aboutsummaryrefslogtreecommitdiffstats
path: root/zookeeper-client-common/src/main/java/com/yahoo/vespa/zookeeper/client/ZkClientConfigBuilder.java
diff options
context:
space:
mode:
Diffstat (limited to 'zookeeper-client-common/src/main/java/com/yahoo/vespa/zookeeper/client/ZkClientConfigBuilder.java')
-rw-r--r--zookeeper-client-common/src/main/java/com/yahoo/vespa/zookeeper/client/ZkClientConfigBuilder.java60
1 files changed, 60 insertions, 0 deletions
diff --git a/zookeeper-client-common/src/main/java/com/yahoo/vespa/zookeeper/client/ZkClientConfigBuilder.java b/zookeeper-client-common/src/main/java/com/yahoo/vespa/zookeeper/client/ZkClientConfigBuilder.java
new file mode 100644
index 00000000000..62191880b8f
--- /dev/null
+++ b/zookeeper-client-common/src/main/java/com/yahoo/vespa/zookeeper/client/ZkClientConfigBuilder.java
@@ -0,0 +1,60 @@
+// Copyright Verizon Media. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.zookeeper.client;
+
+import com.yahoo.security.tls.MixedMode;
+import com.yahoo.security.tls.TlsContext;
+import com.yahoo.security.tls.TransportSecurityUtils;
+
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Optional;
+import java.util.stream.Collectors;
+
+/**
+ * Builder for ZK client configuration
+ *
+ * @author bjorncs
+ */
+public class ZkClientConfigBuilder {
+
+ public static final String CLIENT_SECURE_PROPERTY = "zookeeper.client.secure";
+ public static final String SSL_CONTEXT_SUPPLIER_CLASS_PROPERTY = "zookeeper.ssl.context.supplier.class";
+ public static final String SSL_ENABLED_PROTOCOLS_PROPERTY = "zookeeper.ssl.enabledProtocols";
+ public static final String SSL_ENABLED_CIPHERSUITES_PROPERTY = "zookeeper.ssl.ciphersuites";
+ public static final String SSL_CLIENTAUTH_PROPERTY = "zookeeper.ssl.clientAuth";
+
+ private static final TlsContext tlsContext = getTlsContext().orElse(null);
+
+ public ZkClientConfigBuilder() {}
+
+ public String toConfigString() {
+ StringBuilder builder = new StringBuilder();
+ Map<String, String> properties = toConfigProperties();
+ properties.forEach((key, value) -> builder.append(key).append('=').append(value).append('\n'));
+ return builder.toString();
+ }
+
+ public Map<String, String> toConfigProperties() {
+ Map<String, String> builder = new HashMap<>();
+ builder.put(CLIENT_SECURE_PROPERTY, Boolean.toString(tlsContext != null));
+ if (tlsContext != null) {
+ builder.put(SSL_CONTEXT_SUPPLIER_CLASS_PROPERTY, VespaSslContextProvider.class.getName());
+ String protocolsConfigValue = Arrays.stream(tlsContext.parameters().getProtocols()).sorted().collect(Collectors.joining(","));
+ builder.put(SSL_ENABLED_PROTOCOLS_PROPERTY, protocolsConfigValue);
+ String ciphersConfigValue = Arrays.stream(tlsContext.parameters().getCipherSuites()).sorted().collect(Collectors.joining(","));
+ builder.put(SSL_ENABLED_CIPHERSUITES_PROPERTY, ciphersConfigValue);
+ builder.put(SSL_CLIENTAUTH_PROPERTY, "NEED");
+ }
+ return Map.copyOf(builder);
+ }
+
+ private static Optional<TlsContext> getTlsContext() {
+ // TODO(bjorncs) Remove handling of temporary feature flag
+ boolean temporaryFeatureFlag = Optional.ofNullable(System.getenv("VESPA_USE_TLS_FOR_ZOOKEEPER_CLIENT")).map(Boolean::parseBoolean).orElse(false);
+ if (!temporaryFeatureFlag) return Optional.empty();
+
+ if (TransportSecurityUtils.getInsecureMixedMode() == MixedMode.PLAINTEXT_CLIENT_MIXED_SERVER) return Optional.empty();
+ return TransportSecurityUtils.getSystemTlsContext();
+ }
+}