-rw-r--r-- | jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/impl/DefaultSslContextFactoryProvider.java | 35 |
1 files changed, 30 insertions, 5 deletions
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/impl/DefaultSslContextFactoryProvider.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/impl/DefaultSslContextFactoryProvider.java
index 615cd5d46ad..f753084152e 100644
--- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/impl/DefaultSslContextFactoryProvider.java
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/impl/DefaultSslContextFactoryProvider.java
@@ -1,24 +1,49 @@
 // Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.jdisc.http.ssl.impl;
+import com.google.inject.Inject;
 import com.yahoo.component.AbstractComponent;
+import com.yahoo.jdisc.http.ConnectorConfig;
 import com.yahoo.jdisc.http.ssl.SslContextFactoryProvider;
 import com.yahoo.security.tls.ConfigFileBasedTlsContext;
+import com.yahoo.security.tls.PeerAuthentication;
 import com.yahoo.security.tls.TlsContext;
 import com.yahoo.security.tls.TransportSecurityUtils;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
+import java.nio.file.Path;
+
 /**
- * The default implementation of {@link SslContextFactoryProvider} to be injected into connectors without explicit ssl configuration
+ * The default implementation of {@link SslContextFactoryProvider} to be injected into connectors without explicit ssl configuration.
 *
 * @author bjorncs
 */
 public class DefaultSslContextFactoryProvider extends AbstractComponent implements SslContextFactoryProvider {
- private final SslContextFactoryProvider instance = TransportSecurityUtils.getConfigFile()
- .map(configFile -> (SslContextFactoryProvider) new StaticTlsContextBasedProvider(
- new ConfigFileBasedTlsContext(configFile, TransportSecurityUtils.getInsecureAuthorizationMode())))
- .orElseGet(ThrowingSslContextFactoryProvider::new);
+ private final SslContextFactoryProvider instance;
+
+ @Inject
+ public DefaultSslContextFactoryProvider(ConnectorConfig connectorConfig) {
+ this.instance = TransportSecurityUtils.getConfigFile()
+ .map(configFile -> createTlsContextBasedProvider(connectorConfig, configFile))
+ .orElseGet(ThrowingSslContextFactoryProvider::new);
+ }
+
+ private static SslContextFactoryProvider createTlsContextBasedProvider(ConnectorConfig connectorConfig, Path configFile) {
+ return new StaticTlsContextBasedProvider(
+ new ConfigFileBasedTlsContext(
+ configFile, TransportSecurityUtils.getInsecureAuthorizationMode(), 
getPeerAuthenticationMode(connectorConfig)));
+ }
+
+ /**
+ * Allows white-listing of user provided uri paths.
+ * JDisc will delegate the enforcement of peer authentication from the TLS to the HTTP layer if {@link ConnectorConfig.TlsClientAuthEnforcer#enable()} is true.
+ */
+ private static PeerAuthentication getPeerAuthenticationMode(ConnectorConfig connectorConfig) {
+ return connectorConfig.tlsClientAuthEnforcer().enable()
+ ? PeerAuthentication.WANT
+ : PeerAuthentication.NEED;
+ }
 @Override
 public SslContextFactory getInstance(String containerId, int port) { |
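Review bot: The Javadoc on the new getPeerAuthenticationMode says "Allows white-listing of user provided uri paths", but the method does no path handling; it only selects the TLS peer-authentication mode, and the security-relevant consequence of that choice is left implicit. When tlsClientAuthEnforcer().enable() is true the connector is downgraded from NEED to WANT, so the TLS handshake no longer rejects peers that present no certificate and client authentication rests entirely on the HTTP-layer enforcer being active for this connector; that is worth stating where the next maintainer will read it, for example `Selects the TLS peer-authentication mode for this connector: NEED by default, WANT when the HTTP-layer TlsClientAuthEnforcer is enabled — in that case the handshake accepts clients without a certificate and enforcement is the filter's responsibility.` The constructor should also reject a missing config up front, `Objects.requireNonNull(connectorConfig, "connectorConfig");`, so a wiring mistake fails at construction rather than inside the lambda. The class body continues past the hunk (getInstance is cut off).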