authorBjørn Christian Seime <bjorncs@oath.com>2018-12-03 15:19:56 +0100
committerBjørn Christian Seime <bjorncs@oath.com>2018-12-05 16:35:35 +0100
commitcaff08abecd3414fbb46bb002c22c36e1dede893 (patch)
tree08c9a8c08434294bc413f418f76c0df796fbc6ed /security-utils
parenteef87496cbdd79a32367c07311eb7867c9ae2e89 (diff)
Split ConfigFileManagedTlsContext into ReloadingTlsContext and DefaultTlsContext
Diffstat (limited to 'security-utils')
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java (renamed from security-utils/src/main/java/com/yahoo/security/tls/ConfigFileManagedTlsContext.java)86
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/ReloadingTlsContext.java73
-rw-r--r--security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java59
3 files changed, 169 insertions, 49 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/ConfigFileManagedTlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
index 2a40d5340ac..28f05b3c6d9 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/ConfigFileManagedTlsContext.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
@@ -4,29 +4,26 @@ package com.yahoo.security.tls;
import com.yahoo.security.SslContextBuilder;
import com.yahoo.security.tls.authz.PeerAuthorizerTrustManager;
import com.yahoo.security.tls.authz.PeerAuthorizerTrustManagersFactory;
+import com.yahoo.security.tls.policy.AuthorizedPeers;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.nio.file.Path;
-import java.time.Duration;
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;
-import java.util.concurrent.Executors;
-import java.util.concurrent.ScheduledExecutorService;
-import java.util.concurrent.TimeUnit;
-import java.util.concurrent.atomic.AtomicReference;
import java.util.logging.Level;
import java.util.logging.Logger;
/**
- * A {@link TlsContext} that regularly reloads the credentials referred to from the transport security options file.
+ * A static {@link TlsContext}
*
* @author bjorncs
*/
-public class ConfigFileManagedTlsContext implements TlsContext {
+public class DefaultTlsContext implements TlsContext {
- private static final Duration UPDATE_PERIOD = Duration.ofHours(1);
- private static final List<String> ALLOWED_CIPHER_SUITS = Arrays.asList(
+ public static final List<String> ALLOWED_CIPHER_SUITS = Arrays.asList(
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
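Review bot: `ALLOWED_CIPHER_SUITS` becomes `public` on L51 but is still an `Arrays.asList` view, which is fixed-size yet writable, so any caller (the new test already reaches it) can `set()` an entry and weaken the cipher allow-list process-wide. Wrap it at the declaration, `public static final List<String> ALLOWED_CIPHER_SUITS = Collections.unmodifiableList(Arrays.asList(` with the matching `));` after the last suite, and add `import java.util.Collections;`. Since the field is now API, the spelling `SUITS` (for suites) gets frozen with it; worth correcting before it is referenced from other modules. The new class Javadoc `A static {@link TlsContext}` on L43 would help more as `A {@link TlsContext} whose credentials are loaded once at construction and never refreshed; see {@link ReloadingTlsContext} for periodic reloading.` The cipher list continues past the end of this hunk.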
@@ -38,31 +35,25 @@ public class ConfigFileManagedTlsContext implements TlsContext {
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256");
- private static final Logger log = Logger.getLogger(ConfigFileManagedTlsContext.class.getName());
+ private static final Logger log = Logger.getLogger(DefaultTlsContext.class.getName());
- private final Path tlsOptionsConfigFile;
- private final PeerAuthorizerTrustManager.Mode mode;
- private final AtomicReference<SSLContext> currentSslContext;
- private final ScheduledExecutorService scheduler =
- Executors.newSingleThreadScheduledExecutor(runnable -> {
- Thread thread = new Thread(runnable, "tls-context-reloader");
- thread.setDaemon(true);
- return thread;
- });
+ private final SSLContext sslContext;
+ public DefaultTlsContext(List<X509Certificate> certificates,
+ PrivateKey privateKey,
+ List<X509Certificate> caCertificates,
+ AuthorizedPeers authorizedPeers,
+ PeerAuthorizerTrustManager.Mode mode) {
+ this.sslContext = createSslContext(certificates, privateKey, caCertificates, authorizedPeers, mode);
+ }
- public ConfigFileManagedTlsContext(Path tlsOptionsConfigFile, PeerAuthorizerTrustManager.Mode mode) {
- this.tlsOptionsConfigFile = tlsOptionsConfigFile;
- this.mode = mode;
- this.currentSslContext = new AtomicReference<>(createSslContext(tlsOptionsConfigFile, mode));
- this.scheduler.scheduleAtFixedRate(new SslContextReloader(),
- UPDATE_PERIOD.getSeconds()/*initial delay*/,
- UPDATE_PERIOD.getSeconds(),
- TimeUnit.SECONDS);
+ public DefaultTlsContext(Path tlsOptionsConfigFile, PeerAuthorizerTrustManager.Mode mode) {
+ this.sslContext = createSslContext(tlsOptionsConfigFile, mode);
}
+ @Override
public SSLEngine createSslEngine() {
- SSLEngine sslEngine = currentSslContext.get().createSSLEngine();
+ SSLEngine sslEngine = sslContext.createSSLEngine();
restrictSetOfEnabledCiphers(sslEngine);
return sslEngine;
}
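Review bot: The `DefaultTlsContext(Path, Mode)` constructor on L85-L87 keeps the exact signature of the renamed `ConfigFileManagedTlsContext`, so a caller updated by the rename alone now gets a context whose credentials are read once and never refreshed, and nothing at the call site reveals that. A constructor Javadoc should say so explicitly, e.g. `Loads the credentials from the options file once; use {@link ReloadingTlsContext} if the referenced files are rotated.` The five-argument constructor on L70-L76 likewise needs a Javadoc stating which arguments may be null or empty: from the private `createSslContext` in this class, `authorizedPeers` may be null (peer authorization is then not installed) and an empty `certificates` or `caCertificates` list skips the key store or trust store, none of which is visible from the signature.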
@@ -78,6 +69,24 @@ public class ConfigFileManagedTlsContext implements TlsContext {
sslEngine.setEnabledCipherSuites(validCipherSuits);
}
+ private static SSLContext createSslContext(List<X509Certificate> certificates,
+ PrivateKey privateKey,
+ List<X509Certificate> caCertificates,
+ AuthorizedPeers authorizedPeers,
+ PeerAuthorizerTrustManager.Mode mode) {
+ SslContextBuilder builder = new SslContextBuilder();
+ if (!certificates.isEmpty()) {
+ builder.withKeyStore(privateKey, certificates);
+ }
+ if (!caCertificates.isEmpty()) {
+ builder.withTrustStore(caCertificates);
+ }
+ if (authorizedPeers != null) {
+ builder.withTrustManagerFactory(new PeerAuthorizerTrustManagersFactory(authorizedPeers, mode));
+ }
+ return builder.build();
+ }
+
private static SSLContext createSslContext(Path tlsOptionsConfigFile, PeerAuthorizerTrustManager.Mode mode) {
TransportSecurityOptions options = TransportSecurityOptions.fromJsonFile(tlsOptionsConfigFile);
SslContextBuilder builder = new SslContextBuilder();
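Review bot: In `createSslContext` on L98-L114 a null `authorizedPeers` silently skips `PeerAuthorizerTrustManagersFactory` regardless of `mode`, so `Mode.ENFORCE` with a null policy yields a context with no peer authorization and no warning. If null is intended, log it at least at WARNING; if not, fail fast with `Objects.requireNonNull(authorizedPeers, "authorizedPeers");` (`java.util.Objects` would need importing). `certificates.isEmpty()` guards the key store but nothing checks that `privateKey` is non-null when certificates are present, and an empty `caCertificates` list falls through to whatever trust anchors `SslContextBuilder` uses by default — presumably the JDK's — which is a security-relevant fallback worth a comment such as `// empty CA list: the builder's default trust store applies`. The second `createSslContext` overload starts in this hunk and continues past it.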
@@ -89,25 +98,4 @@ public class ConfigFileManagedTlsContext implements TlsContext {
return builder.build();
}
- @Override
- public void close() {
- try {
- scheduler.shutdownNow();
- scheduler.awaitTermination(5, TimeUnit.SECONDS);
- } catch (InterruptedException e) {
- throw new RuntimeException(e);
- }
- }
-
- private class SslContextReloader implements Runnable {
- @Override
- public void run() {
- try {
- currentSslContext.set(createSslContext(tlsOptionsConfigFile, mode));
- } catch (Throwable t) {
- log.log(Level.SEVERE, String.format("Failed to load SSLContext (path='%s'): %s", tlsOptionsConfigFile, t.getMessage()), t);
- }
- }
- }
-
}
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/ReloadingTlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/ReloadingTlsContext.java
new file mode 100644
index 00000000000..04e36d24a04
--- /dev/null
+++ b/security-utils/src/main/java/com/yahoo/security/tls/ReloadingTlsContext.java
@@ -0,0 +1,73 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.security.tls;
+
+import com.yahoo.security.tls.authz.PeerAuthorizerTrustManager;
+
+import javax.net.ssl.SSLEngine;
+import java.nio.file.Path;
+import java.time.Duration;
+import java.util.concurrent.Executors;
+import java.util.concurrent.ScheduledExecutorService;
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.atomic.AtomicReference;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+/**
+ * A {@link TlsContext} that regularly reloads the credentials referred to from the transport security options file.
+ *
+ * @author bjorncs
+ */
+public class ReloadingTlsContext implements TlsContext {
+
+ private static final Duration UPDATE_PERIOD = Duration.ofHours(1);
+
+ private static final Logger log = Logger.getLogger(ReloadingTlsContext.class.getName());
+
+ private final Path tlsOptionsConfigFile;
+ private final PeerAuthorizerTrustManager.Mode mode;
+ private final AtomicReference<TlsContext> currentTlsContext;
+ private final ScheduledExecutorService scheduler =
+ Executors.newSingleThreadScheduledExecutor(runnable -> {
+ Thread thread = new Thread(runnable, "tls-context-reloader");
+ thread.setDaemon(true);
+ return thread;
+ });
+
+ public ReloadingTlsContext(Path tlsOptionsConfigFile, PeerAuthorizerTrustManager.Mode mode) {
+ this.tlsOptionsConfigFile = tlsOptionsConfigFile;
+ this.mode = mode;
+ this.currentTlsContext = new AtomicReference<>(new DefaultTlsContext(tlsOptionsConfigFile, mode));
+ this.scheduler.scheduleAtFixedRate(new SslContextReloader(),
+ UPDATE_PERIOD.getSeconds()/*initial delay*/,
+ UPDATE_PERIOD.getSeconds(),
+ TimeUnit.SECONDS);
+ }
+
+ @Override
+ public SSLEngine createSslEngine() {
+ return currentTlsContext.get().createSslEngine();
+ }
+
+ @Override
+ public void close() {
+ try {
+ scheduler.shutdownNow();
+ scheduler.awaitTermination(5, TimeUnit.SECONDS);
+ } catch (InterruptedException e) {
+ throw new RuntimeException(e);
+ }
+ }
+
+ private class SslContextReloader implements Runnable {
+ @Override
+ public void run() {
+ try {
+ currentTlsContext.set(new DefaultTlsContext(tlsOptionsConfigFile, mode));
+ } catch (Throwable t) {
+ log.log(Level.SEVERE, String.format("Failed to load SSLContext (path='%s'): %s", tlsOptionsConfigFile, t.getMessage()), t);
+ }
+ }
+ }
+
+}
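Review bot: `close()` on L202-L209 catches `InterruptedException`, wraps it in `RuntimeException` and drops the interrupt flag; add `Thread.currentThread().interrupt();` before the `throw`. The reload semantics also deserve documenting on the class Javadoc (L165-L169): the options file is polled on a fixed timer rather than watched, so a rotated credential is served stale for up to `UPDATE_PERIOD` (one hour, L172), and when `SslContextReloader` fails (L216-L218) the previously loaded context stays in use indefinitely with only a SEVERE log line. Operators need both facts to size certificate validity margins and alerting, e.g. `Credentials are re-read every {@code UPDATE_PERIOD}; a failed reload is logged and the last good context is kept.`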
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java b/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java
new file mode 100644
index 00000000000..4809bad80c5
--- /dev/null
+++ b/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java
@@ -0,0 +1,59 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.security.tls;
+
+import com.yahoo.security.KeyUtils;
+import com.yahoo.security.X509CertificateBuilder;
+import com.yahoo.security.tls.authz.PeerAuthorizerTrustManager.Mode;
+import com.yahoo.security.tls.policy.AuthorizedPeers;
+import com.yahoo.security.tls.policy.HostGlobPattern;
+import com.yahoo.security.tls.policy.PeerPolicy;
+import com.yahoo.security.tls.policy.RequiredPeerCredential;
+import com.yahoo.security.tls.policy.Role;
+import org.junit.Test;
+
+import javax.net.ssl.SSLEngine;
+import javax.security.auth.x500.X500Principal;
+import java.security.KeyPair;
+import java.security.cert.X509Certificate;
+import java.time.Instant;
+
+import static com.yahoo.security.KeyAlgorithm.RSA;
+import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_RSA;
+import static com.yahoo.security.X509CertificateBuilder.generateRandomSerialNumber;
+import static java.time.Instant.EPOCH;
+import static java.time.temporal.ChronoUnit.DAYS;
+import static java.util.Collections.singleton;
+import static java.util.Collections.singletonList;
+import static org.assertj.core.api.Assertions.assertThat;
+
+/**
+ * @author bjorncs
+ */
+public class DefaultTlsContextTest {
+
+ @Test
+ public void can_create_sslcontext_from_credentials() {
+ KeyPair keyPair = KeyUtils.generateKeypair(RSA);
+
+ X509Certificate certificate = X509CertificateBuilder
+ .fromKeypair(keyPair, new X500Principal("CN=dummy"), EPOCH, Instant.now().plus(1, DAYS), SHA256_WITH_RSA, generateRandomSerialNumber())
+ .build();
+
+ AuthorizedPeers authorizedPeers = new AuthorizedPeers(
+ singleton(
+ new PeerPolicy(
+ "dummy-policy",
+ singleton(new Role("dummy-role")),
+ singletonList(new RequiredPeerCredential(RequiredPeerCredential.Field.CN, new HostGlobPattern("dummy"))))));
+
+ DefaultTlsContext tlsContext =
+ new DefaultTlsContext(singletonList(certificate), keyPair.getPrivate(), singletonList(certificate), authorizedPeers, Mode.ENFORCE);
+
+ SSLEngine sslEngine = tlsContext.createSslEngine();
+ assertThat(sslEngine).isNotNull();
+ String[] enabledCiphers = sslEngine.getEnabledCipherSuites();
+ assertThat(enabledCiphers).isNotEmpty();
+ assertThat(enabledCiphers).isSubsetOf(DefaultTlsContext.ALLOWED_CIPHER_SUITS.toArray(new String[0]));
+ }
+
+} \ No newline at end of file
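Review bot: The test on L262-L285 pins only that a context can be built and that the enabled ciphers fall within `ALLOWED_CIPHER_SUITS`; it does not exercise the `authorizedPeers == null` branch or the `Mode` argument, so a regression that dropped the authorizer from the context would still pass. A second case constructing `new DefaultTlsContext(singletonList(certificate), keyPair.getPrivate(), singletonList(certificate), null, Mode.ENFORCE)` would at least pin whether a null policy is accepted. The file is also missing its trailing newline (L287).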