From 5eb199b2b5670458324c4e6073a5a810bee33364 Mon Sep 17 00:00:00 2001
From: jonmv
Date: Sun, 17 Dec 2023 12:45:29 +0100
Subject: Revert "Merge pull request #29683 from vespa-engine/revert-29678-jonmv/reapply-zk-3.9.1"
This reverts commit c8ece8b229362c7bf725e4433ef4fec86024cd29, reversing changes made to d42b67f0fe821d122548a345f27fda7f9c9c9d10.
---
zookeeper-client-common/pom.xml | 13 +++++++++++++
.../vespa/zookeeper/client/VespaSslContextProvider.java | 12 +++++-------
.../yahoo/vespa/zookeeper/client/ZkClientConfigBuilder.java | 12 +++---------
.../vespa/zookeeper/client/ZkClientConfigBuilderTest.java | 3 ++-
4 files changed, 23 insertions(+), 17 deletions(-)
(limited to 'zookeeper-client-common')
diff --git a/zookeeper-client-common/pom.xml b/zookeeper-client-common/pom.xml
index 12ff1517e53..ccfdbd9a429 100644
--- a/zookeeper-client-common/pom.xml
+++ b/zookeeper-client-common/pom.xml
@@ -20,6 +20,12 @@
 ${project.version} provided
+
+ com.yahoo.vespa
+ defaults
+ ${project.version}
+ provided
+
 org.apache.zookeeper zookeeper
@@ -27,6 +33,13 @@
+
+ com.yahoo.vespa
+ zookeeper-common
+ ${project.version}
+ compile
+
+
 org.junit.jupiter
diff --git a/zookeeper-client-common/src/main/java/com/yahoo/vespa/zookeeper/client/VespaSslContextProvider.java b/zookeeper-client-common/src/main/java/com/yahoo/vespa/zookeeper/client/VespaSslContextProvider.java
index 9cc71eab96e..5772070d550 100644
--- a/zookeeper-client-common/src/main/java/com/yahoo/vespa/zookeeper/client/VespaSslContextProvider.java
+++ b/zookeeper-client-common/src/main/java/com/yahoo/vespa/zookeeper/client/VespaSslContextProvider.java
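Review bot: The re-added `zookeeper-common` dependency in the second pom hunk is declared with `compile` scope, while the `defaults` dependency added in the first hunk and the existing Vespa dependency shown as context use `provided`. If zookeeper-common is a Vespa-internal artifact supplied by the runtime container like its siblings, the scope should presumably be `provided`; if it genuinely has to be bundled into this artifact, a one-line comment next to it such as `<!-- compile scope on purpose: not supplied by the container at runtime -->` would stop the next reader from "fixing" the inconsistency. Because this commit is a revert of a revert, the scope may well be intentional, but the reason is not recoverable from the diff and is worth recording either way.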
@@ -1,25 +1,23 @@
 // Copyright Vespa.ai. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.zookeeper.client;
-import com.yahoo.security.tls.TransportSecurityUtils;
+import com.yahoo.vespa.zookeeper.tls.VespaZookeeperTlsContextUtils;
 import javax.net.ssl.SSLContext;
 import java.util.function.Supplier;
 /**
- * Provider for Vespa {@link SSLContext} instance to Zookeeper + misc utility methods for providing Vespa TLS specific ZK configuration.
+ * Provider for Vespa {@link SSLContext} instance to Zookeeper.
 *
 * @author bjorncs
 */
 public class VespaSslContextProvider implements Supplier {
- private static final SSLContext sslContext = TransportSecurityUtils.getSystemTlsContext()
- .map(tc -> tc.sslContext().context()).orElse(null);
-
 @Override
 public SSLContext get() {
- if (sslContext == null) throw new IllegalStateException("Vespa TLS is not enabled");
- return sslContext;
+ return VespaZookeeperTlsContextUtils.tlsContext()
+ .orElseThrow(() -> new IllegalStateException("Vespa TLS is not enabled"))
+ .sslContext().context();
 }
 }
diff --git a/zookeeper-client-common/src/main/java/com/yahoo/vespa/zookeeper/client/ZkClientConfigBuilder.java b/zookeeper-client-common/src/main/java/com/yahoo/vespa/zookeeper/client/ZkClientConfigBuilder.java
index 5c969454d11..af49fab0d40 100644
--- a/zookeeper-client-common/src/main/java/com/yahoo/vespa/zookeeper/client/ZkClientConfigBuilder.java
+++ b/zookeeper-client-common/src/main/java/com/yahoo/vespa/zookeeper/client/ZkClientConfigBuilder.java
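Review bot: The rewritten `get()` has no documentation of its failure mode even though the old null-check on a static field has become an `orElseThrow`; since ZooKeeper looks this class up by name from the value put under `SSL_CONTEXT_SUPPLIER_CLASS_PROPERTY` in ZkClientConfigBuilder, that exception is what an operator sees when the ZK config says "secure" but the process has no TLS context, so it deserves `@throws IllegalStateException if Vespa TLS is not enabled in this process` on the method and a class-level sentence such as `Instantiated reflectively by ZooKeeper via the configured supplier class name; keep the public no-arg constructor.` A second point worth a comment is that, unlike the removed `static final sslContext`, the context is now resolved on every `get()` call; whether `VespaZookeeperTlsContextUtils.tlsContext()` caches internally is not visible in this diff, so a one-line note recording the intent (look up per call versus cache once at class load) would keep a later reader from reintroducing the static field and its early-initialisation failure mode. This hunk covers the whole file, so the change is complete as shown.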
@@ -1,9 +1,8 @@
 // Copyright Vespa.ai. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.zookeeper.client;
-import com.yahoo.security.tls.MixedMode;
 import com.yahoo.security.tls.TlsContext;
-import com.yahoo.security.tls.TransportSecurityUtils;
+import com.yahoo.vespa.zookeeper.tls.VespaZookeeperTlsContextUtils;
 import org.apache.zookeeper.client.ZKClientConfig;
 import org.apache.zookeeper.server.quorum.QuorumPeerConfig;
@@ -14,7 +13,6 @@ import java.nio.file.StandardCopyOption;
 import java.util.Arrays;
 import java.util.HashMap;
 import java.util.Map;
-import java.util.Optional;
 import java.util.stream.Collectors;
 /**
@@ -31,7 +29,7 @@ public class ZkClientConfigBuilder {
 public static final String SSL_CLIENTAUTH_PROPERTY = "zookeeper.ssl.clientAuth";
 public static final String CLIENT_CONNECTION_SOCKET = "zookeeper.clientCnxnSocket";
- private static final TlsContext defaultTlsContext = getTlsContext().orElse(null);
+ private static final TlsContext defaultTlsContext = VespaZookeeperTlsContextUtils.tlsContext().orElse(null);
 private final TlsContext tlsContext;
@@ -71,8 +69,8 @@ public class ZkClientConfigBuilder {
 builder.put(CLIENT_SECURE_PROPERTY, Boolean.toString(tlsContext != null));
 builder.put(CLIENT_CONNECTION_SOCKET, "org.apache.zookeeper.ClientCnxnSocketNetty");
 if (tlsContext != null) {
- builder.put(SSL_CONTEXT_SUPPLIER_CLASS_PROPERTY, VespaSslContextProvider.class.getName());
 String protocolsConfigValue = Arrays.stream(tlsContext.parameters().getProtocols()).sorted().collect(Collectors.joining(","));
+ builder.put(SSL_CONTEXT_SUPPLIER_CLASS_PROPERTY, VespaSslContextProvider.class.getName());
 builder.put(SSL_ENABLED_PROTOCOLS_PROPERTY, protocolsConfigValue);
 String ciphersConfigValue = Arrays.stream(tlsContext.parameters().getCipherSuites()).sorted().collect(Collectors.joining(","));
 builder.put(SSL_ENABLED_CIPHERSUITES_PROPERTY, ciphersConfigValue);
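Review bot: In the third hunk, `defaultTlsContext` now relies on `VespaZookeeperTlsContextUtils.tlsContext()` for the mixed-mode exclusion that the deleted `getTlsContext()` performed in this file (the `MixedMode.PLAINTEXT_CLIENT_MIXED_SERVER` check removed in the file's last hunk), but nothing in the builder records that contract any more, so a reader can no longer tell why `tlsContext` may be null while Vespa TLS is otherwise enabled. Suggest a comment on the field: `// null when Vespa TLS is off, or when the insecure mixed mode disables client-side TLS; that policy lives in VespaZookeeperTlsContextUtils.tlsContext()`. Whether the relocated utility preserves exactly the same mixed-mode rule is not visible in this diff and should be confirmed, because a mismatch would silently change whether ZK client connections are secured. The reorder in the fourth hunk only moves a `put` into the same map and does not affect the built config.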
@@ -81,8 +79,4 @@ public class ZkClientConfigBuilder {
 return Map.copyOf(builder);
 }
- private static Optional getTlsContext() {
- if (TransportSecurityUtils.getInsecureMixedMode() == MixedMode.PLAINTEXT_CLIENT_MIXED_SERVER) return Optional.empty();
- return TransportSecurityUtils.getSystemTlsContext();
- }
 }
diff --git a/zookeeper-client-common/src/test/java/com/yahoo/vespa/zookeeper/client/ZkClientConfigBuilderTest.java b/zookeeper-client-common/src/test/java/com/yahoo/vespa/zookeeper/client/ZkClientConfigBuilderTest.java
index 56bfe8381c2..45ae68cb41d 100644
--- a/zookeeper-client-common/src/test/java/com/yahoo/vespa/zookeeper/client/ZkClientConfigBuilderTest.java
+++ b/zookeeper-client-common/src/test/java/com/yahoo/vespa/zookeeper/client/ZkClientConfigBuilderTest.java
@@ -31,6 +31,7 @@ public class ZkClientConfigBuilderTest {
 assertEquals("org.apache.zookeeper.ClientCnxnSocketNetty", config.getProperty(CLIENT_CONNECTION_SOCKET));
 assertNull(config.getProperty(SSL_CONTEXT_SUPPLIER_CLASS_PROPERTY));
 assertNull(config.getProperty(SSL_CLIENTAUTH_PROPERTY));
+ assertNull(config.getProperty(SSL_CONTEXT_SUPPLIER_CLASS_PROPERTY));
 }
 @Test
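Review bot: The line added to the test hunk, `assertNull(config.getProperty(SSL_CONTEXT_SUPPLIER_CLASS_PROPERTY));`, duplicates the identical assertion kept as context two lines above it, so the insecure-config test now checks the same property twice and the new line adds no coverage. One of the two should go; if the goal was to mirror the positive test, where the supplier-class assertion is moved to the end of the method, the earlier context line is the one to remove rather than adding a second copy. The enclosing test method starts before this hunk.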
@@ -39,10 +40,10 @@ public class ZkClientConfigBuilderTest {
 ZKClientConfig config = builder.toConfig();
 assertEquals("true", config.getProperty(CLIENT_SECURE_PROPERTY));
 assertEquals("org.apache.zookeeper.ClientCnxnSocketNetty", config.getProperty(CLIENT_CONNECTION_SOCKET));
- assertEquals(com.yahoo.vespa.zookeeper.client.VespaSslContextProvider.class.getName(), config.getProperty(SSL_CONTEXT_SUPPLIER_CLASS_PROPERTY));
 assertEquals("TLSv1.3", config.getProperty(SSL_ENABLED_PROTOCOLS_PROPERTY));
 assertEquals("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", config.getProperty(SSL_ENABLED_CIPHERSUITES_PROPERTY));
 assertEquals("NEED", config.getProperty(SSL_CLIENTAUTH_PROPERTY));
+ assertEquals(VespaSslContextProvider.class.getName(), config.getProperty(SSL_CONTEXT_SUPPLIER_CLASS_PROPERTY));
 }
 private static class MockTlsContext implements TlsContext {
-- cgit v1.2.3