author | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2019-02-07 15:40:18 +0100 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2019-02-21 11:10:39 +0100 |
commit | f444dd86cfae0736353271463350fd6bc517e4ba (patch) | |
tree | f9f66a442fcf1b220750d50113d6b1952dcf7a54 /jdisc_http_service | |
parent | fc9740b88f095864f4955e5caf0fbef67f5e2479 (diff) |
Convert JDisc http connectors to https when TLS is configured through env vars
Diffstat (limited to 'jdisc_http_service')
3 files changed, 93 insertions, 12 deletions
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java
index f9892759fbd..5d3550db9d2 100644
--- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java
@@ -5,9 +5,12 @@ import com.google.inject.Inject;
 import com.yahoo.jdisc.Metric;
 import com.yahoo.jdisc.http.ConnectorConfig;
 import com.yahoo.jdisc.http.ssl.SslContextFactoryProvider;
+import com.yahoo.security.tls.TransportSecurityUtils;
 import org.eclipse.jetty.http.HttpVersion;
+import org.eclipse.jetty.server.ConnectionFactory;
 import org.eclipse.jetty.server.HttpConfiguration;
 import org.eclipse.jetty.server.HttpConnectionFactory;
+import org.eclipse.jetty.server.OptionalSslConnectionFactory;
 import org.eclipse.jetty.server.SecureRequestCustomizer;
 import org.eclipse.jetty.server.Server;
 import org.eclipse.jetty.server.ServerConnector;
@@ -15,6 +18,7 @@ import org.eclipse.jetty.server.SslConnectionFactory;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
 
 import java.nio.channels.ServerSocketChannel;
+import java.util.List;
 
 /**
  * @author Einar M R Rosenvinge
@@ -37,15 +41,8 @@ public class ConnectorFactory {
     }
 
     public ServerConnector createConnector(final Metric metric, final Server server, final ServerSocketChannel ch) {
-        ServerConnector connector;
-        if (connectorConfig.ssl().enabled()) {
-            connector = new JDiscServerConnector(connectorConfig, metric, server, ch,
-                                                 newSslConnectionFactory(),
-                                                 newHttpConnectionFactory());
-        } else {
-            connector = new JDiscServerConnector(connectorConfig, metric, server, ch,
-                                                 newHttpConnectionFactory());
-        }
+        ServerConnector connector = new JDiscServerConnector(
+                connectorConfig, metric, server, ch, createConnectionFactories().toArray(ConnectionFactory[]::new));
         connector.setPort(connectorConfig.listenPort());
         connector.setName(connectorConfig.name());
         connector.setAcceptQueueSize(connectorConfig.acceptQueueSize());
@@ -55,6 +52,26 @@ public class ConnectorFactory {
         return connector;
     }
 
+    private List<ConnectionFactory> createConnectionFactories() {
+        HttpConnectionFactory httpConnectionFactory = newHttpConnectionFactory();
+        if (connectorConfig.ssl().enabled()) {
+            return List.of(newSslConnectionFactory(), httpConnectionFactory);
+        } else if (TransportSecurityUtils.isTransportSecurityEnabled()) {
+            SslConnectionFactory sslConnectionsFactory = newSslConnectionFactory();
+            switch (TransportSecurityUtils.getInsecureMixedMode()) {
+                case TLS_CLIENT_MIXED_SERVER:
+                case PLAINTEXT_CLIENT_MIXED_SERVER:
+                    return List.of(newOptionalSslConnectionFactory(sslConnectionsFactory), sslConnectionsFactory, httpConnectionFactory);
+                case DISABLED:
+                    return List.of(sslConnectionsFactory, httpConnectionFactory);
+                default:
+                    throw new IllegalStateException();
+            }
+        } else {
+            return List.of(httpConnectionFactory);
+        }
+    }
+
     private HttpConnectionFactory newHttpConnectionFactory() {
         HttpConfiguration httpConfig = new HttpConfiguration();
         httpConfig.setSendDateHeader(true);
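Review bot: The `default: throw new IllegalStateException();` in createConnectionFactories drops the offending mixed-mode value, so a connector that fails here at startup gives no hint of which setting was rejected; bind the mode to a local and report it, `var mixedMode = TransportSecurityUtils.getInsecureMixedMode();` before the switch and `throw new IllegalStateException("Unsupported insecure mixed mode: " + mixedMode);` in the default arm. The two mixed-mode cases also deserve a line stating the consequence rather than leaving it to the enum names: with OptionalSslConnectionFactory in front, the same port accepts both TLS and plaintext connections, so peer authentication is only enforced for clients that chose TLS — `// Mixed modes: OptionalSslConnectionFactory lets this port accept both TLS and plaintext; the server side is identical for both client modes`. The rest of ConnectorFactory, including newSslConnectionFactory and the injected SslContextFactoryProvider it relies on, lies outside this hunk.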
@@ -64,7 +81,7 @@ public class ConnectorFactory {
         httpConfig.setOutputBufferSize(connectorConfig.outputBufferSize());
         httpConfig.setRequestHeaderSize(connectorConfig.requestHeaderSize());
         httpConfig.setResponseHeaderSize(connectorConfig.responseHeaderSize());
-        if (connectorConfig.ssl().enabled()) {
+        if (connectorConfig.ssl().enabled() || TransportSecurityUtils.isTransportSecurityEnabled()) { // TODO Cleanup once mixed mode is gone
             httpConfig.addCustomizer(new SecureRequestCustomizer());
         }
         return new HttpConnectionFactory(httpConfig);
@@ -75,4 +92,8 @@ public class ConnectorFactory {
         return new SslConnectionFactory(factory, HttpVersion.HTTP_1_1.asString());
     }
 
+    private OptionalSslConnectionFactory newOptionalSslConnectionFactory(SslConnectionFactory sslConnectionsFactory) {
+        return new OptionalSslConnectionFactory(sslConnectionsFactory, HttpVersion.HTTP_1_1.asString());
+    }
+
 }
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/impl/DefaultSslContextFactoryProvider.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/impl/DefaultSslContextFactoryProvider.java
index 92c4f2333b5..03796c551e5 100644
--- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/impl/DefaultSslContextFactoryProvider.java
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/impl/DefaultSslContextFactoryProvider.java
@@ -1,7 +1,11 @@
 // Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.jdisc.http.ssl.impl;
 
+import com.yahoo.component.AbstractComponent;
 import com.yahoo.jdisc.http.ssl.SslContextFactoryProvider;
+import com.yahoo.security.tls.ReloadingTlsContext;
+import com.yahoo.security.tls.TlsContext;
+import com.yahoo.security.tls.TransportSecurityUtils;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
 
 /**
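Review bot: The widened condition on the `if` in newHttpConnectionFactory repeats the predicate that createConnectionFactories already branches on (`connectorConfig.ssl().enabled()` versus `TransportSecurityUtils.isTransportSecurityEnabled()`), and the two will drift if one is changed without the other; a small helper, `private boolean tlsEnabled() { return connectorConfig.ssl().enabled() || TransportSecurityUtils.isTransportSecurityEnabled(); }`, keeps them in step. The `// TODO Cleanup once mixed mode is gone` comment also says nothing about why it is acceptable to install SecureRequestCustomizer on a connector that, in mixed mode, also serves plaintext; if the customizer is known to populate TLS request attributes only for requests that arrived over an SSL endpoint, say so: `// SecureRequestCustomizer only acts on requests that arrived over TLS, so it is harmless for plaintext connections in mixed mode — TODO drop the env-var check once mixed mode is gone`. newHttpConnectionFactory begins before this hunk.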
@@ -9,9 +13,23 @@ import org.eclipse.jetty.util.ssl.SslContextFactory;
  *
  * @author bjorncs
  */
-public class DefaultSslContextFactoryProvider implements SslContextFactoryProvider {
+public class DefaultSslContextFactoryProvider extends AbstractComponent implements SslContextFactoryProvider {
+
+    private final TlsContext tlsContext = TransportSecurityUtils.getConfigFile()
+            .map(configFile -> new ReloadingTlsContext(configFile, TransportSecurityUtils.getInsecureAuthorizationMode()))
+            .orElse(null);
+
     @Override
     public SslContextFactory getInstance(String containerId, int port) {
-        throw new UnsupportedOperationException();
+        if (tlsContext != null) {
+            return new TlsContextManagedSslContextFactory(tlsContext);
+        } else {
+            throw new UnsupportedOperationException();
+        }
+    }
+
+    @Override
+    public void deconstruct() {
+        tlsContext.close();
     }
 }
\ No newline at end of file
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/impl/TlsContextManagedSslContextFactory.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/impl/TlsContextManagedSslContextFactory.java
new file mode 100644
index 00000000000..d7d28e7d242
--- /dev/null
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/impl/TlsContextManagedSslContextFactory.java
@@ -0,0 +1,42 @@
+// Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.jdisc.http.ssl.impl;
+
+import com.yahoo.security.tls.TlsContext;
+import org.eclipse.jetty.util.ssl.SslContextFactory;
+
+import javax.net.ssl.SSLEngine;
+import java.net.InetSocketAddress;
+
+/**
+ * A Jetty {@link SslContextFactory} backed by {@link TlsContext}.
+ * Overrides methods that are used by Jetty to construct ssl sockets and ssl engines.
+ *
+ * @author bjorncs
+ */
+class TlsContextManagedSslContextFactory extends SslContextFactory {
+
+    private final TlsContext tlsContext;
+
+    TlsContextManagedSslContextFactory(TlsContext tlsContext) {
+        this.tlsContext = tlsContext;
+    }
+
+    @Override protected void doStart() { } // Override default behaviour
+    @Override protected void doStop() { } // Override default behaviour
+
+    @Override
+    public SSLEngine newSSLEngine() {
+        return tlsContext.createSslEngine();
+    }
+
+    @Override
+    public SSLEngine newSSLEngine(InetSocketAddress address) {
+        return tlsContext.createSslEngine(address.getHostString(), address.getPort());
+    }
+
+    @Override
+    public SSLEngine newSSLEngine(String host, int port) {
+        return tlsContext.createSslEngine(host, port);
+    }
+
+}
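Review bot: `deconstruct()` in DefaultSslContextFactoryProvider calls `tlsContext.close()` without a null check, while the field initializer deliberately leaves `tlsContext` null when `TransportSecurityUtils.getConfigFile()` is empty — the very case `getInstance` guards against — so a container deployed without TLS configuration throws NullPointerException on deconstruction. Guard it: `if (tlsContext != null) tlsContext.close();`. The bare `UnsupportedOperationException()` in `getInstance` would also be more useful to operators with a reason, e.g. `throw new UnsupportedOperationException("No TLS configuration file available; connector " + containerId + ":" + port + " cannot be secured");`. A short class comment noting that the single ReloadingTlsContext instance is shared by every SslContextFactory this provider hands out, and is closed for all of them in deconstruct, would help future readers.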
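Review bot: The class Javadoc of TlsContextManagedSslContextFactory promises overrides for the methods Jetty uses to construct ssl sockets and ssl engines, yet only the three `newSSLEngine` overloads are overridden, and with `doStart()` reduced to a no-op the base class never builds its own SSLContext, so any inherited socket-creating method or `getSslContext()` caller would operate on uninitialised state (presumably unreachable through ServerConnector, but the doc should not imply otherwise). Narrow the Javadoc to the SSLEngine factory methods and state that socket creation and the inherited keystore/cipher configuration are intentionally unsupported. The two `// Override default behaviour` comments should say why: `// No-op: TlsContext owns key material, trust and reloading, so the base class must not load keystores or build an SSLContext`. Worth confirming that `tlsContext.createSslEngine(...)` also applies the protocol and cipher-suite restrictions that the skipped base-class start-up and per-engine customisation would otherwise have applied.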