Diffstat (limited to 'security-utils')
6 files changed, 30 insertions, 28 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
index 28f05b3c6d9..dcf3a4162ee 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
@@ -2,7 +2,6 @@
package com.yahoo.security.tls;
import com.yahoo.security.SslContextBuilder;
-import com.yahoo.security.tls.authz.PeerAuthorizerTrustManager;
import com.yahoo.security.tls.authz.PeerAuthorizerTrustManagersFactory;
import com.yahoo.security.tls.policy.AuthorizedPeers;
@@ -43,11 +42,11 @@ public class DefaultTlsContext implements TlsContext {
PrivateKey privateKey,
List<X509Certificate> caCertificates,
AuthorizedPeers authorizedPeers,
- PeerAuthorizerTrustManager.Mode mode) {
+ AuthorizationMode mode) {
this.sslContext = createSslContext(certificates, privateKey, caCertificates, authorizedPeers, mode);
}
- public DefaultTlsContext(Path tlsOptionsConfigFile, PeerAuthorizerTrustManager.Mode mode) {
+ public DefaultTlsContext(Path tlsOptionsConfigFile, AuthorizationMode mode) {
this.sslContext = createSslContext(tlsOptionsConfigFile, mode);
}
@@ -73,7 +72,7 @@ public class DefaultTlsContext implements TlsContext {
PrivateKey privateKey,
List<X509Certificate> caCertificates,
AuthorizedPeers authorizedPeers,
- PeerAuthorizerTrustManager.Mode mode) {
+ AuthorizationMode mode) {
SslContextBuilder builder = new SslContextBuilder();
if (!certificates.isEmpty()) {
builder.withKeyStore(privateKey, certificates);
@@ -87,14 +86,16 @@ public class DefaultTlsContext implements TlsContext {
return builder.build();
}
- private static SSLContext createSslContext(Path tlsOptionsConfigFile, PeerAuthorizerTrustManager.Mode mode) {
+ private static SSLContext createSslContext(Path tlsOptionsConfigFile, AuthorizationMode mode) {
TransportSecurityOptions options = TransportSecurityOptions.fromJsonFile(tlsOptionsConfigFile);
SslContextBuilder builder = new SslContextBuilder();
options.getCertificatesFile()
.ifPresent(certificates -> builder.withKeyStore(options.getPrivateKeyFile().get(), certificates));
options.getCaCertificatesFile().ifPresent(builder::withTrustStore);
- options.getAuthorizedPeers().ifPresent(
- authorizedPeers -> builder.withTrustManagerFactory(new PeerAuthorizerTrustManagersFactory(authorizedPeers, mode)));
+ if (mode != AuthorizationMode.DISABLE) {
+ options.getAuthorizedPeers().ifPresent(
+ authorizedPeers -> builder.withTrustManagerFactory(new PeerAuthorizerTrustManagersFactory(authorizedPeers, mode)));
+ }
return builder.build();
}
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/ReloadingTlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/ReloadingTlsContext.java
index 04e36d24a04..5add13e067d 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/ReloadingTlsContext.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/ReloadingTlsContext.java
@@ -1,8 +1,6 @@
// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.security.tls;
-import com.yahoo.security.tls.authz.PeerAuthorizerTrustManager;
-
import javax.net.ssl.SSLEngine;
import java.nio.file.Path;
import java.time.Duration;
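Review bot: The new `if (mode != AuthorizationMode.DISABLE)` gate in the file-based createSslContext silently leaves the peer-authorization trust manager out of the SSLContext, and nothing at this level records that choice; a comment on the gate should state it, e.g. `// DISABLE: no PeerAuthorizerTrustManager is installed at all, so only the trust store configured above (if any) is consulted` — the second half depends on SslContextBuilder's default trust handling, which is not visible here and should be confirmed. The sibling overload taking certificates, a private key and AuthorizedPeers (hunk @@ -73) has its body cut off by that hunk, so I cannot see whether it mirrors this gate; if it does not, the two constructors behave differently for DISABLE, relying on the early return inside PeerAuthorizerTrustManager.authorizePeer to cover the difference. Worth either aligning both overloads or noting the asymmetry in a comment.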
@@ -25,7 +23,7 @@ public class ReloadingTlsContext implements TlsContext {
private static final Logger log = Logger.getLogger(ReloadingTlsContext.class.getName());
private final Path tlsOptionsConfigFile;
- private final PeerAuthorizerTrustManager.Mode mode;
+ private final AuthorizationMode mode;
private final AtomicReference<TlsContext> currentTlsContext;
private final ScheduledExecutorService scheduler = Executors.newSingleThreadScheduledExecutor(runnable -> {
@@ -34,7 +32,7 @@ public class ReloadingTlsContext implements TlsContext {
return thread;
});
- public ReloadingTlsContext(Path tlsOptionsConfigFile, PeerAuthorizerTrustManager.Mode mode) {
+ public ReloadingTlsContext(Path tlsOptionsConfigFile, AuthorizationMode mode) {
this.tlsOptionsConfigFile = tlsOptionsConfigFile;
this.mode = mode;
this.currentTlsContext = new AtomicReference<>(new DefaultTlsContext(tlsOptionsConfigFile, mode));
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityUtils.java b/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityUtils.java
index e93b880b085..f07924f3ce9 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityUtils.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityUtils.java
@@ -14,6 +14,7 @@ public class TransportSecurityUtils {
public static final String CONFIG_FILE_ENVIRONMENT_VARIABLE = "VESPA_TLS_CONFIG_FILE";
public static final String INSECURE_MIXED_MODE_ENVIRONMENT_VARIABLE = "VESPA_TLS_INSECURE_MIXED_MODE";
+ public static final String INSECURE_AUTHORIZATION_MODE_ENVIRONMENT_VARIABLE = "VESPA_TLS_INSECURE_AUTHORIZATION_MODE";
private TransportSecurityUtils() {}
@@ -31,6 +32,12 @@ public class TransportSecurityUtils {
.map(MixedMode::fromConfigValue);
}
+ public static Optional<AuthorizationMode> getInsecureAuthorizationMode() {
+ if (!isInsecureMixedModeEnabled()) return Optional.empty();
+ return getEnvironmentVariable(INSECURE_AUTHORIZATION_MODE_ENVIRONMENT_VARIABLE)
+ .map(AuthorizationMode::fromConfigValue);
+ }
+
public static Optional<Path> getConfigFile() {
return getEnvironmentVariable(CONFIG_FILE_ENVIRONMENT_VARIABLE).map(Paths::get);
}
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManager.java b/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManager.java
index aca4f86b639..05524cdffea 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManager.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManager.java
@@ -2,6 +2,7 @@
package com.yahoo.security.tls.authz;
import com.yahoo.security.X509CertificateUtils;
+import com.yahoo.security.tls.AuthorizationMode;
import com.yahoo.security.tls.policy.AuthorizedPeers;
import javax.net.ssl.SSLEngine;
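Review bot: The new public `getInsecureAuthorizationMode()` and the `INSECURE_AUTHORIZATION_MODE_ENVIRONMENT_VARIABLE` constant (previous hunk, @@ -14) carry no Javadoc, and the one property that matters most is easy to lose in a later refactor: the override is consulted only when `isInsecureMixedModeEnabled()` is true, so a stray VESPA_TLS_INSECURE_AUTHORIZATION_MODE in an environment that is not in mixed mode has no effect. I would add `/** Authorization mode override from {@value #INSECURE_AUTHORIZATION_MODE_ENVIRONMENT_VARIABLE}; honoured only while insecure mixed mode is enabled, otherwise empty. */` above the method and a matching sentence on the constant. What `AuthorizationMode::fromConfigValue` does with an unrecognised value is not visible in this diff; if it throws, a misspelt value fails fast rather than silently keeping the configured mode, which is the preferable outcome and worth stating in an `@throws` clause.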
@@ -27,25 +28,23 @@ public class PeerAuthorizerTrustManager extends X509ExtendedTrustManager {
private static final Logger log = Logger.getLogger(PeerAuthorizerTrustManager.class.getName());
- public enum Mode { DRY_RUN, ENFORCE }
-
private final PeerAuthorizer authorizer;
private final X509ExtendedTrustManager defaultTrustManager;
- private final Mode mode;
+ private final AuthorizationMode mode;
- public PeerAuthorizerTrustManager(AuthorizedPeers authorizedPeers, Mode mode, X509ExtendedTrustManager defaultTrustManager) {
+ public PeerAuthorizerTrustManager(AuthorizedPeers authorizedPeers, AuthorizationMode mode, X509ExtendedTrustManager defaultTrustManager) {
this.authorizer = new PeerAuthorizer(authorizedPeers);
this.mode = mode;
this.defaultTrustManager = defaultTrustManager;
}
- public static TrustManager[] wrapTrustManagersFromKeystore(AuthorizedPeers authorizedPeers, Mode mode, KeyStore keystore) throws GeneralSecurityException {
+ public static TrustManager[] wrapTrustManagersFromKeystore(AuthorizedPeers authorizedPeers, AuthorizationMode mode, KeyStore keystore) throws GeneralSecurityException {
TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
factory.init(keystore);
return wrapTrustManagers(authorizedPeers, mode, factory.getTrustManagers());
}
- public static TrustManager[] wrapTrustManagers(AuthorizedPeers authorizedPeers, Mode mode, TrustManager[] managers) {
+ public static TrustManager[] wrapTrustManagers(AuthorizedPeers authorizedPeers, AuthorizationMode mode, TrustManager[] managers) {
TrustManager[] wrappedManagers = new TrustManager[managers.length];
for (int i = 0; i < managers.length; i++) {
if (managers[i] instanceof X509ExtendedTrustManager) {
@@ -99,6 +98,8 @@ public class PeerAuthorizerTrustManager extends X509ExtendedTrustManager {
}
private void authorizePeer(X509Certificate certificate, String authType, boolean isVerifyingClient, SSLEngine sslEngine) throws CertificateException {
+ if (mode == AuthorizationMode.DISABLE) return;
+
log.fine(() -> "Verifying certificate: " + createInfoString(certificate, authType, isVerifyingClient));
AuthorizationResult result = authorizer.authorizePeer(certificate);
if (sslEngine != null) { // getHandshakeSession() will never return null in this context
@@ -109,13 +110,8 @@ public class PeerAuthorizerTrustManager extends X509ExtendedTrustManager {
} else {
String errorMessage = "Authorization failed: " + createInfoString(certificate, authType, isVerifyingClient);
log.warning(errorMessage);
- switch (mode) {
- case ENFORCE:
- throw new CertificateException(errorMessage);
- case DRY_RUN:
- break;
- default:
- throw new UnsupportedOperationException();
+ if (mode == AuthorizationMode.ENFORCE) {
+ throw new CertificateException(errorMessage);
}
}
}
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManagersFactory.java b/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManagersFactory.java
index 0bb99aea886..c0a3b4e41a5 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManagersFactory.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManagersFactory.java
@@ -2,6 +2,7 @@
package com.yahoo.security.tls.authz;
import com.yahoo.security.SslContextBuilder;
+import com.yahoo.security.tls.AuthorizationMode;
import com.yahoo.security.tls.policy.AuthorizedPeers;
import javax.net.ssl.TrustManager;
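Review bot: Replacing the `switch (mode)` with `if (mode == AuthorizationMode.ENFORCE)` in hunk @@ -109 drops the fail-closed `default: throw new UnsupportedOperationException()`: every AuthorizationMode value other than ENFORCE now logs the failure and lets the peer through, so any value added to the enum later is permissive by default. The enum itself is not part of this diff, so I can only infer from the removed nested `Mode { DRY_RUN, ENFORCE }` and the DISABLE early return that three values exist today; inverting the test keeps the old fail-closed shape, `if (mode != AuthorizationMode.DRY_RUN) { throw new CertificateException(errorMessage); }`, with a comment that only DRY_RUN may pass a rejected peer. Separately, the new `if (mode == AuthorizationMode.DISABLE) return;` in hunk @@ -99 sits before `log.fine(...)`, so a DISABLE'd manager — reachable through the public `wrapTrustManagers` even though DefaultTlsContext no longer installs it in that mode — leaves no trace that peer authorization was skipped; a `log.fine` (or a one-time warning at construction) before the return would make that visible in incident forensics.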
@@ -13,9 +14,9 @@ import java.security.KeyStore;
*/
public class PeerAuthorizerTrustManagersFactory implements SslContextBuilder.TrustManagersFactory {
private final AuthorizedPeers authorizedPeers;
- private PeerAuthorizerTrustManager.Mode mode;
+ private AuthorizationMode mode;
- public PeerAuthorizerTrustManagersFactory(AuthorizedPeers authorizedPeers, PeerAuthorizerTrustManager.Mode mode) {
+ public PeerAuthorizerTrustManagersFactory(AuthorizedPeers authorizedPeers, AuthorizationMode mode) {
this.authorizedPeers = authorizedPeers;
this.mode = mode;
}
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java b/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java
index 4809bad80c5..a1a3ba6548b 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java
@@ -3,7 +3,6 @@ package com.yahoo.security.tls;
import com.yahoo.security.KeyUtils;
import com.yahoo.security.X509CertificateBuilder;
-import com.yahoo.security.tls.authz.PeerAuthorizerTrustManager.Mode;
import com.yahoo.security.tls.policy.AuthorizedPeers;
import com.yahoo.security.tls.policy.HostGlobPattern;
import com.yahoo.security.tls.policy.PeerPolicy;
@@ -47,7 +46,7 @@ public class DefaultTlsContextTest {
singletonList(new RequiredPeerCredential(RequiredPeerCredential.Field.CN, new HostGlobPattern("dummy"))))));
DefaultTlsContext tlsContext =
- new DefaultTlsContext(singletonList(certificate), keyPair.getPrivate(), singletonList(certificate), authorizedPeers, Mode.ENFORCE);
+ new DefaultTlsContext(singletonList(certificate), keyPair.getPrivate(), singletonList(certificate), authorizedPeers, AuthorizationMode.ENFORCE);
SSLEngine sslEngine = tlsContext.createSslEngine();
assertThat(sslEngine).isNotNull(); |