diff options
author | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2019-04-03 15:20:10 +0200 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2019-04-03 15:21:31 +0200 |
commit | 84a41baedb4b6441d6b4c3b7b08159763059a905 (patch) | |
tree | fb04f11e7c82150238c1e7df247fd5fe0803fe20 /security-utils | |
parent | ea56eae3f73af014d90956a96c719b94efc7ed5a (diff) |
Add VespaHttpClientBuilder based on apache httpclient
Diffstat (limited to 'security-utils')
3 files changed, 153 insertions, 0 deletions
diff --git a/security-utils/pom.xml b/security-utils/pom.xml index 10dec598915..e326687ff61 100644 --- a/security-utils/pom.xml +++ b/security-utils/pom.xml @@ -19,6 +19,12 @@ <version>${project.version}</version> <scope>provided</scope> </dependency> + <dependency> + <groupId>org.apache.httpcomponents</groupId> + <artifactId>httpclient</artifactId> + <scope>provided</scope> + <optional>true</optional> <!-- Only needed for classes in com.yahoo.security.tls.https --> + </dependency> <!-- compile scope --> <dependency> diff --git a/security-utils/src/main/java/com/yahoo/security/tls/https/VespaHttpClientBuilder.java b/security-utils/src/main/java/com/yahoo/security/tls/https/VespaHttpClientBuilder.java new file mode 100644 index 00000000000..3b0d7a2f76b --- /dev/null +++ b/security-utils/src/main/java/com/yahoo/security/tls/https/VespaHttpClientBuilder.java @@ -0,0 +1,108 @@ +// Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. +package com.yahoo.security.tls.https; + +import com.yahoo.security.tls.MixedMode; +import com.yahoo.security.tls.TlsContext; +import com.yahoo.security.tls.TransportSecurityUtils; +import org.apache.http.HttpRequest; +import org.apache.http.HttpRequestInterceptor; +import org.apache.http.client.methods.HttpRequestBase; +import org.apache.http.conn.HttpClientConnectionManager; +import org.apache.http.conn.ssl.NoopHostnameVerifier; +import org.apache.http.conn.ssl.SSLConnectionSocketFactory; +import org.apache.http.impl.client.HttpClientBuilder; +import org.apache.http.protocol.HttpContext; + +import javax.net.ssl.SSLParameters; +import java.net.URI; +import java.net.URISyntaxException; +import java.util.logging.Level; +import java.util.logging.Logger; + +/** + * Http client builder for internal Vespa communications over http/https. + * + * Notes: + * - hostname verification is not enabled - CN/SAN verification is assumed to be handled by the underlying x509 trust manager. + * - custom connection managers must be configured through {@link #createBuilder(ConnectionManagerFactory)}. Do not call {@link HttpClientBuilder#setConnectionManager(HttpClientConnectionManager)}. + * + * @author bjorncs + */ +public class VespaHttpClientBuilder { + + private static final Logger log = Logger.getLogger(VespaHttpClientBuilder.class.getName()); + + public interface ConnectionManagerFactory { + HttpClientConnectionManager create(SSLConnectionSocketFactory sslSocketFactory); + } + + private VespaHttpClientBuilder() {} + + public static HttpClientBuilder create() { + return createBuilder(null); + } + + public static HttpClientBuilder create(ConnectionManagerFactory connectionManagerFactory) { + return createBuilder(connectionManagerFactory); + } + + private static HttpClientBuilder createBuilder(ConnectionManagerFactory connectionManagerFactory) { + var builder = HttpClientBuilder.create(); + addSslSocketFactory(builder, connectionManagerFactory); + addTlsAwareRequestInterceptor(builder); + return builder; + } + + private static void addSslSocketFactory(HttpClientBuilder builder, ConnectionManagerFactory connectionManagerFactory) { + TransportSecurityUtils.createTlsContext() + .ifPresent(tlsContext -> { + log.log(Level.FINE, "Adding ssl socket factory to client"); + SSLConnectionSocketFactory socketFactory = createSslSocketFactory(tlsContext); + if (connectionManagerFactory != null) { + builder.setConnectionManager(connectionManagerFactory.create(socketFactory)); + } else { + builder.setSSLSocketFactory(socketFactory); + } + }); + } + + private static void addTlsAwareRequestInterceptor(HttpClientBuilder builder) { + if (TransportSecurityUtils.isTransportSecurityEnabled() + && TransportSecurityUtils.getInsecureMixedMode() != MixedMode.PLAINTEXT_CLIENT_MIXED_SERVER) { + log.log(Level.FINE, "Adding request interceptor to client"); + builder.addInterceptorFirst(new HttpToHttpsRewritingRequestInterceptor()); + } + } + + private static SSLConnectionSocketFactory createSslSocketFactory(TlsContext tlsContext) { + SSLParameters parameters = tlsContext.parameters(); + return new SSLConnectionSocketFactory(tlsContext.context(), parameters.getProtocols(), parameters.getCipherSuites(), new NoopHostnameVerifier()); + } + + static class HttpToHttpsRewritingRequestInterceptor implements HttpRequestInterceptor { + @Override + public void process(HttpRequest request, HttpContext context) { + if (request instanceof HttpRequestBase) { + HttpRequestBase httpUriRequest = (HttpRequestBase) request; + httpUriRequest.setURI(rewriteUri(httpUriRequest.getURI())); + } else { + log.log(Level.FINE, () -> "Not a HttpRequestBase - skipping URI rewriting: " + request.getClass().getName()); + } + } + + private static URI rewriteUri(URI originalUri) { + if (!originalUri.getScheme().equals("http")) { + return originalUri; + } + int port = originalUri.getPort(); + int rewrittenPort = port != -1 ? port : 80; + try { + URI rewrittenUri = new URI("https", originalUri.getUserInfo(), originalUri.getHost(), rewrittenPort, originalUri.getPath(), originalUri.getQuery(), originalUri.getFragment()); + log.log(Level.FINE, () -> String.format("Uri rewritten from '%s' to '%s'", originalUri, rewrittenUri)); + return rewrittenUri; + } catch (URISyntaxException e) { + throw new RuntimeException(e); + } + } + } +} diff --git a/security-utils/src/test/java/com/yahoo/security/tls/https/VespaHttpClientBuilderTest.java b/security-utils/src/test/java/com/yahoo/security/tls/https/VespaHttpClientBuilderTest.java new file mode 100644 index 00000000000..10b8458359c --- /dev/null +++ b/security-utils/src/test/java/com/yahoo/security/tls/https/VespaHttpClientBuilderTest.java @@ -0,0 +1,39 @@ +// Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. +package com.yahoo.security.tls.https; + +import com.yahoo.security.tls.https.VespaHttpClientBuilder.HttpToHttpsRewritingRequestInterceptor; +import org.apache.http.client.methods.HttpGet; +import org.apache.http.protocol.BasicHttpContext; +import org.junit.Test; + +import java.net.URI; + +import static org.assertj.core.api.AssertionsForClassTypes.assertThat; + +/** + * @author bjorncs + */ +public class VespaHttpClientBuilderTest { + + @Test + public void request_interceptor_modifies_scheme_of_requests() { + verifyProcessedUriMatchesExpectedOutput("http://dummyhostname:8080/a/path/to/resource?query=value", + "https://dummyhostname:8080/a/path/to/resource?query=value"); + } + + @Test + public void request_interceptor_add_handles_implicit_http_port() { + verifyProcessedUriMatchesExpectedOutput("http://dummyhostname/a/path/to/resource?query=value", + "https://dummyhostname:80/a/path/to/resource?query=value"); + } + + private static void verifyProcessedUriMatchesExpectedOutput(String inputUri, String expectedOutputUri) { + var interceptor = new HttpToHttpsRewritingRequestInterceptor(); + HttpGet request = new HttpGet(inputUri); + interceptor.process(request, new BasicHttpContext()); + URI modifiedUri = request.getURI(); + URI expectedUri = URI.create(expectedOutputUri); + assertThat(modifiedUri).isEqualTo(expectedUri); + } + +}
\ No newline at end of file |