author | Bjørn Christian Seime <bjorncs@oath.com> | 2018-11-06 17:05:28 +0100 |
committer | Bjørn Christian Seime <bjorncs@oath.com> | 2018-11-06 17:05:28 +0100 |
commit | 4ae24233cecd1cbe3fdf2ee1d2e0987719be2ee1 (patch) | |
tree | ade90bd24c2693a724f4667574ce084d268c7f29 /security-utils/src | |
parent | 0689f93f9750f9d8c0fdbb383388b03c918ce11a (diff) |
Add 'accepted-ciphers' to transport security options
Diffstat (limited to 'security-utils/src')
3 files changed, 47 insertions, 10 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityOptions.java b/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityOptions.java
index 67466179634..9a6ee508df8 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityOptions.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityOptions.java
@@ -8,6 +8,9 @@ import java.io.IOException;
 import java.io.UncheckedIOException;
 import java.nio.file.Path;
 import java.nio.file.Paths;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
 import java.util.Objects;
 import java.util.Optional;
@@ -16,6 +19,7 @@ import java.util.Optional;
 *
 * @author bjorncs
 */
+// TODO Add builder
 public class TransportSecurityOptions {
 private static final ObjectMapper mapper = new ObjectMapper();
@@ -23,15 +27,25 @@ public class TransportSecurityOptions {
 private final Path privateKeyFile;
 private final Path certificatesFile;
 private final Path caCertificatesFile;
+ private final List<String> acceptedCiphers;
 public TransportSecurityOptions(String privateKeyFile, String certificatesFile, String caCertificatesFile) {
 this(Paths.get(privateKeyFile), Paths.get(certificatesFile), Paths.get(caCertificatesFile));
 }
 public TransportSecurityOptions(Path privateKeyFile, Path certificatesFile, Path caCertificatesFile) {
+ this(privateKeyFile, certificatesFile, caCertificatesFile, Collections.emptyList());
+ }
+
+ public TransportSecurityOptions(String privateKeyFile, String certificatesFile, String caCertificatesFile, List<String> acceptedCiphers) {
+ this(Paths.get(privateKeyFile), Paths.get(certificatesFile), Paths.get(caCertificatesFile), acceptedCiphers);
+ }
+
+ public TransportSecurityOptions(Path privateKeyFile, Path certificatesFile, Path caCertificatesFile, List<String> acceptedCiphers) {
 this.privateKeyFile = privateKeyFile;
 this.certificatesFile = certificatesFile;
 this.caCertificatesFile = caCertificatesFile;
+ this.acceptedCiphers = acceptedCiphers;
 }
 public Path getPrivateKeyFile() {
@@ -46,6 +60,10 @@ public class TransportSecurityOptions {
 return caCertificatesFile;
 }
+ public List<String> getAcceptedCiphers() {
+ return acceptedCiphers;
+ }
+
 public static TransportSecurityOptions fromJsonFile(Path file) {
 try {
 return fromJsonNode(mapper.readTree(file.toFile()));
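Review bot: The four-argument constructor in this hunk stores the caller's `acceptedCiphers` list by reference and `getAcceptedCiphers()` hands that same reference back, so the cipher list can be modified after the options object is built even though every field is `final` and the class otherwise behaves as an immutable value object. Copy and freeze the list on the way in, `this.acceptedCiphers = Collections.unmodifiableList(new ArrayList<>(Objects.requireNonNull(acceptedCiphers)));` — `ArrayList` and `Collections` are imported by this commit and `Objects` was already imported. The `requireNonNull` also turns a null passed through either four-argument overload into an immediate error instead of an NPE later in whatever consumes the list.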
@@ -63,15 +81,30 @@ public class TransportSecurityOptions {
 }
 private static TransportSecurityOptions fromJsonNode(JsonNode root) {
- JsonNode filesNode = getField(root, "files");
- String privateKeyFile = getField(filesNode, "private-key").asText();
- String certificatesFile = getField(filesNode, "certificates").asText();
- String caCertificatesFile = getField(filesNode, "ca-certificates").asText();
- return new TransportSecurityOptions(privateKeyFile, certificatesFile, caCertificatesFile);
+ JsonNode filesNode = getFieldOrThrow(root, "files");
+ List<String> acceptedCiphers = getField(root, "accepted-ciphers")
+ .map(TransportSecurityOptions::toCipherList)
+ .orElse(Collections.emptyList());
+ String privateKeyFile = getFieldOrThrow(filesNode, "private-key").asText();
+ String certificatesFile = getFieldOrThrow(filesNode, "certificates").asText();
+ String caCertificatesFile = getFieldOrThrow(filesNode, "ca-certificates").asText();
+ return new TransportSecurityOptions(privateKeyFile, certificatesFile, caCertificatesFile, acceptedCiphers);
+ }
+
+ private static List<String> toCipherList(JsonNode ciphersNode) {
+ List<String> ciphers = new ArrayList<>();
+ for (JsonNode cipherNode : ciphersNode) {
+ ciphers.add(cipherNode.asText());
+ }
+ return ciphers;
+ }
+
+ private static Optional<JsonNode> getField(JsonNode root, String fieldName) {
+ return Optional.ofNullable(root.get(fieldName));
 }
- private static JsonNode getField(JsonNode root, String fieldName) {
- return Optional.ofNullable(root.get(fieldName))
+ private static JsonNode getFieldOrThrow(JsonNode root, String fieldName) {
+ return getField(root, fieldName)
 .orElseThrow(() -> new IllegalArgumentException(String.format("'%s' field missing", fieldName)));
 }
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/TransportSecurityOptionsTest.java b/security-utils/src/test/java/com/yahoo/security/tls/TransportSecurityOptionsTest.java
index 84f71cf8fc2..2ae140d7958 100644
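Review bot: `fromJsonNode` reads `accepted-ciphers` from `root`, but the fixture this commit changes in transport-security-options.json adds the key inside the `files` object (it follows the `certificates` entry, before the object's closing brace), so for the test input the lookup misses and `.orElse(Collections.emptyList())` silently produces no ciphers. The tests compare with `assertEquals` against options built with `CIPHERS`, so they can only pass if `equals` ignores the new field; `equals`/`hashCode` are outside this diff and are not touched by it, so check that both include `acceptedCiphers` and fix whichever side is wrong — moving the key to the top level of the fixture matches what the code expects. `toCipherList` is also lenient in the same way: iterating a scalar `JsonNode` yields nothing, so a misspelt or mistyped value degrades to an empty list rather than a config error; add `if (!ciphersNode.isArray()) throw new IllegalArgumentException("'accepted-ciphers' must be an array");` before the loop so a malformed cipher list is rejected at load time like a missing `files` entry is.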
--- a/security-utils/src/test/java/com/yahoo/security/tls/TransportSecurityOptionsTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/tls/TransportSecurityOptionsTest.java
@@ -8,6 +8,8 @@ import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
+import java.util.Collections;
+import java.util.List;
 import static org.junit.Assert.*;
@@ -16,11 +18,12 @@ import static org.junit.Assert.*;
 */
 public class TransportSecurityOptionsTest {
+ private static final List<String> CIPHERS = Collections.singletonList("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");
 private static final Path TEST_CONFIG_FILE = Paths.get("src/test/resources/transport-security-options.json");
 @Test
 public void can_read_options_from_json_file() {
- TransportSecurityOptions expectedOptions = new TransportSecurityOptions("myhost.key", "certs.pem", "my_cas.pem");
+ TransportSecurityOptions expectedOptions = new TransportSecurityOptions("myhost.key", "certs.pem", "my_cas.pem", CIPHERS);
 TransportSecurityOptions actualOptions = TransportSecurityOptions.fromJsonFile(TEST_CONFIG_FILE);
 assertEquals(expectedOptions, actualOptions);
 }
@@ -28,7 +31,7 @@ public class TransportSecurityOptionsTest {
 @Test
 public void can_read_options_from_json() throws IOException {
 String tlsJson = new String(Files.readAllBytes(TEST_CONFIG_FILE), StandardCharsets.UTF_8);
- TransportSecurityOptions expectedOptions = new TransportSecurityOptions("myhost.key", "certs.pem", "my_cas.pem");
+ TransportSecurityOptions expectedOptions = new TransportSecurityOptions("myhost.key", "certs.pem", "my_cas.pem", CIPHERS);
 TransportSecurityOptions actualOptions = TransportSecurityOptions.fromJson(tlsJson);
 assertEquals(expectedOptions, actualOptions);
 }
diff --git a/security-utils/src/test/resources/transport-security-options.json b/security-utils/src/test/resources/transport-security-options.json
index 0506c130722..0970ffb3524 100644
--- a/security-utils/src/test/resources/transport-security-options.json
+++ b/security-utils/src/test/resources/transport-security-options.json
@@ -2,6 +2,7 @@
 "files": {
 "private-key": "myhost.key",
 "ca-certificates": "my_cas.pem",
- "certificates": "certs.pem"
+ "certificates": "certs.pem",
+ "accepted-ciphers": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]
 }
 }
\ No newline at end of file |