authorBjørn Christian Seime <bjorncs@oath.com>2018-09-04 16:52:55 +0200
committerBjørn Christian Seime <bjorncs@oath.com>2018-09-12 10:49:39 +0200
commit1aa8fa49301a0ca39609d3b6376f169398416331 (patch)
treee179266b126631fa752f1da36fc28675ce8862b3 /jdisc_http_service
parentc2e248d9c0d8e687d09dee71823f634b38a3374a (diff)
Move logic for creating default SslContextFactory to DefaultSslContextFactoryProvider
Diffstat (limited to 'jdisc_http_service')
-rw-r--r--jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java73
-rw-r--r--jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/DefaultSslContextFactoryProvider.java84
-rw-r--r--jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/JDiscSslContextFactory.java (renamed from jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/JDiscSslContextFactory.java)2
-rw-r--r--jdisc_http_service/src/test/java/com/yahoo/jdisc/http/guiceModules/ConnectorFactoryRegistryModule.java7
-rw-r--r--jdisc_http_service/src/test/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactoryTest.java7
5 files changed, 100 insertions, 73 deletions
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java
index 8a829d33c1b..f9892759fbd 100644
--- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java
@@ -2,18 +2,9 @@
package com.yahoo.jdisc.http.server.jetty;
import com.google.inject.Inject;
-import com.yahoo.config.InnerNode;
import com.yahoo.jdisc.Metric;
import com.yahoo.jdisc.http.ConnectorConfig;
-import com.yahoo.jdisc.http.ConnectorConfig.Ssl;
-import com.yahoo.jdisc.http.ConnectorConfig.Ssl.ExcludeCipherSuite;
-import com.yahoo.jdisc.http.ConnectorConfig.Ssl.ExcludeProtocol;
-import com.yahoo.jdisc.http.ConnectorConfig.Ssl.IncludeCipherSuite;
-import com.yahoo.jdisc.http.ConnectorConfig.Ssl.IncludeProtocol;
-import com.yahoo.jdisc.http.ssl.DefaultSslKeyStoreContext;
-import com.yahoo.jdisc.http.ssl.DefaultSslTrustStoreContext;
-import com.yahoo.jdisc.http.ssl.SslKeyStoreConfigurator;
-import com.yahoo.jdisc.http.ssl.SslTrustStoreConfigurator;
+import com.yahoo.jdisc.http.ssl.SslContextFactoryProvider;
import org.eclipse.jetty.http.HttpVersion;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
@@ -24,10 +15,6 @@ import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import java.nio.channels.ServerSocketChannel;
-import java.util.Arrays;
-import java.util.List;
-import java.util.function.BiConsumer;
-import java.util.function.Function;
/**
* @author Einar M R Rosenvinge
@@ -36,16 +23,13 @@ import java.util.function.Function;
public class ConnectorFactory {
private final ConnectorConfig connectorConfig;
- private final SslKeyStoreConfigurator sslKeyStoreConfigurator;
- private final SslTrustStoreConfigurator sslTrustStoreConfigurator;
+ private final SslContextFactoryProvider sslContextFactoryProvider;
@Inject
public ConnectorFactory(ConnectorConfig connectorConfig,
- SslKeyStoreConfigurator sslKeyStoreConfigurator,
- SslTrustStoreConfigurator sslTrustStoreConfigurator) {
+ SslContextFactoryProvider sslContextFactoryProvider) {
this.connectorConfig = connectorConfig;
- this.sslKeyStoreConfigurator = sslKeyStoreConfigurator;
- this.sslTrustStoreConfigurator = sslTrustStoreConfigurator;
+ this.sslContextFactoryProvider = sslContextFactoryProvider;
}
public ConnectorConfig getConnectorConfig() {
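Review bot: The new `sslContextFactoryProvider` field and constructor parameter carry no documentation, yet this commit moves every TLS decision the connector used to make itself (key and trust store setup, client-auth mode, protocol and cipher-suite lists) behind that interface, so whichever implementation is injected now fully determines the connector's TLS posture. Add a Javadoc line on the constructor, e.g. `@param sslContextFactoryProvider supplies the fully configured SslContextFactory for this connector; ConnectorFactory applies no TLS settings of its own`. The constructor could also reject a null provider with `Objects.requireNonNull` so a wiring mistake fails at construction rather than at the first TLS connection.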
@@ -87,55 +71,8 @@ public class ConnectorFactory {
}
private SslConnectionFactory newSslConnectionFactory() {
- Ssl sslConfig = connectorConfig.ssl();
-
- SslContextFactory factory = new JDiscSslContextFactory();
-
- sslKeyStoreConfigurator.configure(new DefaultSslKeyStoreContext(factory));
- sslTrustStoreConfigurator.configure(new DefaultSslTrustStoreContext(factory));
-
- switch (sslConfig.clientAuth()) {
- case NEED_AUTH:
- factory.setNeedClientAuth(true);
- break;
- case WANT_AUTH:
- factory.setWantClientAuth(true);
- break;
- }
-
- if (!sslConfig.prng().isEmpty()) {
- factory.setSecureRandomAlgorithm(sslConfig.prng());
- }
-
- // NOTE: ^TLS_RSA_.*$ ciphers are disabled by default in Jetty 9.4.12+ (https://github.com/eclipse/jetty.project/issues/2807)
- // JDisc will allow these ciphers by default to support older clients (e.g. Java 8u60 and curl 7.29.0)
- String[] excludedCiphersWithoutTlsRsaExclusion = Arrays.stream(factory.getExcludeCipherSuites())
- .filter(cipher -> !cipher.equals("^TLS_RSA_.*$"))
- .toArray(String[]::new);
- factory.setExcludeCipherSuites(excludedCiphersWithoutTlsRsaExclusion);
-
- setStringArrayParameter(
- factory, sslConfig.excludeProtocol(), ExcludeProtocol::name, SslContextFactory::setExcludeProtocols);
- setStringArrayParameter(
- factory, sslConfig.includeProtocol(), IncludeProtocol::name, SslContextFactory::setIncludeProtocols);
- setStringArrayParameter(
- factory, sslConfig.excludeCipherSuite(), ExcludeCipherSuite::name, SslContextFactory::setExcludeCipherSuites);
- setStringArrayParameter(
- factory, sslConfig.includeCipherSuite(), IncludeCipherSuite::name, SslContextFactory::setIncludeCipherSuites);
-
- factory.setKeyManagerFactoryAlgorithm(sslConfig.sslKeyManagerFactoryAlgorithm());
- factory.setProtocol(sslConfig.protocol());
+ SslContextFactory factory = sslContextFactoryProvider.getInstance(connectorConfig.name(), connectorConfig.listenPort());
return new SslConnectionFactory(factory, HttpVersion.HTTP_1_1.asString());
}
- private static <T extends InnerNode> void setStringArrayParameter(SslContextFactory sslContextFactory,
- List<T> configValues,
- Function<T, String> nameProperty,
- BiConsumer<SslContextFactory, String[]> setter) {
- if (!configValues.isEmpty()) {
- String[] nameArray = configValues.stream().map(nameProperty).toArray(String[]::new);
- setter.accept(sslContextFactory, nameArray);
- }
- }
-
}
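Review bot: `newSslConnectionFactory` passes whatever `sslContextFactoryProvider.getInstance(...)` returns straight into `new SslConnectionFactory(factory, ...)` without checking for null; if I recall Jetty 9.4 correctly, `SslConnectionFactory` substitutes a fresh, unconfigured `SslContextFactory` for a null argument, so a misbehaving provider would yield a connector with none of the key store, trust store or client-auth settings and no error. Guard it: `SslContextFactory factory = Objects.requireNonNull(sslContextFactoryProvider.getInstance(connectorConfig.name(), connectorConfig.listenPort()), "sslContextFactoryProvider returned null");` (this needs `import java.util.Objects;`, since the java.util imports were removed from this file in the earlier hunk).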
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/DefaultSslContextFactoryProvider.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/DefaultSslContextFactoryProvider.java
new file mode 100644
index 00000000000..9e27a792a6a
--- /dev/null
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/DefaultSslContextFactoryProvider.java
@@ -0,0 +1,84 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.jdisc.http.ssl;
+
+import com.yahoo.config.InnerNode;
+import com.yahoo.jdisc.http.ConnectorConfig;
+import org.eclipse.jetty.util.ssl.SslContextFactory;
+
+import java.util.Arrays;
+import java.util.List;
+import java.util.function.BiConsumer;
+import java.util.function.Function;
+
+/**
+ * JDisc's default implementation of {@link SslContextFactoryProvider} that uses the {@link ConnectorConfig} to construct a {@link SslContextFactory}.
+ *
+ * @author bjorncs
+ */
+public class DefaultSslContextFactoryProvider implements SslContextFactoryProvider {
+
+ private final ConnectorConfig connectorConfig;
+ private final SslKeyStoreConfigurator sslKeyStoreConfigurator;
+ private final SslTrustStoreConfigurator sslTrustStoreConfigurator;
+
+ public DefaultSslContextFactoryProvider(ConnectorConfig connectorConfig,
+ SslKeyStoreConfigurator sslKeyStoreConfigurator,
+ SslTrustStoreConfigurator sslTrustStoreConfigurator) {
+ this.connectorConfig = connectorConfig;
+ this.sslKeyStoreConfigurator = sslKeyStoreConfigurator;
+ this.sslTrustStoreConfigurator = sslTrustStoreConfigurator;
+ }
+
+ @Override
+ public SslContextFactory getInstance(String containerId, int port) {
+ ConnectorConfig.Ssl sslConfig = connectorConfig.ssl();
+ SslContextFactory factory = new JDiscSslContextFactory();
+
+ sslKeyStoreConfigurator.configure(new DefaultSslKeyStoreContext(factory));
+ sslTrustStoreConfigurator.configure(new DefaultSslTrustStoreContext(factory));
+
+ switch (sslConfig.clientAuth()) {
+ case NEED_AUTH:
+ factory.setNeedClientAuth(true);
+ break;
+ case WANT_AUTH:
+ factory.setWantClientAuth(true);
+ break;
+ }
+
+ if (!sslConfig.prng().isEmpty()) {
+ factory.setSecureRandomAlgorithm(sslConfig.prng());
+ }
+
+ // NOTE: All ciphers matching ^TLS_RSA_.*$ are disabled by default in Jetty 9.4.12+ (https://github.com/eclipse/jetty.project/issues/2807)
+ // JDisc will allow these ciphers by default to support older clients (e.g. Java 8u60 and curl 7.29.0)
+ // Removing the exclusion will allow for the TLS_RSA variants that are not covered by other exclusions
+ String[] excludedCiphersWithoutTlsRsaExclusion = Arrays.stream(factory.getExcludeCipherSuites())
+ .filter(cipher -> !cipher.equals("^TLS_RSA_.*$"))
+ .toArray(String[]::new);
+ factory.setExcludeCipherSuites(excludedCiphersWithoutTlsRsaExclusion);
+
+ setStringArrayParameter(
+ factory, sslConfig.excludeProtocol(), ConnectorConfig.Ssl.ExcludeProtocol::name, SslContextFactory::setExcludeProtocols);
+ setStringArrayParameter(
+ factory, sslConfig.includeProtocol(), ConnectorConfig.Ssl.IncludeProtocol::name, SslContextFactory::setIncludeProtocols);
+ setStringArrayParameter(
+ factory, sslConfig.excludeCipherSuite(), ConnectorConfig.Ssl.ExcludeCipherSuite::name, SslContextFactory::setExcludeCipherSuites);
+ setStringArrayParameter(
+ factory, sslConfig.includeCipherSuite(), ConnectorConfig.Ssl.IncludeCipherSuite::name, SslContextFactory::setIncludeCipherSuites);
+
+ factory.setKeyManagerFactoryAlgorithm(sslConfig.sslKeyManagerFactoryAlgorithm());
+ factory.setProtocol(sslConfig.protocol());
+ return factory;
+ }
+
+ private static <T extends InnerNode> void setStringArrayParameter(SslContextFactory sslContextFactory,
+ List<T> configValues,
+ Function<T, String> nameProperty,
+ BiConsumer<SslContextFactory, String[]> setter) {
+ if (!configValues.isEmpty()) {
+ String[] nameArray = configValues.stream().map(nameProperty).toArray(String[]::new);
+ setter.accept(sslContextFactory, nameArray);
+ }
+ }
+}
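Review bot: The Jetty default exclusions preserved by the `Arrays.stream(factory.getExcludeCipherSuites())` block are discarded again whenever `sslConfig.excludeCipherSuite()` is non-empty, because `setStringArrayParameter` hands the configured list to `SslContextFactory::setExcludeCipherSuites`, which (as I recall Jetty's API) replaces the exclusion list rather than appending to it; the protocol setters behave the same way. If operators are meant to fully override Jetty's defaults, say so next to the existing NOTE, e.g. `// NOTE: a configured excludeCipherSuite list replaces Jetty's defaults (including the TLS_RSA handling above) rather than extending them`; if the intent is to extend them, `SslContextFactory::addExcludeCipherSuites` is the call to use. The `containerId` and `port` parameters of `getInstance` are unused — the factory is always built from the injected `connectorConfig` — which the method's Javadoc should state so callers do not expect per-port instances.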
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/JDiscSslContextFactory.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/JDiscSslContextFactory.java
index 81a6a0c8048..dcd9435334d 100644
--- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/JDiscSslContextFactory.java
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/JDiscSslContextFactory.java
@@ -1,5 +1,5 @@
// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.jdisc.http.server.jetty;
+package com.yahoo.jdisc.http.ssl;
import org.eclipse.jetty.util.resource.Resource;
import org.eclipse.jetty.util.security.CertificateUtils;
diff --git a/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/guiceModules/ConnectorFactoryRegistryModule.java b/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/guiceModules/ConnectorFactoryRegistryModule.java
index d1a78f33e8f..5e586f5e59e 100644
--- a/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/guiceModules/ConnectorFactoryRegistryModule.java
+++ b/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/guiceModules/ConnectorFactoryRegistryModule.java
@@ -11,6 +11,7 @@ import com.yahoo.jdisc.http.ConnectorConfig.Builder;
import com.yahoo.jdisc.http.server.jetty.ConnectorFactory;
import com.yahoo.jdisc.http.server.jetty.TestDrivers;
+import com.yahoo.jdisc.http.ssl.DefaultSslContextFactoryProvider;
import com.yahoo.jdisc.http.ssl.DefaultSslKeyStoreConfigurator;
import com.yahoo.jdisc.http.ssl.DefaultSslTrustStoreConfigurator;
@@ -49,8 +50,10 @@ public class ConnectorFactoryRegistryModule implements Module {
public StaticKeyDbConnectorFactory(ConnectorConfig connectorConfig) {
super(connectorConfig,
- new DefaultSslKeyStoreConfigurator(connectorConfig, new MockSecretStore()),
- new DefaultSslTrustStoreConfigurator(connectorConfig, new MockSecretStore()));
+ new DefaultSslContextFactoryProvider(
+ connectorConfig,
+ new DefaultSslKeyStoreConfigurator(connectorConfig, new MockSecretStore()),
+ new DefaultSslTrustStoreConfigurator(connectorConfig, new MockSecretStore())));
}
}
diff --git a/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactoryTest.java b/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactoryTest.java
index 083be36043e..d504e8be288 100644
--- a/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactoryTest.java
+++ b/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactoryTest.java
@@ -3,6 +3,7 @@ package com.yahoo.jdisc.http.server.jetty;
import com.yahoo.jdisc.Metric;
import com.yahoo.jdisc.http.ConnectorConfig;
+import com.yahoo.jdisc.http.ssl.DefaultSslContextFactoryProvider;
import com.yahoo.jdisc.http.ssl.DefaultSslKeyStoreConfigurator;
import com.yahoo.jdisc.http.ssl.DefaultSslTrustStoreConfigurator;
import org.eclipse.jetty.server.Request;
@@ -108,8 +109,10 @@ public class ConnectorFactoryTest {
private static ConnectorFactory createConnectorFactory(ConnectorConfig config) {
ThrowingSecretStore secretStore = new ThrowingSecretStore();
return new ConnectorFactory(config,
- new DefaultSslKeyStoreConfigurator(config, secretStore),
- new DefaultSslTrustStoreConfigurator(config, secretStore));
+ new DefaultSslContextFactoryProvider(
+ config,
+ new DefaultSslKeyStoreConfigurator(config, secretStore),
+ new DefaultSslTrustStoreConfigurator(config, secretStore)));
}
private static class HelloWorldHandler extends AbstractHandler {