Diffstat (limited to 'zookeeper-client-common')
5 files changed, 136 insertions, 0 deletions
diff --git a/zookeeper-client-common/OWNERS b/zookeeper-client-common/OWNERS
new file mode 100644
index 00000000000..569bf1cc3a1
--- /dev/null
+++ b/zookeeper-client-common/OWNERS
@@ -0,0 +1 @@
+bjorncs
diff --git a/zookeeper-client-common/README.md b/zookeeper-client-common/README.md
new file mode 100644
index 00000000000..51c757a8af2
--- /dev/null
+++ b/zookeeper-client-common/README.md
@@ -0,0 +1,3 @@
+# zookeeper-client-common
+
+Shared client configuration logic for ZooKeeper clients
diff --git a/zookeeper-client-common/pom.xml b/zookeeper-client-common/pom.xml
new file mode 100644
index 00000000000..fd799e13fca
--- /dev/null
+++ b/zookeeper-client-common/pom.xml
@@ -0,0 +1,47 @@
+<?xml version="1.0"?>
+<!-- Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+ <parent>
+ <groupId>com.yahoo.vespa</groupId>
+ <artifactId>parent</artifactId>
+ <version>7-SNAPSHOT</version>
+ <relativePath>../parent/pom.xml</relativePath>
+ </parent>
+ <artifactId>zookeeper-client-common</artifactId>
+ <packaging>jar</packaging>
+ <version>7-SNAPSHOT</version>
+
+ <dependencies>
+ <!-- provided -->
+ <dependency>
+ <groupId>com.yahoo.vespa</groupId>
+ <artifactId>security-utils</artifactId>
+ <version>${project.version}</version>
+ <scope>provided</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.zookeeper</groupId>
+ <artifactId>zookeeper</artifactId>
+ <version>${zookeeper.client.version}</version>
+ <scope>provided</scope>
+ </dependency>
+
+ <!-- compile scope -->
+ <!-- test scope -->
+ <dependency>
+ <groupId>junit</groupId>
+ <artifactId>junit</artifactId>
+ <scope>test</scope>
+ </dependency>
+ </dependencies>
+
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-compiler-plugin</artifactId>
+ </plugin>
+ </plugins>
+ </build>
+</project>
diff --git a/zookeeper-client-common/src/main/java/com/yahoo/vespa/zookeeper/client/VespaSslContextProvider.java b/zookeeper-client-common/src/main/java/com/yahoo/vespa/zookeeper/client/VespaSslContextProvider.java
new file mode 100644
index 00000000000..209e08db6cc
--- /dev/null
+++ b/zookeeper-client-common/src/main/java/com/yahoo/vespa/zookeeper/client/VespaSslContextProvider.java
@@ -0,0 +1,25 @@
+// Copyright Verizon Media. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.zookeeper.client;
+
+import com.yahoo.security.tls.TlsContext;
+import com.yahoo.security.tls.TransportSecurityUtils;
+
+import javax.net.ssl.SSLContext;
+import java.util.function.Supplier;
+
+/**
+ * Provider for Vespa {@link SSLContext} instance to Zookeeper + misc utility methods for providing Vespa TLS specific ZK configuration.
+ *
+ * @author bjorncs
+ */
+public class VespaSslContextProvider implements Supplier<SSLContext> {
+
+ private static final SSLContext sslContext = TransportSecurityUtils.getSystemTlsContext().map(TlsContext::context).orElse(null);
+
+ @Override
+ public SSLContext get() {
+ if (sslContext == null) throw new IllegalStateException("Vespa TLS is not enabled");
+ return sslContext;
+ }
+
+}
diff --git a/zookeeper-client-common/src/main/java/com/yahoo/vespa/zookeeper/client/ZkClientConfigBuilder.java b/zookeeper-client-common/src/main/java/com/yahoo/vespa/zookeeper/client/ZkClientConfigBuilder.java
new file mode 100644
index 00000000000..62191880b8f
--- /dev/null
+++ b/zookeeper-client-common/src/main/java/com/yahoo/vespa/zookeeper/client/ZkClientConfigBuilder.java
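Review bot: The class Javadoc promises "misc utility methods for providing Vespa TLS specific ZK configuration", but the class exposes only `get()`; those helpers live in ZkClientConfigBuilder, so the summary should read `Provider for Vespa {@link SSLContext} instance to Zookeeper; see {@link ZkClientConfigBuilder} for the TLS specific ZK configuration.` Note also that `sslContext` is taken straight from `TransportSecurityUtils.getSystemTlsContext()`, whereas ZkClientConfigBuilder.getTlsContext() additionally gates on the VESPA_USE_TLS_FOR_ZOOKEEPER_CLIENT flag and the PLAINTEXT_CLIENT_MIXED_SERVER mixed mode; this is presumably fine because ZooKeeper only consults the supplier once zookeeper.client.secure is true, but a field comment stating that assumption, e.g. `// Only consulted by ZK when ZkClientConfigBuilder has set zookeeper.client.secure=true`, would keep the two classes from drifting apart. Because the field is static final, the context is resolved once at class load; if the system TLS context can be reloaded at runtime (certificate rotation), this cached instance would go stale — worth confirming against TransportSecurityUtils before relying on it.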
@@ -0,0 +1,60 @@
+// Copyright Verizon Media. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.zookeeper.client;
+
+import com.yahoo.security.tls.MixedMode;
+import com.yahoo.security.tls.TlsContext;
+import com.yahoo.security.tls.TransportSecurityUtils;
+
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Optional;
+import java.util.stream.Collectors;
+
+/**
+ * Builder for ZK client configuration
+ *
+ * @author bjorncs
+ */
+public class ZkClientConfigBuilder {
+
+ public static final String CLIENT_SECURE_PROPERTY = "zookeeper.client.secure";
+ public static final String SSL_CONTEXT_SUPPLIER_CLASS_PROPERTY = "zookeeper.ssl.context.supplier.class";
+ public static final String SSL_ENABLED_PROTOCOLS_PROPERTY = "zookeeper.ssl.enabledProtocols";
+ public static final String SSL_ENABLED_CIPHERSUITES_PROPERTY = "zookeeper.ssl.ciphersuites";
+ public static final String SSL_CLIENTAUTH_PROPERTY = "zookeeper.ssl.clientAuth";
+
+ private static final TlsContext tlsContext = getTlsContext().orElse(null);
+
+ public ZkClientConfigBuilder() {}
+
+ public String toConfigString() {
+ StringBuilder builder = new StringBuilder();
+ Map<String, String> properties = toConfigProperties();
+ properties.forEach((key, value) -> builder.append(key).append('=').append(value).append('\n'));
+ return builder.toString();
+ }
+
+ public Map<String, String> toConfigProperties() {
+ Map<String, String> builder = new HashMap<>();
+ builder.put(CLIENT_SECURE_PROPERTY, Boolean.toString(tlsContext != null));
+ if (tlsContext != null) {
+ builder.put(SSL_CONTEXT_SUPPLIER_CLASS_PROPERTY, VespaSslContextProvider.class.getName());
+ String protocolsConfigValue = Arrays.stream(tlsContext.parameters().getProtocols()).sorted().collect(Collectors.joining(","));
+ builder.put(SSL_ENABLED_PROTOCOLS_PROPERTY, protocolsConfigValue);
+ String ciphersConfigValue = Arrays.stream(tlsContext.parameters().getCipherSuites()).sorted().collect(Collectors.joining(","));
+ builder.put(SSL_ENABLED_CIPHERSUITES_PROPERTY, ciphersConfigValue);
+ builder.put(SSL_CLIENTAUTH_PROPERTY, "NEED");
+ }
+ return Map.copyOf(builder);
+ }
+
+ private static Optional<TlsContext> getTlsContext() {
+ // TODO(bjorncs) Remove handling of temporary feature flag
+ boolean temporaryFeatureFlag = Optional.ofNullable(System.getenv("VESPA_USE_TLS_FOR_ZOOKEEPER_CLIENT")).map(Boolean::parseBoolean).orElse(false);
+ if (!temporaryFeatureFlag) return Optional.empty();
+
+ if (TransportSecurityUtils.getInsecureMixedMode() == MixedMode.PLAINTEXT_CLIENT_MIXED_SERVER) return Optional.empty();
+ return TransportSecurityUtils.getSystemTlsContext();
+ }
+}
|
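Review bot: `toConfigProperties()` returns `Map.copyOf(builder)`, whose iteration order is unspecified, so `toConfigString()` emits its key=value lines in an order that can differ between JVM runs — even though the protocol and cipher lists on the lines above are deliberately sorted; if that string is written to a config file or compared, it is unstable. Iterating a sorted view fixes it in one line: `new TreeMap<>(toConfigProperties()).forEach((key, value) -> builder.append(key).append('=').append(value).append('\n'));` with `java.util.TreeMap` added to the imports. The mixed-mode check in `getTlsContext()` also deserves a why-comment, since the reader has to know MixedMode semantics to see why that case yields plaintext; something like `// Presumably clients must stay on plaintext in this mixed mode, so ZK client TLS is left off — confirm against TransportSecurityUtils` would do. Finally, because `tlsContext` is a static final, the VESPA_USE_TLS_FOR_ZOOKEEPER_CLIENT environment variable is read exactly once at class load; a short comment on the field saying so would save the next maintainer from expecting a per-builder decision.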