diff options
author | Bjørn Christian Seime <bjorncs@oath.com> | 2018-09-04 16:52:55 +0200 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@oath.com> | 2018-09-12 10:49:39 +0200 |
commit | 1aa8fa49301a0ca39609d3b6376f169398416331 (patch) | |
tree | e179266b126631fa752f1da36fc28675ce8862b3 /jdisc_http_service | |
parent | c2e248d9c0d8e687d09dee71823f634b38a3374a (diff) |
Move logic for creating default SslContextFactory to DefaultSslContextFactoryProvider
Diffstat (limited to 'jdisc_http_service')
-rw-r--r-- | jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java | 73 | ||||
-rw-r--r-- | jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/DefaultSslContextFactoryProvider.java | 84 | ||||
-rw-r--r-- | jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/JDiscSslContextFactory.java (renamed from jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/JDiscSslContextFactory.java) | 2 | ||||
-rw-r--r-- | jdisc_http_service/src/test/java/com/yahoo/jdisc/http/guiceModules/ConnectorFactoryRegistryModule.java | 7 | ||||
-rw-r--r-- | jdisc_http_service/src/test/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactoryTest.java | 7 |
5 files changed, 100 insertions, 73 deletions
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java index 8a829d33c1b..f9892759fbd 100644 --- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java +++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java @@ -2,18 +2,9 @@ package com.yahoo.jdisc.http.server.jetty; import com.google.inject.Inject; -import com.yahoo.config.InnerNode; import com.yahoo.jdisc.Metric; import com.yahoo.jdisc.http.ConnectorConfig; -import com.yahoo.jdisc.http.ConnectorConfig.Ssl; -import com.yahoo.jdisc.http.ConnectorConfig.Ssl.ExcludeCipherSuite; -import com.yahoo.jdisc.http.ConnectorConfig.Ssl.ExcludeProtocol; -import com.yahoo.jdisc.http.ConnectorConfig.Ssl.IncludeCipherSuite; -import com.yahoo.jdisc.http.ConnectorConfig.Ssl.IncludeProtocol; -import com.yahoo.jdisc.http.ssl.DefaultSslKeyStoreContext; -import com.yahoo.jdisc.http.ssl.DefaultSslTrustStoreContext; -import com.yahoo.jdisc.http.ssl.SslKeyStoreConfigurator; -import com.yahoo.jdisc.http.ssl.SslTrustStoreConfigurator; +import com.yahoo.jdisc.http.ssl.SslContextFactoryProvider; import org.eclipse.jetty.http.HttpVersion; import org.eclipse.jetty.server.HttpConfiguration; import org.eclipse.jetty.server.HttpConnectionFactory; @@ -24,10 +15,6 @@ import org.eclipse.jetty.server.SslConnectionFactory; import org.eclipse.jetty.util.ssl.SslContextFactory; import java.nio.channels.ServerSocketChannel; -import java.util.Arrays; -import java.util.List; -import java.util.function.BiConsumer; -import java.util.function.Function; /** * @author Einar M R Rosenvinge @@ -36,16 +23,13 @@ import java.util.function.Function; public class ConnectorFactory { private final ConnectorConfig connectorConfig; - private final SslKeyStoreConfigurator sslKeyStoreConfigurator; - private final SslTrustStoreConfigurator sslTrustStoreConfigurator; + private final SslContextFactoryProvider sslContextFactoryProvider; @Inject public ConnectorFactory(ConnectorConfig connectorConfig, - SslKeyStoreConfigurator sslKeyStoreConfigurator, - SslTrustStoreConfigurator sslTrustStoreConfigurator) { + SslContextFactoryProvider sslContextFactoryProvider) { this.connectorConfig = connectorConfig; - this.sslKeyStoreConfigurator = sslKeyStoreConfigurator; - this.sslTrustStoreConfigurator = sslTrustStoreConfigurator; + this.sslContextFactoryProvider = sslContextFactoryProvider; } public ConnectorConfig getConnectorConfig() { @@ -87,55 +71,8 @@ public class ConnectorFactory { } private SslConnectionFactory newSslConnectionFactory() { - Ssl sslConfig = connectorConfig.ssl(); - - SslContextFactory factory = new JDiscSslContextFactory(); - - sslKeyStoreConfigurator.configure(new DefaultSslKeyStoreContext(factory)); - sslTrustStoreConfigurator.configure(new DefaultSslTrustStoreContext(factory)); - - switch (sslConfig.clientAuth()) { - case NEED_AUTH: - factory.setNeedClientAuth(true); - break; - case WANT_AUTH: - factory.setWantClientAuth(true); - break; - } - - if (!sslConfig.prng().isEmpty()) { - factory.setSecureRandomAlgorithm(sslConfig.prng()); - } - - // NOTE: ^TLS_RSA_.*$ ciphers are disabled by default in Jetty 9.4.12+ (https://github.com/eclipse/jetty.project/issues/2807) - // JDisc will allow these ciphers by default to support older clients (e.g. Java 8u60 and curl 7.29.0) - String[] excludedCiphersWithoutTlsRsaExclusion = Arrays.stream(factory.getExcludeCipherSuites()) - .filter(cipher -> !cipher.equals("^TLS_RSA_.*$")) - .toArray(String[]::new); - factory.setExcludeCipherSuites(excludedCiphersWithoutTlsRsaExclusion); - - setStringArrayParameter( - factory, sslConfig.excludeProtocol(), ExcludeProtocol::name, SslContextFactory::setExcludeProtocols); - setStringArrayParameter( - factory, sslConfig.includeProtocol(), IncludeProtocol::name, SslContextFactory::setIncludeProtocols); - setStringArrayParameter( - factory, sslConfig.excludeCipherSuite(), ExcludeCipherSuite::name, SslContextFactory::setExcludeCipherSuites); - setStringArrayParameter( - factory, sslConfig.includeCipherSuite(), IncludeCipherSuite::name, SslContextFactory::setIncludeCipherSuites); - - factory.setKeyManagerFactoryAlgorithm(sslConfig.sslKeyManagerFactoryAlgorithm()); - factory.setProtocol(sslConfig.protocol()); + SslContextFactory factory = sslContextFactoryProvider.getInstance(connectorConfig.name(), connectorConfig.listenPort()); return new SslConnectionFactory(factory, HttpVersion.HTTP_1_1.asString()); } - private static <T extends InnerNode> void setStringArrayParameter(SslContextFactory sslContextFactory, - List<T> configValues, - Function<T, String> nameProperty, - BiConsumer<SslContextFactory, String[]> setter) { - if (!configValues.isEmpty()) { - String[] nameArray = configValues.stream().map(nameProperty).toArray(String[]::new); - setter.accept(sslContextFactory, nameArray); - } - } - } diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/DefaultSslContextFactoryProvider.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/DefaultSslContextFactoryProvider.java new file mode 100644 index 00000000000..9e27a792a6a --- /dev/null +++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/DefaultSslContextFactoryProvider.java @@ -0,0 +1,84 @@ +// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. +package com.yahoo.jdisc.http.ssl; + +import com.yahoo.config.InnerNode; +import com.yahoo.jdisc.http.ConnectorConfig; +import org.eclipse.jetty.util.ssl.SslContextFactory; + +import java.util.Arrays; +import java.util.List; +import java.util.function.BiConsumer; +import java.util.function.Function; + +/** + * JDisc's default implementation of {@link SslContextFactoryProvider} that uses the {@link ConnectorConfig} to construct a {@link SslContextFactory}. + * + * @author bjorncs + */ +public class DefaultSslContextFactoryProvider implements SslContextFactoryProvider { + + private final ConnectorConfig connectorConfig; + private final SslKeyStoreConfigurator sslKeyStoreConfigurator; + private final SslTrustStoreConfigurator sslTrustStoreConfigurator; + + public DefaultSslContextFactoryProvider(ConnectorConfig connectorConfig, + SslKeyStoreConfigurator sslKeyStoreConfigurator, + SslTrustStoreConfigurator sslTrustStoreConfigurator) { + this.connectorConfig = connectorConfig; + this.sslKeyStoreConfigurator = sslKeyStoreConfigurator; + this.sslTrustStoreConfigurator = sslTrustStoreConfigurator; + } + + @Override + public SslContextFactory getInstance(String containerId, int port) { + ConnectorConfig.Ssl sslConfig = connectorConfig.ssl(); + SslContextFactory factory = new JDiscSslContextFactory(); + + sslKeyStoreConfigurator.configure(new DefaultSslKeyStoreContext(factory)); + sslTrustStoreConfigurator.configure(new DefaultSslTrustStoreContext(factory)); + + switch (sslConfig.clientAuth()) { + case NEED_AUTH: + factory.setNeedClientAuth(true); + break; + case WANT_AUTH: + factory.setWantClientAuth(true); + break; + } + + if (!sslConfig.prng().isEmpty()) { + factory.setSecureRandomAlgorithm(sslConfig.prng()); + } + + // NOTE: All ciphers matching ^TLS_RSA_.*$ are disabled by default in Jetty 9.4.12+ (https://github.com/eclipse/jetty.project/issues/2807) + // JDisc will allow these ciphers by default to support older clients (e.g. Java 8u60 and curl 7.29.0) + // Removing the exclusion will allow for the TLS_RSA variants that are not covered by other exclusions + String[] excludedCiphersWithoutTlsRsaExclusion = Arrays.stream(factory.getExcludeCipherSuites()) + .filter(cipher -> !cipher.equals("^TLS_RSA_.*$")) + .toArray(String[]::new); + factory.setExcludeCipherSuites(excludedCiphersWithoutTlsRsaExclusion); + + setStringArrayParameter( + factory, sslConfig.excludeProtocol(), ConnectorConfig.Ssl.ExcludeProtocol::name, SslContextFactory::setExcludeProtocols); + setStringArrayParameter( + factory, sslConfig.includeProtocol(), ConnectorConfig.Ssl.IncludeProtocol::name, SslContextFactory::setIncludeProtocols); + setStringArrayParameter( + factory, sslConfig.excludeCipherSuite(), ConnectorConfig.Ssl.ExcludeCipherSuite::name, SslContextFactory::setExcludeCipherSuites); + setStringArrayParameter( + factory, sslConfig.includeCipherSuite(), ConnectorConfig.Ssl.IncludeCipherSuite::name, SslContextFactory::setIncludeCipherSuites); + + factory.setKeyManagerFactoryAlgorithm(sslConfig.sslKeyManagerFactoryAlgorithm()); + factory.setProtocol(sslConfig.protocol()); + return factory; + } + + private static <T extends InnerNode> void setStringArrayParameter(SslContextFactory sslContextFactory, + List<T> configValues, + Function<T, String> nameProperty, + BiConsumer<SslContextFactory, String[]> setter) { + if (!configValues.isEmpty()) { + String[] nameArray = configValues.stream().map(nameProperty).toArray(String[]::new); + setter.accept(sslContextFactory, nameArray); + } + } +} diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/JDiscSslContextFactory.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/JDiscSslContextFactory.java index 81a6a0c8048..dcd9435334d 100644 --- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/JDiscSslContextFactory.java +++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/JDiscSslContextFactory.java @@ -1,5 +1,5 @@ // Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.jdisc.http.server.jetty; +package com.yahoo.jdisc.http.ssl; import org.eclipse.jetty.util.resource.Resource; import org.eclipse.jetty.util.security.CertificateUtils; diff --git a/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/guiceModules/ConnectorFactoryRegistryModule.java b/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/guiceModules/ConnectorFactoryRegistryModule.java index d1a78f33e8f..5e586f5e59e 100644 --- a/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/guiceModules/ConnectorFactoryRegistryModule.java +++ b/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/guiceModules/ConnectorFactoryRegistryModule.java @@ -11,6 +11,7 @@ import com.yahoo.jdisc.http.ConnectorConfig.Builder; import com.yahoo.jdisc.http.server.jetty.ConnectorFactory; import com.yahoo.jdisc.http.server.jetty.TestDrivers; +import com.yahoo.jdisc.http.ssl.DefaultSslContextFactoryProvider; import com.yahoo.jdisc.http.ssl.DefaultSslKeyStoreConfigurator; import com.yahoo.jdisc.http.ssl.DefaultSslTrustStoreConfigurator; @@ -49,8 +50,10 @@ public class ConnectorFactoryRegistryModule implements Module { public StaticKeyDbConnectorFactory(ConnectorConfig connectorConfig) { super(connectorConfig, - new DefaultSslKeyStoreConfigurator(connectorConfig, new MockSecretStore()), - new DefaultSslTrustStoreConfigurator(connectorConfig, new MockSecretStore())); + new DefaultSslContextFactoryProvider( + connectorConfig, + new DefaultSslKeyStoreConfigurator(connectorConfig, new MockSecretStore()), + new DefaultSslTrustStoreConfigurator(connectorConfig, new MockSecretStore()))); } } diff --git a/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactoryTest.java b/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactoryTest.java index 083be36043e..d504e8be288 100644 --- a/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactoryTest.java +++ b/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactoryTest.java @@ -3,6 +3,7 @@ package com.yahoo.jdisc.http.server.jetty; import com.yahoo.jdisc.Metric; import com.yahoo.jdisc.http.ConnectorConfig; +import com.yahoo.jdisc.http.ssl.DefaultSslContextFactoryProvider; import com.yahoo.jdisc.http.ssl.DefaultSslKeyStoreConfigurator; import com.yahoo.jdisc.http.ssl.DefaultSslTrustStoreConfigurator; import org.eclipse.jetty.server.Request; @@ -108,8 +109,10 @@ public class ConnectorFactoryTest { private static ConnectorFactory createConnectorFactory(ConnectorConfig config) { ThrowingSecretStore secretStore = new ThrowingSecretStore(); return new ConnectorFactory(config, - new DefaultSslKeyStoreConfigurator(config, secretStore), - new DefaultSslTrustStoreConfigurator(config, secretStore)); + new DefaultSslContextFactoryProvider( + config, + new DefaultSslKeyStoreConfigurator(config, secretStore), + new DefaultSslTrustStoreConfigurator(config, secretStore))); } private static class HelloWorldHandler extends AbstractHandler { |