Introduce 'disable-hostname-validation' to TLS json format

author: Bjørn Christian Seime <bjorncs@verizonmedia.com> 2020-02-13 17:12:04 +0100
committer: Bjørn Christian Seime <bjorncs@verizonmedia.com> 2020-02-13 17:28:34 +0100
commit: 8794ed9299710b661332adcadacbdeb4c388ed5a (patch)
tree: 61b0dea06772795fccf84a76bafff53b9234e9fd /security-utils
parent: 762abbd7f48f3afe8257faf581c7defce160ad4f (diff)
7 files changed, 53 insertions, 5 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityOptions.java b/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityOptions.java
index c0e9e1053c3..5db6d551193 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityOptions.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityOptions.java
@@ -30,6 +30,7 @@ public class TransportSecurityOptions {
     private final Path caCertificatesFile;
     private final AuthorizedPeers authorizedPeers;
     private final List<String> acceptedCiphers;
+    private final boolean isHostnameValidationDisabled;
 
     private TransportSecurityOptions(Builder builder) {
         this.privateKeyFile = builder.privateKeyFile;
@@ -37,6 +38,7 @@ public class TransportSecurityOptions {
         this.caCertificatesFile = builder.caCertificatesFile;
         this.authorizedPeers = builder.authorizedPeers;
         this.acceptedCiphers = builder.acceptedCiphers;
+        this.isHostnameValidationDisabled = builder.isHostnameValidationDisabled;
     }
 
     public Optional<Path> getPrivateKeyFile() {
@@ -57,6 +59,8 @@ public class TransportSecurityOptions {
 
     public List<String> getAcceptedCiphers() { return acceptedCiphers; }
 
+    public boolean isHostnameValidationDisabled() { return isHostnameValidationDisabled; }
+
     public static TransportSecurityOptions fromJsonFile(Path file) {
         try (InputStream in = Files.newInputStream(file)) {
             return new TransportSecurityOptionsJsonSerializer().deserialize(in);
@@ -90,6 +94,7 @@ public class TransportSecurityOptions {
         private Path caCertificatesFile;
         private AuthorizedPeers authorizedPeers;
         private List<String> acceptedCiphers = new ArrayList<>();
+        private boolean isHostnameValidationDisabled;
 
         public Builder() {}
 
@@ -114,6 +119,11 @@ public class TransportSecurityOptions {
             return this;
         }
 
+        public Builder withHostnameValidationDisabled(boolean isDisabled) {
+            this.isHostnameValidationDisabled = isDisabled;
+            return this;
+        }
+
         public TransportSecurityOptions build() {
             return new TransportSecurityOptions(this);
         }
@@ -127,6 +137,7 @@ public class TransportSecurityOptions {
                 ", caCertificatesFile=" + caCertificatesFile +
                 ", authorizedPeers=" + authorizedPeers +
                 ", acceptedCiphers=" + acceptedCiphers +
+                ", isHostnameValidationDisabled=" + isHostnameValidationDisabled +
                 '}';
     }
 
@@ -135,7 +146,8 @@ public class TransportSecurityOptions {
         if (this == o) return true;
         if (o == null || getClass() != o.getClass()) return false;
         TransportSecurityOptions that = (TransportSecurityOptions) o;
-        return Objects.equals(privateKeyFile, that.privateKeyFile) &&
+        return isHostnameValidationDisabled == that.isHostnameValidationDisabled &&
+                Objects.equals(privateKeyFile, that.privateKeyFile) &&
                 Objects.equals(certificatesFile, that.certificatesFile) &&
                 Objects.equals(caCertificatesFile, that.caCertificatesFile) &&
                 Objects.equals(authorizedPeers, that.authorizedPeers) &&
@@ -144,6 +156,6 @@ public class TransportSecurityOptions {
 
     @Override
     public int hashCode() {
-        return Objects.hash(privateKeyFile, certificatesFile, caCertificatesFile, authorizedPeers, acceptedCiphers);
+        return Objects.hash(privateKeyFile, certificatesFile, caCertificatesFile, authorizedPeers, acceptedCiphers, isHostnameValidationDisabled);
     }
 }
 \ No newline at end of file
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsEntity.java b/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsEntity.java
index 6594fa84255..2b001ca2ca0 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsEntity.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsEntity.java
@@ -8,6 +8,7 @@ import com.fasterxml.jackson.annotation.JsonProperty;
 import java.util.List;
 
 import static com.fasterxml.jackson.annotation.JsonInclude.Include.NON_EMPTY;
+import static com.fasterxml.jackson.annotation.JsonInclude.Include.NON_NULL;
 
 /**
  * Jackson bindings for transport security options
@@ -20,6 +21,7 @@ class TransportSecurityOptionsEntity {
     @JsonProperty("files") Files files;
     @JsonProperty("authorized-peers") @JsonInclude(NON_EMPTY) List<AuthorizedPeer> authorizedPeers;
     @JsonProperty("accepted-ciphers") @JsonInclude(NON_EMPTY) List<String> acceptedCiphers;
+    @JsonProperty("disable-hostname-validation") @JsonInclude(NON_NULL) Boolean isHostnameValidationDisabled;
 
     static class Files {
         @JsonProperty("private-key") String privateKeyFile;
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializer.java b/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializer.java
index 5487bad24e7..3cba434912c 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializer.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializer.java
@@ -77,6 +77,9 @@ public class TransportSecurityOptionsJsonSerializer {
             }
             builder.withAcceptedCiphers(entity.acceptedCiphers);
         }
+        if (entity.isHostnameValidationDisabled != null) {
+            builder.withHostnameValidationDisabled(entity.isHostnameValidationDisabled);
+        }
         return builder.build();
     }
 
@@ -158,6 +161,9 @@ public class TransportSecurityOptionsJsonSerializer {
         if (!options.getAcceptedCiphers().isEmpty()) {
             entity.acceptedCiphers = options.getAcceptedCiphers();
         }
+        if (options.isHostnameValidationDisabled()) {
+            entity.isHostnameValidationDisabled = true;
+        }
         return entity;
     }
 
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/TransportSecurityOptionsTest.java b/security-utils/src/test/java/com/yahoo/security/tls/TransportSecurityOptionsTest.java
index 28dc10d31d5..f2d2b932cd0 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/TransportSecurityOptionsTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/tls/TransportSecurityOptionsTest.java
@@ -21,6 +21,7 @@ public class TransportSecurityOptionsTest {
             .withCertificates(Paths.get("certs.pem"), Paths.get("myhost.key"))
             .withCaCertificates(Paths.get("my_cas.pem"))
             .withAcceptedCiphers(com.yahoo.vespa.jdk8compat.List.of("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" , "TLS_AES_256_GCM_SHA384"))
+            .withHostnameValidationDisabled(true)
             .build();
 
     @Test
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializerTest.java b/security-utils/src/test/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializerTest.java
index 078aa58c948..0dec75fa711 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializerTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializerTest.java
@@ -22,7 +22,6 @@ import java.nio.file.Paths;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashSet;
-import java.util.List;
 
 import static com.yahoo.security.tls.policy.RequiredPeerCredential.Field.CN;
 import static com.yahoo.security.tls.policy.RequiredPeerCredential.Field.SAN_DNS;
@@ -44,6 +43,7 @@ public class TransportSecurityOptionsJsonSerializerTest {
         TransportSecurityOptions options = new TransportSecurityOptions.Builder()
                 .withCaCertificates(Paths.get("/path/to/ca-certs.pem"))
                 .withCertificates(Paths.get("/path/to/cert.pem"), Paths.get("/path/to/key.pem"))
+                .withHostnameValidationDisabled(false)
                 .withAuthorizedPeers(
                         new AuthorizedPeers(
                                 new HashSet<>(Arrays.asList(
@@ -66,6 +66,7 @@ public class TransportSecurityOptionsJsonSerializerTest {
                 .withCertificates(Paths.get("certs.pem"), Paths.get("myhost.key"))
                 .withCaCertificates(Paths.get("my_cas.pem"))
                 .withAcceptedCiphers(com.yahoo.vespa.jdk8compat.List.of("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" , "TLS_AES_256_GCM_SHA384"))
+                .withHostnameValidationDisabled(true)
                 .build();
         File outputFile = tempDirectory.newFile();
         try (OutputStream out = Files.newOutputStream(outputFile.toPath())) {
@@ -76,4 +77,22 @@ public class TransportSecurityOptionsJsonSerializerTest {
         assertJsonEquals(expectedOutput, actualOutput);
     }
 
+    @Test
+    public void disable_hostname_validation_is_not_serialized_if_false() throws IOException {
+        TransportSecurityOptions options = new TransportSecurityOptions.Builder()
+                .withCertificates(Paths.get("certs.pem"), Paths.get("myhost.key"))
+                .withCaCertificates(Paths.get("my_cas.pem"))
+                .withHostnameValidationDisabled(false)
+                .build();
+        File outputFile = tempDirectory.newFile();
+        try (OutputStream out = Files.newOutputStream(outputFile.toPath())) {
+            new TransportSecurityOptionsJsonSerializer().serialize(out, options);
+        }
+
+        String expectedOutput = new String(Files.readAllBytes(
+                Paths.get("src/test/resources/transport-security-options-with-disable-hostname-validation-set-to-false.json")));
+        String actualOutput = new String(Files.readAllBytes(outputFile.toPath()));
+        assertJsonEquals(expectedOutput, actualOutput);
+    }
+
 }
diff --git a/security-utils/src/test/resources/transport-security-options-with-disable-hostname-validation-set-to-false.json b/security-utils/src/test/resources/transport-security-options-with-disable-hostname-validation-set-to-false.json
new file mode 100644
index 00000000000..0506c130722
--- /dev/null
+++ b/security-utils/src/test/resources/transport-security-options-with-disable-hostname-validation-set-to-false.json
@@ -0,0 +1,7 @@
+{
+  "files": {
+    "private-key": "myhost.key",
+    "ca-certificates": "my_cas.pem",
+    "certificates": "certs.pem"
+  }
+}
+\ No newline at end of file
diff --git a/security-utils/src/test/resources/transport-security-options.json b/security-utils/src/test/resources/transport-security-options.json
index 2e55c8fd931..7983982f644 100644
--- a/security-utils/src/test/resources/transport-security-options.json
+++ b/security-utils/src/test/resources/transport-security-options.json
@@ -1,8 +1,9 @@
 {
+  "disable-hostname-validation": true,
   "files": {
     "private-key": "myhost.key",
     "ca-certificates": "my_cas.pem",
     "certificates": "certs.pem"
-    },
-    "accepted-ciphers": ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_AES_256_GCM_SHA384"]
+  },
+  "accepted-ciphers": ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_AES_256_GCM_SHA384"]
 }
 \ No newline at end of file
author	Bjørn Christian Seime <bjorncs@verizonmedia.com>	2020-02-13 17:12:04 +0100
committer	Bjørn Christian Seime <bjorncs@verizonmedia.com>	2020-02-13 17:28:34 +0100
commit	8794ed9299710b661332adcadacbdeb4c388ed5a (patch)
tree	61b0dea06772795fccf84a76bafff53b9234e9fd /security-utils
parent	762abbd7f48f3afe8257faf581c7defce160ad4f (diff)