From f732bc9403ca52ddb09effcf0fd760f2895af0a8 Mon Sep 17 00:00:00 2001 
From: Harald Musum Date: Wed, 20 May 2020 16:04:48 +0200 Subject: Revert "Revert "Reapply "Build vespa zookeeper server variants with zookeeper 3.5.6 and 3.5.8""" --- zookeeper-server/CMakeLists.txt | 3 +- zookeeper-server/pom.xml | 3 +- .../zookeeper-server-3.5.6/CMakeLists.txt | 3 + zookeeper-server/zookeeper-server-3.5.6/pom.xml | 78 +++++ .../vespa/zookeeper/VespaZooKeeperServerImpl.java | 56 ++++ .../zookeeper-server-3.5.8/CMakeLists.txt | 4 + zookeeper-server/zookeeper-server-3.5.8/pom.xml | 78 +++++ .../vespa/zookeeper/VespaZooKeeperServerImpl.java | 57 ++++ .../zookeeper-server-3.5/CMakeLists.txt | 3 - zookeeper-server/zookeeper-server-3.5/pom.xml | 78 ----- .../vespa/zookeeper/VespaZooKeeperServerImpl.java | 351 --------------------- .../zookeeper/VespaZooKeeperServerImplTest.java | 322 ------------------- zookeeper-server/zookeeper-server-common/pom.xml | 7 + .../com/yahoo/vespa/zookeeper/Configurator.java | 307 ++++++++++++++++++ .../yahoo/vespa/zookeeper/ConfiguratorTest.java | 316 +++++++++++++++++++ 15 files changed, 910 insertions(+), 756 deletions(-) create mode 100644 zookeeper-server/zookeeper-server-3.5.6/CMakeLists.txt create mode 100644 zookeeper-server/zookeeper-server-3.5.6/pom.xml create mode 100644 zookeeper-server/zookeeper-server-3.5.6/src/main/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImpl.java create mode 100644 zookeeper-server/zookeeper-server-3.5.8/CMakeLists.txt create mode 100644 zookeeper-server/zookeeper-server-3.5.8/pom.xml create mode 100644 zookeeper-server/zookeeper-server-3.5.8/src/main/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImpl.java delete mode 100644 zookeeper-server/zookeeper-server-3.5/CMakeLists.txt delete mode 100644 zookeeper-server/zookeeper-server-3.5/pom.xml delete mode 100644 zookeeper-server/zookeeper-server-3.5/src/main/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImpl.java delete mode 100644 
zookeeper-server/zookeeper-server-3.5/src/test/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImplTest.java create mode 100644 zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/Configurator.java create mode 100644 zookeeper-server/zookeeper-server-common/src/test/java/com/yahoo/vespa/zookeeper/ConfiguratorTest.java diff --git a/zookeeper-server/CMakeLists.txt b/zookeeper-server/CMakeLists.txt index 6e8c82bc66e..b146390046c 100644 --- a/zookeeper-server/CMakeLists.txt +++ b/zookeeper-server/CMakeLists.txt @@ -1,3 +1,4 @@ # Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. add_subdirectory(zookeeper-server-common) -add_subdirectory(zookeeper-server-3.5) +add_subdirectory(zookeeper-server-3.5.6) +add_subdirectory(zookeeper-server-3.5.8) diff --git a/zookeeper-server/pom.xml b/zookeeper-server/pom.xml index edfbdbad02e..28f18000c2d 100644 --- a/zookeeper-server/pom.xml +++ b/zookeeper-server/pom.xml @@ -13,7 +13,8 @@ 7-SNAPSHOT zookeeper-server-common - zookeeper-server-3.5 + zookeeper-server-3.5.6 + zookeeper-server-3.5.8 diff --git a/zookeeper-server/zookeeper-server-3.5.6/CMakeLists.txt b/zookeeper-server/zookeeper-server-3.5.6/CMakeLists.txt new file mode 100644 index 00000000000..b68994d32e0 --- /dev/null +++ b/zookeeper-server/zookeeper-server-3.5.6/CMakeLists.txt @@ -0,0 +1,3 @@ +# Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. +install_fat_java_artifact(zookeeper-server-3.5.6) +install_symlink(lib/jars/zookeeper-server-3.5.6-jar-with-dependencies.jar lib/jars/zookeeper-server-jar-with-dependencies.jar) diff --git a/zookeeper-server/zookeeper-server-3.5.6/pom.xml b/zookeeper-server/zookeeper-server-3.5.6/pom.xml new file mode 100644 index 00000000000..e50324a0488 --- /dev/null +++ b/zookeeper-server/zookeeper-server-3.5.6/pom.xml 
@@ -0,0 +1,78 @@ + + + + 4.0.0 + + com.yahoo.vespa + zookeeper-server + 7-SNAPSHOT + ../pom.xml + + zookeeper-server-3.5.6 + container-plugin + 7-SNAPSHOT + + + com.yahoo.vespa + zookeeper-server-common + ${project.version} + + + org.apache.zookeeper + zookeeper + ${zookeeper.server.version} + + + org.slf4j + slf4j-jdk14 + + + org.slf4j + slf4j-log4j12 + 1.7.5 + + + junit + junit + test + + + + + + org.apache.maven.plugins + maven-compiler-plugin + + + -Xlint:all + -Werror + + + + + org.apache.maven.plugins + maven-surefire-plugin + + ${test.hide} + once + + + + org.apache.maven.plugins + maven-install-plugin + + true + + + + com.yahoo.vespa + bundle-plugin + true + + com.sun.management + zookeeper-server + + + + + diff --git a/zookeeper-server/zookeeper-server-3.5.6/src/main/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImpl.java b/zookeeper-server/zookeeper-server-3.5.6/src/main/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImpl.java new file mode 100644 index 00000000000..ee3695b02f8 --- /dev/null +++ b/zookeeper-server/zookeeper-server-3.5.6/src/main/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImpl.java 
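Review bot: The zookeeper dependency version in this module is taken from the parent property `${zookeeper.server.version}`, while the sibling zookeeper-server-3.5.8/pom.xml pins `3.5.8` literally; a module named zookeeper-server-3.5.6, whose jar the 3.5.6 CMakeLists.txt symlinks as the default zookeeper-server-jar-with-dependencies.jar, should pin `3.5.6` the same way, otherwise a change to the parent property silently changes what the default artifact bundles without the module name reflecting it. If the property is kept on purpose, a comment next to it stating that it must resolve to 3.5.6 would document the intent.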
@@ -0,0 +1,56 @@
+// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.zookeeper;
+
+import com.google.inject.Inject;
+import com.yahoo.cloud.config.ZookeeperServerConfig;
+import com.yahoo.component.AbstractComponent;
+import com.yahoo.security.tls.TransportSecurityUtils;
+
+import java.util.logging.Level;
+
+import static com.yahoo.vespa.defaults.Defaults.getDefaults;
+import static com.yahoo.vespa.zookeeper.Configurator.zookeeperServerHostnames;
+
+/**
+ * Writes zookeeper config and starts zookeeper server.
+ *
+ * @author Ulf Lilleengen
+ * @author Harald Musum
+ */
+public class VespaZooKeeperServerImpl extends AbstractComponent implements Runnable, VespaZooKeeperServer {
+ private static final java.util.logging.Logger log = java.util.logging.Logger.getLogger(VespaZooKeeperServerImpl.class.getName());
+ private final Thread zkServerThread;
+ private final ZookeeperServerConfig zookeeperServerConfig;
+
+ @Inject
+ public VespaZooKeeperServerImpl(ZookeeperServerConfig zookeeperServerConfig) {
+ this.zookeeperServerConfig = zookeeperServerConfig;
+ new Configurator(zookeeperServerConfig).writeConfigToDisk(TransportSecurityUtils.getOptions());
+ zkServerThread = new Thread(this, "zookeeper server");
+ zkServerThread.start();
+ }
+
+ private void shutdown() {
+ zkServerThread.interrupt();
+ try {
+ zkServerThread.join();
+ } catch (InterruptedException e) {
+ log.log(Level.WARNING, "Error joining server thread on shutdown", e);
+ }
+ }
+
+ @Override
+ public void run() {
+ String[] args = new String[]{getDefaults().underVespaHome(zookeeperServerConfig.zooKeeperConfigFile())};
+ log.log(Level.INFO, "Starting ZooKeeper server with config file " + args[0] +
+ ". 
Trying to establish ZooKeeper quorum (members: " + zookeeperServerHostnames(zookeeperServerConfig) + ")"); + org.apache.zookeeper.server.quorum.QuorumPeerMain.main(args); + } + + @Override + public void deconstruct() { + shutdown(); + super.deconstruct(); + } + +} diff --git a/zookeeper-server/zookeeper-server-3.5.8/CMakeLists.txt b/zookeeper-server/zookeeper-server-3.5.8/CMakeLists.txt new file mode 100644 index 00000000000..66765e34997 --- /dev/null +++ b/zookeeper-server/zookeeper-server-3.5.8/CMakeLists.txt @@ -0,0 +1,4 @@ +# Copyright Verizon Media. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. +install_fat_java_artifact(zookeeper-server-3.5.8) +# TODO: Needs to be included when this is the wanted default version (and other symlinks need to be removed) +#install_symlink(lib/jars/zookeeper-server-3.5.8-jar-with-dependencies.jar lib/jars/zookeeper-server-jar-with-dependencies.jar) diff --git a/zookeeper-server/zookeeper-server-3.5.8/pom.xml b/zookeeper-server/zookeeper-server-3.5.8/pom.xml new file mode 100644 index 00000000000..e4000285ffa --- /dev/null +++ b/zookeeper-server/zookeeper-server-3.5.8/pom.xml @@ -0,0 +1,78 @@ + + + + 4.0.0 + + com.yahoo.vespa + zookeeper-server + 7-SNAPSHOT + ../pom.xml + + zookeeper-server-3.5.8 + container-plugin + 7-SNAPSHOT + + + com.yahoo.vespa + zookeeper-server-common + ${project.version} + + + org.apache.zookeeper + zookeeper + 3.5.8 + + + org.slf4j + slf4j-jdk14 + + + org.slf4j + slf4j-log4j12 + 1.7.5 + + + junit + junit + test + + + + + + org.apache.maven.plugins + maven-compiler-plugin + + + -Xlint:all + -Werror + + + + + org.apache.maven.plugins + maven-surefire-plugin + + ${test.hide} + once + + + + org.apache.maven.plugins + maven-install-plugin + + true + + + + com.yahoo.vespa + bundle-plugin + true + + com.sun.management + zookeeper-server + + + + + 
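Review bot: shutdown() logs the InterruptedException from `zkServerThread.join()` and then returns with the interrupt status of the calling thread cleared, so whoever interrupted deconstruct() cannot observe it; add `Thread.currentThread().interrupt();` after the log.log call. The join is also unbounded: if QuorumPeerMain.main(args) does not return on interrupt (its behaviour is not visible here), deconstruct() never completes, so a bounded `zkServerThread.join(<timeout-ms>)` followed by a warning when `zkServerThread.isAlive()` would keep shutdown from hanging. The deleted zookeeper-server-3.5 implementation set zookeeper.snapshot.trust.empty and jute.maxbuffer as system properties from ZookeeperServerConfig before starting the server and this class does not; presumably Configurator, which is outside this chunk, took that over, which is worth confirming. The identical shutdown() body appears in the zookeeper-server-3.5.8 VespaZooKeeperServerImpl.java hunk.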
diff --git a/zookeeper-server/zookeeper-server-3.5.8/src/main/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImpl.java b/zookeeper-server/zookeeper-server-3.5.8/src/main/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImpl.java new file mode 100644 index 00000000000..15d5d2f6f31 --- /dev/null +++ b/zookeeper-server/zookeeper-server-3.5.8/src/main/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImpl.java 
@@ -0,0 +1,57 @@
+// Copyright Verizon Media. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.zookeeper;
+
+import com.google.inject.Inject;
+import com.yahoo.cloud.config.ZookeeperServerConfig;
+import com.yahoo.component.AbstractComponent;
+import com.yahoo.security.tls.TransportSecurityUtils;
+
+import java.util.logging.Level;
+
+import static com.yahoo.vespa.defaults.Defaults.getDefaults;
+import static com.yahoo.vespa.zookeeper.Configurator.zookeeperServerHostnames;
+
+/**
+ * Writes zookeeper config and starts zookeeper server.
+ *
+ * @author Ulf Lilleengen
+ * @author Harald Musum
+ */
+public class VespaZooKeeperServerImpl extends AbstractComponent implements Runnable, VespaZooKeeperServer {
+
+ private static final java.util.logging.Logger log = java.util.logging.Logger.getLogger(VespaZooKeeperServerImpl.class.getName());
+ private final Thread zkServerThread;
+ private final ZookeeperServerConfig zookeeperServerConfig;
+
+ @Inject
+ public VespaZooKeeperServerImpl(ZookeeperServerConfig zookeeperServerConfig) {
+ this.zookeeperServerConfig = zookeeperServerConfig;
+ new Configurator(zookeeperServerConfig).writeConfigToDisk(TransportSecurityUtils.getOptions());
+ zkServerThread = new Thread(this, "zookeeper server");
+ zkServerThread.start();
+ }
+
+ private void shutdown() {
+ zkServerThread.interrupt();
+ try {
+ zkServerThread.join();
+ } catch (InterruptedException e) {
+ log.log(Level.WARNING, "Error joining server thread on shutdown", e);
+ }
+ }
+
+ @Override
+ public void run() {
+ String[] args = new String[]{getDefaults().underVespaHome(zookeeperServerConfig.zooKeeperConfigFile())};
+ log.log(Level.INFO, "Starting ZooKeeper server with config file " + args[0] +
+ ". 
Trying to establish ZooKeeper quorum (members: " + zookeeperServerHostnames(zookeeperServerConfig) + ")"); + org.apache.zookeeper.server.quorum.QuorumPeerMain.main(args); + } + + @Override + public void deconstruct() { + shutdown(); + super.deconstruct(); + } + +} diff --git a/zookeeper-server/zookeeper-server-3.5/CMakeLists.txt b/zookeeper-server/zookeeper-server-3.5/CMakeLists.txt deleted file mode 100644 index 782c5f07b83..00000000000 --- a/zookeeper-server/zookeeper-server-3.5/CMakeLists.txt +++ /dev/null @@ -1,3 +0,0 @@ -# Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -install_fat_java_artifact(zookeeper-server-3.5) -install_symlink(lib/jars/zookeeper-server-3.5-jar-with-dependencies.jar lib/jars/zookeeper-server-jar-with-dependencies.jar) diff --git a/zookeeper-server/zookeeper-server-3.5/pom.xml b/zookeeper-server/zookeeper-server-3.5/pom.xml deleted file mode 100644 index 0bbb97bd38c..00000000000 --- a/zookeeper-server/zookeeper-server-3.5/pom.xml +++ /dev/null @@ -1,78 +0,0 @@ - - - - 4.0.0 - - com.yahoo.vespa - zookeeper-server - 7-SNAPSHOT - ../pom.xml - - zookeeper-server-3.5 - container-plugin - 7-SNAPSHOT - - - com.yahoo.vespa - zookeeper-server-common - ${project.version} - - - org.apache.zookeeper - zookeeper - ${zookeeper.server.version} - - - org.slf4j - slf4j-jdk14 - - - org.slf4j - slf4j-log4j12 - 1.7.5 - - - junit - junit - test - - - - - - org.apache.maven.plugins - maven-compiler-plugin - - - -Xlint:all - -Werror - - - - - org.apache.maven.plugins - maven-surefire-plugin - - ${test.hide} - once - - - - org.apache.maven.plugins - maven-install-plugin - - true - - - - com.yahoo.vespa - bundle-plugin - true - - com.sun.management - zookeeper-server - - - - - 
diff --git a/zookeeper-server/zookeeper-server-3.5/src/main/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImpl.java b/zookeeper-server/zookeeper-server-3.5/src/main/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImpl.java deleted file mode 100644 index 1f66c919a41..00000000000 --- a/zookeeper-server/zookeeper-server-3.5/src/main/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImpl.java +++ /dev/null 
@@ -1,351 +0,0 @@ -// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.vespa.zookeeper; - -import com.google.inject.Inject; -import com.yahoo.cloud.config.ZookeeperServerConfig; -import com.yahoo.component.AbstractComponent; -import java.util.logging.Level; -import com.yahoo.security.KeyStoreBuilder; -import com.yahoo.security.KeyStoreType; -import com.yahoo.security.KeyStoreUtils; -import com.yahoo.security.KeyUtils; -import com.yahoo.security.SslContextBuilder; -import com.yahoo.security.X509CertificateUtils; -import com.yahoo.security.tls.TlsContext; -import com.yahoo.security.tls.TransportSecurityOptions; -import com.yahoo.security.tls.TransportSecurityUtils; -import com.yahoo.text.Utf8; - -import javax.net.ssl.SSLContext; -import java.io.File; -import java.io.FileWriter; -import java.io.IOException; -import java.nio.file.Files; -import java.nio.file.Path; -import java.nio.file.Paths; -import java.security.PrivateKey; -import java.security.cert.X509Certificate; -import java.util.List; -import java.util.Optional; -import java.util.Set; -import java.util.TreeSet; -import java.util.stream.Collectors; - -import static com.yahoo.vespa.defaults.Defaults.getDefaults; - -/** - * Writes zookeeper config and starts zookeeper server. 
- * - * @author Ulf Lilleengen - * @author Harald Musum - */ -public class VespaZooKeeperServerImpl extends AbstractComponent implements Runnable, VespaZooKeeperServer { - - private static final java.util.logging.Logger log = java.util.logging.Logger.getLogger(VespaZooKeeperServerImpl.class.getName()); - private static final String ZOOKEEPER_JMX_LOG4J_DISABLE = "zookeeper.jmx.log4j.disable"; - static final String ZOOKEEPER_JUTE_MAX_BUFFER = "jute.maxbuffer"; - private final Thread zkServerThread; - private final ZookeeperServerConfig zookeeperServerConfig; - private final String configFilePath; - private final String jksKeyStoreFilePath; - - VespaZooKeeperServerImpl(ZookeeperServerConfig zookeeperServerConfig, boolean startServer, - Optional transportSecurityOptions) { - this.zookeeperServerConfig = zookeeperServerConfig; - System.setProperty("zookeeper.jmx.log4j.disable", "true"); - System.setProperty("zookeeper.snapshot.trust.empty", Boolean.valueOf(zookeeperServerConfig.trustEmptySnapshot()).toString()); - System.setProperty(ZOOKEEPER_JUTE_MAX_BUFFER, Integer.valueOf(zookeeperServerConfig.juteMaxBuffer()).toString()); - - configFilePath = getDefaults().underVespaHome(zookeeperServerConfig.zooKeeperConfigFile()); - jksKeyStoreFilePath = getDefaults().underVespaHome(zookeeperServerConfig.jksKeyStoreFile()); - writeConfigToDisk(zookeeperServerConfig, transportSecurityOptions); - zkServerThread = new Thread(this, "zookeeper server"); - if (startServer) { - zkServerThread.start(); - } - } - - @Inject - public VespaZooKeeperServerImpl(ZookeeperServerConfig zookeeperServerConfig) { - this(zookeeperServerConfig, true, TransportSecurityUtils.getOptions()); - } - - private void writeConfigToDisk(ZookeeperServerConfig config, Optional transportSecurityOptions) { - new File(configFilePath).getParentFile().mkdirs(); - - try { - writeZooKeeperConfigFile(zookeeperServerConfig, transportSecurityOptions); - writeMyIdFile(config); - 
transportSecurityOptions.ifPresent(this::writeJksKeystore); - } catch (IOException e) { - throw new RuntimeException("Error writing zookeeper config", e); - } - } - - private void writeZooKeeperConfigFile(ZookeeperServerConfig config, - Optional transportSecurityOptions) throws IOException { - try (FileWriter writer = new FileWriter(configFilePath)) { - writer.write(transformConfigToString(config, transportSecurityOptions)); - } - } - - private String transformConfigToString(ZookeeperServerConfig config, - Optional transportSecurityOptions) { - StringBuilder sb = new StringBuilder(); - sb.append("tickTime=").append(config.tickTime()).append("\n"); - sb.append("initLimit=").append(config.initLimit()).append("\n"); - sb.append("syncLimit=").append(config.syncLimit()).append("\n"); - sb.append("maxClientCnxns=").append(config.maxClientConnections()).append("\n"); - sb.append("snapCount=").append(config.snapshotCount()).append("\n"); - sb.append("dataDir=").append(getDefaults().underVespaHome(config.dataDir())).append("\n"); - sb.append("clientPort=").append(config.clientPort()).append("\n"); - sb.append("secureClientPort=").append(config.secureClientPort()).append("\n"); - sb.append("autopurge.purgeInterval=").append(config.autopurge().purgeInterval()).append("\n"); - sb.append("autopurge.snapRetainCount=").append(config.autopurge().snapRetainCount()).append("\n"); - // See http://zookeeper.apache.org/doc/r3.5.5/zookeeperAdmin.html#sc_zkCommands - // Includes all available commands in 3.5, except 'wchc' and 'wchp' - sb.append("4lw.commands.whitelist=conf,cons,crst,dirs,dump,envi,mntr,ruok,srst,srvr,stat,wchs").append("\n"); - sb.append("admin.enableServer=false").append("\n"); - // Need NettyServerCnxnFactory to be able to use TLS for communication - sb.append("serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory").append("\n"); - sb.append("quorumListenOnAllIPs=true").append("\n"); - ensureThisServerIsRepresented(config.myid(), config.server()); - 
config.server().forEach(server -> addServerToCfg(sb, server)); - SSLContext sslContext = new SslContextBuilder().build(); - sb.append(new TlsQuorumConfig(sslContext, jksKeyStoreFilePath).createConfig(config, transportSecurityOptions)); - sb.append(new TlsClientServerConfig(sslContext, jksKeyStoreFilePath).createConfig(config, transportSecurityOptions)); - return sb.toString(); - } - - private void writeMyIdFile(ZookeeperServerConfig config) throws IOException { - if (config.server().size() > 1) { - try (FileWriter writer = new FileWriter(getDefaults().underVespaHome(config.myidFile()))) { - writer.write(config.myid() + "\n"); - } - } - } - - private void writeJksKeystore(TransportSecurityOptions options) { - Path privateKeyFile = options.getPrivateKeyFile().orElseThrow(() -> new RuntimeException("Could not find private key file")); - Path certificatesFile = options.getCertificatesFile().orElseThrow(() -> new RuntimeException("Could not find certificates file")); - - PrivateKey privateKey; - List certificates; - try { - privateKey = KeyUtils.fromPemEncodedPrivateKey(Utf8.toString(Files.readAllBytes(privateKeyFile))); - certificates = X509CertificateUtils.certificateListFromPem(Utf8.toString(Files.readAllBytes(certificatesFile))); - } catch (IOException e) { - throw new RuntimeException(e); - } - KeyStoreBuilder keyStoreBuilder = KeyStoreBuilder - .withType(KeyStoreType.JKS) - .withKeyEntry("foo", privateKey, certificates); - - KeyStoreUtils.writeKeyStoreToFile(keyStoreBuilder.build(), Paths.get(jksKeyStoreFilePath)); - } - - private void ensureThisServerIsRepresented(int myid, List servers) { - boolean found = false; - for (ZookeeperServerConfig.Server server : servers) { - if (myid == server.id()) { - found = true; - break; - } - } - if (!found) { - throw new RuntimeException("No id in zookeeper server list that corresponds to my id(" + myid + ")"); - } - } - - private void addServerToCfg(StringBuilder sb, ZookeeperServerConfig.Server server) { - 
sb.append("server.").append(server.id()).append("=").append(server.hostname()).append(":").append(server.quorumPort()).append(":").append(server.electionPort()).append("\n"); - } - - private void shutdown() { - zkServerThread.interrupt(); - try { - zkServerThread.join(); - } catch (InterruptedException e) { - log.log(Level.WARNING, "Error joining server thread on shutdown", e); - } - } - - @Override - public void run() { - System.setProperty(ZOOKEEPER_JMX_LOG4J_DISABLE, "true"); - String[] args = new String[]{getDefaults().underVespaHome(zookeeperServerConfig.zooKeeperConfigFile())}; - log.log(Level.INFO, "Starting ZooKeeper server with config file " + args[0] + - ". Trying to establish ZooKeeper quorum (members: " + zookeeperServerHostnames(zookeeperServerConfig) + ")"); - org.apache.zookeeper.server.quorum.QuorumPeerMain.main(args); - } - - @Override - public void deconstruct() { - shutdown(); - super.deconstruct(); - } - - private static Set zookeeperServerHostnames(ZookeeperServerConfig zookeeperServerConfig) { - return zookeeperServerConfig.server().stream().map(ZookeeperServerConfig.Server::hostname).collect(Collectors.toSet()); - } - - private interface TlsConfig { - default Set allowedCiphers(SSLContext sslContext) { return new TreeSet<>(TlsContext.getAllowedCipherSuites(sslContext)); } - - default Set allowedProtocols(SSLContext sslContext) { return new TreeSet<>(TlsContext.getAllowedProtocols(sslContext)); } - - default Optional getEnvironmentVariable(String variableName) { - return Optional.ofNullable(System.getenv().get(variableName)) - .filter(var -> !var.isEmpty()); - } - - default void validateOptions(Optional transportSecurityOptions, String tlsSetting) { - if (transportSecurityOptions.isEmpty() && !tlsSetting.equals("OFF")) - throw new RuntimeException("Could not retrieve transport security options"); - } - - String configFieldPrefix(); - - String jksKeyStoreFilePath(); - - SSLContext sslContext(); - - default String 
createCommonKeyStoreTrustStoreOptions(Optional transportSecurityOptions) { - StringBuilder sb = new StringBuilder(); - transportSecurityOptions.ifPresent(options -> { - sb.append(configFieldPrefix()).append(".keyStore.location=").append(jksKeyStoreFilePath()).append("\n"); - sb.append(configFieldPrefix()).append(".keyStore.type=JKS\n"); - - Path caCertificatesFile = options.getCaCertificatesFile().orElseThrow(() -> new RuntimeException("Could not find ca certificates file")); - sb.append(configFieldPrefix()).append(".trustStore.location=").append(caCertificatesFile).append("\n"); - sb.append(configFieldPrefix()).append(".trustStore.type=PEM\n"); - }); - return sb.toString(); - } - - default String createCommonConfig() { - StringBuilder sb = new StringBuilder(); - sb.append(configFieldPrefix()).append(".hostnameVerification=false\n"); - sb.append(configFieldPrefix()).append(".clientAuth=NEED\n"); - sb.append(configFieldPrefix()).append(".ciphersuites=").append(String.join(",", allowedCiphers(sslContext()))).append("\n"); - sb.append(configFieldPrefix()).append(".enabledProtocols=").append(String.join(",", allowedProtocols(sslContext()))).append("\n"); - sb.append(configFieldPrefix()).append(".protocol=").append(sslContext().getProtocol()).append("\n"); - - return sb.toString(); - } - - } - - static class TlsClientServerConfig implements TlsConfig { - - private final SSLContext sslContext; - private final String jksKeyStoreFilePath; - - TlsClientServerConfig(SSLContext sslContext, String jksKeyStoreFilePath) { - this.sslContext = sslContext; - this.jksKeyStoreFilePath = jksKeyStoreFilePath; - } - - String createConfig(ZookeeperServerConfig config, Optional transportSecurityOptions) { - String tlsSetting = getEnvironmentVariable("VESPA_TLS_FOR_ZOOKEEPER_CLIENT_SERVER_COMMUNICATION") - .orElse(config.tlsForClientServerCommunication().name()); - validateOptions(transportSecurityOptions, tlsSetting); - - StringBuilder sb = new StringBuilder(createCommonConfig()); - 
boolean portUnification; - switch (tlsSetting) { - case "OFF": - case "TLS_ONLY": - portUnification = false; - break; - case "PORT_UNIFICATION": - case "TLS_WITH_PORT_UNIFICATION": - portUnification = true; - break; - default: - throw new IllegalArgumentException("Unknown value of config setting tlsForClientServerCommunication: " + tlsSetting); - } - sb.append("client.portUnification=").append(portUnification).append("\n"); - sb.append(createCommonKeyStoreTrustStoreOptions(transportSecurityOptions)); - - return sb.toString(); - } - - @Override - public String configFieldPrefix() { - return "ssl"; - } - - @Override - public String jksKeyStoreFilePath() { - return jksKeyStoreFilePath; - } - - @Override - public SSLContext sslContext() { - return sslContext; - } - } - - static class TlsQuorumConfig implements TlsConfig { - - private final SSLContext sslContext; - private final String jksKeyStoreFilePath; - - TlsQuorumConfig(SSLContext sslContext, String jksKeyStoreFilePath) { - this.sslContext = sslContext; - this.jksKeyStoreFilePath = jksKeyStoreFilePath; - } - - String createConfig(ZookeeperServerConfig config, Optional transportSecurityOptions) { - String tlsSetting = getEnvironmentVariable("VESPA_TLS_FOR_ZOOKEEPER_QUORUM_COMMUNICATION") - .orElse(config.tlsForQuorumCommunication().name()); - validateOptions(transportSecurityOptions, tlsSetting); - - StringBuilder sb = new StringBuilder(createCommonConfig()); - boolean sslQuorum; - boolean portUnification; - switch (tlsSetting) { - case "OFF": - sslQuorum = false; - portUnification = false; - break; - case "PORT_UNIFICATION": - sslQuorum = false; - portUnification = true; - break; - case "TLS_WITH_PORT_UNIFICATION": - sslQuorum = true; - portUnification = true; - break; - case "TLS_ONLY": - sslQuorum = true; - portUnification = false; - break; - default: throw new IllegalArgumentException("Unknown value of config setting tlsForQuorumCommunication: " + tlsSetting); - } - 
sb.append("sslQuorum=").append(sslQuorum).append("\n"); - sb.append("portUnification=").append(portUnification).append("\n"); - sb.append(createCommonKeyStoreTrustStoreOptions(transportSecurityOptions)); - - return sb.toString(); - } - - @Override - public String configFieldPrefix() { - return "ssl.quorum"; - } - - @Override - public String jksKeyStoreFilePath() { - return jksKeyStoreFilePath; - } - - @Override - public SSLContext sslContext() { - return sslContext; - } - - } - -} diff --git a/zookeeper-server/zookeeper-server-3.5/src/test/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImplTest.java b/zookeeper-server/zookeeper-server-3.5/src/test/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImplTest.java deleted file mode 100644 index 72351244cce..00000000000 --- a/zookeeper-server/zookeeper-server-3.5/src/test/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImplTest.java +++ /dev/null 
@@ -1,322 +0,0 @@
-// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.zookeeper;
-
-import com.yahoo.cloud.config.ZookeeperServerConfig;
-import com.yahoo.io.IOUtils;
-import com.yahoo.security.KeyUtils;
-import com.yahoo.security.X509CertificateBuilder;
-import com.yahoo.security.X509CertificateUtils;
-import com.yahoo.security.tls.TransportSecurityOptions;
-import org.junit.Before;
-import org.junit.Rule;
-import org.junit.Test;
-import org.junit.rules.TemporaryFolder;
-
-import javax.security.auth.x500.X500Principal;
-import java.io.File;
-import java.io.IOException;
-import java.math.BigInteger;
-import java.nio.file.Files;
-import java.nio.file.Path;
-import java.security.KeyPair;
-import java.security.cert.X509Certificate;
-import java.util.Optional;
-
-import static com.yahoo.cloud.config.ZookeeperServerConfig.TlsForQuorumCommunication;
-import static com.yahoo.cloud.config.ZookeeperServerConfig.TlsForClientServerCommunication;
-import static com.yahoo.security.KeyAlgorithm.EC;
-import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_ECDSA;
-import static java.time.Instant.EPOCH;
-import static java.time.temporal.ChronoUnit.DAYS;
-import static org.hamcrest.CoreMatchers.is;
-import static org.junit.Assert.assertThat;
-import static com.yahoo.vespa.defaults.Defaults.getDefaults;
-import static org.junit.Assert.assertTrue;
-
-/**
- * Tests the zookeeper server.
- */
-public class VespaZooKeeperServerImplTest {
-
- private File cfgFile;
- private File idFile;
- private File jksKeyStoreFile;
-
- @Rule
- public TemporaryFolder folder = new TemporaryFolder();
-
- @Before
- public void setup() throws IOException {
- cfgFile = folder.newFile();
- idFile = folder.newFile();
- jksKeyStoreFile = folder.newFile();
- }
-
- @Test
- public void config_is_written_correctly_when_one_server() throws IOException {
- ZookeeperServerConfig.Builder builder = createConfigBuilderForSingleHost(cfgFile, idFile, jksKeyStoreFile);
- createServer(builder);
- validateConfigFileSingleHost(cfgFile);
- validateIdFile(idFile, "");
- }
-
- @Test
- public void config_is_written_correctly_when_multiple_servers() throws IOException {
- ZookeeperServerConfig.Builder builder = new ZookeeperServerConfig.Builder();
- builder.zooKeeperConfigFile(cfgFile.getAbsolutePath());
- builder.server(newServer(0, "foo", 123, 321));
- builder.server(newServer(1, "bar", 234, 432));
- builder.server(newServer(2, "baz", 345, 543));
- builder.myidFile(idFile.getAbsolutePath());
- builder.myid(1);
- createServer(builder);
- validateConfigFileMultipleHosts(cfgFile);
- validateIdFile(idFile, "1\n");
- }
-
- @Test
- public void config_is_written_correctly_with_tls_for_quorum_communication_port_unification() throws IOException {
- ZookeeperServerConfig.Builder builder = createConfigBuilderForSingleHost(cfgFile, idFile, jksKeyStoreFile);
- builder.tlsForQuorumCommunication(TlsForQuorumCommunication.PORT_UNIFICATION);
- builder.tlsForClientServerCommunication(TlsForClientServerCommunication.Enum.PORT_UNIFICATION);
- Optional transportSecurityOptions = createTransportSecurityOptions();
- createServer(builder, transportSecurityOptions);
- validateConfigFilePortUnification(cfgFile, jksKeyStoreFile, transportSecurityOptions.get().getCaCertificatesFile().get().toFile());
- validateThatJksKeyStoreFileExists(jksKeyStoreFile);
- }
-
- @Test
- public void config_is_written_correctly_with_tls_for_quorum_communication_tls_with_port_unification() throws IOException {
- ZookeeperServerConfig.Builder builder = createConfigBuilderForSingleHost(cfgFile, idFile, jksKeyStoreFile);
- builder.tlsForQuorumCommunication(TlsForQuorumCommunication.TLS_WITH_PORT_UNIFICATION);
- builder.tlsForClientServerCommunication(TlsForClientServerCommunication.Enum.TLS_WITH_PORT_UNIFICATION);
- Optional transportSecurityOptions = createTransportSecurityOptions();
- createServer(builder, transportSecurityOptions);
- validateConfigFileTlsWithPortUnification(cfgFile, jksKeyStoreFile, transportSecurityOptions.get().getCaCertificatesFile().get().toFile());
- validateThatJksKeyStoreFileExists(jksKeyStoreFile);
- }
-
- @Test
- public void config_is_written_correctly_with_tls_for_quorum_communication_tls_only() throws IOException {
- ZookeeperServerConfig.Builder builder = createConfigBuilderForSingleHost(cfgFile, idFile, jksKeyStoreFile);
- builder.tlsForQuorumCommunication(TlsForQuorumCommunication.TLS_ONLY);
- builder.tlsForClientServerCommunication(TlsForClientServerCommunication.Enum.TLS_ONLY);
- Optional transportSecurityOptions = createTransportSecurityOptions();
- createServer(builder, transportSecurityOptions);
- validateConfigFileTlsOnly(cfgFile, jksKeyStoreFile, transportSecurityOptions.get().getCaCertificatesFile().get().toFile());
- validateThatJksKeyStoreFileExists(jksKeyStoreFile);
- }
-
- private ZookeeperServerConfig.Builder createConfigBuilderForSingleHost(File cfgFile, File idFile, File jksKeyStoreFile) {
- ZookeeperServerConfig.Builder builder = new ZookeeperServerConfig.Builder();
- builder.zooKeeperConfigFile(cfgFile.getAbsolutePath());
- builder.myidFile(idFile.getAbsolutePath());
- builder.server(newServer(0, "foo", 123, 321));
- builder.myid(0);
- builder.jksKeyStoreFile(jksKeyStoreFile.getAbsolutePath());
- return builder;
- }
-
- private void createServer(ZookeeperServerConfig.Builder builder) {
- createServer(builder, Optional.empty());
- }
-
- private void createServer(ZookeeperServerConfig.Builder builder, Optional options) {
- new VespaZooKeeperServerImpl(new ZookeeperServerConfig(builder), false, options);
- }
-
- @Test(expected = RuntimeException.class)
- public void require_that_this_id_must_be_present_amongst_servers() {
- ZookeeperServerConfig.Builder builder = new ZookeeperServerConfig.Builder();
- builder.server(newServer(1, "bar", 234, 432));
- builder.server(newServer(2, "baz", 345, 543));
- builder.myid(0);
- createServer(builder);
- }
-
- @Test
- public void juteMaxBufferCanBeSet() throws IOException {
- ZookeeperServerConfig.Builder builder = new ZookeeperServerConfig.Builder();
- builder.myid(0);
- File idFile = folder.newFile();
- File cfgFile = folder.newFile();
-
- builder.server(new ZookeeperServerConfig.Server.Builder().id(0).hostname("testhost"));
- builder.zooKeeperConfigFile(cfgFile.getAbsolutePath());
- builder.myidFile(idFile.getAbsolutePath());
-
- createServer(builder);
- assertThat(System.getProperty(VespaZooKeeperServerImpl.ZOOKEEPER_JUTE_MAX_BUFFER), is("" + new ZookeeperServerConfig(builder).juteMaxBuffer()));
-
- final int max_buffer = 1;
- builder.juteMaxBuffer(max_buffer);
- createServer(builder);
- assertThat(System.getProperty(VespaZooKeeperServerImpl.ZOOKEEPER_JUTE_MAX_BUFFER), is("" + max_buffer));
- }
-
- private ZookeeperServerConfig.Server.Builder newServer(int id, String hostName, int electionPort, int quorumPort) {
- ZookeeperServerConfig.Server.Builder builder = new ZookeeperServerConfig.Server.Builder();
- builder.id(id);
- builder.hostname(hostName);
- builder.electionPort(electionPort);
- builder.quorumPort(quorumPort);
- return builder;
- }
-
- private void validateIdFile(File idFile, String expected) throws IOException {
- String actual = IOUtils.readFile(idFile);
- assertThat(actual, is(expected));
- }
-
- private String commonConfig() {
- return "tickTime=2000\n" +
- "initLimit=20\n" +
- "syncLimit=15\n" +
- "maxClientCnxns=0\n" +
- "snapCount=50000\n" +
- "dataDir=" + getDefaults().underVespaHome("var/zookeeper") + "\n" +
- "clientPort=2181\n" +
- "secureClientPort=2184\n" +
- "autopurge.purgeInterval=1\n" +
- "autopurge.snapRetainCount=15\n" +
- "4lw.commands.whitelist=conf,cons,crst,dirs,dump,envi,mntr,ruok,srst,srvr,stat,wchs\n" +
- "admin.enableServer=false\n" +
- "serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory\n" +
- "quorumListenOnAllIPs=true\n";
- }
-
- private String quorumKeyStoreAndTrustStoreConfig(File jksKeyStoreFilePath, File caCertificatesFilePath) {
- StringBuilder sb = new StringBuilder();
-
- sb.append("ssl.quorum.keyStore.location=").append(jksKeyStoreFilePath.getAbsolutePath()).append("\n");
- sb.append("ssl.quorum.keyStore.type=JKS\n");
- sb.append("ssl.quorum.trustStore.location=").append(caCertificatesFilePath.getAbsolutePath()).append("\n");
- sb.append("ssl.quorum.trustStore.type=PEM\n");
- return sb.toString();
- }
-
- private String clientServerKeyStoreAndTrustStoreConfig(File jksKeyStoreFilePath, File caCertificatesFilePath) {
- StringBuilder sb = new StringBuilder();
-
- sb.append("ssl.keyStore.location=").append(jksKeyStoreFilePath.getAbsolutePath()).append("\n");
- sb.append("ssl.keyStore.type=JKS\n");
- sb.append("ssl.trustStore.location=").append(caCertificatesFilePath.getAbsolutePath()).append("\n");
- sb.append("ssl.trustStore.type=PEM\n");
- return sb.toString();
- }
-
- private void validateConfigFileSingleHost(File cfgFile) throws IOException {
- String expected =
- commonConfig() +
- "server.0=foo:321:123\n" +
- commonTlsQuorumConfig() +
- "sslQuorum=false\n" +
- "portUnification=false\n" +
- commonTlsClientServerConfig() +
- "client.portUnification=false\n";
- validateConfigFile(cfgFile, expected);
- }
-
- private String commonTlsQuorumConfig() {
- return "ssl.quorum.hostnameVerification=false\n" +
- "ssl.quorum.clientAuth=NEED\n" +
- "ssl.quorum.ciphersuites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\n" +
- "ssl.quorum.enabledProtocols=TLSv1.2\n" +
- "ssl.quorum.protocol=TLS\n";
- }
-
- private String commonTlsClientServerConfig() {
- return "ssl.hostnameVerification=false\n" +
- "ssl.clientAuth=NEED\n" +
- "ssl.ciphersuites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\n" +
- "ssl.enabledProtocols=TLSv1.2\n" +
- "ssl.protocol=TLS\n";
- }
-
- private void validateConfigFileMultipleHosts(File cfgFile) throws IOException {
- String expected =
- commonConfig() +
- "server.0=foo:321:123\n" +
- "server.1=bar:432:234\n" +
- "server.2=baz:543:345\n" +
- commonTlsQuorumConfig() +
- "sslQuorum=false\n" +
- "portUnification=false\n" +
- commonTlsClientServerConfig() +
- "client.portUnification=false\n";
- validateConfigFile(cfgFile, expected);
- }
-
- private void validateConfigFilePortUnification(File cfgFile, File jksKeyStoreFile, File caCertificatesFile) throws IOException {
- String expected =
- commonConfig() +
- "server.0=foo:321:123\n" +
- commonTlsQuorumConfig() +
- "sslQuorum=false\n" +
- "portUnification=true\n" +
- quorumKeyStoreAndTrustStoreConfig(jksKeyStoreFile, caCertificatesFile) +
- commonTlsClientServerConfig() +
- "client.portUnification=true\n" +
- clientServerKeyStoreAndTrustStoreConfig(jksKeyStoreFile, caCertificatesFile);
- validateConfigFile(cfgFile, expected);
- }
-
- private void validateConfigFileTlsWithPortUnification(File cfgFile, File jksKeyStoreFile, File caCertificatesFile) throws IOException {
- String expected =
- commonConfig() +
- "server.0=foo:321:123\n" +
- commonTlsQuorumConfig() +
- "sslQuorum=true\n" +
- "portUnification=true\n" +
- quorumKeyStoreAndTrustStoreConfig(jksKeyStoreFile, caCertificatesFile) +
- commonTlsClientServerConfig() +
- "client.portUnification=true\n" +
- clientServerKeyStoreAndTrustStoreConfig(jksKeyStoreFile, caCertificatesFile);
- validateConfigFile(cfgFile, expected);
- }
-
- private void validateConfigFileTlsOnly(File cfgFile, File jksKeyStoreFile, File caCertificatesFile) throws IOException {
- String expected =
- commonConfig() +
- "server.0=foo:321:123\n" +
- commonTlsQuorumConfig() +
- "sslQuorum=true\n" +
- "portUnification=false\n" +
- quorumKeyStoreAndTrustStoreConfig(jksKeyStoreFile, caCertificatesFile) +
- commonTlsClientServerConfig() +
- "client.portUnification=false\n" +
- clientServerKeyStoreAndTrustStoreConfig(jksKeyStoreFile, caCertificatesFile);
- validateConfigFile(cfgFile, expected);
- }
-
- private void validateConfigFile(File cfgFile, String expected) throws IOException {
- String actual = IOUtils.readFile(cfgFile);
- assertThat(actual, is(expected));
- }
-
- private void validateThatJksKeyStoreFileExists(File cfgFile) {
- assertTrue(cfgFile.exists() && cfgFile.canRead());
- }
-
- private Optional createTransportSecurityOptions() throws IOException {
- KeyPair keyPair = KeyUtils.generateKeypair(EC);
- Path privateKeyFile = folder.newFile().toPath();
- Files.writeString(privateKeyFile, KeyUtils.toPem(keyPair.getPrivate()));
-
- X509Certificate certificate = X509CertificateBuilder
- .fromKeypair(keyPair, new X500Principal("CN=dummy"), EPOCH, EPOCH.plus(1, DAYS), SHA256_WITH_ECDSA, BigInteger.ONE)
- .build();
- Path certificateChainFile = folder.newFile().toPath();
- String certificatePem = X509CertificateUtils.toPem(certificate);
- Files.writeString(certificateChainFile, certificatePem);
-
- Path caCertificatesFile = folder.newFile().toPath();
- Files.writeString(caCertificatesFile, certificatePem);
-
- return Optional.of(new TransportSecurityOptions.Builder()
- .withCertificates(certificateChainFile, privateKeyFile)
- .withCaCertificates(caCertificatesFile)
- .build());
- }
-
-}
diff --git a/zookeeper-server/zookeeper-server-common/pom.xml b/zookeeper-server/zookeeper-server-common/pom.xml
index 66e5bc2075c..b05136cd151 100644
--- a/zookeeper-server/zookeeper-server-common/pom.xml
+++ b/zookeeper-server/zookeeper-server-common/pom.xml
@@ -11,6 +11,13 @@
 zookeeper-server-common
 container-plugin
 7-SNAPSHOT
+
+
+ junit
+ junit
+ test
+
+
diff --git a/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/Configurator.java b/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/Configurator.java
new file mode 100644
index 00000000000..119509dd9cc
--- /dev/null
+++ b/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/Configurator.java
@@ -0,0 +1,307 @@
+// Copyright Verizon Media. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+
+package com.yahoo.vespa.zookeeper;
+
+import com.yahoo.cloud.config.ZookeeperServerConfig;
+import com.yahoo.security.KeyStoreBuilder;
+import com.yahoo.security.KeyStoreType;
+import com.yahoo.security.KeyStoreUtils;
+import com.yahoo.security.KeyUtils;
+import com.yahoo.security.SslContextBuilder;
+import com.yahoo.security.X509CertificateUtils;
+import com.yahoo.security.tls.TlsContext;
+import com.yahoo.security.tls.TransportSecurityOptions;
+import com.yahoo.text.Utf8;
+
+import javax.net.ssl.SSLContext;
+import java.io.File;
+import java.io.FileWriter;
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+import java.util.List;
+import java.util.Optional;
+import java.util.Set;
+import java.util.TreeSet;
+import java.util.stream.Collectors;
+
+import static com.yahoo.vespa.defaults.Defaults.getDefaults;
+
+public class Configurator {
+ private static final String ZOOKEEPER_JMX_LOG4J_DISABLE = "zookeeper.jmx.log4j.disable";
+ static final String ZOOKEEPER_JUTE_MAX_BUFFER = "jute.maxbuffer";
+
+ private final ZookeeperServerConfig zookeeperServerConfig;
+ private final String configFilePath;
+ private final String jksKeyStoreFilePath;
+
+ public Configurator(ZookeeperServerConfig zookeeperServerConfig) {
+ this.zookeeperServerConfig = zookeeperServerConfig;
+ this.configFilePath = zookeeperServerConfig.zooKeeperConfigFile();
+ this.jksKeyStoreFilePath = zookeeperServerConfig.jksKeyStoreFile();
+ System.setProperty(ZOOKEEPER_JMX_LOG4J_DISABLE, "true");
+ System.setProperty("zookeeper.snapshot.trust.empty", Boolean.valueOf(zookeeperServerConfig.trustEmptySnapshot()).toString());
+ System.setProperty(ZOOKEEPER_JUTE_MAX_BUFFER, Integer.valueOf(zookeeperServerConfig.juteMaxBuffer()).toString());
+ }
+
+ void writeConfigToDisk(Optional transportSecurityOptions) {
+ new File(configFilePath).getParentFile().mkdirs();
+
+ try {
+ writeZooKeeperConfigFile(zookeeperServerConfig, transportSecurityOptions);
+ writeMyIdFile(zookeeperServerConfig);
+ transportSecurityOptions.ifPresent(this::writeJksKeystore);
+ } catch (IOException e) {
+ throw new RuntimeException("Error writing zookeeper config", e);
+ }
+ }
+
+ private void writeZooKeeperConfigFile(ZookeeperServerConfig config,
+ Optional transportSecurityOptions) throws IOException {
+ try (FileWriter writer = new FileWriter(configFilePath)) {
+ writer.write(transformConfigToString(config, transportSecurityOptions));
+ }
+ }
+
+ private String transformConfigToString(ZookeeperServerConfig config,
+ Optional transportSecurityOptions) {
+ StringBuilder sb = new StringBuilder();
+ sb.append("tickTime=").append(config.tickTime()).append("\n");
+ sb.append("initLimit=").append(config.initLimit()).append("\n");
+ sb.append("syncLimit=").append(config.syncLimit()).append("\n");
+ sb.append("maxClientCnxns=").append(config.maxClientConnections()).append("\n");
+ sb.append("snapCount=").append(config.snapshotCount()).append("\n");
+ sb.append("dataDir=").append(getDefaults().underVespaHome(config.dataDir())).append("\n");
+ sb.append("clientPort=").append(config.clientPort()).append("\n");
+ sb.append("secureClientPort=").append(config.secureClientPort()).append("\n");
+ sb.append("autopurge.purgeInterval=").append(config.autopurge().purgeInterval()).append("\n");
+ sb.append("autopurge.snapRetainCount=").append(config.autopurge().snapRetainCount()).append("\n");
+ // See http://zookeeper.apache.org/doc/r3.5.5/zookeeperAdmin.html#sc_zkCommands
+ // Includes all available commands in 3.5, except 'wchc' and 'wchp'
+ sb.append("4lw.commands.whitelist=conf,cons,crst,dirs,dump,envi,mntr,ruok,srst,srvr,stat,wchs").append("\n");
+ sb.append("admin.enableServer=false").append("\n");
+ // Need NettyServerCnxnFactory to be able to use TLS for communication
+ sb.append("serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory").append("\n");
+ sb.append("quorumListenOnAllIPs=true").append("\n");
+ ensureThisServerIsRepresented(config.myid(), config.server());
+ config.server().forEach(server -> addServerToCfg(sb, server));
+ SSLContext sslContext = new SslContextBuilder().build();
+ sb.append(new TlsQuorumConfig(sslContext, jksKeyStoreFilePath).createConfig(config, transportSecurityOptions));
+ sb.append(new TlsClientServerConfig(sslContext, jksKeyStoreFilePath).createConfig(config, transportSecurityOptions));
+ return sb.toString();
+ }
+
+ private void writeMyIdFile(ZookeeperServerConfig config) throws IOException {
+ if (config.server().size() > 1) {
+ try (FileWriter writer = new FileWriter(getDefaults().underVespaHome(config.myidFile()))) {
+ writer.write(config.myid() + "\n");
+ }
+ }
+ }
+
+ private void writeJksKeystore(TransportSecurityOptions options) {
+ Path privateKeyFile = options.getPrivateKeyFile().orElseThrow(() -> new RuntimeException("Could not find private key file"));
+ Path certificatesFile = options.getCertificatesFile().orElseThrow(() -> new RuntimeException("Could not find certificates file"));
+
+ PrivateKey privateKey;
+ List certificates;
+ try {
+ privateKey = KeyUtils.fromPemEncodedPrivateKey(Utf8.toString(Files.readAllBytes(privateKeyFile)));
+ certificates = X509CertificateUtils.certificateListFromPem(Utf8.toString(Files.readAllBytes(certificatesFile)));
+ } catch (IOException e) {
+ throw new RuntimeException(e);
+ }
+ KeyStoreBuilder keyStoreBuilder = KeyStoreBuilder
+ .withType(KeyStoreType.JKS)
+ .withKeyEntry("foo", privateKey, certificates);
+
+ KeyStoreUtils.writeKeyStoreToFile(keyStoreBuilder.build(), Paths.get(jksKeyStoreFilePath));
+ }
+
+ private void ensureThisServerIsRepresented(int myid, List servers) {
+ boolean found = false;
+ for (ZookeeperServerConfig.Server server : servers) {
+ if (myid == server.id()) {
+ found = true;
+ break;
+ }
+ }
+ if (!found) {
+ throw new RuntimeException("No id in zookeeper server list that corresponds to my id(" + myid + ")");
+ }
+ }
+
+ private void addServerToCfg(StringBuilder sb, ZookeeperServerConfig.Server server) {
+ sb.append("server.").append(server.id()).append("=").append(server.hostname()).append(":").append(server.quorumPort()).append(":").append(server.electionPort()).append("\n");
+ }
+
+
+
+
+ static Set zookeeperServerHostnames(ZookeeperServerConfig zookeeperServerConfig) {
+ return zookeeperServerConfig.server().stream().map(ZookeeperServerConfig.Server::hostname).collect(Collectors.toSet());
+ }
+
+ private interface TlsConfig {
+ default Set allowedCiphers(SSLContext sslContext) { return new TreeSet<>(TlsContext.getAllowedCipherSuites(sslContext)); }
+
+ default Set allowedProtocols(SSLContext sslContext) { return new TreeSet<>(TlsContext.getAllowedProtocols(sslContext)); }
+
+ default Optional getEnvironmentVariable(String variableName) {
+ return Optional.ofNullable(System.getenv().get(variableName))
+ .filter(var -> !var.isEmpty());
+ }
+
+ default void validateOptions(Optional transportSecurityOptions, String tlsSetting) {
+ if (transportSecurityOptions.isEmpty() && !tlsSetting.equals("OFF"))
+ throw new RuntimeException("Could not retrieve transport security options");
+ }
+
+ String configFieldPrefix();
+
+ String jksKeyStoreFilePath();
+
+ SSLContext sslContext();
+
+ default String createCommonKeyStoreTrustStoreOptions(Optional transportSecurityOptions) {
+ StringBuilder sb = new StringBuilder();
+ transportSecurityOptions.ifPresent(options -> {
+ sb.append(configFieldPrefix()).append(".keyStore.location=").append(jksKeyStoreFilePath()).append("\n");
+ sb.append(configFieldPrefix()).append(".keyStore.type=JKS\n");
+
+ Path caCertificatesFile = options.getCaCertificatesFile().orElseThrow(() -> new RuntimeException("Could not find ca certificates file"));
+ sb.append(configFieldPrefix()).append(".trustStore.location=").append(caCertificatesFile).append("\n");
+ sb.append(configFieldPrefix()).append(".trustStore.type=PEM\n");
+ });
+ return sb.toString();
+ }
+
+ default String createCommonConfig() {
+ StringBuilder sb = new StringBuilder();
+ sb.append(configFieldPrefix()).append(".hostnameVerification=false\n");
+ sb.append(configFieldPrefix()).append(".clientAuth=NEED\n");
+ sb.append(configFieldPrefix()).append(".ciphersuites=").append(String.join(",", allowedCiphers(sslContext()))).append("\n");
+ sb.append(configFieldPrefix()).append(".enabledProtocols=").append(String.join(",", allowedProtocols(sslContext()))).append("\n");
+ sb.append(configFieldPrefix()).append(".protocol=").append(sslContext().getProtocol()).append("\n");
+
+ return sb.toString();
+ }
+
+ }
+
+ static class TlsClientServerConfig implements TlsConfig {
+
+ private final SSLContext sslContext;
+ private final String jksKeyStoreFilePath;
+
+ TlsClientServerConfig(SSLContext sslContext, String jksKeyStoreFilePath) {
+ this.sslContext = sslContext;
+ this.jksKeyStoreFilePath = jksKeyStoreFilePath;
+ }
+
+ String createConfig(ZookeeperServerConfig config, Optional transportSecurityOptions) {
+ String tlsSetting = getEnvironmentVariable("VESPA_TLS_FOR_ZOOKEEPER_CLIENT_SERVER_COMMUNICATION")
+ .orElse(config.tlsForClientServerCommunication().name());
+ validateOptions(transportSecurityOptions, tlsSetting);
+
+ StringBuilder sb = new StringBuilder(createCommonConfig());
+ boolean portUnification;
+ switch (tlsSetting) {
+ case "OFF":
+ case "TLS_ONLY":
+ portUnification = false;
+ break;
+ case "PORT_UNIFICATION":
+ case "TLS_WITH_PORT_UNIFICATION":
+ portUnification = true;
+ break;
+ default:
+ throw new IllegalArgumentException("Unknown value of config setting tlsForClientServerCommunication: " + tlsSetting);
+ }
+ sb.append("client.portUnification=").append(portUnification).append("\n");
+ sb.append(createCommonKeyStoreTrustStoreOptions(transportSecurityOptions));
+
+ return sb.toString();
+ }
+
+ @Override
+ public String configFieldPrefix() {
+ return "ssl";
+ }
+
+ @Override
+ public String jksKeyStoreFilePath() {
+ return jksKeyStoreFilePath;
+ }
+
+ @Override
+ public SSLContext sslContext() {
+ return sslContext;
+ }
+ }
+
+ static class TlsQuorumConfig implements TlsConfig {
+
+ private final SSLContext sslContext;
+ private final String jksKeyStoreFilePath;
+
+ TlsQuorumConfig(SSLContext sslContext, String jksKeyStoreFilePath) {
+ this.sslContext = sslContext;
+ this.jksKeyStoreFilePath = jksKeyStoreFilePath;
+ }
+
+ String createConfig(ZookeeperServerConfig config, Optional transportSecurityOptions) {
+ String tlsSetting = getEnvironmentVariable("VESPA_TLS_FOR_ZOOKEEPER_QUORUM_COMMUNICATION")
+ .orElse(config.tlsForQuorumCommunication().name());
+ validateOptions(transportSecurityOptions, tlsSetting);
+
+ StringBuilder sb = new StringBuilder(createCommonConfig());
+ boolean sslQuorum;
+ boolean portUnification;
+ switch (tlsSetting) {
+ case "OFF":
+ sslQuorum = false;
+ portUnification = false;
+ break;
+ case "PORT_UNIFICATION":
+ sslQuorum = false;
+ portUnification = true;
+ break;
+ case "TLS_WITH_PORT_UNIFICATION":
+ sslQuorum = true;
+ portUnification = true;
+ break;
+ case "TLS_ONLY":
+ sslQuorum = true;
+ portUnification = false;
+ break;
+ default: throw new IllegalArgumentException("Unknown value of config setting tlsForQuorumCommunication: " + tlsSetting);
+ }
+ sb.append("sslQuorum=").append(sslQuorum).append("\n");
+ sb.append("portUnification=").append(portUnification).append("\n");
+ sb.append(createCommonKeyStoreTrustStoreOptions(transportSecurityOptions));
+
+ return sb.toString();
+ }
+
+ @Override
+ public String configFieldPrefix() {
+ return "ssl.quorum";
+ }
+
+ @Override
+ public String jksKeyStoreFilePath() {
+ return jksKeyStoreFilePath;
+ }
+
+ @Override
+ public SSLContext sslContext() {
+ return sslContext;
+ }
+
+ }
+
+}
diff --git a/zookeeper-server/zookeeper-server-common/src/test/java/com/yahoo/vespa/zookeeper/ConfiguratorTest.java b/zookeeper-server/zookeeper-server-common/src/test/java/com/yahoo/vespa/zookeeper/ConfiguratorTest.java
new file mode 100644
index 00000000000..74e21339022
--- /dev/null
+++ b/zookeeper-server/zookeeper-server-common/src/test/java/com/yahoo/vespa/zookeeper/ConfiguratorTest.java
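Review bot: writeJksKeystore writes the server's private key into the JKS file at jksKeyStoreFilePath via KeyStoreUtils.writeKeyStoreToFile, and nothing in this hunk restricts that file's permissions, so unless the helper does it (not visible here) the key material is created with the process umask and may be readable by other local users; pinning it to the owner right after the write, `Path keyStorePath = Paths.get(jksKeyStoreFilePath);` / `KeyStoreUtils.writeKeyStoreToFile(keyStoreBuilder.build(), keyStorePath);` / `Files.setPosixFilePermissions(keyStorePath, PosixFilePermissions.fromString("rw-------"));` (importing `java.nio.file.attribute.PosixFilePermissions`), closes that gap on the POSIX hosts this targets. writeConfigToDisk also discards the result of `new File(configFilePath).getParentFile().mkdirs()` and throws NullPointerException when configFilePath has no parent component, so `Files.createDirectories(Paths.get(configFilePath).toAbsolutePath().getParent());` inside the existing try block would both report failures and handle that case. Finally, createCommonConfig emits `hostnameVerification=false` for both prefixes with no explanation; a comment such as `// Hostname verification is off by design: peers are authenticated by client certificate (clientAuth=NEED) against the CA trust store, not by name` would stop a later reader from "fixing" it.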
@@ -0,0 +1,316 @@
+// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.zookeeper;
+
+import com.yahoo.cloud.config.ZookeeperServerConfig;
+import com.yahoo.io.IOUtils;
+import com.yahoo.security.KeyUtils;
+import com.yahoo.security.X509CertificateBuilder;
+import com.yahoo.security.X509CertificateUtils;
+import com.yahoo.security.tls.TransportSecurityOptions;
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.TemporaryFolder;
+
+import javax.security.auth.x500.X500Principal;
+import java.io.File;
+import java.io.IOException;
+import java.math.BigInteger;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.security.KeyPair;
+import java.security.cert.X509Certificate;
+import java.util.Optional;
+
+import static com.yahoo.cloud.config.ZookeeperServerConfig.TlsForQuorumCommunication;
+import static com.yahoo.cloud.config.ZookeeperServerConfig.TlsForClientServerCommunication;
+import static com.yahoo.security.KeyAlgorithm.EC;
+import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_ECDSA;
+import static com.yahoo.vespa.zookeeper.Configurator.ZOOKEEPER_JUTE_MAX_BUFFER;
+import static java.time.Instant.EPOCH;
+import static java.time.temporal.ChronoUnit.DAYS;
+import static org.hamcrest.CoreMatchers.is;
+import static org.junit.Assert.assertThat;
+import static com.yahoo.vespa.defaults.Defaults.getDefaults;
+import static org.junit.Assert.assertTrue;
+
+/**
+ * Tests the zookeeper server.
+ */
+public class ConfiguratorTest {
+
+ private File cfgFile;
+ private File idFile;
+ private File jksKeyStoreFile;
+
+ @Rule
+ public TemporaryFolder folder = new TemporaryFolder();
+
+ @Before
+ public void setup() throws IOException {
+ cfgFile = folder.newFile();
+ idFile = folder.newFile();
+ jksKeyStoreFile = folder.newFile();
+ }
+
+ @Test
+ public void config_is_written_correctly_when_one_server() throws IOException {
+ ZookeeperServerConfig.Builder builder = createConfigBuilderForSingleHost(cfgFile, idFile, jksKeyStoreFile);
+ new Configurator(builder.build()).writeConfigToDisk(Optional.empty());
+ validateConfigFileSingleHost(cfgFile);
+ validateIdFile(idFile, "");
+ }
+
+ @Test
+ public void config_is_written_correctly_when_multiple_servers() throws IOException {
+ ZookeeperServerConfig.Builder builder = new ZookeeperServerConfig.Builder();
+ builder.zooKeeperConfigFile(cfgFile.getAbsolutePath());
+ builder.server(newServer(0, "foo", 123, 321));
+ builder.server(newServer(1, "bar", 234, 432));
+ builder.server(newServer(2, "baz", 345, 543));
+ builder.myidFile(idFile.getAbsolutePath());
+ builder.myid(1);
+ new Configurator(builder.build()).writeConfigToDisk(Optional.empty());
+ validateConfigFileMultipleHosts(cfgFile);
+ validateIdFile(idFile, "1\n");
+ }
+
+ @Test
+ public void config_is_written_correctly_with_tls_for_quorum_communication_port_unification() throws IOException {
+ ZookeeperServerConfig.Builder builder = createConfigBuilderForSingleHost(cfgFile, idFile, jksKeyStoreFile);
+ builder.tlsForQuorumCommunication(TlsForQuorumCommunication.PORT_UNIFICATION);
+ builder.tlsForClientServerCommunication(TlsForClientServerCommunication.Enum.PORT_UNIFICATION);
+ Optional transportSecurityOptions = createTransportSecurityOptions();
+ new Configurator(builder.build()).writeConfigToDisk(transportSecurityOptions);
+ validateConfigFilePortUnification(cfgFile, jksKeyStoreFile, transportSecurityOptions.get().getCaCertificatesFile().get().toFile());
+ validateThatJksKeyStoreFileExists(jksKeyStoreFile);
+ }
+
+ @Test
+ public void config_is_written_correctly_with_tls_for_quorum_communication_tls_with_port_unification() throws IOException {
+ ZookeeperServerConfig.Builder builder = createConfigBuilderForSingleHost(cfgFile, idFile, jksKeyStoreFile);
+ builder.tlsForQuorumCommunication(TlsForQuorumCommunication.TLS_WITH_PORT_UNIFICATION);
+ builder.tlsForClientServerCommunication(TlsForClientServerCommunication.Enum.TLS_WITH_PORT_UNIFICATION);
+ Optional transportSecurityOptions = createTransportSecurityOptions();
+ new Configurator(builder.build()).writeConfigToDisk(transportSecurityOptions);
+ validateConfigFileTlsWithPortUnification(cfgFile, jksKeyStoreFile, transportSecurityOptions.get().getCaCertificatesFile().get().toFile());
+ validateThatJksKeyStoreFileExists(jksKeyStoreFile);
+ }
+
+ @Test
+ public void config_is_written_correctly_with_tls_for_quorum_communication_tls_only() throws IOException {
+ ZookeeperServerConfig.Builder builder = createConfigBuilderForSingleHost(cfgFile, idFile, jksKeyStoreFile);
+ builder.tlsForQuorumCommunication(TlsForQuorumCommunication.TLS_ONLY);
+ builder.tlsForClientServerCommunication(TlsForClientServerCommunication.Enum.TLS_ONLY);
+ Optional transportSecurityOptions = createTransportSecurityOptions();
+ new Configurator(builder.build()).writeConfigToDisk(transportSecurityOptions);
+ validateConfigFileTlsOnly(cfgFile, jksKeyStoreFile, transportSecurityOptions.get().getCaCertificatesFile().get().toFile());
+ validateThatJksKeyStoreFileExists(jksKeyStoreFile);
+ }
+
+ private ZookeeperServerConfig.Builder createConfigBuilderForSingleHost(File cfgFile, File idFile, File jksKeyStoreFile) {
+ ZookeeperServerConfig.Builder builder = new ZookeeperServerConfig.Builder();
+ builder.zooKeeperConfigFile(cfgFile.getAbsolutePath());
+ builder.myidFile(idFile.getAbsolutePath());
+ builder.server(newServer(0, "foo", 123, 321));
+ builder.myid(0);
+ builder.jksKeyStoreFile(jksKeyStoreFile.getAbsolutePath());
+ return builder;
+ }
+
+ @Test(expected = RuntimeException.class)
+ public void require_that_this_id_must_be_present_amongst_servers() {
+ ZookeeperServerConfig.Builder builder = new ZookeeperServerConfig.Builder();
+ builder.zooKeeperConfigFile(cfgFile.getAbsolutePath());
+ builder.server(newServer(1, "bar", 234, 432));
+ builder.server(newServer(2, "baz", 345, 543));
+ builder.myid(0);
+ new Configurator(builder.build()).writeConfigToDisk(Optional.empty());
+ }
+
+ @Test
+ public void juteMaxBufferCanBeSet() throws IOException {
+ ZookeeperServerConfig.Builder builder = new ZookeeperServerConfig.Builder();
+ builder.myid(0);
+ File idFile = folder.newFile();
+ File cfgFile = folder.newFile();
+
+ builder.server(new ZookeeperServerConfig.Server.Builder().id(0).hostname("testhost"));
+ builder.zooKeeperConfigFile(cfgFile.getAbsolutePath());
+ builder.myidFile(idFile.getAbsolutePath());
+
+ new Configurator(builder.build()).writeConfigToDisk(Optional.empty());
+ assertThat(System.getProperty(ZOOKEEPER_JUTE_MAX_BUFFER), is("" + new ZookeeperServerConfig(builder).juteMaxBuffer()));
+
+ final int max_buffer = 1;
+ builder.juteMaxBuffer(max_buffer);
+ new Configurator(builder.build()).writeConfigToDisk(Optional.empty());
+ assertThat(System.getProperty(ZOOKEEPER_JUTE_MAX_BUFFER), is("" + max_buffer));
+ }
+
+ private ZookeeperServerConfig.Server.Builder newServer(int id, String hostName, int electionPort, int quorumPort) {
+ ZookeeperServerConfig.Server.Builder builder = new ZookeeperServerConfig.Server.Builder();
+ builder.id(id);
+ builder.hostname(hostName);
+ builder.electionPort(electionPort);
+ builder.quorumPort(quorumPort);
+ return builder;
+ }
+
+ private void validateIdFile(File idFile, String expected) throws IOException {
+ String actual = IOUtils.readFile(idFile);
+ assertThat(actual, is(expected));
+ }
+
+ private String commonConfig() {
+ return "tickTime=2000\n" +
+ "initLimit=20\n" +
+ "syncLimit=15\n" +
+ "maxClientCnxns=0\n" +
+ "snapCount=50000\n" +
+ "dataDir=" + getDefaults().underVespaHome("var/zookeeper") + "\n" +
+ "clientPort=2181\n" +
+ "secureClientPort=2184\n" +
+ "autopurge.purgeInterval=1\n" +
+ "autopurge.snapRetainCount=15\n" +
+ "4lw.commands.whitelist=conf,cons,crst,dirs,dump,envi,mntr,ruok,srst,srvr,stat,wchs\n" +
+ "admin.enableServer=false\n" +
+ "serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory\n" +
+ "quorumListenOnAllIPs=true\n";
+ }
+
+ private String quorumKeyStoreAndTrustStoreConfig(File jksKeyStoreFilePath, File caCertificatesFilePath) {
+ StringBuilder sb = new StringBuilder();
+
+ sb.append("ssl.quorum.keyStore.location=").append(jksKeyStoreFilePath.getAbsolutePath()).append("\n");
+ sb.append("ssl.quorum.keyStore.type=JKS\n");
+ sb.append("ssl.quorum.trustStore.location=").append(caCertificatesFilePath.getAbsolutePath()).append("\n");
+ sb.append("ssl.quorum.trustStore.type=PEM\n");
+ return sb.toString();
+ }
+
+ private String clientServerKeyStoreAndTrustStoreConfig(File jksKeyStoreFilePath, File caCertificatesFilePath) {
+ StringBuilder sb = new StringBuilder();
+
+ sb.append("ssl.keyStore.location=").append(jksKeyStoreFilePath.getAbsolutePath()).append("\n");
+ sb.append("ssl.keyStore.type=JKS\n");
+ sb.append("ssl.trustStore.location=").append(caCertificatesFilePath.getAbsolutePath()).append("\n");
+ sb.append("ssl.trustStore.type=PEM\n");
+ return sb.toString();
+ }
+
+ private void validateConfigFileSingleHost(File cfgFile) throws IOException {
+ String expected =
+ commonConfig() +
+ "server.0=foo:321:123\n" +
+ commonTlsQuorumConfig() +
+ "sslQuorum=false\n" +
+ "portUnification=false\n" +
+ commonTlsClientServerConfig() +
+ "client.portUnification=false\n";
+ validateConfigFile(cfgFile, expected);
+ }
+
+ private String commonTlsQuorumConfig() {
+ return "ssl.quorum.hostnameVerification=false\n" +
+ "ssl.quorum.clientAuth=NEED\n" +
+ "ssl.quorum.ciphersuites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\n" +
+ "ssl.quorum.enabledProtocols=TLSv1.2\n" +
+ "ssl.quorum.protocol=TLS\n";
+ }
+
+ private String commonTlsClientServerConfig() {
+ return "ssl.hostnameVerification=false\n" +
+ "ssl.clientAuth=NEED\n" +
+ "ssl.ciphersuites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\n" +
+ "ssl.enabledProtocols=TLSv1.2\n" +
+ "ssl.protocol=TLS\n";
+ }
+
+ private void validateConfigFileMultipleHosts(File cfgFile) throws IOException {
+ String expected =
+ commonConfig() +
+ "server.0=foo:321:123\n" +
+ "server.1=bar:432:234\n" +
+ "server.2=baz:543:345\n" +
+ commonTlsQuorumConfig() +
+ "sslQuorum=false\n" +
+ "portUnification=false\n" +
+ commonTlsClientServerConfig() +
+ "client.portUnification=false\n";
+ validateConfigFile(cfgFile, expected);
+ }
+
+ private void validateConfigFilePortUnification(File cfgFile, File jksKeyStoreFile, File caCertificatesFile) throws IOException {
+ String expected =
+ commonConfig() +
+ "server.0=foo:321:123\n" +
+ commonTlsQuorumConfig() +
+ "sslQuorum=false\n" +
+ "portUnification=true\n" +
+ quorumKeyStoreAndTrustStoreConfig(jksKeyStoreFile, caCertificatesFile) +
+ commonTlsClientServerConfig() +
+ "client.portUnification=true\n" +
+ clientServerKeyStoreAndTrustStoreConfig(jksKeyStoreFile, caCertificatesFile);
+ validateConfigFile(cfgFile, expected);
+ }
+
+ private void validateConfigFileTlsWithPortUnification(File cfgFile, File jksKeyStoreFile, File caCertificatesFile) throws IOException {
+ String expected =
+ commonConfig() +
+ "server.0=foo:321:123\n" +
+ commonTlsQuorumConfig() +
+ "sslQuorum=true\n" +
+ "portUnification=true\n" +
+
quorumKeyStoreAndTrustStoreConfig(jksKeyStoreFile, caCertificatesFile) + + commonTlsClientServerConfig() + + "client.portUnification=true\n" + + clientServerKeyStoreAndTrustStoreConfig(jksKeyStoreFile, caCertificatesFile); + validateConfigFile(cfgFile, expected); + } + + private void validateConfigFileTlsOnly(File cfgFile, File jksKeyStoreFile, File caCertificatesFile) throws IOException { + String expected = + commonConfig() + + "server.0=foo:321:123\n" + + commonTlsQuorumConfig() + + "sslQuorum=true\n" + + "portUnification=false\n" + + quorumKeyStoreAndTrustStoreConfig(jksKeyStoreFile, caCertificatesFile) + + commonTlsClientServerConfig() + + "client.portUnification=false\n" + + clientServerKeyStoreAndTrustStoreConfig(jksKeyStoreFile, caCertificatesFile); + validateConfigFile(cfgFile, expected); + } + + private void validateConfigFile(File cfgFile, String expected) throws IOException { + String actual = IOUtils.readFile(cfgFile); + assertThat(actual, is(expected)); + } + + private void validateThatJksKeyStoreFileExists(File cfgFile) { + assertTrue(cfgFile.exists() && cfgFile.canRead()); + } + + private Optional createTransportSecurityOptions() throws IOException { + KeyPair keyPair = KeyUtils.generateKeypair(EC); + Path privateKeyFile = folder.newFile().toPath(); + Files.writeString(privateKeyFile, KeyUtils.toPem(keyPair.getPrivate())); + + X509Certificate certificate = X509CertificateBuilder + .fromKeypair(keyPair, new X500Principal("CN=dummy"), EPOCH, EPOCH.plus(1, DAYS), SHA256_WITH_ECDSA, BigInteger.ONE) + .build(); + Path certificateChainFile = folder.newFile().toPath(); + String certificatePem = X509CertificateUtils.toPem(certificate); + Files.writeString(certificateChainFile, certificatePem); + + Path caCertificatesFile = folder.newFile().toPath(); + Files.writeString(caCertificatesFile, certificatePem); + + return Optional.of(new TransportSecurityOptions.Builder() + .withCertificates(certificateChainFile, privateKeyFile) + 
.withCaCertificates(caCertificatesFile) + .build()); + } + +} -- cgit v1.2.3