Diffstat (limited to 'jrt/src')
-rw-r--r-- | jrt/src/com/yahoo/jrt/CryptoEngine.java | 2 | ||||
-rw-r--r-- | jrt/src/com/yahoo/jrt/MaybeTlsCryptoEngine.java | 8 | ||||
-rw-r--r-- | jrt/src/com/yahoo/jrt/MaybeTlsCryptoSocket.java | 13 | ||||
-rw-r--r-- | jrt/src/com/yahoo/jrt/NullCryptoEngine.java | 4 | ||||
-rw-r--r-- | jrt/src/com/yahoo/jrt/NullCryptoSocket.java | 15 | ||||
-rw-r--r-- | jrt/src/com/yahoo/jrt/TlsCryptoEngine.java | 4 | ||||
-rw-r--r-- | jrt/src/com/yahoo/jrt/TlsCryptoSocket.java | 5 | ||||
-rw-r--r-- | jrt/src/com/yahoo/jrt/Transport.java | 4 | ||||
-rw-r--r-- | jrt/src/com/yahoo/jrt/TransportMetrics.java | 74 | ||||
-rw-r--r-- | jrt/src/com/yahoo/jrt/XorCryptoEngine.java | 2 |
10 files changed, 100 insertions, 31 deletions
diff --git a/jrt/src/com/yahoo/jrt/CryptoEngine.java b/jrt/src/com/yahoo/jrt/CryptoEngine.java index 41a567a83f2..81bf10be187 100644 --- a/jrt/src/com/yahoo/jrt/CryptoEngine.java +++ b/jrt/src/com/yahoo/jrt/CryptoEngine.java @@ -18,7 +18,7 @@ import java.nio.channels.SocketChannel; * encryption. **/ public interface CryptoEngine extends AutoCloseable { - CryptoSocket createCryptoSocket(TransportMetrics metrics, SocketChannel channel, boolean isServer); + CryptoSocket createCryptoSocket(SocketChannel channel, boolean isServer); static CryptoEngine createDefault() { if (!TransportSecurityUtils.isTransportSecurityEnabled()) { return new NullCryptoEngine(); diff --git a/jrt/src/com/yahoo/jrt/MaybeTlsCryptoEngine.java b/jrt/src/com/yahoo/jrt/MaybeTlsCryptoEngine.java index a0d56281744..801f2075c4e 100644 --- a/jrt/src/com/yahoo/jrt/MaybeTlsCryptoEngine.java +++ b/jrt/src/com/yahoo/jrt/MaybeTlsCryptoEngine.java @@ -21,13 +21,13 @@ public class MaybeTlsCryptoEngine implements CryptoEngine { } @Override - public CryptoSocket createCryptoSocket(TransportMetrics metrics, SocketChannel channel, boolean isServer) { + public CryptoSocket createCryptoSocket(SocketChannel channel, boolean isServer) { if (isServer) { - return new MaybeTlsCryptoSocket(metrics, channel, tlsEngine, isServer); + return new MaybeTlsCryptoSocket(channel, tlsEngine, isServer); } else if (useTlsWhenClient) { - return tlsEngine.createCryptoSocket(metrics, channel, false); + return tlsEngine.createCryptoSocket(channel, false); } else { - return new NullCryptoSocket(metrics, channel, isServer); + return new NullCryptoSocket(channel, isServer); } } diff --git a/jrt/src/com/yahoo/jrt/MaybeTlsCryptoSocket.java b/jrt/src/com/yahoo/jrt/MaybeTlsCryptoSocket.java index ba34bed11c0..2e0d41b28d1 100644 --- a/jrt/src/com/yahoo/jrt/MaybeTlsCryptoSocket.java +++ b/jrt/src/com/yahoo/jrt/MaybeTlsCryptoSocket.java 
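Review bot: The new `createCryptoSocket(SocketChannel channel, boolean isServer)` signature drops the explicit metrics sink, so the interface no longer says where a socket is expected to report its handshake outcome; that contract should move into the method's Javadoc now that it is implicit. Elsewhere in this diff the TLS and null sockets resolve `TransportMetrics.getInstance()` themselves, while the XOR engine reports nothing, so an implementer reading only this interface cannot tell what is expected of them. Suggest above the method: `/** Creates the crypto socket for {@code channel}. Implementations report handshake outcomes to the process-wide {@link TransportMetrics#getInstance()}. */`. The interface body continues outside the hunk.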
@@ -56,13 +56,12 @@ public class MaybeTlsCryptoSocket implements CryptoSocket { private class MyCryptoSocket extends NullCryptoSocket { - private final TransportMetrics metrics; + private final TransportMetrics metrics = TransportMetrics.getInstance(); private TlsCryptoEngine factory; private Buffer buffer; - MyCryptoSocket(TransportMetrics metrics, SocketChannel channel, TlsCryptoEngine factory, boolean isServer) { - super(metrics, channel, isServer); - this.metrics = metrics; + MyCryptoSocket(SocketChannel channel, TlsCryptoEngine factory, boolean isServer) { + super(channel, isServer); this.factory = factory; this.buffer = new Buffer(4096); } @@ -81,7 +80,7 @@ public class MaybeTlsCryptoSocket implements CryptoSocket { data[i] = src.get(i); } if (looksLikeTlsToMe(data)) { - TlsCryptoSocket tlsSocket = factory.createCryptoSocket(metrics, channel(), true); + TlsCryptoSocket tlsSocket = factory.createCryptoSocket(channel(), true); tlsSocket.injectReadData(buffer); socket = tlsSocket; return socket.handshake(); @@ -117,8 +116,8 @@ public class MaybeTlsCryptoSocket implements CryptoSocket { } } - public MaybeTlsCryptoSocket(TransportMetrics metrics, SocketChannel channel, TlsCryptoEngine factory, boolean isServer) { - this.socket = new MyCryptoSocket(metrics, channel, factory, isServer); + public MaybeTlsCryptoSocket(SocketChannel channel, TlsCryptoEngine factory, boolean isServer) { + this.socket = new MyCryptoSocket(channel, factory, isServer); } @Override public SocketChannel channel() { return socket.channel(); } diff --git a/jrt/src/com/yahoo/jrt/NullCryptoEngine.java b/jrt/src/com/yahoo/jrt/NullCryptoEngine.java index 7a7773ed855..b5a53accf92 100644 --- a/jrt/src/com/yahoo/jrt/NullCryptoEngine.java +++ b/jrt/src/com/yahoo/jrt/NullCryptoEngine.java 
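Review bot: `MyCryptoSocket` still carries `private final TransportMetrics metrics = TransportMetrics.getInstance();`, but the only use of `metrics` visible in this diff, the `factory.createCryptoSocket(metrics, …)` call, is removed by the same change, and the superclass `NullCryptoSocket` now holds its own copy of the same singleton. If nothing in the parts of `handshake()` outside the hunk reads it, drop the field so the detection socket has one source of metrics rather than two; if it is read, a one-line comment saying which outcome it records would help, e.g. `// reports the plaintext fallback; TLS outcomes are counted by the delegated TlsCryptoSocket`. The body of `handshake()` continues outside the hunk, so this is hedged on what that tail does.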
@@ -9,7 +9,7 @@ import java.nio.channels.SocketChannel; * CryptoEngine implementation that performs no encryption. **/ public class NullCryptoEngine implements CryptoEngine { - @Override public CryptoSocket createCryptoSocket(TransportMetrics metrics, SocketChannel channel, boolean isServer) { - return new NullCryptoSocket(metrics, channel, isServer); + @Override public CryptoSocket createCryptoSocket(SocketChannel channel, boolean isServer) { + return new NullCryptoSocket(channel, isServer); } } diff --git a/jrt/src/com/yahoo/jrt/NullCryptoSocket.java b/jrt/src/com/yahoo/jrt/NullCryptoSocket.java index 1473f288306..0d7b83f1c7d 100644 --- a/jrt/src/com/yahoo/jrt/NullCryptoSocket.java +++ b/jrt/src/com/yahoo/jrt/NullCryptoSocket.java @@ -13,17 +13,14 @@ import java.nio.channels.SocketChannel; public class NullCryptoSocket implements CryptoSocket { private final boolean isServer; private SocketChannel channel; - private TransportMetrics metrics; - public NullCryptoSocket(TransportMetrics metrics, SocketChannel channel, boolean isServer) { this.metrics = metrics; this.channel = channel; this.isServer = isServer; } + private final TransportMetrics metrics = TransportMetrics.getInstance(); + public NullCryptoSocket(SocketChannel channel, boolean isServer) { this.channel = channel; this.isServer = isServer; } @Override public SocketChannel channel() { return channel; } @Override public HandshakeResult handshake() throws IOException { - if (metrics != null) { - if (isServer) { - metrics.incrementServerUnencryptedConnectionsEstablished(); - } else { - metrics.incrementClientUnencryptedConnectionsEstablished(); - } - metrics = null; + if (isServer) { + metrics.incrementServerUnencryptedConnectionsEstablished(); + } else { + metrics.incrementClientUnencryptedConnectionsEstablished(); } return HandshakeResult.DONE; } diff --git a/jrt/src/com/yahoo/jrt/TlsCryptoEngine.java b/jrt/src/com/yahoo/jrt/TlsCryptoEngine.java index 7e5e6fd9dc4..41302a4c725 100644 
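Review bot: The rewritten `NullCryptoSocket.handshake()` drops the `metrics != null` guard and the `metrics = null` reset, which together made the unencrypted-connection counter increment at most once per socket; with the singleton field every further `handshake()` call now bumps the counter again. `NullCryptoSocket` returns `DONE` immediately, so a caller that invokes `handshake()` exactly once is unaffected, but `MaybeTlsCryptoSocket.MyCryptoSocket` extends this class and its handshake path is only partly visible in this diff. Keeping the once-only behaviour explicit costs a single flag: `private boolean counted;` and `if (!counted) { counted = true; if (isServer) metrics.incrementServerUnencryptedConnectionsEstablished(); else metrics.incrementClientUnencryptedConnectionsEstablished(); }`. These counters are the signal for finding plaintext RPC during a TLS rollout, so over-counting would mislead whoever is watching them.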
--- a/jrt/src/com/yahoo/jrt/TlsCryptoEngine.java +++ b/jrt/src/com/yahoo/jrt/TlsCryptoEngine.java @@ -20,11 +20,11 @@ public class TlsCryptoEngine implements CryptoEngine { } @Override - public TlsCryptoSocket createCryptoSocket(TransportMetrics metrics, SocketChannel channel, boolean isServer) { + public TlsCryptoSocket createCryptoSocket(SocketChannel channel, boolean isServer) { SSLEngine sslEngine = tlsContext.createSslEngine(); sslEngine.setNeedClientAuth(true); sslEngine.setUseClientMode(!isServer); - return new TlsCryptoSocket(metrics, channel, sslEngine); + return new TlsCryptoSocket(channel, sslEngine); } @Override diff --git a/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java b/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java index 184b8824877..f25a45169a8 100644 --- a/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java +++ b/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java @@ -31,7 +31,7 @@ public class TlsCryptoSocket implements CryptoSocket { private enum HandshakeState { NOT_STARTED, NEED_READ, NEED_WRITE, COMPLETED } - private final TransportMetrics metrics; + private final TransportMetrics metrics = TransportMetrics.getInstance(); private final SocketChannel channel; private final SSLEngine sslEngine; private final Buffer wrapBuffer; @@ -42,8 +42,7 @@ public class TlsCryptoSocket implements CryptoSocket { private HandshakeState handshakeState; private AuthorizationResult authorizationResult; - public TlsCryptoSocket(TransportMetrics metrics, SocketChannel channel, SSLEngine sslEngine) { - this.metrics = metrics; + public TlsCryptoSocket(SocketChannel channel, SSLEngine sslEngine) { this.channel = channel; this.sslEngine = sslEngine; SSLSession nullSession = sslEngine.getSession(); diff --git a/jrt/src/com/yahoo/jrt/Transport.java b/jrt/src/com/yahoo/jrt/Transport.java index ccdd5683f6a..0a2f2a4b7cb 100644 --- a/jrt/src/com/yahoo/jrt/Transport.java +++ b/jrt/src/com/yahoo/jrt/Transport.java 
@@ -77,7 +77,7 @@ public class Transport { private Scheduler scheduler; private int state; private Selector selector; - private final TransportMetrics metrics = new TransportMetrics(); + private final TransportMetrics metrics = TransportMetrics.getInstance(); private void handleAddConnection(Connection conn) { if (conn.isClosed()) { @@ -197,7 +197,7 @@ public class Transport { * @param isServer flag indicating which end of the connection we are **/ CryptoSocket createCryptoSocket(SocketChannel channel, boolean isServer) { - return cryptoEngine.createCryptoSocket(metrics, channel, isServer); + return cryptoEngine.createCryptoSocket(channel, isServer); } /** diff --git a/jrt/src/com/yahoo/jrt/TransportMetrics.java b/jrt/src/com/yahoo/jrt/TransportMetrics.java index e0afbc495e7..507a925572f 100644 --- a/jrt/src/com/yahoo/jrt/TransportMetrics.java +++ b/jrt/src/com/yahoo/jrt/TransportMetrics.java @@ -2,6 +2,7 @@ package com.yahoo.jrt; import java.util.concurrent.atomic.AtomicLong; +import java.util.function.ToLongFunction; /** * Metric values produced by {@link Transport}. @@ -10,6 +11,8 @@ import java.util.concurrent.atomic.AtomicLong; */ public class TransportMetrics { + private static final TransportMetrics instance = new TransportMetrics(); + private final AtomicLong tlsCertificateVerificationFailures = new AtomicLong(0); private final AtomicLong peerAuthorizationFailures = new AtomicLong(0); private final AtomicLong serverTlsConnectionsEstablished = new AtomicLong(0); @@ -17,6 +20,10 @@ public class TransportMetrics { private final AtomicLong serverUnencryptedConnectionsEstablished = new AtomicLong(0); private final AtomicLong clientUnencryptedConnectionsEstablished = new AtomicLong(0); + private TransportMetrics() {} + + public static TransportMetrics getInstance() { return instance; } + public long tlsCertificateVerificationFailures() { return tlsCertificateVerificationFailures.get(); } 
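Review bot: `getInstance()` turns the counters into process-wide state, and the `Transport` hunk in this same diff now reads that shared instance instead of a per-transport one, so every `Transport` in the JVM aggregates into a single set of values that, from the visible `incrementAndGet` calls, only ever grow; a consumer that previously got per-`Transport` numbers will silently see totals. That is a reasonable choice but it should be stated where the singleton is exposed. Suggest Javadoc on `getInstance()`: `/** Process-wide metrics: counters aggregate across all Transport instances in this JVM and are never reset; use {@link #snapshot()} and {@link Snapshot#changesSince(Snapshot)} to measure an interval. */`. The class Javadoc ("Metric values produced by Transport") appears in the context lines and could carry the same sentence.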
@@ -41,6 +48,8 @@ public class TransportMetrics { return clientUnencryptedConnectionsEstablished.get(); } + public Snapshot snapshot() { return new Snapshot(this); } + void incrementTlsCertificateVerificationFailures() { tlsCertificateVerificationFailures.incrementAndGet(); } 
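Review bot: `snapshot()` builds the `Snapshot` by calling `get()` on each `AtomicLong` in turn, so each value is read atomically but the set is not consistent as a whole: a handshake completing between two reads can be visible in one counter and not yet in a sibling. That is fine for monitoring but worth documenting so nobody treats the sum or difference of two counters in one snapshot as exact. Suggest Javadoc on the method: `/** Returns a copy of the current counter values. Each counter is read atomically, but the set is not captured atomically as a whole. */`.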
@@ -76,4 +85,69 @@ public class TransportMetrics { ", clientUnencryptedConnectionsEstablished=" + clientUnencryptedConnectionsEstablished + '}'; } + + public static class Snapshot { + private final long tlsCertificateVerificationFailures; + private final long peerAuthorizationFailures; + private final long serverTlsConnectionsEstablished; + private final long clientTlsConnectionsEstablished; + private final long serverUnencryptedConnectionsEstablished; + private final long clientUnencryptedConnectionsEstablished; + + private Snapshot(TransportMetrics metrics) { + this(metrics.tlsCertificateVerificationFailures.get(), + metrics.peerAuthorizationFailures.get(), + metrics.serverTlsConnectionsEstablished.get(), + metrics.clientTlsConnectionsEstablished.get(), + metrics.serverUnencryptedConnectionsEstablished.get(), + metrics.clientUnencryptedConnectionsEstablished.get()); + } + + private Snapshot(long tlsCertificateVerificationFailures, + long peerAuthorizationFailures, + long serverTlsConnectionsEstablished, + long clientTlsConnectionsEstablished, + long serverUnencryptedConnectionsEstablished, + long clientUnencryptedConnectionsEstablished) { + this.tlsCertificateVerificationFailures = tlsCertificateVerificationFailures; + this.peerAuthorizationFailures = peerAuthorizationFailures; + this.serverTlsConnectionsEstablished = serverTlsConnectionsEstablished; + this.clientTlsConnectionsEstablished = clientTlsConnectionsEstablished; + this.serverUnencryptedConnectionsEstablished = serverUnencryptedConnectionsEstablished; + this.clientUnencryptedConnectionsEstablished = clientUnencryptedConnectionsEstablished; + } + + public long tlsCertificateVerificationFailures() { return tlsCertificateVerificationFailures; } + public long peerAuthorizationFailures() { return peerAuthorizationFailures; } + public long serverTlsConnectionsEstablished() { return serverTlsConnectionsEstablished; } + public long clientTlsConnectionsEstablished() { return clientTlsConnectionsEstablished; } + 
public long serverUnencryptedConnectionsEstablished() { return serverUnencryptedConnectionsEstablished; } + public long clientUnencryptedConnectionsEstablished() { return clientUnencryptedConnectionsEstablished; } + + public Snapshot changesSince(Snapshot base) { + return new Snapshot( + changesSince(base, Snapshot::tlsCertificateVerificationFailures), + changesSince(base, Snapshot::peerAuthorizationFailures), + changesSince(base, Snapshot::serverTlsConnectionsEstablished), + changesSince(base, Snapshot::clientTlsConnectionsEstablished), + changesSince(base, Snapshot::serverUnencryptedConnectionsEstablished), + changesSince(base, Snapshot::clientUnencryptedConnectionsEstablished)); + } + + private long changesSince(Snapshot base, ToLongFunction<Snapshot> metricProperty) { + return metricProperty.applyAsLong(this) - metricProperty.applyAsLong(base); + } + + @Override + public String toString() { + return "Snapshot{" + + "tlsCertificateVerificationFailures=" + tlsCertificateVerificationFailures + + ", peerAuthorizationFailures=" + peerAuthorizationFailures + + ", serverTlsConnectionsEstablished=" + serverTlsConnectionsEstablished + + ", clientTlsConnectionsEstablished=" + clientTlsConnectionsEstablished + + ", serverUnencryptedConnectionsEstablished=" + serverUnencryptedConnectionsEstablished + + ", clientUnencryptedConnectionsEstablished=" + clientUnencryptedConnectionsEstablished + + '}'; + } + } } diff --git a/jrt/src/com/yahoo/jrt/XorCryptoEngine.java b/jrt/src/com/yahoo/jrt/XorCryptoEngine.java index 6912a58e394..4ba6d00faa4 100644 --- a/jrt/src/com/yahoo/jrt/XorCryptoEngine.java +++ b/jrt/src/com/yahoo/jrt/XorCryptoEngine.java 
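Review bot: `Snapshot.changesSince(base)` subtracts `base` from `this` per counter with no statement of the expected ordering, so a caller that passes the newer snapshot as `base` gets negative deltas; since the counters only ever increase (the visible increment methods all use `incrementAndGet`), a negative result is always a misuse and the Javadoc should say so. Suggest: `/** Per-counter difference {@code this - base}. @param base an earlier snapshot; a negative result means {@code base} was taken after this one. */`. Separately, `Snapshot` is a six-field value type with private constructors but no `equals`/`hashCode`, so any test or caller comparing two snapshots compares by reference; if equality is meant to be supported, add them, or convert the class to a `record` if the project's Java level allows.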
@@ -11,7 +11,7 @@ import java.nio.channels.SocketChannel; * from TLS. **/ public class XorCryptoEngine implements CryptoEngine { - @Override public CryptoSocket createCryptoSocket(TransportMetrics metrics, SocketChannel channel, boolean isServer) { + @Override public CryptoSocket createCryptoSocket(SocketChannel channel, boolean isServer) { return new XorCryptoSocket(channel, isServer); } } |