authorBjørn Christian Seime <bjorn.christian@seime.no>2018-11-07 10:58:53 +0100
committerGitHub <noreply@github.com>2018-11-07 10:58:53 +0100
commit95ffa3196cc6719a6295ad3ba7cee366499864f1 (patch)
tree4efaa8de3cccaef4f58a1025522de4f1d85d1e86 /security-utils
parent9863899ffe849ad7af74759977fbf2640b0add93 (diff)
parent2fee9978ee7c93b3eafdc79c2f3553d8d0117bb1 (diff)
Merge pull request #7585 from vespa-engine/bjorncs/accepted-ciphers
Bjorncs/accepted ciphers
Diffstat (limited to 'security-utils')
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityOptions.java53
-rw-r--r--security-utils/src/test/java/com/yahoo/security/tls/TransportSecurityOptionsTest.java7
-rw-r--r--security-utils/src/test/resources/transport-security-options.json3
3 files changed, 51 insertions, 12 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityOptions.java b/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityOptions.java
index 67466179634..bc124b4fe2d 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityOptions.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityOptions.java
@@ -8,6 +8,9 @@ import java.io.IOException;
import java.io.UncheckedIOException;
import java.nio.file.Path;
import java.nio.file.Paths;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
import java.util.Objects;
import java.util.Optional;
@@ -16,6 +19,7 @@ import java.util.Optional;
*
* @author bjorncs
*/
+// TODO Add builder
public class TransportSecurityOptions {
private static final ObjectMapper mapper = new ObjectMapper();
@@ -23,15 +27,25 @@ public class TransportSecurityOptions {
private final Path privateKeyFile;
private final Path certificatesFile;
private final Path caCertificatesFile;
+ private final List<String> acceptedCiphers;
public TransportSecurityOptions(String privateKeyFile, String certificatesFile, String caCertificatesFile) {
this(Paths.get(privateKeyFile), Paths.get(certificatesFile), Paths.get(caCertificatesFile));
}
public TransportSecurityOptions(Path privateKeyFile, Path certificatesFile, Path caCertificatesFile) {
+ this(privateKeyFile, certificatesFile, caCertificatesFile, Collections.emptyList());
+ }
+
+ public TransportSecurityOptions(String privateKeyFile, String certificatesFile, String caCertificatesFile, List<String> acceptedCiphers) {
+ this(Paths.get(privateKeyFile), Paths.get(certificatesFile), Paths.get(caCertificatesFile), acceptedCiphers);
+ }
+
+ public TransportSecurityOptions(Path privateKeyFile, Path certificatesFile, Path caCertificatesFile, List<String> acceptedCiphers) {
this.privateKeyFile = privateKeyFile;
this.certificatesFile = certificatesFile;
this.caCertificatesFile = caCertificatesFile;
+ this.acceptedCiphers = acceptedCiphers;
}
public Path getPrivateKeyFile() {
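Review bot: The four-argument constructor stores the caller's list by reference at `this.acceptedCiphers = acceptedCiphers;`, and the new `getAcceptedCiphers()` in the next hunk hands that same reference back, so the accepted-cipher list can be mutated from outside after the options object is built, and a null argument is accepted silently. Copy on the way in and keep only a read-only view: `this.acceptedCiphers = Collections.unmodifiableList(new ArrayList<>(Objects.requireNonNull(acceptedCiphers, "acceptedCiphers")));`. With that change the getter can return the field as it does now, and `equals`/`hashCode` keep working since they compare list contents.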
@@ -46,6 +60,10 @@ public class TransportSecurityOptions {
return caCertificatesFile;
}
+ public List<String> getAcceptedCiphers() {
+ return acceptedCiphers;
+ }
+
public static TransportSecurityOptions fromJsonFile(Path file) {
try {
return fromJsonNode(mapper.readTree(file.toFile()));
@@ -63,15 +81,30 @@ public class TransportSecurityOptions {
}
private static TransportSecurityOptions fromJsonNode(JsonNode root) {
- JsonNode filesNode = getField(root, "files");
- String privateKeyFile = getField(filesNode, "private-key").asText();
- String certificatesFile = getField(filesNode, "certificates").asText();
- String caCertificatesFile = getField(filesNode, "ca-certificates").asText();
- return new TransportSecurityOptions(privateKeyFile, certificatesFile, caCertificatesFile);
+ JsonNode filesNode = getFieldOrThrow(root, "files");
+ List<String> acceptedCiphers = getField(root, "accepted-ciphers")
+ .map(TransportSecurityOptions::toCipherList)
+ .orElse(Collections.emptyList());
+ String privateKeyFile = getFieldOrThrow(filesNode, "private-key").asText();
+ String certificatesFile = getFieldOrThrow(filesNode, "certificates").asText();
+ String caCertificatesFile = getFieldOrThrow(filesNode, "ca-certificates").asText();
+ return new TransportSecurityOptions(privateKeyFile, certificatesFile, caCertificatesFile, acceptedCiphers);
+ }
+
+ private static List<String> toCipherList(JsonNode ciphersNode) {
+ List<String> ciphers = new ArrayList<>();
+ for (JsonNode cipherNode : ciphersNode) {
+ ciphers.add(cipherNode.asText());
+ }
+ return ciphers;
+ }
+
+ private static Optional<JsonNode> getField(JsonNode root, String fieldName) {
+ return Optional.ofNullable(root.get(fieldName));
}
- private static JsonNode getField(JsonNode root, String fieldName) {
- return Optional.ofNullable(root.get(fieldName))
+ private static JsonNode getFieldOrThrow(JsonNode root, String fieldName) {
+ return getField(root, fieldName)
.orElseThrow(() -> new IllegalArgumentException(String.format("'%s' field missing", fieldName)));
}
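Review bot: `toCipherList` iterates `ciphersNode` without first checking that it is an array; Jackson's iterator over a scalar node (e.g. `"accepted-ciphers": "TLS_..."` written as a string by mistake) yields no elements, so a malformed cipher configuration silently becomes an empty list, which `fromJsonNode` treats exactly like the field being absent (presumably the unrestricted default). Reject the wrong shape instead of degrading quietly: `if (!ciphersNode.isArray()) throw new IllegalArgumentException("'accepted-ciphers' must be an array");` at the top of the method. Checking `cipherNode.isTextual()` inside the loop would similarly surface non-string entries rather than coercing them with `asText()`.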
@@ -81,6 +114,7 @@ public class TransportSecurityOptions {
"privateKeyFile=" + privateKeyFile +
", certificatesFile=" + certificatesFile +
", caCertificatesFile=" + caCertificatesFile +
+ ", acceptedCiphers=" + acceptedCiphers +
'}';
}
@@ -91,11 +125,12 @@ public class TransportSecurityOptions {
TransportSecurityOptions that = (TransportSecurityOptions) o;
return Objects.equals(privateKeyFile, that.privateKeyFile) &&
Objects.equals(certificatesFile, that.certificatesFile) &&
- Objects.equals(caCertificatesFile, that.caCertificatesFile);
+ Objects.equals(caCertificatesFile, that.caCertificatesFile) &&
+ Objects.equals(acceptedCiphers, that.acceptedCiphers);
}
@Override
public int hashCode() {
- return Objects.hash(privateKeyFile, certificatesFile, caCertificatesFile);
+ return Objects.hash(privateKeyFile, certificatesFile, caCertificatesFile, acceptedCiphers);
}
} \ No newline at end of file
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/TransportSecurityOptionsTest.java b/security-utils/src/test/java/com/yahoo/security/tls/TransportSecurityOptionsTest.java
index 84f71cf8fc2..2ae140d7958 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/TransportSecurityOptionsTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/tls/TransportSecurityOptionsTest.java
@@ -8,6 +8,8 @@ import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
+import java.util.Collections;
+import java.util.List;
import static org.junit.Assert.*;
@@ -16,11 +18,12 @@ import static org.junit.Assert.*;
*/
public class TransportSecurityOptionsTest {
+ private static final List<String> CIPHERS = Collections.singletonList("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");
private static final Path TEST_CONFIG_FILE = Paths.get("src/test/resources/transport-security-options.json");
@Test
public void can_read_options_from_json_file() {
- TransportSecurityOptions expectedOptions = new TransportSecurityOptions("myhost.key", "certs.pem", "my_cas.pem");
+ TransportSecurityOptions expectedOptions = new TransportSecurityOptions("myhost.key", "certs.pem", "my_cas.pem", CIPHERS);
TransportSecurityOptions actualOptions = TransportSecurityOptions.fromJsonFile(TEST_CONFIG_FILE);
assertEquals(expectedOptions, actualOptions);
}
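Review bot: Both updated tests read the same fixture, which now always carries `accepted-ciphers`, so the fallback in `fromJsonNode` that yields `Collections.emptyList()` when the field is absent no longer appears to be exercised by these tests. A small inline-JSON case asserting `TransportSecurityOptions.fromJson(jsonWithoutCiphers).getAcceptedCiphers().isEmpty()` would pin that default, since a regression there would change which ciphers end up accepted without any test failing.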
@@ -28,7 +31,7 @@ public class TransportSecurityOptionsTest {
@Test
public void can_read_options_from_json() throws IOException {
String tlsJson = new String(Files.readAllBytes(TEST_CONFIG_FILE), StandardCharsets.UTF_8);
- TransportSecurityOptions expectedOptions = new TransportSecurityOptions("myhost.key", "certs.pem", "my_cas.pem");
+ TransportSecurityOptions expectedOptions = new TransportSecurityOptions("myhost.key", "certs.pem", "my_cas.pem", CIPHERS);
TransportSecurityOptions actualOptions = TransportSecurityOptions.fromJson(tlsJson);
assertEquals(expectedOptions, actualOptions);
}
diff --git a/security-utils/src/test/resources/transport-security-options.json b/security-utils/src/test/resources/transport-security-options.json
index 0506c130722..259d4133aee 100644
--- a/security-utils/src/test/resources/transport-security-options.json
+++ b/security-utils/src/test/resources/transport-security-options.json
@@ -3,5 +3,6 @@
"private-key": "myhost.key",
"ca-certificates": "my_cas.pem",
"certificates": "certs.pem"
- }
+ },
+ "accepted-ciphers": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]
} \ No newline at end of file