authorBjørn Christian Seime <bjorncs@oath.com>2018-09-13 11:24:08 +0200
committerBjørn Christian Seime <bjorncs@oath.com>2018-09-13 11:24:08 +0200
commita743f2ea83790a59097c12d51765eac902a5b349 (patch)
tree01322982885e2449d70c962ced737ce7906832c8 /jdisc_http_service
parent88a8ed4e3223d761a7943ad646dba25b3b70ed4c (diff)
Move old ssl logic for connectors into LegacySslProvider
- Inject LegacySslContextFactoryProvider if not using ssl/ssl-provider syntax - Update JDisc unit tests to use new connector config
Diffstat (limited to 'jdisc_http_service')
-rw-r--r--jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/DefaultSslContextFactoryProvider.java128
-rw-r--r--jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/LegacySslContextFactoryProvider.java163
-rw-r--r--jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/ThrowingSslContextFactoryProvider.java16
-rw-r--r--jdisc_http_service/src/test/java/com/yahoo/jdisc/http/JksKeyStore.java41
-rw-r--r--jdisc_http_service/src/test/java/com/yahoo/jdisc/http/SslContextFactory.java82
-rw-r--r--jdisc_http_service/src/test/java/com/yahoo/jdisc/http/guiceModules/ConnectorFactoryRegistryModule.java12
-rw-r--r--jdisc_http_service/src/test/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactoryTest.java12
-rw-r--r--jdisc_http_service/src/test/java/com/yahoo/jdisc/http/server/jetty/TestDriver.java18
-rw-r--r--jdisc_http_service/src/test/java/com/yahoo/jdisc/http/server/jetty/TestDrivers.java22
-rw-r--r--jdisc_http_service/src/test/resources/ssl_keystore_test.jksbin2061 -> 0 bytes
10 files changed, 188 insertions, 306 deletions
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/DefaultSslContextFactoryProvider.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/DefaultSslContextFactoryProvider.java
index 39dfef480f3..f2d5d42ee2c 100644
--- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/DefaultSslContextFactoryProvider.java
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/DefaultSslContextFactoryProvider.java
@@ -31,22 +31,17 @@ import java.util.logging.Logger;
*/
public class DefaultSslContextFactoryProvider implements SslContextFactoryProvider {
- private static final Logger log = Logger.getLogger(DefaultSslContextFactoryProvider.class.getName());
-
private final ConnectorConfig connectorConfig;
- @SuppressWarnings("deprecation")
- private final com.yahoo.jdisc.http.SecretStore secretStore;
- public DefaultSslContextFactoryProvider(ConnectorConfig connectorConfig,
- @SuppressWarnings("deprecation") com.yahoo.jdisc.http.SecretStore secretStore) {
+ public DefaultSslContextFactoryProvider(ConnectorConfig connectorConfig) {
validateConfig(connectorConfig.ssl());
this.connectorConfig = connectorConfig;
- this.secretStore = secretStore;
}
@Override
public SslContextFactory getInstance(String containerId, int port) {
ConnectorConfig.Ssl sslConfig = connectorConfig.ssl();
+ if (!sslConfig.enabled()) throw new IllegalStateException();
SslContextFactory factory = new JDiscSslContextFactory();
switch (sslConfig.clientAuth()) {
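Review bot: The new guard `if (!sslConfig.enabled()) throw new IllegalStateException();` throws with no message, so a provider wired to a non-SSL connector surfaces as an unexplained stack trace, and since `validateConfig` deliberately returns early for disabled SSL this is the only place the mismatch is reported. Suggest `if (!sslConfig.enabled()) throw new IllegalStateException("SSL is not enabled for connector on port " + port + " (container " + containerId + ")");`. The `clientAuth` switch that begins on the hunk's last line continues outside the hunk.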
@@ -67,116 +62,24 @@ public class DefaultSslContextFactoryProvider implements SslContextFactoryProvid
factory.setExcludeCipherSuites(excludedCiphersWithoutTlsRsaExclusion);
// Check if using new ssl syntax from services.xml
- if (!sslConfig.privateKeyFile().isEmpty()) {
- factory.setKeyStore(createKeystore(sslConfig));
- if (!sslConfig.caCertificateFile().isEmpty()) {
- factory.setTrustStore(createTruststore(sslConfig));
- }
- factory.setProtocol("TLS");
- } else { // TODO Vespa 7: Remove support for deprecated ssl connector config
- configureUsingDeprecatedConnectorConfig(sslConfig, factory);
+ factory.setKeyStore(createKeystore(sslConfig));
+ factory.setKeyStorePassword("");
+ if (!sslConfig.caCertificateFile().isEmpty()) {
+ factory.setTrustStore(createTruststore(sslConfig));
}
+ factory.setProtocol("TLS");
return factory;
}
- private void configureUsingDeprecatedConnectorConfig(ConnectorConfig.Ssl sslConfig, SslContextFactory factory) {
- switch (sslConfig.keyStoreType()) {
- case JKS:
- factory.setKeyStorePath(sslConfig.keyStorePath());
- factory.setKeyStoreType("JKS");
- factory.setKeyStorePassword(secretStore.getSecret(sslConfig.keyDbKey()));
- break;
- case PEM:
- factory.setKeyStorePath(sslConfig.keyStorePath());
- factory.setKeyStore(createPemKeyStore(sslConfig.pemKeyStore()));
- break;
- }
-
- if (!sslConfig.trustStorePath().isEmpty()) {
- factory.setTrustStorePath(sslConfig.trustStorePath());
- factory.setTrustStoreType(sslConfig.trustStoreType().toString());
- if (sslConfig.useTrustStorePassword()) {
- factory.setTrustStorePassword(secretStore.getSecret(sslConfig.keyDbKey()));
- }
- }
-
- if (!sslConfig.prng().isEmpty()) {
- factory.setSecureRandomAlgorithm(sslConfig.prng());
- }
-
- setStringArrayParameter(
- factory, sslConfig.excludeProtocol(), ConnectorConfig.Ssl.ExcludeProtocol::name, SslContextFactory::setExcludeProtocols);
- setStringArrayParameter(
- factory, sslConfig.includeProtocol(), ConnectorConfig.Ssl.IncludeProtocol::name, SslContextFactory::setIncludeProtocols);
- setStringArrayParameter(
- factory, sslConfig.excludeCipherSuite(), ConnectorConfig.Ssl.ExcludeCipherSuite::name, SslContextFactory::setExcludeCipherSuites);
- setStringArrayParameter(
- factory, sslConfig.includeCipherSuite(), ConnectorConfig.Ssl.IncludeCipherSuite::name, SslContextFactory::setIncludeCipherSuites);
-
- factory.setKeyManagerFactoryAlgorithm(sslConfig.sslKeyManagerFactoryAlgorithm());
- factory.setProtocol(sslConfig.protocol());
- }
-
private static void validateConfig(ConnectorConfig.Ssl config) {
if (!config.enabled()) return;
- if (!config.privateKeyFile().isEmpty()) {
- if (config.certificateFile().isEmpty()) {
- throw new IllegalArgumentException("Missing certificate file.");
- }
- } else {
- validateConfigUsingDeprecatedConnectorConfig(config);
- }
- }
-
- private static void validateConfigUsingDeprecatedConnectorConfig(ConnectorConfig.Ssl config) {
- switch (config.keyStoreType()) {
- case JKS:
- validateJksConfig(config);
- break;
- case PEM:
- validatePemConfig(config);
- break;
+ if (config.certificateFile().isEmpty()) {
+ throw new IllegalArgumentException("Missing certificate file.");
}
- if (!config.trustStorePath().isEmpty() && config.useTrustStorePassword() && config.keyDbKey().isEmpty()) {
- throw new IllegalArgumentException("Missing password for JKS truststore");
+ if (config.privateKeyFile().isEmpty()) {
+ throw new IllegalArgumentException("Missing private key file.");
}
- }
-
- private static void validateJksConfig(ConnectorConfig.Ssl ssl) {
- if (!ssl.pemKeyStore().keyPath().isEmpty() || ! ssl.pemKeyStore().certificatePath().isEmpty()) {
- throw new IllegalArgumentException("pemKeyStore attributes can not be set when keyStoreType is JKS.");
- }
- if (ssl.keyDbKey().isEmpty()) {
- throw new IllegalArgumentException("Missing password for JKS keystore");
- }
- }
- private static void validatePemConfig(ConnectorConfig.Ssl ssl) {
- if (! ssl.keyStorePath().isEmpty()) {
- throw new IllegalArgumentException("keyStorePath can not be set when keyStoreType is PEM");
- }
- if (!ssl.keyDbKey().isEmpty()) {
- // TODO Make an error once there are separate passwords for truststore and keystore
- log.warning("Encrypted PEM key stores are not supported. Password is only applied to truststore");
- }
- if (ssl.pemKeyStore().certificatePath().isEmpty()) {
- throw new IllegalArgumentException("Missing certificate path.");
- }
- if (ssl.pemKeyStore().keyPath().isEmpty()) {
- throw new IllegalArgumentException("Missing key path.");
- }
- }
-
- private static KeyStore createPemKeyStore(ConnectorConfig.Ssl.PemKeyStore pemKeyStore) {
- try {
- Path certificatePath = Paths.get(pemKeyStore.certificatePath());
- Path keyPath = Paths.get(pemKeyStore.keyPath());
- return new PemSslKeyStore(certificatePath, keyPath).loadJavaKeyStore();
- } catch (IOException e) {
- throw new UncheckedIOException(e);
- } catch (Exception e) {
- throw new RuntimeException("Failed setting up key store for " + pemKeyStore.keyPath() + ", " + pemKeyStore.certificatePath(), e);
- }
}
private static KeyStore createTruststore(ConnectorConfig.Ssl sslConfig) {
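Review bot: `validateConfig` on the new side now only requires certificateFile and privateKeyFile, while the trust store stays optional (`if (!sslConfig.caCertificateFile().isEmpty())` in `getInstance`), so a connector configured with `clientAuth` NEED_AUTH or WANT_AUTH and no caCertificateFile is accepted and started without an explicit trust store. As far as I recall Jetty's SslContextFactory then falls back to the JVM default trust store, which would accept client certificates chained to any public CA in cacerts — the opposite of what an operator enabling client auth intends — and in any case the configuration is self-contradictory and should be rejected at construction. Add to `validateConfig`: `if (config.caCertificateFile().isEmpty() && (config.clientAuth() == ConnectorConfig.Ssl.ClientAuth.Enum.NEED_AUTH || config.clientAuth() == ConnectorConfig.Ssl.ClientAuth.Enum.WANT_AUTH)) throw new IllegalArgumentException("Client certificate authentication requires a CA certificate file.");` (the exact enum type name is not visible in the hunk; use whatever `sslConfig.clientAuth()` returns). Separately, `factory.setKeyStorePassword("")` only works if `createKeystore` (outside this hunk) stores the key entry under an empty password; a one-line comment on that line stating the coupling, e.g. `// must match the (empty) entry password used by createKeystore`, would stop the next maintainer from changing one without the other.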
@@ -202,13 +105,4 @@ public class DefaultSslContextFactoryProvider implements SslContextFactoryProvid
}
}
- private static <T extends InnerNode> void setStringArrayParameter(SslContextFactory sslContextFactory,
- List<T> configValues,
- Function<T, String> nameProperty,
- BiConsumer<SslContextFactory, String[]> setter) {
- if (!configValues.isEmpty()) {
- String[] nameArray = configValues.stream().map(nameProperty).toArray(String[]::new);
- setter.accept(sslContextFactory, nameArray);
- }
- }
}
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/LegacySslContextFactoryProvider.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/LegacySslContextFactoryProvider.java
new file mode 100644
index 00000000000..5b090824e6a
--- /dev/null
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/LegacySslContextFactoryProvider.java
@@ -0,0 +1,163 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.jdisc.http.ssl;
+
+import com.yahoo.config.InnerNode;
+import com.yahoo.jdisc.http.ConnectorConfig;
+import com.yahoo.jdisc.http.ssl.pem.PemSslKeyStore;
+import org.eclipse.jetty.util.ssl.SslContextFactory;
+
+import java.io.IOException;
+import java.io.UncheckedIOException;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.security.KeyStore;
+import java.util.Arrays;
+import java.util.List;
+import java.util.function.BiConsumer;
+import java.util.function.Function;
+import java.util.logging.Logger;
+
+/**
+ * A implementation of {@link SslContextFactoryProvider} to be injected into non-ssl connectors or connectors using legacy ssl config
+ *
+ * @author bjorncs
+ */
+// TODO Vespa 7: Remove legacy ssl config
+public class LegacySslContextFactoryProvider implements SslContextFactoryProvider {
+ private static final Logger log = Logger.getLogger(LegacySslContextFactoryProvider.class.getName());
+
+ private final ConnectorConfig connectorConfig;
+ @SuppressWarnings("deprecation")
+ private final com.yahoo.jdisc.http.SecretStore secretStore;
+
+ public LegacySslContextFactoryProvider(ConnectorConfig connectorConfig,
+ @SuppressWarnings("deprecation") com.yahoo.jdisc.http.SecretStore secretStore) {
+ validateConfig(connectorConfig.ssl());
+ this.connectorConfig = connectorConfig;
+ this.secretStore = secretStore;
+ }
+
+ @Override
+ public SslContextFactory getInstance(String containerId, int port) {
+ ConnectorConfig.Ssl sslConfig = connectorConfig.ssl();
+ if (!sslConfig.enabled()) throw new IllegalStateException();
+ SslContextFactory factory = new JDiscSslContextFactory();
+
+ switch (sslConfig.clientAuth()) {
+ case NEED_AUTH:
+ factory.setNeedClientAuth(true);
+ break;
+ case WANT_AUTH:
+ factory.setWantClientAuth(true);
+ break;
+ }
+
+ // NOTE: All ciphers matching ^TLS_RSA_.*$ are disabled by default in Jetty 9.4.12+ (https://github.com/eclipse/jetty.project/issues/2807)
+ // JDisc will allow these ciphers by default to support older clients (e.g. Java 8u60 and curl 7.29.0)
+ // Removing the exclusion will allow for the TLS_RSA variants that are not covered by other exclusions
+ String[] excludedCiphersWithoutTlsRsaExclusion = Arrays.stream(factory.getExcludeCipherSuites())
+ .filter(cipher -> !cipher.equals("^TLS_RSA_.*$"))
+ .toArray(String[]::new);
+ factory.setExcludeCipherSuites(excludedCiphersWithoutTlsRsaExclusion);
+
+ switch (sslConfig.keyStoreType()) {
+ case JKS:
+ factory.setKeyStorePath(sslConfig.keyStorePath());
+ factory.setKeyStoreType("JKS");
+ factory.setKeyStorePassword(secretStore.getSecret(sslConfig.keyDbKey()));
+ break;
+ case PEM:
+ factory.setKeyStorePath(sslConfig.keyStorePath());
+ factory.setKeyStore(createPemKeyStore(sslConfig.pemKeyStore()));
+ break;
+ }
+
+ if (!sslConfig.trustStorePath().isEmpty()) {
+ factory.setTrustStorePath(sslConfig.trustStorePath());
+ factory.setTrustStoreType(sslConfig.trustStoreType().toString());
+ if (sslConfig.useTrustStorePassword()) {
+ factory.setTrustStorePassword(secretStore.getSecret(sslConfig.keyDbKey()));
+ }
+ }
+
+ if (!sslConfig.prng().isEmpty()) {
+ factory.setSecureRandomAlgorithm(sslConfig.prng());
+ }
+
+ setStringArrayParameter(
+ factory, sslConfig.excludeProtocol(), ConnectorConfig.Ssl.ExcludeProtocol::name, SslContextFactory::setExcludeProtocols);
+ setStringArrayParameter(
+ factory, sslConfig.includeProtocol(), ConnectorConfig.Ssl.IncludeProtocol::name, SslContextFactory::setIncludeProtocols);
+ setStringArrayParameter(
+ factory, sslConfig.excludeCipherSuite(), ConnectorConfig.Ssl.ExcludeCipherSuite::name, SslContextFactory::setExcludeCipherSuites);
+ setStringArrayParameter(
+ factory, sslConfig.includeCipherSuite(), ConnectorConfig.Ssl.IncludeCipherSuite::name, SslContextFactory::setIncludeCipherSuites);
+
+ factory.setKeyManagerFactoryAlgorithm(sslConfig.sslKeyManagerFactoryAlgorithm());
+ factory.setProtocol(sslConfig.protocol());
+
+ return factory;
+ }
+
+ private static void validateConfig(ConnectorConfig.Ssl config) {
+ if (!config.enabled()) return;
+ switch (config.keyStoreType()) {
+ case JKS:
+ validateJksConfig(config);
+ break;
+ case PEM:
+ validatePemConfig(config);
+ break;
+ }
+ if (!config.trustStorePath().isEmpty() && config.useTrustStorePassword() && config.keyDbKey().isEmpty()) {
+ throw new IllegalArgumentException("Missing password for JKS truststore");
+ }
+ }
+
+ private static void validateJksConfig(ConnectorConfig.Ssl ssl) {
+ if (!ssl.pemKeyStore().keyPath().isEmpty() || ! ssl.pemKeyStore().certificatePath().isEmpty()) {
+ throw new IllegalArgumentException("pemKeyStore attributes can not be set when keyStoreType is JKS.");
+ }
+ if (ssl.keyDbKey().isEmpty()) {
+ throw new IllegalArgumentException("Missing password for JKS keystore");
+ }
+ }
+
+ private static void validatePemConfig(ConnectorConfig.Ssl ssl) {
+ if (! ssl.keyStorePath().isEmpty()) {
+ throw new IllegalArgumentException("keyStorePath can not be set when keyStoreType is PEM");
+ }
+ if (!ssl.keyDbKey().isEmpty()) {
+ log.warning("Encrypted PEM key stores are not supported. Password is only applied to truststore");
+ }
+ if (ssl.pemKeyStore().certificatePath().isEmpty()) {
+ throw new IllegalArgumentException("Missing certificate path.");
+ }
+ if (ssl.pemKeyStore().keyPath().isEmpty()) {
+ throw new IllegalArgumentException("Missing key path.");
+ }
+ }
+
+ private static KeyStore createPemKeyStore(ConnectorConfig.Ssl.PemKeyStore pemKeyStore) {
+ try {
+ Path certificatePath = Paths.get(pemKeyStore.certificatePath());
+ Path keyPath = Paths.get(pemKeyStore.keyPath());
+ return new PemSslKeyStore(certificatePath, keyPath).loadJavaKeyStore();
+ } catch (IOException e) {
+ throw new UncheckedIOException(e);
+ } catch (Exception e) {
+ throw new RuntimeException("Failed setting up key store for " + pemKeyStore.keyPath() + ", " + pemKeyStore.certificatePath(), e);
+ }
+ }
+
+ private static <T extends InnerNode> void setStringArrayParameter(SslContextFactory sslContextFactory,
+ List<T> configValues,
+ Function<T, String> nameProperty,
+ BiConsumer<SslContextFactory, String[]> setter) {
+ if (!configValues.isEmpty()) {
+ String[] nameArray = configValues.stream().map(nameProperty).toArray(String[]::new);
+ setter.accept(sslContextFactory, nameArray);
+ }
+ }
+
+}
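Review bot: `validatePemConfig` lost the `// TODO Make an error once there are separate passwords for truststore and keystore` comment that the same lines carried in DefaultSslContextFactoryProvider before the move, so the reason a set `keyDbKey` with a PEM key store is only a `log.warning` — the single secret also serves as the truststore password via `secretStore.getSecret(sslConfig.keyDbKey())` in `getInstance` — is no longer recorded; restore that comment above the `log.warning` call. The PEM branch of `getInstance` also calls `factory.setKeyStorePath(sslConfig.keyStorePath())` with a value `validatePemConfig` guarantees is empty, so the call is at best a no-op and at worst hands Jetty an empty resource path; it looks safe to drop, leaving only `factory.setKeyStore(createPemKeyStore(sslConfig.pemKeyStore()));` in that case. Finally the bare `throw new IllegalStateException();` at the top of `getInstance` would read better with a message such as `"SSL is not enabled for connector on port " + port`.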
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/ThrowingSslContextFactoryProvider.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/ThrowingSslContextFactoryProvider.java
deleted file mode 100644
index 0bf5a5f37bd..00000000000
--- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/ThrowingSslContextFactoryProvider.java
+++ /dev/null
@@ -1,16 +0,0 @@
-// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.jdisc.http.ssl;
-
-import org.eclipse.jetty.util.ssl.SslContextFactory;
-
-/**
- * A dummy implementation of {@link SslContextFactoryProvider} to be injected into non-ssl connectors
- *
- * @author bjorncs
- */
-public class ThrowingSslContextFactoryProvider implements SslContextFactoryProvider {
- @Override
- public SslContextFactory getInstance(String containerId, int port) {
- throw new UnsupportedOperationException();
- }
-}
diff --git a/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/JksKeyStore.java b/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/JksKeyStore.java
deleted file mode 100644
index 1c7a917c688..00000000000
--- a/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/JksKeyStore.java
+++ /dev/null
@@ -1,41 +0,0 @@
-// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.jdisc.http;
-
-import java.io.InputStream;
-import java.nio.file.Files;
-import java.nio.file.Path;
-import java.security.KeyStore;
-
-/**
- * @author Tony Vaagenes
- * @author bjorncs
- */
-public class JksKeyStore {
-
- private static final String KEY_STORE_TYPE = "JKS";
-
- private final Path keyStoreFile;
- private final String keyStorePassword;
-
- public JksKeyStore(Path keyStoreFile) {
- this(keyStoreFile, null);
- }
-
- public JksKeyStore(Path keyStoreFile, String keyStorePassword) {
- this.keyStoreFile = keyStoreFile;
- this.keyStorePassword = keyStorePassword;
- }
-
- public String getKeyStorePassword() {
- return keyStorePassword;
- }
-
- public KeyStore loadJavaKeyStore() throws Exception {
- try(InputStream stream = Files.newInputStream(keyStoreFile)) {
- KeyStore keystore = KeyStore.getInstance(KEY_STORE_TYPE);
- keystore.load(stream, keyStorePassword != null ? keyStorePassword.toCharArray() : null);
- return keystore;
- }
- }
-
-}
diff --git a/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/SslContextFactory.java b/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/SslContextFactory.java
deleted file mode 100644
index d86516df453..00000000000
--- a/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/SslContextFactory.java
+++ /dev/null
@@ -1,82 +0,0 @@
-// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.jdisc.http;
-
-import javax.net.ssl.KeyManagerFactory;
-import javax.net.ssl.SSLContext;
-import javax.net.ssl.TrustManagerFactory;
-import java.util.logging.Level;
-import java.util.logging.Logger;
-
-/**
- * @author Charles Kim
- */
-public class SslContextFactory {
-
- private static final Logger log = Logger.getLogger(SslContextFactory.class.getName());
- private static final String DEFAULT_ALGORITHM = "SunX509";
- private static final String DEFAULT_PROTOCOL = "TLS";
- private final SSLContext sslContext;
-
- private SslContextFactory(SSLContext sslContext) {
- this.sslContext = sslContext;
- }
-
- public SSLContext getServerSSLContext() {
- return this.sslContext;
- }
-
- public static SslContextFactory newInstanceFromTrustStore(JksKeyStore trustStore) {
- return newInstance(DEFAULT_ALGORITHM, DEFAULT_PROTOCOL, null, trustStore);
- }
-
- public static SslContextFactory newInstance(JksKeyStore trustStore, JksKeyStore keyStore) {
- return newInstance(DEFAULT_ALGORITHM, DEFAULT_PROTOCOL, keyStore, trustStore);
- }
-
- public static SslContextFactory newInstance(String sslAlgorithm, String sslProtocol,
- JksKeyStore keyStore, JksKeyStore trustStore) {
- log.fine("Configuring SSLContext...");
- log.fine("Using " + sslAlgorithm + " algorithm.");
- try {
- SSLContext sslContext = SSLContext.getInstance(sslProtocol);
- sslContext.init(
- keyStore == null ? null : getKeyManagers(keyStore, sslAlgorithm),
- trustStore == null ? null : getTrustManagers(trustStore, sslAlgorithm),
- null);
- return new SslContextFactory(sslContext);
- } catch (Exception e) {
- log.log(Level.SEVERE, "Got exception creating SSLContext.", e);
- throw new RuntimeException(e);
- }
- }
-
- /**
- * Used for the key store, which contains the SSL cert and private key.
- */
- public static javax.net.ssl.KeyManager[] getKeyManagers(JksKeyStore keyStore,
- String sslAlgorithm) throws Exception {
-
- KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(sslAlgorithm);
- String keyStorePassword = keyStore.getKeyStorePassword();
- keyManagerFactory.init(
- keyStore.loadJavaKeyStore(),
- keyStorePassword != null ? keyStorePassword.toCharArray() : null);
- log.fine("KeyManagerFactory initialized with keystore");
- return keyManagerFactory.getKeyManagers();
- }
-
- /**
- * Used for the trust store, which contains certificates from other parties that you expect to communicate with,
- * or from Certificate Authorities that you trust to identify other parties.
- */
- public static javax.net.ssl.TrustManager[] getTrustManagers(JksKeyStore trustStore,
- String sslAlgorithm)
- throws Exception {
-
- TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(sslAlgorithm);
- trustManagerFactory.init(trustStore.loadJavaKeyStore());
- log.fine("TrustManagerFactory initialized with truststore.");
- return trustManagerFactory.getTrustManagers();
- }
-
-}
diff --git a/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/guiceModules/ConnectorFactoryRegistryModule.java b/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/guiceModules/ConnectorFactoryRegistryModule.java
index cb7d30af952..d204d633304 100644
--- a/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/guiceModules/ConnectorFactoryRegistryModule.java
+++ b/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/guiceModules/ConnectorFactoryRegistryModule.java
@@ -47,17 +47,7 @@ public class ConnectorFactoryRegistryModule implements Module {
private static class StaticKeyDbConnectorFactory extends ConnectorFactory {
public StaticKeyDbConnectorFactory(ConnectorConfig connectorConfig) {
- super(connectorConfig, new DefaultSslContextFactoryProvider(connectorConfig, new MockSecretStore()));
- }
-
- }
-
- @SuppressWarnings("deprecation")
- private static final class MockSecretStore implements com.yahoo.jdisc.http.SecretStore {
-
- @Override
- public String getSecret(String key) {
- return TestDrivers.KEY_STORE_PASSWORD;
+ super(connectorConfig, new DefaultSslContextFactoryProvider(connectorConfig));
}
}
diff --git a/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactoryTest.java b/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactoryTest.java
index b328e151f51..08a38d5e13b 100644
--- a/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactoryTest.java
+++ b/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactoryTest.java
@@ -105,7 +105,7 @@ public class ConnectorFactoryTest {
}
private static ConnectorFactory createConnectorFactory(ConnectorConfig config) {
- return new ConnectorFactory(config, new DefaultSslContextFactoryProvider(config, new ThrowingSecretStore()));
+ return new ConnectorFactory(config, new DefaultSslContextFactoryProvider(config));
}
private static class HelloWorldHandler extends AbstractHandler {
@@ -134,14 +134,4 @@ public class ConnectorFactoryTest {
private static class DummyContext implements Metric.Context {
}
- @SuppressWarnings("deprecation")
- private static final class ThrowingSecretStore implements com.yahoo.jdisc.http.SecretStore {
-
- @Override
- public String getSecret(String key) {
- throw new UnsupportedOperationException("A secret store is not available");
- }
-
- }
-
}
diff --git a/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/server/jetty/TestDriver.java b/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/server/jetty/TestDriver.java
index 39b68fcf1f6..227b0b20f10 100644
--- a/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/server/jetty/TestDriver.java
+++ b/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/server/jetty/TestDriver.java
@@ -1,20 +1,16 @@
// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.jdisc.http.server.jetty;
-import com.google.inject.Key;
import com.google.inject.Module;
import com.yahoo.jdisc.application.ContainerBuilder;
import com.yahoo.jdisc.handler.RequestHandler;
import com.yahoo.jdisc.http.ConnectorConfig;
-import com.yahoo.jdisc.http.SslContextFactory;
-import com.yahoo.jdisc.http.JksKeyStore;
+import com.yahoo.security.SslContextBuilder;
import javax.net.ssl.SSLContext;
import java.io.IOException;
import java.nio.file.Paths;
-import static com.google.inject.name.Names.named;
-
/**
* This class is based on the class by the same name in the jdisc_http_service module.
* It provides functionality for setting up a jdisc container with an HTTP server and handlers.
@@ -61,9 +57,7 @@ public class TestDriver {
public SimpleHttpClient client() { return client; }
- public SimpleHttpClient newClient() throws IOException { return newClient(false); }
-
- public SimpleHttpClient newClient(final boolean useCompression) throws IOException {
+ public SimpleHttpClient newClient(final boolean useCompression) {
return new SimpleHttpClient(newSslContext(), server.getListenPort(), useCompression);
}
@@ -75,10 +69,10 @@ public class TestDriver {
ConnectorConfig.Ssl sslConfig = builder.getInstance(ConnectorConfig.class).ssl();
if (!sslConfig.enabled()) return null;
- JksKeyStore keyStore = new JksKeyStore(
- Paths.get(sslConfig.keyStorePath()),
- builder.getInstance(Key.get(String.class, named("keyStorePassword"))));
- return SslContextFactory.newInstanceFromTrustStore(keyStore).getServerSSLContext();
+ return new SslContextBuilder()
+ .withKeyStore(Paths.get(sslConfig.privateKeyFile()), Paths.get(sslConfig.certificateFile()))
+ .withTrustStore(Paths.get(sslConfig.caCertificateFile()))
+ .build();
}
}
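Review bot: `newSslContext` now passes `Paths.get(sslConfig.caCertificateFile())` to `withTrustStore` unconditionally, whereas the production provider changed in this same commit treats caCertificateFile as optional; for a connector config without it the test driver would hand SslContextBuilder an empty path instead of skipping the trust store. Mirror the production guard: build the `SslContextBuilder` with `withKeyStore(...)` first, then `if (!sslConfig.caCertificateFile().isEmpty()) builder.withTrustStore(Paths.get(sslConfig.caCertificateFile()));` before `build()`. Whether an empty trust store path fails loudly or is silently ignored depends on SslContextBuilder, which is not visible here.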
diff --git a/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/server/jetty/TestDrivers.java b/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/server/jetty/TestDrivers.java
index f4344545637..b7805328124 100644
--- a/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/server/jetty/TestDrivers.java
+++ b/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/server/jetty/TestDrivers.java
@@ -17,15 +17,13 @@ import com.yahoo.jdisc.http.server.FilterBindings;
import java.io.IOException;
-import static com.google.inject.name.Names.named;
-
/**
* @author Simon Thoresen Hult
*/
public class TestDrivers {
- private static final String KEY_STORE = "src/test/resources/ssl_keystore_test.jks";
- public static final String KEY_STORE_PASSWORD = "secret";
+ private static final String PRIVATE_KEY_FILE = "src/test/resources/pem/test.key";
+ private static final String CERTIFICATE_FILE = "src/test/resources/pem/test.crt";
public static TestDriver newConfiguredInstance(final RequestHandler requestHandler,
final ServerConfig.Builder serverConfig,
@@ -59,18 +57,10 @@ public class TestDrivers {
new ConnectorConfig.Builder()
.ssl(new ConnectorConfig.Ssl.Builder()
.enabled(true)
- .keyDbKey("dummy-key-for-StaticKeyDbConnectorFactory.getPasswordFromKeydb")
- .keyStorePath(KEY_STORE)
- .trustStorePath(KEY_STORE)),
- Modules.combine(new AbstractModule() {
-
- @Override
- protected void configure() {
- bind(String.class).annotatedWith(named("keyStorePassword"))
- .toInstance(KEY_STORE_PASSWORD);
- }
- }, Modules.combine(guiceModules))
- ));
+ .privateKeyFile(PRIVATE_KEY_FILE)
+ .certificateFile(CERTIFICATE_FILE)
+ .caCertificateFile(CERTIFICATE_FILE)),
+ Modules.combine(guiceModules)));
}
private static Module newConfigModule(
diff --git a/jdisc_http_service/src/test/resources/ssl_keystore_test.jks b/jdisc_http_service/src/test/resources/ssl_keystore_test.jks
deleted file mode 100644
index 6dbb19b9692..00000000000
--- a/jdisc_http_service/src/test/resources/ssl_keystore_test.jks
+++ /dev/null
Binary files differ