enabled()) return; - switch (config.keyStoreType()) { - case JKS: - validateJksConfig(config); - break; - case PEM: - validatePemConfig(config); - break; - } - if (!config.trustStorePath().isEmpty() && config.useTrustStorePassword() && config.keyDbKey().isEmpty()) { - throw new IllegalArgumentException("Missing password for JKS truststore"); - } - } - - private static void validateJksConfig(ConnectorConfig.Ssl ssl) { - if (!ssl.pemKeyStore().keyPath().isEmpty() || ! ssl.pemKeyStore().certificatePath().isEmpty()) { - throw new IllegalArgumentException("pemKeyStore attributes can not be set when keyStoreType is JKS."); - } - if (ssl.keyDbKey().isEmpty()) { - throw new IllegalArgumentException("Missing password for JKS keystore"); - } - } - - private static void validatePemConfig(ConnectorConfig.Ssl ssl) { - if (! ssl.keyStorePath().isEmpty()) { - throw new IllegalArgumentException("keyStorePath can not be set when keyStoreType is PEM"); - } - if (!ssl.keyDbKey().isEmpty()) { - log.warning("Encrypted PEM key stores are not supported. 
Password is only applied to truststore"); - } - if (ssl.pemKeyStore().certificatePath().isEmpty()) { - throw new IllegalArgumentException("Missing certificate path."); - } - if (ssl.pemKeyStore().keyPath().isEmpty()) { - throw new IllegalArgumentException("Missing key path."); - } - } - - private static KeyStore createPemKeyStore(ConnectorConfig.Ssl.PemKeyStore pemKeyStore) { - try { - Path certificatePath = Paths.get(pemKeyStore.certificatePath()); - Path keyPath = Paths.get(pemKeyStore.keyPath()); - return new PemSslKeyStore(certificatePath, keyPath).loadJavaKeyStore(); - } catch (IOException e) { - throw new UncheckedIOException(e); - } catch (Exception e) { - throw new RuntimeException("Failed setting up key store for " + pemKeyStore.keyPath() + ", " + pemKeyStore.certificatePath(), e); - } - } - - private static <T extends InnerNode> void setStringArrayParameter(SslContextFactory sslContextFactory, - List<T> configValues, - Function<T, String> nameProperty, - BiConsumer<SslContextFactory, String[]> setter) { - if (!configValues.isEmpty()) { - String[] nameArray = configValues.stream().map(nameProperty).toArray(String[]::new); - setter.accept(sslContextFactory, nameArray); - } - } - -} diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/pem/PemKeyStore.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/pem/PemKeyStore.java deleted file mode 100644 index b52e923662f..00000000000 --- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/pem/PemKeyStore.java +++ /dev/null 
@@ -1,336 +0,0 @@
-// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.jdisc.http.ssl.pem;
-
-import com.google.common.base.Preconditions;
-import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
-import org.bouncycastle.cert.X509CertificateHolder;
-import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
-import org.bouncycastle.openssl.PEMException;
-import org.bouncycastle.openssl.PEMKeyPair;
-import org.bouncycastle.openssl.PEMParser;
-import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
-
-import javax.annotation.concurrent.GuardedBy;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-import java.io.Reader;
-import java.io.UncheckedIOException;
-import java.nio.file.Files;
-import java.nio.file.Path;
-import java.security.Key;
-import java.security.KeyStore;
-import java.security.KeyStore.LoadStoreParameter;
-import java.security.KeyStoreException;
-import java.security.KeyStoreSpi;
-import java.security.NoSuchAlgorithmException;
-import java.security.UnrecoverableKeyException;
-import java.security.cert.Certificate;
-import java.security.cert.CertificateException;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.Date;
-import java.util.Enumeration;
-import java.util.LinkedHashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.Map.Entry;
-import java.util.function.Consumer;
-
-import static com.yahoo.jdisc.http.server.jetty.Exceptions.throwUnchecked;
-
-/**
- * Exposes keys and certificates from unencrypted PEM keystore.
- *
- * @author Tony Vaagenes
- * @author bjorncs
- */
-public class PemKeyStore extends KeyStoreSpi {
-
- private static String KEY_ALIAS = "KEY";
-
- static List<String> aliases = Collections.emptyList();
- static Map<String, String> attributes = Collections.emptyMap();
- private static final BouncyCastleProvider bouncyCastleProvider = new BouncyCastleProvider();
-
- @GuardedBy("this")
- private StoreRole storeRole;
- @GuardedBy("this")
- private Key privateKey;
- @GuardedBy("this")
- private final Map<String, Certificate> aliasToCertificate = new LinkedHashMap<>();
-
- /**
- * The user is responsible for closing any readers given in the parameter.
- */
- @Override
- public synchronized void engineLoad(LoadStoreParameter parameter) throws IOException {
- if (storeRole != null)
- throw new IllegalStateException("Already initialized.");
-
- if (parameter instanceof KeyStoreLoadParameter) {
- storeRole = new KeyStoreRole();
- loadKeyStore((KeyStoreLoadParameter) parameter);
- } else if (parameter instanceof TrustStoreLoadParameter) {
- storeRole = new TrustStoreRole();
- loadTrustStore((TrustStoreLoadParameter) parameter);
- } else {
- throw new IllegalArgumentException("Expected key store or trust store load parameter, got " + parameter.getClass());
- }
- }
-
- private void loadTrustStore(TrustStoreLoadParameter parameter) throws IOException {
- withPemParser(parameter.certificateReader, this::loadCertificates);
- }
-
- private void loadKeyStore(KeyStoreLoadParameter parameter) throws IOException{
- withPemParser(parameter.keyReader, this::loadPrivateKey);
- withPemParser(parameter.certificateReader, this::loadCertificates);
- }
-
- private static void withPemParser(ReaderForPath reader, Consumer<PEMParser> f) throws IOException {
- try {
- //parser.close() will close the underlying reader,
- //which we want to avoid.
- //See engineLoad comment.
- PEMParser parser = new PEMParser(reader.reader);
- f.accept(parser);
- } catch (Exception e) {
- throw new RuntimeException("Failed loading pem key store " + reader.path, e);
- }
- }
-
- private void loadPrivateKey(PEMParser parser) {
- try {
- Object object = parser.readObject();
- PrivateKeyInfo privateKeyInfo;
- if (object instanceof PEMKeyPair) { // Legacy PKCS1
- privateKeyInfo = ((PEMKeyPair) object).getPrivateKeyInfo();
- } else if (object instanceof PrivateKeyInfo) { // PKCS8
- privateKeyInfo = (PrivateKeyInfo) object;
- } else {
- throw new UnsupportedOperationException(
- "Expected " + PrivateKeyInfo.class + " or " + PEMKeyPair.class + ", got " + object.getClass());
- }
-
- Object nextObject = parser.readObject();
- if (nextObject != null) {
- throw new UnsupportedOperationException(
- "Expected a single private key, but found a second element " + nextObject.getClass());
- }
-
- setPrivateKey(privateKeyInfo);
- } catch (Exception e) {
- throw throwUnchecked(e);
- }
- }
-
- private synchronized void setPrivateKey(PrivateKeyInfo privateKey) throws PEMException {
- JcaPEMKeyConverter converter = new JcaPEMKeyConverter().setProvider(bouncyCastleProvider);
- this.privateKey = converter.getPrivateKey(privateKey);
- }
-
- private void loadCertificates(PEMParser parser) {
- try {
- Object pemObject;
- while ((pemObject = parser.readObject()) != null) {
- addCertificate(pemObject);
- }
-
- if (aliasToCertificate.isEmpty())
- throw new RuntimeException("No certificates available");
- } catch (Exception e) {
- throw throwUnchecked(e);
- }
- }
-
- private synchronized void addCertificate(Object pemObject) throws CertificateException {
- if (pemObject instanceof X509CertificateHolder) {
- JcaX509CertificateConverter converter = new JcaX509CertificateConverter().setProvider(bouncyCastleProvider);
- String alias = "cert-" + aliasToCertificate.size();
- aliasToCertificate.put(alias, converter.getCertificate((X509CertificateHolder) pemObject));
- } else {
- throw new UnsupportedOperationException("Expected X509 certificate, got " + pemObject.getClass());
- }
- }
-
- @Override
- public synchronized Enumeration<String> engineAliases() {
- return Collections.enumeration(storeRole.engineAliases());
-
- }
-
- @Override
- public synchronized boolean engineIsKeyEntry(String alias) {
- return KEY_ALIAS.equals(alias);
- }
-
- @Override
- public synchronized Key engineGetKey(String alias, char[] password) throws NoSuchAlgorithmException, UnrecoverableKeyException {
- Preconditions.checkArgument(KEY_ALIAS.equals(alias));
- return privateKey;
- }
-
- @Override
- public synchronized boolean engineIsCertificateEntry(String alias) {
- return aliasToCertificate.containsKey(alias);
- }
-
-
- @Override
- public synchronized Certificate engineGetCertificate(String alias) {
- return aliasToCertificate.get(alias);
- }
-
- @Override
- public synchronized Certificate[] engineGetCertificateChain(String alias) {
- Preconditions.checkArgument(KEY_ALIAS.equals(alias));
- return aliasToCertificate.values().toArray(new Certificate[aliasToCertificate.size()]);
- }
-
-
- @Override
- public synchronized boolean engineContainsAlias(String alias) {
- return storeRole.engineContainsAlias(alias);
- }
-
- @Override
- public synchronized int engineSize() {
- return storeRole.engineSize();
- }
-
- @Override
- public synchronized String engineGetCertificateAlias(final Certificate certificate) {
- for (Entry<String, Certificate> entry : aliasToCertificate.entrySet()) {
- if (entry.getValue() == certificate)
- return entry.getKey();
- }
-
- return null;
- }
-
- @Override
- public synchronized Date engineGetCreationDate(String alias) {
- throw new UnsupportedOperationException();
- }
-
- @Override
- public synchronized void engineSetKeyEntry(String alias, Key key, char[] password, Certificate[] chain) throws KeyStoreException {
- throw new UnsupportedOperationException();
- }
-
- @Override
- public synchronized void engineSetKeyEntry(String alias, byte[] key, Certificate[] chain) throws KeyStoreException {
- throw new UnsupportedOperationException();
- }
-
- @Override
- public synchronized void engineSetCertificateEntry(String alias, Certificate cert) throws KeyStoreException {
- throw new UnsupportedOperationException();
- }
-
- @Override
- public synchronized void engineDeleteEntry(String alias) throws KeyStoreException {
- throw new UnsupportedOperationException();
- }
-
-
- @Override
- public synchronized void engineStore(OutputStream stream, char[] password) throws IOException, NoSuchAlgorithmException, CertificateException {
- throw new UnsupportedOperationException();
- }
-
- @Override
- public synchronized void engineLoad(InputStream stream, char[] password) throws IOException, NoSuchAlgorithmException, CertificateException {
- throw new UnsupportedOperationException();
- }
-
- private interface StoreRole {
- Collection<String> engineAliases();
- boolean engineContainsAlias(String alias);
- int engineSize();
- }
-
- private class KeyStoreRole implements StoreRole {
- @Override
- public Collection<String> engineAliases() {
- return Collections.singletonList(KEY_ALIAS);
- }
-
- @Override
- public boolean engineContainsAlias(String alias) {
- return KEY_ALIAS.equals(alias);
- }
-
- @Override
- public int engineSize() {
- return 1;
- }
- }
-
- private class TrustStoreRole implements StoreRole{
- @Override
- public Collection<String> engineAliases() {
- return aliasToCertificate.keySet();
- }
-
- @Override
- public boolean engineContainsAlias(String alias) {
- return aliasToCertificate.containsKey(alias);
- }
-
- @Override
- public int engineSize() {
- return aliasToCertificate.size();
- }
- }
-
- // A reader along with the path used to construct it.
- private static class ReaderForPath {
- final Reader reader;
- final Path path;
-
- private ReaderForPath(Reader reader, Path path) {
- this.reader = reader;
- this.path = path;
- }
-
- static ReaderForPath of(Path path) {
- try {
- return new ReaderForPath(Files.newBufferedReader(path), path);
- } catch (IOException e) {
- throw new UncheckedIOException(e);
- }
- }
- }
-
- static class TrustStoreLoadParameter implements KeyStore.LoadStoreParameter {
- final ReaderForPath certificateReader;
-
- TrustStoreLoadParameter(Path certificateReader) {
- this.certificateReader = ReaderForPath.of(certificateReader);
- }
-
- @Override
- public KeyStore.ProtectionParameter getProtectionParameter() {
- return null;
- }
- }
-
- static class KeyStoreLoadParameter implements KeyStore.LoadStoreParameter {
- final ReaderForPath certificateReader;
- final ReaderForPath keyReader;
-
- KeyStoreLoadParameter(Path certificateReader, Path keyReader) {
- this.certificateReader = ReaderForPath.of(certificateReader);
- this.keyReader = ReaderForPath.of(keyReader);
- }
-
- @Override
- public KeyStore.ProtectionParameter getProtectionParameter() {
- return null;
- }
- }
-
-}
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/pem/PemSslKeyStore.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/pem/PemSslKeyStore.java
deleted file mode 100644
index fe41d74f692..00000000000
--- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/pem/PemSslKeyStore.java
+++ /dev/null
@@ -1,64 +0,0 @@
-// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.jdisc.http.ssl.pem;
-
-import com.yahoo.jdisc.http.ssl.pem.PemKeyStore.KeyStoreLoadParameter;
-import com.yahoo.jdisc.http.ssl.pem.PemKeyStore.TrustStoreLoadParameter;
-
-import java.io.IOException;
-import java.nio.file.Path;
-import java.security.KeyStore;
-import java.security.KeyStore.LoadStoreParameter;
-import java.security.KeyStoreException;
-import java.security.NoSuchAlgorithmException;
-import java.security.Provider;
-import java.security.Security;
-import java.security.cert.CertificateException;
-
-/**
- * Responsible for creating pem key stores.
- *
- * @author Tony Vaagenes
- * @author bjorncs
- */
-public class PemSslKeyStore {
-
- static {
- Security.addProvider(new PemKeyStoreProvider());
- }
-
- private static final String KEY_STORE_TYPE = "PEM";
-
- private final LoadStoreParameter loadParameter;
- private KeyStore keyStore;
-
- public PemSslKeyStore(Path certificatePath, Path keyPath) {
- this.loadParameter = new KeyStoreLoadParameter(certificatePath, keyPath);
- }
-
- public PemSslKeyStore(Path certificatePath) {
- this.loadParameter = new TrustStoreLoadParameter(certificatePath);
- }
-
- public KeyStore loadJavaKeyStore()
- throws KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException {
- if (keyStore == null) {
- keyStore = KeyStore.getInstance(KEY_STORE_TYPE);
- keyStore.load(loadParameter);
- }
- return keyStore;
- }
-
- private static class PemKeyStoreProvider extends Provider {
-
- static final String NAME = "PEMKeyStoreProvider";
- static final double VERSION = 1;
- static final String DESCRIPTION = "Provides PEM keystore support";
-
- @SuppressWarnings("deprecation") // TODO: Remove annotation and use new super ctor when we don't need Java 8 support anymore.
- PemKeyStoreProvider() {
- super(NAME, VERSION, DESCRIPTION);
- putService(new Service(this, "KeyStore", "PEM", PemKeyStore. class.getName(), PemKeyStore.aliases, PemKeyStore.attributes));
- }
- }
-
-}
diff --git a/jdisc_http_service/src/main/resources/configdefinitions/jdisc.http.connector.def b/jdisc_http_service/src/main/resources/configdefinitions/jdisc.http.connector.def
index 676fdbc8157..30c74ed2c35 100644
--- a/jdisc_http_service/src/main/resources/configdefinitions/jdisc.http.connector.def
+++ b/jdisc_http_service/src/main/resources/configdefinitions/jdisc.http.connector.def
@@ -25,10 +25,6 @@ acceptQueueSize int default=0
# Whether the server socket reuses addresses.
reuseAddress bool default=true
-# TODO Vespa 7: Remove soLingerTime - Jetty no longer support it.
-# DEPRECATED No longer in use
-soLingerTime double default=-1.0
-
# The maximum idle time for a connection, which roughly translates to the Socket.setSoTimeout(int).
idleTimeout double default=180.0
@@ -70,60 +66,3 @@ ssl.caCertificateFile string default=""
# Client authentication mode. See SSLEngine.getNeedClientAuth()/getWantClientAuth() for details.
ssl.clientAuth enum { DISABLED, WANT_AUTH, NEED_AUTH } default=DISABLED
-
-
-#########################################################################################
-# Config below is deprecated. Do not use
-#########################################################################################
-
-# The name of the key to the password to the key store if in the secret store, if JKS is used.
-# Must be empty with PEM
-# By default this is also used to look up the password to the trust store.
-ssl.keyDbKey string default=""
-# TODO Rename keyDbKey to keyStorePassword after introducing custom services.xml syntax
-
-# Names of protocols to exclude.
-ssl.excludeProtocol[].name string
-
-# Names of protocols to include.
-ssl.includeProtocol[].name string
-
-# Names of cipher suites to exclude.
-ssl.excludeCipherSuite[].name string
-
-# Names of cipher suites to include.
-ssl.includeCipherSuite[].name string
-
-# The type of the keystore.
-ssl.keyStoreType enum { JKS, PEM } default=JKS
-
-# JKS only - the path to the keystore.
-ssl.keyStorePath string default=""
-
-ssl.pemKeyStore.keyPath string default=""
-ssl.pemKeyStore.certificatePath string default=""
-
-ssl.trustStoreType enum { JKS } default=JKS
-
-# JKS only - the path to the truststore.
-ssl.trustStorePath string default=""
-
-# TODO Add separate config for truststore password
-
-# Whether we should use keyDbKey as password to the trust store (true, default),
-# or use no password with the trust store (false)
-ssl.useTrustStorePassword bool default=true
-# TODO Fix broken semantics with truststore and keystore password in Vespa 7 / Vespa 8
-
-# The algorithm name used by the KeyManagerFactory.
-ssl.sslKeyManagerFactoryAlgorithm string default="SunX509"
-
-# The SSL protocol passed to SSLContext.getInstance()
-ssl.protocol string default="TLS"
-
-# The SecureRandom implementation passed to SSLEngine.init()
-# Java have a default pseudo-random number generator (PRNG) for crypto operations. This default may have performance
-# issues on some platform (e.g. NativePRNG in Linux utilizes a global lock). Changing the generator to SHA1PRNG may
-# improve performance. Set value to empty string to use the default generator.
-ssl.prng string default=""
-
|