From 4747938832aecb6b1639050983cdfcb079da1a1f Mon Sep 17 00:00:00 2001
From: Valerij Fredriksen
Date: Fri, 20 May 2022 15:46:17 +0200
Subject: Use config server SSLSocketFactory in FlagsClient and ConfigServerRestExecutor

---
 .../proxy/ConfigServerRestExecutorImpl.java | 25 ++++++++++------------
 .../restapi/systemflags/FlagsClient.java | 13 ++++++-----
 .../restapi/systemflags/SystemFlagsDeployer.java | 4 ++--
 .../restapi/systemflags/SystemFlagsHandler.java | 4 ++--
 .../proxy/ConfigServerRestExecutorImplTest.java | 9 ++++----
 5 files changed, 27 insertions(+), 28 deletions(-)
 (limited to 'controller-server')

diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java
index 671222e2123..9bea7fb829d 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java
@@ -1,13 +1,13 @@
 // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.hosted.controller.proxy;
 
-import com.yahoo.component.annotation.Inject;
 import com.yahoo.component.AbstractComponent;
+import com.yahoo.component.annotation.Inject;
 import com.yahoo.jdisc.http.HttpRequest.Method;
 import com.yahoo.text.Text;
 import com.yahoo.vespa.athenz.api.AthenzIdentity;
-import com.yahoo.vespa.athenz.identity.ServiceIdentityProvider;
 import com.yahoo.vespa.athenz.tls.AthenzIdentityVerifier;
+import com.yahoo.vespa.hosted.controller.api.integration.ControllerIdentityProvider;
 import com.yahoo.vespa.hosted.controller.api.integration.zone.ZoneRegistry;
 import com.yahoo.yolean.concurrent.Sleeper;
 import org.apache.http.Header;
@@ -20,6 +20,7 @@ import org.apache.http.client.methods.HttpPatch;
 import org.apache.http.client.methods.HttpPost;
 import org.apache.http.client.methods.HttpPut;
 import org.apache.http.client.methods.HttpRequestBase;
+import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
 import org.apache.http.entity.InputStreamEntity;
 import org.apache.http.impl.DefaultConnectionReuseStrategy;
 import org.apache.http.impl.client.CloseableHttpClient;
@@ -29,7 +30,6 @@ import org.apache.http.protocol.HttpCoreContext;
 import org.apache.http.util.EntityUtils;
 
 import javax.net.ssl.HostnameVerifier;
-import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLSession;
 import java.io.IOException;
 import java.io.InputStream;
@@ -68,16 +68,15 @@ public class ConfigServerRestExecutorImpl extends AbstractComponent implements C
 private final Sleeper sleeper;
 
 @Inject
- public ConfigServerRestExecutorImpl(ZoneRegistry zoneRegistry, ServiceIdentityProvider sslContextProvider) {
- this(zoneRegistry, sslContextProvider.getIdentitySslContext(), Sleeper.DEFAULT,
- new ConnectionReuseStrategy(zoneRegistry));
+ public ConfigServerRestExecutorImpl(ZoneRegistry zoneRegistry, ControllerIdentityProvider identityProvider) {
+ this(new SSLConnectionSocketFactory(identityProvider.getConfigServerSslSocketFactory(), new ControllerOrConfigserverHostnameVerifier(zoneRegistry)),
+ Sleeper.DEFAULT,
+ new ConnectionReuseStrategy(zoneRegistry));
 }
 
- ConfigServerRestExecutorImpl(ZoneRegistry zoneRegistry, SSLContext sslContext,
+ ConfigServerRestExecutorImpl(SSLConnectionSocketFactory connectionSocketFactory,
 Sleeper sleeper,
 ConnectionReuseStrategy connectionReuseStrategy) {
- this.client = createHttpClient(sslContext,
- new ControllerOrConfigserverHostnameVerifier(zoneRegistry),
- connectionReuseStrategy);
+ this.client = createHttpClient(connectionSocketFactory, connectionReuseStrategy);
 this.sleeper = sleeper;
 }
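Review bot: In the @@ -68 hunk the package-private constructor now accepts a prebuilt SSLConnectionSocketFactory, so ControllerOrConfigserverHostnameVerifier is no longer applied by this class itself but only by the @Inject path; any other caller (the tests pass `new SSLConnectionSocketFactory(SSLContext.getDefault())`, which presumably falls back to the library's default verifier) has to bring the right verifier with it. That contract deserves a Javadoc on the package-private constructor, e.g. `/** The factory must already carry the hostname verifier for controller and config server hosts; only the @Inject constructor wires ControllerOrConfigserverHostnameVerifier. */`. The @Inject constructor's first `this(...)` argument is also a very long line; a local `var connectionSocketFactory = new SSLConnectionSocketFactory(...)` before the delegation, as FlagsClient.createClient now does, would keep it readable. The same factory-in, verifier-out shape applies to the two createHttpClient hunks below, and the class body continues outside this hunk.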
@@ -227,8 +226,7 @@ public class ConfigServerRestExecutorImpl extends AbstractComponent implements C
 }
 }
 
- private static CloseableHttpClient createHttpClient(SSLContext sslContext,
- HostnameVerifier hostnameVerifier,
+ private static CloseableHttpClient createHttpClient(SSLConnectionSocketFactory connectionSocketFactory,
 org.apache.http.ConnectionReuseStrategy connectionReuseStrategy) {
 RequestConfig config = RequestConfig.custom()
@@ -237,8 +235,7 @@ public class ConfigServerRestExecutorImpl extends AbstractComponent implements C
 .setSocketTimeout((int) PROXY_REQUEST_TIMEOUT.toMillis()).build();
 return HttpClientBuilder.create()
 .setUserAgent("config-server-proxy-client")
- .setSSLContext(sslContext)
- .setSSLHostnameVerifier(hostnameVerifier)
+ .setSSLSocketFactory(connectionSocketFactory)
 .setDefaultRequestConfig(config)
 .setMaxConnPerRoute(10)
 .setMaxConnTotal(500)
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/systemflags/FlagsClient.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/systemflags/FlagsClient.java
index c87fea3beb3..4a208aa3794 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/systemflags/FlagsClient.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/systemflags/FlagsClient.java
@@ -5,10 +5,10 @@ import ai.vespa.util.http.hc4.retry.DelayedConnectionLevelRetryHandler;
 import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.yahoo.vespa.athenz.api.AthenzIdentity;
-import com.yahoo.vespa.athenz.identity.ServiceIdentityProvider;
 import com.yahoo.vespa.athenz.tls.AthenzIdentityVerifier;
 import com.yahoo.vespa.flags.FlagId;
 import com.yahoo.vespa.flags.json.FlagData;
+import com.yahoo.vespa.hosted.controller.api.integration.ControllerIdentityProvider;
 import com.yahoo.vespa.hosted.controller.api.systemflags.v1.FlagsTarget;
 import com.yahoo.vespa.hosted.controller.api.systemflags.v1.wire.WireErrorResponse;
 import org.apache.http.HttpEntity;
@@ -22,6 +22,7 @@ import org.apache.http.client.methods.HttpGet;
 import org.apache.http.client.methods.HttpPut;
 import org.apache.http.client.methods.HttpUriRequest;
 import org.apache.http.client.utils.URIBuilder;
+import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
 import org.apache.http.entity.ContentType;
 import org.apache.http.entity.StringEntity;
 import org.apache.http.impl.client.CloseableHttpClient;
@@ -55,7 +56,7 @@ class FlagsClient {
 
 private final CloseableHttpClient client;
 
- FlagsClient(ServiceIdentityProvider identityProvider, Set targets) {
+ FlagsClient(ControllerIdentityProvider identityProvider, Set targets) {
 this.client = createClient(identityProvider, targets);
 }
 
@@ -95,14 +96,16 @@ class FlagsClient {
 });
 }
 
- private static CloseableHttpClient createClient(ServiceIdentityProvider identityProvider, Set targets) {
+ private static CloseableHttpClient createClient(ControllerIdentityProvider identityProvider, Set targets) {
 DelayedConnectionLevelRetryHandler retryHandler = DelayedConnectionLevelRetryHandler.Builder
 .withExponentialBackoff(Duration.ofSeconds(1), Duration.ofSeconds(20), 5)
 .build();
+ SSLConnectionSocketFactory connectionSocketFactory = new SSLConnectionSocketFactory(
+ identityProvider.getConfigServerSslSocketFactory(), new FlagTargetsHostnameVerifier(targets));
+
 return HttpClientBuilder.create()
 .setUserAgent("controller-flags-v1-client")
- .setSSLContext(identityProvider.getIdentitySslContext())
- .setSSLHostnameVerifier(new FlagTargetsHostnameVerifier(targets))
+ .setSSLSocketFactory(connectionSocketFactory)
 .setDefaultRequestConfig(RequestConfig.custom()
 .setConnectTimeout((int) Duration.ofSeconds(10).toMillis())
 .setConnectionRequestTimeout((int) Duration.ofSeconds(10).toMillis())
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/systemflags/SystemFlagsDeployer.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/systemflags/SystemFlagsDeployer.java
index 1b543045adc..abc888abccb 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/systemflags/SystemFlagsDeployer.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/systemflags/SystemFlagsDeployer.java
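Review bot: The factory in createClient is now built from `identityProvider.getConfigServerSslSocketFactory()` while the verifier accepts every FlagsTarget in `targets`, and SystemFlagsHandler feeds it `FlagsTarget.getAllTargetsInSystem(zoneRegistry, true)`; if those targets include controller hosts as well as config servers, it is worth confirming that the config-server socket factory's trust and client-identity settings are the ones intended for the controller endpoints too, since the previous `getIdentitySslContext()` may have differed. A one-line comment above the factory construction recording that decision would save the next reader the same question, e.g. `// NOTE: the config server socket factory is used for every flag target — confirm it also covers controller targets`. The enclosing class continues outside the hunk.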
@@ -4,10 +4,10 @@ package com.yahoo.vespa.hosted.controller.restapi.systemflags;
 import com.yahoo.concurrent.DaemonThreadFactory;
 import com.yahoo.config.provision.SystemName;
 import com.yahoo.text.Text;
-import com.yahoo.vespa.athenz.identity.ServiceIdentityProvider;
 import com.yahoo.vespa.flags.FlagId;
 import com.yahoo.vespa.flags.Flags;
 import com.yahoo.vespa.flags.json.FlagData;
+import com.yahoo.vespa.hosted.controller.api.integration.ControllerIdentityProvider;
 import com.yahoo.vespa.hosted.controller.api.systemflags.v1.FlagsTarget;
 import com.yahoo.vespa.hosted.controller.api.systemflags.v1.SystemFlagsDataArchive;
 import com.yahoo.vespa.hosted.controller.restapi.systemflags.SystemFlagsDeployResult.OperationError;
@@ -46,7 +46,7 @@ class SystemFlagsDeployer {
 
 private final ExecutorService executor = Executors.newCachedThreadPool(new DaemonThreadFactory("system-flags-deployer-"));
 
- SystemFlagsDeployer(ServiceIdentityProvider identityProvider, SystemName system, Set targets) {
+ SystemFlagsDeployer(ControllerIdentityProvider identityProvider, SystemName system, Set targets) {
 this(new FlagsClient(identityProvider, targets), system, targets);
 }
 
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/systemflags/SystemFlagsHandler.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/systemflags/SystemFlagsHandler.java
index aaaf09fa781..ed27ffad978 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/systemflags/SystemFlagsHandler.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/systemflags/SystemFlagsHandler.java
@@ -8,7 +8,7 @@ import com.yahoo.container.jdisc.ThreadedHttpRequestHandler;
 import com.yahoo.restapi.ErrorResponse;
 import com.yahoo.restapi.JacksonJsonResponse;
 import com.yahoo.restapi.Path;
-import com.yahoo.vespa.athenz.identity.ServiceIdentityProvider;
+import com.yahoo.vespa.hosted.controller.api.integration.ControllerIdentityProvider;
 import com.yahoo.vespa.hosted.controller.api.integration.zone.ZoneRegistry;
 import com.yahoo.vespa.hosted.controller.api.systemflags.v1.FlagsTarget;
 import com.yahoo.vespa.hosted.controller.api.systemflags.v1.SystemFlagsDataArchive;
@@ -30,7 +30,7 @@ public class SystemFlagsHandler extends ThreadedHttpRequestHandler {
 
 @Inject
 public SystemFlagsHandler(ZoneRegistry zoneRegistry,
- ServiceIdentityProvider identityProvider,
+ ControllerIdentityProvider identityProvider,
 Executor executor) {
 super(executor);
 this.deployer = new SystemFlagsDeployer(identityProvider, zoneRegistry.system(), FlagsTarget.getAllTargetsInSystem(zoneRegistry, true));
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImplTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImplTest.java
index c4fbf1aa3a5..f5926e799af 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImplTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImplTest.java
@@ -4,11 +4,10 @@ package com.yahoo.vespa.hosted.controller.proxy;
 import ai.vespa.http.HttpURL.Path;
 import com.github.tomakehurst.wiremock.junit.WireMockRule;
 import com.github.tomakehurst.wiremock.stubbing.Scenario;
-import com.yahoo.config.provision.SystemName;
 import com.yahoo.container.jdisc.HttpRequest;
 import com.yahoo.container.jdisc.HttpResponse;
-import com.yahoo.vespa.hosted.controller.integration.ZoneRegistryMock;
 import com.yahoo.yolean.concurrent.Sleeper;
+import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
 import org.apache.http.protocol.HttpContext;
 import org.apache.http.protocol.HttpCoreContext;
 import org.junit.Rule;
@@ -39,7 +38,7 @@ public class ConfigServerRestExecutorImplTest {
 
 @Test
 public void proxy_with_retries() throws Exception {
 var connectionReuseStrategy = new CountingConnectionReuseStrategy(Set.of("127.0.0.1"));
- var proxy = new ConfigServerRestExecutorImpl(new ZoneRegistryMock(SystemName.cd), SSLContext.getDefault(),
+ var proxy = new ConfigServerRestExecutorImpl(new SSLConnectionSocketFactory(SSLContext.getDefault()),
 Sleeper.NOOP, connectionReuseStrategy);
 URI url = url();
@@ -64,8 +63,8 @@ public class ConfigServerRestExecutorImplTest {
 
 @Test
 public void proxy_without_connection_reuse() throws Exception {
 var connectionReuseStrategy = new CountingConnectionReuseStrategy(Set.of());
- var proxy = new ConfigServerRestExecutorImpl(new ZoneRegistryMock(SystemName.cd), SSLContext.getDefault(),
- (duration) -> {}, connectionReuseStrategy);
+ var proxy = new ConfigServerRestExecutorImpl(new SSLConnectionSocketFactory(SSLContext.getDefault()),
+ Sleeper.NOOP, connectionReuseStrategy);
 URI url = url();
 String path = url.getPath();
-- 
cgit v1.2.3
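Review bot: Both tests now go through the package-private constructor with `new SSLConnectionSocketFactory(SSLContext.getDefault())`, so the verifier wiring that the @Inject constructor adds (ControllerOrConfigserverHostnameVerifier over the config server socket factory) is no longer constructed by any test in this file — the dropped ZoneRegistryMock argument was what previously built that verifier in the proxy_with_retries and proxy_without_connection_reuse hunks. A small test that constructs the executor via the @Inject constructor with a stub ControllerIdentityProvider, even if it only asserts that construction succeeds, would keep that security-relevant path compiling and exercised; whether an existing test elsewhere already covers it cannot be told from this diff. Replacing the `(duration) -> {}` lambda with `Sleeper.NOOP` in the second test is a welcome consistency fix.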