Add back the sometimes-used ssl context supplier

author: jonmv <venstad@gmail.com> 2023-12-15 12:52:14 +0100
committer: jonmv <venstad@gmail.com> 2023-12-15 12:52:14 +0100
commit: a8a34ca51b7958962a4247abc0abc8bcad8fbef8 (patch)
tree: fa9420127094923ea293ac936b4c1ed4acdb714f /zookeeper-client-common
parent: 01b40d7e149df23c84a7a13560208e862480ce3a (diff)
3 files changed, 3 insertions, 232 deletions
diff --git a/zookeeper-client-common/src/main/java/com/yahoo/vespa/zookeeper/client/ZkClientConfigBuilder.java b/zookeeper-client-common/src/main/java/com/yahoo/vespa/zookeeper/client/ZkClientConfigBuilder.java
index 1aaae08d4ef..af49fab0d40 100644
--- a/zookeeper-client-common/src/main/java/com/yahoo/vespa/zookeeper/client/ZkClientConfigBuilder.java
+++ b/zookeeper-client-common/src/main/java/com/yahoo/vespa/zookeeper/client/ZkClientConfigBuilder.java
@@ -70,6 +70,7 @@ public class ZkClientConfigBuilder {
         builder.put(CLIENT_CONNECTION_SOCKET, "org.apache.zookeeper.ClientCnxnSocketNetty");
         if (tlsContext != null) {
             String protocolsConfigValue = Arrays.stream(tlsContext.parameters().getProtocols()).sorted().collect(Collectors.joining(","));
+            builder.put(SSL_CONTEXT_SUPPLIER_CLASS_PROPERTY, VespaSslContextProvider.class.getName());
             builder.put(SSL_ENABLED_PROTOCOLS_PROPERTY, protocolsConfigValue);
             String ciphersConfigValue = Arrays.stream(tlsContext.parameters().getCipherSuites()).sorted().collect(Collectors.joining(","));
             builder.put(SSL_ENABLED_CIPHERSUITES_PROPERTY, ciphersConfigValue);
diff --git a/zookeeper-client-common/src/main/java/org/apache/zookeeper/common/ClientX509Util.java b/zookeeper-client-common/src/main/java/org/apache/zookeeper/common/ClientX509Util.java
deleted file mode 100644
index ab528ca7cbb..00000000000
--- a/zookeeper-client-common/src/main/java/org/apache/zookeeper/common/ClientX509Util.java
+++ /dev/null
@@ -1,232 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.zookeeper.common;
-
-import com.yahoo.security.tls.MixedMode;
-import com.yahoo.security.tls.TransportSecurityUtils;
-import com.yahoo.vespa.zookeeper.tls.VespaZookeeperTlsContextUtils;
-import io.netty.handler.ssl.DelegatingSslContext;
-import io.netty.handler.ssl.SslContext;
-import io.netty.handler.ssl.SslContextBuilder;
-import io.netty.handler.ssl.SslProvider;
-import java.util.Arrays;
-import javax.net.ssl.KeyManager;
-import javax.net.ssl.SSLEngine;
-import javax.net.ssl.SSLException;
-import javax.net.ssl.SSLParameters;
-import javax.net.ssl.TrustManager;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- * X509 utilities specific for client-server communication framework.
- * <p>
- * <em>Modified to use Vespa's TLS context, whenever it is available, instead of the file-based key and trust stores of ZK 3.9.
- * Based on https://github.com/apache/zookeeper/blob/branch-3.9/zookeeper-server/src/main/java/org/apache/zookeeper/common/ClientX509Util.java</em>
- *
- * @author jonmv
- */
-public class ClientX509Util extends X509Util {
-
-    private static final Logger LOG = LoggerFactory.getLogger(ClientX509Util.class);
-
-    private final String sslAuthProviderProperty = getConfigPrefix() + "authProvider";
-    private final String sslProviderProperty = getConfigPrefix() + "sslProvider";
-
-    @Override
-    protected String getConfigPrefix() {
-        return "zookeeper.ssl.";
-    }
-
-    @Override
-    protected boolean shouldVerifyClientHostname() {
-        return false;
-    }
-
-    public String getSslAuthProviderProperty() {
-        return sslAuthProviderProperty;
-    }
-
-    public String getSslProviderProperty() {
-        return sslProviderProperty;
-    }
-
-    public SslContext createNettySslContextForClient(ZKConfig config)
-            throws X509Exception.KeyManagerException, X509Exception.TrustManagerException, SSLException {
-        SslContextBuilder sslContextBuilder = SslContextBuilder.forClient();
-        KeyManager km;
-        TrustManager tm;
-        if (   TransportSecurityUtils.getInsecureMixedMode() != MixedMode.PLAINTEXT_CLIENT_MIXED_SERVER
-            && VespaZookeeperTlsContextUtils.tlsContext().isPresent()) {
-            km = VespaZookeeperTlsContextUtils.tlsContext().get().sslContext().keyManager();
-            tm = VespaZookeeperTlsContextUtils.tlsContext().get().sslContext().trustManager();
-        }
-        else {
-            String keyStoreLocation = config.getProperty(getSslKeystoreLocationProperty(), "");
-            String keyStorePassword = getPasswordFromConfigPropertyOrFile(config, getSslKeystorePasswdProperty(),
-                                                                          getSslKeystorePasswdPathProperty());
-            String keyStoreType = config.getProperty(getSslKeystoreTypeProperty());
-
-            if (keyStoreLocation.isEmpty()) {
-                LOG.warn("{} not specified", getSslKeystoreLocationProperty());
-                km = null;
-            }
-            else {
-                km = createKeyManager(keyStoreLocation, keyStorePassword, keyStoreType);
-            }
-
-            tm = getTrustManager(config);
-        }
-
-        if (km != null) {
-            sslContextBuilder.keyManager(km);
-        }
-        if (tm != null) {
-            sslContextBuilder.trustManager(tm);
-        }
-
-        sslContextBuilder.enableOcsp(config.getBoolean(getSslOcspEnabledProperty()));
-        sslContextBuilder.protocols(getEnabledProtocols(config));
-        Iterable<String> enabledCiphers = getCipherSuites(config);
-        if (enabledCiphers != null) {
-            sslContextBuilder.ciphers(enabledCiphers);
-        }
-        sslContextBuilder.sslProvider(getSslProvider(config));
-
-        SslContext sslContext1 = sslContextBuilder.build();
-
-        if (getFipsMode(config) && isServerHostnameVerificationEnabled(config)) {
-            return addHostnameVerification(sslContext1, "Server");
-        } else {
-            return sslContext1;
-        }
-    }
-
-    public SslContext createNettySslContextForServer(ZKConfig config)
-            throws X509Exception.SSLContextException, X509Exception.KeyManagerException, X509Exception.TrustManagerException, SSLException {
-        KeyManager km;
-        TrustManager tm;
-        if (VespaZookeeperTlsContextUtils.tlsContext().isPresent()) {
-            km = VespaZookeeperTlsContextUtils.tlsContext().get().sslContext().keyManager();
-            tm = VespaZookeeperTlsContextUtils.tlsContext().get().sslContext().trustManager();
-        }
-        else {
-            String keyStoreLocation = config.getProperty(getSslKeystoreLocationProperty(), "");
-            String keyStorePassword = getPasswordFromConfigPropertyOrFile(config, getSslKeystorePasswdProperty(),
-                                                                          getSslKeystorePasswdPathProperty());
-            String keyStoreType = config.getProperty(getSslKeystoreTypeProperty());
-
-            if (keyStoreLocation.isEmpty()) {
-                throw new X509Exception.SSLContextException(
-                        "Keystore is required for SSL server: " + getSslKeystoreLocationProperty());
-            }
-            km = createKeyManager(keyStoreLocation, keyStorePassword, keyStoreType);
-            tm = getTrustManager(config);
-        }
-        return createNettySslContextForServer(config, km, tm);
-    }
-
-    public SslContext createNettySslContextForServer(ZKConfig config, KeyManager keyManager, TrustManager trustManager) throws SSLException {
-        SslContextBuilder sslContextBuilder = SslContextBuilder.forServer(keyManager);
-
-        if (trustManager != null) {
-            sslContextBuilder.trustManager(trustManager);
-        }
-
-        sslContextBuilder.enableOcsp(config.getBoolean(getSslOcspEnabledProperty()));
-        sslContextBuilder.protocols(getEnabledProtocols(config));
-        sslContextBuilder.clientAuth(getClientAuth(config).toNettyClientAuth());
-        Iterable<String> enabledCiphers = getCipherSuites(config);
-        if (enabledCiphers != null) {
-            sslContextBuilder.ciphers(enabledCiphers);
-        }
-        sslContextBuilder.sslProvider(getSslProvider(config));
-
-        SslContext sslContext1 = sslContextBuilder.build();
-
-        if (getFipsMode(config) && isClientHostnameVerificationEnabled(config)) {
-            return addHostnameVerification(sslContext1, "Client");
-        } else {
-            return sslContext1;
-        }
-    }
-
-    private SslContext addHostnameVerification(SslContext sslContext, String clientOrServer) {
-        return new DelegatingSslContext(sslContext) {
-            @Override
-            protected void initEngine(SSLEngine sslEngine) {
-                SSLParameters sslParameters = sslEngine.getSSLParameters();
-                sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
-                sslEngine.setSSLParameters(sslParameters);
-                if (LOG.isDebugEnabled()) {
-                    LOG.debug("{} hostname verification: enabled HTTPS style endpoint identification algorithm", clientOrServer);
-                }
-            }
-        };
-    }
-
-    private String[] getEnabledProtocols(final ZKConfig config) {
-        String enabledProtocolsInput = config.getProperty(getSslEnabledProtocolsProperty());
-        if (enabledProtocolsInput == null) {
-            return new String[]{ config.getProperty(getSslProtocolProperty(), DEFAULT_PROTOCOL) };
-        }
-        return enabledProtocolsInput.split(",");
-    }
-
-    private X509Util.ClientAuth getClientAuth(final ZKConfig config) {
-        return X509Util.ClientAuth.fromPropertyValue(config.getProperty(getSslClientAuthProperty()));
-    }
-
-    private Iterable<String> getCipherSuites(final ZKConfig config) {
-        String cipherSuitesInput = config.getProperty(getSslCipherSuitesProperty());
-        if (cipherSuitesInput == null) {
-            if (getSslProvider(config) != SslProvider.JDK) {
-                return null;
-            }
-            return Arrays.asList(X509Util.getDefaultCipherSuites());
-        } else {
-            return Arrays.asList(cipherSuitesInput.split(","));
-        }
-    }
-
-    public SslProvider getSslProvider(ZKConfig config) {
-        return SslProvider.valueOf(config.getProperty(getSslProviderProperty(), "JDK"));
-    }
-
-    private TrustManager getTrustManager(ZKConfig config) throws X509Exception.TrustManagerException {
-        String trustStoreLocation = config.getProperty(getSslTruststoreLocationProperty(), "");
-        String trustStorePassword = getPasswordFromConfigPropertyOrFile(config, getSslTruststorePasswdProperty(),
-                                                                        getSslTruststorePasswdPathProperty());
-        String trustStoreType = config.getProperty(getSslTruststoreTypeProperty());
-
-        boolean sslCrlEnabled = config.getBoolean(getSslCrlEnabledProperty());
-        boolean sslOcspEnabled = config.getBoolean(getSslOcspEnabledProperty());
-        boolean sslServerHostnameVerificationEnabled = isServerHostnameVerificationEnabled(config);
-        boolean sslClientHostnameVerificationEnabled = isClientHostnameVerificationEnabled(config);
-
-        if (trustStoreLocation.isEmpty()) {
-            LOG.warn("{} not specified", getSslTruststoreLocationProperty());
-            return null;
-        } else {
-            return createTrustManager(trustStoreLocation, trustStorePassword, trustStoreType,
-                                      sslCrlEnabled, sslOcspEnabled, sslServerHostnameVerificationEnabled,
-                                      sslClientHostnameVerificationEnabled, getFipsMode(config));
-        }
-    }
-}
diff --git a/zookeeper-client-common/src/test/java/com/yahoo/vespa/zookeeper/client/ZkClientConfigBuilderTest.java b/zookeeper-client-common/src/test/java/com/yahoo/vespa/zookeeper/client/ZkClientConfigBuilderTest.java
index 697d76dc53f..45ae68cb41d 100644
--- a/zookeeper-client-common/src/test/java/com/yahoo/vespa/zookeeper/client/ZkClientConfigBuilderTest.java
+++ b/zookeeper-client-common/src/test/java/com/yahoo/vespa/zookeeper/client/ZkClientConfigBuilderTest.java
@@ -31,6 +31,7 @@ public class ZkClientConfigBuilderTest {
         assertEquals("org.apache.zookeeper.ClientCnxnSocketNetty", config.getProperty(CLIENT_CONNECTION_SOCKET));
         assertNull(config.getProperty(SSL_CONTEXT_SUPPLIER_CLASS_PROPERTY));
         assertNull(config.getProperty(SSL_CLIENTAUTH_PROPERTY));
+        assertNull(config.getProperty(SSL_CONTEXT_SUPPLIER_CLASS_PROPERTY));
     }
 
     @Test
@@ -42,6 +43,7 @@ public class ZkClientConfigBuilderTest {
         assertEquals("TLSv1.3", config.getProperty(SSL_ENABLED_PROTOCOLS_PROPERTY));
         assertEquals("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", config.getProperty(SSL_ENABLED_CIPHERSUITES_PROPERTY));
         assertEquals("NEED", config.getProperty(SSL_CLIENTAUTH_PROPERTY));
+        assertEquals(VespaSslContextProvider.class.getName(), config.getProperty(SSL_CONTEXT_SUPPLIER_CLASS_PROPERTY));
     }
 
     private static class MockTlsContext implements TlsContext {
author	jonmv <venstad@gmail.com>	2023-12-15 12:52:14 +0100
committer	jonmv <venstad@gmail.com>	2023-12-15 12:52:14 +0100
commit	a8a34ca51b7958962a4247abc0abc8bcad8fbef8 (patch)
tree	fa9420127094923ea293ac936b4c1ed4acdb714f /zookeeper-client-common
parent	01b40d7e149df23c84a7a13560208e862480ce3a (diff)