author | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2020-02-13 17:12:04 +0100 |
committer | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2020-02-13 17:28:34 +0100 |
commit | 8794ed9299710b661332adcadacbdeb4c388ed5a (patch) | |
tree | 61b0dea06772795fccf84a76bafff53b9234e9fd /security-utils | |
parent | 762abbd7f48f3afe8257faf581c7defce160ad4f (diff) |
Introduce 'disable-hostname-validation' to TLS json format
Diffstat (limited to 'security-utils')
7 files changed, 53 insertions, 5 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityOptions.java b/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityOptions.java
index c0e9e1053c3..5db6d551193 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityOptions.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityOptions.java
@@ -30,6 +30,7 @@ public class TransportSecurityOptions {
 private final Path caCertificatesFile;
 private final AuthorizedPeers authorizedPeers;
 private final List<String> acceptedCiphers;
+ private final boolean isHostnameValidationDisabled;
 private TransportSecurityOptions(Builder builder) {
 this.privateKeyFile = builder.privateKeyFile;
@@ -37,6 +38,7 @@ public class TransportSecurityOptions {
 this.caCertificatesFile = builder.caCertificatesFile;
 this.authorizedPeers = builder.authorizedPeers;
 this.acceptedCiphers = builder.acceptedCiphers;
+ this.isHostnameValidationDisabled = builder.isHostnameValidationDisabled;
 }
 public Optional<Path> getPrivateKeyFile() {
@@ -57,6 +59,8 @@ public class TransportSecurityOptions {
 public List<String> getAcceptedCiphers() { return acceptedCiphers; }
+ public boolean isHostnameValidationDisabled() { return isHostnameValidationDisabled; }
+
 public static TransportSecurityOptions fromJsonFile(Path file) {
 try (InputStream in = Files.newInputStream(file)) {
 return new TransportSecurityOptionsJsonSerializer().deserialize(in);
@@ -90,6 +94,7 @@ public class TransportSecurityOptions {
 private Path caCertificatesFile;
 private AuthorizedPeers authorizedPeers;
 private List<String> acceptedCiphers = new ArrayList<>();
+ private boolean isHostnameValidationDisabled;
 public Builder() {}
@@ -114,6 +119,11 @@ public class TransportSecurityOptions {
 return this;
 }
+ public Builder withHostnameValidationDisabled(boolean isDisabled) {
+ this.isHostnameValidationDisabled = isDisabled;
+ return this;
+ }
+
 public TransportSecurityOptions build() {
 return new TransportSecurityOptions(this);
 }
@@ -127,6 +137,7 @@ public class TransportSecurityOptions {
 ", caCertificatesFile=" + caCertificatesFile +
 ", authorizedPeers=" + authorizedPeers +
 ", acceptedCiphers=" + acceptedCiphers +
+ ", isHostnameValidationDisabled=" + isHostnameValidationDisabled +
 '}';
 }
@@ -135,7 +146,8 @@ public class TransportSecurityOptions {
 if (this == o) return true;
 if (o == null || getClass() != o.getClass()) return false;
 TransportSecurityOptions that = (TransportSecurityOptions) o;
- return Objects.equals(privateKeyFile, that.privateKeyFile) &&
+ return isHostnameValidationDisabled == that.isHostnameValidationDisabled &&
+ Objects.equals(privateKeyFile, that.privateKeyFile) &&
 Objects.equals(certificatesFile, that.certificatesFile) &&
 Objects.equals(caCertificatesFile, that.caCertificatesFile) &&
 Objects.equals(authorizedPeers, that.authorizedPeers) &&
@@ -144,6 +156,6 @@ public class TransportSecurityOptions {
 @Override
 public int hashCode() {
- return Objects.hash(privateKeyFile, certificatesFile, caCertificatesFile, authorizedPeers, acceptedCiphers);
+ return Objects.hash(privateKeyFile, certificatesFile, caCertificatesFile, authorizedPeers, acceptedCiphers, isHostnameValidationDisabled);
 }
 }
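Review bot: `withHostnameValidationDisabled(boolean)` in the @@ -114 hunk and the getter in the @@ -57 hunk introduce a switch that weakens TLS peer authentication, yet neither carries Javadoc, and nothing in this commit shows where the flag is consumed. Add a short Javadoc to the builder method stating the consequence and when it is acceptable, e.g. `/** Disables hostname validation of peer certificates; only intended where peer identity is enforced by other means, such as an {@code AuthorizedPeers} policy. */`, and `/** @return whether hostname validation of peer certificates is disabled */` on the getter. The `Builder` class and the enclosing `TransportSecurityOptions` class both start outside the hunk.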
\ No newline at end of file
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsEntity.java b/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsEntity.java
index 6594fa84255..2b001ca2ca0 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsEntity.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsEntity.java
@@ -8,6 +8,7 @@ import com.fasterxml.jackson.annotation.JsonProperty;
 import java.util.List;
 import static com.fasterxml.jackson.annotation.JsonInclude.Include.NON_EMPTY;
+import static com.fasterxml.jackson.annotation.JsonInclude.Include.NON_NULL;
 /**
 * Jackson bindings for transport security options
@@ -20,6 +21,7 @@ class TransportSecurityOptionsEntity {
 @JsonProperty("files") Files files;
 @JsonProperty("authorized-peers") @JsonInclude(NON_EMPTY) List<AuthorizedPeer> authorizedPeers;
 @JsonProperty("accepted-ciphers") @JsonInclude(NON_EMPTY) List<String> acceptedCiphers;
+ @JsonProperty("disable-hostname-validation") @JsonInclude(NON_NULL) Boolean isHostnameValidationDisabled;
 static class Files {
 @JsonProperty("private-key") String privateKeyFile;
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializer.java b/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializer.java
index 5487bad24e7..3cba434912c 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializer.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializer.java
@@ -77,6 +77,9 @@ public class TransportSecurityOptionsJsonSerializer {
 }
 builder.withAcceptedCiphers(entity.acceptedCiphers);
 }
+ if (entity.isHostnameValidationDisabled != null) {
+ builder.withHostnameValidationDisabled(entity.isHostnameValidationDisabled);
+ }
 return builder.build();
 }
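Review bot: The new `Boolean isHostnameValidationDisabled` field in the @@ -20 hunk of TransportSecurityOptionsEntity is the only boxed binding on the entity and the reason is not stated; a later cleanup to `boolean` would make an absent key indistinguishable from an explicit `false` and silently defeat the null check the deserializer relies on. Add `// boxed on purpose: null means the key was absent; the serializer emits the key only when true` above the field. The entity class body continues past the hunk.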
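Review bot: In the @@ -77 hunk of TransportSecurityOptionsJsonSerializer a configuration that sets `disable-hostname-validation` to `true` is applied without any trace; since this turns off a peer-identity check, the weakened state should be observable by whoever operates the process. If the class or its caller has a logger available, emit a warning-level message inside the null-guarded branch when the parsed value is true; if not, at least record the expectation in the method's Javadoc so the caller knows to surface it. The deserialize method starts outside the hunk.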
@@ -158,6 +161,9 @@ public class TransportSecurityOptionsJsonSerializer {
 if (!options.getAcceptedCiphers().isEmpty()) {
 entity.acceptedCiphers = options.getAcceptedCiphers();
 }
+ if (options.isHostnameValidationDisabled()) {
+ entity.isHostnameValidationDisabled = true;
+ }
 return entity;
 }
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/TransportSecurityOptionsTest.java b/security-utils/src/test/java/com/yahoo/security/tls/TransportSecurityOptionsTest.java
index 28dc10d31d5..f2d2b932cd0 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/TransportSecurityOptionsTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/tls/TransportSecurityOptionsTest.java
@@ -21,6 +21,7 @@ public class TransportSecurityOptionsTest {
 .withCertificates(Paths.get("certs.pem"), Paths.get("myhost.key"))
 .withCaCertificates(Paths.get("my_cas.pem"))
 .withAcceptedCiphers(com.yahoo.vespa.jdk8compat.List.of("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" , "TLS_AES_256_GCM_SHA384"))
+ .withHostnameValidationDisabled(true)
 .build();
 @Test
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializerTest.java b/security-utils/src/test/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializerTest.java
index 078aa58c948..0dec75fa711 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializerTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializerTest.java
@@ -22,7 +22,6 @@ import java.nio.file.Paths;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashSet;
-import java.util.List;
 import static com.yahoo.security.tls.policy.RequiredPeerCredential.Field.CN;
 import static com.yahoo.security.tls.policy.RequiredPeerCredential.Field.SAN_DNS;
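Review bot: The `if (options.isHostnameValidationDisabled())` branch in the @@ -158 hunk deliberately leaves the entity field null when validation is enabled, so `false` round-trips as an absent key rather than an explicit `false`; that asymmetry with the deserializer's null check is not obvious from this call site alone. Add `// emitted only when true; an absent key means hostname validation stays enabled` above the branch. The enclosing serialize method starts outside the hunk.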
@@ -44,6 +43,7 @@ public class TransportSecurityOptionsJsonSerializerTest {
 TransportSecurityOptions options = new TransportSecurityOptions.Builder()
 .withCaCertificates(Paths.get("/path/to/ca-certs.pem"))
 .withCertificates(Paths.get("/path/to/cert.pem"), Paths.get("/path/to/key.pem"))
+ .withHostnameValidationDisabled(false)
 .withAuthorizedPeers(
 new AuthorizedPeers(
 new HashSet<>(Arrays.asList(
@@ -66,6 +66,7 @@ public class TransportSecurityOptionsJsonSerializerTest {
 .withCertificates(Paths.get("certs.pem"), Paths.get("myhost.key"))
 .withCaCertificates(Paths.get("my_cas.pem"))
 .withAcceptedCiphers(com.yahoo.vespa.jdk8compat.List.of("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" , "TLS_AES_256_GCM_SHA384"))
+ .withHostnameValidationDisabled(true)
 .build();
 File outputFile = tempDirectory.newFile();
 try (OutputStream out = Files.newOutputStream(outputFile.toPath())) {
@@ -76,4 +77,22 @@ public class TransportSecurityOptionsJsonSerializerTest {
 assertJsonEquals(expectedOutput, actualOutput);
 }
+ @Test
+ public void disable_hostname_validation_is_not_serialized_if_false() throws IOException {
+ TransportSecurityOptions options = new TransportSecurityOptions.Builder()
+ .withCertificates(Paths.get("certs.pem"), Paths.get("myhost.key"))
+ .withCaCertificates(Paths.get("my_cas.pem"))
+ .withHostnameValidationDisabled(false)
+ .build();
+ File outputFile = tempDirectory.newFile();
+ try (OutputStream out = Files.newOutputStream(outputFile.toPath())) {
+ new TransportSecurityOptionsJsonSerializer().serialize(out, options);
+ }
+
+ String expectedOutput = new String(Files.readAllBytes(
+ Paths.get("src/test/resources/transport-security-options-with-disable-hostname-validation-set-to-false.json")));
+ String actualOutput = new String(Files.readAllBytes(outputFile.toPath()));
+ assertJsonEquals(expectedOutput, actualOutput);
+ }
+
 }
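Review bot: The new test `disable_hostname_validation_is_not_serialized_if_false` in the @@ -76 hunk decodes both files with `new String(Files.readAllBytes(...))`, which uses the platform default charset on the JDKs this code targets and can differ between build machines; the surrounding tests appear to do the same, so this may be a project-wide habit, but new code should pass `StandardCharsets.UTF_8` to the `String` constructor (`Files.readString` is not available if the module still targets Java 8, as the `jdk8compat.List.of` usage suggests). The test also covers only the serialize direction; a companion assertion that deserializing the new resource file yields `isHostnameValidationDisabled() == false` would pin the inverse path cheaply. The test class starts outside the hunk; its closing brace is the hunk's last context line.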
diff --git a/security-utils/src/test/resources/transport-security-options-with-disable-hostname-validation-set-to-false.json b/security-utils/src/test/resources/transport-security-options-with-disable-hostname-validation-set-to-false.json
new file mode 100644
index 00000000000..0506c130722
--- /dev/null
+++ b/security-utils/src/test/resources/transport-security-options-with-disable-hostname-validation-set-to-false.json
@@ -0,0 +1,7 @@
+{
+ "files": {
+ "private-key": "myhost.key",
+ "ca-certificates": "my_cas.pem",
+ "certificates": "certs.pem"
+ }
+}
\ No newline at end of file
diff --git a/security-utils/src/test/resources/transport-security-options.json b/security-utils/src/test/resources/transport-security-options.json
index 2e55c8fd931..7983982f644 100644
--- a/security-utils/src/test/resources/transport-security-options.json
+++ b/security-utils/src/test/resources/transport-security-options.json
@@ -1,8 +1,9 @@
 {
+ "disable-hostname-validation": true,
 "files": {
 "private-key": "myhost.key",
 "ca-certificates": "my_cas.pem",
 "certificates": "certs.pem"
- },
- "accepted-ciphers": ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_AES_256_GCM_SHA384"]
+ },
+ "accepted-ciphers": ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_AES_256_GCM_SHA384"]
 }
\ No newline at end of file |