3 files changed, 89 insertions, 0 deletions
diff --git a/jaxrs_client_utils/pom.xml b/jaxrs_client_utils/pom.xml
index 636fbab7bb0..d32d4c5eccc 100644
--- a/jaxrs_client_utils/pom.xml
+++ b/jaxrs_client_utils/pom.xml
@@ -16,6 +16,7 @@
 <packaging>container-plugin</packaging>
 <name>${project.artifactId}</name>
 <dependencies>
+ <!-- provided -->
 <dependency>
 <groupId>com.yahoo.vespa</groupId>
 <artifactId>vespajlib</artifactId>
@@ -29,6 +30,12 @@
 <scope>provided</scope>
 </dependency>
 <dependency>
+ <groupId>com.yahoo.vespa</groupId>
+ <artifactId>security-utils</artifactId>
+ <version>${project.version}</version>
+ <scope>provided</scope>
+ </dependency>
+ <dependency>
 <groupId>javax.ws.rs</groupId>
 <artifactId>javax.ws.rs-api</artifactId>
 <version>2.0</version>
@@ -44,6 +51,8 @@
 <artifactId>jersey-proxy-client</artifactId>
 <scope>provided</scope>
 </dependency>
+
+ <!-- test -->
 <dependency>
 <groupId>com.yahoo.vespa</groupId>
 <artifactId>jaxrs_utils</artifactId>
diff --git a/jaxrs_client_utils/src/main/java/ai/vespa/util/http/VespaClientBuilderFactory.java b/jaxrs_client_utils/src/main/java/ai/vespa/util/http/VespaClientBuilderFactory.java
new file mode 100644
index 00000000000..d55128069c4
--- /dev/null
+++ b/jaxrs_client_utils/src/main/java/ai/vespa/util/http/VespaClientBuilderFactory.java
@@ -0,0 +1,72 @@
+// Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package ai.vespa.util.http;
+
+import com.yahoo.security.tls.MixedMode;
+import com.yahoo.security.tls.TlsContext;
+import com.yahoo.security.tls.TransportSecurityUtils;
+
+import javax.ws.rs.client.ClientBuilder;
+import javax.ws.rs.client.ClientRequestContext;
+import javax.ws.rs.client.ClientRequestFilter;
+import javax.ws.rs.core.UriBuilder;
+import java.net.URI;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+/**
+ * Factory for JAX-RS http client builder for internal Vespa communications over http/https.
+ *
+ * Notes:
+ * - hostname verification is not enabled - CN/SAN verification is assumed to be handled by the underlying x509 trust manager.
+ * - ssl context or hostname verifier must not be overriden by the caller
+ *
+ * @author bjorncs
+ */
+public class VespaClientBuilderFactory implements AutoCloseable {
+
+ private static final Logger log = Logger.getLogger(VespaClientBuilderFactory.class.getName());
+
+ private final TlsContext tlsContext = TransportSecurityUtils.createTlsContext().orElse(null);
+ private final MixedMode mixedMode = TransportSecurityUtils.getInsecureMixedMode();
+
+ public ClientBuilder newBuilder() {
+ ClientBuilder builder = ClientBuilder.newBuilder();
+ setSslConfiguration(builder);
+ return builder;
+ }
+
+ private void setSslConfiguration(ClientBuilder builder) {
+ if (tlsContext != null) {
+ builder.sslContext(tlsContext.context());
+ builder.hostnameVerifier((hostname, sslSession) -> true); // disable hostname verification
+ if (mixedMode != MixedMode.PLAINTEXT_CLIENT_MIXED_SERVER) {
+ builder.register(new UriRewritingRequestFilter());
+ }
+ }
+ }
+
+ @Override
+ public void close() {
+ if (tlsContext != null) {
+ tlsContext.close();
+ }
+ }
+
+ static class UriRewritingRequestFilter implements ClientRequestFilter {
+ @Override
+ public void filter(ClientRequestContext requestContext) {
+ requestContext.setUri(rewriteUri(requestContext.getUri()));
+ }
+
+ private static URI rewriteUri(URI originalUri) {
+ if (!originalUri.getScheme().equals("http")) {
+ return originalUri;
+ }
+ int port = originalUri.getPort();
+ int rewrittenPort = port != -1 ? port : 80;
+ URI rewrittenUri = UriBuilder.fromUri(originalUri).scheme("https").port(rewrittenPort).build();
+ log.log(Level.FINE, () -> String.format("Uri rewritten from '%s' to '%s'", originalUri, rewrittenUri));
+ return rewrittenUri;
+ }
+ }
+}
diff --git a/jaxrs_client_utils/src/main/java/ai/vespa/util/http/package-info.java b/jaxrs_client_utils/src/main/java/ai/vespa/util/http/package-info.java
new file mode 100644
index 00000000000..8ee304d6de8
--- /dev/null
+++ b/jaxrs_client_utils/src/main/java/ai/vespa/util/http/package-info.java
@@ -0,0 +1,8 @@
+// Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+/**
+ * @author bjorncs
+ */
+@ExportPackage
+package ai.vespa.util.http;
+
+import com.yahoo.osgi.annotation.ExportPackage;
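Review bot: `rewriteUri` tests the scheme with `originalUri.getScheme().equals("http")`, which throws a NullPointerException for a URI that has no scheme and, because `java.net.URI` keeps the scheme's case as given while RFC 3986 treats schemes case-insensitively, leaves an `HTTP://` URI untouched instead of upgrading it; `if (!"http".equalsIgnoreCase(originalUri.getScheme())) {` handles both. The class javadoc says the caller must not override the ssl context or hostname verifier, but `newBuilder()` returns the mutable `ClientBuilder`, so a later `sslContext(...)` or `hostnameVerifier(...)` call silently undoes `setSslConfiguration`; at minimum the method should carry that constraint, e.g. `/** Returns a builder pre-configured with Vespa's TLS context; callers must not call sslContext() or hostnameVerifier() on it. */` (and "overriden" in the class javadoc should read "overridden"). Nothing in this commit exercises `UriRewritingRequestFilter`; a unit test asserting that `http://host` becomes `https://host:80` and that an explicit port survives the rewrite would pin the port-80 default chosen on the `rewrittenPort` line.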
\ No newline at end of file |