diff options
-rw-r--r-- | jrt/pom.xml | 10 | ||||
-rw-r--r-- | security-utils/pom.xml | 10 | ||||
-rw-r--r-- | security-utils/src/main/java/com/yahoo/security/tls/https/VespaHttpClientBuilder.java | 109 | ||||
-rw-r--r-- | security-utils/src/test/java/com/yahoo/security/tls/https/VespaHttpClientBuilderTest.java | 39 |
4 files changed, 0 insertions, 168 deletions
diff --git a/jrt/pom.xml b/jrt/pom.xml index e9383654e30..5208c0417cc 100644 --- a/jrt/pom.xml +++ b/jrt/pom.xml @@ -34,16 +34,6 @@ <artifactId>security-utils</artifactId> <version>${project.version}</version> <scope>compile</scope> - <exclusions> - <exclusion> <!-- not needed --> - <groupId>org.apache.httpcomponents</groupId> - <artifactId>httpclient</artifactId> - </exclusion> - <exclusion> <!-- not needed --> - <groupId>org.apache.httpcomponents</groupId> - <artifactId>httpcore</artifactId> - </exclusion> - </exclusions> </dependency> <dependency> <!-- required due to bug in maven dependency resolving - bouncycastle is compile scope in security-utils, yet it is not part of test scope here --> <groupId>org.bouncycastle</groupId> diff --git a/security-utils/pom.xml b/security-utils/pom.xml index f7704762250..10dec598915 100644 --- a/security-utils/pom.xml +++ b/security-utils/pom.xml @@ -31,16 +31,6 @@ <artifactId>jackson-databind</artifactId> <scope>compile</scope> </dependency> - <dependency> - <groupId>org.apache.httpcomponents</groupId> - <artifactId>httpclient</artifactId> - <scope>compile</scope> - </dependency> - <dependency> - <groupId>org.apache.httpcomponents</groupId> - <artifactId>httpcore</artifactId> - <scope>compile</scope> - </dependency> <!-- test scope --> <dependency> diff --git a/security-utils/src/main/java/com/yahoo/security/tls/https/VespaHttpClientBuilder.java b/security-utils/src/main/java/com/yahoo/security/tls/https/VespaHttpClientBuilder.java deleted file mode 100644 index 9fa51fc36cb..00000000000 --- a/security-utils/src/main/java/com/yahoo/security/tls/https/VespaHttpClientBuilder.java +++ /dev/null @@ -1,109 +0,0 @@ -// Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.security.tls.https; - -import com.yahoo.security.tls.MixedMode; -import com.yahoo.security.tls.TlsContext; -import com.yahoo.security.tls.TransportSecurityUtils; -import org.apache.http.HttpRequest; -import org.apache.http.HttpRequestInterceptor; -import org.apache.http.client.methods.HttpRequestBase; -import org.apache.http.client.utils.URIBuilder; -import org.apache.http.conn.HttpClientConnectionManager; -import org.apache.http.conn.ssl.NoopHostnameVerifier; -import org.apache.http.conn.ssl.SSLConnectionSocketFactory; -import org.apache.http.impl.client.HttpClientBuilder; -import org.apache.http.protocol.HttpContext; - -import javax.net.ssl.SSLParameters; -import java.net.URI; -import java.net.URISyntaxException; -import java.util.logging.Level; -import java.util.logging.Logger; - -/** - * Http client builder for internal Vespa communications over http/https. - * - * Notes: - * - hostname verification is not enabled - CN/SAN verification is assumed to be handled by the underlying x509 trust manager. - * - custom connection managers must be configured through {@link #createBuilder(ConnectionManagerFactory)}. Do not call {@link HttpClientBuilder#setConnectionManager(HttpClientConnectionManager)}. - * - * @author bjorncs - */ -public class VespaHttpClientBuilder { - - private static final Logger log = Logger.getLogger(VespaHttpClientBuilder.class.getName()); - - public interface ConnectionManagerFactory { - HttpClientConnectionManager create(SSLConnectionSocketFactory sslSocketFactory); - } - - private VespaHttpClientBuilder() {} - - public static HttpClientBuilder create() { - return createBuilder(null); - } - - public static HttpClientBuilder create(ConnectionManagerFactory connectionManagerFactory) { - return createBuilder(connectionManagerFactory); - } - - private static HttpClientBuilder createBuilder(ConnectionManagerFactory connectionManagerFactory) { - var builder = HttpClientBuilder.create(); - addSslSocketFactory(builder, connectionManagerFactory); - addTlsAwareRequestInterceptor(builder); - return builder; - } - - private static void addSslSocketFactory(HttpClientBuilder builder, ConnectionManagerFactory connectionManagerFactory) { - TransportSecurityUtils.createTlsContext() - .ifPresent(tlsContext -> { - log.log(Level.FINE, "Adding ssl socket factory to client"); - SSLConnectionSocketFactory socketFactory = createSslSocketFactory(tlsContext); - if (connectionManagerFactory != null) { - builder.setConnectionManager(connectionManagerFactory.create(socketFactory)); - } else { - builder.setSSLSocketFactory(socketFactory); - } - }); - } - - private static void addTlsAwareRequestInterceptor(HttpClientBuilder builder) { - if (TransportSecurityUtils.isTransportSecurityEnabled() - && TransportSecurityUtils.getInsecureMixedMode() != MixedMode.PLAINTEXT_CLIENT_MIXED_SERVER) { - log.log(Level.FINE, "Adding request interceptor to client"); - builder.addInterceptorFirst(new HttpToHttpsRewritingRequestInterceptor()); - } - } - - private static SSLConnectionSocketFactory createSslSocketFactory(TlsContext tlsContext) { - SSLParameters parameters = tlsContext.parameters(); - return new SSLConnectionSocketFactory(tlsContext.context(), parameters.getProtocols(), parameters.getCipherSuites(), new NoopHostnameVerifier()); - } - - static class HttpToHttpsRewritingRequestInterceptor implements HttpRequestInterceptor { - @Override - public void process(HttpRequest request, HttpContext context) { - if (request instanceof HttpRequestBase) { - HttpRequestBase httpUriRequest = (HttpRequestBase) request; - httpUriRequest.setURI(rewriteUri(httpUriRequest.getURI())); - } else { - log.log(Level.FINE, () -> "Not a HttpRequestBase - skipping URI rewriting: " + request.getClass().getName()); - } - } - - private static URI rewriteUri(URI originalUri) { - if (!originalUri.getScheme().equals("http")) { - return originalUri; - } - int port = originalUri.getPort(); - int rewrittenPort = port != -1 ? port : 80; - try { - URI rewrittenUri = new URIBuilder(originalUri).setScheme("https").setPort(rewrittenPort).build(); - log.log(Level.FINE, () -> String.format("Uri rewritten from '%s' to '%s'", originalUri, rewrittenUri)); - return rewrittenUri; - } catch (URISyntaxException e) { - throw new RuntimeException(e); - } - } - } -} diff --git a/security-utils/src/test/java/com/yahoo/security/tls/https/VespaHttpClientBuilderTest.java b/security-utils/src/test/java/com/yahoo/security/tls/https/VespaHttpClientBuilderTest.java deleted file mode 100644 index 10b8458359c..00000000000 --- a/security-utils/src/test/java/com/yahoo/security/tls/https/VespaHttpClientBuilderTest.java +++ /dev/null @@ -1,39 +0,0 @@ -// Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.security.tls.https; - -import com.yahoo.security.tls.https.VespaHttpClientBuilder.HttpToHttpsRewritingRequestInterceptor; -import org.apache.http.client.methods.HttpGet; -import org.apache.http.protocol.BasicHttpContext; -import org.junit.Test; - -import java.net.URI; - -import static org.assertj.core.api.AssertionsForClassTypes.assertThat; - -/** - * @author bjorncs - */ -public class VespaHttpClientBuilderTest { - - @Test - public void request_interceptor_modifies_scheme_of_requests() { - verifyProcessedUriMatchesExpectedOutput("http://dummyhostname:8080/a/path/to/resource?query=value", - "https://dummyhostname:8080/a/path/to/resource?query=value"); - } - - @Test - public void request_interceptor_add_handles_implicit_http_port() { - verifyProcessedUriMatchesExpectedOutput("http://dummyhostname/a/path/to/resource?query=value", - "https://dummyhostname:80/a/path/to/resource?query=value"); - } - - private static void verifyProcessedUriMatchesExpectedOutput(String inputUri, String expectedOutputUri) { - var interceptor = new HttpToHttpsRewritingRequestInterceptor(); - HttpGet request = new HttpGet(inputUri); - interceptor.process(request, new BasicHttpContext()); - URI modifiedUri = request.getURI(); - URI expectedUri = URI.create(expectedOutputUri); - assertThat(modifiedUri).isEqualTo(expectedUri); - } - -}
\ No newline at end of file |